
10 new exploits

Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service Exploit
Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service
LifeType 1.0.4 - SQL Injection / Admin Credentials Disclosure Exploit
LifeType 1.0.4 - Multiple Vulnerabilities
Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote DoS Exploit
Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote Denial of Service
cms-bandits 2.5 - (spaw_root) Remote File Inclusion
Enterprise Payroll Systems 1.1 - (footer) Remote Include
CMS-Bandits 2.5 - (spaw_root) Remote File Inclusion
Enterprise Payroll Systems 1.1 - (footer) Remote File Inclusion
0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash Exploit
empris r20020923 - (phormationdir) Remote Include
aePartner 0.8.3 - (dir[data]) Remote Include
0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash PoC
empris r20020923 - (phormationdir) Remote File Inclusion
aePartner 0.8.3 - (dir[data]) Remote File Inclusion
SmartSiteCMS 1.0 - (root) Remote File Inclusion
Opera 9 - (long href) Remote Denial of Service Exploit
SmartSite CMS 1.0 - (root) Remote File Inclusion
Opera 9 - (long href) Remote Denial of Service
w-Agora 4.2.0 - (inc_dir) Remote File Inclusion Exploit
w-Agora 4.2.0 - (inc_dir) Remote File Inclusion
BitchX 1.1-final do_hook() Remote Denial of Service Exploit
BitchX 1.1-final - do_hook() Remote Denial of Service
BLOG:CMS 4.0.0k SQL Injection Exploit
BLOG:CMS 4.0.0k - SQL Injection
Sun Board 1.00.00 alpha Remote File Inclusion
Sun Board 1.00.00 alpha - Remote File Inclusion
Mailist 3.0 Insecure Backup/Local File Inclusion
Mailist 3.0 - Insecure Backup/Local File Inclusion
AdaptCMS 2.0.0 Beta (init.php) Remote File Inclusion
AdaptCMS 2.0.0 Beta - (init.php) Remote File Inclusion
VisualShapers ezContents 1.x/2.0 db.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 archivednews.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 - db.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 - archivednews.php Arbitrary File Inclusion
VoteBox 2.0 Votebox.php Remote File Inclusion
VoteBox 2.0 - Votebox.php Remote File Inclusion
TRG News 3.0 Script Remote File Inclusion
TRG News 3.0 Script - Remote File Inclusion
Vortex Portal 2.0 content.php act Parameter Remote File Inclusion
Vortex Portal 2.0 - content.php act Parameter Remote File Inclusion
Shoutbox 1.0 Shoutbox.php Remote File Inclusion
Shoutbox 1.0 - Shoutbox.php Remote File Inclusion
Ajaxmint Gallery 1.0 Local File Inclusion
Ajaxmint Gallery 1.0 - Local File Inclusion
Zabbix 2.2.x_ 3.0.x - SQL Injection
Microsoft Office Word 2013_2016 - sprmSdyaTop Denial of Service (MS16-099)
Zabbix 2.2.x / 3.0.x - SQL Injection
Microsoft Office Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)
Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use After Free PoC
Windows x86 - MessageBoxA Shellcode (242 bytes)
Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal
Lepton CMS 2.2.0 / 2.2.1 - PHP Code Injection
Pi-Hole Web Interface 2.8.1 - Stored XSS in Whitelist/Blacklist
Nagios Log Server 1.4.1 - Multiple Vulnerabilities
Nagios Network Analyzer 2.2.0 - Multiple Vulnerabilities
Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities
Internet Explorer - MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal Read AV
50 lines
2.1 KiB
Text
Executable file
# Exploit Title: Pi-Hole Web Interface Stored XSS in White/Black list file
# Author: loneferret from Kioptrix
# Product: Pi-Hole
# Version: Web Interface 1.3
# Web Interface software: https://github.com/pi-hole/AdminLTE
# Version: Pi-Hole v2.8.1
# Discovery date: July 20th 2016
# Vendor Site: https://pi-hole.net
# Software Download: https://github.com/pi-hole/pi-hole
# Tested on: Ubuntu 14.04
# Solution: Update to next version.

# Software description:
# The Pi-hole is an advertising-aware DNS/Web server. If an ad domain is queried,
# a small Web page or GIF is delivered in place of the advertisement.
# You can also replace ads with any image you want since it is just a simple
# Webpage taking place of the ads.

# Note: Not much of a vulnerability, implies you already have access
# to the box to begin with. Still best to use good coding practices,
# and avoid such things.

# Vulnerability PoC: Stored XSS
# Insert this:
# <script>alert('This happens...');</script>
# In either /etc/pihole/blacklist.txt || /etc/pihole/whitelist.txt
#
# Then navigate to:
# http://pi-hole-server/admin/list.php?l=white
# or
# http://pi-hole-server/admin/list.php?l=black
#
# And a pop-up will appear.

# Disclosure timeline:
# July 20th 2016: Sent initial email to author.
# July 21st 2016: Response, bug has been forwarded to web dev people
# July 22nd 2016: Asked to be kept up to date on fix
# July 27th 2016: Author replied saying he shall
# July 28th 2016: - Today I had chocolat milk -
# August 3rd 2016: Reply saying there's a fix, waiting on "Mark" to confirm
# August 3rd 2106: Supplies URL to fix from Github https://github.com/pi-hole/AdminLTE/pull/120
# August 4th 2016: Thanked him for fix, informed him of a lame LFI in the web interface as well.
# August 4th 2016: - While drinking my coffee, I realize my comments are longer than the actual PoC. -
# August 10th 2016: Still nothing
# August 12th 2016: Submitting this is taking too much time to integrate their fix

--
Notice: This email does not mean I'm consenting to receiving promotional
emails/spam/etc. Remember Canada has laws.
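Review bot: the header has two "# Version:" lines (Web Interface 1.3 and Pi-Hole v2.8.1) while the commit title lists the entry as "Pi-Hole Web Interface 2.8.1", so it is unclear which component version is affected; label them separately, for example "# Web Interface version:" and "# Pi-Hole version:". The "# Solution: Update to next version." line names no fixed release even though the timeline cites https://github.com/pi-hole/AdminLTE/pull/120, so the solution line should point at that pull request. The timeline entry "August 3rd 2106" reads as a typo for 2016. The file also ends with an e-mail signature ("--" and the "Notice:" lines) that belongs to the submission mail rather than the advisory and could be dropped from the archived file.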