2c01698aec
14 new exploits Drupal <= 4.5.3 & <= 4.6.1 Comments PHP Injection Exploit Drupal <= 4.5.3 & <= 4.6.1 - Comments PHP Injection Exploit phpBB 2.0.15 - Remote PHP Code Execution Exploit (metasploit) phpBB 2.0.15 - Remote PHP Code Execution Exploit (Metasploit vBulletin <= 3.0.6 (Template) Command Execution Exploit (metasploit) vBulletin <= 3.0.6 (Template) Command Execution Exploit (Metasploit WordPress <= 1.5.1.3 - Remote Code Execution eXploit (metasploit) WordPress <= 1.5.1.3 - Remote Code Execution eXploit (Metasploit Solaris <= 10 LPD Arbitrary File Delete Exploit (metasploit) Solaris <= 10 LPD Arbitrary File Delete Exploit (Metasploit Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (metasploit) Horde <= 3.0.9/3.1.0 - (Help Viewer) Remote Code Execution (Metasploit Softerra PHP Developer Library <= 1.5.3 File Include Vulnerabilities Softerra PHP Developer Library <= 1.5.3 - File Include Vulnerabilities IDEAL Administration 2009 9.7 - Buffer Overflow - Metasploit Universal IDEAL Administration 2009 9.7 - Buffer Overflow (Metasploit) PHP RapidKill Pro 5.x Shell Upload Vulnerability PHP RapidKill Pro 5.x - Shell Upload Vulnerability Shellcode - Win32 MessageBox (Metasploit module) Shellcode - Win32 MessageBox (Metasploit) Php Nuke 8.x.x - BlindSQL Injection Vulnerability PHP-Nuke 8.x.x - BlindSQL Injection Vulnerability Integard Pro 2.2.0.9026 - (Win7 ROP-Code Metasploit Module) Integard Pro 2.2.0.9026 - Windows 7 ROP-Code (Metasploit) Digital Music Pad 8.2.3.3.4 - SEH Overflow Metasploit Module Digital Music Pad 8.2.3.3.4 - SEH Overflow (Metasploit) MaticMarket 2.02 for PHP Nuke LFI Vulnerability MaticMarket 2.02 for PHP-Nuke - LFI Vulnerability Microsoft Word 2003 - Record Parsing Buffer Overflow (Metasploit) (MS09-027) Microsoft Word 2003 - Record Parsing Buffer Overflow (MS09-027) (Metasploit) Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (Metasploit) (0day) Actfax FTP Server <= 4.27 - USER Command Stack Buffer Overflow (0day) (Metasploit) Metasploit 4.1.0 Web UI stored XSS Vulnerability Metasploit 4.1.0 Web UI - Stored XSS Vulnerability PHP Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability PHP-Nuke 1.0/2.5/3.0/4.x - Remote Ad Banner URL Change Vulnerability Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (metasploit) Microsoft Visual Studio RAD Support Buffer Overflow Vulnerability (Metasploit PHP Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty PHP-Nuke 5.0 - 'user.php' Form Element Substitution Vulnerabilty PHP Nuke 5.x Error Message Web Root Disclosure Vulnerability PHP-Nuke 5.x - Error Message Web Root Disclosure Vulnerability PHP Nuke 8.2.4 - CSRF Vulnerability PHP-Nuke 8.2.4 - CSRF Vulnerability DCP-Portal 3.7/4.x/5.x Calendar.PHP HTTP Response Splitting Vulnerability DCP-Portal 3.7/4.x/5.x - Calendar.PHP HTTP Response Splitting Vulnerability PHP Nuke 0-7 Double Hex Encoded Input Validation Vulnerability PHP-Nuke 0-7 - Double Hex Encoded Input Validation Vulnerability PHP 4.x/5.x Html_Entity_Decode() Information Disclosure Vulnerability PHP 4.x/5.x - Html_Entity_Decode() Information Disclosure Vulnerability Western Digital Arkeia Remote Code Execution (Metasploit) Western Digital Arkeia - Remote Code Execution (Metasploit) Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - cgi-bin Remote Code Execution Exploit Apache + PHP 5.x (< 5.3.12 / < 5.4.2) - Remote Code Execution (Multithreaded Scanner) Apache + PHP 5.x (< 5.3.12 & < 5.4.2) - Remote Code Execution (Multithreaded Scanner) PHP PEAR <= 1.5.3 INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability PHP PEAR <= 1.5.3 - INSTALL-AS Attribute Arbitrary File Overwrite Vulnerability GNU bash Environment Variable Command Injection (Metasploit) GNU Bash - Environment Variable Command Injection (Metasploit) Bash - CGI RCE (Metasploit) Shellshock Exploit Bash - CGI RCE Shellshock Exploit (Metasploit) Endian Firewall < 3.0.0 - OS Command Injection (Metasploit Module) Endian Firewall < 3.0.0 - OS Command Injection (Metasploit) Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032) WordPress eBook Download Plugin 1.1 - Directory Traversal WordPress Import CSV Plugin 1.0 - Directory Traversal WordPress Abtest Plugin - Local File Inclusion Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit Disc ORGanizer - DORG - Multiple Vulnerabilities D-Link DWR-932 Firmware 4.00 - Authentication Bypass Xoops 2.5.7.2 - Arbitrary User Deletions CSRF Xoops 2.5.7.2 - Directory Traversal Bypass WordPress Image Export Plugin 1.1.0 - Arbitrary File Disclosure Sysax Multi Server 6.50 - HTTP File Share SEH Overflow RCE Exploit Dating Pro Genie 2015.7 - CSRF Vulnerabilities iTop 2.2.1 - CSRF Vulnerability ProjectSend r582 - Multiple XSS Vulnerabilities
86 lines
2.2 KiB
Text
Executable file
86 lines
2.2 KiB
Text
Executable file
[+] Credits: John Page aka hyp3rlinx
|
|
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
|
|
[+] Source:
|
|
http://hyp3rlinx.altervista.org/advisories/XOOPS-DIRECTORY-TRAVERSAL.txt
|
|
|
|
|
|
Vendor:
|
|
=============
|
|
xoops.org
|
|
|
|
|
|
Product:
|
|
================
|
|
Xoops 2.5.7.2
|
|
|
|
|
|
Vulnerability Type:
|
|
===========================
|
|
Directory Traversal Bypass
|
|
|
|
|
|
Vulnerability Details:
|
|
=====================
|
|
|
|
Xoops 2.5.7.2 has checks to defend against directory traversal attacks.
|
|
However, they can be easily bypassed by simply issuing "..././" instead of
|
|
"../"
|
|
|
|
|
|
References:
|
|
http://xoops.org/modules/news/article.php?storyid=6757
|
|
|
|
|
|
Exploit Codes:
|
|
==============
|
|
|
|
|
|
In Xoops code in 'protector.php' the following check is made for dot dot
|
|
slash "../" in HTTP requests
|
|
|
|
/////////////////////////////////////////////////////////////////////////////////
|
|
|
|
if( is_array( $_GET[ $key ] ) ) continue ;
|
|
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
|
|
{
|
|
$this->last_error_type = 'DirTraversal' ;
|
|
$this->message .= "Directory Traversal '$val' found.\n" ;
|
|
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
The above Xoops directory traversal check can be defeated by using
|
|
..././..././..././..././
|
|
|
|
you can test the theory by using example below test case by supplying
|
|
..././ to GET param.
|
|
|
|
$val=$_GET['c'];
|
|
|
|
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
|
|
{
|
|
echo "traversal!";
|
|
}else{
|
|
echo "ok!" . $val;
|
|
}
|
|
|
|
|
|
|
|
Disclosure Date:
|
|
==================================
|
|
Feb 2, 2016: Vendor Notification
|
|
Vendor confirms and patches Xoops
|
|
March 17, 2016 : Public Disclosure
|
|
|
|
==================================
|
|
|
|
[+] Disclaimer
|
|
Permission is hereby granted for the redistribution of this advisory,
|
|
provided that it is not altered except by reformatting it, and that due
|
|
credit is given. Permission is explicitly given for insertion in
|
|
vulnerability databases and similar, provided that due credit is given to
|
|
the author.
|
|
The author is not responsible for any misuse of the information contained
|
|
herein and prohibits any malicious use of all security related information
|
|
or exploits by the author or elsewhere. (c) hyp3rlinx.
|